Auditing Policy

Version: 1.00
Issue Date: 3/23/2015

This Auditing Policy ensures that auditors can perform audits and that required items for audits are not missed.

1.0 Overview

This Auditing Policy will help ensure that policies and processes are followed and are effective.

2.0 Purpose

This Auditing Policy is intended to ensure that policies are being followed to keep the organization secure and efficient.

3.0 Scope

This Auditing Policy applies to all computers, employees, contractors, and policies that are used by or perform work for the organization. It applies to all network devices, operations, and assets owned or used by the organization including devices that remotely connect to organizational resources and devices that are used to view or store organizational data. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Auditing Access

Access will be provided to authorized auditors, or to authorized staff representing auditors, as required and within the constraints of the access policy. Access may include:

  • Access to work areas.
  • Access to computer systems or network devices.
  • Access to data or information owned or managed by the organization as required for an audit.

5.0 Audit Charter

  • An internal audit charter and mission statement should be created which provides for early auditing involvement in projects.
  • The audit charter must be endorsed by executive management including the stakeholders in projects.
  • The audit charter must be published and accessible throughout the entire organization, and members of the organization must be aware of the charter.
  • The audit charter shall provide for an audit committee which shall oversee the review and auditing of financial information, oversee the review and auditing of systems of internal controls and management, oversee the hiring and work of independent accountants and auditors, and oversee the organization's financial and accounting process. The audit committee will oversee functions only and will not carry them out. Members of the audit committee must not have any conflict of interest.
  • The internal audit charter shall define how external auditing integrates with internal auditing and the audit committee.
  • The audit charter is reviewed annually by the audit committee, auditors and other personnel as appointed. The audit charter is reviewed to determine its effectiveness and modified as required. The audit charter may be reviewed when either the head of the auditing department or the audit committee requests a review.
  • The audit charter should describe the activity performed by the auditing section along with procedures used. Audit timetable and desired results should be defined. Provision should be made for correcting deficiencies found by audits in a timely manner.
  • Best practices and standards should be used to determine the organizational status regarding audit results. The audit charter should provide for using best practices and standards to benchmark audit results.
  • The charter shall provide for yearly independent external auditing of the auditing department.
  • Projects and many internal functions may be audited using independent external auditors.

6.0 Audit Function

  • The head of the audit section reports to and is responsible to the audit committee.
  • The audit department shall be audited yearly by independent external auditors to determine their effectiveness and objectivity. Results shall be reported to the audit committee.
  • The audit department offices shall not be mixed in with other offices to maintain their independence and objectivity.
  • Standards of auditing shall include but not be limited to:
    • Independence.
    • Due professional care in auditing and preparing reports.
    • Professional proficiency to carry out the required tasks.
    • Quality control of audits, assuring that professional auditing standards are being adhered to.
  • Auditing standards are modified as required by the audit section, and updates are made and published as required.
  • Auditors must not be involved with the departments they audit, including but not limited to having worked in the department within the past year or planning to work in the department at the time of its audit.
  • Auditors shall follow the Code of Ethics Policy and agree in writing to comply with it. Stricter codes may be adopted and applied to auditors, including policies that govern relationships with other departments rather than only relationships with external organizations.
  • Positions in the audit section shall be clearly defined including the roles, activities, responsibilities, and required skills for each position.
  • Position descriptions in the audit section will be reviewed annually and modified as needed. Senior management will ensure the descriptions call for adequate skills for the activities, responsibilities, and roles of the position.
  • Individuals who possess the skills and experience required for each audit section position are placed in those positions. Practical experience in various areas shall be considered.
  • Auditors will be encouraged to hold professional audit or other technical certifications. Some positions may require certifications. Applicable certifications may include CPA, CIA, CISSP, CCSN, CISM, CISA, and MCSE.
  • The audit department shall identify professional membership organizations useful for enhancing the skill levels of auditors.
  • The audit department shall identify continuing education requirements and recommendations for each position. Continuing education shall be planned with the employee and their management considering the budget and scheduling.
  • Employee development programs for the audit department shall include both technical and management skill areas covering both internal and external training.
  • A process shall be created allowing the audit department staff to provide feedback to management about department processes, audits and risk assessments, professional standards, planning, and projects.
  • The audit section shall create auditing plans that consider project and system development methodologies. The sequence of tasks in development methodologies and other processes such as the System Development Life Cycle (SDLC) should be considered. External factors such as regulatory requirements should be considered. The auditing section should consider use of external auditors where it is useful.
  • The auditing section should plan for, and be able to accommodate, additional audit requests that were not originally planned.
  • The audit plan for the audit section will be approved by the audit committee. A process for creating the audit section plan and other audit plans shall be created and approved by the head of the audit section and reviewed by the audit committee.
  • Auditing plans should be designed to suit the business needs of the organization. The areas of compliance with regulations and laws, information security, efficiency, and control effectiveness should be included unless there is a specific reason not to include them. The assessment of value and risks should be a primary concern in the audit plan. If an external auditing resource is used, the plan is formed in cooperation with that resource.
  • Audit plans should have an allowed list or group of recipients. Audit reports should be considered confidential and sensitive, and protected in electronic form with access controls.
  • Audits are planned so audit data can be collected efficiently, the impact of the audit is estimated, and audit assurance can be reported. Audit assurance will show the audit conforms to the organizational requirements such as:
    • What is being audited and the reason will be obvious.
    • The reason for the audit will be clear.
    • The audit report will show how risk was assessed.
    • The audit plan shows how the audit fits into the operations of the section or organization being audited.
    • Audit topics should be relevant and well presented.
    • The chance of errors should have been considered.
  • Standards and methods of practicing audits, including the evidence gathering process and working paper format and content, must be communicated to audit staff and be easy for them to obtain. Audit staff must apply the standards on the job.
  • Assignment of staff to specific audits must be based on experience and on the skills available and most useful for the audits to be performed. The auditor should be able to adjust for changes in the auditing plan such as delays in the project.
  • Opportunity for more experienced staff to review the auditing of less experienced staff must exist on a periodic and appropriate basis. Less experienced auditors should be able to learn from more experienced auditors on a daily basis, during audit interviews, review of papers, and planning meetings.
  • Audit plans that are modified must be approved by supervising members of the audit team.
  • Evidence produced by the auditing process is confirmed, analyzed, and interpreted. The findings must be directly supported by the evidence provided by the audit. Papers used during the audit or that support the conclusions must be kept for a predetermined length of time. The records should be used as a record to help plan audits of the same project or functionality in the future.
  • Any available and practical tools that can be used to increase efficiency and preserve evidence during the auditing should be used. Some tools that should be used include standard forms, work papers, and organized locations to store items.
  • Audit report formats:
    • Reports should have a list of recipients.
    • A statement in the report should define the limit of permissible distribution.
    • The audit report should reflect the type of work planned whether it be to determine policy and procedure compliance, advisory in nature, or assurance of proper methods or improper methods being used in the business process.
    • The audit report introduction should describe previous related audits, the period of time the audit was conducted, the objectives of the audit, and the scope of the audit. Limitations in scope along with disclaimers, and reservations must be clearly described.
    • The audit report must provide conclusions.
    • The auditor must sign the report.
    • The audit report is not finalized until appropriate management has approved the report. The report is presented to senior management before it is issued in final form and distributed.
  • Activities after the audit:
    • After the audit report is issued, a policy must be created by the audit section management and the audit committee about proposed audit follow-up activities covering risk.
    • Senior management must allocate resources and propose projects to implement activities and solutions which will reduce or eliminate problems discovered by the audit.
    • Tools should be used to automate notices of actions to be taken after the audit such as being sure that the correct people are aware of actions to be taken in a timely manner after the audit.
    • The audit section checks at various intervals after the audit to determine whether recommended actions have been taken. The effectiveness of closure actions must be assessed.

7.0 Auditing Requirements

  • Auditing of operations should be done a minimum of every six months. External auditing resources should be used when internal resources are insufficient to supply the auditing need or there is a need to check for internal conflict of interest or bias.
  • Auditing should check compliance with security procedures and baselines on a regular basis.
  • Auditors are delegated the ability to check any systems for unauthorized software.

8.0 Project Auditing

  • The project lifecycle should have auditing involved at an early stage to be sure proper internal controls are designed into the project.
  • Project audit findings must be resolved prior to the project moving to production and the head of the audit section must sign the report.
  • Project auditing must include but is not limited to auditing of security standards and requirements, coding practices, operational requirements, disaster recovery, and internal controls.
  • Critical projects are to be identified early and should be included in an annual audit plan. As soon as initial project documentation is available including the functional requirements specification, project management plan, and initial high level designs, auditing for design deficiencies should begin.

9.0 Operations Auditing Areas

  • Account creation and management - When accounts are created and removed and whether done with authorization.
  • Employee screening, employee termination - Are employees screened and terminated according to the policies and established process?
  • Server administration - Are the Server Security Policy, Server Monitoring Policy, Backup and Recovery Policy, Patch Management Policy, Virus Protection Policy, Incident Response Policy, System Lockdown Policy, and the Audit Trail Policy being followed? Important items include daily server checks, daily and validated backups, system updates, anti-virus updates, incident response (Are incidents logged, concluded, solved, and prevented? Is evidence preserved?), accounts on servers, guest accounts, intrusion detection and prevention, network server scanning, vulnerability remediation, server hardening and process, and what is logged and log permissions.
  • Are intrusions promptly investigated? (Intrusion Detection Policy)
  • Workstation configuration - (Workstation Configuration Policy) Are user privileges, user browser configuration, and user anti-virus configured and working according to policy?
  • User surf control policy - Is the surf control policy effectively protecting users?
  • Email Policy - Are users educated about the dangers of email? Are dangerous file attachments blocked and users informed about which files are blocked?
  • Software creation - Are software creation standards being adhered to?
  • Change management - Is the change management process in place and being followed?
  • Network - remote access policy compliance (authentication mechanisms, business justification, security of remote systems, sensitive resource access and encryption). Is the computer and printer naming policy being followed?
  • Security of perimeter security devices - Perimeter security policy and Internet DMZ security policy (Auditors must be sure computer security related events are being logged and those logs are saved for at least 30 days), Router Security policy, Telecommunications Communication Policy - Are these policies being followed?
  • Access - Is the password policy (including administrator passwords) being followed? Is the logon banner in place? All devices must have adequate authentication mechanisms (Authentication Mechanism Policy).
  • Computer centers - Are proper environmental controls, proper physical security, proper backup capability, and proper standby power in place?
  • Are maintenance windows scheduled? Are hosting requirements reviewed as part of the project cycle according to the System Availability Policy? Are servers appropriately sized according to the Server Setup and Configuration Policy? Are baseline tests run and are they obtainable? What are the capacity and performance thresholds on the servers?
  • Does the project life cycle provide for certification and accreditation of servers? Is the certification and accreditation process periodically evaluated to determine its effectiveness?
  • Training - Is training being effectively applied to increase efficiency and reduce security incidents?
  • Project management - Is the Development Life Cycle policy being followed? Are software standards being adhered to? Is the Change Management Policy, Configuration Management Policy, Acquisition and Maintenance Policy, and Application Implementation Policy being followed? Is a risk assessment done when required according to the Risk Assessment Policy?
  • Are risk assessments conducted when they are required? (Risk Assessment Policy) Are staff qualified? Are the steps defined? Are mitigation steps followed based on the report?
  • Do applications meet proper coding and security standards? (Application Implementation Policy) Are the Development Life Cycle Policy and Change Management Policy followed? Is proper testing done to assure proper application quality according to a test plan?
  • Is information categorization and handling performed according to the Privacy and Confidentiality Policy, Information Sensitivity Policy, Encryption Policy, and Database Passwords Policy?
  • Is data adequately encrypted based on its sensitivity level and using approved encryption protocols and key lengths? (Encryption Policy)
  • Are databases adequately protected? Do database passwords and accounts meet standards? (Database Passwords Policy)
  • Equipment control - Is inventory, and especially proper asset disposal, being performed according to the Asset Control Policy and the Equipment and Media Disposal Policy?
  • Software tracking - Is software tracked for licensing? - Software Licensing Policy, Intellectual Property Rights Policy (intellectual property must also be tracked) and Software Tracking Policy.
  • Mobile computer and device use - Mobile Computer Policy and Mobile Device Policy.
  • Auditing of approved and unapproved wireless use - Wireless Communication Policy.
  • Communications - Monitoring whether the policies and processes required of employees are well communicated, and whether employees know who to contact for various services. This improves the efficiency of the organization and allows employees to suggest methods of improvement and identify bottlenecks.
  • Review of policy and procedure effectiveness and currency.
  • Audit approved application list, audit for installed applications that are not approved.
  • Network documentation policy - is it being followed?
  • Server documentation Policy - Are servers and contacts properly listed? Are users and administrative staff notified when changes that may affect them are made? Is configuration information properly stored for easy reference and for disaster recovery?
  • Are critical services identified and those services supported by fault tolerant equipment? - Equipment Purchase Failure Prevention Policy
  • Are computer forensics policies and procedures being followed? (Computer Forensics Policy)
  • Are data owners identified? Is data classified according to sensitivity? (Data Classification Policy) Is data handled according to its classification? (Information Sensitivity Policy) Is data properly marked?
  • Does a disaster recovery plan exist? Has it been tested? (Disaster Recovery Policy)
  • Are physical security measures followed? Is logging used for secure areas? Are IDs worn? Are records of people with access kept by proper authorities? (Physical Security Policy)
  • Are external connections properly evaluated and approved? (Extranet Policy) Are third parties properly identified to be secure based on the nature of the connection and data being accessed? (Third Party Identification Policy)
  • Are new threats and technologies evaluated annually? (IT Steering Committee Policy)
  • Is purchased insurance adequate to preserve the business if disasters or serious loss should occur, based on risk analysis? (Insurance Purchase Policy)
  • Separation of duties (Segregation of Duties Policy) - Can a password be modified without confirmation by the user?
  • Change Management Policy - Is it being followed and are users properly notified of changes?

10.0 Enforcement

Since following the Auditing Policy is important for ensuring the security and proper operation of the organization, employees that purposely violate this policy by willingly refusing to cooperate with an audit, or falsifying documents, may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

11.0 Other Policies

  • Change Management Policy
  • Development Life Cycle Policy
  • Code of Ethics Policy

12.0 Additional Requirements

  • Creation of an Audit Charter is required.
  • A procedure for creation and approval of audit plans is required.
  • Job descriptions and qualifications of auditors are required.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________