We can classify audits into three basic categories. Each of these represents a slightly different level of trust and unique objectives. The purpose is always to determine the truth.
Internal audits and assessments. These involve auditing your own organization to discover evidence of what is occurring inside it (self-assessment). Their scope is restricted, their findings should not be shared outside the organization, and the findings cannot be used for licensing.
External audits. These involve your customer auditing you, or you auditing your supplier. The goal is to confirm the level of performance mutually agreed upon in the contract.
Independent audits. These are outside of the customer-supplier influence. Third-party independent audits are frequently relied on for licensing, certification, or product approval. A simple example is independent consumer reports.
So what will the CISA be asked to look at during an audit? Auditors are called to audit products, processes, and systems. Each of these requires a different approach. Let's review the basic approach required for each of these audits to be successful:
Product audits check the attributes against the design specification (size, color, markings). The 2007 hazardous toy recall of over a million Chinese-manufactured toys for Mattel is an example of using a product audit. The lead-based paint used on the toys was in violation of the design specifications. You can expect that CISAs will audit more software products than toys.
Process audits evaluate the process method to determine whether the activities, or the sequence of activities, meet the published requirements. We want to see how the process is working in practice. This involves checking inputs, actions, and outputs to verify the process performance.
System audits seek to evaluate the management of the system, including its configuration. The auditor is interested in the team members' activities, control environment, event monitoring, how customer needs are determined, who provides authorization, how changes are implemented, preventative maintenance, and so forth, including incident response capability.
Financial audits verify financial records, transactions, and account balances. This type of audit is used to check the integrity of financial records and accounting practices against well-known accounting standards.
Operational audits verify the effectiveness and efficiency of operational practices. Operational audits are used frequently in service and process environments, including IT service providers. The operational audit is detailed in Statement on Auditing Standard 70 (SAS-70).
Integrated audits include both financial and operational controls audits. The integrated audit is detailed in SAS-94.
Compliance audits verify the implementation of, and adherence to, a standard or regulation. This could include ISO standards and all government regulations. A compliance audit usually includes tests for the presence of a working control.
Administrative audits verify that appropriate policies and procedures exist and have been implemented as intended. This type of audit usually tests for the presence of required documentation.
Information systems certification and/or accreditation. Certification usually involves testing the system against a reference standard, whereas accreditation represents management's formal acceptance of the system and its residual risk.
Now we need to move on to the different roles people play in the audit.