Aaron Kerr

Director

Innovation in IT Auditing: Micro-Audits vs. Traditional IT Audits

Depending on the organization, micro-audits can add flexibility, save valuable time and simplify reporting. Clearview Group partners with clients to evaluate their environment and provide real solutions to assist the IT department in strengthening controls through successful audits.

In today's rapidly evolving IT environment, every organization needs to balance users' demands for speed, ease of use and convenience against the critical need to keep information safe and secure against a variety of sophisticated threats and potential liability. Clearview Group, a Baltimore-based consulting firm, helps those organizations identify opportunities for improvement in their IT processes and controls with comprehensive audits and assessments. As part of this service, Clearview Group can help clients determine whether micro-audits will best suit their needs. Rather than traditional, full-scope audits, micro-audits focus more narrowly on specific risk areas, which means they can produce more effective and relevant results, shorter turnaround and more successful reporting.

Pre-Audit Preparation and Risk Assessment

An IT audit engagement typically starts with a risk assessment and the formulation of an audit plan delineating the scope and objectives of the audit. Clearview Group has broad knowledge of the regulatory frameworks, best practices and needed controls clients have to consider based on their size and position in the market. This includes determining whether or not certain risk areas would benefit from a micro-audit as opposed to a traditional audit.

"While you always have to be flexible in assessing risk, one thing that has become very apparent in the last few years is the paramount importance of agility," said Aaron Kerr, Director of Advisory Services at Clearview Group. "You often hear that word when it comes to software development and processes, but it also applies to IT auditing. Companies don't want to be too beholden to an annualized audit plan or traditional segmentation of auditable areas — you need to be able to adapt if something changes in the industry or within the company. You need to have that flexibility in the plan to address those risks even if it wasn't a high risk at the start of the year. The good news is that if you have solid risk assessment processes within your IT department, making them flexible isn't too hard, as long as they aren't large, months-long projects. Some projects you can take on over a few weeks, before the audit, which makes it easier to adapt."

Clearview Group helps clients identify and remediate risks so they're ready to tackle their next audit without wasting time or resources. For example, if the city of Baltimore has suffered multiple ransomware attacks, Kerr said, clients in that area may ask how susceptible they are to similar attacks. With a micro-audit, small- or medium-sized businesses can answer that question quickly by assessing just that particular threat vector as a risk scenario.

How Micro-Audit and Traditional IT Audit Programs Differ

After the risk assessment, auditors collect and analyze audit evidence and form opinions pertaining to internal controls as well as the reliability of the information provided by management. In contrast to a traditional IT audit process, which can take several weeks or months, a micro-audit can be as short as 80 hours, Kerr said. That's because, while organizations always have a large universe of potential auditable areas, a micro-audit breaks the traditionally complex program down into the sum of its parts.

"For example, on the topic of networks, two main areas could be security and operations, but within those there will be additional risks," Kerr said. "A micro-audit is about carving up that universe into areas you can get done in 80 to 100 hours for a small or medium-sized business. If the scope is right, there's a way to add value in a short period of time. It forces you to think about more specific risk scenarios beneath the bigger, traditional auditable areas and structure the programming and frequency around those sub-areas."

Kerr points to one client he had a few weeks ago who was looking for a consulting partner. "It's a fairly large organization, and they had always scheduled audits as a months-long process," he said. "Now, they prefer to split the audit, in this case on networks, into separate micro-audits: one on security, one on administration and one on operations. This means each IT audit can be separately risk assessed for priority and take only six weeks instead of six months, and clients aren't fishing around looking for implausible risk areas trying to tie it to prior interpretations of the area. These micro-audits really benefit smaller organizations, because they generally have more flexibility in execution."

Additionally, with today's virtual tools, Kerr said, the ability to successfully implement a micro-audit has never been easier. "There can be a lot of overlap when it comes to evaluating certain areas — in the past, there were specific solutions and vendors, but now with integrated platforms like AWS and Microsoft 365, there are services you can pay for with just the click of a button," he said. "With a micro-audit, you can be very targeted in quickly identifying risks. The virtual environment has been a big catalyst for us in terms of how we evaluate certain areas. We do the research beforehand so we can be streamlined, point to a specific screen, evaluate a specific risk area and give the results."

Micro-Audit Results Compared to Traditional Audit Reports

Once the audit is complete, it's time to formally report the findings. Kerr said he has always tried to push back against the heavyweight audit report, and micro-audits are a perfect solution.

"Traditionally, a lengthy audit report often needs an interpreter to cover everything, which can change the way the message resonates with an audit committee and board," Kerr said. "But with micro-audits, you can cut that report down to one or two pages and boil it down to an elevator pitch with images or visuals. Why not make the report a little less text-heavy so it's less cumbersome? That way you will have a more captive audience and can be very present in describing potential risk scenarios and where they stand in response. It may be an issue, but is it really a big risk? With a micro-audit, you can target the specific topic you're most interested in: here's what we found, the risks involved and where the client needs to take immediate action."

While there are certain high-risk IT areas that are going to be looked at each year, Kerr said Clearview Group understands that certain areas like cybersecurity can only be mitigated so far and will adapt audit reporting to reflect that.

"Do you do the same audit every year, or do you have the flexibility to audit specific aspects of cybersecurity depending on changes in organizations, new markets, industry trends and recent events? We've been carving that up into smaller pieces for years now and finding out what makes sense when working through an annual plan every quarter," Kerr said. "Whatever we look at, there's a reason for it. We don't have to explain why we looked at this and not that. Many of the organizations we work with may ask how susceptible they are to malware, for example, and we have many ways to address that in an audit. You can come up with a plan to specifically address that question without reporting on every risk area related to cybersecurity."

Kerr also added that this streamlined reporting allows organizations to report on risks in a more timely manner. "You should be able to get an answer within a few weeks, rather than at the end of the audit year," he said. "Clients don't want to be tied to an approach that made sense in the past but now takes a long time to get an answer to the audit committee or board. These risks materialize so quickly that there's no point in waiting."

Overall, Kerr said, Clearview Group acts as a true partner with its clients and understands that there isn't a specific definition of what an IT micro-audit has to be. "It's about targeting risk scenarios and building an audit plan with a faster timeframe from scope to results," he said. "That is really the key — finding a way to adapt is essential in order to keep up with the fluidity of technology."

For more information, contact Clearview Group's Director of Advisory Services, Aaron Kerr, at akerr@www.4ugod.com or visit: http://www.4ugod.com/
