Further to yesterday's piece about a free ISMS audit guideline, I normally prepare Internal Controls Questionnaires to structure and record my audit fieldwork.
As the illustrative extract above shows, these work nicely as landscape tables in MS Word with the following 4 columns:
- Check: these are the audit tests, written before the audit fieldwork starts. As well as the classic audit 'show me' and 'tell me about ...', I much prefer open-ended questions and general prompts such as 'check', 'review' and 'evaluate'. ICQs are intended to be used by reasonably competent and experienced auditors, not spouted verbatim by novices. [The ISMS audit guideline includes an extensive but generic set of audit checks ready to cut-n-paste into this column, then trim and modify according to your specific audit requirements and situation.]
- SWOT: these record the auditor's first impressions - an initial evaluation of the findings. Is this area a Strength (the findings are good, risks well under control), a Weakness (there are some issues but nothing too desperate), an Opportunity (generally meaning an ‘opportunity for improvement’ i.e. a change that will benefit the business) or a Threat (a significant risk or concern that ought to be addressed in order to avoid a serious incident)?
- Notes: briefly state the audit findings. Factual evidence is crucially important to the audit process, and needs to be recorded carefully. For example, I sometimes quote the precise words spoken by auditees in audit interviews, and incorporate or cite relevant extracts from policies, procedures, logs, reports etc. The auditor's comments and interpretation are a valuable output too (e.g. explaining the context and possible consequences), but strong facts speak for themselves and are hard to deny.
- Ref: references to hardcopy evidence held in the audit file, all neatly sorted and indexed (by the end of the fieldwork, anyway – I’m often too busy and disorganized before that!). Referencing facilitates many-to-many mapping e.g. several documents (such as policies or interview notes) may be cited from several relevant parts of the ICQ. It's also useful as a check for completeness (is every finding supported by evidence? Also, was something useful gleaned from every audit interview and document review?).
The rows systematically cover the audit scope area, with a sensible structure and generally just a handful of headings, derived from the earlier audit risk analysis and planning stage.
Down at the bottom of the ICQ table are 4 rows to summarize the main findings (the most important Strengths, Weaknesses, Opportunities and Threats – these will probably feed into the audit report and presentation) and a final row for an initial conclusion and perhaps recommendations (which also feed into the audit report and executive summary, but usually get modified later once I’ve had time to think more carefully about the audit, and talked it through with audit colleagues plus management).
While other auditors have their own ways of working, the above approach suits me. It evolved over about 2 decades slogging away in the audit trenches. YMMV.
[By the way, there's a generic ICQ in every month's NoticeBored awareness module, covering the same information security topic as the rest of the module. The extract above is a work in progress - we're currently revising the InfoSec 101 module covering the basics.]