Scheduling audits

One type of assurance is audit, hence auditing, and IT auditing in particular, is very much in scope for our next security awareness module.

By coincidence, yesterday on the ISO27k Forum, the topic of 'security audit schedules' came up.

An audit schedule is a schedule of audits, in simple terms a diary sheet listing the audits you are planning to do. The usual way to prepare an audit schedule is risk-based and resource-constrained. Here's an outline (!) of the planning process to set you thinking, with a sprinkling of Hinson tips:
  1. Figure out all the things that might be worth auditing within your scope (the 'audit universe') and list them out. Brainstorm (individually and if you can with a small group of brainstormers), look at the ISMS scope, look for problem areas and concerns, look at incident records and findings from previous audits, reviews and other things. Mind map if that helps ... then write them all down into a linear list.
  2. Assess the associated information risks, at a high level, to rank the rough list of potential audits by risk - riskiest areas at the top (roughly at first - 'high/medium/low' risk categories would probably do - not least because until the audit work commences, it's hard to know what the risks really are).
  3. Guess how much time and effort each audit would take (roughly at first - 'big/medium/small' categories would probably do - again, this will change in practice but you have to start your journey of discovery with a first step).
  4. In conjunction with other colleagues, meddle around with the wording and purposes of the potential audits, taking account of the business value (e.g. particular audits on the list that would be fantastic 'must-do' audits vs audits that would be extraordinarily difficult or pointless with little prospect of achieving real change). If it helps, split up audits that are too big to handle, and combine or blend-in tiddlers that are hardly worth running separately. Make notes on any fixed constraints (e.g. parts of the business cycle when audits would be needed, or would be problematic; and dependencies such as pre/prep-work audits to be followed by in-depth audits to explore problem areas found earlier, plus audits that are linked to IT system/service implementations, mergers, compliance deadlines etc.).
  5. Sketch out the scopes and purposes of the audits, outline the risks they address, scribble notes to be used by the auditors and auditee/clients when it comes to detailed audit planning and authorization of individual audits.
  6. Starting at the top of the list, add a column for a cumulative running total of the resources needed (e.g. with an estimated 20 man-days required for audit 1, 10 man-days for audit 2, 25 man-days for audit 3, the cumulative resource column shows 20 then 30 then 55 man-days ...).
  7. If you have an audit person or team already assigned, figure out how many man-days of audit resources you have in the year/s ahead. Hinson tip: be conservative. It's never a problem to find more work to do, but it's always a problem to try to squeeze too much out of the person/team so that tempers fray and quality suffers. Be sure to leave some unassigned resources to cope with 'special investigations' (e.g. fraud work), time for audit planning and admin, time for team-building, training and personal development, and (trust me) plenty of contingency for jobs that run over and extra must-do jobs that materialize out of nowhere during the planned period. Draw a pencil line on the list between the audits you can complete with the available resources and those you probably cannot do. Add a grey area (above the line!) to show that there is significant uncertainty in the plan. Tidy up the rough plan so it is not quite so rough - presentable even.
  8. Present and discuss the outline plan with senior management. Use your prep-work and notes to outline and explain/justify the audit jobs towards the top of the list, or any stand-outs of particular note. Impress on them that this is not some random noise but there has been thought put into it. Negotiate the contents (audits planned, scopes and purposes, resources needed, resources available, contingency remaining) until you reach a tentative settlement, firming-up your audit schedule. If they insist on moving your pencil line down the list to complete more audits, then insist on the additional resources necessary (more auditors - employees or contractors or secondees) ... and preferably put it down in writing (make sure it is minuted)! Hinson tip: although there will undoubtedly be pressure, stick to your guns on the man-days you estimated are required for each audit. Do not arbitrarily cut back the resources for audits unless they agree to reduce the scope of work accordingly ("minute that, please"): do not allow the quality of audit work to be compromised - together you are investing in assurance, and the reputation of the audit function is an extremely important part of that. Hinson tip: you have some leeway on the timing, title and detailed scope of each audit, but do not chop planned audits from the list without putting up a spirited defense. This is where your prep-work and notes come into play. Play hard-ball if a manager seems determined to chop out an audit in their area: why is that? Do they have something to hide? Or are there genuine business reasons that mean the planned audit would not help the organization? Under extreme pressure to chop a legitimate audit off the plan, 'take the discussion off-line' and work privately with the manager concerned, plus their manager, to evaluate the situation and reassess the risks - or perhaps ask the management team as a whole to make the decision there and then. As a last resort, try to convince the CEO or Chairman of the Board that, in your professional judgment, they need additional assurance in that specific area. And if the final answer is "Chop it!", get that in writing.
  9. Turn the list into a schedule that works, in theory. This step is tricky as it involves juggling audits, resources, objectives, dependencies and constraints (e.g. an internal audit to make sure your ISMS is running sweetly before a scheduled external ISMS certification or surveillance audit obviously has a fixed completion date, so work back from there ... and add slack time/contingency too). Involve the team and colleagues if you can. Hinson tip: version control or date the plan.
  10. Once firmed-up, have the finalized plan formally approved by senior management e.g. the CEO, CISO, CIO, President or Chairman of the Board. Don't neglect this simple but critical step.
  11. Build and brief the team and run the plan. Make it happen. Do and manage stuff. Deal with all the wrinkles that come up In Real Life. Remind auditors and auditees that senior management agreed and formally approved the plan and the resources (that's why step 10 is crucial). Motivate, lead, encourage. Jiggle resources and scopes to make the best of it. Adjust the plan and audits as necessary ... and keep notes for the next round of planning or re-planning. Do your level best not to have to go back to senior management with a request for more resources or an explanation about why you cannot possibly complete the approved plan. Hinson tip: use your contingency sparingly throughout the entire period and monitor it carefully. If a quarter of the plan is complete but you've used half your contingency already, we have a problem Houston.

If that's all too much for you and way over the top, then a much simpler starting point is to map out the audits you think you will be doing on a wall-planner or the year-to-a-view page in your desk diary. Hinson tip: use dry-wipe erasable markers or pencil!

It gets easier and better with practice, like anything really. Except finding things in the fridge: that's always impossible, for men.

[We will turn that into some sort of pro briefing, procedure or checklist for the awareness module, with a process diagram, a succinct summary and careful layout/formatting to make it more readable - e.g. isolating the tips as side notes in text boxes in a contrasting color. Easy when you know how! We're already working on similar guidance for other types of assurance work, such as testing.]