Core characteristics of an audit file
So what should a good audit file contain? That can be summarized in a few key words:
- Ownership
- Classified
- Quality
- Traceable
- Repeatable
For each keyword, we explain below what it means and how you can implement it within your organization.
1. Ownership
In practice, we often find that several people are involved in an audit, but no one feels responsible for preparing the audit file. It is highly recommended to appoint someone in the organization to at least manage and coordinate the preparation of the audit file. This covers planning, monitoring deliverables, coordinating the design of the audit file (table of contents) and practical matters such as where the file is stored. Also involve your colleagues in the audit process and make them responsible for the parts they are required to deliver.
2. Classified
A must for any audit file is that it is prepared using the standards framework that will be tested. After all, an IT auditor always conducts the audit against that same framework and will therefore ask questions about specific standards. The aim is that, given any standard number, you can immediately show the corresponding evidence.
How you do this classification is completely form-free; it can be through an Excel sheet that acts as a table of contents, through a folder structure on a shared drive, or through an advanced ISMS (Information Security Management System). Most importantly, you must be able to properly navigate your own audit file, with the end goal of being able to present the file fluently to an auditor. You will find that if you get this right, audits will go much more smoothly.
3. Quality
Provide a qualitatively sound, complete and accurate file. What do we mean by this? First, an audit is always about design, existence and/or operation. Make sure you cover all these issues with your file. In addition, if asked about policy documents, procedures or other descriptions: make sure that it is visible that these documents describe the "truth."
This means that you must be able to show, for example, that a procedure is not a loose, free-floating document created purely for the audit and not used otherwise. This can be done by showing that the procedure has been formally established, is known in the organization (communicated) and, for example, is also part of an internal control system. If the standards require you to perform audits yourself, make sure it is clear who performs the audit, when, what is audited, what the findings and recommendations are, and to whom the audit is reported (the party with final responsibility).
Regarding accuracy: make sure your evidence covers the right topics: the right audit period and the right object of examination (system, application, procedure).
Finally, always put the framework of standards your auditor uses next to your file and verify that you cover all the requirements of that framework of standards with your file.
4. Traceable
Now a point about the evidence itself: make sure everything is traceable! Very often we come across all kinds of beautiful, very useful screenshots that are missing just the piece that shows when they were taken and in which environment. Every piece of evidence should be easily traceable to its origin.
Conversely, make sure that all important steps in your procedures are also traceable. After all, an auditor can perform checks in two directions:
- From documentation to reality (for example, from a ticket system in which an authorization request is made to the actual setup of those authorizations);
- From reality to documentation (for example, based on a change log, tracing an arbitrary change in permissions back to the underlying documentation justifying that change).
Finally, if your auditor also tests the operation of certain standards, think in advance about how you can demonstrate operation. It is very important that all changes (in the access control example) are demonstrably performed in the same way. Think about this when setting up your process.
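The three properties described in sections 2 to 4 (an index keyed by standard number, a check that every requirement of the framework is covered and every item falls in the audit period, and evidence that carries its own capture time, environment and a hash that proves it has not changed) can be handled with one small evidence manifest. The script below is an added example written for this page, not part of the original article or any ISMS product; the framework numbers (REQ-1.1 and so on), the evidence file names and their contents are constructed placeholders.

```python
"""Evidence manifest for an audit file (added example).

Every item is hashed, stamped with capture time and environment, and mapped
to the standard numbers it supports, so the file can be navigated per
standard, checked for coverage gaps and re-verified at a later audit.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date, datetime, timezone

# Hypothetical standards framework (constructed sample, not a real standard).
# The auditor asks about these numbers, so the index is keyed by them.
FRAMEWORK = {
    "REQ-1.1": "Access requests are approved before provisioning",
    "REQ-1.2": "Access rights are reviewed periodically",
    "REQ-2.1": "Changes are logged and attributable",
}


@dataclass
class Evidence:
    name: str             # file name as stored in the audit file
    sha256: str           # content hash, so the item can be verified later
    captured_at: str      # UTC timestamp (ISO 8601) of when it was produced
    environment: str      # e.g. "production" or "acceptance"
    evidence_date: str    # ISO date the evidence refers to (for period checks)
    standards: list       # standard numbers this item supports
    collected_by: str     # colleague responsible for this deliverable


def register_evidence(name, content, environment, evidence_date, standards,
                      collected_by, captured_at=None):
    """Record one piece of evidence; rejects standard numbers outside the framework."""
    unknown = [s for s in standards if s not in FRAMEWORK]
    if unknown:
        raise ValueError(f"{name}: standards not in framework: {unknown}")
    date.fromisoformat(evidence_date)  # validates the format, raises on garbage
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    return Evidence(name=name, sha256=hashlib.sha256(content).hexdigest(),
                    captured_at=captured_at, environment=environment,
                    evidence_date=evidence_date, standards=list(standards),
                    collected_by=collected_by)


def build_index(items):
    """Table of contents: standard number -> evidence names ('Classified')."""
    index = {std: [] for std in FRAMEWORK}
    for item in items:
        for std in item.standards:
            index[std].append(item.name)
    return index


def coverage_gaps(items):
    """Standards in the framework that have no evidence at all ('Quality')."""
    return sorted(std for std, names in build_index(items).items() if not names)


def out_of_period(items, period_start, period_end):
    """Evidence dated outside the audit period; ISO dates compare as strings."""
    return [i.name for i in items
            if not (period_start <= i.evidence_date <= period_end)]


def verify_integrity(item, content):
    """True if the stored file still matches the hash recorded at collection."""
    return hashlib.sha256(content).hexdigest() == item.sha256


def manifest_json(items):
    """Serialised manifest to store next to the evidence ('Repeatable')."""
    return json.dumps([asdict(i) for i in items], indent=2)


# Constructed sample evidence standing in for screenshots/exports in the file.
SAMPLE_ITEMS = [
    register_evidence("ticket-4711-approval.png", b"<constructed screenshot bytes>",
                      environment="production", evidence_date="2023-05-12",
                      standards=["REQ-1.1"], collected_by="identity team",
                      captured_at="2023-05-12T09:30:00+00:00"),
    register_evidence("q2-access-review.xlsx", b"<constructed export bytes>",
                      environment="production", evidence_date="2023-07-03",
                      standards=["REQ-1.2"], collected_by="application owner",
                      captured_at="2023-07-03T14:00:00+00:00"),
]

if __name__ == "__main__":
    print(manifest_json(SAMPLE_ITEMS))
    print("uncovered standards:", coverage_gaps(SAMPLE_ITEMS))
    print("outside audit period:", out_of_period(SAMPLE_ITEMS, "2023-01-01", "2023-06-30"))
```

Run against a real audit file, the manifest replaces the Excel table of contents: the same index answers the auditor's "show me REQ-1.2" question, the coverage and period checks are the self-check from section 3, and the stored hash lets the same item be re-verified unchanged in next year's audit.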
5. Repeatable
Now for the last aspect: make sure you set up your audit file so that it can be easily reproduced for a subsequent audit. This is because most audits are recurring. So you will benefit from structurally preparing your file so that you only need to update it for a subsequent audit. This can save you significant amounts of time.
Good preparation is important
This saying certainly applies to audits as well. If you prepare your file well, you will benefit not only during this audit but also during audits in subsequent years. We therefore advise you to consult your auditor in good time if you have any questions about preparing a good file.
Do you have questions about our IT audit services? Then contact one of our consultants directly using our contact form.