Practical Guide- Beginner to Pro- Cyber and IT Auditing Part 1 (Planning) | Technology Accountant | Skillshare


Lessons in This Class

29 Lessons (2h 2m)
    • 1. Introduction and what are IT audits?

    • 2. What is risk based auditing?

    • 3. Understanding control types and how to test controls

    • 4. Understanding independence and ethics

    • 5. Knowing the differences between Internal Vs External Audit and Auditing Standards

    • 6. Knowing the different IT standards and frameworks and your IT audit career path

    • 7. Understanding the IT audit lifecycle

    • 8. How to conduct audit planning and pre-planning activities

    • 9. Test your pre-planning knowledge

    • 10. Understanding the client

    • 11. How to define your scope and objective

    • 12. Test your planning knowledge

    • 13. How to document Cyber & IT planning documents -1

    • 14. How to document Cyber & IT planning documents-2

    • 15. Communication and Kickoff to your clients

    • 16. Understanding basics of Cybersecurity

    • 17. Understanding basics of Cybersecurity: Availability

    • 18. Understanding basics of Cybersecurity: Confidentiality

    • 19. Understanding basics of Cybersecurity: Integrity

    • 20. Knowing the differences between Cybersecurity vs general IT

    • 21. Gaining knowledge in IT processes and access mgmt controls

    • 22. Gaining understanding in patch mgmt

    • 23. Gaining understanding in network mgmt

    • 24. Gaining understanding in incident mgmt

    • 25. Gaining understanding in vendor mgmt

    • 26. Gaining understanding in security configuration

    • 27. Gaining understanding in logging and monitoring

    • 28. How to identify Cyber and IT risks

    • 29. Lessons learned and recap

About This Class

Are you interested in kick-starting a career in IT auditing? Tired of learning IT auditing through theory and books? Then this is the perfect course for you! This is a condensed course that goes over the basic and advanced concepts in IT auditing. The course is one of the first of its kind to not only cover concepts but also walk you through practical examples and know-how for conducting a Cyber and IT audit during the planning stages. The course will also introduce technical knowledge of IT processes, IT controls and IT systems to prepare you to become a knowledgeable auditor.

Your Instructor

Your instructor is a proven and skilled individual with over 6+ years of experience in big consulting, Big 4 accounting and Big 5 banks. Chris (The Technology Accountant) has worked in in-demand fields in consulting, advisory and assurance in the Cyber and IT space. He holds the CPA (Chartered Professional Accountant), CISSP (Certified Information Systems Security Professional) and CISA (Certified Information Systems Auditor) designations and has taught over 20,000 students from 155+ countries on this platform.

Benefits to you

-Gain theoretical and practical knowledge of various auditing concepts and Cyber/IT controls/risk technicals

-Gain theoretical and practical knowledge and skills in creating your own Cyber and IT audit plan through practices;

  a) 15+ downloadable course templates and detailed information for your learning/practice

  b) 1 project case assignment to test and practice your overall learning with step by step answer


  c) Scenarios videos/practice questions in course lectures

-Gain expert knowledge and material from proven Instructor

Accomplished Goals

At the end of this course, you will have gained the fundamental and practical knowledge and skills in IT audits, risks, controls and cybersecurity, and you will be prepared to plan a Cyber and IT audit with supporting real-world examples, scenarios and templates. Lastly, you will also gain technical knowledge of various IT and Cyber controls and technicals within this course, to not only help you audit but also effectively plan your audits as a lead or future lead in your audit engagements.

Meet Your Teacher


Technology Accountant

Inspire and educate!


Technology Accountant is a course provider that provides various topics in Cybersecurity, IT, finance/accounting, personal development, investing and more!

Your #1 instructor at Technology Accountant is Chris. Chris is currently doing IT infrastructure and cyber security audits at a Big 5 / Fortune 500 bank and is also a Sessional Instructor Assistant at the University of Toronto. Chris holds a Bachelor of Business Admin degree and professional certifications such as Chartered Professional Accountant (CPA), Certified Information Systems Security Professional (CISSP) and Certified Info Systems Auditor (CISA). Chris has worked in various in-demand fields (i.e. mgmt consulting, advisory, assurance, etc.) and has professional experience from Deloitte, Accenture, Sapient (now Publicis.Sap...



1. Introduction and what are IT audits?:

Every minute, every hour, every day, companies are under attack by cyber criminals, hackers, and threats. Did you know that by 2021, cybercrime due to system vulnerabilities and weaknesses would have cost the global economy $6 trillion? So how do companies really protect their data, assets, and resources? One of the best ways is risk management in the form of having internal, cyber and IT controls. And to ensure that these controls are effective, internal auditing assists companies in achieving a secure control environment. By taking this Cyber and IT course, you'll develop IT and cyber auditing skills. You'll also develop knowledge in planning and leading cyber and IT audits, and you'll develop a foundation in cyber and IT controls, processes and technicals. So are you ready?

Hey there, and welcome to the Technology Accountant program for Cyber and IT auditing. This is Part 1 of the Practical Guide from beginner to pro. Before we dive deep into the course, let me introduce you to your instructor, our program and the course features. I'm your instructor; my name is Chris. I have a Bachelor of Business Admin, I'm a Chartered Professional Accountant (CPA), and I hold the Certified Information Systems Security Professional and Certified Information Systems Auditor designations. I have 15 plus years of experience in IT, consulting, advisory and auditing at top consulting firms, Big 4 accounting firms and Big 5 banks. I have domain knowledge in different areas such as cybersecurity, IT infrastructure, applications and processes, project management, assurance, and finance and accounting. As part of the Technology Accountant program, we have over 10 thousand students in over 140 countries, and we cover different course topics such as cybersecurity and IT auditing (such as this course), risk management, project management, finance and accounting, stock investing, and tax and budgets.

For this course, we aim to give you value through a progressive roadmap, quizzes and checkpoints, learning scenarios, comprehensive lesson plans, and increased technical knowledge and soft skills as well. In terms of our learning roadmap, the course is broken down into three components for Part 1. The first is an overview of what IT audits are and their objectives, the basic auditing concepts, and IT frameworks and standards; we'll also take a look into the career paths within IT auditing. Then we'll dive deep into the planning activities in section two. After that, we'll go into section three, which covers the technicals, such as looking into what cybersecurity is, the general IT processes, and understanding what IT and cyber risks are.

So what exactly are IT audits and their objectives? We can answer this question by breaking it down into three simple parts: what, how, and why. The what is: what exactly are we doing? We attest to an entity's IT processes and controls for design and operating effectiveness, and we'll go over in the next couple of slides exactly what control design and operating effectiveness is. For the how: audits can be internal or external audits. When you're going for things like external audits, you may be looking at SOX, Service Organization Control reports (SOC 2 or SOC 1 reports), assessments, or ICFR audits. When you're going for internal audits, you mainly look at things like operational audits, compliance audits, and SOX-type audits done in-house. Now for the why, which is also the objective: the purpose of conducting the audit is really to obtain reasonable assurance to issue an opinion or rating on whether the controls are designed and operating effectively, and are performed based on how they were described to be. Let's take a look into some of the basic auditing concepts.
For those that have done some form of auditing or have encountered auditors in the past, terms such as risk, control and audit may ring a bell. If you're a beginner, understanding these terms is important because they will help you understand and perform the audit effectively. Risk is defined as the likelihood of a potential impact or loss of IT assets and data caused by a lack of controls and/or vulnerabilities. A risk, for example, would be an unauthorized user getting privileged access, and the impact would be that the user with this privileged access conducts inappropriate activities causing financial loss or data loss. Control is defined as a process, activity, or mechanism that prevents or detects the risk from occurring. Controls are meant to reduce risks to a minimal acceptable level, but do not eliminate the risk. An example of a control for the risk we just mentioned would be having attestations or entitlement reviews. Being able to have a manager review the privileged access of users is vital because it enables them to remove users who have unauthorized access. An audit, as mentioned, is to test the controls and verify whether the control is designed and/or operating effectively to prevent and detect the risk from occurring. We'll go over some more basic concepts.

2. What is risk based auditing?:

Let's go through the concept of risk-based auditing. So how exactly are audits done? Well, both internal and external audits are conducted through risk-based approaches, or risk-based auditing. Risk-based auditing is defined as the audit style which focuses on the analysis and management of risk. This is different than simply checking system controls for whether they exist or not, or whether they are configured a certain way. The benefits of risk-based auditing are that it provides a proactive approach rather than a reactive one, and that it focuses on important risk areas based on the auditor's risk assessment.
It also focuses on high risks or frequent areas of risk, which will be covered in the audit. Now how do we essentially assess risk? There are a couple of things we can do. The first is professional judgment, defined as the auditor's application of accumulated knowledge and experience gained through relevant audits and training to make informed decisions. For example, if you've been on various types of audits and you know that access control, specifically privileged access, is a higher risk because privileged accounts have elevated access and, if they are compromised, the system would essentially fail: that is what the use of professional judgment is all about. Understanding the client is also important. Having knowledge of prior year controls, of important relevant client processes, of the areas that are risky, and of the general IT environment and controls they have in place will help us better assess whether the risk is high, medium, or low. Together with professional judgment and understanding of the client, we can effectively determine the risk. When we determine risk, this is generally the inherent risk. Inherent risk is defined as the risk naturally occurring in a process without mitigation. There are two aspects to determining inherent risk. The first is impact, which is the financial damage that would occur if a threat were to realize a vulnerability. Likelihood relates to the possibility or the chance that the threat realizes the vulnerability. You often hear me talk about vulnerabilities, threats and risks, but they are actually three different things. I'm going to explain each one and then we'll go over an example. A vulnerability is defined as a control weakness or gap in a security program or process that can be exploited by threats.

A threat is defined as anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy assets. A risk is defined as the likelihood of a potential impact or the loss of an IT asset or data caused by a lack of controls and/or the vulnerability itself. An example would be, let's say we have two servers, server A and server B. Server A transmits data to server B regularly, and this data contains payment card information. Payment card information is highly sensitive and private information that should be protected. The vulnerability is that it's not encrypted, so when the data is being sent over, it can essentially be picked up and read. A threat could be a hacker or third party who sees that this data is not encrypted as it is sent from A to B, and who may then exploit this by either sniffing the packets or picking up this information stored somewhere. The risk in all of this is a loss of confidentiality, and potentially a loss of financial information if this payment card information is exploited, or an impact to our reputation if this data is breached. So now you can see the relationship between vulnerabilities, threats, and risk. After assessing risk, it's important to determine the risk level. As mentioned earlier, there are two factors to determine inherent risk: impact and probability. There are many different ways companies and firms determine the risk level, but in our example here, this is one of the easiest and most straightforward ways to assess it. Going from low to high on impact, we categorize it as minor impact, moderate impact, and significant impact, and you can see that as you go from right to left, the risk increases. Similarly, for probability, we start with a remote chance, then a probable chance, then a likely chance.

As we go up, we can see that the risk is also increasing. Together, impact and probability can be mapped into a matrix to determine what the appropriate risk level is. For example, if we have a likely probability and a significant impact, then it's going to be high risk. Or if we have a minor impact and a remote probability, it's going to be a low risk. So this is how we determine the risk level.

3. Understanding control types and how to test controls:

Now that you know how to assess risks and what risk really is, let's talk about controls. There are many different types of controls in a company, and each department will have its own controls. For IT, the same concept applies. Generally, when we start off with controls, they are automated or manual in nature. What this really means is that the control would either be performed automatically by the system, such as a backup tool which backs up data on a scheduled basis, or be a manual control, which can be something like a data owner classifying data manually on media. From automated and manual controls, there are eight different categories of controls. We'll start from left to right, beginning with preventative. Preventative controls are implemented before a threat event occurs and reduce the likelihood and impact of the threat occurring. What this means is that the control's objective is to prevent something from happening. For example, we have a firewall in place to prevent unwanted traffic from entering our networks, and that is preventative and also automated in nature. The next example is detective. Detective controls are implemented to detect errors, issues, and threat events that have already occurred. What this means is that if something were to happen, we would detect that it occurred and investigate or respond to it.
For example, we have a SIEM (security information and event management system), such as Tripwire or Splunk, which monitors and detects inappropriate activities by users. The fact that it monitors and detects events makes it a detective control and also an automated control as well. Corrective controls are implemented to remediate and resolve issues, errors or impacts caused by the threat. An example would be if there was an incident that caused a system in the accounting department to break down, and the accounting manager raises a ticket requesting IT to fix the issue. There is a process in place to fix the down system, making it a corrective control. In our example, this is also a manual control in nature. Compensating controls are a little unique. They are implemented as alternative security measures when the primary measure is deemed too difficult to implement. For example, let's say we have a system that contains important data and that data is not secured properly: many people have access to that system, making it subject to the risk of data being disclosed. What would be a compensating control is that the data is encrypted. For those who don't know what encryption is, it's essentially a security mechanism to turn plain text data into ciphertext, which is hard to read. The encryption in this case is a compensating control because the control that would have prevented the potential risk of data being disclosed would have been appropriate access in the system. In this case, because the system already has inappropriate access, it needs an alternative, and the alternative is a compensating control, which is encryption. This is also automated in nature, but could also be a manual control as well. Administrative controls are management controls that mitigate threats from individuals. To reduce the chances of employees falling to threats or becoming threats themselves, administrative controls such as training, procedures, policies and ethical guidelines are used by companies. In most cases, administrative controls are manual in nature because they require employees to follow various documentation, contracts, or guidelines. Logical and technical controls are designed to protect systems, networks, environments and data. Logical controls can be things like user access in a system, where the system properly authorizes user privileges based on their assigned roles. The technical aspect of logical/technical controls can also be things such as disabling or enabling certain configurations in the system. Therefore, in most cases, logical and technical controls are automated or a combination of both. Recovery controls are designed to enable the resumption of operations after a threat event. Controls such as having a disaster recovery plan or a business continuity plan are elements of recovery controls, where the company resumes operations at alternative sites. Another aspect of recovery can be something simple like a backup tape being restored after a system is down and data was lost. Depending on the nature of the control, these can be manual, like the disaster recovery plan, or automated in nature, such as an immediate backup tool restoration. Lastly, physical controls are implemented to physically protect IT assets. These include things like locks, fences, security guards, cameras and more. In most cases, they are automated or manual. For instance, a security guard checking in visitors at the data center would be a manual control, whereas a motion detection system is an automated control. The next concept we'll go over is really how controls are audited. You just learned the different types of controls, but how exactly are they audited? Well, there are three simple steps. The first is to determine the controls that address and correlate to the risks we aim to audit, through the understanding of the client's environment.
Remember, auditing means to test the controls and verify if the control is designed and operating effectively to prevent and detect the risk. In our lesson earlier, we understood how risk can be determined through our professional judgment and understanding of the client. So the next thing is really determining the types of, and the specific, controls that would address the risk. We can determine and understand control activities by understanding our client's IT environment. Therefore, essentially, when we identify specific risks in the client environment we are auditing, we can also identify the specific controls that mainly address those risks. This is step one. The next step is to conduct test scripts via audit testing methods with sufficient and appropriate evidence. Test scripts are really procedures or instructions which the auditor follows to test the control. In the next slide we will go through testing methods. You may also see that I went over sufficient and appropriate evidence, and I underlined the word evidence. In auditing, when you test controls, you need to prove that the controls are designed and operating effectively. In this case, evidence can be things like screenshots, logs, paperwork, documents, files, listings and so forth, which help prove that the control is either effective or not effective. Therefore, sufficient and appropriate evidence means that everything we document and test in the audit must be sufficient, or have large enough quantities or instances, to prove that the control is designed and/or operating effectively, and that the evidence must also be appropriate, which highlights the fact that evidence should be relevant and related to the control that we are testing. So this defines sufficient and appropriate evidence. Lastly, documenting the results and concluding on the control's design effectiveness or operating effectiveness is the final step of how a control in an audit is tested.

We'll go over the terms design and operating effectiveness in the next couple of slides, but the idea is that the control design is how the control is structured and created to prevent or detect a risk, whereas the operating effectiveness is more about how a control is implemented to perform through regular operations for a period of time. Again, I've also underlined another term here, which is the audit period. The audit period is so important because it's essentially the time period for which our testing and evidence would be valid for the audit. The audit period isn't really based on the calendar year or the company's year end, but more on its own cycle. For example, you may be doing an audit which tests the client's IT processes and environment for the period of, say, July 1st, 2019 to July 31st, 2020. The audit period helps us and the client determine what is valid or important for the audit. For instance, evidence that falls outside the period won't generally be considered in the audit. Therefore, the client won't be giving us evidence from outside the audit period, and we won't generally be testing or considering evidence outside of the audit period either. There are five types of testing methods that you can apply to controls. Generally nowadays, we would do not just one but a combination, so that we can demonstrate that we have sufficient and appropriate evidence. Let's go through each one. Observation is the audit procedure to test controls by observing or viewing the control performer executing the control. For example, you are testing an IT control that sends an alert to the dashboard when a security event occurs. In this case, you're observing how the system performs the control, and your observation is being performed to demonstrate to you that the control is designed and operating as intended. Examination is the inspection of relevant evidence such as screenshots, documents, logs, user listings, and so forth.

Let's go back to our example of the system that generates an alert on the dashboard. In this case, let's assume that we want to validate that the system is operating effectively for the period of time. Remember, if we want to prove that a control is operating effectively, we need to show that it is being performed through regular operations for the period of time. In this case, it won't be realistic to observe all the alerts to show that the system is generating alerts all the time. Therefore, we need to get evidence to examine the control's operation. There are going to be many different types of evidence that we can examine, and we have to choose one that's sufficient and appropriate. In this case, logs of the system alerts are generally sufficient and appropriate because the logs would be precise enough to show the types of alerts, the time, and various other information. If there is a history of the logs spanning our audit period, this will be sufficient in quantity to demonstrate that the control is performing for the period. Inquiry is when the auditor asks questions of the auditee to determine relevant information. An example would be asking the client to confirm the process or various things via a statement of facts. Inquiry generally is not sufficient on its own to prove that the control is designed and operating effectively. Therefore, we would use a combination of different testing methods to ascertain that the control is designed and operating effectively. Reperformance is the auditor's independent execution of the control to validate it. What this means is that the auditor actually performs the control to see if it is working. For example, back to our log example: the client has an investigation process after the alerts, where the security analyst reviews alerts to determine false positives, following a set of guidelines.
The auditor can reperform this by getting the same logs and following those guidelines to determine if the results are the same as the security analyst's review. So this is reperformance. Analytical is when the auditor uses analytics and computer-assisted auditing techniques to determine relevant information. In this case, the auditor generally gets datasets or uses dashboards to analyze anomalies. For example, suppose the auditor gets a dataset of all the security events, which shows the alert time and day and the security response time, and let's say the control testing was to validate the timeliness of response by the security team. Then the auditor would analytically compare the response time against the alert time and date for timeliness of response. So this is analytical testing. Finally, after testing the control, it is important to determine the outcome of the control. The three main common outcomes are ineffective, effective, and effective with exceptions. Ineffective is when the control cannot address the risk that it is intended for. For example, going back to our security alert example: the whole point of a security alert control is to address the risk that events and issues are not detected and identified. If it turns out that the security alerts are actually not capturing security events or things like network traffic, then the control is not effective at addressing the risk. The next outcome is effective, which means the control can address the risk that it is intended for. This is straightforward, because if the security alerts in our example do identify and detect security events, the control is effectively doing its job to address the risk that security events are not being detected in the first place. The last outcome is effective with exceptions. This means that the control can address the risk that it is intended for, but there are some anomalies. For example, the security events are actually being reviewed by the analysts, but it takes an average of ten business days to review the events rather than the company policy of five business days. These are the anomalies. The control is still effective because the security analyst reviews all the events, but there are exceptions, or anomalies, due to his or her lateness in reviewing the events. These anomalies would change the control testing outcome to effective with exceptions.

4. Understanding independence and ethics:

All right, let's take a look at two of the terms that we described earlier, design effectiveness and operating effectiveness, in detail. Design effectiveness is defined as the evaluation of the control's design and whether the control can address the risk. During fieldwork, auditors generally test an instance or a sample of one to conclude whether the control is designed properly. For example, say we are looking into vulnerability management. To test design, we may be looking into how the process is structured from beginning to end, and we may be looking at the standard documents or process documents just to get an understanding and see that the design is in place. Operating effectiveness is defined as evaluating the control's ability to operate for a period of time. During fieldwork, auditors generally obtain a population and select samples to conclude whether the control can operate effectively for the given period. Coming back to our vulnerability example, let's say a vulnerability scan happens every week. For your operating effectiveness testing, you'll be looking at the weekly scans to ensure that they are being conducted, and that is operating effectiveness. Another concept we should understand is what exactly the auditee (client), the auditor and the stakeholders are, and how they are all involved in relation to supporting the audit.
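The analytical test of alert review timeliness and the three control outcomes taught in lesson 3 above, as an added worked example that is not part of the course material. The CSV evidence, the 5-business-day policy and the audit period follow the lecture's illustration but are constructed values; the exception-rate threshold that separates "effective with exceptions" from "ineffective" is an assumption for this example.

```python
"""
Added example (not course material): an analytical test of the security alert
review control described in lesson 3. Alerts from a constructed SIEM export are
filtered to the audit period, the business days from alert to analyst review are
compared with the (assumed) 5-business-day policy, and the control outcome is
concluded as effective, effective with exceptions, or ineffective.
"""
import csv
import io
from datetime import date, datetime, timedelta

POLICY_BUSINESS_DAYS = 5  # company policy from the lecture example (assumed value)

# Audit period used in the lecture's example (July 1st, 2019 to July 31st, 2020).
PERIOD_START = date(2019, 7, 1)
PERIOD_END = date(2020, 7, 31)

# Constructed evidence: what an analyst-review export might look like.
# A-1000 falls before the audit period; A-1004 has not been reviewed at all.
SAMPLE_CSV = """alert_id,alert_time,reviewed_time,disposition
A-1000,2019-06-15T10:00:00,2019-06-16T10:00:00,false_positive
A-1001,2020-03-02T09:15:00,2020-03-04T11:00:00,false_positive
A-1002,2020-03-03T17:40:00,2020-03-17T08:30:00,true_positive
A-1003,2020-03-06T12:00:00,2020-03-13T12:00:00,false_positive
A-1004,2020-03-10T08:05:00,,
A-1005,2020-03-12T14:20:00,2020-03-13T09:00:00,false_positive
"""


def business_days_between(start: date, end: date) -> int:
    """Count weekdays (Mon-Fri) after `start` up to and including `end`.

    Public holidays are ignored; a real engagement would use the client's calendar.
    """
    if end < start:
        raise ValueError("review date cannot precede alert date")
    days = 0
    current = start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days += 1
    return days


def evaluate_alerts(csv_text: str, period_start: date, period_end: date,
                    policy_days: int = POLICY_BUSINESS_DAYS):
    """Return (population, exceptions).

    population: alert ids whose alert time falls inside the audit period.
    exceptions: (alert_id, reason) for alerts not reviewed within policy.
    """
    population = []
    exceptions = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        alerted = datetime.fromisoformat(row["alert_time"])
        if not period_start <= alerted.date() <= period_end:
            continue  # evidence outside the audit period is not considered
        population.append(row["alert_id"])
        if not row["reviewed_time"]:
            exceptions.append((row["alert_id"], "not reviewed"))
            continue
        reviewed = datetime.fromisoformat(row["reviewed_time"])
        elapsed = business_days_between(alerted.date(), reviewed.date())
        if elapsed > policy_days:
            exceptions.append((row["alert_id"],
                               f"reviewed after {elapsed} business days"))
    return population, exceptions


def conclude(population, exceptions, max_exception_rate: float = 0.5) -> str:
    """Map the test results to the three outcomes taught in the lecture.

    The 50% threshold separating "effective with exceptions" from "ineffective"
    is an assumption for this example, not an audit standard.
    """
    if not population:
        return "ineffective"  # no evidence the control operated in the period
    rate = len(exceptions) / len(population)
    if rate == 0:
        return "effective"
    if rate < max_exception_rate:
        return "effective with exceptions"
    return "ineffective"


def run_example() -> str:
    """Run the analytical test over the constructed evidence and return the outcome."""
    population, exceptions = evaluate_alerts(SAMPLE_CSV, PERIOD_START, PERIOD_END)
    for alert_id, reason in exceptions:
        print(f"exception: {alert_id}: {reason}")
    outcome = conclude(population, exceptions)
    print(f"{len(population)} alerts in period, {len(exceptions)} exceptions: {outcome}")
    return outcome


if __name__ == "__main__":
    run_example()  # -> "effective with exceptions" (A-1002 late, A-1004 unreviewed)
```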
So an oddity in client is really the party that business line team department or the subject matter experts, which the auditors, such as yourself, would engage throughout the audit process for evidence Finding, discussions and communication. And the other thing is the auditor well, what exactly are we were really the members involved in the audit project. It's Sharpie to plan, execute, and report on the audit. Now, in terms of stakeholders, these are really the parties are authorizing or requesting the auditors to perform the decision with people in the senior management roles of the company. And there will be the recipient of the report. And together, all of these parties are engaged throughout the audit and they support one another. So after understanding or what relationships are involved through the oddity, the auditor and stakeholders is also important to understand what ethics in independents are. And this is especially important for the auditor profession because Ethics and amp, penance helped us establish our credibility or professionalism and how we should conduct the audit in a professional manner. Now, ethics relates to the auditors principle and Moroz when conducting an audit, the auditor encourages compliance, due diligence, and professional care. So for example, when you're auditing and you come upon an RDD that has manipulated some of the evidence that you're looking for, for control, you should really be escalated or reporting this instance to stakeholders are relevant parties. Now, independence is related to the auditors objectivity, professional manner, and to serve the stakeholders in an honest UFO, high conduct, and also objective way. So an example would be, let's say you're doing external audit for a client. And the client is hiring your services to conduct an audit. Now, they're also asking you issue a satisfactory rating or a clear opinion. 
Now, this is a violation of independence, because how you audit shouldn't depend on the client's revenues or desires or how they approach the relationship. So this is independence. Let's take a deeper dive into the different threats to independence. The independence of an auditor is not limited simply to reporting, but also to various relationships and the perception of being seen as independent. Independence is important because a breach of it during the audit may impact our ability to issue an objective opinion or rating. There are five different threats: self-interest, self-review, advocacy, familiarity and intimidation. Self-interest is essentially the auditor having financial or other interests in the organization that we are auditing. Auditors may own shares or assets, or have personal relationships with the organization, that impact independence. Self-review is when the auditor reviews their own work; for example, when you design or implement a system and then audit it, that's a self-review threat. Advocacy is when the auditor promotes or supports a client. For example, promoting the client's business or promoting their shares is a threat to our independence through advocacy. Familiarity is when the auditor's relationships with directors or employees are too familiar. Auditors may spend many years at the client or the firm and begin to establish friendly terms with these clients. Because you have such friendly terms with these clients, you may not want to jeopardize the relationship. Then when you encounter issues or errors, you may not bring them up. So that's a threat to independence. Intimidation is when the auditor is intimidated by management or the client, and the auditee or client threatens the auditor, for example by withdrawing from the audit or threatening to sue, and so forth.
Now it is important to understand the different types of assurance, because when we issue audit ratings and opinions, these have reasonable assurance. It's also important to understand that there are other types of assurance, because when we perform non-audit services such as advisory, consulting, assessments or reviews, these do not have the same level of assurance as an audit. We won't go into too much detail about what those types of services are, because this is an IT audit course, but it's important to understand what limited assurance and non-assurance are as well. Reasonable assurance is the highest level of assurance that the auditor can provide, because we cannot provide absolute assurance with 100% certainty. Audits with ratings and opinions have reasonable assurance. Limited assurance is the auditor providing a reduced level of assurance on the subject matter, less than reasonable assurance. So auditors will issue a negative form of expression to conclude their assessment. What this essentially means is that when they issue the conclusion, they state that nothing wrong has come to their attention during the review. Reviews provide limited assurance. Non-assurance is the auditor providing services without any confidence or assurance on the subject matter. So auditors will not be issuing ratings or opinions. These could be advisory, consulting or assessment projects, because they won't have any assurance. So I know that was a lot to take in, so I've summarized this into a table. You start to realize that there are many different types of services that auditors perform. We won't go into these in detail because, at the end of the day, this is an IT audit course. So we can break this down and start to see that audits give reasonable assurance and issue ratings and opinions.
You can read a bit more about what these definitions are in the downloadable attachment. A review gives limited assurance and issues no opinions or ratings, but gives a negative expression that nothing wrong, and no errors, have come to the attention of the auditor. Non-assurance services like advisory, consulting or assessments give no assurance and no opinions or ratings, but they do give a conclusion describing the work that was conducted by the auditor, with no assurance. These are important to know when you need to determine the different deliverables the auditor will be providing.

5. Knowing the differences between Internal Vs External Audit and Auditing Standards: As mentioned in one of our first slides, audits can be conducted internally or externally. In the next couple of slides we'll go over the differences between the two. At a high level, internal audits are audits that are conducted by the internal auditors of the organization. The internal auditors conduct various types of audits, such as compliance, operational, SOX, integrated, project or investigative audits, for different business units and clients. External audits are audits performed by external auditors through licensed accounting firms, such as the Big Four accounting firms. The IT-related audits that they do include things like SOC, SOX, ISO 27001 and financial audits with integrated IT controls. We won't go over the details of these because this course is about planning activities and planning concepts, but you can read more in the downloadable attachments or through internet search engines as well. Another aspect that differs between internal and external audits is the structure. For internal audits, the audit department generally reports directly to the audit committee, which is a committee at the board of directors level, and may also report administratively to the CEO.
The difference with the administrative reporting line is that things like pay and administrative procedures are reviewed and managed by the CEO, but the results of the audit, the planning strategy and the issues from the audit are sent to the audit committee for review. The reason auditors do this in general is that they need to strive for independence. If the auditors report issues, errors or fraud to the CEO or CFO, then the CEO or CFO could potentially disregard the auditor's findings. However, if the auditors report directly to the audit committee, there is less chance that their interests are threatened by intimidation. Also, within the audit department, you can see that there is a green box here, which consists of the roles of VP, senior manager, manager, senior auditor and auditor. The green box represents the audit team that is involved in the audit. As mentioned earlier in the relationship slide, auditors are members of the audit project; therefore, auditors mainly work in teams to conduct the audit. The same can also be said of external auditors, where the partner, senior manager, manager, senior auditor and auditor also work in teams. The idea is that there is a clear reporting line and that the quality of the audit is maintained as work is reviewed and approved at different levels. This also helps us understand that there is adequate supervision by senior members of the team. In terms of the reporting line, we can see that the external auditors report to the board of directors or the audit committee. The reason is that they are third parties to the organization, and the audit committee is in charge of hiring and terminating the external auditors. Another concept that we should be aware of is auditing standards. Auditing standards are essentially the guidelines and standards that the auditor, as a professional, should follow when conducting their audits.
The reason is that audits are generally regulated by government bodies and associations, and these agencies will review the auditor's work. If the work is not of sufficient quality or does not follow the applicable standards, fines and penalties can be applied. Different countries and regions have their own auditing standards; here are some common examples. In the United States, the Public Company Accounting Oversight Board, PCAOB, has different standards, mainly for financial audits, SOX and integrated audits of public companies. This is important because if you are in an audit firm conducting audits of public companies based in the United States, and you happen to do IT controls testing, then these standards would apply. The American Institute of Certified Public Accountants, AICPA, also provides standards related to service organization control audits. You may have heard me mention SOC several times. SOC reports are audits of service organization controls. A service organization is essentially a company that provides services to another company. The idea is that the service organization hires external auditors to test its internal controls, which include IT controls, to demonstrate to its customers that they are safe and secure to use, and the standard governs how the auditor should consider and conduct service organization reports. The same goes for the international auditing and assurance standards, where the equivalent of AICPA SSAE 18 is ISAE 3402. So overall, each company and firm is required to follow the different standards applicable to the audits that they are performing, and each country has its own standards and regulations. Finally, this concludes the basic concepts that we have discussed so far in this course. Please keep in mind that we mainly went over specific concepts that are meant as a practical guide to help you in your day-to-day work.
There will be additional concepts and terms as we progress. However, please note that there are many more concepts which aren't covered specifically in this course. The reason is that this course is mainly about planning; other concepts will be covered in the other courses in the series or outside of this course. The important thing is to understand just enough to be practical.

6. Knowing the different IT standards and frameworks and your IT audit career path: What are some IT standards and frameworks? Well, there are many different types, but we'll go over five common ones. You can also look at the downloadable attachments for more detailed information on the standards and frameworks. We'll begin with ITIL, the Information Technology Infrastructure Library. This focuses on detailed practices for IT service management and how they are tailored to business needs. ITIL is broad and can be applied to many different organizations, and really acts as a baseline to plan, implement and measure IT services and processes. ISO, the information security standards, and particularly ISO 27001, gives management an idea of information security systems and specifics, focuses on the information security management system, and provides organizations with guidance on security controls. COBIT, the Control Objectives for Information and Related Technologies, is a framework which focuses on IT management and governance; it defines processes and management within IT and also offers insights into inputs, outputs, processes, activities and so forth. COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is another framework, but it focuses on operations, reporting and compliance, and really gives an idea of how controls and processes play into an organization. NIST is the National Institute of Standards and Technology.
Its Cybersecurity Framework relates to the five functions of identifying, protecting, detecting, responding and recovering, and also various categories of control activities and processes. You may be wondering what typical career paths IT auditing leads to, and what some exit opportunities are. I'll go over some of the common career paths which I and some friends have taken in the past. Please note that there's much more to this list, and I'm just providing a simple overview. At the end of the day, it also depends on your personal knowledge and skills to direct you in your career. We'll go over some of these and describe what people in these roles tend to do and the common education and skill sets required. We'll first begin with IT auditor, since this is an IT audit course. In IT auditing, you start to realize that a lot of the work isn't just understanding risks and controls, but also conducting audits, assessments and reviews of your subject matter. Auditors can work in professional services firms or in industry as internal auditors. In terms of knowledge and experience, auditors can be recruited straight from university or join as experienced hires. Common designations that IT auditors pursue include the Certified Information Systems Security Professional, CISSP, or the Certified Information Systems Auditor, CISA, and various other technical certifications. Next is business systems analyst. I was a business systems analyst on one of my projects when I did consulting before. Business systems analysts generally assess the development or upgrade of IT systems; they meet stakeholders to understand business and technical requirements, and help document and translate those into the functional and technical designs which developers then build.
A BSA's education and experience can be diverse, but the role tends to suit individuals who can describe and simplify complex technical solutions for business stakeholders. Common certifications may include the Certified Business Analysis Professional, CBAP, or the PMI Professional in Business Analysis. For IT auditors transitioning to business systems analyst roles, this would involve understanding how systems are developed, the waterfall and agile project lifecycles from system development audits, and also having good technical knowledge and soft skills like interviewing and communication. Cybersecurity analyst can also be a broad field depending on the organization. Generally, this role performs analysis on security events and can actively contribute to the identification and detection of cyber issues and to remediating them. The processes that a cybersecurity analyst supports can range from being part of the logging and monitoring controls to being cybersecurity incident management and response team personnel. For experience and skill sets, this depends on the area. Cybersecurity analysts may be hired directly from university or as experienced hires, depending on the role; technical knowledge of how to protect, detect and remediate issues in networks, servers and applications would be required. Common certifications for cybersecurity analysts may include CISSP, CompTIA and other IT certifications. For IT auditors transitioning to become a cybersecurity analyst, this may require skills and experience from auditing cybersecurity processes like vulnerability and patching, security configurations, network access management, logging and so forth. Cybersecurity engineering focuses on the development of controls and security features in architectures for new and existing systems and processes.
The engineer will not only apply cybersecurity principles aligned with the organization, but also best practices, to ensure that security is upheld throughout the entire IT environment. Cybersecurity engineers are not always trained engineers and can be individuals who have the theoretical and technical knowledge in cybersecurity. Common certifications for cyber engineers include CISSP and also CISM, the Certified Information Security Manager, and other technical IT certifications. For IT auditors transitioning to become a cyber engineer, this means not only knowing the IT and cyber processes, but also having a deep understanding of technical knowledge, system architecture, cyber controls and risk mitigation to create effective security system designs. Going a bit broader, we can look at IT consulting, which is another exit opportunity from IT auditing. I actually started my career in consulting, where I designed and implemented new technologies like mobile app payment systems and re-engineered processes. IT consultants can range from technical folks who work on projects for professional firms to build and design systems, to advisors providing expertise to management on processes, risks and controls. For experience requirements, these individuals can be hired straight from university or be experienced professionals. Certifications are a mixed bag: consultants can have MBAs, master's degrees, or things like PMP, CPA, CFA, CISSP and so forth. The transition from IT auditor to consulting will likely require the auditor to possess strong soft skills: communication, presentation and stakeholder management. It would also require the IT auditor to have skills in understanding business processes and also understanding client-side systems and solutions. Next is IT compliance analyst.
This role generally reviews whether IT business units and departments comply with the standards and processes of the company. As part of business-as-usual activities, they keep track of compliance against planned activities and regulations, coordinate with stakeholders to drive toward compliance goals and milestones, and also provide advice and input on new controls and processes hosted by IT. In terms of experience, the individual may be hired straight out of university and may not have any certifications; however, having certifications related to risk management or IT security, such as the ones I mentioned, will help you excel quicker in the career. For IT auditors, the transition to IT compliance is relatively straightforward, and having knowledge of risk and control processes and regulation would be an asset. Last, the role of information security specialist is broad. Individuals in this area generally act as advisors or subject matter experts in shaping new standards, processes and technical documents for the company to address security needs. The security specialist may also conduct risk and control assessments, or other assessments, to review and ensure that controls are designed and operating. They may not provide assurance like IT auditors, because IT auditors, as mentioned, are the ones who provide independent and objective audits. For experience, these information security specialists may generally require five-plus years of experience and certifications such as CISSP or other technical IT designations. For IT auditors transitioning to this role, having knowledge and a technical background in cybersecurity is a must.

7. Understanding the IT audit lifecycle: So now we can go into the second section of this course, and we're going to explain the different planning activities involved. Before we go deep into planning activities though, let's take a step back and understand what the audit lifecycle is.
Audits are generally broken down into three phases: planning, fieldwork and reporting. Planning is generally where we plan, scope and determine what the tasks and the time period are. Fieldwork is when we do the actual work: we test the controls and we test the processes. Reporting is when we report to the stakeholders on the findings and the overall rating and opinion on the subject matter that we were auditing. Planning, fieldwork and reporting each have different types of work and timelines involved. If we take a closer look, we can see that planning and reporting each take about the same time, but the bulk of the time and effort spent during the audit is actually in the fieldwork phase. Let's take a closer look at the different activities related to the phases of the audit lifecycle. For planning, we have things like pre-planning administration, which covers budgeting, resourcing and setting timelines. Understanding new clients and their processes is important because you need to understand the control environment, the IT systems involved, the team structure, new updates and so forth, so that you can help determine scope. Defining the scope and objective is itself documenting and risk-assessing, and determining whether controls and processes should or should not be tested. Creating planning memos, procedures and risk assessments is part of the documentation that evidences that effective planning was conducted, so that the audit will run more smoothly. Client and team communication is important because you will need to build rapport, trust and credibility throughout. So communication is key, not only in planning, but also in the execution phase and the reporting phase. The next two phases' activities we'll go through at a high level; we won't go into too much detail in this course because Courses 2 and 3 will cover these areas.
So for execution, or fieldwork, these activities include creating and managing evidence requests, sample sizes and populations, conducting meetings and work sessions, examining evidence and deviations against work papers, reviewing and approving work papers, and, as I said, client and team communication again. Lastly, reporting: assessing control findings, drafting audit reports, creating lessons learned, summary memos and wrap-up documentation, and stakeholder review and approvals. And again, client and team communication is vital and critical throughout the entire audit process. You need to be able to communicate the findings and the audit report to the stakeholders.

8. How to conduct audit planning and pre-planning activities: It is important to understand the different planning activities in detail. After all, you will need to understand and conduct these to perform a smooth and effective audit. Planning activities are broken down into several areas: pre-planning administration, understanding the client, defining the scope and objective, planning documentation, and communication. In the next couple of slides we'll go over each of these bullets and topics in detail. All right, let's take a look at pre-planning activities. There are five areas. The first is approval to conduct the audit. Second is client capacity needs. Third is independence and ethics. Fourth is budgeting and resourcing. And fifth is accepting the client. For approval to conduct the audit, this involves things like establishing the legalities and having a formal contract in place so you can conduct the audit. It's important to obtain management and client buy-in and approval so that you have all the permissions to conduct the audit. If you're doing external audits, it's also important to establish terms for payments and fees, because you don't want to have a fee risk and have to chase the client for payment down the road.
It's also important to consider whether this is a new or existing client, because depending on the nature of these, some firms or organizations may go through additional rounds of approvals, forms and administrative work to perform the audit. Client capacity needs also need to be considered, for example client availability. Do they have the staff and time to support the audit? For example, if there's a new system update or project being implemented, would they be jeopardizing that work to support us, or would they not have the staff to support us at all? Understanding objectives is also important: is your audit focused on an assessment type, a review, or is it a SOC report? We need to understand what the objective is. Laws and regulations need to be considered as well. Whether your client is internal or external, you need to understand whether they are subject to certain laws and regulations. Independence and ethics: we already mentioned the details of this, but it's also important that your staff are independent and objective throughout the audit. Do they have financial interests? Do they own shares, bonds or loans of the company you're auditing? Do they have non-arm's-length relationships? Are they related to someone that they're auditing? Client reputation: you need to understand whether the client is dealing with fraud, litigation and other things, because as an auditor you need to have professionalism and credibility, so client reputation also impacts us as auditors. And conflicts of interest, for example if you're doing consulting for the client you're auditing; you don't want that self-review threat. Next is budgeting and resourcing. You need to consider staffing needs and requirements. For example, for complex systems like mainframes or core databases or SAP, you need to have these folks lined up so that when fieldwork begins, everything goes smoothly.
Because once fieldwork begins, timelines and execution pick up relatively quickly, so you need to have these folks ready. Timelines, milestones, budgets and effort need to be considered. For example, you need to understand how much time is sufficient to execute your fieldwork, to follow up, and finally to discuss findings and recommendations and present the report to the relevant stakeholders. Finally, accepting the client is one of the final steps. This generally applies to external auditing, where you consider all these different aspects in pre-planning to determine whether you should go forward with the client. For internal auditing, we generally consider different aspects: do we have the availability, do we have the time, do we have the budget and effort to conduct it, or should we defer the audit? So the final step is accepting the client after considering all these different aspects.

9. Test your pre-planning knowledge: Let's take a look at a pre-planning scenario to test your knowledge of what we've just learned. I'm going to walk us through step by step to exactly what the answer is in a second, but here is the scenario. A company is interested in our services to review their IT database systems for customer data for control weaknesses. The company sells insurance, and there have been phishing incidents targeting the customers and staff in the last six months. The company would also like us to finish the audit within two weeks, which normally takes us five weeks to finish. They'd also like their IT manager to perform the audit as well, since they believe that this will save costs and make it more efficient. Looking at this, we have to consider what some of the important aspects in pre-planning are based on this information. Let's take a look at the different options available and select the right answer. There are options A, B and C. I'll give you a couple of seconds.
Then I'm going to select the right answer and walk us through step by step how we derived it. The right answer is option A, and this includes considering things like independence, new client, recent attacks, new IT systems and tight timelines. Looking at the highlighted sentence, we can see that the client wants the IT manager to perform the audit with us. In the previous lectures we went over the different factors for independence. It's important to understand that independence normally applies to audit groups, but it also applies in cases involving clients. In this scenario, they want their IT manager, who is also responsible for managing the processes and systems, to audit the work as well. This creates a self-review threat, which is a violation of independence. Next is new client. This is straightforward: they reached out to us to obtain our services, so we know that this is a new client. It's also important to look at the sentence and find that there's a new IT system involved, because they mentioned that they have a new IT database system for the customer data. Next is recent attacks. In this scenario, we know that there were phishing incidents targeting the customers and the staff in the last six months. Understanding that there were recent attacks gives us an idea that there are potentially existing vulnerabilities in the networks or IT systems. And lastly, timelines. The client has asked us to conduct the audit in two weeks, but we normally do it in five weeks. So this is a no-brainer: there's a tight timeline issue. Looking at all of this, we can see that there are many different things that we need to consider in pre-planning.

10. Understanding the client: To have effective scoping, it's important to understand your client and auditee, and this involves understanding four different areas.
The first is understanding the environment. This looks at the landscape of the client's systems, data and IT-dependent processes. For example, does this client use Linux or Windows servers? Does this client have certain types of vendor arrangements involved? It's also important to look at the volume of data being processed, because if it's high volume, chances are the systems involved are a bit more complex. In terms of IT-dependent processes, what systems and processes are in place to support the applications? For example, are there change management processes? Is there system development? Are there access management processes in place? So it's important to understand this landscape when understanding the IT environment. The second is understanding the people. When we understand the people, we look at things like roles and responsibilities, because this gives us an idea of whether certain IT processes are managed by certain teams, and it also helps us identify the stakeholders involved so that we can escalate, or reach out to gather evidence, and so forth. This all helps us determine a clear reporting line and also helps evaluate whether people are competent or expert at managing certain processes. When you examine design and execution, it's important to understand whether people are competent to perform the controls. Third is understanding data criticality. This means knowing the data criticality and dependencies of different systems and the interfaces between them. Is there middleware, or are there API calls between different systems? It's important to understand these relationships, and to understand whether relevant business processes are in place that depend on these critical datasets or critical paths. Last but not least is understanding events and weaknesses.
For example, recent breaches, new systems, historically failed controls or turnover all impact not only the audit, but the client as well. If the client has new systems in place, chances are the controls are not as robust or mature to support a lot of the objectives of the company, so you might want to focus on areas like that. Another aspect is historically failed controls: it's important to understand why a control continues to fail, and whether there is mitigation in place or remediation the client has been working towards. So that's another area that you might want to focus on in your audit.

11. How to define your scope and objective: After understanding your client and auditee, it's important to define your scope and objectives. This is broken down into three main areas. The first is control and risk assessment, second is timelines and audit periods, and third is the audit objective. When we conduct the control and risk assessment, which I'll go into in more detail in the next couple of slides, we need to consider things like high-risk areas, ineffective controls, new controls and systems, major changes in the nature of controls, and also whether there are any client or auditee recent assessment challenges or assurance evaluations of the applicable controls that we may be looking at. Next is timelines and audit periods. We need to consider the timing of our audit and milestones: for example, the planning start and end dates, the period that we're testing, the fieldwork start and end dates, the audit report and findings dates, and any internal milestones that we agreed with the client and our stakeholders. Last but not least is the audit objective itself. We need to determine a statement that outlines the purpose of the audit. The statement should align the client's and the stakeholders' audit needs, such as frameworks, standards or any key controls and processes, and also the scope area.

12. Test your planning knowledge: Let's take a look at another scenario, and we'll go over planning in this case. We're going to go through it step by step and walk through exactly what is important for scoping. In our case, the client has gotten back to us and accepted the audit, and they wanted to inform us of some of the basics before we begin the audit. So they introduced us to their IT manager, who manages three people. This department performs different IT systems and processes, like IT operations for problem and issue management, patching vulnerabilities, access management, system development and security. They also have various systems, such as Pay One for payroll, SAP for the ERP system, and general MS Office 365. Pay One and Office 365 are Software as a Service, and their data and backups are Infrastructure as a Service. They are planning to move to a new SAP system as well in the next couple of months and have actually gone through business requirements. The reason for the switchover was that Pay One had integration issues and was subject to many breaches, and the finance team mentioned that the system was not reliable and they had to perform a lot of manual calculations. So in this case, how would you identify what is relevant for scoping, and where would it belong? Here is a step-by-step breakdown of how the information given by the client applies to our scope and understanding of the client. The first section identifies who the auditee contacts are and their responsibilities. We now know that there's an IT manager who manages three people, so it's a relatively small department. But we also understand that they perform certain IT operations processes, such as problem and issue management, patching, access management, system development and so forth. The next section identifies the systems that they use and also gives us a hint that there are vendors involved. For example, Pay One and Office 365 are Software as a Service.
So we know there will be vendors involved, and the processes mentioned above may not necessarily apply to many of these systems because the vendors patch the systems for them. The key information we got out of this is that there is actually a third vendor which they had not specifically mentioned; we know this because they said they use Infrastructure as a Service. We will probably need to ask for more walkthroughs to get more detailed information on who the vendor is and what their responsibilities are. The next section identifies that they will soon be implementing a new system. New systems generally cannot yet be tested in terms of their production processes like access management, patching, and maintenance. What is important is that, because they are implementing the system, things like project management and governance, as well as vendor selection, matter: how they design the system and how it is implemented going forward is important. Understanding that proper procedures and controls are in place during the project development lifecycle gives us more confidence that the other controls, and the data feeding into these processes, will be reliable going forward. So this may be an area we would like to look into. The next section tells us that there have been breaches in the system. Understanding the type of breaches gives us an idea of whether there are vulnerabilities in different systems or networks, and it gives us an opportunity to point these out to the client so that they can remediate them. The last section identifies that there are control weaknesses, and that this is due to unauthorized access. When there is unauthorized access, possibly by privileged users in the system, chances are the integrity of the system is not complete.
In this case, we might not place as much reliance on the system's output, so we might perform additional procedures. This coincides with the fact that the client is doing manual calculations because there is unauthorized access in the system. We might add procedures or additional steps to ensure that when we audit the system, we at least address whether the information is complete and accurate.

13. How to document Cyber & IT planning documents -1: After determining the scope and completing high-level planning activities such as understanding the client and pre-planning, it is important to document your planning considerations. We document our planning not only to demonstrate that we conducted planning properly, but also because regulators, other auditors, and agencies may inspect and review our documents. There are many different planning documents, such as the planning memo, scoping memo, risk assessment, test scripts and procedures (also called the worksheet), engagement letters, and start notices. We will now go through each of these in detail. The planning memo summarizes the planning activities, and it consists of many different sections within one document. You can download a copy of it from the course resources to follow along. One of the main sections in a planning memo provides the overview and background of the auditee and client: roles and responsibilities, systems involved, and any background information that describes the client. The next area the planning memo documents is the auditor's understanding of the client's environment. Recall how we discussed understanding the client's processes and controls; this section enables the auditors to document that understanding. Depending on the firm or organization, auditors may document this within the memo or reference it from outside.
Laws and regulations are also important and should be documented to illustrate that the auditors have considered applicable standards and laws that may impact the system. For example, if the client's databases and applications process credit card data, then PCI DSS would be an applicable standard that we may consider in the audit. The third is the use of third parties and subject matter experts. Depending on the audit, these people may be involved; if we are using experts to assist with tests and procedures on controls in the audit, it is important to document their roles and responsibilities, their competency and experience, and whether they are independent. Relevant matters for consideration is a section for additional scope that we may want to test or consider in the audit. For example, if there was a cyber breach in the last couple of months, we should document our understanding of that breach, whether we plan to address it, and how it impacts our audit. Risk screening and assessment, which we will go over in detail after this, is also documented at a high level in the planning memo or referenced from here. As mentioned earlier, risk assessments are important when we do scoping because auditors test controls through a risk-based approach: if there are certain high-risk areas, chances are we would test those controls and processes. This memo outlines the processes, risks, and controls that we may scope in or out, and also documents our rationale for the risk assessment. Scope and objective, as mentioned earlier, is the outline of the determined scope based on the risk assessment. We may specify the specific systems, processes, and controls we are testing, along with a description of our objectives. Again, depending on the company or firm, you may reference this or document it separately in a scoping memo.
Resourcing and timelines should also be considered in the planning memo because it helps us manage our projects internally. The audit manager or lead would outline the resources and staff on the team, along with their roles and responsibilities and whether they are trained, competent, and independent. The timelines, deliverables, and milestones would also be documented in the planning memo. Lastly, the appendix would hold the various documents referenced from the sections above; for example, if there were applicable laws or risk profiles described in the sections above, we would reference them and the appendix would contain that relevant information. In terms of sections in other planning memos, please note that every company will have its own format. Moreover, depending on whether this is an integrated audit or an external audit, things like materiality, budget, or other aspects will also be included, so keep in mind that this template is only one example. In our example, the assumption is that this is a standalone internal audit planning memo; regardless of the nature of the audit, most of the sections described here would be the same in other types of audits.

The next document is the scoping memo. The scoping memo essentially outlines the scope considerations to keep in mind, and it is based on the risk assessment, which we will go through in the next document example. In the scoping memo, the results of the risk assessment and the discussions and considerations behind them are documented. The scope period defines the period for which our control testing evidence would be valid for inspection and conclusion. The in-scope applications and processes section outlines the specific IT systems, whether certain processes are in scope, and whether these processes are managed by third-party vendors or internally.
This section also documents any out-of-scope processes, controls, and systems, along with the rationale. Finally, the other matters for consideration in the scoping memo may include other controls or processes that we aim to audit, such as medium- or low-risk processes, or anything of special relevance to the audit; for example, if there is a new project being implemented, is data being converted? These are things we may take a look into. Keep in mind that this is a high-level scoping memo and that each company and firm may have their own sections and components as well.

We will now go into the risk assessment, also called the risk screening memo. As mentioned earlier, the risk assessment feeds into the scoping memo. The risk assessment essentially lists the systems that are relevant to the client and the various processes that we may test in our audit. For example, in the systems tab here we outline the various systems and tools that are relevant to our audit. For simplicity, let's assume these are the main systems, the core data, and the infrastructure that supports them. Generally we list these systems and tools so that we can assess whether each is in scope or out of scope, and how they all fit into the bigger picture. The second tab is the risk assessment, or the risk screening, and it outlines the various IT processes that are relevant for the audit. There could be many more processes, but let's keep it simple: these are the main processes that we learned from the client. The next step is to document our understanding of the risk. We will go through one example here, which is access provisioning. You can see there are various columns, and one of the main terms we should know is inherent risk. This is defined as the risk that would occur if no controls were in place.
We determine inherent risk through two components: likelihood and impact. Impact is defined as the damage or exposure that could occur to the client if the risk materialized, whereas likelihood is the possibility or chance of the risk actually occurring. Once these are documented and assessed, the next step is to determine what controls the client has in place to address this risk. We obtain this through our understanding of the client. Remember how we said we should understand our client and conduct walkthroughs to learn what processes are in place; this is where we document that and map it to the risk. We document our control description based on our understanding from the client, but also other information such as the design effectiveness and, if we did the audit in the prior year, the actual operating effectiveness from the prior year, as well as the frequency, the control nature, and whether it is in scope or out of scope for our audit. This assessment will support our scoping memo and provide documentation to demonstrate that we have done our due diligence as competent auditors. Again, please note that each company or firm will have their own templates, categories, and methodologies for assessing risk; this is a simple example to demonstrate the nature and spirit of a general risk assessment.

14. How to document Cyber & IT planning documents-2: After the scoping memo, planning memo, and risk assessment have been created and reviewed by your audit partner or senior manager, the next step is creating the audit procedures or test steps that will help you conduct the audit. In most cases, companies and firms will already have procedures and test scripts for general IT controls.
At times, however, you would still have to adjust or manually update these, especially for certain clients and auditees with their particular systems, controls, and processes. Regardless, having adequate procedures and test scripts will prepare you for the execution stage of the audit. Let's go through an example, which is the worksheet or work paper you see here. It contains various items, but it also includes the test script procedures. Before we begin, the term worksheet or work paper is defined as a document that tracks the auditor's testing of a control. It usually contains things like the control name, risk ID, description, walkthrough documentation, and control design evaluation. We won't go into every detail of these components here, because the second course, which covers execution, goes over some of these in detail. The main focus of this example is the procedures. You can see that the test procedures are laid out in order: for example, you first obtain evidence of the system listing, and the second step is to evaluate whether that listing is appropriate, and so forth. So the audit steps flow in an orderly fashion. How these steps are created relies on two things. The first is the experience of the audit manager or lead creating them, which is important because they will generally have the knowledge to create the procedures. The second is the team's understanding of the client and their systems and processes. From these we can derive specific test procedures that will test the control's ability to address the risk. So this is an example of a worksheet, or test script procedure. The next document we will go over is the start notice. Start notices are usually issued by internal auditors to the applicable management or executives.
The purpose of the start notice is to communicate to executives and management that an audit is going to take place, so that if there are any issues with escalation, coordination, awareness, or findings, at least management is aware. The components of a start notice encompass what exactly we are auditing, any relevant background information on the entity, business line, systems, or processes being audited, and any prior-year ratings so that management understands whether this is a new or a recurring audit. It also includes things like the start and end dates and contact information in case executives have any questions or concerns. That, overall, is a start notice.

The final document we go through today is the engagement letter. The engagement letter is generally issued by the external auditor to people like the board of directors, the CEO, or the audit committee. The engagement letter confirms the professional services that the auditor is performing for the client, and it has various components. The first is outlining the objectives and limitations of services. In this section, the auditor explains what exactly we are auditing against, what the applicable standards are, and that reasonable assurance is being provided. Keep in mind that there are many different types of assurance, which we went through earlier in this course, and absolute assurance cannot be provided. It is important to state this explicitly, because when arguments or legal matters arise, the auditor can show that reasonable assurance was provided and not absolute assurance. There is also other boilerplate information that the auditor specifies in the letter to protect themselves. Another area in the engagement letter is the responsibility to communicate with management.
If there are any issues, errors, or fraud in the systems or controls, the auditor has a responsibility to communicate them on a timely basis. Other sections include management and auditor responsibilities. Finally, there is a section on independence standards, which specifically outlines the auditor's compliance with independence and any applicable standards. Other areas that may be included in the engagement letter depend on the firm or the type of engagement. These can include things like the scope and areas of review; the fee, such as payments or when payment is due; the team members and contacts involved; and specific deliverables. For example, if there are different types of assessments or assurance reports involved in this engagement, the auditor may specify these along with it. Any relevant timelines and milestones may also be included in the letter. All in all, this is an engagement letter.

15. Communication and Kickoff to your clients: Finally, we come to the last stage of the planning activities, which is communication, or the kickoff. It is important to have communication throughout the audit, but it is especially critical to communicate the scope, plans, and logistics to clients and stakeholders at the beginning. The kickoff is essentially a meeting with your clients and auditees to go through the areas and controls your team is reviewing, the expectations, the scope period, logistics, and so forth. For example, you may want to go over certain milestones and when you expect to share your findings in the report. The overall benefits of this communication include building rapport and relationships with the client and auditee, providing transparency, reducing push-back from the client and auditee, and setting expectations and approaches for logistics. So the kickoff and communication are a really important part of planning.

16. Understanding basics of Cybersecurity: This brings us to the last section of the course, in which we go over an introduction to cybersecurity, general IT processes, and IT and cyber risk. So what exactly is cybersecurity? Many people have different interpretations and impressions of it. When people think of it, they think of hacking, penetration tests, or log monitoring, but it is actually a whole field of different things revolving around physical security, logical security, and other security aspects. Here we have a word bubble which shows you the different areas of cybersecurity, and there is so much more to it: encryption, vulnerability management, vendor management, security architecture, security configuration. All these different things are part of cybersecurity. One of the best ways to understand cybersecurity is by breaking it down into different domains. (ISC)², through the Certified Information Systems Security Professional (CISSP) certification, breaks it down into eight domains. The first domain is security and risk management, and this covers different concepts like confidentiality, integrity, and availability, professional ethics, security governance, compliance requirements, personnel security policies and procedures, and so forth. The next domain is asset security. This covers the security requirements for information assets within an organization, for example data classification, retention, handling, and so forth. The third domain is security architecture and engineering. This includes various aspects of design principles, models, secure capabilities, and security architecture: things like engineering implementation using secure design principles, fundamental concepts used in security models, encryption, and applying and implementing security principles and controls to different sites. The fourth domain is communication and network security.
This looks into things like network components, protocols, and principles for implementing communication; looking at the OSI model or the TCP/IP protocols is an important aspect of this domain. The fifth domain is identity and access management, which covers user access and identity features within an organization. Topics include controlling physical and logical access to assets, integrating identity as a third-party service, and so forth. The sixth domain is security assessment and testing, which covers things like assessing and testing security controls, collecting security data, analyzing test outputs, generating test reports, and facilitating security audits. The seventh domain is security operations. This covers things like planning operations, conducting investigations, and monitoring and protection techniques. It looks at things like understanding investigations, establishing logging and monitoring activities, asset inventory, configuration management, and so forth. The final domain is software development security, which covers concepts and applications in the system development lifecycle, things like agile, hybrid models, and waterfall, and executing security controls in development environments and how best to protect them. These are the domains in the (ISC)² model. We are not going to go over each of these in detail; in the next couple of slides, we will look at some of the core concepts and basics of what cybersecurity really is.

17. Understanding basics of Cybersecurity: Availability: One of the core concepts in cybersecurity is the triad of availability, confidentiality, and integrity. Availability means enabling system services and resources to be accessible by users and other systems. Confidentiality means ensuring that the data and information from the systems are restricted to authorized individuals with appropriate access and privileges.
Finally, integrity means ensuring that the system itself and the data it holds are complete and accurate, and are not subject to manipulation or unauthorized modification. These three concepts set the cybersecurity foundation for the organization to protect its IT assets and environment. In the next several slides I will go over the concepts in each of these areas and the cybersecurity controls that uphold these principles. Additionally, I will use the diagram below to illustrate how cybersecurity is designed and implemented to uphold each of these principles, so let's quickly go over the diagram to understand each component. Looking at the diagram, you can see it is split into several areas: the private network, the infrastructure, the computers and apps, and the network infrastructure. The private network is essentially a network that is accessible by employees of the organization and is separated from third parties on the internet. The private network operates on private IP addresses, and the organization will have its own custom set of private networks with different computer assets; for simplicity, let's assume that in our case this is our setup. The infrastructure layer generally consists of things like databases, servers, integration services, hardware and devices, systems, and the network. In our example, for simplicity, we only have a database and a server, and we are also going to separate the network from the infrastructure into its own network infrastructure area. For those who are new to IT, a database is a central collection of information and data that is organized so that it can be easily accessed, managed, and updated. A server is a piece of computer hardware or software that provides functionality for programs and devices, such as storing, retrieving, and sending different files.
In our case, if the computers are requesting resources or files from the database, the server helps coordinate providing the files from the database to the user's computer. The computers and apps are grouped into their own area; let's assume these computers are employees' workstations with different applications installed, and that the employees use these computers to carry out their own workflow. The network infrastructure usually contains more complex devices and systems such as modems, routers, firewalls, switches, hubs, bridges, and so forth, but to keep it simple, let's assume we have a router and a firewall. A router is essentially a networking device that forwards data packets between computers and networks. A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on rules. Now that we have a basic understanding of the setup and the basic terms, let's look at how we can apply cybersecurity to the availability principle. As mentioned earlier, cybersecurity is the protection of systems, assets, networks, and software from threats and risks. As you become more advanced, there will be more concepts for protecting a system's availability from different kinds of cyber attacks. In our case, let's go over two simple goals that ensure the availability principle is being met. The first is to make our data available in the event of disasters or IT system failures. The second goal is to ensure that our networks and systems remain available in the event of attacks. Looking at our diagram, the first goal is to protect our data and make it available if things go wrong. In this case, some of the best practices include data replication and data backup, so IT would implement these controls to ensure that data remains available.
For those who don't know what data replication is: data replication is essentially replicating the stored data to a second location, so that if the first location is destroyed, the data is still available. Data backup also helps fulfill availability, because if a system is down, users can retrieve backed-up data to resume operations. To achieve the second goal, the best way is to harden and secure the endpoints of the network. In this case, although we already have the router and firewall, strengthening their security configurations and protocols helps us prevent potential attacks, such as denial of service attacks. Denial of service, or DoS for short, involves malicious attackers targeting organizations with botnets or protocol attacks to cause a system or network to shut down. The mechanism the attacker uses essentially drains the computing resources of the victim server or system, causing it to shut down. To prevent this, firewalls can be hardened with additional rules to stop unwanted traffic from entering the network, and routers can be configured to perform packet scanning to detect DoS attacks. These are the cybersecurity controls and mechanisms that uphold availability.

18. Understanding basics of Cybersecurity: Confidentiality: The next principle is confidentiality. Some of the goals of confidentiality are to protect the data we have at rest and in transit. Data at rest is data being stored in the database; data in transit is data being moved from one location to another. Another goal that upholds confidentiality is restricting users' access to least privilege or need to know. The reason you should restrict access is that users with higher levels of access can grant themselves or others access to different files and resources that may hold confidential data. So how do we accomplish these goals to uphold confidentiality?
For the first goal, one of the best ways to protect our data at rest and in transit is to use encryption. Encryption is a security technique that converts plaintext information into unreadable text, called ciphertext, via cipher algorithms. It uses methods such as private-key or public-key encryption, and the matching key can decrypt the encrypted data for use. The benefit of encryption is that if an attacker gets hold of the data from the database or in transit, they will not be able to use the data if they do not have the necessary keys to decrypt it. The second goal, preventing and limiting user access by least privilege or need to know, is basically access control. We can restrict the users on our databases, servers, computers, and networks to only authorized individuals, and there is then less chance that our data can be stolen or exported outside the network. Access control can go one step further if it follows a least privilege or need-to-know basis, and these are important concepts in logical IT access controls. Least privilege means users are given the least amount of privileges in the system needed to operate and nothing more; need to know means users are given just enough access to conduct their jobs or duties. Together these secure access in our IT environment so that the confidentiality principle can be upheld.

19. Understanding basics of Cybersecurity: Integrity: The last principle is integrity. Some of the common goals include ensuring that the data and files have integrity, and restricting access, which helps maintain integrity because only authorized individuals can make modifications. So how do we accomplish these goals? One of the first ways is to hash the file. Hashing is a security mechanism which calculates and provides a hash value for a file or dataset through a hashing algorithm. For example, you have a file and apply a hashing algorithm to that file to create a hash digest, which contains a value.
If someone later changes that file, you can take the file and recreate the hash digest. Because changes were made to the file, the hash value of the new digest will be completely different from the old hash value, and this indicates that there were changes to the file. Therefore, if you hash your data as a security measure, you can track whether the data's integrity was compromised. Another aspect of maintaining integrity is privileged access. Similar to what we discussed under confidentiality, the fact that only authorized individuals are in our IT environment means there is less chance that these individuals will make unauthorized or inappropriate changes to the system.

20. Knowing the differences between Cybersecurity vs general IT: In summary of the three principles of cybersecurity, we went over each principle and discussed examples of cybersecurity controls and the mechanisms that uphold them. In the next set of slides we are going to go over IT controls and processes. Please note that there is actually a gray line between IT and cyber controls, since IT controls and processes are really part of cybersecurity controls and processes. I have outlined them in a table. The main difference is that cybersecurity dives into more of the technical aspects of IT systems, processes, and mechanisms, whereas general IT controls touch on the higher-level management and operational processes that secure the IT environment. Another point I would ask you to note is not to think of cybersecurity and general IT controls as mutually exclusive, because they do overlap. Cybersecurity encompasses IT processes and controls, and IT processes and controls can also embed some of those cybersecurity techniques, so the two work hand in hand.
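As an added example (not material from the course), here is a small Python script that applies the hashing check described in lesson 19 the way an auditor or administrator would use it: it records a SHA-256 baseline for a set of files and later reports which files were modified, added, or removed. The file names and contents are constructed for the demo.

```python
"""File-integrity baseline and check using SHA-256 (added example, not course material)."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read in chunks so large files are not loaded into memory at once


def sha256_of_file(path: Path) -> str:
    """Hex SHA-256 digest of one file: any change to the bytes changes this value."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative, forward-slash path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_baseline(baseline: dict, out_file: Path) -> None:
    """Persist the baseline; in practice keep it where the monitored host cannot alter it."""
    out_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify each path as modified, added, missing or unchanged."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
        "unchanged": sorted(p for p in baseline if p in current and baseline[p] == current[p]),
    }


def demo() -> dict:
    """Constructed walkthrough: baseline three files, then tamper with one, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        data.mkdir()
        (data / "payroll.csv").write_text("emp,amount\n1001,5000\n")
        (data / "config.ini").write_text("[db]\nhost=db01\n")
        (data / "old.log").write_text("rotated\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(data), baseline_file)

        # Later: one extra zero in payroll.csv, old.log gone, a new file appears.
        (data / "payroll.csv").write_text("emp,amount\n1001,50000\n")
        (data / "old.log").unlink()
        (data / "notes.txt").write_text("added later\n")

        return compare(load_baseline(baseline_file), build_baseline(data))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```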
Lastly, we should also say that the nature of cybersecurity focuses more on the protection of IT assets and the environment, while IT processes and controls are driven more by operational risk management and control objectives in the first place. At the end of the day, these two are interlinked, so when you conduct cyber or IT audits they need to be viewed together.

21. Gaining knowledge in IT processes and access mgmt controls

Let's go over general IT processes. It's important to understand these because when we go through planning and also execution of our audit, if we don't know what these processes are, we won't be able to effectively plan or execute on these controls. In the next set of slides we are going to go over each of these processes in a bit more detail. For now, these are the core processes we will go over: access management, patch and vulnerability management, network security, incident management, vendor governance management, security configuration management, logging and monitoring, and change management. Let's look into the access management processes and controls. There are six of these, and we will go into each in the next set of slides. The first is access provisioning, which is the process of granting users access to resources in IT assets. The next is access modification, which is the process of modifying a user's access to IT processes and assets due to role changes or updates to their duties. Access revocation is the process of removing or disabling a user's access due to termination, leave, or the access no longer being required. Access review is the process of periodically testing and verifying whether users' entitlements and access are appropriate or not. Privileged access is the process of securing and managing the appropriateness of super-user and admin accounts in a system. And finally, authentication is the process of authenticating a user by local passwords, single sign-on, multi-factor or other mechanisms.
Now you may notice that I put a label of the control nature on each of these control processes. By nature, some of these designs may be different in every company or firm, but I put these labels so that when we go through our specific examples you'll notice that these are actually preventive or detective controls. So this links back to exactly what we went over in the first section of the course. All right, access provisioning. As mentioned earlier, access provisioning is the process of granting users access to specific systems. In our example here, we have a precondition where we assume the organization allows self-service requests, which means the requester can submit requests for specific system access. Looking at our diagram to see how it plays out: in step one, the requester submits a request for the system access via ticket or email. This ticket or email then gets sent to the requester's manager or the system owner for approval. The approver then reviews the requested access against the job description or duties. This is essentially the control point, because the approval determines whether the user's access is appropriate or not based on the request. If the access being requested is not appropriate, they reject the request and cancel the ticket, and this ends the process. But let's say the access requested is appropriate for the user: they approve the request, and it then gets sent to the system admin, who actually grants the access. The admin reviews the request and then grants the access. So this is how the access provisioning process works. The second process is access modification, which handles how access is updated and removed for existing users. The precondition in our example is that an employee has a new job promotion and requires a different set of access than in the prior role.
So let's look into our diagram. In step one, the manager requests and reviews the direct report's new job description and verifies whether the current access is still required and whether new access is needed. The control point here is whether there are changes to the access. If there are no changes, the process ends. But let's say there are changes: the manager then opens a ticket or email request indicating the access the employee needs for his or her role, and also states the specific access that is no longer required, for removal. This then gets sent to the system admin, who reviews the request and grants the new access or removes the old access accordingly. So this is the modification process. The next process is access revocation. This usually occurs when there is a termination or when the user no longer requires access. We have a precondition in our example where HR and the employee's manager have already conducted the administrative and clerical duties, like exit interviews, for the former employee. The process for access revocation from the IT perspective is that the manager or HR submits a ticket or email request to the IT service desk for the former employee. If the user did not have access to any systems, the process ends; but let's say they do. Then the manager opens a ticket or email request indicating the access the employee had and what access is to be disabled or deleted. This eventually gets sent to the system admin, who reviews the request and removes the access accordingly. So this is the example of access revocation. Access review is the process of periodically reviewing a user's access by the people manager or the system owner. In our example we have a precondition where we assume the system admin manages and coordinates the access review process.
At the beginning of the process, the system admin, on a periodic basis, generates a list of users from the system and sends this list to the appropriate people managers. The reviewer, which is the people manager, then reviews the list of users under his or her reporting line and their given access. The control point here is that the reviewer determines whether each user's access is appropriate or not. If it is, the people manager sends the confirmation, or attestation, back to the system admin that there are no changes, and the process ends. But if there was inappropriate access, the people manager sends the attestation back to the system admin with, of course, the access to be changed. When the system admin gets this confirmation, they make the changes to the user's access based on the people manager's attestation. So this is access review. Privileged access is a logical, technical control, so instead of going over a flowchart diagram it may be best to go over some of the best practices. Number one, privileged access on systems should be restricted to system admins and support staff, and end users shouldn't have privileged access. Second, named IDs should be used on the system, as this enables accountability and traceability of privileged account activity. Third, system accounts should be locked and disabled. If system accounts have privileged access, they should be locked and disabled so that no other user can use them unless there is an emergency. Fourth, privileged access should be on a need-to-know and least-privilege basis, which means users should only be granted privileged access when they need it and for what their role needs it for. Finally, shared accounts are prohibited unless secured through password manager tools.
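An auditor's test of the revocation, review and privileged access practices described above, as an added example (not from the course): reconcile the HR roster against the system's user list and raise the exceptions a people manager or system admin would have to explain. The roster, account names and the one-day revocation SLA are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    status: str                  # "active" or "terminated"
    manager: str                 # people manager who attests in the access review
    term_date: Optional[date] = None


@dataclass(frozen=True)
class SystemAccount:
    account_id: str
    emp_id: Optional[str]        # None for generic/service accounts not tied to a person
    enabled: bool
    privileged: bool


# Constructed HR roster and system user listing (not real data).
HR_ROSTER = [
    HrRecord("E100", "active", "mgr.bob"),
    HrRecord("E101", "terminated", "mgr.bob", date(2024, 3, 1)),
    HrRecord("E102", "active", "mgr.erin"),
    HrRecord("E103", "terminated", "mgr.erin", date(2024, 3, 10)),
]

SYSTEM_USERS = [
    SystemAccount("alice", "E100", enabled=True, privileged=True),
    SystemAccount("carol", "E101", enabled=True, privileged=False),     # terminated, still enabled
    SystemAccount("dave", "E102", enabled=True, privileged=False),
    SystemAccount("frank", "E103", enabled=False, privileged=False),    # terminated, correctly disabled
    SystemAccount("ghost", "E999", enabled=True, privileged=False),     # no HR record at all
    SystemAccount("admin", None, enabled=True, privileged=True),        # shared generic admin account
    SystemAccount("svc_backup", None, enabled=False, privileged=True),  # system account, locked
]


def reconcile_access(hr: List[HrRecord], accounts: List[SystemAccount], as_of: str,
                     revocation_sla_days: int = 1) -> Dict[str, object]:
    """Return the exceptions an auditor would raise from an HR-to-system reconciliation."""
    as_of_date = date.fromisoformat(as_of)
    hr_by_id = {r.emp_id: r for r in hr}
    findings: Dict[str, object] = {
        "terminated_still_enabled": [],    # revocation control failed or is late
        "orphan_accounts": [],             # account tied to an emp_id HR does not know
        "generic_privileged_enabled": [],  # shared/system privileged accounts not locked
        "privileged_review": {},           # manager -> privileged accounts to attest
    }
    for a in accounts:
        if a.emp_id is None:
            if a.privileged and a.enabled:
                findings["generic_privileged_enabled"].append(a.account_id)
            continue
        rec = hr_by_id.get(a.emp_id)
        if rec is None:
            findings["orphan_accounts"].append(a.account_id)
            continue
        if rec.status == "terminated" and a.enabled:
            days_open = (as_of_date - rec.term_date).days
            if days_open > revocation_sla_days:
                findings["terminated_still_enabled"].append((a.account_id, days_open))
        elif rec.status == "active" and a.enabled and a.privileged:
            findings["privileged_review"].setdefault(rec.manager, []).append(a.account_id)
    return findings


if __name__ == "__main__":
    for name, value in reconcile_access(HR_ROSTER, SYSTEM_USERS, "2024-03-15").items():
        print(name, value)
```

Each bucket maps to a control above: terminated_still_enabled is a revocation failure, orphan_accounts and generic_privileged_enabled are what the named-ID and locked-system-account practices are meant to prevent, and privileged_review is the list each people manager would receive to attest.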
So if there are privileged accounts that are shared by a team, they should be secured in a way that enforces traceability and accountability as well. Authentication is a logical and technical control, and its aim is to prevent unauthorized users from entering the system. Here are some of the best practices. The first is having strong password parameters. This includes configuring your system for password length, password age, password complexity, password history and lockout after a number of failed attempts. Another best practice is multi-factor authentication, which means requiring at least two different authentication factor types, for example Type 1 (something you know, such as a password) and Type 3 (something you are, such as a fingerprint); two passwords are still a single factor. Lastly, encryption is important: passwords in transit should be encrypted, and stored passwords should never be kept in plaintext (in practice they are stored as salted password hashes rather than reversibly encrypted). So these are some of the best practices that reinforce authentication.

22. Gaining understanding in patch mgmt

The next general IT processes and controls are patching and vulnerability management. We split this into two controls: one is vulnerability assessment and the other is patching. Vulnerability assessment is the process of scanning for vulnerabilities in IT systems and evaluating those vulnerabilities. Patching is the process of applying the latest security features, configurations and fixes to reduce potential threats and risks while addressing vulnerabilities in IT systems. Here is the vulnerability diagram. In our example we assume the organization uses an automated scanning tool to detect vulnerabilities, and that there is segregation between the vulnerability team and the patching team. This means the patching team remediates, which we'll go over in the next process, and the vulnerability team scans, documents and lists out the reports of vulnerabilities.
Looking at our diagram, we first start with the scanning tool, which scans a range of IPs or receives configuration files from embedded agents. The report or listing of vulnerabilities is then provided to the vulnerability team, which assesses, evaluates and reviews whether the listed vulnerabilities would impact the system. If a vulnerability doesn't impact the system, they simply conduct a risk assessment and document the finding and the rationale. But if it does impact the system, they again conduct a risk assessment, determine the risk level, and then prioritize the vulnerabilities to remediate. This is important because there are so many different types of vulnerabilities, and it's important to rank which are critical, high, medium or low so that the patching team, or whichever team is responsible, can remediate in a timely manner. After this is done, they communicate with the relevant IT teams to discuss the patching of these vulnerabilities, and the process ends. Patch management builds upon the vulnerability management process we just talked about. The precondition is that the organization has an established change management process which the patch team must go through when implementing new fixes, patches or security updates to the system. Looking at our diagram, the patch team first receives the list of vulnerabilities. From there the patch team may meet with the vulnerability team to understand the vulnerability's risk and impact, or for additional information. Afterwards, the patch team researches packages, fixes and security updates to remediate the vulnerability. If the fix doesn't remediate the vulnerability, they continue to research; but if it does, they submit the change request so that they can remediate the vulnerability.
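The risk rating, prioritization and timely-remediation steps of the vulnerability and patch processes above, as an added example (not the course's own code). The CVSS bands, the one-level bump for internet-facing hosts and the SLA days are assumptions chosen for illustration, and the scan results are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation SLAs in days per rating (illustrative; the course gives no numbers).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
RATING_ORDER = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str           # scanner's identifier for the finding (hypothetical labels below)
    cvss: float               # CVSS base score, 0.0 to 10.0
    internet_facing: bool
    affects_system: bool      # vulnerability team's decision: does it actually impact this system?
    found_on: date
    fixed_on: Optional[date] = None


# Constructed scanner output (not real findings).
SCAN_RESULTS = [
    Finding("web01", "F-A", 9.8, True, True, date(2024, 3, 20)),
    Finding("web01", "F-B", 6.5, True, True, date(2024, 3, 25)),
    Finding("db01", "F-C", 7.5, False, True, date(2024, 1, 15), fixed_on=date(2024, 2, 10)),
    Finding("db01", "F-D", 5.0, False, False, date(2024, 3, 1)),
    Finding("app01", "F-E", 3.1, False, True, date(2024, 3, 1)),
]


def rate(f: Finding) -> str:
    """CVSS v3 qualitative bands, raised one level for internet-facing hosts (assumed exposure rule)."""
    if f.cvss >= 9.0:
        level = "critical"
    elif f.cvss >= 7.0:
        level = "high"
    elif f.cvss >= 4.0:
        level = "medium"
    else:
        level = "low"
    if f.internet_facing and level != "critical":
        level = RATING_ORDER[RATING_ORDER.index(level) + 1]
    return level


def triage(findings: List[Finding], as_of: str) -> Dict[str, List[Dict[str, object]]]:
    """Split findings into an SLA-ordered remediation queue and documented not-applicable items."""
    as_of_date = date.fromisoformat(as_of)
    queue: List[Dict[str, object]] = []
    not_applicable: List[Dict[str, object]] = []
    for f in findings:
        if not f.affects_system:
            not_applicable.append({"host": f.host, "id": f.finding_id,
                                   "rationale": "risk assessed: no impact on this system"})
            continue
        level = rate(f)
        due = f.found_on + timedelta(days=SLA_DAYS[level])
        if f.fixed_on is not None and f.fixed_on <= as_of_date:
            status = "closed" if f.fixed_on <= due else "closed late"
        else:
            status = "overdue" if as_of_date > due else "open"
        queue.append({"host": f.host, "id": f.finding_id, "rating": level, "due": due, "status": status})
    # most severe first, then earliest due date
    queue.sort(key=lambda q: (-RATING_ORDER.index(q["rating"]), q["due"]))
    return {"queue": queue, "not_applicable": not_applicable}


if __name__ == "__main__":
    for item in triage(SCAN_RESULTS, "2024-04-01")["queue"]:
        print(item)
```

For the audit, the "overdue" and "closed late" statuses are the exceptions against the timeliness control, and every not_applicable entry should be backed by a documented risk assessment, as the process above requires.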
So this is the patch management process.

23. Gaining understanding in network mgmt

Network management processes and controls. One of the key processes or controls is network hardening, which is the process of hardening the network to reduce potential vulnerabilities through configuration changes and mechanisms. In the next slide we go over several examples of network hardening controls. Some examples include strong firewall rules and architecture, endpoint protection, and access controls. There are actually many more network hardening controls, but we can go through some of these basic examples here in the course. Strong firewall rules and architecture includes having multiple firewalls across different layers of your network model, meaning the OSI model or the TCP/IP model; for those who don't know what these models are, read a bit more in the downloadable attachment. Implicit and explicit deny rules are important to set in your firewall rule sets (a default deny at the end of the rule set, with explicit allow rules only for the traffic you need) so that unauthorized or unwanted traffic is prevented from entering your network; this is what network rules are for. Endpoint protection includes different mechanisms to protect endpoints, such as antivirus and anti-malware, and data loss prevention systems. For those who don't know what data loss prevention systems are, they are essentially software that filters and determines whether confidential or sensitive data is being exported outside of the network. It's also important to have VPNs, which help secure the connection between endpoints and the network as well. Finally, access controls are important because you can limit and authenticate the users and devices accessing the network. Having only appropriate users and devices with access to the network limits the chance of inappropriate and unauthorized activity.

24. Gaining understanding in incident mgmt

Incident management processes and controls.
Incident management is the process of resolving incidents and issues related to IT operations. Here is an example of an incident management process. We assume the organization has a centralized IT support team to investigate, analyse and remediate issues and problems on the IT systems. Looking at our diagram, we first have an error that is detected and identified by the end user or by the system on the IT asset. A ticket is then opened, either automatically or manually by the support team. This ticket gets sent to the IT support team, which reviews the ticket's description and rates its priority. Every company has its own set of processes and procedures, but in our example the IT support team then investigates and analyses the cause. From there they either remediate the issue or assign it to other teams to remediate further. When the remediation is done, it is tested prior to implementation into the production environment, and the issue is finally remediated. So this is the incident management process.

25. Gaining understanding in vendor mgmt

Vendor governance management, or vendor management processes, are really applicable to clients with IT systems that are managed by third-party vendors. The idea is that the governance process proactively evaluates and monitors the vendor's services and performance, while also working with the vendor to resolve any issues or errors with the services they provide to the client. Here are some vendor governance management controls: review of the vendor's SLA and performance metrics, review of the vendor's SOC reports, and vendor onboarding and off-boarding processes. The idea is that if your client or auditee uses third-party vendors to manage or perform services for IT systems that are in scope for your audit, it's important to determine how the client or auditee manages or has governance over those vendors. Let's start with review of a vendor's SLAs and performance metrics.
This is a control that usually involves the client or auditee having periodic meetings or assessments to review the vendor's service level agreement. The idea is to have comfort that the client has oversight of the vendor, because the services performed by the vendor are generally outside of the client's or auditee's control and performed outside the client's or auditee's IT environment, and there needs to be comfort that things are working. Another control is review of the vendor's SOC reports. As mentioned earlier, SOC reports, or Service Organization Control reports (now called System and Organization Controls reports), are audits of a service provider's controls for the services it performs. For example, if the vendor provides backup services to the client or auditee, the report would indicate whether the controls are designed and operating effectively. The idea is that the auditee or client reviews these reports and demonstrates that they assessed whether any exceptions or findings have an impact on the services they subscribe to. This helps auditors understand whether the client or auditee has good governance in mitigating the risks of third-party vendors. Lastly, clients or auditees having vendor onboarding and off-boarding processes is also ideal. These processes govern how a new or existing vendor is onboarded or terminated. Some common control features in these processes include having on-site reviews to determine, by observation, that the vendor's controls and processes are in place, and having signed contracts with clauses and defined terms and conditions. Together these demonstrate to the auditors that the vendors and the clients have governance in managing these relationships and issues.

26. Gaining understanding in security configuration

Security configuration management processes and controls.
Security configuration management is the process of monitoring and maintaining system configurations, detecting drift from baselines, and ensuring that configurations are remediated in a timely manner. The cornerstone of security configuration management is that IT systems have many different configurations and settings, and a baseline is generally created by the company so that a minimum set of security measures is in place to prevent security weaknesses and vulnerabilities. Security configuration management therefore monitors and remediates in case the system deviates from that baseline, because through the year changes and updates happen to the system which can cause these deviations. Here is a process diagram for security configuration management. The assumption is that the organization in our example has a designated team to coordinate and conduct security configuration management and monitoring on behalf of the system owners. For those who don't know what a system owner is, it's essentially the individual responsible for the overall system: they own the controls, processes, configurations and so forth related to the system. Looking at our diagram, it first begins with scanners detecting misalignment of system security configurations against the baselines. The system then generates a report to indicate what is not compliant based on the scan against the baseline. The report is sent to the IT support team, which may review the non-compliance in a bit more detail before providing a copy to the system owner. Afterwards, the system owner reviews the report of non-compliance and determines the root cause. Here is the decision point: the system owner determines whether this is a known risk, such as a false positive or a recurring drift they have already reviewed. If so, they would likely provide a rationale to the coordinating team to document it for the next run.
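The baseline comparison and the known-risk branch of the security configuration process above, applied to the password and lockout parameters from the authentication practices in lesson 21, as an added example (not from the course). The baseline values, the scanned settings and the accepted-risk rationale are constructed.

```python
from __future__ import annotations

from typing import Any, Dict, List, Tuple

# Assumed security baseline for one server class (illustrative values, not a published standard).
# Rule: ("min", v) means actual must be >= v; ("max", v) actual <= v; ("eq", v) actual == v.
BASELINE: Dict[str, Tuple[str, Any]] = {
    "password.min_length": ("min", 14),
    "password.max_age_days": ("max", 90),
    "password.history": ("min", 12),
    "password.complexity": ("eq", True),
    "lockout.threshold": ("max", 5),
    "ssh.permit_root_login": ("eq", False),
    "audit.logging_enabled": ("eq", True),
}

# Constructed output of a configuration scan of host app01.
SCANNED_SETTINGS: Dict[str, Any] = {
    "password.min_length": 8,         # drift
    "password.max_age_days": 180,     # drift, but accepted below
    "password.history": 24,
    "password.complexity": True,
    "lockout.threshold": 10,          # drift
    "ssh.permit_root_login": False,
    # "audit.logging_enabled" is absent: the scanner could not read it
}

# Deviations the system owner already reviewed and accepted in an earlier run (key -> rationale).
KNOWN_RISKS: Dict[str, str] = {
    "password.max_age_days": "legacy app cannot rotate; compensating MFA; re-review 2024-08",
}


def is_compliant(rule: Tuple[str, Any], actual: Any) -> bool:
    op, required = rule
    if op == "min":
        return actual >= required
    if op == "max":
        return actual <= required
    return actual == required


def detect_drift(baseline: Dict[str, Tuple[str, Any]], actual: Dict[str, Any],
                 known_risks: Dict[str, str]) -> Dict[str, List[Any]]:
    """Compare scanned settings with the baseline and route each deviation the way the process does."""
    report: Dict[str, List[Any]] = {"compliant": [], "new_drift": [], "known_risk": [], "unscanned": []}
    for key, rule in baseline.items():
        if key not in actual:
            report["unscanned"].append(key)       # cannot prove compliance: treat as a finding
        elif is_compliant(rule, actual[key]):
            report["compliant"].append(key)
        elif key in known_risks:
            report["known_risk"].append((key, actual[key], rule[1], known_risks[key]))
        else:
            report["new_drift"].append((key, actual[key], rule[1]))
    return report


def remediation_tickets(report: Dict[str, List[Any]]) -> List[str]:
    """One ticket line per new drift: the branch where the owner must investigate and remediate."""
    return [f"{key}: scanned {actual!r}, baseline requires {required!r}"
            for key, actual, required in report["new_drift"]]


if __name__ == "__main__":
    report = detect_drift(BASELINE, SCANNED_SETTINGS, KNOWN_RISKS)
    print(report)
    print(remediation_tickets(report))
```

Two points an auditor would check here: accepted risks carry a rationale and a re-review date rather than being silently dropped from the report, and a setting the scanner could not read is reported as unscanned instead of being counted as compliant.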
If this is something new and not previously accepted, they investigate and submit tickets to remediate the drift so that the security configuration realigns with the baseline. So overall, this is an example of the security configuration management process.

27. Gaining understanding in logging and monitoring

Logging and monitoring processes and controls. Logging and monitoring is the process of maintaining audit trails and logs of security event activity, while also monitoring and responding to those events. The idea is that when a security event occurs and logging is enabled, the logs are monitored, the event is detected, and an incident response team responds to the security incident. Our example assumes the organization has a SIEM, a security information and event management system such as Splunk or other tools. We also assume the individual systems have logging enabled, because if logging and monitoring are not enabled, the logs don't even exist in the first place and the control will fail. In our example we first start with the individual systems sending logs to the SIEM. The SIEM then automatically checks the logs against pre-set conditions or use cases that trigger alerts for investigation. For example, the SIEM might only trigger an alert if, say, five invalid login attempts happen within an hour; if only four happen, the alert won't be triggered. So you can see that the rules and conditions in the SIEM determine when alerts are sent for investigation. Let's say we get an alert: the security team then reviews the alert and determines the impact and root cause, and a ticket may be generated to track the issue. Here there is a decision point. Let's say this is not a false positive: the issue is then responded to promptly and contained to mitigate the impact.
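The threshold use case just described (five failed logins within an hour alerts, four do not), as an added example of the detection logic rather than any vendor's rule syntax; the log lines and their key=value format are constructed for the example:

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterator, List

# Constructed sample log lines (not real logs, not a vendor format).
SAMPLE_LOGS = """\
2024-05-01T09:00:05 host=app01 event=login_failed user=alice src=10.0.0.5
2024-05-01T09:10:00 host=app01 event=login_failed user=alice src=10.0.0.5
2024-05-01T09:20:00 host=app01 event=login_failed user=alice src=10.0.0.5
2024-05-01T09:30:00 host=app01 event=login_failed user=alice src=10.0.0.5
2024-05-01T09:31:00 host=app01 event=login_ok user=bob src=10.0.0.7
2024-05-01T09:40:00 host=app01 event=login_failed user=bob src=10.0.0.9
2024-05-01T09:41:00 host=app01 event=login_failed user=bob src=10.0.0.9
2024-05-01T09:42:00 host=app01 event=login_failed user=bob src=10.0.0.9
2024-05-01T09:43:00 host=app01 event=login_failed user=bob src=10.0.0.9
2024-05-01T09:44:00 host=app01 event=login_failed user=bob src=10.0.0.9
2024-05-01T11:00:00 host=app01 event=login_failed user=alice src=10.0.0.5
this line is malformed and must be skipped rather than crash the rule
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text: str) -> Iterator[Dict[str, object]]:
    """Yield parsed events; lines that do not match the expected format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev: Dict[str, object] = m.groupdict()
        ev["ts"] = datetime.fromisoformat(m.group("ts"))
        yield ev


def failed_login_alerts(text: str, threshold: int = 5,
                        window: timedelta = timedelta(hours=1)) -> List[Dict[str, object]]:
    """Alert when one user reaches `threshold` login_failed events inside a sliding `window`."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    for ev in parse_events(text):
        if ev["event"] != "login_failed":
            continue
        user = str(ev["user"])
        ts = ev["ts"]
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:       # discard failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": user, "src": ev["src"], "count": len(q),
                           "window_start": q[0].isoformat(), "window_end": ts.isoformat()})
            q.clear()                          # one alert per burst, not one per extra failure
    return alerts


if __name__ == "__main__":
    for alert in failed_login_alerts(SAMPLE_LOGS):
        print(alert)
```

With the sample lines, alice accumulates four failures and never trips the rule, while bob's five failures in four minutes produce one alert. From the audit side, test that the rule exists, that its threshold and window match the policy, and that the source systems actually ship the login_failed events: a rule cannot fire on logs that were never collected, which is the point made above about logging being enabled.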
The issue is then reported in the ticket and the appropriate stakeholders are notified. Afterwards, any lost or down systems are recovered. Finally, remediation and lessons learned take place and the ticket is closed. This is the process when a true incident occurs. Let's go back and look at the false positive case: if this is a false positive, the ticket is simply updated and closed and the process ends, with no need for escalation, reporting or remediation.

28. How to identify Cyber and IT risks

When we talk about cyber and IT risk, we should really ask the question of what can go wrong, because when we ask this question we can then determine the risk. Here are some common IT and cyber risks. I won't explain each in detail, but you can read more in the downloadable attachment. The main idea I want to share in this slide is how we should determine cyber and IT risks in the first place. One simple way is to look at the IT environment, controls and processes that you're auditing against. You can also look at the web, application and infrastructure layers and get an understanding of how attacks and issues can occur. For example, at the web layer, let's say employees have poor awareness and no one gets training on fraud or scam prevention. We know they can fall victim to phishing, so this is a risk. The same can be said if privileged users are not secured at the infrastructure layer: for example, they have excessive access, and unauthorized access then becomes a risk. The overall idea when you identify cyber and IT risks is to look at the processes and controls and think about what can go wrong. As mentioned earlier, you can read a bit more on the specifics of these risks in the attachment below.

29. Lessons learned and recap

This now brings us to the end of the course.
In the course we covered three main sections. First, we covered what exactly IT audits are, their objectives, and a fair amount of basic auditing concepts. We also discussed what IT frameworks and standards are, and the potential career paths related to IT audit. In section two, we covered how to conduct cyber and IT audit planning, and went over things like the audit lifecycle and all the different planning activities such as pre-planning, understanding the client, scoping and objectives, planning documentation, and communication. In the last section we looked into more technical aspects such as cybersecurity, general IT processes and controls, and IT and cyber risks. Of course, there is much more knowledge and technical skill one should learn, but that comes with hands-on experience and years of practice as well. However, this course provides enough practicality and technical insight to set you in the right direction for planning. So overall, thank you for taking this course; jump into a cyber and IT audit career, and all the best. If you enjoyed this lesson and have suggestions for future topics and courses that you'd like to learn, please rate and comment. These are the attributions and credits in this course.