Audit and Assurance

Expand all | Collapse all

Audit Documentation Organization

  • 1.  Audit Documentation Organization

    Posted 15 Jan, 2020 22:10
    How do you guys keep all your evidence organized?  I work for an IT Company and we are restructuring quite a bit and I'm looking for a bit of advice to improve our current process.  Thanks for any suggestions.

    Star Gutierrez

  • 2.  RE: Audit Documentation Organization

    Posted 15 Jan, 2020 22:33

    Hi Star Gutierrez,

    You have initiated a good post and i expect a lot responses from our experienced colleagues. My experience is as follows.

    1) Classify the file and folders such as Internal Audit, External audits, etc
    2)Create Audit wise folders and While setting the naming convention for the files and folders prefix date and context of the Audit e.g. 20200116_InternalAudtiUserAcessReview (for folder).
    3) For files based upon the date of responses received from various Dept,  I add little bit e.g. 20200117_InternalAuditUserAccessReviewHR.XLSX
    4) Create Year wise folder as parent folder e,g, 2020_InternalAudit and under that put all the files/folders related/conducted Internal audits during the year.
    5) Same for Observations if any.
    6) In case I get sensitive information as an evidence then I Keep that in "Password protected" format".

    This is little-bit effort to share my view and not the standard as such.

    D Anand

  • 3.  RE: Audit Documentation Organization

    Posted 16 Jan, 2020 01:55
    Edited by Alain Rousseau 16 Jan, 2020 01:55
    Why not avoid such folder and file structures altogether?

    I hope you don't mind this "thought" in the thread as I come to it from another perspective. I often come across organisations that work that way, but after a while and certainly with a team larger than 3 auditors just managing the structure and audit overview become a huge task. Add to that new auditors that are likely to make mistakes in the naming convention.

    So, why not invest in a professional audit software?
    That way the audit evidence could just be attached to the appropriate component (say a Test), without fuss.

    True, implementing audit software is an investment that requires some budget and time (but not hugely so). On the other hand, it would help you professionalise the audit function no end. Not only with documentation but also with planning, security, audit reports, analysis and action tracking. So my point is here to try and negate the instinct to store everything in shared folders and perform management in Excel.

    As I mentioned, I come from another perspective and that is implementing such audit software. Hence my "bias" if you like but the idea is still worth considering. If you are interested in some examples, I have documented several advantages here: "How does Pentana audit software support Internal Audit?".

    With kind regards,

    Alain Rousseau

    Alain Rousseau
    Sepia Solutions

  • 4.  RE: Audit Documentation Organization

    Posted 16 Jan, 2020 10:09
    Edited by Anand D 16 Jan, 2020 10:14
    Hi Alain,

    Thanks for the details and much appreciated but I felt that user environment is yet to get mature to reach to such GRC tool and hence I have suggested the cost effective way.

    You know nothing is free and when you start exploring better you follow some intermediary process and then move to mature cycle.

    Also If you are an audit company and you are conducting audits for your various clients then you don't have choice to carry such application and conduct audits at their environment.

    In my experience, we may have to wait for the evidences post audit. So I am not sure how this can be handled in GRC tools. Yes GRC tool may help to process the spreadsheets generated at remote site during the audit but evidences are something which auditor has to rate manually for their authenticity, correctness in the context, etc.

    D Anand

  • 5.  RE: Audit Documentation Organization

    Posted 16 Jan, 2020 04:21
    You should look into an encrypted GRC system like Archer GRC. They have different modules for any kind of classification of data. Whatever it is it should be encrypted and a risk assessment on the technology should be performed by your security manager and approved by your change management committee.

    I'm currently looking for the right security position so if you require a solid security professional with 9 years in cyber security please reach out to me ASAP!!

    John Augustus MBA SANS

    John Augustus MBA SANS
    Security Professional

  • 6.  RE: Audit Documentation Organization

    Posted 16 Jan, 2020 09:59
    Hi all.  We are looking to implement a GRC tool at some point in the near future (hopefully before our next audit) but I'm trying to have a backup plan, just in case it doesn't come through.  Thanks for the feedback!

    Star Gutierrez