all right so good morning guys and thank
you for joining me here today so today I
just wanted to do a quick training on IT
audit walkthroughs and to be honest I
was planning to record this by myself
and then I decided you know what why not
just make it a live training and see if
others are interested in joining and you
guys are so thank you for joining
um it's going to be short this is just
going to be 30 minutes maybe about 15-20
minutes of training and then I'll see if
you guys have any questions
um it's intended for YouTube for
transparency sake so it will be recorded
to YouTube but the difference is those
that are here live with me you get to
ask questions and those on YouTube can't
ask questions right so let's go ahead
and get started if you guys are ready to
get started okay you let me know yep yep
yep
all right so awesome awesome so let's go
ahead and get started here thank you for
joining me here today for a training on
IT audit walkthroughs so in today's
training I just want to give you guys
um a quick overview or an introduction
to what IT audit walkthroughs are I know
many of you might have been searching
the internet trying to find additional
information on audits and you may have
seen the word walkthrough right and you
don't understand what that is so today
I'm just going to give you an
introduction to that and then we'll see
if you guys have any questions related
to the topic
um later on all right so I see more of
you joining thank you for joining guys
so um before we get started very brief
introduction to myself I don't want to
take too much time here
um but for those that are just meeting
me for the first time my name is
I have over 18 years of experience in
the I.T space a lot of that is around IT
audit GRC program management all in the
audit and compliance space really my
passion is teaching that's one of the
things that I've always loved to do so
I'm also a career coach where I help
people that are looking to start their
careers in I.T cyber security audit and
compliance
okay uh for me I like practical training
um recently joined the Forbes Coaches
Council again I really love teaching so
I like to be with other coaches trying
to develop myself so that I can help my
students as well
um this year we've already had multiple
six-figure salaries that have come in
our program and so I I'm really excited
about what we're doing so let's go ahead
and get started with the training for
today
so here are the topics for today
um we're going to go over an
introduction to IT audit at a higher
level so if you are not familiar with
this you can probably check my YouTube
channel and you see the training I've
done it on this in the past
um but I'm going to just introduce that
because I know some people that are here
today may not right have um watched any
of my videos before or attended any of
my training and then we'll talk about
the IT audit phases because it's during
this discussion that we're then going to
talk about walkthroughs because
walkthroughs that's one of the phases or
part of one of the phases and there's
going to be a bonus review where I'm
going to walk through some actual
examples with you and maybe I'll give
you guys a bonus document but let's see
okay and at the end I'll give about 10
minutes or so for questions
so let's go ahead and start with our
introduction to IT audit
I'm not going to go in depth into this
like I said I have a training on my
YouTube channel that you guys can watch
but I do want to introduce this in
today's training because I want you to
understand what audits are before we
talk about walkthroughs right so what's
an audit at the end of the day you know
people have different definitions of
what it is but an audit at the end of
the day if you want to use simple terms
is an examination of the organization's
systems to determine if controls are
operating effectively so systems usually
have controls in there and for controls
again the prior training I mentioned
will have that but think of a control as
like a password control right when you
want to log into your computer you have
to put in a password
um or maybe your email you have to put
in a password that's a control so
organization systems have controls as
well
and these controls right
um in order part of an I.T audit is
testing and examining those systems to
determine if those controls are
operating effectively because if they
are not operating effectively then the
security of that system right is in
question and you might be wondering well
why should I be concerned about the
security or of a system or whether the
controls are operating effectively and
the reason is one you want to mitigate
risks right you don't want people having
inappropriate access to your systems so
uh when I say you I mean the
organization an organization doesn't
want people having inappropriate access
to the systems so it's important to have
controls in place to ensure that that
security is there and as the I.T auditor
right part of your audit objective or
your control objective for your test is
determining if security controls are in
place so you are examining those systems
to see if those controls are effective
in mitigating risks like I said for
example security risks or just even
meeting compliance and regulatory
requirements right so in the US we have
Sarbanes-Oxley other countries have
similar laws and standards as well we
have PCI SOC SSAE 18 right so all those
standards depending on what your
organization needs to comply with then
the audit is going to take place to
examine and determine if those controls
are meeting those requirements okay so
that's a summary of what we have um of
what IT audits are
so
um there are three key phases of IT
audits all right so we have the audit
planning phase we have our fieldwork
phase and this is where you have the
walkthrough so that's where the
walkthroughs are performed and you also
have the reporting and the follow-up
phase so I'm going to again summarize
this um so that I set the stage for what
we really want to talk about today so in
your audit planning phase right this is
where you're understanding the
organization trying to define the scope
and the objective and also trying to
identify what tests you perform so
you're essentially just planning for the
audit in that phase now the field work
phase is kind of I'll say that's where
the meat and potatoes are right I guess
when you do the real field work for the
audit you do your testing and all of
that but before you actually start
testing you have to perform your
walkthroughs and I'm going to come back
to the walkthroughs after I finish the
third stage or the third phase
the third phase is where you do the
reporting so you finish planning you've
done the actual testing and you have
results then in the third phase you're
doing your reporting and your follow-up
so this is where you type up the report
to management on the results and if
there were any issues identified you can
go back and retest to confirm whether or
not they've been addressed so those are
the three phases of an audit now I want
to dial in on that walk through piece
because
there are many moving parts right so as
you can imagine an audit is like a
pretty big project right so there are
many moving pieces and today I'm now
going to focus on the IT audit
walkthrough piece right again the IT or
the walkthrough is part of the field
work phase
so now let's talk about what are IT
audit walkthroughs or what I'm not sure
if you know maybe if you've
um you rented an apartment or you bought
a house before they give you the keys
right you kind of they will take you to
what they call a walk through typically
right you just go in kind of just look
at how things are before they give you
the keys and say okay we agree that this
is the state that you're giving us the
house or the apartment in or whatnot so
if you think about that it's not exactly
the same but a walkthrough from the IT audit
perspective is you getting a better
understanding of the I.T control
environment of the company
so what you do at the beginning of the
audit because you're an auditor right
you're not I.T you're not if you're an
external auditor you're not working in
the company right so you can't assume
that you know everything about that
company you can't assume that you know
their control environment so the reason
for that walkthrough is for the Auditors
to get a better understanding right of
the control environment that they're
going to be auditing so it's absolutely
critical because if you don't conduct
your walkthrough effectively you might
have gaps in your understanding of the
control environment and that's going to
ultimately impact right the quality of
the control procedures that you choose
to perform and your understanding of the
impact of the risk so walkthroughs are
very important because that's where you
really get a good understanding of that
environment and a key part of that is
that you have to include key players and
the control owners from I.T so you're
not just going to have a random set of
people in your work just giving you
information about the environment you
have to understand that you have to
invite the right players so if for your
IT audit walkthrough you probably have
their management levels there right the
people that are responsible for those
controls so the control owners you want
to make sure that they are in the room
with you or on Zoom if it's virtual
right explaining their an I.T
environment and even if they're not the
key control owner but they have a part
in the process
um and they're a key player or key
stakeholder then you want to make sure
that they're also in the room with you
because if not then again you run the
risk of not having that information on
the control environment so it's
important to have the key players and
especially the control owners in the
meeting where you're having that walk
through and one of the things um that
you would test there or that you could
test there is a test of design again if
you don't know what test of design is
you can watch my prior video and I'll
probably link it when I post this on
YouTube so you can see that video where
I talk about test of design in terms of
operating effectiveness so depending on
the control that you're testing or the
controls that you're reviewing during
your walkthroughs you may be able to
perform some tests of design there okay
so again just to summarize this why
do we conduct I.T audit walkthroughs
it's to understand or better understand
the control environment the I.T control
environment that you'll be testing you
should include the key players
stakeholders and control owners from IT
and during this you may be able to test
the design of controls as well okay one
thing I do want to say here before we
move on to the next area is that um
your walkthrough questions should be
worded properly right so that you can
get useful responses from those that
you're interviewing so let me pause here
for a second have you guys ever asked a
question and then you got the wrong
answer back let me see you guys in the
chat just to make sure you guys are
still here with me have you ever asked
the question and the kind of answers
you're getting you're like okay maybe I
asked the wrong question
yeah okay so that's the same thing for
walkthroughs so uh it takes some skill
right you need to know what questions
that you should ask in order to be able
to get the right risk I don't want to
use the word right because it's not
really right and wrong but in order to
get
um good responses right useful responses
where you when you're actually testing
it makes sense not the kind of responses
that when you start testing it's like
okay what they said doesn't make sense
based on what I'm looking at right so
that's a skill you'll need to gain as
you go through your walkthroughs because
if you don't right uh then you run the
risk of not getting the responses that
will be useful to you in performing your
audits so um here is the bonus part
I'm going to now give you a couple of
examples so that you know again I like
practical teaching so that this can be
real to you okay so let's look at some
um sample questions and there are
different parts of IT audits I'm going
to look at couple of questions in
logical security
so logical security this is around
access to systems we're not going to go
deep into logical security itself but
let's talk about what are some questions
right so you want you're going to have
different levels to your questions so
for example you start off with describe
the user access provisioning process
this is open-ended you want to give them
the opportunity to describe the whole
process for you and then you can go
deeper right so who has authority to
approve users and their privilege
levels so you again you're starting
higher getting a broader understanding
of the environment and their process and
then you can ask deeper questions based
on the controls that you're testing so
these are just a few examples for you to
see what you might ask during a
walkthrough and then
um again let me look at change
management
so change management again is another
area that we test for in I during IT
audits and here you might also start
with describe the change management
process right again start high level
giving them the opportunity to describe
the process to you end to end and then
you ask who's required to approve
changes for example so that's a little
bit more um you're diving deeper into
maybe one of the controls to get a
better understanding of that particular
control area okay so
um hopefully that was helpful for you
guys do you guys feel like you have a
better understanding of what
walkthroughs are now yep okay good good
I see yes uh thank you Diamond Lake con
thank you Ashley so that's really what I
wanted to cover here today again this is
intended to be a short training session
just bite size so that you understand
um some unique areas in the audit space
that would help you all right so
um rainbow said basically to understand
the yeah so to understand the IT control
environment and that would help you when
you're putting together your um
procedures of performing your test for
your IT audit all right so now let's do
a summary I promise you there'll be some
time for Q a at the end let me see if
you guys have any questions if you have
questions you can put them in the Q a
section and I'll take a few minutes to
answer them here but let me do a quick
summary for you guys because I know some
of you
um joined after we already started
um just to summarize what we talked
about here today we started off by just
going through an introduction to IT
audits right uh again if you want more
information there you can watch that
video I have on the channel and then we
talked about the I.T audit phases right
what are the phases so let me pause
before I answer the question in the chat
can you tell me what are the phases that
we talked about today
awesome thanks Bob
oh second phase
thank you and then one more
reporting and follow awesome awesome on
what phase do we have the IT audit
walkthroughs
walkthrough is field work so the field
work isn't um the IT audit walkthrough
happens in the field work stage and this
is where again you're getting a better
understanding of the environment you're
talking to the control owners and you're
talking to the uh all the key
stakeholders in the I.T space and then
we just walk through a few examples so
that you can see how
um how walkthroughs are conducted okay
so I'm going to pause now let's see if
you guys have any questions I did tell
you it's going to be about 30 minutes so
I want to make sure that we don't go
over time what questions do you guys
have
you guys have any questions or was this
straightforward for you guys
okay so great question Nick and Nick is
asking can walkthroughs be done
virtually or does it have to be in
person
um it can be done virtually so if you
think about the pandemic right where
everyone no one went out right if we
weren't going to the office we're all
working remotely a lot of those
walkthroughs were performed remotely
because you can have interviews now the
difference would be physical security
reviews where you have to physically
walk through a data center for example
then you'll have to physically go there
but other than that for the most part
you can have them virtually it can be in
a meeting on Zoom or whatever meeting
software your organization uses
um rough is asking which video should
you focus on
um I'll say that depends on your
interest right because I have a lot of
videos on different areas so you you can
select the one that you want I'm trying
to do a better job posting I'm pretty
busy I have a full-time job so training
is not the only thing I do
um so I'm trying to do a better job
posting but I'll say watch the video
that makes sense to you all right so
um oh what she was asking walkthroughs
seem to be like something to be done to
enhance your planning how come it's in
the field work phase
um it depends on your definition of
enhancing your planning right because
planning you're not really doing any
work right in planning you actually
determine what areas you need to test
and that will then determine what areas
you need to do your walk through right
because you don't necessarily need to
test all the areas of I.T depending on
the scope of your audit so planning is
more scope focused once you identify
your scope and then you know the areas
you want to test then it's reasonable
that you would then go do walkthroughs
for that area you don't need to do
walkthroughs for everything definitely
you don't need to do a walk through for
an area you don't need to test okay so
hopefully that addressed the question
um the last one I see here
so Laker is asking what IT audit
applications are used aside ERP
systems
um I don't know that that question is
really accurate
um because you're talking about two
different things so when you say IT
audit applications ERP systems those are
two different things so maybe you want
to reword that question let me better
understand if you're talking about
applications that the audit team uses
for their audit and GRC you have
ServiceNow Archer all of that and then
the ERP systems are not audit systems
ERP systems are systems that the
organization is using for their
operational needs right so those are two
different things so hopefully that helps
all right
um and she Iggy is asking what's the
name of the YouTube channel it's your
I.T career maybe I'll find the link hold
on
I'll put it in the record when I post
the recording I'll send an email out and
I'll just um I'll give you guys access
to that because I don't know that I have
it handy let's see
um
what's the difference between internal
and external audit so sure I will refer
you to my YouTube channel for that just
because I have another video that goes
into that in depth so I think that'll
probably be more beneficial to you okay
um Sarah is asking you missed the
training yes the recording is going to
be on YouTube so I was transparent I was
planning to record this for YouTube
anyways and instead of recording it by
myself I decided to invite you guys to
listen to me record it live so let's say
in the next couple of days or so you
guys should see it on YouTube the
difference is those that are here live
get to and ask questions okay
all right so let's now go to let's see
if there any other questions I will be
wrapping up in a few minutes
in Lincoln said got it okay good
so she always asking can virtual audit
be done for a physical Operation Center
um it depends on the objective it
depends on what you're testing but
typically if the con it depends on the
controls so if you don't understand what
controls are again let me see if I can
find that channel for you uh but it's
the control is what's going to determine
how you perform right so you can't just
take an audit what what are you actually
testing because if the control is a
physical control that someone needs to
see right touch or whatever then you
will need to do that physically but if
it doesn't require physical presence
then if that control could be tested
virtually okay
all right let's see if there's any more
question if there are any more questions
hey so good good good so thank you guys
for joining me here today now did you
guys let
all some media is asking do I have
resume workshops on IT audits do you
mean just training on how to do your
your resume is that what you're asking
awesome media okay so I don't do
workshops on resume training however I
have covered the topic before where I
talked about resume mistakes that you
might make in IT audit so if and I think
I actually have that on my YouTube
channel as well so if you go there I
think I have one training where I talk
about resume mistakes that you might be
making
um so I don't do workshops and that now
in my full-blown comprehensive training
I do provide resume training for my
students I bring in like a live
professional resume writer to come give
training to students in one of my
courses so that's something I provide
because your resume is not just about
finding a template online and putting it
together right your resume should
reflect what you know your experience I
think okay I'll answer one more question
because we have just one more minute
um did we do control testing in the
process of walkthrough only check the
design
um typically during your walkthrough
you're just that's where you're really
doing your design review depending on
the control you may not even be able to
really finish that in the walkthrough
but you would look at that there however
additional testing will be needed to
finish your testing procedures okay all
right so I think we're up on time here
today thank you guys for joining me if
you guys learned something I promise to
you guys you will learn something all
right great great great so before we go
let me just make sure there's a free
IT audit career guide so this guide has
been downloaded so so many times by so
many people let me put it in the chat
and it's also going to be available in
the YouTube link when I'm done but if
you guys want the guide for those
interested in IT audits go ahead and
download this guide
um and it just walks through some things
that you need to know so make sure you
download that guide um it's free I'm not
charging you for that at all and um I'm
not sure how often I'll do this free
training maybe once a month I don't know
but if you're on my email list so if you
get that guide for example you'll be on my
email list and you'll get invited to
this I don't publicize these small
meetings anywhere else it's just going
to be for those on my email list I think
I scroll too fast okay there it is all
right so thank you guys you guys have a
great rest of your day bye