All right, so good morning guys, and thank you for joining me here today. So today I just wanted to do a quick training on IT audit walkthroughs, and to be honest, I was planning to record this by myself, and then I decided, you know what, why not just make it a live training and see if others are interested in joining, and you guys are, so thank you for joining. Um, it's going to be short. This is just going to be 30 minutes, maybe about 15-20 minutes of training, and then I'll see if you guys have any questions. Um, it's intended for YouTube, for transparency's sake, so it will be recorded to YouTube, but the difference is those that are here live with me, you get to ask questions, and those on YouTube can't ask questions, right? So let's go ahead and get started if you guys are ready to get started. Okay, you let me know. Yep, yep, yep. All right, so awesome, awesome.

So let's go ahead and get started here. Thank you for joining me here today for a training on IT audit walkthroughs. So in today's training I just want to give you guys, um, a quick overview or an introduction to what IT audit walkthroughs are. I know many of you might have been searching the internet trying to find additional information on audits, and you may have seen the word walkthrough, right, and you don't understand what that is. So today I'm just going to give you an introduction to that, and then we'll see if you guys have any questions related to the topic, um, later on. All right, so I see more of you joining. Thank you for joining, guys.

So, um, before we get started, very brief introduction to myself. I don't want to take too much time here, um, but for those that are just meeting me for the first time, my name is I have over 18 years of experience in the IT space. A lot of that is around IT audit, GRC, program management, all in the audit and compliance space. Really my passion is teaching, that's one of the things that I've always loved to do, so I'm also a career coach where I help people that are looking to start their careers in IT, cyber
security, audit and compliance. Okay. Uh, for me, I like practical training. Um, recently joined the Forbes Coaches Council. Again, I really love teaching, so I like to be with other coaches, trying to develop myself so that I can help my students as well. Um, this year we've already had multiple six-figure salaries that have come in our program, and so I'm really excited about what we're doing. So let's go ahead and get started with the training for today.

So here are the topics for today. Um, we're going to go over an introduction to IT audit at a higher level, so if you are not familiar with this, you can probably check my YouTube channel and you'll see the training I've done on this in the past. Um, but I'm going to just introduce that because I know some people that are here today may not, right, have, um, watched any of my videos before or attended any of my training. And then we'll talk about the IT audit phases, because it's during this discussion that we're then going to talk about walkthroughs, because walkthroughs, that's one of the phases or part of one of the phases. And there's going to be a bonus review where I'm going to walk through some actual examples with you, and maybe I'll give you guys a bonus document, but let's see, okay? And at the end I'll give about 10 minutes or so for questions.

So let's go ahead and start with our introduction to IT audit. I'm not going to go in depth into this. Like I said, I have a training on my YouTube channel that you guys can watch, but I do want to introduce this in today's training because I want you to understand what audits are before we talk about walkthroughs, right? So what's an audit at the end of the day? You know, people have different definitions of what it is, but an audit, at the end of the day, if you want to use simple terms, is an examination of the organization's systems to determine if controls are operating effectively. So systems usually have controls in there, and for controls, again, the prior training I mentioned will have that, but think
of a control as like a password control, right? When you want to log into your computer you have to put in a password, um, or maybe your email, you have to put in a password. That's a control. So organization systems have controls as well, and these controls, right, um, in order... part of an IT audit is testing and examining those systems to determine if those controls are operating effectively, because if they are not operating effectively, then the security of that system, right, is in question.

And you might be wondering, well, why should I be concerned about the security of a system or whether the controls are operating effectively? And the reason is, one, you want to mitigate risks, right? You don't want people having inappropriate access to your systems. So, uh, when I say you, I mean the organization. An organization doesn't want people having inappropriate access to the systems, so it's important to have controls in place to ensure that that security is there. And as the IT auditor, right, part of your audit objective or your control objective for your test is determining if security controls are in place. So you are examining those systems to see if those controls are effective in mitigating risks, like I said, for example, security risks, or just even meeting compliance and regulatory requirements, right? So in the US we have Sarbanes-Oxley, other countries have similar laws and standards as well, we have PCI, SOC, SSAE 18, right? So all those standards, depending on what your organization needs to comply with, then the audit is going to take place to examine and determine if those controls are meeting those requirements. Okay, so that's a summary of what we have, um, of what IT audits are.

So, um, there are three key phases of IT audits. All right, so we have the audit planning phase, we have our field work phase, and this is where you have the walkthrough, so that's where the walkthroughs are performed, and you also have the reporting and the follow-up phase. So I'm going to, again, summarize this, um, so that I
set the stage for what we really want to talk about today.

So in your audit planning phase, right, this is where you're understanding the organization, trying to define the scope and the objective, and also trying to identify what tests you'll perform. So you're essentially just planning for the audit in that phase. Now the field work phase is kind of, I'll say, that's where the meat and potatoes are, right? I guess when you do the real field work for the audit, you do your testing and all of that, but before you actually start testing you have to perform your walkthroughs, and I'm going to come back to the walkthroughs after I finish the third stage or the third phase. The third phase is where you do the reporting. So you finished planning, you've done the actual testing and you have results, then in the third phase you're doing your reporting and your follow-up. So this is where you type up the report to management on the results, and if there were any issues identified, you can go back and retest to confirm whether or not they've been addressed. So those are the three phases of an audit.

Now I want to dial in on that walkthrough piece, because there are many moving parts, right? So as you can imagine, an audit is like a pretty big project, right, so there are many moving pieces, and today I'm now going to focus on the IT audit walkthrough piece, right? Again, the IT audit walkthrough is part of the field work phase.

So now let's talk about what are IT... what audit walkthroughs are. I'm not sure if you know, maybe if you've, um, you rented an apartment or you bought a house, before they give you the keys, right, you kind of... they will take you to what they call a walkthrough, typically, right? You just go in, kind of just look at how things are before they give you the keys, and say, okay, we agree that this is the state that you're giving us the house or the apartment in, or whatnot. So if you think about that, it's not exactly the same, but a walkthrough from the IT audit perspective is you getting a better
understanding of the IT control environment of the company. So what you do at the beginning of the audit, because you're an auditor, right, you're not IT, you're not... if you're an external auditor, you're not working in the company, right, so you can't assume that you know everything about that company, you can't assume that you know their control environment. So the reason for that walkthrough is for the auditors to get a better understanding, right, of the control environment that they're going to be auditing. So it's absolutely critical, because if you don't conduct your walkthrough effectively, you might have gaps in your understanding of the control environment, and that's going to ultimately impact, right, the quality of the control procedures that you choose to perform and your understanding of the impact of the risk. So walkthroughs are very important because that's where you really get a good understanding of that environment.

And a key part of that is that you have to include key players and the control owners from IT. So you're not just going to have a random set of people in your walkthrough just giving you information about the environment. You have to understand that you have to invite the right players. So for your IT audit walkthrough you probably have their management levels there, right, the people that are responsible for those controls. So the control owners, you want to make sure that they are in the room with you, or on Zoom if it's virtual, right, explaining their IT environment. And even if they're not the key control owner, but they have a part in the process, um, and they're a key player or key stakeholder, then you want to make sure that they're also in the room with you, because if not, then again, you run the risk of not having that information on the control environment. So it's important to have the key players, and especially the control owners, in the meeting where you're having that walkthrough.

And one of the things, um, that you would test there, or that you could test
there, is a test of design. Again, if you don't know what test of design is, you can watch my prior video, and I'll probably link it when I post this on YouTube, so you can see that video where I talk about test of design in terms of operating effectiveness. So depending on the control that you're testing, or the controls that you're reviewing during your walkthroughs, you may be able to perform some tests of design there. Okay?

So again, just to summarize this: why do we conduct IT audit walkthroughs? It's to understand, or better understand, the control environment, the IT control environment that you'll be testing. You should include the key players, stakeholders and control owners from IT, and during this you may be able to test the design of controls as well. Okay?

One thing I do want to state here before we move on to the next area is that, um, your walkthrough questions should be worded properly, right, so that you can get useful responses from those that you're interviewing. So let me pause here for a second. Have you guys ever asked a question and then you got the wrong answer back? Let me see you guys in the chat, just to make sure you guys are still here with me. Have you ever asked the question, and the kind of answers you're getting, you're like, okay, maybe I asked the wrong question? Yeah, okay. So that's the same thing for walkthroughs. So, uh, it takes some skill, right? You need to know what questions that you should ask in order to be able to get the right responses... I don't want to use the word right, because it's not really right and wrong, but in order to get, um, good responses, right, useful responses, where, when you're actually testing, it makes sense. Not the kind of responses that, when you start testing, it's like, okay, what they said doesn't make sense based on what I'm looking at, right? So that's a skill you'll need to gain as you go through your walkthroughs, because if you don't, right, uh, then you run the risk of not getting the responses that will be useful to you in performing your
audits.

So, um, here is the bonus part. I'm going to now give you a couple of examples so that, you know, again, I like practical teaching, so that this can be real to you. Okay, so let's look at some, um, sample questions. And there are different parts of IT audits. I'm going to look at a couple of questions in logical security. So logical security, this is around access to systems. We're not going to go deep into logical security itself, but let's talk about what are some questions, right? So you're going to have different levels to your questions. So for example, you start off with "describe the user access provisioning process". This is open-ended, you want to give them the opportunity to describe the whole process for you, and then you can go deeper, right? So "who has authority to approve users and their privilege levels?" So again, you're starting higher, getting a broader understanding of the environment and their process, and then you can ask deeper questions based on the controls that you're testing. So these are just a few examples for you to see what you might ask during a walkthrough.

And then, um, again, let me look at change management. So change management, again, is another area that we test for in IT... during IT audits, and here you might also start with "describe the change management process", right? Again, starting high level, giving them the opportunity to describe the process to you end to end, and then you ask "who's required to approve changes?", for example. So that's a little bit more, um, you're diving deeper into maybe one of the controls to get a better understanding of that particular control area. Okay?

So, um, hopefully that was helpful for you guys. Do you guys feel like you have a better understanding of what walkthroughs are now? Yep, okay, good, good. I see yes. Uh, thank you Diamond Lake con, thank you Ashley. So that's really what I wanted to cover here today. Again, this is intended to be a short training session, just bite size, so that you understand, um, some unique areas in the audit space
that would help you. All right, so, um, Rainbow said basically to understand the... yeah, so to understand the IT control environment, and that would help you when you're putting together your, um, procedures of performing your test for your IT audit.

All right, so now let's do a summary. I promise you there'll be some time for Q&A at the end. Let me see if you guys have any questions. If you have questions you can put them in the Q&A section and I'll take a few minutes to answer them here, but let me do a quick summary for you guys, because I know some of you, um, joined after we already started. Um, just to summarize what we talked about here today: we started off by just going through an introduction to IT audits, right? Uh, again, if you want more information there, you can watch that video I have on the channel. And then we talked about the IT audit phases, right, what are the phases. So let me pause before I answer the question in the chat. Can you tell me, what are the phases that we talked about today? Awesome, thanks Bob. Oh, second phase, thank you. And then one more, reporting and follow... awesome, awesome. On what phase do we have the IT audit walkthroughs? Walkthrough is field work. So the field work is, um... the IT audit walkthrough happens in the field work stage, and this is where, again, you're getting a better understanding of the environment, you're talking to the control owners, and you're talking to the, uh, all the key stakeholders in the IT space. And then we just walked through a few examples so that you can see how, um, how walkthroughs are conducted.

Okay, so I'm going to pause now. Let's see if you guys have any questions. I did tell you it's going to be about 30 minutes, so I want to make sure that we don't go over time. What questions do you guys have? You guys have any questions, or was this straightforward for you guys?

Okay, so great question, Nick. And Nick is asking, can walkthroughs be done virtually, or does it have to be in person? Um, it can be done virtually. So if you think about the pandemic, right,
where everyone... no one went out, right, if we weren't going to the office, we're all working remotely, a lot of those walkthroughs were performed remotely, because you can have interviews. Now the difference would be physical security reviews, where you have to physically walk through a data center, for example, then you'll have to physically go there. But other than that, for the most part, you can have them virtually. It can be in a meeting on Zoom or whatever meeting software your organization uses.

Um, Rough is asking, which video should you focus on? Um, I'll say that depends on your interest, right, because I have a lot of videos on different areas, so you can select the one that you want. I'm trying to do a better job posting. I'm pretty busy, I have a full-time job, so training is not the only thing I do, um, so I'm trying to do a better job posting, but I'll say watch the video that makes sense to you.

All right, so, um, oh, what she was asking: walkthroughs seem to be like something to be done to enhance your planning, how come it's in the field work phase? Um, it depends on your definition of enhancing your planning, right, because in planning you're not really doing any work, right? In planning you actually determine what areas you need to test, and that will then determine what areas you need to do your walkthrough, right, because you don't necessarily need to test all the areas of IT, depending on the scope of your audit. So planning is more scope focused. Once you identify your scope, and then you know the areas you want to test, then it's reasonable that you would then go do walkthroughs for that area. You don't need to do walkthroughs for everything. Definitely you don't need to do a walkthrough for an area you don't need to test. Okay, so hopefully that addressed the question.

Um, the last one I see here, so Laker is asking, what IT audit applications are used aside from ERP systems? Um, I don't know that that question is really accurate, um, because you're talking about two different things. So when
you say IT audit applications, ERP systems, those are two different things, so maybe you want to reword that question, let me better understand. If you're talking about applications that the audit team uses for their audit and GRC, you have ServiceNow, Archer, all of that. And then the ERP systems are not audit systems. ERP systems are systems that the organization is using for their operational needs, right? So those are two different things. So hopefully that helps.

All right, um, and she Iggy is asking, what's the name of the YouTube channel? It's your I.T career. Maybe I'll find the link, hold on, I'll put it in the record... when I post the recording I'll send an email out, and I'll just, um, I'll give you guys access to that, because I don't know that I have it handy. Let's see.

Um, what's the difference between internal and external audit? So sure, I will refer you to my YouTube channel for that, just because I have another video that goes into that in depth, so I think that'll probably be more beneficial to you. Okay.

Um, Sarah is asking, you missed the training. Yes, the recording is going to be on YouTube. So I was transparent, I was planning to record this for YouTube anyways, and instead of recording it by myself I decided to invite you guys to listen to me record it live. So let's say in the next couple of days or so you guys should see it on YouTube. The difference is those that are here live get to ask questions. Okay?

All right, so let's now go to... let's see if there are any other questions. I will be wrapping up in a few minutes. In Lincoln said got it, okay, good. So she always asking, can virtual audit be done for a physical operation center? Um, it depends on the objective, it depends on what you're testing, but typically, if the con... it depends on the controls. So if you don't understand what controls are, again, let me see if I can find that channel for you, uh, but it's the control is what's going to determine how you perform, right? So you can't just take an audit... what are you actually testing? Because if
the control is a physical control that someone needs to see, right, touch or whatever, then you will need to do that physically, but if it doesn't require physical presence, then that control could be tested virtually. Okay?

All right, let's see if there are any more questions. Hey, so good, good, good. So thank you guys for joining me here today. Now did you guys... all some media is asking, do I have resume workshops on IT audits? Do you mean just training on how to do your resume, is that what you're asking, awesome media? Okay, so I don't do workshops on resume training, however I have covered the topic before, where I talked about resume mistakes that you might make in IT audit. So I think I actually have that on my YouTube channel as well, so if you go there, I think I have one training where I talk about resume mistakes that you might be making. Um, so I don't do workshops on that. Now, in my full-blown comprehensive training I do provide resume training for my students. I bring in, like, a live professional resume writer to come give training to students in one of my courses. So that's something I provide, because your resume is not just about finding a template online and putting it together, right? Your resume should reflect what you know, your experience, I think.

Okay, I'll answer one more question because we have just one more minute. Um, did we do control testing in the process of walkthrough, or only check the design? Um, typically during your walkthrough you're just... that's where you're really doing your design review. Depending on the control, you may not even be able to really finish that in the walkthrough, but you would look at that there. However, additional testing will be needed to finish your testing procedures. Okay?

All right, so I think we're up on time here today. Thank you guys for joining me. If you guys learned something... I promise to you guys you will learn something. All right, great, great, great. So before we go, let me just make sure, there's a free
IT audit career guide. So this guide has been downloaded so, so many times by so many people. Let me put it in the chat, and it's also going to be available in the YouTube link when I'm done. But if you guys want the guide, for those interested in IT audits, go ahead and download this guide, um, and it just walks through some things that you need to know. So make sure you download that guide. Um, it's free, I'm not charging you for that at all. And, um, I'm not sure how often I'll do this free training, maybe once a month, I don't know, but if you're on my email list, so if you get that guide, for example, you'll be on my email list and you'll get invited to this. I don't publicize these small meetings anywhere else, it's just going to be for those on my email list. I think I scrolled too fast. Okay, there it is. All right, so thank you guys, you guys have a great rest of your day. Bye.