All right. So good morning, guys and thank
you for joining me here today. So, today, I
just wanted to do a quick training on IT
audio walkthroughs, and to be honest, I
was planning to record this by myself
and then I decided, you know, what, why not
just make it a live training and see if
others are interested in joining, and you
guys are. So, thank you for joining.
It's going to be short. This is just
going to be 30 minutes, maybe about 15-20
minutes of training. And then, I'll see if
you guys have any questions.
It's intended for YouTube, for
transparency sake. So, it will be recorded
to YouTube, but the difference is those
that are here live with me, you get to
ask questions, and those on YouTube can't
ask questions right. So, let's go ahead
and get started. If you guys are ready to
get started, okay. You let me know. Yep, yep,
yep.
All right. So awesome awesome. So let's go
ahead, and get started here. Thank you for
joining me here today for a training on
IT audit walkthroughs. So in today's
training, I just want to give you guys
a quick overview or an introduction
to what IT audit walkthroughs are. I know
many of you might have been searching
the internet trying to find additional
information on audits, and you may have
seen the word walkthrough, right. And you
don't understand what that is. So today,
I'm just going to give you an
introduction to that. And then, we'll see
if you guys have any questions related
to the topic.
Later on, all right. So, I see more of
you joining. Thank you for joining, guys.
So, before we get started, very brief
introduction to myself. I don't want to
take too much time here.
But for those, that are just meeting
me for the first time. My name is Peju Adedeji.
I have over 18 years of experience in
the I.T space. A lot of that is around IT
audit GRC program management. All in the
audit and compliance space really. My
passion is teaching. That's one of the
things that I've always loved to do. So,
I'm also a career coach where I help
people that are looking to start their
careers in I.T cyber security audit, and
compliance.
Okay, for me, I like practical training
recently joined the Forbes coaches
council. Again, I really love teaching so
I like to be with other coaches trying
to develop myself so that I can help my
students as well.
This year, we've already had multiple
six-figure salaries that have come in
our program, and so I I'm really excited
about what we're doing. So let's go ahead
and get started with the training for
today.
So here are the topics for today.
We're going to go over an
introduction to IT audit at a higher
level. So if you are not familiar with
this you can probably check my YouTube
channel. And you see the training, I've
done it on this in the past.
But I'm going to just introduce that
because I know some people that are here
today may not right have watched any
of my videos before or attended any of
my training. And then, we'll talk about
the IT audit phases because it's during
this discussion that we're then going to
talk about walkthroughs, because
walkthroughs that's one of the phases or
part of one of the phases. And there's
going to be a bonus review, where I'm
going to walk through some actual
examples with you. And maybe I'll give
you guys a bonus document. But let's see,
okay. And at the end I'll give about 10
minutes or so for questions.
So let's go ahead and start with our
introduction to IT audit.
I'm not going to go in depth into this
like I said, I have a training on my
YouTube channel that you guys can watch.
But, I do want to introduce this in
today's training because I want you to
understand what audits are before we
talk about walkthroughs, right. So, what's
an audit at the end of the day, you know,
people have different definitions of
what it is, but IT audit at the end of
the day, if you want to use simple terms,
is an examination of the organization
systems to determine if controls are
operating effectively. So systems usually
have controls in there, and for controls.
Again, the prior training I mentioned
will have that but think of a control as
like a password control, right. When you
want to log into your computer, you have
to put in a password,
or maybe your e-mail you have to put
in a password that's a control. So,
organization systems have controls, as
well,
and this controls right.
In order, part of an I.T audit is
testing and examining those systems to
determine if those controls are
operating effectively because if they
are not operating effectively, then the
security of that system right is in
question. And you might be wondering, "Well,
why should I be concerned about the
security or of a system or whether the
controls are operating effectively," and
the reason is one you want to mitigate
risks, right. You don't want people having
inappropriate access to your systems, so
when I say, "You, I'm in the
organization," an organization doesn't
want people having inappropriate access
to the systems. So, it's important to have
controls in place to ensure that that
security is there. And as the I.T auditor,
right, part of your audit objective or
your control objective for your test is
determining if security controls are in
place. So you are examining those systems
to see if those controls are effective
in mitigating risks, like I said for
example security risks or just even
medium compliance and regulatory
requirements, right. So in the US, we have
servings, okay. Other countries have
similar laws and standards as well. We
have PCI, SOX, SSA 18, right. So, all those
standards depending on what your
organization needs to comply with then
the audit is going to take place to
examine and determine if those controls
are meeting those requirements, okay. So
that's a summary of what we have of
what IT audits are.
So,
there are three key phases of IT
audience, all right. So we have the audio
planning phase we have our field
workplace, and this is where you have the
walkthrough, so that's where the
walkthroughs are performed, and you also
have the reporting and the follow-up
phase. So I'm going to again summarize
this. So that I set the stage for what
we really want to talk about today, so in
your audit planning phase right. This is
where you're understanding the
organization trying to define the scope,
and the objective and also trying to
identify what tests you perform so
you're essentially just planning for the
audit in that phase. Now, the field work
phase is, kind of, I'll say, that's where
the medium potatoes are right. I guess
when you do the real field work for the
audit you do your testing and all of
that. But, before you actually start
testing, you have to perform your
walkthroughs, and I'm going to come back
to the World Series after I finish the
third stage or the third phase.
The third phase is where you do the
reporting, so you finish planning, you've
done the actual testing, and you have
results then in the third phase, you're
doing your reporting, and your follow-up.
So, this is where you type up the report
to management on the results. And if
there were any issues identified, you can
go back, and retest to confirm whether or
not, they've been addressed. So those are
the three phases of an audit. Now, I want
to dial in on that walk through piece
because
there are many moving parts, right. So as
you can imagine an audit is like a
pretty big project, right. So, there are
many moving pieces and today, I'm now
going to focus on the IT audio
walkthrough piece right again. The IT or
the walkthrough is part of the field
work phase.
So now, let's talk about what are IT? What
other walkthroughs or what, I'm not sure
if you know, maybe if you've
you rented an apartment, or you bought
a house before they give you the keys,
right. You, kind of, they will take you to
what they call a walkthrough. Typically,
right, you just go in kind of just look
at how things are before they give you
the keys and say, "Okay, we agree that this
is the state that you're giving us the
house or the apartment in or whatnot." So
if you think about that it's not exactly
the same, but a walkthrough from the IT audit
perspective is you getting a better
understanding of the I.T control
environment of the company.
So what you do at the beginning of the
audit, because you're an auditor right,
you're not I.T. You're not, if you're an
external auditor, you're not working in
the company right. So you can't assume
that you know everything about that
company. You can't assume that you know
their control environment. So the reason
for that walkthrough is for the auditors
to get a better understanding, right, of
the control environment that they're
going to be auditing. So, it's absolutely
critical because if you don't conduct
your walkthrough effectively, you might
have gaps in your understanding of the
control environment, and that's going to
ultimately impact right the quality of
the control procedures that you choose
to perform and your understanding of the
impact of the risk. So, walkthroughs are
very important because that's where you
really get a good understanding of that
environment, and a key part of that is
that you have to include key players and
the control owners from I.T. So, you're
not just going to have a random set of
people in your work just giving you
information about the environment. You
have to understand that you have to
invite the right players. So if for your
IT audit walkthrough, you probably have
their management levels there right the
people that are responsible for those
controls. So the control owners you want
to make sure that they are in the room
with you or on Zoom if it's virtual,
right, explaining their an I.T
environment. And even if they're not the
key control owner, but they have a part
in the process.
And, they're a key player or key
stakeholder then you want to make sure
that they're also in the room with you
because if not, then again, you run the
risk of not having that information on
the control environment. So it's
important to have the key players and
especially the control owners in the
meeting where you're having that walk
through and one of the things that
you would test there or that you could
test, there is a test of design again if
you don't know what test of design is,
you can watch my prior video, and I'll
probably link it when I post this on
YouTube, so you can see that video where
I talk about test of design in terms of
operating effectiveness. So depending on
the control that you're testing or the
controls that you're reviewing during
your walkthroughs, you may be able to
perform some tests of design there. Okay.
So again, just to summarize this why
didn't we conduct I.T audit walkthroughs,
it's to understand or better understand
the control environment. The I.T control
environment that you'll be testing, you
should include the key players
stakeholders and control owners from it.
And during this, you may be able to test
the design of controls as, well, okay, one
thing I do want to stay here before we
move on to the next area is that
you'll go through questions should be
worded properly, right. So that you can
get useful responses from those that
you're interviewing. So let me pause here
for a second. Have you guys ever asked a
question and then you got the wrong
answer back? Let me see you guys in the
chat just to make sure, you guys are
still here with me. Have you ever asked
the question and the kind of answers
you're getting, you're like, "Okay, maybe I
asked the wrong question."
Yeah? Okay, so that's the same thing for
walkthroughs. So it takes some skill,
right? You need to know what questions
that you should ask in order to be able
to get the right risk. I don't want to
use the word, right because it's not
really right and wrong, but in order to
get
good responses, right. Useful responses
where you when you're actually testing
it makes sense not the kind of response
is that when you start testing, it's like
okay what they said doesn't make sense
based on what I'm looking at right. So,
that's a skill you'll need to gain as
you go through your walkthroughs because
if you don't write, then you run the
risk of not getting the responses that
will be useful to you in performing your
audience. So um here is the bonus part
I'm going to now give you a couple of
examples so that you know again I like
practical teaching so that this can be
real to you okay so let's look at some
um sample questions and there are
different parts of it audits I'm going
to look at couple of questions and
logical security
so logical security this is around
access to systems we're not going to go
deep into logical security itself but
let's talk about what are some questions
right so you want you're going to have
different levels to your questions so
for example you start off with describe
the user access provisioning process
this is open-ended you want to give them
the opportunity to describe the whole
process for you and then you can go
deeper right so who has authority to
approve users and their privileged
levels so you again you're starting
higher getting a broader understanding
of the environment and their process and
then you can ask deeper questions based
on the controls that you're testing so
these are just a few examples for you to
see what you might ask during a
walkthrough and then
um again let me look at change
management
so change management again is another
area that we test for in I during it
Audits and here you might also start
with describe the change management
process right again Study High Level
giving them the opportunity to describe
the process to you end to end and then
you ask who's required to approve
changes for example so that's a little
bit more um you're diving deeper into
maybe one of the controls to get a
better understanding of that particular
control area okay so
um hopefully that was helpful for you
guys do you guys feel like you have a
better understanding of what
walkthroughs are now yep okay good good
I see yes uh thank you Diamond Lake con
thank you Ashley so that's really what I
wanted to cover here today again this is
intended to be a short training session
just bite size so that you understand
um some unique areas in the audit space
that would help you all right so
um rainbow said basically to understand
the yeah so to understand the IC control
environment and that would help you when
you're putting together your um
procedures of Performing your test for
your it audit all right so now let's do
a summary I promise you there'll be some
time for Q a at the end let me see if
you guys have any questions if you have
questions you can put them in the Q a
section and I'll take a few minutes to
answer them here but let me do a quick
summary for you guys because I know some
of you
um joined after we already started
um just to summarize what we talked
about here today we started off by just
going through an introduction to it
audits right uh again if you want more
information there you can watch that
video I have on the channel and then we
talked about the I.T audit faces right
what are the phases so let me pause
before I answer the question in the chat
can you tell me what are the phases that
we talked about today
awesome thanks Bob
oh second phase
thank you and then one more
reporting and follow awesome awesome on
what phase do we have the Ito
walkthroughs
walk through his field work so the field
work isn't um the ID audio walkthrough
happens in the field work stage and this
is where again you're getting a better
understanding of the environment you're
talking to the control owners and you're
talking to the uh all the key
stakeholders in the I.T space and then
we just walk through a few examples so
that you can see how
um how walkthroughs are conducted okay
so I'm going to pause now let's see if
you guys have any questions I did tell
you it's going to be about 30 minutes so
I want to make sure that we don't go
over time what questions do you guys
have
you guys have any questions or was this
straightforward for you guys
okay so great question Nick and Nick is
asking can walkthroughs be done
virtually or does he have to be in
person
um it can be done virtually so if you
think about the pandemic right where
everyone no one went out right if we
weren't going to the office we're all
working remotely a lot of those
walkthroughs were performed remotely
because you can have interviews now the
difference would be physical security
will views where you have to physically
walk through a data center for example
then you'll have to physically go there
but other than that for the most part
you can have them virtually it can be in
a meeting on Zoom or whatever meeting
software your organization uses
um rough is asking which video should
you focus on
um I'll say that depends on your
interest right because I have a lot of
videos on different areas so you you can
select the one that you want I'm trying
to do a better job posting I'm pretty
busy I have a full-time job so training
is not the only thing I do
um so I'm trying to do a better job
posting but I'll say watch the video
that makes sense to you all right so
um oh what she was asking walkthroughs
seem to be like something to be done to
enhance your planning how come it's in
the field work phase
um it depends on your definition of
enhancing your planning right because
planning you're not really doing any
work right in planning you actually
determine what areas you need to test
and that will then determine what areas
you need to do your walk through right
because you don't necessarily need to
test all the areas of I.T depending on
the scope of your audit so planning is
more scope focused once you identify
your scope and then you know the areas
you want to test then it's reasonable
that you would then go do walkthroughs
for that area you don't need to do
walkthroughs for everything definitely
you don't need to do a walk through for
an area you don't need to test okay so
hopefully that addressed the question
um the last one I see here
so Laker is asking what it audit
applications are used as a side Erp
systems
um I don't know that that question is
really accurate
um because you're talking about two
different things so when you say it
audit applications Erp systems those are
two different things so maybe you want
to reward that question let me better
understand if you're talking about
applications that the audit team uses
for their audit and GRC you have
servicenow orchard all of that and then
the Erp systems are not audit systems
Erp systems are systems that the
organization is using for their
operational needs right so those are two
different things so hopefully that helps
all right
um and she Iggy is asking what's the
name of the YouTube channel it's your
I.T career maybe I'll find the link hold
on
I'll put it in the record when I post
the recording I'll send an email out and
I'll just um I'll give you guys access
to that because I don't know that I have
a handy let's see
um
what's the difference between internal
and external audit so sure I will refer
you to my YouTube channel for that just
because I have another video that goes
into that in depth so I think that'll
probably be more beneficial to you okay
um Sarah is asking you missed the
training yes the recording is going to
be on YouTube so I was transparent I was
planning to record this for YouTube
anyways and instead of recording it by
myself I decided to invite you guys to
listen to me record it live so let's say
in the next couple of days or so you
guys should see it on YouTube the
difference is those that are here live
get to and ask questions okay
all right so let's now go to let's see
if there any other questions I will be
wrapping up in a few minutes
in Lincoln said got it okay good
so she always asking can virtual audit
be done for a physical Operation Center
um it depends on the objective it
depends on what you're testing but
typically if the con it depends on the
controls so if you don't understand what
controls are again let me see if I can
find that channel for you uh but it's
the control is what's going to determine
how you perform right so you can't just
take an audit what what are you actually
testing because if the control is a
physical control that someone needs to
see Right Touch or whatever then you
will need to do that physically but if
it doesn't require physical presence
then if that control could be tested
virtually okay
all right let's see if there's any more
question if there are any more questions
hey so good good good so thank you guys
for joining me here today now did you
guys let
all some media is asking do I have
resume workshops on it audits do you
mean just training on how to do your
your resume is that what you're asking
awesome media okay so I don't do
workshops on resume training however I
have covered the topic before where I
talked about resume mistakes that you
might make in it audit so if and I think
I actually have that on my YouTube
channel as well so if you go there I
think I have one training where I talk
about resume mistakes that you might be
making
um so I don't do workshops and that now
in my full-blown comprehensive training
I do provide resume training for my
students I bring in like a live
professional resume writer to come give
training to students in one of my
courses so that's something I provide
because you resume is not just about
finding a template online and putting it
together right your resume should
reflect what you know your experience I
think okay I'll answer one more question
because we have just one more minute
um did we do control testing in the
process of walkthrough only check the
design
um typically during your walkthrough
you're just that's where you're really
doing your design review depending on
the control you may not even be able to
really finish that in the walkthrough
but you would look at that there however
additional testing will be needed to
finish your testing procedures okay all
right so I think we're up on time here
today thank you guys for joining me if
you guys learned something I promise to
you guys you will learn something all
right great great great so before we go
let me just make sure there's a free
Italy career guide so this guide has
been downloaded so so many times by so
many people let me put it in the chat
and it's also going to be available in
the YouTube link when I'm done but if
you guys want the guide for those
interested in it audits go ahead and
download this guide
um and it just walks through some things
that you need to know so make sure you
download that guide um it's free I'm not
charging you for that at all and um I'm
not sure how often I'll do this free
training maybe once a month I don't know
but if you're on my email list so if you
get that guy for example you'll be on my
email list and you'll get invited to
this I don't publicize this small
meetings anywhere else it's just going
to be for those on my email list I think
I scroll too fast okay there it is all
right so thank you guys you guys have a
great rest of your day bye