0:00:03.179,0:00:05.580 All right. So good morning, guys, and thank 0:00:05.580,0:00:08.340 you for joining me here today. So, today, I 0:00:08.340,0:00:10.320 just wanted to do a quick training on IT 0:00:10.320,0:00:13.500 audit walkthroughs, and to be honest, I 0:00:13.500,0:00:14.940 was planning to record this by myself 0:00:14.940,0:00:17.039 and then I decided, you know what, why not 0:00:17.039,0:00:19.260 just make it a live training and see if 0:00:19.260,0:00:21.960 others are interested in joining, and you 0:00:21.960,0:00:24.420 guys are. So, thank you for joining. 0:00:24.420,0:00:25.980 It's going to be short. This is just 0:00:25.980,0:00:28.859 going to be 30 minutes, maybe about 15-20 0:00:28.859,0:00:30.539 minutes of training. And then, I'll see if 0:00:30.539,0:00:32.279 you guys have any questions. 0:00:32.279,0:00:34.020 It's intended for YouTube, for 0:00:34.020,0:00:36.420 transparency's sake. So, it will be recorded 0:00:36.420,0:00:38.760 to YouTube, but the difference is those 0:00:38.760,0:00:41.160 that are here live with me, you get to 0:00:41.160,0:00:42.960 ask questions, and those on YouTube can't 0:00:42.960,0:00:45.360 ask questions, right. So, let's go ahead 0:00:45.360,0:00:47.460 and get started. If you guys are ready to 0:00:47.460,0:00:49.500 get started, okay. You let me know. Yep, yep, 0:00:49.500,0:00:50.399 yep. 0:00:50.399,0:00:53.940 All right. So awesome, awesome. So let's go 0:00:53.940,0:00:56.460 ahead and get started here. Thank you for 0:00:56.460,0:00:59.219 joining me here today for a training on 0:00:59.219,0:01:01.980 IT audit walkthroughs. So in today's 0:01:01.980,0:01:04.979 training, I just want to give you guys 0:01:04.979,0:01:07.500 a quick overview or an introduction 0:01:07.500,0:01:10.619 to what IT audit walkthroughs are. 
I know 0:01:10.619,0:01:13.140 many of you might have been searching 0:01:13.140,0:01:14.939 the internet trying to find additional 0:01:14.939,0:01:17.340 information on audits, and you may have 0:01:17.340,0:01:19.680 seen the word walkthrough, right. And you 0:01:19.680,0:01:21.600 don't understand what that is. So today, 0:01:21.600,0:01:22.740 I'm just going to give you an 0:01:22.740,0:01:24.960 introduction to that. And then, we'll see 0:01:24.960,0:01:26.759 if you guys have any questions related 0:01:26.759,0:01:28.200 to the topic. 0:01:28.200,0:01:30.600 Later on, all right. So, I see more of 0:01:30.600,0:01:32.220 you joining. Thank you for joining, guys. 0:01:32.220,0:01:35.520 So, before we get started, very brief 0:01:35.520,0:01:37.380 introduction to myself. I don't want to 0:01:37.380,0:01:39.119 take too much time here. 0:01:39.119,0:01:40.380 But for those, that are just meeting 0:01:40.380,0:01:42.979 me for the first time. My name is Peju Adedeji. 0:01:42.979,0:01:45.780 I have over 18 years of experience in 0:01:45.780,0:01:48.479 the I.T space. A lot of that is around IT 0:01:48.479,0:01:52.979 audit GRC program management. All in the 0:01:52.979,0:01:55.979 audit and compliance space really. My 0:01:55.979,0:01:57.659 passion is teaching. That's one of the 0:01:57.659,0:01:59.759 things that I've always loved to do. So, 0:01:59.759,0:02:02.040 I'm also a career coach where I help 0:02:02.040,0:02:04.200 people that are looking to start their 0:02:04.200,0:02:06.899 careers in I.T cyber security audit, and 0:02:06.899,0:02:08.098 compliance. 0:02:08.098,0:02:12.120 Okay, for me, I like practical training 0:02:12.120,0:02:13.980 recently joined the Forbes coaches 0:02:13.980,0:02:15.840 council. Again, I really love teaching so 0:02:15.840,0:02:18.660 I like to be with other coaches trying 0:02:18.660,0:02:21.180 to develop myself so that I can help my 0:02:21.180,0:02:23.040 students as well. 
0:02:23.040,0:02:24.599 This year, we've already had multiple 0:02:24.599,0:02:26.340 six-figure salaries that have come in 0:02:26.340,0:02:29.280 our program, and so I I'm really excited 0:02:29.280,0:02:31.500 about what we're doing. So let's go ahead 0:02:31.500,0:02:34.020 and get started with the training for 0:02:34.020,0:02:35.220 today. 0:02:35.220,0:02:38.040 So here are the topics for today. 0:02:38.040,0:02:39.540 We're going to go over an 0:02:39.540,0:02:41.459 introduction to IT audit at a higher 0:02:41.459,0:02:43.319 level. So if you are not familiar with 0:02:43.319,0:02:45.060 this you can probably check my YouTube 0:02:45.060,0:02:47.220 channel. And you see the training, I've 0:02:47.220,0:02:49.260 done it on this in the past. 0:02:49.260,0:02:51.000 But I'm going to just introduce that 0:02:51.000,0:02:52.860 because I know some people that are here 0:02:52.860,0:02:55.860 today may not right have watched any 0:02:55.860,0:02:58.379 of my videos before or attended any of 0:02:58.379,0:03:00.540 my training. And then, we'll talk about 0:03:00.540,0:03:03.300 the IT audit phases because it's during 0:03:03.300,0:03:05.459 this discussion that we're then going to 0:03:05.459,0:03:06.780 talk about walkthroughs, because 0:03:06.780,0:03:09.660 walkthroughs that's one of the phases or 0:03:09.660,0:03:12.300 part of one of the phases. And there's 0:03:12.300,0:03:13.920 going to be a bonus review, where I'm 0:03:13.920,0:03:15.300 going to walk through some actual 0:03:15.300,0:03:17.819 examples with you. And maybe I'll give 0:03:17.819,0:03:19.680 you guys a bonus document. But let's see, 0:03:19.680,0:03:22.440 okay. And at the end I'll give about 10 0:03:22.440,0:03:24.659 minutes or so for questions. 0:03:24.659,0:03:27.659 So let's go ahead and start with our 0:03:27.659,0:03:29.819 introduction to IT audit. 
0:03:29.819,0:03:31.620 I'm not going to go in depth into this 0:03:31.620,0:03:33.900 like I said, I have a training on my 0:03:33.900,0:03:35.400 YouTube channel that you guys can watch. 0:03:35.400,0:03:37.920 But, I do want to introduce this in 0:03:37.920,0:03:39.900 today's training because I want you to 0:03:39.900,0:03:42.239 understand what audits are before we 0:03:42.239,0:03:44.940 talk about walkthroughs, right. So, what's 0:03:44.940,0:03:47.700 an audit at the end of the day, you know, 0:03:47.700,0:03:49.500 people have different definitions of 0:03:49.500,0:03:52.140 what it is, but IT audit at the end of 0:03:52.140,0:03:54.120 the day, if you want to use simple terms, 0:03:54.120,0:03:57.120 is an examination of the organization 0:03:57.120,0:04:00.120 systems to determine if controls are 0:04:00.120,0:04:02.879 operating effectively. So systems usually 0:04:02.879,0:04:05.159 have controls in there, and for controls. 0:04:05.159,0:04:06.780 Again, the prior training I mentioned 0:04:06.780,0:04:09.180 will have that but think of a control as 0:04:09.180,0:04:11.519 like a password control, right. When you 0:04:11.519,0:04:13.080 want to log into your computer, you have 0:04:13.080,0:04:14.580 to put in a password, 0:04:14.580,0:04:16.079 or maybe your e-mail you have to put 0:04:16.079,0:04:18.720 in a password that's a control. So, 0:04:18.720,0:04:21.478 organization systems have controls, as 0:04:21.478,0:04:22.260 well, 0:04:22.260,0:04:24.840 and this controls right. 0:04:24.840,0:04:27.060 In order, part of an I.T audit is 0:04:27.060,0:04:30.660 testing and examining those systems to 0:04:30.660,0:04:32.400 determine if those controls are 0:04:32.400,0:04:34.500 operating effectively because if they 0:04:34.500,0:04:36.900 are not operating effectively, then the 0:04:36.900,0:04:38.940 security of that system right is in 0:04:38.940,0:04:42.000 question. 
And you might be wondering, "Well, 0:04:42.000,0:04:44.340 why should I be concerned about the 0:04:44.340,0:04:46.800 security of a system or whether the 0:04:46.800,0:04:49.139 controls are operating effectively," and 0:04:49.139,0:04:51.180 the reason is, one, you want to mitigate 0:04:51.180,0:04:53.520 risks, right. You don't want people having 0:04:53.520,0:04:56.400 inappropriate access to your systems, so 0:04:56.400,0:04:58.320 when I say "you," I mean the 0:04:58.320,0:05:00.360 organization. An organization doesn't 0:05:00.360,0:05:02.759 want people having inappropriate access 0:05:02.759,0:05:06.300 to the systems. So, it's important to have 0:05:06.300,0:05:08.759 controls in place to ensure that that 0:05:08.759,0:05:11.580 security is there. And as the I.T auditor, 0:05:11.580,0:05:13.560 right, part of your audit objective or 0:05:13.560,0:05:15.900 your control objective for your test is 0:05:15.900,0:05:18.120 determining if security controls are in 0:05:18.120,0:05:20.820 place. So you are examining those systems 0:05:20.820,0:05:23.160 to see if those controls are effective 0:05:23.160,0:05:25.259 in mitigating risks, like I said, for 0:05:25.259,0:05:27.600 example, security risks, or just even 0:05:27.600,0:05:29.940 meeting compliance and regulatory 0:05:29.940,0:05:32.460 requirements, right. So in the US, we have 0:05:32.460,0:05:34.320 Sarbanes, okay. Other countries have 0:05:34.320,0:05:36.600 similar laws and standards as well. We 0:05:36.600,0:05:40.500 have PCI, SOX, SSAE 18, right. So, all those 0:05:40.500,0:05:42.840 standards, depending on what your 0:05:42.840,0:05:46.139 organization needs to comply with, then 0:05:46.139,0:05:48.300 the audit is going to take place to 0:05:48.300,0:05:50.759 examine and determine if those controls 0:05:50.759,0:05:54.060 are meeting those requirements, okay. So 0:05:54.060,0:05:57.900 that's a summary of what we have, of 0:05:57.900,0:06:00.000 what IT audits are. 
0:06:00.000,0:06:01.800 So, 0:06:01.800,0:06:03.539 there are three key phases of IT 0:06:03.539,0:06:05.940 audits, all right. So we have the audit 0:06:05.940,0:06:08.280 planning phase, we have our field 0:06:08.280,0:06:10.440 work phase, and this is where you have the 0:06:10.440,0:06:11.699 walkthrough, so that's where the 0:06:11.699,0:06:13.860 walkthroughs are performed, and you also 0:06:13.860,0:06:15.660 have the reporting and the follow-up 0:06:15.660,0:06:18.180 phase. So I'm going to again summarize 0:06:18.180,0:06:21.180 this so that I set the stage for what 0:06:21.180,0:06:23.639 we really want to talk about today. So in 0:06:23.639,0:06:25.440 your audit planning phase, right, this is 0:06:25.440,0:06:26.699 where you're understanding the 0:06:26.699,0:06:29.940 organization, trying to define the scope 0:06:29.940,0:06:32.400 and the objective, and also trying to 0:06:32.400,0:06:35.340 identify what tests you perform, so 0:06:35.340,0:06:37.620 you're essentially just planning for the 0:06:37.620,0:06:40.620 audit in that phase. Now, the field work 0:06:40.620,0:06:42.240 phase is, kind of, I'll say, that's where 0:06:42.240,0:06:43.680 the meat and potatoes are, right. I guess 0:06:43.680,0:06:46.620 when you do the real field work for the 0:06:46.620,0:06:48.900 audit, you do your testing and all of 0:06:48.900,0:06:51.000 that. But, before you actually start 0:06:51.000,0:06:53.100 testing, you have to perform your 0:06:53.100,0:06:54.780 walkthroughs, and I'm going to come back 0:06:54.780,0:06:57.360 to the walkthroughs after I finish the 0:06:57.360,0:06:59.460 third stage or the third phase. 0:06:59.460,0:07:01.680 The third phase is where you do the 0:07:01.680,0:07:04.259 reporting, so you finish planning, you've 0:07:04.259,0:07:06.180 done the actual testing, and you have 0:07:06.180,0:07:08.819 results, then in the third phase, you're 0:07:08.819,0:07:10.740 doing your reporting and your follow-up. 
0:07:10.740,0:07:12.720 So, this is where you type up the report 0:07:12.720,0:07:15.419 to management on the results. And if 0:07:15.419,0:07:17.819 there were any issues identified, you can 0:07:17.819,0:07:20.580 go back and retest to confirm whether or 0:07:20.580,0:07:23.220 not they've been addressed. So those are 0:07:23.220,0:07:27.120 the three phases of an audit. Now, I want 0:07:27.120,0:07:29.280 to dial in on that walkthrough piece 0:07:29.280,0:07:30.419 because 0:07:30.419,0:07:32.880 there are many moving parts, right. So as 0:07:32.880,0:07:34.500 you can imagine, an audit is like a 0:07:34.500,0:07:36.479 pretty big project, right. So, there are 0:07:36.479,0:07:39.120 many moving pieces, and today, I'm now 0:07:39.120,0:07:41.039 going to focus on the IT audit 0:07:41.039,0:07:44.099 walkthrough piece, right. Again, the IT audit 0:07:44.099,0:07:46.080 walkthrough is part of the field 0:07:46.080,0:07:47.880 work phase. 0:07:47.880,0:07:51.479 So now, let's talk about what are IT 0:07:51.479,0:07:53.819 audit walkthroughs, or what, I'm not sure 0:07:53.819,0:07:56.160 if you know, maybe if you've 0:07:56.160,0:07:58.259 rented an apartment, or you bought 0:07:58.259,0:08:00.539 a house, before they give you the keys, 0:08:00.539,0:08:02.639 right. You, kind of, they will take you to 0:08:02.639,0:08:04.380 what they call a walkthrough. Typically, 0:08:04.380,0:08:06.599 right, you just go in, kind of just look 0:08:06.599,0:08:08.759 at how things are before they give you 0:08:08.759,0:08:11.220 the keys and say, "Okay, we agree that this 0:08:11.220,0:08:12.960 is the state that you're giving us the 0:08:12.960,0:08:15.900 house or the apartment in or whatnot." 
So 0:08:15.900,0:08:18.240 if you think about that it's not exactly 0:08:18.240,0:08:21.120 the same, but a walkthrough from the IT audit 0:08:21.120,0:08:23.840 perspective is you getting a better 0:08:23.840,0:08:26.220 understanding of the I.T control 0:08:26.220,0:08:28.379 environment of the company. 0:08:28.379,0:08:30.419 So what you do at the beginning of the 0:08:30.419,0:08:32.039 audit, because you're an auditor right, 0:08:32.039,0:08:34.320 you're not I.T. You're not, if you're an 0:08:34.320,0:08:36.059 external auditor, you're not working in 0:08:36.059,0:08:38.820 the company right. So you can't assume 0:08:38.820,0:08:40.679 that you know everything about that 0:08:40.679,0:08:42.360 company. You can't assume that you know 0:08:42.360,0:08:44.760 their control environment. So the reason 0:08:44.760,0:08:46.860 for that walkthrough is for the auditors 0:08:46.860,0:08:50.580 to get a better understanding, right, of 0:08:50.580,0:08:52.260 the control environment that they're 0:08:52.260,0:08:55.380 going to be auditing. So, it's absolutely 0:08:55.380,0:08:57.720 critical because if you don't conduct 0:08:57.720,0:09:00.420 your walkthrough effectively, you might 0:09:00.420,0:09:02.760 have gaps in your understanding of the 0:09:02.760,0:09:04.800 control environment, and that's going to 0:09:04.800,0:09:07.620 ultimately impact right the quality of 0:09:07.620,0:09:09.360 the control procedures that you choose 0:09:09.360,0:09:12.480 to perform and your understanding of the 0:09:12.480,0:09:15.120 impact of the risk. So, walkthroughs are 0:09:15.120,0:09:17.279 very important because that's where you 0:09:17.279,0:09:19.080 really get a good understanding of that 0:09:19.080,0:09:21.899 environment, and a key part of that is 0:09:21.899,0:09:25.560 that you have to include key players and 0:09:25.560,0:09:27.899 the control owners from I.T. 
So, you're 0:09:27.899,0:09:29.700 not just going to have a random set of 0:09:29.700,0:09:31.200 people in your walkthrough just giving you 0:09:31.200,0:09:33.180 information about the environment. You 0:09:33.180,0:09:34.920 have to understand that you have to 0:09:34.920,0:09:37.860 invite the right players. So for your 0:09:37.860,0:09:39.600 IT audit walkthrough, you probably have 0:09:39.600,0:09:41.700 their management levels there, right, the 0:09:41.700,0:09:43.560 people that are responsible for those 0:09:43.560,0:09:45.899 controls. So the control owners, you want 0:09:45.899,0:09:47.820 to make sure that they are in the room 0:09:47.820,0:09:50.160 with you, or on Zoom if it's virtual, 0:09:50.160,0:09:52.620 right, explaining their I.T 0:09:52.620,0:09:54.959 environment. And even if they're not the 0:09:54.959,0:09:57.180 key control owner, but they have a part 0:09:57.180,0:09:58.620 in the process 0:09:58.620,0:10:00.660 and they're a key player or key 0:10:00.660,0:10:02.880 stakeholder, then you want to make sure 0:10:02.880,0:10:04.680 that they're also in the room with you 0:10:04.680,0:10:08.220 because if not, then again, you run the 0:10:08.220,0:10:11.700 risk of not having that information on 0:10:11.700,0:10:13.680 the control environment. 
So it's 0:10:13.680,0:10:15.480 important to have the key players and 0:10:15.480,0:10:18.060 especially the control owners in the 0:10:18.060,0:10:19.860 meeting where you're having that 0:10:19.860,0:10:23.040 walkthrough, and one of the things that 0:10:23.040,0:10:24.660 you would test there, or that you could 0:10:24.660,0:10:27.060 test there, is a test of design. Again, if 0:10:27.060,0:10:28.800 you don't know what test of design is, 0:10:28.800,0:10:31.140 you can watch my prior video, and I'll 0:10:31.140,0:10:32.820 probably link it when I post this on 0:10:32.820,0:10:34.800 YouTube, so you can see that video where 0:10:34.800,0:10:36.839 I talk about test of design in terms of 0:10:36.839,0:10:39.600 operating effectiveness. So depending on 0:10:39.600,0:10:41.580 the control that you're testing or the 0:10:41.580,0:10:43.080 controls that you're reviewing during 0:10:43.080,0:10:45.420 your walkthroughs, you may be able to 0:10:45.420,0:10:48.120 perform some tests of design there. Okay. 0:10:48.120,0:10:51.360 So again, just to summarize this, why 0:10:51.360,0:10:53.399 do we conduct I.T audit walkthroughs? 0:10:53.399,0:10:55.800 It's to understand or better understand 0:10:55.800,0:10:57.720 the control environment, the I.T control 0:10:57.720,0:10:59.940 environment that you'll be testing. You 0:10:59.940,0:11:01.500 should include the key players, 0:11:01.500,0:11:04.200 stakeholders and control owners from IT. 0:11:04.200,0:11:06.839 And during this, you may be able to test 0:11:06.839,0:11:11.040 the design of controls as well. Okay, one 0:11:11.040,0:11:13.140 thing I do want to say here before we 0:11:13.140,0:11:16.140 move on to the next area is that 0:11:16.140,0:11:18.300 your walkthrough questions should be 0:11:18.300,0:11:20.760 worded properly, right, so that you can 0:11:20.760,0:11:22.980 get useful responses from those that 0:11:22.980,0:11:25.260 you're interviewing. So let me pause here 0:11:25.260,0:11:27.899 for a second. 
Have you guys ever asked a 0:11:27.899,0:11:29.820 question and then you got the wrong 0:11:29.820,0:11:32.220 answer back? Let me see you guys in the 0:11:32.220,0:11:33.779 chat just to make sure you guys are 0:11:33.779,0:11:35.339 still here with me. Have you ever asked 0:11:35.339,0:11:37.620 the question and the kind of answers 0:11:37.620,0:11:39.000 you're getting, you're like, "Okay, maybe I 0:11:39.000,0:11:40.920 asked the wrong question." 0:11:40.920,0:11:43.440 Yeah? Okay, so that's the same thing for 0:11:43.440,0:11:45.959 walkthroughs. So it takes some skill, 0:11:45.959,0:11:47.760 right? You need to know what questions 0:11:47.760,0:11:50.339 that you should ask in order to be able 0:11:50.339,0:11:52.140 to get the right risk. I don't want to 0:11:52.140,0:11:53.579 use the word "right" because it's not 0:11:53.579,0:11:55.980 really right and wrong, but in order to 0:11:55.980,0:11:57.000 get 0:11:57.000,0:11:59.579 good responses, right. Useful responses 0:11:59.579,0:12:01.680 where, when you're actually testing, 0:12:01.680,0:12:03.839 it makes sense, not the kind of responses 0:12:03.839,0:12:05.399 that, when you start testing, it's like, 0:12:05.399,0:12:06.839 "Okay, what they said doesn't make sense 0:12:06.839,0:12:09.240 based on what I'm looking at," right. So, 0:12:09.240,0:12:11.519 that's a skill you'll need to gain as 0:12:11.519,0:12:13.560 you go through your walkthroughs because 0:12:13.560,0:12:17.579 if you don't, right, then you run the 0:12:17.579,0:12:20.820 risk of not getting the responses that 0:12:20.820,0:12:23.579 will be useful to you in performing your 0:12:23.579,0:12:26.279 audits. So, here is the bonus part. 0:12:26.279,0:12:28.920 I'm going to now give you a couple of 0:12:28.920,0:12:31.260 examples so that, you know, again, I like 0:12:31.260,0:12:32.820 practical teaching, so that this can be 0:12:32.820,0:12:36.360 real to you, okay. 
So let's look at some 0:12:36.360,0:12:38.220 sample questions, and there are 0:12:38.220,0:12:40.440 different parts of IT audits. I'm going 0:12:40.440,0:12:42.300 to look at a couple of questions in 0:12:42.300,0:12:43.680 logical security. 0:12:43.680,0:12:46.260 So logical security, this is around 0:12:46.260,0:12:48.600 access to systems. We're not going to go 0:12:48.600,0:12:50.880 deep into logical security itself, but 0:12:50.880,0:12:52.620 let's talk about what are some questions, 0:12:52.620,0:12:56.100 right. So, you're going to have 0:12:56.100,0:12:58.260 different levels to your questions. So, 0:12:58.260,0:13:00.899 for example, you start off with "Describe 0:13:00.899,0:13:02.760 the user access provisioning process." 0:13:02.760,0:13:05.220 This is open-ended. You want to give them 0:13:05.220,0:13:06.720 the opportunity to describe the whole 0:13:06.720,0:13:08.820 process for you, and then you can go 0:13:08.820,0:13:11.700 deeper, right. So, "Who has authority to 0:13:11.700,0:13:13.620 approve users and their privilege 0:13:13.620,0:13:15.600 levels?" So again, you're starting 0:13:15.600,0:13:18.300 higher, getting a broader understanding 0:13:18.300,0:13:21.720 of the environment and their process, and 0:13:21.720,0:13:24.120 then you can ask deeper questions based 0:13:24.120,0:13:26.220 on the controls that you're testing. So, 0:13:26.220,0:13:28.019 these are just a few examples for you to 0:13:28.019,0:13:30.600 see what you might ask during a 0:13:30.600,0:13:32.639 walkthrough, and then 0:13:32.639,0:13:33.720 again, let me look at change 0:13:33.720,0:13:36.079 management. 0:13:36.300,0:13:38.399 So change management, again, is another 0:13:38.399,0:13:40.380 area that we test for in IT, during IT 0:13:40.380,0:13:42.720 audits, and here you might also start 0:13:42.720,0:13:44.100 with "Describe the change management 0:13:44.100,0:13:46.680 process," right. Again, 
Starting high level, 0:13:46.680,0:13:48.540 giving them the opportunity to describe 0:13:48.540,0:13:50.940 the process to you end to end, and then 0:13:50.940,0:13:52.980 you ask, "Who's required to approve 0:13:52.980,0:13:55.200 changes?" for example. So that's a little 0:13:55.200,0:13:58.740 bit more, you're diving deeper into 0:13:58.740,0:14:01.200 maybe one of the controls to get a 0:14:01.200,0:14:03.480 better understanding of that particular 0:14:03.480,0:14:06.480 control area, okay. So, 0:14:06.480,0:14:07.920 hopefully, that was helpful for you 0:14:07.920,0:14:09.360 guys. Do you guys feel like you have a 0:14:09.360,0:14:10.500 better understanding of what 0:14:10.500,0:14:13.800 walkthroughs are now? Yep, okay, good, good, 0:14:13.800,0:14:16.500 I see. Yes, thank you Diamond, Lake Paul, 0:14:16.500,0:14:19.139 thank you Ashley. So, that's really what I 0:14:19.139,0:14:21.540 wanted to cover here today. Again, this is 0:14:21.540,0:14:23.160 intended to be a short training session, 0:14:23.160,0:14:25.920 just bite-sized, so that you understand 0:14:25.920,0:14:28.920 some unique areas in the audit space 0:14:28.920,0:14:32.100 that would help you, all right. So, 0:14:32.100,0:14:33.720 Rainbow said, basically, to understand 0:14:33.720,0:14:36.420 the... yeah. So, to understand the IT control 0:14:36.420,0:14:39.480 environment, and that would help you when 0:14:39.480,0:14:41.399 you're putting together your 0:14:41.399,0:14:44.459 procedures of performing your test for 0:14:44.459,0:14:48.240 your IT audit. All right, so now let's do 0:14:48.240,0:14:50.399 a summary. I promise you there'll be some 0:14:50.399,0:14:53.459 time for Q&A at the end. Let me see if 0:14:53.459,0:14:55.620 you guys have any questions. If you have 0:14:55.620,0:14:57.600 questions, you can put them in the Q&A 0:14:57.600,0:14:59.940 section, and I'll take a few minutes to 0:14:59.940,0:15:02.160 answer them here. 
But let me do a quick 0:15:02.160,0:15:04.199 summary for you guys because I know some 0:15:04.199,0:15:05.279 of you 0:15:05.279,0:15:07.980 joined after we already started. 0:15:07.980,0:15:09.600 Just to summarize what we talked 0:15:09.600,0:15:12.180 about here today, we started off by just 0:15:12.180,0:15:13.860 going through an introduction to IT 0:15:13.860,0:15:16.800 audits, right. Again, if you want more 0:15:16.800,0:15:18.240 information there, you can watch that 0:15:18.240,0:15:20.459 video I have on the channel, and then we 0:15:20.459,0:15:22.740 talked about the IT audit phases, right? 0:15:22.740,0:15:24.720 What are the phases? So, let me pause 0:15:24.720,0:15:27.180 before I answer the question in the chat. 0:15:27.180,0:15:29.160 Can you tell me what are the phases that 0:15:29.160,0:15:32.000 we talked about today? 0:15:33.680,0:15:37.339 Awesome, thanks, Bob. 0:15:38.040,0:15:41.180 Second phase. 0:15:43.459,0:15:48.019 Thank you, and then one more. 0:15:48.720,0:15:52.139 Reporting and follow-up. Awesome, awesome. On 0:15:52.139,0:15:53.880 what phase do we have the IT 0:15:53.880,0:15:56.540 walkthroughs? 0:16:01.980,0:16:03.779 Walkthrough is field work. So the field 0:16:03.779,0:16:06.240 work is... the IT audit walkthrough 0:16:06.240,0:16:08.880 happens in the field work stage, and this 0:16:08.880,0:16:10.680 is where, again, you're getting a better 0:16:10.680,0:16:12.779 understanding of the environment. You're 0:16:12.779,0:16:14.880 talking to the control owners and you're 0:16:14.880,0:16:17.220 talking to the, all the key 0:16:17.220,0:16:19.680 stakeholders in the I.T space. And then 0:16:19.680,0:16:21.420 we just walked through a few examples so 0:16:21.420,0:16:23.220 that you can see how, 0:16:23.220,0:16:25.860 how walkthroughs are conducted, okay. 0:16:25.860,0:16:28.560 So I'm going to pause now, let's see if 0:16:28.560,0:16:31.139 you guys have any questions. 
I did tell 0:16:31.139,0:16:33.060 you it's going to be about 30 minutes. So 0:16:33.060,0:16:34.620 I want to make sure that we don't go 0:16:34.620,0:16:36.959 over time. What questions do you guys 0:16:36.959,0:16:38.940 have? 0:16:38.940,0:16:40.920 You guys have any questions, or was this 0:16:40.920,0:16:43.940 straightforward for you guys? 0:16:48.120,0:16:50.040 Okay, so great question, Nick. And Nick is 0:16:50.040,0:16:51.360 asking, can walkthroughs be done 0:16:51.360,0:16:52.920 virtually, or does it have to be in 0:16:52.920,0:16:53.699 person? 0:16:53.699,0:16:55.860 It can be done virtually, so if you 0:16:55.860,0:16:57.839 think about the pandemic, right? Where 0:16:57.839,0:17:00.120 everyone, no one went out, right? If we 0:17:00.120,0:17:01.320 weren't going to the office, we're all 0:17:01.320,0:17:03.360 working remotely, a lot of those 0:17:03.360,0:17:05.459 walkthroughs were performed remotely 0:17:05.459,0:17:07.859 because you can have interviews. Now, the 0:17:07.859,0:17:09.839 difference would be physical security 0:17:09.839,0:17:11.520 walkthroughs where you have to physically 0:17:11.520,0:17:13.740 walk through a data center, for example. 0:17:13.740,0:17:15.540 Then you'll have to physically go there, 0:17:15.540,0:17:17.339 but other than that, for the most part, 0:17:17.339,0:17:19.740 you can have them virtually. It can be in 0:17:19.740,0:17:22.919 a meeting on Zoom or whatever meeting 0:17:22.919,0:17:26.839 software your organization uses. 0:17:30.179,0:17:31.799 Someone is asking which video should 0:17:31.799,0:17:33.120 you focus on? 0:17:33.120,0:17:34.980 Um, I'll say that depends on your 0:17:34.980,0:17:36.900 interest, right. Because I have a lot of 0:17:36.900,0:17:40.320 videos on different areas, so you can 0:17:40.320,0:17:42.539 select the one that you want. I'm trying 0:17:42.539,0:17:45.000 to do a better job posting. I'm pretty 0:17:45.000,0:17:47.220 busy. 
I have a full-time job, so training 0:17:47.220,0:17:49.020 is not the only thing I do. 0:17:49.020,0:17:50.820 So, I'm trying to do a better job 0:17:50.820,0:17:52.500 posting, but I'll say watch the video 0:17:52.500,0:17:55.500 that makes sense to you, all right. So, 0:17:55.500,0:17:58.620 um oh, what she was asking walkthroughs 0:17:58.620,0:18:00.299 seem to be like something to be done to 0:18:00.299,0:18:02.700 enhance your planning. How come it's in 0:18:02.700,0:18:04.440 the field work phase? 0:18:04.440,0:18:06.720 It depends on your definition of 0:18:06.720,0:18:08.640 enhancing your planning right because 0:18:08.640,0:18:10.860 planning, you're not really doing any 0:18:10.860,0:18:12.900 work, right? In planning, you actually 0:18:12.900,0:18:15.480 determine what areas you need to test 0:18:15.480,0:18:18.059 and that will then determine what areas 0:18:18.059,0:18:19.620 you need to do your walk through, right. 0:18:19.620,0:18:21.960 Because you don't necessarily need to 0:18:21.960,0:18:24.900 test all the areas of I.T. depending on 0:18:24.900,0:18:27.120 the scope of your audit. So, planning is 0:18:27.120,0:18:29.520 more scope focused once you identify 0:18:29.520,0:18:31.980 your scope, and then you know the areas 0:18:31.980,0:18:34.020 you want to test, then it's reasonable 0:18:34.020,0:18:36.360 that you would then go do walkthroughs 0:18:36.360,0:18:38.039 for that area. You don't need to do 0:18:38.039,0:18:39.900 walkthroughs for everything definitely 0:18:39.900,0:18:41.640 you don't need to do a walkthrough for 0:18:41.640,0:18:44.760 an area you don't need to test, okay. So, 0:18:44.760,0:18:48.260 hopefully that addressed the question 0:18:48.299,0:18:52.039 the last one. I see here, 0:18:54.480,0:18:57.120 so Laker is asking what IT audit 0:18:57.120,0:18:59.400 applications are used as a side ERP 0:18:59.400,0:19:00.660 systems? 0:19:00.660,0:19:02.220 I don't know that. 
That question is 0:19:02.220,0:19:04.440 really accurate 0:19:04.440,0:19:06.059 because you're talking about two 0:19:06.059,0:19:07.440 different things. So when you say IT 0:19:07.440,0:19:10.440 audit applications, ERP systems, those are 0:19:10.440,0:19:11.940 two different things. So maybe you want 0:19:11.940,0:19:13.500 to reword that question. Let me better 0:19:13.500,0:19:15.299 understand. If you're talking about 0:19:15.299,0:19:17.700 applications that the audit team uses 0:19:17.700,0:19:20.280 for their audit and GRC, you have 0:19:20.280,0:19:23.039 ServiceNow, Archer, all of that, and then 0:19:23.039,0:19:25.380 the ERP systems are not audit systems. 0:19:25.380,0:19:27.900 ERP systems are systems that the 0:19:27.900,0:19:29.820 organization is using for their 0:19:29.820,0:19:32.520 operational needs, right. So those are two 0:19:32.520,0:19:34.440 different things, so hopefully that helps, 0:19:34.440,0:19:37.140 all right. 0:19:37.140,0:19:41.580 Um, NSHE Iggy is asking, "What's the 0:19:41.580,0:19:43.320 name of the YouTube channel?" It's your 0:19:43.320,0:19:46.200 I.T career, maybe I'll find the link. Hold 0:19:46.200,0:19:46.980 on. 0:19:46.980,0:19:49.200 I'll put it in the record when I post 0:19:49.200,0:19:51.480 the recording, I'll send an email out and 0:19:51.480,0:19:54.419 I'll just, I'll give you guys access 0:19:54.419,0:19:56.039 to that, because I don't know that I have 0:19:56.039,0:19:58.020 it handy. Let's see, 0:19:58.020,0:19:58.980 um. 0:19:58.980,0:20:00.780 What's the difference between internal 0:20:00.780,0:20:03.000 and external audit? So sure, I will refer 0:20:03.000,0:20:04.620 you to my YouTube channel for that just 0:20:04.620,0:20:06.600 because I have another video that goes 0:20:06.600,0:20:08.880 into that in depth. So I think that'll 0:20:08.880,0:20:14.000 probably be more beneficial to you, okay? 0:20:14.220,0:20:15.960 Sarah is asking, "You missed the 0:20:15.960,0:20:17.400 training?" 
Yes, the recording is going to 0:20:17.400,0:20:19.559 be on YouTube, so I was transparent. I was 0:20:19.559,0:20:20.940 planning to record this for YouTube 0:20:20.940,0:20:23.580 anyways, and instead of recording it by 0:20:23.580,0:20:25.440 myself, I decided to invite you guys to 0:20:25.440,0:20:27.960 listen to me record it live. So, let's say 0:20:27.960,0:20:29.580 in the next couple of days or so, you 0:20:29.580,0:20:31.500 guys should see it on YouTube. The 0:20:31.500,0:20:33.179 difference is those that are here live 0:20:33.179,0:20:37.020 get to ask questions, okay. 0:20:37.020,0:20:40.679 All right, so let's now go to, let's see 0:20:40.679,0:20:42.419 if there are any other questions. I will be 0:20:42.419,0:20:45.440 wrapping up in a few minutes. 0:20:46.440,0:20:51.200 Lincoln said, "Got it." Okay, good. 0:20:54.179,0:20:56.640 So she is asking, "Can virtual audit 0:20:56.640,0:20:58.860 be done for a Physical Operation Center?" 0:20:58.860,0:21:00.360 Um, it depends on the objective. It 0:21:00.360,0:21:02.160 depends on what you're testing, but 0:21:02.160,0:21:04.620 typically if the con... it depends on the 0:21:04.620,0:21:07.380 controls. So if you don't understand what 0:21:07.380,0:21:10.380 controls are, again, let me see if I can 0:21:10.380,0:21:13.320 find that channel for you, but it's 0:21:13.320,0:21:15.120 the control is what's going to determine 0:21:15.120,0:21:16.860 how you perform, right. So you can't just 0:21:16.860,0:21:19.260 take an audit, what, what are you actually 0:21:19.260,0:21:21.299 testing? Because if the control is a 0:21:21.299,0:21:22.980 physical control that someone needs to 0:21:22.980,0:21:26.640 see, right, touch or whatever, then you 0:21:26.640,0:21:28.679 will need to do that physically. But, if 0:21:28.679,0:21:30.720 it doesn't require physical presence, 0:21:30.720,0:21:32.880 then that control could be tested 0:21:32.880,0:21:35.760 virtually, okay. 
0:21:35.760,0:21:39.120 All right, let's see if there's any more 0:21:39.120,0:21:42.360 questions. If there are any more questions, 0:21:42.360,0:21:45.240 hey so, good good good. So thank you guys 0:21:45.240,0:21:47.820 for joining me here today now. Did you 0:21:47.820,0:21:49.200 guys let 0:21:49.200,0:21:52.260 all, some media is asking. Do I have 0:21:52.260,0:21:55.080 resume workshops on IT audits? Do you 0:21:55.080,0:21:56.640 mean just training on how to do 0:21:56.640,0:21:58.679 your resume, is that what you're asking 0:21:58.679,0:22:01.740 on some media? Okay, so I don't do 0:22:01.740,0:22:04.380 workshops on resume training. However, I 0:22:04.380,0:22:06.780 have covered the topic before where I 0:22:06.780,0:22:08.940 talked about resume mistakes that you 0:22:08.940,0:22:10.980 might make in IT audit. So if and I think 0:22:10.980,0:22:12.419 I actually have that on my YouTube 0:22:12.419,0:22:14.640 channel as well. So, if you go there, I 0:22:14.640,0:22:16.320 think I have one training where I talk 0:22:16.320,0:22:18.120 about resume mistakes that you might be 0:22:18.120,0:22:19.260 making. 0:22:19.260,0:22:21.539 So I don't do workshops and that now 0:22:21.539,0:22:24.659 in my full-blown comprehensive training. 0:22:24.659,0:22:27.299 I do provide resume training for my 0:22:27.299,0:22:29.179 students. I bring in like a live 0:22:29.179,0:22:31.559 professional resume writer to come give 0:22:31.559,0:22:34.200 training to students in one of my 0:22:34.200,0:22:36.480 courses. So that's something I provide. 0:22:36.480,0:22:38.820 Because your resume is not just about 0:22:38.820,0:22:40.980 finding a template online, and putting it 0:22:40.980,0:22:42.840 together right. Your resume should 0:22:42.840,0:22:46.140 reflect what, you know, your experience. I 0:22:46.140,0:22:47.760 think. Okay, I'll answer one more question 0:22:47.760,0:22:50.159 because we have just one more minute. 
0:22:50.159,0:22:52.020 Did we do control testing in the 0:22:52.020,0:22:53.580 process of walkthrough only check the 0:22:53.580,0:22:54.659 design? 0:22:54.659,0:22:56.039 Typically, during your walkthrough, 0:22:56.039,0:22:57.539 you're just, that's where you're really 0:22:57.539,0:22:59.760 doing your design review depending on 0:22:59.760,0:23:01.500 the control. You may not even be able to 0:23:01.500,0:23:03.179 really finish that in the walkthrough, 0:23:03.179,0:23:05.520 but you would look at that there. However, 0:23:05.520,0:23:07.500 additional testing will be needed to 0:23:07.500,0:23:10.440 finish your testing procedures. Okay all 0:23:10.440,0:23:12.720 right. So, I think we're up on time here 0:23:12.720,0:23:14.580 today. Thank you guys for joining me. If 0:23:14.580,0:23:16.200 you guys learned something, I promise to 0:23:16.200,0:23:18.240 you guys you will learn something. All 0:23:18.240,0:23:20.880 right. Great great great. So before we go 0:23:20.880,0:23:23.039 let me, just make sure there's a free 0:23:23.039,0:23:25.559 six-figure career guide. So this guide has 0:23:25.559,0:23:27.720 been downloaded so so many times by so 0:23:27.720,0:23:29.700 many people. Let me put it in the chat, 0:23:29.700,0:23:33.480 and it's also going to be available in 0:23:33.480,0:23:35.760 the YouTube link when I'm done. But if 0:23:35.760,0:23:37.380 you guys want the guide for those 0:23:37.380,0:23:39.780 interested in IT audits, go ahead and 0:23:39.780,0:23:41.760 download this guide. 0:23:41.760,0:23:44.520 Um and it just walks through some things 0:23:44.520,0:23:46.799 that you need to know, so make sure you 0:23:46.799,0:23:48.840 download that guide. It's free. I'm not 0:23:48.840,0:23:52.200 charging you for that at all. And um, I'm 0:23:52.200,0:23:53.820 not sure how often I'll do this free 0:23:53.820,0:23:55.500 training, maybe once a month. I don't know, 0:23:55.500,0:23:57.720 but if you're on my email list. 
So if you 0:23:57.720,0:23:59.640 get that guide, for example, you'll be on my 0:23:59.640,0:24:01.559 email list. And you'll get invited to 0:24:01.559,0:24:03.720 this. I don't publicize these small 0:24:03.720,0:24:05.940 meetings anywhere else. It's just going 0:24:05.940,0:24:09.000 to be for those on my email list. I think 0:24:09.000,0:24:11.700 I scroll too fast, okay. There it is. All 0:24:11.700,0:24:13.740 right, so thank you guys. You guys have a 0:24:13.740,0:24:17.480 great rest of your day. Bye.