1 00:00:03,179 --> 00:00:05,580 All right. So good morning, guys and thank 2 00:00:05,580 --> 00:00:08,340 you for joining me here today. So, today, I 3 00:00:08,340 --> 00:00:10,320 just wanted to do a quick training on IT 4 00:00:10,320 --> 00:00:13,500 audit walkthroughs, and to be honest, I 5 00:00:13,500 --> 00:00:14,940 was planning to record this by myself 6 00:00:14,940 --> 00:00:17,039 and then I decided, you know, what, why not 7 00:00:17,039 --> 00:00:19,260 just make it a live training and see if 8 00:00:19,260 --> 00:00:21,960 others are interested in joining, and you 9 00:00:21,960 --> 00:00:24,420 guys are. So, thank you for joining. 10 00:00:24,420 --> 00:00:25,980 It's going to be short. This is just 11 00:00:25,980 --> 00:00:28,859 going to be 30 minutes, maybe about 15-20 12 00:00:28,859 --> 00:00:30,539 minutes of training. And then, I'll see if 13 00:00:30,539 --> 00:00:32,279 you guys have any questions. 14 00:00:32,279 --> 00:00:34,020 It's intended for YouTube, for 15 00:00:34,020 --> 00:00:36,420 transparency sake. So, it will be recorded 16 00:00:36,420 --> 00:00:38,760 to YouTube, but the difference is those 17 00:00:38,760 --> 00:00:41,160 that are here live with me, you get to 18 00:00:41,160 --> 00:00:42,960 ask questions, and those on YouTube can't 19 00:00:42,960 --> 00:00:45,360 ask questions right. So, let's go ahead 20 00:00:45,360 --> 00:00:47,460 and get started. If you guys are ready to 21 00:00:47,460 --> 00:00:49,500 get started, okay. You let me know. Yep, yep, 22 00:00:49,500 --> 00:00:50,399 yep. 23 00:00:50,399 --> 00:00:53,940 All right. So awesome awesome. So let's go 24 00:00:53,940 --> 00:00:56,460 ahead, and get started here. Thank you for 25 00:00:56,460 --> 00:00:59,219 joining me here today for a training on 26 00:00:59,219 --> 00:01:01,980 IT audit walkthroughs. 
So in today's 27 00:01:01,980 --> 00:01:04,979 training, I just want to give you guys 28 00:01:04,979 --> 00:01:07,500 a quick overview or an introduction 29 00:01:07,500 --> 00:01:10,619 to what IT audit walkthroughs are. I know 30 00:01:10,619 --> 00:01:13,140 many of you might have been searching 31 00:01:13,140 --> 00:01:14,939 the internet trying to find additional 32 00:01:14,939 --> 00:01:17,340 information on audits, and you may have 33 00:01:17,340 --> 00:01:19,680 seen the word walkthrough, right. And you 34 00:01:19,680 --> 00:01:21,600 don't understand what that is. So today, 35 00:01:21,600 --> 00:01:22,740 I'm just going to give you an 36 00:01:22,740 --> 00:01:24,960 introduction to that. And then, we'll see 37 00:01:24,960 --> 00:01:26,759 if you guys have any questions related 38 00:01:26,759 --> 00:01:28,200 to the topic. 39 00:01:28,200 --> 00:01:30,600 Later on, all right. So, I see more of 40 00:01:30,600 --> 00:01:32,220 you joining. Thank you for joining, guys. 41 00:01:32,220 --> 00:01:35,520 So, before we get started, very brief 42 00:01:35,520 --> 00:01:37,380 introduction to myself. I don't want to 43 00:01:37,380 --> 00:01:39,119 take too much time here. 44 00:01:39,119 --> 00:01:40,380 But for those, that are just meeting 45 00:01:40,380 --> 00:01:42,979 me for the first time. My name is Peju Adedeji. 46 00:01:42,979 --> 00:01:45,780 I have over 18 years of experience in 47 00:01:45,780 --> 00:01:48,479 the I.T space. A lot of that is around IT 48 00:01:48,479 --> 00:01:52,979 audit GRC program management. All in the 49 00:01:52,979 --> 00:01:55,979 audit and compliance space really. My 50 00:01:55,979 --> 00:01:57,659 passion is teaching. That's one of the 51 00:01:57,659 --> 00:01:59,759 things that I've always loved to do. 
So, 52 00:01:59,759 --> 00:02:02,040 I'm also a career coach where I help 53 00:02:02,040 --> 00:02:04,200 people that are looking to start their 54 00:02:04,200 --> 00:02:06,899 careers in I.T cyber security audit, and 55 00:02:06,899 --> 00:02:08,098 compliance. 56 00:02:08,098 --> 00:02:12,120 Okay, for me, I like practical training 57 00:02:12,120 --> 00:02:13,980 recently joined the Forbes coaches 58 00:02:13,980 --> 00:02:15,840 council. Again, I really love teaching so 59 00:02:15,840 --> 00:02:18,660 I like to be with other coaches trying 60 00:02:18,660 --> 00:02:21,180 to develop myself so that I can help my 61 00:02:21,180 --> 00:02:23,040 students as well. 62 00:02:23,040 --> 00:02:24,599 This year, we've already had multiple 63 00:02:24,599 --> 00:02:26,340 six-figure salaries that have come in 64 00:02:26,340 --> 00:02:29,280 our program, and so I I'm really excited 65 00:02:29,280 --> 00:02:31,500 about what we're doing. So let's go ahead 66 00:02:31,500 --> 00:02:34,020 and get started with the training for 67 00:02:34,020 --> 00:02:35,220 today. 68 00:02:35,220 --> 00:02:38,040 So here are the topics for today. 69 00:02:38,040 --> 00:02:39,540 We're going to go over an 70 00:02:39,540 --> 00:02:41,459 introduction to IT audit at a higher 71 00:02:41,459 --> 00:02:43,319 level. So if you are not familiar with 72 00:02:43,319 --> 00:02:45,060 this you can probably check my YouTube 73 00:02:45,060 --> 00:02:47,220 channel. And you see the training, I've 74 00:02:47,220 --> 00:02:49,260 done it on this in the past. 75 00:02:49,260 --> 00:02:51,000 But I'm going to just introduce that 76 00:02:51,000 --> 00:02:52,860 because I know some people that are here 77 00:02:52,860 --> 00:02:55,860 today may not right have watched any 78 00:02:55,860 --> 00:02:58,379 of my videos before or attended any of 79 00:02:58,379 --> 00:03:00,540 my training. 
And then, we'll talk about 80 00:03:00,540 --> 00:03:03,300 the IT audit phases because it's during 81 00:03:03,300 --> 00:03:05,459 this discussion that we're then going to 82 00:03:05,459 --> 00:03:06,780 talk about walkthroughs, because 83 00:03:06,780 --> 00:03:09,660 walkthroughs that's one of the phases or 84 00:03:09,660 --> 00:03:12,300 part of one of the phases. And there's 85 00:03:12,300 --> 00:03:13,920 going to be a bonus review, where I'm 86 00:03:13,920 --> 00:03:15,300 going to walk through some actual 87 00:03:15,300 --> 00:03:17,819 examples with you. And maybe I'll give 88 00:03:17,819 --> 00:03:19,680 you guys a bonus document. But let's see, 89 00:03:19,680 --> 00:03:22,440 okay. And at the end I'll give about 10 90 00:03:22,440 --> 00:03:24,659 minutes or so for questions. 91 00:03:24,659 --> 00:03:27,659 So let's go ahead and start with our 92 00:03:27,659 --> 00:03:29,819 introduction to IT audit. 93 00:03:29,819 --> 00:03:31,620 I'm not going to go in depth into this 94 00:03:31,620 --> 00:03:33,900 like I said, I have a training on my 95 00:03:33,900 --> 00:03:35,400 YouTube channel that you guys can watch. 96 00:03:35,400 --> 00:03:37,920 But, I do want to introduce this in 97 00:03:37,920 --> 00:03:39,900 today's training because I want you to 98 00:03:39,900 --> 00:03:42,239 understand what audits are before we 99 00:03:42,239 --> 00:03:44,940 talk about walkthroughs, right. So, what's 100 00:03:44,940 --> 00:03:47,700 an audit at the end of the day, you know, 101 00:03:47,700 --> 00:03:49,500 people have different definitions of 102 00:03:49,500 --> 00:03:52,140 what it is, but IT audit at the end of 103 00:03:52,140 --> 00:03:54,120 the day, if you want to use simple terms, 104 00:03:54,120 --> 00:03:57,120 is an examination of the organization 105 00:03:57,120 --> 00:04:00,120 systems to determine if controls are 106 00:04:00,120 --> 00:04:02,879 operating effectively. 
So systems usually 107 00:04:02,879 --> 00:04:05,159 have controls in there, and for controls, 108 00:04:05,159 --> 00:04:06,780 again, the prior training I mentioned 109 00:04:06,780 --> 00:04:09,180 will have that but think of a control as 110 00:04:09,180 --> 00:04:11,519 like a password control, right. When you 111 00:04:11,519 --> 00:04:13,080 want to log into your computer, you have 112 00:04:13,080 --> 00:04:14,580 to put in a password, 113 00:04:14,580 --> 00:04:16,079 or maybe your e-mail you have to put 114 00:04:16,079 --> 00:04:18,720 in a password, that's a control. So, 115 00:04:18,720 --> 00:04:21,478 organization systems have controls, as 116 00:04:21,478 --> 00:04:22,260 well, 117 00:04:22,260 --> 00:04:24,840 and these controls, right. 118 00:04:24,840 --> 00:04:27,060 In order, part of an I.T audit is 119 00:04:27,060 --> 00:04:30,660 testing and examining those systems to 120 00:04:30,660 --> 00:04:32,400 determine if those controls are 121 00:04:32,400 --> 00:04:34,500 operating effectively because if they 122 00:04:34,500 --> 00:04:36,900 are not operating effectively, then the 123 00:04:36,900 --> 00:04:38,940 security of that system right is in 124 00:04:38,940 --> 00:04:42,000 question. And you might be wondering, "Well, 125 00:04:42,000 --> 00:04:44,340 why should I be concerned about the 126 00:04:44,340 --> 00:04:46,800 security or of a system or whether the 127 00:04:46,800 --> 00:04:49,139 controls are operating effectively," and 128 00:04:49,139 --> 00:04:51,180 the reason is one you want to mitigate 129 00:04:51,180 --> 00:04:53,520 risks, right. You don't want people having 130 00:04:53,520 --> 00:04:56,400 inappropriate access to your systems, so 131 00:04:56,400 --> 00:04:58,320 when I say "you," I mean the 132 00:04:58,320 --> 00:05:00,360 organization. An organization doesn't 133 00:05:00,360 --> 00:05:02,759 want people having inappropriate access 134 00:05:02,759 --> 00:05:06,300 to the systems. 
So, it's important to have 135 00:05:06,300 --> 00:05:08,759 controls in place to ensure that that 136 00:05:08,759 --> 00:05:11,580 security is there. And as the I.T auditor, 137 00:05:11,580 --> 00:05:13,560 right, part of your audit objective or 138 00:05:13,560 --> 00:05:15,900 your control objective for your test is 139 00:05:15,900 --> 00:05:18,120 determining if security controls are in 140 00:05:18,120 --> 00:05:20,820 place. So you are examining those systems 141 00:05:20,820 --> 00:05:23,160 to see if those controls are effective 142 00:05:23,160 --> 00:05:25,259 in mitigating risks, like I said for 143 00:05:25,259 --> 00:05:27,600 example security risks or just even 144 00:05:27,600 --> 00:05:29,940 meeting compliance and regulatory 145 00:05:29,940 --> 00:05:32,460 requirements, right. So in the US, we have 146 00:05:32,460 --> 00:05:34,320 servings, okay. Other countries have 147 00:05:34,320 --> 00:05:36,600 similar laws and standards as well. We 148 00:05:36,600 --> 00:05:40,500 have PCI, SOX, SSAE 18, right. So, all those 149 00:05:40,500 --> 00:05:42,840 standards depending on what your 150 00:05:42,840 --> 00:05:46,139 organization needs to comply with then 151 00:05:46,139 --> 00:05:48,300 the audit is going to take place to 152 00:05:48,300 --> 00:05:50,759 examine and determine if those controls 153 00:05:50,759 --> 00:05:54,060 are meeting those requirements, okay. So 154 00:05:54,060 --> 00:05:57,900 that's a summary of what we have of 155 00:05:57,900 --> 00:06:00,000 what IT audits are. 156 00:06:00,000 --> 00:06:01,800 So, 157 00:06:01,800 --> 00:06:03,539 there are three key phases of IT 158 00:06:03,539 --> 00:06:05,940 audits, all right. 
So we have the audit 159 00:06:05,940 --> 00:06:08,280 planning phase, we have our field 160 00:06:08,280 --> 00:06:10,440 work phase, and this is where you have the 161 00:06:10,440 --> 00:06:11,699 walkthrough, so that's where the 162 00:06:11,699 --> 00:06:13,860 walkthroughs are performed, and you also 163 00:06:13,860 --> 00:06:15,660 have the reporting and the follow-up 164 00:06:15,660 --> 00:06:18,180 phase. So I'm going to again summarize 165 00:06:18,180 --> 00:06:21,180 this. So that I set the stage for what 166 00:06:21,180 --> 00:06:23,639 we really want to talk about today, so in 167 00:06:23,639 --> 00:06:25,440 your audit planning phase right. This is 168 00:06:25,440 --> 00:06:26,699 where you're understanding the 169 00:06:26,699 --> 00:06:29,940 organization trying to define the scope, 170 00:06:29,940 --> 00:06:32,400 and the objective and also trying to 171 00:06:32,400 --> 00:06:35,340 identify what tests you perform so 172 00:06:35,340 --> 00:06:37,620 you're essentially just planning for the 173 00:06:37,620 --> 00:06:40,620 audit in that phase. Now, the field work 174 00:06:40,620 --> 00:06:42,240 phase is, kind of, I'll say, that's where 175 00:06:42,240 --> 00:06:43,680 the meat and potatoes are, right. I guess 176 00:06:43,680 --> 00:06:46,620 when you do the real field work for the 177 00:06:46,620 --> 00:06:48,900 audit you do your testing and all of 178 00:06:48,900 --> 00:06:51,000 that. But, before you actually start 179 00:06:51,000 --> 00:06:53,100 testing, you have to perform your 180 00:06:53,100 --> 00:06:54,780 walkthroughs, and I'm going to come back 181 00:06:54,780 --> 00:06:57,360 to the walkthroughs after I finish the 182 00:06:57,360 --> 00:06:59,460 third stage or the third phase. 
183 00:06:59,460 --> 00:07:01,680 The third phase is where you do the 184 00:07:01,680 --> 00:07:04,259 reporting, so you finish planning, you've 185 00:07:04,259 --> 00:07:06,180 done the actual testing, and you have 186 00:07:06,180 --> 00:07:08,819 results then in the third phase, you're 187 00:07:08,819 --> 00:07:10,740 doing your reporting, and your follow-up. 188 00:07:10,740 --> 00:07:12,720 So, this is where you type up the report 189 00:07:12,720 --> 00:07:15,419 to management on the results. And if 190 00:07:15,419 --> 00:07:17,819 there were any issues identified, you can 191 00:07:17,819 --> 00:07:20,580 go back, and retest to confirm whether or 192 00:07:20,580 --> 00:07:23,220 not, they've been addressed. So those are 193 00:07:23,220 --> 00:07:27,120 the three phases of an audit. Now, I want 194 00:07:27,120 --> 00:07:29,280 to dial in on that walkthrough piece 195 00:07:29,280 --> 00:07:30,419 because 196 00:07:30,419 --> 00:07:32,880 there are many moving parts, right. So as 197 00:07:32,880 --> 00:07:34,500 you can imagine an audit is like a 198 00:07:34,500 --> 00:07:36,479 pretty big project, right. So, there are 199 00:07:36,479 --> 00:07:39,120 many moving pieces and today, I'm now 200 00:07:39,120 --> 00:07:41,039 going to focus on the IT audit 201 00:07:41,039 --> 00:07:44,099 walkthrough piece, right. Again, the IT audit 202 00:07:44,099 --> 00:07:46,080 walkthrough is part of the field 203 00:07:46,080 --> 00:07:47,880 work phase. 204 00:07:47,880 --> 00:07:51,479 So now, let's talk about what are IT audit 205 00:07:51,479 --> 00:07:53,819 walkthroughs, or what, I'm not sure 206 00:07:53,819 --> 00:07:56,160 if you know, maybe if you've 207 00:07:56,160 --> 00:07:58,259 you rented an apartment, or you bought 208 00:07:58,259 --> 00:08:00,539 a house before they give you the keys, 209 00:08:00,539 --> 00:08:02,639 right. You, kind of, they will take you to 210 00:08:02,639 --> 00:08:04,380 what they call a walkthrough. 
Typically, 211 00:08:04,380 --> 00:08:06,599 right, you just go in kind of just look 212 00:08:06,599 --> 00:08:08,759 at how things are before they give you 213 00:08:08,759 --> 00:08:11,220 the keys and say, "Okay, we agree that this 214 00:08:11,220 --> 00:08:12,960 is the state that you're giving us the 215 00:08:12,960 --> 00:08:15,900 house or the apartment in or whatnot." So 216 00:08:15,900 --> 00:08:18,240 if you think about that it's not exactly 217 00:08:18,240 --> 00:08:21,120 the same, but a walkthrough from the IT audit 218 00:08:21,120 --> 00:08:23,840 perspective is you getting a better 219 00:08:23,840 --> 00:08:26,220 understanding of the I.T control 220 00:08:26,220 --> 00:08:28,379 environment of the company. 221 00:08:28,379 --> 00:08:30,419 So what you do at the beginning of the 222 00:08:30,419 --> 00:08:32,039 audit, because you're an auditor right, 223 00:08:32,039 --> 00:08:34,320 you're not I.T. You're not, if you're an 224 00:08:34,320 --> 00:08:36,059 external auditor, you're not working in 225 00:08:36,059 --> 00:08:38,820 the company right. So you can't assume 226 00:08:38,820 --> 00:08:40,679 that you know everything about that 227 00:08:40,679 --> 00:08:42,360 company. You can't assume that you know 228 00:08:42,360 --> 00:08:44,760 their control environment. So the reason 229 00:08:44,760 --> 00:08:46,860 for that walkthrough is for the auditors 230 00:08:46,860 --> 00:08:50,580 to get a better understanding, right, of 231 00:08:50,580 --> 00:08:52,260 the control environment that they're 232 00:08:52,260 --> 00:08:55,380 going to be auditing. 
So, it's absolutely 233 00:08:55,380 --> 00:08:57,720 critical because if you don't conduct 234 00:08:57,720 --> 00:09:00,420 your walkthrough effectively, you might 235 00:09:00,420 --> 00:09:02,760 have gaps in your understanding of the 236 00:09:02,760 --> 00:09:04,800 control environment, and that's going to 237 00:09:04,800 --> 00:09:07,620 ultimately impact right the quality of 238 00:09:07,620 --> 00:09:09,360 the control procedures that you choose 239 00:09:09,360 --> 00:09:12,480 to perform and your understanding of the 240 00:09:12,480 --> 00:09:15,120 impact of the risk. So, walkthroughs are 241 00:09:15,120 --> 00:09:17,279 very important because that's where you 242 00:09:17,279 --> 00:09:19,080 really get a good understanding of that 243 00:09:19,080 --> 00:09:21,899 environment, and a key part of that is 244 00:09:21,899 --> 00:09:25,560 that you have to include key players and 245 00:09:25,560 --> 00:09:27,899 the control owners from I.T. So, you're 246 00:09:27,899 --> 00:09:29,700 not just going to have a random set of 247 00:09:29,700 --> 00:09:31,200 people in your work just giving you 248 00:09:31,200 --> 00:09:33,180 information about the environment. You 249 00:09:33,180 --> 00:09:34,920 have to understand that you have to 250 00:09:34,920 --> 00:09:37,860 invite the right players. So for your 251 00:09:37,860 --> 00:09:39,600 IT audit walkthrough, you probably have 252 00:09:39,600 --> 00:09:41,700 their management levels there, right, the 253 00:09:41,700 --> 00:09:43,560 people that are responsible for those 254 00:09:43,560 --> 00:09:45,899 controls. So the control owners, you want 255 00:09:45,899 --> 00:09:47,820 to make sure that they are in the room 256 00:09:47,820 --> 00:09:50,160 with you or on Zoom if it's virtual, 257 00:09:50,160 --> 00:09:52,620 right, explaining their I.T 258 00:09:52,620 --> 00:09:54,959 environment. 
And even if they're not the 259 00:09:54,959 --> 00:09:57,180 key control owner, but they have a part 260 00:09:57,180 --> 00:09:58,620 in the process. 261 00:09:58,620 --> 00:10:00,660 And, they're a key player or key 262 00:10:00,660 --> 00:10:02,880 stakeholder then you want to make sure 263 00:10:02,880 --> 00:10:04,680 that they're also in the room with you 264 00:10:04,680 --> 00:10:08,220 because if not, then again, you run the 265 00:10:08,220 --> 00:10:11,700 risk of not having that information on 266 00:10:11,700 --> 00:10:13,680 the control environment. So it's 267 00:10:13,680 --> 00:10:15,480 important to have the key players and 268 00:10:15,480 --> 00:10:18,060 especially the control owners in the 269 00:10:18,060 --> 00:10:19,860 meeting where you're having that walk 270 00:10:19,860 --> 00:10:23,040 through and one of the things that 271 00:10:23,040 --> 00:10:24,660 you would test there or that you could 272 00:10:24,660 --> 00:10:27,060 test, there is a test of design again if 273 00:10:27,060 --> 00:10:28,800 you don't know what test of design is, 274 00:10:28,800 --> 00:10:31,140 you can watch my prior video, and I'll 275 00:10:31,140 --> 00:10:32,820 probably link it when I post this on 276 00:10:32,820 --> 00:10:34,800 YouTube, so you can see that video where 277 00:10:34,800 --> 00:10:36,839 I talk about test of design in terms of 278 00:10:36,839 --> 00:10:39,600 operating effectiveness. So depending on 279 00:10:39,600 --> 00:10:41,580 the control that you're testing or the 280 00:10:41,580 --> 00:10:43,080 controls that you're reviewing during 281 00:10:43,080 --> 00:10:45,420 your walkthroughs, you may be able to 282 00:10:45,420 --> 00:10:48,120 perform some tests of design there. Okay. 
283 00:10:48,120 --> 00:10:51,360 So again, just to summarize this, why 284 00:10:51,360 --> 00:10:53,399 do we conduct I.T audit walkthroughs, 285 00:10:53,399 --> 00:10:55,800 it's to understand or better understand 286 00:10:55,800 --> 00:10:57,720 the control environment. The I.T control 287 00:10:57,720 --> 00:10:59,940 environment that you'll be testing, you 288 00:10:59,940 --> 00:11:01,500 should include the key players, 289 00:11:01,500 --> 00:11:04,200 stakeholders and control owners from I.T. 290 00:11:04,200 --> 00:11:06,839 And during this, you may be able to test 291 00:11:06,839 --> 00:11:11,040 the design of controls as well. Okay, one 292 00:11:11,040 --> 00:11:13,140 thing I do want to say here before we 293 00:11:13,140 --> 00:11:16,140 move on to the next area is that 294 00:11:16,140 --> 00:11:18,300 your walkthrough questions should be 295 00:11:18,300 --> 00:11:20,760 worded properly, right. So that you can 296 00:11:20,760 --> 00:11:22,980 get useful responses from those that 297 00:11:22,980 --> 00:11:25,260 you're interviewing. So let me pause here 298 00:11:25,260 --> 00:11:27,899 for a second. Have you guys ever asked a 299 00:11:27,899 --> 00:11:29,820 question and then you got the wrong 300 00:11:29,820 --> 00:11:32,220 answer back? Let me see you guys in the 301 00:11:32,220 --> 00:11:33,779 chat just to make sure, you guys are 302 00:11:33,779 --> 00:11:35,339 still here with me. Have you ever asked 303 00:11:35,339 --> 00:11:37,620 the question and the kind of answers 304 00:11:37,620 --> 00:11:39,000 you're getting, you're like, "Okay, maybe I 305 00:11:39,000 --> 00:11:40,920 asked the wrong question." 306 00:11:40,920 --> 00:11:43,440 Yeah? Okay, so that's the same thing for 307 00:11:43,440 --> 00:11:45,959 walkthroughs. So it takes some skill, 308 00:11:45,959 --> 00:11:47,760 right? 
You need to know what questions 309 00:11:47,760 --> 00:11:50,339 that you should ask in order to be able 310 00:11:50,339 --> 00:11:52,140 to get the right risk. I don't want to 311 00:11:52,140 --> 00:11:53,579 use the word, right because it's not 312 00:11:53,579 --> 00:11:55,980 really right and wrong, but in order to 313 00:11:55,980 --> 00:11:57,000 get 314 00:11:57,000 --> 00:11:59,579 good responses, right. Useful responses 315 00:11:59,579 --> 00:12:01,680 where when you're actually testing 316 00:12:01,680 --> 00:12:03,839 it makes sense, not the kind of responses 317 00:12:03,839 --> 00:12:05,399 that when you start testing, it's like 318 00:12:05,399 --> 00:12:06,839 okay what they said doesn't make sense 319 00:12:06,839 --> 00:12:09,240 based on what I'm looking at right. So, 320 00:12:09,240 --> 00:12:11,519 that's a skill you'll need to gain as 321 00:12:11,519 --> 00:12:13,560 you go through your walkthroughs because 322 00:12:13,560 --> 00:12:17,579 if you don't, right, then you run the 323 00:12:17,579 --> 00:12:20,820 risk of not getting the responses that 324 00:12:20,820 --> 00:12:23,579 will be useful to you in performing your 325 00:12:23,579 --> 00:12:26,279 audits. So, here is the bonus part. 326 00:12:26,279 --> 00:12:28,920 I'm going to now give you a couple of 327 00:12:28,920 --> 00:12:31,260 examples so that, you know. Again, I like 328 00:12:31,260 --> 00:12:32,820 practical teaching, so that this can be 329 00:12:32,820 --> 00:12:36,360 real to you, okay. So let's look at some 330 00:12:36,360 --> 00:12:38,220 sample questions, and there are 331 00:12:38,220 --> 00:12:40,440 different parts of IT audits I'm going 332 00:12:40,440 --> 00:12:42,300 to look at couple of questions, and 333 00:12:42,300 --> 00:12:43,680 logical security. 
334 00:12:43,680 --> 00:12:46,260 So logical security, this is around 335 00:12:46,260 --> 00:12:48,600 access to systems we're not going to go 336 00:12:48,600 --> 00:12:50,880 deep into logical security itself, but 337 00:12:50,880 --> 00:12:52,620 let's talk about what are some questions 338 00:12:52,620 --> 00:12:56,100 right. So, you want you're going to have 339 00:12:56,100 --> 00:12:58,260 different levels to your questions. So, 340 00:12:58,260 --> 00:13:00,899 for example, you start off with describe 341 00:13:00,899 --> 00:13:02,760 the user access provisioning process. 342 00:13:02,760 --> 00:13:05,220 This is open-ended. You want to give them 343 00:13:05,220 --> 00:13:06,720 the opportunity to describe the whole 344 00:13:06,720 --> 00:13:08,820 process for you, and then you can go 345 00:13:08,820 --> 00:13:11,700 deeper, right. So who has authority to 346 00:13:11,700 --> 00:13:13,620 approve users, and their privileged 347 00:13:13,620 --> 00:13:15,600 levels. So you again, you're starting 348 00:13:15,600 --> 00:13:18,300 higher getting a broader understanding 349 00:13:18,300 --> 00:13:21,720 of the environment, and their process and 350 00:13:21,720 --> 00:13:24,120 then you can ask deeper questions based 351 00:13:24,120 --> 00:13:26,220 on the controls that you're testing. So, 352 00:13:26,220 --> 00:13:28,019 these are just a few examples for you to 353 00:13:28,019 --> 00:13:30,600 see what you might ask during a 354 00:13:30,600 --> 00:13:32,639 walkthrough, and then 355 00:13:32,639 --> 00:13:33,720 again, let me look at change 356 00:13:33,720 --> 00:13:36,079 management. 357 00:13:36,300 --> 00:13:38,399 So change management again, is another 358 00:13:38,399 --> 00:13:40,380 area that we test for in IT. During IT 359 00:13:40,380 --> 00:13:42,720 audits, and here you might also start 360 00:13:42,720 --> 00:13:44,100 with describe the change management 361 00:13:44,100 --> 00:13:46,680 process, right again. 
Starting high level 362 00:13:46,680 --> 00:13:48,540 giving them the opportunity to describe 363 00:13:48,540 --> 00:13:50,940 the process to you end to end, and then 364 00:13:50,940 --> 00:13:52,980 you ask who's required to approve 365 00:13:52,980 --> 00:13:55,200 changes. For example, so that's a little 366 00:13:55,200 --> 00:13:58,740 bit more, you're diving deeper into 367 00:13:58,740 --> 00:14:01,200 maybe one of the controls to get a 368 00:14:01,200 --> 00:14:03,480 better understanding of that particular 369 00:14:03,480 --> 00:14:06,480 control area, okay. So, 370 00:14:06,480 --> 00:14:07,920 hopefully, that was helpful for you 371 00:14:07,920 --> 00:14:09,360 guys. Do you guys feel like you have a 372 00:14:09,360 --> 00:14:10,500 better understanding of what 373 00:14:10,500 --> 00:14:13,800 walkthroughs are now? Yep, okay, good, good, 374 00:14:13,800 --> 00:14:16,500 I see. Yes, thank you Diamond, Lake Paul, 375 00:14:16,500 --> 00:14:19,139 thank you Ashley. So, that's really what I 376 00:14:19,139 --> 00:14:21,540 wanted to cover here today. Again, this is 377 00:14:21,540 --> 00:14:23,160 intended to be a short training session, 378 00:14:23,160 --> 00:14:25,920 just bite sized. So, that you understand 379 00:14:25,920 --> 00:14:28,920 some unique areas in the audit space 380 00:14:28,920 --> 00:14:32,100 that would help you, all right. So, 381 00:14:32,100 --> 00:14:33,720 rainbow said basically to understand 382 00:14:33,720 --> 00:14:36,420 the yeah. So, to understand the IT control 383 00:14:36,420 --> 00:14:39,480 environment, and that would help you when 384 00:14:39,480 --> 00:14:41,399 you're putting together your 385 00:14:41,399 --> 00:14:44,459 procedures of performing your test for 386 00:14:44,459 --> 00:14:48,240 your IT audit. All right, so now let's do 387 00:14:48,240 --> 00:14:50,399 a summary. I promise you. There'll be some 388 00:14:50,399 --> 00:14:53,459 time for Q/A at the end. 
Let me see if 389 00:14:53,459 --> 00:14:55,620 you guys have any questions if you have 390 00:14:55,620 --> 00:14:57,600 questions you can put them in the Q/A 391 00:14:57,600 --> 00:14:59,940 section, and I'll take a few minutes to 392 00:14:59,940 --> 00:15:02,160 answer them here. But let me do a quick 393 00:15:02,160 --> 00:15:04,199 summary for you guys because I know some 394 00:15:04,199 --> 00:15:05,279 of you 395 00:15:05,279 --> 00:15:07,980 joined after we already started. 396 00:15:07,980 --> 00:15:09,600 Just to summarize what we talked 397 00:15:09,600 --> 00:15:12,180 about here today, we started off by just 398 00:15:12,180 --> 00:15:13,860 going through an introduction to IT 399 00:15:13,860 --> 00:15:16,800 audits, right. Again, if you want more 400 00:15:16,800 --> 00:15:18,240 information there, you can watch that 401 00:15:18,240 --> 00:15:20,459 video, I have on the channel, and then we 402 00:15:20,459 --> 00:15:22,740 talked about the IT audit phases, right? 403 00:15:22,740 --> 00:15:24,720 What are the phases? So, let me pause 404 00:15:24,720 --> 00:15:27,180 before I answer the question in the chat. 405 00:15:27,180 --> 00:15:29,160 Can you tell me what are the phases that 406 00:15:29,160 --> 00:15:32,000 we talked about today? 407 00:15:33,680 --> 00:15:37,339 Awesome thanks, Bob. 408 00:15:38,040 --> 00:15:41,180 Second phase. 409 00:15:43,459 --> 00:15:48,019 Thank you, and then one more 410 00:15:48,720 --> 00:15:52,139 reporting, and follow awesome, awesome. On 411 00:15:52,139 --> 00:15:53,880 what phase do we have the IT 412 00:15:53,880 --> 00:15:56,540 walkthroughs? 413 00:16:01,980 --> 00:16:03,779 Walkthrough is field work, so the field 414 00:16:03,779 --> 00:16:06,240 work is, the IT audit walkthrough 415 00:16:06,240 --> 00:16:08,880 happens in the field work stage, and this 416 00:16:08,880 --> 00:16:10,680 is where again you're getting a better 417 00:16:10,680 --> 00:16:12,779 understanding of the environment. 
You're 418 00:16:12,779 --> 00:16:14,880 talking to the control owners and you're 419 00:16:14,880 --> 00:16:17,220 talking to the, all the key 420 00:16:17,220 --> 00:16:19,680 stakeholders in the I.T space. And then 421 00:16:19,680 --> 00:16:21,420 we just walk through a few examples so 422 00:16:21,420 --> 00:16:23,220 that you can see how, 423 00:16:23,220 --> 00:16:25,860 how walkthroughs are conducted, okay. 424 00:16:25,860 --> 00:16:28,560 So I'm going to pause now, let's see if 425 00:16:28,560 --> 00:16:31,139 you guys have any questions. I did tell 426 00:16:31,139 --> 00:16:33,060 you, it's going to be about 30 minutes. So 427 00:16:33,060 --> 00:16:34,620 I want to make sure that we don't go 428 00:16:34,620 --> 00:16:36,959 over time. What questions do you guys 429 00:16:36,959 --> 00:16:38,940 have? 430 00:16:38,940 --> 00:16:40,920 You guys have any questions, or was this 431 00:16:40,920 --> 00:16:43,940 straightforward for you guys. 432 00:16:48,120 --> 00:16:50,040 Okay, so great question Nick. And Nick is 433 00:16:50,040 --> 00:16:51,360 asking can walkthroughs be done 434 00:16:51,360 --> 00:16:52,920 virtually, or does he have to be in 435 00:16:52,920 --> 00:16:53,699 person? 436 00:16:53,699 --> 00:16:55,860 It can be done virtually, so if you 437 00:16:55,860 --> 00:16:57,839 think about the pandemic, right? Where 438 00:16:57,839 --> 00:17:00,120 everyone no one went out, right? If we 439 00:17:00,120 --> 00:17:01,320 weren't going to the office, we're all 440 00:17:01,320 --> 00:17:03,360 working remotely a lot of those 441 00:17:03,360 --> 00:17:05,459 walkthroughs were performed remotely 442 00:17:05,459 --> 00:17:07,859 because you can have interviews. Now, the 443 00:17:07,859 --> 00:17:09,839 difference would be physical security 444 00:17:09,839 --> 00:17:11,520 walkthroughs where you have to physically 445 00:17:11,520 --> 00:17:13,740 walk through a data center. 
For example, 446 00:17:13,740 --> 00:17:15,540 then you'll have to physically go there 447 00:17:15,540 --> 00:17:17,339 but other than that for the most part 448 00:17:17,339 --> 00:17:19,740 you can have them virtually. It can be in 449 00:17:19,740 --> 00:17:22,919 a meeting on Zoom or whatever meeting 450 00:17:22,919 --> 00:17:26,839 software your organization uses. 451 00:17:30,179 --> 00:17:31,799 Someone is asking which video should 452 00:17:31,799 --> 00:17:33,120 you focus on? 453 00:17:33,120 --> 00:17:34,980 Um, I'll say that depends on your 454 00:17:34,980 --> 00:17:36,900 interest, right. Because I have a lot of 455 00:17:36,900 --> 00:17:40,320 videos on different areas so you can 456 00:17:40,320 --> 00:17:42,539 select the one that you want. I'm trying 457 00:17:42,539 --> 00:17:45,000 to do a better job posting. I'm pretty 458 00:17:45,000 --> 00:17:47,220 busy. I have a full-time job, so training 459 00:17:47,220 --> 00:17:49,020 is not the only thing I do. 460 00:17:49,020 --> 00:17:50,820 So, I'm trying to do a better job 461 00:17:50,820 --> 00:17:52,500 posting, but I'll say watch the video 462 00:17:52,500 --> 00:17:55,500 that makes sense to you, all right. So, 463 00:17:55,500 --> 00:17:58,620 um oh, what she was asking walkthroughs 464 00:17:58,620 --> 00:18:00,299 seem to be like something to be done to 465 00:18:00,299 --> 00:18:02,700 enhance your planning. How come it's in 466 00:18:02,700 --> 00:18:04,440 the field work phase? 467 00:18:04,440 --> 00:18:06,720 It depends on your definition of 468 00:18:06,720 --> 00:18:08,640 enhancing your planning right because 469 00:18:08,640 --> 00:18:10,860 planning, you're not really doing any 470 00:18:10,860 --> 00:18:12,900 work, right? In planning, you actually 471 00:18:12,900 --> 00:18:15,480 determine what areas you need to test 472 00:18:15,480 --> 00:18:18,059 and that will then determine what areas 473 00:18:18,059 --> 00:18:19,620 you need to do your walk through, right. 
474 00:18:19,620 --> 00:18:21,960 Because you don't necessarily need to 475 00:18:21,960 --> 00:18:24,900 test all the areas of I.T. depending on 476 00:18:24,900 --> 00:18:27,120 the scope of your audit. So, planning is 477 00:18:27,120 --> 00:18:29,520 more scope focused once you identify 478 00:18:29,520 --> 00:18:31,980 your scope, and then you know the areas 479 00:18:31,980 --> 00:18:34,020 you want to test, then it's reasonable 480 00:18:34,020 --> 00:18:36,360 that you would then go do walkthroughs 481 00:18:36,360 --> 00:18:38,039 for that area. You don't need to do 482 00:18:38,039 --> 00:18:39,900 walkthroughs for everything definitely 483 00:18:39,900 --> 00:18:41,640 you don't need to do a walkthrough for 484 00:18:41,640 --> 00:18:44,760 an area you don't need to test, okay. So, 485 00:18:44,760 --> 00:18:48,260 hopefully that addressed the question 486 00:18:48,299 --> 00:18:52,039 the last one. I see here, 487 00:18:54,480 --> 00:18:57,120 so Laker is asking what IT audit 488 00:18:57,120 --> 00:18:59,400 applications are used aside ERP 489 00:18:59,400 --> 00:19:00,660 systems? 490 00:19:00,660 --> 00:19:02,220 I don't know that that question is 491 00:19:02,220 --> 00:19:04,440 really accurate 492 00:19:04,440 --> 00:19:06,059 because you're talking about two 493 00:19:06,059 --> 00:19:07,440 different things so when you say IT 494 00:19:07,440 --> 00:19:10,440 audit applications, ERP systems, those are 495 00:19:10,440 --> 00:19:11,940 two different things. So maybe you want 496 00:19:11,940 --> 00:19:13,500 to reword that question. Let me better 497 00:19:13,500 --> 00:19:15,299 understand. If you're talking about 498 00:19:15,299 --> 00:19:17,700 applications that the audit team uses 499 00:19:17,700 --> 00:19:20,280 for their audit, and GRC you have 500 00:19:20,280 --> 00:19:23,039 ServiceNow, orchard, all of that and then 501 00:19:23,039 --> 00:19:25,380 the ERP systems are not audit systems.
502 00:19:25,380 --> 00:19:27,900 ERP systems are systems that the 503 00:19:27,900 --> 00:19:29,820 organization is using for their 504 00:19:29,820 --> 00:19:32,520 operational needs, right. So those are two 505 00:19:32,520 --> 00:19:34,440 different things so hopefully that helps, 506 00:19:34,440 --> 00:19:37,140 all right. 507 00:19:37,140 --> 00:19:41,580 Um, NSHE Iggy is asking, "What's the 508 00:19:41,580 --> 00:19:43,320 name of the YouTube channel?" it's your 509 00:19:43,320 --> 00:19:46,200 I.T career, maybe I'll find the link. Hold 510 00:19:46,200 --> 00:19:46,980 on. 511 00:19:46,980 --> 00:19:49,200 I'll put it in the record when I post 512 00:19:49,200 --> 00:19:51,480 the recording, I'll send an email out and 513 00:19:51,480 --> 00:19:54,419 I'll just, I'll give you guys access 514 00:19:54,419 --> 00:19:56,039 to that, because I don't know that I have 515 00:19:56,039 --> 00:19:58,020 it handy. Let's see, 516 00:19:58,020 --> 00:19:58,980 um. 517 00:19:58,980 --> 00:20:00,780 What's the difference between internal 518 00:20:00,780 --> 00:20:03,000 and external audit? So sure, I will refer 519 00:20:03,000 --> 00:20:04,620 you to my YouTube channel for that just 520 00:20:04,620 --> 00:20:06,600 because I have another video that goes 521 00:20:06,600 --> 00:20:08,880 into that in depth. So I think that'll 522 00:20:08,880 --> 00:20:14,000 probably be more beneficial to you, okay? 523 00:20:14,220 --> 00:20:15,960 Sarah is asking, "You missed the 524 00:20:15,960 --> 00:20:17,400 training?" Yes, the recording is going to 525 00:20:17,400 --> 00:20:19,559 be on YouTube, so I was transparent. I was 526 00:20:19,559 --> 00:20:20,940 planning to record this for YouTube 527 00:20:20,940 --> 00:20:23,580 anyways, and instead of recording it by 528 00:20:23,580 --> 00:20:25,440 myself, I decided to invite you guys to 529 00:20:25,440 --> 00:20:27,960 listen to me record it live. 
So, let's say 530 00:20:27,960 --> 00:20:29,580 in the next couple of days or so, you 531 00:20:29,580 --> 00:20:31,500 guys should see it on YouTube. The 532 00:20:31,500 --> 00:20:33,179 difference is those that are here live 533 00:20:33,179 --> 00:20:37,020 get to and ask questions, okay. 534 00:20:37,020 --> 00:20:40,679 All right, so let's now go to, let's see 535 00:20:40,679 --> 00:20:42,419 if there are any other questions. I will be 536 00:20:42,419 --> 00:20:45,440 wrapping up in a few minutes. 537 00:20:46,440 --> 00:20:51,200 Lincoln said, "Got it." Okay, good. 538 00:20:54,179 --> 00:20:56,640 So she is asking, "Can virtual audit 539 00:20:56,640 --> 00:20:58,860 be done for a Physical Operation Center?" 540 00:20:58,860 --> 00:21:00,360 Um, it depends on the objective. It 541 00:21:00,360 --> 00:21:02,160 depends on what you're testing, but 542 00:21:02,160 --> 00:21:04,620 typically if the con, it depends on the 543 00:21:04,620 --> 00:21:07,380 controls. So if you don't understand what 544 00:21:07,380 --> 00:21:10,380 controls are again. Let me see if I can 545 00:21:10,380 --> 00:21:13,320 find that channel for you, but it's 546 00:21:13,320 --> 00:21:15,120 the control is what's going to determine 547 00:21:15,120 --> 00:21:16,860 how you perform, right. So you can't just 548 00:21:16,860 --> 00:21:19,260 take an audit, what, what are you actually 549 00:21:19,260 --> 00:21:21,299 testing? Because if the control is a 550 00:21:21,299 --> 00:21:22,980 physical control that someone needs to 551 00:21:22,980 --> 00:21:26,640 see, write, touch or whatever, then you 552 00:21:26,640 --> 00:21:28,679 will need to do that physically. But, if 553 00:21:28,679 --> 00:21:30,720 it doesn't require physical presence 554 00:21:30,720 --> 00:21:32,880 then if that control could be tested 555 00:21:32,880 --> 00:21:35,760 virtually, okay. 556 00:21:35,760 --> 00:21:39,120 All right, let's see if there's any more 557 00:21:39,120 --> 00:21:42,360 question.
If there are any more questions, 558 00:21:42,360 --> 00:21:45,240 hey so, good good good. So thank you guys 559 00:21:45,240 --> 00:21:47,820 for joining me here today now. Did you 560 00:21:47,820 --> 00:21:49,200 guys let 561 00:21:49,200 --> 00:21:52,260 all, some media is asking. Do I have 562 00:21:52,260 --> 00:21:55,080 resume workshops on IT audits? Do you 563 00:21:55,080 --> 00:21:56,640 mean just training on how to do your 564 00:21:56,640 --> 00:21:58,679 your resume is that what you're asking 565 00:21:58,679 --> 00:22:01,740 on some media? Okay, so I don't do 566 00:22:01,740 --> 00:22:04,380 workshops on resume training. However, I 567 00:22:04,380 --> 00:22:06,780 have covered the topic before where I 568 00:22:06,780 --> 00:22:08,940 talked about resume mistakes that you 569 00:22:08,940 --> 00:22:10,980 might make in IT audit. So if and I think 570 00:22:10,980 --> 00:22:12,419 I actually have that on my YouTube 571 00:22:12,419 --> 00:22:14,640 channel as well. So, if you go there, I 572 00:22:14,640 --> 00:22:16,320 think I have one training where I talk 573 00:22:16,320 --> 00:22:18,120 about resume mistakes that you might be 574 00:22:18,120 --> 00:22:19,260 making. 575 00:22:19,260 --> 00:22:21,539 So I don't do workshops and that now 576 00:22:21,539 --> 00:22:24,659 in my full-blown comprehensive training. 577 00:22:24,659 --> 00:22:27,299 I do provide resume training for my 578 00:22:27,299 --> 00:22:29,179 students. I bring in like a live 579 00:22:29,179 --> 00:22:31,559 professional resume writer to come give 580 00:22:31,559 --> 00:22:34,200 training to students in one of my 581 00:22:34,200 --> 00:22:36,480 courses. So that's something I provide. 582 00:22:36,480 --> 00:22:38,820 Because your resume is not just about 583 00:22:38,820 --> 00:22:40,980 finding a template online, and putting it 584 00:22:40,980 --> 00:22:42,840 together right. Your resume should 585 00:22:42,840 --> 00:22:46,140 reflect what, you know, your experience. 
I 586 00:22:46,140 --> 00:22:47,760 think. Okay, I'll answer one more question 587 00:22:47,760 --> 00:22:50,159 because we have just one more minute. 588 00:22:50,159 --> 00:22:52,020 Did we do control testing in the 589 00:22:52,020 --> 00:22:53,580 process of walkthrough only check the 590 00:22:53,580 --> 00:22:54,659 design? 591 00:22:54,659 --> 00:22:56,039 Typically, during your walkthrough, 592 00:22:56,039 --> 00:22:57,539 you're just, that's where you're really 593 00:22:57,539 --> 00:22:59,760 doing your design review depending on 594 00:22:59,760 --> 00:23:01,500 the control. You may not even be able to 595 00:23:01,500 --> 00:23:03,179 really finish that in the walkthrough, 596 00:23:03,179 --> 00:23:05,520 but you would look at that there. However, 597 00:23:05,520 --> 00:23:07,500 additional testing will be needed to 598 00:23:07,500 --> 00:23:10,440 finish your testing procedures. Okay all 599 00:23:10,440 --> 00:23:12,720 right. So, I think we're up on time here 600 00:23:12,720 --> 00:23:14,580 today. Thank you guys for joining me. If 601 00:23:14,580 --> 00:23:16,200 you guys learned something, I promise to 602 00:23:16,200 --> 00:23:18,240 you guys you will learn something. All 603 00:23:18,240 --> 00:23:20,880 right. Great great great. So before we go 604 00:23:20,880 --> 00:23:23,039 let me, just make sure there's a free 605 00:23:23,039 --> 00:23:25,559 six figure career guide. So this guide has 606 00:23:25,559 --> 00:23:27,720 been downloaded so so many times by so 607 00:23:27,720 --> 00:23:29,700 many people. Let me put it in the chat, 608 00:23:29,700 --> 00:23:33,480 and it's also going to be available in 609 00:23:33,480 --> 00:23:35,760 the YouTube link when I'm done. But if 610 00:23:35,760 --> 00:23:37,380 you guys want the guide for those 611 00:23:37,380 --> 00:23:39,780 interested in IT audits, go ahead and 612 00:23:39,780 --> 00:23:41,760 download this guide. 
613 00:23:41,760 --> 00:23:44,520 Um and it just walks through some things 614 00:23:44,520 --> 00:23:46,799 that you need to know, so make sure you 615 00:23:46,799 --> 00:23:48,840 download that guide. It's free. I'm not 616 00:23:48,840 --> 00:23:52,200 charging you for that at all. And um, I'm 617 00:23:52,200 --> 00:23:53,820 not sure how often I'll do this free 618 00:23:53,820 --> 00:23:55,500 training, maybe once a month. I don't know, 619 00:23:55,500 --> 00:23:57,720 but if you're on my email list. So if you 620 00:23:57,720 --> 00:23:59,640 get that guide, for example, you'll be on my 621 00:23:59,640 --> 00:24:01,559 email list. And you'll get invited to 622 00:24:01,559 --> 00:24:03,720 this. I don't publicize these small 623 00:24:03,720 --> 00:24:05,940 meetings anywhere else. It's just going 624 00:24:05,940 --> 00:24:09,000 to be for those on my email list. I think 625 00:24:09,000 --> 00:24:11,700 I scroll too fast, okay. There it is. All 626 00:24:11,700 --> 00:24:13,740 right, so thank you guys. You guys have a 627 00:24:13,740 --> 00:24:17,480 great rest of your day. Bye.