All right. So good morning, guys and thank you for joining me here today. So, today, I just wanted to do a quick training on IT audio walkthroughs, and to be honest, I was planning to record this by myself and then I decided, you know, what, why not just make it a live training and see if others are interested in joining, and you guys are. So, thank you for joining. It's going to be short. This is just going to be 30 minutes, maybe about 15-20 minutes of training. And then, I'll see if you guys have any questions. It's intended for YouTube, for transparency sake. So, it will be recorded to YouTube, but the difference is those that are here live with me, you get to ask questions, and those on YouTube can't ask questions right. So, let's go ahead and get started. If you guys are ready to get started, okay. You let me know. Yep, yep, yep. All right. So awesome awesome. So let's go ahead, and get started here. Thank you for joining me here today for a training on IT audit walkthroughs. So in today's training, I just want to give you guys a quick overview or an introduction to what IT audit walkthroughs are. I know many of you might have been searching the internet trying to find additional information on audits, and you may have seen the word walkthrough, right. And you don't understand what that is. So today, I'm just going to give you an introduction to that. And then, we'll see if you guys have any questions related to the topic. Later on, all right. So, I see more of you joining. Thank you for joining, guys. So, before we get started, very brief introduction to myself. I don't want to take too much time here. But for those, that are just meeting me for the first time. My name is Peju Adedeji. I have over 18 years of experience in the I.T space. A lot of that is around IT audit GRC program management. All in the audit and compliance space really. My passion is teaching. That's one of the things that I've always loved to do. So, I'm also a career coach where I help people that are looking to start their careers in I.T cyber security audit, and compliance. Okay, for me, I like practical training recently joined the Forbes coaches council. Again, I really love teaching so I like to be with other coaches trying to develop myself so that I can help my students as well. This year, we've already had multiple six-figure salaries that have come in our program, and so I I'm really excited about what we're doing. So let's go ahead and get started with the training for today. So here are the topics for today. We're going to go over an introduction to IT audit at a higher level. So if you are not familiar with this you can probably check my YouTube channel. And you see the training, I've done it on this in the past. But I'm going to just introduce that because I know some people that are here today may not right have watched any of my videos before or attended any of my training. And then, we'll talk about the IT audit phases because it's during this discussion that we're then going to talk about walkthroughs, because walkthroughs that's one of the phases or part of one of the phases. And there's going to be a bonus review, where I'm going to walk through some actual examples with you. And maybe I'll give you guys a bonus document. But let's see, okay. And at the end I'll give about 10 minutes or so for questions. So let's go ahead and start with our introduction to IT audit. I'm not going to go in depth into this like I said, I have a training on my YouTube channel that you guys can watch. But, I do want to introduce this in today's training because I want you to understand what audits are before we talk about walkthroughs, right. So, what's an audit at the end of the day, you know, people have different definitions of what it is, but IT audit at the end of the day, if you want to use simple terms, is an examination of the organization systems to determine if controls are operating effectively. So systems usually have controls in there, and for controls. Again, the prior training I mentioned will have that but think of a control as like a password control, right. When you want to log into your computer, you have to put in a password, or maybe your e-mail you have to put in a password that's a control. So, organization systems have controls, as well, and this controls right. In order, part of an I.T audit is testing and examining those systems to determine if those controls are operating effectively because if they are not operating effectively, then the security of that system right is in question. And you might be wondering, "Well, why should I be concerned about the security or of a system or whether the controls are operating effectively," and the reason is one you want to mitigate risks, right. You don't want people having inappropriate access to your systems, so when I say, "You, I'm in the organization," an organization doesn't want people having inappropriate access to the systems. So, it's important to have controls in place to ensure that that security is there. And as the I.T auditor, right, part of your audit objective or your control objective for your test is determining if security controls are in place. So you are examining those systems to see if those controls are effective in mitigating risks, like I said for example security risks or just even medium compliance and regulatory requirements, right. So in the US, we have servings, okay. Other countries have similar laws and standards as well. We have PCI, SOX, SSA 18, right. So, all those standards depending on what your organization needs to comply with then the audit is going to take place to examine and determine if those controls are meeting those requirements, okay. So that's a summary of what we have of what IT audits are. So, there are three key phases of IT audience, all right. So we have the audio planning phase we have our field workplace, and this is where you have the walkthrough, so that's where the walkthroughs are performed, and you also have the reporting and the follow-up phase. So I'm going to again summarize this. So that I set the stage for what we really want to talk about today, so in your audit planning phase right. This is where you're understanding the organization trying to define the scope, and the objective and also trying to identify what tests you perform so you're essentially just planning for the audit in that phase. Now, the field work phase is, kind of, I'll say, that's where the medium potatoes are right. I guess when you do the real field work for the audit you do your testing and all of that. But, before you actually start testing, you have to perform your walkthroughs, and I'm going to come back to the World Series after I finish the third stage or the third phase. The third phase is where you do the reporting, so you finish planning, you've done the actual testing, and you have results then in the third phase, you're doing your reporting, and your follow-up. So, this is where you type up the report to management on the results. And if there were any issues identified, you can go back, and retest to confirm whether or not, they've been addressed. So those are the three phases of an audit. Now, I want to dial in on that walk through piece because there are many moving parts, right. So as you can imagine an audit is like a pretty big project, right. So, there are many moving pieces and today, I'm now going to focus on the IT audio walkthrough piece right again. The IT or the walkthrough is part of the field work phase. So now, let's talk about what are IT? What other walkthroughs or what, I'm not sure if you know, maybe if you've you rented an apartment, or you bought a house before they give you the keys, right. You, kind of, they will take you to what they call a walkthrough. Typically, right, you just go in kind of just look at how things are before they give you the keys and say, "Okay, we agree that this is the state that you're giving us the house or the apartment in or whatnot." So if you think about that it's not exactly the same, but a walkthrough from the IT audit perspective is you getting a better understanding of the I.T control environment of the company. So what you do at the beginning of the audit, because you're an auditor right, you're not I.T. You're not, if you're an external auditor, you're not working in the company right. So you can't assume that you know everything about that company. You can't assume that you know their control environment. So the reason for that walkthrough is for the auditors to get a better understanding, right, of the control environment that they're going to be auditing. So, it's absolutely critical because if you don't conduct your walkthrough effectively, you might have gaps in your understanding of the control environment, and that's going to ultimately impact right the quality of the control procedures that you choose to perform and your understanding of the impact of the risk. So, walkthroughs are very important because that's where you really get a good understanding of that environment, and a key part of that is that you have to include key players and the control owners from I.T. So, you're not just going to have a random set of people in your work just giving you information about the environment. You have to understand that you have to invite the right players. So if for your IT audit walkthrough, you probably have their management levels there right the people that are responsible for those controls. So the control owners you want to make sure that they are in the room with you or on Zoom if it's virtual, right, explaining their an I.T environment. And even if they're not the key control owner, but they have a part in the process. And, they're a key player or key stakeholder then you want to make sure that they're also in the room with you because if not, then again, you run the risk of not having that information on the control environment. So it's important to have the key players and especially the control owners in the meeting where you're having that walk through and one of the things that you would test there or that you could test, there is a test of design again if you don't know what test of design is, you can watch my prior video, and I'll probably link it when I post this on YouTube, so you can see that video where I talk about test of design in terms of operating effectiveness. So depending on the control that you're testing or the controls that you're reviewing during your walkthroughs, you may be able to perform some tests of design there. Okay. So again, just to summarize this why didn't we conduct I.T audit walkthroughs, it's to understand or better understand the control environment. The I.T control environment that you'll be testing, you should include the key players stakeholders and control owners from it. And during this, you may be able to test the design of controls as, well, okay, one thing I do want to stay here before we move on to the next area is that you'll go through questions should be worded properly, right. So that you can get useful responses from those that you're interviewing. So let me pause here for a second. Have you guys ever asked a question and then you got the wrong answer back? Let me see you guys in the chat just to make sure, you guys are still here with me. Have you ever asked the question and the kind of answers you're getting, you're like, "Okay, maybe I asked the wrong question." Yeah? Okay, so that's the same thing for walkthroughs. So it takes some skill, right? You need to know what questions that you should ask in order to be able to get the right risk. I don't want to use the word, right because it's not really right and wrong, but in order to get good responses, right. Useful responses where you when you're actually testing it makes sense not the kind of response is that when you start testing, it's like okay what they said doesn't make sense based on what I'm looking at right. So, that's a skill you'll need to gain as you go through your walkthroughs because if you don't write, then you run the risk of not getting the responses that will be useful to you in performing your audience. So, here is the bonus part. I'm going to now give you a couple of examples so that, you know. Again, I like practical teaching, so that this can be real to you, okay. So let's look at some sample questions, and there are different parts of IT audits I'm going to look at couple of questions, and logical security. So logical security, this is around access to systems we're not going to go deep into logical security itself, but let's talk about what are some questions right. So, you want you're going to have different levels to your questions. So, for example, you start off with describe the user access provisioning process. This is open-ended. You want to give them the opportunity to describe the whole process for you, and then you can go deeper, right. So who has authority to approve users, and their privileged levels. So you again, you're starting higher getting a broader understanding of the environment, and their process and then you can ask deeper questions based on the controls that you're testing. So, these are just a few examples for you to see what you might ask during a walkthrough, and then again, let me look at change management. So change management again, is another area that we test for in IT. During IT audits, and here you might also start with describe the change management process, right again. Study high level giving them the opportunity to describe the process to you end to end, and then you ask who's required to approve changes. For example, so that's a little bit more, you're diving deeper into maybe one of the controls to get a better understanding of that particular control area, okay. So, hopefully, that was helpful for you guys. Do you guys feel like you have a better understanding of what walkthroughs are now? Yep, okay, good, good, I see. Yes, thank you Diamond, Lake Paul, thank you Ashley. So, that's really what I wanted to cover here today. Again, this is intended to be a short training session, just bite sized. So, that you understand some unique areas in the audit space that would help you, all right. So, rainbow said basically to understand the yeah. So, to understand the IT control environment, and that would help you when you're putting together your procedures of performing your test for your IT audit. All right, so now let's do a summary. I promise you. There'll be some time for Q/A at the end. Let me see if you guys have any questions if you have questions you can put them in the Q/A section, and I'll take a few minutes to answer them here. But let me do a quick summary for you guys because I know some of you joined after we already started. Just to summarize what we talked about here today, we started off by just going through an introduction to IT audits, right. Again, if you want more information there, you can watch that video, I have on the channel, and then we talked about the IT audit faces, right? What are the phases? So, let me pause before I answer the question in the chat. Can you tell me what are the phases that we talked about today? Awesome thanks, Bob. Second phase. Thank you, and then one more reporting, and follow awesome, awesome. On what phase do we have the IT walkthroughs? Walk through his field work, so the field work isn't the ID audio walkthrough happens in the field work stage, and this is where again you're getting a better understanding of the environment? You're talking to the control owners and you're talking to the, all the key stakeholders in the I.T space. And then we just walk through a few examples so that you can see how, how walkthroughs are conducted, okay. So I'm going to pause now, let's see if you guys have any questions. I did tell you, it's going to be about 30 minutes. So I want to make sure that we don't go over time. What questions do you guys have? You guys have any questions, or was this straightforward for you guys. Okay, so great question Nick. And Nick is asking can walkthroughs be done virtually, or does he have to be in person? It can be done virtually, so if you think about the pandemic, right? Where everyone no one went out, right? If we weren't going to the office, we're all working remotely a lot of those walkthroughs were performed remotely because you can have interviews. Now, the difference would be physical security walkthroughs where you have to physically walk through a data center. For example, then you'll have to physically go there but other than that for the most part you can have them virtually. It can be in a meeting on Zoom or whatever meeting software your organization uses. Someone is asking which video should you focus on? Um, I'll say that depends on your interest, right. Because I have a lot of videos on different areas so you can select the one that you want. I'm trying to do a better job posting. I'm pretty busy. I have a full-time job, so training is not the only thing I do. So, I'm trying to do a better job posting, but I'll say watch the video that makes sense to you, all right. So, um oh, what she was asking walkthroughs seem to be like something to be done to enhance your planning. How come it's in the field work phase? It depends on your definition of enhancing your planning right because planning, you're not really doing any work, right? In planning, you actually determine what areas you need to test and that will then determine what areas you need to do your walk through, right. Because you don't necessarily need to test all the areas of I.T. depending on the scope of your audit. So, planning is more scope focused once you identify your scope, and then you know the areas you want to test, then it's reasonable that you would then go do walkthroughs for that area. You don't need to do walkthroughs for everything definitely you don't need to do a walkthrough for an area you don't need to test, okay. So, hopefully that addressed the question the last one. I see here, so Laker is asking what IT audit applications are used as a side ERP systems? I don't know that. That question is really accurate because you're talking about two different things so when you say it audit applications, ERP systems, those are two different things. So maybe you want to reword that question. Let me better understand. If you're talking about applications that the audit team uses for their audit, and GRC you have servicenow, orchard, all of that and then the ERP systems are not audit systems. ERP systems are systems that the organization is using for their operational needs, right. So those are two different things so hopefully that helps, all right. Um, NSHE Iggy is asking, "What's the name of the YouTube channel?" it's your I.T career, maybe I'll find the link. Hold on. I'll put it in the record when I post the recording, I'll send an email out and I'll just, I'll give you guys access to that, because I don't know that I have it handy. Let's see, um. What's the difference between internal and external audit? So sure, I will refer you to my YouTube channel for that just because I have another video that goes into that in depth. So I think that'll probably be more beneficial to you, okay? Sarah is asking, "You missed the training?" Yes, the recording is going to be on YouTube, so I was transparent. I was planning to record this for YouTube anyways, and instead of recording it by myself, I decided to invite you guys to listen to me record it live. So, let's say in the next couple of days, or so you guys should see it on YouTube. The difference is those that are here live get to and ask questions, Okay. All right, so let's now go to, let's see if there any other questions. I will be wrapping up in a few minutes. Lincoln said, "Got it." Okay, good. So she is asking, "Can virtual audit be done for a Physical Operation Center?" Um, it depends on the objective. It depends on what you're testing, but typically if the con, it depends on the controls. So if you don't understand what controls are again. Let me see if I can find that channel for you, but it's the control is what's going to determine how you perform, right. So you can't just take an audit, what, what are you actually testing? Because if the control is a physical control that someone needs to see, write, touch or whatever ,then you will need to do that physically. But, if it doesn't require physical presence then if that control could be tested virtually Okay. All right, let's see if there's any more question. If there are any more questions, hey so, good good good. So thank you guys for joining me here today now. Did you guys let all, some media is asking. Do I have resume workshops on IT audits? Do you mean just training on how to do your your resume is that what you're asking on some media? Okay, so I don't do workshops on resume training. However, I have covered the topic before where I talked about resume mistakes that you might make in IT audit. So if and I think I actually have that on my YouTube channel as well. So, if you go there, I think I have one training where I talk about resume mistakes that you might be making. So I don't do workshops and that now in my full-blown comprehensive training. I do provide resume training for my students. I bring in like a live professional resume writer to come give training to students in one of my courses. So that's something I provide. Because your resume is not just about finding a template online, and putting it together right. Your resume should reflect what, you know, your experience. I think. Okay, I'll answer one more question because we have just one more minute. Did we do control testing in the process of walkthrough only check the design? Typically, during your walkthrough, you're just, that's where you're really doing your design review depending on the control. You may not even be able to really finish that in the walkthrough, but you would look at that there. However, additional testing will be needed to finish your testing procedures. Okay all right. So, I think we're up on time here today. Thank you guys for joining me. If you guys learned something, I promise to you guys you will learn something. All right. Great great great. So before we go let me, just make sure there's a free six figure career guide. So this guide has been downloaded so so many times by so many people. Let me put it in the chat, and it's also going to be available in the YouTube link when I'm done. But if you guys want the guide for those interested in IT audits, go ahead and download this guide. Um and it just walks through some things that you need to know, so make sure you download that guide. it's free. I'm not charging you for that at all. And um, I'm not sure how often I'll do this free training, maybe once a month. I don't know, but if you're on my email list. So if you get that guy, for example, you'll be on my email list. And you'll get invited to this. I don't publicize this small meetings anywhere else. It's just going to be for those on my email list. I think I scroll too fast, okay. There it is. All right, so thank you guys. You guys have a great rest of your day. Bye.