WEBVTT 00:00:03.179 --> 00:00:05.580 All right. So good morning, guys and thank 00:00:05.580 --> 00:00:08.340 you for joining me here today. So, today, I 00:00:08.340 --> 00:00:10.320 just wanted to do a quick training on IT 00:00:10.320 --> 00:00:13.500 audit walkthroughs, and to be honest, I 00:00:13.500 --> 00:00:14.940 was planning to record this by myself 00:00:14.940 --> 00:00:17.039 and then I decided, you know what, why not 00:00:17.039 --> 00:00:19.260 just make it a live training and see if 00:00:19.260 --> 00:00:21.960 others are interested in joining, and you 00:00:21.960 --> 00:00:24.420 guys are. So, thank you for joining. 00:00:24.420 --> 00:00:25.980 It's going to be short. This is just 00:00:25.980 --> 00:00:28.859 going to be 30 minutes, maybe about 15-20 00:00:28.859 --> 00:00:30.539 minutes of training. And then, I'll see if 00:00:30.539 --> 00:00:32.279 you guys have any questions. 00:00:32.279 --> 00:00:34.020 It's intended for YouTube, for 00:00:34.020 --> 00:00:36.420 transparency's sake. So, it will be recorded 00:00:36.420 --> 00:00:38.760 to YouTube, but the difference is those 00:00:38.760 --> 00:00:41.160 that are here live with me, you get to 00:00:41.160 --> 00:00:42.960 ask questions, and those on YouTube can't 00:00:42.960 --> 00:00:45.360 ask questions, right. So, let's go ahead 00:00:45.360 --> 00:00:47.460 and get started. If you guys are ready to 00:00:47.460 --> 00:00:49.500 get started, okay. You let me know. Yep, yep, 00:00:49.500 --> 00:00:50.399 yep. 00:00:50.399 --> 00:00:53.940 All right. So awesome, awesome. So let's go 00:00:53.940 --> 00:00:56.460 ahead, and get started here. Thank you for 00:00:56.460 --> 00:00:59.219 joining me here today for a training on 00:00:59.219 --> 00:01:01.980 IT audit walkthroughs. So in today's 00:01:01.980 --> 00:01:04.979 training, I just want to give you guys 00:01:04.979 --> 00:01:07.500 a quick overview or an introduction 00:01:07.500 --> 00:01:10.619 to what IT audit walkthroughs are. 
I know 00:01:10.619 --> 00:01:13.140 many of you might have been searching 00:01:13.140 --> 00:01:14.939 the internet trying to find additional 00:01:14.939 --> 00:01:17.340 information on audits, and you may have 00:01:17.340 --> 00:01:19.680 seen the word walkthrough, right. And you 00:01:19.680 --> 00:01:21.600 don't understand what that is. So today, 00:01:21.600 --> 00:01:22.740 I'm just going to give you an 00:01:22.740 --> 00:01:24.960 introduction to that. And then, we'll see 00:01:24.960 --> 00:01:26.759 if you guys have any questions related 00:01:26.759 --> 00:01:28.200 to the topic. 00:01:28.200 --> 00:01:30.600 Later on, all right. So, I see more of 00:01:30.600 --> 00:01:32.220 you joining. Thank you for joining, guys. 00:01:32.220 --> 00:01:35.520 So, before we get started, very brief 00:01:35.520 --> 00:01:37.380 introduction to myself. I don't want to 00:01:37.380 --> 00:01:39.119 take too much time here. 00:01:39.119 --> 00:01:40.380 But for those, that are just meeting 00:01:40.380 --> 00:01:42.979 me for the first time. My name is Peju Adedeji. 00:01:42.979 --> 00:01:45.780 I have over 18 years of experience in 00:01:45.780 --> 00:01:48.479 the I.T space. A lot of that is around IT 00:01:48.479 --> 00:01:52.979 audit GRC program management. All in the 00:01:52.979 --> 00:01:55.979 audit and compliance space really. My 00:01:55.979 --> 00:01:57.659 passion is teaching. That's one of the 00:01:57.659 --> 00:01:59.759 things that I've always loved to do. So, 00:01:59.759 --> 00:02:02.040 I'm also a career coach where I help 00:02:02.040 --> 00:02:04.200 people that are looking to start their 00:02:04.200 --> 00:02:06.899 careers in I.T cyber security audit, and 00:02:06.899 --> 00:02:08.098 compliance. 00:02:08.098 --> 00:02:12.120 Okay, for me, I like practical training 00:02:12.120 --> 00:02:13.980 recently joined the Forbes coaches 00:02:13.980 --> 00:02:15.840 council. 
Again, I really love teaching so 00:02:15.840 --> 00:02:18.660 I like to be with other coaches trying 00:02:18.660 --> 00:02:21.180 to develop myself so that I can help my 00:02:21.180 --> 00:02:23.040 students as well. 00:02:23.040 --> 00:02:24.599 This year, we've already had multiple 00:02:24.599 --> 00:02:26.340 six-figure salaries that have come in 00:02:26.340 --> 00:02:29.280 our program, and so I I'm really excited 00:02:29.280 --> 00:02:31.500 about what we're doing. So let's go ahead 00:02:31.500 --> 00:02:34.020 and get started with the training for 00:02:34.020 --> 00:02:35.220 today. 00:02:35.220 --> 00:02:38.040 So here are the topics for today. 00:02:38.040 --> 00:02:39.540 We're going to go over an 00:02:39.540 --> 00:02:41.459 introduction to IT audit at a higher 00:02:41.459 --> 00:02:43.319 level. So if you are not familiar with 00:02:43.319 --> 00:02:45.060 this you can probably check my YouTube 00:02:45.060 --> 00:02:47.220 channel. And you see the training, I've 00:02:47.220 --> 00:02:49.260 done it on this in the past. 00:02:49.260 --> 00:02:51.000 But I'm going to just introduce that 00:02:51.000 --> 00:02:52.860 because I know some people that are here 00:02:52.860 --> 00:02:55.860 today may not right have watched any 00:02:55.860 --> 00:02:58.379 of my videos before or attended any of 00:02:58.379 --> 00:03:00.540 my training. And then, we'll talk about 00:03:00.540 --> 00:03:03.300 the IT audit phases because it's during 00:03:03.300 --> 00:03:05.459 this discussion that we're then going to 00:03:05.459 --> 00:03:06.780 talk about walkthroughs, because 00:03:06.780 --> 00:03:09.660 walkthroughs that's one of the phases or 00:03:09.660 --> 00:03:12.300 part of one of the phases. And there's 00:03:12.300 --> 00:03:13.920 going to be a bonus review, where I'm 00:03:13.920 --> 00:03:15.300 going to walk through some actual 00:03:15.300 --> 00:03:17.819 examples with you. 
And maybe I'll give 00:03:17.819 --> 00:03:19.680 you guys a bonus document. But let's see, 00:03:19.680 --> 00:03:22.440 okay. And at the end I'll give about 10 00:03:22.440 --> 00:03:24.659 minutes or so for questions. 00:03:24.659 --> 00:03:27.659 So let's go ahead and start with our 00:03:27.659 --> 00:03:29.819 introduction to IT audit. 00:03:29.819 --> 00:03:31.620 I'm not going to go in depth into this 00:03:31.620 --> 00:03:33.900 like I said, I have a training on my 00:03:33.900 --> 00:03:35.400 YouTube channel that you guys can watch. 00:03:35.400 --> 00:03:37.920 But, I do want to introduce this in 00:03:37.920 --> 00:03:39.900 today's training because I want you to 00:03:39.900 --> 00:03:42.239 understand what audits are before we 00:03:42.239 --> 00:03:44.940 talk about walkthroughs, right. So, what's 00:03:44.940 --> 00:03:47.700 an audit at the end of the day, you know, 00:03:47.700 --> 00:03:49.500 people have different definitions of 00:03:49.500 --> 00:03:52.140 what it is, but IT audit at the end of 00:03:52.140 --> 00:03:54.120 the day, if you want to use simple terms, 00:03:54.120 --> 00:03:57.120 is an examination of the organization 00:03:57.120 --> 00:04:00.120 systems to determine if controls are 00:04:00.120 --> 00:04:02.879 operating effectively. So systems usually 00:04:02.879 --> 00:04:05.159 have controls in there, and for controls. 00:04:05.159 --> 00:04:06.780 Again, the prior training I mentioned 00:04:06.780 --> 00:04:09.180 will have that but think of a control as 00:04:09.180 --> 00:04:11.519 like a password control, right. When you 00:04:11.519 --> 00:04:13.080 want to log into your computer, you have 00:04:13.080 --> 00:04:14.580 to put in a password, 00:04:14.580 --> 00:04:16.079 or maybe your e-mail you have to put 00:04:16.079 --> 00:04:18.720 in a password that's a control. 
So, 00:04:18.720 --> 00:04:21.478 organization systems have controls, as 00:04:21.478 --> 00:04:22.260 well, 00:04:22.260 --> 00:04:24.840 and these controls, right. 00:04:24.840 --> 00:04:27.060 In order, part of an IT audit is 00:04:27.060 --> 00:04:30.660 testing and examining those systems to 00:04:30.660 --> 00:04:32.400 determine if those controls are 00:04:32.400 --> 00:04:34.500 operating effectively because if they 00:04:34.500 --> 00:04:36.900 are not operating effectively, then the 00:04:36.900 --> 00:04:38.940 security of that system, right, is in 00:04:38.940 --> 00:04:42.000 question. And you might be wondering, "Well, 00:04:42.000 --> 00:04:44.340 why should I be concerned about the 00:04:44.340 --> 00:04:46.800 security of a system or whether the 00:04:46.800 --> 00:04:49.139 controls are operating effectively," and 00:04:49.139 --> 00:04:51.180 the reason is, one, you want to mitigate 00:04:51.180 --> 00:04:53.520 risks, right. You don't want people having 00:04:53.520 --> 00:04:56.400 inappropriate access to your systems, so 00:04:56.400 --> 00:04:58.320 when I say "you," I mean the 00:04:58.320 --> 00:05:00.360 organization. An organization doesn't 00:05:00.360 --> 00:05:02.759 want people having inappropriate access 00:05:02.759 --> 00:05:06.300 to the systems. So, it's important to have 00:05:06.300 --> 00:05:08.759 controls in place to ensure that that 00:05:08.759 --> 00:05:11.580 security is there. And as the IT auditor, 00:05:11.580 --> 00:05:13.560 right, part of your audit objective or 00:05:13.560 --> 00:05:15.900 your control objective for your test is 00:05:15.900 --> 00:05:18.120 determining if security controls are in 00:05:18.120 --> 00:05:20.820 place. 
So you are examining those systems 00:05:20.820 --> 00:05:23.160 to see if those controls are effective 00:05:23.160 --> 00:05:25.259 in mitigating risks, like I said, for 00:05:25.259 --> 00:05:27.600 example, security risks or just even 00:05:27.600 --> 00:05:29.940 meeting compliance and regulatory 00:05:29.940 --> 00:05:32.460 requirements, right. So in the US, we have 00:05:32.460 --> 00:05:34.320 servings, okay. Other countries have 00:05:34.320 --> 00:05:36.600 similar laws and standards as well. We 00:05:36.600 --> 00:05:40.500 have PCI, SOX, SSAE 18, right. So, all those 00:05:40.500 --> 00:05:42.840 standards, depending on what your 00:05:42.840 --> 00:05:46.139 organization needs to comply with, then 00:05:46.139 --> 00:05:48.300 the audit is going to take place to 00:05:48.300 --> 00:05:50.759 examine and determine if those controls 00:05:50.759 --> 00:05:54.060 are meeting those requirements, okay. So 00:05:54.060 --> 00:05:57.900 that's a summary of what we have of 00:05:57.900 --> 00:06:00.000 what IT audits are. 00:06:00.000 --> 00:06:01.800 So, 00:06:01.800 --> 00:06:03.539 there are three key phases of IT 00:06:03.539 --> 00:06:05.940 audits, all right. So we have the audit 00:06:05.940 --> 00:06:08.280 planning phase, we have our field 00:06:08.280 --> 00:06:10.440 work phase, and this is where you have the 00:06:10.440 --> 00:06:11.699 walkthrough, so that's where the 00:06:11.699 --> 00:06:13.860 walkthroughs are performed, and you also 00:06:13.860 --> 00:06:15.660 have the reporting and the follow-up 00:06:15.660 --> 00:06:18.180 phase. So I'm going to again summarize 00:06:18.180 --> 00:06:21.180 this, so that I set the stage for what 00:06:21.180 --> 00:06:23.639 we really want to talk about today. So in 00:06:23.639 --> 00:06:25.440 your audit planning phase, right. 
This is 00:06:25.440 --> 00:06:26.699 where you're understanding the 00:06:26.699 --> 00:06:29.940 organization, trying to define the scope 00:06:29.940 --> 00:06:32.400 and the objective and also trying to 00:06:32.400 --> 00:06:35.340 identify what tests you perform, so 00:06:35.340 --> 00:06:37.620 you're essentially just planning for the 00:06:37.620 --> 00:06:40.620 audit in that phase. Now, the field work 00:06:40.620 --> 00:06:42.240 phase is, kind of, I'll say, that's where 00:06:42.240 --> 00:06:43.680 the meat and potatoes are, right. I guess 00:06:43.680 --> 00:06:46.620 when you do the real field work for the 00:06:46.620 --> 00:06:48.900 audit you do your testing and all of 00:06:48.900 --> 00:06:51.000 that. But, before you actually start 00:06:51.000 --> 00:06:53.100 testing, you have to perform your 00:06:53.100 --> 00:06:54.780 walkthroughs, and I'm going to come back 00:06:54.780 --> 00:06:57.360 to the walkthroughs after I finish the 00:06:57.360 --> 00:06:59.460 third stage or the third phase. 00:06:59.460 --> 00:07:01.680 The third phase is where you do the 00:07:01.680 --> 00:07:04.259 reporting, so you finish planning, you've 00:07:04.259 --> 00:07:06.180 done the actual testing, and you have 00:07:06.180 --> 00:07:08.819 results, then in the third phase, you're 00:07:08.819 --> 00:07:10.740 doing your reporting and your follow-up. 00:07:10.740 --> 00:07:12.720 So, this is where you type up the report 00:07:12.720 --> 00:07:15.419 to management on the results. And if 00:07:15.419 --> 00:07:17.819 there were any issues identified, you can 00:07:17.819 --> 00:07:20.580 go back and retest to confirm whether or 00:07:20.580 --> 00:07:23.220 not they've been addressed. So those are 00:07:23.220 --> 00:07:27.120 the three phases of an audit. Now, I want 00:07:27.120 --> 00:07:29.280 to dial in on that walkthrough piece 00:07:29.280 --> 00:07:30.419 because 00:07:30.419 --> 00:07:32.880 there are many moving parts, right. 
So as 00:07:32.880 --> 00:07:34.500 you can imagine, an audit is like a 00:07:34.500 --> 00:07:36.479 pretty big project, right. So, there are 00:07:36.479 --> 00:07:39.120 many moving pieces and today, I'm now 00:07:39.120 --> 00:07:41.039 going to focus on the IT audit 00:07:41.039 --> 00:07:44.099 walkthrough piece, right. Again, the IT audit 00:07:44.099 --> 00:07:46.080 walkthrough is part of the field 00:07:46.080 --> 00:07:47.880 work phase. 00:07:47.880 --> 00:07:51.479 So now, let's talk about what are IT audit 00:07:51.479 --> 00:07:53.819 walkthroughs, or what, I'm not sure 00:07:53.819 --> 00:07:56.160 if you know, maybe if you've 00:07:56.160 --> 00:07:58.259 rented an apartment, or you bought 00:07:58.259 --> 00:08:00.539 a house, before they give you the keys, 00:08:00.539 --> 00:08:02.639 right. You, kind of, they will take you to 00:08:02.639 --> 00:08:04.380 what they call a walkthrough. Typically, 00:08:04.380 --> 00:08:06.599 right, you just go in, kind of just look 00:08:06.599 --> 00:08:08.759 at how things are before they give you 00:08:08.759 --> 00:08:11.220 the keys and say, "Okay, we agree that this 00:08:11.220 --> 00:08:12.960 is the state that you're giving us the 00:08:12.960 --> 00:08:15.900 house or the apartment in or whatnot." So 00:08:15.900 --> 00:08:18.240 if you think about that, it's not exactly 00:08:18.240 --> 00:08:21.120 the same, but a walkthrough from the IT audit 00:08:21.120 --> 00:08:23.840 perspective is you getting a better 00:08:23.840 --> 00:08:26.220 understanding of the IT control 00:08:26.220 --> 00:08:28.379 environment of the company. 00:08:28.379 --> 00:08:30.419 So what you do at the beginning of the 00:08:30.419 --> 00:08:32.039 audit, because you're an auditor, right, 00:08:32.039 --> 00:08:34.320 you're not IT. You're not, if you're an 00:08:34.320 --> 00:08:36.059 external auditor, you're not working in 00:08:36.059 --> 00:08:38.820 the company, right. 
So you can't assume 00:08:38.820 --> 00:08:40.679 that you know everything about that 00:08:40.679 --> 00:08:42.360 company. You can't assume that you know 00:08:42.360 --> 00:08:44.760 their control environment. So the reason 00:08:44.760 --> 00:08:46.860 for that walkthrough is for the auditors 00:08:46.860 --> 00:08:50.580 to get a better understanding, right, of 00:08:50.580 --> 00:08:52.260 the control environment that they're 00:08:52.260 --> 00:08:55.380 going to be auditing. So, it's absolutely 00:08:55.380 --> 00:08:57.720 critical because if you don't conduct 00:08:57.720 --> 00:09:00.420 your walkthrough effectively, you might 00:09:00.420 --> 00:09:02.760 have gaps in your understanding of the 00:09:02.760 --> 00:09:04.800 control environment, and that's going to 00:09:04.800 --> 00:09:07.620 ultimately impact right the quality of 00:09:07.620 --> 00:09:09.360 the control procedures that you choose 00:09:09.360 --> 00:09:12.480 to perform and your understanding of the 00:09:12.480 --> 00:09:15.120 impact of the risk. So, walkthroughs are 00:09:15.120 --> 00:09:17.279 very important because that's where you 00:09:17.279 --> 00:09:19.080 really get a good understanding of that 00:09:19.080 --> 00:09:21.899 environment, and a key part of that is 00:09:21.899 --> 00:09:25.560 that you have to include key players and 00:09:25.560 --> 00:09:27.899 the control owners from I.T. So, you're 00:09:27.899 --> 00:09:29.700 not just going to have a random set of 00:09:29.700 --> 00:09:31.200 people in your work just giving you 00:09:31.200 --> 00:09:33.180 information about the environment. You 00:09:33.180 --> 00:09:34.920 have to understand that you have to 00:09:34.920 --> 00:09:37.860 invite the right players. 
So if for your 00:09:37.860 --> 00:09:39.600 IT audit walkthrough, you probably have 00:09:39.600 --> 00:09:41.700 their management levels there right the 00:09:41.700 --> 00:09:43.560 people that are responsible for those 00:09:43.560 --> 00:09:45.899 controls. So the control owners you want 00:09:45.899 --> 00:09:47.820 to make sure that they are in the room 00:09:47.820 --> 00:09:50.160 with you or on Zoom if it's virtual, 00:09:50.160 --> 00:09:52.620 right, explaining their an I.T 00:09:52.620 --> 00:09:54.959 environment. And even if they're not the 00:09:54.959 --> 00:09:57.180 key control owner, but they have a part 00:09:57.180 --> 00:09:58.620 in the process. 00:09:58.620 --> 00:10:00.660 And, they're a key player or key 00:10:00.660 --> 00:10:02.880 stakeholder then you want to make sure 00:10:02.880 --> 00:10:04.680 that they're also in the room with you 00:10:04.680 --> 00:10:08.220 because if not, then again, you run the 00:10:08.220 --> 00:10:11.700 risk of not having that information on 00:10:11.700 --> 00:10:13.680 the control environment. So it's 00:10:13.680 --> 00:10:15.480 important to have the key players and 00:10:15.480 --> 00:10:18.060 especially the control owners in the 00:10:18.060 --> 00:10:19.860 meeting where you're having that walk 00:10:19.860 --> 00:10:23.040 through and one of the things that 00:10:23.040 --> 00:10:24.660 you would test there or that you could 00:10:24.660 --> 00:10:27.060 test, there is a test of design again if 00:10:27.060 --> 00:10:28.800 you don't know what test of design is, 00:10:28.800 --> 00:10:31.140 you can watch my prior video, and I'll 00:10:31.140 --> 00:10:32.820 probably link it when I post this on 00:10:32.820 --> 00:10:34.800 YouTube, so you can see that video where 00:10:34.800 --> 00:10:36.839 I talk about test of design in terms of 00:10:36.839 --> 00:10:39.600 operating effectiveness. 
So depending on 00:10:39.600 --> 00:10:41.580 the control that you're testing or the 00:10:41.580 --> 00:10:43.080 controls that you're reviewing during 00:10:43.080 --> 00:10:45.420 your walkthroughs, you may be able to 00:10:45.420 --> 00:10:48.120 perform some tests of design there. Okay. 00:10:48.120 --> 00:10:51.360 So again, just to summarize this: why 00:10:51.360 --> 00:10:53.399 do we conduct IT audit walkthroughs? 00:10:53.399 --> 00:10:55.800 It's to understand or better understand 00:10:55.800 --> 00:10:57.720 the control environment, the IT control 00:10:57.720 --> 00:10:59.940 environment that you'll be testing. You 00:10:59.940 --> 00:11:01.500 should include the key players, 00:11:01.500 --> 00:11:04.200 stakeholders and control owners from IT. 00:11:04.200 --> 00:11:06.839 And during this, you may be able to test 00:11:06.839 --> 00:11:11.040 the design of controls as well. Okay, one 00:11:11.040 --> 00:11:13.140 thing I do want to say here before we 00:11:13.140 --> 00:11:16.140 move on to the next area is that 00:11:16.140 --> 00:11:18.300 your walkthrough questions should be 00:11:18.300 --> 00:11:20.760 worded properly, right, so that you can 00:11:20.760 --> 00:11:22.980 get useful responses from those that 00:11:22.980 --> 00:11:25.260 you're interviewing. So let me pause here 00:11:25.260 --> 00:11:27.899 for a second. Have you guys ever asked a 00:11:27.899 --> 00:11:29.820 question and then you got the wrong 00:11:29.820 --> 00:11:32.220 answer back? Let me see you guys in the 00:11:32.220 --> 00:11:33.779 chat just to make sure you guys are 00:11:33.779 --> 00:11:35.339 still here with me. Have you ever asked 00:11:35.339 --> 00:11:37.620 the question and the kind of answers 00:11:37.620 --> 00:11:39.000 you're getting, you're like, "Okay, maybe I 00:11:39.000 --> 00:11:40.920 asked the wrong question." 00:11:40.920 --> 00:11:43.440 Yeah? Okay, so that's the same thing for 00:11:43.440 --> 00:11:45.959 walkthroughs. 
So it takes some skill, 00:11:45.959 --> 00:11:47.760 right? You need to know what questions 00:11:47.760 --> 00:11:50.339 that you should ask in order to be able 00:11:50.339 --> 00:11:52.140 to get the right risk. I don't want to 00:11:52.140 --> 00:11:53.579 use the word "right," because it's not 00:11:53.579 --> 00:11:55.980 really right and wrong, but in order to 00:11:55.980 --> 00:11:57.000 get 00:11:57.000 --> 00:11:59.579 good responses, right. Useful responses 00:11:59.579 --> 00:12:01.680 where, when you're actually testing, 00:12:01.680 --> 00:12:03.839 it makes sense, not the kind of responses 00:12:03.839 --> 00:12:05.399 that when you start testing, it's like, 00:12:05.399 --> 00:12:06.839 "Okay, what they said doesn't make sense 00:12:06.839 --> 00:12:09.240 based on what I'm looking at," right. So, 00:12:09.240 --> 00:12:11.519 that's a skill you'll need to gain as 00:12:11.519 --> 00:12:13.560 you go through your walkthroughs because 00:12:13.560 --> 00:12:17.579 if you don't, right, then you run the 00:12:17.579 --> 00:12:20.820 risk of not getting the responses that 00:12:20.820 --> 00:12:23.579 will be useful to you in performing your 00:12:23.579 --> 00:12:26.279 audits. So, here is the bonus part. 00:12:26.279 --> 00:12:28.920 I'm going to now give you a couple of 00:12:28.920 --> 00:12:31.260 examples so that, you know. Again, I like 00:12:31.260 --> 00:12:32.820 practical teaching, so that this can be 00:12:32.820 --> 00:12:36.360 real to you, okay. So let's look at some 00:12:36.360 --> 00:12:38.220 sample questions, and there are 00:12:38.220 --> 00:12:40.440 different parts of IT audits. I'm going 00:12:40.440 --> 00:12:42.300 to look at a couple of questions in 00:12:42.300 --> 00:12:43.680 logical security. 
00:12:43.680 --> 00:12:46.260 So logical security, this is around 00:12:46.260 --> 00:12:48.600 access to systems we're not going to go 00:12:48.600 --> 00:12:50.880 deep into logical security itself, but 00:12:50.880 --> 00:12:52.620 let's talk about what are some questions 00:12:52.620 --> 00:12:56.100 right. So, you want you're going to have 00:12:56.100 --> 00:12:58.260 different levels to your questions. So, 00:12:58.260 --> 00:13:00.899 for example, you start off with describe 00:13:00.899 --> 00:13:02.760 the user access provisioning process. 00:13:02.760 --> 00:13:05.220 This is open-ended. You want to give them 00:13:05.220 --> 00:13:06.720 the opportunity to describe the whole 00:13:06.720 --> 00:13:08.820 process for you, and then you can go 00:13:08.820 --> 00:13:11.700 deeper, right. So who has authority to 00:13:11.700 --> 00:13:13.620 approve users, and their privileged 00:13:13.620 --> 00:13:15.600 levels. So you again, you're starting 00:13:15.600 --> 00:13:18.300 higher getting a broader understanding 00:13:18.300 --> 00:13:21.720 of the environment, and their process and 00:13:21.720 --> 00:13:24.120 then you can ask deeper questions based 00:13:24.120 --> 00:13:26.220 on the controls that you're testing. So, 00:13:26.220 --> 00:13:28.019 these are just a few examples for you to 00:13:28.019 --> 00:13:30.600 see what you might ask during a 00:13:30.600 --> 00:13:32.639 walkthrough, and then 00:13:32.639 --> 00:13:33.720 again, let me look at change 00:13:33.720 --> 00:13:36.079 management. 00:13:36.300 --> 00:13:38.399 So change management again, is another 00:13:38.399 --> 00:13:40.380 area that we test for in IT. During IT 00:13:40.380 --> 00:13:42.720 audits, and here you might also start 00:13:42.720 --> 00:13:44.100 with describe the change management 00:13:44.100 --> 00:13:46.680 process, right again. 
Starting high level, 00:13:46.680 --> 00:13:48.540 giving them the opportunity to describe 00:13:48.540 --> 00:13:50.940 the process to you end to end, and then 00:13:50.940 --> 00:13:52.980 you ask who's required to approve 00:13:52.980 --> 00:13:55.200 changes, for example. So that's a little 00:13:55.200 --> 00:13:58.740 bit more, you're diving deeper into 00:13:58.740 --> 00:14:01.200 maybe one of the controls to get a 00:14:01.200 --> 00:14:03.480 better understanding of that particular 00:14:03.480 --> 00:14:06.480 control area, okay. So, 00:14:06.480 --> 00:14:07.920 hopefully, that was helpful for you 00:14:07.920 --> 00:14:09.360 guys. Do you guys feel like you have a 00:14:09.360 --> 00:14:10.500 better understanding of what 00:14:10.500 --> 00:14:13.800 walkthroughs are now? Yep, okay, good, good, 00:14:13.800 --> 00:14:16.500 I see. Yes, thank you Diamond, Lake Paul, 00:14:16.500 --> 00:14:19.139 thank you Ashley. So, that's really what I 00:14:19.139 --> 00:14:21.540 wanted to cover here today. Again, this is 00:14:21.540 --> 00:14:23.160 intended to be a short training session, 00:14:23.160 --> 00:14:25.920 just bite-sized, so that you understand 00:14:25.920 --> 00:14:28.920 some unique areas in the audit space 00:14:28.920 --> 00:14:32.100 that would help you, all right. So, 00:14:32.100 --> 00:14:33.720 Rainbow said basically to understand 00:14:33.720 --> 00:14:36.420 the, yeah. So, to understand the IT control 00:14:36.420 --> 00:14:39.480 environment, and that would help you when 00:14:39.480 --> 00:14:41.399 you're putting together your 00:14:41.399 --> 00:14:44.459 procedures of performing your test for 00:14:44.459 --> 00:14:48.240 your IT audit. All right, so now let's do 00:14:48.240 --> 00:14:50.399 a summary. I promise you there'll be some 00:14:50.399 --> 00:14:53.459 time for Q&A at the end. 
Let me see if 00:14:53.459 --> 00:14:55.620 you guys have any questions. If you have 00:14:55.620 --> 00:14:57.600 questions, you can put them in the Q&A 00:14:57.600 --> 00:14:59.940 section, and I'll take a few minutes to 00:14:59.940 --> 00:15:02.160 answer them here. But let me do a quick 00:15:02.160 --> 00:15:04.199 summary for you guys because I know some 00:15:04.199 --> 00:15:05.279 of you 00:15:05.279 --> 00:15:07.980 joined after we already started. 00:15:07.980 --> 00:15:09.600 Just to summarize what we talked 00:15:09.600 --> 00:15:12.180 about here today, we started off by just 00:15:12.180 --> 00:15:13.860 going through an introduction to IT 00:15:13.860 --> 00:15:16.800 audits, right. Again, if you want more 00:15:16.800 --> 00:15:18.240 information there, you can watch that 00:15:18.240 --> 00:15:20.459 video I have on the channel, and then we 00:15:20.459 --> 00:15:22.740 talked about the IT audit phases, right? 00:15:22.740 --> 00:15:24.720 What are the phases? So, let me pause 00:15:24.720 --> 00:15:27.180 before I answer the question in the chat. 00:15:27.180 --> 00:15:29.160 Can you tell me what are the phases that 00:15:29.160 --> 00:15:32.000 we talked about today? 00:15:33.680 --> 00:15:37.339 Awesome, thanks, Bob. 00:15:38.040 --> 00:15:41.180 Second phase. 00:15:43.459 --> 00:15:48.019 Thank you, and then one more. 00:15:48.720 --> 00:15:52.139 Reporting and follow, awesome, awesome. On 00:15:52.139 --> 00:15:53.880 what phase do we have the IT 00:15:53.880 --> 00:15:56.540 walkthroughs? 00:16:01.980 --> 00:16:03.779 Walkthrough is field work, so the field 00:16:03.779 --> 00:16:06.240 work is, the IT audit walkthrough 00:16:06.240 --> 00:16:08.880 happens in the field work stage, and this 00:16:08.880 --> 00:16:10.680 is where again you're getting a better 00:16:10.680 --> 00:16:12.779 understanding of the environment. 
You're 00:16:12.779 --> 00:16:14.880 talking to the control owners and you're 00:16:14.880 --> 00:16:17.220 talking to the, all the key 00:16:17.220 --> 00:16:19.680 stakeholders in the I.T space. And then 00:16:19.680 --> 00:16:21.420 we just walk through a few examples so 00:16:21.420 --> 00:16:23.220 that you can see how, 00:16:23.220 --> 00:16:25.860 how walkthroughs are conducted, okay. 00:16:25.860 --> 00:16:28.560 So I'm going to pause now, let's see if 00:16:28.560 --> 00:16:31.139 you guys have any questions. I did tell 00:16:31.139 --> 00:16:33.060 you, it's going to be about 30 minutes. So 00:16:33.060 --> 00:16:34.620 I want to make sure that we don't go 00:16:34.620 --> 00:16:36.959 over time. What questions do you guys 00:16:36.959 --> 00:16:38.940 have? 00:16:38.940 --> 00:16:40.920 You guys have any questions, or was this 00:16:40.920 --> 00:16:43.940 straightforward for you guys. 00:16:48.120 --> 00:16:50.040 Okay, so great question Nick. And Nick is 00:16:50.040 --> 00:16:51.360 asking can walkthroughs be done 00:16:51.360 --> 00:16:52.920 virtually, or does he have to be in 00:16:52.920 --> 00:16:53.699 person? 00:16:53.699 --> 00:16:55.860 It can be done virtually, so if you 00:16:55.860 --> 00:16:57.839 think about the pandemic, right? Where 00:16:57.839 --> 00:17:00.120 everyone no one went out, right? If we 00:17:00.120 --> 00:17:01.320 weren't going to the office, we're all 00:17:01.320 --> 00:17:03.360 working remotely a lot of those 00:17:03.360 --> 00:17:05.459 walkthroughs were performed remotely 00:17:05.459 --> 00:17:07.859 because you can have interviews. Now, the 00:17:07.859 --> 00:17:09.839 difference would be physical security 00:17:09.839 --> 00:17:11.520 walkthroughs where you have to physically 00:17:11.520 --> 00:17:13.740 walk through a data center. 
For example, 00:17:13.740 --> 00:17:15.540 then you'll have to physically go there 00:17:15.540 --> 00:17:17.339 but other than that for the most part 00:17:17.339 --> 00:17:19.740 you can have them virtually. It can be in 00:17:19.740 --> 00:17:22.919 a meeting on Zoom or whatever meeting 00:17:22.919 --> 00:17:26.839 software your organization uses. 00:17:30.179 --> 00:17:31.799 Someone is asking which video should 00:17:31.799 --> 00:17:33.120 you focus on? 00:17:33.120 --> 00:17:34.980 Um, I'll say that depends on your 00:17:34.980 --> 00:17:36.900 interest, right. Because I have a lot of 00:17:36.900 --> 00:17:40.320 videos on different areas so you can 00:17:40.320 --> 00:17:42.539 select the one that you want. I'm trying 00:17:42.539 --> 00:17:45.000 to do a better job posting. I'm pretty 00:17:45.000 --> 00:17:47.220 busy. I have a full-time job, so training 00:17:47.220 --> 00:17:49.020 is not the only thing I do. 00:17:49.020 --> 00:17:50.820 So, I'm trying to do a better job 00:17:50.820 --> 00:17:52.500 posting, but I'll say watch the video 00:17:52.500 --> 00:17:55.500 that makes sense to you, all right. So, 00:17:55.500 --> 00:17:58.620 um oh, what she was asking walkthroughs 00:17:58.620 --> 00:18:00.299 seem to be like something to be done to 00:18:00.299 --> 00:18:02.700 enhance your planning. How come it's in 00:18:02.700 --> 00:18:04.440 the field work phase? 00:18:04.440 --> 00:18:06.720 It depends on your definition of 00:18:06.720 --> 00:18:08.640 enhancing your planning right because 00:18:08.640 --> 00:18:10.860 planning, you're not really doing any 00:18:10.860 --> 00:18:12.900 work, right? In planning, you actually 00:18:12.900 --> 00:18:15.480 determine what areas you need to test 00:18:15.480 --> 00:18:18.059 and that will then determine what areas 00:18:18.059 --> 00:18:19.620 you need to do your walk through, right. 
00:18:19.620 --> 00:18:21.960 Because you don't necessarily need to 00:18:21.960 --> 00:18:24.900 test all the areas of IT, depending on 00:18:24.900 --> 00:18:27.120 the scope of your audit. So, planning is 00:18:27.120 --> 00:18:29.520 more scope focused. Once you identify 00:18:29.520 --> 00:18:31.980 your scope, and then you know the areas 00:18:31.980 --> 00:18:34.020 you want to test, then it's reasonable 00:18:34.020 --> 00:18:36.360 that you would then go do walkthroughs 00:18:36.360 --> 00:18:38.039 for that area. You don't need to do 00:18:38.039 --> 00:18:39.900 walkthroughs for everything. Definitely 00:18:39.900 --> 00:18:41.640 you don't need to do a walkthrough for 00:18:41.640 --> 00:18:44.760 an area you don't need to test, okay. So, 00:18:44.760 --> 00:18:48.260 hopefully that addressed the question. 00:18:48.299 --> 00:18:52.039 The last one I see here, 00:18:54.480 --> 00:18:57.120 so Laker is asking what IT audit 00:18:57.120 --> 00:18:59.400 applications are used aside ERP 00:18:59.400 --> 00:19:00.660 systems? 00:19:00.660 --> 00:19:02.220 I don't know that that question is 00:19:02.220 --> 00:19:04.440 really accurate 00:19:04.440 --> 00:19:06.059 because you're talking about two 00:19:06.059 --> 00:19:07.440 different things. So when you say IT 00:19:07.440 --> 00:19:10.440 audit applications, ERP systems, those are 00:19:10.440 --> 00:19:11.940 two different things. So maybe you want 00:19:11.940 --> 00:19:13.500 to reword that question. Let me better 00:19:13.500 --> 00:19:15.299 understand. If you're talking about 00:19:15.299 --> 00:19:17.700 applications that the audit team uses 00:19:17.700 --> 00:19:20.280 for their audit and GRC, you have 00:19:20.280 --> 00:19:23.039 ServiceNow, Archer, all of that, and then 00:19:23.039 --> 00:19:25.380 the ERP systems are not audit systems. 
00:19:25.380 --> 00:19:27.900 ERP systems are systems that the 00:19:27.900 --> 00:19:29.820 organization is using for their 00:19:29.820 --> 00:19:32.520 operational needs, right. So those are two 00:19:32.520 --> 00:19:34.440 different things so hopefully that helps, 00:19:34.440 --> 00:19:37.140 all right. 00:19:37.140 --> 00:19:41.580 Um, NSHE Iggy is asking, "What's the 00:19:41.580 --> 00:19:43.320 name of the YouTube channel?" it's your 00:19:43.320 --> 00:19:46.200 I.T career, maybe I'll find the link. Hold 00:19:46.200 --> 00:19:46.980 on. 00:19:46.980 --> 00:19:49.200 I'll put it in the record when I post 00:19:49.200 --> 00:19:51.480 the recording, I'll send an email out and 00:19:51.480 --> 00:19:54.419 I'll just, I'll give you guys access 00:19:54.419 --> 00:19:56.039 to that, because I don't know that I have 00:19:56.039 --> 00:19:58.020 it handy. Let's see, 00:19:58.020 --> 00:19:58.980 um. 00:19:58.980 --> 00:20:00.780 What's the difference between internal 00:20:00.780 --> 00:20:03.000 and external audit? So sure, I will refer 00:20:03.000 --> 00:20:04.620 you to my YouTube channel for that just 00:20:04.620 --> 00:20:06.600 because I have another video that goes 00:20:06.600 --> 00:20:08.880 into that in depth. So I think that'll 00:20:08.880 --> 00:20:14.000 probably be more beneficial to you, okay? 00:20:14.220 --> 00:20:15.960 Sarah is asking, "You missed the 00:20:15.960 --> 00:20:17.400 training?" Yes, the recording is going to 00:20:17.400 --> 00:20:19.559 be on YouTube, so I was transparent. I was 00:20:19.559 --> 00:20:20.940 planning to record this for YouTube 00:20:20.940 --> 00:20:23.580 anyways, and instead of recording it by 00:20:23.580 --> 00:20:25.440 myself, I decided to invite you guys to 00:20:25.440 --> 00:20:27.960 listen to me record it live. So, let's say 00:20:27.960 --> 00:20:29.580 in the next couple of days, or so you 00:20:29.580 --> 00:20:31.500 guys should see it on YouTube. 
The 00:20:31.500 --> 00:20:33.179 difference is those that are here live 00:20:33.179 --> 00:20:37.020 get to ask questions, okay. 00:20:37.020 --> 00:20:40.679 All right, so let's now go to, let's see 00:20:40.679 --> 00:20:42.419 if there are any other questions. I will be 00:20:42.419 --> 00:20:45.440 wrapping up in a few minutes. 00:20:46.440 --> 00:20:51.200 Lincoln said, "Got it." Okay, good. 00:20:54.179 --> 00:20:56.640 So she is asking, "Can virtual audit 00:20:56.640 --> 00:20:58.860 be done for a Physical Operation Center?" 00:20:58.860 --> 00:21:00.360 Um, it depends on the objective. It 00:21:00.360 --> 00:21:02.160 depends on what you're testing, but 00:21:02.160 --> 00:21:04.620 typically if the con, it depends on the 00:21:04.620 --> 00:21:07.380 controls. So if you don't understand what 00:21:07.380 --> 00:21:10.380 controls are again. Let me see if I can 00:21:10.380 --> 00:21:13.320 find that channel for you, but it's 00:21:13.320 --> 00:21:15.120 the control is what's going to determine 00:21:15.120 --> 00:21:16.860 how you perform, right. So you can't just 00:21:16.860 --> 00:21:19.260 take an audit, what, what are you actually 00:21:19.260 --> 00:21:21.299 testing? Because if the control is a 00:21:21.299 --> 00:21:22.980 physical control that someone needs to 00:21:22.980 --> 00:21:26.640 see, right, touch or whatever, then you 00:21:26.640 --> 00:21:28.679 will need to do that physically. But, if 00:21:28.679 --> 00:21:30.720 it doesn't require physical presence 00:21:30.720 --> 00:21:32.880 then that control could be tested 00:21:32.880 --> 00:21:35.760 virtually. Okay. 00:21:35.760 --> 00:21:39.120 All right, let's see if there's any more 00:21:39.120 --> 00:21:42.360 question. If there are any more questions, 00:21:42.360 --> 00:21:45.240 hey so, good good good. So thank you guys 00:21:45.240 --> 00:21:47.820 for joining me here today now.
Did you 00:21:47.820 --> 00:21:49.200 guys let 00:21:49.200 --> 00:21:52.260 all, some media is asking. Do I have 00:21:52.260 --> 00:21:55.080 resume workshops on IT audits? Do you 00:21:55.080 --> 00:21:56.640 mean just training on how to do 00:21:56.640 --> 00:21:58.679 your resume, is that what you're asking 00:21:58.679 --> 00:22:01.740 on some media? Okay, so I don't do 00:22:01.740 --> 00:22:04.380 workshops on resume training. However, I 00:22:04.380 --> 00:22:06.780 have covered the topic before where I 00:22:06.780 --> 00:22:08.940 talked about resume mistakes that you 00:22:08.940 --> 00:22:10.980 might make in IT audit. So if and I think 00:22:10.980 --> 00:22:12.419 I actually have that on my YouTube 00:22:12.419 --> 00:22:14.640 channel as well. So, if you go there, I 00:22:14.640 --> 00:22:16.320 think I have one training where I talk 00:22:16.320 --> 00:22:18.120 about resume mistakes that you might be 00:22:18.120 --> 00:22:19.260 making. 00:22:19.260 --> 00:22:21.539 So I don't do workshops and that now 00:22:21.539 --> 00:22:24.659 in my full-blown comprehensive training. 00:22:24.659 --> 00:22:27.299 I do provide resume training for my 00:22:27.299 --> 00:22:29.179 students. I bring in like a live 00:22:29.179 --> 00:22:31.559 professional resume writer to come give 00:22:31.559 --> 00:22:34.200 training to students in one of my 00:22:34.200 --> 00:22:36.480 courses. So that's something I provide. 00:22:36.480 --> 00:22:38.820 Because your resume is not just about 00:22:38.820 --> 00:22:40.980 finding a template online, and putting it 00:22:40.980 --> 00:22:42.840 together, right. Your resume should 00:22:42.840 --> 00:22:46.140 reflect what, you know, your experience. I 00:22:46.140 --> 00:22:47.760 think. Okay, I'll answer one more question 00:22:47.760 --> 00:22:50.159 because we have just one more minute.
00:22:50.159 --> 00:22:52.020 Did we do control testing in the 00:22:52.020 --> 00:22:53.580 process of walkthrough only check the 00:22:53.580 --> 00:22:54.659 design? 00:22:54.659 --> 00:22:56.039 Typically, during your walkthrough, 00:22:56.039 --> 00:22:57.539 you're just, that's where you're really 00:22:57.539 --> 00:22:59.760 doing your design review depending on 00:22:59.760 --> 00:23:01.500 the control. You may not even be able to 00:23:01.500 --> 00:23:03.179 really finish that in the walkthrough, 00:23:03.179 --> 00:23:05.520 but you would look at that there. However, 00:23:05.520 --> 00:23:07.500 additional testing will be needed to 00:23:07.500 --> 00:23:10.440 finish your testing procedures. Okay, all 00:23:10.440 --> 00:23:12.720 right. So, I think we're up on time here 00:23:12.720 --> 00:23:14.580 today. Thank you guys for joining me. If 00:23:14.580 --> 00:23:16.200 you guys learned something, I promise to 00:23:16.200 --> 00:23:18.240 you guys you will learn something. All 00:23:18.240 --> 00:23:20.880 right. Great great great. So before we go 00:23:20.880 --> 00:23:23.039 let me, just make sure there's a free 00:23:23.039 --> 00:23:25.559 six figure career guide. So this guide has 00:23:25.559 --> 00:23:27.720 been downloaded so so many times by so 00:23:27.720 --> 00:23:29.700 many people. Let me put it in the chat, 00:23:29.700 --> 00:23:33.480 and it's also going to be available in 00:23:33.480 --> 00:23:35.760 the YouTube link when I'm done. But if 00:23:35.760 --> 00:23:37.380 you guys want the guide for those 00:23:37.380 --> 00:23:39.780 interested in IT audits, go ahead and 00:23:39.780 --> 00:23:41.760 download this guide. 00:23:41.760 --> 00:23:44.520 Um and it just walks through some things 00:23:44.520 --> 00:23:46.799 that you need to know, so make sure you 00:23:46.799 --> 00:23:48.840 download that guide. It's free. I'm not 00:23:48.840 --> 00:23:52.200 charging you for that at all.
And um, I'm 00:23:52.200 --> 00:23:53.820 not sure how often I'll do this free 00:23:53.820 --> 00:23:55.500 training, maybe once a month. I don't know, 00:23:55.500 --> 00:23:57.720 but if you're on my email list. So if you 00:23:57.720 --> 00:23:59.640 get that guide, for example, you'll be on my 00:23:59.640 --> 00:24:01.559 email list. And you'll get invited to 00:24:01.559 --> 00:24:03.720 this. I don't publicize these small 00:24:03.720 --> 00:24:05.940 meetings anywhere else. It's just going 00:24:05.940 --> 00:24:09.000 to be for those on my email list. I think 00:24:09.000 --> 00:24:11.700 I scroll too fast, okay. There it is. All 00:24:11.700 --> 00:24:13.740 right, so thank you guys. You guys have a 00:24:13.740 --> 00:24:17.480 great rest of your day. Bye.