-
All right. So good morning, guys and thank
-
you for joining me here today. So, today, I
-
just wanted to do a quick training on IT
-
audio walkthroughs, and to be honest, I
-
was planning to record this by myself
-
and then I decided, you know, what, why not
-
just make it a live training and see if
-
others are interested in joining, and you
-
guys are. So, thank you for joining.
-
It's going to be short. This is just
-
going to be 30 minutes, maybe about 15-20
-
minutes of training. And then, I'll see if
-
you guys have any questions.
-
It's intended for YouTube, for
-
transparency sake. So, it will be recorded
-
to YouTube, but the difference is those
-
that are here live with me, you get to
-
ask questions, and those on YouTube can't
-
ask questions right. So, let's go ahead
-
and get started. If you guys are ready to
-
get started, okay. You let me know. Yep, yep,
-
yep.
-
All right. So awesome awesome. So let's go
-
ahead, and get started here. Thank you for
-
joining me here today for a training on
-
IT audit walkthroughs. So in today's
-
training, I just want to give you guys
-
a quick overview or an introduction
-
to what IT audit walkthroughs are. I know
-
many of you might have been searching
-
the internet trying to find additional
-
information on audits, and you may have
-
seen the word walkthrough, right. And you
-
don't understand what that is. So today,
-
I'm just going to give you an
-
introduction to that. And then, we'll see
-
if you guys have any questions related
-
to the topic.
-
Later on, all right. So, I see more of
-
you joining. Thank you for joining, guys.
-
So, before we get started, very brief
-
introduction to myself. I don't want to
-
take too much time here.
-
But for those, that are just meeting
-
me for the first time. My name is Peju Adedeji.
-
I have over 18 years of experience in
-
the I.T space. A lot of that is around IT
-
audit GRC program management. All in the
-
audit and compliance space really. My
-
passion is teaching. That's one of the
-
things that I've always loved to do. So,
-
I'm also a career coach where I help
-
people that are looking to start their
-
careers in I.T cyber security audit, and
-
compliance.
-
Okay, for me, I like practical training
-
recently joined the Forbes coaches
-
council. Again, I really love teaching so
-
I like to be with other coaches trying
-
to develop myself so that I can help my
-
students as well.
-
This year, we've already had multiple
-
six-figure salaries that have come in
-
our program, and so I I'm really excited
-
about what we're doing. So let's go ahead
-
and get started with the training for
-
today.
-
So here are the topics for today.
-
We're going to go over an
-
introduction to IT audit at a higher
-
level. So if you are not familiar with
-
this you can probably check my YouTube
-
channel. And you see the training, I've
-
done it on this in the past.
-
But I'm going to just introduce that
-
because I know some people that are here
-
today may not right have watched any
-
of my videos before or attended any of
-
my training. And then, we'll talk about
-
the IT audit phases because it's during
-
this discussion that we're then going to
-
talk about walkthroughs, because
-
walkthroughs that's one of the phases or
-
part of one of the phases. And there's
-
going to be a bonus review, where I'm
-
going to walk through some actual
-
examples with you. And maybe I'll give
-
you guys a bonus document. But let's see,
-
okay. And at the end I'll give about 10
-
minutes or so for questions.
-
So let's go ahead and start with our
-
introduction to IT audit.
-
I'm not going to go in depth into this
-
like I said, I have a training on my
-
YouTube channel that you guys can watch.
-
But, I do want to introduce this in
-
today's training because I want you to
-
understand what audits are before we
-
talk about walkthroughs, right. So, what's
-
an audit at the end of the day, you know,
-
people have different definitions of
-
what it is, but IT audit at the end of
-
the day, if you want to use simple terms,
-
is an examination of the organization
-
systems to determine if controls are
-
operating effectively. So systems usually
-
have controls in there, and for controls.
-
Again, the prior training I mentioned
-
will have that but think of a control as
-
like a password control, right. When you
-
want to log into your computer, you have
-
to put in a password,
-
or maybe your e-mail you have to put
-
in a password that's a control. So,
-
organization systems have controls, as
-
well,
-
and this controls right.
-
In order, part of an I.T audit is
-
testing and examining those systems to
-
determine if those controls are
-
operating effectively because if they
-
are not operating effectively, then the
-
security of that system right is in
-
question. And you might be wondering, "Well,
-
why should I be concerned about the
-
security or of a system or whether the
-
controls are operating effectively," and
-
the reason is one you want to mitigate
-
risks, right. You don't want people having
-
inappropriate access to your systems, so
-
when I say, "You, I'm in the
-
organization," an organization doesn't
-
want people having inappropriate access
-
to the systems. So, it's important to have
-
controls in place to ensure that that
-
security is there. And as the I.T auditor,
-
right, part of your audit objective or
-
your control objective for your test is
-
determining if security controls are in
-
place. So you are examining those systems
-
to see if those controls are effective
-
in mitigating risks, like I said for
-
example security risks or just even
-
medium compliance and regulatory
-
requirements, right. So in the US, we have
-
servings, okay. Other countries have
-
similar laws and standards as well. We
-
have PCI, SOX, SSA 18, right. So, all those
-
standards depending on what your
-
organization needs to comply with then
-
the audit is going to take place to
-
examine and determine if those controls
-
are meeting those requirements, okay. So
-
that's a summary of what we have of
-
what IT audits are.
-
So,
-
there are three key phases of IT
-
audience, all right. So we have the audio
-
planning phase we have our field
-
workplace, and this is where you have the
-
walkthrough, so that's where the
-
walkthroughs are performed, and you also
-
have the reporting and the follow-up
-
phase. So I'm going to again summarize
-
this. So that I set the stage for what
-
we really want to talk about today, so in
-
your audit planning phase right. This is
-
where you're understanding the
-
organization trying to define the scope,
-
and the objective and also trying to
-
identify what tests you perform so
-
you're essentially just planning for the
-
audit in that phase. Now, the field work
-
phase is, kind of, I'll say, that's where
-
the medium potatoes are right. I guess
-
when you do the real field work for the
-
audit you do your testing and all of
-
that. But, before you actually start
-
testing, you have to perform your
-
walkthroughs, and I'm going to come back
-
to the World Series after I finish the
-
third stage or the third phase.
-
The third phase is where you do the
-
reporting, so you finish planning, you've
-
done the actual testing, and you have
-
results then in the third phase, you're
-
doing your reporting, and your follow-up.
-
So, this is where you type up the report
-
to management on the results. And if
-
there were any issues identified, you can
-
go back, and retest to confirm whether or
-
not, they've been addressed. So those are
-
the three phases of an audit. Now, I want
-
to dial in on that walk through piece
-
because
-
there are many moving parts, right. So as
-
you can imagine an audit is like a
-
pretty big project, right. So, there are
-
many moving pieces and today, I'm now
-
going to focus on the IT audio
-
walkthrough piece right again. The IT or
-
the walkthrough is part of the field
-
work phase.
-
So now, let's talk about what are IT? What
-
other walkthroughs or what, I'm not sure
-
if you know, maybe if you've
-
you rented an apartment, or you bought
-
a house before they give you the keys,
-
right. You, kind of, they will take you to
-
what they call a walkthrough. Typically,
-
right, you just go in kind of just look
-
at how things are before they give you
-
the keys and say, "Okay, we agree that this
-
is the state that you're giving us the
-
house or the apartment in or whatnot." So
-
if you think about that it's not exactly
-
the same, but a walkthrough from the IT audit
-
perspective is you getting a better
-
understanding of the I.T control
-
environment of the company.
-
So what you do at the beginning of the
-
audit, because you're an auditor right,
-
you're not I.T. You're not, if you're an
-
external auditor, you're not working in
-
the company right. So you can't assume
-
that you know everything about that
-
company. You can't assume that you know
-
their control environment. So the reason
-
for that walkthrough is for the auditors
-
to get a better understanding, right, of
-
the control environment that they're
-
going to be auditing. So, it's absolutely
-
critical because if you don't conduct
-
your walkthrough effectively, you might
-
have gaps in your understanding of the
-
control environment, and that's going to
-
ultimately impact right the quality of
-
the control procedures that you choose
-
to perform and your understanding of the
-
impact of the risk. So, walkthroughs are
-
very important because that's where you
-
really get a good understanding of that
-
environment, and a key part of that is
-
that you have to include key players and
-
the control owners from I.T. So, you're
-
not just going to have a random set of
-
people in your work just giving you
-
information about the environment. You
-
have to understand that you have to
-
invite the right players. So if for your
-
IT audit walkthrough, you probably have
-
their management levels there right the
-
people that are responsible for those
-
controls. So the control owners you want
-
to make sure that they are in the room
-
with you or on Zoom if it's virtual,
-
right, explaining their an I.T
-
environment. And even if they're not the
-
key control owner, but they have a part
-
in the process.
-
And, they're a key player or key
-
stakeholder then you want to make sure
-
that they're also in the room with you
-
because if not, then again, you run the
-
risk of not having that information on
-
the control environment. So it's
-
important to have the key players and
-
especially the control owners in the
-
meeting where you're having that walk
-
through and one of the things that
-
you would test there or that you could
-
test, there is a test of design again if
-
you don't know what test of design is,
-
you can watch my prior video, and I'll
-
probably link it when I post this on
-
YouTube, so you can see that video where
-
I talk about test of design in terms of
-
operating effectiveness. So depending on
-
the control that you're testing or the
-
controls that you're reviewing during
-
your walkthroughs, you may be able to
-
perform some tests of design there. Okay.
-
So again, just to summarize this why
-
didn't we conduct I.T audit walkthroughs,
-
it's to understand or better understand
-
the control environment. The I.T control
-
environment that you'll be testing, you
-
should include the key players
-
stakeholders and control owners from it.
-
And during this, you may be able to test
-
the design of controls as, well, okay, one
-
thing I do want to stay here before we
-
move on to the next area is that
-
you'll go through questions should be
-
worded properly, right. So that you can
-
get useful responses from those that
-
you're interviewing. So let me pause here
-
for a second. Have you guys ever asked a
-
question and then you got the wrong
-
answer back? Let me see you guys in the
-
chat just to make sure, you guys are
-
still here with me. Have you ever asked
-
the question and the kind of answers
-
you're getting, you're like, "Okay, maybe I
-
asked the wrong question."
-
Yeah? Okay, so that's the same thing for
-
walkthroughs. So it takes some skill,
-
right? You need to know what questions
-
that you should ask in order to be able
-
to get the right risk. I don't want to
-
use the word, right because it's not
-
really right and wrong, but in order to
-
get
-
good responses, right. Useful responses
-
where you when you're actually testing
-
it makes sense not the kind of response
-
is that when you start testing, it's like
-
okay what they said doesn't make sense
-
based on what I'm looking at right. So,
-
that's a skill you'll need to gain as
-
you go through your walkthroughs because
-
if you don't write, then you run the
-
risk of not getting the responses that
-
will be useful to you in performing your
-
audience. So, here is the bonus part.
-
I'm going to now give you a couple of
-
examples so that, you know. Again, I like
-
practical teaching, so that this can be
-
real to you, okay. So let's look at some
-
sample questions, and there are
-
different parts of IT audits I'm going
-
to look at couple of questions, and
-
logical security.
-
So logical security, this is around
-
access to systems we're not going to go
-
deep into logical security itself, but
-
let's talk about what are some questions
-
right. So, you want you're going to have
-
different levels to your questions. So,
-
for example, you start off with describe
-
the user access provisioning process.
-
This is open-ended. You want to give them
-
the opportunity to describe the whole
-
process for you, and then you can go
-
deeper, right. So who has authority to
-
approve users, and their privileged
-
levels. So you again, you're starting
-
higher getting a broader understanding
-
of the environment, and their process and
-
then you can ask deeper questions based
-
on the controls that you're testing. So,
-
these are just a few examples for you to
-
see what you might ask during a
-
walkthrough, and then
-
again, let me look at change
-
management.
-
So change management again, is another
-
area that we test for in IT. During IT
-
audits, and here you might also start
-
with describe the change management
-
process, right again. Study high level
-
giving them the opportunity to describe
-
the process to you end to end, and then
-
you ask who's required to approve
-
changes. For example, so that's a little
-
bit more, you're diving deeper into
-
maybe one of the controls to get a
-
better understanding of that particular
-
control area, okay. So,
-
hopefully, that was helpful for you
-
guys. Do you guys feel like you have a
-
better understanding of what
-
walkthroughs are now? Yep, okay, good, good,
-
I see. Yes, thank you Diamond, Lake Paul,
-
thank you Ashley. So, that's really what I
-
wanted to cover here today. Again, this is
-
intended to be a short training session,
-
just bite sized. So, that you understand
-
some unique areas in the audit space
-
that would help you, all right. So,
-
rainbow said basically to understand
-
the yeah. So, to understand the IT control
-
environment, and that would help you when
-
you're putting together your
-
procedures of performing your test for
-
your IT audit. All right, so now let's do
-
a summary. I promise you. There'll be some
-
time for Q/A at the end. Let me see if
-
you guys have any questions if you have
-
questions you can put them in the Q/A
-
section, and I'll take a few minutes to
-
answer them here. But let me do a quick
-
summary for you guys because I know some
-
of you
-
joined after we already started.
-
Just to summarize what we talked
-
about here today, we started off by just
-
going through an introduction to IT
-
audits, right. Again, if you want more
-
information there, you can watch that
-
video, I have on the channel, and then we
-
talked about the IT audit faces, right?
-
What are the phases? So, let me pause
-
before I answer the question in the chat.
-
Can you tell me what are the phases that
-
we talked about today?
-
Awesome thanks, Bob.
-
Second phase.
-
Thank you, and then one more
-
reporting, and follow awesome, awesome. On
-
what phase do we have the IT
-
walkthroughs?
-
Walk through his field work, so the field
-
work isn't the ID audio walkthrough
-
happens in the field work stage, and this
-
is where again you're getting a better
-
understanding of the environment? You're
-
talking to the control owners and you're
-
talking to the, all the key
-
stakeholders in the I.T space. And then
-
we just walk through a few examples so
-
that you can see how,
-
how walkthroughs are conducted, okay.
-
So I'm going to pause now, let's see if
-
you guys have any questions. I did tell
-
you, it's going to be about 30 minutes. So
-
I want to make sure that we don't go
-
over time. What questions do you guys
-
have?
-
You guys have any questions, or was this
-
straightforward for you guys.
-
Okay, so great question Nick. And Nick is
-
asking can walkthroughs be done
-
virtually, or does he have to be in
-
person?
-
It can be done virtually, so if you
-
think about the pandemic, right? Where
-
everyone no one went out, right? If we
-
weren't going to the office, we're all
-
working remotely a lot of those
-
walkthroughs were performed remotely
-
because you can have interviews. Now, the
-
difference would be physical security
-
walkthroughs where you have to physically
-
walk through a data center. For example,
-
then you'll have to physically go there
-
but other than that for the most part
-
you can have them virtually. It can be in
-
a meeting on Zoom or whatever meeting
-
software your organization uses.
-
Someone is asking which video should
-
you focus on?
-
Um, I'll say that depends on your
-
interest, right. Because I have a lot of
-
videos on different areas so you can
-
select the one that you want. I'm trying
-
to do a better job posting. I'm pretty
-
busy. I have a full-time job, so training
-
is not the only thing I do.
-
So, I'm trying to do a better job
-
posting, but I'll say watch the video
-
that makes sense to you, all right. So,
-
um oh, what she was asking walkthroughs
-
seem to be like something to be done to
-
enhance your planning. How come it's in
-
the field work phase?
-
It depends on your definition of
-
enhancing your planning right because
-
planning, you're not really doing any
-
work, right? In planning, you actually
-
determine what areas you need to test
-
and that will then determine what areas
-
you need to do your walk through, right.
-
Because you don't necessarily need to
-
test all the areas of I.T. depending on
-
the scope of your audit. So, planning is
-
more scope focused once you identify
-
your scope, and then you know the areas
-
you want to test, then it's reasonable
-
that you would then go do walkthroughs
-
for that area. You don't need to do
-
walkthroughs for everything definitely
-
you don't need to do a walkthrough for
-
an area you don't need to test, okay. So,
-
hopefully that addressed the question
-
the last one. I see here,
-
so Laker is asking what IT audit
-
applications are used as a side ERP
-
systems?
-
I don't know that. That question is
-
really accurate
-
because you're talking about two
-
different things so when you say it
-
audit applications, ERP systems, those are
-
two different things. So maybe you want
-
to reword that question. Let me better
-
understand. If you're talking about
-
applications that the audit team uses
-
for their audit, and GRC you have
-
servicenow, orchard, all of that and then
-
the ERP systems are not audit systems.
-
ERP systems are systems that the
-
organization is using for their
-
operational needs, right. So those are two
-
different things so hopefully that helps,
-
all right.
-
Um, NSHE Iggy is asking, "What's the
-
name of the YouTube channel?" it's your
-
I.T career, maybe I'll find the link. Hold
-
on.
-
I'll put it in the record when I post
-
the recording, I'll send an email out and
-
I'll just, I'll give you guys access
-
to that, because I don't know that I have
-
it handy. Let's see,
-
um.
-
What's the difference between internal
-
and external audit? So sure, I will refer
-
you to my YouTube channel for that just
-
because I have another video that goes
-
into that in depth. So I think that'll
-
probably be more beneficial to you, okay?
-
Sarah is asking, "You missed the
-
training?" Yes, the recording is going to
-
be on YouTube, so I was transparent. I was
-
planning to record this for YouTube
-
anyways, and instead of recording it by
-
myself, I decided to invite you guys to
-
listen to me record it live. So, let's say
-
in the next couple of days, or so you
-
guys should see it on YouTube. The
-
difference is those that are here live
-
get to and ask questions, Okay.
-
All right, so let's now go to, let's see
-
if there any other questions. I will be
-
wrapping up in a few minutes.
-
Lincoln said, "Got it." Okay, good.
-
So she is asking, "Can virtual audit
-
be done for a Physical Operation Center?"
-
Um, it depends on the objective. It
-
depends on what you're testing, but
-
typically if the con, it depends on the
-
controls. So if you don't understand what
-
controls are again. Let me see if I can
-
find that channel for you, but it's
-
the control is what's going to determine
-
how you perform, right. So you can't just
-
take an audit, what, what are you actually
-
testing? Because if the control is a
-
physical control that someone needs to
-
see, write, touch or whatever ,then you
-
will need to do that physically. But, if
-
it doesn't require physical presence
-
then if that control could be tested
-
virtually Okay.
-
All right, let's see if there's any more
-
question. If there are any more questions,
-
hey so, good good good. So thank you guys
-
for joining me here today now. Did you
-
guys let
-
all, some media is asking. Do I have
-
resume workshops on IT audits? Do you
-
mean just training on how to do your
-
your resume is that what you're asking
-
on some media? Okay, so I don't do
-
workshops on resume training. However, I
-
have covered the topic before where I
-
talked about resume mistakes that you
-
might make in IT audit. So if and I think
-
I actually have that on my YouTube
-
channel as well. So, if you go there, I
-
think I have one training where I talk
-
about resume mistakes that you might be
-
making.
-
So I don't do workshops and that now
-
in my full-blown comprehensive training.
-
I do provide resume training for my
-
students. I bring in like a live
-
professional resume writer to come give
-
training to students in one of my
-
courses. So that's something I provide.
-
Because your resume is not just about
-
finding a template online, and putting it
-
together right. Your resume should
-
reflect what, you know, your experience. I
-
think. Okay, I'll answer one more question
-
because we have just one more minute.
-
Did we do control testing in the
-
process of walkthrough only check the
-
design?
-
Typically, during your walkthrough,
-
you're just, that's where you're really
-
doing your design review depending on
-
the control. You may not even be able to
-
really finish that in the walkthrough,
-
but you would look at that there. However,
-
additional testing will be needed to
-
finish your testing procedures. Okay all
-
right. So, I think we're up on time here
-
today. Thank you guys for joining me. If
-
you guys learned something, I promise to
-
you guys you will learn something. All
-
right. Great great great. So before we go
-
let me, just make sure there's a free
-
six figure career guide. So this guide has
-
been downloaded so so many times by so
-
many people. Let me put it in the chat,
-
and it's also going to be available in
-
the YouTube link when I'm done. But if
-
you guys want the guide for those
-
interested in IT audits, go ahead and
-
download this guide.
-
Um and it just walks through some things
-
that you need to know, so make sure you
-
download that guide. it's free. I'm not
-
charging you for that at all. And um, I'm
-
not sure how often I'll do this free
-
training, maybe once a month. I don't know,
-
but if you're on my email list. So if you
-
get that guy, for example, you'll be on my
-
email list. And you'll get invited to
-
this. I don't publicize this small
-
meetings anywhere else. It's just going
-
to be for those on my email list. I think
-
I scroll too fast, okay. There it is. All
-
right, so thank you guys. You guys have a
-
great rest of your day. Bye.
