Last year I wrote an article that discussed using COBIT 5 to audit cyber controls, in this instance the Australian Signals Directorate (ASD) Top 4. At the time of writing this article I had the privilege of being an expert reviewer on a draft ISACA white paper on creating an audit program. This white paper has now been released.
In the Australian government, as with all governments around the world, compliance against legislative and regulatory requirements is an important factor for the various government entities responsible for the delivery of functions for the Australian government. As a result, the internal audit programs for these government entities generally have a strong focus on compliance factors. Within the Australian government, entities are required to comply with a myriad of legislation, regulations and rules, including (but not limited to):
- The Protective Security Policy Framework
- The Information Security Manual
- The Public Governance Performance and Accountability Act (and associated legislation)
- The Commonwealth Procurement Rules
- The Commonwealth Risk Management Policy
- Whole-of-government ICT Policy
- The Commonwealth Fraud Control Policy
Each government entity is also required to comply with their individual enabling legislation and regulations, as well as laws and regulations that any business and organization must comply with. In recent times, the following have been a focus of internal audit programs:
- Workplace health and safety requirements
- The Privacy Act
As discussed in my article about the ASD Top 4, internal audit has traditionally taken a yes/no approach to auditing compliance in government. For instance, if an audit on procurement was scheduled on the audit program, an auditor would take a sample of recent procurements, assess them against the regulatory requirements and internal policy and procedures, and produce a report that outlined instances of noncompliance.
In my opinion, this approach is useless. It does not help management understand why there was noncompliance and how they can prevent noncompliance. This white paper goes through a 5-step process to develop an audit plan:
- Develop an audit plan.
- Define audit objective.
- Set audit scope.
- Perform audit planning.
- Determine steps for data gathering
These five steps provide details on how to put together an effective audit plan that can ensure that you help management. It very deliberately guides you on what to consider and prepare in the planning process so you are better prepared to undertake the audit. This will help ensure that when undertaking an audit of legislative compliance in government, you move away from the traditional yes/no approach and consider the factors or, to use a COBIT 5 term, the enablers that actually help management achieve compliance.
David Berkelmans, CISA, Executive Director IT Audit, Synergy Group
[ISACA Now Blog]