Time
51 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Greetings, everyone. Welcome to Cybersecurity Audit Overview, Episode three: When to Perform a Cyber Security Audit.
00:11
Now the learning objectives are for you to learn what is an annual audit, what is a quarterly audit, what is a special audit,
00:20
as well as understanding the purpose of an audit schedule.
00:24
The annual audits are normally performed
00:27
once a year,
00:28
and that's just done to meet audit requirements.
00:32
Basically, what that means is that every entity, every division, every program should be audited at least once a year.
00:40
Now, annual audits are there for lower risk programs or programs that are more stable than others.
00:46
Now, quarterly audits, on the other hand, are performed on higher risk programs.
00:52
Means that there's a lot of differences, a lot of activities going on. We need to take a look at them more frequently than just once a year.
01:02
And there's also special audits because, as we discussed before, abnormalities like data breaches, new leadership, lawsuits, et cetera,
01:11
that require us to go in and take a look at something.
01:15
Now, here's a definition from ISACA regarding annual audits.
01:21
Cyber security audits should be planned on an annual cycle, take into account consideration of the business cycles
01:27
and cause minimal disruption of business activities.
01:33
Now the cycles can be calendar year or fiscal year, and calendar year basically means, you know, January 1st to December 31st.
01:42
Fiscal cycles, however, are different,
01:45
and not all organizations will have the same fiscal years.
01:49
For example, the federal government fiscal year begins October 1st and ends at the end of September.
01:57
The audit should also be scheduled to make sure there's minimal disruption to business activities.
02:05
This is because audits are often intensive and time consuming, and the last thing you really want to do is schedule an audit during the busy part of the year for a particular division or department.
02:19
Now, quarterly audits, on the other hand, are there to monitor higher risk programs or functions.
02:24
All right, some examples are access control
02:28
or configuration management.
02:30
With regards to access control,
02:34
Whenever an employee checks on, you want to make sure that they're given access to all the appropriate parts of the organization,
02:40
email, et cetera.
02:43
When they leave, you want to make sure that you cut all that stuff off immediately. That's for the security of the organization.
02:51
They're no longer an employee, so they don't need access.
02:54
Now, because of that, you don't want to wait 365 days to make sure
03:00
that people are performing access control properly.
03:04
You'd like to do that every 90 days or sooner if possible.
03:08
Quarterly audits can also be performed to verify correction from previous audit failures. For example, consecutive failures within a program or division
03:17
may need additional oversight.
03:21
If they haven't fixed it in the past two audits, you're going to have to do quarterly audits to make sure that they are working towards correcting those deficiencies.
03:31
And quarterly audits may also be performed as part of new programs or projects. Management needs an unbiased status update on a new program or new project as it's being implemented.
03:43
And what better entity to do that than the internal audit team?
03:47
And special audits?
03:50
Well, basically they're abnormalities or unplanned events that require attention. We talked about this before: data breaches, leadership,
03:58
and they're often directed by management. Management wants us to go in, take a look at it and basically brief them on the current situation.
04:10
All right, our first quiz:
04:14
Which of the following statements are true?
04:15
Annual audits are based on calendar or fiscal year cycles.
04:19
Quarterly audits are for higher risk programs
04:24
or special circumstances may require an unplanned audit.
04:33
Now, the correct answer is all of them.
04:36
They are based on calendar or fiscal year cycles. Quarterly audits are for higher risk programs,
04:43
and special circumstances, abnormalities, may require an unplanned audit.
04:49
All right, let's talk about the audit schedule.
04:54
Now, the audit schedule is a predetermined and pre-approved schedule of planned audits,
04:59
approved by senior leadership and published and distributed. Simple to understand, right?
05:05
Well, the only problem is you can't use last year's audit schedule, change the dates on it and then resubmit it and think it's gonna work for the upcoming year.
05:16
Now, why is that?
05:18
That's because every single audit schedule has to be planned according to organizational requirements,
05:24
and they can change from year to year.
05:28
For example, an entity that used to be on a quarterly audit schedule
05:32
now has changed to an annual audit schedule.
05:35
You have to take them into account.
05:39
You also have to take into account the fact of holidays
05:44
and special days like company picnics or company meetings.
05:49
You know, the Fourth of July
05:51
American Independence Day is always going to be on the Fourth of July.
05:57
However, the Fourth of July in one year can be on a Thursday
06:01
and the following year it can be on a Monday,
06:03
so you have to take that into account when you're actually building your audit schedule.
06:12
Now, once you have your audit schedule planned out and approved,
06:15
then that document helps provide planning for the audit team and the organization.
06:20
For the audit team, that gives you an idea of when your audits are actually gonna be occurring. And it allows people to take vacation time in between the audits
06:30
and, as far as the organization's concerned, gives them advance notice of when to expect an audit to be occurring. This way, they can plan for it in advance.
06:41
The audit schedule should be approved by senior leadership,
06:45
and the reason for that is fairly straightforward.
06:48
Sometimes you're gonna come across an individual that says, "Well, you know, unless it comes from my boss or from my boss's boss, I really don't care."
06:58
This way, by having it signed off at the highest level possible, CEO or president level, it's gonna increase employees' interest as well as their opportunity to participate in the audit.
07:11
Now the audit schedule must be published and distributed.
07:15
This is because it provides advance notice of the audits
07:17
to the auditees.
07:19
We all can understand that secrets and surprises are not good.
07:25
Okay, time for no matter which bomb.
07:29
During a time when I was a quality assurance officer,
07:31
I used to personally hand out the audit schedule
07:35
to different department heads and entities that we were auditing.
07:40
Now this was an act of good faith on my part,
07:43
basically making sure that they actually had a copy handed to them personally.
07:46
And this way they couldn't say, Well, I didn't know or we didn't have time to prepare. You were given advance notice directed by myself.
07:57
All right, last quiz.
08:00
Which of the following statements are not true? Once again, not true.
08:05
Audit schedules are based on calendar fiscal year cycles.
08:09
Audit schedules should be kept quiet to improve negative results.
08:15
Audit schedules should be approved by higher authority.
08:22
Well, it was fairly obvious.
08:24
"Audit schedules should be kept quiet to improve negative results" is incorrect.
08:30
Schedules should be published. Once again, secrets and surprises, they're not good for anyone.
08:37
All right,
08:39
In this video, we discussed annual audits, quarterly audits, special audits and audit schedules.
08:46
All right, if you're ready, let's move on to the next episode.

Up Next

Cybersecurity Audit Overview

This cybersecurity audit training is a beginner level course for anyone interested in cybersecurity audits or a career as an auditor. Upon completion of the course, the student will be familiar with the concept and purpose of auditing along with control frameworks focused on cybersecurity.

Instructed By

Darcy Kempa
Instructor