Defining the Scope, Objectives, Goals, and Frequency of an Audit

The scope, objectives, goals, and frequency of audits are based on risk. The goal of the planning phase of an audit is to define an audit universe and then identify the risks that put the organization's goals in jeopardy. An audit universe is the collection of auditable areas, units, or entities, grouped into logically separate areas so that all risks are covered. For example, to cover all of the IT infrastructure, we can logically separate information technology (IT) operations from information security (IS) functions. Both are needed to ensure data are appropriately processed and applications are protected in support of the business's goals. Consequently, an auditable entity or grouping can be aligned organizationally or functionally.

Once the auditable entities and groups are defined, the next step is to determine the risks associated with each grouping. For example, cutting-edge high-tech firms are highly reliant on skilled teams of developers, while a retail store may be reliant on older technologies. Both situations come with different risks and, thus, may have a different set of priorities when it comes to auditing.

To determine the risks associated with each auditable entity, a detailed assessment and analysis should be performed. Typically, these assessments and analyses are performed annually as part of the audit planning cycle. The audit cycle is how often you audit or assess an auditable entity. This is important because there is rarely enough time and resources to do a complete audit in one year. Consequently, if you have an audit cycle of a designated length, say five years, you can break operations audits into five parts and at the end of five years have complete coverage of that auditable entity. There is no specific rule on how short or long these cycles can be; however, three to five years is generally the accepted norm. It is important to note that these cycles are not rigid; if a higher risk is identified within a cycle, you would audit that area more frequently. For example, on a five-year cycle, if you audited data backups two years ago but recently determined an elevated risk due to the increase in ransomware attacks, it may still be necessary to re-audit your backups based on that increased risk.

Assessments are a very important process for determining the risks and thus driving the audit frequency. While risks alone will not define a complete scope, they drive the need to audit and will be the starting point for the scope discussion. Specifically, if you know what risks are driving the need for an audit, then the scope at a minimum will cover all the risks identified.

The detailed assessments and analysis of risk should include a review of the following:

  • IS threats and vulnerabilities

  • Operational dependencies and efficiencies

  • Legal and regulatory requirements

  • Business goals and objectives

Depending on the risk, the frequency of audits varies. Controls over critical systems might need to be monitored more often than noncritical controls. In higher-risk situations, automated or continuous audit tests might be considered.

Before performing an audit, the auditor should first define the audit scope. The scope includes the area or areas to be reviewed as well as the time frame in which to complete the review. Experienced auditors know it's just as important to define what will not be audited as what will be. Risk often drives these decisions to include or exclude areas of concern. Most importantly, the higher risks should be covered. Risk rankings must also account for likelihood: if one item appears to carry a slightly higher risk but has a very low likelihood, and another carries a slightly lower risk but a much higher likelihood, the one with the higher likelihood would typically take priority. If the scope is not clearly defined, scope creep occurs, likely increasing the auditor's workload. Scope creep is a term common to projects where the plans or goals expand beyond what was originally intended.
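As an added illustration (not part of the original text) of the audit cycle and the likelihood-weighted prioritization described above, the following Python script scores a constructed audit universe by impact times likelihood, treats an entity as due when it has never been audited, when its cycle has elapsed, or when its current score crosses an assumed elevated-risk threshold, and fills one year's plan up to a capacity limit. The entity names, scales, threshold, and capacity are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

CYCLE_YEARS = 5      # each entity gets full coverage once per cycle (three to five years is the norm)
ELEVATED_RISK = 12   # assumed threshold: a score at or above this forces a re-audit inside the cycle


@dataclass
class AuditableEntity:
    name: str
    impact: int                  # 1 (negligible) .. 5 (severe)
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    last_audited: Optional[int]  # year of the last audit, None if never audited


def risk_score(e: AuditableEntity) -> int:
    """Impact weighted by likelihood: a likely moderate item outranks an unlikely severe one."""
    return e.impact * e.likelihood


def is_due(e: AuditableEntity, year: int, cycle: int = CYCLE_YEARS) -> bool:
    """Due if never audited, if the cycle has elapsed, or if current risk is elevated (cycle override)."""
    if e.last_audited is None or year - e.last_audited >= cycle:
        return True
    return risk_score(e) >= ELEVATED_RISK


def plan_audit_year(entities: List[AuditableEntity], year: int,
                    capacity: int) -> Tuple[List[str], List[str]]:
    """Fill this year's plan from due entities in risk order; the rest are deferred (documented as out of scope)."""
    due = sorted((e for e in entities if is_due(e, year)),
                 key=lambda e: (-risk_score(e), -e.likelihood, e.name))
    scheduled = [e.name for e in due[:capacity]]
    deferred = [e.name for e in due[capacity:]]
    return scheduled, deferred


# Constructed sample audit universe (assumed values, not taken from the text)
UNIVERSE = [
    AuditableEntity("Data backups", impact=5, likelihood=4, last_audited=2022),  # likelihood raised by ransomware
    AuditableEntity("Identity and access", impact=5, likelihood=3, last_audited=2019),
    AuditableEntity("Patch management", impact=3, likelihood=4, last_audited=None),
    AuditableEntity("Change management", impact=4, likelihood=1, last_audited=None),
    AuditableEntity("Physical access", impact=2, likelihood=2, last_audited=2021),
]

if __name__ == "__main__":
    in_scope, out_of_scope = plan_audit_year(UNIVERSE, year=2024, capacity=3)
    print("In scope:", in_scope)
    print("Deferred:", out_of_scope)
```

Note that "Data backups" is only two years into its cycle yet is scheduled first, while "Physical access" is skipped because it is neither past its cycle nor elevated in risk.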

The audit objective, or the goal of the audit, is to ensure the identified risks are being appropriately managed by the organization. Scope and objective are closely related. For the audit to be effective, the scope must consider the objectives of the audit. Defining the scope requires identifying the relevant deployed controls that mitigate the risks identified. Time is another consideration that depends on the objective. The depth and breadth of an audit usually determine the time frame required to meet the objectives.

When defining the scope, the auditor should consider the controls and processes across the auditable entities of IT infrastructure. This includes relevant resources such as the following:

  • Data

  • Applications

  • Technology

  • Facilities

  • Personnel

Auditors need to ensure the scope is sufficient to achieve the stated audit objectives. Restrictions placed on the scope could seriously affect the ability to achieve the stated objective. Examples of restrictions that an organization may place on an auditor that could have such a negative impact include the following:

  • Not providing enough resources

  • Limiting the time frame

  • Preventing the discovery of audit evidence

  • Restricting audit procedures

  • Withholding relevant historical records or information about past incidents

Planned audit activities also have a defined rate of occurrence, known as the audit frequency. There are two approaches to determining audit frequency. Audits can occur on an annual basis or every two or three years, depending on regulatory requirements and the determined risk. Alternatively, IT audits are known for not following a predefined frequency, instead using a continuous risk-assessment process. This is more appropriate given the fast pace of change in technology as well as in the threats and vulnerabilities related to IT.
