Continuing with this month’s theme on IT Assessments, we will pick up this week where we left off. Last week we looked at why you might want to consider an IT Assessment, discussed a framework for discussing and thinking about IT Assessments and introduced some terminology such that we can explore this area in more depth. This week, I am looking at how the IT Assessments are conducted and what an organization can expect in going through an Assessment. I’ll leave the tail-end of the discussion to things to consider when choosing who to provide such Assessments.
For the assessor, the forensics process starts prior to actually being on-site and starting the field work. A proper planning phase ensures that the right resources are made available on both sides – the assessor’s and the organization being assessed. Initial discussions and decision points need to focus around which type of assessment is going to be undertaken: Risk Assessment, Review or an Audit (An Introduction to IT Assessments). Another primary area for inquiry is the objectives and audience for the Assessment. It is important to understand the angle that the project will be evaluated on. For example, is the audience all internal? Are the stakeholders a financial institute and this Assessment is part of covenant requirements? Is this regulatory compliance? While this information won’t guide what is assessed, it might be important for the manner in which the findings are communicated.
If a Risk Assessment has not been performed and is not part of the scope of the current Assessment, then there are two alternative approaches to establishing the scope—embark on a pragmatic review that includes the things you know should be focused upon or choose a framework that encompasses enough to ensure that the areas of concern are captured.In last week’s blog we mentioned a couple such frameworks. Again, knowing what the objective of the Assessment is becomes important. For instance, if the goal is to ensure that your environment’s security risks have been shored up as best as possible, that information will drive the decision as to which framework(s) to adopt. Whereas if the objective is to ensure adequate controls around the financial systems to lower the risk of fraud, that too will drive the decision on framework. Once the scope is agreed upon, it’s time to move along.
How Much Time is this Going to Take for my Internal Staff?
You can expect that the assessors will likely be on-site or establish some form of contact whereby they have access to the resources (staff, devices/infrastructure, etc.) to complete the assessment. Whereas in the past this necessitated an on-site presence, the use of technology is changing the landscape and currently firms are offering the same or in some cases better assessments remotely through the use of tools like Skype, GotoMeeting and Microsoft Lync. I will treat these as the same and collectively will refer to this as “Field Work”. This is where the majority of the assessment is performed – the real-world observation as to what is really happening in your environment. In general, while the Field Work is being conducted, resources from the organization being assessed should plan that 10-25% of their day may be spent with the assessor – demonstrating procedures, playing liaison between other organizational resources, answering questions posed by the assessor and more. Depending on the scope of the assessment and the general volume of work to be conducted, you should also plan for the Field Work to be anything from 2 days within a small environment, to several weeks on a large environment, with most of the single-site assessments being around the 1-2 week timeframe.
For Risk Assessments, an organization can expect that direct interaction between the organization’s internal resources and those of the assessor will be a higher percentage of the total, when compared to Reviews and Audits. Since the assessor will be relying heavily upon background information, walkthroughs and interviews, this direct involvement is expected. The organization should ensure that the most appropriate Subject Matter Experts (SMEs) are available for the assessor and that adequate time is made available to thoroughly explore the areas of risk.
As discussed in last week’s blog, a Review entails the review of the control environment with the objective of critiquing the sufficiency of the controls – assuming that the controls are in-place and working. Again, the direct involvement of the organization’s SMEs may be higher in this area as compared to their involvement during a full Audit.
And finally, we arrive at the full audit. Most clients undergoing an audit find it ironic that the more stringent, more involved IT audit actually demands less amount of their staff’s direct involvement. Don’t get me wrong, there’s still a lot of interaction and go-between, but as a percentage, direct involvement with the assessor is lower. Since the essence of the audit is to actually test the control environment, it stands to reason that the majority of the effort (time, resources, man-power, etc.) is geared towards actually testing the controls. While organizations can move towards automated controls, a subset of controls will be manual – and therefore tested manually. However, the majority of the controls are likely to be system controls, which can be tested by an assessor in a more isolated manner (i.e. testing on the system versus requiring internal staff’s assistance). As such, it’s not a surprise that the majority of the time that an assessor is performing Field Work during an Audit, it involves little of the organization’s staff’s direct involvement.
Field Work Wrap-Up
Depending on the scope and depending on the number of locations being visited, all of the Field Work may be wrapped up in one visit (could be multiple days). There are times that several visits over the course of weeks is scheduled—allowing the assessor to perform some Field Work, digest that information, document it, review ramifications of the results and then return for follow-up testing. Make sure you understand the overall expectations on both sides for how the schedule on Field Work is going to be laid out.
Regardless, at the end of the Field Work we suggest that there is a formal closing meeting, whereby the organization’s stakeholders (IT, management, ownership and other interested parties) can hear first-hand what the findings (results) are. This closing meeting serves purposes on both sides.< For the organization being assessed, it provides some focused time to hear what the gaps are and to ask follow-up questions that will help to form a game plan for prioritizing and addressing the shortcomings. For the assessor, it helps ensure that the findings are accurate. It provides an opportunity to check on assumptions and ensure that there isn’t some other mitigating control in-place that wasn’t mentioned by the organization. This last point shouldn’t be underestimated. There are countless times when, even when asked directly, about additional controls something is not mentioned until the organization hears the actual feedback/results. The closing meeting gives an opportunity to the organization to place additional evidence in front of the assessor for consideration when there is a gap in controls. This additional evidence will likely be further tested to ensure that it is in-place and working as prescribed and that it will adequately address the organization’s risks appropriately.
The culmination of the scoping, planning and Field Work comes down to understanding the gaps between the “actual” environment and the “ideal” environment. Some level of distinction between the severity and prioritization of the findings should be established at this point (if not already). Since many times the stakeholders’ technical abilities vary considerably, there may be more than one report containing some of the same information. For example, one version of the report will go to non-technical upper-management for review and to understand the exposures, whereas a more technically-focused version is provided to IT so that they can act upon the findings and remediate the findings – the topic for next week’s entry.
By Damon S. Hacker, MBA, CCE, CISA,
President & CEO at Vestige Digital Investigations