Auditing Practices Overview


  • Santosh Kamane

    Helping organizations Secure Sensitive Data | vCISO | ISO 27001 & ISO 42001 Expert | Trainer | IoT Security | Medical and Automotive Security SME | Founder – Rivedix Technology Solutions

    34,356 followers

    Unfortunately, many organizations treat audits like a school exam they need to “pass”, not a tool to improve the security posture of the organization. The goal isn’t necessarily to fix the problems [or keep ignoring them until a real cyber-attack hits] but to tick boxes and get that stamp of “compliance”. In some cases, auditors are handed a narrowly defined scope, while conveniently forgetting to mention messy departments, high-risk projects, personal data processing areas, or sketchy vendor deals. In my experience as well, often, unless I deep dive into questions, many organizations downplay risks and don’t acknowledge the personal data processing risks. Auditors can’t check everything, so some companies serve up carefully curated samples. Example: for proof of endpoint security, share a screenshot of EDR on one of the machines. This could be a short-term win, long-term pain: these ignored risks can explode later as lawsuits, fines, or reputational disasters. When audits are rushed or superficial, trust in the system crumbles. Genuine audits demand transparency, empower whistleblowers, and actually fix what’s broken. Image courtesy: AI #audit #compliance #riskmanagement #soc2 #iso27001 #nist #grc #hipaa #itgc #itac

  • Waqar Ahmed - CIA, CISA, CFE, AAIA, PMP, MEF, S.

    Excellence Internal Audit Manager @ Public Investment Fund - PIF Owned Company

    9,938 followers

    Internal Audit Process:

    1. Planning Phase
    Objective: Establish a clear understanding of the audit subject and develop a roadmap (audit program) for executing the audit effectively.
    Key Activities:
    > Initial Contact & Information Gathering: Understand the size, responsibilities, and procedures of the audited unit.
    > Risk Assessment: Performed to identify high-risk areas for focus.
    > Audit Objectives & Methodology: Defined and documented through the audit program.
    > Notification Letter: Sent to leadership to inform them of the audit. May include a pre-audit questionnaire or document request list.
    > Entrance Meeting: Discuss audit scope and objectives. Explain methodology and timeline. Identify scheduling concerns (e.g., staff availability). Encourage input on known risks and areas of concern.

    2. Fieldwork Phase
    Objective: Evaluate internal controls, compliance, and operational effectiveness through testing and inquiry.
    Key Activities:
    > Testing & Documentation Review: Examine transactions, records, and procedures.
    > Staff Interviews: Conducted to gain deeper insights into practices and control execution.
    > Disruption Minimization: Work is coordinated to limit interference with operations.
    > Ongoing Communication: Frequent updates and discussions with audit clients.
    > Collaborative Analysis: Observations and issues are discussed with management to identify root causes and explore solutions.

    3. Reporting Phase
    Objective: Present audit findings, recommendations, and management’s corrective action plans in a formal written report.
    Key Activities:
    > Draft Report: Initially shared with local management for review.
    > Management Response: Required for each recommendation, including: action plan, responsible person, implementation date.
    > Exit Meeting: Held if needed to address concerns and clarify findings before finalizing the report.
    > Final Distribution: The final report is sent to Management and Boards.

    4. Follow-Up Phase
    Objective: Ensure that corrective actions are implemented effectively and that issues are resolved.
    Key Activities:
    > Verification Procedures: May involve document review, staff interviews, or re-auditing specific processes.
    > Ongoing Tracking: Open findings are tracked and presented at each Institutional Audit Committee (IAC) meeting.
    > Escalation for Delays: If action plans miss deadlines, the responsible party must submit a written explanation. Repeated delays require in-person explanation to the IAC.

  • Navin Pasricha

    Author of “Getting Ready to Roar” | Strategic Audit, Governance & Risk Advisor | Keynote Speaker | Guiding CAEs from Audit Room to Board Room

    6,883 followers

    Internal Audit: Value for Management or the Audit Committee?

    Internal auditors are frequently told to “add more value.” The harder question is this: value for whom? The answer is rarely clear. Instead, we hear familiar remarks like, "Internal audit is a cost centre," or "we need to be more commercial." These comments reveal uncertainty about who internal audit ultimately exists to serve.

    It is easy to focus on what management says. The more important issue is what auditors themselves internalise. When we adopt defensive language about being a cost centre, it shapes how we behave. It influences how firmly we express judgement and how confidently we challenge.

    Management may see value in cost efficiency and practical recommendations. An audit committee usually sees audit value differently. It looks for independence, clarity of judgement and early visibility of emerging risk and issues. Having served on audit committees for many years, I have seen where real value is recognised. Committees want stability and the absence of unpleasant surprises. They also value candour when issues are uncomfortable and clarity when risks are still forming and before they become real issues. Above all, they value independence of mind, because without it, assurance carries limited weight.

    When value is not consciously defined, the internal audit function drifts. Messages soften to preserve comfort and effort spreads across competing expectations. The function risks becoming agreeable rather than authoritative.

    Being a cost centre is not a weakness. Many essential governance functions are cost centres. Accounting, the Company Secretary and Human Resources do not generate revenue, yet no organisation can operate without them. Internal audit plays a similar role. It creates assurance value between management and the board. That value may not appear in profit figures, but its absence becomes clear when governance fails.

    Clarity about whom the function serves sharpens focus and judgement. Internal audit is mandated by the audit committee; that defines its primary accountability. This does not exclude value to management. Much of internal audit’s work benefits management directly. The two are not mutually exclusive. The distinction lies in where ultimate accountability sits. From that clarity, trust deepens. When the audit committee can rely on internal audit's independence of mind, internal audit moves beyond confirming controls and becomes a trusted source of judgement.

  • Richard Chambers

    Senior Advisor, Risk and Audit - Optro (7X Deloitte Fast 500 Company) | Chairman - UNICEF Audit Advisory Committee | Award-winning author and blogger

    48,773 followers

    Too often, internal auditors report what is easy to say and avoid inconvenient truths. Audit committees do not need comfort. They need candor. In my latest blog post, I focus on the quiet things internal auditors must be prepared to say out loud to the audit committee, especially when:
    • Management limits or interferes with internal audit’s work
    • Internal audit lacks the resources to meet stakeholder expectations
    • Organizational culture is elevating enterprise risk
    • Audit findings or conclusions are suppressed
    • Corrective actions are not prioritized or sustained
    These are not abstract concerns. From my experience, they are real, often recurring, and inevitably consequential. When they go unspoken, oversight weakens and risk grows. I welcome your thoughts. https://lnkd.in/eUKXVRbX

  • Marius Poskus

    Cybersecurity Executive @ Fintech | Cybersecurity Leader | Board Advisor | AI Security | mpcybersecurity.co.uk

    22,920 followers

    Passed SOC 2 audit with zero findings. Same week, got breached.

    Compliance ≠ Security. When will we learn this?

    What the audit said:
    ✓ Policies documented
    ✓ Training completed
    ✓ Access reviews performed
    ✓ Logs collected
    Conclusion: "Fully compliant"

    What the breach revealed:
    → Policies: Nobody followed them
    → Training: Click-through theater
    → Access reviews: Rubber-stamped
    → Logs: Collected but not monitored
    Reality: "Completely insecure"

    How both can be true:
    Compliance asks: "Do you have a password policy?"
    Security asks: "Are people using strong passwords?"
    Compliance: Documentation
    Security: Outcomes

    CEO: "We passed the audit!"
    CISO: "Audits check boxes. Attackers exploit gaps."
    CEO: "So the audit was worthless?"
    CISO: "It confirms we have processes. Not that they work."

    What the audit missed:
    MFA:
    Auditor: "Do you have MFA?"
    Us: "Yes" (available)
    Reality: 40% adoption
    Patching:
    Auditor: "Do you patch regularly?"
    Us: Shows policy
    Reality: 200+ unpatched critical systems
    Monitoring:
    Auditor: "Do you monitor logs?"
    Us: Shows SIEM
    Reality: Nobody reviews alerts

    The breach:
    Day 1: Weak password compromised (no MFA)
    Day 7: Exploited unpatched vuln
    Day 14: Data exfiltrated
    Day 30: We discovered it
    Every step should have been prevented by "compliant" controls.

    The root cause: We optimized for compliance, not security.
    → Built policies auditors want
    → Celebrated audit success
    → Ignored actual effectiveness
    Compliance became the goal. Security became secondary.

    What needs to change:
    Stop asking: "Will this pass audit?"
    Start asking: "Will this stop attackers?"
    Stop measuring: Process existence
    Start measuring: Security outcomes

    The new approach: Compliance as foundation, not destination.
    → Meet compliance ✓
    → Then ask: "Are we actually secure?"
    → Measure effectiveness
    → Test controls, don't just document

    Examples:
    Old: "We have security training" (compliance ✓)
    New: "Phishing click rate dropped 60%" (security ✓)
    Old: "We review access quarterly" (compliance ✓)
    New: "Removed 300 unnecessary accounts" (security ✓)
    Old: "We have IR plan" (compliance ✓)
    New: "Contained last incident in 2 hours" (security ✓)

    To auditors: Please:
    → Ask about effectiveness, not just existence
    → Sample actual implementation
    → Challenge checkbox responses
    → Help us be secure, not just compliant

    To CISOs: Compliance is necessary. But don't confuse necessary with sufficient. Passing audits while remaining insecure is the worst outcome.

    To leadership: Your SOC 2 certificate is a sales tool. It's not a security guarantee. Don't let it create false confidence.

    Have you ever been "compliant but insecure"? How do you balance compliance and actual security?

    SOC(k) game is strong, courtesy of Akeyless Security #cybersecurity #ciso #soc2 #compliance #security #audit #sales #technology #innovation #leadership

  • Poonath Sekar

    100K+ Followers I TPM l 5S l Quality l VSM l Kaizen l OEE and 16 Losses l 7 QC Tools l COQ l SMED l Policy Deployment (KBI-KMI-KPI-KAI), Macro Dashboards,

    108,555 followers

    PROCESS AUDIT CHECKLIST (COMMON POINTS) IN MANUFACTURING SECTOR:

    1. Process Control
    Are standard operating procedures (SOPs) available and followed?
    Is process capability (Cp, Cpk) monitored and within acceptable limits?
    Are control charts used for critical process parameters?
    Is there evidence of regular calibration of equipment and gauges?
    Are process changes documented and approved through change control?

    2. Material Handling & Storage
    Are materials labeled correctly (name, batch, status)?
    Is FIFO (First-In-First-Out) or FEFO (First-Expiry-First-Out) followed?
    Are storage conditions (temp, humidity) monitored and maintained?
    Are rejected or non-conforming materials segregated and labeled?

    3. Operator Competency & Safety
    Are operators trained and certified for the tasks they perform?
    Are safety PPEs being worn and used correctly?
    Are safety instructions and emergency procedures visible?
    Is there a system for reporting and investigating near-misses and incidents?

    4. Equipment Management
    Is there a preventive maintenance schedule and is it being followed?
    Are breakdowns recorded and analyzed for recurrence?
    Are start-up and shutdown procedures standardized?
    Are critical spare parts available and tracked?

    5. Quality Assurance
    Are in-process inspections conducted as per the control plan?
    Are inspection tools calibrated and used properly?
    Are quality issues tracked using root cause analysis tools (5 Why, Fishbone)?
    Are quality records complete and traceable?

    6. Production & Planning
    Is actual vs planned production tracked?
    Are downtimes recorded with reasons?
    Are the takt time, cycle time, and lead time monitored?
    Are WIP levels controlled and visualized (kanban, signage)?

    7. Waste Management & 5S
    Is workplace organization (5S) maintained?
    Are waste bins labeled and segregated?
    Are daily 5S audits conducted and actioned?
    Are there visible signs of lean practices (kaizen, visual boards, etc.)?

    8. Tooling & Fixtures
    Are tools and fixtures stored properly with visual controls?
    Are they identified and logged for use and maintenance?
    Is there a system for tool calibration and wear tracking?

    9. Documentation & Records
    Are process-related documents current and controlled?
    Are logs (production, quality, maintenance) filled accurately?
    Are version-controlled work instructions available at workstations?

    10. Environmental & Regulatory Compliance
    Are emissions, effluents, and noise levels monitored and controlled?
    Is compliance with environmental regulations documented?
    Are MSDS (Material Safety Data Sheets) available and up-to-date?

  • Jonathan Maharaj FCPA

    Founder | Strategic Finance Advisor | Profit, performance, and leadership in an age of AI

    27,015 followers

    I became an auditor to discover financial truth. An audit is a mirror to a company's reality. I learned this early in my career. Transactions are not just debits and credits. They are about people and their choices. Audits surface what culture tries to hide. Late reconciliations, rushed reviews, brittle controls. Behind each symptom is a habit. If we treat an audit like a fight, we lose the lesson. If we treat it like an opportunity, the company grows.

    Here are my 7 tips to help you prepare for an audit:

    1. Close cadence:
    ➞ Every task has an owner, a deadline, and reviewer.
    ➞ Have a clear plan so the audit starts on time.

    2. Reconciliations:
    ➞ Bank, ledgers, intercompany, inventory, payroll.
    ➞ Verify, explain, clear or escalate.

    3. Evidence on first click:
    ➞ Policies, contracts, approvals, and calculations.
    ➞ Saved with transactions for easy access.

    4. Cutoff discipline:
    ➞ Shipments, revenue, accruals, and provisions.
    ➞ Completed promptly with clear timestamps.

    5. Segregation of duties:
    ➞ Nobody does everything.
    ➞ Share tasks to lower collusion or fraud risks.

    6. Open door policy:
    ➞ Staff can flag pressure or errors without fear.
    ➞ Encourage proactive disclosure.

    7. Review within 72 hours:
    ➞ After close, capture errors and fix root causes.
    ➞ Prompt improvements save you time.

    When leaders do this, their audit costs reduce and trust increases. Run this ritual for your next audit and let me know how it goes. How do you keep better financial records?

    -------
    ➕ Follow Jonathan Maharaj FCPA for finance‑leadership clarity.
    🔄 Share this insight with a decision‑maker.
    📰 Get deeper breakdowns in Financial Freedom, my free newsletter: https://lnkd.in/gYHdNYzj
    📆 Ready to work together? Book your Clarity Session: https://lnkd.in/gyiqCWV2

  • Ayoub Fandi

    GRC Engineering Lead @ GitLab | GRC Engineer Podcast and Newsletter | Engineering the Future of GRC

    28,536 followers

    "Your controls exist. But do they actually work?" - A GRC reality check 📋

    Test of Design vs. Test of Effectiveness. Do you actually mitigate the risk the control objective intended to?

    What we're really good at proving:
    - ✅ MFA is enabled through SSO (but half your SaaS apps aren't using SSO)
    - ✅ EDR is installed (but you don't apply the rules that matter)
    - ✅ Access reviews happen quarterly (but revoking access is political)
    - ✅ Secrets rotation is configured (but the service accounts are excluded)
    - ✅ WAF is deployed (but everything's in monitor mode)
    - ✅ SAST is running (but all critical findings are "accepted")
    - ✅ Cloud monitoring exists (but alerts go to an unmonitored Slack channel)
    - ✅ Disaster Recovery Plan documented (annual test is crisis management theatre)

    The auditor sees: "Controls operating effectively"
    Compliance sees: "Controls existing effectively"
    Your security team sees: "Controls theoretically ineffective"
    Your engineers see: "At least I'm still admin on my local machine"

    The catch with automating evidence collection is that we can forget to check if the evidence proves anything beyond "a control exists". If your control testing is checking one thing, review if it's design or effectiveness. A well-designed control should also be more effective at mitigating a risk. You just don't want to check if MFA exists if the intent of the control isn't met, with everyone getting to prod through SSH. It's like having a fitness tracker that counts thinking about exercise as steps. #GRCEngineering

  • Santhanakrishnan S

    Managing Partner, PKF S&S LLP

    2,570 followers

    🔹 Quarterly Results: Governance or Pressure Cooker?

    Current rules around quarterly results have become a race against time, pushing management to prioritize speed over substance. This creates incentives to manipulate earnings, or worse, hide mistakes—defeating the very purpose of transparency. Should SEBI consider abolishing public quarterly results altogether or limiting them to confidential filings with regulators? Management bandwidth is consumed preparing accounts four times a year, and Audit Committees often receive financials too late to meaningfully review them. The rush creates unrealistic expectations: management has 365 days to operate but just a couple of days of real oversight each quarter. Instead, a biannual reporting regime could balance transparency with the need for quality. Allowing companies to publish audited accounts 30 days after finalization would give auditors and Audit Committees time for thorough review.

    🔹 Audit Committees: Form Over Substance?

    While corporate governance talks a good game, the reality inside many Audit Committees remains troubling. Accounts are often finalized overnight, delivered to committees at the last minute under the pretext of avoiding insider trading leaks. Meetings start late, run short, and are rushed—chairpersons need to leave for flights, auditors have 15 minutes to present, and critical committee reports get just a few minutes of attention. When non-accounting directors face mountains of standards and disclosures with no time to review, expecting effective oversight is unrealistic. How can Audit Committees truly fulfill their responsibility if they’re given less than an hour to review complex financials?

    🔹 Recommendations: A Bold Rethink

    ✅ Dispense with mandatory public quarterly results and limit filings to regulators.
    ✅ Allow Audit Committees to meet with adequate time—at least 48 hours’ notice with full access to financials.
    ✅ Consider scheduling meetings over weekends, so directors can review accounts without weekday time pressures.
    ✅ Track and disclose the number of times Audit Committees make material changes to financials; consistent ‘NIL’ adjustments can signal lack of diligence.

    If we genuinely care about investor protection, we must move beyond box-ticking. It’s time to bring substance to corporate governance—rebalancing regulation, removing unnecessary compliance burdens, and empowering Audit Committees to act effectively. To be continued…
