Anders is an officer of ISO/IEC JTC1 SC27 - the ISO committee
responsible for the ISO/IEC 27000-series and other standards
on Privacy, Cyber Security and more, since 2002.
Anders Carlstedt - Examining a Career as an Auditor - Auditing experiences
1. EXAMINING A CAREER AS AN AUDITOR
PECB PARTNER EVENT IN SINGAPORE
2.
Anders Carlstedt
Managing Director PECB NORDICS
+46 738224090
anders.carlstedt@pecb.com
www.pecb.com
https://www.linkedin.com/in/anderscarlstedt/
3.
Master the context
Audit
ISO 19011, Clause 3.1
Systematic, independent and documented process for
obtaining audit evidence and evaluating it objectively to
determine the extent to which the audit criteria are fulfilled
In brief:
Auditing means asking the auditee
what he does, and checking to see if he does it
4.
What is an auditor?
Synonyms
• Accountant
• Bookkeeper
• Controller
• Actuary
• Investigator
• Assessor
• Questioner
• Bean counter
• Eavesdropper
Set and meet expectations
6.
(Reasonable) Assurance
• The auditor is looking to obtain reasonable assurance that the audited cybersecurity framework is free of erroneous material representation and of non-conformity
• An auditor cannot obtain absolute assurance
• The client expects a result
7.
Independence
ISO 19011, Clause 4e
Note: The auditor shall ensure independence of mind and the appearance of independence
(Diagram labels: Independent Auditors; ISMS Audit; ISMS Management; Management; Users; ISMS; Auditee)
8.
Focus and knowledge of Audit Criteria
ISO 19011, clause 3.2: set of policies, procedures or requirements used
as a reference against which audit evidence is compared
• ISO 9001
• HIPAA
• SSAE-16 (replacement of SAS 70)
• SOX
• ISO 27001
• NIST 800-53
• PCI-DSS
• WLA-SCS
• IT Baseline
• OECD Principles
9.
Master the landscape
ISO 19011, Clause 3.6 to 3.10
• Client: organization or person requesting the audit
• Auditee: audited organization
• Auditor: competent person conducting the audit
• Expert: person who provides specific knowledge or expertise to the audit team
• Audit team: one or more auditors conducting an audit, supported if needed by technical experts
10.
To know and respect your client…
The auditee: a relationship based on trust…
11.
What Audit?
• First Party Audit (internal): our organization audits its own systems
• Second Party Audit (external, supplier): our organization audits our supplier
• Second Party Audit (external, customer): our customer audits our organization
• Third Party Audit (external): our organization is audited by an independent organization
12.
Audit Approach Based on Risk
Audit Risks
1. Inherent Risk: risk that a significant defect arises in the management system without taking into account the processes and controls in place (risk related to the industrial sector)
2. Control Risk: risk that a significant defect is not prevented nor detected by an internal control of the organization
3. Detection Risk: risk that the auditor is not able to detect a significant defect during an audit
13.
Materiality
Definition
To limit audit risks and to obtain reasonable
assurance, the auditor must place the emphasis on
the processes and the systems deemed material
(synonym: critical)
14.
Maintain Focus…
Addressing risk and materiality is added value as well…
(Matrix: planned audit procedures by audit risk (low, medium, high) against materiality (low, medium, high). Low audit risk and low materiality call for less assertive planned audit procedures; as audit risk and materiality rise, the planned audit procedures become more assertive, with high audit risk and high materiality calling for the most assertive procedures.)
15.
Audit Objectives
• Opinion Audit: to receive advice and recommendations
• Pre-assessment Audit: to prepare for certification
• Certification Audit: to recommend certification or not