Creating audit questions involves a meticulous process of harmonizing methodologies to ensure consistency and clarity. The process is much more intricate than it initially appears. Here is a detailed explanation of how audit questions are developed:
Understanding the Components
An audit question such as "Are all of the network access points accounted for in the network inventory?" contains significant depth. Key elements include 'network access points' and 'network inventory.' To answer this, one must understand the organization’s policies regarding inventory and change management, controls on what should be inventoried, and how these inventories should be recorded. This involves correlating inventory records with the control and policy to ensure the evidence chain matches up.
Harmonization Process
The UCF team focuses on harmonizing methodologies rather than text to manage the complexity of audit questions. This approach reduces the number of unique audit questions to a manageable level by de-duplicating methods and focusing on the structure and evidence required to answer each question.
Methodology Breakdown
- Rephrasing for Clarity
Each audit question is reworded so that its answer is one of Yes, No, or N/A.
- Identifying Audit Artifacts
Various artifacts such as compliance documents, controls within documents, assets, configurable items, records, and roles are identified as supporting elements for the audit question.
- Ensuring Uniqueness
The team tracks each question's focus to ensure uniqueness, avoiding duplication. For instance, different phrasings of the same query are identified and unified under one method.
Sample Audit Question Format
The UCF audit question format might look like this:
"Examine a sample of Network Inventory records associated with the control entitled Identify and control all network access points [UCF CE ID 00529] in the Network Change Management policy. Comparing this to a sample of Network Access Points, does this verify the assets are listed in the records?"
Field Associations
Key elements in a UCF audit question include:
- Compliance Document (cDoc)
- Assets
- Control
- Default Answer
These elements are linked to their respective UCF IDs to maintain consistency and traceability.
Handling Variables
Certain audit questions contain variables such as timeframes or complexity levels that organizations can determine independently. These variables are denoted as "N{*}" and are agreed upon during the pre-questioning phase of the audit. A simple substitute command can replace these placeholders with the agreed-upon terms during the actual audit.
Structured Question Methods
Audit questions are categorized into methods like TEST, OBSERVE, EXAMINE, and INTERVIEW, each linked with evidence-based elements. For instance:
- Examine
Reviewing documents and records.
- Observe
Watching processes or roles in action.
- Interview
Asking stakeholders about processes and documentation.
Sample and Scope
The term "sample" in audit questions indicates that multiple instances of an artifact (e.g., records, assets, roles) are examined rather than a single instance. The process of scoping determines which items are in play for the audit.
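As an added illustration (not UCF's own tooling), the following Python models one question from the sections above: its field associations (cDoc, control, assets, default answer), the N{...} variable substitution agreed in pre-questioning, and the EXAMINE check that compares a sample of assets with the inventory records and yields Yes, No, or the default answer when nothing is in scope. The field names, the reading of "N{*}" as N{name}, the two variables, and all sample data are assumptions.

```python
import re
from dataclasses import dataclass

PLACEHOLDER = re.compile(r"N\{(\w+)\}")   # variables appear as N{name} (assumed form of N{*})

@dataclass
class AuditQuestion:
    """One audit question with its field associations (field names are assumed)."""
    method: str                 # EXAMINE, OBSERVE, INTERVIEW or TEST
    text: str                   # wording, may contain N{...} variables
    cdoc: str                   # Compliance Document holding the control
    control_id: str             # UCF CE ID the records are associated with
    asset_type: str             # asset class the sample is drawn from
    default_answer: str = "N/A"

    def render(self, agreed: dict) -> str:
        """Substitute the values agreed in pre-questioning for every N{...}."""
        unresolved = set(PLACEHOLDER.findall(self.text)) - set(agreed)
        if unresolved:
            raise KeyError(f"variables not agreed before the audit: {sorted(unresolved)}")
        return PLACEHOLDER.sub(lambda m: str(agreed[m.group(1)]), self.text)

def examine_inventory(q: AuditQuestion, sampled_assets: list, records: list):
    """EXAMINE: is every sampled asset listed in an inventory record linked to the
    question's control? Returns (Yes/No/N/A, assets missing from the records)."""
    if not sampled_assets:                  # nothing in scope -> default answer
        return q.default_answer, []
    listed = {r["asset_id"] for r in records if r["control_id"] == q.control_id}
    missing = [a for a in sampled_assets if a not in listed]
    return ("No" if missing else "Yes"), missing

# Constructed sample data (not from the page): two N{...} variables added to the page's question.
NAP_QUESTION = AuditQuestion(
    method="EXAMINE",
    text=("Examine a sample of N{sample_size} Network Inventory records (updated within "
          "the last N{timeframe} days) associated with the control entitled Identify and "
          "control all network access points [UCF CE ID 00529] in the Network Change "
          "Management policy. Comparing this to a sample of Network Access Points, "
          "does this verify the assets are listed in the records?"),
    cdoc="Network Change Management policy", control_id="00529",
    asset_type="Network Access Point")
RECORDS = [{"asset_id": "nap-01", "control_id": "00529"},
           {"asset_id": "nap-02", "control_id": "00529"},
           {"asset_id": "nap-03", "control_id": "00777"}]  # filed under another control
SAMPLE = ["nap-01", "nap-02", "nap-03"]

if __name__ == "__main__":
    print(NAP_QUESTION.render({"sample_size": 25, "timeframe": 90}))
    print(examine_inventory(NAP_QUESTION, SAMPLE, RECORDS))  # ('No', ['nap-03'])
```

The third sampled access point is recorded only under a different control, so the question answers No and names the asset the evidence chain does not cover.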
Evidence-Based Approach
UCF’s approach ensures that each audit question is evidence-based, linking audit queries to tangible elements like compliance documents, record examples, roles, metrics, events, and configured assets. This structured method ensures clarity and verifiability, crucial for maintaining audit integrity and reliability.
By following these methodologies, the UCF team creates robust and manageable audit questions that are clear, consistent, and verifiable, ensuring a thorough and evidence-based audit process.