
Anders Carlstedt - Examining a Career as an Auditor - Auditing experiences

Published on

Anders has been an officer of ISO/IEC JTC1 SC27, the ISO committee
responsible for the ISO/IEC 27000-series and other standards
on privacy, cyber security and more, since 2002.

Published in: Education

  1. Examining a Career as an Auditor. PECB Partner Event in Singapore.
  2. Anders Carlstedt, Managing Director, PECB Nordics. +46 738224090, anders.carlstedt@pecb.com, www.pecb.com, https://www.linkedin.com/in/anderscarlstedt/
  3. Master the context. Audit (ISO 19011, Clause 3.1): systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. In brief: auditing means asking the auditee what he does, and checking to see if he does it.
  4. What is an auditor? Synonyms: accountant, bookkeeper, controller, actuary, investigator, assessor, questioner, bean counter, eavesdropper. Set and meet expectations.
  5. The perception of the auditor: https://youtu.be/PGIrZz93wSU
  6. (Reasonable) assurance
     • The auditor is looking to obtain reasonable assurance that the audited cybersecurity framework is free of erroneous material representation and of non-conformity
     • An auditor cannot obtain absolute assurance
     • The client expects a result
  7. Independence (ISO 19011, Clause 4e). Note: the auditor shall ensure independence of mind and the appearance of independence. [Diagram: independent auditors perform the ISMS audit; ISMS management, management and users make up the ISMS auditee]
  8. Focus and knowledge of audit criteria (ISO 19011, Clause 3.2): set of policies, procedures or requirements used as a reference against which audit evidence is compared. Examples: ISO 9001, HIPAA, SSAE-16 (replacement of SAS 70), SOX, ISO 27001, NIST 800-53, PCI-DSS, WLA-SCS, IT Baseline, OECD Principles.
  9. Master the landscape (ISO 19011, Clauses 3.6 to 3.10)
     • Client: organization or person requesting the audit
     • Auditee: audited organization
     • Auditor: competent person conducting the audit
     • Expert: person who provides specific knowledge or expertise to the audit team
     • Audit team: one or more auditors conducting an audit, supported if needed by technical experts
  10. To know and respect your client... The auditee: a relationship based on trust...
  11. What audit?
     • First party audit (internal): our organization audits its own systems
     • Second party audit (external): our organization audits our supplier, or our customer audits our organization
     • Third party audit (external): our organization is audited by an independent organization
  12. Audit approach based on risk. Audit risks:
     1. Inherent risk: risk that a significant defect arises in the management system without taking into account the processes and controls in place (risk related to the industrial sector)
     2. Control risk: risk that a significant defect is neither prevented nor detected by an internal control of the organization
     3. Detection risk: risk that the auditor is not able to detect a significant defect during an audit
  13. Materiality. Definition: to limit audit risks and to obtain reasonable assurance, the auditor must place the emphasis on the processes and the systems deemed material (synonym: critical).
  14. Maintain focus... Addressing risk and materiality is added value as well. [Matrix: planned audit procedures are scaled by audit risk (low, medium, high) against materiality (low, medium, high), ranging from less assertive through assertive to more assertive]
  15. Audit objectives
     • Opinion audit: to receive advice and recommendations
     • Pre-assessment audit: to prepare for certification
     • Certification audit: to recommend certification or not
  16. Questions??
  17. Thank you!!
