Dalton, Walton, & Carlton, Inc. Project Plan: Audit
This document describes the IT audit project undertaken by auditors at Dalton, Walton, & Carlton
(DWC). It will define the project in phases with actions in both generic and specific terms.
Phase 1. Initiation
1.1 Formation and selection of audit team. Audit team members will be tentatively selected based
upon the type and expected goals of the audit. Strengths and weaknesses will be balanced and
targeted towards the type of audit. The goal is to pair one auditor with each functional area and a single
point of contact for that area, whether that contact is a manager or an experienced employee.
1.2 Initial meeting with DWC executive managers. The audit team will meet initially with DWC
management to introduce themselves and explain to management how the process works and the
overall goals of the audit. Auditors will lay out the audit project plan and discuss any anticipated
challenges and potential focus areas.
1.3 Business orientation. DWC managers will give an overview presentation to orient auditors to the
business and its operating environment. The overview will focus on general methods and processes.
1.4 Determine audit objectives. Audit objectives will be established to help guide and focus audit
events. Audit objectives will be refined in the planning phase when details and additional risks
become more evident.
Phase 2. Planning
2.1 High-Level (Strategic) Review. Review risk assessments, previous audit results, and strategic
policies/documents. These documents will reveal strengths and weaknesses along with risks. Once
risks are understood, the next review step will help reveal whether risks are mitigated or reduced by
established controls.
2.2 Tactical Review. Review procedures and process documents. Review tactical planning
documents. These reviews focus on processes and procedures in order to identify risks that remain
and pose the greatest potential for problems. Both internal and external control requirements and
regulatory requirements are reviewed. The remaining risks identified here become the focus areas for auditors.
2.3 Determine review areas. These focus areas determine the nature and order of audit review
actions. This is the point where the audit plan is refined to become a plan of action. Both the audit
team and the management team will agree on the audit execution plan before beginning the execution
phase.
Phase 3. Execution
3.1 Process orientation. Assessors focus on how processes function and analyze systems, data flow,
security, operating procedures, and metrics. This review is also likely to uncover controls and may be
performed simultaneously with the next step; however, the next step focuses specifically on controls and risks.
3.2 Control orientation. Assessors focus on controls during control orientation, whether they are
procedural, regulatory, or technical. They will use the review areas determined in Phase 2 and guide
their efforts towards risk-based issues. Auditors will try to identify weaknesses and problems with
existing controls. They will also review logs, checklists, and records as necessary.
3.2.1 Auditors will focus on the following areas, which present increased risk:
- Software patching and updating
- Wireless network security
- Antivirus/malware protection
- Login security, both at the workstation and remote; password reset processes
- Physical asset security
- File security, permissions, and access rules
- Non-company (vendor) site access
- Security training, initial and refresher
While these focus areas are high priority, other areas will be reviewed as discoveries are made
during the audit. Random sampling will also be conducted on areas deemed low risk, primarily to
ensure they remain low risk.
3.3 Issue Discovery & Validation. Potential issues will be listed and described. Auditors will seek to
validate issues and determine issue severity in conjunction with DWC. This phase may involve
testing, detailed analysis, interviews, or simple sampling of tested materials. Once an issue is
validated, the audit team will seek to determine its risks and residual risks.
3.4 Solution Development. The audit team and DWC personnel will develop potential resolutions to
the discovered issues. Because solution development is an overarching effort, potential solutions will be
narrowed to a single course of action for each actionable finding in the monitor/control phase. Solutions will focus on the
risks, especially the net effect of each solution and the potential residual risk. Each identified action and
its corresponding resolution will generate an action plan.
3.5 Report Drafting. The audit team generates the first draft report. The solutions are also drafted into
the report, and the team will seek management coordination before moving on to the last phase.
Phase 4. Monitor/control
4.1 Solution Development (conclusion). The final results will be compiled with the action plans,
including milestone-based timetables. The solution plan will be coordinated among stakeholders and
management. Final approval will be sought before producing the final audit report.
4.2 Final Audit Report Issuance. The final audit report will be generated and include signatures of
audit leaders and the Dalton, Walton, & Carlton managers.
4.3 Effect Solutions. DWC will work towards solutions and resolution of each item on the audit
report according to the established action plans. Progress will be mapped against milestones, and
follow-up reporting will be conducted in the next phase. Progress on each action plan will also be
summarized in a semi-annual audit follow-up report in the next phase.
4.4 Issue Tracking. Auditors will provide assistance as needed and verify that the corrective actions
follow established timelines and meet milestones. Any changes will be coordinated with the audit
team. Progress will be annotated and reported along with the semi-annual audit follow-up report.
This report will be coordinated and signed by DWC management and audit managers. Follow-up
audit checks will be conducted as necessary when fixes are completed or before the audit is closed.
Phase 5. Closure
5.1 Solution Completion. When all solutions are complete, or the associated risks have been mitigated, accepted, or
transferred, a final audit check of identified items will be conducted. This check is a simple review
of the actions necessary to ensure compliance and closure of each problem.
5.2 Closure Report. When all solutions have been finalized in the previous step, a final closure
addendum report will be compiled summarizing all actions taken, the expected residual risk,
and the concurrence of auditors and managers. The next tentative audit will be scheduled based upon
DWC's needs and established timelines after completion of identified items. The final report will be
issued with the concurrence of the audit manager and DWC management and will project the
expected next audit date.