diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 10.17.25.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 10.17.25.png new file mode 100644 index 0000000..70ce8a3 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 10.17.25.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 10.17.46.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 10.17.46.png new file mode 100644 index 0000000..d6eda20 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 10.17.46.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 12.27.59.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 12.27.59.png new file mode 100644 index 0000000..1f15336 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 12.27.59.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 12.48.16.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 12.48.16.png new file mode 100644 index 0000000..528daae Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 12.48.16.png differ 
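Review bot: the six `CleanShot 2026-06-08 at …png` screenshots added as binary files under `transcriptions/` are not linked or described anywhere in the visible markdown hunks, so they add repository weight with no searchable content; either reference each image from the transcription it belongs to (with alt text naming the slide it captures) or drop them from this commit. If they are kept, naming them after the session (the `S07.1-…` / `S07.2-…` pattern the markdown files already use) rather than the capture timestamp would make the association recoverable without opening the image.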
diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 13.27.02.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 13.27.02.png new file mode 100644 index 0000000..d9e3913 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 13.27.02.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 14.30.39.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 14.30.39.png new file mode 100644 index 0000000..abdd6b7 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 14.30.39.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S07.1-The-impact-of-trends-and-technology-in-auditing.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S07.1-The-impact-of-trends-and-technology-in-auditing.md index c290794..0dbe608 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S07.1-The-impact-of-trends-and-technology-in-auditing.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S07.1-The-impact-of-trends-and-technology-in-auditing.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S07.1 The impact of trends and technology in auditing 
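Review bot: flipping `processed: false` to `processed: true` in the S07.1 front matter declares the transcript finished, but the rewritten body in the same diff still carries the `ISO 270001` typo and repeated filler such as `the structuring structuring of the information`; either keep the flag at `false` until the body is clean or fix those slips in this commit. `isotags: []` is also left empty on a note that is now marked processed, which is worth a deliberate decision rather than an omission.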
@@ -17,4 +17,42 @@ This session examines how technology trends are transforming audit practices. Bi ## Transcription -Hi everyone, thank you for joining me. This is section seven for ISO 270001 Lead Auditor. This is the impact of trends in technology and auditing, and we're going to talk about big data The use of big data and audits, artificial intelligence, machine learning, and cloud computing, the use of artificial intelligence and audits. The impact of cloud computing and audits and auditing outsourced operations So the impact of technology and auditing, uh, technology makes auditing a whole lot simpler than it than it uh could be. The advances in technology are changing on a daily basis. In relation to operations of organizations around the globe. Companies that are wanting to make more money, be more efficient, they're all obviously always trying to figure out how they can add more technology to do so. Technology has also been an impact on the way audits are being conducted and data is being analyzed. The use of new technologies like audit tools and software contributes to the increase of the audit quality by providing tools that can help deal with large amounts of data. Tools that can increase the audit efficiency, tools that allocate more time to the audit analysis instead of more time to conduct some sort of technical tests because the tools take care of that. Tools help minimize costs and they can also help provide transparency. However, the use of new technology tools Can also present certain challenges. Data security and quality control are two important factors that have to be considered by organizations to ensure that their data used is reliable, complete, and accurate. Not only that, but also has to be safe, has to be protected. So we have the concept of big data. So the dictionary defines big data as an accumulation of data that's too large and complex for processing by traditional database management tools. 
If you're interested in artificial intelligence, this is going to be covered in the 42001 course, which is also hosted by PECB. And I'll talk about that later. Big data includes a large number of structured and unstructured data. So structured data is organized, easily reachable. Unstructured data cannot be organized in relational databases and are not easily reachable. So structured data can have a defined data model and are based on relational databases. So example of structured data could be like SQL databases, Microsoft Excel files. And so on. Unstructured data would be an example would be MongoDB, Mongo database. So remember the two differences, especially from the vendor standpoint. Structured data would be like SQL SQL, SQL Server, or Microsoft Excel, but I don't really view Excel as a database, but SQL databases. And then MongoDB would be unstructured data. The use of big data in audits, so technology tools for big data processing can be beneficial in that auditors Can easily identify data that is available and use it easily. Retrieve data that may be considered sensitive, design their program to manage big data better. Collect more qualitative audit evidence, gather data from different systems, and combine structured and unstructured data Big data technology is often used for data analytics as it provides a scalable infrastructure for storing, processing, and analyzing large and complex data sets. Data analytics involves analyzing and examining data to obtain valuable outputs that support organizations in making strategic decisions. Big data analytics enable the integration of different data types quickly and efficiently. 
So there's a variety of different things we can do in relation to big data, but If we want to optimize the value of data so we can implement various technologies, and some of those could be uh data management, so referring to the activities that are conducted to ensure the accessibility, reliability, and timeliness of information, including the gathering of that information, the structuring structuring of the information, verifying, securing, and so on of the information. Auditors can rely on data management technologies to gather and organize data from various sources to support the audit process. We can also have data mining and that refers to the process of analyzing data to identify patterns and relationships between events. In auditing, data mining technologies are used to identify anomalies and unusual patterns in financial transactions or other data. So in relation to data mining, there may or may not be that much involvement with uh 27001, depending on the type of client you're interacting with. Auditors, however, can use data mining to identify potential areas of risk, such as fraudulent activities or financial reporting. We can also have predictive analytics. Basically, we take the data, we look at it, we start to see trends, and we start to anticipate what could happen. So, the use of big data and audits. So, Microsoft Power BI is an example of a tool. So, Microsoft Power BI is a powerful tool that can be used by auditors to analyze data and identify patterns, trends. and anomalies. Auditors can use Power BI for the following aspects during an audit. So data analysis, visualization, data cleansing, collaboration, and monitoring. And we'll talk about those. But again, from the standpoint of big data and audits, and as well as structured and unstructured. So again, structured data would be like Microsoft SQL Server, unstructured data would be MongoDB. But from the standpoint of Microsoft, think Power BI. Now, artificial intelligence. 
So the dictionary defines artificial intelligence as the theory and development of computer systems Able to perform tasks usually requiring human intelligence, such as visual perception, speech recognition, decision making, and translation between languages So the interconnectivity fast data transfers that are now possible used to not be so possible through the usage of 5G and there's other technologies besides just 5G. Is expected to allow AI applications to become integral parts of our lives. AI is increasingly ubiquitous across industries. Some common applications of AI are banking, marketing, healthcare. autonomous vehicles and so on. So as it relates to AI, it's becoming more and more prevalent across uh various technologies. I just got a new iPhone 16. It's new to me, maybe not so new to everybody else. But one of the options when I set it up was include artificial intelligence uh uh upgrading some of the uh older iPhones to a current uh iPhone tech iPhone operating system that now allows for AI. There's numerous areas of AI that's now being included across the board. But it is important to understand that artificial intelligence solutions don't necessarily make the right decision the first time. They have to be trained. They have to understand. They have to learn. And so on. So there could be, for example, I saw a video Where a guy had a bunch of balloons on the wall and he said, track all the yellow balloons. And the camera moved all around, but it didn't really know what to do other than track the yellow balloons. And it but it knew what the color yellow was. So it was able to visually perceive the color yellow. It was visually or it was capable of understanding its directive, of tracking the yellow balloon But it didn't know what to do after that. 
There that had to be another command uh with a decision made by uh a human being I also don't want people to get the impression I I think most people across the planet have seen the Matrix movies or the Terminator movies or so on and so forth. Uh don't want people to think that it that uh artificial intelligence is to that level. It's it's it's not. So the use of artificial intelligence and audits, artificial intelligence is mostly applicable in the domain of information collection or collecting, which refers to data extraction, comparison, and validation processes. By leveraging AI-enabled technology, auditors can extract information from documents and use it more efficiently AI-based systems such as expert systems and neural networks can help auditors in their decision-making processes by addressing potential biases and omissions that could arise. In a manual decision process. The aim is to improve the overall quality of auditor judgment. So there's various technologies that can be used in conjunction with AI technologies To help collect and analyze data that could be used to facilitate the audit process. So, for example, we have the inductive language programming. It could be used in auditing to show patterns and anomalies in large data sets. as well as prepare a hypothesis based on data itself. We can have robotic process automation, which can be used to help automate repetitive tasks Mimicking iterative auditing tasks by identifying inconsistencies and outliers. Expert systems can be used to imitate the auditor's way of thinking to solve problems. Be very cautious about saying the word expert systems because again, artificial intelligence has to learn. You're not gonna flip a switch and they're gonna be as smart as a human being the very second it's turned on. Decision networks can help auditors make more informed decisions based on incomplete or uncertain data because we can predict what the data could be. 
And then artificial neural networks analyzing large data sets and identify patterns and relationships between different variables without any sort of other prior instruction. But again, that implies learning. AI applications for auditing, risk assessment of individual transactions, augmented audit interviews, and then augmented analysis. So we can perform risk assessments in relation to individual transactions by automatically assessing the accuracy and legitimacy of the individual transactions Without AI or without technology, this could be a labor-intensive process that's could be prone to human error, particularly for small businesses or small entities in general By using AI, the process can be improved, resulting in cost savings, not only to the company, but also increased profit because that reduces human effort, which means they can do other things. To generate revenue, as well as increase the quality of the auditing process itself. The AI-based risk assessment involves automatically detecting and flagging abnormal transactions. between accounts that are unrelated, infrequently used, or do not match the transaction detail. So this helps connect things that did not appear to be obvious independently Could help identify transactions that appear suspicious or fraudulent by looking at outliers as well as evaluating authorizations for transactions. In relation to the cybersecurity space for SIMS, security information event monitoring, a lot of the SIM solutions are actually implementing artificial intelligence to help identify suspicious or fraudulent activities. As a part of the outliers. 
We can also use AI to augment audit interviews, capture and analyze clients' verbal interactions, so basically their voice speech patterns and uh understand what they're saying, why they're saying, or maybe possibly pick up uh some other things, which could lead into an augmented analysis So if we're if we're able to augment the audit interviews and able to determine speech patterns and uh and so on in relation to the truthfulness or body language if there's visual recognition, then we might possibly be able to use artificial intelligence as a uh ability to analyze that and and augment it a little bit more We can also do an automated confirmation letter, automated data validation, and augmented physical observations. So automated confirmation letter to validate transactions and account statuses Auditors often need to automate or to communicate with external parties during the audit, such as creditors, debtors, customers, regulatory bodies. and so on, or law enforcement, or maybe shareholders. These validations commonly involve repetitive tasks such as selecting the accounts that should be verified, composing and sending the confirmation requests receiving and reading the response, updating the confirmation status, and so on. So all of that could be automated to save a lot of time for the audit team uh itself. By automating uh such processes, auditors can save time and resources. Nonetheless, there are some challenges associated with the use of this technology, such as the financial cost to even make it happen. If it's obviously if it's a smaller entity and the audit the confirmation letter is only gonna be to ten different entities, probably don't want to do that, but if you're looking at a hundred thousand, a million confirmation letters or whatever, you're probably much better off to figure out some way of automating all of it. 
Automated data validation prior to publishing the annual report of a of an entity, we could validate the accuracy and completeness of the numerical data in that report for that. uh entity that uh ought a T. And then also we can augment physical observations based on uh what uh artificial intelligence, how it's set up and how you're if if they even have a need for a physical observation of the oddity. \ No newline at end of file +Hi everyone, thank you for joining me. This is section seven for ISO 270001 Lead Auditor. This is the impact of trends in technology and auditing, and we're going to talk about: + +- Big data +- The use of big data in audits +- Artificial intelligence, machine learning, and cloud computing +- The use of artificial intelligence in audits +- The impact of cloud computing in audits +- Auditing outsourced operations + +So the impact of technology and auditing, uh, technology makes auditing a whole lot simpler than it than it uh could be. The advances in technology are changing on a daily basis in relation to operations of organizations around the globe. Companies that are wanting to make more money, be more efficient, they're all obviously always trying to figure out how they can add more technology to do so. + +**Advantages** +Technology has also been an impact on the way audits are being conducted and data is being analyzed. The use of new technologies like audit tools and software contributes to the increase of the audit quality by providing tools that can help deal with large amounts of data. Tools that can increase the audit efficiency, tools that allocate more time to the audit analysis instead of more time to conduct some sort of technical tests because the tools take care of that. Tools help minimize costs and they can also help provide transparency. 
+ +However, the use of new technology tools can also present certain **challenges: data security and quality control** are two important factors that have to be considered by organizations to ensure that the data used is reliable, complete, and accurate. Not only that, but also has to be safe, has to be protected. + +So we have the concept of big data. The Merriam-Webster Dictionary defines **big data** as an accumulation of data, that's too large and complex for processing by traditional database management tools. + +If you're interested in artificial intelligence, this is going to be covered in the 42001 course, which is also hosted by PECB. And I'll talk about that later. Big data includes a large number of **structured and unstructured data**. So structured data is organized, easily reachable. Unstructured data cannot be organized in relational databases and are not easily reachable. So structured data can have a defined data model and are based on relational databases. So example of structured data would be SQL databases and Microsoft Excel files (though I don't really view Excel as a database). Unstructured data would be like MongoDB. + +The **use of big data in audits**, so technology tools for big data processing can be beneficial in that auditors can easily identify data that is available and use it easily. Retrieved data that may be considered sensitive, design their program to manage big data better. Collect more qualitative audit evidence, gather data from different systems, and combine structured and unstructured data. Big data technology is often used for data analytics as it provides a scalable infrastructure for storing, processing, and analyzing large and complex data sets. Data analytics involves analyzing and examining data to obtain valuable outputs that support organizations in making strategic decisions. Big data analytics enable the integration of different data types quickly and efficiently. 
+ +So there's a variety of different things we can do in relation to big data, but if we want to optimize the value of data, we can implement various technologies, and some of those could be **data management**, meaning the activities that are conducted to ensure the accessibility, reliability, and timeliness of information, including the gathering of that information, the structuring structuring of the information, verifying, securing, and so on of the information. + +Auditors can rely on data management technologies to gather and organize data from various sources to support the audit process. We can also have data mining and that refers to the process of analyzing data to identify patterns and relationships between events. In auditing, data mining technologies are used to identify anomalies and unusual patterns in financial transactions or other data. Auditors can use data mining to identify potential areas of risk, such as fraudulent activities or financial reporting. We can also have predictive analytics. Basically, we take the data, we look at it, we start to see trends, and we start to anticipate what could happen. + +So, the **use of big data in audits**. Microsoft Power BI is an example of a powerful tool that can be used by auditors to analyze data and identify patterns, trends, and anomalies. Auditors can use Microsoft Power BI for the following aspects during an audit: data analysis, visualization, data cleansing, collaboration, and monitoring. + +Now, artificial intelligence. So the dictionary defines artificial intelligence as the theory and development of computer systems, able to perform tasks usually requiring human intelligence, such as visual perception, speech recognition, decision making, and translation between languages Interconnectivity, also through the availability of 5G and other technologies, is expected to allow AI applications to become integral parts of our lives. AI is increasingly ubiquitous across industries. 
Some common application areas of AI are banking, marketing, healthcare, autonomous vehicles and so on. +It is important to understand that artificial intelligence solutions don't necessarily make the right decisions the first time. They have to be trained. They have to understand. They have to learn. And so on. +The use of artificial intelligence in audits is mostly applicable in the domain of information collection (data extraction), comparison, and validation processes. By leveraging AI-enabled technology, auditors can extract information from documents and use it more efficiently. AI-based systems such as expert systems and neural networks can help auditors in their decision-making processes by addressing potential biases and omissions that could arise. In a manual decision process, the aim is to improve the overall quality of auditor judgment. +So there's various technologies that can be used in conjunction with AI technologies to help collect and analyze data that could be used to facilitate the audit process. So, for example, we have **inductive language programming**, which could be used in auditing to show patterns and anomalies in large data sets, as well as prepare a hypothesis based on data itself. We can have **robotic process automation**, which can be used to help automate repetitive tasks, mimicking iterative auditing tasks by identifying inconsistencies and outliers. **Expert systems** can be used to imitate the auditor's way of thinking to solve problems. Be very cautious about saying the word expert systems because again, artificial intelligence has to learn. You're not gonna flip a switch and they're gonna be as smart as a human being the very second it's turned on. **Decision networks** can help auditors make more informed decisions based on incomplete or uncertain data because we can predict what the data could be. 
And then **artificial neural networks** analyzing large data sets and identify patterns and relationships between different variables without any sort of other prior instruction. But again, that implies learning. + + +AI applications for auditing, risk assessment of individual transactions, augmented audit interviews, and then augmented analysis. So we can perform risk assessments in relation to individual transactions by automatically assessing the accuracy and legitimacy of the individual transactions Without AI or without technology, this could be a labor-intensive process that's could be prone to human error, particularly for small businesses or small entities in general. By using AI, the process can be improved, resulting in cost savings, not only to the company, but also increased profit because that reduces human effort, which means they can do other things. To generate revenue, as well as increase the quality of the auditing process itself. The AI-based risk assessment involves automatically detecting and flagging abnormal transactions. between accounts that are unrelated, infrequently used, or do not match the transaction detail. So this helps connect things that did not appear to be obvious independently. It could help identify transactions that appear suspicious or fraudulent by looking at outliers as well as evaluating authorizations for transactions. +In relation to the cybersecurity space for **SIMS**, **Security Information Event Monitoring**, a lot of the SIM solutions are actually implementing artificial intelligence to help identify suspicious or fraudulent activities. As a part of the outliers. We can also use AI to augment audit interviews, capture and analyze clients' verbal interactions, so basically their voice speech patterns and understand what they're saying, why they're saying, or maybe possibly pick up uh some other things, which could lead into an augmented analysis. 
So if we're if we're able to augment the audit interviews and able to determine speech patterns in relation to the truthfulness or body language, then we might possibly be able to use artificial intelligence as an ability to analyze that and and augment it a little bit more. +We can also do an automated confirmation letter, automated data validation, and augmented physical observations. So automated confirmation letter to validate transactions and account statuses. Auditors often need to automate or to communicate with external parties during the audit, such as creditors, debtors, customers, regulatory bodies. and so on, or law enforcement, or maybe shareholders. These validations commonly involve repetitive tasks such as selecting the accounts that should be verified, composing and sending the confirmation requests receiving and reading the response, updating the confirmation status, and so on. So all of that could be automated to save a lot of time for the audit team uh itself. By automating such processes, auditors can save time and resources. +Nonetheless, there are some challenges associated with the use of this technology, such as the financial cost to even make it happen. If it's a smaller entity, and the audit the confirmation letter is only gonna be to ten different entities, you probably don't want to do that, but if you're looking at a hundred thousand, a million confirmation letters or whatever, you're probably much better off to figure out some way of automating all of it. +Automated data validation prior to publishing the annual report of a of an entity, we could validate the accuracy and completeness of the numerical data in that report for that auditee. And then also we can augment physical observations based on uh what uh artificial intelligence, how it's set up and how you're if if they even have a need for a physical observation of the auditee. \ No newline at end of file 
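Review bot: the rewrite bolds two mis-transcribed terms and thereby cements them as the canonical text: `**SIMS**, **Security Information Event Monitoring**` is SIEM (security information and event management), and `**inductive language programming**` is inductive logic programming, the AI technique the slide lists; both should be corrected while the paragraph is being restructured. Three further regressions in the same hunk: `Retrieve data that may be considered sensitive` became `Retrieved data`, breaking the list of auditor benefits; the clause split after "biases and omissions that could arise" now attaches "in a manual decision process" to the following sentence, whereas the removed text reads it as the end of the preceding one; and `ISO 270001` survives from the old text. On fidelity, the new text names `The Merriam-Webster Dictionary` where the speaker only said "the dictionary", and it silently drops spoken passages (the data-mining aside about 27001 relevance, the iPhone 16 and yellow-balloons anecdotes, the Matrix/Terminator remark); if the file is meant to be a transcription, the front matter should say it is an edited transcript, otherwise keep those passages.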
diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S07.2-The-impact-of-trends-and-technology-in-auditing.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S07.2-The-impact-of-trends-and-technology-in-auditing.md index b777515..36441ef 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S07.2-The-impact-of-trends-and-technology-in-auditing.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S07.2-The-impact-of-trends-and-technology-in-auditing.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S07.2 The impact of trends and technology in auditing 
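Review bot: `processed: true` is set for S07.2, but the replacement transcription for this file (the `@@ -17,4 +17,68 @@` hunk that follows) shows only its removed lines in this diff, so the finished state cannot be confirmed from what is visible; hold the flag until the added body can be reviewed. As with S07.1, `isotags: []` stays empty even though this session covers cloud services and outsourced operations, which are exactly the areas the Annex A supplier-relationship and cloud-service controls address, so tagging it would make the note findable from the standard side.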
@@ -17,4 +17,68 @@ This session distinguishes between artificial intelligence and machine learning, ## Transcription -We're gonna get a little bit more into this, uh, but again, from the standpoint of artificial intelligence, machine learning. and so on. If you're really interested in this or you want to learn a whole lot more, highly suggest you take the PECB course for 42,001, which will provide a lot more information rather than just a few slides. So machine learning and artificial intelligence are sometimes mistakenly used interchangeably, although they do not represent the same thing. So AI encompasses a broader concept of machines that have the capacity to mimic a human being, whereas the main purpose of machine learning is to enable computers to learn automatically. Okay, so just to be clear, even though AI has a capability to mimic a human being, the AI has to understand what it means to be a human being in order to mimic it. So there it's not a light switch where you turn it on and it automatically works. In machine learning, the processor is given the entry data, and the machine solves the problem by applying various methodologies. Some of the essential algorithms that are used utilized by machine learning are linear regression. logistical regression and decision tree. So the two types of machine learning that's important to understand are supervised and unsupervised Supervised machine learning is used in context of classification and regression. So algorithms used in supervised machine learning including logistic regression, support vector machines, and so on. The aim of both classification and regression is to find the structure of the input data so that it can produce accurate output data. Unsupervised machine learning includes clustering, representation learning, and density estimation. Groups data based on output. So algorithms used in unsupervised machine learning include autoencoders, principal component analysis, and clustering. 
And then the cluster method is, or cluster analysis is the most common method. So again, if you're interested in uh artificial intelligence machine learning, you really want to take the 4200-1 course as well. There's also cloud computing. This is uh uh something that's been in use for several Seems like at least a couple decades by now. Cloud computing is a delivery of computing services like servers, storage, databases, networking, and processing power. So in general, cloud computing delivers a service of some sort over the internet to the auditee or to you as the customer. There's different categories of uh of uh cloud services or cloud computing. So we have infrastructure as a service or IAAS. So that delivers servers with CPU, memory storage, and so on. And it allows customers to directly access the virtualized hardware. So you could think of Microsoft, Azure, where you're building a virtual server. That would be infrastructure as a service. Platform as a service. Is a complete development and deployment environment in the cloud. It allows developers to scale their cloud resources according to the needs such as CPU cores, memory, and storage. And then we also have software as a service, which is the applications are hosted by the provider and delivered through the web. This allows providers to offer a cloud service to run existing online applications Multiple users can access the same application while the user's data and sessions are isolated from others. So a good example of software as a service would be like uh uh Microsoft O365, where you're accessing the platform itself. We are accessing Outlook through through the browser or maybe G Suite or Gmail. That would be software as a service. So there's uh traditional levels or levels of integration in relation to uh cloud computing. You should sort of understand uh the concepts behind these. So you have traditional IT and that's pretty much the no cloud computing at all. 
What that means is that uh you as the IT team or the auditee. Would be responsible for everything. And as the auditor who is auditing, the auditee, if they had no cloud computing, then you would have a lot of different areas to audit. So then we get into infrastructure as a service. So for example, there we have less management that we personally have to care about. And we've offloaded some of the responsibility like the storage, the network, the server's virtualization, and so on. We've offloaded that to the hosting provider. Then we also have platform as a service where more and more is offloaded to the hosting provider and the only thing we care about is the application and the data. And then there's even more, software as a service. Again, Gmail is a perfect example of software as a service, or O365 from Microsoft Where you pretty much just use it as as you need to. But they manage everything else on the back end to make it work. Practical approaches for auditors in cloud adoption. The revolution of various organizations brought about by cloud computing necessitates careful consideration. of substantial associated risks. So a few methods auditors use effective to effectively handle the possible challenges that could come out of this are risk assessment and adjustment Inventory of cloud activities, roles and responsibilities, clarification, timely involvement, internal training initiative, and a team-focused approach So all of those come together from the practical approaches for auditors and cloud adoptions. If the uh an auditor is going to uh audit a client or an auditee that has cloud Solutions, then or even if they don't have cloud solutions, auditors should ask the client, do you have any cloud solutions in use? It could be anything. For example If uh if they're a G Suite uh company, uh they should ask them, hey, do you have any cloud solutions that you're using? 
And if they say, yeah, we use G Suite, okay, they should declare that to the auditor so the auditor can understand it. But also as a part of that, the auditor needs to understand the risks of involving that cloud hosting provider of some sort. What are the risks? And if a company is going to migrate to the cloud, then they need to that company needs to understand the risks and possibly do a risk assessment. And if the auditor is showing up right after that, or possibly right before that That might be something that the auditor asks the auditee, have you done a risk assessment in relation to the transition? What's your risk? And if there's a problem, what are you going to do about it? Outsourcing operations. Um, first off, if you're using a cloud service, you are actually outsourcing something Organizations can select or identify potential controls from any standard or source, like legislation, industry best practices. that it deems appropriate and applicable. Organizations can also outsource different kinds of services like payroll, technical support, HR, and so forth It's very common for uh corporations to outsource something, uh if not one thing, but a whole lot of things. The company ADP, which does payroll transactions in the United States, maybe globally, but they do payroll transactions, a lot of corporations outsource that function of payroll to ADP. So you can outsource responsibility. So in this case it's outsourcing payroll to ADP. uh meaning that ADP has to pay the people, but you can't outsource accountability. And that's important to understand when it comes to ISMS or cybersecurity. So organizations outsource in order to reduce their costs, become more efficient, and focus on crucial operations So again, it's very common to outsource. It could be a variety of different things. Payroll is certainly possible. Technical support is possible. Security operations, forensics. 
uh cybersecurity in general, human resources, all of that could be outsourced and it's totally applicable. In the case of GDPR, for example, It it literally states in there you can outsource the role of the data protection officer to a third party, provided that they have the same amount of authority. uh to perform their duties uh per GDPR requirements. So auditing the outsourced uh operations, the process of auditing outsourced operations Involves the following steps. This is not just these steps, but basically the understanding of them. Reviewing and evaluating the organization processes for monitoring the quality of their outsourced operations. So how good are they going to do? Do you have SLAs in the contract? Verifying if contractual requirements are met So again, contractual requirements, whatever they are. In some cases, uh in most cases, if you're outsourcing something that's cloud-based. . It's not unreasonable to think that the company is going to require what's known as 5. . 9s. So 99. 999 uptime of that outsourced cloud-based solution Determine whether appropriate governance processes are in place with regard to the engagement of outsourced persons or organizations So are they safe to do business with? Uh do they actually do what they say they're going to do? Do they have to report to anybody? Do they have to be certified in 27,000 one as well? And then reviewing and evaluating the organization's plans in case of expected or unexpected termination of the outsourced agreement. Again, this goes into risk and vendor due diligence, but uh in relation to outsourcing, it's always a suggestion for a company if they've outsourced something. Find a backup in case that primary uh outsourced hosting provider uh goes under, goes out of business, uh decides to, you know, maybe they get a breach or something, who knows? 
But it's always good to have a backup plan And as a part of that, it's important that the auditor uh gather enough audit evidence regarding contractual agreements between the auditee and the outsourced hosting provider to validate that the the out the auditee has done their vendor due diligence to make sure that they've done what they said they were going to do and that the outsourced hosting provider is safe to do business with. So this could be done a variety of different ways, conduct interviews with persons or persons responsible to uh you know check on the vendors or the suppliers. Uh but it could also be done by looking at the evidence that a uh a uh internal person within the auditee firm, like, okay, did you check this company? Yes. They had a SOC two and ISO twenty seven thousand one. Okay, show them to me. So they can see it. If the uh internal person for the auditee has the material or possibly a risk assessment sheet for that uh outsource per uh outsource company, then it can demonstrate to the auditor that uh proper vendor due diligence was being done. So this is the section summary summary. We're almost over with this one. Technology allows auditors to work more efficiently by minimizing time and costs. Thus, they increase the audit quality. Big data includes a large volume of structured and unstructured data Remember structured data would be think Microsoft SQL SQL. Unstructured data, think uh MongoDB. The Merriam-Webster Dictionary defines big data as an accumulation of data that's too large and complex for processing by traditional database management tools. Artificial intelligence encompasses a broader concept of machines that have the capability or capacity to mimic a human being. Machine learning is related to AI, but they are not interchangeable. The goal of machine learning is to let computers learn automatically. 
Cloud computing includes the delivery of hosted services over the internet, software as a service, infrastructure as a service, platform as a service are all there. Outsourcing is the practice of hiring a third party, which could be a human being, a person, or an organization, to perform activities, tasks, and provide services for the organization. Again, if you're interested in more learning more about artificial intelligence or machine learning, highly suggest you take the ISO 42001 course. With that, I want to thank everybody for your time. I will see you on the next one. \ No newline at end of file +### Artificial intelligence + +Machine learning and artificial intelligence are sometimes mistakenly used interchangeably. AI encompasses a broader concept of machines that have the capacity to mimic a human being, whereas the main purpose of machine learning is to enable computers to learn automatically. +In machine learning, the processor is given the entry data, and the machine solves the problem by applying various methodologies. Some of the essential algorithms that are utilized by machine learning are linear regression, logistical regression and decision tree. + +There's **supervised** and **unsupervised** machine learning. + +**Supervised machine learning** is used in the context of classification and regression. Algorithms used in supervised machine learning include logistic regression, vector machines, and so on. The aim of both **classification** and **regression** is to **find the structure of the input data** so that it can produce accurate output data. +**Unsupervised machine learning** includes **clustering, representation learning, and density estimation**. This groups data based on output. Algorithms used in unsupervised machine learning include autoencoders, principal component analysis, and clustering. Cluster analysis is the most common method. If you're interested in artificial intelligence machine learning, you want to take the 4200-1 course. 
+ +### Cloud computing + +There's also **cloud computing**. This is something that's been in use for several decades by now. Cloud computing is a delivery of computing services like servers, storage, databases, networking, and processing power over the internet. There's different categories of cloud services, or cloud computing. + +![](CleanShot%202026-06-08%20at%2010.17.25.png) + +So we have **IaaS**: infrastructure as a service. IAAS delivers virtual machines (servers with CPU, memory and storage), and allows customers to directly interact with the virtualized hardware. So you could think of Microsoft Azure, where you're building a virtual server. +**PaaS**, or platform as a service, delivers a managed platform for developing and deploying applications in the cloud. "It allows developers to scale their cloud resources according to their needs, such as CPU cores, memory, and storage" (*this is what the course tells us*). +And then we also have **software as a service**, where applications are hosted by the provider and delivered through the web. This allows providers to offer a cloud service to run existing online applications. Multiple users can access the same application while the user's data and sessions are isolated from others. Good examples of software as a service would be Microsoft365, Outlook, G Suite or Gmail. + +A simple way to remember it: + +- **IaaS** → “Rent infrastructure” +- **PaaS** → “Rent a development platform” +- **SaaS** → “Use finished software” + +![](CleanShot%202026-06-08%20at%2010.17.46.png) + +So there's traditional levels or levels of integration in relation to cloud computing, and you should sort of understand the concepts behind these. In traditional IT the auditee would be responsible for everything. With infrastructure as a service, some of the responsibility, like the storage, the network, the server's virtualization, and so on, has been offloaded to the provider. 
Then we also have platform as a service, where the only thing we have to care about is the application and the data, and the rest is offloaded to the provider. With software as a service, the provider manages the whole stack. + +### Practical approaches for auditors in cloud adoption + +The revolution of various organizations brought about by cloud computing necessitates careful consideration. of substantial associated risks. So a few methods auditors use to effectively handle the possible challenges that could come out of this are: + +- risk assessment and adjustment +- Inventory of cloud activities +- roles and responsibilities clarification +- timely involvement +- internal training initiative +- team-focused approach + +Auditors should begin by asking the client if they have any cloud solutions in use. Also, the auditor needs to understand the risks of involving any, or any specific, cloud hosting provider. And if a company is going to migrate to the cloud, then that company needs to understand the risks, and possibly do a risk assessment. And if the auditor is showing up right after that, or possibly right before that That might be something that the auditor asks the auditee, have you done a risk assessment in relation to the transition? What's your risk? And if there's a problem, what are you going to do about it? + +"Organizations can select or identify potential controls from any standard or source, like legislation, industry best practices, that it deems appropriate and applicable". + +Organizations can outsource different kinds of processes like payroll, technical support, HR, and so forth. You can outsource a business process, technical support, security operations, forensics, and cybersecurity in general: you can outsource responsibility, but you can't outsource accountability. 
+In the case of GDPR, for example, it it literally states that you can outsource the role of the data protection officer to a third party, provided that they have the same amount of authority to perform their duties per the GDPR requirements. +### Auditing outsourced operations + +If a company is using a cloud service, it is actually outsourcing operations. + +The process of auditing outsourced operations involves the following steps: + +- Reviewing and evaluating the organization's processes for monitoring the quality of their outsourced operations +- Verifying if contractual requirements are met +- Determining whether appropriate governance processes are in place with regard to the engagement of outsourced persons or organizations +- Reviewing an evaluating the organization's plans in case of expected or unexpected termination of the outsourcing agreement. + + So you have to look at + +The organization has to know how good the service provider is doing. Do they have SLAs in the contract? Is the provider delivering according to the SLA? Has there been due diligence to check if the persons or organizations are safe to do business with? Who are they reporting to? Do they have to be certified in 27001? What is going to happen at the end of the outsourcing agreement? Is there a backup when the provider goes out of business? What happens when they get a breach? +The auditor needs to validate that the auditee has done these things.This could be done a variety of different ways, conduct interviews with persons responsible, looking at the evidence, did they check for SOC 2 or ISO 27001? + +### Section summary +Technology allows auditors to work more efficiently by minimizing time and costs. Thus, they increase the audit quality. Big data includes a large volume of structured and unstructured data, too large and complex for processing by traditional database management tools. 
Artificial intelligence is the broader concept of machines that have the capability or capacity to mimic a human being. Machine learning is related to AI, but not the same: the goal of machine learning is to let computers learn automatically. Cloud computing includes the delivery of hosted services over the internet, software as a service, infrastructure as a service, and platform as a service. Outsourcing is the practice of hiring a third party to perform activities, tasks, and provide services for the organization. diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S08.1-Evidence-based-auditing.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S08.1-Evidence-based-auditing.md index 8b8d13f..256cb5e 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S08.1-Evidence-based-auditing.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S08.1-Evidence-based-auditing.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S08.1 Evidence based auditing 
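Review bot: In the S07.1 hunk the rewritten supervised-learning sentence drops a word that the removed transcript line had: `Algorithms used in supervised machine learning include logistic regression, vector machines, and so on.` should read `support vector machines`. The same section keeps the speech-to-text artifact `you want to take the 4200-1 course`, although the removed text and the section summary both call it the ISO 42001 course; use `ISO 42001` here too. Smaller cleanup points in the added text: `necessitates careful consideration. of substantial associated risks` has a stray period; `Reviewing an evaluating the organization's plans` should be `Reviewing and evaluating`; `it it literally states` doubles a word; `done these things.This could be done` is missing a space; `right before that That might be something` needs a sentence break; the indented fragment `So you have to look at` under the steps list is left dangling and should be finished or dropped; `### Auditing outsourced operations` follows the GDPR paragraph with no blank line, unlike the other headings; the practical-approaches list capitalizes only `Inventory of cloud activities`; `IaaS` and `IAAS` are mixed in one paragraph; and the two `![](CleanShot ...)` embeds have empty alt text, so a short description of what each screenshot shows would help the rendered page.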
@@ -17,4 +17,30 @@ This session introduces evidence-based auditing as defined in ISO 19011. Audit e ## Transcription -Hi everyone, thank you for joining me. This is section eight for ISO 27001 Lead Auditor, Evidence-Based Auditing We're going to talk about audit evidence, the different types of audit evidence, quality and reliability of audit evidence as well. So we're going to talk about the different types and how they interact with each other and their applicability. So 19011 clause 3. 9 defines audit evidence as records, statements of fact, or other information which are relevant to the audit criteria and verifiable. So audit evidence must be verifiable and can be either qualitative or quantitative. The uh the important thing about audit evidence is the verifiable part in relation to the actual evidence. So again, in a previous section we talked about Don't don't just take somebody's uh the oddity's word as fact. Uh you have to have some sort of way of validating the fact to prove that it's it's actually uh being done the way they say it is. So qualitative evidence. So that's the uh basically the concept of uh evaluating something from the standpoint of high, medium, and low. So for example, if uh if there's a risk of a breach, and we said it's a high risk of breach. then that that doesn't necessarily mean that there's going to be a breach, but there's the belief that it's a high risk as opposed to and that's qualitative As opposed to saying something like there's a 90% chance of a breach. If we said that, now we've qualified or we've quantified it with a number And generally, as an auditor or somebody who helps companies get ready for audit, I'm always a huge fan of quantitative evidence, especially when it comes to risk. So understand the difference between qualitative and quantitative. So different types of audit evidence. We have physical, mathematical, confirmative, technical. analytical, documentary, and verbal. 
And again, uh I hope everybody remembers when people say things, uh if it's possible to validate their their words, then you should absolutely do so. Don't don't assume that they're uh being uh a hundred percent truthful or accurate. So audit evidence does not have to be mutually exclusive either. So it's possible That you might have a uh a process, for example, with the within the audit T, and the process itself, just the mere existence of it, is audit evidence. But then the output of that process could be audit evidence for a completely different area. So it's possible to collect more than one type of evidence to uh determine the conformity or if somebody's the if the audit T is doing what they're supposed to be doing in relation to a particular uh control in the system So, for example, an external audit report is both a confirmative and documentary evidence. So we have an external audit that's confirming, but it's also documented, so it's documentary evidence The verification of the configuration of a firewall is not only physical because there's a firewall, it's also technical, but it's also analytical. And then an interview with a third party could both be confirmative and verbal. So we'll talk about physical evidence first out of that list we just had. Physical evidence is obtained through the observation or direct inspection of tangible elements. It is evidence that can be counted, inspected, examined, or observed. For example, the auditor can observe the physical access controls in the server room, or maybe the physical access controls to even get into the building. The auditor can observe the supporting utilities in the organization, and then the auditor could observe security measures across the board or maybe safety of human life measures Now, in relation to observation, it's important to understand that the auditor must observe it themselves. They can't take the uh the word that somebody else observed it and then just believe it. 
Observation is helpful in determining audit evidence for a particular kind of evidence because that allows for a faster response. So for example, If an auditor went to some sort of a shipping container for an organization because it's part of the inventory to make sure they're possibly counting inventory or whatever Or look inside the container to make sure that what's inside the container as listed on the packing slip is actually there. That would be an observation Other areas of observation could be walking into the building and observing how did you get inside the building? Do you have to register as a guest? Are there cameras? Are there badge entries? Are there turnstiles? There's all sorts of different things. We also have mathematical evidence. Mathematical evidence is obtained by validating the mathematical exactness of certain documents or records For example, the auditor can calculate the number of training hours relating to the ISMS provided to the personnel. They could also risk uh count the average time it takes to respond to an information security event or incident. as well as the number of nonconformities and corrective actions taken after each internal audit. Mathematical evidence is something I really like because It allows for numbers to be used. And why do we care about numbers? Because numbers can relate to percentages. Numbers can be related to dollars or revenue. So mathematical evidence is is really important from my standpoint as an auditor. Because it gives me a better understanding of the context of the organization. So for example, if we talk about training hours to the ISMS That are provided to people. I could say mathematically that you know each person went through three hours of training. There's a hundred people, so 300 hours of training was initially provided. I could even go so far as to say uh 52 phishing emails were sent out and uh 10% clicked the link or whatever, and then that 10% was uh provided with uh remedial training. 
So I like mathematical evidence a lot because it allows for a lot of different things. Obviously in financial audits, mathematical evidence is going to be utilized just to make sure that the numbers are right, but that makes sense. Uh how you use math as a part of uh mathematical evidence collection is really up to the auditor, but it's it's certainly uh something that could be done. Confirmative evidence, that is evidence that is obtained by the confirmation of a third party regarding one or more elements observed during the audit. Examples of confirmative evidence are the results of an intrusion test conducted by an external organization. So an external organization or intrusion test, think of that as penetration testing. Verbal statements by the external parties confirming that the organization has engaged in external communication activities. Now if you don't have verbal statements, you could have uh contractual statements that could mean uh something that along the same lines You could also have a prof professional certificate recognized by a recognized uh uh professional certification body So, for example, once you take this complete course and you pass the test and you apply for certification you'll get a professional certificate recognized by a certification body, which is PCB. So there's all sorts of different ways, but the important part in relation to confirmative evidence is it's done by a third party Not the people that you're actually auditing just by a third party. I like to use penetration tests as a really good example Because uh they're practically irrefutable. 
The the auditee, if you ask the auditee for examples of a penetration test or if it was even done, they're gonna hand you the same document that was handed to them So areas that can help in a auditee have an easier process for auditing is uh has to do with one of the uh other sections that we discussed, and that's dealing with the um outsourcing operations so or outsourcing services to a third party like payroll or uh onboarding and background checks and things like that So the reliability of confirmative evidence will depend on the reliability of the auditee in relation to the third party who provides the evidence. So a reputable third party is more reliable than a disreputable third party. This type of evidence is usually reliable if produced by an independent entity, so a third party, which should be external to the audite. So they're hired to come in and do a particular service or function or whatever. So, examples of mathematical evidence that could be used could be in the areas of competence. So, for example, if you had 10 people on your cybersecurity team But only three of them are certified in cybersecurity, then you could say your competence rate is 30%. Uh and the other s seven people on the team would have to get training in order to bring up that confirmative evidence And of course you wouldn't just assume they're certified, you would ask to see their certification papers. You could do segregation of networks showing that uh information services, users and groups are segregated. There's a variety of different ways you could come up with some sort of confirmative evidence. And as a part of that, you could even say, you know, a network drawing confirms that there is segmentation. There's also technical evidence characterized by the specific knowledge or expertise required to obtain it. This knowledge or expertise can be related to the organization, an activity, a process, a product, a service. or something else. 
Technical evidence is often, but not necessarily always, obtained with the help of a technical expert and requires conducting detailed inspections or observations of relevant operations. So again, in a previous section, we talked about competence of auditors. And I repeatedly said, if you're not fully aware of how to do something, then get a technical expert. As an auditor, you're not required to know every possible aspect of cybersecurity as a part of the audit itself, but you are expected to be able to contact people to help you out. So an example of technical evidence are number one, analysis of an IPS, so that's intrusion prevention system, analysis of IDS, intrusion detection system, and then analysis of a firewall, like maybe the access control lists. Or if there's a VPN, what VPN encryption is in use? Or how are they connecting? That could all be technical evidence So there's a lot of different ways. You can do the same, have that same concept with uh asking for configurations, uh password configuration uh for uh in uh uh Microsoft uh Active Directory or something, what's the minimum requirements? Just ask for a screenshot of that. That would be technical evidence. \ No newline at end of file +ISO 19011 clause 3.9 defines **audit evidence** as *records, statements of fact, or other information which are relevant to the audit criteria and verifiable*. So audit evidence must be verifiable, and can be either qualitative or quantitative. Verifiable, like we talked about earlier: don't just take the auditee's word as fact, but ask for a way of validating the fact to prove that it's actually being done the way they say it is. + +**Qualitative and quantitative evidence** +Qualitative evidence is basically the concept of evaluating something as high, medium, or low. Quantitative is when we attach a number to that, like saying there's a 90% chance of a breach. 
+ +### Types of audit evidence (1) + +There's physical, mathematical, confirmative, technical, analytical, documentary, and verbal audit evidence. They don't have to be mutually exclusive. So, for example, an external audit report is both confirmative and documentary evidence. The verification of the configuration of a firewall is not only physical, because there's a firewall, it's also technical and analytical. An interview with a third party could both be confirmative and verbal. + +**Physical evidence** is obtained through the observation or direct inspection of tangible elements. It is evidence that can be counted, inspected, examined, or observed. For example, the auditor can observe the physical access controls in the server room, or maybe the physical access controls to even get into the building. The auditor can observe the supporting utilities in the organization, and then the auditor could observe security measures across the board, or maybe safety of human life measures. Now, in relation to observation, it's important to understand that the auditor must observe it themselves. They can't take the word that somebody else observed it, and then just believe it. + +Observation is helpful in determining audit evidence for a particular kind of evidence because that allows for a faster response. So for example, If an auditor went to some sort of a shipping container for an organization because it's part of the inventory to make sure they're possibly counting inventory or whatever Or look inside the container to make sure that what's inside the container as listed on the packing slip is actually there. That would be an observation. Other areas of observation could be walking into the building and observing how did you get inside the building? Do you have to register as a guest? Are there cameras? Are there badge entries? Are there turnstiles? There's all sorts of different things. 
+ +**Mathematical evidence** is obtained by validating the mathematical exactness of certain documents or records. For example, the auditor can calculate the number of training hours relating to the ISMS provided to the personnel. They could also count the average time it takes to respond to an information security event or incident. Or the number of nonconformities and corrective actions taken after each internal audit. + +Mathematical evidence is something I really like, because it allows for numbers to be used. And why do we care about numbers? Because numbers can relate to percentages. Numbers can be related to dollars or revenue. So mathematical evidence is really important from my standpoint as an auditor. Because it gives me a better understanding of the context of the organization. So for example, if we talk about training hours to the ISMS That are provided to people, I could say mathematically that each person went through three hours of training. There's a hundred people, so 300 hours of training was initially provided. I could even go so far as to say 52 phishing emails were sent out and 10% clicked the link, and then that 10% was provided with remedial training. So I like mathematical evidence a lot because it allows for a lot of different things. Obviously in financial audits, mathematical evidence is going to be utilized just to make sure that the numbers are right, but that makes sense. How you use math as a part of mathematical evidence collection is really up to the auditor + +**Confirmative evidence** is evidence that is obtained by the confirmation of a third party, regarding one or more elements observed during the audit. Examples of confirmative evidence are the results of an intrusion test conducted by an external organization, like penetration testing, and verbal statements by external parties confirming that the organization has engaged in external communication activities. Confirmative evidence can only be provided by a third party. 
"The reliability depends on the reliability of the auditee, in relation to the reputability of the third party". + +Now if you don't have verbal statements, you could have contractual statements that could mean something along the same lines You could also have a professional certificate recognized by a professional certification body. So, for example, once you take this complete course and you pass the test and you apply for certification you'll get a professional certificate recognized by a certification body, which is PECB. So there's all sorts of different ways, but the important part in relation to confirmative evidence is it's done by a third party. Not the people that you're actually auditing, just by a third party. I like to use penetration tests as a really good example because they're practically irrefutable. If you ask the auditee for examples of a penetration test or if it was even done, they're gonna hand you the same document that was handed to them. So areas that can help in a auditee have an easier process for auditing is uh has to do with one of the uh other sections that we discussed, and that's dealing with the um outsourcing operations so or outsourcing services to a third party like payroll or onboarding and background checks and things like that. + +The reliability of confirmative evidence will depend on the reliability of the auditee, in relation to the third party who provides the evidence. So a reputable third party is more reliable than a disreputable third party. This type of evidence is usually reliable if produced by an independent entity, so a third party, which should be external to the auditee. So they're hired to come in and do a particular service or function or whatever. +So, examples of mathematical evidence that could be used could be in the areas of competence. So, for example, if you had 10 people on your cybersecurity team But only three of them are certified in cybersecurity, then you could say your competence rate is 30%. 
Uh and the other s seven people on the team would have to get training in order to bring up that confirmative evidence And of course you wouldn't just assume they're certified, you would ask to see their certification papers. You could do segregation of networks showing that uh information services, users and groups are segregated. There's a variety of different ways you could come up with some sort of confirmative evidence. And as a part of that, you could even say, you know, a network drawing confirms that there is segmentation. + +**Technical evidence** is characterized by the specific knowledge or expertise required to obtain it. This knowledge or expertise can be related to the organization, an activity, a process, a product, a service, or something else. Technical evidence is often, but not necessarily always, obtained with the help of a technical expert, and requires conducting detailed inspections or observations of relevant operations. + +So again, in a previous section, we talked about competence of auditors. And I repeatedly said, if you're not fully aware of how to do something, then get a technical expert. As an auditor, you're not required to know every possible aspect of cybersecurity as a part of the audit itself, but you are expected to be able to contact people to help you out. So an example of technical evidence are number one, analysis of an Intrusion Prevention System (IPS), analysis of an Intrusion Detection System (IDS), and then analysis of a firewall, like maybe the access control lists. Or if there's a VPN, what VPN encryption is in use? Or how are they connecting? That could all be technical evidence. So there's a lot of different ways. You can do the same, have that same concept with asking for configurations, password configuration in Microsoft Active Directory or something, What's the minimum requirements? Just ask for a screenshot of that. That would be technical evidence. \ No newline at end of file 
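Review bot: the paragraph added under Confirmative evidence that opens "So, examples of mathematical evidence that could be used could be in the areas of competence" mislabels its own example: the ten-people, three-certified, 30% competence-rate calculation is mathematical evidence, yet the following sentence says the other seven people "would have to get training in order to bring up that confirmative evidence", and the network drawing that "confirms that there is segmentation" is documentary or technical evidence, not a third-party confirmation. Suggest moving the competence calculation up under the Mathematical evidence heading and keeping only genuinely third-party items (external penetration test results, statements by external parties, certificates issued by a certification body) under Confirmative, or at minimum replacing "confirmative evidence" with "competence rate" in that sentence. Two smaller points in the same hunk: that paragraph is the only one not separated from its predecessor by a blank line (`+...or whatever.` runs straight into `+So, examples of mathematical evidence`), unlike every other paragraph in the file, and the paragraph beginning "Mathematical evidence is something I really like" ends without a full stop ("is really up to the auditor"). The new file also ends with "No newline at end of file"; add the trailing newline so later diffs of this file stay clean.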
diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S08.2-Evidence-based-auditing.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S08.2-Evidence-based-auditing.md index 8369dd6..35360e8 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S08.2-Evidence-based-auditing.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S08.2-Evidence-based-auditing.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S08.2 Evidence based auditing 
@@ -17,4 +17,59 @@ This session continues the evidence-based auditing topic by covering analytical ## Transcription -Analytical evidence is obtained by analyzing data and their variations to find their tendencies as well as potential deviations. Analytical evidence includes any evidence collected by statistical methods. So examples of analytical evidence are analysis of network access logs to detect deviations or exceptions. Sometimes, depending on the level of intelligence you have with your technology, that could be called outliers. And again, we talked about outliers in artificial, the section about artificial intelligence Analysis of information security incident reports. Analysis of a sample of worker competency tests to measure the understanding of the information security controls, or possibly the the uh pop quizzes or quizzes at the end of information security awareness training. Come up with some analysis based on that. So there's a whole lot of different ways you can analyze the evidence. Obviously, as an auditor, we want uh we desire that our Auditees are up to speed on uh on as many things as possible. So we expect high numbers as auditors. And if they don't have high numbers and you know, we need to come up with a corrective action plan. There's also documentary evidence. This is really the easy ones uh to deal with and you're certainly going to see this in a stage one portion of a ISO 27001 audit We'll talk about the stages in a different section. But documentary evidence is obtained by verifying any record or document that exists already. So for example, information security policy. or any policy relating to information security for that matter. It could be encryption or asset management, it could be development, it could be anything. But those written documents that could be used as documentary evidence. Statement of applicability, where you're stating exactly in 27001 what is applicable and what is not and why for each one. Documented procedures. 
And any other documented information that the organization views as necessary for the effectiveness of the ISMS? And then also super important ed evidence of the result of management reviews. We can't create uh evidence or reports or reporting in generals, things like that and not actually have management review it to to sign off and endorse it. If uh if management is not aware of cybersecurity, then that is actually not a good thing. Not only in relation to the audit, but it's not good in relation to the health of the entity itself So other areas of documentary evidence could be non-disclosure agreements, policies of any kind, possibly records of backup. uh backup, you know, backing up the data, as well as if you're going to do a backup, you have to do a restore. Other areas of documentary evidence could be a penetration test provided by a third party uh which which would also be confirmatory uh evidence. There's also verbal evidence, which is obtained during interviews with persons that have the necessary knowledge and responsibilities to perform the operations. That are being audited. So general discussions carried out during the audit could be viewed as verbal evidence, and then formal interviews conducted during the audit. However, I will point out Do not assume that your answers from a ver from an interview, the verbal evidence, are accurate. Verbal evidence is very unreliable. compared to actually seeing like the firewall access control lists or seeing a penetration test. It's unreliable And you will find that uh there will be one person that says one thing to this to a question and there will be a person that says something else to the exact same question. And that's generally because the co the organization is not in sync with each other. or that or one person just doesn't know. 
So there's a whole lot of different ways we can have verbal evidence, but it's also important to understand that verbal evidence could could be uh a tied uh tied to different areas like for example is your leadership and management are they behind uh deploying the ISMS do you have top-down support People could say yes. Uh leadership is totally behind it. But how would we prove that? So we can believe it, but if we had some sort of email from leadership saying We're deploying a 27,001 ISMS. Everybody needs to be on board and we expect full cooperation. That's better evidence than just saying yes, top-down management or top-down support is in place. Quality of audit evidence, audit evidence must be first appropriate and then sufficient. So we have evidence And you can see there it's it's a is the evidence appropriate? Is it relevant? And is it reliable? So is it is when I say relevant, is it relevant to the requirement? But then more importantly, is it reliable evidence? If it's unreliable evidence, then as auditors, we need to figure out how to make it reliable or get different evidence. Once we've done all that Then we can compare it to the control, to the requirement, and we can determine is it sufficient or not. And if of course, if it's not sufficient, then uh going circling backwards, taking a step back. We go find more s more evidence until it is sufficient. But we have to get to a point Whereas auditors, we are comfortable that the evidence provided for any particular control in 27001 is sufficient to meet that control. And if it's not sufficient then we uh have to you know ask for more. Uh reliability of audit evidence, so the main determining factors is objectivity of the evidence, the timing, independence of the source evidence collection techniques and then the internal control system. So objective evidence is based on facts and proof Not hearsay, not belief or anything else. It's based on facts and proof. And we want to make sure that is accurate. 
So an example of this. If we uh if we said, hey, do you have uh surveillance system, physical security, like cameras or something, we could go around and observe the cameras in place, but that doesn't mean the cameras are recording anything. We could then ask, well, let's see the the the screen where all the camera feeds are going into and if we saw that then we could even go so far as to say Uh hey, uh how long are you retaining the data, the video uh surveillance? So there's all sorts of different things that um That's could be based on. So the objectivity is it's the evidence is based on facts and proof that you can actually see There's also timing of the evidence. So if if we had something with timestamps on it, then uh that proves that the evidence is recent, then that's sufficient. If we have uh evidence that's Say evidence is only required once a year for something. Uh so provided it's within that year time period, technically it's supposed to be good. But if we can regenerate evidence that's closer to the actual audit, then that's even better. But we don't want to say if we have a requirement for evidence that's some kind of task that has to be done monthly, we don't want to submit evidence that's six months old for a task that's supposed to be done monthly Independence from the source is super important to make sure that the evidence is collected outside of how it was generated And then we also have to care about the evidence collection techniques. There could be a variety of different ways on that one. There's collecting evidence or creating evidence in relation to sampling and collecting it that way as well. There's all sorts of different ways. I believe there's other sections where there's evidence collection techniques are discussed in greater detail. There's also the internal control system That has to do with uh the evidence that's collected. Where is it stored? How is it tracked? Who's monitoring it? Who's approving it? 
Who's saying that this is sufficient enough Are other controls being monitored and adhered to? So there's a quite a variety of different ways of looking at audit evidence. We have verbal evidence, which we've already said is the least reliable Documentary evidence, which could be like a document itself, like a policy standard procedure, but it's written down and we assume that they're doing it right. Analytical evidence. Is uh analysis of evidence to come up with a determination of the uh analytics for whatever the evidence is around Technical evidence like configuration files or evaluating like a server password management uh complexity, things like that. confirmative evidence, uh something that confirms evidence as being accurate and realistic. Then we have physical and mathematical evidence, which we talked about, uh physical evidence could be uh like an you're observing something. of you personally observe it. You're physically observing it, whether it's like a a surveillance camera or maybe antivirus on the workstation, uh could be anything. And then mathematical evidence is calculating, uh coming up with a calculation of of the auditee's environment to figure out, you know, how things are So a good example that they provide here is for mathematical evidence, calculations of the number of auditees computers and the number of antivirus licenses acquired. So if you had a hundred computers, but if you only had 50 antivirus licenses, well you got a problem. And in this slide you can see um The uh the layout of the types of audit evidence least reliable is verbal. Don't believe that uh when somebody says this is the way we do things, don't believe that that's the way they do things The most reliable is physical and mathematical evidence. Alright, this is the summary for section eight. There's seven major types of audit evidence, physical, mathematical. Confirmative, technical, analytical, documentary, and verbal. Again, remember, verbal is the least reliable. 
Physical and mathematical is the most reliable Documentary is when they uh you're you actually see copies of administrative controls like policy standards, procedures, and so on. Any information that can be verified, measured qualitatively or quantitatively, and used to determine the audit findings can serve as evidence Remember qualifying something is a relative term like high, medium, and low. Quantitatively is a numerical term, like 90%, 100%. Audit evidence should be relevant, reliable, and sufficient to be considered acceptable. In relation to sufficient, remember again that if it's not sufficient, your job as an auditor you would go around and uh and basically uh request more evidence. So there is a quiz for this section, but this is a recording, so you'll have to do that on your own. Thank you. I'll see you on the next one \ No newline at end of file +### Types of audit evidence (2) + +**Analytical evidence** is obtained by analyzing data and their variations, to find their tendencies as well as potential deviations or exceptions. Analytical evidence includes any evidence collected by statistical methods. + +— note that mathematical evidence is obtained by *validating the mathematical exactness* of existing documentation. + +Examples of analytical evidence are analysis of network access logs, information security incident reports, samples of worker competency tests, or quizzes at the end of an awareness training. + +Sometimes, depending on the level of intelligence you have with your technology, those deviations or exceptions could be called 'outliers'. + +Obviously, as an auditor, we desire that our auditees are up to speed on as many things as possible. So we expect high numbers as auditors. And if they don't have high numbers, then they need to come up with a corrective action plan. + +**Documentary evidence** is obtained by verifying any record or document that already exists. + +So for example, any policy relating to information security. 
It could be encryption or asset management, it could be development, it could be anything. Those written documents could be used as documentary evidence. Statement of applicability, where you're stating exactly in 27001 what is applicable and what is not and why for each one. Documented procedures. And any other documented information that the organization views as necessary for the effectiveness of the ISMS? Also very important evidence is the result of management reviews. We can't create evidence or reports or reporting in generals, things like that and not actually have management review it to to sign off and endorse it. If management is not aware of cybersecurity, then that is actually not a good thing. Not only in relation to the audit, but it's not good in relation to the health of the entity itself. Other areas of documentary evidence could be non-disclosure agreements, policies of any kind, possibly records of data backup and restore. Other areas of documentary evidence could be a penetration test provided by a third party, which would also be confirmatory evidence. + +**Verbal evidence** is obtained during interviews with persons that have the necessary knowledge and responsibilities to perform the operations that are being audited. *Note that verbal evidence is relatively unreliable*. + +So general discussions carried out during the audit could be viewed as verbal evidence, and then formal interviews conducted during the audit. However, I will point out: do not assume that your answers from an interview, the verbal evidence, are accurate. Verbal evidence is very unreliable compared to actually seeing like the firewall access control lists or seeing a penetration test. It's unreliable And you will find that uh there will be one person that says one thing to this to a question and there will be a person that says something else to the exact same question. And that's generally because the organization is not in sync with each other. 
or that one person just doesn't know. So there's a whole lot of different ways we can have verbal evidence, but it's also important to understand that verbal evidence could be tied to different areas, like for example is your leadership and management behind deploying the ISMS, do you have top-down support? People could say yes, leadership is totally behind it. But how would we prove that? So we can believe it, but if we had some sort of email from leadership saying: we're deploying a 27001 ISMS, everybody needs to be on board and we expect full cooperation. That's better evidence than just saying yes, top-down management or top-down support is in place. + +### Quality of audit evidence + +![](CleanShot%202026-06-08%20at%2012.27.59.png) + +Audit evidence must be first **appropriate**, and then **sufficient**. + +Appropriate means **relevant** to the requirement, and **reliable**. + +So we have evidence And you can see there it's it's a is the evidence appropriate? Is it relevant? And is it reliable? So is it is when I say relevant, is it relevant to the requirement? But then more importantly, is it reliable evidence? If it's unreliable evidence, then as auditors, we need to figure out how to make it reliable or get different evidence. Once we've done all that Then we can compare it to the control, to the requirement, and we can determine is it sufficient or not. And if of course, if it's not sufficient, then we're taking a step back. We go find more evidence until it is sufficient. But we have to get to a point where as auditors, we are comfortable that the evidence provided for any particular control in 27001 is sufficient to meet that control. And if it's not sufficient then we have to ask for more. 
+ +The main determining factors for the reliability of audit evidence are: + +- Objectivity of the evidence +- Timing of the evidence +- Independence of the source +- Evidence collection techniques +- Internal control system + +**Objective evidence** is based on facts and proof, not hearsay, not belief or anything else. And we want to make sure those facts and proofs that are accurate. + +So an example of this. If we asked, do you have a surveillance system, physical security, like cameras or something, we could go around and observe the cameras in place, but that doesn't mean the cameras are recording anything. We could then ask, well, let's see the the the screen where all the camera feeds are going into, and if we saw that then we could even go so far as to say: how long are you retaining the data, the surveillance videos? So the objectivity is if the evidence is based on facts and proof that you can actually see. + +**Timing of evidence**. So if if we had something with timestamps on it, then that proves that the evidence is recent, then that's sufficient. If we have evidence that's only required once a year, then provided the document is from within that year time period, technically it's supposed to be good. But if we can regenerate evidence that's closer to the actual audit, then that's even better. But if we have a requirement for evidence of a task that has to be done monthly, we don't want to submit evidence that's six months old. + +**Independence of the source** is super important to make sure that the evidence is collected outside of how it was generated. + +**Evidence collection techniques**. There's lots of ways to collect or create evidence. There's other sections where that's discussed in greater detail. + +The **internal control system** influences the reliability: where is the collected evidence stored? How is it tracked? Who's monitoring it? Who's approving it? Who's saying that this is sufficient enough? 
Are other controls being monitored and adhered to? + +![](CleanShot%202026-06-08%20at%2012.48.16.png) +### Section summary + +So there's a quite a variety of different ways of looking at audit evidence. We have verbal evidence, which we've already said is the least reliable. Documentary evidence, which could be like a document itself, like a policy standard procedure, but it's written down and we assume that they're doing it right. Analytical evidence is analysis of evidence to come up with a determination of the uh analytics for whatever the evidence is around. Technical evidence like configuration files or evaluating like a server password management complexity, things like that. Confirmative evidence, something that confirms evidence as being accurate and realistic. Then we have physical and mathematical evidence, which we talked about, physical evidence could be like you're physically observing something, whether it's like a a surveillance camera or maybe antivirus on the workstation, could be anything. And then mathematical evidence is calculating, coming up with a calculation of the auditee's environment to figure out how things are. So a good example that they provide here is for mathematical evidence, calculations of the number of auditees computers and the number of antivirus licenses acquired. So if you had a hundred computers, but if you only had 50 antivirus licenses, well you got a problem. And in this slide you can see the reliability of different types of audit evidence. Least reliable is verbal. Don't believe that when somebody says this is the way we do things, don't believe that that's the way they do things. The most reliable is physical and mathematical evidence. + +Alright, this is the summary for section eight. There's seven major types of audit evidence, physical, mathematical, confirmative, technical, analytical, documentary, and verbal. Again, remember, verbal is the least reliable. Physical and mathematical is the most reliable. 
Documentary is when you actually see copies of administrative controls, like policy standards, procedures, and so on. Any information that can be verified, measured qualitatively or quantitatively, and used to determine the audit findings, can serve as evidence. Remember: qualifying something is a relative term, like high, medium, and low. Quantitatively is a numerical term, like 90%, 100%. Audit evidence should be relevant, reliable, and sufficient to be considered acceptable. In relation to sufficient, remember again that if it's not sufficient, your job as an auditor you would go around and uh and basically uh request more evidence. So there is a quiz for this section, but this is a recording, so you'll have to do that on your own. Thank you. I'll see you on the next one \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S09-Risk-based-audit.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S09-Risk-based-audit.md index 075a459..851878c 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S09-Risk-based-audit.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S09-Risk-based-audit.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S09 Risk based audit 
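Review bot: the rewrite of S08.2-Evidence-based-auditing.md (the @@ -17,4 +17,59 @@ hunk) leaves several transcript artifacts in the new text even though the same patch flips the file to processed: true. Under Verbal evidence: "It's unreliable And you will find that uh there will be one person that says one thing to this to a question". Under Quality of audit evidence: the paragraph "So we have evidence And you can see there it's it's a is the evidence appropriate? ... So is it is when I say relevant" only restates the two cleaned sentences directly above it ("Audit evidence must be first appropriate, and then sufficient." / "Appropriate means relevant to the requirement, and reliable.") and can be cut down to its last three sentences or dropped. Under Objective evidence: "we want to make sure those facts and proofs that are accurate". Under Timing of evidence: "So if if we had something with timestamps". In the summary: "your job as an auditor you would go around and uh and basically uh request more evidence". Suggest finishing the pass on those sentences before marking the file processed. Two structure points: the stand-alone dash-led line "note that mathematical evidence is obtained by validating the mathematical exactness of existing documentation" hangs between two paragraphs as a fragment; fold it into the Analytical evidence paragraph as a contrast sentence (the point is the analytical versus mathematical distinction) or make it a blockquote. And `+### Section summary` directly follows `+![](CleanShot%202026-06-08%20at%2012.48.16.png)` with no blank line, unlike the first image and every other heading in the file. Both the old and new versions end with "No newline at end of file"; add the trailing newline.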
@@ -17,4 +17,136 @@ This session explains the risk-based audit approach, covering three types of aud ## Transcription -Section 9 presents the type of audit risks discusses how to determine and evaluate the audit program risks and opportunity as per ISO 1911 and also introduces the concept of materiality and how to determine the materiality of a system. So looking at the audit approach based on risks. So there are a couple of um different audit risks That we can determine. First of all, we have the inherent risks. So the inherent risks really refer to the risks that despite that an internal control mechanism is active in the organization, a significant defect occurs in the management system. These defects are related to the industrial sector in which the oddity operates. Secondly, we have the control risk. A control risk refers to risks that have a that a significant defect will not be detected or prevented by the organization's internal control mechanism. These risks are obviously higher, according to auditors, in organizations that have ill-defined processes, and where those processes are mainly manual. In contrast, automated processes will have a lower risk of failure. If they are well configured. And lastly, you have a detection risk. Detection risk refers to a risk that a significant defect could not be detected. even by the auditor. In order to minimize such risks, auditors apply the audit principles based on risks. And we will go about talk about that in the later slides, or on materiality. Now, if we look at ISO 1911, that ISO standard gives us an explanation on risk. So risk is really an effect of uncertainty. So an effect is a deviation of what is expected, and that can be both positive or negative. And uncertainty is basically a state, even partially. Of deficiency of information related to understanding or knowledge of an event, its consequences, and its likelihood. 
So risks are often characterized by a reference to a potential event or consequences or even a combination by those. So understanding what risk is is obvious very important if you want to use an audit approach based on risk. Now If you look at an audit approach based on risk, we of course need to have a look at a couple of things. And there can be risks associated with a couple of things. There are risks and opportunity related to the context of the audity, so the organization that you're auditing, that can be associated with an audit program, and that can affect The achievement of the objectives of the audit. So there are a couple of things that need to be taken into consideration So there can be risks associated with the planning. For example, a failure to set relevant audit objectives and to determine the extent, the duration, location, or even a schedule of the audit. There can be risks associated with the resources. For example, you don't get enough time, the resources are not available, you didn't receive training to set up the audit program, or you don't know how to conduct an audit. There can be a risk associated with the audit team, selecting the right people, because you, for example, don't have people with the right competences to conduct an audit. There can be risks associated with communication. That there are ineffective communication controls. You don't have effective communication channels. Think about You're sending like 20 emails and there isn't a response coming back and perhaps the email address was wrong. So there might be issues with that. There might be risks associated with implementation So um an ineffective coordination of audits within the audit program or not considering information security and confidentiality There might be risks associated with the control of documented information. So might be the case that people don't know what information that is necessary. 
You can't process audit records to demonstrate the audit program effectiveness. So there might be risks associated with that. There might be is risks with monitoring, review and improving the audit program, so that there might be an issue with reviewing of ineffective monitoring of the audit program outcomes And of course, there might be risks with the availability and the cooperation of the auditee or the availability of evidence that has been sampled. So if you want to have an a sample done and you can't access the information or the information cannot be shown that obviously will pose a risk. So when looking at opportunities for improving that audit program, you can of course think about a couple of things. Firstly you can think about Having multiple audits in a single visit. You can minimize time and distance to traveling to another site. You might think about matching the competences of the audit team so that you have people that have a higher competence accompanied with somebody with who is less experienced and has less competence and you might also think in aligning audit dates with the availability of the audit key step which is uh usually the right way uh to go. So an auditor should um act as part of an assignment uh of an individual audit The risks and opportunities of the organization can be included. The core objectives for such an audit are I give assurance on the credibility of the risks and opportunities that uh were tracked in the identification process. So really understanding okay where are the risks coming from and what are the inputs that the organization uses um so that might be checking if there are external and internal uh issues the strategic uh direction of the organization did they get um input from interested parties, um are there potential sources like environmental aspects that have been taken into consideration. 
So really looking at the process if it's a valid process Secondly, an auditor should also check if the assurance that the risks that have been determined that they are managed in a correct way and also review how the organization addresses um its determined risks and uh opportunity. An audit of an organization's approach To the determination of risks and opportunities should not be performed as a standalone activity. So any review of your risk assessment process and the treatment should be implicit throughout the whole audit of a management system. Um especially when interviewing top management. What happens a lot of course is that um the risk assessment Is conducted by an ISMS manager and representatives of the organization, and that top management is isn't really involved. However, it's good practice to refer back to the risk management process because all of the controls should uh or most of the controls should be implemented based on risk. So looking at the risk assessment and understanding where the risks are coming from is a good practice to have that throughout the whole So the treatment, the including and the acceptance of a risk and what the organization determines, is of course based on judgment of the audit. If we look at mat reality, so um if you look at the uh definition of mat reality uh um in order to limit audit risks and obtain reasonable assurance The auditor must place emphasis on the processes deemed material to the oddity. So another word for material is of course critical. So you look at the critical processes of the oddity Information is of course considered material or critical if its omission or erroneous handling of statement can influence the decisions of the interested party. So the term materiality comes from accounting. It's not something that comes out of the world of information security, but it comes out of the financial world. 
Financial auditors usually measure materiality in monetary terms since what they audit is also measured in money. So it's normal that they measure that in monetary terms. term. So materiality really depends on the nature of the information and the seriousness of the error with within that particular circumstances of its emission or which something would go wrong. So, based on the oddity, the auditor, it's up to the auditor to really estimate the materiality threshold from which the interested parties could change their decisions concerning the oddity. So for example, if you would have an inventory loss of fifty thousand dollar undeclared or not detected by the auditor It would be non-material if the organization would make 10 billion US dollars revenue per year, but it would be material if that same organization would only make one million in revenue. So it's really based on What does the organization do? What is the impact? What are the interested parties to determine that materiality threshold? So that's really up to the auditor to determine that. Now, when determining the materiality of a system, there are of course a couple of factors that need to be considered First of all, you look at the cost of the process. What is the cost involved in material, software, potential licenses, or a combination of those? You look at the cost of the operation, like personnel, third-party general fees, combination of these again. What would be the potential cost of errors or non-conformities What are the resources that you need to conduct the process, of course? What are the conditions of service level agreements and costs of potential penalties? And what are the penalties in case of failure to conform legal, regulatory, and contractual obligations? So it's really um the combination of these six factors that make up that materiality threshold. 
So it's it's not something that an auditor does like on a P Sheet of paper to really come up with a calculated uh estimate, but it's something that based on um the experience of the auditor, based on uh understanding the context of the organization That auditors determine that materiality of a system. So materiality is of course very important when a process is really vital in achieving that organization mission. So In in determining or evaluating that materiality, the auditor should really consider what is the general level of error that is acceptable by management, but also what is acceptable by the certification body. So it's it's it's a combination of three things and what is acceptable by management, what is acceptable by the auditor and by the certification body. It might be the case I haven't seen it a lot though, but it might be the case that an organization decides that they are okay with a certain level of error, while um with common sense you would say, well, you're saying that because you want to get um through the audit in an easy way. So then you need to have a discussion about that. Or the possibility that small errors or small weaknesses would accumulate to um a materiality So evaluation of that materiality is really a question of professional judgment. So it's really based on the experience, the the context of the organization. So the auditor must really look at the general effect on the organization Now, when do you come up with that materiality of an audit? Well it's actually done throughout each step of the organization. So first of all, you have a couple of contact points with your odity. 
So you have usually your initial contact with the organization where you determine basically the duration of the audit based on inherent risks to the organization So that is where you check, okay, what is the sector that the organization is part of, what is laws and regulations, what are the number of workstations, what is the complexity of the sector system, how many employees do they have? So based on the inherent risks on the context of the organization, you make a first assessment of that In your stage one audit you will have a look at what are the key processes. So you will have a look at um your management system as such. So based on that You will have a look on okay, what are the processes that are now more material than others? So which are the ones that you really want to dive into in a stage two? So making that assumption on based on the initial contact, then checking that in the stage one will give input to your stage two audit where you will adjust the plan based on the materiality of Each process and asset. So basically, these three phases help you by determining the materiality and coming up with a detailed audit plan that will have a focus more on processes that have a higher materiality. So auditors um try to get basically a reasonable assurance that um yeah the audited management system is um free of uh erroneous material um representation and non-conformity. So the problem or the challenge with ISO twenty seven thousand one audits is that auditors are not able to obtain that absolute assurance that the audit conclusions reflect the reality because we always take samples so it's not a 100% uh check So in a ISO 27001 auditors, um auditors should be able to obtain that reasonable assurance That the ISMS as a whole conforms to the requirements as a standard, and it it's not the goal to achieve that assurance that each process is effective and in compliance with the standard requirements. course. 
So um there are limits of course uh to what an auditor can detect uh based on false material representation You cannot see you only have a limited set of time, so it might be that material might be false, that is not correctly. You cannot always see that there are issues in the internal processes. And you can also affect that several audit evidence is persuasive rather than conclusive. So there are limits of what you can see in an inter or in an uh in an audit based on ISO 27000 So in conclusion, the main types of audit risks are inherent control risks and detection risks An audit approach based on risks, consider the risks and opportunity of the audit that are related to the context of the audity. So you always look at the context of the organization. The main factors to consider when determining the materiality of a system include cost of operation, cost of the process, potential cost of errors or nonconformities, the resources needed for the process Conditions of service level agreements and penalties related to legal non-compliance. Materiality is evaluated at each step of the audit, meaning the initial contact, phase one and phase two audit And auditors cannot obtain absolute assurance that the audit conclusions reflect the reality. \ No newline at end of file +Section 9 presents the type of audit risks discusses how to determine and evaluate the audit program risks and opportunity as per ISO 1911, and also introduces the concept of materiality and how to determine the materiality of a system. + +### Risk-based audit approach + +So looking at the audit approach based on risks. So there are a couple of different **audit risks** that we can determine. 
+ +**Inherent risks** are related to the industrial sector in which the oddity operates, and occur despite an internal control mechanism being active in the organization + +**Control risk** refers to the risk that a significant defect could not be detected or prevented by the organization's internal control mechanism. They point to a significant defect in the management system. These risks are obviously higher, according to auditors, in organizations that have ill-defined processes, and where those processes are mainly manual. Automated processes will have a lower risk of failure – if they are well configured. + +**Detection risk** refers to the risk that a significant defect could not be detected, *even by the auditor*. In order to minimize such risks, auditors apply the audit principles based on risks. + +ISO 19011 explains risk as an effect of uncertainty. A deviation of what is expected, and that can be both positive or negative, is such an effect. And uncertainty is basically a state, of deficiency of information related to understanding, or knowledge of an event, its consequences, and its likelihood. So risks are often characterized by a reference to a potential event or consequences, or even a combination of those. So understanding what risk is, is obvious very important if you want to use an audit approach based on risk. + +Now If you look at an audit approach based on risk, we need to have a look at risks associated with a couple of things. There are risks and opportunities related to the context of the auditee, so the organization that you're auditing, **risks that can be associated with an audit program** and that can affect the achievement of the objectives of the audit. + +*The risks we're looking at here, are not the risks for information security of the auditee, but risks that can affect the audit from achieving it's objectives, i.e. 
to have a succesfull audit.* + +So there are a couple of things that need to be taken into consideration: + +![](CleanShot%202026-06-08%20at%2013.27.02.png) + +Risks associated with the **planning**. For example, a failure to set relevant audit objectives and to determine the extent, the duration, location, or even a schedule of the audit. + +Risks associated with the **resources**. For example, you don't get enough time, the resources are not available, you didn't receive training to set up the audit program, or you don't know how to conduct an audit. + +Risks associated with the **audit team**, selecting the right people with the right competences to conduct an audit. + +There can be risks associated with **communication**. That there are ineffective communication controls. You don't have effective communication channels. Think about You're sending like 20 emails and there isn't a response coming back and perhaps the email address was wrong. + +Risks associated with **implementation**. So an ineffective coordination of audits within the audit program or not considering information security and confidentiality. + +Risks associated with the **control of documented information**. So it might be the case that people don't know what information is necessary. You can't process audit records to demonstrate the audit program effectiveness. + +There might be risks with **monitoring, review and improving the audit program**, so that there might be an issue with reviewing of ineffective monitoring of the audit program outcomes. + +And of course, there might be risks with the **availability and the cooperation of the auditee** or the **availability of evidence** that has been sampled. So if you want to have an a sample done and you can't access the information or the information cannot be shown that obviously will pose a risk. + +### Opportunities for improving the audit program + +Firstly you can think about having multiple audits in a single visit. 
You can **minimize time and distance to traveling** to another site. You might think about **matching the competences** of the audit team so that you have people that have a higher competence accompanied, with somebody who is less experienced and has less competence, and you might also think in **aligning audit dates with the availability of the auditee's key staff**, which is usually the right way to go. + +The identification and management of the risks and opportunities of the organization, can be included in the assignment of an audit. + +The core objectives of such an audit are: + +- **establishing the credibility of the risks and opportunities** that were identified by the organization: where are the risks coming from, what inputs did the organization use to check for external and internal issues, the strategic direction of the organization, did they use input from interested parties, have environmental aspects been taken into consideration. +- establishing that the risks and opportunities **have been determined and managed in a correct way**. + +So in short, **validating the risk identification process and its outcomes**. + +"An audit of an organization's approach to the determination of risks and opportunities should not be performed as a standalone activity". So any review of your risk assessment and treatment process should be implicit throughout the whole audit of a management system, especially when interviewing top management. +What happens a lot of course is that the risk assessment is conducted by an ISMS manager and representatives of the organization, and that top management is isn't really involved. However, **it's good practice to refer back to the risk management process throughout the audit, because controls should be implemented based on risk.** So looking at the risk assessment and understanding where the risks are coming from is a good practice to have that throughout the whole audit. 
+ +### Materiality + +The definition of **materiality** is given as: + +*To limit audit risks and obtain reasonable assurance, the auditor emphasize the processes deemed material to the auditee.* + +And: + +*Information is considered material if its omission, or erroneous handling or statement, can influence the decisions of the interested parties.* + +Or in other words: **focus on critical processes and critical information**. + +The term materiality comes from accounting. It's not something that comes out of the world of information security, but it comes out of the financial world. Financial auditors usually measure materiality in monetary terms since what they audit is also measured in money. So it's normal that they measure that in monetary terms. term. So materiality really depends on the nature of the information and the seriousness of the error with within that particular circumstances of its emission or which something would go wrong. + +It's up to the auditor to estimate the materiality threshold, from which the interested parties could change their decisions concerning the auditee. So for example, if you would have an inventory loss of fifty thousand dollar undeclared or not detected by the auditor, it would be non-material if the organization would make 10 billion US dollars revenue per year. But it would be material if that same organization would only make one million in revenue. So it's really based on what the organization does, what the impact is, and what the interested parties are. It's up to the auditor to determine that threshold. + +### Factors to consider in determining materiality + +When determining the materiality of a (business) system, there are a couple of factors that need to be considered: + +- The **cost of the process**, like equipment, materials, software licenses, etc. +- The **cost of operation**, like personnel, third-party general fees, combination of these again. +- The **potential cost of errors or non-conformities**. 
+- The **resources needed to conduct the process** +- The **conditions of service level agreements** and the penalties of not meeting contractual obligations +- The **penalties related to legal non-compliance** + +The combination of these six factors makes up the materiality threshold. +Also consider the possibility that small errors or small weaknesses could accumulate to materiality. + +A process (or an asset) is material when it's **vital in achieving the organization's mission**. + +When evaluating materiality: + +- the auditor should consider what is **acceptable by management**, what is **acceptable by the auditor**, and what is **acceptable by the certification body** +- The auditor must consider the **general effect** on the organization +- evaluating materiality is a question of **professional judgment**. + +### The importance of materiality during the audit + +![](CleanShot%202026-06-08%20at%2014.30.39.png) + +Materiality is evaluated for each step of the audit! + +In your **initial contact** with the organization you **determine the duration of the audit based on inherent risks** to the organization (based on things like the sector the organization is active in, complexity of the sector system, relevant laws and regulations, number of employees, number of workstations, etc.) + +In the **Stage 1 audit**, you identify and prioritize the key processes to be audited, based on their materiality, and you plan the audit accordingly. + +During the **Stage 2 audit**, you adjust the plan based on the materiality of each process and asset. + +### Reasonable assurance + +Auditors cannot obtain absolute assurance that the audit conclusions reflect the reality. Auditors must therefore try to obtain **reasonable assurance** that the audited management system is free of erroneous material representation and non-conformities. 
+ +This applies to the ISMS as a whole: the auditor can not assure that each process is effective and in compliance with the standard's requirements. + + +--- + +So establishing the materiality is not something that an auditor does like on a sheet of paper to come up with a calculated estimate, but it's something that's based on the experience of the auditor, based on understanding the context of the organization, that auditors determine the materiality of a system. So materiality is very important when a process is vital in achieving the organization's mission. So in in determining or evaluating that materiality, the auditor should really consider what is the general level of error that is acceptable by management, but also what is acceptable by the certification body. + +It might be the case that an organization decides that they are okay with a certain level of error, while with common sense you would say, well, you're saying that because you want to get through the audit in an easy way. So then you need to have a discussion about that. Also consider the possibility that small errors or small weaknesses could accumulate to materiality. + +So evaluation of that materiality is really a question of professional judgment, based on experience and the context of the organization. So the auditor must really look at the general effect on the organization. + +Now, when do you come up with that materiality of an audit? Well it's actually done throughout each step of the organization. + +So first of all, you have a couple of contact points with your auditee. So you have usually your initial contact with the organization where you determine basically the duration of the audit based on inherent risks to the organization. So that is where you check, okay, what is the sector that the organization is part of, what is laws and regulations, what are the number of workstations, what is the complexity of the sector system, how many employees do they have? 
So based on the inherent risks on the context of the organization, you make a first assessment of that. + +In your Stage One Audit you will have a look at what the key processes are. So you will have a look at um your management system as such. So based on that You will have a look on okay, what are the processes that are now more material than others? So which are the ones that you really want to dive into in a Stage Two? +So making that assumption on based on the initial contact, then checking that in the stage one, will give input to your stage two audit where you will adjust the plan based on the materiality of each process and asset. + +So basically, these three phases help you by determining the materiality and coming up with a detailed audit plan that will have a focus more on processes that have a higher materiality. + +Auditors try to get a reasonable assurance that the audited management system is free of erroneous material representation and non-conformities. The challenge with ISO 27001 audits is that auditors are not able to obtain absolute assurance that the audit conclusions reflect the reality, because we always take samples, so it's not a 100% check. Auditors should be able to obtain reasonable assurance that the ISMS as a whole conforms to the requirements of the standard, and it's not the goal to achieve that assurance for each process. +There are limits of to what an auditor can detect based on false material representation. You only have a limited amount of time, so it might be that material might be false, that is not correct. You cannot always see that there are issues in the internal processes. And you can also not prevent that some audit evidence is persuasive rather than conclusive. So there are limits of what you can see in an audit based. 
+ +### Section summary +So in conclusion, the main types of audit risks are inherent control risks and detection risks An audit approach based on risks, consider the risks and opportunity of the audit that are related to the context of the auditee. So you always look at the context of the organization. The main factors to consider when determining the materiality of a system include cost of operation, cost of the process, potential cost of errors or nonconformities, the resources needed for the process, conditions of service level agreements and penalties related to legal non-compliance. Materiality is evaluated at each step of the audit, meaning the initial contact, phase one and phase two audit, and auditors cannot obtain absolute assurance that the audit conclusions reflect the reality. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/_transcriptions-index.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/_transcriptions-index.md index fadca52..6d04be8 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/_transcriptions-index.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/_transcriptions-index.md @@ -1,4 +1,4 @@ -# PECB Lead Auditor Training — Transcriptions Index + . PECB Lead Auditor Training — Transcriptions Index ```dataviewjs const files = dv.pages('"iso27diy-corp/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions"')
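Review bot: The rewritten S07.1 body still carries raw transcript after the `---` rule (the block from "So establishing the materiality is not something that an auditor does like on a sheet of paper" through "So there are limits of what you can see in an audit based.") that duplicates the structured "Materiality", "Factors to consider", "The importance of materiality during the audit" and "Reasonable assurance" sections directly above it; with `processed: true` now set in the front matter, either drop that remainder or label it as the unedited transcript so readers do not take it for a second, conflicting version. Several transcription errors also survive into the new text and should be fixed before this is marked processed: "as per ISO 1911" in the intro sentence should be "ISO 19011" (the standard is named correctly a few paragraphs later), "in which the oddity operates" under Inherent risks should read "auditee" as elsewhere, and the section summary's "inherent control risks and detection risks" collapses the three types introduced at the top (inherent, control and detection). Smaller wording slips in the added lines: "is obvious very important", "top management is isn't really involved", "So it's normal that they measure that in monetary terms. term.", "the error with within that particular circumstances", "succesfull audit", "So in in determining", "There are limits of to what an auditor can detect", and the intro's "presents the type of audit risks discusses how to determine" is missing a conjunction. Finally, the new file ends with "\ No newline at end of file"; adding a trailing newline avoids noisy diffs on the next edit.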
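Review bot: In the `_transcriptions-index.md` hunk, replacing `# PECB Lead Auditor Training — Transcriptions Index` with ` . PECB Lead Auditor Training — Transcriptions Index` removes the Markdown H1 and leaves a stray leading " . "; this looks like an accidental keystroke rather than an intended change, so the line should be restored to the original heading before merge.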