
Wednesday 2 June 2010

How to Provide Security Assurance in 9 Easy Steps!

The following approach has worked across all security disciplines, including physical security, personnel security and electronic security. I know the thought of inviting auditors into your areas of responsibility is a little daunting, but if used correctly an audit can be a very effective tool and can also be used to obtain some free consultancy advice.

In conjunction with management you should produce and deliver an Annual Programme (1) of risk-based audits aimed at ensuring that security risks are identified and effectively managed. It is well worth obtaining senior executive approval for this programme, communicated throughout your organisation, that clearly sets out the objectives, authority and responsibilities of the department conducting the security audits.


Once high-level approval is obtained you need to develop a structure for how these security audits will be done and who needs to be involved. Below is a structure that could be adopted once the business area or security risk owner (also known as the auditee) has been identified.

A Planning or Opening Meeting (2) should be arranged between you and the auditee to agree the scope and to gain a better understanding of their business area. This meeting will cover: questions that enable the level of risk maturity to be determined, confirmation of your understanding of the purpose of the area under review, the objective and scope of the audit, agreement of the key risks, any concerns the risk owner may have that need to be addressed, and agreement of key contacts and dates. This information sets out the detail that is captured in an Engagement Letter (3); once complete, this letter is issued to the principal auditee(s) before fieldwork starts. I see the engagement letter as an essential document because it enables and drives the auditee and other key staff to have an input into the audit, clarifies the work that will be done, confirms the timing of the audit, ensures that the appropriate resource has been assigned to the audit, and establishes the responsibilities of all parties.

Once you have identified your resource, the security auditor/advisor/manager should create a security audit programme. The purpose of the Security Audit Programme (4) is to set out in more detail the actual testing and work that will be carried out to address each area in the scope. The programme is used as the basis for aligning the Fieldwork (5) with the risks to be reviewed. It is the document that focuses on testing the effectiveness of the security controls and other risk mitigations in place to manage the most significant risks.

Fieldwork consists of a range of activities undertaken by the auditor/advisor and may include: interviews with key staff involved in business processes, observation of key processes, tests of key controls, and review of relevant documentation. The purpose of fieldwork is to gather sufficient information to document the processes involved in the system under review and to form an opinion on how well the key security risks or areas for review are being managed. The outcome of fieldwork then forms the content of the report, together with a management action plan to address any findings highlighted.

On completion of audit fieldwork, and armed with a copy of the Draft Report (6), you should meet again with management and the auditee and hold a Closing Meeting (7) at which the draft report, the findings and any suggested remedial actions are discussed. Depending on the outcome, you then notify management of the next stages in the audit process.

Most audit functions apply four or five Conclusion (8) ratings, ranging from very good through to very poor or "must try harder" (a traffic light system is also sometimes used). It doesn't matter what the conclusions are called as long as they mean something to the business. Based on the assessment of the fieldwork and the content of the identified issues, a conclusion should be assigned to the audit, with timescales and a defined date by which the identified issues will be addressed and named owners for each, since the audit will have a Follow Up (9) and be tested again at the agreed date. The report should then get an appropriate level of circulation so that the business area, its managers and those who want and need assurance can understand its risk better. Depending on the audit conclusion, the report circulation might include CEOs and other senior board members.
