#1379 add skill for Audit change request accepted
Consider adding an Audit skill to SFIA 8 to describe a range of audit responsibilities including - but not limited to - audits related to information and cyber security systems and processes.
Audits are used to assess a wide range of activities, processes, products, systems and services related to the scope of SFIA. This complements existing skills in SFIA – risk management, quality assurance, conformance review.
A first draft for an Audit skill definition is included below.
Audit AUDT
The independent, risk-based assessment of the effectiveness of the controls and compliance environment in information and technology processes and systems. The structured analysis of the risks to achievement of business objectives.
Guidance notes
Audits are used to assess a wide range of activities, processes, products, systems and services, such as, but not limited to, hardware, software solutions, safety systems and safety integrity, information and technology, security systems and tools. SFIA describes the audit skill in generic terms – detailed audit work also requires knowledge of recognised criteria and frameworks.
Audit: Level 7
- Leads the definition, implementation, and communication of the organisation’s audit function.
- Ensures that the audit function adds value to that organisation.
- Plans audit cycle and ensures appropriate audit coverage across the organisation.
- Communicates with a variety of internal and external stakeholders.
- Directs use of risk analysis to identify areas for in-depth review.
- Ensures appropriate resources are available to deliver organisational requirements for audits.
- Reports at the most senior level on the findings, relevance and recommendations for improvement.
Audit: Level 6
- Leads and manages complex audits.
- Obtains and manages specialists contracted to contribute highly specialised technical knowledge and experience.
- Develops organisational policies, standards, and guidelines for how the organisation conducts
- Develops plans for risk-based audits for inclusion in audit planning.
- Ensures audit coverage is sufficient to provide the business with assurance of adequacy and integrity.
- Identifies areas of risk and specifies audit programs.
- Authorises the issue of formal reports to management on the effectiveness and efficiency of control mechanisms.
Audit: Level 5
- Manages and delivers risk-based audits of existing and planned processes, products, systems and services.
- Identifies areas of risk and evaluates adequacy and effectiveness of organisation's approach to risk.
- Assesses and communicates associated risks to stakeholders.
- Recommends changes in processes and control procedures based on audit findings.
- Provides general and specific audit advice.
- Collates conclusions and recommendations, and presents audit findings to management regarding the effectiveness and efficiency of control mechanisms.
- Collaborates with professionals in related specialisms to develop and integrate findings and recommendations.
Audit: Level 4
- Contributes to planning and execution of risk-based audits of existing and planned processes, products, systems and services.
- Identifies and documents risk in detail.
- Identifies the root cause of issues during an audit, and communicates these effectively as risk insights.
- Develops recommendations regarding the interpretation and implementation of control measures.
- Prepares and communicates reports to provide independent assurance.
Audit: Level 3
- Adopts a structured approach to execute and document audit fieldwork.
- Maintains integrity of records to support and satisfy audit trails.
- Identifies typical risk indicators and explains prevention measures.
Current status of this request: accepted
What we decided
This change request has been reviewed alongside other SFIA skills in the area of Governance, risk and compliance.
What we changed
New skill and skill level descriptions for Audit have been added.