
#1379 add skill for Audit change request accepted

Consider adding an Audit skill to SFIA 8 to describe a range of audit responsibilities including - but not limited to - audits related to information and cyber security systems and processes.

Audits are used to assess a wide range of activities, processes, products, systems and services related to the scope of SFIA. This complements existing skills in SFIA – risk management, quality assurance, conformance review.

A first draft for an Audit skill definition is included below.

Audit AUDT 

The independent, risk-based assessment of the effectiveness of the controls and compliance environment in information and technology processes and systems.  The structured analysis of the risks to achievement of business objectives.

Guidance notes
Audits are used to assess a wide range of activities, processes, products, systems and services, such as, but not limited to, hardware, software solutions, safety systems and safety integrity, information and technology, security systems and tools. SFIA describes the audit skill in generic terms – detailed audit work also requires knowledge of recognised criteria and frameworks.

Audit: Level 7

  • Leads the definition, implementation, and communication of the organisation’s audit function.
  • Ensures that the audit function adds value to that organisation.
  • Plans audit cycle and ensures appropriate audit coverage across the organisation.
  • Communicates with a variety of internal and external stakeholders.
  • Directs use of risk analysis to identify areas for in-depth review.
  • Ensures appropriate resources are available to deliver organisational requirements for audits.
  • Reports at the most senior level on the findings, relevance and recommendations for improvement.

Audit: Level 6

  • Leads and manages complex audits.
  • Obtains and manages specialists contracted to contribute highly specialised technical knowledge and experience.
  • Develops organisational policies, standards, and guidelines for how the organisation conducts
  • Develops plans for risk-based audits for inclusion in audit planning.
  • Ensures audit coverage is sufficient to provide the business with assurance of adequacy and integrity.
  • Identifies areas of risk and specifies audit programs.
  • Authorises the issue of formal reports to management on the effectiveness and efficiency of control mechanisms.

Audit: Level 5

  • Manages and delivers risk-based audits of existing and planned processes, products, systems and services.
  • Identifies areas of risk and evaluates adequacy and effectiveness of organisation's approach to risk.
  • Assesses and communicates associated risks to stakeholders.
  • Recommends changes in processes and control procedures based on audit findings.
  • Provides general and specific audit advice.
  • Collates conclusions and recommendations, and presents audit findings to management regarding the effectiveness and efficiency of control mechanisms.
  • Collaborates with professionals in related specialisms to develop and integrate findings and recommendations.

Audit: Level 4

  • Contributes to planning and execution of risk-based audits of existing and planned processes, products, systems and services.
  • Identifies and documents risk in detail.
  • Identifies the root cause of issues during an audit, and communicates these effectively as risk insights.
  • Develops recommendations regarding the interpretation and implementation of control measures.
  • Prepares and communicates reports to provide independent assurance.

Audit: Level 3

  • Adopts a structured approach to execute and document audit fieldwork.
  • Maintains integrity of records to support and satisfy audit trails.
  • Identifies typical risk indicators and explains prevention measures.

Current status of this request: accepted

What we decided

This change request has been reviewed alongside other SFIA skills in the area of Governance, risk and compliance.

What we changed

New skill and skill level descriptions for Audit have been added.

Carol Long
Mar 08, 2021 05:13 PM

Recommendation
a) Do not implement CR1379 in SFIA 8.
b) Include CR1379 in a larger effort to rationalise the breadth of skillsets addressing independent/external audit and testing of processes and artifacts. (AUDT, CORE, TEST, CFMG, BPTS, QUAS, QUMG) in a future release.
c) Amend AUDT 7, AUDT 5, AUDT 4 to remove references to recommending solutions (as below)
d) Amend AUDT 7 to reflect role in audit strategy selection (see below)
e) Amend AUDT 7 to reflect corporate governance expectations.
f) Amend AUDT 7 to reflect specific responsibilities towards supporting QUMG and QUAS
g) Review CFMG to establish if the independent audit of configuration management practices and particularly configuration audits at external boundaries (e.g. release or handover) should be included in generic terms in AUDT 3, AUDT 4.
h) Review SLMO to determine if audit of service provision
i) Review SCAD to determine if audit is part of security monitoring in proactive modes
j) Review SUPP, especially SUPP 6, as “Assures that the quality of the services delivered by suppliers meet contractual commitments and business needs” is often referred to as a supplier audit process (should this be part of CORE or AUDT?)

Audits are formal reviews of processes and practices with appropriate and sufficient independence from management activity.
This CR overlaps with CORE (Conformance Review) in the IT security aspects, especially Levels 3 (evidence gathering), 4 (identifying non-conformance), 5 (appraising internal controls), 6 (planning reviews).
This CR overlaps with QUAS (also see CR#1324) with respect to audits as part of QA.
This CR overlaps with QUMG, especially QUMG 7 responsibility for “internal quality audit schedule.”
This CR may overlap with TEST (and thus CORE) with respect to testing of services (thus processes and practices) (see CR #1382)
This CR may overlap with CFMG (reviews of configuration audits) which are not overtly mentioned in this CR or in CFMG. (seen as potential activities for AUDT 3, AUDT4)
This CR may overlap with BPTS as some audit practices run scenario tests of business processes.
This CR overlaps SLMO with respect to SLA audits.
This CR may overlap with SUPP with respect to supplier audits.
This CR may overlap with SCAD 5 or SCAD 6 (implied proactivity suggests audits as part of monitoring but not overly stated).

Note, while auditors can explain and be helpful, they compromise their independence and risk straying beyond their knowledge and competence if they recommend a course of action (see https://www.quality.org/knowledge/maintaining-independence-internal-audits or https://na.theiia.org/standards-guidance/topics/Pages/Independence-and-Objectivity.aspx ) and would in future audits be “marking their own homework”.

AUDT 7
Edit “Reports at the most senior level on the findings, relevance and recommendations for improvement.”
To read “Reports at the most senior level on the findings, relevance and recommendations for improvement.”
Edit: “Plans audit cycle and ensures appropriate audit coverage across the organisation.”
To read: “Defines Audit strategy, plans audit cycle and ensures appropriate audit coverage across the organisation.”
Add: “Review and provide advice to Quality Management and Quality Assurance plans to avoid inefficient or ineffective resource use in quality activities”
Add: “Support the most senior level in the organisation in compliance with corporate governance requirements for audit and business reviews”

AUDT 5
Edit “Recommends changes in processes and control procedures based on audit findings.
Provides general and specific audit advice.
Collates conclusions and recommendations, and presents audit findings to management regarding the effectiveness and efficiency of control mechanisms.
Collaborates with professionals in related specialisms to develop and integrate findings and recommendations.”
To read: “Identify areas for changes in processes and control procedures based on audit findings.
Provides general and specific audit advice.
Collates conclusions and areas for improvement
Presents audit findings to management regarding the effectiveness and efficiency of control mechanisms.
Collaborates with professionals in related specialisms to develop and integrate findings and evaluate improvements.”

AUDT 4
Edit: “Develop recommendations regarding the interpretation and implementation of control measures.”
To Read: “Provide factual information regarding the interpretation and implementation of control measures.”

Kevin Streater
May 16, 2021 12:37 PM

Please add a level 3 audit to meet the requirements of Cyber Security Technologist (Level 4, Standard Reference ST0124)

Definition is:

Conduct cyber security audits.