Traditional Audit Processes

In most studies that one would read espousing one particular view of the audit process or another, there are varying degrees of similarity between the processes. Many organizations and writers have developed processes that they believe information assurance auditors should follow when performing a formal audit of an organization’s information assets. Whether it is the process defined by industry groups[1] or varying universities[2] publishing their standards there are certain similarities that one will find. These standards tend to be stand-alone processes, event driven, and typically independent of processes that organizations have already standardized on to complete projects in the enterprise. Rather than work with pre-existing models and proven processes for project development, most audit processes tend to be isolated from an organization’s Project Management Office (PMO) and other enterprise level facilities.

What is the PMBOK?

Enter the PMBOK. To cure the disconnect between multiple project management models vying for an organization’s attention in 1981 the Project Management Institute (PMI) commissioned a standard by which organizations could standardize on how to manage their projects, taking advantage of their industry neutral experience in the area. Therefore whether the organization was public or private, small or large, and regardless of the industry sector the organization could utilize a common standard of practice for all of the projects in their portfolio.

In their own words, the PMI states that, The “Project Management Body of Knowledge” (PMBOK®) is an inclusive term that describes the sum of knowledge within the profession of project management. This full body of knowledge includes knowledge of proven, traditional practices, which are widely applied, as well as knowledge of innovative and advanced practices, which may have seen more limited use.”[3]

Therefore by establishing one common body of knowledge an organization can rely upon proven industry standards for project management and focus their resources on implementing a project (in this case an audit), rather than reinventing a process that has proven itself to be effective. By relying on industry standards this again allows the organization to focus on their core business objectives, rather than be distracted by the development of yet another independent standard.

Towards a Unified Model

One common ailment that faces most organizations, however, is the problem of resource constraints more specifically, most organizations simply do not have the manpower to complete all of the tasks that they would like. Time and personnel resources are at a premium in all organizations and the prioritization of such resources is a critical factor by which the success of the management of the organization is often measured. In that vein then, why is it that organizations feel the need to develop and maintain their own processes for auditing their information assets, when instead those resources could be dedicated to performing the task itself?

The premise of this discussion therefore, is to put away competing standards for auditing an organization’s information systems and to rely upon a proven standard for project management. If the PMBOK truly is an industry vertical neutral platform, could it therefore be utilized by auditors to manage their projects? The bias of this discussion is that the answer to this question is yes and that auditors should capitalize on ongoing, relevant research that is already available in order to form a common foundation for basing their work. But before the auditor can take advantage of the pre-existing standards of the PMBOK, an understanding of its basic tenets is first required.

PMI’s PMBOK Basic Process Groups

The five basic process groups that the PMBOK recognizes as crucial to the development of any project are the following:

  1. Initiating
  2. Planning
  3. Executing
  4. Controlling
  5. Closing

Along with these five basic process groups, the PMBOK also recognizes that there are nine knowledge areas that must also be considered as a part of this project development process. These nine knowledge areas influence the project’s direction and guides the decision making process for all key stakeholders involved in the project. The nine knowledge areas are:

  1. Integration Management
  2. Scope Management
  3. Time Management
  4. Cost Management
  5. Quality Management
  6. Human Resource Management
  7. Communications Management
  8. Risk Management
  9. Procurement Management

While these knowledge areas are beyond the current scope of this article, they certainly serve to lend guidance to anyone contemplating a project management centric view of information security auditing. Each of these knowledge areas is useful especially in further developing a project’s plan and in understanding each of the different phases of the project.

Where do we go from here?

In light of these considerations, what practical outcome should an auditor consider that will affect the method by which audits are actually performed? How does this premise of melding the PMBOK and the audit process actually flesh itself out? The answer should be in the form of a well defined audit process, described in industry standard terms (as defined by the PMBOK) that could be applied regardless the type of audit that is being performed. From this an organization could create project templates, timelines, even Gantt charts that could serve as a model for how audits are performed in a common, standardized manner. And now, with a common set of practices in hand, auditors could focus on their core business tasks of evaluating systems rather than on developing frameworks.

But that will have to be the topic for another article.

1. AuditNet’s Audit Process )  (Old Link Removed); SecurityFocus’s Audit Process (http://www.securityfocus.com/infocus/1697); Microsoft’s Audit Process (http://www.microsoft.com/technet/community/columns/sectip/st0606.mspx); are just a few samples.
2. Boston University’s Internal Audit Process ); University of Indiana’s Internal Audit Process (http://www.indiana.edu/~iuaudit/process.html)  (Old Link Removed); Cornell University’s Internal Audit Process ) are just a few samples.
3. The Project Management Institute (http://www.pmi.org)