Question - Required module: Audit Planner

Hi everybody,

we’re using eramba since March this year and just passed our ISO 27001:2022 transition audit. :muscle:

The ISO 27001 requires an “Internal Audit” that has to review every ISO control within three years. To ensure this the “Internal Audit” has to have an audit plan that includes every ISO control. We have defined all ISO controls as a compliance package in eramba and linked them to internal controls and policies.

Currently we have an audit plan as an Excel spreadsheet that relates to each ISO control, but it would be very nice to have this governance feature in eramba.

Is anything like that in the pipeline as a new eramba module?

Kind regards
Andre

1 Like

Hello,

I’m a bit lost here. In the internal control module, you have the option to define audit or maintenance. In the same way, you can create Internal control called internal audit.
Please review our documentation regarding internal controls and their auditing: Internal Controls | Eramba learning portal

Hi Sam,

thanks for your reply, but these are two different topics. Internal controls are handled by the respective business units. This has nothing to do with the “Internal Audit” as defined by ISO. The “Internal Audit” must check whether processes and the internal controls named are created correctly from a legal/standardized point of view and whether these processes and controls are also being executed in this way.

Of course, I can use the audit function in the Internal Controls module to check the implementation of the controls. However, I do not have a direct link to ISO, DORA and so on and cannot create a comprehensible and exportable multi-year plan.

Greetings Andre

It sounds like you may have an over-caffeinated auditor that is reading things that don’t exist in the standard, and the auditor has probably never worked in an environment that is doing once (controls/audits) and applying to many (ISO, DORA, etc.). The other thing is that your audit plan is not required to review/audit every requirement - it’s a risk-based judgement that you should make.

That being said - there is a combination of educating the auditor and some extra receipt gathering to do -

What we do to justify the audit plan review is we create a control that is to review the audit plan. The artifact reviewed is a report from the compliance analysis module where we pull in everything that’s audited (and maybe a planned audit report for the next year) to demonstrate that we have selected the controls and schedule that we will audit.

From an educational perspective, the auditor will need to understand that you work/audit based on controls that are mapped and you will not perform the audit to the standard specifically, other than that control that reviews the mapping. ISO auditors tend to struggle with that, but that review tends to sort things out.

I would also suggest that if you’re auditing a control less than annually, you probably don’t need to be auditing it…

1 Like

Hi David,

I would love to see the reaction from our German Banking Authority (BaFin) auditor if you tell him or her to be over-caffeinated. :rofl: Our company is located in Germany and we provide IT services to asset managing companies who are supervised by the BaFin and the European Banking Authority (EBA). It is common practice in our branch and a requirement of the BaFin/EBA to have an audit plan over 3 years.

Back to topic - one possible solution would be if we could add audits in the compliance analysis module, as is always possible in the internal control module.

Greetings
Andre

If you find that in the ISO standard I will pay you 1000000000000 Italian liras! Ctrl+F “3 years” and you won’t find that anywhere. ISO is not prescriptive, there are no deadlines.

Audits are covered in section 9. In plain English, you need to measure control efficacy as per 9.1 (internal audits in eramba) and have an audit program (9.2) which, although it is not explicit that it needs to be internal, all auditors in my experience would expect to happen to assure, in their view, impartiality.

Guys, I don’t want to discuss what’s in the ISO and what’s not.

I had a question about a possible future module based on an existing request of our auditors.

The question is wrong, so the expectation of a solution will be wrong too.

As I wrote an hour ago, it is not just about the ISO…

Well, that certainly changes the response when you have regulators involved (as overcaffeinated is their baseline, and I agree, don’t poke the bear on informing them of such).

I think the difficult thing here is when you’re working within the structure of the “problems vs solutions principle” within eramba, the audits are a component of the solutions (controls) which get abstracted from the problems (the requirement to have an audit on some schedule - Compliance).

When you say “ISO Control” - I assume you mean “ISO Requirement” as they are not your controls (solutions) - ISO is a problem that your controls solve. The other differentiation is that for controls - I agree, those should be owned by the departments along with the maintenances, but the audit portion of controls is what GRC/Internal Audit should own.

The other thing that gets tricky with the “3 year plan”: if your plan is to actually rotate across all controls (instead of doing the same set of audits every 3 years), the audit scheduling configuration isn’t going to be helpful, as it assumes that if you’re auditing, it’s minimally an annual thing. There’s also not a direct relationship from the Compliance Analysis page to audits performed - you can call back controls and you can call back controls with issues to that page.

However, if you head over to the Internal Controls page, you should be able to build a filter that pulls in a compliance framework, the mapping to controls, and then things like the next audit date for the controls on a single page. This accounts for the probability that you’ll have multiple controls for some requirements and the next audit date for those controls may be at different times. There’s also a built-in system status, “Control without Audit Plan”, that will call out any that are missing.

Now, to solve the 3 year frequency, part of your audit process will be to create the audit item for the next time it is scheduled manually, as opposed to letting the system schedule it. If you complete Audit A now, and the next one is in 3 years, then create the item with that future planned start date. Once all of those are entered you can report on all planned future audits from either the Controls or Audits page, and they should appear in the dashboard calendar widget.

I also think it would make sense to create an annual review/3 year plan reconciliation control where you go through and clean everything up above, then attach the outputs of the filters as evidence of the maintenance which would be what you demonstrate to the regulators as opposed to trying to show them on the live system.

The above takes into account how eramba handles the concept of audits - as of right now, there’s not really a thing to do an “audit” of a “problem” (i.e. all ISO requirements). The closest you might get there is via the online assessment module, where you can create an assessment that comprises the ISO requirements and work through it that way; however, there’s no linkage back to the Compliance or Controls modules. This may be the more efficient way to “audit to the problem” though.

Afterthought - you can add some custom fields to the Compliance Analysis module and use those to document the audit strategy for each control and report on that to replace excel (and perhaps, have a maintenance to review/update that, tied in with the annual suggestion above).

Hopefully this is helpful - at this point it’s starting to sound like incoherent rambling on my part!

3 Likes

Hi Andre,

We are based in the UK and use one of the big 4 auditors to certify against ISO27001 and our SOC2 Type II attestation. We have implemented a specific Eramba internal control to manage this requirement (9.2 Internal Audit) via planned audits, where we use an independent external auditor to review all of the controls over a 3-year period. Every annual audit we do covers the mandatory controls and a sample of the Annex A controls, making sure we cover them all by the end of the 3-year cycle.
We get complimented on how we manage and plan this using Eramba, and in my view it is very simple.

1. Create an Internal Control (you could add a multiple select dropdown custom field here and name your compliance packages and essentially map your new control back to your compliance packages).
2. Detail your aspirational audit plan at the control level by saying what you intend to do (this is your plan detail). This is where you can create scheduled future audits or leave disabled to create manual ones at a later date, identifying which controls you are auditing per year as your methodology.
3. Once this is done you can then map the 9.2 ISO control back from the Compliance Analysis module to the Internal Control.
4. Create a specific Item Report for the control using a mixture of widgets and filters detailing everything, including the scheduled audit detail. This is your plan and can even be scheduled to send out via email at specific times if needed!

For us the above works perfectly and satisfies the ISO control; we have never had an issue raised by any auditors using this method, but I am happy to be challenged if someone has a better idea.

2 Likes