I need a Systems Audit
My organisation has in place, or is planning to implement, an Innovative Technology Arrangement (ITA) and has been advised that we need a Systems Audit.
“‘Innovative Technology Arrangement’, also referred to as ‘ITA’ within this document, as defined within the First Schedule of the Innovative Technology Arrangements and Services Act, 2018. For the avoidance of doubt, this definition includes, inter alia, any ITA supporting an IVFAO, Providers of VFA Services or similar arrangements.” (from the ITA Guidelines)
So, I need a Systems Audit so that I can submit a report?
A Systems Audit is required so that the Issuer can submit a report to the MDIA (Malta Digital Innovation Authority) or the MFSA (Malta Financial Services Authority) depending on whether the ITA is classified as a DLT, Smart Contract or VFA. The purpose of the report is to confirm that reasonable standards with reference to the specific purposes, qualities, features, attributes, behaviours and/or aspects of the ITA are met.
The Issuer is responsible for the report, but it is the Systems Auditor who provides ‘the opinion’ on whether the standards have been met.
What steps do I need to take?
We appreciate that this all seems a little confusing, and you would be right. The process is new (introduced at the end of 2018) and there is a lot to take in, particularly when all you want to do is run your business or launch something new.
Step 1 – Appoint a Systems Auditor and let them guide you through the process.
A good systems auditor will be able to advise you on what type of audit you need and the process to follow. They should also be able to advise on what the report should look like and what the content needs to be.
For each step, what you need to do and how we can help:

What you need to do: Find an auditor who has the skills required to audit your ITA and who is approved by the MDIA. (You may choose any auditor the MDIA has approved; you cannot choose one it has not.)
How we can help: STIS Group have a unique skills-matching process. You tell us which systems and technologies you are using and we provide an instant score against our skills. That response tells you whether we have the requisite expertise. If you wish to check with the MDIA that they agree, we provide you with a matching report in a standard format that we use for every client and that the MDIA is used to accepting.

What you need to do: Determine which type of audit you need. This can be a Type 1 or a Type 2, and eventually there will be an enhanced audit.
How we can help: Although the choice is quite simple, the amount of effort involved differs significantly between the two, both for you and for the Systems Auditor. We will advise on, or confirm, the type of audit you have chosen and explain in detail what you can expect from each.

What you need to do: Decide which of the 66 top-level controls apply to your environment. For every control you consider does not apply you must provide a justification; the justification must be validated by the Systems Auditor and is ultimately included in the report.
How we can help: This exercise determines the scope of your audit. STIS Group have an online auditing system that lets you look at each control and simply choose whether you think it applies to you or not; we provide guidance on what each control means. This selection tells us what we will be auditing, and hence lets us quote for the engagement. The benefit to you is that if you subsequently choose STIS Group to perform your audit, some of the work has already been done. Without this step no Systems Auditor can form an opinion, and without an opinion you have no audit and therefore no report. STIS Group provide a core set of controls that we believe apply to most organisations, which takes some of the pressure off you: you only need to think about the exceptions.

What you need to do: Choose an auditor.
How we can help: We would like to think that you will choose STIS Group for your audit. However, we have been around long enough to realise that every client is different and has different preferences, so you may not choose us, and we can’t win them all. If you do choose us, we believe we have the smoothest, most user-friendly auditing process you will find among the accredited Systems Auditors. If you do not choose us, there is a high chance that you will still need some help with your audit. Whilst a Systems Auditor can provide a degree of assistance once appointed, they cannot, for example, write your policies, processes and procedures, or provide you with staff contracts or data processing agreements. So if you find yourself with a Systems Auditor and a little out of your depth, come to us and we can help. If we are not your Systems Auditor we can provide as much help as you need to get you through your audit.

What you need to do: Undertake the audit. By way of documents, demonstrations, screenshots, interviews and explanations, provide evidence of which control measure has been applied and which test confirms that the measure meets the control. Easy? Not really, and this is where your choice of Systems Auditor makes the difference.
How we can help: Whether Type 1 or Type 2, these are the main steps. Remember the 66 top-level controls? You now need to demonstrate that your organisation meets every control you have kept in scope, and for every control you judged not to apply you now need to provide that justification. STIS Group have developed an online Systems Audit tool that guides you through the process. Drawing on our experience of a variety of audit engagements, including PCI DSS, GDPR, IT security and data centres, we have built over 300 controls that you can use as templates for your own. Our controls are based on the existing standards advised by the MDIA and are tried and tested methods for verifying the top-level controls required for the audit. Our online tool will save you days, if not weeks, of effort inventing your own controls, working out which documents you need to write and worrying about what each control means. All of it is online, at your own pace, guided by your own named Systems Auditor.

What you need to do: Write the report. Yes, the MDIA places the responsibility for the report on the auditee: you.
How we can help: Just because you own the report doesn’t mean we can’t help. We provide a templated report for you. It contains all the sections you need, and we help you with the format, the layout, the description you need to provide, the assertion you need to sign and, of course, the main elements:
Details of all the top-level controls, either satisfied or out of scope (and why they are out of scope), along with the Systems Auditor’s sign-off.
For each control, which of our experts assessed it.
Each completed control and the test applied, including the auditor’s opinion.
And, most importantly of all, the Systems Auditor’s opinion on the ITA: whether the controls, the description and the blueprint or whitepaper all add up to a pass or a fail.

What you need to do: Retain your Systems Auditor.
How we can help: Once you have passed your audit you will need to retain a Systems Auditor. This does not have to be the one who performed your audit, but our advice is to choose a Systems Auditor, pay the retainer and have the same auditor perform the certificate renewal. If you choose STIS Group, our online system keeps all your data. We keep all your controls, and you can continue to upload your evidence and documents throughout the year so that the final audit causes minimal disruption.

What you need to do: Renew your certification.
How we can help: You will need to be certified every year, and the renewal will be a Type 2 audit: the controls must have been operating effectively for the previous 12 months. So you could have been uploading your access control reviews to us every month, or your virus scan results, or your new Information Security Policy, and we will use these as evidence when it comes to the audit. Our philosophy is that your audit is not a one-off test; it should be a continuous process, with STIS Group signing you off every year. Think about it: you don’t want to get to the end-of-year audit only to find that your controls for one or more criteria have not been working.
What if I Fail an Audit?
We don’t want to see any of our clients fail an audit, it’s not good for us and it certainly isn’t good for you.
Our methodology and service offering including our proprietary online tool is designed to help you pass the audit, without doing it for you.
Whilst other auditors might see a failure on your part as a way to gain another audit fee, we see it as a failure on our part.
We will tell you up front if we don’t think you are going to pass. You can take our pre-audit for a nominal fee, which enables both you and us to determine exactly what state you are in. If you are not ready you can pause for a while and get into shape, or ask us to help get you ready for an audit. Of course, if we help you prepare we cannot then audit you, but you could retain us as your auditor and we could audit you on the renewal of your certificate.
Why would I fail?
There are lots of reasons why you might fail an audit.
First and foremost, would be not taking the advice of your Systems Auditor.
If you decide that you want to put a control out of scope and your auditor does not agree, then you effectively fail that control – the Systems Auditor has the final say.
If you do not satisfy a control you will also fail that control: if you devise a test that, in the eyes of the auditor, does not prove the control, you will fail it.
For a Type 2 audit, having the right control in place but not operating it correctly will also be a fail.
For full details on the Systems Auditor and the Systems Auditor Report, refer to the ‘Systems Auditor Guidelines’.