Audit Plays a Vital Role in Risk Assessment

madunixCIO
The audit focuses on determining whether the organization has implemented policies and procedures that effectively identify and control risks in order to prevent operational interruption.

Audit:

 

The audit focuses on determining whether the organization has implemented policies and procedures to regulate data processing and whether processing is actually carried out in accordance with them. An organization that complies with its own requirements identifies and controls risks effectively and so prevents operational interruption.
 
Overall, an audit helps ensure that the business is operating smoothly. Audits can be classified as:
  • Financial Audits: assess the correctness of financial statements.
  • Operational Audits: evaluate the internal control structure.
  • Integrated Audits: combine financial and operational audit steps.
  • Administrative Audits: assess issues related to operational efficiency.
  • Information Systems Audit (IS Audit)/Information Technology Audit (IT Audit): provide evidence that information systems and related assets are safeguarded and that data integrity, reliability, effectiveness, and efficiency are maintained.
  • Specialized Audits: third-party review services (for example, audits of outsourced services).
  • Forensic Audits: discover, disclose, and follow up on fraud and crimes, and help develop evidence that can be used by law enforcement and judicial authorities.

 

Risk:

 

Risk is any event that may negatively affect the accomplishment of business objectives. The elements of risk are threats, vulnerabilities, likelihood, and impact; controls are the measures that reduce risk to an acceptable level.
 
Risk assessment provides the essential information required to determine the appropriate risk response. A risk assessment:
  • Helps auditors identify risks, vulnerabilities, and threats.
  • Helps auditors evaluate controls.
  • Helps auditors determine audit objectives.
  • Supports risk-based audit decisions.

A risk-based audit consists of the following steps:

  • Identifying business objectives.
  • Risk assessment/analysis (identify risks, determine probability and impact).
  • Risk mitigation (apply controls to reduce risk to an acceptable level).
  • Monitoring performance (re-evaluation).

 

IT Audit is a component of a risk-based audit program designed to help auditors facilitate effective resource allocation. By adopting the risk-based audit approach, IT Auditors focus on auditing the high-risk areas that impact the organization's objectives most.

 

Information Technology (IT) Audit / Information Systems (IS) Audit:

 

In an IT audit, ISO/IEC 27001 [https://www.iso.org/] can be used as a guideline; it addresses several control domains, such as:
  • Security Policy;
  • Security Organization;
  • Asset Classification and Control;
  • Physical and Environmental Security;
  • Communications and Operations Management;
  • Access Control; 
  • Business Continuity Management; 
  • Compliance; 
  • Information Security Incident Management.

 

An IT audit evaluates the organization's procedures, systems, records, and activities to ensure that the related policies, procedures, plans, and documentation are in place and that the security of data and systems is maintained.
 
Additionally, an IT audit verifies that Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) readiness is maintained, that adequate physical and environmental controls are implemented, and that a proper monitoring process is in practice.

 

Scope of the Audit:

 

The primary objective of the initial meeting with an audit client is to define the scope of the audit. Based on the scope and audit objectives, IT auditors choose the control tests to perform on the areas selected for review under the information systems audit scope. Examples include:
  • IT Governance
  • IT Risk Assessment
  • IT Security Assessment
  • IT User Management
  • IT Privilege Management
  • IT Configuration Management
  • IT Operations Management
  • IT Change Management

 

Summary of IT Auditor Work:

 

IT Auditor observations are based on understanding the client's processes, interviews conducted with the management (process owners), and leading practices. 
 
In this article, I highlight samples of findings, risks/implications, and recommendations that IT auditors can write in their reports during audit projects after understanding the client's business. I cover only IT Governance, IT Change Management, IT Operations Management, and IT Security Assessment, to raise awareness of IT/IS audit among the IT departments of organizations.
 
Generally, the details of IT Auditor work conducted on the sub-processes of the Information Technology processes include:
  • Gaining an understanding of the flow of transactions by reviewing the approved policies and procedures.
  • Reviewing the adequacy of the designed controls.
  • Identifying essential controls and assessing whether or not they are operating as designed.
  • Validating findings with management.
  • Obtaining management responses.
  • Issuing the final audit report.

 

ISACA [https://www.isaca.org/] has produced standards, guidelines, and a report template, which should be referenced to ensure that each organization's audit reports meet high standards. 

 

Sample of IT Auditor Observations and Recommendations in IT Governance:

 

1. Observation: Absence of IT policies and procedures

Implication: The lack of written policies and procedures creates a risk of nonadherence to corporate policies and prevents the establishment of an internal control environment. Furthermore, the lack of a formal access management policy and procedures increases the risk of users being granted inappropriate access to systems.

Recommendation: IT and IS policies and procedures should be developed. They should cover areas such as user access assignment and revocation, service level agreements, backup management, and IS operations.
 
2. Observation: Absence of IT strategic planning
 
Implication: The absence of a formal IT strategic planning procedure, one that includes a current capability/performance assessment and a series of meetings with key business owners, leads to the following:
  • A lack of common understanding of business and IT priorities, which leads to conflicts about the allocation of resources and priorities.
  • IT capabilities that do not fully contribute to the organization's mission and goals, leading to unnecessary IT initiatives and investments.

 

Recommendation: An IT strategic plan covering the next five years should be developed in alignment with business objectives and expectations. It should include the following:
  • A formal IT vision and mission statement.
  • IT principles (applications, infrastructure, etc.) derived from that vision and mission.
  • Reference target architectures (e.g., target application architecture, target infrastructure architecture).

 

3. Observation: Absence of IT risk assessment

 

Implication: Without a formal risk assessment and related risk management procedures for the IT environment, management cannot identify and assess the possible impact of threats that compromise IT-related information, make information assets unavailable, or disrupt IT functions and services.
 
Recommendation: Management should conduct a comprehensive risk assessment covering all related IT applications, systems, and operations according to its risk assessment methodology and procedure. The assessment should be documented and archived.
 
4. Observation: Absence of comprehensive IT security awareness sessions.
 
Implication: Lack of proper IT security awareness within an organization might increase the risk of internal breaches through employees who utilize IT core applications/systems and data.
 
Recommendation: Management should start implementing IT security awareness activities and programs to mitigate any risks that arise from its absence. These programs should be formally documented.
 
5. Observation: Unidentified data ownership
 
Implication: In the absence of a formal data ownership document, business data might be improperly secured and protected. Additionally, requirements for protecting business data might not align with business requirements, resulting in business process owners not taking responsibility for the hosted data.
 
Recommendation: Organizational information that is proprietary or confidential must be strictly protected. Data classification is an appropriate method to categorize and protect an Organization's information assets. An information classification framework that categorizes data into security categories and allocation of ownership should be established. 
 
At a minimum, management shall consider implementing the following:
  • Provide policies and guidelines to ensure appropriate and consistent ownership and classification of data.
  • Define, maintain, and provide appropriate tools, techniques, and guidelines for effective security and controls over information assets, in collaboration with the owner.
  • Create and maintain an inventory of information assets (systems and data) that lists owners, custodians, and asset classifications, including outsourced assets and those for which ownership should stay within the organization.
  • Have formal processes in place to ensure the confidentiality, integrity, and availability (CIA triad) of protected data.

 

6. Observation: Unidentified IT roles and responsibilities
 
Implication: If IT roles and responsibilities are not identified, documented, and applied, IT personnel might not know their exact roles and responsibilities, leading to overlapping activities that can cause security breaches and control deficiencies.
 
Recommendation: IT roles and responsibilities should be identified, documented, approved, applied, and shared between the related personnel. 
 
7. Observation: Unimplemented IT segregation of duties (SOD) matrix and authority matrix
 
Implication: Without an implemented IT SOD matrix, roles and responsibilities might overlap, and a single person might be able to both perform and approve the same activity, leading to security breaches or control failures.
 
Recommendation: An IT SOD matrix covering all of the IT department's roles and activities should be implemented. It should be documented, applied, updated, approved, and reflected in the IT roles and responsibilities matrix.
 
Management should establish a formally approved access authority matrix that specifies the privileges assigned to each role for every application/system, according to user level and job description. Management should also ensure that access is granted to user accounts only as per the approved access authority matrix, and that the entitlements users actually hold are periodically reconciled against it.
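As an added example (not part of the original article and not the author's code), the following Python script shows how an auditor can test both matrices at once against exported data: it reconciles each user's effective entitlements with what the approved authority matrix permits for their roles, checks the entitlements actually held against the SOD matrix, and also checks whether any two approved roles together form a toxic combination before anyone is assigned both. The roles, permissions, users and conflict pairs are constructed sample data.

```python
"""Reconcile user entitlements against an approved access authority matrix and an SOD matrix.

All roles, permissions, users and entitlements below are constructed sample data.
"""
from itertools import combinations

# Access authority matrix (hypothetical): role -> system -> permissions the role may hold.
AUTHORITY_MATRIX = {
    "developer":       {"git": {"push"}, "erp": {"read"}},
    "release_manager": {"git": {"merge", "tag"}, "prod": {"deploy"}},
    "dba":             {"erp_db": {"admin"}},
    "ap_clerk":        {"erp": {"create_vendor", "enter_invoice"}},
    "ap_approver":     {"erp": {"approve_payment"}},
}

# SOD matrix (hypothetical): pairs of (system, permission) one person must never hold together.
SOD_CONFLICTS = [
    frozenset({("erp", "create_vendor"), ("erp", "approve_payment")}),
    frozenset({("erp", "enter_invoice"), ("erp", "approve_payment")}),
    frozenset({("git", "push"), ("prod", "deploy")}),
]

# Approved role assignments from the HR/IAM system (constructed).
ROLE_ASSIGNMENTS = {
    "alice": {"developer"},
    "bob":   {"developer", "release_manager"},
    "carol": {"ap_clerk", "ap_approver"},
    "dave":  {"dba"},
}

# Effective entitlements exported from the target systems (constructed).
ENTITLEMENTS = {
    "alice": {("git", "push"), ("erp", "read")},
    "bob":   {("git", "push"), ("git", "merge"), ("prod", "deploy")},
    "carol": {("erp", "create_vendor"), ("erp", "approve_payment")},
    "dave":  {("erp_db", "admin"), ("erp", "read")},   # erp/read is not granted by the dba role
}


def allowed_for(roles):
    """Return the set of (system, permission) the authority matrix grants to these roles."""
    allowed = set()
    for role in roles:
        for system, perms in AUTHORITY_MATRIX.get(role, {}).items():
            allowed.update((system, perm) for perm in perms)
    return allowed


def unauthorized_entitlements(user):
    """Entitlements the user actually holds that no approved role grants (authority matrix test)."""
    held = ENTITLEMENTS.get(user, set())
    return sorted(held - allowed_for(ROLE_ASSIGNMENTS.get(user, set())))


def sod_violations(user):
    """Conflicting permission pairs the user actually holds (SOD matrix test on real access)."""
    held = ENTITLEMENTS.get(user, set())
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)


def conflicting_role_pairs():
    """Role combinations whose combined permissions violate the SOD matrix by design.

    This catches toxic combinations before anyone is assigned both roles.
    """
    toxic = set()
    for r1, r2 in combinations(sorted(AUTHORITY_MATRIX), 2):
        combined = allowed_for({r1, r2})
        if any(pair <= combined for pair in SOD_CONFLICTS):
            toxic.add((r1, r2))
    return sorted(toxic)


def access_review_report():
    """Aggregate findings per user, in the shape an auditor would put in a working paper."""
    return {
        user: {
            "unauthorized": unauthorized_entitlements(user),
            "sod_violations": sod_violations(user),
        }
        for user in sorted(ENTITLEMENTS)
    }


if __name__ == "__main__":
    for user, findings in access_review_report().items():
        print(user, findings)
    print("toxic role pairs:", conflicting_role_pairs())
```

In the sample, dave holds an ERP permission his role never granted (an authority matrix finding), bob and carol each hold a conflicting pair (SOD findings), and the script also reports that the developer/release_manager and ap_clerk/ap_approver role combinations are toxic by design, which is the finding to raise against the matrix itself rather than against one user.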
 
8. Observation: Undocumented IT configurations' baseline
 
Implication: Without a documented IT configuration baseline, it is hard to detect, track, and revert changes once a system's settings have drifted from the approved configuration, and there is no authoritative reference against which a system can be audited.
 
Recommendation: The IT configuration baseline should be documented, approved, protected against unauthorized modification, and updated through the change management process whenever an approved change alters it. Running systems should be compared to the baseline regularly so that drift is detected.

 

Sample of IT Auditor Observations and Recommendations in IT Security Assessment:

 

1. Observation: Inappropriate user management activities
 
Implication: Without managing user enrolment, maintenance, and termination in the IT environment, dormant and orphaned accounts accumulate, IT security breaches can occur, and IT controls can fail.
 
Recommendation: User management activities (adding, maintaining, and terminating users in the IT environment) should be documented, approved by the assigned data owner, and archived appropriately.
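An added example, not code from the original article: a Python script that performs the user lifecycle review an auditor would run, reconciling a directory export against the HR roster and the approved access requests to find leavers whose accounts are still enabled (and whether those accounts were used after the leaving date), enabled accounts with no HR owner, accounts without an approved request, and dormant accounts. The roster, account records, ticket references, the 90-day dormancy threshold and the 30-day grace period for never-used accounts are constructed assumptions.

```python
"""User lifecycle review: reconcile directory accounts against the HR roster and approved requests.

All roster entries, accounts and request numbers are constructed sample data.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2024, 3, 31)          # "as of" date of the review (constructed)
DORMANT_AFTER = timedelta(days=90)       # policy threshold for dormant accounts (assumed)
NEW_ACCOUNT_GRACE = timedelta(days=30)   # never-used accounts younger than this are not dormant (assumed)

# HR roster export (constructed): username -> employment status and leaving date.
HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob":   {"status": "terminated", "left": date(2024, 1, 15)},
    "carol": {"status": "active", "left": None},
}

# Directory export (constructed): one record per account.
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "created": date(2022, 1, 10), "last_logon": date(2024, 3, 29)},
    {"user": "bob",        "enabled": True,  "created": date(2021, 6, 1),  "last_logon": date(2024, 2, 2)},
    {"user": "carol",      "enabled": True,  "created": date(2020, 3, 3),  "last_logon": date(2023, 11, 1)},
    {"user": "svc_backup", "enabled": True,  "created": date(2023, 9, 9),  "last_logon": date(2024, 3, 30)},
    {"user": "erin",       "enabled": True,  "created": date(2024, 3, 20), "last_logon": None},
    {"user": "frank",      "enabled": False, "created": date(2019, 1, 1),  "last_logon": date(2023, 1, 1)},
]

# Approved access request tickets (constructed): username -> ticket reference.
APPROVED_REQUESTS = {"alice": "REQ-1001", "bob": "REQ-1002", "carol": "REQ-1003", "svc_backup": "REQ-1090"}


def enabled_accounts():
    """Only enabled accounts matter for the findings below; disabled ones are already contained."""
    return [a for a in ACCOUNTS if a["enabled"]]


def terminated_but_enabled():
    """Leavers whose account is still enabled; also flags use of the account after the leaving date."""
    findings = []
    for acct in enabled_accounts():
        hr = HR_ROSTER.get(acct["user"])
        if hr and hr["status"] == "terminated":
            findings.append({
                "user": acct["user"],
                "left": hr["left"],
                "last_logon": acct["last_logon"],
                "used_after_termination": bool(acct["last_logon"] and acct["last_logon"] > hr["left"]),
            })
    return findings


def accounts_without_hr_record():
    """Enabled accounts with no matching person in HR: service accounts or orphans needing a named owner."""
    return sorted(a["user"] for a in enabled_accounts() if a["user"] not in HR_ROSTER)


def accounts_without_approval():
    """Enabled accounts for which no approved access request exists (no audit trail for the grant)."""
    return sorted(a["user"] for a in enabled_accounts() if a["user"] not in APPROVED_REQUESTS)


def dormant_accounts(as_of=REVIEW_DATE):
    """Enabled accounts not used within DORMANT_AFTER; never-used accounts get NEW_ACCOUNT_GRACE."""
    dormant = []
    for acct in enabled_accounts():
        if acct["last_logon"] is None:
            if as_of - acct["created"] > NEW_ACCOUNT_GRACE:
                dormant.append(acct["user"])
        elif as_of - acct["last_logon"] > DORMANT_AFTER:
            dormant.append(acct["user"])
    return sorted(dormant)


if __name__ == "__main__":
    print("terminated but enabled:", terminated_but_enabled())
    print("no HR record:", accounts_without_hr_record())
    print("no approved request:", accounts_without_approval())
    print("dormant:", dormant_accounts())
```

The most severe finding in the sample is bob: terminated in January, still enabled, and logged on two weeks after leaving, which is the evidence an auditor needs to show the termination procedure is not operating, not merely undocumented.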
 
2. Observation: Inappropriate IT role management activities
 
Implication: Without managing role activities, roles accumulate privileges nobody approved, security breaches can occur, and IT controls can fail.
 
Recommendation: Role management activities (creating, modifying, and retiring roles in the IT environment) should be documented, verified, approved by the assigned data owner, and updated when necessary.
 
3. Observation: Inappropriate settings, review, and maintenance of IT logs
 
Implication: Without enabling, reviewing, securing, and maintaining IT logs, it is not possible to reconstruct past activities and their impact, nor to verify the completeness and accuracy of the logs that are generated.
 
Recommendation: Logging should be enabled at every level of the IT environment (infrastructure, operating systems, databases, and applications) and should cover all high-risk activities. Logs should be protected against tampering, reviewed by the data or process owner at a frequency based on the risk of the activity, and retained for an appropriate period for audit and forensic purposes.
 
Management should perform independent periodic reviews of security logs to ensure that applications/systems comply with internal policies, security requirements, and industry-leading practices. The results of these reviews should be formally documented and presented to management so that compliance is confirmed on a regular basis.
 
Management should consider implementing a Security Information and Event Management (SIEM) solution to address the significant log use cases, including:
  • Log management
  • Incident investigations and workflow
  • Incident response
  • Forensics
  • Real-time monitoring and alerting on threats
  • Available data collectors for popular data sources
  • Regulations and frameworks, including PCI DSS, SOX, NIST SP 800-53, ISO 27001/27002, COBIT, and SSAE 16 (since superseded by SSAE 18)
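An added example, not from the original article: a Python log review over constructed SSH authentication lines that implements three of the checks the recommendation asks for: a password-guessing burst from one source followed by a successful login (a likely credential compromise), privileged logins outside an approved window, and silent periods in the log that point to incomplete or disabled logging. The log lines, the privileged account list and the business-hours window are constructed assumptions; the IP addresses are from documentation ranges.

```python
"""Review constructed SSH authentication log lines for patterns an auditor or SOC analyst looks for.

The log lines are constructed sample data, not real captures.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2024-03-04T02:13:05Z host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
2024-03-04T02:13:07Z host1 sshd[1202]: Failed password for root from 203.0.113.7 port 50212 ssh2
2024-03-04T02:13:09Z host1 sshd[1205]: Failed password for root from 203.0.113.7 port 50213 ssh2
2024-03-04T02:13:11Z host1 sshd[1207]: Failed password for root from 203.0.113.7 port 50214 ssh2
2024-03-04T02:13:14Z host1 sshd[1209]: Failed password for root from 203.0.113.7 port 50215 ssh2
2024-03-04T02:13:20Z host1 sshd[1230]: Accepted password for root from 203.0.113.7 port 50220 ssh2
2024-03-04T09:00:00Z host1 sshd[1400]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
2024-03-04T09:00:05Z host1 sshd[1402]: Failed password for bob from 192.0.2.11 port 40001 ssh2
2024-03-04T15:30:00Z host1 sshd[1500]: Accepted publickey for bob from 192.0.2.11 port 40002 ssh2
2024-03-04T15:31:00Z host1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
PRIVILEGED_USERS = {"root", "admin"}   # assumed list of privileged accounts
BUSINESS_HOURS_UTC = range(8, 18)      # assumed approved window for interactive privileged logins


def parse(lines):
    """Parse syslog-style lines into event dicts; non-auth lines keep result/user/ip as None."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: in a real review, count these as a completeness finding
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        auth = AUTH_RE.match(m.group("msg"))
        events.append({
            "ts": ts, "host": m.group("host"), "proc": m.group("proc"),
            "result": auth.group("result") if auth else None,
            "user": auth.group("user") if auth else None,
            "ip": auth.group("ip") if auth else None,
        })
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs with at least `threshold` failures inside any `window` (password guessing)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), j - i + 1)
    return bursts


def successes_after_burst(events, bursts):
    """Successful logins from an IP that was guessing passwords: a likely credential compromise."""
    return [(e["ts"], e["ip"], e["user"]) for e in events if e["result"] == "Accepted" and e["ip"] in bursts]


def off_hours_privileged_logins(events):
    """Interactive logins by privileged accounts outside the approved window."""
    return [(e["ts"], e["user"], e["ip"]) for e in events
            if e["result"] == "Accepted" and e["user"] in PRIVILEGED_USERS
            and e["ts"].hour not in BUSINESS_HOURS_UTC]


def logging_gaps(events, max_gap=timedelta(hours=4)):
    """Silent periods longer than `max_gap`: a completeness check for missing or disabled logging."""
    times = sorted(e["ts"] for e in events)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    bursts = failed_login_bursts(evs)
    print("bursts:", bursts)
    print("success after burst:", successes_after_burst(evs, bursts))
    print("off-hours privileged:", off_hours_privileged_logins(evs))
    print("gaps:", logging_gaps(evs))
```

The gap check is deliberately crude: on a quiet host a multi-hour silence can be normal, so in practice the threshold is set per log source, or the check is replaced by a heartbeat event the collector expects at a fixed interval. The value of the burst-then-success rule is that it turns two individually noisy events into one high-confidence finding.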

 

4. Observation: Inappropriate data confidentiality management
 
Implication: Without encryption at the relevant layers (data at rest, data in transit, and backups), anyone who can reach the storage medium or the network path can read the data in clear text, regardless of the permissions enforced by the application.
 
Recommendation: Confidentiality should be enforced through encryption at every appropriate layer, using current standard algorithms, with the encryption keys managed and stored separately from the data they protect.
 
5. Observation: Inappropriate IT configuration management
 
Implication: Systems left at vendor default settings (default credentials, unnecessary services, permissive access) are predictable to an attacker, who can simply look those defaults up, which increases the likelihood of unauthorized activity.
 
Recommendation: IT configurations should be hardened from vendor defaults where appropriate, following a documented standard (for example, vendor hardening guides or CIS Benchmarks), and the resulting settings should be recorded in the configuration baseline.
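An added example serving both this observation and the configuration baseline observation in the IT Governance section (item 8), and not code from the original article: a Python check that parses an sshd_config export, determines the effective value of each baseline directive (including the vendor default that applies when a directive is absent), and reports drift from the documented baseline together with settings the host carries that the baseline never documented. It also encodes a subtlety that bites when a hardening line is simply appended to the file: sshd uses the first value it reads for a directive. The baseline, the defaults table and the config export are constructed for illustration.

```python
"""Compare a running sshd_config export against the documented configuration baseline.

Baseline values, vendor defaults and the config export below are constructed for illustration.
"""
import re

# Approved baseline (hypothetical): directive -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "3",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
    "PermitEmptyPasswords": "no",
}

# Effective value when a directive is absent from the file, as recorded in the baseline
# document (illustrative values modelled on OpenSSH; confirm against your version's manual).
VENDOR_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "MaxAuthTries": "6",
    "X11Forwarding": "no",
    "LogLevel": "INFO",
    "PermitEmptyPasswords": "no",
}

# sshd_config as exported from a host (constructed sample).
RUNNING_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
X11Forwarding no
# LogLevel VERBOSE         <- commented out, so the default applies
PermitRootLogin no         # appended later; sshd keeps the FIRST value, so this has no effect
"""


def parse_config(text):
    """Parse 'Directive value' lines. Comments and blanks are ignored; the first occurrence of a
    directive wins, matching sshd_config semantics (a later hardening line does not override)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+)\s+(.+?)\s*$", line)
        if m and m.group(1) not in cfg:
            cfg[m.group(1)] = m.group(2)
    return cfg


def drift_report(text):
    """Findings for every baseline directive whose effective value differs from the baseline."""
    cfg = parse_config(text)
    findings = []
    for key, expected in BASELINE.items():
        if key in cfg:
            actual, source = cfg[key], "explicit"
        else:
            actual, source = VENDOR_DEFAULTS.get(key), "default"
        if actual is None or actual.lower() != expected.lower():
            findings.append({
                "key": key, "expected": expected, "actual": actual, "source": source,
                "at_vendor_default": actual == VENDOR_DEFAULTS.get(key),
            })
    return findings


def undocumented_settings(cfg):
    """Directives present on the host that the baseline says nothing about (each needs a decision)."""
    return sorted(k for k in cfg if k not in BASELINE)


if __name__ == "__main__":
    for f in drift_report(RUNNING_CONFIG):
        print(f"{f['key']}: expected {f['expected']}, found {f['actual']} ({f['source']})")
    print("undocumented:", undocumented_settings(parse_config(RUNNING_CONFIG)))
```

The `source` and `at_vendor_default` fields are what make the report useful to the process owner: an explicit wrong value is a change that was made without going through change management, while a directive that is merely absent means the vendor default was never considered at all.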

 

Sample of IT Auditor Observations and Recommendations in IT Operations Management:

 

1. Observation: Absence of disaster recovery plans
 
Implication: Without defined, communicated, documented, and tested business continuity and disaster recovery plans, the organization may be unable to resume its normal operations promptly, resulting in potential financial losses in the event of a disaster or business interruption.
 
Recommendation: Management should develop comprehensive BCP and DRP documents to ensure that all essential aspects of critical business operations are adequately covered, with written plans for both business continuity and IT disaster recovery. The plans must be tested periodically to ensure proper and timely restoration of systems, and the testing must be adequately documented. Management shall consider setting up a business continuity executive steering committee whose primary responsibility is to oversee the overall implementation of the business continuity plan.
 
2. Observation: Inappropriate data backup controls
 
Implication: In the absence of a comprehensive data backup, it may be challenging to ensure the availability of information in case a recovery is required.
 
Recommendation: Management should remediate the risk by implementing several controls over the backup process, such as:
  • Formal, documented backup procedures governed by clear accountabilities
  • Periodic, documented backup and restore testing
  • Limiting full administrative access over the backup configuration
  • Encrypting off-site backups
  • A properly documented tape rotation schedule
  • Comprehensive backup error handling procedures
 
Regarding tape backup, management should develop a formal policy governing the sanitization/disposal of backup tapes, with a dedicated form listing all the steps to be carried out when disposing of or reusing data media. This form shall be signed and archived to establish an audit trail for future review. Such a procedure reduces the risk of unauthorized data access and confidentiality breaches.
 
Other recommendations for Backup controls/plans:
  • Have policies, procedures, and processes in place.
  • Have an organized training and awareness program for your employees.
  • Regularly update the plan with hardware, software, business, and staffing changes.
  • Test the plan using a worst-case scenario.
  • Have a recovery strategy.
  • Test offline backup media.
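An added example, not from the original article: a Python script for the documented backup and restore test recommended above. It records a SHA-256 manifest of the source tree at backup time (to be stored alongside the backup media), then verifies a restored copy against that manifest and reports missing, modified and unexpected files. The demo injects all three faults into a restore run in a temporary directory; all files and paths are constructed.

```python
"""Backup restore test: build an integrity manifest at backup time, then verify a restored copy.

Everything here runs in a temporary directory with constructed sample files.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (relative POSIX path) under root to its size and SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_of(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest: missing, modified and unexpected files."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in restored),
        "modified": sorted(k for k in manifest
                           if k in restored and restored[k]["sha256"] != manifest[k]["sha256"]),
        "extra": sorted(k for k in restored if k not in manifest),
    }


def restore_test_demo():
    """End-to-end demo: back up, save the manifest, restore with faults injected, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "etc").mkdir(parents=True)
        (src / "db").mkdir()
        (src / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (src / "db" / "app.sql").write_bytes(b"INSERT INTO t VALUES (1);\n" * 1000)
        (src / "README").write_text("constructed sample\n")

        manifest = build_manifest(src)
        manifest_path = Path(tmp, "manifest.json")
        manifest_path.write_text(json.dumps(manifest, indent=2))  # keep this with the backup media

        # Simulate a restore that went wrong: one file truncated, one lost, one unexpected.
        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)
        (restored / "db" / "app.sql").write_bytes(b"INSERT INTO t VALUES (1);\n" * 999)
        (restored / "etc" / "app.conf").unlink()
        (restored / "tmp").mkdir()
        (restored / "tmp" / "junk").write_text("left over\n")

        return verify_restore(json.loads(manifest_path.read_text()), restored)


if __name__ == "__main__":
    print(restore_test_demo())
```

A restore test that only checks "the job reported success" would pass all three faults; comparing against a manifest produced at backup time is what turns the test into evidence. The manifest itself should be stored on a different medium from the backup and, for off-site copies, protected with the same encryption, since an attacker who can alter both can hide tampering.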

 

 

Sample of IT Auditor Observations and Recommendations in IT Change Management:

 

1. Observation: Absence of change requests classifications
 
Implication: Without classifying change requests, emergency changes might take longer to resolve, leading to operational/technical/financial impacts on the organization.
 
Recommendation: Management should implement an IT change request classification, including the classification levels and the resolution process for each. Classifications should be documented, approved, and shared with the related parties.
 
2. Observation: Inappropriate documentation of testing IT changes.
 
Implication: Without documenting the change test scenarios, it will be hard to keep track of the results of the test and react to the results accordingly.
 
Recommendation: IT changes test scenarios should be documented, approved, and archived for an appropriate period. The procedures should also require that test results are maintained for future reference. 
 
Management shall develop and apply test cases and test plans that will be followed during the testing phase. 
 
Moreover, prior to testing, changes along with testing scenarios and cases shall be documented. After satisfactory completion of the pre-defined tests, users should sign off to formally approve system changes or enhancements. This will reduce the risk of failure to catch errors during the implementation of a change to a system or application. Testing documentation must be retained for audit trail purposes if future processing problems occur. 
 
Management shall request, obtain and maintain adequate technical documentation for all applications/systems deployed within the organization.

 

Conclusion: the Benefits of Being Audited:

An IT audit provides numerous benefits to an organization:
  • Assesses the efficient and responsible use of resources
  • Improves data security
  • Enhances IT governance and compliance
  • Evaluates current systems
  • Identifies and helps prevent security breaches
  • Determines the adequacy of internal controls
  • Promotes best practices for controls
  • Ensures compliance with policies and regulations

 


