Introduction:
Organizations depend on their technology to function and to achieve their strategic objectives; they cannot perform their critical operations without their IT systems, and the technological complexity of organizations keeps increasing.
This article, Information Technology Audit (IT Audit) in a Nutshell, gives the reader an awareness of the vital concepts and principles required to understand the audit function and IT Audit, based on the Information Systems Audit and Control Association (ISACA), the International Organization for Standardization (ISO) [iso.org], the IT Assurance Framework (ITAF), Control Objectives for Information and Related Technologies (COBIT) [isaca.org], the Institute of Internal Auditors [theiia.org], and the National Institute of Standards and Technology (NIST) [nist.gov].
ISACA is a global organization focused on IT Governance that provides IT professionals with knowledge of risk-based audit, governance, privacy, and security. ITAF requires that the IT audit and assurance function use an appropriate risk assessment approach and supporting methodology to develop the overall IT infrastructure audit plan and to determine priorities for the effective allocation of IT audit resources. COBIT aims to build an IT Governance framework that effectively controls the organization's IT activities, and it provides a common language in which IT professionals, business executives, and compliance auditors can communicate about IT control objectives and outcomes.
Every organization shall define an audit policy. Within this policy, the auditing requirements and frequency state the types of audits performed, who performs them, and how often. The policy delineates the authority for remediating audit issues found in the process. It should also define the auditing requirements for business partners and subcontractors, which should be included in all contracts with third parties who could impact the organization's overall security. Audit policies typically include event-trigger provisions based on the organization's risk assessments.
To ensure that Audit Teams/Auditors can perform the audit work, they should:
In addition to ensuring Auditor competency, Audit Managers/Lead Auditors should:
Terms and Definitions:
Before we start, here are some clarifications needed to understand the Audit and IT Audit concepts:
Standards vs. Frameworks:
Audit Accountability and Continuous Auditing:
Every organization needs to understand the status of its own IT infrastructure and decide the level of protection and control it should provide. The question is: how do we manage risk and secure the information and IT assets? Since both goals are tied directly to best practices, the aim is to use a generally accepted common standard that defines the complete set of controls for effective IT Governance. Such a standard gives the organization a generally applicable and accepted basis for judging good IT security and control practices, and it also supports determining and monitoring the appropriate level of IT security and control for a given organization.
While auditing any organization's IT infrastructure, frameworks such as COBIT and the ISO 27000 series can help the organization apply best practices. COBIT aims to build a governance framework that controls the organization's activities effectively. ISO/IEC 27001 is the best-known information security standard and specifies the requirements for an information security management system (ISMS). In practical use, COBIT and ISO 27000 are primarily oriented toward conventional business IT.
Auditing is accountable to:
Continuous Auditing, per the Journal of Accountancy, includes:
Auditing and Management Perspective:
An audit process aims to assure management that its formal controls are sufficient, or to advise management where processes need improvement. From the management perspective, the obvious question is: "Am I doing all right? If not, how can I fix it?" Auditing helps to answer these questions. Proper audit procedure calls for a comprehensive risk assessment to determine which control objectives must be specifically focused on and which may be set aside. The audit objective is to determine whether or not controls are adequate to ensure the reliable processing of information. The audit establishes and enforces organizational accountability and control, which requires the explicit description and regular assessment of an identified resource.
Audit Objectives:
The primary objectives of an audit include the following:
Compliance Audit promotes Good Governance:
Any organization needs to establish measures to ensure the control and security of its IT infrastructure. From a management point of view, controls are the means of determining whether what is intended is actually being accomplished. Controls are useless if ineffective, so management needs to ensure that every control is effective and can be justified in cost terms. Verifying this is one of the essential parts of an audit.
Controls are necessary to assess whether the organization is meeting its goals. For the control process to work, responsibility for the business or IT process must be clearly assigned and accountability must be unambiguous. If not, control information will not flow, and corrective action will not be taken. Controls can be standalone for a given purpose or integrated with other controls to achieve general accountability.
The formulation of the control process must be direct and action-oriented, yet generic enough to give the direction needed to bring the organization's information and related processes under control and to monitor the achievement of organizational goals.
The objectives of control system auditing are to provide management with reasonable assurance the control objectives are being met, and then where there are significant control weaknesses, to substantiate the resulting risks and advise management on corrective actions. Therefore, the auditing process is built around evaluating the appropriateness of stated controls and obtaining an explicit understanding of the relevant business requirements and their related risks and the control measures that have been deployed to address those risks and requirements. The generally accepted structure of the auditing process is to identify and document explicit control behaviors, evaluate their effectiveness, assess their compliance with their intended purpose, and substantively test for correctness and effectiveness. Compliance is evaluated by testing whether the stated controls work as prescribed, consistently, and continuously. The risk of not meeting control objectives is substantiated by using analytical techniques and/or consulting alternative sources.
IT Governance accomplishes its aims by building a comprehensive structure of rational procedures and relationships, which can be employed to direct and control information assets. As a result, IT Governance establishes a tangible link between the organization's IT resources and its information and business strategy. Ideally, it does this in such a way that it adds value to the organization's purposes.
Organizational Governance aims to build a tangible control and accounting structure to maintain accountability for specific organizational functions. In comparison, Information Governance is enabled by the specification of policies, organizational structures, practices, and procedures required to achieve particular ends. That includes the definition of explicit control elements for any given requirement. This is comprehensive and coherent for the aspect being controlled. It is based on explicit control objectives, the outcome of which is observable. Properly stated, this ensures that due professional care is exercised in the management, use, design, development, maintenance, or operation of Information Systems and Information Assets.
IT Governance involves several related processes that create and enforce ongoing organizational accountability within a control framework. For IT in particular, this is a different orientation from the usual assessments done for process development. Information governance aims to explicitly account for and manage an identified resource on a systematic and ongoing basis, much as money or parts inventory is accounted for. Assessment, by contrast, is exploratory and often one-shot: it is done to find out something specific about an organizational function.
Audit Findings and Risk Treatment:
Following the opening meeting, the Auditors prepare their working documents, including all necessary checklists and forms. The checklists are used to evaluate IT system elements, while the forms are used to record observations and evidence. The Auditors then collect the evidence using these documentation tools. Audit evidence is collected by:
Risk treatment aims to manage the significance of a risk by addressing its likelihood, its impact, or both. Where audit findings show that a control's performance falls below acceptable thresholds, the organization should assess the residual risk and determine whether mitigation, transfer, or acceptance is the correct approach. In some cases it is impossible to reduce a risk further; for example, a legacy system may be required as part of an established business function. Changing the business process or outsourcing the function may then be necessary to avoid the risk, and it may also be necessary to rethink the IT infrastructure.
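The test-of-controls and residual-risk steps described above (identify the prescribed control behaviour, test whether it operated consistently across the population, rate the residual risk of the exceptions) can be automated, which is what continuous auditing tooling does. The following Python script is an added worked example, not code from the original article or from any of the standards it cites. Everything in it is an assumption made for illustration: the account export is constructed sample data from a hypothetical identity system, the two control objectives, the 90-day dormancy threshold, the 5% tolerable deviation rate and the 3x3 likelihood-by-impact matrix are invented, and none of the figures come from ISACA, ISO or NIST.

```python
"""Automated test of controls over a constructed account export.

Added example: the control objectives, the tolerable deviation rate,
the dormancy threshold, the risk matrix and the sample data below are
all assumptions made for illustration, not figures from any standard.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Callable

# Constructed evidence: an account export from a hypothetical identity system,
# as an auditor might receive it for the period ending AS_OF. Not real data.
AS_OF = date(2024, 6, 1)
ACCOUNT_EXPORT = [
    {"user": "alice", "privileged": True,  "mfa": True,  "enabled": True,  "last_login": date(2024, 5, 28)},
    {"user": "bob",   "privileged": True,  "mfa": False, "enabled": True,  "last_login": date(2024, 5, 30)},
    {"user": "carol", "privileged": False, "mfa": False, "enabled": True,  "last_login": date(2024, 1, 10)},
    {"user": "dave",  "privileged": False, "mfa": True,  "enabled": False, "last_login": date(2023, 11, 2)},
    {"user": "erin",  "privileged": True,  "mfa": True,  "enabled": True,  "last_login": date(2024, 5, 1)},
    {"user": "frank", "privileged": False, "mfa": False, "enabled": True,  "last_login": date(2024, 5, 15)},
    {"user": "grace", "privileged": False, "mfa": True,  "enabled": True,  "last_login": date(2024, 4, 20)},
    {"user": "heidi", "privileged": True,  "mfa": True,  "enabled": True,  "last_login": date(2024, 5, 20)},
    {"user": "ivan",  "privileged": False, "mfa": False, "enabled": True,  "last_login": date(2024, 3, 10)},
    {"user": "judy",  "privileged": True,  "mfa": False, "enabled": False, "last_login": date(2023, 12, 1)},
]

DORMANT_DAYS = 90                # assumed policy: disable accounts idle longer than this
TOLERABLE_DEVIATION_RATE = 0.05  # assumed: above this rate the control is rated ineffective


@dataclass
class Control:
    control_id: str
    objective: str
    impact: int                      # 1 (low) .. 3 (high), assumed impact of control failure
    applies: Callable[[dict], bool]  # which records the control covers
    passes: Callable[[dict], bool]   # the prescribed behaviour for a covered record


@dataclass
class Finding:
    control_id: str
    population: int
    exceptions: list[str] = field(default_factory=list)

    @property
    def deviation_rate(self) -> float:
        return len(self.exceptions) / self.population if self.population else 0.0

    @property
    def effective(self) -> bool:
        return self.deviation_rate <= TOLERABLE_DEVIATION_RATE


def _recent(acct: dict) -> bool:
    """True when the account was used within the assumed dormancy window."""
    return (AS_OF - acct["last_login"]).days <= DORMANT_DAYS


CONTROLS = [
    Control("AC-1", "Enabled privileged accounts are protected by MFA", impact=3,
            applies=lambda a: a["privileged"] and a["enabled"],
            passes=lambda a: a["mfa"]),
    Control("AC-2", f"Accounts idle for more than {DORMANT_DAYS} days are disabled", impact=2,
            applies=lambda a: True,
            passes=lambda a: (not a["enabled"]) or _recent(a)),
]


def evaluate_control(control: Control, population: list[dict]) -> Finding:
    """Test one control over every record it covers and list the exceptions."""
    covered = [a for a in population if control.applies(a)]
    finding = Finding(control.control_id, len(covered))
    finding.exceptions = [a["user"] for a in covered if not control.passes(a)]
    return finding


def run_audit(population: list[dict] = ACCOUNT_EXPORT,
              controls: list[Control] = CONTROLS) -> dict[str, Finding]:
    """Run every control test over the population; one Finding per control."""
    return {c.control_id: evaluate_control(c, population) for c in controls}


def likelihood(deviation_rate: float) -> int:
    """Assumed mapping from the observed deviation rate to a likelihood of 1..3."""
    if deviation_rate == 0:
        return 1
    return 2 if deviation_rate <= 0.10 else 3


def residual_risk(control: Control, finding: Finding) -> str:
    """Assumed 3x3 matrix: score = impact x likelihood, rated High/Medium/Low."""
    score = control.impact * likelihood(finding.deviation_rate)
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"


if __name__ == "__main__":
    results = run_audit()
    for control in CONTROLS:
        f = results[control.control_id]
        print(f"{control.control_id} {control.objective}")
        print(f"  population={f.population} exceptions={f.exceptions} "
              f"rate={f.deviation_rate:.0%} effective={f.effective} "
              f"residual risk={residual_risk(control, f)}")
```

Two design points matter here. First, each control defines its own population through `applies`: judy is privileged but disabled, so she is not an exception for AC-1 even though she lacks MFA, which is the kind of scoping decision an auditor has to document. Second, the script separates the compliance test (did the control operate as prescribed, measured against a tolerable rate) from the risk rating (what the exceptions mean); on this sample AC-2 fails the compliance test with a single exception yet rates only Medium, while AC-1 rates High. The treatment decision itself, whether to mitigate, transfer or accept, stays with management.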
Audit Plan:
An Auditor must understand the overall environment under review when planning an audit. This should include a general understanding of the various business practices and functions relating to the audit subject and the types of information systems and technology supporting the activity. For example, interview appropriate management and staff to understand the following:
The audit plan describes the audit process: the engagement scope and objectives, the audit criteria, the audit program, the review and evaluation of evidence, and how audit conclusions and opinions are communicated. The organization's audit plan should be based on the business risks related to its use of IT.
The audit plan process should be reviewed periodically, typically at least annually, to evaluate new control requirements based on changes in the risk environment, technologies, and business processes and enhanced audit evaluation techniques.
IT Audit process includes:
Sample IT Audit Scope:
The Auditor's review of the IT systems infrastructure should be concluded within a defined time period. In this sample scope, the IT Auditor's mission is to examine and evaluate whether the controls implemented under ISO/IEC 27001 are adequate and effective in achieving the stated goals and objectives of the organization's Information Security Management System (ISMS) project.
The review can be performed according to the risk and control evaluation of the auditee's IT processes and sub-processes. The IT audit scope includes, for example:
Audit Phases:
The basic steps in the performance of an audit usually include the following:
Auditors will document the process-related IT resources affected by the process under review to obtain the requisite information. Auditors must confirm the understanding of the process under review, key indicators of the process's adequate performance, and the control implications. The effectiveness and appropriateness of control measures for the process under review, or the degree to which the control objective is achieved, can be evaluated using the following criteria:
A different set of audit steps is necessary to ensure that the established control measures are working as prescribed; these require the Auditor to obtain direct or indirect evidence that the controls operated as intended throughout the period under review. Using both direct and indirect evidence, the Auditor performs a limited review of the adequacy of the process deliverables and then determines the level of substantive testing and additional work needed to conclude that the IT process is adequate.
Finally, audit steps need to be performed to substantiate the risk of the control objective not being met. These steps aim to support the Audit Report and drive the management into action where necessary. Auditors have to be creative in finding and presenting this often sensitive and confidential information:
When assessing control mechanisms, reviewers should be aware that controls operate at different levels of the operation and the lifecycle, and that they have defined relationships with one another. The selected control framework will give some indication of the different control processes, classes, and interrelationships, but the actual implementation or assessment of control systems needs to take this added dimension of complexity into account.
Audit Steps:
The audit begins with a review of all aspects of the audit target, including all of the current system documentation. If the preliminary assessment indicates that the system is so inadequately controlled that a meaningful audit is not possible, the audit process should go no further at that stage. This early exit point is essential because every audit is expensive and time-consuming.
However, if there is reason to assume that the system's controls are in a condition to be audited, an audit plan should be prepared. This is typically executed by the Lead Auditor and approved by the client before the audit begins. The audit is initiated through an opening meeting with the auditee's senior management.
Following the collection phase, any evidence obtained through interviews must be corroborated from other sources. Interview evidence is subjective in nature, so it should, whenever possible, be confirmed by more objective means. Any clues in this evidence that point to possible control system nonconformities must be thoroughly investigated. The Auditors then document their observations using all the evidence gathered.
Following the analysis and documentation work, the audit team compiles a prioritized list of key nonconformities based on the evidence obtained. The Auditors conclude how well the control system complies with the requisite policies and how effectively it achieves its stated objectives. Finally, the Auditors discuss their evidence, observations, conclusions, and nonconformities with the auditee's senior managers before preparing the final Audit Report.
To identify the key risks effectively, the Auditor must understand the organization's environment, the external and internal factors affecting it, its selection and implementation of policies and procedures, its objectives and strategies, and how it measures performance. The Auditor should also be familiar with the Plan-Do-Check-Act (PDCA) continuous improvement cycle [sixsigma.com]. The standard elements of the conventional audit process are:
Business risk is the most crucial driver of the audit program. An audit program is a set of audit instructions and procedures that should be performed to complete an audit. Essentially the audit program includes the following:
The first step of the audit process is to determine the correct scope of the audit. This requires investigation, analysis, and definition of the business processes concerned. The IT roles and responsibilities that might be investigated include in-house or outsourced organizational units and functions, together with the associated business risks and strategic choices. The platforms and information systems that support the business process are audit targets, as are their connections with other systems.
The next step is identifying the information requirements of particular relevance concerning the business processes. Along with that comes the need to identify the inherent IT risks and the overall level of control that can be associated with the business process. To carry this out properly, there is a need to identify the following:
IT Audit Report:
IT Audit Reports can include suggestions, arising from the audit, for improving accounting procedures, internal controls, and other aspects of the auditee organization's business. The Auditor is limited to the scope of the audit; if the auditee wants the Auditor to review existing systems for weaknesses and present detailed recommendations to improve them, a more extensive engagement is needed.
Identifying and remedying control deficiencies is essential to an effective control process. Where a material control deficiency is identified, the Auditor must report its status to the audit client. Items of noncompliance are normally reported in the Auditor's final report.
Every audit produces some form of recommendations for corrective action. Those recommendations normally follow their own process, independent of the audit's conclusion. The audit follow-up process should be officially planned and organized as part of audit planning. It consists of formal steps to verify that the rework has been performed and to submit a close-out report detailing the particular audit's purpose and scope and the results for the audited organization.
The Lead Auditor is responsible for preparing the report. The Lead Auditor sends the Audit Report to the client, and the client sends it to the auditee. The auditee is expected to take the necessary actions to correct or prevent control system nonconformities. Follow-up audits may be scheduled to verify that corrective and preventive actions were taken.
Summary:
Before an auditee consults an IT Auditor, the organization should know the best practices for IT systems infrastructure implementation by seeking out industry-accepted and vetted sources, including the major standards and frameworks from ISO, NIST, IIA, ISACA, ITAF, and COBIT.
The implementation of these standards/frameworks/guidelines should be done in accordance with the principle of proportionality and strategic alignment, taking into account the scale and complexity of operations, the nature of the activity engaged in, the types of services provided, and the corresponding IT Infrastructure and security risks related to the organization’s processes and services.
IT auditing should be closely aligned with the business strategy and direction by adopting a risk-based auditing approach alongside the standards, frameworks, and guidelines mentioned above, and the audit process shall follow best-practice standards and frameworks. Keep in mind that IT exists only to assist and advance the organization's objectives, and that it poses a risk to the organization if its failure makes the business purpose impossible to achieve.
Generally, IT Auditor review is primarily based on inquiry, interviewing, observation, and analytical review procedures supplemented by limited testing of processes, reports, and reconciliations. The resulting issues and recommendations are discussed with management during the audit and before the finalization of the Audit Report.
References: