IT Audit and Information System Security

IT audit and information system security services deal with the identification and analysis of potential risks, their mitigation or removal, with the aim of maintaining the functioning of the information system and the organization's overall business.

Our services include:

IT System Audit, Review and Assessment

An IT audit is an assessment of IT system management and its alignment with corporate management, vision, mission and organizational goals.

The goals of IT system audit, review and assessment:

  • Systematize, improve and integrate business procedures and the coverage of business information in the information system
  • Identify risks and weaknesses, thus enabling the definition of solutions for introducing controls over processes supported by IT
  • Accelerate the business information collection process
  • Centralize the control system and eliminate bottlenecks in information flow through the IS
  • Regulatory compliance
  • Reduce IT-related costs, as they represent a significant proportion of the organization's total costs
  • Ensure information confidentiality, integrity and availability
  • Assess ERP system before and after implementation
  • Align IT assessment and IT strategy
  • Attain IT management standards

Deloitte Approach:

  • Testing logical and physical security controls
  • Testing IT operations
  • Testing disaster recovery procedures
  • Testing business continuity
  • Data integrity assessment (process assessment, controls identification...)
  • Assessment of controls over critical system platforms, network and physical components, IT infrastructure supporting relevant business processes
  • IT strategy preview
  • IT organization review (organizational structure, leadership...)
  • IT process review (helpdesk, service management, application management oversight)


  • Reliable IT controls and risk management capability
  • Security information management enabled
  • Improved data availability and integrity
  • Improved ability to enter new markets
  • Enhanced reputation
  • Long-term savings
  • Revenue growth

IT Risk Management

IT risk management enables measuring, managing and controlling IT-related risks, thus enhancing the reliability of processes and the entire information system.

Key areas:

  • Security and Privacy (Information leakage prevention, Security of changes, Biometrics and identity management)
  • Data (Data privacy, Data quality, Data access)
  • Resilience and Continuity (Recovery after IS failure, Resilience and preparedness, Testing, drills and simulations)
  • Fraud (IT forensics, Fraud risk management)
  • Payments (Payment risk management, PSD/SEPA preparedness, Sanctions OFAC)
  • Projects and Testing (Project risk management, Test management, Implementation of tests)
  • Contracts (Contracting risk, Supplier risk management)
  • IT Controls (Controlling changes, Technology risk management, Organization-level risk management, IT internal audit)

IT Due Diligence

IT Due Diligence entails a comprehensive analysis of the organization's IT sector to ascertain its alignment with business goals and the extent to which it supports other parts of the organization. It is commonly performed when a potential investor/partner wishes to gain insight into the level of IT support to business and IT resources.

IT audit

  • Activities:
      • Interviews with business users and IT staff
      • Documentation analysis
      • Software controls check
  • Methodology: Cobit, Deloitte Express
  • Results: A detailed description of IT audit by control objectives, with a description of control objectives, findings and best-practice recommendations.

Resource analysis

  • Activities: Analysis of hardware, applications, operating systems, IT resources
  • Methodology: Cobit, Deloitte Express
  • Results: A detailed description of resource analysis results, with findings and best-practice recommendations.

Information system adequacy assessment

  • Results: An assessment of the adequacy and relevance of the existing information system and its support to the organization's business.