IT Auditing: The processes involved and its importance in today’s business
By Bernard Farrugia
Nowhere to hide
In his 1997 best-selling book, "The Innovator's Dilemma", Professor Clayton M. Christensen coined the term ‘disruptive technologies’ to describe the creation of a ground-breaking product, service or platform to transform the established way of doing things. Since then, the prevalence and impact of this phenomenon has soared. Just think of the impact that smartphones and social networks have had on landlines and traditional advertising respectively. Recent surveys show that more than 8 out of 10 private consumers and 19 out of 20 business purchasers undertake online research before making purchasing decisions.
Couple this with the potential for massive breaches of data, such as in the case of the Ashley Madison dating website, and we can see that reputations are more critical and vulnerable than they have ever been. Even if you do not consider your organisation to be ‘high tech’, it’s of critical business importance not to have your head buried in the sand when it comes to technology risks. There is nowhere to hide from today’s IT risks.
What Is IT Audit?
Internal auditing in general is defined by the Institute of Internal Auditors as an ‘independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’
Building on this, Kenneth Magee, a leading practitioner in the field of IT auditing, defined an IT audit as any audit that encompasses both the review and the evaluation of automated information processing systems, their relation to automated processes and the interfaces among them.
Therefore, as with other types of audits, IT Audit work can include assignments that provide assurance or advice. An IT Audit typically evaluates and reports upon the procedures and control environment around the IT systems in place within an enterprise with a view to achieving more effective management of the risks to which the entity is exposed.
How to plan an IT audit?
The critical ingredients involved in planning an IT audit are an appreciation of the IT environment, understanding the IT risks and pinpointing the resources required to carry out the work. We will cover each in turn.
The IT environment - An appreciation of the IT environment flows from an understanding of the internal IT procedures and operations of the subject under review. This cannot be stressed enough. Without this basic understanding it is likely that audit work will be misdirected, raising the risk of drawing unsuitable or incorrect conclusions. This initial research work should involve a high-level review of the IT procedures and control environment in place, focusing on the basic principles of IT security, which are Confidentiality, Integrity and Availability. At a minimum, the areas covered at this stage would be:
a) Change Management, i.e. the change controls around software and hardware updates to critical systems;
b) Access Security, i.e. the access controls enforced to enter the systems both internally and externally; and
c) Business Continuity and Disaster Recovery, i.e. the ability of an enterprise to safeguard information assets from unforeseen threats or disasters and to recover from them quickly.
Having this level of understanding will enable the IT auditor to plan out their work efficiently and effectively.
IT risks - As is the case for other types of professionally handled audit work, these days most IT auditors apply the risk-based approach to planning and performing their work. This involves identifying the most important risks, linking these to control objectives and identifying specific controls to mitigate these risks. In this respect, IT auditing standards/guidelines (e.g. ISO 27001 & COBIT 5) may be used by the IT Auditor to identify or advise on controls that will reduce the risks identified to an acceptable level.
Resources required – The last important piece in the audit planning jigsaw is to assess the amount of work involved including the need for specialist expertise. With the timing and availability of suitable IT audit human resources typically being a challenge, getting this step right should result in higher quality and lower cost audit work.
Executing an IT Audit
Having defined the controls which are expected to be in place, the IT Auditor will gather the evidence to determine whether the stated controls are designed and operating effectively. This may require subjective judgment on the auditor’s part and is where the IT auditor’s experience can bring real value to the exercise. Control weaknesses should be documented and included as findings in a report to those charged with governance.
Making IT real
Last year, a US financial institution handed over a $225,000 fine following an incident in which one of the firm's IT employees lost an unencrypted laptop in a restroom. In this case, enabling policies where encryption would be forced on all company laptops could have reduced such a risk and possibly prevented the fine, as well as the loss of credibility which might have ensued.
In the workplace there is an increasing awareness that risks of this type need to be managed. Is there a better way to achieve this than through an expert review of the IT environment? Certainly, with the ‘Internet of Things’ well and truly upon us, one must expect further disruption, and with it the inevitable necessity for a dynamic understanding of internal IT processes and the attendant risks.