IT auditors often need to educate the business community about how their work adds value to an organization. Internal audit departments typically have an IT audit component that is deployed with a clear understanding of their role in an organization. However, in our experience as IT auditors, the broader business community needs to understand the IT audit function to achieve maximum benefit. In this context, we publish this brief overview of the concrete advantages and added value of an IT audit.
Specifically, IT audits can cover a wide range of IT processing and communication infrastructure, such as client-server systems and networks, operating systems, security systems, software applications, web services, databases, telecommunications infrastructure, change management procedures and disaster recovery planning.
The process of a standard audit begins with identifying risks, then evaluating the control design, and finally testing the effectiveness of the controls. Skilled auditors can add value at every stage of the audit.
Organizations generally have an IT audit function to ensure that technology controls are effective and that the organization complies with state or industry regulatory requirements. As investments in technology increase, IT audit can provide reassurance that risks are under control and large losses are unlikely. An organization may also determine that there is a high risk of failure, a security threat, or a vulnerability. There may also be regulatory compliance requirements such as the Sarbanes Oxley Act or industry-specific requirements.
Below, we discuss five key areas where IT auditors can add value to an organization. Of course, the quality and depth of a technical audit is a prerequisite for value creation. The planned scope of an audit is also crucial for value creation. Without a clear mandate about what business processes and risks are being audited, it is difficult to ensure success or value.
Here are our top five ways an IT audit adds value:
1. Reduce risk. Planning and conducting an IT audit consists of identifying and evaluating IT risks in an organization.
IT audits typically cover risks related to the confidentiality, integrity and availability of information technology infrastructure and processes. Other risks include the effectiveness, efficiency and reliability of IT.
Once the risks are assessed, there can be a clear idea of what course to take – reduce or mitigate the risks through controls, transfer the risk through insurance, or simply accept the risk as part of the operating environment.
A key thought here is that IT risk is a business risk. Any threat or vulnerability to critical IT operations can have a direct impact on an entire organization. In short, the organization needs to know where the risks lie and then take action against them.
IT risk best practices used by auditors include the ISACA COBIT and RiskIT frameworks and the ISO/IEC 27002 Code of Practice for Information Security Management standard.
2. Strengthen controls (and improve security). After the risk assessment described above, controls can then be identified and evaluated. Poorly designed or ineffective controls can be redesigned and/or strengthened.
The COBIT framework for IT controls is particularly useful here. It consists of four high-level domains covering 32 control processes useful for risk mitigation. The COBIT framework covers all aspects of information security, including control objectives, key performance indicators, key target indicators, and critical success factors.
An auditor can use COBIT to assess the controls in an organization and make recommendations that add real value to the IT environment and the organization as a whole.
Another control framework is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model of internal controls. IT auditors can use this framework to ensure (1) operational effectiveness and efficiency, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations. Two of the framework's five components relate directly to controls: the control environment and control activities.
3. Comply with the regulations. Extensive regulations at federal and state level contain specific requirements for information security. The IT auditor performs a critical function by ensuring that specific requirements are met, risks are assessed, and controls are implemented.
The Sarbanes Oxley Act (Corporate and Criminal Fraud Accountability Act) contains requirements for all public companies to ensure that internal controls are adequate, as defined in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework discussed above. It is the IT auditor who ensures that these requirements are met.
The Health Insurance Portability and Accountability Act (HIPAA) has three sets of IT requirements: administrative, technical, and physical. The IT auditor plays a key role in ensuring compliance with these requirements.
Various industries have additional requirements, such as the Payment Card Industry (PCI) Data Security Standard in the credit card industry, e.g. Visa and Mastercard.
In all of these compliance and regulatory areas, the IT auditor plays a central role. An organization needs assurance that all requirements are met.
4. Facilitate communication between business and technology management. An audit can have the positive effect of opening communication channels between an organization’s business and technology management. Auditors question, observe and test what is happening in reality and in practice. The end result of an audit is valuable information in written reports and oral presentations. Senior management can get direct feedback on how their organization is performing.
Technology professionals in an organization also need to understand senior management’s expectations and goals. Auditors support this top-down communication by attending meetings with technology management and by reviewing the current implementation of policies, standards and guidelines.
It is important to understand that IT audit is a key element in management’s oversight of technology. An organization’s technology is designed to support business strategy, functions and operations. Alignment of business and enabling technology is critical. The IT audit maintains this alignment.
5. Improve IT governance. The IT Governance Institute (ITGI) has published the following definition:
“IT governance is the responsibility of executives and the board of directors and encompasses the leadership, organizational structures and processes that ensure that the organization’s IT supports and enhances the strategies and goals of the organization.”
The management, organizational structures and processes mentioned in the definition all point to IT auditors as key actors. Central to IT audit and all IT management is a strong understanding of the values, risks and controls surrounding an organization’s technology environment. More specifically, IT auditors examine the value, risks and controls in each of the key components of technology – applications, information, infrastructure and people.
Another perspective on IT governance consists of a framework with four main objectives, which are also discussed in the IT Governance Institute documentation:
* IT is aligned with business
* IT enables business and maximizes value
* IT resources are used responsibly
* IT risks are appropriately managed
IT auditors ensure that each of these goals is met. Each objective is critical to an organization and therefore critical to the IT audit function.
In summary, IT audits add value by reducing risk, improving security, complying with regulations, and facilitating communication between technology and business leadership. Finally, IT audit improves and strengthens overall IT governance.
References:
ISACA. Control Objectives for Information and Related Technology (COBIT).
ISO/IEC 27002. Code of Practice for Information Security Management.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control Framework.