
Top Five Benefits of IT Auditing

IT auditors often find themselves educating the business community on how their work adds value to an organization. Internal audit departments typically have an IT audit component that is implemented with a clear perspective of its role in an organization. However, in our experience as IT auditors, the business community at large needs to understand the IT audit function to get the maximum benefit. In this context, we publish this brief summary of the specific benefits and added value that an IT audit provides.

To be specific, IT audits can cover a wide range of IT communications and processing infrastructure, such as client-server systems and networks, operating systems, security systems, software applications, web services, databases, telecommunications infrastructure, change management procedures and disaster recovery planning.

The sequence of a standard audit begins with the identification of risks, then the design of the controls is evaluated, and finally the effectiveness of the controls is tested. Expert auditors can add value at every stage of the audit.

Companies generally maintain an IT audit function to provide assurance over technology controls and to ensure regulatory compliance with federal or industry-specific requirements. As investments in technology increase, IT auditing can provide assurance that risks are controlled and that large losses are not likely to occur. An organization may also determine that there is a high risk of disruption, security threat, or vulnerability. There may also be requirements for regulatory compliance, such as the Sarbanes-Oxley Act, or specific industry requirements.

Here we look at five key areas where IT auditors can add value to an organization. Of course, the quality and depth of a technical audit is a prerequisite for adding value. The planned scope of an audit is also critical to added value. Without a clear mandate on which business processes and risks will be audited, it is difficult to guarantee success or value added.

So these are our top five ways an IT audit adds value:

1. Reduce risk. Planning and executing an IT audit consists of identifying and assessing IT risks in an organization.

IT audits generally cover risks related to the confidentiality, integrity, and availability of information technology infrastructure and processes. Additional risks include IT effectiveness, efficiency, and reliability.

Once risks are assessed, there can be a clear vision of what course to take: reducing or mitigating risks through controls, transferring risk through insurance, or simply accepting risk as part of the operating environment.

A fundamental concept here is that IT risk is business risk. Any threat or vulnerability to critical IT operations can have a direct effect on the entire organization. In short, the organization needs to know where the risks are and then do something about them.

The best IT risk practices used by auditors are the ISACA COBIT and Risk IT frameworks and the ISO/IEC 27002 standard ‘Code of practice for information security management’.

2. Strengthen controls (and improve security). After evaluating risks as described above, controls can be identified and evaluated. Poorly designed or ineffective controls can be redesigned and/or strengthened.

The COBIT framework of IT controls is especially helpful here. It consists of four top-level domains that cover 32 useful control processes to reduce risk. The COBIT framework covers all aspects of information security, including control objectives, key performance indicators, key goal indicators, and critical success factors.

An auditor can use COBIT to evaluate controls in an organization and make recommendations that add real value to the IT environment and the organization as a whole.

Another control framework is the internal controls model of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). IT auditors can use this framework to ensure (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting, and (3) compliance with applicable laws and regulations. Two of the framework's five components relate directly to controls: the control environment and control activities.

3. Comply with regulations. A wide range of regulations at the federal and state levels include specific requirements for information security. The IT auditor plays a critical role in ensuring that specific requirements are met, risks are assessed, and controls are in place.

The Sarbanes-Oxley Act (Corporate and Criminal Fraud Liability Act) includes requirements for all public companies to ensure that internal controls are adequate as defined under the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework discussed above. It is the IT auditor who provides the assurance that these requirements are met.

The Health Insurance Portability and Accountability Act (HIPAA) has three areas of IT requirements: administrative, technical, and physical. It is the IT auditor who plays a key role in ensuring compliance with these requirements.

Various industries have additional requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), which applies to organizations that handle payment cards from brands such as Visa and Mastercard.

In all of these regulatory and compliance areas, the IT auditor plays a central role. An organization needs to be sure that all requirements are met.

4. Facilitate communication between business and technology management. An audit can have the positive effect of opening channels of communication between the business and technology management of an organization. Auditors interview, observe and test what happens in reality and in practice. The final deliverables of an audit are valuable information in written reports and oral presentations. Top management can obtain direct feedback on the performance of their organization.

Technology professionals in an organization also need to know the expectations and goals of top management. Auditors aid this top-down communication by participating in meetings with technology management and by reviewing current implementations of policies, standards, and guidelines.

It is important to understand that IT auditing is a key element in management oversight of technology. An organization’s technology exists to support business strategy, functions, and operations. Business and supporting technology alignment is critical. IT audit maintains this alignment.

5. Improve IT governance. The IT Governance Institute (ITGI) has published the following definition:

“IT Governance is the responsibility of the executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the company’s IT supports and extends the strategies and objectives of the organization.”

The leadership, organizational structures, and processes referenced in the definition point to IT auditors as key players. A fundamental aspect of IT auditing and IT management in general is a solid understanding of the value, risks, and controls of an organization’s technology environment. More specifically, IT auditors review the value, risks and controls in each of the key components of the technology: applications, information, infrastructure and people.

Another perspective on IT governance consists of a framework of four key objectives that are also discussed in the IT Governance Institute documentation:

* IT is aligned with the business
* IT enables the business and maximizes benefits
* IT resources are used responsibly
* IT risks are managed appropriately

IT auditors provide assurance that each of these goals is being met. Each objective is critical to an organization and therefore critical in the IT audit function.

In short, IT auditing adds value by reducing risk, improving security, complying with regulations, and facilitating communication between technology and business management. Finally, IT auditing improves and strengthens the overall governance of IT.

References:

ISACA. Control Objectives for Information and Related Technology (COBIT).

ISO/IEC 27002. Code of practice for information security management.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal control framework.
