The Top Five Benefits Of An IT Audit

By Continental IT Audit Team


An integral part of an IT auditor's work is to educate the business community on how an information technology (IT) audit adds value to an organization. To be sure, internal audit departments, which usually include an IT audit component, have a clear vision of their function and role within an organization. Our experience has been that the critical role played by IT auditors is not fully understood by the wider business community. It is the wise corporate executive who understands and leverages the value of the IT audit function. In this context, we wanted to publish a brief overview of the specific benefits and value added by an IT audit.

IT audits may cover a diverse range of computing and communication technology infrastructure such as client-server systems and networks, operating systems, security systems, software applications, databases, web services, telecom infrastructure, change management procedures and disaster recovery planning.

The sequence of a standard audit starts with identifying risks, then assessing the design of controls and finally testing the effectiveness of the controls. Skillful auditors can add value in each phase of the audit.

The main motivation to have an IT audit function is the need for assurance and internal control. Organizations that make huge investments in technology generally need IT auditing to provide the assurance that risks are being controlled and that huge losses will not occur. An organization may determine that it has a high risk of outage, security threat or vulnerability. Regulations and compliance requirements such as the Sarbanes-Oxley Act or industry-specific requirements from the SEC or Federal Reserve are another main motivation to maintain an IT audit function.

We discuss five key benefits from IT auditing below - five areas in which IT auditors can add value and provide clear benefits to an organization. Of course, added value depends on the quality and depth of a technical audit. The scope of an audit is also critical - audit planning involves documenting the specific business processes, risks and controls that will be audited.

So here are our top five ways that an IT audit adds value:

1. Reduce risk. The planning and execution of an IT audit is generally focused on identifying and assessing risks in an organization's IT environment.

IT audits usually cover risks related to confidentiality, integrity and availability of information technology infrastructure and processes. Additional risks include effectiveness, efficiency and reliability of IT.

After risks are identified and assessed, the next step is to start reducing or mitigating the risks through controls, risk transfer (e.g. insurance) or risk acceptance (e.g. built into the business).

It is critical to understand that IT risk is business risk. Threats and vulnerabilities in IT operations can directly affect an entire organization. The organization needs to understand its risks and then proceed to do something about them.

IT auditors use risk best practices such as ISACA COBIT and RiskIT frameworks (www.isaca.org) and the ISO/IEC 27002 standard 'Code of practice for information security management' (www.iso.org).

2. Strengthen controls (and improve security). After assessing risks as described above, controls can then be identified and assessed. Poorly designed or ineffective controls can be redesigned and/or strengthened.

The COBIT framework of IT controls is especially useful here. It consists of four high-level domains that cover 32 control processes useful in reducing risk. The COBIT framework covers all aspects of information security, including control objectives, key performance indicators, key goal indicators and critical success factors.

An IT auditor using COBIT can assess controls and make recommendations that add real value to the IT environment and to the organization as a whole.

Another control framework is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model of internal controls. IT auditors can use this framework to get assurance on (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance with applicable laws and regulations. The framework contains two elements out of five that directly relate to controls - control environment and control activities.

3. Comply with regulations. There are a wide range of regulations at the federal and state levels that include specific requirements for information security. IT auditing is critical to ensure that specific requirements are met, risks are assessed and controls implemented.

The Sarbanes-Oxley Act (Corporate and Criminal Fraud Accountability Act) requires all public companies to ensure that internal controls are adequate as defined in the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) discussed above. It is the IT auditor who provides the assurance that such requirements are met.

The Health Insurance Portability and Accountability Act (HIPAA) includes three areas of IT requirements: administrative, technical and physical safeguards. IT auditors play a key role in ensuring compliance with these requirements.

Various industries have additional requirements, such as the Payment Card Industry (PCI) Data Security Standard in the credit card industry (e.g. Visa and Mastercard).

In all of these compliance and regulatory areas, the IT auditor plays a central role. An organization needs assurance that all requirements are met.

4. Facilitate communication between business and technology management. An audit opens channels of communication between an organization's business and technology management. Auditors spend time interviewing, observing and testing what is happening in reality and in practice. An audit can provide valuable information in written reports and oral presentations. Senior management needs to know first-hand how their organization is functioning.

The technology professionals in an organization also need to know what senior management thinks, what their objectives are and the directions that they are going. Auditors can communicate some of this information through participation in meetings with technology management and through review of the current implementations of policies, standards and guidelines.

An important point is that IT auditing is a key element in management's oversight of technology. It must be understood that an organization's technology exists to support business strategy, functions and operations. Alignment between business and the technology functions is critical. No organization invests in technology just for the sake of technology but to support overall business objectives. IT audits are critical in maintaining this alignment.

5. Improve IT Governance. The following definition is from the IT Governance Institute (ITGI):

'IT Governance is the responsibility of executives and board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives.'

The leadership, organizational structures and processes mentioned in the definition point to IT auditors as key players. IT auditing and overall IT management are focused on the value, risks and controls around an organization's technology environment. IT auditors review the value, risks and controls in all of the key components of technology - applications, information, infrastructure and people.

The framework of IT governance consists of four key objectives which are also discussed in the IT Governance Institute's documentation:

* IT is aligned with the business
* IT enables the business and maximizes benefits
* IT resources are used responsibly
* IT risks are managed appropriately

IT auditors focus on providing assurance that each of these objectives is met. All of these objectives are critical to an organization and are therefore within the scope of IT auditing.

To sum up, IT auditing adds value by reducing risks, improving security, complying with regulations and facilitating communication between technology and business management. Finally, IT auditing improves and strengthens overall IT governance.

References:

ISACA. Control Objectives for Information and related Technology (COBIT). www.isaca.org.

ISO/IEC 27002. Code of practice for information security management. www.iso.org.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control Framework. www.coso.org.