INTRODUCTION TO IT AUDIT

IT AUDIT?

IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations. IT audit can be considered the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively and uses resources efficiently.
Source: IT Audit Manual: Grant Thornton
IT AUDITOR?

An IT auditor is responsible for the internal controls and risks associated with an organization's IT network. That includes identifying weaknesses in the IT system and responding to any findings, as well as planning to prevent security breaches. There are certifications for this skill, such as Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).
Source: https://www.projectmanager.com/blog/it-audit
OBJECTIVES OF IT AUDIT

The objectives of IT audit include assessment and evaluation of the processes that ensure:
✓ Asset safeguarding
✓ Maintenance of the following seven attributes of data or information
Source: IT Audit Manual: Grant Thornton
OBJECTIVES OF IT AUDIT

I. Asset safeguarding: 'assets' include the following five types of assets:
1. Data objects in their widest sense (i.e., external and internal, structured and non-structured, graphics, sound, system documentation etc.).
2. Application systems, understood to be the sum of manual and programmed procedures.
3. Technology, which covers hardware, operating systems, database management systems, networking, multimedia, etc.
4. Resources to house and support information systems, supplies etc.
5. Staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.
Source: IT Audit Manual: Grant Thornton
OBJECTIVES OF IT AUDIT

II. Ensuring that the following seven attributes of data or information are maintained:
1. Effectiveness - deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
2. Efficiency - concerns the provision of information through the optimal (most productive and economical) usage of resources.
3. Confidentiality - concerns protection of sensitive information from unauthorized disclosure.
4. Integrity - relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations.
5. Availability - relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
6. Compliance - deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria. This essentially means that systems need to operate within the ambit of rules, regulations and/or conditions of the organization.
7. Reliability of information
Source: IT Audit Manual: Grant Thornton
IT AUDIT PROCESS

The audit process includes the following steps or phases:
1. Planning.
2. Definition of audit objectives and scope.
3. Evidence collection and evaluation.
4. Documentation and reporting.
Source: IT Audit Manual: Grant Thornton
Planning
Planning involves the following tasks:
1. Preliminary assessment and information gathering.
2. Understanding the organization
• Organizational function and the operating environment
• Organizational structure
• Criticality of IT systems
• Nature of hardware and software used
• Nature and extent of risks affecting the systems
Source: IT Audit Manual: Grant Thornton
Risk assessment to define audit objective and scope

Risk management is an essential requirement of modern IT systems where security is important. It can be defined as a process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. The three security goals of any organization are confidentiality, integrity and availability. Risk assessment is a systematic consideration of:
• The business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets.
• The realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities and the controls currently implemented.
Source: IT Audit Manual: Grant Thornton
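The two considerations above (business harm across the three security goals, and realistic likelihood after existing controls) can be turned into a small risk register that ranks scenarios and selects those that exceed an acceptable level for audit scope. The following is an added worked example, not code from the Grant Thornton manual or the deck: the 1..5 scales, the "worst of C/I/A" impact rule, the control-effectiveness reduction, the rating bands and the sample systems are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    """One scenario in a risk register (scales are hypothetical 1..5 ordinals)."""
    asset: str
    scenario: str
    impact_c: int            # harm if confidentiality is lost: 1 negligible .. 5 severe
    impact_i: int            # harm if integrity is lost
    impact_a: int            # harm if availability is lost
    likelihood: int          # realistic likelihood given prevailing threats: 1 rare .. 5 almost certain
    control_effectiveness: float  # how well current controls cut likelihood: 0.0 none .. 1.0 full


def _check_scale(value: int, name: str) -> None:
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be on the 1..5 scale, got {value}")


def impact(risk: Risk) -> int:
    """Business harm is driven by the worst affected security goal (C, I or A)."""
    for name, value in (("impact_c", risk.impact_c),
                        ("impact_i", risk.impact_i),
                        ("impact_a", risk.impact_a)):
        _check_scale(value, name)
    return max(risk.impact_c, risk.impact_i, risk.impact_a)


def residual_likelihood(risk: Risk) -> int:
    """Likelihood left after implemented controls; rounded up so weak controls get no credit."""
    _check_scale(risk.likelihood, "likelihood")
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0.0 and 1.0")
    reduced = math.ceil(risk.likelihood * (1.0 - risk.control_effectiveness))
    return max(1, reduced)  # a residual likelihood never drops below the lowest band


def inherent_score(risk: Risk) -> int:
    return impact(risk) * risk.likelihood


def residual_score(risk: Risk) -> int:
    return impact(risk) * residual_likelihood(risk)


def rating(score: int) -> str:
    """Qualitative band for a 1..25 product score (hypothetical cut-offs)."""
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def audit_scope(register: List[Risk], acceptable: int = 8) -> List[Risk]:
    """Scenarios whose residual risk exceeds the acceptable level, highest first."""
    ranked = sorted(register, key=residual_score, reverse=True)
    return [r for r in ranked if residual_score(r) > acceptable]


# Constructed sample register for a fictional organisation (assumed values).
REGISTER = [
    Risk("Payroll database", "unauthorised disclosure of employee records", 5, 4, 3, 3, 0.5),
    Risk("Public website", "defacement of published content", 1, 3, 2, 4, 0.25),
    Risk("Backup storage", "ransomware destroys backups", 2, 5, 5, 2, 0.9),
    Risk("Intranet wiki", "stale operating procedures acted upon", 1, 2, 2, 5, 0.0),
]


if __name__ == "__main__":
    print(f"{'Asset':18} {'Inherent':>8} {'Residual':>8}  Rating")
    for r in sorted(REGISTER, key=residual_score, reverse=True):
        print(f"{r.asset:18} {inherent_score(r):>8} {residual_score(r):>8}  {rating(residual_score(r))}")
    print("In scope:", [r.asset for r in audit_scope(REGISTER)])
```

The ordering shows the point the slide makes: the backup scenario has a severe impact but a strong control, so it drops below the acceptable level, while the low-impact wiki scenario stays in scope because nothing reduces its near-certain likelihood. Replace the constructed register with the organisation's own assets and calibrated scales before using the ranking to set scope.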
Evidence collection and evaluation

Competent, relevant and reasonable evidence should be obtained to support the auditor's judgement and conclusions regarding the organization, programme, activity or function under audit. Data collection techniques should be carefully chosen. The auditors should have a sound understanding of the techniques and procedures chosen.
• Types of audit evidence (interviews, questionnaires, flowcharts, analytical procedures)
• Tools of evidence collection (generalised audit software, industry-specific audit software, utility software, specialised audit software, concurrent auditing tools)
Source: IT Audit Manual: Grant Thornton
Documentation and Reporting

Auditors should adequately document the audit evidence in working papers, including the basis and extent of the planning, the work performed and the findings of the audit. Audit documentation includes a record of:
• The planning and preparation of the audit scope and objectives
• The audit programme
• The evidence collected, on the basis of which conclusions are arrived at
• All work papers, including the general file pertaining to the organization and system
• Points discussed in interviews, clearly stating the topic of discussion, person interviewed, position and designation, time and place
• Observations as the auditor watched the performance of work. The observations may include the place and time, the reason for observation and the people involved
• Reports and data obtained from the system directly by the auditor or provided by the audited staff. The auditor should ensure that these reports carry the source of the report, the date and time and the conditions covered
• At various points in the documentation the auditor may add comments and clarifications on concerns, doubts and the need for additional information. The auditor should come back to these comments later and add remarks and references on how and where these were resolved
Source: IT Audit Manual: Grant Thornton
SYSTEMS & APPLICATIONS

This focuses on the systems and applications within an organization. It makes sure they are appropriate, efficient, valid, reliable, timely and secure on all levels of activity.
Source: https://www.projectmanager.com/blog/it-audit
INFORMATION PROCESSING FACILITIES

Verifies that processing is working correctly, timely and accurately, whether in normal or disruptive conditions.
Source: https://www.projectmanager.com/blog/it-audit
SYSTEMS DEVELOPMENT

Checks whether the systems under development are being created in compliance with the organization's standards.
Source: https://www.projectmanager.com/blog/it-audit
MANAGEMENT OF IT AND ENTERPRISE ARCHITECTURE

Makes sure that IT management is structured, and that its processes run, in a controlled and efficient manner.
Source: https://www.projectmanager.com/blog/it-audit
CLIENT/SERVER, TELECOMMUNICATIONS, INTRANETS AND EXTRANETS

This spotlights telecommunication controls, such as the server and network, which form the bridge between clients and servers.
Source: https://www.projectmanager.com/blog/it-audit
IT AUDIT BEST PRACTICES

SCOPE

By knowing the scope of the audit ahead of time, you're more likely to have an audit that runs without problems. For one thing, you'll want to involve all relevant stakeholders when planning. Speak to those who are working in the IT environment. They can help you understand what risks you're looking to identify and understand the current capabilities of the system. This way you'll have a better idea of whether there's a need to adopt new technologies or not. Also, know the applicable laws and regulations to make sure you're compliant.
Source: https://www.projectmanager.com/blog/it-audit
OUTSIDE RESOURCES

You might have a team assembled in-house who are able to run the IT security audit themselves, or you might need to seek outside contractors to help with parts or the whole thing. This must be determined beforehand. You might have an IT audit manager or need to hire a consultant, who can then train the team on what to keep an eye out for in between IT audits.
Source: https://www.projectmanager.com/blog/it-audit
IMPLEMENTATION

Know what inventory you have and put these systems down in a list organized by priority. Know industry standards, methods and procedures to make sure you're keeping up with the most current practices. Evaluate your audit to see if assets are protected and risks mitigated.
Source: https://www.projectmanager.com/blog/it-audit
FEEDBACK

IT audit reports can feel like they're in a different language if you're not an IT professional. For the audit to be effective, the report must be clear to the decision-makers. The IT auditor should give the report in person and field any questions, so that when done there is no question about the work and whatever vulnerabilities were discovered.
Source: https://www.projectmanager.com/blog/it-audit
REPEAT

An IT audit isn't a one-time event, of course, but in between audits there is still work to do. That includes offering recommendations going forward and using IT software that can automatically monitor systems, users and assets. It's a good idea to have a plan set up to review applicable laws, regulations and new developments quarterly, as the technology space is notoriously fast moving.
Source: https://www.projectmanager.com/blog/it-audit
END OF PRESENTATION.
THANK YOU.