Introduction to IT Auditing
The constant advancement of technology has dramatically changed how most organizations operate. The developments have seen pen and paper transactions replaced with computerized online data entry application, instead of keys and locks for filing cabinets, strong passwords and identification codes are being used to restrict access to electronic files. Implementation of innovative technology has magnificently improved business efficiency within most organizations, in terms of data processing and transmission capacity. Still, it has also created and introduced new vulnerabilities that need to be addressed and mitigated. Each vulnerability needs to be controlled, which implies the need for better ways of assessing the adequacy of each control hence new auditing methods. Reliance on computerized systems has made it imperative for the auditees to change the approach and methodology to auditing due to fear of a data integrity compromise, abuse of confidentiality policies, and so forth. Therefore, an independent audit is required to verify and prove that an adequate measure has been designed and implemented to minimize or eliminate exposure to various risks.
Definition and Objectives
IT auditing entails any activity done within the periphery of examining and evaluating an organization’s information technology policies, infrastructure, and operations. Information technology auditing can be defined as a process of collecting and evaluating evidence to determine whether a computer system maintains data integrity, safeguards assets, uses resources efficiently, and allows the attainment of organizational goals.
Objectives assessment and evaluation of the process that ensures:
- Safeguarding of assets such as data objects, resources to house and support information systems.
- Ensure that the following sets of data are maintained:
- Reliability of information
Phases of the Audit process
The auditing process involves these four significant steps.
A. Preliminary assessment and information gathering
Planning is a continuous process, although concentrated at the beginning of an audit. An initial assessment is carried out to determine the extent and type if subsequent testing. In a situation where the auditees find that the specific control procedures are ineffective, they may be forced to reevaluate their previous conclusions and other relevant decisions made based on those conclusions.
B. Understanding the organization
The IT auditor has the task of gathering knowledge and inputs on the following aspects of the object to be audited;
- Organization’s operating environment and its function.
- The criticality of the IT system, whether it is a mission-critical system or a support system
- Structure of the organization
- Nature of software and hardware in use
- Nature and extent of the perils affecting the organization
The nature of the organization and the desired level of audit report much determine the extent of knowledge to be acquired about the organization. Information gathered should be used by the auditor to identify potential problems, formulate objectives of the study, and to define the scope of the work.
2. Defining audit objectives and scope
The objectives and scope of an audit are defined from the risk assessment carried out by an auditee after exposure. Risk management is an integral part of securing your organization from hackers. It can be defined as a process of identifying, assessing, and taking necessary steps towards minimizing the risk to an acceptable level within a system. In any organization, the primary security goals are integrity, confidentiality, and availability.
The auditor has a broad platform of risk assessment methodologies to pick from, ranging from simple classification of low, medium, and high as per the judgment to complex and more enhanced scientific classification to come up with a numeric risk rating. After the assessment, procedures, practices, and organizational structures are put in place to reduce risk referred to as internal controls. Preliminary assessment of controls can be done based on having discussions with the management, filling questionnaires, available documentation, and/or preliminary survey of the application.
Some of the common objectives of IT audit include:
- Review of security infrastructure and systems
- Review of IT systems to gain assurance of the safety
- Examine the development process and procedures involved at various stages of the system
- Evaluation of the performance of a specific program or system
Audit objectives and scope are not limited to the aspects mentioned above. It should be able to cover all the critical areas of the security aspect, such as security settings, passwords, firewall security, user rights, physical access security, and so on.
The scope, on the other hand, should define the boundaries, limits, or the periphery of the audit. Coming up with scope for an audit is part of audit planning and covers aspects such as the extent of substantive assessment depending on the peril, control weakness, period of the audit, and the number of locations to be covered.
3. Collection and evaluation of evidence
Substantial, reasonable, and relevant evidence should be obtained to second auditor’s judgment and conclusions on the organizations, function, activity, or program under audit. Techniques used for data collection should be carefully chosen, and the auditor should have a sound understanding of the procedure and method selected.
i. Types of Audit Evidence
The three main types of audit evidence include:
- Documentary audit evidence
- Observed process and existence of physical items
Physical verification implies the actual investigation or inspection of tangible assets by the auditor. The following methods can be used for the collection of audit evidence.
2. Interviews – can be used to collect both quantitative and qualitative evidence during the collection work. Some of the persons to interview include systems analysts to better understand controls and functions within the security system, data entry personnel to determine the methodology they use to enter the data being detected by the system as incorrect, inaccurate, or malicious.
3. Questionnaires – traditionally, questioners have been used to evaluate controls within the system being audited. In some cases, auditors have creatively used questioners to flag specific areas of the system weakness in the course of evidence collection. In preparing the questioners, questions should be as specific as possible, and the language used should be that which commensurate with the targeted person understanding.
4. Flowcharts – are designed to show that controls are embedded in the system and their specific locations within the system. They are fundamental for comprehension, evaluation, and communication during the audit.
5. Analytical procedures – show whether account balance is reasonable through comparisons and various relationships. The procedures should be done at the early stages of the audit to determine the accounts that will require further verification, those in which the evidence can be reduced and areas to concentrate investigations.
ii. Tools of evidence collection
An increase in the need for traceable documentation has opened up the field for various tools being used by auditors. Some of the commonly used software’s include;
Generalized Audit Software provides access to stored data and manipulates other stored media.
Industry-specific audit software – designed to give a high-level command that invokes basic audit operations essential for a particular industry
Utility Software – this software, unlike the other, automatically performs frequently functions such as sort, disc search, copy, disc format, etc.
Specialized Audit software – this software is used to perform a specific set of audit tasks.
Concurrent Auditing Tools – are used to collect data at the same time with applications simultaneously.
4. Documentation and Reporting
Auditors are expected to properly document all the audit evidence, including the extent of planning, basis of the audit, operations carried out, and findings from the audit. The final document should contain planning and preparation of the audit, audit program, observations, reports, data, etc.
How to structure the report
The report should be complete, exact, objective, clear, timely, and precise as the subject allows. Your report can be generally structured under the following titles:
Your report should start with a brief description of the specific audit being taken up. The overview may entail details of the system, such as the description of the software’s environment, resources required to run the system, and some details on the application being used. It is of significance to provide details on the volume of data and the extent of the complexity of processing. This is so that the reader can have a clear understanding of what the report is all about and stimulate them to appreciate the subsequent findings of the audit. You have to state the extent of the criticality of the system as most observations get their degree of seriousness from how criticality of the system has been defined.
Objectives, Scope, and Methodology
In this section, you need to explain the knowledge of the objectives, scope, and methodology of the audit. This is to enable readers to understand the specific purpose of the audit, understand challenges faced, and to be able to make sound judgments on the merits of the audit work done. In the objectives section, an auditor should explain aspects of performance examined in the audit. While in the scope section, the auditor is expected to describe the depth of the work or in-put made to achieve the audit’s objectives. Auditors should point out the specific organization audited, Hardwar ware and software used, geographic locations, the period covered by the audit, explain sources of the evidence presented, and finally to explain the quality of the challenges or defects with the evidence. The methodology should explain the know-how of techniques used to gather and analyze the identified risks.
Auditors are to report significant findings concerning audit objectives. In doing so, the auditor should include sufficient, relevant, and competent information to facilitate an adequate understanding of the issues being reported. The information presented should also be precise to provide convincing to the readers. This can be achieved by providing elaborate background information about the audit.
Conclusions are deducted as per the previously defined audit’s objectives. The persuasiveness of evidence and the logic used to come up with the conclusions greatly determines the strength of the conclusions. It is advisable to avoid sweeping conclusions of risks and controls.
Where the report findings substantiate room for potential improvements, then the auditor should report recommendations. In cases of significant noncompliance with laws and regulations of the land or where there is considerable weakness in controls, then recommendations should be made that effective compliance and abidance by the law. Auditors should also address uncorrected findings and recommendations from past audits and how they affect the current audit and recommendations.
Constructive recommendations are those which aim at solving the identified cause of problems, feasible and directed towards relevant authority who can act. The recommendations should, therefore, be practical, achievable, and cost-effective.
Noteworthy management accomplishments, as well as deficiencies identified within the scope of the audit, should be included as part of the report. It gives a balance or rather a fair representation of the situation that sounds logical and real.
The audit report should mention the limitations and challenges faced by the audit.
1. IT Controls
Technological advancements have caused a rapid change in the capabilities of computer systems in the past several years. Some organizations have fully adopted the system, and all their data are computerized and made available exclusively through digital media. Due to this change in how most organizations manage their data, auditors to have to change their auditing techniques. The overall control objectives of the audit are not necessarily interfered with, except for their implementation. A change of implementation methodology implies a change in approach by the auditors in evaluating internal controls.
With the current IT infrastructure, both compliance and substantive testing are carried out while performing an IT Control Audit. Compliance testing is carried out to verify whether controls are being applied as per the auditees instructions or as per the description offered in the program documentation. It determines the compliance level of controls with management policies and procedures. Substantive audit, just as the name suggests, is a test carried out on a system to substantiate the adequacy of the laid controls in protecting the organization from malicious cyber activities. The tests should be carried out with a deeper understanding of the diversity of threats posed by a computerized environment such as; unauthorized access to valuable organization assets in terms of data or program, undetected misstatements, reduced accountability, unusual transactions, corrupted data files, inaccurate information and so on.
2. Audit of General Controls
Broadly explained, this cuts through performance monitoring of the system, job scheduling, media management, capacity planning, maintenance network monitoring, and administration audit.
3. Audit of Application Controls
Application controls are specific to a particular application and may have a significant impact on how an individual transaction is processed. They are measured put in place to verify and provide assurance that every transaction is legit, authorized, complete, and recorded. Before even proceeding to an in-depth evaluation of application controls, an auditor should first understand how the system operates. A brief description of the application is thus prepared before analysis indicating major transactions carried out, a description of transaction flow and main output, a brief description of major data files, and an approximate figure for transaction volumes.
For a systematic study, application control can be sub-divided into:
Standing data file controls
4. Network and Internet Controls
In most organizations, especially medium to large scale organizations, local or wide area networks are commonly used to connect users. This comes with various risks as it does not guarantee that the system will only be accessed by an authorized individual or user. The network should be designed for access by authorized users only. The security system in place should not be entirely on logical access. Because networks are used to transmit data that may be corrupted, lost or intercepted. Controls should be set to eliminate all these risks.
5. Interment Controls
The safest policy to connect your computers directly to the internet include:
- Physical isolation of the machine from the core information.
- All the unnecessary logical parts of the server should be closed down
- Deny unknown identities access to the machine and re-writable directories or those which can be read by anonymous users.
- Employ an experienced individual to be in charge of the internet machine.
- Continuously monitor login attempts into the machine.
- Limit user accounts as much as possible.
This includes various checklists.
- List of documents to aid in a sound understanding the system
Any audit commences with a piece of background information about the organization to understand its day to day activities and how IT impacts these activities. Below is an illustrative document that can be used for understanding the system.
|No.||List of Documents|
|1||Overview of the organizations’ background|
|2||An organizational chart|
|4||Laws and regulations that influence or affect the organization such as the Income Tax Act|
|5||Applications and their details|
|6||Application and network architecture|
|7||IT department structure and description of their respective roles|
|8||Responsibilities if IT personnel concerning that particular application|
|No.||List of Documents|
|10||Project management reports|
|11||Description of the used hardware|
|12||Description of software used, such as whether it is developed in-house or sourced from outside etc.|
|13||Details on database|
|14||Table listings, data flow diagrams, data dictionary|
|15||Description of relationships between database triggers and tables|
|17||User, operations and system manuals|
|18||Reports on performance analysis|
|19||List of authorized users|
|20||Data and test results|
|21||Proposed security outline for the system|
|22||Past audit reports|
|23||Reports on internal audit|
|24||Feedback from users about the system|
|25||Peer review reports|
2. Criticality Assessment Tool
An organization may have more than one IT system at work. An auditor should be interested in the nature, scope, rigor, and extent of the audit relative to the criticality of the application. Forming criticality of a system is considered a subjective process.
3. Collection of particular or specific information on IT systems
The audit team may decide to use a questionnaire in cases where information is gathered must be specific. The questionnaire is used at the time of conduct of the audit. The questions are precise and designed to fetch a specific response from the targeted persons.
4. Risk assessment checklist
This is a list of questions asked regarding various aspects of IT systems to deduct thought about the risk levels within the system under audit. The list is prepared and organized by the auditor, depending on their understanding of the application and organization at large.
Joseph Ochieng’was born and raised in Kisumu, Kenya. He studied civil engineering as first degree and later on pursued bachelors in information technology from the technical university of Kenya. His educational background has given him the broad base from which to approach topics such as cybersecurity, civil and structural engineering. When he is not reading or writing about the various loopholes in cyber defense, the he is probably doing structural design or watching la Casa de Papel . You can connect with Joseph via twitter @engodundo or email him via [email protected] for email about new article releases”