IT Auditing

ITurnITy's IT Auditing Services cover the process of collecting and evaluating evidence of the management of controls over an organization's information systems, practices, controls and operations. The evaluation of evidence obtained through the IT audit process determines whether the information systems are safeguarding assets, maintaining data integrity and operating effectively to achieve the organization's goals and objectives. This may include traditional audits of technology processes and components as well as integrated audits for audit activities, technology-dependent regulatory processes (e.g., privacy regulation) or data analytics support.

The constant advancement of technology has dramatically changed how most organizations operate. Pen-and-paper transactions have been replaced by computerized online data entry applications, and the keys and locks on filing cabinets have given way to strong passwords and identification codes that restrict access to electronic files. Implementation of innovative technology has greatly improved business efficiency within most organizations in terms of data processing and transmission capacity. Still, it has also introduced new vulnerabilities that need to be addressed and mitigated. Each vulnerability needs to be controlled, which implies the need for better ways of assessing the adequacy of each control and hence for new auditing methods. Reliance on computerized systems has made it imperative for the auditees to change their approach and methodology to auditing because of the risk of a data integrity compromise, abuse of confidentiality policies, and so forth. Therefore, an independent audit is required to verify and prove that adequate measures have been designed and implemented to minimize or eliminate exposure to the various risks.

The Need for Auditing

Enterprises have never been more dependent on their data. For most, data is the lifeblood of the organization. When data is compromised, the business is at risk. Consequences of improper data use include, but are not limited to, damage to brand and reputation, loss of stock value, customer attrition, fines and even lawsuits.

Additionally, accountability for the integrity of critical information is increasingly being legislated through a myriad of regulations. Among the most notable is the General Data Protection Regulation (GDPR), the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond.

To address GDPR, organizations in these sectors must have effective access controls in place for the databases where sensitive information is stored and accessed. At the same time, they need solutions that automate these controls in order to build a sustainable, cost-effective compliance program.

IT Controls – Technological advancements have caused a rapid change in the capabilities of computer systems in the past several years. Some organizations have fully adopted computerized systems, and all their data is computerized and made available exclusively through digital media. Because of this change in how most organizations manage their data, auditors have had to change their auditing techniques. The overall control objectives of the audit do not change; only their implementation does. A change of implementation methodology implies a change in the approach auditors take in evaluating internal controls.

With the current IT infrastructure, both compliance and substantive testing are carried out while performing an IT Control Audit. Compliance testing is carried out to verify whether controls are being applied as per the auditee's instructions or as per the description offered in the program documentation. It determines how well the controls comply with management policies and procedures. Substantive testing, just as the name suggests, is a test carried out on a system to substantiate the adequacy of the controls in place in protecting the organization from malicious cyber activities. The tests should be carried out with a deeper understanding of the diversity of threats posed by a computerized environment, such as unauthorized access to valuable organization assets (data or programs), undetected misstatements, reduced accountability, unusual transactions, corrupted data files, inaccurate information and so on.

Audit of General Controls – Broadly explained, this covers performance monitoring of the system, job scheduling, media management, capacity planning, maintenance, network monitoring, and administration audit.

Audit of Application Controls – Application controls are specific to a particular application and may have a significant impact on how an individual transaction is processed. They are measures put in place to verify and provide assurance that every transaction is legitimate, authorized, complete, and recorded. Before proceeding to an in-depth evaluation of application controls, an auditor should first understand how the system operates. A brief description of the application is thus prepared before analysis, indicating the major transactions carried out, a description of the transaction flow and main output, a brief description of the major data files, and an approximate figure for transaction volumes.

Network and Internet Controls – In most organizations, especially medium to large scale organizations, local or wide area networks are commonly used to connect users. This comes with various risks, as it does not guarantee that the system will only be accessed by authorized individuals or users. The network should be designed for access by authorized users only. The security system in place should not rely entirely on logical access controls, because networks are used to transmit data that may be corrupted, lost or intercepted. Controls should be set to eliminate all these risks.

Definition and Objectives

IT auditing entails any activity done within the periphery of examining and evaluating an organization’s information technology policies, infrastructure, and operations. Information technology auditing can be defined as a process of collecting and evaluating evidence to determine whether a computer system maintains data integrity, safeguards assets, uses resources efficiently, and allows the attainment of organizational goals.

Phases of the IT Audit Process

Preliminary assessment and information gathering are part of planning, which is a continuous process, although concentrated at the beginning of an audit. An initial assessment is carried out to determine the extent and type of subsequent testing. In a situation where the auditees find that specific control procedures are ineffective, they may be forced to reevaluate their previous conclusions and other relevant decisions made based on those conclusions.

Understanding the organization – ITurnITy's IT Auditor has the task of gathering knowledge and inputs on the following aspects of the object to be audited: the organization's operating environment and its function; the criticality of the IT system, i.e. whether it is a mission-critical system or a support system; the structure of the organization; the nature of the software and hardware in use; and the nature and extent of the perils affecting the organization. The nature of the organization and the desired level of audit report largely determine the extent of knowledge to be acquired about the organization. The information gathered should be used by the auditor to identify potential problems, formulate the objectives of the study, and define the scope of the work.

Defining Audit Objectives and Scope

The objectives and scope of an audit are defined from the risk assessment carried out by an auditee after exposure. Risk management is an integral part of securing your organization from hackers. It can be defined as a process of identifying, assessing, and taking the necessary steps towards minimizing the risk within a system to an acceptable level. In any organization, the primary security goals are integrity, confidentiality, and availability.

The auditor has a broad platform of risk assessment methodologies to pick from, ranging from a simple judgment-based classification of low, medium, and high to complex and more scientific classifications that produce a numeric risk rating. After the assessment, procedures, practices, and organizational structures are put in place to reduce risk; these are referred to as internal controls. A preliminary assessment of controls can be done based on discussions with management, filling in questionnaires, available documentation, and/or a preliminary survey of the application.

Some of the common objectives of an IT audit include: review of the security infrastructure and systems; review of IT systems to gain assurance of their safety; examination of the development process and procedures involved at the various stages of the system; and evaluation of the performance of a specific program or system. Audit objectives and scope are not limited to the aspects mentioned above. They should cover all the critical areas of security, such as security settings, passwords, firewall security, user rights, physical access security, and so on. The scope, on the other hand, should define the boundaries, limits, or periphery of the audit. Defining the scope of an audit is part of audit planning and covers aspects such as the extent of substantive assessment depending on the peril, control weaknesses, the period of the audit, and the number of locations to be covered.

Collection and Evaluation of Evidence

Substantial, reasonable, and relevant evidence should be obtained to support the auditor's judgment and conclusions on the organization, function, activity, or program under audit. Techniques used for data collection should be carefully chosen, and the auditor should have a sound understanding of the procedure and method selected. Types of audit evidence include documentary audit evidence, analysis, observed processes, and the existence of physical items. Physical verification implies the actual investigation or inspection of tangible assets by the auditor. The following methods can be used for the collection of audit evidence.

Interviews – can be used to collect both quantitative and qualitative evidence during the collection work. Persons to interview include systems analysts, to better understand the controls and functions within the security system, and data entry personnel, to determine the methodology they use to enter the data that the system detects as incorrect, inaccurate, or malicious.

Questionnaires – traditionally, questionnaires have been used to evaluate controls within the system being audited. In some cases, auditors have creatively used questionnaires to flag specific areas of system weakness in the course of evidence collection. In preparing the questionnaires, questions should be as specific as possible, and the language used should be commensurate with the understanding of the targeted person.

Flowcharts – are designed to show which controls are embedded in the system and their specific locations within the system. They are fundamental for comprehension, evaluation, and communication during the audit.

Analytical procedures – show whether an account balance is reasonable through comparisons and various relationships. The procedures should be carried out at the early stages of the audit to determine which accounts will require further verification, where the evidence can be reduced, and which areas to concentrate the investigation on.

Solutions for Evidence Collection – the increasing need for traceable documentation has opened up the field for various tools used by auditors. ITurnITy mostly uses its own software solution, eVisie Corporate Compliance Studio for Auditing & Compliance Automation, which mitigates business risk by increasing fraud detection and improving audit efficiency.

Documentation and Reporting

ITurnITy IT Auditors properly document all the audit evidence, including the extent of planning, the basis of the audit, the operations carried out, and the findings from the audit. The final document contains the planning and preparation of the audit, the audit program, observations, reports, data, etc.
