Lecture 5.

The IT audit process involves examining an organization's IT infrastructure to ensure security, data integrity, and alignment with organizational objectives. Key stages include planning, data collection, testing, reporting, and follow-up, while effective audits assess risk, compliance, and inefficiencies. IT auditors utilize various techniques such as inquiry, observation, inspection, and re-performance to gather evidence and ensure controls are effective.

Uploaded by

jamilabu8681

LECTURE 5.

THE IT AUDIT PROCESS


Recall:
An IT audit is the process of examining an organization's information technology infrastructure to
ensure that it is functioning properly and securely.

Objectives of IT Audit
➢ To safeguard the organization’s assets.
➢ To ensure data integrity.
➢ To ensure the overall objectives of the organization are met.

Reasons why Organizations conduct IT Audits


• To ensure that information systems are being used effectively and efficiently.
• To detect potential security vulnerabilities.
• To identify compliance risks.
• To assess the impact of new technology initiatives.
• To evaluate the effectiveness of IT governance processes.

Benefits of IT Audits
1. Improved Performance: An IT audit can help identify inefficiencies and areas for
improvement within an organization's information technology infrastructure. By
identifying these issues, organizations can take steps to improve their overall
performance. In some cases, this may involve implementing new technologies or
processes.
2. Maintained Safety: One of the most important functions of an IT audit is to ensure that
an organization's information systems are secure. By identifying potential security
vulnerabilities, audits can help organizations take steps to mitigate the risks posed by
these threats.
3. Monitors Potential Threats: In addition to identifying existing security vulnerabilities, IT
audits can also help organizations monitor for potential threats. By staying up-to-date
on the latest risks and trends, businesses can be better prepared to defend against
future attacks.
4. Improved Compliance: IT audits can also help organizations ensure compliance with
relevant laws, regulations, and industry standards. By identifying noncompliant areas,
businesses can take steps to mitigate the risks posed by these vulnerabilities.

How to Prepare for an IT Audit


Before the audit, it will help to do the following:

• Create an IT asset inventory.
• Create a list of current controls and safeguards.
• Get a document checklist.
• Get your IT policies and procedures ready.

Key aspects evaluated by an IT Audit


An IT audit evaluates three major aspects of an information system:
1. Availability: will the information system be available when the users need it?
2. Integrity: will the information system be reliable, accurate, and prompt?
3. Confidentiality: will the information in the system be restricted to authorized parties?

THE AUDIT PROCESS


❖ Stage 1: Planning:
The first step in the audit process is to develop a plan.
This plan will outline the objectives of the audit, as well as the scope and methodology.

❖ Stage 2: Preparation and Data Collection:
The auditor needs to gather information about the organization and its IT systems.
This may involve interviews, document review, and on-site observation.

❖ Stage 3: Testing and Analysis:
The auditor needs to test the controls in place to ensure that they are effective.
This may involve simulations, analysis of logs, and penetration testing.
Once the data has been collected, it will be analyzed to identify any issues or concerns.

❖ Stage 4: Reporting:
The auditor needs to prepare a report detailing their findings and recommendations.
The report should include a description of the audit scope, methodology, findings, and
recommendations for improvement.

❖ Stage 5: Follow-Up:
The auditor needs to follow up with the organization to ensure that their
recommendations have been implemented.

Key Contents of the audit Report.


➢ Scope of the audit
➢ Methodology
➢ Findings
➢ Recommendations.

Key features of an effective IT audit

❖ Risk Assessment
An effective IT audit should have the ability to perform risk assessments.
This involves identifying potential risks and evaluating their impact on the organization.
There are a variety of methods that can be used to perform a risk assessment, including
interviews, document review, and observation.
Usually, a combination of these methods is used to get the most accurate picture
possible. It is important to note that risk assessments are not static. They should be
conducted on a regular basis to ensure that the organization is aware of new risks as
they emerge.

❖ Compliance Review
An effective IT audit should have the ability to review compliance.
This involves ensuring that an organization's information systems are in compliance with
relevant laws, regulations, and industry standards.
There are a variety of compliance risks that need to be considered, including data
privacy, security, and access control. By identifying these risks, organizations can take
steps to mitigate the impact of noncompliance. It can be especially important to
conduct a review of compliance when an organization is implementing new
technologies or processes.

❖ Identification of Inefficiencies
An effective IT audit should have the ability to identify inefficiencies.
This involves assessing an organization's information technology infrastructure and
identifying areas where improvements can be made. Inefficiencies can lead to a variety
of problems, including increased costs, reduced productivity, and decreased security.
By identifying these issues early on, organizations can take steps to mitigate the impact
of these problems. Some examples of these inefficiencies include duplicate data,
unnecessary processes, and outdated technology.

Risk Assessment methods


✓ Interviews.
✓ Document review.
✓ Observation.

Types of IT Audit / Categories of IT Audit

• System and Applications: This audit focuses on the system and applications in an
organization. It verifies that the system and all applications are efficient, appropriate,
reliable, up-to-date, and secure on all levels.
• Information Processing Facilities: It verifies that all processes are working efficiently,
accurately, and in a timely manner, under both normal and disruptive conditions.
• System Development: This audit verifies that the system under development is aligned
with the organization’s objectives. It also makes sure that the system is developed per the
generally accepted standards for systems development.
• Management of IT and Enterprise Architecture: It ensures that IT management is
structured and the information processing environment is efficient and controlled.
• Client/server, Telecommunication, Intranet, and Extranet: This audit focuses on
telecommunication controls. It ensures that proper measures are in place for the server,
client, and network connecting the server and the client.

IT Auditor
✓ An IT auditor is an unbiased observer who makes sure that all the IT controls are
appropriate and effective.
An IT auditor is responsible for developing, implementing, testing, and evaluating the IT audit
review procedures.

Key responsibilities of an IT auditor:


• Identifying the audit scope and primary objectives.
• Developing and planning the audit.
• Coordinating and executing all the audit activities.
• Following the auditing standards established by the company and the industry.
• Generating a detailed report and best practices allowing companies to meet the
requirements of the audit.
• Maintaining and updating all the audit documentation.
• Passing on audit findings and recommendations to relevant people.
• Making sure that the recommendations are implemented.

Auditing Techniques

➢ Audit techniques are methods used by the auditor to collect evidence for
examination.

➢ Audit techniques are tools, methods or processes by means of which an auditor
collects necessary evidence to support his opinion in respect of the propositions
or assertions submitted by the client to him for his examination.

IT Audit Techniques
All auditing is broken down into four audit techniques:
➢ Inquiry (talking to people).
➢ Observation (observing processes).
➢ Inspection (looking over paperwork or system configurations).
➢ Re-performance (re-performing a process).

❖ Inquiry
Inquiry is the process of gathering information directly from an individual who is familiar with
the subject matter or control being tested. Inquiry may be written (e.g. email) or oral (e.g.
interview).

❖ Observation
Observation is the process of watching processes take place or witnessing
physical items in place and operating as described. These might also be considered
walkthroughs.

❖ Inspection
Inspection is the examination of documentation that serves as evidence that a control is in
place. Inspection often involves gathering populations and creating samples for testing,
but can also overlap with observation (e.g. inspecting fire suppression inspection records while
observing that the fire suppression system is in place).

❖ Re-Performance
Re-performance is independently recreating a process to verify that it is operating effectively.
Re-performance may also include recreating a process in tandem with an observation to
observe an otherwise automated process.
Re-performance offers the highest level of assurance that a process is in place and operating
effectively.

Auditing Around the Computer Vs. Auditing through the Computer

Auditing around the Computer

➢ This audit concentrates on inputs and their corresponding outputs,
ignoring the processing procedures within computer programs.

➢ This can be a suitable approach where:

• There is less risk of misstatements.
• Auditors have limited knowledge of programs.
• Auditors are satisfied that they can still obtain sufficient and reliable
evidence without involving the programs.

Auditing through the computer

➢ This audit involves an examination of the detailed processing routines of
the computers and programs to determine whether they are adequate
and reliable in processing of data.

➢ Auditors use Computer Assisted Audit Techniques (CAATs) to achieve
this.
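
Re-performance, inspection sampling and CAATs as described above, shown in an added example that is not part of the original lecture: a small Python script re-performs a control over a whole population and draws a reproducible sample for manual inspection. The control (leavers' accounts disabled within one day), the data and all names are assumptions made for illustration.

```python
import random
from datetime import date

# Constructed sample population (not from the lecture): HR termination dates
# and the date the directory shows each account disabled (None = still active).
LEAVERS = {
    "asmith": date(2024, 3, 1),
    "bjones": date(2024, 3, 4),
    "cwong": date(2024, 3, 10),
    "dpatel": date(2024, 3, 15),
    "egarcia": date(2024, 3, 20),
}
DISABLED_ON = {
    "asmith": date(2024, 3, 1),
    "bjones": date(2024, 3, 9),    # 5 days late
    "cwong": date(2024, 3, 11),    # within tolerance
    "dpatel": None,                # never disabled
    "egarcia": date(2024, 3, 20),
}
MAX_DAYS = 1  # hypothetical control: disable within 1 day of termination


def reperform_control(leavers, disabled_on, max_days=MAX_DAYS):
    """Independently re-run the control over the full population."""
    exceptions = {}
    for user, left in sorted(leavers.items()):
        disabled = disabled_on.get(user)
        if disabled is None:
            exceptions[user] = "account never disabled"
        elif (disabled - left).days > max_days:
            exceptions[user] = f"disabled {(disabled - left).days} days after leaving"
    return exceptions


def draw_sample(population, size, seed):
    """Seeded sample so another auditor can reproduce the selection."""
    rng = random.Random(seed)
    items = sorted(population)
    return sorted(rng.sample(items, min(size, len(items))))


if __name__ == "__main__":
    print("Exceptions:", reperform_control(LEAVERS, DISABLED_ON))
    print("Inspect evidence for:", draw_sample(LEAVERS, 3, seed=2024))
```

Recording the seed in the working papers lets a reviewer regenerate the same sample, and the exception list gives the findings that feed the audit report.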
