Developing the IT Audit Plan
Global Technology Audit Guide
GTAG® 11
www.theiia.org
What this guide covers
• To explore the relationship between IT and business
• To define the IT audit universe
• To develop the IT audit plan from the IT audit universe
• To provide an example of developing an IT audit plan
A Quick Overview of IT
• To internal auditors, IT is two things:
– A domain subject to audit
– A tool that helps audit
(Diagram: IT shown both as an audit subject and as an aid to auditing.)
A Quick Overview of IT
• IT Domain – 3 Dimensions
– Technical layer (Technology)
– IT controls (Process)
– IT management (People)
(Diagram: the IT domain as three layers. IT Management: IT Planning, System Operations, Programming, Vendor management. IT Controls: Application Controls and IT General Controls. Technical Layer: Application, Database, Operating Systems, Network / Physical.)
A Quick Overview of IT
Layer 1 - Technical Layer
• Includes business applications, and the IT infrastructures that underlie, support, and enable the applications.
– Application systems
– Databases
– Operating systems
– Networks
(Diagram: the three-layer IT domain model with the Technical Layer highlighted: Application, Database, Operating Systems, Network / Physical.)
A Quick Overview of IT
• Layer 2 – IT Controls
– IT General Controls
• Systems development
• Change management
• Data center security
• Backup & restore
• …
– Application Controls
• Authorization
• Data integrity check
• Segregation of duties
• …
(Diagram: the three-layer IT domain model with the IT Controls layer highlighted: Application Controls and IT General Controls.)
A Quick Overview of IT
Layer 3 - IT Management
• Comprises the set of people, policies, and procedures that manage the IT environment.
– IT Planning
– System operations
– Programming
– Vendor management
(Diagram: the three-layer IT domain model with the IT Management layer highlighted: IT Planning, System Operations, Programming, Vendor management.)
IT and Business
• IT only exists to support and further business objectives.
(Diagram: a stack from Business Objectives and Business Processes (Business) down to Applications and IT Infrastructure (IT).)
IT and Business
(Diagram: how business processes are supported by applications, infrastructure and controls.)
Business Processes: HR, IT support, Finance, …, R&D; Purchase, Production, Operation, Marketing, Sales, …, Services
Applications: Application A, Application B, Application C
IT Infrastructure: Database, Operating System, Network/Physical
IT General Controls: Systems Development, Change Management, Logical Access, Physical controls, Service & Support Processes, Backup & Restore
Application Controls: Authorization, Integrity, Availability, Confidentiality, Segregation of duties
Understand the Business
• Identify the organization’s strategy and business objectives
• Identify how the organization structures its business operations
• Understand the high-risk profile of the organization
• Understand the regulation and compliance requirements
• Understand the IT support model
– The degree of system and geographic centralization
– The degree of outsourcing
– The degree of reliance on technology
Define the IT Audit Universe
• Dissect the business fundamentals
• Identify key business areas
• Identify application systems that support the above business areas
• Identify critical infrastructure that supports the above applications
• Identify major projects and initiatives
• Determine realistic audit subjects
(Diagram: Business Objectives, Business Processes, Applications and Projects, IT Infrastructure, stacked top to bottom.)
Define the IT Audit Universe
• Defining the IT audit universe should consider elements under all three IT layers
– Technical layer - applications, IT infrastructure
– IT management
– IT controls - general controls and application controls
Develop the IT Audit Plan - Risk Assessment
• The IIA Standard 2010 – Planning: The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.
• There is no such thing as “IT Risk.” Examples of risks are:
– Strategic
– Financial
– Reputation
– Legal and Regulatory
– Operational
• There are many risk ranking approaches. The IIA’s IPPF states that risk is measured in terms of impact and likelihood.
• Prioritize audit subjects based on the risk ranking
Develop the IT Audit Plan
• Risk assessment and audit plan
Risk Assessment (Understand Risks)
– Driver = Risks; Influencer = Resources
– Key Activities: Obtain Explicit Input from Stakeholders; Identify Relevant Risks; Assess Risks; Prioritize Risks
Audit Plan (Allocate Resources)
– Driver = Resources; Influencer = Risks
– Key Activities: Understand Universe of Potential Audit Subjects; Allocate and Rationalize Resources; Reconcile and Finalize Audit Plan
Source: Ernst & Young
Develop the IT Audit Plan
• Focus on high risk audit subjects
• Audit frequency
– Established in an initial risk assessment and is proportional to the risk level
– No predefined audit frequency; the audit plan is based on a continuous risk assessment
• Consider mandated audit areas
• Consider management’s requests for consulting services
• Integrate the IT audit plan with non-IT audit activities
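As an added illustration (not from the guide), the following Python sketch ties the risk-assessment, plan-development and validation slides together: it scores a constructed audit universe by impact and likelihood, schedules mandated subjects before the remaining resource budget is given to the highest-ranked risks, and then checks that the plan touches all three IT layers. The subject names, scores and hour estimates are assumed sample values.

```python
from dataclasses import dataclass

@dataclass
class AuditSubject:
    name: str
    layer: str        # "technical", "it_controls" or "it_management"
    impact: int       # 1 (low) .. 5 (high)
    likelihood: int   # 1 (low) .. 5 (high)
    hours: int        # estimated audit effort
    mandated: bool = False   # regulatory or contractual audit area

    @property
    def score(self) -> int:
        # IPPF: risk is measured in terms of impact and likelihood
        return self.impact * self.likelihood

UNIVERSE = [  # constructed sample universe; all values are illustrative
    AuditSubject("ERP application (finance)", "technical", 5, 3, 120),
    AuditSubject("Core network / firewalls", "technical", 4, 4, 80),
    AuditSubject("Change management (ITGC)", "it_controls", 4, 3, 60),
    AuditSubject("Backup & restore (ITGC)", "it_controls", 5, 2, 40),
    AuditSubject("SOX ITGC testing", "it_controls", 3, 2, 100, mandated=True),
    AuditSubject("Vendor management", "it_management", 3, 3, 50),
    AuditSubject("IT planning / strategy", "it_management", 2, 2, 40),
]

def rank_subjects(universe):
    """Order subjects by risk score, highest first (stable for ties)."""
    return sorted(universe, key=lambda s: s.score, reverse=True)

def build_plan(universe, budget_hours):
    """Resources drive the plan, risks influence it: mandated subjects are
    scheduled first, remaining hours go to the top risks. Returns (planned, deferred)."""
    planned = [s for s in universe if s.mandated]
    remaining = budget_hours - sum(s.hours for s in planned)
    if remaining < 0:
        raise ValueError("mandated work alone exceeds the audit budget")
    deferred = []
    for s in rank_subjects(x for x in universe if not x.mandated):
        if s.hours <= remaining:
            planned.append(s)
            remaining -= s.hours
        else:
            deferred.append(s)
    return planned, deferred

def validate_plan(planned):
    """Validation check: report IT layers the plan leaves uncovered."""
    covered = {s.layer for s in planned}
    return sorted({"technical", "it_controls", "it_management"} - covered)
```

With a 400-hour budget the sample plan covers the technical and control layers but defers both IT-management subjects, which is exactly the gap the validation step is meant to surface.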
Validate the IT Audit Plan
(Diagram: a risk heat map with Likelihood on the horizontal axis (L to H) and Risk Impact on the vertical axis (Low to High). The total audit universe is plotted on the map; audit resources are assigned to the mandated subjects and to the risk-assessed subjects selected from that universe.)
Summary
Steps to develop the IT Audit Plan:
• Understand the organization and how IT supports it
• Understand the IT environment and define the IT audit universe
• Prioritize audit subjects through risk assessment
• Develop the IT audit plan
Conclusion
• IT only exists to support and further business objectives.
• To define the IT audit universe, understand the business first
• To develop the IT audit plan, assess business risk associated with IT