IT Auditing – Planning the IT Audit- Technology’s continual growth has drastically altered how most businesses work. Pen and paper transactions have been replaced by automated online data entry applications, and strong passwords and identification codes have been employed to control access to electronic files instead of keys and locks for filing cabinets. In terms of data processing and transmission capability, the implementation of innovative technology has greatly increased business efficiency within most firms. Nonetheless, it has brought and generated new vulnerabilities that must be addressed and mitigated. Each vulnerability must be controlled, which necessitates the development of new auditing tools to better analyse the adequacy of each control. Because of the reliance on computerised systems, auditees have been forced to adapt their auditing technique and methodology for fear of data integrity breaches, violations of confidentiality policies, and so on. As a result, an independent audit is necessary to verify and confirm that suitable safeguards have been designed and implemented to reduce or eliminate risk exposure.
Objectives and Definition
Any work done on the outskirts of examining and evaluating an organization’s information technology policy, infrastructure, and operations is referred to as IT auditing. Information technology auditing is the act of gathering and analysing information to determine whether a computer system preserves data integrity, protects assets, efficiently uses resources, and facilitates the achievement of business goals.
Assessment and evaluation of the process with the following goals:
- Asset protection includes data objects and resources used to host and support information systems.
- Ensure that the following data sets are kept up to date:
- Information trustworthiness
Phases of the Audit process
These are the four major steps in the auditing process.
A. Preliminary assessment and information gathering
Although emphasised at the start of an audit, planning is an ongoing process. An initial evaluation is performed to identify the scope and type of testing that will be performed in the future. If the auditees discover that the specific control processes are ineffective, they may be required to reconsider their earlier judgments and other important choices based on them.
B. Understanding the organisation
The IT auditor’s job is to acquire information and input on the following aspects of the examined object:
- The working environment and function of an organisation.
- The IT system’s criticality, whether it’s a mission-critical or a support system
- The organization’s structure
- The software and hardware that are now in use are of a certain type.
- The nature and scope of the threats to the organisation
The scope of knowledge to be obtained about the organisation is largely determined by the type of the business and the desired degree of audit report. The auditor should use the information acquired to identify potential problems, develop study objectives, and define the scope of work.
Defining audit objectives and scope
The risk assessment carried out by an auditee following exposure defines the audit’s objectives and scope. Risk management is an important aspect of protecting your company from hackers. It can be defined as the process of finding, assessing, and taking the appropriate steps to reduce the risk in a system to an acceptable level. Integrity, confidentiality, and availability are the key security goals in any firm.
The auditor can choose from a variety of risk assessment approaches, ranging from simple judgment-based classifications of low, medium, and high risk to more rigorous scientific classifications that result in a numeric risk rating. Internal controls are procedures, policies, and organisational structures that are put in place after the risk assessment to decrease risk. Discussions with management, surveys, existing documentation, and/or a preliminary examination of the application can all be used to provide a preliminary assessment of controls.
The following are some of the most typical IT audit goals:
- Security infrastructure and systems are being examined.
- Review of IT systems to ensure their security
- Examine the system’s development process and procedures at various phases.
- An assessment of a programme or system’s effectiveness.
The scope and aims of an audit are not restricted to the areas listed above. It should be able to cover all of the important aspects of security, such as security settings, passwords, firewall security, user rights, and physical access security, among others.
The audit’s scope, on the other hand, should identify the audit’s borders, limits, or peripheral. The scope of an audit is determined as part of the audit planning process and includes elements such as the extent of substantive evaluation based on the risk, control weakness, audit duration, and number of locations to be covered.
Collection and evaluation of evidence
To support the second auditor’s assessment and conclusions on the organisations, functions, activities, or programmes under audit, substantial, reasonable, and relevant evidence should be acquired. The data gathering techniques should be carefully selected, and the auditor should have a thorough awareness of the approach and method adopted.
i. Audit Evidence Types
The following are the three primary forms of audit evidence:
- Analysis of documentary audit evidence
- Processes were observed, as well as the presence of tangible goods.
The auditor’s inquiry or inspection of tangible assets is referred to as physical verification. The methods listed below can be used to gather audit evidence.
2. Interviews – can be utilised to gather both quantitative and qualitative data during the data collecting process. Systems analysts will be interviewed to better understand the security system’s controls and functionalities, as well as data entry staff to establish the methods they use to enter data that the system has identified as wrong, inaccurate, or malicious.
3. Questionnaires – Questioners have historically been used to evaluate controls inside the audited system. In certain circumstances, auditors have employed questioners to identify specific areas of system weakness during the evidence collection process. Questions should be as specific as feasible while preparing the questioners, and the language used should be appropriate for the intended person’s understanding.
4. Flowcharts – are used to demonstrate how controls are integrated into the system and where they are located. They are essential for audit comprehension, evaluation, and communication.
5. Analytical processes – using comparisons and various relationships, determine whether the account balance is appropriate. The methods should be carried out early in the audit to identify accounts that will require additional verification, those where the evidence can be decreased, and areas where inquiries should be focused.
ii. Tools of evidence collection
The demand for traceable documentation has increased, which has opened up the space for auditors to employ a variety of technologies. The following are some examples of commonly used software:
Access to stored data and manipulation of other stored media is provided by Generalized Audit Software.
Audit software tailored to a given industry Is designed to issue a high-level command that initiates fundamental audit processes.
Utility Software – unlike the others, this software does several functions automatically, such as sorting, disc searching, copying, disc formatting, and so on.
Specialized audit software is used to carry out a specialised set of auditing tasks.
Concurrent Auditing Tools — are used to collect data from many programmes at the same time.
Reporting and documentation
Auditors are expected to properly document all audit evidence, including the scope of planning, the audit’s basis, the audit’s operations, and the audit’s findings. The final document should include the audit’s strategy and preparation, audit programme, observations, reports, and statistics, among other things.
How to structure the report
As much as the subject allows, the report should be thorough, exact, objective, clear, timely, and precise. The following titles might be used to format your report:
Your report should begin with a brief description of the audit you’re working on. Details about the system, such as a description of the software’s environment, the resources necessary to execute the system, and some information about the programme being used, may be included in the overview. It’s crucial to include information about the amount of data and the level of processing difficulty. This is done so that the reader has a clear idea of what the report is about and can appreciate the audit’s subsequent findings. You must state the system’s criticality level, as most observations are graded on their seriousness based on how the system’s criticality is characterised.
Objectives, Scope, and Methodology
You must explain your understanding of the audit’s objectives, scope, and methodology in this area. This is to help readers understand the audit’s unique goal, the problems it faced, and to be able to make informed decisions about the audit’s merits. An auditor should explain aspects of performance assessed in the audit in the objectives section. The auditor is expected to describe the depth of the work or input made to fulfil the audit’s objectives in the scope section. Auditors should identify the audited organisation, the hardware and software utilised, geographic locations, the audit period, explain the sources of the evidence supplied, and finally, describe the quality of the challenges or flaws in the evidence. The methodology should describe the techniques that were utilised to collect and analyse the identified hazards.
Significant discoveries relating to audit objectives must be reported by auditors. The auditor should offer enough, relevant, and competent material to allow for a thorough comprehension of the issues being reported. The information supplied should also be exact in order to persuade the audience. This can be accomplished by giving detailed audit background information.
Conclusions are drawn in accordance with the audit’s objectives, which have been previously specified. The strength of the findings is mostly determined by the persuasiveness of the evidence and the logic utilised to arrive at them. It’s best to avoid making broad judgments about risks and controls.
If the report findings show that there is area for improvement, the auditor should make recommendations. If there is severe noncompliance with the rules and regulations of the land, or if there are major weaknesses in controls, recommendations should be made to ensure effective compliance and adherence to the law. Auditors should also consider the impact of uncorrected findings and recommendations from previous audits on the current audit and recommendations.
Constructive recommendations are those that are directed at relevant authorities who may act and try to solve the stated cause of problems. As a result, the proposals should be feasible, attainable, and cost-effective.
The report should highlight notable managerial accomplishments as well as weaknesses detected within the scope of the audit. It provides a fair and balanced description of the situation that seems rational and realistic.
The audit report should include the audit’s limitations and problems.
Information Technology Controls
In recent years, technological breakthroughs have resulted in a rapid change in the capabilities of computer systems. Some businesses have fully embraced the system, with all of their data being computerised and accessible solely through digital media. Auditors will have to adapt their auditing approaches as a result of the change in how most firms manage their data. Except for their implementation, the audit’s general control objectives are not necessarily harmed. A change in implementation methodology necessitates a shift in the auditors’ approach to evaluate internal controls.
Compliance and substantive testing are carried out while executing an IT Control Audit with the current IT infrastructure. Compliance testing is done to see if controls are being implemented according to the auditee’s instructions or the programme documentation’s description. It establishes the level of control compliance with management rules and procedures. As the name implies, a substantive audit is a test performed on a system to verify the effectiveness of the controls in protecting the organisation against hostile cyber activity. Unauthorized access to valuable organisation assets in terms of data or programme, undiscovered misstatements, reduced accountability, unexpected transactions, corrupted data files, wrong information, and so on should all be considered during the tests.
Audit of General Controls
This includes system performance monitoring, job scheduling, media management, capacity planning, maintenance network monitoring, and administration audit, to name a few things.
Audit of Application Controls
Program controls are unique to a given application and can have a substantial impact on how a transaction is handled. They are measures put in place to ensure that each transaction is legitimate, approved, complete, and recorded. An auditor should first grasp how the system works before diving into an in-depth examination of application controls. Before beginning the study, a brief description of the application is created, including the primary transactions performed, a description of the transaction flow and main output, a quick description of the major data files, and an estimate of transaction volumes.
Application control can be subdivided into the following categories for a systematic study:
- Input controls
- Processing controls
- Output controls
- Standing data file controls
Network and Internet Controls
Local or wide area networks are routinely used to connect people in most organisations, especially medium to large scale enterprises. This has a number of drawbacks, as it does not guarantee that the system will only be accessed by authorised users. Only authorised users should be able to access the network. The existing security mechanism should not be only based on logical access. Because data is transmitted across networks, it can be distorted, lost, or intercepted. To eliminate all of these hazards, controls should be implemented.
To connect your PCs directly to the internet, the safest policy is to:
- The machine is physically separated from the essential data.
- All of the server’s logical parts that aren’t in use should be turned off.
- Access to the machine and rewritable directories, as well as those that can be accessed by anonymous users, should be denied to unknown identities.
- To be in charge of the internet machine, hire an experienced person.
- Keep an eye on any efforts to log into the machine.
- As many user accounts as feasible should be limited.
This comprises a number of different checklists.
The following is a list of documents that will assist you in gaining a thorough understanding of the system.
Any audit begins with some background information about the organisation in order to have a better understanding of its day-to-day operations and how IT influences them. An example document can be found below to help you understand the system.
- Background information on the organisations
- A diagram of the organisation
- Personnel procedures
- Laws and regulations affecting or influencing the company, such as the Income Tax Act.
- Applications with their specifics
- Network and application architecture
- The organisation of the IT department and the duties that each department plays
- Responsibilities of IT personnel in relation to such application
- Associated expenses
- Reports about project management
- A description of the hardware that was used
- A description of the software utilised, including whether it was developed in-house or obtained from a third party, and so on.
- Information from the database
- Data dictionary, data flow diagrams, and table listings
- Relationships between database triggers and tables are described.
- Different interfaces available.
- Guides for users, operations, and systems
- Performance Analysis Reports
- Authorized users’ list
- Test results and data
- A security outline for the system is proposed.
- Previous audit reports
- Internal audit reports
- User feedback on the system
- Reports on peer review
Criticality Evaluation Tool
There could be multiple IT systems in use at the same time in a company. In relation to the criticality of the application, an auditor should be concerned in the nature, scope, rigour, and extent of the audit. A system’s criticality is formed through a subjective process.
Data collection on IT systems of a particular or specific nature
In circumstances where the information acquired must be precise, the audit team may decide to employ a questionnaire. The questionnaire is utilised during the auditing process. The questions are detailed and designed to elicit a specific reaction from the people who will be contacted.
Checklist for risk assessment
This is a list of questions that were asked about various areas of IT systems in order to deduce risk levels within the system that was being audited. The auditor compiles and organises the list based on their knowledge of the application and the organisation as a whole.