IT auditors frequently find themselves educating the business community on how their work adds value to an organization. Internal audit departments commonly have an IT audit component which is deployed with a clear perspective on its role in an organization. However, in our experience as IT auditors, the wider business community needs to understand the IT audit function in order to realize the maximum benefit. In this context, we are publishing this brief overview of the specific benefits and added value provided by an IT audit.
To be specific, IT audits may cover a wide range of IT processing and communication infrastructure such as client-server systems and networks, operating systems, security systems, software applications, web services, databases, telecom infrastructure, change management procedures and disaster recovery planning.
The sequence of a standard audit starts with identifying risks, then assessing the design of controls and finally testing the effectiveness of the controls. Skillful auditors can add value in each phase of the audit.
Companies generally maintain an IT audit function to provide assurance on technology controls and to ensure regulatory compliance with federal or industry specific requirements. As investments in technology grow, IT auditing can provide assurance that risks are controlled and that huge losses are not likely. An organization may also determine that a high risk of outage, security threat or vulnerability exists. There may also be requirements for regulatory compliance such as the Sarbanes Oxley Act or requirements that are specific to an industry.
Below we discuss five key areas in which IT auditors can add value to an organization. Of course, the quality and depth of a technical audit is a prerequisite to adding value. The planned scope of an audit is also critical to the value added. Without a clear mandate on what business processes and risks will be audited, it is hard to ensure success or added value.
So here are our top five ways that an IT audit adds value:
1. Reduce risk. The planning and execution of an IT audit consists of the identification and assessment of IT risks in an organization.
IT audits usually cover risks related to confidentiality, integrity and availability of information technology infrastructure and processes. Additional risks include effectiveness, efficiency and reliability of IT.
Once risks are assessed, there can be clear vision on what course to take – to reduce or mitigate the risks through controls, to transfer the risk through insurance or to simply accept the risk as part of the operating environment.
A critical concept here is that IT risk is business risk. Any threat to or vulnerability of critical IT operations can have a direct effect on an entire organization. In short, the organization needs to know where the risks are and then proceed to do something about them.
Best practices in IT risk used by auditors are ISACA COBIT and RiskIT frameworks and the ISO/IEC 27002 standard ‘Code of practice for information security management’.
2. Strengthen controls (and improve security). After assessing risks as described above, controls can then be identified and assessed. Poorly designed or ineffective controls can be redesigned and/or strengthened.
The COBIT framework of IT controls is especially useful here. It consists of four high level domains that cover 32 control processes useful in reducing risk. The COBIT framework covers all aspects of information security including control objectives, key performance indicators, key goal indicators and critical success factors.
An auditor can use COBIT to assess the controls in an organization and make recommendations that add real value to the IT environment and to the organization as a whole.
Another control framework is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model of internal controls. IT auditors can use this framework to get assurance on (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance with applicable laws and regulations. The framework contains two elements out of five that directly relate to controls – control environment and control activities.
3. Comply with regulations. Wide ranging regulations at the federal and state levels include specific requirements for information security. The IT auditor serves a critical function in ensuring that specific requirements are met, risks are assessed and controls implemented.
Sarbanes Oxley Act (Corporate and Criminal Fraud Accountability Act) includes requirements for all public companies to ensure that internal controls are adequate as defined in the framework of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) discussed above. It is the IT auditor who provides the assurance that such requirements are met.
Health Insurance Portability and Accountability Act (HIPAA) has three areas of IT requirements – administrative, technical and physical. It is the IT auditor who plays a key role in ensuring compliance with these requirements.
Various industries have additional requirements such as the Payment Card Industry (PCI) Data Security Standard in the credit card industry e.g. Visa and Mastercard.
In all of these compliance and regulatory areas, the IT auditor plays a central role. An organization needs assurance that all requirements are met.
4. Facilitate communication between business and technology management. An audit can have the positive effect of opening channels of communication between an organization’s business and technology management. Auditors interview, observe and test what is happening in reality and in practice. The final deliverables from an audit are valuable information in written reports and oral presentations. Senior management can get direct feedback on how their organization is functioning.
Technology professionals in an organization also need to know the expectations and objectives of senior management. Auditors help this communication from the top down through participation in meetings with technology management and through review of the current implementations of policies, standards and guidelines.
It is important to understand that IT auditing is a key element in management’s oversight of technology. An organization’s technology exists to support business strategy, functions and operations. Alignment of business and supporting technology is critical. IT auditing maintains this alignment.
5. Improve IT Governance. The IT Governance Institute (ITGI) has published the following definition:
‘IT Governance is the responsibility of executives and board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.’
The leadership, organizational structures and processes referred to in the definition all point to IT auditors as key players. Central to IT auditing and to overall IT management is a strong understanding of the value, risks and controls around an organization’s technology environment. More specifically, IT auditors review the value, risks and controls in each of the key components of technology – applications, information, infrastructure and people.
Another perspective on IT governance consists of a framework of four key objectives which are also discussed in the IT Governance Institute’s documentation:
*IT is aligned with the business *IT enables the business and maximizes benefits *IT resources are used responsibly *IT risks are managed appropriately
IT auditors provide assurance that each of these objectives is met. Each objective is critical to an organization and is therefore critical in the IT audit function.
To sum up, IT auditing adds value by reducing risks, improving security, complying with regulations and facilitating communication between technology and business management. Finally, IT auditing improves and strengthens overall IT governance.
ISACA. Control Objectives for Information and related Technology (COBIT).
ISO/IEC 27002 Code of practice for information security management.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework.