Understanding IT risks
Pinpointing resources required to carry out the work
The IT environment – An appreciation of the IT environment flows from an understanding of the internal IT procedures and operations of the subject under review. This cannot be stressed enough. Without this basic understanding, audit work is likely to be misdirected, raising the risk of drawing unsuitable or incorrect conclusions. This initial research work should involve a high-level review of the IT procedures and control environment in place, focusing on the basic principles of IT security: Confidentiality, Integrity and Availability. At a minimum, the areas covered at this stage would be:
a) Change Management, i.e. the change controls around software and hardware updates to critical systems;
b) Access Security, i.e. the access controls enforced to enter the systems both internally and externally; and
c) Business Continuity and Disaster Recovery, i.e. the ability of an enterprise to safeguard information assets from unforeseen threats or disasters and to recover from them quickly.
Having this level of understanding will enable the IT auditor to plan out their work efficiently and effectively.
IT risks – As is the case for other types of professionally handled audit work, these days most IT auditors apply the risk-based approach to planning and performing their work. This involves identifying the most important risks, linking these to control objectives and identifying specific controls to mitigate these risks. In this respect, IT auditing standards/guidelines (e.g. ISO 27001 and COBIT 5) may be used by the IT auditor to identify or advise on controls that will reduce the risks identified to an acceptable level.
Resources required – The last important piece in the audit planning jigsaw is to assess the amount of work involved, including the need for specialist expertise. With the timing and availability of suitable IT audit human resources typically being a challenge, getting this step right should result in higher-quality and lower-cost audit work.