The top five benefits of IT auditing

IT auditors often find themselves educating the business community on how their work adds value to an organization. Internal audit departments typically have an IT audit component that is implemented with a clear perspective of its role in an organization. However, in our experience as IT auditors, the broader business community needs to understand the IT audit function to gain maximum benefit. It is against this background that we publish this brief summary of the specific benefits and added value that an IT audit provides.

To be specific, IT audits can cover a wide range of IT processing and communication infrastructure, such as client-server systems and networks, operating systems, security systems, software applications, web services, databases, data infrastructure, telecommunications, change management procedures, and disaster recovery planning.

The standard audit sequence begins with risk identification, then evaluates the design of controls, and finally tests the effectiveness of the controls. Skilled auditors can add value at every phase of the audit.

Companies typically maintain an IT audit function to provide assurance on technology controls and ensure regulatory compliance with federal or industry-specific requirements. As technology investments grow, IT auditing can ensure that risks are controlled and large losses are not likely. An organization may also determine that there is a high risk of disruption, security threat, or vulnerability. There may also be requirements for regulatory compliance, such as the Sarbanes Oxley Act, or requirements that are specific to an industry.

Below, we look at five key areas where IT auditors can add value to an organization. Of course, the quality and depth of a technical audit is a prerequisite for adding value. The planned scope of an audit is also critical to added value. Without a clear mandate for which business processes and risks will be audited, it is difficult to guarantee success or added value.

Here are our top five ways an IT audit adds value:

1. Reduce risk. The planning and execution of an IT audit consists of the identification and evaluation of IT risks in an organization.

IT audits typically cover risks related to the confidentiality, integrity, and availability of information technology infrastructure and processes. Additional risks include IT effectiveness, efficiency, and reliability.

Once risks are assessed, there can be a clear vision of what course to take: reduce or mitigate risks through controls, transfer risk through insurance, or simply accept risk as part of the operating environment.

A critical concept here is that IT risk is business risk. Any threat or vulnerability to critical IT operations can have a direct effect on the entire organization. In short, the organization needs to know where the risks are and then proceed to do something about it.

The best IT risk practices used by auditors are the ISACA COBIT and RiskIT frameworks and the ISO/IEC 27002 ‘Code of Practice for Information Security Management’ standard.

2. Strengthen controls (and improve security). After evaluating the risks as described above, controls can be identified and evaluated. Poorly designed or ineffective controls can be redesigned and/or strengthened.

The COBIT framework of IT controls is especially useful here. It consists of four high-level domains that cover 32 control processes useful for reducing risk. The COBIT framework covers all aspects of information security, including control objectives, key performance indicators, key objective indicators, and critical success factors.

An auditor can use COBIT to assess controls in an organization and make recommendations that add real value to the IT environment and the organization as a whole.

Another control framework is the Treadway Commission Committee of Sponsoring Organizations (COSO) internal controls model. IT auditors can use this framework to obtain assurance about (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting, and (3) compliance with applicable laws and regulations. The framework contains two elements out of five that relate directly to controls: the control environment and control activities.

3. Comply with regulations. Far-reaching regulations at the federal and state levels include specific requirements for information security. The IT auditor plays a critical role in ensuring that specific requirements are met, risks are assessed, and controls are in place.

The Sarbanes Oxley Act (Corporate and Criminal Fraud Liability Act) includes requirements for all public companies to ensure that internal controls are adequate, as defined under the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework discussed previously. It is the IT auditor who provides assurance that these requirements are met.

The Health Insurance Portability and Accountability Act (HIPAA) has three areas of IT requirements: administrative, technical, and physical. It is the IT auditor who plays a key role in ensuring compliance with these requirements.

Several industries have additional requirements, such as the Payment Card Industry (PCI) data security standard in the credit card industry (for example, Visa and Mastercard).

In all of these regulatory and compliance areas, the IT auditor plays a central role. An organization needs to ensure that all requirements are met.

4. Facilitate communication between the business and technology management. An audit can have the positive effect of opening communication channels between the commercial and technological management of an organization. Auditors interview, observe and test what happens in reality and in practice. The final deliverables of an audit are valuable information in written reports and oral presentations. Senior management can get direct feedback on how their organization is performing.

Technology professionals in an organization also need to know the expectations and goals of senior management. Auditors assist in this top-down communication through participation in meetings with technology management and by reviewing current implementations of policies, standards, and guidelines.

It is important to understand that IT auditing is a key element in management oversight of technology. An organization’s technology exists to support business strategy, functions, and operations. The alignment of the business and supporting technology is essential. IT audit maintains this alignment.

5. Improve IT Governance. The IT Governance Institute (ITGI) has published the following definition:

‘IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT supports and furthers the organization’s strategies and objectives.’

The leadership, organizational structures and processes referenced in the definition point to IT auditors as key players. Central to IT auditing and overall IT management is a solid understanding of the value, risks, and controls around an organization’s technology environment. More specifically, IT auditors review the value, risks, and controls in each of the key components of technology: applications, information, infrastructure, and people.

Another perspective on IT governance consists of a framework of four key objectives that are also discussed in the IT Governance Institute documentation:

* IT is aligned with the business
* IT enables the business and maximizes benefits
* IT resources are used responsibly
* IT risks are properly managed

IT auditors ensure that each of these objectives is met. Each objective is critical to an organization and therefore critical in the IT audit function.

In short, IT auditing adds value by reducing risk, improving security, complying with regulations, and facilitating communication between technology and business management. Finally, IT auditing improves and strengthens overall IT governance.

References:

ISACA. Control Objectives for Information and Related Technologies (COBIT).

ISO/IEC 27002 Code of practice for information security management.

Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
