What is IT Audit?
IT Audit’s objective is to obtain assurance that the IT infrastructure and processes produce the expected business results. Those results are: effectiveness (i.e. the ability to satisfy the business requirements), efficiency (i.e. using organizational resources at an optimum level), security (i.e. protection of the information assets’ confidentiality, integrity and availability), reliability and compliance (which are derivatives of the previous outcomes).
Although information technology is an area of technical expertise, the planning and exercise of IT audit should be in line with generally accepted audit practices and principles. Some of those principles are risk-based audit planning and obtaining objective evidence to support the audit conclusions. IT audit is a kind of control assurance audit.
Information technology controls are mainly composed of organizational controls, process controls and technical controls. The physical controls which protect the information technology infrastructure from physical threats are also part of the IT controls.
In order to create a risk-based audit plan, an audit universe of auditable units should be defined. An audit universe and its components may change over time, but we need it to discuss prioritization of the audit scopes. An auditable unit is characterized as an audit scope which can be audited without needing (or needing much) to refer to another auditable unit, which has certain inputs and outputs, and which is logistically efficient to audit in a defined time period. It can be expressed in terms of organizations, infrastructure zones or systems. For instance, database management, software development life cycle, network management, IT project management or security monitoring scopes can be used as auditable units.
Various methods can be used for risk assessment. However, every risk assessment method should take the factors of impact and likelihood into account, and try to measure those factors for every risk domain.
While developing an audit plan for multiple periods, some critical auditable units may be included in each period and some units may be rotated. Some auditable units may become important at certain times due to changes in environmental conditions or business objectives. The main objective of the risk assessment is to recognize these changes in a timely manner and to make the right prioritization.
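The prioritization described above, as an added example that is not part of the original article: each auditable unit gets an impact x likelihood score, units above a threshold are audited every period, and the remaining capacity rotates through the other units, stalest and riskiest first. The unit names follow the article's examples; the scores, the threshold and the capacity are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuditableUnit:
    """One entry of the audit universe with its assessed risk factors (1 = low, 5 = high)."""
    name: str
    impact: int
    likelihood: int
    last_audited: Optional[int] = None   # period index of the last audit, None = never audited

def risk_score(unit: AuditableUnit) -> int:
    """Inherent risk as impact x likelihood (range 1..25)."""
    return unit.impact * unit.likelihood

def staleness(unit: AuditableUnit, period: int) -> float:
    """Periods elapsed since the last audit; a never-audited unit is the stalest."""
    return float("inf") if unit.last_audited is None else period - unit.last_audited

def build_audit_plan(units, periods, capacity, critical_threshold=15):
    """Plan `periods` audit periods of about `capacity` units each.

    Units at or above the threshold are audited every period (even if that alone
    exceeds the capacity); the remaining slots rotate through the other units.
    """
    plan = []
    for period in range(periods):
        critical = [u for u in units if risk_score(u) >= critical_threshold]
        rotated = sorted((u for u in units if risk_score(u) < critical_threshold),
                         key=lambda u: (-staleness(u, period), -risk_score(u), u.name))
        chosen = critical + rotated[: max(0, capacity - len(critical))]
        for u in chosen:
            u.last_audited = period   # the audit universe remembers when each unit was covered
        plan.append([u.name for u in chosen])
    return plan

def example_universe():
    """Constructed sample audit universe; the scores are illustrative assumptions."""
    return [
        AuditableUnit("database management", impact=5, likelihood=4),
        AuditableUnit("security monitoring", impact=5, likelihood=3),
        AuditableUnit("network management", impact=4, likelihood=3),
        AuditableUnit("software development life cycle", impact=3, likelihood=3),
        AuditableUnit("IT project management", impact=3, likelihood=2),
    ]

if __name__ == "__main__":
    for i, scope in enumerate(build_audit_plan(example_universe(), periods=3, capacity=3)):
        print(f"period {i}: {scope}")
```

Re-running the scoring each period with updated impact and likelihood values is what lets a change in business conditions move a unit into or out of the critical set.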
There are frameworks and standards of best practices that can be used to identify information technology controls to be audited. These include COBIT, ITIL, ISO27001 and ISO27002, PRINCE, CMMI.
IT audit uses general control audit techniques such as interview, observation, document review and reperformance. In accordance with the general approach in control audits, automated controls can be tested on fewer samples than manual controls. Similar to other audit areas, the continuous audit method can be applied for some critical controls where remote monitoring is possible.
In general, certain benefits can be attributed to audit activities in the field of information technology. However, evaluating these benefits sector by sector makes them much easier to understand. Accordingly, the following specific benefits can be expected from IT audit in the following sectors:
Holding Company: If a holding company has a central role in IT support and IT procurements for its affiliated entities, a holding company can be assured of:
- IT Architecture Management: Directing the group IT infrastructure investments in accordance with the current infrastructure and future strategic IT directions, resulting in faster and more flexible solutions, optimization of hardware, software and personnel resources and optimization of procurements
- IT Project and Investment Management: Prioritizing the group IT investments in line with the group’s business strategies, ensuring that the investments made provide the expected benefits
- Central Security Consultancy and Incident Response Support: Providing security consultancy support to group entities by creating a center of excellence for information security and supporting them in case of a security breach for effective incident response
Finance Industry: As an industry which heavily uses IT systems, processes large amounts of personally identifiable information and is heavily regulated in terms of IT and information security controls, the following assurances can be obtained:
- Compliance with Regulations: Establishing the necessary organizational structures for compliance with the regulations, establishing the necessary processes for IT and information security governance
- Service Continuity: Implementing the necessary investments, developing the processes required and training the personnel for the continuous delivery of financial services and timely recovery from possible incidents
- Security of Personally Identifiable Information and Protection of Corporate Reputation: Definition of information classes and implementation of access controls, encryption controls, and log management controls on their life cycles
- Protection of Financial Assets Against Attackers: Protection of corporate and customer financial assets through robust design and technical compliance audits of critical infrastructures, servers, and applications open to dangerous networks
Telecom Industry: Telecom industry is another industry which is highly regulated. The need for confidentiality and continuity is quite high for the telecom industry due to the sensitivity of the personal information processed and the vitality of communications services for the community. The high level of competition in this industry creates pressure on project delivery times and that leaves enough room for mistakes in security controls. For this reason, there is a need for high levels of assurance in the following areas:
- Security of Communications Traffic Information and Compliance with Regulations: Implementation of security controls to protect the sensitive communications traffic and implementation of the security management system to assure a sustained security level
- Protection of Customer Information: Protection of the customer information (product, package, location, profile) from the malicious dealers, business partners and customers through application services and other channels
- Service Continuity: Keeping service continuity at the highest level possible by making necessary infrastructure investments, developing business continuity and disaster recovery plans
- Secure Adoption of New Technologies: Performing the necessary risk analyses and taking precautions against security breaches for the latest technologies implemented in this sector, which is an early adopter of emerging technologies
- Investment Efficiency: Telecom industry is probably the leading industry for the amount of investments made for the information systems infrastructure. Thus it is very important to make the right decisions for investments to make the most out of them
Energy Industry: Although not as much as the finance and telecom sectors, due to its importance in terms of social life and economy, energy security has been subject to information security regulations in recent years. Some of the energy companies provide online services to their customers. Thus cyber security is an important issue for this industry as well. Important security needs for the energy industry can be listed as follows:
- Protection of Industrial Control Systems (ICS / SCADA) Against Sabotage and Terrorist Attacks: In recent years state-supported attacks against critical infrastructure have become a great danger. Necessary measures should be taken against cyber attacks targeting the energy infrastructure.
- Ensuring the Continuity and Security of Collection Systems: Making necessary infrastructure investments and improving the processes, implementation of necessary security controls against possible delays and service interruptions in the billing and collection processes.
- Protection of Customer Information Against Competition: Implementation of necessary access controls, log management and monitoring controls in order to protect the customer information against the competition.
Retail Industry: For the retail industry it is more important to reduce inventory costs and use decision support systems effectively rather than information security. Thus obtaining assurance in the following areas is important for this sector:
- Effective IT Project Management and Ability to Deliver IT Solutions: Having an effective IT management and organization to deliver business results and having an effective software development life cycle
- Having Effective Decision Support Systems: Having an effective decision support system infrastructure to manage business resources efficiently to improve the profit margin
- Credit Card Information Security: Avoiding the risks from the leakage of credit card data and managing the risks against it
Production and Contract Sectors: The availability and effectiveness of enterprise resources planning and project management software are very important for the efficient use of resources in the production industry. Obtaining assurance in the following objectives is important for the production and contract industries:
- Effective IT Project Management and Ability to Deliver IT Solutions: Having an effective IT management and organization to deliver business results and having an effective software development life cycle
- Having Effective Decision Support Systems: Having an effective decision support system infrastructure to manage business resources efficiently to improve the profit margin
In addition to the objectives mentioned above, important hygiene rules for IT organizations and processes (e.g. event management, change management, backup, logging, capacity and performance monitoring) can be reviewed for the effectiveness of those IT controls.
IT auditing is an important assurance tool for information technology risks, which are business risks. IT audit is very important for organizations and industries which heavily depend on information technology for their operations. In addition to that, information technology audit is an indispensable tool for managing risks associated with suppliers and business partners where information sharing is high.