
IT Auditing For Everyone

 

Planning to conduct your first IT Audit? Thinking about how to get started? Wondering if it's better to just leave it to the 'techie'?

There is often a notion that one needs to be IT-trained or perhaps even have a computer science degree before attempting to make sense of the technical world of IT. While there are domains that may be very technical, most of us are not totally unfamiliar with the IT world, judging from our daily use of gadgets and technologies.

What about IT auditing then? Is it as simple as making an online purchase on your smartphone or connecting your laptop to a VPN at work?

Not quite, but you can always start with something simple.

Here’s how you can comfortably get started:

 

1. Understand the IT environment
 

The first step is essentially a stocktaking exercise. Obtain a comprehensive inventory of all IT systems used in the organisation and identify everything - from the accounting system to the room booking system. If your IT department does not maintain such an inventory, you’ll need to learn what systems the various business units are using in their everyday work (e.g., how does the Finance department process a supplier invoice and make payment? How does the HR department process and disburse payroll each month? How does the Sales department receive and process a customer order?).

   
2. Conduct risk assessment
 
  a. Assess and rate the criticality of each system on your inventory. In other words, how important is this system to the organisation? Perform a business impact analysis to assess the potential impact (financial, reputational, regulatory, legal/contractual, life or safety of people, etc.) resulting from a disruption of the system.

 

  b. Identify data security requirements for each system. This will help you understand how the data stored in each system ought to be safeguarded. You can use the CIA Security Triad – namely, Data Confidentiality, Integrity and Availability. As an illustration, suppose you have identified the corporate website as critical because of its reputational impact. You will be more concerned with inaccurate web content (a data integrity issue) arising from website defacement attacks or poor content management, and less concerned about who has accessed the website, since the content is public anyway. On the other hand, if the website is also used for online transactions, you will extend your areas of concern to cover data confidentiality (to protect customers' privacy) and availability (to ensure that you are actually receiving the customer's order).
   
3. Prepare an IT audit plan and identify areas where you may need help
 

Not all areas of IT can be reviewed in one audit cycle, hence you need to have a 3-5 year plan. Identify the more technical areas (e.g., interface controls, network security, SAP authorisations, etc), and find ways to get help, either through outsourcing or by bringing in guest auditors who possess the relevant competencies. Organise your IT audit plan to focus on the more critical systems - the crown jewels. Discuss the plan with the CIO and system/data owners, while running through your risk assessments to get their views.
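Steps 1 to 3 above form one procedure: inventory, business impact analysis, CIA requirements, then a multi-year plan that puts the crown jewels first and flags technical areas where the team needs help. The following Python script is an added example that ties those steps together as a simple risk register; it is not code from the original post or from the IIA. The four-point impact scale, the rule that criticality is the worst-case impact across dimensions, the crown-jewel threshold, the CIA derivation rules and the sample inventory are all assumptions made for illustration, so adjust them to your own organisation's rating scheme.

```python
from dataclasses import dataclass, field

# Assumed 4-point impact scale for the business impact analysis (not from the original post).
LEVELS = {"low": 1, "moderate": 2, "high": 3, "severe": 4}
DIMENSIONS = ("financial", "reputational", "regulatory", "legal", "safety")
CROWN_JEWEL_THRESHOLD = 3  # assumed: criticality at which a system counts as a crown jewel


@dataclass
class System:
    name: str
    owner: str                              # system/data owner to discuss the assessment with
    impacts: dict                           # dimension -> level name, from the BIA
    public_content: bool = False            # externally visible content (web pages, notices)
    holds_personal_data: bool = False       # customer or staff data that must stay private
    transactional: bool = False             # receives orders, makes payments, runs payroll
    technical_areas: tuple = field(default_factory=tuple)  # e.g. ("SAP authorisations",)


def criticality(system: System) -> int:
    """BIA rating: worst-case impact across all dimensions, 1 (low) to 4 (severe)."""
    return max(LEVELS[system.impacts.get(dim, "low")] for dim in DIMENSIONS)


def cia_focus(system: System) -> dict:
    """Which CIA properties the audit should emphasise for this system.

    Mirrors the post's illustration: a public website is mainly an integrity
    concern; once it also takes orders, confidentiality and availability join.
    """
    focus = {"confidentiality": "standard", "integrity": "standard", "availability": "standard"}
    if system.public_content:
        focus["integrity"] = "high"          # defacement or wrong content
    if system.holds_personal_data:
        focus["confidentiality"] = "high"    # customers' or staff privacy
    if system.transactional:
        focus["availability"] = "high"       # orders and payments must get through
        focus["integrity"] = "high"          # and must not be altered
    return focus


def crown_jewels(systems: list) -> list:
    """Names of the systems the plan should concentrate on, alphabetically."""
    return sorted(s.name for s in systems if criticality(s) >= CROWN_JEWEL_THRESHOLD)


def audit_plan(systems: list, cycle_years: int = 3, per_year: int = 2) -> dict:
    """Spread the inventory over a multi-year cycle, most critical systems first.

    Systems are ranked by criticality (ties broken by name for determinism);
    the highest-ranked fill year 1, then year 2, and so on. Anything left over
    after cycle_years * per_year slots is reported under 'unscheduled'.
    """
    ranked = sorted(systems, key=lambda s: (-criticality(s), s.name))
    plan = {year: [] for year in range(1, cycle_years + 1)}
    plan["unscheduled"] = []
    for index, system in enumerate(ranked):
        year = index // per_year + 1
        plan[year if year <= cycle_years else "unscheduled"].append(system.name)
    return plan


def skills_gap(systems: list, in_house: set) -> set:
    """Technical areas on the inventory that nobody on the audit team covers."""
    needed = {area for s in systems for area in s.technical_areas}
    return needed - in_house


# Constructed sample inventory for a small organisation (illustrative, not real systems).
INVENTORY = [
    System("ERP accounting", "Finance", {"financial": "severe", "regulatory": "high"},
           transactional=True, technical_areas=("SAP authorisations", "interface controls")),
    System("Payroll", "HR", {"financial": "high", "legal": "high"},
           holds_personal_data=True, transactional=True),
    System("Corporate website", "Corporate Comms", {"reputational": "high"},
           public_content=True, technical_areas=("network security",)),
    System("Online shop", "Sales", {"financial": "moderate", "reputational": "high"},
           public_content=True, holds_personal_data=True, transactional=True,
           technical_areas=("network security",)),
    System("Room booking", "Facilities", {"financial": "low"}),
]

if __name__ == "__main__":
    for s in sorted(INVENTORY, key=lambda s: (-criticality(s), s.name)):
        print(f"{s.name:18} owner={s.owner:16} criticality={criticality(s)} focus={cia_focus(s)}")
    print("crown jewels:", crown_jewels(INVENTORY))
    print("plan:", audit_plan(INVENTORY))
    print("need outside help with:", skills_gap(INVENTORY, {"IT governance", "ITGC"}))
```

With the sample inventory, the ERP and the three systems rated "high" on at least one dimension come out as crown jewels and fill years 1 and 2 of the cycle; the room booking system lands in year 3. The `skills_gap` output is the list to take to the CIO when deciding what to outsource or staff with guest auditors.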

   
4. Start with the basics
 

If this is your first IT audit, start with a review of the IT general controls (ITGC). IIA Global publishes Global Technology Audit Guides (GTAGs) that cover the various areas of ITGC. Read them, and begin with a review of IT governance.

 

The first hurdle is usually the hardest to cross. Take that first step, connect with others in the internal audit community to share your experience, and learn along the way.

 

 

Norman Kuik is an internal auditor at the Economic Development Board and a Governor of The Institute of Internal Auditors Singapore.


 

The Institute of Internal Auditors Singapore blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors Singapore and its committees and from opinions endorsed by the bloggers’ employers.