IT Auditing For Everyone

The first step is essentially a stocktaking exercise. Obtain a comprehensive inventory of all IT systems used in the organisation and identify everything - from the accounting system to the room booking system. If your IT department does not maintain such an inventory, you’ll need to learn what systems the various business units are using in their everyday work (e.g., how does the Finance department process a supplier invoice and make payment? How does the HR department process and disburse payroll each month? How does the Sales department receive and process a customer order?).

1. Assess and rate the criticality of each system on your inventory. In other words, how important is this system to the organisation? Perform a business impact analysis to assess the potential impact (in terms of financial, reputational, regulatory, legal/contractual, life/safety of people, etc) resulting from a disruption of the system.

2. Identify data security requirements for each system. This will help you understand how data that is stored in each system ought to be safeguarded. You can use the CIA Security Triad – namely, Data Confidentiality, Integrity and Availability. As an illustration, let's suppose you have identified the corporate website as critical due to the reputational impact. You will want to be more concerned with inaccurate web contents (data integrity issues) arising from website defacement attacks or poor content management, and less concerned about who has accessed the website. On the other hand, if the website is also used for online transactions, you will then include your areas of concern to cover data confidentiality (to protect customer's privacy) and availability (to ensure that you are receiving the customer’s order).

Not all areas of IT can be reviewed in one audit cycle, hence you need to have a 3-5 year plan. Identify the more technical areas (e.g., interface controls, network security, SAP authorisations, etc), and find ways to get help, either through outsourcing or by bringing in guest auditors who possess the relevant competencies. Organise your IT audit plan to focus on the more critical systems - the crown jewels. Discuss the plan with the CIO and system/data owners, while running through your risk assessments to get their views.

If this is your first IT audit, start with a review of the IT general controls (ITGC). IIA Global has Global Technology Audit Guides (GTAG) which cover various areas of ITGC. Have a read and start with a review of the IT governance.