IT auditors often find themselves explaining to the business community how their work adds value to the organization. Internal audit departments generally have an IT audit component whose role in the organization is clearly defined. However, in our experience as IT auditors, the broader business community needs to understand the IT audit function in order to realize its maximum benefit. In this context, we present a brief overview of the specific benefits and added value of IT audit.
Specifically, IT audits can cover a wide range of IT processing and communication infrastructure, such as client-server systems and networks, operating systems, security systems, software applications, web services, databases, telecommunications infrastructure, change management procedures, and disaster recovery planning.
A standard audit begins with the identification of risks, proceeds to the evaluation of the design of the controls, and concludes with the examination of the effectiveness of those controls. Professional auditors can add value at every stage of the audit.
Companies usually maintain an IT audit function to ensure that technology controls are in place and that federal or industry standards are complied with. As investment in technology increases, IT auditing can give assurance that risks are controlled and that large losses are unlikely. The organization may also have identified a risk of major loss, a security threat, or a vulnerability. There may also be regulatory requirements, such as the Sarbanes-Oxley Act, or industry-specific requirements.
Below are five key areas where IT auditors can add value to the organization. Of course, the quality and depth of the technical audit is a prerequisite for adding value. The planned scope of the audit is also critical to added value. Without a clear mandate stating which business processes and risks are being audited, it is difficult to ensure success or added value.
So here are the five best ways in which IT audit adds value:
1. Reduce risk. The design and implementation of an IT audit involves identifying and evaluating the IT risks within an organization.
IT audits typically cover risks related to the confidentiality, integrity and availability of IT infrastructure and processes. Other risks include IT effectiveness, efficiency, and reliability.
Once the risks have been assessed, there is a clear picture of what steps need to be taken: reduce or mitigate the risks through controls, transfer the risk, or simply accept the risk as part of the operating environment.
The critical concept is that IT risk is a business risk. A threat to, or vulnerability in, critical IT operations can have a direct impact on the business as a whole. In short, the organization should know where the risks are and then do something about them.
See ISACA's COBIT and Risk IT frameworks and ISO/IEC 27002, 'Code of Practice for Information Security Management'.
2. Strengthen controls (and improve security). After assessing the risks as described above, the controls can be identified and evaluated. Poorly designed or ineffective controls can be redesigned and/or strengthened.
The COBIT framework for IT controls is particularly useful here. It consists of four high-level domains covering 32 control processes that are useful for reducing risk. The COBIT framework covers all aspects of information security, including control objectives, key performance indicators, key goal indicators, and critical success factors.
Auditors can use COBIT to evaluate the organization's controls and formulate recommendations that bring real value to the IT environment and to the organization as a whole.
Another control framework is the Internal Control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). IT auditors may use this framework to provide assurance of (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting, and (3) compliance with applicable laws and regulations. The framework consists of five components that relate directly to controls, including the control environment and control activities.
3. Comply with regulations. Wide-ranging regulation at the federal and state level includes specific requirements for information security. The IT auditor performs a critical function in ensuring that those specific requirements are met, that the risks are assessed, and that the controls are tested.
The Sarbanes-Oxley Act (Corporate and Criminal Fraud Accountability Act) contains provisions requiring all public companies to ensure that their internal controls are adequate as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework discussed above. The IT auditor ensures that such requirements are met.
The Health Insurance Portability and Accountability Act (HIPAA) has three categories of IT requirements: administrative, technical, and physical safeguards. The IT auditor plays a key role in ensuring compliance with these requirements.
Various industries have additional requirements, such as the credit card industry's Payment Card Industry Data Security Standard (Visa and MasterCard).
The IT auditor plays a central role in all of these compliance and regulatory areas, and the organization must ensure that all requirements are met.
4. Facilitate communication between business and technology management. An audit can have a positive effect in opening communication channels between the organization's business and technology management. The auditor interviews, observes, and tests what actually happens in practice. The final results of the audit are valuable information delivered in written reports and oral presentations. Top management gets direct feedback on how the organization is operating.
Technologists in the organization should also be aware of the expectations and goals of senior management. The auditors help communicate these from the top down, through participation in meetings with technology management and review of the current implementation of policies, standards and guidelines.
It is important to understand that IT auditing is a key element of the management of technology. The organization's technology supports its business strategy, functions and operations. Aligning the business with its supporting technologies is critical, and IT audit contributes to this alignment.
5. Improve IT governance. The IT Governance Institute (ITGI) has published the following definition:
'IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives.'
The leadership, organizational structures and processes mentioned in the definition are of key concern to the IT auditor. Central to both IT audit and IT governance is a strong understanding of the value, risks and controls inherent in the organization's technology environment. Specifically, IT auditors review the value, risks and controls of the key components of technology: applications, information, infrastructure, and people.
Another perspective on IT governance consists of a framework of four main objectives, which are also covered in the IT Governance Institute's documentation:
* IT is aligned with the business
* IT enables the business and maximizes benefits
* IT resources are used responsibly
* IT risks are managed appropriately
IT auditors help ensure that each objective is met. Each objective is critical to the organization and is therefore critical to the IT audit function.
In summary, IT audit adds value by reducing risks, strengthening controls and improving security, ensuring compliance with regulations, facilitating communication between technology and business management and, finally, improving IT governance.
ISACA. Control Objectives for Information and Related Technologies (COBIT).
ISO/IEC 27002. Code of Practice for Information Security Management.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control framework.