IS Audit and Advisory Services
An IT audit can be defined as any audit that encompasses review and evaluation of automated information processing systems, related non-automated processes and the interfaces among them.
Objective of an IT audit
Most often, IT audit objectives concentrate on substantiating that the internal controls exist and are functioning as expected to minimize business risk. These audit objectives include assuring compliance with legal and regulatory requirements, as well as the confidentiality, integrity, and availability (CIA – no not the federal agency, but information security) of information systems and data.
Evaluate the systems and processes in place that secure company data.
Determine risks to a company’s information assets, and help identify methods to minimize those risks.
Ensure information management processes are in compliance with IT-specific laws, policies and standards.
Determine inefficiencies in IT systems and associated management.
Review Tasks during IT audit
- Review IT organizational structure
- Review IT policies and procedures
- Review IT standards
- Review IT documentation
- Review the organization’s BIA
- Interview the appropriate personnel
- Observe the processes and employee performance
- Examination, which incorporates by necessity, the testing of controls, and therefore includes the results of the tests.
The audit deliverable
So what’s included in the audit documentation and what does the IT auditor need to do once their audit is finished. Here’s the laundry list of what should be included in your audit documentation:
- Planning and preparation of the audit scope and objectives
- Description and/or walkthroughs on the scoped audit area
- Audit program
- Audit steps performed and audit evidence gathered
- Whether services of other auditors and experts were used and their contributions
- Audit findings, conclusions and recommendations
- Audit documentation relation with document identification and dates (your cross-reference of evidence to audit step)
- A copy of the report issued as a result of the audit work
- Evidence of Audit supervisory review.