The ins and outs of auditing
The information system audit is growing in importance as organisations seek to assess the effectiveness of their IT systems
Auditing forms a vital part of good corporate governance, whether financial audit or otherwise, in helping an organisation to assure that its processes are designed and operating in line with policies and regulations, thus achieving its objectives.
For IT departments, the information system audit is growing in importance as a mean to assess the effectiveness of IT systems along with the relevant procedures in place for achieving and monitoring compliance against policies and regulations. Information system audits assess as well whether the executed controls’ design is sufficient to mitigate an intended risk or objective.
Information security body ISACA defines the term “auditing” as a systematic process by which a qualified, competent independent team or person objectively obtains and evaluates evidences regarding assertions about a process for the purpose of forming an opinion about and reporting the degree to which assertion is implemented.
The definition of an information system audit
According to ISACA’s definition, the information system audit, or IS audit, plays a key role in evaluating the controls surrounding the information systems and related resources, through collecting and evaluating evidences to determine the adequacy or lack of controls in safeguarding assets, maintaining data and system integrity and availability, providing relevant and reliable information, achieving organisational goals effectively, consuming resources efficiently and effectively, and to provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented or detected and corrected in a timely manner. Following this definition, IS controls can be translated from policies, procedures and practices, which are established by management to provide reasonable assurance that the objectives will be achieved.
Information system control areas
Controls related to IS audit can be broadly considered in four main areas. Each of these areas should be evaluated in order for the organisation to be confident that the IT environment, under audit, is operating in a secured manner. However, each audit assignment may vary in the depth of inspection for each. Those areas are as follows:
IT governance: The objective of this control is to gain an overall impression on the controls surrounding the information systems within the environment in order to provide assurance of leadership, organisational structure and processes existence. A set of areas should be taken into account while auditing this control such as information security framework and structure, IT strategy, organisational structure, policies and procedures; including information security policies, IT contracting strategies, IT control monitoring, risk management plans and business continuity plans.
Change management: The objective of this control is to provide an appropriate degree of assurance over the changes implemented on the information systems. Change management processes and policies, project management practices, acquisition policies, help desk support, incident handling, system development practices, release management and problem management should be addressed to ensure that the control is effective. It should be noted that this control is not limited to software changes alone where it addresses hardware changes as well.
Access security: The objective of this control is to verify the key components which affect the confidentiality, integrity and availability of information systems. Areas such as design and monitoring of data classification, segregation of duties, security awareness programs, and user access management — including user registration and de-registration, user access provisioning, management of access rights, management of secret authentication information of users, review of user access rights, logging and monitoring, removal or adjustment of access rights and data center access — should be addressed to provide a sufficient degree of assurance on this control.