How to conduct an IT audit properly?
By Glib Paharenko on Tue Aug 04 2020
IT audit is not a simple subject. Consider two main questions:
- How to measure IT audit performance?
- How to prove the value of IT audit to the business?
There are many cases where shareholders, the board and top management do not trust the value of the audit and do not invest their resources in audit engagements. To tell the truth, only after a long period of time does a business get used to the audit and slowly start to understand its benefits. But you can speed up the process with our set of "steroids" for IT audits.
Define the proper type of the audit
For the shareholders and the board, the most value is delivered by external and internal IT audits. You are very lucky if your business has been audited in different areas from its earliest years. If not, the board and shareholders should identify the real risks and problems in the business that the audits can highlight. The key performance indicators and bonuses of top management should also be linked to the audit results. And be ready to change auditors regularly: this reduces the risk of collusion between management and auditors.
Do not underestimate the importance of self-audits
External and internal audits provide the highest assurance, but they can never raise awareness of IT risks the way self-audits can. The COSO framework describes three lines of control:
- Line business units
- Risks, Infosec, Quality, Financial controlling, etc.
- Internal audit
The most important line is the first, as business unit managers are primarily responsible for executing controls and eliminating risks. ISO 27001 states that without a mature awareness program you cannot expect a good management system. Self-auditing engages the minds of line managers and focuses them on identifying and solving problems that would otherwise be neglected. Self-audits also reduce the time, effort and cost of internal and external audits, so practicing them pays off twice.
Follow the standards
An IT audit can be successful in the long run only if it follows the best industry practices. One fault in the report can break trust in the audit for many years, and you cannot accept such a risk. Assurance about the audit can be achieved with the following frameworks:
- IT Assurance Framework (ITAF) from ISACA (the leader in IT audits)
- International Professional Practices Framework (IPPF) from the Institute of Internal Auditors
- ISACA audit programs
- IIA Global Technology Audit Guides (GTAGs)
These publications are especially helpful when you are going to set up the audit unit, set audit criteria, involve external experts, create the report or follow up on the recommendations.
Hopefully you now see how important the audit is and understand that it should be set up properly. Our team of professionals can assist you with any kind of IT audit as well as with setting up the internal audit function. Contact our sales team to learn more and discuss the details of a potential project.