Performing an IT Audit
by Faulkner Staff

Docid: 00021004

Publication Date: 2109

Report Type: TUTORIAL

Preview

As IT grows more mission critical in all types of enterprises, the need
has arisen to scrutinize technology management like a core business
function. This scrutiny is often exercised through a formal process called
an “IT audit.” But an IT audit is difficult to perform, so enterprises
must understand the process well and learn how to adapt it to their own
business environment.

An IT audit is a formal, comprehensive assessment of an organization’s
use of technology.

The audit examines the technology itself and the processes being used to
monitor and manage it. Today’s technology environments — which
commonly include mobile devices, cloud technology, and multiple platforms
— are often too complex to evaluate using simple monitoring tools and
other mechanisms that were once sufficient for such oversight. Instead,
many organizations have begun exercising corporate-level governance over
technology to ensure that their business needs are being met and that they
are not overlooking risks to their finances or operations.

Unlike financial audits, the results of an IT audit are not legally
binding. Instead, companies perform audits on their own (or with the help
of an outside firm). This means that organizations must shoulder much of
the burden of planning the audits to ensure that they do not miss anything
and that all departments are in alignment with the organization’s
particular business needs and technology environment. There is,
however, some help available from management consulting firms who perform
audits for clients and from well-structured IT frameworks and
certifications.

Ultimately, an audit should lead to action. The process is not simply
about collecting data. Instead, it aims to change technology and processes
that are creating risks or performing poorly. An audit team must therefore
define processes for how to respond when problems are found. Audits are
also a mechanism to help IT departments expand their role from merely
ensuring the availability and security of computers to ensuring the
performance of a company’s core business and financial operations, a shift
that has been taking place for the past several years.

Description

An IT audit is a systematic analysis of an organization’s technology and
how well it is supporting business goals. The word “audit” is borrowed
from accounting to suggest that the process is rigorous and comprehensive,
but the analogy extends only so far. Financial audits have the force of
law and are based on clear, widely acknowledged standards. IT audits, on
the other hand, help organizations to assess their own operations, and
thus are not legally binding. Audits can try to improve an
organization’s use of technology in terms of any or all of the following
metrics:

  • Performance
  • Security
  • Cost effectiveness
  • Regulatory compliance
  • Energy efficiency
  • Support of strategic goals
  • Features and functionality
  • Reliability
  • Downtime
  • Incident response time
  • Incident resolution time
  • Bandwidth utilization
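
To turn metrics such as downtime, incident response time and incident resolution time into audit evidence, an auditor typically exports incident tickets and outage records and computes the figures from their timestamps. The following Python is an added example written for this tutorial, not code from the Faulkner report; the ticket layout, the response-time targets and the sample records are constructed for illustration. It computes mean response and resolution time (overall and per severity), flags tickets that missed the assumed response target, and derives downtime and availability from an outage log clipped to the audit window.

```python
"""Audit KPIs computed from incident tickets and an outage log.

Added example for this tutorial, not code from the Faulkner report. The
ticket fields, the SLA targets and the sample records are assumptions
constructed for illustration.
"""
from datetime import datetime
from statistics import mean

# Constructed export from a ticketing system (ISO 8601 timestamps, UTC).
# INC-1003 is still open, so it contributes a response time but no
# resolution time.
TICKETS = [
    {"id": "INC-1001", "severity": "high",
     "opened": "2021-03-01T08:00:00", "acknowledged": "2021-03-01T08:10:00",
     "resolved": "2021-03-01T09:40:00"},
    {"id": "INC-1002", "severity": "low",
     "opened": "2021-03-02T13:00:00", "acknowledged": "2021-03-02T14:00:00",
     "resolved": "2021-03-03T13:00:00"},
    {"id": "INC-1003", "severity": "high",
     "opened": "2021-03-04T22:00:00", "acknowledged": "2021-03-04T22:05:00",
     "resolved": None},
]

# Constructed outage log for one service, and the seven-day audit window.
OUTAGES = [
    ("2021-03-01T08:00:00", "2021-03-01T09:40:00"),
    ("2021-03-05T01:00:00", "2021-03-05T01:30:00"),
]
WINDOW = ("2021-03-01T00:00:00", "2021-03-08T00:00:00")

# Assumed response-time targets (minutes) per severity, as an audit charter
# might define them.
RESPONSE_SLA_MIN = {"high": 15, "low": 30}


def _ts(text):
    return datetime.fromisoformat(text)


def _minutes(start, end):
    return (_ts(end) - _ts(start)).total_seconds() / 60


def response_times(tickets):
    """Minutes from ticket opened to first acknowledgement, by ticket id."""
    return {t["id"]: _minutes(t["opened"], t["acknowledged"])
            for t in tickets if t.get("acknowledged")}


def resolution_times(tickets):
    """Minutes from ticket opened to resolution; open tickets are skipped."""
    return {t["id"]: _minutes(t["opened"], t["resolved"])
            for t in tickets if t.get("resolved")}


def kpi_summary(tickets, severity=None):
    """Mean response and resolution time, optionally for one severity."""
    subset = [t for t in tickets if severity is None or t["severity"] == severity]
    resp = response_times(subset)
    reso = resolution_times(subset)
    return {
        "tickets": len(subset),
        "unresolved": sum(1 for t in subset if not t.get("resolved")),
        "mean_response_min": round(mean(resp.values()), 1) if resp else None,
        "mean_resolution_min": round(mean(reso.values()), 1) if reso else None,
    }


def sla_breaches(tickets, sla=RESPONSE_SLA_MIN):
    """Ticket ids acknowledged later than the target for their severity."""
    resp = response_times(tickets)
    return sorted(t["id"] for t in tickets
                  if t["id"] in resp and resp[t["id"]] > sla[t["severity"]])


def availability(outages, window):
    """Downtime inside the window and the resulting availability percentage.

    Each outage is clipped to the window so one that straddles the window
    boundary is not over-counted.
    """
    start, end = _ts(window[0]), _ts(window[1])
    total = (end - start).total_seconds()
    down = 0.0
    for o_start, o_end in outages:
        s, e = max(_ts(o_start), start), min(_ts(o_end), end)
        if e > s:
            down += (e - s).total_seconds()
    return {"downtime_min": down / 60,
            "availability_pct": round(100 * (1 - down / total), 3)}


if __name__ == "__main__":
    print(kpi_summary(TICKETS))
    print(kpi_summary(TICKETS, "high"))
    print("SLA breaches:", sla_breaches(TICKETS))
    print(availability(OUTAGES, WINDOW))
```

The per-severity view matters because a single overall mean hides the fact that a low-severity ticket left open for a day and a high-severity ticket answered in five minutes say very different things about the response process; the breach list, not the mean, is what usually becomes an audit finding.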

Some parts of an IT audit relate to the day-to-day management of
technology. For instance, audits will look at device logs and analyze
reports from asset management tools. But other parts of an IT audit
involve processes that extend beyond ordinary network administration, even
beyond IT itself. Table 1 identifies some of the key business functions
covered by an audit and lists some of the key questions that the audit
will seek to answer.

Table 1. The Business Considerations of an IT Audit

Business Function: Procurement Process
Key Questions: Do procurement processes adequately take security into
account? Are approval mechanisms in place to prevent unauthorized
purchases? Are the types of technologies being acquired appropriate given
the corporate mission?

Business Function: Hiring Process for Technical Specialists
Key Questions: How are prospective technical staff members evaluated? Does
the evaluation process align with organizational needs? (For information
about hiring IT auditors, see “IT Auditor Interview Questions” and “CISA
Interview Questions” from the Infosec Institute.1)

Business Function: Regulatory Compliance
Key Questions: Is the organization meeting all regulatory requirements? Do
any processes disregard or threaten the organization’s regulatory needs?

Business Function: Training for IT
Key Questions: Does the IT staff have the skill and background to manage
the current technology infrastructure? Does the training given to IT align
with organizational needs?

Business Function: Training for End Users
Key Questions: Have end users been trained in safe practices, such as
recognizing social engineering attacks and phishing scams? Do end users
know how to report problems?

Current View

Today, there is significant interest in IT auditing across a range of
industries, and although the process has not — and probably will not —
become formally regulated, widely recognized best practices have emerged.

The emergence of professional certifications is one sign that best
practices exist. Certifications do not amount to universal requirements
for how an IT audit must be conducted; unlike a financial audit, an IT
audit can be performed by anyone, certified or not. But the existence of
certifications does show that certain practices are widely recognized as
sound.

One of the most prominent IT audit certifications is ISACA’s Certified
Information Systems Auditor (CISA). It requires that applicants
demonstrate on-the-job experience and pass a test covering the following
main topic areas:

  • The Process of Auditing Information Systems
  • Governance and Management of IT
  • Information Systems Acquisition, Development, and Implementation
  • Information Systems Operations, Maintenance and Support
  • Protection of Information Assets

Another well-regarded certification is the GIAC Systems and Network
Auditor (GSNA). More technology focused than the CISA, the GSNA requires
applicants to demonstrate expertise in the following topics:

  • Auditing Concepts and Methodology
  • Auditing Network Devices and Services 
  • Auditing Unix Systems
  • Auditing Web Systems
  • Web Application Security

Some universities now offer programs that cover IT auditing, either as part
of a formal degree or as continuing education. For example, Temple
University offers an IT auditing track in its business school that allows
students to earn a combined Bachelor’s and Master’s degree within five
years.2 A further sign of standardization in the field is that consulting
firms offer IT auditing as a paid service. These services tend to be
comprehensive and focused on corporate governance. Firms such as Deloitte
and KPMG also provide tax and financial services, so their presence in the
IT auditing market brings systematic, audit-style methods to the process.

There is, furthermore, a great deal of published guidance about
conducting IT audits, much of it in the form of generic checklists and
other templates. Such guidance tends to be incomplete and may be of
questionable validity, but it is evidence of interest in the topic and of
efforts to formalize it.

Outlook

The process of IT auditing is likely destined to become increasingly
formal with a greater number of widely recognized best practices. The
factors that have spurred the development of auditing practices thus far
are not mere trends but are instead the evolution of computer technology
from a specialty function into an indispensable part of almost all
business functions.

In particular, two trends that are already well underway — the growing
importance of IT governance and the increasing complexity of IT
infrastructures — will persist and will thus continue to encourage
organizations to perform IT audits.

The Growing Importance of IT Governance 

Today, almost all business functions in a typical organization depend on
IT. Everything from supply chain management to regulatory compliance, from
decision support to product delivery, relies on tools and processes for
which IT is responsible. The importance of IT has forced
organizations to stop treating it like an issue for a specialty department
and to instead exercise corporate-level governance. Audits are a
fundamental way to exercise such oversight. 

The increased interest in corporate governance extends beyond IT,
covering quality control and other core processes. Therefore, oversight of
IT is becoming more closely linked to the governance of other corporate
activities. “[A]fter years of being perceived mostly as an IT concern,
governance has advanced to a board-level issue,” says a report by the
non-profit industry group ISACA.3 “Among the many
reasons … [are] failure of many tech investments to deliver business
returns, the expanding cyber attack surface accelerated by a proliferation
of connected devices, and intense new focus on regulatory and audit
compliance created by complex new technology challenges.”

As IT’s scope broadens, audits are thus becoming more necessary to
understand and manage the full range of issues and processes involved. The
automated tools IT departments once relied on to monitor activity are
still useful, but human-led processes such as interviews are now also
needed to assess business value, corporate risk, and other concepts that
can’t be reduced to simple algorithms.

The Increasing Complexity of Technology Infrastructures

Organizations manage a much more complicated range of technologies than
they did just a few years ago. In addition to maintaining locally hosted
servers and employee desktops, enterprises now have to oversee the
following:4

  • Smart phones and tablets, including those used as part of
    bring-your-own-device programs
  • Cloud-based applications
  • Wireless networking
  • Mobile apps
  • Voice-over-IP
  • IP-based video surveillance
  • Big data
  • Artificial intelligence and machine learning
  • Blockchain

Collectively, these technologies have made it much harder to perform
oversight with traditional monitoring methods like network management tools.
While such tools remain very useful, they can no longer be the only
mechanism for ensuring that technology is meeting an organization’s needs.
Audits provide the comprehensive oversight that today’s complex
infrastructures demand.

Recommendations

Focus on Business Goals and Metrics

It is important to keep the focus of an audit on business goals.
Business-focused questions that are useful to ask include the following:

  • How do we want employees to communicate?
  • What metrics govern our business decisions (e.g., speed to process an
    invoice)?
  • What security threats do we face?

Increasingly, IT departments are using key performance indicators (KPIs) to
measure a variety of technical and business goals. In keeping with the trend
of IT becoming more closely integrated with core business operations, the
use of KPIs is partly inspired by how finance departments use metrics like
gross profit and earnings before interest and taxes.

There are many KPIs for IT departments to choose from, and often they are
built into IT management software such as ServiceNow.5 But not
all KPIs are useful in every situation or for every organization. And
using too many metrics can create confusion or divert focus from the most
important issues. Also, while most audit teams will standardize their
approach to some extent, it is important to remain flexible and to address
unique circumstances and objectives. Focusing only on pre-defined KPIs can
prevent an audit from identifying unexpected but crucial types of
problems.

Create an Audit Charter

The goals of an audit may seem obvious — to find vulnerabilities and
identify ways to improve the use of technology. But these general goals are
not precise enough to guide an audit. Without more specific direction, an
audit team could venture into many different directions, spending extra
time and resources without accomplishing the goals that are most important
for the organization.

To guard against this problem, an organization can define a charter,
which is a concise statement of an audit’s scope and what metrics it will
use. An audit team can then base its activities on this charter.

Develop a Response Plan

Audits aim not just to provide information but to fix problems. And
audits will often find problems, some of which need to be solved quickly
to eliminate a security hole or a risk to an organization’s business
operations. Given this, IT audit teams need to have policies established
for how to respond to issues they encounter. These policies will answer
questions such as the following:

  • What events trigger an immediate response?
  • How will problems be prioritized (e.g., by severity, by the number of
    systems affected)?
  • Who will determine the correct response to any given type of issue?
  • How will the audit team determine whether a response has fixed a
    problem?

Vulnerabilities that are identified are often eliminated or mitigated by
the use of controls, which are any type of process or mechanism for
helping to deal with security threats. But there are two sides to
implementing a control. “IT auditors should remember and keep in mind that
controls introduce a cost and a benefit,” writes Tommie Singleton in a
publication from ISACA, which maintains the governance standard COBIT.6
He says that:

The cost is almost always in real dollars —
cost of identifying, designing, implementing and managing the control. The
cost can also be an impact cost of inconvenience or operational efficiency
in slowing down a process. Some of the latter is not so much a concrete
observation as it is an understanding of, and taking into account, the
impact of a control. A key for IT auditors has been seeking a balance
between these costs (real/concrete and impact) and benefits. Benefits can
also be real and concrete — understanding the relative difference in
having the control operate effectively and doing without it. That balance
is easier to describe than to discern effectually.7

Apart from the audit process, many organizations have policies and
procedures for managing changes and corrective actions. Instead of
creating a different set of policies and procedures for audits, audit
teams can use the organization’s standard approach to correcting problems
and managing changes.

Maintain Data Confidentiality

To be comprehensive, an audit needs to peer into many data sources that
contain sensitive corporate information. But audit results are typically
analyzed by a team that includes a diverse range of people from a variety
of departments. As a result, audits are faced with the challenge of
ensuring that all relevant data is fully scrutinized while maintaining
confidentiality.

When an audit plan is being developed, it is helpful to identify the
access policies that apply to each piece of data that will be
analyzed. In a typical organization, there will be a variety of data types
and a complex set of requirements for how they must be handled. These
demands can include laws, regulations, contracts with partners, and
corporate policies. To comply with these requirements, only certain
auditors may be authorized to look at particular data.

The process of recording data also presents security risks. Typically,
audits collect raw data as evidence and then summarize findings in text
documents. Raw data and summary documents contain confidential
information, so they themselves must be protected according to the
organization’s policies.
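
One way to make these handling rules concrete, as an added example that is not taken from the Faulkner report: keep a register of the raw evidence that records a classification and a SHA-256 digest for each item, and let a written access policy decide which team members may open which items. The classification labels, the role-to-classification policy and the sample evidence below are assumptions. The digest goes slightly beyond the passage, which is about confidentiality; it is included because an audit team also needs to show later that a summarized finding rests on unaltered raw data.

```python
"""Evidence register with per-item handling classification and digest.

Added example for this tutorial, not code from the Faulkner report. The
classification labels, the access policy and the sample evidence are
assumptions constructed for illustration.
"""
import hashlib

# Assumed handling policy: which audit roles may open evidence of each
# classification. Derive the real table from the laws, contracts and
# corporate policies that apply to each data source.
ACCESS_POLICY = {
    "internal":     {"lead_auditor", "it_auditor", "business_reviewer"},
    "confidential": {"lead_auditor", "it_auditor"},
    "restricted":   {"lead_auditor"},   # e.g. regulated personal data
}

# Constructed raw evidence: (name, classification, bytes as collected).
EVIDENCE = [
    ("fw-config.txt", "confidential",
     b"permit tcp any any eq 443\ndeny ip any any\n"),
    ("hr-export.csv", "restricted",
     b"id,name,salary\n1,A. Example,0\n"),
    ("asset-report.txt", "internal",
     b"42 laptops, 3 switches, 1 firewall\n"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_register(evidence):
    """Record classification and digest for each collected item."""
    return {name: {"classification": cls, "sha256": sha256_hex(data)}
            for name, cls, data in evidence}


def may_access(role, classification, policy=ACCESS_POLICY):
    """True if the policy clears this role for this classification.

    Unknown classifications are denied rather than allowed by default.
    """
    return role in policy.get(classification, set())


def visible_items(role, register, policy=ACCESS_POLICY):
    """Names of evidence items a given team member is cleared to open."""
    return sorted(name for name, meta in register.items()
                  if may_access(role, meta["classification"], policy))


def verify(register, evidence):
    """Names whose current bytes no longer match the registered digest,
    including items that have gone missing since collection."""
    current = {name: sha256_hex(data) for name, _, data in evidence}
    return sorted(name for name, meta in register.items()
                  if current.get(name) != meta["sha256"])


if __name__ == "__main__":
    register = build_register(EVIDENCE)
    for role in ("lead_auditor", "it_auditor", "business_reviewer"):
        print(role, "->", visible_items(role, register))
    print("altered:", verify(register, EVIDENCE))
```

The register itself is a summary document in the sense used above and contains the classification of every item, so it must be stored under the same controls as the most sensitive evidence it describes.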

Consider Using a Framework

Basing an audit approach on a widely recognized framework like COBIT,
COSO, ISO 38500, or ITIL can give an audit structure. This is especially
beneficial for organizations that must meet regulatory demands or other
third-party requirements. But even when a framework is used, there is a
significant amount of customization required.

The use of a framework will push organizations to audit more broadly and
with more of a business focus, as standards such as ISO 27001 have moved
in this direction in recent years. In particular, the perspective of IT
may be broadened to encompass two practices that overlap with, but aren’t
identical to, cyber security:

  • Information Security — Information security covers not only digital
    files but also paper records, verbal disclosures, and other ways data is
    stored and shared. The broader practice of information security covers
    regulatory, financial, and other business risks, not simply IT threats.8 
  • Risk-Based Thinking — Whereas IT security focuses on stopping threats,
    risk-based thinking considers both threats and opportunities, weighing
    the two against each other to make decisions. For example, installing an
    application that stores critical healthcare data creates the risk that
    the data will be breached, raising legal and regulatory concerns. But
    using the application might be helpful to an organization’s business.
    This balanced view of risk assessment is the approach required by, for
    example, the newest version of the ISO 27001 standard.

An alternative (or complement) to using a structured framework is employing
a concept such as agile auditing. Similar to agile software development,
agile aims to make work flexible and responsive to feedback and empirical
evidence. In place of extensive upfront planning and highly structured
methods, agile substitutes an adaptable focus on issues that are identified
as carrying the most risk.9

Consulting company Protiviti notes that this similarity to agile software
development can be leveraged when introducing agile auditing.10 A software
development department that already works in an agile way is a natural
place to begin: agile practices are more easily applied to auditing such a
department than to a function like, in Protiviti’s example, finance, which
is itself unlikely to use such flexible approaches.11

Adapt to Changes in IT

IT environments and processes evolve, pressuring audit teams to keep
pace. To adapt, audit teams may need to make changes or additions to the
following:

  • Evaluation processes — The performance and security of new technologies
    cannot necessarily be evaluated with the same methods used to assess
    other technologies. Audit teams, therefore, may need to research
    industry standard practices for evaluating new types of assets.
  • Audit personnel — Audit team members aren’t expected to be experts in
    the technologies they evaluate, but having a basic background in
    concepts is helpful. Teams may sometimes need to add members to evaluate
    certain technologies (or give new training to existing members).
  • Scope — The assets and issues that fall under the domain of IT often
    expand, as more processes become digitized and as more business
    executive-level functions (such as legal or regulatory compliance) get a
    voice in IT decisions. Audit teams thus need to routinely consider the scope
    of their evaluations to ensure that they are evaluating all relevant
    functions.
  • Reporting practices — IT audits gather significant amounts of data that
    might only be of use to technical personnel, but they also analyze and
    summarize findings for non-technical departments within an organization.
    The type of summary and its presentation must meet the needs of other
    departments, and these needs may change over time, pressuring audit
    teams to regularly adjust their reporting practices. For example,
    describing changes in how risk management analyses are being reported,
    KPMG says that “[r]isk functions are moving toward a quantifiable view
    of risk to guide the organization’s risk and control investments in
    areas of highest return in terms of reducing exposure. IT Internal Audit
    should follow suit to make their recommendations more impactful.”12

Some of the changes to which teams will be adapting now or soon include:

  • Resilience — Regulations and IT best practices are increasingly
    emphasizing the concept of “operational resilience.” Audit teams will
    need to establish a definition of this concept and identify metrics for
    measuring it.13
  • Cloud governance — Regulators and publishers of best practices are also
    pushing the notion of “cloud governance.” Governance is not simply IT
    monitoring and management but a broader, executive-level form of
    oversight and planning.14
  • Third parties — IT audit programs sometimes begin by focusing on
    internal processes, but an organization’s security also depends on its
    work with third parties, from individual contractors to large suppliers
    and other partners.15
  • Remote working — The COVID-19 pandemic greatly expanded the practice of
    remote working, but the trend began years earlier. An IT audit can
    evaluate not just the practice’s security implications but also its
    impact on productivity and other issues.16

References

1 See: “IT Auditor Interview Questions.” Infosec Institute. October 19,
2017; and Tyra Appleby. “CISA Interview Questions.” Infosec Institute.
July 11, 2019.

2 “IT Auditing and Cyber Security.” Temple University Fox School of
Business.

3 “Better Tech Governance Is Better for Business.” ISACA. 2017.

4 The final three items on this list were suggested by Todd Weinman. “IT
Audit in 2019: Hot Topics and Trends.” ISACA.

5 “Benchmark KPIs.” ServiceNow. July 26, 2018.

6 Tommie Singleton. “IS Audit Basics: The Core of IT Auditing.” ISACA.
2014.

7 Ibid.

8 Dave Venable. “Information Security Is Not Information Technology.” IDG.
September 14, 2017.

9 “Internal Audit Insights 2019.” Deloitte. 2019.

10 “Embracing the Next Generation of Internal Auditing.” Protiviti. 2019.

11 Ibid.

12 “IT Internal Audit — Planning for 2021: Key Domains and Risks to Focus
on Now.” KPMG. 2021.

13 “Confronting Uncertainty: 2021 Hot Topics for IT Internal Audit in
Financial Services — An Internal Audit Viewpoint.” Deloitte. 2020.

14 Ibid.

15 “IT Internal Audit — Planning for 2021: Key Domains and Risks to Focus
on Now.” KPMG. 2021.

16 Gartner Audit Leadership Council. “2021 Audit Plan Hot Spots Report.”
Gartner. 2020.
