IT audit deals with the review and evaluation of information processing systems, the related non-automated processes and the interfaces between them. It involves, first, gathering information and planning, and secondly, understanding the existing internal controls. As organizations today are moving towards a risk-based audit approach, an auditor has to assess risks through an audit plan and decide what may go wrong and allow the organization's security to be penetrated at different levels. It involves:
- Review IT organizational structures.
- Review IT policies & procedures.
- Review IT standards.
- Review IT documentation.
- Review organization’s BIA (Business Impact Analysis).
Typically, an auditor has to review two types of controls:
- General controls.
- Application controls.
General controls
These deal with areas including IT infrastructure and support services, viz. internal accounting controls, operational controls, the organization's security policies, and the physical and logical security of all data centres.
Application controls
These controls deal with the transactions and data relating to each computer-based application system, ensuring the completeness and accuracy of records and the validity of entries made. They oversee the input, processing and output functions of data.
IT auditor tasks include:
- Review the flow of transactions through application systems.
- Identify application control strengths and weaknesses.
- Develop testing strategies.
- Test controls to ensure their effectiveness.
- Evaluate test results and determine whether the objectives were achieved.
An auditor must also consider the effectiveness of the COSO system's operation within the organization, the components of which are as follows:
- Control Environment: It refers to integrity and ethical values among personnel, placing the right competence in the right place, a clear understanding of rights and responsibilities, and proper utilization of human resources.
- Risk Assessment: It involves management performing techniques to identify risks, analyse them and manage change.
- Control Activities: It involves adherence to the laid-down policies and procedures, improving security, and enabling business continuity planning or data backups at regular intervals.
- Information & Technology: It involves relevant, quality information being shared among personnel and departments.
- Monitoring: It includes evaluating identified risks, reporting deficiencies and taking appropriate actions.
Business Continuity Planning Audit
An auditor also performs a BCP (Business Continuity Plan) audit, the objective of which is to minimize or limit downtime when interruptions occur due to system failures, safeguard personnel at times of disaster, minimize financial losses and restore critical business functions. It helps in disaster recovery. As threats due to technology and natural disasters are increasing day by day, a BCP audit is becoming necessary for organizations.
The steps to initiate a BCP audit are as follows:
- Prepare an audit plan including scope, approach and schedule.
- Evaluate information, viz. disaster recovery plans, the BIA and risk assessments.
- Gather proper documentation/audit papers to validate preliminary findings.
- Establish business continuity metrics through work papers.
- Conduct business continuity audit interviews with relevant personnel across the organization.
- Draft an audit opinion report and discuss it with stakeholders in the organization.
- Complete a final audit report and communicate findings to relevant personnel.
- Formulate an action plan and define a time frame to address the findings on the BCP.
- Ensure that the action plan is implemented within the defined time frame.
- Schedule next BCP audit.
This content is meant for information only and should not be considered as advice or a legal opinion, or otherwise. AKGVG & Associates does not intend to advertise its services through this.
Posted by:
CA Aman Aggarwal
AKGVG & Associates