IT audits are essential for companies large or small in order for you to identify what you have in place, why, and also to help identify improvements and system vulnerabilities. An information technology audit, or information systems audit, is an examination of the controls within an information technology (IT) infrastructure. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

An IT audit should not be confused with a financial statement audit. While there may be some abstract similarities, a financial audit's primary purpose is to evaluate whether an organization is adhering to standard accounting practices. The primary functions of an IT audit are to evaluate the system's efficiency and security protocols, in particular, to evaluate the organization's ability to protect its information assets and properly dispense information to authorized parties. The IT audit's agenda may be summarized by the following questions:

- Will the organization's computer systems be available for the business at all times when required? (Availability)
- Will the information in the systems be disclosed only to authorized users? (Confidentiality)
- Will the information provided by the system always be accurate, reliable, and timely? (Integrity)

Types of IT audits

Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:

- Technological innovation process audit. The aim of this audit is to construct a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.
- Innovative comparison audit. This audit, as its name implies, means conducting an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
- Technological position audit: This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing", or "emerging".

Others describe the spectrum of IT audits with five categories of audits:

- Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
- Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
- Systems Development: An audit to verify that the systems under development meet the objectives of the organization and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
- Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
- Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.

IT Audit Process

1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5.