Management of IT Auditing John Schultz
- Define IT – What areas should be considered for inclusion in an IT audit plan?
- Evaluate IT-related Risk – Doing so will help ensure that IT audit procedures and resources are focused on the areas that represent the most risk to the organization.
- Define the IT Audit Universe – Defining the IT audit universe will help effectively balance IT audit needs with resource constraints.
- Execute IT Audits – How to execute IT audit procedures and how to understand what standards and frameworks exist in the marketplace that can support required procedures.
- Manage the IT Audit Function – Techniques for maximizing the effectiveness of the IT audit function and managing IT audit resources.
- Address Emerging Issues – IT evolves rapidly. This evolution can introduce significant new risks into an organization.
IT Environment
IT-related Risks
- Availability – when the system is unavailable for use.
- Security – when unauthorized access to systems occurs.
- Integrity – when the data is incomplete or inaccurate.
- Confidentiality – when information is not kept secret.
- Effectiveness – when the system does not deliver an intended or expected function.
- Efficiency – when the systems cause a sub-optimal use of resources.
IT Audit Universe
- Using overly broad definitions for IT audits (e.g. IT general controls) will almost ensure that there will be scope creep in audit procedures.
- The audit universe for the year should touch on all the layers in the IT environment.
- IT audits should be structured in such a way as to provide for effective and logical reporting.
- IT audits should cover the appropriate risks.
Executing IT Audits
Managing the IT Audit Function
Audit Facilitators
- Electronic Work Papers
- Project Management Software
- Flowcharting Software
- Open Issue Tracking Software
- Audit Department Web Site
Audit Accelerators
- Data Analysis Software
- Security Analysis Tools
- Network Analysis Tools
- Hacking Tools
- Application Security Analysis Tools
Emerging Issues
- Wireless Networks
- Mobile Devices
- Interfaces
- Data Management
- Privacy
- Segregation of Duties
- Administrative Access
- Configurable Controls
- Piracy