[section separator="true"]
[section-item 9]
[row]
[column 12]
[toc-this]
Please see also pages on [link title="planning%20an%20IT%20audit" link="%2Faware%2FGAP%2FPages%2FIT-Audit-preparing.aspx" /]
and [link title="performing%20an%20IT%20audit" link="%2Faware%2FGAP%2FPages%2FIT-Audit-executing-reporting.aspx" /]
.
Definitions
IT risks are the risks associated with the adoption, ownership, use, operation, and maintenance of IT systems; they arise from threats that can exploit vulnerabilities in these systems.
IT controls are the policies, procedures, practices, activities, tools, mechanisms, or other techniques used by an entity to manage IT risks, and can be of an administrative, technical, management or legal nature.
IT audit is the examination of IT controls to identify instances of deviation from criteria, including assessing compliance with policies and procedures, laws, regulations, contracts and guidelines, the confidentiality, integrity and availability of data and information and the efficiency and effectiveness of IT operations.
Principles
An experienced IT auditor carries out an initial assessment of IT risks which affect the objectives of the audit. The IT auditor is usually from the IT audit team but can also be an auditor from the chamber who has the appropriate training.
When deciding whether to perform an IT audit, we identify and document all the components of the IT environment, the IT systems and subsystems that affect the area we are auditing, and we evaluate the extent of their impact on the audit objectives.
We gather information about the IT risks relevant to our audit, and the controls established to mitigate them, to obtain an overview of how the auditee manages IT risk and how this can impact the audit.
We assess the IT systems’ importance, complexity and associated risks, and determine which are most critical to the audit.
Based on the outcome, we decide whether to perform an IT audit or a review of the minimum IT controls, assess the level of expertise we will require, and provide this information to the audit team for inclusion in the task plan.
Instructions
The auditee's IT environment
To obtain an [link title="understanding%20of%20the%20audit%20area" link="%2Faware%2FPA%2FPages%2FPlanning%2FUnderstanding-audit-area.aspx" /]
and/or of the [link title="entity%20and%20its%20environment" link="%2Faware%2FGAP%2FPages%2FCA-FA%2FPlanning%2FUnderstanding-entity-and-its-environment.aspx" /]
, identify and document all the components of the IT environment for the auditee’s processes:
- obtain information on the role of IT in the organisation and how it helps the auditee achieve its objectives;
- understand how the IT department and operations are organised and identify key IT roles in the organisation;
- understand where responsibility for managing the IT systems used by the auditee lies;
- identify the key processes, information flows and transaction flows which are relevant to the area being audited; and
- collect information on the key IT controls in place.
IT systems relevant to the audit
To identify the IT systems that impact the audit, and to which extent, consider the following:
- for a financial audit, identify the IT systems involved in preparing the financial statements, especially those used for accounting operations, and which may be associated with a risk of material misstatement. Examples of such systems could include accounting systems, payroll systems, banking/payment systems, business intelligence systems, robotic process automation systems etc.;
- for a compliance audit, identify the IT systems the auditee uses to comply with applicable laws and regulations, policies and procedures. Such systems could include workflow management systems, decision support systems, data collection and data processing systems, reporting systems etc.; and
- for a performance audit, identify the IT systems which are part of the
[link title="internal%20control%20system" link="%2Faware%2FPA%2FPages%2FConcepts%2FInternal-control-performance.aspx" /]
of the auditee with a direct or indirect impact on performance. In addition, consider assessing the impact of the systems on the [link title="reliability%20of%20data" link="%2Faware%2FGAP%2FPages%2FAudit-evidence.aspx" /]
to be used as evidence, understand the relevant dataflows and identify the IT systems involved in the collection, processing, reporting, and dissemination of data.
Consult previous ECA reports, audit programmes, policy scans, subject briefs, internal presentations, information on the auditee that is publicly available, or ask the auditee directly, for example in interviews or by checking the inventory of IT systems.
Assess the impact these systems and sub-systems have on the objective of the audit. For complex systems use the Identification of IT systems tool to document your understanding of each system’s purpose and assess their impact on the audit objective(s). This can help you determine which of the systems to prioritise.
IT risks identified by the auditee
For background information on levels of IT risk associated with IT systems, review the most common IT risks.
Determine whether the auditee systematically identifies, assesses, responds to, and monitors IT risks using processes that are aligned with international standards and best practice such as the [link new-window title="ISO%2FIEC%2027005%20-%20Information%20security%2C%20cybersecurity%20and%20privacy%20protection%20-%20Guidance%20on%20managing%20information%20security%20risks" link="https%3A%2F%2Fwww.iso.org%2Fstandard%2F80585.html" icon="external-link" /]
and the [link new-window title="NIST" link="https%3A%2F%2Fwww.nist.gov%2F" icon="external-link" /]
special publications [link new-window title="SP%20800-30%20Rev.%201%2C%20Guide%20for%20Conducting%20Risk%20Assessments" link="https%3A%2F%2Fcsrc.nist.gov%2Fpubs%2Fsp%2F800%2F30%2Fr1%2Ffinal" icon="external-link" /]
and [link new-window title="SP%20800-39%2C%20Managing%20Information%20Security%20Risk" link="https%3A%2F%2Fcsrc.nist.gov%2Fpubs%2Fsp%2F800%2F39%2Ffinal" icon="external-link" /]
.
If possible, obtain the auditee’s most recent IT risk register and IT security plan.
IT controls in place
Obtain an overview of the IT controls set up and operated to address each of the specific IT risks for the IT system under review.
IT controls can exist at several levels within the auditee:
- IT governance controls: these controls form the IT control environment, setting the tone and culture of IT in the organisation. These controls describe how IT is viewed by, and integrated into the structure and functioning of the auditee’s strategies, policies, procedures, risk assessment, resource management, training, ethics, quality assurance and internal audit.
- General IT controls: controls in place for the auditee’s IT activities, which apply to all IT systems. These provide a reliable environment for IT applications to be developed, operated, managed and maintained, and are embedded within IT processes such as application development, access management, change management as well as safeguards built into routine IT operations such as backup and maintenance of the IT infrastructure.
- Application controls: these are embedded within applications and directly support the processes under review. For example, for a financial reporting application, application controls could include restricting access to specific transactions, preventing unauthorised transactions from being recorded, or reconciliation checks (automated or manual) over the data processed.
ISA 315, Appendix 6: Considerations for Understanding General IT controls provides further details that can be considered.
At a minimum, identify and understand the following categories of controls implemented by the auditee:
- IT governance;
- change management;
- information security;
- business continuity; and
- third-party providers and outsourcing.
[toggles]
[toggle title="Design%20and%20implementation%20of%20IT%20controls"]
To design and implement IT controls, organisations usually follow guidance set in international IT standards, frameworks, and best practice, such as COBIT and ISO/IEC 27002. IT controls can be mapped directly to the 5 components of the [link new-window title="COSO%20Internal%20Control%20%E2%80%93%20Integrated%20Framework" link="https%3A%2F%2Fwww.coso.org%2F" icon="external-link" /]
. IT controls can be implemented as a combination of technical, administrative, and physical controls. For example, a firewall protecting a network from unauthorised access is less effective if the administrator is not adequately trained, the procedures for its configuration and maintenance are unclear or if the firewall is hosted in an area which is prone to flooding. Such cases might create a false sense of security and could result in unidentified IT risks.
Obtain from the auditee any information available on the IT control standards they apply and any recent checks, such as independent IT audit reports, IT quality assurance reports and IT control self-assessments.[/toggle]
[/toggles]
The criticality of the IT system
The criticality of an IT system is the combination of its importance for the audit, its complexity and the potential impact of the IT risks associated with it. The criticality of a given IT system can vary from one audit to another, depending on its importance for the audit objectives and the risks associated with it.
Consider the following:
- state of digitalisation of the auditee: the more the processes depend on IT, the higher the IT risk;
- importance of the IT system to the organisation: the greater the impact of a potential system failure on the organisation overall, the higher the IT risk;
- relevance of the IT system to the audit: if the processes you are auditing are highly automated, this increases the level of IT risk;
- accessibility to the public: systems that are directly reachable from the internet expose a larger attack surface and are more likely to face security risks;
- interfaces with other systems: interfaces and interdependencies with other systems increase the IT risk;
- certifications and accreditations: certified and accredited systems can provide assurance on some elements of IT risk; check the scope, date and validity of the certificate, as it typically covers only the certified components at a given point in time;
- previous IT audits: recent IT audits can provide assurance regarding elements of IT risk; examine carefully the scope of these IT audits to ensure that the relevant areas are covered;
- IT security risk assessments: if a system has recently undergone an IT security risk assessment and its findings are being addressed, this reduces cyber and information security risk; before taking assurance from it, check that the findings have actually been remediated rather than only accepted or scheduled;
- system development: commercial off-the-shelf systems with low customisation levels are typically less risky than systems developed in-house, provided they are kept patched and remain supported by the vendor; heavily customised or unsupported packages lose much of this advantage;
- sensitivity of processes and data: if the system handles sensitive processes and data, it is a more attractive target and the impact of a breach or an integrity failure is greater; and
- emerging technologies: if the system is highly dependent on emerging technologies, that have not been fully evaluated and tested, the risk of the system not performing as expected will increase.
To perform the IT criticality assessment you can use the IT criticality assessment tool to help you quantify the impact of the factors above.
For each IT system under review, conclude on whether:
- it is not critical for achieving the audit objectives or there are no significant IT risks affecting the audit (low criticality);
- several IT risks exist, and IT control failures may affect the audit objective (medium criticality); or
- several significant IT risks exist, the audit is highly dependent on the use of technology, or IT control failures significantly affect the audit objective (high criticality).
Based on the level of criticality of the IT system under review apply the set of minimum IT controls to assess whether there is [link title="sufficient%20and%20reliable%20evidence" link="%2Faware%2FGAP%2FPages%2FAudit-evidence.aspx" /]
on the existence and effectiveness of these controls.
Based on the information you have gathered and the level of criticality of the IT system (low, medium, high) decide together with the audit team and the hierarchy how to address the IT risks. As a guide:
- if the criticality of the system is low or if you have sufficient and reliable evidence on the existence and effectiveness of IT controls, you may decide to not perform any additional procedures;
- if the criticality of the system is low or medium, and you do not have sufficient and reliable evidence on the existence and effectiveness of IT controls, include in the audit a review of minimum IT controls using the minimum IT controls checklist as a baseline; or
- if the criticality of the system is high, or it is medium and the review of minimum IT controls does not provide sufficient and reliable evidence on the existence and effectiveness of IT controls,
[link new-window title="plan" link="%2Faware%2FGAP%2FPages%2FIT-Audit-preparing.aspx" /]
and [link new-window title="perform%20an%20IT%20audit" link="%2Faware%2FGAP%2FPages%2FIT-Audit-executing-reporting.aspx" /]
.
[/toc-this]
[/column]
[/row]
[/section-item]
[section-item 3]
[row]
[column 12]
[panel panel-style="boxed" title="Related%20documents" icon="book" class="ref-panel"]
[standards]
[link new-window title="COSO%20Internal%20Control%20%E2%80%93%20Integrated%20Framework" link="https%3A%2F%2Fwww.coso.org%2F" /]
[link new-window title="COBIT%20framework" link="https%3A%2F%2Fwww.isaca.org%2Fresources%2Fcobit" /]
[/standards]
[/panel]
[/column]
[/row]
[row]
[column 12][/column]
[/row]
[row]
[column 12]
[toc fixed="true" selectors="h2%2Ch3" class="basic-toc" /]
[/column]
[/row]
[/section-item]
[/section]