A step by step Guide for IT Auditing: SOUTECH Web Security- Penetration Testing company in NigeriaEsang U. E
IT audit attempts to evaluate the controls surrounding data as it relates to confidentiality, integrity, and availability. IT audits ensure that confidentiality of information, ensures the integrity and availability which is a key factor to recovering from an incident.
This is a follow up article to on IT audits but I will be dissecting more on the methodologies and steps to performing audits
One of the challenges that audit managements and IT auditing have faced overtime is that it ensures IT audit resources are readily available to conduct IT audits. It audits require a lot of technical skills unlike financial audits, for example, an IT auditor will need a lot of training in web applications in other to audit a web application. Likewise, if they want to an oracle audit, they need to be trained efficiently as well as Windows platforms.
Another problem that audit management faces is in the management of IT auditors, because this because they have to track the timing when compared with the objectives of the audit as well as follow-up time on the measures of corrective actions that the clients take when responding to any previous recommendations and possible findings.
One of the important factors in IT auditing and one in which audit management struggles with consistently, is to ensure that adequate IT audit resources are available to perform the IT audits. Financial audits quite unlike IT audits are very intensive in terms of knowledge, for example, if an IT auditor is performing a Web Application audit, then they need to be trained in web applications; if they are doing an Oracle database audit, they need to be trained in Oracle; if they are doing a Windows operating system audit, they need to have some training in Windows and not just XP, they’ll need exposure to Vista, Windows 7, Server 2003, Server 2008, IIS, SQL-Server, Exchange.
Another factor that audit management faces is the actual management of the IT auditors, for not only must they track time against audit objectives, audit management must allow for time to follow-up on corrective actions taken by the client in response to previous findings and/or recommendations.The following are the things that an IT expert needs to do before beginning an audit;
- Perform a review of the organizational structure of the IT assets
- Perform a review of all IT policies and procedures
- Perform a review of all the IT standards
- Perform a review of the IT documentations
- Perform a review of the organization’s BIA
- Conduct an interview the authorized personnel
- Observe and monitor the processes and the performance of the employees
- Examine the testing of controls, and the results gotten from the tests.
Steps to Perform IT Audits
1. Understand the Audit Subject Area
- Perform a tour of all the facilities related to audit
- Perform a review of the background materials
- Review the IT and business strategic plans
- Conduct an interview for the key managers in order to understand business
- Review audit reports that have been in existence
- Identify regulations and where they have been applied
- Identify the areas that have been outsourced
2. Perform an Audit Engagement Plan Vocabulary
Subject of the Audit: The area that is to be audited. An example is the information systems related to sales
The objective of the Audit: The purpose of performing the audit. An example is determining if the sales database is safe against data breaches, due to inappropriate authentication, access control, or hacking.
Scope of the Audit: Streamlining the audit to a specific system, function, or unit, or period of time. An example is the is determining if the scope is constrained to Headquarters for the last year.
3. Perform Risk Assessment: Risk-Based Auditing
Check Inherent Risk: Determine the susceptibility of the system to a risk. An example is a bank’s inherent risk of being robbed.
Control the risk: If a problem exists that will not be detected by an internal control system. Still using the bank case as an example, if a thief accesses a customer’s account at Money Machine and is not detected
Detection of Risk: An auditor does not detect a problem that does exist. Example as in the case of the bank, if a fraud takes but it is not detected.
Perform an overall risk auditing: Combine all the audit risks.
4. Audit Engagement Risk Analysis
5. Prepare an Audit Engagement Plan
- Develop a risk-based approach
- Include audit objectives, required resources, timing, scope
- Comply with all applicable laws
- Develop an audit program and procedures
6. Add Detail to Plan
7. Evaluate Controls:
8. Classification of IT controls
- Corrective controls: It involves fixing the problems to prevent future problems by using:
- Contingency planning
- Backup procedures
- Detective Controls: These involves finding any form of fraud when it occurs using:
- Hash totals
- Check points
- Duplicate checking
- Error messages
- Past-due account reports
- Review of activity logs
- Preventive Controls: Preventive control measures include:
- Programmed edit checks
- Encryption software
- Access control softwares
- A well-designed set of procedures
- Physical controls
- Employ only qualified personnel
9. Evaluate Controls: Simple Control Matrix
- Test the Vocabulary
Compliance Testing: A compliance test should take this form
- Are there controls in place and are they consistently applied?
- Check access control
- Ensure program change control
- Procedure documentation
- Program documentation
- Software license audits
- System log reviews
- Exception follow-ups
Substantive Testing: Check the following:
- Are transactions processed accurately?
- Is data collected correct and accurate?
- Double check processing
- Calculation validation
- Error checking
- Operational documentation
If the results for the compliance testing are poor, the substantive testing should increase in type and sample number.
Compliance Testing: It should check the following
- Control: Is production software controlled?
- Test: Are production executable files built from production source files?
- Test: Are proper procedures followed in their release?
- Control: Is access to the sales database constrained to Least Privilege?
- Test: Are permissions allocated according to documentation?
- Test: When persons gain access to the database, can they access only what is allowed?
- Audit: Is financial statement section related to sales accurate?
- Test: Track the processing of sample transactions through the system by performing calculations manually
- Test: Test error conditions
- Audit: Is the tape inventory correct?
- Test: Search for sample days and verify complete documentation and tape completeness
Tools for IT Audits
ISACA has Standards and Guidelines related to Audit
- Section 2200 General Standards
- Section 2400 Performance Standards
- Section 2600 Reporting Standards
- Section 3000 IT Assurance Guidelines
- Section 3200 Enterprise Topics
- Section 3400 IT Management Processes
- Section 3600 IT Audit and Assurance Processes
- Section 3800 IT Audit and Assurance Management
- Translate the basic audit objectives into specific IT audit objectives
- Identify and select the best audit approach to verify and test controls
- Identify individuals to interview
- Obtain departmental policies, standards, procedures, guidelines to review
- Develop audit tools and methodology
IT General Controls Check List
1. Documentation of employees and the organization
- Draw an organizational Chart
- IT Department
- Current Phone List/Company Directory
- Job Descriptions for the IT Department
- Sample of Employee Evaluation Form
- List of all the terminations/ disengagements in the last 12 months.
- Checklist of newly hired employees
- Termination Checklist
- IT Project List – Is it being planned, completed in the last 12months on its ongoing?
- Review of the past year’s management response letter
2. Documentation of IT policies and procedures
· Obtain a network architecture diagram and documentation
· Obtain a network diagram
· Obtain a diagram and Lists of hosts and servers that are running financial applications
· Change the management policies and procedures
· Make an inventory of network hardwares and softwares
· Determine the computer operations, its policies and procedures
· Layer down security policies
· Enforce password policies
· Acceptable Use Policy
· Layer down incident response policies
· Get a curriculum for security awareness training
· Configure firewalls and rule sets
· Obtain software policies and procedures
· Setup remote access policies
· Setup policies for emails, instant messaging, internet usage
· Develop a disaster recovery and business contingency plan
· Setup policies for data backup and data recovery
· Get backup logs
· Offsite Tape Rotation Logs
· Obtain a listing of IT related insurance coverage
· Get copies of vendor contracts and service level agreements
· Deploy an organized Help Desk with help desk request tracking forms and trouble tickets
· Report open and closed tickets
· Employ batch processing
When performing an IT audit, the responsibility of the auditor general is to check if the IT system complies with government IT policies, procedures, standards, laws and regulations. Also, the auditor general should endeavor to use IT audit tools, technical guides and recommended resources by ISACA where appropriate. The resources recommended by ISACA (Information systems Audit and control association should encourage IT audit staff and the team as a whole to be certified. Certifications include but a few;
- CISA (Certified Information systems Auditor)
- CIA (Certified Internal Auditor)
- CISM (Certified Information Security Manager)
- CGEIT (Certified in the Governance of Enterprise IT)
The Audit reports
After a successful audit process, the IT auditor needs to do a detailed documentation. Here is a list of a few things an auditor needs to include in the audit.
- Plan and prepare the scope and objectives for the audit
- Describe the scope of the audit area
- Draft and audit program
- Get down the steps performed and gather the audit evidence of the audit
- If the services of other auditors and IT experts were used and what their contributions were.
- Document your findings, make conclusions and recommendations
- Document the audit in relation with document dates and identification
- Report obtained as a result on the audit performed
- An evidence of the review for audit supervisory
The audit results should be submitted to the organization upon exit where you can take out time to discuss in details your findings and recommendations. You should be certain of the following;
- That all the facts and findings noted down on this report are accurate
- That the recommendations you’ve made are cost-effective, more realistic and there are alternatives which should be negotiated with management
- That the dates for the recommended implementation will be agreed.
There are some other things you need to consider when you’re preparing to present your final report. You need to consider the audience and if the presentation is going to be done to the audit committee. The audit committee may not be really notice the minutia that goes into the business report. Your report should be done in a timely manner so as to give way for any form of corrections.
Finally, if you come across a significant finding in the course of the IT audit, you should inform management immediately.
Always subscribe to Soutech Ventures where we can handle all your IT solutions especially in the areas of IT audits.
Also enroll for a cyber security, ethical hacking training at SOUTECH.