IT Audit

An information technology audit is an examination of the checks and balances, or controls, within an information technology (IT) group. An IT audit collects and evaluates "evidence" of an organization's information systems, practices, and operations. The evaluation of this evidence determines whether the information systems are safeguarding the information assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's business goals or objectives.

TSL understands that the primary function of an IT audit is to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties. The IT audit aims to answer the following:

Will the organization's computer systems be available for the business at all times when required? (known as availability)

Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)

Will the information provided by the system always be accurate, reliable, and timely? (known as integrity)

In this way, the audit aims to assess the risks to the company's most valuable asset (its information) and establish methods of minimizing those risks.

Services provided by TSL are:

Operational computer system/network audits: review the controls within and surrounding operational computer systems and networks, at various levels, e.g. network, operating system, layered software, application software, databases, logical/procedural controls, preventive/detective/corrective controls, crypto, logging ...

IT installation audits: take a look at the computer building, suite, room or cupboard, including aspects such as physical security (walls, CCTV, locks, guards, barbed wire, visitor procedures ...), environmental controls (fire and flood protection, power supply, air conditioning), computer and network operations processes and management systems, oh and the IT equipment itself.

Developing systems audits: typically cover either or both of two aspects: (1) project or programme management controls (often, the auditor is the only person with the knowledge, experience and nerve to point out that the average project manager’s progress reporting is “somewhat optimistic” at best); and (2) the specification, development, testing, implementation (installation and configuration) and initial operation of technical and procedural controls, including classical technical information security controls and the related business process controls such as divisions of responsibility.

IT management audits: review the organization, structure, strategy, work planning, resource planning, budgeting, cost controls etc. and, where applicable, relationships with outsourced IT providers (in some cases, these aspects may be audited by operations and financial auditors, leaving the IT auditors to the more technological aspects, although mixed teamworking can be more productive and insightful).

IT process audits: review the processes which take place within the IT department, such as application development, testing, implementation, operations, maintenance, housekeeping (backups, preventive maintenance etc.), support and incident handling.

Change management audits: review the planning and control of changes to systems, networks, applications, processes, facilities etc., including configuration management, control over the promotion of code from development through testing to production, and the management of changes to the organisation as a result of ICT.

Information security & control audits: review controls relating to the confidentiality, integrity and availability of systems and data.

IT legal compliance audits: review legal and regulatory aspects of IT systems (e.g. software copyright compliance, protection of personal data).

Certification and other compliance audits: compliance to information security standards such as ISO27k and industry standards such as PCI-DSS is normally audited by IT auditors working for accredited certification bodies. Formal certification audits typically have strictly defined scopes, but the auditors may be persuaded to open up a little in pre-audits or post-audit drinks at the bar, to find out what they really thought.

Disaster contingency, business continuity planning and IT disaster recovery audits: review arrangements to restore some semblance of normality after a disaster affecting the IT systems, and perhaps assess the organisation’s approach to risk management, reviewing the links between (a) identifying and protecting critical business processes, and (b) securing the supporting IT services, systems, network and processes. These audits may or may not cover the much-neglected but vital issue of resilience, which is of course all about avoiding disastrous outages as far as possible.

IT strategy audits: review various aspects of IT strategy, vision and plans, including their relationship to other strategies, visions and plans, or not as the case may be. Video clips of managers scribbling furiously on whiteboards and waving their hands about are worth a thousand audit words each.

"Special investigations": this is audit-speak for contingency and other unplanned or hush-hush work such as investigating suspected frauds or information security breaches, performing due diligence reviews of IT assets for mergers and acquisitions etc. Oh and Christmas parties.