IT assets have to be protected, as that is where the money lies
for enterprises today. Stepping up information security is only one end of the
spectrum. Evaluating, reviewing and taking stock of the IT assets including
information security assets is the other end that is now gradually gaining
prominence. IT auditing today is as important and critical as any other revenue
audit in an enterprise, as most systems handling businesses are automated. The
risks that existed in earlier non-automated environments have increased with
the introduction of technology, which has brought in its own associated risks.
It's not just security but also the growing awareness of
improving efficiency and performance of the IT infrastructure that is driving
adoption of not only information security auditing but IT auditing as a whole.
Add to this the growing pressure to adhere to regulatory compliance, and it will
not be long before IT auditing becomes a necessity for agile enterprises.
However, the lack of enough qualified professionals to meet the growing demand
could well put a spade in the spindle. As per ISACA, currently there are 1,645
CISAs certified in India and out of this approximately 400 CISAs have been
certified in the country between January and September 2006. While the supply of
certified auditors in the last 2 years has seen a jump, it still hasn't kept
pace with the growing demand. According to SP Shah Singh, director, Trusted Info
Systems, the need for IT auditors far outstrips the supply of qualified
candidates. The uptake of auditing practice by enterprises will, therefore,
depend a lot on how the demand and supply dynamics emerge over the next few
years.
Gaining Prominence
The adoption of IT audit is globally catching up in the enterprise agenda
and is being taken seriously after the Enron and 7/11 disasters. According to
Vinod Sadavarte, CIO, Patni, global IT auditing, including security auditing,
has shown double digit growth in recent years. There is an increased awareness
and adoption in the Indian context too, with the trend gaining momentum in the
last 2 years. According to A Manjunath Babu, chief manager at State Bank of
Mysore's Information Systems Security Cell, banking, financial institutions,
software developers, outsourcing companies and call centers are the industry
segments where we can see increased adoption.
What's driving the rapid adoption is the recognized need for
effective internal controls making good business sense. There is also global
pressure from the US Sarbanes-Oxley Act of 2002 which requires compliance by all
entities quoted on the US Stock Exchanges. It is now mandatory for a given firm
to ensure that its suppliers/vendors adhere to the same, stringent requirements
worldwide.
According to Radhakrishna Pillai, head, IT, SRL Ranbaxy, the
fact that India has more number of US FDA approved pharma manufacturing
facilities outside of the US, itself shows that to take advantage of the global
opportunity Indian enterprises have to create the right atmosphere and a secure
environment. The BPO growth too has made it imperative to have more security.
IT Auditor's Checklist
- ISACA has its CobiT body of knowledge that covers most domains that an auditor should consider in conducting a review. This is much more than a checklist; it is also a well-ordered way of thinking.
- The IT auditor must identify various laws (both local and international depending upon the area or organization that is being audited) that govern the information systems in use. It could be IT Act 2000, Indian Contract Act, Sarbanes-Oxley Act or HIPAA, to name a few.
- They should have appropriate knowledge of the framework, best practices and thorough knowledge of audit tools.
- Knowledge of collecting evidence: reliable evidence (extract, store and present).
- Appropriate sampling method that is to be used depending upon the situation.
- Auditors should give importance not only to maintenance of CIA (confidentiality, integrity and availability) of data but also to issues on the economy, efficiency and effectiveness of IT investment.
- Questionnaires that review the existing Information Security policy, physical security policy, personnel policy, etc. are critical for any auditor.
- Other must-haves for an IT audit are the audit charter, audit plan, auditing tools and reporting templates.
As Ravi Srinivasan, senior VP, Client and Technology Solutions,
OfficeTiger, points out: customers are viewing IT auditing as a critical
precursor to working with any third party. India is a major player in the global
IT service center area and is also a major center for the development of new
software. "Global pressures thus apply to businesses, particularly those in
IT, which are based in India," explains Hugh Parkes of Australia-based
Parkes & Parkes Management Consultants.
According to Arun Gupta, director, P-GIS, BRM–SCANZ, Philips
Electronics India, among the other factors driving adoption, apart from
compliance to local and global legislations, are financial pressures on IT
budgets.
Though auditing was initially driven worldwide by
legislation, with the maturing of standards like ISO 27001 and CobiT there is a
growing trend of using audits to proactively control IT security and use the
benefits as a business differentiator. Periodic IT audits have been recognized
as the most effective method to implement and maintain efficient IT
implementations.
In India the idea of auditing IT for performance and efficiency
was mostly practiced by the Indian divisions of global giants. Today there is a
growing awareness of the kind of benefits that this kind of auditing would
generate. According to Prosenjeet Banerjee, head, Information Security Services,
HCL Comnet: the key advantage for Indian companies with large IT infrastructure
would be the chance to streamline their organically grown IT infrastructure.
As more Indian companies globalize, they will put the focus on
audit of IT and IT security. In a connected economy, it is expected that the
corporate partners are at par with respect to their IT systems as any compromise
may create an adverse impact. Thus, Gupta points out, most multinational
companies have adopted these practices and encourage their Indian partners to do
so too. Over the next 2-3 years it is expected that there will be few
enterprises that will not embrace this.
Why Audit?
IT Auditing is gaining criticality among Indian enterprises. It is common
knowledge that as the use of technology grows, so does the vulnerability. While
well-thought out policies and their stringent implementation can help in
overcoming these vulnerabilities, it needs to be followed by audits. It is
important for Indian enterprises to have sound internal controls so that the
community can have confidence in corporate governance (and IT governance) of the
enterprise. Assessing and advising on the development of effective internal
controls is a key role of IT auditing.
IT and security audits provide a framework and mechanism to
assess the effectiveness of measures implemented in addressing the internal and
external stakeholder expectations in managing IT, explains Sadavarte.
Auditing also becomes critical if an organization wants its IT
function to perform in tandem with the rest of the company. The pace of change
in the IT environment is so fast that without IT auditing, management will find
it difficult to control their IT spending and achieve expected benefits from
their IT investments. "IT/IS security audit is critical not only for
protection of information assets but also for an assurance that risk is managed
and business objectives are achievable," says Ajay Verma, chief information
technology officer at the Punjab National Bank & president of ISACA's
Delhi Chapter.