
IT Audit: That's Where The Money Is!
Continued from page: 1

Shipra Arora
Wednesday, November 08, 2006
The Philips' Example

"The scope of IT audit varies from company to company as experienced by me over the last few years. Within Philips, the scope of IT audit spans SOX, Process Maturity based on COBIT IV, ITIL and ISO 9000:2000. We are audited every year on these aspects and measured on the performance with respect to defined controls. This requires substantial planning and processes that are repeatable with adequate documentary evidence. With the exception of the physical network, every other IT component is auditable and is audited. Over the last one year we have seen improvements in our ratings and are on the threshold of becoming a best practice within Asia."
-Arun Gupta,
director, P-GIS, Philips Electronics India

What it Involves
So, what does this whole tedious process of an IT/IS audit comprise? To understand it, one first needs to understand the objectives behind the two. According to Babu, the main purpose of an IT audit is to review and evaluate an organization's information system availability, confidentiality, and integrity. It can also be described as an examination of the controls within an entity's IT infrastructure. The IT security audit, on the other hand, is a systematic, measurable technical assessment of how the organization's security policy is employed and practiced. "IT audits at a high level need to ensure that appropriate policies and processes are in place to ensure availability, confidentiality and integrity of the organization's IT systems, and that they meet expectations of the internal and external stakeholders," says Sadavarte. Overall, IT audits look at the performance, general direction and synergy of IT with the rest of the organization.

Typically, the aspects of the organization's IT infrastructure that come under the purview of an IT audit include computerized systems and applications, information processing facilities, processes, power and air-conditioning systems, networks, systems development, and the management of IT and enterprise architecture. There are very few businesses today that do not use computers, information and application systems in every activity. Therefore, as Parkes points out, any part of an enterprise's activity can fall under the purview of an enterprise auditor, who should be fully competent and trained as an IT auditor as well as familiar and competent in undertaking IT security work.

According to Verma, at a broader level, an IT/security audit is guided by the business objective. The components of an IT audit include the physical and environmental review, system administration review, application software review, network security review, business continuity review and data integrity review. The physical and environmental review covers physical security, power supply, air conditioning, humidity control and other environmental factors. The system administration review covers the security of the operating systems and database management systems, and all system administration procedures and their compliance. The application software review consists of a review of access control and authorizations, validations, error and exception handling, business process flows within the application software, and the complementary manual controls and procedures.

The security review takes into account the internal and external connections to the system: perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage. The business continuity review checks for the existence and maintenance of fault-tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan. The purpose of the data integrity review is the scrutiny of live data to verify the adequacy of controls and the impact of weaknesses noticed in any of the above reviews. The use of computer-assisted audit techniques has been gaining ground in conducting these reviews.

Audit Challenges
  • Lack of awareness about IT Security and IT audit at all levels.

  • IT Security is always placed last after business preferences and goals.

  • It is thought of as a one-time exercise and not a continuing process.

  • IT Audit is blamed for resource hogging.

  • Ensuring all documentation is available up front and is up to date. The IT administrators will generally not part with the required documents and information easily. If the auditor is not knowledgeable he/she is most likely not going to receive much of the required inputs for conducting an effective audit.

  • Translating audit findings into vulnerabilities and businesses impacts to which operating managers and senior management can relate.

  • Communicating with the executive levels of one's organization in terms they understand and are comfortable with, and persuading them to take necessary actions to safeguard their organization.

According to Shah, the steps in each of these reviews are planning, studying, testing and evaluating controls, reporting, and then follow-up. More comprehensively, the steps involved in an audit are: understanding the organization's business profile; understanding the IT infrastructure; fixing the scope and focus of the audit; planning; building the control matrix; conducting the audit; analyzing the findings; and, finally, following up for compliance and closure.

Addressing Security
Security audit is a big component of the IT auditing exercise. As a stand-alone exercise it can be big enough to encompass the whole organization or be simple enough as a technical audit of critical servers. However, as Verma points out, IT security audit is one of the most integral components of the IT auditing process and has to be taken up in a holistic perspective and its standalone exercise may not justify the audit. "Whatever the size of the exercise, IT security auditing remains a critical management aid in controlling IT risks and ensuring compliance to legislations," opines Banerjee.

Since IT is an integral part of the enterprise, IT security audit too is critical. Security audit focuses on protection of data and a whole lot of controls built around it. Data being the mainstay of the business, its security is imperative.

A security audit covers the organization's risk appetite, what controls are defined and how they are practiced in accordance with the policy. According to Shah, the primary goal of a security audit is to assess the effectiveness of the organization's ability to protect its information assets. This audit covers the various measures a client organization has taken to secure its systems from internal and external intrusions. The recommendations arising out of the review lead to an updated security policy.

There is a questionnaire phase followed by a physical site visit, then interviews with key staff on security and BCP to understand how they think, their level of understanding and their knowledge of the business. "Being prepared with all the documentation ahead of time, including all Information security policy documentation and proof that the existing policies are actually implemented, is what the auditor is typically looking for," explains Srinivasan.

While an IT audit usually covers areas like IT strategy, program development and change control, operations and access control, a security audit is largely a technical assessment of a system or application from the security perspective. In short, explains Sadavarte, IT audits touch upon the business aspect of security at a broader level, whereas security audits delve deep into the technicalities as well.

The Audit Process

The preparation that needs to be made before starting an audit exercise involves collecting background information and assessing the resources and skills required to perform the audit. This leads to allotting the right assignment to the staff with the appropriate skills.

It helps to have a formal audit commencement meeting with the senior management responsible for the area under audit to finalize the scope, understand special concerns, schedule the dates and explain the methodology for the audit. Such meetings get senior management involved, allow people to meet each other, clarify issues and underlying business concerns, and help the audit to be conducted smoothly.

Also, after the audit scrutiny is completed, it is better to communicate the audit findings and suggestions for corrective action to the senior management in a formal meeting, through a presentation. This will ensure better understanding and increase buy-in of audit recommendations. It also gives auditees an opportunity to express their viewpoints on the issues raised. Writing a report after such a meeting where agreements are reached on all audit issues can greatly enhance audit effectiveness.

Checking Effectiveness
Effective and successful IT audits are accurate, consistent and reliable. Needless to say, such an audit can reveal time and money wasted on redundant information sources, as well as detect strengths and weaknesses in the existing information services. So, what makes for an effective and successful audit? First and foremost, it proceeds from clear management direction and requirements. An IT audit that focuses fully on the strategic needs of the business and delivers valuable results to the enterprise is therefore the answer. Getting all of these recognized and in place is hard, but necessary. According to Parkes, in an IT audit it is important to understand where the activity being audited fits within the strategies and structures of the enterprise, as well as to plan what is needed to understand the internal controls.

Furthermore, to achieve effectiveness the auditor must be very clear about the scope of the audit. The findings should be directly relevant to the scope and supported by artifacts. The recommendations too should be clear and bring out the expected benefits. Like any other audit exercise, an IT audit requires independence and an effective reporting system. As IT auditing can be quite technical or process-focused, depending on what is needed, it helps if the auditors are trained in the technical aspects of IT.

The auditor who conducts the audit must understand the business of the organization, its mission, vision and goals. This must be followed by full knowledge of the area s/he is expected to audit. The auditor must be independent in conducting the audit. Next, s/he must understand the organization's risk appetite, conduct the audit with due diligence, and maintain the confidentiality of the findings, evidence, etc. S/he must stay focused on the scope of the audit charter and be responsible while reporting (accuracy and sufficiency of evidence, fair technical assessment, and accountability).

Tools of the Trade
There are a number of tools available to help in IT auditing. A spreadsheet works as a simple aid to audit. Computer Aided Audit Tools (CAATs) can be used to extract, sample and manipulate data. CAATs are used for sophisticated analysis to support business operations beyond accounting and the financial statements. Some of the other emerging tools and techniques include interactive auditing capabilities, predictive audit monitoring, and the use of artificial intelligence (heuristic or neural) capabilities for inferencing and other purposes. In the area of IT security, vulnerability assessment and penetration testing are used to test controls and weaknesses.
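The data integrity review described earlier (scrutiny of live data to verify the adequacy of controls), the control matrix step of the audit, and the CAAT use just mentioned (extract, sample and manipulate data) can be illustrated with a small script. The example below is added here and is not code from the article or from any of the organizations quoted; it is a hypothetical CAAT-style control test. It assumes a user-access export with the columns shown, the four control IDs (AC-01 to AC-04) are invented for illustration, the sample rows and the audit cut-off date are constructed, and the 90-day dormancy threshold is an assumed policy value. It runs each control in the matrix over the export, returns findings with the offending accounts as evidence, and draws a reproducible random sample of accounts for a manual walkthrough.

```python
"""Hypothetical CAAT-style control test over a user-access export.

Added example, not from the article. All data below is constructed for
illustration; the control IDs and the dormancy threshold are assumptions.
"""
import csv
import io
import random
from dataclasses import dataclass
from datetime import date

# Constructed sample export: one row per account, ISO dates (assumption).
ACCESS_EXPORT = """\
user,role,last_login,employment_status,mfa_enabled,approved_by
alice,admin,2006-10-30,active,yes,cio
bob,user,2006-06-01,active,no,manager
carol,admin,2006-11-01,terminated,yes,cio
dave,user,2006-11-05,active,yes,
erin,dba,2006-02-14,active,no,manager
"""

AS_OF = date(2006, 11, 8)   # audit cut-off date (constructed)
DORMANCY_DAYS = 90          # assumed policy threshold for unused accounts


@dataclass
class Finding:
    control_id: str
    description: str
    evidence: list  # usernames of the rows that fail the control


def load_export(text):
    """Extract step: parse the CSV export into one dict per account."""
    return list(csv.DictReader(io.StringIO(text)))


def dormant(row):
    """True when the account has not logged in within DORMANCY_DAYS of AS_OF."""
    y, m, d = map(int, row["last_login"].split("-"))
    return (AS_OF - date(y, m, d)).days > DORMANCY_DAYS


# Control matrix (hypothetical IDs): id -> (description, predicate that is
# True when a row is an exception to the control).
CONTROL_MATRIX = {
    "AC-01": ("Terminated staff must have no active account",
              lambda r: r["employment_status"] == "terminated"),
    "AC-02": ("Privileged accounts (admin/dba) must use MFA",
              lambda r: r["role"] in ("admin", "dba") and r["mfa_enabled"] != "yes"),
    "AC-03": (f"Accounts unused for more than {DORMANCY_DAYS} days must be disabled",
              dormant),
    "AC-04": ("Every account must have a recorded approver",
              lambda r: not r["approved_by"].strip()),
}


def run_control_tests(rows, matrix=CONTROL_MATRIX):
    """Test step: evaluate every control against every row; keep only failures."""
    findings = []
    for cid, (desc, is_exception) in matrix.items():
        exceptions = sorted(r["user"] for r in rows if is_exception(r))
        if exceptions:
            findings.append(Finding(cid, desc, exceptions))
    return findings


def sample_for_walkthrough(rows, n, seed=2006):
    """Sample step: a reproducible random sample of accounts for manual
    evidence inspection. The fixed seed lets the auditee regenerate the
    same sample when reviewing the working papers."""
    rng = random.Random(seed)
    return sorted(r["user"] for r in rng.sample(rows, min(n, len(rows))))


def summarize(findings):
    """Flatten findings to {control_id: [failing users]} for the report."""
    return {f.control_id: f.evidence for f in findings}


if __name__ == "__main__":
    accounts = load_export(ACCESS_EXPORT)
    for f in run_control_tests(accounts):
        print(f"{f.control_id} {f.description}: {', '.join(f.evidence)}")
    print("walkthrough sample:", sample_for_walkthrough(accounts, 2))
```

Each finding carries the rows that produced it, which is the "supported by artifacts" requirement the article raises under effectiveness: a reviewer can trace every reported exception back to a line of the export. Fixing the sampling seed is a deliberate design choice so that the sample in the working papers can be regenerated by the auditee during follow-up.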

According to Parkes, more fundamental is clear reporting, using graphics to help executive management understand the issues arising from audit work and why they are relevant to the enterprise. This adds up to better communication. A digital picture in an audit report can tell more than a thousand words. An old cliché, but one that is true.

Factors For Effective IT Audit
  • Focus on People, Processes and Technology.

  • The auditor must have a clear understanding of the business process of the organization.

  • S/he must follow professional ethics.

  • The report must be comprehensive and unbiased.

  • It must clearly bring out control deficiencies that exist and suggest suitable remedial measures.

  • Clarity on the scope of the audit.

  • Should be focused on the strategic needs of the business.

  • Should be an independent exercise with the right reporting system.

  • The auditor should be technically well-versed.

  • Any discrepancies should be brought up front.

  • Overall expectations must be set.

  • The reports should be fair and unbiased.

What Now?
Without follow-ups the benefits of auditing are vastly reduced. According to Pillai, self-evaluation on a regular basis is necessary to improve the quality of security. So, an enterprise should have an internal audit mechanism for this, followed by an annual, external IT audit. However, the frequency of the auditing exercise depends on the organization and the business it is in. There is no set rule; the frequency should be need-based, keeping the purpose in mind. The audit can be an ongoing exercise to monitor a specific control point, or run at a periodic frequency to meet a compliance requirement.

According to Babu, the auditing exercise should be carried out very frequently in the beginning, because the technology is new, policies are new, awareness is low and risk perceptions are high. Later, depending on the tuning and fine-tuning of the policy and its implementation, the frequency can be worked out, keeping in view the results of risk assessment exercises; the same is true for follow-ups.

According to Banerjee, IT audits are usually conducted once or twice a year and they are also conducted whenever the infrastructure undergoes a major change. Whatever the frequency, follow-ups are critical to make the exercise a success.

While the Indian scenario looks good considering the growing awareness and uptake, the enterprises are still in the process of learning the tricks of the trade and moving up the maturity ladder. They are in the process of overcoming the initial barrier of viewing the IT audit exercise as yet another time and resource consuming affair. As this happens and the enterprises move to the other side of the fence, the market is expected to grow exponentially. That is where the lack of adequate manpower will emerge as a bigger area of concern.

Shipra Arora
shipraa@cybermedia.co.in
