Top five benefits of an IT audit


IT auditors often find themselves educating the business community on how their work adds value to the organization. Internal audit departments usually have an IT audit component that is deployed with a clear perspective on its role in the organization. However, in our experience as IT auditors, the business community needs a broader understanding of the IT audit function in order to achieve maximum benefit. In this context, we publish this brief overview of the specific benefits and the added value provided by IT audits.

To be specific, an IT audit can cover a wide range of information-processing and communications infrastructure, such as client systems, networks, operating systems, security hardware, service systems, software applications, web services, databases, communications infrastructure, change management procedures and disaster recovery planning.

The sequence of a standard review begins with identifying risks, then assessing the design of controls, and finally testing the effectiveness of the controls. Skillful auditors can add value at every stage of the review.

Generally, an organization maintains an IT audit function to provide assurance about its technology and controls and to ensure regulatory compliance with federal or industry-specific requirements. As investments in technology grow, IT audit can provide assurance that risks are controlled and that heavy, unbearable losses are avoided. The organization may also determine that a high risk of disruption, a security threat or a vulnerability exists. There may also be regulatory compliance requirements such as Sarbanes-Oxley or requirements that are specific to an industry.

Below we discuss five key areas in which IT auditors can add value to the organization. Of course, the quality and depth of the technical review is a prerequisite for adding value. The planned scope of the audit is also critical to the value added. Without a clear mandate for which business processes and risks will be audited, it is difficult to ensure success or added value.

So here are our top five ways that an IT audit adds value:

1. Minimize risk. Planning and carrying out an IT audit consists of identifying and evaluating the IT risks in the organization.

IT audits typically cover risks related to the confidentiality, integrity and availability of IT infrastructure and operations. Additional risks include the effectiveness, efficiency and reliability of information.

Once the risks are assessed, there can be a clear vision about what course to take: reduce or mitigate the risk through controls, transfer the risk through insurance, or simply accept the risk as part of the operating environment.

A very important concept here is that IT risk is business risk. Any threat to or weakness in critical IT processes can have a direct impact on the entire organization. In short, the organization must know where the risks are and then move on to do something about them.

Best practices in IT risk used by auditors are the ISACA COBIT and RiskIT frameworks and the ISO/IEC 27002 standard, "Code of practice for information security management".

2. Strengthen controls (and improve security). After the risk assessment described above, controls can then be identified and evaluated. Poorly designed or ineffective controls can be redesigned and/or strengthened.

The COBIT framework of IT controls is particularly useful here. It consists of four high-level domains, which cover 32 control processes useful in reducing risk. The COBIT framework covers all aspects of information security, including control objectives, key performance indicators, key goal indicators and critical success factors.

Auditors can use COBIT to assess the controls in an organization and make recommendations that add real value to the IT environment and the organization as a whole.

Another control framework is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model of internal controls. IT auditors can use this framework to get assurance on (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) compliance with laws and regulations. The framework includes two of its five components that relate directly to controls: the control environment and control activities.

3. Comply with regulations. Extensive regulations at the federal and state levels include specific requirements for information security. The IT auditor serves an important function in ensuring that specific requirements are met, risks are assessed and controls are implemented.

The Sarbanes-Oxley Act (the corporate and criminal fraud accountability law) includes requirements for all public companies to ensure that internal controls are adequate as defined in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework discussed above. It is the IT auditor who provides assurance that these requirements are met.

The Health Insurance Portability and Accountability Act (HIPAA) has three areas of IT requirements: administrative, technical and physical. It is the IT auditor who plays a key role in ensuring compliance with these requirements.

Various industries have additional requirements, such as the Payment Card Industry (PCI) Data Security Standard in the credit card industry (for example, Visa and MasterCard).

In each of these areas of regulatory compliance, the IT auditor plays a pivotal role. An organization needs assurance that all requirements are met.

4. Facilitate communication between business and technology management. An audit can have the positive effect of opening channels of communication between an organization's business management and its technology management. Auditors interview, observe and test what is happening in reality and in practice. The final outcome of an audit is valuable information in written and oral reports. Senior management can get direct feedback on how the organization is working.

Technical professionals in an organization also need to know the expectations and objectives of senior management. Auditors help this communication from the top down by participating in meetings with technology management and by reviewing the current implementation of policies, standards and guidelines.

It is important to understand that IT audit is a key element in management's oversight of technology. Technology exists in the enterprise to support its business strategy, functions and processes. Alignment between the business and its supporting technology is critical. IT audit maintains this alignment.

5. Improve IT governance. The IT Governance Institute (ITGI) has published the following definition:

'IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives.'

The leadership, organizational structures and processes referred to in the definition all point to IT auditors as key players. Central to IT audit and to overall IT management is a strong understanding of the value, risks and controls around the organization's IT environment. More specifically, IT auditors review the value, risks and controls in each of the basic elements of technology: applications, information, infrastructure and people.

Another perspective on IT governance consists of a framework of four key objectives, which are also discussed in the IT Governance Institute's documents:

* IT is aligned with the business
* IT enables the business and maximizes benefits
* IT resources are used responsibly
* IT risks are managed appropriately

IT auditors provide assurance that each of these objectives is being met. Each objective is critical to the organization and is therefore critical to the IT audit function.

In summary, IT audit adds value by reducing risk, improving security, complying with regulations and facilitating communication between technology and business management. Finally, IT audit improves and strengthens IT governance in general.

References:

ISACA. Control Objectives for Information and related Technology (COBIT).

ISO/IEC 27002. Code of practice for information security management.

Committee of Sponsoring Organizations of the Treadway Commission Framework (COSO).
