IT process and general computer controls are key to safeguarding your assets and maintaining data integrity and the operational effectiveness of your organisation.
Our services identify, develop and test internal controls and policies. Control reviews are created and implemented to address management objectives ranging from cost recovery to application and infrastructure controls. We seek to highlight significant exposures and recommend potential solutions for risk mitigation.
- System and Network Audits
- Audit of Outsourcing Providers
- Cost Recovery and Invoice Auditing
- SEM Campaign Management Auditing
IT audits encompass the review and evaluation of automated information processing systems, related non-automated processes and the interfaces among them. We gather information and carry out planning to gain an understanding of the existing internal control structure. IT auditors need to identify five items:
- Knowledge of business and industry
- Prior year’s audit results
- Recent financial information
- Regulatory statutes
- Inherent risk assessments
To gain an understanding of the existing internal control structure, IT auditors need to identify five other areas/items:
- Control environment
- Control procedures
- Detection risk assessment
- Control risk assessment
- Equate total risk
Objectives of an IT Audit
IT audit objectives concentrate on validating that the internal controls exist and are functioning as expected. These objectives include assuring compliance with legal and regulatory requirements and the confidentiality, integrity, and availability (CIA) of information systems and data.
IT audit strategies
We gather evidence to test if an organization is following its control procedures. Substantive testing is gathering evidence to evaluate the integrity of individual data and other information.
- Review IT organizational structure
- Review IT policies and procedures
- Review IT standards
- Review IT documentation
- Review the organization’s BIA
- Interview the appropriate personnel
- Observe the processes and employee performance
- Examination, which by necessity incorporates the testing of controls and therefore includes the results of the tests.
Observing what an individual actually does versus what they are supposed to do can provide IT auditors with valuable evidence about how a control is implemented and how well the user understands it.
Application & General Controls
General controls apply to all areas of the organization including the IT infrastructure and support services.
- Internal accounting controls
- Operational controls
- Administrative controls
- Organizational security policies and procedures
- Overall policies for the design and use of adequate documents and records
- Procedures and practices to ensure adequate safeguards over access
- Physical and logical security policies for all data centers and IT resources
- Only complete, accurate and valid data are entered and updated in an application system
- Processing accomplishes the designed and correct task
- The processing results meet expectations
- Data is maintained
Our tasks when performing an application control audit include:
- Identifying the significant application components and the flow of transactions through the application (system), and gaining a detailed understanding of the application by reviewing all available documentation and interviewing the appropriate personnel
- Identifying the application control strengths and evaluating the impact of weaknesses found in the application controls
- Developing a testing strategy
- Testing the controls to ensure their functionality and effectiveness
- Evaluating test results and other audit evidence to determine if the control objectives were achieved
- Evaluating the application against management’s objectives for the system to ensure efficiency and effectiveness.
The audit deliverable
The audit documentation provided once the audit is finished includes:
- Planning and preparation of the audit scope and objectives
- Description or walkthroughs on the scoped audit area
- Audit program
- Audit steps performed and audit evidence gathered
- Audit findings, conclusions and recommendations
- Audit documentation relation with document identification and dates
- A copy of the report issued as a result of the audit work
When we communicate the audit results to your organization, it will be done at an exit interview, where we will have the opportunity to discuss any findings and recommendations.
- The facts presented in the report are correct
- The recommendations are realistic and cost-effective, or alternatives have been negotiated with your organization’s management
- Implementation dates will be agreed for the recommendations in our report
The presentation will include a high-level executive summary.
The audit report includes:
- An introduction (executive summary)
- The findings in separate sections, grouped by intended recipient
- Conclusion on the adequacy of controls examined and any identified potential risks
- Any reservations with respect to the audit
- Detailed findings and recommendations
If, during the course of an IT audit, we come across a materially significant finding, it will be communicated to management immediately, not at the end of the audit.
Contact us to consult a professional information technology auditor today.