Information technology processes and general computer controls (GCC) are key to safeguarding your assets and maintaining data integrity and the operational effectiveness of your business.
The objective of our GCC audits is to determine whether controls effectively support the confidentiality, integrity, and availability of your systems.
At Audit Solutions, based in Montreal, Canada, we identify, develop and test internal controls and policies. Control reviews are created and implemented to address management objectives ranging from cost recovery to application and infrastructure controls. We highlight significant exposures and recommend solutions for risk mitigation.
- Management of IT risks (System and Network Auditing)
- Information Security (Anti-Virus, Firewalls)
- Business Continuity (Backups and Disaster Recovery)
- Change Management
- Physical Security
- IT Operations
- Up to Date Documentation
- Audits of Outsourcing Providers
- Cost Recovery and Invoice Auditing
Information technology auditors gather information and do some planning to gain an understanding of the existing internal control structure.
They need to identify five items:
- Knowledge of business and industry
- Prior year’s audit results
- Recent financial information
- Regulatory statutes
- Inherent risk assessments
To gain an understanding of the existing internal control structure, information technology auditors need to identify five other items:
- Control environment
- Control procedures
- Detection risk assessment
- Control risk assessment
- Equate total risk
Information Technology Audit Strategies
We gather evidence to test if an organization is following its control procedures. We validate the integrity of your data and other information.
- Review information technology organizational structure
- Review information technology policies and procedures
- Review information technology standards
- Review information technology documentation
- Review the organization’s business improvement area (BIA)
- Interview the appropriate personnel
- Observe the processes and employee performance
- Examination, which by necessity incorporates the testing of controls and therefore includes the results of the tests
Observing what an individual actually does versus what they are supposed to do can provide information technology auditors with valuable evidence about how a control is implemented and how well the user understands it.
Application & General Controls
General controls apply to all areas of the organization including the IT infrastructure and support services.
- Internal accounting controls
- Operational controls
- Administrative controls
- Organizational security policies and procedures
- Overall policies for the design and use of adequate documents and records
- Procedures and practices to ensure adequate safeguards over access
- Physical security policies for all data centers and IT resources
- Processing accomplishes the designed and correct task
- The processing results meet expectations
- Data is maintained
Our tasks when performing an application control audit include:
- Reviewing all available documentation and interviewing the appropriate personnel
- Identifying the application control strengths and evaluating the impact of weaknesses found in the application controls
- Developing a testing strategy
- Testing the controls to ensure their functionality and effectiveness
- Evaluating test results and other audit evidence to determine if the control objectives were achieved
- Evaluating the application against management’s objectives for the system to ensure efficiency and effectiveness
Information Technology Audit Deliverable
The audit documentation provided once the audit is finished includes:
- Planning and preparation of the audit scope and objectives
- Description or walkthroughs on the scoped audit area
- Audit program
- Audit steps performed and audit evidence gathered
- Audit findings, conclusions and recommendations
- Audit documentation relation with document identification and dates
- A copy of the report issued as a result of the audit work
We communicate the audit results to your organization at an exit interview, where we will have the opportunity to discuss any findings and recommendations.
- The facts presented in the report are correct
- The recommendations are realistic and cost-effective, or alternatives have been negotiated with your organization’s management
- Implementation dates will be agreed to for the recommendations in our report
The presentation will include a high-level executive summary.
The information technology audit report includes:
- An introduction (executive summary)
- The findings in separate sections, grouped by intended recipient
- Conclusion on the adequacy of controls examined and any identified potential risks
- Any reservations with respect to the audit
- Detailed findings and recommendations
If, during the course of an information technology audit, we come across a materially significant finding, it will be communicated to management immediately, not at the end of the audit.
Contact us to consult a professional information technology auditor today.