Steps to conduct reliable IT Audit
Let\’s talk about IT Audit today. What have you heard about IT Audit now? Have you ever performed such audits? I have been working for a Auditing company for almost 5 years and all always I was performing various types of IT Audit. That is way, I think that I have some IT Audit experience.
A lot of of my audits were targeted to financial audits, which is the main operations of my company. However, our department had performed special IT Audits and IT Security Audits for various companies worldwide.
While performing such small IT audits during work for financial audit, you often face such term as IT Risk Assessment. We need to remember about risks in all our work, thus it is nothing to do – but we need to assess how our customers perform IT risk assessments at their IT environments. That is why we often look at various reports about work performed, talk to different employees from IT department – our goal is to ensure that this particular company has dialed with IT risk and no significant impact would arise to the company financial statements. We just need to address any possible risks to our work, as our conclusion will be very important. It would be very bad, if in future this conclusion will be affected by exploitation of some risk, which we had not seen during our work.
But in order to perform good and quality IT Audit we need to use various IT Audit Tools and techniques. Such tools vary for different environments – for example for Windows environment it would be some tools provided by Microsoft company (e.g. MS Security Base Line Analyzer). And for UNIX environment we would use another tools. The same is with databases – one IT Audit tools are required for Oracle databases and another will be used for MS SQL databases. But always while performing IT Audit assessment you need to use different IT Audit Tools. This will significantly reduce the amount of manual work you need to accomplish.
So, while performing IT Audit assessments, we need to consider the IT Risk Assessment, which can be performed by company, or we may perform such assessment. We need also to use some IT Audit tools and technics, and produce appropriate report for our analysis. And only after all these tasks are finished, we can start making our IT Audit Report. This is very hard work, as you need to consider all issues which you have noticed during the IT Audit work. You need to combine all these issues, sort them, and decide on which of them will go to final report. As a rule, this is done through classification of findings based on their criticality and impact to the business operations of the company. You can classify all findings as having Low, Medium or High impact. In most cases we report only Medium and High findings to the executives of the company. And the Low findings are discussed only with local IT management in order to address the risk.