IT audit is the process of collecting and evaluating evidence to determine whether a computer system of an organization has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently. IT auditors must know the characteristics of the users of the information system and the decision-making environment in the audited organization while evaluating the effectiveness of any system. Use of computer facilities has brought about radically different ways of processing, recording and controlling information and has combined many previously separate functions. The highly repetitive nature of many computer applications means that small errors may lead to large losses. For example, an error in the calculation of income tax to be paid by employees in a manual system will not occur in each case, but once an error is introduced into a computerized system, it will affect every case. This makes it imperative for the auditor to test the invisible processes and to identify the vulnerabilities in a computer information system, as the costs of errors and irregularities can be high.
Increasing use of computers for processing organizational data has added new scope to the review and evaluation of internal controls for audit purposes. IT internal controls are of great value in any computerized system, and it is an important task for an auditor to see not only that adequate controls exist, but also that they work effectively to ensure results and achieve objectives. Internal controls should also be commensurate with the assessed risk so as to reduce the impact of identified risks to acceptable levels. All of an organization's documents are sustained by its IT department, so the IT department's equipment must be kept secure and access to it restricted.
The use of Information and Communication Technology (ICT) within government entities has become increasingly significant in recent years, particularly following greater use of the Internet and organizational intranets. Technology has increased the amount of data and information being processed and has significantly impacted the control environment. ICT is also now a key component of government entities' business strategies and core business processing activities. The management of ICT risk has therefore been elevated within entities and now forms a key part of corporate governance. Accordingly, the effective and efficient management of ICT is vital to the success of most entities.
As computer technology has advanced, government organizations have become increasingly dependent on computerized information systems to carry out their business operations and service delivery and to process, maintain and report essential information. There is also an increasing range of ICT vulnerabilities and threats that have to be managed effectively and efficiently. As a consequence, the confidentiality, integrity, availability and reliability of computerized data, and of the systems that process, maintain and report these data, are a major concern to audit. IT auditors evaluate the effectiveness and efficiency of IT controls in information systems and related operations to ensure they are operating as intended.
What is IT Audit?
IT audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently. An effective information system leads the organization to achieve its objectives, and an efficient information system uses minimum resources in achieving the required objectives. IT auditors must know the characteristics of the users of the information system and the decision-making environment in the audited organization while evaluating the effectiveness of any system.
Use of computer facilities has brought about radically different ways of processing, recording and controlling information and has combined many previously separated functions. The potential for material systems error has thereby been greatly increased causing great costs to the organization. The highly repetitive nature of many computer applications means that small errors may lead to large losses. For example, an error in the calculation of income tax to be paid by employees in a manual system will not occur in each case, but once an error is introduced in a computerized system, it will affect each case. This makes it imperative for the auditor to test the invisible processes and to identify the vulnerabilities in a computer information system, as through errors and irregularities, the costs involved can be high.
Increasing use of computers for processing organizational data has added new scope to the review and evaluation of internal controls for audit purposes. The IT internal controls are of great value in any computerized system and it is an important task for an auditor to see that not only adequate controls exist, but that they also work effectively to ensure results and achieve objectives. Also internal controls should be commensurate with the risk assessed so as to reduce the impact of identified risks to acceptable levels. IT auditors need to evaluate the adequacy of internal controls in computer systems to mitigate the risk of loss due to errors, fraud and other acts and disasters or incidents that cause the system to be unavailable.
What is IT Audit Compliance?
This section outlines a risk management approach to health and safety in IT Compliance offices. It provides general information about the framework of Victorian occupational health and safety legislation and how this applies to office environments. The development and implementation of a health and safety policy for IT Compliance in the office is also discussed.
Figure 2: Document save setting [source: Internet]
The aim of occupational health and safety in IT compliance risk management is to eliminate or reduce the risk of injuries and illness associated with work. Managing IT compliance health and safety in the office requires a process of hazard identification, risk assessment, risk control and evaluation of control measures. Effective management of health and safety hazards also involves training, consultation, documentation of health and safety activities and regular review of the management system in IT compliance. Risk management is a continuous process, as technology changes and further options for the control of risks become available. It requires consultation between employers, employees and IT Compliance Health and Safety Representatives when determining the approach and methods to be used. Employers are also required to provide information, training and supervision so that employees can perform their work in a safe manner. Training should provide employees and their supervisors with an understanding of:
- Health and safety legal responsibilities in IT compliance;
- The nature of the hazards in the workplace;
- The process of hazard identification, risk assessment and risk control;
- The arrangements for reporting;
- Circumstances likely to cause hazards;
- The reasons for and safe use of the risk control measures in place in the workplace; and
- Safe work practices.
Employers are also required to keep information and records relating to the IT compliance health and safety of employees. These include records required by law (for example, injury reports) as well as records of hazard identification, risk assessment and risk control.
IT Audit Policy Issues
Establishing audit policy is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.
There are nine different kinds of events you can audit. If you audit any of these kinds of events, Windows records the events in the Security log, which you can find in Event Viewer.
- Account logon events. Audit this to see each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated in the domain controller's Security log when a domain user account is authenticated on a domain controller. These events are separate from Logon events, which are generated in the local Security log when a local user is authenticated on a local computer. Account logoff events are not tracked on the domain controller.
- Account management. Audit this to see when someone has changed an account name, enabled or disabled an account, created or deleted an account, changed a password, or changed a user group.
- Directory service access. Audit this to see when someone accesses an Active Directory directory service object that has its own system access control list (SACL).
- Logon events. Audit this to see when someone has logged on or off your computer (either while physically at your computer or by trying to log on over a network).
- Object access. Audit this to see when someone has used a file, folder, printer, or other object. While you can also audit registry keys, we don't recommend that unless you have advanced computer knowledge and know how to use the registry.
- Policy change. Audit this to see attempts to change local security policies and to see if someone has changed user rights assignments, auditing policies, or trust policies.
- Privilege use. Audit this to see when someone exercises a user right.
- Process tracking. Audit this to see when events such as program activation or a process exiting occur.
- System events. Audit this to see when someone has shut down or restarted the computer, or when a process or program tries to do something that it does not have permission to do. For example, if malicious software tried to change a setting on your computer without your permission, system event auditing would record it.
- Server room: Every organization needs a separate server room, equipped with two air-conditioning units, a temperature meter, a fire exit system, and door locks with controlled keys.
- Workstation: Workstations should be kept clean and uncluttered.
Data backup system: Here I show the data backup and restore system.
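The nine audit categories listed above are what `auditpol /get /category:*` prints on a Windows host, each broken into subcategories with a setting of "No Auditing", "Success", "Failure" or "Success and Failure". An auditor reviewing audit policy typically compares that output against a minimum baseline. The following Python script is an added example, not part of the original article or of any Microsoft tool: it parses a constructed sample of `auditpol` output (the layout and subcategory names follow the real tool, but the values are made up for this example) and reports every baseline subcategory whose configured setting falls short. The baseline itself is an assumption chosen for illustration, not a standard the page cites.

```python
"""Compare a Windows audit policy (auditpol text) against a minimum baseline.

Added example; the sample output and the BASELINE dictionary below are
constructed for illustration and are not from the original article.
"""
import re

# Constructed, abbreviated sample of `auditpol /get /category:*` output.
# Real output has the same layout: category lines flush left, subcategory
# lines indented two spaces, and the setting in the right-hand column.
SAMPLE_AUDITPOL_OUTPUT = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         No Auditing
Account Management
  User Account Management                 Success and Failure
  Security Group Management               Success
Policy Change
  Audit Policy Change                     Success and Failure
Detailed Tracking
  Process Creation                        No Auditing
"""

# Assumed minimum baseline: (category, subcategory) -> flags that must be on.
BASELINE = {
    ("System", "Security State Change"): {"Success"},
    ("Logon/Logoff", "Logon"): {"Success", "Failure"},
    ("Logon/Logoff", "Account Lockout"): {"Failure"},
    ("Account Management", "User Account Management"): {"Success", "Failure"},
    ("Policy Change", "Audit Policy Change"): {"Success", "Failure"},
    ("Detailed Tracking", "Process Creation"): {"Success"},
}

SUBCATEGORY_RE = re.compile(
    r"^\s{2}(?P<name>.+?)\s{2,}"
    r"(?P<setting>No Auditing|Success and Failure|Success|Failure)\s*$"
)


def setting_to_flags(setting):
    """Map an auditpol setting string to the set of audited outcomes."""
    s = setting.strip()
    if s == "No Auditing":
        return frozenset()
    if s == "Success and Failure":
        return frozenset({"Success", "Failure"})
    if s in ("Success", "Failure"):
        return frozenset({s})
    raise ValueError(f"unrecognised audit setting: {setting!r}")


def parse_auditpol(text):
    """Return {(category, subcategory): frozenset(flags)} from auditpol text."""
    policy = {}
    category = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("System audit policy", "Category/Subcategory")):
            continue  # banner and column header carry no policy data
        if not line.startswith(" "):
            category = stripped  # flush-left lines name a category
            continue
        match = SUBCATEGORY_RE.match(line)
        if match is None or category is None:
            raise ValueError(f"unexpected auditpol line: {line!r}")
        policy[(category, match.group("name").strip())] = setting_to_flags(match.group("setting"))
    return policy


def find_gaps(policy, baseline):
    """List (category, subcategory, missing_flags) where policy is weaker than baseline.

    A subcategory absent from the policy text counts as 'No Auditing'.
    """
    gaps = []
    for (category, subcategory), required in baseline.items():
        configured = policy.get((category, subcategory), frozenset())
        missing = sorted(set(required) - configured)
        if missing:
            gaps.append((category, subcategory, missing))
    return gaps


if __name__ == "__main__":
    for category, subcategory, missing in find_gaps(parse_auditpol(SAMPLE_AUDITPOL_OUTPUT), BASELINE):
        print(f"GAP: {category} / {subcategory}: not auditing {', '.join(missing)}")
```

On a live host the same functions can be fed the real text by running `auditpol /get /category:*` from an elevated prompt and passing its stdout to `parse_auditpol`; missing subcategories are treated as "No Auditing" so that a truncated or filtered export cannot silently pass the check.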
Importance of IT Audit System
The role of information technology (IT) control and audit has become a critical mechanism for ensuring the integrity of information systems (IS) and the reporting of organization finances, to avoid and hopefully prevent future financial fiascos such as Enron and WorldCom. Global economies are more interdependent than ever and geopolitical risks impact everyone. Electronic infrastructure and commerce are integrated into business processes around the globe. The need to control and audit IT has never been greater. Initially, IT auditing (formerly called electronic data processing (EDP), computer information systems (CIS), and IS auditing) evolved as an extension of traditional auditing. At that time, the need for an IT audit function came from several directions:
- Auditors realized that computers had impacted their ability to perform the attestation function.
- Corporate and information processing management recognized that computers were key resources for competing in the business environment, similar to other valuable business resources within the organization, and that the need for control and auditability was therefore critical.
- Professional associations and organizations, and government entities recognized the need for IT control and audit ability.
The early components of IT auditing were drawn from several areas. First, traditional auditing contributes knowledge of internal control practices and the overall control philosophy. Another contributor was IS management, which provides the methodologies necessary to achieve successful design and implementation of systems. The field of behavioral science provided questions and analysis about when and why IS are likely to fail because of people problems. Finally, the field of computer science contributes knowledge about control concepts, discipline, theory, and the formal models that underlie hardware and software design as a basis for maintaining data validity, reliability, and integrity.
IT auditing is an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems. Initially, auditors with IT audit skills were viewed as the technological resource for the audit staff, who often looked to them for technical assistance. There are many types of audit needs within IT auditing, such as organizational IT audits (management control over IT), technical IT audits (infrastructure, data centers, data communication), application IT audits (business/financial/operational), development/implementation IT audits (specification/requirements, design, development, and post-implementation phases), and compliance IT audits involving national or international standards. The IT auditor's role has evolved to provide assurance that adequate and appropriate controls are in place. Of course, the responsibility for ensuring that adequate internal controls are in place rests with management. The audit's primary role, except in areas of management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner. Therefore, whereas management is to ensure, auditors are to assure.
Today, IT auditing is a profession with conduct, aims, and qualities that are characterized by worldwide technical standards, an ethical set of rules (the Information Systems Audit and Control Association [ISACA] Code of Ethics), and a professional certification program (Certified Information Systems Auditor [CISA]). It requires specialized knowledge and practical ability, and often long and intensive academic preparation. Often, where academic programs were unavailable, employers had to expend significant in-house training and professional development. Most accounting, auditing, and IT professional societies believe that improvements in research and education will provide the IT auditor with a better theoretical and empirical knowledge base for the IT audit function. They feel that emphasis should be placed on education obtained at the university level. The breadth and depth of knowledge required to audit IT systems are extensive. For example, IT auditing involves the:
- Application of risk-oriented audit approaches
- Use of computer-assisted audit tools and techniques
- Application of standards (national or international) such as ISO 9000/3 and ISO 17799 to improve and implement quality systems in software development and meet security standards
- Understanding of business roles and expectations in the auditing of systems under development as well as the purchase of software packages and project management
- Assessment of information security and privacy issues which can put the organization at risk
- Examination and verification of the organization's compliance with any IT-related legal issues that may jeopardize or place the organization at risk
- Evaluation of complex systems development life cycles (SDLC) or new development techniques; e.g., prototyping, end user computing, rapid systems, or application development
- Reporting to management and performing a follow-up review to ensure that the actions taken are in effect. The auditing of complex technologies and communications protocols involves the Internet, intranets, extranets, electronic data interchange, client servers, local and wide area networks, data communications, telecommunications, wireless technology, and integrated voice/data/video systems.
The article is extracted from a thesis work supervised under my guidance and successfully accomplished by Md Shahadat Hossain, a graduate student of the Department of Computer Science and Engineering at Daffodil International University.