Information Technology (IT) audit refers to the overall examination and evaluation of an organisation's IT infrastructure, policies and operations. The audit helps to determine whether corporate assets are protected, data integrity is ensured and IT controls are aligned with the goals of the business entity. Nowadays, organisations consider insufficient preparation to manage cyber threats to be one of their biggest operational risks. Security breaches of IT systems can have profound effects on organisations. Corporations should ensure the security of their websites and data to maintain their credibility, along with the confidentiality, integrity and uninterrupted availability of IT systems.
According to KPMG, a Netherlands-based auditing firm, "Cyber security has become an enormous issue in the last few years and its importance continues to grow. Major corporations' networks and systems continue to be subject to hacking and attack" and it "is therefore, essential for Audit Committees to understand what management is doing to mitigate IT risks."
RISKS ASSOCIATED WITH IT OF CORPORATIONS FOUND IN AUDITS:
- Does the corporation possess any IT policy, including IT controls?
- Has the corporation defined, assigned and accepted its IT responsibilities and controls?
- Do the IT controls operate?
- Do IT controls regularly achieve the desired results?
- Is the mix of preventive, detective and corrective IT controls effective?
- Do IT controls provide evidence when the system's control parameters are exceeded or when a control fails? How does corporate management become alerted to failures? Which steps are expected to be taken?
- Does the audit trail help to retain evidence?
- Are the IT infrastructure equipment and tools logically and physically secured?
- Does the corporation use information access and authentication control mechanisms?
- Can the existing IT controls protect the corporation's operating environment and data from viruses and malware?
- Is there a deficiency in the delivery of IT services to customers?
- Do IT systems provide any business benefit?
- Is there any chance of sabotage within the corporation's IT systems?
ESTABLISHING THE AUDIT STRATEGY TO FACE THE RISKS OF IT HAZARDS:
The second important issue after risk identification is formulating an audit strategy. An audit strategy relates to the overall approach the assurer will take to the audit and the scope of the audit. It includes understanding the entity, the risks it faces, the legal framework it operates in, the financial reporting standards used, etc. Here, in IT audit, the structure that we have designed as a standard is shown in Table-I.
UNDERSTANDING IT CONTROLS OF THE COMPANY: IT controls consist of processes that offer assurance for information and information services and help to mitigate the risks associated with the organisational use of technology. Such controls vary - from written corporate policies to their implementation within coded instructions; from physical access protection to the ability of tracing actions, transactions and responsible individuals; and from automated edits to "reasonability analyses" for extensive data - including the Assessment of Governance-Management-Technical controls, General Application, Prevention controls, Detection controls, Correction controls and Information-Security controls.
IMPORTANCE OF IT CONTROLS: The importance of the corporate controls will determine how much testing of controls auditors should undertake. However, substantive procedures will also determine the importance of IT controls, in empirical terms, according to the importance of the corporate bodies within the organisation.
ROLES AND RESPONSIBILITIES: The roles and responsibilities of the IT Audit are necessary to continue the controls of Governance, Management and Audit. Besides, the governance management should prepare the guidelines to minimise risks if strictly enforced by corporate management.
BASED ON RISK: The controls can also be maintained by concentrating on Risk Analysis, Risk Response and Baseline Controls - considered as Risk-specified IT controls.
MONITORING AND TECHNIQUES: Inside an organisation, overall IT risks can be minimised if proper controls on the performance and operations are maintained through a strict set of monitoring techniques like Control Framework and Frequency Analysis.
ASSESSMENT: Obviously, assessment and the post-assessment evaluation are required to verify the efficiency of IT Audit. Here, Methodologies and Audit Committee Interface are compulsory.
Thus, an audit strategy and overall control procedure can minimise an organisation's IT risks from cyber-attacks. Such tools also prevent the loss of internal or external data and information which can ruin organisational reputation. If confidential information like corporate strategies and trade secrets are revealed to clients and competitors, corporations will face an irreversible crisis.
This can be avoided if IT Audit takes the necessary precautions, amongst other techniques. Nevertheless, cybercrimes never cease to take place! Competitors or malicious elements often hack corporate websites to malign or victimise an organisation. An organisation's internal IT controls must be strong enough to resolve such incidents. Meanwhile, corporations can safeguard the internal network (Intranet) with firewall systems so that intruders fail to break into their websites and internal servers.
A proper and appropriate use of IT Audit can protect the corporate world from cybercrimes, create IT awareness and eventually lead to safe business environment alongside a healthy economy.
Prodip Kumar Roy, FCS is the Chief Financial Officer (CFO) of Active Fine Chemicals Ltd., AFC Agro Biotech Ltd., AFC Capital Ltd. and AFC Health Ltd. Gourav Roy is a graduate of Finance from the University of Dhaka.