IT Security Audit

An IT audit is the examination and evaluation of an organization’s information technology infrastructure, policies and operations.

Information technology audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business’s overall goals. IT auditors examine not only physical security controls, but also overall business and financial controls that involve information technology systems.

What is an IT Security Audit?

An Information Technology (IT) audit is an audit of an organisation’s IT systems, management, operations and related processes.

An IT audit may be carried out in connection with a financial regularity audit or selective audit. As the records, services and operations of many organizations are often highly computerized, there is a need to evaluate the IT controls in the course of an audit of these organizations.

Objectives of an IT Security Audit

The objectives of IT security audits include:

Evaluating the reliability of data from IT systems which have an impact on the organization's financial statements.

Ascertaining the level of compliance with the applicable laws, policies and standards in relation to IT.

Checking for instances of excess, extravagance or gross inefficiency in the use and management of IT systems.

Why is an IT Audit Important?

Many organizations are spending large amounts of money on IT because they recognise the tremendous benefits that IT can bring to their operations and services. However, they need to ensure that their IT systems are reliable, secure and not vulnerable to computer attacks.

IT audit is important because it gives assurance that the IT systems are adequately protected, provide reliable information to users and are properly managed to achieve their intended benefits. Many users rely on IT without knowing how the computers work, and a computer error can be repeated indefinitely, causing more extensive damage than a single human mistake.

IT audit also helps to reduce the risks of data tampering, data loss or leakage, service disruption, and poor management of IT systems.

How is an IT Audit carried out?

Generally, IT audit is carried out as follows:

1.) Establish the IT audit objectives and scope.
2.) Develop an audit plan to achieve the IT audit objectives.
3.) Gather information on the relevant IT controls and evaluate them.
4.) Perform audit tests, using Computer-Assisted Audit Techniques (CAATs) such as data extraction and analysis software or test data, where appropriate.
5.) Report on the IT audit findings.

In performing its IT audits, the Auditor-General's Office (EndPoint) also checks for compliance with Government policies, standards, laws and regulations on information and related technology. Where appropriate, EndPoint uses the IT audit tools, technical guides and other resources recommended by ISACA (Information Systems Audit & Control Association), and encourages staff to be certified as CISA (Certified Information Systems Auditor).

Audit Sample

Review the organization's method for identifying, purchasing, installing, updating, maintaining, or developing personal computers, networking, mainframe, or other processing devices. The review of this process also includes an evaluation of the methods for ensuring the installation of updates, releases and emergency fixes (patch management).

Data and Physical Security:

Review the Organization’s client/server environment (logical and physical controls and policies).
Review the Organization’s antivirus and antispyware systems and controls.
Review the Organization’s computer equipment/media disposal policies and procedures.
Review the Organization’s portable media device environment (e.g. laptops, smartphones, PDAs etc.), policies, and procedures.
Review the Organization’s host system environment and controls. This review includes physical and logical security and user access levels.
Review the Organization’s loan, deposit, and image platform general controls.
Review the Organization’s Input and Output (separation of duties) controls in the Operations and Retail areas of the bank.
Review the Organization’s policies and procedures controlling Internet and email access.
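Step 4 of the audit procedure above calls for Computer-Assisted Audit Techniques such as data extraction and analysis, and the sample checks on patch management, host user access levels and input/output separation of duties are the kind of tests they automate. The following is an added example written for this page; it is not tooling from the page, from EndPoint or from ISACA. Every hostname, user name, role name, date, the 30-day patch window, the role sets and the HR roster are constructed assumptions standing in for the extracts an auditor would pull from the asset inventory, the access control system and HR.

```python
"""Computer-assisted audit tests (CAATs) over constructed extracts.

Added example, not the page's own tooling. Every host, user, role, date and
threshold below is a constructed assumption standing in for real extracts
from the asset inventory, the access control system and the HR roster.
"""
from datetime import date

# Policy assumptions (constructed): patches must be applied within 30 days,
# and no single user may hold both an input role and an output/approval
# role (the separation-of-duties rule for the Operations and Retail areas).
PATCH_SLA_DAYS = 30
INPUT_ROLES = {"teller_input", "loan_entry"}
OUTPUT_ROLES = {"loan_approve", "wire_release"}

# Constructed "as of" date for the audit fieldwork.
AUDIT_DATE = date(2024, 7, 1)

# Constructed extract from the asset inventory: hostname and last patch date.
HOST_INVENTORY = [
    {"host": "core-app-01", "last_patch": date(2024, 5, 2)},
    {"host": "file-srv-02", "last_patch": date(2024, 6, 20)},
    {"host": "img-proc-03", "last_patch": date(2024, 4, 10)},
    {"host": "lan-sw-04", "last_patch": date(2024, 6, 1)},  # exactly at the SLA
]

# Constructed extracts from the access control system and the HR roster.
USER_ACCESS = [
    {"user": "asmith", "roles": ["teller_input"]},
    {"user": "bjones", "roles": ["loan_entry", "loan_approve"]},  # input + output
    {"user": "cdoe", "roles": ["wire_release"]},                  # no HR record
    {"user": "dlee", "roles": ["teller_input"]},                  # terminated in HR
]
HR_ROSTER = {"asmith": "active", "bjones": "active", "dlee": "terminated"}


def patch_exceptions(inventory, as_of, sla_days=PATCH_SLA_DAYS):
    """Hosts patched longer ago than the SLA allows, as (host, days_overdue).

    A host exactly at the SLA boundary is treated as compliant. The result is
    sorted with the most overdue host first so it heads the working paper.
    """
    findings = []
    for entry in inventory:
        age = (as_of - entry["last_patch"]).days
        if age > sla_days:
            findings.append((entry["host"], age - sla_days))
    return sorted(findings, key=lambda f: (-f[1], f[0]))


def sod_conflicts(access, input_roles=INPUT_ROLES, output_roles=OUTPUT_ROLES):
    """Users holding at least one input role and at least one output role."""
    conflicts = []
    for entry in access:
        roles = set(entry["roles"])
        if roles & input_roles and roles & output_roles:
            conflicts.append(entry["user"])
    return sorted(conflicts)


def orphaned_accounts(access, roster):
    """Accounts in the access extract whose HR status is anything but active.

    Catches leavers whose access was never revoked as well as accounts with
    no HR record at all (service or contractor accounts HR does not track).
    """
    return sorted(e["user"] for e in access if roster.get(e["user"]) != "active")


def run_audit_tests(as_of, inventory=HOST_INVENTORY, access=USER_ACCESS,
                    roster=HR_ROSTER):
    """Run the three tests and return a findings dict for the audit report."""
    return {
        "patching": patch_exceptions(inventory, as_of),
        "separation_of_duties": sod_conflicts(access),
        "orphaned_accounts": orphaned_accounts(access, roster),
    }


if __name__ == "__main__":
    for test, result in run_audit_tests(AUDIT_DATE).items():
        status = "EXCEPTION" if result else "no exceptions"
        print(f"{test:22s} {status}: {result}")
```

Each function takes the extract as data rather than querying a live system, which is how CAAT work is normally done: the extraction is evidenced and dated separately, and the analysis is repeatable against that frozen copy. The boundary case (a host at exactly the SLA age) is deliberately treated as compliant; the test should match whatever the organization's written policy says, and an auditor records which reading was applied.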

Disaster Recovery Planning/Business Continuity Planning

1.) Review the bank’s Disaster Recovery and Business Continuity plan and/or policy. This review is designed to ensure the plan meets the regulatory requirements and is operable in the event of a disaster/contingency.
2.) Review any disaster recovery testing results/documentation. This includes core, item, and image processing tests, LAN/WAN network recovery tests, tabletop tests, etc.
3.) Review tape backup procedures and contingency supplies.