IT Internal Audit is a practice governed by a committee of the Board of Directors to ensure that the information systems environment safeguards information system assets and maintains data integrity, availability, and confidentiality.
All of the foregoing ultimately supports business resilience, the achievement of objectives, and the quality of financial statements, which are the concern of shareholders and stakeholders.
What is IT Internal Audit?
IT Internal Audit can be defined as a systematic function that provides an independent examination of a business entity’s information systems environment. It includes reviewing and evaluating data and information related to the implemented information systems, practices, and operations against international IT standards and/or approved policies and procedures,
in order to provide reasonable assurance, on a test basis, regarding the effectiveness of the controls over those resources, the safeguarding of assets, and the maintenance of data integrity and confidentiality.
What are the standards that are governing Information Technology Internal Audit?
Although internal audit activity is governed by the standards issued by the Institute of Internal Auditors (IIA), the IIA refers to the specialized IT Internal Audit standards published and governed by the Information Systems Audit and Control Association (ISACA).
ISACA has published information systems audit standards as well as a set of guidelines, which are:
- COBIT® 2019, a business framework to govern enterprise technology.
- The Cybersecurity Nexus (CSX), a holistic cybersecurity resource.
- Tools and Techniques that assist in creating the relevant IT audit programs.
Who is best positioned to perform the IT Internal Audit?
The IT internal auditors are best positioned to perform the IT internal audit function, which is generally responsible for the internal controls and risks associated with a business entity’s IT environment.
This includes identifying weaknesses in the IT systems in place and responding to any findings, as well as planning to prevent security breaches.
What are the relevant Certifications for the IT Internal Auditors?
There are certifications that attest to IT internal auditors’ skills, such as Certified Information Systems Auditor (CISA).
What are the typical audit process steps for IT Internal Audit?
In general, as per ISACA, the typical audit process for IT Internal Audit consists of three major phases: Planning, Fieldwork/Documentation, and Reporting/Follow-up.
Each phase in the IT internal audit process is subsequently divided into key steps to plan, define, perform, and report the results of the engagement in line with IT audit standards.
However, business entities can choose to break the main phases down into multiple stages and activities according to their own view and needs.
What is the scope of IT Internal Audit?
The scope of IT internal audit consists of five main activities:
- Understand and confirm the IS controls environment under audit.
- Perform interviews, walkthroughs, and documentation reviews.
- Assess the appropriateness of the existing IS controls environment.
- Validate existing IS controls and assess control effectiveness; and
- Develop and deliver the IT audit report to management.
What are the Domains under the scope of the IT Internal Audit?
There are four main domains that should be reviewed under the Information Technology audit:
- Governance and Management of IT
- IS Acquisition, Development, and Implementation
- IS Operations and Business Resilience
- Protection of Information Assets
What are the key IT Controls considered by IT internal auditors?
D1 – Governance and Management of IT
- Governance of Enterprise IT
- Information Systems Strategy
- Maturity and Process Improvement Models
- IT Investment and Allocation Practices
- Policies and Procedures
- Risk Management
- Information Technology Management Practices
- IT Organizational Structure and Responsibilities
- Business Continuity Planning
D2 – IS Acquisition, Development, and Implementation
- Project Management Structure
- Project Management Practices
- Business Application Development
- Virtualization and Cloud Computing Environments
- Business Application Systems
- Development Methods
- Infrastructure Development / Acquisition Practices
- Information Systems Maintenance Practices
- System Development Tools and Productivity Aids
- Process Improvement Practices
- Application Controls
D3 – IS Operations and Business Resilience
- Information Systems Operations
- IT Asset Management
- Information Systems Hardware
- IS Architecture and Software
- IS Network Infrastructure
- Disaster Recovery Planning
D4 – Protection of Information Assets
- Information Security Management
- Logical Access
- Network Infrastructure Security
- Environmental Exposures and Controls
- Physical Access Exposures and Controls
- Mobile Computing
- Peer-to-peer Computing
- Instant Messaging
- Social Media
- Cloud Computing
- Data Leakage
- End-user Computing Security Risk and Controls
How can IT Internal Audit help your business entity?
- Ensure compliance with regulatory requirements.
- Enhance stakeholders’ confidence in the reliability of IT systems, ensuring the continuity of services.
- Proactively manage risks associated with information systems in place.
- Enhance the overall performance of the business and provide a competitive advantage.
Why does Baker Tilly provide this service?
Baker Tilly is distinguished by specialist professional experience and offers the following characteristics, which carry added value for our clients:
- A global consulting firm operating in the State of Kuwait.
- World-class laboratories equipped with state-of-the-art tools used for IT risk assessment.
- Updated databases of automated systems enabling the IT internal audit of any technology environment that a client adopts.
- Local experience under an umbrella of a global network with highly qualified IT internal audit experts; and
- Bilingual team.