I am a Certified Information Systems Auditor (CISA) and a qualified Chartered Accountant (ACA) with over 20 years experience in the field, my career was developed, for many years. in the UK National Audit Office and then working internationally with a variety of Supreme Audit Institutions.
In this time what is called the 4th industrial revolution or the digital revolution has altered the nature of work considerably. The nature of how business is done both by auditors and our clients has changed quickly and the pace of change is only increasing but it is not impossible to keep up. To remain focused on the fundamentals is therefore key to meeting our audit objectives and holding our nerve in the face of digital innovation and change.
It is important that both the IT auditor and their clients are aware of the main technology trends of the digital revolution; these are many but of particular importance in government and in IT audit are: Artificial Intelligence (AI), Machine Learning, Data Analytics, Remote Working, Blockchain, Cloud and Edge Computing, Robotics, smarter networks, Quantum computing and Robotic Process Automation (RPA). These are likely to significantly impact the IT auditor but there are many other aspects to the digital revolution e.g. 5G and 3D printing which may impact the IT audit profession. It is almost impossible to be an expert in all of them. It is challenging for any State Audit Institution to be have expertise in all these areas, not least due to the cost of having these experts available. So how to cope ?
While there are different IT audit frameworks around the world the main framework that is used is COBIT 5, produced by ISACA; however this covers many eventualities and in some peoples opinion is not simple to use for the practitioner. It is also aimed at the needs of those with governance responsibilities but can be easily adapted for the IT auditor.
What follows is not a short guide to COBIT 5 but instead an insight on how an experienced IT auditor might view the fundamentals of IT audit so that the changing nature of the digital landscape does not seem overwhelming. There are four key areas to consider: Governance, IT Change Management, Digital Access Security and Physical Security. If an IT audit covers these areas then it will have sufficient coverage to ensure that audit and client objectives are met regardless of what the latest technology challenges are.
1. Governance
Effective IT governance is having the right people in place to lead the organisation. They should be able to develop clearly define IT Policy and Strategy and ensure that the organisations IT and IT personnel are properly aligned with overall business goals, objectives and strategies and that there are appropriate internal control frameworks.
Indicators of an appropriate level of governance are:
- IT strategy should include a risk assessment to assess the threats to IT security.
- Management should have obtained independent certifications, accreditation and assurance (e.g. Internal Audit) that IT processes and operations are maintained and monitored.
- Management should have adequate personnel procedures to ensure that only suitable staff are employed.
- Management should have a defined IT security policy and ensure that staff are aware of, and made responsible for, relevant security policies and procedures.
- Procedures should be in place to provide adequate and timely IT assistance and support to end users. This should include establishing and operating a help desk and monitoring end user satisfaction with the IT environment.
- IT systems should be regularly checked for compliance with security standards
2. IT Change Management
Change management is all about the client acquiring implementing and maintaining IT system hardware and software and ensuring that all changes are managed so that the integrity of the data produced by the information systems is not compromised. System development and maintenance should be consistent with business strategy and defined requirements and standards.
Indicators of an appropriate level of control over IT change management are:
- High level management approval should be obtained and evidenced for new systems development and changes to existing systems.
- Separate environments (preferably both digital and physical should be maintained for the development, modification and testing of IT solutions that are separate from the live operating environment.
- Procedures should incorporate user acceptance of new developments that ensure that end users are active involved in the test process and formally sign off their acceptance.
- Testing of all new or modified applications should be performed before release to the live environment. This should ideally incorporate parallel running of the old and new systems and the detailed comparison of output data.
- Development personnel should be prohibited from migrating applications and data from the test environment to production to ensure segregation of duties.
3. Digital Access Security
The objective of establishing digital access security is to ensure that the client establishes an appropriate level of security to safeguard IT systems and resources against unauthorised use, modification, disclosure or loss.
Indicators of an appropriate level of control over digital access security are:
- The client should have formally documented procedures in place that define its approach to digital access security
- There should be a defined password policy.
- Shared areas should be restricted through password controls, and selected facilities should be restricted to specific categories of user.
- All systems should time out if left unattended for any prolonged period of time.
- There should be log-on procedures to protect system integrity. The number of unsuccessful log-on attempts should be limited and recorded.
- The client should establish formal policies and procedures ensuring the update and/or removal of systems access rights to employees who change job duties or leave the organisation.
- Administrator rights should only be assigned to a limited number of individuals who require those rights to perform their job duties. The activities of systems administrators and other privileged users should also be logged and subject to periodic review.
4. Physical Security
An appropriate level of control and physical security is vital to ensure that hardware, software, and the related data produced by the information system is protected from damage, loss, unauthorised use, and modification
Indicators of an appropriate level of control over physical security are:
- The client should have formal procedures in place that define its approach to physical security.
- Physical security should be achieved through the use of physical barriers to entry.
- The client should establish procedures against malicious programs through the use of anti-malicious software protection.
- Management should initiate regular reviews of the software and data content of critical system to identify the potential presence of unauthorised files and data.
- Management should ensure that all data is backed-up on a regular basis and that such back-ups are maintained in a secure location off-site.
- Access to internal networks and/or applications by suppliers, customers, and/or other business partners should be approved by appropriate management and limited to those networks and/or applications required for the conduct of the business. Representatives of suppliers, customers and other business partners should be required to adhere to the client’s own policies, procedures and security standards when accessing the client’s systems.
- Connections with business partners and public networks should be adequately managed and controlled by a firewall.
- Where third parties are responsible for the security of client data, the client should ensure that adequate back-up procedures exist, and that it has a right to audit.
And Relax
What the IT auditor needs to remember is not to be afraid of the digital revolution but to remember that the original structures built to audit IT are in essence unchanged and that any new approaches and technology will always be able to be assessed within the context of these fundamentals of our IT audit profession.
Good luck and embrace the digital revolution.