The audit profession and audit practices have undergone many changes in line with technological developments. In the twentieth century, establishing standards and making legal arrangements for supervision and implementation became necessary in order to inform investors and to protect society and the public interest. It has therefore become necessary to take the information technology environment into account during organizations’ audits, and to give innovations in information technology a place in the legal arrangements and standards to be created.
“How Secure Are You?”
IT audit focuses on determining the risks related to information assets and establishing controls (risk management) to reduce or eliminate these risks. One of the goals of the IT audit in the protection of information assets is to evaluate the appropriateness, confidentiality and integrity of the company’s information systems by reviewing them. Some of the questions that IT auditors seek to answer while performing the audit are given below.
- Are the company’s information systems available for use at all times, so that the workflow is not disrupted?
- Can the information in the system be accessed only by authorized users?
- Is the information in the system always accurate, complete, reliable and up to date?
Information Technology has a significant effect on the internal audit function. As new risks emerge, there is a need for new procedures which will adequately deal with these risks.
The execution of the IT audit process is usually the same as that of other audit procedures. The auditor plans the audit process, identifies and certifies the relevant controls, tests the efficiency of the operation and design of the controls, finalizes the process and reports. Internal audit managers shall report the results of the IT audit process regularly to main stakeholders such as the board of directors, executive directors, regulatory authorities, external auditors and the data processing manager. This guide helps the Internal Audit team plan and manage the IT audit process more effectively.
Evaluating IT controls is a continuous process. As technology continues to develop, business processes also develop constantly. As new weak points emerge, new threats emerge as well. When auditors develop an approach to IT control issues that is up to date and supports the business objectives, they also develop audit methods. Management manages the IT control criteria and reporting. Auditors confirm their validity and provide feedback on their value. The auditor should be in contact with management and the audit committee at all levels about issues such as reporting guarantees and the validity and effectiveness of the measures.
Controls can be classified in order to understand their objectives and their position in the overall internal control system. By understanding this classification, control analysts and auditors better understand the role and position of each control in the control framework and can answer key questions such as the following: Are the detective controls sufficient to find errors that the preventive controls may have missed? Are the corrective controls sufficient to correct the errors that are detected?
The widely applicable method of classifying IT controls is a general classification; it is not based on application.
The Importance of Information Technology Audits
- Planning and execution capabilities such as the efforts to upgrade required IT infrastructure to support new products and services.
- Development projects completed within budget and on time which create the opportunity to provide more cost-effective and better products and services when compared with competitors.
- Ability to use and allocate resources as expected.
- Consistent and continuous availability and reliability of information and IT services within the organization and for customers, business partners, and other external relations.
- The ability to clearly inform management about the key indicators of effective controls.
- The ability to quickly and effectively resolve the interruptions in IT services and protect itself against new attacks and threats.
- A culture based on safety awareness within the institution and a high level of security awareness among users.
IT Audit can be summarized as the evaluation of information systems and process controls, of the processes related to the organization’s activities, and of the coherence, effectiveness and adequacy of the internal controls established within these processes. These processes will be carried out by expert consultants appointed by UITSEC, and you will be able to contact your expert consultants 24/7 and get assistance from them with your problems.
The processes, systems, operations and control mechanisms to be included in the audit scope must be determined on the basis of the principle of materiality, with a risk-oriented view. The risk analysis carried out by UITSEC will confront you with many of the realities your company faces every day, depending on the different risk groups.
The effectiveness of controls over processes depends on the efficiency and effectiveness of the related IT General Controls. Therefore, while the compliance, effectiveness and adequacy of the controls over processes are being investigated, the qualification statuses deemed necessary are determined by UITSEC consultants, and an upgrade process may be applied where problems with appropriateness occur.