Orientation in IT Audit
- 2. INTRODUCTION
When most people hear the word “audit,” their first reflex is to cringe. Usually,
it means having some outside team come in to review everything and tell them
what they’re doing wrong in technical terms.
An IT audit is:
- The examination and evaluation of an organization’s information technology
infrastructure, policies and operations.
- Information technology audits determine whether IT controls protect
corporate assets, ensure data integrity and are aligned with the business’s
overall goals.
- IT auditors examine not only physical security controls, but also overall
business and financial controls that involve information technology systems.
- 3. What is IT Audit?
An information technology audit, or information systems audit, is an examination
of the management controls within an Information technology (IT) infrastructure.
The evaluation of obtained evidence determines if the information systems are
safeguarding assets, maintaining data integrity, and operating effectively to achieve
the organization's goals or objectives. These reviews may be performed in
conjunction with a financial statement audit, internal audit, or other form of
attestation engagement.
First, it’s important to define exactly what an IT audit is. Simply put, it’s the process of
collecting and evaluating evidence about an organization’s information systems, practices and
operations. In this process, an IT auditor looks not only at the physical controls but also at the
business and financial controls within a company.
The audit takes place to ensure that a business is compliant with legislation and that its
data and records are secure. The IT audit is only an assessment; it provides
recommendations to fix any gaps or challenges it finds.
- 4. What is an IT Auditor?
While an IT auditor may have various responsibilities, their main job is to lead
projects that improve internal processes and performance. They report problems
related to IT systems, analyze data and strengthen internal controls. Much of their
work time is spent collecting and reviewing data from databases, software
programs and information management systems.
An IT auditor may work in a variety of industries, with the most common being
technology, finance, healthcare and education.
- 6. IT Auditor Skills
• The skills you need as an IT auditor will vary depending on your specific role and
industry, but there’s a general set of skills that all IT auditors need to be successful.
Some of the most commonly sought skills for IT auditor candidates include:
• IT security and infrastructure
• Internal audit
• IT risk
• Data analysis
• Data analysis and visualization tools (ACL, MS Excel, SAS, Tableau)
• Security risk management
• Security testing and auditing
• Computer security
• Internal auditing standards including SOX, MAR, COSO and COBIT
• Analytical and critical thinking skills
• Communication skills
- 7. IT Auditor Job Requirements
• Entry-level IT auditor positions require at least a bachelor’s degree in computer
science, management information systems, accounting or finance.
• You’ll want a strong background in IT or IS and experience in public accounting
or internal auditing.
• The job requires a strong set of technical skills, with a strong emphasis on security
skills, but you’ll also need soft skills like communication.
• You’ll be responsible for not only identifying issues during an IT audit but also
explaining to leaders outside of IT what is wrong and what needs to change.
• Analytical and critical thinking skills are also crucial, as you’ll need to evaluate
data to find trends and patterns to identify IT security and infrastructure issues.
- 8. What is the purpose of an IT Audit ?
• The purposes of an IT audit are to evaluate the system's internal control design and effectiveness.
This includes, but is not limited to, efficiency and security protocols, development processes, and
IT governance or oversight. Installing controls is necessary but not sufficient to provide adequate
security. People responsible for security must consider whether the controls are installed as intended,
whether they are effective, whether any breach in security has occurred and, if so, what actions can be
taken to prevent future breaches. These inquiries must be answered by independent and unbiased
observers. These observers are performing the task of information systems auditing. In an Information
Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs,
and processing.
• The primary functions of an IT audit are to evaluate the systems that are in place to guard an
organization's information. Specifically, information technology audits are used to evaluate the
organization's ability to protect its information assets and to properly dispense information to
authorized parties. The IT audit aims to evaluate the following:
• Will the organization's computer systems be available for the business at all times when required?
(known as availability)
• Will the information in the systems be disclosed only to authorized users? (known as security and
confidentiality)
• Will the information provided by the system always be accurate, reliable, and timely? (measures
the integrity)
- 9. IT Auditor Certifications
• ISO 27001:2013, ISMS
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified Internal Auditor (CIA)
- 10. What is ISO 27001:2013
• Technological position audit
• Systems and Applications Audit
• Information Processing Audit
• Systems Development Audit
• Management of IT and Enterprise Architecture Audit
• Client/Server, Intranets, and Extranets Audit
• Information System Audit or Information Technology Audit (IT Audit)
• Compliance Audit
• Operational Audit
• Special Audit
• Integrated Audit
• Agreed Upon Procedures (AUP) Audit
- 11. ISO/IEC 27001, 27017 & 27018 - Information Security Management System (ISMS)
Increasing data breaches are a concern for most organizations. Technologies
are constantly changing, so we need to keep pace with the environment
and adopt a process of change that enables the use of these new technologies in a
safe manner.
Implementing an ISMS standard such as ISO/IEC 27001:2013 is one way to
ensure that an organization follows a defined process for its information systems and
provides assurance to its vendors and third parties that its systems and data
are appropriately protected.
ISMS certification attests that the organization protects the Confidentiality, Integrity and
Availability (CIA) of its information by following an internationally recognized
process to manage its customers' information.
ISO 27017 demonstrates a Cloud Service Provider's (CSP's) controls over
its cloud services. ISO 27018 covers personally identifiable information (PII) in the
cloud.
- 12. Why ISMS
• Assures your customers about your organization's standards in managing their
data.
• The organization follows an established ISO process that can reduce the
likelihood of a security breach.
• Third parties and vendors accept an ISO 27001 (ISMS) certificate as part of their
vendor due diligence process.
• Add-ons such as ISO 27017 or ISO 27018 provide additional assurance for CSPs.
- 13. NEWS COVERAGE
In the world of cybersecurity, the position of IT auditor has become very
significant and is a growing occupation, with thousands of job openings
now available in the U.S. This growth has been fueled by new
regulations and compliance requirements such as Sarbanes-Oxley.
https://resources.infosecinstitute.com/category/cybersecurity-careers/how-to-become-an-it-auditor/what-does-an-it-auditor-do/#gref
- 14. Conclusion
• The career of IT auditor has a bright future, as almost every enterprise has the
need to improve its controls and remain in compliance. I hope this
walkthrough of the requirements and responsibilities of an IT auditor will
help you to decide whether you’d like to pursue this course of study.
My Investment (certification: duration, study hours, cost) and My Income (audit fee, audits per year):
• ISO 27001:2013: 7 days, 60 hours, 90 K; 75K per audit, 6 audits per year
• CISA: 8 days, 70 hours, 150 K; 85K per audit, 6 audits per year
• CISSP: 8 days, 70 hours, 150 K; 95K per audit, 6 audits per year
- 17. WHY TO AUDIT
• Companies often learn of a weakness only after an attack
• Are clients/customers safe to invest?
- Invest data
- Invest information
- Invest money
- Invest career, and so on
• Are promoters and shareholders safe?
• What will the loss value be?
• When will you recover?
• What sort of disaster might you face?
- 20. PURPOSE
• The purposes of an IT audit are to evaluate the system's internal control
design and effectiveness.
• This includes, but is not limited to, efficiency and security protocols,
development processes, and IT governance or oversight.
- 21. Number of Data Storage Sector
Finance: 22
Microfinance: 91
Commercial Bank: 27
Development Bank: 24
Co-operative: 2,800
[Chart: "Number of Data Storage Sector"; y-axis "Data" (0 to 90,000); categories: Small Office, Corporate, Finance, Bank, IT Companies]
- 22. STATEMENT OF PROBLEM
• Many organizations are spending large amounts of money on IT because
they recognize the tremendous benefits that IT can bring to their
operations and services. However, they need to ensure that their IT
systems are reliable, secure and not vulnerable to computer attacks.
• Introduction of new threats and attacks: are you updated?
• Assurance that IT systems are adequately protected
• Limited knowledge of IT
• Not giving importance to data
• Continuous loss of data and hacking
- 24. SOLUTION
• Give assurance that IT systems are adequately protected.
• Provide reliable information to users, and ensure systems are properly managed to achieve their
intended benefits.
• Reduce the risk of data tampering
• Reduce data loss or leakage
• Reduce service disruption
• Provide proper management of IT systems
- 25. MOTIVATION
Different kinds of cyber attacks most commonly occur in Nepal. Those
cyber attacks are listed below:
• Attacks on social media
• Piracy
• Identity theft
• Unauthorized access
• Website hacking
- 26. CASE STUDY
1. Pune Citibank MphasiS Call Center Fraud
Some ex-employees of MsourcE, the BPO arm of MphasiS Ltd, defrauded US
customers of Citibank to the tune of Rs 1.5 crore, which raised concerns of
many kinds, including about the role of "Data Protection".
The crime was obviously committed using "Unauthorized Access" to the
"Electronic Account Space" of the customers. It is therefore firmly within the
domain of "Cyber Crimes".
2. SONY.SAMBANDH.COM CASE
India saw its first cyber crime conviction recently. It all began after a complaint
was filed by Sony India Private Ltd, which runs a website called
www.sony-sambandh.com.
- 27. 3. The Bank NSP Case
The Bank NSP case is one where a management trainee of the bank was
engaged to be married. The couple exchanged many emails using the
company computers. After some time the two broke up, and the girl created
fraudulent email IDs such as "indianbarassociations" and sent emails to the
boy's foreign clients. She used the bank's computer to do this. The boy's
company lost a large number of clients and took the bank to court. The bank
was held liable for the emails sent using the bank's system.
- 30. IT Audit Process
• The basic steps in performing the Information Technology Audit Process are
provided below.
- 32. METHODOLOGY
• Quantitative Research Methodology has been used in this research. The
research theory of this paper has been to construct knowledge and
meaning from the researchers' experience, that is, Constructivism, which has
direct application to education. The research theory indicates technological
Constructivism.
• Primary data were collected by means of an online survey, questionnaire and
interviews in which professionals from different areas of ICT were chosen,
which helped to study the current situation in Nepal. Secondary data were
collected from several comparative studies of different research papers,
journals, websites and newspapers, which helped to gather information at the
international level.
- 33. RESULT & DISCUSSION
A survey was conducted to support this research, and different charts are
presented for further clarification. There were 108 qualifying respondents, as
shown in Fig.
- 34. RESULT & DISCUSSION
Shows that attacks from 2007 to 2014 have been growing steadily, with a prominent
probability of attacks on any of the components of a security audit mentioned in Fig.
- 35. Depicts the different types of attacks or vulnerabilities experienced by ICT
users from different fields from 2007 to 2014, as in Fig.
- 36. Depicts IS Audit awareness in Nepal at 83.58%, which looks promising, as
beginning IS Audit practice would not be a very difficult job.
- 37. CONCLUSION
Information Security is an increasingly important part of our life today, and the
degree of interconnectivity of networks implies that anything and everything can be
exposed, and everything from national critical infrastructure to our basic human rights
can be compromised. Governments are therefore urged to consider policies that support
continued growth in technology sophistication, access and security, and, as a crucial
first step, to adopt a national cyber security strategy.
Risk assessment and security audits must be conducted regularly to minimize and
mitigate risks. Local law and local and international standards and policy must be
followed while preparing the ICT security policies of an organization. An audit is a
must for data security assurance. This research has proposed an audit model for IS
Audit, which is highly recommended for any IS audit and for minimizing security
vulnerabilities.