IT audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively, and use resources efficiently. The most crucial aspect of conducting an IT audit is to clearly define the scope and objective of what will be covered by the audit. The scope describes what the organization wants to include, such as the time period and the departments. The objectives are what the organization is trying to achieve, for example compliance with legal requirements.
An audit’s primary objective is to examine key controls and ensure that:
- Systems are in place departmentally and across the organization
- Information in the systems is reliable and its integrity has not been compromised
- Compliance exists with policies, procedures, laws, and regulations.
- Assets are safeguarded and their existence is verified.
- Operations or processes are consistent with established management goals and objectives.
- Employees in the organization are enabled to successfully perform their duties and discharge their responsibilities, and pertinent information concerning their activities is being reviewed.
While deciding on the scope of the audit, care should be taken to clearly define the objective that the audit is meant to meet. For every control, one must also take into account the amount of risk if that particular activity is not executed or that particular control has been breached. The scope of an audit could be limited to compliance with company procedures, or it may extend to compliance with legal requirements. The coverage of the audit, for example the entire organization or just one department, should also be specified. If the audit is done as part of a client requirement, the client may also have a say in deciding which locations or organizational activities are to be included in the audit. In that case the scope and depth of the audit should be designed to meet the client's information security needs. If appropriate, even the auditee can be included in deciding the scope of the audit. The key is to stay within the scope decided upon and not to wander from it.
The organization also needs to ensure that the resources committed to the audit are sufficient to meet the decided scope and objective. The primary audit objectives are to review the original data and processes to determine the level of procedural compliance, to review the procedures themselves, and to produce an audit report on the accuracy of the data and the level of compliance. This is important across a range of industries, since stakeholders need to know how much they can rely on reports coming in from various processes and the level of risk in different areas of the operation. Managing the risk of audit error is also an important audit objective. Audit risk means that the auditor came to a wrong conclusion or could not detect a non-conformance. For example, if the purpose of the audit was to identify the rate of compliance with legal requirements and the auditor confirmed that compliance was found, the audit risk is the chance that this is not the case and that the auditor missed it. Other objectives of an audit are to assist management in the pursuit of return on investment, which is achieved through the economic, efficient and effective use of resources.
An audit should also be conducted by people who are not part of the process being reviewed. Hence the organization may have a separate internal audit team or get help from external auditors to conduct the audit. Either way, this needs to be planned in advance.
Defining the scope of the audit helps the organization prepare a blueprint of the desired action. Audits can be completed on time, work is allocated better, and reporting improves as well. It also gives process owners confidence about the working of the various departments, and it helps in the prevention and detection of errors. A well scoped and planned audit also provides the auditor's independent opinion about the condition of the business.