IT audit checklist
While the specific skills required for an IT audit, and the IT audit checklist itself, may differ by industry and an entity’s applications, there are a number of technology skills customarily needed for an IT audit department.
As technology continues to evolve and become more interwoven with business processes, the skills of the auditor must evolve and change as well. The following are a number of specific skills that may be required to complete an IT audit plan. These include:
IT risk assessment and planning: At most organizations, performing an IT risk assessment requires a distinct set of skills. Risk assessment is an art, not a science, and the better one’s understanding of how technology and business risks interrelate, the more on-target the risk assessment and audit plan will be. Effective IT audit planning requires knowledge of both internal auditing and technology risks.
IT governance and management: Organizations are struggling to understand all that IT governance entails, and skills in this area are evolving quickly; they include IT portfolio management, return on investment considerations, issues around IT alignment and service to the organization.
Security and privacy skills: The knowledge needed to audit and understand the security and privacy areas is complex and changing rapidly. A number of regulations impact security and privacy, including the Gramm-Leach-Bliley Act, HIPAA and Sarbanes-Oxley.
For many companies, one of the most important areas is the Payment Card Industry (PCI) credit card security standards and how personal information and data are handled and used.
Enterprise application controls – security and configuration skills: Knowledge of how IT applications function is critical. Critical programmed controls include data validation and error-checking routines, reasonableness checks around certain key processing points, logical segregation of duties, and limitations on who can initiate and view transactions. In today’s large ERP applications, these controls are a critical part of the configuration of the application.
Skills are needed around how these programmed controls and configurations interact with the manual procedures. Industry-specific application skills also are needed.
Technology infrastructure components and configurations: This area includes knowledge of critical technology infrastructure, such as networks, databases and platforms. A number of these skills relate to complex security and configuration requirements.
In addition, there are needs around specific operational aspects for the technologies, such as backup, recovery and performance issues.
IT process skills: A number of process skills are needed to audit IT processes. These include security administration in the application and technical component areas, business continuity and disaster-recovery planning, data center operations, application change management, infrastructure change management, and asset and service management.
Information strategy, data and records management: Data is becoming more and more independent of applications. Data shared between applications must be owned and managed. Data management issues surround e-discovery and records retention requirements, as well as other key legal issues.
A growing number of skills are needed to adequately address these areas at most organizations. All internal auditors should have a base-level capability related to IT risks and controls. In many cases, deeper specialties are needed in specific applications, ERP systems and other areas discussed above.
In a number of cases, organizations choose to develop an IT specialty practice within their internal audit department, given the magnitude and recurring nature of certain IT-related issues and risks.
Internal audit functions should evaluate the depth, breadth and frequency of their IT audit resource needs, and consider when and how external resources and organizations can be of assistance to achieve the best balance of people and skills.
An IT audit checklist is instrumental to an effective IT audit. While companies may have different IT audit checklists, each checklist should meet the bottom line.
An IT audit checklist is an important tool for internal auditors.