How to Plan and Use an IT Audit Checklist
An IT audit needs to cover a few essential elements in order to effectively assess and evaluate existing IT processes. Having an IT audit checklist can simplify this process and ensure that no key pieces are left out.
In this post, we’ll learn what an IT audit should encompass and what elements must be included in your checklist.
How to plan and use an IT audit checklist
IT audits are designed to ensure an organization’s IT infrastructure, systems, and procedures are aligned with recognized standards and, most importantly, the organization’s objectives.
During the initial research stage, Deloitte suggests that auditors work with IT personnel to first understand the IT environment, risks, and the resources required.
Having an understanding of the IT department’s core controls and procedures, such as ITSM change management, security, and business continuity, ensures that the auditors can actually draw the correct conclusions from their work.
During this stage, it is also crucial to define the audit scope, since not all audits cover the same areas. Some are focused on cybersecurity, while others are focused on IT governance, and yet others may focus on specific applications or processes.
With all of that in mind, auditors can then plan and execute the audit.
Here are the key checklist items to include at this stage:
- Understand the organization, its context, and its strategy
- Define the scope of the IT audit universe and the components to evaluate
- Assess the risks of the IT audit universe
- Validate the plan
Having an actual framework to use when performing the audit can also go a long way towards simplifying the audit process and ensuring that it is thorough and that it meets its objectives.
Risk factors to audit
The exact process and nature of the audit will depend on the audit scope, as mentioned. Defining that scope and the important points to cover, however, can be daunting without guidance.
ISACA is the best resource to turn to when planning an IT audit, since it develops IT frameworks that focus on governance and auditing. ITAF is its framework dedicated to IT auditing best practices.
Another useful framework is one developed by ISACA in 1996, called COBIT. The first edition of this framework focused specifically on auditing, but over the years, it has expanded into a complete IT governance framework designed to help align IT with business objectives.
When performing a complete top-down audit of IT, including risk management and IT governance systems, COBIT can be a very useful resource.
According to ISACA, COBIT’s design factors can be treated as equivalent to IT risk factors.
These factors include:
- Enterprise strategy
- Enterprise goals
- A risk profile
- I&T-related issues
- The threat landscape
- Compliance requirements
- The role of IT
- The source model for IT
- IT implementation methods
- A technology adoption strategy
- Enterprise size
The scope of the audit will naturally determine which of these factors are to be evaluated and which are to be excluded.
Components and scoring
COBIT’s latest iteration, COBIT 2019, also provides seven specific components that can be used to describe, in detail, a given goal of an audit process:
- Processes
- Organizational structures
- Principles, policies, and frameworks
- Information
- Culture, ethics, and behavior
- People, skills, and competencies
- Services, infrastructure, and applications
Each of these seven components can be further tailored to meet the specific needs of the audit and the organization.
When evaluating each component, consider employing COBIT’s process capability scale, which scores processes on a six-point scale from 0 to 5:
- 0. Lacks even basic capabilities.
- 1. Not very organized, but the process does achieve its purpose.
- 2. The process completes its basic purpose through activities characterized as “performed.”
- 3. The process is more organized and leverages organizational assets.
- 4. The process is clearly defined and measured.
- 5. The process is defined, measured, and undergoing continual improvement.
These scores should be compared to the desired outcomes that were previously defined by the organization’s IT governance system, and those results should then be compiled into a report.
Concluding the audit
Once the audit process has been completed, the results should be compiled into a report and presented to the proper stakeholders.
When auditors create this report, it is important to clearly document every aspect of their process, including:
- The audit plan, scope, and objectives
- The audit methodology
- The audit engagements and operations
- The outcomes of the audit
An audit report is the final step in the process and will provide all the information necessary to anyone unfamiliar with the process, its purpose, or its findings. Clear documentation of the process can also be used to ensure that proper audit procedures were followed and no key points were omitted.