IT audits are designed to ensure an organization\u2019s IT infrastructure, systems, and procedures are aligned with recognized standards and, most importantly, the organization\u2019s objectives. <\/p>\n\n\n\n
Planning<\/strong><\/h3>\n\n\n\nDuring the initial research stage, Deloitte<\/a> suggests that auditors work with IT personnel to first understand the IT environment, risks, and the resources required.<\/p>\n\n\n\nHaving an understanding of the IT department\u2019s core controls and procedures, such as ITSM<\/a> change management, security, and business continuity<\/a> will ensure that the auditors can actually draw the correct conclusions from their work.<\/p>\n\n\n\nDuring this stage, it is also crucial to define the audit scope, since not all audits cover the same areas. Some are focused on cybersecurity<\/a>, while others are focused on IT governance, and yet others may focus on specific applications or processes.<\/p>\n\n\n\nWith all of that in mind, auditors can then plan and execute the audit.<\/p>\n\n\n\n
Here are the key checklist items to include at this stage:<\/p>\n\n\n\n
- Understand the organization, its context, and its strategy<\/strong><\/li>
- Define the scope of the IT audit universe and the components to evaluate<\/strong><\/li>
- Assess the risks of the IT audit universe<\/strong><\/li>
- Validate the plan<\/strong><\/li><\/ul>\n\n\n\n
Having an actual framework to use when performing the audit can also go a long way towards simplifying the audit process and ensuring that it is thorough and that it meets its objectives.<\/p>\n\n\n\n
Risk factors to audit<\/strong><\/h3>\n\n\n\nThe exact process and nature of the audit will depend on the audit scope, as mentioned. Defining that scope and the important points to cover, however, can be daunting without guidance. <\/p>\n\n\n\n
ISACA<\/a> is the best resource to turn to when planning an IT audit since they develop IT frameworks that focus on governance and auditing. ITAF <\/a>is their framework that focuses on IT auditing best practices.<\/p>\n\n\n\nAnother useful framework is one developed by ISACA in 1996, called C<\/a>O<\/a>BIT<\/a>. The first edition of this framework focused specifically on auditing, but over the years, it has expanded into a complete IT governance framework<\/a> designed to help align IT with business objectives. <\/p>\n\n\n\nWhen performing a complete top-down audit of IT, including risk management<\/a> and IT governance systems, COBIT can be a very useful resource.<\/p>\n\n\n\nAccording to ISACA, COBIT design factors can be used synonymously with IT risk factors.<\/p>\n\n\n\n
These factors include:<\/p>\n\n\n\n
- Enterprise strategy<\/strong><\/li>
- Enterprise goals<\/strong><\/li>
- A risk profile<\/strong><\/li>
- I&T-related issues<\/strong><\/li>
- The threat landscape<\/strong><\/li>
- Compliance requirements<\/strong><\/li>
- The role of IT<\/strong><\/li>
- The source model for IT<\/strong><\/li>
- IT implementation methods<\/strong><\/li>
- A technology adoption strategy<\/strong><\/li>
- Enterprise size<\/strong><\/li><\/ul>\n\n\n\n
The scope of the audit will naturally determine which of these factors are to be evaluated and which are to be excluded.<\/p>\n\n\n\n
Components and scoring<\/strong><\/h3>\n\n\n\nCOBIT\u2019s latest iteration, COBIT 2019, also provides seven specific components that can be used to describe, in detail, a given goal of an audit process.<\/p>\n\n\n\n
These include:<\/p>\n\n\n\n
- Processes<\/strong><\/li>
- Organizational structures<\/strong><\/li>
- Principles, policies, and frameworks<\/strong><\/li>
- Information<\/strong><\/li>
- Culture, ethics, and behavior<\/strong><\/li>
- People, skills, and competencies<\/strong><\/li>
- Services, infrastructure, and applications<\/strong><\/li><\/ul>\n\n\n\n
Each of these seven components can be further tailored to meet the specific needs of the audit and the organization.<\/p>\n\n\n\n
When evaluating each component, consider employing COBIT\u2019s process maturity scale<\/a>, which scores processes on a six-point scale:<\/p>\n\n\n\n
Having an understanding of the IT department\u2019s core controls and procedures, such as ITSM<\/a> change management, security, and business continuity<\/a> will ensure that the auditors can actually draw the correct conclusions from their work.<\/p>\n\n\n\n During this stage, it is also crucial to define the audit scope, since not all audits cover the same areas. Some are focused on cybersecurity<\/a>, while others are focused on IT governance, and yet others may focus on specific applications or processes.<\/p>\n\n\n\n With all of that in mind, auditors can then plan and execute the audit.<\/p>\n\n\n\n Here are the key checklist items to include at this stage:<\/p>\n\n\n\n Having an actual framework to use when performing the audit can also go a long way towards simplifying the audit process and ensuring that it is thorough and that it meets its objectives.<\/p>\n\n\n\n The exact process and nature of the audit will depend on the audit scope, as mentioned. Defining that scope and the important points to cover, however, can be daunting without guidance. <\/p>\n\n\n\n ISACA<\/a> is the best resource to turn to when planning an IT audit since they develop IT frameworks that focus on governance and auditing. ITAF <\/a>is their framework that focuses on IT auditing best practices.<\/p>\n\n\n\n Another useful framework is one developed by ISACA in 1996, called C<\/a>O<\/a>BIT<\/a>. The first edition of this framework focused specifically on auditing, but over the years, it has expanded into a complete IT governance framework<\/a> designed to help align IT with business objectives. <\/p>\n\n\n\n When performing a complete top-down audit of IT, including risk management<\/a> and IT governance systems, COBIT can be a very useful resource.<\/p>\n\n\n\n According to ISACA, COBIT design factors can be used synonymously with IT risk factors.<\/p>\n\n\n\n These factors include:<\/p>\n\n\n\n The scope of the audit will naturally determine which of these factors are to be evaluated and which are to be excluded.<\/p>\n\n\n\n COBIT\u2019s latest iteration, COBIT 2019, also provides seven specific components that can be used to describe, in detail, a given goal of an audit process.<\/p>\n\n\n\n These include:<\/p>\n\n\n\n Each of these seven components can be further tailored to meet the specific needs of the audit and the organization.<\/p>\n\n\n\n When evaluating each component, consider employing COBIT\u2019s process maturity scale<\/a>, which scores processes on a six-point scale:<\/p>\n\n\n\nRisk factors to audit<\/strong><\/h3>\n\n\n\n
Components and scoring<\/strong><\/h3>\n\n\n\n
![](\"https:\/\/www.walkme.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/04\/Change-Management-A-min_8643bf07.png\"\/)
<\/a>\n","protected":false},"excerpt":{"rendered":"An IT audit needs to cover a few essential elements in order to effectively assess and evaluate existing IT processes.