
IT auditing and controls – planning the IT audit [updated 2021]

May 20, 2021 by Kenneth Magee

An IT audit can be defined as any audit that encompasses review and evaluation of automated information processing systems, related non-automated processes and the interfaces among them. 

How to perform an IT audit

Planning an IT audit involves two major steps: gathering information and planning, and then gaining an understanding of the existing internal control structure. More and more organizations are moving to a risk-based audit approach, which assesses risk and helps an IT auditor decide whether to perform compliance testing or substantive testing.

In a risk-based approach, IT auditors rely on internal and operational controls as well as their knowledge of the company or the business. This type of risk assessment decision can help relate the cost and benefit analysis of the control to the known risk. In the “gathering information” step the IT auditor needs to identify five items:

  • Knowledge of business and industry
  • Prior year’s audit results
  • Recent financial information
  • Regulatory statutes
  • Inherent risk assessments

As a side note, “inherent risk” is defined as the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls. As an example, complex database updates are more likely to be miswritten than simple ones, and thumb drives are more likely to be stolen (misappropriated) than blade servers in a server cabinet. Inherent risks exist independent of the audit and can occur because of the nature of the business.

In the “gain an understanding of the existing internal control structure” step, the IT auditor needs to identify five other areas and items:

  • Control environment
  • Control procedures
  • Detection risk assessment
  • Control risk assessment
  • Equate total risk

Once the IT auditor has “gathered information” and “understands the control,” they are ready to begin the planning, or selection of areas, to be audited. Remember, one of the key pieces of information that you will need in the initial steps is a current business impact analysis (BIA), to assist you in selecting the application which supports the most critical or sensitive business functions.

Objectives of an IT audit

Most often, IT audit objectives concentrate on substantiating that the internal controls exist and are functioning as expected to minimize business risk. These audit objectives include assuring compliance with legal and regulatory requirements, as well as the confidentiality, integrity and availability (CIA; no, not the federal agency, but the information security triad) of information systems and data.

IT audit strategies

There are two areas to talk about here: the first is whether to do compliance or substantive testing, and the second is “how do I go about getting the evidence to allow me to audit the application and make my report to management?”

So what is the difference between compliance and substantive testing? Compliance testing is gathering evidence to test whether an organization is following its control procedures. On the other hand, substantive testing is gathering evidence to evaluate the integrity of individual data and other information.

Compliance testing of controls can be described with the following example. An organization has a control procedure that states that all application changes must go through change control. As an IT auditor, you might take the current running configuration of a router as well as a copy of the -1 generation of the configuration file for the same router, run a file compare to see what the differences were, and then take those differences and look for supporting change control documentation.

Don’t be surprised to find that network admins, when they are simply re-sequencing rules, forget to put the change through change control. For substantive testing, let’s say an organization has a policy or procedure concerning backup tapes at the offsite storage location which includes three generations (grandfather, father and son). An IT auditor would do a physical inventory of the tapes at the offsite storage location and compare that inventory to the organization’s inventory, as well as looking to ensure that all three generations were present.
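The router compliance test described above, as an added worked example that is not from the original article: it diffs the -1 generation and current configuration, then ties each difference back to a change-control register. The configuration snapshots and the ticket register (ticket ids such as CHG-1042) are constructed sample data, and a rule that appears on both sides of the diff is reported as re-sequenced rather than as a new rule.

```python
import difflib
from typing import Dict, List, Tuple

# Constructed sample: the -1 generation and the current running configuration
# of the same router, as an auditor would pull them from the config archive.
PREVIOUS_CONFIG = """\
hostname edge-rtr-1
access-list 101 permit tcp any host 10.0.0.5 eq 443
access-list 101 permit tcp any host 10.0.0.5 eq 22
access-list 101 deny ip any any
ntp server 10.0.0.2
"""
CURRENT_CONFIG = """\
hostname edge-rtr-1
access-list 101 permit tcp any host 10.0.0.5 eq 22
access-list 101 permit tcp any host 10.0.0.5 eq 443
access-list 101 permit tcp any host 10.0.0.9 eq 3389
access-list 101 deny ip any any
ntp server 10.0.0.2
"""
# Constructed change-control register (hypothetical ticket ids):
# ticket id -> configuration lines that the ticket approved.
CHANGE_TICKETS: Dict[str, List[str]] = {
    "CHG-1042": ["access-list 101 permit tcp any host 10.0.0.9 eq 3389"],
}


def config_diff(previous: str, current: str) -> List[str]:
    """The 'file compare' step: return the +/- lines between the two generations."""
    lines = difflib.unified_diff(previous.splitlines(), current.splitlines(),
                                 lineterm="", n=0)
    return [l for l in lines
            if l[:1] in ("+", "-") and not l.startswith(("+++", "---"))]


def reconcile(diff: List[str], tickets: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Tie each difference back to change-control evidence.

    Returns (kind, line, evidence): kind is 'added', 'removed' or 'moved'
    (present on both sides, i.e. the rules were re-sequenced); evidence is the
    approving ticket id or 'NO CHANGE RECORD', which becomes an audit finding.
    """
    approved = {line: tid for tid, lines in tickets.items() for line in lines}
    added = {l[1:] for l in diff if l.startswith("+")}
    removed = {l[1:] for l in diff if l.startswith("-")}
    findings = []
    for line in sorted(added | removed):
        kind = ("moved" if line in added and line in removed
                else "added" if line in added else "removed")
        findings.append((kind, line, approved.get(line, "NO CHANGE RECORD")))
    return findings
```

With the sample data, the new RDP rule reconciles to CHG-1042, while the swapped SSH/HTTPS rules surface as a re-sequencing with no change record, exactly the kind of finding the text warns about.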

The second area deals with “how do I go about getting the evidence to allow me to audit the application and make my report to management?” It should come as no surprise that you need the following:

  • Review IT organizational structure
  • Review IT policies and procedures
  • Review IT standards
  • Review IT documentation
  • Review the organization’s BIA
  • Interview the appropriate personnel
  • Observe the processes and employee performance
  • Examination, which by necessity incorporates the testing of controls and therefore includes the results of those tests

As an additional comment on gathering evidence, observing what an individual actually does versus what they are supposed to do can provide the IT auditor with valuable evidence about control implementation and the user’s understanding of it. Performing a walk-through can give valuable insight into how a particular function is being performed.

Application vs. general controls

General controls apply to all areas of the organization including the IT infrastructure and support services. Some examples of general controls are:

  • Internal accounting controls
  • Operational controls
  • Administrative controls
  • Organizational security policies and procedures
  • Overall policies for the design and use of adequate documents and records
  • Procedures and practices to ensure adequate safeguards over access
  • Physical and logical security policies for all data centers and IT resources

Application controls refer to the transactions and data relating to each computer-based application system; therefore, they are specific to each application. The objectives of application controls are to ensure the completeness and accuracy of the records and the validity of the entries made to them. Application controls are controls over IPO (input, processing and output) functions, and include methods for ensuring the following:

  • Only complete, accurate and valid data are entered and updated in an application system
  • Processing accomplishes the designed and correct task
  • The processing results meet expectations
  • Data is maintained

As an IT auditor, your tasks when performing an application control audit should include:

  • Identifying the significant application components, the flow of transactions through the application (system) and gaining a detailed understanding of the application by reviewing all available documentation and interviewing the appropriate personnel (such as system owner, data owner, data custodian and system administrator)
  • Identifying the application control strengths and evaluating the impact, if any, of weaknesses you find in the application controls
  • Developing a testing strategy
  • Testing the controls to ensure their functionality and effectiveness
  • Evaluating your test results and any other audit evidence to determine if the control objectives were achieved
  • Evaluating the application against management’s objectives for the system to ensure efficiency and effectiveness

IT audit control reviews

After gathering all the evidence the IT auditor will review it to determine if the operations audited are well controlled and effective. Now, this is where your subjective judgment and experience come into play. For example, you might find a weakness in one area which is compensated for by a very strong control in another adjacent area. It is your responsibility as an IT auditor to report both of these findings in your audit report.

The audit deliverable

So what’s included in the audit documentation and what does the IT auditor need to do once their audit is finished? Here’s the laundry list of what should be included in your audit documentation:

  • Planning and preparation of the audit scope and objectives
  • Description or walkthroughs on the scoped audit area
  • Audit program
  • Audit steps performed and audit evidence gathered
  • Whether services of other auditors and experts were used and their contributions
  • Audit findings, conclusions and recommendations
  • Audit documentation relation with document identification and dates (your cross-reference of evidence to audit step)
  • A copy of the report issued as a result of the audit work
  • Evidence of audit supervisory review

When you communicate the audit results to the organization it will typically be done at an exit interview where you will have the opportunity to discuss with management any findings and recommendations. You need to be certain of the following: 

  • The facts presented in the report are correct
  • The recommendations are realistic and cost-effective, or alternatives have been negotiated with the organization’s management
  • The recommended implementation dates will be agreed to for the recommendations you have in your report

Your presentation at this exit interview will include a high-level executive summary. 

Your audit report should be structured so that it includes:

  • An introduction (executive summary)
  • Findings in a separate section, grouped by the intended recipient
  • Your overall conclusion and opinion on the adequacy of controls examined and any identified potential risks
  • Any reservations or qualifications concerning the audit
  • Detailed findings and recommendations

Finally, there are a few other considerations that you need to be cognizant of when preparing and presenting your final report. Who is the audience? If the report is going to the audit committee, they may not need to see the minutiae that go into the local business unit report. You will need to identify the organizational, professional and governmental criteria applied, such as the GAO Yellow Book, CobiT or NIST SP 800-53. Your report should be timely to encourage prompt corrective action.

And as a final parting comment: if, during an IT audit, you come across a materially significant finding, it should be communicated to management immediately, not at the end of the audit.

Kenneth Magee

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.