What should auditors look for in an IT department?
The short answer is there is no short answer. But as a one-word answer, “standards” will do.
Auditors should ask the fundamental question: “Are there documented policies and procedures based on generally accepted IT ‘best’ or leading practices for managing and monitoring the department?” Having clearly defined processes based on widely accepted principles for IT is, or should be, a goal for all IT departments.
In recent years, the need to manage quality, security, and performance of IT has become even more important as organizations are required to respond to an ever-increasing number of regulatory requirements for privacy, fiduciary control, and other concerns. While IT’s mission is to support the organization, a disconnect between IT and the business thinking can lead to differing opinions about how to achieve compliance goals.
Adherence to standards helps resolve potential conflicts. Various capability/maturity models and other frameworks outline what IT needs to do to run efficient operations while maintaining control. Basing IT processes on such accepted standards is essential to ensure that the organizational IT resources are aligned with business objectives.
In large IT shops run by and for major organizations, frameworks such as Control Objectives for Information Technology (CobiT) from ISACA and models such as the Capability Maturity Model Integration (CMMI) from the Software Engineering Institute (SEI) at Carnegie Mellon, along with even more specific requirements such as the HIPAA or Payment Card Industry data security standards, provide the foundation for departmental standards and procedures. When such department rules are documented online or on paper, often in an IT procedures manual, they are key evidence in an audit review.
In smaller IT environments, assessing standards and procedures can be considerably harder (which is not to say it is easy in a large organization). When a relatively small number of staff runs IT systems, processes and procedures typically are informal arrangements. They are unlikely to be documented clearly, and many may exist only in the heads of IT workers. As a result, the quality of the department is highly dependent on staff skills.
Auditors and IT management should both be aware of common gaps in control processes. In a small environment, whether it’s a standalone department or a server room in a larger organization, segregation of duties controls are typically lacking because there aren’t enough workers to divide responsibilities appropriately. This represents a risk to the organization for several reasons. Unrestricted access to sensitive data and systems may invite fraud. More benignly, perhaps, undocumented processes that are known by only a couple of people are a risk to the going concern. When workers leave, their undocumented knowledge goes with them, which makes it hard to train someone new.
Auditors should ask what kinds of standards and guidance are used to run the department. If there is a full-blown policy and guidance document, the next steps might be relatively straightforward—although they will still require time and effort.
Management should be prepared to provide copies of standards, policies, procedures, and other guidelines to auditors. Auditors should review the guidance issue dates (to see whether they are kept current) and the completeness of contents (to understand whether the basics for all areas are covered, including development and acquisition, service delivery, information security, operating systems, local and wide area networks, and monitoring). The auditor should then design an audit program around the procedures provided (to see whether they are actually being followed).
It’s important that an audit both review the information provided and see how people work. Many auditors have found that stated work steps and what workers really do are two entirely different things.
For auditors unfamiliar with IT environments, CobiT is a useful reference. Published by the Information Systems Audit and Control Association (ISACA), CobiT is widely used as a framework for IT assessments, since it describes domains and processes for IT operations and monitoring. To support leading practices in IT management and auditing, ISACA also offers an IT-auditor certification, Certified Information Systems Auditor (CISA). Other CobiT resources include a library of supporting documents, including mappings of CobiT to other popular IT frameworks, and a vast member community that offers education and support for both auditors and auditees. Note that some of these materials are available only to ISACA members.
The Information Technology Infrastructure Library (ITIL), published by the United Kingdom Office of Government Commerce (OGC), is another example of guidance that is becoming more widely used. The nine-volume set details best practices for IT service management, including a recent volume dedicated to small-scale implementations. Although there are ITIL-based certification programs, the OGC offers no audit certification comparable to CISA.
These two resources provide a foundation of information for evaluating well-organized and well-documented programs. However, when it comes to judgments about the quality of the IT department, whether fully documented or informally controlled, auditors who are truly unfamiliar with information technology should seek assistance from more technically knowledgeable colleagues.
In all cases, active and intelligent exploration must help shape and define the audit process. The question of “What should auditors look for in an IT department?” cannot be answered with a list. Even best practices have exceptions. Some informal procedures, for example, produce evidence that an auditor can review to confirm control existence and effectiveness. By contrast, detailed documentation can be deceptive, since policies and documents are often drafted on principle and ignored in practice.
There is an unfortunate tendency for auditors who don’t have in-depth knowledge of IT to think that an audit program and a control checklist are all a company needs to perform credible reviews. Unfortunately, IT auditing isn’t that simple. IT has a language all its own. If you’re unfamiliar with the territory, it’s all too easy to be misled, to misinterpret, to omit important follow-up questions, or to fail to recognize that the answers you’re getting just don’t make sense.
The term “standards” is used somewhat loosely in this context to indicate governing principles that allow for quality IT delivery and support. True standards are requirements, while the use of maturity models and IT frameworks is optional.
ITIL Managing IT Services (IT Infrastructure Library) (2001). Office of Government Commerce (OGC). Service Delivery: Capacity Management, Availability Management, Service Level Management, IT Service Continuity, Financial Management for IT Services and Customer Relationship Management.
COSO Enterprise Risk Management: Integrated Framework (2004). Committee of Sponsoring Organizations of the Treadway Commission (COSO; authored by PricewaterhouseCoopers).
Xenia Ley Parker, CIA, CISA, CFSA, is a Certified Internal Auditor (Institute of Internal Auditors), Certified Information Systems Auditor, and Certified Financial Services Auditor with more than 24 years of experience in IT and auditing. Parker is Senior Director of internal audit, and global head of IT audit, for a major risk management firm. She was President of XLP Associates for 4 years, and previously was with Coopers & Lybrand for 14 years and Ernst & Young for three. Her clients were in a wide range of industries, particularly financial services. Prior to that, she was with CBS Inc. She has written numerous monographs; the technology aspects of the original COSO study; and was co-author of all editions of The Handbook of IT Auditing. Currently, she is the author of Information Technology Audits, published annually by CCH, with the 5th edition in June, 2007. She was adjunct Assistant Professor of Information Systems at New York University, is a frequent speaker at audit conferences, and was a Senior Consultant for MIS Training Institute.
All views expressed in this article are those of the author and should not be considered to represent the views of any other individual, entity, or organization. They are provided with the understanding that the author is not engaged in rendering legal, accounting or other professional services. If such assistance is required, the services of a competent professional should be sought.
This article originally appeared at itcinstitute.com. Copyright 2008, 1105 Media Inc. Reprinted with permission.