The IT Audit Process: A General Rundown
Information technology (IT) is revolutionizing the way businesses operate.
An upstream oil and gas company can use equipment sensors, machine-to-machine systems, edge computing, machine learning, and data analysis to predict machinery downtimes. Consequently, it can shift from a preventive maintenance approach to the more cost-efficient predictive maintenance strategy.
A manufacturing company can also use enterprise resource planning (ERP) software. This will make actionable data centrally available in real time, minimize redundant and duplicated data entry procedures, and automate processes like shop floor scheduling and parts procurement.
For all its benefits, IT also carries risks — thus, the need for an IT audit.
Table of Contents
What Is an IT Audit?
An IT audit systematically analyzes and evaluates a company’s information technology systems, technology infrastructure, and IT-related practices to identify key technology risks and, more importantly, what they can do to prevent them or mitigate their effects.
IT audit services can include:
- A comprehensive assessment of IT risks
- A review of the company’s policies and standard operating procedures for handling, processing, and managing information
- An audit of information technology systems, processes, and controls
- An audit of a specific software or system (say, ERP)
- A review of the company’s regulatory compliance
What Happens in an IT Audit?
In an IT audit, your technology consultants will clarify or identify your IT risk management objectives, establish audit scope, identify your core business process, and discover your IT touch points. Then it will do the following tasks.
1. Identify and Classify Risk Events
At this point, your IT audit team will identify the IT risks or risk events that fall within the scope of the audit. A risk is anything related to your software, systems, technology infrastructure, and processes that can threaten your operations, service availability, data, and critical systems.
Once they have recognized and identified the risks, they will compile them in a risk register. They will also classify them according to initial risk scenarios. Initial risk scenarios or categories include but are not limited to data loss and corruption risks, IT operations risks, personnel risks, project risks, and compliance risks.
2. Assess Risk Severity
Your IT risk consultants will now assess the risks for severity. This is a two-fold process that entails rating a threat according to the likelihood of it happening and its potential impact.
Before they can assign likelihood and impact ratings, your IT audit consultants will need your input to define your likelihood and impact scales or values.
Specifically, you’ll have to establish the frequency at which a risk is likely to occur. For instance:
- Hardly likely: may occur one time in one year
- Slightly likely: may occur less than three times in a year
- Likely: may happen three to five times in a year
- Highly likely: may occur six to 11 times in a year
- Very likely: can happen 12 times or more in one year
Additionally, you also have to assign values to impact levels. Doing this may be more difficult than articulating the likelihood of risk events since there can be multiple ways to measure impact. For instance, a risk event’s effect may be assessed against its dollar cost, project or program timeline delays, and operational or service interruption scope.
To illustrate, risk impact can be:
- Insignificant impact: will lose you $2,000, delay a project for a week, or cause a 10-minute service downtime for a non-critical user
- Low impact: will cost you $5,000, a one-month delay to a project, or a three-hour service downtime for one department
- Medium impact: will cost $15,000, a three-month project delay, and a five-hour service downtime for a department
- High impact: losses equivalent to $40,000, a half-year project delay, and a one-day service downtime for the whole company
- Acute impact: monetary losses amounting to $80,000, a project delay of one year, and the entire organization being incapacitated for at least two days
Note that impact levels vary from company to company since organizations have subjective definitions of what type of monetary losses, delays, and downtimes constitute low, medium, or high impact.
After establishing the criteria for rating risk events’ likelihood and potential impact, your IT audit consultants will rate your IT risks according to severity, which is an index of their likelihood of occurring and their degree of potential impact. A highly likely risk that comes with acute potential impact is a very high severity risk. In contrast, an insignificant-impact risk that may happen once a year merits a negligible risk severity rating.
3. Rank Risks
After assigning severity values to every IT risk, your IT audit consultants will rank your risks according to importance.
An acute-impact risk can cost you hundreds of thousands of dollars, halt company operations for days or lead to program delays of a year or longer. Additionally, if this acute-impact risk is rated very likely to happen, the existence of this risk means you are almost guaranteed to suffer losses.
Therefore, it’s crucial to rank risks according to your risk severity assessment result. Very likely, acute-impact risks (very high severity risks) should come on top, while hardly likely, insignificant-impact risks (negligible severity risks) can go to the bottom of the list.
4. Analyze IT Risks
For every risk, beginning from the risk with the highest severity score, your IT risk auditors will identify the variables, factors, or circumstances that can:
- Trigger the risk
- Prevent it
- Weaken its impact
5. Create a Risk Prevention or Risk Impact Mitigation Plan
After the risk analysis step, your technology consultants can finally put together a risk prevention or mitigation plan. Since the previous step revealed the factors that can lead to the identified risks, their plan will incorporate measures to blunt their impact and, ideally, prevent these risks.
To illustrate, suppose the risk is confidential data theft; this can lead to financial damages caused by the loss of the company’s competitive advantage. Two of the contributing factors identified are the universal accessibility of confidential information and the fact that camera-equipped mobile phones are allowed everywhere the proprietary information may be accessed.
In this case, your IT risk prevention consultants may recommend creating tiered access levels, with only a particular level granted access to the critical company data. Access may also be limited to a specific place in the company. In this restricted-access area, cameras will not be allowed, and every room entry and data access will be monitored, tracked, and logged.
Your IT consultants may even recommend business process reengineering. This is warranted if the way your business processes are designed is a huge contributing factor to your priority risks.
Implementation and Operationalization Are Key
IT audit is a rigorous process that involves IT risk identification, severity assessment, prioritization, analysis, and risk prevention and mitigation planning. You need the help of information technology risk assessment consultants who can perform it adequately and correctly.
For your part, you must commit to operationalizing your IT audit consultants’ recommendations. The best and most detailed risk prevention and mitigation plan is for naught if you don’t implement it.
Ratheesh C. Ravindranathan is the Managing Partner at Affility, a comprehensive advisory services firm assisting clients in the UAE and worldwide with IT, risk and management consulting solutions. Being a specialist FinTech professional with over 20 years of experience, an MBA in Information Systems Management, Oracle Certified Professional (OCP) and a Certified Information Systems Auditor (CISA), Ratheesh is an expert at guiding through your business’s digital transformation journey, Independent ERP Advisory, and Transaction Advisory for various M&As in this region.