Many organizations today are investing more and more resources (money, time, staff, etc.) into technology. Consider, for example, a relatively small retail company that is expanding its website and online ordering capabilities while also building web-based platforms that function seamlessly on a variety of popular mobile devices. At the same time, this company must manage a broad and growing range of risks related to security and privacy; regulatory compliance; federal, state and local laws; use of social media by employees; and information technology (IT) infrastructure stability, among many other areas.
In this environment, understanding and managing these risks is absolutely critical for an organization to be successful. A key element of this effort must be well-planned and organized IT audit activities, which begin with establishing a strong IT audit function that has the necessary experience and capabilities.
Do most organizations have an IT audit function in place? How are they staffed? Do they exist as an independent function or do they reside in another department? How many organizations are, in fact, conducting IT audit risk assessments on a regular basis? Is IT audit an integral component of the organization’s annual audit plan?
What is IT Audit?
Protiviti defines “IT audit” as the process of collecting and evaluating evidence of the management of controls over an organization’s information systems, practices, controls and operations. The evaluation of evidence obtained through the IT audit process determines if the information systems are safeguarding assets, maintaining data integrity and operating effectively to achieve the organization’s goals and objectives. This may include traditional audits of technology processes and components as well as integrated audits for audit activities, technology-dependent regulatory processes (e.g., privacy) or data analytics support.
One of Protiviti’s leading publications is its annual IT Audit Benchmarking Survey. KnowledgeLeader has also published hundreds of tools and templates focused on various IT audit matters. Example tools include:
- IT Risks and Controls Review Report
- IT Application Management Self-Assessment Questionnaire
- IT General Control Assessment Report
- IT Vendor Management Audit Work Program
- IT General Controls Design Assessment Work Program
Check out these sources and let us know in the comments what you think about the importance of IT audit.