MO04 IT Audit

MO04: IT Audit

1. Description

Independent audits carried out at regular intervals to increase confidence levels and benefit from best practice advice.

2. Control Objectives

Audit Charter - A charter for the audit function should be established by the organisation’s senior management. This document should outline the responsibility, authority and accountability of the audit function. The charter should be reviewed periodically to assure that the independence, authority and accountability of the audit function are maintained
Independence - The auditor should be independent from the auditee in attitude and appearance (actual and perceived). Auditors should not be affiliated with the section or department being audited, and, to the extent possible, should also be independent of the subject organisation itself. Thus, the audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit
Professional Ethics and Standards - The audit function should ensure adherence to applicable codes of professional ethics (e.g., Code of Professional Ethics of the Information Systems Audit and Control Association) and auditing standards (e.g., Standards for Information Systems Auditing of the Information Systems Audit and Control Association) in all that they do. Due professional care should be exercised in all aspects of the audit work, including the observance of applicable audit and information technology standards
Competence - Management should ensure that the auditors responsible for the review of the organisation's information services function activities are technically competent and collectively possess the skills and knowledge (i.e., CISA domains) necessary to perform such reviews in an effective, efficient and economical manner. Management should ensure that audit staff assigned to information systems auditing tasks maintain their technical competence through appropriate continuing professional education
Planning - Senior management should establish a plan to ensure that regular and independent audits are obtained regarding the effectiveness, efficiency and economy of security and internal control procedures, and management's ability to control information services function activities. Senior management should determine priorities with regard to obtaining independent audits within this plan. Auditors should plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards
Performance of Audit Work - Audits should be appropriately supervised to provide assurances that audit objectives are achieved and applicable professional auditing standards are met. Auditors should ensure that they obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence
Reporting - The organisation’s audit function should provide a report, in an appropriate form, to intended recipients upon the completion of audit work. The audit report should state the scope and objectives of the audit, the period of coverage, and the nature and extent of the audit work performed. The report should identify the organisation, the intended recipients and any restrictions on circulation. The audit report should also state the findings, conclusions and recommendations concerning the audit work performed, and any reservations or qualifications that the auditor has with respect to the audit.
Follow Up Activities - Resolution of audit comments rests with management. Auditors should request and evaluate appropriate information on previous findings, conclusions and recommendations to determine whether appropriate actions have been implemented in a timely manner

3. Key Goal Indicators

Increased level of confidence derived from independent audit activities
Increased adoption of best practices as a result of independent audit advice and recommendations
Increased value for the money
Increased level of communication with the audit committee and senior management

4. Key Performance Indicators

Increased level of satisfaction with the audit function working relationship
Number of corrective and sustainable actions taken as a result of new audit findings
Increased number of auditors with professional and technical certifications
Improved cycle time of the audit process, from planning through reporting

5. Critical Success Factors

An audit committee that defines and supports an audit mandate that provides for the independence, responsibility, authority and accountability of the audit function
Risk-based planning is used to identify business and IT activities for initial and cyclical reviews
The planning and conducting of audits are proactive
The audit methodology is properly supported by tools and techniques
Clearly-agreed on practices between management and audit are established for tracking and closing audit recommendations and for reporting on global status
Auditors perform impact assessments of recommendations, including cost, benefit and risk
Audits are performed in accordance with generally accepted auditing standards

6. Service Maturity Variations

0 Non-existent	Management is unaware of the importance of an independent audit function and independent audits do not take place.
1 (Initial/Ad Hoc)	An informal IT audit function exists which carries out independent reviews from time to time. There is no overall plan for providing independent audits and no co-ordination between reviews. Independent audit planning, managing and reporting are based on individual expertise. The quality of planning and delivery of audit services is generally poor, with variable results and very limited management involvement.
2 (Repeatable but Intuitive)	Provision of an independent audit function is recognised by management as being potentially useful, but there is no written policy defining its purpose, authority and responsibilities. Senior management has not established an infrastructure and process to ensure that independent audits are performed on a regular basis. Independent audit planning, managing and reporting follows a similar pattern, based on previously gained experience and the expertise of the team members. There is little co-ordination between audits and limited follow-up of previous audit findings. IT management interest and involvement in the audit process is inconsistent and dependent on the perceived quality of the specific audit team.
3 (Defined Process)	A charter for the IT audit function is established by senior management and followed in providing for the independence and authority of the audit function. Audit management has identified and understands the IT environment and initiatives. A process is established for planning and managing audits. Audit staff is expected to comply with auditing standards, but results may be variable. Resolution of audit comments does occur, but often there is poor follow-up and closure. Basic elements of quality assurance are established to assure that practices comply with applicable auditing standards and to improve the effectiveness of audit function activities. The IT, financial and process audit functions are not generally integrated. IT management is aware of the need for independent audits, but is not always satisfied with the quality provided and does not have confidence that the function has adequate knowledge to make valid recommendations.
4 (Managed and Measurable)	Strategic and operational risk-based audit plans are established, based on an assessment of current and future needs. Individual audit plans are developed, based on a cyclical operational plan and resource availability. The audit process can be tailored to specific assignments. A process knowledge base is established and is developed to ensure that quality assessments can be made and useful recommendations are generated. Audits are co-ordinated and integrated with any associated financial and process audits. Results are reported to management and follow-up occurs to ensure that management has taken corrective actions on critical issues identified by the audits. A structured quality assurance function facilitates quantitative management and control of the audit process. The IT audit function participates in the development of corrective actions and in projects to ensure that controls are appropriately built into processes. IT management is usually positively involved in all audits and makes use of audit results to improve performance.
5 Optimized	The audit function is capable of rapidly responding to management concerns related to business process and IT control risk issues on a continuous, organisation-wide basis. Audit planning is closely integrated with business and IT strategies. Audit processes are monitored and analysed for improvement in adapting to changing environmental conditions. This includes quantitatively monitoring activities in the auditing community and taking into account state-of-theart industry best practices and other external trends in adjusting auditing processes. Audit is involved in the development of business plans and in all projects that support business plans, to ensure that the appropriate controls are included into all processes. Audit is consulted on all projects for control and business advice.