Information System Audit and Risk Management Audit
Technology enables rapid global business growth and advancement. It is also a major source of business risk. Boards and senior executives recognize the importance of technology, but can struggle to understand and manage it effectively. Often, business executives and IT professionals do not speak the same language. This communication gap can lead to misunderstandings and misaligned expectations and outcomes.
Everyone is aware of the requirement for information security in today’s highly networked business environment. Information is arguably among an enterprise’s most valuable assets, so its protection from predators both within and outside the enterprise has taken center stage as an IT priority. An Information System Audit encompasses a comprehensive review and evaluation of automated information processing systems, related non-automated processes, and the interface between them.
An IT audit, formerly known as an electronic data processing (EDP) audit, is the process of collecting and evaluating evidence of an organization’s information systems, practices, and operations. Evaluation of the evidence obtained can provide assurance that the organization’s information systems safeguard assets, maintain data integrity, and operate effectively and efficiently in order to achieve the organization’s goals or objectives. IT audits are also called automated data processing (ADP) audits and computer audits. An information technology (IT) audit or information systems (IS) audit is an examination of the controls within an entity’s information technology infrastructure.
What AMRA Consultants Offers
Our motive is to ensure that the resources of the organization are optimized to deliver the maximum possible value. We offer Post Migration Audit Certification to clients switching from manual legacy systems to automated processes. This is also used as part of the due-diligence procedure.
Our Information Systems Audit Portfolio covers the following:
Information Systems (IS) Governance:
Effective IS governance helps to ensure that business systems deliver value and that the risks inherent in using technology are managed. Information Technology (IT) performance is continuously being questioned in the light of changing business and regulatory requirements, such as Sarbanes-Oxley, International Financial Reporting Standards (IFRS), and Basel II, as well as the need for transparency to shareholders. The IS governance structure should be designed to meet all these aims and to fit within the corporate governance framework. Effective IS governance is increasingly considered compulsory by boards and management. Information Systems governance addresses a number of concerns organizations may have, such as:
INAPPROPRIATE IS STRATEGY. Alignment of IS strategy to business strategy is critical. Without alignment, management decisions may lead to inappropriate investments or poor implementations of new systems.
DIFFICULTY IN QUANTIFYING THE VALUE OF IS. This is particularly necessary during acquisitions or disposals. The value derived from the impact of IT should always be known. The absence of this information could lead to inappropriate investment decisions.
REVIEW OF EXISTING INFORMATION SYSTEM SECURITY CONTROLS against best practices and industry standards. Gap analysis against standards such as ISO 27001, SANS, and NIST, or other industry benchmarks such as CIS and CERT. Making recommendations to improve and strengthen IS controls.
SYSTEMS AND APPLICATIONS: An audit to certify that systems and applications are appropriate to the entity’s requirements, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system’s activity.
BUSINESS APPLICATION AUDITS: Testing the application’s capabilities, features, and limitations; establishing the reasonableness of the application’s logical access controls; auditing the SDLC process; reviewing the operational adequacy of the application package; and performance testing using tools.
INFORMATION PROCESSING FACILITIES: An audit to scrutinize whether the processing facility is controlled so as to assure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
SYSTEMS DEVELOPMENT: An audit to verify that the systems under development meet the goals of the organization and to assure that the systems are developed according to generally accepted standards for systems development.
MANAGEMENT OF IT AND ENTERPRISE ARCHITECTURE: An audit to verify that IT management has developed an organizational structure and procedures to assure a controlled and efficient environment for the processing of information.
UNCERTAINTY AS TO THE TRUE COST OF IS. Before investments or modifications are made, an organization should know its current spending on IS. Without a comprehensive management overview, this can be difficult to ascertain.
PERFORMANCE IMPROVEMENT SYSTEMS. Measuring and improving IS is a constant challenge. Performance must be measurable to determine that the investment in IT is properly managed, technology risks are appropriately controlled, and a baseline for improvement is established.
REGULATION AND COMPLIANCE FRAMEWORKS. Compliance frameworks can be costly and complicated to implement. However, without them, organizations may increase their risk of fines and the risk of their IS assets being badly managed.
Value and Performance From IT:
What is the business value of IT to an organization? How is IT performing? These are the questions that many executives are asking about their investment in information technology. Often, what is missing is an effective dialogue between the corporate level and the IT function. When this dialogue is supported by investment appraisal and performance monitoring, the organization can have a clear understanding of the benefits IT brings to the business. In addition, business events such as transactions and restructuring will change the overall IT need. Clients then need to reappraise management and sourcing decisions.
Risk Issues:
Risks change. Priorities change. People and processes change. When that happens, your business becomes exposed unless you have a sustainable approach to risk management. Our advice draws on the most important risk issues that our clients seek guidance on, our global risk research into the views of key stakeholders, the unrivalled sector insights that our industry teams offer, and risk case studies that demonstrate how we help clients tackle both the opportunities and threats of risk.
Technology Risk:
Technology risk concerns that organizations may have include:
Security, Privacy and Continuity:
In today’s business environment, the reputation of a business, indeed its very existence, can be affected to a great extent by the strength of the security, privacy, and business continuity mechanisms it has in place.
Fundamental controls, such as the segregation of duties, are often completely reliant on the strength of technology-based access controls. In a world of global communications networks, security vulnerabilities can be quickly exploited. Well-publicized frauds and scams erode public confidence.
IT Internal Audit Services:
For some time, risk management through internal audit has been considered a contributing factor to an effective corporate governance framework. Subsequent developments have further reinforced this perception.
The quality and effectiveness of Internal Audit functions are diverse, as are their mandates. To achieve effective Internal Audit coverage, specialist skills will often be needed in order to assess the business’s specific risks. Where IT is concerned, technical subject matter specialists are often required.
IT Attestation Services:
In an environment where customers and clients are increasingly affected by a business’s IT systems, extra assurance is often required to satisfy stakeholder expectations.
SAS 70 and similar standards examinations demonstrate that clients have undergone a comprehensive review of control activities. This involves controls over transaction processing as well as IT and related processes. Reviews provide clients with a third-party attestation against the organization’s internal control objectives. A formal report including the auditor’s opinion is issued to the client at the conclusion of the examination.
IRM in the External Audit:
IRM is a vital part of the external audit and is used in the evaluation of financial audit risk. This comprises identifying financial and operational risks embedded in business systems and processes, and providing advice on risk mitigation.
IRM professionals integrate technology issues into the framework of the audit, working as part of the audit team in order to assess the technology component of business issues, risks, and strategies.
Review of the migration process from legacy systems to state-of-the-art systems such as SAP and Oracle Applications; review of the migration process from a non-CBS to a CBS environment; review of the data center migration process.
Network Audits (Including Vulnerability and Penetration Testing):
Client/Server, Telecommunications, Intranets, and Extranets: an audit to scrutinize that controls are in place on the client (the computer receiving services), on the server, and on the network connecting the clients and servers.
- Auditing management and security of networks
- Examining the extent to which network security meets internal standards.
- Vulnerability assessment and penetration testing of the networks.
- In-depth review of the configurations of various network devices such as routers, firewalls, etc., and benchmarking them against secure configuration standards.
- Providing an overall review of the consistency, quality, and reliability of the network management processes.
- Recommending opportunities for improvement.
Data Centre Audits: Data Center Operations Review; General Computer Controls Review covering IT assets and resources, personnel security, physical and environmental security, and access controls; Operating System Review; Database Controls Review; Network Controls Review.
Web Application Security Testing: Testing web applications for security vulnerabilities, review of web application source code against secure coding standards, review of the underlying operating systems and applications, and strengthening website security.