IT Audits Give Unbiased View Of IT Infrastructure
By: Abhishek Raval  |  Mar 19,2008

As a company expands its operations, the amount of data it holds and the amount flowing in and out both grow rapidly. Information assets, applications and software in particular, multiply along with it. Initiatives such as building a data warehouse or archiving data are commonly undertaken to organise this data and turn information into knowledge.

In this situation, the company needs to assess whether the internal controls prescribed by its policies are actually followed by employees, and what risk it carries where they are not. Risk also has to be considered from the perspective of what could go wrong, by mapping out scenarios and working out probable responses.

The need to undertake an IT audit arises at this time. "The auditor should take a holistic view and not get bogged down by individual systems," says Anantha Sayana, former president, ISACA Mumbai Chapter.

Since information systems vary in nature, with some being core systems and others extensions built on them, companies tend to prioritise them, and that priority often determines the scope of the IT audit. For example, a retail company may audit only its CRM system, since it is the core information asset.

In this scenario, it's very important to understand the audit process. Kaustubh Dhavse, program manager, ICT practice, Frost & Sullivan, defines an audit process as "examination of controls within the IT infrastructure by evaluation of evidence of an organisation’s IS, practices and operations determined by the organisation’s goals and objectives".

HDFC Bank-Symantec Partnership

An initiative that involves exactly this process of evidence collection and examination of controls is the recent HDFC Bank-Symantec strategic enterprise-level agreement to enhance the bank's compliance and security posture. In a nutshell, HDFC Bank has to comply with Basel II, ISO 27001 and SOX. As written, those requirements are high level and do not spell out specific, testable controls.

The COBIT framework converts such compliance requirements into control objectives that are definite and can be measured. Symantec will work with the bank's team through a PMO (project management office), collect evidence, and come up with a single-window compliance framework that covers the SOX, ISO 27001 and Basel II norms together.

Before the partnership, around half the bank's IT team was busy collecting evidence from operating systems, software and applications, which kept them away from their core IT work. The partnership is also expected to improve the bank's storage management and enterprise security posture.

Need for an IT Audit

Availability, confidentiality and integrity of information are the triggers for an audit: confidentiality means information is accessed only by those who are authorised, and integrity means it stays intact, unaltered except through authorised changes. "Availability is a factor that allows smooth flow of information round the clock and in rare cases even during disasters," says Sayana.

How do companies achieve this? The answer lies in a 'defence in depth' strategy, or multi-layered security. "Configuration of controls for information access should be only to authorized users. The controls should be at the server, OS, software, application, hardware, database and net gateway level," says Sayana. Controls at each of these levels must also be configured afresh whenever a new application is implemented.

Data keeps accumulating and applications keep changing, so the question is how one ascertains that the controls survive in a dynamic environment driven by application change management. Device configurations in data centres get modified for genuine reasons, and the person implementing a change has to satisfy several requirements at once: deliver the features the user needs, work within the constraints of the technology and applications, meet deadlines, and make sure information security is not compromised along the way.

How does one ensure that the level of security is maintained on an ongoing and consistent basis? The answer is an IS audit. An IS audit is not only about security; it also lets organisations sharpen their business processes, and that is what companies should look forward to while preparing for one.
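The question above, whether layered controls survive change management, is what a configuration-baseline drift check answers. The following Python is an added example written for this article, not code from any product or organisation mentioned on the page; the baseline, the post-release snapshot and the change register (including the ticket number CHG-4411) are constructed sample data, and the setting names are assumed for illustration:

```python
"""Control-baseline drift check: has a layered control set survived change management?

Added example for this article, not from any product named on the page. The baseline,
the current snapshot and the approved-change register are constructed sample data.
"""

# Constructed baseline: the controls expected at each layer of the stack.
BASELINE = {
    "os":       {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no", "auditd": "enabled"},
    "database": {"remote_root": "disabled", "audit_log": "on", "tls": "required"},
    "app":      {"admin_ip_allowlist": "10.0.5.0/24", "session_timeout_min": "15"},
    "gateway":  {"inbound_default": "deny", "rule.443": "allow", "rule.23": "deny"},
}

# Constructed snapshot collected from the live system after a release.
CURRENT = {
    "os":       {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes", "auditd": "enabled"},
    "database": {"remote_root": "disabled", "tls": "required"},   # audit_log setting vanished
    "app":      {"admin_ip_allowlist": "0.0.0.0/0", "session_timeout_min": "15"},
    "gateway":  {"inbound_default": "deny", "rule.443": "allow", "rule.23": "deny", "rule.8080": "allow"},
}

# Constructed change register: (layer, key, new_value) -> ticket that approved it.
APPROVED = {
    ("gateway", "rule.8080", "allow"): "CHG-4411",   # assumed ticket number
}


def drift(baseline=BASELINE, current=CURRENT, approved=APPROVED):
    """Return findings as (layer, key, expected, actual, status).

    status is 'approved:<ticket>' when the change register covers the new value,
    'unapproved' when it does not, and 'missing' when a baseline control is absent
    altogether. Unexpected extra settings are reported too: a new firewall rule is a
    control change even though no baseline entry refers to it.
    """
    findings = []
    for layer in sorted(set(baseline) | set(current)):
        exp, act = baseline.get(layer, {}), current.get(layer, {})
        for key in sorted(set(exp) | set(act)):
            e, a = exp.get(key), act.get(key)
            if e == a:
                continue
            if a is None:
                status = "missing"
            elif (layer, key, a) in approved:
                status = "approved:" + approved[(layer, key, a)]
            else:
                status = "unapproved"
            findings.append((layer, key, e, a, status))
    return findings


def unapproved_drift(**kw):
    """The subset an auditor raises: changes with no ticket, and controls that disappeared."""
    return [f for f in drift(**kw) if not f[4].startswith("approved")]


if __name__ == "__main__":
    for layer, key, expected, actual, status in drift():
        print(f"{status:18} {layer}.{key}: expected={expected!r} actual={actual!r}")
```

The approved-change lookup is keyed on the new value, not just the setting, so a ticket that approved opening port 8080 does not also excuse a later change of the same rule to something else.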

Timing the IT Audit and Related Audits

Once a company has decided the scope of the audit, the next decision is regarding whether it should be done parallel to the internal audit or on a standalone basis. "The IT and financial audit can be parallel, but never mixed with each other. This will dilute the importance of the IT audit," says Dhavse.

Some companies also conduct an internal IT audit, performed by company employees rather than a third party. "It is important to integrate IT audit with internal IT audit – this makes tremendous sense and value," says Sayana. In an environment where every business process runs on some computer application or other, the IT audit and the internal audit together add value to the final audit. The internal IT audit should precede the external IT audit, and its findings should be used as a reference during the course of the IT audit.

What to Audit and How

Five practical areas determine the scope of an IT audit and the way it is carried out, depending on what the company decides to cover. The first is systems and applications. An audit product built around a set of frameworks can be used to test systems and applications; in a small organisation, an independent audit method can instead be framed around a single, well-defined framework.

Organisations have moved on from the days when employees were free to download whatever content they chose; that liberty has been curtailed by regulating employee access to the Internet. The audit checks whether such controls are in place and working well. Every control is checked, but the result the IT department watches for is how much operational efficiency is lost to intrusions. The other four areas are information processing facilities, systems development, management of IT and enterprise architecture, and client/server systems.

Types of Audit

Subsequent to deciding on the scope of the audit, it is important to zero in on the audit type. Generally, there are three types of audit: technology evaluation audit, innovation comparison audit, and technology position audit.

A technology evaluation audit essentially builds a risk profile for existing and new processes. EDRM (Enterprise Digital Rights Management) is one measure for securing data inside the organisation. For instance, if employee X develops an application for the organisation and no patent is filed, any employee who is about to quit could download the application and sell it as his own. EDRM limits this by binding usage rights (open, copy, forward) to the files themselves, so that the rights travel with the content.

An innovation comparison audit looks at how the organisation achieves interoperability between disparate systems, writes code and designs interfaces to derive reports, and asks what control is exercised over that work and whether it fits within the architecture of the IT infrastructure. The result becomes the model against which the organisation compares itself with its peers. For example, the search functionality of Yahoo and Google is more a process innovation than a technological one; it is aimed at making search easier for the user.

The technology position audit reviews the organisation's current technology and decides whether there is any need for that extra push. If a company has, say, X servers serving 300 people with a capacity of Y concurrent transactions, and network performance is not up to par, the CIO has to decide whether a 20 percent extra investment to gain a 3 percent improvement in performance is worth it. The audit also helps companies compare their performance with peers of similar size.

Audit of and with Technology

At one level, general audit software is available that extracts data from applications and answers queries specific to the business domain. For a bank, the query might concern a faulty interest payment. For a retail company, it could be about inventory that does not reconcile with the purchased quantity, or the amount of obsolete or excess stock.
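As an added example of the kind of query such audit software runs (written for this article, not taken from any audit product), the following Python reconciles book stock against a physical count and flags obsolete and excess stock. The stock movements, opening balances, counts, SKU names and the 90-day and 180-day thresholds are all constructed sample data:

```python
"""Inventory audit queries over an application extract.

Added example for this article, not code from any audit product named on the page.
Movements, opening balances, counts, SKU names and thresholds are constructed sample data.
"""
from collections import defaultdict
from datetime import date

AS_OF = date(2008, 3, 19)   # constructed audit date

# Constructed ledger extract: (sku, date, kind, qty). Receipts add stock, sales remove it.
MOVEMENTS = [
    ("SKU-100", date(2008, 1, 5),  "receipt", 200),
    ("SKU-100", date(2008, 1, 20), "sale",    150),
    ("SKU-100", date(2008, 3, 1),  "sale",     30),
    ("SKU-200", date(2007, 9, 1),  "receipt",  50),   # received, never sold
    ("SKU-300", date(2008, 2, 1),  "receipt", 1000),
    ("SKU-300", date(2008, 2, 15), "sale",     10),
    ("SKU-300", date(2008, 3, 10), "sale",     10),
]

# Constructed opening balances and the physical count taken on AS_OF.
OPENING = {"SKU-100": 10, "SKU-200": 0, "SKU-300": 0}
COUNTED = {"SKU-100": 30, "SKU-200": 50, "SKU-300": 975}   # SKU-300 counted 5 short


def book_stock(opening=OPENING, movements=MOVEMENTS):
    """Expected on-hand quantity per SKU: opening + receipts - sales."""
    stock = dict(opening)
    for sku, _, kind, qty in movements:
        stock[sku] = stock.get(sku, 0) + (qty if kind == "receipt" else -qty)
    return stock


def reconcile(counted=COUNTED, **kw):
    """SKUs where the physical count disagrees with the book figure: sku -> (count - book)."""
    book = book_stock(**kw)
    return {sku: counted.get(sku, 0) - book[sku]
            for sku in sorted(book) if counted.get(sku, 0) != book[sku]}


def obsolete_stock(as_of=AS_OF, idle_days=90, movements=MOVEMENTS, **kw):
    """SKUs still holding stock with no sale in the last idle_days days."""
    last_sale = {}
    for sku, d, kind, _ in movements:
        if kind == "sale":
            last_sale[sku] = max(last_sale.get(sku, d), d)
    stock = book_stock(movements=movements, **kw)
    return sorted(sku for sku, qty in stock.items()
                  if qty > 0 and (as_of - last_sale.get(sku, date.min)).days > idle_days)


def excess_stock(as_of=AS_OF, window_days=60, cover_days=180, movements=MOVEMENTS, **kw):
    """SKUs whose on-hand stock exceeds cover_days of sales at the recent rate: sku -> days of cover."""
    sold = defaultdict(int)
    for sku, d, kind, qty in movements:
        if kind == "sale" and (as_of - d).days <= window_days:
            sold[sku] += qty
    stock = book_stock(movements=movements, **kw)
    flagged = {}
    for sku, qty in stock.items():
        daily = sold[sku] / window_days
        if daily > 0 and qty > daily * cover_days:   # SKUs with no sales are obsolete, not excess
            flagged[sku] = round(qty / daily)
    return flagged


if __name__ == "__main__":
    print("count vs book variance:", reconcile())
    print("obsolete (no sale in 90 days):", obsolete_stock())
    print("excess (days of cover on hand):", excess_stock())
```

The three checks deliberately report different things: a variance between count and book is a control failure to investigate, whereas obsolete and excess stock are business findings that the paragraph above says an audit should also surface.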

There are also GRC (Governance, Risk and Compliance) suites that can pinpoint SoD (Segregation of Duties) violations. For example, if an employee holds both the privilege to raise a purchase order and the privilege to authorise its payment, that is an SoD violation. Separately, there are technical tools that run vulnerability scans against operating systems, network switches and the like. "Many of these tools have attained a level of maturity where they can be commercially exploited, if configured properly," says Sayana.
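An added example, not code from any GRC suite named on the page, of how an SoD violation is found from role data. It checks a user's effective entitlements across all roles rather than each role alone, which is how a conflict reached through two individually harmless roles is caught. The users, roles, entitlement names and conflict rules are constructed sample data:

```python
"""Segregation-of-duties (SoD) check over a constructed role/entitlement model.

Added example for this article, not code from any GRC product named on the page.
All users, roles, entitlements and conflict rules below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample data: which entitlements each role grants.
# 'ap_supervisor' is deliberately toxic on its own (enter and approve an invoice).
ROLE_ENTITLEMENTS = {
    "buyer":         {"po.create", "po.view"},
    "ap_clerk":      {"invoice.enter", "po.view"},
    "ap_supervisor": {"payment.authorize", "invoice.enter"},
    "vendor_admin":  {"vendor.create", "vendor.edit"},
    "auditor":       {"po.view", "payment.view"},
}

# Constructed sample data: role assignments per user.
USER_ROLES = {
    "alice": {"buyer"},
    "bob":   {"buyer", "ap_supervisor"},         # conflict reached through two roles
    "carol": {"ap_supervisor"},
    "dave":  {"vendor_admin", "ap_supervisor"},  # can create a vendor and pay it
    "erin":  {"auditor"},
}

# Conflict rules: pairs of entitlements no single person may hold together.
# Each key is a frozenset so that {a, b} and {b, a} are the same rule.
SOD_RULES = {
    frozenset({"po.create", "payment.authorize"}):     "raise and pay own purchase order",
    frozenset({"vendor.create", "payment.authorize"}): "create a vendor and pay it",
    frozenset({"invoice.enter", "payment.authorize"}): "enter and approve an invoice",
}


def effective_entitlements(user, user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS):
    """Every entitlement the user's roles grant, mapped to the roles that grant it."""
    granted = defaultdict(set)
    for role in user_roles.get(user, ()):
        for ent in role_entitlements.get(role, ()):
            granted[ent].add(role)
    return granted


def find_sod_violations(user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """List (user, description, {entitlement: [roles]}) for every rule a user breaks.

    Checking the effective entitlement set, not each role in isolation, is what
    catches 'bob': neither of his roles conflicts by itself, but together they do.
    """
    violations = []
    for user in sorted(user_roles):
        ents = effective_entitlements(user, user_roles, role_entitlements)
        for pair, description in rules.items():
            if pair.issubset(ents):
                via = {e: sorted(ents[e]) for e in sorted(pair)}
                violations.append((user, description, via))
    return violations


def single_role_violations(role_entitlements=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """Roles that are toxic by design: one role granting both halves of a rule."""
    return sorted((role, desc)
                  for role, ents in role_entitlements.items()
                  for pair, desc in rules.items()
                  if pair.issubset(ents))


if __name__ == "__main__":
    for role, desc in single_role_violations():
        print(f"ROLE  {role}: grants both sides of '{desc}'")
    for user, desc, via in find_sod_violations():
        print(f"USER  {user}: {desc} via {via}")
```

Reporting which role supplies each half of the conflict matters in practice: the remediation for carol is to redesign the role, whereas for bob it is to remove one of two otherwise legitimate assignments.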

Versatility of Skill Sets

It is imperative for the IT audit manager to ensure that team members bring a variety of skill sets. To start with, the manager should decide the scope of the IT audit and draw up an audit plan. This calls for the skill to grasp the entire picture of the information system, and to understand both the technology and the business domain.

For instance, the risks facing a retail company differ from those facing a bank, so combining the technology risk with the domain risk lets the manager identify the kind of team required. Importantly, the manager should bring in technology expertise to lead the team from the front, and then select a team that can handle the particularities of the information systems in that business domain.

Irrelevance of Geographical Spread

The company may be spread across geographical locations. However, the trend today is to run mission-critical applications from a central base. For example, a bank may have many branches, but as the CBS (core banking system) runs at a single location one does not need to worry about diversity of systems across locations. Similarly, if a large manufacturing company runs an ERP system, it is very often a centralised ERP. Today's computing, network and storage capacity makes it possible to run such large systems centrally; that was not the case earlier, when operations had to run on a standalone basis at each site.

"Audits are done by only accessing the network," says Sayana. However, the auditor still has to visit a site in person to see how operational processes are actually run and whether employees obtain the necessary approvals.

Copyright © 2006, Biztech2.com India - A Network18 Venture