Monday, April 26, 2010

Traditional techniques in an IT audit

There are several traditional techniques that can be used during an IT audit. One of them is flowcharting. Since many root causes of non-compliance with regulations stem from flawed business processes (see the Myths about ERM blog post), an auditor has to be very exact in this area. The problem is that many companies have a great number of complex processes, touching not only different functional areas but also a wide variety of participant roles. For example, the procurement process can have great depth, especially at companies in the retail business. A traditional technique used in this area is flowcharting [1]: mapping each task to a functional area and defining its inputs, outputs and the flow of information from one task to another, which gives a visual overview of the processes at hand. By visualizing the information flows, the auditor can understand the business processes faster and with fewer misunderstandings.

Another very frequently used technique is a structured walk-through of a business process using a typical incident. Here a scenario is initiated, e.g. a data loss has occurred, and each task described by the policies or procedures is followed exactly. In IT in particular, this is one of the most effective techniques an auditor can employ. There have been many cases in which a backup of data was conducted, only to learn afterwards that a restoration was not possible due to a failure in the systems, or that the data had not been backed up at all [2].

A very easy way to establish continuous auditing of operations is to implement a system of metrics (a combination of different environmental values, e.g. customer satisfaction and software quality, that reduces the complexity of the situation) to measure the execution of tasks. The auditor can then react very swiftly to a short-term worsening of outputs at any point in the business process. An important point here is that a metric should only be used if its objective has been set beforehand; otherwise it might lead to a “burying of the organizations in metrics” [3].

There are a couple more techniques that can be used to aid the IT auditor in his work, but the key point is to use those techniques that enhance the quality, reliability and speed of an audit.


References:

[1] Sandra Senft and Frederick Gallegos, "Information Technology Control and Audit", Third Edition, Auerbach Publications, 2009
[2] ZDNet, "How 9/11 changed disaster planning", September 11, 2002, http://www.zdnet.co.uk/news/it-strategy/2002/09/11/how-911-changed-disaster-planning-2122113/
[3] Debra S. Herrmann, "Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI", Auerbach Publications, 2007