File: aikow.doc. Added: 25.02.2016. Size: 212.48 KB.
  • Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.

  • It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

  • Independence is a central tenet of most auditing standards, practice guidance, and codes of ethics specified by major audit related professional associations and standards development organizations.

Benefits of IT Audit

  • In contrast to the compliance focus of many types of external audits, internal audits are driven in large part by an organization’s desire to find operational weaknesses, discover any deviations from established policies or standards, assess effectiveness, and identify opportunities to improve operational processes and capabilities where possible.

Objectives of Internal IT Audit

  • supporting corporate IT governance, risk management, and compliance programs;

  • verifying adherence to organizationally defined policies, procedures, and standards;

  • satisfying requirements to achieve or maintain process maturity, quality management, or internal control certification;

  • adding formality to or increasing the rigor of self-assessment processes and activities; and

  • preparing for or “shadowing” anticipated external audits.

Internal IT Audit common subject matter topics

  • business domains and associated processes supported by IT systems;

  • data governance, data management processes, data backup and restoration, and storage technologies;

  • IT policies and procedures;

  • operations and maintenance processes;

  • systems development life cycle process and activities;

  • application, systems, and security architecture;

  • computer operating systems;

  • IT governance and risk management processes and frameworks;

  • internal control types and applicability;

  • IT process management or security management models; and

  • IT-related standards and certification criteria.

IT Audit Activities

IT Governance

IT Governance includes

Source of IT Governance information

Risk Management

  • The scope of enterprise risk management covers all organizational aspects for which adverse events have the potential to affect the achievement of objectives and intended outcomes.

Risk Appetite

  • Risk Tolerance and Risk Propensity

  • An organization’s risk tolerance (also sometimes called risk appetite or risk propensity) is the level of risk it is willing to accept before it takes action to mitigate or otherwise respond to risk.

Popular sources of IS vulnerabilities

Popular sources of vulnerability information include the Common Vulnerabilities and Exposures (CVE) database, the Computer Emergency Response Team Coordination Center (CERT), US Computer Emergency Response Team

Business Continuity and Disaster Recovery

Imagine a company…

  • Bank with 1 Million accounts, social security numbers, credit cards, loans…

  • Airline serving 50,000 people on 250 flights daily…

  • Pharmacy system filling 5 million prescriptions per year, some of the prescriptions are life-saving…

  • Factory with 200 employees producing 200,000 products per day using robots…
