IT Audits

IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.

[Source: IT Governance Institute]

As computer technology has advanced, all organisations have become increasingly dependent on computerised information systems to carry out their operations and to process, maintain, and report essential information. As a consequence, the reliability of computerised data and of the systems that process, maintain and report data is a major concern for audit. IT Auditors evaluate the reliability of computer-generated data and analyse specific programs and their outcomes. In addition, IT Auditors examine the adequacy of controls in information systems and related operations to ensure system effectiveness.

IT Audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organisational goals to be achieved effectively, and use resources efficiently. Data integrity relates to the accuracy and completeness of information as well as to its validity in accordance with the norms. An effective information system leads the organisation to achieve its objectives, and an efficient information system uses minimum resources in achieving the required objectives. When evaluating the effectiveness of any system, an IT Auditor must know the characteristics of the users of the information system and the decision-making environment in the auditee organisation.

Use of computing technology has brought about radically different ways of processing, recording and controlling information and has combined many previously separated functions. The potential for material systems error has thereby been greatly increased, and such errors can cause great costs to an organisation. For example, the highly repetitive nature of many computer applications means that small errors may lead to large losses. An error in the calculation of income tax to be paid by employees in a manual system will not occur in each case, but once an error is introduced in a computerised system, it will affect each case. A bank may suffer huge losses on account of an error of rounding off to the next cent instead of the nearest cent. This makes it imperative for the auditor to test the invisible processes and to identify the vulnerabilities in a computer information system, as the costs involved in errors and irregularities can be high.

The primary function of an IT audit is to evaluate the systems that are in place to guard an organisation’s information. Specifically, information technology audits are used to evaluate the organisation’s ability to protect its information assets and to properly dispense information to authorised parties. In this way, the audit aims to assess the risk to the company’s valuable asset (its information) and to establish methods of minimising those risks.

ORCA submits that managing data privacy in today’s rapidly changing and complex operating environment needs to be tackled proactively, requiring organisations to develop and implement comprehensive, holistic resources to assess and address the constantly evolving data protection landscape. ORCA can also assist with IT Governance Frameworks and Steering Committees.