Expertise Beyond the Numbers

Value: From an Information Technology Internal Audit Perspective

As we continue our three-part series on the value derived from internal audit (IA), here is a quick recap:

In the first part of this series, Value: Understanding the Benefits of an Effective Internal Audit Function, we learned that IA provides value through increasing the maturity level of processes while reducing organizational risk. The realization of this value occurs when the benefits of implementing recommendations that reduce organizational risks or inefficiencies exceed the costs or efforts of their implementation. In this case “benefits” isn’t limited to just cost savings or revenue recovery, but also includes improvements like the elimination of redundancies, process automation, a reduction in errors, or an increase in initial quality that drive value.

The second part of this series, Internal Audit: Adding Value to High-Performing Organizations, discusses how the perception of value can differ at each level of an organization, as well as among outside stakeholders. The post also provides an example of a review we performed that focused on specific business processes within an organization. The value-added results of this case study included:

  • Time savings through increased process efficiency
  • Enhancing policies and procedures that improved segregation-of-duties controls
  • Mitigating risk around identified process gaps and deficiencies

The third part of our series focuses on the additional value that can be created within organizations through the efforts of a high-performing Information Technology (IT) audit function.

What’s the Difference between Business Audits and IT Audits?

Both business and IT audits focus on evaluation of systems and processes throughout an organization to identify weaknesses or gaps in controls, and to develop a remediation strategy to reduce the identified vulnerabilities. While business audits typically focus on the operational, financial, and departmental components of an organization, IT audits focus on the IT infrastructure, IT processes, and IT procedures that support those business functions. Although the focus areas are different, both types of audits can provide considerable value to the organization.

How do IT Audits Add Value to an Organization?

The range of potential IT audit topics can vary from a specific process within a single department (e.g. a financial system access review) to an evaluation that covers an entire organization (e.g. an entity-wide IT risk assessment). Each of these audit types provides an understanding of existing risks that helps add value to the organization. Specific examples of the value that might be identified through IT audit include:

  • Maturing Cybersecurity Processes
    • The National Institute of Standards and Technology (NIST) Cybersecurity Framework[1] is a risk-based tool developed to strengthen the resilience of physical and virtual systems and assets against attacks. Through the use of this framework, IA departments can help organizations align and prioritize cybersecurity activities with business mission requirements, risk tolerance, and resources. This alignment can help increase the maturity of cybersecurity-related processes by strengthening and implementing controls within functional areas considered at risk.
  • Improving System Recovery Time After a Major Disruption
    • Natural or man-made disasters could impact an organization at any given time. Being prepared for such a disaster is key to sustaining critical operations and minimizing disruptions. An IT audit of the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) can identify risks in this process while improving system recovery time after major disruptions.
  • Reducing the Risk of Inappropriate User Access to Systems
    • Users provided with unauthorized or inappropriate access can create major issues that may go undetected. If a user has valid login credentials, monitoring systems may not generate an alert when that user accesses the system, even if the access is inappropriate. To reduce this risk, a review of user access, including the specific access rights each user holds within the system, should be performed. This type of review adds value by reducing the likelihood of an unauthorized individual performing malicious activity in a system, such as reading and capturing sensitive information or making unauthorized changes.
  • Increasing Organizational Awareness of IT Hazards
    • Value added starts with awareness and an understanding of an organization’s IT environment. An IT risk assessment can assist in building this understanding. The value that a risk assessment provides to an organization is an understanding of:
      • Direct or indirect threats to the organization
      • Internal and external IT-related organizational risks
      • Organizational impact of IT-related negative event occurrences
      • Likelihood that harm would occur if a vulnerability is exploited
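As an added illustration of the user access review described above (example code, not from the post or SC&H), the following script reconciles a constructed financial-system entitlement export against a hypothetical HR roster and role-to-entitlement matrix, flagging the findings such a review typically produces: orphaned accounts, terminated users still enabled, entitlements beyond what the user's role authorizes, and segregation-of-duties conflicts. All user names, roles and entitlements are constructed.

```python
# Constructed inputs for a hypothetical accounts-payable system.
HR_ROSTER = {  # user -> (employment status, job role)
    "asmith": ("active", "AP Clerk"),
    "bjones": ("active", "AP Manager"),
    "cwu": ("terminated", "AP Clerk"),
}
ROLE_ENTITLEMENTS = {  # job role -> entitlements the role is authorized to hold
    "AP Clerk": {"INVOICE_ENTRY"},
    "AP Manager": {"INVOICE_APPROVE", "VENDOR_MASTER_VIEW"},
}
# Entitlement combinations no single user should hold (segregation of duties).
SOD_CONFLICTS = [({"INVOICE_ENTRY", "INVOICE_APPROVE"}, "enter and approve invoices")]
SYSTEM_EXPORT = {  # user -> entitlements actually assigned in the system
    "asmith": {"INVOICE_ENTRY", "INVOICE_APPROVE"},
    "bjones": {"INVOICE_APPROVE", "VENDOR_MASTER_VIEW"},
    "cwu": {"INVOICE_ENTRY"},
    "svc_old": {"VENDOR_MASTER_VIEW"},
}


def review_access(export, roster, role_entitlements, sod_conflicts):
    """Compare granted access with authorized access; return (user, issue, detail)."""
    findings = []
    for user, granted in sorted(export.items()):
        if user not in roster:
            # Account exists in the system but nobody in HR owns it.
            findings.append((user, "orphaned_account", "no HR record"))
            continue
        status, role = roster[user]
        if status != "active":
            # Valid credentials remain for someone who has left.
            findings.append((user, "terminated_user_active", f"status={status}"))
            continue
        excess = granted - role_entitlements.get(role, set())
        if excess:
            findings.append((user, "excessive_access", ",".join(sorted(excess))))
        for conflict, description in sod_conflicts:
            if conflict <= granted:
                findings.append((user, "sod_conflict", description))
    return findings


if __name__ == "__main__":
    for user, issue, detail in review_access(
        SYSTEM_EXPORT, HR_ROSTER, ROLE_ENTITLEMENTS, SOD_CONFLICTS
    ):
        print(f"{user:8} {issue:24} {detail}")
```

The findings list is the raw material for the audit report: each line names the account, the control failure, and the evidence a remediation owner needs to act on it.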

Internal Audit, including the IT internal audit group, should not be perceived within organizations as a policing unit, but instead seen for what it is: a value-added resource and partner equally committed to achieving the missions, goals, and objectives of the organization. IT internal audit works on behalf of the organization to help increase process maturity, reduce risk, and improve awareness of the threats and vulnerabilities within the organization’s risk environment. An effective partnership between IT internal audit and the business units within the organization provides value through increased confidence in, and reliability of, the IT infrastructure and technology environment.

Organizations striving to achieve this added value should consider leveraging IT internal audit through their in-house audit department, or through a co-sourced or fully outsourced service provider like SC&H that offers specialized IT risk management and internal audit expertise.

[1] https://www.nist.gov/cyberframework/framework