CONTACT US
SC&H / Insights / Value: From an Information Technology Internal Audit Perspective

Value: From an Information Technology Internal Audit Perspective

BlogRisk
Updated on: October 18, 2019

As we continue our three part series on the value derived from internal audit (IA), here is a quick recap: 

In the first part of this series, Value: Understanding the Benefits of an Effective Internal Audit Function, we learned that IA provides value through increasing the maturity level of processes while reducing organizational risk. The realization of this value occurs when the benefits of implementing recommendations that reduce organizational risks or inefficiencies exceed the costs or efforts of their implementation. In this case “benefits” isn’t limited to just cost savings or revenue recovery, but also includes improvements like the elimination of redundancies, process automation, a reduction in errors, or an increase in initial quality that drive value.

The second part of this series, Internal Audit: Adding Value to High-Performing Organizations, discusses how the perception of value can differ throughout each level of an organization, as well as to outside stakeholders. The post also provides an example of a review we performed that focused on specific business processes within an organization. The value added results of this case study included:

  • Time savings through increased process efficiency
  • Enhancing policies and procedures that improved segregation of duties controls
  • Mitigating risk around identified process gaps and deficiencies

The third part of our series focuses on the additional value that can be created within organizations through the efforts of a high-performing Information Technology (IT) audit function.

What’s the Difference between Business Audits and IT Audits?

Both business and IT audits focus on evaluation of systems and processes throughout an organization to identify weaknesses or gaps in controls, and to develop a remediation strategy to reduce the identified vulnerabilities. While business audits typically focus on the operational, financial, and departmental components of an organization, IT audits focus on the IT infrastructure, IT processes, and IT procedures that support those business functions. Although the focus areas are different, both types of audits can provide considerable value to the organization.

How do IT Audits Add Value to an Organization?

The range of potential IT audit topics can vary from a specific process within a single department (e.g. a financial system access review) to an evaluation that covers an entire organization (e.g. entity-wide IT risk assessment). These different audit types will provide understanding of the existing risks to assist in adding value to an organization. Specific examples of the value that might be identified through IT audit include:

  • Maturing Cybersecurity Processes
    • The National Institute of Standards and Technology (NIST) Cybersecurity Framework[1], is a risk-based tool developed to strengthen the resilience of physical and virtual systems and assets against attacks. Through the use of this framework IA departments can help organizations align and prioritize cybersecurity activities with business mission requirements, risk tolerance, and resources. This alignment can help increase the maturity of cybersecurity related processes by strengthening and implementing controls within function areas considered at risk.
  • Improving System Recovery Time After a Major Disruption
    • Natural or man-made disasters could impact an organization at any given time. Being prepared for such a disaster is key to sustaining critical operations and minimizing disruptions. An IT audit over the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) can identify risks in this process while improving system recovery caused by major disruptions.
  • Reducing the Risk of Inappropriate User Access to Systems
    • Users provided with unauthorized access or inappropriate access can create major issues that may go undetected. If a user has valid login credentials, even if access is inappropriate, monitoring systems may not create an alert on the user accessing the system. To reduce the risk of inappropriate access, a user access review and the specific access rights within the system should be performed. This type of review will add value to organizations by reducing the likelihood of an unauthorized individual performing malicious activity in a system, such as reading and capturing sensitive information and making unauthorized changes.
  • Increase Organizational Awareness of IT Hazards
    • Value added starts with awareness and an understanding of an organization’s IT environment. An IT risk assessment can assist is this understanding. The value that a risk assessment can provide to an organization is an understanding of:
      • Direct or indirect threats to the organization
      • Internal and external IT-related organizational risks
      • Organizational impact of IT-related negative event occurrences
      • Likelihood that harm would occur if vulnerability is exploited

Internal Audit – including the IT internal audit group – should not be perceived within organizations as a policing unit, but instead seen for what it is: a value added resource and/or partner equally committed to achieving the missions, goals, and objectives of the organization. IT internal audit works on behalf of the organization to help increase process maturity, reduce risk, and improve awareness of the threats and vulnerabilities within the organization’s risk environment. An effective partnership between IT internal audit and the business units within the organization provides value through increased confidence and reliability in the IT infrastructure and technology environment.

[sch_pullbox]Organizations striving to achieve these added values should consider leveraging IT internal audit through their in-house audit department, or through a co-sourced or fully outsourced service provider like SC&H that offers specialized IT risk management and internal audit expertise. Click here for more details on co-sourcing and full outsourcing.[/sch_pullbox]

[1] https://www.nist.gov/cyberframework/framework

Related Insights

Blog

What is Microsoft Fabric? The AI-Powered Tool for Advanced Analytics

Blog | Case Study

Driving Growth: How a Trucking Company Increased its Revenue by 41%

Blog

Achieving Microsoft SSPA Compliance: A Supplier’s Guide to DPR v9 Updates

Blog

2023 Community Impact Report: Empowering Change Through Community Service

VIEW MORE INSIGHTS

Subscribe to our Insights

A collection of insights about our capabilities, solutions, people, and client successes.

SERVICES

Accounting

Advisory & Transformation

Audit

Capital

Risk

Tax

Technology

Wealth

ABOUT

Client Experience

Community Impact

INSIGHTS

Press Releases

In the News

Events

INDUSTRIES

LEADERSHIP TEAM

CAREERS

CONTACT

© 2024 SC&H Group, Inc. All Rights Reserved

Legal Disclaimer

Privacy Policy

Data Privacy

Services
Services Overview
Advisory & Transformation
Advisory & Transformation Overview
Finance Transformation
ERP Advisory & Implementation
Data Strategy & Analytics
Managed Services
OneStream Software
Oracle EPM
Corporate Restructuring
Technology
Technology Overview
Cloud Strategy & Infrastructure
Cybersecurity Advisory & Assessment
ERP Advisory & Implementation
Fractional CTO & CIO
Managed Services
Software Selection
Risk
Risk Overview
Contract Compliance Audit
Cybersecurity Advisory & Assessment
Internal Audit
ISO Certification
IT Audit & Risk Advisory
Microsoft SSPA Attestation
SOX Compliance & Advisory
Third Party Risk Management
Accounting
Accounting Overview
CFO Advisory
Cloud Accounting & Automation
Outsourced Accounting
Outsourced HR & Payroll
Sage Intacct
Tax
Tax Overview
Business Tax
Corporate Tax & Provisions
Cost Segregation
Individual Tax Planning & Advisory
International Tax Provisions
Audit
Audit Overview
Financial Statement Audits
Due Diligence
Employee Benefit Plans Audits
SOC Audits
Capital
Capital Overview
Mergers & Acquisitions
Special Situations Investment Banking
Business Valuation
Employee Stock Ownership Plans
Representative Transactions
Wealth
Wealth Overview
Financial Advisory
Individual Tax Planning & Advisory
Industries
Industries Overview
Affordable Housing
Construction
Education
Energy
Financial Services
Government Contracting
Healthcare
Hospitality & Entertainment
Manufacturing & Distribution
Media, Technology, & Telecommunications
Nonprofits
Pharmaceuticals & Life Sciences
Private Equity
Professional Services
Real Estate
Retail
Transportation
Technology Partners
About
About
Client Experience
Community Impact
Leadership
Careers
Careers
Internships
Insights
Insights
Press Releases
In The News
Events
Client Login Contact Us ×

FEATURED INSIGHTS