Taking a risk-based approach to IT audit can help focus limited resources on the real threats.

Fast-moving changes in technology have added to the potential risks companies face. It is not always easy for senior management to wrap its arms around information technology risks confronting their organization. However, internal audit departments can help shed light on the issue through risk-based IT audit planning.

One way of looking at the subject is simply put: There are no IT risks as such. Rather, it is all about business risks and how IT might impact the business.

The first step before embarking on a risk-based IT audit involves sorting out the IT audit universe. That means pinpointing all the relevant auditable IT entities including: operating systems, databases and networks, as well as the types of computers in the system and their physical location. Is the underlying operating system UNIX, Windows? Is the platform a mainframe or client server? Companies taking this approach will want to measure all of these entities and then focus their limited audit resources on risks that could have the greatest impact on the business.

How you determine what to audit and in what sequence will be based on the risk criteria used to identify the significance of, and likelihood that, conditions or events may occur that would hurt the organization. Examples include the ethical climate and pressure on management to meet objectives; competency, adequacy and integrity of personnel; financial and economic conditions; asset size, liquidity or transaction volume; competitive conditions; and complexity or volatility of activities.

Heading the list of IT risk factors is information criticality. Think of it in terms of an acronym CIA: Confidentiality, Integrity and Availability. These three factors are generally considered the pillars of information security.

Confidentiality is essential to protect personally identifiable information and guard company secrets from inadvertent disclosure. A classic example of an IT security breach happened five years ago when the home of an employee of the U.S. Department of Veterans Affairs was burglarized and data stored on a laptop computer– sensitive records on 26.5 million veterans— was stolen. In the aftermath, the government made laptop hard drive encryption mandatory and many corporations adopted the same policy.

Integrity needs to be in place in application systems so employees can trust that the output can be relied upon for completeness and accuracy.

Availability refers to the assurance that the information is accessible to the people who require it when they need it and that there are adequate backup and disaster recovery systems in place.

Besides the CIA criteria, some other IT risk factors to consider include the following:

1. Materiality: Will it affect the entire company or only a part?
2. Reputational fallout: The now-defunct Arthur Andersen is frequently cited as an example of how a damaged name can cause clients to flee.
3. Strategic plan support: Is it a new project or system? If it is, how big is it and what business risk does it entail?
4. Fraud: What system-based controls are in place to help monitor and prevent fraudulent activity?
5. Outsourced risk: Can we rely on the controls of a third-party vendor?
6. Changes in the audit environment: Did something occur that needs a closer look? When was the last time an audit was conducted and what was the audit opinion/conclusion?

The CIA concept avoids often-confusing technical jargon and is something everyone – from C-level leaders to board of directors to business management can relate to.

The Institute of Internal Auditors’ Global Technology Audit Guide on IT Controls suggests a number of basic questions for an IT risk assessment:

1. What could happen to affect an information asset value adversely (threat event)?
2. If a threat event happened, how bad could its impact be?
3. How often might the event be expected to occur?
4. What can be done to reduce the risk?
5. How much will it cost to reduce the risk?
6. Is it cost-efficient?

Identifying critical information assets and systems, based on business objectives and information assets, is the starting point in the IT risk assessment process. What business systems house information and support critical business functions? Is it payroll, general ledger system, or the accounts payable system? You also will want to determine system support infrastructures (that is, IT general controls), including hardware, operating systems, database management systems, networks and information processing facilities.

Keep in mind, application risk drives infrastructure risk. For example, if a company identifies payroll as a high-risk application, the IT infrastructure components that support that application get the same risk.

Regulations Raise the Bar

Recent compliance regulations have had a huge impact in raising the importance of the risk-based IT audit planning process. Sarbanes-Oxley (SOX) in particular led the corporate world to recognize the necessity of solid IT controls. SOX served as a wake-up call that forced business organizations to look carefully at the integrity of financial reporting. The new rules hammered home the message that without strong IT controls on underlying systems, one cannot rely on the financial statements.

In my view, U.S. companies now have better IT controls than in 2001— thanks to SOX. Also helping strengthen controls are the PCI (Payment Card Industry) Data Security Standards’ requirement that all companies processing credit card information have appropriate controls to protect card information; the Gramm-Leach-Bliley Act that requires banks to protect customers’ financial records; and the Health Insurance Portability and Accountability Act (HIPPA) that insures health record privacy. They all have forced management to allocate resources to make sure they are in compliance with these regulations which are all tied back to IT risks and controls.

When performing an IT risk analysis, consider using what the COSO and COBIT control frameworks have to offer. Auditors need to know what COSO (Committee of Sponsoring Organizations of the Treadway Commission) has to say about controls for financial processes and understand the COBIT (Control Objectives for Information and Related Technologies) focus on IT.

A critical aspect highlighted in COSO is that every entity faces a variety of risks, both from external and internal sources that must be assessed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change. What might be relevant today may be less significant tomorrow. Changes requiring special attention include new personnel, change in operating environment, new or revamped information systems, rapid growth, new technology, new products or activities, corporate restructuring, and foreign operations.

COBIT, meanwhile, does not address risk in depth but provides a laundry list of concerns to think about in terms of IT functions. The IT Governance Institute, citing challenges involved in performing an IT risk analysis, has noted that some risks cannot easily be measured, information can be difficult to define and characterize, information value is difficult to establish as is establishing ownership for the entities (especially if it is a global entity).In addition, probabilities (and likelihood probabilities) of the risk occurring are difficult to establish.     

ISACA, in its IT Risk Framework, highlights the balance between IT risk and IT opportunity. IT can help grow the business (value enabler) or destroy business value (value inhibitor). As a value inhibitor IT-related events can result in reduced business value and missed IT-assisted business opportunities; as a value enabler, IT can result in new business opportunities and enhanced business value through optimal use of IT capabilities.

The Tie-In with Integrated Auditing

How does the risk-based IT audit planning process relate to the integrated auditing concept?

By definition, integrated auditing is an integrated or coordinated effort between business audit and technical audit to provide application audit coverage of key business risks. That is, integrated auditing is about auditing the business process and underlying key IT components. Those conducting an integrated audit need to audit the key supporting IT components – operating system, data base, etc. – either before, as part of, or shortly after the integrated audit.

At some point you must look at those high-risk IT components as they relate back to the business. As noted earlier, it’s all about business risks and how IT might impact the business.

Things get trickier when a company outsources IT functions. The risk increases in such a situation and makes it substantially difficult to assess those controlsl. The question becomes: Does this third-party vendor have good controls? And how do you assess those controls?

Because management is accountable for the successful operation of the business, it’s important that they understand the potential risks the organization faces through its IT system. In the past, the conventional wisdom was that “as long as IT is doing a good job, I’m OK.” Now it’s a different ball game: you could be in major trouble if your systems aren’t secure. Regulations such as SOX, PCI and HIPPA have forced management to understand the potential risks to the IT system.

Remember, controls are only as good as top leadership wants to make them. Management, once complacent about earmarking resources for IT, can no longer afford to ignore this critical investment.