IT Audit – a tool for strategic management of the company
For many organizations today, information and the technologies that support it are the most valuable assets, though often not fully understood ones. Successful companies recognize the benefits that information technology (IT) offers and readily apply them, increasing their own value, efficiency and other advantages in a competitive environment.
However, the mere fact of adopting IT and using it for business purposes does not guarantee that all the expected benefits will be obtained. Experience has shown that, apart from benefits, information technology can bring a variety of negative factors, such as the dependence of business continuity and business efficiency on the use of IT, as well as various IT risks (ranging from unauthorized access to confidential information to financial fraud).
The deepening integration of information technology into organizations' business processes, and the dependence of performance results on its application, increase the importance of IT as a strategic resource that should be managed at an appropriate level.
The fundamentals of strategic management of information technology in organizations are set out in the concept of IT Governance, which provides the basis for the best practices of IT management. The basic principle of this concept is the need to align a company's IT strategy with its general business strategy, and its IT objectives and processes with business objectives and processes. In practice, this level of management is attainable only with a holistic view of the organization's information technology environment (IT environment) as a complex system, continuous monitoring of its components against specific performance indicators, and regular IT audits of specific objects/objectives of control.
An audit of information technology (IT audit) is an independent review (examination) of the company's IT environment that aims to obtain adequate information (facts) about its current state, give a fair audit opinion, and offer advice on improving this subsystem of the enterprise.
The increasing attention that business (not only IT directors but also key management personnel) pays to IT audit is explained by the fact that its results can answer questions about the efficiency of the IT environment and its components in reaching business objectives, the conformance of implemented IT models to the business, the competitive advantages gained from the use of IT, the economic feasibility of IT investments, the impact of IT risks on company performance, the efficiency of their control, and other relevant issues.
Using IT audit within the management system enables company management to see clearly the place of information technology in the overall operational structure and its contribution to achieving business objectives, and to assess how adequately the IT strategy matches the overall business strategy, as well as the maturity level of IT processes and IT risk management.
Stages of IT audit
We offer an IT audit service consisting of the following stages:
• preliminary IT diagnostics, audit of IT infrastructure;
• audit of IT department;
• audit of IT security;
• monitoring of the implementation of the advice given by IT audit.
Preliminary IT diagnostics is carried out within 3 – 5 working days in order to determine the types, terms and cost of the IT audit work. During diagnostics, the information about the company (audit client) needed to identify the key problems in the IT sphere is collected. This contributes to the development of a detailed proposal for an IT audit in the company.
Audit of IT infrastructure is conducted in order to obtain adequate information (facts) about the current state of the information technology infrastructure implemented in the organization, its strengths and weaknesses, and its efficiency in reaching business objectives, as well as to give professional advice on improving this subsystem of the company's IT environment.
Audit of IT department is carried out in order to obtain adequate information (facts) about the current state of the information technology management department in the organization, its strengths and weaknesses, and its efficiency in reaching business objectives, as well as to give professional advice on improving this subsystem of the company's IT environment.
Audit of IT security is conducted in order to obtain adequate information (facts) about the current state of the organization's information security, its strengths and weaknesses, and its efficiency in reaching business objectives, as well as to give professional advice on improving this subsystem of the company's IT environment.
Monitoring of the implementation of the advice given by the IT audit is carried out in order to monitor and support the audit client's implementation of the audit results. This stage is an important practice in audit execution that helps ensure the high quality and efficiency of the audit results in order to satisfy the business needs of the audit client.
The basis of the IT audit methodology
In providing IT audit services, we are guided by the best practices in IT management, documented in the form of generally accepted standards, guidelines and instructions, such as: ISACA IT Audit and Assurance Standards; ITGI COBIT®; ISO 9000x, ISO 20000x, ISO 27000x, ISO 31000, ISO 38500:2008; IFAC IT Committee Guidelines; INTOSAI IT Audit Committee Guides; OGC ITIL®; SEI CMMI®; Hewlett-Packard ITSM; Microsoft MOF.
Conducting an IT audit based on the best practices of information technology management in organizations ensures compliance with modern management approaches such as the systematic, holistic, process, customer-oriented and service approaches, as well as with the principles of IT strategic management.