Small Business Insight of Hampton Roads


AL MOORE MARATHON CONSULTING

When An IT Audit May Be A Good Thing

If your business requires annual audits to validate your financial statements, and your information technology systems are critical to your operation, perhaps you should consider having your CPA conduct an IT audit.

As we know, a financial audit is directed toward enabling the CPA to render an opinion on the accuracy of your financial statements. If your use of IT is limited to purely financial transactions like accounts payable processing, accounts receivable, and general ledger reporting, the complexity of the IT component of a regular audit can be relatively limited. However, if your IT systems are critical to the core mission of your business, the IT audit will be both more complicated and possibly mandatory. If you rely on automated systems for such functions as sales order management, purchasing, shop floor control, inventory control, or the handling of patient healthcare information, an IT audit definitely deserves consideration.

There are several reasons why the IT audit should be important to the business owner or chief executive. A few of these reasons are cited on the www.jerichoforum.org website. They include:

1. Without an appropriate IT audit, important IT controls within an organization may not be fully tested. This can lead to higher levels of risk, including regulatory compliance risks, and real financial risks.

2. An IT audit is a measurement of IT risk management, which translates into business risk management.

3. Improper management of IT risks carries severe business impacts if regulatory noncompliance is revealed. The Sarbanes-Oxley Act (SOX) represents an example.

4. Against a landscape of increasing threats, vulnerabilities and regulatory compliance demands, the need for evidence that adequate governance of information security has been implemented and operates effectively across the scope of the organization and its IT infrastructure will increase.

IT audits frequently address many interrelated topics, most of which focus on protecting the organization’s assets. If internal controls are lax, assets can be diverted, inadvertently or intentionally. In either case, there is a high probability that these misappropriations will not be accurately reflected on the financial statements. While the boundaries among the topics are somewhat grey, the categorization of specific audit tasks is immaterial. The important considerations are whether or not the audit tasks are completed, and what they reveal.

Small Business Insight | November/December 2010

Specific audit topics usually include:

• Control of Admin Privileges
• Access Control
• Physical Security
• Internet & E-mail Use
• Password Security
• User Account Management
• Anti-SPAM Policies
• Use of Social Media
• Mobile Computing
• Anti-Virus Protection
• Database Access
• Network Access Control
• Network Configuration Mgmt.
• Transaction Logging/Audit Trails
• Data Privacy
• Change Management
• Incident Reporting
• Intrusion Detection
• Secure Software Development Lifecycle
• Data Backup & Storage
• Business Continuity Planning

Once the organization’s procedural intentions are understood and documented, the IT audit will typically include some form of validation — “Testing” in the auditors’ glossary. Tests and how they are applied are defined in the various auditing standards that

