Information Systems Consulting (IT)…
An information technology (IT) audit can be defined as an audit of IT systems, corporate or organizational management and operations, and related processes.
An IT audit can be performed:
- On a mandatory basis or at the request of the regulatory authority
- Voluntarily.
In Turkey, the Banking Regulatory Authority (BDDK) is obliged to monitor bank information systems and banking processes. This audit is conducted by an independent audit firm that is approved by the BDDK (BRSA in English) and meets the conditions required by the published regulations.
However, IT audits of companies, especially those outside the banking sector, may well be carried out voluntarily by other independent auditing bodies and auditors.
Currently, the accounting systems of many companies mainly use computers in the services and operations they provide. need to do it.
Audit Types:
The purposes of the IT audit can be listed as follows:
- Assessment of the reliability of data obtained from IT systems affecting the financial statements of businesses.
- Determination of the level of compliance with applicable laws, policies and standards.
- Detection and control of inefficiency as a result of unnecessary and excessive practices in the use and management of IT systems.
Why is IT Audit Important?
Many companies spend a lot of money on information technology. For example, we all know how expensive technology investments in ERP systems for medium-sized companies and subsequent services are. Therefore, IT systems must not only be reliable, but also secure and immune to technical attacks.
IT audits are important as a control to ensure that IT systems are adequately protected, provide reliable information to decision makers and information users, and are properly managed to achieve their intended benefits. Most business users rely on information technology without understanding how computers and algorithms work. However, computer errors are endlessly repetitive and can cause far more damage than human errors.
IT audits also help mitigate risks such as data corruption, tampering, system leaks, IT system failures and mismanagement.
How to Perform IT Audit?
In general, the IT audit process is performed as follows:
- The objectives and scope of the IT audit are determined.
- The audit plan necessary to achieve the IT audit objectives is developed.
- Relevant information is obtained from IT controls and the information obtained is evaluated.
- Audit tests, such as copying and testing data or analyzing accounting software, are performed using Computer Assisted Auditing Techniques (CAAT).
- Audit findings are reported.
How to create an IT Audit Plan
An IT audit plan should be established by evaluating the following critical elements:
- The information technology environment (ecosystem),
- IT risks, and
- The resources necessary to carry out the audit work.
IT Environment
A review of the IT environment consists of understanding the internal control procedures and activities performed. Failing to make these basic decisions and misdirecting the audit work increases the risk of inappropriate and erroneous results. At the same time, this first review should include a high-level review of the IT processes and control environment, focusing on key IT security principles such as confidentiality, integrity and availability.
At a minimum, this phase needs to address:
- Change management; for example, change controls over software and hardware updates of critical systems
- Access security; for example, control of forced access to the system, both internally and externally
- Business continuity and disaster recovery; the ability of the business to protect information assets from unforeseen threats or disasters and how to recover them quickly.
IT Risks
As in an independent audit, a risk-oriented approach is applied in the planning and execution of the work in an IT audit.
This approach includes:
- Identifying the most important risks,
- Associating the identified risks with the desired control objectives, and
- Identifying specific controls to mitigate these risks.
In this context, IT Auditing Standards such as ISO 27001 or COBIT 5 can be used to identify controls or make recommendations that can reduce the risks identified by the IT auditor to an acceptable level.
Required Resources
A final important factor when planning an audit is to consider the overall amount of work to be performed as an IT audit, including the need for dedicated specialists.
Scrutinizing this phase in terms of a sufficient number of IT audit staff and the timing of audits will improve the quality and make the audit work cheaper and more profitable.
Execution of IT Audit
Once the controls to be implemented have been identified, the IT auditor should collect evidence to confirm whether the identified controls are designed and functioning effectively. In this case, the accountant’s professional experience helps reinforce the subjective professional judgment that the accountant requires at a particular point in the practice.
Audit Reporting
Control weaknesses identified during the audit process should be documented and the findings presented to those charged with governance in a report.
What is an Information Systems Auditor?
To the extent that information technology standards can be referenced to conduct audits, IS auditors can produce reports containing objective and highly acceptable findings and recommendations. Standards related to information technology guide company managers and employees of information processing units. This helps the IS auditor prepare an audit program consistent with the audit objectives. There are now general standards for the use of information technology and detailed standards that focus only on specific topics such as information security and service delivery.
As a result of scandals experienced around the world, important steps have been taken under the oversight of international organizations and national authorities to ensure the accuracy and reliability of financial reporting, protect investors and take into account the interests of society and the public. The aforementioned rules and standards for auditing information systems include legal regulations, standards for IS audits, determination of professional competence in IS audits, audit activities related to the audit process, and supplementary regulations. Today, there are also standards and frameworks developed by international organizations in the areas of risk, management, control and information security that are not specific to, but included within, the field of information systems auditing. These six standards and frameworks are constantly being changed, updated and made more comprehensive in terms of the processes and principles involved.