Auditing & Monitoring

Cards (63)

  • Auditing:
    • We need some systematic and objective way to evaluate the hospital’s standing, i.e., auditing. We must regularly audit the processes and controls to ensure the hospital abides by all the related regulations and laws. Without auditing, there is no way to know what needs to be fixed.
  • Auditing:
    • In other words, when we ask questions such as: How can we know whether a company complies with the applicable laws and industry standards? How can we assess the effectiveness of the risk management and internal controls? How can we detect fraudulent activities or misuse of resources? The answer lies in auditing.
  • What is Auditing?
    • In simple terms, auditing is like a check-up for a company or organisation. It involves carefully examining the company’s processes, internal controls, and financial statements to ensure everything runs smoothly according to the policies and laws. Auditors look for problems, such as errors, inefficiencies, or shady activities, and suggest ways to fix them. This helps the company improve its operations and builds trust with the people involved or affected by the organisation’s activities.
  • What is Auditing?
    • In more formal terms, auditing is a systematic, independent, and objective process of gathering and evaluating evidence to determine if an organisation, its policies, processes, controls, or financial statements comply with applicable laws, regulations, and industry standards.
  • What is Monitoring?
    • In information systems, monitoring is about continually checking a computer’s or network’s performance and behaviour. It involves watching over various components such as applications, storage, and networking to make sure they’re working well together. Monitoring also looks for unusual behaviour and checks if anything violates established rules or policies.
  • Audit Definition
    • In finance, auditing is an official inspection and verification of an organisation’s financial records, procedures, and statements to ensure accuracy, reliability, and compliance with applicable laws, regulations, and accounting standards. In simple terms, an audit aims to verify the financial records of individuals and businesses.
  • Audit Definition
    • However, when it comes to information systems, auditing has a broader meaning as it goes beyond financial records and procedures. Auditing of information systems involves the systematic, independent, and objective examination of an organisation’s IT infrastructure, processes, and controls.
  • Audit Definition:
    • Furthermore, the audit of information systems has more encompassing objectives. The objectives of an information systems audit are to evaluate the effectiveness, security, and compliance of systems and data management within an organisation. By conducting an information systems audit, auditors can assess various aspects of an organisation’s IT infrastructure, processes, and controls.
  • Audit Objectives:
    By conducting an information systems audit, auditors can assess various aspects of an organisation’s IT infrastructure, processes, and controls. Some primary objectives of an information systems audit include the following:
    • Assess the effectiveness of internal controls: This process can help mitigate the risk of fraud, errors, and other disruptions to the organisation’s operations.
    • Identify and assess risks: This process can help the organisation develop and implement appropriate controls to mitigate risks to the organisation’s information systems.
  • Audit Objectives
    • Assess the efficiency and effectiveness of information systems: This process can help the organisation improve the performance of its information systems and make better decisions about future investments in information technology.
    • Ensure compliance with laws and regulations: This process can help protect the organisation from fines, penalties, and other legal sanctions.
  • Audit Objectives:
    • Risk assessment: Identify potential risks and vulnerabilities that may affect information assets’ confidentiality, integrity, and availability and evaluate risk mitigation strategies in place.
    • Regulatory compliance: Ensure that an organisation’s information systems adhere to relevant laws, regulations, and industry standards to avoid legal violations and safeguard the organisation’s reputation.
    • IT governance: Evaluate the effectiveness of IT governance practices, including decision-making processes, resource allocation, and performance management within the organisation.
    • By identifying potential vulnerabilities, weaknesses, or irregularities, IT auditors help prevent unauthorised access, data breaches, system failures, and legal violations, strengthening information security and ensuring the integrity, confidentiality, and availability of critical IT resources and information assets.
  • Audit Types
    One way to classify audits is based on who is performing the audit:
    • Internal audits: These are performed by an organisation’s personnel or staff members assigned to the internal audit function.
    • External audits: External audits are conducted by independent auditors not employed by the organisation being audited. These auditors are typically from external accounting or auditing firms, and the primary purpose is to provide an impartial and objective review.
  • Generally speaking, we would start with an internal audit to verify that the company is carrying out the different procedures correctly. In the next stage, we would pay for an external audit to help discover what we might have missed with our internal team. If we don’t start with an internal audit, we will most likely need multiple external audits, which can get quite expensive.
  • In addition to internal and external audits, we have:
    • Third-party audits: This type of audit is conducted when an organisation needs to assess its IT systems or controls within third parties, such as vendors, service providers, or subcontractors. Third-party audits ensure that the external entities a company relies on adhere to the required security, data protection, and compliance standards, thereby minimising potential risks and exposures that may arise from their operations.
  • Audit Process
    • 1. Planning: The auditor determines the audit’s scope, objectives, and timelines. This stage involves understanding the organisation’s IT environment – including infrastructure, systems, applications, security measures, and data management practices – and identifying potential risks and controls to be evaluated.
  • Audit Process:
    • 2. Information gathering: The auditor collects relevant data, background information, and documentation to thoroughly understand the organisation’s IT processes and systems. This process typically involves interviewing key personnel, reviewing resource documentation, analysing procedures and policies, and examining the control environment.
  • Audit Process:
    • 3. Risk assessment and control evaluation: The auditor identifies and assesses the risks and vulnerabilities within the organisation’s IT infrastructure, processes, and systems based on the information gathered. This process includes evaluating the effectiveness of internal controls, security measures, and compliance with applicable policies, regulations, and industry
  • Audit Process:
    • 4. Testing: The auditor performs detailed tests on selected systems, applications, specific processes or control procedures to validate their effectiveness, accuracy, and compliance. Testing methods may include data analysis, vulnerability scanning, penetration testing, controls testing, or sampling, depending on the audit objectives and the audited systems.
  • Audit Process:
    • 5. Analysis and findings: The auditor analyses the testing and evaluation results, identifies deviations, irregularities, or vulnerabilities, and evaluates the implications. Auditors determine if systems are configured securely, IT processes are effective and compliant, or risks are adequately mitigated.
  • Audit Process:
    • 6. Reporting: After the analysis, the auditor documents the findings and conclusions, makes recommendations for improvement where necessary, and prepares a formal audit report. This report is then shared with the management, the audit committee, or other stakeholders as required, helping them understand the organisation’s risk exposure, compliance, and effectiveness of IT processes and controls.
  • Audit Process:
    • 7. Follow-up: In some cases, a follow-up may be performed to evaluate if the recommended improvements and corrective actions have been implemented and ensure their effectiveness in addressing the identified issues.
  • Audit Areas
    • Information Systems Hardware: Inspect the hardware configuration and performance to ensure it meets the organisation’s needs.
    • OS: Check the operating system configuration and security to ensure it is secure and compliant with organisational policies.
    • File Systems: Check the file system permissions and access control to ensure that sensitive data is protected.
    • Database Management Systems: Audit the database configuration and security to ensure it is secure and compliant with organisational policies.
  • Audit Areas:
    • Network Infrastructure: Inspect the network configuration and security to ensure it is secure and compliant with organisational policies.
    • Network Operating Controls: Audit the network operating controls to ensure that they effectively prevent unauthorised access to the network.
    • IT Operations: Examine the IT operations to ensure they effectively deliver high-quality IT services.
    • Lights-Out Operations: Check the lights-out operations to ensure they effectively manage IT infrastructure without the need for human intervention.
  • Audit Areas
    • Problem Management Operations: Audit the problem management operations to ensure that they effectively resolve IT problems in a timely manner.
    • Monitoring Operations: Validate the monitoring operations to ensure they effectively detect and respond to IT incidents.
    • Procurement: Check the procurement process to ensure that IT hardware and software are secure and compliant.
    • Business Continuity Planning: Inspect the business continuity plan to ensure that it effectively maintains the continuity of critical IT services during a disaster.
  • Audit Areas
    • Disaster Recovery Planning: Examine the disaster recovery plan to ensure it effectively recovers critical IT services during a disaster.
  • Audit Scenario: We are auditing a company using COBIT. Step 1: Planning
    • Define the scope of the audit against the relevant COBIT controls.
    • Identify the relevant COBIT controls: We identify the appropriate COBIT controls that are in place to mitigate the risks identified in the scope of the audit.
    • Develop an audit plan: We will need to develop an audit plan that outlines the steps that will be taken to gather evidence and assess the organisation’s compliance against relevant COBIT controls.
  • Note: The COBIT 2019 framework defines 40 control objectives, which are grouped into five domains:
    • Plan and Organise (PO): 13 control objectives
    • Acquire and Implement (AI): 9 control objectives
    • Deliver and Support (DS): 11 control objectives
    • Monitor and Evaluate (ME): 7 control objectives
    • Resilience (RES): 1 control objective
  • Audit Scenario with COBIT:
    Step 2: Execution
    • Gather evidence: We start this stage by gathering evidence of the organisation’s compliance with the relevant COBIT controls. This evidence may include documentation, interviews, and observations.
    • Assess the evidence: Next, we assess the evidence to determine whether the organisation complies with the relevant COBIT controls.
  • Audit Scenario with COBIT:
    Step 3: Assessment
    • Identify gaps in compliance: First, we must identify gaps in the organisation’s compliance with the relevant COBIT controls.
    • Make recommendations for improvement: Next, we can make recommendations for improvement to the organisation’s IT governance practices.
  • Audit Scenario with COBIT:
    Step 4: Reporting
    • Prepare the audit report: We begin by preparing an audit report summarising the audit findings and making recommendations for improvement.
    • Communicate the audit report: Once the report is ready, we must communicate it to the organisation’s management and stakeholders.
    Step 5: Follow-up
    • Monitor the implementation of recommendations: Ideally speaking, we will be able to monitor the implementation of the recommendations made in the audit report to ensure that the organisation is taking steps to improve its IT governance practices.