Posted: December 11th, 2022

Planning and managing an information technology audit

Planning and managing an information technology audit is a very essential component that every organization should engage in. Information system audits comprise of examination of the management controls found with an information technology infrastructure. Basically, an IT infrastructure is made up of components that are useful for the existence, operation, and management of an IT business environment. The infrastructure can either be internal or deployed within the clod computing systems and it consists of physical devices such as computers and networking hardware, as well as software applications, and network components needed to operate the organization. IT audits enable an enterprise to maintain effective operations and maintain compliance with both administrative and legal regulations. Evaluation derived from the audit evidence helps to determine whether the exiting IT systems within an organization safeguard assets, preserve data integrity and whether the systems are effectively operating to achieve the set goal and objectives. Audits prepare an organization to face potential challenges hence enabling proper functioning of a business. Stakeholders are more informed of the financial, operational, and ethical well-being of an organization they affiliate with through IT audits. Organizations have a responsibility of defining their culture through well stipulated IT policies that define what the members are expected to do and how cases of noncompliance are dealt with. With a well-defined scope, goals, and procedures, it is more likely that a successful audit will be performed which produces evidence that is relevant, reliable, and sufficient to support organizational decision making.
As an information security manager who has been hired by a national retailer to develop a plan for performing regular audits of the IT infrastructure, my duty is to support the goal of the enterprise by providing a two week IUT audit project plan. This paper will be addressing the steps necessary in the management of an IT infrastructure and will in depth, look into the development of the following aspects; internal IT audit policy, a management plan, a project plan, and a disaster recovery plan.
Section 1 (Internal IT Audit Policy)
Planning an IT audit involves gathering information and planning the proceeding to understanding the existing internal control structure. The national retail enterprise has a main office plus 268 across the entire of the United States which means that there are quite a number of employees involved, as well as different servers. Given the size of the enterprise, there is need to establish an organizational IT policy in order to minimize business risk.
The policy that I will develop will be used to advise all the users in the main office and the 268 stores on the security scanning procedures and the precautions that will be observed during the entire audit process. The audit will be conducted to enhance enterprise integrity, confidentiality, as well as availability of both information and resources. It will also be used in the investigation of potential security threats an incidences to ensure conformity to the stipulated policy. Lastly, the audit will be essential when it comes to monitoring both user and system security where applicable.
POLICY STATEMENT
The national retail enterprise has a policy to maintain an effective, independent, and objective Internal Audit Function which is effectively resources hence enabling management of the enterprise through effective sharing of responsibilities. The policy functions as follows;
• Outlining reasonable assurance that the management processes within the enterprise are sufficient in the identification, management, and monitoring of all the potential risks.
• Ensuring effectiveness in the operation of the existing internal control systems.
• Making sure that a credible feedback process on risk management and assurance is in existence during the entire audit process.
• Informing on the objective confirmation that council gets sufficient assurance of reliability, accuracy, and relevance of information from the enterprise management.
SCOPE
The policy will cover all the over 1000 desktops and 500 laptops and communication devices owned and operated by the national retail enterprise employees across all the branches. Any communication device connected to the enterprise network. Computers or communication devise that has been previously connected to the networks that are believed to have been used contrary to the policy of the enterprise while so connected will also comply with the policy. Any computers and communication devices that are making attempts of connecting, interacting, or making an interface with the enterprise networks will also be covered by the policy.
OBJECTIVES
The main objective of the audit is to provide independent and objective assurance as well as consulting and investigation services that are efficiently designed to add value, improve enterprise operation, and enhance achievement of the business goals. The internal audit policy aims at providing reasonable assurance to the enterprise in the following ways;
• Confirming the commitment of the enterprise to an effective Internal Audit Function.
• Ensuring independence of the Internal Audit Function.
• Defining the expected roles and responsibilities of the Internal Audit Function.
• Defining the principles that will guide the approach of the enterprise to the entire internal audit process.
• Explaining the planning cycle of the entire audit process to the board of directors, employees, stakeholders, and the auditing team.
MANAGEMENT OVERSIGHT & RESPONSIBILITY
The policy aims at ensuring that the oversight of the enterprise resources during the entire audit process is well informed. It is the responsibility of the audit to perform the following tasks for an effective audit that is geared towards the achievement of the enterprise goals;
• Effectively identifying and ensuring that’s risks are appropriately managed.
• Interacting with the various governance groups in the numerous stores to enhance coordination of the audit process.
• Ensuring accuracy, timeliness, and reliability of the financial, managerial, and operating data.
• Making sure that actions of all the employees comply with policies, standards, procedures, and all the applicable laws and regulations.
• Enabling an economical acquisition of enterprise resources, and ensuring that the resources are used efficiently and that they are adequately safeguarded.
• Providing an environment for the enterprise control process to foster quality and continuous improvement.
• Outlining significant legislative and regulatory issues that impact the company to ensure that they are recognized and appropriately addressed.
• Ensuring that programs, plans, and objectives are achieved.
COMPLIANCE WITH APPLICABLE LAWS AND REGULATIONS
To enhance compliance with the applicable laws and regulations, there will be need for adequate collaboration across the entire team of employees, managers, board of directors, stakeholders, and the auditing team. For compliance, the following will have to be achieved;
• Meeting with divisional leaders to make sure that the set laws and regulations are feasible in the entire enterprise department.
• Evaluating and determining the best policy format that suits the different audiences that exist within the enterprise since different departments consist of different personalities, schedules, and experiences.
• Making policies and procedures that are accessible to the employees of the enterprise. The policies and regulations will be will be in easily identifiable folders that will be structured by department and type of policy.
• Setting up clear deadlines for each policy and procedure to be recognized. Task-alerts will be included, over-due notifications, and renewal alerts will be included in a program to send alerts to the right people.
• Determining the most appropriate methods that will enable the IT audit team to measure the level at which the employees understand the policies and regulations. The step will be automated to increase efficiency during the policy formulation process and during the entire audit process.
AREAS COVERED IN IT AUDIT
The audit will cover all areas of the organization inclusive of the IT infrastructure and the existing support services. The following are the areas to be audited;
• Internal accounting controls
• Operational controls in all the 268 stores and the main office
• Administrative controls in all the 268 stores plus the main office
• The existing enterprise security policies and procedures
• The usage of documents and records within the enterprise
• The IT infrastructure inclusive of all the over 1000 desktops and 500 laptops belonging to the enterprise. All communication devices that have interacted with the enterprise networks.
• The enterprise networks will be audited inclusive of cloud computing, the Cisco working group and core switches, Cisco routers and the Microsoft windows 2012 servers.
• The physical and logical security systems and policies for all data centers and IT resources within the enterprise.
References
Gelbstein, E. (2017). IS Audit Basics: Preparing for Auditing New Risk. Isaca.org Journal, Volume 2.
Suduc, A. M., Bîzoi, M., & Filip, F. G. (2010). Audit for information systems security. Informatica Economica, 14(1), 43.
Petraşcu, D. (2010). INTERNAL AUDIT: DEFINING, OBJECTIVES, FUNCTIONS AND STAGES. Studies in Business & Economics, 5(3).

SECTION 2: MANAGEMENT PLAN