The Basics of IT Audit
What is IT Audit?
If you are new to IT auditing it’s important to understand how the process works, what its aims are and how they are achieved.
For an IT auditor they must firstly understand the business. While a company’s business model might not at first seem connected to their computer network, in many ways it is. How they run their business should be reflected in their IT provision. Two businesses operating in the same sector may well be selling the same products, to the same customers, but they might interact with their systems in completely different ways. You might rely on certain aspects more; a failure in that area could be far more significant for you than it would be for a competitor or vica versa.
It’s also important to understand the threats to the company. By understanding the risks, an IT auditor is better able to assess the situation and make recommendations. You would need to understand the company’s vulnerabilities and its dependencies to truly understand the threats.
To many people they may see their only IT threat as that of hackers. Some people may overestimate the risk assuming an illuminati of hackers of plotting to bring down their website or internal network. There are indeed risks of such a threat but what would motivate the action? If this kind of threat were to materialise it might be because of an ethically questionable competitor, yet it’s not hugely common. It is the job of the IT auditor to assess this risk, understand the current vulnerabilities and recommend action based both on the need and the cost.
Dependency is another factor IT auditors have to take into account. Does the business rely on an order system containing all their customers’ details & financial records on a creaky computer with no back-up strategy? Could the failure of a small low cost item in the system result in much larger costs from lost business? The IT auditor has the responsibility to find these potential problems and help the company solve them.
The next stage for the auditor is the testing of the processes and protection the company has in place. It might be a case of checking every cable leads to a computer, or that every unit is using a safe password or that the firewall is up to scrutiny. By doing this you can see if the protection the company thinks they have in place is actually up to scratch.
It’s difficult for auditors as often they have to interact with systems administrators and other members of the company. These employees can often feel the auditor is being unnecessarily critical of their work. If you are thinking of becoming an IT auditor you will have to be quite diplomatic in your assessment. Their co-operation will make your work far easier so keeping them onside is important.
If you know the ins and outs of IT systems and are inquisitive by nature a job in IT auditing could be just the thing you were looking for.
Written by Jonathon Hickstead for CareersinAudit.com
To look for a new audit job, visit CareersinAudit.com, the leading job site for auditing vacancies.