IT Audit Services: Ensuring the Right Systems and Controls

IT Audit Services
Ensuring the Right Systems and Controls
Are in Place to Manage Risks Created by
New Technologies
Why Data Matters
Accurate and reliable data enables customers to place orders, companies to ship product, sales people to
connect with targets, and management to evaluate what is going on in the business and make appropriate
decisions. All of these processes and many more rely on a complex system of technologies that underpin the
operation of companies today. Navigating this environment is not getting easier. Rather, the pace of change
in technology is increasing, customers now access their accounts remotely, social media is used as a sales
channel, orders are placed on smartphones, and people, both employees and customers, want access to their
data all the time and from everywhere. This is why it is so painful when technology goes wrong and why the
specialized skill of auditing the technologies used to support a business matters.
Today’s Top Technology Challenges
1. 2. 3. 4. 5. IT security and privacy/cybersecurity
Resource/staffing/skills challenges
Emerging technology and infrastructure
changes: transformation, innovation, disruption
Regulatory compliance
Budgets and controlling costs
6. IT governance and risk management
7. Big data and analytics
8. Vendor, third-party and outsourcing risks
9. Cloud computing/virtualization
10. Bridging information technology (IT)
and the business
Results of the ISACA/Protiviti 4th Annual IT Audit Benchmarking Survey
Why IT Audit Matters
Technology permeates almost every facet of business today. We make thousands of assumptions every day
about the reliability or function of some piece of technology that supports what we are trying to achieve. An
organization’s top executives, board of directors and audit committee members look to IT management for
effective oversight of IT risks, and lean on internal audit to provide assurance that the governance of those
risks is happening.
Consistently evaluating how the technology organization identifies and manages risk is a key role of
the IT audit function. IT audit also provides insight into the threats inherent in today’s highly complex IT
environment and provides assurance to the board that the collective organization has the systems and
processes in place to anticipate and manage the risks brought on by new technologies.
In addition, the regulatory environment is constantly changing, impacting the compliance requirements
companies face (e.g., Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI DSS), HITECH
Act, COSO, Cybersecurity Act, etc.). The IT audit function has a role to understand how these external
requirements impact the organization and how the IT function is mitigating the company’s exposure.
Despite these needs, many organizations are not well-equipped to foresee and manage IT risks adequately.
Our benchmarking survey of IT audit functions,1 which we conduct annually to identify and analyze IT audit
trends and gaps present in organizations today, shows there is a need for significant improvement in IT audit
capabilities within most organizations.
Protiviti has extensive experience with helping companies assess and improve their IT audit capabilities. We
often provide the IT audit function, conduct projects on specific topics, or assist larger in-house IT audit
departments as subject-matter experts.
1
1
4th Annual IT Audit Benchmarking Survey, Protiviti, 2014, www.protiviti.com/ITAuditSurvey
Protiviti IT Audit Services
Protiviti IT Audit Services
2
“ “RISK ASSESSMENT IS THE IDENTIFICATION AND ANALYSIS OF RELEVANT RISKS TO ACHIEVEMENT OF
THE OBJECTIVES, FORMING A BASIS FOR DETERMINING HOW THE RISKS SHOULD BE MANAGED.”
AS DEFINED BY THE COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION
Our Philosophy and Approach to IT Auditing
Understanding the landscape of the technology environment and how it supports the business is an involved
task with which many organizations struggle. We use the model below as a guide for IT risk assessments
and audit scoping and planning, to help us plot the use of technology in the company and link it back to the
business. We utilize each part of the model to assess, prioritize and influence the development of the
IT audit universe and audit plan.
• At the core are the organization’s
business processes – the reason
technology exists within any
organization and the ultimate focus
of the IT organization.
• Surrounding the core are key
technology components and
applications needed to enable
the business.
• Platforms, networks, databases and
physical assets form the basis of the
IT organization and each could be a
source of IT risks.
• Key success factors for the IT
organization surround the core
IT processes.
Risks and Indicators of Need
Technology is increasingly used to support and optimize business processes. As reliance on technology grows,
so do the associated risks to the organization. Some of the business aspects affected by rapidly expanding
technology use include:
• Increased automation of business processes
• Rising complexity of processing (users cannot or do not determine the accuracy and completeness of
the processing)
• Increased reliance on information to make real-time management decisions and to achieve compliance
with the Securities and Exchange Commission (SEC) and other regulatory and compliance guidance
• Outsourcing of technology and processes, resulting in changes to the risk profiles
• Increased internal and external threats from hackers and others who want to disrupt business and/or gain
advantage from confidential or proprietary information
3
Protiviti IT Audit Services
The table below outlines typical IT risks and lists important indicators pointing to the need for an effective
IT audit function.
Risks Related to Technology
• The information provided by the systems
lacks integrity and effectiveness (relevance,
accuracy, timeliness, consistency, valid for
its business use, etc.).
• Confidential information is exposed
or breached.
• Systems and data are not available as
needed by the business.
• Technology and data are not managed in
accordance with laws, regulations and
contractual terms and conditions.
• Information and data are not reliable
and sufficient for management to
make decisions.
• Technology and data are not managed
and maintained efficiently and effectively.
Indicators of Need
• There has been a major change in the business
or IT organization caused by rapid growth or
other factors.
• The company lacks a formal IT audit function,
or IT audit staff is not adequately trained in
emerging technologies and the related risks.
• The company currently outsources the IT audit
function to a provider with a perceived lack of
independence and objectivity.
• The IT audit function lacks the technical and
business skills to meet the organization’s needs.
• The company relies on fragmented or immature
technology or has poor internal IT controls.
• The IT department lacks documented policies and
procedures, or its policies and procedures are not
applied consistently across the organization.
• The company must meet regulatory requirements or
provide assurance to third-party entities.
How We Partner With Companies to Deliver IT Audit Services
A successful IT audit assesses technology risks and the control environment as they relate to critical business
processes. Almost all of our IT audit engagements find their origin with a risk assessment exercise. To do this,
we typically establish a “risk universe” of the IT risks inherent in the client’s business or industry, by looking at
critical business processes in place, identifying key applications and supporting technology for each significant
business process, understanding the management and governance structure applied, and noting current and
future IT projects and initiatives. We then organize our observations into a “heat map” of risk areas, as a
means of understanding where our work will deliver the most impact and value for our client, and we correlate
our findings about risk with the goals of executive management.
Co-sourcing or Outsourcing?
An IT audit function must have the appropriate mix of skills that reflects the needs of the organization – that
is, its most critical or most often used business processes and structures. In departments with designated IT
auditors, internal audit staff typically will have basic knowledge of application controls and configuration,
IT general controls testing (a broad level of understanding specific to the IT environment), and IT risk
assessment and audit planning procedures. However, IT audit staff may lack the more advanced and specialized
skills required to address adequately all of the business’s technology risks, or specific risk-sensitive processes,
components and infrastructure – such as can be identified through a risk assessment exercise.
Protiviti IT Audit Services
4
Furthermore, it is often difficult to hire, train and retain qualified IT audit experts in specialized areas, or
the advanced audit skills may not be needed full-time throughout of the year. Organizations must evaluate
carefully their internal IT audit capabilities in light of the needs of the business to determine the best way to
structure the IT audit function. Co-sourcing those IT audits that require skills outside of the organization’s
standard competency profile is often a better option for companies than maintaining a full skill set in-house
year-round. Some organizations will find that outsourcing the IT audit function helps them focus on their
core business activities, with no need to worry about the adequacy of their internal IT audit resources. In both
instances, Protiviti can step in as a highly qualified and experienced IT audit partner to a company’s internal
audit function in either a co-sourced or outsourced capacity.
Why Choose Protiviti as Your Partner
We understand that accurate and reliable data does matter and that technology is about more than settings
on a server, patches that haven’t been applied, or a thousand other details that distract from the key issues.
Technology is relevant to a business because it supports a business process that furthers your strategy.
Our approach to IT auditing is to evaluate the context in which technology is used and enable transparency
from bits and bytes to dollars and cents. Our audit services are delivered by appropriately trained and supported
professionals equipped with leading-practice methodologies, tools and thought leadership. We have hundreds of
professionals focused on IT internal audit solutions, and have executed more than one million hours of IT audit
project work as a firm. We demand a high level of professionalism and commitment to client satisfaction from
our professionals and we actively measure client satisfaction to ensure we are meeting our goals.
We have provided IT audit services to nearly 800 organizations globally, more than 20 percent of which are
Fortune 1000® companies. Our industry footprint includes:
• Financial Services and Real Estate
• Consumer Products and Services
• Healthcare and Life Sciences
• Technology, Media and Communications
• Energy and Utilities
• Industrial Products
• Government
By choosing Protiviti as your partner, you will gain:
• Confidence that Protiviti professionals with deep technical and analytical skills will assess the security,
integrity, availability and reliability of critical information
• Access to Protiviti’s broad knowledge base of industry best practices for IT controls
• Unbiased view of your company’s current IT environment and its risks
• Actionable results to help mitigate uncontrolled risks
• Appropriate alignment between the internal audit function and the company’s business and IT strategies
• Improved effectiveness and efficiency of technology controls and processes
5
Protiviti IT Audit Services
About Protiviti
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance,
technology, operations, governance, risk and internal audit, and has served more than 40 percent of
FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member
Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works
with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a
member of the S&P 500 index.
Contacts
Brian Christensen
Executive Vice President – Global Internal Audit
+1.602.273.8020
brian.christensen@protiviti.com
David Brand
Managing Director
Leader – IT Audit Practice
+1.312.476.6401
david.brand@protiviti.com
UNITED STATES
CHINA
Central Region
Michael Thor
+1.312.476.6400
michael.thor@protiviti.com
Michael Pang
(852) 2238.0499
michael.pang@protiviti.com
Eastern Region
James Armetta
+1.212.399.8606
james.armetta@protiviti.com
Thorsten Ruetze
+49.69.96.37.68.142
thorsten.ruetze@protiviti.de
Western Region
Jonathan Bronson
+1.213.327.1308
jonathan.bronson@protiviti.com
Anthony Samer
+1.415.402.3627
anthony.samer@protiviti.com
AUSTRALIA
Ewen Ferguson
+61.2.8220.9500
ewen.ferguson@protiviti.com.au
CANADA
GERMANY
JAPAN
Yasumi Taniguchi
+81.3.5219.6600
yasumi.taniguchi@protiviti.jp
SINGAPORE
Ivan Leong
+65.6220.6066
ivan.leong@protiviti.com
UNITED KINGDOM
Mark Peters
+44.20.7389.0413
mark.peters@protiviti.co.uk
Marc Poirier
+1.514.871.2348
marc.poirier@protiviti.com
Protiviti IT Audit Services
6
THE AMERICAS
EUROPE/MIDDLE EAST/AFRICA
UNITED STATES
Alexandria
Atlanta
Baltimore
Boston
Charlotte
Chicago
Cincinnati
Cleveland
Dallas
Denver
Fort Lauderdale
Houston
Kansas City
Los Angeles
Milwaukee
Minneapolis
New York
Orlando
Philadelphia
Phoenix
Pittsburgh
Portland
Richmond
Sacramento
Salt Lake City
San Francisco
San Jose
Seattle
Stamford
St. Louis
Tampa
Washington, D.C.
Winchester
Woodbridge
ARGENTINA*
Buenos Aires
CHILE*
Santiago
PERU*
Lima
BRAZIL*
Rio de Janeiro
São Paulo
MEXICO*
Mexico City
Monterrey
VENEZUELA*
Caracas
FRANCE
Paris
GERMANY
Frankfurt
Munich
ITALY
Milan
Rome
Turin
THE NETHERLANDS
Amsterdam
UNITED KINGDOM
London
BAHRAIN*
Manama
QATAR*
Doha
KUWAIT*
Kuwait City
UNITED ARAB EMIRATES*
Abu Dhabi
Dubai
OMAN*
Muscat
SOUTH AFRICA*
Johannesburg
CANADA
Kitchener-Waterloo
Toronto
ASIA-PACIFIC
AUSTRALIA
Brisbane
Canberra
Melbourne
Perth
Sydney
CHINA
Beijing
Hong Kong
Shanghai
Shenzhen
INDIA*
Bangalore
Mumbai
New Delhi
JAPAN
Osaka
Tokyo
SINGAPORE
Singapore
* Protiviti Member Firm
© 2015 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.
Protiviti is not licensed or registered as a public accounting firm and does
not issue opinions on financial statements or offer attestation services.
PRO-0215