IT Governance, Risk, and Compliance


January 20, 2012  9:06 PM

Auditing IT Service Delivery and Support – Part III



Posted by: Robert Davis
Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, COBIT, Infrastructure, ISO, IT Audit, ITSM, Service Delivery, Systems

Primary drivers for IT service audit planning are verifying the existence and adequacy of delivery and support. However, as with standard IT audits, an understanding of the general control environment, information systems, and control procedures should be obtained during engagement planning to comply with ISACA’s assurance standards and guidelines as well as other applicable attestation, audit, accounting, and IT standards.

IT auditors should clearly define the IT service engagement objectives and ambit. Typically, management is interested in IT service delivery and support work performance processes, with emphasis on the requirements and expectations that ensure achievement of entity-centric objectives. Consequently, the focus of IT service delivery and support attestation engagements should be on the items and services produced and their associated processes, with the objective of improving service performance and process effectiveness.


Post Note: As of January 12, 2012, Robert E. Davis, MBA, CISA, CICA is a Master of Science in IT Auditing and Cyber-Security Program instructor at Temple University.

January 17, 2012  8:20 PM

Auditing IT Service Delivery and Support – Part II



Posted by: Robert Davis
Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, COBIT, Infrastructure, ISO, IT Audit, ITSM, Service Delivery, Systems

An IT auditor assigned an IT service delivery and support engagement should consider performing assurance services based on major process points established in the ISO/IEC 20000 as well as COBIT frameworks. Where entity-centric ITSM is extracted from the ISO framework, an IT auditor will probably find assertion veracity or direct subject matter verification more productive if they are well versed in service delivery and support concepts. When confronted with an uninitiated entity, the risk-based IT assurance program addressing relevant ISO/IEC 20000 and COBIT areas can assist IT management through valuable process improvement recommendations that reflect generally accepted ITSM global standards.



January 13, 2012  11:17 PM

Auditing IT Service Delivery and Support – Part I



Posted by: Robert Davis
Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, COBIT, Infrastructure, IT Audit, Service Delivery, Systems

IT service management (ITSM) extraction, decomposition, analysis and assessment can provide the key to unlock the knowledge door for understanding an entity’s IT governance framework. The way in which IT is delivered as a service to end users is a critical managerial component that can impact IT effectiveness as a business enabler. Hence, IT service delivery and support areas should be periodically examined by IT audit to attest foundational vigor.

ISACA’s Effect of Pervasive IS Controls guideline suggests that the effectiveness of the controls in the Acquire and Implement (AI) and Deliver and Support (DS) domains is influenced by the effectiveness of controls operated in the Plan and Organise (PO) and Monitor and Evaluate (ME) domains. As presented, “Inadequate planning, organization and monitoring by management imply that controls over acquisition, implementation and service delivery and support will be ineffective. Conversely, strong planning, organization and monitoring can identify and correct ineffective controls over acquisition, implementation and service delivery and support.”



January 10, 2012  3:45 PM

Auditing Systems and Infrastructure Life Cycle Management – Part VIII



Posted by: Robert Davis
Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Infrastructure, IT Audit, Life Cycle Management, SDLC, Systems

Although most business processes rely upon planning, projects and the IT infrastructure to ensure effective management, IT infrastructure management (ITIM) is typically undervalued. In fact, according to International Data Corporation (IDC), investments in ITIM have the largest single impact on an entity’s revenue. Therefore, when performing SILCM audits, understanding network infrastructure concepts as well as their linkages is imperative for evaluating control adequacy and determining whether the entity is meeting generally accepted information criteria within the defined IT architecture.



January 6, 2012  10:01 PM

Auditing Systems and Infrastructure Life Cycle Management – Part VII



Posted by: Robert Davis
Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Infrastructure, IT Audit, Life Cycle Management, SDLC, Systems

Because tasks and titles vary, an IT auditor should concentrate upon the analysis and development processes that should be considered in SILCM, regardless of what any individual or group chooses for delineation or designation. Objectives should be developed to address the seven COBIT information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, and Reliability), and then agreed upon by the entity’s management.

Commonly, the purpose of an application systems assurance engagement is to identify, document, test and evaluate the controls over an application that an entity has implemented to achieve relevant control objectives. These control objectives can be categorized into control objectives over the system and control objectives over the related data. Correspondingly, the selected objectives and ambit of an application systems audit should form part of the TOR.



January 3, 2012  8:55 PM

Auditing Systems and Infrastructure Life Cycle Management – Part VI



Posted by: Robert Davis
Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Infrastructure, IT Audit, Life Cycle Management, SDLC, Systems

Primary drivers for IT systems and/or infrastructure life cycle management assurance planning are verifying control utilization, existence and adequacy. However, as with standard IT audits, an understanding of the general control environment, information systems, and control procedures should be obtained during engagement planning to comply with ISACA’s assurance standards and guidelines as well as other applicable attestation, audit, accounting, and IT standards.

Typically, management is interested in IT project management work performance processes — with emphasis on the requirements and expectations that ensure achievement of entity-centric objectives. Consequently, the focus of SILCM engagements should be on project management processes, with the objective of improving implementation efficiency and effectiveness.



December 30, 2011  9:55 PM

Auditing Systems and Infrastructure Life Cycle Management – Part V



Posted by: Robert Davis
Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Infrastructure, IT Audit, Life Cycle Management, SDLC, Systems

Entities may partially or fully delegate some or all of their IT asset development to a third party processor (TPP). IT resources that may be outsourced include infrastructure, platforms, and applications. Usually, the responsibility for confirming that outsourced activity complies with contracts, agreements, laws and regulations resides with the entity. When a TPP is within the SILCM ambit, IT audit is accountable for determining whether the TPP is in compliance with the contracted service’s terms of reference (TOR).



December 27, 2011  9:38 PM

Auditing Systems and Infrastructure Life Cycle Management – Part IV



Posted by: Robert Davis
Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Infrastructure, IT Audit, Life Cycle Management, SDLC, Systems

‘Application-based’ implementation audits assess any or all parts of the deployment process of a project. The IT auditor should assess relevant SDLC stages, as they are occurring, to highlight risks or issues and provide necessary risk mitigation recommendations to the appropriate management.

‘Application-based’ post-implementation audits include assessing the actual operation of the new system compared to the expectations documented when the system project was approved, and whether the delivered solution can be adequately managed and controlled. Specifically, post-implementation assurance service coverage includes application-level security after implementation and, if data and master file information have been transferred from the old system to the new one, the system conversion.

Lastly, ‘Application-based’ maintenance audits evaluate any part of the project life cycle that performs system remediation.



December 23, 2011  8:48 PM

Auditing Systems and Infrastructure Life Cycle Management – Part III



Posted by: Robert Davis
Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Infrastructure, IT Audit, Life Cycle Management, SDLC, Systems

Categorically, ‘Application-based’ pre-acquisition audits assess a system prior to obtaining usage rights, considering such matters as software requirements, vendor bidding, and system selection. Specifically, pre-acquisition assurance service coverage includes effects on IT resources, cost, and plans.

By contrast, ‘Application-based’ pre-implementation audits assess a system under construction, considering matters such as whether: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; and the system is developed in compliance with the established systems development life cycle process. At the detail level, a pre-implementation application audit normally addresses the architecture of application-level security, plans for the implementation of security, the adequacy of system and user documentation, and the adequacy of actual or planned user-acceptance testing.



December 20, 2011  8:54 PM

Auditing Systems and Infrastructure Life Cycle Management – Part II



Posted by: Robert Davis
Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Infrastructure, IT Audit, Life Cycle Management, SDLC, Systems

SILCM audits normally have a functional focus. ‘Functional-based’ SILCM audits examine identified processes as auditable units. However, if during ‘functional-based’ planning the IT auditor discovers that a SILCM-related framework is not deployed, the audit planner should consider utilizing the COBIT framework domain processes as a baseline for setting objectives. Typically, for SILCM assurance services, effectiveness and efficiency are the primary information criteria, while integrity, availability, compliance, and reliability should be considered secondary information criteria, even when other audit measurement standards are included within the audit ambit.
