IT Governance, Risk, and Compliance


January 7, 2010  7:30 PM

IT Audit Verification Planning: Resolving Technique Selection – Part VI

Posted by: Robert Davis

Characteristics of a deployed audit trail can determine the test procedures performed. With an acceptable audit trail, the IT auditor may decide to trace selected data or information through the entire configuration or to determine infrastructure availability. Without a trail, the IT auditor may decide to execute extensive substantive tests on the electronically encoded configuration items.


January 4, 2010  6:49 PM

IT Audit Verification Planning: Resolving Technique Selection – Part V

Posted by: Robert Davis

Whether audit procedures are performed on individual programs and files, or on the entire configuration as an integrated unit, is determined by the audit objectives and the audit trail. To test the functionality of input controls, for example, the IT auditor can perform compliance tests on a specific program and, separately or jointly, test the integrity of processing by performing substantive procedures on a specific data file. Alternatively, the selected configuration may be compliance tested as an integrated unit by processing test data through it and examining both the errors rejected by programs and the contents of files for evidence of controls.



December 30, 2009  7:03 PM

IT Audit Verification Planning: Resolving Technique Selection – Part IV

Posted by: Robert Davis

Auditing IT configurations involves performing compliance and substantive tests on a selected information asset as an integrated unit. Integration can refer to various activities including: combining the separate testing of programs and files into an overall evaluation; combining the testing of programs and files into a single test; utilizing a mixture of techniques to accomplish the compliance and substantive testing objectives and combining the results into an overall evaluation of the entire IT configuration or a specific configuration subset; and treating the IT configuration — with its programs and files — as a single unit that receives input, processes data, and produces output in a regulated environment.



December 28, 2009  9:08 PM

IT Audit Verification Planning: Resolving Technique Selection – Part III

Posted by: Robert Davis

Auditing electronically encoded programs can also involve compliance and substantive testing. Compliance testing usually involves testing programs for controls, and techniques for auditing programs are primarily oriented toward compliance testing. Substantive testing, in contrast, typically involves ascertaining the reliability with which an electronically encoded program processes data.



December 23, 2009  8:11 PM

IT Audit Verification Planning: Resolving Technique Selection – Part II

Posted by: Robert Davis

Compliance testing is the primary method employed to verify that stated controls are operating effectively, while substantive testing is the primary method utilized to increase audit assurance. For instance, an IT auditor may reperform compliance testing documented by an entity’s software quality assurance department to verify that controls are operating effectively, whereas an IT auditor may apply substantive testing procedures, such as recalculating cost allocations, to assess whether a discovered deficiency is material.

Auditing electronically encoded files can involve compliance testing and substantive testing. Specifically, files can be tested for evidence of compliance with designed controls or the integrity of the data contained therein. Techniques for auditing files are primarily oriented toward substantive testing of details in the selected repositories.



December 21, 2009  7:59 PM

IT Audit Verification Planning: Resolving Technique Selection – Part I

Posted by: Robert Davis

There are a variety of techniques available to the IT auditor for compliance and substantive testing when performing assurance engagements. Selecting a technique appropriate for the assurance task at hand, however, can be difficult. Analytically, to provide the most suitable IT audit evidence, various classification schemes can be adopted to organize the diverse testing techniques. Through these taxonomies, the IT auditor can gain an understanding regarding which technique may be most appropriate for a given situation. Within this context, determining which elements of the IT architecture are to be examined is critical to the testing technique selection process. For instance, when combined with generally accepted IT naming conventions, IT assurance testing techniques can be applied to information assets such as files, programs, or configurations — depending on the particular audit objectives and accessible audit trails.


December 17, 2009  7:32 PM

An Ounce of Disaster Prevention is Worth a Pound of Disaster Remediation – Part IV

Posted by: Robert Davis

Business volatility includes unexpected IT demand, merger and acquisition activities, as well as economic or government events; government volatility, for example, can reflect a political event. Theoretically, adequate Continuity Management ensures the capacity to operate when a disaster or unexpected event occurs. Therefore, an IT auditor should assess whether a process exists to ensure that the monitoring of, and planning for, future capacities are done with adequate dialog and participation within the entity well in advance, and whether plans are reviewed at periodic intervals. Good capacity management ensures that the entity’s quality of service is continued at all times — even after a disaster has occurred.



December 14, 2009  7:29 PM

An Ounce of Disaster Prevention is Worth a Pound of Disaster Remediation – Part III

Posted by: Robert Davis

Business continuity and disaster recovery plans should follow suggested best practices for development to ensure adequate incident handling. Commonly, the primary goals of the incident management process are to restore a normal service operation as quickly as possible and to minimize the impact on business operations; thus ensuring that the best possible levels of service quality and availability are maintained.

As a sub-category, business interruption prevention plans and processes allow an entity to avoid, preclude, or limit the impact of a crisis occurring. Tasks included in such a prevention system should enable compliance with applicable laws, regulations, policies, procedures, rules and standards supporting avoidance, deterrence, and detection of potential catastrophic incidents — where incidents may encompass: local events like building fires, regional events like earthquakes, or national events like pandemic illnesses.



December 10, 2009  8:49 PM

An Ounce of Disaster Prevention is Worth a Pound of Disaster Remediation – Part II

Posted by: Robert Davis

Organizational resilience requires proactive preparation for potential incidents in order to avoid suspension of critical operations and services or, if operations and services are disrupted, to resume processing as rapidly as those who rely on them require. Typically, an IT department’s success depends upon satisfying end user processing and service requirements. Hence, IT operational resiliency should be considered an overarching organizational priority, one that can be addressed through disaster recovery planning efforts that help ensure an entity is better prepared for crisis situations. To enable continuity in the delivery of IT services in accordance with the entity’s stated objectives and goals, management should develop strategies, tactics, policies, procedures, standards and rules designed to ensure continuity of operations.

Correspondingly, other aspects of continuity planning that should also be addressed during development are the means whereby business users can be relocated and connected to standby technologies, if necessary. In addition, adequate continuity planning normally requires considering the needs for alternative voice and data communications, for storing copies of important paper documents off-site, and for procedures permitting clerical processing of data until the standby service is available.



December 7, 2009  7:01 PM

An Ounce of Disaster Prevention is Worth a Pound of Disaster Remediation – Part I

Posted by: Robert Davis

“Attention all personnel! Attention all personnel! We are now experiencing an emergency code red condition. This requires following current crisis management procedures. Please, immediately proceed to your designated evacuation area and await further instructions…”

As we all should be aware, this type of occupational notification can occur at any time and in any place in the world where employees perform their assigned duties. Compounding the aforementioned scenario is the fact that some entities now rely on IT services to the extent that, if key services are unavailable for a matter of hours, the entity’s business can be severely affected. Substantively, this situation can arise because it is generally impossible to fall back on manual methods: it may not be technically feasible to substitute manual procedures for current ones, there may be insufficient personnel to process the volume of work associated with a function, employees may no longer have the necessary skills to perform a key task, or some combination of these factors may apply.