Qualified Advice Partners assists your organisation with the assessment of the information system controls that contribute to the implementation of IT risk management.
IT Audit preparation
IT Audit execution
By looking at the fiduciary, quality and security requirements of an organisation, the «to-be-managed» IT risks are identified. Based on these major risks, the CobiT® control framework is used to determine a set of generally accepted best practices. The Guide to the Assessment of IT Risk (GAIT) series describes the relationships among risk to the financial statements, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls (ITGC). A high-level risk assessment based on likelihood and business impact of the events determines which processes and issues are audited first.
Are IT projects contributing to the realisation of the business objectives? How does an IT disaster affect the continuity of the business services? Are incidents managed and adequately resolved? Do third parties provide the expected service?
The audit scope determines which IT processes or resources will be audited. Within this context, the IT risks to the achievement of the business objectives are identified. The required control objectives and related control measures that should be in place to manage those risks are determined with the help of the COBIT®.
An audit is an impartial assessment of processes against identified suitable criteria. The Global Technology Audit Guides (GTAG) are practice guides who provide detailed guidance for conducting internal audit activities. Based on interviews and tests, an audit opinion is rendered by comparing this desired situation with the actual design and effectiveness of controls. To close the gaps, recommendations are issued in a draft report.
The final step consists of a management discussion on how much effort is to be spent on mitigating these IT risks. Actions plans are then drawn up. The final management report on the assurance level, in addition to the audit opinion, provides an overview of the agreed recommendations with appropriate actions. Ultimately, a recommendation follow-up should be scheduled at regular times.