
Planning: Key to IT Risk Management
Lily Bi
CIA, CISA, Director of Technology Practices
Institute of Internal Auditors

The Institute of Internal Auditors (IIA) has published two new editions in its series of Global Technology Audit Guides® (GTAGs). GTAG 10: Business Continuity Management and GTAG 11: Developing the Information Technology (IT) Audit Plan both stress that proactive planning is critical to managing and sustaining effective IT systems.

Business Continuity Management (BCM) is designed to help prepare organizations for natural or man-made events that could disrupt operations. This guide includes disaster recovery planning for continuity of critical IT infrastructure and business application systems.

"Despite high-profile events such as 9/11 and Hurricane Katrina, some companies are still not as prepared for a disaster as they think they are," said IIA Director of Technology Practices Lily Bi, CIA, CISA. "In a time of crisis, if you're not sure how you're going to deal with your critical business functions and the IT systems that support those functions, you're taking a huge risk. This guidance can help internal auditors evaluate the effectiveness of their plan before it's too late."

Themes in GTAG 10 include:
  • Common disaster scenarios - Hurricanes, earthquakes, and fires shatter lives and devastate businesses. Man-made disasters such as power failures and terrorism are no less destructive. These foreseeable events pose risks to the business, and the financial fallout can persist for years.
  • Management roles during business interruption - Management should designate a central group within the organization that is responsible for BCM and establish a process for putting the program into operation. Management should ensure appropriate funding for BCM activities, communicate their importance, and conduct training.
  • Disaster recovery solutions for IT - IT systems are typically needed to support recovery of critical business processes. A disaster recovery document should be created that includes detailed recovery instructions and references procedures, vendor preferences, system diagrams, hardware and software inventories, communications, and document management systems.
  • Risk assessment and mitigation - A business continuity risk assessment should identify the risks most likely to disrupt critical processes. Management should review the experience of similar organizations in the same region, use government or industry data, and engage subject matter experts when data is limited. Mitigation strategies should be created to address disasters, operational failures, loss of the primary office, loss of IT network connectivity, and loss of the IT data center.
  • Business recovery and continuity strategy - A business impact analysis should be used to identify the critical business processes that must be recovered following a disaster. It should set out the recovery solutions needed to resume those processes, addressing items such as manual work processes, outsourcing, disaster recovery for IT, alternative staffing, and alternative facilities.
  • Testing - To keep a business continuity management program current and executable, tests covering a variety of scenarios should be held at periodic intervals. Exercises can include desk checks, walkthroughs, boardroom (tabletop) activities, communication plan tests, and alternate site operations.

GTAG 11: Developing the IT Audit Plan guides chief audit executives and audit supervisors through the process of planning an effective IT systems audit. In its work with numerous organizations of all sizes and levels of complexity, The IIA has found that IT audit planning is typically the most challenging activity for a company's internal audit department.

"If an internal auditor has a limited technology background, it can be really hard to understand the top risks in their IT systems. And it can be even harder to understand how those risks play into the bigger picture of overall business risk," added Bi. "Internal auditors should use this guide to get the full picture of what we call 'the IT Universe' - all the things that should be included in the audit plan, such as IT infrastructure, applications, and operational processes."

GTAG 11 emphasizes:
  • Understanding the business - A fundamental knowledge of the organization's objectives, strategies, distinguishing characteristics, operating environment, and IT environment will help auditors understand how technology supports existing business models and mitigates the organization's overall risks.
  • Considering IT environment diversity - The IT environment and its unique risks should be analyzed. Important factors to consider include the degree of system and geographic centralization, the technologies deployed, the extent of customization, formal company policies and standards, regulation and compliance obligations, outsourcing, and the organization's reliance on technology.
  • Performing an IT risk assessment - It is vitally important for organizations to periodically assess their risk portfolio. The chief audit executive (CAE) must identify and understand business objectives and IT strategy, and assign a risk rating to every subcategory, including infrastructure, computer operations, and applications. CAEs should also align the assessment with a recognized IT governance or control framework, such as COBIT, ISO 27002, or ITIL.
  • Defining important audit subject areas - The audit plan should focus on the highest-risk areas, where auditors can add the most value. Auditors should establish separate audit areas for each platform type, and audit subjects should be divided into appropriately sized areas so that audit resources can be allocated sensibly.

Written in straightforward business language, GTAGs address timely issues related to information technology management, control, and security, and serve as a ready resource for CAEs, executive management, and boards of directors seeking to understand and mitigate technology-associated risks. To read the guides, visit www.theiia.org/guidance/technology.

© 2019 Simplex Knowledge Company. All Rights Reserved.