Scope
The scope of the audit plan defines the boundaries within which the audit is carried out. The audit of our company will cover the relevant personnel, records and systems compliance. It will examine the various security issues affecting the protection of the IT infrastructure, the cost of the IT infrastructure and the efficiency of the IT infrastructure facilities. The implementation of the recommendations of the previous audit will also be investigated, and recommendations from the current audit made. The audit will also analyse the regulations on emission and transmission set by the various regulators. The social media policy and its risks are also analysed, since they can have a negative impact on the reputation of the company.
Goals and objectives
The objective of this audit is to analyse compliance with the security requirements of the IT infrastructure in order to mitigate loss and risk. The IT infrastructure is analysed in terms of resource utilisation versus costs incurred, and in terms of the probability of risk arising from the level of access granted to individuals. The study aims to find ways to reduce the costs of running the IT infrastructure. It also suggests possible ways in which the efficiency of the IT company can be increased within the laid-down rules.
The goal of this IT audit is also to safeguard the assets of the company, which include data and applications. The technology, meaning the hardware and software of the IT infrastructure, and the facilities that house it are analysed. The skills of the IT company's staff and their support of the IT infrastructure are also analysed for compliance.
Frequency of audit
The audit will be carried out once a year, covering the various issues that may have arisen since the previous audit. This provides a better understanding of the compliance performance of the various sections of the company's IT. Together these serve to reduce the overhead costs of repairing infrastructure and the risk to the company, thus increasing operational efficiency.
Duration of audit
The audit will run for two months, after which the audit report is sent to the various investors, company management and regulators for further direction.
Critical Requirements
The following are the critical requirements for the IT audit:
Planning - These are the rules on how the planning of the audit should be carried out under the law. The audit should be planned and carried out in a manner that ensures economic efficiency. This is the most important part of the audit process, since it influences the precision of the audit. A strategic plan covers the longer term, such as 3-5 years, and sets out when the targets and objectives of the IT infrastructure audit should be achieved. Macro planning deals with the medium term and involves planning the audits to be done during the year and obtaining the resources to carry them out. A micro plan ensures that the details and durations of all the tasks to be undertaken for each audit are addressed. The micro and macro audit plans will always be dynamic.
Definition of audit objectives is a very important requirement in planning the audit of the IT infrastructure. It ensures that the main objectives of the exercise are not lost, and it defines the confines within which the exercise will be carried out and the expected results.
Evaluation of controls is used to identify the appropriate control structures that can be put in place to mitigate the risks faced by the company. The controls over the company's access systems for the IT infrastructure should be evaluated and solutions to any weaknesses addressed. Compliance with these controls ensures better performance.
Evidence collection and evaluation is done through observation, data collection and sampling. The evidence that can be used in this phase includes the observed process, documentary audit evidence and analysis of the audit using IT systems.
Evaluation of evidence: evidence in the company is gathered before the implementation of the audit. Previous IT audit results are analysed and the expected risks for the company documented. Various software tools are used to collect the evidence of the risk and make risk assessment easier for the company. The analysis of these risks is planned based on the existing ones and, at times, on the current threats that accompany advances in technology. This makes it easier to examine the specific system performance of the company during the audit.
Reporting and follow-up of the audit process should be done by completing the appropriate reports and forwarding them to the respective management for further action. The reports will contain the findings and recommendations of the audit and the various areas that can be improved for the efficient operation of the IT infrastructure.
Privacy Laws
These laws are determined by the International Telecommunication Union and the IT Infrastructure Library. The National Institute of Standards and Technology also plays a very important role in defining the procedures for maintaining the privacy of information. In the company, privacy within the organisation is managed by the chief security officer, who reports to the management and the regulators. He is constantly monitored for compliance by a wing of the compliance team within the company.
Risk management
Risk management is done at the planning stage. This leads to a better understanding of the threats as perceived by the management and how they can impact the business. The mitigation procedures for the risks involved in the various processes should follow the objectives of the audit. These can include the risks associated with the usage of the IT infrastructure, such as non-compliance in password management through the sharing of passwords.
Threats analysis
The main threat affecting our chosen company is hacking, owing to the increasing amount of cyber espionage in the world. Hackers gain access through phishing, email spamming and the use of malware and viruses. They can also use keyloggers to obtain passwords from employees. There are various laid-down policies on the usage of the internet and of personal portable devices such as flash disks. Compliance with these reduces the chance of a hacker using them as a backdoor into the IT infrastructure. The threat analysis is carried out by first using the existing threats in other similar companies for the assessment of the threats. The threats are then identified and separated from one another. The cause of each threat is analysed and mitigating activities put in place to minimise its impact on the company. The audit of the threats to the organisation is then documented for future reference.
Vulnerability analysis
The measure of how exposed the company is to attack is addressed here. The audit should ensure that the company is not vulnerable to threats and can thus perform at its optimal level. A study of how prone the various sections of the IT infrastructure are to attack will ensure that only the appropriate mechanisms are put in place for the prevention of future attacks. Routine operations of the company, such as the amount of information the staff hold, increase the vulnerability of the company. The strength of the security compliance of the company's network gives a clearer picture of the degree of vulnerability of the company and thus plays a very important role in the mitigation of the risks involved.
Risk assessment analysis
There are various risks associated with our chosen telecommunication company. The risks include the exposure of customers' information occasioned by hacking and system failure. Loss of confidentiality, integrity and availability contributes greatly to the risk to the IT infrastructure of the company. The following are the steps in the risk analysis of the company:
First, the information systems and their use in the company are categorised, and the systems that impact critical functions or assets are identified. The risks that affect these systems, and their severity, are then prioritised by the audit. The resources, schedule and frequency of the audit are then analysed.
Obtaining Information and Documentation
The following are some of the ways of obtaining the information and documentation for the audit. Information can be obtained through interviews with the various staff and management of the company and by going through the previous audit report of the company. This gives a general overview of the risks that might be present in the information system due to compliance issues. Previous records of the information can also be used, together with a study of the current threats and risks in the present IT infrastructure world. Observation of the operation and performance of the IT infrastructure can also provide information on IT infrastructure compliance, as can sampling of the various processes and activities within the IT infrastructure. The information found can be documented as a report or as a recording for future use.
The resources for the audit are the various equipment and personnel used in the audit process. People with knowledge and skills in the operation of the IT infrastructure should be used to audit the company for optimal analysis. The materials for the audit process, such as the software used for analysis, should also be evaluated.
Domains of Audit
Effectiveness - This is the evaluation of whether the IT systems meet the requirements of the users and the business. The chosen company should have a robust and efficient IT infrastructure to enable effective operation and service to customers.
Efficiency - This deals with the optimisation of system resources for maximum productivity. The cost of running the IT infrastructure in the company of our choice should be directly related to the allowable output of the company. For example, the quality of the communication system of our IT infrastructure is determined by the optimisation of network coverage and network performance.
Confidentiality - This is the protection of private information from unauthorised access. The company holds various confidential information about its customers that needs to be protected, for example mobile money payment services, where exposure would have serious repercussions for the company; hence the need to comply with confidentiality requirements.
Integrity - This is the accuracy of the information relayed to the customers. The information should be accurate, hence the need to cover this domain too in the audit of the information system.
Availability - The safeguarding of information so that it is available on demand. The audit should try to ensure that the information held in the system will be available on demand when required by law or when the need arises.
Compliance - Following the laid-down laws and regulations that govern the licensing and operations of the various agents and stakeholders in the areas where the company operates. This ensures a uniform approach to the various issues within the company and thus more effective operations.
Reliability of information - The information provided by the audit team should be reliable so that accurate decisions can be made from it.
Goals to Domains Alignment
The goal of the audit plan of monitoring system performance can be aligned to the efficiency, reliability and availability domains. This is because a high-performance system will be highly available, reliable and run efficiently to meet customers' needs.
The objective of analysing and strengthening the security of the company can be aligned with the confidentiality domain. The system should maintain high confidentiality to gain customer trust, which is achieved by beefing up the security of the company.
Developing a plan
Existence of Policies and Procedures
The existing policies and procedures of the company are analysed, such as access to various information and the conditions of that access. The security policy on the conduct of personnel should be analysed, such as the use and management of passwords.
The plan is to sample a number of employees and observe their adherence to the laid-down security policies of the company. The individuals will be selected randomly and not informed, so that their normal operations can be used to project the adherence to the laid-down policies across the whole company.
Verification of the existence of controls supporting the policies
Our plan will also analyse the level of control supporting the various policies and procedures in the company. These are the rules in the company that specify the repercussions of not acting in accordance with the policies and procedures. The number of non-compliant cases will be forwarded to the management, and the methods of dealing with the issues audited by the audit team. If the actions taken are in accordance with what is captured in the policies and procedures, then the controls supporting the policies exist.
Verification of the effective implementation and ongoing monitoring of the controls
The plan to verify this is to study the implementation process of the various changes that can be made to the infrastructure.
Critical Security Control Points
The critical control points of the IT infrastructure, such as access to private and confidential information in the system, should be verified throughout the IT infrastructure. The areas that hold sensitive customer information, such as the transaction history of a client or the private details of the company, should always use two-factor authentication. The person doing the audit should also be monitored to prevent misuse of the company's information.
Process of audit