A COMPREHENSIVE APPROACH
Technology audits examine the risk management controls within an Information technology (IT) environment. The evaluation of obtained evidence determines if the architecture design and implementation safeguards assets, maintains data integrity, and operates effectively to achieve the organization's goals or objectives.
The easiest approach to evaluating coverage of all the application stack layers is to break the stack into three main groups based upon their function within the service delivery.
Infrastructure Audits: Form the foundational, support framework upon applications reside.
Application Development & Support Audits: Evaluate the activities specifically related to the development, testing, and promotion of application code to the live production environment.
Information Security Audits: Focus on the risk management strategies surrounding the confidentiality, integrity, and viability of information.
Why Engage CTSA?
For each technology audit CTSA personnel will –
Obtain an understanding of the activity being audited. The extent of the knowledge required should be determined by the nature of the enterprise, its environment, areas of risk, and the objectives of the engagement.
Consider subject matter guidance or direction, as afforded through legislation, regulations, rules, directives, and guidelines issued by government or industry.
Perform a risk assessment to provide reasonable assurance that all material items will be adequately covered during the engagement. Audit strategies, materiality levels and resource requirements can then be developed.
Develop the engagement project plan using appropriate project management methodologies to ensure that activities remain on track and within budget.
Include in the plan assignment-specific issues, such as:
Availability of resources with appropriate knowledge, skills, and experience
Identification of tools needed for gathering evidence, performing tests and preparing/summarizing information for reporting
Assessment criteria to be used – Reporting requirements and distribution
Document the technology audit or assurance engagement’s project plan to clearly indicate the:
Objective(s), scope, and timing
Roles and responsibilities
Areas of risk identified and their impact on the engagement plan
Tools and techniques to be employed
Fact-finding interviews to be conducted
Relevant information to be obtained
Procedures verify or validate the information obtained and its use as evidence