03. Planning an IS Audit

03.06. A Case Study in Developing IS Audit Plan and IS Audit Program

Credit: Woman in Black Blazer Standing Beside Woman in Blue Long Sleeve Shirt by RDNE Stock Project, used under the Pexels License.

To put things in practical perspective, the case study in this section illustrates how to develop a risk-based annual IS audit plan as well as a detailed IS audit program for a select audit from the plan. Although the steps can be universally followed, the case study’s audit subjects and risk assessment results are presented as generic in nature by design.

Company Overview

InnoTech Inc., a leader in renewable energy technologies, operates in a fast-paced and evolving industry. The company, established 15 years ago, has carved a niche in developing and implementing innovative energy solutions. Its product line is diverse, encompassing solar panels, wind turbines, and advanced energy storage systems. Beyond manufacturing, InnoTech also extends its expertise to consulting and maintenance services, ensuring the optimal performance of its energy solutions.

With its headquarters in the United States, InnoTech’s operations span across more than 20 countries, including significant markets in Europe, Asia, and South America. This international presence is pivotal to the company’s business strategy, allowing it to access varied energy markets and adapt to different regional energy demands.

The company’s workforce of around 8,000 employees is a blend of talent, including engineers, researchers, sales professionals, and various support roles. Organized into distinct divisions such as Research and Development (R&D), Manufacturing, Sales and Marketing, and Customer Support, each sector contributes uniquely to InnoTech’s overall success.

InnoTech’s IT infrastructure is a cornerstone of its operations and strategic growth. The company’s extensive use of IT encompasses several key areas. A comprehensive Enterprise Resource Planning (ERP) system integrates core business processes, facilitating seamless operations from production to HR management. The Customer Relationship Management (CRM) software is integral to managing customer interactions, aiding the sales team in efficiently tracking and servicing customers.

The R&D division relies heavily on specialized systems for developing new technologies and testing prototypes. In manufacturing, the Manufacturing Execution Systems (MES) play a crucial role in overseeing the production process. The adoption of cloud computing for data storage, application hosting, and analytics represents InnoTech’s commitment to modern IT solutions. The network infrastructure, including LANs and WANs, connects its global operations, while robust cybersecurity measures protect sensitive data and systems.

Managing such a diverse IT landscape presents unique challenges for InnoTech. The company needs to maintain strong IT governance to manage technologies across different locations effectively. Risks such as cybersecurity threats and system failures are constant concerns. However, these challenges also offer opportunities for leveraging IT to spur innovation and improve decision-making processes through data analytics.

Operating in a heavily regulated industry, InnoTech must adhere to various environmental, data protection, and quality standards. Compliance is not just a legal requirement but also a key factor in maintaining the company’s integrity and reputation.

Developing a Risk-based Annual IS Audit Plan

As discussed in Section 03.01, a risk-based annual IS Audit plan can be developed using the following structured approach:

  • Understand the Business
    • Identify the organization’s strategies and business objectives.
    • Understand the high-risk profile of the organization.
    • Identify how the organization structures their business operations.
    • Understand the IT service support model and environment.
  • Define the IT Universe
    • Understand business fundamentals.
    • Identify applications supporting the business operations.
    • Identify critical infrastructure for significant applications.
    • Identify major projects and initiatives.
    • Determine realistic audit subjects.
  • Perform Risk Assessment
    • Develop processes to identify risks.
    • Assess risk and rank audit subjects using IT risk factors.
    • Assess risk and rank subjects using business risk factors.
  • Formalize the Audit Plan
    • Select audit subjects and bundle them into distinct audit engagements.
    • Determine audit cycle and frequency.
    • Add appropriate engagements based on management requests or opportunities for consulting.
    • Validate the plan with business management.

Based on the facts provided in the case study, the following priorities have been identified as the most relevant considerations while understanding the business:

  • ERP System Integration and Efficiency: Concerns around the effectiveness and integration of the ERP system across business processes including production, HR, and finance.
  • CRM System Effectiveness: Challenges in the operational effectiveness of CRM system’s capabilities in managing customer interactions, data accuracy, and its contribution to sales strategies.
  • R&D Systems and Innovation Management: Inefficiencies in the systems supporting R&D for their effectiveness in fostering innovation, managing prototypes, and integrating with other business units.
  • Manufacturing Execution System (MES) Compliance and Performance: Instances of non-compliance with industry standards and inefficiencies in production processes for MES.
  • Cloud Computing and Data Storage Security: Issues noted with cloud services for data security, compliance with data protection laws, and efficiency in storage and retrieval processes.
  • Network Infrastructure and Security: Assess the robustness, security, and efficiency of the company’s LAN and WAN, including vulnerability to cyber threats.
  • Cybersecurity Measures and Protocols: Evaluate the effectiveness of cybersecurity measures including firewalls and intrusion detection systems, and adherence to security protocols.
  • IT Governance and Policy Compliance: Inspect the IT governance framework for its effectiveness in policy implementation, regulatory compliance, and alignment with corporate objectives.
  • Data Analytics and Decision Support Systems: Audit data analytics processes for their role in strategic decision-making, accuracy of insights, and integration with business functions.
  • Employee IT Training and Awareness Programs: Review the effectiveness of IT training programs for employees, focusing on awareness and adherence to IT policies and cybersecurity best practices.

Consequently, the IT Audit universe for InnoTech Inc. can look like this:

  • Network Administration and Security
  • Windows Server Administration and Security
  • OS400 Server Administration and Security
  • Oracle Database Administration and Security
  • SAP ERP Application and General Controls
  • Payroll Application and General Controls
  • Major Capital Projects
  • Corporate Privacy Compliance
  • IT Infrastructure Configuration Management
  • IT Governance Practices

In terms of the risk assessment, the 10 entities identified in the IT Audit universe above will be ranked on likelihood and impact along the following five dimensions:

  • Impact on the organization’s financial statement reporting (F/S Impact)
  • High-level assessment of the quality of existing internal controls (I/C Quality)
  • Measures designed to prevent unauthorized disclosure of sensitive information (Confidentiality)
  • The consistency, accuracy, and trustworthiness of data (Integrity)
  • Information is consistently and readily accessible to authorized parties (Availability)

The rating scale for “likelihood (L)” is defined as follows:

  • High (3): High probability that the risk will occur.
  • Medium (2): Medium probability that the risk will occur.
  • Low (1): Low probability that the risk will occur.

The rating scale for “impact (I)” is defined as follows:

  • High (3): There is a potential for material impact on the organization’s earnings, assets, reputation, or stakeholders.
  • Medium (2): The potential impact may be significant to the audit unit, but moderate in terms of the total organization.
  • Low (1): The potential impact on the organization is minor in size or limited in scope.

Using the IT Audit universe, scales for risk assessment ranking, as well as the definitions of rating on the “impact” and “likelihood”, an illustrated risk assessment output can look like this (using hypothetical risk ratings compiled from IS Audit team as well as the organization’s executive management):

Table: Illustrated Risk Assessment Output

Area                       F/S Impact  I/C Quality  Confidentiality  Integrity  Availability  Score*
                             L   I       L   I         L   I           L   I       L   I
Network Adm & Security       3   2       3   2         3   3           3   2       3   3      36 (H)
Windows Adm & Security       3   3       3   2         3   2           3   3       2   3      36 (H)
OS400 Adm & Security         2   3       3   2         3   3           3   2       2   3      33 (M)
Oracle Adm & Security        3   2       3   1         3   2           3   2       3   3      30 (M)
SAP ERP Application          3   3       2   2         3   3           2   3       3   2      34 (M)
Payroll Application          2   2       3   3         3   3           2   2       3   3      35 (H)
Major Capital Projects       3   3       1   2         1   1           2   3       3   2      24 (L)
Privacy Compliance           2   2       3   3         3   1           1   3       2   3      25 (L)
IT Infrastructure Config.    3   2       2   2         3   3           3   3       3   3      37 (H)
IT Governance                3   2       2   2         3   3           2   1       1   3      24 (L)

Notes:
L = Likelihood; I = Impact. Score bands: H = High; M = Medium; L = Low.
* The final score is calculated as the sum of (likelihood * impact) for each of the five categories per line item.

Now that the risk assessment results are available, the next step is to formalize the audit plan. As discussed earlier, the audit plan consists of risk-driven audit projects, mandatory compliance reviews, stakeholder requests, and follow-up audits of previously identified significant issues. Because these tasks need to be completed using available internal audit resources, some risk-driven audit projects might not be incorporated in the plan. Before we get to the IS audit plan, we will first prioritize the IT audit universe areas based on the net scores as shown below:

Table: Prioritized IT Audit Universe Areas

Area                                          Score
IT Infrastructure Configuration Management    37 (H)
Network Administration and Security           36 (H)
Windows Server Administration and Security    36 (H)
Payroll Application and General Controls      35 (H)
SAP ERP Application and General Controls      34 (M)
OS400 Server Administration and Security      33 (M)
Oracle Database Administration and Security   30 (M)
Corporate Privacy Compliance                  25 (L)
Major Capital Projects                        24 (L)
IT Governance Practices                       24 (L)

InnoTech Inc. has an IS audit staff of five auditors or approximately 1,000 available days for engagements after considering exception time and training. Based on the risk assessment of available audit subjects, mandatory activities, and stakeholder requests, the most effective IS audit plan is shown below:


Table: Effective IS Audit Plan

Area                                          Score  Risk Level  Timeline  Audit Days Allocated
IT Infrastructure Configuration Management    37     High        Q1        175
Network Administration and Security           36     High        Q1        150
Windows Server Administration and Security    36     High        Q2        150
Payroll Application and General Controls      35     High        Q3        120
SAP ERP Application and General Controls      34     Medium      Q2        100
OS400 Server Administration and Security      33     Medium      Q2        90 (Outsourced)
Oracle Database Administration and Security   30     Medium      Q4        85 (Outsourced)
Corporate Privacy Compliance                  25     Low         Q2        60 (Outsourced)
Major Capital Projects                        24     Low         Q2        60
IT Governance Practices                       24     Low         Q4        60
Internal Controls Testing & Reporting         N/A    N/A         Q3, Q4    100
Follow-up on Findings                         N/A    N/A         Q3, Q4    85

The audit plan in the table above is based on InnoTech Inc.’s IS audit department’s understanding of the company’s strategies and objectives, historical knowledge of the control environment, and anticipated changes in operations during the next audit period.
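The scoring rule from the risk assessment table and the capacity constraint behind the audit plan, worked through as an added example (not part of the textbook): the ratings and plan days are copied from the case tables, while the H/M/L score bands are an assumption inferred from the table rather than stated on the page.

```python
# Added example, not from the textbook: applies the chapter's scoring rule
# (score = sum of likelihood * impact over the five dimensions) to the case
# study ratings, ranks the audit universe and checks the plan against capacity.
# Ratings and plan days are copied from the case tables; the H/M/L score
# bands are an assumption inferred from the table, the page does not state them.
DIMENSIONS = ("F/S Impact", "I/C Quality", "Confidentiality", "Integrity", "Availability")

# (likelihood, impact) per dimension, in DIMENSIONS order
RATINGS = {
    "IT Infrastructure Configuration Management":  [(3, 2), (2, 2), (3, 3), (3, 3), (3, 3)],
    "Network Administration and Security":         [(3, 2), (3, 2), (3, 3), (3, 2), (3, 3)],
    "Windows Server Administration and Security":  [(3, 3), (3, 2), (3, 2), (3, 3), (2, 3)],
    "Payroll Application and General Controls":    [(2, 2), (3, 3), (3, 3), (2, 2), (3, 3)],
    "SAP ERP Application and General Controls":    [(3, 3), (2, 2), (3, 3), (2, 3), (3, 2)],
    "OS400 Server Administration and Security":    [(2, 3), (3, 2), (3, 3), (3, 2), (2, 3)],
    "Oracle Database Administration and Security": [(3, 2), (3, 1), (3, 2), (3, 2), (3, 3)],
    "Corporate Privacy Compliance":                [(2, 2), (3, 3), (3, 1), (1, 3), (2, 3)],
    "Major Capital Projects":                      [(3, 3), (1, 2), (1, 1), (2, 3), (3, 2)],
    "IT Governance Practices":                     [(3, 2), (2, 2), (3, 3), (2, 1), (1, 3)],
}

# Audit days allocated in the plan and whether the engagement is outsourced
PLAN = {
    "IT Infrastructure Configuration Management":  (175, False),
    "Network Administration and Security":         (150, False),
    "Windows Server Administration and Security":  (150, False),
    "Payroll Application and General Controls":    (120, False),
    "SAP ERP Application and General Controls":    (100, False),
    "OS400 Server Administration and Security":    (90, True),
    "Oracle Database Administration and Security": (85, True),
    "Corporate Privacy Compliance":                (60, True),
    "Major Capital Projects":                      (60, False),
    "IT Governance Practices":                     (60, False),
    "Internal Controls Testing & Reporting":       (100, False),
    "Follow-up on Findings":                       (85, False),
}
CAPACITY_DAYS = 1000  # five auditors, about 1,000 engagement days after exception time and training


def risk_score(pairs):
    """Sum of likelihood * impact across the five dimensions, on the 1-3 scales."""
    if len(pairs) != len(DIMENSIONS):
        raise ValueError("expected one (likelihood, impact) pair per dimension")
    if any(not (1 <= lik <= 3 and 1 <= imp <= 3) for lik, imp in pairs):
        raise ValueError("likelihood and impact must be rated 1, 2 or 3")
    return sum(lik * imp for lik, imp in pairs)


def risk_level(score):
    """Score band; thresholds (H >= 35, M >= 30) are assumed, inferred from the case table."""
    return "H" if score >= 35 else "M" if score >= 30 else "L"


def rank_universe(ratings):
    """[(area, score, level)] from highest risk down; ties keep their table order."""
    scored = [(area, risk_score(p)) for area, p in ratings.items()]
    return [(a, s, risk_level(s)) for a, s in sorted(scored, key=lambda t: -t[1])]


def plan_capacity(plan, capacity=CAPACITY_DAYS):
    """Split planned days into in-house and outsourced; only in-house days consume capacity."""
    in_house = sum(days for days, outsourced in plan.values() if not outsourced)
    outsourced = sum(days for days, outsourced in plan.values() if outsourced)
    return {"in_house": in_house, "outsourced": outsourced, "within_capacity": in_house <= capacity}
```

The capacity check shows why the three outsourced engagements were outsourced: with them counted in-house the plan would need 1,235 days against the 1,000 available.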

Next, we will formalize the IS audit plan for InnoTech Inc. to ensure the efficacy and thoroughness of the auditing process by transforming the results of risk assessments and preliminary analyses into a structured and actionable audit plan. A crucial aspect of the audit plan’s formalization is its communication and approval by senior management and key stakeholders. This ensures that the audit objectives are aligned with the broader organizational goals and that there is a cohesive understanding and agreement on the plan at the highest levels of the organization. Finally, the plan includes a focus on training and preparing the audit team, especially for the more complex and high-risk audit areas. This preparation is vital in equipping the auditors with the necessary skills and knowledge to effectively navigate the intricacies of specific technologies, audit methodologies, and regulatory requirements they will encounter.

Developing an IS Audit Program for the Network Administration and Security

Now that we have identified the risk-based annual IS audit plan, let’s build a detailed IS audit program for one of the high-risk audits – Network Administration and Security Audit.

From our discussion in Section 03.03, we know that an IS Audit program contains the following elements:

  • Define Audit Objectives
  • Determine Audit Scope
  • Review Client Controls
  • Set Audit Criteria
  • Audit Schedule & Resourcing
  • Evidence Gathering Techniques

Here’s an illustrated IS audit program for each of the above components in context of the Network Administration and Security Audit.

Program for Network Administration and Security Audit

Define Audit Objectives

The primary objective of the Network Administration and Security Audit for InnoTech Inc. is to evaluate the effectiveness, reliability, and security of the company’s network infrastructure. This includes assessing the administrative processes and security measures in place to protect against unauthorized access, data breaches, and other cyber threats. The audit will also aim to ensure that network administration aligns with the company’s IT policies and industry best practices, and complies with relevant regulatory requirements.

Determine Audit Scope

The scope of this audit encompasses all aspects of network administration and security within InnoTech Inc. This includes but is not limited to:

  • Physical and logical network infrastructure, including routers, switches, firewalls, and other network devices.
  • Network configuration and management processes.
  • Network security policies, procedures, and practices.
  • Access control mechanisms for network resources.
  • Incident response and recovery procedures related to network security.
  • Compliance with relevant laws and regulations, such as data protection laws.

The audit will cover all geographic locations of InnoTech Inc. where network infrastructure is deployed.

Review Client Controls

This stage involves a comprehensive review of the existing controls InnoTech Inc. has implemented for network administration and security. The review will focus on:

  • Existing network security policies and procedures, ensuring they are up-to-date and comprehensive.
  • Implementation and effectiveness of access control systems.
  • Security measures for protecting network infrastructure, including firewall configurations and intrusion detection systems.
  • Procedures for monitoring and responding to network security incidents.
  • Regular maintenance and updates of network systems.

This review aims to identify any gaps or weaknesses in current controls that could expose the company to network-related risks.

Set Audit Criteria

The audit criteria are the standards against which the network administration and security practices of InnoTech Inc. will be evaluated. These criteria include the following:

  • Compliance with industry standards such as ISO/IEC 27001 for information security management.
  • Adherence to internal policies and procedures of InnoTech Inc. related to network management and security.
  • Alignment with best practices in network administration and security.
  • Compliance with legal and regulatory requirements pertinent to network security and data protection.

Audit Schedule & Resourcing

The audit is scheduled to be conducted in Q1 and is allocated 150 audit days. The schedule is as follows:

  • Pre-audit planning: 2 weeks
  • Fieldwork: 10 weeks
  • Reporting: 3 weeks
  • Follow-up and closure: 1 week

The audit team will consist of IT auditors experienced in network administration and security. External experts may be consulted for specialized areas. Resources such as network diagrams, policy documents, and access to network management systems will be required.

This audit program is designed to provide a comprehensive evaluation of the network administration and security at InnoTech Inc. It aims to identify areas of strength and potential improvement, ensuring the network infrastructure is robust, secure, and aligns with business objectives and regulatory requirements.

Detailed Test of Controls Audit Procedures

Effective audit procedures must have the following four components:

  • Extent of sampling (# of samples to review)
  • Evidence-gathering technique to be used
  • Specific client evidence to be reviewed
  • Auditor’s actions as a part of the procedure


For the five existing controls identified in #3 (Review Client Controls) above, here are the proposed test of controls audit procedures:

Proposed Test of Controls Audit Procedures

Control 1: Network Security Policies and Procedures

  • Number of Samples: Review 40 randomly selected policy documents.
  • Evidence Gathering Technique: Inspection
  • Specific Evidence to Review: Network security policy documents, including recent updates and change logs.
  • Auditor’s Actions:
    • Examine the policies for comprehensiveness, relevance, and alignment with industry standards.
    • Verify the date of the last update and the frequency of reviews.
    • Check for signatures and approvals.

Control 2: Implementation of Access Control Systems

  • Number of Samples: Analyze access logs for 40 user accounts chosen at random.
  • Evidence Gathering Technique: Analysis and Observation
  • Specific Evidence to Review: Access control logs, user account details, and permission levels.
  • Auditor’s Actions:
    • Assess whether access levels are appropriate for each user’s role.
    • Observe the process of granting, modifying, and revoking access.
    • Verify that there are no unauthorized access instances.
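The three auditor actions for Control 2, carried out in code as an added example (not from the textbook): the role baseline, account population and access-log lines are constructed sample data rather than InnoTech records, and the log format (timestamp, user, resource, result) is an assumption. Two distinct findings come out of it: an account granted more than its role baseline, and log entries where enforcement disagrees with the account records.

```python
# Added example for Control 2, not from the textbook: selects the random account
# sample, compares each account's granted permissions with the baseline for its
# role, and scans access-log lines for accesses outside the granted permissions.
# Role baseline, accounts and log lines are constructed sample data, not InnoTech
# records; the log format (timestamp user resource result) is an assumption.
import random

# Constructed baseline: network resources each role is entitled to administer
ROLE_BASELINE = {
    "netadmin": {"core-switch", "edge-firewall", "vpn-gateway"},
    "helpdesk": {"vpn-gateway"},
    "engineer": {"lab-switch", "vpn-gateway"},
}

# Constructed account population: user -> (role, permissions actually granted)
ACCOUNTS = {
    "alice": ("netadmin", {"core-switch", "edge-firewall", "vpn-gateway"}),
    "bob":   ("helpdesk", {"vpn-gateway", "edge-firewall"}),  # firewall rights exceed the helpdesk baseline
    "carol": ("engineer", {"lab-switch", "vpn-gateway"}),
    "dave":  ("helpdesk", {"vpn-gateway"}),
}

# Constructed access-log lines: timestamp user resource result
ACCESS_LOG = """\
2024-03-01T08:00:01 alice core-switch ALLOW
2024-03-01T08:05:12 bob edge-firewall ALLOW
2024-03-01T09:10:44 dave core-switch ALLOW
2024-03-01T09:11:02 carol lab-switch ALLOW
2024-03-01T09:15:30 eve vpn-gateway DENY
"""


def select_sample(population, n, seed):
    """Random sample of up to n account names; record the seed in the workpapers so the draw is reproducible."""
    rng = random.Random(seed)
    names = sorted(population)
    return sorted(rng.sample(names, min(n, len(names))))


def excess_permissions(accounts, baseline):
    """user -> permissions granted beyond the baseline for the user's role (finding: inappropriate access level)."""
    findings = {}
    for user, (role, granted) in accounts.items():
        extra = granted - baseline.get(role, set())
        if extra:
            findings[user] = extra
    return findings


def unauthorized_accesses(log_text, accounts):
    """Log entries where the user reached a resource not in their granted permissions, or is not a known account.
    An ALLOW on such a line means enforcement disagrees with the account records and needs explanation."""
    hits = []
    for line in log_text.splitlines():
        ts, user, resource, result = line.split()
        granted = accounts[user][1] if user in accounts else set()
        if resource not in granted:
            hits.append((ts, user, resource, result))
    return hits
```

Note that bob's firewall access is not flagged by the log scan because it was granted; it is the baseline comparison that catches it, which is why the procedure pairs permission review with log analysis.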

Control 3: Security Measures for Network Infrastructure

  • Number of Samples: Inspect configurations of 25 firewalls and 25 intrusion detection systems.
  • Evidence Gathering Technique: Inspection and Performance
  • Specific Evidence to Review: Configuration settings, security patches, and update logs of the selected devices.
  • Auditor’s Actions:
    • Check if configurations align with best practice standards.
    • Ensure security patches are up-to-date.
    • Test the performance of intrusion detection systems.

Control 4: Monitoring and Response to Network Security Incidents

  • Number of Samples: Examine records of the last 25 reported security incidents.
  • Evidence Gathering Technique: Inspection and Inquiry
  • Specific Evidence to Review: Incident reports, response actions taken, and follow-up documentation.
  • Auditor’s Actions:
    • Review the incident handling process for completeness and timeliness.
    • Inquire about the effectiveness of the response and any lessons learned or process improvements implemented.

Control 5: Regular Maintenance and Updates of Network Systems

  • Number of Samples: Audit maintenance logs for 40 network devices over the past year.
  • Evidence Gathering Technique: Inspection and Analysis
  • Specific Evidence to Review: Maintenance schedules, update logs, and service reports.
  • Auditor’s Actions:
    • Verify that maintenance is conducted regularly and in line with industry best practices.
    • Analyze the logs for any missed or delayed maintenance activities.
    • Ensure that updates are applied in a timely manner and documented.


This wraps up the case study walkthrough of developing a risk-based annual IS audit plan and an IS audit program to give you a practical perspective on the key concepts discussed throughout this chapter. Collectively, these concepts and the example will help you effectively evaluate the IT General Controls (Chapter 5) and Application Controls (Chapter 6).


License


Auditing Information Systems Copyright © 2024 by Amit M. Mehta is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
