03.06. A Case Study in Developing IS Audit Plan and IS Audit Program

Company Overview

InnoTech Inc., a leader in renewable energy technologies, operates in a fast-paced and evolving industry. The company, established 15 years ago, has carved a niche in developing and implementing innovative energy solutions. Its product line is diverse, encompassing solar panels, wind turbines, and advanced energy storage systems. Beyond manufacturing, InnoTech also extends its expertise to consulting and maintenance services, ensuring the optimal performance of its energy solutions.

With its headquarters in the United States, InnoTech’s operations span across more than 20 countries, including significant markets in Europe, Asia, and South America. This international presence is pivotal to the company’s business strategy, allowing it to access varied energy markets and adapt to different regional energy demands.

The company’s workforce of around 8,000 employees is a blend of talent, including engineers, researchers, sales professionals, and various support roles. Organized into distinct divisions such as Research and Development (R&D), Manufacturing, Sales and Marketing, and Customer Support, each sector contributes uniquely to InnoTech’s overall success.

InnoTech’s IT infrastructure is a cornerstone of its operations and strategic growth. The company’s extensive use of IT encompasses several key areas. A comprehensive Enterprise Resource Planning (ERP) system integrates core business processes, facilitating seamless operations from production to HR management. The Customer Relationship Management (CRM) software is integral to managing customer interactions, aiding the sales team in efficiently tracking and servicing customers.

The R&D division relies heavily on specialized systems for developing new technologies and testing prototypes. In manufacturing, the Manufacturing Execution Systems (MES) play a crucial role in overseeing the production process. The adoption of cloud computing for data storage, application hosting, and analytics represents InnoTech’s commitment to modern IT solutions. The network infrastructure, including LANs and WANs, connects its global operations, while robust cybersecurity measures protect sensitive data and systems.

Managing such a diverse IT landscape presents unique challenges for InnoTech. The company needs to maintain strong IT governance to manage technologies across different locations effectively. Risks such as cybersecurity threats and system failures are constant concerns. However, these challenges also offer opportunities for leveraging IT to spur innovation and improve decision-making processes through data analytics.

Operating in a heavily regulated industry, InnoTech must adhere to various environmental, data protection, and quality standards. Compliance is not just a legal requirement but also a key factor in maintaining the company’s integrity and reputation.

Developing a Risk-based Annual IS Audit Plan

As discussed in Section 03.01, a risk-based annual IS Audit plan can be developed using the following structured approach:

• Understand the Business
  • Identify the organization’s strategies and business objectives.
  • Understand the high-risk profile of the organization.
  • Identify how the organization structures their business operations.
  • Understand the IT service support model and environment.
• Define the IT Universe
  • Understand business fundamentals.
  • Identify applications supporting the business operations.
  • Identify critical infrastructure for significant applications.
  • Identify major projects and initiatives.
  • Determine realistic audit subjects.
• Perform Risk Assessment
  • Develop processes to identify risks.
  • Assess risk and rank audit subjects using IT risk factors.
  • Assess risk and rank subjects using business risk factors.
• Formalize the Audit Plan
  • Select audit subjects and bundle them into distinct audit engagements.
  • Determine audit cycle and frequency.
  • Add appropriate engagements based on management requests or opportunities for consulting.
  • Validate the plan with business management.

Based on the facts provided in the case study, the following priorities have been identified as the most relevant considerations while understanding the business:

• ERP System Integration and Efficiency: Concerns around the effectiveness and integration of the ERP system across business processes including production, HR, and finance.
• CRM System Effectiveness: Challenges in the operational effectiveness of CRM system’s capabilities in managing customer interactions, data accuracy, and its contribution to sales strategies.
• R&D Systems and Innovation Management: Inefficiencies in the systems supporting R&D for their effectiveness in fostering innovation, managing prototypes, and integrating with other business units.
• Manufacturing Execution System (MES) Compliance and Performance: Instances of non-compliance with industry standards and inefficiencies in production processes for MES.
• Cloud Computing and Data Storage Security: Issues noted with cloud services for data security, compliance with data protection laws, and efficiency in storage and retrieval processes.
• Network Infrastructure and Security: Assess the robustness, security, and efficiency of the company’s LAN and WAN, including vulnerability to cyber threats.
• Cybersecurity Measures and Protocols: Evaluate the effectiveness of cybersecurity measures including firewalls and intrusion detection systems, and adherence to security protocols.
• IT Governance and Policy Compliance: Inspect the IT governance framework for its effectiveness in policy implementation, regulatory compliance, and alignment with corporate objectives.
• Data Analytics and Decision Support Systems: Audit data analytics processes for their role in strategic decision-making, accuracy of insights, and integration with business functions.
• Employee IT Training and Awareness Programs: Review the effectiveness of IT training programs for employees, focusing on awareness and adherence to IT policies and cybersecurity best practices.

Consequently, the IT Audit universe for InnoTech Inc. can look like this:

• Network Administration and Security
• Windows Server Administration and Security
• OS400 Server Administration and Security
• Oracle Database Administration and Security
• SAP ERP Application and General Controls
• Payroll Application and General Controls
• Major Capital Projects
• Corporate Privacy Compliance
• IT Infrastructure Configuration Management
• IT Governance Practices

In terms of the risk assessment, the 10 entities identified in the IT Audit universe above will be ranked on likelihood and impact along the following five dimensions:

• Impact on the organization’s financial statement reporting (F/S Impact)
• High-level assessment of the quality of existing internal controls (I/C Quality)
• Confidentiality measures are designed to prevent sensitive information (Confidentiality)
• The consistency, accuracy, and trustworthiness of data (Integrity)
• Information should be consistently and readily accessible for authorized parties (Availability)

The rating scale for “likelihood (L)” is defined as follows:

• High (3): High probability that the risk will occur.
• Medium (2): Medium probability that the risk will occur.
• Low (1): Low probability that the risk will occur.

The rating scale for “impact (I)” is defined as follows:

• High (3): There is a potential for material impact on the organization’s earnings, assets, reputation, or stakeholders.
• Medium (2): The potential impact may be significant to the audit unit, but moderate in terms of the total organization.
• Low (1): The potential impact on the organization is minor in size or limited in scope.

Using the IT Audit universe, scales for risk assessment ranking, as well as the definitions of rating on the “impact” and “likelihood”, an illustrated risk assessment output can look like this (using hypothetical risk ratings compiled from IS Audit team as well as the organization’s executive management):

Notes:
L = Likelihood; I = Impact; H = High; M = Medium; L = Low
* The final score is calculated as the sum of (likelihood * impact) for each of the five categories per line item.

Now that the risk assessment results are available, the next step is to formalize the audit plan. As discussed earlier, the audit plan consists of risk-driven audit projects, mandatory compliance reviews, stakeholder requests, and follow-up audits of previously identified significant issues. Because these tasks need to be completed using available internal audit resources, some risk-driven audit projects might not be incorporated in the plan. Before we get to the IS audit plan, we will first prioritize the IT audit universe areas based on the net scores as shown below:

InnoTech Inc. has an IS audit staff of five auditors or approximately 1,000 available days for engagements after considering exception time and training. Based on the risk assessment of available audit subjects, mandatory activities, and stakeholder requests, the most effective IS audit plan is shown below:

The audit plan in the table above is based on the Innotech Inc.’s IS audit department’s understanding of the company’s strategies and objectives, historical knowledge of the control environment, and anticipated changes in operations during the next audit period.

Next, we will formalize the IS audit plan for InnoTech Inc. to ensure the efficacy and thoroughness of the auditing process by transforming the results of risk assessments and preliminary analyses into a structured and actionable audit plan. A crucial aspect of the audit plan’s formalization is its communication and approval by senior management and key stakeholders. This ensures that the audit objectives are aligned with the broader organizational goals and that there is a cohesive understanding and agreement on the plan at the highest levels of the organization. Finally, the plan includes a focus on training and preparing the audit team, especially for the more complex and high-risk audit areas. This preparation is vital in equipping the auditors with the necessary skills and knowledge to effectively navigate the intricacies of specific technologies, audit methodologies, and regulatory requirements they will encounter.

Developing an IS Audit Program for the Network Administration and Security
Now that we have identified the risk-based annual IS audit plan, let’s build a detailed IS audit program for one of the high-risk audits – Network Administration and Security Audit.

From our discussion in Section 03.03, we know that an IS Audit program contains the following elements:

• Define Audit Objectives
• Determine Audit Scope
• Review Client Controls
• Set Audit Criteria
• Audit Schedule & Resourcing
• Evidence Gathering Techniques

Here’s an illustrated IS audit program for each of the above components in context of the Network Administration and Security Audit.

For the five existing controls identified in #3 (Review Client Controls) above, here are the proposed test of controls audit procedures:

This wraps up the case study walkthrough of developing a risk-based annual IS audit plan and an IS audit program to give you a practical perspective on the key concepts discussed throughout this chapter. Collectively, these concepts and the example will help you effectively evaluate the IT General Controls (Chapter 5) and Application Controls (Chapter 6).