登录查看更多内容

How can you perform a risk-based IT audit for ITOM?

由人工智能和领英社区提供技术支持

A risk-based IT audit is a systematic process of evaluating and improving the effectiveness and efficiency of IT operations management (ITOM) activities. ITOM is the discipline of managing and optimizing the performance, availability, security, and cost of IT infrastructure and services. A risk-based IT audit can help you identify and prioritize the most critical ITOM risks, align your ITOM objectives with your business goals, and implement best practices and controls to mitigate or reduce the impact of potential ITOM issues. In this article, you will learn how to perform a risk-based IT audit for ITOM in six steps.

此文章中的业界达人

由社区从 3 条内容中精选。了解更多

Sanjeev Jha

Aligning IT Security Control & Business Risk Objective @Volkswagen | IT Auditor & Offensive Security Professional
Sanjeewa Wijesekara

Senior Manager Informations Systems Audit at DFCC Bank

1 Define the scope and objectives

The first step is to define the scope and objectives of your IT audit for ITOM. You need to determine what ITOM areas, processes, functions, or systems you want to audit, and why. You also need to define the criteria and standards you will use to evaluate the performance and compliance of your ITOM activities. For example, you may use frameworks such as COBIT, ITIL, or ISO/IEC 27001 to guide your IT audit for ITOM. You should also consider the expectations and requirements of your stakeholders, such as senior management, customers, regulators, or auditors.

添加您的观点

Sanjeewa Wijesekara

Senior Manager Informations Systems Audit at DFCC Bank
举报内容
Risk assessment is crucial. Ensuring the risk surface is covered and capturing the critical areas of audit in the planning stage is paramount. You can use the laid down standards, frameworks and you should make sure the business organization specific risks have not gone unnoticed as well...

已翻译

赞

2 Assess the ITOM risk environment

The second step is to assess the ITOM risk environment. You need to identify and analyze the internal and external factors that may affect your ITOM activities, such as changes in technology, business processes, regulations, or customer demands. You also need to evaluate the likelihood and impact of each ITOM risk, and rank them according to their significance and urgency. For example, you may use a risk matrix or a heat map to visualize and prioritize your ITOM risks. You should also document the sources, causes, and consequences of each ITOM risk, as well as the existing controls and mitigation strategies.

添加您的观点

Sanjeev Jha

Aligning IT Security Control & Business Risk Objective @Volkswagen | IT Auditor & Offensive Security Professional
举报内容
I have always trusted systematic attack surface mapping of system to be one of the most effective techniques to evaluate risk in the organization. In case of application, for example, attack surface mapping can be performed at the design phase using various techniques such as DREAD. Similarly, application functionality mapping while the application is in execution also known as dynamic testing can provide comprehensive overview of all the attack surface and its consecutive risk.

已翻译

赞

3 Plan the IT audit activities

The third step is to plan the IT audit activities. You need to design and prepare the audit procedures and methods you will use to collect and analyze the evidence and data related to your ITOM activities. You also need to allocate the resources and time you will need to conduct the IT audit, such as staff, tools, budget, or schedule. For example, you may use interviews, surveys, observations, tests, or reviews to gather information and insights about your ITOM performance and compliance. You should also communicate the scope, objectives, and plan of your IT audit to your stakeholders, and obtain their approval and support.

添加您的观点

4 Execute the IT audit activities

The fourth step is to execute the IT audit activities. You need to perform the audit procedures and methods you planned in the previous step, and collect and analyze the evidence and data related to your ITOM activities. You also need to document and report the findings and results of your IT audit, such as strengths, weaknesses, gaps, errors, or non-conformities. For example, you may use checklists, templates, or tools to record and organize your IT audit evidence and data. You should also verify and validate the accuracy and reliability of your IT audit findings and results.

添加您的观点

5 Report the IT audit outcomes

The fifth step is to report the IT audit outcomes. You need to summarize and communicate the main findings and results of your IT audit, and provide recommendations and suggestions for improvement and action. You also need to present and discuss the IT audit outcomes with your stakeholders, and obtain their feedback and agreement. For example, you may use reports, presentations, or dashboards to convey and visualize your IT audit outcomes. You should also follow the format, style, and tone of your IT audit report according to your organization's policies and standards.

添加您的观点

6 Follow up the IT audit actions

The sixth and final step is to follow up the IT audit actions. You need to monitor and track the implementation and progress of the recommendations and suggestions you provided in the previous step, and measure and evaluate the impact and effectiveness of the improvement and action plans. You also need to report and communicate the status and results of the follow-up activities, and identify and address any issues or challenges that may arise. For example, you may use indicators, metrics, or benchmarks to quantify and compare your ITOM performance and compliance before and after the IT audit. You should also update and revise your ITOM risk environment and IT audit plan according to the changes and outcomes of the follow-up activities.

添加您的观点

Gaffery Michael

Senior Internal Auditor, ICT
举报内容
In my experience the auditor is basically going to review the processes that were identified as posing high risk to meeting objectives through the audit activity.

已翻译

赞

7 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

IT Operations Management

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

How can you perform a risk-based IT audit for ITOM?

1

2

3

4

5

6

7

1 Define the scope and objectives

2 Assess the ITOM risk environment

3 Plan the IT audit activities

4 Execute the IT audit activities

5 Report the IT audit outcomes

6 Follow up the IT audit actions

7 Here’s what else to consider

IT Operations Management

给文章评分

感谢您的反馈

更多IT Operations Management相关文章

更多相关阅读内容

How can you perform a risk-based IT audit for ITOM?

1

2

3

4

5

6

7

1 Define the scope and objectives

2 Assess the ITOM risk environment

3 Plan the IT audit activities

4 Execute the IT audit activities

5 Report the IT audit outcomes

6 Follow up the IT audit actions

7 Here’s what else to consider

IT Operations Management

给文章评分

感谢您的反馈

查看其他技能