How to Conduct Effective IT Audits?

In this newsletter, we're diving into a topic critical for both seasoned auditors and those just starting their audit journey: conducting effective audits.

"What's the #1 thing an auditor should check?"

Well, traditionally, auditors ensure existing controls are functioning as intended, safeguarding against specific risks.

But let's take this a step further.

As IT auditors, our responsibility goes beyond verifying control operation. We also need to assess whether the control itself is designed effectively to mitigate the intended risk.

Imagine a change management control, for example.

Ideally, in any organization, every change destined for the production environment should be thoroughly tested and approved before deployment. This control aims to minimize the risk of introducing errors or vulnerabilities. However, an effective audit goes beyond simply verifying if changes are tested.

We need to delve deeper and assess whether the change management process itself is well-designed to ensure proper testing and approval occur.

Early in my career, I encountered a situation that taught me a valuable lesson about change management testing.

We were tasked with ensuring all changes to various applications followed a proper change management process. In this process, another person would review and approve changes before they were implemented in production, minimizing the risk of unforeseen issues.

While testing the change management procedures for one specific application, I discovered a concerning gap.

A particular type of change, across all the applications, was not being tested before being pushed to production.

This situation became a learning experience for me as an auditor. It highlighted the importance of not immediately calling out discrepancies.

Instead, use them as opportunities for clarification.

In this case, we noticed a deviation from the standard change management process. We brought this to the attention of the control owner, not as an exception, but as a point for understanding. We phrased it something like,

"Hey, we noticed these types of changes aren't being tested in the non-production environment before deployment to production."

Ideally, change management dictates that all changes, regardless of type, should undergo testing in a non-production environment first.

Test results should be reviewed and approved before promoting the change to production. However, in this instance, the client responded by saying these specific changes typically aren't tested.

Now, from an audit perspective, the key question becomes:

Are you comfortable with the associated risk? If these changes go straight to production and something goes wrong, is management willing to accept that risk?

This is where auditor judgment comes into play.

Let's say management isn't comfortable with the risk of certain changes not being tested in a non-production environment.

Even if every sample you pull followed the standard change management process, an entire change type that is never tested points to a deeper issue: the control itself might not be designed effectively.
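To make that distinction concrete, here is an added example (not from the newsletter) that checks a constructed set of change records against the control described above: a per-record test surfaces operating exceptions, while an aggregate by change type surfaces a design gap, such as a whole change type that is never tested in non-production. The record fields, change-type labels and sample values are assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ChangeRecord:
    """One change ticket. Field names are assumptions for this example."""
    change_id: str
    change_type: str            # constructed labels: "code", "config", "data-fix"
    tested_in_nonprod: bool     # was the change tested outside production?
    test_result_approved: bool  # were the test results reviewed and approved?
    implementer: str
    approver: str               # the process requires a second person here

# Constructed sample records, not real audit evidence.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-001", "code", True, True, "dev_b", "reviewer_a"),
    ChangeRecord("CHG-002", "code", True, True, "dev_c", "reviewer_a"),
    ChangeRecord("CHG-003", "code", True, False, "dev_b", "reviewer_a"),  # one lapse
    ChangeRecord("CHG-004", "config", False, False, "ops_e", "reviewer_d"),
    ChangeRecord("CHG-005", "config", False, False, "ops_f", "reviewer_d"),
    ChangeRecord("CHG-006", "config", False, False, "ops_e", "reviewer_d"),
    ChangeRecord("CHG-007", "data-fix", True, True, "dev_b", "dev_b"),  # self-approved
]

def operating_exceptions(changes):
    """Per-record test: which changes did not follow the documented process?"""
    failed = []
    for c in changes:
        reasons = []
        if not c.tested_in_nonprod:
            reasons.append("not tested in non-production")
        if not c.test_result_approved:
            reasons.append("test result not approved")
        if c.approver == c.implementer:
            reasons.append("approver is the implementer")
        if reasons:
            failed.append((c.change_id, reasons))
    return failed

def design_gaps(changes):
    """Aggregate by change type. A type in which no change at all was tested
    points at the control's design (the process excludes that type), not at
    isolated operating lapses, and is the question to raise with the owner."""
    tested_by_type = defaultdict(list)
    for c in changes:
        tested_by_type[c.change_type].append(c.tested_in_nonprod)
    return sorted(t for t, flags in tested_by_type.items() if not any(flags))
```

Run over the sample, the per-record test flags five tickets, but only the aggregate shows that the "config" type is systematically excluded, which is the design question the anecdote describes.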

Here's the lesson learned.

As auditors, our responsibility is to ensure controls are designed to address management's risk tolerance. Remember, controls aren't meant to eliminate risk entirely, but to reduce it to an acceptable level.

In my case, management wasn't happy with the residual risk, which is why we identified it as an exception. This prompted them to develop action plans to mitigate that risk.

This is the typical auditor workflow. But the key takeaway here isn't just about process. It's about using your judgment.

Don't just test samples and call it a day. Think critically: does the control in place truly address the risk it's designed for?

That's all for this week! I hope you found this information valuable. If you have any questions or want to delve deeper into a specific topic, don't hesitate to reach out. I'm always happy to chat.

By the way, I've included a link below that gives you free access to all my audit content. Take advantage of these resources and empower yourself with financial knowledge!

https://linktr.ee/chinmayskulkarni

CLARENCE TRAYNHAM, CFE, CFS, CICA

Audit Compliance Analyst Supervisor at Maryland Department of Budget & Management

8 months

Insightful!
