IT assets have to be protected, as that is where the money lies
for enterprises today. Stepping up information security is only one end of the
spectrum. Evaluating, reviewing and taking stock of the IT assets including
information security assets is the other end that is now gradually gaining
prominence. IT auditing today is as important and critical as any other revenue
audit in an enterprise, as most systems handling businesses are automated. The
risks that existed in earlier non-automated environments have increased by
introduction of technology that has brought in its own associated risks.
It's not just security but also the growing awareness of the need to
improve the efficiency and performance of the IT infrastructure that is driving
adoption of not only information security auditing but IT auditing as a whole.
Add to this the growing pressure to comply with regulations, and it is
not very far off before IT auditing becomes a necessity for agile enterprises.
However, a lack of enough qualified professionals to meet the growing demand
could well put a spoke in the wheel. As per ISACA, there are currently 1,645
CISAs certified in India, and of these approximately 400 were
certified in the country between January and September 2006. While the supply of
certified auditors has seen a jump in the last 2 years, it still hasn't kept
pace with the growing demand. According to SP Shah Singh, director, Trusted Info
Systems, the need for IT auditors far outstrips the supply of qualified
candidates. The uptake of auditing practice by enterprises will, therefore,
depend a lot on how the demand and supply dynamics emerge over the next few
years.
Gaining Prominence
The adoption of IT audit is globally catching up on the enterprise agenda
and is being taken seriously after the Enron and 7/11 disasters. According to
Vinod Sadavarte, CIO, Patni, global IT auditing, including security auditing,
has shown double digit growth in recent years. There is an increased awareness
and adoption in the Indian context too, with the trend gaining momentum in the
last 2 years. According to A Manjunath Babu, chief manager at State Bank of
Mysore's Information Systems Security Cell, banking, financial institutions,
software developers, outsourcing companies and call centers are the industry
segments where we can see increased adoption.
What's driving the rapid adoption is the recognition that
effective internal controls make good business sense. There is also global
pressure from the US Sarbanes-Oxley Act of 2002, which requires compliance by all
entities quoted on US stock exchanges. It is now mandatory for such a firm
to ensure that its suppliers/vendors adhere to the same stringent requirements
worldwide.
According to Radhakrishna Pillai, head, IT, SRL Ranbaxy, the
fact that India has the highest number of US FDA-approved pharma manufacturing
facilities outside the US itself shows that, to take advantage of the global
opportunity, Indian enterprises have to create the right atmosphere and a secure
environment. The BPO growth too has made it imperative to have more security.
Sidebar: IT Auditor's Checklist
As Ravi Srinivasan, senior VP, Client and Technology Solutions,
OfficeTiger, points out, customers are viewing IT auditing as a critical
precursor to working with any third party. India is a major player in the global
IT service center area and is also a major center for the development of new
software. "Global pressures thus apply to businesses, particularly those in
IT, which are based in India," explains Hugh Parkes of Australia-based
Parkes & Parkes Management Consultants.
According to Arun Gupta, director, P-GIS, BRM—SCANZ, Philips
Electronics India, among the other factors driving adoption, apart from
compliance with local and global legislation, are financial pressures on IT
budgets.
Though auditing was initially driven worldwide by
legislation, with the maturing of standards like ISO 27001 and COBIT there is a
growing trend to use audits to proactively control IT security and to use the
benefits as a business differentiator. Periodic IT audits have been recognized
as the most effective method to implement and maintain efficient IT
implementations.
In India the idea of auditing IT for performance and efficiency
was mostly practiced by the Indian divisions of global giants. Today there is a
growing awareness of the kind of benefits that this kind of auditing would
generate. According to Prosenjeet Banerjee, head, Information Security Services,
HCL Comnet: the key advantage for Indian companies with large IT infrastructure
would be the chance to streamline their organically grown IT infrastructure.
As more Indian companies globalize, they will put the focus on
audit of IT and IT security. In a connected economy, corporate partners are
expected to be on par with respect to their IT systems, as any compromise
may create an adverse impact. Thus, Gupta points out, most multinational
companies have adopted these practices and encourage their Indian partners to do
so too. Over the next 2-3 years it is expected that there will be few
enterprises that will not embrace this.
Why Audit?
IT Auditing is gaining criticality among Indian enterprises. It is common
knowledge that as the use of technology grows, so does the vulnerability. While
well-thought out policies and their stringent implementation can help in
overcoming these vulnerabilities, it needs to be followed by audits. It is
important for Indian enterprises to have sound internal controls so that the
community can have confidence in corporate governance (and IT governance) of the
enterprise. Assessing and advising on the development of effective internal
controls is a key role of IT auditing.
IT and security audits provide a framework and mechanism to
assess the effectiveness of measures implemented in addressing the internal and
external stakeholder expectations in managing IT, explains Sadavarte.
Auditing also becomes critical if an organization wants its IT
function to perform in tandem with the rest of the company. The pace of change
in the IT environment is so fast that without IT auditing, management will find
it difficult to control their IT spending and achieve expected benefits from
their IT investments. "IT/IS security audit is critical not only for
protection of information assets but also for an assurance that risk is managed
and business objectives are achievable," says Ajay Verma, chief information
technology officer at the Punjab National Bank & president of ISACA's
Delhi Chapter.
Philips' Example
"The scope of IT audit
varies from company to company as experienced by me over the last few
years. Within Philips, the scope of IT audit spans SOX, Process Maturity
based on COBIT IV, ITIL and ISO 9000:2000. We are audited every year on
these aspects and measured on the performance with respect to defined
controls. This requires substantial planning and processes that are
repeatable with adequate documentary evidence. With the exception of the
physical network, every other IT component is auditable and is audited.
Over the last one year we have seen improvements in our ratings and are on
the threshold of becoming a best practice within Asia."
-Arun Gupta, director,
P-GIS, Philips Electronics India
What it Involves
So, what does the whole tedious process of an IT/IS audit comprise? To
understand this, one needs to understand the objectives behind the two. According
to Babu, the main purpose of an IT audit is to review and evaluate an
organization's information system availability, confidentiality, and
integrity. It can also be said to be an examination of the controls within an
entity's IT infrastructure. The IT security audit, on the other hand, is a
systematic, measurable technical assessment of how the organization's security
policy is employed and practiced. "IT audits at a high level need to ensure
that appropriate policies and processes are in place to ensure availability,
confidentiality and integrity of the organization's IT systems, and that they
meet expectations of the internal and external stakeholders," says
Sadavarte. Overall, IT audits will look at the performance, general direction
and synergy of IT with the rest of the organization.
Typically, aspects of the organization's IT infrastructure
that come under purview of the IT audit include computerized systems and
applications, information processing facilities, processes, power and air-conditioning
systems, networks, systems development and management of IT and
enterprise architecture. There are very few businesses today which do not use
computers, information and application systems in every activity. Therefore, as
Parkes points out, any part of an enterprise's activity can fall under the
purview of an enterprise auditor, who should be fully competent and trained as
an IT auditor as well as familiar and competent in undertaking IT security work.
According to Verma, at a broader level, an IT/Security audit is
guided by the business objective. The components of an IT audit include physical
and environmental, system administration, application software, network
security, business continuity and data integrity review. The physical and
environmental review includes physical security, power supply, air conditioning,
humidity control and other environmental factors. System administration review
includes security review of the operating systems, database management systems,
all system administration procedures and compliance. Application software review
consists of review of access control and authorizations, validations, error and
exception handling, business process flows within the application software and
complementary manual controls and procedures.
Security review takes into account the internal and external
connections to the system; perimeter security, firewall review, router access
control lists, port scanning and intrusion detection are some typical areas of
coverage. Business continuity review includes existence and maintenance of fault
tolerant and redundant hardware, backup procedures and storage, and documented
and tested disaster recovery/business continuity plan. The purpose of the data
integrity review is the scrutiny of live data to verify adequacy of controls and
impact of weaknesses that have been noticed in any of the above reviews. The use
of computer assisted audit techniques has been gaining ground in conducting
these reviews.
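The firewall and router ACL review mentioned above can be partly automated. The following is an added example, not code from the article or from any of the organizations it quotes: a small rule-base checker over a constructed packet-filter rule list. It flags the findings an auditor would typically raise (a permit any/any rule, management or cleartext services reachable from any source) and detects shadowed rules, i.e. rules that can never match because an earlier rule already covers all their traffic. The rule format, port lists and sample rules are assumptions made for this illustration.

```python
"""Added example: review of a constructed packet-filter rule base, as an
IT security audit's firewall / router ACL review might do it. Rule format,
flagged-port lists and sample rules are constructed for this illustration."""
from dataclasses import dataclass
from ipaddress import ip_network

# Services whose exposure from arbitrary sources an auditor normally flags
# (constructed, illustrative list).
MGMT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 445: "smb", 1433: "mssql", 3306: "mysql"}
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str   # "permit" or "deny"
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port as a string, or "any"


def _net(cidr):
    """Map "any" to the whole IPv4 space so subnet comparisons work uniformly."""
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.port != "any" and outer.port != inner.port:
        return False
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst)))


def review_rules(rules):
    """Return (rule id, finding) tuples in rule order; first-match semantics assumed."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "permit":
            if r.src == "any" and r.dst == "any" and r.port == "any":
                findings.append((r.rid, "permit any/any: rule allows all traffic"))
            elif r.src == "any" and r.port != "any":
                p = int(r.port)
                if p in MGMT_PORTS:
                    findings.append((r.rid, f"{MGMT_PORTS[p]} ({p}) reachable from any source"))
                if p in CLEARTEXT_PORTS:
                    findings.append((r.rid, f"cleartext protocol {CLEARTEXT_PORTS[p]} permitted"))
        # A rule fully covered by an earlier one can never match: it is shadowed.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.rid, f"shadowed by rule {earlier.rid} ({earlier.action})"))
                break
    return findings


# Constructed sample rule base (not from any real device).
SAMPLE_RULES = [
    Rule(10, "permit", "10.0.0.0/8", "10.20.0.0/16", "tcp", "443"),
    Rule(20, "permit", "any", "10.20.0.5/32", "tcp", "23"),          # telnet from anywhere
    Rule(30, "deny", "10.0.0.0/8", "10.20.0.0/16", "tcp", "443"),    # shadowed by rule 10
    Rule(40, "permit", "any", "any", "any", "any"),                  # permit everything
    Rule(50, "permit", "192.168.1.0/24", "10.20.0.0/16", "tcp", "22"),  # shadowed by 40
]

if __name__ == "__main__":
    for rid, text in review_rules(SAMPLE_RULES):
        print(f"rule {rid}: {text}")
```

The shadowing check is deliberately conservative: it only reports a rule as dead when a single earlier rule covers it completely, so a rule hidden by the combination of several earlier rules is not reported. An auditor would supplement this with the change-control records for the rule base, since the question is not only whether a rule is risky but who approved it and why.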
Sidebar: Audit Challenges
According to Shah, the various steps in each of these reviews
are planning, studying, testing and evaluating controls, reporting and then
follow-up. More comprehensively, the steps involved in an audit are
understanding the organization's business profile; the IT infrastructure;
scope and focus of the audit; planning; control-matrix; conducting the audit;
analyzing the findings; and, finally, following up for compliance and closure.
Addressing Security
Security audit is a big component of the IT auditing exercise. As a
stand-alone exercise it can be big enough to encompass the whole organization or
simple enough to be a technical audit of critical servers. However, as Verma
points out, IT security audit is one of the most integral components of the IT
auditing process and has to be taken up from a holistic perspective; as a
standalone exercise it may not do justice to the audit. "Whatever the size of the
exercise, IT security auditing remains a critical management aid in controlling
IT risks and ensuring compliance to legislations," opines Banerjee.
Since IT is an integral part of the enterprise, IT security
audit too is critical. Security audit focuses on protection of data and a whole
lot of controls built around it. Data being the mainstay of the business, its
security is imperative.
Security audit covers the organization's risk appetite, what
controls are defined and how they are practiced in accordance with the policy.
According to Shah, the primary goal of a security audit is to assess the
effectiveness of the organization's ability to protect its information assets.
This audit covers the various measures a client organization has taken to secure
its systems from internal and external intrusions. The recommendations arising
out of the review lead to an updated security policy.
There is a questionnaire phase followed by a physical site
visit, then interviews with key staff on security and BCP to understand how they
think, their level of understanding and their knowledge of the business.
"Being prepared with all the documentation ahead of time, including all
Information security policy documentation and proof that the existing policies
are actually implemented, is what the auditor is typically looking for,"
explains Srinivasan.
While IT audit usually covers areas like IT strategy, program
development and change control, operations and access control, security audit is
largely a technical assessment of a system or application from the security
perspective. In short, explains Sadavarte, IT audits touch upon the business
aspect of security at a broader level whereas security audits dwell deep into
the technicalities as well.
Sidebar: The Audit
Checking Effectiveness
Effective and successful IT audits are accurate, consistent and reliable.
Needless to say, such an audit can reveal time and money wasted on redundant
information sources as well as detect strengths and weaknesses in the existing
information services. So, what makes for an effective and successful audit? An
effective and successful audit first and foremost proceeds from clear management
direction and requirements. An IT audit which fully focuses on the strategic
needs of the business and delivers valuable results to the enterprise, is
therefore the answer. Getting all of these to be recognized and in place is
hard, but necessary. According to Parkes, in an IT audit it is important to
understand where the activity being audited fits within the strategies and
structures of the enterprise as well as to plan what is needed to understand the
internal controls.
Furthermore, to achieve effectiveness the auditor must be very
clear about the scope of the audit. The finding should be directly relevant to
the scope and supported by artifacts. The recommendations too should be clear
and bring out the expected benefits. Like any other audit exercise, an IT audit
too requires independence and an effective reporting system. As IT auditing can
be quite technical or process focused, depending on what is needed, it helps if
the auditors are trained in the technical aspects of IT.
The auditor who conducts the audit must understand the business
of the organization, its mission, vision and goals. This must be followed by full
knowledge of the area s/he is expected to audit. The auditor must be independent
in conducting the audit. Next, s/he must understand the organization's risk
appetite, conduct the audit with due diligence, and maintain the confidentiality of
the findings, evidence, etc. S/he must stay focused on the scope of the audit
charter and be responsible while reporting (accuracy and sufficiency of evidence,
fair technical assessment, and accountability).
Tools of the Trade
There are a number of tools available to help in IT auditing. A spreadsheet
works as a simple aid to audit. Computer Aided Audit Tools (CAATs) can be used
to extract, sample and manipulate data. CAATs are used for sophisticated analysis
to support business operations beyond accounting and the financial statements.
Some of the other emerging tools and techniques include interactive auditing
capabilities, predictive audit monitoring, and the use of artificial intelligence
(heuristic or neural network) capabilities for inferencing and other purposes.
In the area of IT security, vulnerability assessment and penetration testing are
used to test controls and find weaknesses.
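The data integrity review described earlier ("scrutiny of live data to verify adequacy of controls") and the CAAT use just mentioned (extract, sample and manipulate data) come down to the same kind of code. The block below is an added example, not code from the article or from any product it names: a small CAAT pass over constructed extracts of an access list and a payments ledger. It runs three full-population exception tests (dormant privileged accounts, segregation-of-duties breaches where one person entered and approved a payment, and possible duplicate payments) and draws a reproducible random sample for substantive testing. The record layouts, cut-off date, thresholds and sample data are all assumptions made for the illustration.

```python
"""Added example: a minimal computer-aided audit technique (CAAT) pass of the
kind used in a data integrity review. All records, the cut-off date and the
thresholds below are constructed for this illustration."""
from datetime import date
import random

AS_OF = date(2006, 9, 30)     # audit cut-off date (constructed)
DORMANT_DAYS = 90             # inactivity threshold for privileged accounts (assumption)

# Constructed extract of an access-control list: (user, role, last login or None).
ACCOUNTS = [
    ("alice", "admin", date(2006, 9, 28)),
    ("bob",   "admin", date(2006, 5, 2)),    # privileged and dormant
    ("carol", "user",  date(2006, 3, 1)),    # dormant but unprivileged
    ("dave",  "admin", None),                # privileged, never logged in
]

# Constructed extract of a payments ledger:
# (txn id, vendor, amount, entered by, approved by).
PAYMENTS = [
    (1001, "ACME",    4200.00, "bob",   "alice"),
    (1002, "ACME",    9800.00, "carol", "carol"),   # entered and approved by same person
    (1003, "Globex",   150.00, "dave",  "alice"),
    (1004, "Globex",   150.00, "dave",  "alice"),   # possible duplicate of 1003
    (1005, "Initech", 75000.00, "bob",  "bob"),     # entered and approved by same person
]


def dormant_privileged(accounts, as_of=AS_OF, limit=DORMANT_DAYS):
    """Privileged accounts not used within `limit` days of the cut-off, or never used."""
    out = []
    for user, role, last in accounts:
        if role != "admin":
            continue
        if last is None or (as_of - last).days > limit:
            out.append(user)
    return out


def sod_violations(payments):
    """Transaction ids where the same person both entered and approved the payment."""
    return [tid for tid, _, _, entered, approved in payments if entered == approved]


def duplicate_payments(payments):
    """Groups of transaction ids sharing vendor and amount (candidate double payments)."""
    seen = {}
    for tid, vendor, amount, _, _ in payments:
        seen.setdefault((vendor, amount), []).append(tid)
    return [ids for ids in seen.values() if len(ids) > 1]


def sample_for_testing(payments, n, seed=20060930):
    """Reproducible random sample for substantive testing.

    The seed is recorded in the workpapers so a reviewer can regenerate the
    exact sample, which is what makes the selection auditable."""
    rng = random.Random(seed)
    return sorted(rng.sample([tid for tid, *_ in payments], n))


if __name__ == "__main__":
    print("dormant privileged accounts:", dormant_privileged(ACCOUNTS))
    print("segregation-of-duties breaches:", sod_violations(PAYMENTS))
    print("possible duplicate payments:", duplicate_payments(PAYMENTS))
    print("sample for substantive testing:", sample_for_testing(PAYMENTS, 2))
```

Each test runs over the whole population, which is the main advantage CAATs have over manual review of a sample: an exception test costs the same whether the ledger has five rows or five million. The random sample is still needed for the substantive work that cannot be automated, such as tracing a payment back to the signed invoice, and seeding it makes the selection reproducible for the reviewer.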
According to Parkes, more fundamental is clear reporting with
the use of graphics to help executive management in understanding of the issues
arising from audit work and why these are relevant to the enterprise. This adds
up to better communication. A digital picture in an audit report can tell more
than a thousand words. An old cliché, but one that is true.
Sidebar: Factors For Effective IT Audit
What Now?
Without follow-ups the benefits of auditing are vastly reduced. According to
Pillai, self-evaluation on a regular basis is necessary to improve the quality
of security. So, an enterprise should have an internal audit mechanism for the
same, which should be followed by an annual, external IT audit. However, the
frequency of the auditing exercise depends on the organization and
the business it is in. There is no set rule; it should be need-based, keeping
the purpose in mind. The audit can be an ongoing exercise to monitor a specific
control point or a periodic one to meet a compliance requirement.
According to Babu, the auditing exercise should be carried out very
frequently in the beginning, because the technology is new, policies are new,
awareness is low and risk perceptions are high. Later, depending on the tuning and
fine-tuning of the policy and its implementation, the frequency can be worked
out, keeping in view the results of risk assessment exercises; the same is true
for follow-ups.
According to Banerjee, IT audits are usually conducted once or
twice a year and they are also conducted whenever the infrastructure undergoes a
major change. Whatever the frequency, follow-ups are critical to make the
exercise a success.
While the Indian scenario looks good considering the growing
awareness and uptake, the enterprises are still in the process of learning the
tricks of the trade and moving up the maturity ladder. They are in the process
of overcoming the initial barrier of viewing the IT audit exercise as yet
another time and resource consuming affair. As this happens and the enterprises
move to the other side of the fence, the market is expected to grow
exponentially. That is where the lack of adequate manpower will emerge as a
bigger area of concern.
Shipra Arora
shipraa@cybermedia.co.in