Skip Navigation

Appendix D—Information Technology Audits

Considering the large outlay of resources involved in LDS development, many states will want to review how their tax dollars are being spent. As a result, your agency may become involved in federal or state auditing processes and procedures. Agencies developing LDSs may therefore be interested in the available types of information technology audits and what they encompass.

According to Wikipedia, an information technology audit, or information systems audit, is "an examination of the controls within an information technology (IT) infrastructure. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement."

If your agency can afford it, the creation of an internal audit team can be very beneficial, potentially saving your organization time and money. The first step in developing an audit team is to define the information technology audit functions. A useful approach is to define your IT function into layers: IT management, technical infrastructure, applications, and external connections (Juergens 2006).

As Juergens states, IT management "comprises the set of people, policies, procedures, and processes that manage the IT environment." This layer also includes system monitoring, programming, planning, management of outsourced vendors, and IT governance. Technical infrastructure usually refers to systems that underlie, support, and enable the primary business applications such as operating systems, databases, and networks. Applications may be classified into two categories: transactional and support. Transactional applications consist primarily of software that processes and records business transactions. Support applications are specialized software programs that facilitate business activities but generally do not process transactions such as email programs, fax software, and design software. External connections are those that your network connects to, such as the Internet or other business networks.

Organizations developing LDSs may be interested in two types of controls to be audited: application controls and information technology general controls.

Application controls are specific to each application and relate to the transactions and data pertaining to each computer-based application system. The objectives of application controls are to ensure the completeness and accuracy of records and the validity of the entries made resulting from programmed processing activities. Examples of application controls include:

checkmark icon Input controls: These controls are used mainly to check the integrity of data entered into a business application, whether the data is entered directly by staff, remotely by a business partner, or through a web-enabled application or interface. Data input is checked to ensure it remains within specified parameters.
checkmark icon Processing controls: These controls provide an automated means to ensure processing is complete, accurate, and authorized.
checkmark icon Output controls: These controls address what is done with the data, and should compare actual results with the intended result by checking the output against the input.
checkmark icon Integrity controls: These controls monitor data being processed and in storage to ensure they remain consistent and correct.
checkmark icon Management trail: Processing history controls, often referred to as an audit trail, enables management to identify the transactions and events they record by tracking transactions from their source to their output, and by tracing backward. These controls also monitor the effectiveness of other controls, and identify errors as close to their sources as possible. (Bellino and Hunt 2007)

General controls apply to all system components, processes, and data present in an organization or systems environment. The objectives of these controls are to ensure the appropriate development and implementation of applications; as well as the integrity of program and data files, and of computer operations. The most common general controls are

checkmark icon logical access controls over infrastructure, applications, and data;
checkmark icon system development life-cycle controls;
checkmark icon program change management controls;
checkmark icon physical security controls over the data center;
checkmark icon system and data backup and recovery controls; and
checkmark icon computer operation controls.
(Bellino and Hunt 2007)

Risk Assessment

One of the many benefits of an information audits is to identify risks to your organization. Juergens (2006) has identified the following as possible risks:

checkmark icon availability, when the system is unavailable for use;
checkmark icon security, when unauthorized access to systems occurs;
checkmark icon integrity, when the data is incomplete or inaccurate;
checkmark icon confidentiality, when information is not kept secret;
checkmark icon effectiveness, when the system does not deliver an intended or expected function; and
checkmark icon efficiency, when the system causes a sub-optimal use of resources.

The Audit Process

The following is an example provided by Microsoft Corporation's Regulatory Compliance Planning Guide (Microsoft 2006) on what to expect during an IT audit.

  1. Plan the audit (auditor).
  2. Hold audit kickoff meeting (auditor/organization).
  3. Gather data and test IT controls (auditor/organization).
  4. Remediate identified deficiencies (organization).
  5. Test improved controls (auditor/organization).
  6. Analyze and report findings (auditor).
  7. Respond to findings (organization).
  8. Issue final report (auditor).

IT audits create challenges for organizations by forcing them to come into, and maintain, compliance. But audits also offer benefits, increasing your organization's process improvement and business advantage.