practice to commence the audit with senior management such as the CEO, IT director, IT
manager, or line managers so that issues relating to IT governance and other major IT issues
affecting the enterprise are discussed first. Later the IS auditor can proceed with interviews
with operations staff, such as IT system managers, systems administrators, network
administrators, and application administrators.
Armed with well-developed questionnaires and audit tools, the IS auditor should find the
work a lot easier, and a happy journey throughout all the offices and departments. As
the IS auditor makes appointments to interview various managers and specialists, he should
remember that his work is that of an advisor and a value-adding IS auditor. The IS auditor
should not be seen as a police officer or somebody who has come to find faults. As soon as
the IS auditor is perceived to be taking the policing role, it is likely that the officers
will resent his presence, and he might receive limited cooperation from the auditees. An
assurance from the IS auditor, given at the commencement of the audit, that he is there to
add value will help put the auditees at ease and enable them to open up and fully cooperate. It
is important that the auditees receive assurance from the IS auditor that he is there to help
them enhance performance of the enterprise. In many instances, the auditees will even
volunteer more information than required if they have confidence in the IS auditor.
During the audit, the IS auditor will be required to collect evidence supporting responses
from the client. Where the client is not able to provide evidence immediately, it is good
practice to write down in the questionnaire (just below the questions) the type of evidence
to be collected after the interview. This will help the IS auditor to later compile
a list of documents to collect. The IS auditor should not rely on others for a reminder of
this responsibility. Everyone is busy, and it is unlikely that they will send a reminder notice.
In addition to collecting responses and evidence in document form, the IS auditor will be
required to make data extracts from live or backup systems. It's good practice for the IS
auditor to extract data from a non-production system where it is not practical to extract data
from a live system. Data can be extracted from backup servers or from the recovery site.
Sometimes the IS auditor might be required to observe live real-time systems. In this case,
the IS auditor and the client will have to make sure that the connection to the live system
is well tested and will not disturb or corrupt the live system. The IS auditor should also
request appropriate authorisation from senior management before extracting data from
the live system.
In cases where authorisation is not given by senior management, the IS auditor may have to
rely on historical data from backup servers. It is also recommended that only suitable and
approved software is used to interrogate or connect to live servers.
There are various data interrogation tools on the market which can be used to support
different types of audits. The IS auditor can find on the market special software tools which
are used to extract data from network devices such as firewalls, routers, switches, and intru-