Monday, August 20, 2007

Internal Control, Internal Audit and IT Audit

So, let's start with basics.

What is the difference between Internal control and Internal audit and how to extend it to aspects of information technology?

We could say that internal control is the process intended to improve the quality of the business processes of an organization. The main tasks of internal audit are to provide assurance on the quality of those internal controls and to give recommendations on how to improve the existing internal control system.

IT Audit, as part of Internal Audit, acts in a similar way. But if there is no information security unit in the organisation, IT Audit could take on some responsibilities in the information security field. For instance, it could be access rights approval or daily checks of the security event logs of financial applications and the underlying operating systems.

The main problem with this approach is the impaired independence of the auditor's opinion on the information security controls and the inability to audit these control processes. But even in such a situation, IT Audit shouldn't perform any activities that involve changing the settings of software, telecommunications equipment, etc.

What is better? Have some information security controls without adequate assurance or have no information security controls at all? It is up to you guys.

Thursday, August 16, 2007

IT Audit, Information Security and Internal Control, why do we need to bother?

Why do we need to audit and control all these boring things?
Do people really need somebody who will crack a whip?

Unfortunately, our practice and experience show that this is the case. It is like Murphy's law: if something could be done wrong, it will be done wrong.

The answer to why this happens, if an answer exists at all, lies in the areas of philosophy and psychology. But it is easy to see that even highly motivated people often lack the desire to adhere to all the formalities, which they call bureaucracy.

That is why we IT Auditors and Information Security specialists will always have a job. And it is not only as a result of SOX, Basel II or any other local requirements on the management of the IT Audit, Information Security and Information Risk Management functions.

So the main purpose of this blog is to provide you with information on how to fully accomplish your functions and make people believe that they want your recommendations. :)

Do you think it is possible? Let's try together!