Monday, August 20, 2007

Internal Control, Internal Audit and IT Audit

So, let's start with basics.

What is the difference between Internal control and Internal audit and how to extend it to aspects of information technology?

We could say that internal control is the process intended to improve the quality of the business processes of an organization. The main tasks of internal audit are to provide assurance on the quality of those internal controls and to give recommendations on how to improve the existing internal control system.

IT Audit, as part of Internal Audit, will act in a similar way. But if there is no information security unit in the organisation, IT Audit could take on some responsibilities in the information security field. For instance, it could be access rights approval or daily checks of the security event logs of financial applications and the underlying operating systems.

The main problem of this approach is the impaired independence of the auditor's opinion regarding information security controls and the inability to audit these control processes. But even in such a situation IT Audit shouldn't perform any activities that involve changing settings of software, telecommunications facilities etc.

What is better? Having some information security controls without adequate assurance, or having no information security controls at all? It is up to you guys.


Andrey said...

Your topic title exactly describes how these services should be implemented. First internal controls, then internal audit and IT audit.
You can create good internal audit only if internal controls are adequate. And IT audit should be based on good IT controls. And of course audit helps to improve existing controls.
But I think that IT audit should not replace IT security or any other IT control function like application tests, backup execution control etc. And not only because of independence. They are just different tasks. It is a different scope of knowledge. I'm not sure that an IT auditor can do good security log analysis. Otherwise, why is he an IT auditor and not a security specialist?

I audit said...

Well, formally you are absolutely right. IT Audit should not perform any of the information security functions. But. :) There are always some "but" reasons. One of them is the choice that I mentioned. You could give a "no assurance" opinion in the information security area and recommend the creation of an information security department. You've done your duty and all are happy. :) But there is still no acceptable level of information security in the organisation. What could you do as IT Auditor in such a case? Yes, I'm talking about compensating controls. And now I have an idea how to assure the independent opinion of the IT Auditor. There should always be a backup IT Auditor :) who could check your work on an independent basis. Let's leave the matter of the scope of the IT Auditor's knowledge open for now. I guess it should be the theme of another article.

ahadoo said...

Hi, nice and very useful blog..
I was surfing to gather information on ISAC... I got your link on