IT Auditing

General

Information technology is one of the most crucial resources of any organization. The future of the organization and the efficiency of its activities depend on the manner in which this resource is managed. Notwithstanding the importance of an organization's IT activity, management very often has no real ability to direct, check and control this resource. Our approach is that the audit of information systems is an important tool in the hands of internal auditors and other executives for obtaining an objective and professional picture of how soundly the organization's information technology is managed, by focusing examinations on those areas of organizational activity that involve the greatest risks.

Our firm has amassed extensive experience in auditing information systems. That experience combines practical work in the field as former IT personnel with internal audit work in general and information systems auditing in particular. This combination enables us to understand the needs of both the IT staff and the management and audit staff. In conducting our audits, we make use of advanced techniques as well as computerized audit tools.

In our opinion, combining experience in internal auditing and information systems auditing with information systems analysis gives our audit considerable added value for the organization.

The audit process

Our approach to the IT audit is that it is a process intended to check and improve the work processes and control mechanisms of the system being audited. As part of the audit we check, among other things, whether a given computerized process includes proper controls (input, processing and output), whether the control cycles are closed, whether the computerized controls are effective, whether the provisions of the law and management guidelines are adhered to, and the quality of the interfaces with other systems and of the information security. The audit process includes the following major phases:

·      Introductory discussions with executives – The discussions are held "top-down", with the goal of understanding the audited issue and the people involved in it, presenting the audit process to the audited party, and focusing and setting the goals and scope of the audit.

·      Planning the audit – Conducting a risk assessment for the relevant audit and identifying the major points of risk on which the audit will focus. On the basis of this assessment, a detailed audit plan is prepared, including prioritization of issues.

·      Field work – Based on the audit plan, the field work includes, in some cases, use of computerized audit tools that allow the audit team to efficiently examine large quantities of data.

·      Summation meeting – Toward the end of the audit, a meeting is held with the auditee, during which the auditors present the findings as formulated to date. The goal of this meeting is to receive the auditee's feedback on the findings and to jointly formulate recommendations for remedying the faults that were found. In our opinion, this meeting gives the audited parties an opportunity to take ownership of the audit's conclusions.

·      Preparation of a draft audit report – The audit report is prepared in a structured format that follows the process that was audited. For the reader's convenience, the report includes an executive summary and a summary of findings and recommendations. The draft is submitted to the auditee for comments.

·      Presentation to management and preparation of a final report – A draft of the report is sent to management. The auditor presents the audit that was conducted and a discussion takes place in connection with the findings and the recommendations. Management feedback is incorporated into the report, following which a final version of the report is prepared.

·      Presentation of the report to the audit committee.

Types of IT audits

·      Auditing information systems

Our experience includes auditing a broad variety of information systems: complex systems such as ERP and billing; financial management, bookkeeping and supplier systems; logistics systems such as procurement, inventory and sales; payroll and human resources; asset management; banking; file management; and others. For all of these systems the audit can examine, among other things, the following issues:

·           Whether the system supports the work processes and whether it is adequately suited to the needs of the client

·           The quality of the controls integrated into the system

·           The quality of the data and identification of deviant or erroneous data

·           Information security in the system

·           The quality of the interfaces and the connections with other information systems

·           The infrastructure of the system (developments and adjustments, versions, problems and support, documentation)


·      Auditing the functioning of the computer systems

Examining specific areas of activity managed by the computer unit or by other parties in the company:

·           Development and maintenance of information systems

·           Help-desk activity

·           Procurement of systems and equipment

·           Backup management

·           Management of the computer unit

·      Computer-related risk assessment

Conducting an assessment of the operational risks associated with computerization. The assessment serves management and the internal auditor and includes a mapping of all of the computer-related issues in the organization. Each issue forms a chapter of the report, with a general background, the findings that arose during the assessment, an evaluation of the potential risk, and issues to be checked in that area of activity.

·      Information security

Information security can be divided into three major areas of activity: physical security of the data, information security in the area of infrastructure (the operations department, networks, etc.), and information security in the area of information systems. The major audit issues are presented below:

·           Organizational policy and the manner in which it is enforced

·           The quality of the management of user accounts

·           The quality of the user authorization matrix of both company and third-party users

·           Ensuring that the password policy complies with Israeli standards

·           Protection of communications systems

·           Follow-up of information security events

·           Compliance with the privacy protection law

·           Securing computer installations

·           The quality of the backup management
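The user-account and authorization-matrix items above, together with the use of computerized audit tools to examine large quantities of data described under the field work phase, are the kind of checks that can be scripted over a user-access extract. The following is an added example written for this page, not code from the firm or from any audit tool: the account extract, HR roster, role names and segregation-of-duties rule pairs are constructed sample data and assumptions, and the 90-day dormancy threshold is an assumed audit parameter.

```python
"""
Added example (not the audit firm's code): automated checks an IT auditor
might run over a user-account extract during field work, covering the
"management of user accounts" and "user authorization matrix" audit items.
The extract, HR roster and segregation-of-duties rules are constructed
sample data; field names and role names are assumptions, not any product's
format.
"""
from datetime import date, timedelta

# Constructed sample extract: one row per account in the audited system.
ACCOUNTS = [
    {"user": "dana.l",    "employee": "E100", "type": "employee",    "enabled": True,
     "roles": {"AP_VENDOR_MAINT", "AP_INVOICE_ENTRY"},   "last_login": date(2024, 3, 1)},
    {"user": "yossi.k",   "employee": "E101", "type": "employee",    "enabled": True,
     "roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}, "last_login": date(2024, 2, 28)},
    {"user": "ext.dev1",  "employee": None,   "type": "third_party", "enabled": True,
     "roles": {"SYS_ADMIN"},                              "last_login": date(2023, 9, 10)},
    {"user": "ronit.m",   "employee": "E102", "type": "employee",    "enabled": True,
     "roles": {"GL_POSTING"},                             "last_login": date(2023, 10, 1)},
    {"user": "svc_batch", "employee": None,   "type": "service",     "enabled": True,
     "roles": {"GL_POSTING"},                             "last_login": None},
]

# Constructed HR roster: employee id -> termination date (None = still employed).
HR_ROSTER = {"E100": None, "E101": None, "E102": date(2023, 12, 31)}

# Hypothetical segregation-of-duties rules: role pairs one person must not hold.
SOD_CONFLICTS = [
    ("AP_VENDOR_MAINT", "AP_PAYMENT_APPROVE"),
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"),
]
# Assumed set of privileged roles that third parties should not hold.
PRIVILEGED_ROLES = {"SYS_ADMIN"}


def dormant_accounts(accounts, as_of, days=90):
    """Enabled interactive accounts with no login in `days` days (or never)."""
    cutoff = as_of - timedelta(days=days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["type"] != "service"
                  and (a["last_login"] is None or a["last_login"] < cutoff))


def terminated_with_access(accounts, roster, as_of):
    """Enabled accounts whose employee left before `as_of` according to HR."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["employee"] in roster
                  and roster[a["employee"]] is not None
                  and roster[a["employee"]] < as_of)


def third_party_privileged(accounts):
    """Third-party accounts holding any privileged role."""
    return sorted(a["user"] for a in accounts
                  if a["type"] == "third_party" and a["roles"] & PRIVILEGED_ROLES)


def sod_violations(accounts, rules):
    """(user, role_a, role_b) for every conflicting role pair held by one account."""
    hits = []
    for a in accounts:
        for r1, r2 in rules:
            if r1 in a["roles"] and r2 in a["roles"]:
                hits.append((a["user"], r1, r2))
    return sorted(hits)


def run_audit(as_of):
    """Run all checks as of an ISO date string or date and return the findings."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    return {
        "dormant": dormant_accounts(ACCOUNTS, as_of),
        "terminated": terminated_with_access(ACCOUNTS, HR_ROSTER, as_of),
        "third_party_privileged": third_party_privileged(ACCOUNTS),
        "sod": sod_violations(ACCOUNTS, SOD_CONFLICTS),
    }


if __name__ == "__main__":
    for finding, rows in run_audit("2024-03-15").items():
        print(f"{finding}: {rows}")
```

Run as-is, the script prints four finding lists for an as-of date of 15 March 2024. In practice the constructed ACCOUNTS and HR_ROSTER would be replaced by exports from the audited system and from the HR system, and the segregation-of-duties pairs and dormancy threshold would be agreed with the auditee before field work, since each finding in the list becomes an item for the summation meeting.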

·      Preparedness for emergency situations (BCP & DRP)

·           The existence of a disaster recovery plan (DRP), its currency and its fit to the needs of the organization

·           Statutory aspects and compliance therewith

·           The quality of the backups performed and the controls in connection with such performance

·           Conducting tests and trial runs to assess the ability to implement the DRP and the integrity of the backups

·      Miscellaneous

·           Participation in the meetings of the computerization steering committee

·           Audit in connection with acceptance testing of information systems

·           Checking the definition of information systems needs

·           Training in connection with information systems auditing