It Audit and Risk Assessment

Submitted By reglice
IT AUDIT - INFORMATION SYSTEM AUDIT - INFORMATION SECURITY ASSESSMENT

An IT AUDIT is an independent and systematic assurance exercise (conducted according to standards or to the company's defined policy) over the IT environment under study or over a business application. Its purpose is to give reasonable assurance that controls over IT processes have been implemented in such a way that the company can achieve its objectives effectively (using available resources optimally) and efficiently (in terms of performance); these controls should prevent, detect or correct any undesirable event that could negatively impact the company. The measure of conformity (or non-conformity) of existing controls should be supported by evidence that the auditor collects and assesses for reasonableness, completeness and reliability. For items requiring improvement, the auditor should make recommendations. An IT AUDIT can be done at the level of an IT system or, for example, at the level of the procedure for assigning responsibilities for the execution of a given IT process.

IT Risk Assessment, on the other hand, seeks to identify and evaluate (quantitatively or qualitatively) the risks and vulnerabilities in the audited element and to recommend measures, according to best practices, in order to eliminate the risk or reduce it to an acceptable level. In any audit exercise, a thorough preliminary risk assessment (which culminates in drafting the audit plan) precedes the actual audit tasks. This is even more the case when the IT audit is performed specifically at the level of the enterprise's information system security, in which case the auditor can make use of the ISO 27002 framework, an internationally recognized standard for information security.

The Importance (Raison d'Etre) of controls over IT processes: It all starts from the principle that the information system is the backbone of an enterprise and that the information it delivers (including business applications, staff and IT infrastructure) should conform to the information criteria defined by senior management, so as to allow the company to achieve its objectives. So what controls should be implemented over IT processes in order to help achieve these business objectives? The COBIT framework can be used to provide reasonable assurance that all key IT processes have been considered for that purpose.

General Approach of an IT audit:

1- Obtain a good understanding of the audited element (what the business processes are, the sector of activity, etc.)
2- Preliminary risk assessment (assign a quantitative or qualitative score to risks) and audit plan realization
3- Detailed audit plan
4- Preliminary inspection of the element under audit
5- Evaluation of the element to audit
6- Verify and evaluate controls
7- Control design/compliance testing
8- Analytical/substantive testing (to assess the degree of correctness of existing controls)
9- Report (communicate the audit results to senior management/audit committee)
10- Follow Up