ICT Audit Presentation - 2024


INFORMATION AND COMMUNICATIONS TECHNOLOGY (INFORMATION SYSTEM) AUDITING
PCOL RUBEN B BORRES
ADDA, ITMS

Information and Communications Technology (ICT) Auditing


What is Information Technology (IT)?
• Information technology, as defined by the Information Technology Association of America (ITAA), is “the study, design, development, implementation, support or management of computer-based information systems, particularly software applications and computer hardware.” IT deals with the use of electronic computers and computer software to convert, store, protect, process, transmit, and securely retrieve information.

Information System
• "An information system can be defined technically as a set of interrelated components that collect (or retrieve), process, store, and distribute information to support decision making and control in an organization. In addition to supporting decision making, coordination, and control, information systems may also help managers and workers analyze problems" - Laudon and Laudon.

[Figure: Information System; labels: Business Processes, Information Technology]

Information System:
• A customized program built to fit a specific business process or to be used for a specific application:
❑ Storage and retrieval
❑ Processing (arithmetic operations, sorting, indexing, extracting, consolidating, summarizing and others)
❑ Distribution/transfer

Level of Use of Information System (IS)

[Figure: pyramid of information system levels; side labels: Management Information System (MIS), Information System]
4. Expert Support System, Group Decision SS (Strategic Mgmt.)
3. Expert System and AI, Decision Support Sys (Tactical Mgmt.)
2. Office Automation Systems and Knowledge Work System (Organization)
1. Transaction Processing System (Operations)

Information System

Examples of Information Systems (IS)
• Examples of Information Systems that may be used in a City Police Office:
– Personnel Accounting Information System (Personnel)
– Criminal Records Information System (Investigation) and Police Clearance Information System
– Wanted Persons Information System (Intel)
– Derogatory Information System (Intel)
– Rogue Gallery Information System (Operations)
– Blotter Information System (Operations)
– Reporting (Spot, Follow-up, Final) Information System and Statistics Information System (Operations/Investigation)
– Journal Information System (Operations)
– Arrested Persons Information System (Investigation)
– Operations Information System (Operations, Intel, PCR)
– Financial Information System (Finance)
– Logistics Information System (Firearms, Commo, Transpo and others) (Logistics)
– Others (GIS, GPS, Website/webpage, Email, VoIP)

IT or IS Audit
An information technology audit, or information systems audit, is an
examination of the management controls within an Information
Technology (IT) infrastructure.

IT Audit
SPECIFICALLY:

Information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties.

IT Audit
The evaluation of obtained EVIDENCE determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

IT Audit Purpose
The purposes of an IT audit are to evaluate the system's internal control design and effectiveness, including but not limited to the following:

❑ Efficiency and security controls and protocols
❑ Audit of the business process where the Information System is being used, to prevent and/or detect fraud
❑ Development processes
❑ IT governance or oversight

IT Audit Types
• Technological innovation process audit. This audit constructs a risk profile for existing and
new projects. The audit will assess the length and depth of the company's experience in its
chosen technologies, as well as its presence in relevant markets, the organization of each
project, and the structure of the portion of the industry that deals with this project or product,
organization and industry structure.

• Innovative comparison audit. This audit is an analysis of the innovative abilities of the
company being audited, in comparison to its competitors. This requires examination of the
company's research and development facilities, as well as its track record in actually producing
new products.

• Technological position audit: This audit reviews the technologies that the business currently
has and that it needs to add. Technologies are characterized as being either "base", "key",
"pacing" or "emerging".

IT Audit Categories (Others)
• Systems and Applications: An audit to verify that systems and applications are appropriate, are
efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing,
and output at all levels of a system's activity.
• Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure
timely, accurate, and efficient processing of applications under normal and potentially disruptive
conditions.
• Systems Development: An audit to verify that the systems under development meet the objectives of
the organization, and to ensure that the systems are developed in accordance with generally
accepted standards for systems development.
• Management of IT and Enterprise Architecture: An audit to verify that IT management has developed
an organizational structure and procedures to ensure a controlled and efficient environment
for information processing.
• Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify
that telecommunications controls are in place on the client (computer receiving services), server, and
on the network connecting the clients and servers.

IT Audit Categories (Others)

[Figure labels: Studying and Evaluating Controls; Testing and Evaluating Controls]

IT, IS and MIS Professions
USER LEVEL
▪ Users – Computer Operations
▪ Support – Hardware, Network, Software and People
▪ IT Sales and Marketing
▪ IT Hardware Manufacturing Workers
▪ Encoders
▪ Call centers workers

MIDDLE MANAGEMENT (IT PROFESSIONALS)
▪ Programmer – Client-server and Web-based
▪ Systems Analysis
▪ Network Administrators
▪ Database Administrators
▪ Systems Administrators
▪ Head of Technical Supports
▪ Head of Software Support
▪ Information Security Managers
▪ IT Risk Managers
▪ IT Auditors
▪ Quality Controls
▪ Project Leaders
▪ Consultants
▪ IT Trainers
▪ Cybersecurity Professionals

UPPER MANAGEMENT
▪ IT Managers and Executives (Private) – IT Managements
▪ IT Governance (Public) - Chief Information Officer – IT Administrations and Operations

Role of IT Auditor

The ICT Application

Info Security Triad
InfoSec Pillars: C-I-A
❑ Confidentiality ~ Who should know?
❑ Integrity ~ Is the content changed?
❑ Availability ~ Is it accessible at the right time and place?

CYBERSECURITY FRAMEWORK (NIST):
[Figure: framework functions shown as columns: 1 Identify, 2 Protect, 3 Detect, 4 Respond, 4.5, 5 Recover]
1. Identify: Classification; Risk Management; Business Impact Analysis; Vulnerability Assessment And Penetration Testing (VAPT); Threat Intelligence/Analysis
2. Protect: Mitigations; Controls/Measures (Firewall, Web Access Firewall, Data Leak Protection, Intrusion Detection System/Intrusion Protection System, etc.)
3. Detect: Monitoring - Logs Evaluation; Security Incident And Event Mgmt (SIEM); End-point Detection And Response (EDR); Network Detection And Response (NDR)
4. Respond: Notify; Security Orchestration And Automation Response; Forensic Investigation; CyberSecurity Analysis
5. Recover: BCP/DRP; Data Privacy Compliances

ICT Auditing
An ICT business audit can look at and inform you of 5 important aspects of your business, reporting back and making recommendations for development.

[Figure: ICT APPLICATIONS, surrounded by the five aspects]
❑ Information Needs of the Business
❑ Technology Presently Available to the Business
❑ Business Data Held and Used By the Business
❑ ICT Capability Within the Business
❑ Leadership And Management (IT Governance)

Information Needs of the Business: The Business?
❑ What is the Core Business/Mandate of the Organization?
❑ What are its products or services?
❑ Who are its clients?
❑ What is its current status in the market/industry?
❑ Who are its partners?
❑ Who are its competitors?

Information Needs of the Business: The Business Processes?
❑ Existing processes and technology
❑ Compliance with laws and policies
❑ Process improvements based on ICT applications
❑ Identify functional and technical requirements for new systems and processes
❑ Identify funding requirements
❑ Project Development/Management

Information Needs of the Business

Communication:
❑ within the business
❑ with clients
❑ with suppliers
❑ with other significant individuals or organisations

Technology Presently Available to the Business
• Current Hardware

• Current Software

• Mobile technologies

• Current Web Sites and internet technologies

• Social Networks

Business Data Held and Used by the Business

❑ Current systems for managing business data: manual and electronic

❑ Critical business data

❑ Data security

Business Data Held and Used by the Business

Information Security

ICT Capability within the Business

ICT KNOWLEDGE:

❑ Individual Qualifications

❑ Individual skills, understanding and knowledge

❑ Training history

ICT Capability within the Business

IT GOVERNANCE

Leadership and Management (IT Governance)

❑ Setting Strategic Objectives and Direction

❑ Decision making

❑ Management

Use of the Result of an ICT audit:
1. The ICT audit becomes the basis for an ICT/IT development plan that joins together with existing business planning.
2. Helps ensure best use of existing Information and Communications Technology within a business.
3. Ensures ‘ownership’ of the technology available to a business.
4. Identifies specific training needs.
5. Gives clarity of knowing ‘where you are now’ and where development pathways should lead.
6. Puts a business in the best position for future informed decision making.

The ICT Application

Thank You
