Was sind die wichtigsten Schritte und Tools für die Durchführung von IT-Audit-Tests und die Sammlung von Nachweisen?

1. The first step to any IT audit is obtaining a throughout understanding of the risks. This can be done by liaising with the process owners/stakeholders. This process would help determine the scope of the audit. 2. Once the risks are identified, it is critical to define the controls implemented by the auditee to address the risk. 3. Once the controls are defined, the next step is to determine the extent of testing to be performed to verify the effectiveness of controls. For e.g.; testing just the design of the control versus testing operating effectiveness. This approach should be decided in conjunction with the auditee. 4. Based on the extent of testing, the approach to testing (sampling criteria, documentation etc.) are decided.

Eh essenciaal que na etapa planejamento da abordagem de teste seja definir o escopo e os objetivos da auditoria de TI, identificar os sistemas, processos e controles a serem testados, desenvolver um plano de teste detalhado, incluindo os procedimentos a serem seguidos e as ferramentas a serem utilizadas.

Before testing, ensure completeness, accuracy, and a good understanding of the business. Otherwise, you might end up valuing bonds at 'par' like an old discount store

I agree, completeness and accuracy is very important before testing commences. I would add knowledge of business as one of the prerequisites. For example, government bonds are currently issued at par. Previous, they were issued at discount. Applications used to value bonds are expected to be revised.

When planning your testing approach for IT audit, start by defining the objectives and scope of the audit. Identify the key areas and systems to be tested, such as network security, application security, and data protection. Determine the testing methods and tools to be used, such as vulnerability assessments, penetration testing, and log analysis. Develop a detailed test plan that outlines the testing approach, schedule, and resources required. Ensure that the test plan aligns with the organization's goals and compliance requirements. Regularly communicate with stakeholders to keep them informed of the testing progress and any findings.

It is common when interviewing personnel to make in-person requests while discussing the control being tested. Direct requests may involve an auditor sitting with a control owner observing software controls and gathering screen-shots and other electronic information as evidence. An auditor may confirm the availability of policies, procedures, and disaster recovery plans by asking someone to show where they are located. Direct requests may be made for information to be supplied later. An auditor might follow up a meeting with an e-mail summarizing requested information and what is to be expected.

When selecting and using tools for IT audit testing, consider the specific needs and objectives of the audit. Choose tools that are reliable, user-friendly, and capable of providing the necessary insights into your systems and processes. For example, use vulnerability scanners like Nessus or Qualys for identifying vulnerabilities, log analysis tools like Splunk or ELK Stack for monitoring and analyzing security logs, and compliance tools like Tripwire or OpenSCAP for ensuring compliance with standards. Additionally, consider using penetration testing tools like Metasploit or Burp Suite for simulating attacks and identifying security weaknesses.

Whenever feasible, automated tools should be employed for evidence collection. These tools not only streamline the process, saving time and effort, but also boost the credibility of the collected evidence. This is because they ensure the inclusion of pertinent details such as date and time stamps. Moreover, the reliability of the evidence is directly tied to the reliability of the tool used for its collection. Therefore, it’s crucial that the tool itself is dependable to ensure the accuracy of the information it captures.

Além disso, entendo ser crucial na execução dos procedimentos de testes, realizar os testes de acordo com o plano estabelecido. Utilizar ferramentas de auditoria, como softwares de varredura de vulnerabilidades, para identificar possíveis falhas de segurança e vulnerabilidades, além de seguir os procedimentos de teste de acordo com as melhores práticas de auditoria de TI.

There are 2 main factors to be considered during execution: 1. Timing of the testing Audits may take place in different phases. For instance; for year-end audits, the testing may be bifurcated into interim and roll forward phases to get coverage of how the control is placed throughout the year. Whether or not to use the phased testing approach is decided based on the length of the audit period. 2. Testing Plan Testing plan for audits are defined based on the type of the audit. For SOX and SOC-1 audits, the testing objectives would be more focused more on controls over financial reporting. For SOC-2 audits, the testing objectives follow the TSCs. It is crucial to have a well-defined testing plan well-tailored to the audit being performed.

When executing your testing procedures for an IT audit, follow your defined test plan and use the selected tools to conduct the tests. This may include vulnerability assessments, penetration testing, and log analysis, among others. Document your findings and observations accurately and thoroughly, noting any vulnerabilities, weaknesses, or areas for improvement. Ensure that testing is conducted in a controlled and ethical manner, respecting the confidentiality and integrity of the systems being tested. Regularly communicate with stakeholders to keep them informed of progress and any significant findings.

Na fase de coleta e analise suas evidências entendo que seja uma das considerações mais criteriosas do processo, desta forma, deve-se documentar todas as evidências coletadas durante os testes de auditoria. Analisar as evidências para identificar padrões, tendências e possíveis pontos de melhoria. Utilizar ferramentas de análise de dados, se necessário, para processar e interpretar as evidências coletadas.

When collecting evidence, it’s not merely enough for an auditor to witness the extraction process firsthand. Equally crucial is the documentation and recording of these procedures. By documenting the steps in detail so that an independent auditor can replicate the process and arrive at the same conclusion regarding the completeness and accuracy of the extracted evidence is very crucial step.

Collecting and analyzing evidence in an IT audit involves gathering information from various sources, such as documentation, logs, and interviews, to support your findings and conclusions. Ensure that the evidence is relevant, accurate, and reliable. Analyze the evidence systematically, looking for patterns, trends, and anomalies that may indicate security risks or compliance issues. Use tools and techniques to help analyze the evidence, such as data analysis tools and forensic methods. Document your analysis findings clearly and concisely, linking them back to the audit objectives and criteria.

A coleta de evidências é essencial para assegurar a eficácia e segurança dos sistemas de informação de uma organização. Durante essa etapa, é importante revisar documentos e políticas relacionadas à segurança da informação, conduzir entrevistas com pessoal chave para compreender processos e controles, e utilizar ferramentas de auditoria para examinar sistemas e logs. Posteriormente, é necessário analisar as evidências, comparando práticas observadas com critérios e padrões estabelecidos, avaliando a eficácia dos controles e identificando vulnerabilidades, além de documentar descobertas e preparar relatórios de auditoria.

A mistake many make is forgetting to ensure sufficiency by addressing the completeness assertion. Receiving evidence is one thing, verifying that parameters used to extract the evidence align with cut off requirements and overall scope, is another thing altogether.

Nesta fase é hora de relatar suas descobertas e recomendações, Elaborando um relatório de auditoria detalhado com as descobertas, análises e recomendações. Apresentar as conclusões do teste aos stakeholders relevantes e discutir as medidas corretivas necessárias. Documente claramente as recomendações para melhorias futuras.

When communicating the results and suggestions of an IT audit, it is important to present the information in a clear, brief, and structured way. Begin with an executive summary that emphasizes the main findings and recommendations. Give thorough findings for each audited area, detailing the nature of the finding, its consequences, and any supporting evidence. Provide practical suggestions for addressing the findings, prioritizing them according to risk and impact. Customize the report to the audience, offering technical specifics for IT staff and high-level overviews for management. Incorporate a plan for executing the recommendations and enhancing the organization's overall security posture.

When reporting findings and recommendations from an IT audit, present the information in a clear, concise, and organized manner. Start with an executive summary that highlights the key findings and recommendations. Provide detailed findings for each area audited, including the nature of the finding, its impact, and any supporting evidence. Offer practical recommendations for addressing the findings, prioritizing them based on risk and impact. Ensure that the report is tailored to the audience, providing technical details for IT personnel and high-level summaries for management. Include a roadmap for implementing the recommendations and improving the overall security posture of the organization.

Often, as IT auditors, we may too focused on driving the discussions around findings purely from a technical standpoint - ignoring the business impact and what really matters to the stakeholders from our exceptions noted. It's always important as we report to remember: IT enables the Business, not the other way around.

Por fim, acompanhe e feche seus testes, monitorando a implementação das recomendações e ações corretivas propostas. Verifique se as melhorias foram efetivamente implementadas e se os controles de segurança foram reforçados.Encerre formalmente o processo de auditoria de TI e documente todas as etapas realizadas, incluindo os resultados e as lições aprendidas. Ao seguir essas etapas e utilizar as ferramentas adequadas, é possível realizar testes de auditoria de TI de forma abrangente e eficaz, garantindo a segurança e conformidade dos sistemas de informação da organização.

In my professional experience, the most important thing when it comes to collecting evidence is to verify the completness and accuracy of that evidence. No matter which tool is used to gather the evidence and perform procedures, unless you are comfortable on the data that has been pulled, testing doesn't make any sense. I always ensure that the evidence is complete and is accurate. I perform additional procedures to verify it so that my testing results are up to the mark. As an IT Auditor, you should also document these procedures performed in verifying the completeness and accuracy of data being utilized in audit testing!

While there could be numerous tools for evidence gathering, the most reliable source of evidence is the one which the IT auditor collects themselves to ascertain the evidence collected is complete & accurate serving the purpose.