Audit and Assurance


Types of IT audit

  • 1.  Types of IT audit

    Posted 17 Mar, 2020 07:00
    Hi guys,

    How do you distinguish the difference between the different audit types?

    In detail, I understand there are 3 levels of depth in auditing:

    1. I understand there are audits to assess the level of compliance (whether an enterprise creates sufficient policy/regulation documentation to meet the authorities' laws).

    2. I also understand there are audits to assess the level of control (risk mitigation) (whether an enterprise designs and implements/operates the controls for the identified risks).

    3. I also understand there are audits to assess the enforcement of controls with technical solutions, so that the effectiveness of controls can be ensured.

    My question is:
    - what are the theories to define different levels of auditing depth?
    - If no theories, how would you define for yourself? For example: in an example domain of "Access Management", I can create 3 audit engagements:
    1. An audit to seek assurance on whether a company creates sufficient documentation on policy/regulation for Access Management.
    2. An audit to seek assurance on whether a company creates controls in place (by processes) for Access Management.
    3. An audit to seek assurance on whether a company creates a TECHNICAL SOLUTION for enforcing the ACCESS MANAGEMENT.

    Is it proper for me to create such 3 audit engagements?

    Thanks for sharing!


    Hong-Anh Nguyen
    IT Auditor

  • 2.  RE: Types of IT audit

    Posted 19 Mar, 2020 14:14
    Hi Hong-Anh,

    Hope that you are doing well and staying safe. The audit engagements you are referencing in your comments are simply audit steps within an engagement that has a scope that includes access management. The three different types of audits are IT General Controls Reviews, Application Controls Review, and Post implementation/project control review.

    Each one of these types of audit would include an access control review in it. In any given audit we always review the governance/compliance as you mentioned above, then we review the processes around managing access to identify control points implemented by the organization and what risk mitigation controls are present, and finally we test either a sample or the entire population to confirm that the controls are working effectively. As for enforcement of the controls, it will be identified in the risk mitigation controls.
    To answer your questions above, the level of depth depends on the scope of the audit. For example, if you work for a bank and you are asked to complete an ITGC review for a branch, then you will review the access controls for the branch. If the branch uses enterprise processes to manage the access, then you just test the users' access at that location. If they don't, then you have to ask for all the governance and process documentation, and test the access for that location.

    Hope that helps.

    Juman Doleh-Alomary
    Director, IT Audit

  • 3.  RE: Types of IT audit

    Posted 20 Mar, 2020 12:17
    A clear explanation, Juman, thank you.

    Building on Juman's advice, Hong-Anh, I would also check auditees' understanding of the controls in place, e.g. what they believe their purpose is; how useful the controls are; which controls they believe are inappropriate and why. This review provides additional, in-depth evidence of each control's strength as well as broadening the evidence that can be useful in assuring the quality of risk management generally, and identifying the potential for security breaches and social engineering in particular.
    This type of review is more part of the governance and risk mitigation, and less about actual compliance, but will help identify where compliance exists with inappropriate or out-of-date controls. That sort of compliance provides false comfort.
    This approach should, of course, be included in all access management reviews and can be applied to your own three 'in depth' levels. The review of auditees' understanding will help assess the value and quality of compliance, process controls and technical controls.

    Sue Milton

  • 4.  RE: Types of IT audit

    Posted 21 Mar, 2020 21:57

    About the first point, we can classify audits into compliance audits and non-compliance audits.

    About the second point, it kind of corresponds to test of design (TOD) or design effectiveness test (DET): the auditor checks the control design of something. For example, an auditor checks a physical access control design for a data center. S/he finds areas with access card control and guards but no CCTV. S/he might find the design a bit lacking and then recommend that they install CCTVs. Checking existing policies and procedures is TOD.

    The third point kind of corresponds to test of effectiveness (TOE) or operational effectiveness test (OET): the auditor checks whether the designed controls are working and effective. For example, the auditor might find through observation that the guards are sometimes not in their places for an extended period. The auditor should check both technical controls and nontechnical controls.

    In a compliance audit, the auditor checks whether the design complies with regulations (TOD), and then checks the implementation of the control design (TOE).

    In a non-compliance audit, the auditor evaluates the design using existing frameworks and standards as references, such as TIA 942 (TOD). After that s/he checks the implementation of the existing control design (TOE).

    An auditor should do both TOD and TOE (points 2 and 3?); only doing TOD is not enough and might lead to false assurance. Only doing TOE... err... I guess it's not systematic or prudent?

    Reza Aminy