Audit and Assurance


Adding monetary savings to IT Audit findings

  • 1.  Adding monetary savings to IT Audit findings

    Posted 07 Feb, 2020 18:40
    Is anyone part of an internal IT Audit team that adds estimated monetary ("dollar") values to savings that result from IT audit recommendations, and if so, what do you see as areas where IT Audit have made such recommendations? The most obvious one that I see is software licensing, where we might identify over-licensing and therefore savings resulting from their redistribution. Also, improvements in monitoring telecoms usage can lead to savings which can also be quantified.

    But, after these two examples, it becomes somewhat more difficult. Failure to patch can lead to a breach, but how large will that breach be? Not sure how that can be quantified until after the event. Maybe patching is not an area where monetary savings can be quantified before the breach?

    Any experience in this area, or ideas, or can you point me to any ISACA materials?

    Many thanks for any help that you can give.


    Richard Kingston
    IT Audit Manager

  • 2.  RE: Adding monetary savings to IT Audit findings

    Posted 08 Feb, 2020 10:57


    We have in prior audits identified and reported questioned costs in our audit reports. We have questioned costs in audits involving cloud security where we identified cloud computing services that were acquired and deployed that were not approved, authorized to operate, or covered by a systems security plan (ghost IT). We have also questioned costs on Supply Chain Risk Management audits where we identified IT assets (hardware, software, and services) that were acquired outside of the supply chain risk management assessment approval process or were otherwise not authorized for use within the network environment. We use this methodology of questioning costs on most of our IT audits where we are assessing any of the hardware, software, or services within our network environment. We also question costs when the acquisition of IT hardware, software, and services is done improperly, say when the contract to acquire the item fails to properly incorporate the necessary IT security contract clauses, which could create the potential for a risk or a vulnerability if not present.

    Best of luck,


    Joseph Shook, MBA, CIA, CFE, CISA
    Audit Manager
    NASA Office of Inspector General