IT operations
The last area of focus is the IT group and how the integrity of the system is
maintained. If changes to the system and security around the system are
compromised, one may not be able to place any reliance on the automated
controls or the reporting produced by the system. Prior to auditing any
environment, it is helpful if one can draw a conclusion on the effectiveness
of both the design of controls and compliance with them in the IT area.
Again, auditors will have access to many useful production reports, which
should include exception reporting. Looking at access control procedures
is the key to ensuring only authorized personnel have access to the system
and to very specific functionality. The auditor needs to be in constant
contact with violations and security breaches to assess system integrity, as
well as rule out the potential fraud element.
Another critical area is the change management process. System upgrades
are routine, but must follow authorized protocols to ensure not only the
integrity of the system, but also that the system continues to operate
without failure. The auditor will need to utilize production reporting to
ensure all changes are identified, authorized and validated.