Introduction
The Information and Communications Technology (ICT) industry has evolved immensely since the turn of the 21st century. The contribution of ICT to general business performance through the use of bookkeeping and reporting systems has helped firms grow their revenue and, in some instances, avoid winding down. Information systems have introduced a layer of efficiency in the manner in which businesses operate by providing better ways to manage information and communications among companies. The introduction of these systems has brought not only efficiency but also cybercrime and malicious system access, which have had a negative impact on the confidentiality, integrity and availability of data. Globalization efforts among trade partners and nations have also made significant use of ICTs to bridge geographical boundaries and distances.
The negative effects of the introduction of these systems necessitated control mechanisms to ensure their proper usage, through a process called auditing. Auditing is a means of evaluating the effectiveness of a company's internal controls. Maintaining an effective system of internal controls is vital for achieving a firm's objectives, obtaining reliable financial reporting on its operations, and preventing fraud and misappropriation of its assets. The risks associated with the introduction of computer systems in turn called for a means of monitoring and controlling the use of those systems in business, called information technology audit. Information technology control and audit is a critical mechanism for ensuring the integrity of information systems and of the reporting of organization finances, in order to avoid and prevent future financial crises.
The Asian Risk Management Institute explains ERM as a disciplined and cohesive approach to risk that supports the configuration of strategy, process, people, and technology, and allows firms to categorize, rank, and effectively manage their serious risks. The Information Systems audit contributes to the enterprise risk management effort by assessing the organisation's critical systems, technology architecture and processes to assure that information assets are protected, reliable, available and compliant with the organisation's policies and procedures, as well as with the applicable laws and regulations of the country of operation. A significant relationship was found between the level of ERM implementation and the firm's value. This finding makes it imperative that efforts be directed towards strengthening enterprise risk management through the use of technology, so as to continue increasing firm value. IT risk systems and their integration with the enterprise risk management process vary widely among enterprises, so the auditor must define the scope of the audit to fit the enterprise. This assertion presents the need to assess how effectively IT audit systems improve enterprise risk management decisions in firms.
Background
The production of audited company statements is a requirement enshrined in the Zimbabwe Companies Act 243 (3). The requirement mandates firms to appoint auditors to produce audit reports for the respective company accounts kept within the firm. The adoption of ICT systems by a majority of firms in Zimbabwe has helped them manage information better as well as increase productivity, monitoring and evaluation. This increased use of ICTs in firms has thus posed significant risk to firms in the growing cyber space from cybercriminals. Malicious activity has also been reported to originate from an organisation's own employees and system users. To effectively manage the IT risks introduced to business processes, many firms have adopted the use of IT auditors, internal and external, to review the controls within the IT infrastructure, identify the risks and put forward recommendations on how the risks can be managed. The uptake and use of IT audit has been slow, with the majority of firms preferring to use only financial auditors. However, a report by PwC (2011) indicated that threats from the use of ICTs are growing phenomenally, with global cybercrime costs estimated to reach 400 billion USD by 2017. Some organisations have therefore acknowledged this growing threat and embarked on a drive to strengthen their enterprise risk management process, with IT auditing providing a mechanism for planning and for evaluating the effectiveness of the measures that have been implemented.
Auditing in Zimbabwe
The auditing profession is regulated by the PAAB. It can be noted that many organisations have internal audit departments with the mandate of producing reports directed to the board of directors. For the purposes of publication, a number of organisations engage the services of external auditors to issue audit opinions on the status of their financial position. For other organisations, forensic audit processes are initiated to allow specific issues to be investigated within the firm.
Internal auditors are tasked with using a risk-based approach: internal audit provides assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the board and operational management achieve risk management and control objectives. Without internal auditing, organisations would be besieged by fraud, theft, waste and inefficiencies that make them less competitive.
IT audit in Zimbabwe
IT audit in Zimbabwe has been a growing phenomenon, and many organizations are embracing the need for well-trained information systems auditors. IT auditors have played a pivotal role in assisting firms to manage risks related to IT systems. IT audit not only points to vulnerabilities but also helps organisations assess exposure levels and compare those with the baseline risk appetite defined within their global ERM strategy.
The growth of cybercrime mentioned above has also contributed to the growth of IT audit functions to include forensic investigation. IT audit professionals have found themselves needing forensic investigation skills as crime escalates. The ability to recover from attackers and exploited threats is the major key to establishing an IT risk resilient organization.
It is imperative that firms in Zimbabwe continue to invest in equipping their audit functions, especially those related to IT, as businesses embrace technology in doing business. IT auditors also need to be trained and have their skills upgraded so that they are able to help organisations detect and respond to cyber threats.
Why IT audit should be considered
Access Control
Unauthorised access to information and systems is one of the dangers posed by both internal and external actors. Such a deliberate breach of system security causes damage to files, and potentially to the integrity of systems and organisations. Firms need to engage well-skilled IS audit personnel to diligently evaluate controls on information, to avoid both intentional and unintentional disclosure of, and changes to, files. Policies and procedures need to be employed to manage and limit access to information systems resources. The policies adopted should set out how access is allocated to both internal and external stakeholders of the organization, and it is the work of the auditors to verify that such policies are being adhered to by asking common sense questions regarding aspects of access control such as password change policies, time limitations, and so forth.
Network Security
Computer systems have largely been connected through the use of networks, which has seen the advent of such concepts as the Internet of Things. Protecting network systems becomes very important in the era of the internet, to ensure that no unauthorised access is granted. Measures also need to be taken to protect data in transit so that no unauthorized access occurs. The development of protocols and standards has ensured that systems from different vendors can be connected. That interconnectedness of devices also means greater vulnerability to external actors who may be remotely located and yet have active access to systems through networks.
Companies must consider all of the ways in which data flows into and out of their systems and address the weakest links in order to protect against such malicious activity. The transmission of information across airwaves, through technology such as wireless routers and infrared ports, is especially open to hacking because the signals are not physically contained.
Investment is therefore needed to ensure that networks are hardened to protect against attacks.
Asset Management
The computers and other technological devices which store such data are themselves valuable and costly as well. Hardware equipment is subject to theft, damage, impoundment, and maintenance costs. Portable devices such as laptops are especially vulnerable to the two former risks, whereas they and all stationary devices are subject to the two latter risks. Upon the decision to dispose of hardware, an organization must take into account the sensitivity of the data on the machine when determining its destruction process.
People pose additional risks in asset management when they become addicted to counter-productive computer activities, download hacker-enabling files, and share illegal files using their machines. The computer activity of employees should be managed carefully, and clear policies should outline computer use expectations. Technological solutions are also available that limit use and monitor activity.
Software Acquisition and Development
An organization's purchase of software applications poses risks in terms of its usability, effect on customers, legal issues, and effect on company processes. Software tends to be most expensive when developed within a company with the input of outside consultants, and software intended from its onset to perform its function within the company tends to reduce overall risk and minimize costs. A company must be especially careful when choosing Internet-based applications, because the lifespan of such software is much shorter due to competition and the speed of development.
A successful internal auditor can take into consideration the multi-faceted and ever-changing nature of technology risks within a company and ensure that measures imposed by management provide both flexibility and restriction where they are necessary to allow for effective and realistic business function. The use of common sense in general audits can lead to significant findings even when compared to complex technical reviews, which yield ineffective results if not supported by a strong foundation.
Conclusion
Overall, IT audit is a key component of ERM, as can be seen from the above. Firms therefore need to revisit their IT and risk management strategy to ensure that IT risks are considered and given priority where necessary. Investment should be directed towards equipping IT auditors and information security personnel to further cement the organisation's cyber resilience. The areas recommended above are only the beginning of a journey in which IT audit becomes a critical component of risk planning and management in firms.