Friday, 9 March 2018

The need for IT audit to enhance decision making in Enterprise Risk Management among Zimbabwean firms



Introduction

The Information Communications Technology (ICT) industry has evolved immensely since the turn of the 21st century. The contribution of ICT to general business performance through bookkeeping and reporting systems has helped firms grow their revenue and, in some instances, avoid winding down. Information systems have introduced a layer of efficiency into the way businesses operate by providing better ways to manage information and communication among companies. The introduction of these systems has brought not only efficiency but also cybercrime and malicious system access, which have had a negative impact on the confidentiality, integrity and availability of data. Globalisation efforts among trade partners and nations have also made significant use of ICTs to bridge geographical boundaries and distances.

The negative effects of introducing these systems necessitated control mechanisms to ensure their proper usage, through a process called auditing. Auditing is a means of evaluating the effectiveness of a company's internal controls. Maintaining an effective system of internal controls is vital for achieving a firm's objectives, obtaining reliable financial reporting on its operations, and preventing fraud and misappropriation of its assets. The risks associated with the introduction of computer systems likewise called for a means of monitoring and controlling their use in business, known as information technology audit. Information technology control and audit is a critical mechanism for ensuring the integrity of information systems and of the reporting of organisational finances, in order to avoid and prevent future financial crises.


The Asian Risk Management Institute describes ERM as a disciplined and cohesive approach to risk that supports the alignment of strategy, process, people and technology, and allows firms to categorise, rank and effectively manage their most serious risks. The information systems audit contributes to the enterprise risk management effort by assessing the organisation's critical systems, technology architecture and processes to assure that information assets are protected, reliable, available and compliant with the organisation's policies and procedures, as well as with the applicable laws and regulations of the country of operation. A significant relationship has been found between the level of ERM implementation and the firm's value. This finding makes it imperative that efforts be directed towards strengthening enterprise risk management through the use of technology, so as to continue increasing firm value.

Because IT risk systems and their integration with the enterprise risk management process vary widely among enterprises, the auditor must define the scope of the audit to fit the enterprise. This assertion presents the need to assess how effectively IT audit systems improve enterprise risk management decisions in firms.

Background

The production of audited company statements is a requirement enshrined in the Zimbabwe Companies Act 243 (3). The requirement mandates firms to appoint auditors to produce audit reports for the company accounts kept within the firm. The adoption of ICT systems by a majority of firms in Zimbabwe has helped them manage information better and increase productivity, monitoring and evaluation. This increased use of ICTs has, however, posed significant risk to firms from cybercriminals in the growing cyberspace. Malicious activity has also been reported to originate from an organisation's own employees and system users. To effectively manage the IT risks introduced into business processes, many firms have engaged IT auditors, both internal and external, to review the controls within the IT infrastructure, identify the risks and put forward recommendations on how those risks can be managed. The uptake of IT audit has been slow, with the majority of firms preferring to use only financial auditors. However, a report by PWC (2011) indicated that threats arising from the use of ICTs are growing phenomenally, with global cybercrime costs estimated to reach 400 billion USD by 2017. Some organisations have therefore recognised this growing threat and embarked on a drive to strengthen their enterprise risk management process, with IT auditing providing a mechanism for planning and for evaluating the effectiveness of the measures that have been implemented.

Auditing in Zimbabwe

The auditing profession is regulated by the PAAB. Many organisations have internal audit departments with the mandate of producing reports directed to the board of directors. For the purposes of publication, a number of organisations engage the services of external auditors to issue audit opinions on the status of their financial position. In other organisations, forensic audit processes are initiated so that specific issues can be investigated within the firm.

Internal auditors use a risk-based approach to provide assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the board and operational management achieve risk management and control objectives. Without internal auditing, organisations would be besieged by fraud, theft, waste and inefficiencies that make them less competitive.

IT audit in Zimbabwe

IT audit in Zimbabwe has been a growing phenomenon, and many organisations are embracing the need for well-trained information systems auditors. IT auditors have played a pivotal role in assisting firms to manage risks related to IT systems. IT audit not only identifies vulnerabilities but also helps organisations assess their exposure levels and compare them with the baseline risk appetite defined in their overall ERM strategy.

The growth of cybercrime mentioned above has also caused the IT audit function to expand to include forensic investigation. IT audit professionals have found themselves needing forensic investigation skills as crime escalates. The ability to recover from attackers and exploited threats is the key to establishing an IT-risk-resilient organisation.

It is imperative that firms in Zimbabwe continue to invest in equipping their audit functions, especially those related to IT, as businesses embrace technology in doing business. IT auditors also need to be trained and have their skills upgraded so that they are able to help organisations detect and respond to cyber threats.

Why IT audit should be considered

Access Control

Unauthorised access to information and systems is one of the dangers posed by both internal and external actors. Such deliberate breaches of system security damage files and can compromise the integrity of systems and organisations. Firms need to engage well-skilled IS audit personnel to diligently evaluate the controls on information, in order to prevent both intentional and unintentional disclosure of, and changes to, files. Policies and procedures need to be in place to manage and limit access to information system resources. The policies adopted should set out how access is allocated to both internal and external stakeholders of the organisation, and it is the auditors' job to verify that such policies are being adhered to by asking common-sense questions about aspects of access control such as password change policies, time limitations and so forth.

Network Security

Computer systems have largely been connected through networks, which has led to concepts such as the Internet of Things. Protecting network systems is therefore very important in the Internet era, to ensure that no unauthorised access is granted. Measures also need to be taken to protect data in transit so that no unauthorised access occurs. The development of protocols and standards has ensured that systems from different vendors can be connected. That interconnectedness of devices also means greater exposure to external actors who may be remotely located and yet have live access to systems through networks.

Companies must consider all of the ways in which data flows into and out of their systems and address the weakest links in order to protect against such malicious activity. The transmission of information over the air, through technology such as wireless routers and infrared ports, is especially open to interception because the signals are not physically contained.

Investment is therefore needed to ensure that networks are hardened against attacks.

Asset Management

The computers and other technological devices that store such data are themselves valuable and costly. Hardware equipment is subject to theft, damage, impoundment and maintenance costs. Portable devices such as laptops are especially vulnerable to the first two risks, whereas they and all stationary devices are subject to the latter two. When deciding to dispose of hardware, an organisation must take into account the sensitivity of the data on the machine in determining its destruction process.

People pose additional asset management risks when they become addicted to counter-productive computer activities, download hacker-enabling files, and share illegal files using their machines. The computer activity of employees should be managed carefully, and clear policies should set out expectations for computer use. Technological solutions are also available that limit use and monitor activity.

Software Acquisition and Development

An organisation's purchase of software applications poses risks in terms of its usability, effect on customers, legal issues, and effect on company processes. Software tends to be most expensive when developed within a company with the input of outside consultants, while software intended from the outset to perform its function within the company tends to reduce overall risk and minimise costs. A company must be especially careful when choosing Internet-based applications, because the lifespan of such software is much shorter owing to competition and the speed of development.

A successful internal auditor takes into consideration the multi-faceted and ever-changing nature of technology risks within a company and ensures that the measures imposed by management provide both flexibility and restriction where they are necessary for effective and realistic business functioning. The use of common sense in general audits can lead to significant findings, even when compared with complex technical reviews, which yield ineffective results if not supported by a strong foundation.

Conclusion

Overall, IT audit is a key component of ERM, as the discussion above shows. Firms therefore need to revisit their IT and risk management strategy to ensure that IT risk is considered and given priority where necessary. Investment should be directed towards equipping IT auditors and information security personnel to further cement the organisation's cyber resilience. The areas recommended above are only the beginning of a journey in which IT audit becomes a critical component of risk planning and management in firms.
