IT Audit Practice and Communication Discussion 3: Converting Between the IT Audit and Financial Perspectives

Source: Internet
Author: User

Most people working in IT audit moved there from IT, or at least are more skilled at looking at problems from the IT perspective than from the financial and business perspective. This article therefore discusses the differences between the two, to make it easier to move between them and combine them.

First, the concept of IT audit: in general terms, it checks and evaluates IT-related systems and items to determine whether they are sufficient to support business objectives. Most people are familiar with the first half of that sentence, "checking and evaluating IT-related systems and items", and take it to be the essence of IT audit. That view is somewhat biased: the real value of IT audit, and of audit in general, lies in the second half, "determining whether they are sufficient to support business objectives". If you understand that half sentence, you understand enough. A business is a business; a company or enterprise is set up to make money. The business is therefore paramount, and everything in the company revolves around it. This must be clear, especially when an IT audit turns up places that you consider risky: remember that the business comes first. With this direction, it is obvious that every risk must be weighed at that highest level. For example, however many irregularities you find in the documentation left behind by agile development, as long as each system goes live fast enough and the related business flows through the system smoothly and makes money, the non-standard documentation of that system is not a problem in the eyes of the boss. Even if key personnel leave, there is no great impact in the short term. In such a case our approach is this: when you find a long-term risk, focus first on its impact on current business income; then consider whether reducing or eliminating that long-term risk would affect the business in the short and medium term, and whether the rectification would cost a great deal. This is the difference in degree between a business audit and an IT audit.
Second, although IT audit is business-oriented, that does not mean it has no bottom line. This principle must be adhered to: whether on site or when issuing a draft for comment, hold to a bottom line, and the bottom line is the degree of impact on the business. This is where IT skills come in. You need to explain in plain language to your auditee that there is an authorization problem in this system: the most obvious impact is that not only can you approve the payment of a certain amount of funds, but anyone with access to the system can approve that payment in your place, and can also change the amount and the account, simply by changing the address in the browser. Another obvious problem is weak passwords, especially in LAN applications: users with poor security awareness combined with systems with weak password logic produce the problem. Do not raise such issues by simply stating that weak passwords are unacceptable. That is not communication; neither IT nor the users will accept it, and over time your IT audit work will not proceed smoothly. Instead, we recommend explaining what the most serious risk of the weak password is and what business risk it can cause. The more this business risk can be expressed as an amount, the better: IT developers can see an intuitive loss figure, which may differ from their development mindset, and such figures are easily understood by leaders and users, who then see that your effort and the IT audit effort are indeed helping them avoid losses. When talking to the auditee, we recommend that for non-critical systems, such as the conference system or the customer service system, you treat weak passwords as reminders rather than report items. In other words, this is a way to build goodwill for you as IT audit personnel.
However, for key sensitive systems, such as the funds system, or for high-sensitivity permissions such as viewing and editing core data, we recommend that in the case of weak passwords you stick to the principle: first communicate with the auditee about the severity of the matter, then tell them plainly that you really must report it, because before you checked this weak password, nobody knew whether it had already caused losses. If you let a major mistake slide as a favor, we will not be able to continue as IT audit personnel.
Third, IT audit, as an audit, aims to assist in achieving business objectives. Therefore, do not keep an absolute distance between yourself and the auditee. On the contrary, it is necessary to establish a good relationship with them. They have reports to submit to management, or even to external parties. You should take the initiative to point out a few items worth attention, help them check, and make the auditee aware. As an IT auditor you actually work as a consultant; you only appear as an examiner during the formal inspection. We recommend that you always remind them of the risks. Do not worry that you will then find no problems during the inspection: if the reminders were in place day to day and they have fixed things, is that not exactly a job well done?
None of this is an absolute practice; it is something to understand and combine with practice, which is why it is written in rather plain language. That is all for now.
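The authorization problem described above (approver, amount and account taken from the browser address) is easiest to explain to developers side by side with the fix. The following is an added illustration, not code from the original article or from any real system; the payment request, the user names and the dictionary standing in for parsed URL parameters are all constructed here.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class AuthorizationError(Exception):
    """Raised when the session user may not approve the request."""


@dataclass
class PaymentRequest:
    req_id: str
    amount: int            # constructed sample value, in cents
    payee_account: str
    assigned_approver: str
    status: str = "pending"
    approved_by: Optional[str] = None


def fresh_store() -> Dict[str, PaymentRequest]:
    """Constructed sample data: one pending request that only 'alice' may approve."""
    return {"PR-1": PaymentRequest("PR-1", 100_000, "ACC-001", "alice")}


def approve_vulnerable(params: Dict[str, str], store: Dict[str, PaymentRequest]) -> PaymentRequest:
    """The flaw the article describes: approver, amount and payee all come from the
    request (e.g. /approve?req=PR-1&approver=alice&amount=...), so anyone who can reach
    the page approves in someone else's name and can change what gets paid."""
    req = store[params["req"]]
    req.amount = int(params.get("amount", req.amount))
    req.payee_account = params.get("account", req.payee_account)
    req.approved_by = params["approver"]
    req.status = "approved"
    return req


def approve_hardened(params: Dict[str, str], session_user: str,
                     store: Dict[str, PaymentRequest]) -> PaymentRequest:
    """Server-side authorization: the approver is the authenticated session user, it must
    match the approver stored with the request, the request must still be pending, and
    any client-supplied amount/account values are ignored entirely."""
    req = store[params["req"]]
    if session_user != req.assigned_approver:
        raise AuthorizationError(f"{session_user} is not the assigned approver of {req.req_id}")
    if req.status != "pending":
        raise AuthorizationError(f"{req.req_id} is already {req.status}")
    req.approved_by = session_user
    req.status = "approved"
    return req


if __name__ == "__main__":
    tampered = {"req": "PR-1", "approver": "alice", "amount": "999999", "account": "ACC-999"}
    bad = approve_vulnerable(tampered, fresh_store())
    print("vulnerable:", bad.status, bad.approved_by, bad.amount, bad.payee_account)
    try:
        approve_hardened(tampered, "mallory", fresh_store())
    except AuthorizationError as exc:
        print("hardened:", exc)
```

The loss figure to present to the business is then simply the amount an unassigned user could redirect through the vulnerable path, which is the kind of number the paragraph above recommends bringing to the auditee.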
