
Types of System Audits

K. Paul Jayakar

1. ITGC Controls Review

IT General Controls (ITGC) are the basic controls that can be applied to IT systems
such as applications, operating systems, databases, and supporting IT infrastructure.
The objectives of ITGCs are to ensure the integrity of the data and processes that the
systems support. The most common ITGCs are as follows:
➢ Logical access controls over applications, data and supporting infrastructure
➢ Program change management controls
➢ Backup and recovery controls
➢ Computer operation controls
➢ Data center physical security controls
➢ System development life cycle controls

2. Application Audit

An application audit is a specific audit of one application. The level of control
expected for a particular application depends on the degree of risk involved in the
incorrect or unauthorized processing of that application's data.
Briefly, the process is to determine audit objectives, map systems and data
flows, identify key controls, understand the application's functionality, perform
applicable tests, include financial assertions and complete the report.

3. System Interface Audit

In computing terminology, an interface is a shared boundary across which two or more
separate components of a computer system exchange information. The exchange can
be between software, computer hardware, peripheral devices, humans, and
combinations of these.
Interfaces between systems carry serious inherent risk. Where an interface's
operational or security capability is inadequate, data can be lost, altered or even
duplicated; such incidents can significantly affect the operation of systems or even
modify the general ledger data of the enterprise. With the help of audit techniques one
can identify functional errors and interface security issues.

4. Pre-Implementation Review

This is a review of the resources, project plans, timelines, central design, blueprints
and implementation plans, and data conversion techniques, carried out before
implementation activities commence, to provide reasonable assurance of project success.
Early involvement of the audit function ensures that important internal controls are
implemented and that legal and supervisory requirements are taken into consideration
during the initial development of a new concept. Potential procedural errors or points
of economic vulnerability can then be identified and eliminated in advance.

5. Post Implementation Review

This review cum audit consists of conducting a gap analysis, determining whether the
project goals were achieved, determining the satisfaction of stakeholders, evaluating
the project's costs and benefits, identifying areas for further development, documenting
lessons learned, and reporting findings and recommendations.

6. Security Audit

A security audit is the high-level description of the many ways organizations can test
and assess their overall security posture, including cyber-security. There are many
types of security audits: Risk Assessments to prioritize risks; Vulnerability
Assessments to identify security weaknesses in an information system; Penetration
Tests, which are an authorized simulated cyberattack on a computer system, performed
to evaluate the security of the system; and Compliance Audits to achieve the desired
results and meet the business and regulatory objectives.

7. Data Centre Audit

➢ Security Audit
A data center audit focusing on physical security will document and ensure that the
appropriate procedures and technology are in place to avoid downtime, disasters,
unauthorized access and breaches. It will revolve around things like fire suppression
systems, screening of employees and contractors who access equipment, biometrics or
other forms of access control, and video surveillance, amongst others.
➢ Energy Efficiency/Power Audit
A data center energy efficiency audit helps to pinpoint potential ways to reduce energy
usage and utility bills. By examining the consumption of power, the thermal
environment and lighting levels, the audit can uncover things such as malfunctioning
equipment, incorrect HVAC settings and wasteful lighting, all of which can be avoided.
Power usage effectiveness (PUE) can also be calculated by dividing total facility power
usage by IT equipment power. Tracking this number over time provides a benchmark for
determining whether data center performance is improving or declining.
➢ Asset Audit
An audit that involves inventory of assets creates a library of accurate, up-to-date
information about all of the equipment in the data center – from servers and cabinets to
storage devices. The information documented in an asset audit could include
manufacturer, model number, equipment age, current performance level, maintenance
records and requirements.
➢ Standards-Compliance Audit
There are many standards and guidelines to follow depending on the types of data the
data center processes and stores. A few examples:
PCI-DSS: to ensure that acceptable practices are in place to protect credit card data.
HIPAA: to ensure that protected health information is stored and hosted online in
accordance with HIPAA hosting standards, and that stored data is protected and
available only to people who are authorized to view it.
Sarbanes-Oxley (SOX): to ensure proper management of electronic records and to
protect shareholders and the general public from accounting errors and fraudulent
practices in enterprises, and to improve the accuracy of corporate disclosures.
Audits for other standards can also be conducted:
SSAE 16: to measure data center controls relevant to financial reporting
SOC 1: to measure data center controls relevant to financial reporting (similar to
SSAE 16)
SOC 2: to measure security, availability, processing integrity, confidentiality and
privacy controls
SOC 3: documentation of SOC 2 compliance along with a seal of approval for use on
websites and other marketing materials and documents
➢ Design Audit
This type of data center audit focuses on design, comparing the facility's actual
design to applicable standards (like ISO/IEC TS 22237-1:2018).

8. Third party Information Risk Assessment

A third-party risk assessment is an analysis of vendor risk posed by an organization's
third-party relationships along the entire supply chain, including vendors, service
providers, and suppliers. Risks to be considered include security risk, business
continuity risk, privacy risk, and reputational risk.
Third-Party Threats include but are not limited to regulatory and legal violations
(which have intensified globally), breaches of systems and data, reputation damage,
financial dependence, systemic events, geopolitical events and establishing ownership
and buy-in.

9. Process Audit

Documents such as work instructions, software menus, control plans, and routing are
used to control individual processes. ISO 9000 defines a process as a set of interrelated
or interacting activities that use inputs to deliver an intended result.
Processes that are typically carried out by a manufacturing organisation include filling,
washing, reacting, drilling, cutting, treating, sorting, transporting, informing, ordering,
and opening. This is the level at which work takes place. When an audit of any of
these individual processes is conducted, it is called a process audit.
When auditing processes, auditors should be familiar with the type of process they’re
auditing and must follow process steps. The closest thing to a checklist would be a
flow chart or work instruction. Using either of those tools, auditors can follow one
process to the next until they are assured the process is effective. Process audits
identify weaknesses and risks while also identifying areas for improvement. Process
audits go beyond the limited control elements defined in a standard. The conformity
and compliance standards contain minimum controls.

10. Data Migration Audit

Data integrity checks are conducted by the migration team to check the completeness
and accuracy of the data and the decommissioning of the original data source. The types
of migration audit can be:
➢ Legacy to New Solution, involving: validation of the transfer of data from multiple
legacy systems, legacy and core system data integrity, vendor management,
techno-functional issues, data backup strategy, preparation / validation of the
migration strategy documents and their versions, and project management.
➢ Core Version X to New Version, involving: a high volume of data to be transferred,
limits on the post-migration window time, online data migration, identification of
business-critical data, pre-migration assurance, preparation / vetting of migration
strategy documents and their versions, and project management.
➢ Core DB to Data Warehouse, involving: vetting of multiple inputs to a centralized
system, high-volume and online migration strategy, capacity and performance analysis,
migration strategy document preparation / vetting, and project management.
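As an added illustration (not part of the original document) of the completeness and accuracy checks described here, and of the lost, altered or duplicated data that the system interface audit in section 3 looks for, the following keyed reconciliation compares a source extract against the target load; the record layout, key field and sample values are assumed:

```python
import hashlib
from collections import Counter

# Constructed sample records: a source (legacy) extract and the target (new
# system) load after an interface transfer. Values are illustrative only.
SOURCE = [
    {"id": "1001", "account": "4000", "amount": "120.00"},
    {"id": "1002", "account": "4010", "amount": "75.50"},
    {"id": "1003", "account": "4020", "amount": "300.00"},
    {"id": "1004", "account": "4030", "amount": "9.99"},
]
TARGET = [
    {"id": "1001", "account": "4000", "amount": "120.00"},
    {"id": "1002", "account": "4010", "amount": "75.05"},   # altered in transit
    {"id": "1003", "account": "4020", "amount": "300.00"},
    {"id": "1003", "account": "4020", "amount": "300.00"},  # duplicated
    # "1004" is absent: lost during the transfer
]

def record_hash(rec):
    """Hash a record over its sorted fields so column order does not matter."""
    canonical = "|".join(f"{k}={rec[k]}" for k in sorted(rec))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def reconcile(source, target, key="id"):
    """Return the exceptions an auditor would report for source vs target."""
    src = {r[key]: r for r in source}
    tgt_counts = Counter(r[key] for r in target)
    tgt = {r[key]: r for r in target}          # last copy wins for duplicates
    lost = sorted(k for k in src if k not in tgt)
    unexpected = sorted(k for k in tgt if k not in src)   # present with no source
    duplicated = sorted(k for k, n in tgt_counts.items() if n > 1)
    altered = sorted(k for k in src if k in tgt
                     and record_hash(src[k]) != record_hash(tgt[k]))
    return {
        "source_count": len(source), "target_count": len(target),
        "lost": lost, "unexpected": unexpected,
        "duplicated": duplicated, "altered": altered,
        "passed": not (lost or unexpected or duplicated or altered),
    }

if __name__ == "__main__":
    result = reconcile(SOURCE, TARGET)
    for name, value in result.items():
        print(f"{name}: {value}")
```

Note that the row counts agree (4 and 4) even though one record was lost and another duplicated, which is why a count-only completeness check is not sufficient.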

11. Internal Controls Review / SOX Controls Review

ICR (Internal Control Risks) is an overall assessment of the internal control system to
address the relevant risks and its adequacy in each business area in an organization.
Through control review, an organization's resources are directed, monitored, and
measured in an effective manner. There are three main types of internal controls:
detective, preventative, and corrective. All organizations are subject to the occurrence
of threats that adversely impact the organization and cause the loss of assets.
Unfortunately, processes and control activities are not perfect, and mistakes and
problems will be found.
In order to achieve these objectives an internal control framework needs to be applied
and followed throughout the organization. The five components of the internal control
framework (as per the COSO framework) are the control environment, risk
assessment, control activities, information and communication, and monitoring.
In brief, the SOX audit process consists of the following steps:
defining the scope using a risk assessment approach; determining materiality and risks
- accounts, statements, locations, processes, and major transactions; identifying SOX
controls - non-key & key, ITGC, and other entity-level controls; performing a fraud
risk assessment; managing process and control documentation; testing key controls;
assessing deficiencies; and delivering management's report on controls.

12. SSAE18/ISAE 3402 audit of IT Processes

An independent assessment report under ISAE 3402 (International Standard on
Assurance Engagements) or SSAE 18 (Statement on Standards for Attestation
Engagements) provides confidence in the control procedures, their adequacy, and
reasonable assurance over a service organization's service delivery, information
security and data privacy related controls. SSAE 18 is relevant for the US market while
ISAE 3402 is relevant for the rest of the world. The assessment report illustrates the
positive effects of a properly functioning and articulated control environment to an
organization's senior management and clients.
The SSAE 18 “attestation” standard and the ISAE 3402 “assurance” standard
essentially share a common framework derived from the Auditing Standards Board
(ASB) of the American Institute of Certified Public Accountants (AICPA), which put
forth SSAE 18, and the International Auditing and Assurance Standards Board
(IAASB) of The International Federation of Accountants (IFAC), which put forth
ISAE 3402. This common framework between SSAE 18 and ISAE 3402 is one that
represents a migration, adoption, and ultimately, an acceptance of globally accepted
accounting standards, such as those of the International Financial Reporting Standards
(IFRS), which are essentially the standards, interpretations and framework adopted by
the International Accounting Standards Board (IASB).
Internal process audit teams carry out regular process audits on compliance to the
established process, customer service delivery fulfilment and information security
controls. Over and above this, external auditors carry out periodic assessments as part
of the aforesaid certifications. These are essential to ensure that the organizational
processes also conform to those committed to customers in the customer agreements.

13. Software Asset Management (SAM) Audit / Licensing Audit

Software Asset Management (SAM) is a subset of IT Asset Management (ITAM), and
is focused on software assets, licenses and related services, as well as media (physical
or digital) by which software is delivered.
A comparison of SAM and its subsets follows:
➢ Software License Compliance is focused on avoiding ‘under-licensing’, by
ensuring compliance with license entitlements – often with (inadequate) focus on
the number of licenses as compared to software deployments. However,
compliance must take into account other license parameters such as device
configuration, geographic location, employee/non-employee, and many others.
The objectives are to minimize audit likelihood, minimize audit impact, avoid
unbudgeted expense and avoid legal and reputational risk.
➢ Software License Management, including software license optimization, goes
beyond software license compliance to additionally focus on ‘right-licensing’ –
avoiding unnecessary licenses in type, quantity and function. Most organizations
are over-licensed for some products in quantity (e.g., Microsoft Project) or in
product function (e.g., enterprise versus standard edition). In some cases, the
software can be deployed more optimally to reduce licensing requirements and
costs – e.g., relocating the software to a smaller server.
➢ Software Asset Management goes beyond a focus on licenses to additionally
focus on the software product (asset) – function, currency, standardization, full
lifecycle cost, and more.
