Technology audit by Magdy El messiry


Published on

The main objectives of this booklet are to give the reader a survey of the different elements of the Technology Auditing (TA), hence the TA is the only way for the organization to improve their situation on the market. Technology audits will help identify potential issues that may become serious problems for your business if left unattended. Technology auditing will be recognized as the reliable and trusted source for the best application of relevant technology in the industry.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Technology audit by Magdy El messiry

  1. 1. Technology AuditTechnologyAuditTraining CoursePART IByDr. MAGDY ELMESSIRYKNOWLEDGE TRANSFER CENTER ALEXANDRIA UNIVERSITY20111 Dr. Magdy El Messiry
  2. 2. Technology AuditTechnology Audits Will Help IdentifyPotential Issues That May Become SeriousProblems for Your Business If Left UnattendedWhile each organization should insurean effective continuous auditing forincrease the generated income. Dr. M.El Messiry2 Dr. Magdy El Messiry
  3. 3. thousand miles begins with a single step" Technology Audit "A trip of a thousand miles begins with a single step"PREFACEThe main objectives of this booklet are to give the reader a survey of the different elements ofthe Technology Auditing (TA), hence the TA is the only way for the organization to improvetheir situation on the market. Technology audits will help identify potential issues that maybecome serious problems for your business if left unattended. Technology auditing will berecognized as the reliable and trusted source for the best application of relevant technology in theindustry. The continuous technology auditing will lead to the following;  Establishing proven methodologies for technology assessments  Establishing proven methodologies for quality control  Establishing a network of reliable and brief information sources  Establishing a periodic review and assessment of technology news and information  Establishing a standard technology assessment model  Establishing a secured database of reports and assessments  Establishing and maintain business models for measuring return on investment and total cost of ownership To enhance the effectiveness of organization by providing the tools will be achieved through information concerning the latest technology and innovation relevant to the particular industrial fields that is the specific mission and goals of the organization.The role of the Universities in implementing the Technology Auditing in the differentorganizations can be accomplished through the specialists in the technology and other areas of aglobally competitive economy. Their function will be the assistance in:  Promoting competitiveness and job creation.  Enhancing the quality of life.  Developing human resources.  Working towards environmental sustainability.  Promoting an information society.  Producing more knowledge-embedded products and services.  Developing innovation technologies that lead to increasing the number of patents.The objective of this course is to give the specialists in the technology transfercenters at the universities and the industrial organizations the basic concepts onTECHNOLOGY AUDITING and to help them in building TA departments.3 Dr. Magdy El Messiry
  4. 4. Technology Audit TABLE OF CONTENTSPREFACECHAPTER ONETECHNOLOGY AUDTING1.1 Introduction1.2 Technology Audit CompositionCHAPTER TWOINTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITING1. Internal Audit1.1 Mission of the Internal Audit Function1.2 Internal Audit Practice in Organization1.3 Steps for Building the Internal Audit Team1.4. Suggestion for Successful Internal Audit1.5 Code of Ethics for Audit Staff1.6 International Standards for the Professional Practice of InternalAuditing (Standards)2. External Audit2.1 Implementation Procedure2.2. Continuous Auditing2.3. Key Steps to Implementing Continuous Auditing2.3.1. Additional Considerations2.3.2. Organizational Infrastructure4 Dr. Magdy El Messiry
  5. 5. Technology Audit2.3.3. Impact on PersonnelCHAPTER 3THE AUDITORS PERFORMANCE IN TECHNOLOGY AUDIT3.1. Introduction3.2. Role of AuditorPhase One: Pre-AuditPhase Two: On-Site Visit3.3. Road Map for the External Audit Team Audit Leader3.4. Notes to the Auditor3.4. Control objectivesCHAPTER 4SWOT ANALYSIS4.1 Introduction4.2. The Need for SWOT Analysis4.3. Limitations of SWOT Analysis4.4. SWOT Analysis FrameworkCHAPTER 5PRACTICAL EXAMPLES OF SWOT ANALYSIS5.1. Health centers5.2. University SWOT Analysis5.3. Retail Industry SWOT Analysis4.4. Web Business SWOT Analysis5 Dr. Magdy El Messiry
  6. 6. Technology AuditCHAPTER 6GLOSSARYAPPENDIX ISWOT Analysis TemplateAPPENDIX IIAudit ChecklistAPPENDIX IIIAudit Checklist ISO/IEC 19770-1APPENDIX IVTemplate to use when writing an audit reportAPPENDIX VInformation Technology Audit ReportREFERENCES6 Dr. Magdy El Messiry
  7. 7. Technology Audit CHAPTER ONE TECHNOLOGY AUDTING1.1 IntroductionToday, the products‘ life cycle becomes gradually smaller. Actually in somesectors such as the computer sector, technological devaluation of the productsoccurs within a few months. Therefore it is a great competitive advantage for thecompanies to be able to introduce new products to the market before theircompetitors, gaining in this way significant sale shares. Today the companies mustbe able to be constantly innovative to maintain or improve their position in themarket. In order to achieve this, they must know how to identify the innovationneeds of a business problem. The innovation management tools, which are utilizedfor doing this, are Technology Audit and SWOT method1. Technology has becomean increasingly dynamic sector of the global economy. The critical task is now tomaintain a broad awareness of the nature and potential impact of emergingtechnologies, the points of junction, and impact on market place trends on aworldwide basis. Management of technology is an interdisciplinary field thatintegrates science, engineering, and management knowledge and practice. Thefocus is on technology as the primary factor in wealth creation. Wealth creationinvolves more than just fiscal values and it may encompass factors such asenhancement of knowledge, intellectual capital, effective exploitation of resources,preservation of the natural environment, and other factors that may contribute toraising the standard of living and quality of life.The Technology Audit is a method for identifying the major companyrequirements, needs, weaknesses and strengths on human resources andinfrastructure as well as opportunities that should be taken under consideration.The Technology Audit is also a technique which identifies the management‘s viewof how the company performs as well as strong indications of what the companyreally needs2.The Technology Audit technique examines in tandem the External and Internalenvironment of the company and identifies the human resources relation tocompany‘s performance. Furthermore, it assists the company to discover the moresignificant actions that it should adopt.7 Dr. Magdy El Messiry
  8. 8. Technology AuditAs shown in Figure (1), an organization can perform an audit in order to:  Generate income (or more income) for the technology driven organizations (e.g. technology based enterprises, research centers, institutes) from their available technology.  Improve the productivity of the technological factors.  Improve business competitiveness and public administrations performance.  Assess your current capabilities before making expensive changes.  Learn how to optimize the use of current technology.  Learn about your technology options.  Get an independent assessment that can help convince your organizational partners of changes needed. An audit is merely a ―checkup.‖ As we gather more and more techno-devicesaround us, we recognize the need to ensure that they are all accounted for, areworking properly, and are being employed for proper purposes, purposes thatadvance the cause for our organizations. Consequently, a technology audit exists atits very core as an activity that focuses our full attention upon improvement,sustainable improvement and continuous innovation. Organizational survey andtechnology audit will help in understanding the level of attention paid totechnology in the organization and facilitate the involvement of employees fromdifferent departments of the organization in the technology management process.The organizational survey and technology audit provides an instrument forauditing the organization‘s technological capabilities and its awareness oftechnology as means of improving competition. The organizational survey andtechnology audit are used to assess whether the organization‘s management has theappropriate level of understanding of technology and technology management, andwhether the required climate to use technology is in place.Formulation of technology strategy addresses the issue of how to recognize thecritical technological needs and identifies the basic dimensions of a technologystrategy. It consists of three steps: technology assessment, technology selection,and definition of the portfolio of technological projects, and strategic priorities andactions3. The technology audit is equally applicable to manufacturing and servicefirms. The firms should wish to create new products, incorporate new processes,diversify their activities and be with growth potential. They should have capacityto survive and innovate and competence for international cooperation. Technologyauditing should consider as means of ensuring business continuity in amanufacturing organization.8 Dr. Magdy El Messiry
  9. 9. Technology Audit Figure (1) Objectives of Audit Cycle9 Dr. Magdy El Messiry
  10. 10. Technology Audit1.2 Technology Audit CompositionThe implementation of the technology auditing starts with the answering to;  What is the relationship between technology, business strategy and innovation in ensuring continuity of the organization?  What does a technology audit consist of and what tools are available to help conduct the technology audit?  What is the process flow of a technology audit?The main steps of a technology audit process are 4:Step 1: Company Decision for Technology AuditThe starting point of the technology audit process is the desire or wish of a firm tocarry out a technology audit.Step 2: Initial phaseThe initial phase is important to ensure that the audit proceeds smoothly andeffectively. It includes discussion at the management level to explain and agreeupon the purpose of the audit, to design the questionnaire and the framework forthe report to suit the organization and to select those to be interviewed. Initialinformation about the organization (published and unpublished reports) is gatheredat this stage. Analysis of questionnaires should be done prior to the interviews andmight be done at an earlier stage, so that selection of those to be interviewed ispartly based on questionnaires.Step 3: Interview and report phaseThe company is being interviewed with a questionnaire, normally withparticipation of the General Manager, aiming at:  Collecting general company data  Shaping company technology profile  Performing SWOT Analysis  Identifying technological areas for further analysis.10 Dr. Magdy El Messiry
  11. 11. Technology AuditTechnology Audit Tool consists of two parts, the questionnaires and the reports.The results derived from the questionnaires generate the reports that can be easilyaccessed by the General Manager of the company, but for a more accurate and lessbiased diagnosis, an external specialized consultant is proposed.Step 4: Technology Audit Report FrameworkThe final report of the technology audit should include:  Subjects analyzed  Methodology used  Problem areas identified  Solutions proposed for the problems  Steps to be taken for implementing the solutions (action plan)The expected results from a carefully conducted technology audit mainly concern4:  Complete and comprehensive analysis and evaluation of the requirements of the organization for its sustainable growth  Thoroughly objective SWOT Analysis  Opportunity spotting for new products / new services / new technologies / new markets  Networking with technology suppliers, technological sources, other companies  Possible assessment of technology portfolio, intellectual property rightsThere are five tasks within the audit process area:1. Develop and implement a risk-based international audit standards (IS) auditstrategy for the organization in compliance with international audit standards,guidelines and best practices.2. Plan specific audits to ensure that IT and business systems are protected andcontrolled.3. Conduct audits in accordance with IS audit standards, guidelines and best practices11 Dr. Magdy El Messiry
  12. 12. Technology Auditto meet planned audit objectives.4. Communicate emerging issues, potential risks and audit results to key stakeholders.5. Advise on the implementation of risk management and control practices within theorganization while maintaining independence.12 Dr. Magdy El Messiry
  13. 13. Technology Audit CHAPTER TWO INTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITINGThe auditing process can be divided into three categories; Internal Audit, ExternalAudit, and Continuous Audit that might integrate for the fulfillment of theorganization objectives as illustrated in Figure (2).2.1. Internal AuditInternal auditing, as defined by the Institute of Internal Auditors (IIA), is anindependent, objective assurance and consulting activity designed to add value andimprove an organizations operations. It helps an organization accomplish itsobjectives by bringing a systematic, disciplined approach to evaluate and improvethe effectiveness of risk management, control, and governance processes‖.2.1.1 Mission of the Internal Audit FunctionThe mission of the internal audit function is to provide organization managementwith systematic assurance, analyses, appraisals, recommendations, advice andinformation with a view to assisting it, and other stakeholders, in the effectivedischarge of their responsibilities and the achievement of organization‘s missionand goals5. The role of the internal audit function includes providing reasonableassurance on the effectiveness, efficiency and economy of the processes in variousareas of operations within the organization, as well as compliance withorganization financial and staff rules and regulations, general assembly decisions,applicable accounting standards and existing best practice.2.1.2 Internal Audit Practice in OrganizationEach organization should establish Internal Audit. Its original mandate includedboth internal audit and evaluation functions. The Internal Audit Department alsoinformally acted as a focal point for investigation and inspection. The organizationInternal Audit Charter follows Standards for the Professional Practice of InternalAuditing issued by the Institute of Internal Auditors5 (IIA) in assignments13 Dr. Magdy El Messiry
  14. 14. Technology Auditperforming audit. Audits are conducted in accordance with a detailed annual auditplan that is developed based on an annual risk-based assessment of internal auditneeds for the whole of organization. Figure (2) Types of Auditing Models Figure (3) Steps of Performing Internal Audit14 Dr. Magdy El Messiry
  15. 15. Technology AuditRisk-based annual audit plans are subject to regular revision, at least annually, inorder to be aligned with the strategic objectives of the organization. Audit needsare estimated based on a thorough review of organization‘s business and othersystems and processes which make up the audit environment for the InternalOrganization Audit Department. The audit needs assessment is reviewed annuallyat the same time as the detailed annual audit plan is set out.For annual audit planning purposes in line with the new set of strategic goals setfor the Organization, the Internal Organization Audit Department strategy andannual plans are re-aligned regularly to ensure:  Due emphasis is put on the ―operational efficiency and effectiveness‖ aspect in the detailed work plans to the extent possible.  Main organization business processes are reviewed to identify strengths and good practices, as well as gaps and deficiencies. Value adding recommendations are made to assist management in addressing these issues.  Audit support is provided to key management and governance initiatives recognizing that the responsibility for such initiatives rests with the management in the case of a strong indication of any fraudulent activity found during an audit.  Sufficient audit work is performed to gather factual evidence and the supporting documentation is handed over to the Investigation Section for further examination if need be.2.1.3 Steps for Building the Internal Audit TeamFigure (3) represents the steps for building the Internal Audit Team. 1- Group Formation Local audit team leaders are chosen. They may appoint an individual to serve as overall coordinator, as well. The key here is to get the best leadership in place and functioning quickly. 2- Audit teams Audit teams are formed and necessary documents needed to support the audit are gathered (Technology plan, facilities plan, personnel reports, etc.).15 Dr. Magdy El Messiry
  16. 16. Technology Audit 3- Meetings Meetings are held at each organization department to explain this process to employees. The purpose is to ensure that all employees know what to expect as their auditors begin gathering data from a large number of locations to explain the process, to seek community support and patience, and to forecast some findings. This serves to get the community ―on board.‖ 4- Teams Work Department-by-Department teams are working within the organization. At the same time, another team works on the organization as a whole. 5- Individual Team Reports Reports are written, and then combined into an organization wide document. 6- Team Leader Report Team leader shares the internal audit report with the organization board. 7- Report Approval Organization board approves the internal technology audit final report. 8- Report Publication Team leader authorizes the report publication.2.1.4. Suggestion for Successful Internal AuditIn order to insure the success of the internal audit processes the followingrecommendations6 should be considered by the organization manager forimplementing the Internal Audit;Recommendation 1:Invite the Director General to submit Internal Audit Charter to the organizationgeneral assembly. The charter could then cover the activities of the EvaluationSection and could give a general description of the tasks of the department and amore detailed description of the tasks of each Section (Director, Internal Audit,Investigation, and Evaluation & Inspection). After this recommendation has beenaccepted, Internal Organization Audit Department supports this recommendation asit will help clarify the distinct roles of the three main functions, i.e. internal audit,investigation and evaluation and promote the role of oversight in organization. Arevision of the Internal Audit Charter will be proposed for review by the Programand Budget Committee which will create an Internal Audit.16 Dr. Magdy El Messiry
  17. 17. Technology AuditRecommendation 2:Director of Internal Organization Audit Department should draw up a list of thetraining undertaken by all of his staff and update such a file as and when necessary.This recommendation has been accepted. The recommendation will assist furtherthe tracking of the professional training being carried out.Recommendation 3:Invite the Director of Internal Organization Audit to develop a program (concept)of quality assurance and improvement that includes documentation on periodic andongoing internal assessments of all areas of internal audit activity. Onceestablished, this concept should be included in the Internal Audit Manual. It seemsclear that ongoing assessments would only be suitable when the Internal AuditSection has at least two qualified staff members. This recommendation has beenaccepted. All audits are done in line with the Institute of Internal Auditors (IIA)Standards and are subject to review and quality control. It is already InternalOrganization Audit Department‗s stated policy to have regular external andinternal quality assurance in accordance with the (IIA) 7 Standards.Recommendation 4:Invite Internal Organization Audit Department for the following:a. to decide, during its annual planning, on precise audit themes which are thenmentioned in the final reports,b. to continue to draw up a list of planned, completed and reported audits, whichshould be updated as necessary, andc. to implement long-term audit planning.Recommendation 5:The drafting of the audit manual should be completed and made it available toorganization staff and/or over the intranet. This manual should cover all theessential elements specified in the Audit Standards**.Recommendation 6:Suggest that, from now on, Internal Organization Audit Department includes anevaluation of the following in its reports:a. exposure to significant risks and the corresponding controls,b. subjects relating to governance, andc. any other issue in response to a need or a request of the general management orthe Audit Committee.17 Dr. Magdy El Messiry
  18. 18. Technology AuditRecommendation 7:Invite Internal Organization Audit Department to review its strategy on planningfor audits involving medium to low risks in order to concentrate more onengagements involving higher risks.Recommendation 8:The Internal Audit Section should:a. clarify the work program by linking it with the risk analysis,b. ensure that the work program includes the priorities and the resource allocationfor each subject to be audited,c. ensure that the work program allows a connection to be made between theworking papers and the recommendations,d. ensure that comments concerning the involvement and assignment of externalexperts are highlighted in the audit plan, ande. ensures that the signature of the Director of Internal Organization AuditDepartment and the date of approval are systematically placed on the auditprogram before the audit begins.Recommendation 9:Invite Internal Organization Audit Department:a. to improve the formalization of working documentation so that a third partyaudit professional is always able to compare the objectives of the engagement, thecontent of the examinations carried out, the results, the auditor‘s opinion and therecommendations. The standardization and organization of working papers couldgo some way to achieving this,b. to integrate into the Internal Audit Manual regulations relating to auditdocuments, information to be archived and the period for which files must be kept;rules on access by third parties to working papers should also be included,c. to create audit notes that include a summary of the work carried out and allowconnections to be made between the work program, interviews, analyzeddocuments and the notes and recommendations contained in the report,d. to establish a system for reviewing working papers and dating and signing them,ande. to provide for the establishment of standards relating to documentation in theaudit manual.18 Dr. Magdy El Messiry
  19. 19. Technology AuditRecommendation 10: In order to increase the visibility of the internal audit function within organization,invite the Director of Internal Organization Audit Department to increase hiscontact with the Organization General manger.2.1.5 Code of Ethics for Audit StaffThe internal audit staff is expected to follow the internal audit function in conductingaudits as set out in the Audit Charter8.  The Internal Auditor enjoys operational independence in the conduct of his/her duties. He/she has the authority to initiate, carry out and report on any action, which he/she considers necessary to fulfill his/her mandate.  The Internal Auditor shall be independent of the programs, operations and activities he/she audits to ensure the impartiality and credibility of the audit work undertaken.19 Dr. Magdy El Messiry
  20. 20. Technology Audit  Internal audit work shall be carried out in a professional, unbiased and impartial manner.  The conclusions of the audits shall be shared with the managers concerned, who shall be given the opportunity to respond.  Any situation of conflict of interest shall be avoided.  The Internal Auditor shall have unrestricted, direct and prompt access to all organization records, officials or personnel holding any organization contractual status and to all the premises of the Organization.  The Internal Auditor shall respect the confidential nature of information and shall use such information with discretion and only in so far as it is relevant to reach an audit opinion.2.1.6 International Standards for the Professional Practice of Internal Auditing(Standards)The Institute of Internal Audit published the professional practice that includesIntroduction to the Standards, Attribute Standards, and Performance Standards*.Internal auditing is conducted in diverse legal and cultural environments; withinorganizations that vary in purpose, size, complexity, and structure; and by personswithin or outside the organization. While differences may affect the practice ofinternal auditing in each environment, conformance with the IIA‘s InternationalStandards for the Professional Practice of Internal Auditing (Standards) is essentialin meeting the responsibilities of internal auditors and the internal audit activity.The purpose of the Standards is to: 1. Define basic principles that represent the practice of internal auditing. 2. Provide a framework for performing and promoting a broad range of value- added internal auditing. 3. Establish the basis for the evaluation of internal audit performance. 4. Foster improved organizational processes and operations. The Standards are principles-focused, mandatory requirements consisting of:20 Dr. Magdy El Messiry
  21. 21. Technology Audit  Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance, which are internationally applicable at organizational and individual levels.  Interpretations, which clarify terms or concepts within the Statements.The structure of the Standards is divided between Attribute and PerformanceStandards. Attribute Standards address the attributes of organizations andindividuals performing internal auditing. The Performance Standards describe thenature of internal auditing and provide quality criteria against which theperformance of these services can be measured. The Attribute and PerformanceStandards are also provided to apply to all internal audits.Implementation Standards are also provided to expand upon the Attribute andPerformance standards, by providing the requirements applicable to assurance orconsulting activities. Assurance services involve the internal auditor‘s objectiveassessment of evidence to provide an independent opinion or conclusionsregarding an entity, operation, function, process, system, or other subject matter.The nature and scope of the assurance engagement are determined by the internalauditor. There are generally three parties involved in assurance services:1. the person or group directly involved with the entity, operation, function,process, system, or other subject matter — the process owner,2. the person or group making the assessment — the internal auditor,3. the person or group using the assessment — the user.Consulting services are advisory in nature, and are generally performed at thespecific request of an engagement client. The nature and scope of the consultingengagement are subject to agreement with the engagement client. Consultingservices generally involve two parties:1. the person or group offering the advice — the internal auditor,2. the person or group seeking and receiving the advice — the engagement client. When performing consulting services the internal auditor should maintainobjectivity and not assume management responsibility.21 Dr. Magdy El Messiry
  22. 22. Technology Audit2. External AuditExternal assessments must be conducted at least once every five years by aqualified, independent reviewer or review team from outside the organization. Thechief audit executive must discuss with the organization board the need for morefrequent external assessments and the qualifications and independence of theexternal reviewer or review team, including any potential conflict of interest. Aqualified auditor or auditing team demonstrates competence in two areas: theprofessional practice of internal auditing and the external assessment process.Competence can be demonstrated through a mixture of experience and theoreticallearning. Experience gained in organizations of similar size, complexity, sector orindustry, and technical issues is more valuable than less relevant experience. In thecase of an auditing team, not all members of the team need to have all thecompetencies; it is the team as a whole that is qualified. The chief audit executiveuses professional judgment when assessing whether an auditor or auditing teamdemonstrates sufficient competence to be qualified. An independent auditor orauditing team means not having either a real or an apparent conflict of interest andnot being a part of, or under the control of, the organization to which the internalaudit activity belongs.2.1 Implementation ProcedureA schematic of the steps that are normally followed while carrying out atechnology audit is shown and described below. Partial techniques per step are thetools used for the proper implementation of the technique.STEP 1: Desire/Wish to Carry Out Technology AuditDesire / wish of the organization to carry out technology audit, if the companyinitiates the audit, no particular communication tool is used. However, if thecompany is approached by the service provider, it should explain: Scope ofinitiative, brief description of technique, potential benefits to the organization, andmain characteristics of the consultant / service provider.STEP 2: Expert to Carry Out Technology AuditOnce common ground has been established between the organization and externalconsultant/expert, the next step can follow.22 Dr. Magdy El Messiry
  23. 23. Technology AuditSTEP 3: First Contact/Visit of Expert for Preparation of Audit PlanOn the first contact / visit to the organization for the audit plan preparation theexpert should have:o a brochure / flow diagram on the steps to follow: list of benefits, list of other companies that carried out a TA, formal presentation using data show should help.o the audit plan which is devised together with top management. It establishes issues to investigate how to collect data and from whom, in what time span and at what cost, what is needed from management to successfully carry out the audit. The local team shares with auditors all documents gathered, as well as the internal audit report. Together, the auditors, the local audit team, work to establishing a strategy that will drive this formal audit. All parties agree upon a schedule/timeframe for the audit. All parties discuss some possible outcome objectives10. Auditors schedule date(s) for on-site visit(s). Auditors meet with focus groups and other constituencies, as needed.STEP 4: Preparatory Work by Expert on Collecting Basic For preparatory work by expert on collecting basic information on theorganization & the sector for the organization: collection of data from publishedinformation, brochures of company, economic data, employees, products, exportsetc. For the sector: published data on employment, turnover, trends, markets, oncompanys products, introduction / use of new technologies.A short report on the above findings would be handy and would be another stepinto building a trusting relationship with the organization. Auditors study alldocuments provided. Auditors schedule an on-site visit and make theirobservations. It is a process whereby an in-depth evaluation of some aspect of anorganization is performed, and the results compared with representations made bythat organization. Due attentiveness is particularly important for businesstransactions in technology-intensive markets, since there is a much higher risk ofmisrepresentation or inappropriate application of emerging technologies. It is often23 Dr. Magdy El Messiry
  24. 24. Technology Auditdifficult to find individuals capable of assessing both the technological issues andtheir business linkages*. The approach to be followed must be planned and agreedupon. The process must include the selection of team members from theorganization who will participate11. The team must be multidisciplinary, andinclude both business and technical experts familiar with the areas underinvestigation. If staff expertise is lacking in a particular area, engage the services ofexperts in that field. Depending on the results of the preliminary visits, differentapproaches may be necessary for each organization12.STEP 5: GENERAL SHORT DIAGNOSESGeneral short diagnosis use is made of a questionnaire, either in hard copy orelectronic, which should cover the following main points 13;ORGANIZATIONCompany information, strategy, development planning.HUMAN RESOURCESCapabilities, needs, strengths, weaknesses, training, performance, rewards.TECHNOLOGICAL CAPABILITYTechnological resources, know how, assessment of technological level,implementation of information technologies, new technologies.TECHNOLOGICAL INNOVATIONProduct development, procedures, new products - number - timeframe, researchand development (in house or external), resources allocated, areas of interest,sources of acquiring technology.INNOVATION CAPABILITYInnovations introduced barriers to innovation, technology watch / searching /technology diffusion, involvement in R&D joint projects.24 Dr. Magdy El Messiry
  25. 25. Technology AuditPRODUCTSProducts / markets, production organization and management, productionequipment, walk through shop floor.COOPERATION NETWORKINGWith other companies / local abroad, with technology providers / sources,participation in R&D programs.TECHNOLOGICAL NEEDSDemands for services / equipment / quality improvement, new technologies, accessto information / technology diffusion.QUALITYQuality control, products - raw materials, standards, relations with customers /suppliers.MARKETINGMarkets, local/abroad, marketing plan / strategy.ENVIRONMENTAwareness / problems / needs.STEP 6: DATA ANALYSIS BY EXPERT, REPORT ON FIRST DIAGNOSISData analysis by the expert report on first diagnosis should be brief and shouldcontain:- Executive summary- Overview of company / activities (good for signposting to networks, etc.)- Overview of sectors / markets- Synthesis on: Strengths / weaknesses / opportunities / threats identified25 Dr. Magdy El Messiry
  26. 26. Technology Audit- Potential suggestions (especially if the audit stops at this point) for resolvingproblems and exploiting strengths & opportunities, mainly by indicating routes forsolutions with an action plan, isolation of specific areas / departments for furtherdiagnosis, proposal with justification.STEP 7: PRESENTATION OF FIRST DIAGNOSIS REPORT TO GENERAL MANAGER ANDCOMPANY MANAGEMENTPresentation of first diagnosis report to General Manager and company management isdone with the handing out some time earlier of a hard copy of the report, themain findings, and the finalization on whether to continue for further diagnosis andthe agreement on the subject(s) to analyze is also performed here.STEP 8: ADDITIONAL VISITS/INTERVIEWS TO DEPARTMENT HEADSEntail an in-depth investigation of key areas of the organization being assessed. Afull due diligence audit of an external company can take up to a week at a smallsingle-site company with a technical staff of 50 or less, several weeks at largercompanies with a localized development team, and even longer examining a largercompany with geographically distributed development teams.26 Dr. Magdy El Messiry
  27. 27. Technology AuditObviously, the relationship between company size and inspection effort is non-linear. This is because a certain set of core elements, such as policies andprocedures, business plans, and infrastructure standards are centrally located.Typical areas and themes that could be covered with either specific subject tools orin a less structured way (if done by a specialist) could be:(a) Quality· Policy – goals – personnel involvement – training;· Process quality – monitoring and control systems – handling – storage –packaging;· Keeping of records/use of results;· Product quality – raw materials quality control – product quality control;· ISO issues – presentation – benefits.27 Dr. Magdy El Messiry
  28. 28. Technology Audit QUALTY Figure (5) Quality Control Cycle(b) Human resources· Skills – availability;· Satisfaction – rewards;· Meetings – awareness of company activities/products;· Team working/project management;· Continuing education/training;· Promotion – evolution – record.(c) Research and development – Product development· Research and development strategy/partners;28 Dr. Magdy El Messiry
  29. 29. Technology Audit· Product mix/product lifecycle analysis ;· Analysis of procedures for new product development;· Analysis of research and development activities;· Participation in research and development projects;· Focus on specific research and development area – identification of potential technologysuppliers. Figure (4) Steps of Product Development throughout R&D29 Dr. Magdy El Messiry
  30. 30. Technology Audit(d) Production operation· Walk through production facilities – bottlenecks – problem areas;· Material flow – flow diagram;· Overview of system automation/needs – opportunities;· Floor and product safety;· Maintenance – procedures – planning – problems;· Analysis of productivity.(e) Marketing/sales· Existence/analysis of marketing plan;· Strategy – market share/local – exports;· Competitors analysis/sector analysis/opportunities – threats;· Distribution networks – problems;· Use of information technologies for sales/e-commerce – 9: FINAL REPORT OF THE TECHNOLOGY AUDIT COMPILED BY THE EXPERTSFinal report of the technology audit, as given in Figure (6), compiled by the expertsshould contain the following*:• Executive summary• Summary of results from first part diagnosis• Subject(s) analyzed in second part• Methodology used for analysis• Problems identified30 Dr. Magdy El Messiry
  31. 31. Technology Audit• Solutions proposed• Actions to be taken (action plan)Figure (6) Technology Audit Final Report Contents31 Dr. Magdy El Messiry
  32. 32. Technology AuditThe action planShould be:a) Specific to the subjectb) With a time framec) With determined milestonesd) With an estimated budgete) With the listing of expected resultsf) With identification of potential problem solvers (technology or service providers)g) With indications about provisional funding for implementing the solutions(e.g. national and / or international R&D programs)h) An implementation monitoring schedule, possibly to be done by the service provider.The action plan should be specific to the subject, with a timeframe, with determinedmilestones and with an estimated budget. The action plan must list the expectedresults, identify potential problem solvers (technology or service providers) andindicate provisional funding for implementing the solutions. An implementation,monitoring-schedule must be done by the technology auditor in conjunction with aproject manager. STEP 10: PRESENTATION OF REPORT BY EXPERT TO COMPANY MANAGEMENTAt step 10 the report by the technology auditor to the organization must discussissues identified, solutions proposed, the proposed action plan and the monitoringsystem that will be used.The systematic audit program includes initiating the audit, preparing for on-siteaudit, conducting on site audit, report preparation and follow-up activities. Thefollow-up activities in this context are the improvements activities result from theaudit finding. Figure (7) shows the stages of audit program management.32 Dr. Magdy El Messiry
  33. 33. Technology AuditFigure (7) Audit Program Management Continuous AuditingContinuous auditing is:"A methodology that enables independent auditors to provide written assurance ona subject matter using a series of auditors reports issued simultaneously with, or ashort period of time after, the occurrence of eve nts underlying the subject matter." 3A continuous audit relies heavily on information technologies such as broadbandwidth, web application server technology, web scripting solutions andeverywhere database management systems with standard connectivity.Open database architecture empowers auditors to monitor a companys systemsover the Internet using sensors and digital agents. Incongruities between therecords and the rules defined in the digital agents are transmitted via e-mail to theclient and the auditor. For example, a digital agent performing analyticalprocedures on the accounts receivable would e-mail the auditor a huge outstanding33 Dr. Magdy El Messiry
  34. 34. Technology Auditbeyond the receivable parameters defined in the digital agent. Once an accounttrigger has occurred, the digital agent would move to the transactional level toverify the authenticity of the sale by seeking an e-mail of the sale organization andacceptance of the goods/service by the customer.The audit routine described above is done electronically and automatically on areal-time basis as a part of continuous monitoring. Continuous audit takes off afterthis when an auditor, empowered with data, carries out independent investigationand collects corroborative evidence to arrive at his/her own deductions.34 Dr. Magdy El Messiry
  35. 35. Technology Audit Figure (8) Steps of Implementing Continuous Audit.35 Dr. Magdy El Messiry
  36. 36. Technology Audit 2.3.1. KEY STEPS TO IMPLEMENTING CONTINUOUS AUDITING Once the issues above are understood by managers and auditors alike, the organization will be in a better position to begin using continuous auditing. Generally, the implementation of continuous auditing consists of six procedural steps, demonstrated in Figure (8), which are usually administered by a continuous audit manager. Knowing about these steps will enable auditors to better monitor the continuous audit process and provide recommendations for its improvement, if needed. These steps include: 1. Establishing priority areas. 2. Identifying monitoring and continuous audit rules. 3. Determining the process frequency. 4. Configuring continuous audit parameters. 5. Following up. 6. Communicating results. Below is a description of each. 1. Establishing Priority Areas The activity of choosing which organizational areas to audit should be integrated as part of the internal audit annual plan and the companys risk management program. Many Internal Audit Departments also integrate and coordinate with other compliance plans and activities, if applicable. (Steps 2-6 below are applicable to all of the priority areas and processes being monitoring as part of the continuous audit program.) Typically, when deciding priority areas to continuously audit, internal auditors and managers should: Identify the critical business processes that need to be audited by breaking down and rating risk areas. Understand the availability of continuous audit data for those risk areas. Evaluate the costs and benefits of implementing a continuous audit process for a particular risk area. Consider the corporate ramifications of continuously auditing the particular area or function. 36 Dr. Magdy El Messiry
  37. 37. Technology Audit Choose early applications to audit where rapid demonstration of results might be of great value to the organization. Long extended efforts tend to decrease support for continuous auditing. Once a demonstration project is successfully completed, negotiate with different auditors and internal audit areas, if needed, so that a longer term implementation plan is implemented. When performing the actions listed above, auditors need to consider the key objectives from each audit procedure. Objectives can be classified as one of four types: detective, deterrent (also known as preventive), financial, and compliance. A particular audit priority area may satisfy any one of these four objectives. For instance, it is not uncommon for an audit procedure that is put in place for preventive purposes to be reconfigured as a detective control once the audited activitys incidence of compliance failure decreases. 2. Monitoring and Continuous Audit Rules The second step consists of determining the rules or analytics that will guide the continuous audit activity, which need to be programmed, repeated frequently, and reconfigured when needed. For example, banks can monitor all checking accounts nightly by extracting files that meet the criterion of having a debt balance that is 20 percent larger than the loan threshold and in which the balance is more than US $1,000. In addition, monitoring and audit rules must take into consideration legal and environmental issues, as well as the objectives of the particular process. For instance, how quickly a management response is provided once an activity is flagged may depend on the speed of the clearance process (i.e., the environment) while the activitys overall monitoring approach may depend on the enforceability of legal actions and existing compliance requirements. 3. Determining the Process Frequency Although the process is called continuous auditing, the word continuous is in the eye of the beholder. Auditors need to consider the natural rhythm of the process being audited, including the timing of computer and business processes as well as the timing and availability of auditors trained or with experience in continuous auditing. For instance, although increased testing frequency has substantial benefits, extracting, processing, and following up on testing results might increase the costs of the continuous audit activity. Therefore, the cost-benefit ratio of continuously auditing a particular area must be considered prior to its monitoring. 37 Dr. Magdy El Messiry
  38. 38. Technology AuditFurthermore, other tools used by the manager of the continuous audit functioninclude an audit control panel in which frequency and parameter variations can beactivated. Hence, the nature of other continuous audit objectives, such asdeterrence or prevention, may determine their frequency and variation.4. Configuring Continuous Audit ParametersRules used in each audit area need to be configured before the continuous auditprocedure (CAP) is implemented. In addition, the frequency of each parametermight need to be changed after its initial setup based on changes stemming fromthe activity being audited. Hence, rules, initial parameters, and the activitysfrequency ― also a special type of parameter ― should be defined before thecontinuous audit process begins and reconfigured based on the activitysmonitoring results.When defining a CAP, auditors should consider the cost benefits of error detectionand audit and management follow-up activities. For instance, in the example of thebank described earlier, the excess threshold of US $1,000 could lead to a numberof false negatives (e.g., values that were ignored when the balance was smallerthan US $1,000 but were identified as representing a problem) and a number offalse positives (e.g., values with balances above US $1,000 that were flagged butwere accurate). If the threshold is increased to US $2,000, there will be an increasein false negatives and a decrease in false positives. Because follow up costs wouldgo up as the number of false positives increases and the presence of false negativesmay lead to high operational costs for the organization, internal auditors shouldregularly reevaluate if error detection and follow-up activities need to becontinued, reconfigured, temporarily halted, or used on an ad hoc basis.Furthermore, the stratification of audited data into sub-groups allows organizationsto better monitor the activity and reconfigure any parameters (e.g., auditors will benotified when balances larger than 20 percent of the debt remain that are alsolarger than US $5,000). However, the more complex the rule and its conditionalcomponents, the more parameters that must be examined, monitored, andsometimes reconfigured.5. Following UpAnother type of parameter relates to the treatment of alarms and detected errors.Questions such as who will receive the alarm (e.g., line managers, internalauditors, or both ― usually the alarm is sent to the process manager, the managersimmediate supervisor, or the auditor in charge of that CAP) and when the follow-38 Dr. Magdy El Messiry
  39. 39. Technology Auditup activity must be completed, need to be addressed when establishing thecontinuous audit process.Additional follow-up procedures that should be performed as part of thecontinuous audit activity include reconciling the alarm prior to following up bylooking at alternate sources of data and waiting for similar alarms to occur beforefollowing up or performing established escalation guidelines. For instance, theperson receiving the alarm might wait to follow up on the issue if the alarm ispurely educational (i.e., the alarm verifies compliance but has no adverse economicimplications), there are no resources available for evaluation, or the area identifiedis a low benefit area that is mainly targeted for deterrence.6. Communicating ResultsA final item to be considered is how to communicate with auditors. Wheninforming auditors of continuous audit activity results, it is important for theexchange to be independent and consistent. For instance, if multiple system alarmsare issued and distributed to several auditors, it is crucial that steps 1-5 take placeprior to the communication exchange and that detailed guidelines for individualfactor considerations exist. In addition, the development and implementation ofcommunication guidelines and follow-up procedures must consider the risk ofcollusion. Much of the work on fraud indicates that the majority of fraud iscollusive and can be performed by an internal or external party. For example, inthe case of dormant accounts, both the clerk that moves money and the managerthat receives the follow-up money may be in collusion since the managers keymay have to be used for certain transactions.ADDITIONAL CONSIDERATIONSBesides the six steps described in the previous section, two additional issues thatemerge when implementing continuous auditing are the infrastructure needed forthe process to work and its impact on the workplace.Organizational InfrastructureBecause continuous auditing is a part of the companys audit function, it must bekept independent of management. Therefore, during the planning stages, auditorsneed to keep in mind the process independence when designing its structure. Forinstance, a typical Internal Audit Departments structured so that areas of thedepartment focus on different cycles or business activities. In addition, thedepartment may be divided into financial and IT audit functions.39 Dr. Magdy El Messiry
  40. 40. Technology AuditSometimes, however, IT audit activities are incorporated as part of existing IToperations. In organizations such as these, the development of continuous auditingis usually delayed because the activity may not get the necessary developmentpriority. Regardless of whether IT audit activities are part of the organizations ITor Internal Audit Department, the organization must maintain the processindependence as well as allocate resources in support of continuous audit activities.Impact on PersonnelIn addition, the audit manager in charge of the continuous audit process shouldhave a more technical understanding of IT as well as extensive experience on theactivities being audited. However, hiring, training, and retaining auditors who canimplement and monitor continuous audit activities might be challenging due to thescarcity of internal auditors with knowledge in the area. Furthermore, thecontinuous audit process might create a daily stream of issues that need to beresolved, which might prove stressful given current personnel resources, and mightrequire the continuous audit manager to exert adequate authority in moments ofexceptions.40 Dr. Magdy El Messiry
  41. 41. Technology Audit CHAPTER 3 PERFORMANCE IN TECHNOLOGY AUDIT3.1. IntroductionAppointment of Auditor – auditors are usually appointed by the organizationmangers at the administration council meeting.Terms of Engagement – an engagement letter provides written recognition of theauditor‘s acceptance of appointment, sets out the scope of the audit plus auditorsand management responsibilities.Audit Program – sets out the extent and type of audit procedures. Auditors work tointernationally agreed auditing standards. Auditors start by gaining anunderstanding of the organization‘s activities. For each major activity listed in thefinancial statements, auditors identify and assess risks that could have a significantimpact on the financial position or performance.41 Dr. Magdy El Messiry
  42. 42. Technology AuditDetailed Examination – auditors perform testing and obtain evidence to satisfy therequirements of the audit program. Testing may include compliance with theorganization‘s accounting policies, examining accounting records and verifying theexistence of tangible items such as plant and equipment.Audit Report – contains the audit opinion on the financial report and basis of thatopinion. The scope of the audit plus auditors and management responsibilities arealso restated. The external auditor should maintain independence frommanagement and directors so that the tests and judgments are made objectively.Auditors discuss the scope of the audit work with the organization. Auditorsdetermine the type and extent of the audit procedures they will perform dependingon the risks and controls they have identified. Auditors form an opinion on theinformation in the final report. However, the external auditor should not look atevery transaction carried out by the organization, test the adequacy of all of theorganization‘s internal controls, identify all possible irregularities, audit otherinformation provided to the members of the organization – e.g. the directors‘report. Figure (9) gives the flowchart of the external audit.42 Dr. Magdy El Messiry
  43. 43. Technology Audit Figure (9) Flowchart of the external audit Source: www.urenio.org43 Dr. Magdy El Messiry
  44. 44. Technology Audit3.2. Audit team roles and responsibilitiesAn audit may be conducted by a single lead auditor or by an audit team consistingof a lead auditor, one or more auditors and/or a technical adviser. The NationalCode of Practice for Auditors and Technical Advisers describe the conditions thatan auditor and technical adviser must adhere to when fulfilling their roles duringaudits.Lead AuditorThe role of the lead auditor, demonstrated in Figure (10), is to:• Confirm the scope of the audit with the registering body• Contact the applicant and make an appointment for the audit• Identify and confirm resources (including audit team members and auditdocumentation) required to conduct the audit• Review documentation and develop a plan and schedule for the audit inconjunction with the applicant and then confirm these arrangements• Brief the audit team• Conduct the opening meeting• Identify and gather information• Manage audit team resources by ensuring that there is effective communicationbetween the members of the audit team, and by working with the applicant‘srepresentative to ensure that auditors and technical experts have access to thematerials, sites and personnel they require• Coordinate the audit findings by meeting with the audit team to synthesize theevidence collected• Prepare the audit report with support from the audit team• Conduct the feedback session with the applicant and confirm follow-up• Provide information to the applicant about the complaints process and follow-upaction required• Provide feedback to the audit team.44 Dr. Magdy El Messiry
  45. 45. Technology Audit Figure (10) Duties of Leader of Auditor TeamAuditorsThe role of an auditor, as shown in Figure (11), is to:• Participate in the opening meeting• Identify and gather information• Analyses information• Evaluate information• Report findings• Participate in the feedback session• Undertake other duties as requested by the lead auditor.45 Dr. Magdy El Messiry
  46. 46. Technology Audit Figure (11) Role of AuditorTo understand better how a comprehensive, effective technology audit works, theprocess can be broken down into its various phases in order to draw a comparisonbetween the audit process and the activities associated with organizationaccreditation. Accreditation visit to occur can be segmented into three phases:1) Getting ready;2) On-site visit;3) Results & follow up. The greatest quantity of work occurs during the first phase. Therefore, the threephases will be examined accordingly.46 Dr. Magdy El Messiry
  47. 47. Technology AuditPhase One: Pre-AuditWhether the technology audit has been triggered by the organization internal desireto assess its accountability or whether the impetus has come from outside theorganization, the initial phase is the same. The organization must get ready for theaudit. Thus, this phase is sometimes called the ―pre-audit‖ stage. At a macro level,the organization might want to establish a set of systems that can be put in place tomake auditors time more valuable, more efficient. Auditor may want to form agroup of teams to perform specific functions; a physical location may be specifiedas a ―gathering point‖ for evidentiary documents; a series of focus group meetingsshould be scheduled so organization leaders can encourage employees andcommunity members to voice their opinions and give their perspectives regardingthe organization‘s status; to create a system where all the hard work of engagedpeople, the data and reports auditor collect, and the supporting systems can beperpetuated. Enrolling team members - To make your technology audit a success, it is essentialto have high-quality teams. The teams will be made up of the specialized members.The team leaders will ensure a strong and fluid cooperation among teams, allworking on a common end goal. Team building is a significant activity. Allorganization leaders realize this fully. Best leaders who build and grow the bestteams so they will accomplish the best results.The auditor team leader may clarify with organization employees by explaining tothem that a technology audit is coming and he wants to obtain their very bestthinking about some strategies that will assure success for the organization. Duringthis meeting, the auditor might want to engage in a simple brain storming activity,asking everyone to call out, as fast as they can, all the areas where is the use oftechnologies in the organization. Team leader might ask them to be frank andcandid in their comments, and then ask them to pinpoint areas where they perceivethat improvements could be made. If/when they mention some examples, theauditor asks for substantiating evidence that may give the clues to other thingsneeding. The team leader tries to imagine how the auditors will see things/look atthings through their eyes. What would the auditors do? What would they say?What would they seek? How would they interpret what you give them? Whatwould they recommend? As the leader and the team of advisors go through theseconsiderations, they will have prepared themselves well for what lies ahead, and47 Dr. Magdy El Messiry
  48. 48. Technology Auditwill no longer fear the technology audit, or consider it as a negative event. Rather,they will see this as a profoundly important opportunity to engage in systemicimprovement, as well as great improvement at the individual level.Phase Two: On-Site VisitThe time has come finally when auditors arrive at the organization and areexamining both the reports (data, information, and evidence) and the actual realityof technology integration. This guideline is intended to help auditors conduct morefocused reviews of technology acquisitions by enabling them to quickly identifysignificant areas of risk. Using these guidelines will help auditors identify criticalfactors not addressed by management, make a general evaluation of anyprocurement risks, and provide rapid feedback to agency officials so they can takecorrective action in a timely and efficient manner. Use of the guidelines should beselectively tailored to the requirements of particular reviews and adapted to thestatus of the acquisition. Auditors will need to exercise professional judgment inassessing the significance of audit results or findings. Professional judgment isnecessary to evaluate this information and determine if the agency conducted anadequate requirements analysis.There are five tasks within the audit process area: 1. Develop and implement a risk-based audit strategy for the organization incompliance with audit standards, guidelines and best practices. 2. Plan specific audits to ensure that IT and business systems are protectedand controlled. 3. Conduct audits in accordance with audit standards, guidelines and bestpractices to meet planned audit objectives. 4. Communicate emerging issues, potential risks and audit results to keystakeholders. 5. Advise on the implementation of risk management and control practiceswithin the organization while maintaining independence.48 Dr. Magdy El Messiry
  49. 49. Technology Audit3.3. Audit planningAudit planning consists of both short- and long-term planning, demonstrated inFigure (12). Short-term planning takes into account audit issues that will becovered during the year, whereas long-term planning relates to audit plans that willtake into account risk-related issues regarding changes in the organization‘stechnology strategic direction that will affect the organization‘s technologyenvironment. Analysis of short- and long-term issues should occur at leastannually. Figure (12) Types of Audit Planning49 Dr. Magdy El Messiry
  50. 50. Technology Audit Figure (13) Perform Audit Planning StepsThis is necessary to take into account new control issues, changing technologies,changing business processes and enhanced evaluation techniques. The results ofthis analysis for planning future audit activities should be reviewed by seniormanagement, approved by the audit committee, if available, or alternatively by theBoard of Directors, and communicated to relevant levels of management. Inaddition to overall annual planning, each individual audit assignment must beadequately planned. The auditor should understand that other considerations, suchas risk assessment by management, privacy issues and regulatory requirements,may impact the overall approach to the audit. The auditor should also take intoconsideration system implementation/upgrade deadlines, current and futuretechnologies, requirements of business process owners, and resource limitations.When planning an audit, the auditor must have an understanding of the overallenvironment under review. This should include a general understanding of thevarious business practices and functions relating to the audit subject, as well as thetypes of information systems and technology supporting the activity.To perform audit planning which is shown in Figure (13), the auditor shouldperform the following steps in this order: • Gain an understanding of the business‘s mission, objectives, purpose and processes, which include information and processing requirements, such as availability, integrity, security and business technology.50 Dr. Magdy El Messiry
  51. 51. Technology Audit • Identify stated contents, such as policies, standards and required guidelines, procedures, and organization structure. • Evaluate risk assessment and any privacy impact analysis carried out by management. • Perform a risk analysis. • Conduct an internal control review. • Set the audit scope and audit objectives. • Develop the audit approach or audit strategy. • Assign personnel resources to the audit and address engagement logistics. • Audit planning – Short-term planning – Long-term planning – Things to consider • New control issues • Changing technologies • Changing business processes • Enhanced evaluation techniques • Individual audit planning – Understanding of overall environment • Business practices and functions • Information systems and technology3.4. Road Map for the External Audit Team Audit LeaderThe following are steps that the Team audit leader would perform to determine anorganization‘s level of compliance with external requirements:• Identify those government or other relevant external requirements dealing with: – Electronic data, copyrights, e-commerce, e-signatures, etc.51 Dr. Magdy El Messiry
  52. 52. Technology Audit – Computer system practices and controls – The manner in which computers, programs and data are stored – The organization or the activities of the information services• Document applicable laws and regulations• Assess whether the management of the organization and the information systemsfunction have considered the relevant external requirements in making plans and insetting policies, standards and procedures• Review internal information systems department/function/activity documents thataddress adherence to laws applicable to the industry• Determine adherence to establishing procedures that address these requirements.3.5. Notes to the AuditorAuditor will not ask about any specific laws or regulations, but may questionabout how one would audit for compliance with laws and regulations.Auditor should be aware that it is important that the auditor understands therelationships of control objectives and controls; control objectives and auditobjectives; criteria and sufficiency and competency of evidence; and auditobjective, criteria and audit procedures. Strong understanding of these elements isa key for the auditor‘s performance.Auditor is the importance of setting legal advice. There are two key aspects thatcontrol needs to address, what the auditor should to achieve and what to avoid. Auditor addresses not only to internal controls business/operational objectives,but need to address undesired events through preventing, detecting, and correctingundesired events. Types of control;• Internal accounting controls - Primarily directed at accounting operations, such asthe safeguarding of assets and the reliability of financial records52 Dr. Magdy El Messiry
  53. 53. Technology Audit• Operational controls - Directed at the day-to-day operations, functions andactivities to ensure that the operation is meeting the business objectives• Administrative controls - Concerned with operational efficiency in a functionalarea and adherence to management policies including operational controls. Thesecan be described as supporting the operational controls specifically concerned withoperating efficiency and adherence to organizational policy.Figure (14) Elements to Development of Internal Control Manual3.6. Control objectivesEvery organization needs to have a sound internal control in place to keep theorganization on course toward profitability goals and achievement of its mission,to minimize surprises along the way and to be able to realize its opportunities.Elements to Development of Internal Control Manual are illustrated in Figure (14).53 Dr. Magdy El Messiry
  54. 54. Technology AuditThe importance of internal control has been further heightened by the increasingattention given to corporate governance, of which internal control is nowconsidered to be vital element. Sound practices of internal control and riskmanagement enable management to deal with rapidly changing economic andcompetitive environments, shifting customer demands and priorities, andrestructuring for future growth. Internal controls and risk management promoteefficiency, reduce risk of asset loss, and help ensure the reliability of financialstatements38.It consists of the following;• Safeguarding of information technology assets• Compliance to corporate policies or legal requirements• Authorization/input• Accuracy and completeness of processing of transactions• Output• Reliability of process• Backup/recovery• Efficiency and economy of operations.Controls are generally categorized into 3 major classifications:Preventive: These controls are to deter problems before they arise.Detective: Controls that detect and report the occurrence of an error, omission ormalicious act.Corrective: These controls minimize the impact of a threat, remedy problemsdiscovered by detective controls, and identify the cause of a problem.Internal control objectives - Apply to all areas, whether manual or automated.Therefore, conceptually, control objectives in an information systems environment54 Dr. Magdy El Messiry
  55. 55. Technology Auditremain unchanged from those of a manual environment. However, control featuresmay be different. Thus, internal control objectives need to be addressed in amanner specific to related processes. Figure (15) Internal Control Pyramid Internal Control is a process within an organization designed to providereasonable assurance:  That information is reliable, accurate, and timely.  Of compliance with policies, plans, procedures, laws, regulations, and contracts.  That assets (including people) are safeguarded.  Of the most economical and efficient use of resources.  That overall established objectives and goals are met.Internal controls are intended to prevent errors or irregularities, identify problems,and ensure that corrective action is taken.Figure (15) illustrates the internal control pyramid and the information andcommunication path.55 Dr. Magdy El Messiry
  56. 56. Technology Audit CHAPTER 4 SWOT ANALYSIS4.1 IntroductionSWOT Analysis is a business tool by which, a firm wishing to implement astrategic analysis, analyses and recognizes it‘s corporate Strengths and Weaknessesas well as the existed or forthcoming Opportunities and Threats from its externalenvironment.Only when these four critical information elements are well elaborated and known,the enterprise is able to formulate and implement the strategy leading to itsbusiness aims.4.2. The Need for SWOT AnalysisThe SWOT Analysis is an extremely useful tool for understanding and decision-making for all sorts of situations in business and organizations. SWOT Analysis isa very effective way of identifying your Strengths and Weaknesses, and ofexamining the Opportunities and Threats you face. Carrying out an analysis usingthe SWOT framework helps you to focus your activities into areas where you arestrong and where the greatest opportunities lie. By creating a SWOT Analysis, youcan see all the important factors affecting your business together in one place. It‘seasy to create, easy to read, and easy to communicate.56 Dr. Magdy El Messiry
  57. 57. Technology Audit Figure (16) SWOT Analysis Framework144.3. Limitations of SWOT AnalysisSWOT Analysis is not free from its limitations*. It may cause organizations toview circumstances as very simple because of which the organizations mightoverlook certain key strategic contact which may occur. Moreover, categorizingaspects as strengths, weaknesses, opportunities and threats might be verysubjective as there is great degree of uncertainty in market. SWOT Analysis doesstress upon the significance of these four aspects, but it does not tell how anorganization can identify these aspects for itself.There are certain limitations of SWOT Analysis which are not in control ofmanagement. These include: a. Price increase; b. Inputs/raw materials; c. Government legislation; d. Economic environment; e. Searching a new market for the product which is not having overseas57 Dr. Magdy El Messiry
  58. 58. Technology Audit market due to import restrictions; etc.Internal limitations may include: a. Insufficient research and development facilities; b. Faulty products due to poor quality control; c. Poor industrial relations; d. Lack of skilled and efficient labor; etc The SWOT Analysis is an extremely useful tool for understanding and decision-making for all sorts of situations in business and organizations. A company can use the SWOT Analysis while developing a strategic plan or planning a solution to a problem that takes into consideration many different internal and external factors, and maximizes the potential of the strengths and opportunities while minimizing the impact of the weaknesses and threats4.4. SWOT Analysis FrameworkAction checklist1. Establishing the objectivesThe first key step in any project is to be clear about what you are doing and why.The purpose of conducting SWOT Analysis may be wide or narrow, general orspecific.2. Allocate research and information-gathering tasks. Background preparation is avital stage for the subsequent analysis to be effective, and should be dividedamong the SWOT participants. This preparation can be carried out in two stages:  Exploratory, followed by data collection.  Detailed, followed by a focused analysis. Gathering information on58 Dr. Magdy El Messiry
  59. 59. Technology Audit Strengths and Weaknesses should focus on the internal factors of skills, resources and assets, or lack of them. Gathering information on Opportunities and Threats should focus on the external factors.3. Create a workshop environmentIf compiling and recording the SWOT lists takes place in meetings, then doexploit the benefits of workshop sessions. Encourage an atmosphere conducive tothe free flow of information and to participants saying what they feel to beappropriate, free from blame. The leader/facilitator has a key role and shouldallow time for free flow of thought, but not too much. Half an hour is oftenenough to spend on Strengths, for example, before moving on. It is important tobe specific, evaluative and analytical at the stage of compiling and recording theSWOT lists.4. List Strengths, Weaknesses, Opportunities, Threats in the SWOT Matrix5. Evaluate listed ideas against objectives.With the lists compiled, sort and group facts and ideas in relation to theobjectives. It may be necessary for the SWOT participants to select from the listin order to gain a wider view.The SWOT Analysis template is normally presented as a grid, comprising foursections, one for each of the SWOT headings: Strengths, Weaknesses,Opportunities, and Threats. The SWOT template given in Chapter 5 includessample questions, whose answers are inserted into the relevant section of theSWOT grid. The questions are examples, or discussion points, and obviously canbe altered depending on the subject of the SWOT Analysis.59 Dr. Magdy El Messiry
  60. 60. Technology Audit Figure (17 ) SWOT Analysis Framework60 Dr. Magdy El Messiry
  61. 61. Technology Audit CHAPTER 5 EXAMPLE OF FORMATION OF SWOT MATRIX PARAMETERS Figure (18) SWOT Matrix Environment Analysis5.1 IntroductionThe analysis of the company situation starts by defining the strength, weakness,opportunities and threats. Table below shows some common parameters whichmay be considered.61 Dr. Magdy El Messiry
  62. 62. Technology Audit Strengths Weaknesses  Advantages of proposition?  Disadvantages of proposition?  Capabilities?  Gaps in capabilities?  Competitive advantages?  Lack of competitive strength?  USPs (unique selling points)?  Reputation, presence and reach?  Resources, Assets, People?  Financials?  Experience, knowledge, data?  Own known vulnerabilities?  Financial reserves, likely returns?  Timescales deadlines and  Marketing - reach, distribution, pressures? awareness?  Cash flow, start-up cash-drain?  Innovative aspects?  Continuity, supply chain  Location and geographical? robustness?  Price, value, quality?  Effects on core activities, distraction?  Accreditations, qualifications, certifications?  Reliability of data, plan predictability?  Processes, systems, IT, communications?  Moral, commitment, leadership?  Cultural, attitudinal, behavioral?  Accreditations, etc?  Management cover, succession?  Processes and systems, etc?  Management cover, succession?62 Dr. Magdy El Messiry
  63. 63. Technology Audit Opportunities Threats  Market developments?  Political effects?  Competitors vulnerabilities?  Legislative effects?  Industry or lifestyle trends?  Environmental effects?  Technology development and  IT developments? innovation?  Competitor intentions - various?  Global influences?  Market demand?  New markets, vertical, horizontal?  New technologies, services,  Niche target markets? ideas?  Geographical, export, import?  Vital contracts and partners?  Tactics - surprise, major  Sustaining internal capabilities? contracts, etc?  Obstacles faced?  Business and product  Insurmountable weaknesses? development?  Loss of key staff?  Information and research?  Sustainable financial backing?  Partnerships, agencies, distribution?  Economy - home, abroad?  Volumes, production, economies?  Seasonality, weather effects?  Seasonal, weather, fashion influences?successful SWOT Analysis63 Dr. Magdy El Messiry
  64. 64. Technology Audit5.2. Tips for Design Your SWOT AnalysisFor the successes of the SWOT Analysis some constrictions depending on theenvironment of the origination should be taken into consideration.Following are some tips 15for the auditors; Top Tips But remember …1 Never copy an existing SWOT Analysis; it will You could use a standard influence your thinking. Start with a fresh template to help the ideas flow piece of paper every time2 Set aside enough time to complete it You may need to come back to it several times before you are happy3 The SWOT Analysis itself is NOT the result. Before you begin any analysis, It‘s only a tool to help you analyze your you should know what you business intend to do with the results4 A SWOT Analysis is not a business school fad. You need to be comfortable It is a proven technique used throughout the working with it in your business community business5 Keep your SWOT Analysis simple, readable, It needs to make sense to short and sharp outsiders (e.g. bank managers or investors) so don’t use phrases or acronyms that only you understand6 Make sure you create an action plan based on You need to communicate this your SWOT Analysis clearly to everyone involved7 A SWOT Analysis only gives you insight at a You need to review it – single point in time probably quarterly – to see how the situation has changed8 Don‘t over-analyze. Try not to worry if it isn‘t If you are going to act on the perfect, just get the analysis done results, it needs to be accurate64 Dr. Magdy El Messiry
  65. 65. Technology Audit in all the important areasThe role of SWOT Analysis is to take the information from the environmentalanalysis and separate it into internal issues (strengths and weaknesses) and externalissues (opportunities and threats). Once this is completed, SWOT Analysisdetermines if the information indicates something that will assist the firm inaccomplishing its objectives (a strength or opportunity), or if it indicates anobstacle that must be overcome or minimized to achieve desired results (weaknessor threat). When doing SWOT Analysis, remember that the S and W areINTERNAL and the O and T are external.Figure(19) Dr. Magdy El Messiry
  66. 66. Technology AuditCHAPTER 5PRACTICAL EXAMPLES OF SWOT ANALYSIS5.1. Health centersSubject of SWOT Analysis example: the achievement of a health centers mission.The scenario is based on the SWOT Analysis 17, which has been performed by ahealth centre in order to determine the forces that promoted or hindered theachievement of its mission.Starting position of the health centre:  The staff lack of motivation  The building was really small  The facility was old  There was a lot of paper work and bureaucracyThose characteristics resulted in this health centre facing up to a lot of problemswith the accommodation of the patients. Moreover, the establishing of a newadvanced hospital in the city made the situation even worse. Therefore, theydecided to perform a SWOT Analysis in order to execute the best decision-makingfor all the problems that they faced.Step 1: Purpose of conducting SWOT Analysis - the achievement of a healthcenters mission.Step 2: The gathering of information on Strengths and Weaknesses focused on theinternal factors of skills, resources and assets, or lack of them. The gatheringinformation on Opportunities and Threats should focus on the external factors.66 Dr. Magdy El Messiry
  67. 67. Technology AuditStep 3: The manager of the health centre encouraged all the staff members tofreely express their opinions about what they felt to be appropriate.Step 4: SWOT matrixStep 5: After completing the SWOT matrix the SWOT participants had a widerview of the situation at the centre so they were able to propose the alternatives thathelped considerably in the operation of the health centre.The alternatives where:  training of the staff in interactive techniques of quality improvement  coordination with other providers to cover all user needs  remodeling of the facility with local government funds and international help  cost recovery of drugs and lab supplies with user fees  payment of incentives to staff based on performance  review of procedures for decreasing costs and waiting times and increasing perceived quality.Strengths: Weaknesses:  Willingness of staff to change  Staff lack of motivation  Good location of the health centre  Building was really small  Perception of quality services  Paper work and bureaucracy  Cultural differences with usersOpportunities: Threats:  Support of local government  Low income of users67 Dr. Magdy El Messiry
  68. 68. Technology Audit  High felt need of users  Bad roads  Internationally funded projects  Low salaries  Lack of budget  Paradigms of providers  High competitionThis strategic analysis and planningof the health centre had the below results:  27% increase of patients  reduction of waiting times to 15minutes  20% increase of staff performance  remodeling of the facility68 Dr. Magdy El Messiry
  69. 69. Technology Audit5.2. University SWOT AnalysisUniversity strengths, weaknesses, opportunities and threats (SWOT Analysis) wereidentified by members of University Strategic Goals and Priorities Committeeduring a brain storming session. Administrators, faculties, and students reviewedthe analysis and provided input. Background information on the Organization isopportunities and threats it faces can be useful in considering strategic issues.The SWOT Analysis was used to develop the attached strategic questions. Thesequestions and others raised by participants at the workshop will help definestrategic directions important to the university in the next five year.69 Dr. Magdy El Messiry
  70. 70. Technology AuditSWOT ANALYSISStrengths: Weaknesses:Positive reputation in the external Distinguishing qualities and identity not wellcommunity known- Positive experience with those who - Operational structure/bureaucracyinteract with the campus - Sluggish responsiveness to student and- Proactive Partnerships with other community needsuniversities, community colleges, and - Fiscal uncertaintycorporations - Lack of pride of internal community- Past performance - Match between research expectation &- Many Accredited Programs support- Successful 6 year graduation rates - High and unequal workloads faculty &- Faculty and staff support the campus staffmission - Ability to hire & retain faculty- Proactive student support - Student preparedness at entrance- Access to services - Adjusting to pressures of growth- Faculty involvement with students - Varying perceptions of appropriate- Student leadership programs proportions of major employee categories- Learning communities developing to (faculty, staff, and administrators)enhance learning and student-faculty - Lack of strong, pervasive presence in theinteraction external community- Campus Characteristics - Limited resources for faculty and staff- Medium size campus with small class size development-Facilities include new and well-maintained, - Highly competitive market for diverseattractive buildings and grounds with faculty and staffgrowth potential - Promulgating egalitarianism- Potential for growth in Turlock and - Reporting perceived as a ritual andStockton meaningless- Friendly and safe - Reporting requirements absorb a large- Diverse student body, Hispanic Serving percentage of resourcesInstitution- Dedicated and Expert faculty- Campus wide involvement in planning- Healthy shared governance- Strong, active external boards- Residential Campus Development- Artistic and Cultural Performances70 Dr. Magdy El Messiry