The document provides an overview of technology auditing and internal auditing processes. It discusses: 1. The objectives and composition of technology audits, which identify potential issues, assess capabilities, and optimize technology use. 2. The types of audits - internal audits assess processes, external audits are implemented by external parties, and continuous auditing is ongoing. 3. The steps for internal audits, which include developing audit strategies, planning specific audits, conducting audits, communicating results, and advising on improvements.

1. Technology Audit
Technology
Audit
Training Course
PART I
By
Dr. MAGDY ELMESSIRY
KNOWLEDGE TRANSFER CENTER
ALEXANDRIA UNIVERSITY
2011
1 Dr. Magdy El Messiry

2. Technology Audit
Technology Audits Will Help Identify
Potential Issues That May Become Serious
Problems for Your Business If Left Unattended
While each organization should insure
an effective continuous auditing for
increase the generated income.
Dr. M.El Messiry
2 Dr. Magdy El Messiry

3. thousand miles
begins with a
single step"
Technology Audit
"A trip of a thousand miles begins with a single step"
PREFACE
The main objectives of this booklet are to give the reader a survey of the different elements of
the Technology Auditing (TA), hence the TA is the only way for the organization to improve
their situation on the market. Technology audits will help identify potential issues that may
become serious problems for your business if left unattended. Technology auditing will be
recognized as the reliable and trusted source for the best application of relevant technology in the
industry. The continuous technology auditing will lead to the following;
 Establishing proven methodologies for technology assessments
 Establishing proven methodologies for quality control
 Establishing a network of reliable and brief information sources
 Establishing a periodic review and assessment of technology news and information
 Establishing a standard technology assessment model
 Establishing a secured database of reports and assessments
 Establishing and maintain business models for measuring return on investment and total
cost of ownership
To enhance the effectiveness of organization by providing the tools will be achieved through
information concerning the latest technology and innovation relevant to the particular
industrial fields that is the specific mission and goals of the organization.
The role of the Universities in implementing the Technology Auditing in the different
organizations can be accomplished through the specialists in the technology and other areas of a
globally competitive economy. Their function will be the assistance in:
 Promoting competitiveness and job creation.
 Enhancing the quality of life.
 Developing human resources.
 Working towards environmental sustainability.
 Promoting an information society.
 Producing more knowledge-embedded products and services.
 Developing innovation technologies that lead to increasing the number of patents.
The objective of this course is to give the specialists in the technology transfer
centers at the universities and the industrial organizations the basic concepts on
TECHNOLOGY AUDITING and to help them in building TA departments.
3 Dr. Magdy El Messiry

4. Technology Audit
TABLE OF CONTENTS
PREFACE
CHAPTER ONE
TECHNOLOGY AUDTING
1.1 Introduction
1.2 Technology Audit Composition
CHAPTER TWO
INTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITING
1. Internal Audit
1.1 Mission of the Internal Audit Function
1.2 Internal Audit Practice in Organization
1.3 Steps for Building the Internal Audit Team
1.4. Suggestion for Successful Internal Audit
1.5 Code of Ethics for Audit Staff
1.6 International Standards for the Professional Practice of Internal
Auditing (Standards)
2. External Audit
2.1 Implementation Procedure
2.2. Continuous Auditing
2.3. Key Steps to Implementing Continuous Auditing
2.3.1. Additional Considerations
2.3.2. Organizational Infrastructure
4 Dr. Magdy El Messiry

5. Technology Audit
2.3.3. Impact on Personnel
CHAPTER 3
THE AUDITORS PERFORMANCE IN TECHNOLOGY AUDIT
3.1. Introduction
3.2. Role of Auditor
Phase One: Pre-Audit
Phase Two: On-Site Visit
3.3. Road Map for the External Audit Team Audit Leader
3.4. Notes to the Auditor
3.4. Control objectives
CHAPTER 4
SWOT ANALYSIS
4.1 Introduction
4.2. The Need for SWOT Analysis
4.3. Limitations of SWOT Analysis
4.4. SWOT Analysis Framework
CHAPTER 5
PRACTICAL EXAMPLES OF SWOT ANALYSIS
5.1. Health centers
5.2. University SWOT Analysis
5.3. Retail Industry SWOT Analysis
4.4. Web Business SWOT Analysis
5 Dr. Magdy El Messiry

6. Technology Audit
CHAPTER 6
GLOSSARY
APPENDIX I
SWOT Analysis Template
APPENDIX II
Audit Checklist
APPENDIX III
Audit Checklist ISO/IEC 19770-1
APPENDIX IV
Template to use when writing an audit report
APPENDIX V
Information Technology Audit Report
REFERENCES
6 Dr. Magdy El Messiry

7. Technology Audit
CHAPTER ONE
TECHNOLOGY AUDTING
1.1 Introduction
Today, the products‘ life cycle becomes gradually smaller. Actually in some
sectors such as the computer sector, technological devaluation of the products
occurs within a few months. Therefore it is a great competitive advantage for the
companies to be able to introduce new products to the market before their
competitors, gaining in this way significant sale shares. Today the companies must
be able to be constantly innovative to maintain or improve their position in the
market. In order to achieve this, they must know how to identify the innovation
needs of a business problem. The innovation management tools, which are utilized
for doing this, are Technology Audit and SWOT method1. Technology has become
an increasingly dynamic sector of the global economy. The critical task is now to
maintain a broad awareness of the nature and potential impact of emerging
technologies, the points of junction, and impact on market place trends on a
worldwide basis. Management of technology is an interdisciplinary field that
integrates science, engineering, and management knowledge and practice. The
focus is on technology as the primary factor in wealth creation. Wealth creation
involves more than just fiscal values and it may encompass factors such as
enhancement of knowledge, intellectual capital, effective exploitation of resources,
preservation of the natural environment, and other factors that may contribute to
raising the standard of living and quality of life.
The Technology Audit is a method for identifying the major company
requirements, needs, weaknesses and strengths on human resources and
infrastructure as well as opportunities that should be taken under consideration.
The Technology Audit is also a technique which identifies the management‘s view
of how the company performs as well as strong indications of what the company
really needs2.
The Technology Audit technique examines in tandem the External and Internal
environment of the company and identifies the human resources relation to
company‘s performance. Furthermore, it assists the company to discover the more
significant actions that it should adopt.
7 Dr. Magdy El Messiry

8. Technology Audit
As shown in Figure (1), an organization can perform an audit in order to:
 Generate income (or more income) for the technology driven organizations (e.g.
technology based enterprises, research centers, institutes) from their available technology.
 Improve the productivity of the technological factors.
 Improve business competitiveness and public administration's performance.
 Assess your current capabilities before making expensive changes.
 Learn how to optimize the use of current technology.
 Learn about your technology options.
 Get an independent assessment that can help convince your organizational partners of
changes needed.
An audit is merely a ―checkup.‖ As we gather more and more techno-devices
around us, we recognize the need to ensure that they are all accounted for, are
working properly, and are being employed for proper purposes, purposes that
advance the cause for our organizations. Consequently, a technology audit exists at
its very core as an activity that focuses our full attention upon improvement,
sustainable improvement and continuous innovation. Organizational survey and
technology audit will help in understanding the level of attention paid to
technology in the organization and facilitate the involvement of employees from
different departments of the organization in the technology management process.
The organizational survey and technology audit provides an instrument for
auditing the organization‘s technological capabilities and its awareness of
technology as means of improving competition. The organizational survey and
technology audit are used to assess whether the organization‘s management has the
appropriate level of understanding of technology and technology management, and
whether the required climate to use technology is in place.
Formulation of technology strategy addresses the issue of how to recognize the
critical technological needs and identifies the basic dimensions of a technology
strategy. It consists of three steps: technology assessment, technology selection,
and definition of the portfolio of technological projects, and strategic priorities and
actions3. The technology audit is equally applicable to manufacturing and service
firms. The firms should wish to create new products, incorporate new processes,
diversify their activities and be with growth potential. They should have capacity
to survive and innovate and competence for international cooperation. Technology
auditing should consider as means of ensuring business continuity in a
manufacturing organization.
8 Dr. Magdy El Messiry

9. Technology Audit
Figure (1) Objectives of Audit Cycle
9 Dr. Magdy El Messiry

10. Technology Audit
1.2 Technology Audit Composition
The implementation of the technology auditing starts with the answering to;
 What is the relationship between technology, business strategy and
innovation in ensuring continuity of the organization?
 What does a technology audit consist of and what tools are available to help
conduct the technology audit?
 What is the process flow of a technology audit?
The main steps of a technology audit process are 4:
Step 1: Company Decision for Technology Audit
The starting point of the technology audit process is the desire or wish of a firm to
carry out a technology audit.
Step 2: Initial phase
The initial phase is important to ensure that the audit proceeds smoothly and
effectively. It includes discussion at the management level to explain and agree
upon the purpose of the audit, to design the questionnaire and the framework for
the report to suit the organization and to select those to be interviewed. Initial
information about the organization (published and unpublished reports) is gathered
at this stage. Analysis of questionnaires should be done prior to the interviews and
might be done at an earlier stage, so that selection of those to be interviewed is
partly based on questionnaires.
Step 3: Interview and report phase
The company is being interviewed with a questionnaire, normally with
participation of the General Manager, aiming at:
 Collecting general company data
 Shaping company technology profile
 Performing SWOT Analysis
 Identifying technological areas for further analysis.
10 Dr. Magdy El Messiry

11. Technology Audit
Technology Audit Tool consists of two parts, the questionnaires and the reports.
The results derived from the questionnaires generate the reports that can be easily
accessed by the General Manager of the company, but for a more accurate and less
biased diagnosis, an external specialized consultant is proposed.
Step 4: Technology Audit Report Framework
The final report of the technology audit should include:
 Subjects analyzed
 Methodology used
 Problem areas identified
 Solutions proposed for the problems
 Steps to be taken for implementing the solutions (action plan)
The expected results from a carefully conducted technology audit mainly concern4:
 Complete and comprehensive analysis and evaluation of the requirements of
the organization for its sustainable growth
 Thoroughly objective SWOT Analysis
 Opportunity spotting for new products / new services / new technologies / new
markets
 Networking with technology suppliers, technological sources, other companies
 Possible assessment of technology portfolio, intellectual property rights
There are five tasks within the audit process area:
1. Develop and implement a risk-based international audit standards (IS) audit
strategy for the organization in compliance with international audit standards,
guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and
controlled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices
11 Dr. Magdy El Messiry

12. Technology Audit
to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the
organization while maintaining independence.
12 Dr. Magdy El Messiry

13. Technology Audit
CHAPTER TWO
INTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITING
The auditing process can be divided into three categories; Internal Audit, External
Audit, and Continuous Audit that might integrate for the fulfillment of the
organization objectives as illustrated in Figure (2).
2.1. Internal Audit
Internal auditing, as defined by the Institute of Internal Auditors (IIA), is an
independent, objective assurance and consulting activity designed to add value and
improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control, and governance processes‖.
2.1.1 Mission of the Internal Audit Function
The mission of the internal audit function is to provide organization management
with systematic assurance, analyses, appraisals, recommendations, advice and
information with a view to assisting it, and other stakeholders, in the effective
discharge of their responsibilities and the achievement of organization‘s mission
and goals5. The role of the internal audit function includes providing reasonable
assurance on the effectiveness, efficiency and economy of the processes in various
areas of operations within the organization, as well as compliance with
organization financial and staff rules and regulations, general assembly decisions,
applicable accounting standards and existing best practice.
2.1.2 Internal Audit Practice in Organization
Each organization should establish Internal Audit. Its original mandate included
both internal audit and evaluation functions. The Internal Audit Department also
informally acted as a focal point for investigation and inspection. The organization
Internal Audit Charter follows Standards for the Professional Practice of Internal
Auditing issued by the Institute of Internal Auditors5 (IIA) in assignments
13 Dr. Magdy El Messiry

14. Technology Audit
performing audit. Audits are conducted in accordance with a detailed annual audit
plan that is developed based on an annual risk-based assessment of internal audit
needs for the whole of organization.
Figure (2) Types of Auditing Models
Figure (3) Steps of Performing Internal Audit
14 Dr. Magdy El Messiry

15. Technology Audit
Risk-based annual audit plans are subject to regular revision, at least annually, in
order to be aligned with the strategic objectives of the organization. Audit needs
are estimated based on a thorough review of organization‘s business and other
systems and processes which make up the audit environment for the Internal
Organization Audit Department. The audit needs assessment is reviewed annually
at the same time as the detailed annual audit plan is set out.
For annual audit planning purposes in line with the new set of strategic goals set
for the Organization, the Internal Organization Audit Department strategy and
annual plans are re-aligned regularly to ensure:
 Due emphasis is put on the ―operational efficiency and effectiveness‖ aspect
in the detailed work plans to the extent possible.
 Main organization business processes are reviewed to identify strengths and
good practices, as well as gaps and deficiencies. Value adding
recommendations are made to assist management in addressing these issues.
 Audit support is provided to key management and governance initiatives
recognizing that the responsibility for such initiatives rests with the
management in the case of a strong indication of any fraudulent activity
found during an audit.
 Sufficient audit work is performed to gather factual evidence and the
supporting documentation is handed over to the Investigation Section for
further examination if need be.
2.1.3 Steps for Building the Internal Audit Team
Figure (3) represents the steps for building the Internal Audit Team.
1- Group Formation
Local audit team leaders are chosen. They may appoint an individual to serve as
overall coordinator, as well. The key here is to get the best leadership in place
and functioning quickly.
2- Audit teams
Audit teams are formed and necessary documents needed to support the audit
are gathered (Technology plan, facilities plan, personnel reports, etc.).
15 Dr. Magdy El Messiry

16. Technology Audit
3- Meetings
Meetings are held at each organization department to explain this process to
employees. The purpose is to ensure that all employees know what to expect as
their auditors begin gathering data from a large number of locations to explain
the process, to seek community support and patience, and to forecast some
findings. This serves to get the community ―on board.‖
4- Teams Work
Department-by-Department teams are working within the organization. At the
same time, another team works on the organization as a whole.
5- Individual Team Reports
Reports are written, and then combined into an organization wide document.
6- Team Leader Report
Team leader shares the internal audit report with the organization board.
7- Report Approval
Organization board approves the internal technology audit final report.
8- Report Publication
Team leader authorizes the report publication.
2.1.4. Suggestion for Successful Internal Audit
In order to insure the success of the internal audit processes the following
recommendations6 should be considered by the organization manager for
implementing the Internal Audit;
Recommendation 1:
Invite the Director General to submit Internal Audit Charter to the organization
general assembly. The charter could then cover the activities of the Evaluation
Section and could give a general description of the tasks of the department and a
more detailed description of the tasks of each Section (Director, Internal Audit,
Investigation, and Evaluation & Inspection). After this recommendation has been
accepted, Internal Organization Audit Department supports this recommendation as
it will help clarify the distinct roles of the three main functions, i.e. internal audit,
investigation and evaluation and promote the role of oversight in organization. A
revision of the Internal Audit Charter will be proposed for review by the Program
and Budget Committee which will create an Internal Audit.
16 Dr. Magdy El Messiry

17. Technology Audit
Recommendation 2:
Director of Internal Organization Audit Department should draw up a list of the
training undertaken by all of his staff and update such a file as and when necessary.
This recommendation has been accepted. The recommendation will assist further
the tracking of the professional training being carried out.
Recommendation 3:
Invite the Director of Internal Organization Audit to develop a program (concept)
of quality assurance and improvement that includes documentation on periodic and
ongoing internal assessments of all areas of internal audit activity. Once
established, this concept should be included in the Internal Audit Manual. It seems
clear that ongoing assessments would only be suitable when the Internal Audit
Section has at least two qualified staff members. This recommendation has been
accepted. All audits are done in line with the Institute of Internal Auditors (IIA)
Standards and are subject to review and quality control. It is already Internal
Organization Audit Department‗s stated policy to have regular external and
internal quality assurance in accordance with the (IIA) 7 Standards.
Recommendation 4:
Invite Internal Organization Audit Department for the following:
a. to decide, during its annual planning, on precise audit themes which are then
mentioned in the final reports,
b. to continue to draw up a list of planned, completed and reported audits, which
should be updated as necessary, and
c. to implement long-term audit planning.
Recommendation 5:
The drafting of the audit manual should be completed and made it available to
organization staff and/or over the intranet. This manual should cover all the
essential elements specified in the Audit Standards**.
Recommendation 6:
Suggest that, from now on, Internal Organization Audit Department includes an
evaluation of the following in its reports:
a. exposure to significant risks and the corresponding controls,
b. subjects relating to governance, and
c. any other issue in response to a need or a request of the general management or
the Audit Committee.
17 Dr. Magdy El Messiry

18. Technology Audit
Recommendation 7:
Invite Internal Organization Audit Department to review its strategy on planning
for audits involving medium to low risks in order to concentrate more on
engagements involving higher risks.
Recommendation 8:
The Internal Audit Section should:
a. clarify the work program by linking it with the risk analysis,
b. ensure that the work program includes the priorities and the resource allocation
for each subject to be audited,
c. ensure that the work program allows a connection to be made between the
working papers and the recommendations,
d. ensure that comments concerning the involvement and assignment of external
experts are highlighted in the audit plan, and
e. ensures that the signature of the Director of Internal Organization Audit
Department and the date of approval are systematically placed on the audit
program before the audit begins.
Recommendation 9:
Invite Internal Organization Audit Department:
a. to improve the formalization of working documentation so that a third party
audit professional is always able to compare the objectives of the engagement, the
content of the examinations carried out, the results, the auditor‘s opinion and the
recommendations. The standardization and organization of working papers could
go some way to achieving this,
b. to integrate into the Internal Audit Manual regulations relating to audit
documents, information to be archived and the period for which files must be kept;
rules on access by third parties to working papers should also be included,
c. to create audit notes that include a summary of the work carried out and allow
connections to be made between the work program, interviews, analyzed
documents and the notes and recommendations contained in the report,
d. to establish a system for reviewing working papers and dating and signing them,
and
e. to provide for the establishment of standards relating to documentation in the
audit manual.
18 Dr. Magdy El Messiry

19. Technology Audit
Recommendation 10:
In order to increase the visibility of the internal audit function within organization,
invite the Director of Internal Organization Audit Department to increase his
contact with the Organization General manger.
2.1.5 Code of Ethics for Audit Staff
The internal audit staff is expected to follow the internal audit function in conducting
audits as set out in the Audit Charter8.
 The Internal Auditor enjoys operational independence in the conduct of
his/her duties. He/she has the authority to initiate, carry out and report on
any action, which he/she considers necessary to fulfill his/her mandate.
 The Internal Auditor shall be independent of the programs, operations and
activities he/she audits to ensure the impartiality and credibility of the audit
work undertaken.
19 Dr. Magdy El Messiry

20. Technology Audit
 Internal audit work shall be carried out in a professional, unbiased and
impartial manner.
 The conclusions of the audits shall be shared with the managers concerned,
who shall be given the opportunity to respond.
 Any situation of conflict of interest shall be avoided.
 The Internal Auditor shall have unrestricted, direct and prompt access to all
organization records, officials or personnel holding any organization
contractual status and to all the premises of the Organization.
 The Internal Auditor shall respect the confidential nature of information and
shall use such information with discretion and only in so far as it is relevant
to reach an audit opinion.
2.1.6 International Standards for the Professional Practice of Internal Auditing
(Standards)
The Institute of Internal Audit published the professional practice that includes
Introduction to the Standards, Attribute Standards, and Performance Standards*.
Internal auditing is conducted in diverse legal and cultural environments; within
organizations that vary in purpose, size, complexity, and structure; and by persons
within or outside the organization. While differences may affect the practice of
internal auditing in each environment, conformance with the IIA‘s International
Standards for the Professional Practice of Internal Auditing (Standards) is essential
in meeting the responsibilities of internal auditors and the internal audit activity.
The purpose of the Standards is to:
1. Define basic principles that represent the practice of internal auditing.
2. Provide a framework for performing and promoting a broad range of value-
added internal auditing.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.
The Standards are principles-focused, mandatory requirements consisting of:
20 Dr. Magdy El Messiry

21. Technology Audit
 Statements of basic requirements for the professional practice of internal
auditing and for evaluating the effectiveness of performance, which are
internationally applicable at organizational and individual levels.
 Interpretations, which clarify terms or concepts within the Statements.
The structure of the Standards is divided between Attribute and Performance
Standards. Attribute Standards address the attributes of organizations and
individuals performing internal auditing. The Performance Standards describe the
nature of internal auditing and provide quality criteria against which the
performance of these services can be measured. The Attribute and Performance
Standards are also provided to apply to all internal audits.
Implementation Standards are also provided to expand upon the Attribute and
Performance standards, by providing the requirements applicable to assurance or
consulting activities. Assurance services involve the internal auditor‘s objective
assessment of evidence to provide an independent opinion or conclusions
regarding an entity, operation, function, process, system, or other subject matter.
The nature and scope of the assurance engagement are determined by the internal
auditor. There are generally three parties involved in assurance services:
1. the person or group directly involved with the entity, operation, function,
process, system, or other subject matter — the process owner,
2. the person or group making the assessment — the internal auditor,
3. the person or group using the assessment — the user.
Consulting services are advisory in nature, and are generally performed at the
specific request of an engagement client. The nature and scope of the consulting
engagement are subject to agreement with the engagement client. Consulting
services generally involve two parties:
1. the person or group offering the advice — the internal auditor,
2. the person or group seeking and receiving the advice — the engagement client.
When performing consulting services the internal auditor should maintain
objectivity and not assume management responsibility.
21 Dr. Magdy El Messiry

22. Technology Audit
2. External Audit
External assessments must be conducted at least once every five years by a
qualified, independent reviewer or review team from outside the organization. The
chief audit executive must discuss with the organization board the need for more
frequent external assessments and the qualifications and independence of the
external reviewer or review team, including any potential conflict of interest. A
qualified auditor or auditing team demonstrates competence in two areas: the
professional practice of internal auditing and the external assessment process.
Competence can be demonstrated through a mixture of experience and theoretical
learning. Experience gained in organizations of similar size, complexity, sector or
industry, and technical issues is more valuable than less relevant experience. In the
case of an auditing team, not all members of the team need to have all the
competencies; it is the team as a whole that is qualified. The chief audit executive
uses professional judgment when assessing whether an auditor or auditing team
demonstrates sufficient competence to be qualified. An independent auditor or
auditing team means not having either a real or an apparent conflict of interest and
not being a part of, or under the control of, the organization to which the internal
audit activity belongs.
2.1 Implementation Procedure
A schematic of the steps that are normally followed while carrying out a
technology audit is shown and described below. Partial techniques per step are the
tools used for the proper implementation of the technique.
STEP 1: Desire/Wish to Carry Out Technology Audit
Desire / wish of the organization to carry out technology audit, if the company
initiates the audit, no particular communication tool is used. However, if the
company is approached by the service provider, it should explain: Scope of
initiative, brief description of technique, potential benefits to the organization, and
main characteristics of the consultant / service provider.
STEP 2: Expert to Carry Out Technology Audit
Once common ground has been established between the organization and external
consultant/expert, the next step can follow.
22 Dr. Magdy El Messiry

23. Technology Audit
STEP 3: First Contact/Visit of Expert for Preparation of Audit Plan
On the first contact / visit to the organization for the audit plan preparation the
expert should have:
o a brochure / flow diagram on the steps to follow: list of benefits, list of other
companies that carried out a TA, formal presentation using data show should
help.
o the audit plan which is devised together with top management. It establishes
issues to investigate how to collect data and from whom, in what time span and
at what cost, what is needed from management to successfully carry out the
audit. The local team shares with auditors all documents gathered, as well as
the internal audit report. Together, the auditors, the local audit team, work to
establishing a strategy that will drive this formal audit. All parties agree upon a
schedule/timeframe for the audit. All parties discuss some possible outcome
objectives10. Auditors schedule date(s) for on-site visit(s). Auditors meet with
focus groups and other constituencies, as needed.
STEP 4: Preparatory Work by Expert on Collecting Basic
For preparatory work by expert on collecting basic information on the
organization & the sector for the organization: collection of data from published
information, brochures of company, economic data, employees, products, exports
etc.
For the sector: published data on employment, turnover, trends, markets, on
company's products, introduction / use of new technologies.
A short report on the above findings would be handy and would be another step
into building a trusting relationship with the organization. Auditors study all
documents provided. Auditors schedule an on-site visit and make their
observations. It is a process whereby an in-depth evaluation of some aspect of an
organization is performed, and the results compared with representations made by
that organization. Due attentiveness is particularly important for business
transactions in technology-intensive markets, since there is a much higher risk of
misrepresentation or inappropriate application of emerging technologies. It is often
23 Dr. Magdy El Messiry

24. Technology Audit
difficult to find individuals capable of assessing both the technological issues and
their business linkages*. The approach to be followed must be planned and agreed
upon. The process must include the selection of team members from the
organization who will participate11. The team must be multidisciplinary, and
include both business and technical experts familiar with the areas under
investigation. If staff expertise is lacking in a particular area, engage the services of
experts in that field. Depending on the results of the preliminary visits, different
approaches may be necessary for each organization12.
STEP 5: GENERAL SHORT DIAGNOSES
General short diagnosis use is made of a questionnaire, either in hard copy or
electronic, which should cover the following main points 13;
ORGANIZATION
Company information, strategy, development planning.
HUMAN RESOURCES
Capabilities, needs, strengths, weaknesses, training, performance, rewards.
TECHNOLOGICAL CAPABILITY
Technological resources, know how, assessment of technological level,
implementation of information technologies, new technologies.
TECHNOLOGICAL INNOVATION
Product development, procedures, new products - number - timeframe, research
and development (in house or external), resources allocated, areas of interest,
sources of acquiring technology.
INNOVATION CAPABILITY
Innovations introduced barriers to innovation, technology watch / searching /
technology diffusion, involvement in R&D joint projects.
24 Dr. Magdy El Messiry

25. Technology Audit
PRODUCTS
Products / markets, production organization and management, production
equipment, walk through shop floor.
COOPERATION NETWORKING
With other companies / local abroad, with technology providers / sources,
participation in R&D programs.
TECHNOLOGICAL NEEDS
Demands for services / equipment / quality improvement, new technologies, access
to information / technology diffusion.
QUALITY
Quality control, products - raw materials, standards, relations with customers /
suppliers.
MARKETING
Markets, local/abroad, marketing plan / strategy.
ENVIRONMENT
Awareness / problems / needs.
STEP 6: DATA ANALYSIS BY EXPERT, REPORT ON FIRST DIAGNOSIS
Data analysis by the expert report on first diagnosis should be brief and should
contain:
- Executive summary
- Overview of company / activities (good for signposting to networks, etc.)
- Overview of sectors / markets
- Synthesis on: Strengths / weaknesses / opportunities / threats identified
25 Dr. Magdy El Messiry

26. Technology Audit
- Potential suggestions (especially if the audit stops at this point) for resolving
problems and exploiting strengths & opportunities, mainly by indicating routes for
solutions with an action plan, isolation of specific areas / departments for further
diagnosis, proposal with justification.
STEP 7: PRESENTATION OF FIRST DIAGNOSIS REPORT TO GENERAL MANAGER AND
COMPANY MANAGEMENT
Presentation of first diagnosis report to General Manager and company management is
done with the handing out some time earlier of a hard copy of the report, the
main findings, and the finalization on whether to continue for further diagnosis and
the agreement on the subject(s) to analyze is also performed here.
STEP 8: ADDITIONAL VISITS/INTERVIEWS TO DEPARTMENT HEADS
Entail an in-depth investigation of key areas of the organization being assessed. A
full due diligence audit of an external company can take up to a week at a small
single-site company with a technical staff of 50 or less, several weeks at larger
companies with a localized development team, and even longer examining a larger
company with geographically distributed development teams.
26 Dr. Magdy El Messiry

27. Technology Audit
Obviously, the relationship between company size and inspection effort is non-
linear. This is because a certain set of core elements, such as policies and
procedures, business plans, and infrastructure standards are centrally located.
Typical areas and themes that could be covered with either specific subject tools or
in a less structured way (if done by a specialist) could be:
(a) Quality
· Policy – goals – personnel involvement – training;
· Process quality – monitoring and control systems – handling – storage –packaging;
· Keeping of records/use of results;
· Product quality – raw materials quality control – product quality control;
· ISO issues – presentation – benefits.
27 Dr. Magdy El Messiry

28. Technology Audit
QUALTY
Figure (5) Quality Control Cycle
(b) Human resources
· Skills – availability;
· Satisfaction – rewards;
· Meetings – awareness of company activities/products;
· Team working/project management;
· Continuing education/training;
· Promotion – evolution – record.
(c) Research and development – Product development
· Research and development strategy/partners;
28 Dr. Magdy El Messiry

29. Technology Audit
· Product mix/product lifecycle analysis ;
· Analysis of procedures for new product development;
· Analysis of research and development activities;
· Participation in research and development projects;
· Focus on specific research and development area – identification of potential technology
suppliers.
Figure (4) Steps of Product Development throughout R&D
29 Dr. Magdy El Messiry

30. Technology Audit
(d) Production operation
· Walk through production facilities – bottlenecks – problem areas;
· Material flow – flow diagram;
· Overview of system automation/needs – opportunities;
· Floor and product safety;
· Maintenance – procedures – planning – problems;
· Analysis of productivity.
(e) Marketing/sales
· Existence/analysis of marketing plan;
· Strategy – market share/local – exports;
· Competitors analysis/sector analysis/opportunities – threats;
· Distribution networks – problems;
· Use of information technologies for sales/e-commerce – Internetwww.urenio.org.
STEP 9: FINAL REPORT OF THE TECHNOLOGY AUDIT COMPILED BY THE EXPERTS
Final report of the technology audit, as given in Figure (6), compiled by the experts
should contain the following*:
• Executive summary
• Summary of results from first part diagnosis
• Subject(s) analyzed in second part
• Methodology used for analysis
• Problems identified
30 Dr. Magdy El Messiry

31. Technology Audit
• Solutions proposed
• Actions to be taken (action plan)
Figure (6) Technology Audit Final Report Contents
31 Dr. Magdy El Messiry

32. Technology Audit
The action plan
Should be:
a) Specific to the subject
b) With a time frame
c) With determined milestones
d) With an estimated budget
e) With the listing of expected results
f) With identification of potential problem solvers (technology or service providers)
g) With indications about provisional funding for implementing the solutions
(e.g. national and / or international R&D programs)
h) An implementation monitoring schedule, possibly to be done by the service provider.
The action plan should be specific to the subject, with a timeframe, with determined
milestones and with an estimated budget. The action plan must list the expected
results, identify potential problem solvers (technology or service providers) and
indicate provisional funding for implementing the solutions. An implementation,
monitoring-schedule must be done by the technology auditor in conjunction with a
project manager.
STEP 10: PRESENTATION OF REPORT BY EXPERT TO COMPANY MANAGEMENT
At step 10 the report by the technology auditor to the organization must discuss
issues identified, solutions proposed, the proposed action plan and the monitoring
system that will be used.
The systematic audit program includes initiating the audit, preparing for on-site
audit, conducting on site audit, report preparation and follow-up activities. The
follow-up activities in this context are the improvements activities result from the
audit finding. Figure (7) shows the stages of audit program management.
32 Dr. Magdy El Messiry

33. Technology Audit
Figure (7) Audit Program Management http://www.efrcertification.com/Attachment/ICQR65.pdf
2.3. Continuous Auditing
Continuous auditing is:
"A methodology that enables independent auditors to provide written assurance on
a subject matter using a series of auditors' reports issued simultaneously with, or a
short period of time after, the occurrence of eve nts underlying the subject matter." 3
A continuous audit relies heavily on information technologies such as broad
bandwidth, web application server technology, web scripting solutions and
everywhere database management systems with standard connectivity.
Open database architecture empowers auditors to monitor a company's systems
over the Internet using sensors and digital agents. Incongruities between the
records and the rules defined in the digital agents are transmitted via e-mail to the
client and the auditor. For example, a digital agent performing analytical
procedures on the accounts receivable would e-mail the auditor a huge outstanding
33 Dr. Magdy El Messiry

34. Technology Audit
beyond the receivable parameters defined in the digital agent. Once an account
trigger has occurred, the digital agent would move to the transactional level to
verify the authenticity of the sale by seeking an e-mail of the sale organization and
acceptance of the goods/service by the customer.
The audit routine described above is done electronically and automatically on a
real-time basis as a part of continuous monitoring. Continuous audit takes off after
this when an auditor, empowered with data, carries out independent investigation
and collects corroborative evidence to arrive at his/her own deductions.
34 Dr. Magdy El Messiry

35. Technology Audit
Figure (8) Steps of
Implementing
Continuous Audit
.
35 Dr. Magdy El Messiry

36. Technology Audit
2.3.1. KEY STEPS TO IMPLEMENTING CONTINUOUS AUDITING
Once the issues above are understood by managers and auditors alike, the
organization will be in a better position to begin using continuous auditing.
Generally, the implementation of continuous auditing consists of six procedural
steps, demonstrated in Figure (8), which are usually administered by a continuous
audit manager. Knowing about these steps will enable auditors to better monitor
the continuous audit process and provide recommendations for its improvement, if
needed. These steps include:
1. Establishing priority areas.
2. Identifying monitoring and continuous audit rules.
3. Determining the process' frequency.
4. Configuring continuous audit parameters.
5. Following up.
6. Communicating results.
Below is a description of each.
1. Establishing Priority Areas
The activity of choosing which organizational areas to audit should be integrated
as part of the internal audit annual plan and the company's risk management
program. Many Internal Audit Departments also integrate and coordinate with
other compliance plans and activities, if applicable. (Steps 2-6 below are applicable
to all of the priority areas and processes being monitoring as part of the continuous
audit program.)
Typically, when deciding priority areas to continuously audit, internal auditors and
managers should:
 Identify the critical business processes that need to be audited by breaking
down and rating risk areas.
 Understand the availability of continuous audit data for those risk areas.
 Evaluate the costs and benefits of implementing a continuous audit process
for a particular risk area.
 Consider the corporate ramifications of continuously auditing the particular
area or function.
36 Dr. Magdy El Messiry

37. Technology Audit
 Choose early applications to audit where rapid demonstration of results
might be of great value to the organization. Long extended efforts tend to
decrease support for continuous auditing.
 Once a demonstration project is successfully completed, negotiate with
different auditors and internal audit areas, if needed, so that a longer term
implementation plan is implemented.
When performing the actions listed above, auditors need to consider the key
objectives from each audit procedure. Objectives can be classified as one of four
types: detective, deterrent (also known as preventive), financial, and compliance. A
particular audit priority area may satisfy any one of these four objectives. For
instance, it is not uncommon for an audit procedure that is put in place for
preventive purposes to be reconfigured as a detective control once the audited
activity's incidence of compliance failure decreases.
2. Monitoring and Continuous Audit Rules
The second step consists of determining the rules or analytics that will guide the
continuous audit activity, which need to be programmed, repeated frequently, and
reconfigured when needed. For example, banks can monitor all checking accounts
nightly by extracting files that meet the criterion of having a debt balance that is 20
percent larger than the loan threshold and in which the balance is more than US
$1,000.
In addition, monitoring and audit rules must take into consideration legal and
environmental issues, as well as the objectives of the particular process. For
instance, how quickly a management response is provided once an activity is
flagged may depend on the speed of the clearance process (i.e., the environment)
while the activity's overall monitoring approach may depend on the enforceability
of legal actions and existing compliance requirements.
3. Determining the Process' Frequency
Although the process is called continuous auditing, the word continuous is in the
eye of the beholder. Auditors need to consider the natural rhythm of the process
being audited, including the timing of computer and business processes as well as
the timing and availability of auditors trained or with experience in continuous
auditing. For instance, although increased testing frequency has substantial
benefits, extracting, processing, and following up on testing results might increase
the costs of the continuous audit activity. Therefore, the cost-benefit ratio of
continuously auditing a particular area must be considered prior to its monitoring.
37 Dr. Magdy El Messiry

38. Technology Audit
Furthermore, other tools used by the manager of the continuous audit function
include an audit control panel in which frequency and parameter variations can be
activated. Hence, the nature of other continuous audit objectives, such as
deterrence or prevention, may determine their frequency and variation.
4. Configuring Continuous Audit Parameters
Rules used in each audit area need to be configured before the continuous audit
procedure (CAP) is implemented. In addition, the frequency of each parameter
might need to be changed after its initial setup based on changes stemming from
the activity being audited. Hence, rules, initial parameters, and the activity's
frequency ― also a special type of parameter ― should be defined before the
continuous audit process begins and reconfigured based on the activity's
monitoring results.
When defining a CAP, auditors should consider the cost benefits of error detection
and audit and management follow-up activities. For instance, in the example of the
bank described earlier, the excess threshold of US $1,000 could lead to a number
of false negatives (e.g., values that were ignored when the balance was smaller
than US $1,000 but were identified as representing a problem) and a number of
false positives (e.g., values with balances above US $1,000 that were flagged but
were accurate). If the threshold is increased to US $2,000, there will be an increase
in false negatives and a decrease in false positives. Because follow up costs would
go up as the number of false positives increases and the presence of false negatives
may lead to high operational costs for the organization, internal auditors should
regularly reevaluate if error detection and follow-up activities need to be
continued, reconfigured, temporarily halted, or used on an ad hoc basis.
Furthermore, the stratification of audited data into sub-groups allows organizations
to better monitor the activity and reconfigure any parameters (e.g., auditors will be
notified when balances larger than 20 percent of the debt remain that are also
larger than US $5,000). However, the more complex the rule and its conditional
components, the more parameters that must be examined, monitored, and
sometimes reconfigured.
5. Following Up
Another type of parameter relates to the treatment of alarms and detected errors.
Questions such as who will receive the alarm (e.g., line managers, internal
auditors, or both ― usually the alarm is sent to the process manager, the manager's
immediate supervisor, or the auditor in charge of that CAP) and when the follow-
38 Dr. Magdy El Messiry

39. Technology Audit
up activity must be completed, need to be addressed when establishing the
continuous audit process.
Additional follow-up procedures that should be performed as part of the
continuous audit activity include reconciling the alarm prior to following up by
looking at alternate sources of data and waiting for similar alarms to occur before
following up or performing established escalation guidelines. For instance, the
person receiving the alarm might wait to follow up on the issue if the alarm is
purely educational (i.e., the alarm verifies compliance but has no adverse economic
implications), there are no resources available for evaluation, or the area identified
is a low benefit area that is mainly targeted for deterrence.
6. Communicating Results
A final item to be considered is how to communicate with auditors. When
informing auditors of continuous audit activity results, it is important for the
exchange to be independent and consistent. For instance, if multiple system alarms
are issued and distributed to several auditors, it is crucial that steps 1-5 take place
prior to the communication exchange and that detailed guidelines for individual
factor considerations exist. In addition, the development and implementation of
communication guidelines and follow-up procedures must consider the risk of
collusion. Much of the work on fraud indicates that the majority of fraud is
collusive and can be performed by an internal or external party. For example, in
the case of dormant accounts, both the clerk that moves money and the manager
that receives the follow-up money may be in collusion since the manager's key
may have to be used for certain transactions.
ADDITIONAL CONSIDERATIONS
Besides the six steps described in the previous section, two additional issues that
emerge when implementing continuous auditing are the infrastructure needed for
the process to work and its impact on the workplace.
Organizational Infrastructure
Because continuous auditing is a part of the company's audit function, it must be
kept independent of management. Therefore, during the planning stages, auditors
need to keep in mind the process' independence when designing its structure. For
instance, a typical Internal Audit Departments structured so that areas of the
department focus on different cycles or business activities. In addition, the
department may be divided into financial and IT audit functions.
39 Dr. Magdy El Messiry

40. Technology Audit
Sometimes, however, IT audit activities are incorporated as part of existing IT
operations. In organizations such as these, the development of continuous auditing
is usually delayed because the activity may not get the necessary development
priority. Regardless of whether IT audit activities are part of the organization's IT
or Internal Audit Department, the organization must maintain the process'
independence as well as allocate resources in support of continuous audit activities.
Impact on Personnel
In addition, the audit manager in charge of the continuous audit process should
have a more technical understanding of IT as well as extensive experience on the
activities being audited. However, hiring, training, and retaining auditors who can
implement and monitor continuous audit activities might be challenging due to the
scarcity of internal auditors with knowledge in the area. Furthermore, the
continuous audit process might create a daily stream of issues that need to be
resolved, which might prove stressful given current personnel resources, and might
require the continuous audit manager to exert adequate authority in moments of
exceptions.
40 Dr. Magdy El Messiry

41. Technology Audit
CHAPTER 3
PERFORMANCE IN TECHNOLOGY AUDIT
3.1. Introduction
Appointment of Auditor – auditors are usually appointed by the organization
mangers at the administration council meeting.
Terms of Engagement – an engagement letter provides written recognition of the
auditor‘s acceptance of appointment, sets out the scope of the audit plus auditors
and management responsibilities.
Audit Program – sets out the extent and type of audit procedures. Auditors work to
internationally agreed auditing standards. Auditors start by gaining an
understanding of the organization‘s activities. For each major activity listed in the
financial statements, auditors identify and assess risks that could have a significant
impact on the financial position or performance.
41 Dr. Magdy El Messiry

42. Technology Audit
Detailed Examination – auditors perform testing and obtain evidence to satisfy the
requirements of the audit program. Testing may include compliance with the
organization‘s accounting policies, examining accounting records and verifying the
existence of tangible items such as plant and equipment.
Audit Report – contains the audit opinion on the financial report and basis of that
opinion. The scope of the audit plus auditors and management responsibilities are
also restated. The external auditor should maintain independence from
management and directors so that the tests and judgments are made objectively.
Auditors discuss the scope of the audit work with the organization. Auditors
determine the type and extent of the audit procedures they will perform depending
on the risks and controls they have identified. Auditors form an opinion on the
information in the final report. However, the external auditor should not look at
every transaction carried out by the organization, test the adequacy of all of the
organization‘s internal controls, identify all possible irregularities, audit other
information provided to the members of the organization – e.g. the directors‘
report. Figure (9) gives the flowchart of the external audit.
42 Dr. Magdy El Messiry

43. Technology Audit
Figure (9) Flowchart of the external audit Source: www.urenio.org
43 Dr. Magdy El Messiry

44. Technology Audit
3.2. Audit team roles and responsibilities
An audit may be conducted by a single lead auditor or by an audit team consisting
of a lead auditor, one or more auditors and/or a technical adviser. The National
Code of Practice for Auditors and Technical Advisers describe the conditions that
an auditor and technical adviser must adhere to when fulfilling their roles during
audits.
Lead Auditor
The role of the lead auditor, demonstrated in Figure (10), is to:
• Confirm the scope of the audit with the registering body
• Contact the applicant and make an appointment for the audit
• Identify and confirm resources (including audit team members and audit
documentation) required to conduct the audit
• Review documentation and develop a plan and schedule for the audit in
conjunction with the applicant and then confirm these arrangements
• Brief the audit team
• Conduct the opening meeting
• Identify and gather information
• Manage audit team resources by ensuring that there is effective communication
between the members of the audit team, and by working with the applicant‘s
representative to ensure that auditors and technical experts have access to the
materials, sites and personnel they require
• Coordinate the audit findings by meeting with the audit team to synthesize the
evidence collected
• Prepare the audit report with support from the audit team
• Conduct the feedback session with the applicant and confirm follow-up
• Provide information to the applicant about the complaints process and follow-up
action required
• Provide feedback to the audit team.
44 Dr. Magdy El Messiry

45. Technology Audit
Figure (10) Duties of Leader of Auditor Team
Auditors
The role of an auditor, as shown in Figure (11), is to:
• Participate in the opening meeting
• Identify and gather information
• Analyses information
• Evaluate information
• Report findings
• Participate in the feedback session
• Undertake other duties as requested by the lead auditor.
45 Dr. Magdy El Messiry

46. Technology Audit
Figure (11) Role of Auditor
To understand better how a comprehensive, effective technology audit works, the
process can be broken down into its various phases in order to draw a comparison
between the audit process and the activities associated with organization
accreditation. Accreditation visit to occur can be segmented into three phases:
1) Getting ready;
2) On-site visit;
3) Results & follow up.
The greatest quantity of work occurs during the first phase. Therefore, the three
phases will be examined accordingly.
46 Dr. Magdy El Messiry

47. Technology Audit
Phase One: Pre-Audit
Whether the technology audit has been triggered by the organization internal desire
to assess its accountability or whether the impetus has come from outside the
organization, the initial phase is the same. The organization must get ready for the
audit. Thus, this phase is sometimes called the ―pre-audit‖ stage. At a macro level,
the organization might want to establish a set of systems that can be put in place to
make auditors time more valuable, more efficient. Auditor may want to form a
group of teams to perform specific functions; a physical location may be specified
as a ―gathering point‖ for evidentiary documents; a series of focus group meetings
should be scheduled so organization leaders can encourage employees and
community members to voice their opinions and give their perspectives regarding
the organization‘s status; to create a system where all the hard work of engaged
people, the data and reports auditor collect, and the supporting systems can be
perpetuated.
Enrolling team members - To make your technology audit a success, it is essential
to have high-quality teams. The teams will be made up of the specialized members.
The team leaders will ensure a strong and fluid cooperation among teams, all
working on a common end goal. Team building is a significant activity. All
organization leaders realize this fully. Best leaders who build and grow the best
teams so they will accomplish the best results.
The auditor team leader may clarify with organization employees by explaining to
them that a technology audit is coming and he wants to obtain their very best
thinking about some strategies that will assure success for the organization. During
this meeting, the auditor might want to engage in a simple brain storming activity,
asking everyone to call out, as fast as they can, all the areas where is the use of
technologies in the organization. Team leader might ask them to be frank and
candid in their comments, and then ask them to pinpoint areas where they perceive
that improvements could be made. If/when they mention some examples, the
auditor asks for substantiating evidence that may give the clues to other things
needing. The team leader tries to imagine how the auditors will see things/look at
things through their eyes. What would the auditors do? What would they say?
What would they seek? How would they interpret what you give them? What
would they recommend? As the leader and the team of advisors go through these
considerations, they will have prepared themselves well for what lies ahead, and
47 Dr. Magdy El Messiry

48. Technology Audit
will no longer fear the technology audit, or consider it as a negative event. Rather,
they will see this as a profoundly important opportunity to engage in systemic
improvement, as well as great improvement at the individual level.
Phase Two: On-Site Visit
The time has come finally when auditors arrive at the organization and are
examining both the reports (data, information, and evidence) and the actual reality
of technology integration. This guideline is intended to help auditors conduct more
focused reviews of technology acquisitions by enabling them to quickly identify
significant areas of risk. Using these guidelines will help auditors identify critical
factors not addressed by management, make a general evaluation of any
procurement risks, and provide rapid feedback to agency officials so they can take
corrective action in a timely and efficient manner. Use of the guidelines should be
selectively tailored to the requirements of particular reviews and adapted to the
status of the acquisition. Auditors will need to exercise professional judgment in
assessing the significance of audit results or findings. Professional judgment is
necessary to evaluate this information and determine if the agency conducted an
adequate requirements analysis.
There are five tasks within the audit process area:
1. Develop and implement a risk-based audit strategy for the organization in
compliance with audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected
and controlled.
3. Conduct audits in accordance with audit standards, guidelines and best
practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key
stakeholders.
5. Advise on the implementation of risk management and control practices
within the organization while maintaining independence.
48 Dr. Magdy El Messiry

49. Technology Audit
3.3. Audit planning
Audit planning consists of both short- and long-term planning, demonstrated in
Figure (12). Short-term planning takes into account audit issues that will be
covered during the year, whereas long-term planning relates to audit plans that will
take into account risk-related issues regarding changes in the organization‘s
technology strategic direction that will affect the organization‘s technology
environment. Analysis of short- and long-term issues should occur at least
annually.
Figure (12) Types of Audit Planning
49 Dr. Magdy El Messiry

50. Technology Audit
Figure (13) Perform Audit Planning Steps
This is necessary to take into account new control issues, changing technologies,
changing business processes and enhanced evaluation techniques. The results of
this analysis for planning future audit activities should be reviewed by senior
management, approved by the audit committee, if available, or alternatively by the
Board of Directors, and communicated to relevant levels of management. In
addition to overall annual planning, each individual audit assignment must be
adequately planned. The auditor should understand that other considerations, such
as risk assessment by management, privacy issues and regulatory requirements,
may impact the overall approach to the audit. The auditor should also take into
consideration system implementation/upgrade deadlines, current and future
technologies, requirements of business process owners, and resource limitations.
When planning an audit, the auditor must have an understanding of the overall
environment under review. This should include a general understanding of the
various business practices and functions relating to the audit subject, as well as the
types of information systems and technology supporting the activity.
To perform audit planning which is shown in Figure (13), the auditor should
perform the following steps in this order:
• Gain an understanding of the business‘s mission, objectives, purpose and
processes, which include information and processing requirements, such as
availability, integrity, security and business technology.
50 Dr. Magdy El Messiry

51. Technology Audit
• Identify stated contents, such as policies, standards and required guidelines,
procedures, and organization structure.
• Evaluate risk assessment and any privacy impact analysis carried out by
management.
• Perform a risk analysis.
• Conduct an internal control review.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Assign personnel resources to the audit and address engagement logistics.
• Audit planning
– Short-term planning
– Long-term planning
– Things to consider
• New control issues
• Changing technologies
• Changing business processes
• Enhanced evaluation techniques
• Individual audit planning
– Understanding of overall environment
• Business practices and functions
• Information systems and technology
3.4. Road Map for the External Audit Team Audit Leader
The following are steps that the Team audit leader would perform to determine an
organization‘s level of compliance with external requirements:
• Identify those government or other relevant external requirements dealing with:
– Electronic data, copyrights, e-commerce, e-signatures, etc.
51 Dr. Magdy El Messiry

52. Technology Audit
– Computer system practices and controls
– The manner in which computers, programs and data are stored
– The organization or the activities of the information services
• Document applicable laws and regulations
• Assess whether the management of the organization and the information systems
function have considered the relevant external requirements in making plans and in
setting policies, standards and procedures
• Review internal information systems department/function/activity documents that
address adherence to laws applicable to the industry
• Determine adherence to establishing procedures that address these requirements.
3.5. Notes to the Auditor
Auditor will not ask about any specific laws or regulations, but may question
about how one would audit for compliance with laws and regulations.
Auditor should be aware that it is important that the auditor understands the
relationships of control objectives and controls; control objectives and audit
objectives; criteria and sufficiency and competency of evidence; and audit
objective, criteria and audit procedures. Strong understanding of these elements is
a key for the auditor‘s performance.
Auditor is the importance of setting legal advice. There are two key aspects that
control needs to address, what the auditor should to achieve and what to avoid.
Auditor addresses not only to internal controls business/operational objectives,
but need to address undesired events through preventing, detecting, and correcting
undesired events. Types of control;
• Internal accounting controls - Primarily directed at accounting operations, such as
the safeguarding of assets and the reliability of financial records
52 Dr. Magdy El Messiry

53. Technology Audit
• Operational controls - Directed at the day-to-day operations, functions and
activities to ensure that the operation is meeting the business objectives
• Administrative controls - Concerned with operational efficiency in a functional
area and adherence to management policies including operational controls. These
can be described as supporting the operational controls specifically concerned with
operating efficiency and adherence to organizational policy.
Figure (14) Elements to Development of Internal Control Manual
3.6. Control objectives
Every organization needs to have a sound internal control in place to keep the
organization on course toward profitability goals and achievement of its mission,
to minimize surprises along the way and to be able to realize its opportunities.
Elements to Development of Internal Control Manual are illustrated in Figure (14).
53 Dr. Magdy El Messiry

54. Technology Audit
The importance of internal control has been further heightened by the increasing
attention given to corporate governance, of which internal control is now
considered to be vital element. Sound practices of internal control and risk
management enable management to deal with rapidly changing economic and
competitive environments, shifting customer demands and priorities, and
restructuring for future growth. Internal controls and risk management promote
efficiency, reduce risk of asset loss, and help ensure the reliability of financial
statements38.
It consists of the following;
• Safeguarding of information technology assets
• Compliance to corporate policies or legal requirements
• Authorization/input
• Accuracy and completeness of processing of transactions
• Output
• Reliability of process
• Backup/recovery
• Efficiency and economy of operations.
Controls are generally categorized into 3 major classifications:
Preventive: These controls are to deter problems before they arise.
Detective: Controls that detect and report the occurrence of an error, omission or
malicious act.
Corrective: These controls minimize the impact of a threat, remedy problems
discovered by detective controls, and identify the cause of a problem.
Internal control objectives - Apply to all areas, whether manual or automated.
Therefore, conceptually, control objectives in an information systems environment
54 Dr. Magdy El Messiry

55. Technology Audit
remain unchanged from those of a manual environment. However, control features
may be different. Thus, internal control objectives need to be addressed in a
manner specific to related processes.
Figure (15) Internal Control Pyramid http://www-audits.admin.uillinois.edu/ICT/ICT-summary.html
Internal Control is a process within an organization designed to provide
reasonable assurance:
 That information is reliable, accurate, and timely.
 Of compliance with policies, plans, procedures, laws, regulations, and
contracts.
 That assets (including people) are safeguarded.
 Of the most economical and efficient use of resources.
 That overall established objectives and goals are met.
Internal controls are intended to prevent errors or irregularities, identify problems,
and ensure that corrective action is taken.
Figure (15) illustrates the internal control pyramid and the information and
communication path.
55 Dr. Magdy El Messiry

56. Technology Audit
CHAPTER 4
SWOT ANALYSIS
4.1 Introduction
SWOT Analysis is a business tool by which, a firm wishing to implement a
strategic analysis, analyses and recognizes it‘s corporate Strengths and Weaknesses
as well as the existed or forthcoming Opportunities and Threats from its external
environment.
Only when these four critical information elements are well elaborated and known,
the enterprise is able to formulate and implement the strategy leading to its
business aims.
4.2. The Need for SWOT Analysis
The SWOT Analysis is an extremely useful tool for understanding and decision-
making for all sorts of situations in business and organizations. SWOT Analysis is
a very effective way of identifying your Strengths and Weaknesses, and of
examining the Opportunities and Threats you face. Carrying out an analysis using
the SWOT framework helps you to focus your activities into areas where you are
strong and where the greatest opportunities lie. By creating a SWOT Analysis, you
can see all the important factors affecting your business together in one place. It‘s
easy to create, easy to read, and easy to communicate.
56 Dr. Magdy El Messiry

57. Technology Audit
Figure (16) SWOT Analysis Framework14
4.3. Limitations of SWOT Analysis
SWOT Analysis is not free from its limitations*. It may cause organizations to
view circumstances as very simple because of which the organizations might
overlook certain key strategic contact which may occur. Moreover, categorizing
aspects as strengths, weaknesses, opportunities and threats might be very
subjective as there is great degree of uncertainty in market. SWOT Analysis does
stress upon the significance of these four aspects, but it does not tell how an
organization can identify these aspects for itself.
There are certain limitations of SWOT Analysis which are not in control of
management. These include:
a. Price increase;
b. Inputs/raw materials;
c. Government legislation;
d. Economic environment;
e. Searching a new market for the product which is not having overseas
57 Dr. Magdy El Messiry

58. Technology Audit
market due to import restrictions; etc.
Internal limitations may include:
a. Insufficient research and development facilities;
b. Faulty products due to poor quality control;
c. Poor industrial relations;
d. Lack of skilled and efficient labor; etc
The SWOT Analysis is an extremely useful tool for understanding and
decision-making for all sorts of situations in business and organizations. A
company can use the SWOT Analysis while developing a strategic plan or
planning a solution to a problem that takes into consideration many different
internal and external factors, and maximizes the potential of the strengths and
opportunities while minimizing the impact of the weaknesses and threats
4.4. SWOT Analysis Framework
Action checklist
1. Establishing the objectives
The first key step in any project is to be clear about what you are doing and why.
The purpose of conducting SWOT Analysis may be wide or narrow, general or
specific.
2. Allocate research and information-gathering tasks. Background preparation is a
vital stage for the subsequent analysis to be effective, and should be divided
among the SWOT participants. This preparation can be carried out in two stages:
 Exploratory, followed by data collection.
 Detailed, followed by a focused analysis. Gathering information on
58 Dr. Magdy El Messiry

59. Technology Audit
Strengths and Weaknesses should focus on the internal factors of skills,
resources and assets, or lack of them. Gathering information on
Opportunities and Threats should focus on the external factors.
3. Create a workshop environment
If compiling and recording the SWOT lists takes place in meetings, then do
exploit the benefits of workshop sessions. Encourage an atmosphere conducive to
the free flow of information and to participants saying what they feel to be
appropriate, free from blame. The leader/facilitator has a key role and should
allow time for free flow of thought, but not too much. Half an hour is often
enough to spend on Strengths, for example, before moving on. It is important to
be specific, evaluative and analytical at the stage of compiling and recording the
SWOT lists.
4. List Strengths, Weaknesses, Opportunities, Threats in the SWOT Matrix
5. Evaluate listed ideas against objectives.
With the lists compiled, sort and group facts and ideas in relation to the
objectives. It may be necessary for the SWOT participants to select from the list
in order to gain a wider view.
The SWOT Analysis template is normally presented as a grid, comprising four
sections, one for each of the SWOT headings: Strengths, Weaknesses,
Opportunities, and Threats. The SWOT template given in Chapter 5 includes
sample questions, whose answers are inserted into the relevant section of the
SWOT grid. The questions are examples, or discussion points, and obviously can
be altered depending on the subject of the SWOT Analysis.
59 Dr. Magdy El Messiry

60. Technology Audit
Figure (17 ) SWOT Analysis Framework
60 Dr. Magdy El Messiry

61. Technology Audit
CHAPTER 5
EXAMPLE OF FORMATION OF SWOT MATRIX PARAMETERS
Figure (18) SWOT Matrix Environment Analysis
5.1 Introduction
The analysis of the company situation starts by defining the strength, weakness,
opportunities and threats. Table below shows some common parameters which
may be considered.
61 Dr. Magdy El Messiry

62. Technology Audit
Strengths Weaknesses
 Advantages of proposition?  Disadvantages of proposition?
 Capabilities?  Gaps in capabilities?
 Competitive advantages?  Lack of competitive strength?
 USP's (unique selling points)?  Reputation, presence and reach?
 Resources, Assets, People?  Financials?
 Experience, knowledge, data?  Own known vulnerabilities?
 Financial reserves, likely returns?  Timescales deadlines and
 Marketing - reach, distribution, pressures?
awareness?  Cash flow, start-up cash-drain?
 Innovative aspects?  Continuity, supply chain
 Location and geographical? robustness?
 Price, value, quality?  Effects on core activities,
distraction?
 Accreditations, qualifications,
certifications?  Reliability of data, plan
predictability?
 Processes, systems, IT,
communications?  Moral, commitment, leadership?
 Cultural, attitudinal, behavioral?  Accreditations, etc?
 Management cover, succession?  Processes and systems, etc?
 Management cover, succession?
62 Dr. Magdy El Messiry

63. Technology Audit
Opportunities Threats
 Market developments?  Political effects?
 Competitors' vulnerabilities?  Legislative effects?
 Industry or lifestyle trends?  Environmental effects?
 Technology development and  IT developments?
innovation?  Competitor intentions - various?
 Global influences?  Market demand?
 New markets, vertical, horizontal?  New technologies, services,
 Niche target markets? ideas?
 Geographical, export, import?  Vital contracts and partners?
 Tactics - surprise, major  Sustaining internal capabilities?
contracts, etc?  Obstacles faced?
 Business and product  Insurmountable weaknesses?
development?
 Loss of key staff?
 Information and research?
 Sustainable financial backing?
 Partnerships, agencies,
distribution?  Economy - home, abroad?
 Volumes, production, economies?  Seasonality, weather effects?
 Seasonal, weather, fashion
influences?
successful SWOT Analysis
63 Dr. Magdy El Messiry

64. Technology Audit
5.2. Tips for Design Your SWOT Analysis
For the successes of the SWOT Analysis some constrictions depending on the
environment of the origination should be taken into consideration.
Following are some tips 15for the auditors;
Top Tips But remember …
1 Never copy an existing SWOT Analysis; it will You could use a standard
influence your thinking. Start with a fresh template to help the ideas flow
piece of paper every time
2 Set aside enough time to complete it You may need to come back to
it several times before you are
happy
3 The SWOT Analysis itself is NOT the result. Before you begin any analysis,
It‘s only a tool to help you analyze your you should know what you
business intend to do with the results
4 A SWOT Analysis is not a business school fad. You need to be comfortable
It is a proven technique used throughout the working with it in your
business community business
5 Keep your SWOT Analysis simple, readable, It needs to make sense to
short and sharp outsiders (e.g. bank managers
or investors) so don’t use
phrases or acronyms that only
you understand
6 Make sure you create an action plan based on You need to communicate this
your SWOT Analysis clearly to everyone involved
7 A SWOT Analysis only gives you insight at a You need to review it –
single point in time probably quarterly – to see
how the situation has changed
8 Don‘t over-analyze. Try not to worry if it isn‘t If you are going to act on the
perfect, just get the analysis done results, it needs to be accurate
64 Dr. Magdy El Messiry

65. Technology Audit
in all the important areas
The role of SWOT Analysis is to take the information from the environmental
analysis and separate it into internal issues (strengths and weaknesses) and external
issues (opportunities and threats). Once this is completed, SWOT Analysis
determines if the information indicates something that will assist the firm in
accomplishing its objectives (a strength or opportunity), or if it indicates an
obstacle that must be overcome or minimized to achieve desired results (weakness
or threat). When doing SWOT Analysis, remember that the S and W are
INTERNAL and the O and T are external.
Figure(19) http://www.taygro.co.za/aboutus.html
65 Dr. Magdy El Messiry

66. Technology Audit
CHAPTER 5
PRACTICAL EXAMPLES OF SWOT ANALYSIS
5.1. Health centers
Subject of SWOT Analysis example: the achievement of a health centers mission.
The scenario is based on the SWOT Analysis 17, which has been performed by a
health centre in order to determine the forces that promoted or hindered the
achievement of its mission.
Starting position of the health centre:
 The staff lack of motivation
 The building was really small
 The facility was old
 There was a lot of paper work and bureaucracy
Those characteristics resulted in this health centre facing up to a lot of problems
with the accommodation of the patients. Moreover, the establishing of a new
advanced hospital in the city made the situation even worse. Therefore, they
decided to perform a SWOT Analysis in order to execute the best decision-making
for all the problems that they faced.
Step 1: Purpose of conducting SWOT Analysis - the achievement of a health
centers mission.
Step 2: The gathering of information on Strengths and Weaknesses focused on the
internal factors of skills, resources and assets, or lack of them. The gathering
information on Opportunities and Threats should focus on the external factors.
66 Dr. Magdy El Messiry

67. Technology Audit
Step 3: The manager of the health centre encouraged all the staff members to
freely express their opinions about what they felt to be appropriate.
Step 4: SWOT matrix
Step 5: After completing the SWOT matrix the SWOT participants had a wider
view of the situation at the centre so they were able to propose the alternatives that
helped considerably in the operation of the health centre.
The alternatives where:
 training of the staff in interactive techniques of quality improvement
 coordination with other providers to cover all user needs
 remodeling of the facility with local government funds and international
help
 cost recovery of drugs and lab supplies with user fees
 payment of incentives to staff based on performance
 review of procedures for decreasing costs and waiting times and increasing
perceived quality.
Strengths: Weaknesses:
 Willingness of staff to change  Staff lack of motivation
 Good location of the health centre  Building was really small
 Perception of quality services  Paper work and bureaucracy
 Cultural differences with users
Opportunities: Threats:
 Support of local government  Low income of users
67 Dr. Magdy El Messiry

68. Technology Audit
 High felt need of users  Bad roads
 Internationally funded projects  Low salaries
 Lack of budget
 Paradigms of providers
 High competition
This strategic analysis and planning
of the health centre had the below results:
 27% increase of patients
 reduction of waiting times to
15minutes
 20% increase of staff performance
 remodeling of the facility
68 Dr. Magdy El Messiry

69. Technology Audit
5.2. University SWOT Analysis
University strengths, weaknesses, opportunities and threats (SWOT Analysis) were
identified by members of University Strategic Goals and Priorities Committee
during a brain storming session. Administrators, faculties, and students reviewed
the analysis and provided input. Background information on the Organization is
opportunities and threats it faces can be useful in considering strategic issues.
The SWOT Analysis was used to develop the attached strategic questions. These
questions and others raised by participants at the workshop will help define
strategic directions important to the university in the next five year.
69 Dr. Magdy El Messiry

70. Technology Audit
SWOT ANALYSIS
Strengths: Weaknesses:
Positive reputation in the external Distinguishing qualities and identity not well
community known
- Positive experience with those who - Operational structure/bureaucracy
interact with the campus - Sluggish responsiveness to student and
- Proactive Partnerships with other community needs
universities, community colleges, and - Fiscal uncertainty
corporations - Lack of pride of internal community
- Past performance - Match between research expectation &
- Many Accredited Programs support
- Successful 6 year graduation rates - High and unequal workloads faculty &
- Faculty and staff support the campus staff
mission - Ability to hire & retain faculty
- Proactive student support - Student preparedness at entrance
- Access to services - Adjusting to pressures of growth
- Faculty involvement with students - Varying perceptions of appropriate
- Student leadership programs proportions of major employee categories
- Learning communities developing to (faculty, staff, and administrators)
enhance learning and student-faculty - Lack of strong, pervasive presence in the
interaction external community
- Campus Characteristics - Limited resources for faculty and staff
- Medium size campus with small class size development
-Facilities include new and well-maintained, - Highly competitive market for diverse
attractive buildings and grounds with faculty and staff
growth potential - Promulgating egalitarianism
- Potential for growth in Turlock and - Reporting perceived as a ritual and
Stockton meaningless
- Friendly and safe - Reporting requirements absorb a large
- Diverse student body, Hispanic Serving percentage of resources
Institution
- Dedicated and Expert faculty
- Campus wide involvement in planning
- Healthy shared governance
- Strong, active external boards
- Residential Campus Development
- Artistic and Cultural Performances
70 Dr. Magdy El Messiry

71. Technology Audit
Opportunities: Threats:
Partnerships in support of university State budget crisis
initiatives - Private, for-profit, and on-line universities¡¦
- Expanded possibilities for the workforce responsiveness to program and student
- Diversity of region (students industry) scheduling demands
- External Community and University - Increase in reporting expected by
relationships government and society
- Interest in academic program expansion - Shift in focus on numerical achievement
- Interest in expansion of cultural activities vs. qualitative achievement
- Interest in University services (Policy - Negative public perception
Center, Bridge, - Development of another university in the
- Growth potential area
- New construction - Societal and student perception of
- Societal trends education as solely a means to a job
- Increased value of higher education - Reporting perceived as a ritual and
completion meaningless
- Growing demand for graduates - Reporting requirements absorb a large
- Match between curricular & societal percentage of resources.
interests - Historical public perceptions/lack of
- Increase demand for mid-career knowledge about higher Education.
redirection and lifelong learning - Historical lack of knowledge.
- Increased interest in global initiatives
- Technological advances
- Partnership opportunities
- Increased focus on higher education
- development of university park
- large student pool
- increased interest in university
connections
71 Dr. Magdy El Messiry

72. Technology Audit
SWOT ANALYSIS OF AUC37
I-Introduction:
SWOT analysis: a method of analyzing an organization‘s competitive situation
that involves assessing organizational strengths (S), weaknesses (W),
environmental opportunities (O), and threats (T).
Both strengths and weaknesses are internal factors, that are subject to change
from within the organization itself. Opportunities and threats are the conditions
within the external environment that affects the organization, such as:
technological, economic, legal-political, sociocultural, and the international
element.
II-SWOT ANALYSIS of AUC:
1-Strengths:
a - Highly qualified full time, and part time faculty.
b - Highly skilled students due to the highly competitive selection in admissions.
c - Advanced technology in the University facilities; optic fiber network, ACS
server, well-equipped engineering, natural sciences, and computer labs (relative to
the Egyptian universities) , and research centers (Desert research center).
d - Distinctive rank in the private universities market in Egypt, in comparison to
other universities,
e - Continuous renovations either in facilities (New campuses in Falaki and New
Cairo), technology, and staff.
f - Well defined managerial policy; well-defined hierarchy.
g - Monopolizing the employment market of some majors, such as: construction
management and industrial engineering, business administration, political science,
and computer science.
h - Private university, accredited by several authorities, such as: the Egyptian
ministry of education, Egyptian Syndicates, ABET (Accreditation Board of
Engineering and Technology), the higher council of universities in Egypt, MSA
(Commission on Higher education of the Middle States Association of colleges and
schools) and AACU (American Association for Colleges and Universities).
i - An integrated modern library, containing books, microfilms, periodicals, and
other documents, arranged on the same model of the Congress library. Moreover,
72 Dr. Magdy El Messiry

73. Technology Audit
the university has a special collection library, which is actually a fortune.
j - Paying great care to social sciences research due to the presence in a good
field for research in the Middle East, and Egypt in specific.
k - The university has a hostel, which serves all the international students.
l - Absence of unemployment among AUC graduates due to the presence of
Career Advising and Placement Service (CAPS office).
m - The university appreciates the extra-curricular activities and encourages them,
and that is what makes AUC graduates different.
2-Weaknesses:
a - High tuition fee, relative to the other private universities in Egypt, and even to
the American state-universities.
b - Unbalanced budget, where about 60% of the budget is composed of money
from tuition, while the rest comes through donations from companies, like Esso,
Shlumberger, Ford foundation, General Electric, USAID, etc.
c - Absence of adequate facilities in the field of graduate research, in
comparison to other American Universities.
d - The absence of an undergraduate research program.
e - Weak image in the Egyptian society (market), because of the claim that AUC
westernizes the Egyptian students.
f - Weak marketing techniques, limited to advertisement in the newspapers.
g - The absence of financing source, other than tuition and donations, like
research centers.
h - Currently before the new campuses end, the university suffers from an un-
limited problem of space, in addition to the parking area around the existing
campuses and the traffic from and to them.
3-Opportunities:
a - Dominating the market of the private universities in Egypt with other
competing universities, like 6th of October Univ., and perhaps the Middle East,
73 Dr. Magdy El Messiry

74. Technology Audit
like AUB and AUD, after the construction of the new campuses.
b - The ability to serve more customers of students in the Under-grad, and Grad.
Levels after building the news campuses (Currently AUC serves 3,584 Under-grad,
and 592 Grad. )
c - Attraction of more foreign students.
d - The chance of finding more financial resources through fundraising, by the
newly appointed President.
e - Establishment of well-equipped campus in Falaki that will serve as an
Engineering faculty that will include electronics engineering.
f - The use of optic fibers network in the new Cairo campus to link all the
university through a powerful link.
g - By strengthening the existence of AUC, the AUCians might get better image
and they might be accepted by the all the categories of the society.
4-Threats:
a - Any expected political conflicts in the Middle East, either between Egypt and
Israel, or Egypt and USA itself, or even like Gulf War. This may drop admissions
to a destructive level. Moreover, the university might have to do without the
American faculty and employees, and most of the university supports might
withdraw their support. Thus the budget might be seriously harmed
b - Any expected security or political problems in Egypt, either like terrorism or
any serious changes in the current regime. The admissions of international students
might drop to a serious level.
c - Competition with other low cost competitors, like 6th October Univ., Misr
International Univ.
d - Increase in the Egyptian cultural persistence, and their refusal of the
AUCians. Thus, AUC image continues to deteriorate.
e - Increase in the number of offered AUC graduates to what the market demands.
Thus unemployment appears among the AUC graduates like any Egyptian
university
f - Failure in the process of fundraising for the construction of the new campuses.
74 Dr. Magdy El Messiry

75. Technology Audit
5.3. Retail Industry SWOT Analysis*
This is an example of a SWOT Analysis for a Retail Business, whilst every effort
has been made to ensure our examples are accurate, their accuracy depends on
where you live in the world and what has changed since they were developed.
You may use our SWOT examples as a guide to indicate what your SWOT might
look like but please do not build a plan based on these examples without validating
their accuracy for your business in your region of the world.
The first of our SWOT Analysis examples is for a retail business, the business was
established by an entrepreneur stocks brand name clothing imported from
manufacturers around the world. The business currently only stocks 3 brands of
men‘s clothing, pitched at the 18 to 28 single young adult.
SWOT Analysis Examples: Strengths
Possible Strengths Response Is it strength?
Tangible Strengths
Consider your assets including Assets are really No
plant and equipment only shop fittings
and stock with two
computers and
software.
Do you have long-term rental 3 + 3 + 3 year lease No, same as our
contracts for your business in major shopping competitors
locations? center, location
within the shop is at
the will of the
center, poor sales
75 Dr. Magdy El Messiry

76. Technology Audit
will result in a shift
to a low foot traffic
location.
Are your products unique or No, stock is the No
market leading? same as our
competitors. We
can pick and choose
what styles to stock.
Have you got sufficient No, we do trade No
financial resources to fund any profitably, but are
changes you would like to not able to fund an
make? expansion to a
larger footprint
store.
Do you have any cost No, rents are all No
advantages over your pretty standard, you
competitors? can save on rent but
loose the foot
traffic, so it is all
relative.
Do you use superior No No
technology in your business?
Is your business high volume? No. We do sell a No
lot, but not as much
as some of the
larger retail stores.
Our product is high
quality, high margin
and low volume in
comparison
76 Dr. Magdy El Messiry

77. Technology Audit
Can your scale up your volume Not really, orders No
if you need to? are placed in
advance, shop size
is restrictive.
Intangible Strengths
Do you have or stock strong Yes, though the Yes
recognizable brands brand space is
becoming cluttered
with more and more
recognizable
brands. Depleting
the value of any one
brand.
Your reputation - are you No. No
considered a market leader? or
experts in you‘re filed?
Do you have good relationship Yes, we have a Yes
with your customers? good connection
(Goodwill) with our customers,
our email list grows
and many
customers advise
they were referred
to us by their mates.
We get a lot of
repeat customers.
Do you have strong Yes, though we are Yes
relationships with your just another
suppliers supplier to them.
We are able to
differentiate from
77 Dr. Magdy El Messiry

78. Technology Audit
our competitors.
We have long term
agreements in place
with some suppliers
to be their sole
representative in
this region.
Do you have a positive Yes, though we No, our
relationship with your only have a few competitors also
employees employees have good
employee
relations
Do you have any unique No, maybe our No
alliances with other territory agreements
businesses? with some
suppliers.
Do you own any patents or No No
proprietary technology?
Do you have a proven Email news letter Yes
advertising process that works with specials and
well? new stock, seems to
work for retaining
customers.
Most new
customers were
attracted to the
shopping complex.
Do you have more experience No No
in your field?
Are you managers highly No No
78 Dr. Magdy El Messiry

79. Technology Audit
experienced?
Do you have superior industry No, though we do No
knowledge? have a good set of
sales skills,
particularly up
selling and forming
relationships.
People feel good
coming by and
seeing us.
Are you involved with industry No No
associations?
Is your business Innovative? No, only in sales No
and relationship
building.
Other Strengths
Current location Current location in No
the center has high
traffic, in an area
with several other
shops targeting the
same market which
draws people to the
area
Our innovation is in Yes
our sales technique
and point of sale
displays
Summary
79 Dr. Magdy El Messiry

80. Technology Audit
The key strengths for the business are
1. Unique brands protected by sole supply agreements
2. Successful relationship marketing, and
3. Innovative sales techniques
SWOT Analysis Examples: Weaknesses
Possible Weaknesses Response Is it a Weakness?
Tangible Weaknesses
Is your plant and N/A N/A
equipment old or
outdated?
Is your product line too Maybe, we only sell a few Maybe
narrow? of brands of men clothing,
we could stock more
accessories, but we don‘t
want to confuse the
customer about what line
of business we are in.
Have you got Yes, we often think about Yes
insufficient financial opening a bigger store, but
resources to fund any the rent would be an issue
changes you would like if we did not get immediate
to make? sales
Do you have a high No No
overall unit cost
relative to your
competitors?
Do you use inferior No No
80 Dr. Magdy El Messiry

81. Technology Audit
technology in your
business?
Do you have low Yes, it may take a few No, all retailers
volume and are weeks to replenish stock, are in the same
restricted in your less early in the season. situation
ability to scale up? But late in the season our
suppliers are often out of
stock of the quick moving
products
Intangible Weaknesses
Do you have a weak or Yes, maybe our shop name Yes
unrecognizable brand? is not a public recognizable
brand but our stock is.
Some of our competitors
are franchise and everyone
knows them
Do you have a weak or No, our shop frontage No
unrecognizable image? tends to draw people in
Do you have a poor or No, we have great No
impersonal relationship relationships with our
with your customers? customers
Do you have a poor No No
relationship with your
suppliers?
Do you have a poor No No
relationship with your
employees?
Is your marketing No No
failing to meet
81 Dr. Magdy El Messiry

82. Technology Audit
objectives?
Are your managers Yes, I have less than 2 Yes
inexperienced? years in Retail
Do you have low n/a N/A
R&D?
Do you lack industry Yes, maybe Yes
knowledge?
Do you lack innovative No No
skills?
Other Weaknesses
Specify None
Summary
The key weaknesses for the business are
1. Small store size and inability to find an expansion, resulting in stocking
a limited product range
2. Shop name is not well known
3. Manager has limited industry experience and industry knowledge
82 Dr. Magdy El Messiry

83. Technology Audit
SWOT Analysis Examples: Opportunities
Possible Opportunities Response Is it an
Opportunity?
Industry Opportunities
Can you expand your Yes, there are no Yes
product range? contractual restrictions to
us adding products to the
store, store size is an issue
Can you diversify Maybe, if we had the funds No
your business
interests?
Can you expand into No, the customer is the No
your customer's field? consumer
Can you expand into Yes, I don‘t have the skills Yes
your supplier's field? to establish an import
business
Can you expand your Maybe, through internet Yes
customer base? sales and mail order,
(Geographically or maybe open another
through new location
products)
Do you have placid Yes, there is not a lot of Yes
competitors? competitive advertising in
our niche, and price is not
so much of an issue to our
customers
Do you have any No, we import No
export opportunities?
83 Dr. Magdy El Messiry

84. Technology Audit
Will the total market Yes, but not significantly No
for your products
grow?
Macro Opportunities
Are there any No No
favorable changes to
legislation pending
Will there be any No, almost all clothing is No
changes to any imported there is little
import/export domestic production and a
constraints that will lack of ability for domestic
be favorable for your producers to scale up. Any
business? changes will impact all
retail outlets equally.
Is the economic No, however this may play No
outlook favorable? favorably to our business
as our target market might
postpone larger expenses
as a result a greater share
of purse may be allocated
to clothing – this is yet to
be proven.
Are there any Due to increases in housing Yes
favorable cultural prices our target customer
shifts that will benefit has opted to postpone
you? taking on longer term
debit. Instead to remain in
the ―nest‖ for longer. This
trend increases their
customer life for our
products.
84 Dr. Magdy El Messiry

85. Technology Audit
Are there any Use of internet to increase Yes
changes in the use of marketing and online sales.
technology that your
business can utilize
such as Ecommerce
or Internet sales?
Other Opportunities
Summary
The key opportunities for the business are
1. Backward integration in the supply chain to include importing
directly
2. Increased geographic coverage
3. Leverage the growth of the internet to enhance business
4. Increase life of customer was 18 – 24 year old males, now 18 –
29 year old males
SWOT Analysis Examples: Threats
Possible Threats Response Is it a
threat?
Industry Threats
Will low cost imports No, our shop appeals to the No
impact your business? middle income bracket who are
not interested in low cost
alternatives.
Though high quality low cost
imports will increase our
margin.
85 Dr. Magdy El Messiry

86. Technology Audit
Do consumers have a Yes, many other products in the No
choice to use a category
substitute product?
Are substitute product No more than ours, the market No
sales increasing? share is reasonably consistent
Is your market in No, our market is relatively No
slow growth or in stable, maybe slight growth
decline?
Is the power of your No, maybe one supplier is No
customers or trying to increase prices above
suppliers growing, CPI, but we can stop selling
can they dictate price? their stock and shift to another
supplier of a similar quality
product
Are the needs of your Yes, every season fashion Yes
buyers changing? changes, however the need for
medium quality products
remains unchanged.
Macro Threats
Will foreign exchange Yes, declining dollar will Yes
rate changes affect impact us, and all others in our
your imports or industry, may also reduce sales
exports? if we pass price on to customer
Are there any changes Maybe an increase in awareness No
in demographics that about the behavior of
will impact your governments of low cost
business producing nations may
eventually impact our supply
chain.
86 Dr. Magdy El Messiry

87. Technology Audit
Is regulation in your No No
industry increasing?
Other Threats
Rent Rent can go up reducing our Yes
margins
Location Our rental contract allows the Yes
center to move our business
location, if they believe another
business will make them more
profits.
Summary
The key threats for the business are
1. Changing fashion trends may shift consumer interest in our
product range
2. Exchange rate variation may impact costs
3. Rents increasing above CPI putting pressure on our margins
4. Center owner shifting us within the center
87 Dr. Magdy El Messiry

88. Technology Audit
SWOT Analysis Examples
Summary – Retail Clothing Business
Internal
Strengths Weaknesses
1. Unique brands protected by 1. Small store size and inability
sole supply agreements to find an expansion, resulting
2. Successful relationship in stocking a limited product
marketing, and range
3. Innovative sales techniques 2. Manager has limited industry
experience and industry
knowledge
External
Opportunities Threats
1. Backward integration in the 1. Changing fashion trends may
supply chain to include shift consumer interest in our
importing directly product range
2. Increased geographic 2. Exchange rate variation may
coverage impact costs
3. Leverage the growth of the 3. Rents increasing above CPI
internet to enhance business putting pressure on our
4. Increase life of customer margins
was 18 – 24 year old males, 4. Center owner shifting us
now 18 – 29 year old males within the center
*http://www.whatmakesagoodleader.com/swot_analysis_examples.html
88 Dr. Magdy El Messiry

89. Technology Audit
4.4. Web Business SWOT Analysis
It is often said that the web is the great equalizer, so let‘s look at a SWOT for a
web business that sells toys online. (Fictional Business created for an MBA Class)
Internal
Strengths Weaknesses
1. Global reach of 1. No shop front to
business accept returns
2. Low cost to maintain 2. People need to find
and enhance the site, not our site, there is no other
restricted by foot print marketing
3. Stock is recognized 3. Lack of shop brand
brands recognition
4. Purchase price can 4. Hard to scale up to
be less than off line shops respond to peaks and
5. Strong competition troughs in demand
for warehousing and 5. Limited financial
distribution keeps costs capital to fund web site
down optimization
6. Easy to remain in 6. Larger or heavy toys
touch and build have high delivery cost
relationships with diminishing the online
customers (Email, SMS, price advantage.
webzine) 7. Low web
7. Use existing development skills in house
distribution networks we are reliant on
(Postage) outsourcing
External
Opportunities Threats
1. Established traffic 1. The internet has no
and high number of repeat barriers to entry which
customers may enable means a better financed
increased sales through the business or an established
addition of complimentary retail business may seek to
89 Dr. Magdy El Messiry

90. Technology Audit
product lines compete in this niche.
2. Increased use of the 2. e'Bay and other
internet for shopping with online auction sites have
the 18 to 35 age group traders selling similar
suggests that additional products
sales may come from 3. Buyer reluctance to
stocking toys for this age shop over the net
group (Diminishing)
3. Improve organic 4. Quality issues from
search ranking to reduce overseas suppliers
advertising costs damaging the reputation of
brands we sell
5. Lager business with
greater buying power may
undercut our prices to gain
online market share
Sample SWOT Analysis Summary
Trading online has become quite competitive with Search Engine
Optimization critical to a businesses online success, whilst internet
business can undercut traditional retail businesses once the online
business exceeds the ―run from home‖ size it begins to incur additional
warehousing and distribution costs.
Instead of large growth in traffic the business may prefer to look at
slow growth combined with additional products to increase overall
revenue per customer.
The business would do well to identify multiple potential suppliers to
offset any risk from their current suppliers.
90 Dr. Magdy El Messiry

91. Technology Audit
CHAPTER 6
GLOSSARY
TECHNOLOGY
“Technology is the knowledge applied to the creation of goods, provision of services, and
improvement of our stewardship of precious and finite resources.” Technology can also be
described as the means by which organizations apply understanding of the natural world to the
solution of practical problems. Technology is the combination of “hardware” such as buildings
and equipment and “software” consisting of skills, knowledge and experience. For technology to
be successful it must be applied and maintained.
CLASSIFICATION OF TECHNOLOGY
Technology can be classified in several ways. The following classifications are important in
establishing a common vocabulary.
New technology
New technology is any newly introduced or implemented technology that has an explicit impact
on the way an organization produces products or provides services. The technology does not
have to be new to the world, only to the organization. The technology could have been
developed years before and used by others, but it is classified as new whenever introduced for
the first time in a new situation. New technology has a profound effect on improving
productivity and maintaining a competitive business enterprise
Emerging technology
Emerging technology is any technology that is not yet fully commercialized but will become so
within about five years. This technology may be currently in limited use but is expected to evolve
significantly, for example genetic engineering, nano-technology, superconductivity, and the
Internet.
Emerging technologies create new industries and may make existing
industries obsolete. Emerging technologies have the potential of triggering large changes in
institutions and in society itself.
High technology
High technology refers to advanced or sophisticated technologies. High
technologies are utilized by a wide variety of industries having certain
characteristics. A company is classified as high-tech when it has the
following characteristics:
91 Dr. Magdy El Messiry

92. Technology Audit
· It employs highly educated people;
· Its technology is changing at a faster rate than that of other industries;
· It competes with technological innovation;
· It has high levels of research-and-development expenditure;
· It has the potential to use technology for rapid growth; and
· Its survival is threatened by the emergence of competing technology.
Low technology
Low technology refers to technologies that are used extensively by society.
Low technologies are utilized by a wide variety of industries and have the following
characteristics:
· They employ people with relatively low levels of education or skill;
· They use manual or semiautomatic operations;
· They have low levels of research expenditure;
· The technology base used is stable with little change; and
· Products produced are mostly of the type that satisfies basic human needs, such as food,
shelter, clothing, and basic human services.
Medium technology
Medium technology consists of a wide set of technologies that fall between high and low
technologies. It refers to mature technologies that are more amenable than others to
technology transfer. Examples of industries in this category are consumer products and the
automotive industry.
Appropriate technology
Appropriate technology is used to indicate a good match between the technology utilized and
the resources required for its optimal use. The technology could be on low, medium, or high
level. The use of use high technology when there is a lack of necessary infrastructure or skilled
personnel would not make sense. Utilizing the appropriate level of technology results in better
use of labor resources and better production efficiency.
Codified versus tacit technology
Technology in coded form can be preserved and effectively transferred among users. A
computer program of an optimization algorithm is a codified form that preserves and transmits
knowledge about that algorithm. Tacit technology is a non-articulated knowledge. It is based on
experiences and therefore remains within the minds of its developers. The technology
developers are the ones who have the knowledge in question. Tacit knowledge is transmitted by
demonstration or observation, followed by assimilation by those who seek the knowledge.
Transfer of tacit technology occurs by close contact and interaction between the sources and the
host. Codified technology allows people to know how technology works but not necessarily why
it works in a certain way. The brainwave is part of the tacit knowledge kept in the minds of
92 Dr. Magdy El Messiry

93. Technology Audit
developers and shaped by experiences during the development process. Transfer of technology
is easier when the technology is in a codified form. It is hard, less precise, and more time-
consuming to transfer tacit technology. A complete mastery of the technology requires an
understanding of both the explicit codified knowledge and the non-explicit tacit knowledge.
Stages Of Technology Development
Organized technological development follows a hierarchical progression:
(1) Basic research, (2) Applied research, (3) Development, and (4)
Technology enhancement.
COMPETITIVE ADVANTAGES
A business is said to have a competitive advantage when it has core competencies that are
difficult to imitate by the competition. Competitive advantages can be time bound as new
technology can narrow the gap between the organization and competition.
MANAGEMENT OF TECHNOLOGIES
Management of technologies is an interdisciplinary field that integrates
science, engineering and management knowledge and practice. The focus
is on technology as primary factor in the creation of wealth. Wealth is not
only money but is intellectual capital, effective exploitation of resources
and enhancement of knowledge.
TECHNOLOGY PLANNING
Technology planning is a component of corporate business planning.
Strategic information technology planning assists with the awareness,
evaluation, and deployment of current and evolving information technologies. Technology
planning are critical elements for the
organization.
DEFINITIONS OF TECHNOLOGY AUDITS
A technology audit is an analysis of a company's operations with the
purpose of identifying opportunities to increase profitability. The audit
accommodates the needs of individual manufacturers and emphasizes the
importance of appropriate technology and systems (www.reuters.com).
A technology audit is a thorough investigation into a particular technology. It will be an
independent and confidential review of a technology, which will allow the company to realize
the organization’s potential, select an appropriate exploitation route for the technology and find
appropriate sources of future funding (www.southwest-irc.org.uk).
93 Dr. Magdy El Messiry

94. Technology Audit
TECHNOLOGICAL STRATEGY
In the process of designing a technological strategy it may come in handy to answer the
following questions:
 What is the scope and frequency of technical activities? When can they be performed?
 Will the scheduled changes apply to product innovation, process innovation or both?
 Will the company adopt a pioneering or imitative strategy?
 What will be the primary source of innovation (company's own or from the surrounding
entities)?
 What is the feasible and economically justified level of expenditure for particular innovations
(financial sources – outside, inside)?
 To what extent should company's own research capabilities be developed?
 What will be the consequences of innovation and technology transfer for the organization
services, changes to production management and supply system?
 How will the company protect its intellectual and inventive property?
ADD VALUE
The internal audit activity adds value to the organization (and its stakeholders) when it provides
objective and relevant assurance, and contributes to the effectiveness and efficiency of
governance, risk management, and control processes.
ADEQUATE CONTROL
Adequate control present if management has planned and organized (designed) in a manner
that provides reasonable assurance that the organization's risks have been managed effectively
and that the organization's goals and objectives will be achieved efficiently and economically.
ASSURANCE SERVICES
An objective examination of evidence for the purpose of providing an independent assessment
on governance, risk management, and control processes for the organization. Examples may
include financial, performance, compliance, system security, and due diligence engagements.
BOARD
A board is an organization's governing body, such as a board of directors, supervisory board,
head of an agency or legislative body, board of governors or trustees of a nonprofit
organization, or any other designated body of the organization, including the audit committee
94 Dr. Magdy El Messiry

95. Technology Audit
to whom the chief audit executive may functionally report.
CHARTER
The internal audit charter is a formal document that defines the internal audit activity's
purpose, authority, and responsibility. The internal audit charter establishes the internal audit
activity's position within the organization; authorizes access to records, personnel, and physical
properties relevant to the performance of engagements; and defines the scope of internal audit
activities.
CHIEF AUDIT EXECUTIVE
Chief audit executive describes a person in a senior position responsible for effectively managing
the internal audit activity in accordance with the internal audit charter and the Definition of
Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others
reporting to the chief audit executive will have appropriate professional certifications and
qualifications. The specific job title of the chief audit executive may vary across organizations.
CODE OF ETHICS
The Code of Ethics of The Institute of Internal Auditors (IIA) is Principles relevant to the
profession and practice of internal auditing, and Rules of Conduct that describe behavior
expected of internal auditors. The Code of Ethics applies to both parties and entities that provide
internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the
global profession of internal auditing.
COMPLIANCE
Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
CONFLICT OF INTEREST
Any relationship that is, or appears to be, not in the best interest of the organization. A conflict
of interest would prejudice an individual's ability to perform his or her duties and responsibilities
objectively.
CONSULTING SERVICES
Advisory and related client service activities, the nature and scope of which are agreed with the
client, are intended to add value and improve an organization's governance, risk management,
and control processes without the internal auditor assuming management responsibility.
95 Dr. Magdy El Messiry

96. Technology Audit
Examples include counsel, advice, facilitation, and training.
CONTROL
Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved. Management plans, organizes,
and directs the performance of sufficient actions to provide reasonable assurance that
objectives and goals will be achieved.
CONTROL ENVIRONMENT
The attitude and actions of the board and management regarding the importance of control
within the organization. The control environment provides the discipline and structure for the
achievement of the primary objectives of the system of internal control. The control
environment includes the following elements:
Integrity and ethical values.
Management's philosophy and operating style.
Organizational structure.
Assignment of authority and responsibility.
Human resource policies and practices.
Competence of personnel.
CONTROL PROCESSES
The policies, procedures, and activities that are part of a control framework, designed to ensure
that risks are contained within the risk tolerances established by the risk management process.
ENGAGEMENT
A specific internal audit assignment, task, or review activity, such as an internal audit, control
self-assessment review, fraud examination, or consultancy. An engagement may include
multiple tasks or activities designed to accomplish a specific set of related objectives.
ENGAGEMENT OBJECTIVES
Broad statements developed by internal auditors that define intended engagement
accomplishments.
96 Dr. Magdy El Messiry

97. Technology Audit
ENGAGEMENT WORK PROGRAM
A document that lists the procedures to be followed during an engagement, designed to achieve
the engagement plan.
EXTERNAL SERVICE PROVIDER
A person or organization outside of the organization that has special knowledge, skill, and
experience in a particular discipline.
FRAUD
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not
dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and
organizations to obtain money, property, or services; to avoid payment or loss of services; or to
secure personal or business advantage.
GOVERNANCE
The combination of processes and structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its
objectives.
IMPAIRMENT
Impairment to organizational independence and individual objectivity may include personal
conflict of interest, scope limitations, restrictions on access to records, personnel, and
properties, and resource limitations (funding).
INDEPENDENCE
The freedom from conditions that threaten the ability of the internal audit activity to carry out
internal audit responsibilities in an unbiased manner.
INFORMATION TECHNOLOGY CONTROLS
Controls that support business management and governance as well as provide general and
technical controls over information technology infrastructures such as applications, information,
infrastructure, and people.
97 Dr. Magdy El Messiry

98. Technology Audit
INFORMATION TECHNOLOGY GOVERNANCE
Consists of the leadership, organizational structures, and processes that ensure that the
enterprise's information technology supports the organization's strategies and objectives.
INTERNAL AUDIT ACTIVITY
A department, division, team of consultants, or other practitioner(s) that provides independent,
objective assurance and consulting services designed to add value and improve an
organization's operations. The internal audit activity helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of governance, risk management and control processes.
INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK
The conceptual framework that organizes the authoritative guidance promulgated by the IIA.
Authoritative Guidance is comprised of two categories –
(1) mandatory and
(2) strongly recommended.
MUST
The Standards use the word "must" to specify an unconditional requirement?
OBJECTIVITY
An unbiased mental attitude that allows internal auditors to perform engagements in such a
manner that they believe in their work product and that no quality compromises are made.
Objectivity requires that internal auditors do not subordinate their judgment on audit matters to
others.
RESIDUAL RISK
The risk remaining after management takes action to reduce the impact and likelihood of an
adverse event, including control activities in responding to a risk.
RISK
The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
RISK APPETITE
The level of risk that an organization is willing to accept.
98 Dr. Magdy El Messiry

99. Technology Audit
RISK MANAGEMENT
Processes to identify, assess, manage, and control potential events or situations to provide
reasonable assurance regarding the achievement of the organization's objectives.
SHOULD
The Standards use the word "should" where conformance is expected unless, when applying
professional judgment, circumstances justify deviation.
SIGNIFICANCE
The relative importance of a matter within the context in which it is being considered, including
quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact.
Professional judgment assists internal auditors when evaluating the significance of matters
within the context of the relevant objectives.
STANDARD
A professional pronouncement promulgated by the Internal Audit Standards Board that
delineates the requirements for performing a broad range of internal audit activities, and for
evaluating internal audit performance.
ASSESSMENT –– the evaluation process used to measure the performance or effectiveness of a
system and its elements. As used here, assessment is an all-inclusive term used to denote any of
the following: audit, performance evaluation, management review, peer review, inspection, or
surveillance.
AUDIT – a systematic and independent examination to determine whether quality activities and
related results comply with planned arrangements and whether these arrangements are
implemented effectively and are suitable to achieve objectives.
AUDITEE – the organization being assessed.
AUDITOR – a person qualified to perform audits.
AUDIT OF DATA QUALITY (ADQ) – an examination of data after they have been collected to
determine how well the measurement system performed with respect to the data quality goals
specified in the quality assurance project plan. ADQs entail tracing data through processing
steps and duplicating intermediate calculations and focus on identifying a clear, logical
connection between the steps.
BLIND SAMPLE – a subsample submitted for analysis with a composition and identity known to
the submitter but unknown to the analyst. Blind samples are used to test the analyst’s or
laboratory’s proficiency in the execution of the measurement process. Samples may be either
single blind (the analyst knows the sample is a PE sample but does not know what analyses at
what concentrations it contains) or double-blind (the analyst does not know the sample is a PE
sample).
CLIENT – any individual or organization for whom items or services are furnished or work is
performed in response to defined requirements and expectations. Compare with user below.
CONTRACTOR – any organization or individual that contracts to furnish services or items or
perform work; a supplier in a contractual situation.
99 Dr. Magdy El Messiry

100. Technology Audit
Final CORRECTIVE ACTION – an action taken to eliminate the causes of an existing
nonconformance, deficiency, or other undesirable situation in order to prevent recurrence.
DATA QUALITY ASSESSMENT (DQA) – a scientific and statistical evaluation of validated data to
determine if the data are of the right type, quality, and quantity to support their intended use.
DATA QUALITY INDICATORS (DQIS) – quantitative statistics and qualitative descriptors used to
interpret the degree of acceptability or utility of data to the user. The principal DQIs are bias,
precision, accuracy, comparability, completeness, and representativeness.
DATA QUALITY OBJECTIVES (DQOS) – qualitative and quantitative statements derived from the
DQO Process that clarify study technical and quality objectives, define the appropriate type of
data, and specify tolerable levels of potential decision errors that will be used as the basis for
establishing the quality and quantity of data needed to support.
DEFICIENCY – an unauthorized deviation from acceptable procedures or practices, or a defect in
an item.
ENVIRONMENTAL DATA – any measurement or information that describes environmental
processes, location, or conditions; ecological or health effects and consequences; or the
performance of environmental technology. For EPA, environmental data include information
collected directly from measurements, produced from models, and compiled from other sources
such as databases or the available literature. Aspects of the project, Such persons may be
referred to as project manager, project officer, work.
EXTRAMURAL AGREEMENT – a legal agreement between EPA and an organization outside EPA
for items or services to be provided. Such agreements include contracts, work assignments,
delivery orders, task orders, cooperative agreements, research grants, State and local grants,
and EPA funded interagency agreements.
FINDING – an assessment conclusion that identifies a condition having a significant effect on an
item or activity. An assessment finding may be positive or negative, and is normally
accompanied by specific examples of the observed condition.
GOOD LABORATORY PRACTICES (GLPS) – a quality system concerned with the organizational
process and the conditions under which nonclinical health and environmental safety studies are
planned, performed, monitored, archived, and reported.
GRADED APPROACH – the process of basing the level of application of managerial controls
applied to an item or work product according to the intended use of the results and the degree
of confidence needed in the quality of the results.
GUIDELINE – a suggested practice that is non-mandatory in programs intended to comply with
a standard.
INDEPENDENT ASSESSMENT – an assessment performed by a qualified individual, group, or
organization that is not a part of the organization directly performing and accountable for the
work being assessed.
INSPECTION – an examination such as measuring, examining, testing, or gauging one or more
characteristics of an entity and comparing the results with specified requirements in order to
establish whether conformance is achieved for each characteristic.
LEAD AUDITOR – an individual qualified to organize and direct a technical assessment, to report
100 Dr. Magdy El Messiry

101. Technology Audit
assessment findings and observations, and to evaluate corrective actions.
MANAGEMENT SYSTEM – a structured, nontechnical system describing the policies, objectives,
principles, organizational authority, responsibilities, accountability, and implementation plan of
an organization for conducting work and producing items and services.
NONCONFORMANCE – a deficiency in characteristic, documentation, or procedure that renders
the quality of an item or activity unacceptable or indeterminate; no fulfillment of a specified
requirement.
OBJECTIVE EVIDENCE – any documented statement of fact, other information, or record, either
quantitative or qualitative, pertaining to the quality of an item or activity, based on
observations, measurements, or tests which can be verified.
OBSERVATION – an assessment conclusion that identifies a condition (either positive or
negative) which does not represent a significant impact on an item or activity. An observation
may identify a condition which does not yet cause a degradation of quality.
ORGANIZATION – a company, corporation, firm, enterprise, or institution, or part thereof,
whether incorporated or not, public or private, that has its own functions and administration.
PEER REVIEW – a documented critical review of work by qualified individuals (or organizations)
who are independent of those who performed the work, but are collectively equivalent in
technical expertise. A peer review is conducted to ensure that activities are technically
adequate, competently performed, properly documented, and satisfy established technical and
quality requirements. The peer review is an in-depth assessment of the assumptions,
calculations, extrapolations, alternate interpretations, methodology, acceptance criteria, and
conclusions pertaining to specific work and of the documentation that supports them.
PERFORMANCE EVALUATION (PE) – a type of audit in which the quantitative data generated in
a measurement system are obtained independently and compared with routinely obtained data
to evaluate the proficiency of an analyst or laboratory.
PERFORMANCE EVALUATION (PE) SAMPLE – A sample that mimics actual samples in all
possible aspects, except that its composition is known to the auditor and unknown to the
auditee. PE samples are provided to test whether a measurement system can produce analytical
results within specified performance goals. See also BLIND SAMPLE AND PERFORMANCE
EVALUATION PROCESS – a set of interrelated resources and activities that transforms inputs
into outputs. Examples of processes include analysis, design, data collection, operation,
fabrication, and calculation.
PROGRAM – any work involving the environment, including characterization of environmental
processes and conditions; environmental monitoring; environmental research and development;
design, construction, and operation of environmental technologies; and laboratory operations
on environmental samples.
PROJECT – an organized set of activities within a program.
PROJECT MANAGER – the individual in the auditee who has responsibility and accountability for
planning and implementing the project and who has authority to implement corrective action.
101 Dr. Magdy El Messiry

102. Technology Audit
FINAL PROJECT QUALITY ASSURANCE MANAGER – the individual in the auditee who has
responsibility for planning, documenting, coordinating, and assessing the effectiveness of the
quality system for the auditee.
QUALITY – the totality of features and characteristics of a product or service that bears on its
ability to meet the stated or implied needs and expectations of the user.
QUALITY ASSURANCE (QA) – an integrated system of management activities involving planning,
implementation, documentation, assessment, reporting, and quality improvement to ensure
that a process, item, or service is of the type and quality needed and expected by the client.
QUALITY ASSURANCE MANAGER – the individual designated as the principal manager within
the organization having management oversight and responsibility for planning, documenting,
coordinating, and assessing the effectiveness of the quality system for the organization.
QUALITY ASSURANCE PROJECT PLAN – a document describing in comprehensive detail the
necessary QA and QC and other technical activities that must be implemented to ensure that the
results of the work performed will satisfy the stated performance criteria.
QUALITY CONTROL (QC) – the overall system of technical activities that measures the attributes
and performance of a process, item, or service against defined standards to verify that they
meet the stated requirements established by the customer; operational techniques and
activities that are used to fulfill requirements for quality.
QUALITY MANAGEMENT – that aspect of the overall management system of an organization
that determines and implements the quality policy. Quality management includes strategic
planning, allocation of resources, and other systematic activities (e.g., planning,
implementation, documentation, and assessment) pertaining to the quality system.
QUALITY MANAGEMENT PLAN (QMP) – a document that describes the quality system in terms
of the organizational structure, policy and procedures, functional responsibilities of
management and staff, lines of authority, and required interfaces for those planning,
implementing, documenting, and assessing all activities conducted.
QUALITY SYSTEM – a structured and documented management system describing the policies,
objectives, principles, organizational authority, responsibilities, accountability, and
implementation plan of an organization for ensuring quality in its work processes, products
(items), and services .The quality system provides the framework for planning, implementing,
documenting, and assessing work performed by the organization and for carrying out required
QA and QC activities.
FINAL QUALITY SYSTEM AUDIT– a documented activity performed to verify, by examination and
evaluation of objective evidence, that applicable elements of the quality system are suitable and
have been developed, documented, and effectively implemented in accordance with specified
requirements.
READINESS REVIEW – a systematic, documented review of the readiness of the start-up or
continued use of a facility, process, or activity. Readiness reviews are typically conducted before
proceeding beyond project milestones and prior to initiation of a major phase of work.
SAMPLING AND ANALYSIS PLAN (SAP) – a detailed document describing the procedures used to
collect, preserve, handle, ship, and analyze samples for detection or assessment monitoring
102 Dr. Magdy El Messiry

103. Technology Audit
parameters. The plan should detail all chain-of-custody and QA and QC measures that will be
implemented to ensure that sample collection, analysis, and data presentation activities meet
the prescribed requirements.
SELF-ASSESSMENT – an assessment of work conducted by individuals, groups, or organizations
directly responsible for overseeing and/or performing the work.
Standard operating procedure (SOP) – a written document that details the method for an
operation, analysis, or action with thoroughly prescribed techniques and steps; a procedure that
is officially approved as the method for performing certain routine or repetitive tasks.
SURVEILLANCE – continual or frequent monitoring and verification of the status of an entity and
the analysis of records to ensure that specified requirements are being fulfilled.
TECHNICAL ASSESSMENT – a systematic and objective examination of a project to determine
whether environmental data collection activities and related results comply with the project’s
QA Project Plan, whether the activities are implemented effectively, and whether they are
sufficient and adequate to achieve the QA Project Plan’s data quality goals. Technical
assessments document the implementation of the QA Project Plan.
TECHNICAL SPECIALIST – an active participant in a technical assessment who has specialized
technical knowledge of the project being assessed and basic knowledge of assessment
techniques and procedures.
TECHNICAL SYSTEMS AUDIT (TSA) – a thorough, systematic, on-site, qualitative audit of
facilities, equipment, personnel, training, procedures, recordkeeping, data validation, data
management, and reporting aspects of a system.
WEAKNESS – a negative assessment finding (i.e., a nonconformance) that does not necessarily
result in unacceptable data.
AUDIT CRITERIA – The auditor should clarify the specific explicit or implicit criteria against which
evidence collected will be evaluated. Criteria are explicit when they are clearly set out in policies,
manuals, standard operating procedures, standards, laws and/or regulations. Where
management has not yet established goals and objectives or determined the controls needed in
a particular area, it may be necessary to develop implicit criteria based on what management
considers to be satisfactory performance standards or industry best practices. The acceptability
of implicit criteria should always be confirmed with the audited entity. Conducting an audit
without agreeing the criteria may result in conclusions and recommendations that may not be
accepted by the audited entity and lead to wasted audit effort and fruitless arguments.
ANALYSIS AND EVALUATION OF DATA – After data is collected, it should be analyzed and
evaluated. Analysis means breaking down data/activities/processes into smaller, more
manageable parts to determine attributes, relationships, cause, effect, etc. and make inferences
or determine whether further examination is required. Evaluation is the systematic
determination of the merit, worth, or significance of the subject matter to arrive at a judgment
in terms of adequacy, efficiency or effectiveness.
103 Dr. Magdy El Messiry

104. Technology Audit
ANALYSIS OF OTHER DATA AND PROCESSES –
The principles applied in analyzing financial data can also be utilized in examining
other data, activities and processes. Directives, policies, contracts etc. may be analyzed to
determine their significant elements, and these assessed against best practices, standards or
benchmarks. The work of committees/teams/working groups may be analyzed to determine
their mandate, functions, areas of responsibility, reporting lines, frequency of meetings and how
decisions are implemented. By breaking activities into their composite elements, auditors may
conduct analyses by observing trends, making comparisons and isolating unusual transactions
and conditions for follow-up.
EVALUATION
Evaluation is a means of arriving at a professional judgment. As auditors compare
circumstances observed against relevant criteria, they evaluate the significance of any variance
and determine whether corrective action is necessary. The analysis and evaluation of evidence
obtained should give rise to issues (positive and negative), which OIOS wishes to report to
management. Auditors should draw conclusions for each audit objective.
RECORDING INFORMATION DURING THE AUDIT
Auditors should record all elements of the assignment in Auto Audit, in accordance with the
format
THE AUTOAUDIT FILE should be restricted to matters that are relevant to the audit. The file
should be detailed enough to enable an experienced auditor, having no previous connection
with the audit, to understand the (i) nature, timing, and extent of the audit procedures
performed; (ii) results of the procedures and the audit evidence obtained; and (iii) significant
matters arising during the audit and the conclusions
AUDIT FINDINGS
OIOS auditors should report audit findings i.e. significant deviations from relevant criteria, to
management so that corrective action can be taken. A reportable finding is a significant
condition which:
a. Warrants the attention of management;
b. Is documented by facts, not opinions, and by evidence that is sufficient, competent and
relevant;
c. Is objectively developed without bias or preconceived ideas;
d. Is relevant to the issue involved; and
e. Is convincing enough to compel action to correct the defective condition14.
Audit findings should contain the elements of criteria, condition, cause effect and
recommendation.
104 Dr. Magdy El Messiry

105. Technology Audit
a. Criteria
The standards, measures, or expectations used in making an evaluation and/or verification
(what should exist). The criteria should be credible, convincing and objective. They should be
designed to meet a management goal
b. Condition
The factual evidence that the internal auditor found in the course of the examination (what does
exist). The condition should include sufficient information to promote an adequate
understanding of the matter(s) being reported.
c. Cause
The reason for the difference between the expected and actual conditions. i.e. why the
difference exists. The cause should be complete and go to the heart of the problem; not just the
symptom.
d. Effect The risk or exposure the organization and/or others encounter because the condition is
not consistent with the criteria (the impact of the difference). The effect should be logical and
likely to occur.
e. Recommendations
Recommendations are based on the internal auditor’s observations and conclusions. They call
for action to correct existing conditions or improve operations. Recommendations may suggest
general or specific approaches to correcting or enhancing performance as a guide for
management in achieving desired results. They should address the cause of the finding, be
implementable and capable of being monitored.
FORMULATING RECOMMENDATIONS
The main objective of an audit is to provide assurance as to the efficiency and effectiveness of
established internal controls, to develop recommendations for improving them, and to ensure
compliance with the Organization’s regulations, rules and policies.
Generally, audit recommendations are most effective and acceptable to the audited entity when
they are:
a. Constructive and directed at improved or enhanced performance;
b. Directed at correcting the cause of the problem identified;
c. Action oriented in that they suggest specific steps that should be taken to
change, modify, or otherwise perform some action;
d. Addressed to officials those are empowered to act;
e. Feasible, achievable, practical, cost effective;
f. Aiming to recover or save resources.
105 Dr. Magdy El Messiry

106. Technology Audit
TECHNOLOGY-BASED AUDIT TECHNIQUES
Any automated audit tool, such as generalized audit software, test data generators,
computerized audit programs, specialized audit utilities, and computer-assisted audit
techniques.
106 Dr. Magdy El Messiry

107. Technology Audit
APPENDIX I
SWOT Analysis Template16
Situation being analysed: ______________________
This SWOT example is for a new business opportunity. Many criteria can apply to more than one
quadrant. Identify criteria appropriate to your own SWOT situation *.
criteria examples strengths weaknesses criteria examples
Disadvantages of proposition?
Advantages of proposition?
Gaps in capabilities?
Capabilities?
Lack of competitive strength?
Competitive advantages?
Reputation, presence and reach?
USP's (unique selling points)?
Financials?
Resources, Assets, People?
Own known vulnerabilities?
Experience, knowledge, data?
Timescales, deadlines and pressures?
Financial reserves, likely returns?
Cashflow, start-up cash-drain?
Marketing - reach, distribution,
Continuity, supply chain robustness?
awareness?
Effects on core activities, distraction?
Innovative aspects?
Reliability of data, plan predictability?
Location and geographical?
Morale, commitment, leadership?
Price, value, quality?
Accreditations, etc?
Accreditations, qualifications,
Processes and systems, etc?
certifications?
Management cover, succession?
Processes, systems, IT,
communications?
Cultural, attitudinal, behavioural?
Management cover, succession?
Philosophy and values?
criteria examples opportunities threats criteria examples
Market developments? Political effects?
Competitors' vulnerabilities? Legislative effects?
Industry or lifestyle trends? Environmental effects?
Technology development and IT developments?
innovation? Competitor intentions - various?
Global influences? Market demand?
New markets, vertical, horizontal? New technologies, services, ideas?
Niche target markets? Vital contracts and partners?
Geographical, export, import? Sustaining internal capabilities?
New USP's? Obstacles faced?
Tactics: eg, surprise, major Insurmountable weaknesses?
contracts? Loss of key staff?
Business and product development? Sustainable financial backing?
Information and research? Economy - home, abroad?
Partnerships, agencies, distribution? Seasonality, weather effects?
Volumes, production, economies?
Seasonal, weather, fashion
influences?
16http://www.businessballs.com/swotanalysisfreetemplate.htm
107 Dr. Magdy El Messiry

108. Technology Audit
I AEDNI AA Audit Checklist
ISO/IEC 19770-1 Audit Checklist17
This checklist has been developed to be used in conjunction with ISO/IEC19770-1
Information technology – Software asset management – Part1: Processes (the ISO
Standard), and should not be used in isolation from this Standard. The checklist
has been developed to assist agencies to perform self-audits to monitor their
progress towards best practice in software license management*. The checklist
outlines elements that should be met in order to be fully compliant with the ISO
Standard. It may be used by Agencies to guide where improvements can be made
in managing software licensing. Each element may be audited separately to check
on progress towards maturity in specifically targeted areas, however, compliance
with all element will ensure that the agency is aligned with industry best practice in
software license management.
The ‗Evidence‘ section of the checklist outlines possible evidence that auditors
may consider when evaluating level of compliance. This list can be modified to
reflect individual agency requirements and is not intended as an exhaustive list.
This checklist includes elements that may not be relevant to every agency, and fall
outside the requirements of IS45 – for example, Software Development Process.
However, as they form part of ISO/IEC19770-1 they have been included in the
checklist.
The timeframes and documentation requirements detailed in the checklist are those
specified by ISO/IEC 19770-1. Agencies may choose to modify the audit
schedule, and/or to limit their documentation, but should be aware that in doing so
will not be considered to be operating at industry best practice levels.
The checklist mirrors the layout of the ISO Standard, and includes the section
numbering of the ISO Standard in brackets.
________________________________________________
71www.qgcio.qld.gov.au/.../Information%20Standards/.../Templates/ISO1977
108 Dr. Magdy El Messiry

109. Technology Audit
APPENDIX III
ISO/IEC 19770-1 Audit Checklist 17
Date of Audit: Auditor/s:
Description Evidence Comment
CONTROL ENVIRONMENT FOR SAM (4.2)
Corporate Governance for SAM (4.2.2)
Clear corporate statement including: existing software
1. legal entity or parts of legal entity contracts based on
included in scope specific organizational
scope; existence of ICT
2. specific single body or individual that
boards
has overall corporate management
responsibility for that entity or parts of
that entity
Responsibility for corporate governance of Hard copies of ICT
software and related assets formally recognized Board statements,
by corporate board or equivalent body meeting minutes
procedures; audit reports
Regulations and guidelines for software use
identified and documented and reviewed at
least annually
Assessment of risks and management specified
mitigation approaches, documented, updated
annually and approved by the Board or
equivalent, covering at least:
1. risk of regulatory non-compliance
2. risk of licensing non-compliance
3. risk of interruption of operations that
may result from inadequate SAM
4. risk of excessive spending on licensing
and other IT support
5. risk of centralized v non-centralized
management approaches for software
and related assets
6. risk associated with different countries
of operation
Management objectives of SAM are approved by SAM manual, position
corporate board or equivalent body, and reviewed paper or similar
at least annually.
Roles and Responsibilities for SAM (4.2.3)
109 Dr. Magdy El Messiry

110. Technology Audit
The role of the SAM owner is clearly defined, SAM manual, PD’s,
and include responsibilities for: Roles and
1. proposing management objectives for Responsibilities
SAM statement, SAM project
plan
2. Overseeing the development of the SAM
plan
3. Obtaining resources for implementing
the approved SAM plan
4. Delivering results against the SAM plan
Local roles and responsibilities for corporate
governance of software and related assets are
documented and assigned to specified individuals.
Responsibilities assigned include:
1. obtaining resources for implementing the
SAM plan
2. delivering results against the SAM plan
3. adopting and implementing necessary
policies, procedures and processes
4. maintaining accurate records of software
and related assets
5. ensuring management and technical
approvals are required for procurement,
deployment and control of software
assets
6. managing contracts, supplier
relationships and internal customer
relationships
7. identifying and implementing
improvements
Responsibilities are communicated to all parts of
the organization
Policies, processes and procedures for SAM (4.2.4)
Demonstrated structured approach to creating, Usually part of agency
reviewing, approving, issuing and controlling wide document control
policies, processes and procedures system, not unique to
SAM
Policies and procedures organized by, or cross
reference, process classification in 19770
Documented policies covering at minimum: Review documents to
1. Individual and corporate responsibilities ensure all aspects are
for corporate governance of software and included. May be
related assets embedded in other
documents and policies
2. restrictions on personal use of corporate
assets and related software
3. requirement for compliance with legal
and regulatory requirements, including
copyright and data protection
4. procurement requirements
110 Dr. Magdy El Messiry

111. Technology Audit
5. approvals for software installation or use
of software whether purchased or not
6. disciplinary implications of violation of
these policies
Policies communicated to all personnel in a way Documentation can be in
which: any form of medium, and
1. Reaches all new personnel when they may be in consolidated
start documents, such as Code
of Conduct
2. Continuing personnel at least annually
3. Requires positive acknowledgement
4. Readily accessible at all times
Competence in SAM (4.2.5)
A review is documented and updated at least Review and audit
annually which covers the availability and uptake records, training
of training and certification by personnel with schedules and registers,
SAM responsibilities for: audit records, software
1. SAM in general licence registers
2. Licensing for software manufacturers
whose software is being used
Annual review of ―proof of licence‖ Review records
Personnel with SAM responsibilities receive Training records and
training in SAM and in relevant licensing registers, roles and
including both initial training and formal responsibilities registers
continuing education annually
Annual review to ascertain what guidance is Review records
available from software manufacturers to enable
compliance with their licences.
PLANNING AND IMPLEMENTATIOIN OF SAM PROCESSES (4.3)
Planning for SAM (4.3.2)
Management objectives for SAM are developed An appropriate level of
and documented and updated at least annually, automation should be
and include: implemented to ensure
1. clear scope statement that processes do not
become inefficient, error
2. clear specification of policies, processes
prone, or not followed.
and procedures are required for assets in
Audit schedules, monthly
scope
reports, scope and
3. clear explanation of the approach to specification documents,
managing, auditing and improving SAM implementation plans
4. explanation of the approach to be used in
identifying, assessing and managing
issues and risks related to defined
objectives
5. schedules and responsibilities for
periodic activities, including
management reports and performance of
verification and compliance activities
111 Dr. Magdy El Messiry

112. Technology Audit
6. identification of resources including
budget
7. performance measures for tracking
accomplishment against SAM plan,
including target measures
Plan approved by corporate body Implementation plan
Implementation of SAM (4.3.3)
Mechanisms in place to collect information about Issues and risk registers
changes, issues and risks
Regular status reports (at least quarterly) detailing Check reports go to
overall progress against SAM plan Board or equivalent
Follow-up on variances is prompt and Issues and risks reports,
documented corrective action
registers, or similar
Monitoring and review of SAM (4.3.4)
Formal review conducted at least annually: Annual audit reports,
1. Are management objectives for SAM verification conformance
and the SAM plan being achieved? reports, SLA’s
2. Summarize performance against all
performance measures specified in SAM
plan and SLA‘s related to SAM
3. summary of findings of Conformance
verification
4. check policies effectively disseminated
and implemented throughout agency
5. summarize exceptions and actions
6. identify opportunities for improvement
Continual Improvement of SAM (4.3.5)
Mechanism in place to collect and record
suggested improvements in SAM arising from all
sources throughout the year.
Suggestions for improvement are periodically
assessed, prioritized and approved for
incorporation in SAM implementation and
improvement plans
INVENTORY PROCESSES FOR SAM (4.4)
Software Asset Identification (4.4.2)
Types of assets to be controlled and the
information associated with them are formally
defined.
A register of stores and inventories exists,
clarifying which stores and types of information
are held
Software Asset Inventory Management (4.2.3)
Policies and procedures for management and Policy & procedure
maintenance of inventories and documents; access logs,
physical/electronic stores: secure sites
1. protection from unauthorized access,
change or corruption
112 Dr. Magdy El Messiry

113. Technology Audit
2. disaster recovery
Inventories exist of: Inventories, including
1. All platforms on which software assets package versions,
can be installed and run update/patch status of
software, platforms
2. All authorized software
3. Underlying licenses and effective full
licenses held
Inventories and physical stores for: DSL should include
1. Software (DSL) master versions and
distribution copies, hard-
2. Software builds and releases
copy and electronic
3. Contracts relating to software assets contracts
Methods exist to determine license usage based Inventories, metering
on criteria other than software installation results and reports, pc
counts, number of users
etc
Documented arrangements to ensure continued
availability of sources listed above
Inventory reports produced has clear description Hard copies of reports
including identity, purpose, details of data source
Software Asset Control (4.2.4)
Audit trail is maintained of changes made to Audit trail should include
software and related assets change in status,
location, custodianship
and version
Policies and procedures for development, Check Policy and
maintenance and management of software procedures exist and are
versions, images/builds and releases current
Policies and procedures for baseline of These policies and
appropriate assets is taken before release of procedures must ensure
software to live environment that baseline is taken in a
manner that can be used
for subsequent checking
against actual
deployment
VERIFICATION AND COMPLIANCE PROCESSES FOR SAM (4.5)
Software Asset Record Verification (4.5.2)
Procedures for software asset verification process Check procedures are
include: current; check inventory
1. At least quarterly reconciliation logs; corrective action
registers; check licence
2. Hardware inventory including locations
pools, physical
at least 6 monthly
contractual
3. Inventory of software programs verified documentation for
at least 6 monthly accuracy
4. Inventory of software builds verified at
least 6 monthly
5. Physical store of pool of proof of licence
documentation verified at least annually
6. Effective licenses verified at least
113 Dr. Magdy El Messiry

114. Technology Audit
annually
7. Physical store of contractual
documentation verified at least annually
8. Contracts inventory verified at least
annually
9. Follow up corrective actions on
discrepancies or issues documented
Software Licensing Compliance (4.5.3)
Procedures for software licensing compliance that Ensure this included
include: particular license
1. reconciliation at least quarterly between requirements based on
effective licenses and licenses owned other than installed
copies, such as server
2. discrepancies identified promptly
access rights inventory
recorded, analyzed and root caused
logs
determined
Follow up actions prioritized and executed check corrective action
registers or similar
Software Asset Security Compliance (4.5.4)
Actual practice against policy is reviewed at least Should include access
annually controls on software
definitive master versions
and distribution copies of
software;
installation/user rights
specified by user or user
group
Follow up actions prioritized and executed check corrective action
registers or similar
Conformance Verification for SAM (4.5.5)
Policies and procedures which ensure verification Internal Audit procedures
at least on sample basis annually against ALL should include SAM;
requirements specified. audit schedules; audit
reports
Documentary evidence exists that demonstrates Corrective action
verification procedures are being performed and registers and reports;
corrective follow up action being taken internal audit reports
OPERATIONS MANAGEMENT PROCESSES AND INTERFACES FOR SAM (4.6)
Relationship and Contract Management for SAM (4.6.2)
Policies and procedures include: Check policies and
1. Definitions of responsibilities for procedures – may be
supplier management embedded in other
processes.
2. Ensure invitations to tender include
Check invitation to tender
considerations for SAM
documents
3. Formal documented review at least 6 Check for documented
monthly of supplier performance, conclusions and follow
achievements and issues up of reviews to include
actions taken
Policies and procedures include: Check policies and
1. Responsibilities for managing customer- procedures – may be
114 Dr. Magdy El Messiry

115. Technology Audit
side business relationships with respect embedded in other
to software and related assets and processes.
services Check for documented
2. Formal review at least annually of conclusions and follow
current and future software requirements up of reviews to include
of customers and business actions taken
3. Formal documented reviews at least
annually of service provider
performance, customer satisfaction,
achievements and issues
Policies and procedures include: Check policies and
1. Ensuring contractual details are recorded procedures – may be
in an on-going contract management embedded in other
system processes.
Check for documented
2. Hard copies of signed contractual
conclusions and follow
documentation to be held securely in
up of reviews to include
document management system
actions taken.
3. Documented reviews at least 6 monthly May be either a manual
and also prior to contract expiry. or electronic system
Financial Management for SAM (4.6.3)
Definitions of financial information relevant to Asset types used in
the management of software and related assets are financial management
agreed and documented should be aligned with or
mapped to the asset types
used in SAM if they are
different
Formal budgets are developed for acquisition of ICT planning and budget
software documents
Actual expenditure on software assets is This should include
accounted against budget related infrastructure and
support costs
Software asset values financial information
documented and readily available
Formal documented reviews at least quarterly of
actual expenditure against budget
Service Level Management for SAM (4.6.4)
SLAs and supporting agreements to include: Check SLA’s, either in
1. Services relating to software acquisition, hardcopy or electronic
installation, moves, and changes – with These SLA’s may cover
SL targets and workload characteristics more than just the SAM
elements
2. Customer and user obligations and
responsibilities defined or referenced
from SLA
Actual workloads and service levels against Check reports, registers
targets for SAM are reported at least quarterly
and reasons for non-conformance documented
Reviews at least quarterly of performance against Check reports, registers
service levels
Security Management for SAM (4.6.5)
115 Dr. Magdy El Messiry

116. Technology Audit
Formal policy developed regarding
security/access restrictions to all SAM resources,
including physical/electronic stores of software
Access controls are specified, both physical and
logical, to enforce the approval requirements of
SAM policies
Documentary evidence that controls are Access logs, registers
implemented in practice
LIFECYCLE PROCESS INTERFACES FOR SAM (4.7)
Change Management Process (4.7.2)
Formal process for change management that
includes:
1. Change requests identified and recorded
2. Change requests are assessed for
possible impacts, prioritized and
approved by the responsible
management
3. The change is made only in accordance
with the approval
4. All changes affecting software or related
assets or services or SAM processes are
recorded
5. The success or failure of changes is
documented and reviewed
Acquisition Process (4.7.3)
Standard architectures are defined for the
provision of software services
Standard software configurations are defined, as
are the criteria for deviating from those standards
Policies and procedures for requisitioning and
ordering software and related assets, include:
1. How requirements are specified
2. Management and technical approvals
required
3. Use/redeployment of existing licenses if
available
4. Recording future purchase requirements
in those cases where software can be
deployed before reporting and payment
Policies and procedures for receipt processing This may include
functions related to software and related assets, checking authenticity of
include: proof of license
1. Processing invoices, reconciliations and Include safe keeping of
retention of copies for license both physical and
management purposes electronic copies
2. Ensuring receipt and safe keeping of
valid proof of license
3. Processing incoming media –
verification, record-keeping and safe
116 Dr. Magdy El Messiry

117. Technology Audit
keeping
Software Development Process (4.7.4)
Formal process for software development that
includes consideration of:
1. Standard architectures and standard
configurations
2. License constraints and dependencies
Formal process for software development
ensuring software products are placed under
software asset control
Software Release Management Process (4.7.5)
Formal process for release management enduring:
1. Controlled acceptance environment is
used to build and test all proposed
releases, including patches, prior to
release
2. Frequency and type of releases are
planned and agreed with business and
customers, including frequency of
security patch release
3. Planned release dates and deliverables
are recorded with references to related
change requests
4. Release of software and related assets is
approved by the responsible
management
5. Success or failure of releases is recorded
and periodically reviewed
Software Deployment Process (4.7.6)
Policies and procedures for installing and Check procedure
distributing software include: documents
1. Distribution of software and related Check deployment plans
assets is approved by responsible and back out plans
management Check security logs and
registers
2. Back out procedures or method of
DSL’s and registers
remediation in place for each
Deployment sign offs
deployment
Deployment logs (either
3. Security requirements are complied with manual or electronic)
4. Changes to status of the relevant Audit logs
software and related assets are recorded
accurately and on a timely basis
5. Documented control to verify that what
was deployed is the same as what was
authorized.
6. Success or failure of deployments is
recorded and periodically reviewed.
Incident Management Process (4.7.7)
Formal process of incident management which This may be included as
117 Dr. Magdy El Messiry

118. Technology Audit
includes: part of a larger incident
1. All incidents that affect software or management process
related assets or SAM processes are
recorded and classified as to their
priority resolution
2. All such incidents are resolved in
accordance with their priority for
resolution, and resolution documented
Problem Management Process (4.7.8)
Formal process of problem management which
includes:
1. All incidents that affect software or
related assets or services or SAM
processed are recorded and classified as
to their impact
2. High priority and repeat incidents are
analyzed for the underlying causes and
prioritized for resolution
3. Underlying causes are documented and
communicated to incident management
4. Problems are resolved in accordance
with their priority, and resolution
recorded and communicated to incident
management
Problem Management Process (4.7.9)
Policies and procedures for securely retiring
software or hardware on which software is
installed include:
1. Deployed copies of software are
removed from retired hardware
2. Licenses and other assets which can be
redeployed are identified for
redeployment
3. Any assets transferred to other parties
take into account confidentiality,
licensing or other contractual
requirements
4. Licensed and other assets which cannot
be redeployed are properly disposed of
5. Records are updated to reflect the
changes and audit trails maintained
Corrective Action/Improvement Suggestions Raised:
118 Dr. Magdy El Messiry

119. Technology Audit
No. Details
Signature:
Auditor:
Signature:
Responsible Manager:
Document Details
Document Name ISO/IEC 19770-1 Audit Checklist
Version Number V0.1
Author SLM Program, QGCIO
Contact Details Iris Taylor (07) 3238 3597
Document Status Draft x DPW Release Final Version
Version Control
Version Number Date Reason/Comments
V0.1 14th March 2007 First Draft
119 Dr. Magdy El Messiry

120. Technology Audit
APPENDIX IV
Template to use when writing an audit report
Table of Contents
letiT
IettiA
Dtti
120 Dr. Magdy El Messiry

121. Technology Audit
1. Executive Summary
A short abstract or executive summary here will help draw the reader‘s attention
to important issues.
2. Background/Introduction
Give the Background – Explain why you are doing an audit – was it a
response to concern or complaint, personal interest, national guidance,
repeat of previous audit etc. Give the criteria and standards that you are
using – Explain if you are auditing to national standards, such as NICE, NSF
etc or to established good practice or to a locally agreed standard. eg ―100%
of A&E patients must be assessed within 4 hours (national standard)‖
3. Aims & Objectives
This should state the aims and objectives of the audit and the question being
asked of the audit. Objectives should be measurable, achievable, realistic
and time limited.
4. Method
Give the methodology of your audit –you will want to describe both the size
of your audit and how you selected those who were involved. e.g. ―the first
th
10 patients attending the 13 May 2007 afternoon dental clinic were
selected‖ or ―20 notes of patients admitted to the ward in August 2007 were
selected at random”.
Ideally, there should be sufficient information for a person reading your report to
understand what you have done, and if need be, to repeat the audit themselves.
5. Results
Displaying the results
As a general rule the simplest ways of describing results are the best. Pie-
charts to show the various proportions of responses or bar charts to compare
one thing to another will work well. However, always give the raw numbers
as well as the percentages otherwise it might be over-simplified to the point
of being mis-leading.
e.g. Remember the advertising slogan, ―8 out of 10 cats prefer it‖.
This was a powerful statement indicating an 80% favourable rating,
Missing data
If you have missing data comment on why this happened. e.g.
―questionnaires were given to 10 patients in the waiting room. However one
121 Dr. Magdy El Messiry

122. Technology Audit
patient said he had felt unwell and didn‘t feel he could finish the
questionnaire. Sections 9 and 10 are therefore blank for this patient‖
6. Conclusions
Keep you conclusions short and too the point e.g. 95% of patients were
assessed within 48 hours
If you have had any problems with the audit, note them here.
7. Recommendations and Action plans
Make your suggestions as to how the service could be improved – either by
yourself or others
8. Disseminating information and presenting results
Give feedback to all concerned stakeholders. Ensure that all those that need
to know, know. Give positive feedback to all those involved. How are you
going to communicate your findings to others i.e. Circulate the report,
Newsletter, Intranet, Presentations, Open forums etc…
References
Acknowledgements
Give the name and profession of those involved in the Audit project
Appendix
Always attach your audit tool or questionnaire to your report as an appendix – this
will save a lot of explanation.
122 Dr. Magdy El Messiry

123. Technology Audit
Appendix V
Information Technology Audit Report
Alpha Beta Gama (ABC) Co Ltd
Internal Audit Group Division 2009
Audit Objectives:
To assess [Name of Company] compliance with the [Name of Standard] Standard
Overall conclusion:
Based on our observation we noted that the degree of compliance with [Name of
Standard] varied among [Name of Company] and the three Institutes that we
looked at. With the exception of business continuity planning, [Name of Company]
is compliant with [Name of Standard]. However, the three Institutes were less
compliant in key areas such as risk management and the certification and
accreditation of their systems.
Summary of Findings:
The audit team noted a number of strengths with respect to compliance with [Name
of Standard]. For example, [Name of Company] has specified the roles and
responsibilities for managing IT security. It has also issued a comprehensive set of
policies, procedures and standards for managing this function and instituted a
security-awareness program for its employees. [Name of Company] screens staff to
determine who will have access to which sensitive information, and has employed
security zones. These zones partition the network and provide higher levels of
security, depending on the sensitivity of information.
Detailed Findings and Remediation:
Recommendation:
To institute better monitoring and oversight of IT security, [Name of Company]'s
senior management should designate an IT Security Coordinator for [Name of
Company] who has responsibility and authority for IT security throughout the
organization.
Management Response:
Agreed; an IT Security Coordinator for [Name of Company] with organization-
wide responsibility and authority for IT security will be appointed following
consultation with the Senior Executive Committee (SEC). However, such a role
will need to be supported by a strong IM/IT governance structure in general and a
robust information security governance framework in articular. IM/IT governance
123 Dr. Magdy El Messiry

124. Technology Audit
will be addressed as part of a study that [Name of Company] has already initiated –
a comprehensive IM/IT review to examine the current IT service delivery model
and determine how [Name of Company] can enhance effectiveness and cost-
efficiencies in this area. More specifically, the study will be broad in scope,
encompassing all IM/IT services provided to [Name of Company] staff either
centrally by IMSB or locally by individual institutes, branches and programs.
Terms of Reference have been developed and approved by SEC; the Director
General for IMSB will co-lead this effort along with a Director General from a
research institute still to be determined. The issues around IT service delivery will
be examined and reported back to SEC by January 2008. Specific areas of
opportunity or concern will also be identified for further study in a subsequent
phase. It is anticipated that most of the audit recommendations will be addressed
within the context of this review.
Timelines and Deliverables:
124 Dr. Magdy El Messiry

125. Technology Audit
Reference
1. http://www.technology4sme.com
2. http://www.access-ecom.info/article.cfm?id=63&xid=MN
3. http://www.oxin.co.uk/downloads/taudit.pdf
4. http://www.strategicinformation.com/audit.htm
5. http://www.newventuretools.net/technology_audit.html
6. http://www.asosai.org/R_P_auditquality/chapter2.htm
7. http://www.managementstudyguide.com/swot-analysis.htm
8. http://greenhousegas.nsw.gov.au/documents/syn39.asp
9. http://tep- m.org/joomla_1.5.20/index.php?option=com_content&view=article&id=182:technology-
audit-resources&catid=41:other-projects&Itemid=63
10. http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/glossary/
11. http:// www.southwest-irc.org.uk
12. http://www.managementstudyguide.com/swot-analysis.htm
13. http://www.oxin.co.uk/downloads/taudit.pdf
14. http://www.adi.pt/docs/innoregio_techn_audits.pdf
15. http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/full-standards/
16. http://www.businessballs.com/swotanalysisfreetemplate.htm
17. www.qgcio.qld.gov.au/.../Information%20Standards/.../Templates/ISO1977
18. http://www.nmmu.ac.za/documents/theses/VlokN.pdf
19. http://www.theiia.org/guidance/standards-and-guidance/ippf/code-of-ethics/
20. http://www.theiia.org
21. http://www.urenio.org
22. http://www.clarity-dev.com
23. http://www.clarity-dev.com
24. http://www.newventuretools.net/technology_audit.html
25. http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/glossary/
26. http://pw1.netcom.com/~jstorres/internalaudit/ic_def.html
27. http://www.managementstudyguide.com/swot-analysis.htm
28. http://www.hc-sc.gc.ca/ahc-asc/alt_formats/pdf/pubs/audit-verif/2011-02/mrap_2011-02_rpad-eng.pdf
29. http://pw1.netcom.com/~jstorres/internalaudit/ic_def.html
30. http://www.gliffy.com/examples/SWOT/
31. http://www.managementstudyguide.com/swot-analysis.htm
32. http://www.whatmakesagoodleader.com/swot_analysis_examples.html
33. http://www.whnt.nhs.uk/document_uploads/CPRU/Auditreporttemp.pdf
34. http://www.whnt.nhs.uk/document_uploads/CPRU/Auditreporttemp.pdf
35. http://www.icsti.su/rus_ten3/1000ventures_e/business_guide
36. http://www.nctp.com/survivor_sample.pdf
37. http://biotsavart.tripod.com/swot.htm
38. http://www.aajassociates.com/servicesContent.asp?p=29&id=42
125 Dr. Magdy El Messiry

126. Technology Audit
126 Dr. Magdy El Messiry