With increased focus on cyber-security and consequently efforts by enterprises to ensure resilience against cyber-attacks and data breaches, it is critical that IS audit techniques evolve to ensure its continued importance and effectiveness as an independent assessor of an organisation’s control environment.

1. IT AUDIT
Evolve and Stay in the Game
1

2. Introduction
• Key takeaways:
• Current outdated IT audit methods being employed
• Risks of employing an outdated method
• Benefits of adapting audit approach
• Ways to adapt and evolve IT audit approach
2

3. What is IT Audit
• An IT audit is the examination and evaluation of an
organization's information technology infrastructure,
policies and operations.
• Information technology audits determine whether IT
controls protect corporate assets, ensure data
integrity and are aligned with the business's overall
goals.
3

4. IT Controls
• They are specific activities performed by persons or
systems designed to ensure that business objectives
are met.
• IT control objectives relate to the confidentiality,
integrity, and availability of data and the overall
management of the IT function of the business
enterprise.
4

5. IT Controls Categories
• IT controls are often described in two categories: IT
general controls (ITGC) and IT application controls.
ITGC include controls over the Information
Technology (IT) environment, computer operations,
access to programs and data, program development
and program changes.
• IT application controls refer to transaction processing
controls, sometimes called "input-processing-
output" controls.
5

6. IT Control Assessments
• What are the traditional method?
• The one size fits all approach
• Checklist approach
6

7. Evolution of IT Landscape and Associated
Risks
• How has the IT landscape evolved since?
• How has threat actors evolved since?
• Evolution of risks being faced?
7

8. Data the New Currency
• Your life can be deleted with the press of a button.
8

9. Data Protection
• Regulations
• Fines
• Compliance
• GDPR
• Reducing attack surface
9

10. What can you do to evolve your approach?
• IT Asset, Data and Business process classifications
• An in-depth analysis of risk exposures within your
organization based on classification.
• Ascertain how malicious attacks can be perpetrated
against these assets and processes
• Determine whether preventative or detective
controls are in place to mitigate these attacks.
• Assess and validate these controls through special
audits
10

11. Attack Path Mapping
• Listing IS assets by criticality, that potential attackers
could target
• Identifying paths an attacker could take to access IS
assets
• Validating attack paths identified through focused
technical testing
11

12. Attack Path Mapping (Cont’d)
• Identifying controls to decrease the likelihood of
attackers exploiting weaknesses and increase the
probability of detection
• Assessing how preventive controls can reduce
opportunities and create ‘choke points’
• Identifying opportunities and recommending
controls that will make attacks more arduous and
present a higher chance of detection.
12

13. Benefits
• Identifying key risk mitigations
• Uncovering new vulnerabilities or legitimate
processes that could be exploited
• Saving time on implementing controls or embarking
on remediation that does not materially reduce risks
• Verifying the effectiveness of overall security
controls, to determine true exposure
• Providing assurance by testing extant controls
against modern attack techniques
13

14. Conclusion
What's next for auditors?
• Determine whether or not your IT audit approach is
effective in assessing and evaluating todays IT
environments.
• Ascertain whether additional skills sets are needed
What’s next for business?
• Consider audit as critical to your business achieving its
short term and long term strategic objectives
• Auditors are not the enemy, they’re there to help ensure
the integrity of business processes and reduce risk
exposures that might be detrimental to your business
14

15. Questions
15