Methods and Techniques of Quality Management for ICT Audit Processes
Marius Popa
Department of Computer Science in Economics, Academy of Economic Studies, Faculty of Cybernetics, Statistics and Economic Informatics
Piaţa Romană no. 6, Bucharest
In modern organizations, Information and Communication Technologies (ICT) are used to support the organizations' activities. To manage the quality of the organization's processes, audit processes are implemented. The audit processes can also target the quality of the ICT systems themselves, because of their involvement in the organization's processes. The paper investigates the ways in which quality management can be applied to audit processes in order to obtain a high level of quality for the audit recommendations.
Keywords: ICT audit, quality management, quality implementation.
1. ICT Audit Process Framework
In [3], [6], [7], [8], [9], [10], [11], [12], [13], [14], [15], [16] and [17], the computer audit terminology, framework, methodologies, audit methods and techniques are highlighted. The audit concept signifies the evaluation of an organization's processes and controls. The evaluation is made against standards or documented processes. As a result, an independent assessment is provided to evaluate the system or process [18].

IT security audit is a form of computer audit during which controls regarding the IT security of the system or process are implemented. It represents a systematic evaluation of the IT system or process security, to assess the measure in which it conforms to the established criteria.

Depending on who performs the audit, the computer audit has two forms:
- Internal audit is made by an audit team that belongs to the organization; the audit reports represent a tool for senior management to adjust the system or processes to documented specifications or the organization's strategies; internal audit reports contain advice and other opinions about the state of the audited system or processes; the internal audit team has limited capabilities to investigate all aspects, and the audit restricts its advice to the competencies of the audit team;
- External audit is made by an independent audit team; this team does not have the capability to alter or update the audited system or processes [18]; a set of accepted principles must be considered to guide the audit client towards how the system should look; such a framework is represented by COBIT, which indicates the maturity of the system against external standards.

COBIT is a control framework to research, develop, publicize and promote IT governance [5]. Management wants more information about the IT&C field, to understand how IT systems are operated so as to increase the competitive advantages of the organization. IT systems increase the benefits of an organization and introduce new risks that should be understood by management. A control framework should be considered to ensure the following elements [5]:
Journal of Mobile, Embedded and Distributed Systems, vol. III, no. 3, 2011, ISSN 2067
- Linking to the business requirements;
- Transparency of the performance against the business requirements;
- Organizing the activities into an accepted process model;
- Identifying the major resources;
- Defining the management control objectives.

The stakeholder categories served by the control framework are [5]:
- Stakeholders who have an interest in generating value from IT investments; they are the ones who:
  - Make investment decisions;
  - Decide about requirements;
  - Use IT services;
- Stakeholders who provide IT services; they are the ones who:
  - Manage the IT organization and processes;
  - Develop capabilities;
  - Operate the services;
- Stakeholders who have a control or risk responsibility; they are the ones who:
  - Have security, privacy and/or risk responsibilities;
  - Perform compliance functions;
  - Require or provide assurance services.

The COBIT control framework has the following characteristics [5]:
- Business focus, to enable alignment between business and IT objectives;
- Process orientation, to define the scope and extent of coverage;
- Consistency with IT good practices and standards;
- Supplying a common language, with definitions understandable by all stakeholders;
- Consistency in meeting regulatory requirements.

The COBIT control framework considers the following information criteria to satisfy the business objectives [5]:
- Effectiveness: information should be relevant and pertinent, and must meet the following characteristics: opportunity, correctness, consistency and usability;
- Efficiency: information should be obtained with an optimal use of resources;
- Confidentiality: sensitive information is protected from unauthorized disclosure;
- Integrity: information should be accurate, complete and valid, in accordance with business values and expectations;
- Availability: information should be available when the business process requires it;
- Compliance: information should be in accordance with the laws, regulations and contractual arrangements, externally imposed business criteria and internal policies;
- Reliability: information should be operational for management.

An audit must follow a rigorous program. Each step of the audit process must be documented and justified. Also, the program should conform to established criteria to meet the audit objectives. Some characteristics of an audit program are presented in [18], as follows:
- Flexibility, and permission for the auditor to use judgment to deviate from the prescribed procedures; when a major deviation is proposed, management must be informed;
- Not cluttering the audit program with readily available information; it is recommended to make references to the external information sources instead;
- Avoidance of unnecessary information; only the necessary information about how the process is carried out is included in the audit program.

The information used to elaborate the audit program is included as an introduction to the final report to the audit client. This information addresses the following issues [18]:
- Introduction and background: this section contains information about the audit client concerning activities, function, history and objectives, principal locations and sites;
- Purpose and scope: included early in the process; specifies the types of services and tests included in the process, and any excluded services or systems;
- The goals of the audit process are clearly stated; the reasons and outcomes of the process are documented;
- Definition of terms: terms and abbreviations used within the report are defined or explained; this is important for those who use the report in other audit processes; also, distribution of the report to different parties imposes this section in the audit program;
- The procedures that will be followed are stipulated in the program; the stipulation should not restrict the professional judgment of the auditors.

Time management is an important requirement for the audit program. The characteristic of opportunity is a critical one to ensure a quality audit program. A late audit program, or one delivered close to the deadline, could fail. There are many types of computer audit and many standards that can be used as evaluation criteria for auditing systems and processes.

Implementation of an audit process is made through controls. A control is the process that gives evaluations of the audit object. In [8], the IT&C areas in which the audit team implements controls and reviews are presented; these areas are:
- IT&C strategy;
- IT&C organizing;
- Application management;
- Service management;
- Data and database management;
- Computer network management;
- Hardware and workstation management;
- Computer operation management;
- Security management;
- Business continuity management;
- Asset management;
- Change management;
- Solution development and implementation.

The computer audit process uses standards or documented processes as criteria to assess systems or processes. In the IT&C security field, one of the most important standards is ISO/IEC 17799. This standard approaches audit issues regarding:
- Information technology;
- Security techniques;
- Code of practice for information security management.

The ISO/IEC 17799 standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization [4]. The following controls are considered to be common practice for information security, as they are defined in [4]:
- Information security policy document;
- Allocation of information security responsibilities;
- Information security awareness, education, and training;
- Correct processing in applications;
- Technical vulnerability management;
- Business continuity management;
- Management of information security incidents and improvements.

The IT security audit identifies the weaknesses within the IT system of an organization. It is an organized, supervised and focused process to obtain information about the system vulnerabilities and to base on it an action plan to manage the system risks. Also, the IT security audit indicates improvement and corrective actions which senior management should implement to ensure the effectiveness of the processes carried out within the organization.
2. Issues of Quality Management
The ISO 8402-94 standard defines quality as: "The set of characteristics of an entity that give that entity the ability to satisfy expressed and implicit needs".
In the ISO 9000:2000 standard, quality is defined as: "The ability of a set of intrinsic characteristics to satisfy
There are two types of quality [22]: