An information system is not just a computer. Today’s information systems are complex and have many components that piece together to make a business solution. Assurances about an information system can be obtained only if all the components are evaluated and secured. The proverbial weakest link is the total strength of the chain. The major elements of ICT audit can be broadly classified as follows:

  1. Physical and environmental review -- This includes physical security, power supply, air conditioning, humidity control and other environmental factors.
  2. System administration review --This includes security review of the operating systems, database management systems, all system administration procedures and compliance.
  3. Application software review -- The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.
  4. Network security review -- Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
  5. Business continuity review -- This includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity plan.
  6. Data integrity review -- The purpose of this is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).

All these elements need to be addressed to present to management a clear assessment of the system. For example, application software may be well designed and implemented with all the security features, but the default super-user password in the operating system used on the server may not have been changed, thereby allowing someone to access the data files directly. Such a situation negates whatever security is built into the application. Likewise, firewalls and technical system security may have been implemented very well, but the role definitions and access controls within the application software may have been so poorly designed and implemented that by using their user IDs, employees may get to see critical and sensitive information far beyond their roles.