Abstract
According to modern corporate management theory, ensuring information technology’s effective and safe use in a market economy is a crucial task. The effective fulfillment of this task is only possible with a systematic approach based on the advanced internal control and risk management methodology. This approach became the basis for the IT management system audit project. The primary value and purpose of this study is the risk-oriented application of audit criteria, allowing to consider the specifics and scope of the organization. In the audit, those places of information systems infrastructure, which can entail a series of risks to the business, were identified. Consequently, it allowed the formation improvements for the IT management system – assessments and recommendations.
Introduction and Background
Modern equipment is quickly becoming obsolete and beginning to slow down business development. Processes that seemed streamlined and transparent are becoming a tangled mess. Interconnections become complicated, and control over some systems is already lost, but an independent audit can help regain control over IT. IT infrastructure audit is a complex of actions for inventory, research, and analysis of all information system components. The infrastructure is assessed for compliance with the company’s requirements and the need and possibility of modernization. An indispensable part of the audit is to test the system for reliability and security (anti-virus protection, archiving, and protection against unauthorized access). The audit allows one to calculate the service cost and make a qualified plan for developing the customer’s information system for several years ahead.
Problem Statement
IT infrastructure development is often an improvisational and inconsistent process. It means changes are made depending on current circumstances, business needs, and short-term forecasts. Building IT infrastructure rarely precedes the creation of a long-term development plan, which is a significant problem for many businesses. Such improvisational development is inevitably accompanied by the implementation of temporary and ill-conceived solutions, which do not bring the proper positive effect at a distance. Accumulating, they significantly reduce the efficiency of the IT infrastructure and increase IT costs.
This problem will only progress in the future, so urgent action is necessary. Therefore, an audit will be conducted, during which the company’s most important areas will be evaluated and analyzed. It will include infrastructure, personnel, equipment, user satisfaction, and alignment of current IT systems with the company’s development strategy. The audit and IT report are a necessity in the process of IT development as it provides the client with all the necessary information and contributes to risk minimization and business success.
Objectives of the Project
The project assumes a multi-stage process of verification of many processes of the company with the help of a specific methodology. It should be understood that the strategic audit of information systems is not only an assessment of the resource availability of information systems in the long term (Fullana & Ruiz, 2021). Among the tasks of the project is also the identification of possible risks and problem areas that are associated with business processes and their development. The primary purpose of the project is to assess the state of the IT infrastructure management system of the organization.
Moreover, this assessment allows you to predict the company’s future business processes and information systems. Such work makes it possible to determine which production facilities should be used during the planning phase, how to form reserves, calculate the need for human resources, determine the budget and make strategic settings for implementing some regions of the company’s activities. Firstly, information system audit is designed to obtain an objective and independent assessment of its protection from external and internal attackers. Moreover, it provides the formation of organizational and administrative documentation describing the powers and responsibilities of the organization’s employees having access to the information system.
Literature Review
Information systems’ effectiveness depends on how well they are protected in terms of information security. After all, according to many studies, 70% of attacks are aimed at business applications and databases of organizations (Huang & Vasarhelyi, 2019). In the case of a failure of the IT infrastructure, the company itself will suffer. The main risks include a decrease in overall productivity, a drop in service quality, and additional financial costs. To avoid these dangers, conducting periodic audits of information systems is necessary. Researchers share the opinion that the result of an IT audit is a report detailing all the parameters describing the state of the IT infrastructure or any of its components, depending on the type of audit (Huh et al., 2021). Furthermore, most often receives recommendations to improve the examined parameters and minimize the risk of failures, reducing efficiency.
There are two main stages during an IT audit – IT audit planning and IT audit implementation. Works that are part of IT audit planning can include analysis of the structure of different business processes, information system platforms, role structure, responsibility distribution, business risks, and business strategies (Xiao et al., 2020). Furthermore, at this stage, IT risks are identified, and the level of control of the audited business processes is evaluated.
Owing to IT audit professionals’ activities, the available control mechanisms in the sphere of IT audit are identified; all procedures related to information collection and analysis are documented (Berdik et al., 2021). Likewise, in IT auditing of information systems, the assessment of the effectiveness of existing management mechanisms in performing the assigned tasks is performed. Moreover, detailed testing is performed, which allows further corrective actions to ensure the optimal condition of the IT management system.
Methodology Adopted
In particular, the basis of the entire study is the best practices of IT audit ITAF. At the same time, these standards allow to cover only critical aspects of the audit, and for the realization of additional tasks, other methods were used. During the audit, which allows for assessing the current state of the company’s information systems, control mechanisms, and business processes, the algorithm, consisting of several works, was executed.
Firstly, a risk-oriented program for the audit was formed. Secondly, a self-assessment and interviews with the company’s employees were conducted. Then observations of the activities and documentary evidence of the conducted work were carried out. It was followed by an assessment of the level of consistency of IT processes and the residual level of risk associated with such processes. The work sequence in the IT audit methodology is significant and depends on it. As a result of the audit, conclusions and recommendations were made, an audit report was prepared, and the materials obtained were presented to the customer.
Project Findings
The audit revealed several drawbacks and peculiarities of the company’s work that could be improved. The company’s e-mail server is based on MS Exchange, and the clients on the employees’ workstations, MS Outlook, are set to use POP3 and SMTP protocols. However, access to mailboxes from outside via Outlook Web Access (OWA) or ActiveSync is not implemented. All company mail is stored on employees’ local workstations. Backup of mail messages (mailboxes) regularly needs to be implemented. An internal portal is based on MS Office SharePoint Server, but its employees seldom use it. Backup databases are stored outside the company by a 1C specialist.
Current system administrators do not take part in backup procedures and restore procedures. Internet access is provided without antivirus protection at the proxy server level. The head office hosts two controllers. Until recently, each branch office had one domain controller, which also housed a VPN server. At the time of the audit, the branch office domain controllers were suspended. From time to time, domain controllers are taken out of service due to a high number of errors, and as a consequence of the denial of service, a new domain controller is put in place of the withdrawn one.
The architecture of the IT environment is built without a clear concept and understanding of how it should be. Essential components of the IT environment (e.g., domain controllers) are subjected to frequent and unreasonable changes that carry high risks. The model for connecting branch offices and employees to the primary office often changes and needs a clearer concept. Moreover, server resources are underutilized. Short-term risks include the failure of any component of the IT environment, either at the hardware or the application level, resulting in an interruption in the delivery of business-critical services to the company’s employees. In the long run, the loss of essential data for the company and its impossibility of recovering in principle should also be considered.
Recommendations
As an alternative, the development of the IT environment architecture of the company is supposed to take into account the current needs of the business and the transfer of the project for implementation by the specialists of the IT department of the company. In this option, the success of the project depends to a greater extent on the competence of the IT specialists of the company. It is possible a one-time event of the normalization and optimization of the IT environment of the company, including the configuration of applications, fixing the current state by identifying application errors and their elimination and developing rules and procedures for IT management.
As a final step, the transfer of IT environment management to the IT specialists of the company. In this variant, the event’s success will depend on the competence of the IT specialists in the maintenance of the built IT environment and the absence of ill-considered initiatives to change the IT environment. The safest and most correct variant, considering the current situation, is outsourcing business-critical applications (corporate mail, 1C, ActiveDirectory, Internet access). In this option, the company’s business will consume services on a functional level without thinking about what is behind it and may be able to focus entirely on the business itself.
Conclusion
Every year, the information technology field is becoming more complex. At the same time, maintaining information systems must take a sufficiently large amount of time and effort, but only some companies can afford such costs. In this case, companies sometimes get the appropriate effect if we compare the costs, the work performed, and the result of such activity. During the audit process, you can identify those places of the infrastructure of information systems, which may entail several risks for the business. In the project, the company’s performance was evaluated, based on which the recommendations were formed, and the evidence of the feasibility of their implementation is evident.
References
Berdik, D., Otoum, S., Schmidt, N., Porter, D., & Jararweh, Y. (2021). A survey on blockchain for information systems management and security. Information Processing & Management, 58(1), 102397. Web.
Fullana, O., & Ruiz, J. (2021). Accounting information systems in the blockchain era. International Journal of Intellectual Property Management, 11(1), 63-80. Web.
Huang, F., & Vasarhelyi, M. A. (2019). Applying robotic process automation (RPA) in auditing: A framework. International Journal of Accounting Information Systems, 35, 100433. Web.
Huh, B. G., Lee, S., & Kim, W. (2021). The impact of the input level of information system audit on the audit quality: Korean evidence. International Journal of Accounting Information Systems, 43, 100533. Web.
Xiao, T., Geng, C., & Yuan, C. (2020). How audit effort affects audit quality: An audit process and audit output perspective. China Journal of Accounting Research, 13(1), 109-127. Web.