How to plan the best IS audit strategy?

As the use of technology in finance and business has grown immensely, fraudulent activity and data leakage have skyrocketed. As a result, the role of the IS audit in verifying and validating the controls in such systems, and in maintaining legal compliance, has become invaluable.

A typical IS audit process includes the following stages:

  • Creating the audit plan
  • Selecting the audit procedures
  • Reporting and communicating audit results

The preliminary step of an IS audit is to fulfill the audit charter by planning the audit schedule, which determines which audits are to be planned and conducted.

Creating an audit plan requires a risk assessment that takes into account upcoming plans, past incidents, and the areas that concern management. At the same time, audit resources should be planned effectively and efficiently, and finally the audit should be scheduled at a time that is convenient for the business process.

So, audit planning can be summarized as:

  • Determine the scope of the audit.
  • What is the objective of the audit?
  • Are sufficient resources allocated to complete the audit process?
  • Are the auditee and the area under audit available to provide the requested support when needed?
  • What is the project timeline?

How to fulfill the objective of an IS audit?

Every audit process has a specific, defined objective.

It is based on:

  • Verifying that specific controls are in place.
  • Validating that the controls are working effectively, with proper input validation, configuration management, and output handling.
  • How is the CIA triad (Confidentiality, Integrity, and Availability) maintained?
  • Ensuring legal compliance with policies and procedures.
  • Are staff aware of processes and procedures? Do they have sufficient knowledge and skills?
  • Reviewing the documentation showing that policies and procedures are being followed.

Audit planning should be concerned with:

Audit Risk: The risk that the audit misses something.

Limitations: Unavailability of information, or of personnel to provide support.

Change in scope: Sometimes a new priority or a change may occur.

Reporting: Clearly articulate to whom the audit results are reported and who will be responsible for the resulting actions. Serious findings that may require immediate action should be reported promptly.

Use of external experts: Identify cases where an outside expert with the required tools and expertise in the respective field is needed, and make sure NDAs (Non-Disclosure Agreements) are in place to protect the information.

DON’T BE:

  • A checklist auditor.
  • An auditor who doesn’t know the subject area.
  • An unprepared auditor.

Audit Planning Process:

Always seek to understand how the business works:

  • Understand the business.
  • Evaluate the risks and challenges.
  • Review documentation like prior audits, policies & procedures, organization chart, laws, regulations, and standards.

Validate the risks:

  • Is the risk assessment up to date?
  • Is the risk scope aligned with the audit scope?
  • Review the risk register (What are the known risks? What is the inherent risk?)

Tips for Better Audit Planning:

  • Do not recommend controls that already exist or that are already being planned.
  • Determine the existing controls.
  • Inquire about the controls being planned.
  • Give credit for the controls that have already been worked on.
  • Notify the auditee of the schedule, duration, and required support such as system access, documentation and personnel, along with a description of the work to be performed and how it will provide value.

Double spending simply means spending the same money twice. For example, you enter a coffee shop and take a few sips of espresso. Now you take a $10 bill and pay for it. That $10 bill cannot simply be paid twice, because the ‘real’ $10 bill has been handed over from you to the waiter. You paid it and it’s gone from you, unless you steal it back from him or her (which has a minimal chance of happening and, of course, other severe consequences!).

By all means, that $10 note is gone from you and you have been given a cup of coffee in exchange (a true barter system, right!). Once you hand over that bill, the payment is instantly made and verified by the waiter.

But unlike our traditional way of paying, with cryptocurrencies like Bitcoin there is no human involved in confirming and verifying the payment you just made, so it can lead to the double spending problem. Since digital information can be easily reproduced, the same currency could be copied and spent twice, as there is no actual person to confirm the payment.

The main feature of Satoshi’s paper (Satoshi Nakamoto: the anonymous individual who pioneered Bitcoin through the Bitcoin white paper) was its unique solution to the double spending problem: a universal ledger system known as the blockchain.

Every single transaction made in Bitcoin is included in the shared ledger, or blockchain. Transactions are grouped into blocks that are stored in this ledger in an orderly fashion, with a timestamp attached to each block of transactions. That’s why it is known as the blockchain.

The blockchain gets longer and longer over time as more transaction records are added. It is maintained by the network of nodes that run the Bitcoin software. Since adding transaction records to the blockchain requires intense computation, it takes a certain amount of time to verify them. When a transaction block is added to this public ledger, every node on the network keeps a copy of the global ledger. This entire process requires an immense amount of computational power. It is really difficult to hack into the system, as its complexity increases every second. No one can bear the hardware and electricity cost single-handedly just to steal a single bitcoin from the blockchain, unless they control more than 50% of the hash power of the network.
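To make the ledger idea concrete, here is an added example (not from the original post, and not Bitcoin’s real data formats) of a toy ledger: only unspent transaction outputs can be spent, so presenting the same coin twice is rejected, and blocks are hash-linked so that rewriting an earlier block is detectable. The names `Ledger`, `sha`, `mint`, `spend` and `demo` are hypothetical; signatures and proof of work are deliberately left out.

```python
# Added example (constructed, hypothetical names; not Bitcoin's real formats):
# a toy ledger where only unspent outputs (UTXOs) may be spent and blocks are
# hash-chained, so the same coin cannot be spent twice or history rewritten.
import hashlib
import json

def sha(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.chain = []   # blocks, each linked to the hash of the previous one
        self.utxo = {}    # (txid, output index) -> (owner, amount)
    def _append_block(self, txs, timestamp):
        prev = sha(self.chain[-1]) if self.chain else "0" * 64
        self.chain.append({"prev": prev, "time": timestamp, "txs": txs})
    def mint(self, owner, amount, timestamp):
        # coinbase-style transaction: creates new coins and has no inputs
        tx = {"inputs": [], "outputs": [[owner, amount]]}
        self.utxo[(sha(tx), 0)] = (owner, amount)
        self._append_block([tx], timestamp)
        return sha(tx)
    def spend(self, tx, timestamp):
        # accept tx only if every input is a distinct, currently unspent output
        seen = set()
        for txid, idx in tx["inputs"]:
            if (txid, idx) in seen or (txid, idx) not in self.utxo:
                return False   # double spend, or reference to an unknown output
            seen.add((txid, idx))
        for key in seen:
            del self.utxo[key]   # consume the inputs
        for i, (owner, amount) in enumerate(tx["outputs"]):
            self.utxo[(sha(tx), i)] = (owner, amount)
        self._append_block([tx], timestamp)
        return True
    def is_valid_chain(self):
        # every block must reference the hash of the block before it
        return all(self.chain[i]["prev"] == sha(self.chain[i - 1])
                   for i in range(1, len(self.chain)))

def demo():
    ledger = Ledger()
    coin = ledger.mint("alice", 10, timestamp=1)
    pay = {"inputs": [[coin, 0]], "outputs": [["cafe", 10]]}
    first = ledger.spend(pay, timestamp=2)    # alice pays for the espresso
    second = ledger.spend(pay, timestamp=3)   # same coin again: rejected
    intact = ledger.is_valid_chain()
    ledger.chain[0]["txs"][0]["outputs"][0][1] = 100   # tamper with history
    return first, second, intact, ledger.is_valid_chain()
```

`demo()` returns `(True, False, True, False)`: the first payment is accepted, the replay of the same coin is refused, and the chain is valid until an old block is edited.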

The term DevOps is derived from combining two words, ‘Development’ and ‘Operations.’ In a world of silos, DevOps is a disruptive concept that brings a culture of collaboration. Of course, DevOps was born out of frustration with the division between the development team and the operations team.

The DevOps movement always gives preference to collaboration between people over processes and tools. In the DevOps philosophy, outcomes start appearing from ‘Day One’: people work on the changes rather than stressing over a plan.


In the past developing trends, the team used to works separately for a while, and the last task is accomplished by merging the changes. This made merging the changes made on the code ‘a headache’ and also resulted in bugs being accumulated for an extended period without being corrected. The final result was slowing the updates and extension of delivery time.

How does a simple DevOps scenario work?

Before initiating a project, the developers, testers and operations team meet and discuss how to create working software that can be readily deployed. After agreeing on the context and the working module, the development team delivers new code each day. The working module is pushed to a central repository using a version control tool like Git. Before each commit, developers may run local unit tests on the code as an extra verification step prior to integration.

Continuous Integration (CI) tools automatically build and run unit tests on new code changes to surface errors immediately. If the module passes its tests on the test server, deployment can be performed with a single button click.

Advantages of DevOps:

  • Through the concepts of microservices and continuous delivery, it is easier and faster to prepare a release update, which helps the business grow more efficiently.
  • The automation tools used in the release process help deliver innovation and improve the product more frequently and rapidly.
  • The system and application become more reliable and stable thanks to continuous integration (CI) and continuous delivery (CD) practices applied before changes reach end users.
  • Scalability is higher thanks to microservices and API design.

DevOps Practices:

Here are the top DevOps practices to follow according to your programming skills.

Continuous Integration:

Continuous integration (CI) is a DevOps practice in which programmers regularly merge their code into a central repository. Each version is committed to a repository such as Git, after which the code is automatically built and tested, and can then be pushed to the production servers. Merging is done regularly, and each version of the build is updated based on the test results.

Continuous Delivery:

You can’t just ask customers what they want and then try to give that to them. By the time you get it built, they’ll want something new.

Steve Jobs

CD completely redefines how a product is delivered to end users. Each time developers present an application module, it can be automatically built, tested and deployed to end users with a simple ‘push’ button. Adding or changing features just gets simpler.

MicroServices:

A monolithic application design always slows down application development as well as changes to the existing design, because all the services are tightly coupled and it is never clear what the impact on one part of the application will be when a change is made to another.

The basic principle of microservice architecture is to divide a single application into multiple services. Each service has its own scope, and any communication required between services is made through API ‘calls’.

Blue/Green deployment:

The basic concept of blue/green deployment is to have two identical production environments, where blue is ‘live’ and green is ‘idle’. This greatly reduces application downtime. A new version of the application is first deployed to the ‘green’ server. After successful testing on the green server, the required IPs are pointed to it and it goes ‘live’. If any problem occurs, the switch can be flipped back to the now ‘idle’ environment to direct all the traffic to it.

However, this approach might not be feasible where cost is a factor, or for database-dependent applications.
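The switch-and-rollback logic described above, as an added example (constructed for this page, not the code of any real deployment tool): a release goes only to the idle environment, must pass a health check there before the pointer flips, and a failure after the flip sends the pointer back to the previous environment, which is still intact. `BlueGreen`, `release` and the health check callback are hypothetical names; shared state such as a database is out of scope, which is exactly the caveat above.

```python
# Added example (constructed, hypothetical): a blue/green switch controller.
# Traffic follows self.live; releases are deployed only to the idle side.

class BlueGreen:
    def __init__(self, health_check):
        self.envs = {"blue": "v1", "green": None}  # environment -> deployed version
        self.live = "blue"
        self.health_check = health_check           # callable(env, version) -> bool
        self.history = []                          # audit trail of what happened
    @property
    def idle(self):
        return "green" if self.live == "blue" else "blue"
    def release(self, version):
        target = self.idle
        self.envs[target] = version                # deploy only to the idle side
        if not self.health_check(target, version):
            self.history.append(f"rejected {version} on {target}")
            return False                           # live side never saw the change
        previous = self.live
        self.live = target                         # flip the pointer
        self.history.append(f"switched to {target}:{version}")
        if not self.health_check(self.live, version):  # smoke test under live traffic
            self.live = previous                   # roll back: old env is still intact
            self.history.append(f"rolled back to {previous}")
            return False
        return True

def demo():
    # constructed health check: v2 is healthy, v3 fails its pre-switch check,
    # v4 passes the pre-switch check but fails once it is live
    calls = []
    def check(env, version):
        calls.append((env, version))
        if version == "v3":
            return False
        if version == "v4":
            return calls.count((env, version)) < 2
        return True
    bg = BlueGreen(check)
    results = [bg.release("v2"), bg.release("v3"), bg.release("v4")]
    return results, bg.live, bg.envs
```

`demo()` returns `([True, False, False], "green", {"blue": "v4", "green": "v2"})`: v2 went live on green, v3 never left the idle side, and v4 was rolled back so traffic still reaches the known-good v2.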

Chaos Monkey:

This practice was invented and popularized by Netflix. “What will happen when a monkey enters a data center? A monkey may randomly rip out cables and kick routers and servers.” This is the situation a DC operations team must be able to face in order to make a system resilient. Netflix developed a program that randomly shuts down a server, and IT managers need to mitigate this by keeping the system operational even without that server.

Developers always think of making a system more agile, while operations teams want the system to be more stable. So a delicate balance is required to maintain a good relationship between the development team and the operations team; otherwise it might blow up. A DevOps culture, with the help of numerous automation tools, can greatly add value from development through to deployment and satisfy end users on time.

Last but not least, DevOps is not a magic wand, and the transformation doesn’t happen overnight. By properly understanding the values of DevOps and making small incremental changes, we can embark on the DevOps journey right away.