Information Technology Audits
Given the pervasiveness of IT throughout the University (i.e., all major business processes relying on technology in some form or fashion), UT Internal Audit has resources skilled in working with systems-based internal controls. Following are the types of IT audit services our team can provide:
General Controls Reviews. This is an annual internal audit of computer controls impacting all application systems of the University. One can consider it a “report card” of the IT control environment. A general controls review includes areas such as data security, physical security, program changes, and contingency planning. UT’s external auditors are also required to review IT general controls during their annual audit. To that end, the external auditors will review the results of our general controls review and rely on it so they can perform a more efficient and cost-effective audit for the University.
Application Controls Reviews. These are reviews of a specific computer application or computer system (i.e., Banner, Lawson, etc.). A typical application controls review will focus on input controls (i.e., edit checks on data being entered), processing controls (accuracy, efficiency, and integrity), and output controls (security of reports, screens, and processed data, including data transmission and encryption).
Systems Development Life Cycle (SDLC) Reviews. SDLC reviews resemble consulting projects in that we advise on the quality of technology-based controls as they are being built into the application system under development (including post-implementation). Status reports are provided at key strategic points during the project. An SDLC audit is preferred over an application audit approach when possible, as it is less costly to build IT controls into a new system, versus reengineering the system afterward.
A typical SDLC review will include an independent review and evaluation of the testing performed by end users prior to implementation. As a service to these end users, we have prepared some General Testing Guidelines that we hope will be helpful in helping ensure that your testing is comprehensive, and that the system to be implemented is free from errors or "bugs"!
Continuous Controls Monitoring. As mentioned on the UT Internal Audit website, continuous controls monitoring uses IT query tools to identify transactions in the various application systems that suggest that further audit review is necessary. Our IT auditors are key resources in building this functionality.
Telecommunications Billing Reviews. The benefits of telecommunications billing reviews include overcharge recovery, support for contract reviews and negotiations, and finding errors in billing from telecommunications providers. Our internal auditors (in tandem with external subject matter experts as needed) will scrutinize telecommunications invoices for errors in taxes and regulatory fees, for billing services no longer being used, and other billing-type errors.
Systems Penetration Analysis and Information Security Reviews. With the support of the IT department, our internal auditors can perform penetration and security diagnostic reviews. The evaluation of UT security and controls can be compared to those of other organizations to provide comparative information. These projects may use “social engineering” and other techniques to gain access to computer systems or evaluate the implementation of application-level “role-based” security.
Disaster Recovery and Business Continuity Auditing. The Internal Audit department can review your existing plans for recovery and restoration plans from an unplanned IT or non-IT event. In addition, we can participate in the testing of your existing plan to assess the ability of the IT professionals and end users to function under a simulated a real disaster situation.
Functional Areas of Expertise. The UT Internal Audit staff have IT auditors that are experienced and capable of providing audit and advisory services in the following functional areas: managing information resources (including records and information, data and information, organizational knowledge) and managing information technology (including frameworks to align business and technology, technology solution implementation, user support, technical environment, security, and continuity of systems).