Information Technology Audit and Assurance


In today’s world, technology is an integral part of every organization and underpins almost every piece of data, every transaction or calculation, and every process or business activity. As internal auditors, we need a basic understanding of underlying information technology (IT) concepts and operations. Without this, we will not fully comprehend IT objectives and the associated risks, and we may lack the ability to assess or audit the design or effectiveness of controls related to those risks.

The Information Technology Audit and Assurance unit of Masegare & Associates Incorporated provides services that address organisations’ exposure to new and emerging risks stemming from changes in the environment in which businesses operate as they become more dependent on technology to support business processes. As IT environments within organisations become more complex and more critical for normal business operations, some of the IT risk exposures that Masegare & Associates Incorporated is able to assess for its clients include:

  • IT Governance Overview
  • Full dependence or reliance on services provided by application system vendors
  • Inadequate level of information security for the environment, which could lead to system vulnerabilities
  • Inadequate level of user management within the IT applications which could lead to data leakage, loss or manipulation
  • Limitation of normal operations due to unreliable systems availability

 

IT Audit and Assurance

Masegare & Associates Incorporated provides IT audits of organisations’ IT environments, either independently or in cooperation with the organisations’ external or internal audit functions. These audits examine the IT environment and the internal processes followed within it, assess the design of internal controls, conclude on the adequacy and effectiveness of controls, and provide suggestions for addressing those risks that are not being managed appropriately.

Some of the IT Audit and Assurance services we offer include:

An evaluation of IT processes and activities to determine whether controls are in place to manage the needs of the business while providing the necessary assurance over business processes and underlying systems, including:

  • Application control reviews
  • Risk management review, including the IT activity’s processes to identify, assess, and monitor/mitigate risks within the IT environment
  • Assessment of firewall-related controls implemented
  • Assessment of server configuration
  • Conversion reviews
  • General control reviews
  • IT governance reviews
  • Review of IT policies, including IT controls and their existence
  • Assessment of controls over IT responsibilities, including definition, assignment and acceptance (segregation of duties, SoD)
  • Network vulnerability assessments
  • Project pre-implementation, implementation and post-implementation reviews
  • Software license management reviews
  • System development life cycle reviews
  • User access reviews

IT Advisory Services

Masegare & Associates Incorporated also provides IT advisory services to address issues related to both risk and performance improvement by assisting management in the development and implementation of:

  • IT Organizational Structures
  • IT steering committee setup
  • IT governance frameworks
  • Information Security & Infrastructure
  • IT policies, procedures, and processes
  • IT programme and project management
  • IT risk frameworks & registers
  • IT strategies
  • Responses to IT audit queries to ensure IT compliance

Data Analytics

Change can be difficult for anyone, and the world hates change, yet it is the only thing that has brought progress. This adage is particularly true when it comes to moving beyond the tried-and-true methods of manual auditing towards computer assisted audit techniques (CAATs) and the use of data analysis. Because all organizations today are impacted by IT in various forms, it is nearly impossible to conduct an effective audit without using technology. The current audit standards already require consideration of the use of data analysis for various good reasons: for example, data analysis allows us to view high-level organizational operations and drill down into the data, and it can be used throughout all phases of an audit.

Our data analytics service comprises processes and activities designed to obtain and evaluate data to extract useful information. These results may be used to identify areas of key risk, i.e. fraud, errors or misuse, improve business efficiencies, verify process effectiveness and influence business decisions. Masegare & Associates Incorporated offers data analytics services in response to ad hoc requests or through the implementation of continuous auditing processes.

Computer Assisted Audit Techniques (CAATs)

Businesses may process thousands or even many millions of transactions every year. To properly test that controls are operating effectively and consistently is virtually impossible using traditional audit methods. CAATs allow auditors to determine whether a control has operated effectively for every transaction as easily as testing a single one using traditional methods.

Continuous Auditing

Continuous auditing is an automated method used to perform auditing activities, such as control and risk assessments, on a more frequent basis. Technology plays a key role in continuous audit activities by helping to automate the identification of exceptions or anomalies, analyse patterns within the digits of key numeric fields, review trends, and test controls, among other activities. Not only does it enable the integrity of information to be evaluated at any given point in time, it also means that the information is able to be verified constantly for errors, fraud, and inefficiencies. The activity is continuous in that it allows for testing throughout the year as opposed to an end of year snapshot.

Cybersecurity Governance & Data Protection Risk

As the business world becomes digitally interconnected, cyber security and data protection have become priorities for most organisations. Cyber threats are complex and often costly challenges that few companies can afford to suffer. The MAI specialists will help to put systems and processes in place which will make you feel confident that your business is protected.

Our approach

With technology evolving at a fast pace, it is more important than ever to protect your systems and data. Security challenges are constantly arising, making it more difficult to protect data and information from theft, damage, and misuse. Cyber security breaches can have significant financial, reputational, and legal consequences for organisations. With the number of cyber threats escalating, it has become one of the largest concerns for a wide range of stakeholders including boards, investors, and customers. Successfully managing threats to systems and data requires a proactive and adaptive approach.

Our team of technology and cyber specialists will help you to implement a framework that will enable you to monitor key activities adequately and continuously, and put you in a position to react quickly to cyber-attacks as they emerge. We will help you assess your internal and external cyber risks, as well as develop and strengthen your cyber security and resilience.

We have developed a suite of privacy and data protection offerings to help our clients meet their regulatory and compliance needs. Each is tailored to ensure maximum benefit. We believe that compliance should be achieved with minimal business disruption, as this is another form of penalty that should be considered in addition to potential fines for non-compliance. We take the time to understand your organisation and can help wherever you are in your compliance journey.

We can offer:
  • Cyber risk assessments and programme reviews
  • Cyber breach readiness assessments
  • Cyber security maturity assessment
  • Cyber security compliance and audit
  • Cyber security open source intelligence (OSINT)
  • Cloud adoption assessment and support
  • Cyber resiliency and business continuity
  • Vulnerability assessments and penetration testing
  • Red teaming assessments, including physical social engineering, scenario based testing, phishing services & purple teaming
  • Hardware and OT/IoT security testing, and code reviews
  • Incident response, including incident response retainers, incident readiness & post incident review
  • Privacy and data protection audits, reviews, compliance and maturity assessments
  • Privacy and data protection advisory and technical services
  • Compliance with electronic communication laws
  • Data privacy and protection, advisory, compliance and audit
  • Data protection officer services
  • Cyber security awareness training for boards and audit committees
  • Security audits against recognisable frameworks
  • ISO 27001 and PCI-DSS readiness assessments and support
  • Security architecture reviews
  • Identity and access management (IdAM), etc.

IT Governance

Helping you create a resilient framework and culture that keeps you a step ahead of uncertainty. The business and regulatory environment is in a constant state of change. Navigating these complexities and seizing opportunities requires new approaches and rethinking the way you do business. We can help you transform your governance framework so that you are resilient to risks and can meet and exceed stakeholder expectations.

Our approach

Good governance forms the foundation of resilient and sustainable organisations and enhances confidence in the marketplace. The stronger your governance framework, the better your organisation will respond to external challenges and emerging risks.

At MAI, we can help you align your governance framework with your performance drivers and your desired corporate culture. This ensures your business reaches its full potential and meets expectations of shareholders, regulators and financiers alike. The importance of cultural tone at the top is undiminished. Our team will work with you to understand your objectives and develop a framework that meets your obligations, expresses your values and contributes to positive outcomes. With our global footprint, we offer a team of specialists who have an international perspective and can provide you with actionable insights into governance, risk and strategy that suit your long-term ambitions.

Our experts can help you to:
  • Create effective and efficient governance
  • Identify, articulate and enhance your business culture and governance
  • Develop clear and effective decision-making

Forensic Auditing / Fraud Investigations

Fraud negatively impacts organizations in many ways, including financial, reputational, psychological and social implications. Depending on the severity of the loss, organizations can be irreparably harmed by the financial impact of fraud activity. It is therefore important for organizations to have a strong fraud program that includes awareness, prevention, and detection programs, as well as a fraud risk assessment process to identify fraud risks within the organization.

Masegare & Associates Inc. has been helping clients with fraud-related audits, including: the evaluation of risks faced by their organizations, based on audit plans with appropriate testing; assistance with the deterrence of fraud by examining and evaluating the adequacy and effectiveness of risk management; management assurance in establishing effective fraud prevention measures, by knowing the organization’s strengths and weaknesses and providing consulting expertise; conducting the initial or full investigation of suspected fraud; root cause analysis and control improvement recommendations; monitoring of a reporting/whistle-blower hotline; providing ethics training sessions; and testing the operating effectiveness of fraud prevention and detection controls.

Our fraud investigation reporting consists of the various oral, written, interim, or final communications to senior management and/or the board regarding the status and results of fraud investigations. Reports can be preliminary and ongoing throughout the investigation. Our reports may also include the reason for beginning an investigation, time frames, observations, conclusions, resolution, and corrective action taken (or recommendations) to improve controls. Depending on how the investigation was resolved, our report may need to be written in a manner that provides confidentiality for some of the people involved. In writing the report, our investigator will consider the needs of the board and management while complying with legal requirements and restrictions, and the organization’s policies and procedures.