Why Does the IS Auditor Require It?
Apr 23, 2024
During one of my audits, a client's HR department inquired, "Why do I need an IT organogram and IT job descriptions?"
Here is why!
As an Information Systems (IS) auditor performing IT General Controls (ITGC) assessments, requesting an IT organogram and the job descriptions of key IT team members is essential for several reasons, in line with ISACA (Information Systems Audit and Control Association) guidance:
1. Understanding Organizational Structure:
- IT Organogram: An IT organogram (also known as an IT organizational chart) provides a visual representation of the IT department's structure. It outlines reporting lines, roles, and responsibilities within the IT function.
- Why? Understanding the organizational hierarchy helps us, as IS auditors, identify key personnel, their reporting relationships, and the distribution of IT responsibilities. This knowledge is crucial for assessing segregation of duties (SoD) and for spotting potential conflicts of interest, such as a team that both operates a control and reviews it.
2. Segregation of Duties (SoD) Assessment:
- What is SoD? SoD ensures that no single individual has control over incompatible functions (classically authorization, custody, and record-keeping; in IT terms, for example, writing code and deploying it to production, or administering a system and reviewing that system's logs).
- Why? By reviewing the IT organogram and mapping it to the access people actually hold, we can assess whether SoD is appropriately maintained. We can identify where critical functions are concentrated in one person or team, or where the structure provides no separation at all.
3. Job Descriptions and Responsibilities:
- Job Descriptions: These documents outline the specific duties, qualifications, and expectations for each IT role.
- Why?
- Risk Assessment: We use job descriptions to understand the scope of each role. This helps us assess the risk associated with specific positions (e.g., system administrators, network engineers, database administrators), which typically carry privileged access.
- Control Testing: We compare actual job responsibilities, and the access that goes with them, against the documented job descriptions. Discrepancies in either direction (access that the description does not justify, or documented duties that nobody exercises) may indicate control weaknesses.
- Compliance with Policies: Job descriptions often reference policies and procedures. We verify whether employees adhere to these guidelines.
4. RACI Matrix:
- In ITGC assessments, understanding roles is critical. A RACI matrix helps define who is Responsible for operating each control, who is Accountable for its outcome and for compliance, who needs to be Consulted, and who should be Informed. Without it, control ownership is often assumed rather than assigned.
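To make items 2 and 3 concrete, the following Python script is an added example (not code from the original post, and not an ISACA artefact). It runs the two checks an auditor performs in practice: an SoD conflict check that flattens each person's roles into the functions they can perform and flags any pair the incompatibility matrix forbids, and a job-description comparison that reports access a person holds beyond the documented duties, or documented duties with no matching access. All roles, users, functions and the incompatibility matrix are constructed sample data; in a real engagement the role assignments would be exported from the directory service or the application's user listing.

```python
"""SoD and job-description consistency checks over constructed sample data.

Added example for illustration. Every role, user and function name below is
made up; nothing here is taken from a real client or from ISACA material.
"""
from itertools import combinations

# Incompatible-function matrix: pairs that must never sit with one person.
INCOMPATIBLE_PAIRS = {
    frozenset({"develop_code", "deploy_to_production"}),
    frozenset({"authorize_change", "deploy_to_production"}),
    frozenset({"administer_system", "review_admin_logs"}),
    frozenset({"maintain_vendor_master", "approve_payment"}),
}

# Roles as they appear on the (hypothetical) organogram -> functions granted.
ROLE_FUNCTIONS = {
    "developer": {"develop_code"},
    "release_manager": {"deploy_to_production"},
    "change_approver": {"authorize_change"},
    "sysadmin": {"administer_system"},
    "security_analyst": {"review_admin_logs"},
    "ap_clerk": {"maintain_vendor_master"},
    "finance_manager": {"approve_payment"},
}

# Actual role assignments, as an export from the directory would show them.
USER_ROLES = {
    "alice": {"developer", "release_manager"},   # writes code and ships it
    "bob": {"sysadmin", "security_analyst"},     # reviews his own admin logs
    "carol": {"change_approver"},
    "dave": {"ap_clerk", "finance_manager"},     # creates vendor, approves payment
}

# What the documented job descriptions say each person should do.
JOB_DESCRIPTIONS = {
    "alice": {"develop_code"},
    "bob": {"administer_system"},
    "carol": {"authorize_change"},
    "dave": {"maintain_vendor_master", "approve_payment"},
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Flatten a user's roles into the set of functions they can actually perform."""
    functions = set()
    for role in user_roles.get(user, set()):
        functions |= role_functions.get(role, set())
    return functions


def find_sod_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                       incompatible=INCOMPATIBLE_PAIRS):
    """Return {user: [sorted conflicting pairs]} for every user who holds two
    functions that the incompatibility matrix marks as a conflict."""
    conflicts = {}
    for user in user_roles:
        held = effective_functions(user, user_roles, role_functions)
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(held), 2)
                if frozenset(pair) in incompatible]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def job_description_gaps(user, job_descriptions=JOB_DESCRIPTIONS,
                         user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Compare documented duties with effective access.

    Returns (undocumented, unexercised): functions the person can perform that
    the job description does not mention, and documented duties for which no
    access exists. Either is a discrepancy the auditor follows up.
    """
    actual = effective_functions(user, user_roles, role_functions)
    documented = job_descriptions.get(user, set())
    return actual - documented, documented - actual


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts().items():
        print(f"SoD conflict: {user} holds {pairs}")
    for user in USER_ROLES:
        extra, missing = job_description_gaps(user)
        if extra or missing:
            print(f"JD mismatch: {user} undocumented={sorted(extra)} "
                  f"unexercised={sorted(missing)}")
```

Note what the two checks catch separately. Alice and Bob show up in both: their access exceeds their job descriptions and the excess creates an SoD conflict. Dave passes the job-description comparison, because his description itself combines vendor maintenance with payment approval, yet he is still an SoD finding; a documented conflict is a design weakness rather than an access-provisioning error, and the two are reported differently.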
The above is part of the email response I composed in a short span of time; do let me know if you would like me to add some more.