The problem with hard and fast rules about information system auditing is that each IT environment itself is unique (the snowflake theory). For example, each system will have the following ingredients.
- Centralisation
- Hardware
- Empowerment of users
- Software
- Size
- Customisation
- Operating System
- Managed In House
Another thing about IT risk is that the risks are both dynamic and overlapping.
When deciding what and how to audit the following should be considered
- Security, Effectiveness & Efficiency
- Whether issues are pervasive or system specific
- Whether to plan separately or as part of the overall internal audit plan
At the following links we describe an
IT audit plan and
some types of IT audit.
