
A Case Study in Developing an Internal Audit Plan - Solution

Company Overview
InnoTech Ltd., a leader in renewable energy technologies, operates in a fast-paced and evolving industry. The company, established 15 years ago, has
carved a niche in developing and implementing innovative energy solutions.
Its product line is diverse, encompassing solar panels, wind turbines, and
advanced energy storage systems. Beyond manufacturing, InnoTech also
extends its expertise to consulting and maintenance services, ensuring the
optimal performance of its energy solutions.
With its headquarters in the United States, InnoTech’s operations span
across more than 20 countries, including significant markets in Europe, Asia,
and South America. This international presence is pivotal to the company’s
business strategy, allowing it to access varied energy markets and adapt to
different regional energy demands.
The company’s workforce of around 8,000 employees is a blend of talent,
including engineers, researchers, sales professionals, and various support
roles. Organized into distinct divisions such as Research and Development
(R&D), Manufacturing, Sales and Marketing, and Customer Support, each
sector contributes uniquely to InnoTech’s overall success.
InnoTech’s IT infrastructure is a cornerstone of its operations and strategic
growth. The company’s extensive use of IT encompasses several key areas.
A comprehensive Enterprise Resource Planning (ERP) system integrates
core business processes, facilitating seamless operations from production to HR
management. The Customer Relationship Management (CRM) software is
integral to managing customer interactions, aiding the sales team in efficiently
tracking and servicing customers.
The R&D division relies heavily on specialized systems for developing
new technologies and testing prototypes. In manufacturing, the
Manufacturing Execution Systems (MES) play a crucial role in overseeing
the production process. The adoption of cloud computing for data storage,
application hosting, and analytics represents InnoTech’s commitment to
modern IT solutions. The network infrastructure, including LANs and
WANs, connects its global operations, while robust cybersecurity measures
protect sensitive data and systems. Managing such a diverse IT landscape
presents unique challenges for InnoTech. The company needs to maintain
strong IT governance to manage technologies across different locations
effectively. Risks such as cybersecurity threats and system failures are
constant concerns. However, these challenges also offer opportunities for
leveraging IT to spur innovation and improve decision-making processes
through data analytics.
Operating in a heavily regulated industry, InnoTech must adhere to various
environmental, data protection, and quality standards. Compliance is not just
a legal requirement but also a key factor in maintaining the company’s integrity
and reputation.
Required:
1. Identify the categories for a structured approach you will use in developing a
risk-based internal audit plan for InnoTech Ltd.
2. In each category, explain what information you will gather for the internal audit
plan.
3. Using the structure developed in points 1 and 2 above, extract the information
from the case study that is relevant and aligns with the information
requirements for each category.
Solution
Developing a Risk-based Annual IS Audit Plan
As discussed in Section 03.01, a risk-based annual IS Audit plan can be developed using the following structured
approach:
• Understand the Business
◦ Identify the organization’s strategies and business objectives.
◦ Understand the high-risk profile of the organization.
◦ Identify how the organization structures its business operations.
◦ Understand the IT service support model and environment.
• Define the IT Universe
◦ Understand business fundamentals.
◦ Identify applications supporting the business operations.
◦ Identify critical infrastructure for significant applications.
◦ Identify major projects and initiatives.
◦ Determine realistic audit subjects.
• Perform Risk Assessment
◦ Develop processes to identify risks.
◦ Assess risk and rank audit subjects using IT risk factors.
◦ Assess risk and rank subjects using business risk factors.
• Formalize the Audit Plan
◦ Select audit subjects and bundle them into distinct audit engagements.
◦ Determine audit cycle and frequency.
◦ Add appropriate engagements based on management requests or opportunities for consulting.
◦ Validate the plan with business management.
Based on the facts provided in the case study, the following priorities have been identified as the most relevant
considerations while understanding the business:
• ERP System Integration and Efficiency: Concerns around the effectiveness and integration of the ERP
system across business processes including production, HR, and finance.
• CRM System Effectiveness: Challenges in the operational effectiveness of CRM system’s capabilities in
managing customer interactions, data accuracy, and its contribution to sales strategies.
• R&D Systems and Innovation Management: Inefficiencies in the systems supporting R&D for their
effectiveness in fostering innovation, managing prototypes, and integrating with other business units.
• Manufacturing Execution System (MES) Compliance and Performance: Instances of non-compliance
with industry standards and inefficiencies in production processes for MES.
• Cloud Computing and Data Storage Security: Issues noted with cloud services for data security,
compliance with data protection laws, and efficiency in storage and retrieval processes.
• Network Infrastructure and Security: Assess the robustness, security, and efficiency of the company’s LAN
and WAN, including vulnerability to cyber threats.
• Cybersecurity Measures and Protocols: Evaluate the effectiveness of cybersecurity measures including
firewalls and intrusion detection systems, and adherence to security protocols.
• IT Governance and Policy Compliance: Inspect the IT governance framework for its effectiveness in policy
implementation, regulatory compliance, and alignment with corporate objectives.
• Data Analytics and Decision Support Systems: Audit data analytics processes for their role in strategic
decision-making, accuracy of insights, and integration with business functions.
• Employee IT Training and Awareness Programs: Review the effectiveness of IT training programs for
employees, focusing on awareness and adherence to IT policies and cybersecurity best practices.
In terms of the risk assessment, the 10 entities identified in the IT Audit universe above will be ranked on
likelihood and impact along the following five dimensions:
• Impact on the organization’s financial statement reporting (F/S Impact)
• High-level assessment of the quality of existing internal controls (I/C Quality)
• Measures designed to prevent unauthorized disclosure of sensitive information (Confidentiality)
• The consistency, accuracy, and trustworthiness of data (Integrity)
• Information should be consistently and readily accessible for authorized parties (Availability)
The rating scale for “likelihood (L)” is defined as follows:
• High (3): High probability that the risk will occur.
• Medium (2): Medium probability that the risk will occur.
• Low (1): Low probability that the risk will occur.
The rating scale for “impact (I)” is defined as follows:
• High (3): There is a potential for material impact on the organization’s earnings, assets, reputation, or
stakeholders.
• Medium (2): The potential impact may be significant to the audit unit, but moderate in terms of the total
organization.
• Low (1): The potential impact on the organization is minor in size or limited in scope.
Using the IT Audit universe, the scales for risk assessment ranking, and the definitions of the
“impact” and “likelihood” ratings, an illustrative risk assessment output can look like this (using hypothetical risk ratings
compiled from the IS Audit team as well as the organization’s executive management):
Table: Illustrated Risk Assessment Output

| Area | F/S Impact (L/I) | I/C Quality (L/I) | Confidentiality (L/I) | Integrity (L/I) | Availability (L/I) | Score |
|---|---|---|---|---|---|---|
| Network Adm & Security | 3/2 | 3/2 | 3/3 | 3/2 | 3/3 | 36 (H) |
| Windows Adm & Security | 3/3 | 3/2 | 3/2 | 3/3 | 2/3 | 36 (H) |
| OS400 Adm & Security | 2/3 | 3/2 | 3/3 | 3/2 | 2/3 | 33 (M) |
| Oracle Adm & Security | 3/2 | 3/1 | 3/2 | 3/2 | 3/3 | 30 (M) |
| SAP ERP Application | 3/3 | 2/2 | 3/3 | 2/3 | 3/2 | 34 (M) |
| Payroll Application | 2/2 | 3/3 | 3/3 | 2/2 | 3/3 | 35 (H) |
| Major Capital Projects | 3/3 | 1/2 | 1/1 | 2/3 | 3/2 | 24 (L) |
| Privacy Compliance | 2/2 | 3/3 | 3/1 | 1/3 | 2/3 | 25 (L) |
| IT Infrastructure Config. | 3/2 | 2/2 | 3/3 | 3/3 | 3/3 | 37 (H) |
| IT Governance | 3/2 | 2/2 | 3/3 | 2/1 | 1/3 | 24 (L) |

Notes:
L = Likelihood; I = Impact; in the Score column, H = High, M = Medium, L = Low. The five L/I column pairs follow the order of the dimensions listed above.
* The final score is calculated as the sum of (likelihood * impact) for each of the five categories per line item.
Now that the risk assessment results are available, the next step is to formalize the audit plan. As discussed
earlier, the audit plan consists of risk-driven audit projects, mandatory compliance reviews, stakeholder
requests, and follow-up audits of previously identified significant issues. Because these tasks need to be
completed using available internal audit resources, some risk-driven audit projects might not be incorporated
in the plan. Before we get to the IS audit plan, we will first prioritize the IT audit universe areas based on the net
scores as shown below:
Table: Prioritized IT Audit Universe Areas

| Area | Score |
|---|---|
| IT Infrastructure Configuration Management | 37 (H) |
| Network Administration and Security | 36 (H) |
| Windows Server Administration and Security | 36 (H) |
| Payroll Application and General Controls | 35 (H) |
| SAP ERP Application and General Controls | 34 (M) |
| OS400 Server Administration and Security | 33 (M) |
| Oracle Database Administration and Security | 30 (M) |
| Corporate Privacy Compliance | 25 (L) |
| Major Capital Projects | 24 (L) |
| IT Governance Practices | 24 (L) |
InnoTech Inc. has an IS audit staff of five auditors or approximately 1,000 available days for engagements after
considering exception time and training. Based on the risk assessment of available audit subjects, mandatory
activities, and stakeholder requests, the most effective IS audit plan is shown below:
Table: Effective IS Audit Plan

| Area | Score | Risk Level | Timeline | Audit Days Allocated |
|---|---|---|---|---|
| IT Infrastructure Configuration Management | 37 | High | Q1 | 175 |
| Network Administration and Security | 36 | High | Q1 | 150 |
| Windows Server Administration and Security | 36 | High | Q2 | 150 |
| Payroll Application and General Controls | 35 | High | Q3 | 120 |
| SAP ERP Application and General Controls | 34 | Medium | Q2 | 100 |
| OS400 Server Administration and Security | 33 | Medium | Q2 | 90 (Outsourced) |
| Oracle Database Administration and Security | 30 | Medium | Q4 | 85 (Outsourced) |
| Corporate Privacy Compliance | 25 | Low | Q2 | 60 (Outsourced) |
| Major Capital Projects | 24 | Low | Q2 | 60 |
| IT Governance Practices | 24 | Low | Q4 | 60 |
| (engagement not named in the source) | N/A | N/A | Q3, Q4 | 100 |
| (engagement not named in the source) | N/A | N/A | Q3, Q4 | 85 |

Note: area names are matched to the prioritized table above by score; for the two 36-point rows and the two 24-point rows, the order of that table is assumed. The two rows with an N/A score are the engagements that are not risk-driven (mandatory activities and stakeholder requests) and are not named in the source.
The audit plan in the table above is based on InnoTech Inc.’s IS audit department’s understanding of the
company’s strategies and objectives, historical knowledge of the control environment, and anticipated changes in
operations during the next audit period.
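The scoring rule from the risk assessment notes and the capacity constraint of roughly 1,000 in-house audit days, as an added Python example that is not part of the case study: it recomputes each area's composite score from the likelihood/impact ratings transcribed from the risk assessment table, ranks the areas, and totals the in-house days of the plan table against the stated capacity. The mapping of column pairs to dimensions follows the order the text lists them, and the two unscored engagements are kept unnamed, as in the source.

```python
# Added example (not from the case study): recompute risk-assessment scores
# and check the IS audit plan against the in-house day capacity.
# Ratings and plan figures are transcribed from the tables above; the column
# order (F/S Impact, I/C Quality, Confidentiality, Integrity, Availability)
# is assumed to match the order in which the text lists the dimensions.

DIMENSIONS = ["F/S Impact", "I/C Quality", "Confidentiality", "Integrity", "Availability"]

# (likelihood, impact) per dimension, one tuple per dimension in DIMENSIONS order
RATINGS = {
    "Network Adm & Security":    [(3, 2), (3, 2), (3, 3), (3, 2), (3, 3)],
    "Windows Adm & Security":    [(3, 3), (3, 2), (3, 2), (3, 3), (2, 3)],
    "OS400 Adm & Security":      [(2, 3), (3, 2), (3, 3), (3, 2), (2, 3)],
    "Oracle Adm & Security":     [(3, 2), (3, 1), (3, 2), (3, 2), (3, 3)],
    "SAP ERP Application":       [(3, 3), (2, 2), (3, 3), (2, 3), (3, 2)],
    "Payroll Application":       [(2, 2), (3, 3), (3, 3), (2, 2), (3, 3)],
    "Major Capital Projects":    [(3, 3), (1, 2), (1, 1), (2, 3), (3, 2)],
    "Privacy Compliance":        [(2, 2), (3, 3), (3, 1), (1, 3), (2, 3)],
    "IT Infrastructure Config.": [(3, 2), (2, 2), (3, 3), (3, 3), (3, 3)],
    "IT Governance":             [(3, 2), (2, 2), (3, 3), (2, 1), (1, 3)],
}

def composite_score(pairs):
    """Sum of likelihood * impact over the five dimensions (range 5..45)."""
    if len(pairs) != len(DIMENSIONS):
        raise ValueError("one (L, I) pair per dimension is required")
    return sum(l * i for l, i in pairs)

def rank_universe(ratings):
    """Return [(area, score)] sorted highest risk first; ties broken by name."""
    scored = [(area, composite_score(p)) for area, p in ratings.items()]
    return sorted(scored, key=lambda t: (-t[1], t[0]))

# Plan rows as (days, outsourced?) in table order. The last two engagements
# carry no risk score in the source, so they are not named here either.
PLAN = [(175, False), (150, False), (150, False), (120, False), (100, False),
        (90, True), (85, True), (60, True), (60, False), (60, False),
        (100, False), (85, False)]

def internal_days(plan):
    """Days that must be covered by the in-house auditors (outsourced rows excluded)."""
    return sum(days for days, outsourced in plan if not outsourced)

def within_capacity(plan, capacity=1000):
    """True when the in-house days fit the stated capacity (about 1,000 days)."""
    return internal_days(plan) <= capacity

if __name__ == "__main__":
    for area, score in rank_universe(RATINGS):
        print(f"{area:28s} {score}")
    print("in-house days:", internal_days(PLAN), "within capacity:", within_capacity(PLAN))
```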
Next, we will formalize the IS audit plan for InnoTech Inc. to ensure the efficacy and thoroughness of the auditing
process by transforming the results of risk assessments and preliminary analyses into a structured and
actionable audit plan. A crucial aspect of the audit plan’s formalization is its communication and approval by
senior management and key stakeholders. This ensures that the audit objectives are aligned with the broader
organizational goals and that there is a cohesive understanding and agreement on the plan at the highest
levels of the organization. Finally, the plan includes a focus on training and preparing the audit team, especially
for the more complex and high-risk audit areas. This preparation is vital in equipping the auditors with the
necessary skills and knowledge to effectively navigate the intricacies of specific technologies, audit
methodologies, and regulatory requirements they will encounter.
03.06. A Case Study in Developing IS Audit Plan and IS Audit Program | 7