Trillium’s audit framework is used to evaluate an organization’s IT environment. It is a review of the people, processes and technology that make up that environment.

The audit identifies risks and evaluates them against levels of acceptability from both a management and an industry perspective.  It starts with identifying the specific areas of interest to be reviewed.  Within each area of interest, the high-level processes performed are documented and then mapped to the systems and infrastructure that support them.  This gives the organization an understanding of where additional controls would do the most to reduce risk.  It also produces a list of "quick hit" initiatives that can be undertaken in the short term to address existing risks or gaps.

The Audit Framework consists of four major phases.  Here are some of the activities in each phase:

Preliminary Review.  The initial phase of an audit consists of gathering the information required to plan the audit.  It includes identifying the organization’s strategy and the roles and responsibilities for controlling risk.  This phase also includes defining the scope of the audit and developing an inventory of the processes and controls to be evaluated.

Plan for Audit.  The second phase of an audit includes determining what level of risk is acceptable.  It also includes determining which standards or criteria the audited procedures will be evaluated against.  The objectives and framework for the audit are confirmed with executives at this time, to ensure the most effective use of the audit team’s time.  Finally, the audit process to be performed is documented, including the sampling method that will decide what portion of the environment is examined.

Conducting the Audit.  The third phase is the fieldwork itself.  It evaluates the organization’s processes against several types of controls, including:

  • Organizational Controls – includes segregation of duties, so that no single person can initiate, approve and record a transaction on their own.
  • Data Center and Network Operations Controls – covers the day-to-day running of systems and networks, including oversight of processing and the correction of errors.
  • Hardware & Software Acquisition and Maintenance Controls – covers the selection, installation and upkeep of hardware and system software, including built-in checks such as comparing results produced by two separate components for accuracy.
  • Access Security Controls – protects computer equipment, software and data, physically and logically, against loss through theft or unauthorized use.
  • Application System Acquisition, Development, and Maintenance Controls – ensures that applications are built, changed and maintained in a controlled way so that information processing is reliable.
  • Managerial Controls – management oversight of IT assets, including confirming that all access to them is authorized.

The audit is performed by inquiry, observation, inspection and monitoring of systems; the evidence gathered this way determines how each area is evaluated and reported on.  The sampling method identified in the planning phase determines what portion of the environment is examined.

Completing the Audit.  An audit report is then created.  The report states the scope, objectives, period of coverage, and the nature, timing and extent of the audit work performed.  It states the findings, conclusions and recommendations, along with any reservations, qualifications or limitations of scope that the IT auditor has with respect to the audit.  It also includes any quick hit recommendations identified during the audit.

Success Stories

Our clients’ success in meeting their goals is our most important objective.