Technology Audit
1 Dr. Magdy El Messiry
Technology
Audit
Training Course
PART I
By
Dr. MAGDY ELMESSIRY
KNOWLEDGE TRANSFER CENTER
ALEXANDRIA UNIVERSITY
2011
Technology Audit
2 Dr. Magdy El Messiry
Technology Audits Will Help Identify
Potential Issues That May Become Serious
Problems for Your Business If Left Unattended
While each organization should insure
an effective continuous auditing for
increase the generated income.
Dr. M.El Messiry
Technology Audit
3 Dr. Magdy El Messiry
"A trip of a thousand miles begins with a single step"
PREFACE
The main objectives of this booklet are to give the reader a survey of the different elements of
the Technology Auditing (TA), hence the TA is the only way for the organization to improve
their situation on the market. Technology audits will help identify potential issues that may
become serious problems for your business if left unattended. Technology auditing will be
recognized as the reliable and trusted source for the best application of relevant technology in the
industry. The continuous technology auditing will lead to the following;
Establishing proven methodologies for technology assessments
Establishing proven methodologies for quality control
Establishing a network of reliable and brief information sources
Establishing a periodic review and assessment of technology news and information
Establishing a standard technology assessment model
Establishing a secured database of reports and assessments
Establishing and maintain business models for measuring return on investment and total
cost of ownership
To enhance the effectiveness of organization by providing the tools will be achieved through
information concerning the latest technology and innovation relevant to the particular
industrial fields that is the specific mission and goals of the organization.
The role of the Universities in implementing the Technology Auditing in the different
organizations can be accomplished through the specialists in the technology and other areas of a
globally competitive economy. Their function will be the assistance in:
Promoting competitiveness and job creation.
Enhancing the quality of life.
Developing human resources.
Working towards environmental sustainability.
Promoting an information society.
Producing more knowledge-embedded products and services.
Developing innovation technologies that lead to increasing the number of patents.
The objective of this course is to give the specialists in the technology transfer centers at the universities and the industrial organizations the basic concepts on
TECHNOLOGY AUDITING and to help them in building TA departments.
"A trip of a
thousand miles
begins with a
single step"
Technology Audit
4 Dr. Magdy El Messiry
TABLE OF CONTENTS
PREFACE
CHAPTER ONE
TECHNOLOGY AUDTING
1.1 Introduction
1.2 Technology Audit Composition
CHAPTER TWO
INTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITING
1. Internal Audit
1.1 Mission of the Internal Audit Function
1.2 Internal Audit Practice in Organization
1.3 Steps for Building the Internal Audit Team
1.4. Suggestion for Successful Internal Audit
1.5 Code of Ethics for Audit Staff
1.6 International Standards for the Professional Practice of Internal Auditing (Standards)
2. External Audit
2.1 Implementation Procedure
2.2. Continuous Auditing
2.3. Key Steps to Implementing Continuous Auditing
2.3.1. Additional Considerations
2.3.2. Organizational Infrastructure
Technology Audit
5 Dr. Magdy El Messiry
2.3.3. Impact on Personnel
CHAPTER 3
THE AUDITORS PERFORMANCE IN TECHNOLOGY AUDIT
3.1. Introduction
3.2. Role of Auditor
Phase One: Pre-Audit
Phase Two: On-Site Visit
3.3. Road Map for the External Audit Team Audit Leader
3.4. Notes to the Auditor
3.4. Control objectives
CHAPTER 4
SWOT ANALYSIS
4.1 Introduction
4.2. The Need for SWOT Analysis
4.3. Limitations of SWOT Analysis
4.4. SWOT Analysis Framework
CHAPTER 5
PRACTICAL EXAMPLES OF SWOT ANALYSIS
5.1. Health centers
5.2. University SWOT Analysis
5.3. Retail Industry SWOT Analysis
4.4. Web Business SWOT Analysis
Technology Audit
6 Dr. Magdy El Messiry
CHAPTER 6
GLOSSARY
APPENDIX I
SWOT Analysis Template
APPENDIX II
Audit Checklist
APPENDIX III
Audit Checklist ISO/IEC 19770-1
APPENDIX IV
Template to use when writing an audit report
APPENDIX V
Information Technology Audit Report
REFERENCES
Technology Audit
7 Dr. Magdy El Messiry
CHAPTER ONE
TECHNOLOGY AUDTING
1.1 Introduction
Today, the products‘ life cycle becomes gradually smaller. Actually in some
sectors such as the computer sector, technological devaluation of the products
occurs within a few months. Therefore it is a great competitive advantage for the
companies to be able to introduce new products to the market before their
competitors, gaining in this way significant sale shares. Today the companies must
be able to be constantly innovative to maintain or improve their position in the
market. In order to achieve this, they must know how to identify the innovation
needs of a business problem. The innovation management tools, which are utilized
for doing this, are Technology Audit and SWOT method1. Technology has become
an increasingly dynamic sector of the global economy. The critical task is now to
maintain a broad awareness of the nature and potential impact of emerging
technologies, the points of junction, and impact on market place trends on a
worldwide basis. Management of technology is an interdisciplinary field that
integrates science, engineering, and management knowledge and practice. The
focus is on technology as the primary factor in wealth creation. Wealth creation
involves more than just fiscal values and it may encompass factors such as
enhancement of knowledge, intellectual capital, effective exploitation of resources,
preservation of the natural environment, and other factors that may contribute to
raising the standard of living and quality of life.
The Technology Audit is a method for identifying the major company
requirements, needs, weaknesses and strengths on human resources and
infrastructure as well as opportunities that should be taken under consideration.
The Technology Audit is also a technique which identifies the management‘s view
of how the company performs as well as strong indications of what the company
really needs2.
The Technology Audit technique examines in tandem the External and Internal
environment of the company and identifies the human resources relation to
company‘s performance. Furthermore, it assists the company to discover the more
significant actions that it should adopt.
Technology Audit
8 Dr. Magdy El Messiry
As shown in Figure (1), an organization can perform an audit in order to:
Generate income (or more income) for the technology driven organizations (e.g.
technology based enterprises, research centers, institutes) from their available technology.
Improve the productivity of the technological factors.
Improve business competitiveness and public administration's performance.
Assess your current capabilities before making expensive changes.
Learn how to optimize the use of current technology.
Learn about your technology options.
Get an independent assessment that can help convince your organizational partners of
changes needed.
An audit is merely a ―checkup.‖ As we gather more and more techno-devices
around us, we recognize the need to ensure that they are all accounted for, are
working properly, and are being employed for proper purposes, purposes that
advance the cause for our organizations. Consequently, a technology audit exists at
its very core as an activity that focuses our full attention upon improvement,
sustainable improvement and continuous innovation. Organizational survey and
technology audit will help in understanding the level of attention paid to
technology in the organization and facilitate the involvement of employees from
different departments of the organization in the technology management process.
The organizational survey and technology audit provides an instrument for
auditing the organization‘s technological capabilities and its awareness of
technology as means of improving competition. The organizational survey and
technology audit are used to assess whether the organization‘s management has the
appropriate level of understanding of technology and technology management, and
whether the required climate to use technology is in place.
Formulation of technology strategy addresses the issue of how to recognize the
critical technological needs and identifies the basic dimensions of a technology
strategy. It consists of three steps: technology assessment, technology selection,
and definition of the portfolio of technological projects, and strategic priorities and
actions3. The technology audit is equally applicable to manufacturing and service
firms. The firms should wish to create new products, incorporate new processes,
diversify their activities and be with growth potential. They should have capacity
to survive and innovate and competence for international cooperation. Technology
auditing should consider as means of ensuring business continuity in a
manufacturing organization.
Technology Audit
9 Dr. Magdy El Messiry
Figure (1) Objectives of Audit Cycle
Technology Audit
10 Dr. Magdy El Messiry
1.2 Technology Audit Composition
The implementation of the technology auditing starts with the answering to;
What is the relationship between technology, business strategy and
innovation in ensuring continuity of the organization?
What does a technology audit consist of and what tools are available to help
conduct the technology audit?
What is the process flow of a technology audit?
The main steps of a technology audit process are4:
Step 1: Company Decision for Technology Audit
The starting point of the technology audit process is the desire or wish of a firm to
carry out a technology audit.
Step 2: Initial phase
The initial phase is important to ensure that the audit proceeds smoothly and
effectively. It includes discussion at the management level to explain and agree
upon the purpose of the audit, to design the questionnaire and the framework for
the report to suit the organization and to select those to be interviewed. Initial
information about the organization (published and unpublished reports) is gathered
at this stage. Analysis of questionnaires should be done prior to the interviews and
might be done at an earlier stage, so that selection of those to be interviewed is
partly based on questionnaires.
Step 3: Interview and report phase
The company is being interviewed with a questionnaire, normally with
participation of the General Manager, aiming at:
Collecting general company data
Shaping company technology profile
Performing SWOT Analysis
Identifying technological areas for further analysis.
Technology Audit
11 Dr. Magdy El Messiry
Technology Audit Tool consists of two parts, the questionnaires and the reports.
The results derived from the questionnaires generate the reports that can be easily
accessed by the General Manager of the company, but for a more accurate and less
biased diagnosis, an external specialized consultant is proposed.
Step 4: Technology Audit Report Framework
The final report of the technology audit should include:
Subjects analyzed
Methodology used
Problem areas identified
Solutions proposed for the problems
Steps to be taken for implementing the solutions (action plan)
The expected results from a carefully conducted technology audit mainly concern4:
Complete and comprehensive analysis and evaluation of the requirements of
the organization for its sustainable growth
Thoroughly objective SWOT Analysis
Opportunity spotting for new products / new services / new technologies / new
markets
Networking with technology suppliers, technological sources, other companies
Possible assessment of technology portfolio, intellectual property rights
There are five tasks within the audit process area:
1. Develop and implement a risk-based international audit standards (IS) audit
strategy for the organization in compliance with international audit standards,
guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and
controlled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices
Technology Audit
12 Dr. Magdy El Messiry
to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the
organization while maintaining independence.
Technology Audit
13 Dr. Magdy El Messiry
CHAPTER TWO
INTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITING
The auditing process can be divided into three categories; Internal Audit, External
Audit, and Continuous Audit that might integrate for the fulfillment of the
organization objectives as illustrated in Figure (2).
2.1. Internal Audit
Internal auditing, as defined by the Institute of Internal Auditors (IIA), is an
independent, objective assurance and consulting activity designed to add value and
improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control, and governance processes‖.
2.1.1 Mission of the Internal Audit Function
The mission of the internal audit function is to provide organization management
with systematic assurance, analyses, appraisals, recommendations, advice and
information with a view to assisting it, and other stakeholders, in the effective
discharge of their responsibilities and the achievement of organization‘s mission
and goals5. The role of the internal audit function includes providing reasonable
assurance on the effectiveness, efficiency and economy of the processes in various
areas of operations within the organization, as well as compliance with
organization financial and staff rules and regulations, general assembly decisions,
applicable accounting standards and existing best practice.
2.1.2 Internal Audit Practice in Organization
Each organization should establish Internal Audit. Its original mandate included
both internal audit and evaluation functions. The Internal Audit Department also
informally acted as a focal point for investigation and inspection. The organization
Internal Audit Charter follows Standards for the Professional Practice of Internal
Auditing issued by the Institute of Internal Auditors5 (IIA) in assignments
Technology Audit
14 Dr. Magdy El Messiry
performing audit. Audits are conducted in accordance with a detailed annual audit
plan that is developed based on an annual risk-based assessment of internal audit
needs for the whole of organization.
Figure (2) Types of Auditing Models
Figure (3) Steps of Performing Internal Audit
Technology Audit
15 Dr. Magdy El Messiry
Risk-based annual audit plans are subject to regular revision, at least annually, in
order to be aligned with the strategic objectives of the organization. Audit needs
are estimated based on a thorough review of organization‘s business and other
systems and processes which make up the audit environment for the Internal
Organization Audit Department. The audit needs assessment is reviewed annually
at the same time as the detailed annual audit plan is set out.
For annual audit planning purposes in line with the new set of strategic goals set
for the Organization, the Internal Organization Audit Department strategy and
annual plans are re-aligned regularly to ensure:
Due emphasis is put on the ―operational efficiency and effectiveness‖ aspect
in the detailed work plans to the extent possible.
Main organization business processes are reviewed to identify strengths and
good practices, as well as gaps and deficiencies. Value adding
recommendations are made to assist management in addressing these issues.
Audit support is provided to key management and governance initiatives
recognizing that the responsibility for such initiatives rests with the
management in the case of a strong indication of any fraudulent activity
found during an audit.
Sufficient audit work is performed to gather factual evidence and the
supporting documentation is handed over to the Investigation Section for
further examination if need be.
2.1.3 Steps for Building the Internal Audit Team
Figure (3) represents the steps for building the Internal Audit Team.
1- Group Formation
Local audit team leaders are chosen. They may appoint an individual to serve as
overall coordinator, as well. The key here is to get the best leadership in place
and functioning quickly.
2- Audit teams
Audit teams are formed and necessary documents needed to support the audit
are gathered (Technology plan, facilities plan, personnel reports, etc.).
Technology Audit
16 Dr. Magdy El Messiry
3- Meetings
Meetings are held at each organization department to explain this process to
employees. The purpose is to ensure that all employees know what to expect as
their auditors begin gathering data from a large number of locations to explain
the process, to seek community support and patience, and to forecast some
findings. This serves to get the community ―on board.‖
4- Teams Work
Department-by-Department teams are working within the organization. At the
same time, another team works on the organization as a whole.
5- Individual Team Reports
Reports are written, and then combined into an organization wide document.
6- Team Leader Report
Team leader shares the internal audit report with the organization board.
7- Report Approval
Organization board approves the internal technology audit final report.
8- Report Publication
Team leader authorizes the report publication.
2.1.4. Suggestion for Successful Internal Audit
In order to insure the success of the internal audit processes the following
recommendations6 should be considered by the organization manager for
implementing the Internal Audit;
Recommendation 1:
Invite the Director General to submit Internal Audit Charter to the organization
general assembly. The charter could then cover the activities of the Evaluation
Section and could give a general description of the tasks of the department and a
more detailed description of the tasks of each Section (Director, Internal Audit,
Investigation, and Evaluation & Inspection). After this recommendation has been
accepted, Internal Organization Audit Department supports this recommendation as
it will help clarify the distinct roles of the three main functions, i.e. internal audit,
investigation and evaluation and promote the role of oversight in organization. A
revision of the Internal Audit Charter will be proposed for review by the Program
and Budget Committee which will create an Internal Audit.
Technology Audit
17 Dr. Magdy El Messiry
Recommendation 2:
Director of Internal Organization Audit Department should draw up a list of the
training undertaken by all of his staff and update such a file as and when necessary.
This recommendation has been accepted. The recommendation will assist further
the tracking of the professional training being carried out.
Recommendation 3:
Invite the Director of Internal Organization Audit to develop a program (concept)
of quality assurance and improvement that includes documentation on periodic and
ongoing internal assessments of all areas of internal audit activity. Once
established, this concept should be included in the Internal Audit Manual. It seems
clear that ongoing assessments would only be suitable when the Internal Audit
Section has at least two qualified staff members. This recommendation has been
accepted. All audits are done in line with the Institute of Internal Auditors (IIA)
Standards and are subject to review and quality control. It is already Internal
Organization Audit Department‗s stated policy to have regular external and
internal quality assurance in accordance with the (IIA) 7 Standards.
Recommendation 4:
Invite Internal Organization Audit Department for the following:
a. to decide, during its annual planning, on precise audit themes which are then
mentioned in the final reports,
b. to continue to draw up a list of planned, completed and reported audits, which
should be updated as necessary, and
c. to implement long-term audit planning.
Recommendation 5:
The drafting of the audit manual should be completed and made it available to
organization staff and/or over the intranet. This manual should cover all the
essential elements specified in the Audit Standards**.
Recommendation 6:
Suggest that, from now on, Internal Organization Audit Department includes an
evaluation of the following in its reports:
a. exposure to significant risks and the corresponding controls,
b. subjects relating to governance, and
c. any other issue in response to a need or a request of the general management or
the Audit Committee.
Technology Audit
18 Dr. Magdy El Messiry
Recommendation 7:
Invite Internal Organization Audit Department to review its strategy on planning
for audits involving medium to low risks in order to concentrate more on
engagements involving higher risks.
Recommendation 8:
The Internal Audit Section should:
a. clarify the work program by linking it with the risk analysis,
b. ensure that the work program includes the priorities and the resource allocation
for each subject to be audited,
c. ensure that the work program allows a connection to be made between the
working papers and the recommendations,
d. ensure that comments concerning the involvement and assignment of external
experts are highlighted in the audit plan, and
e. ensures that the signature of the Director of Internal Organization Audit
Department and the date of approval are systematically placed on the audit
program before the audit begins.
Recommendation 9:
Invite Internal Organization Audit Department:
a. to improve the formalization of working documentation so that a third party
audit professional is always able to compare the objectives of the engagement, the
content of the examinations carried out, the results, the auditor‘s opinion and the
recommendations. The standardization and organization of working papers could
go some way to achieving this,
b. to integrate into the Internal Audit Manual regulations relating to audit
documents, information to be archived and the period for which files must be kept;
rules on access by third parties to working papers should also be included,
c. to create audit notes that include a summary of the work carried out and allow
connections to be made between the work program, interviews, analyzed
documents and the notes and recommendations contained in the report,
d. to establish a system for reviewing working papers and dating and signing them,
and
e. to provide for the establishment of standards relating to documentation in the
audit manual.
Technology Audit
19 Dr. Magdy El Messiry
Recommendation 10:
In order to increase the visibility of the internal audit function within organization,
invite the Director of Internal Organization Audit Department to increase his
contact with the Organization General manger.
2.1.5 Code of Ethics for Audit Staff
The internal audit staff is expected to follow the internal audit function in conducting
audits as set out in the Audit Charter8.
The Internal Auditor enjoys operational independence in the conduct of
his/her duties. He/she has the authority to initiate, carry out and report on
any action, which he/she considers necessary to fulfill his/her mandate.
The Internal Auditor shall be independent of the programs, operations and
activities he/she audits to ensure the impartiality and credibility of the audit
work undertaken.
Technology Audit
20 Dr. Magdy El Messiry
Internal audit work shall be carried out in a professional, unbiased and
impartial manner.
The conclusions of the audits shall be shared with the managers concerned,
who shall be given the opportunity to respond.
Any situation of conflict of interest shall be avoided.
The Internal Auditor shall have unrestricted, direct and prompt access to all
organization records, officials or personnel holding any organization
contractual status and to all the premises of the Organization.
The Internal Auditor shall respect the confidential nature of information and
shall use such information with discretion and only in so far as it is relevant
to reach an audit opinion.
2.1.6 International Standards for the Professional Practice of Internal Auditing (Standards)
The Institute of Internal Audit published the professional practice that includes
Introduction to the Standards, Attribute Standards, and Performance Standards*.
Internal auditing is conducted in diverse legal and cultural environments; within
organizations that vary in purpose, size, complexity, and structure; and by persons
within or outside the organization. While differences may affect the practice of
internal auditing in each environment, conformance with the IIA‘s International
Standards for the Professional Practice of Internal Auditing (Standards) is essential
in meeting the responsibilities of internal auditors and the internal audit activity.
The purpose of the Standards is to:
1. Define basic principles that represent the practice of internal auditing.
2. Provide a framework for performing and promoting a broad range of value-
added internal auditing.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.
The Standards are principles-focused, mandatory requirements consisting of:
Technology Audit
21 Dr. Magdy El Messiry
Statements of basic requirements for the professional practice of internal
auditing and for evaluating the effectiveness of performance, which are
internationally applicable at organizational and individual levels.
Interpretations, which clarify terms or concepts within the Statements.
The structure of the Standards is divided between Attribute and Performance
Standards. Attribute Standards address the attributes of organizations and
individuals performing internal auditing. The Performance Standards describe the
nature of internal auditing and provide quality criteria against which the
performance of these services can be measured. The Attribute and Performance
Standards are also provided to apply to all internal audits.
Implementation Standards are also provided to expand upon the Attribute and
Performance standards, by providing the requirements applicable to assurance or
consulting activities. Assurance services involve the internal auditor‘s objective
assessment of evidence to provide an independent opinion or conclusions
regarding an entity, operation, function, process, system, or other subject matter.
The nature and scope of the assurance engagement are determined by the internal
auditor. There are generally three parties involved in assurance services:
1. the person or group directly involved with the entity, operation, function,
process, system, or other subject matter — the process owner,
2. the person or group making the assessment — the internal auditor,
3. the person or group using the assessment — the user.
Consulting services are advisory in nature, and are generally performed at the
specific request of an engagement client. The nature and scope of the consulting
engagement are subject to agreement with the engagement client. Consulting
services generally involve two parties:
1. the person or group offering the advice — the internal auditor,
2. the person or group seeking and receiving the advice — the engagement client.
When performing consulting services the internal auditor should maintain
objectivity and not assume management responsibility.
Technology Audit
22 Dr. Magdy El Messiry
2. External Audit
External assessments must be conducted at least once every five years by a
qualified, independent reviewer or review team from outside the organization. The
chief audit executive must discuss with the organization board the need for more
frequent external assessments and the qualifications and independence of the
external reviewer or review team, including any potential conflict of interest. A
qualified auditor or auditing team demonstrates competence in two areas: the
professional practice of internal auditing and the external assessment process.
Competence can be demonstrated through a mixture of experience and theoretical
learning. Experience gained in organizations of similar size, complexity, sector or
industry, and technical issues is more valuable than less relevant experience. In the
case of an auditing team, not all members of the team need to have all the
competencies; it is the team as a whole that is qualified. The chief audit executive
uses professional judgment when assessing whether an auditor or auditing team
demonstrates sufficient competence to be qualified. An independent auditor or
auditing team means not having either a real or an apparent conflict of interest and
not being a part of, or under the control of, the organization to which the internal
audit activity belongs.
2.1 Implementation Procedure
A schematic of the steps that are normally followed while carrying out a
technology audit is shown and described below. Partial techniques per step are the
tools used for the proper implementation of the technique.
STEP 1: Desire/Wish to Carry Out Technology Audit
Desire / wish of the organization to carry out technology audit, if the company
initiates the audit, no particular communication tool is used. However, if the
company is approached by the service provider, it should explain: Scope of
initiative, brief description of technique, potential benefits to the organization, and
main characteristics of the consultant / service provider.
STEP 2: Expert to Carry Out Technology Audit
Once common ground has been established between the organization and external
consultant/expert, the next step can follow.
Technology Audit
23 Dr. Magdy El Messiry
STEP 3: First Contact/Visit of Expert for Preparation of Audit Plan
On the first contact / visit to the organization for the audit plan preparation the
expert should have:
o a brochure / flow diagram on the steps to follow: list of benefits, list of other
companies that carried out a TA, formal presentation using data show should
help.
o the audit plan which is devised together with top management. It establishes
issues to investigate how to collect data and from whom, in what time span and
at what cost, what is needed from management to successfully carry out the
audit. The local team shares with auditors all documents gathered, as well as
the internal audit report. Together, the auditors, the local audit team, work to
establishing a strategy that will drive this formal audit. All parties agree upon a
schedule/timeframe for the audit. All parties discuss some possible outcome
objectives10
. Auditors schedule date(s) for on-site visit(s). Auditors meet with
focus groups and other constituencies, as needed.
STEP 4: Preparatory Work by Expert on Collecting Basic
For preparatory work by expert on collecting basic information on the
organization & the sector for the organization: collection of data from published
information, brochures of company, economic data, employees, products, exports
etc.
For the sector: published data on employment, turnover, trends, markets, on
company's products, introduction / use of new technologies.
A short report on the above findings would be handy and would be another step
into building a trusting relationship with the organization. Auditors study all
documents provided. Auditors schedule an on-site visit and make their
observations. It is a process whereby an in-depth evaluation of some aspect of an
organization is performed, and the results compared with representations made by
that organization. Due attentiveness is particularly important for business
transactions in technology-intensive markets, since there is a much higher risk of
misrepresentation or inappropriate application of emerging technologies. It is often
Technology Audit
24 Dr. Magdy El Messiry
difficult to find individuals capable of assessing both the technological issues and
their business linkages*. The approach to be followed must be planned and agreed
upon. The process must include the selection of team members from the
organization who will participate11
. The team must be multidisciplinary, and
include both business and technical experts familiar with the areas under
investigation. If staff expertise is lacking in a particular area, engage the services of
experts in that field. Depending on the results of the preliminary visits, different
approaches may be necessary for each organization12
.
STEP 5: GENERAL SHORT DIAGNOSES
General short diagnosis use is made of a questionnaire, either in hard copy or
electronic, which should cover the following main points13
;
ORGANIZATION
Company information, strategy, development planning.
HUMAN RESOURCES
Capabilities, needs, strengths, weaknesses, training, performance, rewards.
TECHNOLOGICAL CAPABILITY
Technological resources, know how, assessment of technological level,
implementation of information technologies, new technologies.
TECHNOLOGICAL INNOVATION
Product development, procedures, new products - number - timeframe, research
and development (in house or external), resources allocated, areas of interest,
sources of acquiring technology.
INNOVATION CAPABILITY
Innovations introduced barriers to innovation, technology watch / searching /
technology diffusion, involvement in R&D joint projects.
Technology Audit
25 Dr. Magdy El Messiry
PRODUCTS
Products / markets, production organization and management, production
equipment, walk through shop floor.
COOPERATION NETWORKING
With other companies / local abroad, with technology providers / sources,
participation in R&D programs.
TECHNOLOGICAL NEEDS
Demands for services / equipment / quality improvement, new technologies, access
to information / technology diffusion.
QUALITY
Quality control, products - raw materials, standards, relations with customers /
suppliers.
MARKETING
Markets, local/abroad, marketing plan / strategy.
ENVIRONMENT
Awareness / problems / needs.
STEP 6: DATA ANALYSIS BY EXPERT, REPORT ON FIRST DIAGNOSIS
Data analysis by the expert report on first diagnosis should be brief and should
contain:
- Executive summary
- Overview of company / activities (good for signposting to networks, etc.)
- Overview of sectors / markets
- Synthesis on: Strengths / weaknesses / opportunities / threats identified
Technology Audit
26 Dr. Magdy El Messiry
- Potential suggestions (especially if the audit stops at this point) for resolving
problems and exploiting strengths & opportunities, mainly by indicating routes for
solutions with an action plan, isolation of specific areas / departments for further
diagnosis, proposal with justification.
STEP 7: PRESENTATION OF FIRST DIAGNOSIS REPORT TO GENERAL MANAGER AND COMPANY MANAGEMENT
Presentation of first diagnosis report to General Manager and company management is
done with the handing out some time earlier of a hard copy of the report, the
main findings, and the finalization on whether to continue for further diagnosis and
the agreement on the subject(s) to analyze is also performed here.
STEP 8: ADDITIONAL VISITS/INTERVIEWS TO DEPARTMENT HEADS
Entail an in-depth investigation of key areas of the organization being assessed. A
full due diligence audit of an external company can take up to a week at a small
single-site company with a technical staff of 50 or less, several weeks at larger
companies with a localized development team, and even longer examining a larger
company with geographically distributed development teams.
Technology Audit
27 Dr. Magdy El Messiry
Obviously, the relationship between company size and inspection effort is non-
linear. This is because a certain set of core elements, such as policies and
procedures, business plans, and infrastructure standards are centrally located.
Typical areas and themes that could be covered with either specific subject tools or
in a less structured way (if done by a specialist) could be:
(a) Quality
· Policy – goals – personnel involvement – training;
· Process quality – monitoring and control systems – handling – storage –packaging;
· Keeping of records/use of results;
· Product quality – raw materials quality control – product quality control;
· ISO issues – presentation – benefits.
Technology Audit
28 Dr. Magdy El Messiry
Figure (5) Quality Control Cycle
(b) Human resources
· Skills – availability;
· Satisfaction – rewards;
· Meetings – awareness of company activities/products;
· Team working/project management;
· Continuing education/training;
· Promotion – evolution – record.
(c) Research and development – Product development
· Research and development strategy/partners;
QUALTY
Technology Audit
29 Dr. Magdy El Messiry
· Product mix/product lifecycle analysis;
· Analysis of procedures for new product development;
· Analysis of research and development activities;
· Participation in research and development projects;
· Focus on specific research and development area – identification of potential technology
suppliers.
Figure (4) Steps of Product Development throughout R&D
Technology Audit
30 Dr. Magdy El Messiry
(d) Production operation
· Walk through production facilities – bottlenecks – problem areas;
· Material flow – flow diagram;
· Overview of system automation/needs – opportunities;
· Floor and product safety;
· Maintenance – procedures – planning – problems;
· Analysis of productivity.
(e) Marketing/sales
· Existence/analysis of marketing plan;
· Strategy – market share/local – exports;
· Competitors analysis/sector analysis/opportunities – threats;
· Distribution networks – problems;
· Use of information technologies for sales/e-commerce – Internetwww.urenio.org.
STEP 9: FINAL REPORT OF THE TECHNOLOGY AUDIT COMPILED BY THE EXPERTS
Final report of the technology audit, as given in Figure (6), compiled by the experts
should contain the following*:
• Executive summary
• Summary of results from first part diagnosis
• Subject(s) analyzed in second part
• Methodology used for analysis
• Problems identified
Technology Audit
31 Dr. Magdy El Messiry
• Solutions proposed
• Actions to be taken (action plan)
Figure (6) Technology Audit Final Report Contents
Technology Audit
32 Dr. Magdy El Messiry
The action plan
Should be:
a) Specific to the subject b) With a time frame c) With determined milestones d) With an estimated budget e) With the listing of expected results f) With identification of potential problem solvers (technology or service providers) g) With indications about provisional funding for implementing the solutions
(e.g. national and / or international R&D programs) h) An implementation monitoring schedule, possibly to be done by the service provider. The action plan should be specific to the subject, with a timeframe, with determined milestones and with an estimated budget. The action plan must list the expected results, identify potential problem solvers (technology or service providers) and indicate provisional funding for implementing the solutions. An implementation, monitoring-schedule must be done by the technology auditor in conjunction with a project manager.
STEP 10: PRESENTATION OF REPORT BY EXPERT TO COMPANY MANAGEMENT
At step 10 the report by the technology auditor to the organization must discuss
issues identified, solutions proposed, the proposed action plan and the monitoring
system that will be used.
The systematic audit program includes initiating the audit, preparing for on-site
audit, conducting on site audit, report preparation and follow-up activities. The
follow-up activities in this context are the improvements activities result from the
audit finding. Figure (7) shows the stages of audit program management.
Technology Audit
33 Dr. Magdy El Messiry
Figure (7) Audit Program Management http://www.efrcertification.com/Attachment/ICQR65.pdf
2.3. Continuous Auditing
Continuous auditing is:
"A methodology that enables independent auditors to provide written assurance on
a subject matter using a series of auditors' reports issued simultaneously with, or a
3
nts underlying the subject matter." short period of time after, the occurrence of eve
A continuous audit relies heavily on information technologies such as broad
bandwidth, web application server technology, web scripting solutions and
everywhere database management systems with standard connectivity.
Open database architecture empowers auditors to monitor a company's systems
over the Internet using sensors and digital agents. Incongruities between the
records and the rules defined in the digital agents are transmitted via e-mail to the
client and the auditor. For example, a digital agent performing analytical
procedures on the accounts receivable would e-mail the auditor a huge outstanding
Technology Audit
34 Dr. Magdy El Messiry
beyond the receivable parameters defined in the digital agent. Once an account
trigger has occurred, the digital agent would move to the transactional level to
verify the authenticity of the sale by seeking an e-mail of the sale organization and
acceptance of the goods/service by the customer.
The audit routine described above is done electronically and automatically on a
real-time basis as a part of continuous monitoring. Continuous audit takes off after
this when an auditor, empowered with data, carries out independent investigation
and collects corroborative evidence to arrive at his/her own deductions.
Technology Audit
35 Dr. Magdy El Messiry
Figure (8) Steps of
Implementing
Continuous Audit
.
Technology Audit
36 Dr. Magdy El Messiry
2.3.1. KEY STEPS TO IMPLEMENTING CONTINUOUS AUDITING
Once the issues above are understood by managers and auditors alike, the
organization will be in a better position to begin using continuous auditing.
Generally, the implementation of continuous auditing consists of six procedural
steps, demonstrated in Figure (8), which are usually administered by a continuous
audit manager. Knowing about these steps will enable auditors to better monitor
the continuous audit process and provide recommendations for its improvement, if
needed. These steps include:
1. Establishing priority areas.
2. Identifying monitoring and continuous audit rules.
3. Determining the process' frequency.
4. Configuring continuous audit parameters.
5. Following up.
6. Communicating results.
Below is a description of each.
1. Establishing Priority Areas
The activity of choosing which organizational areas to audit should be integrated
as part of the internal audit annual plan and the company's risk management
program. Many Internal Audit Departments also integrate and coordinate with
other compliance plans and activities, if applicable. (Steps 2-6 below are applicable
to all of the priority areas and processes being monitoring as part of the continuous
audit program.)
Typically, when deciding priority areas to continuously audit, internal auditors and
managers should:
Identify the critical business processes that need to be audited by breaking
down and rating risk areas.
Understand the availability of continuous audit data for those risk areas.
Evaluate the costs and benefits of implementing a continuous audit process
for a particular risk area.
Consider the corporate ramifications of continuously auditing the particular
area or function.
Technology Audit
37 Dr. Magdy El Messiry
Choose early applications to audit where rapid demonstration of results
might be of great value to the organization. Long extended efforts tend to
decrease support for continuous auditing.
Once a demonstration project is successfully completed, negotiate with
different auditors and internal audit areas, if needed, so that a longer term
implementation plan is implemented.
When performing the actions listed above, auditors need to consider the key
objectives from each audit procedure. Objectives can be classified as one of four
types: detective, deterrent (also known as preventive), financial, and compliance. A
particular audit priority area may satisfy any one of these four objectives. For
instance, it is not uncommon for an audit procedure that is put in place for
preventive purposes to be reconfigured as a detective control once the audited
activity's incidence of compliance failure decreases.
2. Monitoring and Continuous Audit Rules
The second step consists of determining the rules or analytics that will guide the
continuous audit activity, which need to be programmed, repeated frequently, and
reconfigured when needed. For example, banks can monitor all checking accounts
nightly by extracting files that meet the criterion of having a debt balance that is 20
percent larger than the loan threshold and in which the balance is more than US
$1,000.
In addition, monitoring and audit rules must take into consideration legal and
environmental issues, as well as the objectives of the particular process. For
instance, how quickly a management response is provided once an activity is
flagged may depend on the speed of the clearance process (i.e., the environment)
while the activity's overall monitoring approach may depend on the enforceability
of legal actions and existing compliance requirements.
3. Determining the Process' Frequency
Although the process is called continuous auditing, the word continuous is in the
eye of the beholder. Auditors need to consider the natural rhythm of the process
being audited, including the timing of computer and business processes as well as
the timing and availability of auditors trained or with experience in continuous
auditing. For instance, although increased testing frequency has substantial
benefits, extracting, processing, and following up on testing results might increase
the costs of the continuous audit activity. Therefore, the cost-benefit ratio of
continuously auditing a particular area must be considered prior to its monitoring.
Technology Audit
38 Dr. Magdy El Messiry
Furthermore, other tools used by the manager of the continuous audit function
include an audit control panel in which frequency and parameter variations can be
activated. Hence, the nature of other continuous audit objectives, such as
deterrence or prevention, may determine their frequency and variation.
4. Configuring Continuous Audit Parameters
Rules used in each audit area need to be configured before the continuous audit
procedure (CAP) is implemented. In addition, the frequency of each parameter
might need to be changed after its initial setup based on changes stemming from
the activity being audited. Hence, rules, initial parameters, and the activity's
frequency ― also a special type of parameter ― should be defined before the
continuous audit process begins and reconfigured based on the activity's
monitoring results.
When defining a CAP, auditors should consider the cost benefits of error detection
and audit and management follow-up activities. For instance, in the example of the
bank described earlier, the excess threshold of US $1,000 could lead to a number
of false negatives (e.g., values that were ignored when the balance was smaller
than US $1,000 but were identified as representing a problem) and a number of
false positives (e.g., values with balances above US $1,000 that were flagged but
were accurate). If the threshold is increased to US $2,000, there will be an increase
in false negatives and a decrease in false positives. Because follow up costs would
go up as the number of false positives increases and the presence of false negatives
may lead to high operational costs for the organization, internal auditors should
regularly reevaluate if error detection and follow-up activities need to be
continued, reconfigured, temporarily halted, or used on an ad hoc basis.
Furthermore, the stratification of audited data into sub-groups allows organizations
to better monitor the activity and reconfigure any parameters (e.g., auditors will be
notified when balances larger than 20 percent of the debt remain that are also
larger than US $5,000). However, the more complex the rule and its conditional
components, the more parameters that must be examined, monitored, and
sometimes reconfigured.
5. Following Up
Another type of parameter relates to the treatment of alarms and detected errors.
Questions such as who will receive the alarm (e.g., line managers, internal
auditors, or both ― usually the alarm is sent to the process manager, the manager's
immediate supervisor, or the auditor in charge of that CAP) and when the follow-
Technology Audit
39 Dr. Magdy El Messiry
up activity must be completed, need to be addressed when establishing the
continuous audit process.
Additional follow-up procedures that should be performed as part of the
continuous audit activity include reconciling the alarm prior to following up by
looking at alternate sources of data and waiting for similar alarms to occur before
following up or performing established escalation guidelines. For instance, the
person receiving the alarm might wait to follow up on the issue if the alarm is
purely educational (i.e., the alarm verifies compliance but has no adverse economic
implications), there are no resources available for evaluation, or the area identified
is a low benefit area that is mainly targeted for deterrence.
6. Communicating Results
A final item to be considered is how to communicate with auditors. When
informing auditors of continuous audit activity results, it is important for the
exchange to be independent and consistent. For instance, if multiple system alarms
are issued and distributed to several auditors, it is crucial that steps 1-5 take place
prior to the communication exchange and that detailed guidelines for individual
factor considerations exist. In addition, the development and implementation of
communication guidelines and follow-up procedures must consider the risk of
collusion. Much of the work on fraud indicates that the majority of fraud is
collusive and can be performed by an internal or external party. For example, in
the case of dormant accounts, both the clerk that moves money and the manager
that receives the follow-up money may be in collusion since the manager's key
may have to be used for certain transactions.
ADDITIONAL CONSIDERATIONS
Besides the six steps described in the previous section, two additional issues that
emerge when implementing continuous auditing are the infrastructure needed for
the process to work and its impact on the workplace.
Organizational Infrastructure
Because continuous auditing is a part of the company's audit function, it must be
kept independent of management. Therefore, during the planning stages, auditors
need to keep in mind the process' independence when designing its structure. For
instance, a typical Internal Audit Departments structured so that areas of the
department focus on different cycles or business activities. In addition, the
department may be divided into financial and IT audit functions.
Technology Audit
40 Dr. Magdy El Messiry
Sometimes, however, IT audit activities are incorporated as part of existing IT
operations. In organizations such as these, the development of continuous auditing
is usually delayed because the activity may not get the necessary development
priority. Regardless of whether IT audit activities are part of the organization's IT
or Internal Audit Department, the organization must maintain the process'
independence as well as allocate resources in support of continuous audit activities.
Impact on Personnel
In addition, the audit manager in charge of the continuous audit process should
have a more technical understanding of IT as well as extensive experience on the
activities being audited. However, hiring, training, and retaining auditors who can
implement and monitor continuous audit activities might be challenging due to the
scarcity of internal auditors with knowledge in the area. Furthermore, the
continuous audit process might create a daily stream of issues that need to be
resolved, which might prove stressful given current personnel resources, and might
require the continuous audit manager to exert adequate authority in moments of
exceptions.
Technology Audit
41 Dr. Magdy El Messiry
CHAPTER 3
PERFORMANCE IN TECHNOLOGY AUDIT
3.1. Introduction
Appointment of Auditor – auditors are usually appointed by the organization
mangers at the administration council meeting.
Terms of Engagement – an engagement letter provides written recognition of the
auditor‘s acceptance of appointment, sets out the scope of the audit plus auditors
and management responsibilities.
Audit Program – sets out the extent and type of audit procedures. Auditors work to
internationally agreed auditing standards. Auditors start by gaining an
understanding of the organization‘s activities. For each major activity listed in the
financial statements, auditors identify and assess risks that could have a significant
impact on the financial position or performance.
Technology Audit
42 Dr. Magdy El Messiry
Detailed Examination – auditors perform testing and obtain evidence to satisfy the
requirements of the audit program. Testing may include compliance with the
organization‘s accounting policies, examining accounting records and verifying the
existence of tangible items such as plant and equipment.
Audit Report – contains the audit opinion on the financial report and basis of that
opinion. The scope of the audit plus auditors and management responsibilities are
also restated. The external auditor should maintain independence from
management and directors so that the tests and judgments are made objectively.
Auditors discuss the scope of the audit work with the organization. Auditors
determine the type and extent of the audit procedures they will perform depending
on the risks and controls they have identified. Auditors form an opinion on the
information in the final report. However, the external auditor should not look at
every transaction carried out by the organization, test the adequacy of all of the
organization‘s internal controls, identify all possible irregularities, audit other
information provided to the members of the organization – e.g. the directors‘
report. Figure (9) gives the flowchart of the external audit.
Technology Audit
43 Dr. Magdy El Messiry
Figure (9) Flowchart of the external audit Source: www.urenio.org
Technology Audit
44 Dr. Magdy El Messiry
3.2. Audit team roles and responsibilities
An audit may be conducted by a single lead auditor or by an audit team consisting
of a lead auditor, one or more auditors and/or a technical adviser. The National
Code of Practice for Auditors and Technical Advisers describe the conditions that
an auditor and technical adviser must adhere to when fulfilling their roles during
audits.
Lead Auditor
The role of the lead auditor, demonstrated in Figure (10), is to:
• Confirm the scope of the audit with the registering body
• Contact the applicant and make an appointment for the audit
• Identify and confirm resources (including audit team members and audit
documentation) required to conduct the audit
• Review documentation and develop a plan and schedule for the audit in
conjunction with the applicant and then confirm these arrangements
• Brief the audit team
• Conduct the opening meeting
• Identify and gather information
• Manage audit team resources by ensuring that there is effective communication
between the members of the audit team, and by working with the applicant‘s
representative to ensure that auditors and technical experts have access to the
materials, sites and personnel they require
• Coordinate the audit findings by meeting with the audit team to synthesize the
evidence collected
• Prepare the audit report with support from the audit team
• Conduct the feedback session with the applicant and confirm follow-up
• Provide information to the applicant about the complaints process and follow-up
action required
• Provide feedback to the audit team.
Technology Audit
45 Dr. Magdy El Messiry
Figure (10) Duties of Leader of Auditor Team
Auditors
The role of an auditor, as shown in Figure (11), is to:
• Participate in the opening meeting
• Identify and gather information
• Analyses information
• Evaluate information
• Report findings
• Participate in the feedback session
• Undertake other duties as requested by the lead auditor.
Technology Audit
46 Dr. Magdy El Messiry
Figure (11) Role of Auditor
To understand better how a comprehensive, effective technology audit works, the
process can be broken down into its various phases in order to draw a comparison
between the audit process and the activities associated with organization
accreditation. Accreditation visit to occur can be segmented into three phases:
1) Getting ready;
2) On-site visit;
3) Results & follow up.
The greatest quantity of work occurs during the first phase. Therefore, the three
phases will be examined accordingly.
Technology Audit
47 Dr. Magdy El Messiry
Phase One: Pre-Audit
Whether the technology audit has been triggered by the organization internal desire
to assess its accountability or whether the impetus has come from outside the
organization, the initial phase is the same. The organization must get ready for the
audit. Thus, this phase is sometimes called the ―pre-audit‖ stage. At a macro level,
the organization might want to establish a set of systems that can be put in place to
make auditors time more valuable, more efficient. Auditor may want to form a
group of teams to perform specific functions; a physical location may be specified
as a ―gathering point‖ for evidentiary documents; a series of focus group meetings
should be scheduled so organization leaders can encourage employees and
community members to voice their opinions and give their perspectives regarding
the organization‘s status; to create a system where all the hard work of engaged
people, the data and reports auditor collect, and the supporting systems can be
perpetuated.
Enrolling team members - To make your technology audit a success, it is essential
to have high-quality teams. The teams will be made up of the specialized members.
The team leaders will ensure a strong and fluid cooperation among teams, all
working on a common end goal. Team building is a significant activity. All
organization leaders realize this fully. Best leaders who build and grow the best
teams so they will accomplish the best results.
The auditor team leader may clarify with organization employees by explaining to
them that a technology audit is coming and he wants to obtain their very best
thinking about some strategies that will assure success for the organization. During
this meeting, the auditor might want to engage in a simple brain storming activity,
asking everyone to call out, as fast as they can, all the areas where is the use of
technologies in the organization. Team leader might ask them to be frank and
candid in their comments, and then ask them to pinpoint areas where they perceive
that improvements could be made. If/when they mention some examples, the
auditor asks for substantiating evidence that may give the clues to other things
needing. The team leader tries to imagine how the auditors will see things/look at
things through their eyes. What would the auditors do? What would they say?
What would they seek? How would they interpret what you give them? What
would they recommend? As the leader and the team of advisors go through these
considerations, they will have prepared themselves well for what lies ahead, and
Technology Audit
48 Dr. Magdy El Messiry
will no longer fear the technology audit, or consider it as a negative event. Rather,
they will see this as a profoundly important opportunity to engage in systemic
improvement, as well as great improvement at the individual level.
Phase Two: On-Site Visit
The time has come finally when auditors arrive at the organization and are
examining both the reports (data, information, and evidence) and the actual reality
of technology integration. This guideline is intended to help auditors conduct more
focused reviews of technology acquisitions by enabling them to quickly identify
significant areas of risk. Using these guidelines will help auditors identify critical
factors not addressed by management, make a general evaluation of any
procurement risks, and provide rapid feedback to agency officials so they can take
corrective action in a timely and efficient manner. Use of the guidelines should be
selectively tailored to the requirements of particular reviews and adapted to the
status of the acquisition. Auditors will need to exercise professional judgment in
assessing the significance of audit results or findings. Professional judgment is
necessary to evaluate this information and determine if the agency conducted an
adequate requirements analysis.
There are five tasks within the audit process area:
1. Develop and implement a risk-based audit strategy for the organization in
compliance with audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected
and controlled.
3. Conduct audits in accordance with audit standards, guidelines and best
practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key
stakeholders.
5. Advise on the implementation of risk management and control practices
within the organization while maintaining independence.
Technology Audit
49 Dr. Magdy El Messiry
3.3. Audit planning
Audit planning consists of both short- and long-term planning, demonstrated in
Figure (12). Short-term planning takes into account audit issues that will be
covered during the year, whereas long-term planning relates to audit plans that will
take into account risk-related issues regarding changes in the organization‘s
technology strategic direction that will affect the organization‘s technology
environment. Analysis of short- and long-term issues should occur at least
annually.
Figure (12) Types of Audit Planning
Technology Audit
50 Dr. Magdy El Messiry
Figure (13) Perform Audit Planning Steps
This is necessary to take into account new control issues, changing technologies,
changing business processes and enhanced evaluation techniques. The results of
this analysis for planning future audit activities should be reviewed by senior
management, approved by the audit committee, if available, or alternatively by the
Board of Directors, and communicated to relevant levels of management. In
addition to overall annual planning, each individual audit assignment must be
adequately planned. The auditor should understand that other considerations, such
as risk assessment by management, privacy issues and regulatory requirements,
may impact the overall approach to the audit. The auditor should also take into
consideration system implementation/upgrade deadlines, current and future
technologies, requirements of business process owners, and resource limitations.
When planning an audit, the auditor must have an understanding of the overall
environment under review. This should include a general understanding of the
various business practices and functions relating to the audit subject, as well as the
types of information systems and technology supporting the activity.
To perform audit planning which is shown in Figure (13), the auditor should
perform the following steps in this order:
• Gain an understanding of the business‘s mission, objectives, purpose and
processes, which include information and processing requirements, such as
availability, integrity, security and business technology.
Technology Audit
51 Dr. Magdy El Messiry
• Identify stated contents, such as policies, standards and required guidelines,
procedures, and organization structure.
• Evaluate risk assessment and any privacy impact analysis carried out by
management.
• Perform a risk analysis.
• Conduct an internal control review.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Assign personnel resources to the audit and address engagement logistics.
• Audit planning
– Short-term planning
– Long-term planning
– Things to consider
• New control issues
• Changing technologies
• Changing business processes
• Enhanced evaluation techniques
• Individual audit planning
– Understanding of overall environment
• Business practices and functions
• Information systems and technology
3.4. Road Map for the External Audit Team Audit Leader
The following are steps that the Team audit leader would perform to determine an
organization‘s level of compliance with external requirements:
• Identify those government or other relevant external requirements dealing with:
– Electronic data, copyrights, e-commerce, e-signatures, etc.
Technology Audit
52 Dr. Magdy El Messiry
– Computer system practices and controls
– The manner in which computers, programs and data are stored
– The organization or the activities of the information services
• Document applicable laws and regulations
• Assess whether the management of the organization and the information systems
function have considered the relevant external requirements in making plans and in
setting policies, standards and procedures
• Review internal information systems department/function/activity documents that
address adherence to laws applicable to the industry
• Determine adherence to establishing procedures that address these requirements.
3.5. Notes to the Auditor
Auditor will not ask about any specific laws or regulations, but may question
about how one would audit for compliance with laws and regulations.
Auditor should be aware that it is important that the auditor understands the
relationships of control objectives and controls; control objectives and audit
objectives; criteria and sufficiency and competency of evidence; and audit
objective, criteria and audit procedures. Strong understanding of these elements is
a key for the auditor‘s performance.
Auditor is the importance of setting legal advice. There are two key aspects that
control needs to address, what the auditor should to achieve and what to avoid.
Auditor addresses not only to internal controls business/operational objectives,
but need to address undesired events through preventing, detecting, and correcting
undesired events. Types of control;
• Internal accounting controls - Primarily directed at accounting operations, such as
the safeguarding of assets and the reliability of financial records
Technology Audit
53 Dr. Magdy El Messiry
• Operational controls - Directed at the day-to-day operations, functions and
activities to ensure that the operation is meeting the business objectives
• Administrative controls - Concerned with operational efficiency in a functional
area and adherence to management policies including operational controls. These
can be described as supporting the operational controls specifically concerned with
operating efficiency and adherence to organizational policy.
Figure (14) Elements to Development of Internal Control Manual
3.6. Control objectives
Every organization needs to have a sound internal control in place to keep the
organization on course toward profitability goals and achievement of its mission,
to minimize surprises along the way and to be able to realize its opportunities.
Elements to Development of Internal Control Manual are illustrated in Figure (14).
Technology Audit
54 Dr. Magdy El Messiry
The importance of internal control has been further heightened by the increasing
attention given to corporate governance, of which internal control is now
considered to be vital element. Sound practices of internal control and risk
management enable management to deal with rapidly changing economic and
competitive environments, shifting customer demands and priorities, and
restructuring for future growth. Internal controls and risk management promote
efficiency, reduce risk of asset loss, and help ensure the reliability of financial
statements38
.
It consists of the following;
• Safeguarding of information technology assets
• Compliance to corporate policies or legal requirements
• Authorization/input
• Accuracy and completeness of processing of transactions
• Output
• Reliability of process
• Backup/recovery
• Efficiency and economy of operations.
Controls are generally categorized into 3 major classifications:
Preventive: These controls are to deter problems before they arise.
Detective: Controls that detect and report the occurrence of an error, omission or
malicious act.
Corrective: These controls minimize the impact of a threat, remedy problems
discovered by detective controls, and identify the cause of a problem.
Internal control objectives - Apply to all areas, whether manual or automated.
Therefore, conceptually, control objectives in an information systems environment
Technology Audit
55 Dr. Magdy El Messiry
remain unchanged from those of a manual environment. However, control features
may be different. Thus, internal control objectives need to be addressed in a
manner specific to related processes.
Figure (15) Internal Control Pyramid http://www-audits.admin.uillinois.edu/ICT/ICT-summary.html
Internal Control is a process within an organization designed to provide
reasonable assurance:
That information is reliable, accurate, and timely.
Of compliance with policies, plans, procedures, laws, regulations, and
contracts.
That assets (including people) are safeguarded.
Of the most economical and efficient use of resources.
That overall established objectives and goals are met.
Internal controls are intended to prevent errors or irregularities, identify problems,
and ensure that corrective action is taken.
Figure (15) illustrates the internal control pyramid and the information and
communication path.
Technology Audit
56 Dr. Magdy El Messiry
CHAPTER 4
SWOT ANALYSIS
4.1 Introduction
SWOT Analysis is a business tool by which, a firm wishing to implement a
strategic analysis, analyses and recognizes it‘s corporate Strengths and Weaknesses
as well as the existed or forthcoming Opportunities and Threats from its external
environment.
Only when these four critical information elements are well elaborated and known,
the enterprise is able to formulate and implement the strategy leading to its
business aims.
4.2. The Need for SWOT Analysis
The SWOT Analysis is an extremely useful tool for understanding and decision-
making for all sorts of situations in business and organizations. SWOT Analysis is
a very effective way of identifying your Strengths and Weaknesses, and of
examining the Opportunities and Threats you face. Carrying out an analysis using
the SWOT framework helps you to focus your activities into areas where you are
strong and where the greatest opportunities lie. By creating a SWOT Analysis, you
can see all the important factors affecting your business together in one place. It‘s
easy to create, easy to read, and easy to communicate.
Technology Audit
57 Dr. Magdy El Messiry
Figure (16) SWOT Analysis Framework14
4.3. Limitations of SWOT Analysis
SWOT Analysis is not free from its limitations*. It may cause organizations to
view circumstances as very simple because of which the organizations might
overlook certain key strategic contact which may occur. Moreover, categorizing
aspects as strengths, weaknesses, opportunities and threats might be very
subjective as there is great degree of uncertainty in market. SWOT Analysis does
stress upon the significance of these four aspects, but it does not tell how an
organization can identify these aspects for itself.
There are certain limitations of SWOT Analysis which are not in control of
management. These include:
a. Price increase;
b. Inputs/raw materials;
c. Government legislation;
d. Economic environment;
e. Searching a new market for the product which is not having overseas
Technology Audit
58 Dr. Magdy El Messiry
market due to import restrictions; etc.
Internal limitations may include:
a. Insufficient research and development facilities;
b. Faulty products due to poor quality control;
c. Poor industrial relations;
d. Lack of skilled and efficient labor; etc
The SWOT Analysis is an extremely useful tool for understanding and
decision-making for all sorts of situations in business and organizations. A
company can use the SWOT Analysis while developing a strategic plan or
planning a solution to a problem that takes into consideration many different
internal and external factors, and maximizes the potential of the strengths and
opportunities while minimizing the impact of the weaknesses and threats
4.4. SWOT Analysis Framework
Action checklist
1. Establishing the objectives
The first key step in any project is to be clear about what you are doing and why.
The purpose of conducting SWOT Analysis may be wide or narrow, general or
specific.
2. Allocate research and information-gathering tasks. Background preparation is a
vital stage for the subsequent analysis to be effective, and should be divided
among the SWOT participants. This preparation can be carried out in two stages:
Exploratory, followed by data collection.
Detailed, followed by a focused analysis. Gathering information on
Technology Audit
59 Dr. Magdy El Messiry
Strengths and Weaknesses should focus on the internal factors of skills,
resources and assets, or lack of them. Gathering information on
Opportunities and Threats should focus on the external factors.
3. Create a workshop environment
If compiling and recording the SWOT lists takes place in meetings, then do
exploit the benefits of workshop sessions. Encourage an atmosphere conducive to
the free flow of information and to participants saying what they feel to be
appropriate, free from blame. The leader/facilitator has a key role and should
allow time for free flow of thought, but not too much. Half an hour is often
enough to spend on Strengths, for example, before moving on. It is important to
be specific, evaluative and analytical at the stage of compiling and recording the
SWOT lists.
4. List Strengths, Weaknesses, Opportunities, Threats in the SWOT Matrix
5. Evaluate listed ideas against objectives.
With the lists compiled, sort and group facts and ideas in relation to the
objectives. It may be necessary for the SWOT participants to select from the list
in order to gain a wider view.
The SWOT Analysis template is normally presented as a grid, comprising four
sections, one for each of the SWOT headings: Strengths, Weaknesses,
Opportunities, and Threats. The SWOT template given in Chapter 5 includes
sample questions, whose answers are inserted into the relevant section of the
SWOT grid. The questions are examples, or discussion points, and obviously can
be altered depending on the subject of the SWOT Analysis.
Technology Audit
60 Dr. Magdy El Messiry
Figure (17 ) SWOT Analysis Framework
Technology Audit
61 Dr. Magdy El Messiry
CHAPTER 5
EXAMPLE OF FORMATION OF SWOT MATRIX PARAMETERS
Figure (18) SWOT Matrix Environment Analysis
5.1 Introduction
The analysis of the company situation starts by defining the strength, weakness,
opportunities and threats. Table below shows some common parameters which
may be considered.
Technology Audit
62 Dr. Magdy El Messiry
Strengths
Advantages of proposition?
Capabilities?
Competitive advantages?
USP's (unique selling points)?
Resources, Assets, People?
Experience, knowledge, data?
Financial reserves, likely returns?
Marketing - reach, distribution,
awareness?
Innovative aspects?
Location and geographical?
Price, value, quality?
Accreditations, qualifications,
certifications?
Processes, systems, IT,
communications?
Cultural, attitudinal, behavioral?
Management cover, succession?
Weaknesses
Disadvantages of proposition?
Gaps in capabilities?
Lack of competitive strength?
Reputation, presence and reach?
Financials?
Own known vulnerabilities?
Timescales deadlines and
pressures?
Cash flow, start-up cash-drain?
Continuity, supply chain
robustness?
Effects on core activities,
distraction?
Reliability of data, plan
predictability?
Moral, commitment, leadership?
Accreditations, etc?
Processes and systems, etc?
Management cover, succession?
Technology Audit
63 Dr. Magdy El Messiry
Opportunities
Market developments?
Competitors' vulnerabilities?
Industry or lifestyle trends?
Technology development and
innovation?
Global influences?
New markets, vertical, horizontal?
Niche target markets?
Geographical, export, import?
Tactics - surprise, major
contracts, etc?
Business and product
development?
Information and research?
Partnerships, agencies,
distribution?
Volumes, production, economies?
Seasonal, weather, fashion
influences?
Threats
Political effects?
Legislative effects?
Environmental effects?
IT developments?
Competitor intentions - various?
Market demand?
New technologies, services,
ideas?
Vital contracts and partners?
Sustaining internal capabilities?
Obstacles faced?
Insurmountable weaknesses?
Loss of key staff?
Sustainable financial backing?
Economy - home, abroad?
Seasonality, weather effects?
successful SWOT Analysis
Technology Audit
64 Dr. Magdy El Messiry
5.2. Tips for Design Your SWOT Analysis
For the successes of the SWOT Analysis some constrictions depending on the
environment of the origination should be taken into consideration.
Following are some tips 15
for the auditors;
Top Tips But remember …
1 Never copy an existing SWOT Analysis; it will
influence your thinking. Start with a fresh
piece of paper every time
You could use a standard
template to help the ideas flow
2 Set aside enough time to complete it You may need to come back to
it several times before you are
happy
3 The SWOT Analysis itself is NOT the result.
It‘s only a tool to help you analyze your
business
Before you begin any analysis,
you should know what you
intend to do with the results
4 A SWOT Analysis is not a business school fad.
It is a proven technique used throughout the
business community
You need to be comfortable
working with it in your
business
5 Keep your SWOT Analysis simple, readable,
short and sharp
It needs to make sense to
outsiders (e.g. bank managers
or investors) so don’t use
phrases or acronyms that only
you understand
6 Make sure you create an action plan based on
your SWOT Analysis
You need to communicate this
clearly to everyone involved
7 A SWOT Analysis only gives you insight at a
single point in time
You need to review it –
probably quarterly – to see
how the situation has changed
8 Don‘t over-analyze. Try not to worry if it isn‘t
perfect, just get the analysis done
If you are going to act on the
results, it needs to be accurate
Technology Audit
65 Dr. Magdy El Messiry
The role of SWOT Analysis is to take the information from the environmental
analysis and separate it into internal issues (strengths and weaknesses) and external
issues (opportunities and threats). Once this is completed, SWOT Analysis
determines if the information indicates something that will assist the firm in
accomplishing its objectives (a strength or opportunity), or if it indicates an
obstacle that must be overcome or minimized to achieve desired results (weakness
or threat). When doing SWOT Analysis, remember that the S and W are
INTERNAL and the O and T are external.
Figure(19) http://www.taygro.co.za/aboutus.html
in all the important areas
Technology Audit
66 Dr. Magdy El Messiry
CHAPTER 5
PRACTICAL EXAMPLES OF SWOT ANALYSIS
5.1. Health centers
Subject of SWOT Analysis example: the achievement of a health centers mission.
The scenario is based on the SWOT Analysis17
, which has been performed by a
health centre in order to determine the forces that promoted or hindered the
achievement of its mission.
Starting position of the health centre:
The staff lack of motivation
The building was really small
The facility was old
There was a lot of paper work and bureaucracy
Those characteristics resulted in this health centre facing up to a lot of problems
with the accommodation of the patients. Moreover, the establishing of a new
advanced hospital in the city made the situation even worse. Therefore, they
decided to perform a SWOT Analysis in order to execute the best decision-making
for all the problems that they faced.
Step 1: Purpose of conducting SWOT Analysis - the achievement of a health
centers mission.
Step 2: The gathering of information on Strengths and Weaknesses focused on the
internal factors of skills, resources and assets, or lack of them. The gathering
information on Opportunities and Threats should focus on the external factors.
Technology Audit
67 Dr. Magdy El Messiry
Step 3: The manager of the health centre encouraged all the staff members to
freely express their opinions about what they felt to be appropriate.
Step 4: SWOT matrix
Step 5: After completing the SWOT matrix the SWOT participants had a wider
view of the situation at the centre so they were able to propose the alternatives that
helped considerably in the operation of the health centre.
The alternatives where:
training of the staff in interactive techniques of quality improvement
coordination with other providers to cover all user needs
remodeling of the facility with local government funds and international
help
cost recovery of drugs and lab supplies with user fees
payment of incentives to staff based on performance
review of procedures for decreasing costs and waiting times and increasing
perceived quality.
Strengths:
Willingness of staff to change
Good location of the health centre
Perception of quality services
Weaknesses:
Staff lack of motivation
Building was really small
Paper work and bureaucracy
Cultural differences with users
Opportunities:
Support of local government
Threats:
Low income of users
Technology Audit
68 Dr. Magdy El Messiry
High felt need of users
Internationally funded projects
Bad roads
Low salaries
Lack of budget
Paradigms of providers
High competition
This strategic analysis and planning
of the health centre had the below results:
27% increase of patients
reduction of waiting times to
15minutes
20% increase of staff performance
remodeling of the facility
Technology Audit
69 Dr. Magdy El Messiry
5.2. University SWOT Analysis
University strengths, weaknesses, opportunities and threats (SWOT Analysis) were
identified by members of University Strategic Goals and Priorities Committee
during a brain storming session. Administrators, faculties, and students reviewed
the analysis and provided input. Background information on the Organization is
opportunities and threats it faces can be useful in considering strategic issues.
The SWOT Analysis was used to develop the attached strategic questions. These
questions and others raised by participants at the workshop will help define
strategic directions important to the university in the next five year.
Technology Audit
70 Dr. Magdy El Messiry
SWOT ANALYSIS
Strengths:
Positive reputation in the external
community
- Positive experience with those who
interact with the campus
- Proactive Partnerships with other
universities, community colleges, and
corporations
- Past performance
- Many Accredited Programs
- Successful 6 year graduation rates
- Faculty and staff support the campus
mission
- Proactive student support
- Access to services
- Faculty involvement with students
- Student leadership programs
- Learning communities developing to
enhance learning and student-faculty
interaction
- Campus Characteristics
- Medium size campus with small class size
-Facilities include new and well-maintained,
attractive buildings and grounds with
growth potential
- Potential for growth in Turlock and
Stockton
- Friendly and safe
- Diverse student body, Hispanic Serving
Institution
- Dedicated and Expert faculty
- Campus wide involvement in planning
- Healthy shared governance
- Strong, active external boards
- Residential Campus Development
- Artistic and Cultural Performances
Weaknesses:
Distinguishing qualities and identity not well
known
- Operational structure/bureaucracy
- Sluggish responsiveness to student and
community needs
- Fiscal uncertainty
- Lack of pride of internal community
- Match between research expectation &
support
- High and unequal workloads faculty &
staff
- Ability to hire & retain faculty
- Student preparedness at entrance
- Adjusting to pressures of growth
- Varying perceptions of appropriate
proportions of major employee categories
(faculty, staff, and administrators)
- Lack of strong, pervasive presence in the
external community
- Limited resources for faculty and staff
development
- Highly competitive market for diverse
faculty and staff
- Promulgating egalitarianism
- Reporting perceived as a ritual and
meaningless
- Reporting requirements absorb a large
percentage of resources
Technology Audit
71 Dr. Magdy El Messiry
Opportunities:
Partnerships in support of university
initiatives
- Expanded possibilities for the workforce
- Diversity of region (students industry)
- External Community and University
relationships
- Interest in academic program expansion
- Interest in expansion of cultural activities
- Interest in University services (Policy
Center, Bridge,
- Growth potential
- New construction
- Societal trends
- Increased value of higher education
completion
- Growing demand for graduates
- Match between curricular & societal
interests
- Increase demand for mid-career
redirection and lifelong learning
- Increased interest in global initiatives
- Technological advances
- Partnership opportunities
- Increased focus on higher education
- development of university park
- large student pool
- increased interest in university
connections
Threats:
State budget crisis
- Private, for-profit, and on-line universities¡¦
responsiveness to program and student
scheduling demands
- Increase in reporting expected by
government and society
- Shift in focus on numerical achievement
vs. qualitative achievement
- Negative public perception
- Development of another university in the
area
- Societal and student perception of
education as solely a means to a job
- Reporting perceived as a ritual and
meaningless
- Reporting requirements absorb a large
percentage of resources.
- Historical public perceptions/lack of
knowledge about higher Education.
- Historical lack of knowledge.
Technology Audit
72 Dr. Magdy El Messiry
SWOT ANALYSIS OF AUC37
I-Introduction:
SWOT analysis: a method of analyzing an organization‘s competitive situation
that involves assessing organizational strengths (S), weaknesses (W),
environmental opportunities (O), and threats (T).
Both strengths and weaknesses are internal factors, that are subject to change
from within the organization itself. Opportunities and threats are the conditions
within the external environment that affects the organization, such as:
technological, economic, legal-political, sociocultural, and the international
element.
II-SWOT ANALYSIS of AUC:
1-Strengths:
a - Highly qualified full time, and part time faculty.
b - Highly skilled students due to the highly competitive selection in admissions.
c - Advanced technology in the University facilities; optic fiber network, ACS
server, well-equipped engineering, natural sciences, and computer labs (relative to
the Egyptian universities) , and research centers (Desert research center).
d - Distinctive rank in the private universities market in Egypt, in comparison to
other universities,
e - Continuous renovations either in facilities (New campuses in Falaki and New
Cairo), technology, and staff.
f - Well defined managerial policy; well-defined hierarchy.
g - Monopolizing the employment market of some majors, such as: construction
management and industrial engineering, business administration, political science,
and computer science.
h - Private university, accredited by several authorities, such as: the Egyptian
ministry of education, Egyptian Syndicates, ABET (Accreditation Board of
Engineering and Technology), the higher council of universities in Egypt, MSA
(Commission on Higher education of the Middle States Association of colleges and
schools) and AACU (American Association for Colleges and Universities).
i - An integrated modern library, containing books, microfilms, periodicals, and
other documents, arranged on the same model of the Congress library. Moreover,
Technology Audit
73 Dr. Magdy El Messiry
the university has a special collection library, which is actually a fortune.
j - Paying great care to social sciences research due to the presence in a good
field for research in the Middle East, and Egypt in specific.
k - The university has a hostel, which serves all the international students.
l - Absence of unemployment among AUC graduates due to the presence of
Career Advising and Placement Service (CAPS office).
m - The university appreciates the extra-curricular activities and encourages them,
and that is what makes AUC graduates different.
2-Weaknesses:
a - High tuition fee, relative to the other private universities in Egypt, and even to
the American state-universities.
b - Unbalanced budget, where about 60% of the budget is composed of money
from tuition, while the rest comes through donations from companies, like Esso,
Shlumberger, Ford foundation, General Electric, USAID, etc.
c - Absence of adequate facilities in the field of graduate research, in
comparison to other American Universities.
d - The absence of an undergraduate research program.
e - Weak image in the Egyptian society (market), because of the claim that AUC
westernizes the Egyptian students.
f - Weak marketing techniques, limited to advertisement in the newspapers.
g - The absence of financing source, other than tuition and donations, like
research centers.
h - Currently before the new campuses end, the university suffers from an un-
limited problem of space, in addition to the parking area around the existing
campuses and the traffic from and to them.
3-Opportunities:
a - Dominating the market of the private universities in Egypt with other
competing universities, like 6th of October Univ., and perhaps the Middle East,
Technology Audit
74 Dr. Magdy El Messiry
like AUB and AUD, after the construction of the new campuses.
b - The ability to serve more customers of students in the Under-grad, and Grad.
Levels after building the news campuses (Currently AUC serves 3,584 Under-grad,
and 592 Grad. )
c - Attraction of more foreign students.
d - The chance of finding more financial resources through fundraising, by the
newly appointed President.
e - Establishment of well-equipped campus in Falaki that will serve as an
Engineering faculty that will include electronics engineering.
f - The use of optic fibers network in the new Cairo campus to link all the
university through a powerful link.
g - By strengthening the existence of AUC, the AUCians might get better image
and they might be accepted by the all the categories of the society.
4-Threats:
a - Any expected political conflicts in the Middle East, either between Egypt and
Israel, or Egypt and USA itself, or even like Gulf War. This may drop admissions
to a destructive level. Moreover, the university might have to do without the
American faculty and employees, and most of the university supports might
withdraw their support. Thus the budget might be seriously harmed
b - Any expected security or political problems in Egypt, either like terrorism or
any serious changes in the current regime. The admissions of international students
might drop to a serious level.
c - Competition with other low cost competitors, like 6th October Univ., Misr
International Univ.
d - Increase in the Egyptian cultural persistence, and their refusal of the
AUCians. Thus, AUC image continues to deteriorate.
e - Increase in the number of offered AUC graduates to what the market demands.
Thus unemployment appears among the AUC graduates like any Egyptian
university
f - Failure in the process of fundraising for the construction of the new campuses.
Technology Audit
75 Dr. Magdy El Messiry
5.3. Retail Industry SWOT Analysis*
This is an example of a SWOT Analysis for a Retail Business, whilst every effort
has been made to ensure our examples are accurate, their accuracy depends on
where you live in the world and what has changed since they were developed.
You may use our SWOT examples as a guide to indicate what your SWOT might
look like but please do not build a plan based on these examples without validating
their accuracy for your business in your region of the world.
The first of our SWOT Analysis examples is for a retail business, the business was
established by an entrepreneur stocks brand name clothing imported from
manufacturers around the world. The business currently only stocks 3 brands of
men‘s clothing, pitched at the 18 to 28 single young adult.
SWOT Analysis Examples: Strengths Possible Strengths Response Is it strength?
Tangible Strengths
Consider your assets including
plant and equipment
Assets are really
only shop fittings
and stock with two
computers and
software.
No
Do you have long-term rental
contracts for your business
locations?
3 + 3 + 3 year lease
in major shopping
center, location
within the shop is at
the will of the
center, poor sales
No, same as our
competitors
Technology Audit
76 Dr. Magdy El Messiry
will result in a shift
to a low foot traffic
location.
Are your products unique or
market leading?
No, stock is the
same as our
competitors. We
can pick and choose
what styles to stock.
No
Have you got sufficient
financial resources to fund any
changes you would like to
make?
No, we do trade
profitably, but are
not able to fund an
expansion to a
larger footprint
store.
No
Do you have any cost
advantages over your
competitors?
No, rents are all
pretty standard, you
can save on rent but
loose the foot
traffic, so it is all
relative.
No
Do you use superior
technology in your business?
No No
Is your business high volume? No. We do sell a
lot, but not as much
as some of the
larger retail stores.
Our product is high
quality, high margin
and low volume in
comparison
No
Technology Audit
77 Dr. Magdy El Messiry
Can your scale up your volume
if you need to?
Not really, orders
are placed in
advance, shop size
is restrictive.
No
Intangible Strengths
Do you have or stock strong
recognizable brands
Yes, though the
brand space is
becoming cluttered
with more and more
recognizable
brands. Depleting
the value of any one
brand.
Yes
Your reputation - are you
considered a market leader? or
experts in you‘re filed?
No. No
Do you have good relationship
with your customers?
(Goodwill)
Yes, we have a
good connection
with our customers,
our email list grows
and many
customers advise
they were referred
to us by their mates.
We get a lot of
repeat customers.
Yes
Do you have strong
relationships with your
suppliers
Yes, though we are
just another
supplier to them.
We are able to
differentiate from
Yes
Technology Audit
78 Dr. Magdy El Messiry
our competitors.
We have long term
agreements in place
with some suppliers
to be their sole
representative in
this region.
Do you have a positive
relationship with your
employees
Yes, though we
only have a few
employees
No, our
competitors also
have good
employee
relations
Do you have any unique
alliances with other
businesses?
No, maybe our
territory agreements
with some
suppliers.
No
Do you own any patents or
proprietary technology?
No No
Do you have a proven
advertising process that works
well?
Email news letter
with specials and
new stock, seems to
work for retaining
customers.
Most new
customers were
attracted to the
shopping complex.
Yes
Do you have more experience
in your field?
No No
Are you managers highly No No
Technology Audit
79 Dr. Magdy El Messiry
experienced?
Do you have superior industry
knowledge?
No, though we do
have a good set of
sales skills,
particularly up
selling and forming
relationships.
People feel good
coming by and
seeing us.
No
Are you involved with industry
associations?
No No
Is your business Innovative? No, only in sales
and relationship
building.
No
Other Strengths
Current location Current location in
the center has high
traffic, in an area
with several other
shops targeting the
same market which
draws people to the
area
No
Our innovation is in
our sales technique
and point of sale
displays
Yes
Summary
Technology Audit
80 Dr. Magdy El Messiry
The key strengths for the business are
1. Unique brands protected by sole supply agreements
2. Successful relationship marketing, and
3. Innovative sales techniques
SWOT Analysis Examples: Weaknesses
Possible Weaknesses Response Is it a Weakness?
Tangible Weaknesses
Is your plant and
equipment old or
outdated?
N/A N/A
Is your product line too
narrow?
Maybe, we only sell a few
of brands of men clothing,
we could stock more
accessories, but we don‘t
want to confuse the
customer about what line
of business we are in.
Maybe
Have you got
insufficient financial
resources to fund any
changes you would like
to make?
Yes, we often think about
opening a bigger store, but
the rent would be an issue
if we did not get immediate
sales
Yes
Do you have a high
overall unit cost
relative to your
competitors?
No No
Do you use inferior No No
Technology Audit
81 Dr. Magdy El Messiry
technology in your
business?
Do you have low
volume and are
restricted in your
ability to scale up?
Yes, it may take a few
weeks to replenish stock,
less early in the season.
But late in the season our
suppliers are often out of
stock of the quick moving
products
No, all retailers
are in the same
situation
Intangible Weaknesses
Do you have a weak or
unrecognizable brand?
Yes, maybe our shop name
is not a public recognizable
brand but our stock is.
Some of our competitors
are franchise and everyone
knows them
Yes
Do you have a weak or
unrecognizable image?
No, our shop frontage
tends to draw people in
No
Do you have a poor or
impersonal relationship
with your customers?
No, we have great
relationships with our
customers
No
Do you have a poor
relationship with your
suppliers?
No No
Do you have a poor
relationship with your
employees?
No No
Is your marketing
failing to meet
No No
Technology Audit
82 Dr. Magdy El Messiry
objectives?
Are your managers
inexperienced?
Yes, I have less than 2
years in Retail
Yes
Do you have low
R&D?
n/a N/A
Do you lack industry
knowledge?
Yes, maybe Yes
Do you lack innovative
skills?
No No
Other Weaknesses
Specify None
Summary
The key weaknesses for the business are
1. Small store size and inability to find an expansion, resulting in stocking
a limited product range
2. Shop name is not well known
3. Manager has limited industry experience and industry knowledge
Technology Audit
83 Dr. Magdy El Messiry
SWOT Analysis Examples: Opportunities
Possible Opportunities Response Is it an
Opportunity?
Industry Opportunities
Can you expand your
product range?
Yes, there are no
contractual restrictions to
us adding products to the
store, store size is an issue
Yes
Can you diversify
your business
interests?
Maybe, if we had the funds No
Can you expand into
your customer's field?
No, the customer is the
consumer
No
Can you expand into
your supplier's field?
Yes, I don‘t have the skills
to establish an import
business
Yes
Can you expand your
customer base?
(Geographically or
through new
products)
Maybe, through internet
sales and mail order,
maybe open another
location
Yes
Do you have placid
competitors?
Yes, there is not a lot of
competitive advertising in
our niche, and price is not
so much of an issue to our
customers
Yes
Do you have any
export opportunities?
No, we import No
Technology Audit
84 Dr. Magdy El Messiry
Will the total market
for your products
grow?
Yes, but not significantly No
Macro Opportunities
Are there any
favorable changes to
legislation pending
No No
Will there be any
changes to any
import/export
constraints that will
be favorable for your
business?
No, almost all clothing is
imported there is little
domestic production and a
lack of ability for domestic
producers to scale up. Any
changes will impact all
retail outlets equally.
No
Is the economic
outlook favorable?
No, however this may play
favorably to our business
as our target market might
postpone larger expenses
as a result a greater share
of purse may be allocated
to clothing – this is yet to
be proven.
No
Are there any
favorable cultural
shifts that will benefit
you?
Due to increases in housing
prices our target customer
has opted to postpone
taking on longer term
debit. Instead to remain in
the ―nest‖ for longer. This
trend increases their
customer life for our
products.
Yes
Technology Audit
85 Dr. Magdy El Messiry
Are there any
changes in the use of
technology that your
business can utilize
such as Ecommerce
or Internet sales?
Use of internet to increase
marketing and online sales.
Yes
Other Opportunities
Summary
The key opportunities for the business are
1. Backward integration in the supply chain to include importing
directly
2. Increased geographic coverage
3. Leverage the growth of the internet to enhance business
4. Increase life of customer was 18 – 24 year old males, now 18 –
29 year old males
SWOT Analysis Examples: Threats
Possible Threats Response Is it a
threat?
Industry Threats
Will low cost imports
impact your business?
No, our shop appeals to the
middle income bracket who are
not interested in low cost
alternatives.
Though high quality low cost
imports will increase our
margin.
No
Technology Audit
86 Dr. Magdy El Messiry
Do consumers have a
choice to use a
substitute product?
Yes, many other products in the
category
No
Are substitute product
sales increasing?
No more than ours, the market
share is reasonably consistent
No
Is your market in
slow growth or in
decline?
No, our market is relatively
stable, maybe slight growth
No
Is the power of your
customers or
suppliers growing,
can they dictate price?
No, maybe one supplier is
trying to increase prices above
CPI, but we can stop selling
their stock and shift to another
supplier of a similar quality
product
No
Are the needs of your
buyers changing?
Yes, every season fashion
changes, however the need for
medium quality products
remains unchanged.
Yes
Macro Threats
Will foreign exchange
rate changes affect
your imports or
exports?
Yes, declining dollar will
impact us, and all others in our
industry, may also reduce sales
if we pass price on to customer
Yes
Are there any changes
in demographics that
will impact your
business
Maybe an increase in awareness
about the behavior of
governments of low cost
producing nations may
eventually impact our supply
chain.
No
Technology Audit
87 Dr. Magdy El Messiry
Is regulation in your
industry increasing?
No No
Other Threats
Rent Rent can go up reducing our
margins
Yes
Location Our rental contract allows the
center to move our business
location, if they believe another
business will make them more
profits.
Yes
Summary
The key threats for the business are
1. Changing fashion trends may shift consumer interest in our
product range
2. Exchange rate variation may impact costs
3. Rents increasing above CPI putting pressure on our margins
4. Center owner shifting us within the center
Technology Audit
88 Dr. Magdy El Messiry
SWOT Analysis Examples
Summary – Retail Clothing Business
Internal
Strengths Weaknesses
1. Unique brands protected by
sole supply agreements
2. Successful relationship
marketing, and
3. Innovative sales techniques
1. Small store size and inability
to find an expansion, resulting
in stocking a limited product
range
2. Manager has limited industry
experience and industry
knowledge
External
Opportunities Threats
1. Backward integration in the
supply chain to include
importing directly
2. Increased geographic
coverage
3. Leverage the growth of the
internet to enhance business
4. Increase life of customer
was 18 – 24 year old males,
now 18 – 29 year old males
1. Changing fashion trends may
shift consumer interest in our
product range
2. Exchange rate variation may
impact costs
3. Rents increasing above CPI
putting pressure on our
margins
4. Center owner shifting us
within the center
*http://www.whatmakesagoodleader.com/swot_analysis_examples.html
Technology Audit
89 Dr. Magdy El Messiry
4.4. Web Business SWOT Analysis
It is often said that the web is the great equalizer, so let‘s look at a SWOT for a
web business that sells toys online. (Fictional Business created for an MBA Class)
Internal
Strengths Weaknesses
1. Global reach of
business
2. Low cost to maintain
and enhance the site, not
restricted by foot print
3. Stock is recognized
brands
4. Purchase price can
be less than off line shops
5. Strong competition
for warehousing and
distribution keeps costs
down
6. Easy to remain in
touch and build
relationships with
customers (Email, SMS,
webzine)
7. Use existing
distribution networks
(Postage)
1. No shop front to
accept returns
2. People need to find
our site, there is no other
marketing
3. Lack of shop brand
recognition
4. Hard to scale up to
respond to peaks and
troughs in demand
5. Limited financial
capital to fund web site
optimization
6. Larger or heavy toys
have high delivery cost
diminishing the online
price advantage.
7. Low web
development skills in house
we are reliant on
outsourcing
External
Opportunities Threats
1. Established traffic
and high number of repeat
customers may enable
increased sales through the
addition of complimentary
1. The internet has no
barriers to entry which
means a better financed
business or an established
retail business may seek to
Technology Audit
90 Dr. Magdy El Messiry
product lines
2. Increased use of the
internet for shopping with
the 18 to 35 age group
suggests that additional
sales may come from
stocking toys for this age
group
3. Improve organic
search ranking to reduce
advertising costs
compete in this niche.
2. e'Bay and other
online auction sites have
traders selling similar
products
3. Buyer reluctance to
shop over the net
(Diminishing)
4. Quality issues from
overseas suppliers
damaging the reputation of
brands we sell
5. Lager business with
greater buying power may
undercut our prices to gain
online market share
Sample SWOT Analysis Summary
Trading online has become quite competitive with Search Engine
Optimization critical to a businesses online success, whilst internet
business can undercut traditional retail businesses once the online
business exceeds the ―run from home‖ size it begins to incur additional
warehousing and distribution costs.
Instead of large growth in traffic the business may prefer to look at
slow growth combined with additional products to increase overall
revenue per customer.
The business would do well to identify multiple potential suppliers to
offset any risk from their current suppliers.
Technology Audit
91 Dr. Magdy El Messiry
CHAPTER 6
GLOSSARY
TECHNOLOGY
“Technology is the knowledge applied to the creation of goods, provision of services, and improvement of our stewardship of precious and finite resources.” Technology can also be described as the means by which organizations apply understanding of the natural world to the solution of practical problems. Technology is the combination of “hardware” such as buildings and equipment and “software” consisting of skills, knowledge and experience. For technology to be successful it must be applied and maintained.
CLASSIFICATION OF TECHNOLOGY
Technology can be classified in several ways. The following classifications are important in establishing a common vocabulary.
New technology
New technology is any newly introduced or implemented technology that has an explicit impact on the way an organization produces products or provides services. The technology does not have to be new to the world, only to the organization. The technology could have been developed years before and used by others, but it is classified as new whenever introduced for the first time in a new situation. New technology has a profound effect on improving productivity and maintaining a competitive business enterprise
Emerging technology
Emerging technology is any technology that is not yet fully commercialized but will become so within about five years. This technology may be currently in limited use but is expected to evolve significantly, for example genetic engineering, nano-technology, superconductivity, and the Internet. Emerging technologies create new industries and may make existing industries obsolete. Emerging technologies have the potential of triggering large changes in institutions and in society itself.
High technology
High technology refers to advanced or sophisticated technologies. High technologies are utilized by a wide variety of industries having certain characteristics. A company is classified as high-tech when it has the following characteristics:
Technology Audit
92 Dr. Magdy El Messiry
· It employs highly educated people; · Its technology is changing at a faster rate than that of other industries; · It competes with technological innovation; · It has high levels of research-and-development expenditure; · It has the potential to use technology for rapid growth; and · Its survival is threatened by the emergence of competing technology.
Low technology
Low technology refers to technologies that are used extensively by society. Low technologies are utilized by a wide variety of industries and have the following characteristics: · They employ people with relatively low levels of education or skill; · They use manual or semiautomatic operations; · They have low levels of research expenditure; · The technology base used is stable with little change; and · Products produced are mostly of the type that satisfies basic human needs, such as food, shelter, clothing, and basic human services.
Medium technology
Medium technology consists of a wide set of technologies that fall between high and low technologies. It refers to mature technologies that are more amenable than others to technology transfer. Examples of industries in this category are consumer products and the automotive industry.
Appropriate technology
Appropriate technology is used to indicate a good match between the technology utilized and the resources required for its optimal use. The technology could be on low, medium, or high level. The use of use high technology when there is a lack of necessary infrastructure or skilled personnel would not make sense. Utilizing the appropriate level of technology results in better use of labor resources and better production efficiency.
Codified versus tacit technology
Technology in coded form can be preserved and effectively transferred among users. A computer program of an optimization algorithm is a codified form that preserves and transmits knowledge about that algorithm. Tacit technology is a non-articulated knowledge. It is based on experiences and therefore remains within the minds of its developers. The technology developers are the ones who have the knowledge in question. Tacit knowledge is transmitted by demonstration or observation, followed by assimilation by those who seek the knowledge. Transfer of tacit technology occurs by close contact and interaction between the sources and the host. Codified technology allows people to know how technology works but not necessarily why it works in a certain way. The brainwave is part of the tacit knowledge kept in the minds of
Technology Audit
93 Dr. Magdy El Messiry
developers and shaped by experiences during the development process. Transfer of technology is easier when the technology is in a codified form. It is hard, less precise, and more time-consuming to transfer tacit technology. A complete mastery of the technology requires an understanding of both the explicit codified knowledge and the non-explicit tacit knowledge.
Stages Of Technology Development
Organized technological development follows a hierarchical progression: (1) Basic research, (2) Applied research, (3) Development, and (4) Technology enhancement.
COMPETITIVE ADVANTAGES
A business is said to have a competitive advantage when it has core competencies that are difficult to imitate by the competition. Competitive advantages can be time bound as new technology can narrow the gap between the organization and competition.
MANAGEMENT OF TECHNOLOGIES
Management of technologies is an interdisciplinary field that integrates science, engineering and management knowledge and practice. The focus is on technology as primary factor in the creation of wealth. Wealth is not only money but is intellectual capital, effective exploitation of resources and enhancement of knowledge.
TECHNOLOGY PLANNING
Technology planning is a component of corporate business planning. Strategic information technology planning assists with the awareness, evaluation, and deployment of current and evolving information technologies. Technology planning are critical elements for the organization.
DEFINITIONS OF TECHNOLOGY AUDITS
A technology audit is an analysis of a company's operations with the purpose of identifying opportunities to increase profitability. The audit accommodates the needs of individual manufacturers and emphasizes the importance of appropriate technology and systems (www.reuters.com). A technology audit is a thorough investigation into a particular technology. It will be an independent and confidential review of a technology, which will allow the company to realize the organization’s potential, select an appropriate exploitation route for the technology and find appropriate sources of future funding (www.southwest-irc.org.uk).
Technology Audit
94 Dr. Magdy El Messiry
TECHNOLOGICAL STRATEGY
In the process of designing a technological strategy it may come in handy to answer the following questions:
What is the scope and frequency of technical activities? When can they be performed? Will the scheduled changes apply to product innovation, process innovation or both? Will the company adopt a pioneering or imitative strategy? What will be the primary source of innovation (company's own or from the surrounding
entities)? What is the feasible and economically justified level of expenditure for particular innovations
(financial sources – outside, inside)? To what extent should company's own research capabilities be developed? What will be the consequences of innovation and technology transfer for the organization
services, changes to production management and supply system? How will the company protect its intellectual and inventive property?
ADD VALUE
The internal audit activity adds value to the organization (and its stakeholders) when it provides
objective and relevant assurance, and contributes to the effectiveness and efficiency of
governance, risk management, and control processes.
ADEQUATE CONTROL
Adequate control present if management has planned and organized (designed) in a manner
that provides reasonable assurance that the organization's risks have been managed effectively
and that the organization's goals and objectives will be achieved efficiently and economically.
ASSURANCE SERVICES
An objective examination of evidence for the purpose of providing an independent assessment
on governance, risk management, and control processes for the organization. Examples may
include financial, performance, compliance, system security, and due diligence engagements.
BOARD
A board is an organization's governing body, such as a board of directors, supervisory board,
head of an agency or legislative body, board of governors or trustees of a nonprofit
organization, or any other designated body of the organization, including the audit committee
Technology Audit
95 Dr. Magdy El Messiry
to whom the chief audit executive may functionally report.
CHARTER
The internal audit charter is a formal document that defines the internal audit activity's
purpose, authority, and responsibility. The internal audit charter establishes the internal audit
activity's position within the organization; authorizes access to records, personnel, and physical
properties relevant to the performance of engagements; and defines the scope of internal audit
activities.
CHIEF AUDIT EXECUTIVE
Chief audit executive describes a person in a senior position responsible for effectively managing
the internal audit activity in accordance with the internal audit charter and the Definition of
Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others
reporting to the chief audit executive will have appropriate professional certifications and
qualifications. The specific job title of the chief audit executive may vary across organizations.
CODE OF ETHICS
The Code of Ethics of The Institute of Internal Auditors (IIA) is Principles relevant to the
profession and practice of internal auditing, and Rules of Conduct that describe behavior
expected of internal auditors. The Code of Ethics applies to both parties and entities that provide
internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the
global profession of internal auditing.
COMPLIANCE
Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
CONFLICT OF INTEREST
Any relationship that is, or appears to be, not in the best interest of the organization. A conflict
of interest would prejudice an individual's ability to perform his or her duties and responsibilities
objectively.
CONSULTING SERVICES
Advisory and related client service activities, the nature and scope of which are agreed with the
client, are intended to add value and improve an organization's governance, risk management,
and control processes without the internal auditor assuming management responsibility.
Technology Audit
96 Dr. Magdy El Messiry
Examples include counsel, advice, facilitation, and training.
CONTROL
Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved. Management plans, organizes,
and directs the performance of sufficient actions to provide reasonable assurance that
objectives and goals will be achieved.
CONTROL ENVIRONMENT
The attitude and actions of the board and management regarding the importance of control
within the organization. The control environment provides the discipline and structure for the
achievement of the primary objectives of the system of internal control. The control
environment includes the following elements:
Integrity and ethical values.
Management's philosophy and operating style.
Organizational structure.
Assignment of authority and responsibility.
Human resource policies and practices.
Competence of personnel.
CONTROL PROCESSES
The policies, procedures, and activities that are part of a control framework, designed to ensure
that risks are contained within the risk tolerances established by the risk management process.
ENGAGEMENT
A specific internal audit assignment, task, or review activity, such as an internal audit, control
self-assessment review, fraud examination, or consultancy. An engagement may include
multiple tasks or activities designed to accomplish a specific set of related objectives.
ENGAGEMENT OBJECTIVES
Broad statements developed by internal auditors that define intended engagement
accomplishments.
Technology Audit
97 Dr. Magdy El Messiry
ENGAGEMENT WORK PROGRAM
A document that lists the procedures to be followed during an engagement, designed to achieve
the engagement plan.
EXTERNAL SERVICE PROVIDER
A person or organization outside of the organization that has special knowledge, skill, and
experience in a particular discipline.
FRAUD
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not
dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and
organizations to obtain money, property, or services; to avoid payment or loss of services; or to
secure personal or business advantage.
GOVERNANCE
The combination of processes and structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its
objectives.
IMPAIRMENT
Impairment to organizational independence and individual objectivity may include personal
conflict of interest, scope limitations, restrictions on access to records, personnel, and
properties, and resource limitations (funding).
INDEPENDENCE
The freedom from conditions that threaten the ability of the internal audit activity to carry out
internal audit responsibilities in an unbiased manner.
INFORMATION TECHNOLOGY CONTROLS
Controls that support business management and governance as well as provide general and
technical controls over information technology infrastructures such as applications, information,
infrastructure, and people.
Technology Audit
98 Dr. Magdy El Messiry
INFORMATION TECHNOLOGY GOVERNANCE
Consists of the leadership, organizational structures, and processes that ensure that the
enterprise's information technology supports the organization's strategies and objectives.
INTERNAL AUDIT ACTIVITY
A department, division, team of consultants, or other practitioner(s) that provides independent,
objective assurance and consulting services designed to add value and improve an
organization's operations. The internal audit activity helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of governance, risk management and control processes.
INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK
The conceptual framework that organizes the authoritative guidance promulgated by the IIA.
Authoritative Guidance is comprised of two categories –
(1) mandatory and
(2) strongly recommended.
MUST
The Standards use the word "must" to specify an unconditional requirement?
OBJECTIVITY
An unbiased mental attitude that allows internal auditors to perform engagements in such a
manner that they believe in their work product and that no quality compromises are made.
Objectivity requires that internal auditors do not subordinate their judgment on audit matters to
others.
RESIDUAL RISK
The risk remaining after management takes action to reduce the impact and likelihood of an
adverse event, including control activities in responding to a risk.
RISK
The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
RISK APPETITE
The level of risk that an organization is willing to accept.
Technology Audit
99 Dr. Magdy El Messiry
RISK MANAGEMENT
Processes to identify, assess, manage, and control potential events or situations to provide
reasonable assurance regarding the achievement of the organization's objectives.
SHOULD
The Standards use the word "should" where conformance is expected unless, when applying
professional judgment, circumstances justify deviation.
SIGNIFICANCE
The relative importance of a matter within the context in which it is being considered, including
quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact.
Professional judgment assists internal auditors when evaluating the significance of matters
within the context of the relevant objectives.
STANDARD
A professional pronouncement promulgated by the Internal Audit Standards Board that
delineates the requirements for performing a broad range of internal audit activities, and for
evaluating internal audit performance. ASSESSMENT –– the evaluation process used to measure the performance or effectiveness of a system and its elements. As used here, assessment is an all-inclusive term used to denote any of the following: audit, performance evaluation, management review, peer review, inspection, or surveillance. AUDIT – a systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives. AUDITEE – the organization being assessed. AUDITOR – a person qualified to perform audits. AUDIT OF DATA QUALITY (ADQ) – an examination of data after they have been collected to determine how well the measurement system performed with respect to the data quality goals specified in the quality assurance project plan. ADQs entail tracing data through processing steps and duplicating intermediate calculations and focus on identifying a clear, logical connection between the steps. BLIND SAMPLE – a subsample submitted for analysis with a composition and identity known to the submitter but unknown to the analyst. Blind samples are used to test the analyst’s or laboratory’s proficiency in the execution of the measurement process. Samples may be either single blind (the analyst knows the sample is a PE sample but does not know what analyses at what concentrations it contains) or double-blind (the analyst does not know the sample is a PE sample). CLIENT – any individual or organization for whom items or services are furnished or work is performed in response to defined requirements and expectations. Compare with user below. CONTRACTOR – any organization or individual that contracts to furnish services or items or perform work; a supplier in a contractual situation.
Technology Audit
100 Dr. Magdy El Messiry
Final CORRECTIVE ACTION – an action taken to eliminate the causes of an existing nonconformance, deficiency, or other undesirable situation in order to prevent recurrence. DATA QUALITY ASSESSMENT (DQA) – a scientific and statistical evaluation of validated data to determine if the data are of the right type, quality, and quantity to support their intended use. DATA QUALITY INDICATORS (DQIS) – quantitative statistics and qualitative descriptors used to interpret the degree of acceptability or utility of data to the user. The principal DQIs are bias, precision, accuracy, comparability, completeness, and representativeness. DATA QUALITY OBJECTIVES (DQOS) – qualitative and quantitative statements derived from the DQO Process that clarify study technical and quality objectives, define the appropriate type of data, and specify tolerable levels of potential decision errors that will be used as the basis for establishing the quality and quantity of data needed to support. DEFICIENCY – an unauthorized deviation from acceptable procedures or practices, or a defect in an item. ENVIRONMENTAL DATA – any measurement or information that describes environmental processes, location, or conditions; ecological or health effects and consequences; or the performance of environmental technology. For EPA, environmental data include information collected directly from measurements, produced from models, and compiled from other sources such as databases or the available literature. Aspects of the project, Such persons may be referred to as project manager, project officer, work. EXTRAMURAL AGREEMENT – a legal agreement between EPA and an organization outside EPA for items or services to be provided. Such agreements include contracts, work assignments, delivery orders, task orders, cooperative agreements, research grants, State and local grants, and EPA funded interagency agreements. FINDING – an assessment conclusion that identifies a condition having a significant effect on an item or activity. An assessment finding may be positive or negative, and is normally accompanied by specific examples of the observed condition. GOOD LABORATORY PRACTICES (GLPS) – a quality system concerned with the organizational process and the conditions under which nonclinical health and environmental safety studies are planned, performed, monitored, archived, and reported. GRADED APPROACH – the process of basing the level of application of managerial controls applied to an item or work product according to the intended use of the results and the degree of confidence needed in the quality of the results. GUIDELINE – a suggested practice that is non-mandatory in programs intended to comply with a standard. INDEPENDENT ASSESSMENT – an assessment performed by a qualified individual, group, or organization that is not a part of the organization directly performing and accountable for the work being assessed. INSPECTION – an examination such as measuring, examining, testing, or gauging one or more characteristics of an entity and comparing the results with specified requirements in order to establish whether conformance is achieved for each characteristic. LEAD AUDITOR – an individual qualified to organize and direct a technical assessment, to report
Technology Audit
101 Dr. Magdy El Messiry
assessment findings and observations, and to evaluate corrective actions. MANAGEMENT SYSTEM – a structured, nontechnical system describing the policies, objectives, principles, organizational authority, responsibilities, accountability, and implementation plan of an organization for conducting work and producing items and services. NONCONFORMANCE – a deficiency in characteristic, documentation, or procedure that renders the quality of an item or activity unacceptable or indeterminate; no fulfillment of a specified requirement. OBJECTIVE EVIDENCE – any documented statement of fact, other information, or record, either quantitative or qualitative, pertaining to the quality of an item or activity, based on observations, measurements, or tests which can be verified. OBSERVATION – an assessment conclusion that identifies a condition (either positive or negative) which does not represent a significant impact on an item or activity. An observation may identify a condition which does not yet cause a degradation of quality. ORGANIZATION – a company, corporation, firm, enterprise, or institution, or part thereof, whether incorporated or not, public or private, that has its own functions and administration. PEER REVIEW – a documented critical review of work by qualified individuals (or organizations) who are independent of those who performed the work, but are collectively equivalent in technical expertise. A peer review is conducted to ensure that activities are technically adequate, competently performed, properly documented, and satisfy established technical and quality requirements. The peer review is an in-depth assessment of the assumptions, calculations, extrapolations, alternate interpretations, methodology, acceptance criteria, and conclusions pertaining to specific work and of the documentation that supports them. PERFORMANCE EVALUATION (PE) – a type of audit in which the quantitative data generated in a measurement system are obtained independently and compared with routinely obtained data to evaluate the proficiency of an analyst or laboratory. PERFORMANCE EVALUATION (PE) SAMPLE – A sample that mimics actual samples in all possible aspects, except that its composition is known to the auditor and unknown to the auditee. PE samples are provided to test whether a measurement system can produce analytical results within specified performance goals. See also BLIND SAMPLE AND PERFORMANCE EVALUATION PROCESS – a set of interrelated resources and activities that transforms inputs into outputs. Examples of processes include analysis, design, data collection, operation, fabrication, and calculation. PROGRAM – any work involving the environment, including characterization of environmental processes and conditions; environmental monitoring; environmental research and development; design, construction, and operation of environmental technologies; and laboratory operations on environmental samples. PROJECT – an organized set of activities within a program. PROJECT MANAGER – the individual in the auditee who has responsibility and accountability for planning and implementing the project and who has authority to implement corrective action.
Technology Audit
102 Dr. Magdy El Messiry
FINAL PROJECT QUALITY ASSURANCE MANAGER – the individual in the auditee who has responsibility for planning, documenting, coordinating, and assessing the effectiveness of the quality system for the auditee. QUALITY – the totality of features and characteristics of a product or service that bears on its ability to meet the stated or implied needs and expectations of the user. QUALITY ASSURANCE (QA) – an integrated system of management activities involving planning, implementation, documentation, assessment, reporting, and quality improvement to ensure that a process, item, or service is of the type and quality needed and expected by the client. QUALITY ASSURANCE MANAGER – the individual designated as the principal manager within the organization having management oversight and responsibility for planning, documenting, coordinating, and assessing the effectiveness of the quality system for the organization. QUALITY ASSURANCE PROJECT PLAN – a document describing in comprehensive detail the necessary QA and QC and other technical activities that must be implemented to ensure that the results of the work performed will satisfy the stated performance criteria. QUALITY CONTROL (QC) – the overall system of technical activities that measures the attributes and performance of a process, item, or service against defined standards to verify that they meet the stated requirements established by the customer; operational techniques and activities that are used to fulfill requirements for quality. QUALITY MANAGEMENT – that aspect of the overall management system of an organization that determines and implements the quality policy. Quality management includes strategic planning, allocation of resources, and other systematic activities (e.g., planning, implementation, documentation, and assessment) pertaining to the quality system. QUALITY MANAGEMENT PLAN (QMP) – a document that describes the quality system in terms of the organizational structure, policy and procedures, functional responsibilities of management and staff, lines of authority, and required interfaces for those planning, implementing, documenting, and assessing all activities conducted. QUALITY SYSTEM – a structured and documented management system describing the policies, objectives, principles, organizational authority, responsibilities, accountability, and implementation plan of an organization for ensuring quality in its work processes, products (items), and services .The quality system provides the framework for planning, implementing, documenting, and assessing work performed by the organization and for carrying out required QA and QC activities. FINAL QUALITY SYSTEM AUDIT– a documented activity performed to verify, by examination and evaluation of objective evidence, that applicable elements of the quality system are suitable and have been developed, documented, and effectively implemented in accordance with specified requirements. READINESS REVIEW – a systematic, documented review of the readiness of the start-up or continued use of a facility, process, or activity. Readiness reviews are typically conducted before proceeding beyond project milestones and prior to initiation of a major phase of work. SAMPLING AND ANALYSIS PLAN (SAP) – a detailed document describing the procedures used to collect, preserve, handle, ship, and analyze samples for detection or assessment monitoring
Technology Audit
103 Dr. Magdy El Messiry
parameters. The plan should detail all chain-of-custody and QA and QC measures that will be implemented to ensure that sample collection, analysis, and data presentation activities meet the prescribed requirements. SELF-ASSESSMENT – an assessment of work conducted by individuals, groups, or organizations directly responsible for overseeing and/or performing the work. Standard operating procedure (SOP) – a written document that details the method for an operation, analysis, or action with thoroughly prescribed techniques and steps; a procedure that is officially approved as the method for performing certain routine or repetitive tasks. SURVEILLANCE – continual or frequent monitoring and verification of the status of an entity and the analysis of records to ensure that specified requirements are being fulfilled. TECHNICAL ASSESSMENT – a systematic and objective examination of a project to determine whether environmental data collection activities and related results comply with the project’s QA Project Plan, whether the activities are implemented effectively, and whether they are sufficient and adequate to achieve the QA Project Plan’s data quality goals. Technical assessments document the implementation of the QA Project Plan. TECHNICAL SPECIALIST – an active participant in a technical assessment who has specialized technical knowledge of the project being assessed and basic knowledge of assessment techniques and procedures. TECHNICAL SYSTEMS AUDIT (TSA) – a thorough, systematic, on-site, qualitative audit of facilities, equipment, personnel, training, procedures, recordkeeping, data validation, data management, and reporting aspects of a system. WEAKNESS – a negative assessment finding (i.e., a nonconformance) that does not necessarily result in unacceptable data. AUDIT CRITERIA – The auditor should clarify the specific explicit or implicit criteria against which evidence collected will be evaluated. Criteria are explicit when they are clearly set out in policies, manuals, standard operating procedures, standards, laws and/or regulations. Where management has not yet established goals and objectives or determined the controls needed in a particular area, it may be necessary to develop implicit criteria based on what management considers to be satisfactory performance standards or industry best practices. The acceptability of implicit criteria should always be confirmed with the audited entity. Conducting an audit without agreeing the criteria may result in conclusions and recommendations that may not be accepted by the audited entity and lead to wasted audit effort and fruitless arguments. ANALYSIS AND EVALUATION OF DATA – After data is collected, it should be analyzed and evaluated. Analysis means breaking down data/activities/processes into smaller, more manageable parts to determine attributes, relationships, cause, effect, etc. and make inferences or determine whether further examination is required. Evaluation is the systematic determination of the merit, worth, or significance of the subject matter to arrive at a judgment in terms of adequacy, efficiency or effectiveness.
Technology Audit
104 Dr. Magdy El Messiry
– ANALYSIS OF OTHER DATA AND PROCESSES
The principles applied in analyzing financial data can also be utilized in examining other data, activities and processes. Directives, policies, contracts etc. may be analyzed to determine their significant elements, and these assessed against best practices, standards or benchmarks. The work of committees/teams/working groups may be analyzed to determine their mandate, functions, areas of responsibility, reporting lines, frequency of meetings and how decisions are implemented. By breaking activities into their composite elements, auditors may conduct analyses by observing trends, making comparisons and isolating unusual transactions and conditions for follow-up.
EVALUATION
Evaluation is a means of arriving at a professional judgment. As auditors compare circumstances observed against relevant criteria, they evaluate the significance of any variance and determine whether corrective action is necessary. The analysis and evaluation of evidence obtained should give rise to issues (positive and negative), which OIOS wishes to report to management. Auditors should draw conclusions for each audit objective.
RECORDING INFORMATION DURING THE AUDIT
Auditors should record all elements of the assignment in Auto Audit, in accordance with the format THE AUTOAUDIT FILE should be restricted to matters that are relevant to the audit. The file should be detailed enough to enable an experienced auditor, having no previous connection with the audit, to understand the (i) nature, timing, and extent of the audit procedures performed; (ii) results of the procedures and the audit evidence obtained; and (iii) significant matters arising during the audit and the conclusions
AUDIT FINDINGS
OIOS auditors should report audit findings i.e. significant deviations from relevant criteria, to management so that corrective action can be taken. A reportable finding is a significant condition which: a. Warrants the attention of management; b. Is documented by facts, not opinions, and by evidence that is sufficient, competent and relevant; c. Is objectively developed without bias or preconceived ideas; d. Is relevant to the issue involved; and e. Is convincing enough to compel action to correct the defective condition14. Audit findings should contain the elements of criteria, condition, cause effect and recommendation.
Technology Audit
105 Dr. Magdy El Messiry
a. Criteria The standards, measures, or expectations used in making an evaluation and/or verification (what should exist). The criteria should be credible, convincing and objective. They should be designed to meet a management goal b. Condition The factual evidence that the internal auditor found in the course of the examination (what does exist). The condition should include sufficient information to promote an adequate understanding of the matter(s) being reported. c. Cause The reason for the difference between the expected and actual conditions. i.e. why the difference exists. The cause should be complete and go to the heart of the problem; not just the symptom. d. Effect The risk or exposure the organization and/or others encounter because the condition is not consistent with the criteria (the impact of the difference). The effect should be logical and likely to occur. e. Recommendations Recommendations are based on the internal auditor’s observations and conclusions. They call for action to correct existing conditions or improve operations. Recommendations may suggest general or specific approaches to correcting or enhancing performance as a guide for management in achieving desired results. They should address the cause of the finding, be implementable and capable of being monitored.
FORMULATING RECOMMENDATIONS
The main objective of an audit is to provide assurance as to the efficiency and effectiveness of established internal controls, to develop recommendations for improving them, and to ensure compliance with the Organization’s regulations, rules and policies. Generally, audit recommendations are most effective and acceptable to the audited entity when they are: a. Constructive and directed at improved or enhanced performance; b. Directed at correcting the cause of the problem identified; c. Action oriented in that they suggest specific steps that should be taken to change, modify, or otherwise perform some action; d. Addressed to officials those are empowered to act; e. Feasible, achievable, practical, cost effective; f. Aiming to recover or save resources.
Technology Audit
106 Dr. Magdy El Messiry
TECHNOLOGY-BASED AUDIT TECHNIQUES
Any automated audit tool, such as generalized audit software, test data generators,
computerized audit programs, specialized audit utilities, and computer-assisted audit
techniques.
Technology Audit
107 Dr. Magdy El Messiry
APPENDIX I
SWOT Analysis Template16
Situation being analysed: ______________________
This SWOT example is for a new business opportunity. Many criteria can apply to more than one quadrant. Identify criteria appropriate to your own SWOT situation *.
criteria examples
Advantages of proposition? Capabilities? Competitive advantages? USP's (unique selling points)? Resources, Assets, People? Experience, knowledge, data? Financial reserves, likely returns? Marketing - reach, distribution, awareness? Innovative aspects? Location and geographical? Price, value, quality? Accreditations, qualifications, certifications? Processes, systems, IT, communications? Cultural, attitudinal, behavioural? Management cover, succession? Philosophy and values?
strengths weaknesses criteria examples
Disadvantages of proposition? Gaps in capabilities? Lack of competitive strength? Reputation, presence and reach? Financials? Own known vulnerabilities? Timescales, deadlines and pressures? Cashflow, start-up cash-drain? Continuity, supply chain robustness? Effects on core activities, distraction? Reliability of data, plan predictability? Morale, commitment, leadership? Accreditations, etc? Processes and systems, etc? Management cover, succession?
criteria examples
Market developments? Competitors' vulnerabilities? Industry or lifestyle trends? Technology development and innovation? Global influences? New markets, vertical, horizontal? Niche target markets? Geographical, export, import? New USP's? Tactics: eg, surprise, major
contracts? Business and product development? Information and research? Partnerships, agencies, distribution? Volumes, production, economies? Seasonal, weather, fashion influences?
opportunities threats criteria examples
Political effects? Legislative effects? Environmental effects? IT developments? Competitor intentions - various? Market demand? New technologies, services, ideas? Vital contracts and partners? Sustaining internal capabilities? Obstacles faced? Insurmountable weaknesses? Loss of key staff? Sustainable financial backing? Economy - home, abroad? Seasonality, weather effects?
16http://www.businessballs.com/swotanalysisfreetemplate.htm
Technology Audit
108 Dr. Magdy El Messiry
I AEDNI AA Audit Checklist
ISO/IEC 19770-1 Audit Checklist17
This checklist has been developed to be used in conjunction with ISO/IEC19770-1
Information technology – Software asset management – Part1: Processes (the ISO
Standard), and should not be used in isolation from this Standard. The checklist
has been developed to assist agencies to perform self-audits to monitor their
progress towards best practice in software license management*. The checklist
outlines elements that should be met in order to be fully compliant with the ISO
Standard. It may be used by Agencies to guide where improvements can be made
in managing software licensing. Each element may be audited separately to check
on progress towards maturity in specifically targeted areas, however, compliance
with all element will ensure that the agency is aligned with industry best practice in
software license management.
The ‗Evidence‘ section of the checklist outlines possible evidence that auditors
may consider when evaluating level of compliance. This list can be modified to
reflect individual agency requirements and is not intended as an exhaustive list.
This checklist includes elements that may not be relevant to every agency, and fall
outside the requirements of IS45 – for example, Software Development Process.
However, as they form part of ISO/IEC19770-1 they have been included in the
checklist.
The timeframes and documentation requirements detailed in the checklist are those
specified by ISO/IEC 19770-1. Agencies may choose to modify the audit
schedule, and/or to limit their documentation, but should be aware that in doing so
will not be considered to be operating at industry best practice levels.
The checklist mirrors the layout of the ISO Standard, and includes the section
numbering of the ISO Standard in brackets.
________________________________________________
71 www.qgcio.qld.gov.au/.../Information%20Standards/.../Templates/ISO1977
Technology Audit
109 Dr. Magdy El Messiry
APPENDIX III
ISO/IEC 19770-1 Audit Checklist 17
Date of Audit: Auditor/s:
Description Evidence Comment CONTROL ENVIRONMENT FOR SAM (4.2)
Corporate Governance for SAM (4.2.2) Clear corporate statement including:
1. legal entity or parts of legal entity
included in scope
2. specific single body or individual that
has overall corporate management
responsibility for that entity or parts of
that entity
existing software
contracts based on
specific organizational
scope; existence of ICT
boards
Responsibility for corporate governance of
software and related assets formally recognized
by corporate board or equivalent body
Hard copies of ICT
Board statements,
meeting minutes
Regulations and guidelines for software use
identified and documented and reviewed at
least annually
procedures; audit reports
Assessment of risks and management specified mitigation approaches, documented, updated
annually and approved by the Board or
equivalent, covering at least:
1. risk of regulatory non-compliance
2. risk of licensing non-compliance
3. risk of interruption of operations that
may result from inadequate SAM
4. risk of excessive spending on licensing
and other IT support
5. risk of centralized v non-centralized
management approaches for software
and related assets
6. risk associated with different countries
of operation
Management objectives of SAM are approved by
corporate board or equivalent body, and reviewed
at least annually.
SAM manual, position
paper or similar
Roles and Responsibilities for SAM (4.2.3)
Technology Audit
110 Dr. Magdy El Messiry
The role of the SAM owner is clearly defined,
and include responsibilities for:
1. proposing management objectives for SAM
2. Overseeing the development of the SAM
plan
3. Obtaining resources for implementing
the approved SAM plan
4. Delivering results against the SAM plan
SAM manual, PD’s,
Roles and
Responsibilities statement, SAM project
plan
Local roles and responsibilities for corporate
governance of software and related assets are
documented and assigned to specified individuals. Responsibilities assigned include:
1. obtaining resources for implementing the
SAM plan
2. delivering results against the SAM plan
3. adopting and implementing necessary
policies, procedures and processes
4. maintaining accurate records of software
and related assets
5. ensuring management and technical
approvals are required for procurement,
deployment and control of software
assets
6. managing contracts, supplier
relationships and internal customer
relationships
7. identifying and implementing
improvements
Responsibilities are communicated to all parts of
the organization
Policies, processes and procedures for SAM (4.2.4) Demonstrated structured approach to creating,
reviewing, approving, issuing and controlling
policies, processes and procedures
Usually part of agency
wide document control
system, not unique to SAM
Policies and procedures organized by, or cross
reference, process classification in 19770
Documented policies covering at minimum:
1. Individual and corporate responsibilities
for corporate governance of software and
related assets
2. restrictions on personal use of corporate
assets and related software
3. requirement for compliance with legal
and regulatory requirements, including
copyright and data protection
4. procurement requirements
Review documents to
ensure all aspects are
included. May be
embedded in other
documents and policies
Technology Audit
111 Dr. Magdy El Messiry
5. approvals for software installation or use
of software whether purchased or not
6. disciplinary implications of violation of
these policies
Policies communicated to all personnel in a way
which:
1. Reaches all new personnel when they start
2. Continuing personnel at least annually
3. Requires positive acknowledgement
4. Readily accessible at all times
Documentation can be in
any form of medium, and
may be in consolidated
documents, such as Code
of Conduct
Competence in SAM (4.2.5) A review is documented and updated at least
annually which covers the availability and uptake
of training and certification by personnel with
SAM responsibilities for:
1. SAM in general
2. Licensing for software manufacturers
whose software is being used
Review and audit
records, training
schedules and registers,
audit records, software
licence registers
Annual review of ―proof of licence‖ Review records Personnel with SAM responsibilities receive
training in SAM and in relevant licensing including both initial training and formal
continuing education annually
Training records and
registers, roles and responsibilities registers
Annual review to ascertain what guidance is
available from software manufacturers to enable
compliance with their licences.
Review records
PLANNING AND IMPLEMENTATIOIN OF SAM PROCESSES (4.3) Planning for SAM (4.3.2)
Management objectives for SAM are developed
and documented and updated at least annually,
and include:
1. clear scope statement
2. clear specification of policies, processes
and procedures are required for assets in
scope
3. clear explanation of the approach to
managing, auditing and improving SAM
4. explanation of the approach to be used in
identifying, assessing and managing
issues and risks related to defined
objectives
5. schedules and responsibilities for periodic activities, including
management reports and performance of
verification and compliance activities
An appropriate level of
automation should be
implemented to ensure
that processes do not
become inefficient, error
prone, or not followed. Audit schedules, monthly
reports, scope and specification documents,
implementation plans
Technology Audit
112 Dr. Magdy El Messiry
6. identification of resources including
budget
7. performance measures for tracking
accomplishment against SAM plan,
including target measures
Plan approved by corporate body Implementation plan Implementation of SAM (4.3.3)
Mechanisms in place to collect information about
changes, issues and risks Issues and risk registers
Regular status reports (at least quarterly) detailing
overall progress against SAM plan Check reports go to
Board or equivalent
Follow-up on variances is prompt and
documented Issues and risks reports,
corrective action
registers, or similar
Monitoring and review of SAM (4.3.4) Formal review conducted at least annually:
1. Are management objectives for SAM
and the SAM plan being achieved?
2. Summarize performance against all
performance measures specified in SAM
plan and SLA‘s related to SAM
3. summary of findings of Conformance verification
4. check policies effectively disseminated
and implemented throughout agency
5. summarize exceptions and actions
6. identify opportunities for improvement
Annual audit reports, verification conformance
reports, SLA’s
Continual Improvement of SAM (4.3.5) Mechanism in place to collect and record
suggested improvements in SAM arising from all sources throughout the year.
Suggestions for improvement are periodically
assessed, prioritized and approved for
incorporation in SAM implementation and
improvement plans
INVENTORY PROCESSES FOR SAM (4.4) Software Asset Identification (4.4.2)
Types of assets to be controlled and the
information associated with them are formally
defined.
A register of stores and inventories exists,
clarifying which stores and types of information
are held
Software Asset Inventory Management (4.2.3) Policies and procedures for management and
maintenance of inventories and
physical/electronic stores:
1. protection from unauthorized access, change or corruption
Policy & procedure
documents; access logs,
secure sites
Technology Audit
113 Dr. Magdy El Messiry
2. disaster recovery
Inventories exist of:
1. All platforms on which software assets
can be installed and run
2. All authorized software
3. Underlying licenses and effective full
licenses held
Inventories, including
package versions,
update/patch status of
software, platforms
Inventories and physical stores for:
1. Software (DSL)
2. Software builds and releases
3. Contracts relating to software assets
DSL should include
master versions and
distribution copies, hard-copy and electronic
contracts
Methods exist to determine license usage based
on criteria other than software installation Inventories, metering
results and reports, pc
counts, number of users
etc
Documented arrangements to ensure continued
availability of sources listed above
Inventory reports produced has clear description
including identity, purpose, details of data source Hard copies of reports
Software Asset Control (4.2.4) Audit trail is maintained of changes made to
software and related assets Audit trail should include
change in status,
location, custodianship
and version
Policies and procedures for development,
maintenance and management of software
versions, images/builds and releases
Check Policy and
procedures exist and are
current
Policies and procedures for baseline of appropriate assets is taken before release of
software to live environment
These policies and procedures must ensure
that baseline is taken in a
manner that can be used
for subsequent checking
against actual
deployment
VERIFICATION AND COMPLIANCE PROCESSES FOR SAM (4.5) Software Asset Record Verification (4.5.2)
Procedures for software asset verification process
include:
1. At least quarterly reconciliation
2. Hardware inventory including locations
at least 6 monthly
3. Inventory of software programs verified
at least 6 monthly
4. Inventory of software builds verified at
least 6 monthly
5. Physical store of pool of proof of licence
documentation verified at least annually
6. Effective licenses verified at least
Check procedures are
current; check inventory
logs; corrective action
registers; check licence
pools, physical
contractual
documentation for accuracy
Technology Audit
114 Dr. Magdy El Messiry
annually
7. Physical store of contractual
documentation verified at least annually
8. Contracts inventory verified at least
annually
9. Follow up corrective actions on
discrepancies or issues documented
Software Licensing Compliance (4.5.3) Procedures for software licensing compliance that
include:
1. reconciliation at least quarterly between effective licenses and licenses owned
2. discrepancies identified promptly
recorded, analyzed and root caused
determined
Ensure this included
particular license
requirements based on
other than installed
copies, such as server
access rights inventory
logs
Follow up actions prioritized and executed check corrective action
registers or similar
Software Asset Security Compliance (4.5.4) Actual practice against policy is reviewed at least
annually Should include access
controls on software
definitive master versions
and distribution copies of
software;
installation/user rights
specified by user or user group
Follow up actions prioritized and executed check corrective action
registers or similar
Conformance Verification for SAM (4.5.5) Policies and procedures which ensure verification
at least on sample basis annually against ALL
requirements specified.
Internal Audit procedures
should include SAM;
audit schedules; audit
reports
Documentary evidence exists that demonstrates
verification procedures are being performed and
corrective follow up action being taken
Corrective action
registers and reports;
internal audit reports
OPERATIONS MANAGEMENT PROCESSES AND INTERFACES FOR SAM (4.6) Relationship and Contract Management for SAM (4.6.2)
Policies and procedures include:
1. Definitions of responsibilities for supplier management
2. Ensure invitations to tender include
considerations for SAM
3. Formal documented review at least 6
monthly of supplier performance,
achievements and issues
Check policies and
procedures – may be
embedded in other
processes. Check invitation to tender
documents Check for documented
conclusions and follow
up of reviews to include
actions taken
Policies and procedures include:
1. Responsibilities for managing customer-
Check policies and
procedures – may be
Technology Audit
115 Dr. Magdy El Messiry
side business relationships with respect
to software and related assets and
services
2. Formal review at least annually of
current and future software requirements
of customers and business
3. Formal documented reviews at least
annually of service provider
performance, customer satisfaction,
achievements and issues
embedded in other
processes. Check for documented conclusions and follow
up of reviews to include
actions taken
Policies and procedures include:
1. Ensuring contractual details are recorded
in an on-going contract management
system
2. Hard copies of signed contractual
documentation to be held securely in
document management system
3. Documented reviews at least 6 monthly
and also prior to contract expiry.
Check policies and
procedures – may be
embedded in other
processes. Check for documented
conclusions and follow
up of reviews to include
actions taken. May be either a manual
or electronic system
Financial Management for SAM (4.6.3) Definitions of financial information relevant to
the management of software and related assets are
agreed and documented
Asset types used in
financial management
should be aligned with or mapped to the asset types
used in SAM if they are
different
Formal budgets are developed for acquisition of
software ICT planning and budget
documents
Actual expenditure on software assets is
accounted against budget This should include
related infrastructure and
support costs
Software asset values financial information
documented and readily available
Formal documented reviews at least quarterly of
actual expenditure against budget
Service Level Management for SAM (4.6.4) SLAs and supporting agreements to include:
1. Services relating to software acquisition, installation, moves, and changes – with
SL targets and workload characteristics
2. Customer and user obligations and
responsibilities defined or referenced
from SLA
Check SLA’s, either in
hardcopy or electronic These SLA’s may cover
more than just the SAM elements
Actual workloads and service levels against
targets for SAM are reported at least quarterly
and reasons for non-conformance documented
Check reports, registers
Reviews at least quarterly of performance against service levels
Check reports, registers
Security Management for SAM (4.6.5)
Technology Audit
116 Dr. Magdy El Messiry
Formal policy developed regarding
security/access restrictions to all SAM resources,
including physical/electronic stores of software
Access controls are specified, both physical and logical, to enforce the approval requirements of
SAM policies
Documentary evidence that controls are
implemented in practice Access logs, registers
LIFECYCLE PROCESS INTERFACES FOR SAM (4.7) Change Management Process (4.7.2)
Formal process for change management that
includes:
1. Change requests identified and recorded
2. Change requests are assessed for
possible impacts, prioritized and
approved by the responsible
management
3. The change is made only in accordance
with the approval
4. All changes affecting software or related
assets or services or SAM processes are
recorded
5. The success or failure of changes is
documented and reviewed
Acquisition Process (4.7.3) Standard architectures are defined for the
provision of software services
Standard software configurations are defined, as
are the criteria for deviating from those standards
Policies and procedures for requisitioning and
ordering software and related assets, include:
1. How requirements are specified
2. Management and technical approvals
required
3. Use/redeployment of existing licenses if
available
4. Recording future purchase requirements
in those cases where software can be
deployed before reporting and payment
Policies and procedures for receipt processing
functions related to software and related assets, include:
1. Processing invoices, reconciliations and
retention of copies for license
management purposes
2. Ensuring receipt and safe keeping of
valid proof of license
3. Processing incoming media –
verification, record-keeping and safe
This may include
checking authenticity of proof of license
Include safe keeping of
both physical and
electronic copies
Technology Audit
117 Dr. Magdy El Messiry
keeping
Software Development Process (4.7.4) Formal process for software development that
includes consideration of:
1. Standard architectures and standard configurations
2. License constraints and dependencies
Formal process for software development
ensuring software products are placed under
software asset control
Software Release Management Process (4.7.5) Formal process for release management enduring:
1. Controlled acceptance environment is used to build and test all proposed
releases, including patches, prior to
release
2. Frequency and type of releases are
planned and agreed with business and
customers, including frequency of security patch release
3. Planned release dates and deliverables
are recorded with references to related
change requests
4. Release of software and related assets is
approved by the responsible
management
5. Success or failure of releases is recorded
and periodically reviewed
Software Deployment Process (4.7.6) Policies and procedures for installing and
distributing software include:
1. Distribution of software and related assets is approved by responsible
management
2. Back out procedures or method of
remediation in place for each
deployment
3. Security requirements are complied with
4. Changes to status of the relevant
software and related assets are recorded
accurately and on a timely basis
5. Documented control to verify that what
was deployed is the same as what was
authorized.
6. Success or failure of deployments is
recorded and periodically reviewed.
Check procedure
documents Check deployment plans
and back out plans Check security logs and
registers DSL’s and registers
Deployment sign offs Deployment logs (either
manual or electronic) Audit logs
Incident Management Process (4.7.7) Formal process of incident management which This may be included as
Technology Audit
118 Dr. Magdy El Messiry
includes:
1. All incidents that affect software or related assets or SAM processes are
recorded and classified as to their
priority resolution
2. All such incidents are resolved in
accordance with their priority for
resolution, and resolution documented
part of a larger incident
management process
Problem Management Process (4.7.8) Formal process of problem management which
includes:
1. All incidents that affect software or
related assets or services or SAM
processed are recorded and classified as
to their impact
2. High priority and repeat incidents are
analyzed for the underlying causes and
prioritized for resolution
3. Underlying causes are documented and
communicated to incident management
4. Problems are resolved in accordance
with their priority, and resolution recorded and communicated to incident
management
Problem Management Process (4.7.9) Policies and procedures for securely retiring
software or hardware on which software is
installed include:
1. Deployed copies of software are removed from retired hardware
2. Licenses and other assets which can be
redeployed are identified for
redeployment
3. Any assets transferred to other parties
take into account confidentiality, licensing or other contractual
requirements
4. Licensed and other assets which cannot
be redeployed are properly disposed of
5. Records are updated to reflect the
changes and audit trails maintained
Corrective Action/Improvement Suggestions Raised:
Technology Audit
119 Dr. Magdy El Messiry
No. Details
Auditor: Signature:
Responsible Manager: Signature:
Document Details Document Name ISO/IEC 19770-1 Audit Checklist
Version Number V0.1
Author SLM Program, QGCIO
Contact Details Iris Taylor (07) 3238 3597
Document Status Draft x DPW Release Final Version
Version Control
Version Number Date Reason/Comments
V0.1 14th March 2007 First Draft
Technology Audit
120 Dr. Magdy El Messiry
APPENDIX IV
Template to use when writing an audit report
Table of Contents
letiT
IettiA
Dtti
Technology Audit
121 Dr. Magdy El Messiry
1. Executive Summary
A short abstract or executive summary here will help draw the reader‘s attention
to important issues.
2. Background/Introduction
Give the Background – Explain why you are doing an audit – was it a
response to concern or complaint, personal interest, national guidance,
repeat of previous audit etc. Give the criteria and standards that you are
using – Explain if you are auditing to national standards, such as NICE, NSF
etc or to established good practice or to a locally agreed standard. eg ―100%
of A&E patients must be assessed within 4 hours (national standard)‖
3. Aims & Objectives
This should state the aims and objectives of the audit and the question being
asked of the audit. Objectives should be measurable, achievable, realistic
and time limited.
4. Method
Give the methodology of your audit –you will want to describe both the size
of your audit and how you selected those who were involved. e.g. ―the first
10 patients attending the 13th
May 2007 afternoon dental clinic were
selected‖ or ―20 notes of patients admitted to the ward in August 2007 were
selected at random”. Ideally, there should be sufficient information for a person reading your report to understand what you have done, and if need be, to repeat the audit themselves.
5. Results
Displaying the results
As a general rule the simplest ways of describing results are the best. Pie-
charts to show the various proportions of responses or bar charts to compare
one thing to another will work well. However, always give the raw numbers
as well as the percentages otherwise it might be over-simplified to the point
of being mis-leading.
e.g. Remember the advertising slogan, ―8 out of 10 cats prefer it‖.
This was a powerful statement indicating an 80% favourable rating,
Missing data
If you have missing data comment on why this happened. e.g.
―questionnaires were given to 10 patients in the waiting room. However one
Technology Audit
122 Dr. Magdy El Messiry
patient said he had felt unwell and didn‘t feel he could finish the
questionnaire. Sections 9 and 10 are therefore blank for this patient‖
6. Conclusions Keep you conclusions short and too the point e.g. 95% of patients were
assessed within 48 hours
If you have had any problems with the audit, note them here.
7. Recommendations and Action plans
Make your suggestions as to how the service could be improved – either by
yourself or others
8. Disseminating information and presenting results
Give feedback to all concerned stakeholders. Ensure that all those that need
to know, know. Give positive feedback to all those involved. How are you
going to communicate your findings to others i.e. Circulate the report,
Newsletter, Intranet, Presentations, Open forums etc…
References
Acknowledgements
Give the name and profession of those involved in the Audit project
Appendix
Always attach your audit tool or questionnaire to your report as an appendix – this
will save a lot of explanation.
Technology Audit
123 Dr. Magdy El Messiry
Appendix V
Information Technology Audit Report
Alpha Beta Gama (ABC) Co Ltd
Internal Audit Group Division 2009
Audit Objectives:
To assess [Name of Company] compliance with the [Name of Standard] Standard
Overall conclusion:
Based on our observation we noted that the degree of compliance with [Name of
Standard] varied among [Name of Company] and the three Institutes that we
looked at. With the exception of business continuity planning, [Name of Company]
is compliant with [Name of Standard]. However, the three Institutes were less
compliant in key areas such as risk management and the certification and
accreditation of their systems.
Summary of Findings:
The audit team noted a number of strengths with respect to compliance with [Name
of Standard]. For example, [Name of Company] has specified the roles and
responsibilities for managing IT security. It has also issued a comprehensive set of
policies, procedures and standards for managing this function and instituted a
security-awareness program for its employees. [Name of Company] screens staff to
determine who will have access to which sensitive information, and has employed
security zones. These zones partition the network and provide higher levels of
security, depending on the sensitivity of information.
Detailed Findings and Remediation:
Recommendation:
To institute better monitoring and oversight of IT security, [Name of Company]'s
senior management should designate an IT Security Coordinator for [Name of
Company] who has responsibility and authority for IT security throughout the
organization.
Management Response:
Agreed; an IT Security Coordinator for [Name of Company] with organization-
wide responsibility and authority for IT security will be appointed following
consultation with the Senior Executive Committee (SEC). However, such a role
will need to be supported by a strong IM/IT governance structure in general and a
robust information security governance framework in articular. IM/IT governance
Technology Audit
124 Dr. Magdy El Messiry
will be addressed as part of a study that [Name of Company] has already initiated –
a comprehensive IM/IT review to examine the current IT service delivery model
and determine how [Name of Company] can enhance effectiveness and cost-
efficiencies in this area. More specifically, the study will be broad in scope,
encompassing all IM/IT services provided to [Name of Company] staff either
centrally by IMSB or locally by individual institutes, branches and programs.
Terms of Reference have been developed and approved by SEC; the Director
General for IMSB will co-lead this effort along with a Director General from a
research institute still to be determined. The issues around IT service delivery will
be examined and reported back to SEC by January 2008. Specific areas of
opportunity or concern will also be identified for further study in a subsequent
phase. It is anticipated that most of the audit recommendations will be addressed
within the context of this review.
Timelines and Deliverables:
Technology Audit
125 Dr. Magdy El Messiry
Reference
1. http://www.technology4sme.com
2. http://www.access-ecom.info/article.cfm?id=63&xid=MN
3. http://www.oxin.co.uk/downloads/taudit.pdf
4. http://www.strategicinformation.com/audit.htm
5. http://www.newventuretools.net/technology_audit.html
6. http://www.asosai.org/R_P_auditquality/chapter2.htm
7. http://www.managementstudyguide.com/swot-analysis.htm
8. http://greenhousegas.nsw.gov.au/documents/syn39.asp
9. http://tep- m.org/joomla_1.5.20/index.php?option=com_content&view=article&id=182:technology-
audit-resources&catid=41:other-projects&Itemid=63
10. http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/glossary/
11. http:// www.southwest-irc.org.uk
12. http://www.managementstudyguide.com/swot-analysis.htm
13. http://www.oxin.co.uk/downloads/taudit.pdf
14. http://www.adi.pt/docs/innoregio_techn_audits.pdf
15. http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/full-standards/
16. http://www.businessballs.com/swotanalysisfreetemplate.htm
17. www.qgcio.qld.gov.au/.../Information%20Standards/.../Templates/ISO1977
18. http://www.nmmu.ac.za/documents/theses/VlokN.pdf 19. http://www.theiia.org/guidance/standards-and-guidance/ippf/code-of-ethics/
20. http://www.theiia.org
21. http://www.urenio.org
22. http://www.clarity-dev.com
23. http://www.clarity-dev.com
24. http://www.newventuretools.net/technology_audit.html
25. http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/glossary/
26. http://pw1.netcom.com/~jstorres/internalaudit/ic_def.html
27. http://www.managementstudyguide.com/swot-analysis.htm
28. http://www.hc-sc.gc.ca/ahc-asc/alt_formats/pdf/pubs/audit-verif/2011-02/mrap_2011-02_rpad-eng.pdf
29. http://pw1.netcom.com/~jstorres/internalaudit/ic_def.html
30. http://www.gliffy.com/examples/SWOT/
31. http://www.managementstudyguide.com/swot-analysis.htm 32. http://www.whatmakesagoodleader.com/swot_analysis_examples.html
33. http://www.whnt.nhs.uk/document_uploads/CPRU/Auditreporttemp.pdf
34. http://www.whnt.nhs.uk/document_uploads/CPRU/Auditreporttemp.pdf
35. http://www.icsti.su/rus_ten3/1000ventures_e/business_guide
36. http://www.nctp.com/survivor_sample.pdf
37. http://biotsavart.tripod.com/swot.htm
38. http://www.aajassociates.com/servicesContent.asp?p=29&id=42
Technology Audit
126 Dr. Magdy El Messiry