Technology Audit Training Course, PART I. By Dr. Magdy El Messiry, Knowledge Transfer Center, Alexandria University, 2011


Technology Audits Will Help Identify Potential Issues That May Become Serious Problems for Your Business If Left Unattended

While each organization should ensure an effective continuous auditing to increase the generated income.

Dr. M. El Messiry


"A trip of a thousand miles begins with a single step"

PREFACE

The main objectives of this booklet are to give the reader a survey of the different elements of Technology Auditing (TA), since TA is the only way for an organization to improve its situation on the market. Technology audits will help identify potential issues that may become serious problems for your business if left unattended. Technology auditing will be recognized as the reliable and trusted source for the best application of relevant technology in the industry. Continuous technology auditing will lead to the following:

Establishing proven methodologies for technology assessments

Establishing proven methodologies for quality control

Establishing a network of reliable and brief information sources

Establishing a periodic review and assessment of technology news and information

Establishing a standard technology assessment model

Establishing a secured database of reports and assessments

Establishing and maintaining business models for measuring return on investment and total cost of ownership

Enhancing the effectiveness of the organization by providing the tools will be achieved through information concerning the latest technology and innovation relevant to the particular industrial fields that are the specific mission and goals of the organization.

The role of the universities in implementing Technology Auditing in different organizations can be accomplished through specialists in technology and other areas of a globally competitive economy. Their function will be to assist in:

Promoting competitiveness and job creation.

Enhancing the quality of life.

Developing human resources.

Working towards environmental sustainability.

Promoting an information society.

Producing more knowledge-embedded products and services.

Developing innovation technologies that lead to increasing the number of patents.

The objective of this course is to give the specialists in the technology transfer centers at the universities and the industrial organizations the basic concepts of TECHNOLOGY AUDITING and to help them in building TA departments.

TABLE OF CONTENTS

PREFACE

CHAPTER ONE

TECHNOLOGY AUDITING

1.1 Introduction

1.2 Technology Audit Composition

CHAPTER TWO

INTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITING

1. Internal Audit

1.1 Mission of the Internal Audit Function

1.2 Internal Audit Practice in Organization

1.3 Steps for Building the Internal Audit Team

1.4. Suggestion for Successful Internal Audit

1.5 Code of Ethics for Audit Staff

1.6 International Standards for the Professional Practice of Internal Auditing (Standards)

2. External Audit

2.1 Implementation Procedure

2.2. Continuous Auditing

2.3. Key Steps to Implementing Continuous Auditing

2.3.1. Additional Considerations

2.3.2. Organizational Infrastructure


2.3.3. Impact on Personnel

CHAPTER 3

THE AUDITORS PERFORMANCE IN TECHNOLOGY AUDIT

3.1. Introduction

3.2. Role of Auditor

Phase One: Pre-Audit

Phase Two: On-Site Visit

3.3. Road Map for the External Audit Team Audit Leader

3.4. Notes to the Auditor

3.4. Control objectives

CHAPTER 4

SWOT ANALYSIS

4.1 Introduction

4.2. The Need for SWOT Analysis

4.3. Limitations of SWOT Analysis

4.4. SWOT Analysis Framework

CHAPTER 5

PRACTICAL EXAMPLES OF SWOT ANALYSIS

5.1. Health centers

5.2. University SWOT Analysis

5.3. Retail Industry SWOT Analysis

4.4. Web Business SWOT Analysis


CHAPTER 6

GLOSSARY

APPENDIX I

SWOT Analysis Template

APPENDIX II

Audit Checklist

APPENDIX III

Audit Checklist ISO/IEC 19770-1

APPENDIX IV

Template to use when writing an audit report

APPENDIX V

Information Technology Audit Report

REFERENCES


CHAPTER ONE

TECHNOLOGY AUDITING

1.1 Introduction

Today, product life cycles are becoming gradually shorter. In some sectors, such as the computer sector, technological devaluation of the products occurs within a few months. Therefore it is a great competitive advantage for companies to be able to introduce new products to the market before their competitors, gaining in this way significant sales shares. Today companies must be constantly innovative to maintain or improve their position in the market. In order to achieve this, they must know how to identify the innovation needs of a business problem. The innovation management tools utilized for doing this are the Technology Audit and the SWOT method [1]. Technology has become an increasingly dynamic sector of the global economy. The critical task is now to maintain a broad awareness of the nature and potential impact of emerging technologies, the points of junction, and impact on marketplace trends on a worldwide basis. Management of technology is an interdisciplinary field that integrates science, engineering, and management knowledge and practice. The focus is on technology as the primary factor in wealth creation. Wealth creation involves more than just fiscal values and it may encompass factors such as enhancement of knowledge, intellectual capital, effective exploitation of resources, preservation of the natural environment, and other factors that may contribute to raising the standard of living and quality of life.

The Technology Audit is a method for identifying the major company requirements, needs, weaknesses and strengths in human resources and infrastructure, as well as opportunities that should be taken under consideration. The Technology Audit is also a technique which identifies the management's view of how the company performs as well as strong indications of what the company really needs [2].

The Technology Audit technique examines in tandem the external and internal environment of the company and identifies the relation of human resources to the company's performance. Furthermore, it assists the company to discover the more significant actions that it should adopt.


As shown in Figure (1), an organization can perform an audit in order to:

Generate income (or more income) for technology-driven organizations (e.g. technology-based enterprises, research centers, institutes) from their available technology.

Improve the productivity of the technological factors.

Improve business competitiveness and public administration's performance.

Assess your current capabilities before making expensive changes.

Learn how to optimize the use of current technology.

Learn about your technology options.

Get an independent assessment that can help convince your organizational partners of changes needed.

An audit is merely a "checkup." As we gather more and more techno-devices around us, we recognize the need to ensure that they are all accounted for, are working properly, and are being employed for proper purposes, purposes that advance the cause for our organizations. Consequently, a technology audit exists at its very core as an activity that focuses our full attention upon improvement, sustainable improvement and continuous innovation. Organizational survey and technology audit will help in understanding the level of attention paid to technology in the organization and facilitate the involvement of employees from different departments of the organization in the technology management process. The organizational survey and technology audit provide an instrument for auditing the organization's technological capabilities and its awareness of technology as a means of improving competition. The organizational survey and technology audit are used to assess whether the organization's management has the appropriate level of understanding of technology and technology management, and whether the required climate to use technology is in place.

Formulation of technology strategy addresses the issue of how to recognize the critical technological needs and identifies the basic dimensions of a technology strategy. It consists of three steps: technology assessment, technology selection, and definition of the portfolio of technological projects, and strategic priorities and actions [3]. The technology audit is equally applicable to manufacturing and service firms. The firms should wish to create new products, incorporate new processes, diversify their activities and have growth potential. They should have the capacity to survive and innovate and the competence for international cooperation. Technology auditing should be considered as a means of ensuring business continuity in a manufacturing organization.


Figure (1) Objectives of Audit Cycle


1.2 Technology Audit Composition

The implementation of technology auditing starts with answering the following questions:

What is the relationship between technology, business strategy and innovation in ensuring continuity of the organization?

What does a technology audit consist of and what tools are available to help conduct the technology audit?

What is the process flow of a technology audit?

The main steps of a technology audit process are [4]:

Step 1: Company Decision for Technology Audit

The starting point of the technology audit process is the desire or wish of a firm to carry out a technology audit.

Step 2: Initial phase

The initial phase is important to ensure that the audit proceeds smoothly and effectively. It includes discussion at the management level to explain and agree upon the purpose of the audit, to design the questionnaire and the framework for the report to suit the organization, and to select those to be interviewed. Initial information about the organization (published and unpublished reports) is gathered at this stage. Analysis of questionnaires should be done prior to the interviews and might be done at an earlier stage, so that selection of those to be interviewed is partly based on questionnaires.

Step 3: Interview and report phase

The company is interviewed using a questionnaire, normally with the participation of the General Manager, aiming at:

Collecting general company data

Shaping company technology profile

Performing SWOT Analysis

Identifying technological areas for further analysis.


The Technology Audit Tool consists of two parts, the questionnaires and the reports. The results derived from the questionnaires generate the reports that can be easily accessed by the General Manager of the company, but for a more accurate and less biased diagnosis, an external specialized consultant is proposed.

Step 4: Technology Audit Report Framework

The final report of the technology audit should include:

Subjects analyzed

Methodology used

Problem areas identified

Solutions proposed for the problems

Steps to be taken for implementing the solutions (action plan)

The expected results from a carefully conducted technology audit mainly concern [4]:

Complete and comprehensive analysis and evaluation of the requirements of the organization for its sustainable growth

Thoroughly objective SWOT Analysis

Opportunity spotting for new products / new services / new technologies / new markets

Networking with technology suppliers, technological sources, other companies

Possible assessment of technology portfolio, intellectual property rights

There are five tasks within the audit process area:

1. Develop and implement a risk-based international audit standards (IS) audit strategy for the organization in compliance with international audit standards, guidelines and best practices.

2. Plan specific audits to ensure that IT and business systems are protected and controlled.

3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.

4. Communicate emerging issues, potential risks and audit results to key stakeholders.

5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.


CHAPTER TWO

INTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITING

The auditing process can be divided into three categories: Internal Audit, External Audit, and Continuous Audit, which might be integrated for the fulfillment of the organization's objectives as illustrated in Figure (2).

2.1. Internal Audit

Internal auditing, as defined by the Institute of Internal Auditors (IIA), is "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes".

2.1.1 Mission of the Internal Audit Function

The mission of the internal audit function is to provide organization management with systematic assurance, analyses, appraisals, recommendations, advice and information with a view to assisting it, and other stakeholders, in the effective discharge of their responsibilities and the achievement of the organization's mission and goals [5]. The role of the internal audit function includes providing reasonable assurance on the effectiveness, efficiency and economy of the processes in various areas of operations within the organization, as well as compliance with organization financial and staff rules and regulations, general assembly decisions, applicable accounting standards and existing best practice.

2.1.2 Internal Audit Practice in Organization

Each organization should establish Internal Audit. Its original mandate included both internal audit and evaluation functions. The Internal Audit Department also informally acted as a focal point for investigation and inspection. The organization Internal Audit Charter follows the Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors [5] (IIA) in performing audit assignments. Audits are conducted in accordance with a detailed annual audit plan that is developed based on an annual risk-based assessment of internal audit needs for the whole of the organization.

Figure (2) Types of Auditing Models

Figure (3) Steps of Performing Internal Audit


Risk-based annual audit plans are subject to regular revision, at least annually, in order to be aligned with the strategic objectives of the organization. Audit needs are estimated based on a thorough review of the organization's business and other systems and processes which make up the audit environment for the Internal Organization Audit Department. The audit needs assessment is reviewed annually at the same time as the detailed annual audit plan is set out.

For annual audit planning purposes in line with the new set of strategic goals set for the Organization, the Internal Organization Audit Department strategy and annual plans are re-aligned regularly to ensure:

Due emphasis is put on the "operational efficiency and effectiveness" aspect in the detailed work plans to the extent possible.

Main organization business processes are reviewed to identify strengths and good practices, as well as gaps and deficiencies. Value-adding recommendations are made to assist management in addressing these issues.

Audit support is provided to key management and governance initiatives recognizing that the responsibility for such initiatives rests with the management in the case of a strong indication of any fraudulent activity found during an audit.

Sufficient audit work is performed to gather factual evidence and the supporting documentation is handed over to the Investigation Section for further examination if need be.

2.1.3 Steps for Building the Internal Audit Team

Figure (3) represents the steps for building the Internal Audit Team.

1- Group Formation

Local audit team leaders are chosen. They may appoint an individual to serve as overall coordinator, as well. The key here is to get the best leadership in place and functioning quickly.

2- Audit teams

Audit teams are formed and necessary documents needed to support the audit are gathered (Technology plan, facilities plan, personnel reports, etc.).

3- Meetings

Meetings are held at each organization department to explain this process to employees. The purpose is to ensure that all employees know what to expect as their auditors begin gathering data from a large number of locations, to explain the process, to seek community support and patience, and to forecast some findings. This serves to get the community "on board."

4- Teams Work

Department-by-department teams work within the organization. At the same time, another team works on the organization as a whole.

5- Individual Team Reports

Reports are written, and then combined into an organization-wide document.

6- Team Leader Report

Team leader shares the internal audit report with the organization board.

7- Report Approval

Organization board approves the internal technology audit final report.

8- Report Publication

Team leader authorizes the report publication.

2.1.4. Suggestion for Successful Internal Audit

In order to ensure the success of the internal audit processes, the following recommendations [6] should be considered by the organization manager for implementing the Internal Audit:

Recommendation 1:

Invite the Director General to submit the Internal Audit Charter to the organization general assembly. The charter could then cover the activities of the Evaluation Section and could give a general description of the tasks of the department and a more detailed description of the tasks of each Section (Director, Internal Audit, Investigation, and Evaluation & Inspection). After this recommendation has been accepted, Internal Organization Audit Department supports this recommendation as it will help clarify the distinct roles of the three main functions, i.e. internal audit, investigation and evaluation, and promote the role of oversight in the organization. A revision of the Internal Audit Charter will be proposed for review by the Program and Budget Committee which will create an Internal Audit.

Recommendation 2:

The Director of Internal Organization Audit Department should draw up a list of the training undertaken by all of his staff and update such a file as and when necessary. This recommendation has been accepted. The recommendation will further assist the tracking of the professional training being carried out.

Recommendation 3:

Invite the Director of Internal Organization Audit to develop a program (concept) of quality assurance and improvement that includes documentation on periodic and ongoing internal assessments of all areas of internal audit activity. Once established, this concept should be included in the Internal Audit Manual. It seems clear that ongoing assessments would only be suitable when the Internal Audit Section has at least two qualified staff members. This recommendation has been accepted. All audits are done in line with the Institute of Internal Auditors (IIA) Standards and are subject to review and quality control. It is already Internal Organization Audit Department's stated policy to have regular external and internal quality assurance in accordance with the (IIA) [7] Standards.

Recommendation 4:

Invite Internal Organization Audit Department to do the following:

a. to decide, during its annual planning, on precise audit themes which are then mentioned in the final reports,

b. to continue to draw up a list of planned, completed and reported audits, which should be updated as necessary, and

c. to implement long-term audit planning.

Recommendation 5:

The drafting of the audit manual should be completed and made available to organization staff and/or over the intranet. This manual should cover all the essential elements specified in the Audit Standards**.

Recommendation 6:

Suggest that, from now on, Internal Organization Audit Department includes an evaluation of the following in its reports:

a. exposure to significant risks and the corresponding controls,

b. subjects relating to governance, and

c. any other issue in response to a need or a request of the general management or the Audit Committee.


Recommendation 7:

Invite Internal Organization Audit Department to review its strategy on planning for audits involving medium to low risks in order to concentrate more on engagements involving higher risks.

Recommendation 8:

The Internal Audit Section should:

a. clarify the work program by linking it with the risk analysis,

b. ensure that the work program includes the priorities and the resource allocation for each subject to be audited,

c. ensure that the work program allows a connection to be made between the working papers and the recommendations,

d. ensure that comments concerning the involvement and assignment of external experts are highlighted in the audit plan, and

e. ensure that the signature of the Director of Internal Organization Audit Department and the date of approval are systematically placed on the audit program before the audit begins.

Recommendation 9:

Invite Internal Organization Audit Department:

a. to improve the formalization of working documentation so that a third party audit professional is always able to compare the objectives of the engagement, the content of the examinations carried out, the results, the auditor's opinion and the recommendations. The standardization and organization of working papers could go some way to achieving this,

b. to integrate into the Internal Audit Manual regulations relating to audit documents, information to be archived and the period for which files must be kept; rules on access by third parties to working papers should also be included,

c. to create audit notes that include a summary of the work carried out and allow connections to be made between the work program, interviews, analyzed documents and the notes and recommendations contained in the report,

d. to establish a system for reviewing working papers and dating and signing them, and

e. to provide for the establishment of standards relating to documentation in the audit manual.


Recommendation 10:

In order to increase the visibility of the internal audit function within the organization, invite the Director of Internal Organization Audit Department to increase his contact with the Organization General Manager.

2.1.5 Code of Ethics for Audit Staff

The internal audit staff is expected to follow the internal audit function in conducting audits as set out in the Audit Charter [8].

The Internal Auditor enjoys operational independence in the conduct of his/her duties. He/she has the authority to initiate, carry out and report on any action which he/she considers necessary to fulfill his/her mandate.

The Internal Auditor shall be independent of the programs, operations and activities he/she audits to ensure the impartiality and credibility of the audit work undertaken.

Internal audit work shall be carried out in a professional, unbiased and impartial manner.

The conclusions of the audits shall be shared with the managers concerned, who shall be given the opportunity to respond.

Any situation of conflict of interest shall be avoided.

The Internal Auditor shall have unrestricted, direct and prompt access to all organization records, officials or personnel holding any organization contractual status and to all the premises of the Organization.

The Internal Auditor shall respect the confidential nature of information and shall use such information with discretion and only in so far as it is relevant to reach an audit opinion.

2.1.6 International Standards for the Professional Practice of Internal Auditing (Standards)

The Institute of Internal Auditors published the professional practice that includes Introduction to the Standards, Attribute Standards, and Performance Standards*. Internal auditing is conducted in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, conformance with the IIA's International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity.

The purpose of the Standards is to:

1. Define basic principles that represent the practice of internal auditing.

2. Provide a framework for performing and promoting a broad range of value-added internal auditing.

3. Establish the basis for the evaluation of internal audit performance.

4. Foster improved organizational processes and operations.

The Standards are principles-focused, mandatory requirements consisting of:

Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance, which are internationally applicable at organizational and individual levels.

Interpretations, which clarify terms or concepts within the Statements.

The structure of the Standards is divided between Attribute and Performance Standards. Attribute Standards address the attributes of organizations and individuals performing internal auditing. The Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. The Attribute and Performance Standards are also provided to apply to all internal audits.

Implementation Standards are also provided to expand upon the Attribute and Performance standards, by providing the requirements applicable to assurance or consulting activities. Assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services:

1. the person or group directly involved with the entity, operation, function, process, system, or other subject matter (the process owner),

2. the person or group making the assessment (the internal auditor),

3. the person or group using the assessment (the user).

Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties:

1. the person or group offering the advice (the internal auditor),

2. the person or group seeking and receiving the advice (the engagement client).

When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.


2. External Audit

External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the organization board the need for more frequent external assessments and the qualifications and independence of the external reviewer or review team, including any potential conflict of interest. A qualified auditor or auditing team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an auditing team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether an auditor or auditing team demonstrates sufficient competence to be qualified. An independent auditor or auditing team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs.

2.1 Implementation Procedure

A schematic of the steps that are normally followed while carrying out a technology audit is shown and described below. Partial techniques per step are the tools used for the proper implementation of the technique.

STEP 1: Desire/Wish to Carry Out Technology Audit

Desire / wish of the organization to carry out a technology audit. If the company initiates the audit, no particular communication tool is used. However, if the company is approached by the service provider, the provider should explain: the scope of the initiative, a brief description of the technique, potential benefits to the organization, and the main characteristics of the consultant / service provider.

STEP 2: Expert to Carry Out Technology Audit

Once common ground has been established between the organization and the external consultant/expert, the next step can follow.

STEP 3: First Contact/Visit of Expert for Preparation of Audit Plan

On the first contact / visit to the organization for the audit plan preparation, the expert should have:

o a brochure / flow diagram on the steps to follow, a list of benefits and a list of other companies that have carried out a TA; a formal presentation using a data show should help.

o the audit plan, which is devised together with top management. It establishes the issues to investigate, how to collect data and from whom, in what time span and at what cost, and what is needed from management to carry out the audit successfully. The local team shares with the auditors all documents gathered, as well as the internal audit report. Together, the auditors and the local audit team work to establish a strategy that will drive this formal audit. All parties agree upon a schedule/timeframe for the audit. All parties discuss some possible outcome objectives [10]. Auditors schedule date(s) for on-site visit(s). Auditors meet with focus groups and other constituencies, as needed.

STEP 4: Preparatory Work by Expert on Collecting Basic

The expert's preparatory work consists of collecting basic information on the organization and on its sector. For the organization: collection of data from published information, company brochures, economic data, employees, products, exports, etc.

For the sector: published data on employment, turnover, trends, markets, the company's products, and the introduction / use of new technologies.

A short report on the above findings would be handy and would be another step

into building a trusting relationship with the organization. Auditors study all

documents provided. Auditors schedule an on-site visit and make their

observations. It is a process whereby an in-depth evaluation of some aspect of an

organization is performed, and the results compared with representations made by

that organization. Due attentiveness is particularly important for business

transactions in technology-intensive markets, since there is a much higher risk of

misrepresentation or inappropriate application of emerging technologies. It is often

difficult to find individuals capable of assessing both the technological issues and

their business linkages*. The approach to be followed must be planned and agreed

upon. The process must include the selection of team members from the

organization who will participate [11]. The team must be multidisciplinary, and

include both business and technical experts familiar with the areas under

investigation. If staff expertise is lacking in a particular area, engage the services of

experts in that field. Depending on the results of the preliminary visits, different

approaches may be necessary for each organization [12].

STEP 5: GENERAL SHORT DIAGNOSES

For the general short diagnosis, use is made of a questionnaire, either in hard copy or electronic, which should cover the following main points [13]:

ORGANIZATION

Company information, strategy, development planning.

HUMAN RESOURCES

Capabilities, needs, strengths, weaknesses, training, performance, rewards.

TECHNOLOGICAL CAPABILITY

Technological resources, know how, assessment of technological level,

implementation of information technologies, new technologies.

TECHNOLOGICAL INNOVATION

Product development, procedures, new products - number - timeframe, research

and development (in house or external), resources allocated, areas of interest,

sources of acquiring technology.

INNOVATION CAPABILITY

Innovations introduced, barriers to innovation, technology watch / searching /

technology diffusion, involvement in R&D joint projects.

PRODUCTS

Products / markets, production organization and management, production

equipment, walk through shop floor.

COOPERATION NETWORKING

With other companies (local / abroad), with technology providers / sources,

participation in R&D programs.

TECHNOLOGICAL NEEDS

Demands for services / equipment / quality improvement, new technologies, access

to information / technology diffusion.

QUALITY

Quality control, products - raw materials, standards, relations with customers /

suppliers.

MARKETING

Markets, local/abroad, marketing plan / strategy.

ENVIRONMENT

Awareness / problems / needs.

STEP 6: DATA ANALYSIS BY EXPERT, REPORT ON FIRST DIAGNOSIS

Following the data analysis by the expert, the report on the first diagnosis should be brief and should contain:

- Executive summary

- Overview of company / activities (good for signposting to networks, etc.)

- Overview of sectors / markets

- Synthesis on: Strengths / weaknesses / opportunities / threats identified

- Potential suggestions (especially if the audit stops at this point) for resolving

problems and exploiting strengths & opportunities, mainly by indicating routes for

solutions with an action plan, isolation of specific areas / departments for further

diagnosis, proposal with justification.

STEP 7: PRESENTATION OF FIRST DIAGNOSIS REPORT TO GENERAL MANAGER AND COMPANY MANAGEMENT

The first diagnosis report is presented to the General Manager and company management, with a hard copy of the report and its main findings handed out some time earlier. The decision on whether to continue to further diagnosis, and the agreement on the subject(s) to analyze, are also finalized here.

STEP 8: ADDITIONAL VISITS/INTERVIEWS TO DEPARTMENT HEADS

These visits entail an in-depth investigation of key areas of the organization being assessed. A

full due diligence audit of an external company can take up to a week at a small

single-site company with a technical staff of 50 or less, several weeks at larger

companies with a localized development team, and even longer examining a larger

company with geographically distributed development teams.

Obviously, the relationship between company size and inspection effort is non-linear. This is because a certain set of core elements, such as policies and

procedures, business plans, and infrastructure standards are centrally located.

Typical areas and themes that could be covered with either specific subject tools or

in a less structured way (if done by a specialist) could be:

(a) Quality

· Policy – goals – personnel involvement – training;

· Process quality – monitoring and control systems – handling – storage – packaging;

· Keeping of records/use of results;

· Product quality – raw materials quality control – product quality control;

· ISO issues – presentation – benefits.

Figure (5) Quality Control Cycle

(b) Human resources

· Skills – availability;

· Satisfaction – rewards;

· Meetings – awareness of company activities/products;

· Team working/project management;

· Continuing education/training;

· Promotion – evolution – record.

(c) Research and development – Product development

· Research and development strategy/partners;

· Product mix/product lifecycle analysis;

· Analysis of procedures for new product development;

· Analysis of research and development activities;

· Participation in research and development projects;

· Focus on specific research and development area – identification of potential technology

suppliers.

Figure (4) Steps of Product Development throughout R&D

(d) Production operation

· Walk through production facilities – bottlenecks – problem areas;

· Material flow – flow diagram;

· Overview of system automation/needs – opportunities;

· Floor and product safety;

· Maintenance – procedures – planning – problems;

· Analysis of productivity.

(e) Marketing/sales

· Existence/analysis of marketing plan;

· Strategy – market share/local – exports;

· Competitors analysis/sector analysis/opportunities – threats;

· Distribution networks – problems;

· Use of information technologies for sales/e-commerce – Internet (www.urenio.org).

STEP 9: FINAL REPORT OF THE TECHNOLOGY AUDIT COMPILED BY THE EXPERTS

Final report of the technology audit, as given in Figure (6), compiled by the experts

should contain the following*:

• Executive summary

• Summary of results from first part diagnosis

• Subject(s) analyzed in second part

• Methodology used for analysis

• Problems identified

• Solutions proposed

• Actions to be taken (action plan)

Figure (6) Technology Audit Final Report Contents

The action plan

Should be:

a) Specific to the subject

b) With a time frame

c) With determined milestones

d) With an estimated budget

e) With the listing of expected results

f) With identification of potential problem solvers (technology or service providers)

g) With indications about provisional funding for implementing the solutions (e.g. national and / or international R&D programs)

h) An implementation monitoring schedule, possibly to be done by the service provider.

The action plan should be specific to the subject, with a timeframe, with determined milestones and with an estimated budget. The action plan must list the expected results, identify potential problem solvers (technology or service providers) and indicate provisional funding for implementing the solutions. An implementation monitoring schedule must be done by the technology auditor in conjunction with a project manager.

STEP 10: PRESENTATION OF REPORT BY EXPERT TO COMPANY MANAGEMENT

At step 10 the report by the technology auditor to the organization must discuss

issues identified, solutions proposed, the proposed action plan and the monitoring

system that will be used.

The systematic audit program includes initiating the audit, preparing for on-site

audit, conducting the on-site audit, report preparation and follow-up activities. The follow-up activities in this context are the improvement activities that result from the audit findings. Figure (7) shows the stages of audit program management.

Figure (7) Audit Program Management http://www.efrcertification.com/Attachment/ICQR65.pdf

2.3. Continuous Auditing

Continuous auditing is:

"A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter." [3]

A continuous audit relies heavily on information technologies such as broad

bandwidth, web application server technology, web scripting solutions and ubiquitous database management systems with standard connectivity.

Open database architecture empowers auditors to monitor a company's systems

over the Internet using sensors and digital agents. Incongruities between the

records and the rules defined in the digital agents are transmitted via e-mail to the

client and the auditor. For example, a digital agent performing analytical

procedures on the accounts receivable would e-mail the auditor a huge outstanding

beyond the receivable parameters defined in the digital agent. Once an account

trigger has occurred, the digital agent would move to the transactional level to

verify the authenticity of the sale by seeking an e-mail of the sale organization and

acceptance of the goods/service by the customer.

The audit routine described above is done electronically and automatically on a

real-time basis as a part of continuous monitoring. Continuous audit takes off after

this when an auditor, empowered with data, carries out independent investigation

and collects corroborative evidence to arrive at his/her own deductions.

Figure (8) Steps of Implementing Continuous Audit

2.3.1. KEY STEPS TO IMPLEMENTING CONTINUOUS AUDITING

Once the issues above are understood by managers and auditors alike, the

organization will be in a better position to begin using continuous auditing.

Generally, the implementation of continuous auditing consists of six procedural

steps, demonstrated in Figure (8), which are usually administered by a continuous

audit manager. Knowing about these steps will enable auditors to better monitor

the continuous audit process and provide recommendations for its improvement, if

needed. These steps include:

1. Establishing priority areas.

2. Identifying monitoring and continuous audit rules.

3. Determining the process' frequency.

4. Configuring continuous audit parameters.

5. Following up.

6. Communicating results.

Below is a description of each.

1. Establishing Priority Areas

The activity of choosing which organizational areas to audit should be integrated

as part of the internal audit annual plan and the company's risk management

program. Many Internal Audit Departments also integrate and coordinate with

other compliance plans and activities, if applicable. (Steps 2-6 below are applicable to all of the priority areas and processes being monitored as part of the continuous

audit program.)

Typically, when deciding priority areas to continuously audit, internal auditors and

managers should:

• Identify the critical business processes that need to be audited by breaking down and rating risk areas.

• Understand the availability of continuous audit data for those risk areas.

• Evaluate the costs and benefits of implementing a continuous audit process for a particular risk area.

• Consider the corporate ramifications of continuously auditing the particular area or function.

• Choose early applications to audit where rapid demonstration of results might be of great value to the organization. Long extended efforts tend to decrease support for continuous auditing.

• Once a demonstration project is successfully completed, negotiate with different auditors and internal audit areas, if needed, so that a longer-term implementation plan is put in place.

When performing the actions listed above, auditors need to consider the key

objectives from each audit procedure. Objectives can be classified as one of four

types: detective, deterrent (also known as preventive), financial, and compliance. A

particular audit priority area may satisfy any one of these four objectives. For

instance, it is not uncommon for an audit procedure that is put in place for

preventive purposes to be reconfigured as a detective control once the audited

activity's incidence of compliance failure decreases.

2. Monitoring and Continuous Audit Rules

The second step consists of determining the rules or analytics that will guide the

continuous audit activity, which need to be programmed, repeated frequently, and

reconfigured when needed. For example, banks can monitor all checking accounts

nightly by extracting files that meet the criterion of having a debt balance that is 20

percent larger than the loan threshold and in which the balance is more than US

$1,000.

In addition, monitoring and audit rules must take into consideration legal and

environmental issues, as well as the objectives of the particular process. For

instance, how quickly a management response is provided once an activity is

flagged may depend on the speed of the clearance process (i.e., the environment)

while the activity's overall monitoring approach may depend on the enforceability

of legal actions and existing compliance requirements.

3. Determining the Process' Frequency

Although the process is called continuous auditing, the word continuous is in the

eye of the beholder. Auditors need to consider the natural rhythm of the process

being audited, including the timing of computer and business processes as well as

the timing and availability of auditors trained or with experience in continuous

auditing. For instance, although increased testing frequency has substantial

benefits, extracting, processing, and following up on testing results might increase

the costs of the continuous audit activity. Therefore, the cost-benefit ratio of

continuously auditing a particular area must be considered prior to its monitoring.

Furthermore, other tools used by the manager of the continuous audit function

include an audit control panel in which frequency and parameter variations can be

activated. Hence, the nature of other continuous audit objectives, such as

deterrence or prevention, may determine their frequency and variation.

4. Configuring Continuous Audit Parameters

Rules used in each audit area need to be configured before the continuous audit

procedure (CAP) is implemented. In addition, the frequency of each parameter

might need to be changed after its initial setup based on changes stemming from

the activity being audited. Hence, rules, initial parameters, and the activity's

frequency ― also a special type of parameter ― should be defined before the

continuous audit process begins and reconfigured based on the activity's

monitoring results.

When defining a CAP, auditors should consider the costs and benefits of error detection and of audit and management follow-up activities. For instance, in the example of the bank described earlier, the excess threshold of US $1,000 could lead to a number of false negatives (e.g., values that were ignored because the balance was smaller than US $1,000 but that were identified as representing a problem) and a number of false positives (e.g., values with balances above US $1,000 that were flagged but were accurate). If the threshold is increased to US $2,000, there will be an increase in false negatives and a decrease in false positives. Because follow-up costs go up as the number of false positives increases, and the presence of false negatives may lead to high operational costs for the organization, internal auditors should regularly reevaluate whether error detection and follow-up activities need to be continued, reconfigured, temporarily halted, or used on an ad hoc basis.

Furthermore, the stratification of audited data into sub-groups allows organizations

to better monitor the activity and reconfigure any parameters (e.g., auditors will be

notified when balances larger than 20 percent of the debt remain that are also

larger than US $5,000). However, the more complex the rule and its conditional

components, the more parameters that must be examined, monitored, and

sometimes reconfigured.
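The bank rule from step 2 and the threshold trade-off and stratification from step 4 can be expressed as a parameterized check. The following is an added example, not part of the original booklet: the account records, the reading of the rule as "debt balance more than 20 percent above the loan threshold and above the minimum balance", and the follow-up and miss costs are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Account:
    account_id: str
    debt_balance: Decimal     # balance on the account, US$
    loan_threshold: Decimal   # limit agreed for the account, US$
    is_problem: bool          # outcome of follow-up (constructed ground truth)


@dataclass(frozen=True)
class RuleParams:
    excess_ratio: Decimal = Decimal("0.20")  # 20 percent over the loan threshold
    min_balance: Decimal = Decimal("1000")   # balance must exceed US $1,000


@dataclass(frozen=True)
class Evaluation:
    flagged: tuple
    false_positives: tuple
    false_negatives: tuple


# Constructed sample data, not real accounts.
SAMPLE_ACCOUNTS = [
    Account("A1", Decimal("1500"), Decimal("1000"), True),
    Account("A2", Decimal("1300"), Decimal("1000"), False),
    Account("A3", Decimal("900"), Decimal("500"), True),
    Account("A4", Decimal("6000"), Decimal("4000"), True),
    Account("A5", Decimal("2500"), Decimal("2000"), False),
    Account("A6", Decimal("3000"), Decimal("3000"), False),
    Account("A7", Decimal("800"), Decimal("1000"), False),
]


def is_flagged(acct, params):
    """Apply the nightly rule to one account."""
    over_limit = acct.debt_balance > acct.loan_threshold * (1 + params.excess_ratio)
    return over_limit and acct.debt_balance > params.min_balance


def evaluate(accounts, params):
    """Run the rule and compare the alarms with the follow-up outcome."""
    flagged, false_pos, false_neg = [], [], []
    for acct in accounts:
        if is_flagged(acct, params):
            flagged.append(acct.account_id)
            if not acct.is_problem:
                false_pos.append(acct.account_id)   # alarm raised, account was fine
        elif acct.is_problem:
            false_neg.append(acct.account_id)       # real problem, no alarm
    return Evaluation(tuple(flagged), tuple(false_pos), tuple(false_neg))


def stratify(accounts, params, band_edges):
    """Group flagged accounts by the highest band edge not above their balance."""
    edges = sorted(band_edges)
    strata = {edge: [] for edge in edges}
    for acct in accounts:
        if not is_flagged(acct, params):
            continue
        eligible = [edge for edge in edges if edge <= acct.debt_balance]
        if eligible:                                # below the lowest band: skip
            strata[eligible[-1]].append(acct.account_id)
    return strata


def cheapest_threshold(accounts, candidates, followup_cost, miss_cost):
    """Cost of each candidate min_balance: false alarms plus missed problems."""
    costs = {}
    for min_balance in candidates:
        result = evaluate(accounts, RuleParams(min_balance=min_balance))
        costs[min_balance] = (len(result.false_positives) * followup_cost
                              + len(result.false_negatives) * miss_cost)
    best = min(costs, key=costs.get)
    return best, costs


if __name__ == "__main__":
    for limit in (Decimal("1000"), Decimal("2000")):
        print(limit, evaluate(SAMPLE_ACCOUNTS, RuleParams(min_balance=limit)))
    print(stratify(SAMPLE_ACCOUNTS, RuleParams(), [Decimal("1000"), Decimal("5000")]))
    print(cheapest_threshold(SAMPLE_ACCOUNTS,
                             [Decimal("1000"), Decimal("2000"), Decimal("5000")],
                             followup_cost=50, miss_cost=400))
```

Rerunning `cheapest_threshold` with different cost figures shows why the parameters have to be reconfigured when follow-up becomes more expensive or missed problems become more costly.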

5. Following Up

Another type of parameter relates to the treatment of alarms and detected errors.

Questions such as who will receive the alarm (e.g., line managers, internal

auditors, or both ― usually the alarm is sent to the process manager, the manager's

immediate supervisor, or the auditor in charge of that CAP) and when the follow-up activity must be completed, need to be addressed when establishing the continuous audit process.

Additional follow-up procedures that should be performed as part of the

continuous audit activity include reconciling the alarm prior to following up by

looking at alternate sources of data and waiting for similar alarms to occur before

following up or performing established escalation guidelines. For instance, the

person receiving the alarm might wait to follow up on the issue if the alarm is

purely educational (i.e., the alarm verifies compliance but has no adverse economic

implications), there are no resources available for evaluation, or the area identified

is a low benefit area that is mainly targeted for deterrence.

6. Communicating Results

A final item to be considered is how to communicate with auditors. When

informing auditors of continuous audit activity results, it is important for the

exchange to be independent and consistent. For instance, if multiple system alarms

are issued and distributed to several auditors, it is crucial that steps 1-5 take place

prior to the communication exchange and that detailed guidelines for individual

factor considerations exist. In addition, the development and implementation of

communication guidelines and follow-up procedures must consider the risk of

collusion. Much of the work on fraud indicates that the majority of fraud is

collusive and can be performed by an internal or external party. For example, in

the case of dormant accounts, both the clerk that moves money and the manager

that receives the follow-up money may be in collusion since the manager's key

may have to be used for certain transactions.

ADDITIONAL CONSIDERATIONS

Besides the six steps described in the previous section, two additional issues that

emerge when implementing continuous auditing are the infrastructure needed for

the process to work and its impact on the workplace.

Organizational Infrastructure

Because continuous auditing is a part of the company's audit function, it must be

kept independent of management. Therefore, during the planning stages, auditors

need to keep in mind the process' independence when designing its structure. For

instance, a typical Internal Audit Department is structured so that areas of the

department focus on different cycles or business activities. In addition, the

department may be divided into financial and IT audit functions.

Sometimes, however, IT audit activities are incorporated as part of existing IT

operations. In organizations such as these, the development of continuous auditing

is usually delayed because the activity may not get the necessary development

priority. Regardless of whether IT audit activities are part of the organization's IT

or Internal Audit Department, the organization must maintain the process'

independence as well as allocate resources in support of continuous audit activities.

Impact on Personnel

In addition, the audit manager in charge of the continuous audit process should

have a more technical understanding of IT as well as extensive experience on the

activities being audited. However, hiring, training, and retaining auditors who can

implement and monitor continuous audit activities might be challenging due to the

scarcity of internal auditors with knowledge in the area. Furthermore, the

continuous audit process might create a daily stream of issues that need to be

resolved, which might prove stressful given current personnel resources, and might

require the continuous audit manager to exert adequate authority in moments of

exceptions.

CHAPTER 3

PERFORMANCE IN TECHNOLOGY AUDIT

3.1. Introduction

Appointment of Auditor – auditors are usually appointed by the organization's managers at the administration council meeting.

Terms of Engagement – an engagement letter provides written recognition of the auditor's acceptance of appointment and sets out the scope of the audit plus the auditors' and management's responsibilities.

Audit Program – sets out the extent and type of audit procedures. Auditors work to internationally agreed auditing standards. Auditors start by gaining an understanding of the organization's activities. For each major activity listed in the financial statements, auditors identify and assess risks that could have a significant impact on the financial position or performance.

Detailed Examination – auditors perform testing and obtain evidence to satisfy the requirements of the audit program. Testing may include compliance with the organization's accounting policies, examining accounting records and verifying the existence of tangible items such as plant and equipment.

Audit Report – contains the audit opinion on the financial report and the basis of that opinion. The scope of the audit plus the auditors' and management's responsibilities are also restated. The external auditor should maintain independence from management and directors so that the tests and judgments are made objectively. Auditors discuss the scope of the audit work with the organization. Auditors determine the type and extent of the audit procedures they will perform depending on the risks and controls they have identified. Auditors form an opinion on the information in the final report. However, the external auditor should not look at every transaction carried out by the organization, test the adequacy of all of the organization's internal controls, identify all possible irregularities, or audit other information provided to the members of the organization – e.g. the directors' report. Figure (9) gives the flowchart of the external audit.

Figure (9) Flowchart of the external audit Source: www.urenio.org

3.2. Audit team roles and responsibilities

An audit may be conducted by a single lead auditor or by an audit team consisting

of a lead auditor, one or more auditors and/or a technical adviser. The National Code of Practice for Auditors and Technical Advisers describes the conditions that an auditor and technical adviser must adhere to when fulfilling their roles during audits.

Lead Auditor

The role of the lead auditor, demonstrated in Figure (10), is to:

• Confirm the scope of the audit with the registering body

• Contact the applicant and make an appointment for the audit

• Identify and confirm resources (including audit team members and audit

documentation) required to conduct the audit

• Review documentation and develop a plan and schedule for the audit in

conjunction with the applicant and then confirm these arrangements

• Brief the audit team

• Conduct the opening meeting

• Identify and gather information

• Manage audit team resources by ensuring that there is effective communication

between the members of the audit team, and by working with the applicant's

representative to ensure that auditors and technical experts have access to the

materials, sites and personnel they require

• Coordinate the audit findings by meeting with the audit team to synthesize the

evidence collected

• Prepare the audit report with support from the audit team

• Conduct the feedback session with the applicant and confirm follow-up

• Provide information to the applicant about the complaints process and follow-up

action required

• Provide feedback to the audit team.

Figure (10) Duties of Leader of Auditor Team

Auditors

The role of an auditor, as shown in Figure (11), is to:

• Participate in the opening meeting

• Identify and gather information

• Analyze information

• Evaluate information

• Report findings

• Participate in the feedback session

• Undertake other duties as requested by the lead auditor.

Figure (11) Role of Auditor

To understand better how a comprehensive, effective technology audit works, the

process can be broken down into its various phases in order to draw a comparison

between the audit process and the activities associated with organization

accreditation. An accreditation visit can be segmented into three phases:

1) Getting ready;

2) On-site visit;

3) Results & follow up.

The greatest quantity of work occurs during the first phase. Therefore, the three

phases will be examined accordingly.

Phase One: Pre-Audit

Whether the technology audit has been triggered by the organization's internal desire to assess its accountability or whether the impetus has come from outside the organization, the initial phase is the same. The organization must get ready for the audit. Thus, this phase is sometimes called the "pre-audit" stage. At a macro level, the organization might want to establish a set of systems that can be put in place to make the auditors' time more valuable and more efficient. The auditor may want to form a group of teams to perform specific functions; a physical location may be specified as a "gathering point" for evidentiary documents; a series of focus group meetings should be scheduled so that organization leaders can encourage employees and community members to voice their opinions and give their perspectives regarding the organization's status; and a system should be created in which all the hard work of engaged people, the data and reports the auditor collects, and the supporting systems can be perpetuated.

Enrolling team members - To make your technology audit a success, it is essential to have high-quality teams. The teams will be made up of specialized members. The team leaders will ensure strong and fluid cooperation among teams, all working on a common end goal. Team building is a significant activity, and all organization leaders realize this fully. The best leaders are those who build and grow the best teams so that they accomplish the best results.

The audit team leader may clarify matters with the organization's employees by explaining to them that a technology audit is coming and that he wants to obtain their very best thinking about some strategies that will assure success for the organization. During this meeting, the auditor might want to engage in a simple brainstorming activity, asking everyone to call out, as fast as they can, all the areas where technologies are used in the organization. The team leader might ask them to be frank and

candid in their comments, and then ask them to pinpoint areas where they perceive

that improvements could be made. If/when they mention some examples, the

auditor asks for substantiating evidence that may give the clues to other things

needing. The team leader tries to imagine how the auditors will see things/look at

things through their eyes. What would the auditors do? What would they say?

What would they seek? How would they interpret what you give them? What

would they recommend? As the leader and the team of advisors go through these

considerations, they will have prepared themselves well for what lies ahead, and

will no longer fear the technology audit, or consider it as a negative event. Rather,

they will see this as a profoundly important opportunity to engage in systemic

improvement, as well as great improvement at the individual level.

Phase Two: On-Site Visit

The time has come finally when auditors arrive at the organization and are

examining both the reports (data, information, and evidence) and the actual reality

of technology integration. This guideline is intended to help auditors conduct more

focused reviews of technology acquisitions by enabling them to quickly identify

significant areas of risk. Using these guidelines will help auditors identify critical

factors not addressed by management, make a general evaluation of any

procurement risks, and provide rapid feedback to agency officials so they can take

corrective action in a timely and efficient manner. Use of the guidelines should be

selectively tailored to the requirements of particular reviews and adapted to the

status of the acquisition. Auditors will need to exercise professional judgment in

assessing the significance of audit results or findings. Professional judgment is

necessary to evaluate this information and determine if the agency conducted an

adequate requirements analysis.

There are five tasks within the audit process area:

1. Develop and implement a risk-based audit strategy for the organization in

compliance with audit standards, guidelines and best practices.

2. Plan specific audits to ensure that IT and business systems are protected

and controlled.

3. Conduct audits in accordance with audit standards, guidelines and best

practices to meet planned audit objectives.

4. Communicate emerging issues, potential risks and audit results to key

stakeholders.

5. Advise on the implementation of risk management and control practices

within the organization while maintaining independence.

3.3. Audit planning

Audit planning consists of both short- and long-term planning, demonstrated in

Figure (12). Short-term planning takes into account audit issues that will be

covered during the year, whereas long-term planning relates to audit plans that will

take into account risk-related issues regarding changes in the organization’s

technology strategic direction that will affect the organization’s technology

environment. Analysis of short- and long-term issues should occur at least

annually.

Figure (12) Types of Audit Planning

Figure (13) Perform Audit Planning Steps

This is necessary to take into account new control issues, changing technologies,

changing business processes and enhanced evaluation techniques. The results of

this analysis for planning future audit activities should be reviewed by senior

management, approved by the audit committee, if available, or alternatively by the

Board of Directors, and communicated to relevant levels of management. In

addition to overall annual planning, each individual audit assignment must be

adequately planned. The auditor should understand that other considerations, such

as risk assessment by management, privacy issues and regulatory requirements,

may impact the overall approach to the audit. The auditor should also take into

consideration system implementation/upgrade deadlines, current and future

technologies, requirements of business process owners, and resource limitations.

When planning an audit, the auditor must have an understanding of the overall

environment under review. This should include a general understanding of the

various business practices and functions relating to the audit subject, as well as the

types of information systems and technology supporting the activity.

To perform audit planning which is shown in Figure (13), the auditor should

perform the following steps in this order:

• Gain an understanding of the business’s mission, objectives, purpose and

processes, which include information and processing requirements, such as

availability, integrity, security and business technology.

• Identify stated contents, such as policies, standards and required guidelines,

procedures, and organization structure.

• Evaluate risk assessment and any privacy impact analysis carried out by

management.

• Perform a risk analysis.

• Conduct an internal control review.

• Set the audit scope and audit objectives.

• Develop the audit approach or audit strategy.

• Assign personnel resources to the audit and address engagement logistics.

• Audit planning

– Short-term planning

– Long-term planning

– Things to consider

• New control issues

• Changing technologies

• Changing business processes

• Enhanced evaluation techniques

• Individual audit planning

– Understanding of overall environment

• Business practices and functions

• Information systems and technology

3.4. Road Map for the External Audit Team Audit Leader

The following are steps that the audit team leader would perform to determine an

organization’s level of compliance with external requirements:

• Identify those government or other relevant external requirements dealing with:

– Electronic data, copyrights, e-commerce, e-signatures, etc.

– Computer system practices and controls

– The manner in which computers, programs and data are stored

– The organization or the activities of the information services

• Document applicable laws and regulations

• Assess whether the management of the organization and the information systems

function have considered the relevant external requirements in making plans and in

setting policies, standards and procedures

• Review internal information systems department/function/activity documents that

address adherence to laws applicable to the industry

• Determine adherence to established procedures that address these requirements.

3.5. Notes to the Auditor

The auditor will not ask about any specific laws or regulations, but may ask

how one would audit for compliance with laws and regulations.

It is important that the auditor understands the

relationships of control objectives and controls; control objectives and audit

objectives; criteria and sufficiency and competency of evidence; and audit

objective, criteria and audit procedures. A strong understanding of these elements is

key to the auditor’s performance.

The auditor should be aware of the importance of legal advice. There are two key aspects that

controls need to address: what the auditor should achieve and what to avoid.

The auditor addresses not only the business/operational objectives of internal controls,

but also undesired events, through preventing, detecting, and correcting

them. Types of control:

• Internal accounting controls - Primarily directed at accounting operations, such as

the safeguarding of assets and the reliability of financial records

• Operational controls - Directed at the day-to-day operations, functions and

activities to ensure that the operation is meeting the business objectives

• Administrative controls - Concerned with operational efficiency in a functional

area and adherence to management policies including operational controls. These

can be described as supporting the operational controls specifically concerned with

operating efficiency and adherence to organizational policy.

Figure (14) Elements to Development of Internal Control Manual

3.6. Control objectives

Every organization needs to have a sound internal control in place to keep the

organization on course toward profitability goals and achievement of its mission,

to minimize surprises along the way and to be able to realize its opportunities.

Elements to Development of Internal Control Manual are illustrated in Figure (14).

The importance of internal control has been further heightened by the increasing

attention given to corporate governance, of which internal control is now

considered to be a vital element. Sound practices of internal control and risk

management enable management to deal with rapidly changing economic and

competitive environments, shifting customer demands and priorities, and

restructuring for future growth. Internal controls and risk management promote

efficiency, reduce risk of asset loss, and help ensure the reliability of financial

statements [38].

It consists of the following:

• Safeguarding of information technology assets

• Compliance to corporate policies or legal requirements

• Authorization/input

• Accuracy and completeness of processing of transactions

• Output

• Reliability of process

• Backup/recovery

• Efficiency and economy of operations.

Controls are generally categorized into 3 major classifications:

Preventive: These controls are to deter problems before they arise.

Detective: Controls that detect and report the occurrence of an error, omission or

malicious act.

Corrective: These controls minimize the impact of a threat, remedy problems

discovered by detective controls, and identify the cause of a problem.

Internal control objectives - Apply to all areas, whether manual or automated.

Therefore, conceptually, control objectives in an information systems environment

remain unchanged from those of a manual environment. However, control features

may be different. Thus, internal control objectives need to be addressed in a

manner specific to related processes.

Figure (15) Internal Control Pyramid http://www-audits.admin.uillinois.edu/ICT/ICT-summary.html

Internal Control is a process within an organization designed to provide

reasonable assurance:

• That information is reliable, accurate, and timely.

• Of compliance with policies, plans, procedures, laws, regulations, and contracts.

• That assets (including people) are safeguarded.

• Of the most economical and efficient use of resources.

• That overall established objectives and goals are met.

Internal controls are intended to prevent errors or irregularities, identify problems,

and ensure that corrective action is taken.

Figure (15) illustrates the internal control pyramid and the information and

communication path.

CHAPTER 4

SWOT ANALYSIS

4.1 Introduction

SWOT Analysis is a business tool by which a firm wishing to implement a

strategic analysis analyses and recognizes its corporate Strengths and Weaknesses

as well as the existing or forthcoming Opportunities and Threats from its external

environment.

Only when these four critical information elements are well elaborated and known,

the enterprise is able to formulate and implement the strategy leading to its

business aims.

4.2. The Need for SWOT Analysis

The SWOT Analysis is an extremely useful tool for understanding and decision-

making for all sorts of situations in business and organizations. SWOT Analysis is

a very effective way of identifying your Strengths and Weaknesses, and of

examining the Opportunities and Threats you face. Carrying out an analysis using

the SWOT framework helps you to focus your activities into areas where you are

strong and where the greatest opportunities lie. By creating a SWOT Analysis, you

can see all the important factors affecting your business together in one place. It’s

easy to create, easy to read, and easy to communicate.

Figure (16) SWOT Analysis Framework [14]

4.3. Limitations of SWOT Analysis

SWOT Analysis is not free from its limitations*. It may cause organizations to

view circumstances as very simple because of which the organizations might

overlook certain key strategic contact which may occur. Moreover, categorizing

aspects as strengths, weaknesses, opportunities and threats might be very

subjective as there is a great degree of uncertainty in the market. SWOT Analysis does

stress upon the significance of these four aspects, but it does not tell how an

organization can identify these aspects for itself.

There are certain limitations of SWOT Analysis which are not in control of

management. These include:

a. Price increase;

b. Inputs/raw materials;

c. Government legislation;

d. Economic environment;

e. Searching for a new market for a product that has no overseas market due to import restrictions; etc.

Internal limitations may include:

a. Insufficient research and development facilities;

b. Faulty products due to poor quality control;

c. Poor industrial relations;

d. Lack of skilled and efficient labor; etc

The SWOT Analysis is an extremely useful tool for understanding and

decision-making for all sorts of situations in business and organizations. A

company can use the SWOT Analysis while developing a strategic plan or

planning a solution to a problem that takes into consideration many different

internal and external factors, and maximizes the potential of the strengths and

opportunities while minimizing the impact of the weaknesses and threats.

4.4. SWOT Analysis Framework

Action checklist

1. Establishing the objectives

The first key step in any project is to be clear about what you are doing and why.

The purpose of conducting SWOT Analysis may be wide or narrow, general or

specific.

2. Allocate research and information-gathering tasks. Background preparation is a

vital stage for the subsequent analysis to be effective, and should be divided

among the SWOT participants. This preparation can be carried out in two stages:

Exploratory, followed by data collection.

Detailed, followed by a focused analysis. Gathering information on

Strengths and Weaknesses should focus on the internal factors of skills,

resources and assets, or lack of them. Gathering information on

Opportunities and Threats should focus on the external factors.

3. Create a workshop environment

If compiling and recording the SWOT lists takes place in meetings, then do

exploit the benefits of workshop sessions. Encourage an atmosphere conducive to

the free flow of information and to participants saying what they feel to be

appropriate, free from blame. The leader/facilitator has a key role and should

allow time for free flow of thought, but not too much. Half an hour is often

enough to spend on Strengths, for example, before moving on. It is important to

be specific, evaluative and analytical at the stage of compiling and recording the

SWOT lists.

4. List Strengths, Weaknesses, Opportunities, Threats in the SWOT Matrix

5. Evaluate listed ideas against objectives.

With the lists compiled, sort and group facts and ideas in relation to the

objectives. It may be necessary for the SWOT participants to select from the list

in order to gain a wider view.

The SWOT Analysis template is normally presented as a grid, comprising four

sections, one for each of the SWOT headings: Strengths, Weaknesses,

Opportunities, and Threats. The SWOT template given in Chapter 5 includes

sample questions, whose answers are inserted into the relevant section of the

SWOT grid. The questions are examples, or discussion points, and obviously can

be altered depending on the subject of the SWOT Analysis.

Figure (17) SWOT Analysis Framework

CHAPTER 5

EXAMPLE OF FORMATION OF SWOT MATRIX PARAMETERS

Figure (18) SWOT Matrix Environment Analysis

5.1 Introduction

The analysis of the company situation starts by defining the strengths, weaknesses,

opportunities and threats. The table below shows some common parameters which

may be considered.

Strengths

• Advantages of proposition?
• Capabilities?
• Competitive advantages?
• USP's (unique selling points)?
• Resources, Assets, People?
• Experience, knowledge, data?
• Financial reserves, likely returns?
• Marketing - reach, distribution, awareness?
• Innovative aspects?
• Location and geographical?
• Price, value, quality?
• Accreditations, qualifications, certifications?
• Processes, systems, IT, communications?
• Cultural, attitudinal, behavioral?
• Management cover, succession?

Weaknesses

• Disadvantages of proposition?
• Gaps in capabilities?
• Lack of competitive strength?
• Reputation, presence and reach?
• Financials?
• Own known vulnerabilities?
• Timescales, deadlines and pressures?
• Cash flow, start-up cash-drain?
• Continuity, supply chain robustness?
• Effects on core activities, distraction?
• Reliability of data, plan predictability?
• Morale, commitment, leadership?
• Accreditations, etc?
• Processes and systems, etc?
• Management cover, succession?

Opportunities

• Market developments?
• Competitors' vulnerabilities?
• Industry or lifestyle trends?
• Technology development and innovation?
• Global influences?
• New markets, vertical, horizontal?
• Niche target markets?
• Geographical, export, import?
• Tactics - surprise, major contracts, etc?
• Business and product development?
• Information and research?
• Partnerships, agencies, distribution?
• Volumes, production, economies?
• Seasonal, weather, fashion influences?

Threats

• Political effects?
• Legislative effects?
• Environmental effects?
• IT developments?
• Competitor intentions - various?
• Market demand?
• New technologies, services, ideas?
• Vital contracts and partners?
• Sustaining internal capabilities?
• Obstacles faced?
• Insurmountable weaknesses?
• Loss of key staff?
• Sustainable financial backing?
• Economy - home, abroad?
• Seasonality, weather effects?

successful SWOT Analysis

5.2. Tips for Designing Your SWOT Analysis

For the success of the SWOT Analysis, some constraints depending on the

environment of the organization should be taken into consideration.

Following are some tips [15] for the auditors:

| | Top Tips | But remember … |
|---|---|---|
| 1 | Never copy an existing SWOT Analysis; it will influence your thinking. Start with a fresh piece of paper every time | You could use a standard template to help the ideas flow |
| 2 | Set aside enough time to complete it | You may need to come back to it several times before you are happy |
| 3 | The SWOT Analysis itself is NOT the result. It’s only a tool to help you analyze your business | Before you begin any analysis, you should know what you intend to do with the results |
| 4 | A SWOT Analysis is not a business school fad. It is a proven technique used throughout the business community | You need to be comfortable working with it in your business |
| 5 | Keep your SWOT Analysis simple, readable, short and sharp | It needs to make sense to outsiders (e.g. bank managers or investors) so don’t use phrases or acronyms that only you understand |
| 6 | Make sure you create an action plan based on your SWOT Analysis | You need to communicate this clearly to everyone involved |
| 7 | A SWOT Analysis only gives you insight at a single point in time | You need to review it – probably quarterly – to see how the situation has changed |
| 8 | Don’t over-analyze. Try not to worry if it isn’t perfect, just get the analysis done | If you are going to act on the results, it needs to be accurate |

The role of SWOT Analysis is to take the information from the environmental

analysis and separate it into internal issues (strengths and weaknesses) and external

issues (opportunities and threats). Once this is completed, SWOT Analysis

determines if the information indicates something that will assist the firm in

accomplishing its objectives (a strength or opportunity), or if it indicates an

obstacle that must be overcome or minimized to achieve desired results (weakness

or threat). When doing SWOT Analysis, remember that the S and W are

INTERNAL and the O and T are external.

Figure(19) http://www.taygro.co.za/aboutus.html

in all the important areas

CHAPTER 5

PRACTICAL EXAMPLES OF SWOT ANALYSIS

5.1. Health centers

Subject of SWOT Analysis example: the achievement of a health centre’s mission.

The scenario is based on the SWOT Analysis [17], which was performed by a

health centre in order to determine the forces that promoted or hindered the

achievement of its mission.

Starting position of the health centre:

• The staff lacked motivation

• The building was really small

• The facility was old

• There was a lot of paperwork and bureaucracy

Those characteristics resulted in this health centre facing up to a lot of problems

with the accommodation of the patients. Moreover, the establishing of a new

advanced hospital in the city made the situation even worse. Therefore, they

decided to perform a SWOT Analysis in order to execute the best decision-making

for all the problems that they faced.

Step 1: Purpose of conducting SWOT Analysis - the achievement of a health

centre’s mission.

Step 2: The gathering of information on Strengths and Weaknesses focused on the

internal factors of skills, resources and assets, or lack of them. The gathering of

information on Opportunities and Threats should focus on the external factors.

Step 3: The manager of the health centre encouraged all the staff members to

freely express their opinions about what they felt to be appropriate.

Step 4: SWOT matrix

Step 5: After completing the SWOT matrix the SWOT participants had a wider

view of the situation at the centre so they were able to propose the alternatives that

helped considerably in the operation of the health centre.

The alternatives were:

• training of the staff in interactive techniques of quality improvement

• coordination with other providers to cover all user needs

• remodeling of the facility with local government funds and international help

• cost recovery of drugs and lab supplies with user fees

• payment of incentives to staff based on performance

• review of procedures for decreasing costs and waiting times and increasing perceived quality.

Strengths:

• Willingness of staff to change
• Good location of the health centre
• Perception of quality services

Weaknesses:

• Staff lack of motivation
• Building was really small
• Paper work and bureaucracy
• Cultural differences with users

Opportunities:

• Support of local government
• High felt need of users
• Internationally funded projects

Threats:

• Low income of users
• Bad roads
• Low salaries
• Lack of budget
• Paradigms of providers
• High competition

This strategic analysis and planning of the health centre had the below results:

• 27% increase of patients

• reduction of waiting times to 15 minutes

• 20% increase of staff performance

• remodeling of the facility

5.2. University SWOT Analysis

University strengths, weaknesses, opportunities and threats (SWOT Analysis) were

identified by members of University Strategic Goals and Priorities Committee

during a brainstorming session. Administrators, faculties, and students reviewed

the analysis and provided input. Background information on the Organization is

opportunities and threats it faces can be useful in considering strategic issues.

The SWOT Analysis was used to develop the attached strategic questions. These

questions and others raised by participants at the workshop will help define

strategic directions important to the university in the next five years.

SWOT ANALYSIS

Strengths:

- Positive reputation in the external community
- Positive experience with those who interact with the campus
- Proactive Partnerships with other universities, community colleges, and corporations
- Past performance
- Many Accredited Programs
- Successful 6 year graduation rates
- Faculty and staff support the campus mission
- Proactive student support
- Access to services
- Faculty involvement with students
- Student leadership programs
- Learning communities developing to enhance learning and student-faculty interaction
- Campus Characteristics
- Medium size campus with small class size
- Facilities include new and well-maintained, attractive buildings and grounds with growth potential
- Potential for growth in Turlock and Stockton
- Friendly and safe
- Diverse student body, Hispanic Serving Institution
- Dedicated and Expert faculty
- Campus wide involvement in planning
- Healthy shared governance
- Strong, active external boards
- Residential Campus Development
- Artistic and Cultural Performances

Weaknesses:

- Distinguishing qualities and identity not well known
- Operational structure/bureaucracy
- Sluggish responsiveness to student and community needs
- Fiscal uncertainty
- Lack of pride of internal community
- Match between research expectation & support
- High and unequal workloads faculty & staff
- Ability to hire & retain faculty
- Student preparedness at entrance
- Adjusting to pressures of growth
- Varying perceptions of appropriate proportions of major employee categories (faculty, staff, and administrators)
- Lack of strong, pervasive presence in the external community
- Limited resources for faculty and staff development
- Highly competitive market for diverse faculty and staff
- Promulgating egalitarianism
- Reporting perceived as a ritual and meaningless
- Reporting requirements absorb a large percentage of resources

Opportunities:

- Partnerships in support of university initiatives
- Expanded possibilities for the workforce
- Diversity of region (students industry)
- External Community and University relationships
- Interest in academic program expansion
- Interest in expansion of cultural activities
- Interest in University services (Policy Center, Bridge,
- Growth potential
- New construction
- Societal trends
- Increased value of higher education completion
- Growing demand for graduates
- Match between curricular & societal interests
- Increase demand for mid-career redirection and lifelong learning
- Increased interest in global initiatives
- Technological advances
- Partnership opportunities
- Increased focus on higher education
- development of university park
- large student pool
- increased interest in university connections

Threats:

- State budget crisis
- Private, for-profit, and on-line universities’ responsiveness to program and student scheduling demands
- Increase in reporting expected by government and society
- Shift in focus on numerical achievement vs. qualitative achievement
- Negative public perception
- Development of another university in the area
- Societal and student perception of education as solely a means to a job
- Reporting perceived as a ritual and meaningless
- Reporting requirements absorb a large percentage of resources.
- Historical public perceptions/lack of knowledge about higher Education.
- Historical lack of knowledge.

SWOT ANALYSIS OF AUC [37]

I-Introduction:

SWOT analysis: a method of analyzing an organization’s competitive situation

that involves assessing organizational strengths (S), weaknesses (W),

environmental opportunities (O), and threats (T).

Both strengths and weaknesses are internal factors, that are subject to change

from within the organization itself. Opportunities and threats are the conditions

within the external environment that affect the organization, such as:

technological, economic, legal-political, sociocultural, and the international

element.

II-SWOT ANALYSIS of AUC:

1-Strengths:

a - Highly qualified full time, and part time faculty.

b - Highly skilled students due to the highly competitive selection in admissions.

c - Advanced technology in the University facilities; optic fiber network, ACS

server, well-equipped engineering, natural sciences, and computer labs (relative to

the Egyptian universities) , and research centers (Desert research center).

d - Distinctive rank in the private universities market in Egypt, in comparison to

other universities.

e - Continuous renovations either in facilities (New campuses in Falaki and New

Cairo), technology, and staff.

f - Well defined managerial policy; well-defined hierarchy.

g - Monopolizing the employment market of some majors, such as: construction

management and industrial engineering, business administration, political science,

and computer science.

h - Private university, accredited by several authorities, such as: the Egyptian

ministry of education, Egyptian Syndicates, ABET (Accreditation Board of

Engineering and Technology), the higher council of universities in Egypt, MSA

(Commission on Higher education of the Middle States Association of colleges and

schools) and AACU (American Association for Colleges and Universities).

i - An integrated modern library, containing books, microfilms, periodicals, and

other documents, arranged on the same model of the Congress library. Moreover,

the university has a special collection library, which is actually a fortune.

j - Paying great care to social sciences research due to the presence in a good

field for research in the Middle East, and Egypt in specific.

k - The university has a hostel, which serves all the international students.

l - Absence of unemployment among AUC graduates due to the presence of

Career Advising and Placement Service (CAPS office).

m - The university appreciates the extra-curricular activities and encourages them,

and that is what makes AUC graduates different.

2-Weaknesses:

a - High tuition fee, relative to the other private universities in Egypt, and even to

the American state-universities.

b - Unbalanced budget, where about 60% of the budget is composed of money

from tuition, while the rest comes through donations from companies, like Esso,

Schlumberger, Ford Foundation, General Electric, USAID, etc.

c - Absence of adequate facilities in the field of graduate research, in

comparison to other American Universities.

d - The absence of an undergraduate research program.

e - Weak image in the Egyptian society (market), because of the claim that AUC

westernizes the Egyptian students.

f - Weak marketing techniques, limited to advertisement in the newspapers.

g - The absence of financing source, other than tuition and donations, like

research centers.

h - Currently, until the new campuses are finished, the university suffers from an

unlimited problem of space, in addition to the parking area around the existing

campuses and the traffic from and to them.

3-Opportunities:

a - Dominating the market of the private universities in Egypt with other

competing universities, like 6th of October Univ., and perhaps the Middle East,

like AUB and AUD, after the construction of the new campuses.

b - The ability to serve more students at the undergraduate and graduate levels after building the new campuses (currently AUC serves 3,584 undergraduate and 592 graduate students).

c - Attraction of more foreign students.

d - The chance of finding more financial resources through fundraising, by the

newly appointed President.

e - Establishment of a well-equipped campus in Falaki that will serve as an Engineering faculty that will include electronics engineering.

f - The use of an optical fiber network in the new Cairo campus to connect the whole university through a powerful link.

g - By strengthening the existence of AUC, the AUCians might get a better image and they might be accepted by all categories of society.

4-Threats:

a - Any expected political conflicts in the Middle East, either between Egypt and Israel, or between Egypt and the USA itself, or even something like the Gulf War. This may drop admissions to a destructive level. Moreover, the university might have to do without the American faculty and employees, and most of the university's supporters might withdraw their support. Thus the budget might be seriously harmed.

b - Any expected security or political problems in Egypt, such as terrorism or any serious changes in the current regime. The admissions of international students might drop to a serious level.

c - Competition with other low cost competitors, like 6th October Univ., Misr

International Univ.

d - Increase in the Egyptian cultural persistence, and their refusal of the AUCians. Thus, AUC's image continues to deteriorate.

e - Increase in the number of AUC graduates offered beyond what the market demands. Thus unemployment appears among AUC graduates, as at any Egyptian university.

f - Failure in the process of fundraising for the construction of the new campuses.

5.3. Retail Industry SWOT Analysis*

This is an example of a SWOT Analysis for a Retail Business. Whilst every effort has been made to ensure our examples are accurate, their accuracy depends on where you live in the world and what has changed since they were developed.

You may use our SWOT examples as a guide to indicate what your SWOT might look like, but please do not build a plan based on these examples without validating their accuracy for your business in your region of the world.

The first of our SWOT Analysis examples is for a retail business. The business was established by an entrepreneur and stocks brand name clothing imported from manufacturers around the world. The business currently only stocks 3 brands of men's clothing, pitched at the 18 to 28 single young adult.

SWOT Analysis Examples: Strengths

| Possible Strengths | Response | Is it a strength? |
|---|---|---|
| Tangible Strengths | | |
| Consider your assets including plant and equipment | Assets are really only shop fittings and stock with two computers and software. | No |
| Do you have long-term rental contracts for your business locations? | 3 + 3 + 3 year lease in major shopping center, location within the shop is at the will of the center, poor sales will result in a shift to a low foot traffic location. | No, same as our competitors |
| Are your products unique or market leading? | No, stock is the same as our competitors. We can pick and choose what styles to stock. | No |
| Have you got sufficient financial resources to fund any changes you would like to make? | No, we do trade profitably, but are not able to fund an expansion to a larger footprint store. | No |
| Do you have any cost advantages over your competitors? | No, rents are all pretty standard, you can save on rent but lose the foot traffic, so it is all relative. | No |
| Do you use superior technology in your business? | No | No |
| Is your business high volume? | No. We do sell a lot, but not as much as some of the larger retail stores. Our product is high quality, high margin and low volume in comparison | No |
| Can you scale up your volume if you need to? | Not really, orders are placed in advance, shop size is restrictive. | No |
| Intangible Strengths | | |
| Do you have or stock strong recognizable brands | Yes, though the brand space is becoming cluttered with more and more recognizable brands. Depleting the value of any one brand. | Yes |
| Your reputation - are you considered a market leader? or experts in your field? | No. | No |
| Do you have good relationship with your customers? (Goodwill) | Yes, we have a good connection with our customers, our email list grows and many customers advise they were referred to us by their mates. We get a lot of repeat customers. | Yes |
| Do you have strong relationships with your suppliers | Yes, though we are just another supplier to them. We are able to differentiate from our competitors. We have long term agreements in place with some suppliers to be their sole representative in this region. | Yes |
| Do you have a positive relationship with your employees | Yes, though we only have a few employees | No, our competitors also have good employee relations |
| Do you have any unique alliances with other businesses? | No, maybe our territory agreements with some suppliers. | No |
| Do you own any patents or proprietary technology? | No | No |
| Do you have a proven advertising process that works well? | Email newsletter with specials and new stock, seems to work for retaining customers. Most new customers were attracted to the shopping complex. | Yes |
| Do you have more experience in your field? | No | No |
| Are your managers highly experienced? | No | No |
| Do you have superior industry knowledge? | No, though we do have a good set of sales skills, particularly up selling and forming relationships. People feel good coming by and seeing us. | No |
| Are you involved with industry associations? | No | No |
| Is your business Innovative? | No, only in sales and relationship building. | No |
| Other Strengths | | |
| Current location | Current location in the center has high traffic, in an area with several other shops targeting the same market which draws people to the area | No |
| | Our innovation is in our sales technique and point of sale displays | Yes |

Summary

The key strengths for the business are

1. Unique brands protected by sole supply agreements

2. Successful relationship marketing, and

3. Innovative sales techniques

SWOT Analysis Examples: Weaknesses

| Possible Weaknesses | Response | Is it a Weakness? |
|---|---|---|
| Tangible Weaknesses | | |
| Is your plant and equipment old or outdated? | N/A | N/A |
| Is your product line too narrow? | Maybe, we only sell a few brands of men's clothing, we could stock more accessories, but we don't want to confuse the customer about what line of business we are in. | Maybe |
| Have you got insufficient financial resources to fund any changes you would like to make? | Yes, we often think about opening a bigger store, but the rent would be an issue if we did not get immediate sales | Yes |
| Do you have a high overall unit cost relative to your competitors? | No | No |
| Do you use inferior technology in your business? | No | No |
| Do you have low volume and are restricted in your ability to scale up? | Yes, it may take a few weeks to replenish stock, less early in the season. But late in the season our suppliers are often out of stock of the quick moving products | No, all retailers are in the same situation |
| Intangible Weaknesses | | |
| Do you have a weak or unrecognizable brand? | Yes, maybe our shop name is not a public recognizable brand but our stock is. Some of our competitors are franchise and everyone knows them | Yes |
| Do you have a weak or unrecognizable image? | No, our shop frontage tends to draw people in | No |
| Do you have a poor or impersonal relationship with your customers? | No, we have great relationships with our customers | No |
| Do you have a poor relationship with your suppliers? | No | No |
| Do you have a poor relationship with your employees? | No | No |
| Is your marketing failing to meet objectives? | No | No |
| Are your managers inexperienced? | Yes, I have less than 2 years in Retail | Yes |
| Do you have low R&D? | N/A | N/A |
| Do you lack industry knowledge? | Yes, maybe | Yes |
| Do you lack innovative skills? | No | No |
| Other Weaknesses | | |
| Specify | None | |

Summary

The key weaknesses for the business are

1. Small store size and inability to find an expansion, resulting in stocking

a limited product range

2. Shop name is not well known

3. Manager has limited industry experience and industry knowledge

SWOT Analysis Examples: Opportunities

| Possible Opportunities | Response | Is it an Opportunity? |
|---|---|---|
| Industry Opportunities | | |
| Can you expand your product range? | Yes, there are no contractual restrictions to us adding products to the store, store size is an issue | Yes |
| Can you diversify your business interests? | Maybe, if we had the funds | No |
| Can you expand into your customer's field? | No, the customer is the consumer | No |
| Can you expand into your supplier's field? | Yes, I don't have the skills to establish an import business | Yes |
| Can you expand your customer base? (Geographically or through new products) | Maybe, through internet sales and mail order, maybe open another location | Yes |
| Do you have placid competitors? | Yes, there is not a lot of competitive advertising in our niche, and price is not so much of an issue to our customers | Yes |
| Do you have any export opportunities? | No, we import | No |
| Will the total market for your products grow? | Yes, but not significantly | No |
| Macro Opportunities | | |
| Are there any favorable changes to legislation pending | No | No |
| Will there be any changes to any import/export constraints that will be favorable for your business? | No, almost all clothing is imported, there is little domestic production and a lack of ability for domestic producers to scale up. Any changes will impact all retail outlets equally. | No |
| Is the economic outlook favorable? | No, however this may play favorably to our business as our target market might postpone larger expenses; as a result a greater share of purse may be allocated to clothing – this is yet to be proven. | No |
| Are there any favorable cultural shifts that will benefit you? | Due to increases in housing prices our target customer has opted to postpone taking on longer term debt. Instead to remain in the "nest" for longer. This trend increases their customer life for our products. | Yes |
| Are there any changes in the use of technology that your business can utilize such as Ecommerce or Internet sales? | Use of internet to increase marketing and online sales. | Yes |
| Other Opportunities | | |

Summary

The key opportunities for the business are

1. Backward integration in the supply chain to include importing

directly

2. Increased geographic coverage

3. Leverage the growth of the internet to enhance business

4. Increased customer life: was 18 – 24 year old males, now 18 – 29 year old males

SWOT Analysis Examples: Threats

| Possible Threats | Response | Is it a threat? |
|---|---|---|
| Industry Threats | | |
| Will low cost imports impact your business? | No, our shop appeals to the middle income bracket who are not interested in low cost alternatives. Though high quality low cost imports will increase our margin. | No |
| Do consumers have a choice to use a substitute product? | Yes, many other products in the category | No |
| Are substitute product sales increasing? | No more than ours, the market share is reasonably consistent | No |
| Is your market in slow growth or in decline? | No, our market is relatively stable, maybe slight growth | No |
| Is the power of your customers or suppliers growing, can they dictate price? | No, maybe one supplier is trying to increase prices above CPI, but we can stop selling their stock and shift to another supplier of a similar quality product | No |
| Are the needs of your buyers changing? | Yes, every season fashion changes, however the need for medium quality products remains unchanged. | Yes |
| Macro Threats | | |
| Will foreign exchange rate changes affect your imports or exports? | Yes, declining dollar will impact us, and all others in our industry, may also reduce sales if we pass price on to customer | Yes |
| Are there any changes in demographics that will impact your business | Maybe an increase in awareness about the behavior of governments of low cost producing nations may eventually impact our supply chain. | No |
| Is regulation in your industry increasing? | No | No |
| Other Threats | | |
| Rent | Rent can go up reducing our margins | Yes |
| Location | Our rental contract allows the center to move our business location, if they believe another business will make them more profits. | Yes |

Summary

The key threats for the business are

1. Changing fashion trends may shift consumer interest in our

product range

2. Exchange rate variation may impact costs

3. Rents increasing above CPI putting pressure on our margins

4. Center owner shifting us within the center

SWOT Analysis Examples

Summary – Retail Clothing Business

Internal

| Strengths | Weaknesses |
|---|---|
| 1. Unique brands protected by sole supply agreements | 1. Small store size and inability to find an expansion, resulting in stocking a limited product range |
| 2. Successful relationship marketing, and | 2. Manager has limited industry experience and industry knowledge |
| 3. Innovative sales techniques | |

External

| Opportunities | Threats |
|---|---|
| 1. Backward integration in the supply chain to include importing directly | 1. Changing fashion trends may shift consumer interest in our product range |
| 2. Increased geographic coverage | 2. Exchange rate variation may impact costs |
| 3. Leverage the growth of the internet to enhance business | 3. Rents increasing above CPI putting pressure on our margins |
| 4. Increased customer life: was 18 – 24 year old males, now 18 – 29 year old males | 4. Center owner shifting us within the center |

*http://www.whatmakesagoodleader.com/swot_analysis_examples.html

4.4. Web Business SWOT Analysis

It is often said that the web is the great equalizer, so let's look at a SWOT for a web business that sells toys online. (Fictional Business created for an MBA Class)

Internal

| Strengths | Weaknesses |
|---|---|
| 1. Global reach of business | 1. No shop front to accept returns |
| 2. Low cost to maintain and enhance the site, not restricted by foot print | 2. People need to find our site, there is no other marketing |
| 3. Stock is recognized brands | 3. Lack of shop brand recognition |
| 4. Purchase price can be less than off line shops | 4. Hard to scale up to respond to peaks and troughs in demand |
| 5. Strong competition for warehousing and distribution keeps costs down | 5. Limited financial capital to fund web site optimization |
| 6. Easy to remain in touch and build relationships with customers (Email, SMS, webzine) | 6. Larger or heavy toys have high delivery cost diminishing the online price advantage. |
| 7. Use existing distribution networks (Postage) | 7. Low web development skills in house; we are reliant on outsourcing |

External

| Opportunities | Threats |
|---|---|
| 1. Established traffic and high number of repeat customers may enable increased sales through the addition of complementary product lines | 1. The internet has no barriers to entry which means a better financed business or an established retail business may seek to compete in this niche. |
| 2. Increased use of the internet for shopping with the 18 to 35 age group suggests that additional sales may come from stocking toys for this age group | 2. eBay and other online auction sites have traders selling similar products |
| 3. Improve organic search ranking to reduce advertising costs | 3. Buyer reluctance to shop over the net (Diminishing) |
| | 4. Quality issues from overseas suppliers damaging the reputation of brands we sell |
| | 5. Larger business with greater buying power may undercut our prices to gain online market share |

Sample SWOT Analysis Summary

Trading online has become quite competitive, with Search Engine Optimization critical to a business's online success. Whilst an internet business can undercut traditional retail businesses, once the online business exceeds the "run from home" size it begins to incur additional warehousing and distribution costs.

Instead of large growth in traffic the business may prefer to look at

slow growth combined with additional products to increase overall

revenue per customer.

The business would do well to identify multiple potential suppliers to

offset any risk from their current suppliers.

CHAPTER 6

GLOSSARY

TECHNOLOGY

“Technology is the knowledge applied to the creation of goods, provision of services, and improvement of our stewardship of precious and finite resources.” Technology can also be described as the means by which organizations apply understanding of the natural world to the solution of practical problems. Technology is the combination of “hardware” such as buildings and equipment and “software” consisting of skills, knowledge and experience. For technology to be successful it must be applied and maintained.

CLASSIFICATION OF TECHNOLOGY

Technology can be classified in several ways. The following classifications are important in establishing a common vocabulary.

New technology

New technology is any newly introduced or implemented technology that has an explicit impact on the way an organization produces products or provides services. The technology does not have to be new to the world, only to the organization. The technology could have been developed years before and used by others, but it is classified as new whenever introduced for the first time in a new situation. New technology has a profound effect on improving productivity and maintaining a competitive business enterprise

Emerging technology

Emerging technology is any technology that is not yet fully commercialized but will become so within about five years. This technology may be currently in limited use but is expected to evolve significantly, for example genetic engineering, nano-technology, superconductivity, and the Internet. Emerging technologies create new industries and may make existing industries obsolete. Emerging technologies have the potential of triggering large changes in institutions and in society itself.

High technology

High technology refers to advanced or sophisticated technologies. High technologies are utilized by a wide variety of industries having certain characteristics. A company is classified as high-tech when it has the following characteristics:

· It employs highly educated people;
· Its technology is changing at a faster rate than that of other industries;
· It competes with technological innovation;
· It has high levels of research-and-development expenditure;
· It has the potential to use technology for rapid growth; and
· Its survival is threatened by the emergence of competing technology.

Low technology

Low technology refers to technologies that are used extensively by society. Low technologies are utilized by a wide variety of industries and have the following characteristics:

· They employ people with relatively low levels of education or skill;
· They use manual or semiautomatic operations;
· They have low levels of research expenditure;
· The technology base used is stable with little change; and
· Products produced are mostly of the type that satisfies basic human needs, such as food, shelter, clothing, and basic human services.

Medium technology

Medium technology consists of a wide set of technologies that fall between high and low technologies. It refers to mature technologies that are more amenable than others to technology transfer. Examples of industries in this category are consumer products and the automotive industry.

Appropriate technology

Appropriate technology is used to indicate a good match between the technology utilized and the resources required for its optimal use. The technology could be on a low, medium, or high level. The use of high technology when there is a lack of necessary infrastructure or skilled personnel would not make sense. Utilizing the appropriate level of technology results in better use of labor resources and better production efficiency.

Codified versus tacit technology

Technology in coded form can be preserved and effectively transferred among users. A computer program of an optimization algorithm is a codified form that preserves and transmits knowledge about that algorithm. Tacit technology is non-articulated knowledge. It is based on experiences and therefore remains within the minds of its developers. The technology developers are the ones who have the knowledge in question. Tacit knowledge is transmitted by demonstration or observation, followed by assimilation by those who seek the knowledge. Transfer of tacit technology occurs by close contact and interaction between the sources and the host. Codified technology allows people to know how technology works but not necessarily why it works in a certain way. The brainwave is part of the tacit knowledge kept in the minds of developers and shaped by experiences during the development process. Transfer of technology is easier when the technology is in a codified form. It is hard, less precise, and more time-consuming to transfer tacit technology. A complete mastery of the technology requires an understanding of both the explicit codified knowledge and the non-explicit tacit knowledge.

Stages Of Technology Development

Organized technological development follows a hierarchical progression: (1) Basic research, (2) Applied research, (3) Development, and (4) Technology enhancement.

COMPETITIVE ADVANTAGES

A business is said to have a competitive advantage when it has core competencies that are difficult to imitate by the competition. Competitive advantages can be time bound as new technology can narrow the gap between the organization and competition.

MANAGEMENT OF TECHNOLOGIES

Management of technologies is an interdisciplinary field that integrates science, engineering and management knowledge and practice. The focus is on technology as primary factor in the creation of wealth. Wealth is not only money but is intellectual capital, effective exploitation of resources and enhancement of knowledge.

TECHNOLOGY PLANNING

Technology planning is a component of corporate business planning. Strategic information technology planning assists with the awareness, evaluation, and deployment of current and evolving information technologies. Technology planning is a critical element for the organization.

DEFINITIONS OF TECHNOLOGY AUDITS

A technology audit is an analysis of a company's operations with the purpose of identifying opportunities to increase profitability. The audit accommodates the needs of individual manufacturers and emphasizes the importance of appropriate technology and systems (www.reuters.com). A technology audit is a thorough investigation into a particular technology. It will be an independent and confidential review of a technology, which will allow the company to realize the organization’s potential, select an appropriate exploitation route for the technology and find appropriate sources of future funding (www.southwest-irc.org.uk).

TECHNOLOGICAL STRATEGY

In the process of designing a technological strategy it may come in handy to answer the following questions:

· What is the scope and frequency of technical activities? When can they be performed?
· Will the scheduled changes apply to product innovation, process innovation or both?
· Will the company adopt a pioneering or imitative strategy?
· What will be the primary source of innovation (company's own or from the surrounding entities)?
· What is the feasible and economically justified level of expenditure for particular innovations (financial sources – outside, inside)?
· To what extent should company's own research capabilities be developed?
· What will be the consequences of innovation and technology transfer for the organization services, changes to production management and supply system?
· How will the company protect its intellectual and inventive property?

ADD VALUE

The internal audit activity adds value to the organization (and its stakeholders) when it provides

objective and relevant assurance, and contributes to the effectiveness and efficiency of

governance, risk management, and control processes.

ADEQUATE CONTROL

Adequate control is present if management has planned and organized (designed) in a manner

that provides reasonable assurance that the organization's risks have been managed effectively

and that the organization's goals and objectives will be achieved efficiently and economically.

ASSURANCE SERVICES

An objective examination of evidence for the purpose of providing an independent assessment

on governance, risk management, and control processes for the organization. Examples may

include financial, performance, compliance, system security, and due diligence engagements.

BOARD

A board is an organization's governing body, such as a board of directors, supervisory board,

head of an agency or legislative body, board of governors or trustees of a nonprofit

organization, or any other designated body of the organization, including the audit committee

to whom the chief audit executive may functionally report.

CHARTER

The internal audit charter is a formal document that defines the internal audit activity's

purpose, authority, and responsibility. The internal audit charter establishes the internal audit

activity's position within the organization; authorizes access to records, personnel, and physical

properties relevant to the performance of engagements; and defines the scope of internal audit

activities.

CHIEF AUDIT EXECUTIVE

Chief audit executive describes a person in a senior position responsible for effectively managing

the internal audit activity in accordance with the internal audit charter and the Definition of

Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others

reporting to the chief audit executive will have appropriate professional certifications and

qualifications. The specific job title of the chief audit executive may vary across organizations.

CODE OF ETHICS

The Code of Ethics of The Institute of Internal Auditors (IIA) consists of Principles relevant to the

profession and practice of internal auditing, and Rules of Conduct that describe behavior

expected of internal auditors. The Code of Ethics applies to both parties and entities that provide

internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the

global profession of internal auditing.

COMPLIANCE

Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

CONFLICT OF INTEREST

Any relationship that is, or appears to be, not in the best interest of the organization. A conflict

of interest would prejudice an individual's ability to perform his or her duties and responsibilities

objectively.

CONSULTING SERVICES

Advisory and related client service activities, the nature and scope of which are agreed with the

client, are intended to add value and improve an organization's governance, risk management,

and control processes without the internal auditor assuming management responsibility.

Examples include counsel, advice, facilitation, and training.

CONTROL

Any action taken by management, the board, and other parties to manage risk and increase the

likelihood that established objectives and goals will be achieved. Management plans, organizes,

and directs the performance of sufficient actions to provide reasonable assurance that

objectives and goals will be achieved.

CONTROL ENVIRONMENT

The attitude and actions of the board and management regarding the importance of control

within the organization. The control environment provides the discipline and structure for the

achievement of the primary objectives of the system of internal control. The control

environment includes the following elements:

Integrity and ethical values.

Management's philosophy and operating style.

Organizational structure.

Assignment of authority and responsibility.

Human resource policies and practices.

Competence of personnel.

CONTROL PROCESSES

The policies, procedures, and activities that are part of a control framework, designed to ensure

that risks are contained within the risk tolerances established by the risk management process.

ENGAGEMENT

A specific internal audit assignment, task, or review activity, such as an internal audit, control

self-assessment review, fraud examination, or consultancy. An engagement may include

multiple tasks or activities designed to accomplish a specific set of related objectives.

ENGAGEMENT OBJECTIVES

Broad statements developed by internal auditors that define intended engagement

accomplishments.

ENGAGEMENT WORK PROGRAM

A document that lists the procedures to be followed during an engagement, designed to achieve

the engagement plan.

EXTERNAL SERVICE PROVIDER

A person or organization outside of the organization that has special knowledge, skill, and

experience in a particular discipline.

FRAUD

Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not

dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and

organizations to obtain money, property, or services; to avoid payment or loss of services; or to

secure personal or business advantage.

GOVERNANCE

The combination of processes and structures implemented by the board to inform, direct,

manage, and monitor the activities of the organization toward the achievement of its

objectives.

IMPAIRMENT

Impairment to organizational independence and individual objectivity may include personal

conflict of interest, scope limitations, restrictions on access to records, personnel, and

properties, and resource limitations (funding).

INDEPENDENCE

The freedom from conditions that threaten the ability of the internal audit activity to carry out

internal audit responsibilities in an unbiased manner.

INFORMATION TECHNOLOGY CONTROLS

Controls that support business management and governance as well as provide general and

technical controls over information technology infrastructures such as applications, information,

infrastructure, and people.

INFORMATION TECHNOLOGY GOVERNANCE

Consists of the leadership, organizational structures, and processes that ensure that the

enterprise's information technology supports the organization's strategies and objectives.

INTERNAL AUDIT ACTIVITY

A department, division, team of consultants, or other practitioner(s) that provides independent,

objective assurance and consulting services designed to add value and improve an

organization's operations. The internal audit activity helps an organization accomplish its

objectives by bringing a systematic, disciplined approach to evaluate and improve the

effectiveness of governance, risk management and control processes.

INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK

The conceptual framework that organizes the authoritative guidance promulgated by the IIA.

Authoritative Guidance is comprised of two categories –

(1) mandatory and

(2) strongly recommended.

MUST

The Standards use the word "must" to specify an unconditional requirement.

OBJECTIVITY

An unbiased mental attitude that allows internal auditors to perform engagements in such a

manner that they believe in their work product and that no quality compromises are made.

Objectivity requires that internal auditors do not subordinate their judgment on audit matters to

others.

RESIDUAL RISK

The risk remaining after management takes action to reduce the impact and likelihood of an

adverse event, including control activities in responding to a risk.

RISK

The possibility of an event occurring that will have an impact on the achievement of objectives.

Risk is measured in terms of impact and likelihood.

RISK APPETITE

The level of risk that an organization is willing to accept.

RISK MANAGEMENT

Processes to identify, assess, manage, and control potential events or situations to provide

reasonable assurance regarding the achievement of the organization's objectives.

SHOULD

The Standards use the word "should" where conformance is expected unless, when applying

professional judgment, circumstances justify deviation.

SIGNIFICANCE

The relative importance of a matter within the context in which it is being considered, including

quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact.

Professional judgment assists internal auditors when evaluating the significance of matters

within the context of the relevant objectives.

STANDARD

A professional pronouncement promulgated by the Internal Audit Standards Board that

delineates the requirements for performing a broad range of internal audit activities, and for

evaluating internal audit performance.

ASSESSMENT – the evaluation process used to measure the performance or effectiveness of a system and its elements. As used here, assessment is an all-inclusive term used to denote any of the following: audit, performance evaluation, management review, peer review, inspection, or surveillance.

AUDIT – a systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives.

AUDITEE – the organization being assessed.

AUDITOR – a person qualified to perform audits.

AUDIT OF DATA QUALITY (ADQ) – an examination of data after they have been collected to determine how well the measurement system performed with respect to the data quality goals specified in the quality assurance project plan. ADQs entail tracing data through processing steps and duplicating intermediate calculations and focus on identifying a clear, logical connection between the steps.

BLIND SAMPLE – a subsample submitted for analysis with a composition and identity known to the submitter but unknown to the analyst. Blind samples are used to test the analyst’s or laboratory’s proficiency in the execution of the measurement process. Samples may be either single blind (the analyst knows the sample is a PE sample but does not know what analyses at what concentrations it contains) or double-blind (the analyst does not know the sample is a PE sample).

CLIENT – any individual or organization for whom items or services are furnished or work is performed in response to defined requirements and expectations. Compare with user below.

CONTRACTOR – any organization or individual that contracts to furnish services or items or perform work; a supplier in a contractual situation.

CORRECTIVE ACTION – an action taken to eliminate the causes of an existing nonconformance, deficiency, or other undesirable situation in order to prevent recurrence.

DATA QUALITY ASSESSMENT (DQA) – a scientific and statistical evaluation of validated data to determine if the data are of the right type, quality, and quantity to support their intended use.

DATA QUALITY INDICATORS (DQIs) – quantitative statistics and qualitative descriptors used to interpret the degree of acceptability or utility of data to the user. The principal DQIs are bias, precision, accuracy, comparability, completeness, and representativeness.

DATA QUALITY OBJECTIVES (DQOs) – qualitative and quantitative statements derived from the DQO Process that clarify study technical and quality objectives, define the appropriate type of data, and specify tolerable levels of potential decision errors that will be used as the basis for establishing the quality and quantity of data needed to support.

DEFICIENCY – an unauthorized deviation from acceptable procedures or practices, or a defect in an item.

ENVIRONMENTAL DATA – any measurement or information that describes environmental processes, location, or conditions; ecological or health effects and consequences; or the performance of environmental technology. For EPA, environmental data include information collected directly from measurements, produced from models, and compiled from other sources such as databases or the available literature.

Aspects of the project, Such persons may be referred to as project manager, project officer, work.

EXTRAMURAL AGREEMENT – a legal agreement between EPA and an organization outside EPA for items or services to be provided. Such agreements include contracts, work assignments, delivery orders, task orders, cooperative agreements, research grants, State and local grants, and EPA funded interagency agreements.

FINDING – an assessment conclusion that identifies a condition having a significant effect on an item or activity. An assessment finding may be positive or negative, and is normally accompanied by specific examples of the observed condition.

GOOD LABORATORY PRACTICES (GLPs) – a quality system concerned with the organizational process and the conditions under which nonclinical health and environmental safety studies are planned, performed, monitored, archived, and reported.

GRADED APPROACH – the process of basing the level of application of managerial controls applied to an item or work product according to the intended use of the results and the degree of confidence needed in the quality of the results.

GUIDELINE – a suggested practice that is non-mandatory in programs intended to comply with a standard.

INDEPENDENT ASSESSMENT – an assessment performed by a qualified individual, group, or organization that is not a part of the organization directly performing and accountable for the work being assessed.

INSPECTION – an examination such as measuring, examining, testing, or gauging one or more characteristics of an entity and comparing the results with specified requirements in order to establish whether conformance is achieved for each characteristic.

LEAD AUDITOR – an individual qualified to organize and direct a technical assessment, to report

assessment findings and observations, and to evaluate corrective actions.

MANAGEMENT SYSTEM – a structured, nontechnical system describing the policies, objectives, principles, organizational authority, responsibilities, accountability, and implementation plan of an organization for conducting work and producing items and services.

NONCONFORMANCE – a deficiency in characteristic, documentation, or procedure that renders the quality of an item or activity unacceptable or indeterminate; nonfulfillment of a specified requirement.

OBJECTIVE EVIDENCE – any documented statement of fact, other information, or record, either quantitative or qualitative, pertaining to the quality of an item or activity, based on observations, measurements, or tests which can be verified.

OBSERVATION – an assessment conclusion that identifies a condition (either positive or negative) which does not represent a significant impact on an item or activity. An observation may identify a condition which does not yet cause a degradation of quality.

ORGANIZATION – a company, corporation, firm, enterprise, or institution, or part thereof, whether incorporated or not, public or private, that has its own functions and administration.

PEER REVIEW – a documented critical review of work by qualified individuals (or organizations) who are independent of those who performed the work, but are collectively equivalent in technical expertise. A peer review is conducted to ensure that activities are technically adequate, competently performed, properly documented, and satisfy established technical and quality requirements. The peer review is an in-depth assessment of the assumptions, calculations, extrapolations, alternate interpretations, methodology, acceptance criteria, and conclusions pertaining to specific work and of the documentation that supports them.

PERFORMANCE EVALUATION (PE) – a type of audit in which the quantitative data generated in a measurement system are obtained independently and compared with routinely obtained data to evaluate the proficiency of an analyst or laboratory.

PERFORMANCE EVALUATION (PE) SAMPLE – a sample that mimics actual samples in all possible aspects, except that its composition is known to the auditor and unknown to the auditee. PE samples are provided to test whether a measurement system can produce analytical results within specified performance goals. See also BLIND SAMPLE and PERFORMANCE EVALUATION.

PROCESS – a set of interrelated resources and activities that transforms inputs into outputs. Examples of processes include analysis, design, data collection, operation, fabrication, and calculation.

PROGRAM – any work involving the environment, including characterization of environmental processes and conditions; environmental monitoring; environmental research and development; design, construction, and operation of environmental technologies; and laboratory operations on environmental samples.

PROJECT – an organized set of activities within a program.

PROJECT MANAGER – the individual in the auditee who has responsibility and accountability for planning and implementing the project and who has authority to implement corrective action.

PROJECT QUALITY ASSURANCE MANAGER – the individual in the auditee who has responsibility for planning, documenting, coordinating, and assessing the effectiveness of the quality system for the auditee.

QUALITY – the totality of features and characteristics of a product or service that bears on its ability to meet the stated or implied needs and expectations of the user.

QUALITY ASSURANCE (QA) – an integrated system of management activities involving planning, implementation, documentation, assessment, reporting, and quality improvement to ensure that a process, item, or service is of the type and quality needed and expected by the client.

QUALITY ASSURANCE MANAGER – the individual designated as the principal manager within the organization having management oversight and responsibility for planning, documenting, coordinating, and assessing the effectiveness of the quality system for the organization.

QUALITY ASSURANCE PROJECT PLAN – a document describing in comprehensive detail the necessary QA and QC and other technical activities that must be implemented to ensure that the results of the work performed will satisfy the stated performance criteria.

QUALITY CONTROL (QC) – the overall system of technical activities that measures the attributes and performance of a process, item, or service against defined standards to verify that they meet the stated requirements established by the customer; operational techniques and activities that are used to fulfill requirements for quality.

QUALITY MANAGEMENT – that aspect of the overall management system of an organization that determines and implements the quality policy. Quality management includes strategic planning, allocation of resources, and other systematic activities (e.g., planning, implementation, documentation, and assessment) pertaining to the quality system.

QUALITY MANAGEMENT PLAN (QMP) – a document that describes the quality system in terms of the organizational structure, policy and procedures, functional responsibilities of management and staff, lines of authority, and required interfaces for those planning, implementing, documenting, and assessing all activities conducted.

QUALITY SYSTEM – a structured and documented management system describing the policies, objectives, principles, organizational authority, responsibilities, accountability, and implementation plan of an organization for ensuring quality in its work processes, products (items), and services. The quality system provides the framework for planning, implementing, documenting, and assessing work performed by the organization and for carrying out required QA and QC activities.

QUALITY SYSTEM AUDIT – a documented activity performed to verify, by examination and evaluation of objective evidence, that applicable elements of the quality system are suitable and have been developed, documented, and effectively implemented in accordance with specified requirements.

READINESS REVIEW – a systematic, documented review of the readiness of the start-up or continued use of a facility, process, or activity. Readiness reviews are typically conducted before proceeding beyond project milestones and prior to initiation of a major phase of work.

SAMPLING AND ANALYSIS PLAN (SAP) – a detailed document describing the procedures used to collect, preserve, handle, ship, and analyze samples for detection or assessment monitoring

parameters. The plan should detail all chain-of-custody and QA and QC measures that will be implemented to ensure that sample collection, analysis, and data presentation activities meet the prescribed requirements.

SELF-ASSESSMENT – an assessment of work conducted by individuals, groups, or organizations directly responsible for overseeing and/or performing the work.

STANDARD OPERATING PROCEDURE (SOP) – a written document that details the method for an operation, analysis, or action with thoroughly prescribed techniques and steps; a procedure that is officially approved as the method for performing certain routine or repetitive tasks.

SURVEILLANCE – continual or frequent monitoring and verification of the status of an entity and the analysis of records to ensure that specified requirements are being fulfilled.

TECHNICAL ASSESSMENT – a systematic and objective examination of a project to determine whether environmental data collection activities and related results comply with the project’s QA Project Plan, whether the activities are implemented effectively, and whether they are sufficient and adequate to achieve the QA Project Plan’s data quality goals. Technical assessments document the implementation of the QA Project Plan.

TECHNICAL SPECIALIST – an active participant in a technical assessment who has specialized technical knowledge of the project being assessed and basic knowledge of assessment techniques and procedures.

TECHNICAL SYSTEMS AUDIT (TSA) – a thorough, systematic, on-site, qualitative audit of facilities, equipment, personnel, training, procedures, recordkeeping, data validation, data management, and reporting aspects of a system.

WEAKNESS – a negative assessment finding (i.e., a nonconformance) that does not necessarily result in unacceptable data.

AUDIT CRITERIA – The auditor should clarify the specific explicit or implicit criteria against which evidence collected will be evaluated. Criteria are explicit when they are clearly set out in policies, manuals, standard operating procedures, standards, laws and/or regulations. Where management has not yet established goals and objectives or determined the controls needed in a particular area, it may be necessary to develop implicit criteria based on what management considers to be satisfactory performance standards or industry best practices. The acceptability of implicit criteria should always be confirmed with the audited entity. Conducting an audit without agreeing the criteria may result in conclusions and recommendations that may not be accepted by the audited entity and lead to wasted audit effort and fruitless arguments.

ANALYSIS AND EVALUATION OF DATA – After data is collected, it should be analyzed and evaluated. Analysis means breaking down data/activities/processes into smaller, more manageable parts to determine attributes, relationships, cause, effect, etc. and make inferences or determine whether further examination is required. Evaluation is the systematic determination of the merit, worth, or significance of the subject matter to arrive at a judgment in terms of adequacy, efficiency or effectiveness.

ANALYSIS OF OTHER DATA AND PROCESSES

The principles applied in analyzing financial data can also be utilized in examining other data, activities and processes. Directives, policies, contracts etc. may be analyzed to determine their significant elements, and these assessed against best practices, standards or benchmarks. The work of committees/teams/working groups may be analyzed to determine their mandate, functions, areas of responsibility, reporting lines, frequency of meetings and how decisions are implemented. By breaking activities into their composite elements, auditors may conduct analyses by observing trends, making comparisons and isolating unusual transactions and conditions for follow-up.

EVALUATION

Evaluation is a means of arriving at a professional judgment. As auditors compare circumstances observed against relevant criteria, they evaluate the significance of any variance and determine whether corrective action is necessary. The analysis and evaluation of evidence obtained should give rise to issues (positive and negative), which OIOS wishes to report to management. Auditors should draw conclusions for each audit objective.

RECORDING INFORMATION DURING THE AUDIT

Auditors should record all elements of the assignment in Auto Audit, in accordance with the format THE AUTOAUDIT FILE should be restricted to matters that are relevant to the audit. The file should be detailed enough to enable an experienced auditor, having no previous connection with the audit, to understand the (i) nature, timing, and extent of the audit procedures performed; (ii) results of the procedures and the audit evidence obtained; and (iii) significant matters arising during the audit and the conclusions

AUDIT FINDINGS

OIOS auditors should report audit findings, i.e. significant deviations from relevant criteria, to management so that corrective action can be taken. A reportable finding is a significant condition which:

a. Warrants the attention of management;

b. Is documented by facts, not opinions, and by evidence that is sufficient, competent and relevant;

c. Is objectively developed without bias or preconceived ideas;

d. Is relevant to the issue involved; and

e. Is convincing enough to compel action to correct the defective condition [14].

Audit findings should contain the elements of criteria, condition, cause, effect and recommendation.

a. Criteria: The standards, measures, or expectations used in making an evaluation and/or verification (what should exist). The criteria should be credible, convincing and objective. They should be designed to meet a management goal.

b. Condition: The factual evidence that the internal auditor found in the course of the examination (what does exist). The condition should include sufficient information to promote an adequate understanding of the matter(s) being reported.

c. Cause: The reason for the difference between the expected and actual conditions, i.e. why the difference exists. The cause should be complete and go to the heart of the problem, not just the symptom.

d. Effect: The risk or exposure the organization and/or others encounter because the condition is not consistent with the criteria (the impact of the difference). The effect should be logical and likely to occur.

e. Recommendations: Recommendations are based on the internal auditor’s observations and conclusions. They call for action to correct existing conditions or improve operations. Recommendations may suggest general or specific approaches to correcting or enhancing performance as a guide for management in achieving desired results. They should address the cause of the finding, be implementable and capable of being monitored.

FORMULATING RECOMMENDATIONS

The main objective of an audit is to provide assurance as to the efficiency and effectiveness of established internal controls, to develop recommendations for improving them, and to ensure compliance with the Organization’s regulations, rules and policies. Generally, audit recommendations are most effective and acceptable to the audited entity when they are:

a. Constructive and directed at improved or enhanced performance;

b. Directed at correcting the cause of the problem identified;

c. Action oriented in that they suggest specific steps that should be taken to change, modify, or otherwise perform some action;

d. Addressed to officials who are empowered to act;

e. Feasible, achievable, practical, cost effective;

f. Aiming to recover or save resources.

TECHNOLOGY-BASED AUDIT TECHNIQUES

Any automated audit tool, such as generalized audit software, test data generators,

computerized audit programs, specialized audit utilities, and computer-assisted audit

techniques.

APPENDIX I

SWOT Analysis Template [16]

Situation being analysed: ______________________

This SWOT example is for a new business opportunity. Many criteria can apply to more than one quadrant. Identify criteria appropriate to your own SWOT situation *.

Strengths (criteria examples)

Advantages of proposition? Capabilities? Competitive advantages? USP's (unique selling points)? Resources, Assets, People? Experience, knowledge, data? Financial reserves, likely returns? Marketing - reach, distribution, awareness? Innovative aspects? Location and geographical? Price, value, quality? Accreditations, qualifications, certifications? Processes, systems, IT, communications? Cultural, attitudinal, behavioural? Management cover, succession? Philosophy and values?

Weaknesses (criteria examples)

Disadvantages of proposition? Gaps in capabilities? Lack of competitive strength? Reputation, presence and reach? Financials? Own known vulnerabilities? Timescales, deadlines and pressures? Cashflow, start-up cash-drain? Continuity, supply chain robustness? Effects on core activities, distraction? Reliability of data, plan predictability? Morale, commitment, leadership? Accreditations, etc? Processes and systems, etc? Management cover, succession?

Opportunities (criteria examples)

Market developments? Competitors' vulnerabilities? Industry or lifestyle trends? Technology development and innovation? Global influences? New markets, vertical, horizontal? Niche target markets? Geographical, export, import? New USP's? Tactics: eg, surprise, major contracts? Business and product development? Information and research? Partnerships, agencies, distribution? Volumes, production, economies? Seasonal, weather, fashion influences?

Threats (criteria examples)

Political effects? Legislative effects? Environmental effects? IT developments? Competitor intentions - various? Market demand? New technologies, services, ideas? Vital contracts and partners? Sustaining internal capabilities? Obstacles faced? Insurmountable weaknesses? Loss of key staff? Sustainable financial backing? Economy - home, abroad? Seasonality, weather effects?

[16] http://www.businessballs.com/swotanalysisfreetemplate.htm

APPENDIX II

ISO/IEC 19770-1 Audit Checklist [17]

This checklist has been developed to be used in conjunction with ISO/IEC 19770-1

Information technology – Software asset management – Part 1: Processes (the ISO

Standard), and should not be used in isolation from this Standard. The checklist

has been developed to assist agencies to perform self-audits to monitor their

progress towards best practice in software license management*. The checklist

outlines elements that should be met in order to be fully compliant with the ISO

Standard. It may be used by Agencies to guide where improvements can be made

in managing software licensing. Each element may be audited separately to check

on progress towards maturity in specifically targeted areas; however, compliance

with all elements will ensure that the agency is aligned with industry best practice in

software license management.

The 'Evidence' section of the checklist outlines possible evidence that auditors

may consider when evaluating level of compliance. This list can be modified to

reflect individual agency requirements and is not intended as an exhaustive list.

This checklist includes elements that may not be relevant to every agency, and fall

outside the requirements of IS45 – for example, Software Development Process.

However, as they form part of ISO/IEC 19770-1 they have been included in the

checklist.

The timeframes and documentation requirements detailed in the checklist are those

specified by ISO/IEC 19770-1. Agencies may choose to modify the audit

schedule, and/or to limit their documentation, but should be aware that in doing so

they will not be considered to be operating at industry best practice levels.

The checklist mirrors the layout of the ISO Standard, and includes the section

numbering of the ISO Standard in brackets.

________________________________________________

[17] www.qgcio.qld.gov.au/.../Information%20Standards/.../Templates/ISO1977

APPENDIX III

ISO/IEC 19770-1 Audit Checklist [17]

Date of Audit:

Auditor/s:

Description | Evidence | Comment

CONTROL ENVIRONMENT FOR SAM (4.2)

Corporate Governance for SAM (4.2.2)

Clear corporate statement including:

1. legal entity or parts of legal entity

included in scope

2. specific single body or individual that

has overall corporate management

responsibility for that entity or parts of

that entity

existing software

contracts based on

specific organizational

scope; existence of ICT

boards

Responsibility for corporate governance of

software and related assets formally recognized

by corporate board or equivalent body

Hard copies of ICT

Board statements,

meeting minutes

Regulations and guidelines for software use

identified and documented and reviewed at

least annually

procedures; audit reports

Assessment of risks and management specified mitigation approaches, documented, updated

annually and approved by the Board or

equivalent, covering at least:

1. risk of regulatory non-compliance

2. risk of licensing non-compliance

3. risk of interruption of operations that

may result from inadequate SAM

4. risk of excessive spending on licensing

and other IT support

5. risk of centralized v non-centralized

management approaches for software

and related assets

6. risk associated with different countries

of operation

Management objectives of SAM are approved by

corporate board or equivalent body, and reviewed

at least annually.

SAM manual, position

paper or similar

Roles and Responsibilities for SAM (4.2.3)

The role of the SAM owner is clearly defined,

and includes responsibilities for:

1. proposing management objectives for SAM

2. Overseeing the development of the SAM

plan

3. Obtaining resources for implementing

the approved SAM plan

4. Delivering results against the SAM plan

SAM manual, PD’s,

Roles and

Responsibilities statement, SAM project

plan

Local roles and responsibilities for corporate

governance of software and related assets are

documented and assigned to specified individuals. Responsibilities assigned include:

1. obtaining resources for implementing the

SAM plan

2. delivering results against the SAM plan

3. adopting and implementing necessary

policies, procedures and processes

4. maintaining accurate records of software

and related assets

5. ensuring management and technical

approvals are required for procurement,

deployment and control of software

assets

6. managing contracts, supplier

relationships and internal customer

relationships

7. identifying and implementing

improvements

Responsibilities are communicated to all parts of

the organization

Policies, processes and procedures for SAM (4.2.4)

Demonstrated structured approach to creating,

reviewing, approving, issuing and controlling

policies, processes and procedures

Usually part of agency

wide document control

system, not unique to SAM

Policies and procedures organized by, or cross

reference, process classification in 19770

Documented policies covering at minimum:

1. Individual and corporate responsibilities

for corporate governance of software and

related assets

2. restrictions on personal use of corporate

assets and related software

3. requirement for compliance with legal

and regulatory requirements, including

copyright and data protection

4. procurement requirements

Review documents to

ensure all aspects are

included. May be

embedded in other

documents and policies

5. approvals for software installation or use

of software whether purchased or not

6. disciplinary implications of violation of

these policies

Policies communicated to all personnel in a way

which:

1. Reaches all new personnel when they start

2. Continuing personnel at least annually

3. Requires positive acknowledgement

4. Readily accessible at all times

Documentation can be in

any form of medium, and

may be in consolidated

documents, such as Code

of Conduct

Competence in SAM (4.2.5)

A review is documented and updated at least

annually which covers the availability and uptake

of training and certification by personnel with

SAM responsibilities for:

1. SAM in general

2. Licensing for software manufacturers

whose software is being used

Review and audit

records, training

schedules and registers,

audit records, software

licence registers

Annual review of ―proof of licence‖ Review records Personnel with SAM responsibilities receive

training in SAM and in relevant licensing including both initial training and formal

continuing education annually

Training records and

registers, roles and responsibilities registers

Annual review to ascertain what guidance is

available from software manufacturers to enable

compliance with their licences.

Review records

PLANNING AND IMPLEMENTATION OF SAM PROCESSES (4.3)

Planning for SAM (4.3.2)

Management objectives for SAM are developed and documented and updated at least annually, and include:
1. clear scope statement
2. clear specification of which policies, processes and procedures are required for assets in scope
3. clear explanation of the approach to managing, auditing and improving SAM
4. explanation of the approach to be used in identifying, assessing and managing issues and risks related to defined objectives
5. schedules and responsibilities for periodic activities, including management reports and performance of verification and compliance activities
6. identification of resources including budget
7. performance measures for tracking accomplishment against SAM plan, including target measures

An appropriate level of automation should be implemented to ensure that processes do not become inefficient, error prone, or not followed. Audit schedules, monthly reports, scope and specification documents, implementation plans

Plan approved by corporate body

Implementation plan

Implementation of SAM (4.3.3)

Mechanisms in place to collect information about changes, issues and risks

Issues and risk registers

Regular status reports (at least quarterly) detailing overall progress against SAM plan

Check reports go to Board or equivalent

Follow-up on variances is prompt and documented

Issues and risks reports, corrective action registers, or similar

Monitoring and review of SAM (4.3.4)

Formal review conducted at least annually:
1. Are management objectives for SAM and the SAM plan being achieved?
2. Summarize performance against all performance measures specified in SAM plan and SLA's related to SAM
3. summary of findings of Conformance verification
4. check policies effectively disseminated and implemented throughout agency
5. summarize exceptions and actions
6. identify opportunities for improvement

Annual audit reports, verification conformance reports, SLA's

Continual Improvement of SAM (4.3.5)

Mechanism in place to collect and record suggested improvements in SAM arising from all sources throughout the year.

Suggestions for improvement are periodically assessed, prioritized and approved for incorporation in SAM implementation and improvement plans

INVENTORY PROCESSES FOR SAM (4.4)

Software Asset Identification (4.4.2)

Types of assets to be controlled and the information associated with them are formally defined.

A register of stores and inventories exists, clarifying which stores and types of information are held

Software Asset Inventory Management (4.2.3)

Policies and procedures for management and maintenance of inventories and physical/electronic stores:
1. protection from unauthorized access, change or corruption
2. disaster recovery

Policy & procedure documents; access logs, secure sites

Inventories exist of:
1. All platforms on which software assets can be installed and run
2. All authorized software
3. Underlying licenses and effective full licenses held

Inventories, including package versions, update/patch status of software, platforms

Inventories and physical stores for:
1. Software (DSL)
2. Software builds and releases
3. Contracts relating to software assets

DSL should include master versions and distribution copies, hard-copy and electronic contracts

Methods exist to determine license usage based on criteria other than software installation

Inventories, metering results and reports, pc counts, number of users etc

Documented arrangements to ensure continued availability of sources listed above

Inventory reports produced have clear description including identity, purpose, details of data source

Hard copies of reports

Software Asset Control (4.2.4)

Audit trail is maintained of changes made to software and related assets

Audit trail should include change in status, location, custodianship and version

Policies and procedures for development, maintenance and management of software versions, images/builds and releases

Check policy and procedures exist and are current

Policies and procedures requiring that a baseline of appropriate assets is taken before release of software to live environment

These policies and procedures must ensure that baseline is taken in a manner that can be used for subsequent checking against actual deployment

VERIFICATION AND COMPLIANCE PROCESSES FOR SAM (4.5)

Software Asset Record Verification (4.5.2)

Procedures for software asset verification process include:
1. At least quarterly reconciliation
2. Hardware inventory including locations at least 6 monthly
3. Inventory of software programs verified at least 6 monthly
4. Inventory of software builds verified at least 6 monthly
5. Physical store of pool of proof of licence documentation verified at least annually
6. Effective licenses verified at least annually
7. Physical store of contractual documentation verified at least annually
8. Contracts inventory verified at least annually
9. Follow up corrective actions on discrepancies or issues documented

Check procedures are current; check inventory logs; corrective action registers; check licence pools, physical contractual documentation for accuracy

Software Licensing Compliance (4.5.3)

Procedures for software licensing compliance that include:
1. reconciliation at least quarterly between effective licenses and licenses owned
2. discrepancies identified, promptly recorded, analyzed and root cause determined

Ensure this includes particular license requirements based on other than installed copies, such as server access rights inventory logs

Follow up actions prioritized and executed

Check corrective action registers or similar

Software Asset Security Compliance (4.5.4)

Actual practice against policy is reviewed at least annually

Should include access controls on software definitive master versions and distribution copies of software; installation/user rights specified by user or user group

Follow up actions prioritized and executed

Check corrective action registers or similar

Conformance Verification for SAM (4.5.5)

Policies and procedures which ensure verification at least on sample basis annually against ALL requirements specified.

Internal Audit procedures should include SAM; audit schedules; audit reports

Documentary evidence exists that demonstrates verification procedures are being performed and corrective follow up action being taken

Corrective action registers and reports; internal audit reports

OPERATIONS MANAGEMENT PROCESSES AND INTERFACES FOR SAM (4.6)

Relationship and Contract Management for SAM (4.6.2)

Policies and procedures include:
1. Definitions of responsibilities for supplier management
2. Ensure invitations to tender include considerations for SAM
3. Formal documented review at least 6 monthly of supplier performance, achievements and issues

Check policies and procedures – may be embedded in other processes. Check invitation to tender documents. Check for documented conclusions and follow up of reviews to include actions taken

Policies and procedures include:
1. Responsibilities for managing customer-side business relationships with respect to software and related assets and services
2. Formal review at least annually of current and future software requirements of customers and business
3. Formal documented reviews at least annually of service provider performance, customer satisfaction, achievements and issues

Check policies and procedures – may be embedded in other processes. Check for documented conclusions and follow up of reviews to include actions taken

Policies and procedures include:
1. Ensuring contractual details are recorded in an on-going contract management system
2. Hard copies of signed contractual documentation to be held securely in document management system
3. Documented reviews at least 6 monthly and also prior to contract expiry.

Check policies and procedures – may be embedded in other processes. Check for documented conclusions and follow up of reviews to include actions taken. May be either a manual or electronic system

Financial Management for SAM (4.6.3)

Definitions of financial information relevant to the management of software and related assets are agreed and documented

Asset types used in financial management should be aligned with or mapped to the asset types used in SAM if they are different

Formal budgets are developed for acquisition of software

ICT planning and budget documents

Actual expenditure on software assets is accounted against budget

This should include related infrastructure and support costs

Software asset values financial information documented and readily available

Formal documented reviews at least quarterly of actual expenditure against budget

Service Level Management for SAM (4.6.4)

SLAs and supporting agreements to include:
1. Services relating to software acquisition, installation, moves, and changes – with SL targets and workload characteristics
2. Customer and user obligations and responsibilities defined or referenced from SLA

Check SLA's, either in hardcopy or electronic. These SLA's may cover more than just the SAM elements

Actual workloads and service levels against targets for SAM are reported at least quarterly and reasons for non-conformance documented

Check reports, registers

Reviews at least quarterly of performance against service levels

Check reports, registers

Security Management for SAM (4.6.5)

Formal policy developed regarding security/access restrictions to all SAM resources, including physical/electronic stores of software

Access controls are specified, both physical and logical, to enforce the approval requirements of SAM policies

Documentary evidence that controls are implemented in practice

Access logs, registers

LIFECYCLE PROCESS INTERFACES FOR SAM (4.7)

Change Management Process (4.7.2)

Formal process for change management that includes:
1. Change requests identified and recorded
2. Change requests are assessed for possible impacts, prioritized and approved by the responsible management
3. The change is made only in accordance with the approval
4. All changes affecting software or related assets or services or SAM processes are recorded
5. The success or failure of changes is documented and reviewed

Acquisition Process (4.7.3)

Standard architectures are defined for the provision of software services

Standard software configurations are defined, as are the criteria for deviating from those standards

Policies and procedures for requisitioning and ordering software and related assets, include:
1. How requirements are specified
2. Management and technical approvals required
3. Use/redeployment of existing licenses if available
4. Recording future purchase requirements in those cases where software can be deployed before reporting and payment

Policies and procedures for receipt processing functions related to software and related assets, include:
1. Processing invoices, reconciliations and retention of copies for license management purposes
2. Ensuring receipt and safe keeping of valid proof of license
3. Processing incoming media – verification, record-keeping and safe keeping

This may include checking authenticity of proof of license

Include safe keeping of both physical and electronic copies

Software Development Process (4.7.4)

Formal process for software development that includes consideration of:
1. Standard architectures and standard configurations
2. License constraints and dependencies

Formal process for software development ensuring software products are placed under software asset control

Software Release Management Process (4.7.5)

Formal process for release management ensuring:
1. Controlled acceptance environment is used to build and test all proposed releases, including patches, prior to release
2. Frequency and type of releases are planned and agreed with business and customers, including frequency of security patch release
3. Planned release dates and deliverables are recorded with references to related change requests
4. Release of software and related assets is approved by the responsible management
5. Success or failure of releases is recorded and periodically reviewed

Software Deployment Process (4.7.6)

Policies and procedures for installing and distributing software include:
1. Distribution of software and related assets is approved by responsible management
2. Back out procedures or method of remediation in place for each deployment
3. Security requirements are complied with
4. Changes to status of the relevant software and related assets are recorded accurately and on a timely basis
5. Documented control to verify that what was deployed is the same as what was authorized.
6. Success or failure of deployments is recorded and periodically reviewed.

Check procedure documents
Check deployment plans and back out plans
Check security logs and registers
DSL's and registers
Deployment sign offs
Deployment logs (either manual or electronic)
Audit logs

Incident Management Process (4.7.7)

Formal process of incident management which includes:
1. All incidents that affect software or related assets or SAM processes are recorded and classified as to their priority for resolution
2. All such incidents are resolved in accordance with their priority for resolution, and resolution documented

This may be included as part of a larger incident management process

Problem Management Process (4.7.8)

Formal process of problem management which includes:
1. All incidents that affect software or related assets or services or SAM processes are recorded and classified as to their impact
2. High priority and repeat incidents are analyzed for the underlying causes and prioritized for resolution
3. Underlying causes are documented and communicated to incident management
4. Problems are resolved in accordance with their priority, and resolution recorded and communicated to incident management

Problem Management Process (4.7.9)

Policies and procedures for securely retiring software or hardware on which software is installed include:
1. Deployed copies of software are removed from retired hardware
2. Licenses and other assets which can be redeployed are identified for redeployment
3. Any assets transferred to other parties take into account confidentiality, licensing or other contractual requirements
4. Licensed and other assets which cannot be redeployed are properly disposed of
5. Records are updated to reflect the changes and audit trails maintained

Corrective Action/Improvement Suggestions Raised:


No. Details

Auditor: Signature:

Responsible Manager: Signature:

Document Details

Document Name ISO/IEC 19770-1 Audit Checklist

Version Number V0.1

Author SLM Program, QGCIO

Contact Details Iris Taylor (07) 3238 3597

Document Status Draft x DPW Release Final Version

Version Control

Version Number Date Reason/Comments

V0.1 14th March 2007 First Draft


APPENDIX IV

Template to use when writing an audit report

Table of Contents

Title



1. Executive Summary

A short abstract or executive summary here will help draw the reader's attention to important issues.

2. Background/Introduction

Give the Background – Explain why you are doing an audit – was it a response to concern or complaint, personal interest, national guidance, repeat of previous audit etc. Give the criteria and standards that you are using – Explain if you are auditing to national standards, such as NICE, NSF etc or to established good practice or to a locally agreed standard. e.g. "100% of A&E patients must be assessed within 4 hours (national standard)"

3. Aims & Objectives

This should state the aims and objectives of the audit and the question being asked of the audit. Objectives should be measurable, achievable, realistic and time limited.

4. Method

Give the methodology of your audit – you will want to describe both the size of your audit and how you selected those who were involved. e.g. "the first 10 patients attending the 13th May 2007 afternoon dental clinic were selected" or "20 notes of patients admitted to the ward in August 2007 were selected at random". Ideally, there should be sufficient information for a person reading your report to understand what you have done, and if need be, to repeat the audit themselves.

5. Results

Displaying the results

As a general rule the simplest ways of describing results are the best. Pie-charts to show the various proportions of responses or bar charts to compare one thing to another will work well. However, always give the raw numbers as well as the percentages otherwise it might be over-simplified to the point of being misleading.

e.g. Remember the advertising slogan, "8 out of 10 cats prefer it". This was a powerful statement indicating an 80% favourable rating,

Missing data

If you have missing data comment on why this happened. e.g. "questionnaires were given to 10 patients in the waiting room. However one patient said he had felt unwell and didn't feel he could finish the questionnaire. Sections 9 and 10 are therefore blank for this patient"

6. Conclusions

Keep your conclusions short and to the point e.g. 95% of patients were assessed within 48 hours

If you have had any problems with the audit, note them here.

7. Recommendations and Action plans

Make your suggestions as to how the service could be improved – either by yourself or others

8. Disseminating information and presenting results

Give feedback to all concerned stakeholders. Ensure that all those that need to know, know. Give positive feedback to all those involved. How are you going to communicate your findings to others i.e. Circulate the report, Newsletter, Intranet, Presentations, Open forums etc…

References

Acknowledgements

Give the name and profession of those involved in the Audit project

Appendix

Always attach your audit tool or questionnaire to your report as an appendix – this will save a lot of explanation.


Appendix V

Information Technology Audit Report

Alpha Beta Gama (ABC) Co Ltd

Internal Audit Group Division 2009

Audit Objectives:

To assess [Name of Company] compliance with the [Name of Standard] Standard

Overall conclusion:

Based on our observation we noted that the degree of compliance with [Name of Standard] varied among [Name of Company] and the three Institutes that we looked at. With the exception of business continuity planning, [Name of Company] is compliant with [Name of Standard]. However, the three Institutes were less compliant in key areas such as risk management and the certification and accreditation of their systems.

Summary of Findings:

The audit team noted a number of strengths with respect to compliance with [Name of Standard]. For example, [Name of Company] has specified the roles and responsibilities for managing IT security. It has also issued a comprehensive set of policies, procedures and standards for managing this function and instituted a security-awareness program for its employees. [Name of Company] screens staff to determine who will have access to which sensitive information, and has employed security zones. These zones partition the network and provide higher levels of security, depending on the sensitivity of information.

Detailed Findings and Remediation:

Recommendation:

To institute better monitoring and oversight of IT security, [Name of Company]'s senior management should designate an IT Security Coordinator for [Name of Company] who has responsibility and authority for IT security throughout the organization.

Management Response:

Agreed; an IT Security Coordinator for [Name of Company] with organization-wide responsibility and authority for IT security will be appointed following consultation with the Senior Executive Committee (SEC). However, such a role will need to be supported by a strong IM/IT governance structure in general and a robust information security governance framework in particular. IM/IT governance will be addressed as part of a study that [Name of Company] has already initiated – a comprehensive IM/IT review to examine the current IT service delivery model and determine how [Name of Company] can enhance effectiveness and cost-efficiencies in this area. More specifically, the study will be broad in scope, encompassing all IM/IT services provided to [Name of Company] staff either centrally by IMSB or locally by individual institutes, branches and programs. Terms of Reference have been developed and approved by SEC; the Director General for IMSB will co-lead this effort along with a Director General from a research institute still to be determined. The issues around IT service delivery will be examined and reported back to SEC by January 2008. Specific areas of opportunity or concern will also be identified for further study in a subsequent phase. It is anticipated that most of the audit recommendations will be addressed within the context of this review.

Timelines and Deliverables:
