2017 Information Technology (IT) Audit Plan
| Priority | IT Audit | Hours | Start | Duration |
|---|---|---|---|---|
| 1 | IT Vendors Selection (Procurement) | 250 | Apr | 5-7 Weeks |
| 2 | Application Audit HUB (itslearning) | 250 | Apr | 6-8 Weeks |
| 3 | Disaster Recovery | 250 | June | 6-8 Weeks |
| 4 | Security / VAPT Assessment | 300 | July | 8-10 Weeks |
| 5 | IT Resources | 250 | Aug | 6-8 Weeks |
| 6 | Remote Network Access | 200 | Sept | 5-7 Weeks |
| 7 | IT Risk Assessment | 150 | Oct | 4-6 Weeks |
| 8 | Planning, Monitoring and Reporting | 200 | Mar | 12 Months |
| | Total | 1,850 | | |
The following are the audit objectives and the risks associated with each entity reviewed.

1. IT Vendors Selection

The objective of this audit is to determine whether effective measures are in place related to selection of IT Vendors such as executive sponsorship, business and technical requirements, proposal evaluations and contract negotiations.

Risk: Weak, inadequate, or nonexistent controls around selection of IT Vendors can result in projects not being completed or services not provided, which could impact the business and/or execution of the IT strategy.

2. Application Audit HUB (itslearning)

Itslearning is the digital learning platform used by educators and students that provides access to instructional material, coursework, and digital textbooks throughout the school year. The objective of this review is to provide management with an assessment of efficiency and effectiveness of the design and operation of internal controls including but not limited to input, processing, output and integrity controls.

Risk: Failure to implement effective, efficient and appropriate internal controls over applications may result in the following general risks:

- Invalid or incorrectly processed transactions
- Loss of reputation due to inability to deliver services or disclosure of internal issues
- Costly compensating controls
- Reduced system availability and questionable integrity of information
- Inability to satisfy audit/assurance charter, requirements of regulators or external auditors

3. Disaster Recovery

The objective of this audit is to provide assurance on the adequacy and appropriateness of the internal controls established for maintaining and executing the department's Disaster Recovery plan. Special consideration that the Disaster Recovery plan strategy meets minimum acceptable standards.

Risk: Inability to restore business operations in the event of a disaster. Not aligning business continuity management to support business strategy.
4. Security / VAPT Assessment

The objectives of this assessment are to evaluate the design of the security environment, look for vulnerabilities in the network and understand the depth of the impact if the network is penetrated via a Vulnerability Assessment and Penetration Test (VAPT).

Risk: Unauthorized access to the network, systems and/or data that could have a negative impact on HISD or its students.

5. IT Resources

The objective of this review is to provide management with an assessment of the IT resources currently in place, identify resource gaps and provide recommendations to better utilize the current resources.

Risk: A lack of resources and/or resources not allocated properly could severely impact the IT service delivery model in place that provides support to the entire district.

6. Remote Network Access

The objective of this audit is to evaluate the controls in place around remote access to ensure that network assets are protected.

Risk: A lack of effective security controls around remote access could result in a compromise of network assets which may impact the confidentiality, integrity, and availability of IT assets and data.

IT Risk Assessment

Identify risks that IT presents to the organization that could adversely affect strategic goals. Identify the IT audit universe, examine the IT auditable units and select areas with the greatest risk exposure to review and include in the IT audit plan.

Risk: Unidentified or unaddressed IT risks could negatively impact HISD or its students.
Planning, Monitoring and Reporting

An effective planning, monitoring and reporting mechanism ensures that the audits being performed address the audit objectives in an efficient and timely manner.

Risk: Failure to effectively plan, monitor and report on each engagement could result in budget over-runs and scope not being met.