An Introductory Guide to Audit Readiness – Part 3


Continuing from Part Two where we covered three of the four competencies within an organization and their procedures for audit readiness – Information Technology (IT) can turn out to be the most complex.

IT audit readiness may include, but is not limited to the following:

  • Resource planning for the organization and readiness procedures
  • IT General Controls
  • IT Systems and application controls

IT resource planning for audit readiness

As discussed in part two of the audit readiness guide, one of the roles in the planning process is to help identify experienced team members who can contribute towards the IT department’s audit readiness, as they are the ones who have most likely undergone at least one or more IT audits. These individuals would be most familiar with the processes involved and would understand what the auditors would be requesting, the types of audits they would run, and the systems and applications involved.

Identifying IT internal systems and applications for audit readiness

Audit readiness activities for the IT environment require the identification and evaluation of in-scope systems within the organization. The organization should be tracking, recording and reporting on any activities taking place that involve the selected systems and/or applications involved in the audit readiness plan and within any department reliant on these the IT systems.

Activities may include:

  • Documented system certification and accreditation packages
  • Plans regarding system or application security controls
  • Project plans and/or agreements on any application interfaces
  • IT compliance procedures

Once the appropriate systems and applications have been identified, the audit process should move onto assessing the following two groups of controls:

  • IT general controls
  • IT application controls

IT general controls and IT applications controls

The objective or intent of IT General Controls (ITGC) is to apply assurance over the system environment(s) of in-scope systems and/or applications. The ITGCs establish the integrity of:

  • Processes and computer operations
  • Data and data files
  • Components and programs

ITGCs most commonly known are:

  • Computer operations controls
  • Data recover and backup controls
  • Data center security controls
  • Program management and program change management controls
  • SDLC also known as system development lifecycle controls
  • Access controls for data, applications and infrastructure

Furthermore, the objective or intent for IT application controls is to apply control(s) over an individual application or system, intending to support business processes.

Consideration and preparation are key to any audit assessment.  Ensuring the organization’s environments, systems and applications are identified and assessed will improve the overall efficiency during any audit or assessment related activity.

Global Shield IS specializes in IT audit readiness procedures. We are a global audit and advisory services company ready to help you become audit ready. Contact us today for advice.



Please note: These guidelines from Global Shield IS, are for an organization’s general information purposes only. It is not intended to advise or give any legal or business analysis. Global Shield IS, rather offers the services to any business who have further questions related to their uncommon or unique circumstances, to contact the office for further council.  We will then assign the most appropriate adviser to address each question specifically.



With the Department of Defense (DoD) continuing its efforts of moving to the Risk Management Framework (RMF), Washington Headquarters Services (WHS) Financial Management Directorate (FMD) has established an independent team, which includes Global Shield IS, to perform a Federal Information Systems Controls Audit Manual (FISCAM) assessment of its Enterprise Resource Planning application and its surrounding environment.

FISCAM was established by the Government Accountability Office (GAO) and the President’s Council on Integrity and Efficiency (PCIE) as a complement to the Financial Audit Manual (FAM). FISCAM presents a methodology for performing information system control audits of Federal and other governmental entities in accordance with professional standards such as National Institute of Standards and Technology (NIST), Special Publication (SP) 800-53.

The FISCAM methodology provides a top-down, risk-based approach which evaluates:

  • Entity-wide controls and their effect on audit risk
  • IT General and Application controls and their impact on transaction processing

The FISCAM IT controls model is depicted below. Starting with the General Control categories and ending in the Business Process Application Controls.


The FISCAM team is conducting on-going testing efforts through March 31, 2015.