IT Audit: Preparing Your Supporting Documents
July 16, 2021

by KB Mandefro

When it comes to IT audits, it can feel daunting to figure out what documentation is needed. Depending on the audit goal and scope, auditors routinely request supporting documents to validate the effectiveness, efficiency and compliance of Information Technology General Controls (ITGCs).

Very often, IT system owners, custodians and audit liaisons wonder what to document and what information to gather for auditors. But not knowing is no excuse. Proper documentation and maintenance of IT key supporting documents (KSDs) is essential.

According to a report by the Department of Defense (DoD) Inspector General (IG) on management challenges, more than 1,000 IT and financial management system Notice and Finding Reports (NFRs) were issued for FY2018 alone. The good news is that many of these findings are easily preventable.

Here are four ways federal agencies can prepare proper documentation for their IT audits.

  • First: identify and track systems and data. Maintain an inventory of all the certified and accredited systems that are part of the business process.
  • Second: develop and document policies and procedures. These are the documents upon which the auditors rely to assess the controls and provide their opinions.
  • Third: document applicable laws, regulations and controls. At a bare minimum, document general and application controls, risk assessments, manuals, standard operating procedures (SOPs), memorandums of understanding (MOUs), service level agreements (SLAs), cycle understandings, roles and responsibilities, flowcharts, system diagrams, audit trails, reports and any other IT-related artifacts that are considered part of the system business process.
  • Finally, maintain IT control documentation. DoD Financial Improvement and Audit Readiness (FIAR) guidance recommends IT control documentation that identifies each of the controls, who performs the controls, the frequency of reviewing and approving, and “the evidence (hardcopy or electronic) demonstrating the control was performed as described” in the policies and procedures.

In addition to supporting an audit, proper KSDs also support confidentiality, integrity and availability. Detailed and complete supporting documents should also include internal controls for all applicable systems.

Be sure these document requirements are communicated to all responsible parties and understood by IT and non-IT individuals alike, so your organization is prepared long before the audit takes place.

