Part A: Information System Operations
The primary objective of information system operations auditing is to ensure that the organisation’s IT services are reliable, secure, and aligned with business goals. This is achieved through a structured evaluation of service delivery elements, infrastructure management, and administrative controls.
Service Management Frameworks: Auditors must evaluate the efficacy of frameworks such as ITIL and ISO/IEC 20000. The objective is to determine if the controls and service levels expected by the organisation are being adhered to and whether they support strategic objectives.
Infrastructure and Asset Management: The scope includes identifying and managing all IT assets, as an organisation cannot protect what it has not identified. This involves evaluating enterprise architecture (EA) to ensure that the design of business system components facilitates optimal performance and security.
A critical objective is to assess IT operations, including job scheduling, configuration management, and capacity planning. Auditors confirm that these processes are effectively controlled to support continuous organisational productivity.
Data Governance and Quality: Operations assurance includes evaluating database optimisation and data lifecycle management. This ensures that data remains accurate, complete, and accessible throughout its ageing and retention phases.
Management of Disruptions and Changes: The audit objective here is to evaluate problem and incident management practices. This ensures that disruptions are resolved quickly to support service levels and that change management processes prevent unauthorised modifications to the environment.
Information System Operations
Recent studies show ISO/IEC 27001 remains the benchmark for managing information assets. While it offers a management-system framework, its success depends on alignment with business processes and on top management's commitment. Integrating ISO/IEC 27001 with COBIT creates synergy: COBIT defines governance and strategic control objectives, while ISO/IEC 27001 (through its Annex A control set) guides the operational security controls that implement them.
Further research on ITSM within ITIL v4 shows a shift from process-heavy to value-stream approaches. DevSecOps literature suggests that the old separation between development and operations is outdated and advocates for "continuous security integration" through automated testing in deployment pipelines. This shift poses challenges for standardised practices and tool compatibility, which auditors must address.
Theoretical models like Management System Theory and Control and Audit Theory highlight that an effective ISMS should be documented, iterative, and follow the PDCA cycle. Information security is not just technical but managerial, involving policies, risk analysis, and regular audits to combat emerging threats such as AI-driven social engineering and malware.
Professional Analysis of Operational Controls
The integrity of IS operations is maintained through a web of technical and administrative controls. These controls are viewed as interdependent mechanisms that together create a trustworthy environment.
IT Service Management (ITSM) and Framework Alignment
ITSM is the practice of aligning IT services with business needs. The auditor's role is to evaluate whether these services are delivered in accordance with formal agreements and best practices. The use of frameworks like ITIL provides a reference body of knowledge for service delivery.
Service Strategy and Design: Focuses on ensuring IT services are designed to meet specific business outcomes.
Service Level Agreements (SLAs): Documented targets for performance and availability. Persistent failure to meet them indicates a lack of operational control or a misalignment of resources.
Operational Level Agreements (OLAs): Internal agreements between IT departments that underpin the external SLAs.
The implementation of ISO/IEC 20000 requires organisations to follow the PDCA methodology, transforming service quality into an auditable process. When these standards are applied, the organisation shifts from a reactive "break-fix" mentality to a proactive service improvement model.
Infrastructure Auditing and Asset Management
The infrastructure forms the physical and logical backbone of the operations. Enterprise Architecture (EA) documents an organisation’s IT assets in a structured format, enabling better strategic alignment. The auditor utilises EA as a primary source of information to ensure that all systems comply with organisational standards.
IT Asset Management (ITAM) is fundamentally linked to information security. Without a comprehensive inventory of hardware and software, an organisation cannot effectively patch vulnerabilities or manage licensing risks. Effective assurance requires that ITAM systems track resources throughout their entire lifecycle, from acquisition to secure disposal.
Job Scheduling and Production Automation
Operational efficiency often depends on the automation of routine tasks. Job scheduling ensures that computer processing requirements are met and that resource utilisation is optimised. Auditors look for exception handling within these schedules: if a critical batch job fails, is there a formal process to detect and remediate the failure before it impacts the business?
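The exception-handling question above can be tested directly against scheduler output. The following is an added example, not code from the page or from any particular scheduler: it assumes a constructed log format of "timestamp job status" (the job names, the one-hour remediation window and the set of critical jobs are all assumptions for illustration) and flags every failure of a critical job that was not followed by a successful rerun inside the window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Constructed sample scheduler log for illustration (not taken from any real
# scheduler). Assumed format: "<ISO timestamp> <job name> <STATUS>" where STATUS
# is START, SUCCESS or FAILED.
SAMPLE_LOG = """\
2025-03-01T01:00:00 nightly_backup START
2025-03-01T01:42:10 nightly_backup SUCCESS
2025-03-01T02:00:00 gl_posting START
2025-03-01T02:05:31 gl_posting FAILED
2025-03-01T02:20:00 gl_posting START
2025-03-01T02:31:02 gl_posting SUCCESS
2025-03-01T03:00:00 payroll_extract START
2025-03-01T03:01:15 payroll_extract FAILED
2025-03-01T04:00:00 log_rotate START
2025-03-01T04:00:08 log_rotate FAILED
"""

# Assumed list of jobs the business has classed as critical.
CRITICAL_JOBS: Set[str] = {"nightly_backup", "gl_posting", "payroll_extract"}


@dataclass
class Finding:
    job: str
    failed_at: datetime
    remediated_at: Optional[datetime]  # None: no successful rerun in the log
    within_window: bool                # True: rerun succeeded inside the window


def parse_log(text: str):
    """Turn the raw log into (timestamp, job, status) tuples in file order."""
    events = []
    for line in text.splitlines():
        ts, job, status = line.split()
        events.append((datetime.fromisoformat(ts), job, status))
    return events


def audit_failures(text: str, window: timedelta = timedelta(hours=1),
                   critical: Set[str] = CRITICAL_JOBS) -> List[Finding]:
    """For every FAILED event of a critical job, look for a later SUCCESS of the
    same job and record whether remediation landed inside `window`."""
    events = parse_log(text)
    findings = []
    for i, (ts, job, status) in enumerate(events):
        if status != "FAILED" or job not in critical:
            continue  # non-critical jobs are out of scope for this test
        recovered = next((t for t, j, s in events[i + 1:]
                          if j == job and s == "SUCCESS"), None)
        ok = recovered is not None and recovered - ts <= window
        findings.append(Finding(job, ts, recovered, ok))
    return findings


def exceptions(text: str, **kw) -> List[Finding]:
    """Only the failures that were not remediated in time: the audit exceptions."""
    return [f for f in audit_failures(text, **kw) if not f.within_window]


if __name__ == "__main__":
    for f in exceptions(SAMPLE_LOG):
        print(f"EXCEPTION: {f.job} failed at {f.failed_at}, "
              f"remediated: {f.remediated_at}")
```

On the sample, gl_posting failed and was rerun successfully within 26 minutes, so it is recorded but not an exception; payroll_extract failed and never recovered, which is the finding an auditor would raise; log_rotate also failed but is not on the critical list, so it is ignored by this test.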
Capacity and Performance Management
Capacity planning involves predicting future IT needs based on historical usage and business projections. Auditors evaluate capacity management tools and monitoring techniques to ensure that the organisation does not face performance bottlenecks that could lead to service degradation. This includes monitoring network analysers, system utilisation reports, and load balancing mechanisms.
Database Management and Data Quality
Databases are the core repositories of corporate intelligence. Assurance in this area focuses on optimisation and integrity.
Normalisation: A systematic approach to organising data to eliminate redundancy and prevent update or deletion anomalies.
Referential Integrity: Ensures that relationships between database tables remain consistent.
Data Lifecycle Management: Addressing the ageing, retention, and secure deletion of data based on regulatory and business requirements.
Data quality must be assessed for completeness, accuracy, and integrity. Inaccurate data in a production database can lead to flawed decision-making and operational failures.
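The integrity and quality points above can be turned into concrete audit queries. The following is an added example, not code from the page: it uses SQLite in memory with a constructed two-table schema (customers and orders are assumed names) to show that a foreign-key declaration protects referential integrity only when enforcement is switched on, and to run the two checks an auditor would actually execute, one for orphaned rows and one for incomplete records.

```python
import sqlite3
from typing import Dict, List

# Constructed schema for illustration. orders.customer_id declares a foreign
# key to customers.id; whether it is enforced depends on a connection setting.
SCHEMA = """
CREATE TABLE customers (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    amount      REAL NOT NULL
);
"""


def load_sample(conn: sqlite3.Connection) -> None:
    """Constructed sample data; customer 2 has an empty e-mail (incomplete)."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, "a@example.com"), (2, "")])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(10, 1, 99.5), (11, 2, 12.0)])


def insert_orphan(conn: sqlite3.Connection) -> bool:
    """Attempt to insert an order for a customer that does not exist.
    Returns True if the database accepted it (integrity not enforced)."""
    try:
        conn.execute("INSERT INTO orders VALUES (12, 999, 5.0)")
        return True
    except sqlite3.IntegrityError:
        return False


def orphan_orders(conn: sqlite3.Connection) -> List[int]:
    """Referential-integrity check: orders whose customer row is missing."""
    return [r[0] for r in conn.execute(
        "SELECT o.id FROM orders o "
        "LEFT JOIN customers c ON c.id = o.customer_id "
        "WHERE c.id IS NULL ORDER BY o.id")]


def incomplete_customers(conn: sqlite3.Connection) -> List[int]:
    """Completeness check: NOT NULL does not stop an empty string."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM customers WHERE email IS NULL OR TRIM(email) = '' "
        "ORDER BY id")]


def run_audit(enforce_fk: bool) -> Dict[str, object]:
    """Load the sample with foreign-key enforcement on or off and run checks."""
    conn = sqlite3.connect(":memory:")
    # Weak setting: OFF (SQLite's default). Corrected setting: ON.
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    load_sample(conn)
    accepted = insert_orphan(conn)
    result = {
        "orphan_accepted": accepted,
        "orphans": orphan_orders(conn),
        "incomplete": incomplete_customers(conn),
    }
    conn.close()
    return result


if __name__ == "__main__":
    print("enforcement off:", run_audit(False))
    print("enforcement on: ", run_audit(True))
```

With enforcement off the orphan insert succeeds and the LEFT JOIN query is the only thing that reveals it; with enforcement on the database rejects the row and the query returns nothing. The completeness query finds customer 2 in both cases, which is the point of the paragraph above: a schema constraint such as NOT NULL guarantees a value is present, not that it is accurate or complete, so data quality still has to be tested explicitly.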
Incident and Problem Management
While often grouped, incident and problem management serve different objectives. Incident management is reactive, aiming to restore service as quickly as possible following a disruption. Problem management is proactive and analytical, seeking to identify the root causes of recurring incidents to prevent their recurrence.
A well-implemented incident management process is characterised by response times that consistently fall within defined SLAs. If an organisation experiences frequent incidents but lacks a robust problem management function, the auditor identifies this as a significant risk of systemic instability.
Change, Configuration, and Patch Management
The absence of a formal change management process is one of the most critical operational risks. Without it, unauthorised changes can be made to systems, compromising integrity and availability. Auditors verify that all changes are authorised, tested, and documented.
Patch management is a subset of this effort, focusing on installing code updates to fix vulnerabilities. An effective program requires maintaining current knowledge of available patches and testing them in a non-production environment before deployment. Quality Assurance (QA) personnel play a vital role here, verifying that changes meet standards before they reach production.
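The auditor's test that every production change is authorised is a reconciliation between what was deployed and what was approved. The following is an added example, not code from the page or from any real CMDB or ticketing tool: it assumes a constructed set of approved change tickets (each with an approved window and target asset) and a constructed list of deployment records, and classifies each deployment as authorised or as one of four exception types.

```python
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed change tickets for illustration: ticket id -> (approved window
# start, approved window end, asset the change was approved for).
APPROVED: Dict[str, Tuple[str, str, str]] = {
    "CHG-101": ("2025-03-02T22:00", "2025-03-03T02:00", "web-01"),
    "CHG-102": ("2025-03-03T22:00", "2025-03-04T02:00", "db-01"),
}

# Constructed deployment records as a configuration-management tool might
# export them. Each is expected to cite the ticket that authorised it.
DEPLOYMENTS: List[Dict[str, Optional[str]]] = [
    {"ts": "2025-03-02T23:15", "asset": "web-01", "ticket": "CHG-101"},
    {"ts": "2025-03-03T09:40", "asset": "db-01",  "ticket": "CHG-102"},
    {"ts": "2025-03-03T10:05", "asset": "web-02", "ticket": None},
    {"ts": "2025-03-03T23:00", "asset": "db-01",  "ticket": "CHG-999"},
    {"ts": "2025-03-03T23:30", "asset": "web-01", "ticket": "CHG-102"},
]


def classify(dep: Dict[str, Optional[str]],
             approved: Dict[str, Tuple[str, str, str]] = APPROVED) -> str:
    """Decide whether one deployment is covered by an approved ticket.
    Checks are ordered from 'no evidence at all' to 'evidence does not fit'."""
    ticket = dep["ticket"]
    if ticket is None:
        return "NO_TICKET"            # change made with no authorisation record
    if ticket not in approved:
        return "UNKNOWN_TICKET"       # cites a ticket that was never approved
    start, end, asset = approved[ticket]
    if dep["asset"] != asset:
        return "WRONG_ASSET"          # approved for a different system
    ts = datetime.fromisoformat(dep["ts"])
    if not (datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end)):
        return "OUTSIDE_WINDOW"       # right ticket, but outside the window
    return "AUTHORISED"


def reconcile(deployments=DEPLOYMENTS, approved=APPROVED):
    """Classify every deployment; returns (timestamp, asset, verdict) tuples."""
    return [(d["ts"], d["asset"], classify(d, approved)) for d in deployments]


def unauthorised(deployments=DEPLOYMENTS, approved=APPROVED):
    """The audit exceptions: every deployment that is not fully authorised."""
    return [r for r in reconcile(deployments, approved) if r[2] != "AUTHORISED"]


if __name__ == "__main__":
    for ts, asset, verdict in reconcile():
        print(f"{ts} {asset:8} {verdict}")
```

Only the first record passes. The other four are the exception classes an auditor reports: a change with no ticket, a ticket that does not exist in the approval system, a ticket reused against a system it was not approved for, and an approved change executed outside its window. Running the same reconciliation continuously, rather than on a sample at audit time, is what turns change management from a documented policy into an operating control.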
Deep Insights: The Convergence of Operations and Assurance
Modern IS operations assurance recognises that technical failures are often symptoms of governance failures. The rise of AI-powered threats in 2025 has added a layer of complexity to traditional operational monitoring. Organisations are now using AI for threat detection and endpoint security, but this also introduces risks related to AI alignment and model reliability that the auditor must weigh alongside the benefits.
The reliance on third-party vendors and cloud service providers has shifted the operational perimeter. Auditors must now evaluate supply chains for IT risk factors and integrity issues, ensuring that vendors adhere to the same security standards as the host organisation. This "extended enterprise" model requires a shift from point-in-time audits to continuous monitoring and real-time data sharing between partners.
Furthermore, the "human factor" remains a central operational risk. Low awareness among personnel often leads to security breaches, regardless of the sophistication of technical controls. Therefore, operational assurance must include an evaluation of security awareness training and its effectiveness in building a security-conscious culture.