The document provides an overview of technology auditing and internal auditing processes. It discusses:
1. The objectives and composition of technology audits, which identify potential issues, assess capabilities, and optimize technology use.
2. The types of audits - internal audits assess processes, external audits are implemented by external parties, and continuous auditing is ongoing.
3. The steps for internal audits, which include developing audit strategies, planning specific audits, conducting audits, communicating results, and advising on improvements.
2. Technology Audit
Technology Audits Will Help Identify
Potential Issues That May Become Serious
Problems for Your Business If Left Unattended
Each organization should ensure effective continuous auditing to
increase the generated income.
Dr. M.El Messiry
2 Dr. Magdy El Messiry
"A trip of a thousand miles begins with a single step"
PREFACE
The main objective of this booklet is to give the reader a survey of the different elements of
Technology Auditing (TA), since TA is the only way for an organization to improve
its position in the market. Technology audits will help identify potential issues that may
become serious problems for your business if left unattended. Technology auditing will be
recognized as the reliable and trusted source for the best application of relevant technology in the
industry. Continuous technology auditing will lead to the following:
o Establishing proven methodologies for technology assessments
o Establishing proven methodologies for quality control
o Establishing a network of reliable and brief information sources
o Establishing a periodic review and assessment of technology news and information
o Establishing a standard technology assessment model
o Establishing a secured database of reports and assessments
o Establishing and maintaining business models for measuring return on investment and total cost of ownership
The effectiveness of the organization will be enhanced by providing tools and
information concerning the latest technology and innovation relevant to the particular
industrial fields that form the specific mission and goals of the organization.
Universities can fulfill their role in implementing Technology Auditing in different
organizations through their specialists in technology and other areas of a
globally competitive economy. Their function will be to assist in:
o Promoting competitiveness and job creation.
o Enhancing the quality of life.
o Developing human resources.
o Working towards environmental sustainability.
o Promoting an information society.
o Producing more knowledge-embedded products and services.
o Developing innovative technologies that lead to an increase in the number of patents.
The objective of this course is to give the specialists in the technology transfer
centers at the universities and in the industrial organizations the basic concepts of
TECHNOLOGY AUDITING and to help them in building TA departments.
TABLE OF CONTENTS
PREFACE
CHAPTER ONE
TECHNOLOGY AUDITING
1.1 Introduction
1.2 Technology Audit Composition
CHAPTER TWO
INTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITING
1. Internal Audit
1.1 Mission of the Internal Audit Function
1.2 Internal Audit Practice in Organization
1.3 Steps for Building the Internal Audit Team
1.4. Suggestion for Successful Internal Audit
1.5 Code of Ethics for Audit Staff
1.6 International Standards for the Professional Practice of Internal
Auditing (Standards)
2. External Audit
2.1 Implementation Procedure
2.2. Continuous Auditing
2.3. Key Steps to Implementing Continuous Auditing
2.3.1. Additional Considerations
2.3.2. Organizational Infrastructure
2.3.3. Impact on Personnel
CHAPTER 3
THE AUDITORS PERFORMANCE IN TECHNOLOGY AUDIT
3.1. Introduction
3.2. Role of Auditor
Phase One: Pre-Audit
Phase Two: On-Site Visit
3.3. Road Map for the External Audit Team Audit Leader
3.4. Notes to the Auditor
3.4. Control objectives
CHAPTER 4
SWOT ANALYSIS
4.1 Introduction
4.2. The Need for SWOT Analysis
4.3. Limitations of SWOT Analysis
4.4. SWOT Analysis Framework
CHAPTER 5
PRACTICAL EXAMPLES OF SWOT ANALYSIS
5.1. Health centers
5.2. University SWOT Analysis
5.3. Retail Industry SWOT Analysis
4.4. Web Business SWOT Analysis
CHAPTER 6
GLOSSARY
APPENDIX I
SWOT Analysis Template
APPENDIX II
Audit Checklist
APPENDIX III
Audit Checklist ISO/IEC 19770-1
APPENDIX IV
Template to use when writing an audit report
APPENDIX V
Information Technology Audit Report
REFERENCES
CHAPTER ONE
TECHNOLOGY AUDITING
1.1 Introduction
Today, product life cycles are becoming progressively shorter. In some
sectors, such as the computer sector, products are technologically devalued
within a few months. It is therefore a great competitive advantage for
companies to be able to introduce new products to the market before their
competitors, gaining a significant share of sales in this way. Companies today must
be constantly innovative to maintain or improve their position in the
market. To achieve this, they must know how to identify the innovation
needs of a business problem. The innovation management tools used
for this are the Technology Audit and the SWOT method [1]. Technology has become
an increasingly dynamic sector of the global economy. The critical task now is to
maintain a broad awareness of the nature and potential impact of emerging
technologies, their points of junction, and their impact on marketplace trends on a
worldwide basis. Management of technology is an interdisciplinary field that
integrates science, engineering, and management knowledge and practice. The
focus is on technology as the primary factor in wealth creation. Wealth creation
involves more than just fiscal values; it may encompass factors such as
enhancement of knowledge, intellectual capital, effective exploitation of resources,
preservation of the natural environment, and other factors that may contribute to
raising the standard of living and quality of life.
The Technology Audit is a method for identifying the major company
requirements, needs, weaknesses and strengths in human resources and
infrastructure, as well as opportunities that should be taken into consideration.
The Technology Audit is also a technique that identifies the management's view
of how the company performs, as well as strong indications of what the company
really needs [2].
The Technology Audit technique examines the external and internal
environment of the company in tandem and identifies how human resources relate to the
company's performance. Furthermore, it helps the company discover the more
significant actions that it should adopt.
As shown in Figure (1), an organization can perform an audit in order to:
o Generate income (or more income) for technology-driven organizations (e.g. technology-based enterprises, research centers, institutes) from their available technology.
o Improve the productivity of the technological factors.
o Improve business competitiveness and public administration's performance.
o Assess your current capabilities before making expensive changes.
o Learn how to optimize the use of current technology.
o Learn about your technology options.
o Get an independent assessment that can help convince your organizational partners of changes needed.
An audit is merely a "checkup." As we gather more and more techno-devices
around us, we recognize the need to ensure that they are all accounted for, are
working properly, and are being employed for proper purposes, purposes that
advance the cause of our organizations. Consequently, a technology audit exists at
its very core as an activity that focuses our full attention upon improvement,
sustainable improvement and continuous innovation. An organizational survey and
technology audit will help in understanding the level of attention paid to
technology in the organization and facilitate the involvement of employees from
different departments of the organization in the technology management process.
The organizational survey and technology audit provide an instrument for
auditing the organization's technological capabilities and its awareness of
technology as a means of improving competition. The organizational survey and
technology audit are used to assess whether the organization's management has the
appropriate level of understanding of technology and technology management, and
whether the required climate to use technology is in place.
Formulation of technology strategy addresses the issue of how to recognize the
critical technological needs and identifies the basic dimensions of a technology
strategy. It consists of three steps: technology assessment, technology selection,
and definition of the portfolio of technological projects, and strategic priorities and
actions [3]. The technology audit is equally applicable to manufacturing and service
firms. The firms should wish to create new products, incorporate new processes,
diversify their activities and have growth potential. They should have the capacity
to survive and innovate and the competence for international cooperation. Technology
auditing should be considered as a means of ensuring business continuity in a
manufacturing organization.
Figure (1) Objectives of Audit Cycle
1.2 Technology Audit Composition
Implementation of technology auditing starts with answering the following questions:
o What is the relationship between technology, business strategy and innovation in ensuring continuity of the organization?
o What does a technology audit consist of and what tools are available to help conduct the technology audit?
o What is the process flow of a technology audit?
The main steps of a technology audit process are [4]:
Step 1: Company Decision for Technology Audit
The starting point of the technology audit process is the desire or wish of a firm to
carry out a technology audit.
Step 2: Initial phase
The initial phase is important to ensure that the audit proceeds smoothly and
effectively. It includes discussion at the management level to explain and agree
upon the purpose of the audit, to design the questionnaire and the framework for
the report to suit the organization and to select those to be interviewed. Initial
information about the organization (published and unpublished reports) is gathered
at this stage. Analysis of questionnaires should be done prior to the interviews and
might be done at an earlier stage, so that selection of those to be interviewed is
partly based on questionnaires.
Step 3: Interview and report phase
The company is interviewed using a questionnaire, normally with the
participation of the General Manager, with the aim of:
o Collecting general company data
o Shaping the company technology profile
o Performing SWOT Analysis
o Identifying technological areas for further analysis.
The Technology Audit Tool consists of two parts: the questionnaires and the reports.
The results derived from the questionnaires generate the reports, which can be easily
accessed by the General Manager of the company; for a more accurate and less
biased diagnosis, however, an external specialized consultant is proposed.
Step 4: Technology Audit Report Framework
The final report of the technology audit should include:
o Subjects analyzed
o Methodology used
o Problem areas identified
o Solutions proposed for the problems
o Steps to be taken for implementing the solutions (action plan)
The expected results from a carefully conducted technology audit mainly concern [4]:
o Complete and comprehensive analysis and evaluation of the requirements of the organization for its sustainable growth
o Thoroughly objective SWOT Analysis
o Opportunity spotting for new products / new services / new technologies / new markets
o Networking with technology suppliers, technological sources, other companies
o Possible assessment of technology portfolio, intellectual property rights
There are five tasks within the audit process area:
1. Develop and implement a risk-based international audit standards (IS) audit strategy for the organization in compliance with international audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and controlled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.
CHAPTER TWO
INTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITING
The auditing process can be divided into three categories: Internal Audit, External
Audit, and Continuous Audit, which may be integrated to fulfill the
organization's objectives, as illustrated in Figure (2).
2.1. Internal Audit
Internal auditing, as defined by the Institute of Internal Auditors (IIA), is "an
independent, objective assurance and consulting activity designed to add value and
improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control, and governance processes".
2.1.1 Mission of the Internal Audit Function
The mission of the internal audit function is to provide the organization's management
with systematic assurance, analyses, appraisals, recommendations, advice and
information with a view to assisting it, and other stakeholders, in the effective
discharge of their responsibilities and the achievement of the organization's mission
and goals [5]. The role of the internal audit function includes providing reasonable
assurance on the effectiveness, efficiency and economy of the processes in various
areas of operations within the organization, as well as compliance with the
organization's financial and staff rules and regulations, general assembly decisions,
applicable accounting standards and existing best practice.
2.1.2 Internal Audit Practice in Organization
Each organization should establish an Internal Audit function. Its original mandate included
both internal audit and evaluation functions. The Internal Audit Department also
informally acted as a focal point for investigation and inspection. The organization's
Internal Audit Charter follows the Standards for the Professional Practice of Internal
Auditing issued by the Institute of Internal Auditors [5] (IIA) in
performing audit assignments. Audits are conducted in accordance with a detailed annual audit
plan that is developed based on an annual risk-based assessment of internal audit
needs for the whole of the organization.
Figure (2) Types of Auditing Models
Figure (3) Steps of Performing Internal Audit
Risk-based annual audit plans are subject to regular revision, at least annually, in
order to be aligned with the strategic objectives of the organization. Audit needs
are estimated based on a thorough review of the organization's business and other
systems and processes which make up the audit environment for the Internal
Organization Audit Department. The audit needs assessment is reviewed annually
at the same time as the detailed annual audit plan is set out.
For annual audit planning purposes, in line with the new set of strategic goals set
for the Organization, the Internal Organization Audit Department strategy and
annual plans are re-aligned regularly to ensure:
o Due emphasis is put on the "operational efficiency and effectiveness" aspect in the detailed work plans to the extent possible.
o Main organization business processes are reviewed to identify strengths and good practices, as well as gaps and deficiencies. Value adding recommendations are made to assist management in addressing these issues.
o Audit support is provided to key management and governance initiatives recognizing that the responsibility for such initiatives rests with the management in the case of a strong indication of any fraudulent activity found during an audit.
o Sufficient audit work is performed to gather factual evidence and the supporting documentation is handed over to the Investigation Section for further examination if need be.
2.1.3 Steps for Building the Internal Audit Team
Figure (3) represents the steps for building the Internal Audit Team.
1- Group Formation
Local audit team leaders are chosen. They may appoint an individual to serve as
overall coordinator, as well. The key here is to get the best leadership in place
and functioning quickly.
2- Audit teams
Audit teams are formed and the documents needed to support the audit
are gathered (technology plan, facilities plan, personnel reports, etc.).
3- Meetings
Meetings are held at each organization department to explain this process to
employees. The purpose is to ensure that all employees know what to expect as
their auditors begin gathering data from a large number of locations, to explain
the process, to seek community support and patience, and to forecast some
findings. This serves to get the community "on board."
4- Teams Work
Department-by-department teams work within the organization. At the
same time, another team works on the organization as a whole.
5- Individual Team Reports
Reports are written, and then combined into an organization-wide document.
6- Team Leader Report
The team leader shares the internal audit report with the organization board.
7- Report Approval
The organization board approves the internal technology audit final report.
8- Report Publication
The team leader authorizes the report publication.
2.1.4. Suggestion for Successful Internal Audit
In order to ensure the success of the internal audit processes, the following
recommendations [6] should be considered by the organization manager when
implementing the Internal Audit:
Recommendation 1:
Invite the Director General to submit the Internal Audit Charter to the organization's
general assembly. The charter could then cover the activities of the Evaluation
Section and could give a general description of the tasks of the department and a
more detailed description of the tasks of each Section (Director, Internal Audit,
Investigation, and Evaluation & Inspection). After this recommendation has been
accepted, Internal Organization Audit Department supports this recommendation as
it will help clarify the distinct roles of the three main functions, i.e. internal audit,
investigation and evaluation, and promote the role of oversight in the organization. A
revision of the Internal Audit Charter will be proposed for review by the Program
and Budget Committee which will create an Internal Audit.
Recommendation 2:
The Director of Internal Organization Audit Department should draw up a list of the
training undertaken by all of his staff and update such a file as and when necessary.
This recommendation has been accepted. The recommendation will further assist
the tracking of the professional training being carried out.
Recommendation 3:
Invite the Director of Internal Organization Audit to develop a program (concept)
of quality assurance and improvement that includes documentation on periodic and
ongoing internal assessments of all areas of internal audit activity. Once
established, this concept should be included in the Internal Audit Manual. It seems
clear that ongoing assessments would only be suitable when the Internal Audit
Section has at least two qualified staff members. This recommendation has been
accepted. All audits are done in line with the Institute of Internal Auditors (IIA)
Standards and are subject to review and quality control. It is already Internal
Organization Audit Department's stated policy to have regular external and
internal quality assurance in accordance with the (IIA) [7] Standards.
Recommendation 4:
Invite Internal Organization Audit Department for the following:
a. to decide, during its annual planning, on precise audit themes which are then
mentioned in the final reports,
b. to continue to draw up a list of planned, completed and reported audits, which
should be updated as necessary, and
c. to implement long-term audit planning.
Recommendation 5:
The drafting of the audit manual should be completed and the manual made available to
organization staff and/or over the intranet. This manual should cover all the
essential elements specified in the Audit Standards**.
Recommendation 6:
Suggest that, from now on, Internal Organization Audit Department includes an
evaluation of the following in its reports:
a. exposure to significant risks and the corresponding controls,
b. subjects relating to governance, and
c. any other issue in response to a need or a request of the general management or
the Audit Committee.
Recommendation 7:
Invite Internal Organization Audit Department to review its strategy on planning
for audits involving medium to low risks in order to concentrate more on
engagements involving higher risks.
Recommendation 8:
The Internal Audit Section should:
a. clarify the work program by linking it with the risk analysis,
b. ensure that the work program includes the priorities and the resource allocation
for each subject to be audited,
c. ensure that the work program allows a connection to be made between the
working papers and the recommendations,
d. ensure that comments concerning the involvement and assignment of external
experts are highlighted in the audit plan, and
e. ensure that the signature of the Director of Internal Organization Audit
Department and the date of approval are systematically placed on the audit
program before the audit begins.
Recommendation 9:
Invite Internal Organization Audit Department:
a. to improve the formalization of working documentation so that a third party
audit professional is always able to compare the objectives of the engagement, the
content of the examinations carried out, the results, the auditor's opinion and the
recommendations. The standardization and organization of working papers could
go some way to achieving this,
b. to integrate into the Internal Audit Manual regulations relating to audit
documents, information to be archived and the period for which files must be kept;
rules on access by third parties to working papers should also be included,
c. to create audit notes that include a summary of the work carried out and allow
connections to be made between the work program, interviews, analyzed
documents and the notes and recommendations contained in the report,
d. to establish a system for reviewing working papers and dating and signing them,
and
e. to provide for the establishment of standards relating to documentation in the
audit manual.
Recommendation 10:
In order to increase the visibility of the internal audit function within the organization,
invite the Director of Internal Organization Audit Department to increase his
contact with the Organization General Manager.
2.1.5 Code of Ethics for Audit Staff
The internal audit staff is expected to follow the internal audit function in conducting
audits as set out in the Audit Charter [8].
o The Internal Auditor enjoys operational independence in the conduct of his/her duties. He/she has the authority to initiate, carry out and report on any action which he/she considers necessary to fulfill his/her mandate.
o The Internal Auditor shall be independent of the programs, operations and activities he/she audits to ensure the impartiality and credibility of the audit work undertaken.
o Internal audit work shall be carried out in a professional, unbiased and impartial manner.
o The conclusions of the audits shall be shared with the managers concerned, who shall be given the opportunity to respond.
o Any situation of conflict of interest shall be avoided.
o The Internal Auditor shall have unrestricted, direct and prompt access to all organization records, officials or personnel holding any organization contractual status and to all the premises of the Organization.
o The Internal Auditor shall respect the confidential nature of information and shall use such information with discretion and only in so far as it is relevant to reach an audit opinion.
2.1.6 International Standards for the Professional Practice of Internal Auditing
(Standards)
The Institute of Internal Auditors published the professional practice that includes
Introduction to the Standards, Attribute Standards, and Performance Standards*.
Internal auditing is conducted in diverse legal and cultural environments; within
organizations that vary in purpose, size, complexity, and structure; and by persons
within or outside the organization. While differences may affect the practice of
internal auditing in each environment, conformance with the IIA's International
Standards for the Professional Practice of Internal Auditing (Standards) is essential
in meeting the responsibilities of internal auditors and the internal audit activity.
The purpose of the Standards is to:
1. Define basic principles that represent the practice of internal auditing.
2. Provide a framework for performing and promoting a broad range of value-
added internal auditing.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.
The Standards are principles-focused, mandatory requirements consisting of:
o Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance, which are internationally applicable at organizational and individual levels.
o Interpretations, which clarify terms or concepts within the Statements.
The structure of the Standards is divided between Attribute and Performance
Standards. Attribute Standards address the attributes of organizations and
individuals performing internal auditing. The Performance Standards describe the
nature of internal auditing and provide quality criteria against which the
performance of these services can be measured. The Attribute and Performance
Standards apply to all internal audits.
Implementation Standards are also provided to expand upon the Attribute and
Performance Standards, by providing the requirements applicable to assurance or
consulting activities. Assurance services involve the internal auditor's objective
assessment of evidence to provide an independent opinion or conclusions
regarding an entity, operation, function, process, system, or other subject matter.
The nature and scope of the assurance engagement are determined by the internal
auditor. There are generally three parties involved in assurance services:
1. the person or group directly involved with the entity, operation, function,
process, system, or other subject matter — the process owner,
2. the person or group making the assessment — the internal auditor,
3. the person or group using the assessment — the user.
Consulting services are advisory in nature, and are generally performed at the
specific request of an engagement client. The nature and scope of the consulting
engagement are subject to agreement with the engagement client. Consulting
services generally involve two parties:
1. the person or group offering the advice — the internal auditor,
2. the person or group seeking and receiving the advice — the engagement client.
When performing consulting services the internal auditor should maintain
objectivity and not assume management responsibility.
2. External Audit
External assessments must be conducted at least once every five years by a
qualified, independent reviewer or review team from outside the organization. The
chief audit executive must discuss with the organization board the need for more
frequent external assessments and the qualifications and independence of the
external reviewer or review team, including any potential conflict of interest. A
qualified auditor or auditing team demonstrates competence in two areas: the
professional practice of internal auditing and the external assessment process.
Competence can be demonstrated through a mixture of experience and theoretical
learning. Experience gained in organizations of similar size, complexity, sector or
industry, and technical issues is more valuable than less relevant experience. In the
case of an auditing team, not all members of the team need to have all the
competencies; it is the team as a whole that is qualified. The chief audit executive
uses professional judgment when assessing whether an auditor or auditing team
demonstrates sufficient competence to be qualified. An independent auditor or
auditing team means not having either a real or an apparent conflict of interest and
not being a part of, or under the control of, the organization to which the internal
audit activity belongs.
2.1 Implementation Procedure
A schematic of the steps that are normally followed while carrying out a
technology audit is shown and described below. Partial techniques per step are the
tools used for the proper implementation of the technique.
STEP 1: Desire/Wish to Carry Out Technology Audit
This step is the desire / wish of the organization to carry out a technology audit. If the company
initiates the audit, no particular communication tool is used. However, if the
company is approached by the service provider, the provider should explain: the scope of the
initiative, a brief description of the technique, the potential benefits to the organization, and
the main characteristics of the consultant / service provider.
STEP 2: Expert to Carry Out Technology Audit
Once common ground has been established between the organization and the external
consultant/expert, the next step can follow.
STEP 3: First Contact/Visit of Expert for Preparation of Audit Plan
On the first contact / visit to the organization for the preparation of the audit plan, the
expert should have:
o a brochure / flow diagram on the steps to follow: a list of benefits and a list of other
companies that carried out a TA. A formal presentation using a data show should
help.
o the audit plan, which is devised together with top management. It establishes
the issues to investigate, how to collect data and from whom, in what time span and
at what cost, and what is needed from management to successfully carry out the
audit. The local team shares with the auditors all documents gathered, as well as
the internal audit report. Together, the auditors and the local audit team work to
establish a strategy that will drive this formal audit. All parties agree upon a
schedule/timeframe for the audit. All parties discuss some possible outcome
objectives [10]. Auditors schedule date(s) for on-site visit(s). Auditors meet with
focus groups and other constituencies, as needed.
STEP 4: Preparatory Work by Expert on Collecting Basic
For preparatory work by expert on collecting basic information on the
organization & the sector for the organization: collection of data from published
information, brochures of company, economic data, employees, products, exports
etc.
For the sector: published data on employment, turnover, trends, markets, on
company's products, introduction / use of new technologies.
A short report on the above findings would be handy and would be another step
into building a trusting relationship with the organization. Auditors study all
documents provided. Auditors schedule an on-site visit and make their
observations. It is a process whereby an in-depth evaluation of some aspect of an
organization is performed, and the results compared with representations made by
that organization. Due attentiveness is particularly important for business
transactions in technology-intensive markets, since there is a much higher risk of
misrepresentation or inappropriate application of emerging technologies. It is often
difficult to find individuals capable of assessing both the technological issues and
their business linkages*. The approach to be followed must be planned and agreed
upon. The process must include the selection of team members from the
organization who will participate11. The team must be multidisciplinary, and
include both business and technical experts familiar with the areas under
investigation. If staff expertise is lacking in a particular area, engage the services of
experts in that field. Depending on the results of the preliminary visits, different
approaches may be necessary for each organization12.
STEP 5: GENERAL SHORT DIAGNOSES
For the general short diagnosis, use is made of a questionnaire, either in hard copy or
electronic, which should cover the following main points 13:
ORGANIZATION
Company information, strategy, development planning.
HUMAN RESOURCES
Capabilities, needs, strengths, weaknesses, training, performance, rewards.
TECHNOLOGICAL CAPABILITY
Technological resources, know how, assessment of technological level,
implementation of information technologies, new technologies.
TECHNOLOGICAL INNOVATION
Product development, procedures, new products - number - timeframe, research
and development (in house or external), resources allocated, areas of interest,
sources of acquiring technology.
INNOVATION CAPABILITY
Innovations introduced, barriers to innovation, technology watch / searching /
technology diffusion, involvement in R&D joint projects.
PRODUCTS
Products / markets, production organization and management, production
equipment, walk through shop floor.
COOPERATION NETWORKING
With other companies / local abroad, with technology providers / sources,
participation in R&D programs.
TECHNOLOGICAL NEEDS
Demands for services / equipment / quality improvement, new technologies, access
to information / technology diffusion.
QUALITY
Quality control, products - raw materials, standards, relations with customers /
suppliers.
MARKETING
Markets, local/abroad, marketing plan / strategy.
ENVIRONMENT
Awareness / problems / needs.
STEP 6: DATA ANALYSIS BY EXPERT, REPORT ON FIRST DIAGNOSIS
The expert's report on the first diagnosis, based on the data analysis, should be brief
and should contain:
- Executive summary
- Overview of company / activities (good for signposting to networks, etc.)
- Overview of sectors / markets
- Synthesis on: Strengths / weaknesses / opportunities / threats identified
- Potential suggestions (especially if the audit stops at this point) for resolving
problems and exploiting strengths & opportunities, mainly by indicating routes for
solutions with an action plan, isolation of specific areas / departments for further
diagnosis, proposal with justification.
STEP 7: PRESENTATION OF FIRST DIAGNOSIS REPORT TO GENERAL MANAGER AND
COMPANY MANAGEMENT
The first diagnosis report is presented to the General Manager and company management,
with a hard copy of the report handed out some time earlier. The main findings are
presented, and the decision on whether to continue with further diagnosis and
the agreement on the subject(s) to analyze are also finalized here.
STEP 8: ADDITIONAL VISITS/INTERVIEWS TO DEPARTMENT HEADS
Additional visits and interviews entail an in-depth investigation of key areas of the organization being assessed. A
full due diligence audit of an external company can take up to a week at a small
single-site company with a technical staff of 50 or less, several weeks at larger
companies with a localized development team, and even longer examining a larger
company with geographically distributed development teams.
Obviously, the relationship between company size and inspection effort is non-linear.
This is because a certain set of core elements, such as policies and
procedures, business plans, and infrastructure standards are centrally located.
Typical areas and themes that could be covered with either specific subject tools or
in a less structured way (if done by a specialist) could be:
(a) Quality
· Policy – goals – personnel involvement – training;
· Process quality – monitoring and control systems – handling – storage – packaging;
· Keeping of records/use of results;
· Product quality – raw materials quality control – product quality control;
· ISO issues – presentation – benefits.
Figure (5) Quality Control Cycle
(b) Human resources
· Skills – availability;
· Satisfaction – rewards;
· Meetings – awareness of company activities/products;
· Team working/project management;
· Continuing education/training;
· Promotion – evolution – record.
(c) Research and development – Product development
· Research and development strategy/partners;
· Product mix/product lifecycle analysis ;
· Analysis of procedures for new product development;
· Analysis of research and development activities;
· Participation in research and development projects;
· Focus on specific research and development area – identification of potential technology
suppliers.
Figure (4) Steps of Product Development throughout R&D
(d) Production operation
· Walk through production facilities – bottlenecks – problem areas;
· Material flow – flow diagram;
· Overview of system automation/needs – opportunities;
· Floor and product safety;
· Maintenance – procedures – planning – problems;
· Analysis of productivity.
(e) Marketing/sales
· Existence/analysis of marketing plan;
· Strategy – market share/local – exports;
· Competitors analysis/sector analysis/opportunities – threats;
· Distribution networks – problems;
· Use of information technologies for sales/e-commerce – Internet (www.urenio.org).
STEP 9: FINAL REPORT OF THE TECHNOLOGY AUDIT COMPILED BY THE EXPERTS
Final report of the technology audit, as given in Figure (6), compiled by the experts
should contain the following*:
• Executive summary
• Summary of results from first part diagnosis
• Subject(s) analyzed in second part
• Methodology used for analysis
• Problems identified
• Solutions proposed
• Actions to be taken (action plan)
Figure (6) Technology Audit Final Report Contents
The action plan should be:
a) Specific to the subject
b) With a time frame
c) With determined milestones
d) With an estimated budget
e) With the listing of expected results
f) With identification of potential problem solvers (technology or service providers)
g) With indications about provisional funding for implementing the solutions
(e.g. national and / or international R&D programs)
h) An implementation monitoring schedule, possibly to be done by the service provider.
The action plan should be specific to the subject, with a timeframe, with determined
milestones and with an estimated budget. The action plan must list the expected
results, identify potential problem solvers (technology or service providers) and
indicate provisional funding for implementing the solutions. An implementation
monitoring schedule must be prepared by the technology auditor in conjunction with a
project manager.
STEP 10: PRESENTATION OF REPORT BY EXPERT TO COMPANY MANAGEMENT
At step 10 the report by the technology auditor to the organization must discuss
issues identified, solutions proposed, the proposed action plan and the monitoring
system that will be used.
The systematic audit program includes initiating the audit, preparing for the on-site
audit, conducting the on-site audit, report preparation and follow-up activities. The
follow-up activities in this context are the improvement activities that result from the
audit findings. Figure (7) shows the stages of audit program management.
Figure (7) Audit Program Management http://www.efrcertification.com/Attachment/ICQR65.pdf
2.3. Continuous Auditing
Continuous auditing is:
"A methodology that enables independent auditors to provide written assurance on
a subject matter using a series of auditors' reports issued simultaneously with, or a
short period of time after, the occurrence of events underlying the subject matter." 3
A continuous audit relies heavily on information technologies such as broad
bandwidth, web application server technology, web scripting solutions and
everywhere database management systems with standard connectivity.
Open database architecture empowers auditors to monitor a company's systems
over the Internet using sensors and digital agents. Incongruities between the
records and the rules defined in the digital agents are transmitted via e-mail to the
client and the auditor. For example, a digital agent performing analytical
procedures on the accounts receivable would e-mail the auditor a huge outstanding
beyond the receivable parameters defined in the digital agent. Once an account
trigger has occurred, the digital agent would move to the transactional level to
verify the authenticity of the sale by seeking an e-mail of the sale organization and
acceptance of the goods/service by the customer.
The audit routine described above is done electronically and automatically on a
real-time basis as a part of continuous monitoring. Continuous audit takes off after
this when an auditor, empowered with data, carries out independent investigation
and collects corroborative evidence to arrive at his/her own deductions.
Figure (8) Steps of Implementing Continuous Audit
2.3.1. KEY STEPS TO IMPLEMENTING CONTINUOUS AUDITING
Once the issues above are understood by managers and auditors alike, the
organization will be in a better position to begin using continuous auditing.
Generally, the implementation of continuous auditing consists of six procedural
steps, demonstrated in Figure (8), which are usually administered by a continuous
audit manager. Knowing about these steps will enable auditors to better monitor
the continuous audit process and provide recommendations for its improvement, if
needed. These steps include:
1. Establishing priority areas.
2. Identifying monitoring and continuous audit rules.
3. Determining the process' frequency.
4. Configuring continuous audit parameters.
5. Following up.
6. Communicating results.
Below is a description of each.
1. Establishing Priority Areas
The activity of choosing which organizational areas to audit should be integrated
as part of the internal audit annual plan and the company's risk management
program. Many Internal Audit Departments also integrate and coordinate with
other compliance plans and activities, if applicable. (Steps 2-6 below are applicable
to all of the priority areas and processes being monitored as part of the continuous
audit program.)
Typically, when deciding priority areas to continuously audit, internal auditors and
managers should:
• Identify the critical business processes that need to be audited by breaking
down and rating risk areas.
• Understand the availability of continuous audit data for those risk areas.
• Evaluate the costs and benefits of implementing a continuous audit process
for a particular risk area.
• Consider the corporate ramifications of continuously auditing the particular
area or function.
• Choose early applications to audit where rapid demonstration of results
might be of great value to the organization. Long extended efforts tend to
decrease support for continuous auditing.
• Once a demonstration project is successfully completed, negotiate with
different auditors and internal audit areas, if needed, so that a longer term
implementation plan is implemented.
When performing the actions listed above, auditors need to consider the key
objectives from each audit procedure. Objectives can be classified as one of four
types: detective, deterrent (also known as preventive), financial, and compliance. A
particular audit priority area may satisfy any one of these four objectives. For
instance, it is not uncommon for an audit procedure that is put in place for
preventive purposes to be reconfigured as a detective control once the audited
activity's incidence of compliance failure decreases.
2. Monitoring and Continuous Audit Rules
The second step consists of determining the rules or analytics that will guide the
continuous audit activity, which need to be programmed, repeated frequently, and
reconfigured when needed. For example, banks can monitor all checking accounts
nightly by extracting files that meet the criterion of having a debt balance that is 20
percent larger than the loan threshold and in which the balance is more than US
$1,000.
In addition, monitoring and audit rules must take into consideration legal and
environmental issues, as well as the objectives of the particular process. For
instance, how quickly a management response is provided once an activity is
flagged may depend on the speed of the clearance process (i.e., the environment)
while the activity's overall monitoring approach may depend on the enforceability
of legal actions and existing compliance requirements.
3. Determining the Process' Frequency
Although the process is called continuous auditing, the word continuous is in the
eye of the beholder. Auditors need to consider the natural rhythm of the process
being audited, including the timing of computer and business processes as well as
the timing and availability of auditors trained or with experience in continuous
auditing. For instance, although increased testing frequency has substantial
benefits, extracting, processing, and following up on testing results might increase
the costs of the continuous audit activity. Therefore, the cost-benefit ratio of
continuously auditing a particular area must be considered prior to its monitoring.
Furthermore, other tools used by the manager of the continuous audit function
include an audit control panel in which frequency and parameter variations can be
activated. Hence, the nature of other continuous audit objectives, such as
deterrence or prevention, may determine their frequency and variation.
4. Configuring Continuous Audit Parameters
Rules used in each audit area need to be configured before the continuous audit
procedure (CAP) is implemented. In addition, the frequency of each parameter
might need to be changed after its initial setup based on changes stemming from
the activity being audited. Hence, rules, initial parameters, and the activity's
frequency ― also a special type of parameter ― should be defined before the
continuous audit process begins and reconfigured based on the activity's
monitoring results.
When defining a CAP, auditors should consider the cost benefits of error detection
and audit and management follow-up activities. For instance, in the example of the
bank described earlier, the excess threshold of US $1,000 could lead to a number
of false negatives (e.g., values that were ignored when the balance was smaller
than US $1,000 but were identified as representing a problem) and a number of
false positives (e.g., values with balances above US $1,000 that were flagged but
were accurate). If the threshold is increased to US $2,000, there will be an increase
in false negatives and a decrease in false positives. Because follow up costs would
go up as the number of false positives increases and the presence of false negatives
may lead to high operational costs for the organization, internal auditors should
regularly reevaluate if error detection and follow-up activities need to be
continued, reconfigured, temporarily halted, or used on an ad hoc basis.
Furthermore, the stratification of audited data into sub-groups allows organizations
to better monitor the activity and reconfigure any parameters (e.g., auditors will be
notified when balances larger than 20 percent of the debt remain that are also
larger than US $5,000). However, the more complex the rule and its conditional
components, the more parameters that must be examined, monitored, and
sometimes reconfigured.
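The nightly bank rule from step 2 and the parameter trade-off from step 4, written out as an added example that is not part of the original booklet. It assumes the rule means "the debt balance exceeds the loan threshold by more than 20 percent and is larger than the minimum balance"; the account records, the problem labels and the two cost figures are constructed for illustration.

```python
"""Continuous-audit rule with reconfigurable parameters (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str      # constructed identifier
    debt_balance: int    # outstanding balance, whole US dollars
    loan_threshold: int  # approved limit, whole US dollars
    is_problem: bool     # constructed ground truth, as follow-up would establish


@dataclass(frozen=True)
class RuleParams:
    excess_pct: int = 20     # balance must exceed the limit by more than this
    min_balance: int = 1000  # and must be larger than this amount


def is_flagged(acct, params):
    """Apply the rule with integer arithmetic so money is never rounded."""
    over_limit = (acct.debt_balance * 100
                  > acct.loan_threshold * (100 + params.excess_pct))
    return over_limit and acct.debt_balance > params.min_balance


def evaluate(accounts, params):
    """Return the alarm list and the confusion counts for one parameter set."""
    alarms = []
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for acct in accounts:
        if is_flagged(acct, params):
            alarms.append(acct.account_id)
            counts["tp" if acct.is_problem else "fp"] += 1
        else:
            counts["fn" if acct.is_problem else "tn"] += 1
    return alarms, counts


def sweep(accounts, min_balances, followup_cost, miss_cost, excess_pct=20):
    """Re-run the rule for each candidate threshold and price the errors.

    followup_cost: cost of chasing one false positive (assumed figure)
    miss_cost:     cost of one undetected problem account (assumed figure)
    """
    rows = []
    for min_balance in min_balances:
        _, counts = evaluate(accounts, RuleParams(excess_pct, min_balance))
        cost = counts["fp"] * followup_cost + counts["fn"] * miss_cost
        rows.append({"min_balance": min_balance, **counts, "cost": cost})
    return rows


def cheapest(rows):
    """Threshold with the lowest combined error cost."""
    return min(rows, key=lambda row: row["cost"])["min_balance"]


# Constructed nightly extract: (id, debt balance, loan threshold, is a problem)
SAMPLE_ACCOUNTS = [
    Account("A-001", 1500, 1000, True),
    Account("A-002", 2500, 1500, True),
    Account("A-003", 1300, 1000, False),
    Account("A-004", 800, 500, True),    # over the limit but under US $1,000
    Account("A-005", 2200, 1500, False),
    Account("A-006", 1100, 1000, False), # only 10 percent over the limit
    Account("A-007", 6000, 4000, True),
    Account("A-008", 1800, 1000, True),
]

if __name__ == "__main__":
    for row in sweep(SAMPLE_ACCOUNTS, [1000, 2000, 5000],
                     followup_cost=50, miss_cost=400):
        print(row)
```

Raising the minimum balance from US $1,000 to US $2,000 on this extract drops one false positive and adds two false negatives, which is the trade-off the step describes; the US $5,000 row corresponds to the stratified rule.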
5. Following Up
Another type of parameter relates to the treatment of alarms and detected errors.
Questions such as who will receive the alarm (e.g., line managers, internal
auditors, or both ― usually the alarm is sent to the process manager, the manager's
immediate supervisor, or the auditor in charge of that CAP) and when the follow-up
activity must be completed, need to be addressed when establishing the
continuous audit process.
Additional follow-up procedures that should be performed as part of the
continuous audit activity include reconciling the alarm prior to following up by
looking at alternate sources of data and waiting for similar alarms to occur before
following up or performing established escalation guidelines. For instance, the
person receiving the alarm might wait to follow up on the issue if the alarm is
purely educational (i.e., the alarm verifies compliance but has no adverse economic
implications), there are no resources available for evaluation, or the area identified
is a low benefit area that is mainly targeted for deterrence.
6. Communicating Results
A final item to be considered is how to communicate with auditors. When
informing auditors of continuous audit activity results, it is important for the
exchange to be independent and consistent. For instance, if multiple system alarms
are issued and distributed to several auditors, it is crucial that steps 1-5 take place
prior to the communication exchange and that detailed guidelines for individual
factor considerations exist. In addition, the development and implementation of
communication guidelines and follow-up procedures must consider the risk of
collusion. Much of the work on fraud indicates that the majority of fraud is
collusive and can be performed by an internal or external party. For example, in
the case of dormant accounts, both the clerk that moves money and the manager
that receives the follow-up money may be in collusion since the manager's key
may have to be used for certain transactions.
ADDITIONAL CONSIDERATIONS
Besides the six steps described in the previous section, two additional issues that
emerge when implementing continuous auditing are the infrastructure needed for
the process to work and its impact on the workplace.
Organizational Infrastructure
Because continuous auditing is a part of the company's audit function, it must be
kept independent of management. Therefore, during the planning stages, auditors
need to keep in mind the process' independence when designing its structure. For
instance, a typical Internal Audit Department is structured so that areas of the
department focus on different cycles or business activities. In addition, the
department may be divided into financial and IT audit functions.
Sometimes, however, IT audit activities are incorporated as part of existing IT
operations. In organizations such as these, the development of continuous auditing
is usually delayed because the activity may not get the necessary development
priority. Regardless of whether IT audit activities are part of the organization's IT
or Internal Audit Department, the organization must maintain the process'
independence as well as allocate resources in support of continuous audit activities.
Impact on Personnel
In addition, the audit manager in charge of the continuous audit process should
have a more technical understanding of IT as well as extensive experience on the
activities being audited. However, hiring, training, and retaining auditors who can
implement and monitor continuous audit activities might be challenging due to the
scarcity of internal auditors with knowledge in the area. Furthermore, the
continuous audit process might create a daily stream of issues that need to be
resolved, which might prove stressful given current personnel resources, and might
require the continuous audit manager to exert adequate authority in moments of
exceptions.
CHAPTER 3
PERFORMANCE IN TECHNOLOGY AUDIT
3.1. Introduction
Appointment of Auditor – auditors are usually appointed by the organization
managers at the administration council meeting.
Terms of Engagement – an engagement letter provides written recognition of the
auditor's acceptance of appointment, sets out the scope of the audit plus the auditors'
and management's responsibilities.
Audit Program – sets out the extent and type of audit procedures. Auditors work to
internationally agreed auditing standards. Auditors start by gaining an
understanding of the organization's activities. For each major activity listed in the
financial statements, auditors identify and assess risks that could have a significant
impact on the financial position or performance.
Detailed Examination – auditors perform testing and obtain evidence to satisfy the
requirements of the audit program. Testing may include compliance with the
organization's accounting policies, examining accounting records and verifying the
existence of tangible items such as plant and equipment.
Audit Report – contains the audit opinion on the financial report and basis of that
opinion. The scope of the audit plus auditors and management responsibilities are
also restated. The external auditor should maintain independence from
management and directors so that the tests and judgments are made objectively.
Auditors discuss the scope of the audit work with the organization. Auditors
determine the type and extent of the audit procedures they will perform depending
on the risks and controls they have identified. Auditors form an opinion on the
information in the final report. However, the external auditor should not look at
every transaction carried out by the organization, test the adequacy of all of the
organization's internal controls, identify all possible irregularities, or audit other
information provided to the members of the organization – e.g. the directors'
report. Figure (9) gives the flowchart of the external audit.
Figure (9) Flowchart of the external audit Source: www.urenio.org
3.2. Audit team roles and responsibilities
An audit may be conducted by a single lead auditor or by an audit team consisting
of a lead auditor, one or more auditors and/or a technical adviser. The National
Code of Practice for Auditors and Technical Advisers describes the conditions that
an auditor and technical adviser must adhere to when fulfilling their roles during
audits.
Lead Auditor
The role of the lead auditor, demonstrated in Figure (10), is to:
• Confirm the scope of the audit with the registering body
• Contact the applicant and make an appointment for the audit
• Identify and confirm resources (including audit team members and audit
documentation) required to conduct the audit
• Review documentation and develop a plan and schedule for the audit in
conjunction with the applicant and then confirm these arrangements
• Brief the audit team
• Conduct the opening meeting
• Identify and gather information
• Manage audit team resources by ensuring that there is effective communication
between the members of the audit team, and by working with the applicant's
representative to ensure that auditors and technical experts have access to the
materials, sites and personnel they require
• Coordinate the audit findings by meeting with the audit team to synthesize the
evidence collected
• Prepare the audit report with support from the audit team
• Conduct the feedback session with the applicant and confirm follow-up
• Provide information to the applicant about the complaints process and follow-up
action required
• Provide feedback to the audit team.
Figure (10) Duties of Leader of Auditor Team
Auditors
The role of an auditor, as shown in Figure (11), is to:
• Participate in the opening meeting
• Identify and gather information
• Analyze information
• Evaluate information
• Report findings
• Participate in the feedback session
• Undertake other duties as requested by the lead auditor.
Figure (11) Role of Auditor
To understand better how a comprehensive, effective technology audit works, the
process can be broken down into its various phases in order to draw a comparison
between the audit process and the activities associated with organization
accreditation. An accreditation visit can be segmented into three phases:
1) Getting ready;
2) On-site visit;
3) Results & follow up.
The greatest quantity of work occurs during the first phase. Therefore, the three
phases will be examined accordingly.
Phase One: Pre-Audit
Whether the technology audit has been triggered by the organization's internal desire
to assess its accountability or whether the impetus has come from outside the
organization, the initial phase is the same. The organization must get ready for the
audit. Thus, this phase is sometimes called the "pre-audit" stage. At a macro level,
the organization might want to establish a set of systems that can be put in place to
make the auditors' time more valuable and more efficient. The auditor may want to form a
group of teams to perform specific functions; a physical location may be specified
as a "gathering point" for evidentiary documents; a series of focus group meetings
should be scheduled so organization leaders can encourage employees and
community members to voice their opinions and give their perspectives regarding
the organization's status; and a system should be created where all the hard work of
engaged people, the data and reports the auditor collects, and the supporting systems
can be perpetuated.
Enrolling team members - To make your technology audit a success, it is essential
to have high-quality teams. The teams will be made up of specialized members.
The team leaders will ensure a strong and fluid cooperation among teams, all
working on a common end goal. Team building is a significant activity. All
organization leaders realize this fully. The best leaders build and grow the best
teams so that they will accomplish the best results.
The auditor team leader may clarify matters with the organization's employees by
explaining to them that a technology audit is coming and that he wants to obtain their
very best thinking about some strategies that will assure success for the organization.
During this meeting, the auditor might want to engage in a simple brainstorming activity,
asking everyone to call out, as fast as they can, all the areas where technologies
are used in the organization. The team leader might ask them to be frank and
candid in their comments, and then ask them to pinpoint areas where they perceive
that improvements could be made. If/when they mention some examples, the
auditor asks for substantiating evidence that may give the clues to other things
needing. The team leader tries to imagine how the auditors will see things/look at
things through their eyes. What would the auditors do? What would they say?
What would they seek? How would they interpret what you give them? What
would they recommend? As the leader and the team of advisors go through these
considerations, they will have prepared themselves well for what lies ahead, and
will no longer fear the technology audit, or consider it as a negative event. Rather,
they will see this as a profoundly important opportunity to engage in systemic
improvement, as well as great improvement at the individual level.
Phase Two: On-Site Visit
The time has come finally when auditors arrive at the organization and are
examining both the reports (data, information, and evidence) and the actual reality
of technology integration. This guideline is intended to help auditors conduct more
focused reviews of technology acquisitions by enabling them to quickly identify
significant areas of risk. Using these guidelines will help auditors identify critical
factors not addressed by management, make a general evaluation of any
procurement risks, and provide rapid feedback to agency officials so they can take
corrective action in a timely and efficient manner. Use of the guidelines should be
selectively tailored to the requirements of particular reviews and adapted to the
status of the acquisition. Auditors will need to exercise professional judgment in
assessing the significance of audit results or findings. Professional judgment is
necessary to evaluate this information and determine if the agency conducted an
adequate requirements analysis.
There are five tasks within the audit process area:
1. Develop and implement a risk-based audit strategy for the organization in
compliance with audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected
and controlled.
3. Conduct audits in accordance with audit standards, guidelines and best
practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key
stakeholders.
5. Advise on the implementation of risk management and control practices
within the organization while maintaining independence.
3.3. Audit planning
Audit planning consists of both short- and long-term planning, demonstrated in
Figure (12). Short-term planning takes into account audit issues that will be
covered during the year, whereas long-term planning relates to audit plans that will
take into account risk-related issues regarding changes in the organization's
technology strategic direction that will affect the organization's technology
environment. Analysis of short- and long-term issues should occur at least
annually.
Figure (12) Types of Audit Planning
Figure (13) Perform Audit Planning Steps
This is necessary to take into account new control issues, changing technologies,
changing business processes and enhanced evaluation techniques. The results of
this analysis for planning future audit activities should be reviewed by senior
management, approved by the audit committee, if available, or alternatively by the
Board of Directors, and communicated to relevant levels of management. In
addition to overall annual planning, each individual audit assignment must be
adequately planned. The auditor should understand that other considerations, such
as risk assessment by management, privacy issues and regulatory requirements,
may impact the overall approach to the audit. The auditor should also take into
consideration system implementation/upgrade deadlines, current and future
technologies, requirements of business process owners, and resource limitations.
When planning an audit, the auditor must have an understanding of the overall
environment under review. This should include a general understanding of the
various business practices and functions relating to the audit subject, as well as the
types of information systems and technology supporting the activity.
To perform audit planning which is shown in Figure (13), the auditor should
perform the following steps in this order:
• Gain an understanding of the business's mission, objectives, purpose and
processes, which include information and processing requirements, such as
availability, integrity, security and business technology.
• Identify stated contents, such as policies, standards and required guidelines,
procedures, and organization structure.
• Evaluate risk assessment and any privacy impact analysis carried out by
management.
• Perform a risk analysis.
• Conduct an internal control review.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Assign personnel resources to the audit and address engagement logistics.
• Audit planning
  – Short-term planning
  – Long-term planning
  – Things to consider
    • New control issues
    • Changing technologies
    • Changing business processes
    • Enhanced evaluation techniques
• Individual audit planning
  – Understanding of overall environment
    • Business practices and functions
    • Information systems and technology
3.4. Road Map for the External Audit Team Audit Leader
The following are steps that the team audit leader would perform to determine an
organization's level of compliance with external requirements:
• Identify those government or other relevant external requirements dealing with:
– Electronic data, copyrights, e-commerce, e-signatures, etc.
– Computer system practices and controls
– The manner in which computers, programs and data are stored
– The organization or the activities of the information services
• Document applicable laws and regulations
• Assess whether the management of the organization and the information systems
function have considered the relevant external requirements in making plans and in
setting policies, standards and procedures
• Review internal information systems department/function/activity documents that
address adherence to laws applicable to the industry
• Determine adherence to established procedures that address these requirements.
3.5. Notes to the Auditor
The auditor will not ask about any specific laws or regulations, but may ask
how one would audit for compliance with laws and regulations.
The auditor should understand the relationships between control objectives and
controls; control objectives and audit objectives; criteria and the sufficiency
and competency of evidence; and audit objective, criteria and audit procedures.
A strong understanding of these elements is key to the auditor's performance.
The auditor should be aware of the importance of legal advice. There are two key
aspects that controls need to address: what the auditor should achieve and what
to avoid.
The auditor addresses not only the business/operational objectives of internal
controls, but also needs to address undesired events through preventing,
detecting, and correcting them. Types of control:
• Internal accounting controls - Primarily directed at accounting operations, such as
the safeguarding of assets and the reliability of financial records
• Operational controls - Directed at the day-to-day operations, functions and
activities to ensure that the operation is meeting the business objectives
• Administrative controls - Concerned with operational efficiency in a functional
area and adherence to management policies including operational controls. These
can be described as supporting the operational controls specifically concerned with
operating efficiency and adherence to organizational policy.
Figure (14) Elements to Development of Internal Control Manual
3.6. Control objectives
Every organization needs to have a sound internal control in place to keep the
organization on course toward profitability goals and achievement of its mission,
to minimize surprises along the way and to be able to realize its opportunities.
The elements for developing an internal control manual are illustrated in Figure (14).
The importance of internal control has been further heightened by the increasing
attention given to corporate governance, of which internal control is now
considered to be a vital element. Sound practices of internal control and risk
management enable management to deal with rapidly changing economic and
competitive environments, shifting customer demands and priorities, and
restructuring for future growth. Internal controls and risk management promote
efficiency, reduce risk of asset loss, and help ensure the reliability of financial
statements [38].
The control objectives consist of the following:
• Safeguarding of information technology assets
• Compliance to corporate policies or legal requirements
• Authorization/input
• Accuracy and completeness of processing of transactions
• Output
• Reliability of process
• Backup/recovery
• Efficiency and economy of operations.
Controls are generally categorized into 3 major classifications:
Preventive: These controls are to deter problems before they arise.
Detective: Controls that detect and report the occurrence of an error, omission or
malicious act.
Corrective: These controls minimize the impact of a threat, remedy problems
discovered by detective controls, and identify the cause of a problem.
Internal control objectives apply to all areas, whether manual or automated.
Therefore, conceptually, control objectives in an information systems environment
remain unchanged from those of a manual environment. However, control features
may be different. Thus, internal control objectives need to be addressed in a
manner specific to related processes.
Figure (15) Internal Control Pyramid http://www-audits.admin.uillinois.edu/ICT/ICT-summary.html
Internal Control is a process within an organization designed to provide
reasonable assurance:
• That information is reliable, accurate, and timely.
• Of compliance with policies, plans, procedures, laws, regulations, and contracts.
• That assets (including people) are safeguarded.
• Of the most economical and efficient use of resources.
• That overall established objectives and goals are met.
Internal controls are intended to prevent errors or irregularities, identify problems,
and ensure that corrective action is taken.
Figure (15) illustrates the internal control pyramid and the information and
communication path.
CHAPTER 4
SWOT ANALYSIS
4.1 Introduction
SWOT Analysis is a business tool by which a firm wishing to implement a
strategic analysis analyses and recognizes its corporate Strengths and Weaknesses,
as well as the existing or forthcoming Opportunities and Threats from its external
environment.
Only when these four critical information elements are well elaborated and known
is the enterprise able to formulate and implement the strategy leading to its
business aims.
4.2. The Need for SWOT Analysis
The SWOT Analysis is an extremely useful tool for understanding and decision-
making for all sorts of situations in business and organizations. SWOT Analysis is
a very effective way of identifying your Strengths and Weaknesses, and of
examining the Opportunities and Threats you face. Carrying out an analysis using
the SWOT framework helps you to focus your activities into areas where you are
strong and where the greatest opportunities lie. By creating a SWOT Analysis, you
can see all the important factors affecting your business together in one place. It's
easy to create, easy to read, and easy to communicate.
Figure (16) SWOT Analysis Framework [14]
4.3. Limitations of SWOT Analysis
SWOT Analysis is not free from its limitations*. It may cause organizations to
view circumstances as very simple, because of which the organizations might
overlook certain key strategic contact which may occur. Moreover, categorizing
aspects as strengths, weaknesses, opportunities and threats might be very
subjective, as there is a great degree of uncertainty in the market. SWOT Analysis
does stress the significance of these four aspects, but it does not tell how an
organization can identify these aspects for itself.
There are certain limitations of SWOT Analysis which are not in control of
management. These include:
a. Price increase;
b. Inputs/raw materials;
c. Government legislation;
d. Economic environment;
e. Searching for a new market for a product that has no overseas market due to
import restrictions; etc.
Internal limitations may include:
a. Insufficient research and development facilities;
b. Faulty products due to poor quality control;
c. Poor industrial relations;
d. Lack of skilled and efficient labor; etc
The SWOT Analysis is an extremely useful tool for understanding and
decision-making for all sorts of situations in business and organizations. A
company can use the SWOT Analysis while developing a strategic plan or
planning a solution to a problem that takes into consideration many different
internal and external factors, and maximizes the potential of the strengths and
opportunities while minimizing the impact of the weaknesses and threats.
4.4. SWOT Analysis Framework
Action checklist
1. Establishing the objectives
The first key step in any project is to be clear about what you are doing and why.
The purpose of conducting SWOT Analysis may be wide or narrow, general or
specific.
2. Allocate research and information-gathering tasks. Background preparation is a
vital stage for the subsequent analysis to be effective, and should be divided
among the SWOT participants. This preparation can be carried out in two stages:
• Exploratory, followed by data collection.
• Detailed, followed by a focused analysis.
Gathering information on Strengths and Weaknesses should focus on the internal
factors of skills, resources and assets, or lack of them. Gathering information on
Opportunities and Threats should focus on the external factors.
3. Create a workshop environment
If compiling and recording the SWOT lists takes place in meetings, then do
exploit the benefits of workshop sessions. Encourage an atmosphere conducive to
the free flow of information and to participants saying what they feel to be
appropriate, free from blame. The leader/facilitator has a key role and should
allow time for free flow of thought, but not too much. Half an hour is often
enough to spend on Strengths, for example, before moving on. It is important to
be specific, evaluative and analytical at the stage of compiling and recording the
SWOT lists.
4. List Strengths, Weaknesses, Opportunities, Threats in the SWOT Matrix
5. Evaluate listed ideas against objectives.
With the lists compiled, sort and group facts and ideas in relation to the
objectives. It may be necessary for the SWOT participants to select from the list
in order to gain a wider view.
The SWOT Analysis template is normally presented as a grid, comprising four
sections, one for each of the SWOT headings: Strengths, Weaknesses,
Opportunities, and Threats. The SWOT template given in Chapter 5 includes
sample questions, whose answers are inserted into the relevant section of the
SWOT grid. The questions are examples, or discussion points, and obviously can
be altered depending on the subject of the SWOT Analysis.
Figure (17) SWOT Analysis Framework
CHAPTER 5
EXAMPLE OF FORMATION OF SWOT MATRIX PARAMETERS
Figure (18) SWOT Matrix Environment Analysis
5.1 Introduction
The analysis of the company's situation starts by defining its strengths, weaknesses,
opportunities and threats. The table below shows some common parameters which
may be considered.
Strengths
• Advantages of proposition?
• Capabilities?
• Competitive advantages?
• USP's (unique selling points)?
• Resources, Assets, People?
• Experience, knowledge, data?
• Financial reserves, likely returns?
• Marketing - reach, distribution, awareness?
• Innovative aspects?
• Location and geographical?
• Price, value, quality?
• Accreditations, qualifications, certifications?
• Processes, systems, IT, communications?
• Cultural, attitudinal, behavioral?
• Management cover, succession?
Weaknesses
• Disadvantages of proposition?
• Gaps in capabilities?
• Lack of competitive strength?
• Reputation, presence and reach?
• Financials?
• Own known vulnerabilities?
• Timescales, deadlines and pressures?
• Cash flow, start-up cash-drain?
• Continuity, supply chain robustness?
• Effects on core activities, distraction?
• Reliability of data, plan predictability?
• Morale, commitment, leadership?
• Accreditations, etc?
• Processes and systems, etc?
• Management cover, succession?
Opportunities
• Market developments?
• Competitors' vulnerabilities?
• Industry or lifestyle trends?
• Technology development and innovation?
• Global influences?
• New markets, vertical, horizontal?
• Niche target markets?
• Geographical, export, import?
• Tactics - surprise, major contracts, etc?
• Business and product development?
• Information and research?
• Partnerships, agencies, distribution?
• Volumes, production, economies?
• Seasonal, weather, fashion influences?
Threats
• Political effects?
• Legislative effects?
• Environmental effects?
• IT developments?
• Competitor intentions - various?
• Market demand?
• New technologies, services, ideas?
• Vital contracts and partners?
• Sustaining internal capabilities?
• Obstacles faced?
• Insurmountable weaknesses?
• Loss of key staff?
• Sustainable financial backing?
• Economy - home, abroad?
• Seasonality, weather effects?
5.2. Tips for Designing Your SWOT Analysis
For the success of the SWOT Analysis, some constraints depending on the
environment of the organization should be taken into consideration.
The following are some tips [15] for the auditors:
Top tips, each with a point to remember:
1. Top tip: Never copy an existing SWOT Analysis; it will influence your thinking. Start with a fresh piece of paper every time.
   But remember: You could use a standard template to help the ideas flow.
2. Top tip: Set aside enough time to complete it.
   But remember: You may need to come back to it several times before you are happy.
3. Top tip: The SWOT Analysis itself is NOT the result. It's only a tool to help you analyze your business.
   But remember: Before you begin any analysis, you should know what you intend to do with the results.
4. Top tip: A SWOT Analysis is not a business school fad. It is a proven technique used throughout the business community.
   But remember: You need to be comfortable working with it in your business.
5. Top tip: Keep your SWOT Analysis simple, readable, short and sharp.
   But remember: It needs to make sense to outsiders (e.g. bank managers or investors) so don’t use phrases or acronyms that only you understand.
6. Top tip: Make sure you create an action plan based on your SWOT Analysis.
   But remember: You need to communicate this clearly to everyone involved.
7. Top tip: A SWOT Analysis only gives you insight at a single point in time.
   But remember: You need to review it – probably quarterly – to see how the situation has changed.
8. Top tip: Don't over-analyze. Try not to worry if it isn't perfect, just get the analysis done.
   But remember: If you are going to act on the results, it needs to be accurate in all the important areas.
The role of SWOT Analysis is to take the information from the environmental
analysis and separate it into internal issues (strengths and weaknesses) and external
issues (opportunities and threats). Once this is completed, SWOT Analysis
determines if the information indicates something that will assist the firm in
accomplishing its objectives (a strength or opportunity), or if it indicates an
obstacle that must be overcome or minimized to achieve desired results (weakness
or threat). When doing SWOT Analysis, remember that the S and W are
INTERNAL and the O and T are external.
Figure (19) http://www.taygro.co.za/aboutus.html
CHAPTER 5
PRACTICAL EXAMPLES OF SWOT ANALYSIS
5.1. Health centers
Subject of SWOT Analysis example: the achievement of a health centre's mission.
The scenario is based on the SWOT Analysis [17], which has been performed by a
health centre in order to determine the forces that promoted or hindered the
achievement of its mission.
Starting position of the health centre:
• The staff lacked motivation
• The building was really small
• The facility was old
• There was a lot of paper work and bureaucracy
Those characteristics resulted in this health centre facing up to a lot of problems
with the accommodation of the patients. Moreover, the establishing of a new
advanced hospital in the city made the situation even worse. Therefore, they
decided to perform a SWOT Analysis in order to execute the best decision-making
for all the problems that they faced.
Step 1: Purpose of conducting SWOT Analysis - the achievement of a health
centre's mission.
Step 2: The gathering of information on Strengths and Weaknesses focused on the
internal factors of skills, resources and assets, or lack of them. The gathering
of information on Opportunities and Threats focused on the external factors.
Step 3: The manager of the health centre encouraged all the staff members to
freely express their opinions about what they felt to be appropriate.
Step 4: SWOT matrix
Step 5: After completing the SWOT matrix the SWOT participants had a wider
view of the situation at the centre so they were able to propose the alternatives that
helped considerably in the operation of the health centre.
The alternatives were:
• training of the staff in interactive techniques of quality improvement
• coordination with other providers to cover all user needs
• remodeling of the facility with local government funds and international help
• cost recovery of drugs and lab supplies with user fees
• payment of incentives to staff based on performance
• review of procedures for decreasing costs and waiting times and increasing
perceived quality.
Strengths:
• Willingness of staff to change
• Good location of the health centre
• Perception of quality services
Weaknesses:
• Staff lack of motivation
• Building was really small
• Paper work and bureaucracy
• Cultural differences with users
Opportunities:
• Support of local government
• High felt need of users
• Internationally funded projects
Threats:
• Low income of users
• Bad roads
• Low salaries
• Lack of budget
• Paradigms of providers
• High competition
This strategic analysis and planning of the health centre had the below results:
• 27% increase of patients
• reduction of waiting times to 15 minutes
• 20% increase of staff performance
• remodeling of the facility
5.2. University SWOT Analysis
University strengths, weaknesses, opportunities and threats (SWOT Analysis) were
identified by members of University Strategic Goals and Priorities Committee
during a brainstorming session. Administrators, faculties, and students reviewed
the analysis and provided input. Background information on the Organization is
opportunities and threats it faces can be useful in considering strategic issues.
The SWOT Analysis was used to develop the attached strategic questions. These
questions and others raised by participants at the workshop will help define
strategic directions important to the university in the next five years.
SWOT ANALYSIS
Strengths:
- Positive reputation in the external community
- Positive experience with those who interact with the campus
- Proactive Partnerships with other universities, community colleges, and corporations
- Past performance
- Many Accredited Programs
- Successful 6 year graduation rates
- Faculty and staff support the campus mission
- Proactive student support
- Access to services
- Faculty involvement with students
- Student leadership programs
- Learning communities developing to enhance learning and student-faculty interaction
- Campus Characteristics
- Medium size campus with small class size
- Facilities include new and well-maintained, attractive buildings and grounds with growth potential
- Potential for growth in Turlock and Stockton
- Friendly and safe
- Diverse student body, Hispanic Serving Institution
- Dedicated and Expert faculty
- Campus wide involvement in planning
- Healthy shared governance
- Strong, active external boards
- Residential Campus Development
- Artistic and Cultural Performances
Weaknesses:
- Distinguishing qualities and identity not well known
- Operational structure/bureaucracy
- Sluggish responsiveness to student and community needs
- Fiscal uncertainty
- Lack of pride of internal community
- Match between research expectation & support
- High and unequal workloads faculty & staff
- Ability to hire & retain faculty
- Student preparedness at entrance
- Adjusting to pressures of growth
- Varying perceptions of appropriate proportions of major employee categories (faculty, staff, and administrators)
- Lack of strong, pervasive presence in the external community
- Limited resources for faculty and staff development
- Highly competitive market for diverse faculty and staff
- Promulgating egalitarianism
- Reporting perceived as a ritual and meaningless
- Reporting requirements absorb a large percentage of resources
Opportunities:
- Partnerships in support of university initiatives
- Expanded possibilities for the workforce
- Diversity of region (students industry)
- External Community and University relationships
- Interest in academic program expansion
- Interest in expansion of cultural activities
- Interest in University services (Policy Center, Bridge,
- Growth potential
- New construction
- Societal trends
- Increased value of higher education completion
- Growing demand for graduates
- Match between curricular & societal interests
- Increase demand for mid-career redirection and lifelong learning
- Increased interest in global initiatives
- Technological advances
- Partnership opportunities
- Increased focus on higher education
- development of university park
- large student pool
- increased interest in university connections
Threats:
- State budget crisis
- Private, for-profit, and on-line universities' responsiveness to program and student scheduling demands
- Increase in reporting expected by government and society
- Shift in focus on numerical achievement vs. qualitative achievement
- Negative public perception
- Development of another university in the area
- Societal and student perception of education as solely a means to a job
- Reporting perceived as a ritual and meaningless
- Reporting requirements absorb a large percentage of resources.
- Historical public perceptions/lack of knowledge about higher Education.
- Historical lack of knowledge.
SWOT ANALYSIS OF AUC [37]
I-Introduction:
SWOT analysis: a method of analyzing an organization's competitive situation
that involves assessing organizational strengths (S), weaknesses (W),
environmental opportunities (O), and threats (T).
Both strengths and weaknesses are internal factors that are subject to change
from within the organization itself. Opportunities and threats are the conditions
within the external environment that affect the organization, such as:
technological, economic, legal-political, sociocultural, and the international
element.
II-SWOT ANALYSIS of AUC:
1-Strengths:
a - Highly qualified full time, and part time faculty.
b - Highly skilled students due to the highly competitive selection in admissions.
c - Advanced technology in the University facilities; optic fiber network, ACS
server, well-equipped engineering, natural sciences, and computer labs (relative to
the Egyptian universities), and research centers (Desert research center).
d - Distinctive rank in the private universities market in Egypt, in comparison to
other universities.
e - Continuous renovations in facilities (New campuses in Falaki and New
Cairo), technology, and staff.
f - Well defined managerial policy; well-defined hierarchy.
g - Monopolizing the employment market of some majors, such as: construction
management and industrial engineering, business administration, political science,
and computer science.
h - Private university, accredited by several authorities, such as: the Egyptian
ministry of education, Egyptian Syndicates, ABET (Accreditation Board of
Engineering and Technology), the higher council of universities in Egypt, MSA
(Commission on Higher education of the Middle States Association of colleges and
schools) and AACU (American Association for Colleges and Universities).
i - An integrated modern library, containing books, microfilms, periodicals, and
other documents, arranged on the same model as the Congress library. Moreover,