IT assurance (audits) is the examination and evaluation of an organisation's information technology infrastructure, applications, strategies, policies, procedures and standards. IT audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall strategy and objectives.
An IT audit (also called an information systems audit) is today an integral part of an external and internal audit. Our IT audit services are geared towards providing our clients with robust independent assurance that their IT risks, key management (governance) priorities and core systems are being appropriately managed. Engagements can range from where we express an audit opinion (e.g. under international standards like International Standard on Assurance Engagements (ISAE) 3402 / 3000) to agreed-upon-procedures (e.g. under the International Standard on Related Services) where we simply report on risks and control weaknesses found.
BDO South Africa has a dedicated team of career IT auditors who are able to support your organisation with the skills and experience you require. Whether it’s a co-sourced or fully outsourced assignment, our team of dedicated professionals has the ability to deliver.
For IT-specific audit assignments the methodology not only draws from the COBIT framework, but also other international standards and frameworks, where necessary (e.g. AICPA’s Technical Practice Aids, TSP sec. 100; the ISO27001 standard etc.).
BDO provides the following IT assurance services:
General IT Control, Business Process and Application Control Audits
General IT controls are designed to protect critical business applications of an organisation. A general IT controls audit examines and evaluates a number of security, change control and data / system availability controls.
Business process and application controls are automated and manual procedural controls over data input, processing and output. Application controls are automated process controls and are designed to protect the validity and integrity of business data in an organisation’s application. An application controls audit examines and evaluates a number of data input, processing and output controls.
Sarbanes Oxley Act (SOX) Audits
A SOX compliance audit is a measure of how well an organisation manages its internal controls, including the internal IT controls that protect the IT infrastructure and applications that handle the organisation’s financial data processing.
ISAE 3402 Audits (SOC 1)
When an organisation provides critical services relevant to its clients’ financial reporting, the organisation can obtain an independent assurance report (ISAE 3402 report*) from BDO, expressing an opinion on the design and operational effectiveness of the organisation’s internal controls that are most likely relevant to its clients’ internal control over financial reporting. This report can then be issued to the organisation’s clients and their auditors, who can rely on the opinion during the clients’ statutory audits.
* The International Auditing and Assurance Standards Board’s (IAASB) International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organisation (ISAE 3402).
ISAE 3000 Audits (SOC 2)
When an organisation provides services to a client who is concerned about the design and operational effectiveness of the service organisation’s security and privacy controls, its controls over data availability, and the processing integrity of its systems, the service organisation can obtain an ISAE 3000* report from BDO, expressing an opinion on the design and operational effectiveness of these internal controls. This report can then be issued to the organisation’s client and their auditors, who can rely on the opinion during the statutory or any other audit.
* International Standard on Assurance Engagements (ISAE) – ISAE 3000: Assurance Engagements Other Than Audits or Reviews of Historical Financial Information – established by the International Auditing and Assurance Standards Board (“IAASB”).
Privacy Audits (POPI, PAIA & GDPR)
BDO’s privacy audits focus on compliance with both the regulations of the Protection of Personal Information (POPI) Act and the Promotion of Access to Information (PAIA) Act – acts that have been promulgated to protect South African citizens’ personal information. In cases where an organisation also processes European Union (EU) citizens’ personal data, the audit should include compliance verification with General Data Protection Regulation (GDPR) as well.
Disaster Recovery Planning (DRP) / Business Continuity Planning (BCP) Audits
BDO’s DRP and BCP audits focus on an organisation’s continuity planning to offset the impact of man-made or natural disasters.
IT Governance (King IV) Audits
During our IT Governance audits, BDO normally covers the following aspects: strategic alignment, value delivery, risk management, resource management, and performance measurement.
Project Assurance and/or System Development and Implementation (Systems Development Life Cycle (SDLC)) Audits
Organisations developing new systems or implementing off-the-shelf systems should not only enforce a sound project management methodology but also follow a customised SDLC methodology to ensure that the new system is implemented on time, within budget, and meets the needs of the business at both an operational and a strategic level. An SDLC audit examines and evaluates a number of best practices.
Network, IT and Cyber Security
Various IT / network / cyber security audit services are provided by BDO, including application penetration testing, external and internal network penetration testing, and other logical and physical security audits. (See cybersecurity for more information.)
Revenue assurance is the process of verifying the completeness, accuracy and integrity of the capturing, recording, billing and reporting of all billable events. This is an end-to-end process from customer entry through to the collection of the revenue.
IT Security Certification (SOC 3)
Under SOC 3, two types of audit reports can be issued, namely SysTrust (geared primarily towards a service organisation using a wide variety of IT systems) and WebTrust (geared primarily towards e-commerce companies).