Innovation and the pace of technological change have made Mexican institutions more dependent on information technology. This has increased the information technology risks that these institutions face. For that reason, this paper has been prepared to show how an IT audit organization might be implemented in the Control Intern Organism (CIO) of the Mexican Congress. This organism is responsible for all of the legislation work in the country. This is an important aspect, because part of the future of the country lies in their hands; that is why it is very important to provide them with the appropriate tools and mechanisms to leverage their work.
Not in an ideal way, but through more proactive actions, this has to do with changing the status quo in its most important face, the legislative power, and with introducing new forms of government practices. To do that, it is essential to analyze every aspect of the organization. From this analysis, it is important to note that the Direction of Technology and Information of this organism constantly leverages its potential in attending to the normal requirements. At present, the CIO (Contraloría Interna) does not have an organization that leads IT audit practices. The mission of this audit organization would be to ensure that all of the procedures related to information management, such as confidentiality and availability, are met. It is also important to manage the risks related to information security, and to manage the back-out plans and disaster recovery plans for handling information. Due to the nature of the information being handled, it is necessary to control the IT infrastructure. Another mission would be to guide the development and direction of the IT organization.
This analysis is based on checklists, interviews and on-site visits. All of these activities led to knowledge of the different areas and to research into tools that might help them. We built a business case, with a benefit-cost analysis attached, and a P&L analysis to identify what the new IT audit organization requires. A comparative analysis of software tools for audit processes has also been prepared, along with research into best practices that can be used and adapted.
A comparative matrix is presented to show the different best practices and automated tools that are available, with their capabilities and costs. To cover long-term investments, the paper presents a cost analysis of the different commercial certifications in audit practices, outlining their benefits to the organism, without putting aside the practical elements needed to get this project up and running.
This paper also covers the analysis of IT audit standards. These standards are very important because they have been created by international organisms, are broadly used, and provide benefits that can be measured with process improvement methods and with information and asset management practices.
Regarding CAATs, it is determined that even without creating an IT audit organization, the use of an audit technique would be very useful to improve current work, because a former audit person needs to retrieve information using all of the resources available, whereas a software tool makes this easier. In this paper, we present some techniques that can be used to analyze the tools, how to select a CAAT, and how to use it once it is chosen. We also present how to use a methodology with a tool, including all of the paperwork and reports. As a complementary report, we show different demonstrations given to the internal auditing personnel, guided by the actual companies that distribute the tools in the market. As an extra activity, we applied questionnaires to audit personnel to learn their opinions and recommendations about each tool and what they state as the most convenient feature for each area.
A study of different techniques and procedures for conducting an IT audit is also presented, in order to select the most appropriate for the organism. It is important to mention that IT audit personnel should know the software tools that have been developed and have a clear understanding of IT concepts.
The paper also notes that there are different procedures in IT audit for providing information, gathering characteristics, showing the results and leveraging the conclusions.
In this paper we present the necessary steps to build an IT audit area from scratch. The first step concerns the necessary structure and requirements: strategic planning, mission, objectives, vision, functional charts, etc. The second step is to gather the right people skills and human resources to achieve the desired results. As a third step, we recommend defining an IT management strategy and a tool that meets 100% of the requirements.
In conclusion, we state that the implementation of an IT audit area within the internal auditing area of the Mexican Congress is not only suggested but necessary, because it will provide the appropriate elements for the organism to face the challenge of bringing itself to a new and modern status quo, including qualified professionals, international standards, automated audit tools and best practices. This set of elements must enhance the overall performance of the organism, with key indicators such as efficiency, quality, service level, etc. The use of these key performance indicators will contribute to a transparent and optimal use of public resources, because that is what all Mexican people ask for.