Information technology assurance and advisory

IT audit – reduce risk, add value and improve security

The investment in IT systems within the Higher Education sector has been relentless. The investment in support systems is being followed by the implementation of student-facing systems, with the core activities of teaching and learning, research and enterprise becoming increasingly system dependent. The quality and reliability of information delivered to students’ own PCs and mobile devices is becoming a key aspect of the student experience. At the same time, institutions are becoming data rich, seeing their data as a critical strategic resource in much the same way as any consumer business, rather than just as a compliance issue.

We provide bespoke IT assurance and advisory services to each member organisation. This reflects the high rate of change within the IT and information environments, and the fact that at any point in time each member has a unique combination of organisational structure, technology, operational processes and project priorities driving its audit requirements. Key IT audit services that deliver a tailored internal audit programme meeting the needs of Board Executives, CIOs and Heads of IT Services include:

IT Governance and risk management – providing expertise in developing effective governance systems and managing IT and information risks. This considers the arrangements that ensure the effective direction of IT by the organisation, and the provision by IT of appropriate decision-making information. An effective governance framework provides the right strategy and the appropriate management of data and information.

IT operations (ITIL framework) – supporting IT Directors to maximise the effectiveness and value of available IT resources through review tailored to the size of the organisation. Techniques include gap analysis and identification of quick wins for service level management, configuration management, change control and release management, incident and problem management, availability and capacity management and functional integration. Developing continual service improvement processes ensures IT talent is demonstrably focussed on refinement and innovation.

Cyber security – protecting organisations against compromise of information through staff error or through the deliberate actions of an outsider. A ‘cyber attack’ could have a permanent or long-term impact, such as loss of reputational standing, loss of intellectual property and research data, and material financial loss. In the short term there is loss of productivity, potential downtime, recovery costs and investigation time to consider. Audit ensures that security activities, or the Information Security Management System, are proportionate to the risks faced, through comparison with recognised frameworks such as the ‘ten steps’ published by the UK government’s National Technical Authority for Information Assurance (CESG) and the Centre for the Protection of National Infrastructure (CPNI), and the ISO 27000 series of security standards.

Project management – delivering successful projects by implementing controls that increase the probability that organisations complete projects which are customer focused and satisfy users, are on time and on budget, provide increasing ROI, and effect positive business change.

Networks and telecommunications – building secure IT systems and processing capability, increasing resilience through fault-tolerant planning, and generating value-for-money benefits by reducing significant recurring telecommunications costs.

Benchmarking against IT best practice frameworks – there is a range of both bespoke and internationally accepted frameworks against which we can assess Institutions, providing assurance that cyber risks are being effectively managed. Frameworks with which we are experienced in working include:

  1. COBIT 5 – a high level diagnostic of the control environment, supporting internal and external benchmarking
  2. Ten steps to Cyber Security – a data security focussed framework supported by the UK government
  3. ISO 27001 – an international standard for data security
  4. ITIL – a set of standards for effective delivery of operational IT services
  5. KCG systems health check – a facilitated self-assessment framework of the control environment specially tailored for smaller institutions and which allows benchmarking against peer groups.