From an IT perspective, an adequacy audit verifies that controls perform sufficiently for the tasks associated with them. Adequacy audits can cover current operational controls or the controls applied while developing and deploying a new or modified system. They can be performed at various stages of a project as well as after a system has been completed and moved into production.
Adequacy audits give IT leadership and senior management assurance that the controls in use are appropriate for the work being performed. Their results can identify opportunities for improvement after a system has entered production, as well as performance issues during development that need to be remediated.
Depending on IT leadership’s needs for periodic project performance assessments, adequacy audits may be initiated at specific points in the project, for example at the completion of key project milestones. Such an audit checks that project activities are being performed according to the project plan and that anomalies are identified and remedied.
Adequacy audit checklist example
Many organizations use the software development lifecycle (SDLC) as a framework when developing or acquiring a new application. Learn more about the suggested activities and adequacy audit considerations associated with each SDLC phase below.
Planning phase activities
- Gather information needed to define criteria for the new system.
- Interview subject matter experts who are knowledgeable of the issues to be addressed.
- Identify the desired results of the new system.
- Identify the requirements and resources needed for the system, such as user requirements, data, databases and networks.
Planning phase adequacy audit items
- Has sufficient background information been gathered?
- Have enough subject matter experts been interviewed?
- Has the desired outcome for the system been defined?
- Have all required resources been identified?
Analysis phase activities
- Once the base data regarding the new system has been identified, define potential issues associated with achieving the desired performance level.
- Identify and quantify design criteria.
- Identify the financial requirements for the new system, such as the budget for building or acquiring it.
Analysis phase adequacy audit items
- Have performance issues for the new system been defined?
- Have design criteria for the system been defined?
- Have financial requirements for the new system been identified?
Design phase activities
- Use the previously defined criteria to design the system, including its platform, inputs and outputs, and UI, among other elements.
- If the organization is acquiring an existing product or service rather than building one, the design criteria can form the requirements section of the request for proposal or request for quotation.
Design phase adequacy audit items
- Have design criteria been used to design the system?
- Have any additional design criteria introduced during the design phase been documented and applied in the system design?
- Has the design data been used to prepare a request for proposal and/or request for quotation?
- Has a request for proposal or request for quotation been prepared and approved?
Build phase activities
- Approve the design criteria.
- Select a project team.
- Develop a project plan.
- Identify technical development, programming, testing and other staff and assign them to the project.
- Schedule processing facilities, unless a separate R&D department with its own infrastructure is available.
- Schedule other build phase activities, such as testing time.
- For an off-the-shelf product, use the build phase to further examine the new product to identify any possible issues in advance of testing and deployment.
Build phase adequacy audit items
- Have design criteria been approved?
- Has a project team been selected?
- Has a project plan been developed and approved?
- Have additional technical staff been identified and assigned?
- Have processing resources been scheduled?
- Have other activities, such as testing, been scheduled?
- Has any new product been examined by staff prior to rollout and production?
Testing phase activities
- Identify and schedule testing activities.
- Identify performance testing criteria.
- Perform and document tests and analyze the results.
- Run test sessions with live data. Where production data contains sensitive fields, use masked or anonymized copies in the test environment.
- Examine user access controls and data management.
- Test the system’s security features, such as authentication, authorization and audit logging.
- Review vendor documentation and the vendor’s technical support.
- Deliver user training.
- Ensure the vendor’s post-cutover support has been defined.
Testing phase adequacy audit items
- Have testing activities been identified and scheduled?
- Have testing performance criteria been established and approved?
- Have tests been conducted and documented?
- Have ancillary and support activities been identified and performed?
Deployment phase activities
- Train users and system administrators on the system.
- Schedule and deliver project briefings to senior management.
- Prepare and disseminate announcements regarding the new system to all employees.
- Outline a deployment schedule.
- Ready internal IT infrastructure resources to accept the new system.
- Place the system into production and commence deployment.
- Send questionnaires to gather users’ feedback on the system.
Deployment phase adequacy audit items
- Have users and system administrators been trained on the system?
- Has senior management been briefed on the system?
- Have announcements on the new system been prepared and distributed to employees?
- Has a deployment schedule been prepared and approved?
- Are the required internal IT infrastructure resources available and ready for the system?
- Has the system been deployed and placed into production?
- Have users been surveyed on their experiences with the new system?
Maintenance phase activities
- Define and schedule post-installation maintenance activities.
- Identify system performance metrics for measurement.
- Schedule system performance tests.
- Set patching schedules.
- Incorporate the system into the company change management process.
Maintenance phase adequacy audit items
- Have maintenance activities been identified and scheduled?
- Have performance metrics been defined?
- Have performance tests been scheduled?
- Have patching schedules been established?
- Has the system been added to the change management process?
How auditors should prepare
As with any IT audit, confirm that the adequacy auditors are familiar with the issues associated with the system to be audited. For an internal audit, provide background materials on the overall project so the auditors can prepare accordingly. For an external audit, ask whether the prospective audit firm is familiar with the nuances of the system being deployed.
Timeline for performing an adequacy audit
The following is a recommended sequence of steps in an adequacy audit activity:
- Prepare the adequacy audit plan, including the audit scope, approach and schedule.
- Review and summarize information gathered for the audit, such as technical documentation, questionnaires, risk reports and previous audit documents.
- Identify gaps in existing documentation and update as appropriate.
- Review and apply relevant standards, regulations, legislation and good practice documents to validate preliminary adequacy findings.
- Identify the controls to be audited and prepare work papers that reflect the adequacy audit criteria established by standards groups, regulators and legislators.
- Following audit interviews and discovery activities, prepare a draft adequacy audit opinion report for discussion with interested internal parties.
- Complete a final adequacy audit report that includes results of discussions and recommended actions.
- Complete an action plan and timeline to remediate adequacy audit findings and recommendations.
- Ensure the remediation action plan is implemented within the agreed-upon timeframe.
- Schedule the next adequacy audit.
How to review an adequacy audit report
Once an adequacy audit report has been completed and delivered to the organization, review the findings and recommendations. Next, brief senior IT management on the report and prepare to address any serious performance or operational issues it identifies. IT management should then prepare a formal response to the report, with proposed actions and dates for addressing each audit recommendation. Be sure to note any deadlines the auditors have set for that response.