This is my experience of handling an IT audit: how do we collect artifacts, what precautions should we take to keep and maintain those artifacts, and what tools should we use to accomplish this task?
An audit is something that reviews, and sometimes this is misunderstood to such a degree that, instead of reviewing and thereby assuring a business about the return, reliability and usability of its IT investment (this includes both the fixed and variable cost pockets), it becomes a fraud-identifying squad. As a result, whether or not fraud is actually happening, companies and businesses end up creating a lot of documents. More often than not these documents are so poorly organised or written that they need another set of supporting documents. An artifact supporting the existence and the practice or execution of the IT practices adopted/approved by the business should be simple, to the point and leak-proof/self-sufficient (I mean it should not require another set of documents that can be asked for or called upon to ensure its reliability).
Let us consider a classic example. Backup is one of the most important methodologies for ensuring the availability of data, but from an IT audit point of view the question that arises is the reliability of that availability. So one needs to go through the logs of the backup; most backup software nowadays has a checking (verification) tag that can be enabled, which performs an automatic check on the backup and writes the result into the logs. Beyond that, still on the point of reliability of availability, one should do periodic testing of the backup media (usually magnetic tapes), because all kinds of backup media are prone to corruption up to a certain level/degree. Now the big brainstorm awaits... How will the restoration be done (partial/full)? How will the restoration operation be validated as successful or unsuccessful? Do you have an option to test with a partial restoration, or do you need a full restoration or recovery? Do you involve business users in testing?
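One way to answer the "how is the restoration validated" question and produce a self-sufficient artifact at the same time is to record a hash manifest when the backup is taken and compare the restored files against it. The script below is an added example, not code from the original post or any backup product; the manifest format, the `verify_restore` function and the sample files are assumptions constructed for illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash a file in chunks so large restored files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_restore(manifest, restore_dir, scope="partial"):
    """Compare every file in the backup-time manifest {relpath: sha256} with the
    restored copy and return one self-contained test record (the audit artifact)."""
    results = []
    for rel_path, expected in manifest.items():
        full = os.path.join(restore_dir, rel_path)
        if not os.path.exists(full):
            results.append({"file": rel_path, "status": "missing"})
        elif sha256_file(full) != expected:
            results.append({"file": rel_path, "status": "corrupt"})
        else:
            results.append({"file": rel_path, "status": "ok"})
    failed = [r for r in results if r["status"] != "ok"]
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "scope": scope,                      # partial or full restoration test
        "files_tested": len(results),
        "files_failed": len(failed),
        "outcome": "successful" if not failed else "unsuccessful",
        "details": results,                  # per-file evidence, no second document needed
    }

def demo():
    # Constructed sample: the manifest written at backup time and a restore area.
    src = {"db/accounts.sql": b"CREATE TABLE accounts ...", "cfg/app.ini": b"[app]\nmode=prod\n"}
    manifest = {p: hashlib.sha256(d).hexdigest() for p, d in src.items()}
    restore_dir = tempfile.mkdtemp()
    for p, d in src.items():
        os.makedirs(os.path.dirname(os.path.join(restore_dir, p)), exist_ok=True)
        with open(os.path.join(restore_dir, p), "wb") as f:
            f.write(d)
    # Simulate media corruption in one restored file so the test record shows a failure.
    with open(os.path.join(restore_dir, "cfg/app.ini"), "ab") as f:
        f.write(b"\x00")
    return verify_restore(manifest, restore_dir)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The returned record can be stored as-is alongside the backup log; it states scope, time, counts and the per-file result, which is exactly what an auditor asks for.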