Auditing methodology on legal compliance of enterprise information systems

In spite of the scepticism, that information technology (IT) compliance is useless enforcement, which does not contribute to an economic balance of the organisations, IT compliance is a mandatory responsibility of the organisations for their survival enforced by legalised rules. To review and update enterprise information systems to be in compliance with various laws is not an easy work because previous studies on information engineering or security engineering do not provide a specialised methodology for IT compliance. The most critical problem that the organisations are facing is that it is very difficult to identify what they should do for IT compliance. An auditing methodology, which identifies the problems of and provides guides on IT compliance would be the solution for the problems that organisations are facing. This paper provides an auditing methodology, which consists of an auditing target, checklist, process model, evaluation indices and reference model. The methodology proposed in this paper helps IT staffs, managements and auditors to improve the level of IT compliance and manage an auditing project effectively.