IT Audit Overview

1
Chapter 1 CISB424

• IT Audit Overview

2
What will be covered?

• Overview of IT audit function
• Description of the work of IT Auditors skills
  needed
• Explanation of how to become an IT Auditor
• Description of the structure of IT Audits
• Discussion of IT audits relationship with
  accounting and financial audit
• Professional IT Auditors Organizations

3
Did you know???

• The need for IT Auditors far outstrips the
  supply of qualified candidates
• IT Auditors are in demand, but their work is
  interesting and challenging
• IT Auditors evaluate an organizational entitys
  IS (Info. Technologies, data and information, and
  systems of communication)
• Evaluation includes studying documents,
  interviewing people, entering/manipulating data
  in a computer.
• IT Auditors do the above because business
  processes use IT to function and IT is integral
  to an enterprises vialibility

4
Impact of IT on Organizations

• IT is important in all kinds of organizations IT
  also influences organizational risks and
  controls.
• IT creates opportunities, but these opportunities
  bring risks
• E.g., the ability to transmit document
  electronically to customers vendors allows
  improving efficiency in the supply chain but it
  (electronic communication systems) also poses new
  risk

5
IT Governance

• A process for controlling organizations
  information technology resources ( systems and
  technology).
• An organizations mgmt and owners (board of
  directors) are responsible for governing
  enterprise and IT.
• Enterprise governance process of setting and
  implementing corporate strategy, making sure that
  the organization achieves its objectives
  efficiently, and manage risks.
• The objectives of IT governance are to set
  strategies for IT so that it is aligned closely
  with organizational goals, and to use IT for
  maximum opportunity, but minimum risk.
• Two parts of IT Governance 1. concerns the use
  of IT to promote an organizations objectives and
  enable business processes 2. involves managing
  and controlling IT-related risks

6
IT Governance - continued

• It begins with
• The development of IT Governance plan (set the
  strategic purposes of IT acquisition and
  deployment or use)
• It is on on-going process, mgmt needs to
  regularly evaluate and update plans

Provide direction

• IT Activities
• Increase automation (make business effective)
• Decrease cost (make enterprise efficient)
• Manage risks (security reliability and compliance

• Set Objectives
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT-related risks managed appropriately

compare
Measure performance
7
IT Governance - continued

• ISACA established the IT Governance Institute
  (1998) to clarify and provide guidance on
  current and future issues pertaining to IT
  governance, control and assurance.
• It developed CobiT (Control Objectives of
  Information and Related Technology, 3rd Edition)
  and COEG (Control Objectives for Enterprise
  Governance)
• CobiT provides guidance on IT governance
  providing the structure that links IT processes,
  IT resources and information to enterprise
  strategies and objectives.
• CobiT also includes an IT Governance Management
  Guidelines identifies critical success factors,
  key goal and performance indicators, matured
  model for IT governance. It is a guideline that
  allows management to use in evaluating
  performance with regards to IT

8
IT and Transaction Processing

• One of the concern in IT Governance is
  controlling IT risks. This is important in
  enterprises as they use IT to process data about
  ongoing transaction or activities. Business and
  other organizational entities are involved in and
  affected in many ways. IS collects data about
  all.
• A computerized IS may increase risks and decrease
  others. Or IT can reduce risks due to human
  error. How is it possible?
• Scenario 1 sales clerk manually record data
  about sale of the day entered the wrong
  inventory code. IT can reduced this risk. But, if
  database admin accidently mismatch the inventory
  item and its code, then every sale of that
  inventory item will be recorded incorrectly.

9
The Work of IT Auditor

• IT Auditor exists as long as IT exists. They
  ensure IT governance, and to do so, they assess
  IT risks and implement/monitor the controls over
  those risks.
• Roles and level of expertise varies, might be
  internal/external auditor.
• They will provide assurance or give comfort about
  anything related to information systems.

10
The Work of IT Auditor - continued

• Evaluating controls over specific applications
  analyze risks controls over applications
• Provide assurance over specific processes
  agreed upon procedures only client and IT
  auditor determine the scope of assurance required
• Provide third-party assurance evaluate the
  risks and controls over third partys IS and
  provide assurance to others
• Penetration testing trying to gain access to
  info resources in order to discover security
  weaknesses
• Supporting the financial audit evaluate IT
  risks and controls that may affect the
  reliability of financial reporting system
• Searching for IT-based fraud to help
  investigate computer records in fraud
  investigations

11
Relationship between Financial and IT Audits

• The objective of a financial statement audit is
  to ensure that the organizations public
  financial statements are presented in accordance
  with generally accepted accounting principles
  (GAAP). Thus, FS Auditors analyze organizations
  internal control system to assess the degree
  which it appears to be operating effectively.
• As computer technology is increasingly relied for
  processing transactions and reporting
  information, it is difficult for FS auditors to
  ignore IT in their audits. Thus, there is a need
  to evaluate information systems as part of
  financial audit.

12
Relationship between Financial and IT Audits
Develop an understanding of the client and
perform preliminary audit work
Develop audit plan
Evaluate the internal control system
IT Auditors FS Auditors jointly evaluate
internal control system
IT Auditors work with financial auditors to
develop audit plan
IT Auditors evaluate complexity of IT
Perform substantive testing
Review work and issue audit report
Determine degree of reliance on internal controls
IT Auditors review report write report to mgmt
with IT-related recommendations
IT Auditors may perform some data analysis to
assist FS auditors
IT Auditors FS Auditors jointly determine the
degree of reliance on internal controls
IT Auditors work with mgmt FS auditors on
follow-up
Conduct follow-up work
13
IT Audit Skills

• To become an IT Auditor, you need training and
  education (at least a bachelors degree)
• Other than that, you need special certifications
  or licenses (e.g., Certified Public Accountant
  CPA, Certified Fraud Examiner CFE, Certified
  Internal Auditor CIA, Certified Information
  Systems Auditor - CISA
• Skills required from IT Auditor

Technical
business
Personal
14
Technical Skills

• IT Auditors requires specialized technology
  skills different platforms, OS, software
  applications, network security, ERP systems
• Let say that the IT Auditor is auditing an OS,
  he/she will have a guide description of
  specific features of that OS and steps to follow
  in extracting data and testing controls
• IT Auditors must have the interest of learning
  and updating themselves with technical topics as
  IT changes constantly.

15
Personal Skills

• Personal Skills communication skills
• IT Auditors must write and present reports. They
  frequently make presentations to
  internal/external clients
• Thus, written and oral communication skills are
  crucial
• Personal skills Interpersonal and teamwork
• Rarely, IT Auditors do their jobs in isolation.
  They need support from other auditors and
  cooperation from those they are auditing
• IT Auditors must have good interpersonal skills
  to overcome negative bias of others towards
  auditors

16
Business Skills

• Business skills must understand business
  processes (financial, distribution, HR,
  manufacturing)
• IT Auditors will evaluate the IT used by business
  organizations to support their processes.
• Other skills financial processes, accounting,
  marketing skills and decision sciences

17
Professional IT Auditor Organizations and
Certifications

• IT Auditors may choose the many professional
  organizations to belong to.
• These organizations issue certifications to their
  members who meet the various service and
  knowledge requirements.
• Among the many professional organizations
  available are
• ISACA Information Systems Audit and Control
  Association
• IIA Institute of Internal Auditors
• ACFE Association of Certified Fraud Examiners
• AICPA American Institute of Certified Public
  Accountants

18
ISACA Information Systems Audit and Control
Association

• Founded in 1969
• The largest professional organization of IT
  Auditors
• It has more than 25000 members over 100
  countries, and has certified more than 29000 IT
  Auditors
• ISACA has its research unit the Information
  Systems Audit and Control Foundation gtgt conduct
  research and issues publications that guide IT
  audit professionals.
• ISACA has it IT Governance Institute, K-Net
  knowledge network repository of information about
  IT Governance, control and assurance

19
CISA

• Certified Information Systems Auditor (CISA)
  designation is highly valued for IT Auditors. A
  CISA must successfully complete an examination
  (administered annually), meet professional
  experience requirements, abide the groups Code
  of Professional Ethics, and meet continuing
  education requirements
• CISA examination test knowledge in 7 technical
  areas (refer figure 1-3, pp 9).
• You need at least 5 years of experience in IT
  Auditing, control, or security to apply for the
  CISA.
• CISA professionals must agree to a code of
  professional ethics, abide to ISACAs IS Auditing
  Standards, complete 20 contact hours of
  continuing education each year and 120 contact
  hours in a 3-year period in order to maintain
  certification
• Besides CISA, CISM Certified Information
  Security Manager is another credential for
  non-audit security professionals

20
IIA Institute of Internal Auditors

• Established in 1941 international organization
  of internal auditing professionals
• It produces a journal, hosts professional
  meetings and educational seminars, conducts
  research through IIA Research Foundation, issues
  the Certified Internal Auditor (CIA) credential
  along with certifications in control
  self-assessment, government auditing and
  financial services auditing.
• It promotes the practices of internal auditing
  through quality assurance and the issuance of
  standards, guidelines and best practices.
• It is one of the primary professional
  organization that serve accountants in their
  various roles. The membership is made up of
  internal auditors.

21
CIA

• IT Auditor may be external auditor or a member of
  the organizations internal audit staffs.
• Internal Auditor may choose to be certified as
  CISA or CPA. And, they may also become a
  Certified Internal Auditor (CIA)
• CIA requires a bachelors degree or meet
  international standards, provide a character
  reference, have 24-months of internal
  audit/equivalent experience, and pass the
  CIA-exam
• CIA must agree to abide to professional code of
  ethics, complete 80 hours of continuing
  professional education (CPE) in every 2-year
  period.
• CIA exam conducted twice per-year covers
  Professional Practices Framework (internal audit
  process, internal audit skills, mgmt control and
  IT, audit environment) IT (IS strategies,
  policies and procedures hardware, platforms,
  networks telecommunications data processing
  system development, acquisition maintenance IS
  security contingency planning)
• Internal auditors involved in assessing their
  organizations IT risks and controls provide
  oversight for security activities and ensure
  appropriate resources are directed toward
  controlling IT risks

22
ACFE Association of Certified Fraud Examiners

• ACFE issues CFE (Certified Fraud Examiner)
  professionals who specialize in auditing for
  fraud.
• CFE is based on point system. Points are awarded
  for higher education and professional experiences
  (directly in fraud examination or related area
  accounting, criminology, sociology, fraud
  investigation, loss prevention, legal fields)
• Must pass exam administered by ACFE (500
  objective questions, computer-based areas
  covered fraudulent financial transactions,
  fraud investigations, legal elements of fraud,
  criminology, ethics. Does not cover IT) and agree
  to abide to organizations Code of Ethics and
  Bylaws

23
AICPA American Institute of Certified Public
Accountants

• Offers CPA (Certified Public Accountant) license
• It has a membership of 350,000 accounting
  professionals
• Public companies must have their financial
  statements audited by CPAs. CPAs will look into
  all aspects of accounting (tax, consulting, IT
  auditing). CPA is a good foundation to IT
  Auditor, because it ensures that the auditor
  having thorough understanding of financial
  processes and reporting
• CITP (Certified Information Technology
  Professional) certification is introduced in 2000
  to demonstrate that a CPA has specialized
  expertise in IT (refer Figure 1-4, pp. 11)

24
Structuring IT Audits

• So how do you do IT Audit?
• It varies as there are many types of IT audits
• Among them are
• Attestations or agreed upon procedures audits
• Statement on auditing standards 70 audits
• IT audits in support of external financial audits
• Findings and recommendation reviews
• will be covered in Chapter 9

25
Standards and Guidelines

• AICPA Audit Standards and Guidelines Auditing
  Standards Board (ASB) of AICPA issues auditing
  standards, opinions and guidance for public
  accountants to follow in conducting financial
  statement audits and others.
• In 1947 GAAS the 10 generally accepted
  auditing standards
• SAS statements on auditing standards
• SSAE statements on standards for attestation
  engagements
• In 2001 ASB issued SSAE no. 10 (Attestation
  Standards Revision and Recodification). This
  latest standard allows auditors to look into
  nonfinancial information and concerns on IT.

26
Standards and Guidelines

• IFAC (International Federation of Accountants)
  Guidelines
• IFAC is an international organization of national
  professional accountancy groups. Members are
  classified as full members, associate members,
  affiliate members.
• Full members AICPA, IMA (Institute of Mgmt
  Accountants), NASBA (National Association of
  State Boards of Accountancy
• The mission of IFAC develop harmonized/ common
  international accounting standards and guidelines
  to assist professionals in their work
• IFAC issued IFAC Handbook of International IT
  Guidelines provides direction concerning IT
  matters security, mgmt of IT , acquisition of
  IT, operations, monitoring, implementation
• IFAC issued ISAs (International Standards on
  Auditing) used in financial statement audits
  IAPSs (International Auditing Practice
  Statements) provides help to auditors in
  implementing the standards
• E.g., ISA no 401 Auditing in a Computer
  Information Systems Environment provides both
  financial and IT auditors guidance in conducting
  financial statement audits that involve IT
  (e-commerce, database systems, standalone
  computer systems)

27
Standards and Guidelines

• ISACA Standards, Guidelines and Procedures
  prescribe the minimum performance levels required
  to comply with ISACAs Code of Professional
  Ethics, and also enable for better understanding
  of what an IT audit should encompass.
• A licensed CISA must comply with ISACA standards
  or face investigation, and possible disciplinary
  actions.
• Guidelines provide help in applying the
  standards, and procedures are steps an IT Auditor
  would take during the audit process
• Refer Figure 1.5 pp.14 for the ISACAs IT audit
  standards
• CobiT, ISACAs IT governance framework may be
  used by auditors in accessing and advising mgmt
  about internal controls. It includes a set of
  audit guidelines a structure for internal
  control evaluations