Title: IT Audit Overview
Chapter 1 CISB424

What will be covered?
- Overview of the IT audit function
- Description of the work of IT Auditors and the skills needed
- Explanation of how to become an IT Auditor
- Description of the structure of IT audits
- Discussion of the relationship between IT audits and accounting and financial audits
- Professional IT Auditor organizations
Did you know???
- The need for IT Auditors far outstrips the supply of qualified candidates
- IT Auditors are in demand, and their work is interesting and challenging
- IT Auditors evaluate an organizational entity's IS (information technologies, data and information, and systems of communication)
- Evaluation includes studying documents, interviewing people, and entering/manipulating data in a computer
- IT Auditors do the above because business processes use IT to function and IT is integral to an enterprise's viability
Impact of IT on Organizations
- IT is important in all kinds of organizations; IT also influences organizational risks and controls
- IT creates opportunities, but these opportunities bring risks
- E.g., the ability to transmit documents electronically to customers and vendors improves efficiency in the supply chain, but the electronic communication system also poses new risks
IT Governance
- A process for controlling an organization's information technology resources (systems and technology)
- An organization's management and owners (board of directors) are responsible for governing the enterprise and its IT
- Enterprise governance: the process of setting and implementing corporate strategy, making sure that the organization achieves its objectives efficiently, and managing risks
- The objectives of IT governance are to set strategies for IT so that it is aligned closely with organizational goals, and to use IT for maximum opportunity but minimum risk
- Two parts of IT Governance:
  1. concerns the use of IT to promote an organization's objectives and enable business processes
  2. involves managing and controlling IT-related risks
IT Governance - continued
- It begins with:
  - The development of an IT Governance plan (setting the strategic purposes of IT acquisition and deployment or use)
  - It is an on-going process; management needs to regularly evaluate and update the plans
- The governance cycle shown on the slide: set objectives, provide direction, carry out IT activities, measure performance, and compare the results against the objectives
  - Set objectives:
    - IT is aligned with the business
    - IT enables the business and maximizes benefits
    - IT resources are used responsibly
    - IT-related risks are managed appropriately
  - IT activities:
    - Increase automation (make the business effective)
    - Decrease cost (make the enterprise efficient)
    - Manage risks (security, reliability and compliance)
IT Governance - continued
- ISACA established the IT Governance Institute (1998) to clarify and provide guidance on current and future issues pertaining to IT governance, control and assurance
- It developed CobiT (Control Objectives for Information and Related Technology, 3rd Edition) and COEG (Control Objectives for Enterprise Governance)
- CobiT provides guidance on IT governance, providing the structure that links IT processes, IT resources and information to enterprise strategies and objectives
- CobiT also includes IT Governance Management Guidelines, which identify critical success factors, key goal and performance indicators, and a maturity model for IT governance. It is a guideline that management can use in evaluating performance with regard to IT
IT and Transaction Processing
- One of the concerns in IT Governance is controlling IT risks. This is important in enterprises because they use IT to process data about ongoing transactions or activities. Businesses and other organizational entities are involved in and affected by these transactions in many ways, and the IS collects data about all of them
- A computerized IS may increase some risks and decrease others. IT can reduce risks due to human error. How is this possible?
- Scenario 1: a sales clerk manually recording data about the day's sales enters the wrong inventory code. IT can reduce this risk. But if a database administrator accidentally mismatches an inventory item and its code, then every sale of that inventory item will be recorded incorrectly
The Work of the IT Auditor
- IT Auditors exist as long as IT exists. They ensure IT governance, and to do so they assess IT risks and implement/monitor the controls over those risks
- Roles and levels of expertise vary; an IT Auditor might be an internal or external auditor
- They provide assurance, or give comfort, about anything related to information systems
The Work of the IT Auditor - continued
- Evaluating controls over specific applications: analyze the risks and controls over applications
- Providing assurance over specific processes: agreed-upon procedures; only the client and the IT auditor determine the scope of assurance required
- Providing third-party assurance: evaluate the risks and controls over a third party's IS and provide assurance to others
- Penetration testing: trying to gain access to information resources in order to discover security weaknesses
- Supporting the financial audit: evaluate IT risks and controls that may affect the reliability of the financial reporting system
- Searching for IT-based fraud: help investigate computer records in fraud investigations
Relationship between Financial and IT Audits
- The objective of a financial statement audit is to ensure that the organization's public financial statements are presented in accordance with generally accepted accounting principles (GAAP). Thus, FS Auditors analyze the organization's internal control system to assess the degree to which it appears to be operating effectively
- As computer technology is increasingly relied upon for processing transactions and reporting information, it is difficult for FS auditors to ignore IT in their audits. Thus, there is a need to evaluate information systems as part of the financial audit
Relationship between Financial and IT Audits
Financial audit step and the IT Auditor's role at that step:
- Develop an understanding of the client and perform preliminary audit work: IT Auditors evaluate the complexity of IT
- Develop the audit plan: IT Auditors work with financial auditors to develop the audit plan
- Evaluate the internal control system: IT Auditors and FS Auditors jointly evaluate the internal control system
- Determine the degree of reliance on internal controls: IT Auditors and FS Auditors jointly determine the degree of reliance on internal controls
- Perform substantive testing: IT Auditors may perform some data analysis to assist FS auditors
- Review work and issue the audit report: IT Auditors review the report and write a report to management with IT-related recommendations
- Conduct follow-up work: IT Auditors work with management and FS auditors on follow-up
IT Audit Skills
- To become an IT Auditor, you need training and education (at least a bachelor's degree)
- Other than that, you need special certifications or licenses (e.g., Certified Public Accountant - CPA, Certified Fraud Examiner - CFE, Certified Internal Auditor - CIA, Certified Information Systems Auditor - CISA)
- Skills required of an IT Auditor:
  - Technical
  - Business
  - Personal
Technical Skills
- IT Auditors require specialized technology skills: different platforms, operating systems, software applications, network security, ERP systems
- Let's say that the IT Auditor is auditing an OS: he/she will have a guide describing specific features of that OS and the steps to follow in extracting data and testing controls
- IT Auditors must have an interest in learning and keeping themselves up to date on technical topics, as IT changes constantly
Personal Skills
- Personal skills: communication skills
  - IT Auditors must write and present reports. They frequently make presentations to internal/external clients
  - Thus, written and oral communication skills are crucial
- Personal skills: interpersonal and teamwork skills
  - Rarely do IT Auditors do their jobs in isolation. They need support from other auditors and cooperation from those they are auditing
  - IT Auditors must have good interpersonal skills to overcome the negative bias of others towards auditors
Business Skills
- Business skills: must understand business processes (financial, distribution, HR, manufacturing)
- IT Auditors will evaluate the IT used by business organizations to support their processes
- Other skills: financial processes, accounting, marketing skills and decision sciences
Professional IT Auditor Organizations and Certifications
- IT Auditors may choose from the many professional organizations to belong to
- These organizations issue certifications to their members who meet the various service and knowledge requirements
- Among the many professional organizations available are:
  - ISACA - Information Systems Audit and Control Association
  - IIA - Institute of Internal Auditors
  - ACFE - Association of Certified Fraud Examiners
  - AICPA - American Institute of Certified Public Accountants
ISACA - Information Systems Audit and Control Association
- Founded in 1969
- The largest professional organization of IT Auditors
- It has more than 25,000 members in over 100 countries, and has certified more than 29,000 IT Auditors
- ISACA has its research unit, the Information Systems Audit and Control Foundation, which conducts research and issues publications that guide IT audit professionals
- ISACA has its IT Governance Institute and K-Net, a knowledge network repository of information about IT governance, control and assurance
CISA
- The Certified Information Systems Auditor (CISA) designation is highly valued for IT Auditors. A CISA must successfully complete an examination (administered annually), meet professional experience requirements, abide by the group's Code of Professional Ethics, and meet continuing education requirements
- The CISA examination tests knowledge in 7 technical areas (refer to Figure 1-3, p. 9)
- You need at least 5 years of experience in IT auditing, control, or security to apply for the CISA
- CISA professionals must agree to a code of professional ethics, abide by ISACA's IS Auditing Standards, and complete 20 contact hours of continuing education each year and 120 contact hours in a 3-year period in order to maintain certification
- Besides CISA, CISM (Certified Information Security Manager) is another credential, for non-audit security professionals
IIA - Institute of Internal Auditors
- Established in 1941; an international organization of internal auditing professionals
- It produces a journal, hosts professional meetings and educational seminars, conducts research through the IIA Research Foundation, and issues the Certified Internal Auditor (CIA) credential along with certifications in control self-assessment, government auditing and financial services auditing
- It promotes the practice of internal auditing through quality assurance and the issuance of standards, guidelines and best practices
- It is one of the primary professional organizations that serve accountants in their various roles. The membership is made up of internal auditors
CIA
- An IT Auditor may be an external auditor or a member of the organization's internal audit staff
- Internal auditors may choose to be certified as CISA or CPA, and they may also become a Certified Internal Auditor (CIA)
- The CIA requires a bachelor's degree (or meeting the international standards), a character reference, 24 months of internal audit or equivalent experience, and passing the CIA exam
- A CIA must agree to abide by the professional code of ethics and complete 80 hours of continuing professional education (CPE) in every 2-year period
- The CIA exam, conducted twice per year, covers the Professional Practices Framework (internal audit process, internal audit skills, management control and IT, audit environment) and IT (IS strategies, policies and procedures; hardware, platforms, networks and telecommunications; data processing; system development, acquisition and maintenance; IS security; contingency planning)
- Internal auditors involved in assessing their organization's IT risks and controls provide oversight for security activities and ensure appropriate resources are directed toward controlling IT risks
ACFE - Association of Certified Fraud Examiners
- The ACFE issues the CFE (Certified Fraud Examiner) credential to professionals who specialize in auditing for fraud
- The CFE is based on a point system. Points are awarded for higher education and professional experience (directly in fraud examination or in a related area: accounting, criminology, sociology, fraud investigation, loss prevention, legal fields)
- Candidates must pass an exam administered by the ACFE (500 objective questions, computer-based; areas covered: fraudulent financial transactions, fraud investigations, legal elements of fraud, criminology, ethics; it does not cover IT) and agree to abide by the organization's Code of Ethics and Bylaws
AICPA - American Institute of Certified Public Accountants
- Offers the CPA (Certified Public Accountant) license
- It has a membership of 350,000 accounting professionals
- Public companies must have their financial statements audited by CPAs. CPAs look into all aspects of accounting (tax, consulting, IT auditing). The CPA is a good foundation for an IT Auditor, because it ensures that the auditor has a thorough understanding of financial processes and reporting
- The CITP (Certified Information Technology Professional) certification was introduced in 2000 to demonstrate that a CPA has specialized expertise in IT (refer to Figure 1-4, p. 11)
Structuring IT Audits
- So how do you do an IT audit?
- It varies, as there are many types of IT audits
- Among them are:
  - Attestation or agreed-upon procedures audits
  - Statement on Auditing Standards (SAS) 70 audits
  - IT audits in support of external financial audits
  - Findings and recommendations reviews
- These will be covered in Chapter 9
Standards and Guidelines
- AICPA Audit Standards and Guidelines: the Auditing Standards Board (ASB) of the AICPA issues auditing standards, opinions and guidance for public accountants to follow in conducting financial statement audits and other engagements
  - In 1947, GAAS: the 10 generally accepted auditing standards
  - SAS: Statements on Auditing Standards
  - SSAE: Statements on Standards for Attestation Engagements
- In 2001 the ASB issued SSAE No. 10 (Attestation Standards: Revision and Recodification). This latest standard allows auditors to look into nonfinancial information and concerns on IT
Standards and Guidelines
- IFAC (International Federation of Accountants) Guidelines
- IFAC is an international organization of national professional accountancy groups. Members are classified as full members, associate members and affiliate members
  - Full members: AICPA, IMA (Institute of Management Accountants), NASBA (National Association of State Boards of Accountancy)
- The mission of IFAC: develop harmonized/common international accounting standards and guidelines to assist professionals in their work
- IFAC issued the IFAC Handbook of International IT Guidelines, which provides direction concerning IT matters: security, management of IT, acquisition of IT, operations, monitoring, implementation
- IFAC issued ISAs (International Standards on Auditing), used in financial statement audits, and IAPSs (International Auditing Practice Statements), which help auditors in implementing the standards
- E.g., ISA No. 401, Auditing in a Computer Information Systems Environment, provides both financial and IT auditors with guidance in conducting financial statement audits that involve IT (e-commerce, database systems, standalone computer systems)
Standards and Guidelines
- ISACA Standards, Guidelines and Procedures prescribe the minimum performance levels required to comply with ISACA's Code of Professional Ethics, and also enable a better understanding of what an IT audit should encompass
- A licensed CISA must comply with ISACA standards or face investigation and possible disciplinary action
- Guidelines provide help in applying the standards, and procedures are the steps an IT Auditor would take during the audit process
- Refer to Figure 1.5, p. 14 for ISACA's IT audit standards
- CobiT, ISACA's IT governance framework, may be used by auditors in assessing and advising management about internal controls. It includes a set of audit guidelines and a structure for internal control evaluations