IT Audit Overview - PowerPoint PPT Presentation

1 / 27
About This Presentation

IT Audit Overview


IT Governance General Controls The concept is relatively new Ensuring that effective IT management and security ... IS and network security Investigation and ... – PowerPoint PPT presentation

Number of Views:245
Avg rating:3.0/5.0
Slides: 28
Provided by: Rubijesmi


Transcript and Presenter's Notes

Title: IT Audit Overview

Chapter 1 CISB424
  • IT Audit Overview

What will be covered?
  • Overview of IT audit function
  • Description of the work of IT Auditors skills
  • Explanation of how to become an IT Auditor
  • Description of the structure of IT Audits
  • Discussion of IT audits relationship with
    accounting and financial audit
  • Professional IT Auditors Organizations

Did you know???
  • The need for IT Auditors far outstrips the
    supply of qualified candidates
  • IT Auditors are in demand, but their work is
    interesting and challenging
  • IT Auditors evaluate an organizational entitys
    IS (Info. Technologies, data and information, and
    systems of communication)
  • Evaluation includes studying documents,
    interviewing people, entering/manipulating data
    in a computer.
  • IT Auditors do the above because business
    processes use IT to function and IT is integral
    to an enterprises vialibility

Impact of IT on Organizations
  • IT is important in all kinds of organizations IT
    also influences organizational risks and
  • IT creates opportunities, but these opportunities
    bring risks
  • E.g., the ability to transmit document
    electronically to customers vendors allows
    improving efficiency in the supply chain but it
    (electronic communication systems) also poses new

IT Governance
  • A process for controlling organizations
    information technology resources ( systems and
  • An organizations mgmt and owners (board of
    directors) are responsible for governing
    enterprise and IT.
  • Enterprise governance process of setting and
    implementing corporate strategy, making sure that
    the organization achieves its objectives
    efficiently, and manage risks.
  • The objectives of IT governance are to set
    strategies for IT so that it is aligned closely
    with organizational goals, and to use IT for
    maximum opportunity, but minimum risk.
  • Two parts of IT Governance 1. concerns the use
    of IT to promote an organizations objectives and
    enable business processes 2. involves managing
    and controlling IT-related risks

IT Governance - continued
  • It begins with
  • The development of IT Governance plan (set the
    strategic purposes of IT acquisition and
    deployment or use)
  • It is on on-going process, mgmt needs to
    regularly evaluate and update plans

Provide direction
  • IT Activities
  • Increase automation (make business effective)
  • Decrease cost (make enterprise efficient)
  • Manage risks (security reliability and compliance
  • Set Objectives
  • IT is aligned with the business
  • IT enables the business and maximizes benefits
  • IT resources are used responsibly
  • IT-related risks managed appropriately

Measure performance
IT Governance - continued
  • ISACA established the IT Governance Institute
    (1998) to clarify and provide guidance on
    current and future issues pertaining to IT
    governance, control and assurance.
  • It developed CobiT (Control Objectives of
    Information and Related Technology, 3rd Edition)
    and COEG (Control Objectives for Enterprise
  • CobiT provides guidance on IT governance
    providing the structure that links IT processes,
    IT resources and information to enterprise
    strategies and objectives.
  • CobiT also includes an IT Governance Management
    Guidelines identifies critical success factors,
    key goal and performance indicators, matured
    model for IT governance. It is a guideline that
    allows management to use in evaluating
    performance with regards to IT

IT and Transaction Processing
  • One of the concern in IT Governance is
    controlling IT risks. This is important in
    enterprises as they use IT to process data about
    ongoing transaction or activities. Business and
    other organizational entities are involved in and
    affected in many ways. IS collects data about
  • A computerized IS may increase risks and decrease
    others. Or IT can reduce risks due to human
    error. How is it possible?
  • Scenario 1 sales clerk manually record data
    about sale of the day entered the wrong
    inventory code. IT can reduced this risk. But, if
    database admin accidently mismatch the inventory
    item and its code, then every sale of that
    inventory item will be recorded incorrectly.

The Work of IT Auditor
  • IT Auditor exists as long as IT exists. They
    ensure IT governance, and to do so, they assess
    IT risks and implement/monitor the controls over
    those risks.
  • Roles and level of expertise varies, might be
    internal/external auditor.
  • They will provide assurance or give comfort about
    anything related to information systems.

The Work of IT Auditor - continued
  • Evaluating controls over specific applications
    analyze risks controls over applications
  • Provide assurance over specific processes
    agreed upon procedures only client and IT
    auditor determine the scope of assurance required
  • Provide third-party assurance evaluate the
    risks and controls over third partys IS and
    provide assurance to others
  • Penetration testing trying to gain access to
    info resources in order to discover security
  • Supporting the financial audit evaluate IT
    risks and controls that may affect the
    reliability of financial reporting system
  • Searching for IT-based fraud to help
    investigate computer records in fraud

Relationship between Financial and IT Audits
  • The objective of a financial statement audit is
    to ensure that the organizations public
    financial statements are presented in accordance
    with generally accepted accounting principles
    (GAAP). Thus, FS Auditors analyze organizations
    internal control system to assess the degree
    which it appears to be operating effectively.
  • As computer technology is increasingly relied for
    processing transactions and reporting
    information, it is difficult for FS auditors to
    ignore IT in their audits. Thus, there is a need
    to evaluate information systems as part of
    financial audit.

Relationship between Financial and IT Audits
Develop an understanding of the client and
perform preliminary audit work
Develop audit plan
Evaluate the internal control system
IT Auditors FS Auditors jointly evaluate
internal control system
IT Auditors work with financial auditors to
develop audit plan
IT Auditors evaluate complexity of IT
Perform substantive testing
Review work and issue audit report
Determine degree of reliance on internal controls
IT Auditors review report write report to mgmt
with IT-related recommendations
IT Auditors may perform some data analysis to
assist FS auditors
IT Auditors FS Auditors jointly determine the
degree of reliance on internal controls
IT Auditors work with mgmt FS auditors on
Conduct follow-up work
IT Audit Skills
  • To become an IT Auditor, you need training and
    education (at least a bachelors degree)
  • Other than that, you need special certifications
    or licenses (e.g., Certified Public Accountant
    CPA, Certified Fraud Examiner CFE, Certified
    Internal Auditor CIA, Certified Information
    Systems Auditor - CISA
  • Skills required from IT Auditor

Technical Skills
  • IT Auditors requires specialized technology
    skills different platforms, OS, software
    applications, network security, ERP systems
  • Let say that the IT Auditor is auditing an OS,
    he/she will have a guide description of
    specific features of that OS and steps to follow
    in extracting data and testing controls
  • IT Auditors must have the interest of learning
    and updating themselves with technical topics as
    IT changes constantly.

Personal Skills
  • Personal Skills communication skills
  • IT Auditors must write and present reports. They
    frequently make presentations to
    internal/external clients
  • Thus, written and oral communication skills are
  • Personal skills Interpersonal and teamwork
  • Rarely, IT Auditors do their jobs in isolation.
    They need support from other auditors and
    cooperation from those they are auditing
  • IT Auditors must have good interpersonal skills
    to overcome negative bias of others towards

Business Skills
  • Business skills must understand business
    processes (financial, distribution, HR,
  • IT Auditors will evaluate the IT used by business
    organizations to support their processes.
  • Other skills financial processes, accounting,
    marketing skills and decision sciences

Professional IT Auditor Organizations and
  • IT Auditors may choose the many professional
    organizations to belong to.
  • These organizations issue certifications to their
    members who meet the various service and
    knowledge requirements.
  • Among the many professional organizations
    available are
  • ISACA Information Systems Audit and Control
  • IIA Institute of Internal Auditors
  • ACFE Association of Certified Fraud Examiners
  • AICPA American Institute of Certified Public

ISACA Information Systems Audit and Control
  • Founded in 1969
  • The largest professional organization of IT
  • It has more than 25000 members over 100
    countries, and has certified more than 29000 IT
  • ISACA has its research unit the Information
    Systems Audit and Control Foundation gtgt conduct
    research and issues publications that guide IT
    audit professionals.
  • ISACA has it IT Governance Institute, K-Net
    knowledge network repository of information about
    IT Governance, control and assurance

  • Certified Information Systems Auditor (CISA)
    designation is highly valued for IT Auditors. A
    CISA must successfully complete an examination
    (administered annually), meet professional
    experience requirements, abide the groups Code
    of Professional Ethics, and meet continuing
    education requirements
  • CISA examination test knowledge in 7 technical
    areas (refer figure 1-3, pp 9).
  • You need at least 5 years of experience in IT
    Auditing, control, or security to apply for the
  • CISA professionals must agree to a code of
    professional ethics, abide to ISACAs IS Auditing
    Standards, complete 20 contact hours of
    continuing education each year and 120 contact
    hours in a 3-year period in order to maintain
  • Besides CISA, CISM Certified Information
    Security Manager is another credential for
    non-audit security professionals

IIA Institute of Internal Auditors
  • Established in 1941 international organization
    of internal auditing professionals
  • It produces a journal, hosts professional
    meetings and educational seminars, conducts
    research through IIA Research Foundation, issues
    the Certified Internal Auditor (CIA) credential
    along with certifications in control
    self-assessment, government auditing and
    financial services auditing.
  • It promotes the practices of internal auditing
    through quality assurance and the issuance of
    standards, guidelines and best practices.
  • It is one of the primary professional
    organization that serve accountants in their
    various roles. The membership is made up of
    internal auditors.

  • IT Auditor may be external auditor or a member of
    the organizations internal audit staffs.
  • Internal Auditor may choose to be certified as
    CISA or CPA. And, they may also become a
    Certified Internal Auditor (CIA)
  • CIA requires a bachelors degree or meet
    international standards, provide a character
    reference, have 24-months of internal
    audit/equivalent experience, and pass the
  • CIA must agree to abide to professional code of
    ethics, complete 80 hours of continuing
    professional education (CPE) in every 2-year
  • CIA exam conducted twice per-year covers
    Professional Practices Framework (internal audit
    process, internal audit skills, mgmt control and
    IT, audit environment) IT (IS strategies,
    policies and procedures hardware, platforms,
    networks telecommunications data processing
    system development, acquisition maintenance IS
    security contingency planning)
  • Internal auditors involved in assessing their
    organizations IT risks and controls provide
    oversight for security activities and ensure
    appropriate resources are directed toward
    controlling IT risks

ACFE Association of Certified Fraud Examiners
  • ACFE issues CFE (Certified Fraud Examiner)
    professionals who specialize in auditing for
  • CFE is based on point system. Points are awarded
    for higher education and professional experiences
    (directly in fraud examination or related area
    accounting, criminology, sociology, fraud
    investigation, loss prevention, legal fields)
  • Must pass exam administered by ACFE (500
    objective questions, computer-based areas
    covered fraudulent financial transactions,
    fraud investigations, legal elements of fraud,
    criminology, ethics. Does not cover IT) and agree
    to abide to organizations Code of Ethics and

AICPA American Institute of Certified Public
  • Offers CPA (Certified Public Accountant) license
  • It has a membership of 350,000 accounting
  • Public companies must have their financial
    statements audited by CPAs. CPAs will look into
    all aspects of accounting (tax, consulting, IT
    auditing). CPA is a good foundation to IT
    Auditor, because it ensures that the auditor
    having thorough understanding of financial
    processes and reporting
  • CITP (Certified Information Technology
    Professional) certification is introduced in 2000
    to demonstrate that a CPA has specialized
    expertise in IT (refer Figure 1-4, pp. 11)

Structuring IT Audits
  • So how do you do IT Audit?
  • It varies as there are many types of IT audits
  • Among them are
  • Attestations or agreed upon procedures audits
  • Statement on auditing standards 70 audits
  • IT audits in support of external financial audits
  • Findings and recommendation reviews
  • will be covered in Chapter 9

Standards and Guidelines
  • AICPA Audit Standards and Guidelines Auditing
    Standards Board (ASB) of AICPA issues auditing
    standards, opinions and guidance for public
    accountants to follow in conducting financial
    statement audits and others.
  • In 1947 GAAS the 10 generally accepted
    auditing standards
  • SAS statements on auditing standards
  • SSAE statements on standards for attestation
  • In 2001 ASB issued SSAE no. 10 (Attestation
    Standards Revision and Recodification). This
    latest standard allows auditors to look into
    nonfinancial information and concerns on IT.

Standards and Guidelines
  • IFAC (International Federation of Accountants)
  • IFAC is an international organization of national
    professional accountancy groups. Members are
    classified as full members, associate members,
    affiliate members.
  • Full members AICPA, IMA (Institute of Mgmt
    Accountants), NASBA (National Association of
    State Boards of Accountancy
  • The mission of IFAC develop harmonized/ common
    international accounting standards and guidelines
    to assist professionals in their work
  • IFAC issued IFAC Handbook of International IT
    Guidelines provides direction concerning IT
    matters security, mgmt of IT , acquisition of
    IT, operations, monitoring, implementation
  • IFAC issued ISAs (International Standards on
    Auditing) used in financial statement audits
    IAPSs (International Auditing Practice
    Statements) provides help to auditors in
    implementing the standards
  • E.g., ISA no 401 Auditing in a Computer
    Information Systems Environment provides both
    financial and IT auditors guidance in conducting
    financial statement audits that involve IT
    (e-commerce, database systems, standalone
    computer systems)

Standards and Guidelines
  • ISACA Standards, Guidelines and Procedures
    prescribe the minimum performance levels required
    to comply with ISACAs Code of Professional
    Ethics, and also enable for better understanding
    of what an IT audit should encompass.
  • A licensed CISA must comply with ISACA standards
    or face investigation, and possible disciplinary
  • Guidelines provide help in applying the
    standards, and procedures are steps an IT Auditor
    would take during the audit process
  • Refer Figure 1.5 pp.14 for the ISACAs IT audit
  • CobiT, ISACAs IT governance framework may be
    used by auditors in accessing and advising mgmt
    about internal controls. It includes a set of
    audit guidelines a structure for internal
    control evaluations
Write a Comment
User Comments (0)