ICTE1073

Auditing in a CIS Environment

Handout #2 – AUDIT AND REVIEW: THEIR ROLE IN INFORMATION TECHNOLOGY

Financial auditing – encompasses all activities and responsibilities concerned with the rendering of an opinion on the
fairness of financial statements.

Two groups of standards that affect the preparation of financial statements and the procedures for their audit by CPA firms:

1. Generally Accepted Accounting Principles (GAAP) – establishes consistent guidelines for financial reporting by
corporate managers. These principles have been formulated and revised periodically. An auditor rendering an
opinion that the financial statements are presented fairly stipulates that those financial statements conform to GAAP.

2. Generally Accepted Auditing Standards (GAAS) – standards for audits which cover three categories:
a. General standards – relate to professional and technical competence, independence, and due professional
care.
b. Fieldwork standards – encompass planning, evaluation of internal control, sufficiency of evidential matter,
or documentary evidence upon which findings are based.
c. Reporting standards – stipulate compliance with all accepted auditing standards, consistency with the
preceding account period, adequacy of disclosure, and, in the event that an opinion cannot be reached, the
requirement to state the assertion explicitly.

Note: These standards provide broad guidelines, but not specific guidelines.

IT Audit – evaluation of IT, practices, and operations to assure the integrity of an entity’s information.
– Assessment of the efficiency, effectiveness, and economy of computer-based practices.
– Involves the use of the computer as an audit tool.

IT Auditor’s evaluation of systems, practices, and operations may include one or both of the following:

• Assessment of internal controls within the CIS environment to assure the validity, reliability, and security of
information
• Assessment of the efficiency and effectiveness of the CIS environment in economic terms.

The advanced knowledge and skills of IT auditors can progress in two ways:

1. Continued growth and skill in this profession – leading the way in computer audit research and development and
progressing up the external and internal audit career paths
2. Capitalizing on a thorough knowledge of organizational systems and moving into more responsible career areas in
general management.

NEED FOR IT AUDIT FUNCTION

With the increased reliance on computers to perform daily transactions and with the higher risks associated with the new
technology, management needs assurance that the controls governing its computer operations are adequate.

Top 10 reasons for the start-up of IT Auditing:

1. Auditing around the computer was becoming unsatisfactory for the purpose of data reliance.
2. Reliance on controls was becoming highly questionable.
3. Financial institutions were losing money due to creative programming.
4. Payroll databases could not be relied on for accuracy due to sophisticated programmers.
5. The security of data could no longer be enforced effectively.
6. Advancements occurred in technology.
7. Internal networks were being accessed by employees’ desktop computers.
8. Personal computers became accessible for office and home use.
9. Large amounts of data required advanced software programs to audit them, known as CAATs.
10. The tremendous growth of corporate hackers, either internal or external, warranted the need for IT auditors.

BASIC THINGS AUDITORS MUST REMEMBER

• Auditors must have Standards of Practice. Just as Christians pattern their deeds after what the Bible says,
auditors are also supposed to follow standards of practice, which guide them on how auditing should be done and
what deeds to avoid in order to maintain their integrity as auditors.

• Auditors must have Independence. To add value and credibility to the audit opinion to be issued by the auditor,
he must have independence. He must be free from any bias towards, or influence from, management.

• Auditors must have High Ethical Standards. To act as an auditor is to be a judge, a judge of the fairness and
faithfulness of the reporting of financial information by management. Therefore, a judge must uphold a high standard
of moral ethics. If an auditor is low on ethics, it will be hard for auditees to trust the auditor and believe in his
credibility to judge their financial statements.

• Auditors must be equipped with Knowledge, Skills, and Abilities.

Three commonly accepted sources of obtaining an IT auditing education:

1. Traditional University Academic Environment
2. Participation in seminars presented by professional organizations
3. Participation in on-the-job trainings and in-house programs

SUPPLEMENTAL SKILLS

Technical Skills/Hard Skills – these are skills that relate to the conduct of the audit per se. Full knowledge of the audit
process, and the techniques used in examining audit evidence are included in this category.

Nontechnical Skills/Soft Skills – these are the skills that are not taught in an academic setting. They are gained through
experience, or are innate to a certain person. Communication, negotiation, and interpersonal skills fall under this
category.

ROLE OF THE IT AUDITOR

• IT Auditor as Counselor. Auditors must take an active role in developing policies on auditability, control, testing
and standards of an information system. Auditors must also convince users and IT personnel of the need for a
controlled IT environment. IT audit staff can persuade users to insist on a policy of comprehensive testing for all
new systems and all changes to existing ones. Insisting that all new systems be reviewed at predefined checkpoints
throughout the system’s SDLC can also enhance IT control.

• IT Auditor as Partner of Senior Management. Although the IT auditor’s roles of counselor and skilled technician
are vital to successful company operation, they may be irrelevant if the auditor fails to view auditing in relation to
the organization as a whole. A system that appears well-controlled may be inconsistent with the operation of a
business. Management needs the support of a skilled computer staff that understands the organization’s
requirements, and IT auditors are in such a position to provide that information.

• IT Auditor as Investigator. As a result of increased legislation and the use of computer evidence within the courts,
the ability to capture and document computer-generated information related to criminal activity is critical for
purposes of prosecution. The awareness and use of CAATTs in performing forensic support work have provided
new opportunities for the IT auditor, IT security personnel, and those within law enforcement and investigation.

TYPES OF AUDIT FUNCTIONS

• Internal – a control function within a company or organization.
– Primary purpose is to assure that management-authorized controls are being applied effectively
– Not mandatory, but exists in most private companies or organizations
– Performs the monitoring and testing of IT activities within the control of the company or organization

• External – provided by public accounting firms (who are outside, i.e., not part, of the company or organization)
– Evaluates the reliability and validity of systems controls in all forms, to minimize the amount of substantial
auditing or testing of transactions required to render an opinion.
– Responsible for testing the reliability of client IT systems
