
CHAPTER 1 CISB424 IT Audit

Overview
WHAT WILL BE COVERED?

• Overview of the IT audit function
• Description of the work of IT Auditors and the skills needed
• Explanation of how to become an IT Auditor
• Description of the structure of IT Audits
• Discussion of IT audit’s relationship with accounting and financial audit
• Professional IT Auditor organizations
DID YOU KNOW???

• “The need for IT Auditors far outstrips the supply of qualified candidates”
• IT Auditors are in demand, and their work is interesting and challenging
• IT Auditors evaluate an organizational entity’s IS (information technologies, data and information, and systems of communication)
• Evaluation includes studying documents, interviewing people, and entering/manipulating data in a computer.
• IT Auditors do the above because business processes use IT to function and IT is integral to an enterprise’s viability
IMPACT OF IT ON ORGANIZATIONS

• IT is important in all kinds of organizations; IT also influences organizational risks and controls.
• IT creates opportunities, but these opportunities bring risks
  - E.g., the ability to transmit documents electronically to customers and vendors improves efficiency in the supply chain, but electronic communication systems also pose new risks
IT GOVERNANCE

• A process for controlling an organization’s information technology resources (systems and technology).
• An organization’s mgmt and owners (board of directors) are responsible for governing the enterprise and IT.
• Enterprise governance – the process of setting and implementing corporate strategy, making sure that the organization achieves its objectives efficiently, and managing risks.
• The objectives of IT governance are to set strategies for IT so that it is aligned closely with organizational goals, and to use IT for maximum opportunity but minimum risk.
• Two parts of IT Governance: 1. concerns the use of IT to promote an organization’s objectives and enable business processes; 2. involves managing and controlling IT-related risks
IT GOVERNANCE - CONTINUED

• It begins with:
  - The development of an IT Governance plan (setting the strategic purposes of IT acquisition and deployment or use)
  - It is an on-going process: mgmt needs to regularly evaluate and update plans
• The IT governance cycle (slide diagram): Set objectives → Provide direction → IT activities → Measure performance → compare results against objectives → Set objectives again
  Set objectives:
  • IT is aligned with the business
  • IT enables the business and maximizes benefits
  • IT resources are used responsibly
  • IT-related risks are managed appropriately
  IT activities:
  • Increase automation (make the business effective)
  • Decrease cost (make the enterprise efficient)
  • Manage risks (security, reliability and compliance)
IT GOVERNANCE - CONTINUED

• ISACA established the IT Governance Institute (1998) to clarify and provide guidance on current and future issues pertaining to IT governance, control and assurance.
• It developed CobiT (Control Objectives for Information and Related Technology, 3rd Edition) and COEG (Control Objectives for Enterprise Governance)
• CobiT provides guidance on IT governance, providing the structure that links IT processes, IT resources and information to enterprise strategies and objectives.
• CobiT also includes IT Governance Management Guidelines, which identify critical success factors, key goal and performance indicators, and a maturity model for IT governance. It is a guideline that management can use in evaluating performance with regard to IT
IT AND TRANSACTION PROCESSING

• One of the concerns in IT Governance is controlling IT risks. This is important in enterprises because they use IT to process data about ongoing transactions and activities. Business and other organizational entities are involved in and affected by these transactions in many ways, and the IS collects data about all of them.
• A computerized IS may increase some risks and decrease others. IT can, for example, reduce risks due to human error. How is this possible?
  - Scenario 1 – a sales clerk manually records data about the day’s sales and enters the wrong inventory code. IT can reduce this risk. But if the database admin accidentally mismatches an inventory item and its code, then every sale of that inventory item will be recorded incorrectly.
THE WORK OF IT AUDITOR

• IT Auditors exist as long as IT exists. They ensure IT governance, and to do so they assess IT risks and implement/monitor the controls over those risks.
• Roles and levels of expertise vary; an IT Auditor might be an internal or external auditor.
• They provide assurance (give comfort) about anything related to information systems.
THE WORK OF IT AUDITOR - CONTINUED

• Evaluating controls over specific applications – analyze risks and controls over applications
• Providing assurance over specific processes – agreed-upon procedures only; the client and the IT auditor determine the scope of assurance required
• Providing third-party assurance – evaluate the risks and controls over a third party’s IS and provide assurance to others
• Penetration testing – trying to gain access to information resources in order to discover security weaknesses
• Supporting the financial audit – evaluate IT risks and controls that may affect the reliability of the financial reporting system
• Searching for IT-based fraud – help investigate computer records in fraud investigations
RELATIONSHIP BETWEEN FINANCIAL AND IT AUDITS

• The objective of a financial statement audit is to ensure that the organization’s public financial statements are presented in accordance with generally accepted accounting principles (GAAP). Thus, FS Auditors analyze the organization’s internal control system to assess the degree to which it appears to be operating effectively.
• As computer technology is increasingly relied upon for processing transactions and reporting information, it is difficult for FS auditors to ignore IT in their audits. Thus, there is a need to evaluate information systems as part of the financial audit.
RELATIONSHIP BETWEEN FINANCIAL AND IT AUDITS - CONTINUED

Audit process steps (from the slide’s flow diagram) and the IT Auditor’s role at each step:
1. Develop an understanding of the client and perform preliminary audit work – IT Auditors evaluate the complexity of IT
2. Develop the audit plan – IT Auditors work with financial auditors to develop the audit plan
3. Evaluate the internal control system – IT Auditors and FS Auditors jointly evaluate the internal control system
4. Determine the degree of reliance on internal controls – IT Auditors and FS Auditors jointly determine the degree of reliance on internal controls
5. Perform substantive testing – IT Auditors may perform some data analysis to assist FS auditors
6. Review work and issue the audit report – IT Auditors review the report and write a report to mgmt with IT-related recommendations
7. Conduct follow-up work – IT Auditors work with mgmt and FS auditors on follow-up
IT AUDIT SKILLS

• To become an IT Auditor, you need training and education (at least a bachelor’s degree)
• Other than that, you need special certifications or licenses (e.g., Certified Public Accountant – CPA, Certified Fraud Examiner – CFE, Certified Internal Auditor – CIA, Certified Information Systems Auditor – CISA)
• Skills required of an IT Auditor are technical, personal and business skills, covered in the following slides:
TECHNICAL SKILLS

• IT Auditors require specialized technology skills – different platforms, operating systems, software applications, network security, ERP systems
• Say the IT Auditor is auditing an OS: he/she will have a guide – a description of the specific features of that OS and the steps to follow in extracting data and testing controls
• IT Auditors must have an interest in learning and keeping themselves up to date on technical topics, as IT changes constantly.
PERSONAL SKILLS

• Personal skills – communication skills
  - IT Auditors must write and present reports. They frequently make presentations to internal/external clients
  - Thus, written and oral communication skills are crucial
• Personal skills – interpersonal and teamwork
  - IT Auditors rarely do their jobs in isolation. They need support from other auditors and cooperation from those they are auditing
  - IT Auditors must have good interpersonal skills to overcome the negative bias of others towards auditors
BUSINESS SKILLS

• Business skills – must understand business processes (financial, distribution, HR, manufacturing)
• IT Auditors evaluate the IT used by business organizations to support their processes.
• Other skills – financial processes, accounting, marketing skills and decision sciences
PROFESSIONAL IT AUDITOR ORGANIZATIONS AND CERTIFICATIONS

• IT Auditors may choose among many professional organizations to belong to.
• These organizations issue certifications to members who meet their various service and knowledge requirements.
• Among the many professional organizations available are:
  - ISACA – Information Systems Audit and Control Association
  - IIA – Institute of Internal Auditors
  - ACFE – Association of Certified Fraud Examiners
  - AICPA – American Institute of Certified Public Accountants
ISACA – INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION

• Founded in 1969
• The largest professional organization of IT Auditors
• It has more than 25000 members in over 100 countries, and has certified more than 29000 IT Auditors
• ISACA has its own research unit, the Information Systems Audit and Control Foundation, which conducts research and issues publications that guide IT audit professionals.
• ISACA has its IT Governance Institute and K-Net, a knowledge network repository of information about IT governance, control and assurance
CISA

• The Certified Information Systems Auditor (CISA) designation is highly valued for IT Auditors. A CISA must successfully complete an examination (administered annually), meet professional experience requirements, abide by the group’s Code of Professional Ethics, and meet continuing education requirements
• The CISA examination tests knowledge in 7 technical areas (refer to figure 1-3, pp. 9).
• You need at least 5 years of experience in IT auditing, control, or security to apply for the CISA.
• CISA professionals must agree to a code of professional ethics, abide by ISACA’s IS Auditing Standards, and complete 20 contact hours of continuing education each year and 120 contact hours in a 3-year period in order to maintain certification
• Besides CISA, CISM (Certified Information Security Manager) is another credential, intended for non-audit security professionals
IIA – INSTITUTE OF INTERNAL AUDITORS

• Established in 1941 – an international organization of internal auditing professionals
• It produces a journal, hosts professional meetings and educational seminars, conducts research through the IIA Research Foundation, and issues the Certified Internal Auditor (CIA) credential along with certifications in control self-assessment, government auditing and financial services auditing.
• It promotes the practice of internal auditing through quality assurance and the issuance of standards, guidelines and best practices.
• It is one of the primary professional organizations that serve accountants in their various roles. The membership is made up of internal auditors.
CIA
• An IT Auditor may be an external auditor or a member of the organization’s internal audit staff.
• Internal Auditors may choose to be certified as CISA or CPA. They may also become a Certified Internal Auditor (CIA)
• The CIA requires a bachelor’s degree (or meeting international standards), a character reference, 24 months of internal audit or equivalent experience, and passing the CIA exam
• A CIA must agree to abide by the professional code of ethics and complete 80 hours of continuing professional education (CPE) in every 2-year period.
• The CIA exam, conducted twice per year, covers the Professional Practices Framework (internal audit process, internal audit skills, mgmt control and IT, audit environment) and IT (IS strategies, policies and procedures; hardware, platforms, networks and telecommunications; data processing; system development, acquisition and maintenance; IS security and contingency planning)
• Internal auditors involved in assessing their organization’s IT risks and controls provide oversight for security activities and ensure appropriate resources are directed toward controlling IT risks
ACFE – ASSOCIATION OF CERTIFIED FRAUD EXAMINERS

• ACFE issues the CFE (Certified Fraud Examiner) credential to professionals who specialize in auditing for fraud.
• The CFE is based on a point system. Points are awarded for higher education and professional experience (directly in fraud examination or a related area – accounting, criminology, sociology, fraud investigation, loss prevention, legal fields)
• Candidates must pass an exam administered by the ACFE (500 objective questions, computer-based; areas covered – fraudulent financial transactions, fraud investigation, legal elements of fraud, criminology, ethics; it does not cover IT) and agree to abide by the organization’s Code of Ethics and Bylaws
AICPA – AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS

• Offers the CPA (Certified Public Accountant) license
• It has a membership of 350,000 accounting professionals
• Public companies must have their financial statements audited by CPAs. CPAs look into all aspects of accounting (tax, consulting, IT auditing). The CPA is a good foundation for an IT Auditor, because it ensures that the auditor has a thorough understanding of financial processes and reporting
• The CITP (Certified Information Technology Professional) certification was introduced in 2000 to demonstrate that a CPA has specialized expertise in IT (refer to Figure 1-4, pp. 11)
STRUCTURING IT AUDITS

• So how do you do an IT Audit?
• It varies, as there are many types of IT audits
• Among them are:
  - Attestations or agreed-upon procedures audits
  - Statement on Auditing Standards No. 70 audits
  - IT audits in support of external financial audits
  - Findings and recommendations reviews
• These will be covered in Chapter 9


STANDARDS AND GUIDELINES

• AICPA Audit Standards and Guidelines – the Auditing Standards Board (ASB) of the AICPA issues auditing standards, opinions and guidance for public accountants to follow in conducting financial statement audits and other engagements.
  - In 1947 – GAAS – the 10 generally accepted auditing standards
  - SAS – Statements on Auditing Standards
  - SSAE – Statements on Standards for Attestation Engagements
  - In 2001 – the ASB issued SSAE No. 10 (Attestation Standards: Revision and Recodification). This latest standard allows auditors to look into nonfinancial information and IT-related concerns.
STANDARDS AND GUIDELINES - CONTINUED

• IFAC (International Federation of Accountants) Guidelines
  - IFAC is an international organization of national professional accountancy groups. Members are classified as full members, associate members and affiliate members.
  - Full members include the AICPA, the IMA (Institute of Mgmt Accountants) and NASBA (National Association of State Boards of Accountancy)
  - The mission of IFAC is to develop harmonized/common international accounting standards and guidelines to assist professionals in their work
  - IFAC issued the IFAC Handbook of International IT Guidelines, which provides direction concerning IT matters – security, mgmt of IT, acquisition of IT, operations, monitoring, implementation
  - IFAC issued ISAs (International Standards on Auditing), used in financial statement audits, and IAPSs (International Auditing Practice Statements), which help auditors implement the standards
  - E.g., ISA No. 401, Auditing in a Computer Information Systems Environment, provides both financial and IT auditors with guidance in conducting financial statement audits that involve IT (e-commerce, database systems, standalone computer systems)
STANDARDS AND GUIDELINES - CONTINUED

• ISACA Standards, Guidelines and Procedures – prescribe the minimum performance levels required to comply with ISACA’s Code of Professional Ethics, and also enable a better understanding of what an IT audit should encompass.
• A licensed CISA must comply with ISACA standards or face investigation and possible disciplinary action.
• Guidelines provide help in applying the standards, and procedures are the steps an IT Auditor would take during the audit process
• Refer to Figure 1.5, pp. 14, for ISACA’s IT audit standards
• CobiT, ISACA’s IT governance framework, may be used by auditors in assessing and advising mgmt about internal controls. It includes a set of audit guidelines – a structure for internal control evaluations
