
UNIT 1: IT Overview

AFRICA. DATOR. FRANCISCO. YU

Introduction
The demand for IT auditors outweighs the supply of qualified candidates due to advances in technology and growing appreciation of the profession in the business sector.
Not only are IT auditors in demand, but their work is also interesting and challenging.
IT auditors evaluate an entity's information system. This may include examining documents and interviewing people as well.
This must be done because business processes use IT to function, and IT is likely to be integral to an entity's viability.

Impact of IT in Organizations
IT influences organizational risks and controls.
IT creates opportunities but also carries many kinds of risks.
Example: the ability to transmit documents electronically to customers and vendors
- Opportunity: improved efficiency in the supply chain
- Risk: potential failure of electronic communication

IT GOVERNANCE

IT governance is the process of controlling an organization's information technology resources, which include information and communication systems as well as technology.

Enterprise governance is the process of setting and implementing corporate strategy.

The management and owners share responsibility for managing both the enterprise and IT.

IT governance is an important part of enterprise governance because of:
- organizational dependency on information and communication
- scale of IT investment
- potential strategic opportunities
- level of IT risk
IT governance also requires controlling the IT process to ensure that it complies with regulatory, legal, and contractual requirements.

Objective of IT Governance:
To set strategies for IT so that it is closely aligned with organizational goals, and to use IT for maximum opportunity but minimum risk.
The first part concerns the use of IT to promote the organization's objectives and enable business processes.
The second part involves managing and controlling IT-related risks.

This process begins with the development of an IT governance plan. Such a plan will help set the strategic course of IT acquisition and deployment or use.
IT governance is an ongoing process, and management needs to regularly evaluate and update plans.

IT GOVERNANCE INSTITUTE
The Information Systems Audit and Control Association (ISACA) established the IT Governance Institute in 1998.
This institute exists to clarify and provide guidance on current and future issues pertaining to IT governance, control and assurance.
It developed CobiT and COEG.
CobiT provides guidance on IT governance by providing the structure that links IT processes, IT resources and information to enterprise strategies and objectives.

Guideline:
Governance over information technology and its processes, with the business goal of adding value while balancing risk versus return, ensures delivery of information to the business that addresses the required Information Criteria and is measured by Key Goal Indicators. It is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value and delivery of IT, considers Critical Success Factors that leverage all IT Resources, and is measured by Key Performance Indicators.

IT GOVERNANCE FRAMEWORK
(Cycle diagram with the nodes: Provide Direction, Set Objectives, Compare, IT Activities, Measure Performance)

Set Objectives:
- IT is aligned with the business
- IT enables the business and maximizes benefits
- IT resources are used responsibly
- IT-related risks are managed appropriately

IT Activities:
- Increase automation (make business effective)
- Decrease cost (make enterprise efficient)
- Manage risks (security, reliability and reliance)

While IT is just plain good business practice, it is also a possible source of competitive advantage.
Organizations that leverage IT effectively are likely to create more value for customers and other stakeholders.
Lack of return on IT investments and security failures are also reasons why organizations should invest in developing IT governance plans and policies.

IT AND TRANSACTION PROCESSING
Part of IT governance concerns controlling IT risk. This is important in enterprises because management uses IT to process data about ongoing transactions or events.
A computerized information system for transaction processing may increase some risks and decrease others.

Example 1:
In sales, compare a sales clerk who manually records data and may make a data entry error with a computer system that scans an inventory barcode and will not make that mistake.
Therefore, IT decreases the risk.

Example 2:
If the database administrator has accidentally mismatched an inventory item description and item number, then every sale of that inventory item will be recorded incorrectly.
Overall, use of IT can reduce risk due to human error, but it can also increase it.

WORK OF AN IT AUDITOR

Changes in risks dictate changes in how an auditor needs to work.
Example: An auditor may need to look at a computer program to make sure the system logic is correct.
Auditors ensure IT governance and, in doing so, assess IT risks and implement or monitor the controls over those risks.
The roles of IT auditors vary with their position within or outside the organization and with each individual project. The level of expertise needed for an engagement also varies.

Basically, an IT auditor can provide assurance or give comfort over just about anything related to information systems, but some of the specific types of engagements an IT auditor might perform include:
- Evaluating controls over specific applications
- Providing assurance over specific processes
- Providing third-party assurance
- Penetration testing
- Supporting financial audits
- Searching for IT-based fraud

Relationship Between Financial and IT Audits

The objective of a financial statement audit is to ensure that an organization's public financial instruments are presented in accordance with generally accepted accounting principles.
In the course of an audit engagement, financial auditors analyze an organization's internal control system to assess the degree to which it appears to be operating effectively.
As organizations have increased their reliance on computer technology in processing transactions and reporting information, it has become increasingly difficult for financial auditors to ignore IT in their audits.
Today's complex IT environments call for an evaluation of the information system as part of the financial audit.
SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit, requires auditors to understand both manual and computerized processes for financial statement presentation and to recognize the additional risks and benefits of IT relative to internal control.
It also notes that auditors need specialized skills in order to be able to understand IT controls and the impact of IT on a financial statement audit.
Auditors are to acquire those skills themselves or obtain assistance from a specialized IT auditor.
The Sarbanes-Oxley Act of 2002 mandates that management assess and make representations about internal controls.
Auditors will need to test those controls and provide assurance about management's representation.

IT Audit Skills

Technical Skills
IT auditors acquire specialized technology skills as they work with different platforms and software applications.

General Personal and Business Skills
- Communication skills
- Interpersonal skills and teamwork
- Business education
- Decision sciences
Professional IT Auditor Organizations and Certifications

Information Systems Audit and Control Association (ISACA)
- 1969
- Largest professional organization of IT auditors
- Information Systems Audit and Control Foundation: conducts research and issues publications that guide IT audit professionals
- IT Governance Institute
- CISA: most highly valued global credential for IT auditors
- 1978: CISA certification
- CISM: for non-audit security professionals

Institute of Internal Auditors (IIA)
- 1941
- International organization of internal auditing professionals
- Issues the CIA credential
- Promotes the practice of internal auditing through quality assurance
- IIA's membership: internal auditors (AICPA), (IMA)
- IT auditor: may be either an external auditor or a member of an organization's internal audit staff

Association of Certified Fraud Examiners (ACFE)
- Issues the CFE credential to professionals who specialize in auditing for fraud

American Institute of Certified Public Accountants (AICPA)
- Confers the CPA license
- 1934: SEC required companies to have their FS audited by CPAs
- CPA: provides a good foundation for an IT auditor
- 2000: introduced CITP; a CPA with specialized expertise in IT

Structuring IT Audits
Types of IT audits
1. Attestations or agreed-upon procedures audits
2. Statement on Auditing Standards #70 audits: the service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes.
3. IT audits in support of external financial audits
4. Findings and recommendations reviews

Standards and Guidelines IT auditors use:

1. AICPA Audit Standards and Guidelines
- ASB
- 1947: issued GAAS (general, fieldwork, reporting standards)
- SAS: interpretations of GAAS
- SSAE: perform an attestation; issues a report stating a conclusion about the reliability of subject matter that is the responsibility of someone else
- SSAE No. 10, Attestation Standards: Revision and Recodification, superseded all previous attestation engagement statements
- Auditors are increasingly involved in providing assurance over nonfinancial information

2. International Federation of Accountants (IFAC) Guidelines
- International umbrella organization of national professional accountancy groups (management, auditing, education, tax)
- Classification of the member organizations: full members, associate members, affiliate members
- Mission: develop harmonized or common international accounting standards and guidelines to assist professionals in their work
- Types of guidance of use to IT auditors:
  - IFAC Handbook of International IT Guidelines: provides direction concerning IT areas
  - ISAs: financial statement audits
  - IAPSs: implementing the standards

3. ISACA Standards, Guidelines, and Procedures
- Standards: prescribe minimum performance levels required to comply with ISACA's Code of Professional Ethics
- Licensed CISA: must comply with ISACA standards
- Guidelines: provide help in applying the standards
- CobiT: ISACA's IT governance framework
  - assessing and advising management about internal controls
  - includes a set of audit guidelines that provide IT auditors with a structure for internal control evaluation

COBIT FRAMEWORK

Issue: Good IT governance
Possible key: COBIT Framework

Review
One of many control frameworks developed to help companies develop good internal control.
Developed by the ISACF (Information Systems Audit and Control Foundation).
Allows:
1. Management to benchmark other IT practices.
2. Users of IT services to be assured that adequate security and control exist.
3. Auditors to substantiate their opinions on internal control and advise on IT security and control matters.

Addresses the issue of control from 3 vantage points:
1. Business objectives: conform with business requirements
2. IT resources: people, application systems, technology, facilities and data
3. IT processes: (a) planning and organizing, (b) acquisition and implementation, (c) delivery and support, (d) monitoring and evaluation
- Consolidates 36 standards in a single framework.
- Helps in balancing risk and control.

According to ISACA:
- Accepted globally as a set of tools that ensures IT is working effectively
- Functions as an overarching framework
- Provides a common language to communicate goals, objectives and expected results to all stakeholders
- Based on, and integrates, industry standards and good practices in:
  - Strategic alignment of IT with business goals
  - Value delivery of services and new projects
  - Risk management
  - Resource management
  - Performance measurement

ISACA: How does COBIT support the governance of IT?
COBIT supports IT governance by providing a framework to ensure that:
- IT is aligned with the business
- IT enables the business and maximizes benefits
- IT resources are used responsibly
- IT risks are managed appropriately

According to ISACA:
[Figure: IT Governance focus areas - Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
COBIT is based on the analysis and harmonization of existing IT standards and good practices and conforms to generally accepted governance principles. It is positioned at a high level, driven by business requirements, covers the full range of IT activities, and concentrates on what should be achieved rather than how to achieve effective governance, management and control. Therefore, it appeals to executive management; business and IT management; governance, assurance and security professionals; and IT


ISACA updates
ISACA has started on a multiyear strategic initiative to develop the next generation of the COBIT Framework, COBIT 5, and supporting products. Building on more than fifteen years of practical use of COBIT by many IT professionals from the business, IT, risk management, security and assurance communities, the COBIT 5 deliverables will be designed to meet the current and future needs of stakeholders and align with the most up-to-date thinking in enterprise governance and IT management practices.