
FACULTY OF BUSINESS

ACCOUNTING SCHOOL

ACADEMIC REPORT

COURSE:
Comprehensive audit

AUTHOR:
Lizárraga Hernández, Frank Arturo

TEACHER:
Nancy Margot Esquives Chunga

LIMA PERU

2023 – I

INDEX
I. INTRODUCTION
II. DEVELOPMENT
Objectives of the Computer Audit
Rules and Regulations
IT Audit Procedures
IT Audit Tools
Stages of the IT Audit Process
Results and Conclusions of the Computer Audit
Recommendations and Action Plans
REFERENCES

I. INTRODUCTION
The IT audit is a comprehensive assessment of an organization's information
systems to assess the effectiveness and efficiency of recovery, security, risk
mitigation, and compliance with local and international standards and regulations.

Computer auditing is a discipline that is responsible for the review and evaluation
of an organization's computer systems, with the aim of verifying their correct
operation, their security and compliance with applicable standards and regulations.
This discipline has become increasingly relevant due to the growing importance of
technology in business and in society in general.

According to Antonio Muñoz, computer auditing should be seen as "a means to
guarantee trust and security in information and systems, through the evaluation
of controls and compliance with established regulations and standards"
(Muñoz, 2016).

For his part, Félix Eyzaguirre del Sante, a Peruvian national who has published
in the field of computer auditing, wrote the book "Audit of Computer Systems",
in which he presents the basic concepts of computer auditing and their
application in the Peruvian context, as well as the use of auditing techniques
and tools to assess the security and performance of computer systems in an
organization. The work of Eyzaguirre del Sante is considered an important
reference for professionals and students interested in computer auditing in
Peru (Felix, 2016).

The computer audit focuses on guaranteeing the quality and security of an
organization's computer systems, and is supported by specialized techniques and
tools to achieve its objectives. In addition, it is a discipline in constant
evolution due to changes in technology and in the business environment, so it
is important to stay up to date and follow the best practices and applicable
regulations.

II. DEVELOPMENT
Objectives of the Computer Audit
The objectives of the computer audit are the goals and purposes pursued through
an audit of information systems and technologies. According to Alarcón and
Casanueva (2016):

The main objective of the computer audit is to evaluate the effectiveness,
efficiency, security and regulatory compliance of information systems and
information technologies used in an organization. Some of the specific objectives
of the IT audit include:

• Evaluate the security of computer systems: Computer auditors must
analyze and evaluate the computer systems of the organization to identify
possible vulnerabilities and security risks.
• Verify regulatory compliance: IT auditors must review and verify whether
the organization complies with regulations and laws related to privacy,
information security and other relevant aspects.
• Evaluate the efficiency and effectiveness of computer systems: Computer
auditors must evaluate the efficiency and effectiveness of computer
systems, to determine if the technology is used appropriately and efficiently.
• Identify opportunities for improvement: IT auditors must also identify
opportunities for improvement and make recommendations to improve the
management and use of IT systems in the organization.

The objectives of the IT audit are to ensure the integrity, confidentiality and
availability of information, assess regulatory compliance, verify the efficiency and
effectiveness of IT systems, and make recommendations to improve the
management of IT systems in the organization.

Rules and Regulations


The norms and regulations in computer auditing are legal frameworks and
standards that establish the requirements and procedures that organizations must
follow to guarantee the security of their systems and data. These regulations also
establish the obligations and responsibilities of the parties involved in the IT audit
process. According to Sánchez Alfonso (2015):

Computer auditing is an activity that seeks to evaluate the effectiveness of controls
and processes related to information technology in an organization. In this sense,
it is important to know the rules and regulations that apply to the technological
environment in order to carry out an adequate evaluation. The norms and
regulations in computer auditing may vary depending on the country and sector of
the audited company. Some of the most important standards and regulations in IT
auditing include:

• Personal Data Protection Law (Law 29733) in Peru
• General Data Protection Regulation (GDPR) in the European Union
• Sarbanes-Oxley Act (SOX) in the United States
• Health Insurance Portability and Accountability Act (HIPAA) in the United
States
• ISO 27001 on information security
• COBIT in IT governance

It is important to note that these rules and regulations are intended to guarantee
legality, transparency and security in the handling of company information.
Therefore, it is critical that IT auditors are aware of these regulations and apply
them appropriately during the audit.

The norms and regulations in computer auditing are essential to guarantee the
protection of information and transparency in the management of information
systems of companies.

IT Audit Procedures
Computer audit procedures are the techniques and methods used to assess the
effectiveness, efficiency, and reliability of an organization's information systems.
These procedures are carried out to identify potential risks and weaknesses in
security controls and to ensure that systems comply with established rules and
regulations. According to Alfonso, E. (2015):

Information technology audit procedures refer to the specific techniques used
during an audit to assess the effectiveness of information technology controls and
processes in an organization. These procedures can vary depending on the type
of audit and the company being audited, but some of the more common
procedures include:

• Risk Assessment: This procedure is used to identify the potential risks an
organization faces in relation to its information technology. This includes the
identification of vulnerabilities and threats, as well as the assessment of the
impact they would have on the business if they materialized.
• Policies and Procedures Review: During this procedure, the organization's
information technology security and acceptable use policies and procedures
are reviewed. Their adequacy and effectiveness are evaluated to guarantee
data protection and business continuity.
• Testing of Controls: This procedure involves testing to assess the
effectiveness of existing controls in the organization. This may include
system access testing, change controls, security controls, among others.
• Vulnerability Scan: During this procedure, penetration tests are performed
on the organization's systems to identify vulnerabilities and determine if
existing controls are sufficient to protect against potential attacks.
• Incident Management Review: This procedure involves reviewing the
organization's ability to respond to security incidents and ensure business
continuity.

Computer audit procedures are essential to ensure the effectiveness of controls
and processes related to information technology in an organization. Proper use of
these procedures can help detect and mitigate risks, protect data, and ensure
business continuity.

IT Audit Tools
An author on computer audit tools is Mario Piattini, who in his book "Computer
Audit" explains how the tools can be used for data collection, analysis and
presentation of results, and provides an overview of the tools most commonly
used in systems auditing. According to Piattini, M. (2017):

Computer audit tools are software solutions that allow auditors to test,
monitor, and analyze systems and applications to identify potential risks
and vulnerabilities. Some of the more common tools used in IT auditing
include:

• Vulnerability Scanning Tools: These tools perform automated testing for
vulnerabilities and weaknesses in computer systems. These tests include
port scanning, evaluation of operating systems and software, among others.
• Network Monitoring Tools: These tools monitor and analyze network traffic
to identify potential threats, as well as assess the effectiveness of network
security controls.
• Forensic Analysis Tools: These tools are used to analyze and recover data
from systems and devices that have been compromised, to identify the
causes and effects of security incidents.
• Records Management Tools: These tools are used to record and store data
and audit trails, and to create audit reports.
• Penetration Testing Tools: These tools are used to simulate attacks on
systems and applications in order to detect and correct vulnerabilities.

Computer audit tools are essential for the identification and evaluation of security
risks in an organization's computer systems. The use of these tools can help
detect vulnerabilities and weaknesses, in order to take preventive and corrective
measures.

Stages of the IT Audit Process


The stages of the computer audit process are the steps that are followed to carry
out the audit of information systems. These stages include planning, data
collection, data analysis, risk assessment, problem identification,
recommendations, and reporting. An author on the computer audit process is Dan
Shoemaker, who in his book "Information Systems Audit" details the stages of the
audit process and provides detailed information on the tasks and techniques
involved in each of them. According to Shoemaker, D. (2011):

The stages of the IT audit process are divided into several steps that are carried
out to ensure a complete and exhaustive audit of the information systems. Each
stage is described in detail below:

• Planning: In this stage, the scope and objectives of the audit are
determined, a work plan is established and the resources necessary to
carry out the audit are defined.
• Data collection: In this stage, the necessary data for the audit is collected,
such as policies and procedures, system documentation, previous audit
records, etc.
• Data analysis: In this stage, the collected data is analyzed to assess the
effectiveness of the information system and to identify possible problems or
weaknesses.
• Risk assessment: In this stage, the risk associated with the possible
problems identified is evaluated and their priority is determined.
• Problem identification: In this stage, problems and weaknesses in the
information system are identified.
• Recommendations: In this stage, recommendations are developed to
address the identified problems.
• Reporting: At this stage, a detailed report is presented that includes the
results of the audit, recommendations to address the problems identified,
and any other relevant information.

It is important to note that these stages are not necessarily linear and may require
iterations to ensure that a full and thorough audit has been performed.

Results and Conclusions of the Computer Audit

• Results: The audit findings and discoveries are presented, such as
vulnerabilities or breaches of regulations.
• Conclusions: An analysis of the results is shown, along with possible
risks and effects on the business.

Recommendations and Action Plans


Recommendations

• Update the software and hardware of the information systems.
• Increase encryption systems to protect sensitive data.
• Improve the contingency plan for cybersecurity disasters.

Action plan

• Establish a cybersecurity team.
• Develop cybersecurity protocols and policies.
• Train staff in cybersecurity measures and information protection.

REFERENCES

Alarcón, J., & Casanueva, C. (2016). Computer Audit. Mexico DF: Limousa.

Cárdenas, R., & Ortiz, M. (2017). Audit of computer systems. Lima: Pearson
Education.

Hernández, A., & Romero, A. (2015). Introduction to Computer Audit. Mexico DF:
Alphaomega.

Chen, D., & Huang, H. (2018). Introduction to the Special Issue on Cyber Security
and Information Management. Journal of Management Information Systems,
35(4), 1006-1009. doi:10.1080/07421222.2018.1508017.

Sánchez Alfonso, C. A. (2015). Norms and regulations in computer auditing. Cuban
Journal of Informatics Sciences, 9(1), 13-26. Retrieved from
https://www.redalyc.org/pdf/1051/105146574002.pdf

Alfonso, E. (2015). Computer Audit. Pearson Education.

Piattini, M. (2017). Computer Audit. Auditorium.

Shoemaker, D. (2011). Information Systems Audit. Cengage Learning.
