December 22, 2011

THE INFORMATION SYSTEM AUDITING
SALMAN SARWAR 348 MBA ITM /S09

What is IT auditing all about?
IT auditing is a branch of general auditing concerned with governance (control) of information and communications technologies (computers). IT auditors primarily study computer systems and networks from the point of view of examining the effectiveness of their technical and procedural controls to minimize risks. Actually, to be honest, like all auditors we spend the bulk of our time dealing with the people who specify, develop, test, manage, administer, use and abuse the computer systems, but it's being able competently to audit the information technology that sets us apart from the riff-raff.

What do IT auditors actually do?
In short, IT auditors review risks relating to IT systems and processes, including:
1. Inadequate information security (e.g. missing or out-of-date antivirus controls)
2. Inefficient use of corporate resources, or poor governance (e.g. spending large on unnecessary IT projects)
3. Ineffective IT strategies, policies and practices (including a lack of policies etc.)
4. IT-related frauds
Management calls the auditors in to review stuff and they in turn produce formal reports and recommendations that circulate to management, but they operate independently in order to avoid management telling them what answers they want to hear.

So what is auditing then?
Auditing, in general, is formally described as: "The independent examination of records and other information in order to form an opinion on the integrity of a system of controls and recommend control improvements to limit risks". There are several significant, if somewhat boring, terms in that description:
- Independent: the auditors should not be directly involved with the operations or management of a function being audited. They should report to a separate line of management and be free to state the facts of a situation and their honest opinions without fear of recrimination from those in the subject area. Just as importantly, independence is also a state of mind: for example, freethinking, able to consider situations objectively. Switzerland has the right idea. Some judicial systems come close.



- Examination: auditing involves the gathering and assessment of factual information from various sources. All auditors normally interview staff in the business areas under review and may use other observational techniques to examine business processes in action. IT auditors often use data analysis tools to examine computer records.
- Records and other information: auditors need to refer to information regarding the business processes and systems under review (such as completed data-entry forms, system-generated reports and, of course, the people involved in doing or managing the relevant business processes). It is important that the formal outputs of the auditing process (primarily audit reports containing recommendations for control improvements) are traceable to valid information sources, including what are often called "audit records".
- Opinion: auditors provide both objective facts and subjective opinions on a given situation. Although subjective, their opinions are based on an interpretation of the facts and are open to legitimate challenge. You don't have to agree with us but if you do, you'd better be ready for a 'full and frank discussion'.
- Integrity: literally means completeness, accuracy and trustworthiness. A control system which is only partially effective may be better than nothing, or it may give a false sense of security: either way, the auditor will probably not be impressed.
- System of controls: different types of control operate at many levels. IT auditors work with technical controls built in to the computer systems, but also procedural controls (operations procedures etc.), legal controls (software licenses etc.) and Human Resources controls (employment contracts etc.).
- Recommend: auditors generate "audit recommendations" but have neither the authority to implement suggested changes nor can we force management to do so. We achieve improvements mostly by a process of explanation, justification and persuasion: explaining the risks represented by control weaknesses, justifying the need to change systems and/or processes, and persuading management to apply the necessary resources and direction in order to address the risks. As a last resort, audit's big stick comes out, i.e. political clout.
- Control improvements: improving the system of controls generally means adding necessary controls that were missing. In rare cases, of course, auditors may recommend removing controls, generally because they are ineffective, disruptive or wasteful.
- Limit: risks, of course, can be reduced but not totally eliminated. Good business involves minimizing risks cost-effectively, and being prepared for the worst if things go wrong (contingency planning).
- Risk: is the chance that something might go horribly wrong, like fraudulent politicians, spam emails and bugs. Formally, risk is the chance combination of threats (usually caused by someone with malicious intent, sometimes just due to carelessness or incompetence), acting on vulnerabilities (weaknesses in 'the system', typically due to a lack of controls in many computer systems and operating procedures) to cause impacts (adverse outcomes, i.e. financial, human and political fallout when the brown stuff hits the fan).

Here's another view: auditing is a mechanism for examining the effectiveness of organizations, systems, processes, risks and controls.

TYPES OF IT AUDITING
Technological innovation process audit: This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product.
Innovative comparison audit: This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
Technological position audit: This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".

Others describe the spectrum of IT audits with five categories of audits:
Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
Systems Development: An audit to verify that the systems under development meet the objectives of the organization and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.

Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.

Information Technology Audit Process Overview
The auditor must plan and conduct the audit to ensure their audit risk (the risk of reaching an incorrect conclusion based on the audit findings) will be limited to an acceptable level. To eliminate the possibility of assessing audit risk too low, the auditor should perform the following steps:
Obtain an Understanding of the Organization and its Environment: The understanding of the organization and its environment is used to assess the risk of material misstatement/weakness and to set the scope of the audit. The auditor's understanding should include information on the nature of the entity, management, governance, objectives and strategies, and business processes.
Identify Risks that May Result in Material Misstatements: The auditor must evaluate an organization's business risks (threats to the organization's ability to achieve its objectives). An organization's business risks can arise or change due to new personnel, new or restructured information systems, corporate restructuring, and rapid growth, to name a few.
Evaluate the Organization's Response to those Risks: Once the auditor has evaluated the organization's response to the assessed risks, the auditor should then obtain evidence of management's actions toward those risks. The organization's response (or lack thereof) to any business risks will impact the auditor's assessed level of audit risk.
Evaluate the Organization's Response to those Risks: Based on the knowledge obtained in evaluating the organization's responses to business risks, the auditor then assesses the risk of material misstatements and determines specific audit procedures that are necessary based on that risk assessment.
Evaluate Results and Issue Audit Report: At this level, the auditor should determine if the assessments of risks were appropriate and whether sufficient evidence was obtained. The auditor will issue either an unqualified or qualified audit report based on their findings.

A Typical IS Audit Cycle
1. Planning.
2. Understand the Process(es).
3. Walkthrough the Process/Controls.
4. Test the Controls:
   - Design of control.
   - Operating Effectiveness.
5. Conclude and Report.

PHASES OF IT AUDITING
Planning the Audit
The IT auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards. One of the first tasks an auditor must do when planning the audit is to develop a working budget. In addition to the budgeted time needed to perform the audit, the IT audit manager should also budget time needed to train the audit staff (if needed) and allow time for any error correction purposes. The IT audit manager must know the capabilities of the audit staff assigned to the project.

While planning the audit, the auditor decides what level of audit risk (the risk of reaching an incorrect conclusion based on the audit findings) he or she is willing to accept. The more effective and extensive the audit work is, the less the risk that a weakness will go undetected and the auditor will issue an inappropriate report. Audit risk is dependent on the auditor's assessed levels of inherent risk (the susceptibility of an audit area to error which could be material, assuming there are no related internal controls), control risk (the risk a material weakness will not be prevented or detected by internal controls), and detection risk (the risk substantive tests will not detect an error which could be material). These risks are determined when the auditor performs a risk assessment of the organization.

Materiality
In assessing materiality, the IT auditor should consider:
1. The aggregate level of error acceptable to management, the IT auditor, and appropriate regulatory agencies.
2. The potential for the cumulative effect of small errors or weaknesses to become material.

Risk Assessment
A risk is any event or action, generated internally or externally, which prevents an organization from achieving its goals and/or objectives. Risks affect control objectives in the areas of data integrity and accuracy, ability to access the system, timeliness of the information for decision making, and confidentiality/privacy of information, to name a few. Risk assessment allows the auditor to determine the scope of the audit and assess the level of audit risk and error risk (the risk of errors occurring in the area being audited). Additionally, risk assessment will aid in planning decisions such as:
1. The areas or business functions to be audited.
2. The nature, extent, and timing of audit procedures.
3. The amount of time and resources to be allocated to an audit.

Documentation of Risk Assessment
Once the assessed level of risk has been determined, the auditor should document the following in their work papers:
1. A description of the risk assessment technique used.
2. The identification of significant risks.
3. The audit evidence used to support the IS auditor's assessment of risk.

The Audit Plan
The audit plan details the audit objectives and steps the auditor must take to ensure all of the important issues in the audit are covered. The audit plan includes:
1. The auditor's understanding of the client.
2. The risks the audit is going to address.
3. Potential audit risks.
4. Audit procedures to be performed.
5. A basic framework for how the audit resources (budgeted audit hours) are to be allocated throughout the audit.

The objective of the audit plan is to assist the auditor in conducting an effective and efficient audit.

Planning Memo
A planning memo outlines for the auditee the tone and course of action the IT audit manager plans to take. The memo outlines for the auditee the areas within the audit where the auditor is planning to spend most of their time, and it gives the auditee the opportunity to voice any concerns.

Tests of Controls
Tests of controls are audit procedures performed to evaluate the effectiveness of either the design or the operation of an internal control. Tests of controls directed toward the design of the control focus on evaluating whether the control is suitably designed to prevent material weaknesses. Tests of controls directed toward the operation of the control focus on assessing how the control was applied, the consistency with which it was applied, and who applied it. In addition to inquiring with appropriate personnel and observing the application of the control, an IT auditor's main focus when testing the controls is to re-perform the application of the control themselves.

Application Controls
Application controls apply to the processing of individual accounting applications and help ensure the completeness and accuracy of transaction processing, authorization, and validity. Types of application controls include:
1. Data Capture Controls: ensure that all transactions are recorded in the application system, transactions are recorded only once, and rejected transactions are identified, controlled, corrected, and re-entered into the system.
2. Data Validation Controls: ensure that all transactions are properly valued.
3. Processing Controls: ensure the proper processing of transactions.
4. Output Controls: ensure that computer output is not distributed or displayed to unauthorized users.
5. Error Controls: ensure that errors are corrected and resubmitted to the application system at the correct point in processing.

IT Audit Procedures
Audit Sampling
Audit sampling is the application of an audit procedure to less than 100% of the population to enable the IT auditor to evaluate audit evidence within a class of transactions for the purpose of forming a conclusion concerning the population. When designing the size and structure of an audit sample, the IT auditor should consider the audit objectives determined when planning the audit, the nature of the population, and the sampling and selection methods.

Computer Assisted Auditing Techniques (CAATs)
CAATs are used to test application controls as well as to perform substantive tests on sample items. Types of CAATs include:
1. Generalized Audit Software (GAS)
2. Custom Audit Software (CAS)
3. Test Data
4. Parallel Simulation
5. Integrated Test Facility

Evidence
Through the use of CAATs, the auditor will be able to obtain evidence to support their final conclusions developed on the audit. Audit evidence should be sufficient, reliable, relevant, and useful in order for the auditor to form an opinion and to support their findings and conclusions. If the auditor cannot form an opinion based on the audit evidence obtained, the auditor should then obtain additional audit evidence. Finally, when an auditor believes that sufficient audit evidence cannot be obtained, the auditor should disclose this fact as a scope limitation within the audit report.

Procedures used to gather audit evidence vary depending on the information system being audited. The following procedures should be considered:
1. Inquiry and/or Observation
2. Inspection
3. Performance
4. Monitoring
The auditor should select the most appropriate procedure for the audit objective. The audit evidence gathered by the auditor should be documented and organized to support the auditor's findings and conclusions.
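As an added example (not from the report or any of its sources), the following Python sketches the data capture, validation and error controls described under Application Controls and the auditor's re-performance of them with test data, as in the Test Data CAAT: a constructed batch of transactions, each paired with the outcome the auditor expects, is run through the control and every deviation is listed. The validation rules (4-digit account number, positive amount with two decimals, non-empty approver) and the transactions are assumptions made for the example; a deliberately defective copy of the control shows what a failed test of operating effectiveness looks like.

```python
import re
from decimal import Decimal

ACCOUNT_RE = re.compile(r"^\d{4}$")        # assumed rule: 4-digit GL account
AMOUNT_RE = re.compile(r"^\d+\.\d{2}$")    # assumed rule: unsigned, two decimals

# Constructed test data: each transaction is paired with the auditor's expected outcome.
TEST_DATA = [
    ({"id": "T1", "account": "4100", "amount": "250.00", "approved_by": "jdoe"}, "accepted"),
    ({"id": "T1", "account": "4100", "amount": "250.00", "approved_by": "jdoe"}, "duplicate"),
    ({"id": "T2", "account": "41OO", "amount": "12.50", "approved_by": "jdoe"}, "bad_account"),
    ({"id": "T3", "account": "4200", "amount": "-40.00", "approved_by": "jdoe"}, "bad_amount"),
    ({"id": "T4", "account": "4200", "amount": "99.99", "approved_by": ""}, "unauthorized"),
    ({"id": "T5", "account": "4300", "amount": "1e3", "approved_by": "asmith"}, "bad_amount"),
]

def validate(txn, seen):
    """Data capture and validation control: one outcome code per transaction."""
    if txn["id"] in seen:                      # recorded only once
        return "duplicate"
    if not ACCOUNT_RE.match(txn["account"]):
        return "bad_account"
    if not AMOUNT_RE.match(txn["amount"]) or Decimal(txn["amount"]) <= 0:
        return "bad_amount"                    # not properly valued
    if not txn["approved_by"]:
        return "unauthorized"                  # authorization missing
    return "accepted"

def validate_without_dedup(txn, seen):
    """Constructed defective control: the duplicate check is missing."""
    outcome = validate(txn, seen)
    return "accepted" if outcome == "duplicate" else outcome

def run_batch(batch, control=validate, seen=None):
    """The application's processing run. Accepted transactions post to the ledger;
    rejected ones go to a suspense list (error control) for correction and resubmission."""
    seen = set() if seen is None else seen
    ledger, suspense, log = [], [], []
    for txn in batch:
        outcome = control(txn, seen)
        log.append((txn["id"], outcome))
        if outcome == "accepted":
            seen.add(txn["id"])
            ledger.append(txn)
        else:
            suspense.append((txn, outcome))
    return ledger, suspense, log

def resubmit(suspense, corrections, seen, control=validate):
    """Error control: corrected transactions re-enter at the validation step, never
    straight into the ledger. `corrections` maps transaction id to replacement fields."""
    fixed = [{**txn, **corrections.get(txn["id"], {})} for txn, _ in suspense]
    return run_batch(fixed, control, seen)

def reperform(test_data, control=validate):
    """Auditor's test of operating effectiveness: feed the test data through the
    control and list every record whose actual outcome differs from the expected one."""
    _, _, log = run_batch([txn for txn, _ in test_data], control)
    return [(tid, expected, actual)
            for (tid, actual), (_, expected) in zip(log, test_data) if actual != expected]
```

An empty list from `reperform` means the control handled every test case as designed; the defective variant returns the duplicate that slipped through, which is the exception the auditor would record.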

Completing the Audit
Reporting
IS Auditing Standard 070 (Reporting) states, "The IT auditor should provide a report in an appropriate form, upon the completion of the audit." The report should state the scope, objectives, period of coverage, and the nature, timing, and extent of the audit work performed. The report should state the findings, conclusions, and recommendations and any reservations, qualifications or limitations of scope that the IT auditor has with respect to the audit.

Types of Reports
1. Unqualified Audit Report
2. Unqualified Audit Report with Explanation
3. Qualified Report
4. Qualified Report with Disclaimer
5. Qualified Report with an Adverse Opinion

Audit Documentation
Audit documentation is the formal collection of the auditor's notes, documents, flowcharts, correspondence, results of observations, plans and results of tests, the audit plan, minutes of meetings, computerized records, data files or application results.

CONCLUSION
Information systems provide both the means for organizations to transact business and the ability to report the financial results of their operations. Information technology auditing is an integral part of corporate governance. However, information technology auditing is often looked upon as a "necessary evil" or is overlooked entirely by IT management. We argue that IT audit activities can provide additional value beyond the primary objective of assurance, assuming the organization embraces IT governance partnerships between IT management and the audit function. We also analyze factors developed from field study research that suggest IT audits are special projects requiring a quality audit process and sound project management principles. These success factors, if managed properly, can lead to high-quality IT audit products (i.e., engagements) that could conceivably free audit resources for more value-added projects and enterprise oversight. We close with a discussion of future research directions.

