
IMPACT OF IT ON INTERNAL AUDITING AND RISK OF FRAUD AND ILLEGAL ACTS
Explain the concerns for internal auditors
around IT auditing.
IT auditing began to develop when it was clear that internal auditors did not
have the technical skills to analyze information stored in computer systems. It
was recognized that it was no longer enough to simply analyze data in and
data out, ignoring what happened to information as it was processed and
stored.
The impacts of auditing in an IT environment are two-fold:
• The concerns for internal auditors: the high degree of reliance organizations
place on the use of IT has raised some specific concerns for auditors.
• The effect of IT on internal auditing: in spite of these concerns, IT also
provides an opportunity to improve controls.
Specifically, an IT environment affects the following areas as they relate
to internal audit:
• skills and competence required of the auditor
• work performed by others for which the auditor is responsible
• planning accounting system and internal control
• audit evidence
An IT environment also has an impact on the following aspects of
internal control:
• organizational structure
• nature of processing
• design and procedural aspects
Discuss how IT auditing has developed in response
to the specialized skills required to audit IT systems.
• Computer programs (such as ACL) have been developed specifically to assist
auditors in extracting information for use in the audit and in performing
data-analysis auditing activities.
• Other computer programs such as application programs, system software, and
other utility programs can also be used by internal auditors to audit IT systems.
• Auditors realized that auditing IT systems required more technical knowledge,
which in turn led to the development of IT auditing. As newer, emerging
technologies are implemented, it is imperative that IT auditors remain current.
• However, as IT systems become an integral component of any enterprise, all
internal auditors must also be computer literate.
Identify the various IT risks and explain
how they affect an organization.
• IT control frameworks support a risk management-based approach to
control. The following are the risk categories identified in the CICA IT
Control Guidelines:
• Inherent risk: the risk that naturally exists in a particular business or
situation.
• Specific risk: the risk resulting from a location or method of operation
of a particular function.
• Technological risk: the risk of using technology to meet enterprise
objectives.
• The fact that IT control frameworks support a risk management-based
approach to control means that where such control frameworks are
used, controls are identified and implemented in proportion to the
risk that must be managed. To manage risk effectively in an IT
environment, both risk analysis and risk assessment must be
performed.
• Auditors must be able to explain the impact of IT risk to managers
who are unaware of such risks.
Discuss the prevalent IT control frameworks governing technology audits:
the IIA’s Global Technology Audit Guide (GTAG) 1, Information
Technology Controls, and ISACA’s Control Objectives for Information and
Related Technology (COBIT).
Control frameworks have been developed to assist with the
comprehensive evaluation of controls in an IT environment, providing
guidelines for both general and application controls:
• GTAG: Global technology audit guides have been developed by the IIA
as a framework for technology audits.
• COBIT: This framework is becoming increasingly recognized as an
authoritative IT governance model designed to help corporate
management to understand and manage the risks associated with
information technology.
Identify the types of general controls used to address risks in an IT
environment, and develop audit procedures to test their operating
effectiveness.
General controls are controls implemented to support overall
computerized information processing activities, and include the
following:
• organization and management controls
• separation of duties
• financial controls
• change management controls
• physical and environmental controls
• application systems acquisition, development, and maintenance controls
• computer operations controls
• system software controls (security)
• program and data access controls (security)
• physical security
• backup and recovery controls
Audit procedures designed to test the operating effectiveness of general
controls can often be performed using systems-oriented computer-assisted
audit techniques and automated continuous monitoring.
Identify the types of application controls (procedures) used to address
risks in an IT environment and develop audit procedures to test their
operating effectiveness.
Application controls are control standards and techniques that are
designed to meet the control objectives for a specific business process.
Types of application control procedures include the following:
• manual control procedures
• programmed controls
The application processing cycle comprises the following steps:
• input
• processing
• output
• management or transaction trails
Limitations to application controls include the following:
• failure to consider controls in relation to business risks, resulting in
ineffective or inefficient control techniques
• over-reliance on application-based control techniques
• errors in application system functions/processing
• failure to provide a management trail for reviewing the processing of
transactions
Testing of application controls can be performed by doing the following:
• inspecting system configurations
• inspecting user acceptance testing
• inspecting or re-performing reconciliations
• re-performing the control activity on system data
• inspecting user access listings
• re-performing the control activity using test data
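The re-performance and inspection steps listed above, like the tests of general controls described earlier, lend themselves to computer-assisted audit techniques run over system extracts rather than over the application's own reports. The following Python script is an added example, not code from the page or from any audit tool it names: it re-performs a segregation-of-duties check over a user access listing (a general control), the programmed approval control over a payments file (an application control), and an output reconciliation. The user names, role names, incompatible-role matrix, approval threshold, transaction records and control total are all constructed assumptions.

```python
"""Re-performing application and general controls over system extracts.

Constructed sample data (not from any real system): a user access listing
and a payments transaction file, as an auditor would export them from an
ERP. Each check recomputes the control result independently of the
application, so the auditor is not relying on the application's own output.
"""
from collections import namedtuple

Transaction = namedtuple("Transaction", "txn_id initiator approver amount")

# Constructed user access listing: user -> set of application roles
ACCESS_LISTING = {
    "alice": {"create_vendor", "enter_invoice"},
    "bob": {"approve_payment"},
    "carol": {"create_vendor", "approve_payment"},              # incompatible pair
    "dave": {"enter_invoice", "approve_payment", "system_admin"},
}

# Constructed SoD matrix: role pairs no single user may hold
INCOMPATIBLE_ROLES = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
    ("system_admin", "approve_payment"),
]

# Constructed payments file; approver "" means the record shows no approval
TRANSACTIONS = [
    Transaction("T001", "alice", "bob", 4_500.00),
    Transaction("T002", "alice", "", 12_000.00),      # over threshold, no approver
    Transaction("T003", "dave", "dave", 25_000.00),   # over threshold, self-approved
    Transaction("T004", "alice", "carol", 9_999.99),  # under threshold
    Transaction("T005", "carol", "bob", 30_000.00),   # properly approved
]

# Constructed policy limit above which a second person must approve
APPROVAL_THRESHOLD = 10_000.00


def sod_conflicts(listing, incompatible):
    """Return (user, role_a, role_b) for every incompatible pair a user holds."""
    found = []
    for user, roles in sorted(listing.items()):
        for a, b in incompatible:
            if a in roles and b in roles:
                found.append((user, a, b))
    return found


def approval_exceptions(transactions, threshold):
    """Re-perform the programmed approval control: every transaction above the
    threshold must carry an approver who is not the initiator."""
    return [
        t.txn_id
        for t in transactions
        if t.amount > threshold and (not t.approver or t.approver == t.initiator)
    ]


def reconcile(transactions, control_total):
    """Re-perform the output reconciliation: recompute the file total and
    compare it with the control total the application reported.
    Returns (recomputed_total, variance)."""
    recomputed = round(sum(t.amount for t in transactions), 2)
    return recomputed, round(recomputed - control_total, 2)


if __name__ == "__main__":
    for user, a, b in sod_conflicts(ACCESS_LISTING, INCOMPATIBLE_ROLES):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    print("Approval exceptions:", approval_exceptions(TRANSACTIONS, APPROVAL_THRESHOLD))
    total, variance = reconcile(TRANSACTIONS, control_total=81_000.00)  # constructed GL figure
    print(f"File total {total:.2f}, variance vs control total {variance:.2f}")
```

Each exception the script lists is a candidate finding to be followed up against the management trail, not a conclusion in itself: a self-approved transaction may have been handled under a documented exception, and an SoD conflict may be mitigated by a compensating review control.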
Outline the types of controls used to address risks in an IT
communications and networking environment.
The internal auditor needs to evaluate the following:
• firewalls, designed to separate one network from another for security
purposes
• intranets, designed to provide customers, suppliers, and staff with
timely information in a secure, private corporate network
• other specific network controls put in place by the organization
Analyze the advantages and risks of an end-user
computing environment and the types of controls used.
• Information processing using end-user computing is outside of the
computer controls traditionally implemented by IT professionals.
Because creating applications is easy for end users, IT departments
have difficulty maintaining control over production and storage of
information. For this reason, accepted control standards are either
absent from end-user applications or inconsistently applied.
• At the same time, there are many benefits to end-user computing,
such as reduced bureaucracy and enhanced innovation.
• Classical methods of control need to be adapted to compensate for
the specific risks of end-user computing.
• Intensity, invasiveness, and cost of controls must be balanced with the
risks associated with each end-user application.
• The challenge for internal auditors is to stay abreast of ongoing
advances, evaluate management’s risk assessment, and provide
advice on controls to minimize identified risks.
The following are areas for consideration by management when
evaluating its risk assessment and control framework for end-user
computing:
• Policy directives and standards
• Support
• Application development
• Documentation
• Segregation of non-compatible duties
• Security
Explain the implications of emerging
technologies for the internal auditing profession.
Emerging technologies are new, and therefore existing control systems may not be
sufficient. Internal auditors are now acting as partners and consultants in business
and IT planning — roles that will continue to grow as new technologies emerge.
• Internal auditors will be challenged to maintain adequate knowledge of
emerging technologies and to propose appropriate security and control
measures to their organizations and clients on a timely basis.
• Internal auditors will require business and technology skills, updated
continuously through training and development.
• They must proactively explore new technologies to achieve auditing efficiencies
through improved communications, sharing of successful practices, greater
collaboration, and a team-based approach to work.
Determine the impact of e-commerce on
internal auditing.
E-commerce can take many forms; the following are the most common:
• EDI transactions (based on standardized transaction formats between trading
partners)
• Web-based transactions (open to the public over the Internet)
The internal auditor needs to evaluate the following areas of e-commerce:
• authentication between the trading parties
• confidentiality
• access controls using firewalls to protect the internal IT systems
• virus scanning and eradication systems
• non-repudiation controls
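Authentication between trading parties and non-repudiation are listed above as separate areas to evaluate, and the distinction matters when the auditor tests what a control actually provides. The following Python script is an added example, not code from the page: it compares a shared-secret MAC, which authenticates a message between two parties that hold the same key, with a digital signature, which only the private-key holder can produce and which therefore supports non-repudiation. To stay within the standard library the signature is a Lamport one-time signature built from SHA-256; that choice, the message text and the key material are assumptions, and in practice a PKI-based signature (RSA or ECDSA under an X.509 certificate) would be used.

```python
"""Authentication versus non-repudiation for an e-commerce message.

Constructed example. A trading partner sends an EDI-style order. Two
controls are compared:
  * an HMAC-SHA256 tag under a shared secret authenticates the message
    between the two parties, but because both hold the key either of them
    could have produced the tag, so it cannot support non-repudiation;
  * a digital signature made with a private key only the sender holds lets
    the receiver, or a third party, attribute the message to that sender.
The signature is a Lamport one-time signature from SHA-256: a stand-in
that shows the property, not a production scheme.
"""
import hashlib
import hmac
import secrets

ORDER = b"ORDER|partner=ACME|sku=1234|qty=10|total=2500.00"  # constructed message
SHARED_KEY = b"constructed-key-known-to-both-trading-parties"


def mac_tag(message, key=SHARED_KEY):
    """Tag the message with the shared secret; either key holder can compute this."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(message, tag, key=SHARED_KEY):
    return hmac.compare_digest(mac_tag(message, key), tag)


def lamport_keygen():
    """Private key: 256 pairs of random 32-byte values; public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub


def _message_bits(message):
    """The 256 bits of SHA-256(message), most significant bit first."""
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(message, priv):
    """Reveal, for each message bit i, the matching half of private pair i.
    A Lamport key must sign once only: revealing further halves would let a
    third party assemble signatures on other messages."""
    return [priv[i][bit] for i, bit in enumerate(_message_bits(message))]


def lamport_verify(message, signature, pub):
    """Hash each revealed value; it must equal the public half chosen by the bit."""
    if len(signature) != 256:
        return False
    return all(
        hashlib.sha256(revealed).digest() == pub[i][bit]
        for i, (revealed, bit) in enumerate(zip(signature, _message_bits(message)))
    )


def audit_properties():
    """Exercise both controls and return the properties an auditor would test."""
    tampered = ORDER.replace(b"qty=10|", b"qty=1000|")
    tag = mac_tag(ORDER)
    priv, pub = lamport_keygen()
    _, other_pub = lamport_keygen()  # a key pair the claimed sender does not hold
    sig = lamport_sign(ORDER, priv)
    return {
        "mac_authenticates": mac_verify(ORDER, tag),
        "mac_detects_tamper": not mac_verify(tampered, tag),
        # The receiver holds SHARED_KEY too, so it can produce a valid tag on
        # any message: a MAC alone cannot prove to a third party who sent it.
        "receiver_can_forge_mac": mac_verify(tampered, mac_tag(tampered)),
        "signature_verifies": lamport_verify(ORDER, sig, pub),
        "signature_detects_tamper": not lamport_verify(tampered, sig, pub),
        # Bound to the sender's registered public key: another key does not verify.
        "signature_bound_to_sender_key": not lamport_verify(ORDER, sig, other_pub),
    }


if __name__ == "__main__":
    for name, holds in audit_properties().items():
        print(f"{name}: {holds}")
```

When reviewing an e-commerce implementation, the question to ask of each "non-repudiation control" is whether the receiver could have produced the evidence itself; if the mechanism is a shared key, the answer is yes, and the control provides authentication only.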
Hackers pose a specific risk for all organizations, especially those
involved in e-commerce. Hackers are individuals who attack computer
installations and should never be underestimated. The internal auditor
should ensure that all controls are in place to safeguard the
organization from this risk.
