FRAUD AND ILLEGAL ACTS

Explain the concerns for internal auditors around IT auditing.

IT auditing began to develop when it became clear that internal auditors did not have the technical skills to analyze information stored in computer systems. It was recognized that it was no longer enough to simply analyze data in and data out, ignoring what happened to information as it was processed and stored. The impacts of auditing in an IT environment are two-fold:
• The concerns for internal auditors: the high degree of reliance organizations place on the use of IT has raised some specific concerns for auditors.
• The effect of IT on internal auditing: in spite of these concerns, IT also provides an opportunity to improve controls.

Specifically, an IT environment affects the following areas as they relate to internal audit:
• skills and competence required of the auditor
• work performed by others for which the auditor is responsible
• planning, accounting system and internal control
• audit evidence

An IT environment also has an impact on the following aspects of internal control:
• organizational structure
• nature of processing
• design and procedural aspects

Discuss how IT auditing has developed in response to the specialized skills required to audit IT systems.

• Computer programs (such as ACL) have been developed specifically to assist auditors to extract information to be used in the audit and to perform data analysis auditing activities.
• Other computer programs, such as application programs, system software, and other utility programs, can also be used by internal auditors to audit IT systems.
• Auditors realized that auditing IT systems required more technical knowledge, which in turn led to the development of IT auditing.
As newer, emerging technologies are implemented, it is imperative that IT auditors remain current.
• However, as IT systems become an integral component of any enterprise, all internal auditors must also be computer literate.

Identify the various IT risks and explain how they affect an organization.

• IT control frameworks support a risk management-based approach to control. The following are the risk categories identified in the CICA IT Control Guidelines:
  • Inherent risk: the risk that naturally exists in a particular business or situation.
  • Specific risk: the risk resulting from the location or method of operation of a particular function.
  • Technological risk: the risk of using technology to meet enterprise objectives.
• The fact that IT control frameworks support a risk management-based approach to control means that where such control frameworks are used, controls are identified and implemented in proportion to the risk that must be managed. To manage risk effectively in an IT environment, both risk analysis and risk assessment must be performed.
• Auditors must be able to explain the impact of IT risk to managers who are unaware of such risks.

Discuss the prevalent IT control frameworks governing technology audits: the IIA's Global Technology Audit Guide (GTAG) 1, Information Technology Controls, and ISACA's Control Objectives for Information and Related Technology (COBIT).

Control frameworks have been developed to assist with the comprehensive evaluation of controls in an IT environment, providing guidelines for both general and application controls:
• GTAG: Global technology audit guides have been developed by the IIA as a framework for technology audits.
• COBIT: This framework is becoming increasingly recognized as an authoritative IT governance model designed to help corporate management understand and manage the risks associated with information technology.
Identify the types of general controls used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness.

General controls are controls implemented to support overall computerized information processing activities, and include the following:
• organization and management controls
• separation of duties
• financial controls
• change management controls
• physical and environmental controls
• application systems acquisition, development, and maintenance controls
• computer operations controls
• system software controls (security)
• program and data access controls (security)
• physical security
• backup and recovery controls

Audit procedures designed to test the operating effectiveness of general controls can often be performed using systems-oriented computer-assisted audit techniques and automated continuous monitoring.

Identify the types of application controls (procedures) used to address risks in an IT environment and develop audit procedures to test their operating effectiveness.

Application controls are control standards and techniques that are designed to meet the control objectives for a specific business process. Types of application control procedures include the following:
• manual control procedures
• programmed controls

The application processing cycle comprises the following steps:
• input
• processing
• output
• management or transaction trails
Limitations to application controls include the following:
• failure to consider controls in relation to business risks, resulting in ineffective or inefficient control techniques
• over-reliance on application-based control techniques
• errors in application system functions/processing
• failure to provide a management trail for reviewing the processing of transactions

Testing of application controls can be performed by doing the following:
• inspecting system configurations
• inspecting user acceptance testing
• inspecting or re-performing reconciliations
• re-performing the control activity on system data
• inspecting user access listings
• re-performing the control activity using test data

Outline the types of controls used to address risks in an IT communications and networking environment.

The internal auditor needs to evaluate the following:
• firewalls, designed to separate one network from another for security purposes
• intranets, designed to provide customers, suppliers, and staff with timely information in a secure, private corporate network
• other specific network controls put in place by the organization

Analyze the advantages and risks of an end-user computing environment and the types of controls used.

• Information processing using end-user computing is outside of the computer controls traditionally implemented by IT professionals. Because creating applications is easy for end users, IT departments have difficulty maintaining control over the production and storage of information. For this reason, accepted control standards are either absent from end-user applications or inconsistently applied.
• At the same time, there are many benefits to end-user computing, such as reduced bureaucracy and enhanced innovation.
• Classical methods of control need to be adapted to compensate for the specific risks of end-user computing.
• Intensity, invasiveness, and cost of controls must be balanced with the risks associated with each end-user application.
• The challenge for internal auditors is to stay abreast of ongoing advances, evaluate management's risk assessment, and provide advice on controls to minimize identified risks.

The following are areas for consideration by management when evaluating its risk assessment and control framework for end-user computing:
• Policy directives and standards
• Support
• Application development
• Documentation
• Segregation of non-compatible duties
• Security

Explain the implications of emerging technologies for the internal auditing profession.

Emerging technologies are new, and therefore existing control systems may not be sufficient. Internal auditors are now acting as partners and consultants in business and IT planning — roles that will continue to grow as new technologies emerge.
• Internal auditors will be challenged to maintain adequate knowledge of emerging technologies and to propose appropriate security and control measures to their organizations and clients on a timely basis.
• Internal auditors will require business and technology skills, updated continuously through training and development.
• They must proactively explore new technologies to achieve auditing efficiencies through improved communications, sharing of successful practices, greater collaboration, and a team-based approach to work.

Determine the impact of e-commerce on internal auditing.
E-commerce can take many forms; the following are the most common:
• EDI transactions (based on standardized transaction formats between trading partners)
• Web-based transactions (open to the public over the Internet)

The internal auditor needs to evaluate the following areas of e-commerce:
• authentication between the trading parties
• confidentiality
• access controls using firewalls to protect the internal IT systems
• virus scanning and eradication systems
• non-repudiation controls

Hackers pose a specific risk for all organizations, especially those involved in e-commerce. Hackers are individuals who attack computer installations and should never be underestimated. The internal auditor should ensure that all controls are in place to safeguard the organization from this risk.