
IT AUDIT FUNDAMENTALS

CHAPTER 1
OBJECTIVES OVERVIEW
• What is auditing?
• Why audit?
• Who gets audited?
• Who does auditing?
OVERVIEW

• IT is a characteristic common to virtually all
modern organizations, e.g. a hospital.
• Organizations rely on information and the
processes and enabling technology needed to
use and effectively manage information.
• IT is critical for organizational
– Success
– Operating efficiency
– Competitiveness
– Survival
AUDITING DISCIPLINES
• IT Audits
• Financial Audits
• Operational Audits
• Quality Audits
FINANCIAL AUDIT
A financial audit is an independent, objective
evaluation of an organization’s financial reports and
financial reporting processes. The primary purpose
for financial audits is to give regulators, investors,
directors, and managers reasonable assurance that
financial statements are accurate and complete.
OPERATIONAL AUDIT
A review of whether an organization's management and
its operating procedures are functioning effectively and
efficiently in meeting stated objectives.
For example, a business might perform an operational
audit if its senior management has become
convinced that operational improvements can be
made and need to be identified.
QUALITY AUDIT
Periodic, independent, and documented examination
and verification of activities, records, processes, and
other elements of a quality system to determine
their conformity with the requirements of a quality
standard such as ISO 9000. Any failure in proper
implementation may be made public and may lead to
revocation of the quality certification. Also called
conformity assessment or quality system audit.
WHAT IS IT AUDITING?
• An audit is often described as an independent
examination, inspection, or review.
• For example, the International Organization for
Standardization (ISO) guidelines on auditing use the
term audit to mean a “systematic, independent, and
documented process for obtaining audit evidence
and evaluating it objectively to determine the extent
to which the audit criteria are fulfilled”.
WHAT IS IT AUDITING?
• Information Technology Infrastructure Library (ITIL)
glossary defines audit as “formal inspection and
verification to check whether a standard or set of
guidelines is being followed, that records are
accurate, or that efficiency and effectiveness targets
are being met”
CONTROLS
• Controls are a central element of IT management,
defined and referenced through standards, guidance,
methodologies, and frameworks addressing business
processes; service delivery and management;
information systems design, implementation, and
operation; information security, and IT governance.
INTERNAL CONTROL
A process designed, implemented & maintained by
those charged with governance, management, and other personnel
to provide reasonable assurance
about achievement of the entity's objectives with regard to:
– Reliability of financial reporting
– Compliance with laws and regulations
– Effectiveness & efficiency of operations
– Safeguarding of assets
INTERNAL CONTROL
• It is a process “designed to provide reasonable
assurance regarding the achievement of objectives”
including operational effectiveness and efficiency,
reliable reporting, and legal and regulatory
compliance.
• Internal controls are discrete elements applied within
a management process of control in support of an
organizational objective of establishing and
maintaining control.
CATEGORIES OF INTERNAL CONTROLS
• Purpose-based
– Preventive Controls
– Detective Controls
– Corrective Controls
• Function-based
– Administrative Controls
– Technical Controls
– Physical Controls
PURPOSE-BASED
• Preventive Control: Organizations use preventive
controls to try to keep unintended or undesirable
events from occurring.
• Detective Control: Organizations use detective
controls to discover when such things have
happened.
• Corrective Controls: Organizations use corrective
controls to respond or recover after unwanted events
occur.
FUNCTION-BASED
• Administrative Control: This control includes
organizational policies, procedures and plans that specify
what an organization intends to do to safeguard the
integrity of its operations, information and other assets.
E.g. the policies of IoBM Uni to safeguard the dress code,
examination rules, SOPs etc.
• Technical Control: These are the mechanisms, including
technologies, operational procedures, and resources,
implemented and maintained by an organization to
achieve its control objectives.
FUNCTION-BASED
• Physical Control: This control comprises the
provisions an organization has in place to maintain,
keep available, and restrict or monitor access to
facilities, storage areas, equipment, and
information assets.
WHAT TO AUDIT?
• Data centers and other physical facilities
• Network infrastructure
• Telecommunications (Intranet)
• Operating systems
• Databases
• Storage
• Mobile devices
• Virtualized servers and environments
• Outsourced services and operations, e.g. SMARTz
• Web and application servers
• Software and packaged applications
• User and application interfaces
WHAT TO AUDIT
• IT audits can evaluate entire organizations, individual
business units, mission functions and business processes,
services, systems, infrastructure, or technology components.
• Internal IT control elements can be audited in isolation or
together.
• IT audits also address internal control processes and
functions, such as operations and maintenance procedures,
business continuity and disaster recovery, incident response,
network and security monitoring, configuration
management, system development, and project management.
IT AUDIT CHARACTERISTICS
• Proficiency: Proficiency in general principles, procedures,
standards, and expectations cuts across all types of
auditing and is equally applicable to IT auditing
contexts.
• Codes of conduct: Codes of conduct, practice, and
ethical behavior are common across all auditing
domains, emphasizing principles and objectives such as
integrity, objectivity, competency, confidentiality, and
adherence to appropriate standards and guidance.
IT AUDIT CHARACTERISTICS
• Auditor independence: A principle applicable to both
internal audits (performed from within the organization by
an experienced, knowledgeable senior person) and external
audits (where the government requires an outside person),
and to the auditors themselves.
• The auditor is professional and committed to these values
while delivering the assigned audit task.
• E.g. Sialkot football exports were banned in Europe
due to child labour. Leather goods made from endangered
animals are also usually boycotted. Ali Enterprises caught fire.
WHY AUDIT?
• Complying with securities exchange rules that
companies have an internal audit function;
• Evaluating the effectiveness of implemented controls;
• Confirming adherence to internal policies, processes,
and procedures;
• Checking conformity to IT governance or control
frameworks and standards.
• Analyzing vulnerabilities and configuration settings to
support continuous monitoring;
WHY AUDIT?
• Identifying weaknesses and deficiencies as part of
initial or ongoing risk management;
• Measuring performance against quality benchmarks
or service level agreements;
• Verifying and validating systems engineering or IT
project management practices; and
• Self-assessing the organization against standards or
criteria that will be used in anticipated external
audits.
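The reasons listed above (evaluating implemented controls, confirming conformity to a baseline, analyzing configuration settings for continuous monitoring) are what an IT auditor automates when gathering audit evidence. The following is an added example, not from the original slides: a small Python script that parses a constructed sshd_config-style file and tests each setting against a hypothetical audit baseline, tagging each criterion with its purpose-based control type. The baseline values, the `Criterion` and `Finding` names, and the sample configuration are all assumptions made for illustration.

```python
"""Added example: evaluating a configuration file against audit criteria."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration; not taken from any real host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
LogLevel INFO
"""


@dataclass(frozen=True)
class Criterion:
    key: str                  # configuration keyword to check
    allowed: frozenset        # acceptable values, compared case-insensitively
    control_type: str         # "preventive" or "detective" (purpose-based category)
    rationale: str            # why the auditor cares


# Hypothetical audit baseline, assumed for this example only.
BASELINE: Tuple[Criterion, ...] = (
    Criterion("PermitRootLogin", frozenset({"no"}), "preventive",
              "direct root logins remove accountability for privileged actions"),
    Criterion("PasswordAuthentication", frozenset({"no"}), "preventive",
              "key-based authentication resists password guessing"),
    Criterion("MaxAuthTries", frozenset({"1", "2", "3", "4"}), "preventive",
              "limits authentication attempts per connection"),
    Criterion("X11Forwarding", frozenset({"no"}), "preventive",
              "reduces server exposure to client-side display attacks"),
    Criterion("LogLevel", frozenset({"info", "verbose"}), "detective",
              "login events must be recorded so misuse can be discovered"),
    Criterion("ClientAliveInterval", frozenset({"300"}), "preventive",
              "idle sessions should be terminated"),   # absent in sample -> finding
)


@dataclass(frozen=True)
class Finding:
    key: str
    observed: Optional[str]   # None when the keyword is not set at all
    allowed: Tuple[str, ...]
    control_type: str
    passed: bool


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines, skipping blanks and '#' comments.

    sshd honours the FIRST occurrence of a keyword, so later duplicates are
    ignored here too. Keys are lowercased because sshd keywords are
    case-insensitive. Values containing '#' are not supported (comment split).
    """
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if not m:
            continue  # malformed line: no value
        key, value = m.group(1).lower(), m.group(2).strip()
        config.setdefault(key, value)  # first occurrence wins
    return config


def evaluate(config: Dict[str, str], baseline=BASELINE) -> List[Finding]:
    """Compare each criterion against the observed configuration."""
    findings = []
    for c in baseline:
        observed = config.get(c.key.lower())
        allowed_lc = {a.lower() for a in c.allowed}
        passed = observed is not None and observed.lower() in allowed_lc
        findings.append(Finding(c.key, observed, tuple(sorted(c.allowed)),
                                c.control_type, passed))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Audit evidence summary: pass/fail counts per control type."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        bucket = summary.setdefault(f.control_type, {"passed": 0, "failed": 0})
        bucket["passed" if f.passed else "failed"] += 1
    return summary


def audit_text(text: str, baseline=BASELINE) -> List[Finding]:
    return evaluate(parse_config(text), baseline)


if __name__ == "__main__":
    results = audit_text(SAMPLE_CONFIG)
    for f in results:
        status = "PASS" if f.passed else "FAIL"
        print(f"{status} [{f.control_type}] {f.key}: "
              f"observed={f.observed!r} allowed={f.allowed}")
    print(summarize(results))
```

Each `Finding` is a piece of audit evidence: the criterion, the observed value, and whether the criterion is fulfilled, which is exactly what the ISO definition above asks an audit to produce. The first-occurrence rule in `parse_config` matters in practice: a hardened value appended at the end of a file is silently ignored by sshd, and an auditor who parsed last-wins would report a false pass.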
WHO GETS AUDITED?
• Any organization can undergo an internal IT audit,
at its own discretion.
• However, external audits are legally mandated, not
optional. To the extent that organizations seek
certification or other external validation of their
controls or operations, they effectively choose to
subject themselves to external IT audits.
WHO DOES IT AUDITING?
• Organizations need to develop or acquire personnel
with the specialized understanding of control
objectives and experience in IT operations for
internal audits.
• For external auditors, this requirement is equally
true.
TYPES OF ORGANIZATIONS AND INDIVIDUALS THAT PERFORM IT AUDITS

• Internal auditors
• IT auditors working as independent contractors or as
employees of professional service firms that provide
internal or external IT auditing services
• Auditing or accounting firms
• Certification organizations authorized to evaluate
organizational practices and controls and confer
certifications to organizations
TYPES OF ORGANIZATIONS AND INDIVIDUALS THAT PERFORM IT AUDITS

• Organizations with the authority to oversee the
implementation of required controls or enforce
regulations (government agencies)
• Inspectors general, audit executives, or equivalent
officials charged with the authority to provide
independent review of many aspects of the
organizations for which they work
EXTERNAL AUDITORS
• External IT audits are, by definition, performed by
auditors and entities outside the organization subject
to the audits.
• Conducted by a single auditor or a group of auditors.
• The relationship between an organization and its
external auditors is typically established and managed
at entity level.
• Independence is not only required but legally
enforced.
INTERNAL AUDITORS
• Internal auditing goes beyond the premises of
external auditing in terms of technical expertise,
operational knowledge, and level of detail required
to effectively conduct internal audits.
• Since the internal auditors are the employees of the
organization, therefore they possess greater
understanding and knowledge of the IT environment.
INTERNAL AUDITORS
• Internal auditors also possess the knowledge of
mission, business processes and organizational goals
and objectives that provide clear context to the IT
resources deployed.
• If they are given only audit duties and no additional
job responsibilities, their independence can be
maintained.
IT AUDITOR DEVELOPMENT PATHS
• Completion of degree or certificate programs in higher
education institutions.
• On-the-job training or assigned duties that provide exposure to
IT projects and training.
• Employer-provided or self-directed professional training
and skills development.
• Acquired work experience related to risk management, IT
governance, quality management, information assurance,
standards development or adoption, or controls
assessments.
INFORMATION SYSTEM MANAGEMENT AUDIT IN BUSINESS
IT AUDIT PROCESS