Date post: 31-Dec-2015

Information Technology (IT) Auditing & Control

Instructor: Dr. Princely Ifinedo Cape Breton University (CBU)

Key Terms

Audit: 1. An official examination of business and financial records to see that they are true and correct. 2. An official examination of the quality or standard of something.

Control: 1. To exercise authoritative or dominating influence over something. 2. To adjust to a requirement; regulate: e.g. controlled trading on the stock market; controls the flow of water. 3. To verify or regulate (a scientific experiment) by conducting a parallel experiment or by comparing with another standard. 4. To verify (an account, for example) by using a duplicate register for comparison.

What is IT Auditing?

Management ensures that organizational controls are in place.

It is the job of the auditor to provide a statement of assurance that reliable and adequate internal controls are in place.

IT auditing is an integral part of the audit function because it supports the auditor’s judgment of the quality of the information processed by computer systems.

What is IT Auditing? (Contd.)

IT auditing has many aspects including:

- Organizational IT audit (management control over IT)
- Technical IT audit (infrastructure, data centers, data communication)
- Application IT audit (business, financial, operational systems)
- Development/Implementation IT audit (specification, requirements, design, development, and implementation of IT systems)

Definition

Information technology (IT) audit is an examination of the management controls within an information technology (IT) infrastructure. The evaluation of the information systems determines whether data assets are being safeguarded and data integrity maintained. The assessment also provides information regarding how the organization's goals or objectives are being met through the use of IS/IT. These reviews are usually performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

What is IT Auditing? (Contd.)

The need for IT auditing

Auditors realized that computers impacted their jobs and functions.

Businesses realized that computer systems have become key resources for competing in the business environment.

Professional associations, government bodies, etc. recognized the need for IT control.

What is IT Auditing? (Contd.)

Early components of IT auditing came from several areas including:

-- Traditional auditing (in accountancy), with its knowledge of internal control practices and control philosophy.

-- IS management, which provides methodologies for systems design and implementation.

-- Behavioral sciences, which provide insights into the nature of man.

-- Computer science, which contributes knowledge about the control concepts, discipline, theory and models that underpin software design.

What is IT Auditing? (Contd.)

Nowadays, IT auditing is a profession with its own standards, ethics, and rules.

In fact, one could acquire a professional certification from notable bodies in the field, the most popular being the Information Systems Audit and Control Association (ISACA) (http://www.isaca.org/) (CISA).

What is IT Auditing? (Contd.)

COBIT

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by ISACA and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

Source: http://en.wikipedia.org/wiki/COBIT

Technology and the Business Environment

Three ways that technology has impacted the business environment are:

It has become an enabler to various production and service processes.

It has impacted the control process.

It has impacted the auditing profession in terms of how audits are performed.

Technology and the Business (Contd.)

Information Technology governance (IT governance) is a subset discipline of Corporate Governance that focuses on IT systems, their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization.

The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745), also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox, is a United States federal law signed into law on July 30, 2002 in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Peregrine Systems and WorldCom. These scandals resulted in a decline of public trust in accounting and reporting practices. Named after sponsors Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH), the Act was approved by the House by a vote of 423-3.

Source: http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act

Knowledge Required to Audit IT Systems

The Top-Ten Reasons for the Start-up of IT Auditing

Top Requirements for an IT Auditor

Must belong to a professional body having appropriate standards of practice (Ch. 2, p33).

Must have independence (Ch. 2, p34).

Must continue to reassess auditing goals (Ch. 2, p36).

Must have high ethical standards (Ch. 2, p36).

Must be able to update his or her skills (Ch. 2, p37).

