
Presentation 1 - Introduction

The document discusses auditing information systems and the process of IT auditing, including the structure of an IT audit with phases like audit planning, testing of controls, and substantive testing. It also covers topics like the differences between internal and external audits, the roles and responsibilities of IT auditors, and how computers can impact internal controls and the auditing process.

Uploaded by

nabila ra

Auditing

• The process of obtaining and evaluating evidence regarding assertions about
economic actions and events in order to determine how well they correspond
with established criteria
Types of Audit
Information System Auditing

1. Procedures to be followed by the Auditor
2. Consideration of inherent risk and control risk
3. Design and performance of tests of controls and substantive tests
Limitation of Manual Auditing

Manual auditing will be difficult if:

1. The input document is entered on-line, so there is no physical evidence
available
2. The system cannot generate a visible audit trail for computer-processed
transactions
3. Output reports cannot be produced by the system
Structure of IT Audit

Audit Planning
1. Start
2. Review of Organization’s Policies, Practices, and Structure
3. Review General Control and Application Control
4. Plan Tests of Control and Substantive Testing Procedures

Test of Controls
1. Perform Tests of Control
2. Evaluate Test Results
3. Determine Degree of Reliance on Controls

Substantive Testing
1. Perform Substantive Tests
2. Evaluate Results and Issue Auditor’s Report
3. Audit Report
IT Governance General Controls

• The concept is relatively new
• Ensuring that effective IT management and security principles, policies and
processes with appropriate compliance measurement tools are in place
• Requires an active audit committee
IT General and Application Controls Hierarchy

[Figure: layered hierarchy with the side labels Governance, Management and Technical]

• Policies
• Standards
• Management and Organization
• Physical and Environmental Controls
• Systems Software Controls
• Systems Development Controls
• Application-based controls


IT/IS Audit

• The process of collecting and evaluating evidence to determine whether a
computer system safeguards assets, maintains data integrity, achieves
organisational goals effectively and consumes resources efficiently. [1]

[1] Ron Weber
Objectives of IT/IS Audit

• Improved Data Integrity
• Safeguarding of Assets
• Improved System Effectiveness
• Improved System Efficiency

Source: Ron Weber


Elements of IT/IS Audit

1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity
Internal vs External

• Audit function can be performed internally or externally
• Internal audit is an independent appraisal of operations, conducted under
the direction of management, to assess the effectiveness of internal
administrative and accounting controls and help ensure conformance with
managerial policies
• External Audit is an audit conducted by an individual of a firm that is
independent of the company being audited
Internal Audit Reporting Structure

[Figure: organization chart, top to bottom]

• CEO
• Board Audit Committee
• Head of Audit Dept
• Head of IT Audit; Head of Non-IT Audit
• IT Audit Team Members; Non-IT Audit Team Members
Roles of IT Audit Team

[Figure: auditor roles mapped against the layers they review]

Roles: Financial Auditor; Information Systems Auditor (Support for Financial
Auditors); IT Auditor

Layers:
• Application
• Database
• Middleware
• Operating System
• Network Intra
• Physical Facility
• Entity-Level Controls

Source: Chris Davis et al


Financial vs IT Audits

• Financial audit
– Official examination of accounts to see that they are in order
• IT audit
– “a review of the controls within an entity's technology
infrastructure” – Wikipedia (www.wikipedia.org)
– Official examination of IT related processes to see that they
are in order
• Problems
– Financial Audit – GAAP
– IT Audit - ??
Financial vs IT Audits

• IT auditors may work on financial audit engagements
• IT auditors may work on every step of the financial audit engagement
• Standards, such as SAS No. 94, guide the work of IT auditors on financial
audit engagements
• IT audit work on financial audit engagements is likely to increase as
internal control evaluation becomes more important
Roles and Responsibilities

• Ensures IT governance by assessing risks and monitoring controls over those
risks
• Works as either internal or external auditor
• Works on many kinds of audit engagements
• Reviews and assesses enterprise management controls
• Reviews and performs tests of enterprise internal controls
• Reports to management
Job Tasks and Responsibilities

• Designs technology-based audit approaches; analyzes and evaluates
enterprise IT processes
• Works independently or in a team to review enterprise IT controls
• Examines the effectiveness of the information security policies and
procedures
• Develops and presents training workshops for audit staff
Knowledge, Skills, Abilities

• Knowledge of auditing, IS and network security
• Investigation and process flow analysis skills
• Interpersonal/human relation skills
• Verbal and written communications skills
• Ability to exercise good judgment
• Ability to maintain confidentiality
• Ability to use IT desktop office tools, vulnerability analysis tools, and
other IT tools
Minimum Qualifications

• Bachelor’s degree in Computer Science, computer programming or accounting
• Certified Information Systems Auditor (CISA) credentials or candidate
• Certified Internal Auditor credential preferred
Develop an understanding and perform
preliminary audit work

Develop audit plan

Evaluate the internal control system

Determine degree of reliance on internal controls

Perform substantive testing

Review work and issue audit report

Conduct follow-up work


Professional Groups and
Certifications – Alphabet Soup

• ISACA – CISA
– The largest professional organization of IT
auditors
• IIA – CIA
• ACFE – CFE
• AICPA – CPA and CITP
Effects of computers on Internal Controls

• Separation of duties
• Delegation of authority and responsibility
• Competent and trustworthy personnel
• System of authorizations
• Adequate documents and records
• Physical control over assets and records
• Adequate management supervision
• Independent check on performance
• Comparing recorded accountability with assets
Effects of computers on auditing

• Changes to evidence collection
• Changes to evidence evaluation
Effective IT Audit
• Early involvement
• Informal audits
• Knowledge sharing
• Self-assessments
