IT Audit Reviewer

The document outlines IT governance, emphasizing its objectives such as strategic alignment and risk management, and introduces the COBIT framework for managing IT governance. It details the role and responsibilities of IT auditors, including evaluating IT controls and detecting fraud, along with necessary skills and certifications. Additionally, it discusses the importance of IT governance in ensuring compliance, reducing risks, and enhancing operational efficiency.

Uploaded by 22100193-student

IT AUDIT REVIEWER

1. IT Governance

Definition:

IT governance is the structure of relationships and processes used to direct and control an
enterprise’s IT functions to achieve business objectives while managing risks and ensuring value
delivery.

Objectives of IT Governance:

1. Strategic Alignment – Ensuring IT aligns with business goals.

2. Value Delivery – Ensuring IT provides promised benefits at optimal costs.

3. Risk Management – Identifying and mitigating IT risks.

4. Resource Management – Ensuring efficient use of IT resources.

5. Performance Management – Using metrics to evaluate IT effectiveness.

2. COBIT Framework

Definition:

COBIT (Control Objectives for Information and Related Technology) is a framework developed by
ISACA to help organizations manage IT governance and control.

COBIT Versions:

• COBIT 1996 – Initial release for IT control objectives.

• COBIT 4.1 (2007) – Expanded governance principles.

• COBIT 5 (2012) – Integrated governance and risk management.

• COBIT 2019 – Introduced a flexible governance system.

COBIT 5 Key Principles:

1. Meeting Stakeholder Needs

2. Covering the Entire Enterprise

3. Applying a Single Integrated Framework

4. Enabling a Holistic Approach

5. Separating Governance from Management

COBIT 5 Domains:

Governance Domain (EDM – Evaluate, Direct, Monitor)

1. Ensure Governance Framework Setting and Maintenance

2. Ensure Benefits Delivery

3. Ensure Risk Optimization

4. Ensure Resource Optimization

5. Ensure Stakeholder Transparency

Management Domains:

1. Align, Plan, and Organize (APO) – IT strategy, architecture, and innovation.

2. Build, Acquire, and Implement (BAI) – IT development and implementation.

3. Deliver, Service, and Support (DSS) – IT service delivery and operations.

4. Monitor, Evaluate, and Assess (MEA) – IT performance and compliance.

3. The Role of an IT Auditor

Responsibilities:

• Evaluate IT Controls – Analyze risks and controls over IT applications.

• Provide Assurance on IT Processes – Assess IT security, compliance, and performance.

• Third-Party Assurance – Evaluate risks and controls in external IT services.

• Penetration Testing – Identify vulnerabilities in IT security.

• Support Financial Audits – Ensure IT systems support accurate financial reporting.

• Investigate IT Fraud – Assist in fraud detection and forensic investigations.

Skills Required:

• Knowledge of IT risks and controls

• Understanding of cybersecurity principles

• Proficiency in IT frameworks (COBIT, NIST, ISO 27001)

• Strong analytical and problem-solving skills

4. IT Audit Certifications

ISACA Certifications:

• Certified Information Systems Auditor (CISA) – Global standard for IT auditors.

• Certified Information Security Manager (CISM) – Focused on IT risk management.

• Certified in Risk and Information Systems Control (CRISC) – Risk and compliance expertise.

• Certified in Governance of Enterprise IT (CGEIT) – Specialized in IT governance.

CISA Exam Domains:

1. The Process of Auditing Information Systems

2. Governance and Management of IT

3. Information Systems Acquisition, Development, and Implementation

4. Information Systems Operations and Business Resilience

5. Protection of Information Assets

5. IT Governance Frameworks

1. COBIT – Aligns IT with business objectives and assesses IT processes.

2. ISO/IEC 27001 – International standard for information security management.

3. NIST SP 800-53 – US federal security control standards.

4. ITIL (Information Technology Infrastructure Library) – Best practices for IT service management.

6. Importance of IT Governance

• Ensures regulatory compliance (e.g., SOX, GDPR, PCI-DSS).

• Reduces IT-related risks and cyber threats.

• Enhances operational efficiency and data security.

• Improves decision-making with accurate IT metrics.

• Aligns IT investments with business priorities.

IT AUDIT REVIEWER: LEGAL AND ETHICAL ISSUES & AUDITOR’S RESPONSIBILITY FOR DETECTING FRAUD

1. Auditor’s Responsibility for Detecting Fraud

Key Guidelines

• Statement on Auditing Standards (SAS) No. 99: Provides guidelines for auditors on fraud detection in financial audits.

• AS 2401: Covers fraud characteristics, skepticism, and responses to fraud risks.

Steps in Fraud Detection (SAS No. 99)

1. Understand fraud – Auditors must recognize fraud types and how they occur.

2. Discuss risks – Audit teams assess areas susceptible to fraud.

3. Obtain information – Gather evidence via records, interviews, and inquiries.

4. Identify, assess, and respond to risks – Adjust audit procedures accordingly.

5. Evaluate results – Determine if misstatements suggest fraud.

6. Document and communicate findings – Report fraud to management.

7. Technology focus – Use digital tools to enhance fraud detection.

2. Fraudulent Financial Reporting

Risk Factors

1. Management’s influence over controls – Tone at the top and leadership ethics.

2. Industry conditions – Economic and regulatory challenges increase risk.

3. Operating characteristics – Complex transactions heighten fraud potential.

3. Misappropriation of Assets

Key Risk Factors

1. Susceptibility of assets – Cash and liquid assets are most vulnerable.

2. Weak controls – Poor access controls increase fraud risk.

4. Common Fraud Schemes

• Management fraud – Manipulating financial reports.

• Employee fraud – Asset theft, data breaches, and embezzlement.

5. Auditor’s Response to Risk Assessment

• Adjust audit procedures based on fraud risk levels.

• Consider withdrawal if fraud risks are unmanageable.

Response to Detected Fraud

• Document findings and communicate them to stakeholders.

• Extend audit scope if fraud risks are high.

• Withdraw engagement if fraud cannot be properly addressed.

6. Documentation Requirements

• Auditors must document fraud risk assessments and responses.

• Maintain detailed records in audit working papers.

End of Reviewer