ch01_Student_F13.ppt


Chapter One

Introduction to IT Auditing

Motivation

High proliferation of computer systems

Large amounts of digital data

Electronic commerce environments

Virtual companies

Electronic networks, etc.

Information security

Much opportunity for misuse

Need risk assessment and control

IT/IS Audit (Wikipedia)

An examination of the controls within an information technology (IT) infrastructure.

The process of collecting and evaluating evidence of an organization's IS, practices, and operations.

So what do you do in IT Audit? Determine whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

IT Governance

The process for controlling an organization's IT resources, which include information and communication systems, and technology.

Two main objectives:
– use IT to promote an organization's objectives and enable business processes;
– manage and control IT-related risks.

Set objectives:
– maximize benefits;
– use resources responsibly;
– manage risks appropriately.

IT governance framework

COSO and CobiT

COSO: Committee of Sponsoring Organizations
– Objectives: develop comprehensive guidelines for internal control (Internal Control - Integrated Framework); address the growing emphasis on risk management (Enterprise Risk Management - Integrated Framework).

CobiT: Control Objectives for Information and Related Technology
– Developed by the IT Governance Institute, it identifies critical success factors, key goal and performance indicators, and an IT governance maturity model.

COSO: Internal Control Framework

Internal Control - Integrated Framework

Internal control is a process, affected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in:
– effectiveness and efficiency of operations;
– reliability of financial reporting;
– compliance with applicable laws and regulations.

Examples?

Information System Controls

COSO: Enterprise Risk Management Framework

IT Governance

…the process for controlling an organization's IT resources, including information and communication systems, and technology.

…using IT to promote an organization's objectives and enable business processes and to manage and control IT-related risks.

IT Audit's Agenda

Will the organization's computer systems be available for the business at all times when required? (____________________)

Will the information in the systems be disclosed only to authorized users? (____________________)

Will the information provided by the system always be accurate, reliable, and timely? (____________________)

Mitigate these risks by implementing controls.

COSO-CobiT Connection

CobiT carries forward the COSO concepts by providing the domains, processes, and control activities for the IT world that guide an enterprise toward meeting the internal control requirements it deems appropriate for its own environment.

www.isaca.org

More about CobiT later in the course….

CobiT's IT Governance Management Guideline

Identifies critical success factors, key goal and performance indicators, and an IT governance maturity model.

The IT governance framework begins with setting IT objectives and measures, and compares performance against them.

Side Note Practice: Critical Success Factors

Example: McDonalds?

Operationalize them?

Measure them?

IT and Transaction (Tx) Processing

The IS collects transaction data.

The IS turns data into information.

Computerized Tx systems increase some risks and decrease others.

Critical Success Factors

Virginia Tech (Banner System?)

Transaction data?

Information?

Risks of computerization?

COBIT Framework

What do IT auditors do?

Ensure IT governance by assessing risks and monitoring controls over those risks.

Work as either internal or external auditors.

Work on many kinds of audit engagements.

Evaluate controls over applications (e.g., SAP).

Financial vs IT Audits

IT auditors may work on financial audit engagements.

IT auditors may work on every step of the financial audit engagement.

Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements.

IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important (More Jobs!).


IT Audits in the Financial Audit Process

(Diagram: Financial Audits vs. IT Audits)

Technological innovation process audit

Constructs a risk profile for existing and new projects.

Assesses the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product (organization and industry structure).

Innovative comparison audit

An analysis of the innovative abilities of the company being audited, in comparison to its competitors.

Examines the company's research and development facilities.

Examines the company's track record in actually producing new products.

Technological position audit

Reviews the technologies that the business currently has and those that it needs to add.

IT Audit Skills

College education – IS, computer science, accounting

Certifications – CPA, CFE, CIA, CISA, CISSP, and special technical certifications

Technical IT audit skills – specialized technologies

General personal and business skills

Professional Groups and Certifications – Alphabet Soup

ISACA – CISA

IIA – CIA

ACFE – CFE

AICPA – CPA and CITP

How to Structure an IT Audit

AICPA Standards and Guidelines – GAAS, SAS, and SSAE

IFAC Guidelines – harmonized or common international accounting standards and guidelines

ISACA standards, guidelines, and procedures – includes CobiT and audit standards

An Overview of the Book

Section I – an introduction to IT audit, the legal and ethical environment of the IT audit, and an introduction to risks and controls

Section II – risks over specific processes and technologies – deployment of IS, operation of IS, network systems, and e-business systems

Section III – how to do an IT audit – use of CAATTs and a step-by-step IT audit

Appendices – ACL tutorial and IT audit glossary