The Status of IT Audit Education

1. Sam A. Hicks, PhD Department of Accounting & Information Systems Audit track at VA SCAN Virginia Tech October 6 ,2008 The Status of IT Audit Education

2. What is Information Systems Audit What is an Audit

Auditing:Systematic processof objectively obtaining and evaluatingevidenceregarding assertions about economic actions and events to ascertain thedegree of correspondencebetween those assertions andestablished criteriaandcommunicating the resultsto interested users.

Financial Statement Auditors Established criteria is Generally Accepted Accounting Principles [GAAP]

Financial Statement Auditors Must attest to the amounts on the financial statements, theycannot only attest to the system

An audit compares actual to standard established criteriafor IS Audit is COSO, COBIT, Basel II Accord, ITIL, and several ISO standards.

Sarbanes Oxley requires that management attest to Internal control over the Accounting system and

Auditors audit managements assertions as to Internal Control

Again, standard for Internal Control is COSO, COBIT, Basel II Accord, ITIL, and several ISO standards.

4. IS Audit

A specialized audit focusing on the controls of the information systems of the entity.

Most frequently the IS Auditor is a part of the internal audit team.As such, the IS Auditor is an integral part of the

Design and Development of the system reviews the system analysis and design of the system, the purchase or programming of the system, the installation, and the post-implementation review

5. IS Audit

Security [Availability, Confidentiality and Integrity] of the system access, back-up, separation of duties, training of users, documentation of system

Change management

Control of software

Enhance operations with changes

Do the tasks of the IS Auditor matter?

6. AICPA Top Ten IT Concerns Ranking 2008 2007 2006 2005 2004 1 Information Security Management Information Security Management Information Security . Information Security Information Security 2 IT Governance Identity and Access Management Assurance and Compliance Applications Electronic Document Management Spam Technology 3 Business Continuity Management (BCM) and Disaster Recovery Planning (DRP) Conforming to Assurance and Compliance Standards Disaster and Business Continuity Planning . Data Integration Digital Optimization 7. AICPA Top Ten IT Concerns 4 PrivacyManagement Privacy Management IT Governance . Spam Technology Database and Application Integration 5 Business Process Improvement (BPI), Workflow and Process Exception Alerts Disaster Recovery Planning and Business continuity Management Privacy Management Disaster Recovery Wireless Technologies 6 Identity and Access Management IT Governance Digital Identity and Authentication Technologies Collaboration and Messaging Applications Disaster Recovery 7 Conforming to Assurance and Compliance Standards Securing and Controlling Information Distribution Wireless Technologies Wireless Technologies Data Mining 8. AICPA Top Ten IT Concerns 88 Business Intelligence (BI) Mobile and Remote Computing Application and Data Integration Authentication Technologies Virtual Office 9 Mobile and Remote Computing Electronic Archiving and Data Retention Paperless Digital Technologies Storage Technologies Business Exchange Technology 10 Document, Forms, Content and Knowledge Management Document, Content and Knowledge Management Spyware Detection and Removal Learning and Training Competency Messaging Applications 9. Public Company Accounting Oversight Board's (PCAOB)

Auditors who sign reports tend to be financial statement auditors with little knowledge of systems

PCAOB suggests that financial statement auditors have more IT education

Expressed concern of PCAOB Advisory Group

10. Department of Defense

In May 2006, required about 80,000 professionals in the area of Information Assurance Workforce, to acquired one of 13 professional certifications.Certified Information Systems Auditor [CISA] was one of the 13.

11. Certified Information Systems Auditor[CISA]

Pass the CISA Exam

Have IS Audit experience 5 years

Abide by Code of Ethics

Continuing Professional Education

Follow IS Auditing Standards issued by ISACA

12. CISA Exam

200 multiple choice questions

Topics

The IS Audit Process

IT Governance

Systems Life Cycle

IT Service Delivery and Support [Operations]

Security

BusinessContinuity and Disaster Recovery

13. Salary Info

Premium of 10 to 15% for certification

CISA, CISSP and CISM were among the highest

Certification Magazines 2007 Salary Survey report

CISM came in second at $115,720 -- ISACA reports about 8,000 professional world-wide have CISM

CISA came in fifth at $98,740 ISACA reports about 55,000 professional world-wide have CISA

14. So What

From this kind of information, Demand for IS Auditors is strong.

Most of our students have multiple offers

15. ISACA Student Members

Website reports that over 800 students have student memberships representing 200 schools

Thus only about 4 per school!

16. Students Graduating from ACIS Students graduating 12 months periodending June 30 Goal 2008 2007 2006 2005 2004 Accounting Option90 128 155 132 134 116 Systems Assurance Option[IS Audit] 45 12 11 13 19 20 Systems Development Option 40 5 4 15 13 19 Total Graduates 175 145 170 160 166 155 17. Information Systems Audit and Control Association (ISACA) model curriculum

General Education and General Business

Three parts

Accounting

Systems

Auditing

18. ISACA model curriculum Accounting

Accounting Principles I

Accounting Principles II

Intermediate Accounting I or Management Accounting

Process Control/Internal Control

Accounting Information Systems

19. ISACA model curriculum Information Systems

Introduction to Computers

Computer Programming

Systems Analysis & Design

Data Base Management Systems

Computer-based Communication Networks

Management of Information Systems

20. ISACA model curriculum Auditing

Internal Auditing I

Introduction to Information Systems Auditing/CAATs

Special Topics (e.g., IS Integrity and Confidentiality, Audit Ethics)

21. IS Audit at Virginia Tech Undergraduate

General Education 50 credits

General Business 33 Credits

Accounting 15 Credits

Intermediate6

Cost 3

Accounting Systems and Controls 3

Information Systems 12 Credits

Information Systems Development

Database Management systems

Networks and Telecommunications in Business

Personal Computers in Business

Auditing 9 Credits

Auditing Governance and Professional Ethics

Financial Statement Auditing

Information Systems Audit and Control

Electives 6 Credits

24. What would you Change? 25. Alternative pathsto IS Audit knowledge

Business Information Technology

Computer Science

Computer Engineering

26. Other CERTIFICATIONS

CFE Certified Fraud Examiner

CIA Certified Internal Auditor

CISSP Certification for Information SystemSecurity Professional

CNE Certified Novell Engineer

CPA Certified Public Accountant

CRP Certified Risk Professional

MCSE Microsoft Certified Systems Engineer

CISA Certified Information SystemsAuditor

CITP Certified Information TechnologyProfessional [from AICPA]

27. Additional Cerifications

CCM Certified Cash Manager

CCSA Certification in Control Self Assessment

CCDA Cisco Certified Design Associate

CCNA Cisco Certified Network Administrator

CMA Certified Management Accountant

CFM Certified in Financial Management

SAPTASAPTechnical Auditor

CMC Certified Management Consultant

CFA Certified Financial Analyst

CBCP Certified Business Continuity Professional

CIDA Certified Investments & Derivatives

28. Why a certificate?

Connected to a professional group

Documents some level of knowledge

Recognition to you

Parting Words

29. Advice From CIOs

Getun comfortable

Be willing to admit to errors that you make take responsibility

Go with your gut listen, learn, then go with your instinct

Get dirty be willing to try

Love it or Leave it Life is too short to do what you do not love to do, move on and try something different

CIO January 29, 2008

The Status of IT Audit Education

Documents

Transcript of The Status of IT Audit Education