IT Control and Audit - Chapter 01
Information Technology Environment and IT Audit
LEARNING OBJECTIVES
1. Discuss how technology is constantly evolving and shaping today’s business (IT) environments.
2. Discuss the auditing profession and define financial auditing.
3. Differentiate between the two types of audit functions that exist today (internal and external).
4. Explain what IT auditing is and summarize its two broad groupings.
5. Describe current IT auditing trends, and identify the needs to have an IT audit.
6. Explain the various roles of the IT auditor.
7. Support why IT audit is considered a profession.
8. Describe the profile of an IT auditor in terms of experience and skills required.
9. Discuss career opportunities available to IT auditors.
Organizations today are more information dependent and conscious of the pervasive nature of technology across the business enterprise. The increased connectivity and availability of systems and open environments have proven to be the lifelines of most business entities. Information technology (IT) is now used more extensively in all areas of commerce around the world.
IT Environment
The need for improved control over IT, especially in commerce, has been advanced over the years in earlier and continuing studies by many national and international organizations. Essentially, technology has impacted various significant areas of the business environment, including the use and processing of information, the control process, and the auditing profession.
◾◾ Technology has improved the ability to capture, store, analyze, and process tremendous amounts of data and information, expanding the empowerment of the business decision maker. It has also become a primary enabler to production and service processes. There is a residual effect in that the increased use of technology has resulted in increased budgets, increased successes and failures, and better awareness of the need for control.
◾◾ Technology has significantly impacted the control process around systems. Although control objectives have generally remained constant, except for some that are technology specific, technology has altered the way in which systems should be controlled. Safeguarding assets, as a control objective, remains the same whether it is done manually or is automated. However, the manner by which the control objective is met is certainly impacted.
◾◾ Technology has impacted the auditing profession in terms of how audits are performed (information capture and analysis, control concerns) and the knowledge required to draw conclusions regarding operational or system effectiveness, efficiency, and reporting integrity. Initially, the impact was focused on dealing with a changed processing environment. As the need for auditors with specialized technology skills grew, so did the IT auditing profession.
Technology is constantly evolving and finding ways to shape today’s IT environment in the organization. The following sections briefly describe various recent technologies that have and will certainly continue to revolutionize organizations, how business is done, and the dynamics of the workplace.
◾◾ Have standard methods in place for automating processes (i.e., information in the HR system can be used by payroll, help desk, and so on).
◾◾ Share real-time information from modules (finance, HR, etc.) residing in one common database, hence, financial statements, analyses, and reports are generated faster and more frequently.
Some of the primary ERP suppliers today include SAP, FIS Global, Oracle, Fiserv, Intuit, Inc., Cerner Corporation, Microsoft, Ericsson, Infor, and McKesson.
Despite the many advantages of ERPs, they are not much different than purchased or packaged systems, and may therefore require extensive modifications to new or existing business processes. ERP modifications (i.e., software releases) require considerable programming to retrofit all of the organization-specific code. Because packaged systems are generic by nature, organizations may need to modify their business operations to match the vendor’s method of processing, for instance. Changes in business operations may not fit well into the organization’s culture or other processes, and may also be costly due to training. Additionally, as ERPs are offered by a single vendor, risks associated with having a single supplier apply (e.g., depending on a single supplier for maintenance and support, specific hardware or software requirements, etc.).
[Exhibit (diagram): enterprise resource planning built on a common database, linking financial resource management, human resource management, supply chain management, manufacturing resource planning, and customer relationship management.]
Cloud Computing
Cloud computing continues to have an increasing impact on the IT environment. According to ISACA (formerly known as the Information Systems Audit and Control Association), cloud computing has grown so rapidly that it should no longer be considered an emerging technology. Cloud computing has shaped business across the globe, with some organizations utilizing it to perform business critical processes. Based on ISACA’s July 2015 Innovation Insights report, cloud computing is considered one of the key trends driving business strategy. The International Data Corporation, in its 2015 publication, also predicts that cloud computing will grow at 19.4% annually over the next 5 years. Moreover, Deloitte’s 2016 Perspectives Cloud Computing report indicates that for private companies, cloud computing will continue to be a dominant factor.
Cloud computing, as defined by PC Magazine, refers to the use of the Internet (versus one’s computer’s hard drive) to store and access data and programs. In a more formal way, the National Institute of Standards and Technology (NIST) defines cloud computing as a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” NIST also stresses that availability is significantly promoted by this particular (cloud) model.
The highly flexible services that can be managed in the virtual environment make cloud computing very attractive for business organizations. Nonetheless, organizations do not yet feel fully comfortable when storing their information and applications on systems residing outside of their on-site premises. Migrating information into a shared infrastructure (such as a cloud environment) exposes organizations’ sensitive/critical information to risks of potential unauthorized access and exposure, among others. Deloitte, one of the major global accounting and auditing firms, also supports the significance of security and privacy above, and added, based on its report, that cloud-stored information related to patient data, banking details, and personnel records, to name a few, is vulnerable and susceptible to misuse if it falls into the wrong hands.
◾◾ integrate well within the organization and are implemented to comply with organization policies and procedures
◾◾ protect corporate information (e.g., emails, corporate documents, etc.) and configuration settings for all mobile devices within the organization
Mobile devices are also used by employees for personal reasons. That is, employees bring their own mobile (personal) device to the organization (also referred to as bring-your-own-device or BYOD) to perform their work. Allowing employees to use organization-provided mobile devices for work and personal reasons has proved to appeal to the average employee. Nevertheless, organizations should monitor and control the tasks performed by employees when using mobile devices, and ensure employees remain focused and productive. It does represent a risk to the organization’s security and a distraction to employees when mobile devices are used for personal and work purposes. Additionally, allowing direct access to corporate information always represents an ongoing risk, as well as raises security and compliance concerns to the organization.
techniques and technologies to enable the capture, storage, distribution, management, and analysis of the information.” Gartner, Inc. further defines it as “… high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation.”
Even though accurate Big Data may lead to a more confident decision-making process, and better decisions often result in greater operational efficiency, cost reduction, and reduced risk, many challenges currently exist and must be addressed.
Challenges of Big Data include, for instance, analysis, capture, data curation, search, sharing, storage, transfer, visualization, querying, as well as updating. Ernst & Young, in its EY Center for Board Matters’ September 2015 publication, states that challenges for auditors include the limited access to audit relevant data, the scarcity of available and qualified personnel to process and analyze such particular data, and the timely integration of analytics into the audit. The IoT also delivers fast-moving data from sensors and devices around the world, and therefore results in similar challenges for many organizations when making sense of all that data.
Other recent technologies listed on Gartner’s 2015 Hype Cycle for Emerging Technologies Report that are currently impacting IT environments include wearables (e.g., smartwatches, etc.), autonomous vehicles, cryptocurrencies, consumer 3D printing, and speech-to-speech translation, among others.
Corporation of America (EFCA) surfaced, that the auditing profession looked seriously at the lack of controls in computer information systems (IS). In 2002, almost 30 years later, another major fraud resulted from corporate and accounting scandals (Enron and WorldCom), which brought skepticism and downfall to the financial markets. This time, neither the major accounting firms nor the security- and exchange-regulated businesses in major exchanges were able to avoid the public outrage, lack of investor confidence, and increased government regulation that befell the U.S. economy. Again, in 2008, the U.S. economy suffered as mortgage banking and mortgage investment companies (such as Countrywide, IndyMac, etc.) defaulted from unsound lending strategies and poor risk management.
When EFCA declared bankruptcy in 1973, the minimum direct impact and losses from illegal activity were reported to be as much as $200 million. Further estimates from this major financial fraud escalated to as much as $2 billion, with indirect costs such as legal fees and depreciation included. These losses were the result of a “computer-assisted fraud” in which a corporation falsified the records of its life insurance subsidiary to indicate the issuance of new policies. In addition to the insurance policies, other assets, such as receivables and marketable securities, were recorded falsely. These fictitious assets should have been revealed as non-existent during the corporation’s regular year-end audits but were never discovered. As the computer was used to manipulate files as a means of covering the fraud, the accounting profession realized that conventional, manual techniques might not be adequate for audit engagements involving computer applications.
In 1973, the AICPA (major national professional organization of certified public accountants), in response to the events at EFCA, appointed a special committee to study whether the auditing standards of the day were adequate in such situations. The committee was requested to evaluate specific procedures to be used and the general standards to be approved. In 1975, the committee issued its findings. Even though the special committee found that auditing standards were adequate, and that no major changes were called for in the procedures used by auditors, there were several observations and recommendations issued related to the use of computer programs designed to assist the examination of financial statements. Another critical review of the existing auditing standards was started in 1974, when the AICPA created its first standards covering this area. Then, 29 years later, the Enron–Arthur Andersen fiasco of 2002 took us back to 1973.
The issue of “due professional care” has come to the forefront of the audit community as a result of major U.S. financial scandals and poor management, including but not limited to, Waste Management (1998), Enron (2001), WorldCom (2002), American Insurance Group (2005), Lehman Brothers (2008), Bernard L. Madoff Securities LLC (2008), MF Global (2011), Anthem Inc. (2015), Wells Fargo (2016), and others. The EFCA scandal of 1973 led to the development of strong state and federal regulation of the insurance industries and corporate creative accounting in the aerospace industry, which provided support for the Foreign Corrupt Practices Act (FCPA) of 1977. Perhaps today, the Sarbanes–Oxley Act of 2002 (SOX) will be a vivid reminder of the importance of due professional care. SOX is a major reform package, mandating the most far-reaching changes Congress has imposed on the business world since the FCPA of 1977 and the Securities and Exchange Commission (SEC) Act of 1934. Examples of some of these significant changes include the creation of a Public Company Accounting Oversight Board,* as well as the increase of criminal penalties for violations of securities laws. SOX will be discussed in more detail in the next chapter.
* The PCAOB is a not-for-profit corporation instituted by Congress to oversee the audits of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports. http://pcaobus.org/Pages/default.aspx.
Financial Auditing
Financial auditing encompasses all activities and responsibilities concerned with the rendering of an opinion on the fairness of financial statements. The basic rules governing audit opinions indicate clearly that the scope of an audit covers all equipment and procedures used in processing significant data.
Financial auditing, as carried out today by the independent auditor, was spurred by legislation in 1933 and 1934 that created the SEC. This legislation mandated that companies whose securities were sold publicly be audited annually by a Certified Public Accountant (CPA). CPAs, then, were charged with attesting to the fairness of financial statements issued by companies that reported to the SEC. The AICPA issued in 1993 a document called “Reporting on an Entity’s Internal Control Structure over Financial Reporting (Statement on Standards for Attestation Engagements 2)” to further define the importance of internal control in the attestation engagement.
Within the CPA profession in the United States, two groups of principles and standards have been developed that affect the preparation of financial statements by publicly held companies and the procedures for their audit examination by CPA firms: Generally Accepted Accounting Principles (GAAP) and Generally Accepted Auditing Standards (GAAS).
GAAP establishes consistent guidelines for financial reporting by corporate managers. As part of the reporting requirement, standards are also established for the maintenance of financial records on which periodic statements are based. An auditor, rendering an opinion indicating that financial statements are stated fairly, stipulates that the financial statements conform to GAAP. These accounting principles have been formulated and revised periodically by private-sector organizations established for this purpose. The present governing body is the Financial Accounting Standards Board (FASB). Implementation of GAAP is the responsibility of the management of the reporting entity.
GAAS, the second group of standards, was adopted in 1949 by the AICPA for audits. These audit standards cover three categories:
◾◾ General Standards relate to professional and technical competence, independence, and due professional care.
◾◾ Standards of Fieldwork encompass planning, evaluation of internal control, sufficiency of evidential matter, or documentary evidence upon which findings are based.
◾◾ Standards of Reporting stipulate compliance with all accepted auditing standards, consistency with the preceding account period, adequacy of disclosure, and, in the event that an opinion cannot be reached, the requirement to state the assertion explicitly.
GAAS provide broad guidelines, but not specific guidance. The profession has supplemented the standards by issuing statements of authoritative pronouncements on auditing. The most comprehensive of these is the SAS series. SAS publications provide procedural guidance relating to many aspects of auditing. In 1985, the AICPA released a codification of the SAS No. 1–49. Today, the number of statements exceeds 120.
A third group of standards, called the International Financial Reporting Standards (IFRS), has been recently created by the International Accounting Standards Board (IASB)* to respond to the increasing global business environment and address the need to compare financial statements prepared in different countries. The AICPA defines IFRS as the “set of accounting standards developed by the IASB that is becoming the global standard for the preparation of public company financial statements.” While many of the global organizations have already migrated to IFRS, the United States has yet to do so. Due to the size of the United States and its significant presence globally, however, U.S. GAAP still has significant global impact. This results in the two major accounting standard-setting efforts in the world: U.S. GAAP and IFRS. Nevertheless, all major nations have now established time lines to converge with or to adopt IFRS standards in the near future.
* The purpose of the IASB is to develop a single set of high-quality, understandable, enforceable, and globally accepted financial reporting standards based upon clearly articulated principles.
from around the world, both private and government, to share experiences and discuss new audit methods and techniques.
What Is IT Auditing?
Before defining what IT auditing is, let us explain the difference between IS and IT. An IS, represented by three components (i.e., people, process, and IT), is the combination of strategic, managerial, and operational activities involved in managing information. The IT component of an IS involves the hardware, software, communication, and other facilities necessary to manage (i.e., input, store, process, transmit, and output) such information. Refer to Exhibit 1.2.
The term audit, according to ISACA, refers to the formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. In combining both definitions above, IT auditing can be defined as the formal, independent, and objective examination of an organization’s IT infrastructure to determine whether the activities (e.g., procedures, controls, etc.) involved in gathering, processing, storing, distributing, and using information comply with guidelines, safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization’s objectives. IT auditing provides reasonable assurance (never absolute) that the information generated by applications within the organization is accurate, complete, and supports effective decision making consistent with the nature and scope of the engagement previously agreed.
IT auditing is needed to evaluate the adequacy of application systems to meet processing needs, evaluate the adequacy of internal controls, and ensure that assets controlled by those systems are adequately safeguarded. As for the IT auditors of today, their advanced knowledge and skills will progress in two ways. One direction is continued growth and skill in this profession, leading the way in computer audit research and development and progressing up the external and internal audit career paths. The other direction involves capitalizing on a thorough knowledge of organizational systems and moving into more responsible career areas in general management. Today, even in these economic times, the demand for qualified IT auditors exceeds the supply. IT governance has created vast opportunities for the IT auditor.
[Exhibit 1.2 (diagram): an information system composed of people, processes, and information technology, where information technology integrates hardware, software, communication, and other facilities.]
Learning new ways of auditing is always a priority of internal and external IT auditors. Most auditors want tools or audit methodologies that will aid them in accomplishing their task faster and easier. Almost every large organization or company has some sort of IT audit function or shop that involves an internal audit department. Today, the “Big Four” firms have designated special groups that specialize in the IT audit field. They all have staff that perform these external IT audits. Most of these IT auditors assist the financial auditors in establishing the correctness of financial statements for the companies they audit. Others focus on special projects such as Internet security dealing with penetration studies, firewall evaluations, bridges, routers, and gateway configurations, among others.
There are two broad groupings of IT audits, both of which are essential to ensure the continued proper operation of IS. These are as follows:
commonly include controls over (1) IS operations; (2) information security (ISec); and (3) change control management (CCM) (i.e., system software acquisition, change and maintenance, program change, and application system acquisition, development, and maintenance). Examples of general controls within IS operations address activities such as data backups and offsite storage, job monitoring and tracking of exceptions to completion, and access to the job scheduler, among others. Examples of general controls within ISec address activities such as access requests and user account administration, access terminations, and physical security. Examples of general controls within CCM may include change request approvals; application and database upgrades; and network infrastructure monitoring, security, and change management.
◾◾ Application Controls Audit. It examines processing controls specific to the application. Application controls may also be referred to as “automated controls.” They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted, and reported. Examples of application controls include checking the mathematical accuracy of records, validating data input, and performing numerical sequence checks, among others. Application controls are likely to be effective when general controls are effective.
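The application controls just listed (mathematical accuracy of records, input validation, numerical sequence checks) plus a batch control total, run over a constructed batch of invoice records so that each control reports an exception an auditor could follow up. This is an added illustration, not code from the textbook; the record layout, field names, customer-id format, period end and control rules are assumptions made for the example.

```python
"""Automated application controls over a constructed batch of sales invoices.
Added example; record layout, field names and control rules are assumed."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
import re


@dataclass(frozen=True)
class Invoice:
    number: int          # document number, expected sequential within the batch
    customer: str        # customer id; assumed format CUST-9999
    quantity: int
    unit_price: Decimal
    total: Decimal       # extended amount, must equal quantity * unit_price
    approved_by: str     # empty string means no authorization recorded
    posted: date


CUSTOMER_ID = re.compile(r"^CUST-\d{4}$")
PERIOD_END = date(2016, 12, 31)            # assumed accounting period end
EXPECTED_COUNT = 6                          # record count from the batch header
EXPECTED_TOTAL = Decimal("215.00")          # control total from the batch header


def input_validation(inv):
    """Validity and authorization checks on one record (input controls)."""
    findings = []
    if not CUSTOMER_ID.match(inv.customer):
        findings.append((inv.number, "invalid customer id"))
    if inv.quantity <= 0:
        findings.append((inv.number, "non-positive quantity"))
    if inv.unit_price <= 0:
        findings.append((inv.number, "non-positive unit price"))
    if not inv.approved_by.strip():
        findings.append((inv.number, "missing approval"))
    if inv.posted > PERIOD_END:
        findings.append((inv.number, "posted after period end"))
    return findings


def arithmetic_check(inv):
    """Mathematical accuracy: the stored total must equal quantity x unit price."""
    expected = inv.quantity * inv.unit_price
    if inv.total != expected:
        return [(inv.number, f"total {inv.total} != {expected}")]
    return []


def sequence_check(invoices):
    """Numerical sequence check: duplicates point to double processing,
    gaps to lost or deleted documents (completeness)."""
    numbers = sorted(i.number for i in invoices)
    findings, seen = [], set()
    for n in numbers:
        if n in seen:
            findings.append((n, "duplicate document number"))
        seen.add(n)
    for n in range(numbers[0], numbers[-1] + 1):
        if n not in seen:
            findings.append((n, "gap in sequence"))
    return findings


def batch_control(invoices, expected_count, expected_total):
    """Batch totals: what the system processed must agree with the record
    count and control total supplied by the originating department."""
    findings = []
    count = len(invoices)
    total = sum(i.total for i in invoices)
    if count != expected_count:
        findings.append((None, f"record count {count} != {expected_count}"))
    if total != expected_total:
        findings.append((None, f"control total {total} != {expected_total}"))
    return findings


def run_application_controls(invoices, expected_count, expected_total):
    """Run every control and return the combined exception list."""
    findings = []
    for inv in invoices:
        findings += input_validation(inv)
        findings += arithmetic_check(inv)
    findings += sequence_check(invoices)
    findings += batch_control(invoices, expected_count, expected_total)
    return findings


# Constructed sample batch (not real data); comments mark the seeded defects.
BATCH = [
    Invoice(1001, "CUST-0042", 3, Decimal("10.00"), Decimal("30.00"), "jdoe", date(2016, 12, 1)),
    Invoice(1002, "CUST-0042", 2, Decimal("25.00"), Decimal("50.00"), "jdoe", date(2016, 12, 2)),
    Invoice(1004, "CUST-01X7", 1, Decimal("99.99"), Decimal("99.99"), "", date(2016, 12, 3)),      # bad id, unapproved
    Invoice(1005, "CUST-0007", 4, Decimal("5.00"), Decimal("25.00"), "asmith", date(2017, 1, 5)),  # wrong total, late
    Invoice(1005, "CUST-0007", 1, Decimal("5.00"), Decimal("5.00"), "asmith", date(2016, 12, 9)),  # duplicate number
]

if __name__ == "__main__":
    for finding in run_application_controls(BATCH, EXPECTED_COUNT, EXPECTED_TOTAL):
        print(finding)
```

Running the block lists eight exceptions: two input-validation failures on 1004, a period-cutoff and an arithmetic failure on the first 1005, the duplicate 1005, the gap at 1003, and a count and control-total mismatch for the batch.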
Refer to Exhibit 1.3 for an illustration of general and application controls, and how they should be in place in order to mitigate risks and safeguard applications. Notice in the exhibit that the application system is constantly surrounded by risks. Risks are represented in the exhibit by explosion symbols. These risks could be in the form of unauthorized access, loss or theft of equipment and information, system shutdown, etc. The general controls, shown in the hexagon symbols, also surround the application and provide a “protective shield” against the risks. Lastly, there are the application or automated controls which reside inside the application and provide first-hand protection over the input, processing, and output of the information.
IT Auditing Trends
Computing has become indispensable to the activities of organizations worldwide. The Control Objectives for Information and Related Technology (COBIT) Framework was created in 1995 by ISACA. COBIT, now on its fifth edition, emphasizes this point and substantiates the need to research, develop, publicize, and promote up-to-date, internationally accepted IT control objectives. In earlier documents such as the 1993 discussion paper “Minimum Skill Levels in Information Technology for Professional Accountants” and their 1992 final report “The Impact of Information Technology on the Accountancy Profession,” the International Federation of Accountants (IFAC) acknowledges the need for better university-level education to address growing IT control concerns and issues.
Reports of information theft, computer fraud, information abuse, and other related control concerns are being heard more frequently around the world. Organizations are more information-conscious, people are scattered due to decentralization, and computers are used more extensively in all areas of commerce. Owing to the rapid diffusion of computer technologies and the ease of information accessibility, knowledgeable and well-trained IT auditors are needed to ensure that more effective controls are put in place to maintain data integrity and manage access to information.
The need for better controls over IT has been echoed in the past by prior studies such as the AICPA Committee of Sponsoring Organizations of the Treadway Commission (COSO); International Organization for Standardization (ISO) 17799 and 27000; the IIA Systems Auditability and Control Report; Guidelines for the Security of IS by the OECD; the U.S. President’s Council on Integrity and Efficiency in Computer Audit Training curriculum; and the United States’ National Strategy for Securing Cyberspace released in 2002; among others.
Exhibit 1.3 Relationship between general computer controls and application controls. [Diagram: general controls form a “protecting shield” around the application against risks such as theft or damage to hardware and unauthorized modification of sensitive information.]
The AICPA’s Assurance Services Executive Committee (ASEC) is responsible for updating and maintaining the Trust Services Principles and Criteria (TSPC) and creating a framework of principles and criteria to provide assurance on the integrity of information. TSPC presents criteria for use by practitioners when providing professional attestation or advisory services to assess controls relevant to the following principles:
◾◾ Security: The system is protected against unauthorized access (both physical and logical).
◾◾ Availability: The system is available for operation and use as committed or agreed.
◾◾ Processing integrity: System processing is complete, accurate, timely, and authorized.
◾◾ Confidentiality: Information designated as confidential is protected as committed or agreed.
◾◾ Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.
The theory and methodologies of IT auditing are integrated from five areas: a fundamental understanding of business, traditional auditing, IT management, behavioral science, and IT sciences. Business understanding and knowledge are the cornerstones of the audit process. Traditional auditing contributes knowledge of internal control practices and overall control philosophy within a business enterprise. IT management provides methodologies necessary to achieve successful design and implementation of systems. Behavioral science indicates when and why IT is likely to fail because of people’s problems. IT sciences contribute to knowledge about control theory and the formal models that underlie hardware and software designs as a basis for maintaining data integrity.
Ever since the ISACA was formed there has been a growing demand for well-trained and skilled IT audit professionals. The publication The EDP Auditors Association: The First Twenty-Five Years documents the early struggles of the association and evolution of IT audit practices in this field.
The area of information assurance has also grown and evolved. The United States in its passage of the Cyber Security Research and Development Act has pledged almost a billion dollars for the development of curriculum, research, and skills for future professionals needed in this field.
Information Assurance
Organizations increasingly rely on critical digital electronic information capabilities to store, process, and move essential data in planning, directing, coordinating, and executing operations. Powerful and sophisticated threats can exploit security weaknesses in many of these systems. Outsourcing technological development to countries that could have terrorists on their development staff causes speculation that the potential exists for code to be implanted that would cause disruption, havoc, embezzlement, theft, and so on. These and other weaknesses that can be exploited become vulnerabilities that can jeopardize the most sensitive components of information capabilities. However, we can employ deep, layered defenses to reduce vulnerabilities and deter, defeat, and recover from a wide range of threats. From an information assurance perspective, the capabilities that we must defend can be viewed broadly in terms of four major elements: local computing environments, their boundaries, networks that link them together, and their supporting infrastructure. The U.S. National Strategy for Securing Cyberspace is one of those initiatives.
The term “information assurance” is defined as information integrity (the level of confidence and trust that can be placed on the information) and service availability. In all contexts, whether business or government, it means safeguarding the collection, storage, transmission, and use of information. The ultimate goal of information assurance is to protect users, business units, and enterprises from the negative effects of corruption of information or denial of services. The Department of Homeland Security and supporting organizations such as the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Central Intelligence Agency (CIA) have all worked toward supporting this goal.
As the nation’s IS and their critical infrastructures are being tied together (government and business), the points of entry and exposure increase, and thus, risks increase. The technological advancement toward higher bandwidth communication and advanced switching systems has reduced the number of communications lines and further centralized the switching functions. Survey data indicates that the increased risk from these changes is not widely recognized. Since 9/11, more coordinated efforts have been made by U.S. defense organizations such as the Defense Information Systems Agency to promulgate standards for the Defense Information Infrastructure and the Global Information Grid, which should have a positive impact on information assurance that will extend beyond the U.S. Department of Defense and impact all segments of the national economy. The NSA has drafted and produced standards for IT security personnel that not only impact federal agencies but also corporate entities who contract IT services in support of the federal government. NIST, for example, has generated security guidance for Health Insurance Portability and Accountability Act compliance that impacts the medical profession and all corporations/businesses serving the health field that handle medical information. A similar example includes the Payment Card Industry Data Security Standards (PCI DSS), maintained, managed, and promoted by the PCI Security Standards Council (Council) worldwide. The Council was founded in 2006 by major credit card companies, such as American Express, Discover, JCB International, MasterCard, and Visa, Inc. These companies share equally in governance, execution, and compliance of the Council’s work. PCI DSS refers to technical and operational requirements applicable specifically to entities that store, process, or transmit cardholder data, with the intention of protecting such data in order to reduce credit card fraud.
◾◾ Auditors realized that computers had impacted their ability to perform the attestation
function.
◾◾ Corporate and information processing management recognized that computers were key
resources for competing in the business environment and, like other valuable business
resources within the organization, required control and auditability; the need for both was
critical.
◾◾ Professional associations and organizations, and government entities recognized the need for
IT control and auditability.
The early components of IT auditing were drawn from several areas. First, traditional auditing
contributes knowledge of internal control practices and the overall control philosophy. Another
contributor was IS management, which provides methodologies necessary to achieve successful
design and implementation of systems. The field of behavioral science provided the questions
and analysis of when and why IS are likely to fail because of people problems. Finally, the field of
computer science contributes knowledge about control concepts, discipline, theory, and the formal
models that underlie hardware and software design as a basis for maintaining data validity, reli-
ability, and integrity.
IT auditing became an integral part of the audit function because it supports the auditor’s
judgment on the quality of the information processed by computer systems. Auditors with IT
audit skills were viewed as the technological resource for the audit staff. The audit staff often
looked to them for technical assistance. The IT auditor’s role evolved to provide assurance that
adequate and appropriate controls are in place. Of course, the responsibility for ensuring that
adequate internal controls are in place rests with management. The audit’s primary role, except
in areas of management advisory services, is to provide a statement of assurance as to whether
adequate and reliable internal controls are in place and are operating in an efficient and effective
manner. Management’s role is to ensure and the auditors’ role is to assure.
There are several types of needs within IT auditing, including organizational IT audits (manage-
ment control over IT), technical IT audits (infrastructure, data centers, data communication), and
application IT audits (business/financial/operational). There are also development/implementation
IT audits (specification/requirements, design, development, and post-implementation phases), and
compliance IT audits involving national or international standards.
When auditing IT, the breadth and depth of knowledge required are extensive. For instance,
auditing IT involves:
The auditing of IT and communications protocols typically involves the Internet, intranet,
extranet, electronic data interchange, client servers, local and wide area networks, data commu-
nications, telecommunications, wireless technology, integrated voice/data/video systems, and the
software and hardware that support these processes and functions. Some of the top reasons to
initiate an IT audit include the increased dependence on information by organizations, the rapidly
changing technology with new risks associated with such technology, and the support needed for
financial statement audits.
SOX also requires the assessment of internal controls and makes it mandatory for SEC reg-
istrants. As part of the process for assessing the effectiveness of internal controls over financial
reporting, management needs to consider controls related to the IS (including technologies) that
support relevant business and financial processes. These controls are referred to as ITGCs (or IT
general controls). As mentioned earlier, ITGCs are IT processes, activities, and/or procedures
that are performed within the IT environment and relate to how the applications and systems are
developed, maintained, managed, secured, accessed, and operated. Exhibit 1.4 illustrates other
top reasons to have IT audits.
* Examples of ISO standards include ISO/IEC 27002, ISO/IEC 27000, and ISO 17799.
IT Governance
There have been many changes in the way enterprises address IT issues, resulting in a renewed
focus on the concepts of IT governance. CEOs, Chief Financial Officers, Chief Operating
Officers, Chief Technology Officers, and Chief Information Officers agree on the founding
principles of IT governance, which focus on strategic alignment between IT and enterprise objec-
tives. This, in turn, creates changes to tactical and day-to-day operational management of IT in
the organization.
IT governance is the process by which an enterprise’s IT is directed and controlled. As defined
earlier, IT refers to the hardware, software, communication, and other facilities used to input,
store, process, transmit, and output data in whatever form. Effective IT governance helps ensure
that IT supports business goals, maximizes business investment in IT, and appropriately manages
IT-related risks. IT governance also helps ensure achievement of critical success factors by effi-
ciently and effectively deploying secure, reliable information and applied technology.
Because IT impacts the operation of an entire organization, everyone within the organization
should have an interest and role in governing its use and application. This growing awareness
has led organizations to recognize that, if they are to make the most of their IT investment and
protect that investment, they need a formal process to govern it. Reasons for implementing an IT
governance program include:
◾◾ Increasing dependence on information and the systems that deliver the information
◾◾ Increasing vulnerabilities and a wide spectrum of threats
◾◾ Scale and cost of current and future investments in information and IS
◾◾ Potential for technologies to dramatically change organizations and business practices to
create new opportunities and reduce costs
As long as these factors remain a part of business, there will be a need for effective, interdependent
systems of enterprise and IT governance.
An open-standard IT governance tool that helps nontechnical and technical managers and
auditors understand and manage risks associated with information and related IT is COBIT, devel-
oped by the IT Governance Institute and the Information Systems Audit and Control Foundation.
COBIT is a comprehensive framework of control objectives that helps IT auditors, managers, and
executives discharge fiduciary responsibilities, understand the IT systems, and decide what level
of security and control is adequate. COBIT provides an authoritative, international set of gener-
ally accepted IT practices for business managers and auditors. COBIT is discussed in Chapter 3.
IT Auditor as Counselor
In the past, users have abdicated responsibility for controlling computer systems, mostly because
of the psychological barriers that surround the computer. As a result, there are few checks and
balances, except for the IT auditor. IT auditors must take an active role in assisting organizations
in developing policies, procedures, standards, and/or best practices on safeguarding of the infor-
mation, auditability, control, testing, etc. A good information security policy, for instance, may
include:
◾◾ Acknowledging that owners, custodians, and clients of information need to report irregu-
larities and protect its use and dissemination
◾◾ Providing users with support information
The SANS Institute provides general information security policy templates on its Website, which
can be downloaded and be a great starting point for any organization. A good computer secu-
rity policy will differ for each organization, corporation, or individual depending on security
needs. An information security policy will not guarantee a system’s security or make the network
completely safe from possible attacks from cyberspace. Nevertheless, a security policy, supported by
effective security products and a plan for recovery, may help keep potential losses at levels
considered “acceptable” and minimize the leaking of private information. The IT auditor is part
of an institutional team that helps create shared governance over the use, application, and assur-
ance over IT within the organization.
An IT audit staff in a large corporation can make a major contribution to computer system
control by persuading user groups to insist on a policy of comprehensive testing for all new systems
and all changes to existing systems. By reviewing base-case results, user groups can control the
accuracy of new or changed systems by actually performing a complete control function. Auditors
must convince users and IT personnel of the need for a controlled IT environment.
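The base-case testing described above can be made concrete. The following is an added example, not code from the book or from any audit tool it names: it assumes a hypothetical billing routine, a constructed library of base cases (inputs together with the outputs the user group has agreed are correct), and a proposed change that switches the rounding mode. The harness runs both the current and the proposed version against the base cases, reports which cases diverge, and hashes the base-case library so reviewers can confirm the baseline itself was not altered between reviews.

```python
"""Base-case regression check for a changed system (added example; the billing
routine, the base cases and the proposed change are all hypothetical)."""
import hashlib
import json
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed base-case library: inputs agreed with the user group and the
# outputs the current system produces for them. BC-01 is a rounding tie and
# BC-04 is the zero-quantity edge case; both belong in any base-case set.
BASE_CASES = [
    {"id": "BC-01", "input": {"qty": 1, "unit_price": "10.10", "tax_rate": "0.05"}, "expected": "10.61"},
    {"id": "BC-02", "input": {"qty": 2, "unit_price": "12.25", "tax_rate": "0.10"}, "expected": "26.95"},
    {"id": "BC-03", "input": {"qty": 5, "unit_price": "3.99", "tax_rate": "0.0825"}, "expected": "21.60"},
    {"id": "BC-04", "input": {"qty": 0, "unit_price": "99.99", "tax_rate": "0.0825"}, "expected": "0.00"},
]


def current_total(qty, unit_price, tax_rate):
    """Production version: tax-inclusive total rounded half-up to the cent."""
    subtotal = Decimal(unit_price) * qty
    return (subtotal * (1 + Decimal(tax_rate))).quantize(CENT, rounding=ROUND_HALF_UP)


def proposed_total(qty, unit_price, tax_rate):
    """Changed version under review: identical except that it rounds
    half-to-even (banker's rounding), a seemingly minor change."""
    subtotal = Decimal(unit_price) * qty
    return (subtotal * (1 + Decimal(tax_rate))).quantize(CENT, rounding=ROUND_HALF_EVEN)


def baseline_digest(cases):
    """SHA-256 over the canonical JSON form of the base-case library, so the
    reviewing group can record it and detect later edits to the baseline."""
    canonical = json.dumps(cases, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_baseline(cases, recorded_digest):
    """True if the base-case library still matches the digest recorded at
    the last review; a mismatch means the baseline was changed."""
    return baseline_digest(cases) == recorded_digest


def run_base_cases(fn, cases):
    """Run every base case through fn and record expected versus actual."""
    results = []
    for case in cases:
        actual = str(fn(**case["input"]))
        results.append({
            "id": case["id"],
            "expected": case["expected"],
            "actual": actual,
            "passed": actual == case["expected"],
        })
    return results


def summarize(results):
    """Compact report: how many cases ran, how many failed, and which."""
    failures = [r for r in results if not r["passed"]]
    return {"run": len(results), "failed": len(failures),
            "failing_ids": [r["id"] for r in failures]}


if __name__ == "__main__":
    digest = baseline_digest(BASE_CASES)
    print("baseline digest:", digest)
    print("current system :", summarize(run_base_cases(current_total, BASE_CASES)))
    print("proposed change:", summarize(run_base_cases(proposed_total, BASE_CASES)))
    for r in run_base_cases(proposed_total, BASE_CASES):
        if not r["passed"]:
            print(f"  {r['id']}: expected {r['expected']}, got {r['actual']}")
```

The current system passes all four cases, while the proposed change fails BC-01 (it produces 10.60 instead of the agreed 10.61). The point for the control function is that the discrepancy surfaces before the change goes live, and that the user group, not the developers, owns the agreed outputs and the baseline digest.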
Insisting that all new systems be reviewed at predefined checkpoints throughout the system’s
development life cycle can also enhance control of IT. The prospect of audit review should prompt
both user and systems groups to define their objectives and assumptions more carefully. Here, too,
IT auditors can subtly extend their influence.
IT Auditor as Investigator
As a result of increased legislation and the use of computer evidence within the courts, the ability
to capture and document computer-generated information related to criminal activity is critical
for purposes of prosecution. The awareness and use of computer-assisted tools and techniques in
performing forensic support work have provided new opportunities for the IT auditor, IT security
personnel, and those within law enforcement and investigation. For the IT audit professional,
computer forensics is an exciting, developing field. The IT auditor can work in the field of com-
puter forensics or work side by side with a computer forensics specialist, supplying insight into a
particular system or network. The specialists can ask the IT audit professionals questions pertain-
ing to the system and get responses faster than having to do research and figure everything out
on their own. Although the specialist is highly trained and can adapt to almost any system or
platform, collaboration can make the jobs of the forensic specialist and the IT professional easier
and more efficient.
Since its birth in the early 1970s, computer forensics has continuously evolved into what is
now a very large field. New technologies and enhancements in protocols are allowing engineers
and developers to create more stable and robust hardware, software, and tools for the specialist to
use in computer-related criminal investigations. As computers become more advanced and more
abundant, so do criminal activities. Therefore, the computer forensics niche is also in constant
progression along with the technological advancements of computers.
studies and papers on the topic of the knowledge, skills, and abilities needed to audit computer
systems. Students, especially the ones with business and computer majors, receive a degree of
base-level training in (1) auditing concepts and practices; (2) management concepts and practices;
(3) computer systems, telecommunications, operations, and software; (4) computer information
processing techniques; and (5) understanding of business on local and international scales. These
are some of the major core areas of competency identified by the various independent studies for
the individual who enters the IT audit, control, and security field.
Certification
Certification is a vital component of a profession. As you prepare for entry into your profession,
whether it is accounting, IS, or other business fields, certification will be the measure of your level
of knowledge, skills, and abilities in the profession. For example, attainment of the CPA designa-
tion is an important career milestone for the practicing accountant. In IT auditing, the Certified
Information Systems Auditor (CISA) is one of the main levels of recognition and attainment.
There are certain requirements for candidates to become CISA certified, such as:
The CISA examination covers areas (or domains) within the process of auditing IS; governance
and management of IT; IS acquisition, development and implementation; IS operations, mainte-
nance and service management; and the protection of information assets. Thus, university edu-
cation plays an important part in providing the groundwork toward the certification process.
Other licenses and certifications relevant to the IT auditor include the following: CPA, Certified
Chartered Accountant (CA), Certified Internal Auditor (CIA), Certified Computer Professional
(CCP), Certified Government Financial Manager (CGFM), Certified Information Systems
Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in
Risk and Information Systems Control (CRISC), AICPA’s Certified Information Technology
Professional (CITP), and Certified Fraud Examiner (CFE).
Certification is important and a measure of skill attainment within the profession. Attainment
of more than one certification will enhance your knowledge, skills, and abilities within the audit
domain. Proficiency in skill application comes from experience and continuing education. The
dynamic changes in business (commerce), IT, and world events continue to shape the future for
this exciting profession.
Continuing Education
Certification requires continuing education so that those who are certified maintain a level of
proficiency and continue their certification. Continuing education is an important element for
career growth. As graduates enter their profession, they will find that their academic education
is the foundation for continued development of career-enhancing knowledge, skills, and abilities.
A continuing education requirement exists to support the CISA program. The IT auditor of the
future will constantly face change with regard to existing systems and the dynamics of the envi-
ronment (i.e., reorganization, new technology, operational change, and changing requirements).
The breadth and depth of knowledge required to audit IT is extensive. For example, IT auditing
involves the application of risk-oriented audit approaches; the use of computer-assisted audit tools
and techniques (e.g., EnCase, CaseWare, Idea, ACL, Guardant, eTrust, CA-Examine, etc.); the
application of national or international standards (i.e., ISO 9000/3, ISO 17799, ISO 27000, and
related amendments to improve and implement quality systems in software development); the
auditing of systems under development involving complex SDLC or new development techniques
(e.g., prototyping, end-user computing, rapid systems development, etc.); and the auditing of com-
plex technologies involving electronic data interchange, client servers, local and wide area networks,
data communications, telecommunications, and integrated voice/data/video systems.
Because the organizational environment in which the IT auditor operates is a dynamic one, it
is important that new developments in the profession be understood so that they may be appropri-
ately applied. Thus, the continuing education requirement helps the CISA attain new knowledge
and skills to provide the most informed professional opinion. Training courses and programs are
offered by a wide variety of associations and organizations to assist in maintaining the necessary
skills that they need to continue to improve and evolve. Methods for receiving such training may
even be global with video teleconferencing and telecommuting and with the Internet playing a
major role in training delivery.
◾◾ provides knowledge and education on areas like IS assurance, information security, enter-
prise governance, IT risk management, and compliance.
◾◾ offers globally known certifications/designations such as CISA, CISM, Certified in the
Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).
◾◾ develops and frequently updates international IS auditing and control standards, such as
the COBIT standard. COBIT assists both IT auditors and IT management in performing
their daily duties and responsibilities in the areas of assurance, security, risk and control, and
in delivering value to the business.
To act as an auditor, one must have a high standard of moral ethics. The term auditor is Latin for
one that hears complaints and makes decisions or acts like a judge. To act as a judge, one definitely
must be morally ethical or it defeats the purpose. Ethics are a very important basis for our culture
as a whole. If the auditor loses favor in this area, it is almost impossible to regain the trust the audi-
tor once had with audit management and auditees. Whether an auditor is ethical in the beginning
or not, they should all start off with the same amount of trust and good favor from the client or
auditee. If the bond is not broken, the auditor establishes a good name as someone who can be
trusted with sensitive material.
In today’s world economy, trust is an unheard-of word. No one can trust anyone these days
and for this reason it is imperative that high ethics are at the top of the manager’s list of topics to
cover with new audit teams. Times are changing and so are the clients requesting audit services.
Most managers will state that they cherish this aspect called ethics because it distinguishes them
from others without it.
For example, say a budget calls for numerous hours. It is unethical to put down hours not
worked. It is also unethical to overlook something during the audit because the client says it is not
important. A fine line exists between what is ethical and what is legal. Something can be ethically
wrong but still legal. However, with that being said, some things initially thought to be unethical
become illegal over time. If there is a large enough population opposed to something ethically
incorrect, you will see legislation introduced to make it illegal.
When IT auditors attain their CISA certification, they also subscribe to a Code of Professional
Ethics. This code applies to not only the professional conduct but also the personal conduct of
IT auditors. The code is actually not in conflict with codes of ethics from other audit/assurance
related domains (e.g., IIA, AICPA, etc.). It requires that ISACA standards be adhered to, con-
fidentiality is maintained, any illegal or improper activities are reported, the auditor’s competency
is maintained, due care is used in the course of the audit, the results of audit work are communi-
cated, and high standards of conduct and character are maintained.
Educational Curricula
IT auditing is a profession with conduct, aims, and qualities that are characterized by world-
wide technical and ethical standards. It requires specialized knowledge and often long and inten-
sive academic preparation. Most accounting, auditing, and IT professional societies believe that
improvements in research and education will definitely provide a “better-developed theoretical
and empirical knowledge base for the IT audit function.” They feel that emphasis should be placed
on education obtained at the college level.
The academic communities both in the United States and abroad have started to incorporate
portions of the common body of knowledge and the CISA examination domains into courses
taught at the university level. Several recent studies indicate the growth of computer audit courses
emerging in university curricula worldwide.
Various universities have developed curricula tailored to support the profession of IT auditing.
Although the curricula at these universities constantly evolve, they currently exist at institutions
such as Bentley University (Massachusetts), Bowling Green State University (Ohio), California
State Polytechnic University, University of Mississippi, University of Texas, Georgia State
University, University of Maryland, University of Tennessee, National Technological University
(Argentina), University of British Columbia (Canada), York University (Canada), and the Hong
Kong University of Science and Technology, among others. Graduates from these programs qual-
ify for 1 year of work experience toward their CISA certification.
A Model Curriculum for undergraduate and graduate education in IS and IT audit education
was initially issued in March 1998 and updated in 2004, 2009, and 2011 by the IS Audit and
Control Association and Foundation. The purpose of the Model is to provide colleges, universi-
ties, and/or educational institutions the necessary tools to educate students, and prepare them
to enter the IT audit profession. Education through the Model focuses on fundamental course
components of IT audit and control, as well as keeps up with the rapid pace of technological
change. Such education is also in line with recent events, government regulations, and changes in
business processes, all of which have affected the role of IT audit and the methodologies used by
IT auditors.
Having a diverse set of supplemental or “soft” skills never hurts when one is working with an
auditee. For example, a senior IT auditor was recently conducting an audit in which she was faced
with a client/auditee that was not very cooperative. During the questioning process, the senior IT
auditor established a rapport with the client by using people skills or “soft skills.” The role of an
auditor is not an easy one when we are asked to review, question, and assess the work of others.
Many times, the auditee must have a clear understanding of our role and that the auditor’s focus is
not to be critical of the individual but of the organizational policies, procedures, and process. The
audit objectives focus on both the organization’s goals and objectives.
Career Opportunities
There are a number of career opportunities available to the individual seeking an opportunity in
IT audit. For the college graduate with the appropriate entry-level knowledge, skills, and abilities,
this career provides many paths for growth and development. Further, as a career develops and
progresses, IT audit can provide mobility into other areas as well. Today’s IT auditors are employed
by public accounting firms, private industries, management consulting firms, and the government.
Private Industry
Like public accounting firms, private industry offers entry-level IT audit professional positions. In
addition, IT auditors gain expertise in more specialized areas (i.e., telecommunications, systems
software, and systems design), which can make them candidates for IT operations, IT forensics,
and IT security positions. Many CEOs view audit experience as a management training func-
tion. The IT auditor has particular strengths of educational background, practical experience
with corporate IS, and understanding of executive decision making. Some companies have made a
distinction between IT auditors and operational and financial auditors. Others require all internal
auditors to be capable of auditing IT systems. Sources for persons to staff the IT audit function
within a company generally may come from college recruitment, internal transfers, promotions,
and/or outside hiring.
practices, especially those that provide services in the computer IS environment, hire experienced
IT auditors. This career path allows these candidates to use their particular knowledge, skills, and
abilities in diagnosing an array of computer and management information issues and then assist
the organization in implementing the solutions. The usual resources for such positions are expe-
rienced personnel from public accounting CPA firms, private industries, and the government. IT
forensics is another growing area in management consulting services.
Government
The government offers another avenue for one to gain IT audit experience. In the United States,
federal, state, county, and city governments employ personnel to conduct IT audit-related respon-
sibilities. Federal organizations such as the NSA, FBI, Department of Justice, and the CIA employ
personnel who have IT audit experience, computer security experience, and IT forensics experi-
ence. Governments worldwide also employ personnel to conduct IT audits.
Government positions offer training and experience to personnel responsible for performing
IT audit functions. Sources for government IT auditors are college recruits and employees seeking
internal promotion or transfer. There are occasions when experienced resources may be hired from
the outside as well.
Conclusion
Business operations are changing at a rapid pace because of the fast continuing improvement of tech-
nology. Technology has impacted various areas of the business environment, including the use and
processing of information, existing control processes, and how audits are performed to draw conclu-
sions regarding operational or system effectiveness, efficiency, and reporting integrity. It is also noted
that technology changes constantly and shapes today’s IT environments in the
organization. Several recent technologies were described that have revolutionized, and will continue
to revolutionize, organizations, in particular how business is done and the dynamics of the workplace.
Because of major corporate and accounting fraud and scandals, the auditing profession, both
internal and external functions, now looks seriously at the lack of controls in computer infor-
mation systems. Within financial auditing, for instance, there are principles and standards that
rule the CPA profession in the United States (i.e., GAAP and GAAS). These look for accurate
preparation of financial statements as well as effective procedures for their audit examinations. A
different type of auditing, IT auditing, has become an integral part of the audit function because
it supports the auditor’s judgment on the quality of the information processed by computer sys-
tems. IT auditing provides reasonable assurance (never absolute) that the information generated
by applications within the organization is accurate, complete, and supports effective decision mak-
ing consistent with the nature and scope agreed. There are two broad groupings of IT audits (i.e.,
General Computer Controls Audit and Application Controls Audit), both essential to ensure the
continued proper operation of IS.
For the IT auditor, the need for audit remains critical and continues to be a demanding one.
There are many challenges ahead; everyone must work together to design, implement, and safe-
guard the integration of new and existing technologies in the workplace. Given the various
hats IT auditors can wear, they must keep up to date with reviews of, and changes in, the existing laws
governing the use of computers and the Internet. IT auditors can provide leverage in helping orga-
nizations understand the risks they face and the potential consequences.
Review Questions
1. Technology has impacted the business environment in three areas. Summarize those areas.
2. Differentiate between internal and external auditors in terms of their roles and responsibilities.
3. How is IT auditing defined?
4. General Computer Controls Audit and Application Controls Audit are the two broad group-
ings of IT audits. Summarize both audits and provide specific examples supporting the
controls evaluated within each type of audit.
5. The TSPC, maintained by the AICPA’s ASEC, presents criteria for use by practitioners when
providing professional attestation or advisory services to assess controls relevant to five prin-
ciples. Describe in your own words these principles.
6. Explain what information assurance is.
7. One of the roles of the IT auditor is to act as a Counselor to organizations. As a Counselor,
IT auditors can assist organizations in developing policies, procedures, standards, and/or
best practices, such as an information security policy. Using the characteristics of a good
information security policy listed in the chapter, develop five information security policies
you would share with your client.
8. Explain why IT audit is considered a profession. Describe the requirements for candidates to
become CISA certified.
9. What is ISACA and how does it help the IT audit profession?
10. Where are the current career opportunities for the IT auditor? Search the Internet and iden-
tify at least one job profile/description for each career opportunity identified above. For each
job profile identified, list the following in a table form:
a. Job description
b. Duties, tasks, and responsibilities required
c. Minimum job requirements (or qualifications)
d. Minimum education and/or certification requirements
e. Knowledge, skills, and abilities required, etc.
Exercises
1. After reading this chapter, you should feel comfortable about the general roles and responsi-
bilities of an IT auditor.
a. Describe in your own words what IT auditors do.
b. Why should they be part of the overall audit team when performing the annual financial
audit of a client?
2. List five Websites you can go to for information about:
a. IT auditing
b. IT security and privacy issues
3. Visit the Websites of four external audit organizations: two private and two government
sites. Provide a summary of who they are and their roles, function, and responsibilities.
4. Interview an IT auditor and gather the following information:
a. Position and company?
b. Number of years of experience in IT auditing?
c. Degree(s) and professional certifications?
d. Career path?