IT Control and Audit - Chapter 01


Chapter 1

Information Technology Environment and IT Audit

LEARNING OBJECTIVES
1. Discuss how technology is constantly evolving and shaping today’s business (IT) environments.
2. Discuss the auditing profession and define financial auditing.
3. Differentiate between the two types of audit functions that exist today (internal and external).
4. Explain what IT auditing is and summarize its two broad groupings.
5. Describe current IT auditing trends, and identify the needs to have an IT audit.
6. Explain the various roles of the IT auditor.
7. Support why IT audit is considered a profession.
8. Describe the profile of an IT auditor in terms of experience and skills required.
9. Discuss career opportunities available to IT auditors.

Organizations today are more information dependent and conscious of the pervasive nature of
technology across the business enterprise. The increased connectivity and availability of systems
and open environments have proven to be the lifelines of most business entities. Information technology
(IT) is now used more extensively in all areas of commerce around the world.

IT Environment
The need for improved control over IT, especially in commerce, has been advanced over the years
in earlier and continuing studies by many national and international organizations. Essentially,
technology has impacted various significant areas of the business environment, including the use
and processing of information, the control process, and the auditing profession.

4 ◾ Information Technology Control and Audit

◾ Technology has improved the ability to capture, store, analyze, and process tremendous amounts of data and information, expanding the empowerment of the business decision maker. It has also become a primary enabler to production and service processes. There is a residual effect in that the increased use of technology has resulted in increased budgets, increased successes and failures, and better awareness of the need for control.
◾ Technology has significantly impacted the control process around systems. Although control objectives have generally remained constant, except for some that are technology specific, technology has altered the way in which systems should be controlled. Safeguarding assets, as a control objective, remains the same whether it is done manually or is automated. However, the manner by which the control objective is met is certainly impacted.
◾ Technology has impacted the auditing profession in terms of how audits are performed (information capture and analysis, control concerns) and the knowledge required to draw conclusions regarding operational or system effectiveness, efficiency, and reporting integrity. Initially, the impact was focused on dealing with a changed processing environment. As the need for auditors with specialized technology skills grew, so did the IT auditing profession.

Technology is constantly evolving and finding ways to shape today’s IT environment in the organization. The following sections briefly describe various recent technologies that have and will certainly continue to revolutionize organizations, how business is done, and the dynamics of the workplace.

Enterprise Resource Planning (ERP)


According to the June 2016 edition of Apps Run the World, a technology market-research com-
pany devoted to the applications space, the worldwide market of ERP systems will reach $84.1
billion by 2020 versus $82.1 billion in 2015. ERP is software that provides standard business
functionality in an integrated IT environment system (e.g., procurement, inventory, accounting,
and human resources [HR]). Refer to Exhibit 1.1 for an illustration of the ERP modular system.
ERPs allow multiple functions to access a common database—reducing storage costs and
increasing consistency and accuracy of data from a single source. Additionally, ERPs:

◾ Have standard methods in place for automating processes (i.e., information in the HR system can be used by payroll, help desk, and so on).
◾ Share real-time information from modules (finance, HR, etc.) residing in one common database, hence, financial statements, analyses, and reports are generated faster and more frequently.

Some of the primary ERP suppliers today include SAP, FIS Global, Oracle, Fiserv, Intuit, Inc.,
Cerner Corporation, Microsoft, Ericsson, Infor, and McKesson.
Despite the many advantages of ERPs, they are not much different from purchased or packaged systems, and may therefore require extensive modifications to new or existing business processes. ERP modifications (i.e., software releases) require considerable programming to retrofit all of the organization-specific code. Because packaged systems are generic by nature, organizations may need to modify their business operations to match the vendor’s method of processing, for instance. Changes in business operations may not fit well into the organization’s culture or other processes, and may also be costly due to training. Additionally, as ERPs are offered by a single vendor, risks associated with having a single supplier apply (e.g., depending on a single supplier for maintenance and support, specific hardware or software requirements, etc.).

Exhibit 1.1 Enterprise resource planning modular system. The exhibit shows the financial resource management, human resource management, supply chain management, manufacturing resource planning, and customer relationship management modules arranged around the enterprise resource planning common database.

Cloud Computing
Cloud computing continues to have an increasing impact on the IT environment. According to ISACA (formerly known as the Information Systems Audit and Control Association), cloud computing, given its exponential growth, should no longer be considered an emerging technology. Cloud computing has shaped business across the globe, with some organizations utilizing it to perform business-critical processes. Based on ISACA’s July 2015 Innovation Insights report, cloud computing is considered one of the key trends driving business strategy. The International Data Corporation, in its 2015 publication, also predicts that cloud computing will grow at 19.4% annually over the next 5 years. Moreover, Deloitte’s 2016 Perspective’s Cloud Computing report indicates that for private companies, cloud computing will continue to be a dominant factor.
Cloud computing, as defined by PC Magazine, refers to the use of the Internet (versus one’s computer’s hard drive) to store and access data and programs. More formally, the National Institute of Standards and Technology (NIST) defines cloud computing as a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” NIST also stresses that availability is significantly promoted by this particular (cloud) model.
The highly flexible services that can be managed in the virtual environment make cloud computing very attractive for business organizations. Nonetheless, organizations do not yet feel fully comfortable when storing their information and applications on systems residing outside of their on-site premises. Migrating information into a shared infrastructure (such as a cloud environment) exposes organizations’ sensitive/critical information to risks of potential unauthorized access and exposure, among others. Deloitte, one of the major global accounting and auditing firms, also supports the significance of security and privacy noted above, and adds, based on its report, that cloud-stored information related to patient data, banking details, and personnel records, to name a few, is vulnerable and susceptible to misuse if it falls into the wrong hands.

Mobile Device Management (MDM)


MDM, also known as Enterprise Mobility Management, is a relatively new term, but it is already shaping the IT environment in organizations. MDM is responsible for managing and administering mobile devices (e.g., smartphones, laptops, tablets, mobile printers, etc.) provided to employees as part of their work responsibilities. Specifically, and according to PC Magazine, MDM ensures these mobile devices:

◾ integrate well within the organization and are implemented to comply with organization policies and procedures
◾ protect corporate information (e.g., emails, corporate documents, etc.) and configuration settings for all mobile devices within the organization

Mobile devices are also used by employees for personal reasons. That is, employees bring their own
mobile (personal) device to the organization (also referred to as bring-your-own-device or BYOD)
to perform their work. Allowing employees to use organization-provided mobile devices for work
and personal reasons has proved to appeal to the average employee. Nevertheless, organizations
should monitor and control the tasks performed by employees when using mobile devices, and
ensure employees remain focused and productive. It does represent a risk to the organization’s
security and a distraction to employees when mobile devices are used for personal and work pur-
poses. Additionally, allowing direct access to corporate information always represents an ongoing
risk, as well as raises security and compliance concerns to the organization.

Other Technology Systems Impacting the IT Environment


The Internet of Things (IoT) has a potential transformational effect on IT environments, data
centers, technology providers, etc. Gartner, Inc. estimates that by the year 2020, IoT will include
26 billion units installed and revenues will exceed $300 billion generated mostly by IoT product
and service suppliers.
IoT, as defined by Gartner, Inc., is a system that allows remote assets from “things” (e.g., devices,
sensors, objects, etc.) to interact and communicate among themselves and with other network systems.
Assets, for example, communicate information on their actual status, location, and functionality,
among others. This information not only provides a more accurate understanding of the assets, but
also maximizes their utilization and productivity, resulting in an enhanced decision-making process.
The huge volumes of raw data or data sets (also referred to as Big Data) generated as a result of these
massive interactions between devices and systems need to be processed and analyzed effectively in
order to generate information that is meaningful and useful in the decision-making process.
Big Data, as defined by the TechAmerica Foundation’s Federal Big Data Commission (2012), “describes large volumes of high velocity, complex and variable data that require advanced techniques and technologies to enable the capture, storage, distribution, management, and analysis of the information.” Gartner, Inc. further defines it as “… high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation.”
Even though accurate Big Data may lead to a more confident decision-making process, and better decisions often result in greater operational efficiency, cost reduction, and reduced risk, many challenges currently exist and must be addressed.
Challenges of Big Data include, for instance, analysis, capture, data curation, search, sharing, storage, transfer, visualization, querying, as well as updating. Ernst & Young, in its EY Center for Board Matters’ September 2015 publication, states that challenges for auditors include the limited access to audit-relevant data, the scarcity of available and qualified personnel to process and analyze such particular data, and the timely integration of analytics into the audit. The IoT also delivers fast-moving data from sensors and devices around the world, and therefore results in similar challenges for many organizations when making sense of all that data.
Other recent technologies listed in Gartner’s 2015 Hype Cycle for Emerging Technologies Report that are currently impacting IT environments include wearables (e.g., smartwatches, etc.), autonomous vehicles, cryptocurrencies, consumer 3D printing, and speech-to-speech translation, among others.

IT Environment as Part of the Organization Strategy


In today’s environment, organizations must integrate their IT with business strategies to attain
their overall objectives, get the most value out of their information, and capitalize on the technolo-
gies available to them. Where IT was formerly viewed as an enabler of an organization’s strategy,
it is now regarded as an integral part of that strategy to attain profitability and service. At the
same time, issues such as IT governance, international information infrastructure, security, and
privacy and control of public and organization information have driven the need for self-review
and self-assurance.
For the IT manager, the words “audit” and “auditor” send chills up and down the spine. Yes,
the auditor or the audit has been considered an evil that has to be dealt with by all managers. In
the IT field, auditors in the past had to be trained or provided orientation in system concepts and
operations to evaluate IT practices and applications. IT managers cringe at the auditor’s ability to
effectively and efficiently evaluate the complexities and grasp the issues. Nowadays, IT auditors are
expected to be well aware of the organization’s IT infrastructure, policies, and operations before
embarking on their reviews and examinations. More importantly, IT auditors must be capable
of determining whether the IT controls in place by the organization ensure data protection and
adequately align with the overall organization goals.
Professional associations and organizations such as ISACA, the American Institute of
Certified Public Accountants (AICPA), the Canadian Institute of Chartered Accountants
(CICA), Institute of Internal Auditors (IIA), Association of Certified Fraud Examiners (ACFE),
and others have issued guidance, instructions, and supported studies and research in audit areas.

The Auditing Profession


Computers have been in use commercially since 1952. Computer-related crimes were reported as early as 1966. However, it was not until 1973, when the significant problems at Equity Funding Corporation of America (EFCA) surfaced, that the auditing profession looked seriously at the lack of controls in computer information systems (IS). In 2002, almost 30 years later, another major fraud resulted from corporate and accounting scandals (Enron and WorldCom), which brought skepticism and downfall to the financial markets. This time, neither the major accounting firms nor the security- and exchange-regulated businesses in major exchanges were able to avoid the public outrage, lack of investor confidence, and increased government regulation that befell the U.S. economy. Again, in 2008, the U.S. economy suffered as mortgage banking and mortgage investment companies (such as Countrywide, IndyMac, etc.) defaulted as a result of unsound lending strategies and poor risk management.
When EFCA declared bankruptcy in 1973, the minimum direct impact and losses from illegal
activity were reported to be as much as $200 million. Further estimates from this major financial
fraud escalated to as much as $2 billion, with indirect costs such as legal fees and depreciation
included. These losses were the result of a “computer-assisted fraud” in which a corporation falsi-
fied the records of its life insurance subsidiary to indicate the issuance of new policies. In addi-
tion to the insurance policies, other assets, such as receivables and marketable securities, were
recorded falsely. These fictitious assets should have been revealed as non-existent during the corporation’s regular year-end audits but were never discovered. As the computer was used to manipulate files as a means of covering the fraud, the accounting profession realized that conventional, manual techniques might not be adequate for audit engagements involving computer applications.
In 1973, the AICPA (major national professional organization of certified public accountants),
in response to the events at EFCA, appointed a special committee to study whether the auditing
standards of the day were adequate in such situations. The committee was requested to evaluate
specific procedures to be used and the general standards to be approved. In 1975, the commit-
tee issued its findings. Even though the special committee found that auditing standards were
adequate, and that no major changes were called for in the procedures used by auditors, there
were several observations and recommendations issued related to the use of computer programs
designed to assist the examination of financial statements. Another critical review of the existing
auditing standards was started in 1974, when the AICPA created its first standards covering this
area. Then, 29 years later, the Enron–Arthur Andersen fiasco of 2002 took us back to 1973.
The issue of “due professional care” has come to the forefront of the audit community as
a result of major U.S. financial scandals and poor management, including but not limited to,
Waste Management (1998), Enron (2001), WorldCom (2002), American Insurance Group (2005),
Lehman Brothers (2008), Bernard L. Madoff Securities LLC (2008), MF Global (2011), Anthem
Inc. (2015), Wells Fargo (2016), and others. The EFCA scandal of 1973 led to the development of
strong state and federal regulation of the insurance industries and corporate creative accounting
in the aerospace industry, which provided support for the Foreign Corrupt Practices Act (FCPA)
of 1977. Perhaps today, the Sarbanes–Oxley Act of 2002 (SOX) will be a vivid reminder of the
importance of due professional care. SOX is a major reform package, mandating the most far-
reaching changes Congress has imposed on the business world since the FCPA of 1977 and the
Securities and Exchange Commission (SEC) Act of 1934. Examples of some of these significant
changes include the creation of a Public Company Accounting Oversight Board,* as well as the
increase of criminal penalties for violations of securities laws. SOX will be discussed in more detail
in the next chapter.

* The PCAOB is a not-for-profit corporation instituted by Congress to oversee the audits of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports. http://pcaobus.org/Pages/default.aspx.

Financial Auditing
Financial auditing encompasses all activities and responsibilities concerned with the rendering
of an opinion on the fairness of financial statements. The basic rules governing audit opinions
indicate clearly that the scope of an audit covers all equipment and procedures used in processing
significant data.
Financial auditing, as carried out today by the independent auditor, was spurred by legislation
in 1933 and 1934 that created the SEC. This legislation mandated that companies whose securities
were sold publicly be audited annually by a Certified Public Accountant (CPA). CPAs, then, were
charged with attesting to the fairness of financial statements issued by companies that reported to
the SEC. The AICPA issued in 1993 a document called “Reporting on an Entity’s Internal Control
Structure over Financial Reporting (Statement on Standards for Attestation Engagements 2)” to fur-
ther define the importance of internal control in the attestation engagement.
Within the CPA profession in the United States, two groups of principles and standards have
been developed that affect the preparation of financial statements by publicly held companies
and the procedures for their audit examination by CPA firms: Generally Accepted Accounting
Principles (GAAP) and Generally Accepted Auditing Standards (GAAS).
GAAP establishes consistent guidelines for financial reporting by corporate managers. As
part of the reporting requirement, standards are also established for the maintenance of financial
records on which periodic statements are based. An auditor, rendering an opinion indicating that
financial statements are stated fairly, stipulates that the financial statements conform to GAAP.
These accounting principles have been formulated and revised periodically by private-sector orga-
nizations established for this purpose. The present governing body is the Financial Accounting
Standards Board (FASB). Implementation of GAAP is the responsibility of the management of
the reporting entity.
GAAS, the second group of standards, was adopted in 1949 by the AICPA for audits. These
audit standards cover three categories:

◾ General Standards relate to professional and technical competence, independence, and due professional care.
◾ Standards of Fieldwork encompass planning, evaluation of internal control, sufficiency of evidential matter, or documentary evidence upon which findings are based.
◾ Standards of Reporting stipulate compliance with all accepted auditing standards, consistency with the preceding account period, adequacy of disclosure, and, in the event that an opinion cannot be reached, the requirement to state the assertion explicitly.

GAAS provide broad guidelines, but not specific guidance. The profession has supplemented the
standards by issuing statements of authoritative pronouncements on auditing. The most compre-
hensive of these is the SAS series. SAS publications provide procedural guidance relating to many
aspects of auditing. In 1985, the AICPA released a codification of the SAS No. 1–49. Today, the
number of statements exceeds 120.
A third group of standards, called the International Financial Reporting Standards (IFRS), has been recently created by the International Accounting Standards Board (IASB)* to respond to the increasing global business environment and address the need to compare financial statements prepared in different countries. The AICPA defines IFRS as the “set of accounting standards developed by the IASB that is becoming the global standard for the preparation of public company financial statements.” While many of the global organizations have already migrated to IFRS, the United States has yet to do so. Due to the size of the United States and its significant presence globally, however, U.S. GAAP still has significant global impact. This results in the two major accounting standard-setting efforts in the world: U.S. GAAP and IFRS. Nevertheless, all major nations have now established time lines to converge with or to adopt IFRS standards in the near future.

* The purpose of the IASB is to develop a single set of high-quality, understandable, enforceable, and globally accepted financial reporting standards based upon clearly articulated principles.

Internal versus External Audit Functions


There are two types of audit functions that exist today. They have very important roles in assuring
the validity and integrity of financial accounting and reporting systems. They are the internal and
external audit functions.

Internal Audit Function


The IIA defines internal auditing (IA) as “an independent, objective assurance and consulting
activity designed to add value and improve an organization’s operations.” IA brings organizations
a systematic and disciplined approach to assess and enhance their risk management, control, and
governance processes, as well as to accomplish their goals and objectives.
IA departments are typically led by a Chief Audit Executive (CAE), who directly reports
to the Audit Committee of the Board of Directors. The CAE also reports to the organiza-
tion’s Chief Executive Officer (CEO). The primary purpose of the IA function is to assure that
management-authorized controls are being applied effectively. The IA function, although not
mandatory, exists in most private enterprise or corporate entities, and in government (such as fed-
eral, state, county, and city governments). The mission, character, and strength of an IA function
vary widely within the style of top executives and traditions of companies and organizations. IT
audit is one of the areas of support for IA.
The IA group, if appropriately staffed with the resources, performs year-round monitoring and testing of IT activities within the control of the organization. Of particular concern to private corporations is the processing of data and the generation of information of financial relevance or materiality.
Given management’s large part to play in the effectiveness of an IA function, their concern
with the reliability and integrity of computer-generated information from which decisions are
made is critical. In organizations where management demonstrates concern about
internal controls, the role of the IA grows in stature. As the IA function matures through experi-
ence, training, and career development, the external audit function and the public can rely on the
quality of the internal auditor’s work. With a good, continuously improving IA management and
staff, the Audit Committee of the Board of Directors is not hesitant to assign additional reviews,
consultation, and testing responsibilities to the internal auditor. These responsibilities are often
broader in scope than those of the external auditor.
Within the United States, internal auditors from government agencies often come together to meet and exchange experiences through conferences or forums. The Intergovernmental Audit Forum, for example, is an event where auditors come together from city, county, state, and federal environments to exchange experiences and provide new information regarding audit techniques and methods. The IIA also holds a national conference that draws an auditor population from around the world, both private and government, to share experiences and discuss new audit methods and techniques.

External Audit Function


The external audit function evaluates the reliability and the validity of systems controls in all
forms. The principal objective in such evaluation is to minimize the amount of substantial audit-
ing or testing of transactions required to render an opinion on the financial statements.
External auditors are provided by public accounting firms and also exist in government. For example, the Government Accountability Office (GAO) is considered an external reviewer because it can examine the work of both federal and private organizations where federal funds are provided. The Watchdogs of Congressional Spending provide a service to the taxpayer in reporting directly to Congress on issues of mismanagement and poor controls. Interestingly, in other countries, an Office of the Inspector General or Auditor General’s Office performs similar functions. Also, the GAO has been a strong supporter of the International Audit Organization, which provides government audit training and guidance to its international audit members representing governments worldwide.
From a public accounting firm standpoint, firms such as Deloitte, Ernst & Young,
PricewaterhouseCoopers, and KPMG (altogether referred to as the “Big Four”) provide these types
of external audit services worldwide. The external auditor is responsible for testing the reliability of
client IT systems and should have a special combination of skills and experience. Such an auditor
must be thoroughly familiar with the audit attest function. The attest function encompasses all
activities and responsibilities associated with the rendering of an audit opinion on the fairness of the
financial statements. Besides the accounting and auditing skills involved in performing the attest
function, these external auditors also must have substantial IT audit experience. SOX now governs
their role and limits of services that can be offered beyond audit.

What Is IT Auditing?
Before defining what IT auditing is, let us explain the difference between IS and IT. An IS,
represented by three components (i.e., people, process, and IT), is the combination of strategic,
managerial, and operational activities involved in managing information. The IT component of an
IS involves the hardware, software, communication, and other facilities necessary to manage (i.e.,
input, store, process, transmit, and output) such information. Refer to Exhibit 1.2.
The term audit, according to ISACA, refers to the formal inspection and verification to check
whether a standard or set of guidelines is being followed, records are accurate, or efficiency and
effectiveness targets are being met. In combining both definitions above, IT auditing can be
defined as the formal, independent, and objective examination of an organization’s IT infrastructure
to determine whether the activities (e.g., procedures, controls, etc.) involved in gathering, processing,
storing, distributing, and using information comply with guidelines, safeguard assets, maintain data
integrity, and operate effectively and efficiently to achieve the organization’s objectives. IT auditing
provides reasonable assurance (never absolute) that the information generated by applications
within the organization is accurate, complete, and supports effective decision making consistent
with the nature and scope of the engagement previously agreed.
Exhibit 1.2 Information systems versus information technology. Information systems (people, processes, and information technology) involve strategic, managerial, and operational activities working together toward gathering, processing, storing, distributing, and using information. Information technology integrates hardware, software, communication, and other facilities for inputting, storing, processing, transmitting, and outputting data.

IT auditing is needed to evaluate the adequacy of application systems to meet processing needs,
evaluate the adequacy of internal controls, and ensure that assets controlled by those systems are
adequately safeguarded. As for the IT auditors of today, their advanced knowledge and skills will
progress in two ways. One direction is continued growth and skill in this profession, leading the
way in computer audit research and development and progressing up the external and internal
audit career paths. The other direction involves capitalizing on a thorough knowledge of organiza-
tional systems and moving into more responsible career areas in general management. Today, even
in these economic times, the demand for qualified IT auditors exceeds the supply. IT governance
has created vast opportunities for the IT auditor.
Learning new ways of auditing is always a priority of internal and external IT auditors. Most
auditors want tools or audit methodologies that will aid them in accomplishing their task faster
and easier. Almost every large organization or company has some sort of IT audit function or
shop that involves an internal audit department. Today, the “Big Four” firms have designated
special groups that specialize in the IT audit field. They all have staff that perform these external
IT audits. Most of these IT auditors assist the financial auditors in establishing the correctness of
financial statements for the companies they audit. Others focus on special projects such as
as Internet security dealing with penetration studies, firewall evaluations, bridges, routers, and
gateway configurations, among others.
There are two broad groupings of IT audits, both of which are essential to ensure the continued proper operation of IS. These are as follows:

◾◾ General Computer Controls Audit. It examines IT general controls (“general controls” or “ITGCs”), including policies and procedures, that relate to many applications and support the effective functioning of application controls. General controls cover the IT infrastructure and support services, including all systems and applications. General controls commonly include controls over (1) IS operations; (2) information security (ISec); and (3) change control management (CCM) (i.e., system software acquisition, change and maintenance, program change, and application system acquisition, development, and maintenance). Examples of general controls within IS operations address activities such as data backups and offsite storage, job monitoring and tracking of exceptions to completion, and access to the job scheduler, among others. Examples of general controls within ISec address activities such as access requests and user account administration, access terminations, and physical security. Examples of general controls within CCM may include change request approvals; application and database upgrades; and network infrastructure monitoring, security, and change management.
◾◾ Application Controls Audit. It examines processing controls specific to the application. Application controls may also be referred to as “automated controls.” They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted, and reported. Examples of application controls include checking the mathematical accuracy of records, validating data input, and performing numerical sequence checks, among others. Application controls are likely to be effective when general controls are effective.
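The two groupings above can be made concrete with a small computer-assisted audit test. The following Python block is an added example, not code from the book or from any audit tool it mentions; the HR termination list, account export, invoice batch, and dates are all constructed sample data. The first function tests a general control (access termination: does anyone terminated in HR still hold an active account, and was it used after the termination date?); the second applies the application controls named above, namely input validation, a mathematical accuracy check and a numerical sequence check, plus a batch control total, and returns every exception it finds.

```python
"""Added example: two computer-assisted audit tests, one for a general control
(access termination) and one for application controls.  All data below is
constructed sample data, not taken from any real system."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


# ---- ITGC test: access termination / user account administration ----------
# Constructed HR termination dates and a constructed active-account export
# (username -> last login date), as an auditor might receive them.
HR_TERMINATIONS = {
    "jdoe": date(2024, 1, 15),
    "asmith": date(2024, 2, 1),
    "mlee": date(2023, 12, 1),    # account already removed: no exception
}
ACTIVE_ACCOUNTS = {
    "jdoe": date(2024, 1, 31),    # still active and used after termination
    "asmith": date(2024, 1, 20),  # still active, not used after termination
    "bjones": date(2024, 3, 2),   # current employee
}
AS_OF = date(2024, 3, 31)         # date the account export was taken


def terminated_with_active_access(terminations, active_accounts, as_of):
    """Return one exception per user terminated in HR who still has an active
    account, noting how long the account outlived the termination date and
    whether it was used afterwards."""
    exceptions = []
    for user, term_date in sorted(terminations.items()):
        last_login = active_accounts.get(user)
        if last_login is None:
            continue  # account was removed: the control operated
        exceptions.append({
            "user": user,
            "days_active_after_termination": (as_of - term_date).days,
            "used_after_termination": last_login > term_date,
        })
    return exceptions


# ---- Application control test: invoice batch ------------------------------
@dataclass(frozen=True)
class Invoice:
    number: int
    customer: str
    quantity: int
    unit_price: Decimal
    line_total: Decimal


def check_invoice_batch(invoices, control_total):
    """Apply input validation, a mathematical accuracy check, a numerical
    sequence check and a batch control total; return the exceptions found
    (an empty list means the batch passes all four controls)."""
    exceptions = []
    for inv in invoices:
        # Input validation: required fields present, values within range
        if not inv.customer:
            exceptions.append(f"invoice {inv.number}: missing customer id")
        if inv.quantity <= 0:
            exceptions.append(f"invoice {inv.number}: non-positive quantity {inv.quantity}")
        if inv.unit_price < 0:
            exceptions.append(f"invoice {inv.number}: negative unit price {inv.unit_price}")
        # Mathematical accuracy: stored total must equal quantity x unit price
        if inv.quantity * inv.unit_price != inv.line_total:
            exceptions.append(f"invoice {inv.number}: line total {inv.line_total} != "
                              f"{inv.quantity} x {inv.unit_price}")
    # Numerical sequence check: invoice numbers unique and contiguous
    numbers = sorted(inv.number for inv in invoices)
    for prev, cur in zip(numbers, numbers[1:]):
        if cur == prev:
            exceptions.append(f"invoice {cur}: duplicate number")
        elif cur != prev + 1:
            exceptions.append(f"sequence gap between {prev} and {cur}")
    # Batch control total: recomputed sum must match the batch header
    actual = sum((inv.line_total for inv in invoices), Decimal("0"))
    if actual != control_total:
        exceptions.append(f"batch total {actual} != control total {control_total}")
    return exceptions


# Constructed batch with one deliberate defect per control
SAMPLE_BATCH = [
    Invoice(1001, "C100", 2, Decimal("10.00"), Decimal("20.00")),
    Invoice(1002, "C101", 3, Decimal("5.50"), Decimal("16.50")),
    Invoice(1004, "", 1, Decimal("7.25"), Decimal("7.52")),      # no customer, wrong total
    Invoice(1004, "C103", 0, Decimal("3.00"), Decimal("0.00")),  # duplicate number, zero qty
]
SAMPLE_CONTROL_TOTAL = Decimal("44.00")   # header says 44.00; the lines sum to 44.02
CLEAN_BATCH = SAMPLE_BATCH[:2]
CLEAN_CONTROL_TOTAL = Decimal("36.50")


def run_sample_audit():
    """Run both tests on the constructed data and return their findings."""
    return {
        "itgc": terminated_with_active_access(HR_TERMINATIONS, ACTIVE_ACCOUNTS, AS_OF),
        "application": check_invoice_batch(SAMPLE_BATCH, SAMPLE_CONTROL_TOTAL),
        "clean": check_invoice_batch(CLEAN_BATCH, CLEAN_CONTROL_TOTAL),
    }


if __name__ == "__main__":
    for area, findings in run_sample_audit().items():
        print(area, findings)
```

On the constructed data the ITGC test reports two accounts that outlived their owners' termination (one of them used afterwards), and the application test reports six exceptions: a missing customer id, a line total that does not equal quantity times price, a zero quantity, a sequence gap, a duplicate invoice number, and a batch total that disagrees with the control total. A batch that is free of those defects returns an empty list, which is what "the control is operating" looks like in a CAAT.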

Refer to Exhibit 1.3 for an illustration of general and application controls, and how they should be in place in order to mitigate risks and safeguard applications. Notice in the exhibit that the application system is constantly surrounded by risks. Risks are represented in the exhibit by explosion symbols. These risks could be in the form of unauthorized access, loss or theft of equipment and information, system shutdown, etc. The general controls, shown in the hexagon symbols, also surround the application and provide a “protective shield” against the risks. Lastly, there are the application or automated controls, which reside inside the application and provide first-hand protection over the input, processing, and output of the information.

IT Auditing Trends
Computing has become indispensable to the activities of organizations worldwide. The Control Objectives for Information and Related Technology (COBIT) Framework was created in 1995 by ISACA. COBIT, now on its fifth edition, emphasizes this point and substantiates the need to research, develop, publicize, and promote up-to-date, internationally accepted IT control objectives. In earlier documents such as the 1993 discussion paper “Minimum Skill Levels in Information Technology for Professional Accountants” and its 1992 final report “The Impact of Information Technology on the Accountancy Profession,” the International Federation of Accountants (IFAC) acknowledges the need for better university-level education to address growing IT control concerns and issues.
Reports of information theft, computer fraud, information abuse, and other related control concerns are being heard more frequently around the world. Organizations are more information-conscious, people are scattered due to decentralization, and computers are used more extensively in all areas of commerce. Owing to the rapid diffusion of computer technologies and the ease of information accessibility, knowledgeable and well-trained IT auditors are needed to ensure that more effective controls are put in place to maintain data integrity and manage access to information. The need for better controls over IT has been echoed in the past by prior studies such as the AICPA Committee of Sponsoring Organizations of the Treadway Commission (COSO); International Organization for Standardization (ISO) 17799 and 27000; the IIA Systems Auditability and Control Report; Guidelines for the Security of IS by the OECD; the U.S. President’s Council on Integrity and Efficiency in Computer Audit Training curriculum; and the United States’ National Strategy for Securing Cyberspace released in 2002; among others.

[Exhibit 1.3 (figure): The application, with its application or automated controls, sits at the center. Around it is the “protecting shield” of general controls: access termination process, physical security, implementation of application changes, monitoring/tracking of job exceptions, change request approvals, offsite storage, account administration, and data backup. Outside the shield are the risks: theft or damage to hardware, unauthorized modification of sensitive information, loss/theft of information, system crash, unauthorized disclosure of confidential data, inappropriate manual intervention, and unauthorized processing.]

Exhibit 1.3 Relationship between general computer controls and application controls.
The AICPA’s Assurance Services Executive Committee (ASEC) is responsible for updating and maintaining the Trust Services Principles and Criteria (TSPC) and creating a framework of principles and criteria to provide assurance on the integrity of information. TSPC presents criteria for use by practitioners when providing professional attestation or advisory services to assess controls relevant to the following principles:

◾◾ Security: The system is protected against unauthorized access (both physical and logical).
◾◾ Availability: The system is available for operation and use as committed or agreed.
◾◾ Processing integrity: System processing is complete, accurate, timely, and authorized.
◾◾ Confidentiality: Information designated as confidential is protected as committed or agreed.
◾◾ Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

The theory and methodologies of IT auditing are integrated from five areas: a fundamental understanding of business, traditional auditing, IT management, behavioral science, and IT sciences. Business understanding and knowledge are the cornerstones of the audit process. Traditional auditing contributes knowledge of internal control practices and overall control philosophy within a business enterprise. IT management provides methodologies necessary to achieve successful design and implementation of systems. Behavioral science indicates when and why IT is likely to fail because of people’s problems. IT sciences contribute to knowledge about control theory and the formal models that underlie hardware and software designs as a basis for maintaining data integrity.
Ever since ISACA was formed, there has been a growing demand for well-trained and skilled IT audit professionals. The publication The EDP Auditors Association: The First Twenty-Five Years documents the early struggles of the association and the evolution of IT audit practices in this field.
The area of information assurance has also grown and evolved. The United States in its passage
of the Cyber Security Research and Development Act has pledged almost a billion dollars for the
development of curriculum, research, and skills for future professionals needed in this field.

Information Assurance
Organizations increasingly rely on critical digital electronic information capabilities to store, process, and move essential data in planning, directing, coordinating, and executing operations. Powerful and sophisticated threats can exploit security weaknesses in many of these systems. Outsourcing technological development to countries that could have terrorists on their development staff causes speculation that the potential exists for code to be implanted that would cause disruption, havoc, embezzlement, theft, and so on. These and other weaknesses that can be exploited become vulnerabilities that can jeopardize the most sensitive components of information capabilities. However, we can employ deep, layered defenses to reduce vulnerabilities and deter, defeat, and recover from a wide range of threats. From an information assurance perspective, the capabilities that we must defend can be viewed broadly in terms of four major elements: local computing environments, their boundaries, networks that link them together, and their supporting infrastructure. The U.S. National Strategy for Securing Cyberspace is one of those initiatives.
The term “information assurance” is defined as information integrity (the level of confidence and trust that can be placed on the information) and service availability. In all contexts, whether business or government, it means safeguarding the collection, storage, transmission, and use of information. The ultimate goal of information assurance is to protect users, business units, and enterprises from the negative effects of corruption of information or denial of services. The Department of Homeland Security and supporting organizations such as the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Central Intelligence Agency (CIA) have all worked toward supporting this goal.
As the nation’s IS and their critical infrastructures are being tied together (government and business), the points of entry and exposure increase, and thus, risks increase. The technological advancement toward higher bandwidth communication and advanced switching systems has reduced the number of communications lines and further centralized the switching functions. Survey data indicates that the increased risk from these changes is not widely recognized. Since 9/11, more coordinated efforts have been made by U.S. defense organizations such as the Defense Information Systems Agency to promulgate standards for the Defense Information Infrastructure and the Global Information Grid, which should have a positive impact on information assurance that will extend beyond the U.S. Department of Defense and impact all segments of the national economy. The NSA has drafted and produced standards for IT security personnel that not only impact federal agencies but also corporate entities who contract IT services in support of the federal government. NIST, for example, has generated security guidance for Health Insurance Portability and Accountability Act compliance that impacts the medical profession and all corporations/businesses servicing the health field who handle medical information. A similar example is the Payment Card Industry Data Security Standard (PCI DSS), maintained, managed, and promoted worldwide by the PCI Security Standards Council (Council). The Council was founded in 2006 by major credit card companies such as American Express, Discover, JCB International, MasterCard, and Visa, Inc. These companies share equally in governance, execution, and compliance of the Council’s work. PCI DSS refers to technical and operational requirements applicable specifically to entities that store, process, or transmit cardholder data, with the intention of protecting such data in order to reduce credit card fraud.

Need for IT Audit
Initially, IT auditing (formerly called electronic data processing [EDP], computer information systems [CIS], and IS auditing) evolved as an extension of traditional auditing. At that time, the need for an IT audit came from several directions:

◾◾ Auditors realized that computers had impacted their ability to perform the attestation function.
◾◾ Corporate and information processing management recognized that computers were key resources for competing in the business environment, similar to other valuable business resources within the organization, and therefore the need for control and auditability was critical.
◾◾ Professional associations and organizations, and government entities recognized the need for IT control and auditability.

The early components of IT auditing were drawn from several areas. First, traditional auditing contributes knowledge of internal control practices and the overall control philosophy. Another contributor was IS management, which provides methodologies necessary to achieve successful design and implementation of systems. The field of behavioral science provided questions and analysis as to when and why IS are likely to fail because of people problems. Finally, the field of computer science contributes knowledge about control concepts, discipline, theory, and the formal models that underlie hardware and software design as a basis for maintaining data validity, reliability, and integrity.
IT auditing became an integral part of the audit function because it supports the auditor’s judgment on the quality of the information processed by computer systems. Auditors with IT audit skills were viewed as the technological resource for the audit staff. The audit staff often looked to them for technical assistance. The IT auditor’s role evolved to provide assurance that adequate and appropriate controls are in place. Of course, the responsibility for ensuring that adequate internal controls are in place rests with management. The audit’s primary role, except in areas of management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner. Management’s role is to ensure and the auditors’ role is to assure.
There are several types of needs within IT auditing, including organizational IT audits (management control over IT), technical IT audits (infrastructure, data centers, data communication), and application IT audits (business/financial/operational). There are also development/implementation IT audits (specification/requirements, design, development, and post-implementation phases), and compliance IT audits involving national or international standards.
When auditing IT, the breadth and depth of knowledge required are extensive. For instance, auditing IT involves:

◾◾ Application of risk-oriented audit approaches
◾◾ Use of computer-assisted audit tools and techniques
◾◾ Application of standards (national or international) such as the ISO* to improve and implement quality systems in software development and meet IT security standards
◾◾ Understanding of business roles and expectations in the auditing of systems under development as well as the purchase of software packages and project management
◾◾ Assessment of information security, confidentiality, privacy, and availability issues which can put the organization at risk
◾◾ Examination and verification of the organization’s compliance with any IT-related legal issues that may jeopardize or place the organization at risk
◾◾ Evaluation of complex systems development life cycles (SDLC) or new development techniques (i.e., prototyping, end-user computing, rapid systems, or application development)
◾◾ Reporting to management and performing a follow-up review to ensure that the actions taken work

The auditing of IT and communications protocols typically involves the Internet, intranet, extranet, electronic data interchange, client servers, local and wide area networks, data communications, telecommunications, wireless technology, integrated voice/data/video systems, and the software and hardware that support these processes and functions. Some of the top reasons to initiate an IT audit include the increased dependence on information by organizations, the rapidly changing technology with new risks associated with such technology, and the support needed for financial statement audits.
SOX also requires the assessment of internal controls and makes it mandatory for SEC registrants. As part of the process for assessing the effectiveness of internal controls over financial reporting, management needs to consider controls related to the IS (including technologies) that support relevant business and financial processes. These controls are referred to as ITGCs (or IT general controls). As mentioned earlier, ITGCs are IT processes, activities, and/or procedures that are performed within the IT environment and relate to how the applications and systems are developed, maintained, managed, secured, accessed, and operated. Exhibit 1.4 illustrates other top reasons to have IT audits.

* Examples of ISO standards include ISO/IEC 27002, ISO/IEC 27000, and ISO 17799.
◾◾ To support the effective functioning of application controls
◾◾ To assess the increase of sophisticated and “creative” programming
◾◾ To control and monitor the significant growth of corporate hackers, either internal or external
◾◾ To support financial statement audits
◾◾ To assess the completeness and accuracy of information
◾◾ To address the rapidly changing technology and the new risks associated with such technology
◾◾ To assess the integrity of information and security of data
◾◾ To identify controls that can address specific IT risks
◾◾ To control the easy access to organization networks from office and remote personal computers
◾◾ To audit large amounts of data

Exhibit 1.4 Top reasons for having an IT audit.

IT Governance
There have been many changes in the way enterprises address IT issues, resulting in a renewed focus on the concepts of IT governance. CEOs, Chief Financial Officers, Chief Operating Officers, Chief Technology Officers, and Chief Information Officers agree on the founding principles of IT governance, which focus on strategic alignment between IT and enterprise objectives. This, in turn, creates changes to tactical and day-to-day operational management of IT in the organization.
IT governance is the process by which an enterprise’s IT is directed and controlled. As defined earlier, IT refers to the hardware, software, communication, and other facilities used to input, store, process, transmit, and output data in whatever form. Effective IT governance helps ensure that IT supports business goals, maximizes business investment in IT, and appropriately manages IT-related risks. IT governance also helps ensure achievement of critical success factors by efficiently and effectively deploying secure, reliable information and applied technology.
Because IT impacts the operation of an entire organization, everyone within the organization should have an interest and role in governing its use and application. This growing awareness has led organizations to recognize that, if they are to make the most of their IT investment and protect that investment, they need a formal process to govern it. Reasons for implementing an IT governance program include:

◾◾ Increasing dependence on information and the systems that deliver the information
◾◾ Increasing vulnerabilities and a wide spectrum of threats
◾◾ Scale and cost of current and future investments in information and IS
◾◾ Potential for technologies to dramatically change organizations and business practices to create new opportunities and reduce costs

As long as these factors remain a part of business, there will be a need for effective, interdependent systems of enterprise and IT governance.
An open-standard IT governance tool that helps nontechnical and technical managers and auditors understand and manage risks associated with information and related IT is COBIT, developed by the IT Governance Institute and the Information Systems Audit and Control Foundation. COBIT is a comprehensive framework of control objectives that helps IT auditors, managers, and executives discharge fiduciary responsibilities, understand the IT systems, and decide what level of security and control is adequate. COBIT provides an authoritative, international set of generally accepted IT practices for business managers and auditors. COBIT is discussed in Chapter 3.

Role of the IT Auditor


The auditor evaluating today’s complex systems must have highly developed technical skills to
understand the evolving methods of information processing. Contemporary systems carry risks
such as non-compatible platforms, new methods to penetrate security through communication
networks (e.g., the Internet), and the rapid decentralization of information processing with the
resulting loss of centralized controls.
As the use of IT in organizations continues to grow, auditing computerized systems must be
accomplished without many of the guidelines established for the traditional auditing effort. In
addition, new uses of IT introduce new risks, which in turn require new controls. IT auditors are
in a unique position to evaluate the relevance of a particular system to the enterprise as a whole.
Because of this, the IT auditor often plays a role in senior management decision making.
The role of IT auditor can be examined through the process of IT governance and the existing
standards of professional practice for this profession. As mentioned earlier, IT governance is an
organizational involvement in the management and review of the use of IT in attaining the goals
and objectives set by the organization.

IT Auditor as Counselor
In the past, users have abdicated responsibility for controlling computer systems, mostly because of the psychological barriers that surround the computer. As a result, there are few checks and balances, except for the IT auditor. IT auditors must take an active role in assisting organizations in developing policies, procedures, standards, and/or best practices on safeguarding of the information, auditability, control, testing, etc. A good information security policy, for instance, may include:

◾◾ Specifying required security features
◾◾ Defining “reasonable expectations” of privacy regarding such issues as monitoring people’s activities
◾◾ Defining access rights and privileges and protecting assets from losses, disclosures, or damages by specifying acceptable use guidelines for users
◾◾ Providing guidelines for external communications (networks)
◾◾ Defining responsibilities of all users
◾◾ Establishing trust through an effective password policy
◾◾ Specifying recovery procedures
◾◾ Requiring violations to be recorded
◾◾ Acknowledging that owners, custodians, and clients of information need to report irregularities and protect its use and dissemination
◾◾ Providing users with support information

The SANS Institute provides general information security policy templates on its Website, which can be downloaded and serve as a great starting point for any organization. A good computer security policy will differ for each organization, corporation, or individual depending on security needs. An information security policy will not guarantee a system’s security or make the network completely safe from possible attacks from cyberspace. Nevertheless, a security policy, helped by effective security products and a plan for recovery, may help reduce potential losses to levels considered “acceptable” and minimize the leaking of private information. The IT auditor is part of an institutional team that helps create shared governance over the use, application, and assurance of IT within the organization.
An IT audit staff in a large corporation can make a major contribution to computer system
control by persuading user groups to insist on a policy of comprehensive testing for all new systems
and all changes to existing systems. By reviewing base-case results, user groups can control the
accuracy of new or changed systems by actually performing a complete control function. Auditors
must convince users and IT personnel of the need for a controlled IT environment.
Insisting that all new systems be reviewed at predefined checkpoints throughout the system’s
development life cycle can also enhance control of IT. The prospect of audit review should prompt
both user and systems groups to define their objectives and assumptions more carefully. Here, too,
IT auditors can subtly extend their influence.

IT Auditor as Partner of Senior Management


Although the IT auditor’s roles of counselor and skilled technician are vital to successful company operation, they may be irrelevant if the auditor fails to view auditing in relation to the organization as a whole. A system that appears well controlled may be inconsistent with the operation of a business.
Decisions concerning the need for a system traditionally belonged to management, but because
of a combination of factors (mostly the complex technology of the computer), computer system
audits were not successfully performed. When allocating funds for new systems, management
has had to rely on the judgment of computer personnel. Although their choices of new and more
effective computer systems cannot be faulted, computer personnel have often failed to meet the
true business needs of the organization.
Management needs the support of a skilled computer staff that understands the organization’s requirements, and IT auditors are in such a position to provide that information. They can provide management with an independent assessment of the effect of IT decisions on the business. In addition, the IT auditor can verify that all alternatives for a given project have been considered, all risks have been accurately assessed, the technical hardware and software solutions are correct, business needs will be satisfied, and costs are reasonable.

IT Auditor as Investigator
As a result of increased legislation and the use of computer evidence within the courts, the ability to capture and document computer-generated information related to criminal activity is critical for purposes of prosecution. The awareness and use of computer-assisted tools and techniques in performing forensic support work have provided new opportunities for the IT auditor, IT security personnel, and those within law enforcement and investigation. For the IT audit professional, computer forensics is an exciting, developing field. The IT auditor can work in the field of computer forensics or work side by side with a computer forensics specialist, supplying insight into a particular system or network. The specialists can ask the IT audit professionals questions pertaining to the system and get responses faster than having to do research and figure everything out on their own. Although the specialist is highly trained and can adapt to almost any system or platform, collaboration can make the jobs of the forensic specialist and the IT professional easier and more efficient.
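What “capture and document computer-generated information” looks like in practice is largely a matter of proving, later and to someone else, that the evidence is the same as when it was acquired and that the record of who handled it has not been altered. The following Python block is an added example, not code from the book or from any forensic tool it mentions: it hashes a captured file at acquisition, records every hand-off in a hash-chained chain-of-custody log, and then re-verifies both the file and the log. The evidence file contents, evidence id, and handler names are constructed sample values.

```python
"""Added example: documenting captured evidence so that its integrity and its
handling record can be verified later.  The evidence file, evidence id and
handler names below are constructed sample values."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64   # back-link used by the first entry of a new log


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large images can be hashed too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry):
    """Hash of an entry's content, excluding its own stored hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record.  Each entry carries the hash of the
    previous entry, so editing or removing an earlier entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def record(self, action, evidence_id, digest, handler, note=""):
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "evidence_id": evidence_id,
            "sha256": digest,
            "handler": handler,
            "note": note,
            "previous_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """True if every entry's stored hash and back-link are still correct."""
        prev = GENESIS
        for entry in self.entries:
            if entry["previous_entry_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def verify_evidence(path, log, evidence_id):
    """Recompute the file hash and compare it with the hash recorded at acquisition."""
    acquired = next(e for e in log.entries
                    if e["evidence_id"] == evidence_id and e["action"] == "acquired")
    return hash_file(path) == acquired["sha256"]


def demo():
    """Acquire a constructed evidence file, hand it over, then show that a later
    change to the file and a later edit of the log are both detected."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "server.log")   # constructed sample evidence
        with open(path, "wb") as f:
            f.write(b"2024-03-01T02:13:07Z auth failure user=svc_backup src=10.0.0.7\n")
        log = CustodyLog()
        log.record("acquired", "EV-001", hash_file(path), "Examiner A", "copied from host")
        log.record("transferred", "EV-001", hash_file(path), "Examiner B")
        result = {"file_intact": verify_evidence(path, log, "EV-001"),
                  "log_intact": log.verify_chain()}
        with open(path, "ab") as f:                  # simulate alteration of the evidence
            f.write(b"extra line\n")
        result["file_intact_after_change"] = verify_evidence(path, log, "EV-001")
        log.entries[0]["handler"] = "someone else"   # simulate editing the custody log
        result["log_intact_after_edit"] = log.verify_chain()
        return result


if __name__ == "__main__":
    print(demo())
```

The design point is that the file hash and the log protect different things: the hash recorded at acquisition shows the evidence has not changed, while the hash chain shows the handling record has not been rewritten after the fact. In real casework the log would be written to storage the examiners cannot silently rewrite, and the hashes would be recorded on the acquisition form as well.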
Since its birth in the early 1970s, computer forensics has continuously evolved into what is
now a very large field. New technologies and enhancements in protocols are allowing engineers
and developers to create more stable and robust hardware, software, and tools for the specialist to
use in computer-related criminal investigations. As computers become more advanced and more
abundant, so do criminal activities. Therefore, the computer forensics niche is also in constant
progression along with the technological advancements of computers.

IT Audit: The Profession


With the passage of the Homeland Security Act, the Patriot Act, and SOX, the role of the auditor (internal and external) is more critical to the verification and validation of the financial infrastructure. The profession of IT auditing can provide a person with exposure to the way information flows within an organization and give its members the ability to assess its validity, reliability, and security. IT auditing involves people, technology, operations, and systems. It is a dynamic and challenging profession with a future that brings growth into new areas such as IT security and computer forensics, to name a few.
Today, IT auditors interact with managers, users, and technicians from all areas of most organizations. They must have interpersonal skills to interact with multiple levels of personnel and technical skills to understand the variety of technology used in information processing activity—especially technology used in generating and/or processing the company’s financial information (e.g., financial statements, etc.). The IT auditor must also gain an understanding of and be familiarized with the operational environment to assess the effectiveness of the internal control structure. Finally, the IT auditor must understand the technological complexities of existing and future systems and the impact they have on operations and decisions at all levels.
IT auditing is a relatively new profession, and employment opportunities are present in all sectors of private industry, public accounting, and government worldwide. A profession is more than just an occupation. A profession has certain special characteristics, including a common body of knowledge, certification, continuing education, professional associations and ethical standards, and educational curriculum.

A Common Body of Knowledge


Since 1975, there have been various studies identifying a common body of knowledge for the IT audit profession. A common body of knowledge consists of clearly identified areas in which a person must attain a specific level of understanding and competency necessary to successfully practice within the profession. These areas are categorized into core areas. Organizations such as ISACA, AICPA, IIA, CICA, ISSA, InfoSec, and others around the world have issued major studies and papers on the topic of the knowledge, skills, and abilities needed to audit computer systems. Students, especially the ones with business and computer majors, receive a degree of base-level training in (1) auditing concepts and practices; (2) management concepts and practices; (3) computer systems, telecommunications, operations, and software; (4) computer information processing techniques; and (5) understanding of business on local and international scales. These are some of the major core areas of competency identified by the various independent studies for the individual who enters the IT audit, control, and security field.

Certification
Certification is a vital component of a profession. As you prepare for entry into your profession, whether it is accounting, IS, or other business fields, certification will be the measure of your level of knowledge, skills, and abilities in the profession. For example, attainment of the CPA designation is an important career milestone for the practicing accountant. In IT auditing, the Certified Information Systems Auditor (CISA) is one of the main levels of recognition and attainment. There are certain requirements for candidates to become CISA certified, such as:

◾◾ Passing a rigorous written examination
◾◾ Evidencing a minimum of 5 years of professional IS auditing, control or security work experience
◾◾ Adhering to the ISACA’s Code of Professional Ethics and the Information Systems Auditing Standards as adopted by ISACA
◾◾ Agreeing to comply with the CISA Continuing Education Policy

The CISA examination covers areas (or domains) within the process of auditing IS; governance and management of IT; IS acquisition, development and implementation; IS operations, maintenance and service management; and the protection of information assets. Thus, university education plays an important part in providing the groundwork toward the certification process. Other licenses and certifications relevant to the IT auditor include the following: CPA, Certified Chartered Accountant (CA), Certified Internal Auditor (CIA), Certified Computer Professional (CCP), Certified Government Financial Manager (CGFM), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), AICPA’s Certified Information Technology Professional (CITP), and Certified Fraud Examiner (CFE).
Certification is important and a measure of skill attainment within the profession. Attainment
of more than one certification will enhance your knowledge, skills, and abilities within the audit
domain. Proficiency in skill application comes from experience and continuing education. The
dynamic changes in business (commerce), IT, and world events continue to shape the future for
this exciting profession.

Continuing Education
Certification requires continuing education so that those who are certified maintain a level of
proficiency and continue their certification. Continuing education is an important element for
career growth. As graduates enter their profession, they will find that their academic education
is the foundation for continued development of career-enhancing knowledge, skills, and abilities.
A continuing education requirement exists to support the CISA program. The IT auditor of the
future will constantly face change with regard to existing systems and the dynamics of the envi-
ronment (i.e., reorganization, new technology, operational change, and changing requirements).
The breadth and depth of knowledge required to audit IT is extensive. For example, IT auditing
involves the application of risk-oriented audit approaches; the use of computer-assisted audit tools
and techniques (e.g., EnCase, CaseWare, Idea, ACL, Guardant, eTrust, CA-Examine, etc.); the
application of national or international standards (e.g., ISO 9000/3, ISO 17799, ISO 27000, and
related amendments to improve and implement quality systems in software development); the
auditing of systems under development involving complex SDLC or new development techniques
(e.g., prototyping, end-user computing, rapid systems development, etc.); and the auditing of com-
plex technologies involving electronic data interchange, client servers, local and wide area networks,
data communications, telecommunications, and integrated voice/data/video systems.
Because the organizational environment in which the IT auditor operates is a dynamic one, it
is important that new developments in the profession be understood so that they may be appropri-
ately applied. Thus, the continuing education requirement helps the CISA attain new knowledge
and skills to provide the most informed professional opinion. Training courses and programs are
offered by a wide variety of associations and organizations to assist in maintaining the necessary
skills that they need to continue to improve and evolve. Methods for receiving such training may
even be global with video teleconferencing and telecommuting and with the Internet playing a
major role in training delivery.

Professional Associations and Ethical Standards
As a manager at any level, one must remember that auditors, whether internal or external, have
standards of practice that they must follow. Like IT professionals, auditors may belong to one or
more professional associations and have codes of ethics and professional standards of practice and
guidance that help them in performing their reviews and audits. If they are seen not perform-
ing their work to the "standards of practice" for their profession, they know they could be open to a
potential lawsuit or even be "decertified." Some of the organizations that produce such standards of
practice are the AICPA, IIA, IFAC, CICA, GAO, and ISACA.
ISACA, created in 1969, is today's leading professional association for IT governance, assurance,
security, and control. ISACA:

◾◾ provides knowledge and education on areas like IS assurance, information security, enter-
prise governance, IT risk management, and compliance.
◾◾ offers globally known certifications/designations, such as CISA, CISM, Certified in the
Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).
◾◾ develops and frequently updates international IS auditing and control standards, such as
the COBIT standard. COBIT assists both IT auditors and IT management in performing
their daily duties and responsibilities in the areas of assurance, security, risk and control, and
in delivering value to the business.

To act as an auditor, one must have a high standard of moral ethics. The term auditor is Latin for
one that hears complaints and makes decisions or acts like a judge. To act as a judge, one definitely
must be morally ethical or it defeats the purpose. Ethics are a very important basis for our culture
as a whole. If the auditor loses favor in this area, it is almost impossible to regain the trust the audi-
tor once had with audit management and auditees. Whether an auditor is ethical in the beginning
or not, they should all start off with the same amount of trust and good favor from the client or
auditee. If the bond is not broken, the auditor establishes a good name as someone who can be
trusted with sensitive material.
In today’s world economy, trust is an unheard-of word. No one can trust anyone these days
and for this reason it is imperative that high ethics are at the top of the manager’s list of topics to
cover with new audit teams. Times are changing and so are the clients requesting audit services.
Most managers will state that they cherish this aspect called ethics because it distinguishes them
from others without it.
For example, say a budget calls for numerous hours. It is unethical to put down hours not
worked. It is also unethical to overlook something during the audit because the client says it is not
important. A fine line exists between what is ethical and what is legal. Something can be ethically
wrong but still legal. However, with that being said, some things initially thought to be unethical
become illegal over time. If there is a large enough population opposed to something ethically
incorrect, you will see legislation introduced to make it illegal.
When IT auditors attain their CISA certification, they also subscribe to a Code of Professional
Ethics. This code applies to not only the professional conduct but also the personal conduct of
IT auditors. The code is actually not in conflict with codes of ethics from other audit/assurance
related domains (e.g., IIA, AICPA, etc.). It requires that the ISACA standards are adhered to, con-
fidentiality is maintained, any illegal or improper activities are reported, the auditor’s competency
is maintained, due care is used in the course of the audit, the results of audit work are communi-
cated, and high standards of conduct and character are maintained.

Educational Curricula
IT auditing is a profession with conduct, aims, and qualities that are characterized by world-
wide technical and ethical standards. It requires specialized knowledge and often long and inten-
sive academic preparation. Most accounting, auditing, and IT professional societies believe that
improvements in research and education will definitely provide a “better-developed theoretical
and empirical knowledge base for the IT audit function.” They feel that emphasis should be placed
on education obtained at the college level.
The academic communities both in the United States and abroad have started to incorporate
portions of the common body of knowledge and the CISA examination domains into courses
taught at the university level. Several recent studies indicate the growth of computer audit courses
emerging in university curricula worldwide.
Various universities have developed curricula tailored to support the profession of IT auditing.
Although the curricula at these universities constantly evolve, they currently exist at institutions
such as Bentley University (Massachusetts), Bowling Green State University (Ohio), California
State Polytechnic University, University of Mississippi, University of Texas, Georgia State
University, University of Maryland, University of Tennessee, National Technological University
(Argentina), University of British Columbia (Canada), York University (Canada), and the Hong
Kong University of Science and Technology, among others. Graduates from these programs qual-
ify for 1 year of work experience toward their CISA certification.
A Model Curriculum for undergraduate and graduate education in IS and IT audit education
was initially issued in March 1998 and updated in 2004, 2009, and 2011 by the IS Audit and
Control Association and Foundation. The purpose of the Model is to provide colleges, universi-
ties, and/or educational institutions the necessary tools to educate students, and prepare them
to enter the IT audit profession. Education through the Model focuses on fundamental course
components of IT audit and control, as well as keeps up with the rapid pace of technological
change. Such education is also in line with recent events, government regulations, and changes in
business processes, all of which have affected the role of IT audit and the methodologies used by
IT auditors.

IT Auditor Profile: Experience and Skills
Experience in IT audit is a definite must. Nothing in this world can compare to actual on-the-job,
real-world experiences. Theory is also valuable, and for the most part an IT auditor should rely on
theory to progress through an audit. For example, if IT auditors wish to demonstrate their com-
mitment and knowledge level of the field, they can select an area to be tested. A number of profes-
sional certifications exist that can benefit the auditor. In the IT audit area, for instance, to pass the
CISA exam, one must know, understand, and be able to apply the theory of modern IT auditing to
all exam questions posed. There are other relevant licenses and certifications, as mentioned earlier,
that can be very useful to an IT auditor’s career and future plans.
The understanding of theory is definitely essential to the successful IT auditor. However, the-
ory can only take one so far. This textbook and others available should be viewed as a guide. In
this field, given the complexity of the technology and of the situations encountered, there comes a
time when an IT auditor has to rely on experience to confront a situation never encountered before. Experience in the
field is a definite plus, but having experience in a variety of other fields can sometimes be more
beneficial. For example, an IT audit manager working for a Big Four public accounting firm is
going to be exposed to a wide variety of IT audit situations and scenarios. Such experience will
help broaden horizons and further knowledge in the IT audit field. Another example would be an
Internal Audit Supervisor that has performed risk-focused and compliance audits for all depart-
ments within an organization. Such ample experience is nothing but a plus, and likely will allow
the auditor to add significant, above-and-beyond value to the organization’s operations.
Direct entry into the profession, as is the situation today, may change with entry-level require-
ments, including experience in business processes, systems, and technology, as well as sound
knowledge of general auditing theory supplemented by practical experience. Additionally, IT
auditors may require specific industry expertise such as banking, telecommunications, transpor-
tation, or finance and insurance to adequately address the industry-specific business/technology
issues. This book provides current information and approaches to this complex field, which can
help the practitioners and those wanting to learn more.
Experience comes with time and perseverance, as is well known, but auditors should not limit
themselves to just one industry, software, or operating system. They should challenge themselves
and broaden their horizons with exposure to a multitude of different environments, if possible.
The broader and more well-rounded the IT auditor is, the better the chance for a successful audit career.
In addition to the experience, effective IT auditors must possess a variety of skills that enable
them to add value to their organizations or clients. The finest technical experience or training
does not necessarily fully prepare auditors for the communication and negotiation skills that are
required for success.
Many of the nontechnical or supplemental skills are concerned with gathering information
from and, of comparable importance, presenting information to people. As such, these supple-
mental skills are readily transferable to other disciplines, for example, finance, management, and
marketing. The final product auditors create is an audit report. If the information within the audit
report is not effectively and efficiently delivered via solid oral and written communication skills,
all value accruing from the audit process could potentially be lost.
Having a diverse set of supplemental or “soft” skills never hurts when one is working with an
auditee. For example, a senior IT auditor was recently conducting an audit in which she was faced
with a client/auditee that was not very cooperative. During the questioning process, the senior IT
auditor established a rapport with the client by using people skills or “soft skills.” The role of an
auditor is not an easy one when we are asked to review, question, and assess the work of others.
Many times, the auditee must have a clear understanding of our role and that the auditor's focus is
not to be critical of the individual but of the organizational policies, procedures, and processes. The
audit objectives focus on the organization's goals and objectives.

Career Opportunities
There are a number of career opportunities available to the individual seeking an opportunity in
IT audit. For the college graduate with the appropriate entry-level knowledge, skills, and abilities,
this career provides many paths for growth and development. Further, as a career develops and
progresses, IT audit can provide mobility into other areas as well. Today’s IT auditors are employed
by public accounting firms, private industries, management consulting firms, and the government.

Public Accounting Firms
Public accounting firms offer individuals an opportunity to enter the IT auditing field. Although
these firms may require such individuals to begin their careers in financial audits to gain experi-
ence in understanding the organization’s audit methodologies, after initial audit experience the
individual who expresses interest in a particular specialization (e.g., forensics, security, etc.) will be
transferred to such specialty for further training and career development. Many who have taken
this career path have been successful, and several have become partners, principals, or directors
within the firm. The primary sources for most public accounting firms are college recruitment and
development within. However, it is not uncommon for a firm to hire from outside for specialized
expertise (e.g., computer forensics, telecommunication, database systems, etc.).

Private Industry
Like public accounting firms, private industry offers entry-level IT audit professional positions. In
addition, IT auditors gain expertise in more specialized areas (e.g., telecommunications, systems
software, and systems design), which can make them candidates for IT operations, IT forensics,
and IT security positions. Many CEOs view audit experience as a management training func-
tion. The IT auditor has particular strengths of educational background, practical experience
with corporate IS, and understanding of executive decision making. Some companies have made a
distinction between IT auditors and operational and financial auditors. Others require all internal
auditors to be capable of auditing IT systems. Sources for persons to staff the IT audit function
within a company generally may come from college recruitment, internal transfers, promotions,
and/or outside hiring.

Management Consulting Firms
Another area of opportunity for IT audit personnel is management consulting. This career area is
usually available to IT auditors with a number of years’ experience. Many management consulting
practices, especially those that provide services in the computer IS environment, hire experienced
IT auditors. This career path allows these candidates to use their particular knowledge, skills, and
abilities in diagnosing an array of computer and management information issues and then assist
the organization in implementing the solutions. The usual resources for such positions are expe-
rienced personnel from public accounting CPA firms, private industries, and the government. IT
forensics is another growing area in management consulting services.

Government
The government offers another avenue for one to gain IT audit experience. In the United States,
federal, state, county, and city governments employ personnel to conduct IT audit-related respon-
sibilities. Federal organizations such as the NSA, FBI, Department of Justice, and the CIA employ
personnel who have IT audit experience, computer security experience, and IT forensics experi-
ence. Governments worldwide also employ personnel to conduct IT audits.
Government positions offer training and experience to personnel responsible for performing
IT audit functions. Sources for government IT auditors are college recruits and employees seeking
internal promotion or transfer. There are occasions when experienced resources may be hired from
the outside as well.

Conclusion
Business operations are changing at a rapid pace because of the rapid, continuing improvement of tech-
nology. Technology has impacted various areas of the business environment, including the use and
processing of information, existing control processes, and how audits are performed to draw conclu-
sions regarding operational or system effectiveness, efficiency, and reporting integrity. Technology also
changes constantly and keeps finding new ways to shape today's IT environments in the
organization. Several recent technologies were described that have revolutionized, and certainly will continue
to revolutionize, organizations, in particular how business is done and the dynamics of the workplace.
Because of major corporate and accounting fraud and scandals, the auditing profession, both
internal and external functions, now looks seriously at the lack of controls in computer infor-
mation systems. Within financial auditing, for instance, there are principles and standards that
rule the CPA profession in the United States (i.e., GAAP and GAAS). These look for accurate
preparation of financial statements as well as effective procedures for their audit examinations. A
different type of auditing, IT auditing, has become an integral part of the audit function because
it supports the auditor’s judgment on the quality of the information processed by computer sys-
tems. IT auditing provides reasonable assurance (never absolute) that the information generated
by applications within the organization is accurate, complete, and supports effective decision mak-
ing consistent with the nature and scope agreed. There are two broad groupings of IT audits (i.e.,
General Computer Controls Audit and Application Controls Audit), both essential to ensure the
continued proper operation of IS.
For the IT auditor, the need for audit remains critical and continues to be a demanding one.
There are many challenges ahead; everyone must work together to design, implement, and safe-
guard the integration of new and existing technologies in the workplace. Given the various
hats IT auditors can wear, they must keep up to date with reviews of and changes in the existing laws
governing the use of computers and the Internet. IT auditors can provide leverage in helping orga-
nizations understand the risks they face and their potential consequences.

Review Questions
1. Technology has impacted the business environment in three areas. Summarize those areas.
2. Differentiate between internal and external auditors in terms of their roles and responsibilities.
3. How is IT auditing defined?
4. General Computer Controls Audit and Application Controls Audit are the two broad group-
ings of IT audits. Summarize both audits and provide specific examples supporting the
controls evaluated within each type of audit.
5. The TSPC, maintained by the AICPA’s ASEC, presents criteria for use by practitioners when
providing professional attestation or advisory services to assess controls relevant to five prin-
ciples. Describe in your own words these principles.
6. Explain what information assurance is.
7. One of the roles of the IT auditor is to act as a Counselor to organizations. As a Counselor,
IT auditors can assist organizations in developing policies, procedures, standards, and/or
best practices, such as an information security policy. Using the characteristics of a good
information security policy listed in the chapter, develop five information security policies
you would share with your client.
8. Explain why IT audit is considered a profession. Describe the requirements for candidates to
become CISA certified.
9. What is ISACA and how does it help the IT audit profession?
10. Where are the current career opportunities for the IT auditor? Search the Internet and iden-
tify at least one job profile/description for each career opportunity identified above. For each
job profile identified, list the following in a table form:
a. Job description
b. Duties, tasks, and responsibilities required
c. Minimum job requirements (or qualifications)
d. Minimum education and/or certification requirements
e. Knowledge, skills, and abilities required, etc.

Exercises
1. After reading this chapter, you should feel comfortable about the general roles and responsi-
bilities of an IT auditor.
a. Describe in your own words what IT auditors do.
b. Why should they be part of the overall audit team when performing the annual financial
audit of a client?
2. List five Websites you can go to for information about:
a. IT auditing
b. IT security and privacy issues
3. Visit the Websites of four external audit organizations: two private and two government
sites. Provide a summary of who they are and their roles, function, and responsibilities.
4. Interview an IT auditor and gather the following information:
a. Position and company?
b. Number of years of experience in IT auditing?
c. Degree(s) and professional certifications?
d. Career path?
e. Why did he or she join IT auditing?
f. Likes and dislikes about IT auditing?
g. Where do they see themselves 5 years from now?
5. You are asked by your IT audit manager to:
a. Prepare a list of at least five professional certifications/designations that would be helpful
for the IT audit staff to have. In a three-column table format, document the name of the
professional certification or designation, the name of the issuing professional organization,
the reasons why you think it would be relevant for the IT auditor, and the source link of the
Website or source examined.
