AUDCIS
MODULE 1

The need for improved control over IT, especially in commerce, has been advanced over
the years in earlier and continuing studies by many national and international
organizations. Essentially, technology has impacted various significant areas of the
business environment, including the use and processing of information, the control
process, and the auditing profession.

• Technology has improved the ability to capture, store, analyze, and process
tremendous amounts of data and information, expanding the empowerment
of the business decision maker. It has also become a primary enabler to
production and service processes. There is a residual effect in that the
increased use of technology has resulted in increased budgets, increased
successes and failures, and better awareness of the need for control.
• Technology has significantly impacted the control process around systems.
Although control objectives have generally remained constant, except for
some that are technology specific, technology has altered the way in which
systems should be controlled. Safeguarding assets, as a control objective,
remains the same whether it is done manually or is automated. However, the
manner by which the control objective is met is certainly impacted.
• Technology has impacted the auditing profession in terms of how audits are
performed (information capture and analysis, control concerns) and the
knowledge required to draw conclusions regarding operational or system
effectiveness, efficiency, and reporting integrity. Initially, the impact was
focused on dealing with a changed processing environment. As the need
for auditors with specialized technology skills grew, so did the IT auditing
profession.

Technology is constantly evolving and finding ways to shape today’s IT environment in
the organization. The following sections briefly describe various recent technologies that
have and will certainly continue to revolutionize organizations, how business is done, and
the dynamics of the workplace.
Enterprise Resource Planning (ERP)
According to the June 2016 edition of Apps Run the World, a technology market-
research company devoted to the applications space, the worldwide market of ERP
systems will reach $84.1 billion by 2020 versus $82.1 billion in 2015. ERP is software
that provides standard business functionality in an integrated IT environment system
(e.g., procurement, inventory, accounting, and human resources [HR]). Refer to Exhibit 1
for an illustration of the ERP modular system.
ERPs allow multiple functions to access a common database—reducing storage costs and
increasing consistency and accuracy of data from a single source. Additionally, ERPs:

• Have standard methods in place for automating processes (i.e., information in
the HR system can be used by payroll, help desk, and so on).
• Share real-time information from modules (finance, HR, etc.) residing in one
common database, hence, financial statements, analyses, and reports are
generated faster and more frequently.

Some of the primary ERP suppliers today include SAP, FIS Global, Oracle, Fiserv, Intuit,
Inc., Cerner Corporation, Microsoft, Ericsson, Infor, and McKesson.
Despite the many advantages of ERPs, they are not much different than purchased or
packaged systems and may therefore require extensive modifications to new or existing
business processes. ERP modifications (i.e., software releases) require considerable
programming to retrofit all of the organization-specific code. Because packaged systems
are generic by nature, organizations may need to modify their business operations to
match the vendor’s method of processing, for instance. Changes in business operations
may not fit well into the organization’s culture or other processes and may also be costly
due to training. Additionally, as ERPs are offered by a single vendor, risks associated with
having a single supplier apply (e.g., depending on a single supplier for maintenance and
support, specific hardware, or software requirements, etc.).
Cloud Computing
Cloud computing continues to have an increasing impact on the IT environment.
According to ISACA (formerly known as the Information Systems Audit and Control
Association), cloud computing, given its exponential growth, should no longer be
considered an emerging technology. Cloud computing has shaped business across the
globe, with some organizations utilizing it to perform business-critical processes. Based
on the July 2015 ISACA Innovation Insights report, cloud computing is considered one of
the key trends driving business strategy. The International Data Corporation, in its 2015
publication, also predicts that cloud computing will grow at 19.4% annually over the next
5 years. Moreover, Deloitte’s 2016 Perspectives Cloud Computing report indicates that
for private companies, cloud computing will continue to be a dominant factor.
Cloud computing, as defined by PC Magazine, refers to the use of the Internet (versus
one’s computer’s hard drive) to store and access data and programs. In a more formal
way, the National Institute of Standards and Technology (NIST) defines cloud computing
as a “model for enabling ubiquitous, convenient, on-demand network access to a shared
pool of configurable computing resources (e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned and released with minimal management
effort or service provider interaction.” NIST also stresses that availability is significantly
promoted by this particular (cloud) model.
The highly flexible services that can be managed in the virtual environment make cloud
computing very attractive for business organizations. Nonetheless, organizations do not
yet feel fully comfortable storing their information and applications on systems residing
outside of their on-site premises. Migrating information into a shared infrastructure
(such as a cloud environment) exposes organizations’ sensitive/critical information to
risks of potential unauthorized access and exposure, among others. Deloitte, one of the
major global accounting and auditing firms, also supports the significance of security
and privacy noted above, and adds, based on its report, that cloud-stored information
related to patient data, banking details, and personnel records, to name a few, is
vulnerable and susceptible to misuse if it falls into the wrong hands.
Mobile Device Management (MDM)
MDM, also known as Enterprise Mobility Management, is a relatively new term, but
already shaping the IT environment in organizations. MDM is responsible for managing
and administering mobile devices (e.g., smartphones, laptops, tablets, mobile printers,
etc.) provided to employees as part of their work responsibilities. Specifically, and
according to PC Magazine, MDM ensures these mobile devices:

• integrate well within the organization and are implemented to comply with
organization policies and procedures
• protect corporate information (e.g., emails, corporate documents, etc.) and
configuration settings for all mobile devices within the organization

Mobile devices are also used by employees for personal reasons. That is, employees
bring their own mobile (personal) device to the organization (also referred to as bring-
your-own-device or BYOD) to perform their work. Allowing employees to use
organization-provided mobile devices for work and personal reasons has proved to
appeal to the average employee. Nevertheless, organizations should monitor and control
the tasks performed by employees when using mobile devices, and ensure employees
remain focused and productive. It does represent a risk to the organization’s security and
a distraction to employees when mobile devices are used for personal and work
purposes. Additionally, allowing direct access to corporate information always represents
an ongoing risk, as well as raises security and compliance concerns to the organization.
Other Technology Systems Impacting the IT Environment
The Internet of Things (IoT) has a potential transformational effect on IT environments,
data centers, technology providers, etc. Gartner, Inc. estimates that by the year 2020,
IoT will include 26 billion units installed and revenues will exceed $300 billion generated
mostly by IoT product and service suppliers.
IoT, as defined by Gartner, Inc., is a system that allows remote assets from “things” (e.g.,
devices, sensors, objects, etc.) to interact and communicate among them and with other
network systems. Assets, for example, communicate information on their actual status,
location, and functionality, among others. This information not only provides a more
accurate understanding of the assets, but also maximizes their utilization and
productivity, resulting in an enhanced decision-making process. The huge volumes of
raw data or data sets (also referred to as Big Data) generated as a result of these massive
interactions between devices and systems need to be processed and analyzed effectively
in order to generate information that is meaningful and useful in the decision-making
process.
Big Data, as defined by the TechAmerica Foundation’s Federal Big Data Commission
(2012), “describes large volumes of high velocity, complex and variable data that require
advanced techniques and technologies to enable the capture, storage, distribution,
management, and analysis of the information.” Gartner, Inc. further defines it as “… high-
volume, high-velocity and/or high-variety information assets that demand cost-effective,
innovative forms of information processing that enable enhanced insight, decision
making, and process automation.”
Even though accurate Big Data may lead to a more confident decision-making process,
and better decisions often result in greater operational efficiency, cost reduction, and
reduced risk, many challenges currently exist and must be addressed.
Challenges of Big Data include, for instance, analysis, capture, data curation, search,
sharing, storage, transfer, visualization, querying, as well as updating. Ernst & Young, in
its EY Center for Board Matters’ September 2015 publication, states that challenges for
auditors include the limited access to audit relevant data, the scarcity of available and
qualified personnel to process and analyze such particular data, and the timely
integration of analytics into the audit. The IoT also delivers fast-moving data from
sensors and devices around the world, and therefore results in similar challenges for
many organizations when making sense of all that data.
Other recent technologies listed in Gartner’s 2015 Hype Cycle for Emerging
Technologies report that are currently impacting IT environments include wearables
(e.g., smartwatches, etc.), autonomous vehicles, cryptocurrencies, consumer 3D printing,
and speech-to-speech translation, among others.
IT Environment as Part of the Organization Strategy
In today’s environment, organizations must integrate their IT with business strategies to
attain their overall objectives, get the most value out of their information, and capitalize
on the technologies available to them. Where IT was formerly viewed as an enabler of an
organization’s strategy, it is now regarded as an integral part of that strategy to attain
profitability and service. At the same time, issues such as IT governance, international
information infrastructure, security, and privacy and control of public and organization
information have driven the need for self-review and self-assurance.
For the IT manager, the words “audit” and “auditor” send chills up and down the spine.
Yes, the auditor or the audit has been considered an evil that has to be dealt with by all
managers. In the IT field, auditors in the past had to be trained or provided orientation in
system concepts and operations to evaluate IT practices and applications. IT managers
cringe at the auditor’s ability to evaluate the complexities and grasp the issues
effectively and efficiently. Nowadays, IT auditors are expected to be well aware of the
organization’s IT infrastructure, policies, and operations before embarking on their
reviews and examinations. More importantly, IT auditors must be capable of determining
whether the IT controls in place by the organization ensure data protection and
adequately align with the overall organization goals.
Professional associations and organizations such as ISACA, the American Institute of
Certified Public Accountants (AICPA), the Canadian Institute of Chartered Accountants
(CICA), Institute of Internal Auditors (IIA), Association of Certified Fraud Examiners
(ACFE), and others have issued guidance, instructions, and supported studies and
research in audit areas.
What Is IT Auditing?
Before defining what IT auditing is, let us explain the difference between IS and IT. An IS,
represented by three components (i.e., people, process, and IT), is the combination of
strategic, managerial, and operational activities involved in managing information. The IT
component of an IS involves the hardware, software, communication, and other facilities
necessary to manage (i.e., input, store, process, transmit, and output) such information.
Refer to Exhibit 1.2.

The term audit, according to ISACA, refers to the formal inspection and verification to
check whether a standard or set of guidelines is being followed, records are accurate, or
efficiency and effectiveness targets are being met. In combining both definitions above,
IT auditing can be defined as the formal, independent, and objective examination of an
organization’s IT infrastructure to determine whether the activities (e.g., procedures, controls,
etc.) involved in gathering, processing, storing, distributing, and using information comply with
guidelines, safeguard assets, maintain data integrity, and operate effectively and efficiently to
achieve the organization’s objectives. IT auditing provides reasonable assurance (never
absolute) that the information generated by applications within the organization is
accurate, complete, and supports effective decision making consistent with the nature
and scope of the engagement previously agreed.
IT auditing is needed to evaluate the adequacy of application systems to meet
processing needs, evaluate the adequacy of internal controls, and ensure that assets
controlled by those systems are adequately safeguarded. As for the IT auditors of today,
their advanced knowledge and skills will progress in two ways. One direction is
continued growth and skill in this profession, leading the way in computer audit research
and development and progressing up the external and internal audit career paths. The
other direction involves capitalizing on a thorough knowledge of organizational systems
and moving into more responsible career areas in general management. Today, even in
these economic times, the demand for qualified IT auditors exceeds the supply. IT
governance has created vast opportunities for the IT auditor.
Learning new ways of auditing is always a priority of internal and external IT auditors.
Most auditors want tools or audit methodologies that will aid them in accomplishing
their task faster and easier. Almost every large organization or company has some sort of
IT audit function or shop that involves an internal audit department. Today, the “Big
Four” firms have designated special groups that specialize in the IT audit field. They all
have staff that perform these external IT audits. Most of these IT auditors assist the
financial auditors in establishing the correctness of financial statements for the
companies they audit. Others focus on special projects such as Internet security
dealing with penetration studies, firewall evaluations, bridges, routers, and gateway
configurations, among others.
There are two broad groupings of IT audits, both of which are essential to ensure the
continued proper operation of IS. These are as follows:

• General Computer Controls Audit. It examines IT general controls (“general
controls” or “ITGCs”), including policies and procedures, that relate to many
applications and support the effective functioning of application controls.
General controls cover the IT infrastructure and support services, including all
systems and applications. General controls commonly include controls over (1)
IS operations; (2) information security (ISec); and (3) change control
management (CCM) (i.e., system software acquisition, change and
maintenance, program change, and application system acquisition,
development, and maintenance). Examples of general controls within IS
operations address activities such as data backups and offsite storage, job
monitoring and tracking of exceptions to completion, and access to the job
scheduler, among others. Examples of general controls within ISec address
activities such as access requests and user account administration, access
terminations, and physical security. Examples of general controls within CCM
may include change request approvals; application and database upgrades;
and network infrastructure monitoring, security, and change management.
• Application Controls Audit. It examines processing controls specific to the
application. Application controls may also be referred to as “automated
controls.” They are concerned with the accuracy, completeness, validity, and
authorization of the data captured, entered, processed, stored, transmitted,
and reported. Examples of application controls include checking the
mathematical accuracy of records, validating data input, and performing
numerical sequence checks, among others. Application controls are likely to be
effective when general controls are effective.
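
As an added illustration of the application-control tests named above (numerical sequence checks, input validation, and checking the mathematical accuracy of records), the following Python re-performs them over a constructed invoice batch. This is example code written for this page, not from the original text; the record layout, the field formats, and the deliberately seeded defects are assumptions.

```python
"""Re-performance of three application controls over a batch of invoices:
numerical sequence check, input validation, and mathematical accuracy
(each record foots to its lines; the batch foots to its control total).
Added example with constructed data; not from the original text."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Invoice:
    number: int
    customer: str        # assumed format: "C" followed by 5 digits
    invoice_date: str    # assumed ISO 8601, YYYY-MM-DD
    lines: list          # list of (quantity, unit_price) tuples
    stated_total: float  # total as recorded by the application


# Constructed sample batch (not real data). Seeded defects: invoice 1003 is
# missing, 1005 is entered twice, 1006 has a malformed customer id and a
# stated total that does not foot, and 1007 carries an impossible date.
SAMPLE_BATCH = [
    Invoice(1001, "C00042", "2016-03-01", [(2, 10.00), (1, 5.50)], 25.50),
    Invoice(1002, "C00043", "2016-03-01", [(3, 4.00)], 12.00),
    Invoice(1004, "C00044", "2016-03-02", [(1, 99.99)], 99.99),
    Invoice(1005, "C00045", "2016-03-02", [(5, 2.00)], 10.00),
    Invoice(1005, "C00045", "2016-03-02", [(5, 2.00)], 10.00),
    Invoice(1006, "X12", "2016-03-03", [(1, 50.00)], 55.00),
    Invoice(1007, "C00047", "2016-13-40", [(1, 1.00)], 1.00),
]
# Control total from the (constructed) batch header, prepared before entry;
# it excludes the duplicated invoice, so the recorded sum will not agree.
BATCH_CONTROL_TOTAL = 203.49


def sequence_check(batch):
    """Numerical sequence check: report duplicates and gaps in invoice numbers."""
    findings = []
    numbers = sorted(inv.number for inv in batch)
    seen = set()
    for n in numbers:
        if n in seen:
            findings.append(f"duplicate invoice number {n}")
        seen.add(n)
    for expected in range(numbers[0], numbers[-1] + 1):
        if expected not in seen:
            findings.append(f"gap in sequence: invoice {expected} missing")
    return findings


def input_validation(batch):
    """Input validation: customer id format, parseable date, sane quantities and prices."""
    findings = []
    for inv in batch:
        cid = inv.customer
        if not (len(cid) == 6 and cid[0] == "C" and cid[1:].isdigit()):
            findings.append(f"invoice {inv.number}: invalid customer id {cid!r}")
        try:
            date.fromisoformat(inv.invoice_date)
        except ValueError:
            findings.append(f"invoice {inv.number}: invalid date {inv.invoice_date!r}")
        for qty, price in inv.lines:
            if qty <= 0 or price < 0:
                findings.append(f"invoice {inv.number}: invalid line ({qty}, {price})")
    return findings


def mathematical_accuracy(batch, control_total):
    """Mathematical accuracy: each invoice foots to its lines; the batch foots to the control total."""
    findings = []
    batch_sum = 0.0
    for inv in batch:
        computed = round(sum(q * p for q, p in inv.lines), 2)
        if abs(computed - inv.stated_total) > 0.005:
            findings.append(
                f"invoice {inv.number}: stated {inv.stated_total:.2f} "
                f"but lines foot to {computed:.2f}")
        batch_sum += inv.stated_total
    batch_sum = round(batch_sum, 2)
    if abs(batch_sum - control_total) > 0.005:
        findings.append(
            f"batch control total {control_total:.2f} does not agree "
            f"with recorded sum {batch_sum:.2f}")
    return findings


def audit_batch(batch, control_total):
    """Run all three tests and return the exceptions per test, as an auditor's workpaper would."""
    return {
        "sequence": sequence_check(batch),
        "validation": input_validation(batch),
        "accuracy": mathematical_accuracy(batch, control_total),
    }


if __name__ == "__main__":
    for test, findings in audit_batch(SAMPLE_BATCH, BATCH_CONTROL_TOTAL).items():
        print(test, findings or "no exceptions")
```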

Refer to Exhibit 1.3 for an illustration of general and application controls, and how they
should be in place in order to mitigate risks and safeguard applications. Notice in the
exhibit that the application system is constantly surrounded by risks. Risks are
represented in the exhibit by explosion symbols. These risks could be in the form of
unauthorized access, loss or theft of equipment and information, system shutdown, etc.
The general controls, shown in the hexagon symbols, also surround the application and
provide a “protective shield” against the risks. Lastly, there are the application or
automated controls which reside inside the application and provide first-hand protection
over the input, processing, and output of the information.

Computing has become indispensable to the activities of organizations worldwide. The
Control Objectives for Information and Related Technology (COBIT) Framework was
created in 1995 by ISACA. COBIT, now on its fifth edition, emphasizes this point and
substantiates the need to research, develop, publicize, and promote up-to-date,
internationally accepted IT control objectives. In earlier documents such as the 1993
discussion paper “Minimum Skill Levels in Information Technology for Professional
Accountants” and their 1992 final report “The Impact of Information Technology on the
Accountancy Profession,” the International Federation of Accountants (IFAC)
acknowledges the need for better university-level education to address growing IT
control concerns and issues.
Reports of information theft, computer fraud, information abuse, and other related
control concerns are being heard more frequently around the world. Organizations are
more information conscious, people are scattered due to decentralization, and
computers are used more extensively in all areas of commerce. Owing to the rapid
diffusion of computer technologies and the ease of information accessibility,
knowledgeable and well-trained IT auditors are needed to ensure that more effective
controls are put in place to maintain data integrity and manage access to information.
The need for better controls over IT has been echoed in the past by prior studies such as
the AICPA Committee of Sponsoring Organizations of the Treadway Commission
(COSO); International Organization for Standardization (ISO) 17799 and 27000; the IIA
Systems Auditability and Control Report; Guidelines for the Security of IS by the OECD;
the U.S. President’s Council on Integrity and Efficiency in Computer Audit Training
curriculum; and the United States’ National Strategy for Securing Cyberspace released in
2002; among others.
The AICPA’s Assurance Services Executive Committee (ASEC) is responsible for updating
and maintaining the Trust Services Principles and Criteria (TSPC) and creating a
framework of principles and criteria to provide assurance on the integrity of information.
TSPC presents criteria for use by practitioners when providing professional attestation
or advisory services to assess controls relevant to the following principles:

• Security: The system is protected against unauthorized access (both physical
and logical).
• Availability: The system is available for operation and use as committed or
agreed.
• Processing integrity: System processing is complete, accurate, timely, and
authorized.
• Confidentiality: Information designated as confidential is protected as
committed or agreed.
• Privacy: Personal information is collected, used, retained, disclosed, and
destroyed in conformity with the commitments in the entity’s privacy notice
and with criteria set forth in generally accepted privacy principles issued by
the AICPA and CICA.

The theory and methodologies of IT auditing are integrated from five areas: a
fundamental understanding of business, traditional auditing, IT management, behavioral
science, and IT sciences. Business understanding and knowledge are the cornerstones of
the audit process. Traditional auditing contributes knowledge of internal control
practices and overall control philosophy within a business enterprise. IT management
provides methodologies necessary to achieve successful design and implementation of
systems. Behavioral science indicates when and why IT are likely to fail because of
people’s problems. IT sciences contribute to knowledge about control theory and the
formal models that underlie hardware and software designs as a basis for maintaining
data integrity.
Ever since ISACA was formed there has been a growing demand for well-trained and
skilled IT audit professionals. The publication The EDP Auditors Association: The First
Twenty-Five Years documents the early struggles of the association and evolution of IT
audit practices in this field.
The area of information assurance has also grown and evolved. The United States in its
passage of the Cyber Security Research and Development Act has pledged almost a
billion dollars for the development of curriculum, research, and skills for future
professionals needed in this field.
Information Assurance
Organizations increasingly rely on critical digital electronic information capabilities to
store, process, and move essential data in planning, directing, coordinating, and
executing operations. Powerful and sophisticated threats can exploit security
weaknesses in many of these systems. Outsourcing technological development to
countries that could have terrorists on their development staff causes speculation that
the potential exists for code to be implanted that would cause disruption, havoc,
embezzlement, theft, and so on. These and other weaknesses that can be exploited
become vulnerabilities that can jeopardize the most sensitive components of information
capabilities. However, we can employ deep, layered defenses to reduce vulnerabilities
and deter, defeat, and recover from a wide range of threats. From an information
assurance perspective, the capabilities that we must defend can be viewed broadly in
terms of four major elements: local computing environments, their boundaries, networks
that link them together, and their supporting infrastructure. The U.S. National Strategy
for Securing Cyberspace is one of those initiatives.
The term “information assurance” is defined as information integrity (the level of
confidence and trust that can be placed on the information) and service availability. In all
contexts, whether business or government, it means safeguarding the collection, storage,
transmission, and use of information. The ultimate goal of information assurance is to
protect users, business units, and enterprises from the negative effects of corruption of
information or denial of services. The Department of Homeland Security and Supporting
Organizations such as the National Security Agency (NSA), Federal Bureau of
Investigation (FBI), and Central Intelligence Agency (CIA) have all worked toward
supporting this goal.
As the nation’s IS and their critical infrastructures are being tied together (government
and business), the points of entry and exposure increase, and thus, risks increase. The
technological advancement toward higher bandwidth communication and advanced
switching systems has reduced the number of communications lines and further
centralized the switching functions. Survey data indicates that the increased risk from
these changes is not widely recognized. Since 9/11, more coordinated efforts have been
made by U.S. defense organizations such as the Defense Information Systems Agency to
promulgate standards for the Defense Information Infrastructure and the Global
Information Grid, which should have a positive impact on information assurance that will
extend beyond the U.S. Department of Defense and impact all segments of the national
economy. The NSA has drafted and produced standards for IT security personnel that
not only impact federal agencies but also corporate entities who contract IT services in
support of the federal government. NIST, for example, has generated security guidance
for Health Insurance Portability and Accountability Act compliance that impacts the
medical profession and all corporations/business servicing the health field who handle
medical information. A similar example includes the Payment Card Industry Data
Security Standards (PCI DSS), maintained, managed, and promoted by the PCI Security
Standards Council (Council) worldwide. The Council was founded in 2006 by major
credit card companies, such as American Express, Discover, JCB International,
MasterCard, and Visa, Inc. These companies share equally in governance, execution, and
compliance of the Council’s work. PCI DSS refers to technical and operational
requirements applicable specifically to entities that store, process, or transmit cardholder
data, with the intention of protecting such data in order to reduce credit card fraud.
Initially, IT auditing (formerly called electronic data processing [EDP], computer
information systems [CIS], and IS auditing) evolved as an extension of traditional
auditing. At that time, the need for an IT audit came from several directions:

• Auditors realized that computers had impacted their ability to perform the
attestation function.
• Corporate and information processing management recognized that
computers were key resources for competing in the business environment and,
similar to other valuable business resources within the organization, the need
for control and auditability was critical.
• Professional associations and organizations, and government entities
recognized the need for IT control and auditability.

The early components of IT auditing were drawn from several areas. First, traditional
auditing contributes knowledge of internal control practices and the overall control
philosophy. Another contributor was IS management, which provides methodologies
necessary to achieve successful design and implementation of systems. The field of
behavioral science provided questions and analysis as to when and why IS are likely to
fail because of people problems. Finally, the field of computer science contributes
knowledge about control concepts, discipline, theory, and the formal models that
underlie hardware and software design as a basis for maintaining data validity, reliability,
and integrity.
IT auditing became an integral part of the audit function because it supports the
auditor’s judgment on the quality of the information processed by computer systems.
Auditors with IT audit skills were viewed as the technological resource for the audit staff.
The audit staff often looked to them for technical assistance. The IT auditor’s role
evolved to provide assurance that adequate and appropriate controls are in place. Of
course, the responsibility for ensuring that adequate internal controls are in place rests
with management. The audit’s primary role,
except in areas of management advisory services, is to provide a statement of assurance
as to whether adequate and reliable internal controls are in place and are operating in an
efficient and effective manner. Management’s role is to ensure and the auditors’ role is
to assure. There are several types of needs within IT auditing, including organizational IT
audits (management control over IT), technical IT audits (infrastructure, data centers,
data communication), and application IT audits (business/financial/operational). There
are also development/implementation IT audits (specification/requirements, design,
development, and post-implementation phases), and compliance IT audits involving
national or international standards.
When auditing IT, the breadth and depth of knowledge required are extensive. For
instance, auditing IT involves:

• Application of risk-oriented audit approaches
• Use of computer-assisted audit tools and techniques
• Application of standards (national or international) such as the ISO* to
improve and implement quality systems in software development and meet IT
security standards
• Understanding of business roles and expectations in the auditing of systems
under development as well as the purchase of software packaging and project
management
• Assessment of information security, confidentiality, privacy, and availability
issues which can put the organization at risk
• Examination and verification of the organization’s compliance with any IT-
related legal issues that may jeopardize or place the organization at risk
• Evaluation of complex systems development life cycles (SDLC) or new
development techniques (i.e., prototyping, end-user computing, rapid systems,
or application development)
• Reporting to management and performing a follow-up review to ensure that
the actions taken are working

The auditing of IT and communications protocols typically involves the Internet, intranet,
extranet, electronic data interchange, client servers, local and wide area networks, data
communications, telecommunications, wireless technology, integrated voice/data/video
systems, and the software and hardware that support these processes and functions.
Some of the top reasons to initiate an IT audit include the increased dependence on
information by organizations, the rapidly changing technology with new risks associated
with such technology, and the support needed for financial statement audits.
The Sarbanes–Oxley Act (SOX) also requires the assessment of internal controls and
makes it mandatory for SEC registrants. As part of the process for assessing the
effectiveness of internal controls
over financial reporting, management needs to consider controls related to the IS
(including technologies) that support relevant business and financial processes. These
controls are referred to as ITGCs (or IT general controls). As mentioned earlier, ITGCs are
IT processes, activities, and/or procedures that are performed within the IT environment
and relate to how the applications and systems are developed, maintained, managed,
secured, accessed, and operated. Exhibit 1.4 illustrates other top reasons to have IT
audits.
IT Governance
There have been many changes in the way enterprises address IT issues, resulting in a
renewed focus on the concepts of IT governance. CEOs, Chief Financial Officers, Chief
Operating Officers, Chief Technology Officers, and Chief Information Officers agree on
the founding principles of IT governance, which focus on strategic alignment between IT
and enterprise objectives. This, in turn, creates changes to tactical and day-to-day
operational management of IT in the organization.
IT governance is the process by which an enterprise’s IT is directed and controlled. As
defined earlier, IT refers to the hardware, software, communication, and other facilities
used to input, store, process, transmit, and output data in whatever form. Effective IT
governance helps ensure that IT supports business goals, maximizes business investment
in IT, and appropriately manages IT-related risks. IT governance also helps ensure
achievement of critical success factors by efficiently and effectively deploying secure,
reliable information, and applied technology.
Because IT impacts the operation of an entire organization, everyone within the
organization should have an interest and role in governing its use and application. This
growing awareness has led organizations to recognize that, if they are to make the most
of their IT investment and protect that investment, they need a formal process to govern
it. Reasons for implementing an IT governance program include:

• Increasing dependence on information and the systems that deliver the
information
• Increasing vulnerabilities and a wide spectrum of threats
• Scale and cost of current and future investments in information and IS
• Potential for technologies to dramatically change organizations and business
practices to create new opportunities and reduce costs

As long as these factors remain a part of business, there will be a need for effective,
interdependent systems of enterprise and IT governance.
An open-standard IT governance tool that helps nontechnical and technical managers
and auditors understand and manage risks associated with information and related IT is
COBIT, developed by the IT Governance Institute and the Information Systems Audit
and Control Foundation. COBIT is a comprehensive framework of control objectives that
helps IT auditors, managers, and executives discharge fiduciary responsibilities,
understand the IT systems, and decide what level of security and control is adequate.
COBIT provides an authoritative, international set of generally accepted IT practices for
business managers and auditors. COBIT is discussed in later chapters.
The auditor evaluating today’s complex systems must have highly developed technical
skills to understand the evolving methods of information processing. Contemporary
systems carry risks such as incompatible platforms, new methods to penetrate
security through communication networks (e.g., the Internet), and the rapid
decentralization of information processing with the resulting loss of centralized controls.
As the use of IT in organizations continues to grow, auditing computerized systems must
be accomplished without many of the guidelines established for the traditional auditing
effort. In addition, new uses of IT introduce new risks, which in turn require new
controls. IT auditors are in a unique position to evaluate the relevance of a particular
system to the enterprise as a whole. Because of this, the IT auditor often plays a role in
senior management decision making.
The role of IT auditor can be examined through the process of IT governance and the
existing standards of professional practice for this profession. As mentioned earlier, IT
governance is an organizational involvement in the management and review of the use
of IT in attaining the goals and objectives set by the organization.
IT Auditor as Counselor
In the past, users have abdicated responsibility for controlling computer systems, mostly
because of the psychological barriers that surround the computer. As a result, there are
few checks and balances, except for the IT auditor. IT auditors must take an active role in
assisting organizations in developing policies, procedures, standards, and/or best
practices on safeguarding of the information, auditability, control, testing, etc. A good
information security policy, for instance, may include:

• Specifying required security features
• Defining “reasonable expectations” of privacy regarding such issues as
monitoring people’s activities
• Defining access rights and privileges and protecting assets from losses,
disclosures, or damages by specifying acceptable use guidelines for users
• Providing guidelines for external communications (networks)
• Defining responsibilities of all users
• Establishing trust through an effective password policy
• Specifying recovery procedures
• Requiring violations to be recorded
• Acknowledging that owners, custodians, and clients of information need to
report irregularities and protect its use and dissemination
• Providing users with support information

The SANS Institute provides general information security policy templates on its
Website, which can be downloaded and be a great starting point for any organization. A
good computer security policy will differ for each organization, corporation, or individual
depending on security needs. An information security policy will not guarantee a
system’s security or make the network completely safe from possible attacks from
cyberspace. Nevertheless, a security policy, backed by effective security products and a
recovery plan, can help keep potential losses at levels the organization considers “acceptable”
and minimize the leaking of private information. The IT auditor is part of an institutional
team that helps create shared governance over the use, application, and assurance over
IT within the organization.
An IT audit staff in a large corporation can make a major contribution to computer
system control by persuading user groups to insist on a policy of comprehensive testing
for all new systems and all changes to existing systems. By reviewing base-case results,
user groups can control the accuracy of new or changed systems by actually performing
a complete control function. Auditors must convince users and IT personnel of the need
for a controlled IT environment. Insisting that all new systems be reviewed at predefined
checkpoints throughout the system’s development life cycle can also enhance control of
IT. The prospect of audit review should prompt both user and systems groups to define
their objectives and assumptions more carefully. Here, too, IT auditors can subtly extend
their influence.
IT Auditor as Partner of Senior Management
Although the IT auditor’s roles of counselor and skilled technician are vital to successful
company operation, they may be irrelevant if the auditor fails to view auditing in relation
to the organization as a whole. A system that appears well controlled may be
inconsistent with the operation of a business. Decisions concerning the need for a
system traditionally belonged to management, but because of a combination of factors
(mostly the complex technology of the computer), computer system audits were not
successfully performed. When allocating funds for new systems, management has had to
rely on the judgment of computer personnel. Although their choices of new and more
effective computer systems cannot be faulted, computer personnel have often failed to
meet the true business needs of the organization.
Management needs the support of a skilled computer staff that understands the
organization’s requirements, and IT auditors are in such a position to provide that
information. They can provide management with an independent assessment of the
effect of IT decisions on the business. In addition, the IT auditor can verify that all
alternatives for a given project have been considered, all risks have been accurately
assessed, the technical hardware and software solutions are correct, business needs will
be satisfied, and costs are reasonable.
IT Auditor as Investigator
As a result of increased legislation and the use of computer evidence within the courts,
the ability to capture and document computer-generated information related to criminal
activity is critical for purposes of prosecution. The awareness and use of computer-
assisted tools and techniques in performing forensic support work have provided new
opportunities for the IT auditor, IT security personnel, and those within law enforcement
and investigation. For the IT audit professional, computer forensics is an exciting,
developing field. The IT auditor can work in the field of computer forensics or work side
by side with a computer forensics specialist, supplying insight into a particular system or
network. The specialists can ask the IT audit professionals questions pertaining to the
system and get responses faster than having to do research and figure everything out on
their own. Although the specialist is highly trained and can adapt to almost any system or
platform, collaboration can make the jobs of the forensic specialist and the IT
professional easier and more efficient.
Since its birth in the early 1970s, computer forensics has continuously evolved into what
is now a very large field. New technologies and enhancements in protocols are allowing
engineers and developers to create more stable and robust hardware, software, and
tools for the specialist to use in computer-related criminal investigations. As computers
become more advanced and more abundant, so do criminal activities. Therefore, the
computer forensics niche is also in constant progression along with the technological
advancements of computers.
With the passage of the Homeland Security Act, the Patriot Act, and SOX, the role of the
auditor (internal and external) is more critical to the verification and validation of the
financial infrastructure. The profession of IT auditing can provide a person with exposure
to the way information flows within an organization and give its members the ability to
assess its validity, reliability, and security. IT auditing involves people, technology,
operations, and systems. It is a dynamic and challenging profession with a future that
brings growth into new areas such as IT security and computer forensics, to name a few.
Today, IT auditors interact with managers, users, and technicians from all areas of most
organizations. They must have interpersonal skills to interact with multiple levels of
personnel and technical skills to understand the variety of technology used in
information processing activity— especially technology used in generating and/or
processing the company’s financial information (e.g., financial statements, etc.). The IT
auditor must also gain an understanding of and be familiarized with the operational
environment to assess the effectiveness of the internal control structure. Finally, the IT
auditor must understand the technological complexities of existing and future systems
and the impact they have on operations and decisions at all levels.
IT auditing is a relatively new profession, and employment opportunities are present in
all sectors of private industry, public accounting, and government worldwide. A
profession is more than just an occupation. A profession has certain special
characteristics, including a common body of knowledge, certification, continuing
education, professional associations and ethical standards, and educational curriculum.
A Common Body of Knowledge
Since 1975, there have been various studies identifying a common body of knowledge
for the IT audit profession. A common body of knowledge consists of clearly identified
areas in which a person must attain a specific level of understanding and competency
necessary to successfully practice within the profession. These areas are categorized into
core areas. Organizations such as ISACA, AICPA, IIA, CICA, ISSA, InfoSec, and others
around the world have issued major studies and papers on the topic of the knowledge,
skills, and abilities needed to audit computer systems. Students, especially the ones with
business and computer majors, receive a degree of base-level training in (1) auditing
concepts and practices; (2) management concepts and practices; (3) computer systems,
telecommunications, operations, and software; (4) computer information processing
techniques; and (5) understanding of business on local and international scales. These are
some of the major core areas of competency identified by the various independent
studies for the individual who enters the IT audit, control, and security field.
Certification
Certification is a vital component of a profession. As you prepare for entry into your
profession, whether it is accounting, IS, or other business fields, certification will be the
measure of your level of knowledge, skills, and abilities in the profession. For example,
attainment of the CPA designation is an important career milestone for the practicing
accountant. In IT auditing, the Certified Information Systems Auditor (CISA) is one of the
main levels of recognition and attainment. There are certain requirements for candidates
to become CISA certified, such as:

• Passing a rigorous written examination
• Evidencing a minimum of 5 years of professional IS auditing, control, or security
work experience
• Adhering to ISACA’s Code of Professional Ethics and the Information Systems
Auditing Standards as adopted by ISACA
• Agreeing to comply with the CISA Continuing Education Policy

The CISA examination covers areas (or domains) within the process of auditing IS;
governance and management of IT; IS acquisition, development and implementation; IS
operations, maintenance and service management; and the protection of information
assets. Thus, university education plays an important part in providing the groundwork
toward the certification process.
Other licenses and certifications relevant to the IT auditor include the following: CPA,
Chartered Accountant (CA), Certified Internal Auditor (CIA), Certified Computer
Professional (CCP), Certified Government Financial Manager (CGFM), Certified
Information Systems Security Professional (CISSP), Certified Information Security
Manager (CISM), Certified in Risk and Information Systems Control (CRISC), AICPA’s
Certified Information Technology Professional (CITP), and Certified Fraud Examiner
(CFE).
Certification is important and a measure of skill attainment within the profession.
Attainment of more than one certification will enhance your knowledge, skills, and
abilities within the audit domain. Proficiency in skill application comes from experience
and continuing education. The dynamic changes in business (commerce), IT, and world
events continue to shape the future for this exciting profession.
Continuing Education
Certification requires continuing education so that those who are certified maintain a
level of proficiency and continue their certification. Continuing education is an important
element for career growth. As graduates enter their profession, they will find that their
academic education is the foundation for continued development of career-enhancing
knowledge, skills, and abilities. A continuing education requirement exists to support the
CISA program. The IT auditor of the future will constantly face change with regard to
existing systems and the dynamics of the environment (i.e., reorganization, new
technology, operational change, and changing requirements).
The breadth and depth of knowledge required to audit IT is extensive. For example, IT
auditing involves the application of risk-oriented audit approaches; the use of computer-
assisted audit tools and techniques (e.g., EnCase, CaseWare, Idea, ACL, Guardant, eTrust,
CA-Examine, etc.); the application of national or international standards (i.e., ISO 9000/3,
ISO 17799, ISO 27000, and related amendments to improve and implement quality
systems in software development); the auditing of systems under development involving
complex SDLC or new development techniques (e.g., prototyping, end-user computing,
rapid systems development, etc.); and the auditing of complex technologies involving
electronic data interchange, client servers, local and wide area networks, data
communications, telecommunications, and integrated voice/data/video systems.
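The CAATs just listed are tools; the tests they run are simple data analyses that an auditor can also script directly. The following is an added example, not code from this page or from any of those products, showing five routine tests in Python over a constructed invoice ledger: duplicate payments, sequence gaps, out-of-period postings, amounts split just under an approval limit, and postings made under a shared administrative account. The vendors, amounts, audit period, approval limit and shared-account names are all hypothetical.

```python
"""A small computer-assisted audit technique (CAAT) run over a constructed
invoice ledger. It mirrors routine tests that tools such as ACL or IDEA
perform. All data and thresholds are hypothetical."""
from collections import Counter
from datetime import date

# Constructed sample ledger; vendors, amounts and users are invented.
LEDGER = [
    {"inv": 1001, "vendor": "Acme Ltd", "amount": 1250.00, "date": date(2023, 3, 2),  "user": "jdoe"},
    {"inv": 1002, "vendor": "Acme Ltd", "amount": 1250.00, "date": date(2023, 3, 2),  "user": "jdoe"},
    {"inv": 1003, "vendor": "Globex",   "amount": 980.50,  "date": date(2023, 3, 5),  "user": "asmith"},
    {"inv": 1005, "vendor": "Initech",  "amount": 4999.00, "date": date(2023, 3, 9),  "user": "asmith"},
    {"inv": 1006, "vendor": "Initech",  "amount": 4999.00, "date": date(2023, 3, 9),  "user": "asmith"},
    {"inv": 1007, "vendor": "Globex",   "amount": 300.00,  "date": date(2023, 4, 1),  "user": "jdoe"},
    {"inv": 1008, "vendor": "Umbrella", "amount": 120.00,  "date": date(2023, 3, 30), "user": "root"},
]

PERIOD = (date(2023, 3, 1), date(2023, 3, 31))   # hypothetical audit period
APPROVAL_LIMIT = 5000.00                          # hypothetical single-approver limit
SHARED_IDS = {"root", "admin"}                    # generic accounts that break accountability


def _key(row):
    """Fields on which two payments are treated as the same economic event."""
    return (row["vendor"], row["amount"], row["date"])


def duplicate_payments(ledger):
    """Invoice numbers sharing vendor, amount and date with another row."""
    counts = Counter(_key(r) for r in ledger)
    return sorted(r["inv"] for r in ledger if counts[_key(r)] > 1)


def sequence_gaps(ledger):
    """Invoice numbers missing from an otherwise contiguous sequence
    (possible deleted or suppressed documents)."""
    nums = sorted(r["inv"] for r in ledger)
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def out_of_period(ledger, period=PERIOD):
    """Rows dated outside the period being audited (cut-off errors)."""
    lo, hi = period
    return sorted(r["inv"] for r in ledger if not lo <= r["date"] <= hi)


def near_limit(ledger, limit=APPROVAL_LIMIT, band=0.05):
    """Amounts within `band` of the approval limit but below it, a common
    pattern when a purchase is split to avoid a second approver."""
    return sorted(r["inv"] for r in ledger
                  if limit * (1 - band) <= r["amount"] < limit)


def shared_account_postings(ledger, shared=SHARED_IDS):
    """Rows posted under a shared ID, so the action cannot be attributed."""
    return sorted(r["inv"] for r in ledger if r["user"] in shared)


def run_caat(ledger):
    """Run every test and return the exception lists for the audit workpaper."""
    return {
        "duplicates": duplicate_payments(ledger),
        "gaps": sequence_gaps(ledger),
        "out_of_period": out_of_period(ledger),
        "near_limit": near_limit(ledger),
        "shared_ids": shared_account_postings(ledger),
    }


if __name__ == "__main__":
    for test, exceptions in run_caat(LEDGER).items():
        print(f"{test:14s} {exceptions}")
```

In a real engagement the same functions run over an export of the accounts-payable or general-ledger table. The design point is that each test returns the exception list that goes into the workpaper rather than printing it, so the result is reproducible and can be re-run unchanged during the follow-up review to confirm that the actions taken actually cleared the exceptions.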
Because the organizational environment in which the IT auditor operates is a dynamic
one, it is important that new developments in the profession be understood so that they
may be appropriately applied. Thus, the continuing education requirement helps the
CISA attain new knowledge and skills to provide the most informed professional opinion.
Training courses and programs are offered by a wide variety of associations and
organizations to assist in maintaining the necessary skills that they need to continue to
improve and evolve. Methods for receiving such training may even be global with video
teleconferencing and telecommuting and with the Internet playing a major role in
training delivery.
Professional Associations and Ethical Standards
As a manager at any level, one must remember that auditors, whether internal or
external, have standards of practice that they must follow. Like IT professionals, auditors
may belong to one or more professional associations and have codes of ethics and
professional standards of practice and guidance that help them in performing their
reviews and audits. If they are seen not performing their work to “standards of practice”
for their profession, they know they could be open to a potential lawsuit or even
“decertified.” Some of the organizations that produced such standards of practice are the
AICPA, IIA, IFAC, CICA, GAO, and ISACA.
ISACA, created in 1969, is the leading IT governance, assurance, as well as security and
control professional association today. ISACA:

• provides knowledge and education on areas like IS assurance, information
security, enterprise governance, IT risk management, and compliance.
• offers globally known certifications/designations, such as CISA, CISM,
Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and
Information Systems Control (CRISC).
• develops and frequently updates international IS auditing and control
standards and frameworks, such as COBIT. COBIT assists both IT auditors and IT
management in performing their daily duties and responsibilities in the areas
of assurance, security, risk, and control, and in delivering value to the business.

To act as an auditor, one must have a high standard of moral ethics. The term auditor comes
from the Latin for one who hears, that is, one who hears complaints and makes decisions or acts like a judge. To act as a
judge, one definitely must be morally ethical or it defeats the purpose. Ethics are a very
important basis for our culture as a whole. If the auditor loses favor in this area, it is
almost impossible to regain the trust the auditor once had with audit management and
auditees. Whether an auditor is ethical in the beginning or not, they should all start off
with the same amount of trust and good favor from the client or auditee. If the bond is
not broken, the auditor establishes a good name as someone who can be trusted with
sensitive material.
In today’s world economy, trust is an unheard-of word. No one can trust anyone these
days and for this reason it is imperative that high ethics are at the top of the manager’s
list of topics to cover with new audit teams. Times are changing and so are the clients
requesting audit services. Most managers will state that they cherish this aspect called
ethics because it distinguishes them from others without it.
For example, say a budget calls for numerous hours. It is unethical to put down hours not
worked. It is also unethical to overlook something during the audit because the client
says it is not important. A fine line exists between what is ethical and what is legal.
Something can be ethically wrong but still legal. However, with that being said, some
things initially thought to be unethical become illegal over time. If there is a large enough
population opposed to something ethically incorrect, you will see legislation introduced
to make it illegal. When IT auditors attain their CISA certification, they also subscribe to
a Code of Professional Ethics. This code applies to not only the professional conduct but
also the personal conduct of IT auditors. The code is actually not in conflict with codes
of ethics from other audit/assurance related domains (e.g., IIA, AICPA, etc.). It requires
that the ISACA standards are adhered to, confidentiality is maintained, any illegal or
improper activities are reported, the auditor’s competency is maintained, due care is
used in the course of the audit, the results of audit work are communicated, and high
standards of conduct and character are maintained.
Career Opportunities
There are a number of career opportunities available to the individual seeking an
opportunity in IT audit. For the college graduate with the appropriate entry-level
knowledge, skills, and abilities, this career provides many paths for growth and
development. Further, as a career develops and progresses, IT audit can provide mobility
into other areas as well. Today’s IT auditors are employed by public accounting firms,
private industries, management consulting firms, and the government.
Public Accounting Firms
Public accounting firms offer individuals an opportunity to enter the IT auditing field.
Although these firms may require such individuals to begin their careers in financial
audits to gain experience in understanding the organization’s audit methodologies, after
initial audit experience the individual who expresses interest in a particular specialization
(e.g., forensics, security, etc.) will be transferred to such specialty for further training and
career development. Many who have taken this career path have been successful, and
several have become partners, principals, or directors within the firm. The primary
sources for most public accounting firms are college recruitment and development
within. However, it is not uncommon for a firm to hire from outside for specialized
expertise (e.g., computer forensics, telecommunication, database systems, etc.).
Private Industry
Like public accounting firms, private industry offers entry-level IT audit professional
positions. In addition, IT auditors gain expertise in more specialized areas (i.e.,
telecommunications, systems software, and systems design), which can make them
candidates for IT operations, IT forensics, and IT security positions. Many CEOs view
audit experience as a management training function. The IT auditor has particular
strengths of educational background, practical experience with corporate IS, and
understanding of executive decision making. Some companies have made a distinction
between IT auditors and operational and financial auditors. Others require all internal
auditors to be capable of auditing IT systems. Sources for persons to staff the IT audit
function within a company generally may come from college recruitment, internal
transfers, promotions, and/or outside hiring.
Management Consulting Firms
Another area of opportunity for IT audit personnel is management consulting. This
career area is usually available to IT auditors with a number of years’ experience. Many
management consulting practices, especially those that provide services in the computer
IS environment, hire experienced IT auditors. This career path allows these candidates to
use their particular knowledge, skills, and abilities in diagnosing an array of computer and
management information issues and then assist the organization in implementing the
solutions. The usual resources for such positions are experienced personnel from public
accounting CPA firms, private industries, and the government. IT forensics is another
growing area in management consulting services.
Government
The government offers another avenue for one to gain IT audit experience. In the United
States, federal, state, county, and city governments employ personnel to conduct IT
audit-related responsibilities. Federal organizations such as the NSA, FBI, Department of
Justice, and the CIA employ personnel who have IT audit experience, computer security
experience, and IT forensics experience. Governments worldwide also employ personnel
to conduct IT audits.
Government positions offer training and experience to personnel responsible for
performing IT audit functions. Sources for government IT auditors are college recruits
and employees seeking internal promotion or transfer. There are occasions when
experienced resources may be hired from the outside as well.

MODULE 2

In today's digital age, information technology (IT) has become an integral part of
businesses, and its effective governance has become essential. IT governance involves
the management of IT resources in a manner that aligns with the organization's goals and
objectives, while also ensuring that IT investments generate business value and mitigate
IT-related risks. It involves the development of a set of processes, structures, and
communication channels that ensure that IT operations are in line with the organization's
overall strategies. The objective of this chapter is to provide an overview of IT
governance, its significance, and its frameworks relevant to IT auditing.

Definition of IT Governance
IT governance refers to the processes and structures in place to manage and control IT
resources within an organization. It involves defining the policies, procedures, and
guidelines that guide decision-making and ensure that IT investments and operations are
aligned with business objectives.
IT governance is critical to the success of organizations as it helps ensure that IT
resources are utilized effectively and efficiently. Effective IT governance provides a
framework for managing IT investments, risks, and performance, while ensuring that IT
supports the organization's objectives and meets the needs of stakeholders.

IT governance also plays a critical role in managing IT-related risks and compliance
requirements. Effective IT governance helps organizations identify and manage risks
related to the use of IT resources, such as data breaches, system failures, and non-
compliance with laws and regulations.

In summary, IT governance is an essential component of organizational management,
and its importance cannot be overstated. Effective IT governance can help organizations
achieve their business objectives, manage risks, and ensure compliance with laws and
regulations.

Significance of aligning IT with business objectives


Information technology (IT) has become an essential part of today's business
environment, and organizations increasingly rely on IT to support their operations and
achieve their objectives. However, the effective use of IT requires careful planning,
management, and governance to ensure that it aligns with the organization's goals and
objectives.

The significance of aligning IT with business objectives lies in the fact that technology
has become an integral part of modern business operations. IT is no longer viewed as a
mere support function, but as an essential enabler of business strategies and objectives.
The alignment of IT with business objectives ensures that technology investments are
focused on meeting the needs of the business, and that IT projects and initiatives are
closely linked to business objectives.

In order to achieve alignment, organizations need to have a clear understanding of their
business objectives and strategies, and must be able to translate these into specific IT
objectives and initiatives. This requires effective communication and collaboration
between business and IT leaders, and the development of a shared vision for how
technology can support and enable business success.

Effective IT governance is a critical enabler of alignment, as it provides the framework
and processes for ensuring that IT investments and activities are aligned with business
objectives. IT governance involves the development and implementation of policies,
procedures, and controls to ensure that IT resources are used in a way that supports
business goals, and that risks are managed effectively. In this way, IT governance helps
organizations to maximize the value of their IT investments, and to ensure that
technology supports rather than hinders business success.

IT Governance Frameworks
IT Governance Frameworks refer to a set of guidelines and practices that provide a
structure for aligning IT activities with business objectives. These frameworks are
designed to help organizations manage and control their IT processes and systems, and
to ensure that IT investments are aligned with business goals. The use of IT governance
frameworks has become increasingly important due to the rapid growth of technology
and its impact on organizations. IT governance frameworks provide a comprehensive
approach to managing IT risks, compliance, and performance, and help organizations
achieve their strategic objectives.

In this section, we will discuss some of the commonly used IT governance frameworks
and their key features.

Commonly used IT governance frameworks typically provide guidance on best practices
for IT governance and management. These frameworks are designed to help
organizations improve the effectiveness, efficiency, and reliability of their IT systems and
processes, and to ensure that IT activities are aligned with the organization's objectives
and business goals. Some of the most commonly used IT governance frameworks are:

COBIT (Control Objectives for Information and Related Technology): This framework
was developed by ISACA (Information Systems Audit and Control Association) to provide
a comprehensive set of guidelines for IT governance and management. COBIT helps
organizations to identify and manage IT-related risks, ensure compliance with relevant
laws and regulations, and optimize IT investments. COBIT is widely used in many
industries and is recognized as a leading framework for IT governance.

ITIL (Information Technology Infrastructure Library): This framework was developed by
the UK government and is widely used by organizations around the world. ITIL provides
a set of best practices for IT service management, including processes for service design,
transition, operation, and improvement. ITIL helps organizations to deliver high-quality IT
services that meet business needs and customer requirements.
ISO/IEC 38500: This standard was developed by the International Organization for
Standardization (ISO) to provide guidance on the effective, efficient, and acceptable use
of IT in organizations. ISO/IEC 38500 helps organizations to establish clear roles and
responsibilities for IT governance, and to ensure that IT activities are aligned with
business objectives.

ISO/IEC 27001: This standard was developed jointly by ISO and the International
Electrotechnical Commission (IEC). It specifies the requirements for an information security
management system and is usually adopted alongside the broader governance frameworks
above. The key features of ISO 27001 include a risk
management approach, a process-based approach to implementing an information
security management system (ISMS), and a strong emphasis on continual improvement.
The framework includes a set of controls that can be used to address information
security risks and can be customized to meet the needs of different organizations. ISO
27001 also emphasizes the importance of monitoring, reviewing, and improving the
ISMS to ensure it remains effective over time. It is a widely recognized standard and can
help organizations demonstrate their commitment to information security to
stakeholders.

NIST Cybersecurity Framework: This framework was developed by the National Institute
of Standards and Technology (NIST) to provide a set of guidelines for managing and
reducing cybersecurity risks. The framework helps organizations to identify, assess, and
manage cybersecurity risks, and to develop and implement effective cybersecurity
policies and procedures.

Each of these frameworks has its own unique features and benefits. However, they all
share a common goal of improving IT governance and management practices, and
aligning IT activities with the needs of the organization.

Relevant Legislation for IT Auditing


As technology continues to be an integral part of organizations' operations, it has also
brought with it various challenges and risks, including cybersecurity threats and data
privacy concerns. These challenges have prompted governments worldwide to develop
legislation to regulate the use of technology and ensure that organizations are held
accountable for the protection of sensitive information. As a result, IT auditors need to
have a good understanding of the relevant legislation to effectively perform their duties.
This section will discuss the key legislation that IT auditors should be aware of, including
financial integrity legislation such as the Sarbanes-Oxley Act of 2002, privacy-related
and data protection legislation, and Philippine laws relevant to IT auditors.

Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002, also known as SOX, is a United States federal law that
was enacted in response to financial scandals involving corporations such as Enron,
WorldCom, and Tyco International. The Act was enacted to restore public trust in the
financial reporting of publicly traded companies by establishing new or enhanced
standards for financial reporting, internal controls, and corporate governance. SOX
applies to all public companies in the United States and foreign companies that are listed
on US stock exchanges or that conduct business in the US.

The Act mandates that public companies establish and maintain an adequate system of
internal controls to ensure the accuracy and integrity of their financial statements, and to
comply with SEC rules and regulations. The Act also requires public companies to have
an independent external auditor review their internal control over financial reporting and
to attest to the effectiveness of those controls.

SOX has a number of provisions that impact IT auditors, including sections 302, 404, and
409.

Section 302 requires that company management certify the accuracy and completeness
of financial reports, including the effectiveness of internal controls over financial
reporting. This means that IT auditors must ensure that the company's financial reporting
systems are secure, reliable, and accurate.

Section 404 of SOX requires that companies implement and maintain an internal control
framework and that they test and report on the effectiveness of those controls. This
includes controls related to information technology systems and processes, such as
access controls, change management, and data security. IT auditors play a key role in
testing and reporting on the effectiveness of these controls.

Section 409 of SOX requires that companies disclose material changes in their financial
condition or operations on a real-time basis. IT auditors must ensure that the company's
systems are capable of providing real-time financial reporting, and that they are reliable
and accurate.

Other sections of SOX that impact IT auditors include section 906, which imposes
criminal penalties for false statements made in financial reports, and section 802, which
increases the penalties for document destruction and provides protection for
whistleblowers who report accounting fraud.

In addition to these requirements, SOX also established the Public Company Accounting
Oversight Board (PCAOB), which is responsible for overseeing the audits of public
companies, registering public accounting firms, and enforcing compliance with SOX
requirements. The Act also imposes severe penalties, including fines and imprisonment,
for individuals and companies that violate its provisions.

The Sarbanes-Oxley Act of 2002 has had a significant impact on corporate governance
and financial reporting practices, and it continues to be an important consideration for IT
auditors who are involved in assessing the effectiveness of internal controls over
financial reporting.

Privacy and Data Protection Legislation


In addition to financial integrity legislation, IT auditors must also be aware of privacy and
data protection legislation, which is essential in safeguarding sensitive information.
Privacy and data protection refer to the practices and regulations put in place to
safeguard sensitive information collected by organizations from unauthorized access,
use, disclosure, and destruction. As auditors, understanding privacy and data protection
is essential because it enables us to assess and report on an organization's compliance
with relevant laws and regulations. It is also crucial to know the risks associated with
privacy breaches and data mishandling as this information can help us identify areas
where controls need to be improved to mitigate such risks. Privacy and data protection
laws are rapidly evolving, and it is essential to keep abreast of the latest regulations and
best practices to effectively audit an organization's compliance with these regulations.

In the United States, one of the most significant pieces of privacy legislation is the
Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA was
enacted to protect the privacy and security of patients' personal health information
(PHI) and to establish standards for the electronic exchange of PHI. It applies to
covered entities, which include healthcare providers, health plans, and healthcare
clearinghouses. IT auditors need to ensure that covered entities comply with HIPAA's
security and privacy rules by conducting regular audits and risk assessments and by
implementing appropriate technical, physical, and administrative safeguards.
Another essential piece of US legislation is the Children's Online Privacy Protection Act
(COPPA), which provides specific guidelines for websites or online services that collect
information from children under 13 years of age.

In the European Union, the General Data Protection Regulation (GDPR) is a
comprehensive privacy and data protection regulation that became effective in 2018.
GDPR is a data protection regulation that applies to all EU member states and regulates
the processing and transfer of personal data of EU residents. The GDPR establishes a
framework for the collection, processing, and transfer of personal data for all
organizations operating within the EU or handling data of EU citizens, regardless of
where they are based. The GDPR empowers data subjects with rights such as the right
to access their data, the right to erasure, and the right to data portability. It also requires
organizations to implement technical and organizational measures to ensure the security
and privacy of personal data.

GDPR has a significant impact on IT auditing as it mandates organizations to implement
measures to ensure the confidentiality, integrity, and availability of personal data,
including technical and organizational measures. IT auditors need to ensure that
organizations comply with GDPR by conducting data protection impact assessments,
identifying risks, and implementing appropriate security measures to protect personal
data.

In addition to these significant laws, many other countries have their own laws
regarding privacy and data protection, such as Canada's Personal Information Protection
and Electronic Documents Act (PIPEDA) and Japan's Act on the Protection of Personal
Information (APPI).

IT auditors need to stay informed and updated on changes to these privacy and data
protection laws to ensure that organizations comply with these regulations and protect
sensitive information. Failure to comply with these laws can lead to significant fines,
legal penalties, and reputational damage for organizations.

Philippine Laws Relevant to IT Auditors


As the focus of this book is the Philippines, this section also takes a look at the
Philippine laws relevant to IT auditors. The Philippines has several laws and regulations
that are relevant to IT auditors, including the Data Privacy Act of 2012 (DPA), the
Cybercrime Prevention Act of 2012, the Electronic Commerce Act of 2000 (ECA), and the
Department of Information and Communications Technology Act of 2015.

The Data Privacy Act (DPA), also known as Republic Act 10173, is a law that regulates
the processing of personal data by both private and public entities in the Philippines. The
DPA requires organizations to comply with certain principles, such as ensuring the lawful
and fair processing of personal data, providing notice to data subjects about the
collection and processing of their personal data, obtaining consent from data subjects for
the processing of their personal data, and implementing appropriate security measures
to protect personal data. Failure to comply with the DPA can result in fines,
imprisonment, or both.

The Cybercrime Prevention Act, also known as Republic Act 10175, is a law that aims to
prevent and combat cybercrime in the Philippines. The law covers a range of
cybercrimes, including cybersex, cyber-bullying, and hacking. The law also provides for
the creation of a Cybercrime Investigation and Coordinating Center (CICC) to coordinate
the investigation and prosecution of cybercrimes in the country.

The Electronic Commerce Act (ECA), also known as Republic Act 8792, is a law that
provides a legal framework for electronic commerce in the Philippines. The law aims to
facilitate electronic transactions, promote the use of electronic data messages, and
provide for the recognition of electronic documents in legal proceedings.

The Department of Information and Communications Technology Act of 2015, also
known as Republic Act No. 10844, provides for the creation of a government agency, the
Department of Information and Communications Technology (DICT), to oversee and
regulate electronic commerce in the country.

It is important for IT auditors to be familiar with these laws and regulations in order to
assess an organization's compliance with them. Failure to comply with these laws can
result in significant legal and financial consequences for organizations, including fines,
imprisonment, and damage to their reputation.

Ethical Issues and Code of Ethics for IT Auditors


Ethics play a critical role in the IT auditing profession, as auditors are responsible for
assessing the ethical conduct of the organization's operations. An IT auditor must have a
strong sense of ethics and must adhere to a code of ethics that guides their actions and
decisions. In this section, we will discuss the ethical issues that IT auditors commonly
face, as well as the code of ethics that guides their professional behavior.

Definition of Ethics
Ethics is a set of moral principles that guide behavior and decision-making. In the IT
auditing profession, ethical behavior is critical to ensuring trust, accountability, and
reliability in the auditing process. Ethical behavior involves upholding values such as
honesty, integrity, objectivity, and impartiality. The Code of Ethics for IT Auditors
provides a set of guidelines that outline the principles and values that IT auditors must
adhere to in the performance of their duties. It serves as a standard for the profession
and helps ensure that IT auditors maintain the highest level of professionalism in their
work. This section will explore the importance of ethical behavior in the IT auditing
profession and the code of ethics that IT auditors must follow.

Importance of Ethics in IT Auditing


Ethics play a critical role in IT auditing. IT auditors must be ethical in their practices to
ensure that they maintain their professional integrity and ensure that their work is
unbiased and objective. The integrity of an IT auditor is paramount in ensuring that their
findings and recommendations are taken seriously and acted upon by management.

Furthermore, adherence to ethical practices helps to maintain the trust and confidence
of stakeholders in the IT audit profession. The IT auditor’s role requires them to be
independent, objective, and impartial, and the adherence to ethical standards helps to
ensure that they are fulfilling these requirements. An IT auditor who breaches ethical
standards risks damaging their reputation and the reputation of the profession as a
whole.

In addition to the above, ethical standards play a role in ensuring that the IT auditor is
conducting their work within legal and regulatory frameworks. This is because some
regulations require that auditors adhere to certain ethical standards, and as such, the IT
auditor must be familiar with these regulations and ensure that their practices are in
compliance with them. In summary, ethics play a vital role in ensuring the effectiveness
and credibility of IT auditing.

Code of Ethics for IT auditors


IT auditors are expected to adhere to a strict code of ethics that guides their behavior,
decisions, and actions. The code of ethics for IT auditors is designed to promote
integrity, objectivity, confidentiality, and professional behavior. The Information Systems
Audit and Control Association (ISACA) has developed a Code of Professional Ethics and
Conduct for its members, including Certified Information Systems Auditors (CISA). This
code sets the standards for ethical and professional behavior for ISACA members and
requires them to act with integrity, diligence, and competence in their professional work.
The code is designed to help IT auditors maintain their professional independence,
uphold their professional standards, and promote trust and confidence in the IT auditing
profession.

The Code of Professional Ethics and Conduct for ISACA members consists of four parts:

1. Introduction and Applicability – This section outlines the purpose of the code
of ethics and explains how it applies to ISACA members.

2. Code of Ethics – This section sets out the ethical principles and standards that
ISACA members are expected to uphold.

The principles that underpin the Code of Ethics for IT Auditors are as follows:

Integrity: IT auditors are expected to be honest and straightforward in all their dealings
and to maintain their professional independence and objectivity at all times. They should
avoid conflicts of interest and refrain from engaging in any activities that might impair
their professional judgment.

Objectivity: IT auditors should remain impartial and free from bias when performing their
work. They should ensure that their opinions and recommendations are based on sound
and objective analysis of the facts, and not influenced by personal or external factors.

Confidentiality: IT auditors are entrusted with sensitive information about the
organizations they audit, and they must maintain the confidentiality of this information
at all times. They should also respect the privacy of individuals whose personal
information may be involved in the audit.

Competence: IT auditors should possess the knowledge, skills, and experience necessary
to perform their work competently and professionally. They should maintain their
professional knowledge and skills through continuing education and professional
development.

Professional behavior: IT auditors should act in a manner that reflects positively on the
profession and maintains the public's trust and confidence in the integrity of the
profession. They should be aware of and comply with all applicable laws, regulations, and
professional standards.

These principles are intended to guide the behavior and actions of IT auditors, and to
ensure that they uphold the highest standards of professional conduct in their work.

3. Rules of Conduct – This section outlines specific rules of conduct that ISACA
members must follow. These rules cover areas such as professional
competence, due care, confidentiality, and conflicts of interest.

4. Disciplinary Procedures – This section outlines the procedures that ISACA
follows when investigating and disciplining members who violate the code of
ethics. It includes a range of disciplinary actions that may be taken against
members who breach the code, from private reprimands to expulsion from the
association.

Importance of objectivity and independence in IT auditing


Objectivity and independence are crucial in the IT auditing process because they help to
ensure the credibility and integrity of the audit results.

Objectivity means that the IT auditor must approach the audit with an open mind, free
from any biases, personal interests, or conflicts of interest. The IT auditor must evaluate
the evidence objectively and report the findings truthfully and accurately, without fear
or favor.

Independence, on the other hand, means that the IT auditor must be free from any
influences or pressures that may compromise their judgment or the audit results. This
includes both actual independence (being free from any financial or personal
relationships that could affect their judgment) and perceived independence (the
appearance of being free from such relationships). The IT auditor must also be
independent of the audited entity and any management or other parties involved in the
audited area.

The importance of objectivity and independence in IT auditing cannot be overstated.
Without these principles, the IT auditor's credibility and the integrity of the audit process
may be questioned, which could lead to mistrust, disputes, and legal and financial
consequences. Therefore, it is essential that IT auditors remain objective and
independent throughout the audit process to maintain their credibility and ensure the
validity and reliability of the audit results.

MODULE 3

One of the best practices for an audit function is to have an audit universe. The audit
universe is an inventory of all the potential audit areas within an organization. Basic
functional audit areas within an organization include sales, marketing, customer service,
operations, research and development, finance, human resource, information
technology, and legal. An audit universe documents the key business processes and risks
of an organization. Documenting processes and, particularly, risks has proved to be a
best practice for organizations. The IIA’s Performance Standard 2010 encourages the
establishment of risk-based plans to determine the priorities for internal audit activity.
An audit universe includes the basic functional audit area, organization objectives, key
business processes that support those organization objectives, specific audit objectives,
risks of not achieving those objectives, and controls that mitigate the risks. Tying the
audit universe to organizational objectives links the entire audit process to business
objectives and risks, making it easier to communicate the impact of control
deficiencies. Exhibit 1 shows an example of an audit universe related to the IT area of
an organization.
The audit universe is also an essential building block to a properly risk-based internal
audit process. Typically, internal audit groups prepare annual audit schedules to
determine the number of hours available and the number of audits that can be
performed. The audit universe is an ongoing process; as an organization changes, new
risks arise or existing risks change, and new regulations are introduced. Organizations
can either remove lower-priority audits from the schedule or hire external auditors to
supplement internal staff. IT audits, for example, have specific IT processes to include in
the audit universe. Control Objectives for Information and Related Technology (COBIT)
provides a comprehensive list of critical IT processes, which can be used as a starting
point.

COBIT is an authoritative, international set of generally accepted IT practices or control
objectives that help employees, managers, executives, and auditors in understanding IT
systems, discharging fiduciary responsibilities, and deciding adequate levels of security
and controls.
COBIT supports the need to research, develop, publicize, and promote up-to-date
internationally accepted IT control objectives. The primary emphasis of the COBIT
framework issued by Information Systems Audit and Control Foundation in 1996 is to
ensure that technology provides businesses with relevant, timely, and quality
information for decision-making purposes. The COBIT framework, now on its fifth
edition (COBIT 5), has evolved over the years, and each time there are major changes to
the framework, the framework is numbered to its current version.
The benefit of a standard framework for IT controls, such as COBIT, is that it allows
management to benchmark its environment and compare it to other organizations. IT
auditors can also use COBIT to substantiate their internal control assessments and
opinions. Because the framework is comprehensive, it provides assurances that IT
security and controls exist.
The COBIT framework makes a clear distinction between governance and management.
These two disciplines encompass different activities, require different organizational
structures and serve different purposes.

• Governance ensures that:
o Stakeholder needs, conditions and options are evaluated to
determine balanced, agreed-on enterprise objectives.
o Direction is set through prioritization and decision making.
o Performance and compliance are monitored against agreed-on
direction and objectives.

In most enterprises, overall governance is the responsibility of the board of directors,
under the leadership of the chairperson. Specific governance responsibilities may be
delegated to special organizational structures at an appropriate level, particularly in
larger, complex enterprises.

• Management plans, builds, runs and monitors activities, in alignment with the
direction set by the governance body, to achieve the enterprise objectives.

In most enterprises, management is the responsibility of the executive management,
under the leadership of the chief executive officer (CEO).
COBIT defines the components to build and sustain a governance system: processes,
organizational structures, policies and procedures, information flows, culture and
behaviors, skills, and infrastructure.
COBIT defines the design factors that should be considered by the enterprise to build a
best-fit governance system.
COBIT addresses governance issues by grouping relevant governance components into
governance and management objectives that can be managed to the required capability
levels.
Several misconceptions about COBIT should be dispelled:

• COBIT is not a full description of the whole IT environment of an enterprise.
• COBIT is not a framework to organize business processes.
• COBIT is not an (IT-)technical framework to manage all technology.
• COBIT does not make or prescribe any IT-related decisions. It will not decide
what the best IT strategy is, what the best architecture is, or how much IT can
or should cost. Rather, COBIT defines all the components that describe which
decisions should be taken, and how and by whom they should be taken.

COBIT® 2019 was developed based on two sets of principles:

• Principles that describe the core requirements of a governance system for
enterprise information and technology
• Principles for a governance framework that can be used to build a governance
system for the enterprise

The six principles for a governance system are (figure 2):

1. Each enterprise needs a governance system to satisfy stakeholder needs and
to generate value from the use of I&T. Value reflects a balance among
benefits, risk and resources, and enterprises need an actionable strategy and
governance system to realize this value.
2. A governance system for enterprise I&T is built from a number of components
that can be of different types and that work together in a holistic way.
3. A governance system should be dynamic. This means that each time one or
more of the design factors are changed (e.g., a change in strategy or
technology), the impact of these changes on the enterprise governance of
information and technology (EGIT) system must be considered. A dynamic
view of EGIT will lead toward a viable and future-proof EGIT system.
4. A governance system should clearly distinguish between governance and
management activities and structures.
5. A governance system should be tailored to the enterprise’s needs, using a set
of design factors as parameters to customize and prioritize the governance
system components.
6. A governance system should cover the enterprise end to end, focusing not
only on the IT function but on all technology and information processing the
enterprise puts in place to achieve its goals, regardless where the processing is
located in the enterprise.

The COBIT 5 framework is valuable for organizations of all sizes and types, including
commercial, not-for-profit, and public-sector organizations. The comprehensive
framework provides a set of control objectives that not only helps IT management and
governance professionals manage their IT operations, but also helps IT auditors in their
examination of those objectives.
The COBIT processes can be customized to the organization’s environment. IT auditors
can help audit management identify the applications associated with the critical business
and financial processes, as well as controls that are necessary to make the area being
audited free from significant exposures to risk. This objective also encompasses
validating adherence of the application systems under examination to appropriate
standards (e.g., financial accounting should conform to GAAP, etc.).
The next step in the planning process is to perform a risk assessment for each universe
item from Exhibit 1. The risk assessment will analyze exposures and help prioritize “high
risk” audit projects.

Risk assessments are considered the foundation of the audit function as they assist in
developing the process for planning individual audits. Specifically, risk assessments:

• improve the quality, quantity, and accessibility of planning data, such as risk
areas, past audits and results, and budget information;
• examine potential audit projects in the audit universe and choose those that
have the greatest risk exposure to be performed first; and
• provide a framework for allocating audit resources to achieve maximum
benefits.

Given the high number of potential audits that can be performed and often the limited
amount of audit resources, it is important to focus on the right audits. The risk
assessment approach provides explicit criteria for systematically evaluating and selecting
these audits.
In today’s environment, it is difficult to keep pace with organization and regulatory
changes to provide timely information on internal controls. Change increases the audit
universe, the number of business partners (i.e., vendors), and the number of projects
where an objective and independent perspective is needed. An effective risk assessment
planning process allows auditing to be more flexible and efficient to meet the needs of a
changing organization, such as:
• identifying new risk areas
• identifying changes in existing risk areas
• accessing current regulatory and legal information
• taking advantage of information gathered during the audit process to improve
risk assessment

Audit areas can be evaluated using a weighted scoring mechanism. However, audit
management must evaluate the results using their knowledge of the organization
objectives and environment to make sure the priorities reflect reality. Audit areas may
also be grouped to improve audit efficiency when reviewing similar processes. The
auditing function is cyclical in that it uses historical and current information for risk
assessment, evaluates controls, communicates results, and incorporates those results
back into the risk assessment.
In an IT risk assessment, for instance, financial applications are common audits/projects
to be ranked. Their risks can be identified, assessed, and prioritized. Controls
(safeguards) are also identified to be put in place to address and mitigate such risks. IT
risks surrounding financial applications can be identified through:

• Audits, reviews, inspections
• Reading flowcharts of operations
• Using risk analysis questionnaires
• Analyzing financial statement trends
• Completing insurance policy checklists

Absolute security from threats and risks in today’s technology environments is
unrealistic. Risk assessments, according to the National Institute of Standards and
Technology (NIST) Special Publication 800-30, are used to assist organizations in
determining the extent of potential threats and the risks associated with IT systems and
applications. The results assist management in identifying and implementing appropriate
IT controls for reducing or eliminating those threats and risks during the mitigation
process. NIST recommends that organizations follow these steps for a risk assessment:

1. Have a process in place to identify or characterize assets (e.g., financial
applications, etc.).
2. Define vulnerabilities on those assets and the threat-sources that can trigger
them.
3. Determine the likelihood or probability levels (e.g., very high, high, medium,
etc.) that vulnerabilities may be exercised. For example, probabilities of very
high = 1.00, high = 0.75, medium = 0.50, low = 0.25, and very low = 0.10 may
be assigned for each vulnerability based on the organization’s estimate of their
likelihood level.
4. Assign a magnitude of impact to determine how sensitive the asset may be
against successfully exercised threats. Magnitudes of impact and impact level
values are typically assigned by management for every successful threat that
may exercise a vulnerability.
5. Associate assets with correspondent IT and/or business risks.
6. Compute risk rating by multiplying the probability assigned from Step 3 above
(e.g., 1.00, 0.75, etc.) times the impact level value assigned in Step 4.
7. Recommend the controls that are needed to mitigate the risks according to
their priority or ranking.
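
The seven NIST steps above, together with the weighted scoring of audit areas described
earlier in this module, carried through as an added worked example in Python. This is
example code written for this page, not code from the textbook, from NIST, or from any
audit tool. The likelihood values are exactly those given in Step 3; the impact level values,
the thresholds used to label a rating, the scoring criteria with their weights, and every
sample risk and audit-universe item are assumed for illustration and would be set by
management and audit management in practice.

```python
from dataclasses import dataclass

# Likelihood (probability) values exactly as given in Step 3 of the text.
LIKELIHOOD = {"very high": 1.00, "high": 0.75, "medium": 0.50,
              "low": 0.25, "very low": 0.10}

# Impact level values are assigned by management (Step 4); these are
# assumed sample values, not values prescribed by the text.
IMPACT = {"high": 100, "medium": 50, "low": 10}

# Assumed thresholds for turning a numeric rating back into a level label.
HIGH_THRESHOLD = 50
MEDIUM_THRESHOLD = 10


@dataclass(frozen=True)
class Risk:
    """One row of an IT risk assessment (Steps 1, 2 and 5 of the text)."""
    asset: str          # characterized asset, e.g. a financial application
    vulnerability: str  # weakness present on the asset
    threat_source: str  # what could exercise the vulnerability
    likelihood: str     # a key of LIKELIHOOD
    impact: str         # a key of IMPACT
    control: str        # recommended mitigating control (Step 7)


def risk_rating(risk: Risk) -> float:
    """Step 6: probability from Step 3 times the impact level from Step 4."""
    if risk.likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood level: {risk.likelihood!r}")
    if risk.impact not in IMPACT:
        raise ValueError(f"unknown impact level: {risk.impact!r}")
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def risk_level(rating: float) -> str:
    """Label a rating as high, medium or low using the assumed thresholds."""
    if rating > HIGH_THRESHOLD:
        return "high"
    if rating > MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def rank_risks(risks):
    """Step 7: order the risks so the highest-rated one is addressed first."""
    return sorted(risks, key=risk_rating, reverse=True)


# Weighted scoring of audit universe items. Criteria and weights are assumed;
# audit management would choose ones that reflect the organization.
CRITERIA_WEIGHTS = {
    "financial_impact": 0.4,
    "regulatory_exposure": 0.3,
    "recent_change": 0.2,
    "time_since_last_audit": 0.1,
}


def weighted_score(ratings: dict) -> float:
    """Combine 1..5 ratings per criterion into one priority score."""
    if set(ratings) != set(CRITERIA_WEIGHTS):
        raise ValueError("ratings must cover exactly the defined criteria")
    for name, value in ratings.items():
        if not 1 <= value <= 5:
            raise ValueError(f"rating for {name} must be between 1 and 5")
    return round(sum(CRITERIA_WEIGHTS[k] * v for k, v in ratings.items()), 2)


def prioritize_audit_universe(items: dict) -> list:
    """Return (item name, score) pairs with the highest score first."""
    scored = [(name, weighted_score(r)) for name, r in items.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data for illustration only.
SAMPLE_RISKS = [
    Risk("General ledger application", "Shared administrative accounts",
         "Disgruntled insider", "high", "high",
         "Individual administrator accounts with periodic access review"),
    Risk("Payroll application", "Unpatched application server",
         "External attacker", "medium", "high",
         "Patch management with monthly compliance reporting"),
    Risk("Accounts payable system", "Program changes not logged",
         "Unauthorized change", "very high", "low",
         "Change management with approvals and an audit trail"),
    Risk("Treasury system", "Backups never restore-tested",
         "Hardware failure", "low", "medium",
         "Quarterly restore tests"),
]

SAMPLE_UNIVERSE = {
    "General ledger": {"financial_impact": 5, "regulatory_exposure": 5,
                       "recent_change": 2, "time_since_last_audit": 3},
    "Help desk system": {"financial_impact": 1, "regulatory_exposure": 1,
                         "recent_change": 3, "time_since_last_audit": 5},
    "Payroll": {"financial_impact": 4, "regulatory_exposure": 5,
                "recent_change": 4, "time_since_last_audit": 1},
}

if __name__ == "__main__":
    for risk in rank_risks(SAMPLE_RISKS):
        rating = risk_rating(risk)
        print(f"{rating:6.1f} {risk_level(rating):6} {risk.asset}: {risk.control}")
    for name, score in prioritize_audit_universe(SAMPLE_UNIVERSE):
        print(f"{score:4.1f} {name}")
```

The two rankings answer different questions: `rank_risks` orders the individual risks
found within one audit area so that the controls recommended in Step 7 are prioritized,
while `prioritize_audit_universe` orders the audit areas themselves for the annual
schedule. As the text notes, audit management still has to review the weighted results
against its knowledge of the organization before treating them as the final priorities.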

It is up to the organization to determine how to deal with the risks they have identified:
take a chance and live with them or take action to protect their assets. At the same time,
they must consider the costs associated with implementing controls, their impact on
users, the manpower required to implement and manage them, and the scope of the
action. Exhibit 3 shows an example of an IT risk assessment
performed to identify and prioritize risks within financial applications. Risk assessment is
covered in more detail in a later chapter.

The audit function should formulate both long-range and annual plans. Planning is a
basic function necessary to describe what must be accomplished, include budgets of
time and costs, and state priorities according to organizational goals and policies. The
objective of audit planning is to optimize the use of audit resources. To effectively
allocate audit resources, internal audit departments must obtain a comprehensive
understanding of the audit universe and the risks associated with each universe item.
Failure to select appropriate items can result in missed opportunities to enhance controls
and operational efficiencies. Internal audit departments that develop and maintain audit
universe files provide themselves with a solid framework for audit planning.
The intent of the audit plan is to provide an overall approach within which audit
engagements can be conducted. It provides the guidance for auditing the organization’s
integral processes.
The organization and its management must participate in and support this effort fully.
Commitment can be gained if participants recognize that a good plan can help pinpoint
problems in a highly dynamic, automated IT environment, for instance. Thus, it should be
the responsibility of all participants not only to help pinpoint such problems, but also to
assist in the measurement and quantification of problems.
Identifying, measuring, and quantifying problems in the IT area are difficult. The IT field
is technologically complex and has a language of its own. Participants in the formulation
of an IT audit plan, and particularly the IT auditors themselves, must have sufficient
experience and training in technical matters to be able to grasp key concepts and
abstractions about application systems. For example, abstractions about IT might include
significant aspects that are susceptible to naming, counting, or conceptualizing.
Understanding the systems at this level can lead to the identification of major problem
areas. Audit concentration, then, may be directed to the major problem areas most likely
to yield significant results.
Based on this identification of problems, the IT auditor determines what additional data
might be required to reach evaluation decisions. The audit process, therefore, must be
flexible enough to combine skilled personnel, new technology, and audit techniques in
new ways to suit each situation. However, this flexibility of approach requires
documentation in planned, directed steps. Systems that are understood poorly (or that
have been designed without adequate controls) can result in lost revenues, increased
costs, and perhaps disaster or fraud.
During the audit planning phase, the IT audit manager should meet with the chief
information officer (CIO) and senior members of IT management to gain their input and
concurrence with the risk assessment of the IT processes in the audit universe. If there is
an IT steering committee, the audit universe should be reviewed with it as well. This will
help ensure alignment between IT, business, and audit on the key risk areas. The meeting
with the CIO and IT managers must also introduce the audit staff and communicate the
scope, objectives, schedule, budget, and communication process to be used throughout
the engagement. This is also an opportunity for an open discussion of IT management’s
perception of risk areas, significant changes in the area under review, and identification
of appropriate contacts in IT.
An IT audit plan partitions the audit into discrete segments that describe application
systems as a series of manageable audit engagements and steps. At the detailed planning
or engagement level, these segments will have objectives that are custom-tailored to
implement organizational goals and objectives within the circumstances of the audit.
Thus, IT auditing does not call for “canned” approaches. There is no single series of
detailed steps that can be outlined once and then repeated in every audit. The audit plan,
therefore, is an attempt to provide an orderly approach within which flexibility can be
exercised. At a minimum, an IT audit plan, after gathering a comprehensive
understanding of the audit universe and the risks associated with each universe item,
should:

1. List the audit objectives and describe the context
2. Develop the audit schedule
3. Create the audit budget and define scope
4. List audit team members, describe audit tasks, determine deadlines

Objectives and Context

The objective and context of the work are key elements in any audit environment and
should not be overlooked. They are simply the basis by which all audits should be
approached. The objective is what is trying to be accomplished. The context is the
environment in which the work will be performed. Thus, everything ultimately depends
on both the objective and the context of the work to be performed. That is, the decisions
made about the scope, nature, and timing of the audit work depend on what the
auditor is trying to do (e.g., gain assurance of an Accounts Receivable balance, ensure
that a newly-implemented financial application will work correctly, assess whether a
client Website is secure, etc.) and the environment he/she is working in (e.g., a large
versus a small company, a domestic organization with a centralized system versus a
multinational with multiple divisions, a New York-based organization versus one based in
North Dakota, etc.).
Keep in mind that what works well for one organization may not work as well in another,
based on many combinations of objective and context. For example, if the IT auditor has
a General Controls Assessment, the audit objectives may be to verify that all controls
surrounding financial applications and related to the data center, information systems
operations, information security, and change control management are adequate.
Therefore, the IT auditor needs to verify the controls because the financial auditors are
relying on such financial computer systems to provide them with the correct financial
information. The context is where the auditor’s true analytical skills come into play. Here,
the environment is for the most part always different from shop to shop. The auditor
must assess the context for which he or she has entered and make a decision as to how
the environment should be addressed (e.g., big company, small company, large staff,
small staff, etc.).
By defining appropriate objectives and context of the work, management can ensure
that the audit will verify the correct functioning and control of all key audit areas. A
common objective/ context set for IT audits is to support financial statement audits.
IT Audits Conducted to Support Financial Statement Audits
Once the auditor has gained a general familiarity with the client’s accounting and
financial procedures, specific areas of audit interest must be identified. The auditor must
decide what applications will have to be examined at a more detailed level. For
applications used to support significant business processes, the auditor must determine
their sophistication and extent of use. This preliminary study goes just deep enough for
the auditor to evaluate the complexity and sophistication of the applications and
determine the procedures to be followed in evaluating their internal controls.
Understanding financial applications and determining whether IT controls are in place to
effectively secure them and the information generated represent a significant process as
it relates to the overall financial statement audit. Results of an IT audit over financial
applications have direct bearing on the substantive testing performed by financial
auditors. Substantive testing involves audit procedures necessary to examine and
support the financial statements (e.g., confirming account balances, examining
documentation, re-performing procedures, inquiring about or observing a transaction,
etc.). These procedures provide the evidence needed to support the assertion that
financial records of the organization are indeed valid, accurate, and complete.
The results or findings from an IT audit typically determine the amount of substantive
tests that will be performed by financial auditors. If results are effective (i.e., IT controls
are found to be in place and operating properly), the work of the financial auditor would
most likely be less on that particular part of the audit. On the other hand, if there are no
IT controls in place protecting the financial applications, or if existing IT controls are not
operating effectively, the amount of substantive testing performed by the financial
auditor will be much higher. This can have significant implications to the audit, such as
the time it takes to complete the audit, increased costs to the client, etc. The remainder
of this chapter is focused on IT audits conducted to support financial statement audits.
The next step within the audit plan is the development of an audit schedule.
Audit Schedule
Internal auditing departments create annual audit schedules to gain agreement from the
board on audit areas, communicate audit areas with the functional departments, and
create a project/resource plan for the year. The audit schedule should be linked to
current business objectives and risks based on their relative cost in terms of potential
loss of goodwill, loss of revenue, or noncompliance with laws and regulations.
Annual schedule creation is the process of determining the total audit hours available,
then assigning universe items (audit areas) to fill the available time. As mentioned
previously, to maximize the risk assessment process, “high risk” universe items should be
given top audit priority. Schedule creation should be performed in conjunction with the
annual risk assessment process; this will enable internal audit departments to account for
the changes in risk rankings and make any necessary additions or deletions to the audit
universe. Of course, the audit schedule will also need to be agreed with the audit
committee as part of the overall audit planning process. Once the available audit hours
are determined, audit management can continue preparing the audit plan.
Planning and scheduling are ongoing tasks as risks, priorities, available resources, and
timelines change. When these changes take place, it is important to communicate them
to the audit committee, board, and all other impacted functional departments.
Audit Budget and Scoping
Ideally, the audit budget should be created after the audit schedule is determined.
However, most organizations have budget and resource constraints. An alternative
approach may be necessary when building the audit schedule. After determining the
audit priorities, audit management will determine the number of available hours to
decide how many audits they can complete in a year. For a particular IT audit, available
hours are listed per area, staff personnel, etc. Exhibit 4 illustrates an example of a
budget in an IT audit.
The scope of an audit defines the area(s) (e.g., relevant financial applications, databases,
operating systems, networks, etc.) to be reviewed. The names of the financial
applications and databases should also be described along with their hosting information
(e.g., server location, etc.). The scope should clearly identify the critical business process
supported by the selected financial application. This association typically justifies the
relevance of the application and, hence, its inclusion as part of the audit. The scope
should further state the general control areas, control objectives, and control activities
that would undergo review. Exhibit 5a and Exhibit 5b show examples of scoping for
applications and control objectives, respectively, in an IT audit.
Audit Team, Tasks, and Deadlines
The audit plan must include a section listing the members of the audit, their titles and
positions, and the general tasks they will have. For instance, a typical audit involves staff
members, seniors, managers, or senior managers, and a partner, principal, or director
(PPD) who will be overseeing the entire audit. At a staff level (usually those auditors with
less than 3 years of experience), most of the field work is performed, including gathering
documentation, meeting with personnel, and creating audit work papers, among others.
Senior-level auditors not only supervise the work of staff auditors, but guide them in
performing the work (e.g., accompany staff auditors to meet with users, assist the staff in
selecting what specific information should be gathered, how to document such
information in the working papers, etc.). Next are the managers or senior managers
(senior managers are typically involved as part of large audits) that supervise the audit
work prepared by the staff and reviewed by the senior. Managers perform detailed
reviews of the work papers and ensure the audit objectives have been achieved.
Managers meet frequently with audit clients, and provide them with audit status,
preliminary findings identified, hours incurred and left to finish, etc. Managers also
provide frequent status of the audit work to the PPD assigned, to which they report
directly. Lastly, the PPD performs a high-level review of the work (as provided by
managers), focusing on high-risk areas, controls in place that are not adequately
designed nor operating effectively, findings identified and their impact to the overall
audit, etc. PPDs tend to rely on the detailed reviews performed by managers or senior
managers, and also ensure the overall objectives of the audit have been achieved.
Deadlines are a critical component of an audit plan. They should be reviewed and agreed
with the client organization from the start of the audit so that they comply with
requirements established by third parties (e.g., banks, financial institutions, etc.) and
regulators (e.g., government, private organizations, etc.). Deadlines should be well
thought out, taking into account the information and resources that must be available to
perform the audit work within the established requirements.
An audit planning memo (“planning memo”) is part of the auditor working papers and
documents the sections just described. The planning memo is typically prepared by the
audit engagement senior, and reviewed by the manager before submitting it to the PPD
for approval. Appendix 1 shows the format of a typical IT planning memo, including the
procedures which may be performed by an IT auditor in connection with an audit
engagement. The planning memo may be tailored for the specific facts and circumstances
of the audit engagement. This includes removing sections which are not applicable. The
memo in Appendix 1 includes some wording in italics that is either enclosed within
brackets or parentheses. This format is used to indicate information to be replaced as
applicable, or that guides the completion of the memo.
Audit Process
Statement on Auditing Standards (SAS No. 1) has the effect of mandating a uniform,
process-oriented approach to audit engagements. The approach depicted is a true
process technique. That is, audits follow a series of logical, orderly steps, each designed
to accomplish specific end results. This is also the case for an IT audit. The difference in
an IT audit is the specialized approach to the audit work and the skills needed to
understand technology and the IT control environment. The phases of auditing activities
typically overlap and involve some reassessment and retracing of procedures performed
earlier. Common phases of an audit engagement are shown in Exhibit 6. The first two
phases, Risk Assessment and Audit Plan, have been explained above. Following are
explanations of the remaining phases related to an IT audit.
Preliminary Review
In this phase, the auditor should obtain and review summary-level information and
evaluate it in relation to the audit objectives. The purpose of the preliminary review
phase of an IT audit engagement is to gather an understanding of the IT environment,
including the controls in place that are essential to meet the overall audit objectives. The
IT auditor conducts this preliminary review at a general level, without examining details
of individual applications and the processes involved. Instead, the IT auditor interviews
key personnel to determine policies and practices and prepares supplemental audit
information as required. Preliminary review information serves as a basis for supporting
the information included in the IT audit plan.
General Information about IT Environment
As previously discussed, IT is defined as the hardware, software, communication, and
other facilities used to input, store, process, transmit, and output data in whatever form.
The IT environment refers to the policies, procedures, and practices implemented by
organizations to program, test, deliver, monitor, control, and support their IT
infrastructure (e.g., hardware, software, networks, etc.). The IT environment also includes
the applications and programs used by organizations to support critical business
operations (i.e., financial operations) and achieve business strategies.
The IT auditor begins the examination process by becoming acquainted, generally, with
the company, its line of business, and the IT environment, including its financial
application systems. Typically, an IT auditor would tour the client company’s facilities
and observe general business operations that bear upon customer service as well as on
strictly financial functions.
Given this familiarity, the next level of general data gathering would include the
preparation of organizational charts, particularly those for the accounting and IT
functions. If organizational charts are unavailable, the IT auditor should develop them.
Once drawn, the charts should be reviewed and verified with appropriate personnel (i.e.,
key executives in the accounting and IT areas) to secure an agreement that they
represent the actual organization structure. During these interviews, the IT auditor
would also secure copies of the company’s chart of accounts and an accounting
standards manual, if available.
IT auditors must gain a deep understanding of the IT environment, particularly how the
organization responds to risks arising from IT, and whether the IT controls in place have
been adequately designed and operate effectively to address those risks. From a
financial standpoint, knowledge about the IT environment is crucial for IT auditors in
order to understand how financial transactions are initiated, authorized, recorded,
processed, and reported in the financial statements.
For application systems in which the organization uses computers to process significant
financial data, the IT auditor would gather a number of specific items of evidential
matter, such as:

• Policies and procedures that the organization implements and the IT
infrastructure and application software that it uses to support business
operations and achieve business strategies.
• Narratives or overview flowcharts of the financial applications, including
server names, make and model, supporting operating systems, databases, and
physical locations, among others.
• Whether the financial applications are in-house developed, purchased with
little or no customization, purchased with significant customization, or
proprietary provided by a service organization.
• Whether service organizations host financial applications and if so, what
these applications are and which relevant services they perform.
• Controls in place supporting the area of information systems operations, such
as those supporting job scheduling, data backup and restoration, and offsite
storage.
• Controls in place supporting the area of information security, such as those
supporting authentication techniques (i.e., passwords), new access or
termination procedures, use of firewalls and how they are configured, physical
security, etc.
• Controls in place supporting the area of change control management, such as
those supporting the implementation of changes into applications, operating
systems, and databases; testing whether access of programmers is adequate;
etc.

Methods applied in gathering these data include reviewing computer information
systems and human interface practices, procedures, documents, narratives, flowcharts,
and record layouts. Other audit procedures implemented to gather data include:
observing, interviewing, inspecting existing documentation, and flowcharting, among
others. Physical inspection techniques are used both to gather data and to validate
existing documents or representations made during the interviews. For example, a single
visit to the computer/data center can provide both data gathering and validation
opportunities for determining equipment configurations, library procedures, operating
procedures, physical security controls, existing environmental controls, and other data
control procedures.
Many of these procedures are substantially the same regardless of whether the
accounting system is computerized or not. Differences associated with the audit of
computerized systems center around changes in controls, documentation, audit
techniques, and technical qualifications required by audit staff members. Appendix 2
shows an example of the types of questions and information that should be documented
when gathering an understanding of an IT environment.
Design Audit Procedures
In this phase, the IT auditor must prepare an audit program for the areas being audited,
select control objectives applicable to each area, and identify procedures or activities to
assess such objectives. An audit program differs from an internal control questionnaire
(ICQ) in that an ICQ involves questions to evaluate the design of the internal control
system. Particularly, ICQs check whether controls are implemented to detect, prevent, or
correct a material misstatement. Controls not in place would represent a deviation or
deficiency in the internal control structure. An audit program, on the other hand,
contains specific procedures to test the responses received from the questions asked,
thus substantiating that the controls identified are in place and work as expected by
management.
An audit program is a formal plan for reviewing and testing each significant audit subject
area disclosed during fact gathering. The auditor should select subject areas for testing
that have a significant impact on the control of the application and those that are within
the scope defined by the audit objectives. IT audit areas are very specific to the type of
audit. For IT, COBIT is an excellent starting point as it lists risks, objectives, and key
controls per IT audit area. This information then has to be customized to the particular
organization objectives, processes, and technology. Appendix 3 illustrates examples of
IT Audit Programs for the general control IT areas.
Identifying Financial Applications
With the help of management, the IT auditor must decide what application systems will
have to be examined at a more detailed level (i.e., scoping). As a basis for preparation of
the audit plan, the IT auditor must also determine, in general, how much time will be
required, what types of people and skills will be needed to conduct the examination; and,
roughly, what the schedule will be. The identification of financial applications can be
accomplished with the auditor gaining familiarity with the organization’s accounting
procedures and processes. The importance of determining the significant financial
applications has to be derived through preliminary analysis.
The assessment of the sophistication of the application, its complexity, the business
process it supports, and extent of use are factors that come into play in deciding
whether to select such an application and how one might evaluate it. As stated before,
the preliminary review phase is a critical step in the audit process that examines an
organization’s financial systems and provides the auditor with a basis for selecting audit
areas, whether manual or computerized, for more detailed analysis and evaluation.
Auditors involved in reviewing financial applications should focus their concerns on the
application’s control aspects. This requires their involvement from the time a transaction
is initiated until it is posted into the organization’s general ledger. Specifically, auditors
must ensure that provisions are made for:

• An adequate audit trail so that transactions can be traced forward and
backward through the financial application
• The documentation and existence of controls over the accounting for all data
(e.g., transactions, etc.) entered into the application and controls to ensure the
integrity of those transactions throughout the computerized segment of the
application
• Handling exceptions to, and rejections from, the financial application
• Unit and integrated testing, with controls in place to determine whether the
applications perform as stated
• Controls over changes to the application to determine whether the proper
authorization has been given and documented
• Authorization procedures for application system overrides and documentation
of those processes
• Determining whether organization and government policies and procedures
are adhered to in system implementation
• Training user personnel in the operation of the financial application
• Developing detailed evaluation criteria so that it is possible to determine
whether the implemented application has met predetermined specifications
• Adequate controls between interconnected application systems
• Adequate security procedures to protect the user’s data
• Backup and recovery procedures for the operation of the application and
assurance of business continuity
• Ensuring technology provided by different vendors (i.e., operational platforms)
is compatible and controlled
• Adequately designed and controlled databases to ensure that common
definitions of data are used throughout the organization, redundancy is
eliminated or controlled, and data existing in multiple databases is updated
concurrently

This list affirms that the IT auditor is primarily concerned with adequate controls to
safeguard the organization’s assets.
Test Controls
The IT auditor executes several procedures in order to test controls, processes, and
apparent exposures. These audit procedures may include examining documentary
evidence, as well as performing corroborating interviews, inspections, and personal
observations. Documentary evidence may consist of a variety of forms of documentation
on the application system under review. Examples include notes from meetings on
subject system, programmer notes, systems documentation, screenshots, user manuals,
and change control documentation for any system or operation changes since
inception, and a copy of the contract if third parties are involved. Examining such
documentary evidence may require the IT auditor to ask questions of the user, developer
and managers to help him or her establish the appropriate test criteria to be used. It also
helps in identifying the critical application and processes to be tested. Corroborating
interviews are also part of the testing process, and may include procedures such as:

• Asking different personnel the same question and comparing their answers
• Asking the same question in different ways at different times
• Comparing answers to supporting documentation, work papers, programs,
tests, or other verifiable results
• Comparing answers to observations and actual system results

An example would involve interviewing a programmer for an application under review.
The programmer states that the application has undergone recent changes not reflected
in the current documentation. It is very important to identify what those changes were if
those areas of the application were to be selected for control testing.
For inspection of documentation, the IT auditor can obtain the logical settings (i.e.,
passwords) currently configured at the organization’s network, operating system, and
financial application levels. Of particular importance is to obtain and assess the
network’s configured logical settings as this is the first level of authentication before
users can gain access to the financial applications. The settings received are then
compared against the organization’s password policy to determine whether or not they
are in compliance with such policies. In the absence of a password policy, the
organization’s logical settings configured are compared against industry standards or
best practices. Documentation supporting the above settings is usually first obtained
through interviewing information security personnel.
Another common audit procedure to test and validate information would be to observe
actual procedures taking place. In the example above, the IT auditor would observe the
settings configured in the financial application and request organization personnel to
print out a screenshot for documentation in the audit working papers.
Exhibit 7a shows an example of common documentation obtained supporting the
password settings configured. In this case, settings such as enforced password history,
minimum (or maximum) password age, minimum password length, password complexity,
account lockout duration and threshold, and whether passwords have been stored using
reversible encryption are some of the settings that are typically gathered. An IT auditor
working paper documenting testing of some of these settings would look like the one
in Exhibit 7b. Notice on the table the actual password settings
configured documented at the network (or the first authentication level), operating
system, and financial applications levels. Also notice notes and tickmarks (explanations)
about the information therein and, most importantly, the assessment of whether the
client password settings comply with either the existing company policy, or industry
standards and best practices. When settings do not comply with the policy or industry
standards or best practices, audit exceptions (findings) are written up and listed in a
separate working paper. This working paper will eventually assist when writing up the
findings/deficiency section of the Management Letter. A second example of observation
as a test procedure would involve an IT auditor examining a disaster recovery exercise.
Here, the IT auditor could determine whether personnel followed appropriate
procedures and processes. Through personal observations, the auditor can assess and
determine whether personnel are following operating procedures and plans, and are
adequately prepared for the simulated disaster.
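The password-setting test described above (settings gathered at the network, operating system, and financial application levels, compared against the company policy or, when none exists, an industry baseline, with every non-compliant setting written up as an exception) as an added Python example; this is not code from the textbook, and the policy values, the baseline, and the configured settings are all constructed sample data.

```python
"""Compare configured password settings with policy and write up exceptions.

Added example, not from the textbook. The policy, the "industry baseline"
and the settings per authentication level are constructed sample data.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Requirement:
    """One policy requirement for a single password setting."""
    minimum: Optional[Any] = None   # configured value must be >= minimum
    maximum: Optional[Any] = None   # configured value must be <= maximum
    equals: Optional[Any] = None    # configured value must equal this

    def is_met_by(self, value: Any) -> bool:
        if self.equals is not None:          # also handles equals=False
            return value == self.equals
        if self.minimum is not None and value < self.minimum:
            return False
        if self.maximum is not None and value > self.maximum:
            return False
        return True

    def describe(self) -> str:
        if self.equals is not None:
            return f"= {self.equals}"
        parts = []
        if self.minimum is not None:
            parts.append(f">= {self.minimum}")
        if self.maximum is not None:
            parts.append(f"<= {self.maximum}")
        return " and ".join(parts)


# Constructed company password policy (not a real organization's policy).
COMPANY_POLICY: Dict[str, Requirement] = {
    "enforce_password_history": Requirement(minimum=12),
    "minimum_password_age_days": Requirement(minimum=1),
    "maximum_password_age_days": Requirement(maximum=90),
    "minimum_password_length": Requirement(minimum=8),
    "password_complexity_enabled": Requirement(equals=True),
    # A lockout threshold of 0 means lockout is disabled, so require at least 1.
    "account_lockout_threshold": Requirement(minimum=1, maximum=5),
    "account_lockout_duration_minutes": Requirement(minimum=30),
    "store_reversible_encryption": Requirement(equals=False),
}

# Constructed stand-in for "industry standards or best practices", used only
# when the client has no password policy. Assumed values, not a published standard.
INDUSTRY_BASELINE: Dict[str, Requirement] = {
    "enforce_password_history": Requirement(minimum=24),
    "minimum_password_age_days": Requirement(minimum=1),
    "maximum_password_age_days": Requirement(maximum=90),
    "minimum_password_length": Requirement(minimum=12),
    "password_complexity_enabled": Requirement(equals=True),
    "account_lockout_threshold": Requirement(minimum=1, maximum=10),
    "account_lockout_duration_minutes": Requirement(minimum=15),
    "store_reversible_encryption": Requirement(equals=False),
}

# Constructed settings "obtained" from information security personnel at the
# three authentication levels the working paper documents.
SAMPLE_SETTINGS: Dict[str, Dict[str, Any]] = {
    "network": {
        "enforce_password_history": 24, "minimum_password_age_days": 1,
        "maximum_password_age_days": 90, "minimum_password_length": 8,
        "password_complexity_enabled": True, "account_lockout_threshold": 5,
        "account_lockout_duration_minutes": 30, "store_reversible_encryption": False,
    },
    "operating system": {
        "enforce_password_history": 5, "minimum_password_age_days": 0,
        "maximum_password_age_days": 180, "minimum_password_length": 8,
        "password_complexity_enabled": True, "account_lockout_threshold": 0,
        "account_lockout_duration_minutes": 30, "store_reversible_encryption": True,
    },
    "financial application": {   # reversible-encryption setting not configurable here
        "enforce_password_history": 3, "minimum_password_age_days": 1,
        "maximum_password_age_days": 60, "minimum_password_length": 6,
        "password_complexity_enabled": False, "account_lockout_threshold": 10,
        "account_lockout_duration_minutes": 15,
    },
}


@dataclass
class AuditException:
    """One line of the separate exceptions working paper."""
    level: str
    setting: str
    configured: Any
    required: str
    basis: str


def assess_password_settings(configured_by_level: Dict[str, Dict[str, Any]],
                             company_policy: Optional[Dict[str, Requirement]] = None) -> Dict[str, Any]:
    """Compare every level's settings with the policy (or the baseline when the
    client has no policy) and write up each non-compliant setting as an exception.
    Settings the client could not provide are listed as not evaluated, so the
    working paper shows them instead of silently treating them as compliant."""
    if company_policy:
        policy, basis = company_policy, "company password policy"
    else:
        policy, basis = INDUSTRY_BASELINE, "industry baseline (assumed)"
    exceptions: List[AuditException] = []
    not_evaluated: List[Tuple[str, str]] = []
    for level, settings in configured_by_level.items():
        for setting, requirement in policy.items():
            if setting not in settings:
                not_evaluated.append((level, setting))
                continue
            value = settings[setting]
            if not requirement.is_met_by(value):
                exceptions.append(AuditException(level, setting, value,
                                                 requirement.describe(), basis))
    return {"basis": basis, "exceptions": exceptions, "not_evaluated": not_evaluated}


def exceptions_for_level(result: Dict[str, Any], level: str) -> List[AuditException]:
    """Filter the exceptions working paper down to one authentication level."""
    return [e for e in result["exceptions"] if e.level == level]


if __name__ == "__main__":
    result = assess_password_settings(SAMPLE_SETTINGS, COMPANY_POLICY)
    print(f"Basis for assessment: {result['basis']}")
    for e in result["exceptions"]:
        print(f"[{e.level}] {e.setting}: configured {e.configured}, required {e.required}")
    for level, setting in result["not_evaluated"]:
        print(f"[{level}] {setting}: not obtained, not evaluated")
```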
Substantive Testing
Where controls are determined not to be effective, substantive testing may be required
to determine whether there is a material issue with the resulting financial information. In
an IT audit, substantive testing is used to determine the accuracy and completeness of
information being generated by a process or application. This contrasts with compliance
testing, where the auditor’s goal is to confirm whether the organization is adhering to
applicable policies, procedures, rules, and regulations. An example of a compliance test procedure
would be verifying that a change or upgrade in a financial application was adequately
tested, approved, and documented prior to its implementation.
Substantive audit tests are designed and conducted to verify the functional accuracy,
efficiency, and control of the audit subject. During the audit of a financial application, for
example, the IT auditor would build and process test data to verify the processing steps
of such an application.
Auditing-through-the-computer is a term that involves steps in addition to those
mentioned previously. Programs are executed on the computer to test and authenticate
application programs that are run in normal processing. Usually, the financial audit team
will select one of the many Generalized Audit Software packages such as SAS, SPSS,
Computer-Assisted Audit Techniques (CAATs), or CA-Easytrieve(T) and determine what
changes are necessary to run the software at the installation. Financial auditors use this
specific software to do sampling, data extraction, exception reporting, summarize and
foot totals, and other tasks. They also use packages such as Microsoft Access, Excel,
IDEA, or ACL because of their in-depth analyses and reporting capabilities.
CAATs, for example, use auditor-supplied specifications to generate a program that
performs audit functions, such as evaluating application controls, selecting and analyzing
computerized data for substantive audit tests, etc. In essence, CAATs automate and
simplify the audit process, and this is why audit teams (external and internal) are
increasingly using them. In fact, many organizations have Generalized Audit Software
already installed for their internal auditors to allow them to gather information and
conduct the planned audit tests. The appropriate selection and effective use of these
audit tools are essential not only to perform adequate audit testing but also to document
results.
Document Results
The next phase of an audit involves documenting results of the work performed, as well
as reporting on the findings. Audit results should include a description of audit findings,
conclusions, and recommendations.
Audit Findings
The terms finding, exception, deficiency, deviation, problem, and issue are basically
synonymous in the audit world, and mean the auditor identified a situation where
controls, procedures, or efficiencies can be improved. Findings identify and describe
inaccurate, inefficient, or inadequately controlled audit subjects. An example of an IT
audit finding would be a change implemented into a financial application that did not
include proper management authorization. Another example would include the IT
auditor discovering that the organization’s procedures manual does not require
management’s permission before implementing changes into applications.
Audit findings should be individually documented and should at least include the
following:

• Name of the IT environment (operating system hosting the relevant financial
application(s)) evaluated
• IT area affected (IS operations, information security, change control
management)
• Working paper test reference where the finding was identified
• General control objective(s) and activity(ies) that failed
• Brief description of the finding
• Where the finding is formally communicated to management (this should
reference the Management Letter within the Audit Report)
• The individual classification of the finding per audit standard AU 325,
Communications About Control Deficiencies in an Audit of Financial
Statements, as either a deficiency, significant deficiency, or a material
weakness*
• Evaluation of the finding, specifically whether it was identified at the design
level (i.e., there is no general control in place) or at the operational level (i.e.,
the general control was in place, but did not test effectively)
• Whether or not the finding represents a pervasive or entity-level risk
• Whether the finding can be mitigated by other compensating general controls,
and if so, include reference to where these controls have been tested
successfully

An audit finding form (e.g., General Computer Controls Findings Form, etc.) can be used
to review the control issues identified with the responsible IT manager in order to agree
on corrective action. This information can then be used to prepare the formal
Management Letter that will accompany the Audit Report and the corrective action
follow-ups. Taking corrective action could result in enhanced productivity; the
deterrence of fraud; or the prevention of monetary loss, personal injury, or
environmental damage. Exhibit 8 shows an example of a worksheet that may be used to
summarize the individual findings identified during an IT audit.
Conclusions and Recommendations
Conclusions are auditor opinions, based on documented evidence, that determine
whether an audit subject area meets the audit objective. All conclusions must be based
on factual data obtained and documented by the auditor as a result of audit activity. The
degree to which the conclusions are supported by the evidence is a function of the
amount of evidence secured by the auditor. Conclusions are documented in the audit
working papers and should support the audit procedures performed. Working papers are
the formal collection of pertinent writings, documents, flowcharts, correspondence,
results of observations, plans and results of tests, the audit plan, minutes of meetings,
computerized records, data files or application results, and evaluations that document
the auditor activity for the entire audit period. A complete, well-organized, cross-
referenced, and legible set of working papers is essential to support the findings,
conclusions, and recommendations as stated in the Audit Report. Typically, a copy of the
final Audit Report is filed in the working papers.
Recommendations are formal statements that describe a course of action that should be
implemented by the company’s management to restore or provide accuracy, efficiency,
or adequate control of audit subjects. A recommendation should be provided by the
auditor for each audit finding for the report to be useful to management.
Communication
The value of an audit depends, in large part, on how efficiently and effectively its results
are communicated. At the conclusion of audit tests, it is best to discuss the identified
findings with IT management to gain their agreement and begin any necessary corrective
action. Findings, risks as a result of those findings, and audit recommendations are
usually documented on the Management Letter (in a separate section of the Audit
Report). Refer to Exhibit 9 for an example of the format of a Management Letter from an
IT audit.
On receipt of the Management Letter, IT management and affected staff should review
the document immediately. Those items not already completed should be handled and
followed-up. Within a relatively short time, the fact that all discrepancies have been
corrected should be transmitted to the audit staff in a formal manner. These actions are
noted in the audit files, and such cooperation reflects favorably in future audits.
It is important to track corrective action to verify that findings have been remediated.
This requires a formal process to track corrective actions, target dates, and status for
reporting to IT management, the audit committee, and the board.
At the close of the audit, a draft Audit Report is issued for review by all impacted parties.
The review process will go much faster if findings have already been agreed with
management during the testing and conclusion phase. After the Audit Report has been
finalized, it is a good practice to schedule an exit meeting involving both the IT and
financial sides. Typically, invitations to the exit meeting are sent to the CIO and the Chief
Financial Officer (CFO) (or Controller if the CFO is not available) to discuss the audit, as
well as to review the audit objectives and ask for feedback on the performance of the
audit team. This meeting will provide valuable information into the performance of the
audit staff and lessons learned for improving future engagements.
To summarize the audit process explained in this chapter, refer to Exhibit 10.
Besides supporting financial statement audits, there are other highly-demanded audit
areas conducted in IT. These are briefly described next.
Enterprise Architecture
IT management must develop organizational procedures to ensure a controlled and
efficient architecture for information processing. These procedures should also specify
the computers and peripheral equipment required to support all functions in an
economic and timely manner. With enterprise systems being very critical to medium-size
and large businesses today, the need to monitor and validate operational integrity of an
enterprise resource planning system is an important process. IT audit plays an important
role in maintaining, validating, and monitoring the enterprise architecture.
Computerized Systems and Applications
A computerized systems and applications type of audit verifies that the organization’s
systems and applications (operational and non-financial in nature) are:

• appropriate to the users’ needs,
• efficient, and
• adequately controlled to ensure valid, reliable, timely, and secure input,
processing, and output at current and projected levels of system activity.

Information Processing Facilities
An audit of the information processing facility ensures timely, accurate, and efficient
processing of applications under normal and potentially disruptive conditions.
Systems Development
An IT audit related to systems development would make certain that applications and
systems under development meet the objectives of the organization, satisfy user
requirements, and provide efficient, accurate, and cost-effective applications and
systems. This type of audit ensures that applications and systems are written, tested, and
installed in accordance with generally accepted standards for systems development.
Business Continuity Planning/Disaster Recovery Planning
According to the SysAdmin, Audit, Network, Security (SANS) Institute, a business
continuity (or resiliency) plan (BCP) incorporates activities and procedures to recover all
business operations (not just IT) from interruptions or adverse events.* A disaster
recovery plan (DRP) incorporates a set of procedures to recover and protect the
organization’s IT infrastructure in the event of an emergency or disaster.
Both plans should be formally documented, and kept updated within the organization.
A BCP audit evaluates how an organization’s continuity processes are being managed.
This type of audit defines the risks or threats to the success of the plan, and assesses the
controls in place to determine whether those risks or threats are acceptable and in line
with the organization’s objectives.† This audit also quantifies the
impact of weaknesses of the plan and offers recommendations for business continuity
plan improvements.
DRP audits help ensure that the IT infrastructure and all related equipment used to
develop, test, operate, monitor, manage, and/or support IT services (e.g., hardware,
software, networks, data centers, etc.) are adequately maintained and protected to
ensure their continued availability consistent with organizational objectives. A DRP audit
considers factors such as alternate site designation, training of personnel, and insurance
issues, among others.