Information technology audit
Encyclopedia
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology
(IT) infrastructure
. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity
, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit
, internal audit
, or other form of attestation engagement.
IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing
(EDP) audits".
. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
have created differing taxonomies
to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:
Others describe the spectrum of IT audits with five categories of audits:
And some lump all IT audits as being one of only two type: "general control review" audits or "application control review" audits.
A number of IT Audit professionals from the Information Assurance
realm consider there to be three fundamental types of controls regardless of the type of audit to be performed, especially in the IT realm. Many frameworks and standards try to break controls into different disciplines or arenas, terming them “Security Controls“, ”Access Controls“, “IA Controls” in an effort to define the types of controls involved. At a more fundamental level, these controls can be shown to consist of three types of fundamental controls: Protective/Preventative Controls, Detective Controls and Reactive/Corrective Controls.
is a vital part of any IT audit and is often understood to be the primary purpose of an IT Audit. The broad scope of auditing information security includes such topics as data centers (the physical security of data centers and the logical security of databases, servers and network infrastructure components), networks and application security. Like most technical realms, these topics are always evolving; IT auditors must constantly continue to expand their knowledge and understanding of the systems and environment& pursuit in system company.
Several training and certification organizations have evolved. Currently, the major certifying bodies, in the field, are the Institute of Internal Auditors
(IIA), the SANS Institute (specifically, the audit specific branch of SANS and GIAC) and ISACA. While CPAs and other traditional auditors can be engaged for IT Audits, organizations are well advised to require that individuals with some type of IT specific audit certification are employed when validating the controls surrounding IT systems.
Outside of the US, various credentials exist. For example, the Netherlands
has the RE credential (as granted by the NOREA [Dutch site] IT-auditors' association), which among others requires a post-graduate IT-audit education from an accredited university
, subscription to a Code of Ethics, and adherence to strict continuous education requirements.
Information technology
Information technology is the acquisition, processing, storage and dissemination of vocal, pictorial, textual and numerical information by a microelectronics-based combination of computing and telecommunications...
(IT) infrastructure
Infrastructure
Infrastructure is basic physical and organizational structures needed for the operation of a society or enterprise, or the services and facilities necessary for an economy to function...
. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity
Data integrity
Data Integrity in its broadest meaning refers to the trustworthiness of system resources over their entire life cycle. In more analytic terms, it is "the representational faithfulness of information to the true state of the object that the information represents, where representational faithfulness...
, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit
Financial audit
A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion...
, internal audit
Internal audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk...
, or other form of attestation engagement.
IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing
Electronic data processing
Electronic Data Processing can refer to the use of automated methods to process commercial data. Typically, this uses relatively simple, repetitive activities to process large volumes of similar information...
(EDP) audits".
Purpose
An IT audit is different from a financial statement auditFinancial audit
A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion...
. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
Types of IT audits
Various authoritiesSchool (discipline)
A school of thought is a collection or group of people who share common characteristics of opinion or outlook of a philosophy, discipline, belief, social movement, cultural movement, or art movement....
have created differing taxonomies
Taxonomy
Taxonomy is the science of identifying and naming species, and arranging them into a classification. The field of taxonomy, sometimes referred to as "biological taxonomy", revolves around the description and use of taxonomic units, known as taxa...
to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:
- Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.
- Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of company's research and development facilities, as well as its track record in actually producing new products.
- Technological position audit: This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".
Others describe the spectrum of IT audits with five categories of audits:
- Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
- Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
- Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems developmentSystems Development Life CycleThe systems development life cycle , or software development life cycle in systems engineering, information systems and software engineering, is a process of creating or altering information systems, and the models and methodologies that people use to develop these systems.In software engineering...
. - Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processingInformation processingInformation processing is the change of information in any manner detectable by an observer. As such, it is a process which describes everything which happens in the universe, from the falling of a rock to the printing of a text file from a digital computer system...
. - Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the networkComputer networkA computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
connecting the clients and servers.
And some lump all IT audits as being one of only two type: "general control review" audits or "application control review" audits.
A number of IT Audit professionals from the Information Assurance
Information Assurance
Information assurance is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes...
realm consider there to be three fundamental types of controls regardless of the type of audit to be performed, especially in the IT realm. Many frameworks and standards try to break controls into different disciplines or arenas, terming them “Security Controls“, ”Access Controls“, “IA Controls” in an effort to define the types of controls involved. At a more fundamental level, these controls can be shown to consist of three types of fundamental controls: Protective/Preventative Controls, Detective Controls and Reactive/Corrective Controls.
IT Audit Process
The following are basic steps in performing the Information Technology Audit Process:- Planning
- Studying and Evaluating Controls
- Testing and Evaluating Controls
- Reporting
- Follow-up
Security
Auditing information securityAuditing information security
An information security audit is an audit on the level of information security in an organization. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized...
is a vital part of any IT audit and is often understood to be the primary purpose of an IT Audit. The broad scope of auditing information security includes such topics as data centers (the physical security of data centers and the logical security of databases, servers and network infrastructure components), networks and application security. Like most technical realms, these topics are always evolving; IT auditors must constantly continue to expand their knowledge and understanding of the systems and environment& pursuit in system company.
Several training and certification organizations have evolved. Currently, the major certifying bodies, in the field, are the Institute of Internal Auditors
Institute of Internal Auditors
Established in 1941, The Institute of Internal Auditors is a guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession's global voice, chief advocate, recognized authority, and principal educator, with global headquarters in Altamonte Springs, Fla., United...
(IIA), the SANS Institute (specifically, the audit specific branch of SANS and GIAC) and ISACA. While CPAs and other traditional auditors can be engaged for IT Audits, organizations are well advised to require that individuals with some type of IT specific audit certification are employed when validating the controls surrounding IT systems.
History of IT Auditing
The concept of IT auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business.Qualifications
The CISM and CAP credentials are the two newest security auditing credentials, offered by the ISACA and ISC2, respectively. Strictly speaking, only the CISA or GSNA title would sufficiently demonstrate competences regarding both information technology and audit aspects with the CISA being more audit focused and the GSNA being more information technology focused.Outside of the US, various credentials exist. For example, the Netherlands
Netherlands
The Netherlands is a constituent country of the Kingdom of the Netherlands, located mainly in North-West Europe and with several islands in the Caribbean. Mainland Netherlands borders the North Sea to the north and west, Belgium to the south, and Germany to the east, and shares maritime borders...
has the RE credential (as granted by the NOREA [Dutch site] IT-auditors' association), which among others requires a post-graduate IT-audit education from an accredited university
University
A university is an institution of higher education and research, which grants academic degrees in a variety of subjects. A university is an organisation that provides both undergraduate education and postgraduate education...
, subscription to a Code of Ethics, and adherence to strict continuous education requirements.
Professional certifications
- Certified Information System AuditorCertified Information System AuditorCertified Information Systems Auditor is a professional certification for Information Technology Audit professionals sponsored by ISACA, formerly the Information Systems Audit and Control Association...
(CISA) - Certified in Risk and Information Systems Control (CRISC)
- Certified Internal Auditor (CIA)
- Certification and Accreditation Professional (CAP)
- Certified Computer Professional (CCP)
- Certified Information Privacy Professional (CIPP)
- Certified Information Systems Security ProfessionalCertified Information Systems Security ProfessionalCertified Information Systems Security Professional is an independent information security certification governed by International Information Systems Security Certification Consortium ²...
(CISSP) - Certified Information Security ManagerCertified Information Security ManagerCertified Information Security Manager is a certification for information security managers awarded by ISACA...
(CISM) - Certified Public AccountantCertified Public AccountantCertified Public Accountant is the statutory title of qualified accountants in the United States who have passed the Uniform Certified Public Accountant Examination and have met additional state education and experience requirements for certification as a CPA...
(CPA) - Certified Internal Controls Auditor (CICA)
- Forensics Certified Public Accountant (FCPA)
- Certified Fraud ExaminerCertified Fraud ExaminerThe Certified Fraud Examiner is a credential awarded by the Association of Certified Fraud Examiners . The ACFE association is the world's largest anti-fraud organization and premier provider of anti-fraud training and education...
(CFE) - Chartered AccountantChartered AccountantChartered Accountants were the first accountants to form a professional body, initially established in Britain in 1854. The Edinburgh Society of Accountants , the Glasgow Institute of Accountants and Actuaries and the Aberdeen Society of Accountants were each granted a royal charter almost from...
(CA) - Chartered Certified AccountantChartered Certified AccountantChartered Certified Accountant was historically seen as a British qualified accountant designation awarded by the Association of Chartered Certified Accountants . However, although ACCA is UK based, it is a global body for professional accountants with 147,000 qualified members and 424,000...
(CCA) - GIAC Certified System & Network Auditor (GSNA)
- Certified Information Technology Professional Certified Information Technology ProfessionalCertified Information Technology Professional is a Certified Public Accountant recognized for their technology expertise and unique ability to bridge the gap between business and technology...
(CITP), to certify, auditors should have 3 years experience.
Emerging Issues
There are also new audits being imposed by various standard boards which are required to be performed, depending upon the audited organization, which will affect IT and ensure that IT departments are performing certain functions and controls appropriately to be considered compliant. An example of such an audit is the newly minted SSAE 16.Computer Forensics
- Computer forensicsComputer forensicsComputer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media...
- Data analysisData analysis (information technology)Computer-assisted audit techniques or computer-aided audit tools , also known as computer-assisted audit tools and techniques , is a growing field within the financial audit profession. CAATTs is the practice of using computers to automate or simplify the audit process...
Operations
- Helpdesk and incident reporting auditingHelpdesk and incident reporting auditingHelp desk and incident reporting auditing is an examination of the controls within the help desk operations. The audit process collects and evaluates evidence of an organization's help desk and incident reporting practices, and operations...
- Change management auditingChange management auditingChange management is an auditing procedure for mitigating risks associated with the changes made to an IT system. Limiting unauthorized changes and having proper segregation of duties controls in place is essential to reduce the risk of implementing IT changes into production environments which...
- Disaster recovery and business continuity auditingDisaster recovery and business continuity auditingDisaster recovery and business continuity refers to an organization’s ability to recover from a disaster and/or unexpected event and resume or continue operations. Organizations should have a plan in place that outlines how this will be accomplished...
- SAS 70
Miscellaneous
- XBRL assuranceXBRL assuranceXBRL assurance is the auditor’s opinion on whether a financial statement or other business report published in XBRL, is relevant, accurate, complete, and fairly presented. An XBRL report is an electronic file and called instance in XBRL terminology....
- OBASHIOBASHIThe OBASHI® methodology provides a framework and method for capturing, illustrating and modeling the relationships, dependencies and dataflows between business and Information technology assets and resources in a business context....
The OBASHI Business & IT methodology and framework
Irregularities and Illegal Acts
- AICPA Standard: SAS 99SAS 99Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit, commonly abbreviated as SAS 99, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants in October 2002. The original exposure draft was...
Consideration of Fraud in a Financial Statement Audit - Computer fraud case studiesComputer fraud case studiesComputer fraud is the use of information technology to commit fraud. In the United States, computer fraud is specifically proscribed by the Computer Fraud and Abuse Act, which provides for jail time and fines.-Notable incidents:...
External links
- A career as Information Systems Auditor, by Avinash Kadam (Network Magazine)
- IT Audit Careers guide
- Federal Financial Institutions Examination Council (FFIEC)
- Information Systems Audit & Control Association (ISACA)
- Open Security Architecture- Controls and patterns to secure IT systems
- American Institute of Certified Public Accountants (AICPA)
- IT Services Library (ITIL)