Introduction to IT Auditing
The process for controlling an organization's IT resources, including information and communication systems, and technology.
Using IT to promote an organization's objectives and enable business processes, and to manage and control IT-related risks.
CobiT's IT Governance Management Guideline
Identifies critical success factors, key goal and performance indicators, and an IT governance
IT governance framework begins with setting IT objectives and measures and compares
performance against them.
IT and Transaction (Tx) Processing
The IS collects transaction data
The IS turns data into information
Computerized Tx systems increase some risks and decrease others
What do IT auditors do?
Ensure IT governance by assessing risks and monitoring controls over those risks
Work as either an internal or external auditor
Work on many kinds of audit engagements
Financial vs IT Audits
IT auditors may work on financial audit engagements
IT auditors may work on every step of the financial audit engagement
Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
IT audit work on financial audit engagements is likely to increase as internal control evaluation
becomes more important
IT Audit Skills
College education: IS, computer science, accounting
Certifications: CPA, CFE, CIA, CISA, CISSP, and special technical certifications
Technical IT audit skills: specialized technologies
General personal and business skills
Professional Groups and Certifications: Alphabet Soup
AICPA: CPA and CITP
How to Structure an IT Audit
AICPA Standards and Guidelines: GAAS, SAS, and SSAE
IFAC Guidelines: harmonized or common international accounting standards and guidelines
ISACA standards, guidelines, and procedures: includes CobiT and audit standards
An Overview of the Book
Section I: an introduction to IT audit, the legal and ethical environment of the IT audit, and an introduction to risks and controls
Section II: risks over specific processes and technologies: deployment of IS, operation of IS, network systems, and e-business systems
Section III: how to do an IT audit: use of CAATs and a step-by-step IT audit
Appendices: ACL tutorial and IT audit glossary
Ethical & Legal Issues (Intro)
Why a Code of Ethics?
Not all people act ethically under all circumstances.
Written guidelines are not a guarantee, but ethical codes help keep honest people honest!
Six Good Reasons for Organizations to Develop Codes of Ethical Conduct
1. Define acceptable behaviors for relevant parties;
2. Promote high standards of practice throughout the organization;
3. Provide a benchmark for organizational members to use for self-evaluation;
4. Establish a framework for professional behavior, obligations and responsibilities;
5. Offer a vehicle for occupational identity;
6. Reflect a mark of occupational maturity.
Ten Ethical Standards set forth by ISACA
1. Support the implementation of, and encourage compliance with, appropriate standards,
procedures and controls for information systems.
2. Serve in the interest of relevant parties in a diligent, loyal and honest manner, and shall not
knowingly be a party to any illegal or improper activities.
3. Maintain the privacy and confidentiality of information obtained in the course of their duties
unless disclosure is required by legal authority. Such information shall not be used for personal
benefit or released to inappropriate parties.
4. Perform their duties in an independent and objective manner and avoid activities that impair, or
may appear to impair, their independence or objectivity.
5. Maintain competency in their respective fields of auditing and information systems control.
6. Agree to undertake only those activities which they can reasonably expect to complete with
7. Perform their duties with due professional care.
8. Inform the appropriate parties of the results of information systems audit and/or control work
performed, revealing all material facts known to them, which if not revealed could either distort
reports of operations or conceal unlawful practices.
9. Support the education of clients, colleagues, the general public, management, and boards of
directors in enhancing their understanding of information systems auditing and control.
10. Maintain high standards of conduct and character and not engage in acts discreditable to the
Failure to comply:
Can result in investigation
Ultimately in disciplinary action
IRREGULAR AND ILLEGAL ACTS
Irregular act: reflects an intentional violation of corporate policies or regulatory requirements, or an unintentional breach of law
Illegal act: represents a willful violation of law
EXAMPLES
Nonconformity with agreements & contracts between the organization & third parties
Violations of intellectual property rights
Noncompliance with other regulations & laws.
Who is responsible for prevention, detection, and reporting?
Management is responsible for the prevention and detection of irregular and illegal acts, not the
Characterization should be made by a qualified expert.
CPAs are qualified to determine if acts are material to financial statements.
What is the IT Auditor's Responsibility?
ISACA guideline:
IT auditors are not qualified to determine whether an irregular, illegal or erroneous act has occurred.
Overview of Responsibilities
1. Plan the IT audit engagement based on an assessed level of risk that irregular and illegal acts might occur, and that such acts could be material to the subject matter of the IT auditor's report.
2. Design audit procedures that consider the assessed risk level for irregular and illegal acts.
3. Review the results of audit procedures for indications of irregular and illegal acts.
4. Report suspected irregular and illegal acts to one or more of the following parties:
The IT auditor's immediate supervisor and possibly corporate governance bodies, such as the board of directors or audit committee;
Appropriate personnel within the organization, such as a manager who is at least one level above those
who are suspected to have engaged in such acts.
If top management is suspected, then refer to corporate governance bodies only.
Legal counsel or other appropriate external experts.
5. Assume that the act is not isolated;
6. Determine how the act slipped through the internal control system;
7. Broaden audit procedures to consider the possibility of more acts of this nature;