Information technology audit: Difference between revisions
m Reverted edits by Bradgarland (talk) to last version by GLKeeney |
→US Regulations and Legislation Related to IT Audits: Removed external link in article body. My bad. |
||
| Line 57: | Line 57: | ||
Companies with Sarbanes-Oxley certification delays and material weaknesses caused by IT issues: |
Companies with Sarbanes-Oxley certification delays and material weaknesses caused by IT issues: |
||
* [ |
* [[Captaris Inc.]] - material weakness and filing delay due to inadequate internal controls and related IT controls per SOX requirements |
||
* [[Cray Inc.]] - numerous material weaknesses in internal control over financial reporting, specifically, inadequate review of third-party contracts and lack of software application controls and documentation |
* [[Cray Inc.]] - numerous material weaknesses in internal control over financial reporting, specifically, inadequate review of third-party contracts and lack of software application controls and documentation |
||
Revision as of 04:16, 29 September 2007
 |
An information technology audit, or information systems audit, is an examination of the controls within an Information technology (IT) infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. Formerly called an Electronic data processing (EDP) audit, an IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives.
IT audits are also known as automated data processing (ADP) audits and computer audits.
Purpose
An IT audit is not entirely similar to a financial statement audit. An evaluation of internal controls may or may not take place in an IT audit. Reliance on internal controls is a unique characteristic of a financial audit. An evaluation of internal controls is necessary in a financial audit, in order to allow the auditor to place reliance on the internal controls, and therefore, substantially reduce the amount of testing necessary to form an opinion regarding the financial statements of the company. An IT audit, on the other hand, tends to focus on determining risks that are relevant to information assets, and in assessing controls in order to reduce or mitigate these risks. An IT audit may take the form of a "general control review" or an "application control review". Regarding the protection of information assets, one purpose of an IT audit is to review and evaluate an organization's information system's availability, confidentiality, and integrity by answering questions like:
- Will the organization's computer systems be available for the business at all times when required? (Availability)
- Will the information in the systems be disclosed only to authorized users? (Confidentiality)
- Will the information provided by the system always be accurate, reliable, and timely? (Integrity).
There are 3 systematic approaches to carry out an IT audit(goodman and lawless) [citation needed]:
- technological innovation process audit: the aim is to construct a risk profile for existing and new projects by assessing the length and depth of company's experience in its chosen technologies, markets, project organization and industry structure
- innovative comparison audit: analysis of innovative abilities compared to competitors. It requires examination of company's track record in new products, research and development facilities, etc.
- technological position audit: this reviews the technologies needed by the business and places them in one of the four categories of base, key, pacing and emerging
Types of IT
- Systems and Applications: an audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
- Information Processing Facilities: an audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
- Systems Development: an audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
- Management of IT and Enterprise Architecture: an audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
- Client/Server, Telecommunications, Intranets, and Extranets: an audit to verify that controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.
IT Audit Process
The following are basic steps in performing the Information Technology Audit Process:
- Planning
- Studying and Evaluating Controls
- Testing and Evaluating Controls
- Reporting
- Follow-up
History of IT Auditing
The concept of IT auditing was formed in the mid-1960s and has gone through numerous changes due to advances in technology and the incorporation of technology into business.
IT Audit Topics
US Regulations and Legislation Related to IT Audits
Several information technology audit related laws and regulations have been introduced in the United States since 1977. These include the Gramm Leach Bliley Act, the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, the London Stock Exchange Combined Code, King II, and the Foreign Corrupt Practices Act.
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley Act (SOX)
- Foreign Corrupt Practices Act (FCPA)
Companies with Sarbanes-Oxley certification delays and material weaknesses caused by IT issues:
- Captaris Inc. - material weakness and filing delay due to inadequate internal controls and related IT controls per SOX requirements
- Cray Inc. - numerous material weaknesses in internal control over financial reporting, specifically, inadequate review of third-party contracts and lack of software application controls and documentation
European Union Regulations and Legislation Related to IT Audits
Security
Auditing information security is a vital part of any IT audit. Within the broad scope of auditing information security we find topics such as data centers, networks and application security. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, highlighting key components and methods for auditing these areas. This technical realm is always changing, requiring IT auditors to continue expanding their knowledge and understanding of the systems and environment.
Evaluating IT Audit Personnel Qualifications
There is no pre-defined skill set that is required when evaluating the qualifications of IT audit personnel. Since auditors will be responsible for evaluating the controls affecting the recording and safekeeping of assets, it is recommended that IT personnel have detail knowledge regarding information systems with a general understanding of accounting principles. Usually, it is desirable that IT audit personnel have received or qualify to receive the Certified Information Systems Auditor (CISA), Certified Internal Auditor (CIA), Certified Information Systems Security Professional (CISSP), Certified Public Accountant (CPA), Diploma in Information System Audit (DISA from ICAI) and Certification and Accreditation Professional (CAP) credentials. The CISM and CAP credentials are the two newest security auditing credentials, offered by the ISACA and ISC2, respectively. Strictly speaking, only the CISA title would sufficiently demonstrate competences regarding both information technology and audit aspects.
Outside of the US, various credentials exist, with differing value and safeguards of professionalism. E.g., the Netherlands has the RE credential (as granted by the NOREA(Dutch site) IT-auditors' association), which among others requires a post-graduate IT-audit education from an accredited university, subscription to a Code of Ethics, and adherence to strict continuous education requirements.
Employees involved in IT audits
- Board of directors
- Senior management
- Audit management
- External audit staff
- Internal audit staff
- Operations managers
Professional certifications of note
- Certified Information System Auditor (CISA)
- Certified Internal Auditor (CIA)
- Certification and Accreditation Professional (CAP)
- Certified Computer Professional (CCP)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified Public Accountant (CPA)
- Chartered Accountant (CA)
Emerging Issues
Technology changes rapidly and so do the issues that IT auditors face. Some emerging issues include biometric retinal scans, changes in physical security, and transmitting data from cell phones.
See also
- IT audit resources
- Famous IT Auditors & Experts
- Information technology audit - operations
- Ethical Hacking - operations
Operations
- Backup systems and recovery
- Helpdesk and incident reporting auditing
- Change management auditing
- Software development life cycle auditing
- Disaster recovery and business continuity auditing
- SAS 70
Computer Forensics
Irregularities and Illegal Acts
- ISACA Standard: S9 Irregularities and Illegal Acts
- AICPA Standard: SAS 99 Consideration of Fraud in a Financial Statement Audit
- Computer fraud case studies
External links
- A career as Information Systems Auditor, by Avinash Kadam (Network Magazine)
- IT Auditing: An Adaptive Process, by Robert E. Davis
- Federal Financial Institutions Examination Council (FFIEC)
- Information Systems Audit & Control Association (ISACA)
- EC-Council
- IT Audit and Infromation Security blog