An information technology audit, or information systems audit, is an
examination of the management controls within an Information technology
infrastructure. The evaluation of obtained evidence determines if the
information systems are safeguarding assets, maintaining data integrity, and
operating effectively to achieve the organization's goals or objectives.
These reviews may be performed in conjunction with a financial statement
audit, internal audit, or other form of attestation engagement.
IT audits are also known as "automated data processing audits" and "computer
audits". They were formerly called "electronic data processing audits".
Purpose

An IT audit is different from a financial statement audit. While a financial
audit's purpose is to evaluate
whether an organization is adhering to standard accounting practices, the
purposes of an IT audit are to evaluate the system's internal control design and
effectiveness. This includes, but is not limited to, efficiency and security
protocols, development processes, and IT governance or oversight. Installing
controls is necessary but not sufficient to provide adequate security.
People responsible for security must consider whether the controls are installed
as intended, whether they are effective, whether any breach in security has
occurred and, if so, what actions can be taken to prevent future breaches. These inquiries
must be answered by independent and unbiased observers. These observers are
performing the task of information systems auditing. In an Information
Systems environment, an audit is an examination of information systems,
their inputs, outputs, and processing. The primary functions of an IT audit are
to evaluate the systems that are in place to guard an organization's
information. Specifically, information technology audits are used to evaluate
the organization's ability to protect its information assets and to properly
dispense information to authorized parties. The IT audit aims to evaluate
the following:

- Will the organization's computer systems be available for the business at all
  times when required?
- Will the information in the systems be disclosed only to authorized users?
- Will the information provided by the system always be accurate, reliable, and
  timely?

In this way, the audit hopes to assess the risk to the company's valuable assets
and establish methods of minimizing those risks.

Also known as: Information Systems Audit, ADP audits, EDP audits, computer
audits

Types of IT audits
Various authorities have created differing taxonomies to distinguish the
various types of IT audits. Goodman & Lawless state that there are three
specific systematic approaches to carry out an IT audit:

- Technological innovation process audit. This audit constructs a risk profile
  for existing and new projects. The audit will assess the length and depth of
  the company's experience in its chosen technologies, as well as its presence
  in relevant markets, the organization of each project, and the structure of
  the portion of the industry that deals with this project or product.
- Innovative comparison audit. This audit is an analysis of the innovative
  abilities of the company being audited, in comparison to its competitors. This
  requires examination of the company's research and development facilities, as
  well as its track record in actually producing new products.
- Technological position audit. This audit reviews the technologies that the
  business currently has and that it needs to add. Technologies are
  characterized as being either "base", "key", "pacing" or "emerging".

Others describe the spectrum of IT audits with five categories of audits:

- Systems and Applications: An audit to verify that systems and applications
  are appropriate, are efficient, and are adequately controlled to ensure valid,
  reliable, timely, and secure input, processing, and output at all levels of a
  system's activity.
- Information Processing Facilities: An audit to verify that the processing
  facility is controlled to ensure timely, accurate, and efficient processing of
  applications under normal and potentially disruptive conditions.
- Systems Development: An audit to verify that the systems under development
  meet the objectives of the organization, and to ensure that the systems are
  developed in accordance with generally accepted standards for systems
  development.
- Management of IT and Enterprise Architecture: An audit to verify that IT
  management has developed an organizational structure and procedures to ensure
  a controlled and efficient environment for information processing.
- Client/Server, Telecommunications, Intranets, and Extranets: An audit to
  verify that telecommunications controls are in place on the client, server,
  and on the network connecting the clients and servers.
And some lump all IT audits into one of only two types: "general control
review" audits or "application control review" audits.
A number of IT audit professionals from the Information Assurance realm consider
there to be three fundamental types of controls regardless of the type of audit
to be performed, especially in the IT realm. Many frameworks and standards try
to break controls into different disciplines or arenas, terming them "Security
Controls", "Access Controls" or "IA Controls" in an effort to define the types
of controls involved. At a more fundamental level, these controls can be shown
to consist of three types:

- Protective/Preventative Controls
- Detective Controls
- Reactive/Corrective Controls

In an IS environment, there are two types of auditors and audits: internal and
external. IS auditing is usually a part of accounting internal auditing, and is
frequently performed by corporate internal auditors. An external auditor reviews
the findings of the internal audit as well as the inputs, processing and outputs
of information systems. The external audit of information systems is frequently
a part of the overall external auditing performed by a Certified Public
Accountant firm.
IS auditing considers all the potential hazards and controls in information
systems. It focuses on issues like operations, data, integrity, software
applications, security, privacy, budgets and expenditures, cost control, and
productivity. Guidelines are available to assist auditors in their jobs, such
as those from Information Systems Audit and Control Association.
IT Audit process

The following are basic steps in performing the Information Technology Audit
Process:

1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up reports
= Security =

Auditing information security is a vital part of any IT audit and is often
understood to be the primary purpose of an IT audit. The broad scope of auditing
information security includes such topics as data centers, networks and
application security. Like most technical realms, these topics are always
evolving; IT auditors must constantly continue to expand their knowledge and
understanding of the systems and environments they audit.
Several training and certification organizations have evolved. Currently,
the major certifying bodies, in the field, are the Institute of Internal
Auditors, the SANS Institute and ISACA. While CPAs and other traditional
auditors can be engaged for IT Audits, organizations are well advised to
require that individuals with some type of IT specific audit certification are
employed when validating the controls surrounding IT systems.
History of IT Auditing

The concept of IT auditing was formed in the mid-1960s. Since that time, IT
auditing has gone through numerous changes, largely due to advances in
technology and the incorporation of technology into business. Currently, there
are many IT-dependent companies that rely on information technology in order to
operate their business, e.g. telecommunication or banking companies. For other
types of business, IT plays a big part in the company, including the use of
workflow systems instead of paper request forms, the use of application controls
instead of manual controls (which is more reliable), or the implementation of an
ERP application so that the organization runs on only one application.
Accordingly, the importance of IT audit has constantly increased. One of the
most important roles of the IT audit is to audit the critical systems in order
to support the financial audit or to support compliance with specific
regulations, e.g. SOX.

Audit personnel
= Qualifications =

The CISM and CAP credentials are the two newest security auditing credentials,
offered by ISACA and (ISC)², respectively. Strictly speaking, only the CISA or
GSNA title would sufficiently demonstrate competences regarding both
information technology and audit aspects, with the CISA being more audit
focused and the GSNA being more information technology focused. Outside of the
US, various credentials exist. For example, the Netherlands has the RE
credential, which among others requires a post-graduate IT-audit education from
an accredited university, subscription to a Code of Ethics, and adherence to
continuous education requirements.

= Professional certifications =
- Certified Information Systems Auditor
- Certified Internal Auditor
- Certified in Risk and Information Systems Control
- Certification and Accreditation Professional
- Certified Computer Professional
- Certified Information Privacy Professional
- Certified Information Systems Security Professional
- Certified Information Security Manager
- Certified Public Accountant
- Certified Internal Controls Auditor
- Forensics Certified Public Accountant
- Certified Fraud Examiner
- Chartered Accountant
- Certified Commercial Professional Accountant
- Certified Accounts Executive
- Certified Professional Internal Auditor
- Certified Professional Management Auditor
- Chartered Certified Accountant
- GIAC Certified System & Network Auditor
- Certified Information Technology Professional (to certify, auditors should
  have 3 years of experience)
- Certified e-Forensic Accounting Professional
- Certified ERP Audit Professional

Emerging Issues
There are also new audits being imposed by various standards boards which are
required to be performed, depending upon the audited organization, and which
affect IT and ensure that IT departments are performing certain functions and
controls appropriately in order to be considered compliant. Examples of such
audits are SSAE 16, ISAE 3402, and ISO 27001:2013.

= Web Presence Audits =
The extension of the corporate IT presence beyond the corporate firewall has
elevated the importance of incorporating web presence audits into the IT/IS
audit. The purposes of these audits include ensuring the company is taking the
necessary steps to:

- rein in use of unauthorized tools
- minimize brand and reputation damage
- maintain regulatory compliance
- prevent information leakage
- mitigate third-party risk
- minimize governance risk

See also
= Computer Forensics =

- Computer forensics
- Data analysis

= Operations =

- Helpdesk and incident reporting auditing
- Change management auditing
- Disaster recovery and business continuity auditing
- SAS 70

= Miscellaneous =

- XBRL assurance
- OBASHI: The OBASHI Business & IT methodology and framework

= Irregularities and Illegal Acts =

- AICPA Standard: SAS 99 Consideration of Fraud in a Financial Statement Audit
- Computer fraud case studies

External links

- A career as Information Systems Auditor, by Avinash Kadam
- IT Audit Careers guide
- Federal Financial Institutions Examination Council
- Information Systems Audit & Control Association
- The need for CAAT Technology
- Open Security Architecture: Controls and patterns to secure IT systems
- American Institute of Certified Public Accountants
- IT Services Library