Information technology audit
An information technology audit, or information systems audit, is an examination of the controls within an information technology (IT) infrastructure. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of the obtained evidence determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
IT audits are also known as automated data processing (ADP) audits and computer audits. They were formerly called electronic data processing (EDP) audits.
An IT audit should not be confused with a financial statement audit. While there may be some abstract similarities, a financial audit's primary purpose is to evaluate whether an organization is adhering to standard accounting practices. The primary functions of an IT audit are to evaluate the system's efficacy and security protocols, in particular the organization's ability to protect its information assets and to properly dispense information to authorized parties. The IT audit's agenda may be summarized by the following questions:
* Will the organization's computer systems be available for the business at all times when required? ("Availability")
* Will the information in the systems be disclosed only to authorized users? ("Confidentiality")
* Will the information provided by the system always be accurate, reliable, and timely? ("Integrity")
The IT audit focuses on identifying the risks that are relevant to information assets and on assessing the controls in place to reduce or mitigate those risks. Implementing controls reduces the effect of risks but cannot eliminate them entirely.
Types of IT audits
Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carrying out an IT audit (Goodman & Lawless 1994, §8):
* Technological innovation process audit. The aim of this audit is to construct a risk profile for existing and new projects. The audit assesses the length and depth of the company's experience in its chosen technologies, its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with the project or product.
* Innovative comparison audit. This audit, as its name implies, analyzes the innovative abilities of the company being audited in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
* Technological position audit. This audit reviews the technologies that the business currently has and those that it needs to add. Technologies are characterized as being either "base", "key", "pacing", or "emerging".
Others describe the spectrum of IT audits with five categories:
* Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
* Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
* Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
* Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
* Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that controls are in place on the client (the computer receiving services), the server, and the network connecting the clients and servers.
Still others classify every IT audit as one of only two types: a "general control review" or an "application control review".
IT Audit Process
The following are the basic steps in performing an information technology audit:
# Studying and Evaluating Controls (establishing what controls exist and whether they are designed appropriately for the risks they address)
# Testing and Evaluating Controls (gathering evidence that the controls actually operated as designed over the period under review)
Auditing information security is a vital part of any IT audit. The broad scope of auditing information security includes such topics as data centers (the physical security of data centers and the logical security of databases), networks, and application security. Like most technical realms, these topics are always evolving; IT auditors must continually expand their knowledge and understanding of the systems and environment they audit.
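As an added illustration of the second step, testing controls against evidence, the following Python script is not part of the original article: it re-performs two logical-access control tests of the kind an IT auditor runs over a user population when reviewing the logical security of a data center. The control wording (terminated users' accounts disabled within one day; every enabled privileged account enrolled in MFA), the HR termination list, the identity-provider export and the zero tolerable-deviation rate are all constructed for this example and are not taken from the page.

```python
"""Control tests over constructed audit evidence (example only).

Step 1 (study and evaluate) is reading the access policy and confirming
the control is designed to meet it; step 2 (test and evaluate) is what
this script does: re-perform the control over the whole population and
record every deviation as an audit exception.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    privileged: bool
    mfa_enrolled: bool
    disabled_on: Optional[date]  # None when the account was never disabled


# Constructed evidence: HR termination list (username -> last working day).
HR_TERMINATIONS: Dict[str, date] = {
    "alice": date(2024, 3, 1),
    "bob": date(2024, 3, 4),
    "carol": date(2024, 3, 15),
}

# Constructed evidence: identity-provider export pulled on the audit date.
IDP_EXPORT: List[Account] = [
    Account("alice", False, False, True, date(2024, 3, 1)),  # disabled on time
    Account("bob", False, True, True, date(2024, 3, 12)),    # disabled a week late
    Account("carol", True, False, False, None),              # left, still enabled
    Account("dave", True, True, True, None),                 # admin with MFA
    Account("erin", True, True, False, None),                # admin without MFA
    Account("frank", True, False, False, None),              # ordinary user, not in scope
]


def leaver_exceptions(terminations, accounts, grace_days=1):
    """Control: a terminated user's account is disabled within grace_days
    of the last working day. Returns one record per deviation."""
    by_name = {a.username: a for a in accounts}
    exceptions = []
    for user, last_day in terminations.items():
        acct = by_name.get(user)
        if acct is None:
            continue  # no account exists; HR/IdP reconciliation is a separate test
        deadline = last_day + timedelta(days=grace_days)
        if acct.enabled:
            exceptions.append({"user": user, "finding": "still enabled", "days_late": None})
        elif acct.disabled_on is None:
            exceptions.append({"user": user, "finding": "no disable date recorded", "days_late": None})
        elif acct.disabled_on > deadline:
            exceptions.append({"user": user, "finding": "disabled late",
                               "days_late": (acct.disabled_on - deadline).days})
    return exceptions


def privileged_mfa_exceptions(accounts):
    """Control: every enabled privileged account has MFA enrolled."""
    return [a.username for a in accounts if a.enabled and a.privileged and not a.mfa_enrolled]


def conclude(population, exceptions, tolerable_rate=0.0):
    """Auditor's conclusion on operating effectiveness: the observed deviation
    rate is compared with the tolerable rate fixed when the test was planned."""
    if population == 0:
        return "not testable"
    return "effective" if exceptions / population <= tolerable_rate else "ineffective"


def run_control_tests(terminations=HR_TERMINATIONS, accounts=IDP_EXPORT):
    """Re-perform both tests and return the workpaper summary."""
    leavers = leaver_exceptions(terminations, accounts)
    admins = [a for a in accounts if a.enabled and a.privileged]
    no_mfa = privileged_mfa_exceptions(accounts)
    return {
        "leaver_control": {
            "population": len(terminations),
            "exceptions": leavers,
            "conclusion": conclude(len(terminations), len(leavers)),
        },
        "privileged_mfa_control": {
            "population": len(admins),
            "exceptions": no_mfa,
            "conclusion": conclude(len(admins), len(no_mfa)),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_control_tests(), indent=2, default=str))
```

Two practitioner points the script encodes: the identity-provider export should be obtained by the auditor directly from the system rather than supplied by the control owner, since the evidence is only as good as its provenance; and re-performing the test over the full population, where the data allows it, removes the sampling risk that a manual review of a handful of accounts would carry.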
History of IT Auditing
The concept of IT auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business.
International law regarding IT auditing
US Regulations and Legislation Related to IT Audits
Several laws and regulations related to information technology audits have been introduced in the United States since 1977. These include the Foreign Corrupt Practices Act (1977), the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Sarbanes-Oxley Act. Governance codes outside the US that are often cited alongside them include the London Stock Exchange Combined Code (United Kingdom) and King II (South Africa).
European Union Regulations and Legislation Related to IT Audits
Directive 95/46/EC on the protection of personal data exists primarily to ensure the protection of the privacy of individuals with regard to digital information. It was repealed and replaced by the General Data Protection Regulation (Regulation (EU) 2016/679), which applies from 25 May 2018.
As the field is relatively young, not all jurisdictions have developed a pre-defined skill set that is required when evaluating the qualifications of IT audit personnel. Since auditors will be responsible for evaluating the controls affecting the recording and safekeeping of assets, it is recommended that IT audit personnel have detailed knowledge of information systems together with a general understanding of accounting principles.
In the United States, it is usually considered desirable that IT audit personnel hold, or qualify to receive, the Certified Information Systems Auditor (CISA), Certified Internal Auditor (CIA), Certified Information Systems Security Professional (CISSP), Certified Public Accountant (CPA), Diploma in Information System Audit (DISA, from the ICAI), or Certification and Accreditation Professional (CAP) credentials. The CISM and CAP credentials are the two newest security auditing credentials, offered by ISACA and ISC2, respectively. Strictly speaking, only the CISA title sufficiently demonstrates competence in both the information technology and the audit aspects of the work.
Outside of the US, various credentials exist, with differing value and safeguards of professionalism. For example, the Netherlands has the RE credential, granted by NOREA (http://www.norea.nl, Dutch site), the Dutch IT auditors' association, which among other things requires a post-graduate IT audit education from an accredited university, subscription to a Code of Ethics, and adherence to strict continuing education requirements.
Professional certifications of note
* Certified Information Systems Auditor (CISA)
* Certified Internal Auditor (CIA)
* Certification and Accreditation Professional (CAP)
* Certified Computer Professional (CCP)
* Certified Information Systems Security Professional (CISSP)
* Certified Information Security Manager (CISM)
* Certified Public Accountant (CPA)
* ISO 27001 Lead Auditor (ISO27001)
Other employees involved in IT audits
Technology changes rapidly, and so do the issues that IT auditors face. Some emerging issues include biometric retinal scans, changes in physical security, and transmitting data from cell phones.
* Backup systems and recovery
* Helpdesk and incident reporting auditing
* Change management auditing
* Software development life cycle auditing
* Disaster recovery and business continuity auditing
IT audit resources
* Information technology audit - operations
* Ethical Hacking - operations
* Data Loss Prevention
* OBASHI: The OBASHI Business & IT methodology and framework
Irregularities and Illegal Acts
* [http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=20841 ISACA Standard: S9 Irregularities and Illegal Acts]
* SAS 99: Consideration of Fraud in a Financial Statement Audit
Computer fraud case studies
* [http://www.networkmagazineindia.com/200312/securedview01.shtml A career as Information Systems Auditor], by Avinash Kadam (Network Magazine)
* [http://www.pleier.com/itaaap.htm IT Auditing: An Adaptive Process], by Robert E. Davis
* [http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit.pdf Federal Financial Institutions Examination Council] (FFIEC)
* [http://www.isaca.org/ Information Systems Audit & Control Association] (ISACA)
* [http://www.eccouncil.org/ EC-Council]
* [http://iaudit.blogspot.com/2007/08/internal-control-internal-audit-and-it.html IT Audit vs Internal Control]
Wikimedia Foundation. 2010.