IA 1-3 IT Audit Introduction
IT Audit Types/Objectives/Purposes/Uses/Works/Projects:
IT audit (IT general and application controls audit) may be performed in support of a financial statement
audit (primarily an audit of the Income Statement and Balance Sheet), an internal audit (which typically performs
annual internal control testing such as SOX), or another form of attestation engagement (such as an SAS
70/SSAE 16/Service Organization Control (SOC) audit), or simply to identify and correct internal
control weaknesses (typically for audit readiness).
IT audit performed as part of internal audit is typically done by the Internal Audit department (usually
following an established internal audit plan and audit program) to meet management's annual internal
control testing requirement for controls relating to financial reporting. It is also performed on financial systems
(those that support the production of financial statements). It is performed for Sarbanes-Oxley (SOX)
compliance in commercial public companies registered with the Stock Exchange Commission (SEC),
that is, companies whose shares trade on a stock exchange. The equivalent of SOX testing at federal
government departments/agencies is known as the Office of Management and Budget (OMB) Circular A-123
audit.
Note that the internal audit plan is typically the annual plan of the Internal Audit department. It
contains all the types of audits/projects they plan to execute during that year, including the period and
priority of execution, based on a risk assessment of the activities/transactions considered for audit (mission-
critical operations that could affect the company's ability to stay in business are considered high risk). A regular
audit plan, such as one supporting a financial statement audit, will also consider the audit tasks, the period of
performance and the resources needed for the audit. An audit program is the detailed set of steps required to test or
audit a control. Audit programs for different types of audit are available in the course of this training, online,
or on free trial at AuditNet.org.

Financial internal auditors, in addition to performing SOX audits, also
perform operational audits (auditing the effectiveness, efficiency and economy of operation of each
department/product in line with industry standards/benchmarks, such as testing whether an airline is able to
make the same number of daily flights as its leading competitors at the same or a better profit margin) and
compliance audits, in which they test compliance with the organization's policies and procedures and
applicable contractual and regulatory requirements (such as testing whether a bank's mortgage charges
comply with company policy, customers' contracts and regulations). IT auditors may be asked (in some
cases) to test the IT-related controls or components of these operational and compliance tests performed by
financial auditors, in addition to IT general and application controls.

Internal Audit also serves as referee in an
internal control self-assessment environment, where different departments assess/test the internal controls
related to them, both financial and IT. In that case Internal Audit just ensures that key controls (such as ITGC) are
covered in the audit program, that the different departments are conducting the assessment at the prescribed
frequency, and that noted audit findings are promptly corrected.
With respect to financial statement audits, IT auditors are often engaged in IT general and application
controls audits. They perform the IT audit as part of the financial statement audit so that the financial audit team can
rely on the IT controls in the organization being audited, in order to reduce the amount of substantive
testing or vouching they perform, with the objective of saving audit time and budget. IT auditors
audit IT general and application controls to determine whether the IT environment is effective and whether
the financial systems can be relied upon to generate accurate financial statements. They do this for
private and public companies. They do the same on federal financial statement audits using the FISCAM
(Federal Information System Controls Audit Manual) framework.
Note that IT auditors who work in consulting firms are engaged (through their company) by CPA firms to
perform IT audit procedures supporting financial statement audits, since only CPA firms are authorized to
perform financial statement audits. Note also that financial statement audit is not applicable to those who
work in the Internal Audit department of their companies; such IT auditors will typically perform annual
SOX or A-123 testing as indicated below. Similar to the financial statement audit, IT auditors may be
hired by CPA firms to perform attestation engagements (such as SAS 70/SSAE 16/Service Organization
Control (SOC) audits). Again, only CPA firms are authorized to perform attestation engagements/SOC
audits, and they typically use their own employees or hire the services of IT auditors who work for consulting
companies/firms. The objective of the SOC auditor or report is to attest or confirm whether or not the
internal controls in place at the service organization are properly designed and operating effectively.
IT auditors are sometimes engaged (through their firm/company) by the Internal Audit departments of public
companies to assist with the annual testing of their IT SOX controls, in which they test whether the controls
(often limited to IT general controls) are effective and document IT weaknesses and
recommendations where they find exceptions. They do the same on federal A-123 annual internal control testing
using the FISCAM framework.
IT auditors are also engaged by Internal Audit departments (especially of private companies that do not
have an annual SOX testing requirement, or by federal agencies) to identify and correct internal control
weaknesses, in order to strengthen their internal controls or as an audit readiness effort to reduce the
number of audit findings/weaknesses discovered when their external auditors arrive to audit their financial
statements. An IT general and application controls or FISCAM audit is also performed here, depending on
whether the client is a commercial or a government entity.
If the ITGC environment is found to be effective, the internal auditors/management can report
effective internal control in their annual internal control reporting, while financial auditors can rely on IT
controls and reduce the amount of detailed testing/vouching they perform, which often saves their budget.
ITGCs are also known as General Computer Controls (GCC), defined as: controls, other than
application controls, which relate to the environment within which computer-based application systems are
developed, maintained and operated, and which are therefore applicable to all applications.
The objective of access control testing as part of IT general controls is to confirm there are effective
controls in place around adding, updating, deleting and restricting user access to financial data and
that access to that data is appropriately restricted.
Note that Logical Access (LA) is usually used to refer to Access Control (AC). LA refers to a user's access
within the system. Access Control is made up of logical access and physical access. LA represents all the
access controls (6 of the 7 above) besides physical access to the server room/data center.
Note that SDLC (also called Investment Lifecycle, ILC) is similar to program change, as the process of
planning, testing, and deploying an information system to production (except that approval is at the highest
level of the organization, such as by the IT Steering Committee, and will include the CIO and sometimes the
CEO, since it is an IT capital investment).
7. Disposition (system retirement via destruction or after due sanitization from sensitive data; system is
removed from the system inventory/list)
The simplest and one of the oldest SDLC models/types is the waterfall model, which goes through the
phases of Initiation, Analysis, Design, Testing, Production/Implementation, and Maintenance one after the
other, like the motion of a waterfall. The team cannot move on to a phase until the previous phase is complete.
The positive side of this method, even though it is time consuming, is that if bugs are found early
on it saves a lot of time and money later. The Agile model, another popular model, is based on an iterative
and incremental approach to software development, in which small modules of the final product are
released for the users to review and then changed accordingly if any issue is discovered. The focus in
Agile is on delivering working software within the shortest possible time, and the SDLC steps are
therefore not followed in strict order.
The data recovery process is part of the IT Operations backup and recovery control. It is simply a test of
whether the client tries to recover from their backup data, to determine that those backups are truly
recoverable.
They could do it quarterly, semi-annually or even annually. What matters is that they test their backup
during a financial year. Some companies may have a Contingency Plan test or disaster recovery test
arrangement during which they perform this backup recovery test to confirm that they can truly recover
from a disaster. Evidence is typically the help desk ticket opened for the recovery event or the documented
Contingency Plan test result.
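As an added example (not from the training material), the following shows what "truly recoverable" means in practice: files are backed up together with a hash manifest, restored to a separate location, and every restored file is compared against the manifest. The file names and contents are constructed for the illustration.

```python
import hashlib
import json
import os
import tempfile
import zipfile


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def make_backup(source_dir, backup_zip):
    """Archive source_dir and record a manifest {relative path: sha256}.
    The manifest is stored inside the archive here for simplicity; in practice
    keep a copy outside the backup so a corrupt backup cannot vouch for itself."""
    manifest = {}
    with zipfile.ZipFile(backup_zip, "w") as zf:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_of(full)
                zf.write(full, rel)
        zf.writestr("MANIFEST.json", json.dumps(manifest))
    return manifest


def recovery_test(backup_zip, restore_dir):
    """Restore the backup somewhere other than the source and verify each file.
    Returns (ok, list of files missing or altered after restore)."""
    with zipfile.ZipFile(backup_zip) as zf:
        zf.extractall(restore_dir)
        with zf.open("MANIFEST.json") as f:
            manifest = json.load(f)
    mismatches = []
    for rel, expected in manifest.items():
        restored = os.path.join(restore_dir, rel)
        if not os.path.exists(restored) or sha256_of(restored) != expected:
            mismatches.append(rel)
    return (not mismatches, mismatches)


def demo():
    """Constructed scenario: two ledger files backed up, restored elsewhere, verified."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "src"), os.path.join(tmp, "restore")
        os.makedirs(os.path.join(src, "gl"))
        with open(os.path.join(src, "gl", "journal.csv"), "w") as f:
            f.write("2024-06-30,1000,Cash,250.00\n")
        with open(os.path.join(src, "trial_balance.txt"), "w") as f:
            f.write("Cash 250.00\n")
        backup = os.path.join(tmp, "backup.zip")
        make_backup(src, backup)
        return recovery_test(backup, dst)
```

The returned result (and the restore location, timestamps and who ran it) is the kind of record that backs the help desk ticket or Contingency Plan test result the auditor asks for.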
(2) IT Application Controls
IT application or program controls are fully automated controls (i.e., performed automatically by the systems)
designed to ensure the complete and accurate processing of data, from input through output (input-
processing-output controls). These controls vary based on the business purpose of the specific application.
These controls may also help ensure the privacy and security of data transmitted between applications.
Categories of IT application controls are typically the following 5 controls:
1. Completeness checks - controls that ensure all records were processed from initiation to completion.
2. Data edit/Validity checks - controls that ensure only valid data is input or processed.
3. Calculation checks - controls that ensure that computation is occurring accurately (e.g., that the system
automatically extends and foots an invoice).
4. Interface checks - controls that limit the risk of incomplete transfer or exchange of data among different
systems.
5. Authorization checks - controls that ensure that approvals and overrides are performed only by
authorized users, and that individuals do not have capabilities that are in conflict with segregation of
duties and fraud prevention measures.
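The five categories above, as an added example that is not part of the training material: each is implemented as an automated check over a constructed invoice batch passed from a billing system to the general ledger (GL). The invoice records, batch header and approver list are made up for the illustration.

```python
from decimal import Decimal

# Constructed batch header from the sending (billing) system: record count and
# control total that the receiving system (GL) must reconcile to.
BATCH_HEADER = {"record_count": 2, "control_total": Decimal("650.00")}

# Constructed invoice records as received by the GL.
INVOICES = [
    {"id": "INV-1", "status": "posted", "prepared_by": "asmith", "approved_by": "jdoe",
     "lines": [(2, Decimal("100.00")), (1, Decimal("50.00"))], "total": Decimal("250.00")},
    {"id": "INV-2", "status": "posted", "prepared_by": "bjones", "approved_by": "bjones",
     "lines": [(4, Decimal("100.00"))], "total": Decimal("400.00")},
]
APPROVERS = {"jdoe", "bjones"}  # users holding the approval role (constructed)


def completeness_check(inv):
    """1. Completeness: every record must reach the final processing state."""
    return inv["status"] == "posted"


def validity_check(inv):
    """2. Data edit/validity: quantities positive, prices non-negative."""
    return all(q > 0 and p >= Decimal(0) for q, p in inv["lines"])


def calculation_check(inv):
    """3. Calculation: extend each line (qty * price) and foot the invoice."""
    return sum(q * p for q, p in inv["lines"]) == inv["total"]


def interface_check(header, invoices):
    """4. Interface: record count and control total must agree with the sender."""
    return (header["record_count"] == len(invoices)
            and header["control_total"] == sum(i["total"] for i in invoices))


def authorization_check(inv):
    """5. Authorization: approver holds the role and is not the preparer (SoD)."""
    return inv["approved_by"] in APPROVERS and inv["approved_by"] != inv["prepared_by"]


def run_application_controls(header, invoices):
    """Return failed checks keyed by invoice id ('BATCH' for the interface check)."""
    exceptions = {}
    if not interface_check(header, invoices):
        exceptions["BATCH"] = ["interface"]
    per_record = (("completeness", completeness_check), ("validity", validity_check),
                  ("calculation", calculation_check), ("authorization", authorization_check))
    for inv in invoices:
        failed = [name for name, check in per_record if not check(inv)]
        if failed:
            exceptions[inv["id"]] = failed
    return exceptions
```

On the sample batch only INV-2 fails, on the authorization check, because the preparer approved their own invoice; the batch totals, extensions and footings all agree.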