IA 1-3 IT Audit Introduction


IT Audit Introduction

Meaning and Types of IT Audit


An information technology (IT) audit is an examination of the IT general and application controls within
an information system and its underlying IT infrastructure. The information system means the applications,
such as Enterprise Resource Planning (ERP) systems (SAP, Oracle Financials and PeopleSoft) and other
business applications (Microsoft Dynamics, Sage, NetSuite and Deltek Costpoint); the infrastructure means
the operating systems, databases and network devices those applications run on. The audit determines
whether the controls (the safeguards against the risk of what could go wrong) are appropriately designed
(the right control is in place) and operating effectively (applied consistently throughout the period), so
that the organization achieves its internal control objectives as defined by the Committee of Sponsoring
Organizations (COSO): effectiveness and efficiency of operations, reliability of financial reporting, and
compliance with applicable laws and regulations.

IT Audit Types/Objectives/Purposes/Uses/Works/Projects:
An IT audit (audit of IT general and application controls) may be performed in support of a financial
statement audit (primarily an audit of the Income Statement and Balance Sheet), an internal audit (which
typically performs annual internal control testing such as SOX testing), another form of attestation
engagement (such as a SAS 70/SSAE 16/Service Organization Control (SOC) audit; SAS 70 and SSAE 16 have
since been superseded by SSAE 18), or simply to identify and correct internal control weaknesses
(typically for audit readiness).

The purpose of a financial statement audit is to evaluate whether an organization is adhering to standard
accounting practices with the aim of producing accurate financial statements. The IT audit performed as
part of a financial statement audit determines whether the IT controls in that organization are effective
and whether the financial systems can be relied upon to generate accurate financial statements.

IT audit performed as part of internal audit is typically done by the Internal Audit department (following
an established internal audit plan and audit program) to meet management's annual internal control testing
requirement for controls relating to financial reporting. It, too, is done on the financial systems (those
that support the production of the financial statements). In commercial public companies, that is,
companies registered with the Securities and Exchange Commission (SEC) whose shares trade on a stock
exchange, it is performed for Sarbanes-Oxley (SOX) compliance. The equivalent of SOX testing in federal
government departments and agencies is the Office of Management and Budget (OMB) Circular A-123 internal
control assessment.

Note that the internal audit plan is typically an annual plan of the Internal Audit department listing all
the audits/projects it intends to execute during the year, with the period and priority of execution based
on a risk assessment of the activities/transactions considered for audit (mission-critical operations that
could affect the company's ability to stay in business are considered high risk). A regular audit plan, such
as one supporting a financial statement audit, also sets out the audit tasks, period of performance and
resources needed. The audit program is the detailed set of steps required to test or audit a control. Audit
programs for the different types of audit are provided in the course of this training and are also
available online or on free trial at AuditNet.org.

In addition to SOX audits, financial internal auditors also perform operational audits (auditing the
effectiveness, efficiency and economy of operation of each department or product against industry
standards/benchmarks, such as testing whether an airline makes the same number of daily flights as its
leading competitors at the same or a better profit margin) and compliance audits (testing compliance with
the organization's policies and procedures and with applicable contractual and regulatory requirements,
such as testing whether a bank's mortgage charges comply with company policy, customer contracts and
regulations). IT auditors may in some cases be asked to test the IT-related controls or components of these
operational and compliance audits in addition to IT general and application controls.

Internal Audit also serves as referee in a control self-assessment environment, where the different
departments assess/test the internal controls, both financial and IT, that relate to them. Internal Audit
then ensures that key controls (such as ITGCs) are covered in the audit program, that the departments
conduct their assessments at the prescribed frequency, and that noted findings are promptly corrected.

With respect to financial statement audits, IT auditors are usually engaged to audit IT general and
application controls. They do this so that the financial audit team can rely on the IT controls in the
organization being audited and thereby reduce the amount of substantive testing or vouching it performs,
saving audit time and budget. The IT auditors test the IT general and application controls to determine
whether the IT environment is effective and whether the financial systems can be relied upon to generate
accurate financial statements. They do this for private and public companies, and they do the same on
federal financial statement audits using the FISCAM (Federal Information System Controls Audit Manual)
framework.

Note that IT auditors who work in consulting firms are engaged (through their firm) by CPA firms to perform
the IT audit procedures supporting a financial statement audit, since only CPA firms are authorized to
perform financial statement audits. Note also that IT auditors who work in the Internal Audit department of
their own company do not perform the financial statement audit; they typically perform the annual SOX or
A-123 testing described below. As with financial statement audits, IT auditors may be hired by CPA firms to
perform attestation engagements (such as SAS 70/SSAE 16/SOC audits). Again, only CPA firms are authorized
to perform attestation engagements/SOC audits, and they typically use their own employees or hire IT
auditors who work for consulting firms. The objective of the SOC auditor, and of the SOC report, is to
attest to whether or not the internal controls in place at the service organization are properly designed
and operating effectively.

IT auditors are sometimes engaged (through their firm/company) by the Internal Audit departments of public
companies to assist with the annual testing of their IT SOX controls. They test whether the controls (often
limited to IT general controls) are effective and write up IT weaknesses and recommendations where they
find exceptions. They do the same for federal A-123 annual internal control testing, using the FISCAM
framework.

IT auditors are also engaged by Internal Audit departments (especially of private companies that have no
annual SOX testing requirement, or of federal agencies) to identify and correct internal control weaknesses,
either to strengthen internal controls generally or as an audit readiness effort to reduce the number of
findings/weaknesses the external auditors discover when they arrive to audit the financial statements. An
IT general and application controls audit or a FISCAM audit is performed here too, depending on whether the
client is a commercial or a government entity.

IT General and Application Controls


(1) IT General Controls (ITGC)
ITGC testing is the process of assessing an organization’s access control, change management controls,
and IT operations controls to evaluate the system's internal control design and operating effectiveness.

If the ITGC environment is found to be effective, internal auditors/management can report effective
internal control in their annual internal control reporting, while the financial auditors can rely on the
IT controls and reduce the amount of detailed testing/vouching they perform, which often saves their budget.
ITGCs are also known as General Computer Controls (GCC) which are defined as: Controls, other than
application controls, which relate to the environment within which computer-based application systems are
developed, maintained and operated, and which are therefore applicable to all applications.

The most common ITGCs are as follows:


1. Access Controls- include logical access and data center physical access controls over infrastructure,
applications, and data.
2. Change Management Controls- include program change management and system development life
cycle (SDLC) controls.
3. IT/Computer Operations Controls- include system and data backup and recovery controls, and job
scheduling controls.

Detailed ITGCs and Test Objectives


(A) Access Controls
Objective: Only authorized persons have access to data and applications, and they can perform only the
functions specifically authorized for them.

The objective of access control testing as part of IT general controls is to confirm there are effective
controls in place around adding, updating, deleting and restricting user access to financial data and
that access to that data is appropriately restricted.

Detailed ITGCs and Objectives


1. Password settings are appropriate.
2. User access is authorized and appropriately established.
3. Physical access to computer hardware is limited to appropriate individuals.
4. Access to privileged IT functions is limited to appropriate individuals.
5. Logical access process is monitored.
6. General system security settings are appropriate (IT Infrastructure controls)
7. Segregation of incompatible duties exists within access control environment.

Note that the term Logical Access (LA) is often used to refer to Access Control (AC) as a whole. Strictly,
LA refers to a user's access within the system: Access Control is made up of logical access and physical
access, and LA covers all the access controls above (6 of the 7) other than physical access to the server
room/data center.

(B) Change Management Controls


Objective: Only appropriately authorized, tested, and approved changes are made to applications,
databases, and operating systems.

Detailed ITGCs and Objectives


1. Changes are authorized.
2. Changes are tested.
3. Changes are approved before being migrated to production environment.
4. Segregation of incompatible duties exists within the change management environment.

(C) IT Operations Controls


Objectives: Data supporting financial information is properly backed up so that it can be accurately and
completely recovered if there is a system outage or data integrity issue.
Programs are executed as planned and deviations from scheduled processing are identified and resolved in a
timely manner.

Detailed ITGCs and Objectives


1. Financial data has been backed-up and is recoverable.
2. Deviations from scheduled processing are identified and resolved in a timely manner.

IT Audit Programs-Primary Controls:


(A) Audit Programs- Access Controls

1. Test Password Settings:


Determine, and obtain evidence of, the organization's settings for the following security configurations:

Minimum password length


Initial log-on uses a one-time password
Password composition (e.g., alpha/numeric characters, not words in dictionary)
Frequency of forced password changes
The number of unsuccessful log on attempts allowed before lockout
Ability of users to assign their own passwords
Number of passwords that must be used prior to using a password again
Idle session time out
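As an added example (not part of the original training notes), the following Python script evaluates password-setting evidence captured from a Linux host against the criteria in the list above: length, composition, change frequency, lockout threshold, history depth and idle timeout. The thresholds in CRITERIA, the sample configuration text and the file names it is labelled with are assumptions for illustration; in a real test the benchmark is the client's written password policy and the evidence is the actual configuration files (or, on Windows, the output of `net accounts` or the exported Group Policy).

```python
"""Test password settings: compare captured Linux configuration against audit criteria.

Added example for the ITGC password-settings test. Thresholds, file contents and
file names are constructed assumptions, not client evidence.
"""
import re

# Assumed audit criteria as (kind, threshold). "min": value must be >= threshold,
# "max": value must be <= threshold. Use the client's written policy in practice.
CRITERIA = {
    "PASS_MIN_LEN":  ("min", 8),    # minimum password length (/etc/login.defs)
    "PASS_MAX_DAYS": ("max", 90),   # frequency of forced password changes
    "minclass":      ("min", 3),    # character classes required (pwquality.conf)
    "dictcheck":     ("min", 1),    # reject dictionary words (1 = enabled)
    "deny":          ("max", 5),    # failed log-ons before lockout (faillock.conf)
    "remember":      ("min", 12),   # password history depth (pam_pwhistory)
    "TMOUT":         ("max", 900),  # idle session timeout in seconds (shell profile)
}
# For these settings a value of 0 means the control is switched off entirely.
DISABLED_IF_ZERO = {"deny", "TMOUT"}


def parse_settings(text):
    """Collect name/value pairs from login.defs ("KEY VALUE"), "key = value" and
    PAM module option ("option=value") syntax; comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pairs = re.findall(r"(\w+)\s*=\s*(-?\w+)", line)
        if pairs:
            settings.update(pairs)
        else:
            parts = line.split()
            if len(parts) >= 2:
                settings[parts[0]] = parts[1]
    return settings


def evaluate(settings, criteria=CRITERIA):
    """Return one exception string per criterion that is missing or not met."""
    exceptions = []
    for name, (kind, threshold) in criteria.items():
        if name not in settings:
            exceptions.append(f"{name}: not configured (no evidence the control exists)")
            continue
        try:
            value = int(settings[name])
        except ValueError:
            exceptions.append(f"{name}: non-numeric value {settings[name]!r}")
            continue
        if name in DISABLED_IF_ZERO and value == 0:
            exceptions.append(f"{name}=0: control disabled")
        elif kind == "min" and value < threshold:
            exceptions.append(f"{name}={value}: below required minimum of {threshold}")
        elif kind == "max" and value > threshold:
            exceptions.append(f"{name}={value}: exceeds allowed maximum of {threshold}")
    return exceptions


# Constructed evidence: excerpts as they would be copied from the host's files.
WEAK_EVIDENCE = """
# --- /etc/login.defs ---
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
# --- /etc/security/pwquality.conf ---
minclass = 1
dictcheck = 0
# --- /etc/security/faillock.conf ---
deny = 0
# --- /etc/pam.d/system-auth ---
password    requisite     pam_pwhistory.so remember=3 use_authtok
# --- /etc/profile.d/tmout.sh ---
export TMOUT=0
"""

COMPLIANT_EVIDENCE = """
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    12
minclass = 4
dictcheck = 1
deny = 5
unlock_time = 900
password    requisite     pam_pwhistory.so remember=24 use_authtok
readonly TMOUT=600
"""


def audit_password_settings(evidence):
    """Parse captured evidence and return the list of audit exceptions."""
    return evaluate(parse_settings(evidence))


if __name__ == "__main__":
    for label, evidence in (("weak", WEAK_EVIDENCE), ("compliant", COMPLIANT_EVIDENCE)):
        findings = audit_password_settings(evidence)
        print(f"{label}: {len(findings)} exception(s)")
        for finding in findings:
            print("  -", finding)
```

A setting that is absent is reported as an exception rather than silently passed: the auditor needs positive evidence that the control exists, not just the absence of a bad value. The two settings where 0 means "off" (lockout threshold and idle timeout) are treated separately, since a plain range comparison would otherwise report 0 as compliant.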

2. Test User Access Authorization:


Test New User Set-up: Determine that employees are only granted access to data that is appropriate
based on their job function and their access approval, and that their access is appropriately approved (i.e.,
user access is in line with job function, it is approved by the appropriate person, and the access granted on
the system by the system administrator is in line with approval).
Test Terminated Users: Determine that terminated employees have been removed timely from the
systems to prevent unauthorized access to data.
Test Transferred Users: Determine that transferred employees are only granted access that is appropriate
based on their new job function and that access for their previous function has been removed or
deactivated.

User access authorization is also known as user provisioning.
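The terminated-user test above is, in practice, a reconciliation of two lists: the HR termination report for the period and the application's account extract. The Python below is an added example (not part of the original notes) of that reconciliation; the two CSV extracts and the two-day removal SLA are constructed assumptions, and the test runs over the whole population rather than the sample an auditor would normally select.

```python
"""Test terminated users: reconcile HR terminations against the system's account list.

Added example for the user access authorization test. The CSV extracts and the
removal SLA are constructed assumptions, not client data.
"""
import csv
import io
from datetime import date

# Assumed policy: access must be disabled within 2 calendar days of termination.
REMOVAL_SLA_DAYS = 2

# Constructed HR termination report for the audit period.
HR_TERMINATIONS = """employee_id,user_id,termination_date
1001,jdoe,2023-03-31
1002,asmith,2023-04-14
1003,bkim,2023-05-02
1004,clee,2023-06-30
"""

# Constructed account extract from the financial application (all accounts).
SYSTEM_ACCOUNTS = """user_id,status,disabled_date,last_login
jdoe,disabled,2023-04-01,2023-03-31
asmith,disabled,2023-04-28,2023-04-20
bkim,active,,2023-05-15
clee,disabled,2023-06-30,2023-06-29
mwang,active,,2023-07-01
"""


def _to_date(text):
    """ISO date string -> date, or None for an empty field."""
    return date.fromisoformat(text) if text else None


def audit_terminated_users(hr_csv, accounts_csv, sla_days=REMOVAL_SLA_DAYS):
    """Return (user_id, exception) tuples for every terminated user whose access
    was not removed, was removed late, or was used after the termination date."""
    accounts = {row["user_id"]: row for row in csv.DictReader(io.StringIO(accounts_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(hr_csv)):
        user = row["user_id"]
        terminated = _to_date(row["termination_date"])
        account = accounts.get(user)
        if account is None:
            continue  # no account on this system, so nothing to remove
        # Any log-on after the termination date is unauthorized access, whether or
        # not the account was eventually disabled.
        last_login = _to_date(account["last_login"])
        if last_login and last_login > terminated:
            findings.append((user, f"logged in on {last_login} after termination on {terminated}"))
        if account["status"] != "disabled":
            findings.append((user, "account still active after termination"))
            continue
        delay = (_to_date(account["disabled_date"]) - terminated).days
        if delay > sla_days:
            findings.append((user, f"disabled {delay} days after termination (SLA {sla_days} days)"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_terminated_users(HR_TERMINATIONS, SYSTEM_ACCOUNTS):
        print(f"{user}: {issue}")
```

Accounts that appear in the system extract but not in the HR report (mwang above) are not exceptions for this test; they belong to the new-user set-up test, where each is traced back to an approved access request.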

3. Testing of Physical Security:


Obtain a list of employees with access to the data center, determine that it is complete, and review it for
appropriateness. Confirm that controls are in place to restrict access to only those individuals (the testing
attribute: access is restricted to only the appropriate individuals).
Also confirm that periodic reviews of physical access take place.

4. Test Privileged User Rights:


Determine that the ability to perform sensitive IT functions is limited to only appropriate individuals based
on their job function.
Include users with the ability to access sensitive utilities when identifying privileged user rights. A
utility is a program or set of programs that allows a particular task to be executed (for example, reading
or updating data directly in the database, bypassing the application's controls).
Determine whether the users' sensitive access is appropriate based on their job description/function (this
should include a review of sensitive system and service accounts).

5. Test that Logical access process is monitored.


Identify relevant monitoring controls and test that the controls functioned as expected over the
audit period. These controls might include:
Periodic logical access review for continued appropriateness
Violation or violation attempts reporting and review
Review of logs (e.g., surrounding privileged user access)

6. General system security settings are appropriate (IT infrastructure controls)


Details to be discussed under IT Infrastructure session

7. Test Segregation of Incompatible Duties:


Determine that individuals performing the control activities over user access do not have conflicting duties.
Determine both organizationally and logically that different individuals perform the following duties related
to logical access:
Requesting access, approving access, setting up access, and monitoring access
violations/violation attempts
Performing rights of a “privileged” user and monitoring use of a “privileged” user account.

(B) Audit Programs- Change Management Controls


Types of changes:
- System Development/Acquisition (normally referred to as SDLC, the system development life cycle):
development and implementation of new applications or systems.
- Program change: changes made to existing applications, interfaces and the DBMS (database management
system, i.e., the database).
- Maintenance: technical changes made to the DBMS, operating systems and other system software (e.g.,
patches, operating system upgrades).
- Emergency changes: changes made in an emergency situation. Change documentation, including approval, is
usually obtained after the fact, i.e., after the change has been made; the changes are mostly made directly
in the production environment and therefore may lack evidence of testing.

Note that the SDLC (also called the Investment Life Cycle, ILC) is similar to program change in that it is
the process of planning, testing and deploying an information system to production, except that approval is
at the highest level of the organization (for example by the IT Steering Committee, including the CIO and
sometimes the CEO), since it is an IT capital investment.

SDLC involves the following typical 7 phases:


1. Initiation (the system need is identified),
2. Planning and Requirements Definition (end-user information needs are gathered by Business Analysts),
3. Design (the desired features and operations are specified and demonstrated in prototype form),
4. Development and Testing (source code is written in a programming language, and unit, integration,
performance and acceptance testing are performed),
5. Implementation (the system is installed/deployed to production),
6. Operations and Maintenance (regular program changes and upgrades are performed here),
7. Disposition (system retirement, with destruction or due sanitization of media holding sensitive data;
the system is removed from the system inventory/list).

The simplest and one of the oldest SDLC models is the waterfall model, which goes through the phases of
Initiation, Analysis, Design, Testing, Production/Implementation and Maintenance one after the other, like
the flow of a waterfall: the team cannot move on to a phase until the previous phase is complete. Although
time consuming, this method has the advantage that defects found early save a great deal of time and money
later. The Agile model, another popular model, is based on an iterative and incremental approach to software
development in which small modules of the final product are released for users to review and then changed if
any issue is discovered. The focus in Agile is on delivering working software in the shortest possible time,
so the SDLC steps are not followed in strict order.

Test Changes: Determine that changes are appropriately:

- Authorized;
- Tested;
- Approved before being migrated into the production environment.
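The three attributes above (authorized, tested, approved before migration) can be checked mechanically over a change-ticket export, which also makes the emergency-change exception explicit: the page notes that emergency changes are approved after the fact and often lack test evidence, so the script below treats retrospective approval as acceptable only within a policy window and does not report missing test evidence for emergency tickets. This is an added example, not part of the original notes; the change log, its field names and the two-day emergency approval window are constructed assumptions.

```python
"""Test changes: check each change ticket for authorization, testing, and approval
before migration to production.

Added example for the change management audit program. The change log, its field
names and the emergency-approval window are constructed assumptions, not client data.
"""
from datetime import datetime, timedelta

# Assumed policy: an emergency change must receive retrospective approval within 2 days.
EMERGENCY_APPROVAL_WINDOW = timedelta(days=2)

# Constructed export from the change-ticketing tool for the audit period.
CHANGE_LOG = [
    {"id": "CHG-1001", "type": "standard", "approved_by": "app_owner",
     "approved_at": "2023-05-02T09:00", "test_evidence": "TST-77", "deployed_at": "2023-05-03T22:00"},
    {"id": "CHG-1002", "type": "standard", "approved_by": "",
     "approved_at": "", "test_evidence": "TST-78", "deployed_at": "2023-05-10T22:00"},
    {"id": "CHG-1003", "type": "standard", "approved_by": "it_manager",
     "approved_at": "2023-05-16T10:00", "test_evidence": "", "deployed_at": "2023-05-15T22:00"},
    {"id": "CHG-1004", "type": "emergency", "approved_by": "it_manager",
     "approved_at": "2023-05-21T08:00", "test_evidence": "", "deployed_at": "2023-05-20T03:00"},
    {"id": "CHG-1005", "type": "emergency", "approved_by": "it_manager",
     "approved_at": "2023-05-30T09:00", "test_evidence": "", "deployed_at": "2023-05-25T03:00"},
]


def _ts(text):
    """ISO timestamp string -> datetime, or None for an empty field."""
    return datetime.fromisoformat(text) if text else None


def audit_change(change, window=EMERGENCY_APPROVAL_WINDOW):
    """Return the list of exceptions for one change ticket (empty if it passes)."""
    exceptions = []
    emergency = change["type"] == "emergency"
    approved_at = _ts(change["approved_at"])
    deployed_at = _ts(change["deployed_at"])

    # 1. Authorized: an identifiable approver and an approval timestamp must exist.
    if not change["approved_by"] or approved_at is None:
        exceptions.append("not authorized: no documented approval")

    # 2. Tested: evidence of testing is required for standard changes. Emergency
    #    changes made directly in production are expected to lack it (see the
    #    note on emergency changes above), so it is not reported as an exception.
    if not emergency and not change["test_evidence"]:
        exceptions.append("not tested: no test evidence referenced")

    # 3. Approved before migration to production. For emergency changes,
    #    approval after the fact is acceptable within the policy window.
    if approved_at is not None and deployed_at is not None and approved_at > deployed_at:
        lag = approved_at - deployed_at
        if not emergency:
            exceptions.append(f"deployed {lag} before approval")
        elif lag > window:
            exceptions.append(f"emergency approval obtained {lag} after deployment (window {window})")
    return exceptions


def audit_change_log(changes):
    """Map change id -> exceptions, for every ticket that has at least one."""
    results = {}
    for change in changes:
        exceptions = audit_change(change)
        if exceptions:
            results[change["id"]] = exceptions
    return results


if __name__ == "__main__":
    for change_id, exceptions in audit_change_log(CHANGE_LOG).items():
        print(change_id, "->", "; ".join(exceptions))
```

Note that a ticket with no approval at all (CHG-1002) is reported once, as unauthorized; the before-or-after-deployment comparison only applies once an approval timestamp exists.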

Test Segregation of Incompatible Duties:

Determine that individuals performing the change management controls do not have conflicting duties, both
organizationally and logically.
Determine that different individuals within the organization perform the following duties:
- Request/approve the development or change
- Program the development or change
- Move changes in and out of production
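Both segregation-of-duties tests in this audit program (the access-control test under (A) 7 and the change-management test just above) have the same logical form: a set of duties that must be held by different individuals, checked against who actually holds each duty. The Python below is an added example (not part of the original notes) that derives each user's duties from the roles in an access extract and reports anyone holding two duties from the same incompatible group. The role-to-duty map and the user-to-role assignments are constructed assumptions; in a real test they come from the application's role definitions and user listing.

```python
"""Test segregation of incompatible duties across the logical access and change
management processes.

Added example for the two segregation-of-duties tests in this audit program. The
duty groups, role definitions and user assignments are constructed assumptions.
"""

# Each group lists duties that must be performed by different individuals.
# A user holding two or more duties from the same group has a conflict.
SOD_GROUPS = {
    "logical access": {"request_access", "approve_access", "provision_access",
                       "monitor_access_violations"},
    "privileged access": {"use_privileged_account", "monitor_privileged_account"},
    "change management": {"request_or_approve_change", "program_change",
                          "move_change_to_production"},
}

# Constructed role definitions: which duties each application role confers.
ROLE_DUTIES = {
    "HelpDesk":        {"request_access"},
    "AccessApprover":  {"approve_access"},
    "IAM_Admin":       {"provision_access"},
    "SecurityMonitor": {"monitor_access_violations", "monitor_privileged_account"},
    "SysAdmin":        {"use_privileged_account"},
    "ChangeApprover":  {"request_or_approve_change"},
    "Developer":       {"program_change"},
    "ReleaseManager":  {"move_change_to_production"},
}

# Constructed user listing with assigned roles, as exported from the application.
USER_ROLES = {
    "alice": ["HelpDesk", "AccessApprover"],      # can approve her own access requests
    "bob":   ["IAM_Admin"],
    "carol": ["SecurityMonitor"],                 # two monitoring duties, different groups: no conflict
    "dave":  ["Developer", "ReleaseManager"],     # developer who can also deploy to production
    "erin":  ["ChangeApprover"],
    "frank": ["SysAdmin", "SecurityMonitor"],     # reviews the logs of his own privileged account
}


def duties_from_roles(user_roles, role_duties):
    """Derive each user's set of duties from role assignments and a role -> duties map."""
    return {user: set().union(*(role_duties.get(role, set()) for role in roles))
            for user, roles in user_roles.items()}


def find_sod_conflicts(assignments, groups=SOD_GROUPS):
    """Return (user, group name, duties held) for each user who holds more than one
    duty from the same incompatible-duties group; users are reported in sorted order."""
    conflicts = []
    for user, duties in sorted(assignments.items()):
        for group_name, group in groups.items():
            held = sorted(duties & group)
            if len(held) > 1:
                conflicts.append((user, group_name, held))
    return conflicts


if __name__ == "__main__":
    for user, group_name, held in find_sod_conflicts(duties_from_roles(USER_ROLES, ROLE_DUTIES)):
        print(f"{user}: conflicting {group_name} duties {held}")
```

Where an organization is too small to separate every duty, the finding is not removed from the list; it is reported together with the compensating control (for example, an independent review of the privileged account's activity) that management relies on instead, and that compensating control is then tested.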

(C) Audit Programs- IT Operations Controls

1. Test Backup and Recovery


Determine that the data supporting financial information is properly backed up so that it can be accurately
and completely recovered if there is a system outage or data integrity issue.

The data recovery test is part of the IT Operations backup and recovery control. It is simply a test of
whether the client actually tries to recover from backup data, to determine that those backups are truly
recoverable.

They may do this quarterly, semi-annually or even annually; what matters is that they test their backups
during the financial year. Some companies perform this backup recovery test as part of a Contingency Plan
test or disaster recovery test, to confirm that they can truly recover from a disaster. Evidence is typically
the help desk ticket opened for the recovery event or the documented Contingency Plan test result.

2. Test Job Scheduling


Determine that programs are executed as planned and deviations from scheduled processing are
identified and resolved in a timely manner.

(2) IT Application Controls
IT application or program controls are fully automated controls (i.e., performed by the system itself)
designed to ensure the complete and accurate processing of data from input through output
(input-processing-output controls). These controls vary with the business purpose of the specific
application. They may also help ensure the privacy and security of data transmitted between applications.
Categories of IT application controls are typically the following five:

1. Completeness checks - controls that ensure all records were processed from initiation to completion.
2. Data edit/Validity checks - controls that ensure only valid data is input or processed.
3. Calculation checks- controls that ensure that computation is occurring accurately( e.g., that the system
automatically extends and foots an invoice)
4. Interface check- controls that limit the risk of incomplete transfer or exchange of data among different
systems
5. Authorization check- controls that ensure that approvals and overrides are performed by only the
authorized users, and that individuals do not have capabilities that are in conflict with segregation of
duties and fraud prevention measures.
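The five categories above are easiest to see in an interface that receives invoices from an upstream system. The Python below is an added example (not part of the original notes) of such an interface: the batch trailer's control totals give the completeness/interface check, the customer and quantity edits give the validity check, extending each line and footing the invoice gives the calculation check, and the credit-override rule gives the authorization check. The batch, the customer master and the list of authorized overriders are constructed assumptions.

```python
"""Application controls over an invoice interface batch: completeness, validity,
calculation (extension and footing) and authorization checks.

Added example for the five application control categories. The batch, the customer
master and the list of authorized overriders are constructed assumptions.
"""
from decimal import Decimal, InvalidOperation

VALID_CUSTOMERS = {"C100", "C200"}          # assumed customer master
AUTHORIZED_OVERRIDERS = {"ar_supervisor"}   # assumed credit-override authority

# Constructed batch received from an upstream billing system. The trailer carries
# the control totals the sending system computed over the records it sent.
BATCH = {
    "trailer": {"record_count": 3, "hash_total": "1290.00"},
    "invoices": [
        {"invoice": "INV-1", "customer": "C100", "stated_total": "225.00",
         "lines": [("widget", "10", "12.50"), ("gadget", "4", "25.00")]},
        {"invoice": "INV-2", "customer": "C200", "stated_total": "1000.00",
         "lines": [("service", "1", "1000.00")], "credit_override_by": "ar_clerk"},
        {"invoice": "INV-3", "customer": "C999", "stated_total": "65.00",
         "lines": [("widget", "-2", "12.50")]},
    ],
}


def check_completeness(batch):
    """Interface/completeness check: record count and hash total must agree with the trailer."""
    exceptions = []
    invoices = batch["invoices"]
    trailer = batch["trailer"]
    if len(invoices) != trailer["record_count"]:
        exceptions.append(f"record count {len(invoices)} != trailer {trailer['record_count']}")
    hash_total = sum(Decimal(inv["stated_total"]) for inv in invoices)
    if hash_total != Decimal(trailer["hash_total"]):
        exceptions.append(f"hash total {hash_total} != trailer {trailer['hash_total']}")
    return exceptions


def check_invoice(invoice):
    """Validity, calculation and authorization checks on one invoice."""
    exceptions = []
    if invoice["customer"] not in VALID_CUSTOMERS:                      # validity: known customer
        exceptions.append(f"unknown customer {invoice['customer']}")
    footed = Decimal("0")
    for item, qty, price in invoice["lines"]:
        try:
            quantity, unit_price = int(qty), Decimal(price)
        except (ValueError, InvalidOperation):
            exceptions.append(f"{item}: non-numeric quantity or price")
            continue
        if quantity <= 0 or unit_price < 0:                              # validity: range edit
            exceptions.append(f"{item}: quantity {quantity} / price {unit_price} out of range")
        footed += quantity * unit_price                                  # calculation: extend each line
    if footed != Decimal(invoice["stated_total"]):                       # calculation: foot the invoice
        exceptions.append(f"footed total {footed} != stated total {invoice['stated_total']}")
    overrider = invoice.get("credit_override_by")
    if overrider and overrider not in AUTHORIZED_OVERRIDERS:             # authorization: override rights
        exceptions.append(f"credit override by unauthorized user {overrider}")
    return exceptions


def process_batch(batch):
    """Return (batch-level exceptions, {invoice id: exceptions}) for rejected items."""
    batch_exceptions = check_completeness(batch)
    rejected = {}
    for invoice in batch["invoices"]:
        problems = check_invoice(invoice)
        if problems:
            rejected[invoice["invoice"]] = problems
    return batch_exceptions, rejected


if __name__ == "__main__":
    batch_exceptions, rejected = process_batch(BATCH)
    print("batch:", batch_exceptions or "complete")
    for invoice_id, problems in rejected.items():
        print(invoice_id, "->", "; ".join(problems))
```

Amounts are handled as Decimal rather than float so that the footing comparison is exact; a binary float would make 0.1 + 0.2 fail to equal 0.3 and produce spurious calculation exceptions. In an audit, the evidence for these controls is the system's rejection/exception report for a real batch, plus a re-performance such as this one on a sample of processed invoices.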
