IOP Conference Series: Materials Science and Engineering

PAPER • OPEN ACCESS

To cite this article: B R Aditya and Y Menzelthe 2019 IOP Conf. Ser.: Mater. Sci. Eng. 662 022055


INCITEST 2019 IOP Publishing
IOP Conf. Series: Materials Science and Engineering 662 (2019) 022055 doi:10.1088/1757-899X/662/2/022055

IT Audit Guidance: Side by Side Comparison

B R Aditya1 and Y Menzelthe2

1 School of Applied Science, Telkom University, Bandung, Indonesia
2 Faculty of Economics and Business, University of Padjajaran, Bandung, Indonesia

E-mail: bayu@tass.telkomuniversity.ac.id

Abstract. This study aims to provide an overview of the IT guidance most frequently used in current IT audit practice. The research uses a qualitative approach with a side-by-side comparison technique. The result is a comparison of eight IT audit guidance documents across five aspects: institution/source, category, main target, purpose, and scope. In addition, the study provides practical guidance on the key factors that should be considered when selecting IT audit guidance.

1. Introduction
IT audit guidance is a guideline for a systematic IT audit process, intended to assist data collection and the technical work of the audit [1]. In practice, there is a wide range of IT audit guidance in different forms that an IT auditor can use [2]. The main purpose of using IT audit guidance is to obtain value from the implementation of the IT audit [2]; that value can take the form of accountability, savings in IT audit cost, a more efficient IT audit process, and better identification of IT risks. In particular, IT audit guidance can also be used to define the IT audit universe [3].
In recent years, IT audit guidance has remained an important issue in the IT audit domain [4]. A number of studies have confirmed that IT auditors still have difficulty determining which IT audit guidance to use [5][6]; in other words, errors in the selection of IT audit guidance are still frequent. According to the research in [2], several things cause mistakes in choosing IT audit guidance: 1) not understanding the scope of the guidance, 2) not mapping the objectives of the IT audit to the guidance, and 3) not adjusting the application of the guidance to the needs of the IT audit. All of these are barriers to effective IT audit practice. General guidance is therefore needed to help the IT auditor choose IT audit guidance.
Previous research has compared IT audit guidance [7][8], but the discussion is still general and does not provide the specific information an auditor needs during the selection process. This study therefore tries to complement those studies, so that a more comprehensive understanding of IT audit guidance is obtained.

2. Methods
This research is a general review that uses a qualitative approach, with emphasis on a comparative side-by-side analysis of the various IT guidance related to IT audit practice [9]. The IT guidance selected for comparison is based on previous studies of IT audit practice. The comparative analysis focuses on the aspects that IT auditors most often use as references when choosing IT audit guidance: institution/source, category, main target, purpose, and scope [10][11].

Content from this work may be used under the terms of the Creative Commons Attribution 3.0 licence. Any further distribution
of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI.
Published under licence by IOP Publishing Ltd

3. Result and Discussion


Based on the analysis of the existing literature [1, 2, 7, 8, 12], it can be concluded that, in general, eight IT guidance documents are relevant to IT audit and have been accepted globally (see Figure 1).

Figure 1. Most Used IT Audit Guidance

Each is explained in more detail below.

ITAF. IT audit and assurance (the initial knowledge needed to implement an IT audit). This guidance contains 17 standards, 18 guidelines, and 5 tools and techniques, which are grouped into three groups: general, performance, and reporting (see Table 1).

Table 1. ITAF scope.

Standards
  General: audit charter, organizational independence, professional independence, reasonable expectation, due professional care, proficiency, assertions, and criteria.
  Performance: engagement planning, risk assessment in planning, performance and supervision, materiality, evidence, using the work of other experts, and irregularity and illegal acts.
  Reporting: reporting and follow-up activities.

Guidelines
  General: audit charter, organizational independence, professional independence, reasonable expectation, due professional care, proficiency, assertions, and criteria.
  Performance: engagement planning, risk assessment in audit planning, performance and supervision, materiality, evidence, using the work of other experts, irregularity and illegal acts, and sampling.
  Reporting: reporting and follow-up activities.

Tools & Techniques
  White papers, audit/assurance programs, the COBIT 5 family of products, the technical and risk management reference series, and journal IT audit basics columns.


GTAG (Global Technology Audit Guide). Provides practical guidance for the IT auditor in understanding technology and other needs related to IT audit. There are currently 17 guides with different focus areas, created by combining concepts and practical guidelines. The focus areas are divided into three parts (see Table 2).

Table 2. GTAG scope.

Auditing different areas of IT
  Application controls, IT governance, IT projects, smart devices, user-developed applications, IT outsourcing, IT risks and controls, and Big Data.

Auditing IT security
  Cybersecurity risk, change and patch management controls, fraud prevention and detection in an automated world, identity and access management, and information security governance.

Auditing technology and concepts
  Data analysis technologies, IT audit plan, continuous auditing, and management of IT auditing.

Audit Programs. Provide educational resources on how to manage and conduct an IT audit in the context of a specific business. Currently there are 54 audit programs; their focus areas are distributed according to the version of COBIT on which they are based (see Table 3).

Table 3. Audit programs scope.

Audit programs based on COBIT 5
  Secure shell (SSH) protocol, mobile computing, data privacy, outsourced IT, cybersecurity, BYOD security, change management, cloud computing, IT risk management, and PCI DSS compliance program (in addition, there is also an audit program for SAP ERP).

Audit programs based on COBIT 4.1
  Apache web server, biometrics audit, business continuity management, crisis management, cybercrime, e-commerce, generic application, identity management, information security, IPv6 security, IT continuity planning, IT strategic management, IT tactical management, mobile computing security, network perimeter security, outsourced IT, PII, security incident management, social media, software assurance, systems development and project management, VMware software virtualization, VoIP, and VPN security. In addition, there are also audit programs for Microsoft, MySQL, Oracle, Windows, and UNIX/Linux.

IT Assurance Guide Using COBIT. Provides guidance on the planning process, the determination of scope, and the initiation of IT assurance based on COBIT. This guide is used to help IT organizations evaluate their COBIT implementation.

ISO 27007 and ISO TR 27008. Provide guidance for a specific IT audit: the information security management system (ISMS). ISO 27007 focuses on auditing management systems based on the ISMS of ISO 27001, while ISO TR 27008 focuses on assessing information security controls based on ISO 27002. For ISO 27007, the focus areas are grouped into three (see Table 4).

Table 4. ISO 27007 scope.

Managing the ISMS audit program
  Determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; and continuous process improvement.

Performing an ISMS audit
  Audit process: planning, conduct, key audit activities including fieldwork, analysis, and reporting and follow-up.

Managing ISMS auditors
  Competencies, skills, attributes, and evaluation.

TSP section 100 (AICPA Trust Services Criteria). Provides reports on how internal control is carried out by a service provider (excluding internal control over financial reporting). The trust services categories are five: security, availability, processing integrity, confidentiality, and privacy. Currently, the TSP has 61 criteria across all categories.

ISO 20000 and ITIL. Provide guidance on managing IT services. ISO 20000 is a standard and ITIL is a set of practices. Both aim to align IT services with business needs and cover the overall management of IT services (configuration management, capacity management, release management, supplier management, application management, and IT service continuity management), including the processes needed to design, implement, test, and maintain IT processes.
Based on the side-by-side comparison, the relevance of each IT audit guidance to IT audit practice can be assessed, as shown in Table 5.

Table 5. Relevance level of the IT audit guidance

Guidance                          Level of Relevance
ITAF                              Very High
GTAG                              Very High
Audit Programs                    Very High
IT Assurance Guide Using COBIT    High
ISO 27007 and ISO TR 27008        High
TSP section 100                   High
ISO 20000                         Very Low
ITIL                              Very Low

Based on the overall analysis, there are several things the IT auditor should consider when determining IT audit guidance:

• IT audit needs.
The IT auditor does not need to use IT audit guidance if the objectives of the IT audit can be achieved using only the policies, processes, and procedures the company already owns.
• The scope of IT audit guidance.
The IT auditor must be aware of the scope of the IT audit guidance: whether it is meant for a general issue (for example, IT governance frameworks) or for a specific issue (for example, web application security).
• Adjustments to IT audit guidance.
The IT auditor can integrate parts of several different IT audit guidance documents in order to fit the IT audit objectives.
• Recommendations from other parties.
The IT auditor must understand the underlying reasons when deciding to adopt certain IT audit guidance on the recommendation of the board of commissioners or other parties.

4. Conclusion
There are many considerations in the process of determining IT audit guidance. A side-by-side comparison of the various IT audit guidance documents makes it possible to describe clearly the function and use of each one. It is important for an IT auditor to understand which IT audit guidance is needed in the IT audit process and how well it suits the objectives of the IT audit to be carried out. In this way, the auditor's expectations of the IT audit guidance can be kept relevant to the needs and objectives of the IT audit.

References
[1] Drljaca D and Latinovic B 2016 Frameworks for Audit of an Information System in Practice Journal of Information Technology and Applications 6 pp 78-85.
[2] Pratap K 2012 IT Audit Standards, Frameworks, and Guidelines for Auditee and Auditor Gartner Inc 13.
[3] Aditya B R, Hartanto R and Nugroho L E 2018 The Role of IT Audit in the Era of Digital Transformation IOP Conference Series: Materials Science and Engineering 407.
[4] Aditya B R, Ferdiana R and Santosa P I 2018 Toward Modern IT Audit: Current Issues and Literature Review IEEE 4th International Conference on Science and Technology pp 1-6.
[5] Rosário T, Pereira R and da Silva M M 2013 IT Audit Management Architecture and Process Model International Conference on Business Information Systems pp 187-198.
[6] Rosário T, Pereira R and da Silva M M 2012 Formalization of The IT Audit Management Process IEEE 16th International Enterprise Distributed Object Computing Conference Workshops pp 1-10.
[7] Karya G and Moertini V S 2013 The Customization of the ISACA's Framework as an Audit Model for Large Scale (Enterprise) Web Applications International Systems International Conference pp 134-139.
[8] Parvizi R, Oghbaei F and Khayani S R 2013 Using COBIT and ITIL Frameworks to Establish the Alignment of Business and IT Organizations as One of the Critical Success Factors in ERP Implementation 5th Conference on Information and Knowledge Technology pp 274-278.
[9] Mansour M et al 2001 A side-by-side comparison of sampling methods for settled, indoor allergens Environ Res 87 pp 37-46.
[10] Mohammadi J, Toujaki M and Mohammadi K 2013 IT Auditing, Types and Dimensions European Online Journal of Natural and Social Sciences 2 pp 2298-2303.
[11] Lovaas P and Wagner S 2012 IT Audit Challenges for Small and Medium Sized Financial Institutions Annual Symposium on Information Assurance and Secure Knowledge Management pp 16-22.
[12] Tingliao L 2016 The IT Audit Research based on The Information System Success Model and COBIT 10th International Conference on Intelligent Systems and Control pp 101-102.
