M1 - Auditing in CIS Environment

AUDITING IN CIS ENVIRONMENT

ACT1208
MODULE 1

Information Technology Environment and IT Audit

LEARNING OBJECTIVES
1. Discuss how technology is constantly evolving and shaping today's business (IT) environments.
2. Explain what IT auditing is and summarize its two broad groupings.
3. Describe current IT auditing trends and identify the needs to have an IT audit.
4. Explain the various roles of the IT auditor.
5. Support why IT audit is considered a profession.
6. Describe the profile of an IT auditor in terms of experience and skills required.
7. Discuss career opportunities available to IT auditors.
IT ENVIRONMENT
How technology is constantly evolving and shaping
today's business (IT) environments.
WHY IS THERE A NEED FOR CONTROLS IN IT

• IT is EVERYWHERE
• Computers are both broadly and deeply useful in the business world
• IT has impacted significant areas of the business environment, including the use and
processing of information, the control process, and the auditing profession
IT ENVIRONMENT

DATA & INFORMATION
Technology allows business decision makers to capture, store, analyze, and process massive amounts of data and information.
Technology has increased budgets, successes, and failures, resulting in a better understanding of control as a residual effect.

CONTROL PROCESS
Technology has significantly impacted the control process around systems.
Although control objectives have generally remained constant, except for some that are technology specific, technology has altered the way in which systems should be controlled. Safeguarding assets, as a control objective, remains the same whether it is done manually or is automated.

AUDIT PROFESSION
Technology has impacted the auditing profession in terms of how audits are performed (information capture and analysis, control concerns) and the knowledge required to draw conclusions regarding operational or system effectiveness, efficiency, and reporting integrity.
TECHNOLOGY SYSTEMS IMPACTING IT ENVIRONMENT

Enterprise Resource Planning (ERP)
The objective of ERP is to integrate the key processes of the organization such as order entry, manufacturing, procurement and accounts payable, payroll, and human resources.

Cloud Computing
Cloud computing is the on-demand delivery of IT resources, including servers, databases, storage, software, analytics, and intelligence, over the internet.
Public, Private, Hybrid

Mobile Device Management (MDM)
MDM is a solution that uses software as a component to provision mobile devices while protecting an organization’s assets, such as data. Organizations practice MDM by applying software, processes and security policies onto mobile devices and toward their use.

Internet of Things
The internet of things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
IT CONTROLS FOR IT ENVIRONMENT

• Organizations must integrate IT with business strategies to attain their overall objectives.
• Issues such as IT governance, international information infrastructure, security, privacy, and
control of public and organizational information must be addressed.
• IT controls shall be established, implemented, maintained, and continually improved.
• Audits determine conformity with the controls and whether they are effectively implemented and
maintained.
THE AUDITING PROFESSION

Financial Audit
Financial auditing encompasses all activities and responsibilities concerned with the rendering of an opinion on the fairness of financial statements.

Internal Audit
The IIA defines internal auditing (IA) as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.”

External Audit
The external audit function evaluates the reliability and the validity of systems controls in all forms.
IT AUDITING
IT Auditing and its two groupings
IT AUDITING

IS
Represented by three components: People, Process, Systems
Combination of strategic, managerial, and operational activities involved in managing information.

IT
Subset of IS
Deals with the technology involved in the systems
Hardware, software, database, networks and other facilities necessary to manage the system
IT AUDITING

Formal, independent, and objective examination of an organization’s IT infrastructure to
determine whether the activities (e.g., procedures, controls, etc.) involved in gathering,
processing, storing, distributing, and using information comply with guidelines, safeguard
assets, maintain data integrity, and operate effectively and efficiently to achieve the
organization’s objectives.

IT auditing provides reasonable assurance (never absolute) that the information generated by
applications within the organization is accurate, complete, and supports effective decision
making consistent with the nature and scope of the engagement previously agreed.
IT AUDITING

General Computer Controls Audit
Examines IT general controls or “ITGCs”, including policies and procedures, that relate to many applications and support the effective functioning of application controls.
General controls cover the IT infrastructure and support services, including all systems and applications.
Commonly include controls over (1) IS operations; (2) information security (ISec); and (3) change control management (CCM).

Applications Control Audit
Examines processing controls specific to the application. Also referred to as “automated controls.”
They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted, and reported.
Examples of application controls include checking the mathematical accuracy of records, validating data input, and performing numerical sequence checks, among others. Application controls are likely to be effective when general controls are effective.
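
The three application-control examples named above (mathematical accuracy of records, data input validation, numerical sequence checks), sketched as an added Python example that is not part of the original slides. The invoice fields, the sample batch and all function names are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation
# Constructed sample batch (not from the slides); "total" is the recorded line total.
INVOICES = [
    {"no": 1001, "qty": "3", "unit_price": "19.99", "total": "59.97"},
    {"no": 1002, "qty": "2", "unit_price": "10.00", "total": "25.00"},  # bad arithmetic
    {"no": 1004, "qty": "-1", "unit_price": "5.00", "total": "-5.00"},  # gap + negative qty
    {"no": 1004, "qty": "1", "unit_price": "abc", "total": "7.50"},     # duplicate + bad input
]

def validate_input(rec):
    """Data input validation: fields must be numeric and within allowed ranges."""
    try:
        qty, price, _ = (Decimal(rec[k]) for k in ("qty", "unit_price", "total"))
    except InvalidOperation:
        return ["non-numeric field"]
    errors = []
    if qty <= 0 or qty != qty.to_integral_value():
        errors.append("quantity must be a positive whole number")
    if price < 0:
        errors.append("unit price must not be negative")
    return errors

def check_math(rec):
    """Mathematical accuracy: recorded total must equal qty x unit price."""
    expected = Decimal(rec["qty"]) * Decimal(rec["unit_price"])
    return expected.quantize(Decimal("0.01")) == Decimal(rec["total"])

def check_sequence(numbers):
    """Numerical sequence check: report missing and duplicated document numbers."""
    seen, dupes = set(), set()
    for n in numbers:
        (dupes if n in seen else seen).add(n)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return missing, sorted(dupes)

def run_controls(batch):
    """Apply all three controls; return a list of (invoice no, exception)."""
    exceptions = []
    for rec in batch:
        errs = validate_input(rec)
        exceptions += [(rec["no"], e) for e in errs]
        # Only test arithmetic on records whose fields passed validation.
        if not errs and not check_math(rec):
            exceptions.append((rec["no"], "total does not equal qty x unit price"))
    missing, dupes = check_sequence([r["no"] for r in batch])
    exceptions += [(n, "missing from sequence") for n in missing]
    exceptions += [(n, "duplicate number") for n in dupes]
    return exceptions
```

Calling `run_controls(INVOICES)` yields the exception list an auditor would review: one arithmetic mismatch, two input rejections, one gap and one duplicate in the numbering.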
THE NEED FOR IT AUDIT
How IT Auditing is a necessary
THE NEED FOR IT AUDIT

IT presents risk factors that are unique to accounting, auditing, and systems. That is, IT itself
brings risk to the entity regarding its systems, business processes, and financial/accounting
processing. That risk is unique to IT; without IT being present, that risk would not exist—at
least not to the same level. It takes a professional, such as an IT auditor, to identify and
assess the inherent risk associated with IT.

Reports of information theft, computer fraud, information abuse, and other related control
concerns are being heard more frequently around the world, and better IT controls are
required.
THE NEED FOR IT AUDIT

Nature of work and system used (F&A, Non-F&A)


Data exposure
Data owner and data processor
Laws and regulations
OUR ROLE
The roles of IT Auditor
IT AUDITOR AS COUNSELOR

• IT auditors must take an active role in assisting organizations in developing policies,
procedures, standards, and/or best practices on the safeguarding of information,
auditability, control, testing, etc.
• IT auditors can contribute to computer system control by persuading user groups to insist on
comprehensive testing for all new systems and all changes to existing systems.
IT AUDITOR AS PARTNER OF SENIOR MANAGEMENT

• IT auditors can provide management with an independent assessment of the effect of IT
decisions on the business. In addition, the IT auditor can verify that all alternatives for a
given project have been considered, all risks have been accurately assessed, the technical
hardware and software solutions are correct, business needs will be satisfied, and costs are
reasonable.
IT AUDITOR AS INVESTIGATOR

• IT auditors can work in the field of computer forensics or work side by side with a computer
forensics specialist, supplying insight into a particular system or network. The specialists
can ask the IT audit professionals questions pertaining to the system and get responses
faster than having to do research and figure everything out on their own.
IT AUDITOR PROFILE
Experience and Skills
IT AUDITOR PROFILE

Experience: Work experience; On the job trainings
Skills: Industry-specific skills; Technical; Non-technical
Certifications: ISACA, IIA, ISO, ISC2
Education: BS / BA degrees with courses on auditing; Continuing education
Standards: ITAF; IPPF
CAREER OPPORTUNITIES
CAREER OPPORTUNITIES

Public Accounting: External auditors
Private and Government: IT auditors (internal); Risk and Compliance; IS analysts
Consulting Firms: Technology consultants
Education: Lecturers; Reviewers
QUESTIONS?

2023 ACT1208
THANK YOU
