
IT Audit FAQ

(Frequently Asked Questions)


Muema Lombe, CRISC, CSSLP, CGEIT, CISA
Agenda

About IT Audit
What is IT audit?
What is IT audit known as?
Who needs an IT audit?
Why perform an IT audit?
What is IT external audit?
What is IT internal audit?
What does IT auditing entail?
What is the IT audit process?
What are the two typical roles that IT audit performs?
What does an IT audit include?
What are IT audit types?
What are the types of IT auditors?
What is the IT audit manual?
What are IT audit standards?
What is IT audit strategy?
What is the IT audit universe?
What is an IT risk assessment?
What is an IT audit program?
What is an IT audit report?
What is IT audit co-sourcing?
What is IT audit outsourcing?
What is the IT audit plan?
What is the IT audit schedule?
Who audits the IT auditors?

About IT Audit Careers
What qualifications do I need to be an IT Auditor?
What certification do I need to be an IT Auditor?
Why should I be an IT Auditor?
What is the IT audit job description?
What is the IT audit reporting structure?
What are IT audit job titles?
What are IT audit salaries?
What is the career trajectory for IT auditors?

About IT Audit Tools & Resources
What software is needed for an IT Auditor/IT Audit?
What resources are available for IT audit jobs?
What resources are available for IT auditors to remain current?
What websites to ask IT audit related questions?

Muema Lombe, CRISC, CSSLP, CGEIT, CISA


2
http://itauditfaq.com
About IT Audit

What is IT audit?
An IT audit is a review of the controls of a
technology environment. This may include IT
infrastructure, applications, IT operations and
IT projects.

What is IT audit known as?
An IT audit is also known as an information
technology audit, a systems audit, an
information systems audit or an electronic
data processing (EDP) audit.

Who needs an IT audit?
Publicly traded companies in the United States are required by the SEC, under
Section 404 of the Sarbanes-Oxley Act, to report to their shareholders on
whether internal control over financial reporting is operating effectively.
That assessment covers both operational/business controls and the IT controls
that the financial systems depend on.

Why perform an IT audit?
An IT audit is typically performed to obtain an
independent assessment of the technology
environment. The technology department is
likely to be less objective in assessing its
environment.

What is IT external audit?
An IT external auditor, typically a third party, is independent of the
company, department or organization being audited. This may include Big 4
auditors (e.g. EY, PwC, etc.) or government auditors (e.g. state insurance
regulators, etc.).

External audit's typical role is to express an opinion on the financial
statements of an organization. IT external audit supports that opinion by
assessing the controls in the technology environment of the systems which
support, create and maintain the financial statements.
What is IT internal audit?
The IT internal audit team is typically part of the
internal audit department of an organization.
Whereas IT external audit is primarily focused
on controls around financial reporting, IT
internal audit’s focus is more broad. While a
review may include financial reporting
controls, areas such as fraud, regulatory
compliance and operational effectiveness may
also be covered.
What does IT auditing entail?
An IT audit assesses whether controls preserve the three security objectives
for information: confidentiality, integrity and availability. The definitions
below are those used in FISMA (44 U.S.C. § 3542):

•Confidentiality – Preserving authorized restrictions on information access
and disclosure, including means for protecting personal privacy and
proprietary information.
•Integrity – Guarding against improper information modification or
destruction, including ensuring information non-repudiation and authenticity.
•Availability – Ensuring timely and reliable access to and use of
information.
What is the IT audit process?
The IT audit process mirrors the general (financial and operational) audit
process and has three phases:

•audit planning (risk assessment, scoping, the audit program),
•audit execution (fieldwork: walk-throughs, testing, documenting exceptions) and
•audit wrap-up (reporting, management action plans, follow-up).

What are the two typical roles that IT audit
performs?

IT auditors generally perform two roles:
–audit and
–consulting.

What are the two typical roles that IT audit
performs? (cont’d)

IT Audit

In this role, the IT auditor performs traditional functions, which include
IT audits and IT Sarbanes-Oxley (SOX 404) procedures.

What are the two typical roles that IT audit
performs?
IT Consulting

In the consulting role, IT auditors are asked to perform roles outside of the traditional audit role,
including but not limited to the following:

•SAS 70 – opine on and/or participate in SAS 70 reviews (SAS 70 has since been superseded by
SSAE 16 and then SSAE 18; the equivalent service-organization reports are now SOC 1 reports),
•Fraud Examination – participate in and/or lead the IT portion of fraud investigations,
•M&A – perform vendor due diligence of IT operations as part of the Mergers & Acquisitions
process,
•Data Analysis – perform data analysis (e.g. expense accounts, procurement cards, etc.),
•Business Process Risk Assessments – participate in team exercises evaluating business
processes for IT risks (e.g. infrastructure) and corresponding controls,
•Systems Development – participate in and/or lead pre- or post-implementation reviews of
systems under development,
•External Audit Coordinator – serve as a liaison to facilitate the expedient provision of external
audit requirements.

What does an IT audit include?
IT audit typically evaluates control
design and operational effectiveness.

What does an IT audit include? (cont’d)

Control Design

Management is responsible for developing and maintaining effective internal control.
Effective internal control provides assurance that significant weaknesses in the design or
operation of internal control, that could adversely affect the organization's ability to meet its
objectives, would be prevented or detected in a timely manner.

Assessing the effectiveness of the design of a control is concerned with whether the control,
if it operates as described, is capable of preventing or detecting a material error related to an
account or group of accounts. Procedures to obtain such evidence ordinarily include inquiries of
appropriate personnel; inspection of documents, reports, or electronic files; and observation
of the application of specific controls. Tracing a single transaction through the process in this
way is referred to as a "walk-through" and helps the audit team confirm its understanding of
the controls. An assessment of control design should identify controls as effective,
moderately effective, or not effective.

What does an IT audit include? (cont’d)
Operating Effectiveness

Assessing operating effectiveness is concerned with whether a suitably
designed control actually operated as designed, consistently, throughout the
period under audit, and whether the person (or system) performing it had the
authority and competence to do so. A walk-through only shows the control
working once; an operating-effectiveness test draws from the whole population
of control occurrences for the period. Procedures ordinarily include inquiry,
observation, inspection of evidence that the control ran (approvals, tickets,
logs), and re-performance of the control by the auditor. Sample sizes scale
with control frequency: an automated control whose configuration is unchanged
may need a single test, a daily manual control a larger sample. Each exception
is evaluated for whether it represents a deficiency in operation, and the
control is concluded as operating effectively or not operating effectively.

What are IT audit types?
IT audits generally come in two types:
– Integrated IT Audit
– IT Audit

What are IT audit types? (cont’d)
Integrated IT Audit
• These are audits where the IT audit portion of
the review is a subset of a larger business audit.
For example, the Internal Audit department may
audit the Human Resources function; as part of
that review, the IT auditors may be asked to
review the application that supports human
resources administration and payroll.
What are IT audit types? (cont’d)
IT Audits
These audits are not integrated, but focus on a
particular technology area.  Like ice cream,
stand alone IT audits come in a variety of
flavors. Generally IT audits fall into four buckets:
– General Controls Audits
– Application Control Audits
– Network/Infrastructure Audits
– System Development Audits
What are the types of IT auditors?
IT auditors generally fall into two categories,
technical and non-technical. The best auditor
is one who can explain a technical deficiency
in non-technical speak for the benefit of
business auditors, the Chief Audit Executive
and the Audit Committee.

What is the IT audit manual?
The IT audit manual is a subset of the Internal
Audit manual and includes standards, policies
and procedures.

What are IT audit standards?
Start with ISACA's IS Standards, Guidelines and
Procedures for Auditing and Control Professionals
(since consolidated by ISACA into ITAF, its IT
audit and assurance framework). Internal audit
departments also follow the IIA's International
Standards for the Professional Practice of
Internal Auditing.

https://www.isaca.org

What is IT audit strategy?
The IT audit strategy outlines the approach to
address the items prioritized by the IT risk
assessment. Depending on the organization, the
IT audit strategy can cover anywhere from one to
five years. The strategy should not be defined in
a silo; rather, it should be co-developed with,
and aligned to, the Internal Audit strategy.

What is the IT audit universe?
The IT audit universe should reflect the universe
of IT locations (e.g. data centers, etc.), IT
functions (e.g. operations, etc.), IT projects, IT
platforms (e.g. VOIP, etc.), operating systems
and applications.

What is an IT risk assessment?
An IT risk assessment is a measurement of IT risks to
the business. At a minimum, it should record, for each
item in the IT audit universe, the risk likelihood, the
impact and the resulting risk rating/prioritization.
When preparing the IT risk assessment, the IT auditor
should have a full and complete understanding of the
IT environment. The risks rated should cover all areas
of the IT organization, including but not limited to
IT operations, infrastructure, applications, projects,
etc.
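As an added example (not the deck's own method), the script below strings the audit universe, the risk assessment and the audit strategy together: it rates each entry of a small, constructed IT audit universe by likelihood times impact, buckets the score, and derives a multi-year plan in which audit frequency follows the rating. The 1 to 5 scales, the High/Medium/Low thresholds and the rating-to-frequency mapping are assumptions chosen for illustration; an organization sets its own.

```python
"""Risk-rate an IT audit universe and derive a multi-year audit plan (added example).

The universe entries, the 1-5 likelihood/impact scales, the rating thresholds
and the rating-to-frequency mapping are all assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditableEntity:
    name: str
    category: str      # location, function, project, platform, OS, application
    likelihood: int    # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int        # assumed scale: 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        for attr in ("likelihood", "impact"):
            if not 1 <= getattr(self, attr) <= 5:
                raise ValueError(f"{self.name}: {attr} must be 1..5")

    @property
    def inherent_risk(self) -> int:
        return self.likelihood * self.impact      # 1..25


def rating(score: int) -> str:
    """Assumed buckets for the 1..25 score."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Assumed audit frequency, in years, per rating: this is the strategy decision.
CYCLE_YEARS = {"High": 1, "Medium": 2, "Low": 4}

# Constructed audit universe (locations, functions, projects, platforms, applications).
UNIVERSE = [
    AuditableEntity("ERP application", "application", 4, 5),
    AuditableEntity("Active Directory", "platform", 3, 5),
    AuditableEntity("Payroll application", "application", 3, 4),
    AuditableEntity("Change management", "function", 4, 3),
    AuditableEntity("Primary data center", "location", 2, 5),
    AuditableEntity("Data warehouse project", "project", 3, 3),
    AuditableEntity("VoIP platform", "platform", 2, 2),
    AuditableEntity("Help desk", "function", 2, 1),
]


def prioritise(universe):
    """Risk assessment output: entities ordered by inherent risk, highest first."""
    return sorted(universe, key=lambda e: (-e.inherent_risk, e.name))


def build_plan(universe, horizon=4):
    """Return {year: [entity names]} such that each entity is audited at least
    once per its cycle.  Highest-risk entities are placed first; within an
    entity's first cycle the lightest year is chosen as its start year, which
    levels the annual workload."""
    plan = {year: [] for year in range(1, horizon + 1)}
    for entity in prioritise(universe):
        cycle = CYCLE_YEARS[rating(entity.inherent_risk)]
        first_cycle = range(1, min(cycle, horizon) + 1)
        start = min(first_cycle, key=lambda y: (len(plan[y]), y))
        for year in range(start, horizon + 1, cycle):
            plan[year].append(entity.name)
    return plan


def coverage_gaps(universe, plan):
    """Names of entities that never appear in the plan (should be empty)."""
    scheduled = {name for names in plan.values() for name in names}
    return sorted(e.name for e in universe if e.name not in scheduled)


if __name__ == "__main__":
    for e in prioritise(UNIVERSE):
        print(f"{e.inherent_risk:2} {rating(e.inherent_risk):6} {e.name}")
    for year, names in build_plan(UNIVERSE).items():
        print(f"year {year}: {', '.join(names)}")
```

The ordered list that `prioritise` returns is the risk assessment; `CYCLE_YEARS` is the strategy; the dictionary that `build_plan` returns is the multi-year plan from which each year's audit plan and schedule are cut. The `coverage_gaps` check is the one to run before the plan goes to the Chief Audit Executive: every item in the universe must be reached at least once within the horizon, otherwise the universe and the strategy disagree.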
What is an IT audit program?
The IT audit program details the steps to be
performed in conducting the IT audit.

What is an IT audit report?
The IT audit report summarizes the details of
what was reviewed and the results of review
for the IT audit.

What is IT audit co-sourcing?
IT audit co-sourcing is when the resources and/or skills of an
IT audit department are augmented by an external resource. This
augmentation could be the result of a staff shortage or a gap in
technical expertise.

For example, a small IT audit department may not have the
budget to maintain a full-time resident expert in Oracle
databases in house. For an upcoming audit of Oracle
databases, the department may hire a service provider
external to the organization with sufficient expertise to
perform the specific duties required.
What is IT audit outsourcing?
IT audit outsourcing is when the IT audit
function is fully outsourced to a third party
service provider. For example, an organization
may have an Internal Audit department, but
fully outsource the IT audit function due to
headcount restrictions and/or the expense of
maintaining a full time IT audit team.

What is the IT audit plan?
The IT audit plan is just that: a plan for the coming
year which lists each audit by name with its
corresponding scope. The audit plan is approved by
the Chief Audit Executive and the Audit Committee
and vetted with the auditee. Depending on the
Internal Audit (IA) organization, the IT audit plan
may be incorporated as part of the IA plan; in some
cases the IT audit plan is a stand-alone plan.
What is the IT audit schedule?
The audit schedule lists the IT audits for the
coming year to which dates have been assigned
(i.e. the audits have been scheduled). This
document is usually co-developed with the
auditee to agree on timing, working around
employee vacations, IT department busy
periods, etc.

Who audits the IT auditors?
The Institute of Internal Auditors (IIA) Standards
require an external quality assessment (often
called a Quality Assessment Review, QAR) at least
once every five years. This review is performed by
a qualified, independent assessor or team from
outside the organization, and covers both the
business and IT audit functions.

About IT Audit Careers

What qualifications do I need to be an IT
Auditor?
The requirements for becoming an IT auditor
vary with the needs of the organization and
the specific IT audit role you are applying
for (e.g. IT Audit Staff vs. IT Audit Director).
Generally, the following are the desired baseline
qualifications:

What qualifications do I need to be an IT
Auditor? (cont’d)

Education

Bachelor's degree in technology (Information
Systems, Computer Science, etc.), Accounting,
Business or a related field.

What qualifications do I need to be an IT
Auditor? (cont’d)

Certification

Certified Information Systems Auditor (CISA)
designation.

What qualifications do I need to be an IT
Auditor? (cont’d)

Experience

Two to four years performing IT audits and/or
related functions, with Big 4 or similar CPA firm
audit experience.

What qualifications do I need to be an IT
Auditor? (cont’d)
Competencies

•Experience working in a global organization, interacting with all levels of
management.
•Strong knowledge of financial systems, and of general internal controls for
information systems and data center operations.
•Experience managing a variety of audit assignments and implementing / testing
compliance with the Sarbanes-Oxley Act.
•Ability to work both independently and as a member of a team in a fast-paced
environment, handling multiple tasks simultaneously.
•Experience in auditing large-scale system implementations and strong knowledge
and understanding of project / software development life cycle methodologies
(e.g. Waterfall, Rational Unified Process and Agile development).
•Strong written, verbal and interpersonal communication skills are required.

What certification do I need to be an IT
Auditor?
The unofficial standard designation for IT
auditors is the Certified Information Systems
Auditor (CISA).

What certification do I need to be an IT
Auditor? (cont’d)
Other related technology or security related certifications to
consider include:

•Certified Information Security Manager (CISM)
•Certified Information Systems Security Professional (CISSP)
•Certified Computer Professional (CCP)
•Certified Information Technology Professional (CITP)
•Certified in Risk and Information Systems Control (CRISC)
•Certified in the Governance of Enterprise Information Technology (CGEIT)
Why should I be an IT Auditor?
Serving as an IT auditor is a great way to:

•network with all layers of the IT organization (CIO
to managers to IT staff),
•fully immerse yourself in the IT department and its
functions by auditing different areas,
•build the experience and expertise for a leadership
career such as Chief Security Officer or Chief Risk
Officer.
What is the IT audit job description?
• RISK ASSESSMENT: Participate in the Annual Risk Assessment and Audit Plan
Development with respect to information technology environment of all the
business units;
• BUDGETING: Participate in the preparation of departmental budgets and forecasts;
• SCOPING: Manage the scoping and development of audit programs, working with
business unit and operational management as well as Internal Audit managers on
integration to financial and operational audits;
• PLANNING: Manage all planning and fieldwork activities for IT audits at domestic
and international locations to evaluate and make recommendations for
improvement with respect to the effectiveness and efficiency of the IT related
function and processes, as well as to assess compliance with Company policies and
external regulations;
• AUDIT: Perform integrated audits and reviews of general IT controls, system access
security, and application system controls to ensure the processes and data are in
compliance with policies, standards and procedures;

What is the IT audit job description? (cont’d)
• TEST: Prepare, execute and document testing procedures and outcomes,
perform detailed analysis and recognize relevant financial statement issues;
• ANALYZE: Analyze the IT environment, including operating systems, applications,
infrastructure, policies and procedures, etc.;
• ISSUE IDENTIFICATION: Identify and communicate any control issues, process
inefficiencies, or operational risks and recommend appropriate solutions;
• PROJECT MANAGEMENT: Manage special projects (e.g., reviews of system or
policy implementations);
• QUALITY ASSURANCE: Conduct reviews of work performed to ensure
compliance with auditing standards, including Generally Accepted Auditing
Standards (GAAS) and the Institute of Internal Auditors (IIA) Standards;
• REPORT WRITING: Write and/or review/edit audit reports for the review and
approval of the Chief Audit Executive.

What is the IT audit job description? (cont’d)
• PRESENTATION: Present audit observations and recommendations to
management; Assist in developing presentations for senior
management and the Audit Committee of the Board of Directors with
respect to the IT audit scope, coverage, and findings.
• DOCUMENTATION REVIEW: Review management action plans and
monitor implementation of recommendations proposed by Internal
Audit to ensure that issues are adequately addressed and mitigated;
• RELATIONSHIP MANAGEMENT: Establish partnering, yet independent
and objective, relationships with auditees;
• COORDINATION: Coordinate audit activities with the business unit’s
IT function and IT Department as necessary, to minimize duplication
and leverage combined efforts;

What is the IT audit job description? (cont’d)

• RECRUITING: Participate in recruiting and retaining high-quality
audit staff and seniors;
• TRAINING: Participate in departmental training, career
development and professional development activities; and
provide technical guidance, as well as coach audit staff and
seniors to enhance their technical skill levels;
• COMPLIANCE: Ensure adherence to department policies and
procedures;
• REMAIN CURRENT: Review and analyze new, proposed, or
revised laws, regulations, policies, and procedures in order to
interpret their meaning and determine their impact on the company.

What is the IT audit reporting structure?

As a best practice, the IT Audit Director (or
equivalent) should report to the Chief Audit
Executive, who in turn reports functionally to
the Audit Committee and administratively to the
Chief Executive Officer.

What are IT audit job titles?
In a multi-layered Big 4 accounting firm, IT audit job
titles are typically as follows:
• Staff
• Senior
• Manager
• Senior Manager
• Director
• Principal
• Partner
What are IT audit salaries?
IT audit salaries vary depending on experience,
certifications, type of organization and
location. Generally they are 10% to 25%
higher than traditional (financial/operational)
auditor salaries.

Explore IT audit salaries here:

http://www.glassdoor.com

What is the career trajectory for IT auditors?

The career trajectory for an IT auditor is contingent
upon the opportunity within an organization, the
opportunity within the department and the
experience of the auditor. There are generally
three career trajectories for IT auditors:

1.Up or Out
2.Rotation
3.Flatline
What is the career trajectory for IT auditors?
(cont’d)
Up or Out
• The Up or Out model is typically followed by public
accounting firms.  The rotation is approximately two to
five years at each level, after which you are promoted to
the next level (staff, senior, manager, senior manager,
director then partner). If you are not promoted within
this timeframe, or if management does not feel you are
ready for the next level within the organization, you are
“counseled out”, that is, strongly encouraged to seek
employment elsewhere, otherwise you’ll be terminated.

What is the career trajectory for IT auditors?
(cont’d)
Rotation
• Top tier financial and multinational
organizations often maintain a rotation model
for their audit department. Auditors are
encouraged to join the audit organization for
two to four years, after which they’ve
developed an understanding and expertise and
are rotated into a specific department or
business function.
What is the career trajectory for IT auditors?
(cont’d)
Flatline
• The flatline trajectory is typically found in small to
medium size Internal Audit departments.  By flatline,
we mean, there is minimal room for upward mobility
or growth in the department due to the size of the
department and/or tenure of those there before
you.  As such, your career progression is flatlined,
unless someone retires, quits or otherwise leaves the
department, which would create an opportunity for
you to move up.
About IT Audit Tools & Resources

What software is needed for an IT Auditor/IT
Audit?
There are many types of audit software:
• audit management software (e.g. TeamMate,
AutoAudit, etc.),
• risk assessment software (e.g. Compliance 360,
Resolver, etc.),
• data analysis software (e.g. ACL, IDEA, etc.),
• system configuration analysis tools (e.g. EY
Mercury for SQL, OS400 and Windows, etc.).

What resources are available for IT audit
jobs?
• http://www.indeed.com/
• http://www.simplyhired.com/
• http://www.dice.com/
• http://www.monster.com/
• http://hotjobs.yahoo.com/
• http://it-audit-jobs.com/

What resources are available for IT auditors
to remain current?
http://itauditandsecurity.com/

http://insuranceitaudit.com/

http://twitter.com/itaudit

What websites to ask IT audit related
questions?
http://itauditforum.com/

Contact
http://www.linkedin.com/in/muemalombe
