
TOPIC 6 (CHAP 8 Text Book)

IMPLICATIONS OF INFORMATION TECHNOLOGY ON INTERNAL AUDITING
LEARNING OBJECTIVES

01 IT Audit – Describe the scope of Information Technology (IT) audit.
02 Technology Risks – Identify technology risks and challenges to internal auditing.
03 Controls – Discuss the evaluation of general and application controls.
04 SDLC – Define and discuss the audit of the System Development Life Cycle (SDLC).
05 E-commerce
INTRODUCTION

 Heavy reliance on computers for processing data and business operations
 Focus on governance of information and communications technologies
 There are unlimited areas of IT auditing, but this chapter focuses on general and application controls, System Development Life Cycle projects, the e-commerce environment and the use of Computer-Assisted Audit Tools and Techniques (CAATs).
PROBLEM VS. SOLUTION

Problem:
 System application error
 Hardware failure
 Computer crime

Solution – IT audit focuses more on:
 The effectiveness of control procedures in minimising related technology risks;
 The compliance with international or Malaysia’s standard operating practice, policies, procedures and related law or regulations of the regulatory body.
IA Function in an IT Business Environment

 IA – knowledgeable about computers, comfortable and confident with technology
 IA must be able to visualise the impact of technology on the business – good and bad
 Impact of technology on the business as a going concern
 Specialised field – IS auditors
 Standards issued by the IIA – Guide to Assessment of IT General Controls Scope Based on Risk

https://youtu.be/oMM-pn2iZ18
IT AUDIT

Example systems:
 HR System
 Accounting System
 Learning Management System
 Enrollment System
DEFINITION OF IT AUDIT

 ‘An independent examination of the internal controls, records, and related information generated from the system in order to form an opinion on the integrity of the system of controls, the compliance with policies and procedures, and the recommendation of control improvements to minimise or limit risks.’

 IT audit focuses more on:
• The effectiveness of control procedures in minimising related technology risks;
• The compliance with international or Malaysia’s standard operating practice, policies, procedures and related law or regulations of the regulatory body.
Main Types of IT Audit

 Operational computer system audits
 IT application system audit
 Developing system audits
 IT process audit
 Information security and control audit
 IT management audit
 Disaster contingency or disaster recovery audit
 IT strategy audit
Elements of IT Audit
Physical and environmental review
System administration review
Application software review
Network security review
Business continuity review
Data integrity review
Scope & Objectives of IT Audit

No.  Scope of Audit                Objectives of Audit
1.   Security controls             To ensure the establishment of an appropriately defined IT management structure with a clear framework of authorities and responsibilities.
2.   Logical access controls       To ensure that the access controls are reviewed to determine that safeguards are in place to prevent unauthorized acquisition of data resources.
3.   Physical security controls    To prevent unauthorised access to computer related equipment and to ensure adequate protection of computer related equipment against natural hazards.
4.   Installation controls         To ensure consistent control of software and hardware management in its operation of application systems.
5.   Local area network controls   To prevent any unauthorized access to the local area network.
Evaluation of General & Application Controls

General Controls
Applicable to all aspects of IT functions, for example the administration of the IT function, hardware or software acquisition and maintenance, and physical and security control over hardware.
• Administration of IT function
• Physical access control
• Logical access control
• Backup and contingency plan

Application Controls
Include control of the usage of individual transactions specific to a certain software application. For example, controls over the processing of sales.
• Input control
• Processing control
• Output control

Extra: https://youtu.be/bafb1IyUKUU
General Controls

Control: Administration of IT function
Purpose: To ensure proper administration of people and resources of the department.
E.g.: List of IT staff with their responsibilities.

Control: Physical access control
Purpose: To ensure proper control is in place for physical access to the IT department and its critical areas.
E.g.: Access to the Data Centre/Office is for authorized personnel only.

Control: Logical access control
Purpose: To ensure proper control is in place for infrastructure, applications and data.
E.g.: Username and password on laptops and printers.

Control: Backup and contingency plan
Purpose: To ensure a proper backup and contingency plan is in place for unexpected emergencies such as fire, virus attack, power failure or natural disaster.
E.g.: Well-written business contingency and recovery plan.
Application Controls

Category of control: Input control
Purpose: To check the integrity of data entered into an organization’s application.

Category of control: Processing control
Purpose: To ensure proper control of data processing so that the process is complete, accurate and authorized.

Category of control: Output control
Purpose: To ensure output results are consistent with the input data, and to ensure computer output is not interrupted by or shown to unauthorized users.
Steps To Perform IT Audit

1. Establish the Terms of the Engagement • The CAE will determine the scope and objectives of the audit of IT functions, such as the scope and objectives of the audit, the responsibilities of auditor and auditee, the authority for the auditor to have access to all information of IT functions, and the audit schedule.
2. Preliminary Review • The auditor needs to gather information on the IT department to prepare the audit plan, which includes the auditee’s strategy and responsibilities in managing and controlling IT’s operations.
3. Establish Materiality and Assess Risks • The auditor needs to establish a judgement on the materiality of IT’s function as well as perform an assessment of the auditee’s business risk, in order to set the scope of the audit.
4. Plan the Audit • An audit plan includes the engagement’s objectives, scope, timing and resource allocation. A well-developed audit plan will ensure that the audit process is conducted efficiently and effectively.
5. Consider Internal Control • The auditor has to consider the internal control of the auditee in order to begin the audit process. Once the process is completed, the auditor can assess the level of the auditee’s control risk, which is important to determine the level of substantive tests to be performed during fieldwork.
6. Perform Audit Procedures • The auditor will perform the audit process based on the scope stated in the audit plan. The auditor will use a substantive test approach to audit IT business functions.
7. Issue the Audit Report • The auditor will issue an audit report once all audit procedures have been completed and evaluated.
Guide to Conduct an IT audit (GAIT)

GAIT Methodology
• to assess the scope of IT general controls using a top-down and risk-based approach.
• helps the management to identify any deficiencies in key IT general controls that may result in material errors in financial statements.
• 4 Principles

GAIT for IT General Control Deficiency Assessment
• to evaluate any IT general control deficiencies identified during assessment, such as material weaknesses or significant deficiencies.

GAIT for Business and IT Risk
• a guideline to help identify the IT controls that are critical to achieve business goals and objectives.
• Adherence to this guideline would help the CAE and audit team provide assurance and the necessary levels of consideration to IT related business risks.
4 Principles under GAIT Methodology

Principle One: The identification of risks and related controls in IT general control processes (e.g. in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.

Principle Two: The IT general control process risks that need to be identified are those that critically affect IT functionality in financially significant applications and related data.

Principle Three: The IT general control process risks that need to be identified exist in processes at various IT layers: application program code, databases, operating systems and networks.

Principle Four: Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.
SDLC

Auditing Of System Development
 System Development Life Cycle (SDLC)
 A series of steps used to identify the phases of an information system development project
 A process-centric approach to developing and implementing a system – a set of defined goals and timelines that sets out the completion date and associated deliverables within each phase of the life cycle
 Each phase (plan, analyse, design, implement) is sequentially executed – this allows proper evaluation and resolution of problems within each phase
The SDLC Process

1. Systems Planning
2. Systems Analysis
3. Conceptual Design
4. Systems Selection
5. Detail Design
6. Programming and Testing Systems
7. Systems Implementation

https://youtu.be/i-QyW8D3ei0
IA Involvement in SDLC – Life Cycle

IA holds an advisory role in every phase of the SDLC to provide an independent view on issues during the development process.
1. Review the project proposal generated during the system planning phase.
2. Review the relevant documents generated during system testing.
3. Review and examine various documents generated at every phase of the SDLC process.

Phases of the life cycle:
1. Plan – Who will build the system
2. Analyse – Who, what, when and where will the system be
3. Design – How will the system work
4. Implement – When, where and how will the system be delivered
5. Support – **not within the SDLC – post-implementation phase (but needs to be reviewed by IA as well)
IA Involvement in SDLC

To ascertain that the standards and procedures for the SDLC are made available and followed accordingly;
To ascertain that resources are effectively and efficiently utilised to enable the project to meet its deadline;
To ascertain that proper authorisation/approval is sought at each stage prior to the commencement of further tasks;
To ascertain that project documentation is current and properly maintained for future review;
To ascertain that test documentation, including test plans and results, is adequately maintained;
To ascertain that proper change request procedures exist to ensure all changes are authorised and attended to on a timely basis.
Risk Factors in SDLC

New system does not meet business requirements
• Failure to develop adequate/complete user requirements, poor understanding about the project, lack of user involvement, requirements and specifications keep changing

Poor project management/SDLC methodology
• Planned financial resources exceeded, late completion of individual tasks, missed deadlines, pressure to agree to impossible schedules

Inadequate change management control
• Lack of systems and processes to manage change
• Who has made the changes, what changes are made, when they are made
E-commerce Audit

Auditing E-Commerce
 What is E-commerce?
 Literally, doing business electronically (through internet technologies)
 Use of electronic data transmission to implement or enhance business processes
 Concern with the increasing number of security incidents – security implications affect the trust of businesses (malicious attacks on company websites) and consumers (e.g. unauthorised use of credit cards for online transactions)
 IA involvement – advisory service during system development and system/network/software/information security/system monitoring & recovery
Issues in E-commerce Environment
 Business continuity
 Information security and privacy
 The lack of audit trails
 Record retention
 Segregation of duties
 Legal liability
E-commerce Environment
Electronic commerce (e-commerce) is the process by
which organisations conduct their business over
electronic systems such as the Internet and other
computer networks with their customers, suppliers and
other external business partners.
Threats to e-commerce environments include virus
infections, hacking, cybercrime and failure of the
system and infrastructure.

Areas of Concern for IA in regard to e-commerce

Knowledge on security exposures and control measures
• Internal auditors should equip themselves with knowledge of the various security breach techniques (e.g. hacking, spamming, virus attacks) associated with e-commerce transactions to be able to address the security issues.
• They need to understand that different security threats require different approaches and solutions.

Skills and experience in handling e-commerce security issues
• Internal auditors need to equip themselves with skill and knowledge on the latest developments in IT control procedures.

Question on loss of transaction integrity
• The auditors could also perform a walkthrough of the e-commerce system to ensure that proper security control procedures are installed and implemented at every stage of the transaction.
Reasons for Auditing e-Commerce
To assess the effectiveness of the infrastructure and security measures of an e-commerce operation.
To evaluate compliance of e-commerce business operations with an organisation’s IT security policies as well as with industry good practices.
To evaluate the readiness of IT functions in the event of a major failure in e-commerce business transactions.
To identify other security issues that may affect the current infrastructure of an e-commerce model.
Information Security Audit
 Purpose – to provide assurance that an appropriate level of control exists over the confidentiality, integrity and availability of information within the e-commerce operation
 E-commerce is open to threats (e.g. virus attack), vulnerabilities of the system (e.g. product flaws) and the associated risk
 Businesses need to have an information security policy
 Network environment – where e-commerce websites reside
 Sources of threats to the network environment: network segment, application software, system software, process integrity and physical security
Additional Reading

CAATs
Computer-Assisted Audit Tools (CAATs)
 Computer-assisted audit techniques (CAATs) or computer-assisted audit tools and techniques (CAATTs) is an approach to auditing using computers.
 It offers various tools or utilities which help the auditor to select, gather, analyse and report audit findings.
 CAATs can be classified as:
 Electronic working papers
 Information retrieval and analysis
 Fraud detection
 Network security
 Electronic commerce and internet security
 Continuous monitoring
 Audit reporting
CAATs and Their Functions
Information retrieval and analysis
 Auditors could use automated retrieval and analysis tools to assess data and records and to evaluate and analyse them based on the criteria or parameters set by them.
Fraud detection tool
Audit reporting function
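As an added example that is not from the slides or the textbook: the three application controls from the Application Controls slide (input, processing, output) implemented as a small CAAT-style retrieval-and-analysis script that applies auditor-set parameters to a constructed batch of sales transactions. The field names, user names and parameter values are assumptions.

```python
# Added example (not from the slides): a CAAT-style check that applies the three
# application controls (input, processing, output) to a constructed sales batch.
from collections import Counter
from decimal import Decimal, InvalidOperation

# Constructed batch: S-1003 has a mistyped amount ("O" for "0"), S-1004 was posted
# by an unauthorised user, and the last row repeats transaction id S-1001.
SAMPLE_BATCH = [
    {"txn_id": "S-1001", "customer": "C-01", "amount": "120.50", "posted_by": "clerk1"},
    {"txn_id": "S-1002", "customer": "C-02", "amount": "75.00", "posted_by": "clerk2"},
    {"txn_id": "S-1003", "customer": "C-03", "amount": "12O.00", "posted_by": "clerk1"},
    {"txn_id": "S-1004", "customer": "C-04", "amount": "999.99", "posted_by": "intern7"},
    {"txn_id": "S-1001", "customer": "C-01", "amount": "120.50", "posted_by": "clerk1"},
]
# Audit parameters the auditor sets before running the tool (assumed values).
AUTHORISED_POSTERS = {"clerk1", "clerk2"}
REPORT_READERS = {"auditor1", "fin_manager"}

def input_control(batch):
    """Input control: reject rows whose entered data lacks integrity."""
    valid, exceptions = [], []
    id_counts = Counter(r["txn_id"] for r in batch)
    for r in batch:
        try:
            amount = Decimal(str(r["amount"]))
        except InvalidOperation:
            exceptions.append((r["txn_id"], f"non-numeric amount {r['amount']!r}"))
            continue
        if id_counts[r["txn_id"]] > 1:
            exceptions.append((r["txn_id"], "duplicate transaction id"))
        else:
            valid.append({**r, "amount": amount})
    return valid, exceptions

def processing_control(valid):
    """Processing control: process only authorised rows; keep batch control totals."""
    processed = [r for r in valid if r["posted_by"] in AUTHORISED_POSTERS]
    exceptions = [(r["txn_id"], f"unauthorised poster {r['posted_by']!r}")
                  for r in valid if r["posted_by"] not in AUTHORISED_POSTERS]
    totals = {"count": len(processed),
              "amount": sum((r["amount"] for r in processed), Decimal("0"))}
    return processed, totals, exceptions

def output_control(totals, report_rows, reader):
    """Output control: reconcile the report to the batch totals; check the reader."""
    exceptions = []
    if reader not in REPORT_READERS:
        exceptions.append(("report", f"output released to unauthorised user {reader!r}"))
    out = {"count": len(report_rows),
           "amount": sum((Decimal(str(x["amount"])) for x in report_rows), Decimal("0"))}
    if out != totals:
        exceptions.append(("report", f"output totals {out} do not match batch totals {totals}"))
    return exceptions
```

Each function returns the exception list an auditor would review; a report whose totals differ from the batch totals, or one requested by a user outside REPORT_READERS, is flagged at the output stage.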
Advantages of CAATs
 Suitable for auditing large volumes of transactions. It is valuable to organisations with complex processes, distributed operations and high transaction volumes.
 Gain access to audited data in a much more efficient way. Direct access to an organisation’s data will eventually reduce the time and effort spent in performing audit procedures with assured accuracy.
 Provide assurance to the area being audited. It allows auditors to point out errors or fraud easily in order to provide effective recommendations.
 Provide a standard uniform practice and user-friendly interface for auditors. It allows auditors to perform various tasks, irrespective of the data format or the underlying operating system of an organisation.
Disadvantages of CAATs
 May have compatibility issues with the existing software applications used by a company/auditee.
 May require considerable computer resources/capacity, which may give rise to questions of cost vs. benefit. May involve additional cost as the installation process requires various computer resources or facilities, for example the type of processor and the size of memory and storage required.
 The question of whether cost outweighs the benefit of purchasing CAATs may involve:
 Cost of purchasing and installing the software;
 Cost of training the staff in using the software;
 Cost of maintaining the software; and
 Cost to contact the service centre.
 Sensitive business data such as customers’ details, business plans and strategy could be compromised by irresponsible persons, if not
Conclusion
The audit of an IT environment is very challenging as it involves reviewing and reporting very technical matters.
To excel in the audit, internal auditors should possess adequate IT knowledge, technical skills and experience.

https://youtu.be/oMM-pn2iZ18
END CHAPTER 8

TUTORIALS (Feb 2021)

TUTORIALS (July 2021)