
Ch07 Information Systems Auditing and Controls

Uploaded by

kibirighenry

INFORMATION SYSTEMS AUDITING

What is IT Audit?
An information technology audit, or information systems audit, is an examination of the
management controls within an information technology (IT) infrastructure. The evaluation of
obtained evidence determines if the information systems are safeguarding assets, maintaining
data integrity, and operating effectively to achieve the organization's goals or objectives. These
reviews may be performed in conjunction with a financial statement audit, internal audit, or
other form of attestation engagement. Another definition for IT Audit can be "the process of
collecting and evaluating evidence to determine whether a computer system (information
system) safeguards assets, maintains data integrity, achieves organizational goals effectively
and consumes resources efficiently."

Information systems are the lifeblood of any large business. As in years past, computer systems
do not merely record business transactions, but actually drive the key business processes of the
enterprise. In such a scenario, senior management and business managers do have concerns
about information systems. The purpose of IS audit is to review and provide feedback,
assurances and suggestions. These concerns can be grouped under three broad heads:

1. Availability: Will the information systems on which the business is heavily dependent
be available for the business at all times when required? Are the systems well protected
against all types of losses and disasters?
2. Confidentiality: Will the information in the systems be disclosed only to those who
have a need to see and use it and not to anyone else?
3. Integrity: Will the information provided by the systems always be accurate, reliable
and timely? What ensures that no unauthorized modification can be made to the data or
the software in the systems?

IT audits are also known as "automated data processing (ADP) audits" and "computer audits".
They were formerly called "electronic data processing (EDP) audits". An IT audit is different
from a financial statement audit. While a financial audit's purpose is to evaluate whether an
organization is adhering to standard accounting practices, the purposes of an IT audit are to
evaluate the system's internal control design and effectiveness. This includes, but is not limited
to, efficiency and security protocols, development processes, and IT governance or oversight.

Types of IT audits
Various authorities have created differing taxonomies to distinguish the various types of IT
audits. Goodman & Lawless state that there are three specific systematic approaches to carry
out an IT audit:
Technological innovation process audit: This audit constructs a risk profile for existing and
new projects. The audit will assess the length and depth of the company's experience in its
chosen technologies, as well as its presence in relevant markets, the organization of each
project, and the structure of the portion of the industry that deals with this project or product.
Innovative comparison audit: This audit is an analysis of the innovative abilities of the
company being audited, in comparison to its competitors. This requires examination of the
company's research and development facilities, as well as its track record in actually producing
new products.
Technological position audit: This audit reviews the technologies that the business currently
has and that it needs to add. Technologies are characterized as being either "base", "key",
"pacing" or "emerging".

Others describe the spectrum of IT audits with five categories of audits:


• Systems and Applications: An audit to verify that systems and applications are
appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely,
and secure input, processing, and output at all levels of a system's activity.
• Information Processing Facilities: An audit to verify that the processing facility is
controlled to ensure timely, accurate, and efficient processing of applications under
normal and potentially disruptive conditions.
• Systems Development: An audit to verify that the systems under development meet the
objectives of the organization and to ensure that the systems are developed in
accordance with generally accepted standards for systems development.
• Management of IT and Enterprise Architecture: An audit to verify that IT
management has developed an organizational structure and procedures to ensure a
controlled and efficient environment for information processing.
• Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify
that telecommunications controls are in place on the client (computer receiving
services), server, and on the network connecting the clients and servers.

Elements of Information System Audit


An information system is not just a computer. Today's information systems are complex and
have many components that piece together to make a business solution. Assurances about an
information system can be obtained only if all the components are evaluated and secured. The
proverbial weakest link determines the total strength of the chain. The major elements of IS audit can be
broadly classified as follows:
1. Physical and environmental review: This includes physical security, power supply, air
conditioning, humidity control and other environmental factors.
2. System administration review: This includes security review of the operating systems,
database management systems, all system administration procedures and compliance.
3. Application software review: The business application could be payroll, invoicing, a
web-based customer order processing system or an enterprise resource planning system
that actually runs the business. Review of such application software includes access
control and authorizations, validations, error and exception handling, business process
flows within the application software and complementary manual controls and
procedures. Additionally, a review of the system development lifecycle should be
completed.
4. Network security review: Review of internal and external connections to the system,
perimeter security, firewall review, router access control lists, port scanning and
intrusion detection are some typical areas of coverage.
5. Business continuity review: This includes existence and maintenance of fault tolerant
and redundant hardware, backup procedures and storage, and documented and tested
disaster recovery/business continuity plan.
6. Data integrity review: The purpose of this is scrutiny of live data to verify adequacy of
controls and impact of weaknesses, as noticed from any of the above reviews. Such
substantive testing can be done using generalized audit software (e.g., computer assisted
audit techniques).
To organize the audit, an audit plan shall be developed.

Importance of IT audit
IT auditing is essential to three types of audit: performance audits, audits of compliance with
applicable laws, standards and policies, and financial statement audits. The main objective of
an audit is to see whether there is any unreliability or ineffectiveness in the management and
use of the IT system for a business.
The audit first recognizes the risks in an entity. It then evaluates them with the help of
advanced design controls, allowing the company to devise a suitable solution to counter the
threats. Thus, IT auditing is crucial for companies and businesses looking to
preserve their IT system and valuable data and information.
The following points show why an IT audit is necessary:
• Organization risks are reduced: IT audit consists of the identification and
assessment of IT risks in a company. It usually covers risks related to integrity,
confidentiality and availability of IT infrastructure and processes. Additional concerns,
including efficiency, effectiveness, and reliability of IT, can also be addressed by regular
identification and assessment of risks in a company.
• Fraud detection and prevention: The IT audit also helps companies in fraud
prevention. Systematic analysis of a company’s operations and implementing rigorous
internal control systems can prevent and detect various fraud and other accounting
irregularities.
• Improves the security of data: The IT audit reinforces the availability, confidentiality, and
integrity of the relevant data of an organization. It guarantees the security of sensitive
data against any threat.
• Enhances IT governance: IT auditing serves an essential function in ensuring that all
business laws, regulations, and compliance requirements are met by all employees and the IT
department. This, in turn, enhances IT governance since IT management has a strong
understanding of the risks, controls, and value of an organization’s technological
environment.
• Enhances communication within the organization: Performing an IT audit can
improve all interactions between the company’s business and technology management.
The completion of a computer audit generates a strong need for communication
between the business and its technology department. The company’s technology exists
to support its functions, strategies, and operations. Alignment of business and
supporting technology is crucial, and IT auditing maintains this alignment.

Planning IT Audit
As technology becomes more integral to the organization's operations and activities, a major
challenge for internal auditors is how to best approach a companywide assessment of IT risks
and controls within the scope of their overall assurance and consulting services. Therefore,
auditors need to understand the organization's IT environment; the applications and computer
operations that are part of the IT infrastructure; how IT applications and operations are
managed; and how IT applications and operations link back to the organization.
Completing an inventory of IT infrastructure components will provide auditors with
information regarding the infrastructure's vulnerabilities. "The complete inventory of the
organization's IT hardware, software, network, and data components forms the foundation for
assessing the vulnerabilities within the IT infrastructures that may impact internal controls."
Many organizational factors are considered when developing the audit plan, such as the
organization's industry sector, revenue size, type, complexity of business processes, and
geographic locations of operations. Two factors having a direct impact on the risk assessment
and in determining what is audited within the IT environment are its components and role. For
example:

• What technologies are used to perform daily business functions?


• Is the IT environment relatively simple or complex?
• Is the IT environment centralized or decentralized?
• To what degree are business applications customized?
• Are some or all IT maintenance activities outsourced?
• To what degree does the IT environment change every year?
These IT factors are some of the components Chief Audit Executives (CAE) and internal
auditors need to understand to adequately assess risks relative to the organization and the
creation of the annual audit plan. In addition to factors impacting the risk assessment, it is
important for CAEs and internal auditors to use an approach that ascertains the impact and
likelihood of risk occurrence; links back to the business; and defines the high, medium, and
low-risk areas through quantitative and qualitative analyses. Unfortunately, IT changes may
hinder the IT auditor's efforts to identify and understand the impact of risks. To help IT
auditors, CAEs can:

• Perform independent IT risk assessments every year to identify the new technologies
that are impacting the organization.
• Become familiar with the IT department's yearly short-term plans and analyze how plan
initiatives impact the IT risk assessment.
• Begin each IT audit by reviewing its risk assessment component.
• Be flexible with the IT audit universe — monitor the organization's IT-related risk
profile and adapt audit procedures as it evolves.
Several IT governance frameworks exist that can help CAEs and internal audit teams develop
the most appropriate risk assessment approach for their organization.
Mapping business processes, inventorying and understanding the IT environment, and
performing a companywide risk assessment will enable CAEs and internal auditors to
determine what needs to be audited and how often. This GTAG provides information that can
help CAEs and internal audit teams identify audit areas in the IT environment that are part of
the IT audit universe. Due to the high degree of organizational reliance on IT, it is crucial that
CAEs and internal auditors understand how to create the IT audit plan, the frequency of audits,
and the breadth and depth of each audit. To this end, this GTAG can help CAEs and internal
auditors:
• Understand the organization and the level of IT support received.
• Define and understand the IT environment.
• Identify the role of risk assessment in determining the IT audit universe.
• Formalize the annual IT audit plan.
Finally, this GTAG provides an example of a hypothetical organization to show CAEs and
internal auditors how to execute the steps necessary to define the IT audit universe.

IT CONTROLS
In this chapter we discuss the knowledge needed by members of governing bodies, executives,
IT professionals, and internal auditors to address technology control issues and their impact on
business. The chapter also provides information on available frameworks for assessing IT
controls and describes how to establish the right framework for an organization. Our objectives
are to:
• Explain IT controls from an executive perspective.
• Explain the importance of IT controls within the overall system of internal controls.
• Describe the organizational roles and responsibilities for ensuring IT controls are
addressed adequately within the overall system of internal controls.
• Describe the concepts of risk inherent in the use and management of technology by any
organization.
• Describe the basic knowledge and understanding of IT controls needed by the CAE to
ensure effective internal audit assessments of IT controls.
• Describe the relevant elements of the IT controls assessment process as provided by the
internal audit function.

Introduction to IT Controls
An IT control is a procedure or policy that provides a reasonable assurance that the information
technology (IT) used by an organization operates as intended, that data is reliable and that the
organization is in compliance with applicable laws and regulations. IT Controls can be
categorized as either general controls (ITGC) or application controls (ITAC).
An IT general control should demonstrate that the organization has a procedure or policy in
place for technology that affects the management of fundamental organizational processes such
as risk management, change management, disaster recovery and security. IT application
controls, which are actions that a software application does automatically, should demonstrate
that software applications used for specific business processes (such as payroll) are properly
maintained, are only used with proper authorization, are monitored and are creating audit trails.
IT controls are a subset of the more general term, internal controls. IT controls do not exist in
isolation. They form an interdependent continuum of protection, but they may also be subject to
compromise due to a weak link. They are subject to error and management override, may range
from simple to highly technical, and may exist in a dynamic environment. IT controls have two
significant elements: the automation of business controls and control of IT. Thus, IT controls
support business management and governance as well as provide general and technical controls
over IT infrastructures. The internal auditor’s role in IT controls begins with a sound
conceptual understanding and culminates in providing the results of risk and control
assessments. Internal auditing involves significant interaction with the people in positions of
responsibility for controls and requires continuous learning and reassessment as new
technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks,
and requirements change.

Understanding IT Controls
IT controls provide for assurance related to the reliability of information and information
services. IT controls help mitigate the risks associated with an organization’s use of
technology. They range from corporate policies to their physical implementation within coded
instructions; from physical access protection through the ability to trace actions and
transactions to responsible individuals; and from automatic edits to reasonability analysis for
large bodies of data. You don’t need to know everything about IT controls, but remember two
key control concepts:
• Assurance must be provided by the IT controls within the system of internal controls.
This assurance must be continuous and provide a reliable and continuous trail of
evidence.
• The auditor’s assurance is an independent and objective assessment of the first
assurance. Auditor assurance is based on understanding, examining, and assessing the
key controls related to the risks they manage, and performing sufficient testing to ensure
the controls are designed appropriately and functioning effectively and continuously.

Importance of IT Controls
Many issues drive the need for IT controls, ranging from the need to control costs and remain
competitive through the need for compliance with internal and external governance. IT controls
promote reliability and efficiency and allow the organization to adapt to changing risk
environments. Any control that mitigates or detects fraud or cyber-attacks enhances the
organization’s resiliency because it helps the organization uncover the risk and manage its
impact. Resiliency is a result of a strong system of internal controls because a well-controlled
organization has the ability to manage challenges or disruptions seamlessly.

Key indicators of effective IT controls include:


• The ability to execute and plan new work such as IT infrastructure upgrades required to
support new products and services.
• Development projects that are delivered on time and within budget, resulting in cost-
effective and better product and service offerings compared to competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the
organization and for customers, business partners, and other external interfaces.
• Clear communication to management of key indicators of effective controls.
• The ability to protect against new vulnerabilities and threats and to recover from any
disruption of IT services quickly and efficiently.
• The efficient use of a customer support centre or help desk.
• Heightened security awareness on the part of the users and a security-conscious culture
throughout the organization.

Assessing IT Control
When CAEs review and assess the controls over IT, they should ask:
• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall
system of internal controls. Figure 1, The Structure of IT Auditing, below, divides the
assessment into a logical series of steps. The internal auditor’s role in IT controls begins with a
sound conceptual understanding and culminates in providing the results of risk and control
assessments. Internal auditors interact with the people responsible for controls and must pursue
continuous learning and reassessment as new technologies emerge and the organization’s
opportunities, uses, dependencies, strategies, risks, and requirements change.

Standards
Standards exist to support the requirements of policies. They are intended to define ways of
working that achieve the required objectives of the organization. Adopting and enforcing
standards also promotes efficiency because staff are not required to reinvent the wheel every
time a new business application is built or a new network is installed. Standards also enable the
organization to maintain the whole IT operating environment more efficiently. Large
organizations with significant resources are in a position to devise their own standards. On the
other hand, smaller organizations rarely have sufficient resources for this exercise.
As a guideline, the CAE should expect to see standards adopted for:
• Systems Development Processes: When organizations develop their own applications,
standards apply to the processes for designing, developing, testing, implementing, and
maintaining systems and programs. If organizations outsource application development
or acquire systems from vendors, the CAE should ascertain that agreements require the
providers to apply standards consistent with the organization’s standards, or acceptable
to the organization.
• Systems Software Configuration: Because systems software provides a large element
of control in the IT environment, standards related to secure system configurations, such
as the CIS Benchmarks from the Center for Internet Security, are beginning to gain
wide acceptance by leading organizations and technology providers. The way products
such as operating systems, networking software, and database management systems are
configured can either enhance security or create weaknesses that can be exploited.
• Application Controls: All applications which support business activities need to
be controlled. Standards are necessary for all applications the organization develops or
purchases that define the types of controls that must be present across the whole range
of business activities, as well as the specific controls that should apply to sensitive
processes and information.
• Data Structures: Having consistent data definitions across the full range of applications
ensures disparate systems can access data seamlessly and security controls for private
and other sensitive data can be applied uniformly.
• Documentation: Standards should specify the minimum level of
documentation required for each application system or IT installation, as well as for
different classes of applications, processes, and processing centres.
As with policies, standards should be approved by management, should be written in clear and
understandable language, and should be made available to all who implement them.

Organization and Management


Organization and management play a major role in the whole system of IT control, as they do
with every aspect of an organization’s operations. An appropriate organization structure allows
lines of reporting and responsibility to be defined and effective control systems to be
implemented.

Separation of Duties
Separation of duties is a vital element of many controls. An organization’s structure should not
allow responsibility for all aspects of processing data to rest upon one individual or department.
The functions of initiating, authorizing, inputting, processing, and checking data should be
separated to ensure no individual can both create an error, omission, or other irregularity and
authorize it and/or obscure the evidence. Separation-of-duties controls for application systems
are provided by granting access privileges only in accordance with job requirements for
processing functions and accessing sensitive information.
Traditional separation of duties within the IT environment is divided between systems
development and operations. Operations should be responsible for running production systems
except for change deployment and should have little or no contact with the development
process. This control includes restrictions preventing operators from accessing or modifying
production programs, systems, or data. Similarly, systems development personnel should have
little contact with production systems. By assigning specific roles during implementation and
other change processes to both the personnel responsible for application systems and those
responsible for operations, appropriate separation of duties can be enforced. In large
organizations, many other functions should be considered to ensure appropriate separation of
duties, and these controls can be quite detailed. For example, privileged accounts, such as the
Administrator group in Windows and Super User in UNIX, can modify log entries, access any
file, and in many cases act as any user or role. It is important to restrict the number of
individuals with this privilege to a minimum. Software tools are also available and should be
considered to limit the power and monitor the activities of individuals with privileged accounts.
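
The checks described in this section can be run over an access-rights extract. The following is an added example, not part of the original chapter: the sample rows, the job-role and function names, and the split into create-side and control-side functions are assumptions made for illustration.

```python
from collections import defaultdict, namedtuple

Right = namedtuple("Right", "user department job_role environment function")

# Constructed sample: one row per access right, as exported from user
# administration. Every name and value here is made up for illustration.
RIGHTS = [Right(*r) for r in [
    ("asha",  "accounts_payable", "clerk",      "prod", "initiate"),
    ("asha",  "accounts_payable", "clerk",      "prod", "input"),
    ("bruno", "accounts_payable", "supervisor", "prod", "authorize"),
    ("chen",  "accounts_payable", "clerk",      "prod", "input"),
    ("chen",  "accounts_payable", "clerk",      "prod", "authorize"),
    ("dina",  "it_development",   "developer",  "dev",  "modify_program"),
    ("dina",  "it_development",   "developer",  "prod", "modify_program"),
    ("emeka", "it_operations",    "operator",   "prod", "process"),
    ("emeka", "it_operations",    "operator",   "prod", "modify_data"),
    ("farid", "internal_control", "reviewer",   "prod", "check"),
    ("gina",  "it_operations",    "sysadmin",   "prod", "superuser"),
    ("hugo",  "it_operations",    "sysadmin",   "prod", "superuser"),
    ("ivan",  "it_development",   "developer",  "prod", "superuser"),
]]

# Assumed reading of the rule in the text: nobody should be able to create
# an entry (CREATE) and also approve or verify it (CONTROL).
CREATE = {"initiate", "input", "process"}
CONTROL = {"authorize", "check"}


def duty_conflicts(rights, subject="user"):
    """Map each user (or department, with subject="department") that holds
    both create-side and control-side functions in production to the two
    sets of functions it holds."""
    held = defaultdict(set)
    for r in rights:
        if r.environment == "prod":
            held[getattr(r, subject)].add(r.function)
    conflicts = {}
    for name, functions in held.items():
        create, control = functions & CREATE, functions & CONTROL
        if create and control:
            conflicts[name] = (sorted(create), sorted(control))
    return conflicts


def environment_conflicts(rights):
    """List developers with production access, and operators who can reach
    the development environment or change production programs or data."""
    findings = []
    for r in rights:
        if r.job_role == "developer" and r.environment == "prod":
            findings.append(
                (r.user, "developer holds production right: " + r.function))
        elif r.job_role == "operator" and (
                r.environment == "dev" or r.function.startswith("modify_")):
            findings.append(
                (r.user, "operator holds change right: " + r.function))
    return findings


def privileged_accounts(rights, limit):
    """Return the holders of superuser rights and whether their number
    exceeds `limit`, a threshold taken from the organization's own policy."""
    holders = sorted({r.user for r in rights if r.function == "superuser"})
    return holders, len(holders) > limit


if __name__ == "__main__":
    print("User conflicts:      ", duty_conflicts(RIGHTS))
    print("Department conflicts:", duty_conflicts(RIGHTS, subject="department"))
    for user, finding in environment_conflicts(RIGHTS):
        print("Environment:", user, "-", finding)
    print("Privileged:", privileged_accounts(RIGHTS, limit=2))
```

Each finding is a lead for follow-up rather than a conclusion: a compensating manual control, such as an independent review of the conflicting user's entries, may already cover it.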

Financial Controls
Because organizations make considerable investments in IT, budgetary and other financial
controls are necessary to ensure the technology yields the projected return on investment or
proposed savings. Management processes should be in place to collect, analyze, and report
information related to these issues. Unfortunately, new IT developments often suffer massive
cost over-runs and fail to deliver the expected cost savings because of insufficient planning.
Budgetary controls can help identify potential failings early in the process and allow
management to take positive action. They may also produce historical data that organizations
can use in future projects.

Change Management
Change management processes can be specified under organizational and management control
elements. These processes should ensure that changes to the IT environment, systems software,
application systems and data are applied in a manner that enforces appropriate division of
duties; makes sure changes work as required; prevents changes from being exploited for
fraudulent purposes; and reveals the true costs of inefficiencies and system outages that can be
obscured by ineffective monitoring and reporting processes. Change management is one of the
most sensitive areas of IT controls and can seriously impact system and service availability if
not administered effectively. The IT Process Institute has published research demonstrating that
effective IT change management can bring significant benefits to organizations.
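
An auditor can test these change management objectives by reconciling the production deployment log against the approved change tickets. The following is an added example, not part of the original chapter: the ticket and log layouts, the sample records, and the exception names are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample data; ticket ids, names and times are made up.
TICKETS = {
    "CHG-101": {"developer": "dina", "approver": "bruno", "tested": True,
                "approved_at": "2024-03-01T10:00"},
    "CHG-102": {"developer": "dina", "approver": "dina", "tested": True,
                "approved_at": "2024-03-02T09:00"},
    "CHG-103": {"developer": "omar", "approver": "bruno", "tested": False,
                "approved_at": "2024-03-03T15:00"},
    "CHG-104": {"developer": "omar", "approver": "bruno", "tested": True,
                "approved_at": "2024-03-05T12:00"},
}
DEPLOYMENTS = [
    {"id": 1, "ticket": "CHG-101", "by": "emeka", "at": "2024-03-01T18:00"},
    {"id": 2, "ticket": "CHG-102", "by": "emeka", "at": "2024-03-02T18:00"},
    {"id": 3, "ticket": "CHG-103", "by": "emeka", "at": "2024-03-03T18:00"},
    {"id": 4, "ticket": "CHG-104", "by": "omar", "at": "2024-03-05T08:00"},
    {"id": 5, "ticket": None, "by": "emeka", "at": "2024-03-06T02:00"},
]


def review_deployment(deployment, tickets):
    """Return the control exceptions found for one production deployment."""
    ticket = tickets.get(deployment["ticket"])
    if ticket is None:
        # A change reached production with no approval record at all.
        return ["NO_APPROVED_TICKET"]
    exceptions = []
    # Division of duties: the author of a change must not approve it ...
    if ticket["approver"] == ticket["developer"]:
        exceptions.append("SELF_APPROVED")
    # ... and must not be the person who moves it into production.
    if deployment["by"] == ticket["developer"]:
        exceptions.append("DEVELOPER_DEPLOYED")
    # "Makes sure changes work as required": test evidence must exist.
    if not ticket["tested"]:
        exceptions.append("NO_TEST_EVIDENCE")
    # Approval has to come before the deployment, not after it.
    deployed = datetime.fromisoformat(deployment["at"])
    approved = datetime.fromisoformat(ticket["approved_at"])
    if deployed < approved:
        exceptions.append("DEPLOYED_BEFORE_APPROVAL")
    return exceptions


def review_all(deployments, tickets):
    """Map deployment id to its exceptions, listing only those that have any."""
    results = {}
    for deployment in deployments:
        found = review_deployment(deployment, tickets)
        if found:
            results[deployment["id"]] = found
    return results


if __name__ == "__main__":
    for dep_id, found in review_all(DEPLOYMENTS, TICKETS).items():
        print("deployment", dep_id, "->", ", ".join(found))
```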

Other Management Controls


Other typical management controls include vetting procedures for new staff, performance
measurement, provision of specialist training for IT staff, and disciplinary procedures. These
are listed in the Information Security Program Elements in Appendix A and will be covered in
greater detail in other GTAG publications.

Physical and Environmental Controls


IT equipment represents a considerable investment for many organizations. It must be protected
from accidental or deliberate damage or loss. Physical and environmental controls, originally
developed for large data centres that house mainframe computers, are equally important in the
modern world of distributed client-server and Web-based systems. Although the equipment
commonly used today is designed for ease of use in a normal office environment, its value to
the business and the cost and sensitivity of applications running business processes can be
significant. All equipment must be protected, including the servers and workstations that allow
staff access to the applications. Some typical physical and environmental controls include:
• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards
such as low-lying flood plains or flammable liquid stores.
When considering physical and environmental security, it is also appropriate to consider
contingency planning — also known as disaster recovery planning — which includes response
to security incidents. What will the organization do if there is a fire or flood, or if any other
threat manifests itself? How will the organization restore the business and related IT facilities
and services to ensure normal processing continues with minimum effect on regular operations?
This type of planning goes beyond merely providing for alternative IT processing power to be
available and routine backup of production data; it must consider the logistics and coordination
needed for the full scope of business activity. Finally, history consistently demonstrates that a
disaster recovery plan that has not been tested successfully in a realistic simulation is not
reliable.

Systems Software Controls


Systems software products enable the IT equipment to be used by the application systems and
users. These products include operating systems such as Windows, UNIX, and Linux; network
and communications software; firewalls; antivirus products; and database management systems
(DBMS) such as Oracle and DB2. Systems software can be highly complex and can apply to
components and appliances within the systems and network environment. It may be configured
to accommodate highly specialized needs and normally requires a high degree of specialization
to maintain it securely. Configuration techniques can control logical access to the applications,
although some application systems contain their own access controls, and may provide an
opening for hackers to use to break into a system. Configuration techniques also provide the
means to enforce division of duties, generate specialized audit trails, and apply data integrity
controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely
to have the resources to employ such specialists and should consider outsourcing the work.
Whether IT auditors are employed or outsourced, they require a highly specific set of
knowledge. Much of this knowledge can come from experience, but such knowledge must be
updated constantly to remain current and useful. Certification confirms that a technical
specialist has acquired a specified set of knowledge and experience and has passed a related
examination. In the IT audit world, global certificates include the Qualification in Computer
Auditing (QiCA), from IIA–United Kingdom and Ireland; Certified Information Systems
Auditor (CISA), available through the Information Systems Audit and Control Association
(ISACA); and Global Information Assurance Certification (GIAC) Systems and Network Auditor
(GSNA), from the SANS Institute’s GIAC program. Additional certifications address general
and specialized competence in information security, network administration, and other areas
closely related to IT auditing and are useful for identifying an IT auditor’s potential
ability. Some key technical controls the CAE should expect to find in a well-managed IT
environment include:
• Access rights allocated and controlled according to the organization’s stated policy.
• Division of duties enforced through systems software and other configuration controls.
• Intrusion and vulnerability assessment, prevention, and detection in place and
continuously monitored.
• Intrusion testing performed on a regular basis.
• Encryption services applied where confidentiality is a stated requirement.
• Change management processes — including patch management — in place to ensure a
tightly controlled process for applying all changes and patches to software, systems,
network components, and data.

Systems Development and Acquisition Controls


Organizations rarely adopt a single methodology for all systems development projects.
Methodologies are chosen to suit the particular circumstances of each project. The IT auditor
should assess whether or not the organization develops or acquires application systems using a
controlled method that subsequently provides effective controls over and within the
applications and data they process. All computer application systems should perform only those
functions the user requires in an efficient way. By examining application development
procedures, the auditor can gain assurance that applications work in a controlled manner.
Some basic control issues should be evident in all systems development and acquisition work:
• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and
controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that
requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system
interfaces operate as expected, users are involved in the testing process, and the
intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems
follow a consistent pattern of control. Change management should be subject to
structured assurance validation processes.
Where systems development is outsourced, the outsourcer or provider contracts should require
similar controls.

Project management techniques and controls need to be part of the
development process, whether developments are performed in-house or are outsourced.
Management should know projects are on time and within budget and that resources are used
efficiently. Reporting processes should ensure that management completely understands the
current status of development projects and does not receive any surprises when the end product
is delivered.

Application-based Controls
The objective of internal controls over application systems is to ensure that:
• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage, and to the
eventual output.
Reviewing the application controls traditionally has been the “bread and butter” of the IT
auditor. However, because application controls now represent a huge percentage of business
controls, they should be the priority of every internal auditor. All internal auditors need to be
able to evaluate a business process and understand and assess the controls provided by
automated processes.

There are several types of generic controls that the CAE should expect to
see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered
into a business application, whether the source is input directly by staff, remotely by a
business partner, or through a Web-enabled application. Input is checked to ensure that
it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is
complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should
compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to
ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail,
enable management to track transactions from the source to the ultimate result and to
trace backward from results to identify the transactions and events they record. These
controls should be adequate to monitor the effectiveness of overall controls and identify
errors as close as possible to their sources.
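
The following Python example is added here for illustration and is not part of the original document. It shows how the input, processing, output, and management trail controls listed above fit together in one batch posting routine. The field names, the four-digit account format, the amount limit, and the sample batch are all assumptions constructed for the example.

```python
from decimal import Decimal

# Constructed sample batch; field names and limits are assumptions.
BATCH = [
    {"id": "T1", "account": "1001", "amount": "250.00"},
    {"id": "T2", "account": "1002", "amount": "-5.00"},   # fails range check
    {"id": "T3", "account": "10A3", "amount": "75.50"},   # fails format check
    {"id": "T4", "account": "1001", "amount": "100.25"},
]
LIMIT = Decimal("10000")

def validate(txn):
    """Input control: reject data outside the specified parameters."""
    errors = []
    if not (txn["account"].isdigit() and len(txn["account"]) == 4):
        errors.append("account format")
    try:
        if not (Decimal("0") < Decimal(txn["amount"]) <= LIMIT):
            errors.append("amount range")
    except ArithmeticError:  # decimal.InvalidOperation is a subclass
        errors.append("amount not numeric")
    return errors

def process(batch):
    """Post valid transactions; record every decision in the trail."""
    balances, rejected, trail = {}, [], []
    for txn in batch:
        errors = validate(txn)
        if errors:
            rejected.append(txn["id"])
            trail.append({"txn": txn["id"], "event": "rejected", "why": errors})
            continue
        amount = Decimal(txn["amount"])
        balances[txn["account"]] = balances.get(txn["account"], Decimal("0")) + amount
        trail.append({"txn": txn["id"], "event": "posted",
                      "account": txn["account"], "amount": amount})
    return balances, rejected, trail

def reconcile(batch, balances, rejected, trail):
    """Processing/output control: control totals must tie back to the input."""
    posted = [e for e in trail if e["event"] == "posted"]
    count_ok = len(posted) + len(rejected) == len(batch)   # nothing lost or duplicated
    total_ok = sum(e["amount"] for e in posted) == sum(balances.values())
    return count_ok and total_ok

def trace_back(account, trail):
    """Management trail: from a stored result back to its source transactions."""
    return [e["txn"] for e in trail if e.get("account") == account]
```

An auditor testing such a routine would confirm that rejected items are logged with a reason, that the record count and value totals reconcile, and that any stored balance can be traced to the transactions that produced it.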
