
Chapter 1

Information Technology
Environment and IT Audit

LEARNING OBJECTIVES
1. Discuss how technology is constantly evolving and shaping today's business (IT) environments.
2. Discuss the auditing profession and define financial auditing.
3. Differentiate between the two types of audit functions that exist today (internal and external).
4. Explain what IT auditing is and summarize its two broad groupings.
5. Describe current IT auditing trends, and identify the needs to have an IT audit.
6. Explain the various roles of the IT auditor.
7. Support why IT audit is considered a profession.
8. Describe the profile of an IT auditor in terms of experience and skills required.
9. Discuss career opportunities available to IT auditors.

Organizations today are more information dependent and conscious of the pervasive nature of technology across the business enterprise. The increased connectivity and availability of systems and open environments have proven to be the lifelines of most business entities. Information technology (IT) is now used more extensively in all areas of commerce around the world.

IT Environment
The need for improved control over IT, especially in commerce, has been advanced over the years in earlier and continuing studies by many national and international organizations. Essentially, technology has impacted various significant areas of the business environment, including the use and processing of information, the control process, and the auditing profession.

4 ◾ Information Technology Control and Audit

◾ Technology has improved the ability to capture, store, analyze, and process tremendous amounts of data and information, expanding the empowerment of the business decision maker. It has also become a primary enabler to production and service processes. There is a residual effect in that the increased use of technology has resulted in increased budgets, increased successes and failures, and better awareness of the need for control.
◾ Technology has significantly impacted the control process around systems. Although control objectives have generally remained constant, except for some that are technology specific, technology has altered the way in which systems should be controlled. Safeguarding assets, as a control objective, remains the same whether it is done manually or is automated. However, the manner by which the control objective is met is certainly impacted.
◾ Technology has impacted the auditing profession in terms of how audits are performed (information capture and analysis, control concerns) and the knowledge required to draw conclusions regarding operational or system effectiveness, efficiency, and reporting integrity. Initially, the impact was focused on dealing with a changed processing environment. As the need for auditors with specialized technology skills grew, so did the IT auditing profession.

Technology is constantly evolving and finding ways to shape today's IT environment in the organization. The following sections briefly describe various recent technologies that have revolutionized, and will certainly continue to revolutionize, organizations, how business is done, and the dynamics of the workplace.

Enterprise Resource Planning (ERP)


According to the June 2016 edition of Apps Run the World, a technology market-research com-
pany devoted to the applications space, the worldwide market of ERP systems will reach $84.1
billion by 2020 versus $82.1 billion in 2015. ERP is software that provides standard business
functionality in an integrated IT environment system (e.g., procurement, inventory, accounting,
and human resources [HR]). Refer to Exhibit 1.1 for an illustration of the ERP modular system.
ERPs allow multiple functions to access a common database—reducing storage costs and
increasing consistency and accuracy of data from a single source. Additionally, ERPs:

◾ Have standard methods in place for automating processes (i.e., information in the HR system can be used by payroll, help desk, and so on).
◾ Share real-time information from modules (finance, HR, etc.) residing in one common database; hence, financial statements, analyses, and reports are generated faster and more frequently.

Some of the primary ERP suppliers today include SAP, FIS Global, Oracle, Fiserv, Intuit, Inc.,
Cerner Corporation, Microsoft, Ericsson, Infor, and McKesson.
Despite the many advantages of ERPs, they are not much different from other purchased or packaged systems, and may therefore require extensive modifications to new or existing business processes. ERP modifications (i.e., software releases) require considerable programming to retrofit all of the organization-specific code. Because packaged systems are generic by nature, organizations may need to modify their business operations to match the vendor's method of processing, for instance. Changes in business operations may not fit well into the organization's culture or other processes, and may also be costly due to training. Additionally, as ERPs are offered by a single vendor, the risks associated with having a single supplier apply (e.g., depending on a single supplier for maintenance and support, specific hardware or software requirements, etc.).

Exhibit 1.1 Enterprise resource planning modular system. [Figure: an ERP common database at the center, surrounded by the financial resource management, human resource management, supply chain management, manufacturing resource planning, and customer relationship management modules that share it.]

Cloud Computing
Cloud computing continues to have an increasing impact on the IT environment. According to ISACA (formerly known as the Information Systems Audit and Control Association), given its exponential growth, cloud computing should no longer be considered an emerging technology. Cloud computing has shaped business across the globe, with some organizations utilizing it to perform business-critical processes. Based on the July 2015 ISACA Innovation Insights report, cloud computing is considered one of the key trends driving business strategy. The International Data Corporation, in its 2015 publication, also predicts that cloud computing will grow at 19.4% annually over the next 5 years. Moreover, Deloitte's 2016 Perspectives Cloud Computing report indicates that for private companies, cloud computing will continue to be a dominant factor.
Cloud computing, as defined by PC Magazine, refers to the use of the Internet (versus one's computer's hard drive) to store and access data and programs. More formally, the National Institute of Standards and Technology (NIST) defines cloud computing as a "model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." NIST also stresses that availability is significantly promoted by this particular (cloud) model.
The highly flexible services that can be managed in the virtual environment make cloud computing very attractive for business organizations. Nonetheless, organizations do not yet feel fully comfortable storing their information and applications on systems residing outside of their on-site premises. Migrating information into a shared infrastructure (such as a cloud environment) exposes organizations' sensitive/critical information to risks of potential unauthorized access and exposure, among others. Deloitte, one of the major global accounting and auditing firms, also stresses the significance of security and privacy, adding in its report that cloud-stored information such as patient data, banking details, and personnel records is vulnerable and susceptible to misuse if it falls into the wrong hands.

Mobile Device Management (MDM)


MDM, also known as Enterprise Mobility Management, is a relatively new term, but is already shaping the IT environment in organizations. MDM is responsible for managing and administering mobile devices (e.g., smartphones, laptops, tablets, mobile printers, etc.) provided to employees as part of their work responsibilities. Specifically, and according to PC Magazine, MDM ensures these mobile devices:

◾ integrate well within the organization and are implemented to comply with organization policies and procedures
◾ protect corporate information (e.g., emails, corporate documents, etc.) and configuration settings for all mobile devices within the organization

Mobile devices are also used by employees for personal reasons. That is, employees bring their own (personal) mobile device to the organization (also referred to as bring-your-own-device or BYOD) to perform their work. Allowing employees to use organization-provided mobile devices for both work and personal reasons has proved to appeal to the average employee. Nevertheless, organizations should monitor and control the tasks performed by employees when using mobile devices, and ensure employees remain focused and productive. Using mobile devices for both personal and work purposes represents a risk to the organization's security and a distraction to employees. Additionally, allowing direct access to corporate information from such devices always represents an ongoing risk, as well as raising security and compliance concerns for the organization.

Other Technology Systems Impacting the IT Environment


The Internet of Things (IoT) has a potential transformational effect on IT environments, data centers, technology providers, etc. Gartner, Inc. estimates that by the year 2020, IoT will include 26 billion installed units, and revenues will exceed $300 billion, generated mostly by IoT product and service suppliers.
IoT, as defined by Gartner, Inc., is a system that allows remote assets or "things" (e.g., devices, sensors, objects, etc.) to interact and communicate among themselves and with other network systems. Assets, for example, communicate information on their actual status, location, and functionality, among others. This information not only provides a more accurate understanding of the assets, but also maximizes their utilization and productivity, resulting in an enhanced decision-making process. The huge volumes of raw data or data sets (also referred to as Big Data) generated as a result of these massive interactions between devices and systems need to be processed and analyzed effectively in order to generate information that is meaningful and useful in the decision-making process.
Big Data, as defined by the TechAmerica Foundation's Federal Big Data Commission (2012), "describes large volumes of high velocity, complex and variable data that require advanced techniques and technologies to enable the capture, storage, distribution, management, and analysis of the information." Gartner, Inc. further defines it as "... high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation."
Even though accurate Big Data may lead to a more confident decision-making process, and better decisions often result in greater operational efficiency, cost reduction, and reduced risk, many challenges currently exist and must be addressed.
Challenges of Big Data include, for instance, analysis, capture, data curation, search, sharing, storage, transfer, visualization, querying, as well as updating. Ernst & Young, in its EY Center for Board Matters' September 2015 publication, states that challenges for auditors include limited access to audit-relevant data, the scarcity of available and qualified personnel to process and analyze such data, and the timely integration of analytics into the audit. The IoT also delivers fast-moving data from sensors and devices around the world, and therefore results in similar challenges for many organizations when making sense of all that data.
Other recent technologies listed in Gartner's 2015 Hype Cycle for Emerging Technologies report that are currently impacting IT environments include wearables (e.g., smartwatches, etc.), autonomous vehicles, cryptocurrencies, consumer 3D printing, and speech-to-speech translation, among others.

IT Environment as Part of the Organization Strategy


In today's environment, organizations must integrate their IT with business strategies to attain their overall objectives, get the most value out of their information, and capitalize on the technologies available to them. Where IT was formerly viewed as an enabler of an organization's strategy, it is now regarded as an integral part of that strategy to attain profitability and service. At the same time, issues such as IT governance, international information infrastructure, security, and privacy and control of public and organization information have driven the need for self-review and self-assurance.
For the IT manager, the words "audit" and "auditor" send chills up and down the spine. Yes, the auditor or the audit has been considered an evil that has to be dealt with by all managers. In the IT field, auditors in the past had to be trained or provided orientation in system concepts and operations to evaluate IT practices and applications. IT managers have doubted the auditor's ability to effectively and efficiently evaluate the complexities and grasp the issues. Nowadays, IT auditors are expected to be well aware of the organization's IT infrastructure, policies, and operations before embarking on their reviews and examinations. More importantly, IT auditors must be capable of determining whether the IT controls put in place by the organization ensure data protection and adequately align with the overall organization goals.
Professional associations and organizations such as ISACA, the American Institute of Certified Public Accountants (AICPA), the Canadian Institute of Chartered Accountants (CICA), the Institute of Internal Auditors (IIA), the Association of Certified Fraud Examiners (ACFE), and others have issued guidance and instructions, and supported studies and research in audit areas.

The Auditing Profession


Computers have been in use commercially since 1952. Computer-related crimes were reported as early as 1966. However, it was not until 1973, when the significant problems at Equity Funding Corporation of America (EFCA) surfaced, that the auditing profession looked seriously at the lack of controls in computer information systems (IS). In 2002, almost 30 years later, another major fraud resulted from corporate and accounting scandals (Enron and WorldCom), which brought skepticism and downfall to the financial markets. This time, neither the major accounting firms nor the securities-regulated businesses listed on the major exchanges were able to avoid the public outrage, lack of investor confidence, and increased government regulation that befell the U.S. economy. Again, in 2008, the U.S. economy suffered as mortgage banking and mortgage investment companies (such as Countrywide, IndyMac, etc.) defaulted from unsound lending strategies and poor risk management.
When EFCA declared bankruptcy in 1973, the minimum direct impact and losses from illegal activity were reported to be as much as $200 million. Further estimates from this major financial fraud escalated to as much as $2 billion, with indirect costs such as legal fees and depreciation included. These losses were the result of a "computer-assisted fraud" in which a corporation falsified the records of its life insurance subsidiary to indicate the issuance of new policies. In addition to the insurance policies, other assets, such as receivables and marketable securities, were recorded falsely. These fictitious assets should have been revealed as non-existent during the corporation's regular year-end audits but were never discovered. As the computer was used to manipulate files as a means of covering the fraud, the accounting profession realized that conventional, manual techniques might not be adequate for audit engagements involving computer applications.
In 1973, the AICPA (the major national professional organization of certified public accountants), in response to the events at EFCA, appointed a special committee to study whether the auditing standards of the day were adequate in such situations. The committee was requested to evaluate specific procedures to be used and the general standards to be approved. In 1975, the committee issued its findings. Even though the special committee found that auditing standards were adequate, and that no major changes were called for in the procedures used by auditors, there were several observations and recommendations issued related to the use of computer programs designed to assist the examination of financial statements. Another critical review of the existing auditing standards was started in 1974, when the AICPA created its first standards covering this area. Then, 29 years later, the Enron–Arthur Andersen fiasco of 2002 took us back to 1973.
The issue of "due professional care" has come to the forefront of the audit community as a result of major U.S. financial scandals and poor management, including but not limited to, Waste Management (1998), Enron (2001), WorldCom (2002), American International Group (2005), Lehman Brothers (2008), Bernard L. Madoff Securities LLC (2008), MF Global (2011), Anthem Inc. (2015), Wells Fargo (2016), and others. The EFCA scandal of 1973 led to the development of strong state and federal regulation of the insurance industries and of corporate creative accounting in the aerospace industry, which provided support for the Foreign Corrupt Practices Act (FCPA) of 1977. Perhaps today, the Sarbanes–Oxley Act of 2002 (SOX) will be a vivid reminder of the importance of due professional care. SOX is a major reform package, mandating the most far-reaching changes Congress has imposed on the business world since the FCPA of 1977 and the Securities Exchange Act of 1934. Examples of some of these significant changes include the creation of the Public Company Accounting Oversight Board,* as well as the increase of criminal penalties for violations of securities laws. SOX will be discussed in more detail in the next chapter.

* The PCAOB is a not-for-profit corporation instituted by Congress to oversee the audits of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports. http://pcaobus.org/Pages/default.aspx.
Information Technology Environment and IT Audit ◾ 9

Financial Auditing
Financial auditing encompasses all activities and responsibilities concerned with the rendering of an opinion on the fairness of financial statements. The basic rules governing audit opinions indicate clearly that the scope of an audit covers all equipment and procedures used in processing significant data.
Financial auditing, as carried out today by the independent auditor, was spurred by legislation in 1933 and 1934 that created the SEC. This legislation mandated that companies whose securities were sold publicly be audited annually by a Certified Public Accountant (CPA). CPAs, then, were charged with attesting to the fairness of financial statements issued by companies that reported to the SEC. The AICPA issued in 1993 a document called "Reporting on an Entity's Internal Control Structure over Financial Reporting (Statement on Standards for Attestation Engagements 2)" to further define the importance of internal control in the attestation engagement.
Within the CPA profession in the United States, two groups of principles and standards have been developed that affect the preparation of financial statements by publicly held companies and the procedures for their audit examination by CPA firms: Generally Accepted Accounting Principles (GAAP) and Generally Accepted Auditing Standards (GAAS).
GAAP establishes consistent guidelines for financial reporting by corporate managers. As part of the reporting requirement, standards are also established for the maintenance of the financial records on which periodic statements are based. An auditor, rendering an opinion indicating that financial statements are stated fairly, stipulates that the financial statements conform to GAAP. These accounting principles have been formulated and revised periodically by private-sector organizations established for this purpose. The present governing body is the Financial Accounting Standards Board (FASB). Implementation of GAAP is the responsibility of the management of the reporting entity.
GAAS, the second group of standards, was adopted in 1949 by the AICPA for audits. These audit standards cover three categories:

◾ General Standards relate to professional and technical competence, independence, and due professional care.
◾ Standards of Fieldwork encompass planning, evaluation of internal control, and the sufficiency of the evidential matter, or documentary evidence, upon which findings are based.
◾ Standards of Reporting stipulate compliance with all accepted auditing standards, consistency with the preceding accounting period, adequacy of disclosure, and, in the event that an opinion cannot be reached, the requirement to state that assertion explicitly.

GAAS provide broad guidelines, but not specific guidance. The profession has supplemented the standards by issuing statements of authoritative pronouncements on auditing. The most comprehensive of these is the SAS (Statements on Auditing Standards) series. SAS publications provide procedural guidance relating to many aspects of auditing. In 1985, the AICPA released a codification of SAS No. 1–49. Today, the number of statements exceeds 120.
A third group of standards, called the International Financial Reporting Standards (IFRS), has been recently created by the International Accounting Standards Board (IASB)* to respond to the increasingly global business environment and address the need to compare financial statements prepared in different countries. The AICPA defines IFRS as the "set of accounting standards developed by the IASB that is becoming the global standard for the preparation of public company financial statements." While many of the global organizations have already migrated to IFRS, the United States has yet to do so. Due to the size of the United States and its significant presence globally, however, U.S. GAAP still has significant global impact. This results in the two major accounting standard-setting efforts in the world: U.S. GAAP and IFRS. Nevertheless, all major nations have now established time lines to converge with or to adopt IFRS standards in the near future.

* The purpose of the IASB is to develop a single set of high-quality, understandable, enforceable, and globally accepted financial reporting standards based upon clearly articulated principles.

Internal versus External Audit Functions


There are two types of audit functions that exist today. They have very important roles in assuring the validity and integrity of financial accounting and reporting systems. They are the internal and external audit functions.

Internal Audit Function


The IIA defines internal auditing (IA) as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations." IA brings organizations a systematic and disciplined approach to assess and enhance their risk management, control, and governance processes, as well as to accomplish their goals and objectives.
IA departments are typically led by a Chief Audit Executive (CAE), who reports directly to the Audit Committee of the Board of Directors. The CAE also reports to the organization's Chief Executive Officer (CEO). The primary purpose of the IA function is to assure that management-authorized controls are being applied effectively. The IA function, although not mandatory, exists in most private enterprise or corporate entities, and in government (such as federal, state, county, and city governments). The mission, character, and strength of an IA function vary widely with the style of top executives and the traditions of companies and organizations. IT audit is one of the areas of support for IA.
The IA group, if appropriately staffed with resources, performs year-round monitoring and testing of IT activities within the control of the organization. Of particular concern to private corporations is the processing of data and the generation of information of financial relevance or materiality.
Given management's large part to play in the effectiveness of an IA function, their concern with the reliability and integrity of computer-generated information from which decisions are made is critical. In organizations where management shows and demonstrates concern about internal controls, the role of the IA grows in stature. As the IA function matures through experience, training, and career development, the external audit function and the public can rely on the quality of the internal auditor's work. With good, continuously improving IA management and staff, the Audit Committee of the Board of Directors is not hesitant to assign additional review, consultation, and testing responsibilities to the internal auditor. These responsibilities are often broader in scope than those of the external auditor.
Within the United States, internal auditors from government agencies often come together to meet and exchange experiences through conferences or forums. For example, the Intergovernmental Audit Forum is an event where auditors come together from city, county, state, and federal environments to exchange experiences and provide new information regarding audit techniques and methods. The IIA also holds a national conference that draws an auditor population from around the world, both private and government, to share experiences and discuss new audit methods and techniques.

External Audit Function


The external audit function evaluates the reliability and the validity of systems controls in all forms. The principal objective in such evaluation is to minimize the amount of substantive auditing or testing of transactions required to render an opinion on the financial statements.
External auditors are provided by public accounting firms and also exist in government. For example, the Government Accountability Office (GAO) is considered an external reviewer because it can examine the work of both federal and private organizations where federal funds are provided. The "Watchdogs of Congressional Spending" provide a service to the taxpayer in reporting directly to Congress on issues of mismanagement and poor controls. Interestingly, in foreign countries, an Office of the Inspector General or Auditor General's Office within that country performs similar functions. Also, the GAO has been a strong supporter of the International Audit Organization, which provides government audit training and guidance to its international audit members representing governments worldwide.
From a public accounting firm standpoint, firms such as Deloitte, Ernst & Young, PricewaterhouseCoopers, and KPMG (altogether referred to as the "Big Four") provide these types of external audit services worldwide. The external auditor is responsible for testing the reliability of client IT systems and should have a special combination of skills and experience. Such an auditor must be thoroughly familiar with the audit attest function. The attest function encompasses all activities and responsibilities associated with the rendering of an audit opinion on the fairness of the financial statements. Besides the accounting and auditing skills involved in performing the attest function, these external auditors also must have substantial IT audit experience. SOX now governs their role and limits the services that can be offered beyond the audit.

What Is IT Auditing?
Before defining what IT auditing is, let us explain the difference between IS and IT. An IS, represented by three components (i.e., people, process, and IT), is the combination of strategic, managerial, and operational activities involved in managing information. The IT component of an IS involves the hardware, software, communication, and other facilities necessary to manage (i.e., input, store, process, transmit, and output) such information. Refer to Exhibit 1.2.
The term audit, according to ISACA, refers to the formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. In combining both definitions above, IT auditing can be defined as the formal, independent, and objective examination of an organization's IT infrastructure to determine whether the activities (e.g., procedures, controls, etc.) involved in gathering, processing, storing, distributing, and using information comply with guidelines, safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization's objectives. IT auditing provides reasonable assurance (never absolute) that the information generated by applications within the organization is accurate, complete, and supports effective decision making consistent with the nature and scope of the engagement previously agreed.
IT auditing is needed to evaluate the adequacy of application systems to meet processing needs, evaluate the adequacy of internal controls, and ensure that assets controlled by those systems are adequately safeguarded. As for the IT auditors of today, their advanced knowledge and skills will progress in two ways. One direction is continued growth and skill in this profession, leading the way in computer audit research and development and progressing up the external and internal audit career paths. The other direction involves capitalizing on a thorough knowledge of organizational systems and moving into more responsible career areas in general management. Today, even in these economic times, the demand for qualified IT auditors exceeds the supply. IT governance has created vast opportunities for the IT auditor.

Exhibit 1.2 Information systems versus information technology. [Figure: information systems (people, processes, and information technology) involve strategic, managerial, and operational activities working together toward gathering, processing, storing, distributing, and using information; information technology integrates hardware, software, communication, and other facilities for inputting, storing, processing, transmitting, and outputting data.]

Learning new ways of auditing is always a priority of internal and external IT auditors. Most auditors want tools or audit methodologies that will aid them in accomplishing their task faster and more easily. Almost every large organization or company has some sort of IT audit function or shop within its internal audit department. Today, the "Big Four" firms have designated special groups that specialize in the IT audit field. They all have staff that perform these external IT audits. Most of these IT auditors assist the financial auditors in establishing the correctness of the financial statements of the companies they audit. Others focus on special projects such as Internet security, dealing with penetration studies, firewall evaluations, and bridge, router, and gateway configurations, among others.
There are two broad groupings of IT audits, both of which are essential to ensure the continued proper operation of IS. These are as follows:

◾ General Computer Controls Audit. It examines IT general controls (“general controls” or “ITGCs”), including policies and procedures, that relate to many applications and support the effective functioning of application controls. General controls cover the IT infrastructure and support services, including all systems and applications. General controls commonly include controls over (1) IS operations; (2) information security (ISec); and (3) change control management (CCM) (i.e., system software acquisition, change and maintenance, program change, and application system acquisition, development, and maintenance). Examples of general controls within IS operations address activities such as data backups and offsite storage, job monitoring and tracking of exceptions to completion, and access to the job scheduler, among others. Examples of general controls within ISec address activities such as access requests and user account administration, access terminations, and physical security. Examples of general controls within CCM may include change request approvals; application and database upgrades; and network infrastructure monitoring, security, and change management.
◾ Application Controls Audit. It examines processing controls specific to the application. Application controls may also be referred to as “automated controls.” They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted, and reported. Examples of application controls include checking the mathematical accuracy of records, validating data input, and performing numerical sequence checks, among others. Application controls are likely to be effective when general controls are effective.

Refer to Exhibit 1.3 for an illustration of general and application controls, and how they should be in place in order to mitigate risks and safeguard applications. Notice in the exhibit that the application system is constantly surrounded by risks. Risks are represented in the exhibit by explosion symbols. These risks could be in the form of unauthorized access, loss or theft of equipment and information, system shutdown, etc. The general controls, shown in the hexagon symbols, also surround the application and provide a “protective shield” against the risks. Lastly, there are the application or automated controls which reside inside the application and provide first-hand protection over the input, processing, and output of the information.
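The three kinds of application controls the text names (validating data input, numerical sequence checks, and checking the mathematical accuracy of records), as an added Python example that is not from the textbook: it re-performs them over a constructed batch of pre-numbered invoice lines and a constructed batch control total, the way an IT auditor would re-perform automated controls on a sample of transactions.

```python
"""Re-performance of application (automated) controls over a constructed invoice batch.

Added example, not the textbook's own code. The record layout, the customer-ID
format and the sample batch are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class InvoiceLine:
    seq_no: int            # pre-numbered document number (constructed convention)
    customer_id: str       # constructed format: 'C' followed by five digits
    quantity: int
    unit_price: Decimal
    line_total: Decimal    # the total as the application recorded it


CUSTOMER_ID_RE = re.compile(r"^C\d{5}$")


def validate_input(line: InvoiceLine) -> List[str]:
    """Input validation: field-level edit checks on one record."""
    errors = []
    if not CUSTOMER_ID_RE.match(line.customer_id):
        errors.append(f"seq {line.seq_no}: malformed customer_id {line.customer_id!r}")
    if line.quantity <= 0:
        errors.append(f"seq {line.seq_no}: non-positive quantity {line.quantity}")
    if line.unit_price < 0:
        errors.append(f"seq {line.seq_no}: negative unit_price {line.unit_price}")
    return errors


def sequence_check(lines: List[InvoiceLine]) -> Dict[str, List[int]]:
    """Numerical sequence check: gaps (missing documents) and duplicates (reused numbers)."""
    seen = sorted(l.seq_no for l in lines)
    duplicates = sorted({n for n in seen if seen.count(n) > 1})
    expected = set(range(seen[0], seen[-1] + 1)) if seen else set()
    gaps = sorted(expected - set(seen))
    return {"gaps": gaps, "duplicates": duplicates}


def mathematical_accuracy(lines: List[InvoiceLine], control_total: Decimal) -> Dict[str, object]:
    """Recompute quantity x unit_price per line and foot the batch against its control total."""
    line_mismatches = [l.seq_no for l in lines if l.quantity * l.unit_price != l.line_total]
    footed = sum((l.quantity * l.unit_price for l in lines), Decimal("0"))
    return {
        "line_mismatches": line_mismatches,
        "footed_total": footed,
        "batch_total_agrees": footed == control_total,
    }


def audit_batch(lines: List[InvoiceLine], control_total: Decimal) -> Dict[str, object]:
    """Run all three controls and report whether the batch passed cleanly."""
    input_errors = [e for l in lines for e in validate_input(l)]
    seq = sequence_check(lines)
    acc = mathematical_accuracy(lines, control_total)
    clean = (not input_errors and not seq["gaps"] and not seq["duplicates"]
             and not acc["line_mismatches"] and acc["batch_total_agrees"])
    return {"input_errors": input_errors, "sequence": seq, "accuracy": acc, "clean": clean}


# Constructed sample batch: a gap at 1003, a duplicated 1004, a malformed customer id,
# a zero quantity, and one line whose recorded total does not equal quantity x price.
SAMPLE_BATCH = [
    InvoiceLine(1001, "C00042", 3, Decimal("10.00"), Decimal("30.00")),
    InvoiceLine(1002, "C12", 2, Decimal("5.50"), Decimal("12.00")),
    InvoiceLine(1004, "C00777", 1, Decimal("99.99"), Decimal("99.99")),
    InvoiceLine(1004, "C00778", 0, Decimal("4.00"), Decimal("0.00")),
]
# Constructed batch-header control total, equal to the sum of the *recorded* line totals.
SAMPLE_CONTROL_TOTAL = Decimal("141.99")

if __name__ == "__main__":
    for key, value in audit_batch(SAMPLE_BATCH, SAMPLE_CONTROL_TOTAL).items():
        print(f"{key}: {value}")
```

The footing control catches the batch because the recomputed total (140.99) disagrees with the recorded control total, even though the recorded line totals themselves add up to it.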

IT Auditing Trends
Computing has become indispensable to the activities of organizations worldwide. The Control Objectives for Information and Related Technology (COBIT) Framework was created in 1995 by ISACA. COBIT, now on its fifth edition, emphasizes this point and substantiates the need to research, develop, publicize, and promote up-to-date, internationally accepted IT control objectives. In earlier documents such as the 1993 discussion paper “Minimum Skill Levels in Information Technology for Professional Accountants” and their 1992 final report “The Impact of Information Technology on the Accountancy Profession,” the International Federation of Accountants (IFAC) acknowledges the need for better university-level education to address growing IT control concerns and issues.
Reports of information theft, computer fraud, information abuse, and other related control concerns are being heard more frequently around the world. Organizations are more information-conscious, people are scattered due to decentralization, and computers are used more extensively in all areas of commerce. Owing to the rapid diffusion of computer technologies and the ease of information accessibility, knowledgeable and well-trained IT auditors are needed to ensure that more effective controls are put in place to maintain data integrity and manage access to information.
The need for better controls over IT has been echoed in the past by prior studies such as the AICPA Committee of Sponsoring Organizations of the Treadway Commission (COSO); International Organization for Standardization (ISO) 17799 and 27000; the IIA Systems Auditability and Control Report; Guidelines for the Security of IS by the OECD; the U.S. President’s Council on Integrity and Efficiency in Computer Audit Training curriculum; and the United States’ National Strategy for Securing Cyberspace released in 2002; among others.

Exhibit 1.3 Relationship between general computer controls and application controls. [Figure: the application (with its application or automated controls) sits at the center; general controls (access termination process, physical security, implementation of application changes, change request approvals, account administration, data backup, offsite storage, monitoring/tracking of job exceptions) form a “protecting shield” around it; the risks shown outside the shield are theft or damage to hardware, unauthorized modification of sensitive information, loss/theft of information, system crash, unauthorized disclosure of confidential data, inappropriate manual intervention, and unauthorized processing.]
The AICPA’s Assurance Services Executive Committee (ASEC) is responsible for updating and maintaining the Trust Services Principles and Criteria (TSPC) and creating a framework of principles and criteria to provide assurance on the integrity of information. TSPC presents criteria for use by practitioners when providing professional attestation or advisory services to assess controls relevant to the following principles:

◾ Security: The system is protected against unauthorized access (both physical and logical).
◾ Availability: The system is available for operation and use as committed or agreed.
◾ Processing integrity: System processing is complete, accurate, timely, and authorized.
◾ Confidentiality: Information designated as confidential is protected as committed or agreed.
◾ Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

The theory and methodologies of IT auditing are integrated from five areas: a fundamental understanding of business, traditional auditing, IT management, behavioral science, and IT sciences. Business understanding and knowledge are the cornerstones of the audit process. Traditional auditing contributes knowledge of internal control practices and overall control philosophy within a business enterprise. IT management provides methodologies necessary to achieve successful design and implementation of systems. Behavioral science indicates when and why IT systems are likely to fail because of people’s problems. IT sciences contribute knowledge about control theory and the formal models that underlie hardware and software designs as a basis for maintaining data integrity.
Ever since the ISACA was formed there has been a growing demand for well-trained and skilled IT audit professionals. The publication The EDP Auditors Association: The First Twenty-Five Years documents the early struggles of the association and the evolution of IT audit practices in this field.
The area of information assurance has also grown and evolved. The United States, in its passage of the Cyber Security Research and Development Act, has pledged almost a billion dollars for the development of curriculum, research, and skills for future professionals needed in this field.

Information Assurance
Organizations increasingly rely on critical digital electronic information capabilities to store, process, and move essential data in planning, directing, coordinating, and executing operations. Powerful and sophisticated threats can exploit security weaknesses in many of these systems. Outsourcing technological development to countries that could have terrorists on their development staff causes speculation that the potential exists for code to be implanted that would cause disruption, havoc, embezzlement, theft, and so on. These and other weaknesses that can be exploited become vulnerabilities that can jeopardize the most sensitive components of information capabilities. However, we can employ deep, layered defenses to reduce vulnerabilities and deter, defeat, and recover from a wide range of threats. From an information assurance perspective, the capabilities that we must defend can be viewed broadly in terms of four major elements: local computing environments, their boundaries, networks that link them together, and their supporting infrastructure. The U.S. National Strategy for Securing Cyberspace is one of those initiatives.
The term “information assurance” is defined as information integrity (the level of confidence and trust that can be placed on the information) and service availability. In all contexts, whether business or government, it means safeguarding the collection, storage, transmission, and use of information. The ultimate goal of information assurance is to protect users, business units, and enterprises from the negative effects of corruption of information or denial of services. The Department of Homeland Security and supporting organizations such as the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Central Intelligence Agency (CIA) have all worked toward supporting this goal.
As the nation’s IS and their critical infrastructures are being tied together (government and business), the points of entry and exposure increase, and thus, risks increase. The technological advancement toward higher bandwidth communication and advanced switching systems has reduced the number of communications lines and further centralized the switching functions. Survey data indicates that the increased risk from these changes is not widely recognized. Since 9/11, more coordinated efforts have been made by U.S. defense organizations such as the Defense Information Systems Agency to promulgate standards for the Defense Information Infrastructure and the Global Information Grid, which should have a positive impact on information assurance that will extend beyond the U.S. Department of Defense and impact all segments of the national economy. The NSA has drafted and produced standards for IT security personnel that not only impact federal agencies but also corporate entities who contract IT services in support of the federal government. NIST, for example, has generated security guidance for Health Insurance Portability and Accountability Act compliance that impacts the medical profession and all corporations/businesses servicing the health field who handle medical information. A similar example is the Payment Card Industry Data Security Standard (PCI DSS), maintained, managed, and promoted worldwide by the PCI Security Standards Council (Council). The Council was founded in 2006 by major credit card companies, such as American Express, Discover, JCB International, MasterCard, and Visa, Inc. These companies share equally in governance, execution, and compliance of the Council’s work. PCI DSS refers to technical and operational requirements applicable specifically to entities that store, process, or transmit cardholder data, with the intention of protecting such data in order to reduce credit card fraud.

Need for IT Audit


Initially, IT auditing (formerly called electronic data processing [EDP], computer information systems [CIS], and IS auditing) evolved as an extension of traditional auditing. At that time, the need for an IT audit came from several directions:

◾ Auditors realized that computers had impacted their ability to perform the attestation function.
◾ Corporate and information processing management recognized that computers were key resources for competing in the business environment, similar to other valuable business resources within the organization, and therefore the need for control and auditability was critical.
◾ Professional associations and organizations, and government entities recognized the need for IT control and auditability.

The early components of IT auditing were drawn from several areas. First, traditional auditing contributes knowledge of internal control practices and the overall control philosophy. Another contributor was IS management, which provides methodologies necessary to achieve successful design and implementation of systems. The field of behavioral science provided questions and analysis as to when and why IS are likely to fail because of people problems. Finally, the field of computer science contributes knowledge about control concepts, discipline, theory, and the formal models that underlie hardware and software design as a basis for maintaining data validity, reliability, and integrity.
IT auditing became an integral part of the audit function because it supports the auditor’s judgment on the quality of the information processed by computer systems. Auditors with IT audit skills were viewed as the technological resource for the audit staff. The audit staff often looked to them for technical assistance. The IT auditor’s role evolved to provide assurance that adequate and appropriate controls are in place. Of course, the responsibility for ensuring that adequate internal controls are in place rests with management. The audit’s primary role, except in areas of management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner. Management’s role is to ensure and the auditors’ role is to assure.
There are several types of needs within IT auditing, including organizational IT audits (management control over IT), technical IT audits (infrastructure, data centers, data communication), and application IT audits (business/financial/operational). There are also development/implementation IT audits (specification/requirements, design, development, and post-implementation phases), and compliance IT audits involving national or international standards.
When auditing IT, the breadth and depth of knowledge required are extensive. For instance, auditing IT involves:

◾ Application of risk-oriented audit approaches
◾ Use of computer-assisted audit tools and techniques
◾ Application of standards (national or international) such as the ISO* to improve and implement quality systems in software development and meet IT security standards
◾ Understanding of business roles and expectations in the auditing of systems under development as well as the purchase of software packages and project management
◾ Assessment of information security, confidentiality, privacy, and availability issues which can put the organization at risk
◾ Examination and verification of the organization’s compliance with any IT-related legal issues that may jeopardize or place the organization at risk
◾ Evaluation of complex systems development life cycles (SDLC) or new development techniques (i.e., prototyping, end-user computing, rapid systems, or application development)
◾ Reporting to management and performing a follow-up review to ensure that the actions taken are working

The auditing of IT and communications protocols typically involves the Internet, intranet, extranet, electronic data interchange, client servers, local and wide area networks, data communications, telecommunications, wireless technology, integrated voice/data/video systems, and the software and hardware that support these processes and functions. Some of the top reasons to initiate an IT audit include the increased dependence on information by organizations, the rapidly changing technology with new risks associated with such technology, and the support needed for financial statement audits.
SOX also requires the assessment of internal controls and makes it mandatory for SEC registrants. As part of the process for assessing the effectiveness of internal controls over financial reporting, management needs to consider controls related to the IS (including technologies) that support relevant business and financial processes. These controls are referred to as ITGCs (or IT general controls). As mentioned earlier, ITGCs are IT processes, activities, and/or procedures that are performed within the IT environment and relate to how the applications and systems are developed, maintained, managed, secured, accessed, and operated. Exhibit 1.4 illustrates other top reasons to have IT audits.

* Examples of ISO standards include ISO/IEC 27002, ISO/IEC 27000, and ISO 17799.

Exhibit 1.4 Top reasons for having an IT audit. [Figure: to support the effective functioning of application controls; to assess the increase of sophisticated and “creative” programming; to control and monitor the significant growth of corporate hackers, either internal or external; to support financial statement audits; to assess the completeness and accuracy of information; to address the rapidly changing technology and the new risks associated with such technology; to assess the integrity of information and security of data; to identify controls that can address specific IT risks; to control the easy access to organization networks from office and remote personal computers; to audit large amounts of data.]

IT Governance
There have been many changes in the way enterprises address IT issues, resulting in a renewed focus on the concepts of IT governance. CEOs, Chief Financial Officers, Chief Operating Officers, Chief Technology Officers, and Chief Information Officers agree on the founding principles of IT governance, which focus on strategic alignment between IT and enterprise objectives. This, in turn, creates changes to tactical and day-to-day operational management of IT in the organization.
IT governance is the process by which an enterprise’s IT is directed and controlled. As defined earlier, IT refers to the hardware, software, communication, and other facilities used to input, store, process, transmit, and output data in whatever form. Effective IT governance helps ensure that IT supports business goals, maximizes business investment in IT, and appropriately manages IT-related risks. IT governance also helps ensure achievement of critical success factors by efficiently and effectively deploying secure, reliable information and applied technology.
Because IT impacts the operation of an entire organization, everyone within the organization should have an interest and role in governing its use and application. This growing awareness has led organizations to recognize that, if they are to make the most of their IT investment and protect that investment, they need a formal process to govern it. Reasons for implementing an IT governance program include:

◾ Increasing dependence on information and the systems that deliver the information
◾ Increasing vulnerabilities and a wide spectrum of threats
◾ Scale and cost of current and future investments in information and IS
◾ Potential for technologies to dramatically change organizations and business practices to create new opportunities and reduce costs

As long as these factors remain a part of business, there will be a need for effective, interdependent systems of enterprise and IT governance.
An open-standard IT governance tool that helps nontechnical and technical managers and auditors understand and manage risks associated with information and related IT is COBIT, developed by the IT Governance Institute and the Information Systems Audit and Control Foundation. COBIT is a comprehensive framework of control objectives that helps IT auditors, managers, and executives discharge fiduciary responsibilities, understand the IT systems, and decide what level of security and control is adequate. COBIT provides an authoritative, international set of generally accepted IT practices for business managers and auditors. COBIT is discussed in Chapter 3.

Role of the IT Auditor


The auditor evaluating today’s complex systems must have highly developed technical skills to understand the evolving methods of information processing. Contemporary systems carry risks such as non-compatible platforms, new methods to penetrate security through communication networks (e.g., the Internet), and the rapid decentralization of information processing with the resulting loss of centralized controls.
As the use of IT in organizations continues to grow, auditing computerized systems must be accomplished without many of the guidelines established for the traditional auditing effort. In addition, new uses of IT introduce new risks, which in turn require new controls. IT auditors are in a unique position to evaluate the relevance of a particular system to the enterprise as a whole. Because of this, the IT auditor often plays a role in senior management decision making.
The role of IT auditor can be examined through the process of IT governance and the existing standards of professional practice for this profession. As mentioned earlier, IT governance is an organizational involvement in the management and review of the use of IT in attaining the goals and objectives set by the organization.

IT Auditor as Counselor
In the past, users have abdicated responsibility for controlling computer systems, mostly because of the psychological barriers that surround the computer. As a result, there are few checks and balances, except for the IT auditor. IT auditors must take an active role in assisting organizations in developing policies, procedures, standards, and/or best practices on safeguarding of the information, auditability, control, testing, etc. A good information security policy, for instance, may include:

◾ Specifying required security features
◾ Defining “reasonable expectations” of privacy regarding such issues as monitoring people’s activities
◾ Defining access rights and privileges and protecting assets from losses, disclosures, or damages by specifying acceptable use guidelines for users
◾ Providing guidelines for external communications (networks)
◾ Defining responsibilities of all users
◾ Establishing trust through an effective password policy
◾ Specifying recovery procedures
◾ Requiring violations to be recorded
◾ Acknowledging that owners, custodians, and clients of information need to report irregularities and protect its use and dissemination
◾ Providing users with support information

The SANS Institute provides general information security policy templates on its Website, which can be downloaded and serve as a great starting point for any organization. A good computer security policy will differ for each organization, corporation, or individual depending on security needs. An information security policy will not guarantee a system’s security or make the network completely safe from possible attacks from cyberspace. Nevertheless, a security policy, helped by effective security products and a plan for recovery, may help limit potential losses to levels considered “acceptable,” and minimize the leaking of private information. The IT auditor is part of an institutional team that helps create shared governance over the use, application, and assurance over IT within the organization.
An IT audit staff in a large corporation can make a major contribution to computer system control by persuading user groups to insist on a policy of comprehensive testing for all new systems and all changes to existing systems. By reviewing base-case results, user groups can control the accuracy of new or changed systems by actually performing a complete control function. Auditors must convince users and IT personnel of the need for a controlled IT environment.
Insisting that all new systems be reviewed at predefined checkpoints throughout the system’s development life cycle can also enhance control of IT. The prospect of audit review should prompt both user and systems groups to define their objectives and assumptions more carefully. Here, too, IT auditors can subtly extend their influence.

IT Auditor as Partner of Senior Management


Although the IT auditor’s roles of counselor and skilled technician are vital to successful company operation, they may be irrelevant if the auditor fails to view auditing in relation to the organization as a whole. A system that appears well controlled may be inconsistent with the operation of a business.
Decisions concerning the need for a system traditionally belonged to management, but because of a combination of factors (mostly the complex technology of the computer), computer system audits were not successfully performed. When allocating funds for new systems, management has had to rely on the judgment of computer personnel. Although their choices of new and more effective computer systems cannot be faulted, computer personnel have often failed to meet the true business needs of the organization.
Management needs the support of a skilled computer staff that understands the organization’s requirements, and IT auditors are in such a position to provide that information. They can provide management with an independent assessment of the effect of IT decisions on the business. In addition, the IT auditor can verify that all alternatives for a given project have been considered, all risks have been accurately assessed, the technical hardware and software solutions are correct, business needs will be satisfied, and costs are reasonable.

IT Auditor as Investigator
As a result of increased legislation and the use of computer evidence within the courts, the ability to capture and document computer-generated information related to criminal activity is critical for purposes of prosecution. The awareness and use of computer-assisted tools and techniques in performing forensic support work have provided new opportunities for the IT auditor, IT security personnel, and those within law enforcement and investigation. For the IT audit professional, computer forensics is an exciting, developing field. The IT auditor can work in the field of computer forensics or work side by side with a computer forensics specialist, supplying insight into a particular system or network. The specialists can ask the IT audit professionals questions pertaining to the system and get responses faster than having to do research and figure everything out on their own. Although the specialist is highly trained and can adapt to almost any system or platform, collaboration can make the jobs of the forensic specialist and the IT professional easier and more efficient.
Since its birth in the early 1970s, computer forensics has continuously evolved into what is now a very large field. New technologies and enhancements in protocols are allowing engineers and developers to create more stable and robust hardware, software, and tools for the specialist to use in computer-related criminal investigations. As computers become more advanced and more abundant, so do criminal activities. Therefore, the computer forensics niche is also in constant progression along with the technological advancements of computers.

IT Audit: The Profession


With the passage of the Homeland Security Act, the Patriot Act, and SOX, the role of the auditor (internal and external) is more critical to the verification and validation of the financial infrastructure. The profession of IT auditing can provide a person with exposure to the way information flows within an organization and give its members the ability to assess its validity, reliability, and security. IT auditing involves people, technology, operations, and systems. It is a dynamic and challenging profession with a future that brings growth into new areas such as IT security and computer forensics, to name a few.
Today, IT auditors interact with managers, users, and technicians from all areas of most organizations. They must have interpersonal skills to interact with multiple levels of personnel and technical skills to understand the variety of technology used in information processing activity—especially technology used in generating and/or processing the company’s financial information (e.g., financial statements, etc.). The IT auditor must also gain an understanding of and be familiarized with the operational environment to assess the effectiveness of the internal control structure. Finally, the IT auditor must understand the technological complexities of existing and future systems and the impact they have on operations and decisions at all levels.
IT auditing is a relatively new profession, and employment opportunities are present in all sectors of private industry, public accounting, and government worldwide. A profession is more than just an occupation. A profession has certain special characteristics, including a common body of knowledge, certification, continuing education, professional associations and ethical standards, and educational curriculum.

A Common Body of Knowledge


Since 1975, there have been various studies identifying a common body of knowledge for the IT audit profession. A common body of knowledge consists of clearly identified areas in which a person must attain a specific level of understanding and competency necessary to successfully practice within the profession. These areas are categorized into core areas. Organizations such as ISACA, AICPA, IIA, CICA, ISSA, InfoSec, and others around the world have issued major studies and papers on the topic of the knowledge, skills, and abilities needed to audit computer systems. Students, especially the ones with business and computer majors, receive a degree of base-level training in (1) auditing concepts and practices; (2) management concepts and practices; (3) computer systems, telecommunications, operations, and software; (4) computer information processing techniques; and (5) understanding of business on local and international scales. These are some of the major core areas of competency identified by the various independent studies for the individual who enters the IT audit, control, and security field.

Certification
Certification is a vital component of a profession. As you prepare for entry into your profession, whether it is accounting, IS, or other business fields, certification will be the measure of your level of knowledge, skills, and abilities in the profession. For example, attainment of the CPA designation is an important career milestone for the practicing accountant. In IT auditing, the Certified Information Systems Auditor (CISA) is one of the main levels of recognition and attainment. There are certain requirements for candidates to become CISA certified, such as:

◾ Passing a rigorous written examination
◾ Evidencing a minimum of 5 years of professional IS auditing, control or security work experience
◾ Adhering to the ISACA’s Code of Professional Ethics and the Information Systems Auditing Standards as adopted by ISACA
◾ Agreeing to comply with the CISA Continuing Education Policy

The CISA examination covers areas (or domains) within the process of auditing IS; governance and management of IT; IS acquisition, development and implementation; IS operations, maintenance and service management; and the protection of information assets. Thus, university education plays an important part in providing the groundwork toward the certification process. Other licenses and certifications relevant to the IT auditor include the following: CPA, Certified Chartered Accountant (CA), Certified Internal Auditor (CIA), Certified Computer Professional (CCP), Certified Government Financial Manager (CGFM), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), AICPA’s Certified Information Technology Professional (CITP), and Certified Fraud Examiner (CFE).
Certification is important and a measure of skill attainment within the profession. Attainment of more than one certification will enhance your knowledge, skills, and abilities within the audit domain. Proficiency in skill application comes from experience and continuing education. The dynamic changes in business (commerce), IT, and world events continue to shape the future for this exciting profession.

Continuing Education
Certification requires continuing education so that those who are certified maintain a level of proficiency and continue their certification. Continuing education is an important element for career growth. As graduates enter their profession, they will find that their academic education is the foundation for continued development of career-enhancing knowledge, skills, and abilities. A continuing education requirement exists to support the CISA program. The IT auditor of the future will constantly face change with regard to existing systems and the dynamics of the environment (i.e., reorganization, new technology, operational change, and changing requirements). The breadth and depth of knowledge required to audit IT is extensive. For example, IT auditing involves the application of risk-oriented audit approaches; the use of computer-assisted audit tools and techniques (e.g., EnCase, CaseWare, Idea, ACL, Guardant, eTrust, CA-Examine, etc.); the application of national or international standards (i.e., ISO 9000/3, ISO 17799, ISO 27000, and related amendments to improve and implement quality systems in software development); the auditing of systems under development involving complex SDLC or new development techniques (e.g., prototyping, end-user computing, rapid systems development, etc.); and the auditing of complex technologies involving electronic data interchange, client servers, local and wide area networks, data communications, telecommunications, and integrated voice/data/video systems.
Because the organizational environment in which the IT auditor operates is a dynamic one, it is important that new developments in the profession be understood so that they may be appropriately applied. Thus, the continuing education requirement helps the CISA attain new knowledge and skills to provide the most informed professional opinion. Training courses and programs are offered by a wide variety of associations and organizations to help auditors maintain the skills they need to continue to improve and evolve. Methods for receiving such training may even be global, with video teleconferencing and telecommuting, and with the Internet playing a major role in training delivery.

Professional Associations and Ethical Standards
As a manager at any level, one must remember that auditors, whether internal or external, have standards of practice that they must follow. Like IT professionals, auditors may belong to one or more professional associations and have codes of ethics and professional standards of practice and guidance that help them in performing their reviews and audits. If they are seen not performing their work to “standards of practice” for their profession, they know they could be open to a potential lawsuit or even “decertified.” Some of the organizations that produced such standards of practice are the AICPA, IIA, IFAC, CICA, GAO, and ISACA.
ISACA, created in 1969, is the leading IT governance, assurance, as well as security and control professional association today. ISACA:

◾ provides knowledge and education on areas like IS assurance, information security, enterprise governance, IT risk management, and compliance.
◾ offers globally known certifications/designations, such as CISA, CISM, Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).
◾ develops and frequently updates international IS auditing and control standards, such as the COBIT standard. COBIT assists both IT auditors and IT management in performing their daily duties and responsibilities in the areas of assurance, security, risk and control, and delivering value to the business.

To act as an auditor, one must have a high standard of moral ethics. The term auditor is Latin for one that hears complaints and makes decisions or acts like a judge. To act as a judge, one definitely must be morally ethical or it defeats the purpose. Ethics are a very important basis for our culture as a whole. If the auditor loses favor in this area, it is almost impossible to regain the trust the auditor once had with audit management and auditees. Whether an auditor is ethical in the beginning or not, they should all start off with the same amount of trust and good favor from the client or auditee. If the bond is not broken, the auditor establishes a good name as someone who can be trusted with sensitive material.
In today’s world economy, trust is an unheard-of word. No one can trust anyone these days, and for this reason it is imperative that high ethics are at the top of the manager’s list of topics to cover with new audit teams. Times are changing and so are the clients requesting audit services. Most managers will state that they cherish this aspect called ethics because it distinguishes them from others without it.
For example, say a budget calls for numerous hours. It is unethical to put down hours not worked. It is also unethical to overlook something during the audit because the client says it is not important. A fine line exists between what is ethical and what is legal. Something can be ethically wrong but still legal. However, with that being said, some things initially thought to be unethical become illegal over time. If there is a large enough population opposed to something ethically incorrect, you will see legislation introduced to make it illegal.
When IT auditors attain their CISA certification, they also subscribe to a Code of Professional Ethics. This code applies to not only the professional conduct but also the personal conduct of IT auditors. The code is actually not in conflict with codes of ethics from other audit/assurance related domains (e.g., IIA, AICPA, etc.). It requires that the ISACA standards are adhered to, confidentiality is maintained, any illegal or improper activities are reported, the auditor’s competency is maintained, due care is used in the course of the audit, the results of audit work are communicated, and high standards of conduct and character are maintained.

Educational Curricula
IT auditing is a profession with conduct, aims, and qualities that are characterized by worldwide technical and ethical standards. It requires specialized knowledge and often long and intensive academic preparation. Most accounting, auditing, and IT professional societies believe that improvements in research and education will definitely provide a “better-developed theoretical and empirical knowledge base for the IT audit function.” They feel that emphasis should be placed on education obtained at the college level.
The academic communities both in the United States and abroad have started to incorporate portions of the common body of knowledge and the CISA examination domains into courses taught at the university level. Several recent studies indicate the growth of computer audit courses emerging in university curricula worldwide.
Various universities have developed curricula tailored to support the profession of IT auditing. Although the curricula at these universities constantly evolve, they currently exist at institutions such as Bentley University (Massachusetts), Bowling Green State University (Ohio), California State Polytechnic University, University of Mississippi, University of Texas, Georgia State University, University of Maryland, University of Tennessee, National Technological University (Argentina), University of British Columbia (Canada), York University (Canada), and the Hong Kong University of Science and Technology, among others. Graduates from these programs qualify for 1 year of work experience toward their CISA certification.
A Model Curriculum for undergraduate and graduate education in IS and IT audit education was initially issued in March 1998 and updated in 2004, 2009, and 2011 by the IS Audit and Control Association and Foundation. The purpose of the Model is to provide colleges, universities, and/or educational institutions the necessary tools to educate students and prepare them to enter the IT audit profession. Education through the Model focuses on fundamental course components of IT audit and control, as well as keeping up with the rapid pace of technological change. Such education is also in line with recent events, government regulations, and changes in business processes, all of which have affected the role of IT audit and the methodologies used by IT auditors.

IT Auditor Profile: Experience and Skills
Experience in IT audit is a definite must. Nothing in this world can compare to actual on-the-job, real-world experiences. Theory is also valuable, and for the most part an IT auditor should rely on theory to progress through an audit. For example, if IT auditors wish to demonstrate their commitment and knowledge level of the field, they can select an area to be tested. A number of professional certifications exist that can benefit the auditor. In the IT audit area, for instance, to pass the CISA exam, one must know, understand, and be able to apply the theory of modern IT auditing to all exam questions posed. There are other relevant licenses and certifications, as mentioned earlier, that can be very useful to an IT auditor’s career and future plans.
The understanding of theory is definitely essential to the successful IT auditor. However, theory can only take one so far. This textbook and others available should be viewed as a guide. In this field, due to the complexity of the technology and the situation, there comes a time when an IT auditor has to rely on experience to confront a new, never-before-encountered situation. Experience in the field is a definite plus, but having experience in a variety of other fields can sometimes be more beneficial. For example, an IT audit manager working for a Big Four public accounting firm is going to be exposed to a wide variety of IT audit situations and scenarios. Such experience will help broaden horizons and further knowledge in the IT audit field. Another example would be an Internal Audit Supervisor who has performed risk-focused and compliance audits for all departments within an organization. Such ample experience is nothing but a plus, and likely will allow the auditor to add significant, above-and-beyond value to the organization’s operations.
Direct entry into the profession, as is the situation today, may change with entry-level requirements, including experience in business processes, systems, and technology, as well as sound knowledge of general auditing theory supplemented by practical experience. Additionally, IT auditors may require specific industry expertise such as banking, telecommunications, transportation, or finance and insurance to adequately address the industry-specific business/technology issues. This book provides current information and approaches to this complex field, which can help the practitioners and those wanting to learn more.
Experience comes with time and perseverance, as is well known, but auditors should not limit themselves to just one industry, software, or operating system. They should challenge themselves and broaden their horizons with a multitude of exposure in different environments, if possible. The broader and more well rounded the IT auditor is, the better the chance for a successful audit career.
In addition to the experience, effective IT auditors must possess a variety of skills that enable them to add value to their organizations or clients. The finest technical experience or training does not necessarily fully prepare auditors for the communication and negotiation skills that are required for success.
Many of the nontechnical or supplemental skills are concerned with gathering information from and, of comparable importance, presenting information to people. As such, these supplemental skills are readily transferable to other disciplines, for example, finance, management, and marketing. The final product auditors create is an audit report. If the information within the audit report is not effectively and efficiently delivered via solid oral and written communication skills, all value accruing from the audit process could potentially be lost.
Having a diverse set of supplemental or “soft” skills never hurts when one is working with an auditee. For example, a senior IT auditor was recently conducting an audit in which she was faced with a client/auditee that was not very cooperative. During the questioning process, the senior IT auditor established a rapport with the client by using people skills or “soft skills.” The role of an auditor is not an easy one when we are asked to review, question, and assess the work of others. Many times, the auditee must have a clear understanding of our role and that the auditor’s focus is not to be critical of the individual but of the organizational policies, procedures, and processes. The audit objectives focus on both the organization’s goals and objectives.

Career Opportunities
There are a number of career opportunities available to the individual seeking an opportunity in IT audit. For the college graduate with the appropriate entry-level knowledge, skills, and abilities, this career provides many paths for growth and development. Further, as a career develops and progresses, IT audit can provide mobility into other areas as well. Today’s IT auditors are employed by public accounting firms, private industries, management consulting firms, and the government.

Public Accounting Firms
Public accounting firms offer individuals an opportunity to enter the IT auditing field. Although these firms may require such individuals to begin their careers in financial audits to gain experience in understanding the organization’s audit methodologies, after initial audit experience the individual who expresses interest in a particular specialization (e.g., forensics, security, etc.) will be transferred to such specialty for further training and career development. Many who have taken this career path have been successful, and several have become partners, principals, or directors within the firm. The primary sources for most public accounting firms are college recruitment and development within. However, it is not uncommon for a firm to hire from outside for specialized expertise (e.g., computer forensics, telecommunication, database systems, etc.).

Private Industry
Like public accounting firms, private industry offers entry-level IT audit professional positions. In addition, IT auditors gain expertise in more specialized areas (i.e., telecommunications, systems software, and systems design), which can make them candidates for IT operations, IT forensics, and IT security positions. Many CEOs view audit experience as a management training function. The IT auditor has particular strengths of educational background, practical experience with corporate IS, and understanding of executive decision making. Some companies have made a distinction between IT auditors and operational and financial auditors. Others require all internal auditors to be capable of auditing IT systems. Sources for persons to staff the IT audit function within a company generally may come from college recruitment, internal transfers, promotions, and/or outside hiring.

Management Consulting Firms
Another area of opportunity for IT audit personnel is management consulting. This career area is usually available to IT auditors with a number of years’ experience. Many management consulting practices, especially those that provide services in the computer IS environment, hire experienced IT auditors. This career path allows these candidates to use their particular knowledge, skills, and abilities in diagnosing an array of computer and management information issues and then assist the organization in implementing the solutions. The usual resources for such positions are experienced personnel from public accounting CPA firms, private industries, and the government. IT forensics is another growing area in management consulting services.

Government
The government offers another avenue for one to gain IT audit experience. In the United States, federal, state, county, and city governments employ personnel to conduct IT audit-related responsibilities. Federal organizations such as the NSA, FBI, Department of Justice, and the CIA employ personnel who have IT audit experience, computer security experience, and IT forensics experience. Governments worldwide also employ personnel to conduct IT audits.
Government positions offer training and experience to personnel responsible for performing IT audit functions. Sources for government IT auditors are college recruits and employees seeking internal promotion or transfer. There are occasions when experienced resources may be hired from the outside as well.

Conclusion
Business operations are changing at a rapid pace because of the fast continuing improvement of technology. Technology has impacted various areas of the business environment, including the use and processing of information, existing control processes, and how audits are performed to draw conclusions regarding operational or system effectiveness, efficiency, and reporting integrity. It is also noted that technology constantly changes and identifies ways to shape today’s IT environments in the organization. There were several recent technologies described that have and certainly will continue to revolutionize organizations, in particular how business is done and the dynamics of the workplace.
Because of major corporate and accounting fraud and scandals, the auditing profession, both internal and external functions, now looks seriously at the lack of controls in computer information systems. Within financial auditing, for instance, there are principles and standards that rule the CPA profession in the United States (i.e., GAAP and GAAS). These look for accurate preparation of financial statements as well as effective procedures for their audit examinations. A different type of auditing, IT auditing, has become an integral part of the audit function because it supports the auditor’s judgment on the quality of the information processed by computer systems. IT auditing provides reasonable assurance (never absolute) that the information generated by applications within the organization is accurate, complete, and supports effective decision making consistent with the nature and scope agreed. There are two broad groupings of IT audits (i.e., General Computer Controls Audit and Application Controls Audit), both essential to ensure the continued proper operation of IS.
For the IT auditor, the need for audit remains critical and continues to be a demanding one. There are many challenges ahead; everyone must work together to design, implement, and safeguard the integration of new and existing technologies in the workplace. Given the various role hats IT auditors can wear, they must keep updated with reviews and changes in the existing laws governing the use of computers and the Internet. IT auditors can provide leverage in helping organizations understand the risks they face and the potential for consequences.
