Chat with us, powered by LiveChat In Module 3, we've learned about IT Auditing. Please review all materials posted in this module, and submit a thoughtful discussion post in response to the readings. Specifically, y - Writeedu

In Module 3, we’ve learned about IT Auditing. Please review all materials posted in this module, and submit a thoughtful discussion post in response to the readings. Specifically, y

In Module 3, we've learned about IT Auditing. Please review all materials posted in this module, and submit a thoughtful discussion post in response to the readings. Specifically, you’ll have to:

(1) summarize and explain the main points of the articles that you choose from the assigned papers

(2) conclude with your own opinion about the issue being discussed in the article. Your opinion can be supported by personal experience, specialized publications, textbooks, and/or scholarly research.

 Discussion posts should be no shorter than 200 words (approx. 10 lines of text) and cite at least three sources outside the textbook and follow APA Format.


Information Technology Auditing

A common mistake people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.

Douglas Adams, author of The Hitchhiker’s Guide to the Galaxy

To err is human, but to really foul things up you need a computer.

Attributed to Paul R. Ehrlich, American biologist, author, and technology commentator


©McGraw-Hill Education


Module H Learning Objectives

Identify how the use of an automated transaction processing system affects the audit examination.

Understand the steps that are taken to determine whether an audit team can rely on IT controls.

Provide examples of general controls and understand how these controls relate to transaction processing in an accounting information system.

Provide examples of automated application controls and understand how these controls relate to transaction processing in an accounting information system.

Describe how the audit team assesses control risk in an IT environment.


©McGraw-Hill Education.


Illustration of Automated Processing of Sales Transactions


©McGraw-Hill Education.


Issues Introduced In IT Environments

Input errors

Systematic vs. random processing errors

Lack of an audit trail

Inappropriate access to computer files and programs

Reduced human involvement in processing transactions


©McGraw-Hill Education.


Reliance on IT Controls

Three major phases to determine reliability of controls

Determining the scope of the IT testing plan by carefully identifying each of the IT dependencies

Understanding the IT controls and processes that need to be tested for each IT dependency

Testing the IT controls

©McGraw-Hill Education.


Types of IT Control Activities

General Controls

Apply to all applications of an automated accounting information system

Seen as pervasive across the entire technological infrastructure at an audit client

Automated Application Controls

Applied to specific business activities within an accounting information system

Address relevant assertions about significant accounts in the financial statements


©McGraw-Hill Education.


Categories of General Controls

Access to programs and data controls

Program change controls

Computer operations controls

Program development controls


©McGraw-Hill Education.


Access to Programs and Data Controls

Provides reasonable assurance that access to programs and data is granted only to authorized users



Automatic terminal logoff

Review access rights and compare to usage (through logs)

Report and communicate security breaches


©McGraw-Hill Education.


Timeline of the massive Equifax breach

©McGraw-Hill Education.


Program Change Controls

Implemented by the entity to provide reasonable assurance that requests for modifications to existing programs

Are properly authorized and conducted in accordance with policies

Involve appropriate users participate in process

Are tested and validated prior to use

Have appropriate documentation

Two additional controls: related to “emergency” change requests and the migration of new programs into operations


©McGraw-Hill Education.


Computer Operations Controls

Concerned with providing reasonable assurance that

The processing of transactions is in accordance with the entity’s objectives

Processing failures are resolved on a timely basis

Actions are taken to facilitate the backup and recovery of important data


©McGraw-Hill Education.


Examples of Computer Operations Controls

Important roles in an IT environment

Systems analysts, programmers, computer operators, data conversion operators, librarians, control group

Important general control: separation of the duties performed by the

Systems analysts


Computer operators


©McGraw-Hill Education.


Computer Operations Controls: Files and Data

Three major objectives for files and data used in processing

The files used in automated processing are appropriate

The files are appropriately secured and protected from loss

Files can be reconstructed from earlier versions of information used in processing

©McGraw-Hill Education.


Program Development Controls

Provide reasonable assurance that

Acquisition and development of new programs is properly authorized and conducted in accordance with policies

Appropriate users participate in process

Programs and software are tested and validated prior to use

Programs and software have appropriate documentation


©McGraw-Hill Education.

Testing General IT Controls

©McGraw-Hill Education.


General Controls and Assertions


©McGraw-Hill Education.


General Controls: Category, Examples, and Objectives


©McGraw-Hill Education.

Automated Application Controls

Controls applied to specific business activities within an accounting information system to mitigate the risk of material misstatement

Specific to each cycle (revenue and collection, acquisition and expenditure)

Organized into 3 Categories

Input controls

Processing controls

Output controls

©McGraw-Hill Education.


Input Controls

Designed to provide reasonable assurance that data received for processing by the computer department have been

Properly authorized

Accurately entered or converted for processing


©McGraw-Hill Education.


Processing Controls

Provide reasonable assurance that

Data processing has been performed accurately without any omission or duplicate processing of transactions


Test processing accuracy of programs

File and operator controls

Run-to-run totals

Control total reports

Limit and reasonableness tests

Error correction and resubmission procedures


©McGraw-Hill Education.


Output Controls

Provide reasonable assurance that

Output reflects accurate processing

Only authorized persons receive output or have access to files generated from processing


Review of output for reasonableness

Control total reports

Master file changes

Output distribution limited to appropriate person(s)


©McGraw-Hill Education.


Automated Application Controls


©McGraw-Hill Education.


Assessing Control Risk in an IT Environment

Identify specific types of misstatement that could occur

Identify points in the flow of transactions where misstatements could occur

Identify control procedures designed to prevent or detect misstatements

General controls and automated application controls

Evaluate design of control procedures

Are tests of controls cost-effective?

Does the design suggest a low control risk?


©McGraw-Hill Education.


Points of Potential Misstatement in an IT Environment


©McGraw-Hill Education.


Examples of Controls to Mitigate Risk of Material Misstatement

©McGraw-Hill Education.


Testing Controls in an IT Environment

Testing controls



Inspection of documentation


Characteristics auditors must consider when evaluating

Possibility of temporary transaction trails

Uniform processing of transactions

Potential for errors and frauds

Potential for increased management supervision

Initiation or subsequent execution of transactions by computer

Use of cloud computing applications


©McGraw-Hill Education.


Methods of Testing General Controls


©McGraw-Hill Education.


Methods of Testing Automated Application Controls


©McGraw-Hill Education.

Test Data Approach

Test data: Simulated transactions containing known errors to test the client’s controls

The Test of One

Only one type of each kind of transaction error needs to be tested

Because a client’s IT system processes transactions in the same manner every time, once the audit team is satisfied based on testing performed that an automated internal control activity operates effectively, there is no need to test the control activity again









©McGraw-Hill Education.


Test Approach Data – Test of One

©McGraw-Hill Education.

End-User Computing and other Environments

Control issues

Lack of separation of duties

Lack of physical security

Lack of program documentation and testing

Limited computer knowledge of personnel


©McGraw-Hill Education.


End-User Computing Control Considerations

Computer Operations Controls

Data Entry Controls

restricted access, standard screens and computer prompting, online editing and sight verification

Processing Controls

transaction logs, control totals, data comparisons, audit trail

System Development and Modification Controls


©McGraw-Hill Education.


End-User Computing in Service Organizations

Service Organizations

Limit concentration of functions and increase supervision

Access to program and data controls are critical

©McGraw-Hill Education.


Computer Abuse and Computer Fraud

The use of computer technology by perpetrator to achieve gains at the expense of a victim


Preventative: Stop fraud from entering system

Detective: Identify fraud when it enters system

Damage-limiting: Designed to limit the damage if a fraud does occur

Levels of Controls

Administrative controls

Physical controls

Technical controls


©McGraw-Hill Education.


Protecting the Computer from Fraud (Selected Controls)


©McGraw-Hill Education.






● Introduction to IT auditing ● Purpose and rationale for this book ● Intended use ● Key audiences ● Structure and content of the book ● Summary descriptions of each chapter

Introduction to IT auditing An audit is a systematic, objective examination of one or more aspects of an organization that compares what the organization does to a defined set of crite- ria or requirements. Information technology (IT) auditing examines processes, IT assets, and controls at multiple levels within an organization to determine the extent to which the organization adheres to applicable standards or requirements. Virtually, all organizations use IT to support their operations and the achievement of their mission and business objectives. This gives organizations a vested interest in ensuring that their use of IT is effective, that IT systems and processes operate as intended, and that IT assets and other resources are efficiently allocated and appro- priately protected. IT auditing helps organizations understand, assess, and improve their use of controls to safeguard IT, measure and correct performance, and achieve objectives and intended outcomes. IT auditing consists of the use of formal audit methodologies to examine IT-specific processes, capabilities, and assets and their role in enabling an organization’s business processes. IT auditing also addresses IT components or capabilities that support other domains subject to auditing, such as financial management and accounting, operational performance, quality assurance, and governance, risk management, and compliance (GRC).

IT audits are performed both by internal auditors working for the organization subject to audit and external auditors hired by the organization. The processes and procedures followed in internal and external auditing are often quite similar, but the roles of the audited organization and its personnel are markedly different. The audit criteria—the standards or requirements against which an organization is compared during an audit—also vary between internal and external audits and for audits of different types or conducted for different purposes. Organizations often engage in IT audits to satisfy legal or regulatory requirements, assess the operational effec- tiveness of business processes, achieve certification against specific standards, demonstrate compliance with policies, rules, or standards, and identify opportuni- ties for improvement in the quality of business processes, products, and services. Organizations have different sources of motivation for each type of audit and

xxii CHAPTER Introduction

different goals, objectives, and expected outcomes. This book explains all of these aspects of IT auditing, describes the establishment of organizational audit programs and the process of conducting audits, and identifies the most relevant standards, methodologies, frameworks, and sources of guidance for IT auditing.

Purpose and rationale The use of IT auditing is increasingly common in many organizations, to validate the effective use of controls to protect IT assets and information or as an element of GRC programs. IT auditing is a specialized discipline not only in its own right, with corresponding standards, methodologies, and professional certifications and experi- ence requirements, but it also intersects significantly with other IT management and operational practices. The subject matter overlap between IT auditing and network monitoring, systems administration, service management, technical support, and information security makes familiarity with IT audit policies, practices, and stand- ards essential for IT personnel and managers of IT operations and the business areas that IT supports. This book provides information about many aspects of IT audits in order to give readers a solid foundation in auditing concepts to help develop an understanding of the important role IT auditing plays in contributing to the achieve- ment of organizational objectives. Many organizations undergo a variety of IT audits, performed by both internal and external auditors, and each often accompanied by different procedures, methods, and criteria. This book tries to highlight the common- alities among audit types while identifying the IT perspectives and characteristics that distinguish financial, operational, compliance, certification, and quality audits.

Intended use This book describes the practice of IT auditing, including why organizations con- duct or are subject to IT audits, different types of audits commonly performed in different organizations, and ways internal and external auditors approach IT audits. It explains many fundamental characteristics of IT audits, the auditors who perform them, and the standards, methodologies, frameworks, and sources of guidance that inform the practice of auditing. This is not a handbook for conducting IT audits nor does it provide detailed instructions for performing any of the audit activities mentioned in the book. Auditors or other readers seeking prescriptive guidance on auditing will find references to many useful sources in this book, but should look elsewhere—potentially including the sources referenced below—for audit check- lists, protocols, or procedural guidance on different types of IT audits. This book is intended to give organizations and their employees an understanding of what to expect when undergoing IT audits and to explain some key points to consider that help ensure their audit engagements meet their objectives. By covering all major types of IT auditing and describing the primary drivers and contexts for IT audits in most organizations, this book complements more detailed but narrowly focused

xxiiiPurpose and Rationale

texts intended to guide or instruct auditors in the step-by-step procedural execution of audits. The following are among recently published books especially relevant to IT auditing:

● IT Auditing: Using Controls to Protect Information Assets (2nd edition) by Chris Davis and Mike Schiller emphasizes auditing practices applicable to different types of technologies and system components.

● Auditor’s Guide to IT Auditing (2nd edition) by Richard Cascarino provides broad coverage of IT audit concepts and practices applicable to information systems, organized and presented in the context of major IT management disciplines.

● IT Audit, Control, and Security by Robert Moeller highlights requirements, expectations, and considerations for auditors of IT systems stemming from prominent laws, frameworks, and standards.

● Information Technology Control and Audit (4th edition) by Sandra Senft, Frederick Gallegos, and Aleksandra Davis approaches IT auditing drawing largely on practice guidance and governance frameworks defined by ISACA, particularly including COBIT.

● The Operational Auditing Handbook: Auditing Business and IT Processes by Andrew Chambers and Graham Rand focuses on operational auditing and uses a process-based approach to describe auditing practices for different organizational functions.

● The ASQ Auditing Handbook (4th edition) edited by J.P. Russell offers prescriptive guidance for quality auditors, particularly those following the quality auditor body of knowledge defined by the American Society for Quality (ASQ) and its Certified Quality Auditor Certification Program.

Key audiences This book provides a treatment of IT auditing that emphasizes breadth rather than depth. Audit professionals engaged in performing IT audits have a variety of stand- ards, guidance, and prescriptive procedures for thoroughly and effectively con- ducting various types of IT audits. Auditors and other consulting or professional services practitioners who regularly conduct audits may find the information in this book useful as a point of reference, but will likely rely on more detailed, purpose- specific sources to assist them in their work. Auditors are important stakeholders in IT auditing, but only one of many groups involved in IT auditing or affected by how it is carried out. The material in this book is intended primarily to help develop an understanding of auditing purposes and practices to nonauditor groups such as operational and administrative personnel, managers, and IT program and project staff, all of whom may be required to furnish information to or otherwise support external or internal audits in their organizations. It also provides an explanation of IT auditing suitable for practitioners focused on other aspects of IT management or on the performance of functions supported by IT audits such as GRC, quality man- agement, continuous improvement, or information assurance.

xxiv CHAPTER Introduction

Structure and content This book could not hope to provide, and is not intended to be, a substitute for for- mal standards, protocols, and practice guidance relevant to IT auditing. What it does offer is a thorough introduction to many aspects of IT auditing and the role of IT audits within the broader context of other major forms of audits. The book is structured in a way that should be equally helpful to readers looking for informa- tion on a specific audit-related subject or for those interested in developing a more general understanding of the IT audit discipline. The material in the early chap- ters focuses on describing why organizations undergo different types of audits and what characteristics distinguish those types of audits from each other. References provided in each chapter, in addition to the information in the last two chapters in the book, should help direct readers to authoritative sources of guidance on vari- ous aspects of auditing and to the major standards organizations and professional associations shaping the evolution of the field. This book does not recommend a particular approach or methodology, but instead highlights the similarities among many of the most prominent frameworks, methodologies, processes, and standards in the hope that readers will recognize the basic aspects of IT auditing in any real- world context.

A brief summary of each chapter follows.

Chapter 1: IT Audit Fundamentals Chapter 1 establishes a foundation for the rest of the material in the book by defin- ing auditing and related key terms and concepts and explaining the nature and rationale for IT auditing in different organizations, differentiating internal from external audits in terms of the reasons and requirements associated with each per- spective. It also identifies organizations and contexts that serve as the subject of IT audit activities and describes the individuals and organizations that perform audits.

Chapter 2: Auditing in Context Chapter 2 emphasizes the practical reality that IT auditing often occurs as a compo- nent of a wider-scope audit not limited to IT concerns alone, or a means to support other organizational processes or functions such as GRC, certification, and quality assurance. Audits performed in the context of these broader programs have different purposes and areas of focus than stand-alone IT-centric audits, and offer different benefits and expected outcomes to organizations.

Chapter 3: Internal Auditing Chapter  3 focuses on internal IT auditing, meaning audits conducted under the direction of an organization’s own audit program and typically using auditors who are employees of the organization under examination. This chapter highlights the

xxvStructure and Content

primary reasons why organizations undergo internal audits, including drivers of mandatory and voluntary audit activities. It also describes some of the benefits and challenges associated with internal auditing and characterizes the role, experience, and career path of internal IT audit personnel.

Chapter 4: External Auditing Chapter  4 provides a direct contrast to Chapter  3 by addressing external auditing, which bears many similarities to internal auditing but is, by definition, conducted by auditors and audit firms wholly separate from the organization being audited. This chapter identifies the key drivers for external audits, explains the role of inter- nal staff in preparing for and supporting external audits, and describes benefits and challenges often encountered by organizations subject to such audits. Because audited organizations often have to choose their external auditors, the chapter also discusses the process of selecting an auditor, the registration requirements applica- ble to auditors in many countries, and key auditor qualifications.

Chapter 5: Types of Audits Chapter  5 offers an overview of the major types of audits organizations undergo, including financial, operational, certification, compliance, and quality audits in addition to IT-specific audits. For each type of audit, the chapter explains charac- teristics such as audit rationale, areas of focus, suitability for internal and external auditing approaches, applicable standards and guidance, and anticipated outcomes.

Chapter 6: IT Audit Components The IT domain is too broad to easily address as a whole, whether the topic is audit- ing, governance, operations, or any other key functions that organizations manage about their IT resources. Chapter 6 breaks down IT and associated controls into dif- ferent categories—reflecting decomposition approaches commonly used in IT audit methodologies and standards—to differentiate among IT audit activities focused on different IT components. The material in this chapter addresses technical as well as nontechnical categories, describing different technologies and architectural layers, key processes and functions, and aspects of IT programs and projects that are also often subject to audits.

Chapter 7: IT Audit Drivers Chapter 7 describes key types of external and internal drivers influencing organiza- tions’ approaches to IT auditing, including major legal and regulatory requirements as well as motivating factors such as certification, quality assurance, and opera- tional effectiveness. This chapter summarizes the audit-related provisions of major U.S. and international laws governing publicly traded firms and organizations in

xxvi CHAPTER Introduction

regulated industries such as financial services, health care, energy, and the public sector. It also explains the motivation provided by internally developed strategies, management objectives, and initiatives on the ways organizations structure their internal audit programs and external audit activities.

Chapter 8: IT Audit Process The IT audit process description provided in Chapter 8 explains in detail the steps organizations and auditors follow when performing audits. Although there is no single accepted standard process applicable in all contexts, most methodologies, frameworks, standards, and authoritative guidance on auditing share many common activities and process attributes, often traceable to the familiar plan-do-check-act (PDCA) model originally developed for quality improvement purposes. Chapter  8 focuses on the activities falling within the generic process areas of audit plan- ning, audit evidence collection and review, analysis and reporting of findings, and responding to findings by taking corrective action or capitalizing on opportunities for improvement.

Chapter 9: Methodologies and Frameworks Although the high-level process of auditing is very similar across organizations, industries, audit purposes, and geographies, there is a wide variety of methodolo- gies and control and process frameworks available for organizations and individual auditors to apply when performing audits. Almost all external auditors follow one or more of these approaches and many organizations choose to adopt established methodologies and frameworks as an alternative to developing their own. Chapter 9 presents the best-known and most widely adopted methodologies and frameworks, including those focused explicitly on auditing as well as those intended to support IT governance, IT management, information security, and control assessment.

Chapter 10: Audit-Related Organizations, Standards, and Certifications There are many standards development bodies and other types of organizations that produce and promote standards relevant to IT auditing and that offer professional certifications for individuals engaged in auditing or related disciplines. Chapter 10 identifies the most prominent organizations and summarizes their contributions to available standards and certifications.

  • Introduction
    • Information in this chapter:
    • Introduction to IT auditing
    • Purpose and rationale
      • Intended use
      • Key audiences
    • Structure and content
      • Chapter 1: IT Audit Fundamentals
      • Chapter 2: Auditing in Context
      • Chapter 3: Internal Auditing
      • Chapter 4: External Auditing
      • Chapter 5: Types of Audits
      • Chapter 6: IT Audit Components
      • Chapter 7: IT Audit Drivers
      • Chapter 8: IT Audit Process
      • Chapter 9: Methodologies and Frameworks
      • Chapter 10: Audit-Related Organizations, Standards, and Certifications


Information Technology Risk and Controls

2nd Edition

IPPF – Practice Guide

120366 PRO-GTAG_1_COVER.indd 1 3/28/12 2:18 PM


Our website has a team of professional writers who can help you write any of your homework. They will write your papers from scratch. We also have a team of editors just to make sure all papers are of HIGH QUALITY & PLAGIARISM FREE. To make an Order you only need to click Ask A Question and we will direct you to our Order Page at WriteEdu. Then fill Our Order Form with all your assignment instructions. Select your deadline and pay for your paper. You will get it few hours before your set deadline.

Fill in all the assignment paper details that are required in the order form with the standard information being the page count, deadline, academic level and type of paper. It is advisable to have this information at hand so that you can quickly fill in the necessary information needed in the form for the essay writer to be immediately assigned to your writing project. Make payment for the custom essay order to enable us to assign a suitable writer to your order. Payments are made through Paypal on a secured billing page. Finally, sit back and relax.

Do you need an answer to this or any other questions?

Do you need help with this question?

Get assignment help from Paper Writing Website and forget about your problems.

WriteEdu provides custom & cheap essay writing 100% original, plagiarism free essays, assignments & dissertations.

With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.

Chat with us today! We are always waiting to answer all your questions.

Click here to Place your Order Now