06 Aug In Module 3, we’ve learned about IT Auditing. Please review all materials posted in this module, and submit a thoughtful discussion post in response to the readings. Specifically, y
In Module 3, we've learned about IT Auditing. Please review all materials posted in this module, and submit a thoughtful discussion post in response to the readings. Specifically, you’ll have to:
(1) summarize and explain the main points of the articles that you choose from the assigned papers
(2) conclude with your own opinion about the issue being discussed in the article. Your opinion can be supported by personal experience, specialized publications, textbooks, and/or scholarly research.
Discussion posts should be no shorter than 200 words (approx. 10 lines of text) and cite at least three sources outside the textbook and follow APA Format.
Information Technology Auditing
A common mistake people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
Douglas Adams, author of The Hitchhiker’s Guide to the Galaxy
To err is human, but to really foul things up you need a computer.
Attributed to Paul R. Ehrlich, American biologist, author, and technology commentator
Module H Learning Objectives
Identify how the use of an automated transaction processing system affects the audit examination.
Understand the steps that are taken to determine whether an audit team can rely on IT controls.
Provide examples of general controls and understand how these controls relate to transaction processing in an accounting information system.
Provide examples of automated application controls and understand how these controls relate to transaction processing in an accounting information system.
Describe how the audit team assesses control risk in an IT environment.
Illustration of Automated Processing of Sales Transactions
Issues Introduced In IT Environments
Systematic vs. random processing errors
Lack of an audit trail
Inappropriate access to computer files and programs
Reduced human involvement in processing transactions
Reliance on IT Controls
Three major phases to determine reliability of controls
Determining the scope of the IT testing plan by carefully identifying each of the IT dependencies
Understanding the IT controls and processes that need to be tested for each IT dependency
Testing the IT controls
Types of IT Control Activities
Apply to all applications of an automated accounting information system
Seen as pervasive across the entire technological infrastructure at an audit client
Automated Application Controls
Applied to specific business activities within an accounting information system
Address relevant assertions about significant accounts in the financial statements
Categories of General Controls
Access to programs and data controls
Program change controls
Computer operations controls
Program development controls
Access to Programs and Data Controls
Provides reasonable assurance that access to programs and data is granted only to authorized users
Automatic terminal logoff
Review access rights and compare to usage (through logs)
Report and communicate security breaches
Timeline of the massive Equifax breach
Program Change Controls
Implemented by the entity to provide reasonable assurance that requests for modifications to existing programs
Are properly authorized and conducted in accordance with policies
Involve appropriate users participate in process
Are tested and validated prior to use
Have appropriate documentation
Two additional controls: related to “emergency” change requests and the migration of new programs into operations
Computer Operations Controls
Concerned with providing reasonable assurance that
The processing of transactions is in accordance with the entity’s objectives
Processing failures are resolved on a timely basis
Actions are taken to facilitate the backup and recovery of important data
Examples of Computer Operations Controls
Important roles in an IT environment
Systems analysts, programmers, computer operators, data conversion operators, librarians, control group
Important general control: separation of the duties performed by the
Computer Operations Controls: Files and Data
Three major objectives for files and data used in processing
The files used in automated processing are appropriate
The files are appropriately secured and protected from loss
Files can be reconstructed from earlier versions of information used in processing
Program Development Controls
Provide reasonable assurance that
Acquisition and development of new programs is properly authorized and conducted in accordance with policies
Appropriate users participate in process
Programs and software are tested and validated prior to use
Programs and software have appropriate documentation
Testing General IT Controls
General Controls and Assertions
General Controls: Category, Examples, and Objectives
Automated Application Controls
Controls applied to specific business activities within an accounting information system to mitigate the risk of material misstatement
Specific to each cycle (revenue and collection, acquisition and expenditure)
Organized into 3 Categories
Designed to provide reasonable assurance that data received for processing by the computer department have been
Accurately entered or converted for processing
Provide reasonable assurance that
Data processing has been performed accurately without any omission or duplicate processing of transactions
Test processing accuracy of programs
File and operator controls
Control total reports
Limit and reasonableness tests
Error correction and resubmission procedures
Provide reasonable assurance that
Output reflects accurate processing
Only authorized persons receive output or have access to files generated from processing
Review of output for reasonableness
Control total reports
Master file changes
Output distribution limited to appropriate person(s)
Automated Application Controls
Assessing Control Risk in an IT Environment
Identify specific types of misstatement that could occur
Identify points in the flow of transactions where misstatements could occur
Identify control procedures designed to prevent or detect misstatements
General controls and automated application controls
Evaluate design of control procedures
Are tests of controls cost-effective?
Does the design suggest a low control risk?
Points of Potential Misstatement in an IT Environment
Examples of Controls to Mitigate Risk of Material Misstatement
Testing Controls in an IT Environment
Inspection of documentation
Characteristics auditors must consider when evaluating
Possibility of temporary transaction trails
Uniform processing of transactions
Potential for errors and frauds
Potential for increased management supervision
Initiation or subsequent execution of transactions by computer
Use of cloud computing applications
Methods of Testing General Controls
Methods of Testing Automated Application Controls
Test Data Approach
Test data: Simulated transactions containing known errors to test the client’s controls
The Test of One
Only one type of each kind of transaction error needs to be tested
Because a client’s IT system processes transactions in the same manner every time, once the audit team is satisfied based on testing performed that an automated internal control activity operates effectively, there is no need to test the control activity again
Test Approach Data – Test of One
End-User Computing and other Environments
Lack of separation of duties
Lack of physical security
Lack of program documentation and testing
Limited computer knowledge of personnel
End-User Computing Control Considerations
Computer Operations Controls
Data Entry Controls
restricted access, standard screens and computer prompting, online editing and sight verification
transaction logs, control totals, data comparisons, audit trail
System Development and Modification Controls
End-User Computing in Service Organizations
Limit concentration of functions and increase supervision
Access to program and data controls are critical
Computer Abuse and Computer Fraud
The use of computer technology by perpetrator to achieve gains at the expense of a victim
Preventative: Stop fraud from entering system
Detective: Identify fraud when it enters system
Damage-limiting: Designed to limit the damage if a fraud does occur
Levels of Controls
Protecting the Computer from Fraud (Selected Controls)
INFORMATION IN THIS CHAPTER:
● Introduction to IT auditing ● Purpose and rationale for this book ● Intended use ● Key audiences ● Structure and content of the book ● Summary descriptions of each chapter
Introduction to IT auditing An audit is a systematic, objective examination of one or more aspects of an organization that compares what the organization does to a defined set of crite- ria or requirements. Information technology (IT) auditing examines processes, IT assets, and controls at multiple levels within an organization to determine the extent to which the organization adheres to applicable standards or requirements. Virtually, all organizations use IT to support their operations and the achievement of their mission and business objectives. This gives organizations a vested interest in ensuring that their use of IT is effective, that IT systems and processes operate as intended, and that IT assets and other resources are efficiently allocated and appro- priately protected. IT auditing helps organizations understand, assess, and improve their use of controls to safeguard IT, measure and correct performance, and achieve objectives and intended outcomes. IT auditing consists of the use of formal audit methodologies to examine IT-specific processes, capabilities, and assets and their role in enabling an organization’s business processes. IT auditing also addresses IT components or capabilities that support other domains subject to auditing, such as financial management and accounting, operational performance, quality assurance, and governance, risk management, and compliance (GRC).
IT audits are performed both by internal auditors working for the organization subject to audit and external auditors hired by the organization. The processes and procedures followed in internal and external auditing are often quite similar, but the roles of the audited organization and its personnel are markedly different. The audit criteria—the standards or requirements against which an organization is compared during an audit—also vary between internal and external audits and for audits of different types or conducted for different purposes. Organizations often engage in IT audits to satisfy legal or regulatory requirements, assess the operational effec- tiveness of business processes, achieve certification against specific standards, demonstrate compliance with policies, rules, or standards, and identify opportuni- ties for improvement in the quality of business processes, products, and services. Organizations have different sources of motivation for each type of audit and
xxii CHAPTER Introduction
different goals, objectives, and expected outcomes. This book explains all of these aspects of IT auditing, describes the establishment of organizational audit programs and the process of conducting audits, and identifies the most relevant standards, methodologies, frameworks, and sources of guidance for IT auditing.
Purpose and rationale The use of IT auditing is increasingly common in many organizations, to validate the effective use of controls to protect IT assets and information or as an element of GRC programs. IT auditing is a specialized discipline not only in its own right, with corresponding standards, methodologies, and professional certifications and experi- ence requirements, but it also intersects significantly with other IT management and operational practices. The subject matter overlap between IT auditing and network monitoring, systems administration, service management, technical support, and information security makes familiarity with IT audit policies, practices, and stand- ards essential for IT personnel and managers of IT operations and the business areas that IT supports. This book provides information about many aspects of IT audits in order to give readers a solid foundation in auditing concepts to help develop an understanding of the important role IT auditing plays in contributing to the achieve- ment of organizational objectives. Many organizations undergo a variety of IT audits, performed by both internal and external auditors, and each often accompanied by different procedures, methods, and criteria. This book tries to highlight the common- alities among audit types while identifying the IT perspectives and characteristics that distinguish financial, operational, compliance, certification, and quality audits.
Intended use This book describes the practice of IT auditing, including why organizations con- duct or are subject to IT audits, different types of audits commonly performed in different organizations, and ways internal and external auditors approach IT audits. It explains many fundamental characteristics of IT audits, the auditors who perform them, and the standards, methodologies, frameworks, and sources of guidance that inform the practice of auditing. This is not a handbook for conducting IT audits nor does it provide detailed instructions for performing any of the audit activities mentioned in the book. Auditors or other readers seeking prescriptive guidance on auditing will find references to many useful sources in this book, but should look elsewhere—potentially including the sources referenced below—for audit check- lists, protocols, or procedural guidance on different types of IT audits. This book is intended to give organizations and their employees an understanding of what to expect when undergoing IT audits and to explain some key points to consider that help ensure their audit engagements meet their objectives. By covering all major types of IT auditing and describing the primary drivers and contexts for IT audits in most organizations, this book complements more detailed but narrowly focused
xxiiiPurpose and Rationale
texts intended to guide or instruct auditors in the step-by-step procedural execution of audits. The following are among recently published books especially relevant to IT auditing:
● IT Auditing: Using Controls to Protect Information Assets (2nd edition) by Chris Davis and Mike Schiller emphasizes auditing practices applicable to different types of technologies and system components.
● Auditor’s Guide to IT Auditing (2nd edition) by Richard Cascarino provides broad coverage of IT audit concepts and practices applicable to information systems, organized and presented in the context of major IT management disciplines.
● IT Audit, Control, and Security by Robert Moeller highlights requirements, expectations, and considerations for auditors of IT systems stemming from prominent laws, frameworks, and standards.
● Information Technology Control and Audit (4th edition) by Sandra Senft, Frederick Gallegos, and Aleksandra Davis approaches IT auditing drawing largely on practice guidance and governance frameworks defined by ISACA, particularly including COBIT.
● The Operational Auditing Handbook: Auditing Business and IT Processes by Andrew Chambers and Graham Rand focuses on operational auditing and uses a process-based approach to describe auditing practices for different organizational functions.
● The ASQ Auditing Handbook (4th edition) edited by J.P. Russell offers prescriptive guidance for quality auditors, particularly those following the quality auditor body of knowledge defined by the American Society for Quality (ASQ) and its Certified Quality Auditor Certification Program.
Key audiences This book provides a treatment of IT auditing that emphasizes breadth rather than depth. Audit professionals engaged in performing IT audits have a variety of stand- ards, guidance, and prescriptive procedures for thoroughly and effectively con- ducting various types of IT audits. Auditors and other consulting or professional services practitioners who regularly conduct audits may find the information in this book useful as a point of reference, but will likely rely on more detailed, purpose- specific sources to assist them in their work. Auditors are important stakeholders in IT auditing, but only one of many groups involved in IT auditing or affected by how it is carried out. The material in this book is intended primarily to help develop an understanding of auditing purposes and practices to nonauditor groups such as operational and administrative personnel, managers, and IT program and project staff, all of whom may be required to furnish information to or otherwise support external or internal audits in their organizations. It also provides an explanation of IT auditing suitable for practitioners focused on other aspects of IT management or on the performance of functions supported by IT audits such as GRC, quality man- agement, continuous improvement, or information assurance.
xxiv CHAPTER Introduction
Structure and content This book could not hope to provide, and is not intended to be, a substitute for for- mal standards, protocols, and practice guidance relevant to IT auditing. What it does offer is a thorough introduction to many aspects of IT auditing and the role of IT audits within the broader context of other major forms of audits. The book is structured in a way that should be equally helpful to readers looking for informa- tion on a specific audit-related subject or for those interested in developing a more general understanding of the IT audit discipline. The material in the early chap- ters focuses on describing why organizations undergo different types of audits and what characteristics distinguish those types of audits from each other. References provided in each chapter, in addition to the information in the last two chapters in the book, should help direct readers to authoritative sources of guidance on vari- ous aspects of auditing and to the major standards organizations and professional associations shaping the evolution of the field. This book does not recommend a particular approach or methodology, but instead highlights the similarities among many of the most prominent frameworks, methodologies, processes, and standards in the hope that readers will recognize the basic aspects of IT auditing in any real- world context.
A brief summary of each chapter follows.
Chapter 1: IT Audit Fundamentals Chapter 1 establishes a foundation for the rest of the material in the book by defin- ing auditing and related key terms and concepts and explaining the nature and rationale for IT auditing in different organizations, differentiating internal from external audits in terms of the reasons and requirements associated with each per- spective. It also identifies organizations and contexts that serve as the subject of IT audit activities and describes the individuals and organizations that perform audits.
Chapter 2: Auditing in Context Chapter 2 emphasizes the practical reality that IT auditing often occurs as a compo- nent of a wider-scope audit not limited to IT concerns alone, or a means to support other organizational processes or functions such as GRC, certification, and quality assurance. Audits performed in the context of these broader programs have different purposes and areas of focus than stand-alone IT-centric audits, and offer different benefits and expected outcomes to organizations.
Chapter 3: Internal Auditing Chapter 3 focuses on internal IT auditing, meaning audits conducted under the direction of an organization’s own audit program and typically using auditors who are employees of the organization under examination. This chapter highlights the
xxvStructure and Content
primary reasons why organizations undergo internal audits, including drivers of mandatory and voluntary audit activities. It also describes some of the benefits and challenges associated with internal auditing and characterizes the role, experience, and career path of internal IT audit personnel.
Chapter 4: External Auditing Chapter 4 provides a direct contrast to Chapter 3 by addressing external auditing, which bears many similarities to internal auditing but is, by definition, conducted by auditors and audit firms wholly separate from the organization being audited. This chapter identifies the key drivers for external audits, explains the role of inter- nal staff in preparing for and supporting external audits, and describes benefits and challenges often encountered by organizations subject to such audits. Because audited organizations often have to choose their external auditors, the chapter also discusses the process of selecting an auditor, the registration requirements applica- ble to auditors in many countries, and key auditor qualifications.
Chapter 5: Types of Audits Chapter 5 offers an overview of the major types of audits organizations undergo, including financial, operational, certification, compliance, and quality audits in addition to IT-specific audits. For each type of audit, the chapter explains charac- teristics such as audit rationale, areas of focus, suitability for internal and external auditing approaches, applicable standards and guidance, and anticipated outcomes.
Chapter 6: IT Audit Components The IT domain is too broad to easily address as a whole, whether the topic is audit- ing, governance, operations, or any other key functions that organizations manage about their IT resources. Chapter 6 breaks down IT and associated controls into dif- ferent categories—reflecting decomposition approaches commonly used in IT audit methodologies and standards—to differentiate among IT audit activities focused on different IT components. The material in this chapter addresses technical as well as nontechnical categories, describing different technologies and architectural layers, key processes and functions, and aspects of IT programs and projects that are also often subject to audits.
Chapter 7: IT Audit Drivers Chapter 7 describes key types of external and internal drivers influencing organiza- tions’ approaches to IT auditing, including major legal and regulatory requirements as well as motivating factors such as certification, quality assurance, and opera- tional effectiveness. This chapter summarizes the audit-related provisions of major U.S. and international laws governing publicly traded firms and organizations in
xxvi CHAPTER Introduction
regulated industries such as financial services, health care, energy, and the public sector. It also explains the motivation provided by internally developed strategies, management objectives, and initiatives on the ways organizations structure their internal audit programs and external audit activities.
Chapter 8: IT Audit Process The IT audit process description provided in Chapter 8 explains in detail the steps organizations and auditors follow when performing audits. Although there is no single accepted standard process applicable in all contexts, most methodologies, frameworks, standards, and authoritative guidance on auditing share many common activities and process attributes, often traceable to the familiar plan-do-check-act (PDCA) model originally developed for quality improvement purposes. Chapter 8 focuses on the activities falling within the generic process areas of audit plan- ning, audit evidence collection and review, analysis and reporting of findings, and responding to findings by taking corrective action or capitalizing on opportunities for improvement.
Chapter 9: Methodologies and Frameworks Although the high-level process of auditing is very similar across organizations, industries, audit purposes, and geographies, there is a wide variety of methodolo- gies and control and process frameworks available for organizations and individual auditors to apply when performing audits. Almost all external auditors follow one or more of these approaches and many organizations choose to adopt established methodologies and frameworks as an alternative to developing their own. Chapter 9 presents the best-known and most widely adopted methodologies and frameworks, including those focused explicitly on auditing as well as those intended to support IT governance, IT management, information security, and control assessment.
Chapter 10: Audit-Related Organizations, Standards, and Certifications There are many standards development bodies and other types of organizations that produce and promote standards relevant to IT auditing and that offer professional certifications for individuals engaged in auditing or related disciplines. Chapter 10 identifies the most prominent organizations and summarizes their contributions to available standards and certifications.
- Information in this chapter:
- Introduction to IT auditing
- Purpose and rationale
- Intended use
- Key audiences
- Structure and content
- Chapter 1: IT Audit Fundamentals
- Chapter 2: Auditing in Context
- Chapter 3: Internal Auditing
- Chapter 4: External Auditing
- Chapter 5: Types of Audits
- Chapter 6: IT Audit Components
- Chapter 7: IT Audit Drivers
- Chapter 8: IT Audit Process
- Chapter 9: Methodologies and Frameworks
- Chapter 10: Audit-Related Organizations, Standards, and Certifications
Information Technology Risk and Controls
IPPF – Practice Guide
120366 PRO-GTAG_1_COVER.indd 1 3/28/12 2:18 PM
Our website has a team of professional writers who can help you write any of your homework. They will write your papers from scratch. We also have a team of editors just to make sure all papers are of HIGH QUALITY & PLAGIARISM FREE. To make an Order you only need to click Ask A Question and we will direct you to our Order Page at WriteEdu. Then fill Our Order Form with all your assignment instructions. Select your deadline and pay for your paper. You will get it few hours before your set deadline.
Do you need help with this question?
Get assignment help from WriteEdu.com Paper Writing Website and forget about your problems.
WriteEdu provides custom & cheap essay writing 100% original, plagiarism free essays, assignments & dissertations.
With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.
Chat with us today! We are always waiting to answer all your questions.