Você está na página 1de 11

2012 IEEE 16th International Enterprise Distributed Object Computing Conference Workshops

Formalization of the IT Audit Management Process

Tiago Rosrio

Rben Pereira

Miguel Mira da Silva

Instituto Superior Tcnico,


Universidade Tcnica de Lisboa
Lisboa, Portugal
tiago.rosario@ist.utl.pt

Instituto Superior Tcnico,


Universidade Tcnica de Lisboa
Lisboa, Portugal
rubenfspereira@ist.utl.pt

Instituto Superior Tcnico,


Universidade Tcnica de Lisboa
Lisboa, Portugal
mms@ist.utl.pt

management process, taking into consideration the most


important frameworks of the area.
So, we propose to design the IT audit management
process and formalize it, using the Business Process Model
Notation (BPMN), considered a de-facto standard for
business process modelling [7], to represent it.
By formalization we mean the use of frameworks to
elicit IT Audit Management best practices and also the use
of BPMN development good practices to design the
process. Some IT frameworks describe activities and best
practices about how to perform an IT audit. To formalize
the process we elicit those practices, mitigate the overlaps,
and relate them to design the complete process.
To evaluate our proposal, we use Petri-Net which is a
modeling language that could be used to evaluate the good
construction of a BPMN design [8].
The research methodology used in this research is
Design Science Research (DSR). We will only use
constructs and models. Our constructs will be leveraged
based on literature review and practitioners expertise.
Afterwards we will integrate our constructs in order to
achieve our model in a complete and coherent context.
In the next section, we will describe the research
methodology used in this article. In section 3, we introduce
the problem we intend to help solve, followed by section 4
in which we perform a literature review that will be crucial
for our proposals coherence. Building on these findings, a
proposal for positioning and detailing the artifacts of IT
audit management is made in section 5. Then, we detail the
evaluation of our artifacts in section 6 and end with our
conclusion and future work in section 7.

Abstract Audit is an independent activity that employs


standardized methods to evaluate and improve the effect in the
process of compliance and control in order to help the
organization achieve its goals. Nowadays, the current audit
management process is costly and requires a high effort since
there is a high amount of resources and used assets needed.
This happens due to the large number of regulations with
which it is crucial to comply. However, there are several
frameworks which bring uncertainty and complexity to an
organization. We intend to analyze the most important
frameworks, elicit the needed requirements and use them to
formalize the IT audit management process. Our work is
important since a formalization of the IT audit management
process is still missing and organizations keep struggling with
so many frameworks in the market. Thus, organizations can
achieve an improvement in their audits performance and an
improvement on the analyses of their internal controls and
compliance requirements.
Keywords - IT Audit Management; Formal Process;
Compliance; Petri Nets; Business Process Model
I.

INTRODUCTION

Audit is an important way for organizations to


guarantee a good internal control system and compliance
with all requirements [1] since it is an independent and
objective assurance activity that employs systemized and
standardized methods to obtain evidences [2], evaluate and
improve the effect in governance, risk management, control
and compliance [3].
Despite the importance of auditing, its costs are high
due to both the existence of the many regulations and
frameworks [1], and the costs of ensuring control
implementation [4]. Besides that, the audit activity has
become more complex due to the introduction of
information technology (IT) in organizations [4]. This
makes the effectiveness of the audit low since there is an
excessive consumption of assets and resources [5] as well
as more misunderstandings and frameworks to consider.
Since the definition of formal procedures to perform
audits can bring benefits to organizations [5], and it is
known that IT has become crucial to the support,
sustainability and growth of the business [6], in this
research we want to build a formalization of the IT audit
978-0-7695-4786-2/12 $26.00 2012 IEEE
DOI 10.1109/EDOCW.2012.11

II.

PROBLEM

Nowadays organizations are facing an increasing


number of regulations and frameworks with which it is
necessary to be compliant [5][9] as well as an increasing
number of required internal controls [10]. However,
frameworks are seen as complex [11], too general [12],
lacking a theoretical foundation from a scientific viewpoint
[13], overlapping each other [14] [15], and hard to
implement [16]. In addition, the way frameworks are
analyzed has also become more complex over the time

[17]. Given such facts, audit has grown increasingly more


complex [4] and how it is perform is affected.
Since audit is a crucial way for organizations to achieve
their goals and it is known that IT has become crucial to the
support, sustainability and growth of the business [6], IT
audit management process activities need to be well
defined so that they may have a high level of maturity [5],
and not be carried out in an ad-hoc way [5]. To achieve
these intents, activities need to be standardized and the IT
audit management process needs to be well defined [1][5].

composed by two stages whereas and the evaluation


process is comprised by only one (Table I). This kind of
research approach was already used in other authors
articles as [8] or [20].
The approach used in this paper follows the conceptcentric methodology of IS literature reviews as outlined in
Webster and Watson [22].
In this article we evaluated our artifacts through
interviews and Petri-Nets. In addition, by submitting
scientific publications to respected international
conferences, we also used the appraisal of the scientific
community as evaluation criteria.

We intend to formalize the IT audit management


process by taking into consideration the most important
frameworks of the area and contribute to solve this
problem. Without the formalization of the process audit
will, in most cases, keep being performed in an ad-hoc
way.
III.

IV.

In this section we will begin by defining some concepts


in the studied domain. As we read the literature, we can
find that for some authors same concepts have different
meanings. We also provide a literature review about the
main concepts of the studied domain, hoping to bring some
clarification to the area.
Therefore, as our work focus is IT, we will specify the
concept and objectives of the compliance and audit for IT.

RESEARCH METHODOLOGY

We constructed and evaluated new and innovative


artifacts following the design research paradigm [18].
Based on the four design artifacts produced by design
science research in information systems - constructs,
models, methods and instantiations - we will focus on
constructs and models. Constructs are necessary to describe
certain aspects of a problem domain [19]. In other words,
they provide the language in which problems
TABLE I.

A. Main Concepts Definition


The main identified concepts of the area were
compliance, audit, assessment and assurance. These
concepts are crucial to our study domain and they have
many points in common, despite their differences. As a
result, we intend to help clarify these concepts as well their
relations.
We finish this section by presenting a graphical
representation [23] of the relation between the concepts.
1) Compliance
In an organizational context, compliance describes the
processes that ensure the adherence of an organization to
regulatory, legal, contractual and other obligations.
Compliance needs to be aligned with governance since
there is a set of policies and procedures which deal with
aspects of these legal and regulatory requirements [24]. For
each new law or regulation, new internal policies and
procedures are designed to deal with the rule specifications
[25]. In order to achieve compliance with regulations,
organizations must ensure that their business practices are
in accordance with these requirements [26].
Compliance is responsible for design compliant
business processes. However, auditors need to complement
this task because some deviations from an

RESEARCH METHODOLOGY
Build

Evaluate

Constructs Definition:

IT audit management
process Construction:

Evaluation
:

- Domain definition
- Audit Phases
- IT Audit roles
- IT Audit main activities

- Analyze the
relationship between
constructs
- Integrate constructs

- Petri-nets
-Interviews

LITERATURE REVIEW

and solutions are defined and communicated in [20].


Models use constructs to represent a real world situation,
the design problem and the solution space [21]. Our
constructs will be: domain definition, audit phases, IT audit
roles and IT audit main activities. The model will be the
formalized IT audit management process.
The methodology applied is divided according to the
two processes of design science research in Information
Systems (IS), build and evaluate. The build process is

Figure 1. Compliance Structure

B. IT Compliance
Since IT is becoming pervasive in any organization of
the world [22], IT decisions cannot be primarily based upon
technology updates, storage capacity or cost savings
independently of legal and compliance considerations [29],
so it is imperative for IT departments to ensure that their
applications meet all compliance requirements that govern
their products, services, and other activities [8].
When we talk of IT compliance, we are mainly
focusing on metering and auditing software licenses,
authorization and authentication for IT resource usage,
physical security for computer systems, data centers,
policies and procedures for IT operations and help desk
support, protecting the privacy of data stored on computer
systems, and prevention and detection of illegal activities
[5].
IT influences the achievement of compliance because
automation is a way to perform an efficient validation of
compliance requirements and it also improves controls
[26]. Since corporations heavily depend on IT systems for
their daily operations, it is natural that IT systems play a
greater role in meeting the compliance requirements [8].

expected business process might occur [2].


Compliance Management can be described as the
process of adherence to professional codes of practice,
policies and decisions as well as the process that assures
conformity within regulations, controlling all the activities
of the organization and reporting the right information to
the right people [27].
Figure 1 presents the structure of compliance field
containing all compliance subjects that must be taken into
consideration [5][ 21][28].
2) Audit
Audit is an independent and objective assurance activity
[2][26] that employs systemized and standardized methods
[5] to evaluate and improve the process of governance, risk
management, control and treatment, so as to help the
organization achieve its objectives [3].
3) Assurance
Assurance is one of the audits main functions [26] and
it includes an objective examination of evidence [5]
intended to provide confidence as well as providing
accurate and current information about the efficiency and
effectiveness of policies and operations, and the status of
compliance with the statutory obligations [1].
The other audit functions are oversight, control,
advisory services, assessments and recommendations [26].
4) Assessment
Assessment is a concept which is more difficult to
define since this term is used in many different ways.
However, the main assessment approaches were identified:

C. IT Audit
Audit is a systematic, independent and documented
process for obtaining audit evidences and its objective
assessment in order to determine the extent to which audit
criteria are satisfied [2]. Audit evidences are records,
statements or other information that is verifiable and
relevant to audit criteria. Audit criteria are a set of policies,
procedures or requirements.
IT auditors role is becoming crucial to organization
success since their work evolved from monitoring and
evaluation to the identification, consultation [43] and
partner of senior management [42]. They are now,
counsellors in advising on IT control issues as they relate to
business processes [42], promoting the collaboration and
integration of the corporate governance and modern
internal controls [43]. They are also a partner in helping
managers develop and implement the policies needed to
attain information assurance [42]. The transformation is
also conducive to the unity of the external accountability
and the internal accountability of all types of enterprises
[43].
So, IT audits ensure that organizations monitor how
they do business and protect the interests of main
stakeholders as managers, employees, customers, and
investors [42].
One of the audits fundamental purposes is to ensure the
correct implementation of certain frameworks and
standards [1][30]. To improve the management of IT,
organizations are using practice frameworks (Cobit, ITIL,
etc) to ease the work [30]. It is the responsibility of the
audit team to test if they are well implemented [1]. IT audit
represents a procedure used to assess whether the IT acts in
the function are successfully accomplishing the business
objectives. An IT audit definition is given by [1]:
IT audit is the process of gathering and
evaluating evidence based on which one can

Risk assessment: is a way to estimate the


probability and the consequences of negative
outcomes for humans, property or the environment
[26]. Risk assessments are typically conducted on
regulations, policies, processes, strategies, and
other attributes of an organization [1][5].
Assessment as part of audit function: Audit adds value
by assessing and making recommendations on the
effectiveness of the mechanisms that are in place to ensure
an organization achieves its objectives [21] by performing
this function in a way that demonstrates informed and
accountable decision-making with regard to ethics,
compliance, risk, economy, and efficiency [5].
5) Conceptual Map
Figure 2 shows a representation of the defined concepts
and the relationships between them.

Figure 2. Conceptual Map

TABLE II.
Phases
Planning

Sub-Phases

Frameworks /
References

Description
Determination of what is intended to be accomplish with the audit accordingly with the
requirements analysis
Scheduling of audit in cooperation with the audit entity

[32], [41], [42]


ISO 19011 ([2])
[1], [31], [32], [41], [42]

Selection of auditors to perform the audit


Performance of a preliminary survey of the area to be audited to understand what the
audit will entail

ISO 19011
[1], [32]

Define procedures

Preparation of audit procedures list for the area being audited

[1], ISO 19011

Audit support documents


preparation

Development of standard audit checklists and other support documents for the areas
being audited

[31] , [32], ISO 19011

Kick-off meeting

Performance of a kick-off meeting with the audited entity to communicate what is in and

[32], ISO 19011

Establish audit objectives


Establish audit scope and
schedule
Audit team selection
Obtain preliminary background
of audited areas

Preparation

AUDIT PHASES

out of audit scope, and also establishment of procedures needed to perform the audit
Execution

Reporting

Collection of evidences and


issues
Audit findings analysis and
recommendations elaboration
Closing meeting

Collection of information to assess the actual state of audited areas and elicit issues
Analysis of collected information and proposal of recommendations and action plans

Audit report preparation,

Performance of a closing meeting with the audited entity to communicate what is the
main findings
Writing of an audit report which document all information about the audit and approval

approval and distribution

and distribution of the audit report

evaluate the performance of IT systems, i.e., to


determine whether the operation of IS in the
function of preserving the property and maintain
data integrity.
IT audit also includes the use of IT to support audits [1]
which allows more efficient ways of analyzing the
effectiveness of the implemented controls [5].
V.

PROPOSAL

Our proposal starts with an analysis of the main


frameworks and literature to elicit the phases, roles and
activities included in the IT audit management process.
Then, after leveraging this information, we design the IT
audit management process. Each phase have associated
multiple activities which are the basis of processes, subprocesses and tasks in the proposed IT Audit Management
Process.
A. Audit Phases
IT audit management process could be described as a
set of phases, each one with a well defined purpose [1].
Through the analysis of some audit management processes
descriptions [1][2][5][6][31][32], we were able to
distinguish four major general phases (Table II).
These phases are the sub-processes of the IT Audit
Management Process and they have another decomposition
in another sub-processes also described in
TABLE III.

AUDIT ROLES AND REFERENCES

Role
Audit Manager or Board Audit
Committee
Audit Team
Audited Entity

Reference
[1][2][5][6][24][26][32]
COBIT([40])
[1][2] [6] [31][32]
[2][5] [6] [26][31]

[1], [31], [32], [41], [42]


ISO 19011
[1], [31]. [32], [41], [42]
ISO 19011
[1], [31], ISO 19011
[1], [31], [32], [41], [42]
ISO 19011

table II.
Besides the described steps, there are other more
specific steps that an auditor should consider, e.g. to
identify events that have not yet been analyzed [1].
Building on these facts and taking into consideration that
IT is becoming increasingly important for audits [8][29]
and more frameworks and regulations appear daily [1][30],
to develop our solution we will analyze some of the most
known frameworks of the area (IT frameworks and also
non IT frameworks) as well as some of the most relevant
literature.
B. Audit Roles
The audit roles as well as the references from where we
elicit them are listed in table III.
C. Audit Activities
After a deep analysis of the main literature and
frameworks of the area, we identified what we consider to
be the main activities for IT audit management that we list
in Table IV as well as the correspondent references.
D. IT Audit Management Process in BPMN
After the definition of our constructs artifacts (IT audit
phases, roles and IT audit activities), we are able to design
the IT audit management process. In Figure 3 we present
our IT audit management process which is composed by
several sub-processes which will not be detailed in this
article given to space limitations. Also due to these
limitations, since internal and external audits are very
similar, we only include the representation of the internal
audit process BPMN.
VI.

EVALUATION

We conducted our research in order to avoid and fill


literature gaps. Since we based our research on the main

TABLE IV.

AUDIT ACTIVITIES AND REFERENCES

Responsibility/ Functionality
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

Frameworks/ Ref.

Periodically conduct internal audits to verify anyone follow relevant guidelines for professional behavior, and process
compliance
Regularly evaluate the extent to which IT satisfies obligations (regulatory, legislation, law, contractual), internal policies,
standards, and professional guidelines ensuring that are timely, comprehensive, and suitable for the evaluation of the extent of
satisfaction of the business
Ensure that all actions relating to IT are ethical
Ensure auditors independence which constitutes the base of the audit impartiality
Regularly evaluate the organizations internal conformance to its system for governance of IT
Regularly check SI for compliance security implementation standards
Obtain assurance of compliance and adherence to all internal policies derived from obligations
Ensure that there are executing all security procedures to achieve compliance with security policies and standards
Assess/Reviewing performance against agreed-upon targets
Report performance
Monitor the performance of independent reviews, audits and examinations
Audit must contribute to the improvement of risk management processes in the firm
Form an independent committee to communicate with of board of directors
Perform internal and external audits in a similarly way. The differences should remain in the formality of the process (external
audit is more formal) and in the objectives (external audit also compromise audits to obtain certification)
Plan and agree audit requirements
Plan and agree audit activities
Use SI audit tools when possible, to prevent any possible misuse or compromise
Associate evidences to all audit findings
Analyze all findings in an objective way, to assess if audit criteria is reached
Write an audit plan which must describe the objectives of an audit
Write an audit plan which must describe the scope of an audit which describes the extent and boundaries of the audit, such as
physical locations, organizational units, activities and processes to be audited
Write an audit report that must include: audit objectives, audit scope, audited entity, audit team description, identification of the
organizational and functional units or processes audited and the time period covered, dates and places where audit occurred,
audit criterias, findings and conclusions
Ensure that audit report is reviewed, approved, and distributed to interested entities
Establish audit procedures
Allocate resources to established audit procedures
Perform team selection
Schedule audit and include this information in the audit plan document
Develop a list of feasible recommendations accordingly with audit findings
Develop a list of action plans accordingly with audit findings
Automate audit procedures when possible
Perform automated tests when applicable and collect evidences to determine if requirements are being followed
Perform a kick-off meeting so that audited entity know all the details behind audit
Gain preliminary understanding about the audited areas
Auditor should plan the application of audit techniques useful in a specific audit
The allocation of audit team should have in account the knowledge and competences of the auditors and their roles and
responsibilities should be assigned accordingly with this knowledge
The allocation of audit team should have in account budget associated with the audit
Appoint the audit team leader
Report to interested parts, the overall achievements of the audit
Ensure review and approval of audit report, and ensure it distribution to the audit interested parties
Establish an audit criteria which are used as a reference against which conformity is determined
Develop support documents which must be used to assess audit criteria compliance
Determine the feasibility of the audit accordingly with the existent time and resources
Take into account the audit objectives, scope, criteria and estimated duration of the audit in the allocation of resources
Perform an initial contact with the audited entity to explain the objectives, main procedures, to establish communication
channels and request access to the needed information
Perform documents and information assess about relevant aspects of the audited entity
Establish the roles and responsibilities of the audit team members accordingly with the needed procedures to perform the audit
Assign tasks to each team member accordingly with specific processes, functions, sites, areas or activities.
Review the information relevant to audit assignments
Prepare work documents as necessary for reference and for recording audit proceedings
Prepare support documents such as checklists and audit sampling plans, and forms for recording information
Raise evidences using methods such as interviews, observation of activities and review of documents
Evaluate evidences against the audit criteria to generate the audit findings
Perform a close meeting to present the audit findings and main conclusion to audited entity
Perform a close meeting to discuss and explain the recommendations and action plans to audited entity

literature of the area, we argue that the limitation pointed


out by Goeken [13] was fulfilled (frameworks lack
theoretical foundations). Plus, with the merging of the
frameworks in IT audit management activities, we argue

ISO 38500 ([37])


ITIL ([38])
COBIT ([40])
ISO 38500
ITIL
ISO 38500
ISO 19011
ISO 38500
ISO 27001
COBIT
ISO 27001
COBIT, ITIL
COBIT, ITIL
COBIT, ITIL
[5],[32]
[1],[24], [26]
[1],[5]
ISO 27001 ([39])
[1], [32], [42]
ISO 27001 ([39])
ISO 27001, ISO 38500
ISO 19011([2])
ISO 19011, [42]
ISO 19011, [1], [5], [26], [41]
ISO 19011
[1],[5], [26], [32]
ISO 19011, [41]
ISO 19011, [41]
ISO 19011, [1], [5]
ISO 19011, [1],[ 5], [31]
ISO 19011
ISO 19011
[1],[ 5],[31]
[5],[31]
[5],[31]
[1],[5],[32]
[3],[5]
[1],[6], [42]
[5], [1], [31]
[1], [32], [42]
ISO 19011
ISO 19011
ISO 19011
[5], [26], [31]
[5], [26], [31]
ISO 19011, [1], [31]
ISO 19011, [1], [42]
[5], [32], [42]
ISO 19011, [41], [42]
ISO 19011, [32]
[1], [42]
ISO 19011, [1], [42]
ISO 19011, [1], [31], [32], [41], [42]
ISO 19011, [1], [42]
ISO 19011, [1], [42]
ISO 19011, [1], [42]
ISO 19011, [1], [31], [32], [41], [42]
ISO 19011, [1], [32]
ISO 19011, [1], [31], [32], [41], [42]
ISO 19011, [31], [32], [41]

that the limitation stated by Pereira and Mira da Silva [14]


was fulfilled too (frameworks overlap each other).
To evaluate our proposal we will use both petri-nets to
understand if our IT audit management process is formal

Figure 3. IT Audit Management Process

PN is a formal modeling language that allows processes


analyzes [33]. Indeed, some attempts at defining a formal
semantics for a subset of BPMN have been done using PN
[34][45]. However there are some limitations in converting
BPMN to PN: (i) parallel multi-instance activities; (ii)
exception handling in the context of sub processes that are
executed multiple times concurrently; and (iii) OR-join
gateways [33].
So, in our evaluation we used YAWL net which is a
state-based language [34] that solves these limitations [35].
Since YAWL is based on PN, it also provides a firm basis
for the formal analysis of real-world services [34].
To evaluate the good construction of our BPMN
diagrams, we convert BPMNs into YAWL Nets using a
plug-in (BPMN2YAWL) and then we use YAWL editor
[34] which has a verification tool [36]. With the verification
tool we can ensure a lot of properties such as the deadlock
free, no dead task, proper completion, no OR-join and
soundness, etc [36].
An example of an obtained YAWL net is shown in
Figure 4 that was created through the conversion of the
macro IT Audit Management Process BPMN (the BPMN of
Figure 4). Given to space limitations we do not show the
other YAWL Nets created but this is an example of the
results.

Figure 4. YAWL Net associated to Collection of evidences

and use interviews in order to elicit some practitioner


viewpoint.
A. Petri-Nets
The modeling language used was BPMN. However, the
specification of BPMN notation does not include formal
semantics [44][34]. BPMN does not provide any meta
model for abstract syntax nor formal semantics [44]. Given
such facts we decided to use Petri-Nets (PN) to evaluate
our proposed process. Therefore we used YAWL that are
based on PN [34] to determine if our BPMN model of the
IT Audit Management Process was soundness as well as its
abstraction.
TABLE V.
Id
1

Type
Telecommu
nications

Consultant

Area
Information

Position
Director

RESPONDENTS DETAILS

Work Experience
Manager of Operations, Data Base Administration and Technical Support from 2002 to 2010

Systems

Sourcing and Staffing Manager since 2010

IT

SI Advisor from 1997 to 2001

Governance
and Project
Management

Senior Project
Manager

Process Manager from 2001 to 2005


Practice Manager from 2009 to 2011 in the areas of IT Governance

Risk
Management
and IT
Quality

Executive

Director at an IT Consulting firm from 1999 to 2000

Administrator

Software Administrator at IT Services from 2000 to 2003

Standards and

Executive

Operations

Coordinator

Administrator at an IT Consulting firm from 2003 to 2006 in the areas of SI Architecture, Risk
Management and Processes and IT Quality
Executive Coordinator from 1998 to 2012 in the area of Methodologies and Standards,
Processes and Procedures, Organizational Good Practices, Control Department and Software
Quality
Director at IT Risk and Compliance Department from 2007 to 2012

Senior Manager from 2009 to 2011 in the areas of IT Governance


Professor at Instituto Superior Tcnico from 1995 to 2005

Banking

Banking

Banking

Risk and
Compliance

Director

Banking

IT
Management

Executive
Manager

Software Development Manager from 2000 to 2005


IS Architectures Manager
Project Office Manager from 2008 to 2010
IT Users Relationship and Logical Architecture Manager from 2010 to 1012
Quality Management in the implementation of systems from 1994 to 1997
Perform of audits in IT Infrastructures and Systems from 1997 to 2001
Design and Development of systems compliant with ISO 9001 from 1997 to 2001

IT Services
7

Consultant

Management

CEO

Audit manager in security area in some projects


Coordinator to Audit and Quality area at Instituto de Informtica from Ministrio do
Trabalho e da Solidariedade Social (MTSS) from 2001 to 2011
CEO at an IT Services consulting firm

In the interviews, we used open-response questions


because of the nature of the information we need to elicit.
Complementarily, there are some questions in which
respondents should give a list of required concepts or ideas.

B. Interviews
We have already designed our solution based on the
main literature and frameworks of the area which gave us a
strong theoretical viewpoint. So, in order to provide some
practitioner viewpoint, we evaluated our proposal by
performing seven interviews at Portuguese organizations.
We used structured interviews to elicit IT audit
requirements from the field, covering a diverse sample of
organization types, sizes, and roles. Detailed information
about the respondents is provided in Table V. In spite of not
having a great number of interviews, the respondents have a
lot of experience in the area.
To support the interviews, we designed a questionnaire
in order to support and lead the discussion. The
questionnaire was divided into two sections. The first one
elicits requirements associated to the relationship of the IT
audit management. The second section elicits requirements
about how to perform the IT audit management process.

TABLE VI.
N
1

5
6
7

10

Furthermore, clarifications regarding the various


concepts used by the respondents were sought during the
conversation, so that later these descriptions could be
examined and matched to the more standard designations.
The interviews were conducted by one of the authors
over a one month period. Each session lasted from 1 to 2
hours and was transcribed into digital data for analysis.
1) Results Description
With the interviews, we could draw some conclusions
that provide insight into the current IT audit management
process. In table VI we describe the raised conclusions and
the interviewees that supported these conclusions. In the
results descriptions we rejected conclusions that were not
appointed by more than one interviewee or ill-founded
conclusions by respondents.
1) Requirements Elicited
We are then able to elicit the main requirements of the
IT audit management process based on practitioners
viewpoint. In Table VII we can see a summary of the elicit
requirements.
These requirements are the basis for a good IT audit
management process. In other words, IT audit management
process activities must ensure that these requirements are
provided. If indeed they are provided, the process can
ensure the needs of real organizations.
Looking at our proposal, we can note that the designed
BPMN activities ensure that these requirements are
included in the proposed IT Audit Management Process
(Table IX).

CONCLUSIONS RAISED

Conclusion
Interviewees
Audits are carried out mostly in the
1, 2, 3, 4, 5,
traditional manner. For example, audits are
performed using excel spreadsheets, which
6,7,8
are used in the form of a checklist.
Risk and compliance departments should be
independent and the audit department should
1, 3, 4, 5, 6
be completely independent. However, it is
essential that risk, compliance and audit
departments are strongly related.
Audit is still seen as something negative by
audited entities. The perception is that
1, 3, 4, 5, 6
auditors serve only to encounter problems
that affect the entities.
Audit objectives must be established
according to the managements needs. When
an audit is requested, there are specific needs 1, 2, 3, 4, 5, 7
by the entities who request it. So, the
objectives should be established according to
those requirements.
The audit report should include all the
findings and recommendations proposed by
1, 2, 3, 7
auditors.
All the information needed should be
collected, even if that implies to directly
2, 3, 7
interact with the audited entity individuals.
Related with the above conclusion, audit
team members can access all the information
2, 3, 7
needed, and use it as evidence when
necessary.
When a new audit begins, the audit team
should assess information about the oldest
2, 3, 4, 5, 7
audits that may help to conduct the new one.
Internal and external audits have separate
processes. Actually, the activities behind
1, 3, 4, 5, 6
both are very similar but in practice, internal
audits are less formal, and some activities
are not performing as theory suggests.
Internal audits results are compared to
external audits and this is a type of
1, 3, 6
evaluation made by an organization to
internal auditors since external audits are
seen as an accuracy audit.

TABLE VII.
Req. N
1

Conclusion
1

Ensure an efficient way to present audit

with accurate results.

results, i.e., reports should be prepared

Even pointing out problems, auditors


should propose recommendations and
action plans in the audit report to help
improve the audited entity.
During audit, the team must interview
individuals and access information (risk
reports, old audit reports, etc...).
Audit teams can collect all the needed
information and use it as evidence.

9
10

Design two separate processes


internal and external audits.

Elicit Requirement
Ensure a good selection of procedures
necessary to perform audits.
Continuously request
independent
external audits.
Ensure a relationship between audit and
risk management: audit
needs to reassess risks and test internal controls
associated to them; an audit could find
new threats that must be analyzed by
risk management.

REQUIREMENTS ELICITED

to

TABLE IX.
Concl.

Establish audit
objectives
Establish audit scope
and schedule

Obtain preliminary
background of
audited areas
Define procedures

Audit support
documents
preparation
Audit Management

Establish audit
objectives
Reporting

representation of the data elicited in table IV. In this graph,


it is possible to understand what activities are included in
each framework or literature. With this, we can also
understand the gaps and overlaps existing in audit
management process activities, which are present in all
frameworks and literature review.

REQUIREMENTS MAPPED ON PROPOSED PROCESS

Sub-Processes

Reporting

Tasks
Establish audit objectives
Understand time needed to perform audit
Understand resources needed to perform
audit
Understand audit boundaries
Define audit scope
Assess audited entity information
Assess information about audit
assignments
Define audit criteria
Plan audit procedures
Understand if some procedures could be
automatized
Understand if some procedures could be
automatized
Understand the needed audit techniques
Develop new support documents
Choose support documents
-

D. Proposal Limitations
Our proposal is based on literature review. We use it to
raise a set of audit related information. Of course that we
could analyze more references to further strengthen the
foundations behind our design.
Furthermore, a part of our proposal evaluation is based
on the elicitation of the actual IT audit management
process requirements in real organizations. We could
interview a bigger number of people so that it is possible to
ensure that there is no lack of requirements and to study
other types of organizations.
VII. CONCLUSION

Assess new requirements


Analize requirements
Write a detailed description of findings
Write a detailed description of issues

Our work aims to contribute to the IT audit


management process design, so that it is possible to have a
formal way of performing audits. Knowing that the
formalization of audit tasks is a difficult goal to achieve,
we believe that our work is another step to turn it a reality.
The main contributes of this research are:

The formalization of the IT Audit


Management Process based on both
theoretical and practitioners viewpoints;

The formalizations of the IT Audit


Management
Process
taking
into
consideration the best of each framework.

We demonstrated that our IT Audit


Management Process is formal which proves
its strong empirical validation.
In the future, this research can be complete with a more
empirical work in which we will be able to observe in real
organizations if their actual IT audit management process
is performed as designed here. Also the use of the proposed
IT audit management process in a real situation can give us
an idea of how ad-hoc is actually processed and what the
benefits of implementing a more formal IT audit
management process are.

Write a detailed description of


Recommendations
Write a detailed description of proposed
Action plans

Obtain preliminary

background of
audited areas

All

Collection of

All

evidences and issues


Audit findings
analysis and
recommendations
elaboration

Audit Management

All

C. Learnings
With this work, we can see that there is a lack of
frameworks that can cover the whole domain of the IT
audit management process. This is conveyed in the graph of
figure 5 where we can observe some statistical

REFERENCES
[1]
[2]
[3]

L.J. Tao, On How to Improve Organizations Internal Audit, IEEE


Jiaozuo, China, 2nd International Conference on Management Science
and Electronic Commerce, pp. 12581260, 2011.

[4]

P.F. Pai, M.F. Hsu and M.C. Wang, Computer-Assisted Audit


Techniques based on an Enhanced Rough Set Model, Seoul,
South Korea, Sixth International Conference on Networked
Computing and Advanced Information Management (NCM), pp.
207 212, 2007.
A. Tarantino, Governance, Risk and Compliance Handbook:
Technology, Finance, Environmental and International Guidance
and Best Practices. John Wiley & Sons, Hoboken, 2009

[5]

Figure 5. Statistical Results

S. Senft and F. Gallegos, IT Control and Audit, 3 rd ed., Taylor &


Francis Group, 2009.
ISO 19011, Guidelines for quality and/or environmental
management systems auditing , 2002.

[24] R. M. Steinberg, Governance, Risk Management, and


Compliance: It Can't happen To Us - Avoiding Corporate Disaster
While Driving Success, John Wiley & Sons, EUA, 2011.
[25] A. Mcdonough and S. Sackmann, Compliance and Organization
Value: How Markets React to Reported Lapses in Corporate
Governance, Organization Computing CEC '09 IEEE
Conference on Commerce, IEEE Computer Society, pp. 239-244., Austria, 2009.
[26] Thomson Reuters, Fundamental of GRC, The Connected Roles
of Internal Audit and Compliance, 2011.
[27] J. Bace and C. Rozwell, C., Understanding the Components of
Compliance, Gartner ID:G00137902, 2006.
[28] Banca DItalia, Supervisory Regulations: The Compliance
Function, 2007.
[29] B. Little, Whose Data is it Anyway?, Information Professional.
Vol. 4, Issue: 3, pp. 38-40, 2007.
[30] B. Adrian,Y. Beres and S. Shiu, Using Assurance Models in IT
Audit Engagements, Hewlett-Packard Development Company,
L.P., 2008.
[31] W. V. Grembergen and S. D. Haes, Enterprise Governance of
Information Technology: Achieving Strategic Alignment and
Value, Springer, 2009.
[32] C. Davis, M. Schiller and K. Wheler, IT Auditing: Using Controls
to Protect Information Assets, 2nd ed., 2011.
[33] R. M. Dijkman, M. Dumas and C. Ouyang, Formal Semantics
and Analysis of BPMN Process Models using Petri Nets,
Computer and Information Science, pp. 130, 2007.
[34] S. Sun, W.Song and L. Wen, Formal Semantics of BPMN
Process Models using YAWL, Intelligent Information
Technology Application on Second International Symposium
(IITA), IEEE pp. 70-74, 2008.
[35] G. Decker, R. Dijkman, M. Dumas and L. Garca-Nanuelos,
Transforming BPMN Diagrams into YAWL Nets, BPM '08
Proceedings of the 6th International Conference on Business
Process Management Decker, R. Dijkman, M. Dumas and L.
Garca-Banuelos, Springer-Verlag Berlin, Heidelberg, 2008.
[36] J. H. Ye, S. X. Sun L. Wen, W. Song, Transformation of BPMN to

[6] S. De Haes, W. Grembergen, Analysing the Relationship


between IT Governance and Business/IT Alignment Maturity, in
Proc. of the 41st Hawaii International Conference on System
Sciences (HICSS 08), IEEE, Jan. 2008, pp. 428-428, doi:
10.1109/HICSS.2008.66.
[7] G. Decker and A. Barros, Interaction Modeling using BPMN,
Proc. of the 2007 international conference on Business process
management (BPM'07), Sep. 2007, pp. 208-219, doi:
10.1007/BPM.2007.22.
[8] V. N. Gudivada and J. Nandigam, Corporate Compliance and its
Implications to IT Professionals, International Conference on
Information Technology: New Generations, ITNG. pp. 725-729,
USA, 2009.
[9] D. Radovanovic, T. Radojevic, D. Lucix and M. Sarac, IT audit
in accordance with Cobit standard, Proc. of the 33rd
International Convention on MIPR (MIPRO 10), IEEE, May
2010, pp. 1137-1141.
[10] D. Searcy, J. Woodproof and B. Behn, Continuous Audit: The
Motivations, Benefits, Problems, and Challenges Identified by Partners of
a Big 4 Accounting Firm, Proc. of the 36th Annual Hawaii International
Conference on System Sciences (HICSS03), IEEE, Jan. 2003, pp. 10, doi:
http://10.1109/HICSS.2003.1174565

[11] R. Pereira and M. Mira da Silva, A Maturity Model for


Implementing ITIL v3, 6th World Congress on Services
(SERVICES-1), , USA, 2010.
[12] S. Morimoto, Application of COBIT to Security Management in
Information Systems Development, Fourth International
Conference on Frontier of Computer Science and Technology
(FCST), China, 2009.
[13] M. Goeken and S. Alter, Towards Conceptual Metamodeling of
IT Governance Frameworks Approach Use Benefits, Annual
Hawaii International Conference on System Sciences (HICSS),
Hawaii, USA, 2009.
[14] R. Pereira and M. Mira da Silva, A Maturity Model for
Implementing ITIL V3 in Practice, 15th IEEE International
Enterprise Distributed Object Computing Conference Workshops
(EDOCW), Finland, 2011.
[15] S. Sahibudin, M. Sharifi, and M. Ayat, Combining ITIL, COBIT and
ISO/IEC 27002 in Order to Design a Comprehensive IT Framework in
Organizations, Second Asia International Conference on Modeling &
Simulation (AICMS), Malaysia, 2008.
[16] D. Nicewicz-Modrzewska and P. Stolarski, ITIL implementation roadmap
based on process governance, European University of Information
Systems (EUNIS), Denmark, 2008.

YAWL, Proc. of the 2008 International Conference on Computer Science


and Software Engineering (CSSE '08), Volume 02, Dec. 2008, pp. 354359, doi: http://10.1109/CSSE.2008.980.

[37] ISO 38500, Corporate governance of information technology,


2008.
[38] S. Taylor, M. Iqbal and M. Nieves, ITIL:TSO publications,
Norwith, 2007.
[39] ISO 27001, Information technology - Security techniques Information security management systems - Requirements,2005.
[40] IT Governance Institute, COBIT 4.1 Framework, 2007
[41] C. H. Wu, Y. E. Shao, B. Y. Ho and T. Y. Chang, On an Agentbased Architecture for Collaborative Continuous Auditing, Proc.
of the 12th International Conference on CSCW in Design
(CSCWD 2008), April, 2008.
[42] A. Carlin and F. Gallegos, IT Audit: A Critical Business
Process," Computer, vol. 40, no. 7, pp. 87-89, July 2007,
doi:10.1109/MC.2007.246.
[43] L. Yang, Study on the improvement of the Internal Audit Work in IT

[17] P. A. Griffin and D. H. Lont., An Analysis of Audit Fees


Following the Passage of Sarbanes-Oxley, Asia-Pacific Journal
of Accounting and Economics on Forthcoming, 2007.
[18] A. R. Hevner, S. T. March, J. Park and S. Ram, Design Science
in Information Systems Research,. Management Information
Systems Quarterly 28, pp. 75-105, 2004.
[19] D. A. Schon, Reflective practitioner: How Professionals Think in
Action, Basic Books, NY, 1983.
[20] H. A. Simon, The Sciences of the Artificial, MIT Press,
Massachusetts, 1996.
[21] P. Vicent and M. Mira Da Silva, A Conceptual Model for
Integrated Governance, Risk and Compliance,. H. Mouratidis &
C. Rolland, eds., 23rd International Conference on Ad-vanced
Information Systems Engineering, 6741, pp. 199-213. Springer,
London , 2011.
[22] J. Webster and R. T. Watson, Analyzing the Past to Prepare for
the Future: Writing a Literature Review, MISQ, 26, 2, xiii-xxiii ,
2002.
[23] M. Schermann T. Ohmann and H. Krcmar, Explicating Design
Theories with Conceptual Models: Towards a Theoretical Role of
Reference Models, In J. Becker, H. Krcmar & B. Niehaves, eds.,
Wissenschaftstheorie
und
gestaltungsorientierte
Wirtschaftsinformatik, pp. 175194, 2009.

Environment, Fourth International Symposium on Knowledge


Acquisition and Modeling (KAM), pp. 233 236, Oct. 2011.
[44] T. Takemura, Formal Semantics and Verification of BPMN Transaction
and Compensation, Asia-Pacific Services Computing Conference, IEEE
Press, pp. 284-290, New York, 2008.

[45] Verbeek, H., Aalst, W.: Woflan 2.0: A Petri-net-based Workflow


Diagnosis Tool. In: Nielsen, M., Simpson, D. (eds) Application
and Theory of Petri Nets 2000. LNCS, vol. 1825, pp. 475484.
Springer-Verlag, Berlin (2000)

10

Você também pode gostar