
9/19/2014

ISTN 715
Individual
Assignment
IT/IS Auditing

Rowen Sewmungal
209509607

Contents
Introduction ........................................................................................................................................... 2
Background ........................................................................................................................................... 2
Literature Review ................................................................................................................................. 3
What is an Audit ................................................................................................................................. 3
What is an Information System........................................................................................................... 3
Information Systems Audit ................................................................................................................. 3
IS Security Audit................................................................................................................................. 4
Methodology .......................................................................................................................................... 4
Author's Perspective ............................................................................................................................ 4
My perspective .................................................................................................................................... 5
Advantages and Disadvantages ........................................................................................................... 5
Advantages.......................................................................................................................................... 5
Disadvantages ..................................................................................................................................... 6
Challenges and Issues ........................................................................................................................... 6
Conclusion ............................................................................................................................................. 6
Reference List ........................................................................................................................................ 7

Page | 1

Introduction
An audit is an attempt to add credibility to a statement, a set of figures or an event. The auditing
profession has grown considerably over the years (Jackson & Stent, 2010).
An information technology audit, or information systems audit, is an examination of the management
controls within an information technology (IT) infrastructure (IT Audit & Advisory Services, 2014). The
evaluation of the evidence obtained determines whether the information systems are safeguarding assets,
maintaining data integrity, and operating effectively to achieve the organisation's goals or
objectives (IT Audit & Advisory Services, 2014). These evaluations may be performed in conjunction with
a financial statement audit, an internal audit, or another form of attestation engagement (IT Audit &
Advisory Services, 2014).

Background
The concept of IT auditing was formed in the mid-1960s. Since then, IT auditing has gone through
numerous changes, largely driven by advances in technology and the incorporation of technology into
business. Today many companies depend on information technology in order to operate their business at
all. This dependence led to the incorporation of the EDP (Electronic Data Processing) Auditors
Association on October 23, 1969. Its aims were to communicate the standards and controls necessary to
ensure the effective organisation and use of data processing resources, to foster training in EDP audit
techniques and approaches useful in problem solving, and to establish the concept of the EDP auditor
(Gunn, 2010).
In 1976-1977 six international districts were formed (four in the US, plus Canada and Rest of World), and
The EDP Auditor became The EDP Auditor Journal (Gunn, 2010).
In 1978 the Certified Data Processing Auditor designation was established (later renamed Certified
Information Systems Auditor, CISA). In 1979 a formal continuing education programme for CISAs was
founded, and the first chapters in Europe were formed in Tel Aviv (July) and Milan (December). In 1992
the first chapter in Africa, the South Africa Chapter, was started (Gunn, 2010). In 1993 members agreed
to the name change to Information Systems Audit and Control Association (ISACA) and a new logo was
introduced. In 1994 The EDP Auditor Journal became the IS Audit and Control Journal. In 1996 Erik
Guldentops championed the first edition of COBIT, Control Objectives for Information and Related
Technology (Gunn, 2010). In 1998 the IT Governance Institute was founded to advance international
thinking and standards in directing and controlling an enterprise's information technology. As of 2010,
ISACA had over 98,000 members, 88,000 CISA certifications issued, 21,000 candidates in the 2010
examinations, 190 chapters in 170 countries and assets of over US$66 million (Gunn, 2010).

Literature Review
What is an Audit
An audit is essentially an assessment of past events. The IS auditor is expected to follow the defined
audit procedure, apply established audit standards, gather sufficient evidence, and deliver an independent
judgement about internal controls (Cannon et al., 2006). If management's assertions and the auditor's
report agree, the findings can be expected to be truthful (Cannon et al., 2006). If management's
assertions and the auditor's report do not agree, that indicates a concern that warrants further
investigation (Cannon et al., 2006).
What is an Information System
Information systems have become an essential part of everyday life. From morning till evening, everyone
interacts with systems in one form or another (ICAI Knowledge Gateway, no date). The increased use of
technology has its drawbacks (ICAI Knowledge Gateway, no date). Organisations depend more and more on
technology for their daily tasks, for example management decision making and all business-related
activities (ICAI Knowledge Gateway, no date). As the use of technology and information systems grows,
the risks associated with technology also pose a growing number of threats to the information systems
(ICAI Knowledge Gateway, no date). The growing use of technology and the rising number of incidents
have made it vital for organisations to put appropriate controls in place (ICAI Knowledge Gateway, no
date). Controls can be categorised by their nature, namely preventive, detective and corrective, or by
other factors such as physical, logical or environmental (ICAI Knowledge Gateway, no date).

As computers became more sophisticated, auditors recognised that they had fewer and fewer findings
related to the correctness of calculations and more and more related to unauthorised access
(Bayuk, 2009). Furthermore, the checks and balances that had been devised to maintain the accuracy
of calculations were implemented as software change control mechanisms (Bayuk, 2009). These depend
heavily on security to enforce separation of duties between programming, testing, and
deployment staff (Bayuk, 2009). This meant that even programming changes relied in some
measure for their effectiveness on computer security controls (Bayuk, 2009). Today,
information systems audit seems practically synonymous with information security control testing
(Bayuk, 2009).
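Bayuk's point about separation of duties between programming, testing and deployment staff can be tested directly against a change log. The following is an added example written for this page, not code from the page or from Bayuk's article. It assumes a change management system that records the developer, tester and deployer of every production change, and a staff directory giving each person's team; the staff names, change identifiers, rule identifiers (SOD-SAME-PERSON, SOD-WRONG-TEAM) and sample records are constructed for illustration.

```python
"""Separation-of-duties test over a software change log.

Added example for this assignment; it is not code from the page or from
Bayuk's article. It assumes a change management system that records, for
every production change, who developed it, who tested it and who deployed
it, plus a staff directory mapping each person to a team. Field names,
rule identifiers and the sample records are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed staff directory: user -> team that the user belongs to.
DIRECTORY: Dict[str, str] = {
    "alice": "programming",
    "bob": "programming",
    "carol": "testing",
    "dave": "deployment",
    "erin": "deployment",
}

# Constructed change records: (change id, developer, tester, deployer).
CHANGE_LOG: List[Tuple[str, str, str, str]] = [
    ("CHG-1001", "alice", "carol", "dave"),   # roles properly separated
    ("CHG-1002", "bob", "bob", "dave"),       # developer tested own change
    ("CHG-1003", "alice", "carol", "alice"),  # developer deployed own change
    ("CHG-1004", "alice", "carol", "bob"),    # deployer is programming staff
    ("CHG-1005", "dave", "carol", "erin"),    # deployment staff wrote code
]

# Which team is expected to fill each role on a change.
ROLE_TEAM = {"developer": "programming", "tester": "testing", "deployer": "deployment"}


@dataclass(frozen=True)
class Finding:
    change_id: str
    rule: str      # hypothetical rule identifier
    detail: str


def check_change(change_id: str, developer: str, tester: str, deployer: str,
                 directory: Dict[str, str] = DIRECTORY) -> List[Finding]:
    """Return the separation-of-duties findings for one change record."""
    findings: List[Finding] = []
    roles = {"developer": developer, "tester": tester, "deployer": deployer}

    # Rule SOD-SAME-PERSON: no individual may hold two of the three roles
    # on the same change, whatever team they are in.
    for (role_a, user_a), (role_b, user_b) in combinations(roles.items(), 2):
        if user_a == user_b:
            findings.append(Finding(change_id, "SOD-SAME-PERSON",
                                    f"{user_a} acted as {role_a} and {role_b}"))

    # Rule SOD-WRONG-TEAM: each role must be filled by someone from the team
    # that owns that role; users missing from the directory are reported too.
    for role, user in roles.items():
        team = directory.get(user)
        if team != ROLE_TEAM[role]:
            findings.append(Finding(change_id, "SOD-WRONG-TEAM",
                                    f"{user} (team: {team or 'unknown'}) acted as {role}"))
    return findings


def audit_change_log(change_log, directory: Dict[str, str] = DIRECTORY) -> List[Finding]:
    """Run the checks over every record and collect all findings."""
    findings: List[Finding] = []
    for record in change_log:
        findings.extend(check_change(*record, directory=directory))
    return findings


def changes_with_findings(findings: List[Finding]) -> List[str]:
    """Change ids that need follow-up, in the order they were first flagged."""
    seen: List[str] = []
    for f in findings:
        if f.change_id not in seen:
            seen.append(f.change_id)
    return seen


if __name__ == "__main__":
    for f in audit_change_log(CHANGE_LOG):
        print(f"{f.change_id} {f.rule}: {f.detail}")
```

Run over the constructed log, the script flags four of the five changes (only CHG-1001 is clean). The second rule matters in practice because a change can pass the same-person test and still break the control, as CHG-1004 shows: three different people were involved, but the person who deployed is a programmer, so the security control that is supposed to keep developers out of production was not in force.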
Information Systems Audit
Effective management of information and the associated information technology (IT) has become
critically important to the survival and long-term success of any organisation
(Cascarino, 2007). This has arisen because of the increasing dependency on information and on the
systems that deliver it, together with the cost and scale of future investment in IT (Cascarino, 2007).
As a consequence, management has heightened expectations of delivery from IT functions and demands
improved quality with shorter delivery times and better service levels at lower cost (Cascarino, 2007).
In addition, the growing potential for threats such as information warfare or cyber terrorism has added
a new awareness (Cascarino, 2007). At the same time, the potential for technology to transform
organisations and their business processes creates new business opportunities and offers the prospect
of dramatically reducing costs (Cascarino, 2007).

IS audit has conventionally been based on the paradigms that control equals management control, that
management control starts with governance, that top management can control everything, and that
control is imposed (Cascarino, 2007). Today's business conditions suggest that a more suitable,
re-engineered paradigm is one in which continuous improvement places control with the owners of the
process (Cascarino, 2007). The role of IS audit must change to reflect this new reality. That IS audit is
ultimately accountable to the organisation will not change; however, the process owners are
becoming the custodians of internal control rather than the conventional management structures
(Cascarino, 2007). IS auditors commonly become specialists in describing the best design and
implementation of all types of controls (Cascarino, 2007). IS auditors are not, however, expected to
equal, let alone exceed, the technical and operational knowledge relating to the numerous activities
of the organisation (Cascarino, 2007). Nevertheless, they can help the responsible individuals
achieve more effective outcomes by appraising the existing controls and providing a basis for
enhancing them (Cascarino, 2007).
IS Security Audit
The theft of information, designs, plans and customer lists can be as disastrous to an organisation as
the theft of money, so the auditor needs to consider the controls in place to prevent theft or
embezzlement (Cannon et al., 2006). Fraud is defined as falsification to gain an advantage. Electronic
records may be forged remotely for the purpose of deception, concealment, or fraudulent transfer
(Cannon et al., 2006). The main difficulty when dealing with IS/IT security during an audit is verifying
who is authorised to access particular data held in the company's databases, and making sure that the
data is not being manipulated by anyone in the company who lacks that authorisation (Cannon et al.,
2006).
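The check described above, that only authorised users read or alter particular data, is the kind of test an auditor can run over an application's database access log against the authorisation matrix agreed with management. The following is an added example written for this page, not code from the page or from Cannon et al. It assumes the log line format shown in SAMPLE_LOG, a role-based authorisation matrix (AUTH_MATRIX) and a user-to-role mapping (USER_ROLES); all three, and the log lines themselves, are constructed for illustration.

```python
"""Authorisation review of a database access log.

Added example for this assignment, not code from the page or from Cannon
et al. It assumes an application that writes one line per database
operation in the form shown in SAMPLE_LOG, a role-based authorisation
matrix agreed with management, and a user-to-role mapping. The matrix,
the mapping and the log lines are constructed for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) op=(?P<op>[A-Z]+) table=(?P<table>\w+) rows=(?P<rows>\d+)$"
)

# Operations that change data; an unauthorised one of these is manipulation,
# an unauthorised read is disclosure.
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}

# Constructed authorisation matrix: role -> table -> permitted operations.
AUTH_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "payroll_clerk": {"payroll": {"SELECT", "INSERT", "UPDATE"}, "employees": {"SELECT"}},
    "hr_analyst":    {"payroll": {"SELECT"}, "employees": {"SELECT"}},
    "dba":           {"payroll": {"SELECT", "INSERT", "UPDATE", "DELETE"},
                      "employees": {"SELECT", "INSERT", "UPDATE", "DELETE"}},
}

# Constructed user-to-role mapping (a user absent here has no authority at all).
USER_ROLES: Dict[str, str] = {"alice": "payroll_clerk", "bob": "hr_analyst", "carol": "dba"}

# Constructed log extract, including one malformed line.
SAMPLE_LOG = """\
2014-09-12T10:15:03 user=alice op=UPDATE table=payroll rows=3
2014-09-12T10:16:41 user=bob op=SELECT table=employees rows=120
2014-09-12T10:18:02 user=bob op=UPDATE table=payroll rows=1
2014-09-12T10:20:55 user=mallory op=SELECT table=payroll rows=500
2014-09-12T10:22:10 user=carol op=DELETE table=payroll rows=7
2014-09-12T10:25:00 user=alice op=DELETE table=employees rows=1
garbage line that the parser must not silently accept
"""


def parse_log(text: str) -> Tuple[List[dict], int]:
    """Parse log lines; returns (entries, number of malformed lines)."""
    entries: List[dict] = []
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            malformed += 1      # a gap in the audit trail is itself a finding
            continue
        e = m.groupdict()
        e["rows"] = int(e["rows"])
        entries.append(e)
    return entries, malformed


def is_authorized(user: str, op: str, table: str) -> bool:
    """True only if the user's role explicitly permits op on table (default deny)."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return op in AUTH_MATRIX.get(role, {}).get(table, set())


def review_access_log(text: str) -> Tuple[List[dict], int]:
    """Return (violations with role and impact attached, malformed line count)."""
    entries, malformed = parse_log(text)
    violations: List[dict] = []
    for e in entries:
        if is_authorized(e["user"], e["op"], e["table"]):
            continue
        v = dict(e)
        v["role"] = USER_ROLES.get(e["user"], "none")
        v["impact"] = ("unauthorized modification" if e["op"] in WRITE_OPS
                       else "unauthorized disclosure")
        violations.append(v)
    return violations, malformed


if __name__ == "__main__":
    found, bad = review_access_log(SAMPLE_LOG)
    for v in found:
        print(f"{v['ts']} {v['user']} ({v['role']}) {v['op']} {v['table']}: {v['impact']}")
    print(f"{bad} malformed line(s)")
```

Three of the six well-formed entries are violations: an HR analyst updating payroll, an unknown account reading payroll, and a payroll clerk deleting an employee record. The DBA's DELETE is permitted by the matrix and is not flagged, which is the point of comparing against the agreed matrix rather than against intuition. The malformed line is counted separately because an auditor cannot vouch for data that the log itself does not account for.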

Methodology
Author's Perspective
The principal methodology used for IT audits is COBIT (Control Objectives for Information and
Related Technology). COBIT was developed by ISACA. The COBIT control model comprises Security
(confidentiality, integrity, availability), Fiduciary (effectiveness, efficiency, compliance, reliability
of information) and IT Resources (data, application systems, technology, facilities, people)
(Spremic, 2011). The COBIT methodology is organised into four domains: Planning & Organising,
Acquisition & Implementation, Delivery & Support, and Monitoring (Spremic, 2011). Under these four
domains there are 34 processes in total that the auditor should follow (Cascarino, 2007).
For each IT control objective COBIT defines:

- performance goals and metrics (for example RPO, RTO, availability time);

- KRIs (key risk indicators) and KPIs (key performance indicators);

- maturity models (on a 0-5 scale) to assist in benchmarking and in decision making about process
improvements (Spremic, 2011);

- a RACI chart identifying who is Responsible, Accountable, Consulted and/or Informed for the
specific IT control objective.
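The performance goals listed above (availability, RTO, RPO) only help an auditor once they are measured against evidence and compared with the agreed targets. The following is an added example written for this page, not code from the page, from Spremic or from COBIT itself. It takes an outage log, a list of successful backup completion times and the targets for one control objective and reports which targets were met over a review period. TARGETS, OUTAGES, BACKUPS and PERIOD are constructed assumptions; in a real engagement they come from the SLA and from monitoring and backup records. It counts only downtime that falls inside the review period, and measures RPO exposure as the longest interval between consecutive successful backups.

```python
"""Measuring a control objective's performance goals against its targets.

Added example for this assignment; it is not code from the page or from
COBIT. It takes an outage log, backup completion times and the targets for
one control objective (availability, RTO, RPO) and reports which targets
were met over a review period. All figures below are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FMT = "%Y-%m-%d %H:%M"


def ts(s: str) -> datetime:
    """Parse a timestamp in the format used by the constructed records."""
    return datetime.strptime(s, FMT)


# Constructed targets for the control objective under review.
TARGETS = {
    "availability": 0.995,          # minimum fraction of the period the service is up
    "rto": timedelta(hours=4),      # longest tolerable single outage
    "rpo": timedelta(hours=24),     # longest tolerable interval between backups
}

# Review period: August 2014 (31 days = 744 hours).
PERIOD: Tuple[datetime, datetime] = (ts("2014-08-01 00:00"), ts("2014-09-01 00:00"))

# Constructed outage records: (start, end).
OUTAGES: List[Tuple[datetime, datetime]] = [
    (ts("2014-08-03 02:00"), ts("2014-08-03 03:30")),   # 1.5 h
    (ts("2014-08-17 22:00"), ts("2014-08-18 00:00")),   # 2.0 h
]

# Constructed successful backup times: daily at 01:00, except that the
# run on 18 August was skipped, leaving a 48 h gap.
BACKUPS: List[datetime] = [ts("2014-08-01 01:00") + timedelta(days=d)
                           for d in range(31) if d != 17]


def availability(outages, period) -> float:
    """1 - (downtime inside the period / length of the period)."""
    start, end = period
    downtime = timedelta(0)
    for o_start, o_end in outages:
        # Clip each outage to the period so that an outage straddling the
        # boundary is only counted for the part that falls inside it.
        lo, hi = max(o_start, start), min(o_end, end)
        if hi > lo:
            downtime += hi - lo
    return 1 - downtime / (end - start)


def worst_recovery_time(outages) -> timedelta:
    """Longest single outage: the measured counterpart of the RTO."""
    return max((e - s for s, e in outages), default=timedelta(0))


def worst_backup_gap(backups) -> timedelta:
    """Longest interval between consecutive backups: the measured RPO exposure."""
    times = sorted(backups)
    return max((b - a for a, b in zip(times, times[1:])), default=timedelta(0))


def evaluate(outages, backups, period, targets) -> Dict[str, dict]:
    """Compare each measured figure with its target and record pass/fail."""
    avail = availability(outages, period)
    rto = worst_recovery_time(outages)
    rpo = worst_backup_gap(backups)
    return {
        # availability must reach the target; RTO and RPO must not exceed it
        "availability": {"measured": avail, "target": targets["availability"],
                         "passed": avail >= targets["availability"]},
        "rto": {"measured": rto, "target": targets["rto"], "passed": rto <= targets["rto"]},
        "rpo": {"measured": rpo, "target": targets["rpo"], "passed": rpo <= targets["rpo"]},
    }


if __name__ == "__main__":
    for name, r in evaluate(OUTAGES, BACKUPS, PERIOD, TARGETS).items():
        status = "PASS" if r["passed"] else "FAIL"
        print(f"{name}: measured={r['measured']} target={r['target']} {status}")
```

With the constructed data the service passes its availability target (3.5 hours of downtime in 744, about 99.53%) and its RTO, but fails the RPO because the missed backup run opened a 48-hour window in which data could not be restored to within a day. A result like this is what feeds the KRI and maturity discussion: the control exists, but the evidence shows it is not operating reliably.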

My perspective
From reading the articles that were included in the assignment and those that were not, one can choose
which path to follow when doing an IT/IS audit. My perspective on the methods used in conducting an
IS/IT audit would not differ much from those I have read about. The first action I would take is to
create a plan of what to audit in the business's IT/IS and how to audit it. Once an audit
plan has been created, the systems and technology in use would be reviewed to check for any unusual
activity taking place on the system. This audit would take into account the network, the computers, the
software used and the users of these systems, in order to assess efficiency and to see whether the business
is complying with the standards and policies that apply to the IT sector. If any issues were
found, these would be presented in a report so that the manager(s) of the business can easily read through
them and form a plan of action to get the issues fixed, so that they are on par
when the next audit takes place.

Advantages and Disadvantages

Advantages

- Paying attention to the issues involved in establishing and maintaining an IT system can prevent
waste of money and resources, loss of trust, and reputational harm.

- Timely involvement by internal auditors can help ensure that problems are identified and resolved
at an early stage (QFinance, 2014).

- IT auditors can act as a bridge between individual business units and the IT function, point out
previously unknown risks, and propose controls for improving outcomes.

- An IT audit can identify IT weaknesses that could be exploited by a fraudster or that could
compromise compliance with data protection laws (QFinance, 2014).

Disadvantages

- Carrying out an IT audit and ensuring that staff have the required training can be time
consuming and expensive (although not doing so can be far more expensive) (QFinance, 2014).

Challenges and Issues

- Insufficient management involvement may lead to an ineffective IT function which, in turn,
does not support the needs of the business. This may give rise to difficulties such as the financial
systems being unable to meet new reporting requirements (which may arise from a change in
national accounting standards or in government requirements) (Scribd.com, 2014).

- Poor reporting structures leading to inadequate decision making. This might affect the
organisation's ability to deliver its services and might affect its prospects as a going
concern (one of the fundamental accounting principles) (Scribd.com, 2014).

- Unsuitable or absent IT development, so that business growth is hampered by a lack of IT
resources; for example, the manager reports to the chief executive that the system is unable to cope
with an increase in sales. Overloading a computer system may lead to degraded performance or
unavailability through communication bottlenecks or system crashes (Scribd.com, 2014).

- Ineffective staff who are unaware of their responsibilities (through poor recruitment
procedures or a lack of staff training or supervision). This increases the risk of staff making
errors and mistakes (Scribd.com, 2014).

- Disgruntled staff being able to sabotage the system, for instance when staff discover that they
are going to be disciplined or dismissed.

- An ineffective internal audit function which cannot adequately assess the computer systems and
the associated controls (Scribd.com, 2014).

- Loss of the audit trail due to inadequate document retention policies (covering paper as well as
magnetic and optical media).

- Security policies not in place or not enforced, leading to security breaches, data loss, fraud
and errors (Scribd.com, 2014).

Conclusion
In conclusion, IT/IS are essential to today's increasingly technology-dependent businesses. As a
result, these IT/IS need to be checked and verified by people who have a good understanding of how
they work, to ensure that they are operating efficiently and that businesses reap the full benefit of
having them in place. IT/IS auditing is needed in today's world because companies sometimes go to
great lengths to gain an advantage over competitors, including cyber-attacks on another company's
information systems, and this is one of the reasons companies need to be audited for more than just
their financial statements.

Reference List

1. Bayuk, J. (2009) Information Systems Audit: The Basics [Internet]. Available from:
<http://www.csoonline.com/article/2124025/it-audit/information-systems-audit--thebasics.html> [Accessed 29 August 2014].
2. Cannon, D.L. et al. (2006) Certified Information Systems Auditor Study Guide.
3. Cascarino, R. (2007) Auditor's Guide to Information Systems Auditing.
4. Gunn, G.S. (2010) The History of the Information Systems Audit and Control Association
[Internet]. Available from:
<http://www.isacavictoria.ca/Resources/Documents/EventDocs/2011-1214%20Gordon%20Gunn-History%20of%20ISACA.pdf> [Accessed 15 August 2014].
5. ICAI Knowledge Gateway (no date) Auditing of Information Systems [Internet]. Available
from: <http://www.icaiknowledgegateway.org/littledms/folder1/chapter-6-auditing-ofinformation-systems.pdf> [Accessed 6 September 2014].
6. IT Audit & Advisory Services (2014) Role of IT Auditors in the Financial Audit Process
[Internet]. Available from: <https://www.linkedin.com/pulse/article/20140717231932268966477-role-of-it-auditors-in-the-financial-audit-process> [Accessed 19 August 2014].
7. Jackson & Stent (2010) Auditing Notes for South African Students, 7th edition.
8. QFinance (2014) Auditing Information Technology and Information Systems [Internet].
Available from: <http://www.qfinance.com/auditing-checklists/auditing-informationtechnology-and-information-systems> [Accessed 12 September 2014].
9. Scribd.com (2014) No Title [Internet]. Available
from: <http://www.scribd.com/doc/236462495/4261-itauditmanualasosaidoc> [Accessed 13
September 2014].
10. Spremic, M. (2011) Standards and Frameworks for Information System Security Auditing and
Assurance. Proceedings of the World Congress on Engineering [Internet]. Available
from: <http://www.iaeng.org/publication/WCE2011/WCE2011_pp514-519.pdf> [Accessed 26
August 2014].

