evaluation of automated information processing systems, related non-automated processes and the
interfaces among them. Planning the IT audit involves two major steps. The first step is to gather
information and do some preliminary planning; the second step is to gain an understanding of the existing
internal control structure. More and more organizations are moving to a risk-based audit approach,
which is used to assess risk and helps an IT auditor decide whether to perform
compliance testing or substantive testing. In a risk-based approach, IT auditors rely on
internal and operational controls as well as their knowledge of the company or the business. This
type of risk assessment decision can help relate the cost-benefit analysis of the control to the known
risk. In the Gathering Information step the IT auditor needs to identify five items:
Regulatory statutes
A side note on inherent risk: it is defined as the risk that an error exists that could be material or
significant when combined with other errors encountered during the audit, assuming there are no
related compensating controls. As an example, complex database updates are more likely to be
miswritten than simple ones, and thumb drives are more likely to be stolen (misappropriated) than
blade servers in a server cabinet. Inherent risks exist independently of the audit and can arise
from the nature of the business.
In the Gain an Understanding of the Existing Internal Control Structure step, the IT auditor needs to
identify five other areas/items:
Control environment
Control procedures
Once the IT auditor has gathered information and understands the control structure, they are ready
to begin the planning, or selection of areas, to be audited. Remember that one of the key pieces of
information you will need in the initial steps is a current Business Impact Analysis (BIA), to assist
you in selecting the applications which support the most critical or sensitive business functions.
Objectives of an IT audit
Most often, IT audit objectives concentrate on substantiating that the internal controls exist and are
functioning as expected to minimize business risk. These audit objectives include assuring
compliance with legal and regulatory requirements, as well as the confidentiality, integrity, and
availability (CIA; not the federal agency, but the information security triad) of information systems and
data.
IT audit strategies
There are two areas to talk about here: the first is whether to do compliance or substantive testing,
and the second is "How do I go about getting the evidence to allow me to audit the application and
make my report to management?" So what is the difference between compliance and substantive
testing? Compliance testing is gathering evidence to test whether an organization is following its
control procedures. On the other hand, substantive testing is gathering evidence to evaluate the
integrity of individual data and other information. Compliance testing of controls can be
described with the following example. An organization has a control procedure which states that all
application changes must go through change control. As an IT auditor you might take the current
running configuration of a router as well as a copy of the -1 generation of the configuration file for the
same router, run a file compare to see what the differences are, and then take those differences
and look for supporting change control documentation. Don't be surprised to find that network
admins, when they are simply re-sequencing rules, forget to put the change through change control.
For substantive testing, let's say that an organization has a policy/procedure concerning backup tapes
at the offsite storage location which includes 3 generations (grandfather, father, son). An IT auditor
would do a physical inventory of the tapes at the offsite storage location and compare that inventory
to the organization's inventory, as well as checking that all 3 generations are present.
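The two tests just described (the compliance test that reconciles a router configuration diff against change control records, and the substantive test that reconciles a physical tape inventory against the organization's register and the three-generation rule) can be scripted so the auditor's evidence is repeatable. The following is an added example, not code from the original page: the configuration lines, change ticket number and tape labels are constructed sample data, and the tape label format (backup set, hyphen, generation code) is an assumption made for the example.

```python
"""Two scripted audit checks: config-diff reconciliation (compliance test)
and offsite tape inventory reconciliation (substantive test).
All sample data below is constructed for illustration."""

# --- Compliance test: router config, current vs. -1 generation -------------

# Constructed sample configurations (hypothetical router, RFC 5737 addresses).
PREVIOUS_CONFIG = """
hostname edge-rtr-01
ip access-list extended EDGE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 80
 deny ip any any
ntp server 192.0.2.5
"""

CURRENT_CONFIG = """
hostname edge-rtr-01
ip access-list extended EDGE-IN
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.11 eq 22
 deny ip any any
ntp server 192.0.2.6
"""

# Constructed change-control log: ticket id -> config lines the ticket approved.
# Only the NTP change was ticketed; the new SSH rule and the ACL re-sequencing were not.
CHANGE_LOG = {
    "CHG-1042": {"ntp server 192.0.2.5", "ntp server 192.0.2.6"},
}


def config_changes(old: str, new: str) -> dict:
    """Compare two config snapshots line by line (whitespace-insensitive).
    Reports lines added, lines removed, and whether surviving lines were
    re-ordered, which a plain set comparison would miss."""
    old_lines = [l.strip() for l in old.splitlines() if l.strip()]
    new_lines = [l.strip() for l in new.splitlines() if l.strip()]
    old_set, new_set = set(old_lines), set(new_lines)
    common_old = [l for l in old_lines if l in new_set]  # shared lines, old order
    common_new = [l for l in new_lines if l in old_set]  # shared lines, new order
    return {
        "added": [l for l in new_lines if l not in old_set],
        "removed": [l for l in old_lines if l not in new_set],
        "resequenced": common_old != common_new,
    }


def reconcile_with_change_control(changes: dict, change_log: dict) -> dict:
    """Map every added/removed line to its ticket; anything without one is a
    finding. Re-sequencing is always surfaced for manual follow-up because a
    ticket may not quote the reordered lines verbatim."""
    approved = {line: ticket for ticket, lines in change_log.items() for line in lines}
    documented, undocumented = {}, []
    for line in changes["added"] + changes["removed"]:
        if line in approved:
            documented[line] = approved[line]
        else:
            undocumented.append(line)
    return {
        "documented": documented,
        "undocumented": undocumented,
        "resequenced": changes["resequenced"],
    }


# --- Substantive test: offsite tape inventory ------------------------------

GENERATIONS = ("GF", "F", "S")  # grandfather, father, son

# Constructed sample: the organisation's register vs. what was physically
# found in the offsite vault. Label format "<set>-<generation>" is assumed.
ORG_INVENTORY = {"FIN-GF", "FIN-F", "FIN-S", "HR-GF", "HR-F", "HR-S"}
VAULT_INVENTORY = {"FIN-GF", "FIN-F", "FIN-S", "HR-GF", "HR-S", "DEV-S"}


def tape_inventory_findings(register: set, vault: set) -> dict:
    """Three findings: tapes on the register but not in the vault, tapes in
    the vault not on the register, and backup sets missing a generation."""
    backup_sets = {label.rsplit("-", 1)[0] for label in register}
    incomplete = {}
    for backup_set in sorted(backup_sets):
        present = {g for g in GENERATIONS if f"{backup_set}-{g}" in vault}
        if present != set(GENERATIONS):
            incomplete[backup_set] = sorted(set(GENERATIONS) - present)
    return {
        "missing": sorted(register - vault),
        "unexpected": sorted(vault - register),
        "incomplete_sets": incomplete,
    }


if __name__ == "__main__":
    changes = config_changes(PREVIOUS_CONFIG, CURRENT_CONFIG)
    print("Compliance test:", reconcile_with_change_control(changes, CHANGE_LOG))
    print("Substantive test:", tape_inventory_findings(ORG_INVENTORY, VAULT_INVENTORY))
```

On the sample data the compliance check reports the NTP server change as documented under its ticket, the new SSH permit line as undocumented, and the ACL as re-sequenced; the substantive check reports HR-F missing from the vault, an unregistered DEV-S tape, and the HR set incomplete. Each of those is a line in the working papers, with the two config snapshots and the vault count sheet as the supporting evidence.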
The second area deals with "How do I go about getting the evidence to allow me to audit the
application and make my report to management?" It should come as no surprise that you need to:
Review IT standards
Review IT documentation
Operational controls
Administrative controls
Overall policies for the design and use of adequate documents and records
Physical and logical security policies for all data centers and IT resources
Application controls refer to the transactions and data relating to each computer-based application
system; therefore, they are specific to each application. The objectives of application controls are to
ensure the completeness and accuracy of the records and the validity of the entries made to them.
Application controls are controls over IPO (input, processing, output) functions, and include methods
for ensuring that:
Only complete, accurate and valid data are entered and updated in an application system
Data is maintained
As an IT auditor, your tasks when performing an application control audit should include:
Identifying the application control strengths and evaluating the impact, if any, of weaknesses you find in the application controls
Evaluating your test results and any other audit evidence to determine if the control objectives were achieved
So what's included in the audit documentation, and what does the IT auditor need to do once their
audit is finished? Here's the laundry list of what should be included in your audit documentation:
Audit program
Whether services of other auditors and experts were used and their contributions
When you communicate the audit results to the organization it will typically be done at an exit
interview, where you will have the opportunity to discuss with management any findings and
recommendations. You need to be absolutely certain of:
The recommended implementation dates will be agreed to for the
Finally, there are a few other considerations which you need to be cognizant of when preparing and
presenting your final report. Who is the audience? If the report is going to the audit committee, they
may not need to see the minutiae that go into the local business unit report. You will need to identify
the organizational, professional and governmental criteria applied, such as the GAO Yellow Book, COBIT
or NIST SP 800-53. Your report should be timely so as to encourage prompt corrective action.
And as a final, final parting comment: if during the course of an IT audit you come across a
materially significant finding, it should be communicated to management immediately, not at the end
of the audit.