E.

Information Technology

An IT audit is the examination and evaluation of an organization's information technology

infrastructure, policies and operations.

Information technology audits determine whether IT controls protect corporate assets, ensure data
integrity and are aligned with the business's overall goals. IT auditors examine not only physical security
controls, but also overall business and financial controls that involve information technology systems.
Because operations at modern companies are increasingly computerized, IT audits are used to ensure
information-related controls and processes are working properly. The primary objectives of an IT audit
include:

Evaluate the systems and processes in place that secure company data.

Determine risks to a company's information assets, and help identify methods to minimize those
risks.

Ensure information management processes are in compliance with IT-specific laws, policies and
standards.

Determine inefficiencies in IT systems and associated management.

SKILLS OF AN IT AUDITOR
Detail-Oriented
IT auditors need an eye for detail. This allows them to spot red flags such as errors in record keeping, fraud or theft,
elevated costs in a certain area, or items for improvement.
Business-Minded
Although an IT-focused college degree can get your foot in the door of this profession, many candidates have an
accounting degree or experience in business mathematics and accounting. The IT auditor must also possess a
background in, or at least a rounded knowledge of, the particular business he is auditing for a proper analysis.
Professional
The IT auditor must be diplomatic and a clear communicator. Communicating less-than-ideal information to upper
management and taking a fine-tooth comb to an employee's work are two of many situations where an auditor is
required to exercise tact while sharing and gathering necessary information with a sometimes unreceptive audience.
To avoid confusion, written and spoken communication must be polished and straightforward.
Tech-Savvy (knowledgeable about technology especially, computers)
The IT auditor needs a solid base of computer skills related to hardware, software, networks, and cloud computing -from installation to operation and repair. Programming knowledge is helpful, since IT auditing uses computer-assisted
audit tools to perform many job functions. The auditor must learn and monitor advancements in these tools, then
apply the correct ones to each task.
Certified
Although a certified public accountant designation may provide an edge in hiring, it's generally not a requirement.
Two programs geared specifically toward work in IT auditing include certified internal auditor (CIA) and certified
information systems auditor (CISA), which are available through the Institute of Internal Auditors and the ISACA,
formerly the Information Systems Audit and Control Association.

 Objectives of an IT audit
Most often, IT audit objectives concentrate on substantiating that the internal controls exist and are
functioning as expected to minimize business risk. These audit objectives include assuring compliance with
legal and regulatory requirements, as well as the confidentiality, integrity, and availability (CIA no not the
federal agency, but information security) of information systems and data.
F. Fraud Audit

Introduction to fraud
Fraud encompasses a variety of irregularities and illegal acts characterized by intentional deception. The elements of
fraud are:

A representation about a material fact

Which is false
And made intentionally, knowingly, or recklessly
Which is believed
And acted upon by the victim
To the victims damage
Employees who commit fraud generally are able to do so because there is opportunity, pressure, and a
rationalization. Opportunity is generally provided through weaknesses in the internal controls. Some
examples include inadequate or no:

Supervision
Separation of duties
Management approval
System controls
Pressure can be imposed due to:

Personal financial problems

Personal vices such as gambling, drugs, extensive debt, etc.
Unrealistic deadlines and performance goals
Who is responsible for deterring fraud?
Management. Internal Audit is responsible for examining and evaluating the adequacy and the effectiveness
of actions taken by management to fulfill this obligation. Deterrence consists of actions taken to discourage
fraud and limit financial losses if it does occur. The principal mechanism for deterring fraud is strong
internal controls (i.e., policies and procedures, segregation of duties, account reconciliations, etc.)

Who is responsible for detecting fraud?

Fraud should be detected by personnel in the normal course of performing their duties, if strong controls exist.
Internal auditors should have sufficient knowledge of fraud to ensure that they may identify indicators that fraud might
have been committed. If significant control weaknesses are detected, additional tests conducted by internal auditors
should include tests directed toward identification of other indicators of fraud. Internal auditors are not expected to
have knowledge equivalent to that of a person whose primary responsibility is to detect and investigate fraud. Audit
procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.

Who is responsible for reporting suspected or actual fraud?

Anyone within the University who has reasonable suspicions of an alleged fraud or actual evidence of a fraud. All
employees have an obligation to ensure that the University is a well controlled environment free from wrongdoing or
criminal activities.

How should I report an alleged fraud?

An alleged fraud or financial misconduct should be reported to the supervisor, department head, or the Director of
Internal Audit.

Rationalization occurs when the individual develops a justification for the fraudulent activities. The rationalization
varies by case and individual. Some examples include:
o

I really need this money and Ill put it back when I get my paycheck. In many cases they replace the
money only to take more later and not repay it. I just cant afford to lose everything my home, car,
everything. Besides, the company owes me.