OVERVIEW OF IT AUDIT
• IT Governance
• CobiT 4.1 vs. CobiT 5
• The work of an IT Auditor
• IT Audit Skills
• The CISA Exam
IT GOVERNANCE
• Is the responsibility of the Board of Directors and the executive management.
• It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
Focus Areas
• Aligning with the business and providing collaborative solution delivery
• Executing the value proposition throughout the delivery cycle
• Monitoring results for corrective actions
• Safeguarding assets, disaster recovery and compliance
• Resource management: optimizing the development and use of available resources
Why is IT Governance Important?
• "Governance" generally has taken on even greater significance.
• IT has a pivotal role to play in improving corporate governance practices.
• Management’s awareness of IT related risks has increased.
• There is a focus on IT costs in all organizations.
• There is a growing realization that more management commitment is needed to improve the management and control of IT activities.
Benefits of IT Governance
• Transparency and Accountability
• Return on Investment and Stockholder Value
• Opportunities and Partnerships
• Performance Improvement
• External Compliance
What is IT Governance best practice?
• An enterprise-wide approach should be adopted
• Top-level commitment backed up by clear accountability is a necessity
• An agreed IT governance and control framework is required
• Trust needs to be gained from the IT function
• Measurement systems will ensure objectives are owned and monitored
• Focus on costs
BASIC IT GOVERNANCE ARRANGEMENTS
COBIT (CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY)
• is a comprehensive framework of "globally accepted practices, analytical tools and models" designed for governance and management of enterprise IT.
COBIT SUPPORTS IT GOVERNANCE BY PROVIDING A FRAMEWORK TO ENSURE THAT:
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT risks are managed appropriately
CobiT 4.1 Framework
Plan & Organize (PO)
PO 1 Define a strategic IT plan
PO 2 Define the information architecture
PO 3 Define the technological direction
PO 4 Define the IT processes, organization and relationships
PO 5 Manage the IT investment
PO 6 Communicate management aims and directions
PO 7 Manage IT human resources
PO 8 Manage quality
PO 9 Assess and manage risks
PO 10 Manage projects
Acquire & Implement (AI)
AI 1 Identify automated solutions
AI 2 Acquire and maintain application software
AI 3 Acquire and maintain technology infrastructure
AI 4 Enable operation and use
AI 5 Procure IT resources
AI 6 Manage changes
AI 7 Install and accredit solutions and changes
Deliver & Support (DS)
DS 1 Define service levels
DS 2 Manage third-party services
DS 3 Manage performance & capacity
DS 4 Ensure continuous service
DS 5 Ensure systems security
DS 6 Identify & attribute costs
DS 7 Educate and train users
DS 8 Manage service desk & incidents
DS 9 Manage the configuration
DS 10 Manage problems
DS 11 Manage data
DS 12 Manage the physical environment
DS 13 Manage operations
Monitor & Evaluate (ME)
ME 1 Monitor & evaluate IT performance
ME 2 Monitor & evaluate internal control
ME 3 Ensure regulatory compliance
ME 4 Provide IT governance
CobiT 5 consolidates CobiT 4.1, Val IT 2.0, Risk IT and management practices into a single framework.
CobiT 5 Framework
Evaluate, Direct & Monitor (EDM)
EDM 1 Ensure Governance Framework Setting & Maintenance
EDM 2 Ensure Benefits Delivery
EDM 3 Ensure Risk Optimization
EDM 4 Ensure Resource Optimization
EDM 5 Ensure Stakeholder Transparency
Align, Plan & Organize (APO)
APO 1 Manage IT Management Framework
APO 2 Manage Strategy
APO 3 Manage Enterprise Architecture
APO 4 Manage Innovation
APO 5 Manage Portfolio
APO 6 Manage Budget & Costs
APO 7 Manage Human Resources
APO 8 Manage Relationships
APO 9 Manage Service Agreements
APO 10 Manage Suppliers
APO 11 Manage Quality
APO 12 Manage Risk
APO 13 Manage Security
Build, Acquire & Implement (BAI)
BAI 1 Manage Programs & Projects
BAI 2 Manage Requirements Definition
BAI 3 Manage Solutions Identification & Build
BAI 4 Manage Availability & Capacity
BAI 5 Manage Organizational Change Enablement
BAI 6 Manage Changes
BAI 7 Manage Change Acceptance & Transitioning
BAI 8 Manage Knowledge
BAI 9 Manage Assets
BAI 10 Manage Configuration
Deliver, Service & Support (DSS)
DSS 1 Manage Operations
DSS 2 Manage Service Requests and Incidents
DSS 3 Manage Problems
DSS 4 Manage Continuity
DSS 5 Manage Security Services
DSS 6 Manage Business Process Controls
Monitor, Evaluate & Assess (MEA)
MEA 1 Monitor, Evaluate & Assess Performance & Conformance
MEA 2 Monitor, Evaluate & Assess the System of Internal Control
MEA 3 Monitor, Evaluate & Assess Compliance with External Requirements
CobiT 4.1 domains:
• Plan & Organize
• Acquire & Implement
• Deliver & Support
• Monitor & Evaluate

CobiT 5 domains:
• Evaluate, Direct & Monitor
• Align, Plan & Organize
• Build, Acquire & Implement
• Deliver, Service & Support
• Monitor, Evaluate & Assess
CobiT 4.1 processes grouped by combined area:
• Education & Human Resources Management: PO 7 Manage IT human resources; DS 7 Educate and train users
• Communications & Management: PO 1 Define a strategic IT plan; PO 6 Communicate management aims and directions
• Information & Technical Architectures: PO 2 Define the information architecture; PO 3 Define the technological direction
• Application Software & Infrastructure Components: AI 2 Acquire and maintain application software; AI 3 Acquire and maintain technology infrastructure
CobiT 4.1 process → CobiT 5 process(es):
• ME 4 Provide IT governance → EDM 1, EDM 2, EDM 3, EDM 4, EDM 5
• PO 1 Define a strategic IT plan → APO 2 Manage Strategy
• PO 4 Define the IT processes, organization and relationships → APO 1 Manage IT Management Framework
• EDM 1 – Ensure Governance Framework Setting & Maintenance
• APO 1 – Manage IT Management Framework
• APO 4 – Manage Innovation
• APO 8 – Manage Relationships
• BAI 8 – Manage Knowledge
• BAI 9 – Manage Assets
• DSS 6 – Manage Business Process Controls
CobiT 5 governance and management model: Business Needs drive Governance (Evaluate, Direct, Monitor); Governance directs Management (Plan, Build, Run, Monitor), and Management Feedback flows back to Governance.


IT AUDITOR
• An IT auditor participates in projects and assignments that improve internal processes and performance.
DUTIES AND RESPONSIBILITIES:
• IT Analysis & Maintenance
• Internal Audit Procedures
• Customer Service
IT ANALYSIS & MAINTENANCE
• The employee in this role works on specific projects that include analyzing information security systems, programs and software for any type of IT system. They may design new systems to meet operational needs, or test existing systems to make sure they are working correctly and are not prone to security breaches.
INTERNAL AUDIT PROCEDURES
• This person may either lead, or work under the direction of a senior IT professional, to create internal audit processes, or internal reviews, of the core control structure and other IT system components, and compile associated audit reports that include relevant information about each audit, such as potential risks that were prevented, problems that were fixed and recommendations for smoother operations.
CUSTOMER SERVICE
• IT auditors work with either internal customers (company employees) or external clients in order to help them with their computer network security concerns. This involves responding to phone and email requests in a timely fashion, creating work orders, prioritizing the most important tasks and keeping notes of the errors and solutions.
• Performs general and application control reviews for simple to complex
computer information systems.
• Performs information control reviews to include system development
standards, operating procedures, system security, programming controls,
communication controls, backup and disaster recovery, and system
maintenance.
• Directs and/or performs reviews of internal control procedures and
security for systems under development and/or enhancements to current
systems.
• Maintains and develops computerized audit software.
• Prepares audit finding memoranda and working papers to ensure that
adequate documentation exists to support the completed audit and
conclusions.
• Prepares and presents written and oral reports and other technical
information in a pertinent, concise, and accurate manner for
distribution to management.
• Consults with and advises administrators, faculty, and staff on various
operational issues related to computerized information systems, and
on general business operations as needed.
• Follows up on audit findings to ensure that management has taken
corrective action(s).
• Coordinates and interacts with external auditors, administrators,
faculty, staff and law enforcement officials as appropriate; may be
required to testify in court.
• Assists and trains other audit staff in the use of computerized audit
techniques, and in developing methods for review and analysis of
computerized information systems.
IT AUDIT SKILLS
Core Skills
• Risk assessment ability
• Internal audit experience
• Communication skills
• Interpersonal skills
• Security testing experience
• IT security and infrastructure knowledge
• Knowledge of operating system platforms
• Report writing skills
• Analytical skills
Advanced Skills
• The ability to self-educate
• Accounting experience
• Management experience
The IT auditor profile:
• Detail-Oriented
• Business-Minded
• Professional
• Tech-Savvy
• Certified
CISA EXAMINATION (CERTIFIED INFORMATION SYSTEMS AUDITOR)
• Certified Information Systems Auditor (CISA) is a certification issued by ISACA for the people in charge of ensuring that an organization's IT and business systems are monitored, managed and protected.
• One of the four certifications provided by ISACA
• ISACA is an association established in 1969 for information systems audit, assurance, security, risk, privacy and governance professionals.
• The CISA certification itself was established in 1978.
• In order to become CISA certified, applicants must pass the CISA examination with a score of 450 or higher and possess a minimum of five years of professional experience in the fields of information systems auditing, control, assurance or security.
CISA EXAM SYLLABUS
• Domain 1: The process of auditing information systems (21%)
• Domain 2: Governance and management of IT (16%)
• Domain 3: Information systems acquisition, development, and implementation (18%)
• Domain 4: Information systems operations, maintenance and support (20%)
• Domain 5: Protection of information assets (25%)
WHO SHOULD TAKE THE CISA EXAMINATION?
The CISA certification was specifically created for professionals with work experience in information systems auditing, control or security, including:
• IS/IT Auditors
• Security Professionals
• IS/IT Consultants
• IS/IT Audit Managers
BENEFITS OF CISA CERTIFICATION
• Confirms your knowledge and experience
• Quantifies and markets your expertise
• Demonstrates that you have gained and maintained the level of knowledge required to meet the dynamic challenges of a modern enterprise
• Is globally recognized as the mark of excellence for the IS audit professional
• Combines the achievement of passing a comprehensive exam with recognition of work and educational experience, providing you with credibility in the marketplace
• Increases your value to your organization
• Gives you a competitive advantage over peers when seeking job growth
• Helps you achieve a high professional standard through ISACA's requirements for continuing education and ethical conduct
IT Audit Salary vs. General Internal Audit Salary (annual, USD)

Level         IT Audit Salary        General Internal Audit Salary
Entry level   $63,000 – $74,000      $52,000 – $67,000
Junior        $71,000 – $100,000     $60,000 – $87,000
Senior        $91,000 – $132,000     $78,000 – $111,000
Manager       $108,000 – $166,000    $92,000 – $151,000