
IT Audit, roles within the overall audit function.
V1.0.0.1
January 2018
Professor: Mtro. Ing. Félix Ferreiras, PIS, MIS
felix.ferreiras@gmail.com

13:19 IT Audit Roles 1


IT auditing
• IT auditing encompasses the review and evaluation of each element of an automated information processing system (IPS), such as:

• System software (OS, DBMS, ...)
• Application development
• Applications
• Database systems
• Information processing facilities
• Software acquisition
• Management of IT and enterprise architecture, client/server
• Telecommunications (intranets and extranets)
• Related non-automated processes and the interfaces among them

Application development, applications, and database systems are of immediate interest in this course.



IT auditing
• The processes of an IT audit collect and evaluate evidence about an organization's information systems, practices, and operations.

• An IT audit (or IS audit) examines the controls within an organization's IT infrastructure.

• Evaluating the evidence obtained establishes whether the organization's information systems safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization's goals and objectives.

• IT audits were formerly known as "Automated Data Processing audits" (ADP audits), "Computer audits", or "Electronic Data Processing audits" (EDP audits).



IT auditing
Categories of IT audits, or areas under information system audit, are:

• Systems and Applications: An audit to verify that systems and applications are
appropriate, are efficient, and are adequately controlled to ensure valid, reliable,
timely, and secure input, processing, and output at all levels of a system's activity.
• Information Processing Facilities: An audit to verify that the processing facility is
controlled to ensure timely, accurate, and efficient processing of applications
under normal and potentially disruptive conditions.
• Systems Development: An audit to verify that the systems under development
meet the objectives of the organization, and to ensure that the systems are
developed in accordance with generally accepted standards for systems
development.
• Management of IT and Enterprise Architecture: An audit to verify that IT
management has developed an organizational structure and procedures to ensure
a controlled and efficient environment for information processing.
• Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify
that telecommunications controls are in place on the client (computer receiving
services), server, and on the network connecting the clients and servers. [Idem]



Extent of IT audit
IT auditing has a role in financial, operational, certification, and compliance audits, but also constitutes a specific auditing domain of its own, focusing on IT-specific assets, processes, and controls.
The range of potential IT audit subjects spans all types of physical, administrative, and technical controls implemented at any level of granularity within an organization.



Potential areas for IT audit
The potential technical subject areas that an IT audit group might be called on to review are:

1. Entity-level controls
2. Physical facility
3. Networking and communications infrastructure
4. Operating system
5. Middleware
6. Database
7. Application
...



Potential areas for IT audit
In detail:

1. Entity-level controls

• These are controls that are pervasive across the organization and provide the basic foundation for the company's control environment.

• Examples are company policies and mechanisms for complying with regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) in the USA. For HIPAA see the Department of Labor (EBSA) page and the audit program protocol note:
• http://www.dol.gov/ebsa/newsroom/fshipaa.html
• http://www.compliance.com/industry-news/omb-hipaa-audit-program-protocol



Potential areas for IT audit
In detail: ...

2. Physical facility

• This is the physical building and data center housing the computer equipment on which the system in question resides.



Potential areas for IT audit
In detail: ...

3. Networking and communications infrastructure

• This is what allows other systems and users to communicate with the system in question when they do not have physical access to it.

• Typically, this layer includes basic networking devices such as firewalls, switches, and routers.



Potential areas for IT audit
In detail: ...

4. Operating system

• This is what provides the basic operating environment on which the higher-level applications run.

• Examples are:
• Unix
• Linux
• Windows
• OS X
• ...
Potential areas for IT audit
In detail: ...

5. Middleware

• This is software that provides additional integration between two separate programs that were not originally designed to communicate with each other (e.g., between a database system and a web server, or between an application and a database it was not originally designed to access; JDBC, for example).



Potential areas for IT audit
In detail: ...

6. Database

• This is the tool that organizes and provides access to the data used by the end application.

• Database audit is one of the objectives of this course.



Potential areas for IT audit
In detail: ...

7. Application

• This is the end application, which is actually seen and accessed by the end user. This could be an Enterprise Resource Planning (ERP) application providing basic business functions, an e-mail application, or one that allows conference rooms to be scheduled.

• There are a huge number of other applications.

• Application audit is the other objective of this course.
Role of the IT audit within the overall audit function
Within the overall audit function, there are a number of variations and interpretations as to the role of the IT audit group.

Below are some styles of IT auditing that describe the role of an IT audit group within the overall audit function:

1. Information system auditors
2. Support for the financial auditors
3. IT auditors


Role of the IT audit within the overall audit function
• Information system auditors

• They focus on the application layer because that is all they understand.
• They miss most or all of the other layers, meaning that they only see part of the picture.
• Really, they are not IT audit groups at all.
• These groups generally contain no true IT auditors but instead are made up of business or financial people who know how to use business application systems.
• These audit teams focus almost solely on the application layer.
• They do a very thorough job of ensuring that access is properly controlled and that segregation-of-duties issues do not exist.
• They will likely do a good job of ensuring that unauthorized changes to the application cannot occur and that good controls are in place to ensure the integrity of data being entered into the system.
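One way to make the segregation-of-duties test above repeatable, as an added example (not from the slides or the cited books): a Python script that takes an extract of the application's user-role table plus a conflict matrix of role pairs a single person must not hold, and reports every user holding both halves of a pair. The role names, the conflict pairs and the user rows are constructed sample data, not taken from any real application.

```python
"""Segregation-of-duties (SoD) test over application role assignments.

Added example; the conflict matrix, role names and user rows are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Pairs of application roles that one person must not hold at the same time.
# Constructed accounts-payable style rule set: whoever can create a vendor or
# enter an invoice must not also be able to approve or pay it.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}),
    frozenset({"INVOICE_ENTRY", "INVOICE_APPROVE"}),
    frozenset({"USER_ADMIN", "PAYMENT_RELEASE"}),
}

# Constructed sample extract of the application's user-role table.
USER_ROLES = [
    ("alice", "INVOICE_ENTRY"),
    ("alice", "INVOICE_APPROVE"),      # conflict: enters and approves invoices
    ("bob", "VENDOR_MAINTAIN"),
    ("carol", "PAYMENT_RELEASE"),
    ("carol", "VENDOR_MAINTAIN"),      # conflict: creates vendors and pays them
    ("dave", "USER_ADMIN"),
    ("dave", "REPORT_VIEW"),           # no conflict: admin plus read-only reporting
    ("svc_batch", "INVOICE_ENTRY"),
    ("svc_batch", "INVOICE_APPROVE"),  # conflict inside a service account
]


def roles_by_user(assignments):
    """Collapse (user, role) rows into {user: set_of_roles}."""
    by_user = defaultdict(set)
    for user, role in assignments:
        by_user[user].add(role)
    return dict(by_user)


def sod_violations(assignments, conflicts=CONFLICTING_ROLE_PAIRS):
    """Return sorted (user, role_a, role_b) findings where a user holds both
    halves of a conflicting pair. Every offending pair is reported, so a user
    with three mutually conflicting roles yields three findings."""
    findings = []
    for user, roles in roles_by_user(assignments).items():
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset({role_a, role_b}) in conflicts:
                findings.append((user, role_a, role_b))
    return sorted(findings)


if __name__ == "__main__":
    for user, role_a, role_b in sod_violations(USER_ROLES):
        print(f"SoD violation: {user} holds {role_a} and {role_b}")
```

On a real engagement USER_ROLES would be a dump of the application's security tables, and the test would also have to expand roles inherited through groups or profiles, which this example does not model; the conflict matrix is agreed with the process owners before testing. The service account is reported like any other user on purpose: excluding non-human accounts from an SoD test is a common way to miss a finding.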



Role of the IT audit within the overall audit function
• Information system auditors

• They do not review the foundational controls on which all systems rely, such as the security of the network and of the operating system environment.

• [Remember: if those layers are not controlled properly, it is like locking the door but leaving the windows open; people can exploit security weaknesses at those other layers to disrupt the integrity, reliability, and security of the applications.]

• This approach occurs when the audit group has not hired people with the technical skills in IT that would let it understand and review all the layers involved.



Role of the IT audit within the overall audit function
• Support for the financial auditors

• They are not truly auditors.

• They are likely to be experts at data extraction and analysis tools, such as Audit Command Language (ACL).

• They spend the majority of their time pulling data for the financial auditors and helping them analyze it.

• They receive requirements from the financial auditors and execute those requirements.



Role of the IT audit within the overall audit function
• Support for the financial auditors ...

• For example: the financial audit team may be reviewing an accounts receivable process and ask the "IT auditors" to pull a list of all invoices greater than 90 days past due.

• They are a valuable part of an audit department, but if they constitute the entire IT audit function, a lot of risk is never taken into account.

• ...
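The request on the slide, a list of open invoices more than 90 days past due, as an added example in Python rather than ACL; the script is not from the slides or the cited books, and the invoice rows, the customers and the as-of date are constructed. It goes one step beyond the request in the text: it also totals the open balance per aging bucket and checks the extract for duplicate invoice numbers first, because an extract the IT auditor cannot vouch for is of little use to the financial team.

```python
"""Aged-receivables extract of the kind financial auditors ask the IT audit
group for. Added example; the invoices and the as-of date are constructed."""
from datetime import date
from typing import Dict, List, NamedTuple, Optional


class Invoice(NamedTuple):
    invoice_no: str
    customer: str
    amount: float
    due_date: date
    paid_date: Optional[date]  # None means the invoice is still open


# Reporting date for the aging calculation (constructed).
AS_OF = date(2018, 1, 20)

# Constructed sample accounts-receivable extract; day counts are as of AS_OF.
INVOICES: List[Invoice] = [
    Invoice("INV-1001", "ACME", 1200.00, date(2017, 9, 30), None),                 # 112 days
    Invoice("INV-1002", "ACME", 300.00, date(2017, 12, 1), None),                  # 50 days
    Invoice("INV-1003", "GLOBEX", 950.00, date(2017, 10, 15), None),               # 97 days
    Invoice("INV-1004", "GLOBEX", 410.00, date(2017, 10, 1), date(2017, 10, 20)),  # paid
    Invoice("INV-1005", "INITECH", 80.00, date(2018, 2, 1), None),                 # not yet due
    Invoice("INV-1003", "GLOBEX", 950.00, date(2017, 10, 15), None),               # duplicate row
]

AGING_BUCKETS = ("current", "1-30", "31-60", "61-90", "90+")


def days_past_due(inv: Invoice, as_of: date = AS_OF) -> int:
    """Days between the due date and the reporting date; 0 if paid or not yet due."""
    if inv.paid_date is not None:
        return 0
    return max(0, (as_of - inv.due_date).days)


def bucket_for(days: int) -> str:
    """Map a days-past-due count to the standard aging bucket."""
    if days <= 0:
        return "current"
    if days <= 30:
        return "1-30"
    if days <= 60:
        return "31-60"
    if days <= 90:
        return "61-90"
    return "90+"


def duplicate_invoice_numbers(invoices: List[Invoice]) -> List[str]:
    """Integrity check run before relying on the extract: invoice numbers that
    appear more than once (a duplicate would inflate the aged balance)."""
    seen, dups = set(), set()
    for inv in invoices:
        if inv.invoice_no in seen:
            dups.add(inv.invoice_no)
        seen.add(inv.invoice_no)
    return sorted(dups)


def deduplicate(invoices: List[Invoice]) -> List[Invoice]:
    """Keep the first row for each invoice number, preserving order."""
    out, seen = [], set()
    for inv in invoices:
        if inv.invoice_no not in seen:
            out.append(inv)
            seen.add(inv.invoice_no)
    return out


def open_invoices_past_due(invoices: List[Invoice], days: int,
                           as_of: date = AS_OF) -> List[Invoice]:
    """The request on the slide: unpaid invoices more than `days` past due,
    oldest first."""
    hits = [inv for inv in invoices
            if inv.paid_date is None and days_past_due(inv, as_of) > days]
    return sorted(hits, key=lambda inv: days_past_due(inv, as_of), reverse=True)


def aging_totals(invoices: List[Invoice], as_of: date = AS_OF) -> Dict[str, float]:
    """Open amount per aging bucket."""
    totals = {b: 0.0 for b in AGING_BUCKETS}
    for inv in invoices:
        if inv.paid_date is None:
            totals[bucket_for(days_past_due(inv, as_of))] += inv.amount
    return totals


if __name__ == "__main__":
    dups = duplicate_invoice_numbers(INVOICES)
    if dups:
        print("duplicate invoice numbers in extract:", ", ".join(dups))
    clean = deduplicate(INVOICES)
    for inv in open_invoices_past_due(clean, 90):
        print(f"{inv.invoice_no} {inv.customer:8} {inv.amount:9.2f}"
              f" {days_past_due(inv)} days past due")
    print(aging_totals(clean))
```

The duplicate check is what separates an IT auditor's extract from a plain query: without it the "90+" total for the sample would be overstated by one INV-1003, and the financial team would carry that error into its conclusions. In practice the same script would read the extract from the accounting database or a CSV export instead of the embedded list.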



Role of the IT audit within the overall audit function
• IT auditors: cobbler, stick to your last (Spanish proverb: "Zapatero, a tus zapatos")

• They consist of IT professionals, as opposed to business people who only understand how to use the applications.

• This is the most thorough and effective style of IT audit because it ensures that all layers are covered, and covered by the people with the highest level of subject-matter knowledge.

• They understand how the audit process works and the important concepts of testing and substantiation with test cases.

• They ensure that the core infrastructure (hardware, software, network, and "meatware", the human users) supporting the company's systems has proper security and controls.



Role of the IT audit within the overall audit function
• IT auditors: cobbler, stick to your last (Spanish proverb: "Zapatero, a tus zapatos") ...

• They help to review the general application controls, such as change control (software configuration management or change management) and overall system access administration.

• Their domain is the data layer (database) and the layers below it (communications, transport, security, ...).

• They support the financial auditors in application audits by looking at the database layer and below as they apply to a specific application.



Role of the IT audit within the overall audit function
Mix of the three styles

• Some companies have developed a mix of the three styles, and that can also be very successful.

• The key is that companies need some IT auditing that goes beyond the application layer in order to truly perform the function successfully.



Key features of a successful IT auditor
• Must have a bachelor's degree in information technology and, additionally, knowledge of business administration.
• Must be well versed in audit theory and internal controls at a conceptual level.
• Ability to perform risk assessment with business impact analysis.
• Strong IT skills: heavy IT knowledge, experience or training.
• Ability to dig into technical details without getting lost in them.
• Analytical skills.
• Communication skills to understand technical jargon and translate it into business-related decisions for management and clients.
• Ability to quickly learn the key concepts of new technologies and identify the key risk points within those technologies.
• Willingness not to be hands-on with a specific technology every day.
• Able to work independently and as part of a team at the same time.
• Patience and an ability to learn and teach IT to others in the company work environment.
• Exceptional verbal and written communication and reporting skills; a quick eye for even the smallest details; able to analyze data and evaluate results at any given time.
Key features of a successful IT auditor
Education and training requirements: a four-year degree in Information Technology (IT) with knowledge of accounting, or a related field such as finance; then 3-5 years of IT audit experience; a CPA (Certified Public Accountant), CIA (Certified Internal Auditor) or CISA (Certified Information Systems Auditor) certification; and the ability to work independently and as a team player at the same time.



Now, it's your turn
• Referring to the topic just covered in this PPT-Book, please write your opinion (based on experience or studies) in a one-page summary in a PDF file, and send it as instructed below:

SEND TO: felix.ferreiras@gmail.com
File: MASI-8240-TC01-<ID NUMBER>.PDF
Subject: MASI-8240-TC01-<ID NUMBER>

EXAMPLE
File: MASI-8240-TC01-00100125160.PDF
Subject: MASI-8240-TC01-00100125160

DEADLINE: Saturday, 20 January 2018 at 2400 hr.

IMPORTANT DIRECTIONS!!
1. The cover of the PDF file to be sent is as indicated in the next slide, titled "Cover format for sending deliverables".
2. The ID is your Cédula de Identidad y Electoral number (Dominican Republic national ID).



Cover format for sending deliverables
UNIVERSIDAD AUTÓNOMA DE SANTO DOMINGO
FACULTAD DE CIENCIAS
ESCUELA DE INFORMÁTICA

MAESTRÍA EN AUDITORÍA Y SEGURIDAD INFORMÁTICA (MASI)

MODULE: Electronic application and database auditing (INF-8240)
Professor: Mtro. Ing. Félix Ferreiras, PIS, MIS
TOPIC: "0-IT audit, roles within the overall audit function"

TC No.: 01-12
ID: <your cédula number>
MASI GROUP: STGO 2017-2019
COORDINATOR: Mtro. Francisco Acosta

Santiago de los Caballeros
República Dominicana
Date: dd-mm-yyyy



References
• Stephen D. Gantz. The Basics of IT Audit: Purposes, Processes, and Practical Information. Syngress, 2014.

• Chris Davis, Mike Schiller, and Kevin Wheeler. IT Auditing: Using Controls to Protect Information Assets. McGraw-Hill, 2007.

• ...
