Increase revenue
Improve customer satisfaction and loyalty
Recruit and retain the best talent
Enhance product development and innovation
Enhance brand awareness and customer perception
At the same time, use of social media without appropriate oversight can introduce additional
risks, including:
An internal auditor who works extensively in the area of computerized information systems must
possess deep IT risk, control, and audit expertise. Such auditors are commonly referred to as
information systems (IS) auditors or IT auditors. Although not all internal auditors need the
expertise of an IT audit specialist, at a minimum every internal auditor must have a sound
understanding of certain fundamental IT concepts.
This chapter first provides an overview of selected key components of modern information
systems. The opportunities and risks associated with IT are then described. This is followed by
coverage of IT governance, risk management, and controls. The chapter then addresses the
implications of IT for internal auditors and concludes with the identification of sources of IT
audit guidance.
Networks. A computer network links two or more computers or devices so they can share
information and/or workload. There are many types of networks:
A client-server network connects one or more client computers with a server, and data
processing is shared between the client(s) and the server in a manner that optimizes
processing efficiency.
A local area network (LAN) spans a relatively small area such as a building or group of
adjacent buildings.
A wide area network (WAN) comprises a system of LANs connected together to span a
regional, national, or global area.
An intranet is an organization's private network, accessible only to that organization's
personnel.
An extranet is accessible to selected third parties such as authorized suppliers and/or
customers.
A value-added network (VAN) is a third-party network that connects an organization with
its trading partners.
The Internet (interconnected networks) is the very large and complex public system of
computer networks that enables users to communicate globally.
Two devices can also share information just between themselves without being attached to
other networks.
Computer software. Computer software includes operating system software, utility software,
database management system (DBMS) software, application software, and firewall software.
Databases. A database is a large repository of data, typically contained in many linked files and
stored in a manner that allows the data to be easily accessed, retrieved, and manipulated.
Information. Information is a key resource for all enterprises, and from the time that information
is created to the moment that it is destroyed, technology plays a significant role.
People. Specific information system roles vary significantly from one organization to another.
Typically, these roles include those of a chief information officer (CIO), a database administrator,
system developers, data processing personnel, and end users.
IT OPPORTUNITIES AND RISKS
Opportunities Enabled by IT
Other opportunities that IT advances have enabled include enterprise resource planning (ERP)
systems and electronic data interchange (EDI):
ERP Systems. An ERP system is a modular software system that enables organizations to
integrate their business processes using a single operating database.
EDI. EDI involves the computer-to-computer exchange of business documents in electronic
form between an organization and its trading partners.
IT Risks
Each of the key components of information systems described earlier in the chapter represents a
potential source of risk. There are, however, certain types of IT risk that tend to be common
across organizations and industries.
IT GOVERNANCE
Consists of the leadership, organizational structures, and processes that ensure that the
enterprise's information technology sustains and supports the organization's strategies and
objectives.
IT RISK MANAGEMENT
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
IT CONTROLS
IT Governance Controls
IT Management Controls
Management is responsible for ensuring that IT controls are designed adequately and operating
effectively, taking into consideration the organization's objectives, the risks that threaten the
achievement of those objectives, and the organization's business processes and resources.
IT standards support IT policies by more specifically defining what is required to achieve the
organization's objectives. These standards should cover, for example:
IT organization and management controls provide assurance that the organization is structured
with clearly defined lines of reporting and responsibility and has implemented effective control
processes. Three important aspects of these controls are segregation of duties, financial controls,
and change management controls:
IT Technical Controls
System software facilitates the use of system hardware and includes, for example, operating
systems, network systems, database management systems, firewalls, and antivirus software. System
software controls restrict logical access to the organization's systems and applications, monitor
system usage, and generate audit trails. System software controls include, for example:
Access rights allocated and controlled according to the organization's stated policy.
Division of duties enforced through system software and other configuration controls.
Intrusion testing performed on a regular basis.
Encryption services applied where confidentiality is a stated requirement.
Change management processes, including patch management, in place to ensure a
tightly controlled process for applying all changes and patches to software, systems,
network components, and data.
Information security controls protect an information system from unauthorized physical and
logical access. Physical access controls provide security over tangible IT resources and include
such things as locked doors, surveillance cameras, and security guards. Logical access controls
provide security over software and information embedded in the system and include such things
as firewalls, encryption, login IDs, passwords, authorization tables, and computer activity logs.
Two Attribute Implementation Standards specifically address the IT proficiency internal auditors
must possess and the consideration they must give to using technology-based audit techniques:
1210.A3 Internal auditors must have sufficient knowledge of key information technology
risks and controls and available technology-based audit techniques to perform their assigned
work.
1220.A2 In exercising due professional care, internal auditors must consider the use of
technology-based audit and other data analysis techniques.
2110.A2 The internal audit activity must assess whether the information technology
governance of the organization supports the organization's strategies and objectives.
2120.A1 The internal audit activity must evaluate risk exposures relating to the
organization's information systems.
2130.A1 The internal audit activity must evaluate the adequacy and effectiveness of
controls in responding to risks within the organization's information systems.
IT Outsourcing
Integrating IT auditing into assurance engagements. The integration of IT controls directly into
business processes, together with the availability of user-friendly CAATs, is prompting a growing
number of internal audit functions to modify their audit approach. Instead of conducting separate
assurance engagements focused strictly on process-level IT risks and controls, these internal audit
functions assimilate IT risk and control assessments into assurance engagements conducted to
assess process-level financial reporting, operations, and/or compliance risks and controls.
The audit process is more efficient because: (1) engagements previously conducted separately
are combined, and (2) the identification and assessment of all key risks and controls are
consolidated in integrated audit engagements.
The IIA has a growing body of IT audit guidance. Two key components of this guidance are the
Global Technology Audit Guide (GTAG) and Guide to the Assessment of IT Risk (GAIT)
Practice Guides included in The IIA's International Professional Practices Framework:
The GTAG Practice Guides. The GTAG Practice Guides address timely issues related
to information technology (IT) management, control, and security.
The GAIT Practice Guides. The GAIT Practice Guides describe the relationships among
business risk, key controls within business processes, automated controls and other
critical IT functionality, and key controls within IT general controls. Each guide
addresses a specific aspect of IT risk and control assessment.
10 Opportunities for the internal audit function to provide insight on IT risks and controls
1. Ensure IT risks are included in the annual risk assessment.
2. Provide insight to new systems development and IT infrastructure projects.
3. Integrate the review of IT in every audit.
4. Understand how IT can enhance internal audit productivity and control processes
throughout the organization.
5. Provide control recommendations as new technology is deployed.
6. Educate management about emerging IT risks and controls that can be implemented to
mitigate those risks.
7. Volunteer to pilot emerging IT projects to provide insight into control issues prior to
deployment of new technology.
8. Employ IT specialists as subject matter experts for audit engagements involving
extensive IT complexity.
9. Keep management and the board apprised of major IT risks that may impact the
organization.
10. Understand new technology that impacts the organization regardless of whether the
organization currently employs it.
Appendix
It is important that audit evidence is documented appropriately in the audit working papers,
as explained briefly in Chapter 4. Audit working papers perform several functions that are
important to a successful audit:
1. They document and organize the accumulated evidence used to develop the audit report.
2. They provide a central, ongoing reference during the audit, including planning
information and a growing body of evidence, so that the audit can proceed effectively and
efficiently.
3. They provide a convenient reference for audit follow-up, work that largely depends upon
previous audit work, findings, and recommendations.
4. They facilitate a convenient, well-documented review of both the overall performance of
the audit team and the individual auditors.
This appendix discusses five aspects of audit working papers: (1) content and organization,
(2) management, (3) preparation of individual working papers, (4) tick marks, and (5)
computerization.
The specific content of a set of working papers will depend on the operation or activity
under examination, the objectives and scope of the audit, the nature of specific audit tests,
and even the personal preferences of the auditors performing the work. Also, different
auditors and auditing departments organize working papers in different ways. Our discussion
presents one approach that describes the general content of audit working papers, their
organization, and their system of numbering.
Review. As an audit progresses from step to step, the working papers are reviewed by
the level immediately above the auditor who prepared them. For example, the authorization
form is usually prepared by the audit manager assigned to the audit.
Ownership and Security. The audit working papers belong to the organization and are
not the property of the individual auditor. If a person terminates employment in the internal
auditing department of an organization, the working papers prepared by that individual
remain filed in the department.
As you have studied the importance of the auditor's working papers in general, you
probably have surmised the care with which individual working papers are prepared. These
guidelines include the following:
While these standards are quite general, they outline the various dimensions required
for the preparation of quality working papers.
4. Tick Marks
In these illustrative working papers, you see an assortment of check marks, tiny
handwritten letters, and geometric figures written next to items related to specific
information in the audit tests. These figures are called tick marks. The tick marks represent
specific audit tests performed on the items listed. Because there are no standard or generally
accepted tick marks, different auditors and audit departments tend to develop and use their
own systems.
5. Computerization of Working Papers
A separate appendix at the end of Chapter 17 discusses microcomputer-assisted
auditing. There we illustrate how modern microcomputing techniques can be used to
facilitate the audit process. In that section, we discuss how typical word processing,
spreadsheet, data management, flowcharting, and statistical software can be used. One of the
primary uses of portable microcomputers in auditing is in the generation of working papers.
The advantages of using these machines to produce working papers are that they are fast,
neat, and can communicate directly from remote sites with other machines in the department
so that an entire audit can be reviewed while the auditors are still in the field. Interestingly,
the nature of the working papers and their formats do not change substantially from those
illustrated here.