
Use of social media provides many opportunities for organizations to increase the likelihood of
achieving objectives. Used effectively, social media can help organizations:

Increase revenue
Improve customer satisfaction and loyalty
Recruit and retain the best talent
Enhance product development and innovation
Enhance brand awareness and customer perception

At the same time, use of social media without appropriate oversight can introduce additional
risks, including:

Lack of, or ineffective, corporate governance around social media use
Lack of consideration of regulatory requirements
Failure to establish or monitor metrics around social media
Failure to establish an effective social networking policy

An internal auditor who works extensively in the area of computerized information systems must
possess deep IT risk, control, and audit expertise. Such auditors are commonly referred to as
information systems (IS) auditors or IT auditors. Although not every internal auditor needs the
expertise of an IT audit specialist, at a minimum every internal auditor must have a sound
understanding of certain fundamental IT concepts.

This chapter first provides an overview of selected key components of modern information
systems. The opportunities and risks associated with IT are then described. This is followed by
coverage of IT governance, risk management, and controls. The chapter then addresses the
implications of IT for internal auditors and concludes with the identification of sources of IT
audit guidance.

KEY COMPONENTS OF MODERN INFORMATION SYSTEMS

Computer hardware. Computer hardware comprises the physical components of an information
system. Hardware includes, for example, central processing units (CPUs), servers, workstations
and terminals, computer chips, input/output devices such as scanners and printers, storage devices
such as disk drives, and communication devices such as modems and wireless routers.

Networks. A computer network links two or more computers or devices so they can share
information and/or workload. There are many types of networks:

A client-server network connects one or more client computers with a server, and data
processing is shared between the client(s) and the server in a manner that optimizes
processing efficiency.
A local area network (LAN) spans a relatively small area such as a building or group of
adjacent buildings.
A wide area network (WAN) comprises a system of LANs connected together to span a
regional, national, or global area.
An intranet is an organization's private network, accessible only to that organization's
personnel.
An extranet is accessible to selected third parties such as authorized suppliers and/or
customers.
A value-added network (VAN) is a third-party network that connects an organization with
its trading partners.
The Internet (interconnected networks) is the very large and complex public system of
computer networks that enables users to communicate globally.
Two devices can also share information just between themselves without being attached to
any other network.

Computer software. Computer software includes operating system software, utility software,
database management system (DBMS) software, application software, and firewall software.

Databases. A database is a large repository of data, typically contained in many linked files and
stored in a manner that allows the data to be easily accessed, retrieved, and manipulated.

Information. Information is a key resource for all enterprises, and from the time that information
is created to the moment that it is destroyed, technology plays a significant role.

People. Specific information system roles vary significantly from one organization to another.
Typically, these roles include those of a chief information officer (CIO), a database administrator,
system developers, data processing personnel, and end users.

IT OPPORTUNITIES AND RISKS

Opportunities Enabled by IT

Other opportunities that IT advances have enabled include enterprise resource planning (ERP)
systems and electronic data interchange (EDI):

ERP systems. An ERP system is a modular software system that enables organizations to
integrate their business processes using a single operating database.
EDI. EDI involves the computer-to-computer exchange of business documents in electronic
form between an organization and its trading partners.

IT Risks

Each of the key components of information systems described earlier in the chapter represents a
potential source of risk. There are, however, certain types of IT risk that tend to be common
across organizations and industries.

Selection risk. Selection of an IT solution that is misaligned with a strategic objective
may preclude the execution of the IT-dependent strategy.
Development/acquisition and deployment risk. Problems encountered as the IT solution is
being developed/acquired and deployed may cause unforeseen delays, cost overruns, or
even abandonment of the project.
Availability risk. Unavailability of the system when needed may cause delays in decision-
making, business interruptions, lost revenue, and customer dissatisfaction.
Hardware/software risk. Failure of hardware/software to perform properly may cause
business interruptions, temporary or permanent damage to or destruction of data, and
hardware/software repair or replacement costs.
Access risk. Unauthorized physical or logical access to the system may result in theft or
misuse of hardware, malicious software modifications, and theft, misuse, or destruction
of data.
System reliability and information integrity risk. Systematic errors or inconsistencies in
processing may produce irrelevant, incomplete, inaccurate, and/or untimely information.
Confidentiality and privacy risk. Unauthorized disclosure of business partners' proprietary
information or individuals' personal information may result in loss of business, lawsuits,
negative press, and reputation impairment.
Fraud and malicious acts risk. Theft of IT resources, intentional misuse of IT resources,
or intentional distortion or destruction of information may result in financial losses and/or
misstated information that decision makers rely upon.

IT GOVERNANCE

As defined by the IIA, IT governance:

Consists of the leadership, organizational structures, and processes that ensure that the
enterprise's information technology sustains and supports the organization's strategies and
objectives.

IT RISK MANAGEMENT

Each component of the risk management framework is relevant to IT risk management:

Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring

IT CONTROLS

IT Governance Controls

As illustrated in Exhibit 7-4, IT governance controls comprise IT policies. These policies
establish the nature of the controls that should be in place and address, for example:

A general policy on the level of security and privacy throughout the organization
A statement on the classification of information and the rights of access at each level
A definition of the concepts of data and system ownership, as well as the authority
necessary to originate, modify, or delete information
Personnel policies that define and enforce conditions for staff in sensitive areas
Definitions of overall business continuity planning requirements

IT Management Controls

Management is responsible for ensuring that IT controls are designed adequately and operating
effectively, taking into consideration the organization's objectives, the risks that threaten the
achievement of those objectives, and the organization's business processes and resources.

IT standards support IT policies by more specifically defining what is required to achieve the
organization's objectives. These standards should cover, for example:

System development processes
System software configuration
Application controls
Data structures
Documentation

IT organization and management controls provide assurance that the organization is structured
with clearly defined lines of reporting and responsibility and has implemented effective control
processes. Three important aspects of these controls are segregation of duties, financial controls,
and change management controls:

Segregation of duties is a vital element of many controls. An organization's structure
should not allow responsibility for all aspects of processing data to rest with one
individual.
Because organizations make considerable investments in IT, budgetary and other
financial controls are necessary to ensure the technology yields a return on that
investment, and processes should be in place to collect, analyze, and report on these issues.
Change management processes ensure that changes to the IT environment, system
software, application systems, and data are applied in a manner that enforces appropriate
segregation of duties; ensures that changes work and are implemented as required; and
prevents changes from being exploited for fraudulent purposes.

IT physical and environmental controls protect information system resources (hardware,
software, documentation, and information) from accidental or intentional damage, misuse, or
loss. Such controls include, for example:

Locating servers in locked rooms to which access is restricted
Restricting server access to specific individuals
Providing fire detection and suppression equipment
Housing sensitive equipment, applications, and data away from environmental hazards
such as flood plains, flight paths, or flammable liquid stores

IT Technical Controls

System software facilitates the use of system hardware and includes, for example, operating
systems, network systems, database management systems, firewalls, and antivirus software. System
software controls restrict logical access to the organization's systems and applications, monitor
system usage, and generate audit trails. System software controls include, for example:

Access rights allocated and controlled according to the organization's stated policy
Division of duties enforced through system software and other configuration controls
Intrusion testing performed on a regular basis
Encryption services applied where confidentiality is a stated requirement
Change management processes, including patch management, in place to ensure a
tightly controlled process for applying all changes and patches to software, system and
network components, and data

Information Security Controls

Information security controls protect an information system from unauthorized physical and
logical access. Physical access controls provide security over tangible IT resources and include
such things as locked doors, surveillance cameras, and security guards. Logical access controls
provide security over software and information embedded in the system and include such things
as firewalls, encryption, login IDs, passwords, authorization tables, and computer activity logs.
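The logical access controls just listed, together with the segregation-of-duties and division-of-duties controls described under IT organization and management controls and system software controls, can be shown working together in a small model. The following is an added example written for this edition, not code from the textbook or from any real access-control product; every role, duty, user and conflict pair in it is constructed for illustration. It implements an authorization table (which duties each role may perform), a preventive check that refuses any role grant creating a segregation-of-duties conflict, a detective review of existing assignments, and a computer activity log that records every attempt, allowed or denied.

```python
"""Toy logical-access control layer: an authorization table, a segregation-of-
duties (SoD) conflict list, and a computer activity log (audit trail).
Added example, not code from the textbook; every role, duty, user and conflict
pair below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Authorization table: the duties each role may perform (constructed).
ROLE_DUTIES = {
    "ap_clerk":   {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "treasury":   {"release_payment"},
    "developer":  {"change_code"},
    "operator":   {"deploy_to_production"},
}

# Duty pairs that one individual must never hold together (constructed).
SOD_CONFLICTS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"change_code", "deploy_to_production"}),
]


@dataclass
class AccessControl:
    assignments: dict = field(default_factory=dict)   # user -> set of roles
    audit_trail: list = field(default_factory=list)   # computer activity log

    def _log(self, actor, action, target, outcome):
        self.audit_trail.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "target": target, "outcome": outcome,
        })

    def duties_of(self, user):
        roles = self.assignments.get(user, set())
        return set().union(*(ROLE_DUTIES[r] for r in roles))

    @staticmethod
    def sod_violations(duties):
        """Conflict pairs fully contained in a set of duties, each as a sorted list."""
        return [sorted(c) for c in SOD_CONFLICTS if c <= duties]

    def grant_role(self, admin, user, role):
        """Preventive control: refuse any grant that would create an SoD conflict."""
        if role not in ROLE_DUTIES:
            self._log(admin, "grant_role", f"{user}:{role}", "denied_unknown_role")
            return False
        if self.sod_violations(self.duties_of(user) | ROLE_DUTIES[role]):
            self._log(admin, "grant_role", f"{user}:{role}", "denied_sod_conflict")
            return False
        self.assignments.setdefault(user, set()).add(role)
        self._log(admin, "grant_role", f"{user}:{role}", "granted")
        return True

    def authorize(self, user, duty):
        """Logical access check against the authorization table; every attempt is logged."""
        allowed = duty in self.duties_of(user)
        self._log(user, duty, "-", "allowed" if allowed else "denied")
        return allowed

    def sod_review(self):
        """Detective control an auditor would run: who currently holds conflicting duties."""
        result = {}
        for user in self.assignments:
            conflicts = self.sod_violations(self.duties_of(user))
            if conflicts:
                result[user] = conflicts
        return result


def demo():
    ac = AccessControl()
    ac.grant_role("secadmin", "alice", "ap_clerk")
    ac.grant_role("secadmin", "bob", "ap_manager")
    # alice already creates vendors; letting her approve payments is an SoD conflict
    blocked = ac.grant_role("secadmin", "alice", "ap_manager")
    # Simulate a direct back-end assignment that bypassed grant_role; this is
    # exactly the kind of drift a periodic SoD review is meant to catch.
    ac.assignments["bob"].add("treasury")
    return ac, blocked


if __name__ == "__main__":
    ac, blocked = demo()
    print("grant blocked:", blocked)
    print("SoD review:", ac.sod_review())
    for entry in ac.audit_trail:
        print(entry)
```

The point of the example is the pairing: the preventive check in grant_role stops a conflicting grant at the source, but it only sees grants that go through it, so the detective sod_review over the actual assignment table is what an auditor relies on to find conflicts introduced some other way. The activity log records denied attempts as well as successes, because a pattern of denials is itself audit evidence.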

IMPLICATIONS OF IT FOR INTERNAL AUDITORS


IT Proficiency and Due Professional Care

Two Attribute Implementation Standards specifically address the IT proficiency internal auditors
must possess and the consideration they must give to using technology-based audit techniques:

1210.A3 Internal auditors must have sufficient knowledge of key information technology
risks and controls and available technology-based audit techniques to perform their assigned
work.

1220.A2 In exercising due professional care, internal auditors must consider the use of
technology-based audit and other data analysis techniques.

Assurance Engagement IT Responsibilities

2110.A2 The internal audit activity must assess whether the information technology
governance of the organization supports the organization's strategies and objectives.

2120.A1 The internal audit activity must evaluate risk exposures relating to the
organization's information systems.

2130.A1 The internal audit activity must evaluate the adequacy and effectiveness of
controls in responding to risks within the organization's information systems.

IT Outsourcing

GTAG 7: Information Technology Outsourcing describes in detail some of the key IT
outsourcing considerations that warrant the attention of the internal audit function.

IT outsourcing. Transferring IT functions to an outside provider to achieve cost reductions while
improving service quality and efficiency.

Integrated and Continuous Auditing

Integrating IT auditing into assurance engagements. The integration of IT controls directly into
business processes, together with the availability of user-friendly CAATs, is prompting a growing
number of internal audit functions to modify their audit approach. Instead of conducting separate
assurance engagements focused strictly on process-level IT risks and controls, these internal audit
functions assimilate IT risk and control assessments into assurance engagements conducted to
assess process-level financial reporting, operations, and/or compliance risks and controls.

The audit process is more efficient because : (1) engagements previously conducted separately
are combined and (2) the identification and assessment of all key risks and controls are
consolidated in integrated audit engagements.

As described in GTAG 3, continuous auditing comprises two main activities:

Continuous controls assessment, the purpose of which is to focus audit attention on
control deficiencies as early as possible
Continuous risk assessment, the purpose of which is to highlight processes or systems
that are experiencing higher than expected levels of risk
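The two continuous auditing activities above, applied to the change management controls described earlier in the chapter, are illustrated by the following added example. It is written for this edition and is not code from the textbook, from GTAG 3 or from any real tool; the change-log format, the ticket store and the risk threshold are assumptions, and all records are constructed. The continuous controls assessment tests every production change against its approved change ticket (ticket exists, right system, within the approved window, implementer is not also the approver) and reports the exceptions; the continuous risk assessment then rolls those exceptions up per system to show which systems are running a higher-than-expected exception rate.

```python
"""Continuous controls assessment and continuous risk assessment over a
production change log. Added example, not from the textbook or GTAG 3; the
log format, ticket store and threshold are assumptions and all data is
constructed."""
import csv
import io
from datetime import datetime

# Approved change tickets (constructed). start/end is the approved implementation window.
TICKETS = {
    "CHG-1001": {"system": "erp",    "approver": "cab",  "start": "2024-03-04T20:00", "end": "2024-03-04T23:00"},
    "CHG-1002": {"system": "edi-gw", "approver": "cab",  "start": "2024-03-05T01:00", "end": "2024-03-05T03:00"},
    "CHG-1003": {"system": "erp",    "approver": "dave", "start": "2024-03-06T20:00", "end": "2024-03-06T22:00"},
}

# Change log as a deployment tool might emit it (constructed sample lines).
CHANGE_LOG = """\
timestamp,system,implementer,ticket,object
2024-03-04T21:15,erp,carol,CHG-1001,payroll_calc.pkg
2024-03-05T02:10,edi-gw,erin,CHG-1002,partner_map.xml
2024-03-05T14:30,erp,carol,,vendor_master_trigger.sql
2024-03-06T23:40,erp,dave,CHG-1003,gl_posting.pkg
2024-03-07T09:05,crm,frank,CHG-9999,lead_scoring.py
"""


def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))


def assess_change(rec, tickets=TICKETS):
    """Return the control exceptions for one change record (empty list = clean)."""
    if not rec["ticket"]:
        return ["no_ticket"]                      # change applied with no approval at all
    ticket = tickets.get(rec["ticket"])
    if ticket is None:
        return ["unknown_ticket"]                 # references a ticket that does not exist
    issues = []
    when = datetime.fromisoformat(rec["timestamp"])
    if ticket["system"] != rec["system"]:
        issues.append("system_mismatch")          # ticket approved for a different system
    start, end = (datetime.fromisoformat(ticket[k]) for k in ("start", "end"))
    if not (start <= when <= end):
        issues.append("outside_window")           # applied outside the approved window
    if ticket["approver"] == rec["implementer"]:
        issues.append("self_approved")            # segregation-of-duties failure
    return issues


def continuous_controls_assessment(text=CHANGE_LOG):
    """Every change with at least one exception, in log order: (system, object, issues)."""
    return [(r["system"], r["object"], assess_change(r))
            for r in parse_log(text) if assess_change(r)]


def continuous_risk_assessment(text=CHANGE_LOG, threshold=0.5):
    """Per-system exception rate, plus the systems whose rate exceeds the threshold."""
    totals, failed = {}, {}
    for r in parse_log(text):
        totals[r["system"]] = totals.get(r["system"], 0) + 1
        if assess_change(r):
            failed[r["system"]] = failed.get(r["system"], 0) + 1
    rates = {s: failed.get(s, 0) / n for s, n in totals.items()}
    return rates, sorted(s for s, rate in rates.items() if rate > threshold)


if __name__ == "__main__":
    for system, obj, issues in continuous_controls_assessment():
        print(f"{system:7s} {obj:28s} {', '.join(issues)}")
    rates, flagged = continuous_risk_assessment()
    print("exception rates:", rates)
    print("systems above threshold:", flagged)
```

In practice the ticket store would be the change management system's own data and the log would be pulled on a schedule, but the two functions keep their roles: the controls assessment feeds individual deficiencies to the auditor as soon as they appear, and the risk assessment decides where the next engagement's attention should go. A short sample like this also shows why the two are kept separate; a single unapproved change is a control deficiency regardless of the system's overall rate.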

SOURCES OF IT AUDIT GUIDANCE

The IIA has a growing body of IT audit guidance. Two key components of this guidance are the
Global Technology Audit Guide (GTAG) and Guide to the Assessment of IT Risk (GAIT)
Practice Guides included in The IIA's International Professional Practices Framework:

The GTAG Practice Guides. The GTAG Practice Guides address timely issues related
to information technology (IT) management, control, and security.
The GAIT Practice Guides. The GAIT Practice Guides describe the relationships among
business risk, key controls within business processes, automated controls and other
critical IT functionality, and key controls within IT general controls. Each guide
addresses a specific aspect of IT risk and control assessment.

Other IT audit guidance available through The IIA includes :

Numerous publications, including IIA Research Foundation handbooks and research
monographs, which can be purchased from The IIA Research Foundation Bookstore.
The ITAudit portion of Internal Auditor Online, which, before January 2009, was a
separate online publication of IT audit articles.

OPPORTUNITIES FOR INSIGHT

Ten opportunities for the internal audit function to provide insight on IT risks and controls:
1. Ensure IT risks are included in the annual risk assessment.
2. Provide insight to new systems development and IT infrastructure projects.
3. Integrate the review of IT in every audit.
4. Understand how IT can enhance internal audit productivity and control processes
throughout the organization.
5. Provide control recommendations as new technology is deployed.
6. Educate management about emerging IT risks and the controls that can be implemented to
mitigate those risks.
7. Volunteer to pilot emerging IT projects to provide insight into control issues prior to
deployment of new technology.
8. Employ IT specialists as subject matter experts for audit engagements involving
extensive IT complexity.
9. Keep management and the board apprised of major IT risks that may impact the
organization.
10. Understand new technology that impacts the organization regardless of whether the
organization currently employs it.

Appendix

DOCUMENTING AUDIT EVIDENCE: WORKING PAPERS

It is important that audit evidence is documented appropriately in the audit working papers,
as explained briefly in Chapter 4. Audit working papers perform several functions that are
important to a successful audit:

1. They document and organize the accumulated evidence used to develop the audit report.
2. They provide a central, ongoing reference during the audit, including planning
information and a growing body of evidence, so that the audit can proceed effectively and
efficiently.
3. They provide a convenient reference for audit follow-up, work that largely depends upon
previous audit work, findings, and recommendations.
4. They facilitate a convenient, well-documented review of both the overall performance of
the audit team and the individual auditors.

This appendix discusses five aspects of audit working papers: (1) content and organization,
(2) management, (3) preparation of individual working papers, (4) tick marks, and (5)
computerization.

1. Content and Organization

The specific content of a set of working papers will depend on the operation or activity
under examination, the objectives and scope of the audit, the nature of specific audit tests,
and even the personal preferences of the auditors performing the work. Also, different
auditors and auditing departments organize working papers in different ways. Our discussion
presents one approach that describes the general content of audit working papers, their
organization, and system of numbering.

2. Management of Working Papers

Two important considerations in the management of working papers include (1)


review, (2) ownership and security.

Review. As an audit progresses from step to step, the working papers are reviewed by
the level immediately above that auditor who prepared them. For example, the authorization
form is usually prepared by the audit manager assigned to the audit.

Ownership and Security. The audit working papers belong to the organization and are
not the property of the individual auditor if a personal terminates employment in the internal
auditing department of a an organization, the working papers prepared by that individual
remain filed in the department.

3. Preparation of Individual Working Papers

Having studied the importance of the auditor's working papers in general, you
have probably surmised the care with which individual working papers must be prepared. The
guidelines for preparing them include the following:

1. Completeness and accuracy
2. Clarity and understandability
3. Legibility and neatness
4. Relevance and an appropriate level of detail
5. Attention to design and layout

While these standards are quite general, they outline the various dimensions required
for the preparation of quality working papers.

4. Tick Marks

In these illustrative working papers, you see an assortment of check marks, tiny
handwritten letters, and geometric figures written next to items related to specific
information in the audit tests. These figures are called tick marks. The tick marks represent
specific audit tests performed on the items listed. Because there are no standard or generally
accepted tick marks, different auditors and audit departments tend to develop and use their
own systems.
5. Computerization of Working Papers

A separate appendix at the end of Chapter 17 discusses microcomputer-assisted
auditing. There we illustrate how modern microcomputing techniques can be used to
facilitate the audit process. In that section, we discuss how typical word processing,
spreadsheet, data management, flowcharting, and statistical software can be used. One of the
primary uses of portable microcomputers in auditing is in the generation of working papers.
The advantages of using these machines to produce working papers are that they are fast and
neat, and they can communicate directly from remote sites with other machines in the department
so that an entire audit can be reviewed while the auditors are still in the field. Interestingly,
the nature of the working papers and their formats do not change substantially from those
illustrated here.
