
IT Governance and Audit

Overview
• Impact of IT on organizations
• IT governance
• IT auditing
• Work of IT auditors
• Financial and IT audit

• IT collects transaction data
• IT turns data into information
• Computerized transaction systems increase some risks and decrease others

Opportunities
Transmit documents electronically to customers and vendors

Risks
Potential failure of electronic communication systems
[Diagram: Opportunities for Organizations. Labels: managing competencies; computer users; good decision making; preserving data; IT application]

[Diagram: Risks for Organizations. Labels: destruction of self image; computer abuse; high cost of incorrect decision making; cost of data loss; IT application ?]

• The process for controlling an organization's IT resources (including information and communication systems and technology)

• The use of IT
  o to promote an organization's objectives,
  o to enable business processes, and
  o to manage and control IT-related risks.
• IT governance begins with setting IT objectives, then measures and compares performance against them (COBIT)

Set Objectives
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT-related risks managed appropriately

IT Activities
• Increase automation (make the business effective)
• Decrease cost (make enterprise efficient)
• Manage risks (security, reliability and compliance)

Other labels in the cycle: Provide Direction, Compare, Measure Performance

Figure 1.1 The IT Governance Framework


“The process of collecting and evaluating evidence to determine whether computer systems safeguard assets, maintain data integrity, allow organizational goals to be achieved effectively, and use resources efficiently.”
[Diagram: Organizations. Labels: improve safeguarding of assets; improve data integrity; improve system effectiveness; improve systems efficiency. Base: compliance with regulations, rules or conditions]

Lecture 02-12 Examples on specific applications
• Ensure IT governance by
  o assessing risks and
  o monitoring controls over those risks
• As internal or external auditor
• Involved in any audit engagement…

…audit engagement
• Evaluate controls over specific applications
• Provide assurance over specific processes
• Provide third-party assurance
• Conduct penetration testing
• Search for IT-based fraud
• Support financial audit
• Financial statements in accordance with generally accepted accounting principles (GAAP)
• Increased reliance on computer technology in processing and reporting
• Analyze internal control of systems to assess effectiveness of operation
• IT auditors may work on financial audit engagement
• IT auditors may work on every step of the financial audit
• Standards (such as SAS94) guide the work of IT auditors on financial audit
• IT audit work on financial audit engagement is likely to increase as internal control

Figure 1.2 Role of IT auditors in financial audit
[Diagram: Information Technology Auditing at the center, surrounded by traditional auditing, computer science, information systems management, and behavioral science]

• College education - IS, computer science, accounting
• Certifications - CPA, CFE, CIA, CISA, CISSP
• Technical IT skills - operating systems, enterprise resource planning systems, e-business, network security, specialized technologies
• General personal skills - presentation, interpersonal, teamwork, marketing
• Business process knowledge - financial, distribution, human resource, manufacturing processes

ISACA – CISA
• Information Systems Audit and Control Association (ISACA)
• Founded 1969
• The largest, > 25000 members
• Certified Information Systems Auditor (CISA)

IIA – CIA
• The Institute of Internal Auditors (IIA)
• Established in 1941
• Produces journal, hosts professional meetings and education seminars, conducts research
• Certified Internal Auditor (CIA)

ACFE – CFE
• Association of Certified Fraud Examiners (ACFE)
• Specialized in auditing fraud
• Certified Fraud Examiner (CFE)

AICPA – CPA and CITP
• The American Institute of Certified Public Accountants (AICPA)
• 350,000 accounting professional membership
• Certified Public Accountant (CPA)
• Certified Information Technology Professional (CITP)

• Explain the need for information technology auditing in IT organizations.
• Differentiate the steps in conducting IT auditing and types of IT auditing.
• Formulate appropriate internal controls for major IT threats, based on an IT governance framework.
