GS BUSA 497 CH 1 Information Technology Environment and IT Audit
Learning Objectives
1. Discuss how technology is constantly evolving and shaping today's business (IT) environments. 2. Discuss the auditing profession and define financial auditing. 3. Differentiate between the two types of audit functions that exist today (internal and external). 4. Explain what IT auditing is and summarize its two broad groupings. 5. Describe current IT auditing trends, and identify the needs to have an IT audit. 6. Explain the various roles of the IT auditor. 7. Support why IT audit is considered a profession. 8. Describe the profile of an IT auditor in terms of experience and skills required. 9. Discuss career opportunities available to IT auditors.
Educational Curricula Various universities have developed curricula tailored to support the profession of IT auditing. Although the curricula at these universities constantly evolve, they currently exist at institutions such as Bentley University (Massachusetts), Bowling Green State University (Ohio), California State Polytechnic University, University of Mississippi, University of Texas, Georgia State University, University of Maryland, University of Tennessee, National Technological University (Argentina), University of British Columbia (Canada), York University (Canada), and the Hong Kong University of Science and Technology, among others. Graduates from these programs qualify for 1 year work experience toward their CISA certification.
A Model Curriculum for undergraduate and graduate education in IS and IT audit education was initially issued in March 1998 and updated in 2004, 2009, and 2011 by the IS Audit and Control Association and Foundation. The purpose of the Model is to provide colleges, universities, and/or educational institutions the necessary tools to educate students, and prepare them to enter the IT audit profession.
The Auditing Profession Computers have been in use commercially since 1952. Computer-related crimes were reported as early as 1966. However, it was not until 1973, when the significant problems at Equity Funding Corporation of America (EFCA) surfaced, that the auditing profession looked seriously at the lack of controls in computer information systems (IS).
In 2002, almost 30 years later, another major fraud resulted from corporate and accounting scandals (Enron and WorldCom), which brought skepticism and downfall to the financial markets.
The attest function encompasses
all activities and responsibilities associated with the rending of an audit opinion on the fairness of the financial statements. Besides the accounting and auditing skills involved in performing the attest function, these external auditors also must have substantial IT audit experience. SOX now governs their role and limits of services that can be offered beyond audit.
Challenges of Big Data include, for instance,
analysis, capture, data curation, search, sharing, storage, transfer, visualization, querying, as well as updating.
Nowadays, IT auditors are expected to be well aware of the organization's IT infrastructure, policies, and operations
before embarking in their reviews and examinations. More importantly, IT auditors must be capable of determining whether the IT controls in place by the organization ensure data protection and adequately align with the overall organization goals. Professional associations and organizations such as ISACA, the American Institute of Certified Public Accountants (AICPA), the Canadian Institute of Chartered Accountants (CICA), Institute of Internal Auditors (IIA), Association of Certified Fraud Examiners (ACFE), and others have issued guidance, instructions, and supported studies and research in audit areas.
A third group of standards, called the International Financial Reporting Standards (IFRS), has been recently created by the International Accounting Standards Board (IASB)* to respond to the
increasing global business environment and address the need to compare financial statements prepared in different countries. The AICPA defines IFRS as the "set of accounting standards developed by the IASB that is becoming the global standard for the preparation of public company financial statements." While many of the global organizations have already migrated to IFRS, the United States has yet to do so.
The term "information assurance" is defined as
information integrity (the level of confidence and trust that can be placed on the information) and service availability. In all contexts, whether business or government, it means safeguarding the collection, storage, transmission, and use of information. The ultimate goal of information assurance is to protect users, business units, and enterprises from the negative effects of corruption of information or denial of services.
An IS, represented by three components (i.e., people, process, and IT), is
the combination of strategic, managerial, and operational activities involved in managing information. The IT component of an IS involves the hardware, software, communication, and other facilities necessary to manage (i.e., input, store, process, transmit, and output) such information. Refer to Exhibit 1.2.
Within the United States, internal auditors from government agencies often come together to meet and exchange experiences through conferences or forums. For example,
the Intergovernmental Audit Forum is an example of an event where auditors come together from city, county, state, and federal environments to exchange experiences and provide new information regarding audit techniques and methods. The IIA also holds a national conference that draws an auditor population from around the world, both private and government, to share experiences and discuss new audit methods and techniques.
From an information assurance perspective, the capabilities that we must defend can be viewed broadly in terms of four major elements:
local computing environments, their boundaries, networks that link them together, and their supporting infrastructure. The U.S. National Strategy for Securing Cyberspace is one of those initiatives.
Of course, the responsibility for ensuring that adequate internal controls are in place rests with
management. The audit's primary role, except in areas of management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner. Management's role is to ensure and the auditors' role is to assure.
Nevertheless, organizations should monitor and control the tasks performed by employees when using mobile devices, and ensure employees remain focused and productive. It does represent a risk to the organization's security and a distraction to employees when
mobile devices are used for personal and work purposes. Additionally, allowing direct access to corporate information always represents an ongoing risk, as well as raises security and compliance concerns to the organization.
A fine line exists between what is ethical and what is legal. Something can be ethically wrong but still legal. However, with that being said,
some things initially thought to be unethical become illegal over time. If there is a large enough population opposed to something ethically incorrect, you will see legislation introduced to make it illegal.
The AICPA issued in 1993 a document called
"Reporting on an Entity's Internal Control Structure over Financial Reporting (Statement on Standards for Attestation Engagements 2)" to further define the importance of internal control in the attestation engagement. Within the CPA profession in the United States, two groups of principles and standards have been developed that affect the preparation of financial statements by publicly held companies and the procedures for their audit examination by CPA firms: Generally Accepted Accounting Principles (GAAP) and Generally Accepted Auditing Standards (GAAS).
When EFCA declared bankruptcy in 1973, the minimum direct impact and losses from illegal activity were reported to be as much as
$200 million. Further estimates from this major financial fraud escalated to as much as $2 billion, with indirect costs such as legal fees and depreciation included. These losses were the result of a "computer-assisted fraud" in which a corporation falsified the records of its life insurance subsidiary to indicate the issuance of new policies. In addition to the insurance policies, other assets, such as receivables and marketable securities, were recorded falsely. These fictitious assets should have been revealed as non-existent during the corporation's regular year-end audits but were never discovered.
The need for better controls over IT has been echoed in the past by prior studies such as the
AICPA Committee of Sponsoring Organizations of the Treadway Commission (COSO); International Organization for Standardization (ISO) 17799 and 27000; the IIA Systems Auditability and Control Report; Guidelines for the Security of IS by the OECD; the U.S. President's Council on Integrity and Efficiency in Computer Audit Training curriculum; and the United States' National Strategy for Securing Cyberspace released in 2002; among others.
Role of the IT Auditor The auditor evaluating today's complex systems must have highly developed technical skills to understand the evolving methods of information processing. Contemporary systems carry risks such as non-compatible platforms, new methods to penetrate security through communication networks (e.g., the Internet), and the rapid decentralization of information processing with the resulting loss of centralized controls.
As the use of IT in organizations continues to grow, auditing computerized systems must be accomplished without many of the guidelines established for the traditional auditing effort. In addition, new uses of IT introduce new risks, which in turn require new controls. IT auditors are in a unique position to evaluate the relevance of a particular system to the enterprise as a whole. Because of this, the IT auditor often plays a role in senior management decision making.
Cloud Computing Cloud computing, as defined by PC Magazine, refers to the use of the Internet (versus one's computer's hard drive) to store and access data and programs. In a more formal way, the National Institute of Standards and Technology (NIST) defines cloud computing as a "model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." NIST also stress that availability is significantly promoted by this particular (cloud) model.
Based on the July 2015's ISACA Innovation Insights report, cloud computing is considered one of the key trends driving business strategy. The International Data Corporation, in its 2015 publication, also predicts that cloud computing will grow at 19.4% annually over the next 5 years.
IT Governance There have been many changes in the way enterprises address IT issues, resulting in a renewed focus on the concepts of IT governance.
CEOs, Chief Financial Officers, Chief Operating Officers, Chief Technology Officers, and Chief Information Officers agree on the founding principles of IT governance, which focus on strategic alignment between IT and enterprise objectives. This, in turn, creates changes to tactical and day-to-day operational management of IT in the organization.
IT Auditing Trends Computing has become indispensable to the activities of organizations worldwide. The Control Objectives for Information and Related Technology (COBIT) Framework was created in 1995 by ISACA.
COBIT, now on its fifth edition, emphasizes this point and substantiates the need to research, develop, publicize, and promote up-to-date, internationally accepted IT control objectives. In earlier documents such as the 1993 discussion paper "Minimum Skill Levels in Information Technology for Professional Accountants" and their 1992 final report "The Impact of Information Technology on the Accountancy Profession," the International Federation of Accountants (IFAC) acknowledges the need for better university-level education to address growing IT control concerns and issues.
Other licenses and certifications relevant to the IT auditor include the following:
CPA, Certified Chartered Accountant (CA), Certified Internal Auditor (CIA), Certified Computer Professional (CCP), Certified Government Financial Manager (CGFM), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), AICPA's Certified Information Technology Professional (CITP), and Certified Fraud Examiner (CFE).
The early components of IT auditing were drawn from several areas. IT auditing became an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems.
First, traditional auditing contributes knowledge of internal control practices and the overall control philosophy. Another contributor was IS management, which provides methodologies necessary to achieve successful design and implementation of systems. The field of behavioral science provided such questions and analysis to when and why IS are likely to fail because of people problems. Finally, the field of computer science contributes knowledge about control concepts, discipline, theory, and the formal models that underlie hardware and software design as a basis for maintaining data validity, reliability, and integrity.
IT Auditor as Partner of Senior Management Although the IT auditor's roles of counselor and skilled technician are vital to successful company operation, they may be irrelevant if the auditor fails to view auditing in relation to the organization as a whole. A system that appears well controlled may be inconsistent with the operation of a business.
Decisions concerning the need for a system traditionally belonged to management, but because of a combination of factors (mostly the complex technology of the computer), computer system audits were not successfully performed. Management needs the support of a skilled computer staff that understands the organization's requirements, and IT auditors are in such a position to provide that information. They can provide management with an independent assessment of the effect of IT decisions on the business. In addition, the IT auditor can verify that all alternatives for a given project have been considered, all risks have been accurately assessed, the technical hardware and software solutions are correct, business needs will be satisfied, and costs are reasonable.
From a public accounting firm standpoint, firms such as
Deloitte, Ernst & Young, Pricewaterhouse Coopers, and KPMG (altogether referred to as the "Big Four") provide these types of external audit services worldwide. The external auditor is responsible for testing the reliability of client IT systems and should have a special combination of skills and experience.
Cons of ERP systems
Despite the many advantages of ERPs, they are not much different than purchased or packaged systems, and may therefore require extensive modifications to new or existing business processes. ERP modifications (i.e., software releases) require considerable programming to retrofit all of the organization-specific code. Because packaged systems are generic by nature, organizations may need to modify their business operations to match the vendor's method of processing, for instance. Changes in business operations may not fit well into the organization's culture or other processes, and may also be costly due to training. Additionally, as ERPs are offered by a single vendor, risks associated with having a single supplier apply (e.g., depending on a single supplier for maintenance and support, specific hardware or software requirements, etc.).
Enterprise Resource Planning (ERP)
ERP is software that provides standard business functionality in an integrated IT environment system (e.g., procurement, inventory, accounting, and human resources [HR]). Refer to Exhibit 1.1 for an illustration of the ERP modular system.
IT governance is the process by which an enterprise's IT is directed and controlled.
Effective IT governance helps ensure that IT supports business goals, maximizes business investment in IT, and appropriately manages IT-related risks. IT governance also helps ensure achievement of critical success factors by efficiently and effectively deploying secure, reliable information, and applied technology.
IT Auditor Prole: Experience and Skills Experience in IT audit is a definite must. Nothing in this world can compare to actual on-the-job, real-world experiences. Theory is also valuable, and for the most part an IT auditor should rely on theory to progress through an audit.
Experience comes with time and perseverance, as is well known, but auditors should not limit themselves to just one industry, software, or operating system. They should challenge themselves and broaden their horizons with a multitude of exposure in different environments, if possible. The broader and well rounded the IT auditor is, the better the chance for a successful audit career.
IT Auditor as Investigator As a result of increased legislation and the use of computer evidence within the courts, the ability to capture and document computer-generated information related to criminal activity is critical for purposes of prosecution. The awareness and use of computer-assisted tools and techniques in performing forensic support work have provided new opportunities for the IT auditor, IT security personnel, and those within law enforcement and investigation.
For the IT audit professional, computer forensics is an exciting, developing field. The IT auditor can work in the field of computer forensics or work side by side with a computer forensics specialist, supplying insight into a particular system or network. The specialists can ask the IT audit professionals questions pertaining to the system and get responses faster than having to do research and figure everything out on their own.
The IA group, if appropriately staffed with the resources, performs all year long monitoring and testing of IT activities within the control of the organization. Of particular concern to private corporations is the processing of data and the generation of information of financial relevance or materiality.
Given management's large part to play in the effectiveness of an IA function, their concern with the reliability and integrity of computer-generated information from which decisions are made is critical. In organizations where management shows and demonstrates concern about internal controls, the role of the IA grows in stature.
IT Audit: The Profession With the passage of the Homeland Security Act, the Patriot Act, and SOX, the role of the auditor (internal and external) is more critical to the verification and validation of the financial infrastructure.
IT auditing involves people, technology, operations, and systems. It is a dynamic and challenging profession with a future that brings growth into new areas such as IT security and computer forensics, to name a few. Today, IT auditors interact with managers, users, and technicians from all areas of most organizations. They must have interpersonal skills to interact with multiple levels of personnel and technical skills to understand the variety of technology used in information processing activity— especially technology used in generating and/or processing the company's financial information (e.g., financial statements, etc.). The IT auditor must also gain an understanding of and be familiarized with the operational environment to assess the effectiveness of the internal control structure. Finally, the IT auditor must understand the technological complexities of existing and future systems and the impact they have on operations and decisions at all levels.
Certification Certification is a vital component of a profession. As you prepare for entry into your profession, whether it is accounting, IS, or other business fields, certification will be the measure of your level of knowledge, skills, and abilities in the profession.
In IT auditing, the Certified Information Systems Auditor (CISA) is one of the main levels of recognition and attainment. There are certain requirements for candidates to become CISA certified, such as: ◾ Passing a rigorous written examination ◾ Evidencing a minimum of 5 years of professional IS auditing, control or security work experience ◾ Adhering to the ISACA's Code of Professional Ethics and the Information Systems Auditing Standards as adopted by ISACA ◾ Agreeing to comply with the CISA Continuing Education Policy
Internal versus External Audit Functions There are two types of audit functions that exist today. They have very important roles in assuring the validity and integrity of financial accounting and reporting systems.
Internal Audit Function The IIA defines internal auditing (IA) as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations." IA brings organizations a systematic and disciplined approach to assess and enhance their risk management, control, and governance processes, as well as to accomplish their goals and objectives. • Provides assurance to management that policies and procedures are implemented and working as intended, through: • monitoring and testing system reliability • detailed test work throughout the year External Audit Function The external audit function evaluates the reliability and the validity of systems controls in all forms. The principal objective in such evaluation is to minimize the amount of substantial auditing or testing of transactions required to render an opinion on the financial statements. • Independently evaluates the reliability of computer controls and the validity of the information: • To help render an opinion on the F/S and ICFR
Cloud computing risks
Nonetheless, organizations do not yet feel fully comfortable when storing their information and applications on systems residing outside of their on-site premises. Migrating information into a shared infrastructure (such as a cloud environment) exposes organizations' sensitive/critical information to risks of potential unauthorized access and exposure, among others.
As for the IT auditors of today, their advanced knowledge and skills will progress in two ways.
One direction is continued growth and skill in this profession, leading the way in computer audit research and development and progressing up the external and internal audit career paths. The other direction involves capitalizing on a thorough knowledge of organizational systems and moving into more responsible career areas in general management. Today, even in these economic times, the demand for qualified IT auditors exceeds the supply. IT governance has created vast opportunities for the IT auditor.
A Common Body of Knowledge Since 1975, there have been various studies identifying a common body of knowledge for the IT audit profession. A common body of knowledge consists of clearly identified areas in which a person must attain a specific level of understanding and competency necessary to successfully practice within the profession. These areas are categorized into core areas.
Organizations such as ISACA, AICPA, IIA, CICA, ISSA, InfoSec, and others around the world have issued major studies and papers on the topic of the knowledge, skills, and abilities needed to audit computer systems. Students, especially the ones with business and computer majors, receive a degree of base-level training in (1) auditing concepts and practices; (2) management concepts and practices; (3) computer systems, telecommunications, operations, and software; (4) computer information processing techniques; and (5) understanding of business on local and international scales.
Information Assurance Organizations increasingly rely on critical digital electronic information capabilities to store, process, and move essential data in planning, directing, coordinating, and executing operations. Powerful and sophisticated threats can exploit security weaknesses in many of these systems.
Outsourcing technological development to countries that could have terrorists on their development staff causes speculation that the potential exists for code to be implanted that would cause disruption, havoc, embezzlement, theft, and so on. These and other weaknesses that can be exploited become vulnerabilities that can jeopardize the most sensitive components of information capabilities. However, we can employ deep, layered defenses to reduce vulnerabilities and deter, defeat, and recover from a wide range of threats.
Career Opportunities There are a number of career opportunities available to the individual seeking an opportunity in IT audit. For the college graduate with the appropriate entry-level knowledge, skills, and abilities, this career provides many paths for growth and development.
Public Accounting Firms Public accounting firms offer individuals an opportunity to enter the IT auditing field. Although these firms may require such individuals to begin their careers in financial audits to gain experience in understanding the organization's audit methodologies, after initial audit experience the individual who expresses interest in a particular specialization (e.g., forensics, security, etc.) will be transferred to such specialty for further training and career development. Private Industry Like public accounting firms, private industry offers entry-level IT audit professional positions. In addition, IT auditors gain expertise in more specialized areas (i.e., telecommunications, systems software, and systems design), which can make them candidates for IT operations, IT forensics, and IT security positions. Many CEOs view audit experience as a management training function. The IT auditor has particular strengths of educational background, practical experience with corporate IS, and understanding of executive decision making. Management Consulting Firms Another area of opportunity for IT audit personnel is management consulting. This career area is usually available to IT auditors with a number of years' experience. Many management consulting practices, especially those that provide services in the computer IS environment, hire experienced IT auditors. This career path allows these candidates to use their particular knowledge, skills, and abilities in diagnosing an array of computer and management information issues and then assist the organization in implementing the solutions. Government The government offers another avenue for one to gain IT audit experience. In the United States, federal, state, county, and city governments employ personnel to conduct IT audit-related responsibilities. Federal organizations such as the NSA, FBI, Department of Justice, and the CIA employ personnel who have IT audit experience, computer security experience, and IT forensics experience. Governments worldwide also employ personnel to conduct IT audits. Government positions offer training and experience to personnel responsible for performing IT audit functions. Sources for government IT auditors are college recruits and employees seeking internal promotion or transfer. There are occasions when experienced resources may be hired from the outside as well.
GAAS provide broad guidelines, but not specific guidance. The profession has supplemented the standards by issuing statements of authoritative pronouncements on auditing. The most comprehensive of these is the SAS series.
SAS publications provide procedural guidance relating to many aspects of auditing. In 1985, the AICPA released a codification of the SAS No. 1-49. Today, the number of statements exceeds 120.
Perhaps today, the Sarbanes-Oxley Act of 2002 (SOX) will be a vivid reminder of the importance of due professional care.
SOX is a major reform package, mandating the most farreaching changes Congress has imposed on the business world since the FCPA of 1977 and the Securities and Exchange Commission (SEC) Act of 1934. Examples of some of these significant changes include the creation of a Public Company Accounting Oversight Board,* as well as the increase of criminal penalties for violations of securities laws.
Since 9/11, more coordinated efforts have been made by U.S. defense organizations such as the Defense Information Systems Agency to promulgate standards for the Defense Information Infrastructure and the Global Information Grid, which should have a positive impact on information assurance that will extend beyond the U.S. Department of Defense and impact all segments of the national economy.
The NSA has drafted and produced standards for IT security personnel that not only impact federal agencies but also corporate entities who contract IT services in support of the federal government. NIST, for example, has generated security guidance for Health Insurance Portability and Accountability Act compliance that impacts the medical profession and all corporations/ business servicing the health field who handle medical information. A similar example includes the Payment Card Industry Data Security Standards (PCI DSS), maintained, managed, and promoted by the PCI Security Standards Council (Council) worldwide.
External Audit Function External auditors are provided by public accounting firms and also exist in government as well. For example, the Government Accountability Office (GAO) is considered an external reviewer because it can examine the work of both federal and private organizations where federal funds are provided.
The Watchdogs of Congressional Spending provide a service to the taxpayer in reporting directly to Congress on issues of mismanagement and poor controls. Interestingly, in foreign countries, an Office of the Inspector General or Auditor General's Office within that country prepares similar functions. Also, the GAO has been a strong supporter of the International Audit Organization, which provides government audit training and guidance to its international audit members representing governments worldwide.
Continuing Education Certification requires continuing education so that those who are certified maintain a level of proficiency and continue their certification.
The breadth and depth of knowledge required to audit IT is extensive. For example, IT auditing involves the application of risk-oriented audit approaches; the use of computer-assisted audit tools and techniques (e.g., EnCase, CaseWare, Idea, ACL, Guardant, eTrust, CA-Examine, etc.); the application of national or international standards (i.e., ISO 9000/3, ISO 17799, ISO 27000, and related amendments to improve and implement quality systems in software development); the auditing of systems under development involving complex SDLC or new development techniques (e.g., prototyping, end-user computing, rapid systems development, etc.); and the auditing of complex technologies involving electronic data interchange, client servers, local and wide area networks, data communications, telecommunications, and integrated voice/data/video systems.
In 1973, the AICPA (major national professional organization of certified public accountants), in response to the events at EFCA, appointed a special committee to study whether the auditing standards of the day were adequate in such situations.
The committee was requested to evaluate specific procedures to be used and the general standards to be approved. In 1975, the committee issued its findings. Even though the special committee found that auditing standards were adequate, and that no major changes were called for in the procedures used by auditors, there were several observations and recommendations issued related to the use of computer programs designed to assist the examination of financial statements. Another critical review of the existing auditing standards was started in 1974, when the AICPA created its first standards covering this area. Then, 29 years later, the Enron-Arthur Andersen fiasco of 2002 took us back to 1973.
Other Technology Systems Impacting the IT Environment The Internet of Things (IoT) has a potential transformational effect on IT environments, data centers, technology providers, etc. Gartner, Inc. estimates that by the year 2020, IoT will include 26 billion units installed and revenues will exceed $300 billion generated mostly by IoT product and service suppliers. IoT, as defined by Gartner, Inc., is a system that allows remote assets from "things" (e.g., devices, sensors, objects, etc.) to interact and communicate among them and with other network systems. Assets, for example, communicate information on their actual status, location, and functionality, among others. This information not only provides a more accurate understanding of the assets, but also maximizes their utilization and productivity, resulting in an enhanced decision-making process.
The huge volumes of raw data or data sets (also referred to as Big Data) generated as a result of these massive interactions between devices and systems need to be processed and analyzed effectively in order to generate information that is meaningful and useful in the decision-making process. Big Data, as defined by the TechAmerica Foundation's Federal Big Data Commission (2012), "describes large volumes of high velocity, complex and variable data that require advanced techniques and technologies to enable the capture, storage, distribution, management, and analysis of the information." Gartner, Inc. further defines it as "... high-volume, high-velocity and/ or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation."
Internal Audit Function IA departments are typically led by a Chief Audit Executive (CAE), who directly reports to the Audit Committee of the Board of Directors. The CAE also reports to the organization's Chief Executive Officer (CEO).
The primary purpose of the IA function is to assure that management-authorized controls are being applied effectively. The IA function, although not mandatory, exists in most private enterprise or corporate entities, and in government (such as federal, state, county, and city governments). The mission, character, and strength of an IA function vary widely within the style of top executives and traditions of companies and organizations. IT audits is one of the areas of support for IA.
Professional Associations and Ethical Standards As a manager at any level, one must remember that auditors, whether internal or external, have standards of practice that they must follow. Like IT professionals, auditors may belong to one or more professional associations and have code of ethics and professional standards of practices and guidance that help them in performing their reviews and audits.
To act as an auditor, one must have a high standard of moral ethics. The term auditor is Latin for one that hears complaints and makes decisions or acts like a judge. To act as a judge, one definitely must be morally ethical or it defeats the purpose. Ethics are a very important basis for our culture as a whole. If the auditor loses favor in this area, it is almost impossible to regain the trust the auditor once had with audit management and auditees.
As the nation's IS and their critical infrastructures are being tied together (government and business), the points of entry and exposure increase,
and thus, risks increase. The technological advancement toward higher bandwidth communication and advanced switching systems has reduced the number of communications lines and further centralized the switching functions. Survey data indicates that the increased risk from these changes is not widely recognized.
The issue of "due professional care" has come to the forefront of the audit community as a result of major U.S. financial scandals and poor management, including but not limited to,
Waste Management (1998), Enron (2001), Worldcom (2002), American Insurance Group (2005), Lehman Brothers (2008), Bernard L. Madoff Securities LLC (2008), MF Global (2011), Anthem Inc. (2015), Wells Fargo (2016), and others. The EFCA scandal of 1973 led to the development of strong state and federal regulation of the insurance industries and corporate creative accounting in the aerospace industry, which provided support for the Foreign Corrupt Practices Act (FCPA) of 1977.
IT Environment as Part of the Organization Strategy In today's environment, organizations must integrate their IT with business strategies to attain their overall objectives, get the most value out of their information, and capitalize on the technologies available to them.
Where IT was formerly viewed as an enabler of an organization's strategy, it is now regarded as an integral part of that strategy to attain profitability and service. At the same time, issues such as IT governance, international information infrastructure, security, and privacy and control of public and organization information have driven the need for self-review and self-assurance.
The theory and methodologies of IT auditing are integrated from five areas:
a fundamental understanding of business, traditional auditing, IT management, behavioral science, and IT sciences. Business understanding and knowledge are the cornerstones of the audit process. Traditional auditing contributes knowledge of internal control practices and overall control philosophy within a business enterprise. IT management provides methodologies necessary to achieve successful design and implementation of systems. Behavioral science indicates when and why IT are likely to fail because of people's problems. IT sciences contribute to knowledge about control theory and the formal models that underlie hardware and software designs as a basis for maintaining data integrity.
General controls
commonly include controls over (1) IS operations; (2) information security (ISec); and (3) change control management (CCM) (i.e., system software acquisition, change and maintenance, program change, and application system acquisition, development, and maintenance). Examples of general controls within IS operations address activities such as data backups and offsite storage, job monitoring and tracking of exceptions to completion, and access to the job scheduler, among others. Examples of general controls within ISec address activities such as access requests and user account administration, access terminations, and physical security. Examples of general controls within CCM may include change request approvals; application and database upgrades; and network infrastructure monitoring, security, and change management.
GAAP establishes consistent guidelines for
financial reporting by corporate managers. As part of the reporting requirement, standards are also established for the maintenance of financial records on which periodic statements are based. These accounting principles have been formulated and revised periodically by private-sector organizations established for this purpose. The present governing body is the Financial Accounting Standards Board (FASB). Implementation of GAAP is the responsibility of the management of the reporting entity.
The term audit, according to ISACA, refers to the
formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.
In combining both definitions above, IT auditing can be defined as the
formal, independent, and objective examination of an organization's IT infrastructure to determine whether the activities (e.g., procedures, controls, etc.) involved in gathering, processing, storing, distributing, and using information comply with guidelines, safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization's objectives.
The CISA examination covers areas (or domains) within the process of auditing IS;
governance and management of IT; IS acquisition, development and implementation; IS operations, maintenance and service management; and the protection of information assets. Thus, university education plays an important part in providing the groundwork toward the certification process.
An information security policy will not
guarantee a system's security or make the network completely safe from possible attacks from cyberspace. Nevertheless, a security policy, helped by effective security products and a plan for recovery, may help targeting potential losses to levels considered "acceptable," and minimize the leaking of private information. The IT auditor is part of an institutional team that helps create shared governance over the use, application, and assurance over IT within the organization.
Some of the top reasons to initiate an IT audit include
the increased dependence on information by organizations, the rapidly changing technology with new risks associated with such technology, and the support needed for financial statement audits. SOX also requires the assessment of internal controls and makes it mandatory for SEC registrants.
IT auditing provides reasonable assurance (never absolute) that
the information generated by applications within the organization is accurate, complete, and supports effective decision making consistent with the nature and scope of the engagement previously agreed. IT auditing is needed to evaluate the adequacy of application systems to meet processing needs, evaluate the adequacy of internal controls, and ensure that assets controlled by those systems are adequately safeguarded.
Ernst & Young, on its EY Center for Board Matters' September 2015 publication, states that challenges for auditors include
the limited access to audit relevant data, the scarcity of available and qualified personnel to process and analyze such particular data, and the timely integration of analytics into the audit. The IoT also delivers fast-moving data from sensors and devices around the world, and therefore results in similar challenges for many organizations when making sense of all that data.
Financial Auditing Financial auditing encompasses all activities and responsibilities concerned with
the rendering of an opinion on the fairness of financial statements. The basic rules governing audit opinions indicate clearly that the scope of an audit covers all equipment and procedures used in processing significant data. Financial auditing, as carried out today by the independent auditor, was spurred by legislation in 1933 and 1934 that created the SEC. This legislation mandated that companies whose securities were sold publicly be audited annually by a Certified Public Accountant (CPA). CPAs, then, were charged with attesting to the fairness of financial statements issued by companies that reported to the SEC.
Due to the size of the United States and its significant presence globally, however, U.S. GAAP still has significant global impact. This results in
the two major accounting standard-setting efforts in the world: U.S. GAAP and IFRS. Nevertheless, all major nations have now established time lines to converge with or to adopt IFRS standards in the near future.
The AICPA's Assurance Services Executive Committee (ASEC) is responsible for
updating and maintaining the Trust Services Principles and Criteria (TSPC) and creating a framework of principles and criteria to provide assurance on the integrity of information. TSPC presents criteria for use by practitioners when providing professional attestation or advisory services to assess controls relevant to the following principles: ◾ Security: The system is protected against unauthorized access (both physical and logical). ◾ Availability: The system is available for operation and use as committed or agreed. ◾ Processing integrity: System processing is complete, accurate, timely, and authorized. ◾ Confidentiality: Information designated as confidential is protected as committed or agreed. ◾ Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.
Other recent technologies listed on the Gartner's 2015 Hype Cycle for Emerging Technologies Report that are currently impacting IT environments include
wearables (e.g., smartwatches, etc.), autonomous vehicles, cryptocurrencies, consumer 3D printing, and speech-to-speech translation, among others.
Roles of IT Department
• Colocation - Provides facility to house servers/hardware • IAAS - Infrastructure as a Service : Facility and hardware provided by 3rd party • PAAS - Platform as a Service : Includes operating system in addition to hardware (Windows Server / SQL server, etc). • SAAS - Software as a service : includes application support, example Quickbooks, Oracle, SAP, payroll software
What is Financial Auditing*?* • Activities and procedures for examining financial information and rendering an opinion on the fairness of such financial information (i.e., financial statements (F/S))
• Two groups of U.S. principles and standards affect the preparation of F/S and audit procedures • Generally Accepted Accounting Principles (GAAP) • Generally Accepted Auditing Standards (GAAS)
When auditing IT, the breadth and depth of knowledge required are extensive. For instance, auditing IT involves:
◾ Application of risk-oriented audit approaches ◾ Use of computer-assisted audit tools and techniques ◾ Application of standards (national or international) such as the ISO* to improve and implement quality systems in software development and meet IT security standards ◾ Understanding of business roles and expectations in the auditing of systems under development as well as the purchase of software packaging and project management ◾ Assessment of information security, confidentiality, privacy, and availability issues which can put the organization at risk ◾ Examination and verification of the organization's compliance with any IT-related legal issues that may jeopardize or place the organization at risk ◾ Evaluation of complex systems development life cycles (SDLC) or new development techniques (i.e., prototyping, end-user computing, rapid systems, or application development) ◾ Reporting to management and performing a follow-up review to ensure actions taken at work
ERPs allow multiple functions to access a common database—reducing storage costs and increasing consistency and accuracy of data from a single source. Additionally, ERPs:
◾Have standard methods in place for automating processes (i.e., information in the HR system can be used by payroll, help desk, and so on). ◾Share real-time information from modules (finance, HR, etc.) residing in one common database, hence, financial statements, analyses, and reports are generated faster and more frequently.
Need for IT Audit Initially, IT auditing (formerly called electronic data processing [EDP], computer information systems [CIS], and IS auditing) evolved as an extension of traditional auditing. At that time, the need for an IT audit came from several directions:
◾ Auditors realized that computers had impacted their ability to perform the attestation function. ◾ Corporate and information processing management recognized that computers were key resources for competing in the business environment and similar to other valuable business resource within the organization, and therefore, the need for control and auditability were critical. ◾ Professional associations and organizations, and government entities recognized the need for IT control and auditability.
There are two broad groupings of IT audits, both of which are essential to ensure the continued proper operation of IS. These are as follows:
◾ General Computer Controls Audit. It examines IT general controls ("general controls" or "ITGCs"), including policies and procedures, that relate to many applications and supports the effective functioning of application controls. General controls cover the IT infrastructure and support services, including all systems and applications. ◾ Application Controls Audit. It examines processing controls specific to the application. Application controls may also be referred to as "automated controls." They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted, and reported. Application controls are likely to be effective when general controls are effective.
GAAS, the second group of standards, was adopted in 1949 by the AICPA for audits. These audit standards cover three categories:
◾ General Standards relate to professional and technical competence, independence, and due professional care. ◾ Standards of Fieldwork encompass planning, evaluation of internal control, sufficiency of evidential matter, or documentary evidence upon which findings are based. ◾ Standards of Reporting stipulate compliance with all accepted auditing standards, consistency with the preceding account period, adequacy of disclosure, and, in the event that an opinion cannot be reached, the requirement to state the assertion explicitly.
This growing awareness has led organizations to recognize that, if they are to make the most of their IT investment and protect that investment, they need a formal process to govern it. Reasons for implementing an IT governance program include:
◾ Increasing dependence on information and the systems that deliver the information ◾ Increasing vulnerabilities and a wide spectrum of threats ◾ Scale and cost of current and future investments in information and IS ◾ Potential for technologies to dramatically change organizations and business practices to create new opportunities and reduce costs An open-standard IT governance tool that helps nontechnical and technical managers and auditors understand and manage risks associated with information and related IT is COBIT, developed by the IT Governance Institute and the Information Systems Audit and Control Foundation. COBIT is a comprehensive framework of control objectives that helps IT auditors, managers, and executives discharge fiduciary responsibilities, understand the IT systems, and decide what level of security and control is adequate. COBIT provides an authoritative, international set of generally accepted IT practices for business managers and auditors. COBIT is discussed in Chapter 3.
IT Auditor as Counselor In the past, users have abdicated responsibility for controlling computer systems, mostly because of the psychological barriers that surround the computer. As a result, there are few checks and balances, except for the IT auditor. IT auditors must take an active role in assisting organizations in developing policies, procedures, standards, and/or best practices on safeguarding of the information, auditability, control, testing, etc. A good information security policy, for instance, may include:
◾ Specifying required security features ◾ Defining "reasonable expectations" of privacy regarding such issues as monitoring people's activities ◾ Defining access rights and privileges and protecting assets from losses, disclosures, or damages by specifying acceptable use guidelines for users ◾ Providing guidelines for external communications (networks) ◾ Defining responsibilities of all users ◾ Establishing trust through an effective password policy ◾ Specifying recovery procedures ◾ Requiring violations to be recorded ◾ Acknowledging that owners, custodians, and clients of information need to report irregularities and protect its use and dissemination ◾ Providing users with support information
IT Environment The need for improved control over IT, especially in commerce, has been advanced over the years in earlier and continuing studies by many national and international organizations. ◾ Technology has improved the ability to capture, store, analyze, and process tremendous amounts of data and information, expanding the empowerment of the business decision maker. It has also become a primary enabler to production and service processes. There is a residual effect in that the increased use of technology has resulted in increased budgets, increased successes and failures, and better awareness of the need for control.
◾ Technology has significantly impacted the control process around systems. Although control objectives have generally remained constant, except for some that are technology specific, technology has altered the way in which systems should be controlled. Safeguarding assets, as a control objective, remains the same whether it is done manually or is automated. However, the manner by which the control objective is met is certainly impacted. ◾ Technology has impacted the auditing profession in terms of how audits are performed (information capture and analysis, control concerns) and the knowledge required to draw conclusions regarding operational or system effectiveness, efficiency, and reporting integrity. Initially, the impact was focused on dealing with a changed processing environment. As the need for auditors with specialized technology skills grew, so did the IT auditing profession.
Mobile Device Management (MDM) MDM, also known as Enterprise Mobility Management, is a relatively new term, but already shaping the IT environment in organizations. MDM is responsible for managing and administering mobile devices (e.g., smartphones, laptops, tablets, mobile printers, etc.) provided to employees as part of their work responsibilities. Specifically, and according to PC Magazine, MDM ensures these mobile devices:
◾ integrate well within the organization and are implemented to comply with organization policies and procedures ◾ protect corporate information (e.g., emails, corporate documents, etc.) and configuration settings for all mobile devices within the organization