

Information Technology Control and Audit, Third Edition




Author: Sandra Senft and Frederick Gallegos

Publisher: Auerbach Publications


Publish Date: November 18, 2008

ISBN-10: 1420065505

Pages: 808

File Type: PDF

Language: English


Book Preface

Information Technology Environment: Why Are Controls and Audit Important?

The role of information technology (IT) control and audit has become a critical mechanism for ensuring the integrity of information systems (IS) and the reporting of organization finances to avoid and hopefully prevent future financial fiascos such as Enron and WorldCom. Global economies are more interdependent than ever and geopolitical risks impact everyone. Electronic infrastructure and commerce are integrated in business processes around the globe. The need to control and audit IT has never been greater.

Initially, IT auditing (formerly called electronic data processing [EDP], computer information systems [CIS], and IS auditing) evolved as an extension of traditional auditing. At that time, the need for an IT audit function came from several directions:

  • Auditors realized that computers had impacted their ability to perform the attestation function.
  • Corporate and information processing management recognized that computers were key resources for competing in the business environment and similar to other valuable business resources within the organization, and therefore, the need for control and auditability is critical.
  • Professional associations and organizations, and government entities recognized the need for IT control and auditability.

The early components of IT auditing were drawn from several areas. First, traditional auditing contributes knowledge of internal control practices and the overall control philosophy. Another contributor was IS management, which provides methodologies necessary to achieve successful design and implementation of systems. The field of behavioral science provided such questions and analysis as to when and why IS are likely to fail because of people problems. Finally, the field of computer science contributes knowledge about control concepts, discipline, theory, and the formal models that underlie hardware and software design as a basis for maintaining data validity, reliability, and integrity.

IT auditing is an integral part of the audit function because it supports the auditor’s judgment on the quality of the information processed by computer systems. Initially, auditors with IT audit skills are viewed as the technological resource for the audit staff. The audit staff often looked to them for technical assistance. As you will see in this textbook, there are many types of audit needs within IT auditing, such as organizational IT audits (management control over IT), technical IT audits (infrastructure, data centers, data communication), application IT audit (business/financial/operational), development/implementation IT audits (specification/requirements, design, development, and postimplementation phases), and compliance IT audits involving national or international standards. The IT auditor’s role has evolved to provide assurance that adequate and appropriate controls are in place. Of course, the responsibility for ensuring that adequate internal controls are in place rests with the management. The audit’s primary role, except in areas of management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner. Therefore, whereas management is to ensure, auditors are to assure.

Today, IT auditing is a profession with conduct, aims, and qualities that are characterized by worldwide technical standards, an ethical set of rules (Information Systems Audit and Control Association [ISACA] Code of Ethics), and a professional certification program (Certified Information Systems Auditor [CISA]). It requires specialized knowledge and practicable ability, and often long and intensive academic preparation. Often, where academic programs were unavailable, significant in-house training and professional development had to be expended by employers. Most accounting, auditing, and IT professional societies believe that improvements in research and education will definitely provide an IT auditor with better theoretical and empirical knowledge base to the IT audit function. They feel that emphasis should be placed on education obtained at the university level.

The breadth and depth of knowledge required to audit IT systems are extensive. For example, IT auditing involves the

  • Application of risk-oriented audit approaches
  • Use of computer-assisted audit tools and techniques
  • Application of standards (national or international) such as ISO 9000/3 and ISO 17799 to improve and implement quality systems in software development and meet security standards
  • Understanding of business roles and expectations in the auditing of systems under development as well as the purchase of software packaging and project management
  • Assessment of information security and privacy issues which can put the organization at risk
  • Examination and verification of the organization’s compliance with any IT-related legal issues that may jeopardize or place the organization at risk
  • Evaluation of complex systems development life cycles (SDLC) or new development techniques (e.g., prototyping, end user computing, rapid systems, or application development)
  • Reporting to management and performing a follow-up review to ensure actions taken at work
