The role of information technology (IT) control and audit has become a critical mechanism for ensuring the integrity of information systems (IS) and the reporting of an organization's finances, in order to avoid, and hopefully prevent, future financial fiascos such as Enron and WorldCom. Global economies are more interdependent than ever, and geopolitical risks affect everyone. Electronic infrastructure and commerce are integrated into business processes around the globe. The need to control and audit IT has never been greater.
Initially, IT auditing (formerly called electronic data processing (EDP), computer information systems (CIS), and IS auditing) evolved as an extension of traditional auditing. At that time, the need for an IT audit function came from several directions:
- Auditors realized that computers had impacted their ability to perform the attestation function.
- Corporate and information processing management recognized that computers were key resources for competing in the business environment and that, like any other valuable business resource within the organization, they had to be controlled and auditable.
- Professional associations, organizations, and government entities recognized the need for IT control and auditability.
The early components of IT auditing were drawn from several areas. First, traditional auditing contributed knowledge of internal control practices and the overall control philosophy. Another contributor was IS management, which provided the methodologies necessary to achieve successful design and implementation of systems. The field of behavioral science contributed the questions and analysis needed to understand when and why IS are likely to fail because of people problems. Finally, the field of computer science contributed knowledge about control concepts, discipline, theory, and the formal models that underlie hardware and software design as a basis for maintaining data validity, reliability, and integrity.
IT auditing is an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems. Initially, auditors with IT audit skills were viewed as the technological resource for the audit staff, who often looked to them for technical assistance. As you will see in this textbook, there are many types of audit needs within IT auditing, such as organizational IT audits (management control over IT), technical IT audits (infrastructure, data centers, data communications), application IT audits (business/financial/operational), development/implementation IT audits (specification/requirements, design, development, and post-implementation phases), and compliance IT audits involving national or international standards. The IT auditor's role has evolved to provide assurance that adequate and appropriate controls are in place. Of course, the responsibility for ensuring that adequate internal controls are in place rests with management. The auditor's primary role, except in areas of management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner. Therefore, whereas management is to ensure, auditors are to assure.
Today, IT auditing is a profession with conduct, aims, and qualities that are characterized by worldwide technical standards, an ethical set of rules (the Information Systems Audit and Control Association [ISACA] Code of Ethics), and a professional certification program (Certified Information Systems Auditor [CISA]). It requires specialized knowledge and practical ability, and often long and intensive academic preparation. Where academic programs were unavailable, employers often had to invest in significant in-house training and professional development. Most accounting, auditing, and IT professional societies believe that improvements in research and education will give IT auditors a better theoretical and empirical knowledge base for the IT audit function. They feel that emphasis should be placed on education obtained at the university level.
The breadth and depth of knowledge required to audit IT systems are extensive. For example, IT auditing involves the following:
- Application of risk-oriented audit approaches
- Use of computer-assisted audit tools and techniques
- Application of standards (national or international) such as ISO 9000-3 and ISO 17799 (since renumbered ISO/IEC 27002) to implement and improve quality systems in software development and to meet security standards
- Understanding of business roles and expectations in the auditing of systems under development, as well as in the purchase of software packages and in project management
- Assessment of information security and privacy issues that can put the organization at risk
- Examination and verification of the organization's compliance with IT-related legal requirements whose breach could jeopardize or place the organization at risk
- Evaluation of complex systems development life cycles (SDLC) or new development techniques, e.g., prototyping, end-user computing, rapid systems development, or rapid application development
- Reporting to management and performing a follow-up review to verify that corrective actions were taken and are working
The auditing of complex technologies and communications protocols involves the Internet, intranets, extranets, electronic data interchange, client/server systems, local and wide area networks, data communications, telecommunications, wireless technology, and integrated voice/data/video systems.
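To make the "computer-assisted audit tools and techniques" item concrete, here is a small added example (written for this edition, not code from the textbook or from any audit product) of the kind of full-population tests an IT auditor runs over an accounts-payable extract instead of sampling by hand. The payment rows, the single-approver limit of 10,000, and the 5% near-limit band are all constructed assumptions for illustration; the three tests check for duplicate payments, segregation-of-duties breaches (the same user creating and approving a payment), and amounts sitting just under an approval threshold.

```python
from collections import defaultdict

# Constructed sample accounts-payable extract (illustrative data, not from any real system).
# One row per payment: invoice id, vendor, amount, who entered it, who approved it.
SAMPLE_PAYMENTS = [
    {"invoice": "INV-1001", "vendor": "Acme Ltd", "amount": 4950.00, "created_by": "jdoe", "approved_by": "msmith"},
    {"invoice": "INV-1002", "vendor": "Acme Ltd", "amount": 4950.00, "created_by": "jdoe", "approved_by": "msmith"},
    {"invoice": "INV-1003", "vendor": "Globex", "amount": 12300.00, "created_by": "rlee", "approved_by": "rlee"},
    {"invoice": "INV-1004", "vendor": "Initech", "amount": 9999.00, "created_by": "jdoe", "approved_by": "msmith"},
    {"invoice": "INV-1005", "vendor": "Initech", "amount": 250.00, "created_by": "kpatel", "approved_by": "msmith"},
]

APPROVAL_LIMIT = 10000.00   # assumed single-approver limit (hypothetical control parameter)
NEAR_LIMIT_FRACTION = 0.05  # flag amounts within 5% below that limit (assumed tolerance)


def find_duplicate_payments(rows):
    """Same vendor and same amount paid more than once: candidate duplicate payments.

    Returns {(vendor, amount): [invoice ids...]} for every group with more than one invoice.
    """
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], round(r["amount"], 2))].append(r["invoice"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def find_sod_violations(rows):
    """Segregation of duties: the user who entered a payment must not be its approver."""
    return [r["invoice"] for r in rows if r["created_by"] == r["approved_by"]]


def find_near_limit_payments(rows, limit=APPROVAL_LIMIT, fraction=NEAR_LIMIT_FRACTION):
    """Amounts just below an approval limit can indicate invoices split to dodge a second approver."""
    floor = limit * (1 - fraction)
    return [r["invoice"] for r in rows if floor <= r["amount"] < limit]


def run_caat(rows):
    """Run all three tests over the whole population and return the findings by test name."""
    return {
        "duplicates": find_duplicate_payments(rows),
        "sod": find_sod_violations(rows),
        "near_limit": find_near_limit_payments(rows),
    }


if __name__ == "__main__":
    for test_name, hits in run_caat(SAMPLE_PAYMENTS).items():
        print(f"{test_name}: {hits}")
```

Each test reads the entire extract rather than a sample, which is the point of a CAAT: the auditor gets a complete list of exceptions to follow up, and the same script can be rerun at the follow-up review to confirm that the exceptions were cleared.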