IT Audit

IT Audit

An information technology audit, or information systems audit, is an examination of the management controls within an information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit internal audit, or other form of attestation engagement.

 

IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing(EDP) audits".

IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard

accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls are necessary but not sufficient to provide adequate security. People responsible for security must consider if the controls are installed as intended, if they are effective if any breach in security has occurred and if so, what actions can be done to prevent future breaches. These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing. IS Audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity,

I

 

safeguard assets, allows organizational goals to be achieved effectively, and uses resources efficiently. Data integrity relates to the accuracy and completeness of information as well as to its validity in accordance with the norms. An effective information system leads the organization to achieve its objectives and an efficient information system uses minimum resources in achieving the required objectives. IS auditors must know the characteristics of users of the information system and the decision making environment in the auditee organization while evaluating the effectiveness of any system. Use of computer facilities has

 

brought about radically different ways of processing, recording and controlling information and has combined many previously separated functions. The potential for material systems error has thereby been greatly increased causing great costs to the organization, e.g., the highly repetitive nature of many computer applications means that small errors  may lead to large losses. An error in the calculation of income tax paid by employees in a manual system  will not occur in each case but once an error is introduced in a computerized system, it will affect each case. This makes it imperative for the auditor to

 

test the invisible processes, and to identify 4 the vulnerabilities in a computer information system as the costs involved, because of errors and irregularities, can be high.

IT Audit Process

Audits are a critical component of the regulatory compliance process. In general, it is the auditors who will determine whether your organization is in

compliance with the regulations and standards that it must address. For example, in regard to Sarbanes-Oxley (SOX), external auditors will often determine

 the adequacy of the internal controls in your organization as part of the audit in relation to annual financial reporting. Understanding how the audit process works and how auditors operate is important because it informs IT managers how to establish an environment that is compliant and easy to audit. This topic focuses on how auditors conduct the IT audit process.

It is important to understand what auditors look for during a compliance audit. During the audit, the auditors look for evidence that indicates:

  • The organization has designed effective controls to address their compliance requirements and that there are no design deficiencies.

  • The organization consistently applies the controls they have designed and that there are no operational deficiencies.

If the auditors do not find evidence of an effective control program, or they find that the organization is not adhering to the control program, they note

these deficiencies in their final audit report. This audit report is generally provided to the organization’s audit committee so that identified issues get the appropriate level of management exposure. Obviously, it is preferable that there be no deficiencies noted in this report.

The following process describes the general activities that auditors conduct during an audit. Your auditor might conduct the audit using a slightly different approach:

  • Step 1: Plan the audit (auditor)

  • Step 2: Hold audit kickoff meeting (auditor/organization)

  • Step 3: Gather data and test IT controls (auditor/organization)

  • Step 4: Remediate identified deficiencies (organization)

  • Step 5: Test remediated controls (auditor/organization)

  • Step 6: Analyze and report findings (auditor)

  • Step 7: Respond to findings (organization)

  • Step 8: Issue final report (auditor)

Understanding the steps in the IT audit process positions IT managers to know what to expect from the audit. In this way, you can better achieve your organization's regulatory compliance objectives, and optimize the audit process to complete it more efficiently.

How to Optimize the Audit Process

There are many ways to make the audit process more efficient and less difficult. These include:

  • Work with the auditor early in the process to understand the key areas on which they plan to focus during the audit. In some cases, you can

  •  reprioritize projects to ensure that you address what the auditors see as key risks in the environment, thus avoiding deficiencies in the audit.

  • Implement automated IT controls whenever possible. These controls are superior to manual ones because auditors can more easily test and

    validate them. The best way to optimize the efficiency and lower the cost of the IT audit process for your organization is to:

    • Maintain clean and concise documentation of IT controls and keep it updated.

    • Organize your IT controls to work with the framework that your auditors use. This will help ensure that you and your auditors communicate

    • clearly about the regulatory objectives.

    • Take advantage of an IT controls framework. This will help you to more effectively address a variety of regulations with a single set of controls.

Objectives of an IT audit

Most often, IT audit objectives concentrate on substantiating that the internal controls exist and are functioning as expected to minimize business risk.  These audit objectives include assuring compliance with legal and regulatory requirements, as well as the confidentiality, integrity, and availability (CIA –  no not the federal agency, but information security) of information systems and data.

 

IT audit strategies

There are two areas to talk about here, the first is whether to do compliance or substantive testing and the second is “How do I go about getting the evidence to allow me to audit the application and make my report to management?”  So what is the difference between compliance and substantive testing?  Compliance testing is gathering evidence to test to see if an organization is following its control procedures.  On the other hand substantive testing is gathering evidence to evaluate the integrity of individual data and other information.  For example, compliance testing of controls can be described with the following example.  An organization has a control procedure which states that all application changes must go through change control.  As an IT auditor you might take the current running configuration of a router as well as a copy of the -1 generation of the configuration file for the same router, run a file compare to see what the differences were; and then take those differences and look for supporting change control documentation.  Don’t be surprised to find that network admins, when they are simply re-sequencing rules, forget to put the change through change control.  For substantive testing, let’s say that an organization has policy/procedure concerning backup tapes at the offsite storage location which includes 3 generations (grandfather, father, son).  An IT auditor would do a physical inventory of the tapes at the offsite storage location and compare that inventory to the organizations inventory as well as looking to ensure that all 3 generations were present.

 

 

 

The second area deals with “How do I go about getting the evidence to allow me to audit the application and make my report to management?”  It should come as no surprise that you need to:

  • Review IT organizational structure
  • Review IT policies and procedures
  • Review IT standards
  • Review IT documentation
  • Review the organization’s BIA
  • Interview the appropriate personnel
  • Observe the processes and employee performance
  • Examination, which incorporates by necessity, the testing of controls, and therefore includes the results of the tests.

As additional commentary of gathering evidence, observation of what an individual actually does versus what they are supposed to do, can provide the IT auditor with valuable evidence when it comes to control implementation and understanding by the user.   

 

 Image result for it audit

 

An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

IT audits are also known as automated data processing audits (ADP audits) and computer audits.

They were formerly called electronic data processing audits (EDP audits).

 

An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether the financial statements present fairly, in all material respects, an entity's financial position, results of operations, and cash flows in conformity to standard accounting practices, the purposes of an IT audit is to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls are necessary but not sufficient to provide adequate security. People responsible for security must consider if the controls are installed as intended, if they are effective, or if any breach in security has occurred and if so, what actions can be done to prevent future breaches. These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing. [1]

The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:

Will the organization's computer systems be available for the business at all times when required? (known as availability) Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality) Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity) In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.

 

Types of IT audits

Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:

  • Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.
  • Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of company's research and development facilities, as well as its track record in actually producing new products.
  • Technological position audit: This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".

Others describe the spectrum of IT audits with five categories of audits:

  • Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity. System and process assurance audits form a subtype, focussing on business process-centric business IT systems. Such audits have the objective to assist financial auditors.
  • Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
  • Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
  • Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
  • Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.

And some lump all IT audits as being one of only two type: "general control review" audits or "application control review" audits.

A number[who?] of IT audit professionals from the Information Assurance realm consider there to be three fundamental types of controls regardless of the type of audit to be performed, especially in the IT realm. Many frameworks and standards try to break controls into different disciplines or arenas, terming them “Security Controls“, ”Access Controls“, “IA Controls” in an effort to define the types of controls involved. At a more fundamental level, these controls can be shown to consist of three types of fundamental controls: Protective/Preventative Controls, Detective Controls and Reactive/Corrective Controls.

In an IS, there are two types of auditors and audits: internal and external. IS auditing is usually a part of accounting internal auditing, and is frequently performed by corporate internal auditors. An external auditor reviews the findings of the internal audit as well as the inputs, processing and outputs of information systems. The external audit of information systems is frequently a part of the overall external auditing performed by a Certified Public Accountant (CPA) firm.

IS auditing considers all the potential hazards and controls in information systems. It focuses on issues like operations, data, integrity, software applications, security, privacy, budgets and expenditures, cost control, and productivity. Guidelines are available to assist auditors in their jobs, such as those from Information Systems Audit and Control Association.

 

 

IT audit process

The following are basic steps in performing the Information Technology Audit Process:[4]

  1. Planning IN
  2. Studying and Evaluating Controls
  3. Testing and Evaluating Controls
  4. Reporting
  5. Follow-up
  6. Reports

Information security

 

Auditing information security is a vital part of any IT audit and is often understood to be the primary purpose of an IT Audit. The broad scope of auditing information security includes such topics as data centers (the physical security of data centers and the logical security of databases, servers and network infrastructure components), networks and application security. Like most technical realms, these topics are always evolving; IT auditors must constantly continue to expand their knowledge and understanding of the systems and environment& pursuit in system company.

 

 

History of IT auditing

The concept of IT auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business.

Currently, there are many IT-dependent companies that rely on information technology in order to operate their business e.g. Telecommunication or Banking company. For the other types of business, IT plays the big part of company including the applying of workflow instead of using the paper request form, using the application control instead of manual control which is more reliable or implementing the ERP application to facilitate the organization by using only 1 application. According to these, the importance of IT Audit is constantly increased. One of the most important roles of the IT audit is to audit over the critical system in order to support the financial audit or to support the specific regulations announced e.g. SOX.

 

 

 

 

 

 

 

 

 

Visforms

Form is missing
           
Head Office OAG On Google Map Dessie Branch Office
    Email: anrsoag@ethionet.et

    anrsoag11@gmail.com

    Tel +251-58-222-0275

    Tel +251-58-220-0634

    Fax +251-58-220-1694

    P.O.Box 479

    Bahir Dar City, Tana Subcity FelegeHiwot Hospital area

    Email: anrsoag@ethionet.et

    anrsoag11@gmail.com

    Tel   +251-333-117356

        +251-333-117357

    Fax   +251-333

    P.O.Box 479

    Dessie Twon, Bunbua Wuha Subcity

Copyright © 2025 ANRSOAG. All Right Reserved. Design By Ghion Alemay.