Chapter 1: The Nature Of IT Audit PDF

Summary

This document is a chapter on the nature of IT audit. It covers learning objectives including how to analyze and interpret audit findings. It also discusses the importance of IT audits in maintaining security and efficiency in an organization's IT infrastructure.

Full Transcript

PRE108: IT AUDIT (Auditing in CIS Environment)
Chapter 1: The Nature of IT Audit
BY: Robert E. Regala

LECTURE VIDEO LINK: https://youtu.be/O_uwWX2Yrp8
LENGTH: 01:13:27
Video script: https://drive.google.com/file/d/1F9ILmI1D9AJC3P8ol6LhP1doEnOH2N-2/view?usp=drive_link

SUPPLEMENTARY LEARNING MATERIALS:

Introduction to Information Systems - Principles of Business Information Systems
LENGTH: 00:28:00
LINK: https://youtu.be/7GRiW8zHjWg

IT Audit: The ultimate guide
LINK: https://zapier.com/blog/it-audit

IT Audit (Information Technology Audit)
LINK: https://www.techtarget.com/searchcio/definition/IT-audit-information-technology-audit

LEARNING OBJECTIVES

A. Primary: Develop a set of recommendations for mitigating identified risks and improving IT processes for a specific organization, based on a comprehensive IT audit plan and incorporating relevant insights from the sources.

This objective encourages learners to synthesize information from the learning materials, apply their understanding to a real-world scenario, and propose actionable solutions. It requires learners to:

• Analyze and Interpret Audit Findings: Learners must carefully examine the results of their IT audit plan, identifying areas of concern, potential vulnerabilities, and non-compliant practices. This involves applying critical thinking skills to interpret the significance of findings and their potential impact on the organization. For example, they would need to assess the severity of a security breach or a weakness in data integrity controls.
• Synthesize Knowledge and Insights: Learners must draw on the information and insights from the sources, along with their own analysis of the audit plan, to formulate relevant and effective recommendations. This requires them to connect theoretical knowledge to practical application, recognizing how concepts like IT governance, security protocols, or data integrity apply to the specific organization.
• Problem-Solve and Develop Solutions: Learners must devise creative and feasible solutions for addressing identified risks and improving IT processes. This might involve recommending new security software, revising data management procedures, or strengthening access controls. For example, if the audit uncovered a lack of two-factor authentication, learners might recommend implementing 2FA for all critical systems.
• Communicate Effectively: Learners must present their recommendations in a clear, concise, and persuasive manner, justifying their choices and outlining the expected benefits. This could involve creating a formal report, developing a presentation, or leading a discussion with stakeholders. Learners must be able to articulate technical concepts in a way that is understandable to non-technical audiences, such as management or board members.

This objective emphasizes the practical application of IT audit knowledge, challenging learners to develop actionable solutions that enhance the security and efficiency of an organization's IT environment.

An opportunity to apply the learning objective is provided by the case study involving a fictitious enterprise, “InnovateTech,” in the section “Learning Objective Activity.”

B. Secondary (Enabling)

1. Explain the purpose and importance of IT audits in maintaining the security and efficiency of an organization's IT infrastructure.

This objective draws on the definition and benefits of IT audits discussed in the sources. For example, the lecture video explains that "regular IT audits ensure your IT operations are keeping up with evolving standards in software and hardware while staying vigilant in the face of smarter and smarter cyber attackers." Additionally, the video “IT Audit for Beginners” states, "periodic audits ensure an IT organization is following accepted standards, best practices, regulations, legislation, and other requirements." By achieving this objective, learners will develop a foundational understanding of the role of IT audits in mitigating risks and ensuring compliance.

2. Differentiate between the various types of IT audits and their specific areas of focus.

The sources describe different types of IT audits, including cybersecurity, enterprise-level IT structure, systems and applications (existing and developing), physical IT facility, third-party, and server audits. “IT Audit (The Ultimate Guide)” and “IT Audit (Information Technology Audit)” provide detailed explanations of these different types. This objective encourages learners to analyze the nuances between each type and recognize the unique considerations for each audit category.

3. Describe the five steps involved in the IT audit process and their practical application within an organization.

The sources provide a comprehensive breakdown of the five steps: planning, preparation, conducting the audit, reporting findings, and following up. “IT Audit (The Ultimate Guide)” and “IT Audit (Information Technology Audit)” offer specific details on each step. This objective guides learners through the practical execution of an IT audit, enabling them to apply the theoretical knowledge gained in the previous objectives. By mastering this objective, learners can actively participate in or manage IT audits within their organizations.

PRE-ASSESSMENT (NOT GRADED): https://forms.gle/S6hnrtnsPdAFL6HW8

SUMMARY OF LESSONS

The central theme in this chapter is the definition, nature, and role of Accounting Information Systems (AIS) within a broader business context. They explain how AIS integrates traditional accounting practices with modern Information and Communication Technology (ICT) to manage and leverage financial data effectively.

1. What is an IT Audit?

An IT audit is a systematic examination and evaluation of an organization's information technology infrastructure, policies, and procedures. Its primary purpose is to ensure that IT systems function securely, efficiently, and effectively, aligning with the organization's goals and objectives.

"IT Audit is an internal or independent external examination of the management controls within an Information technology (IT) infrastructure and business applications." - Ch01 The Nature of IS Audit

2. Objectives of an IT Audit

The core objectives of an IT audit are multifaceted:

• Safeguarding Assets: Protecting hardware, software, and data from unauthorized access, use, disclosure, modification, destruction, and theft.
• Maintaining Data Integrity: Ensuring the accuracy, consistency, and reliability of data throughout its lifecycle.
• Using Resources Efficiently: Optimizing the allocation and management of IT resources like personnel, finances, and technology.
• Operating Effectively: Ensuring that IT systems effectively support operations, management decision-making, and achievement of organizational goals.

"The threefold objective of IT Audit, in relation to a risk-based audit, are as follows: (1) Evaluate the information system and business processes in place that secure company data; (2) Ensure compliance with the policies and procedures related to IT use; (3) Help identify methods to minimize those risks." - Ch01 The Nature of IS Audit

3. Why Conduct Regular IT Audits?

Regular IT audits are crucial for businesses operating in today's rapidly evolving technological landscape for several reasons:

• Mitigate Security Risks: Identifying and addressing vulnerabilities to protect against cyberattacks and data breaches.
• Ensure Compliance: Demonstrating adherence to relevant laws, regulations, and industry standards.
• Optimize Performance: Enhancing the efficiency and effectiveness of IT systems and processes.
• Promote Continuous Improvement: Identifying areas for improvement and implementing corrective actions.
• Build Trust: Increasing stakeholder confidence in the organization's IT security posture.

"Regular IT audits ensure your IT operations are keeping up with evolving standards in software and hardware while staying vigilant in the face of smarter and smarter cyber attackers." - IT Audit: The Ultimate Guide

4. Key Areas of an IT Audit

A typical IT audit covers five crucial areas:

• System Security: Evaluating the effectiveness of measures protecting against unauthorized access and data breaches.
• Standards and Procedures: Assessing compliance with established IT policies and procedures.
• Documentation and Reporting: Reviewing the completeness and accuracy of IT documentation and reporting practices.
• Performance Monitoring: Analyzing IT systems and applications' efficiency and effectiveness.
• Systems Development: Evaluating the security and effectiveness of processes for developing and implementing new IT systems.

"There are five key areas of an IT audit that more or less correspond with an IT manager's key responsibilities: System security, Standards and procedures, Documentation and reporting, Performance monitoring, and Systems development." - IT Audit: The Ultimate Guide

5. IT Audit Process

A standard IT audit process generally includes five steps:

   1. Planning: Defining audit objectives, scope, methodology, and resources.
   2. Preparation: Gathering information, interviewing stakeholders, and developing an audit plan.
   3. Conducting the Audit: Performing tests, gathering evidence, and documenting findings.
   4. Reporting: Communicating findings, recommendations, and conclusions to management.
   5. Follow-up: Monitoring the implementation of recommended corrective actions.

"An IT audit generally has these steps: Secure approval; Create a plan; Start preparations; Secure a work area; Launch the audit; Prepare work papers; Prepare and deliver the audit report." - What is IT audit

6. Peculiar Characteristics of IT Audit

IT audits differ from traditional financial audits due to inherent IT characteristics:

• Lack of Visible Audit Trail: Difficulty tracing individual transactions without properly designed and implemented audit trails.
• Consistency of Performance: Consistent processing based on programmed rules, enabling projection of errors and simpler corrections.
• Ease of Access to Data and Programs: Increased vulnerability to unauthorized access and data breaches despite efficient data retrieval benefits.
• Concentration of Functions: Potential for significant disruptions and control weaknesses due to centralized processing and data storage.

"The auditor must be aware of the differences between the two systems: certain differences may result in improved controls, while other differences may result in reduced controls." - Ch01 The Nature of IS Audit

7. IT Audit and Internal Controls

IT audits play a critical role in evaluating the effectiveness of an organization's internal control system, especially in the context of financial reporting. Auditors assess controls at various levels:

• Entity-Level Controls: Broad controls covering the overall control environment, risk assessment processes, and monitoring of internal controls.
• General IT Controls: Controls addressing risks arising from the use of IT, impacting the entire IT environment.
• Application-Level Controls: Controls specific to individual applications, ensuring data accuracy, completeness, and validity.

"PSA 315 lays down the responsibility of the auditor as regards internal controls in general. (...) the auditor to obtain an understanding of the information system, including the related business processes, relevant to financial reporting." - Ch01 The Nature of IS Audit

8. Importance of Soft Skills for IT Auditors

While technical skills are paramount for IT auditors, soft skills are equally crucial for effective performance.
These include:

• Communication Skills: Clearly and concisely conveying technical information to both technical and non-technical audiences.
• Interpersonal Skills: Building strong relationships with stakeholders, fostering collaboration, and promoting teamwork.
• Analytical and Problem-Solving Skills: Identifying and analyzing complex IT issues and developing practical solutions.
• Risk Assessment and Management: Understanding and assessing IT risks and recommending appropriate mitigation strategies.

"The IT auditor has to be familiar with what the landscape of risks is and those are ever changing so I look for somebody who has a that constant burning desire for continuing education for always wanting to learn and expand their skill sets in all things related to IT and security." - IT Audit for Beginners

9. IT Audit Certifications

Several reputable certifications validate an IT auditor's expertise and enhance their credibility:

• Certified Information Systems Auditor (CISA)
• Certification in Risk and Information Systems Control (CRISC)
• Certified Information Systems Security Professional (CISSP)
• GIAC Systems and Network Auditor (GSNA)
• Certified Internal Auditor (CIA)

Conclusion

IT audits are indispensable for organizations seeking to ensure the security, efficiency, and effectiveness of their IT systems. By regularly evaluating IT infrastructure, policies, and procedures, organizations can mitigate risks, achieve compliance, optimize performance, and foster continuous improvement. While technical expertise is fundamental for IT auditors, strong soft skills are equally vital for effectively communicating findings, collaborating with stakeholders, and driving positive change.

POST-ASSESSMENT (NOT GRADED): https://forms.gle/F9g2w73g8TWjsDnA8

TEAM ACTIVITY in aid of review and subsequent graded chapter TEST will be conducted in-person.

LEARNING OBJECTIVE ACTIVITY

Case Study: The Vulnerable Startup

- end of module -
