IT Audit and Controls Module PDF

Document Details

Uploaded by FastPacedOlive7876

Pamantasan ng Lungsod ng San Pablo

Bryan May Q. Boongaling

Tags

IT Audit Information Systems Control Learning Modules

Summary

This module provides learning materials for IT Audit and Controls. The module aims to present IT Systems Audit and Control concepts, discussing management practices and relevant topics like the roles of IT Auditors in organizations.

Full Transcript

MODULE: IT Audit and Controls
ACADEMIC YEAR 2022-2023
Prepared by: Course Instructor

GUIDE ON HOW TO USE THE LEARNING MODULE

A. For Faculty

1. The Course Instructor must review and check the list of learners enrolled in the course, together with the contact information the learners have provided, such as cell phone number and email address.
2. Before distributing the Learning Modules, make sure they have been checked and reviewed by the College Program Chair, the Department Chair and the College Dean, with the recommending approval of the CLAMDev (Center for Learning and Assessment Materials Development).
3. Once checked and approved, the Course Instructor must provide each learner a softcopy of the Learning Modules through the provided LMS (Learning Management System); social media platforms may also be used.
4. It is the responsibility of the Course Instructor to ensure that all learners have downloaded a softcopy of the Learning Modules.
5. Encourage the class to print a hardcopy of the Learning Modules, but treat this as optional, since some learners lack the resources.
6. Orient the class on how to use the Learning Modules properly and explain the content, especially the lesson proper, the activities and exercises, the grading rubrics and criteria, and the submission format.
7. The Course Instructor must be open to any concerns and inquiries from each learner regarding the lessons and activities in the Learning Modules.
8. Always give each learner constructive feedback and an answer key for every quiz, activity and exercise they have done. Motivate them!
9. Give each learner enough time to accomplish and submit the requirements and activities, especially since not all learners have sufficient resources. Be considerate.
10. Keep Safe! Stay Healthy! Enjoy Teaching! Fist Bumps! XDD

GUIDE ON HOW TO USE THE LEARNING MODULE

B. For Learners

1. Each learner enrolled in the course will be provided by their Course Instructor a softcopy of the Learning Modules through an LMS (preferably Google Classroom) or any available social media platform, such as Facebook Messenger.
2. Each learner is encouraged to print a hardcopy of the Learning Modules for ease and clear understanding of the lessons; but again, consider this optional.
3. Different sets of Learning Modules will be sent to each learner, weekly or monthly, depending on the Course Instructor.
4. Each Learning Module contains different topics and lessons, and at the end of each lesson the learner must accomplish different activities and exercises.
5. The activities vary with the topics covered in the Learning Modules; they consist of Academic and Life Activities. Academic Activities include Quizzes and Individual or Group Activities.
6. For every group work and activity provided in the Learning Modules, make sure to work well with your teammates and collaborate with them to accomplish the assigned work smoothly.
7. When submitting an activity or exercise online, learners must follow the mode and format of submission included in the Learning Modules.
8. Learners must ensure good time management and prioritization of the tasks and activities given to them. This is a very helpful reminder, since classes are all done online.
9. If learners have any questions regarding the course, lessons or any activities, do not hesitate to contact your Course Instructor. Always remember that we are here not only to teach you but also to help you, especially in this time of pandemic.
10. Keep Safe! Stay Healthy! Enjoy Learning! Fist Bumps! XDD

FOREWORD

IT Audit and Control is a three (3) unit elective course intended for third-year students of the Bachelor of Science in Information Systems (BSIS) of the College of Computer Studies and Technology in the Pamantasan ng Lungsod ng San Pablo.
This course presents Information Technology / Systems Audit and Control concepts and management practices. As business continues towards a more substantial reliance upon the capabilities of Information Systems, it becomes increasingly important for auditors to understand Information Systems and how they relate to financial and general organizational controls. This course presumes prior exposure to general audit concepts and a general knowledge of Information Systems. Keep Safe.. God Bless..

MODULES FOR IT AUDIT AND CONTROLS

Credits: 3 Units (3 Hours Laboratory, 2 Hours Lecture)
Pre-Requisite: 3rd Year Standing

Lesson Title: Lesson 1 – Introduction to IT Audit and Controls
A. Auditing in Relation to IT
B. Role of the IT Auditor in an Organization
C. Types of Risks
D. Objectives of Audit and Control

Lesson Objective: At the end of the module, the learners will be able to:
1. Express and discuss pre-existing knowledge of Auditing.
2. Identify the areas where IT Audit is involved.
3. Learn about the IT Audit's role within the organization.
4. Learn the audit and control objectives to be accomplished by the IT Auditor.

Lectures and Annotations:

AUDITING

Auditing is an evaluation of a person, organization, system, process, enterprise, project or product, performed to ascertain the validity and reliability of information and to provide an assessment of a system's internal controls. The goal of an audit is to express an opinion based on the work done. Because of practical constraints, an audit provides only reasonable assurance that the statements are free from material error, and it typically relies on statistical sampling rather than examining every transaction.

Auditing in Relation to IT

IT Auditing takes that one step further and evaluates the controls around the information with respect to Confidentiality, Integrity and Availability. While a Financial Audit will attest to the validity and reliability of information, the IT Audit will attest to the confidentiality and integrity of the information and, in situations where availability is a key factor, will also attest to its availability and to the ability to recover in the event of an incident.

One of the key factors in IT Auditing, and one that audit management struggles with constantly, is ensuring that adequate IT Audit resources are available to perform the IT Audits. Unlike Financial Audits, IT Audits are very knowledge intensive. For example, if an IT Auditor is performing a Web Application Audit, they need to be trained in Web Applications; if they are doing an Oracle Database Audit, they need to be trained in Oracle; if they are doing a Windows Operating System Audit, they need training in Windows, and not just XP: they will need exposure to Vista, Windows 7, Server 2003, Server 2008, IIS, SQL Server, Exchange, etc. (The product list dates the module; the point applies to whatever platforms are in scope today.) As you can appreciate, being an IT Auditor requires extensive technical training in addition to the normal auditor and project management training.

IT Auditing has much in common with other types of audit and overlaps in many respects with Financial, Operational and Quality Audit practices. Since there is a limited amount of time and a limited number of qualified IT Auditors, IT Auditing is moving more and more to a risk-based audit approach, which is usually adapted to develop and improve a continuous audit approach.

Role of the IT Auditor in an Organization

IT Auditing extends to other departments of an organization as long as they use technology. The IT Auditor should undergo training to be able to perform the specific tasks they are given.
IT Audit's role is to provide an opinion on the controls which are in place to provide confidentiality, integrity and availability for the organization's IT infrastructure and the data which supports the organization's business processes. In order to do that, there has to be some overall planning to determine which business processes to audit. IT Auditing is moving towards a risk-based audit approach, and the planning process starts with a review of the organization and gaining an understanding of the business. Typically this starts with a review of the Business Impact Analysis, which the organization has prepared for all of its business functions; in preparing it, the organization will have established ranking criteria and determined which functions are essential to the business. Those essential functions will then have been ranked according to which ones are most critical to the organization, and the IT Auditor can start at the top of the list.

There are some other reasons to use Risk Assessment to determine the areas to be audited, including:
• Enables management to effectively allocate limited audit resources.
• Ensures that relevant information has been obtained from all levels of management.
• Establishes a basis for effectively managing the IT Audit department / function.
• Provides a summary of how the individual audit subject area is related to the overall organization as well as to the business plans.

Types of Risks

1. Audit Risk – The risk that information may contain a material error that goes undetected during the course of the audit. In the standard audit risk model this is the combination of the three risks that follow: an error exists (inherent risk), the controls fail to catch it (control risk) and the auditor's tests fail to catch it (detection risk).
2. Inherent Risk – The risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming that there are no related compensating controls. Inherent risks exist independent of an audit and arise from the nature of the business.
3. Control Risk – The risk that a material error exists that will not be prevented or detected in a timely manner by the internal control system.
4. Detection Risk – The risk that an IT Auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.

Objectives of Audit and Control

Audit Objectives refer to the specific goals that must be accomplished by the IT Auditor; in contrast, a Control Objective refers to what an internal control should achieve and how it should function. Audit Objectives most often focus on substantiating that internal controls exist to minimize business risks and that they function as expected. Example: in a Financial Audit, an internal control objective could be to ensure that financial transactions are posted properly to the General Ledger, whereas the IT Audit Objective will probably be extended to ensure that edit checks are in place to detect erroneous data entry.

What is a Control or an Internal Control?

Internal Controls are normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risks to the organization. There are two key aspects that controls should address:
a. What should be achieved?
b. What should be avoided?

Controls are generally classified as either:
• Preventive Control
• Detective Control
• Corrective Control

First, Preventive Controls: these stop problems before they arise, such as a numeric edit check on a dollar data entry field. By rejecting anything other than numeric characters in that field, you close off that field as a vector for attacks such as cross-site scripting or SQL injection. The edit check is one layer only: it must be enforced on the server (a browser-side check can be bypassed), and for free-text fields it is parameterized queries and output encoding, not character filtering, that actually stop injection.

Next, Detective Controls: for example, exception reports from log files which show that an unauthorized user was attempting to access data outside of their job requirements.
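The two controls just described, written out as an added example that is not part of the module or of the books it cites: a server-side numeric edit check feeding a parameterized insert (preventive), and a small exception report that scans access-log lines for requests to resources outside a user's role (detective). The ledger table, the log line format, the role-to-resource entitlement table and the log lines themselves are all constructed for this illustration.

```python
"""Preventive and detective controls on a toy ledger application.

Added illustration for the module; every table, log line and role below is
constructed for the example, not taken from any real system.
"""
import re
import sqlite3
from decimal import Decimal

# --- Preventive control: numeric edit check on a dollar field --------------
# Accept only digits with an optional two-place decimal part, e.g. "125.50".
# Enforced server-side, so a bypassed browser-side check changes nothing.
AMOUNT_RE = re.compile(r"\d{1,10}(\.\d{1,2})?")


def validate_amount(raw):
    """Return the amount as a Decimal, or None if the field fails the edit check."""
    text = raw.strip()
    if not AMOUNT_RE.fullmatch(text):
        return None
    return Decimal(text)


def setup_ledger():
    """Create an in-memory ledger table (stand-in for the real database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ledger (account TEXT NOT NULL, cents INTEGER NOT NULL)")
    return conn


def post_transaction(conn, account, raw_amount):
    """Post one transaction; return False (and write nothing) if the edit check fails.

    The INSERT is parameterized, so even the free-text 'account' field is never
    interpreted as SQL: the edit check and the parameter binding are separate layers.
    """
    amount = validate_amount(raw_amount)
    if amount is None:
        return False
    conn.execute(
        "INSERT INTO ledger (account, cents) VALUES (?, ?)",
        (account, int(amount * 100)),
    )
    conn.commit()
    return True


# --- Detective control: exception report over access logs ------------------
# Assumed entitlement matrix: the top-level resources each role may touch.
ENTITLEMENTS = {
    "clerk": {"/ledger", "/invoices"},
    "hr": {"/payroll", "/personnel"},
}

# Assumed log format: "<timestamp> user=<id> role=<role> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\w+) role=(?P<role>\w+) "
    r"(?P<method>GET|POST|PUT|DELETE) (?P<resource>/\w+)\S* (?P<status>\d{3})"
)

# Constructed sample: a clerk probing the payroll resource.
SAMPLE_LOG = [
    "2023-03-01T08:15:02Z user=jdoe role=clerk GET /ledger 200",
    "2023-03-01T08:16:40Z user=jdoe role=clerk GET /payroll/emp/4471 403",
    "2023-03-01T08:17:05Z user=jdoe role=clerk GET /payroll/export 200",
    "2023-03-01T09:02:11Z user=mlee role=hr GET /payroll 200",
]


def exception_report(log_lines):
    """Return (exceptions, unparsed).

    exceptions: (timestamp, user, resource, status) for every request to a
    resource outside the user's role, denied or not. A 403 means the preventive
    control held but the attempt still matters; a 200 is a control failure.
    unparsed: lines the parser could not read, reported rather than dropped,
    because gaps in the log weaken the detective control itself.
    """
    exceptions, unparsed = [], []
    for line in log_lines:
        m = LOG_RE.fullmatch(line.strip())
        if m is None:
            unparsed.append(line)
            continue
        allowed = ENTITLEMENTS.get(m["role"], set())
        if m["resource"] not in allowed:
            exceptions.append((m["ts"], m["user"], m["resource"], int(m["status"])))
    return exceptions, unparsed


if __name__ == "__main__":
    db = setup_ledger()
    for field in ("125.50", "125.50; DROP TABLE ledger", "<script>alert(1)</script>"):
        verdict = "posted" if post_transaction(db, "1001", field) else "rejected"
        print(f"{field!r:45} -> {verdict}")
    found, bad = exception_report(SAMPLE_LOG)
    for row in found:
        print("EXCEPTION", *row)
    print("unparsed lines:", len(bad))
```

Run on the sample log, the report lists two exceptions for jdoe: a denied request to /payroll (the access control worked, but the attempt is still something the auditor wants to see) and a successful one (a control failure to escalate). Unparsed lines come back separately so that a log-format change or truncation shows up as a finding instead of silently shrinking the report.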
Then finally, Corrective Controls: something as simple as taking backups, so that in the event of a system failure you can correct the problem by restoring the database; the backup and restore procedures are the corrective control. A backup that has never been test-restored should not be counted as a working control.

The Objectives of IT Audit include assessment and evaluation of processes that ensure:

1. Asset Safeguarding – 'Assets' include the following five types:
• Data objects in their widest sense (i.e., external and internal, structured and non-structured, graphics, sound, system documentation, etc.).
• Application Systems, understood to be the sum of manual and programmed procedures.
• Technology, which covers hardware, operating systems, database management systems, networking, multimedia, etc.
• Resources to house and support Information Systems, supplies, etc.
• Staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor Information Systems and services.

2. Ensures that the following seven attributes of data or information are maintained:
• Effectiveness – deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
• Efficiency – concerns the provision of information through the optimal (most productive and economical) usage of resources.
• Confidentiality – concerns protection of sensitive information from unauthorized disclosure.
• Integrity – relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations.
• Availability – relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
• Compliance – deals with complying with those laws, regulations and contractual arrangements to which the business process is subject (i.e., externally imposed business criteria).
This essentially means that systems need to operate within the ambit of the rules, regulations and/or conditions of the organization.
• Reliability of Information.

When you look at business functions, one of the things an IT Auditor should look for is where in the process there is a potential for compromise of Confidentiality, Integrity or Availability.

Example: if data is gathered via a Web Front-End, which is then reformatted and sent to the Database either for storage or inquiry, and then returned to the Web Front-End for redisplay to the user, there are a number of control points to consider:
• The Web Front-End itself: who has access, and how are they authenticated?
• The connection between the Web Front-End and the Database: how is this connection protected?
• The Database: who is allowed to update, and what data can be returned to the Web Front-End?
• The Network: is traffic restricted to just the traffic required to support the Web Application?

There are more points to consider:
• In trying to determine all the control points, an IT Auditor must consider the system boundary, which should be part of the Business Impact Analysis discussed earlier. From that Business Impact Analysis, the IT Auditor should be able to construct a Data Flow Diagram and identify all the control points that will need to be reviewed as part of the audit.
• It is part of the job to identify the risks and to help management understand what the risk to the business would be if a control at a specific point malfunctions and the information is compromised.

References:
Gantz, S. D. (2014). The Basics of IT Audit: Purposes, Processes, and Practical Information (1st ed.). Elsevier.
Hall, J. A. (2016). Information Technology Auditing (4th ed.). Cengage Learning.
Otero, A. R. (2019). Information Technology Control and Audit (5th ed.). CRC Press, Taylor and Francis Group.
