2013-08-26

In this paper, the author provides an evaluation of information technology (IT) auditing and its importance in today’s global business environment.  Risks associated with IT auditing are also evaluated.  The author explains how organizations should implement controls to achieve compliance with legal requirements and industry best practices for auditing.  Finally, the author provides justification of the importance of implementing controls and auditing guidelines that allow successful governance of organizations.

Concepts of IT Auditing

Auditing involves a systematic process of gathering evidence and objectively evaluating it and then communicating the findings to the appropriate stakeholders.  The audit process requires auditors to have knowledge of the persons, processes, or technology under review.  Often, auditors have extraordinary access to confidential data.  Therefore, auditors must exhibit the highest degree of integrity and must act ethically at all times.  The IT audit profession has become increasingly important to business and other organizations and plays a critical role in their overall success, compliance, and effectiveness.

Audit Standards

Audit standards exist as a means to bring conformity to an otherwise complex process.  Many audit standards help ensure that the basic principles of internal auditing are adequately delineated (The IIA, 2012).  Basic audit principles help ensure that audits are conducted in accordance with agreed-upon and established methods.  These methods allow an auditor to conduct fieldwork and evaluate the data in such a way that any other competent auditor should arrive at the same basic conclusions as the original.  The author reviews the audit standards of two authoritative bodies:  The Institute of Internal Auditors (The IIA) and the Information Systems Audit and Control Association (ISACA).

The IIA.  Many different types of audit standards have been established by various credentialing organizations.  The IIA has established the International Standards for the Professional Practice of Internal Auditing (Standards).  The IIA standards address the auditing profession from a holistic perspective, incorporating internal audit and IT audit (The IIA, 2012).  IIA standards allow the conjunctive use of standards issued by other authoritative bodies provided that the auditor declares the use of the additional standards (The IIA, 2012).  In these cases, the auditor must comply with the IIA standard as a baseline, but may follow the other standard where it is more restrictive (The IIA, 2012).  The IIA standard establishes minimum guidelines for auditor independence, proficiency and due professional care, quality assurance and improvement, internal audit management, audit planning and execution, and the communication of audit results (The IIA, 2012).

Proficiency and due professional care.  The IIA requires auditors to execute audit engagements with the necessary skills and knowledge (competencies) to perform their individual responsibilities (The IIA, 2012).  Likewise, the internal audit team must collectively (or institutionally) have the requisite skills to adequately perform its responsibilities (The IIA, 2012).  With regard to due professional care, auditors are required to take several factors into consideration and must act as a reasonably prudent and competent auditor would (The IIA, 2012).  Due professional care requires auditors to consider the work effort required to achieve the engagement’s objectives, the materiality of matters, the effectiveness of controls, the probability of errors, and the cost/benefit of controls (The IIA, 2012).

Quality assurance and improvement.  Due professional care notwithstanding, auditors are not infallible.  Since humans, who are by definition fallible creatures, conduct the audit, there is the possibility of error.  Therefore, auditors should work collaboratively with the audit team to help reduce the error rate.  Quality assurance programs help audit teams ensure they are complying with audit standards and monitor the performance of audit activity (The IIA, 2012).  The IIA (2012) requires a formal assessment of audit activity at least once every five years, which must be conducted by an authorized assessor independent of the audit team.

Internal audit management.  The management of internal audit activity is one of the standards defined by the IIA.  Proper audit management requires audits to be planned using a risk-based approach, a methodology that requires an annual risk assessment (The IIA, 2012).  Senior management and the board must approve yearly audit activity.  Planning helps to ensure that adequate resources are available and that any limitations are noted in the yearly schedule.  The IIA also requires comprehensive policies and procedures that guide internal audit activity (The IIA, 2012).

Audit planning and execution.  Audit engagements must be planned based on the objectives of the activity being assessed and the significant risks to the activity (The IIA, 2012).  When establishing audit scope, consideration must be given to the relevance of systems, records, personnel, and properties.  The IIA standard (2012) places limitations on consulting activity identified during internal audits.  The primary purpose of these limitations is to help maintain audit independence.  In any event, audit activity must include the development and documentation of audit work programs.  Audit work programs identify the specific procedures used for identifying, analyzing, evaluating, and documenting information during the engagement (The IIA, 2012).  The IIA allows significant latitude in the creation of work programs, recognizing that they will likely vary based on the nature of the audit engagement undertaken.

Communication of audit results.  The IIA has established very specific audit engagement requirements for reports and other communications.  All communications must include the engagement’s scope and objective and any conclusions or recommendations (The IIA, 2012).  Auditors are encouraged to acknowledge satisfactory performance in audit communications and state any limitations on the use and distribution of results (The IIA, 2012).

ISACA.  ISACA standards were established to address the needs of information systems (IS) and IT audit.  Individuals who have achieved the status of Certified Information Systems Auditor (CISA) must conform to ISACA standards when performing IS audits (ISACA, 2005).  ISACA (2005) standards establish the minimum level of acceptable performance required to meet the ISACA Code of Professional Ethics.  The ISACA standard is much less detailed than the IIA standard but includes requirements for audit scope, independence, professional ethics and standards, competence, planning, performance of work, reporting, and follow-up activity.

Audit scope.  ISACA (2005) standards stipulate that the responsibility, authority, and accountability of IS control functions be documented and approved by management.  The scope of the audit establishes the area to be reviewed and should state the process areas, controls, or functional areas and any other necessary information to properly delineate the area to be reviewed (Senft, Gallegos, & Davis, 2013).  It is necessary for management to approve audit scope to ensure organizational cooperation and ensure the necessary levels of access required to perform audit activity.

Professional ethics and standards.  ISACA (2005) requires IS auditors to adhere to the Code of Professional Ethics.  The standard’s statement on due professional care is simple: auditors must exercise due professional care and observe professional standards.  Auditors must maintain professional skepticism and approach topics with a questioning mind that is capable of critically analyzing audit evidence (ISACA, 2005).  Other aspects of due professional care in ISACA (2005) help ensure that audits are conducted with integrity and care and that auditors have the skills necessary to achieve engagement objectives.  ISACA-certified auditors face the possibility of disciplinary action for failure to abide by the Code of Professional Ethics (ISACA, 2005).

Competence.  ISACA (2005) requires auditors to be professionally competent and to maintain competency through systematic training and continuing education.  If auditors do not have sufficient skills for an assigned engagement, they should decline the opportunity.  Continuing education is necessary for career growth and development.  Since IT is rapidly changing, regular training is necessary to maintain acceptable competence levels (Senft, et al., 2013).  Competence is directly related to the quality of audits and is not limited to competency with IT systems (Stoel, Havelka, & Merhout, 2012).  IT auditors must be conversant with complex business systems that rely on IT controls, electronic commerce, various types of emerging technology, and extremely sophisticated legal requirements such as the Sarbanes-Oxley Act of 2002 (SOA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Abdolmohammadi & Boss, 2010).  The SOA created significant opportunities for IT professionals.  While the auditing of financial statements is a task primarily performed by accountants, IT professionals are necessary to evaluate the design and implementation of technology systems directly involved with financial transaction processing (Schneider & Bruton, 2007).  Therefore, IT auditors involved with engagements reviewing financial systems should have knowledge of financial systems to help ensure that IT design and implementation meet the intent and rigor of the SOA and other regulations.

Planning.  An auditor who is using ISACA standards must plan IS audits to address the audit objectives and comply with laws and professional auditing standards.  Auditors are required to use a risk-based approach and document their approach in the appropriate engagement documentation (ISACA, 2005).  As with the IIA standard, a yearly audit plan, approved by the audit committee, is required (ISACA, 2005).  In order to properly plan audits, it is necessary to understand the business being reviewed (Rehage, Hunt, & Nikitin, 2008).  The auditor should have a working knowledge of the organization’s business objectives and strategy.  This understanding will help the auditor develop a risk profile that is appropriate to the business.  Second, the auditor should identify critical infrastructure in the IT environment and any supporting technologies used (Rehage, et al., 2008).  A formal risk assessment should be conducted and updated on an annual basis before the audit plan is finalized and approved by management (Rehage, et al., 2008).

Performance of work.  Audit engagements should be organized and documented using defined procedures and conforming to ISACA standards.  ISACA requires that audit documentation be sufficient to allow another independent auditor to re-perform the tasks and obtain the same results as the original auditor (ISACA, 2005).  Thus, documentation should be detailed and specify the audit program, testing procedures, and contain all the audit evidence and detailed artifacts.

Reporting.  There is no specific audit report format required by ISACA; however, engagement reports must be prepared at the completion of each audit.  The report should include the scope, objectives, period of coverage, and the nature, timing, and coverage of the work performed (ISACA, 2005).  The results reported in the documentation must be substantiated by appropriate audit evidence.  Initially, a draft report should be provided to management to allow for any comments.  Moreover, if deficiencies are identified during the audit, these findings must be communicated to the audit committee or board (ISACA, 2005).  Audit reports must be free of personal bias or influence.  The final audit report should be well organized and cross-referenced (Senft, et al., 2013).

Follow-up activity.  Typically, follow-up actions should be documented in the final report.  Follow-up actions usually include management’s plan to implement recommendations and should be included in the management response section of the audit documentation (ISACA, 2005).  The follow-up process must also include a process to help ensure that management actions have been properly and effectively implemented.  If management decides to accept the risk, the follow-up process should ensure that the finding has been properly documented and accepted by an approving authority.  Other important items to document as follow-up activity include agreed recommendations not yet implemented.  In these cases, the follow-up activity should be specifically communicated to the audit committee or board; however, the auditor should consider whether the recommendations not yet implemented are still relevant (ISACA, 2005).

Audit Independence

All reviewed audit standards have some type of declaration regarding auditor independence.  Independence refers to the capability for auditors to remain objective in performing their work and communicating results.  Moreover, independent auditors (internal and external) are prohibited from having a financial interest in the business being audited.  Organizations subject to provisions contained in the SOA are legally required to have an independent audit function (USC, 2002).  Independence contributes to the validity of any findings or recommendations and adds value to the audit function (Senft, et al., 2013).  If auditors lack independence, there is an increased risk of inadequate risk management, internal controls, and ineffective corporate governance.  The independence of auditors contributes to public trust and is a primary element of any legitimate organization.

Audit charters typically help ensure independence and are required for companies subject to the SOA.  As a result, audit groups often report to a Chief Audit Executive (CAE) who in turn reports to the audit committee or board of directors.  Thus, independence is further enhanced by the organizational independence of the audit group as a whole.  External organizations performing audit work for publicly traded companies in the United States (U.S.) are prohibited from also providing consulting services.  The SOA also mandates rotation of audit partners and prohibits external audit partners from accepting positions of influence with their former client for a period of time (USC, 2002).  Separation of duties and audit partner rotation contribute to real and perceived independence.  These requirements are designed to help improve public confidence in publicly traded companies.  The Securities and Exchange Commission (SEC) enforces the independence requirements established in the SOA (USC, 2002).

Independence allows the auditor to select the appropriate method to perform engagements and the freedom to pick audit topics at the auditor’s discretion.  Accordingly, auditors must have nearly unlimited access to company information, granted on the basis of the security principles of least privilege and business need-to-know.

Ethical standards.  Ethical standards are closely related to independence, since auditors cannot act ethically if they are not independent of the organization they are reviewing.  Accordingly, ethical standards are rules placed on auditors to govern their behavior, and auditors should exhibit a high standard of moral ethics.  The public often relies on the opinions and reports of auditors to make important financial decisions.  If auditors do not have the public trust, the entire financial system could be placed in jeopardy.  Sometimes an auditor may be in a position where an activity is legal but not ethical.  In these cases, the auditor should act in the interest of the public trust and choose the ethical course of action.  Ethical actions are those that are objective, legal, competent, and performed in accordance with established professional standards.  Auditors must defend their integrity with consistent actions that support the high professional standards of the auditing profession.

Auditor Skills and Abilities

Auditors must have the knowledge, skills, and abilities necessary for the audit engagement they are performing.  There are several credentialing bodies that help establish a baseline for minimum training and qualifications for auditors.  ISACA certifies CISAs who must have completed 60 university credit hours and 5 years of professional experience in auditing or information systems (ISACA, n.d.).  Furthermore, CISAs must achieve a passing score on the certification exam.  The exam closely mirrors the work practice areas of a typical IS auditor and includes

Auditors help organizations by providing assurance, reviewing services, and assisting with the protection and control of IS.  Therefore, it is necessary to have the skills required to perform risk assessments and make judgments about the protection of assets.  Providing the governance and management of IT requires auditors to show leadership and understanding of organizational hierarchies.  The audit profession also requires practitioners to have the business and technical acumen to understand technology and business processes for the acquisition, development, and implementation of IT.  This knowledge will also permit auditors to properly evaluate the operational, maintenance, and support aspects of IT and thus place them in a position to skillfully review those areas of business.  Auditors must also have significant information security and assurance knowledge and experience.  These skillsets permit auditors to review security policies and work practices and make informed decisions about the effectiveness of the reviewed material.

Auditors must be able to perform due diligence and closely examine relevant aspects of business transactions (Delak, 2008).  Due diligence requires a careful analysis to determine the current state of an organization based on assets, resources, documentation, compliance, and risk (Delak, 2008).  The point of due diligence is to provide a general risk assessment so that stakeholders can make informed business decisions (Delak, 2008).  This essential task is often the complete synthesis of the auditor’s skills, knowledge, and abilities.

Internal and External Audits

There are two types of auditors: internal and external.  External auditors are accountable to shareholders and other entities external to the organization’s governance structure.  The objective for an external auditor is to enhance the credibility and reliability of financial statements and transaction processing.  External auditors primarily review financial reports and statements and report any findings or problems uncovered as a result of their audit activity.  External auditors work for public accounting firms and are regulated by the Public Company Accounting Oversight Board (PCAOB) (Braganza & Desouza, 2006).

Internal auditors report to an entity within the organization and perform audits that evaluate and improve governance, risk management, and controls.  Internal auditors help ensure compliance with policies, standards, and regulations by reviewing corporate business decisions.  In this capacity, internal auditors play a vital role in corporate governance.  Internal auditors occasionally perform work in support of external auditors.  External auditors can use the work of internal auditors in three ways:  (a) external auditors rely on the internal audit function as part of the organization’s internal control; (b) internal auditors assist external auditors by testing internal controls, accounts, and transactions; and (c) external auditors may task internal auditors with conducting audit procedures (Schneider, 2009).

Importance of IT Auditing in the Global Business Environment

Within the global context, IT audit assists organizations by reviewing and evaluating dynamic multi-enterprise environments.  Globalized operations present the requirement for control and audit to mobilize in all locations where business is conducted.  Planning audits on a global scale is a difficult task.  Successful completion of the audit plan assists organizations in making informed decisions about IT initiatives and other strategic concerns.  Global business systems rely on complex IT controls; thus, any time the environment is modified an audit should be conducted to help assure compliance with standards and regulations (Abdolmohammadi & Boss, 2010).  Reviewing IT operations on a global scale provides business regulation of day-to-day administrative functions and specific operational duties (Kelson, 2011).

Analysis of the Risk Associated with IT Auditing

Increased audit controls and regulations have drawn criticism and created the perception that audit activity impedes business operations (Li, Richardson, & Weidenmier-Watson, 2012).  Other analysts contend that increased regulation and control serve as a mechanism for improving organizations by identifying material weaknesses (Li, et al., 2012).  There are, however, risks associated with IT auditing.  Audit risk is often a function of the size of the project, the scope of organizational change, system complexity, the staff members involved, and the value of the project (Senft, et al., 2013).  With any audit engagement, there is a risk that the auditor will not identify errors or miscalculations, or will make a judgment error on the materiality of a particular matter.

Within the profession of IT audit, there are risks specific to the review of technology.  The suggested method for assessing inherent risk is to set aside the controls used to help mitigate it and instead focus on the strength of the internal controls designed to mitigate control risk.  Inherent risk within the context of IT audit can relate to infrastructure, software development and acquisition, and IT security controls.  For example, there are inherent risks associated with operating an e-commerce business.  In this case, a firewall helps mitigate inherent risk; however, the auditor should focus on the internal controls designed to manage the firewall, the change management processes, and the infrastructure redundancy used to increase the service availability of transaction processing.

IT control risk is the risk that internal controls fail to prevent an error condition or to properly secure an enterprise.  Internal controls are designed to mitigate control risks; however, there is always the possibility that a control failed and allowed anomalous activity or behavior to exist within the system.  If the IT auditor does not have enough knowledge of the control design, it is not possible to properly assess the control and determine its effectiveness.

The final type of IT audit risk is detection risk.  Detection risk is the possibility that the IT auditor will not identify issues within the infrastructure due to ineffective testing and review.  Detection risk is increased if the auditor is not knowledgeable of IT systems and infrastructure.  Most types of audit risk can be mitigated through the application of audit standards, due professional care, and ethical actions on behalf of the audit team.

Implementing Measures to Meet Compliance

Organizations should implement measures to help ensure that they are compliant with legal guidelines.  To accomplish this task, a comprehensive legal review should be conducted.  The purpose of the legal review is to identify precisely which legal guidelines must be complied with.  Often, organizations are subject to statutory, contractual, and other requirements.  All of these requirements should be identified to enable effective implementation planning.

For organizations that are subject to several requirements, there is often significant overlap in the controls required to achieve compliance.  For example, organizations subject to HIPAA and the protection of healthcare information may find that their HIPAA controls can be leveraged to help achieve compliance with the SOA.

The various requirements identified should be integrated into an implementation plan that has senior management approval.  The compliance measures should be implemented throughout the organization using a phased approach.  An initial review should be conducted to ensure that the compliance requirements are properly implemented.  Formal audits can identify any residual issues and establish plans to improve over time.  Each subsequent audit should identify changes against the initial baseline and strive to continually improve the organization by automating and formalizing control processes.

Justification of the Importance of Implementing Controls

Governance and control implementation help organizations achieve their strategic and tactical business objectives in an efficient manner.  Proper corporate governance helps ensure that scarce resources are allocated within the organization in a way that maximizes the benefit derived from their use.

Controls are required to help regulate businesses and assure compliance with standards, policies, laws, and regulations.  Most users perceive themselves as low risk takers and thus of limited risk to the organization (Anderson, 2008).  One study showed that up to 75% of all users engaged in some type of activity that put their organization at risk (Anderson, 2008).  Therefore, IT controls help ensure that organizations are secure from the inside and outside.

References

Abdolmohammadi, M. J., & Boss, S. R. (2010). Factors associated with IT audits by the internal audit function. International Journal of Accounting Information Systems, (3), 140-151. doi: 10.1016/j.accinf.2010.07.004

Anderson, K. (2008). Dysfunctional operations in IT. Information Systems Audit and Control Association, 1-2.

Braganza, A., & Desouza, K. C. (2006). Implementing section 404 of the Sarbanes Oxley Act: Recommendations for information systems organizations. Communications of the Association for Information Systems, 464-487.

Delak, B. (2008). Initial due diligence of information technology as risk identification before capital investment in finance industry. CAiSE Doctoral Consortium 2008, 95-105.

The IIA. (2012). International standards for the professional practice of internal auditing (standards). Altamonte Springs, FL: The Institute of Internal Auditors.

ISACA. (2005). Standards for Information Systems Control Professionals. Rolling Meadows, IL: Information Systems Audit and Control Association.

Kelson, N. (2011). IT strategic management audit/assurance program. Rolling Meadows, IL: Information Systems Audit and Control Association.

Li, C., Peters, G. F., Richardson, V. J., & Weidenmier-Watson, M. (2012). The consequences of information technology control weaknesses on management information systems: The case of Sarbanes-Oxley internal control reports. MIS Quarterly, (1), 179-204.

Rehage, K., Hunt, S., & Nikitin, F. (2008). Developing the IT audit plan. Altamonte Springs, FL: The Institute of Internal Auditors.

Schneider, G. P., & Bruton, C. M. (2007). Sarbanes-Oxley compliance: New opportunities for information technology professionals. Academy of Information and Management Sciences Journal, 102(2), 79-89.

Senft, S., Gallegos, F., & Davis, A. (2013). Information technology control and audit (Kindle ed.). Boca Raton: CRC Press.

Stoel, D., Havelka, D., & Merhout, J. (2012). An analysis of attributes that impact information technology audit quality: A study of IT and financial audit practitioners. International Journal of Accounting Information Systems, (1), 60-79. doi: 10.1016/j.accinf.2011.11.001

United States Code (2002). Sarbanes-Oxley Act of 2002, Public Law No. 107-204, codified at 15 U.S.C. § 7201.
