Auditing Information Technology and Information Systems

Definition
The benefits of information technology (IT) are accompanied by a need to manage the complexities, risks, and challenges that come with it. Auditing IT and information systems involves auditing an organizations hardware, software, and data organization and processing methods to ensure quality control and security. It certainly does not involve the popularly held belief that it amounts to merely counting computers. Even the smallest companies are dependent on IT systems, and in order for an organization to take full advantage of the IT system at its disposal it is vital that any system can be controlled and is reliable. Moreover, fraudsters can exploit IT systems, so it is vital these systems are secure and that safeguards have been implemented to detect and deter fraud. Data protection legislation also requires that data are secure and remain confidential. According to the Institute of Internal Auditors, some of the more obvious results of information system failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance.

Advantages
Paying attention to the challenges involved in establishing and maintaining an IT system can prevent waste of money and resources, loss of trust, and reputational damage. Timely involvement by internal auditors can help to assure that problems are identified and solved at an early stage. IT auditors can serve as a bridge between individual business units and the IT function, point out previously unidentified risks, and recommend controls for enhancing outcomes. An IT audit can identify IT weaknesses that could be exploited by a fraudster or which could compromise compliance with data protection laws.

Disadvantages
Carrying out an IT audit and ensuring that staff have the necessary training can be timeconsuming and costly (although not doing so can be far more costly).

Action Checklist
Develop an IT audit plan. This can help chief audit executives and internal auditors to understand the organization and how IT supports it, to define and understand the IT environment, to identify the role of risk assessments in determining the IT audit universe, and to formalize the annual IT audit plan. Develop an audit checklist to ensure that the auditors focus on areas and issues of concern.

Dos and Donts

Do
Make sure that your IT audit staff receive the latest technology and training, given the rapid pace of development in the IT world. Consider external IT auditors if the necessary skills are not available inhouse. Make sure that your staff are aware of all the legal requirements regarding data protection.

Dont
Dont carry out IT internal audits at fixed times. If staff know the timing of audits, they may adjust the way they use their IT resources, giving an inaccurate impression of their effectiveness, efficiency.
1 of 2 www.qfinance.com

Auditing Information Technology and Information Systems

More Info
Books:
Cascarino, Richard E. Auditors Guide to Information Systems Auditing. Hoboken, NJ: Wiley, 2007. Champlain, Jack J. Auditing Information Systems. 2nd ed. Hoboken, NJ: Wiley, 2003. Wright, Craig, Brian Freedman, and Dale Liu. The IT Regulatory and Standards Compliance Handbook: How to Survive an Information Systems Audit and Assessments. Rockland, MA: Syngress Publishing, 2008.

Article:
Bayuk Jennifer. Information systems audit: The basics. IT World (May 26, 2009). Online at: tinyurl.com/p3ly99

Websites:
Chartered Institute of Internal Auditors (UK and Ireland): www.iia.org.uk Institute of Internal Auditors (IIA): www.theiia.org

See Also
Checklists Understanding Internal Audits Industry Profile Information Technology

To see this article on-line, please visit

http://www.qfinance.com/auditing-checklists/auditing-information-technology-and-information-systems

Auditing Information Technology and Information Systems

2 of 2 www.qfinance.com