
ers' requirements. Systems development and acquisition controls include, for example:

• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and approved design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, and that the system owner has confirmed that the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Application-based controls are implemented to ensure that:

• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.

Application-based controls include, for example:

• Input controls. These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application.
• Processing controls. These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output controls. These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity controls. These controls can monitor data in the process and/or storage to ensure that data remains consistent and correct.
• Management trail. Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record.22

Specific examples of application-based controls are presented in exhibit 7-5.

Information Security Controls

Information security controls are not explicitly presented in exhibit 7-4 because "Information security is an integral part of IT controls."23 Information security controls protect an information system from unauthorized physical and logical access. Physical access controls provide security over tangible IT resources and include such things as locked doors, surveillance cameras, and

Exhibit 7-5: Examples of Application-Based Controls

Input Controls: Designed to ensure that data input into the system is valid, complete, and accurate.
• Source document controls:
  - Access to documents used to initiate transactions is restricted to authorized individuals.
  - Documents used to initiate transactions are prenumbered when feasible. The source documents are used in numerical sequence and the sequence is verified periodically.
• Control totals:
  - Record count. A count of the records input for processing. Example: The number of time cards submitted for payroll processing.
  - Batch total. A total of an amount included in each record batched for processing. Example: The total of the number of hours worked in the batch of time cards submitted for payroll processing.
  - Hash total. An otherwise meaningless total that is used to ensure the completeness of data input for processing. Example: The sum of the employee numbers in the batch of time cards submitted for processing.
• Programmed edit checks:
  - Completeness check. Examines the data input to ensure that all critical fields contain values.
  - Field check. Examines a field to determine whether it contains the appropriate type of data (alpha or numeric).
  - Sign check. Examines a field to determine whether the amount sign is correct (positive or negative).
  - Limit check. Examines a field to determine whether the amount does not exceed a prescribed upper limit or fall below a prescribed lower limit.
  - Range check. Examines a field to determine whether the amount falls within a prescribed range.
  - Reasonableness check. Compares the data in a field with data in related fields to determine whether the value is reasonable.
  - Validity check. Compares the data in a field with a predetermined set of authorized values to ensure the field contains valid data.

Processing Controls: Designed to prevent or detect and correct errors that occur during processing.
• Run-to-run control totals: Control totals are calculated and checked at designated points as transactions are processed.
• Error listings: Error listings are automatically generated by the computer and errors identified are remediated expeditiously.

Output Controls: Designed to ensure that application system outputs are valid, complete, and accurate and that security over outputs is properly maintained.
• Output review controls: Application system outputs are reviewed for validity, completeness, and accuracy before being distributed to users.
• Distribution controls: Distribution of application system outputs is restricted to authorized recipients.
• End-user controls: End users review the application system outputs they receive for validity, completeness, and accuracy.

Management Trail Controls: Designed to provide a permanent record of input, processing, and output activity.
• Transaction logging: The application system automatically logs the transactions processed.
• Programmed control logging: The application system automatically logs the imbedded controls executed during input, processing, and output.
• Error listings: Error listings generated and remediated during processing are retained.
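The Python script below is an added worked example, not code from the textbook or from The IIA, that runs the application-based controls described above and itemized in exhibit 7-5 against one constructed payroll time-card batch: the three control totals (record count, batch total, hash total) checked against the submitting department's control slip, the programmed edit checks applied record by record, a run-to-run control total carried from the input stage into processing, and a transaction log that serves as the management trail. The hourly rate, hour limits, authorized department codes, employee numbers and hours are all invented for the illustration.

```python
# Added example (not from the textbook): the exhibit 7-5 application controls
# applied to one constructed payroll time-card batch. All values are invented.
from dataclasses import dataclass
from typing import Dict, List, Optional

HOURLY_RATE = 20.0                  # constructed flat pay rate
MAX_HOURS = 60.0                    # prescribed upper limit (limit check)
EMPLOYEE_NO_RANGE = (1000, 9999)    # prescribed range (range check)
VALID_DEPTS = {"OPS", "FIN", "HR"}  # authorized values (validity check)
REASONABLE_DEVIATION = 10.0         # hours vs. scheduled hours (reasonableness check)

@dataclass
class TimeCard:
    employee_no: Optional[int]
    dept: Optional[str]
    scheduled_hours: Optional[float]
    hours: Optional[float]

# Constructed batch of time cards submitted for payroll processing.
BATCH = [
    TimeCard(1001, "OPS", 40.0, 40.0),
    TimeCard(1002, "OPS", 40.0, 38.5),
    TimeCard(1003, "FIN", 40.0, 42.0),
    TimeCard(1004, "HR", 20.0, -3.0),   # fails the sign check
    TimeCard(1005, "MKT", 40.0, 39.0),  # fails the validity check (department)
    TimeCard(1006, "FIN", 40.0, 75.0),  # fails the limit and reasonableness checks
]
# Control totals the submitting department computed independently (constructed).
CONTROL_SLIP = {"record_count": 6, "batch_total": 231.5, "hash_total": 6021}

def control_totals(cards: List[TimeCard]) -> Dict[str, float]:
    """Record count, batch total of hours, and hash total of employee numbers."""
    return {
        "record_count": len(cards),
        "batch_total": round(sum(c.hours for c in cards), 2),
        # The hash total means nothing in itself; it only proves every record arrived.
        "hash_total": sum(c.employee_no for c in cards),
    }

def edit_checks(card: TimeCard) -> List[str]:
    """Programmed edit checks on one record; an empty list means the record passes."""
    # Completeness check: every critical field must hold a value.
    if any(v is None for v in (card.employee_no, card.dept, card.scheduled_hours, card.hours)):
        return ["COMPLETENESS"]
    # Field check: numeric fields numeric, department alphabetic; stop here because later checks assume it.
    if not isinstance(card.employee_no, int) or not isinstance(card.hours, (int, float)) or not card.dept.isalpha():
        return ["FIELD_TYPE"]
    errors = []
    if card.hours < 0:                                                 # sign check
        errors.append("SIGN")
    if card.hours > MAX_HOURS:                                         # limit check
        errors.append("LIMIT")
    if not EMPLOYEE_NO_RANGE[0] <= card.employee_no <= EMPLOYEE_NO_RANGE[1]:  # range check
        errors.append("RANGE")
    if abs(card.hours - card.scheduled_hours) > REASONABLE_DEVIATION:  # reasonableness check
        errors.append("REASONABLENESS")
    if card.dept not in VALID_DEPTS:                                   # validity check
        errors.append("VALIDITY")
    return errors

def process_batch(cards: List[TimeCard], control_slip: Dict[str, float]) -> dict:
    """Input, processing and management-trail controls over one batch."""
    log: List[dict] = []  # transaction log: the management (audit) trail
    def record(stage, employee_no, detail):
        log.append({"seq": len(log) + 1, "stage": stage, "employee_no": employee_no, "detail": detail})
    # Input control: the whole batch is rejected when the control totals disagree.
    totals = control_totals(cards)
    if totals != control_slip:
        record("input", None, f"control totals mismatch: {totals} vs slip {control_slip}")
        return {"status": "BATCH_REJECTED", "accepted": [], "rejected": {}, "log": log}
    record("input", None, f"control totals agree: {totals}")
    accepted, rejected = [], {}
    for card in cards:
        errors = edit_checks(card)
        if errors:
            rejected[card.employee_no] = errors  # goes on the error listing for remediation
            record("input", card.employee_no, "rejected: " + ",".join(errors))
        else:
            accepted.append(card)
            record("input", card.employee_no, f"accepted {card.hours} hours")
    # Processing: compute gross pay, then verify the run-to-run control total
    # (hours carried out of processing must equal hours accepted at input).
    hours_in = round(sum(c.hours for c in accepted), 2)
    pay = [{"employee_no": c.employee_no, "hours": c.hours,
            "gross": round(c.hours * HOURLY_RATE, 2)} for c in accepted]
    for p in pay:
        record("processing", p["employee_no"], f"gross pay {p['gross']}")
    hours_out = round(sum(p["hours"] for p in pay), 2)
    ok = hours_in == hours_out
    record("output", None, f"run-to-run hours {hours_in} -> {hours_out}: {'ok' if ok else 'MISMATCH'}")
    return {"status": "PROCESSED" if ok else "CONTROL_FAILURE",
            "accepted": pay, "rejected": rejected, "log": log}

def trace(log: List[dict], employee_no: int) -> List[dict]:
    # Management trail: follow one transaction from source to result, or back from result to source.
    return [e for e in log if e["employee_no"] == employee_no]

if __name__ == "__main__":
    result = process_batch(BATCH, CONTROL_SLIP)
    print(result["status"], "rejected:", result["rejected"], trace(result["log"], 1003))
```

Running it accepts three of the six cards, lists the other three on the error listing with the check each failed, and leaves an eleven-entry log from which any employee's transaction can be followed from the input stage through to its gross pay and back. Dropping a card from the batch (or altering an employee number) makes the record count or hash total disagree with the control slip, and the whole batch is rejected before any edit check runs, which is the point of a control total being computed independently of the system that consumes the data.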
security guards. Logical access controls provide security over software and information imbedded in the system and include such things as firewalls, encryption, login IDs, passwords, authorization tables, and computer activity logs. Deficiencies in information security controls compromise the effectiveness of all other IT governance, management, and technical controls. Due to the increased risk to an organization from cybersecurity threats, additional disclosure reporting regulations for financial reporting have been imposed by the U.S. Securities and Exchange Commission (SEC) effective October 2011. Internal audits of information security controls will help ensure that organizations take a proactive approach to managing cybersecurity risk and adhere to the more stringent SEC reporting requirements.

IMPLICATIONS OF IT FOR INTERNAL AUDITORS

The previous sections of this chapter describe how IT has affected organizations. IT has changed the manner in which organizations formulate strategies, conduct day-to-day operations, and make decisions. These changes have generated new risks and forced organizations to modify their governance, risk management, and control processes. The pervasive impact of IT on organizations has in turn compelled internal auditors to upgrade their IT knowledge and skills and adjust how they perform their work.

IT Proficiency and Due Professional Care

Two Attribute Implementation Standards specifically address the IT proficiency internal auditors must possess and the consideration they must give to using technology-based audit techniques:

1210.A3 - Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

1220.A2 - In exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques.

Standards 1210.A3 and 1220.A2 clearly indicate that all internal auditors providing assurance services need at least a baseline level of IT risk, control, and audit expertise. Fundamental IT risk and control concepts that all internal auditors need to understand are discussed in previous sections of this chapter. Technology-based audit techniques, also referred to as computer-assisted audit techniques (CAATs), are described in chapter 10, "Audit Evidence and Working Papers." CAATs include generalized audit software (GAS) such as ACL and IDEA, both of which are on the DVD-ROM accompanying this textbook. GAS is an example of an IT audit tool that internal audit functions are increasingly expecting all staff members to understand and apply effectively. Utility software, test data, application software tracing and mapping, audit expert systems, and continuous auditing are other CAATs described in chapter 10. In addition, most internal audit functions have some type of automated working paper system such as TeamMate, which also is included on the DVD-ROM accompanying this textbook, to document, organize, and cross reference internal audit work. Automated working paper systems have significantly improved the documentation aspects of internal audit work by improving the effectiveness and efficiency of the work performed.

Standard 1210.A3 also indicates that every internal auditor need not have the level of IT audit expertise expected of an IT audit specialist. However, because the demand for highly skilled IT auditors continues to exceed the supply, readers with an interest in this area are encouraged to investigate further the competencies and credentials needed to succeed as an IT audit specialist. Such individuals may want to pursue IT control-related certifications to complement their Certified Internal Auditor (CIA) credential. Such certifications include, for example, the Certified Information Systems Auditor (CISA) sponsored by ISACA (www.isaca.org) and the Certified Information Systems Security Professional (CISSP) sponsored by the Information Systems Security Association (www.issa.org).

As is the case with all other areas of relevant expertise, the chief audit executive (CAE) is responsible for ensuring that the internal audit function has the IT proficiency needed to fulfill its assurance engagement responsibilities. Some internal audit functions have a sufficient complement of IT audit experts on staff. Those that do not have such experts on staff look to sources outside the internal audit function for such expertise. In some cases, qualified individuals from other areas of the organization may be asked to assist on internal audit engagements requiring IT competencies that the internal audit function does not have. In other cases, the CAE may hire external service providers with the requisite IT knowledge and skills.

Assurance Engagement IT Responsibilities

Three Performance Implementation Standards specifically address internal auditors' assurance engagement responsibilities regarding information systems and technology:

2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

2120.A1 - The internal audit activity must evaluate risk exposures relating to the organization's ... information systems ...

2130.A1 - The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's ... information systems ...

These three standards reflect the fact that an internal audit function cannot effectively evaluate governance, risk management, and control processes without giving due consideration to information systems and technology. To fulfill its IT-related responsibilities, an internal audit function must:

• Include the organization's information systems in its annual audit planning process.
• Identify and assess the organization's IT risks.
• Ensure that it has sufficient IT audit expertise.
• Assess IT governance, management, and technical controls.
• Assign auditors with appropriate levels of IT expertise to each assurance engagement.
• Use technology-based audit techniques as appropriate.

IT Outsourcing

processes to an outside provider to achieve cost reductions while improving service quality and efficiency. It is for these reasons that organizations are increasingly outsourcing IT functions to vendors that specialize in providing IT services. As is the case with any kind of outsourcing, IT outsourcing brings with it risks that an organization's board and management must understand and manage. Accordingly, they will seek assurance regarding the information upon which their outsourcing decisions are based. The internal audit function can provide such assurance and, in addition, advise the board and management about the risk and control implications of outsourcing IT.

The board and management also retain responsibility for the controls over the outsourced IT functions and will call upon the CAE to provide them with assurance regarding the design adequacy and operating effectiveness of these controls. Depending on the circumstances, the CAE may rely, to some extent, on the reports of the IT service provider's internal and/or independent outside auditors when formulating a conclusion about the controls over outsourced IT functions. If high-risk IT functions have been outsourced, the CAE should allocate an appropriate level of internal audit resources to testing the controls over those functions. GTAG 7: Information Technology Outsourcing describes in detail some of the key IT outsourcing considerations that warrant the attention of internal audit functions.
Integrated and Continuous Auditing

Internal audits have historically been conducted retrospectively, for example, after transactions have occurred. This after-the-fact audit approach is rapidly becoming outdated as advances in technology give rise to IT-enabled business processes in which online, real-time processing of transactions is common. Paper-based audit trails of transaction processing and controls are increasingly being replaced with paperless audit trails and imbedded automated controls designed to test the propriety of transactions as they occur. In this information systems environment, direct evidence of transaction processing and controls implementation often is temporary in nature. This means that it is becoming less and less feasible for internal auditors to "audit around the computer" and reach a valid conclusion about the overall effectiveness of controls over financial reporting, operations, and compliance. They must instead "audit through the computer," using CAATs to evaluate IT controls built into the system.

Integrating IT auditing into assurance engagements. The integration of IT controls directly into business processes, together with the availability of user-friendly CAATs, is prompting a growing number of internal audit functions to modify their audit approach. Instead of conducting separate assurance engagements focused strictly on process-level IT risks and controls, these internal audit functions assimilate IT risk and control assessments into assurance engagements conducted to assess process-level financial reporting, operations, and/or compliance risks and controls. Internal audit functions that have adopted this approach are finding that it benefits their organizations by improving both the effectiveness and efficiency of their internal audit assurance services. Integrated assurance engagements are more effective because the internal auditors are in a much better position to assess the auditee's entire risk portfolio and reach an overall conclusion about the design adequacy and operating effectiveness of controls. The audit process is more efficient because (1) engagements previously conducted separately are

combined and (2) the identification and assessment of all key risks and controls are consolidated in integrated audit engagements.

Continuous auditing. Continuous auditing is defined in GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment as "any method used by internal auditors to perform audit-related activities on a more continuous or continual basis."24 As described in GTAG 3, continuous auditing comprises two main activities: continuous controls assessment, the purpose of which is "to focus audit attention on control deficiencies as early as possible," and continuous risk assessment, the purpose of which is "to highlight processes or systems that are experiencing higher than expected levels of risk."25 Assessment of continuous monitoring is a third integral component of continuous auditing. As indicated earlier in the chapter, management is responsible for monitoring the organization's risk management process, including the control process, over time to ensure that it continues to operate effectively and efficiently. The internal audit function's continuous audit responsibility is to assess the effectiveness of management's continuous monitoring activities. In areas of the organization in which management has implemented an effective ongoing monitoring process, internal auditors can conduct less stringent continuous assessments of risk and controls. Conversely, if continuous monitoring is nonexistent or ineffective, the internal audit function must perform more rigorous ongoing risk and control assessments.
SOURCES OF IT AUDIT GUIDANCE

The IIA has a growing body of IT audit guidance. Two key components of this guidance are the Global Technology Audit Guides (GTAGs) and Guide to the Assessment of IT Risk (GAIT) Practice Guides included in The IIA's International Professional Practices Framework:

• The GTAG Practice Guides. The GTAG Practice Guides "address timely issues related to information technology (IT) management, control, and security."26 The GTAGs available when this textbook was published are listed in exhibit 7-1.
• The GAIT Practice Guides. The GAIT Practice Guides describe "the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each guide addresses a specific aspect of IT risk and control assessment."27 The GAIT guides available when this textbook was published are listed in exhibit 7-1.

IIA members can download Practice Guides free of charge at https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/. They also can be purchased from The IIA Research Foundation Bookstore at http://www.theiia.org/bookstore/. Other IT audit guidance available through The IIA includes:

• Numerous publications, including IIA Research Foundation handbooks and research monographs, which can be purchased from The IIA Research Foundation Bookstore.
• The ITAudit portion of Internal Auditor Online, which, before January 2009, was a separate online publication of IT audit articles. Both current and archived ITAudit articles can be downloaded by anyone at www.theiia.org/intAuditor/itaudit/.

Many other organizations have published online IT audit information of relevance to internal auditors that is available for downloading. These organizations include, for example:

• The IT Governance Institute (www.itgi.org).
• The IT Compliance Institute (www.itcinstitute.com).
• The IT Process Institute (www.itpi.org).
• ISACA (www.isaca.org).
• The Information Systems Security Association (www.issa.org).
• The American Institute of Certified Public Accountants (www.aicpa.org).
• The Canadian Institute of Chartered Accountants (www.cica.org).

Emerging Information Technology Risk Issues

New and emerging information technologies will continue to be introduced at a rapid pace. Typically these technologies are developed with a business purpose and controls are introduced later to mitigate the associated IT risks. IT advances originating outside the organization can no longer be ignored. As indicated earlier in the chapter, many of the recent IT advances such as smartphones, social media, and cloud computing have an impact on the risk profile of an organization even if it chooses not to employ the technology. It is important for the organization to anticipate technology innovations on the horizon and factor them into their IT risk assessment. The internal audit function can provide valuable insight to the organization on how new technology will impact the future of the organization and how to proactively address the impending risks.

OPPORTUNITIES FOR INSIGHT

As discussed throughout the chapter, IT is vital to an organization's success. The internal audit function can provide consulting services that help management deal with new IT risks as they emerge. Exhibit 7-6 describes 10 opportu-
