
INTRODUCTION

An information technology (IT) audit, or information systems audit, is an examination of the controls within an IT infrastructure. The evaluation of the evidence obtained determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation engagement. IT audits are also known as automated data processing (ADP) audits and computer audits; they were formerly called electronic data processing (EDP) audits. An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the design and effectiveness of the system's internal controls. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
LITERATURE REVIEW

History of IT Auditing
The concept of IT auditing was formed in the mid-1960s. Since
that time, IT auditing has gone through numerous changes, largely
due to advances in technology and the incorporation of technology
into business.

Services provided by the information systems audit function

IT Governance
IT governance audits review how the organization discharges its fiduciary responsibility for the quality of IT service delivery, how IT is aligned with business objectives, and whether an adequate system of internal controls has been established.

Information Systems
Information systems audits focus on the physical and logical security controls of servers, including change control, administration of server accounts, system logging and monitoring, incident handling, system backup and disaster recovery.

Integrated Audits
Integrated audits review business operations and their dependence on automated systems to support the business process. Information technology, financial and operational processes are treated as mutually dependent in establishing an effective and efficient control environment. From the technology perspective, the audit focuses on application controls, administration of user access, application change control, and backup and recovery, to provide assurance over the reliability, integrity and availability of the data.

Control Self-assessments
Control self-assessments are designed for departments that manage and operate a technology environment. These self-assessment tools can be used to identify potential areas of control weakness in the management of that environment.

Compliance
Compliance audits cover University policies and procedures, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Family Educational Rights and Privacy Act (FERPA).
ANALYSIS & DISCUSSION

Types of IT audits
Various authorities have created differing taxonomies to
distinguish the various types of IT audits. Goodman & Lawless
state that there are three specific systematic approaches to carry out
an IT audit:

• Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit assesses the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product.

• Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.

• Technological position audit. This audit reviews the technologies that the business currently has and those that it needs to add. Technologies are characterized as being either "base", "key", "pacing", or "emerging".
Others describe the spectrum of IT audits using five categories:

• Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
• Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
• Systems Development: An audit to verify that the systems under development meet the objectives of the organization and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
• Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
• Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that controls are in place on the client (the computer receiving services), the server, and the network connecting the clients and servers.

And some lump all IT audits as being one of only two types:
"general control review" audits or "application control review"
audits.

A number of IT audit professionals from the information assurance realm consider there to be three fundamental types of controls regardless of the type of audit to be performed, especially in the IT realm. Many frameworks and standards break controls into different disciplines or arenas, terming them security controls, access controls or IA controls, in an effort to define the types of controls involved. At a more fundamental level, these can be shown to consist of three types of control: protective/preventive controls, detective controls and reactive/corrective controls.

IT Audit Process
The following are the basic steps in performing the IT audit process:

1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up

AUDIT TOOLS

Audit trail: a record showing who has accessed a computer system and what operations he or she has performed during a given period of time. Audit trails are useful both for maintaining security and for recovering lost transactions. Most accounting systems and database management systems include an audit trail component. In addition, there are separate audit trail software products that enable network administrators to monitor use of network resources. In the data-processing sense, an audit trail is also a system that provides a means for tracing items of data from processing step to step, particularly from a machine-produced report or other machine output back to the original source data.
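The two uses of an audit trail described above (who did what during a period, and tracing a report back to its source data) can be exercised on a small log. The following Python is an added example, not code from the original page; the key=value line format, the sample log lines, the internal address range 10.0.0.0/8 and the 07:00 to 18:59 UTC business window are all constructed assumptions for illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample audit trail (assumed format: timestamp then key=value pairs).
SAMPLE_LOG = """\
2024-03-04T09:15:22Z user=alice action=CREATE object=order:7 src=10.0.0.5
2024-03-04T09:16:01Z user=alice action=UPDATE object=order:7 field=amount old=100 new=1000 src=10.0.0.5
2024-03-04T09:20:45Z user=batch action=POST object=ledger:301 derived_from=order:7 src=10.0.0.9
2024-03-04T17:05:10Z user=batch action=GENERATE object=report:Q1 derived_from=ledger:301 src=10.0.0.9
2024-03-04T18:30:00Z user=bob action=READ object=report:Q1 src=10.0.0.7
2024-03-05T02:11:09Z user=alice action=DELETE object=order:7 src=203.0.113.44
this line is corrupt and must be counted, not silently dropped
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
BUSINESS_HOURS = range(7, 19)                        # assumed 07:00-18:59 UTC
REQUIRED = ("user", "action", "object")


def parse_ts(text):
    """Parse the sample log's timestamp format into an aware UTC datetime."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return an event dict, or None if the line is malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        event = {"ts": parse_ts(parts[0])}
    except ValueError:
        return None
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        event[key] = value
    if any(k not in event for k in REQUIRED):
        return None
    return event


def parse_log(text):
    """Return (events sorted by time, count of rejected lines).
    Rejected lines are counted: a gap in the trail is itself a finding."""
    events, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            rejected += 1
        else:
            events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events, rejected


def actions_by_user(events, start, end):
    """Who did what in the half-open window [start, end); bounds in log format."""
    lo, hi = parse_ts(start), parse_ts(end)
    result = {}
    for e in events:
        if lo <= e["ts"] < hi:
            result.setdefault(e["user"], []).append((e["action"], e["object"]))
    return result


def trace_to_source(events, obj):
    """Follow derived_from links backwards from a report to its source record.
    Returns (lineage from source to obj, all events touching the chain)."""
    chain, seen, current = [obj], {obj}, obj
    while True:
        parents = [e["derived_from"] for e in events
                   if e["object"] == current and "derived_from" in e]
        if not parents or parents[0] in seen:  # no parent, or a cycle
            break
        current = parents[0]
        chain.append(current)
        seen.add(current)
    return list(reversed(chain)), [e for e in events if e["object"] in seen]


def flag_anomalies(events):
    """Flag events outside business hours or from outside the internal network."""
    flagged = []
    for e in events:
        reasons = []
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        try:
            if ipaddress.ip_address(e.get("src", "")) not in INTERNAL_NET:
                reasons.append("external-source")
        except ValueError:
            reasons.append("no-source-address")
        if reasons:
            flagged.append({"user": e["user"], "action": e["action"],
                            "object": e["object"], "reasons": reasons})
    return flagged
```

Running `parse_log(SAMPLE_LOG)` yields six events and one rejected line; `trace_to_source(events, "report:Q1")` returns the lineage order:7 → ledger:301 → report:Q1, and `flag_anomalies` singles out the 02:11 DELETE from an external address, which is the kind of entry an auditor would pull for follow-up.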
AUDIT PLANNING

Planning the audit is an important step in conducting the audit. The auditor uses different planning methods to determine the risk assessment, the assessment of internal controls, and so on. The auditor, whether internal or external, cannot complete all aspects of the audit in one year, so the audit is planned in such a way that the whole audit universe is covered over a period of time.

In the case of internal audit, the risk assessment provides a better picture of the areas which need to be audited; for external auditors, material items such as high accounts receivable, frauds detected during the year, and the assessment of previous years' audit reports drive the plan.

The audit plan is usually prepared at the beginning of the assignment and is shared with management so that the auditees are available during the period of the audit.

AUDIT RISK
Audit risk is the risk that the auditor issues an unqualified (clean) opinion on financial statements that are materially misstated. Acceptable audit risk is the level of that risk the auditor is willing to accept once the audit is completed. If the auditor decides to lower acceptable audit risk, it means that he wants to be more certain that the financial statements are not materially misstated, which calls for more evidence and more extensive testing. The same reasoning carries over to IS audit: the auditor fixes the level of assurance required and then plans the nature and extent of control testing accordingly.

AUDIT REPORT
Audit report/evaluation report/assessment report: (i) the document prepared following a quality-assessment peer review team site visit, which is generally focused on institutional quality, academic standards, learning infrastructure, and staffing. The report about an institution describes the quality assurance (QA) arrangements of the institution and the effects of these arrangements on the quality of its programmes. The audit report is made available to the institution, first in draft form for initial comments, and then in its final, official form. It contains, among other things, a description of the audit method, the findings, the auditors' conclusions, and various appendices listing the questions asked. In Europe, the document is often called an "evaluation report" or an "assessment report". (ii) Such a report may also be prepared about an accreditation agency, describing its quality assurance arrangements and the effect of these arrangements on the quality of the programmes in the institutions for which it is responsible.

Information systems audit is a part of the overall audit process, which is one of the
facilitators for good corporate governance. While there is no single universal definition of
IS audit, Ron Weber has defined it (EDP auditing--as it was previously called) as "the
process of collecting and evaluating evidence to determine whether a computer system
(information system) safeguards assets, maintains data integrity, achieves organizational
goals effectively and consumes resources efficiently."1

Information systems are the lifeblood of any large business. Unlike in years past, computer systems do not merely record business transactions but actually drive the key business processes of the enterprise. In such a scenario, senior management and business managers have legitimate concerns about information systems, and the purpose of IS audit is to review these concerns and provide feedback, assurance and suggestions. The concerns can be grouped under three broad heads:

1. Availability: Will the information systems on which the business is heavily dependent be available for the business at all times when required? Are the systems well protected against all types of losses and disasters?
2. Confidentiality: Will the information in the systems be disclosed only to those who have a need to see and use it and not to anyone else?
3. Integrity: Will the information provided by the systems always be accurate, reliable and timely? What ensures that no unauthorized modification can be made to the data or the software in the systems?

[Author's note: Of course there are other concerns that IS audit should look at, such as
effectiveness, efficiency, value for money, return on investment, culture and people
related issues. Such concerns will be addressed in IT Audit Basics columns in future
issues of the Journal in 2002.]
Elements of IS Audit
An information system is not just a computer. Today's information systems are complex and have many components that fit together to make a business solution. Assurance about an information system can be obtained only if all the components are evaluated and secured: the chain is only as strong as its proverbial weakest link. The major elements of IS audit can be broadly classified as follows:

1. Physical and environmental review: This includes physical security, power supply, air conditioning, humidity control and other environmental factors.
2. System administration review: This includes a security review of the operating systems, database management systems, all system administration procedures and compliance.
3. Application software review: The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software, and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.
4. Network security review: Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
5. Business continuity review: This includes the existence and maintenance of fault-tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.
6. Data integrity review: The purpose of this is scrutiny of live data to verify the adequacy of controls and the impact of any weaknesses noticed in the above reviews. Such substantive testing can be done using computer-assisted audit techniques (CAATs) such as generalized audit software.

All these elements need to be addressed to present to management a clear assessment of the system. For example, application software may be well designed and implemented with all the security features, but the default super-user password in the operating system used on the server may not have been changed, thereby allowing someone to access the data files directly. Such a situation negates whatever security is built into the application. Likewise, firewalls and technical system security may have been implemented very well, but the role definitions and access controls within the application software may have been so poorly designed and implemented that, using their own user IDs, employees may get to see critical and sensitive information far beyond their roles.
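Both failure modes in the paragraph above are things a system administration review and an application software review can test mechanically. The following Python is an added example, not code from the original page: it checks constructed /etc/passwd and /etc/shadow style content for accounts that bypass the operating system's password control (a second UID 0 account, an empty password field, two accounts sharing one password hash), then checks a constructed application role catalogue and user grant list for entitlements beyond the assigned role and for segregation-of-duties conflicts. The account names, hashes, roles and permission names are all assumptions. Note that whether a vendor default password is still set cannot be read from a hash alone; that check needs the vendor's documented default and a login attempt or a comparison against the known default hash, which this example does not do.

```python
# Constructed /etc/passwd and /etc/shadow content for a fictional host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:0:0:second root:/root:/bin/bash
svc_backup:x:1001:1001:backup job:/var/backups:/bin/sh
guest:x:1002:1002:guest:/home/guest:/bin/bash
"""
SHADOW = """\
root:$6$Zq1xR7$notARealHashValue:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
admin:$6$Zq1xR7$notARealHashValue:19700:0:99999:7:::
svc_backup::19700:0:99999:7:::
guest:!:19700:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "last", "min", "max", "warn", "inactive", "expire", "reserved")

# Constructed application role catalogue and user grants (hypothetical names).
ROLE_CATALOGUE = {
    "clerk": {"invoice.read", "invoice.create"},
    "approver": {"invoice.read", "invoice.approve"},
    "auditor": {"invoice.read", "ledger.read"},
}
SOD_CONFLICTS = [("invoice.create", "invoice.approve")]  # one person must not hold both
USER_GRANTS = {
    "alice": {"role": "clerk", "perms": {"invoice.read", "invoice.create"}},
    "bob": {"role": "clerk", "perms": {"invoice.read", "invoice.create",
                                       "invoice.approve", "payroll.read"}},
    "carol": {"role": "auditor", "perms": {"invoice.read", "ledger.read"}},
}


def parse_colon_file(text, fields):
    """Parse passwd/shadow style lines into {account: {field: value}}."""
    rows = {}
    for line in text.splitlines():
        if line.strip():
            rows[line.split(":")[0]] = dict(zip(fields, line.split(":")))
    return rows


def review_os_accounts(passwd_text, shadow_text):
    """Return sorted (account, finding) pairs for OS-level account weaknesses."""
    passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_colon_file(shadow_text, SHADOW_FIELDS)
    findings, hash_owners = [], {}
    for name, p in passwd.items():
        if p["uid"] == "0" and name != "root":
            findings.append((name, "uid0-not-root"))  # a second superuser account
        entry = shadow.get(name)
        if entry is None:
            findings.append((name, "no-shadow-entry"))
            continue
        h = entry["hash"]
        interactive = p["shell"] not in NOLOGIN_SHELLS
        if h == "" and interactive:
            findings.append((name, "empty-password"))  # login with no password
        elif h and h[0] not in "!*":                    # not a locked account
            hash_owners.setdefault(h, []).append(name)
    for names in hash_owners.values():
        if len(names) > 1:                              # same salt+hash: same password
            findings.extend((n, "shared-password-hash") for n in names)
    return sorted(findings)


def excess_entitlements(catalogue, grants):
    """Permissions each user holds beyond what the assigned role allows."""
    excess = {}
    for user, g in grants.items():
        extra = set(g["perms"]) - catalogue.get(g["role"], set())
        if extra:
            excess[user] = extra
    return excess


def sod_conflicts(grants, conflicts):
    """Users holding both halves of a segregation-of-duties conflict pair."""
    hits = {}
    for user, g in grants.items():
        found = [pair for pair in conflicts if set(pair) <= set(g["perms"])]
        if found:
            hits[user] = found
    return hits
```

On the constructed data, the OS review reports `admin` as a second UID 0 account sharing root's password hash and `svc_backup` as loginable without a password, while the application review reports that `bob` holds `invoice.approve` and `payroll.read` outside his clerk role and can both create and approve invoices. Each finding maps to one of the two failure modes the paragraph describes.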

It is important to understand that each audit may consist of these elements in varying
measures; some audits may scrutinize only one of these elements or drop some of these
elements. While the fact remains that it is necessary to do all of them, it is not mandatory
to do all of them in one assignment. The skill sets required for each of these are different.
The results of each audit need to be seen in relation to the other. This will enable the
auditor and management to get the total view of the issues and problems. This overview
is critical.

Risk-based Approach
Every organization uses a number of information systems. There may be different
applications for different functions and activities and there may be a number of computer
installations at different geographical locations.

The auditor is faced with the questions of what to audit, when and how frequently. The
answer to this is to adopt a risk-based approach.

While there are risks inherent to information systems, these risks impact different
systems in different ways. The risk of nonavailability even for an hour can be serious for
a billing system at a busy retail store. The risk of unauthorized modification can be a
source of frauds and potential losses to an online banking system. A batch processing
system or a data consolidation system may be relatively less vulnerable to some of these
risks. The technical environments on which the systems run also may affect the risk
associated with the systems.

The steps that can be followed for a risk-based approach to making an audit plan are:

1. Inventory the information systems in use in the organization and categorize them.
2. Determine which of the systems impact critical functions or assets, such as
money, materials, customers, decision making, and how close to real time they
operate.
3. Assess what risks affect these systems and the severity of impact on the business.
4. Rank the systems based on the above assessment and decide the audit priority,
resources, schedule and frequency.

The auditor then can draw up a yearly audit plan that lists the audits that will be
performed during the year, as per a schedule, as well as the resources required.
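The four steps above can be carried out as a small scoring exercise. The following Python is an added example, not code from the original page: it takes a constructed inventory, scores each system from its confidentiality, integrity and availability impact and its likelihood of compromise (with the page's real-time observation expressed as a multiplier, plus a multiplier for internet exposure), ranks the systems, and derives an audit frequency and yearly effort. The system names, the 1 to 3 rating scale, the multipliers, the frequency thresholds and the effort figures are all assumptions chosen for illustration.

```python
# Constructed inventory (step 1). Ratings run from 1 (low) to 3 (high).
INVENTORY = [
    {"name": "online-banking", "category": "application", "assets": ["money", "customers"],
     "impact": {"C": 3, "I": 3, "A": 3}, "likelihood": 3,
     "real_time": True, "internet_facing": True, "audit_days": 15},
    {"name": "retail-billing", "category": "application", "assets": ["money", "customers"],
     "impact": {"C": 2, "I": 2, "A": 3}, "likelihood": 2,
     "real_time": True, "internet_facing": False, "audit_days": 8},
    {"name": "hr-payroll", "category": "application", "assets": ["money", "people"],
     "impact": {"C": 3, "I": 3, "A": 1}, "likelihood": 2,
     "real_time": False, "internet_facing": False, "audit_days": 6},
    {"name": "intranet-wiki", "category": "infrastructure", "assets": ["documents"],
     "impact": {"C": 1, "I": 1, "A": 1}, "likelihood": 2,
     "real_time": False, "internet_facing": True, "audit_days": 2},
    {"name": "nightly-consolidation", "category": "batch", "assets": ["decision making"],
     "impact": {"C": 1, "I": 2, "A": 1}, "likelihood": 1,
     "real_time": False, "internet_facing": False, "audit_days": 4},
]

REAL_TIME_FACTOR = 1.5    # assumed: an hour of outage hurts a real-time system more
INTERNET_FACTOR = 1.25    # assumed: exposed systems face more attack traffic
# (minimum score, label, audits per year); checked top down.
FREQUENCY_TIERS = [(30, "quarterly", 4), (15, "semi-annual", 2),
                   (8, "annual", 1), (0, "biennial", 0.5)]
VALID_RATINGS = (1, 2, 3)


def risk_score(system):
    """Step 3: severity of impact times likelihood, adjusted for exposure."""
    for key in ("C", "I", "A"):
        if system["impact"][key] not in VALID_RATINGS:
            raise ValueError(f"{system['name']}: impact {key} must be 1..3")
    if system["likelihood"] not in VALID_RATINGS:
        raise ValueError(f"{system['name']}: likelihood must be 1..3")
    score = float(sum(system["impact"].values()) * system["likelihood"])
    if system["real_time"]:
        score *= REAL_TIME_FACTOR
    if system["internet_facing"]:
        score *= INTERNET_FACTOR
    return score


def frequency_for(score):
    """Map a score onto an audit frequency tier."""
    for threshold, label, per_year in FREQUENCY_TIERS:
        if score >= threshold:
            return label, per_year
    raise AssertionError("tiers must end with a zero threshold")


def build_audit_plan(inventory):
    """Step 4: rank systems by score and attach frequency and yearly effort."""
    plan = []
    for system in inventory:
        score = risk_score(system)
        label, per_year = frequency_for(score)
        plan.append({
            "name": system["name"],
            "category": system["category"],
            "score": round(score, 2),
            "frequency": label,
            "days_per_year": system["audit_days"] * per_year,
        })
    plan.sort(key=lambda row: (-row["score"], row["name"]))
    return plan


def yearly_effort(plan):
    """Total auditor-days the yearly plan requires."""
    return sum(row["days_per_year"] for row in plan)
```

With these inputs the plan ranks online-banking first (quarterly), then retail-billing (semi-annual), hr-payroll (annual), and the wiki and the batch consolidation job last (biennial), for 85 auditor-days a year; changing a multiplier or a threshold and re-running shows how sensitive the schedule is to the assumptions, which is worth documenting in the plan itself.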

The Audit Process

The preparation before commencing an audit involves collecting background information
and assessing the resources and skills required to perform the audit. This enables staff
with the right kind of skills to be allotted to the right assignment.

It always is a good practice to have a formal audit commencement meeting with the
senior management responsible for the area under audit to finalize the scope, understand
the special concerns, if any, schedule the dates and explain the methodology for the audit.
Such meetings get senior management involved, allow people to meet each other, clarify
issues and underlying business concerns, and help the audit to be conducted smoothly.
Similarly, after the audit scrutiny is completed, it is better to communicate the audit
findings and suggestions for corrective action to senior management in a formal meeting
using a presentation. This will ensure better understanding and increase buy-in of audit
recommendations. It also gives auditees an opportunity to express their viewpoints on the
issues raised. Writing a report after such a meeting where agreements are reached on all
audit issues can greatly enhance audit effectiveness.

METHODOLOGY & TOOLS FOR IS AUDIT

Information systems audit and computer forensics have each developed their own set of standards, based on separate disciplines of knowledge. In this paper we analyse the tools and methodology used by IS auditors and computer forensic experts in the contemporary world, with a focus on the emerging similarities between their needs and goals. We demonstrate the benefits that could be derived from increased convergence of the tools and methodology used in both areas, and we discuss possible modifications to existing tools and methodology to fulfil this goal.
ISA GROUP

The Information Systems (IS) audit group assesses the University's critical systems, technology architecture and processes to provide assurance that information assets are protected, reliable, available and compliant with University policies and procedures, as well as applicable laws and regulations. We emphasize the importance of mitigating security risks in our audit coverage of the University's application, operating and networking systems. Through our integrated and IT governance audits, we evaluate information technology's impact on the University's processes and its ability to achieve its goals and objectives. Our evaluations are objective and professional, using the COBIT (Control Objectives for Information and related Technology) framework, an internationally recognized framework for good IT control practices.
