
Building an Effective IT Audit Function
Learning Objectives
At the end of this module, you should be able to
Define IT auditing
Discuss the historical drivers that motivated the development of IT auditing as a profession
Distinguish between the various roles that IT auditors often assume
Differentiate between assurance, attestation and consulting services
Discuss the different types of IT auditors, and their service sweet spots
What is IT Auditing: Definition
IT auditing can be defined as the evaluation of IT , practices, and operations to insure the integrity of an entity's information, and can include assessments of the efficiency, effectiveness and economy of computer-based practices.
Typically involves evaluating
confidentiality, integrity and availability of information systems
design and operating effectiveness of internal controls within the IT environment
efficiency and effectiveness of IT environment, processes and services
What is IT Auditing: Historical Drivers
Auditing around the system didn't lend itself to reliance on data
Auditing through the system provided comfort in operating effectiveness of controls
Rise of payroll systems / databases created questions in data accuracy
Security of data became more difficult to enforce / assess
Migration of business processes to IT platforms
Rise of networks and connectivity (at home and office)
Large amounts of data
Rise of hacker generation
What is IT Auditing: Role of the IT Auditor
IT Auditor as Advisor
counsel users and management on
best practices for IT governance and control
emerging IT trends and risks
IT project management practices
IT Auditor as Investigator
Forensics
IT Auditor as Objective Observer
validate and provide assurance on
ICoFR
compliance with laws and regulations
control objectives and assertions
What is IT Auditing: Services
Assurance Services
Consulting Services
Attestation
Audit / Examination
Agreed upon procedures
Review
What is IT Auditing: Services
Assurance Services represent a broad category of services that are designed to provide an objective, unbiased assessment. In an IT audit context, they tend to focus on improving the quality of financial and non-financial information for decision making
Attestation services are a subset of assurance services and represent an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. (SSAE No. 1)
require written assertions and a practitioner's written report
require formal establishment of measurement criteria or their description
are limited to examination, review, and application of agreed-upon procedures
What is IT Auditing: Services
Consulting Services are advisory in nature and involve the IT auditor providing advice or counsel on an agreed-upon basis
Opportunities for consulting services include
early involvement in IT projects
informal evaluations / gap analyses / post-mortems
knowledge sharing and education
self assessment facilitation
Role of IT Auditing: Overview
Role of IT Auditing: Types of IT Auditors
Generalists vs. Specialists
Generalists tend to have a working knowledge of network and infrastructure components (breadth) and an in-depth knowledge of business processes and IT governance
Sweet spot:
Working with financial auditors on ICoFR issues and planning
Business process audits
General Controls

Specialists tend to have in-depth knowledge of specific network and infrastructure components and a working knowledge (breadth) of business processes and IT governance
Sweet spot:
Technical components of application controls
Attack & Penetration
Technical components of networks and infrastructure

Role of IT Auditing: Types of IT Auditors
Internal vs. External
Internal IT Auditors focus on governance, risk and control as they relate to strategic, operations, reporting and compliance objectives

External IT Auditors focus primarily on factors relating to ICoFR, secondarily on governance, risk and control as they relate to strategic, operations, reporting and compliance objectives
Play critical role in audit support

Internal IT Auditors are usually employed by the organization they service, while External IT Auditors are usually employed by a public accounting firm
Insourcing, Cosourcing and Outsourcing arrangements
IT Auditors: Key Traits
Ability to dig into technical details without getting overwhelmed
Ability to quickly learn new technologies and associated risks
Balance between needing to know how and know why
Analytical skills
Communication skills
Relationship building skills
IT Auditors: Challenges and Certifications
Challenges
Understanding the business implications of technology
Understanding how IT risk translates to business / reporting / fraud risk
Balancing technical considerations with business considerations (GRCs)
Communicating with constituents
Being technical enough to talk to IT, and business enough to talk to line management / financial / ops auditors
Certifications
First Tier / Generalists
CPA, CIA, CISA
Specialists
CISSP, CISM, CRISC, CGEIT, PMP, C???
Summary
IT auditing is the evaluation of IT , practices, and operations to insure the integrity of an entity's information, and can include assessments of the efficiency, effectiveness and economy of computer-based practices.
There are various historical drivers which have influenced the development of the IT audit profession
IT auditors act primarily in three roles: advisor, investigator and objective observer
IT auditors can primarily provide assurance and consulting services, with attestation services being a subset of assurance services
IT auditors can be either generalists or specialists, internal or external
