565 DB 3

xxi

Introduction

INFORMATION IN THIS CHAPTER:

● Introduction to IT auditing ● Purpose and rationale for this book ● Intended use ● Key audiences ● Structure and content of the book ● Summary descriptions of each chapter

Introduction to IT auditing An audit is a systematic, objective examination of one or more aspects of an organization that compares what the organization does to a defined set of crite- ria or requirements. Information technology (IT) auditing examines processes, IT assets, and controls at multiple levels within an organization to determine the extent to which the organization adheres to applicable standards or requirements. Virtually, all organizations use IT to support their operations and the achievement of their mission and business objectives. This gives organizations a vested interest in ensuring that their use of IT is effective, that IT systems and processes operate as intended, and that IT assets and other resources are efficiently allocated and appro- priately protected. IT auditing helps organizations understand, assess, and improve their use of controls to safeguard IT, measure and correct performance, and achieve objectives and intended outcomes. IT auditing consists of the use of formal audit methodologies to examine IT-specific processes, capabilities, and assets and their role in enabling an organization’s business processes. IT auditing also addresses IT components or capabilities that support other domains subject to auditing, such as financial management and accounting, operational performance, quality assurance, and governance, risk management, and compliance (GRC).

IT audits are performed both by internal auditors working for the organization subject to audit and external auditors hired by the organization. The processes and procedures followed in internal and external auditing are often quite similar, but the roles of the audited organization and its personnel are markedly different. The audit criteria—the standards or requirements against which an organization is compared during an audit—also vary between internal and external audits and for audits of different types or conducted for different purposes. Organizations often engage in IT audits to satisfy legal or regulatory requirements, assess the operational effec- tiveness of business processes, achieve certification against specific standards, demonstrate compliance with policies, rules, or standards, and identify opportuni- ties for improvement in the quality of business processes, products, and services. Organizations have different sources of motivation for each type of audit and

xxii CHAPTER Introduction

different goals, objectives, and expected outcomes. This book explains all of these aspects of IT auditing, describes the establishment of organizational audit programs and the process of conducting audits, and identifies the most relevant standards, methodologies, frameworks, and sources of guidance for IT auditing.

Purpose and rationale The use of IT auditing is increasingly common in many organizations, to validate the effective use of controls to protect IT assets and information or as an element of GRC programs. IT auditing is a specialized discipline not only in its own right, with corresponding standards, methodologies, and professional certifications and experi- ence requirements, but it also intersects significantly with other IT management and operational practices. The subject matter overlap between IT auditing and network monitoring, systems administration, service management, technical support, and information security makes familiarity with IT audit policies, practices, and stand- ards essential for IT personnel and managers of IT operations and the business areas that IT supports. This book provides information about many aspects of IT audits in order to give readers a solid foundation in auditing concepts to help develop an understanding of the important role IT auditing plays in contributing to the achieve- ment of organizational objectives. Many organizations undergo a variety of IT audits, performed by both internal and external auditors, and each often accompanied by different procedures, methods, and criteria. This book tries to highlight the common- alities among audit types while identifying the IT perspectives and characteristics that distinguish financial, operational, compliance, certification, and quality audits.

Intended use This book describes the practice of IT auditing, including why organizations con- duct or are subject to IT audits, different types of audits commonly performed in different organizations, and ways internal and external auditors approach IT audits. It explains many fundamental characteristics of IT audits, the auditors who perform them, and the standards, methodologies, frameworks, and sources of guidance that inform the practice of auditing. This is not a handbook for conducting IT audits nor does it provide detailed instructions for performing any of the audit activities mentioned in the book. Auditors or other readers seeking prescriptive guidance on auditing will find references to many useful sources in this book, but should look elsewhere—potentially including the sources referenced below—for audit check- lists, protocols, or procedural guidance on different types of IT audits. This book is intended to give organizations and their employees an understanding of what to expect when undergoing IT audits and to explain some key points to consider that help ensure their audit engagements meet their objectives. By covering all major types of IT auditing and describing the primary drivers and contexts for IT audits in most organizations, this book complements more detailed but narrowly focused

xxiiiPurpose and Rationale

texts intended to guide or instruct auditors in the step-by-step procedural execution of audits. The following are among recently published books especially relevant to IT auditing:

● IT Auditing: Using Controls to Protect Information Assets (2nd edition) by Chris Davis and Mike Schiller emphasizes auditing practices applicable to different types of technologies and system components.

● Auditor’s Guide to IT Auditing (2nd edition) by Richard Cascarino provides broad coverage of IT audit concepts and practices applicable to information systems, organized and presented in the context of major IT management disciplines.

● IT Audit, Control, and Security by Robert Moeller highlights requirements, expectations, and considerations for auditors of IT systems stemming from prominent laws, frameworks, and standards.

● Information Technology Control and Audit (4th edition) by Sandra Senft, Frederick Gallegos, and Aleksandra Davis approaches IT auditing drawing largely on practice guidance and governance frameworks defined by ISACA, particularly including COBIT.

● The Operational Auditing Handbook: Auditing Business and IT Processes by Andrew Chambers and Graham Rand focuses on operational auditing and uses a process-based approach to describe auditing practices for different organizational functions.

● The ASQ Auditing Handbook (4th edition) edited by J.P. Russell offers prescriptive guidance for quality auditors, particularly those following the quality auditor body of knowledge defined by the American Society for Quality (ASQ) and its Certified Quality Auditor Certification Program.

Key audiences This book provides a treatment of IT auditing that emphasizes breadth rather than depth. Audit professionals engaged in performing IT audits have a variety of stand- ards, guidance, and prescriptive procedures for thoroughly and effectively con- ducting various types of IT audits. Auditors and other consulting or professional services practitioners who regularly conduct audits may find the information in this book useful as a point of reference, but will likely rely on more detailed, purpose- specific sources to assist them in their work. Auditors are important stakeholders in IT auditing, but only one of many groups involved in IT auditing or affected by how it is carried out. The material in this book is intended primarily to help develop an understanding of auditing purposes and practices to nonauditor groups such as operational and administrative personnel, managers, and IT program and project staff, all of whom may be required to furnish information to or otherwise support external or internal audits in their organizations. It also provides an explanation of IT auditing suitable for practitioners focused on other aspects of IT management or on the performance of functions supported by IT audits such as GRC, quality man- agement, continuous improvement, or information assurance.

xxiv CHAPTER Introduction

Structure and content This book could not hope to provide, and is not intended to be, a substitute for for- mal standards, protocols, and practice guidance relevant to IT auditing. What it does offer is a thorough introduction to many aspects of IT auditing and the role of IT audits within the broader context of other major forms of audits. The book is structured in a way that should be equally helpful to readers looking for informa- tion on a specific audit-related subject or for those interested in developing a more general understanding of the IT audit discipline. The material in the early chap- ters focuses on describing why organizations undergo different types of audits and what characteristics distinguish those types of audits from each other. References provided in each chapter, in addition to the information in the last two chapters in the book, should help direct readers to authoritative sources of guidance on vari- ous aspects of auditing and to the major standards organizations and professional associations shaping the evolution of the field. This book does not recommend a particular approach or methodology, but instead highlights the similarities among many of the most prominent frameworks, methodologies, processes, and standards in the hope that readers will recognize the basic aspects of IT auditing in any real- world context.

A brief summary of each chapter follows.

Chapter 1: IT Audit Fundamentals Chapter 1 establishes a foundation for the rest of the material in the book by defin- ing auditing and related key terms and concepts and explaining the nature and rationale for IT auditing in different organizations, differentiating internal from external audits in terms of the reasons and requirements associated with each per- spective. It also identifies organizations and contexts that serve as the subject of IT audit activities and describes the individuals and organizations that perform audits.

Chapter 2: Auditing in Context Chapter 2 emphasizes the practical reality that IT auditing often occurs as a compo- nent of a wider-scope audit not limited to IT concerns alone, or a means to support other organizational processes or functions such as GRC, certification, and quality assurance. Audits performed in the context of these broader programs have different purposes and areas of focus than stand-alone IT-centric audits, and offer different benefits and expected outcomes to organizations.

Chapter 3: Internal Auditing Chapter  3 focuses on internal IT auditing, meaning audits conducted under the direction of an organization’s own audit program and typically using auditors who are employees of the organization under examination. This chapter highlights the

xxvStructure and Content

primary reasons why organizations undergo internal audits, including drivers of mandatory and voluntary audit activities. It also describes some of the benefits and challenges associated with internal auditing and characterizes the role, experience, and career path of internal IT audit personnel.

Chapter 4: External Auditing Chapter  4 provides a direct contrast to Chapter  3 by addressing external auditing, which bears many similarities to internal auditing but is, by definition, conducted by auditors and audit firms wholly separate from the organization being audited. This chapter identifies the key drivers for external audits, explains the role of inter- nal staff in preparing for and supporting external audits, and describes benefits and challenges often encountered by organizations subject to such audits. Because audited organizations often have to choose their external auditors, the chapter also discusses the process of selecting an auditor, the registration requirements applica- ble to auditors in many countries, and key auditor qualifications.

Chapter 5: Types of Audits Chapter  5 offers an overview of the major types of audits organizations undergo, including financial, operational, certification, compliance, and quality audits in addition to IT-specific audits. For each type of audit, the chapter explains charac- teristics such as audit rationale, areas of focus, suitability for internal and external auditing approaches, applicable standards and guidance, and anticipated outcomes.

Chapter 6: IT Audit Components The IT domain is too broad to easily address as a whole, whether the topic is audit- ing, governance, operations, or any other key functions that organizations manage about their IT resources. Chapter 6 breaks down IT and associated controls into dif- ferent categories—reflecting decomposition approaches commonly used in IT audit methodologies and standards—to differentiate among IT audit activities focused on different IT components. The material in this chapter addresses technical as well as nontechnical categories, describing different technologies and architectural layers, key processes and functions, and aspects of IT programs and projects that are also often subject to audits.

Chapter 7: IT Audit Drivers Chapter 7 describes key types of external and internal drivers influencing organiza- tions’ approaches to IT auditing, including major legal and regulatory requirements as well as motivating factors such as certification, quality assurance, and opera- tional effectiveness. This chapter summarizes the audit-related provisions of major U.S. and international laws governing publicly traded firms and organizations in

xxvi CHAPTER Introduction

regulated industries such as financial services, health care, energy, and the public sector. It also explains the motivation provided by internally developed strategies, management objectives, and initiatives on the ways organizations structure their internal audit programs and external audit activities.

Chapter 8: IT Audit Process The IT audit process description provided in Chapter 8 explains in detail the steps organizations and auditors follow when performing audits. Although there is no single accepted standard process applicable in all contexts, most methodologies, frameworks, standards, and authoritative guidance on auditing share many common activities and process attributes, often traceable to the familiar plan-do-check-act (PDCA) model originally developed for quality improvement purposes. Chapter  8 focuses on the activities falling within the generic process areas of audit plan- ning, audit evidence collection and review, analysis and reporting of findings, and responding to findings by taking corrective action or capitalizing on opportunities for improvement.

Chapter 9: Methodologies and Frameworks Although the high-level process of auditing is very similar across organizations, industries, audit purposes, and geographies, there is a wide variety of methodolo- gies and control and process frameworks available for organizations and individual auditors to apply when performing audits. Almost all external auditors follow one or more of these approaches and many organizations choose to adopt established methodologies and frameworks as an alternative to developing their own. Chapter 9 presents the best-known and most widely adopted methodologies and frameworks, including those focused explicitly on auditing as well as those intended to support IT governance, IT management, information security, and control assessment.

Chapter 10: Audit-Related Organizations, Standards, and Certifications There are many standards development bodies and other types of organizations that produce and promote standards relevant to IT auditing and that offer professional certifications for individuals engaged in auditing or related disciplines. Chapter 10 identifies the most prominent organizations and summarizes their contributions to available standards and certifications.