When it comes to computer security, the role of auditors has never been more crucial. Auditors must ensure that all computers, in particular those supporting e-business, are secure. As the only single source covering the combined areas of computer audit, control, and security, IT Audit, Control, and Security describes the types of internal controls, security, and integrity procedures that management must build into its automated systems. This timely book gives auditors the guidance they need to ensure that their systems are secure against both internal and external threats.
IT Audit, Control, and Security by Robert R. Moeller is available in PDF and/or ePUB format, alongside other titles in Business & Accounting.
PART ONE Auditing Internal Controls in an IT Environment
CHAPTER ONE SOx and the COSO Internal Controls Framework
THE CONCEPT OF INTERNAL controls assessments has been around since the inception of auditing and has been an important concept going back to the early days of information technology (IT) auditing. Although there have been many definitions of internal controls, a good one for IT auditors is that internal control is a process, effected by an entity’s board of directors, management, and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives in the categories of effectiveness and efficiency of operations, reliability of an enterprise’s financial reporting, and an enterprise’s systems and process compliance with laws and regulations. This well-recognized definition was established by the U.S. Committee of Sponsoring Organizations (COSO), an internal controls standards-setting authority that we will be discussing further in this chapter.
Audit professionals are responsible for reviewing and assessing enterprise management controls. Internal auditors do not construct and administer these controls—that is the responsibility of management. Auditors, acting as independent parties, both review and perform tests of enterprise internal controls to report to management and other parties whether they are adequate. These reviewers consist of both internal and external auditors, with external auditors in the United States following the rules and standards of the American Institute of Certified Public Accountants (AICPA). Internal auditors follow a similar but different set of standards and generally subscribe to the guidelines of the Institute of Internal Auditors (IIA), their international professional organization.
Both of these audit organizations have heritages going back to paper-and-pencil days, before today’s pervasive use and reliance on IT systems and processes. Over the years, the Information Systems Audit and Control Association (ISACA) and its IT audit professionals have provided guidance for IT-related internal controls. IT auditors serve in both external and internal audit roles, although most professionals may serve as internal auditors for their enterprises.
This chapter outlines the role of an IT auditor, particularly an IT internal auditor, in today’s business enterprise. In addition, the chapter discusses two important IT audit concepts: the COSO internal control standards and the Sarbanes-Oxley Act (SOx) internal control review rules. Both COSO internal controls and SOx started as U.S. internal controls guidance rules but have become worldwide standards. They both had their origins as general financial and operations review standards and are now very applicable to IT audit environments as well.
Today’s IT auditor must understand and use the COSO internal controls framework and SOx internal controls review procedures. Although these rules and procedures have origins in financial reporting and auditing, in today’s IT-centric world, COSO internal controls and SOx are equally important to IT auditors. Enterprises need to follow these rules in order to assert or attest to regulators that their organizations have effective internal controls in place and that they are operating in compliance with those newer rules. The chapters in this volume rely on the internal control rules and procedures as we discuss a wide range of other IT audit, control, and security topics.
ROLES AND RESPONSIBILITIES OF IT AUDITORS
Much of this chapter and others focuses on the roles and responsibilities of an internal audit specialist, whom we call an IT or information systems auditor. Although sometimes serving as a member of a public accounting firm or outside consulting organization, IT auditors are generally members of an enterprise internal audit organization. An internal audit group is led by a manager with the title of chief audit executive (CAE) and is staffed by internal auditors with skills in reviewing and understanding operational and financial controls as well as compliance and regulatory issues impacting the enterprise. With IT processes and tools so pervasive in today’s enterprise, all internal auditors should have a good understanding of IT controls and processes, but many internal audit functions require the skills of what we are calling an IT auditor.1
Traditional internal auditors always have had skills in understanding, testing, and evaluating what were once traditional paper-based controls and procedures. Starting in the 1970s, as enterprises started to build and implement more and more computer-based applications, they needed internal audit specialists who understood the new systems. Thus the role of the IT auditor was born.
The field was once called electronic data processing (EDP) auditing. Its practitioners are now sometimes known as information systems (IS) auditors or computer audit specialists; however, we use the expression IT auditor throughout this book. An IT auditor is a specialist who follows the standards and principles of the IIA and often is a member of ISACA as well. There are many recognized specialist skills here, including the IT security procedures discussed in Chapter 19 and IT auditors skilled in computer-assisted audit tools and techniques (CAATTs), but most IT auditors are expected to have a strong general set of skills in evaluating IT-based internal controls. Exhibit 1.1 is a position description for a typical senior IT auditor.
EXHIBIT 1.1 IT Auditor Job Description
Auditor, Information Systems
JOB DESCRIPTION
Job Summary: Under direction of the Chief Audit Executive (CAE) and internal audit management, audits, reviews, tests, and evaluates IT-based applications and control procedures and reviews electronic security over the enterprise IT services network.
CHARACTERISTIC JOB TASKS AND RESPONSIBILITIES
May include any and/or all of the following:
Designs technology-based audit approaches; analyzes and evaluates enterprise IT processes to assess internal controls and minimize risks; performs risk analysis of the enterprise’s information technology infrastructure and services network; evaluates the possible risks of various computer systems; prepares reports documenting findings and risk assessments; evaluates management responses to findings and risk assessments.
Works independently or with other members of internal audit to review enterprise internal controls, following the COSO internal controls framework.
Examines the effectiveness of the information security policies and procedures; identifies inadequacies within the exis...
Table of contents
Cover
Contents
Title Page
Copyright
Dedication
Introduction
PART ONE: Auditing Internal Controls in an IT Environment
PART TWO: Auditing IT General Controls
PART THREE: Auditing and Testing IT Application Controls