This chapter gives a broad overview of IT auditing, explaining what auditing is, why auditing is performed, the subjects of audits, and who conducts audits, and defining key terms and concepts referenced throughout the book. It seeks to answer the basic questions someone new to IT auditing would ask—the who, what, when, where, and why—and subsequently sets up more detailed chapters that go into more depth as to how auditing is done. This chapter distinguishes between internal and external auditing in terms of the purposes, rationale, and requirements for each and carries this distinction through to the types of organizations and auditors involved. It also describes the various career paths and professional development activities associated with developing IT auditors.
Auditing IT differs in significant ways from auditing financial records, general operations, or business processes. Each of these auditing disciplines, however, shares a common foundation of auditing principles, standards of practice, and high-level processes and activities. IT auditing is also a component of other major types of auditing, as illustrated conceptually in Figure 1.1. To the extent that financial and accounting practices in audited organizations use IT, financial audits must address technology-based controls and their contribution to effectively supporting internal financial controls. Operational audits examine the effectiveness of one or more business processes or organizational functions and the efficient use of resources in support of organizational goals and objectives. Information systems and other technology represent key resources often included in the scope of operational audits. Quality audits apply to many aspects of organizations, including business processes or other operational focus areas, IT management, and information security programs and practices. A common set of auditing standards, principles, and practices informs these types of auditing, centered as they are on an organization’s internal controls. IT auditing, however, exhibits a greater breadth and variety than financial, operational, or quality auditing alone in the sense that it not only represents an element of other major types of audits but also comprises many different approaches, subject matter areas, and perspectives corresponding to the nature of an organization’s IT environment, governance model, and audit objectives.
Figure 1.1 IT auditing has much in common with other types of audit and overlaps in many respects with financial, operational, and quality audit practices.
What is IT auditing?
An audit is often defined as an independent examination, inspection, or review. While the term applies to evaluations of many different subjects, the most frequent usage is with respect to examining an organization’s financial statements or accounts. In contrast to conventional dictionary definitions and sources focused on the accounting connotation of audit, definitions used by broad-scope audit standards bodies and in IT auditing contexts neither constrain nor presume the subject to which an audit applies. For example, the International Organization for Standardization (ISO) guidelines on auditing use the term audit to mean a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled” [1] and the Information Technology Infrastructure Library (ITIL) glossary defines audit as “formal inspection and verification to check whether a standard or set of guidelines is being followed, that records are accurate, or that efficiency and effectiveness targets are being met [2].” Such general interpretations are well suited to IT auditing, which comprises a wide range of standards, requirements, and other audit criteria corresponding to processes, systems, technologies, or entire organizations subject to IT audits.
It is important to use “IT” to qualify IT audit and distinguish it from the more common financial connotation of the word audit used alone. Official definitions emphasizing the financial context appear in many standards and even in the text of the Sarbanes–Oxley Act, which defines audit to mean “the examination of financial statements of any issuer” of securities (i.e., a publicly traded company) [3]. The Act also uses both the terms evaluation and assessment when referring to required audits of companies’ internal control structure and procedures. When developing IT audit plans and other materials that reference standards, principles, processes, or other prescriptive guidance for conducting IT audits, it helps to be specific, particularly if the audience for such documentation extends beyond IT auditors or other IT-focused personnel.
The definitions cited above also emphasize a characteristic that differentiates audits from other types of evaluations or assessments by referring to explicit criteria that provide the basis for comparison between what is expected or required in an organization and what is actually observed or demonstrated through evidence. Words like assessment, evaluation, and review are often used synonymously with the term audit and while it is certainly true that an audit is a type of evaluation, some specific characteristics of auditing distinguish it from concepts implied by the use of more general terms. An audit always has a baseline or standard of reference against which the subject of the audit is compared. An audit is not intended to check on the use of best practices or (with the possible exception of operational audits) to see if opportunities exist to improve or optimize processes or operational characteristics. Instead, there is a set standard providing a basis for comparison established prior to initiating the audit. Auditors compare the subjects of the audit—processes, systems, components, software, or organizations overall—explicitly to that predefined standard to determine if the subject satisfies the criteria. Audit determinations tend to be more binary than results of other types of assessments or evaluations, in the sense that a given item either meets or fails to meet applicable requirements—auditors often articulate audit findings in terms of controls’ conformity or nonconformity to criteria [1]. Audit findings identify deficiencies where what the auditor observes or discovers through analysis of audit evidence differs from what was expected or required such that the audit subject cannot satisfy a requirement.
In contrast, a typical assessment might have a quantitative (i.e., score) or qualitative scale of ratings (e.g., poor, fair, good, excellent) and produce findings and recommendations for improvement in areas observed to be operating effectively or those considered deficient. Because auditors work from an established standard or set of criteria, IT audits using comprehensive or well thought-out requirements may be less subjective and more reliable than other types of evaluations or assessments.
It is impossible to overstate the importance of the baseline to an effective audit. In both external and internal audits, an auditor’s obligation is to fully understand the baseline and use that knowledge to accurately and objectively compare the subject of the audit to the criteria specified in the baseline. The use of formally specified audit criteria also means that an organization anticipating or undergoing an audit should not be surprised by the nature of the audit, what it covers, or what requirements the organization is expected to meet. External audits—especially those driven by regulatory mandates or certification standards—follow procedures and apply criteria that should be available and just as well known to organizations being audited as by the external auditors conducting the audits. Internal audits follow strategies, plans, and procedures dictated by the organization itself in its audit program, so internal auditors and the business units, system owners, project managers, operations staff, and personnel subject to or supporting audits should also be familiar with the audit criteria to be used.
Like other types of audits, IT audits compare actual organizational processes, practices, capabilities, or controls against a predefined baseline. For an external audit, the audit baseline is usually defined in rules or legal or regulatory requirements related to the purpose and objectives of the external audit. For internal audits, organizations often have some flexibility to define their own baseline or to adopt standards, frameworks, or requirements specified by other organizations, including those described in Chapters 9 and 10.
Internal controls
External and internal IT audits share a common focus: the internal controls implemented and maintained by the organization being audited. Controls are a central element of IT management, defined and referenced through standards, guidance, methodologies, and frameworks addressing business processes; service delivery and management; information systems design, implementation, and operation; information security; and IT governance. Leading sources of IT governance and IT auditing guidance distinguish between internal control and internal controls. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as a process “designed to provide reasonable assurance regarding the achievement of objectives” including operational effectiveness and efficiency, reliable reporting, and legal and regulatory compliance. In this context, a control is “a policy or procedure that is part of internal control,” the result of policies and procedures designed to effect control [4]. The IT Governance Institute offers a definition consistent with COSO: “policies, plans and procedures, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected [5].” This makes for a somewhat circular and potentially confusing formulation in which internal controls are discrete elements applied within a management process of control in support of an organizational objective of establishing and maintaining control.
From the perspective of planning and performing IT audits, internal controls represent the substance of auditing activities, as the controls are the items that are examined, tested, analyzed, or otherwise evaluated. Organizations often implement large numbers of internal controls intended to achieve a wide variety of control objectives. Categorizing internal controls facilitates the documentation, tracking, and management of the diverse sets of controls present in many organizations. The prevalent control categorization schemes used in internal control frameworks, IT audit and assessment guidance, and applicable legislation classify controls by purpose, by functional type, or both. Purpose-based categories include preventive, detective, and corrective controls, where organizations use preventive controls to try to keep unintended or undesirable events from occurring, detective controls to discover when such things have happened, and corrective controls to respond or recover after unwanted events occur. Controls are further separated by function into administrative, technical, and physical control types, as illustrated in Figure 1.2. Administrative controls include organizational policies, procedures, and p...