IT audit is the process of collecting and evaluating evidence to determine whether an organization's computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently. IT auditors must know the characteristics of users of the information system and the decision-making environment in the audited organization while evaluating the effectiveness of any system. Use of computer facilities has brought about radically different ways of processing, recording and controlling information and has combined many previously separated functions. The highly repetitive nature of many computer applications means that small errors may lead to large losses. For example, an error in the calculation of income tax to be paid by employees in a manual system will not occur in each case, but once an error is introduced in a computerized system, it will affect each case. This makes it imperative for the auditor to test the invisible processes and to identify the vulnerabilities in a computer information system, because the costs of errors and irregularities can be high.
Increasing use of computers for processing organizational data has added new scope to the review and evaluation of internal controls for audit purposes. The IT internal controls are of great value in any computerized system and it is an important task for an auditor to see that not only adequate controls exist, but that they also work effectively to ensure results and achieve objectives. Internal controls should also be commensurate with the risk assessed so as to reduce the impact of identified risks to acceptable levels. All of an organization's documents are maintained by the IT department, so all of the IT department's equipment should be more secure and restricted.
The use of Information and Communication Technology (ICT) within government entities has become increasingly significant in recent years, particularly following greater use of the Internet and organizational intranets. Technology has increased the amount of data and information being processed and it has significantly impacted the control environment. ICT is also now a key component of government entities' business strategies and core business processing activities. The management of ICT risk has therefore been elevated within entities and now forms a key part of corporate governance. Accordingly, the effective and efficient management of ICT is vital to the success of most entities.
As computer technology has advanced, government organizations have become increasingly dependent on computerized information systems to carry out their business operations and service delivery and to process, maintain and report essential information. There is also an increasing range of ICT vulnerabilities and threats that have to be effectively and efficiently managed. As a consequence, the confidentiality, integrity, availability and reliability of computerized data and of the systems that process, maintain and report these data are a major concern to audit. IT auditors evaluate the effectiveness and efficiency of IT controls in information systems and related operations to ensure they are operating as intended.
What is IT Audit?
IT audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently. An effective information system leads the organization to achieve its objectives and an efficient information system uses minimum resources in achieving the required objectives. IT auditors must know the characteristics of users of the information system and the decision-making environment in the audited organization while evaluating the effectiveness of any system.
Use of computer facilities has brought about radically different ways of processing, recording and controlling information and has combined many previously separated functions. The potential for material systems error has thereby been greatly increased, causing great costs to the organization. The highly repetitive nature of many computer applications means that small errors may lead to large losses. For example, an error in the calculation of income tax to be paid by employees in a manual system will not occur in each case, but once an error is introduced in a computerized system, it will affect each case. This makes it imperative for the auditor to test the invisible processes and to identify the vulnerabilities in a computer information system, because the costs of errors and irregularities can be high.
Increasing use of computers for processing organizational data has added new scope to the review and evaluation of internal controls for audit purposes. The IT internal controls are of great value in any computerized system and it is an important task for an auditor to see that not only adequate controls exist, but that they also work effectively to ensure results and achieve objectives. Internal controls should also be commensurate with the risk assessed so as to reduce the impact of identified risks to acceptable levels. IT auditors need to evaluate the adequacy of internal controls in computer systems to mitigate the risk of loss due to errors, fraud and other acts and disasters or incidents that cause the system to be unavailable.
What is IT Audit Compliance?
This section outlines a risk management approach to health and safety in the offices of IT Compliance. It provides general information about the framework of Victorian occupational health and safety legislation, and how this applies to office environments. Information about the development and implementation of health and safety in IT Compliance policy in the office is also discussed.
Figure 2: Document salve setting [source: Internet]
The aim of occupational health and safety in IT compliance risk management is to eliminate or reduce the risk of injuries and illness associated with work. Managing IT compliance health and safety in the office requires a process of hazard identification, risk assessment, risk control and evaluation of control measures. Effective management of health and safety hazards also involves training, consultation, documentation of health and safety activities and regular review of the management system in IT compliance. Risk management is a continuous process, as technology changes and further options for the control of risks become available. It requires consultation between employers, employees and IT Compliance Health and Safety Representatives when determining the approach and methods to be used. Employers are also required to provide information, training and supervision so that employees can perform their work in a safe manner. Training should provide employees and their supervisors with an understanding of:
Employers are also required to keep information and records relating to the health and safety of employees in IT compliance. These include records for legal requirements (for example, injury reports) as well as records of hazard identification, risk assessment and risk control.
IT Audit Policy Issues
Establishing audit policy is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.
There are nine different kinds of events you can audit. If you audit any of these kinds of events, Windows records the events in the Security log, which you can find in Event Viewer.
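An auditor who needs evidence that the audit policy is actually switched on can compare the exported policy with a baseline. The following is an added example, not part of the original article: it parses a constructed sample in the CSV layout produced by `auditpol /get /category:* /r` and reports which outcomes are not being written to the Security log. The baseline, host name and GUID placeholders are assumptions made for illustration.

```python
import csv
import io

# Constructed sample in the CSV layout of `auditpol /get /category:* /r`
# (host name and GUIDs are placeholders, not real values).
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
AUDIT-HOST,System,Logon,{GUID-1},Success and Failure,
AUDIT-HOST,System,File System,{GUID-2},No Auditing,
AUDIT-HOST,System,User Account Management,{GUID-3},Success,
AUDIT-HOST,System,Audit Policy Change,{GUID-4},Failure,
"""

# Hypothetical baseline: outcomes each subcategory must record.
BASELINE = {
    "Logon": {"Success", "Failure"},
    "File System": {"Success", "Failure"},   # object creation/modification
    "User Account Management": {"Success"},
    "Audit Policy Change": {"Success"},
    "Security State Change": {"Success"},
}


def parse_setting(text):
    """Turn an Inclusion Setting string into the set of audited outcomes."""
    text = text.strip()
    if not text or text == "No Auditing":
        return set()
    return {part.strip() for part in text.split(" and ")}


def find_gaps(csv_text, baseline=BASELINE):
    """Return {subcategory: [missing outcomes]} for every baseline shortfall."""
    configured = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Subcategory"].strip()
        configured[name] = parse_setting(row["Inclusion Setting"])
    gaps = {}
    for name, required in baseline.items():
        # A subcategory missing from the export is treated as not audited.
        missing = required - configured.get(name, set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps


if __name__ == "__main__":
    for name, missing in find_gaps(SAMPLE_AUDITPOL_CSV).items():
        print(f"{name}: not auditing {', '.join(missing)}")
```
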
Data Backup System: Here I show the backup and restore system for data
Importance of IT Audit System
The role of information technology (IT) control and audit has become a critical mechanism for ensuring the integrity of information systems (IS) and the reporting of organization finances to avoid and hopefully prevent future financial fiascos such as Enron and WorldCom. Global economies are more interdependent than ever and geopolitical risks impact everyone. Electronic infrastructure and commerce are integrated in business processes around the globe. The need to control and audit IT has never been greater. Initially, IT auditing (formerly called electronic data processing (EDP), computer information systems (CIS), and IS auditing) evolved as an extension of traditional auditing. At that time, the need for an IT audit function came from several directions
The early components of IT auditing were drawn from several areas. First, traditional auditing contributed knowledge of internal control practices and the overall control philosophy. Another contributor was IS management, which provided methodologies necessary to achieve successful design and implementation of systems. The field of behavioral science provided questions and analysis as to when and why IS are likely to fail because of people problems. Finally, the field of computer science contributed knowledge about control concepts, discipline, theory, and the formal models that underlie hardware and software design as a basis for maintaining data validity, reliability, and integrity.
IT auditing is an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems. Initially, auditors with IT audit skills were viewed as the technological resource for the audit staff. The audit staff often looked to them for technical assistance. As you will see in this textbook, there are many types of audit needs within IT auditing, such as organizational IT audits (management control over IT), technical IT audits (infrastructure, data centers, data communication), application IT audits (business/financial/operational), development/implementation IT audits (specification/requirements, design, development, and post-implementation phases), and compliance IT audits involving national or international standards. The IT auditor's role has evolved to provide assurance that adequate and appropriate controls are in place. Of course, the responsibility for ensuring that adequate internal controls are in place rests with the management. The audit's primary role, except in areas of management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner. Therefore, whereas management is to ensure, auditors are to assure.
Today, IT auditing is a profession with conduct, aims, and qualities that are characterized by worldwide technical standards, an ethical set of rules (Information Systems Audit and Control Association [ISACA] Code of Ethics), and a professional certification program (Certified Information Systems Auditor [CISA]). It requires specialized knowledge and practicable ability, and often long and intensive academic preparation. Often, where academic programs were unavailable, significant in-house training and professional development had to be expended by employers. Most accounting, auditing, and IT professional societies believe that improvements in research and education will definitely provide an IT auditor with a better theoretical and empirical knowledge base for the IT audit function. They feel that emphasis should be placed on education obtained at the university level. The breadth and depth of knowledge required to audit IT systems are extensive. For example, IT auditing involves the
The article is extracted from a thesis work supervised under my guidance and successfully accomplished by Md Shahadat Hossain, a graduate student of the Department of Computer Science and Engineering at Daffodil International University.
MD Abdul Hakim, founder and managing director of Unique Business System Limited (UBSL), has witnessed the ICT development of the country since 1993. His entrepreneurial spirit emerged when he was a child, and he launched his first business, Unique Business Systems Limited, in 1993, which has been ceaselessly dedicated to introducing quality new technologies in Bangladesh, especially for the improvement of the education system of the country. Yes, when he thought about the projector to enhance the learning process,...