Information Technology (IT) auditing helps a company understand the key technology risks and how well the company is mitigating and controlling those risks. IT internal audit also provides insight into the threats inherent in today's highly complex technologies. Select one of the areas below to view a sample of IT audit information available on KnowledgeLeader.
COBIT® Framework
Control Objectives for Information and Related Technology (COBIT) is a management framework for IT. Developed by ISACA, it is an accepted standard for good IT security and control practices and is intended for use by management, IT auditors, and control and security practitioners. COBIT defines what needs to be done to implement an effective control structure; it does not prescribe how to do it.
Computer Operations Audit Work Program
This work program focuses on auditing computer operations. It concentrates on the IT general controls to be tested; reviews the results of management’s testing; and documents the procedures used to test each control.
Data Conversion Work Program
The purpose of this document is to provide the general steps used to evaluate a data conversion project. This work program provides audit objectives and work steps to ensure proper extraction of source data, confirm that controls are in place to verify accurate data conversion, and make certain that appropriate testing is done with converted data.
Disaster Recovery Plan Assessment Checklist for IT
This checklist serves as a guide for reviewing a disaster recovery plan. The focus of this review is on information technology continuity, recovery, and restoration.
Electronic Signature (E-Sign) Audit Work Program
The audit objective of this review is to assess documented policies and procedures, including business requirements documentation, to determine whether the provisions of the Electronic Signatures Act and applicable Department of Education requirements are adequately addressed. Auditors are asked to verify that the IT infrastructure supporting the electronic signature process is configured to protect critical data from unauthorized access, disclosure, modification, corruption, or destruction.
Healthcare Industry IT Risk Assessment Questionnaire
The purpose of this tool is to help a healthcare company perform an IT risk assessment. The risk assessment worksheets document IT components, IT processes and IT projects, and provide business process definitions. The assessment also allows the user to configure options, and rank all identified risks automatically.
IT Asset Management Diagnostic Audit Work Program
This work program covers a complete IT Asset Management (ITAM) diagnostic audit. Areas covered within this work program include the IT Asset Management Function, IT Asset Management Processes, and IT Asset Financial Management.
IT Audit Work Program – Application Controls
This sample work program covers various application controls necessary to support the business, focusing primarily on access and change controls.
IT Change Management Process Flow
The process flow is the source for understanding the IT change management process from beginning to end including both a process and information technology perspective. This document focuses on phases such as initiate, assess/approve, build/test, implement, verify/close, and emergency changes.
IT Controls Best Practices, Part 1 - Generic
This is Part 1 of a document created to identify leading practices for auditing IT controls. The presentation includes process maps and defines risk objectives and control points for change management, security administration, operations and application controls.
IT Due Diligence Checklist
This checklist focuses on the risks and controls a small company must assess in order to address its IT due diligence practices. Topics covered include IT management, personnel, and contractors, among others.
IT General Controls Questionnaire
IT general controls are critical and central to business processes. This Excel-based template lists a number of COBIT areas and the related control objectives for each IT general control. For each control you can document whether it exists, whether it was designed properly, the related test procedures, and the management action plan for any deficiencies. This questionnaire has been updated with the areas defined in COBIT 4.1.
IT General Controls Scoping Questionnaire
This questionnaire has been designed to facilitate an assessment of existing controls to determine if they align with the IT Governance Institute (ITGI) control objectives. This questionnaire will allow the reviewer to determine which control objectives and illustrative controls are in-scope, and document which control objectives and illustrative controls are currently addressed with existing controls.
IT Process Questionnaire – Change Management
The purpose of this IT process questionnaire is to ensure that all changes to IT resources and infrastructure configurations are carried out in a planned and authorized manner. It involves distinct processes both for managing change requests and also for deploying those changes throughout the enterprise.
IT Risk Assessment Survey Questionnaire
This questionnaire is for conducting an IT risk assessment. It covers topics appropriate for IT management and IT executive management. These topics include: Educate and train users; Assess and manage IT risks; and IT strategic planning.
Program Development Audit Work Program
This work program focuses on auditing the program development process. It concentrates on the IT general controls to be tested; reviews the results of management’s testing; and documents the procedures used to test each control.
Physical Security Audit for Information Systems: Guidelines
This guide suggests controls for the physical security of information technology and of systems related to information processing.
Service Level Agreement Controls Interview Questionnaire - IT
The purpose of this interview questionnaire is to assess the IT processes associated with a Service Level Agreement (SLA). The questionnaire addresses topics such as identifying critical systems, applications, and services; change services; and continuity planning.
Software Licensure Compliance Audit Work Program
Software licensing is often treated as a limited area of auditor concern because upgrades and installations are infrequent and seemingly simple. However, the balance sheet carries an entry for the recorded value of property, equipment, and other durable purchased goods, and the accounting treatment of software should be examined carefully for appropriateness. This work program can be modified for scope, which will depend on the extent and particulars of the licensing agreements under review.
System Management Risk Assessment & Control Audit Work Program
Since most financial transactions are processed and maintained in the IT environment, the IT function is critical for all financial audits performed. This work program will assist audit teams to identify risks and related controls for logical security administration and monitoring, physical security, change management, problem management and system availability.
System Pre-Implementation Review Audit Work Program
The purpose of this document is to provide the general steps used to execute a pre-implementation review audit. This document provides audit objectives and procedures to help evaluate items such as the project management strategy, mechanisms that limit the ability to make changes to the application, and associated infrastructure testing strategies and procedures.
UNIX Security Audit Work Program
This sample work program covers the general security of systems running the UNIX operating system. It reviews control elements, general system administration issues, account groups, remote and root logins, passwords, superusers, and services.
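Three of the checks the work program lists (superusers, passwords, remote root login) can be scripted. The POSIX sh script below is an added example written for this page; it is not part of the KnowledgeLeader work program. It runs against constructed copies of /etc/passwd, /etc/shadow and sshd_config written to a temporary directory, so it is safe to try offline; the file names, the sample accounts (toor, guest) and the sshd_config fragment are all made up for the example. Point the three path variables at the real files to run it on a host.

```shell
#!/bin/sh
# Added example, not the work program's own material: three UNIX audit checks
# (extra UID 0 accounts, empty password hashes, PermitRootLogin) run against
# constructed sample files so the script can be tried offline.
set -u

AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT
PASSWD_FILE="$AUDIT_DIR/passwd"      # assumption: replace with /etc/passwd on a host
SHADOW_FILE="$AUDIT_DIR/shadow"      # assumption: replace with /etc/shadow (needs root)
SSHD_CONFIG="$AUDIT_DIR/sshd_config" # assumption: replace with /etc/ssh/sshd_config

# Constructed sample data. "toor" is a second UID 0 account and "guest" has an
# empty password hash; both are findings an auditor would flag.
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
guest:x:1001:1001:Guest:/home/guest:/bin/sh
EOF

cat > "$SHADOW_FILE" <<'EOF'
root:$6$saltsalt$hashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$6$saltsalt$hashhash:19000:0:99999:7:::
alice:$6$saltsalt$hashhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

cat > "$SSHD_CONFIG" <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Superuser check: every account with UID 0 other than root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$PASSWD_FILE"
}

# Password check: accounts whose shadow hash field is empty, which allows login
# without a password. Locked (*, !) and hashed entries pass this check.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$SHADOW_FILE"
}

# Remote root login check: report the effective PermitRootLogin value.
# sshd honours the first matching directive, so take the first uncommented one;
# "unset" means the built-in default applies and must be confirmed on the host.
permit_root_login() {
    value=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$SSHD_CONFIG")
    printf '%s\n' "${value:-unset}"
}

# Plain-text finding list the auditor can paste into the work papers.
audit_report() {
    for u in $(extra_uid0_accounts); do
        printf 'FINDING: additional UID 0 account: %s\n' "$u"
    done
    for u in $(empty_password_accounts); do
        printf 'FINDING: empty password hash: %s\n' "$u"
    done
    prl=$(permit_root_login)
    if [ "$prl" = "yes" ] || [ "$prl" = "unset" ]; then
        printf 'FINDING: PermitRootLogin is %s; expected no or prohibit-password\n' "$prl"
    fi
}

audit_report
```

On the sample data the report lists three findings: the toor account, the guest account, and PermitRootLogin yes. The account and service checks in the work program that are not covered here (group membership, listening services) depend on the platform's tools, so they are left to the auditor rather than guessed at in portable sh.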
2009 Internal Audit Capabilities and Needs Survey
Protiviti’s third annual survey found that internal auditors are looking more seriously at competencies tied to greater transparency in enterprise-wide operations and processes, as well as clear and consistent views of key objectives and strategies by boards and their internal audit functions. These competencies include ERM; fraud monitoring, detection and prevention; continuous auditing and computer-assisted audit techniques; and developing relationships with other board committee members. The survey was designed to gauge how internal audit professionals perceive their present capabilities, where they currently see a need for improvement, and how they prioritize those needs.
Changes to The IIA Standards: What Board Members Need to Know
On January 1, 2009, The IIA formally released its revised International Standards for the Professional Practice of Internal Auditing. In this white paper, Protiviti provides a summary of the new and revised Standards, focusing on key areas that are believed to have the most significant impact on IA functions based on our knowledge and experience gained from working with organizations around the globe. Also provided are suggested actions on how IA functions can comply with these changes.
Confusion in the Ranks: IT Service Management Practice and Terminology
The Information Technology Service Management (ITSM) movement is gaining adopters throughout the world, expanding from the 2005 ratification of ISO/IEC 20000 by the International Organization for Standardization (ISO). This paper provides a background on ITSM and its contributing concepts, including the IT Infrastructure Library (ITIL), Service Level Management (SLM), Business Service Management (BSM), and many others. It describes these contributing frameworks and reports on a survey of U.S. IT managers conducted to determine how well these terms and frameworks are understood.
Continuous Monitoring and Auditing: What is the difference?
Both continuous auditing and continuous monitoring can be cornerstones in helping internal audit respond effectively to the increased expectations that are placed upon them. They can also help organizations operate more efficiently and more profitably. In part one of this two-part series, John Verver, from ACL Services Ltd., poses the question: Are these two separate concepts or merely variations of a theme? In part two, John closes his discussion by focusing on the benefits of continuous auditing and monitoring, and related best practices.
Global Technology Audit Guide (GTAG) 4: Management of IT Auditing
This fourth GTAG is designed for chief audit executives (CAEs) and internal audit management personnel who are responsible for overseeing IT audits. The guide focuses on specific recommendations that a CAE can implement immediately and on sorting through the strategic issues of planning, performing, and reporting on IT audits. Consideration is given to the fundamentals as well as emerging issues.
Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks
This fifth GTAG is intended to provide the chief audit executive (CAE), internal auditors, and management with insight into privacy risks that the organization should address when it collects, uses, retains, or discloses personal information. This guide provides an overview of key privacy frameworks.
Global Technology Audit Guide (GTAG) 8: Auditing Application Controls
This edition of the Global Technology Audit Guide from The IIA provides Chief Audit Executives with information on the role of internal auditors regarding application controls, and how to perform a risk assessment. This guide also includes a list of common application controls, a sample audit plan, and application control review tools.
Global Technology Audit Guide (GTAG) 9: Identity and Access Management
The objective of this GTAG is to provide insight into what IAM means to an organization and to recommend internal audit areas for investigation. It can assist CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's IAM processes.
Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan
As technology becomes more integral to the organization’s operations and activities, a major challenge for internal auditors is how to best approach a company-wide assessment of IT risks and controls within the scope of their overall assurance and consulting services. As pointed out in this GTAG, auditors need to understand the organization’s IT environment; the applications and computer operations that are part of the IT infrastructure; how IT applications and operations are managed; and how IT applications and operations link back to the organization.
Global Technology Audit Guide (GTAG) 12: Auditing IT Projects
Whether IT projects are developed in house or are co-sourced with third-party providers, they are filled with challenges that must be considered carefully to ensure success. Insufficient attention to these challenges can result in wasted money and resources, loss of trust, and reputation damage. Early involvement by internal auditors can help ensure positive results. Auditing IT Projects from The IIA provides an overview of techniques for effectively engaging with project teams and management to assess IT project risks.
High Value Audits: An Update on Information Technology Auditing
Recently, Protiviti conducted a survey asking chief audit executives, internal audit directors, managers, and other professionals how they perceive their departments’ internal auditing capabilities, where they currently see a need for improvement, and how they prioritize those needs. Respondents rated their auditing skill sets around IT change management, security, computer operations, program development and business continuity lowest.
Improving Internal Audit Through Technology
A number of studies show that internal audit functions are looking more seriously at technology as a way to improve productivity and the organization’s risk management process. The reality is that internal audit cannot successfully meet all looming expectations and perform at a new level without doing things differently and technology – or, more accurately, the very efficient and effective use of technology – is essential for internal audit to succeed in its evolving mandate. This article discusses how to start integrating technology into the audit process, sell its value proposition to executive management, and overcome the related challenges.
Maturing the use of data analytics
In the internal audit practice the use of data analytics as part of the audit process is usually part of a continuum. It tends to start off in ad hoc use, then move to repetitive use, and, finally, to continuous auditing and continuous monitoring. In this article, John Verver from ACL Services Ltd. examines the typical evolution in using data analytics.
Managing Your Security Future
IT organizations within most corporations are spending significant time and resources securing IT infrastructure. Read this article to gain an understanding of the security technologies and risks that exist today and in the near future. By understanding the technologies and threats, you can better manage security decisions to fulfill the needs of the business.
Payment Card Industry – Data Security Standards (PCI DSS)
Credit card breaches happen regularly to unprepared merchants. This article provides an overview of what auditors need to know about Payment Card Industry Data Security Standards (PCI DSS) and why PCI compliance should be an important initiative for internal audit. It spells out the steps you should take to protect your firm’s interests.
The New ISACA Risk IT Framework and Best Practice: Filling a Gap, Making Risk Management Easier and More Effective
ISACA’s Risk IT Framework, based on the COBIT® framework and best practice guidance, was recently released after 18 months of work by an international task force with members from five countries. Risk IT extends and unifies the risk management content in COBIT® and Val IT™.
Trends in IT Internal Auditing: Greater Use of Automation, ‘Rebalancing’ Focus Away from Sarbanes-Oxley and Toward Broader Risk Management
Protiviti conducts a series of annual surveys among internal audit executives and professionals to identify key trends impacting organizations worldwide. Recent results from these studies include a number of notable trends in IT auditing. These trends focus on ISO 27000, computer-assisted audit techniques (CAATs), and IT audits not related to Sarbanes-Oxley compliance.
ACL
ACL Services Ltd. is the leading provider of software used by audit professionals around the world. This site features ACL products, services, news, and training opportunities.
Carnegie Mellon Software Engineering Institute (SEI)
For more than 20 years, the SEI has had the national mandate to advance the state of the practice of software engineering and to serve as a national resource in software engineering and technology. The SEI's core purpose is to help others make measured improvements in their software engineering capabilities and to develop the right software, delivered defect free, on time and on cost, every time.
Center for Education and Research in Information Assurance and Security (CERIAS)
CERIAS is a University center for multidisciplinary research and education in areas of information security. The CERIAS mission is to establish an ongoing center of excellence which will promote and enable world class leadership in multidisciplinary approaches to information assurance and security research and education.
Information Systems Audit and Control Association and Foundation
The Information Systems Audit and Control Association and Foundation (ISACA) is a global professional association representing information systems (IS) auditing, control, and security practitioners worldwide.
ITAudit.org
Sponsored by The Institute of Internal Auditors, ITAudit.org is designed to enhance auditors' knowledge of information technology (IT).
IT Governance Institute (ITGI)
To achieve success in the information economy, governance of IT is a critical facet of enterprise governance. The IT Governance Institute (ITGI) exists to assist enterprise leaders in their responsibility to ensure that IT goals align with those of the business, that IT delivers value, that its performance is measured, that its resources are properly allocated, and that its risks are mitigated. Through original research, symposia and electronic resources, ITGI helps ensure that boards and executive management have the tools and information they need for IT to deliver against expectations.
The Project Management Institute (PMI)
The Project Management Institute (PMI) is the world’s leading not-for-profit project management professional association. PMI supports over 100,000 members in 125 countries worldwide.
The SANS Technology Institute Leadership Laboratory
The Leadership Laboratory is an informal set of articles and whitepapers, almost a blog, about management, information technology, and the computer security industry. Issues and research content for SANS Management 512 Security Leadership Essentials for Managers and the GIAC Security Leadership Certification will continue to be added to this site.