What Is Information Audit?
Information Technology Audit
An information technology audit is the evaluation of an organization's information technology infrastructure, applications, data use and management, policies, procedures and operational processes against recognized standards or established policies. Audits examine the controls that protect information technology assets, to ensure integrity and alignment with objectives.
IT Audits and Tools
Many companies rely on information technology to operate their business. IT plays a big part in the company, including applying workflows, using application controls, and implementing ERP applications to facilitate the organization, which is more reliable and less labor intensive than using manual controls. The importance of the IT audit is increasing.
The IT audit is important to support the financial audit or specific regulations announced by the government. Various standards boards are imposing new audits that must be performed, depending upon the audited organization. These audits affect IT and ensure that IT departments are performing certain functions and controls appropriately to be considered compliant. SSAE 16, ISAE 3402, and ISO 27001:2013 are examples of such audits.
The use of tools in the department has been controversial in the past. Because of the widespread availability of data analytic tools, users no longer need to stand in line for IT resources to fulfill seemingly endless requests for reports. IT has to work with business groups to make authorized access and reporting easy to understand.
The Tone is Set at the Top: Auditing Management Practices
Sometimes it is difficult for auditors to map the audit objective onto technology. They first identify the business activity that is likely to yield the best type of evidence. They then identify which applications and networks are used to handle the information.
An audit may focus on a given IT process, in which case it will include the systems used to create input for, to execute, or to control the process. The systems necessary to support the business process will be included in an audit. The auditor can use the preliminary data gathering effort to verify that the scope has been set correctly and to form a set of control objectives which will be the basis for audit testing.
Control objectives are management practices that are expected to be in place in order to achieve control over the systems. Auditors will emphasize that control objectives are management practices. It is expected that the control objectives have been established by management, that management provides leadership and resources to achieve control objectives, and that management monitors the environment to ensure that control objectives are met.
The control environment is management behavior that provides leadership and accountability for controls, and it is synonymous with the phrase: the tone is set at the top. The control objectives are a way to make sure that the auditor has covered the entire scope of the audit and that the planned technology tests are not changed during the audit. An auditor will associate each control objective with a set of activities that will provide evidence that the control objective is met.
Auditors will design tests in advance that show whether the activities are established and reliable. The control objectives and associated test plans are referred to as the audit program. Audit fieldwork is the process of identifying the people, process, and technology within a systems environment that correspond to expected control activities.
Information systems do not always lead to higher profits. Success depends on the skill with which information systems are deployed and on their use being combined with other resources of the firm, such as relationships with business partners or superior knowledge in the industrial segment. Information systems have enabled new structures.
Virtual organizations do not rely on physical offices and standard organizational charts. The network organization and the cluster organization are two notable forms of virtual organizations. Long-term corporate partners supply goods and services to a central hub firm.
A network of relatively small companies can present the appearance of a large corporation. At the core of such an organization, there may be nothing more than a single entrepreneur supported by a few employees. The formation and work of companies are organized around Web-based information systems.
IT Audit Objectives
IT auditing takes that one step further and looks at the controls around the information with respect to confidentiality, integrity, and availability. The IT audit will attest to the confidentiality of the information, the integrity of the information, and, in situations where availability is a key factor, the availability of the information and the ability to recover in the event of an incident. IT auditing is moving to a risk-based approach since there is a limited amount of time and a limited number of professionally qualified IT auditors.
Control objectives are different from audit objectives: they relate to how an internal control should function. Audit objectives are usually focused on proving that the internal controls exist to minimize business risks and that they function as expected. An internal control objective could be to ensure that financial transactions are posted to the general ledger, whereas the IT audit objective could be to make sure that editing features are in place to detect incorrect data.