
Information Technology Auditing

The document discusses the evolution and definition of auditing, emphasizing its historical roots and objectives, which have shifted from detecting errors to ensuring the accuracy of financial statements. It specifically highlights IT auditing, which evaluates information systems and governance controls to ensure compliance and risk management. Additionally, it covers internal control systems, their components, and their importance in achieving organizational objectives while acknowledging their limitations.

Uploaded by evawilliams.uenr

INFORMATION TECHNOLOGY AUDITING
BY: PROF. PETER APPIAHENE
Origin and Evolution
• The term audit is derived from the Latin term ‘audire,’ which means to hear.
• Auditing is as old as accounting. It was in use in all ancient countries such as Mesopotamia, Greece, Egypt, Rome, U.K. and India.
• The original objective of auditing was to detect and prevent errors and frauds.
• Auditing evolved and grew rapidly after the industrial revolution in the 18th century.
• The shareholders, who were the owners, needed a report from an independent expert on the accounts of the company managed by the board of directors, who were the employees.
• The objective of audit shifted, and audit was expected to ascertain whether the accounts were true and fair rather than to detect errors and frauds.
Definition
The term auditing has been defined by different authorities:
• Spicer and Pegler: "Auditing is such an examination of books of accounts and vouchers of business, as will enable the auditor to satisfy himself that the balance sheet is properly drawn up, so as to give a true and fair view of the state of affairs of the business and that the profit and loss account gives true and fair view of the profit/loss for the financial period, according to the best of information and explanation given to him and as shown by the books; and if not, in what respect he is not satisfied."
• Prof. L. R. Dicksee: "Auditing is an examination of accounting records undertaken with a view to establish whether they correctly and completely reflect the transactions to which they relate."
Definition of IT Auditing
• CISA Review Manual (ISACA, 2022): IT auditing is the formal evaluation of an organization’s information systems, controls, and processes to ensure they safeguard assets, maintain data integrity, align with business objectives, and comply with regulatory standards.
• Alan Calder (IT Governance: Framework and Principles, 2021): "IT auditing focuses on evaluating information systems and IT governance frameworks to determine their effectiveness in supporting organizational strategies, maintaining security, and managing risks."
Features of Auditing
• Systematic Examination: Audit involves a systematic and scientific review of the books of accounts of a business to ensure accuracy and reliability.
• Independence and Qualification: An audit is carried out by an independent and duly qualified individual or team.
• Verification and Fairness: The audit verifies the financial results presented in the profit and loss account and ensures the balance sheet represents a true and fair view of the business's state of affairs.
• Critical Review: The auditor critically reviews the accounting systems, internal controls, vouchers, documents, and other explanations provided by the authorities.
• Authenticity and Reporting: The auditor inspects and scrutinizes financial records, correspondence, and statutory documents (e.g., Memorandum and Articles of Association) to certify the authenticity of financial statements and provide a fair opinion on the business's financial health.
Features of IT Auditing
• Risk-Focused & Control-Driven: IT audits prioritize evaluating the effectiveness of controls in mitigating the most significant IT-related risks.
• Independent and Objective: Auditors must be impartial, free from conflicts of interest, and provide an unbiased evaluation.
• Systematic and Evidence-Based: Audits follow a structured approach and rely on documented evidence for their findings.
• Compliance and Governance Centric: Audits verify adherence to laws, regulations, standards, and internal policies, while also evaluating the effectiveness of IT governance practices.
• Actionable Recommendations for Improvement: IT audits don't just identify problems; they provide practical suggestions for fixing them.


AUDITING IT GOVERNANCE CONTROLS
Definition
• Auditing Information Technology (IT) Governance Controls involves assessing the systems, processes, and frameworks that guide an organization's IT usage.
• It ensures IT systems align with business objectives, comply with regulations, mitigate risks, and operate securely and efficiently.
• Governance controls are essential for maintaining oversight, fostering accountability, and driving IT performance to meet strategic goals.


Components
1. IT Governance Frameworks
IT governance frameworks provide structured guidelines for managing and controlling IT processes. Common frameworks include:
• COBIT (Control Objectives for Information and Related Technologies): Focuses on aligning IT with business goals and ensuring IT resources are effectively utilized.
• ITIL (Information Technology Infrastructure Library): Provides best practices for IT service management to deliver value and maintain service quality.
• ISO/IEC 27001: Offers standards for managing information security to protect data and ensure compliance.


Components
2. Risk Management
Governance controls in IT auditing identify, assess, and mitigate IT-related risks, including:
• Cybersecurity threats
• Data breaches and privacy violations
• Operational disruptions (e.g., system failures)
IT audits evaluate the organization's ability to respond to and recover from these risks.
Components
3. Policy and Compliance Controls
IT governance ensures that the organization complies with:
• Internal IT policies and procedures
• Industry-specific regulations (e.g., GDPR, HIPAA, SOX)
• National and international legal requirements
Auditors review adherence to these regulations and provide recommendations for improvement.
Components
4. Performance Monitoring and Reporting
Governance controls ensure the organization has mechanisms to monitor IT performance, including:
• Key performance indicators (KPIs) for IT service delivery
• Regular reporting on IT audit findings and corrective actions
• Dashboards for real-time monitoring of IT systems and risks


Components
5. IT Controls and Processes
Governance controls include assessing the effectiveness of IT General Controls (ITGCs) and Application Controls:
• ITGCs: Focus on overarching IT management, including access controls, change management, and backup/recovery processes.
• Application Controls: Verify the accuracy, completeness, and reliability of data processing within specific applications.


Components
6. Strategic Alignment
Auditing governance controls ensures that IT strategies align with overall business goals, including:
• Enabling innovation and digital transformation
• Supporting operational efficiency and cost management
• Enhancing customer experience through technology
7. Resource Management
Governance controls evaluate IT resource allocation, ensuring that hardware, software, and personnel are optimally deployed to support business objectives.
BENEFITS OF IT AUDITING GOVERNANCE CONTROLS
• Improved Risk Management: Proactively identifies and mitigates IT-related risks.
• Regulatory Compliance: Ensures compliance with legal and industry standards.
• Operational Efficiency: Enhances system performance and reliability.
• Data Security: Protects sensitive data against breaches and unauthorized access.
INTERNAL CONTROL
Internal control.
• Internal control means different things to different people. This causes confusion among businesspeople, legislators, regulators and others.
• Resulting miscommunication and different expectations cause problems within an enterprise.
• Problems are compounded when the term, if not clearly defined, is written into law, regulation or rule.
KEY FACTORS
• Establish a common definition serving the needs of different parties.
• Provide a standard against which business and other entities--large or small, in the public or private sector, for profit or not--can assess their control systems and determine how to improve them.
Definition
• Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.


Internal Control.
• Internal control systems operate at different levels of effectiveness.
• Internal control can be judged effective in each of the three categories, respectively, if the board of directors and management have reasonable assurance that:
1. They understand the extent to which the entity's operations objectives are being achieved.
2. Published financial statements are being prepared reliably.
3. Applicable laws and regulations are being complied with.
• While internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.
Components of Internal Control
• Internal control consists of five interrelated components. These are derived from the way management runs a business, and are integrated with the management process. The components are:
1. Control Environment: It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style.
2. Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
Components of Internal Control
3. Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
4. Information and Communication: Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others.
Components of Internal Control
5. Monitoring: Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties.
What Internal Control Can Do
• Internal control can help an entity achieve its performance and profitability targets, and prevent loss of resources.
• It can help ensure reliable financial reporting.
• And it can help ensure that the enterprise complies with laws and regulations, avoiding damage to its reputation and other consequences.
• In sum, it can help an entity get to where it wants to go, and avoid pitfalls and surprises along the way.
What Internal Control Cannot Do
• Internal control cannot change an inherently poor manager into a good one.
• Shifts in government policy or programs, competitors' actions or economic conditions can be beyond management's control.
• Internal control cannot ensure success, or even survival.
• Controls can be circumvented by the collusion of two or more people, and management has the ability to override the system.
• Another limiting factor is that the design of an internal control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs.
