18 Systems Audit

Post on 17-Jan-2016


It is an audit in which auditors use technical skills and knowledge to audit through the computer system, or provide audit services where processes or data, or both, are embedded in technologies.

It focuses on the computer-based aspects of an organization’s information system.

Technology

General Standards (3) PATT, IMA, DPC

Standards of Fieldwork (3) AP, SUIC, SCE

Reporting Standards (4) GAAP, IC-No GAAP, IC- No AD, OFSW

VAPOR Co.
• Valuation and allocation
• Presentation and disclosure
• Rights and obligations
• Completeness
• Occurrence and Existence

Process for controlling an organization’s information technology resources, where these resources are defined to include information and communications systems as well as technology.

Provide Direction

Compare

Measure Performance

IT Activities
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)

Set objectives
• IT is aligned with the business.
• IT enables the business and maximizes the benefits.
• IT resources are used responsibly.
• IT-related risks are managed appropriately.

• Database Administration
• Data Processing
• Systems Development and Maintenance

• Authorization from processing
• Record-keeping from custody
• Divide transaction processing tasks among individuals
• Systems Development from Computer Operations
• Database Administration from other functions
• New systems development from maintenance
• Data Library from Operations

IS audit services can be provided externally or internally.

The role of the IS internal audit function should be established by an audit charter approved by senior management.

If IS audit services are provided by an external firm, the scope and objectives should be documented in a formal contract.

In either case, the internal audit function should be INDEPENDENT and report to an audit committee or to the highest management level such as the board of directors.

The IS auditor is expected to maintain technical competence through appropriate continuing professional education.

Gain an understanding of the business’s mission, objectives, purpose and processes, which include information and processing requirements such as availability, integrity, security and business technology, and information confidentiality.

Understand changes in the business environment of the auditee.

Review prior work papers.

Identify stated contents such as policies, standards and required guidelines, procedures and organization structure.

Perform a risk analysis to help in designing the audit plan.

Set the audit scope and audit objectives.

Develop the audit approach or audit strategy.

Assign personnel resources to the audit.

Address engagement logistics.

Special attention should be given to issues in industries that are closely regulated. For example, in several countries Internet service providers (ISPs) are subject to laws regarding confidentiality and service availability.

The Information Systems Audit and Control Association (ISACA), founded in 1969, is the largest professional organization of IT auditors.

The Certified Information Systems Auditor (CISA) designation is the most highly valued global credential for IT auditors.

In addition to CISA, ISACA recently created a new credential, the Certified Information Security Manager (CISM) for non-audit security professionals.

Provides guidance on IT governance by providing “the structure that links processes, IT resources and information to enterprise strategies and objectives.”