the-status-of-it-audit-education3432.ppt


Transcript of the-status-of-it-audit-education3432.ppt

  • 7/28/2019 the-status-of-it-audit-education3432.ppt


    Sam A. Hicks, PhD

    Department of Accounting & Information Systems

    Audit track at VA SCAN

    Virginia Tech

    October 6, 2008

    The Status of IT Audit Education


    What is Information Systems Audit

    What is an Audit

    Auditing: Systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.

    Financial Statement Auditors: Established criteria is Generally Accepted Accounting Principles [GAAP]

    Financial Statement Auditors: Must attest to the amounts on the financial statements; they cannot only attest to the system


    An audit compares actual to standard: established criteria for IS Audit is COSO, COBIT, Basel II Accord, ITIL, and several ISO standards.

    Sarbanes Oxley requires that management attest to Internal Control over the Accounting system and

    Auditors audit management's assertions as to Internal Control

    Again, standard for Internal Control is COSO, COBIT, Basel II Accord, ITIL, and several ISO standards.


    IS Audit

    A specialized audit focusing on the controls of the information systems of the entity.

    Most frequently the IS Auditor is a part of the internal audit team. As such, the IS Auditor is an integral part of the

    Design and Development of the system: reviews the system analysis and design of the system, the purchase or programming of the system, the installation, and the post-implementation review


    IS Audit

    Security [Availability, Confidentiality and Integrity] of the system: access, back-up, separation of duties, training of users, documentation of system

    Change management

    Control of software

    Enhance operations with changes

    Do the tasks of the IS Auditor matter?


    AICPA Top Ten IT Concerns

    | Ranking | 2008 | 2007 | 2006 | 2005 | 2004 |
    |---|---|---|---|---|---|
    | 1 | Information Security Management | Information Security Management | Information Security | Information Security | Information Security |
    | 2 | IT Governance | Identity and Access Management | Assurance and Compliance Applications | Electronic Document Management | Spam Technology |
    | 3 | Business Continuity Management (BCM) and Disaster Recovery Planning (DRP) | Conforming to Assurance and Compliance Standards | Disaster and Business Continuity Planning | Data Integration | Digital Optimization |
    | 4 | Privacy Management | Privacy Management | IT Governance | Spam Technology | Database and Application Integration |
    | 5 | Business Process Improvement (BPI), Workflow and Process Exception Alerts | Disaster Recovery Planning and Business Continuity Management | Privacy Management | Disaster Recovery | Wireless Technologies |
    | 6 | Identity and Access Management | IT Governance | Digital Identity and Authentication Technologies | Collaboration and Messaging Applications | Disaster Recovery |
    | 7 | Conforming to Assurance and Compliance Standards | Securing and Controlling Information Distribution | Wireless Technologies | Wireless Technologies | Data Mining |
    | 8 | Business Intelligence (BI) | Mobile and Remote Computing | Application and Data Integration | Authentication Technologies | Virtual Office |
    | 9 | Mobile and Remote Computing | Electronic Archiving and Data Retention | Paperless Digital Technologies | Storage Technologies | Business Exchange Technology |
    | 10 | Document, Forms, Content and Knowledge Management | Document, Content and Knowledge Management | Spyware Detection and Removal | Learning and Training Competency | Messaging Applications |


    Public Company Accounting Oversight Board's (PCAOB)

    Auditors who sign reports tend to be financial statement auditors with little knowledge of systems

    PCAOB suggests that financial statement auditors have more IT education

    Expressed concern of PCAOB Advisory Group


    Department of Defense

    In May 2006, required about 80,000 professionals in the area of Information Assurance Workforce to acquire one of 13 professional certifications. Certified Information Systems Auditor [CISA] was one of the 13.


    Certified Information Systems Auditor [CISA]

    Pass the CISA Exam

    Have IS Audit experience: 5 years

    Abide by Code of Ethics

    Continuing Professional Education

    Follow IS Auditing Standards issued by ISACA


    CISA Exam

    200 multiple choice questions

    Topics

    The IS Audit Process

    IT Governance

    Systems Life Cycle

    IT Service Delivery and Support [Operations]

    Security

    Business Continuity and Disaster Recovery


    Salary Info

    Premium of 10 to 15% for certification

    CISA, CISSP and CISM were among the highest

    Certification Magazine's 2007 Salary Survey report

    CISM came in second at $115,720 -- ISACA reports about 8,000 professionals world-wide have CISM

    CISA came in fifth at $98,740 -- ISACA reports about 55,000 professionals world-wide have CISA


    So What

    From this kind of information, demand for IS Auditors is strong.

    Most of our students have multiple offers

    Yet


    ISACA Student Members

    Website reports that over 800 students have student memberships representing 200 schools

    Thus only about 4 per school!


    Students Graduating from ACIS

    | Students graduating, 12-month period ending June 30 | Goal | 2008 | 2007 | 2006 | 2005 | 2004 |
    |---|---|---|---|---|---|---|
    | Accounting Option | 90 | 128 | 155 | 132 | 134 | 116 |
    | Systems Assurance Option [IS Audit] | 45 | 12 | 11 | 13 | 19 | 20 |
    | Systems Development Option | 40 | 5 | 4 | 15 | 13 | 19 |
    | Total Graduates | 175 | 145 | 170 | 160 | 166 | 155 |


    Control Association (ISACA) model curriculum

    General Education and General Business

    Three parts

    Accounting

    Systems

    Auditing


    ISACA model curriculum: Accounting

    Accounting Principles I

    Accounting Principles II

    Intermediate Accounting I or Management Accounting

    Process Control/Internal Control

    Accounting Information Systems


    ISACA model curriculum: Information Systems

    Introduction to Computers

    Computer Programming

    Systems Analysis & Design

    Data Base Management Systems

    Computer-based Communication Networks

    Management of Information Systems


    ISACA model curriculum: Auditing

    Internal Auditing I

    Introduction to Information Systems Auditing/CAATs

    Special Topics (e.g., IS Integrity and Confidentiality, Audit Ethics)


    IS Audit at Virginia Tech: Undergraduate

    General Education 50 Credits

    General Business 33 Credits

    Accounting 15 Credits

    Intermediate 6

    Cost 3

    Tax 3

    Accounting Systems and Controls 3


    IS Audit at Virginia Tech: Undergraduate

    Information Systems 12 Credits

    Information Systems Development

    Database Management systems

    Networks and Telecommunications in Business

    Personal Computers in Business


    IS Audit at Virginia Tech: Undergraduate

    Auditing 9 Credits

    Auditing Governance and Professional Ethics

    Financial Statement Auditing

    Information Systems Audit and Control

    Electives 6 Credits


    What would you Change?


    Alternative paths to IS Audit knowledge

    Business Information Technology

    Computer Science

    Computer Engineering


    Other Certifications

    CFE: Certified Fraud Examiner

    CIA: Certified Internal Auditor

    CISSP: Certification for Information System Security Professional

    CNE: Certified Novell Engineer

    CPA: Certified Public Accountant

    CRP: Certified Risk Professional

    MCSE: Microsoft Certified Systems Engineer

    CISA: Certified Information Systems Auditor

    CITP: Certified Information Technology Professional [from AICPA]


    Additional Certifications

    CCM: Certified Cash Manager

    CCSA: Certification in Control Self Assessment

    CCDA: Cisco Certified Design Associate

    CCNA: Cisco Certified Network Administrator

    CMA: Certified Management Accountant

    CFM: Certified in Financial Management

    SAPTA: SAP Technical Auditor

    CMC: Certified Management Consultant

    CFA: Certified Financial Analyst

    CBCP: Certified Business Continuity Professional

    CIDA: Certified Investments & Derivatives


    Why a certificate?

    Connected to a professional group

    Documents some level of knowledge

    Recognition to you

    Parting Words


    Advice From CIOs

    Get uncomfortable

    Be willing to admit to errors that you make: take responsibility

    Go with your gut: listen, learn, then go with your instinct

    Get dirty: be willing to try

    Love it or Leave it: Life is too short to do what you do not love to do, move on and try something different

    CIO January 29, 2008