IT Audit FAQ by Muema Lombe
DESCRIPTION
IT Audit Frequently Asked Questions (FAQ) is a listing of commonly asked questions and answers about IT audit. This document is meant to serve as an information source for both the beginning auditor and those outside the profession seeking to better understand IT audit.
TRANSCRIPT
IT Audit FAQ (Frequently Asked Questions)
Muema Lombe, CRISC, CSSLP, CGEIT, CISA
Muema Lombe, CRISC, CSSLP, CGEIT, CISA http://itauditfaq.com
Agenda
About IT Audit
•What is IT audit?
•What is IT audit known as?
•Who needs an IT audit?
•Why perform an IT audit?
•What is IT external audit?
•What is IT internal audit?
•What does IT auditing entail?
•What is the IT audit process?
•What are the two typical roles that IT audit performs?
•What does an IT audit include?
•What are IT audit types?
•What are the types of IT auditors?
•What is the IT audit manual?
•What are IT audit standards?
•What is IT audit strategy?
•What is the IT audit universe?
•What is an IT risk assessment?
•What is an IT audit program?
•What is an IT audit report?
•What is IT audit co-sourcing?
•What is IT audit outsourcing?
•What is the IT audit plan?
•What is the IT audit schedule?
•Who audits the IT auditors?
About IT Audit Careers
•What qualifications do I need to be an IT Auditor?
•What certification do I need to be an IT Auditor?
•Why should I be an IT Auditor?
•What is the IT audit job description?
•What is the IT audit reporting structure?
•What are IT audit job titles?
•What are IT audit salaries?
•What is the career trajectory for IT auditors?
About IT Audit Tools & Resources
•What software is needed for an IT Auditor/IT Audit?
•What resources are available for IT audit jobs?
•What resources are available for IT auditors to remain current?
•What websites can I use to ask IT audit related questions?
About IT Audit
What is IT audit?
An IT audit is a review of the controls of a technology environment. This may include IT infrastructure, applications, IT operations and IT projects.
What is IT audit known as?
An IT audit is also known as an information technology audit, a systems audit, an information systems audit or an electronic data processing (EDP) audit.
Who needs an IT audit?
Publicly traded companies are required by the S.E.C. to report to their shareholders whether internal controls are operating effectively. This includes both operational/business controls and IT controls.
Why perform an IT audit?
An IT audit is typically performed to obtain an independent assessment of the technology environment. The technology department is likely to be less objective in assessing its environment.
What is IT external audit?
An IT external auditor, typically a third party, is independent of the company, department or organization being audited. This may include Big 4 Auditors (e.g. EY, PWC, etc.) or government auditors (e.g. State Insurance Regulators, etc.).
External audit’s typical role is to express an opinion on the financial statements of an organization. IT external audit facilitates this process, by expressing an opinion on the technology environment of the systems which support, create and maintain the financial statements.
What is IT internal audit?
The IT internal audit team is typically part of the internal audit department of an organization. Whereas IT external audit is primarily focused on controls around financial reporting, IT internal audit’s focus is more broad. While a review may include financial reporting controls, areas such as fraud, regulatory compliance and operational effectiveness may also be covered.
What does IT auditing entail?
The three objectives of IT audits are to preserve the confidentiality, integrity and availability of information.
•Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
•Integrity – Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
•Availability – Ensuring timely and reliable access to and use of information.
What is the IT audit process?
The IT audit process is similar to the audit process and basically includes three steps:
•audit planning,
•audit execution and
•audit wrap up.
What are the two typical roles that IT audit performs?
IT auditors generally perform two roles:
–audit and
–consulting.
What are the two typical roles that IT audit performs? (cont’d)
IT Audit
In this role, the IT auditor performs traditional functions which include IT audit and IT Sarbanes-Oxley procedures.
What are the two typical roles that IT audit performs? (cont’d)
IT Consulting
In the consulting role, IT auditors are asked to perform roles outside of the traditional audit role, including but not limited to the following:
•SAS70 – opine on and/or participate in SAS70 reviews,
•Fraud Examination – participate in and/or lead the IT portion of fraud investigations,
•M&A – perform vendor due diligence of IT operations as part of the Mergers & Acquisitions process,
•Data Analysis – perform data analysis (e.g. expense accounts, procurement cards, etc.),
•Business Process Risk Assessments – participate in team exercises evaluating business processes for IT risks (e.g. infrastructure) and corresponding controls,
•Systems Development – participate in and/or lead pre- or post-implementation reviews of systems under development,
•External Audit Coordinator – serve as a liaison to facilitate the expedient provision of external audit requirements.
What does an IT audit include?
IT audit typically evaluates control design and operational effectiveness.
What does an IT audit include? (cont’d)
Control Design
Management is responsible for developing and maintaining effective internal control. Effective internal control provides assurance that significant weaknesses in the design or operation of internal control, that could adversely affect the agency’s ability to meet its objectives, would be prevented or detected in a timely manner.
Assessing the effectiveness of the design of a control is concerned with whether the control is suitably designed to prevent or detect a material error related to an account or group of accounts. Procedures to obtain such evidential matter ordinarily include inquiries of appropriate agency personnel; inspection of documents, reports, or electronic files; and observation of the application of specific controls. This is sometimes referred to as a “walk-through” and helps the senior assessment team ensure its understanding of the controls. An assessment of the control design should identify controls as effective, moderately effective, or not effective.
What does an IT audit include? (cont’d)
Operational Effectiveness
What are IT audit types?
IT audits generally come in two types:
– Integrated IT Audit
– IT Audit
What are IT audit types? (cont’d)
Integrated IT Audit
• These audits are where the IT audit portion of the review is a subset of a larger business audit review. For example, the Internal Audit department may audit the Human Resources function; as a part of that review, the IT auditors may be asked to review the application that supports human resources administration and payroll.
What are IT audit types? (cont’d)
IT Audits
These audits are not integrated, but focus on a particular technology area. Like ice cream, stand-alone IT audits come in a variety of flavors. Generally IT audits fall into four buckets:
– General Controls Audits
– Application Control Audits
– Network/Infrastructure Audits
– System Development Audits
What are the types of IT auditors?
IT auditors generally fall into two categories, technical and non-technical. The best auditor is one who can explain a technical deficiency in non-technical speak for the benefit of business auditors, the Chief Audit Executive and the Audit Committee.
What is the IT audit manual?
The IT audit manual is a subset of the Internal Audit manual and includes standards, policies and procedures.
What are IT audit standards?
Start with ISACA’s IS Standards, Guidelines and Procedures for Auditing and Control Professionals.
https://www.isaca.org
What is IT audit strategy?
The IT audit strategy outlines the approach for addressing the items prioritized by the IT risk assessment. Depending on the organization, the IT audit strategy can be defined for anywhere from one to five years. This strategy should not be defined in a silo; rather, it should be co-developed with, and aligned to, the Internal Audit strategy.
What is the IT audit universe?
The IT audit universe should reflect the universe of IT locations (e.g. data centers, etc.), IT functions (e.g. operations, etc.), IT projects, IT platforms (e.g. VOIP, etc.), operating systems and applications.
What is an IT risk assessment?
An IT risk assessment is a measurement of IT risks to the business. At a minimum, the IT risk assessment should include the risk likelihood, the impact and a risk rating/prioritization. When preparing the IT risk assessment, the IT auditor should have a full and complete understanding of the IT environment. The IT risks rated should cover all areas of the IT organization, including but not limited to IT operations, infrastructure, applications and projects.
What is an IT audit program?
The IT audit program details the steps to be performed in conducting the IT audit.
What is an IT audit report?
The IT audit report summarizes the details of what was reviewed and the results of review for the IT audit.
What is IT audit co-sourcing?
IT audit co-sourcing is when the resources and/or skills of an IT audit department are augmented by an external resource. This augmentation may be needed because of a shortage of staff or a lack of specific technical expertise.
For example, a small IT audit department may not have the budget to maintain a full-time resident expert in Oracle databases in house. For an upcoming audit of Oracle databases, the department may hire a service provider external to the organization with sufficient expertise to perform the specific duties required.
What is IT audit outsourcing?
IT audit outsourcing is when the IT audit function is fully outsourced to a third party service provider. For example, an organization may have an Internal Audit department, but fully outsource the IT audit function due to headcount restrictions and/or the expense of maintaining a full time IT audit team.
What is the IT audit plan?
The IT audit plan is just that: a plan for the coming year which includes the name of each audit and its corresponding scope. The audit plan is approved by the Chief Audit Executive and the Audit Committee and vetted with the auditee. Depending on the Internal Audit (IA) organization, the IT audit plan may be incorporated as part of the IA plan. In some cases the IT audit plan will be a stand-alone plan.
What is the IT audit schedule?
The audit schedule lists the names of the IT audits for the coming year to which dates have been assigned (i.e. the audits have been scheduled). This document is usually co-developed with the auditee to agree on timing, working around employee vacations, IT department busy periods, etc.
Who audits the IT auditors?
The Institute of Internal Auditors (IIA) requires an independent Quality Assessment Review (QAR) to be performed at a minimum interval of every 5 years. This QAR review is to be performed by an independent third party to the organization, and includes a review of both the business and IT audit function.
About IT Audit Careers
What qualifications do I need to be an IT Auditor?
The requirements for becoming an IT auditor vary with the needs of the organization and the specific IT audit role you are applying for (e.g. IT Audit Staff vs. IT Audit Director). Generally, the following are the desired baseline qualifications:
What qualifications do I need to be an IT Auditor? (cont’d)
Education
Bachelor’s degree in Technology (Information Systems, Computer Science, etc.), Accounting, Business or a related field.
What qualifications do I need to be an IT Auditor? (cont’d)
Certification
Certified Information Systems Auditor (CISA) designation.
What qualifications do I need to be an IT Auditor? (cont’d)
Experience
Two to four years performing IT audits and/or related functions with Big 4 or similar CPA firm audit experience.
What qualifications do I need to be an IT Auditor? (cont’d)
Competencies
•Experience working in a global organization, interacting with all levels of management.
•Strong knowledge of financial systems, and general internal controls for information systems and data center operations.
•Experience managing a variety of audit assignments and implementing / testing compliance with the Sarbanes-Oxley Act.
•Ability to work both independently and as a member of a team in a fast-paced environment, handling multiple tasks simultaneously.
•Experience in auditing large-scale system implementations and strong knowledge and understanding of Project / Software Development Life Cycle methodologies (i.e. Waterfall, Rational Unified Process and Agile Development).
•Strong written, verbal and interpersonal communication skills are required.
What certification do I need to be an IT Auditor?
The unofficial standard designation for IT auditors is the Certified Information Systems Auditor (CISA).
What certification do I need to be an IT Auditor? (cont’d)
Other related technology or security related certifications to consider include:
•Certified Information Security Manager (CISM)
•Certified Information Systems Security Professional (CISSP)
•Certified Computer Professional (CCP)
•Certified Information Technology Professional (CITP)
•Certified in Risk and Information Systems Control (CRISC)
•Certified in the Governance of Enterprise Information Technology (CGEIT)
Why should I be an IT Auditor?
Serving as an IT auditor is a great way to:
•network with all layers of the IT organization (CIO to Managers to IT staff),
•fully immerse into the IT department and its functions via auditing different areas,
•serve as a platform to gather the experience and expertise for a leading career such as Chief Security Officer or Chief Risk Officer.
What is the IT audit job description?
• RISK ASSESSMENT: Participate in the Annual Risk Assessment and Audit Plan Development with respect to information technology environment of all the business units;
• BUDGETING: Participate in the preparation of departmental budgets and forecasts;
• SCOPING: Manage the scoping and development of audit programs, working with business unit and operational management as well as Internal Audit managers on integration with financial and operational audits;
• PLANNING: Manage all planning and fieldwork activities for IT audits at domestic and international locations to evaluate and make recommendations for improvement with respect to the effectiveness and efficiency of the IT related function and processes, as well as to assess compliance with Company policies and external regulations;
• AUDIT: Perform integrated audits and reviews of general IT controls, system access security, and application system controls to ensure the processes and data are in compliance with policies, standards and procedures;
What is the IT audit job description? (cont’d)
• TEST: Prepare, execute and document testing procedures and outcomes, perform detailed analysis and recognize relevant financial statement issues;
• ANALYZE: Analyze IT environment including: operating systems, applications, infrastructure, policies and procedures, etc.
• ISSUE IDENTIFICATION: Identify and communicate any control issues, process inefficiencies, or operational risks and recommend appropriate solutions.
• PROJECT MANAGEMENT: Manage special projects (e.g., reviews of system or policy implementations);
• QUALITY ASSURANCE: Conduct reviews of work performed to ensure compliance with auditing standards, including Generally Accepted Auditing Standards (GAAS) and the standards of the Institute of Internal Auditors (IIA);
• REPORT WRITING: Write and/or review/edit audit reports for the review and approval of the Chief Audit Executive.
What is the IT audit job description? (cont’d)
• PRESENTATION: Present audit observations and recommendations to management; Assist in developing presentations for senior management and the Audit Committee of the Board of Directors with respect to the IT audit scope, coverage, and findings.
• DOCUMENTATION REVIEW: Review management action plans and monitor implementation of recommendations proposed by Internal Audit to ensure that issues are adequately addressed and mitigated;
• RELATIONSHIP MANAGEMENT: Establish partnering, yet independent and objective, relationships with auditees;
• COORDINATION: Coordinate audit activities with the business unit’s IT function and IT Department as necessary, to minimize duplication and leverage combined efforts;
What is the IT audit job description? (cont’d)
• RECRUITING: Participate in recruiting and retaining high quality audit staff and seniors;
• TRAINING: Participate in Departmental training, career development and professional development activities; and Provide technical guidance, as well as coach audit staff and seniors to enhance their technical skill levels;
• COMPLIANCE: Ensure adherence to department policies and procedures.
• REMAIN CURRENT: Review and analyze new, proposed, or revised laws, regulations, policies, and procedures in order to interpret their meaning and determine impact to the company.
What is the IT audit reporting structure?
As a best practice, the IT Audit Director (or equivalent) should report to the Chief Audit Executive, who in turn reports to the Audit Committee and the Chief Executive Officer.
What are IT audit job titles?
In a multi-layered Big 4 accounting firm, IT audit job titles are typically as follows:
• Staff
• Senior
• Manager
• Senior Manager
• Director
• Principal
• Partner
What are IT audit salaries?
IT audit salaries vary depending on experience, certifications, type of organization and location. Generally they are up to 10% to 25% higher than traditional auditor salaries.
Explore IT audit salaries here: http://www.glassdoor.com
What is the career trajectory for IT auditors?
The career trajectory for an IT auditor is contingent upon the opportunity within an organization, the opportunity within the department and the experience of the auditor. There are generally three career trajectories for IT auditors:
1. Up or Out
2. Rotation
3. Flatline
What is the career trajectory for IT auditors? (cont’d)
Up or Out
• The Up or Out model is typically followed by public accounting firms. The rotation is approximately two to five years at each level, after which you are promoted to the next level (staff, senior, manager, senior manager, director, then partner). If you are not promoted within this timeframe, or if management does not feel you are ready for the next level within the organization, you are “counseled out”, that is, strongly encouraged to seek employment elsewhere; otherwise you’ll be terminated.
What is the career trajectory for IT auditors? (cont’d)
Rotation
• Top-tier financial and multinational organizations often maintain a rotation model for their audit department. Auditors are encouraged to join the audit organization for two to four years, after which they’ve developed an understanding and expertise and are rotated into a specific department or business function.
What is the career trajectory for IT auditors? (cont’d)
Flatline
• The flatline trajectory is typically found in small to medium-size Internal Audit departments. By flatline, we mean there is minimal room for upward mobility or growth in the department due to the size of the department and/or the tenure of those there before you. As such, your career progression is flatlined unless someone retires, quits or otherwise leaves the department, which would create an opportunity for you to move up.
About IT Audit Tools & Resources
What software is needed for an IT Auditor/IT Audit?
There are many types of audit software. There is:
• audit management software (e.g. Team Mate, Auto Audit, etc.),
• risk assessment software (e.g. Compliance 360, Resolver, etc.),
• data analysis software (e.g. ACL, IDEA, etc.),
• system configuration analysis tools (e.g. EY Mercury for SQL, OS400 and Windows, etc.).
What resources are available for IT audit jobs?
• http://www.indeed.com/
• http://www.simplyhired.com/
• http://www.dice.com/
• http://www.monster.com/
• http://hotjobs.yahoo.com/
• http://it-audit-jobs.com/
What resources are available for IT auditors to remain current?
http://itauditandsecurity.com/
http://insuranceitaudit.com/
http://twitter.com/itaudit
What websites can I use to ask IT audit related questions?
http://itauditforum.com/
Contact
http://www.linkedin.com/in/muemalombe