John Kyriazoglou

IT Audit Guides
Establishing a Framework for
Executing IT Audits
JOHN KYRIAZOGLOU

IT AUDIT GUIDE
ESTABLISHING A FRAMEWORK
FOR EXECUTING IT AUDITS

2
IT Audit Guide: Establishing a framework for executing IT Audits
1st edition
© 2021 John Kyriazoglou & bookboon.com
ISBN 978-87-403-3876-8

3
IT AUDIT GUIDE Contents

CONTENTS
Dedication 6

Overview and Contents 7

Preface 8

1 Introduction to IT Auditing 9
1.1 Information Technology, Communications and Business 9
1.2 Basic management functions 10
1.3 Reasons for auditing companies and IT 11
1.4 What is IT Auditing 12
1.5 IT Controls 13
1.6 Importance of IT controls to the IT auditor 14

2 IT Audit Framework 15
2.1 Definitions 15
2.2 Internal Audit Procedure 16
2.3 International Auditing Standards 16
2.4 IT Auditing Standards 17
2.5 Types of Internal Audit 17
2.6 IT Audit Areas 18
2.7 IT Audit General Approach 19

3 IT Audit Plan 21
3.1 Purpose of the IT Audit Plan 21
3.2 Preparation of the IT Audit Plan 21
3.3 Description of Phases to prepare the IT Audit Plan 21

4 IT Auditing Methodology 29
4.1 Description of the IT Audit Methodology 29
4.2 Phases of the IT Audit Methodology 29

Appendix 1. Corporate and IT Documentation 37

Appendix 2. IT Audit Areas 39

Appendix 3. Documentation to understand an IT System 42

Appendix 4. Internal Audit Plan 43

Appendix 5. IT Audit Preparation Questionnaire 46


Appendix 6. IT Audit Plan 48

Appendix 7. Audit Sampling Methods 51

Appendix 8. IT Audit Findings Assessment Criteria 53

Appendix 9. IT Audit Glossary 55

End Notes 57

Bibliography 58

Disclaimer 59


DEDICATION
This book is dedicated to my closest family members that support me with all their hearts
and souls: Sandy, Miranda, Chris and Dimitri and above all, Melina, our most precious
gem and princess of our life on this planet.


OVERVIEW AND CONTENTS


Overview: This book (first of a series of 5 books) introduces IT Auditing, describes the
basic components that make it up (e.g., IT Audit Framework, IT Audit Plan, IT Auditing
Methodology (of 4 phases and 22 steps), etc.) and presents various complementary aspects
that support the execution of effective IT Audits, such as: Corporate and IT Documentation,
IT Audit Areas, Documentation to understand an IT System, Internal Audit Plan, IT Audit
Preparation Questionnaire, Audit Sampling Methods, IT Audit Findings Assessment Criteria,
IT Audit Glossary, etc.

This book is complemented by the following books in this series:


Book 2: ‘IT Governance Controls’

Book 3: ‘IT Audit Execution Tools’

Book 4: ‘IT Audit Support Tools 1’

Book 5: ‘IT Audit Support Tools 2’


PREFACE
There are usually four distinct types of assets of value in the 21st-century world we all live in.

Type 1. Assets of a physical nature (e.g., machines, equipment, plant, land, buildings,
computer or other hardware, etc.).

Type 2. Assets of a financial nature (e.g., money, funds, financial credits, etc.).

Type 3. Information Technology and Communications (ITC) assets, such as: ITC hardware
(e.g., servers, printers, personal computers, digital media and devices, etc.), and computer
and communications software (e.g., operating systems software, application systems, database
management software, utilities, network software, etc.).

Type 4. Knowledge, ideas and concepts existing in the brains of human beings, working in
the universities, laboratories, corporations and society at large.

The most critical assets, in terms of value, for organizations, enterprises, corporations,
companies (large, medium, small, etc.), for society and the economy (local, global) in general,
in the 21st Century, are deemed to be not physical or financial or ITC related assets but
knowledge, ideas and concepts.

This body of knowledge, ideas and concepts, when collected in a timely and accurate way,
organized appropriately, managed and distributed effectively by Information Technology
(IT) systems and communications networks (ITC systems) can provide added value and
benefits to all stakeholders in a socio-economic milieu.

The implementation of ITC systems, as industrial, corporate and public experience has
shown, can result in misappropriation of resources (funds, personnel, etc.) and operational
disasters, if they are not properly managed and controlled. The complete or partial lack of
this function (i.e., control) is, therefore, the basic reason for the large and costly failures of
implementations of ITC systems (and projects) in a variety of public and corporate settings.
It also provides the rationale for writing these 5 books on IT Auditing.


1 INTRODUCTION TO IT AUDITING
Overview: This chapter describes the key role of information in the operation of businesses
as well as the causes, risks, objectives and benefits of implementing IT auditing and related
control procedures.

1.1 INFORMATION TECHNOLOGY, COMMUNICATIONS AND BUSINESS
Information and Communications Technology (ITC) based on computers and related
communications infrastructures, automated information systems, national, international or
even business networking infrastructure (the so-called ‘network backbone1’) and complementary
mass storage technologies provide businesses with the critical data they need to operate effectively.

These are available to all, and within companies and organizations, with all the necessary
complementary information and details for the operation of the specific business entity
(private company, public organization, etc.), immediately, with validity and with relative
security (usually).

This technology and its consequent Information Systems have immediate results:

1. the sharing and distribution of faster and more efficient information, and
2. the governing of modern businesses and all their activities in a more
competitive, more productive and better quality and service-oriented way to
their customers and the wider society as a whole.

Given the rapid growth of information and computing technology, at a rate unknown in human
history, it is now even easier for businesses and organizations to transfer (almost) all their
business transactions and operations2 to integrated information systems.

These systems are like pharmaceutical drugs (medicines). They strengthen the specific
organization (or business) and make it easier for it to cure or solve a specific problem or
functional failure.

Following this analogy (i.e., drugs), if these systems are not used with discipline, they can
create chaotic situations and often fail to deliver the expected results. They may even result in
partial or total destruction.


These integrated information systems must therefore operate within a business environment
governed by rules, policies and procedures and a risk management system. Together, these
form the framework of corporate governance, which, in the case of information systems, is
complemented by an IT governance framework.

Also, information is considered the modern strategic weapon of every organization, and it
is now a strategic asset of the organization.

Collecting, processing and disseminating information through information systems
requires enormous amounts of money, resources and effort.

1.2 BASIC MANAGEMENT FUNCTIONS


According to current management theory, management is composed of the following five
functions3:

1. Planning: Studying future issues and designing goals and how they will be
accomplished.
2. Organizing: Designing the structure for the use of human and other resources
to achieve the business goals.
3. Staffing: Coordinating all activities and confirming that all means and resources
will be available to achieve the objectives.
4. Directing: Articulating a vision, energizing employees, inspiring and motivating
people using vision, influence, persuasion, and effective communication skills.
5. Controlling: Confirming that all actions and activities are carried out in
accordance with the approved plans and objectives.

When the last function, control, is not achieved completely or at all, this is one of the main
causes of IT project implementation failures4.

In order to prevent such unpleasant consequences, we must prevent failure.

Therefore, for the optimal protection, reliability and use of these critical entities (information
systems), the full operation of an effective IT Auditing system and well-proven techniques
and methods are required. This IT Auditing system will improve both the operation of the
entire IT framework and the relevant systems for the modern company and organization.


1.3 REASONS FOR AUDITING COMPANIES AND IT


According to COSO (The Committee of Sponsoring Organizations of the Treadway
Commission5), a leading industry-supported organization, the main reason for auditing
companies and organizations is to support the achievement of business objectives.

For successful accomplishment of these objectives the following usual risks (Corporate and
IT) must be assessed and mitigated effectively.

Corporate risks (example)


1. Erroneous record-keeping.
2. Unacceptable accounting system (lack of principles, standards, etc.).
3. Business interruption.
4. Wrong management decisions (from inaccurate data, actions, decisions, etc.).
5. Financial and managerial fraud.
6. Imposition of fines by government agencies or regulatory authorities.
7. Excessive operating costs.
8. Destruction and/or waste of resources (intentional or unnecessary).
9. Competitive disadvantage (insufficient response of the company to market
developments).

The senior leadership/management of the company or organization, based on the rules of
corporate governance and international practices, must take all necessary measures to mitigate
the potential effects of these risks so that their specific business entity survives in the short
term and thrives in the long run.

IT risks (example)
1. Computer fraud,
2. Theft of electronic information and data,
3. Theft of ‘physical’ information, media, equipment, software, etc.,
4. Non-compliance with the provisions of the privacy framework (GDPR),
5. Damage to equipment, peripherals, software, data, technical files (audit trail,
logging), electronic data transfer, etc.,
6. Interference in telecommunications and unauthorized access (interception of
communications, user illegal access, legal user but illegal transaction, etc.),
7. Illegal recording of electromagnetic signals,


8. (Un)intentional incorrect entry of data,


9. Decreased information integrity from illegal change of data, software and
databases,
10. Sabotage or other illegal acts by staff or associates,
11. Illegal intrusion into computer sites, systems, equipment, and networks
(hacking), and
12. Shutdown of systems, equipment, software, environment, processes,
installations, archiving and backup mechanisms, security procedures,
organizational structures, etc.

Likewise, the management of the IT function of the company or organization, based on
the rules of IT governance and best practices, must implement all necessary measures to
mitigate the potential effects of these risks so that they better support the business operations
that depend on IT systems and services.

1.4 WHAT IS IT AUDITING

Description
IT Auditing is the process of obtaining the best assurance on whether the design, development,
implementation, operation and maintenance of IT systems meet business goals, safeguard
information assets and maintain data integrity, among other things. In other words, IT
Auditing is a review and examination of the implementation of IT systems and IT controls
to ensure that the systems meet the organization’s business requirements, needs and objectives,
without compromising security, privacy, cost, and other critical business issues and factors.

IT Audit Objectives
The objective of IT Audits is to ensure that the IT resources allow corporate goals and
objectives to be achieved effectively and use resources efficiently. IT audits may cover IT
Security, System Development, Business Continuity and IT Disaster Recovery, etc. See
Appendix 2 for more details.

Scope of IT Auditing
The internal audit function of the company or an external entity may perform IT audits in
conjunction with a financial statements audit, a review of internal controls, or other audit
(e.g., GDPR compliance audit).


Irrespective of the type of audit, the IT auditor would be required to assess the policies
and procedures that guide the overall IT environment of the audited entity, ensuring that
the corresponding controls and enforcement mechanisms are in place.

The scoping of the IT Audit would involve deciding the extent of audit scrutiny, the coverage
of IT systems and their functionalities, IT processes to be audited, locations of IT systems
to be covered, and the time period to be covered, etc.

1.5 IT CONTROLS
A control is the combination of mechanisms6, methods, rules, policies, and procedures
that ensure protection of the company’s assets, accuracy and reliability of its records, and
operational adherence to management standards.

In an IT context, controls are divided into two categories: IT general controls and application
controls.

The IT General Controls are the foundation of the IT Control structure. These are
concerned with the general environment in which the IT systems are developed, operated,
managed, maintained and monitored. General IT controls establish a framework of overall
control for the IT activities and operations and provide assurance that the overall control
objectives are satisfied.

IT General controls are implemented using a number of tools such as policies, procedures,
agreements, guidelines, and practices as well as putting in place an appropriate management
structure, including that for management of the company’s IT systems.

Examples of IT general controls include the design, development and implementation of
Computerized Application Systems and an IT Strategy, the implementation of an IT Security
Policy, setting up of an IT steering committee, operating a Data Center and planning for
disaster prevention and recovery, etc.

Application Controls are specific controls unique to each computerized application (e.g.,
payroll processing, accounting system, warehouse inventory control, etc.) used by the
specific company. Application controls include data input validation, encryption of data to
be transmitted, processing controls, output controls, etc.

For example, in an online payment application, one input control could be that the employees’
personal data are encrypted, another control could be that the employee’s birth date should
not be greater than today’s date, etc.


For more details, see book ‘IT Governance Controls’ (second in this book series).

1.6 IMPORTANCE OF IT CONTROLS TO THE IT AUDITOR


In general terms, IT auditors are called upon to test technology-related controls, whereas
non-IT auditors test financial, regulatory and compliance controls.

As more and more companies and public organizations rely on IT to automate their
operations, the line dividing the role of an IT and a non-IT auditor is also fast disappearing. As
a minimum, all auditors are required to understand the control environment of the audited
entity so as to deliver assurance on the internal controls operating in that entity.

This includes an understanding of internal controls, as well as objectives, operations, regulatory
environment, systems, and business processes involved.

Every control area is based on a set of control objectives that a company or organization
puts in place in order to mitigate a control risk.

The role of the auditor is to understand the potential business and IT risks facing the
specific company (audited entity), and in turn to assess whether the deployed controls are
adequate to meet the control objective.

In the case of IT general controls, it is important for the auditor to understand the broad
categories and extent of general controls in operation, evaluate the management oversight
and staff awareness in the organization for the same, and find out how effective the controls
are in order to deliver assurance.

Even in SMEs, where information systems and business processes relevant to financial
reporting are less sophisticated, the role of general controls is significant.

If general controls are weak, they severely diminish the reliability of controls associated with
individual IT applications, and vice versa.

In subsequent chapters and in the other 4 books of this series, some of the key areas of IT
General Controls and Applications Controls as well as other critical aspects of IT Auditing
(e.g., IT Auditing Organization, IT Audit Manual, etc.) are discussed in more detail.
Suggested audit matrices for each of the control areas are provided in the Appendices.


2 IT AUDIT FRAMEWORK
Overview: This chapter describes the frameworks of internal and IT auditing, the types of
IT auditing and an IT Audit Approach.

2.1 DEFINITIONS
In general, an audit is an independent review and investigation of an existing system, activity,
report, or entity. It may be conducted by either an internal or external party, depending
on the situation. There are many types of audits that can be conducted, as noted below.
For more terms see Appendix 9.

ISO 19011:2018 defines an audit as a ‘systematic, independent and documented process
for obtaining audit evidence [records, statements of fact or other information which are
relevant and verifiable] and evaluating it objectively to determine the extent to which the
audit criteria [a set of policies, procedures or requirements] are fulfilled1’.

There are two main categories of audits: Internal and External.


An internal audit is usually conducted by an independent internal audit team (Internal
Audit Department for large companies), and is focused on control assessments, process
assessments, legal compliance, and the safeguarding of assets. The audit team’s reports are
sent to senior management and the organization’s audit committee, and may, in most cases,
result in recommended changes and improvements to be implemented.

While internal audits focus on business practices and risks, external audits focus on
determining the accuracy and thoroughness of an organization’s financial records and issuing
an opinion.

2.2 INTERNAL AUDIT PROCEDURE


In general, a standard internal audit procedure includes the following steps:

Step 1. Discuss with the management of the corporate function that will be audited about
the objectives of the audit, the schedule, the form and the distribution of the audit report.

Step 2. Execute the audit program and assess the soundness of internal controls and business
systems and operations.

Step 3. Perform tests of internal measures and controls to ensure their proper operation.

Step 4. Discuss with the management of the audited function the findings of the audit and
the recommendations of the internal audit team.

Step 5. Review the audit report with the management of the audited function and their
responses, if any, prior to the release of the final audit report.

Step 6. Review the critical issues raised in the audit reports to see if they have been
successfully resolved, after a specific period of time.

2.3 INTERNATIONAL AUDITING STANDARDS


International Auditing Standards are the regulatory framework containing the principles and
procedures under which the audit work is performed. Their main function is to provide mandatory
guidance for all professionals who conduct internal audits. Understanding and applying
International Standards improves corporate governance, while supporting the work of Audit
and Management Committees.


The International Standards on Auditing are issued by the International Auditing and
Assurance Standards Board (IAASB) and are primarily intended to achieve the uniform
performance of all audit work internationally.

The International Institute of Internal Auditors (www.theiia.org) is a regulatory body that
provides internal audit practitioners around the world with reliable guidance through the
International Standards for Professional Practice of Internal Auditing (IPPF2), which are
standards for the execution of the internal audit work.

2.4 IT AUDITING STANDARDS


There are various IT Auditing Standards issued by various organizations, such as COSO,
INTOSAI, IFAC, ISACA, etc. The most common is the ISACA COBIT framework3
(COBIT 5).

This is based on the following five key principles for governance and management of
enterprise IT: Meeting Stakeholder Needs; Covering the Enterprise End-to-End; Applying
a Single, Integrated Framework; Enabling a Holistic Approach; and Separating Governance
from Management.

2.5 TYPES OF INTERNAL AUDIT


The main types of internal audit are:

Type 1. Financial Audit. The purpose of this audit is to determine the extent to which
the correct presentation, accuracy and reliability of the financial statements are ensured.

Type 2. Production Audit. The purpose of this audit is to determine whether and to what
extent the manufacturing procedures are followed throughout the production phase, the
quantities produced are in accordance with the production program approved by management,
the mechanical equipment is used correctly, the product specifications are observed and the
staff are trained, etc.

Type 3. Management Audit. The purpose of this audit is to determine the extent to which
the corporate departments are properly managed. The effectiveness of the design and the
strategy of the company in terms of achieving the objectives, the management of human
resources and in general all its activities related to the issues of management are examined
and evaluated.


Type 4. IT Audit. The purpose of this audit is to determine the extent to which the
reliability, confidentiality and integrity of the available information is ensured, the information
systems are effective, the IT and other resources are properly used, the IT infrastructure and
information systems are secure, and the transactions and data processed and maintained are
accurate, complete and current. More details, later.

Type 5. Data Protection Audit. The purpose of this audit is to ensure the protection of the
privacy of personal data collected, processed and maintained by companies and organizations
according to the requirements of the privacy regime under which the particular company
operates (e.g., GDPR for companies doing business in the EU). For more details, see my
books in the Bibliography.

2.6 IT AUDIT AREAS


The IT audits (type 4 described above) can usually be performed by internal auditors as
well as by external auditors or other business consultants or specialists.

These relate to auditing various issues in the category of IT General Controls as well as in the
category of Application Controls for a specific application (e.g., payroll processing).

For example, in the category of IT General Controls, an IT Audit assignment will include
a review and assessment of the General IT Controls that govern the IT management issues
of a company, such as:

a. Managing the IT function and its systems, and staff.
b. Developing, implementing, operating and maintaining computerized application
systems.
c. Supporting the IT procurement process.
d. Designing, developing and implementing physical and logical security measures
for IT equipment and systems.
e. Managing all aspects of the system software, etc.

For an example of IT Audit Areas and issues to be audited in each area, see: Appendix 2.

Examples of the controls related to managing the above IT issues are outlined in book 2
of this series.

The general approach for executing IT audits is described below.


2.7 IT AUDIT GENERAL APPROACH


The general approach used to carry out IT audits is made up of seven distinct but inter-related
and co-operating components, described next:

Component 1: Internal Audit Plan. The Internal Audit Plan sets the corporate framework
for guiding IT Audits. See example in Appendix 4.

Component 2: IT Audit Plan. The IT Audit Plan sets the pace and drives the execution
of all IT Audits. See example in Appendix 6.

Component 3: IT Auditing Methodology. The IT Auditing Methodology describes how
to perform the audit actions in the selected area (e.g., IT Security) or system (e.g., Payroll)
to be audited. See example in Chapter 4.

Component 4: Auditing around/through the computer. This entails: (a) Auditing around
the computer, and (b) Auditing through the computer.

4.1. Auditing around the computer. Without knowing any aspects of the computer
technology, the IT auditor develops the procedures to review input documents and output
reports only. It involves picking source documents at random and verifying the corresponding
outputs against the inputs. For example, the accounting system reports that the cash book balance
reconciles with the bank balance as per the bank statement. The IT auditor may conduct his (or
her) own reconciliation to confirm whether this is true.

4.2. Auditing through the computer. When auditing through the computer, IT auditors
follow the audit trail through the internal computer operations in order to verify that the
processing controls that are incorporated in the application programs are functioning properly.

The IT auditor assumes that the main computer system (CPU, additional hardware, etc.)
is functioning properly. The techniques used in auditing through the computer include:
developing and using a set of ‘test data and transactions’ to run through the specific
application system audited and testing the results, using an integrated test facility, Parallel
Simulation and CAATs, auditing application and system logs, trying various passwords to
test password strength, using embedded audit modules to achieve continuous auditing, etc.
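As an added illustration (not code from the book or from any audit tool it mentions), the Python harness below sketches the ‘test data’ and Parallel Simulation techniques of Component 4.2: a constructed set of test transactions is run through a hypothetical stand-in for an audited payroll application and through the auditor’s own independent re-computation, and every disagreement is reported as an audit exception. The pay rules, the application stand-in and its two built-in defects are all assumptions made for the example; the same run also exercises the kind of input control described in section 1.5, by expecting invalid transactions to be rejected.

```python
"""Parallel simulation harness (added illustration; not from the book).

Assumed, constructed payroll rules: overtime paid at 1.5x the base rate,
a flat 20% tax, amounts rounded to the cent. 'application_net_pay' is a
hypothetical stand-in for the audited system, not a real product.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Callable, List, Optional

OVERTIME_MULTIPLIER = Decimal("1.5")   # assumed documented rule
TAX_RATE = Decimal("0.20")             # assumed documented rule


@dataclass(frozen=True)
class PayrollTxn:
    employee_id: str
    hours: Decimal
    overtime_hours: Decimal
    rate: Decimal


def _cents(amount: Decimal) -> Decimal:
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def passes_input_controls(txn: PayrollTxn) -> bool:
    """Input controls the auditor expects the application to enforce
    (section 1.5 style): no negative hours, no zero or negative rate."""
    return txn.hours >= 0 and txn.overtime_hours >= 0 and txn.rate > 0


def auditor_net_pay(txn: PayrollTxn) -> Decimal:
    """Auditor's independent re-computation from the documented rules."""
    gross = txn.hours * txn.rate + txn.overtime_hours * txn.rate * OVERTIME_MULTIPLIER
    return _cents(gross - _cents(gross * TAX_RATE))


def application_net_pay(txn: PayrollTxn) -> Decimal:
    """Hypothetical stand-in for the audited payroll application. It was
    given two constructed defects so the simulation has something to find:
    overtime is paid at the base rate, and a zero rate is not rejected."""
    if txn.hours < 0 or txn.overtime_hours < 0:
        raise ValueError("negative hours rejected")  # the one input control it has
    gross = (txn.hours + txn.overtime_hours) * txn.rate
    return _cents(gross * (1 - TAX_RATE))


def run_parallel_simulation(
    test_data: List[PayrollTxn],
    application: Callable[[PayrollTxn], Decimal] = application_net_pay,
) -> List[dict]:
    """Run each test transaction through the application and the auditor's
    model. Returns one exception record per discrepancy; an empty list means
    the application agreed with the auditor on every test case."""
    exceptions = []
    for txn in test_data:
        # Auditor's expectation: a valid transaction yields the re-computed
        # net pay; an invalid one must be rejected (expected result None).
        expected: Optional[Decimal] = (
            auditor_net_pay(txn) if passes_input_controls(txn) else None
        )
        try:
            actual: Optional[Decimal] = application(txn)
        except ValueError:
            actual = None  # application rejected the input, as a control should
        if expected != actual:
            exceptions.append(
                {"employee_id": txn.employee_id, "expected": expected, "actual": actual}
            )
    return exceptions


# Constructed test data: one normal case, one overtime case, two invalid inputs.
TEST_DATA = [
    PayrollTxn("E001", Decimal("40"), Decimal("0"), Decimal("20")),   # plain
    PayrollTxn("E002", Decimal("40"), Decimal("10"), Decimal("20")),  # overtime
    PayrollTxn("E003", Decimal("-5"), Decimal("0"), Decimal("20")),   # negative hours
    PayrollTxn("E004", Decimal("10"), Decimal("0"), Decimal("0")),    # zero rate
]

if __name__ == "__main__":
    for finding in run_parallel_simulation(TEST_DATA):
        print(f"EXCEPTION {finding['employee_id']}: expected "
              f"{finding['expected']}, application produced {finding['actual']}")
```

Running it reports two exceptions: E002 (overtime mis-computed, a processing control finding) and E004 (zero rate accepted, a missing input control), while E001 agrees and E003 is rejected by both sides.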

Component 5: IT Audit Execution and Support Tools. The IT Audit Execution and
Support Tools include audit programs, checklists, questionnaires and software to perform the
audit actions in the selected area (e.g., IT Security) or system (e.g., Payroll) to be audited.
See examples in Books 3, 4 and 5.


Component 6: IT Audit Report. The IT Audit Report documents the audit findings and
recommendations and is submitted to management for further action. See example in Book 2.

Component 7: IT Governance Controls. The IT Governance Controls contain examples
of policies, practices and procedures (controls) that support the managing process of both
the IT function as well the IT application systems of a company. See examples in Book 2.

The audit work (review and assessment, etc.) will be carried out by IT Auditors on the
basis of this IT Audit Approach and its components (methodology, specific audit programs
and audit questionnaires, etc.) as detailed in the following chapters of this book and the
other books in this series.


3 IT AUDIT PLAN
Overview: This chapter describes the steps required to develop an IT Audit Plan (the second
component of the IT Audit Approach) and presents an example of such a plan.

3.1 PURPOSE OF THE IT AUDIT PLAN


The main purpose of the IT Audit Plan is to inform all stakeholders (usually senior
management, the audit committee, IT executives, end users, etc.) and agree with them on:

a. The scope and the areas of the specific IT audits carried out during a year or
other predetermined period, and
b. The context and other conditions and participants involved.

3.2 PREPARATION OF THE IT AUDIT PLAN


The IT Audit Plan, within the operating framework of a company or organization, is prepared
by the Internal Audit Department, either based on the approved strategic
internal audit plan, or to satisfy the relevant request of various executives and stakeholders,
such as: Board of Directors, top management, audit committee, etc.

This is achieved by executing the steps of the following three phases:

• Phase A: Understand the business
• Phase B: Define the IT Audit Universe
• Phase C: Formalize the IT Audit Plan.

3.3 DESCRIPTION OF PHASES TO PREPARE THE IT AUDIT PLAN

Phase A: Understand the business


Description: The purpose of this phase is for IT auditors to get the best understanding of
the business for which they will perform an IT audit. This will be achieved by executing
the actions of the following steps:


Step 1: Review audit issues with top management


During this step the IT Audit Management of the company will meet extensively with the
senior management, board members and the audit committee in an attempt to collect all
the necessary information regarding what IT audits should be carried out in all business
activities that operate on the basis of IT, during the next year.

The primary activities of this step are:

1. Conduct in-depth interviews with board members, audit committee members,
senior management and key stakeholders, and
2. Review, organize and evaluate information.

Step 2. Understand the corporate environment


Understanding what drives the business of the specific corporate entity is paramount
to defining an effective IT audit plan. Hence, it is most crucial to first understand the
organization’s business objectives, strategies, operating model, and the role that IT and
information systems have in supporting the business.

This can be done by identifying the risks found in the technologies used and how each risk
might prevent the organization from achieving a business objective. Doing so will result in
more meaningful and useful assessments for management.

Auditors can use different internal resources to identify and understand the organization’s
goals and objectives, including:

1. Corporate vision, mission, and value statements;
2. Internal Audit Plan (the first component of the IT Audit Approach, see example in
Appendix 4);
3. Strategic plans;
4. Management performance scorecards; and
5. Annual company reports and previous internal and external audit reports, etc.

Step 3: Review IT audit issues with management and key users

Once IT auditors have a better understanding of the business, they need to understand
the role of IT in the business operations. They can do this by reviewing:


1. Management’s vision and goals for the company’s IT systems with respect to the
services IT offers to the end users;
2. Management’s strategic goals and their correspondence to deployed IT systems,
processes and personnel;
3. The company’s IT application systems, strategy, policies, standards and procedures
as they are currently designed and implemented; and
4. Management’s view of the inherent corporate strategic risks, including their
significance and the likelihood that they materialize in the IT area.

For more details, see ‘Appendix 1: Corporate and IT Documentation’ and
‘Appendix 3: Documentation to understand an IT System’.

Step 4: Collect and review IT corporate data

During this step all the necessary documentation pertaining to the design, deployment and
operation of the company’s IT systems is collected and reviewed in order to identify the
existing resources, facilities, information, data, transactions and test environments.

As an indication, the information collected includes the following:

1. IT studies and relevant reports, customer and user satisfaction surveys,
performance benchmarks, etc.;
2. IT systems documentation, such as application guides, system diagrams,
network schematics, work flow process charts, information flowcharts, etc.;
3. IT strategic plans, IT budget and action plans, IT mission and vision
statements, long- and short-term objectives, etc.; and
4. IT standards, policies and procedures, etc.

For more details, see ‘Appendix 1: Corporate and IT Documentation’ and
‘Appendix 3: Documentation to understand an IT System’.

Products of Phase A
The products of Phase A include the working notes of the IT auditors and the minutes of the
various meetings held to discuss and review the above IT issues with management
and stakeholders. Management as well as key end users will also have a general idea of what
an IT audit entails.


Phase B: Define the IT Audit Universe

Description: The purpose of this phase is for IT auditors to fully understand the company’s
IT strategy and environment so that they can better prepare for crafting the IT Audit Plan.

This is achieved by executing the actions of the following steps:

Step 1. Determine the IT Audit Universe and Audit Areas

Determining what to audit in IT is one of the most important internal audit activities, as
performing the annual IT audit plan will have a profound impact on the overall success of
the internal audit department.

Defining the IT audit universe, and the areas to audit in a particular year, may be done
independently of the risk assessment process. Defining the IT audit universe requires
in-depth knowledge of the organization’s objectives, business model, and the IT service
support model.

For an example of an IT audit universe and the areas and issues that comprise it, see: ‘Appendix
2: IT Audit Areas’.

Step 2: Perform Risk Assessment

An effective comparative risk evaluation is essential for the IT audit of
the company’s systems. The approach focuses on three specific elements:

1. A systematic inventory of all potential IT risks, recorded under their
respective audit areas (as per Appendix 2),
2. Grading the impact of each recorded risk on a predefined scale (1 to 10, 1 being the
lowest possible impact and 10 the highest) and assigning each risk a probability of
occurrence on a similar scale, and
3. Combining the two grades into a single score for each identified risk (for instance
their product), so that risks can be compared.

This approach enables a quicker, more objective and more efficient assessment
and ranking of the identified inherent risks facing the company’s IT systems according to
their relative significance for the organization.


Step 3. Understand IT Strategy

Once IT auditors have become familiar with the organization’s environment and IT systems,
they need to review the company’s overall IT strategy to understand how it aligns with the
business objectives identified in Phase A. Because the organization may document the
relationship between its business objectives and the IT strategic plan in different forms, IT
auditors need to obtain, read, and understand these documents. Generally speaking, the IT
strategic plan should link back to organizational objectives and provide clear direction as to
how it supports them. In other words, the IT plan should identify tactical actions
to be performed by the IT department within a defined period of time, designed
to support the achievement of the organization’s objectives.

Step 4: Define IT Audit Objectives

The IT audit required within the context of the Internal Audit activities must aim to
provide quick and effective results on the basis of an efficiently organized schedule,
resource allocation, budget and implementation plan. Additionally, it should focus on
the company’s critical business functions and its corporate objectives, and its
most important dimension should be assurance that the company’s IT assets and data are
properly controlled and protected.

The main activities of this step are:

1. Select IT areas to be audited (see Appendix 2 for a full list) on the basis of an
IT Audit Preparation Questionnaire (see Appendix 5), and
2. Define IT audit project scope and objectives.

Products of Phase B
The products of Phase B include the working notes of the IT auditors, a risk assessment
report of the identified IT risks, and the set of IT audit areas to be included in
the IT Audit Plan. Management as well as key end users will also have a better idea of what
a specific IT audit of their systems entails.


Phase C: Formalize the IT Audit Plan

Description: The purpose of this phase is for IT auditors to create and formalize an effective
IT audit plan with the right resources, approved by management and well integrated with
the company’s existing Internal Audit Plan.

This is achieved by executing the actions of the following steps:

Step 1: Determine IT audit frequency

Depending on the results of the risk assessment, not all IT audit areas
can or should be reviewed in every audit cycle. Since audits occur on a cyclical basis,
multiyear IT audit plans need to be developed and presented to management and the audit
committee for review and approval.

The multiyear plan usually specifies which audits (e.g., IT Security, Application 1, Application
2, etc.) will be performed and when, ensures that adequate audit coverage is provided over
this period of time, and identifies audits that may require specialized external resources or
additional internal resources, etc.

The best approach is to create a one-year IT audit plan, derived from the multiyear
plan, that outlines the IT audit activities planned for the upcoming year.
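The scoring described in Phase B, Step 2 and the frequency decision described in this step can be mechanized so that the ranking is reproducible and the basis for it can be shown to the audit committee. The following Python example is added here and is not from the guide: its audit areas and risk entries are constructed, and the scoring rule (impact times likelihood on the two 1-to-10 scales, with an audit area inheriting its highest-scoring risk) and the frequency tiers (score 50 or more audited annually, 25 to 49 every two years, below 25 every three years) are assumptions chosen for illustration.

```python
"""Illustrative risk scoring and multiyear audit scheduling for an IT audit universe.

Added example, not from the guide. The audit areas and risk entries below are
constructed; the scoring rule (impact x likelihood on 1..10 scales, an area
inheriting its highest-scoring risk) and the frequency tiers are assumptions
chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    area: str         # IT audit area, as in Appendix 2
    description: str
    impact: int       # 1 (lowest) .. 10 (highest)
    likelihood: int   # 1 (least likely) .. 10 (most likely)

    def score(self) -> int:
        """Combine the two grades into one score (1..100); reject grades off the scale."""
        for grade in (self.impact, self.likelihood):
            if not 1 <= grade <= 10:
                raise ValueError(f"grade {grade} outside 1..10 for {self.description!r}")
        return self.impact * self.likelihood


# Constructed risk register (not a real organisation's).
RISK_REGISTER = [
    Risk("IT Security", "Shared administrator accounts on core servers", 9, 7),
    Risk("IT Security", "Firewall rule changes are not reviewed", 7, 6),
    Risk("Application Operations", "Payroll interface lacks reconciliation controls", 8, 5),
    Risk("Data Center Operations", "Recovery plan has never been tested", 9, 4),
    Risk("Personal Computers", "Unlicensed software on workstations", 4, 6),
    Risk("User Support", "Help desk tickets not tracked to closure", 3, 5),
]

# Assumed tiers: (minimum area score, audit every N years). Checked top-down.
FREQUENCY_TIERS = [(50, 1), (25, 2), (0, 3)]


def area_scores(register):
    """Aggregate per audit area: an area inherits its highest-scoring risk."""
    scores = {}
    for risk in register:
        scores[risk.area] = max(scores.get(risk.area, 0), risk.score())
    return scores


def audit_frequency(score):
    """Map an aggregate area score to an audit interval in years."""
    for threshold, years in FREQUENCY_TIERS:
        if score >= threshold:
            return years
    raise ValueError(f"score {score} below the lowest tier")


def multiyear_plan(register, start_year, horizon=3):
    """Return {year: [areas]} so that each area recurs at its interval.

    Areas are placed in descending score order, so the highest risks head
    each year's list.
    """
    ranked = sorted(area_scores(register).items(), key=lambda item: -item[1])
    plan = {year: [] for year in range(start_year, start_year + horizon)}
    for area, score in ranked:
        every = audit_frequency(score)
        for year in range(start_year, start_year + horizon, every):
            plan[year].append(area)
    return plan


if __name__ == "__main__":
    ranked = sorted(area_scores(RISK_REGISTER).items(), key=lambda item: -item[1])
    for area, score in ranked:
        print(f"{area:24s} score={score:3d} audit every {audit_frequency(score)} year(s)")
    for year, areas in multiyear_plan(RISK_REGISTER, 2024).items():
        print(year, ", ".join(areas))
```

The thresholds and the “highest risk in the area” rule are policy choices; an audit function may prefer to sum the scores per area or to weight them by business criticality. Whatever rule is used, the register, the scores and the resulting plan belong in the working notes so the selection of areas is defensible.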

Step 2: Ensure availability of required resources

In addition to frequency, other factors that should be considered when defining the audit
plan include:

1. The availability of IT auditors and other resources (IT staff, legal counsel for auditing
outsourcing contracts, end users of the business systems audited, external technical
consultants for security penetration testing, etc.),
2. The skills required of IT auditors, and whether specific
training must be carried out for a new topic (e.g., auditing cloud operations),
3. Whether new audit tools need to be installed (e.g., CAATs, computer-assisted audit
techniques), and
4. Whether IT audits need to be synchronized with external audits.


Step 3: Confirm IT audit plan with management

IT auditors need to confirm the IT audit plan by having a final review and discussion with
management before they issue the final version. Through these discussions, insights into any
new aspects of the business are gathered, along with any new concerns or requirements
key stakeholders might have.

Step 4. Issue the formal IT Audit Plan

Defining the IT audit universe and performing a risk assessment are precursor steps to
selecting what to include in the IT audit plan. While everything in the IT audit universe
could be reviewed on a recurring basis if the availability of resources is unlimited, this is
not the reality for most internal audit functions. Consequently, IT auditors create and issue
an IT Audit Plan (the second component of the IT Audit Approach), including all actions that
are required to carry out one or more IT audits through the next year.

For more details, see Appendix 6.

Step 5. Integrate the IT Audit Plan with the Internal Audit Plan
One key aspect of the planning process is to determine the integration level of the IT audit
plan with non-IT audit activities in the Internal Audit Department.

Should the IT audit plan be executed on a stand-alone basis, or will IT audit subjects be
integrated with audits of other business areas (e.g., auditing the financial systems together
with the financial processes they support)?

Answers to these questions should be based on the internal audit department’s function as
well as its mandate, strategy, staff, size, geographical distribution, and audit management
approach.

In any case, IT audits should be integrated well into the overall Internal Audit Plan, regardless
of how they will be carried out.

Often, as consulting practice has shown, and depending on each case, IT audit
activities are planned and executed under the responsibility of a multidisciplinary team with
a balanced skill set, including IT audit expertise, IT staff participation, legal support, etc.


Product of Phase C
The product of Phase C includes issuing and distributing the final, formal IT Audit Plan
(the second component of the IT Audit Approach), as per example in Appendix 6.

Conclusion
The IT Audit Plan and the audit work (review and assessment, etc.) are carried out on
the basis of the IT Audit Methodology, specific audit programs and audit questionnaires,
as detailed in the following chapters of this book and the other books in this series.


4 IT AUDITING METHODOLOGY
Overview: This chapter describes the 4 phases and 22 steps of the proposed IT Auditing
Methodology (the third component of the IT Audit Approach).

4.1 DESCRIPTION OF THE IT AUDIT METHODOLOGY

Effective IT auditing is based on the IT Audit Plan (see Appendix 6), specific time frames,
the use of tools (audit programs, questionnaires, software, etc.) and the execution of specific
audits, as per the four-phase IT Audit Methodology described below.

4.2 PHASES OF THE IT AUDIT METHODOLOGY

Phase A: Planning the IT Audit

Purpose: The purpose of this phase is for IT auditors to plan the execution of an audit
of a specific IT audit area (e.g., IT Security). This is achieved by carrying out
the actions of the following steps:

Step 1. Define IT audit objectives and scope

The crucial first step of any audit is to define its objectives and scope. It must be decided
which IT audit area or areas the audit covers, as per the IT Audit Plan, and whether it covers
all issues in those areas or only selected ones.

An example follows:

Audit Objective # 1: Evaluate the physical security and environmental aspects of the facilities
(physical, technical, etc.) that house the main data center.

Audit Objective # 2: Determine if the processing operations and transactions of the
information systems are performed in accordance with the company’s procedures, as well
as the relevant laws and regulations.

The end result of this step is to design and define the objectives of this audit.


Step 2. Obtain user and IT commitment

IT Auditors must review what they will audit with the management of the particular area
they will be auditing to ensure: (a) their role is accepted and (b) that user and IT managers
commit and make available, both end user personnel as well as qualified IT staff to support
and collaborate in the upcoming audit.

IT Auditors must behave in a professional manner and ensure that the auditees behave in
a professional manner towards them, as well.

The end result of this step is the agreement of the audited function’s management to the
audit, and the creation of the technical test environment that the auditors will use for
their tests in the next phase.

Step 3. Perform risk assessment

Further to the review of the overall risk assessment included in the IT Audit plan (see
Chapter 3 and Appendix 6), IT Auditors may need to also perform a very specific risk
assessment related to the IT audit area and issues they will be auditing. For example, to
perform an IT Security Audit, they will need to assess the environment in which systems
and IT operate, if this has not been done previously.

This assessment includes:

1. The types of IT infrastructure, hardware and systems, and the possibility of
malfunctions,
2. The strength of the relevant control points (IT controls),
3. The applicable regulatory or legal framework and needs,
4. The history from previous IT audits,
5. The technical and technological sophistication and complexity of the
information systems of the organization, and
6. The existence and operation of computer systems developed in-house by the
organization, as compared with standard application packages, for the critical
applications of the organization (core business functions), etc.

The end result of this step is the review, analysis and understanding of IT risks (IT risk
assessment) to perform this particular IT audit.


Step 4. Finalize list of issues to audit

Based on this study and the audit objectives, IT auditors will compile a list of the issues that
are critical to forming their audit opinion.

For example, the audit issues or points for the IT audit area ‘IT SECURITY’ include
the following:

1. Management of Information Security Issues
2. Information Security Policy
3. Hardware Security
4. Physical Access Security, etc.

For more details, see: ‘Appendix 2: IT Audit Areas’.

The end result of this step is to compile a list of audit issues (or control points) for the
IT Audit Area to be audited.

Step 5. Design audit samples

IT auditors will design the audit sample to achieve the audit objectives, taking into account:

1. The number of data items / documents / transactions in the population,
2. The size of the system,
3. Whether the sample is objective and representative of the total population, and
4. The expected errors;

using methods such as statistical random sampling, statistical systematic sampling,
haphazard sampling and judgmental sampling.

For more details, see: ‘Appendix 7: Audit Sampling Methods’.

The end result of this step is the preparation of an audit sample for the audit area to be
audited.
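An added Python example (not from the guide) of the sampling methods named above: statistical random sampling, statistical systematic sampling, and a judgmental selection of all high-value ‘key items’ combined with a random sample of the remainder. The population of payment transactions, the sample sizes and the key-item threshold are constructed assumptions; the random seed is fixed so that the selection can be reproduced from the working notes.

```python
"""Selecting an audit sample from a population of transactions.

Added example, not from the guide. The population is constructed; the sample
sizes and the key-item threshold are assumptions chosen for illustration. A
fixed seed makes the selection reproducible, which matters because the basis
of the sample must be documented in the working notes.
"""
import random


def make_population(size, seed):
    """Constructed population of payment transactions (not real data)."""
    rng = random.Random(seed)
    return [{"id": i, "amount": rng.randint(10, 5000)} for i in range(1, size + 1)]


def random_sample(population, n, seed):
    """Statistical random sampling: every item has the same chance of selection."""
    if n > len(population):
        raise ValueError("sample larger than population")
    chosen = random.Random(seed).sample(population, n)
    return sorted(chosen, key=lambda t: t["id"])


def systematic_sample(population, n, seed):
    """Statistical systematic sampling: fixed interval from a random start.

    With interval = N // n and a start below the interval, the last index
    start + interval * (n - 1) is always inside the population.
    """
    if n > len(population):
        raise ValueError("sample larger than population")
    interval = len(population) // n
    start = random.Random(seed).randrange(interval)
    return [population[i] for i in range(start, start + interval * n, interval)]


def key_items_plus_random(population, threshold, n_rest, seed):
    """Judgmental selection of all items at or above a value threshold (examined
    100%), plus a random sample of the remainder. The two strata are returned
    separately so the random part can be evaluated against its own population."""
    key = [t for t in population if t["amount"] >= threshold]
    rest = [t for t in population if t["amount"] < threshold]
    return key, random_sample(rest, n_rest, seed)


if __name__ == "__main__":
    population = make_population(500, 1)
    print("random:    ", [t["id"] for t in random_sample(population, 25, 7)])
    print("systematic:", [t["id"] for t in systematic_sample(population, 25, 7)])
    key, rest = key_items_plus_random(population, 4500, 10, 7)
    print("key items:", len(key), "plus random:", [t["id"] for t in rest])
```

The sample size itself is not computed here; it follows from the confidence level, tolerable error and expected error rate chosen for the test (see Appendix 7). Haphazard sampling has no algorithm to show, and because it cannot be reproduced or projected statistically, the reason for each item picked should be recorded.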

Step 6. Create the IT Audit Program

In order to audit any activity, and especially activities as complex as those in the field of
information processing, two conditions must hold:


1. The most important issues or points of each activity must be systematically
audited.
2. Standards must exist against which every audit issue can be assessed. If these standards
are incomplete, the IT auditor supplements them with those that apply, as a rule, in
similar cases.

Only in this way can IT auditing become an objective process in which standards are
compared to what is being done or has been done.

Based on all the above, the audit programs of the specific audit are created (see examples
of IT audit programs and IT audit questionnaires in Books 4 and 5).

The final result of this step is the preparation of an audit program and audit questionnaires
for the IT audit area to be audited.

Phase B: Executing IT Audit Tasks

Purpose: The purpose of this phase is for IT auditors to carry out the execution
activities for the selected IT audit area (e.g., IT Security). This is achieved by executing
the actions of the following steps:

Step 1. Create a test environment and select audit techniques

Based on the above and the IT Audit Program, IT auditors select the test types and
techniques to be followed during the execution of the audit.

1. Audit tests include: compliance tests; weakness tests; and substantive tests.
2. Testing techniques include: interviews; questionnaires; numerical operations on
transactions; walkthroughs; flow charts; data capture and analysis; confirmation
of movements / documents (vouching); observation; sampling checks (spot
checks); analytical review; and use of special software (audit software).
3. IT prepares and creates the computerized test environment in which the IT
auditors carry out their tests.

The end result of this step is the selection of audit test types and techniques for the IT
audit area to be tested and a unique computerized test environment for IT Auditors.


Step 2. Execute audit tests

IT auditors carry out the following sets of tests according to the IT Audit Program.

Set 1. Weakness testing. IT auditors may, in many cases, conduct a preliminary assessment
of the IT controls in the system or area under audit to gain assurance
that the existing IT controls (general IT controls and application controls) are reliable and
operate under a suitable IT governance framework. The assessment of controls at this level
would include assessing the effectiveness and suitability of: IT governance mechanisms;
development of application systems; procurement of IT solutions; operation of computerized
application systems; information security; business continuity and IT disaster recovery, etc.

Next, the IT Audit Area to be audited is reviewed and evaluated.

Examples of the weaknesses such tests look for are: lack of physical and logical security;
inadequate documentation / records; non-existent security policy; ineffective or informal
password policy and controls; lack of proper oversight of application changes, etc.

Set 2. Compliance testing. A detailed examination and evaluation of controls is carried out
through the review of IT policies, procedures and systems documentation. The IT auditor
performs tests to verify that the IT control policies, practices and procedures set by
IT management work as planned. The auditor also examines documents such as descriptions,
diagrams, and source program code. In desk checking, the auditor traces valid and invalid
test data through the program logic by hand.

Examples of compliance tests include:

1. Verify that the configuration of all routers implements the required controls.
2. Verify the change management steps to ensure controls are effective for all
application systems.
3. Review system access rights for all systems.
4. Review firewall settings.
5. Review compliance with the password policy for all personnel.

Set 3. Substantive testing. In substantive testing, the IT auditor gathers evidence to evaluate
the integrity of data, transactions or other controls. Substantive testing checks the integrity
of contents.


Examples of substantive tests include:

1. Set up a test database with fictitious test data and test an application system
(e.g., payroll processing), or the encryption process and its results for the personal
data stored.
2. Use of the actual production environment with fictitious (test) transactions (only with
safeguards that isolate the test transactions and reverse them afterwards).
3. Integrate special code specified by IT auditors (embedded audit routines) into the
production programs, recording the processing in special files (audit files).
4. Use of special software (audit software) that collects the transactions, examines
the results in the production files, and analyzes possible erroneous processing
or events.
5. Test the backup policy and procedures to ensure that all applications and
software are recovered as per policy.
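The following Python example is added here, and is not the guide’s own material, to show what the ‘audit software’ of example 4 does in practice: a set of substantive tests run over a payment file. The payment records, the vendor master, the business-hours rule and the batch report’s control total are constructed test data, and each test’s rule (a duplicate is the same vendor, invoice and amount paid twice; a segregation-of-duties breach is a payment whose creator also approved it; and so on) is an assumption for illustration.

```python
"""CAAT-style substantive tests over a payment transaction file.

Added example, not from the guide. The payment records, vendor master,
business-hours rule and reported control total are constructed test data;
the test rules are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

VENDOR_MASTER = {"V100", "V200", "V300"}   # constructed vendor master file
BUSINESS_HOURS = range(7, 20)              # 07:00-19:59, assumed policy

# Constructed payment run (not real data).
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "invoice": "INV-1", "amount": "1250.00",
     "created_by": "alice", "approved_by": "bob", "posted": "2024-03-04T10:15:00"},
    {"id": "P2", "vendor": "V200", "invoice": "INV-7", "amount": "980.50",
     "created_by": "carol", "approved_by": "carol", "posted": "2024-03-04T11:02:00"},
    {"id": "P3", "vendor": "V100", "invoice": "INV-1", "amount": "1250.00",
     "created_by": "alice", "approved_by": "dave", "posted": "2024-03-05T09:40:00"},
    {"id": "P4", "vendor": "V999", "invoice": "INV-3", "amount": "400.00",
     "created_by": "erin", "approved_by": "bob", "posted": "2024-03-05T23:30:00"},
    {"id": "P5", "vendor": "V300", "invoice": "INV-9", "amount": "75.25",
     "created_by": "frank", "approved_by": "bob", "posted": "2024-03-06T14:00:00"},
]
# Control total printed on the constructed batch report (deliberately short by P4).
REPORTED_TOTAL = Decimal("3555.75")


def duplicate_payments(records):
    """Same vendor, invoice and amount paid more than once; returns id groups."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["vendor"], r["invoice"], r["amount"])].append(r["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def sod_violations(records):
    """Segregation of duties: the creator of a payment also approved it."""
    return [r["id"] for r in records if r["created_by"] == r["approved_by"]]


def unknown_vendors(records, master):
    """Referential integrity: payment to a vendor absent from the vendor master."""
    return [r["id"] for r in records if r["vendor"] not in master]


def out_of_hours(records):
    """Postings outside the assumed business hours."""
    return [r["id"] for r in records
            if datetime.fromisoformat(r["posted"]).hour not in BUSINESS_HOURS]


def recompute_total(records):
    """Control total recomputed with exact decimal arithmetic."""
    return sum((Decimal(r["amount"]) for r in records), Decimal("0"))


def run_all(records, master, reported_total):
    """Run every test and return the findings keyed by test name."""
    return {
        "duplicates": duplicate_payments(records),
        "sod": sod_violations(records),
        "unknown_vendor": unknown_vendors(records, master),
        "out_of_hours": out_of_hours(records),
        "total_difference": recompute_total(records) - reported_total,
    }


if __name__ == "__main__":
    for test, result in run_all(PAYMENTS, VENDOR_MASTER, REPORTED_TOTAL).items():
        print(f"{test:16s} {result}")
```

Amounts are handled as Decimal so the recomputed control total is exact; summing floating-point values read from a file is a classic source of spurious differences. Every hit is returned with the record identifiers so that it can be traced back to the source documents in the working notes, and a positive total difference (here the payment to the unknown vendor) points the auditor at what the batch report omitted.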

All tests, findings, results, etc., shall be documented in the audit working notes and related forms.

The final result of this step is the examination of the audit tests conducted and results for
the IT audit area tested.

Step 3. Evaluate and document findings

IT auditors evaluate the findings against the evaluation criteria (low, medium and high
priority, as per Appendix 8 ‘IT Audit Findings Assessment Criteria’), and summarize all
findings, results and suggestions in the working notes and in a report. The report is usually
discussed with the relevant executives of the company before its final version is issued, as
described below.

The end result of this step is the evaluation and documentation of the findings for the IT
Audit area that has been tested.

Step 4. Review of initial findings with the auditees

Initial IT audit findings are discussed (except in proven fraud cases) and test results are
reviewed with all stakeholders for the purpose of understanding the tests, designing additional
tests and controls, and cross-checking the audit evidence and findings.


Step 5. Perform additional tests

Depending on the findings of the IT audit, additional tests may need to be performed in
the area under audit, for example further tests on the computer systems used in the
specific business operation for which the audit is performed.

Phase C: IT Audit Reporting

Purpose: The purpose of this phase is for IT auditors to prepare a Report and issue it to Senior
Management and other authorized stakeholders (e.g., Audit Committee, IT Manager, etc.).

Step 1. Issue the initial ‘draft’ IT audit report

The initial “draft” audit report is prepared, according to the ‘IT AUDIT REPORT Template’
in book 3 of this series. This includes the initial findings of the audit, which will be reviewed
with stakeholders in the next step.

Step 2. Review the initial ‘draft’ IT audit report with the auditees
The initial ‘draft’ IT audit report is reviewed with all those directly audited, and their
comments and observations are recorded.

Step 3. Review the initial ‘draft’ IT audit report with management

The initial ‘draft’ IT audit report is reviewed with all levels of management of the auditees
and their relevant comments and remarks are recorded.

Step 4. Improve the initial ‘draft’ IT audit report

The initial ‘draft’ IT audit report is improved with the relevant comments and remarks
collected from those directly audited and from the management of the audited unit, and its
final version is prepared.


Step 5. Issue the ‘final’ audit report

The final ‘official’ IT audit report is prepared according to the ‘IT AUDIT REPORT
Template’ in Book 3 of this series.

This includes the findings of the audit, with all relevant comments and observations
collected from those directly audited and the management of the audited entity, and a set
of IT audit recommendations to remediate the errors, gaps and omissions found in the area
audited by the IT auditors.

This final version is transmitted to all the competent and approved levels of management
of the audited unit as well as to senior management levels (e.g., CEO, audit committee,
chairman, managing director, etc.).

Phase D: Managing IT Audit Projects

Purpose: The purpose of this phase is for IT auditors to organize and run IT audits
with quality and discipline, and to document their work and tests properly.

Step 1. Management and Organization of the IT Audit Project

This step includes defining the management plan, the organizational structure, the milestones,
phases, people, tasks and activities of the IT Audit Project. It also involves implementing
the audit tasks and closing the project.

Step 2. Monitoring, supporting and controlling the IT Audit Project

This step includes: (a) Monitoring, auditing, reporting and evaluating the progress and results
of the Audit Project; (b) Assessing and managing the project risks and providing technical
support of the Audit Project; and (c) Managing quality, changes and resolving any issues
and problems during the IT audit process.

Step 3. Documentation of audit work notes

To ensure that the company’s IT audit personnel can continue to develop the processes
and controls required to maintain the highest possible level of IT audit capability, the
IT audit project team documents all project phases in detail, with their corresponding
working notes, findings and results.


APPENDIX 1. CORPORATE
AND IT DOCUMENTATION

1. Corporate Plans, Policies and Procedures

• Annual company reports;
• Strategic planning documents;
• Employee confidentiality agreements;
• Internal Threats Response Plan;
• A recent organisational chart;
• Relevant legislation and regulations;
• Procedural manuals and system workflows;
• Results of any other relevant audits, departmental assessments or self-assessments;
• Vital records lists;
• Corporate Policies and Procedures Manual;
• Data Quality Policy and Procedures;
• Corporate Risk Management Process;
• Corporate Risk Register;
• Corporate Personnel Management Procedures;
• Business Records and Management System;
• Business Records Inventory;
• Privacy and Security Awareness and Training Plan.

2. IT Plans, Policies and Procedures

• IT Plans, Policies and Procedures (Strategy, Security, System Development,
Backup-Recovery, Password, IT Acceptable Use, Encryption, IT Disaster
Recovery, Data Classification, etc.);
• A recent IT organisational chart;
• Relevant IT regulations;
• Security and Privacy Methodology in IT Systems Development;
• Application Systems manuals and system workflows;
• IT System documentation;
• Results of any previous IT Audits;
• IT Assets Inventory;
• DP by Design/Default Software;
• Clean Desk and Screen Policy;
• Security and Breach Awareness Training;
• Data Loss Prevention solution;
• Intrusion Detection and Prevention System.

3. Privacy (GDPR) Related Plans, Policies and Procedures

• Documentation of the Personal Data (PD) Processing environment;
• PD Minimization Policy; PD Disposal Register;
• PD Inventory; Web Site Privacy Policy;
• Employee Privacy Policy;
• Privacy Laws and Standards Manual;
• GDPR Gap Analysis Report;
• Consent System; Cookies Policy;
• DS Rights Satisfaction System;
• GDPR Compliance Plan;
• Third Party Disclosure Agreements;
• DP Monitoring System;
• DPIA Methodology;
• DP by Design/Default Policy;
• DP by Design/Default Techniques;
• Vulnerability assessment;
• Data Breach Management System;
• PD Access Register.


APPENDIX 2. IT AUDIT AREAS

Area 1. IT ORGANISATION & ADMINISTRATION
Issues: IT Department Organization; CIO Business Plan; Budget; Performance Monitoring
& Capacity Planning; IT Service Management; IT Assets Control; Project Management;
Problem Management; IT Procurement; Vendor Management, etc.

For more examples of Audit Issues, see: ‘IT Governance Audit Program’, ‘IT Administration Audit
Program’, ‘IT Personnel Management Audit Program’ and ‘IT Procurement Audit Program’, in
Book 4 of this series.

Area 2. IT STRATEGY
Issues: Strategy Process; Strategic Management; Electronic Data Interchange Strategy, etc.

For more examples of Audit Issues, see: ‘IT Strategy Audit Program’ in Book 4 of this series.

Area 3. SYSTEM DEVELOPMENT & MAINTENANCE
Issues: Standards & Methodologies; Software specifications; Error correction procedures;
Software package evaluation; Program and system testing; User documentation, etc.

For more examples of Audit Issues, see: ‘Systems Development, Acquisition and Implementation
Audit Program’ in Book 4 of this series.

Area 4. IT SECURITY
Issues: Management of Information Security; Information Security Policy; Hardware Security;
Physical Access Security; Personnel Security; Operating System, Network, Data Base
Management and Application Systems Security, etc.

For more examples of Audit Issues, see: ‘IT Security Audit Program’ in Book 4 of this series.


Area 5. IT LEGISLATION COMPLIANCE
Issues: Legislation; Licenses; Data Privacy, etc.

For more examples of Audit Issues, see: ‘IT Compliance Audit Program’ in Book 4 of this series.

Area 6. DATA CENTER OPERATIONS
Issues: Operations standards; Physical Access; Environmental protection; Fire protection;
Health and safety; Media access control; Preliminary Planning for Critical Applications;
Contingency plan deliverables; Alternate facility review, Backup and Recovery policy review;
Recovery testing plan review, etc.

For more examples of Audit Issues, see: ‘Data Center Operations Audit Program’ and ‘Outsourcing
and Cloud Operations Audit Program’ in Book 4 of this series.

Area 7. SYSTEMS SOFTWARE MAINTENANCE
Issues: Software assets; Maintenance contracts; Program library maintenance; Problem fixing;
Security review; System documentation review; Performance monitoring, etc.

For more examples of Audit Issues, see: ‘Systems Software Audit Program’ in Book 4 of this series.

Area 8. DATA & DATA BASE MANAGEMENT
Issues: Data management; Data Base Controls, Data Base Modeling, Data Base Security, etc.

For more examples of Audit Issues, see: ‘Systems Software Audit Program’ in Book 4 of this series.

Area 9. PERSONAL COMPUTERS
Issues: Management control and procedures; Security; Technical support; Software
development, etc.

For more examples of Audit Issues, see: ‘Applications and End-Users Audit Program’ in Book
4 of this series.


Area 10. USER SUPPORT
Issues: User satisfaction assessment; Help desk support; Data backup, etc.

For more examples of Audit Issues, see: ‘Applications and End-Users Audit Program’ in Book
4 of this series.

Area 11. DATA COMMUNICATIONS & NETWORKING
Issues: Strategic planning and design; Network security; Maintenance contracts management;
Problem resolution and support; Change and performance management, etc.

For more examples of Audit Issues, see: ‘Systems Software Audit Program’ in Book 4 of this series.

Area 12. APPLICATION OPERATIONS
Issues: Controls (input, processing, etc.); Transaction audit trails; Data integrity controls;
Continuity of application processing, etc.

For more examples of Audit Issues, see: ‘Applications and End-Users Audit Program’ in Book
4 of this series.

APPENDIX 3. DOCUMENTATION
TO UNDERSTAND AN IT SYSTEM
Introduction: In order to execute an IT audit in a particular IT application system or the
IT function and its general controls, it is good practice to collect and review the following
documentation, in addition to the documentation included in Appendix 1.

List of documents
1. Brief background of the IT unit.
2. IT organization chart.
3. IT department’s job descriptions.
4. IT department’s responsibilities with reference to the specific applications.
5. IT personnel policy. List of IT applications and their details.
6. Network and application architecture, including client server architecture.
7. IT budget.
8. IT asset inventory.
9. IT Project management reports.
10. Details of major server hardware and personal computers.
11. Details of software (including whether developed in-house, cloud operations, etc.).
12. Database details.
13. Data Flow Diagrams.
14. Data Dictionary.
15. Details of interfaces with other systems.
16. Systems manual, User manuals and Operations manual.
17. List of users with permissions.
18. List of major vendors.
19. Regulations and laws that affect the organization (for example: GDPR, etc.).


APPENDIX 4. INTERNAL AUDIT PLAN


Company Name: <’XYZ (fictitious) Corporation S.A.’>

Internal Audit Plan 202X/202Y

1. Internal Audit Purpose


The overall purpose of the Internal Audit plan is to provide the framework for the use
of audit resources. It is a yardstick for measuring internal audit performance ensuring that
resources are focused on activity that will make the most difference to securing the objectives
of the company.

2. Strategic objectives of Internal Audit


The strategic objectives of the company’s internal audit function are the following:

Strategic objective # 1. To increase the added value in the structures, systems and processes
of the company in order to improve its operational efficiency and effectiveness.

Strategic objective # 2. To strengthen the risk assessment and annual planning process
focusing on existing and emerging high-risk areas, such as strategic issues, information
technology and research of new services and products, and business risks in new markets.

Strategic objective # 3. To improve the alignment of audit work plans and other oversight
activities with the business objectives and plans of the company.

The effectiveness of Internal Audit in delivering the strategy through the annual audit plan
will be monitored by the Audit Committee. This Committee will receive reports from the
Manager of Internal Audit detailing key issues and the status of significant audit findings
and recommendations. The percentage of audit recommendations implemented by each
corporate function will be reviewed by the Audit Committee.


3. Key Risks
The following key risks identified by the company and listed in the risk register are addressed
by the internal audit plan. These are:

1. Cyber security issues.
2. Non-performance of the finance system.
3. Errors in the payroll system.
4. Fraud, theft and misuse of assets.
5. Non-performance of outsourcing contracts.
6. Unsatisfactory procurement procedures.
7. GDPR compliance.

4. Internal Audit Service Plan Delivery


This plan has been drafted following consultation with the CEO, the managers of each
business function and the Audit Committee in order to elicit their views and proposals.

5. Basis of Audit Opinion


All audit reports issued include an assurance rating on the basis of the definitions shown
below.

No Assurance: Controls are very weak or non-existent, leaving the system open to significant
errors, abuse, and fraud, etc.

Limited Assurance: Some controls operate effectively. There are also several critical controls
that may put the company at risk.

Satisfactory Assurance: Most controls operate effectively. There are, however, a small number
of controls which are not very effective.

Substantial Assurance: There is a sound system of control designed to achieve the business
objectives. No errors or weaknesses were found.


6. Internal Audit - Resource Plan


The available resources (number of persons, man-days) for the year (for each month or quarter)
to perform audits will be listed. Also, an allocation of days to audit per corporate function
to be audited (e.g., Finance, HR, BCP, IT, Fraud, Procurement, etc.) will be noted here.

7. Internal Audit Performance

7.1. Audit Standards


Internal Audit works to the standards prescribed by the < refer to the regulation or law,
etc.>. A self-assessment against these standards will be undertaken annually and the results
considered by the company’s Audit Committee.

7.2. Audit Performance Measures and Indicators


The following performance indicators (example) will be presented to the Audit Committee
during the year:

1.1. Performance Measure: Recommendations agreed in Final Audit reports.

1.2. Performance Indicator: % recommendations agreed by company functions.

2.1. Performance Measure: Recommendations implemented by company functions & signed
off by Internal Audit.

2.2. Performance Indicator: % medium & high priority recommendations implemented.


APPENDIX 5. IT AUDIT
PREPARATION QUESTIONNAIRE

1. Staff Changes
Q1. Were there any changes in critical staff (redundancies, recruitment, transfers, etc.) that
have significantly affected the operation of the unit you manage or service you offer?

2. Internal Environment
Q2. Were there significant changes in business policies and procedures that significantly
affected the operation of the department you run?

Q3. Have there been any breakdowns, damage, security incidents, fraud, theft, destruction,
malfunctions, etc., in the facilities, IT equipment, systems, and infrastructure you use in
the last 2 years that have significantly affected the operation of the department you run or
service you offer?

3. External environment
Q4. Have there been urgent and significant changes in the compliance rules imposed by
external entities in the last 2 years, which have significantly and substantially affected the
operation of the unit or service you manage?

Q5. Have there been urgent and significant changes imposed by external auditors in the
last 2 years, which have significantly and substantially affected the operation of the unit or
service you manage?

Q6. What and how critical are the reports of your unit or service submitted to external
audit or other regulatory and governmental entities?


4. IT Environment
Q7. Have there been any breakdowns, damage, security incidents, fraud, theft, disasters,
malfunctions, etc., affecting the information and IT systems you have used in the last 2
years, which have significantly affected the operation of the unit or service you run?

Q8. How critical are the computer systems you have used in the last 2 years, and how
significantly have they affected the operation of the unit or service you run?

Q9. What type of IT audit do you think should be done?

Q9.1. Audit of ‘General Accounting System’ or other systems?

Q9.2. Audit of IT Security, etc.? (please add your thoughts and ideas).

Q10. What changes and improvements should or are expected to be made to the computer
systems you use?


APPENDIX 6. IT AUDIT PLAN

Part A. General Issues


A1. Summary: A brief description of the audit work to be performed and the context
(Internal Audit Plan, Company IT Environment- as per Annex 1, schedule, resources,
activities, user involvement, etc.) in which the IT Auditors will operate.

A2. Audit Purpose: A description of the audit purpose that has been pre-agreed with the audit
committee or other senior management body of the company. For example: ‘Examination
of the operation of the General IT controls of company ‘ABCDX SA’).

A3. Which IT Audit areas/systems to audit: IT Security, Application Controls, Payroll
processing system, etc.

A4. Prior Audit Details: A description of the findings, results and proposals of the previous
IT audit and what has been improved from the proposals made.

A5. Details of Stakeholders: List of all the details of the company’s executives or external
collaborators that the auditors will contact, such as: Name, Service, Telephones, Postal
Address, Email Address, etc.

A6. Responsibilities of Staff: Definition of the responsibilities of auditors and those involved
in this audit.

A7. Internal Audit Plan: Reference to the Internal Plan Document.

Part B. Scope, issues and areas of IT Audit


B1. Description of the issues in the IT Audit areas or systems to be audited: Example: IT
security, Systems development, Payroll Processing System, etc.

For more details, see: Appendix 2.

B2. Details of the computerized test environment.


Part C. IT Audit Process


C1. IT Audit Methodology: A brief description of the IT audit methodology, phases and
steps, as referred to in Chapter XXX.

C2. IT Audit Programs: A brief description of the techniques, methods, audit programs
and audit questionnaires to be used.

C3. IT Audit Schedule: A detailed report of the specific IT audit schedule (time period,
duration, etc.).

C4. IT Audit Products: A summary of the products of the specific IT audit, such as the IT
audit report, test results, etc.

See book 2 for an example of an IT Audit Report.

Part D. Working Conditions


D1. Availability of Resources: Brief description of the required resources (people, equipment,
offices, data, systems, manuals, materials, etc.), on the part of those involved, to carry out
the specific IT audit.

D2. Operating Conditions: A brief description of the operating conditions and risks of
the business unit that govern the conduct of the specific IT audit.

D3. Confidentiality Statement: The confidentiality statement is made by the auditors to
declare to the management of the audited unit that they will maintain the confidentiality
of the information that has been disclosed to them during the audit.

D4. Audit Cancellation: A brief description of the possible causes and conditions for
cancelling the audit.

D5. Denial of Agreement: Indication of the procedure and mechanism for resolving disputes
between auditors and auditees regarding the findings, results and proposals of the IT audit.


Annex 1: Company IT Environment

1. IT Applications
The company (‘XYZ Corporation’) stores the data it processes by the use of the following
IT Systems:

1. E-Mail server,
2. Personnel Management System,
3. Crew Management System,
4. Vendor Management System,
5. Customer Management System,
6. Financial Management System and
7. Fleet Management System.

2. Web site
The main website of the Company (www.company.com) is supported by an external partner.

3. Service Providers
The following external entities process personal data on behalf of the company: ‘ABC’
External Payroll Services Company, ‘AXX’ Insurance Services Company, Manning Agencies,
Travel Agents, Local Agents, Port Agents, etc.


APPENDIX 7. AUDIT
SAMPLING METHODS

Method 1. Random sampling


In this method, each element of the population has the same probability of being selected
for the sample as any other element. For example, to select 10 instances from a population
of control instances numbered 1 to 100, an IT Auditor can either generate 10 numbers with
a random number generator or simply write each number from 1 to 100 on a piece of paper,
put the papers in a hat, mix them and then draw 10 numbers at random.

Method 2. Systematic sampling


In this method, every k-th element of the list is selected for the sample, where k is the
population size divided by the sample size, and the starting element is selected at random
from the first k elements of the list. For example, if the population has 1000 elements and
the sample size is 100, then k will be 1000/100 = 10.

If the number 7 is randomly selected from the top ten in the list, the sample will continue
based on the list by selecting the 7th item from each group of ten items.

Method 3. Stratified sampling


This method is used when each subgroup within the population should be represented in
the sample.

1. The first step is to divide the population into subgroups (layers) based on
mutually exclusive criteria.
2. Random or systematic samples are then taken from each subgroup. The
sampling fraction for each subgroup can be taken in the same proportion as the
subgroup of the population.
3. For example, if 40 samples are to be selected, and 10% of the population are
managers, 60% are users, 25% are operators and 5% are database administrators,
then 4 managers, 24 users, 10 operators and 2 database administrators will be
selected at random.


Method 4. Cluster sampling


In this method the sampled population is divided into groups called clusters, each of
which is as heterogeneous as possible so that it reflects the whole population. For example,
if an organization has 30 small projects in progress and the auditor is checking compliance
with a standard, he/she could use cluster sampling to randomly select 4 of these projects
and then randomly sample parts of each selected project for audit, rather than auditing
the 4 projects in full.

Method 5. Judgmental sampling

In judgmental sampling, the person drawing the sample uses his or her knowledge or
experience to select the items to be sampled. For example, the IT Auditor may choose to
test the most complex or critical functions, or the most commonly used parts of the software.
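The first four sampling methods above (random, systematic, stratified and cluster) are mechanical enough to be scripted, which is how an IT auditor would normally apply them to a large population such as a transaction log or a user list. The following Python block is an added example written for this guide, not code from the book; the population size (1000), sample size (100), starting position (7) and the 40-sample stratified allocation are the figures used in Methods 2 and 3, while the populations themselves and the function names are constructed for illustration.

```python
"""Audit sampling methods of Appendix 7 implemented as small helpers.

Added example, not code from the guide. The population size (1000), sample
size (100), start position (7) and the 40-sample stratified allocation are the
figures used in the text; every population below is constructed for
illustration and the function names are this example's own choice.
"""
import random
from typing import Dict, List, Optional, Sequence


def random_sample(population: Sequence, size: int, seed: Optional[int] = None) -> List:
    """Method 1: every element has the same probability of being selected."""
    return random.Random(seed).sample(list(population), size)


def systematic_sample(population: Sequence, size: int,
                      start: Optional[int] = None, seed: Optional[int] = None) -> List:
    """Method 2: select every k-th element (k = N / size), starting from a
    randomly chosen position within the first k elements. Positions are
    1-based, as in the text, so start=7 picks the 7th, 17th, 27th, ... item."""
    n = len(population)
    if not 1 <= size <= n:
        raise ValueError("sample size must be between 1 and the population size")
    k = n // size                        # sampling interval
    if start is None:
        start = random.Random(seed).randint(1, k)
    if not 1 <= start <= k:
        raise ValueError(f"start must lie within the first k={k} elements")
    # n // size may leave a remainder, so cap the result at the requested size
    return [population[i] for i in range(start - 1, n, k)][:size]


def stratified_allocation(total: int, proportions: Dict[str, float]) -> Dict[str, int]:
    """Method 3, step 2: proportional allocation of `total` samples to strata.
    Rounding can leave the sum off by one, so the largest stratum absorbs it."""
    if abs(sum(proportions.values()) - 1.0) > 1e-9:
        raise ValueError("stratum proportions must sum to 1")
    counts = {name: int(round(total * p)) for name, p in proportions.items()}
    remainder = total - sum(counts.values())
    if remainder:
        counts[max(counts, key=counts.get)] += remainder
    return counts


def stratified_sample(strata: Dict[str, Sequence], total: int,
                      seed: Optional[int] = None) -> Dict[str, List]:
    """Method 3: random sample from each stratum, sized in proportion to the
    stratum's share of the population (mutually exclusive strata assumed)."""
    population_size = sum(len(members) for members in strata.values())
    proportions = {name: len(members) / population_size for name, members in strata.items()}
    allocation = stratified_allocation(total, proportions)
    rng = random.Random(seed)
    return {name: rng.sample(list(members), allocation[name]) for name, members in strata.items()}


def cluster_sample(clusters: Dict[str, Sequence], n_clusters: int, per_cluster: int,
                   seed: Optional[int] = None) -> Dict[str, List]:
    """Method 4 (two-stage): randomly pick n_clusters clusters, then randomly
    sample up to per_cluster items inside each chosen cluster."""
    rng = random.Random(seed)
    chosen = rng.sample(list(clusters), n_clusters)
    return {name: rng.sample(list(clusters[name]), min(per_cluster, len(clusters[name])))
            for name in chosen}


if __name__ == "__main__":
    # Constructed populations: 100 numbered control instances, a 1000-item
    # transaction list, a 100-person user base and 30 small projects.
    print("random:     ", random_sample(range(1, 101), 10, seed=1))
    print("systematic: ", systematic_sample(list(range(1, 1001)), 100, start=7)[:5], "...")
    staff = {"managers": [f"m{i}" for i in range(10)], "users": [f"u{i}" for i in range(60)],
             "operators": [f"o{i}" for i in range(25)], "dbas": [f"d{i}" for i in range(5)]}
    print("stratified: ", {k: len(v) for k, v in stratified_sample(staff, 40, seed=2).items()})
    projects = {f"project{i}": [f"p{i}-part{j}" for j in range(1, 7)] for i in range(1, 31)}
    print("cluster:    ", sorted(cluster_sample(projects, 4, 2, seed=3)))
```

The `seed` parameter exists only so that a sample can be reproduced in the working papers; for a real audit the seed used should be recorded alongside the population extract, otherwise a reviewer cannot re-derive the selection. Judgmental sampling (Method 5) is deliberately not scripted, since the selection there rests on the auditor's knowledge of the system.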


APPENDIX 8. IT AUDIT FINDINGS
ASSESSMENT CRITERIA
The findings included in the IT audit report are evaluated on the basis of the following
assessment criteria (AC):

AC1. Design and effectiveness of corporate governance, administration and HR controls,
processes, procedures, policies, and systems related to IT.

AC2. Compliance with policies, standard operating procedures, and other requirements
(i.e., legal, regulatory, accounting, contractual).

AC3. Quality of the data and information provided by management and related IT systems.

AC4. Efficiency of IT policies, systems, processes and procedures.

Each IT Audit finding is assigned a risk indicator, as shown next.

High risk indicates: There are weaknesses in the IT Controls process that present significant
risk exposure to the IT system, area, project or unit under review. The significance of these
weaknesses makes it imperative to correct them, as soon as possible (1 to 2 months). Senior
management attention is required.

Priority for action: 1.

Recommendations for major improvements should be made by IT Auditors.

Follow-up actions to be included in an Internal Audit Follow-up Plan.

Medium risk indicates: There are weaknesses in the IT Controls process that present
moderate risk exposure to the IT system, area, project or unit under review. The significance
of these weaknesses makes it important to correct them. Senior management attention is
recommended, and operating management action is required.

Priority for action: 2.

Recommendations for improvements should be made by IT Auditors.


Follow-up actions to be included in an Internal Audit Follow-up Plan.

Low risk indicates: There are weaknesses in the process that present minor risk exposure to
the IT system, area, project or unit under review. It is a good idea to correct these weaknesses
within 6 to 12 months. Operating management attention is required.

Priority for action: 3.

Recommendations for improvements may be made by IT Auditors.

Follow-up actions in the Internal Audit Follow-up Plan are not required.

No risk indicates: The IT Controls examined are effective. No action is required.


APPENDIX 9. IT AUDIT GLOSSARY


Application program code: Sets of computer programs, control files, tables, and user
interfaces that provide functionality for specific business operations, such as accounting,
payroll, and procurement.

Auditing: Auditing is the process of information gathering, review and analysis of assets,
activities, transactions, policies, procedures, systems, reports, files, books, records, data,
information, action plans, legal contracts, other documents, etc., to ensure such things as
policy and procedural compliance, safety and security from vulnerabilities, avoidance and
prevention of fraud, mismanagement, and errors.

Business process: A set of connected business activities that are linked with each other for
the purpose of achieving a business objective.

Compliance: Conformity and adherence to applicable laws and regulations, which also includes
conformity and adherence to policies, plans, procedures, contracts, or other requirements.

Control environment: Board and management attitudes and actions regarding the significance
of organization-wide controls. The control environment provides the structure for the
achievement of the internal control system’s primary objectives.

Database systems: A system of programs that enable data storage, modification, and extraction.

IT infrastructure: Key components of an IT system’s technical infrastructure, including
its program logic code, database, operating system, network, and physical environments
housing each component.

Internal audit function: A department, division, team of consultants, or other practitioners
that provide independent, objective assurance and consulting services designed to add value
and improve an organization’s operations.

Networks: Physical devices, such as switches, routers, firewalls, wiring, and programs, which
control the routing of data packets to link computers and enable them to communicate
with each other.

Operating systems: Software that performs a computer’s basic tasks, such as handling
operator input, managing internal computer memory, and providing disk drive, display
and peripheral device functions.


Outsourcing: The use of a third-party to perform noncore company services. Outsourcing
is becoming more prevalent due to the high cost and expertise required to deliver noncore
services.

Policy: A written statement that communicates management’s intent, objectives, requirements,
and responsibilities.

Procedure: A continuous and regular action or succession of actions, taking place or being
carried out in a definite manner, and leading to the accomplishment of some results.

Risk: The possibility of an event occurring that will have an impact on the achievement of
objectives. Risk is measured in terms of impact and likelihood.

Risk assessment: A methodology for determining the likelihood of an event that could
hinder the organization from attaining its business goals and objectives in an effective,
efficient, and controlled manner.

Risk management: The management process used to understand and deal with uncertainties
that could affect the organization’s ability to achieve its objectives.

Service support processes: Within an IT context, the processes used to manage an
organization’s IT infrastructure and the development and installation of new computer
systems and IT operations. Service support processes include service desk activities and
configuration, change, release, incident, and problem management procedures.

Standards: A mandatory business process or procedure that provides direction on how to
comply with the policy to which it is linked. IT standards are generally technology neutral
and can be further divided into IT-specific controls and guidelines.

System of internal controls: A system comprising the five components of internal control —
the control environment, risk assessment, control activities, information and communication,
and monitoring — to ensure risk is managed.

System implementation projects: Larger-scale efforts in the IT delivery function to deploy
new systems of applications or infrastructure components. These efforts involve project
management activities, business process reengineering, and behavioral change management
techniques.

Third party: An entity that is not affiliated with the organization.

For more terms, see my free IT Glossary book (resource), at:

https://www.researchgate.net/publication/354248857_IT_GLOSSARY


END NOTES

Chapter 1: Introduction to IT Auditing


Note 1. A network backbone connects otherwise discrete multiple networks together, allowing
them to communicate with each other in an effective way.

https://networkencyclopedia.com/backbone-in-networking/

https://www.networkworld.com/article/3532318/what-is-the-internet-backbone-and-how-it-works.html

Note 2. Business operations refer to activities (accounting, marketing, manufacturing, etc.) that
businesses engage in on a daily basis to increase the value of the enterprise and earn a profit.

https://corporatefinanceinstitute.com/resources/knowledge/strategy/business-operations/

Note 3. For more details, see:

https://faculty.mercer.edu/jackson_r/Ownership/chap02.pdf

https://www.uagc.edu/blog/5-principles-of-great-management

https://www.managementstudyhq.com/functions-of-management.html

For Henri Fayol’s 14 functions of management, see:

https://www.mindtools.com/pages/article/henri-fayol.htm

Note 4. There are many reasons why IT project implementations can go wrong: Lack of
planning and management participation, underestimating resources, failing to manage user
expectations, too much customization and tweaking at the end of the project, and insufficient
testing, to name a few.

https://www.techrepublic.com/article/6-reasons-why-your-it-project-will-fail/

Note 5. For more details, see ‘COSO IN THE CYBER AGE’, at:

https://www.coso.org/Pages/guidance.aspx

Note 6. For more details, see:

https://www.investopedia.com/terms/i/internalcontrols.asp


BIBLIOGRAPHY

Published books by John Kyriazoglou


A full list of all my books (privacy, business management, wellness, etc.) is available at:
https://bookboon.com/en/search?query=kyriazoglou

Other published books


Cosserat and Rodda, Modern Auditing, 3rd edition, Wiley, 2008.

Gray, Manson and Crawford, The Audit Process: Principles, Practice and Cases, 6th edition,
Cengage Learning, 2015.

Nolan and Nangle, External Auditing and Assurance: An Irish Textbook, 2nd edition,
Chartered Accountants Ireland, 2013.


DISCLAIMER
The material, concepts, ideas, plans, policies, procedures, forms, methods, tools, etc. presented,
described and analyzed in all chapters and appendices, are for educational and training
purposes only. These may be used only, possibly, as an indicative base set, and should be
customized by each organization, after careful and considerable thought as to the needs and
requirements of each organization, taking into effect the implications and aspects of the
legal, national, religious, philosophical, cultural and social environments, and expectations,
within which each organization operates and exists.

Every possible effort has been made to ensure that the information contained in this book
is accurate at the time of going to press, and the publishers and the author cannot accept
responsibility for any errors or omissions, however caused. No responsibility for loss or
damage occasioned to any person acting, or refraining from action, as a result of the material
in this publication can be accepted by the publisher or the author.
