
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

IT audits are also known as "automated data processing audits" and "computer audits". They were formerly called "electronic data processing audits".

Purpose

An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider whether the controls are installed as intended, whether they are effective, whether any breach in security has occurred and, if so, what actions can be taken to prevent future breaches. These inquiries must be answered by independent and unbiased observers. These observers perform the task of information systems auditing. In an Information Systems environment, an audit is an examination of information systems, their inputs, outputs, and processing.

The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:

  • Will the organization's computer systems be available for the business at all times when required?
  • Will the information in the systems be disclosed only to authorized users?
  • Will the information provided by the system always be accurate, reliable, and timely?

In this way, the audit hopes to assess the risk to the company's valuable assets and establish methods of minimizing those risks.

Also Known As: Information Systems Audit, ADP audits, EDP audits, computer audits

Types of IT audits

Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:

  • Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.
  • Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
  • Technological position audit. This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".

Others describe the spectrum of IT audits with five categories of audits:

  • Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
  • Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
  • Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
  • Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
  • Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client, server, and on the network connecting the clients and servers.

And some lump all IT audits as being one of only two types: "general control review" audits or "application control review" audits.

A number of IT Audit professionals from the Information Assurance realm consider there to be three fundamental types of controls regardless of the type of audit to be performed, especially in the IT realm. Many frameworks and standards try to break controls into different disciplines or arenas, terming them "Security Controls", "Access Controls", "IA Controls" in an effort to define the types of controls involved. At a more fundamental level, these controls can be shown to consist of three types of fundamental controls: Protective/Preventative Controls, Detective Controls and Reactive/Corrective Controls.

In an IS environment, there are two types of auditors and audits: internal and external. IS auditing is usually a part of accounting internal auditing, and is frequently performed by corporate internal auditors. An external auditor reviews the findings of the internal audit as well as the inputs, processing and outputs of information systems. The external audit of information systems is frequently a part of the overall external auditing performed by a Certified Public Accountant firm.

IS auditing considers all the potential hazards and controls in information systems. It focuses on issues like operations, data, integrity, software applications, security, privacy, budgets and expenditures, cost control, and productivity. Guidelines are available to assist auditors in their jobs, such as those from the Information Systems Audit and Control Association.

IT Audit process

The following are basic steps in performing the Information Technology Audit Process:

  • Planning
  • Studying and Evaluating Controls
  • Testing and Evaluating Controls
  • Reporting
  • Follow-up reports

= Security =

Auditing information security is a vital part of any IT audit and is often understood to be the primary purpose of an IT Audit. The broad scope of auditing information security includes such topics as data centers, networks and application security. Like most technical realms, these topics are always evolving; IT auditors must constantly continue to expand their knowledge and understanding of the systems and environment.

Several training and certification organizations have evolved. Currently, the major certifying bodies in the field are the Institute of Internal Auditors, the SANS Institute and ISACA. While CPAs and other traditional auditors can be engaged for IT Audits, organizations are well advised to require that individuals with some type of IT-specific audit certification are employed when validating the controls surrounding IT systems.

History of IT Auditing

The concept of IT auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business. Currently, there are many IT-dependent companies that rely on information technology in order to operate their business, e.g. telecommunication or banking companies. For other types of business, IT plays a big part in the company, including applying workflow systems instead of paper request forms, using application controls instead of manual controls, which is more reliable, or implementing an ERP application so that the organization is served by only one application. Accordingly, the importance of IT Audit has constantly increased. One of the most important roles of the IT Audit is to audit the critical systems in order to support the financial audit or to support specific regulations, e.g. SOX.

Audit personnel

= Qualifications =

The CISM and CAP credentials are the two newest security auditing credentials, offered by ISACA and (ISC)², respectively. Strictly speaking, only the CISA or GSNA title would sufficiently demonstrate competences regarding both information technology and audit aspects, with the CISA being more audit focused and the GSNA being more information technology focused. Outside of the US, various credentials exist. For example, the Netherlands has the RE credential, which among others requires a post-graduate IT-audit education from an accredited university, subscription to a Code of Ethics, and adherence to continuous education requirements.

= Professional certifications =

  • Certified Information Systems Auditor
  • Certified Internal Auditor
  • Certified in Risk and Information Systems Control
  • Certification and Accreditation Professional
  • Certified Computer Professional
  • Certified Information Privacy Professional
  • Certified Information Systems Security Professional
  • Certified Information Security Manager
  • Certified Public Accountant
  • Certified Internal Controls Auditor
  • Forensics Certified Public Accountant
  • Certified Fraud Examiner
  • Chartered Accountant
  • Certified Commercial Professional Accountant
  • Certified Accounts Executive
  • Certified Professional Internal Auditor
  • Certified Professional Management Auditor
  • Chartered Certified Accountant
  • GIAC Certified System & Network Auditor
  • Certified Information Technology Professional (to be certified, auditors should have 3 years' experience)
  • Certified e-Forensic Accounting Professional
  • Certified ERP Audit Professional

Emerging Issues

There are also new audits being imposed by various standards boards which are required to be performed, depending upon the audited organization, which will affect IT and ensure that IT departments are performing certain functions and controls appropriately to be considered compliant. Examples of such audits are SSAE 16, ISAE 3402, and ISO 27001:2013.

= Web Presence Audits =

The extension of the corporate IT presence beyond the corporate firewall has elevated the importance of incorporating web presence audits into the IT/IS audit. The purposes of these audits include ensuring the company is taking the necessary steps to:

  • rein in use of unauthorized tools
  • minimize brand and reputation damage
  • maintain regulatory compliance
  • prevent information leakage
  • mitigate third-party risk
  • minimize governance risk

See also

= Computer Forensics =

  • Computer forensics
  • Data analysis

= Operations =

  • Helpdesk and incident reporting auditing
  • Change management auditing
  • Disaster recovery and business continuity auditing
  • SAS 70

= Miscellaneous =

  • XBRL assurance
  • OBASHI: The OBASHI Business & IT methodology and framework

= Irregularities and Illegal Acts =

  • AICPA Standard: SAS 99 Consideration of Fraud in a Financial Statement Audit
  • Computer fraud case studies

External links

  • A career as Information Systems Auditor, by Avinash Kadam
  • IT Audit Careers guide
  • Federal Financial Institutions Examination Council
  • Information Systems Audit & Control Association
  • The need for CAAT Technology
  • Open Security Architecture: Controls and patterns to secure IT systems
  • American Institute of Certified Public Accountants
  • IT Services Library


B2 Upper-Intermediate, American accent

Information technology audit

Published by dadychentw on 14 January 2021