IT audit 101: internal audit is responsible for evaluating whether IT risks are appropriately understood, managed, and controlled.

Author: Ibrahim, Nargiz
Position: Back to Basics - Column

In today's business environment, IT is omnipresent and essential, affecting the fundamental manner in which transactions are initiated, authorized, recorded, processed, and reported. Generally, IT can enhance the effectiveness of an organization's internal controls by enabling it to achieve segregation of duties through the implementation of security controls in applications, databases, and operating systems; applying predetermined business rules in a consistent manner; performing complex calculations in processing of large volumes of transactions; and minimizing the risk of controls being circumvented.

However, along with benefits come risks. The specific risks IT poses to an organization's internal control system include incorrect or unauthorized modifications to system utilities, resulting in incomplete or inaccurate processing of data; lost data in the event of system failure; unauthorized access resulting in inappropriate modification of data; and inappropriate authorization of system changes impacting reliability of data.

An organization's executives, board of directors, and audit committee expect IT management to provide effective oversight of such IT risks. Internal audit is responsible for evaluating whether IT risks are appropriately understood, managed, and controlled. There are two types of IT audits, both of which are necessary to ensure complete and accurate information processing.

The general control review includes pervasive controls that apply to all areas of the organization, including IT infrastructure and support services, and relates to many applications. General control examples include data security, computer operations, and physical security controls, as well as controls over system acquisition and maintenance.

The application control review includes controls that are specific to each application. The objectives of application controls are to ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed. Application controls include checking the mathematical accuracy of records and performing numerical sequence checks.
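To make the two application controls named above concrete, here is an added example (not code from the column or its author) that runs a numerical sequence check, a per-record mathematical accuracy check, and a batch control-total check over a constructed batch of transaction records. The record layout, the batch header fields, and the sample values are all assumptions made for illustration; the batch is deliberately built so that the count and control total reconcile while a record is missing and another is duplicated, which is the classic case where a control total alone would give false assurance.

```python
"""Application-control checks of the kind the column describes, run over a
constructed transaction batch. Illustrative example only; record layout and
header fields are assumptions, not a standard."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    seq: int             # numerical sequence number assigned at initiation
    qty: int
    unit_price: Decimal
    amount: Decimal      # extended amount as recorded; should equal qty * unit_price


# Constructed sample batch: 1003 is missing, 1005 is duplicated, and 1006 has a
# wrong extension (4 x 70.00 recorded as 300.00).
SAMPLE_BATCH = [
    Transaction(1001, 2, Decimal("50.00"), Decimal("100.00")),
    Transaction(1002, 3, Decimal("83.50"), Decimal("250.50")),
    Transaction(1004, 1, Decimal("75.25"), Decimal("75.25")),
    Transaction(1005, 1, Decimal("10.00"), Decimal("10.00")),
    Transaction(1005, 1, Decimal("10.00"), Decimal("10.00")),
    Transaction(1006, 4, Decimal("70.00"), Decimal("300.00")),
]

# Constructed batch header: what the submitting system asserts about the batch.
# Count and total agree with the records, so those checks alone would pass.
SAMPLE_HEADER = {
    "first_seq": 1001,
    "last_seq": 1006,
    "record_count": 6,
    "control_total": Decimal("745.75"),
}


def sequence_check(batch, first_seq, last_seq):
    """Numerical sequence check: return (missing, duplicated, out_of_range).
    Gaps point to lost records; duplicates point to double processing."""
    counts = {}
    for t in batch:
        counts[t.seq] = counts.get(t.seq, 0) + 1
    expected = range(first_seq, last_seq + 1)
    missing = [s for s in expected if s not in counts]
    duplicated = sorted(s for s, n in counts.items() if n > 1)
    out_of_range = sorted(s for s in counts if s not in expected)
    return missing, duplicated, out_of_range


def accuracy_check(batch):
    """Mathematical accuracy check: sequence numbers whose recorded amount does
    not equal qty * unit_price (recomputed with Decimal to avoid float error)."""
    return [t.seq for t in batch if t.qty * t.unit_price != t.amount]


def batch_total_check(batch, header):
    """Control-total check: compare record count and summed amount with the
    header's asserted values."""
    actual_count = len(batch)
    actual_total = sum((t.amount for t in batch), Decimal("0"))
    return {
        "count_ok": actual_count == header["record_count"],
        "total_ok": actual_total == header["control_total"],
        "actual_count": actual_count,
        "actual_total": actual_total,
    }


def run_application_controls(batch, header):
    """Run all three checks; the batch passes only if every check is clean."""
    missing, duplicated, out_of_range = sequence_check(
        batch, header["first_seq"], header["last_seq"])
    inaccurate = accuracy_check(batch)
    totals = batch_total_check(batch, header)
    passed = (not missing and not duplicated and not out_of_range
              and not inaccurate and totals["count_ok"] and totals["total_ok"])
    return {
        "missing": missing,
        "duplicated": duplicated,
        "out_of_range": out_of_range,
        "inaccurate": inaccurate,
        "totals": totals,
        "passed": passed,
    }


if __name__ == "__main__":
    for key, value in run_application_controls(SAMPLE_BATCH, SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

Running it shows the count and control total reconciling while the sequence check reports 1003 missing and 1005 duplicated and the accuracy check flags 1006; an auditor testing only the batch totals would have concluded the batch processed completely and accurately.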

Regardless of which type of IT audit is performed, the process primarily consists of five main phases: initiation and planning, evaluating control design and implementation (walk-throughs), testing the operating effectiveness of controls, reporting results, and follow-up. These steps help management obtain a high level of assurance that IT is aligned...
