
Overview of IT Audit

Akbar, Sittie Racma


Alcordo, Cathleen Shaine
Austria, Freann Sharisse
Mastura, Bai Maarifah Janneh
Motalib, Norhani
1.1 IT Governance

• It is the responsibility of the Board of Directors and the Executive management.
• It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

Focus Areas
• Aligning with the business and providing collaborative solutions
• Executing the value proposition throughout the delivery cycle
• Resource Management: optimizing the development and use of available resources
• Monitoring results for corrective actions
• Safeguarding assets, disaster recovery and compliance
Why is IT Governance Important?

• “Governance” generally has taken on even greater significance.
• IT has a pivotal role to play in improving corporate governance practices.
• Management’s awareness of IT related risks has increased.
• There is a focus on IT costs in all organizations.
• There is a growing realization that more management commitment is needed to improve the management and control of IT activities.
Benefits of IT Governance

• Transparency and Accountability
• Return on Investment and Stockholder Value
• Opportunities and Partnerships
• Performance Improvement
• External Compliance
What is IT Governance best practice?

• An enterprise-wide approach should be adopted
• Top level commitment backed up by clear accountability is a necessity
• An agreed IT governance and control framework is required
• Trust needs to be gained from the IT function
• Measurement systems will ensure objects are owned and monitored
• Focus on costs

BASIC IT GOVERNANCE ARRANGEMENTS
1.2: COBiT 4.1 vs COBiT 5

What is COBiT?
• Control Objectives for Information and Related Technology
• It is a comprehensive framework of globally accepted practices, analytical tools and models designed for governance and management of enterprise IT

COBiT supports IT governance by providing a framework to ensure that:

• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT risks are managed appropriately

Governance and management distinguished

• Governance ensures that enterprise objectives are achieved by
- evaluating stakeholder needs, conditions and options
- setting direction through prioritisation and decision making
- monitoring performance, compliance and progress against agreed-on direction and objectives
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives
COBIT 4.1 Framework
PO 1 Define a strategic IT Plan
PO 2 Define the information architecture
PO 3 Define the technological direction
PO 4 Define the IT processes, organization and relationships
PO 5 Manage the IT investment
PO 6 Communicate management aims and directions
PO 7 Manage IT Human resources
PO 8 Manage quality
PO 9 Assess and manage risks
PO 10 Manage projects
AI 1 Identify automated solutions
AI 2 Acquire and maintain application software
AI 3 Acquire and maintain technology infrastructure
AI 4 Enable operation and use
AI 5 Procure IT resources
AI 6 Manage changes
AI 7 Install and accredit solutions and changes
DS 1 Define service levels
DS 2 Manage 3rd party services
DS 3 Manage performance & capacity
DS 4 Ensure continuous service
DS 5 Ensure systems security
DS 6 Identify & attribute costs
DS 7 Educate and train users
DS 8 Manage service desk & incidents
DS 9 Manage the configuration
DS 10 Manage problems
DS 11 Manage data
DS 12 Manage the physical environment
DS 13 Manage operations
ME 1 Monitor & evaluate IT performance
ME 2 Monitor & evaluate internal control
ME 3 Ensure regulatory compliance
ME 4 Provide IT governance
COBIT 5 Framework
EDM 1 Ensure Governance Framework Setting & Maintenance
EDM 2 Ensure Benefits Delivery
EDM 3 Ensure Risk Optimization
EDM 4 Ensure Resource Optimization
EDM 5 Ensure Stakeholder Transparency
APO 1 Manage IT Management Framework
APO 2 Manage Strategy
APO 3 Manage Enterprise Architecture
APO 4 Manage Innovation
APO 5 Manage Portfolio
APO 6 Manage Budget & Costs
APO 7 Manage Human Relations
APO 8 Manage Relationships
APO 9 Manage Service Agreements
APO 10 Manage Suppliers
APO 11 Manage Quality
APO 12 Manage Risks
APO 13 Manage Security
BAI 1 Manage Programs & Projects
BAI 2 Manage Requirements Definition
BAI 3 Manage Solutions Identification & Build
BAI 4 Manage Availability & Capacity
BAI 5 Manage Organizational Change Enablement
BAI 6 Manage Changes
BAI 7 Manage Changes Acceptance & Transitioning
BAI 8 Manage Knowledge
BAI 9 Manage Assets
BAI 10 Manage Configuration
DSS 1 Manage Operations
DSS 2 Manage Service Requests and Incidents
DSS 3 Manage Problems
DSS 4 Manage Continuity
DSS 5 Manage Security Services
DSS 6 Manage Business Process Controls
MEA 1 Monitor, Evaluate & Assess Performance & Conformance
MEA 2 Monitor, Evaluate & Assess the System of Internal Control
MEA 3 Evaluate & Assess Compliance with External Requirements
Summary of changes between CobiT 4.1 and CobiT 5

1) Processes in CobiT 4.1 that are merged in CobiT 5
• PO 7 Manage IT Human resources + DS 7 Educate and train users → Education & Human Resources Management
• PO 1 Define a strategic IT Plan + PO 6 Communicate management aims and directions → Communications & Management
• PO 2 Define the information architecture + PO 3 Define the technological direction → Information & Technical Architectures
• AI 2 Acquire and maintain application software + AI 3 Acquire and maintain technology infrastructure → Application Software & Infrastructure Components
• DS 12 Manage the physical environment + DS 5 Ensure systems security → Physical Environment & Information Security

2) Processes in CobiT 4.1 that are reassigned in CobiT 5
• ME 4 Provide IT governance → Governance:
- EDM 1 Ensure Governance Framework Setting & Maintenance
- EDM 2 Ensure Benefits Delivery
- EDM 3 Ensure Risk Optimization
- EDM 4 Ensure Resource Optimization
- EDM 5 Ensure Stakeholder Transparency

3) Processes in CobiT 4.1 that are relocated in CobiT 5
• Strategic Planning: PO 1 Define a strategic IT Plan → APO 2 Manage Strategy
• Organization, Relationships and Processes: PO 4 Define the IT processes, organization and relationships → APO 1 Manage IT Management Framework

4) Entirely new processes in CobiT 5
• EDM 1 Ensure Governance Framework Setting & Maintenance
• APO 1 Manage IT Management Framework
• APO 4 Manage Innovation
• APO 8 Manage Relationships
• BAI 8 Manage Knowledge
• DSS 2 Manage Service Requests and Incidents
• DSS 6 Manage Business Process Controls
COBIT 4.1
• Plan and Organize (PO)
• Acquire and Implement (AI)
• Deliver and Support (DS)
• Monitor and Evaluate (ME)

COBIT 5
• Evaluate, Direct and Monitor (EDM)
• Align, Plan and Organize (APO)
• Build, Acquire and Implement (BAI)
• Deliver, Service and Support (DSS)
• Monitor, Evaluate and Assess (MEA)
1.3: The Work of an IT Auditor

What is an IT Auditor?
• An IT auditor participates in projects and assignments that improve internal processes and performance.

Who are qualified to be an IT Auditor?

• Those who have at least a bachelor's degree in related fields such as computer information systems and computer information technology.
• Must obtain certifications such as CISA, CISM and CIA
Work of an IT Auditor

01 Evaluate the adequacy and effectiveness of the organization's IT systems and internal controls against policies and regulations.
02 IT auditors identify, document, summarize and present audit findings to shareholders.
03 IT auditors help organizations comply with legislation, making sure that they are keeping data and records secure.
04 IT auditors audit the accounts of the company
05 IT auditors are responsible for security controls
Evaluate the adequacy and effectiveness of the organization's IT systems and internal controls against policies and regulations.

• They are required to research, interpret and evaluate the compliance expectations against governmental regulations. IT auditors will communicate with external auditors who are either consultants or employed by regulatory bodies.
• Ensures compliance with established internal control procedures by examining records, reports, operating practices, and documentation.

IT auditors identify, document, summarize and present audit findings to shareholders.

• Prepares audit finding memoranda and working papers to ensure that adequate documentation exists to support the completed audit and conclusions.
• Reporting to shareholders allows auditors and members to give essential information about the company's status.

IT auditors help organizations comply with legislation, making sure they are keeping data and records secure.

• The IT audit aims to evaluate the following:
- Availability
- Security and confidentiality
- Integrity
- Information

IT auditors audit the accounts of the company

• They have to review the accounting patterns and system used in the company and make changes to make it better
• They then thoroughly check the books to see if all the accounts are in order and whether the accountants have done a competent job.

IT auditors are responsible for security controls

• The employee in this role will work on specific projects that include analyzing information security systems, programs and software for any type of IT system.
• They can work in designing new systems to meet operational needs, or test existing systems to make sure they are working correctly and are not prone to security breaches.
1.4: IT Audit Skills

IT audit skills are grouped into Core Skills and Advanced Skills.

To add:
• Detail-Oriented
• Business Minded
• Professional
• Tech Savvy
• Certified
1.5: The CISA Examination

• Certified Information Systems Auditor (CISA) is a certification issued by ISACA for the people in charge of ensuring that an organization's IT and business systems are monitored, managed and protected.
• One of the four certifications provided by ISACA

CISA Examination
• ISACA is an association established in 1969 for information systems audit, assurance, security, risk, privacy and governance professionals.
• The CISA certification itself was launched in 1976.
• In order to become CISA Certified, applicants must pass the CISA examination with a score of 450 or higher and possess a minimum of five years of professional experience in the fields of information system auditing, control, assurance or security.
• The CISA exam is usually offered in June and September every year. The contents of the CISA Examination include areas (domains) in information systems security, audit, and control.
CISA Exam Syllabus
• Domain 1: The process of auditing information systems (21%)
• Domain 2: Governance and management of IT (16%)
• Domain 3: Information systems acquisition, development, and implementation (18%)
• Domain 4: Information systems operations, maintenance and support (20%)
• Domain 5: Protection of information assets (25%)
Overview of D1: The process of auditing information systems

• Covers how IT auditors provide services in accordance with IT audit standards, in order to assist the organization in protecting and controlling information systems.

Summary of Audit Process: Audit Planning → Perform Test → Reporting → Follow-up Activity

Examples of target
• Audit mission and planning
• Laws and regulations
• Standards and guidelines for IS auditing
• Risk analysis
• Internal controls
• Performing an IS audit

Overview of D2: Governance and management of IT

• Covers how IT auditors provide assurance that the necessary organization structure and processes are in place.

Examples of target
• Planning IT Strategy with IT Steering Committee
• Implementation of the IT strategy
• Business Process Reengineering
• Risk management for IT strategy
• Organization and Personnel Management

Overview of D3: Information systems acquisition, development, and implementation

• Covers how IT auditors provide assurance that the practices for the acquisition, development, testing, and implementation of IS meet the organization’s strategies and objectives.

Examples of target
• Application development process and regulation, including needs analysis and cost estimation
• Quality Management
• Validation of computer & system architecture for Application
• Application control
• Management of outsourcing and vendor

Overview of D4: Information systems operations, maintenance and support

• Provide assurance that the processes for information systems operations, maintenance and support meet the organization’s strategies and objectives.

Examples of Target
• Service level Agreement
• Validation of Hardware and software
• Validation of network infrastructure
• Monitoring of Information System/Infrastructure
• Capacity and Configuration Management
• Configuration Management of software
• Regulation of operation and maintenance
• Help (Service) Desk and Incident/Problem management

Overview of D5: Protection of information assets

• Covers how IT auditors provide assurance that the organization’s security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.

Examples of Target
• Policy and regulation of IT Security including risk management
• Validation of logical access control such as password and authentication
• Validation of physical access control with security technology and devices
• Validation of security of network infrastructure
• Validation of encryption system
• Validation of environmental control against fire, power break down
Who should take CISA Examination?

The CISA Certification was specifically created for professionals with work experience in information systems auditing, control or security that include:
• IS/IT Auditors
• Security Professionals
• IS/IT Consultants
• IS/IT Audit Managers

Application for CISA Certification

ISACA allows the following as qualifying substitutes.

• A maximum of 1 year of information systems experience or 1 year of non-IS auditing experience can be substituted for 1 year of experience.
• Sixty (60) to 120 completed university semester credit hours (the equivalent of a 2 or 4-year degree) not limited by the 10-year preceding restriction, can be substituted for 1 or 2 years, respectively, of experience.
• A bachelor's or master's degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for 1 year of experience.
• A master's degree in information security or information technology from an accredited university can be substituted for 1 year of experience.
• Two years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing) can be substituted for 1 year of experience.
Benefits of CISA Examination

• Confirms your knowledge and experience
• Quantifies and markets your expertise
• Demonstrates that you have gained and maintained the level of knowledge required to meet the dynamic challenges of a modern enterprise
• Is globally recognized as the mark of excellence for the IS audit professional
• Combines the achievement of passing a comprehensive exam with recognition of work and educational experience, providing you with credibility in the marketplace.
• Increases your value to your organization
• Gives you a competitive advantage over peers when seeking job growth
• Helps you achieve a high professional standard through ISACA’s requirements for continuing education and ethical conduct
Why Employers Hire CISAs?

CISA employees:

• Are highly qualified, experienced professionals
• Provide the enterprise with a certification for IT assurance that is recognized by multinational clients, lending credibility to the enterprise
• Are excellent indicators of proficiency in technology controls
• Demonstrate competence in five domains, including standards and practices; organization and management; processes; integrity, confidentiality and availability; and software development, acquisition and maintenance
• Demonstrate a commitment to providing the enterprise with trust in and value from your information systems
• Maintain ongoing professional development for successful on-the-job performance