IT Governance, Risk, and Compliance


January 14, 2010  8:01 PM

IT Audit Fieldwork: Generally Accepted Processes – Part I



Posted by: Robert Davis
AA, Applications, Assurance Service, Audit Assurance, CIA, CICA, CISA, CITP, Compliance Testing, CPA, Files, Information Technology, Infrastructure, IT, IT Audit, PM, Program, Project Management, Risk Management, Study, Substantive Testing

IT auditing is similar to, and yet different from, auditing manual systems. The process is similar in that compliance and substantive tests are still performed within the context of generally accepted auditing standards, whereas the difference emanates from the additional standards that pertain to IT auditing and from the procedures unique to IT auditing that result from those standards. Three audit fieldwork standards guide auditors in the performance of audits. Because they govern the collection of the evidential matter necessary to render an opinion, these standards serve as the basis for the auditing concepts that pertain to the study and evaluation of controls, as well as to the related compliance and substantive testing.

January 11, 2010  6:21 PM

IT Audit Verification Planning: Resolving Technique Selection – Part VII



Posted by: Robert Davis
AA, Applications, Assurance Service, Audit Assurance, CI, CIA, CICA, CISA, CITP, Compliance Testing, Configuration Item, Files, Information Asset, Information Technology, Infrastructure, IT, IT Audit, PM, Program, Project Management, Risk Management, Substantive Testing, Testing Techniques

Many techniques are available to the IT auditor. A significant responsibility is selecting a technique appropriate to the audit task at hand. To aid the IT auditor in understanding which technique may be appropriate, alternative classification schemes should be considered. The potential benefit of a well-chosen taxonomy is that it closely mirrors the audit objectives, the objects to which the IT auditor applies procedures, and the types of techniques that have been developed to assist the IT auditor.

View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here


January 7, 2010  7:30 PM

IT Audit Verification Planning: Resolving Technique Selection – Part VI



Posted by: Robert Davis
AA, Applications, Assurance Service, Audit Assurance, CI, CIA, CICA, CISA, CITP, Compliance Testing, Configuration Item, Files, Information Asset, Information Technology, Infrastructure, IT, IT Audit, PM, Program, Project Management, Risk Management, Substantive Testing, Testing Techniques

The characteristics of a deployed audit trail can determine the test procedures performed. With an acceptable audit trail, the IT auditor may decide to trace selected data or information through the entire configuration, or to determine infrastructure availability from the trail itself. Without a trail, the IT auditor cannot rely on tracing and may instead decide to execute extensive substantive tests on the electronically encoded configuration items.

View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here


January 4, 2010  6:49 PM

IT Audit Verification Planning: Resolving Technique Selection – Part V



Posted by: Robert Davis
AA, Applications, Assurance Service, Audit Assurance, CI, CIA, CICA, CISA, CITP, Compliance Testing, Configuration Item, Files, Information Asset, Information Technology, Infrastructure, IT, IT Audit, PM, Program, Project Management, Risk Management, Substantive Testing, Testing Techniques

Whether audit procedures are performed on individual programs and files, or on the entire configuration as an integrated unit, is determined by the audit objectives and the available audit trail. To test the functionality of input controls, for example, the IT auditor can perform compliance tests on a specific program and, separately or jointly, test the integrity of processing by performing substantive procedures on a specific data file. Alternatively, the selected configuration may be compliance tested as an integrated unit by processing test data through it and then examining both the errors rejected by the programs and the contents of the resulting files for evidence that the controls operated.

View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here


December 30, 2009  7:03 PM

IT Audit Verification Planning: Resolving Technique Selection – Part IV



Posted by: Robert Davis
AA, Applications, Assurance Service, Audit Assurance, CI, CIA, CICA, CISA, CITP, Compliance Testing, Configuration Item, Files, Information Asset, Information Technology, Infrastructure, IT, IT Audit, PM, Program, Project Management, Risk Management, Substantive Testing, Testing Techniques

Auditing IT configurations involves performing compliance and substantive tests on a selected information asset as an integrated unit. Integration can refer to several activities: combining the separate testing of programs and files into an overall evaluation; combining the testing of programs and files into a single test; using a mixture of techniques to accomplish the compliance and substantive testing objectives and combining the results into an overall evaluation of the entire IT configuration or of a specific configuration subset; and treating the IT configuration, with its programs and files, as a single unit that receives input, processes data, and produces output in a regulated environment.

View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here


December 28, 2009  9:08 PM

IT Audit Verification Planning: Resolving Technique Selection – Part III



Posted by: Robert Davis
AA, Applications, Audit Assurance, CI, CICA, CISA, CITP, Compliance Testing, Configuration Item, Files, Information Asset, Information Technology, Infrastructure, IT, IT Audit, PM, Program, Project Management, Risk Management, Substantive Testing, Testing Techniques

Auditing electronically encoded programs can also involve compliance and substantive testing. Compliance testing usually involves testing programs for the presence and operation of controls, and the techniques for auditing programs are primarily oriented toward compliance testing. Substantive testing, by contrast, typically involves ascertaining the reliability with which an electronically encoded program processes data.

View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here


December 23, 2009  8:11 PM

IT Audit Verification Planning: Resolving Technique Selection – Part II



Posted by: Robert Davis
AA, Applications, Assurance Service, Audit Assurance, CI, CICA, CISA, CITP, Compliance Testing, Configuration Item, Files, Information Asset, Information Technology, Infrastructure, IT, IT Audit, PM, Program, Project Management, Risk Management, Substantive Testing, Testing Techniques

Compliance testing is the primary method employed to verify that stated controls are operating effectively, while substantive testing is the primary method utilized to obtain assurance about the data itself and to increase overall audit assurance. For instance, an IT auditor may reperform compliance testing documented by an entity's software quality assurance department to verify that controls are operating effectively. By contrast, an IT auditor may apply substantive testing procedures, such as recalculating cost allocations, to assess whether a discovered deficiency is material.

Auditing electronically encoded files can involve both compliance testing and substantive testing. Specifically, files can be examined for evidence of compliance with designed controls or for the integrity of the data contained therein. Techniques for auditing files are primarily oriented toward substantive testing of details in the selected repositories.
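The two kinds of test described in this part (reperforming a documented compliance test, and recalculating allocations as a substantive test) and in Part V (compliance testing a program's input controls with test data, then substantive testing the file it produces) can be shown together in one small harness. The following Python is an added example and is not code from the original post; the application program, its documented input controls, the test deck, and the reported allocation figures are all constructed for illustration.

```python
# Added example (not from the original post): a test-data compliance check of an
# input-control program, followed by a substantive recalculation over the master
# file that program produces. Program, controls, records and reported figures are
# constructed for illustration only.
from __future__ import annotations

# Hypothetical documented input controls for the audited program.
VALID_COST_CENTERS = {"CC100", "CC200", "CC300"}
MAX_AMOUNT = 50_000.00


def input_controls(record: dict) -> list[str]:
    """Return the control violations for one record; an empty list means accepted."""
    errors: list[str] = []
    if not record.get("invoice_id"):
        errors.append("missing invoice_id")
    if record.get("cost_center") not in VALID_COST_CENTERS:
        errors.append("invalid cost_center")
    try:
        amount = float(record.get("amount", ""))
        if amount <= 0:
            errors.append("non-positive amount")
        elif amount > MAX_AMOUNT:
            errors.append("amount exceeds limit")
    except ValueError:
        errors.append("non-numeric amount")
    return errors


def run_program(records: list[dict]) -> tuple[list[dict], list[tuple[dict, list[str]]]]:
    """Simulated application: accepted records are written to the master file,
    rejected records and their reasons go to the error log."""
    master: list[dict] = []
    error_log: list[tuple[dict, list[str]]] = []
    for rec in records:
        errs = input_controls(rec)
        if errs:
            error_log.append((rec, errs))
        else:
            master.append(rec)
    return master, error_log


# Constructed test deck: each entry is (record, expected disposition). The deck
# deliberately exercises every documented control with one bad record each.
TEST_DECK = [
    ({"invoice_id": "INV-001", "cost_center": "CC100", "amount": "1200.00"}, "accept"),
    ({"invoice_id": "INV-002", "cost_center": "CC200", "amount": "350.50"}, "accept"),
    ({"invoice_id": "INV-003", "cost_center": "CC999", "amount": "75.00"}, "reject"),
    ({"invoice_id": "", "cost_center": "CC300", "amount": "20.00"}, "reject"),
    ({"invoice_id": "INV-005", "cost_center": "CC100", "amount": "-5.00"}, "reject"),
    ({"invoice_id": "INV-006", "cost_center": "CC300", "amount": "abc"}, "reject"),
    ({"invoice_id": "INV-007", "cost_center": "CC200", "amount": "60000.00"}, "reject"),
]


def compliance_test(deck: list[tuple[dict, str]]) -> list[int]:
    """Compliance test: process the deck through the program and compare each
    record's actual disposition with the expected one. Returns the positions of
    records whose disposition differs, i.e. controls not operating as documented."""
    tagged = [dict(rec, _seq=i) for i, (rec, _) in enumerate(deck)]
    master, error_log = run_program(tagged)
    accepted = {r["_seq"] for r in master}
    rejected = {r["_seq"] for r, _ in error_log}
    exceptions = []
    for i, (_, expected) in enumerate(deck):
        actual = "accept" if i in accepted else ("reject" if i in rejected else "lost")
        if actual != expected:
            exceptions.append(i)
    return exceptions


def recalculate_allocations(master: list[dict]) -> dict[str, float]:
    """Substantive procedure: recompute the cost allocation per cost center
    directly from the master file rather than trusting the entity's report."""
    totals: dict[str, float] = {}
    for rec in master:
        cc = rec["cost_center"]
        totals[cc] = round(totals.get(cc, 0.0) + float(rec["amount"]), 2)
    return totals


# Constructed allocation report as produced by the entity; CC200 is misstated.
REPORTED_ALLOCATIONS = {"CC100": 1200.00, "CC200": 305.50}


def substantive_test(master: list[dict], reported: dict[str, float],
                     materiality: float) -> dict[str, float]:
    """Compare the recomputed allocation with the reported figures and return the
    cost centers whose difference exceeds the materiality threshold."""
    recomputed = recalculate_allocations(master)
    findings: dict[str, float] = {}
    for cc in sorted(set(recomputed) | set(reported)):
        diff = round(recomputed.get(cc, 0.0) - reported.get(cc, 0.0), 2)
        if abs(diff) > materiality:
            findings[cc] = diff
    return findings


if __name__ == "__main__":
    print("compliance exceptions:", compliance_test(TEST_DECK))
    master, log = run_program([rec for rec, _ in TEST_DECK])
    print("rejected:", [(r["invoice_id"], e) for r, e in log])
    print("material differences:", substantive_test(master, REPORTED_ALLOCATIONS, 1.00))
```

The compliance test passes only if every record lands where the documented controls say it should; a program that silently accepted the negative amount would surface as an exception, which is the evidence of a control not operating. The substantive test is independent of the controls: it recomputes the figures from the file and measures the difference against a materiality threshold, which is how the auditor decides whether a deficiency actually matters.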

View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here


December 21, 2009  7:59 PM

IT Audit Verification Planning: Resolving Technique Selection – Part I



Posted by: Robert Davis
AA, Applications, Assurance Service, Audit Assurance, CI, Compliance Testing, Configuration Item, Files, Information Asset, Information Technology, Infrastructure, IT, IT Audit, PM, Program, Project Management, Risk Management, Substantive Testing, Testing Techniques

A variety of techniques is available to the IT auditor for compliance and substantive testing when performing assurance engagements. Selecting a technique appropriate for the assurance task at hand, however, can be difficult. To provide the most suitable IT audit evidence, various classification schemes can be adopted to organize the diverse testing techniques; through these taxonomies, the IT auditor can gain an understanding of which technique may be most appropriate for a given situation. Within this context, determining which elements of the IT architecture are to be examined is critical to selecting a testing technique. For instance, using generally accepted IT naming conventions for the objects under review, IT assurance testing techniques can be applied to information assets such as files, programs, or configurations, depending on the particular audit objectives and the accessible audit trails.


December 17, 2009  7:32 PM

An Ounce of Disaster Prevention is Worth a Pound of Disaster Remediation – Part IV



Posted by: Robert Davis
Availability, Backup Plan, BCP, Business Continuity Plan, Crisis, Disaster, Disaster Recovery Plan, Disruption, DRP, Emergency, IT Audit, Service Restoration Plan, SRP

Business volatility includes unexpected IT demand, merger and acquisition activities, and economic or government events, where government volatility can reflect a political event. In theory, adequate continuity management ensures the capacity to operate when a disaster or unexpected event occurs. An IT auditor should therefore assess whether a process exists to ensure that the monitoring of, and planning for, future capacity is done well in advance, with adequate dialog and participation within the entity, and whether those plans are reviewed at periodic intervals. Good capacity management ensures that the entity's quality of service is continued at all times, even after a disaster has occurred.

View Part I of the An Ounce of Disaster Prevention is Worth a Pound of Disaster Remediation series here


December 14, 2009  7:29 PM

An Ounce of Disaster Prevention is Worth a Pound of Disaster Remediation – Part III



Posted by: Robert Davis
Availability, Backup Plan, BCP, Business Continuity Plan, Crisis, Disaster, Disaster Recovery Plan, Disruption, DRP, Emergency, IT Audit, Service Restoration Plan, SRP

Business continuity and disaster recovery plans should follow suggested best practices for development to ensure adequate incident handling. Commonly, the primary goals of the incident management process are to restore normal service operation as quickly as possible and to minimize the impact on business operations, thereby ensuring that the best possible levels of service quality and availability are maintained.

As a sub-category, business interruption prevention plans and processes allow an entity to avoid, preclude, or limit the impact of a crisis. The tasks included in such a prevention system should enable compliance with the applicable laws, regulations, policies, procedures, rules and standards that support avoidance, deterrence, and detection of potentially catastrophic incidents, where incidents may encompass local events such as building fires, regional events such as earthquakes, or national events such as pandemic illnesses.

View Part I of the An Ounce of Disaster Prevention is Worth a Pound of Disaster Remediation series here

