Introduction to IT Auditing

Technology has revolutionized the way organizations work. Pen-and-paper transactions have been replaced by computerized online data entry applications, and instead of keys and locks on filing cabinets, strong passwords are used to limit access to electronic files. In terms of data processing capacity and transmission speed, new technology has dramatically improved business efficiency in most companies. However, the same technology has created new vulnerabilities, and every one of them must be managed and mitigated. This requires new auditing methods and better ways to assess the effectiveness of each control. Because organizations now rely on computerized systems, auditors must change their approach: data integrity can be compromised and confidentiality policies can be misused without leaving a paper trail. An independent audit is necessary to confirm and demonstrate that appropriate measures have been taken to reduce or eliminate risk exposure.

Definition and Objectives

IT auditing is any activity that takes place within the scope of examining and evaluating the organization’s information technology infrastructure, policies, and operations. Information technology auditing is the process of gathering and evaluating evidence in order to determine if a computer system preserves data integrity, protects assets, efficiently uses resources, and helps achieve organizational goals.

The audit evaluates the organization's processes to ensure:

  1. Protection of assets: the data, the information systems that support it, and the resources and facilities that house them.
  2. That the data and the systems holding it maintain:
    • Efficiency
    • Confidentiality
    • Compliance
    • Availability
    • Integrity
    • Reliability of information

Phases in the Audit process

These are the four important steps in an audit process.

1. Plan

A. Preliminary assessment and information gathering

Although planning is an ongoing process, it is concentrated at the start of an audit. An initial assessment is made to determine the type and extent of testing that will be required. If auditors later discover that specific control procedures are not effective, they may need to re-evaluate earlier conclusions and any decisions based on them.

B. Understanding the organization

The IT auditor's task is to gather knowledge about the following aspects of the entity being audited:

  • The organization's operating environment and its function
  • The criticality of each IT system, whether it is mission-critical or a support system
  • The structure of the organization
  • The nature and use of the hardware and software
  • The nature and severity of the risks that could affect the organization

How much information needs to be gathered depends on the nature of the organization and the level of detail required in the audit report. The auditor should use the information gathered to identify possible problems, define objectives, and determine the scope of work.

2. Determining the scope and objectives of audit

The auditor must conduct a risk assessment to determine the scope and objectives of an audit. Protecting the organization against attackers is an integral part of this, and risk management is a key component. Risk management is the process of identifying and assessing risk within a system and taking the steps necessary to minimize it. The primary security goals of any organization are integrity, confidentiality and availability.

An auditor can choose from a variety of risk assessment methods. These range from simple classifications of low, medium and high based on judgement to more formal methods that arrive at a numerical risk rating. Once the assessment is complete, the auditor identifies the internal controls: the procedures, practices and organizational structures that reduce the risk. A preliminary assessment of controls can be made by contacting management, filling out questionnaires, reviewing documentation and/or surveying the application.

A few of the most common goals of an IT audit are:

  • Review of the security infrastructure and systems
  • Review of IT systems to ensure they operate safely
  • Review of the development process and the procedures used at each stage of the system's creation
  • Evaluation of the performance of a program or system

The scope and objectives of an audit are not limited to those mentioned. It should cover all critical areas of security, such as passwords, security settings, firewall security and user rights, as well as physical access security.

The scope, on the other hand, defines the limits and boundaries of the audit and is an important part of audit planning. It includes aspects such as the extent of substantive testing, the control weaknesses to be examined, the time period of the audit and the locations that will be covered.
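As an added illustration, not part of the original article, the following Python sketch turns the low/medium/high judgements described above into a numerical rating, adjusts it for the preliminary control assessment, and ranks the critical areas the page names (passwords, firewall security, user rights, physical access) for inclusion in the scope. The 3x3 likelihood-by-impact matrix, the control-effectiveness factor and the band cut-offs are assumptions, and the sample judgements are constructed.

```python
from dataclasses import dataclass

# Ordinal scale for the simple low/medium/high judgement classification (assumed).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class AuditArea:
    name: str
    likelihood: str               # judgement: low / medium / high
    impact: str                   # judgement: low / medium / high
    control_effectiveness: float  # 0.0 (no effective control) .. 1.0 (fully effective)


def inherent_risk(area: AuditArea) -> int:
    """Numerical rating before controls: likelihood x impact on a 1..9 scale."""
    return LEVELS[area.likelihood] * LEVELS[area.impact]


def residual_risk(area: AuditArea) -> float:
    """Rating after the preliminary control assessment reduces inherent risk."""
    if not 0.0 <= area.control_effectiveness <= 1.0:
        raise ValueError(f"control_effectiveness out of range for {area.name}")
    return round(inherent_risk(area) * (1.0 - area.control_effectiveness), 2)


def rating(score: float) -> str:
    """Map the numerical score back to low/medium/high bands (assumed cut-offs)."""
    if score >= 4.0:
        return "high"
    if score >= 2.0:
        return "medium"
    return "low"


def prioritize_scope(areas, threshold: float = 2.0):
    """Return (name, residual score, band) for areas at or above the threshold,
    highest residual risk first, so they can be placed in the audit scope."""
    ranked = sorted(areas, key=lambda a: (-residual_risk(a), a.name))
    return [(a.name, residual_risk(a), rating(residual_risk(a)))
            for a in ranked if residual_risk(a) >= threshold]


# Constructed sample: the critical areas named in the text, with assumed judgements.
SAMPLE_AREAS = [
    AuditArea("passwords", "high", "high", 0.5),
    AuditArea("firewall security", "medium", "high", 0.8),
    AuditArea("user rights", "high", "medium", 0.25),
    AuditArea("physical access", "low", "medium", 0.0),
]
```

Areas that fall below the threshold (here, firewall security, whose strong control leaves a residual score of 1.2) stay out of scope unless the preliminary control assessment is later revised.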

3. Collecting and evaluating evidence

To support the auditor's judgement and conclusions about the organization, function, activity or program being audited, it is necessary to obtain relevant, sufficient and reliable evidence. The auditor must be familiar with the processes and methods used to collect it.

i. Types of audit evidence

Audit evidence falls into three main types:

  • Documentary audit evidence
  • Analytical evidence
  • Observation of processes and of the existence of physical objects

The following methods are available for collecting audit evidence.

1. Physical verification is the actual inspection or investigation of tangible assets by the auditor.

2. Interviews can be used to gather both qualitative and quantitative evidence. Interviews can be conducted with systems analysts to gain a better understanding of the security controls, and with data entry personnel to discover how data that the system flagged as malicious, incorrect or inaccurate came to be entered.

3. Questionnaires were traditionally used to assess controls within an audited system. Auditors sometimes use questionnaires creatively to identify system weaknesses during evidence collection. When preparing questionnaires, it is important to be specific and to use language the target person will understand.

4. Flowcharts are used to show where controls are located within the system. They are essential for understanding, evaluation and communication during the audit.

5. Analytical procedures determine whether an account balance is reasonable by comparing and evaluating the relationships between figures. They should be performed early in the audit to identify accounts that need further verification, areas where the amount of evidence collected can be reduced, and areas for investigation.

ii. Evidence Collection

Auditors now have a wide range of tools to help them. Some of the most commonly used categories of software are:

  1. Generalized Audit Software – provides access to data held on various media and allows it to be manipulated.
  2. Industry-specific Audit Software – provides high-level commands that invoke the basic audit operations needed in a specific industry.
  3. Utility Software – performs common functions such as copy, sort and disk search.
  4. Purpose-built audit software – written to perform a particular set of audit tasks.
  5. Concurrent Auditing Tools – collect audit evidence at the same time as the application is processing data.

4. Documentation and reporting

Auditors are required to document all audit evidence. This includes the extent of planning, the basis for the audit, the operations performed, and the findings. The final audit report should include all information about planning and preparation, the audit program, data, observations, and other pertinent details.

How to structure a report

Your report should be as complete, precise, objective, clear and timely as possible. The following titles can be used to organize it:

Overview

The report should begin with a description of the audit. The overview can include details about the system, such as its environment and resources, and details of the application. It is important to give details of the processing complexity and data volume; this helps the reader understand the contents of the report and prepares them for the findings that follow. It is also important to indicate how critical the system is, because most observations are influenced by the system's criticality.

Scope, Objectives, and Methodology

This section explains the scope, objectives, and methodology of the audit. It is intended to help readers understand the purpose of the audit and the challenges encountered, and to let them make informed judgements about the merits of the work performed. The objectives section should explain what the audit set out to achieve. The scope section should describe the extent of the work done to accomplish the objectives: the auditor should identify the organization being audited, the hardware and software used, the geographical locations, and the time period covered, and should explain the sources of evidence and, finally, the quality of or defects in that evidence. The methodology should describe the techniques used to gather and analyze evidence about the identified risks.

Audit Results and Findings

Auditors are required to report any significant findings relating to the audit objectives. The auditor must provide sufficient, relevant and competent information to enable a full understanding of the issues discussed. The information provided must be clear and convincing; giving detailed background information about the audit helps achieve this.

Conclusions

The conclusions are drawn against the audit's objectives. Their strength is determined by the persuasiveness of the evidence and the logic used in drawing them. Avoid drawing more conclusions about risks and controls than the evidence supports.
