An information technology audit, or information systems audit,
is an examination of the management controls within an information
technology (IT) infrastructure. The evaluation of obtained evidence determines whether
the information systems are safeguarding assets, maintaining data
integrity, and operating effectively to achieve the organization's
goals or objectives. These reviews may be performed in conjunction with a
financial statement audit, internal audit, or other form of attestation
engagement. IT audits are
also known as "automated data processing (ADP) audits" and
"computer audits". They were formerly called "electronic
An IT audit is different from a financial
statement audit. While a financial audit's purpose is to evaluate whether an
organization is adhering to standard accounting practices, the purposes of an IT
audit are to evaluate the system's internal control design and effectiveness.
This includes, but is not limited to, efficiency and security
protocols, development processes, and IT governance or oversight.
Installing controls is necessary but not sufficient to provide adequate security.
Those responsible for security must consider whether the controls are installed
as intended, whether they are effective, and whether any breach of security
has occurred and, if so, what actions can be taken
to prevent future breaches. These questions must be answered by independent and unbiased
observers. These observers are performing the task of information
systems auditing. In an information systems (IS) environment, an audit is an
examination of information systems, their inputs, outputs, and processing.
The primary functions of
an IT audit are to evaluate the systems that are in place to guard an
organization's information. Specifically, information technology audits are used to
evaluate the organization's ability to protect its information assets and to
properly dispense information to authorized parties. The IT audit aims to
evaluate the following:
Will the organization's computer systems be available for the
business at all times when required? (known as availability)
Will the information in the systems be disclosed only to authorized users? (known as security and
confidentiality)
Will the information provided by the system always be accurate,
reliable, and timely? (measures the integrity)
In this way, the audit hopes to assess the risk to the company's valuable asset (its
information) and establish methods of minimizing those risks.
IT audits are also known as information systems audits, ADP
audits, EDP audits, or computer audits.[2]
Types of IT audits
Various authorities have created differing taxonomies to
distinguish the various types of IT audits. Goodman & Lawless state that there are specific
systematic approaches to carry out an IT audit:
• Technological development process audit. This audit constructs a risk profile for existing and new projects. The audit
will assess the length and depth of the company's experience in its
chosen technologies, as well as its presence in relevant markets, the organization of
each project, and the structure of the portion of the industry that
deals with this project or product, organization and industry structure.
• Innovative comparison audit. This audit is an analysis of the innovative capabilities
of the company being audited, in comparison with its competitors. This requires
examination of the company's research and development facilities, as well as its track record
in actually producing new products.
Others describe the spectrum of IT audits with five categories:
• Technology position audit: This audit reviews the technologies that the business currently
has and that it needs to add. Technologies are characterized as being either
"base", "key", "pacing" or "emerging".
• Facilities: An audit to verify that the processing facility is controlled to
ensure timely, accurate, and efficient processing of applications under
normal and potentially disruptive conditions.
• Systems Development: An
audit to verify that the systems under development meet the objectives of
the organization, and to ensure that the systems are developed in accordance with
generally accepted standards for systems development.
• Management of IT and
Enterprise Architecture: An audit to verify that IT management has developed
an organizational structure and procedures to ensure a controlled and efficient
environment for information processing.
And some lump all IT audits as being one of only two types:
"general control review" audits or "application
control review" audits.
A number of IT audit professionals from the information assurance realm consider there to be three fundamental types
of controls regardless of the type of audit to be performed,
especially in the IT realm. Many frameworks and standards try to break controls
into different disciplines or arenas, terming them "Security Controls", "Access
Controls" or "IA Controls" in an effort to define the types of controls involved.
At a more fundamental level, these controls can be shown to consist of three
fundamental types: protective/preventative controls, detective
controls, and reactive/corrective controls.
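The three control types are easiest to tell apart on a single concrete path. The following is an added example, not code from the page or from any audit framework it cites: one login path with a preventative control (the credential check), a detective control (a review of the event log for repeated failures), and a corrective control (locking the flagged account), followed by an audit test that records whether each control is installed as intended and effective, the two questions the text says an auditor must answer. The account, the lockout policy values and the log of attempts are all constructed for illustration.

```python
"""Added example (not from the page): preventative, detective and corrective
controls on one login path, plus an audit test of each. The policy values,
the account and the activity log are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                   # assumed policy: failures within the window
LOCKOUT_WINDOW = timedelta(minutes=10)  # assumed policy: look-back window


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False


@dataclass
class Store:
    accounts: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (time, username, event) tuples


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(store: Store, username: str, password: str) -> None:
    salt = os.urandom(16)
    store.accounts[username] = Account(username, salt, _hash(password, salt))


# Preventative control: stops a bad attempt before it succeeds, and records it.
def login(store: Store, username: str, password: str, now: datetime) -> bool:
    acct = store.accounts.get(username)
    if acct is None or acct.locked:
        store.log.append((now, username, "rejected"))
        return False
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        store.log.append((now, username, "success"))
        return True
    store.log.append((now, username, "failure"))
    return False


# Detective control: reviews the log after the fact and reports accounts whose
# recent failures reach the threshold.
def detect_brute_force(store: Store, now: datetime) -> list:
    counts = {}
    for t, user, event in store.log:
        if event == "failure" and now - t <= LOCKOUT_WINDOW:
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= LOCKOUT_THRESHOLD)


# Corrective control: acts on the detection by locking the flagged accounts.
def lock_flagged(store: Store, flagged: list) -> int:
    locked = 0
    for user in flagged:
        acct = store.accounts.get(user)
        if acct is not None and not acct.locked:
            acct.locked = True
            locked += 1
    return locked


# Audit test: exercise each control with constructed activity and record
# whether it is installed as intended and effective.
def audit_controls() -> dict:
    store = Store()
    create_account(store, "alice", "correct horse battery staple")
    t0 = datetime(2024, 1, 1, 9, 0)
    # constructed activity: seven wrong passwords in two minutes, then the right one
    for i in range(6):
        login(store, "alice", f"wrong-{i}", t0 + timedelta(seconds=20 * i))
    wrong_refused = not login(store, "alice", "wrong-6", t0 + timedelta(minutes=2))
    right_accepted = login(store, "alice", "correct horse battery staple",
                           t0 + timedelta(minutes=2))
    flagged = detect_brute_force(store, t0 + timedelta(minutes=3))
    locked = lock_flagged(store, flagged)
    # after the corrective action even the right password must be refused
    still_open = login(store, "alice", "correct horse battery staple",
                       t0 + timedelta(minutes=4))
    return {"preventative": wrong_refused and right_accepted,
            "detective": flagged == ["alice"],
            "corrective": locked == 1 and not still_open}


if __name__ == "__main__":
    print(audit_controls())
```

The audit function is the part an IT auditor cares about: it does not trust that a lockout policy exists on paper, it drives constructed activity through the system and checks that each control actually fired. The same pattern (generate events, run the detective review, confirm the corrective action, re-test the preventative gate) carries over to real systems with the event log read from the real source.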
In an IS, there are two types of auditors and audits: internal
and external. IS auditing is usually a part of accounting internal auditing,
and is frequently performed by corporate internal auditors. An external auditor
reviews the findings of the internal audit as well as the inputs, processing
and outputs of information systems. The external audit of information systems
is frequently a part of the overall external auditing performed by a Certified
Public Accountant (CPA) firm.[1]
IS auditing considers all the potential hazards and controls in
information systems. It focuses on issues like operations, data, integrity,
software applications, security, privacy, budgets and expenditures, cost
control, and productivity. Guidelines are available to assist auditors in their
jobs, such as those from the Information Systems Audit and Control Association.[1]
IT audit process
The following are the basic steps in performing the information
technology audit process:[5]
• Planning
• Studying and evaluating controls
• Testing and evaluating controls
Auditing information security
is a vital part of any IT audit and is often understood to be
the primary purpose of an IT audit. The broad scope of auditing information security
includes such topics as data centers (the physical security of data centers
and the logical security of databases, servers and network infrastructure
components),[6] networks and application security. Like most technical
realms, these topics are always evolving; IT auditors must constantly
continue to expand their knowledge and understanding of the systems and
environment, and their interest in systems administration.
History of IT auditing
The concept of IT
auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely
because of advances in technology and the incorporation of technology
into business. At present, there are
many IT-dependent companies that rely on information technology
in order to operate their business, e.g. telecommunication or
banking companies. For other types of business, IT plays a big part
in the company, including the use of workflow instead of
paper request forms, the use of application controls instead of manual
controls, which is more reliable, or the implementation of an ERP application to support
the organization with just one application. Because of these, the importance of the IT
audit is constantly increasing. One of the most important roles of the IT
audit is to audit the critical systems in order to
support the financial audit or to support the specific regulations announced, e.g.
Principles of an IT audit
The following principles of an audit should find a reflection:[10]
• Timeliness: Only
when the processes and programming are continuously inspected in regard to
their potential susceptibility to faults and weaknesses, but also
with regard to the continuation of the analysis of the found strengths,
or by comparative functional analysis with similar applications, can an updated frame
be continued.
• It requires an explicit
reference in the audit of encrypted programs as to how the handling of open source
is to be understood. For example, programs offering an open source application, but not
considering the IM server as open source, must be regarded as critical. An auditor
should take their own position on the paradigm of the need for the open source
nature within cryptologic applications.
• Elaborateness: Audit processes should be oriented to a
certain minimum standard. The recent audit processes of encryption software
often vary greatly in quality, in scope and effectiveness, and
also in their reception in the media, with often differing perceptions.
Because of the need for special knowledge on the one hand, to have
the ability to read program code, and on the other hand also to
have knowledge of encryption procedures, many users even trust the
shortest statements of formal confirmation. Individual commitment as an
auditor, e.g. for quality, scale and effectiveness, is thus to be assessed
reflexively for oneself and to be documented within the audit.
• The financial context: Further
transparency is needed to clarify whether the software has been
developed commercially and whether the audit was funded commercially (paid
audit). It makes a difference whether it is a private hobby/community
project or whether a commercial company is behind it.
• Scientific referencing of learning
perspectives: Each audit should describe the findings in detail within
the context and also highlight progress and development needs
constructively. An auditor is not the parent of the program, but at least he or
she is in the role of a mentor, if the auditor is regarded as part of a PDCA
learning circle (PDCA = Plan-Do-Check-Act). Next to the
description of the detected vulnerabilities there should also be a description of the
innovative opportunities and the development of the potentials.
• A reader should not rely solely on the results of one review, but also
judge according to a loop of a management system (e.g.
PDCA, see above), to ensure that the development team or the reviewer
was and is prepared to carry out further analysis, and also that the
development and review process is open to learnings and to considering the notes
of others. A list of references should accompany each case of
• Inclusion of
user manuals and documentation: Further, a check should be done as to
whether there are manuals and technical documentation, and, if these are
extended.
• References to innovations:
Applications that allow
both messaging to offline and online contacts, so considering chat and
email in one application – as is also the case with GoldBug – should
be tested with high priority (criterion of presence chats in addition to the email
function). The auditor should also highlight the references to innovations
and underpin further research and development needs.
This list of audit principles for crypto applications describes
– beyond the methods of technical analysis – particularly core values
that should be taken into account.
There are
also new audits being imposed by various standards boards which are
required to be performed, depending on the audited
organization, which will affect IT and ensure that IT departments are performing
certain functions and controls appropriately to be considered compliant.
Examples of such audits are SSAE 16, ISAE 3402, and ISO27001:2013.
Web Presence Audits
The extension
of the corporate IT presence beyond the corporate firewall (e.g. the
adoption of social media by the enterprise along with the
proliferation of cloud-based tools like social media management
systems) has elevated the importance of incorporating web presence audits
into the IT/IS audit. The purposes of these audits include
ensuring the company is taking the necessary steps to:
• rein in use of unauthorized tools (e.g. "shadow IT")
• prevent information leakage
• mitigate third-party risk
• minimize governance risk[11][12]
Enterprise Communications Audits
The rise of VoIP networks and issues like BYOD and
the increasing capabilities of modern enterprise telephony systems cause
increased risk of critical telephony infrastructure being misconfigured,
leaving the enterprise open to the possibility of communications fraud or
reduced system stability. Banks, financial institutions, and contact centers
typically set up policies to be enforced across their communications systems.
The task of auditing that the communications systems are in compliance with the
policy falls on specialized telecom auditors. These audits ensure that the
company's communication systems:
• adhere to stated policy
• follow policies designed to minimize the risk of hacking or
• maintain regulatory compliance
• prevent or minimize toll fraud
• mitigate third-party risk
• minimize governance risk[13][14]
Enterprise
communications audits are also called voice audits,[15] but the
term is increasingly deprecated as communications infrastructure increasingly
becomes data-oriented and data-dependent. The
term "communication audit"[16] is also deprecated on the
grounds that modern communications infrastructure, especially when
dealing with customers, is omni-channel, where interaction takes place across multiple
channels, not just over the telephone.[17] One of the key issues that
plagues enterprise communication audits is the lack of
industry-defined or government-approved standards. IT audits are built on
adherence to standards and policies published by organizations such
as NIST and PCI, but the absence of such standards for enterprise
communications audits means that these audits have to be based on an
organization's internal standards and policies, rather than industry standards.
As a result, enterprise communications audits are still done manually, with
random sampling checks. Policy audit automation tools for enterprise
communications have only recently become available.
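The last two sentences contrast manual random-sampling checks with automated policy auditing. The following is an added example, not code from the page or from any telecom audit tool: it parses a few constructed call-detail records, checks each one against a constructed internal policy (the kind of organization-specific rules the text says these audits must rely on in the absence of industry standards), and exposes both a full automated pass and a seeded random-sample pass so the coverage difference is visible. The record format, the extension ranges, the prefixes and the thresholds are all assumptions made for the illustration.

```python
"""Added example (not from the page): a policy audit over constructed call-detail
records, run both as a full automated pass and as a random-sample check.
Record format, policy rules and thresholds are constructed for illustration."""
import random
from datetime import datetime

# Constructed CDR lines: start time, calling extension, dialled number, seconds.
CDR_LINES = """\
2024-03-04T09:12:00,2104,+442071234567,95
2024-03-04T13:40:00,2104,+14155550100,310
2024-03-04T23:05:00,1012,+2348012345678,1800
2024-03-05T02:15:00,1012,+2348012345678,2400
2024-03-05T10:02:00,3301,19005550199,620
2024-03-05T11:30:00,2210,+14155550123,45
2024-03-05T20:47:00,2210,+6281234567890,2100
2024-03-06T08:15:00,1007,+14155550111,60
"""

# Constructed internal policy (assumed values, not from any standard):
LOBBY_EXTENSIONS = {"1007", "1012"}   # public-area phones: no international calls
BUSINESS_HOURS = range(7, 19)         # 07:00 to 18:59
PREMIUM_PREFIXES = ("1900", "+1900")  # premium-rate numbers are never allowed
AFTER_HOURS_INTL_MAX_S = 1200         # long after-hours international calls are flagged


def parse_cdr(text: str) -> list:
    """Turn the comma-separated lines into records with typed fields."""
    records = []
    for line in text.strip().splitlines():
        ts, ext, dialled, secs = line.split(",")
        records.append({"start": datetime.fromisoformat(ts), "ext": ext,
                        "dialled": dialled, "seconds": int(secs)})
    return records


def is_international(number: str) -> bool:
    # Constructed convention: E.164 numbers outside +1 count as international.
    return number.startswith("+") and not number.startswith("+1")


def check_record(rec: dict) -> list:
    """Return the policy rules this one record violates (empty if compliant)."""
    findings = []
    if rec["dialled"].startswith(PREMIUM_PREFIXES):
        findings.append("premium-rate")
    intl = is_international(rec["dialled"])
    if rec["ext"] in LOBBY_EXTENSIONS and intl:
        findings.append("lobby-international")
    if (intl and rec["start"].hour not in BUSINESS_HOURS
            and rec["seconds"] > AFTER_HOURS_INTL_MAX_S):
        findings.append("after-hours-international")
    return findings


def full_audit(records: list) -> dict:
    """Automated pass over every record: extension -> set of violated rules."""
    result = {}
    for rec in records:
        for finding in check_record(rec):
            result.setdefault(rec["ext"], set()).add(finding)
    return result


def sample_audit(records: list, sample_size: int, seed: int) -> dict:
    """The manual-style check: the same rules, but applied to a random sample only."""
    rng = random.Random(seed)
    return full_audit(rng.sample(records, sample_size))


if __name__ == "__main__":
    recs = parse_cdr(CDR_LINES)
    print("full:  ", full_audit(recs))
    print("sample:", sample_audit(recs, 3, seed=1))
```

Running the sample pass with different seeds shows the weakness the text points at: a three-record sample can miss every violating extension, while the full pass always reports the same findings. The rule functions are deliberately small so that an organization's own policy can be expressed as a list of such checks and run over the whole record set rather than a sample.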
Helpdesk and incident
Change management auditing
Disaster recovery and business continuity auditing
Irregularities and Illegal Acts
AICPA standard: SAS 99, Consideration of Fraud in a Financial
Statement Audit; computer fraud case studies.