SBM4302 IT Audits and Controls: Risk, Methodologies, and Impacts
VerifiedAdded on 2022/12/30
|13
|2813
|79
Report
AI Summary
This report provides a comprehensive overview of IT audits and controls, essential for ensuring the security and efficiency of business operations. It begins by introducing the importance of IT audits in today's rapidly evolving technological landscape, emphasizing their role in safeguarding assets and maintaining data integrity. The discussion section delves into the risks associated with IT audits, including inherent, control, and detection risks, providing detailed explanations and examples of each. Various IT audit methodologies are explored, such as IT controls, general controls, application controls, networking controls, and internet controls, offering insights into their functions and implementation. The report also examines the impact of IT audits on business operations, highlighting how they improve data flow, identify vulnerabilities, and inform decisions regarding security standards. Furthermore, it outlines the responsibilities of an IT auditor, including planning, executing, and reporting on audit activities. The conclusion reinforces the significance of IT audits for business development and operational enhancement.
Running head: IT AUDITS AND CONTROLS
IT AUDITS AND CONTROLS
Name of the Student:
Name of the University:
Author Note:
IT AUDITS AND CONTROLS
Name of the Student:
Name of the University:
Author Note:
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
1IT AUDITS AND CONTROLS
Table of Contents
Introduction..........................................................................................................................2
Discussion............................................................................................................................3
Risk associated in performing IT audit............................................................................3
Various IT Audit Methodologies.....................................................................................5
Impacts of IT audit on business operations.....................................................................7
Responsibilities of an IT Auditor....................................................................................8
Conclusion...........................................................................................................................9
References..........................................................................................................................10
Table of Contents
Introduction..........................................................................................................................2
Discussion............................................................................................................................3
Risk associated in performing IT audit............................................................................3
Various IT Audit Methodologies.....................................................................................5
Impacts of IT audit on business operations.....................................................................7
Responsibilities of an IT Auditor....................................................................................8
Conclusion...........................................................................................................................9
References..........................................................................................................................10
2IT AUDITS AND CONTROLS
Introduction
The rapid development of the Information technology has altered the business operations
in various ways. For example the manual data entry with the help of pen and paper has changes
in the form of digital entry in the form of database where the all the details of an individual is
stored and can be accessed easily with a proper authentication technique. The cabinet locking
mechanism has be transferred in the form of various authentication techniques such as one way
authentication, two way authentication mode and multifactor authentication technique. These
developments of the information technologies has improved the efficiency of the business. It
helps the business to meet their business goals. With the development it also increases the
vulnerabilities of an organization such as increases the risk of data breach and many more. These
vulnerabilities needs to be controlled for the seamless business operation. Thus each and every
business conducts an IT audit to examine and evaluated the IT infrastructure, operations and
policies. It is considered as the method of gathering as well as evaluating the evidence for
determining whether a system safeguards the business assets, allows the business to meet the
goals and also maintains the data integrity factor for the organization. The report mainly focus on
the risk associated with the IT audit and also discusses the various IT audit methodologies.
Introduction
The rapid development of the Information technology has altered the business operations
in various ways. For example the manual data entry with the help of pen and paper has changes
in the form of digital entry in the form of database where the all the details of an individual is
stored and can be accessed easily with a proper authentication technique. The cabinet locking
mechanism has be transferred in the form of various authentication techniques such as one way
authentication, two way authentication mode and multifactor authentication technique. These
developments of the information technologies has improved the efficiency of the business. It
helps the business to meet their business goals. With the development it also increases the
vulnerabilities of an organization such as increases the risk of data breach and many more. These
vulnerabilities needs to be controlled for the seamless business operation. Thus each and every
business conducts an IT audit to examine and evaluated the IT infrastructure, operations and
policies. It is considered as the method of gathering as well as evaluating the evidence for
determining whether a system safeguards the business assets, allows the business to meet the
goals and also maintains the data integrity factor for the organization. The report mainly focus on
the risk associated with the IT audit and also discusses the various IT audit methodologies.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
3IT AUDITS AND CONTROLS
Discussion
Risk associated in performing IT audit
Audit risks are the risk produced when the IT auditor issue an incorrect audit opinion to
some audited financial documents such as an auditor issue unqualified opinion to some audited
documents knowing the fact that the document is materially misstated (Griffiths 2016). A risk
can be generated in two ways while performing an IT audit such as a risk caused by the clients
and another risk that is caused by the auditors. There are three different risks associated while
performing the IT audit (Chou 2015). They are Inherent risk, Detection Risk and Control Risk.
Inherent risk: it is the chance of loss that is based on nature of any organization
without any alteration in the existing organization environment. This type of risk
is associated with the financial statement of the organization. The inherent risk
arises when there is a misstatement caused because of the existing transactional
frauds or errors. It also arises due to the nature of the business operations. This
risk is the primary concern for nay organization as it can negatively impact the
organization as well as the clients of the organization (Cannon and Bedard 2016).
Inherent risk is the danger or doubt generated from the individual as well as group
reports where they assume that there was a presence of some proper internal
accounting control system or process in the organization. The IT auditor prioritize
the inherent risk depending on some factors such as:
o Professional judgment
o Susceptibility as well as errors related to the organization accounts
o Complexity in the individual’s transaction
Discussion
Risk associated in performing IT audit
Audit risks are the risk produced when the IT auditor issue an incorrect audit opinion to
some audited financial documents such as an auditor issue unqualified opinion to some audited
documents knowing the fact that the document is materially misstated (Griffiths 2016). A risk
can be generated in two ways while performing an IT audit such as a risk caused by the clients
and another risk that is caused by the auditors. There are three different risks associated while
performing the IT audit (Chou 2015). They are Inherent risk, Detection Risk and Control Risk.
Inherent risk: it is the chance of loss that is based on nature of any organization
without any alteration in the existing organization environment. This type of risk
is associated with the financial statement of the organization. The inherent risk
arises when there is a misstatement caused because of the existing transactional
frauds or errors. It also arises due to the nature of the business operations. This
risk is the primary concern for nay organization as it can negatively impact the
organization as well as the clients of the organization (Cannon and Bedard 2016).
Inherent risk is the danger or doubt generated from the individual as well as group
reports where they assume that there was a presence of some proper internal
accounting control system or process in the organization. The IT auditor prioritize
the inherent risk depending on some factors such as:
o Professional judgment
o Susceptibility as well as errors related to the organization accounts
o Complexity in the individual’s transaction
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
4IT AUDITS AND CONTROLS
o Addition of a complex transaction at the end of year
o Susceptibility of business property fraud or loss
o Conditions of the business environment
o Particular transactions and accounts that are considered in the IT auditing
process.
Some business environment factors associated with the IT audit risk are such as
(Khuong and Hoang 2015):
o The competitive as well as economic condition of the organization
o Nature of various business elements
o Unusual and unnecessary pressure on the organization management.
o Knowledge, honesty and experience of the managers who generate the
financial statements or the documents of the organization.
Control Risks: This type of risk arises when a financial statement or a document
is misstated because of some inconvenience in business systems. This can lead to
data loss of the organization for example, a financial can state a profit in a
business whereas in reality the business loss in that particular sector. The
managers of the business are responsible for the designing, maintain and
implementing the system of controls of an organization (Knechel and Salterio
2016). The control risk in an IT audit process indicates the layout of the internal
control which guarantees that the organization will surely detect the incorrect
material claims. The control risk of the organization is detected by the IT auditor
by proper documenting the entity of the controlling layout depending on the
o Addition of a complex transaction at the end of year
o Susceptibility of business property fraud or loss
o Conditions of the business environment
o Particular transactions and accounts that are considered in the IT auditing
process.
Some business environment factors associated with the IT audit risk are such as
(Khuong and Hoang 2015):
o The competitive as well as economic condition of the organization
o Nature of various business elements
o Unusual and unnecessary pressure on the organization management.
o Knowledge, honesty and experience of the managers who generate the
financial statements or the documents of the organization.
Control Risks: This type of risk arises when a financial statement or a document
is misstated because of some inconvenience in business systems. This can lead to
data loss of the organization for example, a financial can state a profit in a
business whereas in reality the business loss in that particular sector. The
managers of the business are responsible for the designing, maintain and
implementing the system of controls of an organization (Knechel and Salterio
2016). The control risk in an IT audit process indicates the layout of the internal
control which guarantees that the organization will surely detect the incorrect
material claims. The control risk of the organization is detected by the IT auditor
by proper documenting the entity of the controlling layout depending on the
5IT AUDITS AND CONTROLS
previous audit reports of the organization. The control risks are expressed in
coefficient from 0 to 1. It can also be expressed in some relative indicators
percentage from 0 to 100%. The starting point of the range indicates that the
handling measures are reliable enough and the probability of error occurrence is
nearly zero (Jones 2017). As the range increases the probability of error
occurrence also increases.
Detection Risk: This type of risk arises when the IT auditor does not identify the
material misstatement in the customer’s financial documents or statements. This
lead to erroneous audit opinion. This type of risks are handled by the auditor
himself or herself. These risks can be decreased by performing some additional
substantive tests in the organization (Johnstone, Gramling and Rittenberg 2013).
These risks can also be mitigated by assigning the IT auditing task to an efficient
and experienced employee of the organization. These risks effect the assessment
of inadequacy of system of the internal control as well as affect the assessment of
inadequacy of the supervision.
Various IT Audit Methodologies
IT audit process consists of various methodologies such as
IT Controls: IT controls in the computer system are the overall programmed or manual
methods, procedures or policies which guarantee the safeguarding of the assets, accuracy as well
as reliability of the records. The presence of the controls in the computerized system disallow the
duplication in inputs. IT control audit is performed using two types of testing mechanism
namely, compliance as well as substantive testing (Ahmi and Kent 2013). The IT auditor should
consider some factors in IT control audit step. The factors are: Unauthorized access to the data or
previous audit reports of the organization. The control risks are expressed in
coefficient from 0 to 1. It can also be expressed in some relative indicators
percentage from 0 to 100%. The starting point of the range indicates that the
handling measures are reliable enough and the probability of error occurrence is
nearly zero (Jones 2017). As the range increases the probability of error
occurrence also increases.
Detection Risk: This type of risk arises when the IT auditor does not identify the
material misstatement in the customer’s financial documents or statements. This
lead to erroneous audit opinion. This type of risks are handled by the auditor
himself or herself. These risks can be decreased by performing some additional
substantive tests in the organization (Johnstone, Gramling and Rittenberg 2013).
These risks can also be mitigated by assigning the IT auditing task to an efficient
and experienced employee of the organization. These risks effect the assessment
of inadequacy of system of the internal control as well as affect the assessment of
inadequacy of the supervision.
Various IT Audit Methodologies
IT audit process consists of various methodologies such as
IT Controls: IT controls in the computer system are the overall programmed or manual
methods, procedures or policies which guarantee the safeguarding of the assets, accuracy as well
as reliability of the records. The presence of the controls in the computerized system disallow the
duplication in inputs. IT control audit is performed using two types of testing mechanism
namely, compliance as well as substantive testing (Ahmi and Kent 2013). The IT auditor should
consider some factors in IT control audit step. The factors are: Unauthorized access to the data or
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
6IT AUDITS AND CONTROLS
the programs, Automatic Processing, Rising potential for the undetected misstatements,
Anonymity as well as decreased accountability, unusual transactions, Concealment of few
processes, Inaccurate data, Nature of the software and the hardware used in the organization,
Audit of the general controls
General controls include the controls that handle the data center operations, software
maintenance, access the security, IT policies, guidelines and standards. The general controls also
associate with the infrastructure of the organization. It also concerns with the logical access
controls and acquisition as well as business continuity. Auditing of the generals controls
comprises of many factors such as risks associated with the business, service level agreements,
Problem management, Network management, Program change controls and disaster recovery
controls.
Audit of Application Controls
Application Controls deal with some particular computer applications. These controls
ensure the appropriate accuracy, validity, completeness and authorization of the maintenance,
data and transactions. For example the system validates the input given by the user with the
permitted pattern, if does not matches then it immediately knock the user to change the input
(Senft, Gallegos and Davis 2016). The application controls include some factors such as:
Controls on the transaction input, control on the out, Control on the processing and controls on
the master files as well as the standing data.
Audit of Networking Controls
Maximum systems in SME utilize either LAN or WAN for connecting to the users. The
usage of these networks developed the business operations in various ways such as it allows the
the programs, Automatic Processing, Rising potential for the undetected misstatements,
Anonymity as well as decreased accountability, unusual transactions, Concealment of few
processes, Inaccurate data, Nature of the software and the hardware used in the organization,
Audit of the general controls
General controls include the controls that handle the data center operations, software
maintenance, access the security, IT policies, guidelines and standards. The general controls also
associate with the infrastructure of the organization. It also concerns with the logical access
controls and acquisition as well as business continuity. Auditing of the generals controls
comprises of many factors such as risks associated with the business, service level agreements,
Problem management, Network management, Program change controls and disaster recovery
controls.
Audit of Application Controls
Application Controls deal with some particular computer applications. These controls
ensure the appropriate accuracy, validity, completeness and authorization of the maintenance,
data and transactions. For example the system validates the input given by the user with the
permitted pattern, if does not matches then it immediately knock the user to change the input
(Senft, Gallegos and Davis 2016). The application controls include some factors such as:
Controls on the transaction input, control on the out, Control on the processing and controls on
the master files as well as the standing data.
Audit of Networking Controls
Maximum systems in SME utilize either LAN or WAN for connecting to the users. The
usage of these networks developed the business operations in various ways such as it allows the
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
7IT AUDITS AND CONTROLS
organization to share the data, also allows to share other peripherals like printers, allow to leave
the system administration to the central team, allow the users to send messages instantaneously
and allow the users to access the system from their remote location (Kuenkaikaew and
Vasarhelyi 2013).
Audit of Internet Controls
If an individual wants to connect his or her computer to the internet the safe policy is to:
(a) physically isolate machine from main information system (b) Assign a trusted and an
experienced network administrator for monitoring the networking structure regularly, (c) avoid
the anonymous access to the system (d) Close each and every logical ports on internet server (e)
Monitor the attempts for logging in the system (f) Files should be shared after a proper validation
(g) Changing the system passwords regularly.
Some other measures are using the firewalls and implementation of proper internet
password policy. Sometimes business require to connect directly to the internet (Verlinde and
Verlinde 2013). This increases the risk. This can be controlled by implementing of proper
firewalls and proper password protecting policies in the organization.
Impacts of IT audit on business operations
The IT audit impacts heavily on the business operation. It helps the business to develop
by developing all the business operations. It impacts the business operation in many ways such
as:
It finds the data flow rate of the business: The auditors evaluates the type of
data business is associated with. They also determine that who are permitted to
access those data (Bentley, Omer and Sharp 2013). The auditing team lay a
organization to share the data, also allows to share other peripherals like printers, allow to leave
the system administration to the central team, allow the users to send messages instantaneously
and allow the users to access the system from their remote location (Kuenkaikaew and
Vasarhelyi 2013).
Audit of Internet Controls
If an individual wants to connect his or her computer to the internet the safe policy is to:
(a) physically isolate machine from main information system (b) Assign a trusted and an
experienced network administrator for monitoring the networking structure regularly, (c) avoid
the anonymous access to the system (d) Close each and every logical ports on internet server (e)
Monitor the attempts for logging in the system (f) Files should be shared after a proper validation
(g) Changing the system passwords regularly.
Some other measures are using the firewalls and implementation of proper internet
password policy. Sometimes business require to connect directly to the internet (Verlinde and
Verlinde 2013). This increases the risk. This can be controlled by implementing of proper
firewalls and proper password protecting policies in the organization.
Impacts of IT audit on business operations
The IT audit impacts heavily on the business operation. It helps the business to develop
by developing all the business operations. It impacts the business operation in many ways such
as:
It finds the data flow rate of the business: The auditors evaluates the type of
data business is associated with. They also determine that who are permitted to
access those data (Bentley, Omer and Sharp 2013). The auditing team lay a
8IT AUDITS AND CONTROLS
suitable groundwork for the business to tightly safeguard all the sensitive data
associated with the organization.
It finds the vulnerable points as well as issues of the business operation: The
information technology and the information system consists of many vulnerable
threats. These threats are identified and mitigated by a proper IT audit process.
The experts can find the issues of the organization easily. They verify the
operating status of both the hardware and the software.
It helps to take decision regarding the changes in the security standards and
the policies
It also recommends regarding leverage information technology in the
business operations: Every business should aim at matching the level of security
with their business (Järveläinen 2013). The IT auditing impacts the business
operation by helping to take efficient decision regarding choosing the appropriate
security solution for the organization.
Responsibilities of an IT Auditor
Some responsibilities of an IT auditor are:
Helps in the audit engagement reporting and planning activities
Execute, plan and coordinate the various audit activities in the organization
Implement and develop various complex audit test plans (Gbadago 2015).
Evaluate the audit scope as well as objective and then preparation of the audit work plan
Determine the critical risks and thus recommends some mitigating measure to lower the
identified risks
suitable groundwork for the business to tightly safeguard all the sensitive data
associated with the organization.
It finds the vulnerable points as well as issues of the business operation: The
information technology and the information system consists of many vulnerable
threats. These threats are identified and mitigated by a proper IT audit process.
The experts can find the issues of the organization easily. They verify the
operating status of both the hardware and the software.
It helps to take decision regarding the changes in the security standards and
the policies
It also recommends regarding leverage information technology in the
business operations: Every business should aim at matching the level of security
with their business (Järveläinen 2013). The IT auditing impacts the business
operation by helping to take efficient decision regarding choosing the appropriate
security solution for the organization.
Responsibilities of an IT Auditor
Some responsibilities of an IT auditor are:
Helps in the audit engagement reporting and planning activities
Execute, plan and coordinate the various audit activities in the organization
Implement and develop various complex audit test plans (Gbadago 2015).
Evaluate the audit scope as well as objective and then preparation of the audit work plan
Determine the critical risks and thus recommends some mitigating measure to lower the
identified risks
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
9IT AUDITS AND CONTROLS
Coordinate with the business, projects, compliance teams and finance to achieve the
inputs for the audit process (Dhaliwal et al. 2013).
Developing the audit program such that to allow comprehensive audit coverage in the
organization
Set the audit priorities and also to determine time needed for the completion of each audit
assignment
Adhere for auditing the standards developed by organization’s audit team
Guarantee that the previous audit details are addressed as well as implemented.
Establish a well - crafted audit reports which comprises of the recommendations and
results of the audit process
Schedule multiple meetings with the management such that the company’s policy and
procedures are clearly understood.
Determine the best practices to meet the audit requirements regularly (Brasel et al. 2016).
Complete the IT audit documentation seamlessly.
Conclusion
Therefore, it can be concluded from the report that IT audit process is an important
activity for a business. It helps the business to develop in many ways. The Business operations
are enhanced with a proper IT audit process. The report also claims that the IT audit process
should be handled to some experienced and trusted employee of the organization. The errors or
the risk should be removed from the IT auditing process such that a proper audit opinion can be
placed. Auditors should also recommend some significant improvements that can be
implemented in the business easily. The IT audit team should consider all the organization’s
policy and norms such that they conduct the process without creating any type of error. The
Coordinate with the business, projects, compliance teams and finance to achieve the
inputs for the audit process (Dhaliwal et al. 2013).
Developing the audit program such that to allow comprehensive audit coverage in the
organization
Set the audit priorities and also to determine time needed for the completion of each audit
assignment
Adhere for auditing the standards developed by organization’s audit team
Guarantee that the previous audit details are addressed as well as implemented.
Establish a well - crafted audit reports which comprises of the recommendations and
results of the audit process
Schedule multiple meetings with the management such that the company’s policy and
procedures are clearly understood.
Determine the best practices to meet the audit requirements regularly (Brasel et al. 2016).
Complete the IT audit documentation seamlessly.
Conclusion
Therefore, it can be concluded from the report that IT audit process is an important
activity for a business. It helps the business to develop in many ways. The Business operations
are enhanced with a proper IT audit process. The report also claims that the IT audit process
should be handled to some experienced and trusted employee of the organization. The errors or
the risk should be removed from the IT auditing process such that a proper audit opinion can be
placed. Auditors should also recommend some significant improvements that can be
implemented in the business easily. The IT audit team should consider all the organization’s
policy and norms such that they conduct the process without creating any type of error. The
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
10IT AUDITS AND CONTROLS
Networking layer of the organization should be enhanced according to the IT audit report which
can protect the organization from various attacks such as data breach.
Networking layer of the organization should be enhanced according to the IT audit report which
can protect the organization from various attacks such as data breach.
11IT AUDITS AND CONTROLS
References
Ahmi, A. and Kent, S., 2013. The utilisation of generalized audit software (GAS) by external
auditors. Managerial Auditing Journal.
Bentley, K.A., Omer, T.C. and Sharp, N.Y., 2013. Business strategy, financial reporting
irregularities, and audit effort. Contemporary Accounting Research, 30(2), pp.780-817.
Brasel, K., Doxey, M.M., Grenier, J.H. and Reffett, A., 2016. Risk disclosure preceding negative
outcomes: The effects of reporting critical audit matters on judgments of auditor liability. The
Accounting Review, 91(5), pp.1345-1362.
Cannon, N.H. and Bedard, J.C., 2016. Auditing challenging fair value measurements: Evidence
from the field. The Accounting Review, 92(4), pp.81-114.
Chou, D.C., 2015. Cloud computing risk and audit issues. Computer Standards & Interfaces, 42,
pp.137-142.
Dhaliwal, D.S., Lamoreaux, P.T., Lennox, C.S. and Mauler, L.M., 2013. Management influence
on auditor selection and subsequent impairments of auditor independence during the post-SOX
period. Available at SSRN 2018702.
Gbadago, F.Y., 2015. Audit expectation gap and MBA accounting students knowledge on
auditor (s) responsibilities: Evidence from a public university in Kumasi Ashanti Region of
Ghana. Journal of Accounting and Taxation, 7(4), pp.53-61.
Griffiths, P., 2016. Risk-based auditing. Routledge.
References
Ahmi, A. and Kent, S., 2013. The utilisation of generalized audit software (GAS) by external
auditors. Managerial Auditing Journal.
Bentley, K.A., Omer, T.C. and Sharp, N.Y., 2013. Business strategy, financial reporting
irregularities, and audit effort. Contemporary Accounting Research, 30(2), pp.780-817.
Brasel, K., Doxey, M.M., Grenier, J.H. and Reffett, A., 2016. Risk disclosure preceding negative
outcomes: The effects of reporting critical audit matters on judgments of auditor liability. The
Accounting Review, 91(5), pp.1345-1362.
Cannon, N.H. and Bedard, J.C., 2016. Auditing challenging fair value measurements: Evidence
from the field. The Accounting Review, 92(4), pp.81-114.
Chou, D.C., 2015. Cloud computing risk and audit issues. Computer Standards & Interfaces, 42,
pp.137-142.
Dhaliwal, D.S., Lamoreaux, P.T., Lennox, C.S. and Mauler, L.M., 2013. Management influence
on auditor selection and subsequent impairments of auditor independence during the post-SOX
period. Available at SSRN 2018702.
Gbadago, F.Y., 2015. Audit expectation gap and MBA accounting students knowledge on
auditor (s) responsibilities: Evidence from a public university in Kumasi Ashanti Region of
Ghana. Journal of Accounting and Taxation, 7(4), pp.53-61.
Griffiths, P., 2016. Risk-based auditing. Routledge.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
1 out of 13
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
Copyright © 2020–2026 A2Z Services. All Rights Reserved. Developed and managed by ZUCOL.