In business and accounting, information technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met. They are a subset of an enterprise's internal control. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC include controls over the Information Technology (IT) environment, computer operations, access to programs and data, program development and program changes. IT application controls refer to transaction processing controls, sometimes called \"input-processing-output\" controls. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework (Control Objectives for Information Technology) is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches. IT departments in organizations are often led by a chief information officer (CIO), who is responsible for ensuring effective information technology controls are utilized.
COBIT is a widely utilized framework containing best practices for the governance and management of information and technology, aimed at the whole enterprise. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which are enabled by specific IT activities. COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system. COBIT addresses governance issues by grouping relevant governance components into governance and managementobjectives that can be managed to the required capability levels.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control: control environment, risk assessment, control activities, information and communication and monitoring, that need to be in place to achieve financial reporting and disclosure objectives; COBIT provide a similar detailed guidance for IT, while the interrelated Val IT concentrates on higher-level IT governance and value-for-money issues. The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate. The four COBIT major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.
The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope. The 2007 SOX guidance from the PCAOB and SEC state that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed, which significantly reduces the scope of IT controls required in the assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment. In addition, Statements on Auditing Standards No. 109 (SAS109) discusses the IT risks and control objectives pertinent to a financial audit and is referenced by the SOX guidance.
To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. For instance, IT application controls that ensure the completeness of transactions can be directly related to financial assertions. Access controls, on the other hand, exist within these applications or within their supporting systems, such as databases, networks, and operating systems, which are equally important, but do not directly align to a financial assertion. Application controls are generally aligned with a business process that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process and mitigate specific material financial risks. This focus on risk enables management to significantly reduce the scope of IT general control testing in 2007 relative to prior years.
Section 802 expects organizations to respond to questions on the management of SOX content. IT-related issues include policy and standards on record retention, protection, and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more. In addition, organizations should be prepared to defend the quality of their records management program (RM); comprehensiveness of RM (i.e. paper, electronic, transactional communications, which includes emails, instant messages, and spreadsheets that are used to analyze financial results), adequacy of the retention life cycle, the immutability of RM practices, audit trails and the accessibility and control of RM content.
Information technology audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall goals. IT auditors examine not only physical security controls, but also overall business and financial controls that involve information technology systems.
Because operations at modern companies are increasingly computerized, IT audits are used to ensure information-related controls and processes are working properly. The primary objectives of an IT audit include:
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether the financial statements present fairly, in all material respects, an entity's financial position, resultsof operations, and cash flows in conformity to standard accounting practices, the purposes of an IT audit is to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.Installing controls are necessary but not sufficient to provide adequate security. People responsible for security must consider if the controls are installed as intended, if they are effective, or if any breach in security has occurred and if so, what actions can be done to prevent future breaches. These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.
As technology continues to advance and become more prevalent in our lives and in businesses, along comes an increase of IT threats and disruptions. These impact every industry and come in different forms such as data breaches, external threats, and operational issues. These risks and need for high levels of assurance increase the need for IT audits to check businesses IT system performances and to lower the probability and impact of technology threats and disruptions.
The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:
Will the organization's computer systems be available for the business at all times when required (known as availability)Will the information in the systems be disclosed only to authorized users (known as security and confidentiality)Will the information provided by the system always be accurate, reliable, and timely (measures the integrity)In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.
In an IS, there are two types of auditors and audits: internal and external. IS auditing is usually a part of accounting internal auditing, and is frequently performed by corporate internal auditors. An external auditor reviews the findings of the internal audit as well as the inputs, processing and outputs of information systems. The external audit of information systems is primarily conducted by certified Information System auditors, such as CISA, certified by ISACA, Information System Audit and Control Association , USA, Information System Auditor (ISA) certified by ICAI (Institute of Chartered Accountants of India), and other certified by reputed organization for IS audit. Delete --> (frequently a part of the overall external auditing performed by a Certified Public Accountant (CPA) firm.)IS auditing considers all the potential hazards and controls in information systems. It focuses on issues like operations, data, integrity, software applications, security, privacy, budgets and expenditures, cost control, and productivity. Guidelines are available to assist auditors in their jobs, such as those from Information Systems Audit and Control Association. 59ce067264