IT Audit and Controls (SBM 4302) Assessment 3
Word count/Time provided: 1500
Unit Learning Outcomes: ULO-1, ULO-2, ULO-3, ULO-4, ULO-5, ULO-6, ULO-7
Course Learning Outcomes: CLO-1, CLO-6, CLO-8, CLO-9
Graduate Attributes: GAB, GA9, GAll
This assessment is designed to assess students' ability to apply theoretical learning to practical, real world situations. In this assessment students are given a sample IT audit report and asked to comment upon it. Students are expected to identify and discuss any irregularities found in the report, for example, securing and preserving evidence. They should discuss possible audit strategies used to produce the report and what actions, recommendations, or sanctions might be included in the report as a result of the identification of irregularities. In completing this assessment successfully, you will be able to learn how to analyse an IT audit report, learn relevant legislation, generally accepted auditing standards and ISACA's COBIT framework, which will help in achieving ULO-1, ULO-2, ULO-3, ULO-4, ULO-5, ULO-6, and ULO-7.
IT Audit
1. Introduction
The examination of controls within an organization's information technology infrastructure is referred to as an information systems (IS) audit or an information technology (IT) audit. IS or IT audits are carried out in combination with financial statement audits and internal audits. Sometimes other forms of attestation engagement are also combined in the process. The process aims to collect and evaluate data about a company's information systems, together with their operations and practices (Mat Zain, Zaman & Mohamed, 2015).
2. Case study
As per the agreement, the company should disclose the internal code-violation report. It is accountable for complete and impartial disclosure under the legal agreement. The company is also responsible for the ethical practices of its top management and for ensuring that employees uphold those ethics. Under the basic audit process, the third-party auditor will have to carry out testing, because there is a chance that the company presents a financial report that cannot be relied on. The auditor also needs to test the report's internal controls in order to check the edits made to the report, and to check whether the company followed appropriate steps in presenting the report. This process requires a lot of hard work and time, as well as similar samples. If it is done, the auditor will be able to lessen the internal control risk on the report. It can also prove that the CEO is involved in neither any editing work nor in making any transaction. The CEO, and even the top management of the company, will be restricted to READ ONLY access to the financial report and so cannot take part in any editing. The company made it very easy to identify the fraud by keeping a LOG RECORD of each and every activity on the report.
Fraud signifies false data that is prepared by any party in order to deceive or hide something, and thereby to justify the wrong data.
The case study clearly shows that the company's top management is involved in the fraud. The characteristics of the management's fraud are:
The factors that contribute to committing fraud are:
The three factors mentioned above are together referred to as the fraud triangle. Ethical people who face no external pressure to commit fraud, or who have limited opportunity to do so, will generally not get involved in the fraud triangle, but a person with no ethical values, a lot of peer pressure and a better opportunity to access confidential data is more likely to do so.
3. The methodology of the Audit
Control Objectives for Information and related Technology (COBIT) - COBIT is a framework, or set of practices, developed in 1992 by ISACA (Information Systems Audit and Control Association) and the ITGI (IT Governance Institute) for the management of IT. COBIT provides a set of measures, indicators and practices to managers, auditors and users of information technology so that they can make the most of the benefits of using IT (Merhout & O’Toole, 2015). It also helps the company to develop an effective framework of IT governance.
4. Audit risk
Inherent Risks – Sometimes the auditors, as well as the financial officers, are unable to identify some types of risks. These audit risks are called inherent risks. Companies must therefore have a set of procedures for problem detection so that inherent risks can be prevented. In order to identify audit risks, companies must have effective audit plans, approaches and tactics. The audit plan is the set of rules and regulations that must be strictly followed during auditing in order to list the pieces of evidence gathered (Seonghee Lee, 2017). The audit approach comprises the risk analysis methods for balancing internal operations against probable external outcomes. Lastly, the audit plan is developed with the help of audit tactics. The tactics also manage the timing of the process and the employees involved in it.
Detection Risks – An audit risk that arises from a lack of quality planning is called detection risk. Sometimes the auditors fail to spot a problem in time and therefore fail to rectify it prior to the audit. Similarly, there is a chance of wrong data collection or wrong calculation by the company's financial teams. In order to navigate a risk of exposure, the auditors need a profound knowledge and understanding of the business and of the company's nature. Detection risks cover the full range of the company's operations, together with its financial statements and reporting methods. They also include tests such as classification, extensiveness, incidence and valuation.
Control Risks – Sometimes employees make mistakes in the numbers that they report, and the investigation of such inaccuracies is called the control risk. Incorrect assessment of numbers, or even wrong reporting, can amount to accidental fraud committed by the company (Compernolle, 2012). In order to identify control risks, it is very important to identify the areas that may have such issues. Where a control is weak, the financial report may contain incorrect data, and this might not catch the attention of the auditors or even the company's financial officers.
A steady hand is required to deal with the various factors if all types of audit risk are to be avoided. The company will have to carry out effective planning in each department for all the steps. Additionally, proper internal regulation will have to be applied to the reporting of financial data. Thus, the audit risks will be assessed properly. In order to save the company from any fiscal mishap, all such risks can be resolved at an early stage, either by handling them with in-house staff or by taking the assistance of another accounting firm so that the task can be completed impartially.
5. Benefits of IT auditing
IT auditing helps to lessen IT-related risks – With the help of IT auditing, the accessibility, confidentiality and veracity risks of all the IT systems can be tackled easily. It can also help to enhance the effectiveness and efficiency of the systems (Ittonen & Trønnes, 2015). A variety of threats inside an organization can be identified and assessed regularly with the help of IT audits.
IT audits help to enhance IT governance – IT auditing ensures that the employees and the IT department are meeting all the compliance requirements and rules of the company. As a result, IT governance is improved, along with the entire IT management of the company, which gains a solid understanding of every control, every risk and the technological scenario of the company.
6. Responsibilities of an IT auditor
Below are mentioned the fundamental principles that a professional IT auditor must follow:
Honesty should be an integral quality of a specialized IT auditor. He or she should also be absolutely straightforward and be true to all the professional associations.
Integrity is another important quality that should be present in every professional IT auditor (Palmrose & Kinney, 2018). An IT auditor should be fair in all the decisions made by him or her.
Every specialized IT auditor needs to have the below-mentioned principles of professional skill:
A well-reasoned judgment is required for capable specialized services for the purpose of knowledge as well as skill application. The two stages of professional competence are:
In order to follow the standard of confidentiality, the certified IT auditors need to abstain from the following:
In a social environment too, a professional IT auditor needs to follow the confidentiality principle. Such a person should always be careful regarding any unintentional revelation as well, mostly among family or long-term business partners (Rheeder, 2018).
Sticking to the confidentiality principle is also necessary while handling data that needs to be delivered to the employer or most importantly, clients.
The principle of confidentiality should also be followed by a proficient IT auditor while handling confidential data of his or her own employer organization.
A professional IT auditor should also take all necessary measures to give assurance that his or her subordinates, as well as his or her advisors, appreciate an IT auditor’s responsibilities to uphold privacy.
These evaluations help to assure whether the information systems are securing the resources of the company or not. They also check that data integrity is maintained and that operations are effective in reaching the organizational goals.