Employee Training

Employee training procedures begin with the orientation of new employees and continue to help them keep pace with the changing skills their jobs require. IT employees generally need specialized skills that quickly become obsolete, and for this reason they often move on to other jobs that offer the opportunity to acquire new ones. The scope of training is vast: it covers an employee from the first day of work and continues throughout the professional career.

Records of employee training begin during the initial orientation and document the education, skills, and experience the employee brought to the company. Documentation of all education and training should be kept, and archived after the employee leaves the organization. With this as a basis, future education and training that would benefit the employee can be assessed and, where necessary, used to justify the individual's training program from in-house or outside resources.

Mentor Assignment

Sometimes a "personal touch" is a prudent step in employee development: an employee is assigned a mentor to develop professional skills. The mentor should be positive and personable, someone who makes the employee comfortable about asking questions, and someone very knowledgeable in the relevant area of expertise.





Conclusion

The details of this chapter should make it very clear that policies, procedures, and standards play a critical role in determining legal and regulatory requirements, employee conduct, and system survivability. They must be carefully crafted to reflect the organization's strategic thinking. It is crucial that policies, procedures, and standards be formalized in all organizations, regardless of size or nationality. Not all policies and procedures apply to all employees, but it is imperative that they be accessible to and searchable by the appropriate employees. Having them will save the organization's bacon when the need arises.





Chapter 3: Auditing

Auditing for the Masses

In summary terms, risk management identifies, prioritizes, and safeguards critical assets, while policies, procedures, and standards address employee conduct. Auditing is the process of assessing whether employees and business operations comply with the organization's policies and procedures as well as applicable laws and regulations; it is the investigation and measurement of employee behavior and business operations based on collected evidence. Taken together, risk management, policies and procedures, and auditing form the first three integrated steps in proactively addressing critical incident management.

Auditing is the compliance extension of your risk management program: operations, policies, and procedures are examined to determine whether operations are lawful, effective, efficient, and profitable. An audit determines whether the organization's critical assets are accounted for and prioritized with adequate safeguards, and whether recovery and restoration procedures are implemented and tested. Fundamentally, auditing is a comparison and analytical process: evidence is collected and evaluated against management's assertions about the actual state of the organization's operations. The most critical product of an audit is therefore the degree of separation between what management asserts and what the evidence shows against the established risk criteria. Any difference between the assertions and the actual state falls into a category called the "gap."

Experience Note 

Easy-to-digest definitions remove the mystery from the auditing process and permit stakeholders to understand it.

Information technology auditing is a carefully planned and executed business process involving the collection and evaluation of evidence to ascertain if a computer system safeguards critical assets and facilitates organizational goals being achieved.

Auditor Responsibilities

To preserve their independence, auditors must not have direct responsibility for, or authority over, any of the activities they examine or could examine in the future. Operational assessments and employee performance appraisals do not in any way relieve employees of their professional responsibilities. Auditors must be authorized full and unrestricted access to relevant equipment and information, including computer files, documents, records, property, and employees. They must have a high degree of freedom in all audit-applicable business areas, subject only to specific restrictions imposed by law.

Internal Controls

Managing critical assets and their safeguards, controlling potential fraud, and improving effectiveness and efficiency are best achieved when senior managers establish a structure of internal controls. There is little universal detail in this area, because organizations differ in mission and function. Here, internal controls are defined in the context of formal systems that prevent, detect, and correct policy violations and unlawful or abusive events. These are the three most important levels of general controls: prevention, detection, and correction.

General Controls

General controls are internal controls with wide application across most areas of business operations. They are not tied to any single system application and include, but are not limited to:

  • Planning and organization controls

  • Physical and logical access controls

  • Human resources

  • Risk management

  • Communications controls

  • System development controls

Specific Controls

In broad terms, these are controls that apply to a particular application or system:

  • Access controls

  • Data input controls (these include all system data inputs)

  • Processing controls

  • Output controls

The overarching governing structure for both specific and general controls is CIA: confidentiality, integrity, and availability. In current auditing practice, internal controls apply to many components, for example: separation of duties and least privilege, clear lines of authority and responsibility, adequate documentation, access control, management supervision, individual accountability, performance checks, and audit trails, to name a few.

Separation of Duties and Least Privilege

Separation of duties basically means that separate employees should be responsible for initiating transactions, processing transactions, recording those transactions, and maintaining custody of critical assets. Least privilege means that employees have only the access and authority needed to perform their jobs and nothing more. For example, in a small organization an accounts payable clerk has the responsibility of preparing billing payments. She reviews the billing for its correctness and prepares wire transfer documents. By observing the concepts of separation of duties and least privilege, she does not have the authority or the ability to release funds. So, she prepares a voucher with the attached billing documentation and submits these materials to the finance vice-president, who authorizes the transfer of funds. In the event the payment amounts are over $10,000, the organization's policies and procedures mandate that two vice-presidents approve the electronic wire transfer. Once the payment is approved, the transaction information flows to another employee who is responsible for posting the transaction to the organization's financial records.
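The workflow just described is easy to encode, and doing so shows exactly where each control bites. The following is an added example in Python, not code from the book: a hypothetical approval workflow whose role table, user names, function names and audit-record format are assumptions; only the role split (clerk prepares, vice-president approves, a third employee posts) and the $10,000 dual-approval rule come from the text. Each step enforces least privilege (the actor's role must carry the action), separation of duties (the preparer can neither approve nor post, and no approver signs twice), and appends every attempt, denied ones included, to an audit trail, which also illustrates the audit-trail point made under Documentation below.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal

# Least privilege: each role carries only the action its job requires.
# Role names and the $10,000 threshold follow the text; the table is illustrative.
ROLE_PERMISSIONS = {
    "ap_clerk": {"prepare"},
    "vice_president": {"approve"},
    "bookkeeper": {"post"},
}
DUAL_APPROVAL_THRESHOLD = Decimal("10000")

# Constructed sample user directory (hypothetical names, assumed for the demo).
USER_ROLES = {
    "alice": "ap_clerk",
    "bob": "vice_president",
    "carol": "vice_president",
    "dave": "bookkeeper",
}


class ControlViolation(Exception):
    """Raised when an action would violate an internal control."""


@dataclass
class Payment:
    payee: str
    amount: Decimal
    prepared_by: str | None = None
    approved_by: list[str] = field(default_factory=list)
    posted_by: str | None = None
    audit_trail: list[dict] = field(default_factory=list)

    @property
    def required_approvals(self) -> int:
        # Policy from the text: amounts over $10,000 need two vice-presidents.
        return 2 if self.amount > DUAL_APPROVAL_THRESHOLD else 1

    @property
    def state(self) -> str:
        if self.posted_by:
            return "posted"
        if len(self.approved_by) >= self.required_approvals:
            return "approved"
        return "prepared" if self.prepared_by else "new"


def _log(payment: Payment, actor: str, action: str, outcome: str) -> None:
    # Audit trail: every attempt is appended, denied ones included, so the
    # sequence of events can later be reconstructed from the record alone.
    payment.audit_trail.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "role": USER_ROLES.get(actor),
        "action": action, "outcome": outcome,
    })


def _deny(payment: Payment, actor: str, action: str, reason: str) -> None:
    _log(payment, actor, action, f"denied: {reason}")
    raise ControlViolation(f"{actor} may not {action}: {reason}")


def _check_role(payment: Payment, actor: str, action: str) -> None:
    role = USER_ROLES.get(actor)
    if action not in ROLE_PERMISSIONS.get(role, set()):
        _deny(payment, actor, action, f"role {role!r} lacks permission")


def prepare(payment: Payment, actor: str) -> None:
    _check_role(payment, actor, "prepare")
    if payment.state != "new":
        _deny(payment, actor, "prepare", f"payment already {payment.state}")
    payment.prepared_by = actor
    _log(payment, actor, "prepare", "ok")


def approve(payment: Payment, actor: str) -> None:
    _check_role(payment, actor, "approve")
    if payment.state != "prepared":
        _deny(payment, actor, "approve", f"payment is {payment.state}")
    # Separation of duties: the preparer cannot approve, and one approver
    # cannot supply both signatures on a dual-approval payment.
    if actor == payment.prepared_by or actor in payment.approved_by:
        _deny(payment, actor, "approve", "separation of duties")
    payment.approved_by.append(actor)
    _log(payment, actor, "approve",
         f"ok ({len(payment.approved_by)}/{payment.required_approvals})")


def post(payment: Payment, actor: str) -> None:
    _check_role(payment, actor, "post")
    if payment.state != "approved":
        _deny(payment, actor, "post", f"payment is {payment.state}")
    if actor == payment.prepared_by or actor in payment.approved_by:
        _deny(payment, actor, "post", "separation of duties")
    payment.posted_by = actor
    _log(payment, actor, "post", "ok")


def attempt(fn, payment: Payment, actor: str) -> bool:
    """Run one step and report whether the controls allowed it."""
    try:
        fn(payment, actor)
        return True
    except ControlViolation:
        return False


def run_demo() -> dict:
    """Walk a constructed $12,500 payment (and a $400 one) through the workflow."""
    big = Payment("Acme Supplies", Decimal("12500"))
    small = Payment("Office Supply Co", Decimal("400"))
    results = {
        "clerk_prepares": attempt(prepare, big, "alice"),
        "clerk_approves_own": attempt(approve, big, "alice"),      # least privilege
        "vp1_approves": attempt(approve, big, "bob"),
        "vp1_approves_twice": attempt(approve, big, "bob"),        # separation of duties
        "bookkeeper_posts_early": attempt(post, big, "dave"),      # not yet approved
        "vp2_approves": attempt(approve, big, "carol"),
        "vp_posts": attempt(post, big, "bob"),                     # least privilege
        "bookkeeper_posts": attempt(post, big, "dave"),
        "final_state": big.state,
        "denials_logged": sum(e["outcome"].startswith("denied") for e in big.audit_trail),
    }
    attempt(prepare, small, "alice")
    attempt(approve, small, "bob")
    results["small_state_after_one_approval"] = small.state
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step:32} {outcome}")
```

Note that the controls are enforced in code rather than trusted to the people involved: a clerk who also held the vice-president role, or a single vice-president trying to sign twice, is refused and the refusal itself is written to the trail, which is what an auditor later compares against the organization's assertions.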

Authority and Responsibility

Clear and well-defined lines of authority and responsibility are essential in controlling systems. In today's business environment the distinction between authority and responsibility is often blurred, because many resources are shared among many users. Database access, for example, is common to many users in a business organization. When several authorized users have simultaneous access and the data becomes corrupted through some unknown means, it is not always easy to assign responsibility.

Documentation

Documents and records are essential in providing an audit trail of activities within any system. Electronic and paper-based documents are used to support the initiation, execution, payment, and recording of transactions. Documentation is intended to provide an accurate record of events and acts. Documents should provide a tangible record in which events can be reconstructed from their content. In a well-designed system, audit trails document the actions and events occurring during business operations as well as those documents required to administratively run the business.

Experience Note 

"If it's not written, it doesn't exist."

Performance Checks and Accountability

Auditors check performance and accountability because employees may forget policies and procedures, make genuine mistakes, become careless or negligent, or intentionally fail to follow procedures. Individual employee accountability is tied to performance and competence as well as to continuing responsibility.


