The first books I read about IT auditing had no mention of databases, networks, or personal computers. They were not invented yet! Later I studied IT auditing books with no mention of routers, switches, firewalls, LANs, or web servers, which all came later. It would be very hard to find an industry that ever evolved at the speed of the information technology advances of the past three decades!
Prophets, songwriters, and poets often advise us not to look backwards. However, as auditors, we spend a lot of our time looking backwards! Historically, auditing was a look backwards. But "the times they are a-changin'": inventions in information technology advanced the automation of recordkeeping and then the computerization of business itself. These IT advances transformed auditing into a real-time and forward-looking profession. As noted above, there is a constant need for books that keep the IT auditing profession more in step with the advances in information technology. After my initial review of IT Auditing: Using Controls to Protect Information Assets, I was excited about the invitation to contribute a foreword, since I considered this book a quintessential transitional work for the IT auditing profession in the new millennium.
The pundits ask, who could get excited about auditing? Auditing has been a part of my life since the late 1960s, when I began my career at Merrill Lynch while still in high school. Wall Street was in transition to the use of computers that enabled the massive expansion of the capital markets, which contributed considerably to the economic growth we have all enjoyed since the end of World War II. The need for IT auditors followed, and I answered the call. These developments exemplify the aforementioned changes that make this book so timely and valuable.
I am a capitalist and a business management devotee. My career started in audit and followed the management path through IT audit director, chief audit executive, CIO, CFO, board member, CEO, and on to chairman of an audit committee. The theme of my recent book, Managing the Audit Function, is managing people and particularly the audit function. I believe quality auditors utilizing tested and proven procedures, in a proactive way, will produce excellent audit results. My book provides a very detailed methodology for creating a management structure and procedures to perform audits effectively and efficiently. IT Auditing: Using Controls to Protect Information Assets addresses the state-of-the-art technologies IT audit needs to be addressing today.
The book provides a quick overview of auditing in Part I, which is an excellent primer. It then proceeds to 10 core chapters on auditing techniques for information technology audits in Part II. This part makes the book a transitory work that bridges the long-established basics of audit management with the technological guidance necessary to address auditing in the information age we live in now.
As noted, IT audit is always playing catch-up. IT Auditing: Using Controls to Protect Information Assets provides the in-depth background and the detailed auditing components and procedures necessary to audit core IT areas such as data centers, applications, and databases, as well as emerging audit areas like Linux, routers, switches, web servers, WLAN, and mobile devices.
These are still the early days of IT auditing. As the saying goes, "If you don't know where you are going, any road will lead you there." As IT has progressed, so has the need for advances in IT auditing methodology. When companies first installed data centers, few had the foresight to see the need for IT governance frameworks. As sophisticated IT enabled not just the automation of recordkeeping functions but the evolution of new IT-based businesses, there grew the need for formal IT planning, performance measurements, approvals, monitoring, policies, procedures, and return-on-investment measurements. We have come to refer to these as IT governance frameworks.
Organization managers are very busy individuals, trying to achieve the purpose of their business and to satisfy their customers and stakeholders. Among their many obligations are the requirements to control the business and ensure adequate returns. These are facilitated by the use of enterprise-wide control frameworks. Part III of IT Auditing: Using Controls to Protect Information Assets provides a comprehensive overview of the widely used and generally accepted internal control framework COSO, the IT Governance Institute's IT governance framework CoBIT, which stands for Control Objectives for Information Technology, and others.
I have devoted a good portion of my professional career to auditing. Auditing is a window into a business that enables auditors to learn and continue their development. Careful consideration of how key IT control frameworks fit into the control structure of your organization will provide a deliverable to management, connect audit to a core business management issue, and ensure success.
Michael P. Cangemi, CPA, CISA
Editor-in-chief, IS CONTROL Journal
September 7, 2006
Michael P. Cangemi, CPA, CISA, is an author, speaker, and business consultant. He is president of Cangemi Company LLC (CanCo.us), a media and consulting firm centered on management, IT, and financial governance. Michael is the former president, chief executive officer, and director of Etienne Aigner Group, Inc. He is the author of Managing the Audit Function, now in its third edition as well as a Chinese translation, and a long-time columnist and editor-in-chief of the IS Control Journal. Michael started his career at Ernst & Young and founded the Internal Audit Services practice at BDO Seidman after serving as CAE at Phelps Dodge Corporation. Michael is past international president of ISACA and past trustee of the IIA Research Foundation.