IT Governance is the industry leader for IT governance, risk management, compliance and information security.
On this page you will find a selection of our highly regarded training courses relating to IT Auditing.
An essential starting point for any IT professional hoping to become an IT Auditing Expert is our book Swanson on Internal Auditing: Raising the Bar, described as "a recommended resource for all internal audit professionals."
CISA & IT Audit Qualifications
ISACA (the Information Systems Audit and Control Association) is a global professional organisation dedicated to audit, control and security of information systems. The key ISACA qualification for IT auditors is CISA (Certified Information Systems Auditor).
More than 50,000 people have achieved this qualification. CISA exams take place twice a year, in June and December.
The official preparation and revision text is updated every year. You can order your own copy here: 2011 CISA Review and exam manual (worldwide shipping available).
Information Security Audit and ISO27001
ISO27001, the information security Standard, has specific requirements in terms of information security audits, both internal and external. A comprehensive ISO27001 Audit checklist is contained in Are You Ready for an ISO 27001 Audit?
Useful advice to those soon to be audited is set out in a handy pocket book, Audits without Tears.
Additionally, Information Security ISO27001 Internal Auditor training is a key skill requirement in many organisations.
The Statement on Auditing Standards ('SAS’) No. 70, Service Organisations, is an internationally recognised auditing standard developed by the American Institute of Certified Public Accountants.
SAS 70, as amended by the AICPA on 1 May 2004, addresses the effect that a service organisation may have on its clients' financial reporting objectives. CICA 5970 is the Canadian version of SAS 70.
SAS No. 70 is generally applicable when an auditor is auditing the financial statements of a user organisation that obtains services from another organisation, or service provider.
These service providers could be application service providers, bank trust departments, claims processing centres, Internet data centres, or other data processing service bureaus.
What is IT Auditing?
Proactively studying "what’s out there” is increasingly important for successful IT Audits. Regular research on the following sites, in addition to periodic exploration of audit resources via Google or another Web search tool, can help you stay on top of audit tools and audit practice information.
Auditors should research not only available audit tools, but also recommended professional audit practices. Both are crucial in effective auditing.
"An information technology (IT) audit or information systems (IS) audit is an examination of the controls within an entity's information technology infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
An IT audit is the process of collecting and evaluating evidence of an organisation's information systems, practices, and operations. Obtained evidence evaluation can ensure whether the organisation's information systems safeguard assets, maintains data integrity, and is operating effectively and efficiently to achieve the organisation's goals or objectives." (Wikipedia)
And for extra credit:
The Institute of Internal Auditors, including:
The Institute of Chartered Accountants in England and Wales (ICAEW), including:
EU Single Market - Auditing
The Information Systems Audit and Control Association (ISACA), including:
US Federal Financial Institutions Examination Council (FFIEC)
US Government Accountability Office (GAO), including:
The Treasury Board of Canada Secretariat Links page
CCAF (Canadian Comprehensive Auditing Foundation)
The International Organisation of Supreme Audit Institutions (INTOSAI)
The Center for Education and Research in Information Assurance and Security (CERIAS)
Wikipedia entry: Information technology audit
Information and resources on this page are provided by Dan Swanson, an internal audit veteran with over 26 years' experience, who most recently was director of professional practices at the Institute of Internal Auditors.
Dan has completed audit projects for more than 30 different organisations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors.
He has completed nearly 100 internal audits in his career including: operational audits, system audits, financial audits, value-for-money audits, comprehensive audits, and many more. He has completed almost 50 IT conversion audits and a dozen comprehensive audits of the information technology function.
The author of more than 70 articles on internal auditing, Dan is currently a freelance writer and independent management consultant at an eponymous firm. He can be reached via email