
IT Audit

Auditor's Guide to Information Systems Auditing ("Richard Cascarino has done a superb job.")
IT Auditing: Using Controls to Protect Information Assets ("A must-have for auditors and professionals.")
SAS 70 - 2007 Edition

Swanson on Internal Auditing: Raising the Bar (' ... a recommended resource for all internal audit professionals.')

Read about Information Security Internal Audit Training

On this site, you can access key texts, browse key titles in our IT Audit Bookshop, and find guidance on IT auditing, as well as a wide range of critical and valuable IT audit resources.

CISA & IT Audit Qualifications

CISA: Order your own copy of the 2010 CISA Review and exam manual here.

ISACA (the Information Systems Audit and Control Association) is a global professional organization dedicated to audit, control and security of information systems. The key ISACA qualification for IT auditors is CISA (Certified Information Systems Auditor). More than 50,000 people have achieved this qualification. CISA exams take place twice per year, in June and December. The official preparation and revision text is updated every year. You can order - for worldwide shipment - your own copy of the 2010 CISA Review and exam manual here.

Information Security Audit and ISO 27001

ISO 27001, the information security standard, has specific requirements in terms of information security audits, both internal and external. A comprehensive ISO 27001 Audit checklist is contained in Are You Ready for an ISO 27001 Audit? Useful advice to those about to be audited is set out in a handy pocket book, Audits without Tears, which should be ordered in packs of 10 so that all members of staff can have their own copy in advance of the audit.

Information Security ISO 27001 Internal Auditor training is a key skill requirement in more and more organisations. 

SAS 70

The Statement on Auditing Standards (‘SAS’) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants. SAS 70, as amended by the AICPA on 1 May 2004, addresses the effect that a service organization may have on its client’s financial reporting objectives. CICA 5970 is the Canadian version of SAS 70.
SAS No. 70 is generally applicable when an auditor is auditing the financial statements of a user organization that obtains services from another organization, or service provider. These service providers could be application service providers, bank trust departments, claims processing centres, Internet data centres, or other data processing service bureaus.

Audit Resources

Proactively studying “what’s out there” is increasingly important for successful IT Audits. Regular research on the following sites, in addition to periodic exploration of audit resources via Google or another Web search tool, can help you stay on top of audit tools and audit practice information. Auditors should research not only available audit tools, but also recommended professional audit practices. Both are crucial in effective auditing.

"An information technology (IT) audit or information systems (IS) audit is an examination of the controls within an entity's information technology infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. Obtained evidence evaluation can ensure whether the organization's information systems safeguard assets, maintains data integrity, and is operating effectively and efficiently to achieve the organization's goals or objectives." (Wikipedia)

1. The Institute of Internal Auditors, including:
a. Guidance and Resource Information
b. IIA Technology
2. The Institute of Chartered Accountants in England and Wales (ICAEW), including:
3. EU Single Market - Auditing
4. AuditNet
5. The Information Systems Audit and Control Association (ISACA), including:
a. IT Governance Institute (ITGI)
6. US Federal Financial Institutions Examination Council (FFIEC)
a. FFIEC Resources
b. FFIEC Programs
7. US Government Accountability Office (GAO), including:
a. The Auditing and Accountability Community
b. Selected GAO Best Practices Work
8. The Treasury Board of Canada Secretariat Links page
9. CCAF (Canadian Comprehensive Auditing Foundation)
10. The International Organization of Supreme Audit Institutions (INTOSAI)
11. The Center for Education and Research in Information Assurance and Security (CERIAS)

And for extra credit:
12. Wikipedia entry: Information technology audit

Information and resources on this page are provided by Dan Swanson, a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors. Dan has completed audit projects for more than 30 different organizations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors. He has completed nearly 100 internal audits in his career including: operational audits, system audits, financial audits, value-for-money audits, comprehensive audits, and many more. He has completed almost 50 IT conversion audits and a dozen comprehensive audits of the information technology function.
The author of more than 70 articles on internal auditing, Dan is currently a freelance writer and independent management consultant at an eponymous firm. He can be reached via email.