Great point about the ability to communicate! Why do you think communication is such a challenge in the IT Auditing world? How about the IT world in general?
I think it’s a challenge in most worlds. Communicating effectively isn’t inherent in everyone. It’s a skill that has to be developed and practiced. Good communicators place themselves in the shoes of the person they are talking or writing to and start to ask questions.
What is it they want to get out of what I’m telling them? What’s most important? What can they take action on? What am I asking them to do? When do they need to do this by?
I second Andres. Not everyone has the ability to communicate thoroughly. Not to mention, the IT language cannot be grasped by everyone. Thus, in the IT world, there is an individual who acts as a mediator, whose primary goal is to communicate the wants of customers to those individuals in IT.
Communication in IT Auditing is super critical because the IT Team talks in a language of their own, and as an IT Auditor you have to understand and communicate in their language; otherwise they won’t respect you and it’ll be difficult for you to do an effective audit. Once the audit is complete, the IT Audit team has to clearly communicate its findings, bridging the gap between the IT and non-IT language.
Just as auditors audit the company’s financial documents to see whether they follow the standards, IT Auditors do the same thing. IT Auditors need to look at the IT system to see how it matches the standards, policies, and practices. They also need to test the system, know about the controls and keep records.
Because IT auditors can evaluate the system, they can figure out the potential threats to the system and know whether the system has some programs that disobey the rules. They can also call up and search the old records.
In my opinion, IT Auditors are organizations’ fixers and the role that helps the system improve. Like I said above, the IT Auditors help the organizations find the threats and give advice to improve the system.
Great input! What is the point of standards within an organization? Why can’t a server admin be trusted to build every server the same way without a checklist to follow?
First, I would say that the standard is for organizations. Hence, in my opinion, the IT Auditors’ job is to check that there is no program disobeying the network policy, and to check whether there are some malicious programs that may use vulnerabilities to attack the system. IT auditors also take responsibility for protecting organizations’ information security.
For the second question, the key point why we cannot build every server in the same way is that it makes all organizations have the same model; it is easy for hackers to find a way to crack and attack the system, and it will become huge damage to all the servers.
The comments coming to my brain are all here; if I have something I need to add, I will reply again.
I think your point highlights why it’s important to learn some of the technical skills we’re going to hear about in this class. An auditor armed only with a policy and a checklist isn’t going to be savvy enough to understand if he or she is being sold short during an audit by subject-matter experts. If you don’t know anything about how cars work, how comfortable are you going to be arguing with a mechanic if you don’t understand what they are charging you for?
In my opinion, the main job of IT auditors should be evaluating and protecting the organizations from the perspective of their virtual assets and information systems. They must maintain confidence, integrity, and accessibility of the data, and help the organization to achieve its goals and maintain efficient IT governance.
IT auditors are necessary for the values they bring to the organizations. IT auditors co-work with all the departments within the organization and provide the necessary evaluations and suggestions to decrease the risks and the losses from the information security and IT governance.
To play the role of IT auditors, IT auditors should become the bridges between the business departments and the programmers from IT departments, so they should have both the knowledge of IT technology and business background.
Thanks for the input! Do you think IT Auditors should be hired as 3rd party, organized in their own department or within the IT departments themselves?
In my opinion IT auditors should be organised in their own department, not within the IT department, so that they maintain auditor independence. If they need to understand a particular process in the IT department then they can just take time and go to the IT department and see how the process is being done.
Thanks for your response. In my opinion, it depends on the size and the needs of the company. For smaller companies or companies without special requirements, outsourcing properly is a better consideration. However, larger companies and companies with unique needs might be on the contract.
Agree with your opinion, especially the idea that IT auditors should be a bridge between the business department and the programmers. And for the question from Prof. Wasson, I think it depends on the situation of each company, but in general, I’m guessing that IT auditors can be both organized in their own department and within the IT departments themselves. Being organized in their own department is good for keeping independence, so the auditing result might be more reliable. Being within the IT departments might save more resources and reduce procedures, so things can be done more effectively and efficiently.
In my opinion, a person who is responsible for collecting and evaluating an organization’s operations and information systems is called an IT Auditor. IT Auditors should follow the policies in organizations and monitor the IT systems. They should ensure that the IT systems are compatible with the policies and standards, and protected. I think the reason that IT Audit is necessary and important is that IT Auditors can assure organizations that the level of protection for IT systems is implemented. They can act as a guard in organizations and prevent any fraud. They can also ensure the information that may be needed by users is completely correct and reliable. IT Auditors can play a vital role in many organizations. They should review and monitor the hardware, software, and infrastructure of a business, and ensure that they are the most suitable options for the business.
Yes professor, I think there is a connection between IT auditors and technical skills. To be an effective IT auditor, you should have adequate knowledge of computer skills, networking, database concepts such as MySQL, etc.
In my understanding, IT auditors are people who belong to the audit department and are responsible for the IT part. There are two types of IT auditors, internal and external. Internal IT auditors work in the company, and they report to their own audit manager or audit committee. External auditors work independently from the company they audit, and they report to the company’s shareholders. External auditor teams are usually more experienced. Sometimes they can rely on the internal auditors’ results, sometimes not. Besides the audit, external auditors also provide recommendations for how to mitigate the risk, like IT consultants.
I would say external auditors are more effective. Correct me if I am wrong, but in my understanding, part of the reason a company has its own internal audit is so that it could successfully pass the external audit.
External auditors may bring more skills and best practices acquired by auditing more firms in the industry.
On the other hand internal auditors are more knowledgeable about the business and sometimes employees might be more open to internal auditors rather than external auditors.
Internal auditors experience the situations first hand and have more time to work with the organisation on a day to day basis rather than external auditors who come once in a while and go.
In my opinion internal auditors are more effective and external auditors may be called upon once in a while.
Good points. I think you also have to factor in the costs associated with external auditors. These are professionals/organizations that can charge $200-300 per hour and per consultant to work on projects. They’re not cheap!
As is the general consensus, I think IT auditors within an organization are to plan and perform an audit for the organization and to obtain and provide reasonable assurance that the financial statements are free of material misstatement whether caused by error or fraud.
An auditor is supposed to form an opinion by gathering appropriate and sufficient evidence, and observe, test, compare and confirm until gaining reasonable assurance. The auditor then forms an opinion of whether the financial statements are free of material misstatement.
In talking about the roles of Auditors within the organization, I would like to classify auditors into Internal Auditors and External Auditors.
Internal Auditors vs. External Auditors
The purpose of Internal Audit is to ensure that a company’s documentation meets the requirements of the framework being used (ISO etc.), and that daily operations are patterned after this framework.
To digress a little, there are cases where some firms/organizations (e.g. Coy A) outsource their Audit to other companies (e.g. Coy B); in this case, we can say Coy B is performing Internal Audit for Coy A.
And that being said, coy B in their Audit assessment must be objective and professional, and they must watch out for Audit/Residual Risk (risk that an auditor may issue an unqualified report due to the auditor’s failure to detect material misstatement either due to error or fraud.)
The primary role of external auditors is also to express an opinion on whether an organization’s financial statements are free of material misstatements.
External Auditors should also not provide certain services to the entity they audit. I think this is because the auditor should be independent from the client company, so that the audit opinion will not be influenced by any relationship between them.
The external auditors are expected to give an unbiased and honest professional opinion on the financial statements to the shareholders.
To build off of your discussion on external versus internal auditors, my employer refers to a “Three Lines of Defense” concept.
It’s an onion-layer/defense-in-depth approach that starts with the front line. This would be made up of things like the Security/Network Operations Center (SOC/NOC), developers that are writing secure code, etc. The second layer is an internal auditor that is independent from the front-line organization or team. We call ours the “Organizational Risk Management” team. Third are the external auditors, and these would typically work for a consulting company, such as PwC or Deloitte.
IT auditors find and evaluate the risks in a business that are related to technology. In addition, IT auditors also provide opinions on the technical control environment. Each company needs IT auditors, because they can find the risks in information systems, and the IT department can lower the risk or fix the vulnerabilities. In an accounting firm, IT auditors are also important because IT auditing is an important part of the auditing process. Auditors issue auditing reports that focus not only on the financial parts, but also on the IT parts.
IT audits require auditors to review printouts of programming code. IT audits require IT auditors to obtain copies of clients’ applications to test them.
An IT audit is an in-depth analysis of a company’s technical environment, including its existing computer applications, hardware infrastructure, IT plan and IT-related personnel.
IT auditors play a role in auditing the IT risk of organizations or companies and ensuring their systems are effective and efficient in accordance with policies and regulations within the company and the nation. I believe IT auditors are necessary nowadays because almost all industries are involved in the world of information technology; more and more companies, universities, and other organizations are relying on information technology. But every coin has two sides: information technology can be helpful but can also bring some risks. IT auditors have the ability to identify these risks and to give direction about how to revise, improve, and avoid them. Just like a doctor to patients, I think IT auditors play the role of IT doctors to the organization, finding the risks and violations, which will help in avoiding unnecessary loss and promoting the organization’s development.
IT Auditors maintain the integrity and secure information systems in an enterprise. These individuals are constantly evaluating, monitoring, and reporting the effectiveness of such information systems. IT Auditors must also work side by side with other members of the IT department to correct any discrepancies. Additionally, IT Auditors must communicate the findings with the Board. Thus, these individuals are necessary as they help in ensuring that the company’s goals and objectives are aligned with that of the IT department.
For a regular auditor, his job is to audit different kinds of financial statements. However, for an IT auditor, if we infer the nature of his work from the prefix “IT”, he will be performing audit work on everything that is involved in information technology. In today’s business world, information assets have gradually become the core competency of a company, so information security within an organization must be guaranteed; therefore, IT auditors were born in this particular background. Most corporations have established a position for a Chief Information Officer (CIO) who is responsible for the internal information system and the planning and integration of information resources. IT auditors perform audit work on the information system and report any issues to the CIO.
I think IT auditors are equivalent to maintenance personnel and supervisors. We all know that auditors check that the accounts are correct, to prevent company tax evasion or fraud. Similarly, the same is true of IT auditors, checking and maintaining the wrong procedures and reducing the risk of management. Most of today’s work requires information technology, and if a company does not have IT auditors, there will be a lot of damage when their mechanisms are in question, so the presence of IT auditors is necessary.
An IT auditor is responsible for identifying the potential risks of an organization’s system, and using effective methods to mitigate or avoid the risks. An IT auditor should use both business and technical knowledge to evaluate system vulnerabilities and solutions. IT auditors play an important role in organizations, because they can protect information assets from cybercrime, reduce financial loss, and avoid reputation damage.
IT audit is part of the internal audit, whose goal is to provide reasonable assurance to stakeholders that internal control is in place and operating effectively. Additionally, the audit team will continuously improve the effectiveness and efficiency of the internal control by identifying risks and developing appropriate solutions to mitigate them. IT audit primarily focuses on evaluating the effectiveness and assessing the risks of IT infrastructure and IT operations, including system platforms, databases, networks, and business processes. IT auditors also ensure that IT operations are aligned with the enterprise’s overall strategies, directions, and regulatory requirements.
IT auditors are a kind of auditor. Their jobs are more like auditing of information technology, computer systems, and the like. IT auditors should ensure that the core infrastructure supporting the company’s systems has the proper security and controls. Unlike the business folks who just understand how to use application systems, IT auditors generally are IT professionals. For example, the IT auditors could look at the database layer and below, but could also help to review some of the general application controls.
The role of the IT auditor is to test the design/operating effectiveness of the organization’s IT functions. In addition, their role is to help the organization assess the weaknesses found in the various audits. They are necessary to help ensure that risks are appropriately mitigated. The IT auditor could have various roles in the organization, including Internal Audit or SOX.
The IT Auditor helps:
1) Set the rules of the IT organization – both practically (implementing policy) and helping design policy
2) Verify that the proper rules/policies are implemented
3) Test and “audit” policies against user interaction and system usage (viewing logs etc.)
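The third item above, testing policy against actual system usage by viewing logs, is what a user access review looks like in practice. The following is an added example written for this thread, not code from any commenter or employer: it parses a constructed sample of sudo and sshd log lines (a hypothetical, simplified format) and compares the activity against an approved-administrator list and an HR roster, both constructed here, to produce audit findings such as privileged activity by an unapproved account or activity after a termination date.

```python
"""Control test: privileged activity in system logs versus the approved-access
list and the HR roster. Added illustrative example; all data is constructed."""
import re
from datetime import date

# Constructed control evidence (not from any real organization).
APPROVED_ADMINS = {"alice", "bob"}          # approved sudo users per access policy
HR_ROSTER = {                                # status per the HR system of record
    "alice": {"status": "active", "terminated": None},
    "bob": {"status": "active", "terminated": None},
    "carol": {"status": "terminated", "terminated": date(2016, 9, 30)},
    "dave": {"status": "active", "terminated": None},
}

# Constructed log sample in a simplified "date time host program: detail" layout.
SAMPLE_LOG = """\
2016-10-03 08:15:02 srv01 sudo: alice : COMMAND=/usr/bin/systemctl restart httpd
2016-10-03 09:02:45 srv01 sudo: dave : COMMAND=/usr/sbin/useradd tempuser
2016-10-04 22:41:10 srv02 sudo: carol : COMMAND=/usr/bin/cat /etc/shadow
2016-10-05 10:00:00 srv02 sshd: Accepted publickey for bob from 10.0.0.5
2016-10-05 10:05:13 srv02 sudo: bob : COMMAND=/usr/bin/yum update
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>\w+): (?P<rest>.*)$"
)
SUDO_RE = re.compile(r"^(?P<user>\w+) : COMMAND=(?P<cmd>.*)$")
SSH_RE = re.compile(r"^Accepted \w+ for (?P<user>\w+) from ")


def parse_events(log_text):
    """Turn raw log lines into events; sudo lines are marked privileged."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised layout: skip rather than guess
        rest = m.group("rest")
        privileged = m.group("program") == "sudo"
        um = SUDO_RE.match(rest) if privileged else SSH_RE.match(rest)
        if not um:
            continue
        events.append({
            "date": date.fromisoformat(m.group("date")),
            "host": m.group("host"),
            "user": um.group("user"),
            "privileged": privileged,
            "detail": rest,
        })
    return events


def review_access(events, approved, roster):
    """Return (finding_type, user, host, date) tuples for policy deviations."""
    findings = []
    for ev in events:
        person = roster.get(ev["user"])
        if person is None:
            findings.append(("UNKNOWN_ACCOUNT", ev["user"], ev["host"], ev["date"]))
            continue
        if person["terminated"] and ev["date"] > person["terminated"]:
            findings.append(("ACTIVITY_AFTER_TERMINATION", ev["user"], ev["host"], ev["date"]))
        if ev["privileged"] and ev["user"] not in approved:
            findings.append(("UNAPPROVED_PRIVILEGE", ev["user"], ev["host"], ev["date"]))
    return findings


if __name__ == "__main__":
    for f in review_access(parse_events(SAMPLE_LOG), APPROVED_ADMINS, HR_ROSTER):
        print("%-26s user=%-6s host=%s date=%s" % f)
```

On the sample data this reports three findings: dave used sudo without being on the approved list, and carol both acted after her termination date and used sudo without approval. Each finding points back to a host and date, which is the evidence an auditor would take to the control owner; the "unknown account" branch covers the common edge case of an account that exists on a server but not in HR at all.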
Every business has its own way of doing business. There are things that every company may have, like an online website or a domain that all computers exist on, but there are intricacies of these functions that can be done differently for the same effect. The only difference is that one way may be more vulnerable than the other. Auditors make sure that the company has done everything in the most secure way that it could. Their role is to look at whether processes and configurations are done in the best way possible to ensure that the company is properly protected from potential threats.
Heiang Cheung says
IT auditors make sure IT processes are done correctly and follow company procedures/policies. They also make sure that systems are in place to prevent things like fraud. They are needed in an organization because I would say auditors are like the police in an organization, making sure everyone follows procedures. So IT auditors kind of police the IT department, and they are needed because most people don’t have that much in-depth knowledge about IT except for the IT people.
Hanqing Zhou says
I like your idea about IT Auditors being like the organization’s police; IT Auditors give a lot of help to upgrade the organization’s system.
Folake Stella Alabede says
Yes, the police part fits just right. And a lot of people don’t like us Auditors (I wonder why; we work for the same company and we should have the same goals, right? If you do your job right, then you have no reason to fear the Auditors, right?)
Some people are downright mean, and you keep requesting some bits of evidence over and over till you have to escalate.
Some employees will even ask us – do we need to provide this evidence to you every year? (I mean, yes: annually, bi-annually, quarterly, for the SOX audits and any other audits, we need this evidence as we need it.)
Sometimes Auditing can be tough.
Rouying Tang says
I agree with your description of the jobs of the IT auditors: to make sure the organizations follow the rules and procedures and prevent them from fraud. But the financial auditors also share the same functions in those works.
Patrick J. Wasson says
Great point about IT Auditor “policing” the IT Department. Why do you think IT departments would need to be policed? Can’t they be trusted to follow policies on their own?
Zhixin Wei says
You gave a good explanation of an auditor’s roles.
Marsha Billups says
IT Auditors ensure that all IT related matters are handled in accordance with the company’s IT protocol, policies and procedures. They’re needed to provide an objective analysis of the controls in place to ensure IT integrity. IT Auditors serve as the inspectors who continuously probe and help the business understand and mitigate IT risk.
Hanqing Zhou says
Like what you said, IT Auditors make IT complete and precise.
Patrick J. Wasson says
Good point about objective analysis Marsha! Why do you think people often provide a subjective analysis?
Marsha Billups says
We all have different life experiences and see everything through a different lens that impacts analysis and its interpretation.
Karabo Ntokwane says
The first word that comes into my mind when I think of IT auditors is compliance. IT auditors ensure compliance to IT Policies, IT Regulations and to standard operating procedures. They also look at the already established policies in the organization and find if they are effective in addressing the risks and threats. They conduct audits then communicate the findings of those audits and make recommendations for doing best practices.
IT auditors are there in an organization to give management and investors peace of mind that everything is done according to the standards. They exist in an organization to ensure confidentiality and integrity of data.
Hanqing Zhou says
The IT Auditors are like the guards of the organization; they find the risk and try to deal with it.
Rouying Tang says
Ntokwane gave good descriptions of the jobs of IT auditors from compliance, risk controls and data protection. All three parts above are critical for playing a good role as an IT auditor. Thank you for your sharing.
Somayeh Keshtkar says
I agree with you, Karabo. IT Auditors should ensure that the IT systems are compatible with the policies and standards, and protected.
Patrick J. Wasson says
Great input! Do you think IT Auditors are generally more technically oriented or more business oriented?
Folake Stella Alabede says
To give an input to this discussion thread, I think we should take into cognizance the fact that there is a classification of Financial Auditors and IT Auditors.
So Prof Wasson, to answer your question – I think IT Auditors should be very technically oriented and probably a bit business oriented. Because like you rightly noted in class on Thursday, it’s good to know a bit about it all (the servers, database, networking, SLAs etc.; that’s the reason for this class, right?). And now that Firms/Organizations are even recognizing the need for IT Governance, I think the technical aspect and the business aspects are inter-operable and even sometimes inseparable.
But I have another question I also want to throw out. I remember going for an interview where they kept asking these very technical questions – like what does D (DIC) mean in SAP, or what does the USRO2 Report mean when you’re auditing an ERP, and other questions that I think are kind of not relevant to what an IT Auditor should do. What should be the right answer for these interviewers? (Because we actually do not perform all these queries per se; we as IT auditors gather appropriate and sufficient evidence, inspect, observe and test, right? Not query a database or an ERP system.)
When we say Technical for IT Auditors – how technical should technical be?
Karabo Ntokwane says
I think IT auditors should be both technically oriented as well as business oriented. An IT auditor has to look at the IT infrastructure in the organisation, audit it and provide input. This means they should know what they are talking about from a technology point of view. At the same time they should be business oriented. They need to bring the business executives on board just to get them to understand the risks in the organisation and the need to invest in some security measures to ensure the organisation is secure. They need to be able to talk the business language and explain the return on investment and explain the whole process in the way that the business can understand.
Andres Galarza says
I looked at some postings on Indeed.com for “IT Auditor”. Here’s an example overview:
“We can help companies achieve multiple compliance objectives through the use of a single third party assessor. How? We offer a suite of interrelated assessment and certification services that our professionals are uniquely trained and qualified to deliver.”
A sampling of job requirements:
– 1+ year of experience from a national public accounting or consulting firm
– SOC/SSAE 16 experience but interested in learning new services such as PCI, HIPAA/HITRUST, FedRAMP, and ISO
– Have or would like to obtain your CISA, CISSP, CIA or other certifications
– Bachelor’s degree in Accounting, Finance, MIS, IT, or related field
– Prepare reports in a clear, concise and timely manner, discussing audit reviews with senior members of the audit team, and identifying misstatements, errors, and control weaknesses with the audited operations.
– Review and evaluate internal control systems and collaborate with clients to develop and implement security policies, plans and strategies.
From the above, I came away with the following conclusions. IT Auditors are responsible for keeping organizations in compliance with a range of regulations, laws and industry best practices. These regulations and best practices vary by industry (SOX/PCI DSS for financial services, HIPAA for healthcare, NIST/COBIT for any number of sectors, etc.). They’re necessary because a non-compliant company can get crushed by regulators or their competition and go out of business. Organizations attempt to meet compliance requirements through “controls”, which IT Auditors can test and verify. For example, I’m currently working on a project that deals with the European Union and relates to customer data privacy. The non-compliance penalties are percentage based. The example given to us was 4% of total worldwide turnover, which would cost my organization $1,327,600,000.
In terms of their roles within an organization, I liked the bullet that stressed the ability to communicate. Findings/Assertions must be clearly understood by management, so an IT Auditor that can’t communicate well is pretty useless.
Hanqing Zhou says
Thanks for your detailed introduction about the IT auditor. It really helped me understand the requirements to become an IT auditor.
Rouying Tang says
Galarza's citations gave a brief and clear description of the requirements of IT auditing, which brings us a vivid image of the market needs for a qualified IT auditor and a different view of this job. I like this wonderful thinking style that helps us understand the work of an IT auditor.
Somayeh Keshtkar says
Thank you for your information. I did not have experience in IT Audit, and it was a great help for me to be more familiar with the requirements.
Patrick J. Wasson says
Great point about the ability to communicate! Why do you think communication is such a challenge in the IT auditing world? How about the IT world in general?
Andres Galarza says
I think it’s a challenge in most worlds. Communicating effectively isn’t inherent in everyone. It’s a skill that has to be developed and practiced. Good communicators place themselves in the shoes of the person they are talking or writing to and start to ask questions.
What is it they want to get out of what I’m telling them? What’s most important? What can they take action on? What am I asking them to do? When do they need to do this by?
Raisa Ahmed says
I second Andres. Not everyone has the ability to communicate thoroughly. Not to mention, the IT language cannot be grasped by everyone. Thus, in the IT world, there is an individual who acts as a mediator, whose primary goal is to communicate the wants of customers to those individuals in IT.
Marsha Billups says
Communication in IT auditing is super critical because the IT team talks in a language of its own, and as an IT auditor you have to understand and communicate in their language; otherwise they won't respect you and it'll be difficult for you to do an effective audit. Once the audit is complete, the IT audit team has to clearly communicate its findings, bridging the gap between the IT and non-IT language.
Hanqing Zhou says
Like auditors who audit a company's financial documents to see whether they follow the standards, IT auditors do the same thing. IT auditors need to look at the IT system to see how it matches the standards, policies, and practices. They also need to test the system, know about the controls, and keep records.
Because IT auditors can evaluate the system, they can figure out the potential threats to the system and know whether the system has some programs that disobey the rules. They can also call up and search the old records.
In my opinion, IT auditors are organizations' fixers and the role that helps the system improve. Like I said above, IT auditors help organizations find threats and give advice to improve the system.
Somayeh Keshtkar says
Good points, Hanqing. I agree with you, and I also think they can act as a guard in organizations and prevent any fraud.
Patrick J. Wasson says
Great input! What is the point of standards within an organization? Why can't a server admin be trusted to build every server the same way without a checklist to follow?
Hanqing Zhou says
First, I would say that the standard is for organizations. Hence, in my opinion, the IT auditors' job is to check that there is no program that disobeys the network policy, and to check whether some malicious programs may use vulnerabilities to attack the system. IT auditors also take responsibility for protecting organizations' information security.
For the second question, the key point why every server cannot be built in the same way is that it makes all organizations have the same model; it is easy for hackers to find a way to crack and attack the system, and it will become a huge damage to all the servers.
The comments coming to my brain are all here; if I have something I need to add, I will reply again.
Andres Galarza says
I think your point highlights why it's important to learn some of the technical skills we're going to hear about in this class. An auditor armed only with a policy and a checklist isn't going to be savvy enough to understand if he or she is being sold short during an audit by subject-matter experts. If you don't know anything about how cars work, how comfortable are you going to be arguing with a mechanic if you don't understand what they are charging you for?
Rouying Tang says
In my opinion, the main job of IT auditors should be evaluating and protecting the organization from the perspective of its virtual assets and information systems. They must maintain confidence, integrity, and accessibility of the data, and help the organization achieve its goals and maintain efficient IT governance.
IT auditors are necessary for the value they bring to organizations. IT auditors co-work with all the departments within the organization and provide the necessary evaluations and suggestions to decrease the risks and losses from information security and IT governance.
To play the role of IT auditors, IT auditors should become the bridge between the business departments and the programmers from the IT departments, so they should have both knowledge of IT technology and a business background.
Patrick J. Wasson says
Thanks for the input! Do you think IT Auditors should be hired as 3rd party, organized in their own department or within the IT departments themselves?
Karabo Ntokwane says
In my opinion, IT auditors should be organised in their own department, not within the IT department, so that they maintain auditor independence. If they need to understand a particular process in the IT department, they can just take time, go to the IT department and see how the process is being done.
Rouying Tang says
Thanks for your response. In my opinion, it depends on the size and the needs of the company. For smaller companies or companies without special requirements, outsourcing properly is a better consideration. However, larger companies and companies with unique needs might be on the contract.
Yingyan Wang says
I agree with your opinion, especially the idea of IT auditors being a bridge between the business department and the programmers from the IT department. And for the question from Prof. Wasson, I think it depends on the situation of each company, but in general I'm guessing that IT auditors can be both organized in their own department and within the IT departments themselves. Their own department is good for keeping independence, so the auditing result might be more reliable. Within the IT departments might save more resources and reduce procedures, so things can be done more effectively and efficiently.
Somayeh Keshtkar says
In my opinion, a person who is responsible for collecting and evaluating an organization's operations and information systems is called an IT auditor. IT auditors should follow the policies in organizations and monitor the IT systems. They should ensure that the IT systems are compatible with the policies and standards, and protected. I think the reason that IT audit is necessary and important is that IT auditors can assure organizations that the level of protection for IT systems is implemented. They can act as a guard in organizations and prevent any fraud. They can also ensure the information that may be needed by users is completely correct and reliable. IT auditors can play a vital role in many organizations. They should review and monitor the hardware, software, and infrastructure of a business, and ensure that they are the most suitable options for the business.
Patrick J. Wasson says
Do you see a connection between the various technical components IT auditors need to audit and the topic we will be covering in this class?
Somayeh Keshtkar says
Yes, professor, I think there is a connection between IT auditors and technical skills. To be an effective IT auditor, you should have adequate knowledge of computer skills, networking, database concepts such as MySQL, etc.
Ruby(Qianru) Yang says
In my understanding, IT auditors are people belonging to the audit department who are responsible for the IT part. There are two types of IT auditors, internal and external. Internal IT auditors work in the company, and they report to their own audit manager or audit committee. External auditors work independently from the company they audit, and they report to the company's shareholders. External auditor teams are usually more experienced. Sometimes they can rely on the internal auditors' results, sometimes not. Besides auditing, external auditors also provide recommendations for how to mitigate the risk, like an IT consultant.
Patrick J. Wasson says
Good work. Do you believe Internal or External auditors are more effective?
Ruby(Qianru) Yang says
I would say external auditors are more effective. Correct me if I am wrong; in my understanding, part of the reason a company has its own internal audit is so that it can successfully pass the external audit.
Karabo Ntokwane says
External auditors may bring more skills and best practices acquired by auditing more firms in the industry.
On the other hand, internal auditors are more knowledgeable about the business, and sometimes employees might be more open to internal auditors rather than external auditors.
Internal auditors experience the situations first hand and have more time to work with the organisation on a day-to-day basis, rather than external auditors who come once in a while and go.
In my opinion, internal auditors are more effective, and external auditors may be called upon once in a while.
Andres Galarza says
Good points. I think you also have to factor in the costs associated with external auditors. These are professionals/organizations that can charge $200-300 per hour and per consultant to work on projects. They’re not cheap!
Folake Stella Alabede says
As is the general consensus, I think IT auditors within an organization are to plan and perform an audit for the organization and to obtain and provide reasonable assurance that the financial statements are free of material misstatement whether caused by error or fraud.
Folake Stella Alabede says
What are auditors' roles within organizations?
An auditor is supposed to form an opinion by gathering appropriate and sufficient evidence, and observe, test, compare and confirm until gaining reasonable assurance. The auditor then forms an opinion of whether the financial statements are free of material misstatement.
In talking about the roles of auditors within the organization, I would like to classify auditors into internal auditors and external auditors.
Internal Auditors vs. External Auditors
The purpose of internal audit is to ensure that a company's documentation meets the requirements of the framework being used (ISO etc.), and that daily operations are patterned after this framework.
To digress a little, there are cases where some firms/organizations (e.g. Coy A) outsource their audit to other companies (e.g. Coy B); in this case, we can say Coy B is performing internal audit for Coy A.
That being said, Coy B in their audit assessment must be objective and professional, and they must watch out for audit/residual risk (the risk that an auditor may issue an unqualified report due to the auditor's failure to detect material misstatement, either due to error or fraud).
The primary role of external auditors is also to express an opinion on whether an organization's financial statements are free of material misstatements.
External auditors should also not provide certain services to the entity they audit. I think this is because the auditor should be independent from the client company, so that the audit opinion will not be influenced by any relationship between them.
The external auditors are expected to give an unbiased and honest professional opinion on the financial statements to the shareholders.
Andres Galarza says
To build off of your discussion on external versus internal auditors, my employer refers to a “Three Lines of Defense” concept.
It's an onion-layer/defense-in-depth approach that starts with the front line. This would be made up of things like the Security/Network Operations Center (SOC/NOC), developers that are writing secure code, etc. The second layer is an internal auditor that is independent from the front-line organization or team. We call ours the "Organizational Risk Management" team. Third are the external auditors, and these would typically work for a consulting company, such as PwC or Deloitte.
Xinteng Chen says
IT auditors find and evaluate the risks in business which are related to technology. In addition, IT auditors also provide opinions on the technical control environment. Each company needs IT auditors, because they can find the risks in information systems, and the IT department can then lower the risk or fix the vulnerabilities. In accounting firms, IT auditors are also important because IT auditing is an important part of the auditing process. Auditors issue auditing reports that focus not only on financial parts, but also on IT parts.
Zhixin Wei says
IT audits require auditors to review printouts of programming code. IT audits require IT auditors to obtain copies of clients’ applications to test them.
An IT audit is an in-depth analysis of a company’s technical environment, including its existing computer applications, hardware infrastructure, IT plan and IT-related personnel.
Andres Galarza says
I’m glad you pointed out personnel. IT Auditors definitely look at the issues surrounding things like employee training and non-technical work habits.
Yingyan Wang says
IT auditors play a role in auditing the IT risk of organizations or companies and ensuring their systems are effective and efficient in accordance with policies and regulations within the company and the nation. I believe IT auditors are necessary nowadays because almost all industries are involved in the world of information technology; more and more companies, universities, and other organizations are relying on information technology. But every coin has two sides: information technology can be helpful but can also carry some risks. IT auditors have the ability to identify these risks and to give direction about how to revise, improve, and avoid them. Just like a doctor to patients, I think IT auditors play the role of IT doctors to the organization, finding the risks and violations, which helps in avoiding unnecessary loss and promoting the organization's development.
Raisa Ahmed says
IT Auditors maintain the integrity and secure information systems in an enterprise. These individuals are constantly evaluating, monitoring, and reporting the effectiveness of such information systems. IT Auditors must also work side by side with other members of the IT department to correct any discrepancies. Additionally, IT Auditors must communicate the findings with the Board. Thus, these individuals are necessary as they help in ensuring that the company’s goals and objectives are aligned with that of the IT department.
Yijiang Li says
For a regular auditor, his job is to audit different kinds of financial statements. However, for an IT auditor, if we infer the nature of his work from the prefix "IT", he will be performing audit work on everything which is involved in information technology. In today's business world, information assets have gradually become the core competency of a company, so information security within an organization must be guaranteed; therefore, IT auditors were born in this particular background. Most corporations have established a position for a Chief Information Officer (CIO) who is responsible for the internal information system and the planning and integration of information resources. IT auditors perform audit work on the information system and report any issues to the CIO.
Chenhui Lai says
I think IT auditors are equivalent to maintenance personnel and supervisors. We all know that auditors check that the accounts are correct, to prevent the company from tax evasion or fraud. Similarly, the same is true of IT auditors, checking and maintaining the wrong procedures and reducing the risk of management. Most of today's work requires information technology, and if a company does not have IT auditors, there will be a lot of damage when their mechanisms are in question, so the presence of IT auditors is necessary.
Dongjie Wang says
An IT auditor is responsible for identifying the potential risks of an organization's system, and using effective methods to mitigate or avoid the risks. An IT auditor should use both business and technical knowledge to evaluate system vulnerabilities and solutions. IT auditors play an important role in organizations, because they can protect information assets from cybercrime, reduce financial loss, and avoid reputation damage.
Haitao Huang says
IT audit is part of the internal audit, whose goal is to provide reasonable assurance to stakeholders that internal control is in place and operating effectively. Additionally, the audit team will continuously improve the effectiveness and efficiency of internal control by identifying risks and developing appropriate solutions to mitigate them. IT audit primarily focuses on evaluating the effectiveness and assessing the risks of IT infrastructure and IT operations, including system platforms, databases, networks, and business processes. IT auditors also ensure that IT operations are aligned with the enterprise's overall strategies, directions, and regulatory requirements.
Ping Sun says
IT auditors are a kind of auditor. Their jobs are more like auditing of information technology, computer systems, and the like. IT auditors should ensure that the core infrastructure supporting the company's systems has the proper security and controls. Unlike the business folks who just understand how to use application systems, IT auditors generally are IT professionals. For example, IT auditors could look at the database layer and below, but could also help to review some of the general application controls.
Linlan Chen says
As for me, I think the IT auditor's function is to check that every system process is right and to monitor the IT systems!
Tamekia P. says
The role of the IT auditor is to test the design/operating effectiveness of the organization's IT functions. In addition, their role is to help the organization assess the weaknesses found in the various audits. They are necessary to help ensure that risks are appropriately mitigated. The IT auditor could have various roles in the organization, including Internal Audit or SOX.
Fraser G says
The IT auditor helps:
1) Set the rules of the IT organization – both practically (implementing policy) and by helping design policy
2) Verify that the proper rules/policies are implemented
3) Test and "audit" policies against user interaction and system usage (viewing logs, etc.)
Vittorio Christian DiPentino says
Every business has its own way of doing business. There are things that every company may have, like an online website or a domain that all computers exist on, but there are intricacies of these functions that can be done differently for the same effect. The only difference is that one way may be more vulnerable than the other. Auditors make sure that the company has done everything in the most secure way that it could. Their role is to check that processes and configurations are done in the best way possible to ensure that the company is properly protected from potential threats.