What Every IT Auditor Should Know
About IT Audits and Data

By Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA
Volume 2, 2009


It could be argued that the central focus or object of the IT audit is data. In a financial audit, the IT auditor is chiefly evaluating and testing controls, transactions and information systems that are associated with the data integrated into the financial reports. In many compliance audits (e.g., HIPAA), data remain the central issue. In IT audits, one main objective is that the IT being examined enables the integrity, reliability, timely communication and security of the data.

While that point may be self-evident, a common problem in IT audits is that management has not effectively identified and classified all of the entity’s data. Therefore, when this condition does exist, the IT auditor could be proceeding with the audit under the false assumption that the data being examined are all that needs to be examined. Identifying, collecting, classifying and controlling data are part of the holistic process known as information life cycle management (ILM).

Within that context, this article will review some basics about data that every IT auditor should know and apply.1

Information Life Cycle Management—Data

Information life cycle management includes more than data, but data are at the heart of ILM. For instance, ILM includes compliance (e.g., HIPAA, e-discovery), information security (e.g., access controls), tools (e.g., forensics, data mining), business continuity/disaster recovery, appropriate policies and procedures, and other similar issues. The central object, however, is definitely the data. To effectively manage data and to effectively control data, all data must be identified, collected, classified and controlled (see figure 1).

Figure 1

Find All of the Data

One common problem with data is that management is not able to completely identify all of the entity’s data. The larger the organization and the more autonomous business units are within an organization, the more likely it is that the organization has developed data in inconspicuous repositories and, perhaps, failed to comply with policies and procedures about data, assuming adequate ones have been developed.

Structured data, such as those produced by core applications, are readily identifiable. It is the unstructured data that are at risk of being developed and lost in the morass of systems and data, or the hectic pace of business. For example, an employee develops a spreadsheet to make some business process easier to perform and the data in the spreadsheet must meet some threshold established by management regarding criticality or risk associated with financial reporting, compliance, or organizational policies and procedures. Management may not be aware that the business process is being handled in that fashion or that critical data are now housed in a spreadsheet. If management is unaware of this situation, how can it properly control that data? If the IT auditor is unaware of this situation, how can he/she properly conduct the audit? A major issue with unstructured data is that they are growing in volume and type.

Obviously, the limitation here is one of relevance. Neither management nor the IT auditor would want to involve all of the data in the entity in performing their duties. So data would be assessed based on some threshold level of relevance, such as risk, ultimate use or importance. However, there should be some policies and procedures in place to make sure all data have been filtered through this data control model, to ensure that no relevant data have been missed.

The IT auditor should make sure to include in the audit some means of gaining assurance that all relevant data (relevant to the audit objectives) have been found by management. That assurance can be attained by interviews with management, review of data policies and procedures, and tracing data back from the end object (e.g., transaction or account balance) to its source. Another helpful technique is to make inquiries of key personnel on the “front line” of relevant business processes.

Collect All of the Data

Management should have not only identified all relevant data, but collected them by placing them into a system. It may be best for some business process data to be housed in a spreadsheet, but those data should be tied to some kind of system so they can be managed and controlled effectively.

The IT auditors should be cognizant of this fact when they find data in one of the unstructured areas. That is, when IT auditors encounter unstructured data, they should ascertain whether the data have been properly collected—systemized. If the IT auditor determines that the unstructured data are stand-alone, then that will obviously be a concern.

Classify All of the Data

This step is the one in which relevance would be assessed by management. Once data have been identified and collected, management will want to classify the data according to some appropriate model. For management, that classification process would, at a minimum, identify all data that require controls, most likely based on an appropriate risk assessment. Management should have developed policies and procedures associated with this classification, including issues such as risk assessment, systems of collection and controls.

Classification is important in enabling IT auditors to perform audit procedures efficiently and effectively. IT auditors may not be able to test controls or gather appropriate evidence if they have not been given the complete list of relevant data. For example, if the IT auditor by chance finds a spreadsheet, kept by one or two employees on a laptop, that is used to calculate bids on large projects, and management has not classified it as above the established threshold (e.g., some minimal level of risk or importance), then the IT auditor would have concerns that the classify step is not working properly. If it is not working effectively, what other relevant (risky) data exist but have not been classified? How does that situation affect assurance and the IT audit?

Control All of the Data

This step is the one with which IT auditors, and auditors in general, are most familiar. Generally speaking, the integrity of data relevant to the IT audit is directly related to the sufficiency of the controls under which the data are gathered, processed, stored and reported.

One of the primary functions of IT auditors today is to evaluate controls. A problem arises if an unknown relevant data source exists and has not been placed under a formal set of controls. Such a situation could exist and go without detection by the IT auditor. Management cannot effectively control data that have not been properly found, collected and classified. Therefore, the IT auditor should have steps or procedures, formal or informal, in place to gain adequate assurance that no data of relevance exist outside a proper system of internal controls.
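The four steps above (find, collect, classify, control) can be checked as one reconciliation: what the auditor located during discovery is compared against management's data register, and each item is reported under the first step it fails. The script below is an added illustration, not from the article; the item names, register fields and risk threshold are constructed.

```python
# Added example (not from the article): reconcile data found during audit
# discovery against management's data register, producing one finding list
# per ILM step (find, collect, classify, control). All names are constructed.

# Constructed: data items the auditor located (e.g., by tracing account
# balances back to their source and by front-line interviews).
DISCOVERED = {
    "gl_transactions": {"location": "ERP", "structured": True},
    "bid_calculator.xlsx": {"location": "laptop", "structured": False},
    "vendor_master": {"location": "ERP", "structured": True},
    "payroll_adjustments.xlsx": {"location": "shared drive", "structured": False},
}

# Constructed: management's register. system=None means stand-alone data;
# risk=None means management has not yet classified the item.
REGISTER = {
    "gl_transactions": {"system": "ERP", "risk": 5, "controls": ["access", "reconciliation"]},
    "vendor_master": {"system": "ERP", "risk": None, "controls": []},
    "payroll_adjustments.xlsx": {"system": None, "risk": 4, "controls": []},
}

RISK_THRESHOLD = 3  # constructed relevance threshold set by management


def audit_data_lifecycle(discovered, register, threshold=RISK_THRESHOLD):
    """Return, per ILM step, the discovered items that fail that step."""
    findings = {"find": [], "collect": [], "classify": [], "control": []}
    for name in discovered:
        entry = register.get(name)
        if entry is None:
            # Found by the auditor but unknown to management: find step failed.
            findings["find"].append(name)
            continue
        if entry["system"] is None:
            # Identified but never tied to a system: stand-alone data (collect).
            findings["collect"].append(name)
        if entry["risk"] is None:
            # No risk rating, so relevance was never assessed (classify).
            findings["classify"].append(name)
        elif entry["risk"] >= threshold and not entry["controls"]:
            # Relevant by management's own threshold yet under no controls.
            findings["control"].append(name)
    return findings


if __name__ == "__main__":
    for step, items in audit_data_lifecycle(DISCOVERED, REGISTER).items():
        print(f"{step:>8}: {', '.join(items) or 'no exceptions'}")
```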

Conclusion

A key component of a typical IT audit is relevant data. The IT auditor should be aware of the steps necessary to make sure controls have been placed around all relevant data. The data life cycle for management should include find, collect, classify and control data, and should be applied to all of the organization’s data.

There is a risk that management has not been able to completely or effectively find, collect, classify and control relevant data. That circumstance creates at least two problems for the IT auditor: the possibility of missing a key source of data in the audit, and management's inability to control its sensitive data. Thus, the IT auditor should be aware of the significance of stand-alone data when they are discovered.

Endnote

1 For a short article on the subject, see “Before Data Can Be Controlled, It Must Be Found and Classified,” IT Web Ltd., Derek Street, 23 October 2008, www.itweb.co.za/sections/techforum/2008/0810230809.asp?S=Content%20Management&A=CNT&O=google.

Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA
is an associate professor of information systems (IS) at the University of Alabama at Birmingham (USA), a Marshall IS Scholar and a director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting IS using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His publications on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications, including the ISACA Journal.


ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
