IT Audit: Introduction to IT audit-related organizations (ISACA, COSO, PCAOB) and frameworks

23-02-25


IT audit has emerged as an integral part of accounting audits to ensure the accuracy and integrity of financial statements.  

In this post, we will discuss the latest regulations and standards for IT audits and the organizations/agencies involved. 

What is an IT audit? 

An IT audit is an examination and evaluation of an organization's IT systems, policies, operations, and infrastructure. It lets the organization assess whether its IT controls protect assets, preserve data integrity, keep IT resources directed at business objectives, and, in the financial-reporting context, support financial statements that are free of material misstatement.

Latest regulations and standards for IT audits

To make IT audits effective and consistent, several organizations publish the frameworks and standards auditors work against. The most prominent are ISACA, COSO, and the PCAOB; the sections below cover a few representative frameworks and standards from each.

1. ISACA 

ISACA is a global professional association focused on IT governance, security, risk, and audit. On its IRS filings it is still named the Information Systems Audit and Control Association, but the organization itself now uses only the acronym. ISACA publishes the following frameworks relevant to IT audit.

1) COBIT Framework

Control Objectives for Information and Related Technologies (COBIT) is ISACA's framework for the governance and management of enterprise IT. COBIT 5 (2012) is built on five principles:

- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single, integrated framework
- Enabling a holistic approach
- Separating governance from management

COBIT 2019, the current edition, restates these as six principles for a governance system: provide stakeholder value, holistic approach, dynamic governance system, governance distinct from management, tailored to enterprise needs, and end-to-end governance system.

Benefits of the COBIT framework 

The framework helps organizations effectively manage IT operations to achieve business objectives and comply with regulatory requirements and industry standards. It also helps organizations identify potential risks associated with IT operations and develop strategies to mitigate them. Finally, it enables organizations to measure their performance against established benchmarks to continuously improve their operations. 

How does COBIT work?

COBIT describes how an organization should structure the governance and management of its IT to reach its goals. Its core model defines 40 governance and management objectives grouped into five domains: Evaluate, Direct and Monitor (EDM); Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA). Each objective is supported by components such as processes, organizational structures, information flows, policies, skills, and infrastructure. COBIT 2019 also includes a performance-management model that rates process capability on levels 0 to 5, so an organization can measure itself against a target level and track improvement over time. Following the framework helps keep IT activity aligned with business objectives and with whatever regulatory requirements or industry standards apply. For an auditor, the objectives and their practices double as control objectives against which an organization's IT processes can be assessed.


2) ITAF 

ITAF, ISACA's IT audit and assurance framework (currently in its fourth edition, 2020), gives IT auditors a consistent, standardized basis for planning, performing, and reporting on audit and assurance engagements so that they meet stakeholder expectations. Its standards are mandatory for ISACA members and holders of ISACA certifications such as CISA; the accompanying guidelines explain how to apply them.

Components of ITAF 

- General standards (1000 series): the ethical and professional requirements that apply to every engagement, such as the audit charter, organizational independence, auditor objectivity, due professional care, and proficiency.

- Performance standards (1200 series): how the work is planned, performed, and supervised, including risk assessment in planning, engagement planning, evidence gathering, use of the work of other experts, and the handling of irregularities and illegal acts. This is where the assessment and documentation of the internal controls over an organization's IT systems sits.

- Reporting standards (1400 series): the structure and content of the audit report, including findings, recommendations, and management's response, and the follow-up of previously reported issues.

Each standard is paired with a guideline (2000 series) that explains how to apply it in practice.


3) Blockchain Framework and Guidance

ISACA has released the Blockchain Framework and Guidance, which proposes basic concepts for adopting blockchain technology and a framework for implementation, security, governance, and audit.

The ISACA Blockchain Framework provides background information, practical guidance, and tools for a sound blockchain implementation. It covers topics such as understanding blockchain technology, assessing its potential value to the organization, developing a business case for adoption, selecting an appropriate platform or service provider, designing secure applications and smart contracts, implementing privacy controls, monitoring performance metrics, and establishing a governance structure.

The framework also includes an executive guide that describes the key points executives should consider when evaluating blockchain solutions. The guide helps executives understand the risks associated with blockchain technology and what a successful implementation requires, and it gives guidance on developing policies that keep the deployment compliant with applicable laws and regulations.

For auditors, the framework supplies control objectives, controls, and audit procedures for assessing the security of a blockchain deployment, covering areas such as the application and smart-contract design and the privacy controls mentioned above. It helps auditors identify weaknesses in existing systems or processes that a malicious actor could exploit and recommends how to strengthen the relevant controls against those threats.


4) Risk IT Framework

ISACA's Risk IT Framework helps organizations manage IT-related business risk as part of enterprise risk management. It provides a common language and a set of guiding principles, together with practical tools and techniques for assessing and managing risk, so that IT professionals and business managers can discuss the risks in IT systems and infrastructure in the same terms. The first edition (2009) is organized into three domains, Risk Governance, Risk Evaluation, and Risk Response; the second edition (2020) aligns the framework with COBIT 2019.

The risk-management activities the framework covers are:

- Risk governance: Includes the policies, procedures, and structures that govern risk management within the organization.

- Risk assessment: Includes identifying, analyzing, and evaluating risks and their potential impact on the organization.

- Risk response: Includes the selection and implementation of appropriate risk response actions, such as risk avoidance, risk reduction, risk sharing, or risk acceptance.

- Risk monitoring: involves ongoing monitoring and reporting of risk management activities, including identifying changes in the risk profile and evaluating the effectiveness of risk response actions. 


2. COSO 

COSO (the Committee of Sponsoring Organizations of the Treadway Commission) publishes the Internal Control - Integrated Framework (1992, revised in 2013), the framework most U.S. public companies use for their SOX Section 404 assessment of internal control over financial reporting. It defines internal control as a process that provides reasonable assurance about operations, reporting, and compliance objectives, and breaks it into five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. The 2013 revision adds 17 principles under these components and expects all of them to be present and functioning before internal control can be judged effective.

- Control Environment: the foundation the other components build on. It reflects the tone at the top, the organization's commitment to integrity and ethical values, its oversight structure, and the competence and accountability of its people.

- Risk Assessment: identifying and analyzing the risks that could prevent the organization from achieving its objectives, including fraud risk and the effect of significant change, so that they can be managed.

- Control Activities: Control activities are policies and procedures that help ensure that management directives are carried out. Examples of control activities include approvals, authorizations, and verifications.

- Information and Communication: The information and communication component involves identifying, capturing, and exchanging information in a timely and accurate manner. This includes both financial and non-financial information. 

- Monitoring: The monitoring component involves the ongoing review and assessment of the effectiveness of internal control.


3. PCAOB 

The PCAOB is a nonprofit corporation established by the Sarbanes-Oxley Act of 2002 to oversee the audits of U.S. public companies (and, since the Dodd-Frank Act of 2010, of SEC-registered broker-dealers). It sets the auditing standards that registered audit firms must follow, inspects those firms, and can discipline them. Its standards and rules take effect once the U.S. Securities and Exchange Commission (SEC) approves them, and the SEC oversees the PCAOB itself.

1) PCAOB Audit Standard 2201 

AS 2201, "An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements", governs the auditor's opinion on internal control over financial reporting (ICFR) under SOX Section 404(b). It requires the auditor to take a top-down approach: start with entity-level controls, identify significant accounts and relevant assertions, and then test the design and operating effectiveness of the controls that address the risk of material misstatement, including the IT general controls (program development, program changes, computer operations, and access to programs and data) on which automated controls and system-generated reports depend. That dependency is what makes IT audit part of the integrated financial statement audit. The standard was adopted in 2007 as Auditing Standard No. 5 and took its current number when the PCAOB reorganized its standards, effective 31 December 2016.

2) PCAOB Audit Standard 2315 

AS 2315, "Audit Sampling", applies whenever the auditor performs a procedure on less than 100 percent of the items in an account balance or class of transactions in order to evaluate some characteristic of the whole population, whether in tests of controls (for example, a sample of change tickets checked for approval evidence) or in substantive tests of balances. It covers both statistical and nonstatistical approaches, how to select a sample that is representative of the population, how large the sample needs to be for the desired level of assurance, and the sampling risk the auditor accepts by not examining every item.

It also describes how to evaluate sample results, project the deviations or misstatements found to the population, and decide whether additional testing is needed.

Audit sampling can help reduce audit-related costs while providing reasonable assurance that financial statements are free from material misstatement, whether due to fraud or error. However, it is important to note that audit sampling does not guarantee accuracy; it only reduces the likelihood of material misstatements that go undetected by the auditor.
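As an added worked example (not part of the original post and not text from AS 2315), here is a small Python implementation of attribute sampling for a test of controls, the kind of test an IT auditor runs when checking that every production change ticket carries an approval. The population of tickets is constructed inline, the control and the audit parameters (95% confidence, 5% tolerable deviation rate, 0% expected deviations) are assumptions, and the arithmetic uses the binomial distribution, which is the usual basis for published attribute-sampling tables; AS 2315 itself prescribes no formula.

```python
"""Attribute sampling for a test of controls (added illustration, not page code).

Constructed scenario: the population is a list of change tickets and the
control under test is "every production change has a documented approval".
The sample-size and evaluation arithmetic uses the binomial distribution, the
usual basis for published attribute-sampling tables; this is the example's own
assumption, since AS 2315 prescribes no particular formula.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    approved_by: Optional[str]  # None = no approval evidence = control deviation


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(confidence: float, tolerable_rate: float,
                expected_rate: float, max_n: int = 5000) -> int:
    """Smallest n such that, if the true deviation rate were as high as the
    tolerable rate, the chance of seeing no more than the expected number of
    deviations in the sample is at most (1 - confidence)."""
    risk = 1.0 - confidence
    for n in range(1, max_n + 1):
        k = math.ceil(expected_rate * n)  # expected deviations in a sample of n
        if binom_cdf(k, n, tolerable_rate) <= risk:
            return n
    raise ValueError("no sample size up to max_n meets the parameters")


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Highest population deviation rate still consistent with the sample at the
    given confidence: bisection on p for P(X <= deviations | n, p) = 1 - confidence."""
    risk = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid  # this rate is still plausible, so the true rate could be higher
        else:
            hi = mid
    return hi


def select_sample(population: list[ChangeTicket], n: int, seed: int) -> list[ChangeTicket]:
    """Random selection without replacement. Recording the seed lets the auditor
    document the selection and re-perform it later."""
    return random.Random(seed).sample(population, n)


def evaluate(sample: list[ChangeTicket], confidence: float, tolerable_rate: float) -> dict:
    """Count deviations, project them to the population, and decide whether the
    control can be relied on or whether additional testing is needed."""
    deviations = sum(1 for t in sample if t.approved_by is None)
    upper = upper_deviation_limit(len(sample), deviations, confidence)
    return {
        "sample_size": len(sample),
        "deviations": deviations,
        "upper_deviation_limit": upper,
        "rely_on_control": upper <= tolerable_rate,
        "additional_testing_needed": upper > tolerable_rate,
    }


def build_population() -> list[ChangeTicket]:
    """Constructed population: 250 tickets; every 40th one lacks approval (6 deviations, 2.4%)."""
    return [ChangeTicket(f"CHG-{i:04d}", None if i % 40 == 0 else "change-manager")
            for i in range(1, 251)]


if __name__ == "__main__":
    CONFIDENCE, TOLERABLE, EXPECTED = 0.95, 0.05, 0.0  # assumed audit parameters
    n = sample_size(CONFIDENCE, TOLERABLE, EXPECTED)
    sample = select_sample(build_population(), n, seed=20230225)
    print(f"sample size: {n}")
    print(evaluate(sample, CONFIDENCE, TOLERABLE))
```

With 0 expected deviations the required sample is 59, and the upper deviation limit for a clean sample of 59 is about 4.95%, just under the 5% tolerable rate. A single deviation in that sample pushes the limit to roughly 7.8%, so the auditor cannot rely on the control at the planned level and must extend the sample or change the audit approach; that is the "additional testing" decision in concrete terms. Seeding the random selection is what makes the sample documentable and re-performable, which matters when the workpapers are reviewed.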