Information technology audit
from Wikipedia

An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

IT audits are also known as automated data processing audits (ADP audits) and computer audits. They were formerly called electronic data processing audits (EDP audits).

Purpose


An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether the financial statements present fairly, in all material respects, an entity's financial position, results of operations, and cash flows in conformity with standard accounting practices, the purpose of an IT audit is to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider whether the controls are installed as intended, whether they are effective, and whether any breach in security has occurred and, if so, what actions can be taken to prevent future breaches. These inquiries must be answered by independent and unbiased observers; these observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.[1]

As technology continues to advance and become more prevalent in everyday life and in business, IT threats and disruptions increase alongside it. These affect every industry and take different forms, such as data breaches, external threats, and operational issues. These risks, and the need for high levels of assurance, increase the need for IT audits to check the performance of businesses' IT systems and to lower the probability and impact of technology threats and disruptions.[2]

The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties.[3] The IT audit aims to evaluate the following:

  • Will the organization's computer systems be available for the business at all times when required? (known as availability)
  • Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)
  • Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity)

In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.

More specifically, organizations should look into three major requirements: confidentiality, integrity, and availability to label their needs for security and trust in their IT systems.

  • Confidentiality: The purpose is to keep private information restricted from unauthorized users.
  • Integrity: The purpose is to guarantee that information is changed only in an authorized manner.
  • Availability: The purpose is to ensure that only authorized users have access to specific information

These three requirements should be emphasized in every industry and every organization with an IT environment, but the specific requirements and the controls that support them will vary.[4]

Classification of IT audits


Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:[5]

  • Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit assesses the length and depth of the company's experience in its chosen technologies, its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product.
  • Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
  • Technological position audit: This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".

Others describe the spectrum of IT audits with five categories of audits:

  • Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity. System and process assurance audits form a subtype, focussing on business process-centric business IT systems. Such audits have the objective to assist financial auditors.[6]
  • Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
  • Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
  • Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
  • Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.

And some lump all IT audits into one of only two types: "general control review" audits or "application control review" audits.

A number of IT audit professionals from the Information Assurance realm consider there to be three fundamental types of controls regardless of the type of audit to be performed, especially in the IT realm. Many frameworks and standards try to break controls into different disciplines or arenas, terming them "Security Controls", "Access Controls", or "IA Controls" in an effort to define the types of controls involved. At a more fundamental level, these controls can be shown to consist of three fundamental types: Protective/Preventative Controls, Detective Controls, and Reactive/Corrective Controls.

In an IS, there are two types of auditors and audits: internal and external. IS auditing is usually a part of accounting internal auditing, and is frequently performed by corporate internal auditors. An external auditor reviews the findings of the internal audit as well as the inputs, processing and outputs of information systems. The external audit of information systems is primarily conducted by certified information systems auditors, such as holders of the CISA certification from ISACA (Information Systems Audit and Control Association, USA), the Information System Auditor (ISA) certification from ICAI (Institute of Chartered Accountants of India), and others certified by reputable organizations for IS audit (frequently as part of the overall external auditing performed by a Certified Public Accountant (CPA) firm).[1] IS auditing considers all the potential hazards and controls in information systems. It focuses on issues like operations, data, integrity, software applications, security, privacy, budgets and expenditures, cost control, and productivity. Guidelines are available to assist auditors in their jobs, such as those from the Information Systems Audit and Control Association.[1]

History of IT auditing


The concept of IT auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business.

Currently, many IT-dependent companies, such as telecommunications or banking companies, rely on information technology in order to operate their business. For other types of business, IT still plays a large part in the company, for example by applying workflow systems instead of paper request forms, using application controls instead of less reliable manual controls, or implementing an ERP application so that the organization runs on a single application. Accordingly, the importance of IT audit constantly increases. One of the most important roles of the IT audit is to audit the critical systems in order to support the financial audit or to support specific regulations, e.g. SOX.

Emerging issues


There are also new audits being imposed by various standards boards which are required to be performed, depending upon the audited organization, and which affect IT and ensure that IT departments are performing certain functions and controls appropriately to be considered compliant. Examples of such audits are SSAE 16, ISAE 3402, and ISO 27001:2013.

Web presence audits


The extension of the corporate IT presence beyond the corporate firewall (e.g. the adoption of social media by the enterprise along with the proliferation of cloud-based tools like social media management systems) has elevated the importance of incorporating web presence audits into the IT/IS audit. The purposes of these audits include ensuring the company is taking the necessary steps to:

  • rein in use of unauthorized tools (e.g. "shadow IT")
  • minimize damage to reputation
  • maintain regulatory compliance
  • prevent information leakage
  • mitigate third-party risk
  • minimize governance risk[7][8]

The use of departmental or user-developed tools has been a controversial topic in the past. However, with the widespread availability of data analytics tools, dashboards, and statistical packages, users no longer need to stand in line waiting for IT resources to fulfill seemingly endless requests for reports. The task of IT is to work with business groups to make authorized access and reporting as straightforward as possible. To use a simple example, users should not have to do their own data matching so that pure relational tables are linked in a meaningful way. IT needs to make non-normalized, data warehouse type files available to users so that their analysis work is simplified. For example, some organizations will refresh a warehouse periodically and create easy-to-use "flat" tables which can be easily uploaded by a package such as Tableau and used to create dashboards.

Enterprise communications audits


The rise of VOIP networks, issues like BYOD, and the increasing capabilities of modern enterprise telephony systems cause increased risk of critical telephony infrastructure being misconfigured, leaving the enterprise open to the possibility of communications fraud or reduced system stability. Banks, financial institutions, and contact centers typically set up policies to be enforced across their communications systems. The task of auditing that the communications systems are in compliance with the policy falls on specialized telecom auditors. These audits ensure that the company's communication systems:

  • adhere to stated policy
  • follow policies designed to minimize the risk of hacking or phreaking
  • maintain regulatory compliance
  • prevent or minimize toll fraud
  • mitigate third-party risk
  • minimize governance risk[9][10]

Enterprise communications audits are also called voice audits,[11] but the term is increasingly deprecated as communications infrastructure increasingly becomes data-oriented and data-dependent. The term "telephony audit"[12] is also deprecated because modern communications infrastructure, especially when dealing with customers, is omni-channel, where interaction takes place across multiple channels, not just over the telephone.[13] One of the key issues that plagues enterprise communication audits is the lack of industry-defined or government-approved standards. IT audits are built on the basis of adherence to standards and policies published by organizations such as NIST and PCI, but the absence of such standards for enterprise communications audits means that these audits have to be based on an organization's internal standards and policies, rather than industry standards. As a result, enterprise communications audits are still done manually, with random sampling checks. Policy audit automation tools for enterprise communications have only recently become available.

Ethical Dilemmas in IT Audits


The use of Artificial Intelligence (AI) in IT audits is growing rapidly, with 30% of all corporate audits expected to be conducted using AI by 2025, as reported by the World Economic Forum in 2015. AI in IT audits raises many ethical issues.[14]

  1. The use of Artificial Intelligence causes unintended biases in results
    An issue that AI faces in completing IT audits for corporations is that unintended biases can occur as the AI filters through data. AI does not have a human element or the ability to understand different situations in which certain data is expected or not expected. AI only understands the data it has seen before and is therefore unable to adapt to each unique situation. This causes unintended biases, and therefore unintended consequences, if the AI systems are given too much trust and are not carefully monitored by the human eye. As a result, ethical, legal and economic issues arise.[14]
  2. Technology replacing the role of humans
    Big 4 firms have invested significant amounts of money in emerging technologies in the IT audit space. AI is now being used in assurance practices performing tasks such as "auditing and accounting procedures such as review of general ledgers, tax compliance, preparing work-papers, data analytics, expense compliance, fraud detection, and decision-making."[14] This essentially replaces the need for auditors and relegates those who work in assurance to roles as "overseers" of the technology.
    However, firms still need auditors to perform analysis on the AI results of the IT audit. Auditors who do not understand the algorithms being utilized in the audit can allow mistakes to be made by these imperfect programs. Thus auditors with extensive tech backgrounds and degrees in technology are highly coveted by firms utilizing AI to perform audits.

Effect of IT Audit on Companies and Financial Audits


Globalization in combination with the growth in information technology systems has caused companies to shift to an increasingly digitized working environment. Advantages provided by these systems include a reduction in working time, the ability to test large amounts of data, reduced audit risk, and more flexible and complete analytical information. With the time saved, auditors are able to implement additional audit tests, leading to a great improvement in the audit process overall. The use of computer-assisted audit techniques (CAATs) has allowed companies to examine larger samples of data and to conduct more thorough reviews of all transactions, allowing the auditor to test and better understand any issues within the data.[15]
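As an added illustration of the CAAT approach described above (example code written for this page, not from any cited source), the following Python script applies three application-control tests to a constructed full-population transaction file: input validation, an authorization check against a hypothetical approval threshold, and an input/output batch-total reconciliation.

```python
"""Added example (not part of the article): a small computer-assisted audit
technique (CAAT) run over a constructed, full-population transaction file.
Three application-control tests are applied: input validation, an
authorization check, and an input/output batch-total reconciliation."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: Decimal
    approver: str   # empty string means no approval was recorded
    posted: bool    # True if the transaction reached the ledger


# Hypothetical policy values, assumed for the example only.
APPROVAL_THRESHOLD = Decimal("10000")
AUTHORISED_APPROVERS = {"controller", "cfo"}


def validate_input(txns):
    """Input control: flag records that fail basic format checks."""
    exceptions = []
    seen = set()
    for t in txns:
        if t.txn_id in seen:
            exceptions.append((t.txn_id, "duplicate id"))
        seen.add(t.txn_id)
        if t.amount <= 0:
            exceptions.append((t.txn_id, "non-positive amount"))
    return exceptions


def check_authorization(txns):
    """Processing control: large amounts need a recorded, authorised approver."""
    exceptions = []
    for t in txns:
        if t.amount >= APPROVAL_THRESHOLD and t.approver not in AUTHORISED_APPROVERS:
            exceptions.append((t.txn_id, f"unauthorised approver {t.approver!r}"))
    return exceptions


def reconcile_batch(txns, ledger_total):
    """Output control: the posted input total must equal the ledger's total."""
    posted_total = sum((t.amount for t in txns if t.posted), Decimal("0"))
    return posted_total, posted_total - ledger_total


def run_caat(txns, ledger_total):
    """Run every test over the whole population and collect the exceptions."""
    findings = validate_input(txns) + check_authorization(txns)
    posted_total, variance = reconcile_batch(txns, ledger_total)
    if variance != 0:
        findings.append(("BATCH", f"ledger variance {variance}"))
    return {"tested": len(txns), "posted_total": posted_total, "findings": findings}


# Constructed sample population (not real data): one unauthorised approval,
# one negative amount, one duplicate id, and a ledger that does not reconcile.
SAMPLE_TXNS = [
    Txn("T001", Decimal("2500.00"), "", True),
    Txn("T002", Decimal("15000.00"), "cfo", True),
    Txn("T003", Decimal("12000.00"), "intern", True),
    Txn("T004", Decimal("-40.00"), "", True),
    Txn("T004", Decimal("300.00"), "", False),
]
SAMPLE_LEDGER_TOTAL = Decimal("29500.00")

if __name__ == "__main__":
    for key, value in run_caat(SAMPLE_TXNS, SAMPLE_LEDGER_TOTAL).items():
        print(key, value)
```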

The use of IT systems in audits has transformed the way auditors accomplish important audit functions such as the management of databases, risk assurance and controls, and even governance and compliance. In addition, IT audit systems improve operational efficiency and aid in decision making that would otherwise rely on calculations done by hand. IT systems help to reduce human error in audits; while they do not fully solve the issue, IT systems have proven to be helpful in audits done by the Big 4 and small firms alike. These systems have greatly reduced the margin of error on audits and provide better insight into the data being analyzed.

As a result of the increased use of IT systems in audits, authoritative bodies such as the American Institute of Certified Public Accountants (AICPA) and the Information Systems Audit Control Association (ISACA) have established guidance on how to properly use IT systems to perform audits.[16] Auditors must now adhere to the established guidelines when utilizing IT systems in audits.

Benefits of Utilizing IT systems on Financial Audits


The use of IT systems and AI techniques on financial audits is starting to show huge benefits for leading accounting firms. In a study done by one of the Big 4 accounting firms, it is expected that the use of IT Systems and AI techniques will generate an increase of $6.6 trillion in revenue[14] as a result of the increase in productivity. As a result, leading auditing firms are making enormous investments with the goal of increasing productivity and therefore revenue through the development or outsourcing of IT systems and AI techniques to assist in financial audits.

PwC, one of the biggest auditing firms in the world, has narrowed down three different types of IT systems and AI techniques that firms can develop and implement to achieve increased revenue and productivity. The first type is built so that technology systems play a supplemental role in the human auditor's decision-making. This allows the human auditor to retain autonomy over decisions and use the technology to support and enhance their ability to perform accurate work, ultimately saving the firm in productivity costs. Next, PwC states that systems with problem-solving abilities are imperative to producing the most accurate results. PwC recognizes the increased margin for error due to unintended biases, and thus the need for creating systems that are able to adapt to different scenarios. This type of system requires decision making to be shared between the human auditor and the IT system to produce the maximum output, by allowing the system to take over the computing work that could not be done by a human auditor alone. Finally, PwC recognizes that there are scenarios where technology needs to have the autonomy of decision making and act independently. This allows human auditors to focus on more important tasks while the technology takes care of time-consuming tasks that do not require human time.[14]

The utilization of IT systems and AI techniques on financial audits extends beyond the goal of reaching maximized productivity and increased revenue. Firms who utilize these systems to assist in the completion of audits are able to identify pieces of data that may constitute fraud with higher efficiency and accuracy. For example, systems such as drones have been approved by all of the Big 4[14] to assist in obtaining more accurate inventory calculations, while voice and facial recognition is aiding firms in fraud cases.[14]

from Grokipedia
An information technology audit (IT audit), also referred to as an information systems audit, is a systematic process of examining and evaluating an organization's infrastructure, operations, policies, and controls to assess whether they effectively safeguard assets, maintain data integrity, and support the achievement of business objectives. This evaluation involves collecting and analyzing evidence related to IT systems, practices, and processes to provide assurance on their reliability, , and compliance. The primary objectives of an IT audit include identifying potential risks to information systems, verifying the adequacy of internal controls, ensuring adherence to relevant regulations and standards such as those from NIST or GDPR, and recommending improvements to enhance and cybersecurity resilience.

By focusing on areas like access controls, data backup procedures, , and application integrity, IT audits help organizations mitigate threats, protect sensitive , and align technology with strategic goals in an increasingly digital landscape. These audits are typically conducted by certified professionals, such as those holding ISACA's Certified Information Systems Auditor (CISA) designation, using frameworks like ISACA's IT Audit Framework (ITAF) to ensure consistency and thoroughness.

IT audits encompass various types, including general controls audits that evaluate overarching IT governance and security measures, and application controls audits that scrutinize specific software processes for accuracy and completeness. They may also incorporate advanced techniques, such as computer-assisted audit tools (CAATs) for and continuous auditing approaches to monitor systems in real time. In practice, IT audits often integrate with financial or operational audits to provide a holistic view of organizational risks, making them essential for compliance with standards like and for fostering trust in IT-dependent business processes.

Fundamentals

Definition and Scope

An information technology (IT) audit is a systematic, independent examination of an organization's IT processes, applications, systems, and to provide reasonable assurance regarding the effectiveness of controls, , and practices. This evaluation focuses on ensuring the confidentiality, integrity, availability, and compliance of IT operations with applicable standards and regulations. IT audits are conducted by qualified professionals using established frameworks to assess whether IT assets support business objectives while mitigating potential risks.

The scope of an IT audit encompasses a broad range of elements, including hardware, software, networks, practices, and user access controls, to verify their alignment with organizational policies and external requirements. Unlike general financial audits, which primarily examine the accuracy of financial statements and accounting records, IT audits concentrate on the technological controls that underpin financial reporting and operational processes, such as system reliability and data protection mechanisms. This distinction ensures that IT audits address technology-specific vulnerabilities that could impact financial integrity without overlapping into pure financial verification.

Key concepts in IT auditing include providing assurance on IT governance, which aligns technology strategies with enterprise goals; risk management, which identifies and mitigates IT-related threats; and internal controls, which safeguard assets and ensure reliable processing. These elements are guided by authoritative frameworks such as COBIT, developed by ISACA for holistic IT governance and management, and ISO 27001, an international standard for information security management systems that emphasizes risk assessment and control implementation.

Objectives and Purpose

The primary objectives of an information technology (IT) audit are to verify the effectiveness and reliability of IT controls, assess risks associated with and system operations, and ensure compliance with relevant laws and regulations. By evaluating controls over areas such as access management, , and system security, IT audits provide assurance that organizational IT systems safeguard assets and maintain operational integrity. For instance, auditors examine whether controls prevent unauthorized access to sensitive information, thereby mitigating potential breaches. These objectives align with standards outlined in ISACA's Information Technology Assurance Framework (ITAF), which emphasizes obtaining sufficient evidence to support conclusions on control design and implementation.

In the broader organizational context, the purpose of IT audits extends to preventing fraud, optimizing resource utilization, and aligning IT strategies with business goals. Audits help identify vulnerabilities that could enable fraudulent activities, such as manipulation of financial data through IT systems, and recommend enhancements to deter such risks. Additionally, by assessing IT efficiency, audits support cost-effective and strategic alignment, ensuring that technology investments contribute to enterprise objectives. This role is particularly critical in frameworks like COBIT, which guide IT governance to bridge business and IT priorities. For example, evaluating access controls in a can prevent data tampering while promoting efficient workflow automation.

IT audits also focus on regulatory compliance, such as adherence to the Sarbanes-Oxley Act (SOX) for financial reporting controls or the General Data Protection Regulation (GDPR) for data privacy safeguards. Under SOX, audits assess the effectiveness of IT general controls to ensure accurate financial data processing, helping organizations avoid penalties and maintain investor confidence. Similarly, GDPR compliance audits verify data handling practices to protect personal information and mitigate privacy risks. These efforts underscore the audit's purpose in fostering a compliant environment that supports ethical operations and legal adherence.

Measurable outcomes from IT audits include control effectiveness ratings, which classify controls as effective, partially effective, or deficient based on testing results, and risk exposure levels, quantified through assessments of likelihood and impact. These metrics enable organizations to prioritize remediation efforts and track improvements in IT resilience over time. For example, a control effectiveness rating above 90% might indicate strong safeguards, while elevated risk exposure levels could signal the need for immediate action. Such outcomes are derived from structured evaluations in frameworks like ITAF, providing actionable insights for management.

Classification and Types

Internal and External Audits

Internal audits in IT are conducted by an organization's own staff or dedicated internal audit teams to provide independent, objective assurance and consulting services that enhance the effectiveness of IT operations, , and . These audits emphasize ongoing evaluation of IT controls, compliance with internal policies, and opportunities for efficiency improvements, such as optimizing IT and aligning technology with business strategies. Governed by the Institute of Internal Auditors (IIA) Global Internal Audit Standards, internal IT audits focus on adding value through advisory roles, including assessments of IT frameworks to ensure strategic alignment, risk mitigation, and performance measurement.

In contrast, external IT audits are performed by independent third-party firms, typically certified public accountants (CPAs) or specialized auditors, to deliver objective assurance for , certifications, or stakeholder reporting. These audits prioritize verifying the reliability and security of IT systems against established criteria, such as those in the American Institute of CPAs (AICPA) Trust Services Criteria, with prominent examples including SOC 2 reports that evaluate controls related to security, availability, processing integrity, confidentiality, and privacy. External auditors maintain strict independence to provide unbiased opinions, often resulting in formal attestations that support disclosures or contractual obligations.

Key differences between internal and external IT audits lie in their , , scope, and reporting. Internal audits occur more routinely, often as part of a continuous risk-based plan, with a narrower focus on operational enhancements and internal advisory, whereas external audits are typically periodic, such as annually, and encompass broader attestations for external validation and regulatory adherence. Reporting from internal audits is directed toward organizational to drive improvements, while external audit findings are shared with regulators, investors, or clients to affirm compliance and trustworthiness. These distinctions ensure internal efforts support day-to-day resilience, complemented by external oversight for impartial .

Specialized IT Audit Categories

Specialized IT audit categories focus on specific aspects of an organization's environment, enabling targeted evaluations of risks, controls, and performance. These categories extend beyond general IT audits by addressing distinct functional areas, such as the reliability of core systems, protection against threats, regulatory adherence, and operational effectiveness. Classification frameworks, such as those provided by ISACA's (Control Objectives for Information and Related Technology), offer structured approaches to defining and implementing these audits, emphasizing and management of IT resources. General controls audits evaluate overarching IT governance and security measures, including access controls, , physical and environmental safeguards, and system operations to ensure the overall integrity of the IT environment. These audits verify that foundational controls support reliable information processing across the . Application controls audits scrutinize specific software processes and applications for accuracy, completeness, and authorization of and transactions. They focus on input validation, processing logic, and output controls to prevent errors or in applications. Systems and infrastructure audits examine the reliability, availability, and integrity of hardware, software, and network components to ensure they support business operations without undue risk. These audits assess elements like server configurations, resilience, and software update processes, identifying vulnerabilities that could lead to downtime or . For instance, a network audit might evaluate bandwidth utilization and mechanisms to verify under load, while a database audit focuses on checks, backup procedures, and access logging to prevent unauthorized alterations. Such audits align with standards like ITIL ( Infrastructure ) for best practices in service management. 
Information security audits concentrate on safeguarding data and systems from threats through vulnerability assessments, penetration testing, and control evaluations. They review policies for access management, , and incident response to mitigate risks like unauthorized access or cyber attacks. Unique to this category is the emphasis on proactive , such as scanning for (CVEs) in software stacks. These audits often draw from frameworks like ISO/IEC 27001, which specifies requirements for an information security management system (ISMS). Compliance audits verify that IT practices adhere to external regulations and industry standards, such as PCI DSS (Payment Card Industry Data Security Standard) for handling cardholder data or (Sarbanes-Oxley Act) for financial reporting controls. Auditors test controls for evidence of ongoing conformity, including audit logs and certification maintenance, to avoid penalties or legal issues. This category highlights documentation and reporting requirements, ensuring alignment with legal mandates without delving into operational efficiency. SOC 2 reports, developed under AICPA guidelines, provide a common mechanism for demonstrating compliance in service organizations. Operational audits evaluate the efficiency and effectiveness of IT processes, including , workflow automation, and service delivery to optimize costs and performance. They identify redundancies or bottlenecks, such as in helpdesk ticketing systems or cloud resource provisioning, recommending improvements for better alignment with business goals. Frameworks like COSO (Committee of Sponsoring Organizations of the Treadway Commission) support these audits by integrating IT controls with . 
Emerging subtypes include audits for AI systems, which assess bias detection, model transparency, ethical deployment, auditability, and traceability through mechanisms such as tamper-evident logging, cryptographic hashing of inputs or decision records, and immutable timestamping to enable independent verification of system behavior, and blockchain audits, focusing on ledger integrity, security, and decentralization risks. ISACA has developed specific programs for these areas to address their unique challenges, such as the Advanced in AI Audit (AAIA) certification launched in 2025 and the Blockchain Framework Audit Program.

Historical Development

Origins and Early Practices

The origins of information technology auditing trace back to the mid-20th century, coinciding with the advent of mainframe computers and the shift toward automated systems in the 1950s. As businesses began adopting electronic data processing (EDP) technologies, such as the first operational business computer installed in 1954, traditional auditing methods proved inadequate for verifying the integrity of computerized records. This emergence was driven by the need to ensure the reliability and accuracy of automated processes in sectors where manual ledgers were rapidly replaced by batch-oriented systems that processed data in large volumes. Early practices in IT auditing were rudimentary and heavily manual, focusing on the tangible elements of EDP environments. Auditors conducted physical inspections of punch cards used for data input, verified the wiring of tabulating machines, and performed basic code reviews of programs written in early low-level languages such as assembly on mainframes. These methods emphasized input validation to prevent errors from propagating through processing cycles, output reconciliation to match computerized results against expected values, and limited sampling techniques to assess system controls without disrupting operations. IT auditors often doubled as programmers, creating custom tools to extract and analyze files, as standardized audit software was not yet available. The field gained formal structure in the late 1960s amid growing concerns over data inaccuracies in early computing applications, including banking system glitches that highlighted risks of unverified automated transactions. In response, a group of professionals auditing computer controls formed in 1967, leading to the incorporation of the Electronic Data Processing Auditors Association (EDPAA), the predecessor to ISACA, on October 23, 1969, by seven founders.
This organization aimed to develop guidelines and foster knowledge sharing for EDP auditing, marking a pivotal step in professionalizing practices to address the complexities of computerized environments.

Evolution and Key Milestones

The evolution of information technology (IT) auditing from the 1970s onward reflected the rapid advancement of computing infrastructure, transitioning from centralized mainframes to decentralized microcomputers and networked systems, which demanded more sophisticated auditing methodologies to assess distributed risks and controls. In the late 1970s and early 1980s, the proliferation of microcomputers enabled auditors to perform independent data analysis, sampling, and statistical testing without relying on IT departments, thereby enhancing efficiency and reducing bottlenecks in audit processes. This shift was complemented by the development of specialized auditing software; for instance, Audit Command Language (ACL) was introduced in 1987, allowing auditors to extract, analyze, and report on large datasets from personal computers, marking a pivotal tool for generalized audit software (GAS) adoption. Pivotal organizations like the Information Systems Audit and Control Association (ISACA), founded in 1969 as the EDP Auditors Association and establishing an education foundation in 1976 to advance IT governance research, became central to standardizing IT auditing practices globally through certifications, guidelines, and frameworks. Similarly, the Institute of Internal Auditors (IIA) influenced the field by incorporating IT-specific guidance into internal audit standards, emphasizing the integration of technology risks into broader assurance activities since the 1980s. The 1990s and 2000s saw IT auditing adapt to the internet's expansion and the Year 2000 (Y2K) challenge, which necessitated comprehensive audits of legacy systems for date-related vulnerabilities, prompting the American Institute of Certified Public Accountants (AICPA) to issue auditing interpretations in 1998 for Y2K risk evaluation and entity readiness assessments. 
The rise of internet-based operations introduced new audit foci on web security, transactions, and data transmission controls, as organizations increasingly relied on online infrastructures. Standardization advanced with ISACA's release of the Control Objectives for Information and Related Technology (COBIT) framework in 1996, offering structured controls for IT governance and management to align business goals with technology. Concurrently, the AICPA's Statement on Auditing Standards No. 70 (SAS 70) in 1992 provided a mechanism for service organizations to report on internal controls relevant to financial reporting, later evolving into Statement on Standards for Attestation Engagements No. 16 (SSAE 16) in 2010 to incorporate a principles-based approach and third-party assessments. Subsequently, IT auditing intensified its focus on cybersecurity amid high-profile incidents, exemplified by the 2013 Target data breach, where hackers accessed 40 million credit/debit card details and 70 million customer records through a third-party vendor's compromised credentials, underscoring gaps in vendor oversight and real-time monitoring despite prior compliance audits. This event catalyzed enhanced audit scrutiny of third-party risks and incident response capabilities in cybersecurity frameworks. The International Organization for Standardization (ISO) revised ISO/IEC 27001 in 2013 to strengthen requirements for information security management systems, incorporating leadership commitments, risk treatment plans, and Annex A controls for emerging threats such as those affecting cloud services. Cloud computing's integration further transformed auditing, with guidance issued for risk assessments of cloud deployments that emphasized shared responsibility models and continuous monitoring in service-oriented architectures. In the ensuing decade, IT auditing continued to evolve with the release of COBIT 2019 by ISACA, which updated the framework to better support agile governance.
The COVID-19 pandemic from 2020 accelerated the shift to remote auditing practices, increasing reliance on digital tools for evidence collection and virtual assessments while highlighting new risks in distributed work environments. Additionally, ISO/IEC 27001 was revised in 2022 to address contemporary challenges, including greater emphasis on threat intelligence and cloud security.

Audit Process and Standards

Planning and Risk Assessment

The planning phase of an information technology (IT) audit begins with defining the audit scope, which involves identifying the key IT areas to be examined, such as specific systems, processes, or controls aligned with organizational objectives and potential risks. This step ensures the audit addresses relevant aspects of the IT environment without unnecessary breadth, drawing from a comprehensive inventory of the IT audit universe that includes applications, infrastructure, and operations. Assembling the audit team is critical, typically comprising IT specialists with technical expertise in areas like network security or database management, alongside general auditors knowledgeable in application controls to provide balanced evaluation. The team size and composition depend on the scope, with resources allocated based on available auditor days and required skills, such as proficiency in enterprise resource planning (ERP) systems or operating systems. Developing an audit charter formalizes these elements, outlining the purpose, authority, and responsibilities of the internal audit activity in accordance with standards that mandate alignment with organizational goals and risk-based planning. The charter, approved by the governing body and senior management, serves as a foundational document to guide the entire audit process and ensure independence. Risk assessment follows as a core component of planning, focusing on identifying and prioritizing IT-specific risks to inform the audit's direction. Common risks include unauthorized access to sensitive data through vulnerabilities like weak authentication and system downtime resulting from infrastructure failures or denial-of-service attacks, which can compromise confidentiality, integrity, and availability. 
Tools such as risk matrices are employed to evaluate these risks qualitatively, plotting likelihood (e.g., high, medium, low) against impact (e.g., financial loss, operational disruption) on a grid to categorize and prioritize them; for instance, a high-likelihood, high-impact risk like unauthorized access might score as critical. The COSO framework supports this by providing a structured approach to risk assessment within internal controls, emphasizing the identification of inherent risks and potential responses across the organization's IT operations. Quantitative methods complement this, notably the annual loss expectancy (ALE), calculated as

ALE = ARO × SLE

where ARO is the annualized rate of occurrence (expected frequency of the risk event per year) and SLE is the single loss expectancy (monetary value of a single occurrence). This formula quantifies the expected annual financial impact, aiding decisions on control investments; for example, if a downtime event has an SLE of $50,000 and an ARO of 0.5, the ALE is $25,000, justifying targeted mitigation. Compliance with standards like NIST SP 800-30 ensures a systematic process, integrating threat sources, vulnerabilities, and impacts to produce a risk profile. Prerequisites for effective planning include a thorough review of the organizational IT environment, encompassing infrastructure, applications, and data flows to establish the baseline for risk identification. Stakeholder interviews with IT management, business unit leaders, and compliance officers provide contextual insights, such as emerging threats or regulatory changes, ensuring the assessment reflects current conditions. These steps align with guidance that mandates proactive modification of the risk assessment based on business evolution, facilitating a tailored audit plan.
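The following is an added worked example of the risk-matrix and ALE reasoning described above; it is not code from the article, nor the method of COSO or NIST SP 800-30. It goes one step beyond the text by also comparing a control's annual cost against the ALE it removes, which is how the "justifying targeted mitigation" decision is usually made. The 3x3 matrix thresholds, the risk names, and the dollar figures in the sample register are constructed assumptions; an organization would substitute its own.

```python
"""Risk matrix rating and annual loss expectancy (ALE) for IT audit planning.

Added example, not code from the article. Risk names, ratings and dollar
figures are constructed; the 3x3 matrix thresholds are one common convention.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}
RATING_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def matrix_rating(likelihood: str, impact: str) -> str:
    """Place a likelihood/impact pair on a 3x3 risk matrix.

    Score = likelihood * impact (1..9): 9 -> critical, 6 -> high,
    3..4 -> medium, 1..2 -> low (assumed thresholds).
    """
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = ARO x SLE, the formula quoted in the article.

    sle: single loss expectancy (monetary loss per occurrence)
    aro: annualized rate of occurrence (expected events per year)
    """
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return aro * sle


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    sle: float
    aro: float

    @property
    def rating(self) -> str:
        return matrix_rating(self.likelihood, self.impact)

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(self.sle, self.aro)


def prioritize(risks):
    """Order risks for the audit plan: matrix rating first, then ALE (highest first)."""
    return sorted(risks, key=lambda r: (RATING_ORDER[r.rating], -r.ale))


def control_is_justified(risk: Risk, annual_control_cost: float, reduction: float = 1.0) -> bool:
    """A control pays for itself when its yearly cost is below the ALE it
    eliminates; `reduction` is the fraction of the ALE the control removes."""
    return annual_control_cost < risk.ale * reduction


# Constructed sample risk register (illustrative values only)
SAMPLE_RISKS = [
    Risk("unauthorized access to customer data", "high", "high", sle=200_000, aro=0.2),
    Risk("infrastructure downtime", "medium", "high", sle=50_000, aro=0.5),
    Risk("lost or stolen laptop", "high", "low", sle=5_000, aro=2.0),
    Risk("outdated runbook documentation", "low", "low", sle=1_000, aro=0.1),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.rating:8} ALE=${r.ale:>10,.0f}  {r.name}")
```

Running the block prints the register in audit-priority order, with the downtime entry reproducing the article's $25,000 ALE. Sorting by qualitative rating before ALE keeps a low-frequency but severe risk ahead of a cheap, frequent one, which is the usual intent of combining the two methods.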

Execution, Testing, and Reporting

The execution phase of an information technology audit, often referred to as fieldwork, involves implementing the audit plan through direct engagement with the organization's systems and personnel to collect evidence. Auditors conduct walkthroughs to trace processes from initiation to completion, ensuring a comprehensive understanding of control flows, while interviews with key stakeholders provide insights into operational practices and potential risks. Evidence collection techniques include document reviews, observations of operations, and technical assessments, all aimed at obtaining sufficient and appropriate data to support audit conclusions. This phase emphasizes professional skepticism and keeps activities aligned with the predefined scope. Testing in IT audits comprises control testing to evaluate the design and operating effectiveness of internal controls, such as reviewing access logs to verify segregation of duties, and substantive testing to assess the accuracy and completeness of data, for example, by sampling transaction logs for anomalies. Computer-assisted audit techniques (CAATs), including tools like ACL for data extraction and analysis in substantive tests or CaseWare for continuous monitoring in control tests, enhance efficiency by automating evidence evaluation. Vulnerability scanners, such as Nessus, are employed in technical testing to identify security weaknesses in networks and applications, integrating with broader risk assessments to prioritize high-impact areas. These methods follow a risk-based approach, adjusting scope based on preliminary findings. Standards like the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT), developed by The Institute of Internal Auditors, guide testing by applying a top-down, risk-based approach to scope IT general controls relevant to financial reporting, focusing on those that could materially impact business objectives.
GAIT principles ensure that testing targets technology failures only if they pose significant business risks, promoting efficient resource allocation during execution. This integration aligns IT audit testing with broader assurance frameworks, such as those published by ISACA, to maintain consistency in evaluating control effectiveness. Reporting culminates the audit process with a structured document that communicates results to stakeholders, typically including the scope and objectives, detailed findings with root cause analysis, recommendations for remediation, and responses outlining action plans and timelines. Findings are rated for significance and supported by evidence, while follow-up procedures involve monitoring remediation progress and reporting to oversight bodies on unresolved issues or risk acceptances. This ensures accountability and drives continuous improvement in IT controls.
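As an added example of the two kinds of testing described above (a control test of segregation of duties over access logs, and substantive tests that sample transaction logs for anomalies), the script below runs both over a constructed log excerpt. It is not code from the article, from ACL, CaseWare or any other tool it names. The log line format, the user and vendor identifiers, the amounts, the list of conflicting duties, the $10,000 approval threshold and the business-hours window are all assumptions made for the illustration.

```python
"""Control and substantive tests over an access/transaction log.

Added example, not the article's or any vendor's code. Log format, names,
amounts, approval threshold and business hours are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt: one event per line (not real data).
SAMPLE_LOG = """\
2025-03-03T09:12:05 user=alice action=create_vendor obj=V-1041
2025-03-03T09:40:17 user=bob action=approve_payment obj=V-1041 amount=9800
2025-03-03T10:02:44 user=carol action=create_vendor obj=V-1042
2025-03-03T10:15:09 user=carol action=approve_payment obj=V-1042 amount=4900
2025-03-03T10:17:31 user=carol action=approve_payment obj=V-1042 amount=4950
2025-03-03T10:19:02 user=carol action=approve_payment obj=V-1042 amount=4800
2025-03-04T16:45:00 user=bob action=approve_payment obj=V-1041 amount=12000
2025-03-05T02:13:40 user=dave action=run_payroll obj=PAY-2025-03
"""

# Duties one person must not hold together (assumed control design).
CONFLICTING_DUTIES = (("create_vendor", "approve_payment"),
                      ("change_payroll", "run_payroll"))

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) obj=(?P<obj>\S+)"
    r"(?: amount=(?P<amount>\d+(?:\.\d+)?))?$"
)


def parse_log(text: str):
    """Turn log lines into event dicts; malformed lines are reported, not silently dropped."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["amount"] = float(e["amount"]) if e["amount"] else None
        events.append(e)
    return events, rejected


def segregation_of_duties_violations(events):
    """Control test: users who exercised two conflicting duties."""
    actions_by_user = defaultdict(set)
    for e in events:
        actions_by_user[e["user"]].add(e["action"])
    violations = []
    for user in sorted(actions_by_user):
        for first, second in CONFLICTING_DUTIES:
            if {first, second} <= actions_by_user[user]:
                violations.append((user, first, second))
    return violations


def threshold_splitting(events, threshold: float, window_hours: int = 24):
    """Substantive test: several sub-threshold payments by one approver to one
    payee within the window that together exceed the approval threshold."""
    groups = defaultdict(list)
    for e in events:
        if e["action"] == "approve_payment" and e["amount"] is not None and e["amount"] < threshold:
            groups[(e["user"], e["obj"])].append(e)
    findings = []
    window = timedelta(hours=window_hours)
    for (user, obj), evs in sorted(groups.items()):
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            total = start["amount"]
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                total += later["amount"]
            if total > threshold:
                findings.append((user, obj, total))
                break  # one finding per approver/payee pair is enough
    return findings


def out_of_hours(events, open_hour: int = 7, close_hour: int = 19):
    """Substantive test: actions logged outside the assumed business window."""
    return [(e["user"], e["action"], e["ts"].isoformat())
            for e in events if not open_hour <= e["ts"].hour < close_hour]


def run_tests(text: str = SAMPLE_LOG, threshold: float = 10_000):
    """Run all three tests and return the findings for the audit workpaper."""
    events, rejected = parse_log(text)
    return {
        "rejected_lines": rejected,
        "sod_violations": segregation_of_duties_violations(events),
        "threshold_splitting": threshold_splitting(events, threshold),
        "out_of_hours": out_of_hours(events),
    }
```

On the sample log, the control test flags carol for both creating a vendor and approving payments to it, the splitting test flags her three payments to V-1042 that each sit under the threshold but total $14,650 within minutes, and the out-of-hours test flags the 02:13 payroll run. Bob's single $9,800 payment is not flagged because nothing else is aggregated with it; rejected lines are returned rather than discarded so the auditor can see what the sample failed to cover.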

Cybersecurity and Compliance Issues

IT audits face significant cybersecurity challenges in evaluating and mitigating evolving threats such as ransomware and phishing attacks, which can compromise organizational data and systems. Ransomware, malicious software that encrypts data and demands payment for decryption, has become a prevalent threat, with attackers often exploiting unpatched vulnerabilities or weak access controls to infiltrate systems. Phishing, involving deceptive communications to trick users into revealing sensitive information or installing malware, bypasses technical safeguards by targeting human elements, underscoring the need for audits to assess user awareness and behavioral controls. These threats complicate audit processes by requiring examiners to test not only technical defenses but also the effectiveness of incident response plans against real-world attack vectors. To address these challenges, IT auditors increasingly rely on established frameworks like the NIST Cybersecurity Framework (CSF) version 2.0 (released February 2024), which provides a structured methodology for identifying, protecting against, detecting, responding to, and recovering from cybersecurity events. The NIST CSF enables auditors to evaluate an organization's cybersecurity posture by creating tailored profiles that map current practices against desired outcomes, highlighting gaps in risk management. For instance, the framework's Ransomware Profile aligns prevention and mitigation strategies with organizational resources, aiding audits in verifying resilience against specific threats like data encryption demands. This approach ensures audits go beyond compliance checklists to foster proactive risk reduction. Additionally, emerging quantum computing threats pose risks to encryption, with capabilities like "harvest now, decrypt later" attacks prompting audits to verify adoption of NIST's post-quantum cryptography standards finalized in 2024.
Compliance issues in IT audits center on navigating stringent data protection regulations, such as the General Data Protection Regulation (GDPR) enacted in 2018 and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) effective January 1, 2023, with further regulatory updates finalized in September 2025. GDPR mandates organizations to conduct data protection impact assessments (DPIAs) for high-risk processing activities, requiring auditors to verify that these assessments identify and mitigate privacy risks associated with IT systems. Similarly, CCPA imposes obligations for cybersecurity audits when data breaches pose substantial risks, with new requirements under 2025 amendments mandating annual cybersecurity audits for large businesses (annual revenue over $100 million or handling data of 100,000+ consumers) effective March 2027, and tightening breach notifications to within 30 calendar days of discovery effective in 2026, compelling businesses to evaluate the security measures protecting consumer data. Breach reporting requirements under both regulations (72 hours for GDPR and, as updated, 30 days for CCPA starting 2026) further intensify audit scrutiny on detection mechanisms and notification protocols to prevent regulatory penalties. A key dilemma in cybersecurity audits involves balancing robust security measures with individual rights, as invasive testing can inadvertently expose personal data. Auditors must ensure that scans and monitoring comply with privacy principles, such as data minimization, to avoid conflicts between threat detection and rights like consent under GDPR. The 2021 Colonial Pipeline ransomware attack exemplified this tension, where the breach led to operational shutdowns and heightened scrutiny of legacy systems, prompting enhanced federal protocols like TSA Security Directives that influenced audit standards for pipeline operators by emphasizing the segmentation of IT networks.
In response to these pressures, IT audits have adapted by incorporating penetration testing as a core evaluation method to simulate real attacks and identify exploitable weaknesses. Penetration testing, guided by standards like those in ISO/IEC 27001, involves ethical hacking to probe networks, applications, and physical controls, allowing auditors to validate defenses against threats like unauthorized access. This practice has gained prominence post-incidents, enabling organizations to demonstrate compliance and resilience through documented test results and remediation plans.

Impact of New Technologies

The adoption of cloud computing has profoundly influenced IT audit practices by introducing shared responsibility models, where cloud service providers (CSPs) secure the underlying infrastructure while customers manage data, applications, and access controls. In the AWS model, for instance, AWS handles physical security, host infrastructure, and network controls, but customers are responsible for operating system configurations, encryption, and identity management to prevent misconfigurations that could lead to breaches. This division necessitates audits that evaluate both parties' compliance, often using frameworks like the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) version 4, which outlines 197 control objectives across 17 domains to assess cloud-specific risks such as data isolation in multi-tenant environments. Auditors must verify customer adherence to these controls to mitigate coverage gaps in visibility and monitoring, ensuring alignment with standards like ISO 27001 or PCI DSS. Artificial intelligence (AI) and automation technologies are reshaping IT audits by embedding complex systems that require scrutiny for algorithmic biases and robust governance. AI-driven decision-making in areas like fraud detection can perpetuate biases if training data lacks diversity, with studies identifying data deficiencies as the most common factor (42% of cases) leading to discriminatory outcomes such as racial inequities. Auditors must assess data pipelines for quality and fairness, implementing guardrails like subgroup validation to ensure ethical alignment. A key challenge arises from black-box AI models, where opacity hinders interpretability of decision processes, complicating verification of reliability and compliance with regulations like GDPR and the EU AI Act (in force since August 2024 and requiring audits for high-risk AI systems). To address this, audits incorporate pre- and post-model evaluations, including Model Cards for documentation and audit trails for transparency, fostering trust in automated systems.
AI audits have emerged as a specialized trend in IT auditing, providing a structured process to verify the design, deployment, and governance of AI systems, ensuring traceability, accountability, and legitimacy in high-stakes applications across domains such as finance, health, and public administration. According to ISACA, an AI audit is a review of AI systems, algorithms, and data to identify and mitigate potential risks, threats, and impacts. IBM defines it as a structured, evidence-based examination of how artificial intelligence systems are designed, trained, and deployed. Holistic AI describes AI auditing as the practice of assessing, mitigating, and assuring an algorithm's safety, legality, and ethics. These audits integrate with broader IT governance frameworks to align AI usage with organizational risk management and compliance requirements. Key challenges in AI auditing include the necessity for continuous monitoring due to frequent model updates and data drifts, which can significantly alter system performance and behavior over time. This ongoing process helps maintain accountability by establishing clear responsibility pathways and preventing the diffusion of oversight in deployments where AI outputs influence critical decisions. Such practices enhance the overall legitimacy of AI systems within IT audit scopes. To enhance auditability and traceability in fail-safe AI architectures, software and procedural mechanisms are employed, enabling independent verification of system behavior after decisions are made. Techniques used for this purpose include tamper-evident logging, cryptographic hashing of inputs or decision records, and immutable timestamping mechanisms. These methods allow auditors, regulators, or system operators to reconstruct the conditions under which an AI system acted or declined to act, improving accountability without requiring continuous human oversight. 
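The paragraph above (and the AI audit subtype described earlier in the article) names three mechanisms for auditability: tamper-evident logging, cryptographic hashing of inputs or decision records, and immutable timestamping. The block below is an added example of how those fit together in a hash-chained decision log; it is not code from the article, from ISACA, IBM or Holistic AI, and a real deployment is assumed to anchor the chain head in an external trusted timestamping service, which is not shown. The record layout, field names and the loan-screening decisions are constructed for the illustration.

```python
"""Tamper-evident, hash-chained decision log for AI system auditability.

Added example, not the article's or any vendor's code. Record layout and
sample decisions are constructed; external anchoring of the chain head in a
trusted timestamping service is assumed rather than implemented.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the first record


def canonical(obj) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_decision(chain, inputs, decision, timestamp):
    """Append one decision record to the chain.

    Only a hash of the model inputs is stored, so sensitive input data stays
    out of the log but retained evidence can still be matched against it later.
    `timestamp` is an ISO-8601 UTC string and must strictly increase.
    """
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    if chain and timestamp <= chain[-1]["timestamp"]:
        raise ValueError("timestamps must strictly increase")
    body = {
        "seq": len(chain),
        "timestamp": timestamp,
        "input_hash": sha256_hex(canonical(inputs)),
        "decision": decision,
        "prev_hash": prev_hash,
    }
    record = dict(body, hash=sha256_hex(canonical(body)))
    chain.append(record)
    return record


def verify_chain(chain):
    """Return (True, None) if every record's hash, link, sequence number and
    timestamp order are intact, else (False, index) for the first bad record."""
    prev_hash, prev_ts = GENESIS, ""
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev_hash:
            return False, i
        if sha256_hex(canonical(body)) != record.get("hash"):
            return False, i
        if body.get("timestamp", "") <= prev_ts:
            return False, i
        prev_hash, prev_ts = record["hash"], body["timestamp"]
    return True, None


def matches_inputs(record, inputs) -> bool:
    """Let an auditor confirm that retained input evidence is what the model saw."""
    return sha256_hex(canonical(inputs)) == record["input_hash"]


def build_sample_chain():
    """Constructed loan-screening decisions (identifiers and scores are made up)."""
    chain = []
    append_decision(chain, {"applicant": "A-1001", "score": 712}, "approve", "2025-03-03T09:12:05Z")
    append_decision(chain, {"applicant": "A-1002", "score": 588}, "refer_to_human", "2025-03-03T09:12:09Z")
    append_decision(chain, {"applicant": "A-1003", "score": 640}, "decline", "2025-03-03T09:12:14Z")
    return chain


def tamper_demo():
    """Edit a past decision after the fact and show that verification catches it."""
    chain = build_sample_chain()
    chain[1]["decision"] = "approve"
    return verify_chain(chain)
```

Because each record's hash covers the previous record's hash, changing, deleting or reordering any earlier entry breaks every later link, and `verify_chain` reports the first record that no longer checks out. The `input_hash` lets a regulator reconstruct what the system acted on from separately retained evidence without the log itself holding personal data.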
The proliferation of Internet of Things (IoT) devices introduces unique security audit demands, focusing on vulnerabilities in embedded systems and network connectivity. IT audits target risks like outdated firmware and weak authentication, which expose devices to exploits such as DDoS attacks or unauthorized data access in sectors like healthcare. A risk-based framework guides auditors to scope devices, evaluate data flows, and align controls with standards like IoT Security Guidance (latest release 2024), ensuring security in real-time operations. Blockchain technology impacts IT audits through the need to verify immutable transaction ledgers and secure smart contracts against exploits. Auditors confirm transaction completeness and validity by tracing records, using tools like Hyperledger Fabric for compliance testing of crypto assets. Smart contract audits blend automated tools, such as Mythril for vulnerability detection, with manual reviews to identify issues like reentrancy attacks or logic flaws that could result in financial losses. This approach ensures the integrity of decentralized applications while addressing risks in permissionless environments. Audits of web and communication technologies emphasize securing digital interfaces against data exposure. Website security evaluations check SSL/TLS compliance to encrypt data in transit, using NIST guidelines to verify certificate management and prevent man-in-the-middle attacks. For enterprise email systems, audits assess configurations for data leak prevention, including encryption and access controls to comply with HIPAA or GDPR and mitigate risks from phishing-induced breaches. These practices help organizations maintain trust in communication channels amid rising cyber threats.

Organizational and Financial Impacts

Effects on Business Operations

IT audits significantly influence business operations by uncovering inefficiencies in IT systems, such as outdated software or suboptimal network configurations, which can lead to streamlined processes and substantial cost reductions. For instance, audits often reveal redundancies in infrastructure that, once addressed, optimize resource use and enhance overall system performance. In a study of Indonesian companies, 78% reported improved system performance following IT audit implementation, primarily through better management of servers, networks, and applications, while 70% identified and resolved previously undetected inefficiencies. Similarly, regular audits facilitate the replacement of legacy systems with more efficient technologies, yielding direct cost savings by minimizing maintenance expenses and preventing costly breakdowns. Beyond immediate optimizations, IT audits contribute to governance enhancements by reinforcing IT policies and elevating board-level oversight of technology risks. These audits evaluate the maturity of governance mechanisms, such as change management and IT architecture, ensuring alignment with organizational objectives and reducing operational vulnerabilities. A study in Ghana's financial services sector demonstrated that consistent IT auditing, guided by frameworks like COBIT 5, improved governance maturity levels (for example, change management scores rose from 3.40 to 4.18 in banks) while fostering greater coherence among policies and controls. This strengthening directly bolsters enterprise risk management (ERM) by integrating IT risk assessments into broader risk frameworks, enabling proactive mitigation and informed decision-making that supports sustained business resilience. Internal auditors play a pivotal role here, providing assurance on risk processes and facilitating ERM adoption without assuming management duties, which ultimately enhances governance effectiveness across operations.
On a company-wide scale, IT audits drive cultural shifts toward greater IT accountability, empowering personnel and promoting a risk-aware culture that permeates organizational functions. Post-audit implementations often result in reduced system downtime, as seen in cases where audits led to targeted upgrades that minimized technical disruptions; for example, 64% of audited firms reported lower unproductive time due to fewer IT issues, correlating with a positive operational efficiency coefficient of 0.58. In the Ghanaian financial sector study, audits enhanced employee accountability in IT roles, with scores improving from 2.71 to 3.81 in pension funds, alongside better incident response capabilities, fostering a culture of proactive maintenance that reduces reliance on ad-hoc fixes. These changes not only cut costs, evidenced by optimized workflows, but also boost employee morale by eliminating cumbersome workarounds, leading to more agile and accountable operations overall. Despite these benefits, IT audits present challenges, including potential disruptions to daily operations and strains on resources. Audit processes can interrupt normal workflows, particularly during fieldwork involving interviews or system reviews, causing temporary shifts in focus that waste time and affect productivity. Resource constraints exacerbate this, with many organizations facing talent shortages in areas like cybersecurity and data analytics, leading to understaffed audits that divert personnel from core activities; surveys indicate 51% of IT budgets remained stable or declined, limiting comprehensive coverage and increasing the risk of overlooked operational gaps. Effective planning is essential to mitigate these issues, balancing thoroughness with minimal interference to preserve operational continuity.

Integration with Financial Auditing

Information technology audits are interdependent with financial audits, as IT controls form the foundation for the reliability of financial reporting by ensuring the integrity of automated systems that process financial data. Under Section 404 of the Sarbanes-Oxley Act (SOX), publicly traded companies must establish and maintain internal controls over financial reporting (ICFR), where IT general controls, such as access management and change controls, directly support the effectiveness of these processes to prevent material misstatements. This interdependence is evident in how weaknesses in IT controls can lead to deficiencies in financial reporting, prompting integrated evaluations to assess overall control reliability. Integration methods leverage IT audits to scope financial audits more efficiently, incorporating IT evidence early to identify risks in automated environments. For instance, financial auditors rely on IT audit findings to determine the extent of substantive testing, while joint teams comprising IT and financial auditors conduct walkthroughs and tests of automated controls in systems like enterprise resource planning (ERP) platforms. This collaborative approach ensures that IT audits inform the financial audit's scope, allowing auditors to benchmark and rely on prior-period testing of stable automated controls, thereby streamlining the overall process. The effects of this integration on financial audits include reduced risks of material misstatements by providing robust evidence from IT controls, particularly in verifying transaction accuracy within complex systems. Auditing ERP systems, for example, involves joint testing of data flows and automated processes to confirm that financial transactions are recorded accurately and completely, mitigating errors that could affect reported revenues or expenses under SOX compliance.
Such IT-derived evidence enhances the auditor's ability to assess control reliability, leading to more targeted substantive procedures and lower overall costs, as observed in post-2007 SOX reforms where ICFR fees declined by approximately 20-30% due to improved integration. These practices align with PCAOB Auditing Standard No. 5 (AS 5), which mandates an integrated approach where the evaluation of ICFR, including IT-dependent controls, is coordinated with the financial statement audit to achieve comprehensive assurance. AS 5 emphasizes a top-down, risk-based approach that prioritizes IT controls relevant to significant financial accounts, ensuring that testing focuses on areas with the greatest impact on financial reporting reliability.

Benefits and Best Practices

Advantages of IT Auditing

IT auditing offers organizations a range of strategic and tactical advantages that extend well beyond compliance, fostering resilience and long-term value in an increasingly digital landscape. By systematically evaluating IT systems, controls, and processes, these audits help mitigate risks, optimize resources, and align technology with business goals. A primary benefit is the enhancement of an organization's security posture, which directly contributes to reducing the financial consequences of breaches. IT audits identify vulnerabilities and recommend strengthening controls, such as incident response planning and testing, leading to substantial savings. For instance, according to the 2025 Cost of a Data Breach Report, organizations using extensive AI and automation in operations save an average of $1.9 million per breach compared to those without, highlighting the value of audit-recommended proactive measures like regular testing. This proactive approach not only prevents costly incidents but also shortens breach detection and containment times, minimizing operational disruptions. In addition to security improvements, IT auditing supports better decision-making by delivering actionable insights into IT performance, risks, and opportunities. Auditors assess how IT assets contribute to business objectives, revealing inefficiencies or gaps that inform executive strategies and resource allocation. This leads to more effective management decisions, as evidenced by internal audit practices that enhance operational oversight and strategic planning in public sector entities. Such insights enable leaders to prioritize investments in technology that drive growth rather than merely addressing immediate threats. Efficiency gains represent another critical advantage, as IT audits streamline processes and uncover redundancies in IT operations. By reviewing system configurations, software usage, and operational practices, audits identify areas for consolidation, reducing operational costs and improving resource utilization.
Organizations often achieve long-term savings through these preventive measures, avoiding expensive overhauls or repeated fixes. For example, audits can highlight underutilized licenses or legacy systems, leading to targeted optimizations that lower maintenance expenses without compromising functionality. On a strategic level, IT auditing facilitates digital transformation by ensuring that technology initiatives align with organizational goals and risk tolerances. Audits evaluate the readiness of IT environments for initiatives like cloud migration or AI integration, providing assurance that transformations enhance competitiveness rather than introduce new vulnerabilities, including the need for AI oversight to manage risks like shadow AI. This support positions organizations to gain a market edge through reliable, scalable IT systems. Furthermore, by demonstrating robust governance and controls, IT audits foster ethical benefits, such as building stakeholder trust through transparent practices and compliance demonstrations. To maximize these advantages, best practices include conducting regular IT audits aligned with business cycles, such as annually or in conjunction with major IT changes, to maintain ongoing relevance and adaptability. Integrating audit findings into enterprise risk management frameworks ensures sustained benefits, turning audits into a continuous improvement tool rather than a periodic exercise.

Leveraging IT in Broader Audits

IT systems and tools significantly enhance the efficiency and scope of financial audits by enabling automated data analysis, which allows auditors to examine vast amounts of financial data quickly and identify anomalies that might indicate errors or fraud. Tools like IDEA from CaseWare facilitate this through features such as interactive dashboards that visually pinpoint patterns, trends, and outliers in datasets, reducing manual review time and improving accuracy. Similarly, Tableau supports automated anomaly detection in financial reporting by flagging suspicious activities and unusual patterns across large volumes of transactional data, enabling auditors to focus on high-risk areas rather than exhaustive manual checks.

Integration of IT tools into broader audits extends to real-time monitoring powered by AI, which provides continuous oversight of financial transactions and supports scalability for handling massive datasets that traditional methods cannot efficiently manage. For instance, AI-driven platforms like MindBridge enable real-time auditing by analyzing transactions as they occur, detecting deviations from norms and alerting auditors promptly, which enhances proactive risk mitigation in dynamic financial environments. This scalability is particularly beneficial for organizations with global operations, where AI tools can process terabytes of data without proportional increases in audit resources, as demonstrated in implementations by audit firms that leverage AI for ongoing financial oversight.

Best practices for leveraging IT in audits include comprehensive training for auditors on these tools to maximize their effectiveness and ensure proper application. Organizations such as the Institute of Internal Auditors recommend structured programs that cover tool-specific skills, from data import in IDEA to visualization in Tableau, fostering a hybrid skill set that integrates technology with professional judgment. A notable example is the use of blockchain for creating immutable audit trails in financial reporting, as seen in PwC's implementation for a multinational client, where it reduced the annual audit cycle from months to weeks by providing verifiable, tamper-proof transaction records that streamline verification processes.

Despite these advantages, challenges such as data quality issues can undermine IT-enhanced audits, including inaccuracies or incompleteness that lead to flawed conclusions. These are addressed through validation protocols, such as automated checks embedded in tools like IDEA, which enforce validation rules during import and analysis to ensure completeness and consistency before processing. Best practices from industry sources emphasize regular data audits and standardized validation frameworks to mitigate these risks, allowing auditors to rely on high-quality inputs for reliable outcomes in broader financial audits.
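The two passes described above, import-time validation (completeness, consistency) followed by analytic flagging of unusual transactions, as an added Python example. This is illustrative code written for this page, not code from the article or from CaseWare IDEA, Tableau or MindBridge; the field names, rule thresholds, audit period and the transaction extract are all assumptions constructed for the illustration.

```python
"""Import validation and anomaly flagging over a constructed transaction extract.

Added illustration, not from the article or any vendor tool. Field names,
thresholds, the audit period and the sample ledger are assumptions.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import mean, pstdev

REQUIRED_FIELDS = ("txn_id", "posted", "vendor", "amount", "approver")

# Constructed sample extract (hypothetical rows, not from any real ledger).
SAMPLE_EXTRACT = [
    {"txn_id": "T001", "posted": "2025-03-03", "vendor": "Acme Ltd",  "amount": "1200.00",   "approver": "jdoe"},
    {"txn_id": "T002", "posted": "2025-03-04", "vendor": "Acme Ltd",  "amount": "1200.00",   "approver": "jdoe"},    # same vendor/amount as T001
    {"txn_id": "T003", "posted": "2025-03-05", "vendor": "Beta Inc",  "amount": "980.00",    "approver": "asmith"},
    {"txn_id": "T003", "posted": "2025-03-06", "vendor": "Gamma Co",  "amount": "450.00",    "approver": "asmith"},  # reused transaction id
    {"txn_id": "T005", "posted": "2025-03-08", "vendor": "Delta LLC", "amount": "4999.00",   "approver": "jdoe"},    # Saturday, just under 5000
    {"txn_id": "T006", "posted": "2025-03-10", "vendor": "Beta Inc",  "amount": "abc",       "approver": "asmith"},  # non-numeric amount
    {"txn_id": "T007", "posted": "2025-03-11", "vendor": "Epsilon",   "amount": "150000.00", "approver": "jdoe"},    # far larger than the rest
    {"txn_id": "T008", "posted": "2025-04-01", "vendor": "",          "amount": "300.00",    "approver": "jdoe"},    # missing vendor, outside period
]


def parse_amount(value):
    """Return the amount as a float, or None when it is not a valid number."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def validate_extract(records, period_start="2025-03-01", period_end="2025-03-31"):
    """Import-time checks: every required field present, numeric amounts,
    unique transaction ids, posting dates inside the audit period.
    Returns a list of (row_index, issue) tuples; an empty list means clean."""
    start, end = date.fromisoformat(period_start), date.fromisoformat(period_end)
    id_counts = Counter(r.get("txn_id") for r in records)
    issues = []
    for i, r in enumerate(records):
        for field in REQUIRED_FIELDS:
            if not r.get(field):
                issues.append((i, f"missing_{field}"))
        if r.get("amount") and parse_amount(r["amount"]) is None:
            issues.append((i, "non_numeric_amount"))
        if r.get("txn_id") and id_counts[r["txn_id"]] > 1:
            issues.append((i, "duplicate_txn_id"))
        try:
            if not (start <= date.fromisoformat(r.get("posted", "")) <= end):
                issues.append((i, "outside_audit_period"))
        except ValueError:
            issues.append((i, "unparseable_date"))
    return issues


def flag_anomalies(records, approval_threshold=5000.0, z_threshold=2.0):
    """Analytic pass over every record with a parseable amount. Rules are
    illustrative: amounts just under an approval limit, repeated vendor/amount
    pairs (possible duplicate payment), statistical outliers by z-score,
    and weekend postings. Returns {txn_id: [flags]} for flagged records."""
    parsed = [(r, a) for r in records if (a := parse_amount(r.get("amount"))) is not None]
    amounts = [a for _, a in parsed]
    mu, sigma = mean(amounts), pstdev(amounts)
    by_vendor_amount = Counter((r.get("vendor"), a) for r, a in parsed)
    flags = defaultdict(list)
    for r, a in parsed:
        tid = r["txn_id"]
        if 0.95 * approval_threshold <= a < approval_threshold:
            flags[tid].append("just_under_approval_threshold")
        if by_vendor_amount[(r.get("vendor"), a)] > 1:
            flags[tid].append("possible_duplicate_payment")
        if sigma and abs(a - mu) / sigma > z_threshold:
            flags[tid].append("amount_outlier")
        try:
            if date.fromisoformat(r.get("posted", "")).weekday() >= 5:
                flags[tid].append("weekend_posting")
        except ValueError:
            pass
    return dict(flags)


if __name__ == "__main__":
    for row, issue in validate_extract(SAMPLE_EXTRACT):
        print(f"validation row {row}: {issue}")
    for tid, reasons in flag_anomalies(SAMPLE_EXTRACT).items():
        print(f"review {tid}: {', '.join(reasons)}")
```

The validation pass reports problems by row index rather than transaction id because a reused id is itself one of the defects it looks for; the anomaly pass runs over every parseable row regardless of validation outcome, so a row with a bad vendor field still contributes to the amount statistics and is reviewed separately rather than silently dropped. On this small sample a z-score of 2 is close to the maximum a single outlier can reach, so on real extracts the threshold and the choice of statistic (z-score versus a robust measure) are audit-design decisions, not constants to copy.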
