IT Audit

IT Governance is the industry leader for IT governance, risk management, compliance and information security.

On this page you will find a selection of our highly regarded training courses relating to IT Auditing. An essential starting point for any IT professional hoping to become an IT Auditing Expert is our book Swanson on Internal Auditing: Raising the Bar, described as "a recommended resource for all internal audit professionals."


CISA & IT Audit Qualifications

ISACA (the Information Systems Audit and Control Association) is a global professional organisation dedicated to audit, control and security of information systems. The key ISACA qualification for IT auditors is CISA (Certified Information Systems Auditor).

More than 50,000 people have achieved this qualification. CISA exams take place twice a year, in June and December.

The official preparation and revision text is updated every year. You can order your own copy here: 2011 CISA Review and exam manual (worldwide shipping available).


Information Security Audit and ISO 27001

ISO 27001, the information security Standard, has specific requirements in terms of information security audits, both internal and external. A comprehensive ISO 27001 Audit checklist is contained in Are You Ready for an ISO 27001 Audit?

Useful advice to those soon to be audited is set out in a handy pocket book, Audits without Tears Additionally, Information Security ISO 27001 Internal Auditor training is a key skill requirement in many organisations.


ISAE 3402 and SSAE 16

ISAE 3402 and SSAE 16 are the industry standards for service organisations, having replaced the former SAS 70 certification.

ISAE 3402 is the international standard on assurance engagements, (developed by the International Auditing and Assurance Standards Board), while SSAE 16 is the American counterpart (developed by the American Institute of Certified Public Accountants).

Service organisations wishing to conduct business internationally with firms that demand SOC reports will be audited against ISAE 3402.

Types of Reports:

  • A SOC 1 Report provides information to clients on the internal controls that affect your organisation’s financial statements.
  • A SOC 2 Report provides information on non-financial controls that affect data security, privacy, availability, confidentially and processing integrity. The report verifies the application and implementation of controls.
  • A SOC 3 Report provides information on non-financial controls and verifies whether the controls that were applied and implemented are effective in achieving their objectives.

The ISAE (International Standard on Assurance Engagements) 3402 Type II compliance, unlike Type I, ensures the actual application and implementation of controls, while Type III compliance assesses the efficacy of these controls.

Learn more on our SOC Reporting information page.


What is IT Auditing?

Proactively studying "what’s out there” is increasingly important for successful IT Audits. Regular research on the following sites, in addition to periodic exploration of audit resources via Google or another Web search tool, can help you stay on top of audit tools and audit practice information. Auditors should research not only available audit tools, but also recommended professional audit practices. Both are crucial in effective auditing.

"An information technology (IT) audit or information systems (IS) audit is an examination of the controls within an entity's information technology infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

An IT audit is the process of collecting and evaluating evidence of an organisation's information systems, practices, and operations. Obtained evidence evaluation can ensure whether the organisation's information systems safeguard assets, maintains data integrity, and is operating effectively and efficiently to achieve the organisation's goals or objectives." (Wikipedia)

And for extra credit:

  1. The Institute of Internal Auditors, including:
  2. The Institute of Chartered Accountants in England and Wales (ICAEW), including:
  3. EU Single Market - Auditing
  4. AuditNet
  5. The Information Systems Audit and Control Association (ISACA), including:
  6. US Federal Financial Institutions Examination Council (FFIEC)
  7. US Government Accountability Office (GAO)
  8. The Treasury Board of Canada Secretariat
  9. CCAF (Canadian Comprehensive Auditing Foundation)
  10. The International Organisation of Supreme Audit Institutions (INTOSAI)
  11. The Center for Education and Research in Information Assurance and Security (CERIAS)
  12. Wikipedia entry: Information technology audit

Information and resources on this page are provided by Dan Swanson, an internal audit veteran with over 26 years' experience, who most recently was director of professional practices at the Institute of Internal Auditors.

Dan has completed audit projects for more than 30 different organisations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors.

He has completed nearly 100 internal audits in his career including: operational audits, system audits, financial audits, value-for-money audits, comprehensive audits, and many more. He has completed almost 50 IT conversion audits and a dozen comprehensive audits of the information technology function.


Speak to an expert

Please contact us for more information or to arrange an initial meeting.