Information technology (IT) auditing collects and evaluates data pertaining to an IT infrastructure. An IT audit may augment a financial audit, but it is specifically designed to test the IT infrastructure’s accuracy, efficiency, and security. Though around since the 1960s, IT audits have become especially important in the 21st century, when so much of a business’s activity is conducted or assisted electronically.
The first IT audits were necessitated by the use of electronics in accounting systems. Early computers did little more than that-compute-and the combination of their expense with their extraordinarily narrow focus of applications meant that they were adopted slowly. Though General Electric used a computerized accounting system in 1954, computer use was a highly specialized skill, and early input methods (such as punch cards or paper tape) were tedious to error-check.
With the development of specialized office computers in the 1960s and the shift toward developing computers for people who did not work on them for a living, larger businesses began to integrate computers into some of their accounting procedures, especially data storage (such as to keep track of inventory or reservations) and handling large amounts of complicated information. The first IT audits were therefore electronic data processing (EDP) audits, doublechecking the accuracy of the software systems in use at a business and the data entered into and derived from them.
This led to the development of specialized accounting software, and in 1968 the American Institute of Certified Public Accountants helped formalize EDP audits, keeping them at the rigorous standards employed by financial audits. The Electronic Data Processing Auditors Association (EDPAA) was formed shortly thereafter, for the growing number of accountants who specialized in EDP audits. EDPAA has since (in 1994) changed its named to the Information Systems Audit and Control Association, and publishes CobiT-Control Objectives for Information and related Technology, the widely accepted list of standards and objectives in IT audits.
IT auditing became especially prioritized in the aftermath of the Equity Funding Corporation of America scandal of 1973, when former EFCA employee Ronald Secrist and analyst Ray Dirks reported that the Los Angeles company-which sold mutual funds and life insurance-was guilty of widespread and organized accounting fraud. At least 100 employees since 1964 had been guilty of deceiving investors and the government, and that deceit included a computer system devoted to the forgery of insurance policies for fictitious policyholders.
Determining the extent of the fraud, of course, meant auditing the computer system, as well as all others in use by the company-a process that took over two years. Similarly, in the wake of the 21st-century accounting scandals, the Sarbanes-Oxley Act of 2002 was passed, establishing stricter standards for public company boards and public accounting firms-with a greater emphasis on IT audits.
There are five categories of IT audits:
Systems and Applications audits test the input, output, and processing at all levels of the company’s systems and applications.
Information Processing Facilities audits test the control of the processing facility under normal and disruptive conditions. Systems Development audits examine the systems under development to make sure that they meet the company’s objectives and standards.
Management of IT and Enterprise Architecture audits examine the organizational structure and procedures in use.
Client/Server, Telecommunications, Intranets, and Extranets audits focus on networking issues, an area where there is particular concern with staying current in security protocols.
Information technology changes rapidly, as does its position in the process of doing business. IT auditors, though they may be CPAs, are generally more versed in information systems, with a general understanding of accounting principles, because the accounting component of their job is the more static ingredient in the mix, while the ramifications, security concerns, and potential for misuse of technology are always in flux.