How does IT audit fit with governance, risk management and information security?  

Governance can be considered at various levels such as broad pan-organizational controls (corporate governance) or controls over individual projects or systems (project and systems governance).

Similarly in respect of risk management, the scope can apply across the whole organization (taking in commercial, operational, market, financial, regulatory and other risks) or just to specific projects and systems.

Whether PCAOB was actually needed or not you can maybe judge for yourself from the fact that their Auditing Standard No. 1 stated: “The Board has adopted as interim standards, on an initial, transitional basis, the generally accepted auditing standards, described in the American Institute of Certified Public Accountants’ (AICPA) Auditing Standards Board’s Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards, in existence on April 16, 2003.” The first standard goes on to provide template or example SOX audit reports that say virtually nothing of any practical use, but cost SEC-listed companies vast amounts to obtain.
Auditing Standard No. 2 further states: “In the United States, the Committee of Sponsoring Organizations (“COSO”) of the Treadway Commission published Internal Control – Integrated Framework.

These may sound similar but are fundamentally different rôles: information security managers have executive responsibilities for securing the organisation’s information assets against hackers, malware and other threats whereas IT auditors are irresponsible (if you get my drift). Auditors review, advise, report and persuade. Executive managers ‘execute’ … and carry the can. The common ground is minimisation of risks.

Whilst that may be reasonably straightforward in theory, there is a lot of confusion about the terms in practice. The term ‘governance’, for instance, is often used as shorthand for ‘corporate governance’. ICT controls may be an important part of corporate governance, especially in organizations that are critically reliant on information processing, but there are many other types of control in most organizations that fall well outside the scope of ICT (e.g. the use of non-executive directors to review and guide executive management has nothing to do with ICT).

Answered by Raksha at 8:32 AM on June 26, 2008

Governance can be considered at various levels such as broad pan-organizational controls (corporate governance) or controls over individual projects or systems (project and systems governance).

Similarly in respect of risk management, the scope can apply across the whole organization (taking in commercial, operational, market, financial, regulatory and other risks) or just to specific projects and systems.

Whether PCAOB was actually needed or not you can maybe judge for yourself from the fact that their Auditing Standard No. 1 stated: “The Board has adopted as interim standards, on an initial, transitional basis, the generally accepted auditing standards, described in the American Institute of Certified Public Accountants’ (AICPA) Auditing Standards Board’s Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards, in existence on April 16, 2003.” The first standard goes on to provide template or example SOX audit reports that say virtually nothing of any practical use, but cost SEC-listed companies vast amounts to obtain.
Auditing Standard No. 2 further states: “In the United States, the Committee of Sponsoring Organizations (“COSO”) of the Treadway Commission published Internal Control – Integrated Framework.

Answered by Yash at 8:31 PM on June 25, 2008

Governance can be considered at various levels such as broad pan-organizational controls (corporate governance) or controls over individual projects or systems (project and systems governance).

Similarly in respect of risk management, the scope can apply across the whole organization (taking in commercial, operational, market, financial, regulatory and other risks) or just to specific projects and systems.

Whether PCAOB was actually needed or not you can maybe judge for yourself from the fact that their Auditing Standard No. 1 stated: “The Board has adopted as interim standards, on an initial, transitional basis, the generally accepted auditing standards, described in the American Institute of Certified Public Accountants’ (AICPA) Auditing Standards Board’s Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards, in existence on April 16, 2003.” The first standard goes on to provide template or example SOX audit reports that say virtually nothing of any practical use, but cost SEC-listed companies vast amounts to obtain.
Auditing Standard No. 2 further states: “In the United States, the Committee of Sponsoring Organizations (“COSO”) of the Treadway Commission published Internal Control – Integrated Framework.

These may sound similar but are fundamentally different rôles: information security managers have executive responsibilities for securing the organisation’s information assets against hackers, malware and other threats whereas IT auditors are irresponsible (if you get my drift). Auditors review, advise, report and persuade. Executive managers ‘execute’ … and carry the can. The common ground is minimisation of risks.

Whilst that may be reasonably straightforward in theory, there is a lot of confusion about the terms in practice. The term ‘governance’, for instance, is often used as shorthand for ‘corporate governance’. ICT controls may be an important part of corporate governance, especially in organizations that are critically reliant on information processing, but there are many other types of control in most organizations that fall well outside the scope of ICT (e.g. the use of non-executive directors to review and guide executive management has nothing to do with ICT).

Answered by Madhurima at 1:12 PM on May 31, 2008

Hi there

Governance can be considered at various levels such as broad pan-organizational controls (corporate governance) or controls over individual projects or systems (project and systems governance).

Similarly in respect of risk management, the scope can apply across the whole organization (taking in commercial, operational, market, financial, regulatory and other risks) or just to specific projects and systems.

Whether PCAOB was actually needed or not you can maybe judge for yourself from the fact that their Auditing Standard No. 1 stated: “The Board has adopted as interim standards, on an initial, transitional basis, the generally accepted auditing standards, described in the American Institute of Certified Public Accountants’ (AICPA) Auditing Standards Board’s Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards, in existence on April 16, 2003.” The first standard goes on to provide template or example SOX audit reports that say virtually nothing of any practical use, but cost SEC-listed companies vast amounts to obtain.
Auditing Standard No. 2 further states: “In the United States, the Committee of Sponsoring Organizations (“COSO”) of the Treadway Commission published Internal Control – Integrated Framework.

These may sound similar but are fundamentally different rôles: information security managers have executive responsibilities for securing the organisation’s information assets against hackers, malware and other threats whereas IT auditors are irresponsible (if you get my drift). Auditors review, advise, report and persuade. Executive managers ‘execute’ … and carry the can. The common ground is minimisation of risks.

Whilst that may be reasonably straightforward in theory, there is a lot of confusion about the terms in practice. The term ‘governance’, for instance, is often used as shorthand for ‘corporate governance’. ICT controls may be an important part of corporate governance, especially in organizations that are critically reliant on information processing, but there are many other types of control in most organizations that fall well outside the scope of ICT (e.g. the use of non-executive directors to review and guide executive management has nothing to do with ICT).

Answered by Reeta K at 6:07 PM on May 29, 2008

well Radhe, An information technology audit, or information systems audit, is an examination of the controls within an Information technology (IT) infrastructure. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. The PCAOB was established by the U.S. Securities and Exchange Commission - the SEC - as (yet another) independent oversight board to regulate/guide professionals involved in auditing companies, this time specifically regarding compliance with the Sarbanes Oxley Act of 2002 (SOX).

Whether PCAOB was actually needed or not you can maybe judge for yourself from the fact that their Auditing Standard No. 1 stated: “The Board has adopted as interim standards, on an initial, transitional basis, the generally accepted auditing standards, described in the American Institute of Certified Public Accountants’ (AICPA) Auditing Standards Board’s Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards, in existence on April 16, 2003.” The first standard goes on to provide template or example SOX audit reports that say virtually nothing of any practical use, but cost SEC-listed companies vast amounts to obtain.

Auditing Standard No. 2 further states: “In the United States, the Committee of Sponsoring Organizations (“COSO”) of the Treadway Commission published Internal Control – Integrated Framework.

Known as the COSO report, it provides a suitable and available framework for purposes of management’s assessment.

For that reason, the performance and reporting directions in this standard are based on the COSO framework.” To give them their due, the 2nd standard does go on to describe the auditing processes in more depth but it is hardly revolutionary.

Answered by Romi at 10:18 PM on May 28, 2008

Governance is a genuine solid-gold buzzword, essentially meaning systems of control.

Governance can be considered at various levels such as broad pan-organizational controls (corporate governance) or controls over individual projects or systems (project and systems governance).

Similarly in respect of risk management, the scope can apply across the whole organization (taking in commercial, operational, market, financial, regulatory and other risks) or just to specific projects and systems.

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

Answered by Shobhit at 2:17 PM on May 28, 2008

An information technology audit, or information systems audit, is an examination of the controls within an Information technology (IT) infrastructure. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

IT audits are also known as automated data processing (ADP) audits and computer audits. They were formerly called electronic data processing (EDP) audits.
An IT audit should not be confused with a financial statement audit. While there may be some abstract similarities, a financial audit's primary purpose is to evaluate whether an organization is adhering to standard accounting practices. The primary functions of an IT audit are to evaluate the system's efficacy and security protocols, in particular, to evaluate the organization's ability to protect its information assets and properly dispense information to authorized parties. The IT audit's agenda may be summarized by the following questions:

* Will the organization's computer systems be available for the business at all times when required? (Availability)
* Will the information in the systems be disclosed only to authorized users? (Confidentiality)
* Will the information provided by the system always be accurate, reliable, and timely? (Integrity)

The IT audit focuses on determining risks that are relevant to information assets, and in assessing controls in order to reduce or mitigate these risks.

Answered by Sudipta Deb at 11:29 AM on May 28, 2008

Governance can be considered at various levels such as broad pan-organizational controls (corporate governance) or controls over individual projects or systems (project and systems governance).

Similarly in respect of risk management, the scope can apply across the whole organization (taking in commercial, operational, market, financial, regulatory and other risks) or just to specific projects and systems.

Whether PCAOB was actually needed or not you can maybe judge for yourself from the fact that their Auditing Standard No. 1 stated: “The Board has adopted as interim standards, on an initial, transitional basis, the generally accepted auditing standards, described in the American Institute of Certified Public Accountants’ (AICPA) Auditing Standards Board’s Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards, in existence on April 16, 2003.” The first standard goes on to provide template or example SOX audit reports that say virtually nothing of any practical use, but cost SEC-listed companies vast amounts to obtain.
Auditing Standard No. 2 further states: “In the United States, the Committee of Sponsoring Organizations (“COSO”) of the Treadway Commission published Internal Control – Integrated Framework.

These may sound similar but are fundamentally different rôles: information security managers have executive responsibilities for securing the organisation’s information assets against hackers, malware and other threats whereas IT auditors are irresponsible (if you get my drift). Auditors review, advise, report and persuade. Executive managers ‘execute’ … and carry the can. The common ground is minimisation of risks.

Whilst that may be reasonably straightforward in theory, there is a lot of confusion about the terms in practice. The term ‘governance’, for instance, is often used as shorthand for ‘corporate governance’. ICT controls may be an important part of corporate governance, especially in organizations that are critically reliant on information processing, but there are many other types of control in most organizations that fall well outside the scope of ICT (e.g. the use of non-executive directors to review and guide executive management has nothing to do with ICT).

Answered by Arti singh at 9:43 AM on May 28, 2008

Governance is a genuine solid-gold buzzword, essentially meaning systems of control.

Governance can be considered at various levels such as broad pan-organizational controls (corporate governance) or controls over individual projects or systems (project and systems governance).

Similarly in respect of risk management, the scope can apply across the whole organization (taking in commercial, operational, market, financial, regulatory and other risks) or just to specific projects and systems.

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

Answered by jaivir at 9:14 AM on May 28, 2008

well, Governance can be considered at various levels such as broad pan-organizational controls (corporate governance) or controls over individual projects or systems (project and systems governance).

Similarly in respect of risk management, the scope can apply across the whole organization (taking in commercial, operational, market, financial, regulatory and other risks) or just to specific projects and systems.

Whether PCAOB was actually needed or not you can maybe judge for yourself from the fact that their Auditing Standard No. 1 stated: “The Board has adopted as interim standards, on an initial, transitional basis, the generally accepted auditing standards, described in the American Institute of Certified Public Accountants’ (AICPA) Auditing Standards Board’s Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards, in existence on April 16, 2003.” The first standard goes on to provide template or example SOX audit reports that say virtually nothing of any practical use, but cost SEC-listed companies vast amounts to obtain.
Auditing Standard No. 2 further states: “In the United States, the Committee of Sponsoring Organizations (“COSO”) of the Treadway Commission published Internal Control – Integrated Framework.

These may sound similar but are fundamentally different rôles: information security managers have executive responsibilities for securing the organisation’s information assets against hackers, malware and other threats whereas IT auditors are irresponsible (if you get my drift). Auditors review, advise, report and persuade. Executive managers ‘execute’ … and carry the can. The common ground is minimisation of risks.

Whilst that may be reasonably straightforward in theory, there is a lot of confusion about the terms in practice. The term ‘governance’, for instance, is often used as shorthand for ‘corporate governance’. ICT controls may be an important part of corporate governance, especially in organizations that are critically reliant on information processing, but there are many other types of control in most organizations that fall well outside the scope of ICT (e.g. the use of non-executive directors to review and guide executive management has nothing to do with ICT).

Answered by Saurabh at 7:34 AM on May 28, 2008