Guide 4: Management of IT Auditing
Download (members only): English (PDF, 380KB); Spanish (480KB); French (550KB)
Purchase from The IIA Research Foundation Bookstore
Rate this guide

There is no question that IT is changing the nature of the internal audit functions. The risks companies face, the types of audits that should be performed, how to prioritize the audit universe, and how to deliver insightful findings are all issues with which chief audit executive (CAE) must grapple. The purpose of this guide is to help sort through the strategic issues regarding planning, performing, and reporting on IT audits.

This guide is designed for CAE and internal audit management personnel who are responsible for overseeing IT audits. It is meant to provide pragmatic information in plain English, with specific recommendations that a CAE can implement immediately. Further consideration is given to providing questions that a CAE can ask to help understand if his or her IT audit function is a high performer.

1. Executive Summary
2. Introduction
3. Defining IT
3.1 IT Management
3.2 Technical Infrastructure
3.3 Applications
3.4 External Connections
4. IT-related Risks
4.1 The Snowflake Theory
4.2 Risk Evolution
4.3 IT-related Risk Proliferation
4.4 Types of IT-related Risks
4.5 IT Risk Assessment
5. Defining the IT Audit Universe
5.1 Tips for the CAE
5.2 Budgeting for IT Audit
6. Executing IT Audits
6.1 Frameworks and Standards
6.2 IT Audit Resource Management
7. IT Audit Accelerators
7.1 Audit Facilitators
7.2 Testing Accelerators
8. Questions for the CAE
A. Appendix A - Emerging Issues
A.1 Wireless Networks
A.2 Mobile Devices
A.3 Interfaces
A.4 Data Management
A.5 Privacy
A.6 Segregation of Duties
A.7 Administrator Access
A.8 Configurable Controls
A.9 Piracy
Other Resources

Author
Michael Juergens, Principal, Deloitte & Touche LLP
Contributing Author
David Maberry, Senior Manager, Deloitte & Touche LLP

Questions about this guide for the authors? E-mail guidance@theiia.org.