The role of IT audit is to give an opinion on the controls that are in place to ensure confidentiality, integrity and availability for the IT systems of the organization and data supporting the business processes of the organization.


The realization of IT systems audits depends on whether it is a review, audit (or examination) or agreed procedures (specific requirements)

  • Review – is conducted to provide limited assurance for a statement. Contains a summary of the review work with the least emphasis on testing or verification. A review may be more orientated to the process, focusing on the appropriateness of tasks and activities carried out and related controls. 
    The level of evidence to be collected is smaller than in an audit and testing is generally limited.
  • Examination – which is a systematic process through which a competent and independent person takes and evaluates objectively the evidence relating to declarations by the entity or events, processes, operations or internal controls in order to form an opinion and to provide a report on the degree to which claims match a set of standards identified. An examination is a verification process that provides the highest level of security with respect to a statement that an auditor can provide. An examination involves gathering and evaluating sufficient and competent evidence and conducting appropriate tests and other procedures to form an opinion on an allegation for submission to an audit report.

    An examination requires a higher level of audit evidence than a review. For example, audit tests may focus on comparing declared and practical practices audited with established standards or relevant audit practices.

  • Under the agreed procedures – a third party and the auditor agree on the specific procedures to be carried out to obtain evidence on which the third party is willing to rely on as a basis for a conclusion.

    Depending on third-party requirements, the agreed level of evidence may be considerably limited or wide. The auditor may need to take a considerable amount of evidence; in some cases, more than is needed for an audit.

An examination and review of IT systems and relevant controls to gain security or to identify violations of legal principles, efficiency, economicity and IT system effectiveness and inter-related controls .

IT Audits can be categorized and focused on several specific areas:

IT Governance

In essence, IT governance provides a structure for aligning IT strategy with business strategy. By following a formal framework, organizations can produce measurable results in achieving their strategies and goals.

A formal program also takes into account stakeholder interests as well as staff needs and the processes they pursue. At first glance, IT governance is an integral part of the overall corporate governance.

Development, Acquisition  and Systems implementation

To understand and ensure that the methods in which organizations acquire, develop, test and implement systems, these activities support and meet organizational objectives and strategic goals.

Here are taken into account

  •  software coding standards
  •  naming conventions
  •  file formats
  •  schema and data design standards
  •  user interface standards
  •  interaction
  •  efficiency of system performance
  •  scalability
  •  standards for development and testing
  •  validity against claims
  •  test plans
  •  regression and
  •  integration testing.

IT  Operations

Daily tasks involved in executing and supporting a business information system. Operations are measured and managed using key performance indicators (KPIs) that set parameters against which the effectiveness of the operations is measured. These measurements, or equivalent, should be documented and reviewed systematically. 
IT operations include

  •  design and service delivery
  •  capacity and service management
  •  incident handling procedures to ensure continuity of operations as well
  •  practices involved in managing change.


Managing business continuity is the process by which the organization prepares for future incidents that could endanger the organization’s core mission and long-term sustainability.Some of the critical processes are:

  •  Management support
  •  Risk Assessment and Risk Mitigation
  •  Business impact assessment
  •  Business Recovery and Strategy of Continuity
  •  Awareness and training
  •  Exercises
  •  Maintenance

Information Security

Information Security can be defined as the ability of a system to protect system information and resources in accordance with the terms of confidentiality and integrity. Protection of information and its systems against unauthorized access or modification is carried out in storage, processing or transfer. Information security includes those measurements needed to be identified, documented and counted as threats. Security of 
information allows an organization to protect the IT Infrastructure from unauthorized users.

The main elements of the Information Security are:

  •  Information security environment
  •  Risk assessment
  •  Security policies
  •  Organization of security
  •  Management of communications and operations
  •  Asset management
  •  Human resources security
  •  Physical and environmental safety
  •  Access control
  •  Acquiring, Developing and Maintaining IT Systems
  •  Security incident management
  •  Business continuity management
  •  Compliance


Application controls are built into specific applications to ensure and protect the accuracy, integrity, feasibility and confidentiality of the information. They ensure the initiation of properly authorized transactions, processing of valid data, complete registration and accurate reporting.

Some of the most common control elements are

  •  Input controls
  •  Process Controls
  •  Output controls
  •  Application security controls
(4 votes. Average 5 of 5)