IT audit: An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations. Information technology audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall goals. The first step is to gather information and do some planning; the second step is to gain an understanding of the existing internal control structure. More and more organizations are moving to a risk-based audit approach, which is used to assess risk and helps an IT auditor decide whether to perform compliance testing or substantive testing. In a risk-based approach, IT auditors rely on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk.
In the “Gathering Information” step, the IT auditor needs to identify five items:
1. Knowledge of business and industry
2. Prior year’s audit results
3. Recent financial information
4. Regulatory statutes
5. Inherent risk assessments