IT Auditing & Control

IT auditing takes that one step further and evaluates the controls around the information with respect to confidentiality, integrity, and availability. While a financial audit will attest to the validity and reliability of information, the IT audit will attest to the confidentiality of the information, the integrity of the information and in situations where availability is a key factor will also attest to the availability and the ability to recover in the event of an incident.

One of the key factors in IT auditing and one that audit management struggles with constantly, is to ensure that adequate IT audit resources are available to perform the IT audits. Unlike financial audits, IT audits are very knowledge intensive, for example, if an IT auditor is performing a Web Application audit, then they need to be trained in web applications; if they are doing an Oracle database audit, they need to be trained in Oracle; if they are doing a Windows operating system audit, they need to have some training in Windows and not just XP, they’ll need exposure to Vista, Windows 7, Server 2003, Server 2008, IIS, SQL-Server, Exchange, etc.. As you can appreciate being an IT auditor requires extensive technical training in addition to the normal auditor and project management training.