- 1. Sam A. Hicks, PhD Department of Accounting & Information
Systems Audit track at VA SCAN Virginia Tech October 6, 2008 The
Status of IT Audit Education
2. What is Information Systems Audit What is an Audit
- Auditing: Systematic process of objectively obtaining and
evaluating evidence regarding assertions about economic actions and
events to ascertain the degree of correspondence between those
assertions and established criteria and communicating the results to
interested users.
- Financial Statement Auditors: Established criteria is Generally
Accepted Accounting Principles [GAAP]
- Financial Statement Auditors: Must attest to the amounts on the
financial statements, they cannot only attest to the system
3.
- An audit compares actual to standard; established criteria for IS
Audit is COSO, COBIT, Basel II Accord, ITIL, and several ISO
standards.
- Sarbanes Oxley requires that management attest to Internal
control over the Accounting system and
- Auditors audit management's assertions as to Internal
Control
- Again, standard for Internal Control is COSO, COBIT, Basel II
Accord, ITIL, and several ISO standards.
4. IS Audit
- A specialized audit focusing on the controls of the information
systems of the entity.
- Most frequently the IS Auditor is a part of the internal audit
team. As such, the IS Auditor is an integral part of the
- Design and Development of the system reviews the system
analysis and design of the system, the purchase or programming of
the system, the installation, and the post-implementation
review
5. IS Audit
- Security [Availability, Confidentiality and Integrity] of the
system access, back-up, separation of duties, training of users,
documentation of system
- Enhance operations with changes
- Do the tasks of the IS Auditor matter?
6. AICPA Top Ten IT Concerns
| Ranking | 2008 | 2007 | 2006 | 2005 | 2004 |
|---|---|---|---|---|---|
| 1 | Information Security Management | Information Security Management | Information Security | Information Security | Information Security |
| 2 | IT Governance | Identity and Access Management | Assurance and Compliance Applications | Electronic Document Management | Spam Technology |
| 3 | Business Continuity Management (BCM) and Disaster Recovery Planning (DRP) | Conforming to Assurance and Compliance Standards | Disaster and Business Continuity Planning | Data Integration | Digital Optimization |
7. AICPA Top Ten IT Concerns
| Ranking | 2008 | 2007 | 2006 | 2005 | 2004 |
|---|---|---|---|---|---|
| 4 | Privacy Management | Privacy Management | IT Governance | Spam Technology | Database and Application Integration |
| 5 | Business Process Improvement (BPI), Workflow and Process Exception Alerts | Disaster Recovery Planning and Business Continuity Management | Privacy Management | Disaster Recovery | Wireless Technologies |
| 6 | Identity and Access Management | IT Governance | Digital Identity and Authentication Technologies | Collaboration and Messaging Applications | Disaster Recovery |
| 7 | Conforming to Assurance and Compliance Standards | Securing and Controlling Information Distribution | Wireless Technologies | Wireless Technologies | Data Mining |
8. AICPA Top Ten IT Concerns
| Ranking | 2008 | 2007 | 2006 | 2005 | 2004 |
|---|---|---|---|---|---|
| 8 | Business Intelligence (BI) | Mobile and Remote Computing | Application and Data Integration | Authentication Technologies | Virtual Office |
| 9 | Mobile and Remote Computing | Electronic Archiving and Data Retention | Paperless Digital Technologies | Storage Technologies | Business Exchange Technology |
| 10 | Document, Forms, Content and Knowledge Management | Document, Content and Knowledge Management | Spyware Detection and Removal | Learning and Training Competency | Messaging Applications |
9. Public Company Accounting Oversight Board's (PCAOB)
- Auditors who sign reports tend to be financial statement
auditors with little knowledge of systems
- PCAOB suggests that financial statement auditors have more IT
education
- Expressed concern of PCAOB Advisory Group
10. Department of Defense
- In May 2006, required about 80,000 professionals in the area of
Information Assurance Workforce to acquire one of 13 professional
certifications. Certified Information Systems Auditor [CISA] was one
of the 13.
11. Certified Information Systems Auditor [CISA]
- Have IS Audit experience 5 years
- Continuing Professional Education
- Follow IS Auditing Standards issued by ISACA
12. CISA Exam
- 200 multiple choice questions
- IT Service Delivery and Support [Operations]
- Business Continuity and Disaster Recovery
13. Salary Info
- Premium of 10 to 15% for certification
- CISA, CISSP and CISM were among the highest
- Certification Magazine's 2007 Salary Survey report
- CISM came in second at $115,720; ISACA reports about 8,000
professionals worldwide have CISM
- CISA came in fifth at $98,740; ISACA reports about 55,000
professionals worldwide have CISA
14. So What
- From this kind of information, demand for IS Auditors is
strong.
- Most of our students have multiple offers
15. ISACA Student Members
- Website reports that over 800 students have student memberships
representing 200 schools
- Thus only about 4 per school!
16. Students Graduating from ACIS
Students graduating, 12-month period ending June 30
| | Goal | 2008 | 2007 | 2006 | 2005 | 2004 |
|---|---|---|---|---|---|---|
| Accounting Option | 90 | 128 | 155 | 132 | 134 | 116 |
| Systems Assurance Option [IS Audit] | 45 | 12 | 11 | 13 | 19 | 20 |
| Systems Development Option | 40 | 5 | 4 | 15 | 13 | 19 |
| Total Graduates | 175 | 145 | 170 | 160 | 166 | 155 |
17. Information Systems Audit and Control Association (ISACA) model curriculum
- General Education and General Business
18. ISACA model curriculum Accounting
- Intermediate Accounting I or Management Accounting
- Process Control/Internal Control
- Accounting Information Systems
19. ISACA model curriculum Information Systems
- Introduction to Computers
- Systems Analysis & Design
- Data Base Management Systems
- Computer-based Communication Networks
- Management of Information Systems
20. ISACA model curriculum Auditing
- Introduction to Information Systems Auditing/CAATs
- Special Topics (e.g., IS Integrity and Confidentiality, Audit
Ethics)
21. IS Audit at Virginia Tech Undergraduate
- General Education 50 credits
- General Business 33 Credits
- Accounting Systems and Controls 3
22. IS Audit at Virginia Tech Undergraduate
- Information Systems 12 Credits
- Information Systems Development
- Database Management Systems
- Networks and Telecommunications in Business
- Personal Computers in Business
23. IS Audit at Virginia Tech Undergraduate
- Auditing Governance and Professional Ethics
- Financial Statement Auditing
- Information Systems Audit and Control
24. What would you Change?
25. Alternative paths to IS Audit knowledge
- Business Information Technology
26. Other CERTIFICATIONS
- CFE Certified Fraud Examiner
- CIA Certified Internal Auditor
- CISSP Certification for Information System Security
Professional
- CNE Certified Novell Engineer
- CPA Certified Public Accountant
- CRP Certified Risk Professional
- MCSE Microsoft Certified Systems Engineer
- CISA Certified Information Systems Auditor
- CITP Certified Information Technology Professional [from
AICPA]
27. Additional Certifications
- CCM Certified Cash Manager
- CCSA Certification in Control Self Assessment
- CCDA Cisco Certified Design Associate
- CCNA Cisco Certified Network Administrator
- CMA Certified Management Accountant
- CFM Certified in Financial Management
- SAPTA SAP Technical Auditor
- CMC Certified Management Consultant
- CFA Certified Financial Analyst
- CBCP Certified Business Continuity Professional
- CIDA Certified Investments & Derivatives
28. Why a certificate?
- Connected to a professional group
- Documents some level of knowledge
29. Advice From CIOs
- Be willing to admit to errors that you make; take
responsibility
- Go with your gut: listen, learn, then go with your instinct
- Get dirty: be willing to try
- Love it or leave it: life is too short to do what you do not
love to do, move on and try something different