تدقيق تكنولوجيا المعلومات
تدقيق تكنولجيا المعلومات أو تدقيق نظم المعلومات information technology audit، is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing (EDP) audits".
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
الأهداف
An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
أنواع تدقيق تكنولوجيا المعلومات
Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit: [1]
- Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.
- Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of company's research and development facilities, as well as its track record in actually producing new products.
- Technological position audit: This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".
Others describe the spectrum of IT audits with five categories of audits:
- Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
- Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
- Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
- Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
- Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.
And some lump all IT audits as being one of only two type: "general control review" audits or "application control review" audits.
A number of IT Audit professionals from the Information Assurance realm consider there to be three fundamental types of controls regardless of the type of audit to be performed, especially in the IT realm. Many frameworks and standards try to break controls into different disciplines or arenas, terming them “Security Controls“, ”Access Controls“, “IA Controls” in an effort to define the types of controls involved. At a more fundamental level, these controls can be shown to consist of three types of fundamental controls: Protective/Preventative Controls, Detective Controls and Reactive/Corrective Controls.
عملية تدقيق تكنولوجيا المعلومات
The following are basic steps in performing the Information Technology Audit Process:
- Planning
- Studying and Evaluating Controls
- Testing and Evaluating Controls
- Reporting
- المتابعة
الأمن
أمن تدقيق المعلومات is a vital part of any IT audit and is often understood to be the primary purpose of an IT Audit. The broad scope of auditing information security includes such topics as data centers (the physical security of data centers and the logical security of databases, servers and network infrastructure components),[2] networks and application security. Like most technical realms, these topics are always evolving; IT auditors must constantly continue to expand their knowledge and understanding of the systems and environment& pursuit in system company.
Several training and certification organizations have evolved. Currently, the major certifying bodies, in the field, are the Institute of Internal Auditors (IIA),[3] the SANS Institute (specifically, the audit specific branch of SANS and GIAC)[4] and ISACA.[5] While CPAs and other traditional auditors can be engaged for IT Audits, organizations are well advised to require that individuals with some type of IT specific audit certification are employed when validating the controls surrounding IT systems.[بحاجة لمصدر]
تاريخ تدقيق تكنولوجيا المعلومات
The concept of IT auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business.
Audit Personnel
المؤهلات
The CISM and CAP credentials are the two newest security auditing credentials, offered by the ISACA and ISC2, respectively. Strictly speaking, only the CISA or GSNA title would sufficiently demonstrate competences regarding both information technology and audit aspects with the CISA being more audit focused and the GSNA being more information technology focused.[6]
Outside of the US, various credentials exist. For example, هولندا has the RE credential (as granted by the NOREA [Dutch site] IT-auditors' association), which among others requires a post-graduate IT-audit education from an accredited university, subscription to a Code of Ethics, and adherence to strict continuous education requirements.
الشهادات المهنية
- Certified Information System Auditor (CISA)
- Certified Internal Auditor (CIA)
- Certification and Accreditation Professional (CAP)
- Certified Computer Professional (CCP)
- Certified Information Privacy Professional (CIPP)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified Public Accountant (CPA)
- Chartered Accountant (CA)
- Chartered Certified Accountant (CCA)
- GIAC Certified System & Network Auditor (GSNA)[7]
- Certified Information Technology Professional (CITP), to certify, auditors should have 3 years experience.
قضايا ناشئة
There are also new audits being imposed by various standard boards which are required to be performed, depending upon the audited organization, which will affect IT and ensure that IT departments are performing certain functions and controls appropriately to be considered compliant. An example of such an audit is the newly minted SSAE 16.
انظر أيضا
Computer Forensics
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
عمليات
- Helpdesk and incident reporting auditing
- Change management auditing
- Disaster recovery and business continuity auditing
- SAS 70
متفرقات
- XBRL assurance
- OBASHI The OBASHI Business & IT methodology and framework
مخالفات وأعمال غير قانونية
- AICPA Standard: SAS 99 Consideration of Fraud in a Financial Statement Audit
- Computer fraud case studies
المصادر
- ^ Richard A. Goodman; Richard Arthur Goodman; Michael W. Lawless (1994). Technology and strategy: conceptual models and diagnostics. Oxford University Press US. ISBN 9780195079494. Retrieved May 9, 2010.
- ^ "Advanced System, Network and Perimeter Auditing".
- ^ "Institute of Internal Auditors".
- ^ "The SANS Technology Institute".
- ^ "ISACA".
- ^ Hoelzer, David (1999–2009). Audit Principles, Risk Assessment & Effective Reporting. SANS Press. p. 32.
{{cite book}}
: CS1 maint: date format (link) - ^ "GIAC GSNA Information".
وصلات خارجية
- A career as Information Systems Auditor, by Avinash Kadam (Network Magazine)
- Federal Financial Institutions Examination Council (FFIEC)
- Information Systems Audit & Control Association (ISACA)
- Open Security Architecture- Controls and patterns to secure IT systems
- American Institute of Certified Public Accountants (AICPA)
- IT Services Library (ITIL)
Subscript text