Updated: Jan 2
Simply put, IT auditing is a project development standard which strictly stipulates that every piece of data can be tracked, reviewed, and recorded, that upstream and downstream data can be verified, and that calculations can be deduced.
Q1. What is an IT audit?
IT auditing is information system auditing. It is carried out by a third party, the IT auditor, who is independent of the information system itself, of information system-related development, and of its users. IT auditors use objective standards to conduct a complete and effective inspection and evaluation of related activities and products such as information system planning, development, use, and maintenance. So you are already a person who "stands on the bridge and looks at the scenery", and you will have foresight in the industry you are in. In addition, due to the admission of third-party personnel for review, you will have more opportunities to accumulate a wide range of network resources as part of your own value enhancement.
Q2. What is CISA?
Certified Information Systems Auditor (CISA), also known as an IT Auditor, is an international certification of knowledge and skills related to Information Systems auditing, Information security, and Information Systems Control, granted by the Association for Information Systems Auditing and Control (ISACA).
Q3. What is the future development prospect of IT auditing?
①The market demand
As far as the macro market itself is concerned, more and more companies are beginning to use large databases, the Internet, big data, cloud computing, and IT systems to support their daily business activities, such as accounting systems, various company reports, internal HR systems, software development, source data management, etc. If it is a bank, then there are too many opportunities to use IT, for example funds, stock transactions, and foreign exchange transactions (at present, 99% of transactions are already automated, and there are fewer and fewer real manual operations).
②The development direction
The application of computers and databases will greatly reduce human errors, thereby further reducing costs and risks. This is a general trend and a general direction. There is a shortage of IT auditing talent in the United States. Everyone is discussing the importance of IT auditing, but few people understand it.
In the final analysis, all technological elements need human management, and this provides a very good platform for the IT audit profession. IT developers do not have a good concept of information security, which leads to many illegal operations. For example, there are still backdoors in online applications, and programmers can modify data at will, which leads to data leakage risks and data quality degradation. More and more companies realize that they need a group of people who understand IT + audit + business background to manage IT systems and provide independent audit opinions.
Q4. What is the logic of an IT audit?
①Two stages of the audit process
The stage of checking the effectiveness of the design of systems, procedures, and control measures.
The stage of checking the effectiveness of the implementation of systems, procedures, and control measures.
②ELC (entity level control) control
This checks whether the client's organizational structure for IT governance is reasonable and whether the written management system is sound. The specific audit procedure is to obtain the customer’s organizational chart and some relatively fictitious general written management systems, such as the "IT Management System".
③System development and changes
It refers to the control of system development and subsequent minor changes to the system. The specific audit procedure is to obtain management systems related to system development and changes. You can read books such as "System Development System" and "System Change Management System".
④Operating system and database control
This part checks specifically whether the operating system and database logins require a password; the auditor then takes a screenshot of the login interface as audit evidence to include in the audit manuscript, which is a fairly mindless step. The next step is to pull up some security configurations in the operating system and the database, such as whether a password change is forced once a month, and to check whether user rights management is based on role-based rights allocation, etc.
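The two password checks described above can be run against account data instead of a screenshot. This is an added example, not part of the original article; it assumes a Linux host, uses constructed entries in `/etc/shadow` format with invented account names, and treats "once a month" as 30 days.

```python
# Constructed sample in /etc/shadow format:
# name:hash:last_change:min_days:max_days:warn_days:inactive:expire:reserved
# Account names and values are invented for this example.
SAMPLE_SHADOW = """\
root:$6$constructed$hash:19700:0:30:7:::
appsvc::19700:0:99999:7:::
dba:$6$constructed$hash:19700:0:90:7:::
teller01:$6$constructed$hash:19700:0:30:7:::
nobody:*:19700:0:99999:7:::
"""

MAX_AGE_DAYS = 30  # "changed once a month", taken as 30 days (assumption)


def audit_shadow(text, max_age=MAX_AGE_DAYS):
    """Return (account, finding) tuples for the two password checks."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            findings.append((fields[0], "malformed entry"))
            continue
        name, pw_hash, max_days = fields[0], fields[1], fields[4]
        # A hash field starting with '*' or '!' means password login is
        # locked, so neither check applies to that account.
        if pw_hash.startswith(("*", "!")):
            continue
        if pw_hash == "":
            findings.append((name, "login does not require a password"))
            continue
        # An empty max_days field means the password never expires.
        if not max_days.isdigit() or int(max_days) > max_age:
            findings.append(
                (name, f"password change not forced within {max_age} days"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```
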
⑤Application system control
The focus is the same as the operating system and database. However, application systems are ever-changing. For example, the relatively large application systems in banks include integrated business systems (some called core business systems), international settlement systems, large and small amount systems, credit management systems, and so on.
But no matter how it changes, these systems have the same ITGC thinking, depending on the security configuration and user permissions.
⑥Interface control and information security
There will be interfaces between various systems, so the accuracy and integrity of data transmitted from one system to another must be guaranteed. Information security refers to looking at the systems related to network management, the structure of the firewall, whether the internal and external networks are separated, and so on.
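One way to test the accuracy and integrity of data passed across an interface is to reconcile what the source system sent against what the receiving system loaded. This is an added example, not part of the original article; the records are constructed, and it assumes each record carries a unique transaction id in its first field.

```python
import hashlib
from decimal import Decimal

# Constructed extracts: (transaction id, account, amount) as sent by the
# source system and as loaded by the receiving system.
SOURCE = [("T1001", "6222-01", "150.00"), ("T1002", "6222-02", "89.90"),
          ("T1003", "6222-03", "1200.00"), ("T1004", "6222-04", "45.10")]
TARGET = [("T1001", "6222-01", "150.00"), ("T1002", "6222-02", "98.90"),
          ("T1004", "6222-04", "45.10")]


def record_digest(record):
    """SHA-256 over the fields, joined with a separator not used in them."""
    return hashlib.sha256("\x1f".join(record).encode("utf-8")).hexdigest()


def reconcile(source, target):
    """Compare two extracts keyed on the transaction id (first field)."""
    src = {r[0]: r for r in source}
    tgt = {r[0]: r for r in target}
    source_total = sum(Decimal(r[2]) for r in source)
    target_total = sum(Decimal(r[2]) for r in target)
    return {
        # Completeness: record counts and which ids were lost or added.
        "count_match": len(source) == len(target),
        "missing_in_target": sorted(src.keys() - tgt.keys()),
        "unexpected_in_target": sorted(tgt.keys() - src.keys()),
        # Accuracy: control total and per-record digest comparison.
        "total_difference": source_total - target_total,
        "altered": sorted(k for k in src.keys() & tgt.keys()
                          if record_digest(src[k]) != record_digest(tgt[k])),
    }


if __name__ == "__main__":
    for check, value in reconcile(SOURCE, TARGET).items():
        print(f"{check}: {value}")
```
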