Information Technology Auditing and

Information Technology Auditing and Security
Information technology (IT) auditors concern themselves with analyzing the risks associated
with computerized information systems. These individuals often work closely with financial
auditors to assess the risks associated with automated AISs—a position in high demand
because so many systems are now computerized. Information systems auditors also help
financial auditors decide how much time to devote to auditing each segment of a company’s business. This assessment may lead to the conclusion that the controls within some portions
of a client’s information systems are reliable and that less time need be spent on it—or
the opposite.
IT auditors are involved in a number of activities apart from assessing risk for financial
audit purposes. Many of these auditors work for professional service organizations, such as
Ernst & Young, PricewaterhouseCoopers, or KPMG. (See Figure 1-11 for a partial listing of
the types of services offered by Ernst & Young.)
IT auditors might be CPAs or be licensed as Certified Information Systems Auditors
(CISAs)—a certification given to professional information systems auditors by the
Information Systems Audit and Control Association (ISACA). To become a CISA,
you must take an examination and obtain specialized work experience. Many CISAs have
accounting and information systems backgrounds, although formal accounting education
is not required for certification. IT auditors are in more demand than ever today, in
part because of the Sarbanes-Oxley legislation, specifically Section 404, which requires
documenting and evaluating IT controls.