（2004）Audit and Review：Its Role in Information Technology.pdfVIP

AU2032_C02.fm Page 29 Tuesday, February 3, 2004 9:54 PM A Foundation for IT Audit and Control Chapter 2 Audit and Review: Its Role in Information Technology For the information technology (IT) manager, or any manager, the words “audit” and “auditor” send chills up and down the spine. Yes, the auditor or the audit has been considered an evil that has to be dealt with by all man- agers. In the IT field, auditors in the past had to be trained or provided ori- entation in IS Concepts and Operations in order to evaluate IT practices and applications. IT managers cringed at the auditor’s ability to effectively and efficiently evaluate the complexities and grasp the issues. Exhibit 1 lists the top 10 reasons for the start of IT auditing.1 In today’s environment, organizations must integrate their IT with busi- ness strategies to attain their overall enterprise objectives, get the most value out of their information, and capitalize on the technologies available to them. Where IT was formerly viewed as an enabler of an enterprise’s strategy, it now is regarded as an integral part of that strategy to attain profitability and service. As computerized applications are penetrating nearly all business func- tions and processes, organizations are mixing hardware platforms from dif- ferent vendors with a combination of commercially available software and in-house developed software. Issues such as IT governance, international information infrastructure, E-commerce, security, and privacy and control of public and enterprise information have driven the need for self-review and self-assurance. As a result, business risk increases. IT auditing is needed to evaluate the adequacy of information systems to meet processing needs,