
TIS3451/TSC2111 - 2015

Tutorial 1
Lecture 1 - IT Governance and Audit Overview
Article A - IT Auditor One of the Fastest Growing Careers
According to CareerProNews, IT auditor is one of the fastest growing career areas in IT.
Since the passage of information legislation, like Sarbanes-Oxley, IT audits have
increased, and so has the need for people to do them. Through IT audits, auditors help
organizations to comply with legislation.
An IT audit is basically the process of collecting and evaluating evidence of an
organization's information systems, practices, and operations. IT auditors look not only at
physical controls as a security auditor would, but they also look at business and financial
controls within an organization. These auditors do not actually implement any fixes as
they just offer an independent review of the situation.
Fred Roth, a senior consultant at a training institute, says he believes the demand for IT
auditors will continue for the next couple of years: "I talk to a lot of management from
companies in the U.S., Canada and Europe. The answers are always the same: they
cannot find enough good IT auditors."
So what does it take to be an IT auditor? CareerProNews says that Certified Internal
Auditor (CIA), Certified Information Systems Auditor (CISA) and Certified Information
Systems Security Professional (CISSP) certifications are becoming an absolute must for
IT auditors. Roth adds that IT auditors need to be qualified to audit the many different
aspects of IT such as systems, networks, databases, encryption, and the list goes on. They
also need to be proficient and stay current as the technology changes. This requires
ongoing training.
Author: Toni Bowers, Head Blogs Editor of TechRepublic
Article B - IT Auditor Works
A test IT auditors perform in evaluating IBM's Application System 400 (AS/400) is to check
user profiles. The AS/400 ships with seven preconfigured user profiles and a default password
for each of them. These profiles grant special privileges to users who work with the system,
such as the system operator and the security officer.
The default password is the same as the user name, i.e., for security operator both are
QSYSOPR. One of the tests the IT auditor will want to do is to make sure management has
changed the default passwords. To test this, the auditor tries to sign on using QSYSOPR as
the sign-on and password. If it works, then obviously the defaults are still operational and any
user with this knowledge would be able to access most resources in the system. An
alternative to trying to log in with defaults is to run the ANALYZE DEFAULT PASSWORDS
command.

1. What are the types of work done by IT auditors?

support financial audit
provide third party assurance
Assessing risks and monitoring controls over those risks

2. What are the IT Audit objectives?

to improve safeguarding of assets (data, hardware, ...)
to improve data integrity
to improve system effectiveness & efficiency

3. What are the two objectives of IT Governance? In what way does IT Audit relate to
IT Governance?
to enable business processes
to manage and control IT related risks
IT audit relates to IT governance by measuring the performance of IT
activities to ensure the objectives are related to the requirements.

4. What are the impacts Information Technology (IT) has on organizations? Provide an
organization as an example, and discuss the impacts on this organization.
Organization: CIMB Bank
IT can impact the level of adoption of internet banking among customers.
+ helps users to execute transactions and creates awareness of their responsibilities
outlined by the bank.
- lack of trust and privacy that obtain distribution or non-authorised use of personal
information.
5. How does an IT Audit relate to Financial Audit?

6. IT auditors often have technical skills related to specific software. One such software
specialization area is Enterprise Resource Planning (ERP) applications. How could an IT
auditor acquire and maintain knowledge about auditing one of these
applications?

7. CISA is the most common credential obtained by IT auditors. How would this certification
add value for someone practicing IT auditing?
IT auditors are qualified to audit IT aspects, like databases, networks, systems.
They are usually proficient and stay up to date with IT knowledge from time
to time.
