Auditors are highly trusted individuals in the organization and should therefore uphold ethical values and morals in their firms. There are ethical considerations and requirements that must be considered when conducting an IT audit. Foremost, the internal auditor should be in compliant with the standards and controls accompanying the information systems. The internal auditor should also work honestly and lawfully in the best interest of stakeholders and uphold high ethical conduct. The audit should also be carried with due diligence and care. The auditor should also maintain confidentiality in the auditing process unless stated otherwise by lawful authority. The internal auditor should also present results of the work done for evaluation and factual evidence.
The purpose of professional standards in IT auditing ensures that any respective auditing is carried out with respect to the stipulated guidelines that are part of the goals and objectives. Professional standards are important in IT auditing. These standards are beneficial because they provide the guidelines and procedures to carry out an audit. The standards also provide the regulations to be adhered to while performing an audit. They serve as the conditions to be followed by auditing professionals. They enhance an auditor’s ability in technical skills that assist them to comprehend and disseminate technical information. Furthermore, professional standards determine if an auditor has enough experience in the line of work.
Performance measures are highly essential in the area of application development in the organization. Foremost, it would be beneficial to provide the audit results conducted on the application development. Secondly, it would be important to compile a list of the appropriate documents or activities involved in the commencement of the program. Thirdly, the stakeholders should be provided with adequate information regarding the application development program. By employing the above measures, the CIO will be compelled to know the risks that affect the program and thus assist them in developing mitigation strategies through the audit findings. The CIO will also be able to identify the period and costs incurred by knowing the activities involved in developing the application development. Furthermore, by providing adequate information regarding the application development program to the stakeholders, performance of IT governance can be enhanced since stakeholders will be able to make professional decisions regarding the program.
The designed control procedure for monitoring the weekly security access control is not an appropriate for the auditors. This is because the IT Audit director will be directly undermining the professional standards of the auditors. Audit professionals should be independent and objective. Furthermore, the IT Audit director should also maintain independence. Professional standards dictate that auditors are trusted persons dye to the level of professionalism that should be exercised in their tasks and activities in auditing. Therefore, if the IT audit director monitors the security controls, it is correct to conclude that the director is not adhering to the stipulated professional standards and will therefore alter the stakeholders’ acuity on independence.
The COBIT framework can be utilized to develop the operations in IT and can be used by auditors to assist in the presentation of a definite audit. The framework can be used to provide guidelines on the design of controls and provide recommendations to the management. By analyzing controls, the framework is able to improve the controls by evaluating precise IT procedures. COBIT can also assist the auditors to provide suggestions to the IT procedures in terms of improvement.
By reviewing the Federal Financial Institutions Examination Council (FFIEC) Guidance related to outsourcing, the framework assisted in providing additional recommendations to assist BDI further strengthen their third party vendor management outsourcing process. One recommendation advocated for the BDI is the consideration and functioning of the Business Continuity Plan, which will assist in the continuation of business operations during interludes of high risks. Another recommendation would be emphasizing new technology in terms of the goals and objectives specified by the BDI.
Performance measures are also indispensable in the area of IT security in the organization. An example of a performance measure would be deducing the number of workstations in compliance with virus detection policies. The importance of this measure serves as an important factor in risk management. By knowing the work bases affected or unaffected by virus, the CIO is able to determine risk avoidance or counteraction strategies that will enable the workstations to be safe from the viruses, thus improving IT governance.
The designed control procedure for monitoring the weekly change control is not appropriate for the auditors. This is because auditing professionals must remain independent and objective. Therefore, any action to monitor their control by the IT Audit Director is infringement on the professional standards of auditors, which advocates for independence and objectivity to minimize bias related to the auditors’ findings and encourage privacy of information as adherence to ethical standards.
IT auditors are largely responsible for the decisions an organization makes. Auditors provide independent and objective findings that management relies on as advisory measures for decision-making. Therefore, management of risks is a factor that is supposed to be well understood by auditors. In order for the auditors’ findings to be valuable to the management, the recommendations specified must be directly related to the company’s risk profile and business strategies. For instance, improvement of design controls for the company should be recommended for companies with high-risk profiles while a company with a low risk profile will be recommended to incorporate a less complex control structure lest it slows down the business.