1 Introduction

Modern technology introduces new questions. For instance, how do we know that answers generated by algorithms are fair, and whether complex systems are sufficiently resilient to cyberattacks? These questions are extremely relevant for managers and supervisors of organizations, as they must be able to account for their choices. Boards of Management and other stakeholders have various alternatives for having these questions answered, including asking IT auditors. IT auditors provide consultancy; however, they will often be invited to provide assurance regarding high-risk and high-impact issues. Assurance concerns trusted advice. Auditing nevertheless differs from consultancy: it is primarily focused on investigating whether generally accepted IT auditing standards apply to the auditing object, whereas consultancy seems more focused on making recommendations and may be based primarily on prior experience in other engagements. Furthermore, IT auditors will also include societal relevance in their assessments and take the consequences for other stakeholders into account.

IT auditing concerns the independent assessment of the quality of information technology, being, infrastructure, applications, processes, data, and governance. Quality includes many characteristics and is not only about integrity, availability, and security, but also includes fairness. In addition, the effectiveness and efficiency may also be assessed. This makes IT auditing an important instrument to identify and control IT-related risks, when developing and applying digital solutions. IT auditing concerns the following entities:

  1. Object of auditing—investigating whether the object is suitable for investigation.
  2. Auditing criteria and methodology—investigating which criteria are suitable for this particular object and which methodology should be applied.
  3. Client—investigating whether the person granting the audit is authorized to do so.
  4. Auditor—investigating whether the persons performing the audit are capable of doing so.

Auditing standards are controlled by standardization bodies, namely the Auditing Standards Board (ASB), the International Auditing and Assurance Standards Board (IAASB), which is supervised by the International Federation of Accountants (IFAC), and the US-based Public Company Accounting Oversight Board (PCAOB). The above four entities are further discussed in the following sections.

2 Object of Auditing

IT auditing targets information systems, which typically include components such as hardware, communications, software, data, procedures, and staff. Together, these components fulfill certain functionality, and this functionality is able to fulfill increasingly complex tasks. Because technology keeps developing, we may also expect increasing use and complexity in the decade ahead. Audits therefore require careful scoping of the auditing object, because including all components of all information systems will commonly be uneconomical. Risk/impact assessments form the basis of this scoping: what is the likelihood of misstatements and their associated impact, and consequently which information systems require investigation and which ones are out of scope?

Auditors apply the following audit risk model:

$$ \mathrm{AR}=\mathrm{IR}\times \mathrm{CR}\times \mathrm{DR} $$

In the above formula, AR represents the acceptable audit risk. IR represents the inherent risk associated with the audit object (business and/or technology). CR represents the control risk: the risk that internal procedures fail to detect misstatements; for instance, the CR in a blockchain should be close to zero. DR represents the detection risk: the risk that errors which are not prevented by internal procedures are also not detected by the auditor.

Audits require a comprehensive overview of the information function of the organization and associated risk/impact assessment. The information function includes (Romney & Steinbart, 2018):

  1. The information systems and associated data (IS).
  2. The information technology supporting the information systems (IT).
  3. The organization supporting both information systems and information technology (IM).

In modern organizations, there is an abundance of auditing objects for IT auditors, and these audits are definitely not restricted to systems supporting financial reporting. Auditability also requires viable and working control measures. Even the most basic information systems become error prone in notoriously unprofessional environments. As the complexity of information systems increases, more and more control measures are required.

3 Auditing Criteria and Methodology

As mentioned before, in modern organizations there is an abundance of auditing objects, and audits are definitely not restricted to systems related to financial reporting. The applied audit methodology should address all relevant system quality characteristics. Common risk categories include:

  1. Confidentiality—unauthorized disclosure is prevented and external regulatory requirements are met.
  2. Processing integrity—data are processed flawlessly, completely, and timely, and only with proper identification and authorization.
  3. Availability—ensuring that legitimate users are offered continuous access, also in case of contingencies.

In practice, IT auditors may apply an extensive set of methods to assess their object of study (if appropriate), such as ISA3000 for financial controls, ISO2700x for operational system controls, COBIT for IT governance controls, and PRINCE2 for system development controls.

The emergence of self-learning systems challenges the existing auditing methods. As long as the algorithm training phase can be discerned from the operational phase, one should be able to scope auditable components of both the self-learning and the operational system. The additional complexity is primarily caused by the unpredictability of the environment of the system and, therefore, of the interaction between the self-learning system, the operational system, and the environment. For instance, a self-driving car would probably be auditable if its driving were restricted to predetermined isolated roads, but not in every traffic situation and every weather condition. In such a case, the car requires automated controls that hopefully prevent haphazard behavior, or stop the car under certain conditions. Such automated control systems could again be subject to auditing. Auditing always concerns historic data.

In continuous auditing, technology is used to continuously monitor exceptions and inconsistencies. Subsequently, the recovery from these exceptions is built into the overall system, comparable to fault-tolerant systems.
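The following is an added illustration of the continuous-auditing idea just described; it is not code from the chapter or from any project it cites. It assumes a hypothetical ledger in which each posting carries a sequence number, a preparer, an approver, and an authorization id (all constructed sample data), and applies three control rules continuously: every posting must be authorized, preparer and approver must differ (segregation of duties), and sequence numbers must be contiguous. Records that fail a blocking rule are held back rather than posted, which is the recovery step the text compares to fault-tolerant systems; a sequence gap is logged for follow-up but does not block the record that reveals it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Txn:
    """One ledger posting (hypothetical record layout, constructed for this example)."""
    seq: int
    amount: float
    prepared_by: str
    approved_by: Optional[str]
    auth_id: Optional[str]


@dataclass(frozen=True)
class Finding:
    """An exception raised by a control rule against a specific posting."""
    seq: int
    rule: str
    detail: str


# Rules whose failure prevents the record from being posted; a sequence gap
# is evidence about a *missing* record, so it is logged but not blocking.
BLOCKING_RULES = {"authorization", "segregation_of_duties"}


def check_txn(txn: Txn, expected_seq: int) -> List[Finding]:
    """Apply the control rules to one posting and return all exceptions found."""
    findings: List[Finding] = []
    if txn.seq != expected_seq:
        findings.append(Finding(txn.seq, "sequence",
                                f"expected seq {expected_seq}, got {txn.seq}"))
    if not txn.auth_id:
        findings.append(Finding(txn.seq, "authorization",
                                "posting carries no authorization id"))
    if txn.approved_by is None or txn.approved_by == txn.prepared_by:
        findings.append(Finding(txn.seq, "segregation_of_duties",
                                f"prepared and approved by {txn.prepared_by!r}"))
    return findings


def monitor(records: List[Txn], start_seq: int = 1) -> Tuple[List[Txn], List[Finding]]:
    """Run the rules over a stream of postings.

    Returns (posted, findings): postings that passed every blocking rule, and
    every exception raised, including non-blocking sequence gaps.
    """
    posted: List[Txn] = []
    findings: List[Finding] = []
    expected = start_seq
    for txn in records:
        found = check_txn(txn, expected)
        findings.extend(found)
        if not any(f.rule in BLOCKING_RULES for f in found):
            posted.append(txn)
        # Resynchronize on the sequence actually seen so one gap is reported once.
        expected = txn.seq + 1
    return posted, findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count exceptions per rule, the figure an auditor would track over time."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample stream: record 2 violates segregation of duties, record 4
# is preceded by a gap (seq 3 never arrived), record 5 is unauthorized and
# self-approved.
SAMPLE_RECORDS = [
    Txn(1, 100.0, "alice", "bob", "A-1"),
    Txn(2, 250.0, "alice", "alice", "A-2"),
    Txn(4, 75.0, "carol", "bob", "A-4"),
    Txn(5, 30.0, "bob", "bob", None),
]

if __name__ == "__main__":
    posted, findings = monitor(SAMPLE_RECORDS)
    print("posted:", [t.seq for t in posted])
    for f in findings:
        print(f"seq {f.seq}: {f.rule}: {f.detail}")
    print("summary:", summarize(findings))
```

On the constructed stream the monitor posts records 1 and 4, holds back records 2 and 5, and reports one sequence gap, so the per-rule summary is what a continuous-auditing dashboard would surface to the auditor between engagements.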

Audit methodology also includes the audit process: the systematic engagement of clients, their possible acceptance, confirmation through the engagement letter, and establishment of an audit plan. Such an IT audit plan includes a basic understanding of the organization and its information function, risk assessment, definition of the control objectives, a test plan (building/execution), and evaluation of findings. Subsequently, the audit findings are reported to the client.

The increasing complexity of systems often requires new audit methodology, for instance, criteria for self-learning systems. The common risk categories, being confidentiality, integrity, and availability, remain relevant; however, the impact of a particular category might change. For instance, confidentiality in blockchains differs from that in traditional trading platforms.

4 Clients

Being audited requires genuine commitment from organizations, because they should disclose all necessary information regarding the object of study and facilitate the consultation of employees and/or site visits. Such commitment can only be given by those who represent the ownership of the organization. Normally, this concerns the board of management, the audit committee, or the board of supervisors. Furthermore, IT auditors should also include societal relevance and ethical considerations in their deliberations and avoid audits that may be harmful to society.

Modern technology introduces additional problems regarding the identification of the client. For instance, who has the role of the client in a blockchain with distributed ownership? Some AI-based algorithms may not be equally beneficial to all relevant stakeholders and there is scarce information about degrees of societal acceptance or acceptable categories of inequality.

5 Auditors

From auditors we expect that they work on the basis of a common body of knowledge, and conclusions should be independent of the person performing the audit. This requires state-of-the-art technical, legislative, and organizational knowledge, as well as critical reflection on proprietary expertise. Auditors should be objective, of integrity, competent, and maintain confidentiality.

Given the complexity of information systems and organizations, being an auditor requires a profound basic education accompanied by lifelong permanent education. This basic education should in our opinion include a relevant master of science degree, because the scientific approach to learning and the accumulation of knowledge remains a prerequisite in such a complex and dynamic domain. Graduates should also be able to further develop the existing IT auditing body of knowledge. Currently, the entry-level education differs per country; however, we expect these requirements to homogenize. Similar to other critical professions, such as the medical profession or architecture, IT auditors need to complete a certain supervised working period. Advanced work areas typically require continuous training. To organize professional standards and also control the adherence of auditors to these standards, governments should facilitate IT auditing communities. In the Netherlands, for instance, IT auditors require an accredited part-time IT auditing university degree and at least 3 years of relevant practice. Becoming an auditor could also be considered an audit itself and should, therefore, be transparent and controllable. This includes a professional association with mandatory ethical and quality control standards and the possibility to dispute professional issues.

Advanced technologies require comprehensive advanced technology knowledge of the IT auditor. In order to obtain this knowledge, the IT auditor should enroll in relevant courses or partner with more experienced auditors.

The four key entities of IT auditing described in this chapter, and their key characteristics, are illustrated in Fig. 1.

Fig. 1 Primary IT auditing entities. Four circles placed at the four ends of a cross, labeled methodology, client, object of audit, and auditor.

6 Conclusions

IT auditors provide assurance regarding the quality of information systems, and technology allows these information systems to become increasingly complex. These complex information systems also increasingly interact independently with their environment. Examples are complex web services, self-driving cars, and unsupervised digital currencies, such as Bitcoin. Managing the quality of these complex information systems requires additional incorporated control measures; Bitcoin is a meritorious example of a system that includes advanced operational controls for trading integrity. As such, one could say that many system developers are increasingly performing some IT auditing tasks, and contemporary information systems often include more functionality to control their quality than they encompass core functionality. Additionally, there is also a growing need for a truly independent IT auditor who balances risk and control measures and provides assurance regarding their adequacy.