D.12 Policy on Conducting Information Technology Audits

A. Conducting Information Technology Audits

  1. PRIA has a responsibility to assess whether the Office’s information technology governance supports the organization's strategies and objectives.

  2. Information technology (IT) controls provide assurance related to the reliability of information and information services and help mitigate the risks associated with an organization’s use of technology. They range from corporate policies to their physical implementation within coded instructions; from physical access protection through the ability to trace actions and transactions to responsible individuals; and from automatic edits to reasonable analysis for large bodies of data.

  3. IT controls can also assist organizations in achieving broader business objectives such as regulatory compliance, cost containment, or market intelligence through the use of automated system controls, authorization checks, and exception reporting.

  4. Consequently, IT audit refers to any audit that encompasses wholly or partly the review and evaluation of IT controls in support of automated information processing systems, related manual processes, and the interfaces among them.

  5. IT auditors are expected to provide assurance on the internal control systems implemented through information technology.

  6. IT audit, as part of the overall internal audit process, is one of the facilitators for good corporate governance. For example, the range of IT audits can include IT governance, cybersecurity risk management, outsourced vendor management, data center disaster recovery planning, operating system or application security, wireless network change management, and project management audits.

B. Use of Information Technology for Auditing Purposes

  1. In PRIA’s exercise of due professional care, consideration is to be given to the use of technology based audit and other data analysis techniques.

  2. PRIA directors conducting information technology audits or using information technology must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

Last modified:
2018-03-02