Over the past few decades, the use of Information Technologies (IT) has become extremely prevalent (Kayrak, 2014). Many sectors, including private and public institutions, are increasingly adopting IT in their operations, driven by the need to improve efficacy and effectiveness.
Nonetheless, the embracing of IT in the management of information in the public and private sectors raises numerous concerns pertaining to the security, confidentiality, reliability, and integrity of information (Kayrak, 2014; Wongpinunwatana & Panchoo, 2014; Héroux & Fortin, 2013).
Furthermore, the failure of companies to carry out IT auditing has in the past proved disastrous, leading to great losses and even the collapse of firms (Weiss & Solomon, 2011). Therefore, it is of paramount importance for sectors that adopt IT to carry out regular IT audits.
It is generally agreed that IT auditing is a function of accounting since it independently examines and assesses operation systems and records while evaluating “organization’s internal policies and activities” (Weiss & Solomon, 2011, p. 6).
IT auditing is broadly categorized into organizational, compliance, application, and technical auditing (Weiss & Solomon, 2011). This paper presents research on IT compliance auditing. IT “compliance auditing pertains to ensuring that specific guidelines, laws, or requirements have been met” (Weiss & Solomon, 2011, p. 7).
IT compliance auditors, therefore, are concerned with testing or evaluating whether IT controls are designed in accordance with management policies and set procedures. In IT auditing, compliance is based on internally set procedures and guidelines, or on externally established regulations, with which IT infrastructure should be in line to enhance effectiveness and efficacy while preventing information-related security breaches (Kayrak, 2014; Weiss & Solomon, 2011).
According to Kayrak (2014), IT is increasingly becoming a central aspect of organizational operations and, therefore, information management is vital. He noted that annual global investments in IT go beyond $3.6 trillion and are likely to increase drastically in the future. Nonetheless, data breaches continue to be major sources of concern for both public and private institutions. Furthermore, the increasing levels of noncompliance affect all countries regardless of the level of their development.
The findings of his study on the Turkish Court of Account revealed that the levels of IT compliance were extremely low. A major part of his recommendations included the need for IT audit methodologies that incorporate SAI (supreme audit institution) guidelines as well as internationally accepted standards. Therefore, IT audit methodologies should incorporate both compliance testing and substantive testing. IT compliance, according to the definition in his paper, pertains to the adherence of an organization to laws, regulations, and contractual arrangements (externally imposed criteria) and to internal policies.
IT compliance audits, therefore, are carried out on IT infrastructures to test their compliance with set guidelines. There are various IT auditing bodies with different auditing guidelines. As such, compliance audits are based on specific and generally agreed guidelines. The Turkish courts, which were the subject of his study, could adopt specific guidelines to enhance effectiveness and the ease of IT compliance audits.
He suggested, among others, the TCA guidelines as the source of external compliance that Turkish public organizations (Turkish courts) should adopt. The TCA guidelines adopt a three-step procedure that includes audit planning, assessing system control, and monitoring audit results. IT compliance auditors should adhere to these procedures to enhance competence and effectiveness in checking the courts’ compliance (Kayrak, 2014).
According to Nkwe (2011), the increasing impact of IT in auditing and the need to manage information have driven the evolution of IT auditing from Electronic Data Processing (EDP) auditing to the current sophisticated methods. Besides, noncompliance has resulted in accounting scandals that have had adverse effects on organizations (Nkwe, 2011). In the developing world, where IT-based accounting is still relatively new, computerized accounting information systems (CAIS) are more prone to manipulation than traditional manual accounting. Therefore, adopting IT auditing requires high levels of internal and external compliance to protect organizations from risk.
The study revealed that audit firms have not yet fully developed IT auditing and are still establishing IT auditing departments (Nkwe, 2011). In addition, few organizations have adopted internal policies and frameworks, and those that have are still striving to be compliant. Nkwe (2011) suggests that IT auditing should be adopted fully, as opposed to the current partial adoption. His paper uses Botswana, a developing country, as its case and focuses on (among other IT-related issues) IT auditing and levels of compliance in private and public institutions. He notes that Botswanan organizations are increasingly adopting and depending on IT-based operations.
However, great concerns arise from the fact that IT audits, including infrastructural compliance audits, are yet to be properly established, exposing organizations to IT-related breaches and information management risks.
Demonstrating the lack of readiness for IT compliance audits in Botswana, Nkwe (2011) revealed that major audit firms such as KPMG, Ernst & Young, and Deloitte are yet to put in place effective IT auditing departments. In addition, the Institute of Internal Auditors in Botswana is endeavoring to adopt improved IT auditing (Nkwe, 2011). Without properly established IT audit departments, carrying out compliance audits is hampered.
It is worth noting that when Nkwe’s (2011) study was done, ineffective organizational frameworks and a lack of research hindered IT auditing. Nkwe (2011) noted that little academic research on IT auditing had been done in Botswana and, therefore, IT compliance audits could not be carried out effectively.
Moreover, Nkwe (2011) noted that globally, IT auditing has become a significant aspect of general auditing and is likely to take over auditing in the near future. Botswana and other developing countries should ensure that IT auditing is effectively adopted.
Security issues are major concerns that deter many public and private organizations from adopting some IT-related operations such as cloud-computing services (Rasheed, 2014). One of the major concerns in the developed countries is the absence of mechanisms for auditing some aspects of IT operations. Rasheed (2014) investigated IT auditing issues in cloud computing environments, with particular attention to compliance with auditing requirements and to infrastructural security. He found that IT infrastructure security compliance has been a major concern for many information users. Some of the infrastructure domains that need constant compliance auditing include the user domain, workstation domain, LAN domain, WAN domain, and remote access domain.
Rahman et al. (2014) observed that information management is vital. The study also noted that IT compliance audits have specific goals that differ from performance auditing.
The need for IT compliance audits
Managing information is a vital aspect of the private and public sectors. As such, IT auditing is essential to ensure smooth operations while preventing problems with information security, reliability, and integrity. In addition, IT auditing is vital in ensuring that confidential information is not leaked to unauthorized people.
Understanding the need and the meaning of IT compliance
IT compliance auditing is a central part of IT auditing, which involves determining whether companies follow set guidelines pertaining to integrity in information systems. The term compliance has varied definitions (different organizations and industries have their own ways of defining and viewing what is and what is not compliant) (Weiss & Solomon, 2011). Nonetheless, IT compliance can be categorized into two broad groups: external and internal compliance. An internally compliant company adheres to its own rules (set based on its policies), while an externally compliant firm is able to demonstrate the desire/need to adhere to guidelines set by external organizations (Weiss & Solomon, 2011).
Companies that do not comply with internally or externally set rules are exposed to huge risks. Cases of noncompliant companies collapsing are evident. Companies such as Enron and WorldCom faced financial fiascos leading to huge revenue losses and insolvencies due to internal and external noncompliance (Kayrak, 2014).
IT noncompliance exposes companies’ confidential information to unauthorized users and can lead to huge damages. For instance, TJX Companies, Inc. had various IT compliance breaches, including “failure to maintain proper security control, specifically citing lack of firewalls, wireless security, failure to patch vulnerabilities, and failure to update antivirus signatures” (Weiss & Solomon, 2011, p. 15). The IT noncompliance made the TJX stakeholders vulnerable, leading to what is considered one of the biggest credit card breaches.
Weiss and Solomon (2011) categorize the repercussions of noncompliance as follows:
- Court fines and imprisonment.
- Legal fees resulting from infringement contained within set regulations.
- Brand damage and lost revenue as consumers abandon a business/organization.
- Negative effect upon stock price, hurting shareholder value.
- Increases in cost of capital.
It is evident, thus, that noncompliance has huge consequences that can adversely hurt both public and private organizations. Therefore, firms should constantly carry out IT compliance audits to ensure that vulnerabilities are identified and addressed.
IT compliance audit guidelines, procedures, and rules
Compliance guidelines are similar to the overall IT audit guidelines, which according to Kayrak (2014) are “aimed at guiding the auditors on how an IT audit is planned, performed, and reported” (p. 18).
In carrying out an IT compliance audit, compliance auditors should begin by understanding the organization, the established IT system, and its implications for information management. Further, risk assessments, determination of audit strategies, and the preparation of audit programs should be done during the initial stages of the compliance audit. The second phase of the compliance audit should comprise system control assessments.
The auditors should check how compliant the firm’s control systems are with the set rules and procedures. The effectiveness of the control systems should be a key area of focus. The last stage of the IT compliance audit involves the reporting of the audit findings. Responsibility for noncompliance should be attributed to the relevant individuals in the noncompliant units when the IT compliance results are reported.
It is worth understanding what compliance auditors base their activities on and what the regulatory requirements are for a firm to be IT compliant. In the US, for instance, the regulatory requirements are set across different geopolitical levels comprising the state, federal, and international jurisdictions (Weiss & Solomon, 2011). Therefore, firms and organizations should check their levels (using legal guidance where necessary) to understand which regulations are pertinent and applicable.
Moreover, Weiss and Solomon (2011) indicated that organizations rely on different avenues, including the texts of laws, administrative codes, external/internal auditors, industry associations, and third-party guidelines, to check on IT compliance. For the US federal government, Weiss and Solomon (2011) showed that the Federal Information Security Management Act, the US Department of Defense requirements, and other legislative acts provide detailed compliance guidelines on which IT compliance auditors should base their actions when auditing government institutions.
Internationally, IT compliance audits rely on country or region based guidelines, as international IT audit bodies do not provide globally acceptable, comprehensive, and exhaustive guidelines (Kayrak, 2014).
In Europe, for example, IT compliance auditors rely on the provisions of the European Court of Auditors and the National Audit Office of the United Kingdom, which do not have exclusive IT guidelines, unlike the US, which provides purely technical IT auditing requirements.
The future of IT compliance audits
Studies have revealed that information management is critical and can make organizations succeed or collapse (Héroux & Fortin, 2013; Weiss & Solomon, 2011; Nkwe, 2011; Bani-Ahmad & Dalabeeh, 2014). Public and private organizations, therefore, are working hard to ensure that their IT infrastructures are compliant with the necessary guidelines to avoid information breaches.
Cyber-crimes and cases of information mismanagement are in increasing trends (Weiss & Solomon, 2011). Companies and government institutions, therefore, should find better ways of ensuring that confidential information does not reach unauthorized people.
In attempting to improve information security, IT audit firms are likely to invest in research and development in the future. Therefore, IT compliance audits are likely to be more prevalent and more widely embraced by organizations in the future (Nkwe, 2011). Additionally, more stringent guidelines are likely to guide future IT auditors, making IT compliance audits more effective.
The significance of IT compliance audits is becoming increasingly apparent. Many organizations, including institutions in the private and public sectors, are embracing IT-based operations. As such, information is becoming more important and, therefore, mismanagement of information increasingly raises security issues.
IT compliance audits are guided by various auditing guidelines with various countries adopting specific regulatory frameworks. Moreover, organizations are adopting internally and externally set guidelines to audit the compliance of their IT infrastructure.
Some of the IT infrastructure domains that increase information security vulnerability include the user domain, workstation domain, LAN domain, WAN domain, and remote access domain. Compliance issues still raise concerns in many countries regardless of their levels of development. Lack of preparedness, insufficient research, insufficient legal knowledge, and the lack of clarity on compliance guidelines are some of the major issues that increase noncompliance. Cyber-crime and information security breaches are on increasing trends, creating a need for research and development in IT auditing.
- IT compliance auditors should uphold the highest levels of professionalism and demonstrate competence, since what they do is extremely critical to the survival of organizations.
- The private and public sectors should invest in IT auditing, including auditing for compliance.
- More research should be done on IT auditing to counter the escalating cases of information insecurity and cyber-crime. Developing countries should carry out more academic research to fill the existing IT audit and compliance related knowledge gaps.
- International IT auditing guidelines should be clearer, comprehensive, and up-to-date to enhance compliance auditing.
- All organizations should treat IT compliance audits as a vital and pertinent part of auditing.
Bani-Ahmad, A. A., & Dalabeeh, A.-R. K. (2014). The Effect of Applying the Information Technology Audit Standard # 21 on the Risk Related to ERP System in the Jordanian Companies. Global Journal of Management and Business Research: Accounting and Auditing, 14(1), 24-32.
Héroux, S., & Fortin, A. (2013). The Internal Audit Function in Information Technology Governance: A Holistic Perspective. Journal of Information Systems, 27(1), 189-217. Web.
Kayrak, M. (2014). Information Technology Audit and the Practice of the Turkish Court of Account. Alphanumeric Journal, 2(1), 13-22.
Nkwe, N. (2011). State of Information Technology Auditing in Botswana. Asian Journal of Finance & Accounting, 3(1), 125-137. Web.
Rahman, A. A., Al-Nemrat, A., & Preston, D. (2014). Sustainability in Information System Auditing. European Scientific Journal, 3, 458-472.
Rasheed, H. (2014). Data and Infrastructure Security Auditing in Cloud Computing Environments. International Journal of Information Management, 34(3), 364-368.
Weiss, M., & Solomon, M. G. (2011). Auditing IT Infrastructures for Compliance. Burlington, Massachusetts: Jones & Bartlett Learning.
Wongpinunwatana, N., & Panchoo, P. (2014). Creating Self-Efficacy In Internal Auditors For Information Technology Audits: An On-The-Job Training Perspective. International Journal of Management & Information Systems (IJMIS), 18(3), 213-222.