| Information technology (IT) auditing collects and | | | | IT auditing became especially prioritized in the |
| evaluates data pertaining to an IT infrastructure. An IT | | | | aftermath of the Equity Funding Corporation of |
| audit may augment a financial audit, but it is specifically | | | | America scandal of 1973, when former EFCA |
| designed to test the IT infrastructure's accuracy, | | | | employee Ronald Secrist and analyst Ray Dirks |
| efficiency, and security. Though around since the | | | | reported that the Los Angeles company-which sold |
| 1960s, IT audits have become especially important in | | | | mutual funds and life insurance-was guilty of |
| the 21st century, when so much of a business's activity | | | | widespread and organized accounting fraud. At least |
| is conducted or assisted electronically. | | | | 100 employees since 1964 had been guilty of deceiving |
| The first IT audits were necessitated by the use of | | | | investors and the government, and that deceit included |
| electronics in accounting systems. Early computers did | | | | a computer system devoted to the forgery of |
| little more than that-compute-and the combination of | | | | insurance policies for fictitious policyholders. |
| their expense with their extraordinarily narrow focus of | | | | Determining the extent of the fraud, of course, meant |
| applications meant that they were adopted slowly. | | | | auditing the computer system, as well as all others in |
| Though General Electric used a computerized | | | | use by the company-a process that took over two |
| accounting system in 1954, computer use was a highly | | | | years. Similarly, in the wake of the 21st-century |
| specialized skill, and early input methods (such as | | | | accounting scandals, the Sarbanes-Oxley Act of 2002 |
| punch cards or paper tape) were tedious to | | | | was passed, establishing stricter standards for public |
| error-check. | | | | company boards and public accounting firms-with a |
| With the development of specialized office computers | | | | greater emphasis on IT audits. |
| in the 1960s and the shift toward developing | | | | There are five categories of IT audits: |
| computers for people who did not work on them for a | | | | Systems and Applications audits test the input, output, |
| living, larger businesses began to integrate computers | | | | and processing at all levels of the company's systems |
| into some of their accounting procedures, especially | | | | and applications. |
| data storage (such as to keep track of inventory or | | | | Information Processing Facilities audits test the control |
| reservations) and handling large amounts of | | | | of the processing facility under normal and disruptive |
| complicated information. The first IT audits were | | | | conditions. Systems Development audits examine the |
| therefore electronic data processing (EDP) audits, | | | | systems under development to make sure that they |
| doublechecking the accuracy of the software | | | | meet the company's objectives and standards. |
| systems in use at a business and the data entered | | | | Management of IT and Enterprise Architecture audits |
| into and derived from them. | | | | examine the organizational structure and procedures in |
| This led to the development of specialized accounting | | | | use. |
| software, and in 1968 the American Institute of | | | | Client/Server, Telecommunications, Intranets, and |
| Certified Public Accountants helped formalize EDP | | | | Extranets audits focus on networking issues, an area |
| audits, keeping them at the rigorous standards | | | | where there is particular concern with staying current |
| employed by financial audits. The Electronic Data | | | | in security protocols. |
| Processing Auditors Association (EDPAA) was | | | | Information technology changes rapidly, as does its |
| formed shortly thereafter, for the growing number of | | | | position in the process of doing business. IT auditors, |
| accountants who specialized in EDP audits. EDPAA | | | | though they may be CPAs, are generally more versed |
| has since (in 1994) changed its named to the | | | | in information systems, with a general understanding of |
| Information Systems Audit and Control Association, | | | | accounting principles, because the accounting |
| and publishes CobiT-Control Objectives for Information | | | | component of their job is the more static ingredient in |
| and related Technology, the widely accepted list of | | | | the mix, while the ramifications, security concerns, and |
| standards and objectives in IT audits. | | | | potential for misuse of technology are always in flux. |