IT auditing and controls – Auditing organizations, frameworks and standards

Kenneth Magee
May 24, 2011 by
Kenneth Magee

What is a standard?  Who defines standards?  Where do we as IT auditors come into contact with standards?  Which framework should we use to do an IT audit and if there isn’t one which one should we recommend.  In order to understand IT auditing and why we do IT auditing you need a brief history lesson.  So this post will be more history than anything else.  Hopefully by the end of the article you will have an appreciation for the different organizations and their individual standards and frameworks.

First, let’s start with a definition: ISO/IEC Guide 2:1996, definition 3.2 defines a standard as:

'A document established by consensus and approved by a recognized body that provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context'.

There are several organizations which have their own definitions for standards as well as their own definitions for how an audit should be conducted and what audit reports should be issued for IT engagements.  The first organization that I want to take a quick look at is the American Institute of Certified Public Accounts or AICPA and its primary certification the CPA.

The AICPA and its predecessors have a history dating back to 1887, when the American Association of Public Accountants (AAPA) was formed. In 1916, the American Association was succeeded by the Institute of Public Accountants, at which time there was a membership of 1,150. The name was changed to the American Institute of Accountants in 1917 and remained so until 1957, when it changed to its current name of the American Institute of Certified Public Accountants. The American Society of Certified Public Accountants was formed in 1921 and acted as a federation of state societies. The Society was merged into the Institute in 1936 and, at that time, the Institute agreed to restrict its future members to CPAs.  This is key because the certification associated with the AICPA which is IT specific is the Certified Information Technology Professional (CITP).  In other words, if someone want to be an IT auditor and have the CITP they must be a CPA.  In my opinion, that means they are a financial auditor first and an IT auditor second.

In 1968, the American Institute of Certified Public Accountants (AICPA) had the Big Eight (now the Big Four) accounting firms participate in the development of EDP auditing. The result of this was the release of Auditing & EDP. The book included how to document EDP audits and examples of how to process internal control reviews.  And from this came the Statement on Auditing Standards (SAS) No. 70.  For service organizations, this is a widely recognized internal control auditing standard.  A service auditor's examination performed in accordance with SAS No. 70 is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.

Around this same time a small group of individuals with similar jobs—auditing controls in the computer systems that were becoming increasingly critical to the operations of their organizations—sat down to discuss the need for a centralized source of information and guidance in the field. In 1969, Stuart Tyrnauer, employed by the (then) Douglas Aircraft Company, incorporated the entity as the EDP Auditors Association. EDP auditors formed the Electronic Data Processing Auditors Association (EDPAA). The goal of the association was to produce guidelines, procedures and standards for EDP audits.  This was ISACA’s start and in 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field.  The first work from this group was in 1977, when the first edition of Control Objectives was published. This publication is now known as Control Objectives for Information and related Technology (CobiT). CobiT is the set of generally accepted IT control objectives for IT auditors. In 1994, EDPAA changed its name to Information Systems Audit and Control Association (ISACA). ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

Another organization is the Institute of Internal Auditors (IIA) which was established in 1941, and is an international professional association and the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator. Members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.

Notice that we said the IIA is internal auditing, whereas AICPA and ISACA would most commonly be referred to as external auditing or auditors.  And let’s don’t forget the Feds.

The U.S. Government Accountability Office (GAO) is an independent, nonpartisan agency that works for Congress. Often called the "congressional watchdog," GAO investigates (read that as audits) how the federal government spends taxpayer dollars. The mission of the GAO is to support the Congress in meeting its constitutional responsibilities and to help improve the performance and ensure the accountability of the federal government for the benefit of the American people. The GAO provides Congress with timely information that is objective, fact-based, nonpartisan, non-ideological, fair, and balanced.

Their work is done at the request of congressional committees or subcommittees or is mandated by public laws or committee reports and supports congressional oversight by

  • auditing agency operations to determine whether federal funds are being spent efficiently and effectively;
  • investigating allegations of illegal and improper activities;
  • reporting on how well government programs and policies are meeting their objectives;
  • performing policy analyses and outlining options for congressional consideration; and
  • issuing legal decisions and opinions, such as bid protest rulings and reports on agency rules.

Another organization which we need to look at is, COSO which was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative which studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

The National Commission was sponsored jointly by five major professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). Wholly independent of each of the sponsoring organizations, the Commission contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange.

The original chairman of the National Commission was James C. Treadway, Jr., Executive Vice President and General Counsel, Paine Webber Incorporated and a former Commissioner of the U.S. Securities and Exchange Commission. Hence, the popular name "Treadway Commission." COSO’s goal is to provide thought leadership dealing with three interrelated subjects: internal control, enterprise risk management (ERM), and fraud deterrence.

In September 1992, the four volume report entitled Internal Control— Integrated Framework was released by COSO and later re-published with minor amendments in 1994. This report presented a common definition of internal control and provided a framework against which internal control systems may be assessed and improved. This report is one standard that U.S. companies use to evaluate their compliance with FCPA. According to a poll by CFO Magazine released in 2006, 82% of respondents claimed they used COSO’s framework for internal controls. Other frameworks used by respondents included COBIT, AS2 (Auditing Standard No. 2, PCAOB), and SAS 55/78 (AICPA).

The last organization that I want to take a quick look at is the IT Governance Institute which was formed by ISACA to focus on original research on IT governance and related topics.  The IT Governance Institute (ITGI) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology.  Effective governance of IT helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities.

I’ve talked about several different organizations: AICPA, IIA, ISACA, COSO, GAO, and ITGI.  There are different frameworks associated with each and some books published by each that you might want to consider.  First let’s take a look at the major frameworks and there are three primary ones you need to be familiar with.

  • COSO Integrated ERM Framework
  • ISACA & ITGI’s CobiT
  • International Organization for Standardization’s ISO27000 series

And although not a true framework, the Fed’s NIST SP 800 series of documents with particular attention to NIST SP 800-53.

In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management.

The period of COSO’s framework’s development was marked by a series of high-profile business scandals and failures where investors, company personnel, and other stakeholders suffered tremendous loss. In the aftermath were calls for enhanced corporate governance and risk management, with new law, regulation, and listing standards. The need for an enterprise risk management framework, providing key principles and concepts, a common language, and clear direction and guidance, became even more compelling. COSO’s Enterprise Risk Management – Integrated Framework filled this need, and COSO expected that it will become widely accepted by companies and other organizations and indeed all stakeholders and interested parties.  And in truth according to a poll by CFO Magazine released in 2006, 82% of respondents claimed they used COSO’s framework for internal controls.

COSO (and similar compliant frameworks) is generally accepted as the internal control framework for enterprises. COBIT is the generally accepted internal control framework for IT.

On the other hand, CobiT, which is geared more towards IT controls, was developed by ITGI/ISACA.  If you look closely at the structure of CobiT you will see some of the maturity levels from SEI/CMM.  CobiT defines IT activities in a generic process model within four domains. (Plan and organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate).  Within those four domains CobiT defines control objectives for all 34 processes.  And within each process has defined six general maturity levels.   This is a very lengthy framework for IT and I will not try to do justice to it in a short article here, rather, I would suggest that you or someone on your staff who is a member of ISACA, order a copy and have as a reference for your group.

ISO/IEC 27000 series of standards from the International Organization of Standardization (and, yes I know that is IOS not ISO, but don’t know why the changed the sequence of letters) includes three of note: 27001 which is the high-level document for Information Security Management Systems—this by the way is the one organizations can be certified too; ISO 27002 which is listing of all the security framework to support the certification of ISO 27001; and ISO 27005 which is a detailed explanation of Risk Management.  If you look at Appendix A in ISO 27001 and compare it to ISO27002 you will find it to be an abbreviated version.  For the full details use ISO27002 which contains 12 sections, 39 objectives, 133 controls, and 1,033 “Shoulds.”  By the way, the "shoulds" are things that you SHOULD be doing.

And finally, with respect to frameworks there is NIST SP 800-53 “Recommended Security Controls for Federal Information Systems and Organizations.”  What’s interesting to note in 800-53 is that Appendix H is a mapping of 800-53 to the ISO 27001 Appendix A standard.  What’s interesting is that if you are a U.S. Federal agency the language at the beginning of 800-53 takes away the framework selection process by saying “In accordance with the provisions of FISMA, the Secretary of Commerce shall, on the basis of standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to federal information systems. The Secretary shall make standards compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of federal information systems. Standards prescribed shall include information security standards that provide minimum information security requirements and are otherwise necessary to improve the security of federal information and information systems.”

In other words, you will use NIST SP 800-53.  But not to worry, the folks at NIST are re-writing some of the SP 800 series so that it is alignment with ISO27001, Appendix A.  And if you’re still having trouble deciding which framework to select, you should know that ISACA has published a “MAPPING” of CobiT to ISO27001.  So bottom line, everyone seems to be mapping to ISO27000 series, so I for one will recommend to the organizations that I audit, that they should use ISO 27001 as their IT security framework and COSO ERM framework for their non-IT internal controls.

Now some parting thoughts, books to have on your shelf, and certifications to aspire towards obtaining.

As an IT auditor, you’ll want to have a copy of IIA’s IPPF (International Professional Practices Framework) on your desk.  That’s more commonly known in auditing circles as the red book, which isn’t the same as the red book in IT circles.  You’ll also want to have a copy of GAO’s Yellow Book, a copy of ISACA’s CobiT 4.1, and a copy of the ISO 27000 series (27001, 27002 and 27005).  Something on COSO’s ERM framework would be nice to have, and you can download a copy from their website.  As a footnote on COSO, if someone can find the COSO CUBE, I would like to have one for my office.  From AICPA, print out a copy of the ITMS & CITP body of knowledge, in color, and frame-it and put it in your bookcase.  It makes for interesting conversation.

For the certifications, unless you’re already a CPA there’s no way of obtaining the CITP, if you are then by all means expand and pick up this cert.  From ISACA, you’ll want to consider CISA and if you are doing internal IT audits you’ll also want to consider the CIA from the Internal Audit Association.  From the Internal Organization of Standardization you’ll most definitely want to have the ISO27001 Lead Auditor certification.  This last one requires proof of performance of IT audits against the ISO framework under the guidance of a certified ISO 27001 Lead Auditor.  There are other certifications within the IT security field, but these are the prime ones for IT auditors.

Later this week, we’ll take a detailed look at IT Governance and Controls, so check back on Friday.

Until then, keep reading.


P.S. You can find other articles related it IT Auditing and Controls here.

Kenneth Magee
Kenneth Magee

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.