Saturday, February 24 2024
An IT audit is a systematic, objective examination of an organization's information systems that compares what the organization does to a defined set of criteria or requirements. This book provides an introduction to the subject.

Book Review: ‘The Basics of IT Audit’ by Stephen Gantz

IT audit is one of the compulsory and recurring activities in companies for several reasons, including threats to data security and integrity, the requirement to maintain quality of processes and products versus other organizations in the same domain, and legal requirements.

The Basics of IT Audit: Purposes, Processes, and Practical Information by Stephen Gantz attempts to explain the basics of IT audit with respect to its motives, requirements and structure. An audit is a systematic, objective examination of one or more aspects of an organization that compares what the organization does to a defined set of criteria or requirements. Information technology (IT) auditing examines processes, IT assets, and controls in an organization to measure adherence to the applicable standards or requirements.

IT audits are performed both by internal auditors working for the organization subject to audit and external auditors hired by the organization. The processes and procedures followed in internal and external auditing are often quite similar, but the roles of the audited organization and its personnel are markedly different. The audit criteria – the standards or requirements against which an organization is compared during an audit – also vary between internal and external audits and for audits of different types or conducted for different purposes.

The book describes the practice of IT auditing, including why organizations conduct or are subject to IT audits, different types of audits commonly performed in different organizations, and ways internal and external auditors approach IT audits. It explains many fundamental characteristics of IT audits, the auditors who perform them, and other aspects of the practice of auditing. One important chapter is dedicated to briefly describing the audit-related organizations, standards and certifications specialized for IT.

The author briefly discusses some of the prominent professional bodies concerned with the governance and audit of information systems and related technology, including ISACA, well known for the COBIT framework (Control Objectives for Information and Related Technology) and the CISA certification (Certified Information Systems Auditor), and ISC2 (International Information Systems Security Certification Consortium, Inc.), which is known for the CISSP certification.

Auditors or other readers seeking prescriptive guidance on auditing will find references to many useful sources, but not audit checklists, protocols, or procedural guidance on different types of IT audits. The book’s objective is to give organizations and their employees an understanding of what to expect when undergoing IT audits. This will be helpful in interacting with the auditing or certification personnel.

The book explains the legal requirements of the Sarbanes-Oxley Act, which requires publicly traded companies on the New York Stock Exchange to maintain an internal audit function. It explains how a combination of legal and regulatory requirements and business drivers incentivizes an organization to create an internal IT audit capability and to make sure it is properly structured, staffed, managed, and maintained.

One of the functions of IT auditing is to support quality management by making sure operations produce the intended results and that those results satisfy quality-related criteria. Quality management systems are also subject to periodic audits to determine if they meet the applicable requirements and are properly operated and maintained.

The author gives suggestions on how the audit team should be structured and should report to upper management to meet regulatory requirements, and discusses briefly the steps of a typical IT audit:

  1. Audit planning
  2. Preparation and evidence collection
  3. Audit performance
  4. Reporting findings
  5. Responding to audit results
  6. Process life cycles and methodologies

The book is a good read for understanding the simpler concepts of IT audit for beginners. From there, the reader can move ahead to consider a full-fledged IT audit career. The experienced professional might find this book useful too, as an introduction to be kept on a nearby bookshelf.


About Ganadeva Bandyopadhyay
