A Structured Approach To It Auditing

The basic instrument used in the audit process is an Audit Terms of Reference (AToR).


In current practice, we face problems in developing AToRs, namely that each IT auditor


has his or her own way of developing them. The AToR so developed consists of a mix


of detailed and general rules concerning the control measures to be assessed. The


selection of these controls is not supported by any method. The topics to which the


detailed and general rules are related do not always show clear relationships. Furthermore, each criterion within the AToR is formulated differently. This way of working has been classified as a "Rule based" approach.


The absence of a method or a systematic IT audit approach may have consequences for


the results of an audit. Lack of coherence and profundity of criteria within the AToR, or an incorrect scope and delineation of an IT object to be audited may lead to deficiencies in an AToR and may cause "IT audit risks". An unstructured AToR may lead to an inappropriate audit opinion.


This study provides a solution to this problem. It is a "Principle based" approach. This


approach is based on a conceptual framework, which consists of three components:


Structure, Content and Form. The component "Structure" refers to a multi layer structure


and is based on a general system pattern. The component "Content" refers to a pattern


of concepts and is based on a multi view approach (i.e. Means-End view). Audit principles


can be formulated based on these concepts. The component "Form" refers to a semi-formal


grammar for defining principles consistently. The framework has been developed


based on pre-defined criteria that have been grouped and related to the components


Structure, Content and Form. These criteria help in grounding these components and hence this approach.


The framework makes it possible to assign a specific type of audit principle to a specific layer of the structure and provides guidance in selecting and formulating audit principles.


Therefore, we would advise you to study this approach and use it in practice.


WIEKRAM B. TEWARIE studied Information science at the University of Amsterdam


(UvA) and attended the post-graduate IT Audit course at the University of Tilburg


(UvT/TiasNimbas). He carried out his PhD research at the Vrije University in Amsterdam,


while continuing to work full-time. Currently he is a senior IT auditor in the Accountancy department of UWV (National Social Security Agency).