IT Audit Research Articles

End-to-End IT Audit Frameworks Best Practices for Managing Complete Audit Cycles

The effective execution of IT audits depends on a systematic, integrated framework that drives the audit life cycle through planning, execution, and reporting. Based on this fact, the study has developed a model of an end-to-end IT audit framework that emphasizes risk-based audit planning, effective execution strategies, and strong reporting mechanisms. The article seeks to discuss best practices in optimizing audit programs to meet organizational objectives, regulatory requirements, and current landscapes regarding technological changes. These include risk assessment, scoping, resource allocation, and control testing methods that achieve a proper balance between compliance and operational efficiency. The framework further helps in challenges related to data handling, integration of automated tools, and dynamic auditing techniques for increased coverage and reliability. This framework supports audit teams to deliver actionable insights, enhance the control environment, and promote value-based auditing. This will be particularly important for auditors in highly regulated industries that rely on strong IT control systems for security and, more importantly, compliance.

Development of Multi Standard Information Technology Governance Audit Tool with SDLC Approach

In the era of digitalization, business organizations are competing to improve the quality of their services by utilizing information technology. Reliable information technology applications can be used to help the company's operations become better, while improper application of information technology can slow down the process. The process of establishing information technology through IT governance audits will optimize the application of information technology in a business. The implementation of an IT audit generates plenty of data that must be appropriately managed. Audits conducted using traditional systems frequently encounter issues such as difficulties maintaining audit indicator data, manually keeping of evidence at risk of getting damaged or lost, the process for generating reports is quite long, the audit monitoring operations are ineffective, and because there are numerous types of standards with different indicators, multiple tools are required while performing audits. In order to answer these issues, this study implemented a multi standard information technology governance audit tool that capable of managing audit activity data from many standards in a single system. The PHP and javascript programming languages, MySQL database, as well as the Laravel and VueJS Frameworks, will be used in the construction of this audit tool. The SDLC method was applied in this study, with numerous stages including planning to maintenance. Through blackbox testing on the various functions contained in the developed multi-standard audit tool, it is shown that the system can function as expected or intended. As well as through the usability testing questionnaire, it was concluded that the multi-standard audit tool developed had fulfilled the usability aspects.

LEGAL REGULATION OF THE USE OF FINANCIAL CONTROL TOOLS FOR PUBLIC ADMINISTRATION OF HIGHER EDUCATION INSTITUTIONS

The issue of financing higher education institutions plays an important role in the development of every society. The purpose of the article is to improve the legal regulation of the use of financial control tools for public administration of higher educational institutions. The main methods that were used in the research are: methods of comparative analysis, to compare normative acts of Ukraine, which regulate the use of financial control tools for public administration of higher education institutions; methods of analysis and synthesis, generalization methods and others. The article analyzes the main models of financial control over education funding: Anglo-Saxon and continental models. To evaluate the effectiveness of the funds spent by the state on the proposed mechanism of public administration of higher education institutions with financial control tools, which includes: a mechanism for evaluating the scientific activity of higher education institutions; the IT audit mechanism of the grounds for the formation of a state order for the training of students by institutions of higher education; the mechanism of financial control over the distribution of budget funds depending on the results of the scientific activity of the institution of higher education. A mechanism of public administration of higher education institutions with financial control tools has been developed, which includes such basic elements as: purpose, tasks, objects and subjects, main structural components. The main directions of interaction between subjects of the mechanism of public administration of higher education institutions with financial control tools have been established. Directions for establishing the relationship between normative acts of Ukraine on issues of public administration of institutions of higher education and instruments of financial control have been developed.

The Importance of COSO Framework Compliance in Information Technology Auditing and Enterprise Resource Management

This article examines the significance of the COSO framework in managing risks and establishing effective control environments for organizations' IT systems. It delves into the five essential components of both the COSO frameworks for internal control and enterprise resource management. Furthermore, it outlines the principles that define each of the COSO frameworks for internal control and enterprise resource management components and elaborates on their impact on the COSO framework objectives. The authors also shed light on the paramount concerns of an auditor during an IT audit. In conclusion, the article provides several recommendations for integrating COSO framework compliance into an organization's information technology plan. This articles a valuable resource for auditors, administrators, and management seeking to develop an IT strategy that aligns with their business strategy and safeguards their information systems and data.

A modular framework for auditing IoT devices and networks

In recent years, we have seen significant growth in the use of IoT devices as part of conventional enterprise networks to increase the operations, services, and functionality of business processes. The use of IoT technologies in businesses is expected to grow more in the coming years due to smart sensors, more computing power, and reliable mobile connectivity with 5 G capabilities. Since enterprise networks are liable to customers’ data and they generally have to follow certain compliances and regulations (e.g., PCI-DSS, HIPAA, etc.), they are always concerned about the overall security of their IT and security infrastructures. To address this concern, they have IT auditors that periodically analyse and assess different parts of IT infrastructure to ensure processes and systems run accurately and efficiently while remaining secure and meeting compliance regulations. Unfortunately, as of this writing, there is no customized or standalone standard that IT auditors can follow when they evaluate an IT infrastructure that has IoT devices installed. Since IoT devices have their own unique characteristics, it does not practical to use traditional IT auditing standards to audit IoT devices nor such practices can provide any meaningful audit results that can prevent corporations from violating their required compliances or regulations. This implies that if organizations want to take full advantage of IoT technologies for increasing profitability, they cannot rely on conventional IT auditing practices unless the auditors are equipped with a proper auditing framework tailored to audit IoT devices. Motivated by this, we present a modular IoT auditing framework to audit an enterprise network that consists of IoT devices. To support the implementation of the proposed framework, we provide a set of auditing questions covering all security-related features of IoT devices such as firmware, hardware, physical/logical security, communication, and data privacy.

Disclosed statement digitalization: Challenges and solutions

Subject. This article discusses the areas of concern associated with the digitalization of economic entities' accounting statements to be published. Objectives. Based on the study of Russian and foreign practices, the article aims to identify opportunities, problems and risks that arise for compilers, auditors, analysts, software developers, and regulatory authorities when submitting accounts to be published in electronic format based on XBRL, and ways to solve those numerous problems. The article also aims to identify new challenges that may arise as a result of the transition to statutory sustainability reporting, and its digital presentation. Methods. For the study, I used analysis, synthesis, comparison, generalization, and abstraction. Results. The article defines the major opportunities, significant problems and risks associated with the transition to the submission of economic entities' accounting and financial statements in electronic format. The article finds that the lack of a generally recognized taxonomy of reporting in the field of sustainable development is a new challenge to the digitalization of accounting reporting to be disclosed. Conclusions and Relevance. The transition to corporate reporting e?filing demands the organization's top management to give due consideration of the issue, and IT specialists, accountants, auditors, and specialists of other functional units involved in the preparation of corporate reporting to coordinate cross-functionally. The results of the study can be taken into account when implementing accounting reporting e-filing.

INFORMATION & TECHNOLOGY AUDIT OF E-GOVERNMENT USING COBIT A LITERATURE REVIEW

The Indonesian government continues to strive to improve public services to meet global demands, one of which is the development of technology such as a broad and integrated internet known as e-government. In implementing the e-government concept, it is necessary to have an IT audit to align the IT management process with the plans, objectives, and business strategies of government institutions. One framework that can be used as a standard is COBIT. This study uses the Systematic Literature Review research method to answer Research Questions (RQ): RQ1 regarding how the COBIT framework is used in IT audit case studies, especially in the e-government field, RQ2 regarding the COBIT domain used in research. The results of the study obtained 32 journals that were selected through a literature search process, literature selection according to criteria, and quality assessment. The results of the study, especially in the context of the main research question, namely the journals reviewed using the COBIT framework with various versions in evaluating e-government implementation. In COBIT there is a workflow that starts from identifying problems in the organization to analyzing capability level. In this study, it is known that the COBIT 2019 version is more adaptable to organizational conditions and technological developments because this version has more domains and design factors have been added (answer RQ1). The COBIT framework has 5 domains, namely the EDM, APO, BAI, DSS, and MEA domains. The most dominant domains used in assessing e-government implementation in journals are the APO and DSS (answer RQ2).

Introduction and improvement of IT audit in Kazakhstan

Audit acts as an element of ensuring the sustainability of the economic entity, reduces its information risks, given the complexity of the structure and functions of accounting. The article considers the foreign practice of IT audit (IT information technology) using special international standards such as COBIT and ITIL, gives a characteristic of the role, direction of IT audit development in Kazakhstan. IT-audit gives answers to questions of timing of updating of hardware and software, justification of its necessity, establishment of a unified system of management of IS monitoring. The questions of compliance of used information systems and technologies with the goals and objectives of the business, place and ratio of IS and business, ways to optimize investments, adaptation of Kazakhstan IT-audit system to international practice are considered. The study analyzes the optimal IT management, examines the main types and forms of IT audit as a preliminary phase of the study of the existing IS.

The Impact of Information Technology Governance Under Cobit-5 Framework on Reducing the Audit Risk in Jordanian Companies

Purpose: The goal of this study is to ascertain how the COBIT 5 framework, which consists of (Planning and organization, Acquire and implementation, Support and Delivery, Monitoring and evaluation, Guidance and Control), affects audit risk. Theoretical framework: IT governance (ITG) is a strategic and administrative procedure that aids in an organization's efficient and responsible usage of IT. The efficacy of audit control and audit process can be significantly impacted by COBIT5. Design/methodology/approach: This study used a quantitative approach, with questionnaires distributed to 450 workers from each of the 150 Jordanian companies. The three employees served as a representative sample from the finance, internal audit, and IT departments. A total of 371 sets of questionnaires were returned with complete responses and were further examined. The data analysis employed descriptive analysis, Pearson correlation, and multiple linear regressions. Findings: The results of this investigation revealed that every independent variable, including Cobit 5, had a favorable and substantial impact on the decrease of audit risk. one of the most important results of this study showed that Monitoring and evaluation is one of the most influential dimensions of ITG to reducing audit risks, and perhaps this may be due to the nature of the delivery of IT within companies’ systems and the implementation of their applications and services to be delivered. Research, Practical & Social implications: This study helps Jordanian companies to enhance the application of information technology governance, which contributes to raising the level of efficiency of their accounting systems and enabling them to compete. Originality/value: The findings showed that are a limited number of studies on IT governance and audit risk that have focused on developing countries, especially Jordan, and this is where the research comes in –to fill up the gap.

Towards It Audit Approach of Public Sector Cloud Services Under Conditions of Martial Law in Ukraine

This study is driven by the urgent need to understand the implementation of cloud computing by public users in Ukraine during martial law. It specifically addresses a critical gap in literature: the effectiveness and security of cloud services in a high-risk environment. The research focuses on Microsoft Azure, a widely-used cloud service, under these extraordinary circumstances. Our methodology involved a comprehensive IT audit of Microsoft Azure’s cloud services. This audit was meticulously designed to evaluate whether Azure sufficiently supports the operational objectives of its public users amidst heightened cyber threats. It also examined Azure’s compliance with regulatory requirements in response to these threats, and documented the effectiveness and adequacy of the service. The findings reveal key insights. We discovered certain vulnerabilities in Azure’s framework that necessitate risk response measures, control enhancements, and development of strategic actions by public service officials. Importantly, our study provides recommendations for optimizing workload architecture based on the IT audit outcomes. This research contributes significantly to the understanding of cloud computing’s role and reliability in crisis scenarios, like that of martial law in Ukraine. It offers valuable guidance for public sector entities relying on cloud services during emergencies, and sets a precedent for future studies in this rapidly evolving field.

A MATURITY CAPABILITY FRAMEWORK FOR SECURITY OPERATION CENTER

Owning a Security Operation Center (SOC) is becoming increasingly common for organizations as part of their cybersecurity strategy to ensure near-real-time detection and adequately respond to cyber-attack engaging the SOC’s humans, technology, and processes. However, SOC investments only sometimes achieve the best possible outcomes and only provide an acceptable protection level in some cases due to the challenges related to the technologies, processes and especially the human factor. This paper proposes a new practical maturity framework for Security Operation Center. This will serve as a roadmap for IT auditors and security experts when they evaluate the maturity of a security operation center in terms of safeguarding the assets of the company, its partners, and its clients.

Evolving the IT audit

Nowadays, modern technologies are becoming an essential part of any organization's activities, therefore the main priority for internal audit is to perform IT risk assessment and management control in consulting. Therefore, IT environment programs and computer operations as a part of the IT infrastructure have to be appreciated by auditors. Monitoring of IT infrastructure will afford auditors to uncover infrastructure vulnerability. The basis for assessing infrastructure vulnerability that affects internal organization structure is formed by the monitoring system of IT hardware, software, network and data components. For example, systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. When thorough understanding of the IT environment has been achieved, the executive auditor and the internal audit group can perform the risk assessment and develop the audit plan. Evolving an audit plan, many administrative factors are have to be taken into account, such as a kind of industry, revenue, a type of revenue, process complexity, and geographic location. Two factors that openly affect risk assessment and the very essence to audit IT environment are process and its role. Key words: audit, IT audit, IT infrastructure, risk, audit plan evolving.

Statistical Sampling Techniques for the IT Auditors

Statistical Sampling Techniques for the IT Auditors

DETERMINANTS OF COMPUTER ASSISTED AUDIT TOOLS AND TECHNIQUES (CAATs) ADOPTION

Determinants of the adoption of CAATs in the Internal Audit Departments are examined in this study by employing the Unified Theory of Acceptance and Use of Technology (UTAUT). The attributes that were taken from the UTAUT theoretical model are performance expectancy, organisation readiness, effort expectancy and social influence. Apart from UTAUT’s attributes, this study has taken individual factors to be examined together with the model. They are also considered an external factor that was established through the Theory of Acceptance Model (TAM) in previous literature. Using a quantitative approach, questionnaires were administered to internal auditors, followed by IT auditors and others such as Compliance officers and Quality auditors who use CAATs in their routine tasks; they work in multinational companies, government link companies and government agencies. The companies were chosen because they have in-house Internal Audit Departments. The results show that performance expectancy and individual factors are the most supported attributes that influence the adoption of CAATs. This study offers insights into the effect of individual factors on CAATs adoption. This paper expands the existing literature on factors that influence CAATs adoption among internal auditors.

Editorial Policy

Editorial Policy

PEMANTAUAN DAN EVALUASI TEKNOLOGI INFORMASI DI PEMERINTAH KABUPATEN GRESIK BERDASARKAN PERATURAN MENTERI PAN-RB NOMOR 59 TAHUN 2020

Abstract
 Central government agencies until the current local government have started to implement an electronic-based governance system (SPBE). SPBE is a government organization that utilizes information and communication technology to provide services to SPBE Users. The government has established SPBE guidelines stipulated in Presidential Regulation No. 95 of 2018 on SPBE and to ensure the implementation of SPBE can run to achieve its objectives to realize an integrated and comprehensive government set forth The Ministerial Regulation of PAN-RB No. 5 of 2018 concerning SPBE Evaluation Guidelines. In 2019, the Ministry of PAN-RB conducted SPBE evaluation activities through the SPBE self-assessment method and obtained SPBE index results worth 3.14 on a scale of 0-5 and entered into the GOOD predicate. From these results, the Gresik district government needs to improve the quality of SPBE. In September 2020 the Government again established The Ministerial Regulation of PAN-RB No. 59 of 2020 concerning the monitoring and evaluation of SPBE. The regulation has been listed 4 Domains, 8 Aspects, and 47 indicators to assess the maturity level of SPBE. The result of the evaluation maturity level of SPBE evaluation of Gresik district government based on Regulation of the Minister of PAN-RB Number 59 of 2020 is 2.54. Interpretation of the value of maturity level is included in the Predicate Enough is the level of maturity of the process capability occupied level 2 (managed) and the level of service capability occupied level 2 (Interaction). 
 Keywords: SPBE; Monitoring and Evaluation; IT Audit; Ministerial Regulation of PAN-RB Number 59 of 2020

Audit Tata Kelola TI Berbasis COBIT 2019 di Politeknik XYZ

An IT governance audit is a way to evaluate the course of IT governance in an organization so that it can be seen whether the implementation of IT governance in the organization is in accordance with the guidelines and standards or not. The results of the audit will be reported to stakeholders so that they can be followed up. This research will use the COBIT 2019 framework in conducting IT audits. This study aims to determine the quality of service, management performance and determine the risks that occur at XYZ Polytechnic. From the results of the assessment on the capability level in the domains BAI03, BAI06, BAI07, and BAI10, it was found that these domains are the top four values in the COBIT design factor.

The Effect of Abnormal Audit Hours on Earnings Persistence and Discretionary Accruals: Using the Rank-Specific Audit Hours Data*

This study examines how abnormal total audit hours and rank-specific audit hours affect earnings quality, proxied by earnings persistence or discretionary accruals. The sample is collected from listed firms in Korea between 2014 and 2019. In particular, this study uses rank-specific audit hours which have been publicly disclosed under the External Audit Act Amendment in 2014 in order to estimate abnormal audit hours for five different ranks: audit quality reviewer, director, registered accountant, associate accountant, and expert in other areas such as tax, IT audit, and asset valuation. Our major findings are fourfold. Firstly, abnormal total audit hours as well as abnormal audit hours for audit quality reviewer, registered accountant and associate accountant are negatively associated with earnings persistence. Secondly, we do not observe any significant relations between discretionary accruals and abnormal audit hours, total or rank-specific. Thirdly, the results stay qualitatively similar when discretionary accruals are replaced with loss avoidance (i.e., reporting small positive earnings), while absolute discretionary accruals appear to be positively related to abnormal audit hours by two positions (audit reviewer and director) as well as abnormal total audit hours. Lastly, results based on log of audit hours (total or rank-specific) are sensitive to the inclusion of firm size as a control variable in the regression model whereas those based on abnormal audit hours are relatively stable regardless of the presence of firm size in the control. Our results suggest that audit hours may act as an indicator of audit risk rather than audit quality.

Audit Sistem Informasi Aplikasi Gramedia Digital Menggunakan Framework COBIT 5

Gramedia Digital application is an online bookstore application issued by a bigest one bookstore in Indonesia, Gramedia Digital application itself is a good innovation in the digital era now even though it has been used by users but there are still some obstacles or lack of information contained on the application, therefore it requires maturity and capability assessment of the application. The COBIT 5 framework is an IT audit standard that has been issued by ISACA, COBIT 5 itself has a total of 11 domains but this time the research only focuses on 5 domains namely EDM05, APO05, BAI04, DSS01, MEA01. By spreading questionnaires and conducting interviews with questions that are guided by these domains and have 117 respondents, then after getting results then calculated using the maturity level formula then calculated on average using the capability level formula. The results of the maturity and capability level calculations from Gramedia Digital applications resulted in an average of EDM05 with a result of 2.7, APO05 with a result of 2.8, BAI04 with a result of 2.7, DSS01 with a result of 2.7, MEA01 with a result of 2.8. And the average capability generated by these domains is rounded to 3. The conclusion in this study Gramedia Digital application has not met the targeted target of 4

Audit Tata Kelola Teknologi Informasi Pada Perusahaan Menggunakan Domain DSS dan MEA Kerangka Kerja COBIT 2019 (Studi Kasus: Fakultas Teknik UNDIP)

Information technology is required by the Faculty of Engineering UNDIP to support the achievement of faculty goals. This faculty has implemented and relied on information technology for administrative processes, teaching, and learning activities although in performing its business processes since 2004. The problem found was the practices of information technology have been expected by the Faculty of Engineering UNDIP, or not yet. Therefore, research on the governance of IT audit is necessary to know which management objectives are important, the current capability level, comparison of IT governance conditions in 2014, which management objectives have been achieved, and provide some recommendations. This research method uses the COBIT 2019 on two parameters of the DSS and MEA. Based on the results of the research, the current capability level of the Faculty of Engineering according to the DSS and MEA domain of COBIT 2019 is at level 1 (performed) with an average value of 36%. The Faculty of Engineering has decreased level, but the goal has been more or less achieved through the practices of a set of incomplete/disorganized activities.