What is IT Audit?

An Information Technology Audit, or IT Audit, is an evaluation of a company's technical infrastructure, technical processes and policies, management controls, technical support, and applications, to determine whether they safeguard assets, maintain data integrity, and operate in line with the company's policies and processes. Those processes must themselves align with an established standard and support the company's specific technical goals.

IT Audit Process

Planning by mapping to relevant standards

Adjust for audit scope and objectives

Prioritize controls and align to budget

Walkthrough Controls

Test Controls

Consolidate, Report and Present Results

Planning by mapping to relevant standards

The Planning phase is the first step of the audit, and it is important because it sets up the framework for everything that follows. This step involves verifying and examining mandatory requirements: the audit's agenda should reflect the regulations, rules and guidelines that apply to the industry.

After verifying the mandatory requirements, the auditor needs to understand the following:

  • Organizational functions and the operating environment
  • Organizational Structure
  • Criticality of IT systems
  • Nature of hardware and software used
  • Nature and extent of risks affecting the system

This information can be gathered by inquiring of management and by reading organization publications, annual reports, past audits (if available) and analytical documents.

Adjust for audit scope and objectives

Adjusting for audit scope is the second step of the audit process. It is important to know the initial scope of the audit and the audit's objectives. Scope refers to the boundaries of the audit: which systems, processes and controls are included. The scope may expand or shrink as the audit progresses, or because of changes to the organization's structure and IT controls.

Risk Assessment

Risk Assessment is the process of identifying risks, assessing their likelihood and impact, and taking steps to reduce them.

Risk-based approach steps

  • Inventory the information systems in use by the organization and categorize them.
  • Determine which systems impact critical functions or assets.
  • Assess which risks affect these systems and the severity of impact on the system and business.
  • Based on the above assessment decide the audit priority, resources, schedule, and frequency.

IT auditors use the risk assessment to decide where to focus, and they evaluate the policies, procedures, practices, and organizational structures that management has implemented to manage those risks. Together, these policies, procedures, practices, and organizational structures are called internal controls.

Prioritize controls and align to budget

The third step of the audit process is to prioritize controls and align them to the budget. This step begins with a preliminary analysis that identifies the existing controls and their potential weaknesses. Each existing control must be inspected.

Both inherent risk (the risk before any control is applied) and residual risk (the risk that remains after the control) must be considered when examining each control, because together they show which areas require the most attention and budget.
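The risk-based steps above (inventory, categorize, assess, prioritize) and the inherent/residual distinction can be carried through on a small inventory. The following is an added example, not code from the page or from the cited sources; the inventory, the 1-5 likelihood and impact scales, the control-effectiveness estimates, and the audit-frequency thresholds are all assumed for illustration.

```python
from dataclasses import dataclass

# Constructed sample inventory (not from the page): one row per system.
# likelihood and impact are scored 1-5; control_effectiveness is the
# auditor's preliminary estimate (0.0 = no control, 1.0 = fully mitigating).
@dataclass
class System:
    name: str
    supports_critical_function: bool
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    control_effectiveness: float

INVENTORY = [
    System("Payroll", True, 3, 5, 0.8),
    System("HR self-service portal", True, 4, 4, 0.2),
    System("Cafeteria menu site", False, 4, 1, 0.0),
    System("Enrollment", True, 2, 5, 0.5),
    System("Internal wiki", False, 3, 2, 0.3),
]


def inherent_risk(s: System) -> int:
    """Risk before controls are considered: likelihood x impact (1..25)."""
    return s.likelihood * s.impact


def residual_risk(s: System) -> float:
    """Risk remaining after the existing controls reduce the inherent risk."""
    return inherent_risk(s) * (1.0 - s.control_effectiveness)


def categorize(s: System) -> str:
    """Steps 1-2: categorize by whether the system supports a critical function."""
    return "critical" if s.supports_critical_function else "non-critical"


def audit_frequency(residual: float) -> str:
    """Step 4: map residual risk to audit frequency (thresholds are assumed)."""
    if residual >= 10:
        return "annual"
    if residual >= 5:
        return "every 2 years"
    return "every 3 years"


def prioritize(inventory):
    """Order systems for audit: critical systems first, then by residual risk.

    Returns (name, category, inherent, residual, frequency) tuples."""
    ranked = sorted(
        inventory,
        key=lambda s: (categorize(s) != "critical", -residual_risk(s)),
    )
    return [
        (s.name, categorize(s), inherent_risk(s),
         round(residual_risk(s), 1), audit_frequency(residual_risk(s)))
        for s in ranked
    ]


def allocate_hours(inventory, total_hours: int) -> dict:
    """Align to budget: split the available audit hours in proportion to residual risk."""
    total_residual = sum(residual_risk(s) for s in inventory)
    return {
        s.name: round(residual_risk(s) / total_residual * total_hours)
        for s in inventory
    }


if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        print(row)
    print(allocate_hours(INVENTORY, 290))
```

Note what the ranking shows: Payroll has a higher inherent risk (15) than Enrollment (10), but its strong existing controls leave a lower residual risk (3.0 versus 5.0), so it ranks below Enrollment and receives fewer hours. Prioritizing on inherent risk alone would invert that order and spend budget where controls are already working.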

Walkthrough Controls

The fourth step is the walkthrough. In a walkthrough the auditor follows a transaction or process end to end, from initiation through the systems and controls to its final record, to confirm their understanding of how the process actually works and to identify where the controls address the risk of material misstatement. The purpose of a walkthrough is to catch errors in that understanding before testing begins and to observe the process in operation.

Test Controls

The fifth step of the audit is to test the controls. IT controls are often described in two categories: IT general controls and IT application controls.

General Controls

Controls that apply across the IT environment as a whole rather than to any single application, for example:

  • Logical Access
  • Change Management
  • Computer Operations

Application Controls

Controls embedded within individual business applications (such as input validation, processing checks and output reconciliation), for example in:

  • HR Systems
  • Payroll Systems
  • Enrollment Systems

Both kinds of controls must be examined and tested, first for design and then for operating effectiveness.

Test of design

  • Was the control designed well?
  • If implemented as designed, will the control work?
  • How does the control address the identified risk?

Test control effectiveness

  • How was the control applied?
  • By whom was the control applied?
  • Was the control applied consistently?

If the control was not applied as designed, was not applied by the responsible party, or was not applied consistently throughout the period, then the control was not operating effectively.

5 Types of test methods

  • Observation of documentation
  • Computer Assisted Audit Technique
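A Computer Assisted Audit Technique applied to the test of operating effectiveness above: rather than sampling a few tickets, the auditor takes the full population from HR and from the account directory and lets a script find every exception. The following is an added example, not code from the page or from the cited sources; the termination list, the account export, the field names and the one-day disablement deadline are all constructed and assumed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): the HR termination list and an
# account export, in the form an auditor would receive them from HR and IAM.
TERMINATIONS = [
    {"employee_id": "E100", "name": "A. Lee",   "termination_date": date(2023, 3, 1)},
    {"employee_id": "E200", "name": "B. Ortiz", "termination_date": date(2023, 5, 15)},
    {"employee_id": "E300", "name": "C. Nair",  "termination_date": date(2023, 6, 30)},
]

ACCOUNTS = [
    {"username": "alee",       "employee_id": "E100", "enabled": True,
     "last_logon": date(2023, 4, 2),  "disabled_on": None},
    {"username": "bortiz",     "employee_id": "E200", "enabled": False,
     "last_logon": date(2023, 5, 14), "disabled_on": date(2023, 5, 16)},
    {"username": "cnair",      "employee_id": "E300", "enabled": False,
     "last_logon": date(2023, 7, 10), "disabled_on": date(2023, 7, 20)},
    {"username": "svc_backup", "employee_id": None,   "enabled": True,
     "last_logon": date(2023, 8, 1),  "disabled_on": None},
]

GRACE_DAYS = 1  # assumed policy: access must be disabled within 1 day of termination


def find_termination_exceptions(terminations, accounts, grace_days=GRACE_DAYS):
    """Test the 'disable access on termination' logical access control over the
    whole population. Returns one (username, reason) finding per exception;
    an empty list means no exceptions were found."""
    by_employee = {}
    for a in accounts:
        if a["employee_id"]:
            by_employee.setdefault(a["employee_id"], []).append(a)

    findings = []
    for t in terminations:
        deadline = t["termination_date"] + timedelta(days=grace_days)
        for a in by_employee.get(t["employee_id"], []):
            if a["enabled"]:
                # Control not applied at all: the account is still live.
                findings.append((a["username"], "still enabled after termination"))
            elif a["disabled_on"] and a["disabled_on"] > deadline:
                # Control applied, but not consistently with the policy deadline.
                late = (a["disabled_on"] - deadline).days
                findings.append((a["username"], f"disabled {late} days after deadline"))
            if a["last_logon"] and a["last_logon"] > t["termination_date"]:
                # Evidence that the gap was actually used, which raises the impact.
                findings.append((a["username"], "logon activity after termination"))
    return findings


def unowned_enabled_accounts(accounts):
    """Enabled accounts with no employee owner: these cannot be tied to a
    termination and belong in a separate access-review population."""
    return [a["username"] for a in accounts if a["enabled"] and not a["employee_id"]]


def conclusion(findings) -> str:
    """For a preventive control, any exception in the population means the
    control did not operate effectively for the period."""
    return "operating effectively" if not findings else f"not effective ({len(findings)} exceptions)"


if __name__ == "__main__":
    exceptions = find_termination_exceptions(TERMINATIONS, ACCOUNTS)
    for username, reason in exceptions:
        print(f"{username}: {reason}")
    print("Unowned enabled accounts:", unowned_enabled_accounts(ACCOUNTS))
    print("Conclusion:", conclusion(exceptions))
```

Each finding maps back to one of the three effectiveness questions: an account still enabled means the control was not applied; a late disablement means it was not applied consistently; and a post-termination logon is the evidence the auditor quotes to management when explaining the potential impact. The service account is reported separately, because an access review, not the termination control, is the right test for it.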

Consolidate, Report and Present Results

The sixth and last step of the audit process is to consolidate, report, and present the results. A comprehensive examination is done, covering how the audited area fits into the enterprise risk monitoring framework, the overall governance and roles, and the level of IT risk within the organization. An opinion is prepared for each tested control objective. For each objective, the auditor needs to give management the reasons for passing or failing it, highlight any weak points, and explain their potential impact on the organization.

Key Terms

Application Controls: Controls embedded within individual business applications, such as input validation, processing checks and output reconciliation.

General Controls: Controls that apply across the IT environment as a whole, such as logical access, change management and computer operations.

Internal Controls: The policies, procedures, practices, and organizational structures that management implements to manage risk.

Inherent Risk: The risk that exists in an activity or system before any controls are applied to reduce it.

Residual Risk: The amount of risk remaining after the inherent risk has been reduced by controls.

Scope: Boundaries of the audit.

References

“Five Steps for Effective Auditing of IT Risk Management.” ISACA.

Grant Thornton, IT Audit Manual (PDF).