Overview
The IIA Postgraduate Certificate in IT Auditing is an advanced accredited module aimed at qualified internal auditors who wish to develop specialist expertise in the particular threats and vulnerabilities associated with information systems.
The content and assessment strategy have been developed to ensure that the award provides a detailed grasp of risks associated with data input, security, integrity, resilience and IT transformation together with the appropriate controls and contingencies. It builds upon the skills and understanding of the professional internal auditor. The syllabus has been derived with reference to the demands of the profession, the IIA Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, the Institute of Internal Auditors Research Foundation Common Body of Knowledge and the Global Competency Framework for Internal Auditing.
Assessment is through a combination of examination and the completion of a work-related project. On successful completion of the module members will be awarded the designation ITAC.
Entry requirements
Entry to the IIA Postgraduate Certificate in IT Auditing will be open to qualified members of the Institute of Internal Auditors – UK and Ireland only, namely those holding PIIA, MIIA or CIA designations.
To complete the award, students must have been working as an internal auditor, providing independent assurance to one or more organisations on the risks and controls associated with IT, for at least twelve months, and must have an additional minimum of three years' professional experience as a practising internal auditor.
Study and tuition
Tuition will be available through the Institute of Internal Auditors – UK and Ireland via a distance learning programme. The guided time required for learning, including study, research, reading, exam preparation and on-the-job development, is 120 hours.
Open University credit rating and level
The IIA will seek accreditation from the Open University (OU) to a value of 12 credits at PG1 (level 7). This is equivalent to the academic level of a Master's degree (total credits required 180) and may be used by successful students as credit towards their study in higher education, at the discretion of individual institutions.
Exemptions
Candidates who have passed the Specialist Information Systems Auditing examination of the IIA Qualification in Computer Auditing within five years of registering for this award will be exempted from the examination but need to complete the work-related project.
Assessment
Assessment of students for the IIA Postgraduate Certificate in IT Auditing is made in two main ways:
• knowledge and understanding is assessed through a multiple choice examination
• professional competence is assessed through evidence produced through a work-related research project.
Examination
The examination will be held once a year, in the last week of November, and consists of a two-hour paper of 100 multiple-choice questions. Students will be required to demonstrate their knowledge and understanding of the theories, concepts, methods and practices as outlined in the syllabus. They will be expected to relate their knowledge and understanding to contextualised scenarios. It will be necessary to:
• recognise key terms and models and confirm their appropriate application
• analyse a range of information
• make comparisons and draw relevant conclusions
• identify and select suitable recommendations and evaluative judgements.
Students will need to record their chosen answer from the options presented. One mark will be awarded for every correct answer. No marks will be awarded or deducted for incorrect answers.
The syllabus details the knowledge and understanding students are required to have in order to complete the examination successfully. Knowledge of new guidance, changes to standards, recent legislation, relevant current affairs and events related to internal auditing is also required.
Regardless of the sector in which the student works, it will be necessary to understand the role of internal auditing in the public, private and voluntary sectors, as detailed in the syllabus. Where there are variations in regulations and legislation, as exist, for example, between the UK and Ireland, students will only be expected to refer to what is relevant to their situation.
Work-related research project
The work-related project will be an opportunity for students to employ their learning in a practical context. They will be required to lead or participate in a specialist IT audit. They will apply the concepts and frameworks they have learnt in their studies, supported by further research into their particular area of specialism. They will analyse the outcomes of the audit, evaluate the approaches taken and present their work in the form of a report for assessment. The report should include references for the research undertaken and recommendations for undertaking future audits. The nature and scope of the project will be negotiated between the student, their manager and the course tutor. There will be no set word count or hours of activity, but guidelines will be given.
Students will need to apply an effective command of the English language, using technical terminology and standard formats as required. Due attention must be paid to standard conventions of grammar, spelling and style.
Grading
The examination will be marked and a percentage recorded. A minimum of 65% will be required for a Pass. The work-related research project will also be marked and graded, with a minimum of 50% required for a Pass. 'Merit' and 'Distinction' grades will be awarded for marks of 60% and above and 70% and above respectively. An overall grade for the award of Pass, Merit or Distinction will be made on the basis of the grade achieved in the work-related research project, provided the minimum pass mark has been achieved in the examination.
Aims and objectives
The aim of this module is to enable students to build upon and develop their expertise in risk-based internal auditing in the context of IT threats, vulnerabilities and controls. It will enable practising IT auditors to prepare and lead on IT audits requiring detailed technical knowledge and understanding of IT systems and processes. It provides specialist IT auditors with the skills to critically assess IT risks and communicate them effectively to middle and senior managers. The module prepares candidates for dealing with risks across the full spectrum of contingencies, including those associated with major IT transformation projects, in order to deliver the required level of assurance to the Board, embracing current trends and emerging technologies. It also develops the expertise needed to determine the need for external specialists and to engage them effectively.
The underpinning model used for analysing and evaluating risks is COSO ERM, mapped to UK and European legislation and ISO standards 20000 and 27000, and as such the module bridges the gap between organisational and IT objectives. In keeping with the International Professional Practices Framework the governance of information systems should support and sustain the strategic priorities of the organisation.
Those who have successfully completed the module will be able to:
• plan and lead internal audits that focus on the technical risks associated with the current use or planned introduction of information systems and processes
• identify IT risk in context and identify, analyse and assess the effectiveness of control measures in place to mitigate risks associated with complex IT systems and processes
• determine the need for and manage the effective use of additional IT experts
• critically assess and communicate associated risks of a complex nature to middle and senior managers
• contribute to the evaluation of the effectiveness of IT strategy and governance
• provide independent assurance on an organisation’s information security, integrity and resilience
• engage with other providers of IT assurance, such as compliance audits, quality assurance functions and other technical specialists
• contribute technical expertise to internal audits that require deep insight into complex areas of technical risks.
Knowledge and understanding
On completion of this module, students will have knowledge and understanding of:
1. Management of internal auditing in the IT environment
1.1 The information systems audit role, including
• objectives
• risk assessment
• audit planning and programmes
1.2 Vulnerability and penetration testing in the IT environment
1.3 Role of IT audit in relation to system development projects
1.4 Internal audit use of information systems and technology
1.5 Internal audit reporting
2. IT strategy and governance
2.1 IT strategies and links to corporate and business strategies and objectives
2.2 Organisation and management of information systems, including systems for
• managing people
• managing knowledge, information and data
• managing technology
2.3 Performance planning and IT service levels
2.4 Outsourcing, including:
• rationale, strategy and service level agreements
• control and audit implications
3. Management of projects and programmes
3.1 Systems development approaches
• project methodologies
• milestones and decision points
3.2 IT project management
3.3 Risks associated with projects and programmes, including
• in-house developments
• outsourced development projects
• package software
• end-user development
4. Management of infrastructure
4.1 Operating systems
• Concepts, components and functions
• Role of technical staff in configuration, patching and change control
4.2 Networks
• LANs and WANs, including control and security implications
• Internal audit approaches to LANs and WANs
4.3 Database systems
• database management system software and the role of the database administration function
• audit approaches to database software and systems
5. Management of information security
5.1 Security policies
• rationale, development and enforcement of policies
• audit involvement and objectives
5.2 Physical and environmental security
5.3 Business continuity management
6. Auditing of systems
6.1 Auditing application systems
• types and classifications of controls
• general approach to IT systems audits
• IT control frameworks, e.g. ISO 27001, COBIT
• internal audit approach to complex systems, e.g. ERP
• internal audit approach to emerging technologies
6.2 The internet
• risk assessment
• control, security and legal issues for the organisation
• audit approach
6.3 E-commerce
• risk assessment of e-commerce systems
• control and security issues relating to e-commerce
• internal audit approach to implementation and use of e-commerce systems