Auditing Information Systems and Controls

Corporate America is faced with a challenge today, a challenge unprecedented in our history. It has become a national imperative that corporations create audit programs and infrastructures to achieve audit readiness and guarantee the accuracy of corporate records. Executives should not and can not depend entirely on external audit reviews and recommendations. They must create internal audit programs and infrastructures to regain credibility and the confidence of shareholders. Meeting this challenge is critical to the survival and success of many business enterprises.


The federal government and leaders of our country are serious today in facing the challenges of corporate behavior and the dangers that have evolved, evidenced by the passing of the Sarbanes Oxley Act of 2002. The Act requires the certification by CEOs and CFOs regarding the accuracy of their financial statements and requires independent outside audit attestation of the operating effectiveness of controls and control structure over financial reporting. It imposes associated penalties for failure to comply. Pro-active corporations must establish the discipline of rigorous audit readiness programs and must ensure their continued successful execution. It is essential that internal audit committees take measures to install checks and balances and self-policing practices to ensure integrity within their corporations. This is not optional. CEOs today are legally responsible for the correctness of their financial statements.


IT Governance: The Only Thing Worse Than No Control Is The Illusion of Control focuses on a unique organizational structure and the mechanics of establishing an effective internal independent audit organization. It proposes the structure of an independent internal auditing group headed by a Chief Governance Officer (CGO) or Chief Accounting Executive (CAE) who reports directly to an audit committee, comprised of Board of Director members, who themselves must be totally independent. Independence is the most critical element in the success of this new audit approach and can not be emphasized enough. This will require an organizational change in most corporations and a revolutionary approach. Old paradigms in which the audit organization reported to the CEO or CFO will be discarded. These internal audit groups must serve as the eyes and ears for the public and Board of Directors. They will provide early warnings of inappropriate, fraudulent or ineffective practices and will report noncompliance with accepted basic control fundamentals and ethical behavior; they must do so without fear of reprisal.


Not only is it the responsibility of the Audit Committee to provide direction, but it is essential that every executive officer and their staffs be on board and be fully supportive of the internal audit infrastructure. It is the synergy of these organizations working together that is required to prepare us for successful audits and to improve business controls.


Education is critical and should be of paramount importance in addressing this problem. IT Governance: The Only Thing Worse Than No Control Is The Illusion of Control addresses the establishment of effective corporate governance, describes how to install a sound audit governance infrastructure, and describes how to establish effective IT controls. We have an opportunity to do better and we should. This book addresses not only how to comply with legislative mandates, but it also provides a roadmap, detailing steps on how to establish an infrastructure and audit readiness program to achieve compliance. In addition, there is a realization now by many corporations that the effectiveness of their business process controls is heavily dependent on the adequacy of their IT controls; this book focuses on the integration of business processes with IT controls.


This book addresses many facets of IT controls, from the formation of an effectiv