IT Audit Basics


©2002 By Information Systems Audit and Control Association www.isaca.org

In response to requests from Journal readers, columnists Fred Gallegos and S. Anantha Sayana will explore the basics of the IT audit field in each issue of the Journal in 2002.

Maintaining IT Audit Proficiency—The Role of Professional Development Planning

By Fred Gallegos, CISA, CGFM, CDE


Frederick Gallegos, CISA, CGFM, CDE is an adjunct professor and MSBA-information systems audit advisor for the Computer Information Systems Department, College of Business Administration, California State Polytechnic University, Pomona, California, USA. He has more than 30 years’ experience in the information systems audit, control and security field. He has taught undergraduate and graduate courses in the IS audit, security and control field and is published widely.

Why the Need for Professional Development Planning?

The answer to the above question comes from the fact that we live in an ever-changing society. The world of business does not stand still. Technology, especially computing, has become indispensable to organizations’ activities. The COBIT Framework (Information Systems Audit and Control Foundation, 1996) and the updates to COBIT as of this date emphasize this point and substantiate the need to research, develop, publicize and promote up-to-date, internationally accepted, information technology control objectives. The primary emphasis of COBIT is that information needed by businesses is provided by technology and that, to ensure that the required qualities of information are met, the IT processes need to be controlled.

Historically, in its 1993 discussion paper, “Minimum Skill Levels in Information Technology for Professional Accountants,” and its 1992 final report, “The Impact of Information Technology on the Accountancy Profession,” the International Federation of Accountants (IFAC) acknowledged the need for better university-level education to address growing information technology control concerns and issues. The Institute of Internal Auditors’ (IIA) 1992 document “Model Curriculum for Information Systems Auditing” was developed to define the knowledge and skills required by internal auditors to be proficient in the information age of the 1990s and beyond. ISACA published the Model Curricula for Information Systems Auditing at the Undergraduate and Graduate Levels, first edition, in March 1998. Certifications such as CISA, CPA, CA, CISSP and CIA, with their continuing education requirements, have been drivers for professionals to maintain their currency and skill levels to practice their professions.

Today around the world, reports of white-collar crime, information theft, computer fraud, information abuse and other information technology control concerns are being heard more frequently. Yearly reports by the US Federal Bureau of Investigation and the Computer Security Institute have made organizations and management more conscious of the pervasive nature of technology across the business enterprise.

The increased connectivity of systems and open system environments have proven to be the lifelines of most business entities.

Information technology is used more extensively in all areas of commerce.

Due to the rapid diffusion of computer technologies and the ease of information accessibility, knowledgeable and well-educated IS auditors are needed to help ensure that more effective controls are in place to maintain data integrity and to manage access to information. The need for better controls over IS has been echoed in prior studies such as the report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), ISO 9000, the IIA’s Systems Auditability and Control Report, the Guidelines for the Security of IS by the Organization for Economic Cooperation and Development (OECD), and the US President’s Council on Integrity and Efficiency’s “Computer Audit Training Curriculum.” The foundation to this area is the Control Objectives for Information and related Technology (COBIT) Framework and all revisions and updates.

Essentially, technology has made three significant impacts in the business environment.

First, it has impacted what one can do in business in terms of information and as a business enabler. It has increased the ability to capture, store, analyze and process tremendous amounts of data and information. This has empowered the business decision-maker many times over. It also has become a primary enabler to various production processes and service processes. It has become a critical component to business processes. There is a residual effect in that the increased use of technology has resulted in increased budgets, increased successes and failures and increased awareness of the need to control.

Information Systems Control Journal, Volume 6, 2002

Second, technology has impacted controls significantly. While control objectives have in large part remained constant, except for some that are technology-specific, technology changes have altered the way systems should be controlled. Safeguarding assets as a control objective remains the same, whether manual or automated. However, the manner through which the control objectives are met certainly is impacted.

Third, technology has impacted the auditing profession in terms of how audits are performed (information capture and analysis, control concerns) and the knowledge required to draw conclusions regarding operational or system effectiveness, efficiency and integrity, and reporting integrity. Initially, the impact was focused on dealing with a changed processing environment. As the need for auditors with specialized skills regarding technology grew, so did the beginning of the information systems auditing profession.

The Information Systems Audit and Control Association (ISACA), formerly the EDP Auditors Association (EDPAA), was formed in Los Angeles in 1969. Since 1969, there has been a growing demand for well-educated and skilled IS audit professionals. IS auditing is a profession with conduct, aims and qualities that are characterized by worldwide technical standards and an ethical set of rules (Code of Professional Ethics). It requires specialized knowledge and often long and intensive academic preparation in business or commerce.

Often, where academic programs were unavailable, significant in-house training and professional development had to be expended by employers. Most accounting, auditing and IS professional societies believe that improvements in research and education will definitely provide a better developed, theoretical and empirical knowledge base for the IS audit function.

Finally, to maintain the Certified Information Systems Auditor (CISA) designation, the auditor must maintain his/her proficiency through continued education and training.

The breadth and depth of knowledge required to audit information technology and information systems are extensive. For example, IS auditing involves the application of risk-oriented audit approaches; the use of computer-assisted audit tools and techniques; the application of standards (national or international), such as ISO 9000-3, to improve and implement quality systems in software development; the understanding of business roles and expectations in the auditing of systems under development involving a complex systems development life cycle (SDLC) or new development techniques (e.g., prototyping, end-user computing, rapid systems or application development); and the auditing of complex technologies and communications protocols involving electronic data interchange, client/server systems, local and wide area networks, data communications, telecommunications and integrated voice/data/video systems. Also, IS auditors must apply their actual business experience to test computer-based controls as presented in the AICPA’s Statements on Auditing Standards (e.g., SAS No. 48, SAS No. 55, SAS No. 78 and SAS No. 82) and understand the theory and mechanics of what needs to be done. This requires continuous, ongoing training and development, part of the professional development plan.

The Importance of Professional Development Planning

An IS auditor’s professional development is as important to the individual and his/her career as it is to the company which commits training and resources to this position. A professional development plan and path offers the professional, such as an IS auditor, opportunities to grow and upgrade the level of services one can provide an organization. If a career path and development program do not exist, the chances of poor performance and turnover for this type of individual are high.

An organization must recognize that an IS auditor with the proper mix of training (formal and on-the-job), development of designated skills and increased level of knowledge and abilities provides a valued resource for potential managerial positions in corporate, financial and other operational areas. Among the various types of incentives for a professional, career advancement is one of the most effective. In recent surveys, some professionals rank career advancement higher than monetary reward. In the IS audit profession, a large percentage of professionals enter this field because they recognize the management visibility they receive from this position. These professionals are encouraged to attain professional certification (CISA, CPA, CISM, CA, CIA, CISSP, CQA, CFE, CGFM and others) and produce written professional products (such as published articles, papers or presentations) to transfer their experience and expertise to others. Experience and exposure in the audit profession often can provide opportunities in management.

In today’s environment, most organizations’ professional development planning for IS audit staff is insufficient. This is due largely to pressures of time and job performance. In most instances, individuals do not receive an appropriate mix of training and experience to adequately develop their knowledge, skills and abilities to progress within the organization. Thus, the career ladder and options open to the individual are not planned, nor formally defined, resulting in turnover and losses to outside organizations.

In a recent sample of 200 IS audit professionals from various companies (government and private), approximately 40 percent of the respondents indicated a lack of established career paths for IS auditors. Of this 40 percent, many stated they had considerable problems with hiring and retaining IS auditors.

How does an audit manager or organizational management design, develop and implement a professional development plan? The process of matching individual career paths with organizational objectives is not easy. Professional development is an important element to any organization; it should not be overlooked. The key components of such a plan are a defined career path with experiential development, training and expected knowledge—skills and abilities to be achieved as a person progresses up the career ladder.

A key point management should remember is that a professional development plan must be a viable, workable concept supported by management. It should not be another sales pitch to potential employees or a false promise to staff. Employee motivation and trust will be lost if they find out that the plan does not exist. This is when organizational management can lose its credibility with staff.


A functional and fully successful professional development plan should consist of at least six major areas, which are to be integrated into an established process within the organization.

These areas are:

• Career path planning with management support

• Definition of knowledge, skills and abilities

• Performance assessment

• Performance counseling/feedback

• Training

• Professional development

Each of these elements is a necessary component of an effective career development plan.

Methods Used to Train IS Auditors

In-house vs. Offsite Training

The most common method used is in-house training. This technique uses annual training and self-study materials. A graduate study from California State Polytechnic University’s MSBA, IS audit program, undertaken by Aleksandra Looho, past president of the Los Angeles Chapter of ISACA and now a practicing professional in the IS audit field, found that more than 60 percent of the IS audit, control and security respondents received their training through these two methods. One-third of them received annual training only, and 36 percent received training from self-study materials only. Twenty-six percent of the respondents received a combination of both annual training and self-study materials.

A relatively inexpensive method of training, video conferencing, is used rarely (less than 19 percent) to train IS auditors.

Only one respondent noted that he/she received training through teleconference, video, CBT (computer-based training) and/or development series in the past five years. Twelve percent of the respondents indicated that they received “other in-house training” in addition to annual in-house training. A combination of annual training, video conferencing and self-study materials was used to train 12 percent of the respondents.

The survey results confirm that the main venues used to train IS auditors are seminars/workshops (94 percent). Almost 40 percent of respondents indicated that seminars/workshops are the only type of training they received in the past five years. Close to 26 percent of respondents received a combination of seminar/workshop and vendor software training.

In the past five years, almost 30 percent of IS auditors attended a university as part of their training program. Many indicated that they would like to see universities offer more training directed at information systems audit, control and security professionals. This is a result of ISACA’s efforts to identify and support model curricula. The first was published by ISACA in 1998 and can be found at www.isaca.org/modelc1.htm. Under the direction of Dr. Alan T. Lord of Bowling Green State University (Ohio, USA), international efforts are underway to update the first version. The training can be at two levels, development of professionals for entry and follow-up training for professionals in the field. Eleven percent of respondents were able to receive a combination of all three methods indicated on the survey (seminar/workshops, vendor software and university). Less than 4 percent experienced all six methods of training.

Worldwide, universities have been responding to the needs of the IS audit profession. At the undergraduate level, they have begun to integrate IS courses into their accounting programs, as well as accounting or finance courses into their IS programs. At the graduate level, several universities have implemented and maintained IS audit programs successfully. These universities aim to meet the growing demand for entry-level knowledge, skills and abilities. A partial list of such universities can be found at www.isaca.org/univ1.htm.

Differences in Training/Development Plan Among Position Levels

As part of the Looho study, respondents were asked to comment on how training/development plans vary depending on one’s level in his/her company. This question was designed as an open question; 67 percent of respondents commented on the question.

Overall, more than 80 percent thought that there is a difference in training requirements among different levels. For example, a staff member attends a different level of training from that attended by his/her manager. However, this is not true for government auditors due to limited funding and government regulation.

An overwhelming response indicates that staff receives more hands-on technical training than managers do. IS auditors who have reached the management level receive more training in sales/marketing, people skills, communication, negotiation, strategic planning, time management and overview of the big picture. Fifty percent of external auditors and 42 percent of internal auditors agreed with this remark.

The result of this question contradicts a previous study that researched the need for training in different stages of one’s career. The study found that individuals in later stages of their careers receive less training in communication, management and human resources skills. This is perhaps because they believed they had learned these skills earlier in their careers.

Professional Development Plan

A professional development plan is focused on the continuing professional development of the IS auditor. In IS auditing, there are a number of professional organizations which can support the varied professional interests of the IS auditor. Also, many of these organizations support professional certification as a method of establishing measures of professional competence for a specific discipline. The IS auditor should be encouraged to continue his professional development and seek certification to enhance his professional status and development. This can be a developmental goal set between management and the individual. Also, it can become a performance goal which, once achieved, can reward the staff member with a bonus or quality step increase to present salary as a means of organizational recognition of professional accomplishment.

Besides certification, the individual may want to develop himself/herself through continued education beyond a bachelor’s degree level. Many local colleges and universities throughout the country offer post-bachelor certificate programs or advanced degrees at a master’s or Ph.D. level in business administration, accountancy, computer information systems, etc., which provide more formal development of a person’s knowledge, skills and abilities. Again, such training-related goals should be part of a career development plan and performance contract. Such integration will provide accountability to the individuals and the companies for which they work.

Activity in professional associations is the final measure of professional development. An individual’s active commitment to serve on professional association boards and take an active role in development of a professional association often goes unnoticed and is seldom rewarded. Again, a career development plan could include a requirement for enhancing the individual’s professional knowledge, skills and abilities through his/her involvement in external professional associations. Such involvement can be beneficial to the individual as well as the company. For example, involvement in professional associations builds management skills and professional contacts that share information of mutual concern. For the company, IS auditors who are amply recognized by external professional organizations for professionalism and expertise transfer those intangible benefits to the organizations for which they work.

Conclusion

The IS audit career development process should be institutionalized and supported by management. The process itself involves: the establishment and integration of career path planning; definition of career path knowledge, skills and abilities; performance measurement; performance counseling; training; and professional development. Each element requires institutional support and commitment to make it work. Like any process, it requires time, refinement and improvement to make it work effectively.

The investment in establishing such a process in an organization is small compared to the long-range benefits it can bring. An example of such a benefit can be in the form of experienced management cadre who can effectively understand, use and manage the information systems flow within the organization. These cadre were formerly IS auditors who capably developed their individual knowledge, skills and abilities to successfully make a transition into financial, operational or corporate management positions.

As a practitioner and educator in this field for more than 30 years, this author is proud to say that many of his graduates have taken what was taught in the classroom and developed their own professional development plan. Some are still in the field of IS auditing, and many have moved on to the functions and structure of corporate management. They continue to learn, apply and evolve as business professionals with a firm understanding of control structures, aware that they must change and adapt to new challenges that technology brings with it to the business place. Many have said membership in professional organizations, such as ISACA, provided the starting point for their professional development. It reinforced their passion and commitment to the field, with colleagues of common interest, and started them on a path of establishing their professional networks. Professional development planning goes a long way toward maintaining IT audit proficiency, but professional involvement goes even farther.

References

Information Systems Audit and Control Association, Model Curricula for Information Systems Auditing at the Undergraduate and Graduate Levels, first edition, March 1998

Kneer, Daniel, et al., “Information Systems Audit Education,” Information Systems Audit and Control Journal, volume 4, 1994, ISACA

Gallegos, Frederick, “Computer Information Systems Audit Career Development,” EDP Auditors Journal, volume 1, 1991

Gallegos, F., Daniel Manson and Sandra Senft-Allen, Information Technology Control and Audit, Auerbach, 1999

Gallegos, F., R. Richardson and F. Borthick, Audit and Control of Information Systems, Southwestern, 1987

Gallegos, F., “Educating Auditors for the Twenty First Century,” EDPAC96 Conference, Perth, Australia, May 1996

Katsikas, Sokratis K., “A Proposal for a Post Graduate Curriculum in Information Security, Dependability and Safety,” ERASMUS New Technologies Pub., Greece, 1994

Looho, Aleksandria and F. Gallegos, “IS Audit Training Needs for the 21st Century: A Selected Assessment,” International Association for Computer Information Systems Conference, Las Vegas, Nevada, October 4-7, 2000

Cangemi, M. and F. Gallegos, “CIS Auditing: A Career Plan,” New Accountant, February 1991

Soo, Harry, “Reassessment of MSBA-IS Audit Program,” California State Polytechnic University, Pomona, California, June 1991, pp. 30-55

