Information technology auditing (IT auditing) began as electronic data process (EDP) auditing and developed largely as a result of the rise in technology in accounting systems, the need for IT control, and the impact of computers on the ability to perform attestation services. The last few years have been an exciting time in the world of IT auditing as a result of the accounting scandals and increased regulation. IT auditing has had a relatively short yet rich history when compared to auditing as a whole and remains an ever-changing field.
The introduction of computer technology into accounting systems changed the way data was stored, retrieved and controlled. It is believed that the first use of a computerized accounting system was at General Electric in 1954. During the time period of 1954 to the mid-1960s, the auditing profession was still auditing around the computer. At this time only mainframe computers were used and few people had the skills and abilities to program computers. This began to change in the mid-1960s with the introduction of new, smaller and less expensive machines. This increased the use of computers in businesses and with it came the need for auditors to become familiar with EDP concepts in business. Along with the increase in computer use, came the rise of different types of accounting systems. The industry soon realized that they needed to develop their own software and the first of the generalized audit software (GAS) was developed. In 1968, the American Institute of Certified Public Accountants (AICPA) had the Big Eight (now the Big Four) accounting firms participate in the development of EDP auditing. The result of this was the release of Auditing & EDP. The book included how to document EDP audits and examples of how to process internal control reviews.
Around this time EDP auditors formed the Electronic Data Processing Auditors Association (EDPAA). The goal of the association was to produce guidelines, procedures and standards for EDP audits. In 1977, the first edition of Control Objectives was published. This publication is now known as Control Objectives for Information and related Technology (COBIT). COBIT is the set of generally accepted IT control objectives for IT auditors. In 1994, EDPAA changed its name to Information Systems Audit and Control Association (ISACA). The period from the late 1960s through today has seen rapid changes in technology from the microcomputer and networking to the internet and with these changes came some major events that change IT auditing forever.
The formation and rise in popularity of the Internet and e-commerce have had significant influences on the growth of IT audit. The Internet influences the lives of most of the world and is a place of increased business, entertainment and crime. IT auditing helps organizations and individuals on the Internet find security while helping commerce and communications to flourish.
There are five major events in U.S. history which have had significant impact on the growth of IT auditing. These are the Equity Funding scandal, the development of the Internet and e-commerce, the 1998 IT failure at AT&T Corporation, the Enron and Arthur Andersen LLP scandal, and the September 11, 2001 Attacks.
These events have not only heightened the need for more reliable, accurate, and secure systems but have brought a much needed focus to the importance of the accounting profession. Accountants certify the accuracy of public company financial statements and add confidence to financial markets. The heightened focus on the industry has brought improved control and higher standards for all working in accounting, especially those involved in IT auditing.
The first known case of misuse of information technology occurred at Equity Funding Corporation of America. Beginning in 1964 and continuing on until 1973, managers for the company booked false insurance policies to show greater profits, thus boosting the price of the capital stock of the company. If it wasn't for a whistle blower, the fraud may have never been caught. After the fraud was discovered, it took the auditing firm Touche Ross two years to confirm that the insurance policies were not real. This was one of the first cases where auditors had to audit through the computer rather than around the computer.
In 1998 AT&T suffered an IT failure that impacted worldwide commerce and communication. A major switch failed due to software and procedural errors and left many credit card users unable to access funds for upwards this brought to the forefront our reliance in IT services and reminds us of the need for assurance in our computer systems.
The Enron and Arthur Andersen LLP scandal led to the demise of a foremost accounting firm, an investor loss of more than $60 billion, and the largest bankruptcy in U.S. history. Although Arthur Andersen were found guilty of obstruction of justice for their role in the collapse of the energy giant in the US District Court for the Southern District of Texas (and affirmed by the Fifth Circuit in 2004), the conviction was overturned by the U.S. Supreme Court in Arthur Andersen LLP v. United States. This scandal had a significant impact on the Sarbanes-Oxley Act and was a major self-regulation violation.