  • What is IT auditing? Its role, objectives, and applications in accounting, auditing, and taxation.

    IT auditing is the process of independently evaluating a company's IT systems, infrastructure, and operations. The goal is to ensure the system effectively protects assets, maintains the integrity and reliability of accounting data, operates according to established procedures, and adheres to business objectives. In the context of the digital economy, where all transactions and accounting records are conducted electronically, IT auditing becomes a crucial foundation, reinforcing stakeholder confidence in the accuracy and transparency of financial statements.

    In practice, the Accounting Law 2015 and the regulations on electronic transactions and information security require organizations to have robust IT control systems. Weak controls can lead to data inaccuracies, asset losses, and tax risks. IT audits have become mandatory to assess the effectiveness of the design and operation of these controls. This activity helps organizations manage risks and ensure the accuracy of transactions and accounting data in the digital environment.

    IT Auditing: Definition, Nature, and Crucial Role

    IT auditing is an independent professional field that assesses the effectiveness and completeness of internal control systems related to IT, ensuring security, integrity, and legal compliance. Unlike traditional financial auditing, IT auditing delves into digital infrastructure, software applications, databases, and incident management processes. In the context of digital transformation and e-taxation, this type of audit helps businesses ensure data accuracy, reduce legal risks, protect digital assets, and improve internal governance efficiency.

    The official definition and core concepts of IT auditing.

    IT auditing is defined as an independent professional field focused on evaluating the adequacy, appropriateness, and effectiveness of internal IT-related control systems. The goal is to ensure these systems support the organization in achieving its security, integrity, availability, and compliance objectives.

    Auditors will examine everything from accounting software applications, databases, and networks, to incident and change management processes. Unlike traditional financial statement audits, IT audits delve into the digital foundation where economic transactions occur and are processed.

    Interdisciplinary nature: The intersection of accounting, auditing, and technology.

    In the modern environment, the lines between accounting and IT systems have almost blurred. Electronic documents, electronic invoices, and online approval processes create a completely digitized data chain. Therefore, the accuracy of financial statements depends directly on the effectiveness of General IT Controls (GITCs) and Application Controls. IT auditing serves as the bridge to assess this close relationship.

    An IT audit assesses whether the system complies with Article 17 of the 2015 Accounting Law regarding the preparation of accounting documents, particularly electronic documents. IT auditors will examine controls on data storage (ensuring protection against alteration and loss), access controls (ensuring only authorized personnel are allowed to record transactions), and backup/recovery controls. The results of an IT audit provide essential evidence for financial statement auditors to form an opinion on the fairness and accuracy of the financial statements.

    The importance of IT auditing for digital transformation and electronic tax compliance.

    The importance of IT auditing is highlighted in the context of digital transformation, where data is considered a strategic asset. Electronic tax transactions and the use of electronic invoices under Decree 123/2020/ND-CP and Circular 78/2021/TT-BTC are examples of this: both are based on IT platforms. System failures or errors can cause widespread mistakes, leading to serious legal and tax consequences.

    Therefore, IT audits ensure that these systems not only function but also guarantee the authenticity, legality, and traceability of tax and accounting documents. Reliability in automated processes through IT audits helps businesses minimize the risk of penalties for tax violations. For public companies, transparency and data security through IT audits also contribute to improved corporate governance.

    The objectives and detailed scope of an IT audit.

    IT audits provide a comprehensive assessment of IT systems, from infrastructure and applications to data and operations, to protect the security, integrity, and availability of financial information. Aimed at ensuring efficiency, legal compliance, and data reliability, IT audits focus on general controls, application controls, change management, data backup, and security.

    This activity is fundamental to reducing the risk of errors and fraud and ensuring that financial reports accurately reflect the actual situation, especially in the context of digital transformation and electronic accounting.

    Core objective: Protection, assurance, and compliance (The CIA Triad and beyond)

    The objectives of IT audits are often expanded from the three basic control objectives (CIA Triad): Confidentiality, Integrity, and Availability, along with objectives related to business processes and governance.

    • Confidentiality: Ensuring that information is only accessed by authorized individuals or systems. In accounting, this is extremely important for sensitive information such as salaries, expenses, or customer data.
    • Integrity: Ensuring that data is accurate, complete, and reliable throughout its lifecycle. This directly impacts the reliability of financial statements.
    • Availability: Ensuring that the system and data can be accessed by legitimate users when needed. System disruptions can cause significant economic losses.
    • Effectiveness: Assessing whether the IT system effectively supports business and accounting objectives.
    • Compliance: Verifying compliance with internal and external regulations, including tax, accounting, and security laws. Compliance is the focus of any IT audit.

    Ensuring the integrity and reliability of accounting data.

    Data integrity is a vital element of accounting and auditing. IT auditing focuses on examining controls that ensure the completeness, accuracy, and timeliness of financial data. For example, it examines input controls such as sequence checks to ensure that no transactions are missed or duplicated.

    Auditors will examine processing controls to ensure that accounting calculations and business logic are executed correctly by the system. This is especially important for complex transactions such as depreciation calculations, inventory valuation (FIFO/Weighted Average), or VAT calculations. The assurance from IT auditors regarding data integrity is fundamental to minimizing the scope of substantive testing for financial statements.

    Detailed audit scope (infrastructure, applications, data, operations)

    The scope of an IT audit is very broad, encompassing every component of the IT system.

    Basic IT Audit Scope Classification Table

    | Audit area | Detailed description | Significant risks related to accounting |
    | --- | --- | --- |
    | Infrastructure | Evaluate network systems, servers, operating systems (OS), and storage devices. Inspect physical controls and security configurations. | System outage (resulting in no transaction recording); physical security vulnerability. |
    | General IT Controls (GITCs) | Access Control, System Development and Maintenance (SDLC), Change Management, Backup/Recovery. | Unauthorized alteration of accounting data; system errors due to uncontrolled changes; loss of financial data. |
    | Application Controls | Input/output control, processing control (automatic calculations), and segregation of duties (SoD) in the software. | Discrepancies in transaction recording; fraud through modification of electronic documents. |
    | Security and Data | Evaluate security policies, password management, and encryption of sensitive data (such as customer information and payroll details). | Violation of information security regulations; disclosure of sensitive business information. |
    | Operations | Incident management assessment, data center operations, business continuity planning (BCP), and disaster recovery planning (DRP). | Interruption of accounting operations; inability to complete the closing period. |

    Within the GITCs framework, IT audits must focus particularly on the Change Management process. According to auditing standards, any change to the core accounting system, however small, must be tightly controlled. A lack of control in this process is a common cause of errors and fraud in financial information systems.

    Legal framework and application standards for IT auditing in Vietnam

    IT auditing activities in Vietnam are based on both domestic legal frameworks and international standards. The Accounting Law 2015, the Electronic Transactions Law, Decree 85/2016/ND-CP, and Circular 78/2021/TT-BTC provide the legal basis for auditing electronic documents, accounting data, and electronic invoices. Simultaneously, COBIT, ISO 27001, and ITIL provide international standards for evaluating the effectiveness of IT control, security, and operations. IT auditing also supports the implementation of VSA 315 and VSA 330, helping financial statement auditors assess risks and ensure sufficient and accurate audit evidence.

    Vietnamese legal regulations related to auditing and IT.

    Vietnam has issued many important legal documents that provide a basis for IT auditing activities:

    • The 2015 Accounting Law, in particular, stipulates that accounting documents, ledgers, and financial reports must be prepared and stored electronically. This requires IT auditors to verify the legality and reliability of digitized documents.
    • The Electronic Transactions Act 2005: Provides a legal framework for the value of data messages, serving as the basis for determining the validity of electronic documents generated by accounting systems.
    • Decree 85/2016/ND-CP (on ensuring information system security according to levels): Defines technical and management requirements for information security, which is a core criterion for IT audits to assess compliance.
    • Circular 78/2021/TT-BTC (on electronic invoices): Requires the system to ensure the integrity, security, and ability to store electronic invoices for the specified period. This is a mandatory IT audit area.

    Referencing these laws in an IT audit report enhances the legal validity and weight of the recommendations, especially when those recommendations relate to improving controls to avoid administrative violations in accounting or taxation.

    International standards and formal control frameworks (COBIT, ISO 27001)

    In practice, professional IT auditors typically rely on globally recognized international standards and frameworks to conduct their assessments.

    • COBIT (Control Objectives for Information and Related Technologies): This is the most popular framework for enterprise IT governance and management, developed by ISACA. COBIT 2019 provides a comprehensive set of control objectives that IT auditors use to evaluate the design and operation of GITCs. COBIT is considered the backbone of all IT audits of internal controls.
    • ISO/IEC 27001 (Information Security Management System – ISMS): This framework focuses on establishing, implementing, maintaining, and continuously improving an information security management system. When conducting an IT security audit, auditors typically compare a company's current controls with the controls listed in ISO 27002 (code of practice).
    • ITIL (Information Technology Infrastructure Library): Focuses on IT service management. Auditors use ITIL to evaluate the effectiveness of IT operational processes, such as incident management, problem management, and change management.

    The role of Vietnamese Auditing Standards (VSA) in IT auditing.

    Although VSAs are not specialized IT standards, they still play a guiding role:

    • VSA 315 (Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment): Requires auditors to understand the client's IT environment to identify and assess risks. This forces financial statement auditors to draw on knowledge or expertise in IT auditing to complete VSA 315.
    • VSA 330 (The Auditor's Responses to Assessed Risks): If IT controls are assessed as effective, the auditor may minimize substantive testing and rely on control testing. Conversely, if the IT audit indicates weak controls, the scope of substantive testing must be significantly expanded.

    IT auditing plays a crucial role in gathering evidence regarding internal controls to meet VSA requirements, ensuring the completeness and appropriateness of audit evidence.

    Process and methodology for conducting IT audits.

    The process of conducting a professional IT audit typically follows standard stages, ensuring systematic and objective execution.

    Phase 1: IT Risk Planning and Assessment

    The first and most important step in an IT audit is planning, which begins with understanding the IT environment and assessing the risks.

    • Understanding the IT environment: Gather information about the IT organizational structure, key applications (especially ERP and accounting systems), network infrastructure, and current policies and procedures.
    • IT Risk Assessment: Identify potential threats and vulnerabilities that could affect the objectives of the financial information system. Classify risks by materiality level (high, medium, low). Common risks include unauthorized access, uncontrolled change, and data loss.
    • Establishing Scope and Objectives: Based on the risk assessment, clearly define the specific systems, processes, and controls that will be included within the IT audit scope. For example, if the Change Management risk is high, the audit focus will be on this process.

    Phase 2: Collecting and analyzing audit evidence

    This is the implementation phase, where IT auditors conduct audit procedures.

    • Interviews: Interview IT personnel and end users to gain a thorough understanding of the actual process.
    • Observation: Observe activities such as data backup procedures and physical access control to the server room.
    • Document review: Examine policy documents, procedures, system log files, and change management reports.
    • Tests of Controls: The Design Effectiveness Test determines whether the control is appropriately designed to prevent or detect the risk; the Operating Effectiveness Test verifies whether the control has operated effectively and consistently throughout the audit period.

    Computer-Assisted Audit Techniques (CAATs) and Tool Applications

    CAATs (Computer-Assisted Audit Techniques) are tools and techniques used by IT auditors to collect data, analyze information, and test automated controls.

    Summary table of examples of applying CAATs in IT auditing.

    | CAATs technique | Main purpose | Applications in accounting/auditing |
    | --- | --- | --- |
    | Data Analysis Software | Analyze the entire dataset (100% of transactions) to identify anomalies or fraudulent patterns. | Look for unusually large transactions and transactions approved outside of business hours, and check the completeness of invoice numbers. |
    | Test Data | Run test data (e.g., invoices with invalid product codes, incorrect dates) through the system to see if application controls are working. | Confirm that the system rejects transactions that do not meet the pre-programmed input controls. |
    | Embedded Audit Modules | Install modules into the production system to automatically record high-risk transactions. | Continuously monitor transactions made by privileged users or transactions exceeding threshold values. |
    | Control Flowcharting | Use software to create automated process flowcharts within the system. | Understand the accounting system's processing logic, which is crucial for identifying weaknesses in control mechanisms. |

    Using CAATs helps increase the effectiveness of IT audits and ensures that a wide range of electronic data is assessed.
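
    The data-analysis row of the table above, as an added example that is not part of the original article: a full-population test over an invoice register that checks invoice-number completeness, approvals outside business hours, and unusually large amounts. The CSV layout, user names, business hours and amount threshold are all assumptions, and the sample rows are constructed.

```python
"""Full-population CAATs checks over an invoice register (added example)."""
import csv
import io
from datetime import datetime, time

# Constructed export; the column names are assumptions, not a real ERP schema.
SAMPLE_CSV = """invoice_no,amount,approved_by,approved_at
INV-0001,1200000,lan,2024-03-04 09:15
INV-0002,850000,lan,2024-03-04 10:02
INV-0004,990000,minh,2024-03-04 23:47
INV-0005,78000000,minh,2024-03-05 14:30
INV-0005,78000000,minh,2024-03-05 14:31
INV-0007,430000,lan,2024-03-09 11:00
"""

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed policy
LARGE_AMOUNT = 50_000_000  # assumed review threshold, in VND


def load_register(text):
    """Parse the export into typed rows so every later test sees clean data."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice_no": rec["invoice_no"],
            "seq": int(rec["invoice_no"].split("-")[1]),
            "amount": int(rec["amount"]),
            "approved_by": rec["approved_by"],
            "approved_at": datetime.strptime(rec["approved_at"],
                                             "%Y-%m-%d %H:%M"),
        })
    return rows


def sequence_exceptions(rows):
    """Sequence check: return (missing, duplicated) invoice numbers."""
    if not rows:
        return [], []
    seen, duplicated = set(), set()
    for row in rows:
        if row["seq"] in seen:
            duplicated.add(row["seq"])
        seen.add(row["seq"])
    expected = set(range(min(seen), max(seen) + 1))
    return sorted(expected - seen), sorted(duplicated)


def out_of_hours(rows):
    """Invoices approved at a weekend or outside the assumed business hours."""
    flagged = []
    for row in rows:
        stamp = row["approved_at"]
        weekend = stamp.weekday() >= 5  # Saturday = 5, Sunday = 6
        in_hours = BUSINESS_START <= stamp.time() < BUSINESS_END
        if weekend or not in_hours:
            flagged.append(row["invoice_no"])
    return flagged


def large_transactions(rows):
    """Every row at or above the threshold (duplicates are kept on purpose)."""
    return [r["invoice_no"] for r in rows if r["amount"] >= LARGE_AMOUNT]


def audit_exceptions(text):
    """Run all three tests and return one exception report."""
    rows = load_register(text)
    missing, duplicated = sequence_exceptions(rows)
    return {
        "missing_numbers": missing,
        "duplicated_numbers": duplicated,
        "out_of_hours": out_of_hours(rows),
        "large": large_transactions(rows),
    }


if __name__ == "__main__":
    for test, hits in audit_exceptions(SAMPLE_CSV).items():
        print(f"{test}: {hits}")
```

    Each hit is an exception for the auditor to follow up against supporting documents, not a conclusion in itself.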

    Phase 3: Reporting and Recommendations

    The results of an IT audit are compiled into an Audit Report. This report should not only list the findings but also provide practical and highly feasible recommendations.

    • Findings: Detailed description of weaknesses in internal controls, including identified IT risks. For example: “System change controls did not require prior approval from business users before deployment, violating the Change Management policy.”
    • Impact: Explain the potential consequences of the findings, particularly the impact on the integrity of accounting data and the ability to comply with the law.
    • Recommendations: Suggest specific actions to address weaknesses. For example: “Request the IT department to revise the Change Management process to include an automatic Chief Accountant approval step for all changes affecting financial data.”

    Practical applications of IT auditing in the accounting, auditing, and tax sectors.

    IT auditing is a key element in accounting, auditing, and taxation, ensuring the accuracy, integrity, and legal compliance of financial data. This activity assesses overall IT control, application control, accounting automation, and electronic invoicing, helping to reduce the risk of errors, optimize financial statement testing, and ensure compliance with electronic tax regulations. Simultaneously, IT auditing detects fraud through the analysis of authorizations, system logs, and transaction data, becoming a crucial line of defense protecting assets, reputation, and improving corporate governance.

    Applications in financial statement auditing (General Computer Controls – GCCs)

    For financial statement auditors, the results of the IT audit regarding General Computer Controls (GCCs) are the basis for deciding on the audit approach. GCCs include controls on Logical Access, Change Management, and System Development.

    If the IT Audit confirms that the GCCs are operating effectively (e.g., only authorized personnel can access the system; all changes are fully tested and approved), the auditor may:

    • Minimize substantive testing: Rely on automated application checks instead of manually testing numerous transactions.
    • Increased confidence: Having a reliable basis for the data output from the system reduces audit risk.

    Conversely, if GCCs are weak, auditors are forced to consider the system unreliable and must perform extensive, time-consuming, and costly substantive testing. IT audits provide evidence to justify this decision.

    Assessment of Application Controls and Accounting Automation

    Application controls are pre-programmed controls within accounting software (e.g., ERP, sales software). IT audits evaluate three main types of application controls:

    • Input control: Ensure that data is entered accurately and completely. For example, the system should not allow the entry of transaction dates that are later than the current date.
    • Processing control: Ensuring data is processed accurately. For example, automatically calculating VAT based on a registered tax identification number.
    • Output control: Ensure that the output (reports, prints) is accurate and delivered to the right people. For example, payroll reports should only be printed after approval.

    IT audits utilize test data techniques to verify the functionality of these application controls. This ensures the accuracy of automated accounting entries, thereby significantly reducing the risk of errors in financial statements.

    Impact on tax administration and electronic invoicing (e-Tax)

    In the era of e-taxation, the use of electronic invoices is mandatory. IT audits play a crucial role in protecting businesses from tax compliance risks.

    • Invoice integrity: Verify that the storage system ensures that electronic invoices are not altered after being digitally signed and submitted to the tax authorities (Compliance with Article 7, Decree 123/2020/ND-CP).
    • Transmission security: Assessing security controls during the connection process with the General Department of Taxation's portal.
    • Data storage: Verify the ability to retrieve and store electronic invoices for the prescribed period (usually 10 years according to the Accounting Law).

    By strengthening IT controls through IT audits, businesses can be more confident in complying with complex e-tax regulations and minimize the possibility of penalties.

    The role of IT auditing in detecting accounting fraud (Fraud Detection)

    Fraud is often perpetrated by exploiting vulnerabilities in IT systems. IT audits help detect fraud by:

    • SoD (Segregation of Duties) Check: Analyzes user permissions within the accounting system to determine if anyone has sufficient authority to execute, record, and approve a transaction (e.g., creating a new supplier and approving payment to that supplier).
    • System log analysis: Using analytical tools to look for unusual activity (e.g., accessing data outside of business hours, repeated failed access attempts).
    • Data Forensics: Applying CAATs techniques to analyze entire transaction data, searching for patterns of fraud (e.g., Benford's Law algorithm to check the distribution of the first digit).

    IT auditing is an advanced line of defense that helps companies detect and prevent fraud in a timely manner, protecting assets and reputation.
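
    Two of the checks listed above, as an added example that is not part of the original article: a segregation-of-duties test that resolves each user's effective permissions from their roles, and a Benford first-digit test with a chi-square statistic. The role model, permission names, conflict rules and amounts are constructed, and the 5,000,000 approval limit is an assumption.

```python
"""SoD conflict test and Benford first-digit test (added example)."""
from collections import Counter
from math import log10

# Constructed role model; permission names are hypothetical.
ROLE_PERMS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve"},
    "gl_accountant": {"journal.post"},
    "controller": {"journal.approve", "payment.approve"},
}
USER_ROLES = {
    "lan": ["ap_clerk"],
    "minh": ["ap_clerk", "ap_manager"],  # conflict only appears in combination
    "hoa": ["gl_accountant"],
    "tuan": ["controller"],
}
# Pairs of duties that one person must not hold together (assumed policy).
CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("journal.post", "journal.approve"),
]


def sod_violations(user_roles, role_perms, conflicts):
    """Return (user, duty_a, duty_b, granting_roles) for each conflict held."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        granted_by = {}  # permission -> roles that grant it to this user
        for role in roles:
            for perm in role_perms.get(role, ()):
                granted_by.setdefault(perm, []).append(role)
        for duty_a, duty_b in conflicts:
            if duty_a in granted_by and duty_b in granted_by:
                roles_involved = sorted(
                    set(granted_by[duty_a] + granted_by[duty_b]))
                findings.append((user, duty_a, duty_b, roles_involved))
    return findings


CHI2_CRITICAL_DF8 = 15.507  # chi-square critical value, 8 d.o.f., alpha 0.05


def first_digit(amount):
    """Leading non-zero digit of the integer part, or None if there is none."""
    digits = str(abs(int(amount))).lstrip("0")
    return int(digits[0]) if digits else None


def benford_chi2(amounts):
    """Return (chi-square statistic, observed first-digit counts)."""
    counts = Counter(d for d in map(first_digit, amounts) if d)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no usable amounts")
    chi2 = 0.0
    for digit in range(1, 10):
        expected = total * log10(1 + 1 / digit)  # Benford probability
        chi2 += (counts[digit] - expected) ** 2 / expected
    return chi2, counts


def most_overrepresented(counts):
    """Digit whose observed count exceeds its Benford expectation the most."""
    total = sum(counts.values())
    return max(range(1, 10),
               key=lambda d: counts[d] - total * log10(1 + 1 / d))


# Constructed data: a log-uniform population, then the same population with
# 60 extra amounts placed just under an assumed 5,000,000 approval limit.
CLEAN_AMOUNTS = [round(1000 * 10 ** (k / 40)) for k in range(200)]
PADDED_AMOUNTS = CLEAN_AMOUNTS + [4_900_000 + 1_000 * i for i in range(60)]

if __name__ == "__main__":
    for finding in sod_violations(USER_ROLES, ROLE_PERMS, CONFLICTS):
        print("SoD conflict:", finding)
    for label, data in (("clean", CLEAN_AMOUNTS), ("padded", PADDED_AMOUNTS)):
        chi2, counts = benford_chi2(data)
        verdict = "review" if chi2 > CHI2_CRITICAL_DF8 else "consistent"
        print(f"{label}: chi2={chi2:.1f} -> {verdict}, "
              f"top digit {most_overrepresented(counts)}")
```

    A Benford deviation only tells the auditor where to look: fixed-price items and approval limits produce the same pattern as manipulation, so flagged digits are followed up with transaction-level testing.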

    Challenges and future trends in IT auditing.

    IT auditing faces challenges from cloud computing and AI, as many controls are vendor-centric and the transparency and accuracy of AI models need to be assessed. The demand for IT auditors skilled in both technical and accounting/tax expertise is increasing. This work involves examining critical controls such as logical access, change management, backup and recovery, segregation of duties, and network security, ensuring accounting data is safe, accurate, and compliant with the law.

    Challenges in the Cloud Computing and Artificial Intelligence (AI) Environment

    The shift to Cloud Computing poses a significant challenge for IT Auditors. In the Cloud model, much of the physical and general control (such as infrastructure management) is transferred to the Cloud Service Provider (CSP).

    • Scope of audit: Auditors cannot directly inspect data centers. They must rely on Service Organization Control (SOC) reports from CSPs.
    • Data compliance: Ensure that accounting data stored on the Cloud complies with Vietnamese law regarding geographical data storage locations. IT auditors need in-depth knowledge of cloud Service Level Agreements (SLAs) and Cloud security standards (such as those of the CSA – Cloud Security Alliance).

    The emergence of AI and Machine Learning in business processes (e.g., AI automatically classifying invoices, suggesting accounting entries) also requires IT auditors to develop new evaluation methodologies. It is necessary to assess the transparency and interpretability of these AI models and to check them for bias.

    The demand for high-quality IT auditors (CISA)

    The demand for highly qualified IT auditors is increasing. Big 4 auditing firms and large businesses all need individuals with professional certifications, especially the CISA (Certified Information Systems Auditor) certification from ISACA.

    IT auditors need not only technical knowledge but also a thorough understanding of accounting, tax, and business processes. They are individuals who are capable of:

    • Cross-departmental communication: Engage with both the Chief Financial Officer (CFO) and the Chief Information Officer (CIO) to propose comprehensive control solutions.
    • Applying the control framework: Master COBIT and ISO 27001 to implement IT audit procedures according to standards.

    Investing in training and developing an IT audit team is a vital strategy for any organization that wants to manage risk in the digital environment.

    Summary of IT controls in accounting

    To get a clearer picture, consider the aspects that an IT audit must cover:

    Summary table of control areas and their relationship to accounting data.

    | Control area | Target control | Impact on accounting data |
    | --- | --- | --- |
    | Logical Access Control | User access control, strong password policy. | Prevent unauthorized modification of accounting records and electronic documents. |
    | Change Management | Procedures for checking, approving, and recording system changes. | Ensure the continuity of the accounting system and avoid errors caused by uncontrolled software updates. |
    | Backup and Restore | Regularly back up data and test disaster recovery. | Ensure the availability and integrity of accounting data after an incident. |
    | Segregation of Duties (SoD) | Controlling overlapping authority within the system. | Prevent accounting fraud through collusion or abuse of power. |
    | Network Control | Firewall, Intrusion Detection/Prevention System (IDS/IPS). | Protect the confidentiality and integrity of accounting information from external threats. |

    IT auditors must gather sufficient evidence to conclude on the effectiveness of each of these control areas during their IT audit.

    Conclusion

    IT auditing is a crucial part of modern financial statement auditing, ensuring the transparency, accuracy, and legal compliance of digitized accounting data. It's a process of assessing financial and business risks from the technological environment, going beyond simply examining computers or networks. Professional IT audit reports provide insightful information into internal control gaps, helping to protect assets, improve operational efficiency, and strengthen investor confidence.

    Content production by: Mr. Le Hoang Tuyen – Founder & CEO MAN – Master Accountant Network, Vietnamese CPA Auditor with over 30 years of experience in Accounting, Auditing and Financial Consulting.

    FAQ – Frequently Asked Questions about IT Audits

    How does IT auditing differ from traditional financial statement auditing?

    IT audits assess the IT control system as the foundation for data production, unlike traditional financial statement audits which focus on the accuracy of the financial figures already generated.

    Which businesses need to conduct IT audits?

    Every business that uses IT to process critical financial transactions needs an IT audit, especially companies with complex ERP systems, large volumes of electronic transactions, or those subject to strict legal regulation.

    What is CISA certification and what is its role in IT auditing?

    CISA (Certified Information Systems Auditor) is the most prestigious international certification, certifying that professionals possess the knowledge and skills to assess, design, control, and ensure the compliance of IT systems.

    What are the most common control frameworks used in IT auditing?

    The main frameworks include COBIT (for IT Governance and Management) and ISO/IEC 27001 (for Information Security Management Systems).

    Can IT audits help detect accounting fraud?

    Yes, IT audits help detect fraud by analyzing user authorizations (SoDs) and using advanced data analysis techniques (CAATs) to look for unusual transactions.

    How do IT auditors address the challenges posed by Cloud Computing?

    IT auditors address the Cloud challenge by evaluating the Service Provider's SOC (Service Organization Control) report and reviewing compliance clauses in the SLA contract.
