THE OFFICE OF THE STATE AUDITOR JOB DESCRIPTION
INFORMATION SYSTEMS (IS) AUDITOR
Salary Grade: 77
Description of Work
The purpose of an IS Auditor is to provide an independent verification
of the reliability of information processed on a computer system. To accomplish
this purpose, the IS Audit Specialist must review the general and application controls
of a computer environment, test those controls to verify that they are both present
and effective, and evaluate the reliability of the system of internal controls as
they relate to the computer operations for the expression of an opinion on the financial
statements.
This position will assist the financial auditors in the preparation
of the auditor's opinion on the financial statements by providing an evaluation
of the internal controls surrounding the computer operations.
Examples of Duties
The duties and responsibilities of an IS Auditor can be described
as:
- To assist in performing the financial audit of computerized
applications, including the identification and testing of transactions from inception
through posting to the agency's general ledger.
- To review the physical security of a computer installation by
evaluating the accessibility of the computer room, disaster recovery procedures,
and control over negotiable instruments.
- To review the control over storage media in the data library
by concentrating on the control and retention of data media (e.g., tapes, disks,
cards, and printouts).
- To review record layouts and systems documentation by extracting
and analyzing data using audit software.
- To analyze operational systems for control weaknesses, to ensure
that applications comply with organizational policies and procedures. Auditors analyze
system documentation, consult error listings, talk with systems personnel, and use
such tools as audit software and test data.
- To analyze systems under development for control weaknesses.
Auditors assist the development team at various points throughout the systems development
cycle to ensure that controls are adequate before the system becomes operational.
- To evaluate system performance. This audit determines whether
applications are economical, effective, and logically secure. Auditors review systems
documentation, analyze production runs, and talk with system users and designers.
Audit tools include hardware and software monitors, test decks and integrated test
facilities.
- To evaluate software packages and recommend implementation of
control features. The auditor determines whether a software package offers sufficient
control features. This assessment involves evaluating vendor documentation and discussing
control with vendor personnel.
- To provide technical assistance to financial auditors. The IS
auditor should support financial auditors conducting audits by evaluating applications
control, extracting required data, and performing other tasks requested by the financial
auditors.
- Provides guidance as to the audit standards that are to be followed
by providing audit programs tailored to the specific engagement. The IS Auditor
should be able to work independently of constant supervision while performing the
field work; however, regular reviews of the audit workpapers and results of audit
tests are performed.
Guidelines and standards from the IS Auditors Association, American
Institute of Certified Public Accountants, General Accounting Office, and other
recognized IS auditing authorities are provided to the IS Audit Specialist for reference.
The IS Auditor would be in contact with the general public, technical
computer staff of the agency, executive personnel of the agency, and program staff
of the agency.
Audit work would be reviewed throughout the audit process by the
supervisor looking for completeness, accuracy, reliability and reasonableness. The
results of the audit work directly affect the opinion issued on the financial statements.
More importantly, the IS Auditor affects the security surrounding the computer operations,
the ability for continued operations in the event of disaster, and the reliability
of data processed by the computer. At the highest level, the continued operations
of state government depend on the work of the IS Auditor. Other areas that may be
affected by the auditor's work are the state's bond rating, federal programs results
and cost sharing, and any other program that relies on accurate results from data
processed by the computer.
The IS auditor would be assigned to an office environment that includes
a computer operations center. Equipment used in the auditor's work would likely
include a personal computer and mainframe computer, audit software, programming
languages, and professional materials. Much of the IS auditor's work will be in
front of a computer terminal or reviewing documentation and programs. The auditor
must design programs that produce accurate and reliable results.
In order to evaluate the effectiveness of controls, computer programs
written by other programmers will need to be reviewed. This effort will require
mental concentration to be able to follow the logic and see that the actual code
follows that logic.
The evaluation of physical security includes the review of fire protection
and security.
Normal work hours would be from 8:00 a.m. to 5:00 p.m.; however,
work would have to be done when computer time was available on the agency computer
and on second or third shift to ensure that controls are effective after normal
working hours.
The duties of the IS Audit Specialist have been described only recently
because of the increased reliance on the computer and the data processed by the
computer.
Recruitment Standards
Knowledge, Skills and Abilities
A general knowledge of computer systems, analysis, design, and programming language(s):
The auditor must be able to recognize and understand DP terminology
and understand the difference between manual and electronic data processing. The
auditor should understand how a system functions and be familiar with input, processing,
and output concepts as well as data storage and retrieval. The auditor should be
able to use flowcharts to pinpoint system control areas and problems. He/she should
be able to read record layouts and understand that data is coded, truncated, and
modified during processing. The auditor must be able to follow the agency's computer
installation work flow to determine what must be protected and to discern general
security threats and risks.
An understanding of computer logic, data, security, and operations:
The auditor should be able to identify simple extracts of data for
testing by reading the record layout, recognizing the point in the system where
the extraction should occur, and specifying the report needed. The auditor should be
able to prepare test data and program audit software to accomplish desired test
results.
Some knowledge of application planning, design, review, and implementation:
The auditor should have some understanding of computer operations
and be able to write or understand simple JCL. He/she should know a standard programming
language and be capable of writing programs in that language.
A general understanding of accounting and control procedures, methods, and philosophies:
The auditor must understand double-entry bookkeeping, governmental
accounting, and how the information from a system is processed into financial statements.
A working knowledge of audit concepts and standards.
The ability to perform audit responsibilities and work with management:
The auditor should assume responsibility for executing an audit,
including entrance and exit conferences with user management as well as report writing.
The auditor must be able to communicate with agency personnel in technical areas
and on sometimes very controversial topics.
Minimum Education and Experience
The minimum level of formal education necessary to aid a person in
developing the entry skills is a four-year degree from a college or university,
including or supplemented by twenty-four semester hours in accounting plus a minimum
of twelve semester hours of computer science or a BS/BA degree in computer science
supplemented by a minimum of twelve semester hours of accounting.
The auditor should attend a training course introducing him to the
areas of control in an IS environment. Such courses are available through the EDPAA
or private consultants.
Five years of experience in auditing and/or computer programming,
or systems analysis, including at least two years' experience in IS auditing. An
equivalent combination of education and experience may be substituted. A CPA certificate,
a CISA certificate (Certified Information Systems Auditor), or a CDP (Certificate
in Data Processing) may be substituted for two years of the required education or
two years of the required experience.
Revised 08/2004