Sajid H. Khan
Executive Director
Technology and Security Risk Services
Ernst & Young Ford Rhodes Sidat Hyder
IS Environment (diagram)
• Back Office Batch Apps
• Online Integrated MIS
• Applications / ERP
• DAS
• E-Commerce / Home Computing
• Knowledge
Ernst & Young Ford Rhodes Sidat Hyder
Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit
Classification of Audits
• Financial audits
• Operational audits
• Integrated audits
• IS audits
• Specialized audits
• Forensic audits
Audit Objectives
• Confidentiality
• Integrity
• Reliability
• Availability
• Compliance with legal / regulatory requirements
Types of IT Audits (by governing framework or regulatory driver)
• COBIT
• COSO
• SOX
• ICFR
• BASEL II
• ITIL
CobIT and the ISACA audit framework
• Standards
• Guidelines
• Procedures
Standards (the S-numbered items are ISACA's IS Auditing Standards, which sit alongside CobIT rather than inside it)
S1 Audit charter
S2 Independence
S4 Professional competence
S5 Planning
S7 Reporting
S8 Follow-up activities
S10 IT Governance
S15 IT Controls
Auditor knowledge (diagram)
» Business
» Auditing
» Information Technology
• Considerations
• Planning
IS Control Objectives, Key Controls, Compensating Controls, Production
Knowledge: • Business • Technology • Best Practice
Tools and Methods: • Checklists • Work Programs • Automated Tools • Guidelines
Risk Assessment
Scoping
Application Scoping
Identification of Key and Compensating Controls at each layer:
• Application
• Operating System
• Database
IT Governance
• Policies and Procedures
• Compliance
• Security Environment
Management Controls
• Strategy
• DRP
• Security Policy
Application, Databases, Networks etc.
• IT General Controls
• Application Controls
• Optimizing Database Performance
• Reducing Network Vulnerabilities
IT Governance
– IT Strategic Planning
– IT Policies and Procedures
– IT Organization Structure
– Properly segregated duties
– Fraud Identification
– Training and Education
– Monitoring, and Risk Assessment
Business, Data, Processes (diagram)
ITGC Domains
• Change Management
• Logical Access
• IT Operations
Change Management
• Objective: To provide reasonable assurance that only
appropriately authorized, tested, and approved changes
are made to in-scope systems.
• Program Development/Acquisition
• Program change
• Maintenance (Ex: Database, Operating System)
• Emergency Changes
• Configuration/Parameter Changes (Ex: Physical hardware
configuration and parameter settings)
• Applications
• Interfaces
• DBMS (Database Management System)
• Network and Operating Systems (OS)
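A change-management ITGC test as an added worked example (not from the slides): it reconciles a production deployment log against change tickets and reports every deployment that lacks a ticket, whose ticket is not approved, that went out without test evidence, that was approved only after deployment (tolerated for emergency changes inside a retrospective-approval window), or whose developer also performed the deployment. The ticket fields, the log line format, the 24-hour emergency window and all records are constructed assumptions for illustration.

```python
"""Change-management ITGC test: reconcile production deployments to change tickets.

Added example, not from the slides. Ticket fields, the log format, the 24-hour
retrospective-approval window for emergency changes and every record below are
constructed assumptions; real evidence comes from the ticketing and deployment tools.
"""
from datetime import datetime, timedelta

# Constructed sample: change tickets as exported from the ticketing system.
TICKETS = [
    {"id": "CHG-101", "status": "approved", "tested": True, "emergency": False,
     "developer": "adoe", "approved_at": "2024-03-01T10:00"},
    {"id": "CHG-102", "status": "approved", "tested": False, "emergency": False,
     "developer": "jsmith", "approved_at": "2024-03-02T09:00"},
    # Emergency fix deployed at 02:15, approved retrospectively the same day.
    {"id": "CHG-103", "status": "approved", "tested": True, "emergency": True,
     "developer": "adoe", "approved_at": "2024-03-05T18:00"},
    {"id": "CHG-104", "status": "draft", "tested": True, "emergency": False,
     "developer": "adoe", "approved_at": None},
]

# Constructed sample: production deployment log, one line per deployment.
DEPLOY_LOG = """\
2024-03-01T14:30 ERP deploy=erp-2.4.1 ticket=CHG-101 by=jsmith
2024-03-02T11:00 ERP deploy=erp-2.4.2 ticket=CHG-102 by=jsmith
2024-03-05T02:15 ERP deploy=erp-2.4.3 ticket=CHG-103 by=oncall
2024-03-06T16:45 ERP deploy=erp-2.4.4 ticket=CHG-104 by=adoe
2024-03-07T09:10 ERP deploy=erp-2.4.5 ticket=- by=adoe
"""

# Assumed policy: an emergency change must be approved within 24 hours of deployment.
EMERGENCY_APPROVAL_WINDOW = timedelta(hours=24)


def parse_deploy_log(text):
    """Parse 'timestamp system key=value ...' lines into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        rows.append({"deployed_at": datetime.fromisoformat(ts), "system": system, **fields})
    return rows


def reconcile_changes(tickets, deploy_log):
    """Return (deployment, exception) pairs for deployments that fail the control."""
    by_id = {t["id"]: t for t in tickets}
    exceptions = []
    for d in parse_deploy_log(deploy_log):
        t = by_id.get(d["ticket"])
        if t is None:
            exceptions.append((d["deploy"], "no change ticket"))
            continue
        tid = t["id"]
        if t["status"] != "approved" or not t["approved_at"]:
            exceptions.append((d["deploy"], f"{tid} not approved"))
            continue
        if not t["tested"]:
            exceptions.append((d["deploy"], f"{tid} deployed without test evidence"))
        # Segregation of duties: the developer of a change must not deploy it.
        if t["developer"] == d["by"]:
            exceptions.append((d["deploy"], f"{tid} developer {d['by']} also deployed (segregation of duties)"))
        approved_at = datetime.fromisoformat(t["approved_at"])
        if approved_at > d["deployed_at"]:
            lag = approved_at - d["deployed_at"]
            if not t["emergency"]:
                exceptions.append((d["deploy"], f"{tid} approved after deployment"))
            elif lag > EMERGENCY_APPROVAL_WINDOW:
                exceptions.append((d["deploy"], f"{tid} emergency approval late by {lag - EMERGENCY_APPROVAL_WINDOW}"))
    return exceptions


if __name__ == "__main__":
    for deploy, issue in reconcile_changes(TICKETS, DEPLOY_LOG):
        print(f"{deploy}: {issue}")
```

Run against the sample, the script reports erp-2.4.2 twice (no test evidence, and the developer deployed it), erp-2.4.4 (ticket still in draft) and erp-2.4.5 (no ticket at all); the emergency change erp-2.4.3 passes because its retrospective approval landed inside the window.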
Logical Access
• Password Configuration
• Request access
• Approve access
• Provision access
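The logical-access tests above (password configuration, then request, approve and provision) as an added worked example that is not from the slides: the first function compares the configured password parameters with the policy, the second reconciles provisioned accounts to approved access requests, flags self-approved requests, and checks that HR leavers have been disabled. The policy values, field names and every record are constructed assumptions.

```python
"""Logical-access ITGC test: password parameters against policy, and account
provisioning reconciled to approved access requests and HR leavers.

Added example, not from the slides. The policy values, the field names and every
record below are constructed assumptions for illustration.
"""

# Assumed password policy (the standard the auditor tests against).
POLICY = {"min_length": 12, "max_age_days": 90, "history": 12,
          "lockout_threshold": 5, "complexity": True}

# Constructed sample: parameters as read from the system being audited.
ACTUAL = {"min_length": 8, "max_age_days": 90, "history": 12,
          "lockout_threshold": 0, "complexity": True}

# Constructed sample: access requests from the request workflow.
REQUESTS = [
    {"id": "AR-1", "user": "alice", "role": "AP_CLERK", "requested_by": "alice", "approved_by": "mgr1"},
    {"id": "AR-2", "user": "bob", "role": "AP_ADMIN", "requested_by": "bob", "approved_by": "bob"},
    {"id": "AR-3", "user": "carol", "role": "AP_CLERK", "requested_by": "carol", "approved_by": "mgr1"},
    {"id": "AR-4", "user": "dave", "role": "AP_CLERK", "requested_by": "dave", "approved_by": "mgr2"},
]

# Constructed sample: accounts and roles actually provisioned in the application.
ACCOUNTS = [
    {"user": "alice", "role": "AP_CLERK", "enabled": True},
    {"user": "bob", "role": "AP_ADMIN", "enabled": True},
    {"user": "dave", "role": "AP_ADMIN", "enabled": True},   # more than was approved
    {"user": "erin", "role": "AP_CLERK", "enabled": True},   # left the company
]

# Constructed sample: leavers per the HR termination report.
TERMINATED = {"erin"}


def check_password_config(policy=POLICY, actual=ACTUAL):
    """Return the parameters whose configured value is weaker than policy."""
    findings = []
    # Higher is stronger for these; a lockout_threshold of 0 means 'never lock'.
    for key in ("min_length", "history", "lockout_threshold"):
        if actual[key] < policy[key]:
            findings.append(f"{key}: configured {actual[key]}, policy {policy[key]}")
    if actual["max_age_days"] > policy["max_age_days"]:
        findings.append(f"max_age_days: configured {actual['max_age_days']}, policy {policy['max_age_days']}")
    if policy["complexity"] and not actual["complexity"]:
        findings.append("complexity: not enforced")
    return findings


def reconcile_access(requests=REQUESTS, accounts=ACCOUNTS, terminated=TERMINATED):
    """Return (user, exception) pairs. Every provisioned role must trace to a request
    approved by someone other than the requester, and leavers must be disabled."""
    approved = {}
    exceptions = []
    for r in requests:
        if r["approved_by"] == r["requested_by"]:
            exceptions.append((r["user"], f"{r['id']} self-approved"))
            continue
        approved[(r["user"], r["role"])] = r["id"]
    for a in accounts:
        if a["user"] in terminated and a["enabled"]:
            exceptions.append((a["user"], "terminated user still enabled"))
            continue
        if (a["user"], a["role"]) not in approved:
            exceptions.append((a["user"], f"{a['role']} provisioned without an approved request"))
    provisioned = {(a["user"], a["role"]) for a in accounts}
    for (user, role), rid in approved.items():
        if (user, role) not in provisioned:
            exceptions.append((user, f"{rid} approved but not provisioned"))
    return exceptions


if __name__ == "__main__":
    for f in check_password_config():
        print("password config:", f)
    for user, issue in reconcile_access():
        print(f"{user}: {issue}")
```

The sample yields two configuration findings (minimum length and lockout threshold) and six access exceptions, including bob's self-approved admin role, dave's admin role that exceeds the clerk role actually approved, and erin's still-enabled account after termination. Approved-but-unprovisioned requests are reported too, since they are usually a sign the provisioning step is bypassed elsewhere.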
IT Operations
• Job Scheduling
• Physical Access
Application Controls
– Edit Checks
– Validations
– Calculations
– Interfaces
– Authorizations
Application Controls
• Embedded Control
• Configurable Control
– Inspect configuration
– Re-performance via walkthrough
– Inspection of authorization
Data Analytics
– File access
– File reorganization
– Data selection
– Statistical functions
– Arithmetical functions
• Ease of use
• Training requirements
• Complexity of coding and maintenance
• Installation requirements
• Processing efficiencies
• Confidentiality of data being processed
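An added worked example, not from the slides, tying the Application Controls testing approach (inspect configuration, re-performance) to the Data Analytics functions listed above: a CAAT-style script selects the posted invoices for the period, re-performs three application controls over the whole population (an edit check against the vendor master, arithmetical re-calculation of each invoice total, and an authorization check against a two-approver limit) and produces summary statistics on the exceptions. The invoice fields, the approval limit, the vendor master and all records are constructed assumptions.

```python
"""Re-performing application controls over a full population with a CAAT-style
script: data selection, arithmetical re-calculation, an edit check against master
data, an authorization check, and summary statistics on the exceptions.

Added example, not from the slides. The invoice fields, the approval limit, the
vendor master and every record below are constructed assumptions.
"""
from decimal import Decimal

# Assumed configured control parameters (what 'inspect configuration' would read).
APPROVAL_LIMIT = Decimal("10000.00")      # above this, two distinct approvers are required
VENDOR_MASTER = {"V001", "V002"}          # vendors permitted on the vendor master

# Constructed sample: invoice export; lines are (quantity, unit price) as strings.
INVOICES = [
    {"inv": "INV-1", "vendor": "V001", "date": "2024-03-03", "posted": True,
     "lines": [("10", "25.00"), ("2", "100.00")], "total": "450.00", "approvers": ["mgr1"]},
    {"inv": "INV-2", "vendor": "V003", "date": "2024-03-04", "posted": True,
     "lines": [("1", "500.00")], "total": "500.00", "approvers": ["mgr1"]},
    {"inv": "INV-3", "vendor": "V002", "date": "2024-03-10", "posted": True,
     "lines": [("100", "150.00")], "total": "15000.00", "approvers": ["mgr1"]},
    {"inv": "INV-4", "vendor": "V002", "date": "2024-03-12", "posted": True,
     "lines": [("3", "40.00")], "total": "130.00", "approvers": ["mgr1"]},
    {"inv": "INV-5", "vendor": "V001", "date": "2024-03-20", "posted": True,
     "lines": [("1", "20000.00")], "total": "20000.00", "approvers": ["mgr1", "cfo"]},
    {"inv": "INV-6", "vendor": "V003", "date": "2024-03-21", "posted": False,
     "lines": [("1", "50.00")], "total": "50.00", "approvers": []},        # correctly rejected
    {"inv": "INV-7", "vendor": "V001", "date": "2024-04-02", "posted": True,
     "lines": [("1", "10.00")], "total": "10.00", "approvers": ["mgr1"]},  # outside the period
]


def select_population(invoices, start, end):
    """Data selection: posted invoices dated within [start, end] (ISO dates compare as strings)."""
    return [i for i in invoices if i["posted"] and start <= i["date"] <= end]


def control_failures(inv):
    """Re-perform the three application controls on one invoice; return the failures."""
    failures = []
    if inv["vendor"] not in VENDOR_MASTER:
        failures.append("edit check: vendor not on vendor master")
    recomputed = sum(Decimal(q) * Decimal(p) for q, p in inv["lines"])
    if recomputed != Decimal(inv["total"]):
        failures.append(f"calculation: lines total {recomputed}, invoice shows {inv['total']}")
    required = 2 if Decimal(inv["total"]) > APPROVAL_LIMIT else 1
    if len(set(inv["approvers"])) < required:
        failures.append(f"authorization: {len(inv['approvers'])} approver(s), {required} required")
    return failures


def reperform_invoice_controls(invoices=INVOICES, start="2024-03-01", end="2024-03-31"):
    """Return (exceptions by invoice id, population statistics)."""
    population = select_population(invoices, start, end)
    exceptions = {}
    for inv in population:
        failures = control_failures(inv)
        if failures:
            exceptions[inv["inv"]] = failures
    exception_value = sum(Decimal(i["total"]) for i in population if i["inv"] in exceptions)
    stats = {
        "population": len(population),
        "exceptions": len(exceptions),
        "exception_rate": round(len(exceptions) / len(population), 3) if population else 0.0,
        "exception_value": exception_value,
    }
    return exceptions, stats


if __name__ == "__main__":
    exceptions, stats = reperform_invoice_controls()
    for inv_id, failures in exceptions.items():
        print(inv_id, "->", "; ".join(failures))
    print(stats)
```

Over the five posted March invoices the script reports three exceptions: INV-2 posted for a vendor that is not on the master (the edit check did not work), INV-3 above the limit with a single approver (authorization), and INV-4 whose stored total does not equal its lines (calculation). Money is handled with Decimal rather than float so the re-calculation is exact to the cent, which matters when the tolerance is zero.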
• Exit interview
– Correct facts
– Realistic recommendations
– Implementation dates for agreed recommendations
• Presentation techniques
Audit Documentation
Thank You