Contents
PART I ........ 1
  INTRODUCTION ........ 1
PART II ........ 12
PART IV ........ 32
PART V ........ 38
PART VI ........ 41
Acronyms
PART I
1. INTRODUCTION
1.1 Introduction
As computer technology has advanced, organizations, and financial institutions in particular, have become increasingly dependent on computerized information systems to carry out their business operations and service delivery.
The continuous development of information technology and data processing power has changed, time and again, the way organizations run their business. The banking industry has likewise been positively affected by the revolutions in this area.
As a bank, Cooperative Bank of Oromia shares in the impact of technological advancement, and technological transformation helps the bank improve the efficiency of its business processes.
In the effort to fulfil the mission stated in the bank's strategic document, "use of technology", and to gain competitive advantage in the banking industry, the bank has implemented information systems to automate its business processes; as needs have grown, the bank has changed and updated these information systems to accommodate its business process needs.
Cooperative Bank of Oromia increased its server capacity and changed its core banking system from OMNI to the T24 system. In addition, other new systems have been implemented or are in the process of going live to support the bank's business processes. Furthermore, integration with other systems, such as those of fintech companies, is mandatory to remain competitive in this dynamic banking industry.
However, change comes with its mirror image, risk, which is associated with the business and with the use of information systems. Therefore, the risks should be identified and the required controls should be in place in order to safeguard the business operation's
Note: For additional guidance, see standards 1002 Organizational Independence, 1003 Professional Independence, 1004 Reasonable Expectation and 1005 Due Professional Care, as well as the related guidelines 2002, 2003, 2004 and 2005.
Note: For additional guidance, see standard 1006 Proficiency and guideline 2006 Proficiency.
IS audit is the formal examination and/or testing of information systems to determine whether:
• Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
• Information systems and related processes comply with governance criteria and the related, relevant policies and procedures.
• IS data and information have appropriate levels of confidentiality, integrity and availability.
• Information system operations are being accomplished efficiently and effectiveness targets are being met.
During the audit process, an IS auditor reviews the control framework, gathers evidence, evaluates the strengths and weaknesses of internal controls based on the evidence, and prepares an audit report that presents weaknesses and recommendations for remediation to stakeholders in an objective manner.
Each phase of the audit process is subsequently divided and broken down into more specific steps and activities to plan, perform and report the results of the engagement based on the evidence gathered through audit tests. Each step is presented in a separate chapter of this guideline.
ISACA IS Audit and Assurance Standards are divided into three categories:
1. General: provide the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with an IS auditor's ethics, independence, objectivity and due care, as well as knowledge, competency and skill.
2. Performance: deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
1.9 Scope
1.10 Organization of this guideline
This document is organized into six parts; additional important content and formats are included under the appendices.
I. Part One is the introduction, which establishes the general direction and creates a good understanding of this guideline.
II. Part Two is planning; this part describes all necessary steps the auditor
1.11 Responsibility
IS audit can be a part of internal audit, function as an independent group, or be integrated within a financial and operational audit to provide IT-related control assurance to the financial or management auditors. Therefore, the audit charter may include IS audit as an audit support function.
The charter should clearly state management's responsibility and objectives for, and delegation of authority to, the IS audit function. The highest level of management and the audit committee, if one exists, should approve this charter. Once established, this charter should be changed only if the change can be and is thoroughly justified.
An audit charter is an overarching document that covers the entire scope of audit activities in an entity, while an engagement letter is more focused on a particular audit exercise that is to be initiated in an organization with a specific objective in mind. If IS audit services are provided by an external firm, the scope and objectives of these services should be documented in a formal contract or statement of work between the contracting organization and the service provider. In either case, the internal audit function should be independent and report to an audit committee, if one exists, or to the highest management level, such as the board of directors.
Note: For additional guidance, see standard 1001 Audit Charter and guideline 2001 Audit Charter.
PART II
1. The auditors need to have a clear understanding of the bank's strategy; the strategy is realized through the achievement of a set of organizational goals. Usually, the goals are structured along the balanced scorecard.
2. Good understanding of the bank's goals.
3. Understanding of the risk profile of the bank: a risk profile identifies the sort of IT-related risks to which the bank is currently exposed and indicates which areas of risk exceed the risk appetite.
4. Good understanding of current IT and IT-related issues.
5. Understanding of the organization's (bank's) uniqueness:
a. Importance of the technology, based on the nature of the business
b. Infrastructure deployment and the risks associated with the use of technology
6. Operating environment
Related frameworks, such as ITIL, on service support and delivery with higher reliability and lower cost.
iii. The information system auditor must see and properly examine the bank's annual plan and strategy document so that the auditor is able to understand the operational plan.
iv. The information system auditor must understand centralized and decentralized IT functions.
v. The auditor must identify centrally managed IT functions that support the entire organization or larger portions of it.
vi. Understanding of the IT support process
1. The IS audit practitioners need to understand the standardized support process across the organization's operating units, which includes:
a. Service desk activities
b. Change management
c. Configuration management
d. Release management
e. Incident management and
f. Problem management
2. The IS auditor should understand support service requests and lifecycle management, and needs to understand whether a framework such as ITIL (Information Technology Infrastructure Library) is in place.
vii. Understand and identify regulatory requirements and industry standards while implementing internal controls, risk management practice and the privacy of personally identifiable information; these include:
a. Sarbanes-Oxley Act and Basel II Accord
b. Protection of customer information in the credit card industry (GLBA and the PCI DSS)
viii. Audit subject area definition
a. Personal influence and staffing considerations should be avoided when defining the IT audit subject areas.
b. The IS auditors should figure out how to divide the environment in the manner that provides the most efficient and effective audit.
c. The goal should be an IT audit plan that focuses on the highest-risk areas, where the auditors can add the most value.
ix. The business applications audit plan and its oversight should be determined by the Chief Internal Auditor.
x. Depending on how the audit function operates, this can be included in the IT audit universe or in both.
xi. The audit of business applications should be done in collaboration with the application's user process or team.
xii. The audit practitioners should assess risk per audit subject area.
Information system audit practitioners should understand the business objectives and risks, and must also identify the role of supporting technologies such as the company network, the e-mail system, encryption software and other systems, if they exist.
The IIA defines risk as the possibility that an event will occur that could affect the achievement of objectives, measured in terms of impact and likelihood. Therefore, it is vitally important for the organization to determine the contents of its risk portfolio periodically and to perform activities to manage risk to an acceptable level.
Risk analysis is the process of estimating the two essential properties of each risk scenario:
Frequency: the number of times in a given period (usually a year) that an event is likely to occur.
Impact: the business consequence of the scenario.
When performing a risk assessment, the IT audit practitioners should observe the following:
➔ Risk assessment should be conducted after the IT audit universe is determined and its linkage to the business objectives is properly identified, considering:
a. Infrastructure
b. Applications and
c. Computer operations or components that pose the greatest threat to the organization's ability to ensure system and data availability, reliability, integrity and confidentiality.
Auditors need to identify the effectiveness and usefulness of the risk assessment results, which should be predicated on the methodology employed and its proper execution.
b. Management and the Board of Directors need to determine the level of risk acceptable to the bank, including the acceptance of risks taken in order to accomplish the organization's strategic plan.
c. Risk mitigation activities need to be designed and implemented to reduce or otherwise manage risk to levels acceptable to management and the Board.
d. Ongoing monitoring activities need to be conducted to reassess risk periodically, together with the effectiveness of the controls that manage the risk.
e. The Board and management need to receive periodic risk management process reports. The organization's corporate governance process should also provide periodic communication of risks and risk strategies to stakeholders.
➔ The IT auditors should identify and understand the IT strategy and how it is aligned with the overall organization-level strategies and business objectives.
➔ The Chief Internal Auditor and the IT auditors need to obtain documents that show the relationship between the organization's strategic plan and the IT strategy.
➔ The IT auditor needs to determine the IT universe by performing an inventory of the systems, to determine which IT areas need to be reviewed from a risk and controls perspective.
There are three types of risk factors in common use:
1. Subjective risk factors. Measuring risk and its impact requires a combination of expertise, skills, imagination and creativity. This emphasis on subjective measurement is borne out in practice: many auditable units change so much between audits that prior audit history is of little use. Therefore, an experienced auditor's sound subjective judgment is just as valid as any other method.
2. Objective or historical risk factors. Measuring risk factor trends can be useful in organizations with stable operations. In all cases, current objective information is helpful in measuring risk.
3. Calculated risk factors. A subset of objective risk factor data is the class of factors calculated from historical or objective information. These are often the weakest of all factors to use, because they are derivatives of risk factors that lie further upstream.
Risk assessment matrix (each IT risk factor is rated for likelihood, L, and impact, I):

                                          IT Risk
Area | Quality of internal control | Change in audit unit | Confidentiality | Availability | Integrity | Financial impact | Score and levels
     |          L    I             |        L    I        |      L    I     |    L    I    |   L    I  |      L    I      |
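A worked example of the scoring this matrix implies, added here as illustration and not part of the guideline: each audit subject area is rated for likelihood (L) and impact (I) on every factor in the matrix, L x I is taken per factor, the factor scores are summed into an area score, and the score is mapped to a level. The 1 to 5 rating scale, the level thresholds, the area names and the sample ratings are assumptions of this example; the guideline gives none of them.

```python
"""Risk scoring for IT audit subject areas.

Added example for the risk assessment matrix above; it is not part of the
guideline. Each audit area is rated for likelihood (L) and impact (I) on every
IT risk factor in the matrix, the factor score is L x I, the factor scores are
summed into the area score, and the score is mapped to a level. The 1..5
rating scale, the level thresholds and the sample ratings are assumptions.
"""
from dataclasses import dataclass

# The six IT risk factors named in the matrix.
FACTORS = (
    "quality_of_internal_control",
    "change_in_audit_unit",
    "confidentiality",
    "availability",
    "integrity",
    "financial_impact",
)

SCALE_MIN, SCALE_MAX = 1, 5  # assumed rating scale for both L and I

# Assumed level thresholds on the area score (maximum is 6 factors x 25 = 150).
LEVELS = (("High", 90), ("Medium", 45), ("Low", 0))


@dataclass
class AreaRating:
    """One row of the matrix: an audit area and its (L, I) pair per factor."""
    area: str
    ratings: dict  # factor name -> (likelihood, impact)


def validate(rating):
    """Reject rows with missing factors or ratings outside the scale."""
    missing = [f for f in FACTORS if f not in rating.ratings]
    if missing:
        raise ValueError(f"{rating.area}: missing factors {missing}")
    for factor, (likelihood, impact) in rating.ratings.items():
        for value in (likelihood, impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{rating.area}: {factor} rating {value} is off scale")


def factor_score(likelihood, impact):
    """Score of one factor: likelihood times impact."""
    return likelihood * impact


def area_score(rating):
    """Sum of L x I over all factors for one audit area."""
    validate(rating)
    return sum(factor_score(l, i) for l, i in rating.ratings.values())


def risk_level(score):
    """Map an area score to a level using the assumed thresholds."""
    for name, threshold in LEVELS:
        if score >= threshold:
            return name
    return LEVELS[-1][0]


def rank_areas(ratings):
    """Return (area, score, level) tuples, highest risk first."""
    scored = [(r.area, area_score(r), risk_level(area_score(r))) for r in ratings]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample ratings (not data from the bank).
SAMPLE = [
    AreaRating("Core banking (T24)", {
        "quality_of_internal_control": (3, 5), "change_in_audit_unit": (4, 5),
        "confidentiality": (4, 5), "availability": (4, 5),
        "integrity": (3, 5), "financial_impact": (4, 5)}),
    AreaRating("E-mail system", {
        "quality_of_internal_control": (2, 2), "change_in_audit_unit": (1, 2),
        "confidentiality": (3, 3), "availability": (2, 2),
        "integrity": (2, 2), "financial_impact": (1, 2)}),
    AreaRating("Network", {
        "quality_of_internal_control": (3, 3), "change_in_audit_unit": (2, 3),
        "confidentiality": (3, 4), "availability": (4, 4),
        "integrity": (2, 3), "financial_impact": (2, 3)}),
]

if __name__ == "__main__":
    for area, score, level in rank_areas(SAMPLE):
        print(f"{area:<20} score={score:>3} level={level}")
```

The ranked output is the order in which the audit plan would take up the areas; the validation step matters because an off-scale or missing rating silently distorts the ranking, which is exactly the "proper execution" of the methodology the text asks auditors to check.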
PART III
4. The IS auditor must identify control objectives and the related controls that address each objective, and determine whether to test these controls for compliance. For example, an IS auditor's initial review of an information system should identify its key controls.
5. An IS auditor should identify both key general and application controls after developing an understanding of, and documenting, the business processes and the applications/functions that support these processes and the general support systems. Based on that understanding, the IS auditor should identify the key control points.
6. Alternatively, an IS auditor may assist in assessing the integrity of financial reporting data, referred to as substantive testing, through CAATs (computer-assisted audit tools).
conduct a comprehensive evaluation. A clear scope will help the IS auditor define a set of testing points that is relevant to the audit and further determine the technical skills and resources necessary to evaluate different technologies and their components.
4. Perform pre-audit planning.
Conduct a risk assessment, which is critical in setting the final scope of a risk-based audit. For other types of audits (e.g., compliance), conducting a risk assessment is good practice because the results can help the IS audit team justify the engagement and further refine the scope and pre-planning focus.
a. Interview the auditee to inquire about activities or areas of concern that should be included in the scope of the engagement.
b. Identify regulatory compliance requirements. Once the subject, objective and scope are defined, the audit team can identify the resources that will be needed to perform the audit work. Some of the resources to be defined follow:
o Technical skills and resources needed
o Budget and effort needed to complete the engagement
o Locations or facilities to be audited
o Roles and responsibilities among the audit team
o Time frame for the various stages of the audit
o Sources of information for test or review, such as functional flowcharts, policies, standards, procedures and prior audit work papers
o Points of contact for administrative and logistics arrangements
o A communication plan that describes to whom to communicate, when, how often and for what purposes
5. Determine audit procedures: at this stage of the audit process, the audit team should have enough information to identify and select the audit approach or strategy and start developing the audit program and the steps for data gathering. Some of the specific activities in this step are:
and the specific risks that must be addressed in the audit area/organization. The following skills can assist an IS auditor in creating an audit program:
1. Good understanding of the nature of the enterprise and its industry, to identify and categorize the types of risk and threat
2. Good understanding of the IT space and its components, and sufficient knowledge of the technologies that affect them
3. Understanding of the relationship between business risk and IT risk
4. A basic knowledge of risk assessment practices
5. Understanding of the different testing procedures for evaluating IS controls and identifying the best method of evaluation
6. The use of generalized audit software to survey the contents of data files (e.g., system logs, user access lists)
7. The use of specialized software to assess the contents of operating system, database and application parameter files
8. Flowcharting techniques for documenting business processes and automated controls
9. The use of audit logs and reports to evaluate parameters
10. Review of documentation
11. Inquiry and observation
12. Walk-throughs
13. Reperformance of controls
Note: For additional guidance, see standard 1203 Performance and Supervision and
guideline 2203 Performance and Supervision.
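An added example of item 6 in the list above, the survey of a data file such as a user access list with generalized-audit-style checks; it is not part of the guideline or of any tool it names. It assumes the access list is exported as CSV with the columns in the constructed sample, and the review date, the 90-day dormancy threshold, the privileged role names, the account names and the HR leavers list are all assumptions constructed for the example.

```python
"""Survey of a user access list, in the style of generalized audit software.

Added example for item 6 above (surveying data files such as user access lists);
it is not part of the guideline. It assumes the access list is exported as CSV
with the columns in the constructed sample, and the review date, the 90-day
dormancy threshold, the privileged role names and the HR leavers list are all
assumptions of this example.
"""
import csv
import io
from collections import Counter
from datetime import date, datetime

AS_OF = date(2024, 6, 30)                # assumed review date
DORMANT_DAYS = 90                         # assumed dormancy threshold
PRIVILEGED_ROLES = {"SYSADMIN", "DBA"}    # assumed privileged role names

# Constructed sample export (not real accounts).
ACCESS_LIST_CSV = """\
username,full_name,role,status,last_login
abebe.t,Abebe Tesfaye,TELLER,ACTIVE,2024-06-28
sysadmin1,,SYSADMIN,ACTIVE,2024-06-29
hana.m,Hana Mekonnen,DBA,ACTIVE,2024-02-01
lemma.g,Lemma Gebre,TELLER,ACTIVE,2024-06-30
backup_svc,,TELLER,DISABLED,2023-11-05
"""

# Constructed list of staff who have left, as HR would supply it.
HR_LEAVERS = {"lemma.g"}


def parse_access_list(text):
    """Parse the CSV export, converting last_login to a date."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_login"] = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
    return rows


def survey(rows, as_of=AS_OF, leavers=HR_LEAVERS):
    """Return (username, finding) pairs for three common access-list checks:
    active accounts unused beyond the dormancy threshold, active accounts
    belonging to staff who have left, and privileged accounts with no named
    owner (a shared or generic account)."""
    findings = []
    for row in rows:
        user = row["username"]
        active = row["status"].upper() == "ACTIVE"
        dormant = (as_of - row["last_login"]).days > DORMANT_DAYS
        if active and dormant:
            findings.append((user, "dormant-active"))
        if active and user in leavers:
            findings.append((user, "leaver-still-active"))
        if row["role"].upper() in PRIVILEGED_ROLES and not row["full_name"].strip():
            findings.append((user, "privileged-unnamed"))
    return findings


def summarize(findings):
    """Count findings per type, as a working-paper summary line would show."""
    return dict(Counter(kind for _, kind in findings))


if __name__ == "__main__":
    rows = parse_access_list(ACCESS_LIST_CSV)
    for user, kind in survey(rows):
        print(f"{user:<12} {kind}")
    print(summarize(survey(rows)))
```

Each finding ties back to a named record in the file, which is what the working paper needs as evidence; the per-type counts are the summary line, and the leavers list and review date are passed in so the same survey can be reperformed on a later export during the follow-up audit.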
PART IV
c. Provide a list of the items the auditor is looking for, using common titles.
d. Provide a brief description (for example, a copy of the records management policy, the security classification procedure, the system certification procedure, the organizational chart, and prior audit reports).
e. Determine applicable site safety rules.
f. Make arrangements for the audit resources.
g. Agree on the attendance of observers and a guide for the audit team.
h. Request the audit team's workspace needs from technology services to support the audit workflow.
I. Collect data or evidence based on the audit criteria outlined in the audit
work program; and
II. Collect data or evidence which is sufficient and persuasive to logically
support the analysis, observations, conclusions and recommendations
For each audit test completed, a working summary paper should be prepared showing the purpose of the test and a reference to the audit program, the results of the test, and the conclusions on the results.
4.10 Discussion Draft
1. At the conclusion of the fieldwork, the IT auditors draft the audit finding summary report.
2. The IT auditors thoroughly review the audit working papers and discuss the draft before it is presented or sent to the client. This discussion draft is submitted for the client's review before the exit conference.
3. The IT auditors must schedule and confirm with the auditee the time at which the exit conference is to be held.
4.11 Exit Conference
1. When the draft finding summary is submitted to the auditee, the IT auditors must meet with client management to discuss the findings, the risks and the recommendations put forward. At this meeting, the client comments on the draft, and the IT auditors and the client work to reach an agreement on the audit findings.
Importance of the exit conference:
• Ensure a common understanding of the audit findings by both parties,
• Highlight the internal control loopholes detected during the audit to the audit client's management,
• Urge the auditee management to subsequently send an audit rectification report as per the agreed action plan,
• Advise the auditee not to limit themselves to rectifying the reported audit findings only, but rather to identify other similar findings that may materialize in day-to-day operation, so that they are able to take appropriate control measures,
• Acknowledge their cooperation towards the successful accomplishment of the audit task.
2. After the exit conference, the auditee should prepare a detailed action plan for the findings that explains how the reported findings will be resolved and includes an implementation timetable. The IT auditors use the prepared action plan as a checklist for the follow-up audit.
PART V
6. Conclusions: lastly, audit conclusions are drawn by the IT auditors after the audit has been completed, by considering the audit findings and the audit objectives. These conclusions should be independent and factual, not based on assumptions.
PART VI
5. Audit Work Papers
• Indicate professionalism
• Document the work performed
• Evidence the conditions found
• Support audit reports
• Facilitate reviews by others
• Facilitate planning
• Provide a record of weaknesses, errors and irregularities detected by the audit
• Confirm and support the auditor's judgments, opinions and reports
Appendices
1. Information System Audit Standards
ISACA IS Audit and Assurance Standards are divided into three categories
2.1. COBIT
A control framework called COBIT (Control Objectives for Information and related Technology) is used as a benchmark in preparing this guideline, as it is a globally accepted set of information technology control objectives for IT governance and risk management.
COBIT consists of principles, practices, tools and models to help enterprises improve their information and technology management processes. The COBIT framework is an open standard published and continually updated by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA); the current release is COBIT 5.
IT controls are grouped as preventive, detective and corrective controls. At the planning stage it suffices for the auditor to form a general opinion on the nature and adequacy of the controls deployed in an IT system, and on the areas where the controls are weak and vulnerable. This forms the basis for the extent, the areas and the depth of testing required. It is also essential that these steps are recorded in detail to serve as pointers.
Preventive
• Detect problems before they occur,
• Monitor both operation and inputs,
• Attempt to predict potential problems before they occur and make adjustments,
• Prevent an error, omission or malicious act from occurring.
Detective
• Use controls that detect and report the occurrence of an error, omission or
malicious act.
Corrective
• Minimize the impact of a threat,
• Resolve problems discovered by detective controls,
• Identify the cause of a problem,
• Correct errors arising from a problem,
• Modify the processing systems to minimize future occurrence of the problem.
Hence, BCM processes provide a framework to ensure the bank's resilience to any event and to help ensure the continuity of services to its customers. In addition, BCM activities serve as the basis for plans that can help the bank ensure its long-term survival following a disruptive event.
Besides business continuity planning, BCM includes disaster recovery and crisis management. The following section gives a brief description of each.
In addition, the auditor needs to review the adequacy of the BCP, and of the DRP if it is separate, in ensuring the timely resumption of operations, and determine whether these plans reflect the current operating system environment.
• Are the plans tested and revised based on plan test results?
• Where are the plans stored, and are they stored safely?
• Do plan action steps coordinate with local emergency services?
• Are alternate data center locations known to everyone?
• Is the location of data backups known?
• Does the company have adequate staff to implement the plans?
Answering these questions can help auditors evaluate the effectiveness of company-wide BCM processes and provide recommendations that can help the bank better address its business continuity needs.
Date: _______________
2 Field Work
3 Reporting
This is to inform you that we have scheduled to undertake an IT audit on: ____________
Audit in _____ starting from ________ G.C.
To this end, IT auditors _________, __________ and ___________ will come to your office for auditing purposes. We therefore kindly request that your office cooperate by providing them with all necessary documents and assistance pertaining to their work, and by making available the required interviews for audit purposes.
Regards,
Subject:
Note: This is the format used to request anything needed for audit purposes, whether system access privileges or documents:
1. Requested By:
Name: -------------------
Signature: ----------------
Date: --------------
2. Required material and its purpose:---------------------------------------
3. Date of request:---------------------------------
4. Date of return:----------------------------------
1. Cover page
2. Table of contents
3. Introduction
4. Objective of the audit
5. Scope and methodology of the audit
6. Summary of significant audit findings
No | Audit findings | Anticipated risks | Recommendation | Response/justification of the auditee
7. Conclusions
Sr. No. | Audit findings | Recommended corrective measures | Risk level based on impact & likelihood | Target date for rectification | Rectification status
1. Cover page
2. Table of contents
3. Executive summary
Internal Memo
As you know, the Internal Audit Process conducted a ________ audit on the Information Technology Service Process based on the annual plan for the ______ fiscal year.
This is therefore to let you know that with this letter we have enclosed and sent the final audit report for your immediate rectification.
With regards,