Professional Documents
Culture Documents
IT Audit
Dr.Lovepon Savaraj
Dr. Nongnuch Laomaneerattanaporn
AGENDA 2
• Type of IT controls
• IT General Controls
• Application controls
Why do we need to audit IT system? 3
Business Customer
Order
Stock
Checking
Distribution Invoicing
Processes Loan
Approve
Draw Interest
Payment
App down calculation
Impact
SAP
Application Back office
system
systems Oracle
GFMIS
Core
Banking SWIFT
ATM
Impact
IT process
Why DO WE NEED To Audit IT Systems? 5
Types of IT Controls 6
• General IT controls are policies and procedures used to control many applications to ensure that
applications can operate effectively. These controls also include controls over IT infrastructure and
processes, namely data center and network operations; system software and application system
acquisition, change, and maintenance; and access security. Usually general IT controls are
implemented to maintain the integrity of information and security data and to support the effective
functioning of application controls. (ISA315)
• Application controls are manual or automated procedures that are specific to each application.
These controls focus at the business process level and are deployed on the processing of
transactions for each application to improve the integrity of accounting records. Application
controls are relevant to procedures that are used to initiate, record, process, and report
transactions or other financial data. They can be designed to be both preventive and detective
controls. In short, application controls help ensure that transactions occurred, are authorized, and
are completely and accurately recorded and processed (ISA315)
IT General Controls 8
Minimum areas of ITGC controls to assess 9
• Information security
• Third-party IT providers
(Singleton, 2010)
ITGC audit process 10
Inventory
• Report logic is incorrectly
applying parameters
Application (e.g. SAP)
• Report logic is incorrectly Configuration & Security
gathering source data
Infrastructure Controls
• Unauthorized changes to systems (OS, Database, Network)
or programs
Identify ITGC Risks 14
PCAOB The auditor should obtain an understanding of specific risks to a company's internal
Literature control over financial reporting resulting from IT. Examples of such risks include:
• Reliance on systems or programs that are inaccurately processing data, processing
inaccurate data, or both;
• Unauthorized access to data that might result in destruction of data or improper
changes to data, including the recording of unauthorized or nonexistent
transactions or inaccurate recording of transactions (particular risks might arise
when multiple users access a common database);
• The possibility of IT personnel gaining access privileges beyond those necessary to
perform their assigned duties, thereby breaking down segregation of duties;
• Unauthorized changes to data in master files;
• Unauthorized changes to systems or programs;
• Failure to make necessary changes to systems or programs;
• Inappropriate manual intervention; and
• Potential loss of data or inability to access data as required. [PCAOB AS 12.B4 ]
Example of ITGC risks and controls 15
ITGC audit scope 16
Access Security 17
User Access Direct Data Access System Settings
Privileges
Users have access Inappropriate changes Systems are not
privileges beyond those are made directly to adequately configured
necessary to perform financial data through or updated to restrict
their assigned duties, means other than system access to
which may create application properly authorized and
improper segregation of transactions. appropriate users.
duties.
System Change Control 17