You are on page 1of 86

MBA BT 513 Information System Audit

Course Objectives
Focuses on the audit and control aspects of information systems. Deals with the risks, controls, and audit to information systems. Emphasizes on the management control framework, data resource management controls, application control framework and processing controls.


1. 2. 3. 4.

Management Control Framework Application Control Framework Evidence Collection Evidence Evaluation


1. Management Control
a. b. c. d. e. f. g. Top management controls Systems Development management controls Programming management controls Data Resource management controls Security management controls Operation management controls Quality assurance management controls


a. Top management control

Planning types of plans, approaches, role of a steering

Organizing Resourcing, staffing,

centralization/decentralization, internal organization, location

Leading motivation, leadership, effective communication Controlling overall control, control of IS, control over
users of IS


b. Systems Development management controls

3 types of reviews Normative Model to pinpoint strengths and weaknesses 6 major approaches
SDLC approach - importance of well-controlled work phases Sociotechnical design approach jointly optimizing the technical systems as well as the social systems
11/6/2012 5

Political approach
understanding the effects that systems can have on the distribution of the organizational power

Soft systems approach

provides ways of helping decision makers learn about ill-structured problems

Prototyping approach
provides ways of helping resolve the uncertainty often surrounding systems-design tasks

Contingency approach
organizational context in which the system is being designed


13 phases provide an agenda of issues

Problem/opportunity definition Management of the change process Entry and feasibility assessment Analysis of the existing system Formulation of strategic requirements Organizational and job design Information processing systems design Application software acquisition and development Hardware/system software acquisition Procedures development Acceptance testing Conversion Operation and maintenance


C. Programming management controls

Objective to produce or acquire and to implement high quality programs Six major phases
Planning Control Design Coding Testing Operation and maintenance
11/6/2012 8

d. Data Resource management controls



Users must be able to share data Availability of data Possible to modify fairly Integrity of data must be preserved Defining, creating, redefining, retiring data Making the DB available to users Informing and servicing users Maintaining db integrity Monitoring operations and performance


e. Security management controls

Ensuring that IS assets are secure 2 types
Physical Logical

Security Admin is to conduct a security program

It is a series of ongoing, regular, periodic reviews conducted Preparation of a project plan, identification of assets, valuation of assets, threats identification, threats likelihood assessment, exposures analysis, control adjustment and report preparation
11/6/2012 10

f.Operation management controls

Daily running of h/w and s/w facilities
Production application systems can accomplish their work Development staff can design, implement and maintain application systems



g.Quality assurance management controls

QAM ensures that IS produced by the Information systems function achieve certain quality goals and that development, implementation, operation and maintenance of information systems comply with a set of quality standards



2. Application Control
i. ii. iii. iv. v. vi. Boundary controls Input controls Communication controls Processing controls Database controls Output controls



i.Boundary controls
Boundary subsystem establishes the interface between the would-be user of a computer system and the computer system itself 3 purposes
To establish the identity and authenticity of would-be users To establish the identity and authenticity of computer system resources that users wish to employ To restrict the actions undertaken by users who obtain computer resources to an authorized set
11/6/2012 14

ii. Input controls

Input subsystem are responsible for bringing both data
and instructions into the information systems

iii. Communication controls


Physical component controls Line error controls Flow Control Link control Topological Controls Channel Access Controls Controls over subversive threats Internetworking, communication architecture and audit trails controls

Processing Controls
Responsible for computing, sorting, classifying and summarizing data Central processor, real or virtual memory, OS, Appln programs

Database Controls
Defining, creating, modifying, deleting and reading data in an IS DBMS, appln programs, processor

Output Controls
Determine the content of data that will be provided to users, data formatted & presented,
11/6/2012 16

Need for IS Control & Audit

Reliance on computer systems
Survival of organization Costs of data loss Costs of errors Inability to function Possibility of incorrect decisions

Organizations Costs of Data Loss Incorrect Decision Making Costs of Computer Abuse Value of Computer Hardware, Software and Personnel High Costs of Computer Error Maintenance of Privacy Controlled evaluation of Computer use




Need for IS Control & Audit

Security & abuse - from inside & outside: hacking, viruses, access
Destruction & theft of assets Modification of assets Disruption of operations Unauthorized use of assets Physical harm Privacy violations



Need for IS Control & Audit



What is Information System Audit

Process of collecting and evaluating evidence to determine whether a (computerized) system:
Safeguards assets Maintains data integrity Enables communications & access to information Achieve operational goals effectively Consumes resources efficiently
11/6/2012 21

Objectives of IT/IS Audit

Improved Data Integrity

Safeguarding of Assets

IT/IS Audit

Improved System Effectiveness

Improved System Efficiency

Source: Ron Weber

Data Integrity
Data attributes completeness, soundness, purity Factors affect the values of a data item
The value of the informational content of the data item for individual decision making The extent to which the data item is shared among decision makers The value of the data item to competitors
11/6/2012 23

System effectiveness
Accomplishes its objectives Evaluating effectiveness implies knowledge of user needs Auditors must know the characteristics of users and the decision making environment Postaudit / during design stages



Systems efficiency
Minimum resources to achieve its required objectives



Elements IT/IS Audit

1. 2. 3. 4. 5. 6. 7. Physical and Environmental System Administration Application Software Application Development Network Security Business Continuity Data Integrity

Objectives Audit and Control

Need to control & audit info systems IS AUDITING = collecting & evaluating evidence to determine if system accomplishes its organizational tasks effectively & efficiently Understanding the organization & environment Understanding systems
EDP in particular

Understanding the Control Approach

Control - a system that prevents, detects, or corrects unlawful, undesirable or improper events
11/6/2012 27

The Auditing Environment

External vs. internal auditors External auditors provide increased assurance
Fairness of financial statements Frauds & irregularities Ability to survive

Internal auditors appraise and evaluate adequacy & effectiveness of controls

Control - a system that prevents, detects, or corrects unlawful, undesirable or improper events

Reporting and responsibility to Board of Directors

11/6/2012 28

The Auditing Environment cont.

Types of audit procedures
To gain understanding of controls Test of controls Substantive tests of details of transactions Substantive tests of balances and overall results Analytic review procedures



Assessing Reliability
By controls By transaction By errors



Internal vs External
Audit function can be performed internally or externally Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and help ensure conformance with managerial policies External Audit is an audit conducted by an individual of a firm that is independent of the company being audited

Internal Audit Reporting Structure

Board Audit Committee

Head of Audit Dept

Head of IT Audit

Head of Non-IT Audit

IT Audit Team Members

Non-IT Audit Team Members

Internal Auditors
Responsible to Board of Directors An internal control function Assist the organization in measurement & evaluation:
Effectiveness of internal controls Achievement of organizational objectives Economics & efficiency of activities Compliance with laws and regulations

Operational audits
11/6/2012 33

Internal Auditors Scope of Work

Safeguarding assets Compliance with policies and plans Accomplishment of established objectives Reliability & integrity of information Economics & efficient use of resources



The Internal Controls Framework

Separation of duties Delegation of authority & responsibility System of authorizations Documentation & records Physical control over assets & records Management supervision Independent checks Recruitment & training


Internal Controls - Cont.

Controls - pattern of activities:
Preventive Detective Corrective

Affect reliability
Reduce failure probability Reduce expected loss in failure

Reasonable assurance Based on cost-benefit considerations

11/6/2012 36

External Auditors
Responsible to stockholders and public
Via Board of Directors

Assess financial statement assertions

Existence or occurrence Completeness Valuation and allocation Presentation and disclosure Rights and obligations

Must test compliance with laws and regulations Must test for fraud and improprieties Relies on internal control structure for planning of 11/6/2012 audit


External Auditors
Audit (material misstatement) risk = product of
Inherent (assertion could be materially misstated) risk Control risk (misstatement will not be prevented or detected on a timely basis by internal controls) Detection risk
Inversely related to control and inherent risks



Roles of IT Audit Team

Financial Auditor Support for Financial Auditors
Application Database Middleware

Information Systems Auditor

IT Auditor

Operating System Network Intra Physical Facility Entity-Level Controls

Source: Chris Davis et al

Financial vs IT Audits
Financial audit
Official examination of accounts to see that they are in order

IT audit
a review of the controls within an entity's technology infrastructure Wikipedia ( Official examination of IT related processes to see that they are in order

Financial Audit GAAP IT Audit - ??

Financial vs IT Audits
IT auditors may work on financial audit engagements IT auditors may work on every step of the financial audit engagement Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important

Auditors are guided in their professional responsibility by the the generally accepted auditing standards (GAAS).
Generally Accepted Auditing Standards General Standards The auditor must have adequate technical training and proficiency to perform the audit. Standards of Field Work Audit work must be adequately planned Standards of Reporting The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles. The report must identify those circumstances in which generally accepted accounting principles were not applied The report must identify any items that do not have adequate informative disclosures

Auditing Standards

The auditor must maintain independence in mental attitude in all matters related to the audit. The auditor must use due professional care during the performance of the audit and the preparation of the report.

The auditor must gain a sufficient understanding of the internal control structure The auditor must obtain sufficient, competent evidence

The report shall contain an expression of the auditors opinion on the financial statements as a whole

What is IT Auditors?
Is called internal audit specialist, IT or IS auditor May serve as a member of consulting organization Generally a member of an enterprise internal audit organization Specialist who follows the standards and principles of the IIA and often ISACA as well

Roles and Responsibilities

Ensure IT governance by assessing risks and monitoring controls over those risks Works as either internal or external auditor Works on many kind of audit engagements Reviewing and assessing enterprise management controls Review and perform test of enterprise internal controls Report to management

Job Tasks and Responsibilities

Design a technology-based audit approaches; analyzes and evaluates enterprise IT processes Works independently or in a team to review enterprise IT controls Examines the effectiveness of the information security policies and procedures Develops and presents training workshops for audit staff Conduct and oversees investigation of inappropriate computer use Performs special projects and other duties as assigned

Knowledge, Skills, Abilities

Knowledge of auditing, IS and network security Investigation and process flow analysis skills Interpersonal/human relation skills Verbal and written communications skills Ability to exercise good judgment Ability to maintain confidentiality Ability to use IT desktop office tools, vulnerability analysis tools, and other IT tools

Minimum Qualifications
Bachelors degree in Computer Science, computer programming or accounting Certified Information Systems Auditor (CISA) credentials or candidate Certified Internal Auditor credential preferred

The Role of IT Auditors in the Financial Audit Process

Develop an understanding and perform preliminary audit work Develop audit plan Evaluate the internal control system Determine degree of reliance on internal controls Perform substantive testing Review work and issue audit report

Conduct follow-up work

Professional Groups and Certifications Alphabet Soup

The largest professional organization of IT auditors


Certified Info. System Auditor Credentials

The prime professional credentials for IT auditors More focused on IT audit Open to all individuals who have an interest and skills in information system audit, control and security, The examination is four hours in duration and consists of 200 multiple-choice question The test is offered each year in June and December at numerous worldwide locations Must have a minimum of five years of professional information system auditing, internal control or security related work experience

CISA Examination Content Area

The IS audit process (10%) IT Governance (15%) Systems and Infrastructure Life Cycle (16%) IT Service Delivery and Support (14%) Protection of Information Assets (31%) Business Continuity and Disaster Recovery (14%)

Effects of computers on Internal Controls

Separation of duties Delegation of authority and responsibility Competent and trustworthy personnel System of authorizations Adequate documents and records Physical control over asset and records Adequate management supervision Independent check on performance Comparing recorded accountability with assets

Effects of computers on auditing

Changes to evidence collection Changes to evidence evaluation

Effective IT Audit
Early involvement Informal audits Knowledge sharing Self-assessments

Why IS Audit?
Organizational Cost of Data Loss. Incorrect Decision Making. Costs of Computer Abuse. Value of Hardware, Software & Personnel High Costs of Computer Error Maintenance of Privacy Controlled Evolution of Computer Use.


What is Information Systems Audit?

Information Systems Auditing is the process of collecting and evaluating evidence to determine whether a computer system safe guards assets, maintains data integrity, allows organizational goals to be achieved effectively and uses resources efficiently . It is an Independent examination of records/ Information that will enable an opinion of the integrity of controls put in place to safe guard systems. It should equally help to recommend recommendations on how these controls can be improved so as to mitigate risk to an acceptable level. It is any audit that encompasses the review and evaluation (wholly or partially) of automated information processing systems, their related non-automated processes and the interfaces between them.
Ron Weber.



In summary, IS Auditing is the process of collecting and evaluating evidence to determine if Information Systems and related resources are adequately safeguarding assets, maintaining data and system integrity, providing relevant and reliable information, achieving organizational goals effectively, consuming resources efficiently, and if there are effective internal controls that provide reasonable and acceptable assurance that operational and control objectives will be met and that undesired events will be prevented or detected and corrected in a timely manner.
11/6/2012 57

Objectives of IS Auditing
Improves safeguarding of Assets. Ensures & Maintains Data Integrity. Improves systems effectiveness. Improves Resources efficiency. Ensures compliance to Legislative, Regulatory & contractual obligations. Allows Effective Achievement of Organizational goals
11/6/2012 58

Organization of an IS Audit fuction

The Role of IS Audit is established by an Audit Charter. This is a document that states in very clear terms, managements responsibility and objectives for, and delegation of authority to the IS Audit function. It Should outline the Authority, Scope & responsibilities of the Audit Function. Where the function is provided by a third party firm, the scope and objectives should be documented in a formal contract or statement of work. Be it internal or external, the audit function should be independent and report to the board of directors or the Audit committee where one is available.
11/6/2012 59

IS Audit Plan
It is Important to adequately plan for an IS audit. This should be done after a good understanding of the organization has been achieved.



Types IS Audit Plan.

Short-Term Planning: This takes into account audit issues that will be covered during the year. Long-Term Planning: this relates to plans for risk-related issues that will take into account changes in an organization's IT strategic direction which will affect the organizations IT environment.
11/6/2012 61

Any type of Audit plan that is undertaken, should be analyzed annually so as to take into account new control issues like changes in the risk environment, technology and business processes; and enhanced evaluation techniques. The result of this analysis should be reviewed by reviewed by senior Audit mgt and approved by audit committee or board of directors. This will enhance future audit activities and should be comunicated to relevant levels of Management.
11/6/2012 62

Performing an IS Audit
In performing an IS audit, there is the need to develop and understand the Audit Methodology/Strategy, which is a set of documented audit procedures designed to achieve the planned Audit objectives. It is usually set and approved by Audit management and has the following components: 1. Statement of Scope 2. Statement of Audit objectives. 3. Statement of work program
11/6/2012 63

Performing an IS Audit cont.

After the establishment of the strategy the following phases make up a typical IS Audit These are the general audit procedures which are basic Audit steps. 1. Obtaining /Recording an understanding of the audit area/subject 2. A risk assessment and audit plan schedule 3. Detailed Audit plan 4. Preliminary review of audit area/subject 5. Evaluating audit area/subject. 6. Verifying the design of controls. 7. Tests of implementation of controls (Compliance Testing). 8. Tests of operative effectiveness of controls (Substantive testing). 9. Reporting/Communicating Audit results. 10. Follow-Up on recommendations implementations. 11/6/2012 64

Performing an IS Audit Plan

Gain an understanding of the organization.
1. 2. 3. 4. 5. 6. 7. tour key organizational facilities. Gather background information about the organization. Review business and IT long term strategic plans. Interview key managers to understand business processes and Issues. Review prior audit reports or IT-related reports ( external/internal audits or regulatory review reports) Identify specific regulations applicable to IT. Identify IT functions or related activities that have been outsourced.

Identify stated contents e.g. policies, organizational structure. Perform a risk analysis to help in designing the audit plan. Conduct a review of Internal controls related to IT. Set the Audit Scope and objectives. Develop the Audit approach and strategy. Identify technical skills and resources needed. Assign personnel resources to the audit.


Performing an IS Audit cont.

In performing an IS Audit, a risk based approach is used in assessing the risks and to help an auditor in the decision to perform either compliance or substantive test. This risk based approach emphasis on a good knowledge of the business and technology. It focuses on assessing the effectiveness of combining controls It provides a linkage between risk assessment and testing while focusing on control objectives. This approach assesses the organization from a management perspective.
11/6/2012 66

Audit Risk and Materiality of an Event

An audit risk is the risk that the information /financial report may contain material error. It is also the risk that an auditor may not detect an error that has occurred. The materiality of an event refers to an error that should be considered significant to any party concerned with the event in question. It is based on professional judgment and includes consideration of the effect of the event on the organization as a whole and errors or risks that may arise as a result of control weaknesses in the area being investigated. In considering the materiality of any event, it should be in the terms of the total impart to the organization.
11/6/2012 67

Risk Management
Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. Business risks are the likelihood that a threat will negatively impact the assets, processes or objectives of a business or organization. 1. Risk analysis is a part of audit planning and it helps to identify risks and vulnerabilities so that the auditor can determine the controls needed to mitigate these risks.
11/6/2012 68

Risk Analysis cont.

The IS auditor is concerned and often focused towards high risk issues associated with the confidentiality, integrity and availability of sensitive and critical information, and the underlying information systems and processes that generate, store, and manipulate such information. The IS auditor also assesses the effectiveness of an organizations risk management process by carrying out risk assessment.
11/6/2012 69

Risk Assessment
Risk assessment involves an iterative life cycle to starts with identifying Business objs, information assets, and the underlying systems or resources that generate/store, use or manipulate the assets critical to achieving the set objectives of the business. This identifies threats to assets and determine their probabilities of occurrence and the resultant impacts with additional safeguards that will help to mitigate the risks to acceptable levels defined by management.
11/6/2012 70

Risk Mitigation
Risk mitigation involves the identification of controls/countermeasures which when applied to the identified risks to assets will help to prevent or reduce them to acceptable levels. In assessing countermeasures to be applied, a cost-benefit analysis should be performed based on any or a combination of the followings:
The cost of the control. Managements appetite for risk. Preferred risk reduction methods.
11/6/2012 71

Monitoring Mitigated Risk

Risks which have been mitigated has to be continually monitored so as to identify any significant changes in the environment that would trigger reassessment warranting changes in the control environment. Note that risk assessment should be an ongoing process in an organization if risk management is to be effective.
11/6/2012 72

Importance of Risk Management to IS Auditing.

It identifies risks and threats to an IT environment and the IS which needs to be addressed by management. It helps in the selection audit areas/subjects. It aids a sound evaluation of controls in audit planning. It aids an IS auditor in determining audit objectives. It supports risk-based audit decision making.
11/6/2012 73

Information Systems Audit and Control Association (ISACA)

Started in 1967 Today, ISACAs membershipmore than 50,000 strong worldwideis characterized by its diversity. Members live and work in more than 140 countries and cover a variety of professional IT-related positions

ISACA Certifications
CISA - CISA (Certified Information Systems Auditor) is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in IS auditing, control and security. CISA has grown to be globally recognized and adopted worldwide as a symbol of achievement. The CISA certification has been earned by more than 44,000 professionals since inception

CISM (Certified Information Security Manager) is ISACAs groundbreaking credential earned by over 5,500 professionals in its first two years. It is for the individual who must maintain a view of the "big picture" by managing, designing, overseeing and assessing an enterprise's information security.

Conducting IS Audit
Auditors need guidelines Auditors evaluate the reliability of controls Controls reduce expected losses from unlawful events by
Decreasing the prob of the event occurring in the first place Limiting the losses that arise if the event occurs



Dividing systems to be evaluated into subsystems Evaluating reliability of subsystems and determining implications of each subsystems level of reliability for the overall reliability of the system Easy understanding and evaluation Loosely coupled with other subsystems and internally cohesive (perform a single function)
11/6/2012 78

Deal with complexity

Major sets of systems

Management system
Provide the stable infrastructure in which information systems can be built and operated on a day-to-day basis

Application system
Undertake basic transaction processing, management reporting and decision support



Management Systems
Factored into subsystems
Top level IS management Systems development mgt Programming mgt Data mgt Quality assurance Security administration Operation mgt
11/6/2012 80

Application systems
Factored into subsystems performing
Boundary Input Communication Processing Database Output functions

All IS audit involves evaluating the reliability of controls in each of these management and application subsystems
11/6/2012 81

Function of three factors

Inherent risk

Risk mgt

Which reflects the likelihood that a material loss or account misstatement in some segment of the audit before the reliability of internal controls is considered

Control risk
Which reflects the likelihood that internal controls in some segment of the audit will not prevent, detect or correct material losses or account misstatements that arise

Detection risk
Which reflects that the audit procedures used in some segments of the audit will fail to detect material losses or account misstatements. Because auditors cannot influence inherent risk or control risk 11/6/2012 82

Types of audit procedures

To obtain an understanding of controls Test of controls Substantive tests of details of transactions Substantive tests of details of balances or overall results Analytical review procedures



Five major steps in an audit

Planning the audit, in which the auditor attempts to gain an understanding of the internal controls used within an organization Tests of controls, in which the auditor tests significant controls to evaluate whether they are operating effectively Tests of transactions undertake substantive tests to evaluate whether a material loss or account misstatement has occurred or might occur
11/6/2012 84

Tests of balances or overall results seek to obtain sufficient evidence to make a final judgement on the extent of losses or account misstatements that have occurred or might occur Completion of the audit give an opinion on whether material losses or account misstatements have occurred or might occur
11/6/2012 85

Auditing around the computers

Application is simple, Inherent risk is low, reliability of the systems internal processing can be easily inferred

Auditing through the computers