What is Audit ?

Audit - an evaluation of an organization, system, process, project or product.

Audit Mission
Provide independent, objective assurance and consulting services designed to add value and improve organization’s operations.

What is Information Technology ?
Information technology (IT) is the use of computers and telecommunications equipments to store, retrieve, transmit and manipulate data.

What is an Information System?
• An information system (IS) - is any combination of information technology and people's activities that support operations, management and decision making. • In a very broad sense, the term information system is frequently used to refer to the interaction between people, processes, data and technology.

. internal audit.What is IT / IS Audit ? An information technology audit. and operating effectively to achieve the organization's goals or objectives. They were formerly called "electronic data processing (EDP) audits".” “IT audits are also known as "automated data processing (ADP) audits" and "computer audits". maintaining data integrity. “These reviews may be performed in conjunction with a financial statement audit. or information systems audit: An examination of the management controls within an Information technology infrastructure/ Systems. or other form of attestation engagement. The evaluation of obtained evidence determines if the information systems are safeguarding assets.

such as evaluating system input. IS Auditors review different aspects of the systems. The objectives for internal auditors are set by board/management. processing and output controls. data and physical security. • The scope of an internal audit covers the total conduct of business. etc.Role of External. Internal and IS Auditors • The scope of the external audit is usually confined to a financial and compliance audit to satisfy the statutory. contingency planning and system administration. • IS Auditor is an independent advisor that address the control environment of the computer information systems and how they are used. which requires examination of the accounts and providing an opinion as to whether the financial statements produced provide a ‘true and fair picture’. .

and not discrediting the profession or the Association. • Serve in the interest of stakeholders in a lawful manner. appropriate standards and procedures for the effective governance and management of enterprise information systems and technology. • Perform their duties with objectivity.Code of Professional Ethics ISACA (Information Systems Audit and Control Association) sets forth this Code of Professional Ethics to guide the professional and personal conduct. and encourage compliance with. including: audit. . • Support the implementation of. while maintaining high standards of conduct and character. security and risk management. in accordance with professional standards. due diligence and professional care. control.

.Important Terms • Independence : Refers to the independence of the internal auditor or of the external auditor from parties that may have a financial interest in the business being audited. • Due Diligence: Reasonable steps taken by a person in order to satisfy a requirement. • Professional Care: Applying the care and skill expected of a reasonably prudent and competent auditor. • Objectivity: Judgment based on observable phenomena and uninfluenced by emotions or personal prejudices.

• Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology. Such information shall not be used for personal benefit or released to inappropriate parties. knowledge and competence. • Inform appropriate parties of the results of work performed. control. • Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills. security and risk management. revealing all significant facts known to them. including: audit. .Code of Professional Ethics • Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority.

and the roles and relationships between a company’s management. It involves regulatory and market mechanisms.Corporate Governance Corporate governance is "the system by which companies are directed and controlled". its shareholders. . its board. and the goals for which the corporation is governed.

IT Governance • Information technology governance is a subset discipline of corporate governance focused on information technology (IT) systems and their performance and risk management .

IT Function .1.

2. IT layers .

.

.

.

.

Auditor and IT .

Audit Universe .

Business Processes and IT Controls .

guidelines and best practices to meet planned audit objectives. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards. Advise on the implementation of risk management and control practices within the organization while maintaining independence. Communicate emerging issues. potential risks and audit results to key stakeholders. guidelines and best practices. 2. 4.IT Audit Process Five Tasks: 1. Plan specific audits to ensure that IT and business systems are protected and controlled. Conduct audits in accordance with IS audit standards. . 21 5. 3.

Knowledge of techniques to gather information and preserve evidence 4. Knowledge of IS auditing practices and techniques 3. Guidelines and Procedures and Code of Professional Ethics 2. Knowledge of the evidence life cycle 5.Process Knowledge Statements Ten Knowledge Statements: 1. Knowledge of IS Auditing Standards. Knowledge of control objectives and controls related to IS 22 .

Knowledge of continuous audit techniques . Knowledge of reporting and communication techniques 9. 7.23 Process Knowledge Statements Ten Knowledge Statements (Cont’d): 6. Knowledge of risk assessment in an audit context Knowledge of audit planning and management techniques 8. Knowledge of control self-assessment (CSA) 10.

the IS audit function ▫ Outlining the overall authority. scope and responsibilities of the audit function • Approval of the audit charter • Change in the audit charter . and delegation of authority to.24 Organization of IS Audit Function • Audit charter (or engagement letter) ▫ Stating management’s responsibility and objectives for.

25 IS Audit Resource Management • Limited number of IS auditors • Maintenance of their technical competence • Assignment of audit staff .

Audit Planning • Audit planning ▫ Short-term planning (an year) ▫ Long-term planning ▫ Things to consider     New control issues Changing technologies Changing business processes Enhanced evaluation techniques 26 • Individual audit planning ▫ Understanding of overall environment  Business practices and functions  Information systems and technology .

7. 27 Gain an understanding of the business’s mission. 6. and organization structure) Evaluate risk assessment and privacy impact analysis Perform a risk analysis. Conduct an internal control review. 3. 8. guidelines. Develop the audit approach or audit strategy. 2. 4. procedures. standards. 5. Identify stated contents (policies.Audit Planning • Audit Planning Steps 1. . Assign personnel resources to audit and address engagement logistics. objectives. purpose and processes. Set the audit scope and audit objectives.

28

Effect of Laws and Regulations
Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to computer system practices and controls.
▫ ▫ ▫ ▫ Establishment of the regulatory requirements Organization of the regulatory requirements Responsibilities assigned to the corresponding entities Correlation to financial, operational and IT audit functions

29

Effect of Laws and Regulations
• Steps to determine compliance with external requirements:
▫ Identify external requirements ▫ Document pertinent laws and regulations ▫ Assess whether management and the IS function have considered the relevant external requirements ▫ Review internal IS department documents that address adherence to applicable laws ▫ Determine adherence to established procedures

30

ISACA Auditing Standards and Guidelines
Framework for the IS Auditing Standards

 Standards
 Guidelines

 Procedures

ISACA IS Auditing Standards and Guidelines
31

• IS Auditing Standards
1. 2. 3.
Audit charter Independence Ethics and Standards

7. 8. 9.

Reporting Follow-up activities Irregularities and illegal acts

4.
5. 6.

Competence
Planning Performance of audit work

10. IT governance
11. Use of risk assessment in
planning audit

results. planning. evaluations and conclusions . Irregularities and Illegal Acts (Cont’d)  Obtain written representations from management  Have knowledge of any allegations of irregularities or illegal acts  Communicate material irregularities/illegal acts  Consider appropriate action in case of inability to continue performing the audit  Document irregularity/illegal act related communications.ISACA IS Auditing Standards and Guidelines 32 9.

33 IT Risk Assessment Quadrants 100% Quadrant II (Medium Risk) Suggested Action(s): Accept Mitigate Transfer 50% Quadrant IV (Low Risk) Suggested Action(s): Accept Quadrant III (Medium Risk) Suggested Action(s): Accept Mitigate Transfer 50% Vulnerability Assessment Rating 100% Quadrant I (High Risk) Suggested Action(s):Level Assignment Mitigate Example Risk Sensitivity Rating 0% 0% .

.34 ISACA IS Auditing Standards and Guidelines • ISACA Auditing Procedures ▫ Procedures developed by the ISACA Standards Board provide examples. ▫ The IS auditor should apply their own professional judgment to the specific circumstances.

35 Internal Control • Internal Controls Policies. procedures. practices and organizational structures implemented to reduce risks .

36 Internal Control • Components of Internal Control System ▫ ▫ ▫ Internal accounting controls Operational controls Administrative controls .

Internal Control 37 • Internal Control Objectives ▫ Safeguarding of information technology assets ▫ Compliance to corporate policies or legal requirements ▫ Authorization/input ▫ Accuracy and completeness of processing of transactions ▫ Output ▫ Reliability of process ▫ Backup/recovery ▫ Efficiency and economy of operations .

Internal Control 38 • Classification of Internal Controls – Preventive controls – Detective controls – Corrective controls .

to be addressed in a manner specific to IS-related processes . The internal control objectives.Internal Control IS Control Objectives 39 Control objectives in an information systems environment remain unchanged from those of a manual environment. control features may be different. thus need. However.

completeness and security of the output – Database integrity Internal Control 40 .IS Control Objectives (cont’d) • • • Safeguarding assets Assuring the integrity of general operating system environments Assuring the integrity of sensitive and critical application system environments through: – Authorization of the input – Accuracy and completeness of processing of transactions – Reliability of overall information processing activities – Accuracy.

and applicable laws Developing business continuity and disaster recovery plans Developing an incident response plan .Internal Control IS Control Objectives (Cont’d) • • • • 41 Ensuring the efficiency and effectiveness of operations Complying with requirements. policies and procedures.

external and IS Auditor Code of Professional Ethics IS Audit Standards and Guidelines IT Audit Universe Risk Analysis .Day 1 Recap • • • • • • • Audit Mission Planning Roles of Internal.

Internal Control IS Control Objectives (Cont’d)  COBIT 43  A framework with 34 high-level control objectives  Planning and organization  Acquisition and implementation  Delivery and support  Monitoring and evaluation  Use of 36 major IT related standards and regulations .

0 (2005) and COBIT 4.What sort of framework is COBIT? ▫ An IT audit and control framework?  COBIT (1996) and COBIT 2nd Edition (1998)  Focus on Control Objectives ▫ An IT management framework?  COBIT 3rd Edition (2000)  Management Guidelines added ▫ An IT governance framework?  COBIT 4.1 (2007)  Governance and compliance processes added  Assurance processes removed BUT what is the difference between governance and Management? .

• Management plans. builds. conditions and options.Governance and Management • Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs. . setting direction through prioritisation and decision making. compliance and progress against agreed-on direction and objectives (DEM). runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM). and monitoring performance.

direct and monitor (EDM) practices are defined. within each process. • The four MANAGEMENT domains are in line with the responsibility areas of plan. build. evaluate.) • The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas— governance and management—with management further divided into domains of processes: • The GOVERNANCE domain contains five governance processes. run and monitor (PBRM) .Governance and Management Defined (cont.

Internal Control General Control Procedures 47 apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved. .

Internal Control • • 48 General Control Procedures (Cont’d) Internal accounting controls directed at accounting operations Operational controls concerned with the day-to-day operations Administrative controls concerned with operational efficiency and adherence to management policies Organizational logical security policies and procedures Overall policies for the design and use of documents and records Procedures and features to ensure authorized access to assets Physical security policies for all data centers • • • • • .

Internal Control IS Control Procedures 49 • Strategy and direction • General organization and management • Access to data and programs • Systems development methodologies and change control • Data processing operations • Systems programming and technical support functions • Data processing quality assurance procedures • Physical access controls • Business continuity/disaster recovery planning • Networks and communications • Database administration .

50 Performing an IS Audit Definition of Auditing Systematic process by which a competent. . independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Performing an IS Audit Definition of IS Auditing 51 Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems. related nonautomated processes and the interfaces between them. .

Performing an IS Audit • Classification of audits: ▫ Financial audits ▫ Operational audits ▫ Integrated audits ▫ Administrative audits ▫ Information systems audits ▫ Specialized audits ▫ Forensic audits 52 .

Performing an IS Audit • Audit Programs 53 ▫ Based on the scope and the objective of the particular assignment ▫ IS auditor’s perspectives     Security (confidentiality. integrity and availability) Quality (effectiveness. reliability) Service and Capacity . efficiency) Fiduciary (compliance.

Performing an IS Audit • General audit procedures ▫ ▫ ▫ ▫ ▫ ▫ ▫ ▫ ▫ 54 Understanding of the audit area/subject Risk assessment and general audit plan Detailed audit planning Preliminary review of audit area/subject Evaluating audit area/subject Compliance testing Substantive testing Reporting(communicating results) Follow-up .

Performing an IS Audit 55 • Procedures for testing & evaluating IS controls ▫ Use of generalized audit software to survey the contents of data files ▫ Use of specialized software to assess the contents of operating system parameter files ▫ Flow-charting techniques for documenting automated applications and business process ▫ Use of audit reports available in operation systems ▫ Documentation review ▫ Observation ▫ Walkthroughs ▫ Reperformance of controls .

Performing an IS Audit • Audit Methodology 56 ▫ A set of documented audit procedures designed to achieve planned audit objectives ▫ Composed of  Statement of scope  Statement of audit objectives  Statement of work programs ▫ Set up and approved by the audit management ▫ Communicated to all audit staff .

Performing an IS Audit Typical audit phases 57 1. Audit subject Identify the area to be audited 2. Audit scope Identify the specific systems. Audit objective Identify the purpose of the audit 3. function or unit of the organization .

Performing an IS Audit Typical audit phases (Cont’d) 4. Pre-audit planning 58  Identify technical skills and resources needed  Identify the sources of information for test or review  Identify locations or facilities to be audited .

59 Performing an IS Audit Typical audit phases (Cont’d) 5. standards and guidelines  Develop audit tools and methodology . Audit procedures and steps for data gathering  Identify and select the audit approach  Identify a list of individuals to interview  Identify and obtain departmental policies.

Procedures for communication with management 8. policies and procedures. .Performing an IS Audit Typical audit phases (Cont’d) 6. Procedures for evaluating test/review result 60 7. Audit report preparation  Identify follow-up review procedures  Identify procedures to evaluate/test operational efficiency and effectiveness  Identify procedures to test controls  Review and evaluate the soundness of documents.

61 Performing an IS Audit • Workpapers (WPs) What are documented in WPs? – Audit plans – Audit programs – Audit activities – Audit tests – Audit findings and incidents .

Performing an IS Audit • Workpapers (Cont’d) ▫ ▫ Do not have to be on “paper” Must be         Dated Initialized Page-numbered Relevant Complete Clear Self-contained and properly labeled Filed and kept in custody 62 .

Performing an IS Audit • Fraud Detection ▫ Management’s responsibility 63 ▫ Benefits of a well-designed internal control system  Deterring frauds at the first instance  Detecting frauds in a timely manner ▫ Fraud detection and disclosure ▫ Auditor’s role in fraud prevention and detection .

A risk-based audit approach is used to assess risk and assist with an IS auditor’s decision to perform either compliance or substantive testing.64 Performing an IS Audit • Audit Risk ▫ Audit risk is the risk that the information/financial report may contain material error that may go undetected during the audit. ▫ .

65 Performing an IS Audit – Audit Risks     Inherent risk Control risk Detection risk Overall audit risk .

66 Performing an IS Audit • Risk-based Approach Overview ▫ ▫ ▫ ▫ ▫ Gather Information and Plan Obtain Understanding of Internal Control Perform Compliance Tests Perform Substantive Tests Conclude the Audit .

67 Performing an IS Audit • Materiality An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited .

68 Performing an IS Audit • Risk Assessment Techniques ▫ Enables management to effectively allocate limited audit resources ▫ Ensures that relevant information has been obtained ▫ Establishes a basis for effectively managing the audit team ▫ Provides a summary of how the individual audit subject is related to the overall organization and to business plans .

Specific goals of the audit ▫ Compliance with legal & regulatory requirements ▫ ▫ ▫ Confidentiality Integrity Reliability ▫ Availability .Performing an IS Audit 69 • Audit Objectives .

Performing an IS Audit ▫ 70 • Compliance vs. Substantive Testing Compliance test determines whether controls are in compliance with management policies and procedures ▫ ▫ ▫ Substantive test tests the integrity of actual processing Correlation between the level of internal controls and substantive testing required Relationship between compliance and substantive tests .

competent evidence. – Independence of the provider of the evidence – Qualification of the individual providing the information or evidence – Objectivity of the evidence – Timing of evidence .Performing an IS Audit • Evidence 71 It is a requirement that the auditor’s conclusions must be based on sufficient.

Performing an IS Audit – Techniques for gathering evidence:       72 Review IS organization structures Review IS policies and procedures Review IS standards Review IS documentation Interview appropriate personnel Observe processes and employee performance .

Performing an IS Audit – – – – Actual functions Actual processes/procedures Security awareness Reporting relationships 73 • Interviewing and Observing Personnel .

74 Performing an IS Audit • Sampling ▫ General approaches to audit sampling:   Statistical sampling Non-statistical sampling Attribute sampling Variable sampling ▫ Methods of sampling used by auditors:   .

Performing an IS Audit • Sampling (Cont’d) 75 – Attribute sampling  Stop-or-go sampling  Discovery sampling – Variable sampling  Stratified mean per unit  Unstratified mean per unit  Difference estimation .

Performing an IS Audit • Statistical sampling terms: 76 – Confident coefficient – Level of risk – Precision – Expected error rate (not for variable sampling) – Sample mean – Sample standard deviation – Tolerable error rate – Population standard deviation (not for attribute sampling) .

. Calculate the sample size Select the sample Evaluating the sample from an audit perspective.Performing an IS Audit 77 – Key steps in choosing a sample Determine the objectives of the test Define the population to be sampled Determine the sampling method. such as attribute versus variable sampling.

Four types of Risk Treatment Strategies are • 1. • 3. • 2.Quiz # 1 1. . • 4.

The decisions and actions of an IS auditor are MOST likely to affect which of the following risks : A.Quiz #1 2. Control Risk D. Inherent Risk B. Detection Risk C. Business Risk .

An IS auditor is reviewing the process performed for the protection of digital evidence. There are no documented logs of the transportation of evidence. The system was powered off by an investigator. The owner of the system was not present at the time of the evidence retrieval. Which of the following findings should present the MOST concern to the IS auditor: A. D. C. B. .Quiz # 1 3. The contents of the random access memory (RAM) were not backed up.

Quiz # 1 4. Generalized audit software (GAS) C. Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file? A. Integrated test facility (ITF) . Test data D. Attribute sampling B.

efficiency of the application in meeting the business processes. business processes served by the application. C. impact of any exposures discovered. . An IS auditor performing a review of an application's controls would evaluate the: A.Quiz #1 5. application's optimization. D. B.

The IS auditor should FIRST: A. B.plan follow-up audits of the undocumented devices.Quiz # 1 6) An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. C. expand the scope of the IS audit to include the devices that are not on the network diagram. D. note a control deficiency because the network diagram has not been updated. evaluate the impact of the undocumented devices on the audit scope. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. .

Sign up to vote on this title
UsefulNot useful