IT AUDIT FUNCTION
KNOWLEDGE
CHAPTER 2
INFORMATION TECHNOLOGY
AUDITING
• Effective management of information and IT has become essential to
the survival and success of an organization
• Organizations depend increasingly on information and on the IT that
delivers it
• Management therefore expects shorter delivery times and improved
service levels at reduced cost
• The potential threats arising from IT are also increasing
• Controls, and the IT audit of those controls, need continuous
improvement
WHAT IS MANAGEMENT?
• Management is the optimization of the use of corporate resources
through planning, organizing, leading and controlling
• It is a process of continuous improvement
MANAGEMENT PROCESS
1. Understanding the organization’s business
2. Establishing the needs
3. Identifying key activities
4. Establish performance objectives
5. Decide the control strategies
6. Implement and monitor the controls
7. Evaluate and review performance
Understanding The Organization’s Business
• A combination of a theoretical approach and a reading of the annual
report
• Interviewing staff
• Site visits
• Comparing the findings with previous reviews
Establishing The Needs
• Study of the organization’s mission statement
• Study of the strategic plans and objectives derived from the mission
• Interviewing executive management, employees, and perhaps
customers and suppliers, to learn what the business actually needs
Identifying Key Activities
• Determine the major products and services
• Determine how well management understands customer needs and
market size, the competition, and the KPAs (Key Performance Areas)
• KPAs are the activities that will make or break the business
Establish Performance Objectives
• For each KPA, performance objectives must be established
• KPIs (Key Performance Indicators) are required to measure
performance against those objectives
• Assess and analyse the risks and threats to each objective
Decide The Control Strategies
• After the risk analysis is complete, management decides which
activities must be assured, which risks must be managed in-house and
which transferred to another party
• Management also decides which risks can be cost-effectively
prevented, which must instead be detected when they occur, and how a
risk that has materialized will be corrected (preventive, detective and
corrective controls)
Implement and Monitor The Controls
• Controls are only effective if they are monitored to confirm that they
remain effective
• Monitoring includes self-assessment, regular audits, and continuous
improvement programs
EXECUTIVE MANAGEMENT’S RESPONSIBILITY
AND CORPORATE GOVERNANCE
• Corporate governance is the set of relationships among the various
participants who determine the direction and performance of the
organization, including shareholders, management, the board and
employees
• The objectives of the organization must be determined first
• To fulfil those objectives the organization must be efficient, effective,
flexible and able to continue operating
• Management must put in place internal control that is adequate to
meet the objectives
AUDIT ROLE
• Auditing includes IT, internal, external and public sector auditing
• Internal audit examines the adequacy and effectiveness of
management’s system of internal control
• External audit ensures the fairness of the financial accounts
• Public sector audit is aimed at ensuring the effectiveness and
efficiency of the management process in order to ensure service delivery
• IT audit may be used in any of the other areas
AUDIT ROLE
• The audit process is also designed to determine where to audit as well
as what to audit, and may use any and all of:
• Control strategy assessment
• Control adequacy and effectiveness
• Performance quality assessment
• Unit performance reporting
• Following up
• Audits must be based on audit standards
• For IT audit, the ISACA standards apply
CONCEPTUAL FOUNDATION
• Provided by implementing a structured risk analysis
• Involves assessing the risk of expressing an incorrect audit opinion
(including the risk of a misstatement going undetected and the risk of
failing to discover fraud)
• Evaluates business risk, which comprises risk to both the auditee and
third parties
PROFESSIONALISM WITHIN THE IT
AUDITING FUNCTION
• IT audit includes the development and implementation of a risk-based
IT audit strategy and objectives
• The goal is to provide a statement of assurance that IT and business
processes are adequately controlled, monitored and assessed, and are
aligned with business objectives
• IT audit facilitates the monitoring of the implementation of risk
management and control practices within the organization
PROFESSIONALISM WITHIN THE IT
AUDITING FUNCTION
• IT audit involves planning specific audits to ensure that the IT audit
strategy and objectives are achieved and that the information gathered
is sufficient, reliable, relevant and useful
• IT audit management is required to review the work performed to
provide assurance that the audit objectives have been achieved
• The professionalism of IT audit is demonstrated by adherence to the
ISACA code of professional ethics and the ISACA IT auditing standards
RELATIONSHIP OF INTERNAL IT
AUDIT TO THE EXTERNAL AUDITOR
• The external auditor is responsible to the organization and all of its
stakeholders
• The external auditor has a responsibility to report on financial matters
• IT auditing is an integral part of the internal audit function and is
also integrated into the execution of the work of the independent
external auditor
RELATIONSHIP OF IT AUDIT TO OTHER
COMPANY AUDIT ACTIVITIES
• The IT auditor is normally an integral part of the IT audit function
• The IT auditor may also act as an external consultant, or play an
internal role that is independent of the IT audit function
• The roles and responsibilities of the audit function are typically set out
in the audit charter
AUDIT CHARTER
• Is an agreement among the chief executive, the head of IT audit and
the line managers
• Serves as the reference document for the head of the audit function
and gives top management a measure of the level of assurance regarding
the reliability and quality of internal control
• Serves as the reference when the audit function’s structure, plans or
reports are being reviewed
• Indicates the level of authority to act delegated to the audit function
in reviewing each system of internal control, over both computer and
manual systems
CHARTER CONTENT
• The form, content and wording of the charter are normally selected by
the audit function itself
• The IT audit charter may be an independent document or part of the
charter of a formally constituted internal audit function
• The document is normally signed off by the chief executive and the
chairman of the audit committee
• The document consists of:
• A definition of IT audit
• The authority of the function
• Terms of reference
OUTSOURCING THE IT AUDIT
ACTIVITY
• IT audit activity is sometimes outsourced because of a lack of in-house
expertise
• Outsourcing requires assurance that control of the function is being
maintained at a professional level
REGULATION, CONTROL AND
STANDARDS
• Accreditation and audit of IT services must be provided by internal or
third parties to ensure that adequate security and control exist
• Several evaluation methods and frameworks are available:
• ITSEC (the European IT security evaluation criteria)
• TCSEC (the US “Orange Book”; ITSEC and TCSEC have since been
superseded by the Common Criteria, ISO/IEC 15408)
• ISO 9000 (quality management)
• COBIT (ISACA’s IT governance and control framework)
• ISO 17799 (code of practice for information security management,
now published as ISO/IEC 27002)
• ITIL (IT service management)
• COSO internal control framework
• COSO enterprise risk management framework