PROCESS BY DR. SELASI OCANSEY

Learning Objectives
1. Describe what an audit universe is, and illustrate it with an example.
2. Define control objectives for information and related technology and explain why they are useful for organizations and auditors.
3. Explain what a risk assessment is and its significance to the audit function. Illustrate an example of a risk assessment following the National Institute of Standards and Technology methodology.
4. Describe an audit plan and its components. Illustrate examples of IT audit documentation supporting a financial statement audit.
5. Define the audit process and describe the phases of an IT audit engagement.
6. Discuss other types of audits conducted in IT.
THE IS AUDIT PROCESS
The audit of an IS environment to evaluate its systems, practices and operations may include one or both of the following:
- Assessment of internal controls within the IS environment to assure the validity, reliability and security of information.
- Assessment of the efficiency and effectiveness of the IS environment in economic terms.

The IS audit process evaluates the adequacy of internal controls with regard to both specific computer programs and the data processing environment as a whole. This includes evaluating both effectiveness and efficiency. The focus (scope and objective) of the audit process is not only on security, which comprises confidentiality, integrity and availability, but also on effectiveness (result orientation) and efficiency (optimum utilization of resources).

RESPONSIBILITY OF IS AUDITOR
The audit objective and scope have a significant bearing on the skill and competence requirements of an IS auditor. The set of skills generally expected of an IS auditor includes:
- Sound knowledge of business operations, practices and compliance requirements,
- The requisite professional technical qualifications and certifications,
- A good understanding of information risks and controls,
- Knowledge of IT strategies, policy and procedure controls,
- Ability to understand technical and manual controls relating to business continuity, and
- Good knowledge of professional standards and best practices of IT controls and security.
Therefore the audit process begins by defining the scope and objectives, so that the standards and benchmarks can be adapted into the information model used for collecting and evaluating evidence when executing the audit.
FUNCTIONS OF IS AUDITOR
The IT auditor is often the translator of business risk, as it relates to the use of IT, to management: someone who can check the technicalities well enough to understand the risk (not necessarily manage the technology), make a sound assessment and present risk-oriented advice to management. IT auditors review risks relating to IT systems and processes, some of which are:
(i) Inadequate information security (e.g. missing or out-of-date antivirus controls, open computer ports, open systems without passwords or with weak passwords, etc.)
(ii) Inefficient use of corporate resources, or poor governance (e.g. huge spending on unnecessary IT projects such as printing resources, storage devices, high-power servers and workstations, etc.)
(iii) Ineffective IT strategies, policies and practices (including a lack of policies for the use of Information and Communication Technology (ICT) resources, Internet usage policies, security practices, etc.)
(iv) IT-related frauds (including phishing, hacking, etc.)

CATEGORIES OF IS AUDITS
IT audits have been categorized into five types:
(i) Systems and Applications: an audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely and secure input, processing and output at all levels of a system's activity.
(ii) Information Processing Facilities: an audit to verify that the processing facility is controlled to ensure timely, accurate and efficient processing of applications under normal and potentially disruptive conditions.
(iii) Systems Development: an audit to verify that the systems under development meet the objectives of the organization and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
(iv) Management of IT and Enterprise Architecture: an audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
(v) Telecommunications, Intranets and Extranets: an audit to verify that controls are in place on the client (the computer receiving services), on the server, and on the network connecting the clients and servers.

STEPS IN INFORMATION TECHNOLOGY AUDIT
Different audit organizations go about IT auditing in different ways, and individual auditors have their own favourite ways of working. The process can be categorized into six stages:
Steps in IS Audit process
(i) Scoping and pre-audit survey: the auditors determine the main area(s) of focus and any areas that are explicitly out of scope, based normally on some form of risk-based assessment. Information sources at this stage include background reading and web browsing, previous audit reports, pre-audit interviews, observations and, sometimes, subjective impressions that simply deserve further investigation.
(ii) Planning and preparation: during which the scope is broken down into greater levels of detail, usually involving the generation of an audit work plan or risk-control matrix.
(iii) Fieldwork: gathering evidence by interviewing staff and managers, reviewing documents, printouts and data, observing processes, etc.
(iv) Analysis: this step involves desperately sorting out, reviewing and trying to make sense of all the evidence gathered earlier. SWOT (Strengths, Weaknesses, Opportunities, Threats) or PEST (Political, Economic, Social, Technological) techniques can be used for the analysis.
(v) Reporting: reporting to management is done once the data gathered has been analysed.
(vi) Closure: closure involves preparing notes for future audits and following up with management to complete the actions they promised after previous audits.

Steps 3 and 4 may on occasion involve the use of automated data analysis tools such as ACL or IDEA, if not Excel, Access and hand-crafted SQL queries. Automated system security analysis, configuration or vulnerability management and security benchmarking tools are also a boon for reviewing security parameters, and of course the basic security management functions built into modern systems can help with log analysis, reviewing user access rights, etc.

Cost effectiveness of control procedures
No internal control system can provide foolproof protection against all internal control threats; the cost of a foolproof system would be prohibitive. In addition, because many controls negatively affect operational efficiency, too many controls slow the system and make it inefficient. Therefore, the objective in designing an internal control system is to provide reasonable assurance that control problems do not take place.

The benefit of an internal control procedure must exceed its cost. Costs are easier to measure than benefits, however. The primary cost element is personnel, including the time to perform control procedures, the cost of hiring additional employees to achieve effective segregation of duties, and the cost of programming controls into an information system. Internal control benefits stem from reduced losses. One way to calculate benefits involves expected loss, the mathematical product of risk and exposure. The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.