1. IT AUDITS IT audits: provide audit services where processes or data, or both, are embedded in...


IT AUDITS
IT audits provide audit services where processes or data, or both, are embedded in technologies.
• Subject to the ethics, guidelines, and standards of the profession (if certified); the CISA certification is most closely associated with ISACA
• Performed jointly with internal, external, and fraud audits
• Scope of IT audit coverage is increasing
• Characterized by CAATTs (computer-assisted audit tools and techniques)
• IT governance is treated as part of corporate governance

FRAUD AUDITS
Fraud audits provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activity.
• The auditor is more like a detective
• No materiality threshold
• Goal is conviction, if sufficient evidence of fraud exists
• Certification: CFE (Certified Fraud Examiner), from the ACFE

EXTERNAL AUDITS
External auditing: the objective is that, in all material respects, the financial statements are a fair representation of the organization's transactions and account balances.
• The SEC's role
• Sarbanes-Oxley Act
• FASB and the PCAOB
• Certification: CPA, from the AICPA

ATTEST vs. ASSURANCE
Assurance: professional services designed to improve the quality of information, both financial and non-financial, used by decision-makers.
IT audit groups in the "Big Four" firms go by names such as IT Risk Management, I.S. Risk Management, Operational Systems Risk Management, and Technology & Security Risk Services; they are typically a division of assurance services.

ATTEST (definition)
• Written assertions
• Practitioner's written report
• Formal establishment of measurement criteria, or their description
• Limited to: examination, review, or application of agreed-upon procedures

THE IT ENVIRONMENT
There has always been a need for an effective internal control system. The design and oversight of that system has typically been the responsibility of accountants.
The IT environment complicates the paper systems of the past:
• Concentration of data
• Expanded access and linkages
• Increase in malicious activity in systems vs. paper
• Opportunity for management fraud (i.e., management override of controls)

The IT Audit
An IT audit is the process of collecting and evaluating evidence about an organization's information systems, practices, and operations. The evaluation of the obtained evidence determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives.

The IT Audit (continued)
These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation engagement.
External auditors can rely on the results of an internal audit only if the internal audit function is sufficiently independent, which in practice means it reports to the audit committee.
External auditors may also use and rely upon a third-party IT audit firm.

IT Audit Process: 8 Steps
1. Plan the audit
2. Hold the kickoff meeting
3. Gather data and test IT controls
4. Remediate identified deficiencies (organization)
5. Test the remediated controls
6. Analyze and report findings
7. Respond to findings (organization)
8. Issue the final report (auditor)

INTERNAL CONTROL
Internal control is the set of policies, practices, and procedures designed to:
• safeguard assets
• ensure the accuracy and reliability of records
• promote operational efficiency
• measure compliance with management's policies

SAS 78 (component #5, control activities): five categories of physical control activities
• Authorizations
• Segregation of functions
• Accounting records
• Access controls
• Independent verification
(SAS 78 itself has five components, taken from COSO: the control environment, risk assessment, information and communication, monitoring, and control activities. The list above breaks down the last of these.)

BRIEF HISTORY - FCPA
Foreign Corrupt Practices Act, 1977
1. Accounting provisions. The FCPA requires SEC registrants to establish and maintain books, records, and accounts. It also requires internal accounting controls sufficient to meet these objectives:
   a. Transactions are executed in accordance with management's general or specific authorization.
   b. Transactions are recorded as necessary to permit preparation of financial statements (i.e., in conformity with GAAP) and to maintain accountability for assets.
   c. Access to assets is permitted only in accordance with management's authorization.
   d. The recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken with respect to any differences.
2. Anti-bribery provisions (illegal foreign payments).

BRIEF HISTORY - COSO
Committee of Sponsoring Organizations of the Treadway Commission, 1992 (Internal Control, Integrated Framework)
1. Sponsoring organizations: AICPA, AAA, FEI, IMA, IIA
2. Developed a management-perspective model for internal control over a number of years
3. Widely adopted

BRIEF HISTORY – SOX
Sarbanes-Oxley Act, 2002
1. Section 404: Management Assessment of Internal Controls. Management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and must report on the effectiveness of that internal control each year, together with the annual report.
2. Section 302: Corporate Responsibility for Financial Reports. The signing officers (CEO and CFO) must disclose to the auditors and the audit committee all significant deficiencies in internal control, and any fraud, whether or not material, that involves management or other employees with a significant role in internal control.

EXPOSURES AND RISK
Exposure (definition)
Risk (definition)
Types of risk:
• Destruction of assets
• Theft of assets
• Corruption of information or of the information system
• Disruption of the information system

THE P-D-C MODEL
• Preventive controls
• Detective controls
• Corrective controls
Which is most cost effective? Which one tends to be a proactive measure? Can you give an example of each?
Predictive controls
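The slide asks for an example of each control type. The following is a constructed example added for this transcript, not code from the slides, from ISACA, or from any audit firm: a toy purchasing ledger in which each method enforces one of the SAS 78 control activities (authorization, segregation of functions, accounting records, access controls, independent verification), which are also the FCPA internal accounting control objectives, and each is labelled as preventive, detective or corrective. The users (alice, bob, carol), roles, approval limit and transactions are all hypothetical.

```python
"""Toy purchasing ledger illustrating the control types from this chapter.

Constructed example for this transcript; not from the slides or any vendor.
Users, roles, limits and transactions are made up. Each control is tagged
with the SAS 78 / FCPA category it implements and its P-D-C classification.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical user directory and role entitlements (access control).
ROLES = {"alice": "clerk", "bob": "manager", "carol": "auditor"}
ENTITLEMENTS = {
    "clerk": {"initiate"},
    "manager": {"initiate", "approve"},
    "auditor": {"reconcile", "adjust"},
}
GENERAL_AUTH_LIMIT = 1000  # amounts above this need specific approval


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


@dataclass
class Txn:
    txn_id: int
    item: str
    qty: int
    amount: int
    initiator: str
    approver: Optional[str] = None
    status: str = "pending"


@dataclass
class Ledger:
    txns: Dict[int, Txn] = field(default_factory=dict)
    stock: Dict[str, int] = field(default_factory=dict)   # recorded assets
    audit_log: List[Tuple] = field(default_factory=list)  # accounting record
    next_id: int = 1

    def _require(self, user: str, action: str) -> None:
        """Access control (preventive): deny actions outside the user's role."""
        role = ROLES.get(user)
        if role is None or action not in ENTITLEMENTS[role]:
            self.audit_log.append(("denied", user, action))
            raise ControlViolation(f"{user} is not entitled to {action}")

    def _post(self, t: Txn, approver: Optional[str]) -> None:
        t.approver, t.status = approver, "posted"
        self.stock[t.item] = self.stock.get(t.item, 0) + t.qty
        self.audit_log.append(("post", approver or "general-auth", t.txn_id))

    def initiate(self, user: str, item: str, qty: int, amount: int) -> int:
        """Authorization (preventive): amounts within management's general
        authorization post at once; larger ones wait for specific approval."""
        self._require(user, "initiate")
        t = Txn(self.next_id, item, qty, amount, user)
        self.next_id += 1
        self.txns[t.txn_id] = t
        self.audit_log.append(("initiate", user, t.txn_id, amount))
        if amount <= GENERAL_AUTH_LIMIT:
            self._post(t, approver=None)
        return t.txn_id

    def approve(self, user: str, txn_id: int) -> None:
        """Segregation of functions (preventive): the initiator may not approve."""
        self._require(user, "approve")
        t = self.txns[txn_id]
        if t.initiator == user:
            self.audit_log.append(("denied", user, "self-approve", txn_id))
            raise ControlViolation("initiator cannot approve own transaction")
        if t.status != "pending":
            raise ControlViolation("transaction is not awaiting approval")
        self._post(t, approver=user)

    def reconcile(self, user: str, physical: Dict[str, int]) -> Dict[str, int]:
        """Independent verification (detective): compare recorded assets with
        existing assets; returns recorded-minus-actual for items that differ."""
        self._require(user, "reconcile")
        diffs = {item: rec - physical.get(item, 0)
                 for item, rec in self.stock.items() if rec != physical.get(item, 0)}
        self.audit_log.append(("reconcile", user, diffs))
        return diffs

    def adjust(self, user: str, item: str, actual: int) -> None:
        """Corrective: align the record with the verified count, leaving a trail."""
        self._require(user, "adjust")
        self.audit_log.append(("adjust", user, item, self.stock.get(item), actual))
        self.stock[item] = actual


def run_scenario() -> dict:
    """Constructed walk-through; returns the outcomes so they can be checked."""
    led = Ledger()
    out = {"violations": []}
    led.initiate("alice", "laptop", 2, 800)           # posts under general authorization
    big = led.initiate("alice", "server", 1, 5000)    # pending: needs specific approval
    mine = led.initiate("bob", "rack", 1, 3000)       # pending
    for user, txn in (("alice", big), ("bob", mine)):  # clerk not entitled; self-approval
        try:
            led.approve(user, txn)
        except ControlViolation as e:
            out["violations"].append(str(e))
    led.approve("bob", big)                           # proper two-person approval
    out["server_status"] = led.txns[big].status
    out["rack_status"] = led.txns[mine].status
    out["diffs"] = led.reconcile("carol", {"laptop": 1, "server": 1})  # one laptop missing
    led.adjust("carol", "laptop", 1)
    out["laptop_after"] = led.stock["laptop"]
    out["denied_entries"] = sum(1 for e in led.audit_log if e[0] == "denied")
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The preventive controls (entitlement check, authorization limit, initiator-is-not-approver) stop the bad action before anything is recorded, which is why the slide's "which is most cost effective" question usually lands on them; the detective control (reconcile) only finds the missing laptop after the fact, and the corrective control (adjust) fixes the record but still leaves an audit log entry so the change itself can be reviewed.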


COSO (Treadway Commission)
The five components of internal control are:
• The control environment
• Risk assessment
• Information and communication
• Monitoring
• Control activities

What is COBIT
COBIT supports IT governance by providing a framework to ensure:
• Strategic alignment: IT is aligned with the business
• Value delivery: IT delivers the promised benefits against the strategy
• Resource management: optimal investment in, and management of, IT resources
• Risk management: IT risks are managed appropriately
• Performance measurement: all areas of IT are tracked and monitored

Why COBIT?
"Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies' assets through the development of an IT governance model."

Benefits of implementing COBIT
• Better alignment of business and IT strategies
• A view, understandable to management, of what IT does
• Clear ownership of, and responsibility for, processes
• General acceptability with regulators and third parties
• Shared understanding among all stakeholders, based on a common language
• Fulfillment of the COSO requirements for the IT control environment

COBIT-defined IT activities
In COBIT's general process model (this is the COBIT 4.1 model; later versions restructure the domains), IT activities fall into four domains:
1. Plan & Organize IT activities to support the business
2. Acquire & Implement IT resources and strategies
3. Deliver & Support those resources and strategies
4. Monitor & Evaluate IT resources and strategies

4 domains, 34 processes
Plan & Organize
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire & Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Deliver & Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor & Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

Plan and Organize (PO)
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organization understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

Acquire and Implement (AI)
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to be delivered on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?

Deliver and Support (DS)
• Are IT services being delivered in line with business priorities?
• Are IT costs optimized?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place?

Monitor and Evaluate (ME)
• Is IT's performance measured to detect problems before it is too late?
• Does management ensure that internal controls are effective and efficient?
• Can IT performance be linked back to business goals?
• Are risk, control, compliance and performance measured and reported?

SAS 94
The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
• Provides auditors with guidance on IT's effect on internal control, on the auditor's understanding of internal control, and on the assessment of control risk.
• Requires the auditor to consider how an organization's use of IT affects his or her audit strategy.
• Where a significant amount of information is electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such cases, the auditor should gather evidence about the effectiveness of both the design and the operation of the controls intended to reduce the assessed level of control risk.

SAS 78 (#5: Control Activities)
IT risks model: the areas in which IT control activities are applied
• Operations
• Data management systems
• New systems development
• Systems maintenance
• Electronic commerce (the Internet)
• Computer applications

End Ch. 1