IT AUDITS
IT audits: provide audit services where processes or data, or both, are embedded in technologies.
Subject to ethics, guidelines, and standards of the profession (if certified)
CISA (most closely associated with ISACA)
Joint with internal, external, and fraud audits
Scope of IT audit coverage is increasing
Characterized by CAATTs
IT governance as part of corporate governance
2
FRAUD AUDITS
Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
Auditor is more like a detective
No materiality
Goal is conviction, if sufficient evidence of fraud exists
CFE (ACFE)
3
EXTERNAL AUDITS
External auditing: the objective is that, in all material respects, financial statements are a fair representation of the organization’s transactions and account balances.
SEC’s role
Sarbanes-Oxley Act
FASB - PCAOB
CPA (AICPA)
4
ATTEST vs. ASSURANCE
ASSURANCE: professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers.
IT Audit Groups in the “Big Four” (e.g. Final Four):
IT Risk Management
I.S. Risk Management
Operational Systems Risk Management
Technology & Security Risk Services
Typically a division of assurance services
5
ATTEST definition
Written assertions
Practitioner’s written report
Formal establishment of measurement criteria or their description
Limited to:
Examination
Review
Application of agreed-upon procedures
6
THE IT ENVIRONMENT
There has always been a need for an effective internal control system. The design and oversight of that system has typically been the responsibility of accountants.
The I.T. environment complicates the paper systems of the past:
Concentration of data
Expanded access and linkages
Increase in malicious activities in systems vs. paper
Opportunity that can cause management fraud (i.e., override)
7
The IT Audit
An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives.
8
The IT Audit
These reviews may be performed in conjunction with a financial statement audit, an internal audit, or other form of attestation engagement.
External auditors can accept the result of an internal audit only if the function reports to the audit committee.
External auditors may use and rely upon a 3rd-party IT audit firm.
9
IT Audit Process: 8 Steps
1. Plan the audit
2. Hold kickoff meeting
3. Gather data/test IT controls
4. Remediate identified deficiencies (organization)
5. Test remediated controls
6. Analyze and report findings
7. Respond to findings (organization)
8. Issue final report (auditor)
10
INTERNAL CONTROL
is … policies, practices, procedures … designed to …
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies
11
SAS 78: 5 internal control components
Authorizations
Segregation of functions
Accounting records
Access controls
Independent verification
12
BRIEF HISTORY - FCPA
Foreign Corrupt Practices Act, 1977
1. Accounting provisions
The FCPA requires SEC registrants to establish and maintain books, records, and accounts. It also requires establishment of internal accounting controls sufficient to meet these objectives:
  (a) Transactions are executed in accordance with management’s general or specific authorization.
  (b) Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
  (c) Access to assets is permitted only in accordance with management authorization.
  (d) The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal foreign payments
13
BRIEF HISTORY - COSO
Committee of Sponsoring Organizations - 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management-perspective model for internal controls over a number of years
3. Is widely adopted
14
BRIEF HISTORY – SOX
Sarbanes-Oxley Act - 2002
1. Section 404: Management Assessment of Internal Control
Management is responsible for establishing and maintaining the internal control structure and procedures. Management must certify, by report, the effectiveness of internal control each year, with the other annual reports.
2. Section 302: Corporate Responsibility for Incident Reports
Financial executives must disclose deficiencies in internal control, and fraud (whether the fraud is material or not).
15
EXPOSURES AND RISK
Exposure (definition)
Risks (definition)
Types of risk:
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.
16
THE P-D-C MODEL
Preventive controls
Detective controls
Corrective controls
Which is most cost effective? Which one tends to be a proactive measure? Can you give an example of each?
Predictive controls
17
COSO (Treadway Commission)
The five components of internal control are:
The control environment
Risk assessment
Information & communication
Monitoring
Control activities
18
What is COBIT
COBIT supports IT governance by providing a framework to ensure:
• Strategic Alignment: IT is aligned with the business
• Value Delivery: IT delivers the promised benefits against the strategy
• Resource Management: Optimal investment and management of IT resources
• Risk Management: IT risks are managed appropriately
• Performance Measurements: Track and monitor all areas of IT
Why COBIT?
“Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.”
Benefits of implementing COBIT
A better alignment of business and IT strategies
A view, understandable to management, of what IT does
Clear ownership and responsibilities of processes
General acceptability with regulators and 3rd parties
Shared understanding among all stakeholders, based on a common language
Fulfillment of the COSO requirements for the IT control environment
COBIT Defined IT Activities
In a general process model, IT activities fall into four domains:
1. Plan & Organize IT activities to support the business
2. Acquire & Implement IT resources and strategies
3. Deliver & Support those resources and strategies
4. Monitor & Evaluate IT resources and strategies
4 Domains, 34 Processes
Plan & Organize
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
Acquire & Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
Deliver & Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Monitor & Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
Plan and Organize (PO)
Are IT and the business strategy aligned?
Is the enterprise achieving optimum use of its resources?
Does everyone in the organization understand the IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for business needs?
Acquire and Implement (AI)
Are new projects likely to deliver solutions that meet business needs?
Are new projects likely to be delivered on time and within budget?
Will the new systems work properly when implemented?
Will changes be made without upsetting current business operations?
Deliver and Support (DS)
Are IT services being delivered in line with business priorities?
Are IT costs optimized?
Is the workforce able to use the IT systems productively and safely?
Are adequate confidentiality, integrity and availability in place?
Monitor and Evaluate (ME)
Is IT’s performance measured to detect problems before it is too late?
Does management ensure that internal controls are effective and efficient?
Can IT performance be linked back to business goals?
Are risk, control, compliance and performance measured and reported?
SAS 94
The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit
Provides auditors with guidance on IT’s effect on internal control and on the auditor’s understanding of internal control and the assessment of control risk.
Requires the auditor to consider how an organization’s IT use affects his or her audit strategy.
Where a significant amount of information is electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such cases, the auditor should gather evidence about the effectiveness of both the design and operation of controls intended to reduce the assessed level of control risk.
28
IT Risks Model
Operations
Data management systems
New systems development
Systems maintenance
Electronic commerce (the Internet)
Computer applications
30