Is Audit Overview16Jul2012


Transcript of Is Audit Overview16Jul2012

Page 1: Is Audit Overview16Jul2012

MBA BT 513 Information System Audit

• Course Objectives
  – Focuses on the audit and control aspects of information systems.
  – Deals with the risks, controls, and audit of information systems.
  – Emphasizes the management control framework, data resource management controls, application control framework and processing controls.

Page 2: Is Audit Overview16Jul2012

1. Management Control Framework
2. Application Control Framework
3. Evidence Collection
4. Evidence Evaluation

Page 3: Is Audit Overview16Jul2012

1. Management Control

a. Top management controls
b. Systems Development management controls
c. Programming management controls
d. Data Resource management controls
e. Security management controls
f. Operation management controls
g. Quality assurance management controls

Page 4: Is Audit Overview16Jul2012

a. Top management control

• Planning – types of plans, approaches, role of a steering committee

• Organizing – Resourcing, staffing, centralization/decentralization, internal organization, location

• Leading – motivation, leadership, effective communication

• Controlling – overall control, control of IS, control over users of IS


Page 5: Is Audit Overview16Jul2012

b. Systems Development management controls

• 3 types of reviews
• Normative Model – to pinpoint strengths and weaknesses
• 6 major approaches
  – SDLC approach – importance of well-controlled work phases
  – Sociotechnical design approach – jointly optimizing the technical systems as well as the social systems

Page 6: Is Audit Overview16Jul2012

  – Political approach
    • understanding the effects that systems can have on the distribution of organizational power
  – Soft systems approach
    • provides ways of helping decision makers learn about ill-structured problems
  – Prototyping approach
    • provides ways of helping resolve the uncertainty often surrounding systems-design tasks
  – Contingency approach
    • organizational context in which the system is being designed

Page 7: Is Audit Overview16Jul2012

13 phases provide an agenda of issues:
• Problem/opportunity definition
• Management of the change process
• Entry and feasibility assessment
• Analysis of the existing system
• Formulation of strategic requirements
• Organizational and job design
• Information processing systems design
• Application software acquisition and development
• Hardware/system software acquisition
• Procedures development
• Acceptance testing
• Conversion
• Operation and maintenance

Page 8: Is Audit Overview16Jul2012

c. Programming management controls

• Objective – to produce or acquire and to implement high quality programs
• Six major phases
  – Planning
  – Control
  – Design
  – Coding
  – Testing
  – Operation and maintenance

Page 9: Is Audit Overview16Jul2012

d. Data Resource management controls

• Objectives
  – Users must be able to share data
  – Availability of data
  – Possible to modify fairly
  – Integrity of data must be preserved
• DA & DBA
  – Defining, creating, redefining, retiring data
  – Making the DB available to users
  – Informing and servicing users
  – Maintaining DB integrity
  – Monitoring operations and performance

Page 10: Is Audit Overview16Jul2012

e. Security management controls

• Ensuring that IS assets are secure
• 2 types
  – Physical
  – Logical
• Security Admin is to conduct a security program
  – It is a series of ongoing, regular, periodic reviews conducted
  – Preparation of a project plan, identification of assets, valuation of assets, threats identification, threats likelihood assessment, exposures analysis, control adjustment and report preparation

Page 11: Is Audit Overview16Jul2012

f. Operation management controls

• Daily running of h/w and s/w facilities
  – Production application systems can accomplish their work
  – Development staff can design, implement and maintain application systems

Page 12: Is Audit Overview16Jul2012

g. Quality assurance management controls

• QAM ensures that IS produced by the Information systems function achieve certain quality goals and that development, implementation, operation and maintenance of information systems comply with a set of quality standards


Page 13: Is Audit Overview16Jul2012

2. Application Control

i. Boundary controls
ii. Input controls
iii. Communication controls
iv. Processing controls
v. Database controls
vi. Output controls

Page 14: Is Audit Overview16Jul2012

i. Boundary controls

• Boundary subsystem establishes the interface between the would-be user of a computer system and the computer system itself
• 3 purposes
  – To establish the identity and authenticity of would-be users
  – To establish the identity and authenticity of computer system resources that users wish to employ
  – To restrict the actions undertaken by users who obtain computer resources to an authorized set

Page 15: Is Audit Overview16Jul2012

ii. Input controls

• Input subsystems are responsible for bringing both data and instructions into the information systems

iii. Communication controls

• Physical component controls
• Line error controls
• Flow control
• Link control
• Topological controls
• Channel access controls
• Controls over subversive threats
• Internetworking, communication architecture and audit trails controls

Page 16: Is Audit Overview16Jul2012

iv. Processing controls

• Responsible for computing, sorting, classifying and summarizing data
• Central processor, real or virtual memory, OS, application programs

v. Database controls

• Defining, creating, modifying, deleting and reading data in an IS
• DBMS, application programs, processor

vi. Output controls

• Determine the content of data that will be provided to users, data formatted & presented

Page 17: Is Audit Overview16Jul2012

Need for IS Control & Audit

• Reliance on computer systems
  – Survival of organization
  – Costs of data loss
  – Costs of errors
  – Inability to function
  – Possibility of incorrect decisions
• Organizational Costs of Data Loss
• Incorrect Decision Making
• Costs of Computer Abuse
• Value of Computer Hardware, Software and Personnel
• High Costs of Computer Error
• Maintenance of Privacy
• Controlled Evolution of Computer Use

Page 18: Is Audit Overview16Jul2012


Page 19: Is Audit Overview16Jul2012

Need for IS Control & Audit

• Security & abuse – from inside & outside: hacking, viruses, access
  – Destruction & theft of assets
  – Modification of assets
  – Disruption of operations
  – Unauthorized use of assets
  – Physical harm
  – Privacy violations

Page 20: Is Audit Overview16Jul2012


Need for IS Control & Audit


Page 21: Is Audit Overview16Jul2012


What is Information System Audit

• Process of collecting and evaluating evidence to determine whether a (computerized) system:
  – Safeguards assets
  – Maintains data integrity
  – Enables communications & access to information
  – Achieves operational goals effectively
  – Consumes resources efficiently

Page 22: Is Audit Overview16Jul2012

Objectives of IT/IS Audit (diagram: IT/IS Audit linked to four objectives)

• Safeguarding of Assets
• Improved Data Integrity
• Improved System Effectiveness
• Improved System Efficiency

Source: Ron Weber

Page 23: Is Audit Overview16Jul2012

Data Integrity

• Data attributes – completeness, soundness, purity
• Factors that affect the value of a data item
  – The value of the informational content of the data item for individual decision making
  – The extent to which the data item is shared among decision makers
  – The value of the data item to competitors

Page 24: Is Audit Overview16Jul2012

System effectiveness

• Accomplishes its objectives
• Evaluating effectiveness implies knowledge of user needs
• Auditors must know the characteristics of users and the decision making environment
• Postaudit / during design stages

Page 25: Is Audit Overview16Jul2012

Systems efficiency

• Minimum resources to achieve its required objectives


Page 26: Is Audit Overview16Jul2012

Elements IT/IS Audit

1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity

Page 27: Is Audit Overview16Jul2012

Objectives – Audit and Control

• Need to control & audit info systems
• IS AUDITING = collecting & evaluating evidence to determine if system accomplishes its organizational tasks effectively & efficiently
• Understanding the organization & environment
• Understanding systems – EDP in particular
• Understanding the Control Approach
  – Control – a system that prevents, detects, or corrects unlawful, undesirable or improper events

Page 28: Is Audit Overview16Jul2012

The Auditing Environment

• External vs. internal auditors
• External auditors provide increased assurance
  – Fairness of financial statements
  – Frauds & irregularities
  – Ability to survive
• Internal auditors appraise and evaluate adequacy & effectiveness of controls
  – Control – a system that prevents, detects, or corrects unlawful, undesirable or improper events
• Reporting – and responsibility – to Board of Directors

Page 29: Is Audit Overview16Jul2012

The Auditing Environment – cont.

• Types of audit procedures
  – To gain understanding of controls
  – Test of controls
  – Substantive tests of details of transactions
  – Substantive tests of balances and overall results
  – Analytic review procedures

Page 30: Is Audit Overview16Jul2012

Assessing Reliability

• By controls
• By transaction
• By errors

Page 31: Is Audit Overview16Jul2012

Internal vs External

• Audit function can be performed internally or externally
• Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and help ensure conformance with managerial policies
• External audit is an audit conducted by an individual of a firm that is independent of the company being audited

Page 32: Is Audit Overview16Jul2012

Internal Audit Reporting Structure (org chart)

Positions shown: Board Audit Committee; CEO; Head of Audit Dept; Head of Non-IT Audit with Non-IT Audit Team Members; Head of IT Audit with IT Audit Team Members

Page 33: Is Audit Overview16Jul2012

Internal Auditors

• Responsible to Board of Directors
• An internal control function
• Assist the organization in measurement & evaluation:
  – Effectiveness of internal controls
  – Achievement of organizational objectives
  – Economics & efficiency of activities
  – Compliance with laws and regulations
• Operational audits

Page 34: Is Audit Overview16Jul2012

Internal Auditors Scope of Work

• Safeguarding assets
• Compliance with policies and plans
• Accomplishment of established objectives
• Reliability & integrity of information
• Economic & efficient use of resources

Page 35: Is Audit Overview16Jul2012

The Internal Controls Framework

• Separation of duties
• Delegation of authority & responsibility
• System of authorizations
• Documentation & records
• Physical control over assets & records
• Management supervision
• Independent checks
• Recruitment & training

Page 36: Is Audit Overview16Jul2012

Internal Controls – Cont.

• Controls – pattern of activities:
  – Preventive
  – Detective
  – Corrective
• Affect reliability
  – Reduce failure probability
  – Reduce expected loss in failure
• Reasonable assurance
• Based on cost-benefit considerations

Page 37: Is Audit Overview16Jul2012

External Auditors

• Responsible to stockholders and public
  – Via Board of Directors
• Assess financial statement assertions
  – Existence or occurrence
  – Completeness
  – Valuation and allocation
  – Presentation and disclosure
  – Rights and obligations
• Must test compliance with laws and regulations
• Must test for fraud and improprieties
• Relies on internal control structure for planning of audit

Page 38: Is Audit Overview16Jul2012

External Auditors

• Audit (material misstatement) risk = product of
  – Inherent risk (assertion could be materially misstated)
  – Control risk (misstatement will not be prevented or detected on a timely basis by internal controls)
  – Detection risk
    • Inversely related to control and inherent risks

Page 39: Is Audit Overview16Jul2012

Roles of IT Audit Team (diagram)

Layers reviewed, from entity level down to the application:
• Entity-Level Controls
• Physical Facility
• Network Intra
• Operating System
• Middleware
• Database
• Application

Roles shown against these layers: IT Auditor; Information Systems Auditor; Support for Financial Auditors; Financial Auditor

Source: Chris Davis et al

Page 40: Is Audit Overview16Jul2012

Financial vs IT Audits

• Financial audit
  – Official examination of accounts to see that they are in order
• IT audit
  – “a review of the controls within an entity's technology infrastructure” – Wikipedia (www.wikipedia.org)
  – Official examination of IT related processes to see that they are in order
• Problems
  – Financial Audit – GAAP
  – IT Audit – ??

Page 41: Is Audit Overview16Jul2012

Financial vs IT Audits

• IT auditors may work on financial audit engagements
• IT auditors may work on every step of the financial audit engagement
• Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
• IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important

Page 42: Is Audit Overview16Jul2012

Auditing Standards

• Auditors are guided in their professional responsibility by the generally accepted auditing standards (GAAS).

Generally Accepted Auditing Standards

General Standards
• The auditor must have adequate technical training and proficiency to perform the audit.
• The auditor must maintain independence in mental attitude in all matters related to the audit.
• The auditor must use due professional care during the performance of the audit and the preparation of the report.

Standards of Field Work
• Audit work must be adequately planned.
• The auditor must gain a sufficient understanding of the internal control structure.
• The auditor must obtain sufficient, competent evidence.

Standards of Reporting
• The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles.
• The report must identify those circumstances in which generally accepted accounting principles were not applied.
• The report must identify any items that do not have adequate informative disclosures.
• The report shall contain an expression of the auditor’s opinion on the financial statements as a whole.

Page 43: Is Audit Overview16Jul2012

What is an IT Auditor?

• Is called internal audit specialist, IT or IS auditor

• May serve as a member of consulting organization

• Generally a member of an enterprise internal audit organization

• Specialist who follows the standards and principles of the IIA and often ISACA as well

Page 44: Is Audit Overview16Jul2012

Roles and Responsibilities

• Ensure IT governance by assessing risks and monitoring controls over those risks
• Works as either internal or external auditor
• Works on many kinds of audit engagements
• Reviewing and assessing enterprise management controls
• Review and perform tests of enterprise internal controls
• Report to management

Page 45: Is Audit Overview16Jul2012

Job Tasks and Responsibilities

• Designs technology-based audit approaches; analyzes and evaluates enterprise IT processes
• Works independently or in a team to review enterprise IT controls
• Examines the effectiveness of the information security policies and procedures
• Develops and presents training workshops for audit staff
• Conducts and oversees investigation of inappropriate computer use
• Performs special projects and other duties as assigned

Page 46: Is Audit Overview16Jul2012

Knowledge, Skills, Abilities

• Knowledge of auditing, IS and network security
• Investigation and process flow analysis skills
• Interpersonal/human relation skills
• Verbal and written communication skills
• Ability to exercise good judgment
• Ability to maintain confidentiality
• Ability to use IT desktop office tools, vulnerability analysis tools, and other IT tools

Page 47: Is Audit Overview16Jul2012

Minimum Qualifications

• Bachelor’s degree in Computer Science, computer programming or accounting

• Certified Information Systems Auditor (CISA) credentials or candidate

• Certified Internal Auditor credential preferred

Page 48: Is Audit Overview16Jul2012

The Role of IT Auditors in the Financial Audit Process (flow diagram)

1. Develop an understanding and perform preliminary audit work
2. Develop audit plan
3. Evaluate the internal control system
4. Determine degree of reliance on internal controls
5. Perform substantive testing
6. Review work and issue audit report
7. Conduct follow-up work

Page 49: Is Audit Overview16Jul2012

Professional Groups and Certifications – Alphabet Soup

• ISACA – CISA
  – The largest professional organization of IT auditors
• IIA – CIA
• ACFE – CFE
• AICPA – CPA and CITP

Page 50: Is Audit Overview16Jul2012

Certified Info. System Auditor Credentials

• The prime professional credential for IT auditors
• More focused on IT audit
• Open to all individuals who have an interest and skills in information system audit, control and security
• The examination is four hours in duration and consists of 200 multiple-choice questions
• The test is offered each year in June and December at numerous worldwide locations
• Must have a minimum of five years of professional information system auditing, internal control or security related work experience

Page 51: Is Audit Overview16Jul2012

CISA Examination Content Area

• The IS audit process (10%)
• IT Governance (15%)
• Systems and Infrastructure Life Cycle (16%)
• IT Service Delivery and Support (14%)
• Protection of Information Assets (31%)
• Business Continuity and Disaster Recovery (14%)

Page 52: Is Audit Overview16Jul2012

Effects of computers on Internal Controls

• Separation of duties
• Delegation of authority and responsibility
• Competent and trustworthy personnel
• System of authorizations
• Adequate documents and records
• Physical control over assets and records
• Adequate management supervision
• Independent check on performance
• Comparing recorded accountability with assets

Page 53: Is Audit Overview16Jul2012

Effects of computers on auditing

• Changes to evidence collection
• Changes to evidence evaluation

Page 54: Is Audit Overview16Jul2012

Effective IT Audit

• Early involvement
• Informal audits
• Knowledge sharing
• Self-assessments

Page 55: Is Audit Overview16Jul2012

Why IS Audit?

• Organizational Cost of Data Loss
• Incorrect Decision Making
• Costs of Computer Abuse
• Value of Hardware, Software & Personnel
• High Costs of Computer Error
• Maintenance of Privacy
• Controlled Evolution of Computer Use

Page 56: Is Audit Overview16Jul2012

What is Information Systems Audit?

• Information Systems Auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively and uses resources efficiently. – Ron Weber

• It is an independent examination of records/information that will enable an opinion on the integrity of controls put in place to safeguard systems. It should equally help to make recommendations on how these controls can be improved so as to mitigate risk to an acceptable level.

• It is any audit that encompasses the review and evaluation (wholly or partially) of automated information processing systems, their related non-automated processes and the interfaces between them.

Page 57: Is Audit Overview16Jul2012

In summary, IS Auditing is the process of collecting and evaluating evidence to determine if Information Systems and related resources are adequately safe-guarding assets, maintaining data and system integrity, providing relevant and reliable information, achieving organizational goals effectively, consuming resources efficiently, and if there are effective internal controls that provide reasonable and acceptable assurance that operational and control objectives will be met and that undesired events will be prevented or detected and corrected in a timely manner.


Page 58: Is Audit Overview16Jul2012

Objectives of IS Auditing

• Improves safeguarding of assets.
• Ensures & maintains data integrity.
• Improves systems effectiveness.
• Improves resources efficiency.
• Ensures compliance to legislative, regulatory & contractual obligations.
• Allows effective achievement of organizational goals.

Page 59: Is Audit Overview16Jul2012

Organization of an IS Audit function

• The role of IS Audit is established by an Audit Charter. This is a document that states in very clear terms management's responsibility and objectives for, and delegation of authority to, the IS Audit function.

• It should outline the authority, scope & responsibilities of the audit function.

• Where the function is provided by a third party firm, the scope and objectives should be documented in a formal contract or statement of work.

• Be it internal or external, the audit function should be independent and report to the board of directors or the audit committee where one is available.

Page 60: Is Audit Overview16Jul2012

IS Audit Plan

• It is Important to adequately plan for an IS audit.

• This should be done after a good understanding of the organization has been achieved.


Page 61: Is Audit Overview16Jul2012

Types of IS Audit Plan

• Short-Term Planning: This takes into account audit issues that will be covered during the year.

• Long-Term Planning: This relates to plans for risk-related issues that will take into account changes in an organization's IT strategic direction which will affect the organization’s IT environment.

Page 62: Is Audit Overview16Jul2012

Any type of audit plan that is undertaken should be analyzed annually so as to take into account new control issues like changes in the risk environment, technology and business processes, and enhanced evaluation techniques. The result of this analysis should be reviewed by senior audit management and approved by the audit committee or board of directors. This will enhance future audit activities and should be communicated to relevant levels of management.

Page 63: Is Audit Overview16Jul2012

Performing an IS Audit

• In performing an IS audit, there is the need to develop and understand the audit methodology/strategy, which is a set of documented audit procedures designed to achieve the planned audit objectives.

• It is usually set and approved by audit management and has the following components:
  1. Statement of scope
  2. Statement of audit objectives
  3. Statement of work program

Page 64: Is Audit Overview16Jul2012

Performing an IS Audit cont.

After the establishment of the strategy, the following phases make up a typical IS Audit. These are the general audit procedures, which are the basic audit steps:
1. Obtaining/recording an understanding of the audit area/subject
2. A risk assessment and audit plan schedule
3. Detailed audit plan
4. Preliminary review of audit area/subject
5. Evaluating audit area/subject
6. Verifying the design of controls
7. Tests of implementation of controls (Compliance Testing)
8. Tests of operative effectiveness of controls (Substantive testing)
9. Reporting/communicating audit results
10. Follow-up on implementation of recommendations

Page 65: Is Audit Overview16Jul2012

Performing an IS Audit Plan

• Gain an understanding of the organization.
  1. Tour key organizational facilities.
  2. Gather background information about the organization.
  3. Review business and IT long term strategic plans.
  4. Interview key managers to understand business processes and issues.
  5. Review prior audit reports or IT-related reports (external/internal audits or regulatory review reports).
  6. Identify specific regulations applicable to IT.
  7. Identify IT functions or related activities that have been outsourced.
• Identify stated contents, e.g. policies, organizational structure.
• Perform a risk analysis to help in designing the audit plan.
• Conduct a review of internal controls related to IT.
• Set the audit scope and objectives.
• Develop the audit approach and strategy.
• Identify technical skills and resources needed.
• Assign personnel resources to the audit.

Page 66: Is Audit Overview16Jul2012

Performing an IS Audit cont.

• In performing an IS audit, a risk based approach is used in assessing the risks and to help an auditor in the decision to perform either compliance or substantive tests.

• This risk based approach emphasizes a good knowledge of the business and technology.

• It focuses on assessing the effectiveness of combining controls.

• It provides a linkage between risk assessment and testing while focusing on control objectives.

• This approach assesses the organization from a management perspective.

Page 67: Is Audit Overview16Jul2012

Audit Risk and Materiality of an Event

• An audit risk is the risk that the information/financial report may contain material error. It is also the risk that an auditor may not detect an error that has occurred.

• The materiality of an event refers to an error that should be considered significant to any party concerned with the event in question. It is based on professional judgment and includes consideration of the effect of the event on the organization as a whole and errors or risks that may arise as a result of control weaknesses in the area being investigated. In considering the materiality of any event, it should be in terms of the total impact on the organization.

Page 68: Is Audit Overview16Jul2012

Risk Management

• Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

• Business risks are the likelihood that a threat will negatively impact the assets, processes or objectives of a business or organization.

• Risk analysis is a part of audit planning and it helps to identify risks and vulnerabilities so that the auditor can determine the controls needed to mitigate these risks.

Page 69: Is Audit Overview16Jul2012

Risk Analysis cont.

• The IS auditor is concerned and often focused towards high risk issues associated with the confidentiality, integrity and availability of sensitive and critical information, and the underlying information systems and processes that generate, store, and manipulate such information.

• The IS auditor also assesses the effectiveness of an organization’s risk management process by carrying out risk assessment.


Page 70: Is Audit Overview16Jul2012

Risk Assessment

• Risk assessment involves an iterative life cycle that starts with identifying business objectives, information assets, and the underlying systems or resources that generate/store, use or manipulate the assets critical to achieving the set objectives of the business.

• This identifies threats to assets and determines their probabilities of occurrence and the resultant impacts, with additional safeguards that will help to mitigate the risks to acceptable levels defined by management.

Page 71: Is Audit Overview16Jul2012

Risk Mitigation

• Risk mitigation involves the identification of controls/countermeasures which, when applied to the identified risks to assets, will help to prevent or reduce them to acceptable levels.

• In assessing countermeasures to be applied, a cost-benefit analysis should be performed based on any or a combination of the following:
  – The cost of the control.
  – Management’s appetite for risk.
  – Preferred risk reduction methods.

Page 72: Is Audit Overview16Jul2012

Monitoring Mitigated Risk

• Risks which have been mitigated have to be continually monitored so as to identify any significant changes in the environment that would trigger reassessment warranting changes in the control environment.

• Note that risk assessment should be an ongoing process in an organization if risk management is to be effective.

Page 73: Is Audit Overview16Jul2012

Importance of Risk Management to IS Auditing.

• It identifies risks and threats to an IT environment and the IS which need to be addressed by management.
• It helps in the selection of audit areas/subjects.
• It aids a sound evaluation of controls in audit planning.
• It aids an IS auditor in determining audit objectives.
• It supports risk-based audit decision making.

Page 74: Is Audit Overview16Jul2012

Information Systems Audit and Control Association (ISACA)

• Started in 1967
• Today, ISACA’s membership—more than 50,000 strong worldwide—is characterized by its diversity. Members live and work in more than 140 countries and cover a variety of professional IT-related positions

Page 75: Is Audit Overview16Jul2012

ISACA Certifications

• CISA - CISA (Certified Information Systems Auditor) is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in IS auditing, control and security.

• CISA has grown to be globally recognized and adopted worldwide as a symbol of achievement. The CISA certification has been earned by more than 44,000 professionals since inception

Page 76: Is Audit Overview16Jul2012

CISM

• CISM (Certified Information Security Manager) is ISACA’s groundbreaking credential earned by over 5,500 professionals in its first two years. It is for the individual who must maintain a view of the "big picture" by managing, designing, overseeing and assessing an enterprise's information security.

Page 77: Is Audit Overview16Jul2012

Conducting IS Audit

• Auditors need guidelines
• Auditors evaluate the reliability of controls
• Controls reduce expected losses from unlawful events by
  – Decreasing the probability of the event occurring in the first place
  – Limiting the losses that arise if the event occurs
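Pages 71 and 77 describe the same idea from two sides: a control pays off by lowering the probability of an unlawful event or by limiting the loss when it does occur, and it is chosen on cost-benefit grounds against management's appetite for risk. The following Python is an added worked example, not code from the original slides; the threat, the three candidate controls with their costs and reduction factors, and the appetite figure are constructed sample values, and the greedy selection rule is an assumption of the example rather than a method the slides prescribe.

```python
"""Expected-loss model of controls: each control cuts the probability of an event
(preventive) or the loss if it happens (detective/corrective); it is worth applying
only if the reduction in expected loss exceeds its cost. Sample figures are constructed."""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    """An unlawful or undesirable event: annual probability and loss if it occurs."""
    name: str
    probability: float
    loss: float

    def expected_loss(self) -> float:
        return self.probability * self.loss


@dataclass(frozen=True)
class Control:
    """A control with its annual cost and the two ways it can reduce expected loss."""
    name: str
    cost: float
    prob_reduction: float = 0.0   # preventive: fraction removed from the probability
    loss_reduction: float = 0.0   # detective/corrective: fraction removed from the loss

    def apply(self, t: Threat) -> Threat:
        """Residual threat after this control is in place."""
        return replace(t,
                       probability=t.probability * (1.0 - self.prob_reduction),
                       loss=t.loss * (1.0 - self.loss_reduction))


def net_benefit(threat: Threat, control: Control) -> float:
    """Reduction in expected loss the control buys, minus what the control costs."""
    return threat.expected_loss() - control.apply(threat).expected_loss() - control.cost


def select_controls(threat: Threat, candidates: List[Control],
                    risk_appetite: float) -> Tuple[List[str], float, bool]:
    """Greedy rule (an assumption of this example): repeatedly add the control with
    the largest positive net benefit against the current residual threat, stopping
    when residual expected loss is within appetite or no control pays for itself.
    Returns (chosen control names, residual expected loss, within appetite?)."""
    residual = threat
    remaining = list(candidates)
    chosen: List[str] = []
    while residual.expected_loss() > risk_appetite and remaining:
        best = max(remaining, key=lambda c: net_benefit(residual, c))
        if net_benefit(residual, best) <= 0:
            break   # nothing left is worth its cost, even though appetite is not met
        chosen.append(best.name)
        residual = best.apply(residual)
        remaining.remove(best)
    return chosen, residual.expected_loss(), residual.expected_loss() <= risk_appetite


# Constructed sample figures (hypothetical; not taken from the slides).
SAMPLE_THREAT = Threat("unauthorized modification of master data", 0.2, 500_000.0)
CANDIDATE_CONTROLS = [
    Control("quarterly access-rights review", cost=10_000.0, prob_reduction=0.5),
    Control("daily verified backups", cost=5_000.0, loss_reduction=0.6),
    Control("24x7 monitoring team", cost=70_000.0, prob_reduction=0.9),
]
RISK_APPETITE = 15_000.0


def run_sample() -> Tuple[List[str], float, bool]:
    return select_controls(SAMPLE_THREAT, CANDIDATE_CONTROLS, RISK_APPETITE)


if __name__ == "__main__":
    chosen, residual, ok = run_sample()
    print("controls worth applying:", chosen)
    print(f"residual expected loss: {residual:,.0f} (within appetite: {ok})")
```

With these figures the backups and the access review both pay for themselves, the monitoring team does not, and the residual expected loss still exceeds the stated appetite, which is exactly the situation in which management must either accept the residual risk or look for a different risk reduction method.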

Page 78: Is Audit Overview16Jul2012

Deal with complexity

• Dividing systems to be evaluated into subsystems
• Evaluating reliability of subsystems and determining implications of each subsystem’s level of reliability for the overall reliability of the system
• Easy understanding and evaluation
• Loosely coupled with other subsystems and internally cohesive (perform a single function)

Page 79: Is Audit Overview16Jul2012

Major sets of systems

• Management system
  – Provide the stable infrastructure in which information systems can be built and operated on a day-to-day basis
• Application system
  – Undertake basic transaction processing, management reporting and decision support

Page 80: Is Audit Overview16Jul2012

Management Systems

• Factored into subsystems
  – Top level IS management
  – Systems development mgt
  – Programming mgt
  – Data mgt
  – Quality assurance
  – Security administration
  – Operation mgt

Page 81: Is Audit Overview16Jul2012

Application systems

• Factored into subsystems performing
  – Boundary
  – Input
  – Communication
  – Processing
  – Database
  – Output functions
• All IS audit involves evaluating the reliability of controls in each of these management and application subsystems

Page 82: Is Audit Overview16Jul2012

Risk mgt

• Function of three factors
  – Inherent risk
    • Which reflects the likelihood that a material loss or account misstatement exists in some segment of the audit before the reliability of internal controls is considered
  – Control risk
    • Which reflects the likelihood that internal controls in some segment of the audit will not prevent, detect or correct material losses or account misstatements that arise
  – Detection risk
    • Which reflects the likelihood that the audit procedures used in some segments of the audit will fail to detect material losses or account misstatements. Because auditors cannot influence inherent risk or control risk

Page 83: Is Audit Overview16Jul2012

Types of audit procedures

• Five
  – To obtain an understanding of controls
  – Test of controls
  – Substantive tests of details of transactions
  – Substantive tests of details of balances or overall results
  – Analytical review procedures

Page 84: Is Audit Overview16Jul2012

Five major steps in an audit

• Planning the audit, in which the auditor attempts to gain an understanding of the internal controls used within an organization

• Tests of controls, in which the auditor tests significant controls to evaluate whether they are operating effectively

• Tests of transactions – undertake substantive tests to evaluate whether a material loss or account misstatement has occurred or might occur

Page 85: Is Audit Overview16Jul2012

• Tests of balances or overall results – seek to obtain sufficient evidence to make a final judgement on the extent of losses or account misstatements that have occurred or might occur

• Completion of the audit – give an opinion on whether material losses or account misstatements have occurred or might occur


Page 86: Is Audit Overview16Jul2012

• Auditing around the computers
  – Application is simple, inherent risk is low, reliability of the system’s internal processing can be easily inferred
• Auditing through the computers