IS Audit Overview (16 Jul 2012)
MBA BT 513: Information System Audit
• Course Objectives
– Focuses on the audit and control aspects of information systems.
– Deals with the risks, controls and audit of information systems.
– Emphasizes the management control framework, data resource management controls, the application control framework and processing controls.
04/13/23 1
1. Management Control Framework
2. Application Control Framework
3. Evidence Collection
4. Evidence Evaluation
1. Management Control
a. Top management controls
b. Systems development management controls
c. Programming management controls
d. Data resource management controls
e. Security management controls
f. Operation management controls
g. Quality assurance management controls
a. Top management control
• Planning – types of plans, approaches, role of a steering committee
• Organizing – Resourcing, staffing, centralization/decentralization, internal organization, location
• Leading – motivation, leadership, effective communication
• Controlling – overall control, control of IS, control over users of IS
b. Systems Development management controls
• 3 types of reviews
• Normative model – to pinpoint strengths and weaknesses
• 6 major approaches
– SDLC approach – importance of well-controlled work phases
– Sociotechnical design approach – jointly optimizing the technical systems as well as the social systems
– Political approach – understanding the effects that systems can have on the distribution of organizational power
– Soft systems approach – provides ways of helping decision makers learn about ill-structured problems
– Prototyping approach – provides ways of helping resolve the uncertainty often surrounding systems-design tasks
– Contingency approach – the organizational context in which the system is being designed
13 phases provide an agenda of issues
• Problem/opportunity definition
• Management of the change process
• Entry and feasibility assessment
• Analysis of the existing system
• Formulation of strategic requirements
• Organizational and job design
• Information processing systems design
• Application software acquisition and development
• Hardware/system software acquisition
• Procedures development
• Acceptance testing
• Conversion
• Operation and maintenance
c. Programming management controls
• Objective – to produce or acquire, and to implement, high-quality programs
• Six major phases – Planning – Control – Design – Coding – Testing – Operation and maintenance
d. Data Resource management controls
• Objectives
– Users must be able to share data
– Data must be available when needed
– It must be possible to modify data fairly easily
– Integrity of data must be preserved
• DA & DBA
– Defining, creating, redefining and retiring data
– Making the DB available to users
– Informing and servicing users
– Maintaining DB integrity
– Monitoring operations and performance
e. Security management controls
• Ensuring that IS assets are secure
• 2 types – Physical – Logical
• The security administrator conducts a security program
– a series of ongoing, regular, periodic reviews
– steps: preparation of a project plan, identification of assets, valuation of assets, threat identification, threat likelihood assessment, exposures analysis, control adjustment and report preparation
f. Operation management controls
• Daily running of h/w and s/w facilities so that
– production application systems can accomplish their work
– development staff can design, implement and maintain application systems
g. Quality assurance management controls
• QA management ensures that the IS produced by the information systems function achieve certain quality goals, and that development, implementation, operation and maintenance of information systems comply with a set of quality standards
2. Application Control
i. Boundary controls
ii. Input controls
iii. Communication controls
iv. Processing controls
v. Database controls
vi. Output controls
i. Boundary controls
• The boundary subsystem establishes the interface between the would-be user of a computer system and the computer system itself
• 3 purposes
– To establish the identity and authenticity of would-be users
– To establish the identity and authenticity of the computer system resources that users wish to employ
– To restrict the actions undertaken by users who obtain computer resources to an authorized set
ii. Input controls
– The input subsystem is responsible for bringing both data and instructions into the information system
iii. Communication controls
– Physical component controls
– Line error controls
– Flow control
– Link control
– Topological controls
– Channel access controls
– Controls over subversive threats
– Internetworking, communication architecture and audit trail controls
iv. Processing controls
– Responsible for computing, sorting, classifying and summarizing data
– Central processor, real or virtual memory, OS, application programs
v. Database controls
– Defining, creating, modifying, deleting and reading data in an IS
– DBMS, application programs, processor
vi. Output controls
– Determine the content of data that will be provided to users, and how the data are formatted and presented
Need for IS Control & Audit
• Reliance on computer systems
– Survival of the organization
– Costs of data loss
– Costs of errors
– Inability to function
– Possibility of incorrect decisions
• Organizational costs of data loss
• Incorrect decision making
• Costs of computer abuse
• Value of computer hardware, software and personnel
• High costs of computer error
• Maintenance of privacy
• Controlled evolution of computer use
Need for IS Control & Audit
• Security & abuse – from inside & outside: hacking, viruses, access
– Destruction & theft of assets
– Modification of assets
– Disruption of operations
– Unauthorized use of assets
– Physical harm
– Privacy violations
What is Information System Audit
• Process of collecting and evaluating evidence to determine whether a (computerized) system:
– Safeguards assets
– Maintains data integrity
– Enables communications & access to information
– Achieves operational goals effectively
– Consumes resources efficiently
Objectives of IT/IS Audit (source: Ron Weber)
• Safeguarding of assets
• Improved data integrity
• Improved system effectiveness
• Improved system efficiency
Data Integrity
• Data attributes – completeness, soundness, purity
• Factors affecting the value of a data item
– The value of the informational content of the data item for individual decision making
– The extent to which the data item is shared among decision makers
– The value of the data item to competitors
System effectiveness
• The system accomplishes its objectives
• Evaluating effectiveness implies knowledge of user needs
• Auditors must know the characteristics of users and the decision-making environment
• Evaluated post-audit or during design stages
Systems efficiency
• Minimum resources to achieve its required objectives
Elements of IT/IS Audit
1. Physical and environmental
2. System administration
3. Application software
4. Application development
5. Network security
6. Business continuity
7. Data integrity
Objectives – Audit and Control
• Need to control & audit information systems
• IS AUDITING = collecting & evaluating evidence to determine if a system accomplishes its organizational tasks effectively & efficiently
• Understanding the organization & environment
• Understanding systems – EDP in particular
• Understanding the control approach
– Control – a system that prevents, detects, or corrects unlawful, undesirable or improper events
The Auditing Environment
• External vs. internal auditors
• External auditors provide increased assurance
– Fairness of financial statements
– Frauds & irregularities
– Ability to survive
• Internal auditors appraise and evaluate adequacy & effectiveness of controls
– Control – a system that prevents, detects, or corrects unlawful, undesirable or improper events
• Reporting – and responsibility – to the Board of Directors
The Auditing Environment – cont.
• Types of audit procedures
– To gain understanding of controls
– Tests of controls
– Substantive tests of details of transactions
– Substantive tests of balances and overall results
– Analytical review procedures
Assessing Reliability
• By controls
• By transaction
• By errors
Internal vs External
• The audit function can be performed internally or externally
• Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and help ensure conformance with managerial policies
• External audit is an audit conducted by an individual or firm that is independent of the company being audited
Internal Audit Reporting Structure (organization chart)
• Board Audit Committee / CEO
– Head of Audit Dept
– Head of Non-IT Audit – Non-IT Audit Team Members
– Head of IT Audit – IT Audit Team Members
Internal Auditors
• Responsible to the Board of Directors
• An internal control function
• Assist the organization in measurement & evaluation:
– Effectiveness of internal controls
– Achievement of organizational objectives
– Economy & efficiency of activities
– Compliance with laws and regulations
• Operational audits
Internal Auditors Scope of Work
• Safeguarding assets
• Compliance with policies and plans
• Accomplishment of established objectives
• Reliability & integrity of information
• Economical & efficient use of resources
The Internal Controls Framework
• Separation of duties
• Delegation of authority & responsibility
• System of authorizations
• Documentation & records
• Physical control over assets & records
• Management supervision
• Independent checks
• Recruitment & training
Internal Controls – Cont.
• Controls – pattern of activities:
– Preventive
– Detective
– Corrective
• Affect reliability
– Reduce failure probability
– Reduce expected loss in failure
• Reasonable assurance
• Based on cost-benefit considerations
External Auditors
• Responsible to stockholders and the public
– Via the Board of Directors
• Assess financial statement assertions
– Existence or occurrence
– Completeness
– Valuation and allocation
– Presentation and disclosure
– Rights and obligations
• Must test compliance with laws and regulations
• Must test for fraud and improprieties
• Rely on the internal control structure for planning the audit
External Auditors
• Audit (material misstatement) risk = product of
– Inherent risk (the assertion could be materially misstated)
– Control risk (the misstatement will not be prevented or detected on a timely basis by internal controls)
– Detection risk – inversely related to control and inherent risks
Roles of IT Audit Team (diagram; source: Chris Davis et al.)
• Layers covered, top to bottom: Entity-level controls – Physical facility – Network Intra – Operating system – Middleware – Database – Application
• IT auditor / information systems auditor – covers these layers and provides support for the financial auditor
Financial vs IT Audits
• Financial audit
– Official examination of accounts to see that they are in order
• IT audit
– "a review of the controls within an entity's technology infrastructure" – Wikipedia (www.wikipedia.org)
– Official examination of IT-related processes to see that they are in order
• Problems
– Financial audit – GAAP
– IT audit – ??
Financial vs IT Audits
• IT auditors may work on financial audit engagements
• IT auditors may work on every step of the financial audit engagement
• Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
• IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important
Auditing Standards
• Auditors are guided in their professional responsibility by the generally accepted auditing standards (GAAS).
Generally Accepted Auditing Standards
General Standards
– The auditor must have adequate technical training and proficiency to perform the audit.
– The auditor must maintain independence in mental attitude in all matters related to the audit.
– The auditor must use due professional care during the performance of the audit and the preparation of the report.
Standards of Field Work
– Audit work must be adequately planned.
– The auditor must gain a sufficient understanding of the internal control structure.
– The auditor must obtain sufficient, competent evidence.
Standards of Reporting
– The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles.
– The report must identify those circumstances in which generally accepted accounting principles were not applied.
– The report must identify any items that do not have adequate informative disclosures.
– The report shall contain an expression of the auditor's opinion on the financial statements as a whole.
Who is an IT Auditor?
• Also called an internal audit specialist, IT auditor or IS auditor
• May serve as a member of a consulting organization
• Generally a member of an enterprise internal audit organization
• A specialist who follows the standards and principles of the IIA and often ISACA as well
Roles and Responsibilities
• Ensures IT governance by assessing risks and monitoring controls over those risks
• Works as either internal or external auditor
• Works on many kinds of audit engagements
• Reviews and assesses enterprise management controls
• Reviews and performs tests of enterprise internal controls
• Reports to management
Job Tasks and Responsibilities
• Designs technology-based audit approaches; analyzes and evaluates enterprise IT processes
• Works independently or in a team to review enterprise IT controls
• Examines the effectiveness of information security policies and procedures
• Develops and presents training workshops for audit staff
• Conducts and oversees investigations of inappropriate computer use
• Performs special projects and other duties as assigned
Knowledge, Skills, Abilities
• Knowledge of auditing, IS and network security
• Investigation and process flow analysis skills
• Interpersonal/human relations skills
• Verbal and written communication skills
• Ability to exercise good judgment
• Ability to maintain confidentiality
• Ability to use IT desktop office tools, vulnerability analysis tools, and other IT tools
Minimum Qualifications
• Bachelor’s degree in Computer Science, computer programming or accounting
• Certified Information Systems Auditor (CISA) credentials or candidate
• Certified Internal Auditor credential preferred
The Role of IT Auditors in the Financial Audit Process (flow diagram, steps in order)
1. Develop an understanding and perform preliminary audit work
2. Evaluate the internal control system
3. Determine degree of reliance on internal controls
4. Develop audit plan
5. Perform substantive testing
6. Review work and issue audit report
7. Conduct follow-up work
Professional Groups and Certifications – Alphabet Soup
• ISACA – CISA
– The largest professional organization of IT auditors
• IIA – CIA
• ACFE – CFE
• AICPA – CPA and CITP
Certified Information Systems Auditor Credentials
• The prime professional credential for IT auditors
• More focused on IT audit
• Open to all individuals who have an interest and skills in information system audit, control and security
• The examination is four hours in duration and consists of 200 multiple-choice questions
• The test is offered each year in June and December at numerous worldwide locations
• Certification requires a minimum of five years of professional information system auditing, internal control or security-related work experience
CISA Examination Content Areas
• The IS audit process (10%)
• IT governance (15%)
• Systems and infrastructure life cycle (16%)
• IT service delivery and support (14%)
• Protection of information assets (31%)
• Business continuity and disaster recovery (14%)
Effects of computers on Internal Controls
• Separation of duties
• Delegation of authority and responsibility
• Competent and trustworthy personnel
• System of authorizations
• Adequate documents and records
• Physical control over assets and records
• Adequate management supervision
• Independent checks on performance
• Comparing recorded accountability with assets
Effects of computers on auditing
• Changes to evidence collection
• Changes to evidence evaluation
Effective IT Audit
• Early involvement
• Informal audits
• Knowledge sharing
• Self-assessments
Why IS Audit?
• Organizational cost of data loss
• Incorrect decision making
• Costs of computer abuse
• Value of hardware, software & personnel
• High costs of computer error
• Maintenance of privacy
• Controlled evolution of computer use
What is Information Systems Audit?
• Information Systems Auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively and uses resources efficiently. (Ron Weber)
• It is an independent examination of records/information that enables an opinion on the integrity of the controls put in place to safeguard systems. It should equally make recommendations on how these controls can be improved so as to mitigate risk to an acceptable level.
• It is any audit that encompasses the review and evaluation (wholly or partially) of automated information processing systems, their related non-automated processes and the interfaces between them.
In summary, IS auditing is the process of collecting and evaluating evidence to determine whether information systems and related resources are adequately safeguarding assets, maintaining data and system integrity, providing relevant and reliable information, achieving organizational goals effectively and consuming resources efficiently, and whether there are effective internal controls that provide reasonable and acceptable assurance that operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.
Objectives of IS Auditing
• Improves safeguarding of assets
• Ensures & maintains data integrity
• Improves system effectiveness
• Improves resource efficiency
• Ensures compliance with legislative, regulatory & contractual obligations
• Allows effective achievement of organizational goals
Organization of an IS Audit function
• The role of IS audit is established by an audit charter. This is a document that states in very clear terms management's responsibility and objectives for, and delegation of authority to, the IS audit function.
• It should outline the authority, scope & responsibilities of the audit function.
• Where the function is provided by a third-party firm, the scope and objectives should be documented in a formal contract or statement of work.
• Be it internal or external, the audit function should be independent and report to the board of directors or the audit committee where one is available.
IS Audit Plan
• It is Important to adequately plan for an IS audit.
• This should be done after a good understanding of the organization has been achieved.
Types of IS Audit Plan
• Short-term planning: takes into account audit issues that will be covered during the year.
• Long-term planning: relates to plans for risk-related issues that take into account changes in an organization's IT strategic direction which will affect the organization's IT environment.
Whatever type of audit plan is undertaken, it should be analyzed annually so as to take into account new control issues such as changes in the risk environment, technology and business processes, and enhanced evaluation techniques. The result of this analysis should be reviewed by senior audit management and approved by the audit committee or board of directors. This will enhance future audit activities and should be communicated to the relevant levels of management.
Performing an IS Audit
• In performing an IS audit, there is a need to develop and understand the audit methodology/strategy, which is a set of documented audit procedures designed to achieve the planned audit objectives.
• It is usually set and approved by audit management and has the following components:
1. Statement of scope
2. Statement of audit objectives
3. Statement of work program
Performing an IS Audit cont.
After the establishment of the strategy, the following phases make up a typical IS audit. These are the general audit procedures, which are the basic audit steps.
1. Obtaining/recording an understanding of the audit area/subject
2. A risk assessment and audit plan schedule
3. Detailed audit plan
4. Preliminary review of the audit area/subject
5. Evaluating the audit area/subject
6. Verifying the design of controls
7. Tests of implementation of controls (compliance testing)
8. Tests of operative effectiveness of controls (substantive testing)
9. Reporting/communicating audit results
10. Follow-up on the implementation of recommendations
Performing an IS Audit Plan
• Gain an understanding of the organization.
1. Tour key organizational facilities.
2. Gather background information about the organization.
3. Review business and IT long-term strategic plans.
4. Interview key managers to understand business processes and issues.
5. Review prior audit reports or IT-related reports (external/internal audits or regulatory review reports).
6. Identify specific regulations applicable to IT.
7. Identify IT functions or related activities that have been outsourced.
• Identify stated content, e.g. policies and organizational structure.
• Perform a risk analysis to help in designing the audit plan.
• Conduct a review of internal controls related to IT.
• Set the audit scope and objectives.
• Develop the audit approach and strategy.
• Identify the technical skills and resources needed.
• Assign personnel resources to the audit.
Performing an IS Audit cont.
• In performing an IS audit, a risk-based approach is used in assessing the risks and to help the auditor decide whether to perform compliance or substantive tests.
• This risk-based approach emphasizes a good knowledge of the business and technology.
• It focuses on assessing the effectiveness of controls in combination.
• It provides a linkage between risk assessment and testing while focusing on control objectives.
• This approach assesses the organization from a management perspective.
Audit Risk and Materiality of an Event
• Audit risk is the risk that the information/financial report may contain a material error. It is also the risk that an auditor may not detect an error that has occurred.
• The materiality of an event refers to an error that should be considered significant to any party concerned with the event in question. It is based on professional judgment and includes consideration of the effect of the event on the organization as a whole and of errors or risks that may arise as a result of control weaknesses in the area being investigated. The materiality of any event should be considered in terms of the total impact on the organization.
Risk Management
• Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
• Business risk is the likelihood that a threat will negatively impact the assets, processes or objectives of a business or organization.
• Risk analysis is a part of audit planning and helps to identify risks and vulnerabilities so that the auditor can determine the controls needed to mitigate these risks.
Risk Analysis cont.
• The IS auditor is concerned with, and often focused on, high-risk issues associated with the confidentiality, integrity and availability of sensitive and critical information, and the underlying information systems and processes that generate, store and manipulate such information.
• The IS auditor also assesses the effectiveness of an organization's risk management process by carrying out a risk assessment.
Risk Assessment
• Risk assessment is an iterative life cycle that starts with identifying business objectives, information assets, and the underlying systems or resources that generate, store, use or manipulate the assets critical to achieving the set objectives of the business.
• It then identifies threats to those assets, determines their probabilities of occurrence and the resultant impacts, and specifies the additional safeguards that will help to mitigate the risks to the acceptable levels defined by management.
Risk Mitigation
• Risk mitigation involves the identification of controls/countermeasures which, when applied to the identified risks to assets, will help to prevent or reduce them to acceptable levels.
• In assessing countermeasures to be applied, a cost-benefit analysis should be performed based on any or a combination of the following:
– The cost of the control
– Management's appetite for risk
– Preferred risk reduction methods
Monitoring Mitigated Risk
• Risks which have been mitigated have to be continually monitored so as to identify any significant changes in the environment that would trigger a reassessment warranting changes in the control environment.
• Note that risk assessment should be an ongoing process in an organization if risk management is to be effective.
Importance of Risk Management to IS Auditing
• It identifies the risks and threats to an IT environment and the IS which need to be addressed by management.
• It helps in the selection of audit areas/subjects.
• It aids a sound evaluation of controls in audit planning.
• It aids an IS auditor in determining audit objectives.
• It supports risk-based audit decision making.
Information Systems Audit and Control Association (ISACA)
• Started in 1967
• Today, ISACA's membership, more than 50,000 strong worldwide, is characterized by its diversity. Members live and work in more than 140 countries and cover a variety of professional IT-related positions
ISACA Certifications
• CISA (Certified Information Systems Auditor) is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in IS auditing, control and security.
• CISA has grown to be globally recognized and adopted worldwide as a symbol of achievement. The CISA certification has been earned by more than 44,000 professionals since inception.
• CISM (Certified Information Security Manager) is ISACA's groundbreaking credential, earned by over 5,500 professionals in its first two years. It is for the individual who must maintain a view of the "big picture" by managing, designing, overseeing and assessing an enterprise's information security.
Conducting IS Audit
• Auditors need guidelines
• Auditors evaluate the reliability of controls
• Controls reduce expected losses from unlawful events by
– Decreasing the probability of the event occurring in the first place
– Limiting the losses that arise if the event occurs
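The slides state the expected-loss view of controls three times (controls reduce failure probability and expected loss in failure; cost-benefit considerations; risk mitigation weighed against the cost of the control and management's risk appetite) without showing the arithmetic an auditor or control owner would actually run. The block below is an added example, not code from the slides or from any of the cited authors: it models each control as a factor on the event probability and on the loss, ranks candidate controls by net benefit, and checks the residual expected loss against an assumed risk appetite. The exposure, the three candidate controls and every figure are constructed for illustration.

```python
"""Expected-loss view of controls (added example, not from the slides).

A control is worth adopting when the reduction in expected loss it buys
exceeds its annual cost, and the residual expected loss after the chosen
controls must sit within the level management is prepared to accept.
All names and figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One unlawful or undesirable event: how likely per year, how costly."""
    name: str
    probability: float   # annual probability the event occurs (0..1)
    loss: float          # loss suffered if it occurs

    def expected_loss(self) -> float:
        return self.probability * self.loss


@dataclass(frozen=True)
class Control:
    """A control acts on one or both factors of expected loss: preventive
    controls lower the probability, detective/corrective controls limit the
    loss once the event has occurred. A factor of 1.0 means no effect."""
    name: str
    annual_cost: float
    probability_factor: float = 1.0   # 0.2 means probability drops to 20%
    loss_factor: float = 1.0          # 0.3 means loss drops to 30%

    def apply(self, exposure: Exposure) -> Exposure:
        return Exposure(exposure.name,
                        exposure.probability * self.probability_factor,
                        exposure.loss * self.loss_factor)


def net_benefit(exposure: Exposure, control: Control) -> float:
    """Expected loss avoided by the control minus what the control costs."""
    avoided = exposure.expected_loss() - control.apply(exposure).expected_loss()
    return avoided - control.annual_cost


def residual_expected_loss(exposure: Exposure, controls: list[Control]) -> float:
    """Expected loss that remains after all given controls are applied in turn."""
    for control in controls:
        exposure = control.apply(exposure)
    return exposure.expected_loss()


def select_controls(exposure: Exposure, candidates: list[Control],
                    risk_appetite: float) -> tuple[list[Control], float, bool]:
    """Keep only controls that pay for themselves, best first, then check
    whether the residual expected loss is within management's appetite."""
    worthwhile = sorted((c for c in candidates if net_benefit(exposure, c) > 0),
                        key=lambda c: net_benefit(exposure, c), reverse=True)
    residual = residual_expected_loss(exposure, worthwhile)
    return worthwhile, residual, residual <= risk_appetite


# Constructed scenario: an unauthorised payment run through the AP system.
UNAUTHORISED_PAYMENT = Exposure("unauthorised payment", probability=0.10, loss=500_000.0)

# Constructed candidate controls (costs and factors are assumptions).
CANDIDATES = [
    Control("dual authorisation of payments", annual_cost=8_000.0, probability_factor=0.2),
    Control("daily bank reconciliation", annual_cost=15_000.0, loss_factor=0.3),
    Control("real-time payment fraud analytics", annual_cost=60_000.0,
            probability_factor=0.05, loss_factor=0.5),
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name:36s} net benefit {net_benefit(UNAUTHORISED_PAYMENT, c):>10,.0f}")
    chosen, residual, ok = select_controls(UNAUTHORISED_PAYMENT, CANDIDATES, risk_appetite=5_000.0)
    print("chosen:", [c.name for c in chosen], "residual:", round(residual), "within appetite:", ok)
```

With these figures the expensive analytics control has the largest gross reduction but a negative net benefit, so it is rejected; the two cheaper controls together bring the residual expected loss from 50,000 to 3,000, which is within a 5,000 appetite but not within a 1,000 one. That last case is the situation the risk mitigation slide describes: the chosen controls do not reach the acceptable level, so management must either accept the residual or revisit the preferred risk reduction methods.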
Dealing with complexity
• Dividing the system to be evaluated into subsystems
• Evaluating the reliability of each subsystem and determining the implications of each subsystem's level of reliability for the overall reliability of the system
• Subsystems should be easy to understand and evaluate
• Subsystems should be loosely coupled with other subsystems and internally cohesive (perform a single function)
Major sets of systems
• Management systems – provide the stable infrastructure in which information systems can be built and operated on a day-to-day basis
• Application systems – undertake basic transaction processing, management reporting and decision support
Management Systems
• Factored into subsystems
– Top-level IS management
– Systems development management
– Programming management
– Data management
– Quality assurance
– Security administration
– Operations management
Application Systems
• Factored into subsystems performing
– Boundary
– Input
– Communication
– Processing
– Database
– Output functions
• All IS audit involves evaluating the reliability of controls in each of these management and application subsystems
Risk mgt
• Audit risk is a function of three factors
– Inherent risk – which reflects the likelihood that a material loss or account misstatement exists in some segment of the audit before the reliability of internal controls is considered
– Control risk – which reflects the likelihood that internal controls in some segment of the audit will not prevent, detect or correct material losses or account misstatements that arise
– Detection risk – which reflects the likelihood that the audit procedures used in some segment of the audit will fail to detect material losses or account misstatements. Because auditors cannot influence inherent risk or control risk
Types of audit procedures
• Five
– To obtain an understanding of controls
– Tests of controls
– Substantive tests of details of transactions
– Substantive tests of details of balances or overall results
– Analytical review procedures
Five major steps in an audit
• Planning the audit, in which the auditor attempts to gain an understanding of the internal controls used within an organization
• Tests of controls, in which the auditor tests significant controls to evaluate whether they are operating effectively
• Tests of transactions – undertake substantive tests to evaluate whether a material loss or account misstatement has occurred or might occur
• Tests of balances or overall results – seek to obtain sufficient evidence to make a final judgement on the extent of losses or account misstatements that have occurred or might occur
• Completion of the audit – give an opinion on whether material losses or account misstatements have occurred or might occur
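The slides present the audit risk model (audit risk as the product of inherent, control and detection risk, with detection risk the only factor the auditor sets), the risk-based choice between compliance and substantive testing, and the five audit steps as separate bullets. The block below is an added example, not code from the slides or from any cited author, that runs them as one chain over constructed data: a test of controls over change records (the control being that every production change carries an approval by someone other than the implementer, a separation-of-duties and authorization control), a control-risk assessment from the observed deviation rate, the detection risk that follows from a target audit risk, the extent of substantive testing that detection risk implies, and a substantive test of details comparing recorded amounts with source documents. The tolerable deviation rate, the numeric risk factors, the extent mapping and all records are assumptions for illustration; real engagements set these from audit policy and sampling tables.

```python
"""Test of controls, control-risk assessment and substantive test over
constructed data (added example, not from the slides).

Control under test: every production change must carry an approval
recorded by someone other than the implementer. The deviation rate from
the test of controls drives the control-risk assessment; the audit risk
model AR = IR x CR x DR then fixes the detection risk the auditor may
accept, which sets how much substantive testing is needed. The tolerable
deviation rate, the risk factors and the extent mapping are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Change:
    ticket: str
    implemented_by: str
    approved_by: Optional[str]   # None: no approval recorded


def control_deviations(changes: list[Change]) -> list[str]:
    """Test of controls: tickets with no approval, or approved by the implementer."""
    return [c.ticket for c in changes
            if c.approved_by is None or c.approved_by == c.implemented_by]


def assess_control_risk(changes: list[Change], tolerable_rate: float = 0.05) -> float:
    """Map the observed deviation rate to a control-risk factor (assumed
    scale: 0.3 when the control can be relied on, 1.0 when it cannot)."""
    rate = len(control_deviations(changes)) / len(changes)
    return 0.3 if rate <= tolerable_rate else 1.0


def planned_detection_risk(audit_risk: float, inherent_risk: float,
                           control_risk: float) -> float:
    """AR = IR x CR x DR solved for DR. The auditor cannot change IR or CR,
    so the higher they are, the lower the detection risk that can be accepted."""
    return min(1.0, audit_risk / (inherent_risk * control_risk))


def substantive_extent(detection_risk: float) -> float:
    """Fraction of the population to examine substantively (assumed mapping):
    a low acceptable detection risk means more substantive work."""
    if detection_risk < 0.10:
        return 1.0
    if detection_risk < 0.30:
        return 0.5
    return 0.25


@dataclass(frozen=True)
class Transaction:
    ref: str
    recorded: float          # amount in the ledger
    source_document: float   # amount on the supporting document


def substantive_test(transactions: list[Transaction], materiality: float) -> tuple[dict, bool]:
    """Substantive test of details: recorded amount versus source document.
    Returns the misstatements found and whether, in aggregate, they are material."""
    misstatements = {t.ref: round(t.recorded - t.source_document, 2)
                     for t in transactions if t.recorded != t.source_document}
    total = sum(abs(v) for v in misstatements.values())
    return misstatements, total >= materiality


# Constructed sample of 20 change records; CHG-07 has no recorded approval.
CHANGES = [Change(f"CHG-{n:02d}", "alice" if n % 2 else "bob",
                  None if n == 7 else "carol") for n in range(1, 21)]

# Constructed transactions; INV-104 is recorded 200 above its invoice.
TRANSACTIONS = [
    Transaction("INV-101", 1_000.0, 1_000.0),
    Transaction("INV-102", 2_500.0, 2_500.0),
    Transaction("INV-103", 780.0, 780.0),
    Transaction("INV-104", 1_200.0, 1_000.0),
    Transaction("INV-105", 3_300.0, 3_300.0),
]


def plan_and_test(changes, transactions, audit_risk=0.05, inherent_risk=0.8,
                  materiality=500.0):
    """Run the steps in order and return the planning figures and findings."""
    cr = assess_control_risk(changes)
    dr = planned_detection_risk(audit_risk, inherent_risk, cr)
    misstatements, material = substantive_test(transactions, materiality)
    return {"deviations": control_deviations(changes), "control_risk": cr,
            "detection_risk": round(dr, 4), "extent": substantive_extent(dr),
            "misstatements": misstatements, "material": material}


if __name__ == "__main__":
    print(plan_and_test(CHANGES, TRANSACTIONS))
```

With one deviation in twenty the control is relied upon, detection risk comes out at about 0.21 and half the population is examined; add one self-approved change and the deviation rate exceeds the tolerable rate, control risk goes to 1.0, detection risk falls to 0.0625 and the whole population must be tested. That is the inverse relationship between control risk and detection risk stated on the slides, made operational.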
• Auditing around the computer – appropriate when the application is simple, inherent risk is low, and the reliability of the system's internal processing can be easily inferred
• Auditing through the computer