UNIT1 LBYMODT.pdf

AFRICA. DATOR. FRANCISCO. YU UNIT 1: IT Overview

Transcript of UNIT1 LBYMODT.pdf

Page 1: UNIT1 LBYMODT.pdf

AFRICA. DATOR. FRANCISCO. YU

UNIT 1: IT Overview

Page 2: UNIT1 LBYMODT.pdf

Introduction

The demand for IT auditors outweighs the supply of qualified candidates, due to advances in technology and appreciation of the profession in the business sector.

Not only are IT auditors in demand, but their work is also interesting and challenging.

IT auditors evaluate an entity's information system. This may include examining documents and interviewing people as well.

This must be done because business processes use IT to function, and IT is likely to be integral to an entity's viability.


Page 3: UNIT1 LBYMODT.pdf

Impact of IT in Organizations

IT influences organizational risks and controls. IT creates opportunities, but these carry many kinds of risks.

Example: the ability to transmit documents electronically to customers and vendors.

- Opportunity: improved efficiency in the supply chain
- Risk: potential failure of electronic communication


Page 4: UNIT1 LBYMODT.pdf

IT GOVERNANCE

IT governance is the process of controlling an organization's information technology resources, which include information and communication systems as well as technology.

Enterprise governance is the process of setting and implementing corporate strategy.

Management and owners share responsibility for managing both the enterprise and IT.


Page 5: UNIT1 LBYMODT.pdf

IT governance is an important part of enterprise governance because of:

- organizational dependency on information and communication
- scale of IT investment
- potential strategic opportunities
- level of IT risk

IT governance also requires controlling the IT process to ensure that it complies with regulatory, legal, and contractual requirements.


Page 6: UNIT1 LBYMODT.pdf

IT GOVERNANCE

Objective of IT governance: to set strategies for IT so that it is closely aligned with organizational goals, and to use IT for maximum opportunity but minimum risk.

The first part concerns the use of IT to promote the organization's objectives and enable business processes.

The second part involves managing and controlling IT-related risks.


Page 7: UNIT1 LBYMODT.pdf

IT GOVERNANCE

This process begins with the development of an IT governance plan. Such a plan helps set the strategic course of IT acquisition and deployment or use.

IT governance is an ongoing process, and management needs to regularly evaluate and update its plans.


Page 8: UNIT1 LBYMODT.pdf

IT GOVERNANCE INSTITUTE

The Information Systems Audit and Control Association (ISACA) established the IT Governance Institute in 1998.

This institute exists to clarify and provide guidance on current and future issues pertaining to IT governance, control and assurance.

It developed CobiT and COEG. CobiT provides guidance on IT governance by providing the structure that links IT processes, IT resources and information to enterprise strategies and objectives.


Page 9: UNIT1 LBYMODT.pdf

Guideline:

“Governance over information technology and its processes with the business goal of adding value, while balancing risk versus return, ensures delivery of information to the business that addresses the required Information Criteria and is measured by Key Goal Indicators, is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value and delivery of IT, considers Critical Success Factors that leverage all IT Resources and is measured by Key Performance Indicators.”


Page 10: UNIT1 LBYMODT.pdf

IT GOVERNANCE FRAMEWORK

Set Objectives:
- IT is aligned with the business
- IT enables the business and maximizes benefits
- IT resources are used responsibly
- IT-related risks are managed appropriately

Provide Direction / Measure Performance / Compare (diagram labels linking the objectives to the IT activities)

IT Activities:
- Increase automation (make the business effective)
- Decrease cost (make the enterprise efficient)
- Manage risks (security, reliability and reliance)


Page 11: UNIT1 LBYMODT.pdf

While IT is just plain good business practice, it is also a possible source of competitive advantage.

Organizations that leverage IT effectively are likely to create more value for customers and other stakeholders.

Lack of return on IT investments and security failures are also reasons why organizations should invest in developing IT governance plans and policies.


Page 12: UNIT1 LBYMODT.pdf

IT AND TRANSACTION PROCESSING

Part of IT governance concerns controlling IT risk. This is important in enterprises because management uses IT to process data about ongoing transactions or events.

A computerized information system for transaction processing may increase some risks and decrease others.


Page 13: UNIT1 LBYMODT.pdf

Example 1: In sales, compare a sales clerk who manually records data and may make a data entry error with a computer system that scans an inventory barcode and will not make that mistake. Therefore, IT decreases the risk.

Example 2: If the database administrator has accidentally mismatched an inventory item description and item number, then every sale of that inventory item will be recorded incorrectly.

Overall, use of IT can reduce risks due to human error, but it can also increase them.

Page 14: UNIT1 LBYMODT.pdf

WORK OF AN IT AUDITOR

Changes in risks dictate changes in how an auditor needs to work. Example: an auditor may need to look at a computer program to make sure the system logic is correct. Auditors ensure IT governance and, in doing so, assess IT risks and implement or monitor the controls over those risks.

The roles of IT auditors vary with their position within or outside the organization and with each individual project. The level of expertise needed for an engagement also varies.


Page 15: UNIT1 LBYMODT.pdf

WORK OF AN IT AUDITOR

Basically, an IT auditor can provide assurance or give comfort over just about anything related to information systems, but some of the specific types of engagements an IT auditor might perform include:

- Evaluating controls over specific applications
- Providing assurance over specific processes
- Providing third-party assurance
- Penetration testing
- Supporting financial audits
- Searching for IT-based fraud


Page 16: UNIT1 LBYMODT.pdf

Relationship Between Financial and IT Audits

The objective of a financial statement audit is to ensure that an organization's public financial instruments are presented in accordance with generally accepted accounting principles.

Page 17: UNIT1 LBYMODT.pdf

Relationship Between Financial and IT Audits

In the course of an audit engagement, financial auditors analyze an organization's internal control system to assess the degree to which it appears to be operating effectively.

As organizations have increased their reliance on computer technology in processing transactions and reporting information, it has become increasingly difficult for financial auditors to ignore IT in their audits.

Page 18: UNIT1 LBYMODT.pdf

Relationship Between Financial and IT Audits

Today's complex IT environments call for an evaluation of the information system as part of the financial audit.

SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit, requires auditors to understand both manual and computerized processes for financial statement presentation and to recognize the additional risks and benefits of IT relative to internal control.

Page 19: UNIT1 LBYMODT.pdf

Relationship Between Financial and IT Audits

It also notes that auditors need specialized skills in order to understand IT controls and the impact of IT on a financial statement audit.

Auditors are to acquire those skills themselves or obtain assistance from a specialized IT auditor.

Page 20: UNIT1 LBYMODT.pdf

Relationship Between Financial and IT Audits

The Sarbanes-Oxley Act of 2002 mandates that management assess and make representations about internal controls.

Auditors will need to test those controls and provide assurance about management's representations.

Page 21: UNIT1 LBYMODT.pdf

IT Audit Skills: Technical Skills

– IT auditors acquire specialized technology skills as they work with different platforms and software applications.

Page 22: UNIT1 LBYMODT.pdf

IT Audit Skills: General Personal and Business Skills

– Communication skills
– Interpersonal skills and teamwork
– Business education
– Decision sciences

Page 23: UNIT1 LBYMODT.pdf

Professional IT Auditor Organizations and Certifications: Information Systems Audit and Control Association (ISACA)

- 1969; the largest professional organization of IT auditors
- Information Systems Audit and Control Foundation: conducts research and issues publications that guide IT audit professionals
- IT Governance Institute
- CISA: the most highly valued global credential for IT auditors; 1978: CISA certification
- CISM: for non-audit security professionals

Page 24: UNIT1 LBYMODT.pdf

Professional IT Auditor Organizations and Certifications: Institute of Internal Auditors (IIA)

- 1941; international organization of internal auditing professionals
- Issues the CIA credential
- Promotes the practice of internal auditing through quality assurance
- IIA's membership: internal auditors (AICPA), (IMA)
- IT auditor: may be either an external auditor or a member of an organization's internal audit staff

Page 25: UNIT1 LBYMODT.pdf

Professional IT Auditor Organizations and Certifications: Association of Certified Fraud Examiners (ACFE)

- Issues the CFE credential to professionals who specialize in auditing for fraud

Page 26: UNIT1 LBYMODT.pdf

Professional IT Auditor Organizations and Certifications: American Institute of Certified Public Accountants (AICPA)

- Confers the CPA license
- 1934: the SEC required companies to have their FS audited by CPAs
- CPA: provides a good foundation for an IT auditor
- 2000: introduced the CITP, a CPA who has specialized expertise in IT

Page 27: UNIT1 LBYMODT.pdf

Structuring IT Audits: Types of IT audits

1. Attestations or agreed-upon procedures audits
2. Statement on Auditing Standards No. 70 audits: the service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes.
3. IT audits in support of external financial audits
4. Findings and recommendations reviews

Page 28: UNIT1 LBYMODT.pdf

Standards and Guidelines IT auditors use: 1. AICPA Audit Standards and Guidelines

- ASB: in 1947 issued GAAS (general, fieldwork, and reporting standards).
- SAS: interpretations of GAAS.
- SSAE: perform an attestation; the auditor issues a report stating a conclusion about the reliability of subject matter that is the responsibility of someone else.
- SSAE No. 10, Attestation Standards: Revision and Recodification, superseded all previous attestation engagement statements.
- Auditors are increasingly involved in providing assurance over nonfinancial information.

Page 29: UNIT1 LBYMODT.pdf

Standards and Guidelines IT auditors use: 2. International Federation of Accountants (IFAC) Guidelines

- International umbrella organization of national professional accountancy groups (management, auditing, education, tax).
- Classification of the member organizations: full members, associate members, affiliate members.
- Mission: develop harmonized or common international accounting standards and guidelines to assist professionals in their work.
- Types of guidance of use to IT auditors:
  - IFAC Handbook of International IT Guidelines: provides direction concerning IT areas.
  - ISAs: financial statement audits.
  - IAPSs: implementing the standards.

Page 30: UNIT1 LBYMODT.pdf

Standards and Guidelines IT auditors use: 3. ISACA Standards, Guidelines, and Procedures

- Standards: prescribe minimum performance levels required to comply with ISACA's Code of Professional Ethics. A licensed CISA must comply with ISACA standards.
- Guidelines: provide help in applying the standards.
- CobiT: ISACA's IT governance framework, used for assessing and advising management about internal controls. It includes a set of audit guidelines that provide IT auditors with a structure for internal control evaluation.

Page 31: UNIT1 LBYMODT.pdf

COBIT FRAMEWORK

Issue: good IT governance. Possible key: the COBIT Framework.

Page 32: UNIT1 LBYMODT.pdf

COBIT FRAMEWORK: Review…

One of many control frameworks developed to help companies develop good internal control.

Developed by the IASCF (Information System Audit and Control Foundation).

Allows:
1. Management to benchmark IT practices.
2. Users of IT services to be assured that adequate security and control exist.
3. Auditors to substantiate their opinions on internal control and advise on IT security and control matters.


Page 33: UNIT1 LBYMODT.pdf

COBIT FRAMEWORK: Review…

Addresses the issue of control from 3 vantage points:
1. Business objectives: conform with business requirements.
2. IT resources: people, application systems, technology, facilities and data.
3. IT processes: (a) planning and organizing, (b) acquisition and implementation, (c) delivery and support, (d) monitoring and evaluation.

- Consolidates 36 standards in a single framework.
- Helps in balancing risk and control.


Page 34: UNIT1 LBYMODT.pdf

COBIT FRAMEWORK: According to ISACA

- Accepted globally as a set of tools that ensures IT is working effectively
- Functions as an overarching framework
- Provides a common language to communicate goals, objectives and expected results to all stakeholders
- Based on, and integrates, industry standards and good practices in:
  ● Strategic alignment of IT with business goals
  ● Value delivery of services and new projects
  ● Risk management
  ● Resource management
  ● Performance measurement

Page 35: UNIT1 LBYMODT.pdf

COBIT FRAMEWORK: ISACA

How does COBIT support the governance of IT?

COBIT supports IT governance by providing a framework to ensure that:
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT risks are managed appropriately


Page 36: UNIT1 LBYMODT.pdf

COBIT FRAMEWORK: According to ISACA

[Diagram: IT Governance focus areas: Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement]

COBIT is based on the analysis and harmonization of existing IT standards and good practices and conforms to generally accepted governance principles. It is positioned at a high level, driven by business requirements, covers the full range of IT activities, and concentrates on what should be achieved rather than how to achieve effective governance, management and control. Therefore, it appeals to executive management; business and IT management; governance, assurance and security professionals; and IT audit and control professionals.

Page 37: UNIT1 LBYMODT.pdf

COBIT FRAMEWORK: According to ISACA


Page 38: UNIT1 LBYMODT.pdf

COBIT FRAMEWORK: ISACA updates

ISACA has started a multiyear strategic initiative to develop the next generation of the COBIT Framework, COBIT 5, and supporting products. Building on more than fifteen years of practical use of COBIT by many IT professionals from the business, IT, risk management, security and assurance communities, the COBIT 5 deliverables will be designed to meet the current and future needs of stakeholders and align with the most up-to-date thinking in enterprise governance and IT management practices.
