IS Audit Training

Day 1 Introduction to IS Audit

Objective

This seminar is not about:

Hardware technology

This seminar is about:

Introducing the concepts of IS

auditing

Software technology
Specific computer application

Sharing experiences in
conducting IS auditing

Detailing a certain sophisticated

IS audit techniques

Introducing practical approach to

conduct IS auditing

2006 Veda Praxis

Control Advisory

Page 2

Outline
The need for control and audit of computers
IS auditing definition
Foundation of IS auditing
IS Audit Profession
ISACA
Certified Information System Auditor (CISA)

2006 Veda Praxis

Control Advisory

Page 3

The need for control and audit of computers

Organizational costs of data loss
Incorrect decision making
Computer abuse
Value of computer hardware, software and personnel
High cost of computer error
Privacy protection

2006 Veda Praxis

Control Advisory

Page 4

Organizational costs of data loss

Tangible or intangible cost caused by data loss (disaster, virus, etc.)
long-run survival
Bankruptcy
Nike lost $100 million dollars in
February 2001 when they experienced
data problems after implementing a
new ordering system

2006 Veda Praxis

Control Advisory

Page 5

Incorrect decision making

Data accuracy versus management level
Impact:
Unnecessary investigation
Undetected error
A UK bank discovered it lost approx
90 million due to data errors in a
computer model used to evaluate
investment positions

2006 Veda Praxis

Control Advisory

Page 6

Computer abuse
Threats to business include the following:

Financial loss loss of electronic funds,

Legal repercussions lawsuit from investor,

Loss of credibility security violation can damage credibility,

Blackmail/industrial espionage exploit security breach,

Disclosure of confidential , sensitive or embarassing information,

Sabotage dislike of the organization/self gratification,

Pos sible perpetrators include the following:

Hackers (Script kiddies, Hack-activist , Criminal hackers/crackers),

Employees (authorized or unauthorized) IS personnel and End Users,

Former employees,

Interested or educated outsiders (competitor, foreigners, organized criminals),

Part-time and temporary personnel,

Vendors and consultants,

Accidental ignorant Someone who unknowingly perpetrates a violation

2006 Veda Praxis

Control Advisory

Page 7

Value of hardware, software and personnel

Big investment on hardware, software & personnel
Hardware loss: disruption of service
Software/data loss: going concerns issue
Personnel loss: lack of well-trained staff

2006 Veda Praxis

Control Advisory

Page 8

High cost of computer error

Computers perform many critical functions

The impact would be varied depending on the erred

functions
A Michigan retailer spends 2.4 million
dollars per annum to affix tags on items
after numerous pricing errors.
A US transportation company analysed
by MIT were found to have missed 77%
of deliveries through poor data quality
and usage, causing an estimated loss of
market share valued at $1 billion in
sales.

2006 Veda Praxis

Control Advisory

Page 9

Privacy protection

Relates to concentration of
personal data in a centralized
database

The computer powerful

capability poses high risk of
data leakage

Protection over customer data,

company transactions files, etc.

2006 Veda Praxis Control Advisory

Page 10

IS auditing definition
Information systems auditing is defined as any audit that encompasses the review and
evaluation of any aspect of automated information processing systems, including related
non-automated processes, and the interfaces between them.
--ISACA-IS auditing is the process of collecting and evaluating evidence to determine whether a
computer system safeguard assets, maintains data integrity, achieves organizational
goals effectively, and consumes resources efficiently
--Ron Weber-IS auditing is the process of evaluating and reporting the adequacy of system controls,
efficiency, economy, effectiveness, and security practices to assure that computerrelated assets and information resources are safeguarded, that data integrity is
protected, and that the system is complies with applicable policies, procedures,
standards, rules, laws, and regulations.
--S. Rao Valabhaneni--

2006 Veda Praxis

Control Advisory

Page 11

IS auditing definition...
Asset safeguarding objectives

The assets of a computer installation include hardware, software, people,

data files, system documentation, and supplies

They must be protected by a system of internal control

Data integrity objectives

data completeness

data soundness

data purity

data veracity

2006 Veda Praxis

Control Advisory

Page 12

IS auditing definition...

System effectiveness objectives

Aligned with business objectives

Fulfilled business requirements

System efficiency objectives

An efficient data processing system uses minimum resources to achieve its required output.

Normally measured using the following parameters:

computer time
peripherals
channels
system software
labor

2006 Veda Praxis

Control Advisory

Page 13

Foundation of IS auditing

Traditional
auditing

Information
systems
management

Information
systems
auditing
Computer
Science

2006 Veda Praxis

Control Advisory

Behavioral
science

Page 14

Foundation of IS auditing
Traditional auditing

Controls philosophy

Information systems management

Better ways of developing and implementing information systems

Behavioral science

Impact of computer systems on task accomplishment, technical system,

and the quality of work life of individual within organization

Computer science

Reliable hardware and software

2006 Veda Praxis

Control Advisory

Page 15

IS Audit Profession
MATTERS

INFORMATION SYSTEMS AUDITOR

FINANCIAL/ INTERNAL
AUDITOR

Standards

Generally Accepted IT Controls

Principle (CoBIT)

GAAP/SAS 78: Internal

Controls

Auditee:

IT Division

Mostly Finance & Accounting

Department/ All functions of
Organization

Professional
Organization

ISACA

AICPA/IIA

Qualification

CISA

Career objectives:

Chief Information Officer, Consultants:

Auditor/Advisor for Information
Systems/Technology Control

2006 Veda Praxis

Control Advisory

CPA/CIA

Chief Financial Officer, Head

of Internal Audit Division

Page 16

IS Auditor vs Consultant
Differences

IS Auditor

IT Consultant

Design, plan, implement and

test

No

Yes

Sell product

No

Yes

Report (to the public or the

management)

Yes

No

Review

Yes

No

Independent Entity

Depends on contract

Independence

2006 Veda Praxis

Control Advisory

Page 17

ISACA
Information Systems Audit and Control Association (ISACA) is a
recognized global leader in IT governance, control and assurance. ISACA
sponsors international conferences, administers the globally respected
CISA
Founded in 1969,
Now more than 22,000 members in over 100 countries,
Develops globally-applicable Information Systems (IS) Auditing and
Control Standards, COBIT (Control Objectives for Information Related
Technology)
Certify professionals with CISA (Certified Information Systems Auditor)

2006 Veda Praxis

Control Advisory

Page 18

Certified Information System Auditor (CISA)

Since 1978, the Certified Information Systems Auditor (CISA)
program has been the globally accepted standard of achievement
among IS audit, control and security professionals.
Positive reputation as a qualified IS audit, control and/or security
professional

Demonstrate proficiency in today's most

sought-after skills, employers prefer to
hire and retain those who achieve and
maintain their designation

2006 Veda Praxis

Control Advisory

Page 19

CISA Requirement
1.

The successful completion of the CISA Examination,

2.

Information Systems auditing, control or security

experience,

3.

Code of Professional Ethics,

4.

The Continuing Education Program, and

5.

Information Systems Auditing Standards.

2006 Veda Praxis

Control Advisory

Page 20

10

 2006 Veda Praxis

Control Advisory

Page 21

11