Course Objectives
Focuses on the audit and control aspects of information systems: the risks to information systems, the controls over them, and how they are audited. Emphasizes the management control framework, data resource management controls, the application control framework and processing controls.
11/6/2012
1. Management Control Framework
2. Application Control Framework
3. Evidence Collection
4. Evidence Evaluation
1. Management Control
a. Top management controls
b. Systems development management controls
c. Programming management controls
d. Data resource management controls
e. Security management controls
f. Operation management controls
g. Quality assurance management controls
Leading: motivation, leadership, effective communication
Controlling: overall control, control of IS, control over users of IS
Political approach: understanding the effects that systems can have on the distribution of organizational power
Prototyping approach: provides ways of helping resolve the uncertainty that often surrounds systems-design tasks
Contingency approach: takes account of the organizational context in which the system is being designed
d. Data resource management controls
Users must be able to share data
Data must be available when it is needed
It must be possible to modify data fairly easily
The integrity of data must be preserved
DA & DBA functions
Defining, creating, redefining and retiring data
Making the database available to users
Informing and servicing users
Maintaining database integrity
Monitoring operations and performance
2. Application Control
i. Boundary controls
ii. Input controls
iii. Communication controls
iv. Processing controls
v. Database controls
vi. Output controls
i. Boundary controls
The boundary subsystem establishes the interface between the would-be user of a computer system and the computer system itself. It has three purposes:
To establish the identity and authenticity of would-be users
To establish the identity and authenticity of the computer system resources that users wish to employ
To restrict the actions undertaken by users who obtain computer resources to an authorized set
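The three purposes above map directly onto code. The following is an added illustration, not material from the course: a toy boundary subsystem that authenticates the would-be user (salted PBKDF2 with a constant-time comparison), checks that the resource the user reaches is the registered one (a keyed fingerprint stands in for a real signed service identity; this scheme, the user and resource names, and the PBKDF2 iteration count are all assumptions made for the example), restricts the user to an authorized set of (resource, action) pairs, and records every decision in an audit trail.

```python
"""Boundary subsystem sketch: added example, not course code.
Names, the PBKDF2 cost and the resource-fingerprint scheme are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000   # assumed policy value
DUMMY_SALT = b"\x00" * 16     # makes unknown users cost the same as known ones


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    permissions: frozenset     # (resource, action) pairs the user may perform


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Boundary:
    def __init__(self, resource_key: bytes):
        self._users = {}
        self._resources = {}         # resource name -> expected keyed fingerprint
        self._resource_key = resource_key
        self.audit_trail = []        # (user, resource, action, outcome)

    def register_user(self, name, password, permissions):
        salt = os.urandom(16)
        self._users[name] = User(name, salt, _hash_password(password, salt),
                                 frozenset(permissions))

    def register_resource(self, name, descriptor: bytes):
        # Purpose 2: record what the genuine resource looks like. A keyed hash
        # over its descriptor stands in for a signed service identity (assumption).
        self._resources[name] = hmac.new(self._resource_key, descriptor, "sha256").digest()

    def _audit(self, user, resource, action, outcome):
        self.audit_trail.append((user, resource, action, outcome))

    def authenticate_user(self, name, password) -> bool:
        # Purpose 1: identity and authenticity of the would-be user.
        user = self._users.get(name)
        if user is None:
            _hash_password(password, DUMMY_SALT)   # timing independent of user existence
            self._audit(name, None, "login", "DENY:unknown-user")
            return False
        ok = hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)
        self._audit(name, None, "login", "ALLOW" if ok else "DENY:bad-password")
        return ok

    def authenticate_resource(self, name, descriptor: bytes) -> bool:
        # Purpose 2: the resource the user reaches must be the registered one.
        expected = self._resources.get(name)
        if expected is None:
            return False
        tag = hmac.new(self._resource_key, descriptor, "sha256").digest()
        return hmac.compare_digest(tag, expected)

    def request(self, name, password, resource, descriptor, action) -> bool:
        """Full boundary decision: user authN, resource authN, then authZ."""
        if not self.authenticate_user(name, password):
            return False
        if not self.authenticate_resource(resource, descriptor):
            self._audit(name, resource, action, "DENY:resource-not-authentic")
            return False
        # Purpose 3: restrict the authenticated user to an authorized action set.
        if (resource, action) not in self._users[name].permissions:
            self._audit(name, resource, action, "DENY:not-authorized")
            return False
        self._audit(name, resource, action, "ALLOW")
        return True


def build_demo() -> "Boundary":
    """Constructed sample: one user who may only read the ledger."""
    b = Boundary(resource_key=os.urandom(32))
    b.register_user("alice", "correct horse", [("ledger", "read")])
    b.register_resource("ledger", b"ledger-service-v1")
    return b


if __name__ == "__main__":
    b = build_demo()
    b.request("alice", "correct horse", "ledger", b"ledger-service-v1", "read")
    b.request("alice", "correct horse", "ledger", b"ledger-service-v1", "write")
    b.request("alice", "wrong", "ledger", b"ledger-service-v1", "read")
    b.request("alice", "correct horse", "ledger", b"forged-impostor", "read")
    b.request("mallory", "anything", "ledger", b"ledger-service-v1", "read")
    for entry in b.audit_trail:
        print(entry)
```

Each call to request produces one or two audit entries (the login decision, then the access decision), so an auditor reviewing the trail can reconstruct which of the three purposes rejected a request: unknown user, bad password, resource not authentic, or action outside the authorized set.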
iii. Communication controls
Physical component controls
Line error controls
Flow controls
Link controls
Topological controls
Channel access controls
Controls over subversive threats
Internetworking controls
Communication architecture controls
Audit trail controls
iv. Processing controls
Responsible for computing, sorting, classifying and summarizing data. Components: central processor, real or virtual memory, operating system, application programs.
v. Database controls
Defining, creating, modifying, deleting and reading data in an information system. Components: DBMS, application programs, processor.
vi. Output controls
Determine the content of the data that will be provided to users and the way that data is formatted and presented.
Why IS audit?
Organizational costs of data loss
Incorrect decision making
Costs of computer abuse
Value of computer hardware, software and personnel
High costs of computer error
Maintenance of privacy
Controlled evolution of computer use
IT/IS Audit objectives
Safeguarding of assets
Data integrity
Data attributes: completeness, soundness, purity
Factors that affect the value of a data item:
The value of the informational content of the data item for individual decision making
The extent to which the data item is shared among decision makers
The value of the data item to competitors
System effectiveness
The system accomplishes its objectives
Evaluating effectiveness implies knowledge of user needs
Auditors must know the characteristics of users and the decision-making environment
Evaluated in a post-audit or during the design stages
System efficiency
The system uses the minimum resources needed to achieve its required objectives
Assessing Reliability
By controls
By transactions
By errors
Internal vs External
The audit function can be performed internally or externally.
Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and help ensure conformance with managerial policies.
External audit is an audit conducted by an individual or firm that is independent of the company being audited.
Internal Auditors
Responsible to the Board of Directors
An internal control function
Assist the organization in the measurement and evaluation of:
Effectiveness of internal controls
Achievement of organizational objectives
Economy and efficiency of activities
Compliance with laws and regulations
Perform operational audits
Controls affect reliability by:
Reducing the probability of failure
Reducing the expected loss when a failure occurs
External Auditors
Responsible to stockholders and the public, via the Board of Directors
Must test compliance with laws and regulations
Must test for fraud and improprieties
Rely on the internal control structure for planning the audit
External Auditors
Audit (material misstatement) risk = the product of:
Inherent risk: the risk that an assertion could be materially misstated
Control risk: the risk that a misstatement will not be prevented or detected on a timely basis by internal controls
Detection risk: the risk that the auditor's procedures will fail to detect a misstatement; inversely related to control and inherent risks
IT Auditor
Financial vs IT Audits
Financial audit: official examination of accounts to see that they are in order
IT audit: a review of the controls within an entity's technology infrastructure (Wikipedia, www.wikipedia.org); an official examination of IT-related processes to see that they are in order
Problems
Financial audit: GAAP
IT audit: ??
Financial vs IT Audits
IT auditors may work on financial audit engagements
IT auditors may work on every step of the financial audit engagement
Standards such as SAS No. 94 guide the work of IT auditors on financial audit engagements
IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important
Auditing Standards
Auditors are guided in their professional responsibility by the generally accepted auditing standards (GAAS).
Generally Accepted Auditing Standards
General Standards
The auditor must have adequate technical training and proficiency to perform the audit.
The auditor must maintain independence in mental attitude in all matters related to the audit.
The auditor must use due professional care during the performance of the audit and the preparation of the report.
Standards of Field Work
Audit work must be adequately planned.
The auditor must gain a sufficient understanding of the internal control structure.
The auditor must obtain sufficient, competent evidence.
Standards of Reporting
The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles.
The report must identify those circumstances in which generally accepted accounting principles were not applied.
The report must identify any items that do not have adequate informative disclosures.
The report shall contain an expression of the auditor's opinion on the financial statements as a whole.
Who is an IT Auditor?
Also called an internal audit specialist, IT auditor or IS auditor
May serve as a member of a consulting organization
Generally a member of an enterprise's internal audit organization
A specialist who follows the standards and principles of the IIA and often ISACA as well
Minimum Qualifications
Bachelor's degree in computer science, computer programming or accounting
Certified Information Systems Auditor (CISA) credential, or CISA candidate
Certified Internal Auditor (CIA) credential preferred
Effective IT Audit
Early involvement
Informal audits
Knowledge sharing
Self-assessments
In summary, IS Auditing is the process of collecting and evaluating evidence to determine if Information Systems and related resources are adequately safeguarding assets, maintaining data and system integrity, providing relevant and reliable information, achieving organizational goals effectively, consuming resources efficiently, and if there are effective internal controls that provide reasonable and acceptable assurance that operational and control objectives will be met and that undesired events will be prevented or detected and corrected in a timely manner.
Objectives of IS Auditing
Improve the safeguarding of assets
Ensure and maintain data integrity
Improve system effectiveness
Improve resource efficiency
Ensure compliance with legislative, regulatory and contractual obligations
Allow effective achievement of organizational goals
IS Audit Plan
It is important to plan an IS audit adequately. This should be done once a good understanding of the organization has been achieved.
Any audit plan that is undertaken should be analyzed annually to take into account new control issues such as changes in the risk environment, technology and business processes, and enhanced evaluation techniques. The result of this analysis should be reviewed by senior audit management and approved by the audit committee or board of directors. This will enhance future audit activities and should be communicated to the relevant levels of management.
Performing an IS Audit
In performing an IS audit, the auditor needs to develop and understand the audit methodology/strategy: a set of documented audit procedures designed to achieve the planned audit objectives. It is usually set and approved by audit management and has the following components:
1. Statement of scope
2. Statement of audit objectives
3. Statement of work program
1. Identify the stated contents, e.g. policies and organizational structure.
2. Perform a risk analysis to help in designing the audit plan.
3. Conduct a review of the internal controls related to IT.
4. Set the audit scope and objectives.
5. Develop the audit approach and strategy.
6. Identify the technical skills and resources needed.
7. Assign personnel resources to the audit.
Risk Management
Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. Business risk is the likelihood that a threat will negatively impact the assets, processes or objectives of a business or organization. Risk analysis is part of audit planning: it helps to identify risks and vulnerabilities so that the auditor can determine the controls needed to mitigate them.
Risk Assessment
Risk assessment is an iterative life cycle that starts by identifying business objectives, information assets, and the underlying systems or resources that generate, store, use or manipulate the assets critical to achieving the business's objectives. It then identifies threats to those assets, determines their probabilities of occurrence and the resulting impacts, and identifies additional safeguards that will mitigate the risks to the acceptable levels defined by management.
Risk Mitigation
Risk mitigation involves identifying controls/countermeasures which, when applied to the identified risks to assets, will prevent them or reduce them to acceptable levels. In assessing the countermeasures to be applied, a cost-benefit analysis should be performed based on any or a combination of the following:
The cost of the control
Management's appetite for risk
Preferred risk reduction methods
ISACA Certifications
CISA (Certified Information Systems Auditor) is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in IS auditing, control and security. CISA has grown to be globally recognized and adopted worldwide as a symbol of achievement. The CISA certification has been earned by more than 44,000 professionals since inception.
CISM
CISM (Certified Information Security Manager) is ISACA's groundbreaking credential, earned by over 5,500 professionals in its first two years. It is for the individual who must maintain a view of the "big picture" by managing, designing, overseeing and assessing an enterprise's information security.
Conducting IS Audit
Auditors need guidelines
Auditors evaluate the reliability of controls
Controls reduce expected losses from unlawful events by:
Decreasing the probability of the event occurring in the first place
Limiting the losses that arise if the event does occur
Approach: divide the system to be evaluated into subsystems, evaluate the reliability of each subsystem, and determine the implications of each subsystem's level of reliability for the overall reliability of the system. Subsystems should be easy to understand and evaluate: loosely coupled with other subsystems and internally cohesive (each performing a single function).
Application system
Undertake basic transaction processing, management reporting and decision support
Management Systems
Factored into subsystems:
Top-level IS management
Systems development management
Programming management
Data management
Quality assurance
Security administration
Operations management
Application systems
Factored into subsystems performing:
Boundary
Input
Communication
Processing
Database
Output functions
All IS audit involves evaluating the reliability of controls in each of these management and application subsystems.
Inherent risk
Reflects the likelihood that a material loss or account misstatement will occur in some segment of the audit before the reliability of internal controls is considered
Control risk
Reflects the likelihood that internal controls in some segment of the audit will not prevent, detect or correct material losses or account misstatements that arise
Detection risk
Reflects the likelihood that the audit procedures used in some segment of the audit will fail to detect material losses or account misstatements. Because auditors cannot influence inherent risk or control risk
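The arithmetic behind the three-factor audit risk model above, and behind the earlier statements that controls reduce expected loss by lowering the probability of an unlawful event or limiting the loss it causes (Conducting IS Audit) and that countermeasures are chosen by cost-benefit analysis against management's risk appetite (Risk Mitigation), is worth running once with numbers. The block below is an added example, not course material: the exposure, the controls, their costs and their effect factors are constructed figures, and the assumption that each control scales probability or loss by a fixed factor is a simplification chosen for the illustration.

```python
"""Expected-loss and audit-risk arithmetic: added example, not course code.
All figures and the multiplicative control model are constructed assumptions."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Exposure:
    name: str
    probability: float   # annual probability that the unlawful event occurs
    loss: float          # loss if it does occur


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    prob_factor: float = 1.0   # multiplies probability; < 1 means it helps prevent the event
    loss_factor: float = 1.0   # multiplies loss; < 1 means it limits damage once it occurs


def expected_loss(exp: Exposure) -> float:
    return exp.probability * exp.loss


def apply_controls(exp: Exposure, controls) -> Exposure:
    """Residual exposure after the given controls act on probability and loss."""
    p, loss = exp.probability, exp.loss
    for c in controls:
        p *= c.prob_factor
        loss *= c.loss_factor
    return Exposure(exp.name, p, loss)


def net_benefit(exp: Exposure, controls) -> float:
    """Reduction in expected loss minus what the controls cost (negative = not worth it)."""
    before = expected_loss(exp)
    after = expected_loss(apply_controls(exp, controls))
    return before - after - sum(c.annual_cost for c in controls)


def cheapest_acceptable(exp: Exposure, candidates, appetite: float):
    """Lowest-cost subset of candidate controls whose residual expected loss is
    within management's risk appetite. Returns (cost, controls, residual) or None."""
    best = None
    for r in range(len(candidates) + 1):
        for subset in combinations(candidates, r):
            residual = expected_loss(apply_controls(exp, subset))
            if residual > appetite:
                continue
            cost = sum(c.annual_cost for c in subset)
            if best is None or cost < best[0]:
                best = (cost, subset, residual)
    return best


def detection_risk(target_audit_risk: float, inherent: float, control: float) -> float:
    """Audit risk = inherent x control x detection, so the detection risk the auditor
    can accept is AR / (IR x CR): weaker controls leave less room for detection risk,
    which means more substantive testing."""
    return target_audit_risk / (inherent * control)


# Constructed sample figures.
EXPOSURE = Exposure("unauthorized payment release", probability=0.2, loss=500_000.0)
CONTROLS = (
    Control("dual approval", annual_cost=15_000.0, prob_factor=0.25),
    Control("per-transaction limit", annual_cost=5_000.0, loss_factor=0.4),
    Control("fidelity insurance", annual_cost=30_000.0, loss_factor=0.2),
)

if __name__ == "__main__":
    print("expected loss, no controls:", expected_loss(EXPOSURE))
    for c in CONTROLS:
        print(f"{c.name}: net benefit {net_benefit(EXPOSURE, [c]):,.0f}")
    cost, chosen, residual = cheapest_acceptable(EXPOSURE, CONTROLS, appetite=15_000.0)
    print("cheapest set within appetite:", [c.name for c in chosen], cost, residual)
    print("acceptable detection risk at AR=5%, IR=0.8, CR=0.5:", detection_risk(0.05, 0.8, 0.5))
```

With these figures the uncontrolled expected loss is 100,000; dual approval plus the transaction limit is the cheapest combination (20,000 a year) that brings the residual expected loss (10,000) under a 15,000 appetite, while insurance alone is more expensive and still leaves 20,000 of residual loss. The detection_risk function expresses the "inversely related" point from the external auditors slide: for a 5% target audit risk with inherent risk 0.8 and control risk 0.5, the auditor can tolerate 12.5% detection risk; halving control risk would double it.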
Tests of balances or overall results seek to obtain sufficient evidence to make a final judgement on the extent of losses or account misstatements that have occurred or might occur.
Completion of the audit: give an opinion on whether material losses or account misstatements have occurred or might occur.