Introduction to IT/IS Auditing

CISB424 Information Systems Audit

Semester 2 Year 2011/2012

IT Governance
the process for controlling an organizations IT

resources, including information and communication systems, and technology.

using IT to promote an organizations

objectives and enable business processes and to manage and control IT related risks.

IT Governance General Controls

The concept is relatively new

Ensuring that effective IT management and

security principles, policies and processes with appropriate compliance measurement tools are in place Require an active audit committee

CobiTs IT Governance Management Guideline

Identifies critical success factors, key goal and

performance indicators, and an IT governance maturity model. IT governance framework begins with setting IT objectives and measures and compares performance against them

Governance Policies IT Standards IT General and Application Controls Hierarchy Management and Organization Physical and Environmental Controls Systems Software Controls Systems Development Controls Technical

Application based controls

Management

Audit
Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

IT/IS Audit
The process of collecting and evaluating

evidence to determine whether computer system safeguards assets, maintain data integrity, achieves organisational goals effectively and consumes resources effectively.
1

Ron Weber

Objectives of IT/IS Audit

Improved Data Integrity

Safeguarding of Assets

IT/IS Audit

Improved System Effectiveness

Improved System Efficiency

Source: Ron Weber

Elements IT/IS Audit

1.

2.
3. 4. 5. 6. 7.

Physical and Environmental System Administration Application Software Application Development Network Security Business Continuity Data Integrity

Internal vs External
Audit

function can be performed internally or externally Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and help ensure conformance with managerial policies External Audit is an audit conducted by an individual of a firm that is independent of the company being audited

Internal Audit Reporting Structure

CEO
Board Audit Committee

Head of Audit Dept

Head of IT Audit

Head of Non-IT Audit

IT Audit Team Members

Non-IT Audit Team Members

Roles of IT Audit Team

Financial Auditor Support for Financial Auditors
Application Database Middleware

Information Systems Auditor

IT Auditor

Operating System Network Intra Physical Facility Entity-Level Controls

Source: Chris Davis et al

Financial vs IT Audits
Financial audit
Official examination of accounts to see that they are in

order
IT audit
a review of the controls within an entity's technology

infrastructure Wikipedia (www.wikipedia.org) Official examination of IT related processes to see that they are in order
Problems
Financial Audit GAAP
IT Audit - ??

Financial vs IT Audits
IT auditors may work on financial audit

engagements IT auditors may work on every step of the financial audit engagement Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important

Auditing Standards
Auditors are guided in their professional

responsibility by the the generally accepted auditing standards (GAAS).

Generally Accepted Auditing Standards Standards of Field Work Audit work must be adequately planned General Standards The auditor must have adequate technical training and proficiency to perform the audit. Standards of Reporting The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles. The report must identify those circumstances in which generally accepted accounting principles were not applied The report must identify any items that do not have adequate informative disclosures

The auditor must maintain independence in mental attitude in all matters related to the audit. The auditor must use due professional care during the performance of the audit and the preparation of the report.

The auditor must gain a sufficient understanding of the internal control structure The auditor must obtain sufficient, competent evidence

The report shall contain an expression of the auditors opinion on the financial statements as a whole

What is IT Auditors?
Is called internal audit specialist, IT or IS auditor

May serve as a member of consulting

organization Generally a member of an enterprise internal audit organization Specialist who follows the standards and principles of the IIA and often ISACA as well

Roles and Responsibilities

Ensure IT governance by assessing risks and

monitoring controls over those risks Works as either internal or external auditor Works on many kind of audit engagements Reviewing and assessing enterprise management controls Review and perform test of enterprise internal controls Report to management

Job Tasks and Responsibilities

Design a technology-based audit approaches;

analyzes and evaluates enterprise IT processes Works independently or in a team to review enterprise IT controls Examines the effectiveness of the information security policies and procedures Develops and presents training workshops for audit staff Conduct and oversees investigation of inappropriate computer use Performs special projects and other duties as assigned

Knowledge, Skills, Abilities

Knowledge of auditing, IS and network security

Investigation and process flow analysis skills

Interpersonal/human relation skills Verbal and written communications skills Ability to exercise good judgment Ability to maintain confidentiality Ability to use IT desktop office tools, vulnerability

analysis tools, and other IT tools

Minimum Qualifications
Bachelors degree in Computer Science,

computer programming or accounting Certified Information Systems Auditor (CISA) credentials or candidate Certified Internal Auditor credential preferred

Develop an understanding and perform preliminary audit work

Develop audit plan Evaluate the internal control system Determine degree of reliance on internal controls Perform substantive testing Review work and issue audit report

Conduct follow-up work

Figure 1.2 : The Role of IT Auditors in the Financial Audit Process

Professional Groups and Certifications Alphabet Soup

ISACA CISA
The largest professional organization of IT auditors

IIA CIA ACFE CFE AICPA CPA and CITP

Certified Info. System Auditor Credentials

The prime professional credentials for IT auditors

More focused on IT audit

Open to all individuals who have an interest and

skills in information system audit, control and security, The examination is four hours in duration and consists of 200 multiple-choice question The test is offered each year in June and December at numerous worldwide locations Must have a minimum of five years of professional information system auditing, internal control or security related work experience

CISA Examination Content Area

The IS audit process (10%)

IT Governance (15%)
Systems and Infrastructure Life Cycle (16%) IT Service Delivery and Support (14%) Protection of Information Assets (31%) Business Continuity and Disaster Recovery (14%)

Effects of computers on Internal Controls

Separation of duties

Delegation of authority and responsibility

Competent and trustworthy personnel System of authorizations

Adequate documents and records

Physical control over asset and records Adequate management supervision

Independent check on performance

Comparing recorded accountability with assets

Effects of computers on auditing

Changes to evidence collection

Changes to evidence evaluation

Effective IT Audit
Early involvement

Informal audits
Knowledge sharing Self-assessments

Questions to ponder
1.

Explain how information systems are used in an enterprise.