IT Governance
IT governance is the process for controlling an organization's IT so that it achieves its objectives, enables business processes, and manages and controls IT-related risks.
- Security principles, policies and processes, with appropriate compliance measurement tools, are in place
- Require an active audit committee
- Performance indicators and an IT governance maturity model
- An IT governance framework begins with setting IT objectives and measures, then compares performance against them
Hierarchy: Governance Policies > IT Standards > IT General and Application Controls

Control areas:
- Management and Organization
- Physical and Environmental Controls
- Systems Software Controls
- Systems Development Controls
- Technical Management
Audit
Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
IT/IS Audit
The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, achieves organisational goals effectively and consumes resources effectively. (Ron Weber)
IT/IS Audit areas:
1. Safeguarding of Assets
2. Physical and Environmental
3. System Administration
4. Application Software
5. Application Development
6. Network Security
7. Business Continuity
8. Data Integrity
Internal vs External Audit
- The audit function can be performed internally or externally
- Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and to help ensure conformance with managerial policies
- External audit is an audit conducted by an individual or a firm that is independent of the company being audited
(Organization chart: Head of IT Audit; IT Auditor)
Financial vs IT Audits
- Financial audit: official examination of accounts to see that they are in order
- IT audit: a review of the controls within an entity's technology infrastructure (Wikipedia, www.wikipedia.org); official examination of IT-related processes to see that they are in order
Problems
- Financial audit: GAAP
- IT audit: ??
Financial vs IT Audits
- IT auditors may work on financial audit engagements
- IT auditors may work on every step of the financial audit engagement
- Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
- IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important
Auditing Standards
Auditors are guided in their professional
- The auditor must maintain independence in mental attitude in all matters related to the audit.
- The auditor must use due professional care during the performance of the audit and the preparation of the report.
- The auditor must gain a sufficient understanding of the internal control structure.
- The auditor must obtain sufficient, competent evidence.
- The report shall contain an expression of the auditor's opinion on the financial statements as a whole.
What is an IT Auditor?
- Also called internal audit specialist, IT auditor or IS auditor
- Generally a member of an enterprise internal audit organization
- Specialist who follows the standards and principles of the IIA and often ISACA as well
- Monitoring controls over those risks
- Works as either internal or external auditor
- Works on many kinds of audit engagements
- Reviews and assesses enterprise management controls
- Reviews and performs tests of enterprise internal controls
- Reports to management
- Analyzes and evaluates enterprise IT processes
- Works independently or in a team to review enterprise IT controls
- Examines the effectiveness of the information security policies and procedures
- Develops and presents training workshops for audit staff
- Conducts and oversees investigation of inappropriate computer use
- Performs special projects and other duties as assigned
Minimum Qualifications
- Bachelor's degree in Computer Science, computer programming or accounting
- Certified Information Systems Auditor (CISA) credentials or candidate
- Certified Internal Auditor credential preferred

Audit process:
1. Develop audit plan
2. Evaluate the internal control system
3. Determine degree of reliance on internal controls
4. Perform substantive testing
5. Review work and issue audit report

CISA
- Skills in information system audit, control and security
- The examination is four hours in duration and consists of 200 multiple-choice questions
- The test is offered each year in June and December at numerous worldwide locations
- Must have a minimum of five years of professional information system auditing, internal control or security related work experience
CISA domains:
- IT Governance (15%)
- Systems and Infrastructure Life Cycle (16%)
- IT Service Delivery and Support (14%)
- Protection of Information Assets (31%)
- Business Continuity and Disaster Recovery (14%)
Effective IT Audit
- Early involvement
- Informal audits
- Knowledge sharing
- Self-assessments
Questions to ponder