
MANAGEMENT CONTROL SYSTEM
PRESENTATION ON AUDIT AND IT AUDIT

BY
KAPIL KR. BANSAL-11BSP1424
MOHIT MITTAL-11BSP1813

AUDIT
Audits are performed to ascertain the validity and reliability of information, and also to provide an assessment of a system's internal control. The goal of an audit is to express an opinion on the person, organization, system, etc. under evaluation, based on work done on a test basis.

CONTINUE
The general definition of an audit is an
evaluation of a person, organization,
system, process, enterprise, project or
product. The term most commonly
refers to audits in accounting, but
similar concepts also exist in project
management, quality management,
water management, and energy
conservation.

HISTORICAL BACKGROUND
The role of auditor goes back many hundreds of years. There are records from ancient Egypt and Rome showing that people were employed to review work done by tax collectors and estate managers.
The emphasis was very much on the detection of fraud and other irregularities. The emphasis has changed, and the role of the auditor has become much more sophisticated.

Basic Type of Audit


Audits can be categorized into two types:

Financial audit

Non financial audit

Continue

Financial audit:
Address questions of accounting, recording, and
reporting of financial transactions. Reviewing the
adequacy of internal controls also falls within the
scope of financial audits.

Non financial audit:


It is a non-statutory one and serves two purposes:
It checks the company's compliance with standards.
It determines whether a product or service satisfies the customers' demands in terms of quality and features.

DIFFERENT CATEGORIZATION OF AUDIT
Statutory Audit
Private Audit
Internal Audit
Management Audit
IT Audit

Statutory Audit
A legally required review of the accuracy of a company's or government's financial records. The purpose of a statutory audit is to determine whether an organization is providing a fair and accurate representation of its financial position by examining information such as bank balances, bookkeeping records and financial transactions.
For example, a state law may require all municipalities to submit to an annual statutory audit examining all accounts and financial transactions and to make the results of the audit available to the public. The purpose of such an audit is to hold the government accountable for how it is spending taxpayers' money.

Private Audit
When the audit is not a statutory requirement, but is conducted at the desire of owners, such an audit is a private audit. The audit is conducted primarily for their own interest. At times the private audit may become a requirement under tax laws, if the turnover exceeds a specified limit.

Private audit is of the following types:

1. Audit of sole proprietorship
2. Audit of partnership firms
3. Audit of individuals' accounts
4. Audit of institutions not covered by statutory audit

Internal Audit
The examination, monitoring and analysis of activities related to a company's operation, including its business structure, employee behavior and information systems.
Internal audit is found to play the following roles:
Checking whether existing controls are effective and adequate.
Checking whether financial and other reports show the actual results of the company.
Checking whether subunits are following the policies and procedures laid down by the company.

Management Audit
Analysis and assessment of
competencies and capabilities of a
company's management in order to
evaluate their effectiveness, especially
with regard to the strategic objectives
and policies of the business. The
objective of a management audit is not to
appraise individual executive
performance, but to evaluate the
management team in relation to their
competition.

Information System Audit


Address the internal control environment of
automated information processing systems and
how these systems are used. IS audits typically
evaluate system input, output and processing
controls, backup and recovery plans, and
system security, as well as computer facility
reviews.
IA's scope of work is comprehensive and
considers all aspects of the organization - both
financial and non-financial - with an emphasis
on constructive improvement.

Audit process

Staffing the audit team
Creating an audit project plan
Laying the groundwork for audit
Analyzing audit results
Sharing audit results
Writing audit results
Dealing with resistance to audit recommendations
Building an ongoing audit program

ADVANTAGES OF AUDIT
To Company Directors
Assurance that statutory responsibilities concerning accounts have been carried out.
Availability of expert advice.
The letter of weakness.

To Shareholders
Assurance that accounts show a true and fair view and comply with statutory requirements.

Other organizations with published accounts
Assurance that accounts are reliable.
In addition, they provide reliable accounts to regulatory bodies such as the Companies Registry, the stock exchange, etc.

OBJECTIVE OF AUDITING
Primary Objective:
To produce a report by the auditor of his
opinion of the truth and fairness of
financial statements so that any person
reading and using them can believe in
them.
Secondary Objective:
To detect Error and Fraud
To prevent Errors and fraud by the
deterrent and moral effects of Audit

Other Objectives of Audit

Completeness
Ownership
Accuracy
Valuation
Classification
Disclosure

Limitation of Audit

An audit can neither help in prioritizing changes nor in allocating resources.
An audit cannot mobilize people to take action, though it identifies various problems that exist in the organizational system and processes.
An audit cannot generate better data than the measures used to gather it.

Audit Evidence
Audit evidence is evidence obtained during a financial audit and recorded in the audit working papers.

In the audit engagement acceptance or reappointment stage, audit evidence is the information that the auditor is to consider for the appointment. For example, change in the entity control environment, inherent risk and nature of the entity business, and scope of audit work.

In the audit planning stage, audit evidence is the information that the auditor is to consider for the most effective and efficient audit approach. For example, reliability of internal control procedures, and analytical review systems.

Continued

In the control testing stage, audit evidence is the information that the auditor is to consider for the mix of audit tests of control and audit substantive tests.

In the substantive testing stage, audit evidence is the information that the auditor uses to make sure of the appropriateness of financial statement assertions. For example, existence, rights and obligations, occurrence, completeness, valuation, measurement, presentation and disclosure of a particular transaction or account balance.

In the conclusion and opinion formulation stage, audit evidence is information that the auditor is to consider as to whether the financial statements as a whole present with completeness, validity, accuracy and consistency with the auditor's understanding of the entity.

INFORMATION TECHNOLOGY AUDIT

February 14, 2007


WHAT IS IT AUDIT

An information technology audit, or information systems audit, is an examination of the management controls within an information technology (IT) infrastructure.

The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

CONTINUE

IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing (EDP) audits".

HISTORY OF IT AUDIT

The concept of IT auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business.
Currently, there are many IT-dependent companies that rely on information technology in order to operate their business, e.g. telecommunication or banking companies.

PURPOSE OF IT AUDIT

An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
One of the most important roles of the IT audit is to audit the critical systems in order to support the financial audit or to support specific regulations, e.g. SOX.

PURPOSE OF IT AUDIT
Integrated information technology audit compliance,
Quality assurance,
Business continuity,
Disaster recovery,
IT governance,
Fraud, risk, and forensics resources for information technology auditors, internal auditors, application auditors, compliance, information security and forensics professionals.

ROLE OF IT AUDIT
The IT audit aims to evaluate the following:

Will the organization's computer systems be available for the business at all times when required? (known as availability)
Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)
Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity)
In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.

IT Audit process
The audit process is generally a ten-step procedure:
1. Notification & Request for Preliminary Information
2. Planning
3. Opening Meeting
4. Fieldwork
5. Communication
6. Draft Report
7. Management Responses
8. Closing Meeting
9. Report Distribution
10. Follow-up

TYPES OF IT AUDIT
Technological innovation process audit
Innovative comparison audit
Technological position audit
Five categories of audits:
1. Systems and Applications
2. Systems Development
3. Management of IT and Enterprise Architecture
4. Client/Server, Telecommunications, Intranets, and Extranets
5. Information Processing Facilities

Technological innovation process audit

This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.

Innovative comparison audit


This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.

Technological position audit: This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".

FUNCTIONS TO BE CHECKED
Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.

CONTINUE

Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.

DEEP DIVE IT AUDIT

The deep dive audit involves a detailed study of the IT infrastructure deployed: hardware, software, connectivity, power, security, MIS, and usability by end users. Other areas of study include identifying process coverage, data integrity, productivity improvements, reporting frequency and adequacy, training adequacy, and system availability.

The focal points of the IT audit are:
Business functionality
Ease of use
Security

The capstone of the Technology Audit is the Audit Findings Report, which includes gap analysis, recommendations pertaining to technology upgrade / downgrade, training requirements and plan of action. The Technology Audit recommendations set the direction for organizations to optimize Return on Investment on IT.

IT Audit Role

Advising the Audit Committee and senior management on IT internal control issues
Performing IT Risk Assessments
Performing:
Institutional Risk Area Audits
General Controls Audits
Application Controls Audits
Technical IT Controls Audits
Internal Controls advisors during systems development and analysis activities.


The Changing Face of IT Audit


The Changing Role of the IT Auditor

IT Audit plays a major role in development of IT Governance framework

Moving away from policing role into a specialist role in the areas of risks and control

Adding value at strategic and operational levels through the provision of business risk-focused advice and assurance

Legislation is having a profound impact on IT Auditing (SOx, GLBA, HIPAA, FERPA, Privacy Notification Regulations)

The continuously changing technology environment brings new risks (i.e. Cyber security, wireless)


Emerging & Prevalent IT Audit Issues

Inadequate or Lack of Management Oversight
Poor Segregation of Duties
Inadequate or Lack of Supporting Documentation
No Business Continuity/Disaster Recovery Plan
Change Management
Data Security
Data Loss Incidents

There are also new audits being imposed by various standard boards which are required to be performed, depending upon the audited organization, which will affect IT and ensure that IT departments are performing certain functions and controls appropriately to be considered compliant. An example of such an audit is the newly minted SSAE 16.

THANK YOU ALL