Information Technology Audit 23-12 Day1

Upload: sohail-merchant

Post on 03-Apr-2018


TRANSCRIPT

  • 7/28/2019 Information Technology Audit 23-12 Day1

    1/83

    What is Audit?

    Audit: an evaluation of an organization, system, process, project or product.

    http://en.wikipedia.org/wiki/Audit
    2/83

    Audit Mission

    Provide independent, objective assurance and consulting services designed to add value and improve the organization's operations.

    3/83

    What is Information Technology?

    Information technology (IT) is the use of computers and telecommunications equipment to store, retrieve, transmit and manipulate data.

    4/83

    What is an Information System?

    An information system (IS) is any combination of information technology and people's activities that support operations, management and decision making.

    In a very broad sense, the term information system is frequently used to refer to the interaction between people, processes, data and technology.

    http://en.wikipedia.org/wiki/Information_technology
    5/83

    What is IT / IS Audit?

    An information technology audit, or information systems audit, is an examination of the management controls within an information technology infrastructure or systems.

    The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

    These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

    IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing (EDP) audits".

    http://en.wikipedia.org/wiki/Financial_audit
    http://en.wikipedia.org/wiki/Internal_audit
    6/83

    Role of External, Internal and IS Auditors

    The scope of the external audit is usually confined to a financial and compliance audit to satisfy statutory requirements, which call for an examination of the accounts and an opinion as to whether the financial statements produced give a true and fair picture.

    The scope of an internal audit covers the total conduct of business. The objectives for internal auditors are set by the board/management.

    The IS auditor is an independent advisor who addresses the control environment of the computer information systems and how they are used. IS auditors review different aspects of the systems, such as evaluating system input, processing and output controls, data and physical security, contingency planning and system administration.

    7/83

    Code of Professional Ethics

    ISACA (Information Systems Audit and Control Association) sets forth this Code of Professional Ethics to guide professional and personal conduct:

    Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

    Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.

    Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting the profession or the Association.

    8/83

    Important Terms

    Independence: refers to the independence of the internal auditor or of the external auditor from parties that may have a financial interest in the business being audited.

    Objectivity: judgment based on observable phenomena and uninfluenced by emotions or personal prejudices.

    Due Diligence: reasonable steps taken by a person in order to satisfy a requirement.

    Professional Care: applying the care and skill expected of a reasonably prudent and competent auditor.

    http://en.wikipedia.org/wiki/Independence
    http://en.wikipedia.org/wiki/Internal_auditor
    http://en.wikipedia.org/wiki/External_auditor
    9/83

    Code of Professional Ethics (cont.)

    Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

    Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.

    Inform appropriate parties of the results of work performed, revealing all significant facts known to them.

    Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

    10/83

    Corporate Governance

    Corporate governance is "the system by which companies are directed and controlled".

    It involves regulatory and market mechanisms, and the roles and relationships between a company's management, its board, its shareholders, and the goals for which the corporation is governed.

    11/83

    IT Governance

    Information technology governance is a subset discipline of corporate governance focused on information technology (IT) systems and their performance and risk management.

    http://en.wikipedia.org/wiki/Corporate_governance
    http://en.wikipedia.org/wiki/Information_technology
    http://en.wikipedia.org/wiki/Performance_management
    http://en.wikipedia.org/wiki/Risk_management
    12/83

    1. IT Function

    13/83

    2. IT layers

    18/83

    Auditor and IT

    19/83

    Audit Universe

    20/83

    Business Processes and IT Controls

    21/83

    IT Audit Process

    Five Tasks:

    1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
    2. Plan specific audits to ensure that IT and business systems are protected and controlled.
    3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
    4. Communicate emerging issues, potential risks and audit results to key stakeholders.
    5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.

    22/83

    Process Knowledge Statements

    Ten Knowledge Statements:

    1. Knowledge of IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
    2. Knowledge of IS auditing practices and techniques
    3. Knowledge of techniques to gather information and preserve evidence
    4. Knowledge of the evidence life cycle
    5. Knowledge of control objectives and controls related to IS

    23/83

    Process Knowledge Statements

    Ten Knowledge Statements (cont.):

    6. Knowledge of risk assessment in an audit context
    7. Knowledge of audit planning and management techniques
    8. Knowledge of reporting and communication techniques
    9. Knowledge of control self-assessment (CSA)
    10. Knowledge of continuous audit techniques

    24/83

    Organization of IS Audit Function

    Audit charter (or engagement letter):
        Stating management's responsibility and objectives for, and delegation of authority to, the IS audit function
        Outlining the overall authority, scope and responsibilities of the audit function
    Approval of the audit charter
    Change in the audit charter

    25/83

    IS Audit Resource Management

    Limited number of IS auditors
    Maintenance of their technical competence
    Assignment of audit staff

    26/83

    Audit Planning

    Audit planning
        Short-term planning (one year)
        Long-term planning
    Things to consider
        New control issues
        Changing technologies
        Changing business processes
        Enhanced evaluation techniques
    Individual audit planning
        Understanding of the overall environment
        Business practices and functions
        Information systems and technology

    27/83

    Audit Planning

    Audit Planning Steps

    1. Gain an understanding of the business's mission, objectives, purpose and processes.
    2. Identify stated contents (policies, standards, guidelines, procedures, and organization structure).
    3. Evaluate risk assessment and privacy impact analysis.
    4. Perform a risk analysis.
    5. Conduct an internal control review.
    6. Set the audit scope and audit objectives.
    7. Develop the audit approach or audit strategy.
    8. Assign personnel resources to the audit and address engagement logistics.

    28/83

    Effect of Laws and Regulations

    Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to computer system practices and controls.

    Establishment of the regulatory requirements
    Organization of the regulatory requirements
    Responsibilities assigned to the corresponding entities
    Correlation to financial, operational and IT audit functions

    29/83

    Effect of Laws and Regulations

    Steps to determine compliance with external requirements:

    Identify external requirements
    Document pertinent laws and regulations
    Assess whether management and the IS function have considered the relevant external requirements
    Review internal IS department documents that address adherence to applicable laws
    Determine adherence to established procedures

    30/83

    ISACA Auditing Standards and Guidelines

    Framework for the IS Auditing Standards:

    Standards
    Guidelines
    Procedures

    31/83

    ISACA IS Auditing Standards and Guidelines

    IS Auditing Standards

    1. Audit charter
    2. Independence
    3. Ethics and Standards
    4. Competence
    5. Planning
    6. Performance of audit work
    7. Reporting
    8. Follow-up activities
    9. Irregularities and illegal acts
    10. IT governance
    11. Use of risk assessment in audit planning

    32/83

    ISACA IS Auditing Standards and Guidelines

    9. Irregularities and Illegal Acts (cont.)

    Obtain written representations from management
    Have knowledge of any allegations of irregularities or illegal acts
    Communicate material irregularities/illegal acts
    Consider appropriate action in case of inability to continue performing the audit
    Document irregularity/illegal act related communications, planning, results, evaluations and conclusions

    33/83

    IT Risk Assessment Quadrants

    [Figure: Example Risk Level Assignment. Sensitivity Rating on one axis and Vulnerability Assessment Rating on the other, each running from 0% to 100% with the quadrant boundary at 50%.]

    Quadrant I (High Risk): both ratings above 50%. Suggested action(s): Mitigate
    Quadrant II (Medium Risk): one of the two ratings above 50%. Suggested action(s): Accept, Mitigate, Transfer
    Quadrant III (Medium Risk): one of the two ratings above 50%. Suggested action(s): Accept, Mitigate, Transfer
    Quadrant IV (Low Risk): both ratings below 50%. Suggested action(s): Accept

    34/83

    ISACA IS Auditing Standards and Guidelines

    ISACA Auditing Procedures

    Procedures developed by the ISACA Standards Board provide examples.

    The IS auditor should apply their own professional judgment to the specific circumstances.

    35/83

    Internal Control

    Internal Controls

    Policies, procedures, practices and organizational structures implemented to reduce risks

    36/83

    Internal Control

    Components of Internal Control System

    Internal accounting controls
    Operational controls
    Administrative controls

    37/83

    Internal Control

    Internal Control Objectives

    Safeguarding of information technology assets
    Compliance to corporate policies or legal requirements
    Authorization/input
    Accuracy and completeness of processing of transactions
    Output
    Reliability of process
    Backup/recovery
    Efficiency and economy of operations

    38/83

    Internal Control

    Classification of Internal Controls

    Preventive controls
    Detective controls
    Corrective controls

    39/83

    Internal Control

    IS Control Objectives

    Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives therefore need to be addressed in a manner specific to IS-related processes.

    40/83

    Internal Control

    IS Control Objectives (cont.)

    Safeguarding assets
    Assuring the integrity of general operating system environments
    Assuring the integrity of sensitive and critical application system environments through:
        Authorization of the input
        Accuracy and completeness of processing of transactions
        Reliability of overall information processing activities
        Accuracy, completeness and security of the output
        Database integrity

    41/83

    Internal Control

    IS Control Objectives (cont.)

    Ensuring the efficiency and effectiveness of operations
    Complying with requirements, policies and procedures, and applicable laws
    Developing business continuity and disaster recovery plans
    Developing an incident response plan

    42/83

    Day 1 Recap

    Audit Mission
    Planning
    Roles of Internal, External and IS Auditor
    Code of Professional Ethics
    IS Audit Standards and Guidelines
    IT Audit Universe
    Risk Analysis

    43/83

    Internal Control

    IS Control Objectives (cont.)

    COBIT

    A framework with 34 high-level control objectives, grouped under:
        Planning and organization
        Acquisition and implementation
        Delivery and support
        Monitoring and evaluation
    Use of 36 major IT related standards and regulations

    44/83

    What sort of framework is COBIT?

    An IT audit and control framework? COBIT (1996) and COBIT 2nd Edition (1998): focus on control objectives
    An IT management framework? COBIT 3rd Edition (2000): management guidelines added
    An IT governance framework? COBIT 4.0 (2005) and COBIT 4.1 (2007): governance and compliance processes added; assurance processes removed

    BUT what is the difference between governance and management?

    45/83

    Governance and Management

    Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).

    Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

    46/83

    Governance and Management Defined (cont.)

    The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes:

    The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.

    The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).

    47/83

    Internal Control

    General Control Procedures

    General control procedures apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

    48/83

    Internal Control

    General Control Procedures (cont.)

    Internal accounting controls directed at accounting operations
    Operational controls concerned with the day-to-day operations
    Administrative controls concerned with operational efficiency and adherence to management policies
    Organizational logical security policies and procedures
    Overall policies for the design and use of documents and records
    Procedures and features to ensure authorized access to assets
    Physical security policies for all data centers

    49/83

    Internal Control

    IS Control Procedures

    Strategy and direction
    General organization and management
    Access to data and programs
    Systems development methodologies and change control
    Data processing operations
    Systems programming and technical support functions
    Data processing quality assurance procedures
    Physical access controls
    Business continuity/disaster recovery planning
    Networks and communications
    Database administration

    50/83

    Performing an IS Audit

    Definition of Auditing

    Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

    51/83

    Performing an IS Audit

    Definition of IS Auditing

    Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

    52/83

    Performing an IS Audit

    Classification of audits:

    Financial audits
    Operational audits
    Integrated audits
    Administrative audits
    Information systems audits
    Specialized audits
    Forensic audits

    53/83

    Performing an IS Audit

    Audit Programs

    Based on the scope and the objective of the particular assignment

    IS auditor's perspectives:
        Security (confidentiality, integrity and availability)
        Quality (effectiveness, efficiency)
        Fiduciary (compliance, reliability)
        Service and Capacity

    54/83

    Performing an IS Audit

    General audit procedures

    Understanding of the audit area/subject
    Risk assessment and general audit plan
    Detailed audit planning
    Preliminary review of audit area/subject
    Evaluating audit area/subject
    Compliance testing
    Substantive testing
    Reporting (communicating results)
    Follow-up

    55/83

    Performing an IS Audit

    Procedures for testing & evaluating IS controls

    Use of generalized audit software to survey the contents of data files
    Use of specialized software to assess the contents of operating system parameter files
    Flow-charting techniques for documenting automated applications and business processes
    Use of audit reports available in operating systems
    Documentation review
    Observation
    Walkthroughs
    Reperformance of controls
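    The first procedure on the slide, surveying the contents of a data file with generalized audit software, is the kind of test that later turns up in the quiz question about duplicate invoice records. The block below is an added example written for these notes; it is not from the slides or from any GAS product. It runs a typical survey over a constructed invoice master file extract (the column layout, vendor ids and amounts are assumptions): exact duplicate invoice numbers, probable duplicates (same vendor, date and amount filed under different numbers), gaps in the numbering sequence, and a control total for agreement to the payables ledger.

```python
"""GAS-style survey of an invoice master file (added example, constructed data)."""
import csv
import io
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed invoice master file extract; layout and values are assumptions for this example.
INVOICE_FILE = """invoice_no,vendor_id,invoice_date,amount
1001,V100,2019-07-01,1250.00
1002,V200,2019-07-01,380.50
1003,V100,2019-07-02,99.99
1003,V100,2019-07-02,99.99
1005,V300,2019-07-03,4200.00
1006,V200,2019-07-03,380.50
1007,V200,2019-07-03,380.50
1008,V400,2019-07-04,15.00
"""


def parse_invoices(text):
    """Read the extract; amounts become Decimal so totals reconcile to the cent."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = Decimal(row["amount"])
    return rows


def exact_duplicates(rows):
    """Invoice numbers that occur more than once (the same record loaded twice)."""
    counts = Counter(row["invoice_no"] for row in rows)
    return {no: c for no, c in sorted(counts.items()) if c > 1}


def probable_duplicates(rows):
    """Different invoice numbers sharing vendor, date and amount: the pattern of a
    re-keyed or re-submitted invoice, which a match on the key alone would miss."""
    groups = defaultdict(set)
    for row in rows:
        groups[(row["vendor_id"], row["invoice_date"], row["amount"])].add(row["invoice_no"])
    return sorted(sorted(nos) for nos in groups.values() if len(nos) > 1)


def sequence_gaps(rows):
    """Numbers missing from the invoice sequence (a completeness check)."""
    numbers = sorted({int(row["invoice_no"]) for row in rows})
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def control_total(rows):
    """Footing of the file, to agree to the payables control account."""
    return sum((row["amount"] for row in rows), Decimal("0"))


def survey_invoice_file(text):
    """Run the whole survey and return the findings as one structured result."""
    rows = parse_invoices(text)
    return {
        "record_count": len(rows),
        "exact_duplicates": exact_duplicates(rows),
        "probable_duplicates": probable_duplicates(rows),
        "sequence_gaps": sequence_gaps(rows),
        "control_total": control_total(rows),
    }


if __name__ == "__main__":
    for name, finding in survey_invoice_file(INVOICE_FILE).items():
        print(f"{name}: {finding}")
```

    Each finding is a lead for the auditor, not a conclusion: a probable duplicate may be a legitimate repeat order, and a numbering gap may be a cancelled invoice, so the follow-up is to trace the flagged records to supporting documents.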

    56/83

    Performing an IS Audit

    Audit Methodology

    A set of documented audit procedures designed to achieve planned audit objectives

    Composed of:
        Statement of scope
        Statement of audit objectives
        Statement of work programs

    Set up and approved by the audit management
    Communicated to all audit staff

    57/83

    Performing an IS Audit

    Typical audit phases

    1. Audit subject
        Identify the area to be audited
    2. Audit objective
        Identify the purpose of the audit
    3. Audit scope
        Identify the specific systems, function or unit of the organization

    58/83

    Performing an IS Audit

    Typical audit phases (cont.)

    4. Pre-audit planning
        Identify technical skills and resources needed
        Identify the sources of information for test or review
        Identify locations or facilities to be audited

    59/83

    Performing an IS Audit

    Typical audit phases (cont.)

    5. Audit procedures and steps for data gathering
        Identify and select the audit approach
        Identify a list of individuals to interview
        Identify and obtain departmental policies, standards and guidelines
        Develop audit tools and methodology

    60/83

    Performing an IS Audit

    Typical audit phases (cont.)

    6. Procedures for evaluating test/review results
    7. Procedures for communication with management
    8. Audit report preparation
        Identify follow-up review procedures
        Identify procedures to evaluate/test operational efficiency and effectiveness
        Identify procedures to test controls
        Review and evaluate the soundness of documents, policies and procedures

    61/83

    Performing an IS Audit

    Workpapers (WPs)

    What is documented in WPs?

    Audit plans
    Audit programs
    Audit activities
    Audit tests
    Audit findings and incidents

    62/83

    Performing an IS Audit

    Workpapers (cont.)

    Do not have to be on paper

    Must be:
        Dated
        Initialed
        Page-numbered
        Relevant
        Complete
        Clear
        Self-contained and properly labeled
        Filed and kept in custody

    63/83

    Performing an IS Audit

    Fraud Detection

    Management's responsibility
    Benefits of a well-designed internal control system:
        Deterring frauds at the first instance
        Detecting frauds in a timely manner
    Fraud detection and disclosure
    Auditor's role in fraud prevention and detection

    64/83

    Performing an IS Audit

    Audit Risk

    Audit risk is the risk that the information/financial report may contain a material error that goes undetected during the audit.

    A risk-based audit approach is used to assess risk and assist with an IS auditor's decision to perform either compliance or substantive testing.

    65/83

    Performing an IS Audit

    Audit Risks

    Inherent risk
    Control risk
    Detection risk
    Overall audit risk

    66/83

    Performing an IS Audit

    Risk-based Approach Overview

    Gather information and plan
    Obtain understanding of internal control
    Perform compliance tests
    Perform substantive tests
    Conclude the audit

    67/83

    Performing an IS Audit

    Materiality

    An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited

    68/83

    Performing an IS Audit

    Risk Assessment Techniques

    Enable management to effectively allocate limited audit resources
    Ensure that relevant information has been obtained
    Establish a basis for effectively managing the audit team
    Provide a summary of how the individual audit subject is related to the overall organization and to business plans

    69/83

    Performing an IS Audit

    Audit Objectives: specific goals of the audit

    Compliance with legal & regulatory requirements
    Confidentiality
    Integrity
    Reliability
    Availability

    70/83

    Performing an IS Audit

    Compliance vs. Substantive Testing

    Compliance test: determines whether controls are in compliance with management policies and procedures
    Substantive test: tests the integrity of actual processing

    Correlation between the level of internal controls and substantive testing required
    Relationship between compliance and substantive tests
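    The distinction on this slide is easiest to see with both tests run over the same audit area. The block below is an added example written for these notes, not material from the slides: the change-management control, the record fields and the journal balances are all constructed assumptions. The compliance test asks whether the prescribed control operated (an approver other than the implementer, and a test sign-off, on every deployed change); the substantive test ignores the control and re-performs the processing (foots each account) to see whether the reported balances are right; and the last function applies the correlation the slide names, extending substantive work when the controls test out as unreliable.

```python
"""Compliance test vs. substantive test over one audit area (added example, constructed data)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Change:
    """One production change record; the field names are assumptions for this example."""
    ticket: str
    implementer: str
    approver: Optional[str]   # None when no approval was recorded
    tested: bool
    deployed: bool


# Constructed change-management records (not from the slides).
CHANGES = [
    Change("CHG-1", "alice", "bob", True, True),
    Change("CHG-2", "carol", "carol", True, True),  # approved by the implementer
    Change("CHG-3", "alice", None, True, True),     # no approval on record
    Change("CHG-4", "dave", "bob", False, True),    # deployed without test sign-off
    Change("CHG-5", "carol", "bob", True, True),
    Change("CHG-6", "dave", "erin", True, False),   # never deployed: outside the population
]

# Constructed journal lines and the balances the application reported for them.
POSTED_LINES = {
    "ACC-10": [Decimal("500.00"), Decimal("-120.25"), Decimal("75.00")],
    "ACC-20": [Decimal("1000.00"), Decimal("-999.99")],
}
REPORTED_BALANCES = {"ACC-10": Decimal("454.75"), "ACC-20": Decimal("0.10")}


def compliance_test(changes, tolerable_deviation_rate):
    """Compliance test: did the control operate as management's procedure prescribes?
    Assumed procedure: every deployed change needs an approver other than the
    implementer and a recorded test sign-off."""
    population = [c for c in changes if c.deployed]
    deviations = [
        c.ticket for c in population
        if c.approver is None or c.approver == c.implementer or not c.tested
    ]
    rate = len(deviations) / len(population)
    return {
        "population": len(population),
        "deviations": deviations,
        "deviation_rate": rate,
        "controls_reliable": rate <= tolerable_deviation_rate,
    }


def substantive_test(posted_lines, reported_balances):
    """Substantive test: re-perform the processing itself (foot each account) and
    compare with what the system reported; any difference is an exception."""
    exceptions = {}
    for account, lines in posted_lines.items():
        recomputed = sum(lines, Decimal("0"))
        if recomputed != reported_balances[account]:
            exceptions[account] = {"recomputed": recomputed, "reported": reported_balances[account]}
    return exceptions


def plan_substantive_extent(compliance_result):
    """The correlation the slide names: the weaker the controls test out, the more
    substantive testing is needed; reliable controls let it be reduced."""
    return "limited" if compliance_result["controls_reliable"] else "extended"


if __name__ == "__main__":
    outcome = compliance_test(CHANGES, tolerable_deviation_rate=0.05)
    print("compliance:", outcome)
    print("substantive extent:", plan_substantive_extent(outcome))
    print("substantive exceptions:", substantive_test(POSTED_LINES, REPORTED_BALANCES))
```

    Note the two tests answer different questions: the compliance result says nothing about whether the balances are right, and the one-cent exception in the substantive test would be found even if every change had been perfectly approved.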

    71/83

    Performing an IS Audit

    Evidence

    It is a requirement that the auditor's conclusions must be based on sufficient, competent evidence.

    Independence of the provider of the evidence
    Qualification of the individual providing the information or evidence
    Objectivity of the evidence
    Timing of evidence

    72/83

    Performing an IS Audit

    Techniques for gathering evidence:

    Review IS organization structures
    Review IS policies and procedures
    Review IS standards
    Review IS documentation
    Interview appropriate personnel
    Observe processes and employee performance

    73/83

    Performing an IS Audit

    Interviewing and Observing Personnel

    Actual functions
    Actual processes/procedures
    Security awareness
    Reporting relationships

    74/83

    Performing an IS Audit

    Sampling

    General approaches to audit sampling:
        Statistical sampling
        Non-statistical sampling

    Methods of sampling used by auditors:
        Attribute sampling
        Variable sampling

    75/83

    Performing an IS Audit

    Sampling (cont.)

    Attribute sampling
        Stop-or-go sampling
        Discovery sampling
    Variable sampling
        Stratified mean per unit
        Unstratified mean per unit
        Difference estimation

    76/83

    Performing an IS Audit

    Statistical sampling terms:

    Confidence coefficient
    Level of risk
    Precision
    Expected error rate (not for variable sampling)
    Sample mean
    Sample standard deviation
    Tolerable error rate
    Population standard deviation (not for attribute sampling)

    77/83

    Performing an IS Audit

    Key steps in choosing a sample

    Determine the objectives of the test
    Define the population to be sampled
    Determine the sampling method, such as attribute versus variable sampling
    Calculate the sample size
    Select the sample
    Evaluate the sample from an audit perspective
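    The three sampling slides name the terms (confidence coefficient, level of risk, precision, expected and tolerable error rates, sample mean and standard deviation) and the steps (calculate the sample size, evaluate the sample) without showing the arithmetic that connects them. The block below is an added example written for these notes, not part of the slides or of any ISACA table: it carries the calculation through for attribute sampling (sample size from the binomial tail, which is how the published tables are built, and the upper deviation limit used to evaluate the result) and for the two variable-sampling methods listed, unstratified mean per unit and difference estimation. The population size of 1,000 and the ten book and audited values are constructed; the finite population correction and the normal approximation for variable sampling are standard choices made here, not something the slides specify.

```python
"""Arithmetic behind the sampling terms on the slides (added example, constructed data)."""
import math
from statistics import NormalDist, mean, stdev


def z_for_confidence(confidence):
    """Confidence coefficient (e.g. 0.95) -> two-sided standard normal z value."""
    if not 0 < confidence < 1:
        raise ValueError("confidence coefficient must lie strictly between 0 and 1")
    return NormalDist().inv_cdf(0.5 + confidence / 2)


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly; fine for audit-sized samples."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence, tolerable_error_rate, expected_error_rate, max_n=5000):
    """Attribute sampling: smallest n such that, if the true deviation rate equalled
    the tolerable rate, observing no more than the expected number of deviations
    would have probability <= level of risk (1 - confidence). This is the logic
    that generates the published attribute-sampling tables."""
    if not 0 <= expected_error_rate < tolerable_error_rate < 1:
        raise ValueError("need 0 <= expected error rate < tolerable error rate < 1")
    risk = 1 - confidence
    for n in range(1, max_n + 1):
        allowed = math.ceil(n * expected_error_rate)  # deviations we expect to see in the sample
        if binomial_cdf(allowed, n, tolerable_error_rate) <= risk:
            return n
    raise ValueError("expected and tolerable rates too close: sample would exceed max_n")


def attribute_upper_limit(confidence, sample_size, deviations_found):
    """Evaluate an attribute sample: the highest population deviation rate still
    consistent with the result at this confidence (bisection on the binomial tail).
    The control is accepted when this limit stays below the tolerable error rate."""
    risk = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binomial_cdf(deviations_found, sample_size, mid) > risk:
            lo = mid  # a rate this low is still plausible; the limit lies higher
        else:
            hi = mid
    return hi


def variable_sample_size(confidence, population_size, est_population_std, desired_precision):
    """Unstratified mean-per-unit: items needed for the estimated total to fall
    within +/- desired_precision (a money amount) of the true total."""
    z = z_for_confidence(confidence)
    return math.ceil((z * population_size * est_population_std / desired_precision) ** 2)


def mean_per_unit(confidence, population_size, audited_values):
    """Project a population total from the sample mean and state the achieved
    precision, with the finite population correction applied."""
    n = len(audited_values)
    z = z_for_confidence(confidence)
    fpc = math.sqrt((population_size - n) / (population_size - 1))
    point = population_size * mean(audited_values)
    precision = z * population_size * stdev(audited_values) / math.sqrt(n) * fpc
    return {"point_estimate": point, "precision": precision}


def difference_estimation(confidence, population_size, book_values, audited_values):
    """Project total misstatement from the per-item (audited - book) differences."""
    diffs = [a - b for a, b in zip(audited_values, book_values)]
    est = mean_per_unit(confidence, population_size, diffs)
    return {"projected_misstatement": est["point_estimate"], "precision": est["precision"]}


# Constructed sample of 10 items drawn from an assumed population of 1,000 invoices.
BOOK = [100, 250, 175, 300, 120, 90, 410, 220, 160, 275]
AUDITED = [100, 250, 170, 300, 120, 90, 400, 220, 150, 275]

if __name__ == "__main__":
    print("attribute n (95%, tolerable 5%, expected 1%):", attribute_sample_size(0.95, 0.05, 0.01))
    print("upper deviation limit, 1 deviation in 93:", round(attribute_upper_limit(0.95, 93, 1), 4))
    print("variable n (95%, N=1000, sigma=100, precision 20,000):", variable_sample_size(0.95, 1000, 100, 20000))
    print("mean-per-unit:", mean_per_unit(0.95, 1000, AUDITED))
    print("difference estimation:", difference_estimation(0.95, 1000, BOOK, AUDITED))
```

    Two points worth noticing when running it: the expected error rate only affects attribute sampling (it sets the number of deviations the sample is allowed to contain, and a higher expectation forces a larger sample), and the population standard deviation only affects variable sampling, which is exactly the split the slide makes with its two "not for" remarks.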

    78/83

    Quiz #1

    1. Four types of Risk Treatment Strategies are

    1.
    2.
    3.
    4.

    79/83

    Quiz #1

    2. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks:

    A. Inherent Risk
    B. Detection Risk
    C. Control Risk
    D. Business Risk

    80/83

    Quiz #1

    3. An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should present the MOST concern to the IS auditor:

    A. The owner of the system was not present at the time of the evidence retrieval.
    B. The system was powered off by an investigator.
    C. There are no documented logs of the transportation of evidence.
    D. The contents of the random access memory (RAM) were not backed up.

    81/83

    Quiz #1

    4. Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?

    A. Attribute sampling
    B. Generalized audit software (GAS)
    C. Test data
    D. Integrated test facility (ITF)

    83/83

    Quiz #1

    6) An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:

    A. expand the scope of the IS audit to include the devices that are not on the network diagram.
    B. evaluate the impact of the undocumented devices on the audit scope.
    C. note a control deficiency because the network diagram has not been updated.
    D. plan follow-up audits of the undocumented devices.