Post on 27-Mar-2018
8/1/2011
1
INTEGRATING INFORMATION SYSTEMS AUDIT
WITH INTERNAL AUDIT
@ ICAI BANGALORE BRANCH
- 20 JULY 2011
A Subramaniam
Chief Executive – Biz Pro Consultants
(c) BizPro Consultants
AREAS OF EXPERTISE
FCA, CISA, CIA, IMS Lead assessor, ISO 27001 Lead auditor
25+ years experience in external, internal audit and consultancy in India and Oman
Integration of operational, IT, management system and internal audits
Risk Based auditing
ERM - Enterprise Risk Management : COSO and soft controls
Fraud prevention, detection, investigation, risk assessment & fraud resilient systems
IS Audit
Information systems implementation–design &review
CAAT - computer assisted audit techniques
Data analytics – for revenue assurance, information processing, controls, fraud / error detection
ISO Management systems – QHSE & Information security
PRESENTATION OUTLINE
Internal audit
Information systems (IS) audit
Components of IS audit
Need for IS Audit
Walkthrough of an Internal audit integrating IS Audit
IS audit Techniques
Multiple systems integration
GRC and linking IS audit
INTERNAL AUDIT
"Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity's risk management and internal control system."
– ICAI
IIA DEFINITION OF INTERNAL AUDIT
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
- The Institute of Internal Auditors
INFORMATION SYSTEMS AUDIT
Information systems (IS) - The combination of strategic, managerial and operational activities involved in the gathering, processing, storage, distributing, and use of information and its related technologies. … ISACA
IS AUDIT
Audit - Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met
'Audit' refers to a specific type of assurance engagement … a formal, independent and systematic inspection or examination of subject matter against a recognised and appropriate standard or against management's assertions that must meet specific criteria. … adherence to specific standards and guidance, and adoption of specific reporting formats.
Audit engagements could include support of the audit of financial statements, opinions of regulatory compliance and other formal expressions of opinion.
- Extracts from ISACA's IT Assurance Framework
INFORMATION SECURITY
Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved
- ISO 27001:2005
AUDIT OBJECTIVES – BEYOND SECURITY
Triple E: Economy, Efficiency, Effectiveness (IIA standard 2120.A1)
The IA activity must:
assess whether the governance … sustains and supports the organization's strategies and objectives.
evaluate risk exposures, and the adequacy and effectiveness of controls in responding to risks, relating to the organization's governance, operations, and information systems regarding the:
Reliability and integrity of financial and operational information. - IIA 2120, 2130.A1
IS AUDIT = CAATs ?
COMPONENTS OF IS AUDIT
General controls: Physical access, Logical access; Environmental; Operations, change management; Network and Infrastructure; Database and Operating systems
Application and operational systems: Financial systems; Non-financial systems
Information security: Backup, Archiving and data retention; Disaster recovery and Business continuity Planning – ISO 38500
COMPONENTS OF IS AUDIT - CONTD
Application Development methodology
SDLC management, Patches & upgrades,
Involvement of Users in system development
Project management
PMBOK, PRINCE 2
Service Management
ITIL and ISO 20000 (ITSM)
SLA
IT Risk assessment and Governance
COBIT and VAL IT
REGULATORY NEED FOR IS AUDIT
Financial statements audit
CARO – 'adequate system of internal control … size … any major weakness'
'… internal audit system … size'
ICAI – Int Audit standard 14
Cl 14 - Int Auditor should review .. robustness of .. IT environment and consider any weakness or deficiency in the design and operation of any IT control … by reviewing:
System Audit reports … conducted by … IS auditors;
+ …
SEBI Clause 49 requirements – CEO / CFO certification on internal control
SOX requirements – 404 certification
Audit scope definition and audit charter
ICAI STANDARD 14
Illustrative IT Controls to be Reviewed During
Int Audit in An IT Environment (17 controls)
IT Access Control (1)
IT Backup and recovery (4)
IT Environmental controls (1)
IT Inventory (3)
IT Operations (2)
IT Physical security (1)
IT Service Agreements (3)
IT Virus Protection Policy (1)
INTEGRATING IS AUDIT WITH INTERNAL AUDIT
Procurement audit
Sales and Receivable audit
Data analysis
PROCUREMENT AUDIT
Requisition – Approval – Float – Evaluation - Award
Creation of PO
Incomplete POs
Reprint of PO
PO modification – without approver permission?
Elements of the P2P process which are handled through the application – PR, RFQ, Bid evaluation, receipt, payment, recording
Access privileges
Security of purchase information – access, distribution - confidentiality – physical and logical
Fraud Potential
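As an added illustration, not part of the presentation, of the data-analysis tests an auditor could run over a purchase-order change log for the points above (incomplete POs, reprints, modification after approval without re-approval), the following Python assumes a constructed log of (po_id, event, user, amount, vendor) rows in chronological order:

```python
"""CAAT-style exception tests over a constructed purchase-order audit trail.
Added example, not from the slides; the log layout is an assumption."""
from collections import defaultdict

# Constructed sample log rows: (po_id, event, user, amount, vendor), in
# chronological order.
PO_LOG = [
    ("PO-1001", "create",  "clerk1",   5000, "ACME"),
    ("PO-1001", "approve", "manager1", 5000, "ACME"),
    ("PO-1001", "print",   "clerk1",   5000, "ACME"),
    ("PO-1002", "create",  "clerk2",   None, ""),          # incomplete: no amount / vendor
    ("PO-1003", "create",  "clerk1",   9000, "Beta Ltd"),
    ("PO-1003", "approve", "manager1", 9000, "Beta Ltd"),
    ("PO-1003", "modify",  "clerk1",  19000, "Beta Ltd"),  # changed after approval
    ("PO-1003", "print",   "clerk1",  19000, "Beta Ltd"),
    ("PO-1003", "print",   "clerk1",  19000, "Beta Ltd"),  # reprint
    ("PO-1004", "create",  "clerk2",   1200, "Gamma"),
    ("PO-1004", "approve", "manager2", 1200, "Gamma"),
    ("PO-1004", "modify",  "clerk2",   1500, "Gamma"),
    ("PO-1004", "approve", "manager2", 1500, "Gamma"),     # re-approved: no exception
]

def po_exceptions(log):
    """Return {po_id: [exception codes]} for POs failing any test."""
    by_po = defaultdict(list)
    for row in log:
        by_po[row[0]].append(row)
    findings = defaultdict(list)
    for po_id, events in by_po.items():
        # Incomplete PO: latest state lacks an amount or a vendor.
        last = events[-1]
        if last[3] is None or not last[4]:
            findings[po_id].append("INCOMPLETE_PO")
        # Modified after approval with no later re-approval.
        approved = unapproved_change = False
        for _, ev, _user, _amt, _vendor in events:
            if ev == "approve":
                approved, unapproved_change = True, False
            elif ev == "modify" and approved:
                unapproved_change = True
        if unapproved_change:
            findings[po_id].append("MODIFIED_AFTER_APPROVAL")
        # Reprinted PO: more than one print event on the same PO.
        if sum(1 for e in events if e[1] == "print") > 1:
            findings[po_id].append("REPRINTED")
    return dict(findings)
```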
SALES & RECEIVABLE AUDIT
Retail chain
Price master – access
Discount % and authority levels
Field / stress test
Audit trail
Password custody
Item master creation
DATA ANALYSIS
Exceptions from business and application logic
Failed transactions – system weakness, failure, interface problems?
REVIEW OF IT SYSTEMS
The internal auditor should consider the IT environment in designing audit procedures to review the systems, processes, controls and risk management framework of the entity.
- Clause 13, ICAI Std 14 on IA
ERP SYSTEM – CONFIGURATION
Roles vs positions
Assignment of roles to positions
Escalation of privileges
EXCESSIVE ACCESS RIGHTS
$19 Million Embezzled from a large international bank by VP with Excessive Access Rights
A former XYZ Bank vice president in the internal finance department is charged with embezzling over $19 million. Between July and December of 2010 the defendant allegedly transferred money between numerous XYZ corporate accounts and his personal account at ….
The former VP appears to have accrued excessive access rights to sensitive banking systems so he could both authorize and initiate eight large transfers of cash.
SEGREGATION OF DUTIES (SOD)
SOD conflicts
Authority assignment, review of privileges, SOD
Matrix review
Preventive and Detective controls
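An added example, not from the presentation, of a detective SOD matrix review over an ERP role assignment: positions define the roles they are entitled to, roles carry privileges, and a conflict matrix lists privilege pairs that must not meet in one user (initiate + authorize a transfer, as in the excessive-access case on the earlier slide). All role, privilege and user names are constructed.

```python
"""SOD matrix review and excess-role check over constructed ERP access data.
Added example, not from the slides; all names and structures are assumptions."""

# Constructed configuration: role -> privileges granted by the role.
ROLE_PRIVS = {
    "AP_CLERK":     {"create_vendor", "enter_invoice", "initiate_transfer"},
    "AP_MANAGER":   {"approve_invoice", "authorize_transfer"},
    "TREASURY_OPS": {"initiate_transfer", "view_bank_balances"},
    "FIN_VP":       {"authorize_transfer", "approve_invoice", "view_bank_balances"},
}
# Position -> roles the position is entitled to (roles vs positions).
POSITION_ROLES = {
    "Accounts Payable Clerk": {"AP_CLERK"},
    "Treasury Officer":       {"TREASURY_OPS"},
    "VP Internal Finance":    {"FIN_VP"},
}
# Conflict matrix: privilege pairs that must be segregated.
SOD_CONFLICTS = [
    ("initiate_transfer", "authorize_transfer"),
    ("create_vendor", "approve_invoice"),
    ("enter_invoice", "approve_invoice"),
]
# Constructed user master: user -> (position, roles actually assigned).
USERS = {
    "aclerk":   ("Accounts Payable Clerk", {"AP_CLERK"}),
    "tofficer": ("Treasury Officer", {"TREASURY_OPS"}),
    "vp_fin":   ("VP Internal Finance", {"FIN_VP", "TREASURY_OPS"}),  # accrued extra role
}

def review_access(users, role_privs, position_roles, conflicts):
    """Return {user: {"excess_roles": [...], "sod_conflicts": [...]}} for users
    holding roles beyond their position or holding both sides of a conflict."""
    findings = {}
    for user, (position, roles) in users.items():
        # Roles assigned that the user's position does not entitle them to.
        excess = sorted(roles - position_roles.get(position, set()))
        # Effective privileges are the union over all assigned roles.
        privs = set().union(*(role_privs.get(r, set()) for r in roles))
        hits = sorted((a, b) for a, b in conflicts if a in privs and b in privs)
        if excess or hits:
            findings[user] = {"excess_roles": excess, "sod_conflicts": hits}
    return findings
```

Run periodically against the live user master, the same check serves as the detective control behind the "review of privileges" point above.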
ERP SYSTEM – CONFIGURATION … CONTD
Multiple:
business practices (52-week reporting)
social environment (weekend days)
legal environments (financial year for tax)
company business rules (P2P cycle variations, company's process requirements)
Best (or ERP's designed) practices vs company business process – customisation
Configurations and customisations – upgrades / patches – Documented? Essential?
ERP SYSTEMS DATA STRUCTURE
Master and transaction
Efficiency & user friendly considerations (alpha vs numeric)
NORMALISATION RULES
Changes in attributes affecting past records
Update, insertion and deletion anomaly
Sixth Normal Form
ERP SYSTEMS DATA … CONTD
Difficult to trace links – data dictionary & definition
Resolving the dilemma between audit trail and performance degradation = ?
IS AUDIT TECHNIQUES
General audit techniques
(Discussion, interview, process mapping, walkthroughs)
Special audit techniques
Front end, Administrator and Backend views
Data review – application and third party tools
Configuration review techniques
Penetration testing and vulnerability assessment
IS AUDIT TECHNIQUES … CONTD
Testing: unit testing, integration, extreme, stress, testing tools
Test data packs – scenario building
Cloning
MULTIPLE SYSTEM ENVIRONMENT
Why
Best of breed / most suitable / Triple E
System maintenance considerations
Issues
Interface and integration
GRC – GOVERNANCE RISK & COMPLIANCE
GRC - COMPLIANCE, RISK AND GOVERNANCE
Are key processes processed / recorded / monitored by IT applications?
Effective resolution and escalation mechanism
IT Steering committee
Adherence to Standards & Best practices
BENEFITS OF INTEGRATION
Holistic view
Appropriate time
Domain expert involvement
Bigger picture to management
INFORMATION SYSTEMS IN PERSPECTIVE
GIGO
Red herrings and flags
Recording of transactions in a system-usable manner
WAY FORWARD
Identify Internal audit elements involving information systems
Prepare inventory of Information systems
Prepare IS Audit programs
Integrate IS Audit tests into Internal audit programs
Use appropriately qualified resources for technical areas
Identify the remaining IS audit elements not covered in existing internal audit programs and schedule separate IS audits
SUMMARY
IS Audit is necessary
IS Audit is mandated by audit standards
IS Audit is important for effective internal audit
IS Audit can be effectively combined with internal audit
FURTHER READING
ICAI Standards on Internal Auditing – Std 14
Internal audit in IT Environment
www.isaca.org
ISO 27001 – Information Security
www.theiia.org/guidance/technology/gait/
GAIT – Guidance to Assessment of IT Risk
THANK YOU
Thank you for your patience
Questions ? ? ?
OUR CONTACT DETAILS
A. Subramaniam
Chief Executive
BizPro Consultants, Bangalore
subramaniam@bizproconsultants.co.in
Mob : 0091 95351 11806