AFRICA. DATOR. FRANCISCO. YU
UNIT 1:
IT Overview
The demand for IT auditors outweighs the supply of qualified candidates due to advances in technology and appreciation of the profession in the business sector.
Not only are IT auditors in demand; their work is also interesting and challenging.
IT auditors evaluate an entity’s information system. This may include examining documents and interviewing people as well.
These must be done because business processes use IT to function, and IT is likely to be integral to an entity’s viability.
Introduction
IT influences organizational risks and controls. IT creates opportunities, but these carry with them many kinds of risks.
Example:
- Ability to transmit documents electronically to customers and vendors
- Opportunity: Improved efficiency in the supply chain
- Risk: Potential failure of electronic communication
Impact of IT in Organizations
IT governance is the process of controlling an organization’s information technology resources, which include information and communication systems as well as technology.
Enterprise governance is the process of setting and implementing corporate strategy.
Management and owners share responsibility for managing both the enterprise and IT.
IT GOVERNANCE
IT governance is an important part of enterprise governance because of:
- organizational dependency on information and communication
- scale of IT investment
- potential strategic opportunities
- level of IT risk
IT governance also requires controlling the IT process to ensure that it complies with regulatory, legal, and contractual requirements.
Objective of IT Governance: To set strategies for IT so that it is closely aligned with organizational goals, and to use IT for maximum opportunity but minimum risk.
The first part concerns the use of IT to promote the organization’s objectives and enable business processes.
The second part involves managing and controlling IT-related risks.
IT GOVERNANCE
This process begins with the development of an IT governance plan. Such a plan will help set the strategic course of IT acquisition and deployment or use.
IT governance is an ongoing process, and management needs to regularly evaluate and update plans.
IT GOVERNANCE
The Information Systems Audit and Control Association (ISACA) established the IT Governance Institute in 1998.
This institute exists to clarify and provide guidance on current and future issues pertaining to IT governance, control and assurance.
It developed CobiT and COEG. CobiT provides guidance on IT governance by providing the structure that links IT processes, IT resources and information to enterprise strategies and objectives.
IT GOVERNANCE INSTITUTE
Guideline:
“ Governance over information technology and its processes with the business goal of adding value, while balancing risk versus return, ensures delivery of information to the business that addresses the required Information Criteria and is measured by Key Goal Indicators, is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value and delivery of IT, considers Critical Success Factors that leverage all IT Resources and is measured by Key Performance Indicators.”
Set Objectives:
- IT is aligned with the business
- IT enables the business and maximizes benefits
- IT resources are used responsibly
- IT-related risks are managed appropriately
Provide Direction
Compare
Measure Performance
IT Activities:
- Increase automation (make business effective)
- Decrease cost (make enterprise efficient)
- Manage risks (security, reliability and reliance)
IT GOVERNANCE FRAMEWORK
While IT governance is just plain good business practice, it is also a possible source of competitive advantage.
Organizations that leverage IT effectively are likely to create more value for customers and other stakeholders.
Lack of return on IT investments and security failures are also reasons why organizations should invest in developing IT governance plans and policies.
Part of IT governance concerns controlling IT risk. This is important in enterprises because management uses IT to process data about ongoing transactions or events.
A computerized information system for transaction processing may increase some risks and decrease others.
IT AND TRANSACTION PROCESSING
Example 1: In sales, compare a sales clerk who manually records data and may make a data entry error with a computer system that scans an inventory barcode and will not make that mistake. Therefore, IT decreases the risk.
Example 2: If the database administrator has accidentally mismatched an inventory item description and item number, then every sale of that inventory item will be recorded incorrectly.
Overall, use of IT can reduce risk due to human error, but it can also increase it.
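To make the two examples concrete, here is an added illustration (not part of the lecture slides) of two application controls an IT auditor would look for: a barcode check-digit validation that rejects a mis-keyed item code (the kind of error a scanner does not make), and a master-data reconciliation that flags the item number/description mismatch of Example 2 before it propagates into every sale. The item numbers, descriptions and sales lines are constructed sample data; the reference catalogue is assumed to be an independent source the item master was loaded from.

```python
"""Two application controls for the transaction-processing risks above.

Added example (not from the lecture slides). All item codes, descriptions
and sales lines below are constructed sample data.
"""


def ean13_check_digit(first_twelve: str) -> int:
    """Compute the EAN-13 check digit for the first 12 digits.

    Digits in odd positions (1st, 3rd, ...) are weighted 1, even positions
    weighted 3; the check digit brings the weighted sum to a multiple of 10.
    """
    if len(first_twelve) != 12 or not first_twelve.isdigit():
        raise ValueError("expected exactly 12 digits")
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(first_twelve))
    return (10 - total % 10) % 10


def ean13_is_valid(code: str) -> bool:
    """Input control: reject a code whose check digit does not match.

    A scanner reads the printed digits exactly, so a valid label always passes;
    a clerk who mis-keys or transposes digits is caught here instead of the
    error reaching the sales record.
    """
    return len(code) == 13 and code.isdigit() and ean13_check_digit(code[:12]) == int(code[12])


def reconcile_item_master(item_master: dict, reference_catalogue: dict) -> list:
    """Detective control for Example 2: compare the live item master against
    an independent reference (assumed here to be the supplier catalogue the
    DBA loaded from) and report every item whose description disagrees.

    Returns a sorted list of (item_number, master_description, reference_description).
    """
    mismatches = []
    for item_number, reference_description in reference_catalogue.items():
        master_description = item_master.get(item_number)  # None if the item is missing
        if master_description != reference_description:
            mismatches.append((item_number, master_description, reference_description))
    return sorted(mismatches)


def sales_affected(sales_lines: list, mismatches: list) -> list:
    """Show the blast radius: every sale of a mismatched item is recorded
    under the wrong description, which is why one master-data error is a
    higher-impact risk than one keying error."""
    bad_items = {m[0] for m in mismatches}
    return [line for line in sales_lines if line["item_number"] in bad_items]


# Constructed sample data: the item master disagrees with the catalogue on item 1002
ITEM_MASTER = {"1001": "Widget 10mm", "1002": "Bolt M6", "1003": "Nut M6"}
REFERENCE_CATALOGUE = {"1001": "Widget 10mm", "1002": "Bolt M8", "1003": "Nut M6"}
SALES_LINES = [
    {"sale_id": "S1", "item_number": "1001", "qty": 2},
    {"sale_id": "S2", "item_number": "1002", "qty": 5},
    {"sale_id": "S3", "item_number": "1002", "qty": 1},
]

if __name__ == "__main__":
    print(ean13_is_valid("4006381333931"))  # correctly scanned label
    print(ean13_is_valid("4006381333913"))  # last two digits transposed by a clerk
    found = reconcile_item_master(ITEM_MASTER, REFERENCE_CATALOGUE)
    print(found)
    print(sales_affected(SALES_LINES, found))
```

The check digit is a preventive control at the point of entry; the reconciliation is a detective control that an auditor can re-perform independently of the system under review. Both are the sort of control whose design and operation an IT auditor would test rather than relying on the clerk or the DBA being careful.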
A change in risks dictates changes in how an auditor needs to work.
Example: An auditor may need to look at a computer program to make sure the system logic is correct. Auditors ensure IT governance and, in doing so, assess IT risks and implement or monitor the controls over those risks.
The roles of IT auditors vary with their position within or outside the organization and with each individual project. The level of expertise needed for an engagement also varies.
WORK OF AN IT AUDITOR
Basically, an IT auditor can provide assurance or give comfort over just about anything related to information systems, but some of the specific types of engagements an IT auditor might perform include:
- Evaluating controls over specific applications
- Providing assurance over specific processes
- Providing third-party assurance
- Penetration test
- Supporting financial audit
- Searching for IT-based fraud
WORK OF AN IT AUDITOR
Relationship Between Financial and IT Audits
The objective of a financial statement audit is to ensure that an organization’s public financial instruments are presented in conformity with generally accepted accounting principles.
In the course of an audit engagement, financial auditors analyze an organization’s internal control system to assess the degree to which it appears to be operating effectively.
As organizations have increased their reliance on computer technology in processing transactions and reporting information, it has become increasingly difficult for financial auditors to ignore IT in their audits.
Today’s complex IT environments call for an evaluation of the information system as part of the financial audit.
SAS No. 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit, requires auditors to understand both manual and computerized processes for financial statement presentation and to recognize the additional risks and benefits of IT relative to internal control.
It also notes that auditors need specialized skills in order to be able to understand IT controls and the impact of IT on a financial statement audit.
Auditors are to acquire those skills themselves or obtain assistance from a specialized IT auditor.
The Sarbanes-Oxley Act of 2002 mandates that management assess and make representations about internal controls.
Auditors will need to test those controls and provide assurance about management’s representation.
IT Audit Skills
Technical Skills
– IT auditors acquire specialized technology skills as they work with different platforms and software applications
General Personal and Business Skills
– Communication Skills
– Interpersonal Skills and Teamwork
– Business Education
– Decision Sciences
Professional IT Auditor Organizations and Certifications
Information Systems Audit and Control Association (ISACA)
- Founded 1969; largest professional organization of IT auditors
- Information Systems Audit and Control Foundation: conducts research and issues publications that guide IT audit professionals
- IT Governance Institute
- CISA: most highly valued global credential for IT auditors; CISA certification introduced in 1978
- CISM: for non-audit security professionals
Institute of Internal Auditors (IIA)
- Founded 1941; international organization of internal auditing professionals
- Issues the CIA credential
- Promotes the practice of internal auditing through quality assurance
- IIA’s membership: internal auditors (AICPA), (IMA)
- IT auditor: may be either an external auditor or a member of an organization’s internal audit staff
Association of Certified Fraud Examiners (ACFE)
- Issues the CFE credential to professionals who specialize in auditing for fraud
American Institute of Certified Public Accountants (AICPA)
- Confers the CPA license
- 1934: SEC required companies to have their FS audited by CPAs
- CPA: provides a good foundation for an IT auditor
- 2000: introduced CITP (a CPA with specialized expertise in IT)
Structuring IT Audits
Types of IT audits:
1. Attestations or agreed-upon procedures audits
2. Statement on Auditing Standards #70 audits: the service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.
3. IT audits in support of external financial audits
4. Findings and recommendations reviews
Standards and Guidelines IT auditors use:
1. AICPA Audit Standards and Guidelines
- ASB, 1947: issued GAAS (general, fieldwork, reporting standards)
- SAS: interpretations of GAAS
- SSAE: perform an attestation; issues a report stating a conclusion about the reliability of subject matter that is the responsibility of someone else
- SSAE No. 10, Attestation Standards: Revision and Recodification: superseded all previous attestation engagement statements
- Auditors are increasingly involved in providing assurance over nonfinancial information
2. International Federation of Accountants (IFAC) Guidelines
- International umbrella organization of national professional accountancy groups (management, auditing, education, tax)
- Classification of the member organizations: full members, associate members, affiliate members
- Mission: develop harmonized or common international accounting standards and guidelines to assist professionals in their work
- Types of guidance of use to IT auditors: IFAC Handbook of International IT Guidelines (provides direction concerning IT areas); ISAs (financial statement audits); IAPSs (implementing the standards)
3. ISACA Standards, Guidelines, and Procedures
- Standards: prescribe minimum performance levels required to comply with ISACA’s Code of Professional Ethics
- Licensed CISAs must comply with ISACA standards
- Guidelines: provide help in applying the standards
- CobiT: ISACA’s IT governance framework; used for assessing and advising management about internal controls; includes a set of audit guidelines that provide IT auditors with a structure for internal control evaluation
COBIT FRAMEWORK
Issue: Good IT governance
Possible key: COBIT Framework
COBIT FRAMEWORK: Review…
One of many control frameworks developed to help companies develop good internal control.
Developed by the ISACF (Information Systems Audit and Control Foundation).
Allows:
1. Management to benchmark other IT practices.
2. Users of IT services to be assured that adequate security and control exist.
3. Auditors to substantiate their opinions on internal control and advise on IT security and control matters.
COBIT FRAMEWORK: Review…
Addresses the issue of control from 3 vantage points:
1. Business objectives: conform with business requirements
2. IT resources: people, application systems, technology, facilities and data
3. IT processes: (a) planning and organizing, (b) acquisition and implementation, (c) delivery and support, (d) monitoring and evaluation
- Consolidates 36 standards in a single framework.
- Helps in balancing risk and control.
COBIT FRAMEWORK: According to ISACA
- Accepted globally as a set of tools that ensures IT is working effectively
- Functions as an overarching framework
- Provides a common language to communicate goals, objectives and expected results to all stakeholders
- Based on, and integrates, industry standards and good practices in:
● Strategic alignment of IT with business goals
● Value delivery of services and new projects
● Risk management
● Resource management
● Performance measurement
COBIT FRAMEWORK: ISACA
How does COBIT support the governance of IT?
COBIT supports IT governance by providing a framework to ensure that:
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT risks are managed appropriately
COBIT FRAMEWORK: According to ISACA
[Figure: IT Governance focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
COBIT is based on the analysis and harmonization of existing IT standards and good practices and conforms to generally accepted governance principles. It is positioned at a high level, driven by business requirements, covers the full range of IT activities, and concentrates on what should be achieved rather than how to achieve effective governance, management and control. Therefore, it appeals to executive management; business and IT management; governance, assurance and security professionals; and IT audit and control professionals.
COBIT FRAMEWORK: ISACA updates
ISACA has started on a multiyear strategic initiative to develop the next generation of the COBIT Framework, COBIT 5, and supporting products. Building on more than fifteen years of practical use of COBIT by many IT professionals from the business, IT, risk management, security and assurance communities, the COBIT 5 deliverables will be designed to meet the current and future needs of stakeholders and align with the most up-to-date thinking in enterprise governance and IT management practices.