it audit presentation_icap

AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT

What is Internal Audit Need for I.S. Auditing I.S. Audit Standards Controls COBIT I.S. Audit Process Audit Resource Management

Scope of Presentation

INTERNAL AUDITING Is an independent, objective assurance and

consulting activity designed to add value and improve an organization’s operations

Helps an organization in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and

improve the effectiveness of risk management, control and governance processes

Functions include amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of the accounting and internal control systems

What is Internal Audit?

Internal auditing is an independent, objective assurance and consulting activity within an organization that is guided by a philosophy of adding value to improve operations of the organization. It assists an organization in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control and governance processes.

Internal Auditing Defined

The role of internal auditing is determined by management and its function’s objective vary according

to management’s requirements and as such it is part of the entity.

External audit, on the other hand, is carried out independently to express an opinion on the fairness of the financial statements, with the primary concern and objective of determining whether the financial statements are free from material misstatements. It is, therefore, not a part of entity.

Nevertheless some of the means of achieving their respective objectives are often similar and thus

certain aspects of internal auditing may be useful in determining the nature, timing and extent of external audit procedures.

Internal Audit Vs. External Audit

Increasing level of computerization of manual functions

Rapid technological development Lack of user knowledge resulting in

insecure practices Role of networks Viruses, Worms, Hackers and other

security threats Changing Regulatory environment

Need for I.S. Auditing

IS auditing is the process of collecting and evaluating evidence to determine whether information systems and related resources, adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that operational and control objectives will be met.

I.S. Auditing

Objectives of IS Auditing Objectives of IS Auditing StandardsStandards

Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners

Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities

I.S. Auditing Standards

Audit charter

Independence

Professional Ethics and Standards

Competence


Planning

Performance of audit work

Reporting

Follow-up activities


Audit charter

The responsibility, authority and accountability of the information systems audit functions are to be appropriately documented in an audit charter or engagement letter.

ISACA Standards and Guidelines for IS Auditing

Independence

Professional Independence: In all matters related to auditing, the IS auditor is to be independent of the auditee in attitude and appearance.

Organizational Relationship: The IS audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit.


Professional Ethics and Standards

Due professional care and observance of applicable professional auditing standards are to be exercised in all aspects of the information systems auditor’s work.


Competence

Skills and Knowledge: The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor’s work.

Continuing Professional Education: The information systems auditor is to maintain technical competence through appropriate continuing professional education.


Planning

The information systems auditor is to plan the information systems audit work to address the audit objectives on audit standards and requirements and to comply with applicable professional auditing standards.


• Performance of audit work

Supervision: Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met.

Evidence: During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.


• Reporting

The information systems auditor is to provide a report in an appropriate form to intended recipients upon completion of audit work. The audit report is to state the scope, objectives, period of coverage and the nature and extent of the audit work performed. The report is to identify the organization, the intended recipients and any restrictions on circulation. The report is to state the findings, conclusions, recommendations and any reservations or qualifications that the auditor has with respect to the audit.


• Follow-up activities

The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions and recommendations to determine whether appropriate actions have been implemented in a timely manner.


Some Control Definitions...

1.IT Risk

2. Control

3. Control Objectives

4. Control Practices

IT Risk

The chance that information systems will not satisfy the business requirement of ensuring the achievement of IT objectives and responding to threats to the provision of IT services

Control

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Control Objectives

IT Control Objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

Control Practices

A key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business.

Why do we need Controls?

If everything seems under control,

you are not going fast enough

Control classificationControl classification

PreventivePreventive

DetectiveDetective

CorrectiveCorrective

Controls

Information System Control ObjectivesInformation System Control Objectives

Control objectives in an information systems Control objectives in an information systems

environment remain unchanged from those of a environment remain unchanged from those of a

manual environment. However, control features may manual environment. However, control features may

be different. The internal control objectives, thus be different. The internal control objectives, thus

need, to be addressed in a manner specific to IS-need, to be addressed in a manner specific to IS-

related processesrelated processes

Controls

CobiT is a very rich standard

CobiT was developed by experts with extensive experience in many different industries

It includes all of the processes that can take place within an IT organization

It describes CSF’s, KPI’s, KGI’s and processes that may not necessarily be relevant to a given organization’s needs

Depending on the organization, attempting to implement the complete standard can cost more than the value created by a successful implementation

Control Objectives for Information Control Objectives for Information and related Technologyand related Technology

IT control objectives and standards IT control objectives and standards of good practice of good practice

34 high-level control objectives34 high-level control objectives

COBIT

CobiT Framework IT Domains

PLANNINGPLANNING

&&

ORGANISATIONORGANISATION

ACQUISITIONACQUISITION

&&

IMPLEMENTATIONIMPLEMENTATION

DELIVERYDELIVERY

&&

SUPPORTSUPPORT

MONITORINGMONITORING

BUSINESS OBJECTIVES

INFORMATION

IT RESOURCES

PLANNING & ORGANISATIONPLANNING & ORGANISATION

1. Define a strategic IT plan

2. Define the information architecture

3. Determine the technological direction

4. Define the IT organisation and relationships

5. Manage the investment

6. Communicate management aims and directions

7. Manage human resources

8. Ensure compliance with external requirements

9. Assess risks

10. Manage project

11. Manage quality

PLANNINGPLANNING

&&

ORGANISATIONORGANISATION

CobiT IT Domains Processes

ACQUISITION & IMPLEMENTATIONACQUISITION & IMPLEMENTATION

1. Identify solutions

2. Acquire and maintain application software

3. Acquire and maintain technology architecture

4. Develop and maintain IT procedures

5. Install and accredit systems

6. Manage changes

ACQUISITIONACQUISITION

&&

IMPLEMENTATIONIMPLEMENTATION


DELIVERY & SUPPORTDELIVERY & SUPPORT

1. Define Service Levels

2. Manage third-party services

3. Manage performance and capacity

4. Ensure continuous service

5. Ensure system security

6. Identify and attribute costs

7. Educate and train users

8. Assist and advise IT customers

9. Manage the configuration

10. Manage problems and incidents

11. Manage data

12. Manage facilities

13. Manage operations

DELIVERYDELIVERY

&&

SUPPORTSUPPORT



1. Monitor the processes

2. Assess the internal control adequacy

3. Obtain independent assurance

4. Provide for independent audit



How To Assess IT Risks PO9 Assess Risks Control Objectives

1. Carry out a business risk assessment2. Implement an IT risk assessment approach3. Identify IT risks4. Measure IT risks

5. Create an IT risk management action plan6. Accept residual risk7. Select Safeguards8. Commit to Risk Assessment

Risk

Id

entification

Con

trol Im

plem

entation

How To Assess IT Risks

1. Carry out a business risk assessment2. Implement an IT risk assessment approach3. Identify IT risks4. Measure IT risks5. Create an IT risk management action plan6. Accept residual risk7. Select Safeguards8. Commit to Risk Assessment

I.S. Audit Planning

Adequate planning is a necessary first Adequate planning is a necessary first step in performing effective IT auditsstep in performing effective IT audits

Need to understand the general Need to understand the general business environment as well as the business environment as well as the associated business and control risksassociated business and control risks

Assess operational and control risks Assess operational and control risks and identify control objectives during and identify control objectives during audit planningaudit planning

To perform an audit planning, the IS auditor should

1. Gain an understanding of the business’ mission, objectives, processes, information and processing requirements such as availability, integrity and security and information architecture requirements. In general terms, processes and technology.

2. Perform risk analysis.1. Conduct an internal control review.2. Set the audit scope and audit objective(s).3. Develop the audit approach or audit strategy.4. Assign resources to audit and address engagement

logistics.

I.S. Audit Planning

In planning the engagement, I.S. Auditors should consider:

The objectives of the activity being reviewed and the means by which the activity controls its performance.

The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.

The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model.

The opportunities from making significant improvements to the activity’s risk management and control systems.

I.S. Audit Planning

General audit proceduresGeneral audit procedures Understanding of the audit area/subjectUnderstanding of the audit area/subject Risk assessment and general audit planRisk assessment and general audit plan Detailed audit planningDetailed audit planning Preliminary review of audit area/subjectPreliminary review of audit area/subject Evaluating audit area/subjectEvaluating audit area/subject Compliance testing Compliance testing Substantive testingSubstantive testing Reporting(communicating results)Reporting(communicating results) Follow-upFollow-up

I.S. Audit Process

Audit Methodology

The audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. The audit strategy is the audit methodology, which is a set of documented audit procedures designed to achieve planned audit objectives. It’s components are: a statement of scope, statement of audit objectives and statement of work programs

I.S. Audit Process

Identify• the area to be audited• the purpose of the audit• the specific systems, function or

unit of the organization to be included in the review.

• technical skills and resources needed

• the sources of information for tests or review such as functional flow-charts, policies, standards, procedures and prior audit work papers.

• locations or facilities to be audited.

• select the audit approach to verify and test the controls

• list of individuals to interview• obtain departmental policies,

standards and guidelines for review

Typical audit phases Develop

• audit tools and methodology to test and verify control

• procedures for evaluating the test or review results

• procedures for communication with management

Identify• follow-up review procedures• procedures to evaluate/test

operational efficiency and effectiveness

• procedures to test controls

Review and evaluate the soundness of documents, policies and procedures

I.S. Audit Process

Control objective: A control objective refers to how an internal control should function.

Audit objective: Audit objective refers to the specific goals of the audit. An audit may incorporate several audit objectives. Audit objectives often center around substantiating that internal controls exist to minimize business risks. Management may give the IS auditor a general objective to follow when performing an audit.

A key element in planning an information systems audit is to translate basic audit objectives into specific information systems audit objectives.

I.S. Audit Process

Audit risk and materialityAudit risk and materialityMore and more organizations are moving to a risk-based audit approach that is usually adapted to develop and improve the continuous audit process. This approach is used to assess risk and to assist with an IS auditor’s decision to do either compliance testing or substantive testing.

I.S. Audit Process

In a risk-based audit approach, IS auditors are not just relying on risk; they also are relying on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices.

Business risks are the concerns about the probable effects of an uncertain event on achieving established objectives. The nature of these risks may be financial, regulatory or operational. By understanding the nature of the business, IS auditors can identify and categorize the types of risks that will better determine the risk model or approach in conducting the audit.

I.S. Audit Process

Risk-based approachRisk-based approach

Emphasis on knowledge of the Emphasis on knowledge of the business and technologybusiness and technology

Focuses on assessing the effectiveness Focuses on assessing the effectiveness of a “combination” of controlsof a “combination” of controls

Linkage between risk assessment and Linkage between risk assessment and testing focusing on control objectives.testing focusing on control objectives.

Focuses on the business from a Focuses on the business from a management perspectivemanagement perspective

I.S. Audit Process

Types of riskTypes of risk Inherent riskInherent risk Control riskControl risk Detection riskDetection risk Overall audit riskOverall audit risk

I.S. Audit Process

Inherent Risk - The risk that an error exists which could be material or significant when combined with other errors encountered during the audit assuming that there are no related compensating controls.

Control Risk - The risk that a material error exists that will not be prevented or detected on a timely basis by the system of internal controls.

Detection Risk - The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.

I.S. Audit Process

Overall Audit Risk - The combination of the individual categories of audit risks assessed for each specific control objective. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination. Another objective is to assess and control those risks to achieve the desired level of assurance as efficiently as possible.

I.S. Audit Process

Risk Assessment TechniquesRisk Assessment Techniques Enables management to effectively allocate Enables management to effectively allocate

limited audit resourceslimited audit resources Ensures that relevant information has been Ensures that relevant information has been

obtainedobtained Establishes a basis for effectively managing Establishes a basis for effectively managing

the audit departmentthe audit department Provides a summary of how the individual Provides a summary of how the individual

audit subject is related to the overall audit subject is related to the overall organization and to business plansorganization and to business plans

I.S. Audit Process

Control objectives and the related key controls that address the objective. An auditor should be able to identify key controls

and then decide to test these controls through substantive or compliance verification methods. The IS auditor is to identify application controls after developing an understanding and documenting the application or function, and based upon that, should identify key control points. This will allow the auditor to determine if controls are working as expected and results of compliance tests will allow the auditor to design more extensive compliance or substantive testing.

I.S. Audit Process

Relationship between substantive and compliance tests and the two categories of substantive tests.

Substantive tests substantiate the integrity of actual

processing. It provides evidence of the validity and

integrity of the balances in the financial statements

and the transactions that support these balances.

Compliance tests determine if controls are being

applied in a manner that complies with management

policies and procedures.

I.S. Audit Process

Correlation between the level of internal controls and the amount of substantive testing required.

If the results of testing controls reveal the presence of

adequate internal controls, then the IS auditor is justified in

minimizing the substantive procedures. Conversely, if the

testing controls reveals weaknesses in control that may

raise doubts about the completeness, accuracy or validity of

the accounts, substantive testing can alleviate those doubts.

I.S. Audit Process

Evidence – It is a requirement that the Evidence – It is a requirement that the auditor’s conclusions must be based on auditor’s conclusions must be based on sufficient, competent evidence.sufficient, competent evidence.

Independence of the provider of the evidenceIndependence of the provider of the evidence

Qualification of the individual providing the information Qualification of the individual providing the information

or evidenceor evidence

Objectivity of the evidenceObjectivity of the evidence

Timing of evidenceTiming of evidence

I.S. Audit Process

Techniques for gathering evidence:Techniques for gathering evidence:

Review IS organization structuresReview IS organization structures

Review IS policies, procedures and standardsReview IS policies, procedures and standards

Review IS documentation Review IS documentation

Interview appropriate personnelInterview appropriate personnel

Observe processes and employee performance.Observe processes and employee performance.

I.S. Audit Process

Computer-assisted audit techniquesComputer-assisted audit techniques CAATs are a significant tool for IS CAATs are a significant tool for IS

auditors to gather information auditors to gather information independentlyindependently

CAATs include:CAATs include: Generalized audit software (ACL, IDEA, etc.)Generalized audit software (ACL, IDEA, etc.) Utility softwareUtility software Test dataTest data Application software for continuous online Application software for continuous online

auditsaudits Audit expert systemsAudit expert systems

I.S. Audit Process

Need for CAATsThe audit findings and conclusions are to be supported by appropriate analysis and interpretation of the evidence. Today’s information processing environments pose a stiff challenge to the IS auditor to collect sufficient, relevant and useful evidence since the evidence exists on magnetic media and can only be examined using CAATs. With systems having different hardware and software environments, different data structure, record formats, processing functions, etc., it is almost impossible for the IS auditors to collect evidence without a software tool to collect and analyze the records.

I.S. Audit Process

Functional Capabilities of CAATsGeneralized audit software provides IS auditors the ability to use high-level problem solving software to invoke functions to be performed on data files. The following functions supported in generalized audit software are:

File access File reorganization Data Selection Statistical functions Arithmetical functions

I.S. Audit Process

Areas of Concern

Integrity, reliability, and security of the CAATs beforehand

Integrity of the information systems and security environment

Confidentiality and security of data as required by the clients

I.S. Audit Process

CAATs offer the following advantages:

Reduced level of audit risk Greater independence from the auditee Broader and more consistent audit coverage Faster availability of information Improved exception identification Greater flexibility of run times Greater opportunity to quantify internal control

weaknesses Enhanced sampling Cost savings over time

I.S. Audit Process

Cost/benefits of CAATsLike any other process, an IS auditor should weigh the costs/benefits of CAATs before going through the effort, time and expense of purchasing or developing them. Issues to consider include:

Ease of use, both for existing audit staff and future staff

Training requirements Complexity of coding and maintenance Flexibility of uses Installation requirements Processing efficiencies (especially with a PC CAAT) Effort required to bring the source data into the

CAATs for analysis

I.S. Audit Process

After developing an audit program and gathering audit evidence, the next step is an evaluation of the information gathered in order to develop an audit opinion. This requires the IS auditor to consider a series of strengths and weaknesses and then to develop audit opinions and recommendations.

The IS auditor should assess the results of the evidence gathered for compliance with the control requirements or objectives established during the planning stage of the audit. This requires considerable judgment, as controls are often unclear. A control matrix is often utilized in assessing the proper level of controls.

I.S. Audit Process

As part of the information systems review, the IS auditor may discover a variety of strong and weak controls. All should be considered when evaluating the overall control structure. In some instances, one strong control may compensate for a weak control in another area. The IS auditor should be aware of compensating controls in areas where controls have been identified as weak.

I.S. Audit Process

A control objective will not normally be achieved due to one control being considered adequate. They must be evaluated to determine how they relate to each other. Evaluate the totality of control by considering the strengths and weaknesses of control procedures.

Assess the strengths and weaknesses of the controls evaluated and then determine if they are effective in meeting the control objectives established as part of the audit planning process.

I.S. Audit Process

Judging materiality of findings

The concept of materiality is a key issue when deciding which findings to bring forward in an audit report. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management.

Assessment requires judgment of the potential effect of the finding if corrective action is not taken. Assess what is significant to different levels of management. Discuss examples of what might be important to different levels of management and why.

I.S. Audit Process

Communicating audit results. Results or concerns should be communicated to senior management and to the audit committee of the board of directors. IS auditors should feel free to communicate issues or concerns to such management. Audit report structure and contents. There is no specific

format for an IS audit report; therefore, the organization's audit policies and procedures will generally dictate the format.

Exit interview. Used to discuss the findings of the audit and recommendations with management. Ensure that the facts presented in the report are correct, recommendations are realistic and cost effective, and if not, seek alternatives through negotiation with the audit area; and establish implementation dates for agreed recommendations.

I.S. Audit Process

Presentation techniques to communicate the results of the audit work could include the following:

Executive summary: an easy to read and concise report that presents findings to management in an understandable manner.

Visual presentation: could include overhead transparencies, slides or computer graphics.

Oral presentation

I.S. Audit Process

Auditing is an ongoing processAuditing is an ongoing process

The IS auditor is not effective if audits are performed and reports issued but not followed up on to determine if management has taken appropriate corrective actions. IS auditors should have a follow-up program to determine if agreed corrective actions have been implemented.

Timing of follow-upTiming of follow-up

The timing of follow-up will depend upon the criticality of the findings and would be subject to the IS auditor’s judgment. The results of the follow-up should be communicated to appropriate levels of management.

I.S. Audit Process

Audit Documentation

IS audit documentation is the record of the audit work performed and the audit evidence supporting the findings and conclusions (see ISACA Guidelines on audit documentation).

The IS auditor should understand techniques for documenting an information system as well as documenting the understanding of the information systems environment. The IS auditor should be able to prepare adequate work papers, narratives, complete interview questionnaires and create understandable systems flowcharts.

I.S. Audit Process

The IS auditor should understand techniques for managing audit projects with appropriately trained members of the audit staff.

Skill and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.

I.S. Audit Resource ManagementI.S. Audit Resource Management

Project management techniques It is important for an IS auditor to consider a project

management technique for managing and administering audit projects, whether automated or manual. Basic steps for this purpose include:

Develop a detailed plan - This should spread the necessary audit steps across a time line. Realistic estimates should be made of the time requirements for each task with proper consideration given to the availability of the auditee.

Report project activity against the plan. There should be some type of reporting system in place such that IS auditors can report their actual progress against planned audit steps.

Project management techniques

Adjust the plan and take corrective action, as required. Actual accomplishments should be measured against the established plan on a continuous basis. Changes should be made in IS auditor assignments or in planned schedules, as required.

THANK YOU!