Escolar Documentos
Profissional Documentos
Cultura Documentos
Audit Mission
Provide independent, objective assurance and consulting services designed to add value and improve organizations operations.
What is IT / IS Audit ?
An information technology audit, or information systems audit:
The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.
These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing (EDP) audits".
Important Terms
Independence : Refers to the independence of the internal auditor or of the external auditor from parties that may have a financial interest in the business being audited. Objectivity: Judgment based on observable phenomena and uninfluenced by emotions or personal prejudices. Due Diligence: Reasonable steps taken by a person in order to satisfy a requirement. Professional Care: Applying the care and skill expected of a reasonably prudent and competent auditor.
Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
Inform appropriate parties of the results of work performed; revealing all significant facts known to them. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
Corporate Governance
Corporate governance is "the system by which companies are directed and controlled".
It involves regulatory and market mechanisms, and the roles and relationships between a companys management, its board, its shareholders, and the goals for which the corporation is governed.
IT Governance
Information technology governance is a subset discipline of corporate governance focused on information technology (IT) systems and their performance and risk management
1. IT Function
2. IT layers
Auditor and IT
Audit Universe
IT Audit Process
Five Tasks:
1.
2. 3. 4.
21
5.
Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices. Plan specific audits to ensure that IT and business systems are protected and controlled. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives. Communicate emerging issues, potential risks and audit results to key stakeholders. Advise on the implementation of risk management and control practices within the organization while maintaining independence.
22
23
24
25
Audit Planning
Audit planning
Short-term planning (an year) Long-term planning Things to consider
New control issues Changing technologies Changing business processes Enhanced evaluation techniques
26
Audit Planning
Audit Planning Steps
1.
2. 3. 4. 5. 6. 7. 8.
27
Gain an understanding of the businesss mission, objectives, purpose and processes. Identify stated contents (policies, standards, guidelines, procedures, and organization structure) Evaluate risk assessment and privacy impact analysis Perform a risk analysis. Conduct an internal control review. Set the audit scope and audit objectives. Develop the audit approach or audit strategy. Assign personnel resources to audit and address engagement logistics.
28
29
30
Standards
Guidelines
Procedures
IS Auditing Standards
1. 2. 3.
Audit charter Independence Ethics and Standards
7. 8. 9.
4.
5. 6.
Competence
Planning Performance of audit work
10. IT governance
11. Use of risk assessment in
planning audit
9.
Document irregularity/illegal act related communications, planning, results, evaluations and conclusions
33
Sensitivity Rating
0% 0%
34
35
Internal Control
Internal Controls
Policies, procedures, practices and organizational structures implemented to reduce risks
36
Internal Control
Internal Control
37
Internal Control
38
Preventive controls
Detective controls
Corrective controls
Internal Control
IS Control Objectives
39
Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives, thus need, to be addressed in a manner specific to IS-related processes
Internal Control
40
Internal Control
IS Control Objectives (Contd)
41
Ensuring the efficiency and effectiveness of operations Complying with requirements, policies and procedures, and applicable laws Developing business continuity and disaster recovery plans Developing an incident response plan
Day 1 Recap
Audit Mission Planning Roles of Internal, external and IS Auditor Code of Professional Ethics IS Audit Standards and Guidelines IT Audit Universe Risk Analysis
Internal Control
IS Control Objectives (Contd)
COBIT
43
An IT management framework?
COBIT 3rd Edition (2000)
An IT governance framework?
COBIT 4.0 (2005) and COBIT 4.1 (2007) Governance and compliance processes added Assurance processes removed
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM)
Internal Control
General Control Procedures
47
apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.
Internal Control
48
Internal Control
IS Control Procedures
49
Strategy and direction General organization and management Access to data and programs Systems development methodologies and change control Data processing operations Systems programming and technical support functions Data processing quality assurance procedures Physical access controls Business continuity/disaster recovery planning Networks and communications Database administration
50
Performing an IS Audit
Definition of Auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
Performing an IS Audit
Definition of IS Auditing
51
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related nonautomated processes and the interfaces between them.
Performing an IS Audit
Classification of audits: Financial audits Operational audits Integrated audits Administrative audits Information systems audits Specialized audits Forensic audits
52
Performing an IS Audit
Audit Programs
53
Based on the scope and the objective of the particular assignment IS auditors perspectives
Security (confidentiality, integrity and availability) Quality (effectiveness, efficiency) Fiduciary (compliance, reliability) Service and Capacity
Performing an IS Audit
General audit procedures
54
Understanding of the audit area/subject Risk assessment and general audit plan Detailed audit planning Preliminary review of audit area/subject Evaluating audit area/subject Compliance testing Substantive testing Reporting(communicating results) Follow-up
Performing an IS Audit
55
Performing an IS Audit
Audit Methodology
56
A set of documented audit procedures designed to achieve planned audit objectives Composed of
Statement of scope Statement of audit objectives Statement of work programs
Set up and approved by the audit management Communicated to all audit staff
Performing an IS Audit
Typical audit phases
57
1. Audit subject
Identify the area to be audited
2. Audit objective
Identify the purpose of the audit
3. Audit scope
Identify the specific systems, function or unit of the organization
Performing an IS Audit
Typical audit phases (Contd)
4. Pre-audit planning
58
59
Performing an IS Audit
Typical audit phases (Contd)
5. Audit procedures and steps for data gathering
Identify and select the audit approach Identify a list of individuals to interview Identify and obtain departmental policies, standards and guidelines
Performing an IS Audit
Typical audit phases (Contd)
6. Procedures for evaluating test/review result
60
61
Performing an IS Audit
Workpapers (WPs)
What are documented in WPs?
Audit plans
Audit programs Audit activities Audit tests Audit findings and incidents
Performing an IS Audit
Workpapers (Contd)
Do not have to be on paper Must be
Dated Initialized Page-numbered Relevant Complete Clear Self-contained and properly labeled Filed and kept in custody
62
Performing an IS Audit
Fraud Detection
Managements responsibility
63
Fraud detection and disclosure Auditors role in fraud prevention and detection
64
Performing an IS Audit
Audit Risk
Audit risk is the risk that the information/financial report may contain material error that may go undetected during the audit.
A risk-based audit approach is used to assess risk and assist with an IS auditors decision to perform either compliance or substantive testing.
65
Performing an IS Audit
Audit Risks
Inherent risk Control risk Detection risk Overall audit risk
66
Performing an IS Audit
Risk-based Approach Overview
Gather Information and Plan Obtain Understanding of Internal Control Perform Compliance Tests Perform Substantive Tests Conclude the Audit
67
Performing an IS Audit
Materiality
An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited
68
Performing an IS Audit
Risk Assessment Techniques
Enables management to effectively allocate limited audit resources Ensures that relevant information has been obtained Establishes a basis for effectively managing the audit team Provides a summary of how the individual audit subject is related to the overall organization and to business plans
Performing an IS Audit
69
Confidentiality
Integrity Reliability
Availability
Performing an IS Audit
70
Substantive test
tests the integrity of actual processing
Correlation between the level of internal controls and substantive testing required Relationship between compliance and substantive tests
Performing an IS Audit
Evidence
71
It is a requirement that the auditors conclusions must be based on sufficient, competent evidence.
Independence of the provider of the evidence Qualification of the individual providing the information or evidence Objectivity of the evidence Timing of evidence
Performing an IS Audit
Techniques for gathering evidence:
72
Review IS organization structures Review IS policies and procedures Review IS standards Review IS documentation Interview appropriate personnel Observe processes and employee performance
Performing an IS Audit
Actual functions Actual processes/procedures Security awareness Reporting relationships
73
74
Performing an IS Audit
Sampling
General approaches to audit sampling:
Statistical sampling Non-statistical sampling Attribute sampling Variable sampling
Performing an IS Audit
Sampling
(Contd)
75
Attribute sampling
Stop-or-go sampling Discovery sampling
Variable sampling
Stratified mean per unit Unstratified mean per unit Difference estimation
Performing an IS Audit
Statistical sampling terms:
76
Confident coefficient Level of risk Precision Expected error rate (not for variable sampling) Sample mean Sample standard deviation Tolerable error rate Population standard deviation (not for attribute sampling)
Performing an IS Audit
77
Quiz # 1
1. Four types of Risk Treatment Strategies are 1. 2. 3. 4.
Quiz #1
2. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks : A. Inherent Risk B. Detection Risk C. Control Risk D. Business Risk
Quiz # 1
3. An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should present the MOST concern to the IS auditor:
A. The owner of the system was not present at the time of the evidence retrieval. B. The system was powered off by an investigator. C. There are no documented logs of the transportation of evidence. D. The contents of the random access memory (RAM) were not backed up.
Quiz # 1
4. Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file? A. Attribute sampling B. Generalized audit software (GAS) C. Test data D. Integrated test facility (ITF)
Quiz #1
5. An IS auditor performing a review of an application's controls would evaluate the: A. efficiency of the application in meeting the business processes. B. impact of any exposures discovered. C. business processes served by the application. D. application's optimization.
Quiz # 1
6) An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST: A. expand the scope of the IS audit to include the devices that are not on the network diagram. B. evaluate the impact of the undocumented devices on the audit scope. C. note a control deficiency because the network diagram has not been updated. D.plan follow-up audits of the undocumented devices.