
The Information Systems Audit Process


taniel

Presentation Transcript


  1. The Information Systems Audit Process

  2. Definitions:
  • Audit: an unbiased examination and evaluation of products, processes and systems.
  • Auditor: the competent person who performs the audit.
  • Auditee: the organization and the people being audited are collectively called the auditee.
  • Client: the person or organization with the authority to request the audit. A client may be the audit committee, an external customer, the internal audit department, or a regulatory group. Audit details should be kept confidential from persons not directly involved as auditee or client.

  3. Definitions:
  • Internal audits and assessments: auditing your own organization to discover evidence of what is occurring inside it (self-assessment). These have restrictions on their scope, and the findings should not be shared outside the organization.

  4. Definitions:
  • External audits: an external audit is a review of the financial statements or reports of a company by someone not affiliated with the company. External audits play a major role in financial oversight because they are conducted by outside individuals and therefore provide an unbiased opinion. External audits are commonly performed at regular intervals by businesses and are typically required yearly by law for governments.

  5. Definitions:
  • External audits also involve your customer auditing you, or you auditing your supplier: the business audits its customer or supplier, or vice versa. The goal is to ensure the expected level of performance as mutually agreed in their contracts.

  6. Independent audits are outside of the customer-supplier influence. Third-party independent audits are frequently relied on for licensing, certification, or product approval.
  Product audits check the attributes against the design specification (size, color, markings).
  Process audits evaluate the process method to determine whether the activities, or sequence of activities, meet the published requirements. We want to see how the process is working; this involves checking inputs, actions, and outputs to verify the process performance.

  7. System audits seek to evaluate the management of the system, including its configuration. The auditor is interested in the team members' activities, control environment, event monitoring, how customer needs are determined, who provides authorization, how changes are implemented, preventative maintenance, and so forth, including incident response capability.
  Financial audit verifies financial records, transactions, and account balances. This type of audit is used to check the integrity of financial records and accounting practices against well-known accounting standards.

  8. Operational audit verifies the effectiveness and efficiency of operational practices. Operational audits are used frequently in service and process environments, including IT service providers.
  Integrated audit includes both financial and operational controls audits.
  Compliance audit verifies implementation of and adherence to a standard or regulation. This could include ISO standards and all government regulations. A compliance audit usually includes tests for the presence of a working control.

  9. Administrative audit verifies that appropriate policies and procedures exist and have been implemented as intended. This type of audit usually tests for the presence of required documentation.

  10. Definitions:
  • Control: the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected.

  11. Definitions:
  • IT control objective: a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

  12. Definitions:
  • IT governance: a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

  13. IT Framework A successful organization is built on a solid framework of data and information. The framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through high-level control objectives, one for each IT process, contained in the four domains. The framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data), are important for the IT processes to fully support the business objective.

  14. Audit Mission In the light of management objectives, a well-documented audit charter, approved by top management, defines the overall authority, scope and responsibility of the audit function. Whenever you conduct an audit, it is important to write an audit mission statement as part of the preparation. A mission statement defines the audit both for your benefit and for the benefit of the auditee, thereby helping to eliminate confusion, waste of resources, and inefficiencies in auditing.

  15. Audit Mission It serves as a link between the planning and the execution of the audit. Sometimes it seems that writing an audit mission statement can be skipped, but this is not recommended. A little planning in the form of a mission statement goes a long way toward ensuring that the audit functions are effectively performed.

  16. Audit Mission Statement It consists of the following:
  • An outline of the audit purpose and objectives
  • A risk assessment process to describe and analyze the risks inherent in a given line of business
  • An audit plan detailing IS audit's budgeting and planning processes
  • An audit cycle that identifies the frequency of audits
  • Audit work programs that set out, for each audit area, the required scope and resources
  • The format of written audit reports

  17. Audit Planning Audit planning consists of both short-term and long-term planning. Short-term planning takes into account audit issues that will be covered during the year, whereas long-term planning relates to audit plans that take into account risk-related issues arising from changes in the organization's IT strategic direction that will affect its IT environment.

  18. Risk Analysis:
  • Risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
  • Risk elements: threat, impact, frequency.

  19. Business Risk Threats that may impact the assets, processes or objectives of a specific business organization. The nature of these threats may be:
  • financial,
  • regulatory,
  • operational, or
  • may arise as a result of the interaction of the business with its environment, or
  • may arise as a result of the strategies, systems and technology, processes, procedures and information systems used by the business.

  20. ROLES AND RESPONSIBILITY OF INTERNAL AUDITORS The primary role of the internal IT audit staff is to assess independently and objectively the controls, reliability, and integrity of the institution’s IT environment. These assessments can help to maintain or improve the efficiency and effectiveness of the institution’s IT risk management, internal controls, and corporate governance.

  21. ROLES AND RESPONSIBILITY OF INTERNAL AUDITORS Internal auditors should evaluate IT plans, strategies, policies, and procedures to ensure adequate management oversight. Additionally, they should assess the day-to-day IT controls to ensure that transactions are recorded and processed in compliance with acceptable accounting methods and standards and are in compliance with policies set forth by the board of directors and senior management.

  22. ROLES AND RESPONSIBILITY OF INTERNAL AUDITORS Auditors should make recommendations to management about procedures that affect IT controls. Audit’s role generally entails reviewing the control aspects of new applications, products, conversions, or services throughout their development and implementation. Early IT audit involvement can help to ensure that proper controls are in place from inception. However, the auditors should be careful not to compromise, or even appear to compromise, their independence when involved in these projects.

  23. ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS External auditors typically review IT control procedures as part of their overall evaluation of internal controls when providing an opinion on the adequacy of an institution’s financial statements. As a rule, external auditors review the general and application controls affecting the recording and safeguarding of assets and the integrity of controls over financial statement preparation and reporting.

  24. ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS General controls include the plan of organization and operation, documentation procedures, access to equipment and data files, and other controls affecting overall information systems operations. Application controls relate to specific information systems tasks and provide reasonable assurance that the recording, processing, and reporting of data is properly performed.

  25. ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS External auditors may also review the IT control procedures as part of an outsourcing arrangement in which they are engaged to perform all or part of the duties of the internal audit staff. The extent of external audit work, including work related to information systems, should be clearly defined in an engagement letter.

  26. ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS The external auditor may discover weaknesses in the internal control procedures that will affect the accounts. The auditor should report these weaknesses to management. The principal purposes of this report to management are:

  27. ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS
  (a) To enable the auditor to comment on the accounting records, systems and controls examined during the course of the audit: for example, weaknesses in credit control, the reconciliation of ledgers and the maintenance of grant approvals.
  (b) To provide management with financial statistics that can be used to judge the performance of a charity: for example, the number of weeks' expenditure in reserves, or total staff costs expressed as a ratio of total resources expended.
  (c) To communicate any matter that might affect future audits: for example, new accounting standards.

  28. ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS The report to management should recommend what changes need to be made to systems in situations where there are no other compensating controls. The auditor must ensure that the recommended changes have in fact been made.

  29. ROLES AND RESPONSIBILITY OF IT AUDITORS IT auditors, just as much as IT practitioners, work in a very interesting and dynamic environment where everything changes all the time. Initially, the role of IT auditors was protecting the business from the many new exposures that information and communication technologies could create, and risk management has remained an important activity for IT managers and auditors.

  30. ROLES AND RESPONSIBILITY OF IT AUDITORS In today's era of globalization and universal connectivity, many other things have also changed:
  (a) The dependence of organizations and businesses on these technologies has become critical.
  (b) IT has become embedded in most business processes and is an important service function.
  (c) The risks to be contained and managed have all changed and expanded.
  (d) Technologies have become much more complex and are deployed in large numbers.
  (e) The range of IT-related activities is greater than before, and may have been outsourced.

  31. ROLES AND RESPONSIBILITY OF IT AUDITORS
  (f) The detailed knowledge of IT practitioners, of both technologies and products, is greater than the comparable knowledge of an average IT auditor.
  (g) Organizations are less hierarchical, and the approach to internal controls and accountability has changed.
  (h) The Chief Information Officer (CIO) needs to be a business manager as much as she/he needs to be technically knowledgeable.
  (i) The CIO now needs to manage outsourcers, a very different game from managing an in-house service.

  32. ROLES AND RESPONSIBILITY OF IT AUDITORS The focus of IT audits today depends on the governance of IT and process maturity in an organization. The ideal focus should be on only those aspects of IT that are important to the organization. The technical IT auditor executes audit processes at the technical systems level but may or may not be capable of functioning at level two because of the broad business perspective required. To illustrate, this is the auditor who would conduct the firewall review and provide assurance to the auditor in charge that scope and conduct of the technical audit steps were appropriate and adequate.

  33. An Information System Audit:
  • "Any audit that encompasses review and evaluation of automated information processing, related non-automated processes and the interfaces between them."
  Classification of Audits:
  • Financial audit
  • Operational audit
  • Integrated audit
  • Administrative audit
  • Information system audit
  • Special audit (third party, and forensic: frauds and crimes)

  34. Audit Procedures:
  • Understanding of the audit area/subject
  • Risk assessment
  • Detailed audit planning
  • Preliminary review of the audit area/subject
  • Evaluating the audit area/subject
  • Compliance testing (often tests of controls)
  • Substantive testing
  • Reporting
  • Follow-up

  35. Audit Risk: the risk that the information/financial report may contain a material error that goes undetected during the course of the audit.
  Categories of audit risk:
  • Inherent risk
  • Control risk
  • Detection risk
  • Overall audit risk

  36. Risk Assessment Techniques: these techniques may be computerized or non-computerized, and may use scoring or judgment based upon business knowledge, executive management directives, historical perspective, business goals and environmental factors.
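The scoring approach named above, applied to the risk elements of slide 18 (threat, impact, frequency) and to the short-term/long-term split of slide 17, as an added example that is not part of the original slides. The register entries, the severity formula (impact times annual frequency, following the slide's statement that severity is proportional to the business value of the loss and to the frequency of the threat), the audit-day budget and the rule that areas which do not fit this year's budget roll into the long-term plan are all assumptions made for the example.

```python
"""Risk scoring for audit planning: an added example, not part of the original
slides. It applies the slide's risk elements (threat, impact, frequency) and
the statement that severity is proportional to the business value of the loss
and to the estimated frequency of the threat. The register entries, the
severity formula, the audit-day budget and the roll-over rule are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    audit_area: str   # IT area or audit subject
    threat: str       # the threat that could exploit the area's vulnerabilities
    impact: float     # business value of the loss or damage (currency units)
    frequency: float  # estimated occurrences of the threat per year

    def severity(self) -> float:
        """Severity taken as impact x frequency (an annualised expected loss)."""
        return self.impact * self.frequency


# Constructed sample risk register (not real data)
RISK_REGISTER = [
    RiskEntry("Payment application", "Unauthorised transaction", 250_000.0, 0.5),
    RiskEntry("Backup and recovery", "Unrecoverable data loss", 1_000_000.0, 0.05),
    RiskEntry("User access management", "Orphaned privileged accounts", 40_000.0, 4.0),
    RiskEntry("Change control", "Untested change breaks production", 30_000.0, 2.0),
    RiskEntry("Physical access", "Unauthorised server room entry", 20_000.0, 0.2),
]


def rank_audit_areas(register):
    """Return (area, severity) pairs from highest to lowest severity;
    ties are broken alphabetically so the ranking is deterministic."""
    scored = [(entry.audit_area, entry.severity()) for entry in register]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def plan_audit_cycle(register, annual_budget_days, days_per_audit=10):
    """Split the ranked areas into this year's (short-term) plan, filled in
    severity order until the day budget is exhausted, and a long-term list
    of the areas that remain."""
    short_term, long_term = [], []
    remaining = annual_budget_days
    for area, _severity in rank_audit_areas(register):
        if remaining >= days_per_audit:
            short_term.append(area)
            remaining -= days_per_audit
        else:
            long_term.append(area)
    return short_term, long_term


if __name__ == "__main__":
    for area, severity in rank_audit_areas(RISK_REGISTER):
        print(f"{area:<26} severity={severity:>12,.0f}")
    print(plan_audit_cycle(RISK_REGISTER, annual_budget_days=30))
```

With the constructed register, user access management ranks first (a low-value loss that recurs often) ahead of the payment application, and the high-value but rare backup failure drops into the long-term plan; the point of scoring is exactly that frequency and impact are weighed together rather than by gut feel about either alone.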

  37. Compliance Testing: a compliance test determines whether controls are being applied in a manner that complies with management policies and procedures. Substantive Testing: a substantive test substantiates the integrity of actual processing.

  38. Evidence: evidence is any information used by the auditors to determine whether the entity or data being audited follows the established audit criteria or objectives. Evidence should be sufficient, relevant and competent.
  Reliability of evidence depends on:
  • Independence of the provider
  • Qualification of the provider
  • Objectivity of the evidence
  • Timing of the evidence

  39. Evidence Gathering Techniques:
  • Reviewing IS organization structures
  • Reviewing IS policies
  • Reviewing IS standards
  • Reviewing IS documentation
  • Interviewing appropriate personnel
  • Observing processes and employee performance

  40. Computer Assisted Audit Techniques (CAATs): generalized audit software, utility software, test data, application software tracing and mapping, and expert systems. These tools can be used for:
  • Tests of details of transactions and balances
  • Analytical review procedures
  • Compliance tests of IS general controls
  • Compliance tests of application controls
  • Penetration and OS vulnerability testing
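A small CAAT of the generalized-audit-software kind, written as an added example (not code from the original slides) to show the distinction slide 37 draws between a compliance test and a substantive test, and the "tests of details of transactions and balances" and "analytical review" uses listed above. The transaction file, the ledger balances, the field names (`id`, `vendor`, `amount`, `entered_by`, `approved_by`) and the approval policy are all constructed assumptions.

```python
"""A small computer-assisted audit technique (CAAT) run over a transaction
file: an added example, not code from the original slides. It contrasts a
compliance test (is the control applied as policy requires?) with a
substantive test (is the actual processing correct?), plus an analytical
review for duplicates. The transactions, the ledger balances, the field names
and the approval policy are all constructed assumptions."""
from collections import Counter

# Assumed policy: payments above this amount need an approver other than the preparer.
APPROVAL_THRESHOLD = 10_000.00

# Constructed sample transaction detail file (not real data)
TRANSACTIONS = [
    {"id": "T001", "vendor": "ACME", "amount": 4_500.00, "entered_by": "alice", "approved_by": "bob"},
    {"id": "T002", "vendor": "ACME", "amount": 12_000.00, "entered_by": "alice", "approved_by": None},
    {"id": "T003", "vendor": "Globex", "amount": 15_250.00, "entered_by": "carol", "approved_by": "carol"},
    {"id": "T004", "vendor": "Initech", "amount": 800.00, "entered_by": "dave", "approved_by": "bob"},
    {"id": "T005", "vendor": "ACME", "amount": 4_500.00, "entered_by": "alice", "approved_by": "bob"},
]

# Constructed vendor balances as shown in the general ledger
LEDGER_BALANCES = {"ACME": 16_500.00, "Globex": 15_250.00, "Initech": 800.00}


def compliance_test(transactions, threshold=APPROVAL_THRESHOLD):
    """Compliance test of an application control: every transaction above the
    threshold must carry an approver who is not the person who entered it.
    Returns the ids of transactions for which the control did not operate."""
    exceptions = []
    for t in transactions:
        if t["amount"] > threshold:
            approver = t["approved_by"]
            if not approver or approver == t["entered_by"]:
                exceptions.append(t["id"])
    return exceptions


def substantive_test(transactions, ledger):
    """Substantive test of processing integrity: recompute each vendor's
    balance from the detail records and report any vendor whose ledger balance
    differs (detail minus ledger, rounded to cents)."""
    recomputed = Counter()
    for t in transactions:
        recomputed[t["vendor"]] += t["amount"]
    differences = {}
    for vendor in sorted(set(ledger) | set(recomputed)):
        diff = round(recomputed.get(vendor, 0.0) - ledger.get(vendor, 0.0), 2)
        if diff != 0:
            differences[vendor] = diff
    return differences


def _dup_key(t):
    return (t["vendor"], t["amount"], t["entered_by"])


def duplicate_test(transactions):
    """Analytical review: flag records sharing vendor, amount and preparer,
    a common symptom of a payment processed twice."""
    seen = Counter(_dup_key(t) for t in transactions)
    return sorted(t["id"] for t in transactions if seen[_dup_key(t)] > 1)


if __name__ == "__main__":
    print("control exceptions:", compliance_test(TRANSACTIONS))
    print("ledger differences:", substantive_test(TRANSACTIONS, LEDGER_BALANCES))
    print("possible duplicates:", duplicate_test(TRANSACTIONS))
```

On the constructed data the compliance test reports T002 (no approver) and T003 (self-approved), the substantive test finds the ACME ledger balance 4,500 short of the detail records, and the duplicate review pairs T001 with T005; the three findings are independent, which is why the slides list compliance and substantive tests as separate procedures rather than one check.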

  41. CAATs Advantages:
  • Reduced level of audit risk
  • Greater independence from the auditee
  • Broader and more consistent audit coverage
  • Faster availability of information
  • Improved exception identification
  • Greater flexibility of run times
  • Greater opportunity to quantify internal control weaknesses
  • Enhanced sampling
  • Cost savings over time

  42. Internal Control: policies, procedures, practices and organizational structures put into place to reduce risks.
  • Control classification: preventive, detective, corrective

  43. Internal Control Objectives are statements of the desired result or purpose to be achieved by implementing control procedures in a particular activity.
  • Internal accounting controls
  • Operational controls
  • Administrative controls

  44. Internal Control Objectives include:
  • Safeguarding of information technology assets
  • Compliance with corporate policies or legal requirements
  • Authorization/input
  • Accuracy and completeness of processing of transactions
  • Output
  • Reliability of process
  • Backup/recovery
  • Efficiency and economy of operation

  45. IS Control Objectives include:
  • Safeguarding assets
  • Integrity of general operations
  • Integrity of sensitive and critical application systems through: authorization, accuracy, reliability, completeness and security of output
  • Database integrity
  • Efficiency and effectiveness
  • Compliance
  • Continuity and disaster recovery plan
  • Incident response and handling plan

  46. IS Systems Control Procedures include:
  • Strategy and direction
  • General organization and management
  • Access to data and programs
  • System development methodologies and change control
  • Data processing operations
  • Systems programming and technical support functions
  • Data processing and quality assurance procedures
  • Physical access controls
  • Business continuity/disaster recovery planning
  • Networks and communications
  • Data administration

  47. Evaluation of Strengths and Weaknesses of Audit:
  • Judgment
  • Control matrix (ranking): columns are known types of errors, rows are known controls
  • Compensating/overlapping controls
  • Totality of controls
  • Supporting evidence
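The control matrix described above (rows: known controls; columns: known types of errors), built and evaluated in code as an added example that is not part of the original slides. It rates each error type by the totality of controls covering it: none (a weakness to report), a single control, or two or more compensating/overlapping controls, and tags each control with the preventive/detective/corrective classification of slide 42. The controls, their classifications and the error types are constructed assumptions.

```python
"""Control matrix evaluation: an added example, not code from the original
slides. Rows are known controls, columns are known types of errors; the
evaluation finds error types with no control (weaknesses) and those covered
by compensating or overlapping controls. All controls, classifications and
error types below are constructed assumptions."""

# Columns of the matrix: known types of errors (constructed)
ERROR_TYPES = [
    "unauthorised change",
    "duplicate payment",
    "data loss",
    "unauthorised access",
    "unrecorded transaction",
]

# Rows of the matrix: known controls, each with its classification
# (preventive / detective / corrective) and the error types it addresses (constructed)
CONTROLS = {
    "Change approval board":            ("preventive", {"unauthorised change"}),
    "Post-implementation review":       ("detective",  {"unauthorised change"}),
    "Three-way match on invoices":      ("preventive", {"duplicate payment"}),
    "Daily backup":                     ("corrective", {"data loss"}),
    "Quarterly access recertification": ("detective",  {"unauthorised access"}),
}


def coverage(controls, error_types):
    """Map each error type to the sorted names of the controls addressing it."""
    return {
        error: sorted(name for name, (_kind, errors) in controls.items() if error in errors)
        for error in error_types
    }


def rate_controls(controls, error_types):
    """Rate the totality of controls over each error type."""
    ratings = {}
    for error, names in coverage(controls, error_types).items():
        if not names:
            ratings[error] = "weakness: no control"
        elif len(names) >= 2:
            kinds = "+".join(sorted(controls[n][0] for n in names))
            ratings[error] = f"compensating/overlapping controls ({kinds})"
        else:
            ratings[error] = f"single {controls[names[0]][0]} control"
    return ratings


def weaknesses(controls, error_types):
    """Error types with no control at all: the findings to report first."""
    return [e for e, names in coverage(controls, error_types).items() if not names]


def render_matrix(controls, error_types):
    """Plain-text matrix with an X where a control addresses an error type."""
    width = max(len(name) for name in controls)
    rows = [" " * width + " | " + " | ".join(error_types)]
    for name, (_kind, errors) in controls.items():
        cells = [("X" if e in errors else " ").center(len(e)) for e in error_types]
        rows.append(name.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_matrix(CONTROLS, ERROR_TYPES))
    for error, rating in rate_controls(CONTROLS, ERROR_TYPES).items():
        print(f"{error:<24} {rating}")
```

With the constructed rows, "unauthorised change" is the only column with overlapping controls (a preventive approval plus a detective review), "data loss" rests on a single corrective control, and "unrecorded transaction" has no row at all, which is the weakness the evaluation surfaces before any judgment about the strength of the individual controls is applied.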

  48. Communicating Audit Results: Constraints on the conduct of the audit:
