8/3/2019 Day 3-Pres 1-IT Audit Within Financial Institutions-Tyrell
1/38
IT Audit Within Financial Institutions
Kirk Tyrell, CISA
Assistant Director, Financial Institutions Supervisory Division
Bank of Jamaica
www.boj.org.jm
CARTAC & Caribbean Group of Banking Supervisors
IT Workshop for Regional Bank Examiners
June 23-25, 2009
Georgetown, Guyana
Objectives
- Outline the characteristics of an effective IT audit function
- Provide a foundation from which examiners can assess the quality and effectiveness of an institution's IT audit programme
Philosophy
"A strong internal auditing function combined with a well-planned external audit function substantially increases the probability that financial institutions will detect potentially serious technology-related problems."
(Holistic Approach to IT Auditing, 2008, Kaya Kazmici)
Definition of IT Audit Function
The objective of IT audit and risk assessment is to review a financial institution's IT management and operations to ensure the accuracy and reliability of its information systems, as well as their alignment with the institution's business objectives, which ultimately contributes to the institution's safety and soundness.
IT Audit Foundation
The IT audit function should be established:
- for internal audit, by an audit charter, which may also cover other audit functions
- for the external auditing function, by an engagement letter
IT Audit Function Requirements
An effective IT audit function should:
- Identify areas of greatest IT risk exposure
- Promote the confidentiality, integrity, and availability of information systems
- Determine the effectiveness of management's planning and oversight of IT activities
- Evaluate the adequacy of operating processes and internal controls
- Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures
- Require appropriate corrective action to address deficient internal controls
- Follow up to ensure management promptly and effectively implements the required actions
Key Audit Programme Areas
- The structure of the internal audit function, whether internally resourced or outsourced
- The scope, authority, role, independence, and staffing of internal IT audit
- The role of external audit from both a policy and an engagement position
- Risk assessment and risk-based auditing methodology
- Audit participation in application acquisition, development, and testing
Unraveling the IT Audit Universe: Steps
1. Identify mission-critical business cycles.
2. Identify applications supporting those cycles.
3. Identify technology and infrastructure components.
4. Identify the IT process universe.
5. Identify and assess risk.

The slide diagram layers the universe as follows (reconstructed from the diagram text):
Division/Business line        : Financial Accounting (financial statement accounts)
Business cycles               : Revenue, Expenditures, etc.
Applications                  : Core banking apps (ICBS, BM+, etc.); various other systems (GL, e-Banking, etc.)
IT infrastructure & processes : Hardware/OS (Windows); Hardware/OS (others: Unix, AS/400); Networks
Every layer feeds the final step: understanding and assessing risk.
IT Audit Risk Universe
IT Audit Basic Elements
IT Audit Roles & Responsibilities
Independence and Staffing
Internal IT audit and the internal audit programme
IT Audit Roles and Responsibilities
The Board and Senior Management:
- Have overall responsibility for the effectiveness of the audit function
- May establish an audit committee to oversee audits and report to the full board
- Provide the audit function with resources
- Ensure that written guidelines for conducting IT audits exist
- Ensure that the internal audit function is headed by a member of management who is independent of operations and reports to the Board

Audit management:
- Implements board-approved audit directives
- Ensures that audit staff are competent, independent, experienced, educated and skilled
- Establishes clear lines of authority and reporting responsibilities
- Reviews and approves audit strategies (including policies and programmes) and monitors the effectiveness of the audit function

The internal audit staff:
- Assess the controls, reliability and integrity of the IT environment
- Evaluate IT plans, strategies, policies and procedures
- Independently and objectively evaluate technological activities

Business line management:
- Promptly and effectively responds to IT audit findings and recommendations

External auditors:
- Review the general and application controls
- Make recommendations to management about procedures that affect IT controls
- Review the IT control procedures as part of an outsourcing arrangement
Independence and Staffing
- Independence of audit staff from operations management
- Skill level requirements and the size or source of the IT audit staff must be commensurate with the size, complexity, scope and sophistication of the institution's IT environment
Internal Audit programme
Outlines guidelines for developing and maintaining a formal internal audit programme, including IT audits. The programme should contain:
1. A mission statement
2. A risk assessment
3. An audit plan
4. An audit cycle
5. An audit work programme
6. Delivery of a written audit report
7. Requirements for audit work paper documentation
8. A follow-up process
9. A professional development programme

All financial institutions are encouraged to implement risk-based IT audit procedures based on a formal risk assessment methodology to determine the appropriate frequency and extent of work.
Risk Assessment & Risk-Based Auditing
A preferred framework, which includes performing an IT risk assessment and developing risk-based audit plans.
The plan should include processes for:
- Identifying institutional resources and business activities
- Ranking risks for significant business units and products
- Developing and implementing risk-based audit plans
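The five steps of unraveling the audit universe and the risk-based plan described above, carried through in code as an added example (this is not from the presentation and is not any institution's actual methodology). The business cycles, applications, infrastructure components, factor weights, score bands and audit intervals are all assumptions chosen to illustrate the mechanics; an institution would take them from its own formal risk assessment methodology.

```python
"""Risk-based IT audit universe and audit plan.

Added example, not from the presentation: walks the five steps on the
slide (business cycles -> applications -> infrastructure -> risk
assessment) and turns the result into a risk-based audit plan with an
audit frequency per entity. The sample entities, factor weights, score
bands and audit intervals are illustrative assumptions.
"""
from dataclasses import dataclass

# Step 1: mission-critical business cycles, rated 1 (peripheral) .. 5 (critical).
# Constructed sample data, not from any real institution.
CYCLES = {
    "Deposits & payments": 5,
    "Lending": 5,
    "Financial reporting": 4,
    "Marketing": 2,
}


@dataclass(frozen=True)
class Auditable:
    """An application (step 2) or a technology/infrastructure component (step 3)."""
    name: str
    layer: str                 # "application" or "infrastructure"
    supports: tuple            # cycles an application serves, or applications a component hosts
    data_sensitivity: int      # inherent-risk factors, each on an assumed 1..5 scale
    change_volume: int
    external_exposure: int
    control_weakness: int      # 1 = strong, recently tested controls .. 5 = weak or untested
    months_since_audit: int    # elapsed time since this entity was last audited


UNIVERSE = (
    Auditable("Core banking (ICBS)", "application", ("Deposits & payments", "Lending"), 5, 4, 3, 2, 14),
    Auditable("e-Banking portal", "application", ("Deposits & payments",), 5, 4, 5, 3, 8),
    Auditable("General ledger", "application", ("Financial reporting",), 4, 2, 1, 3, 20),
    Auditable("CRM / campaign tool", "application", ("Marketing",), 2, 3, 2, 4, 40),
    Auditable("AS/400 (core banking host)", "infrastructure", ("Core banking (ICBS)",), 5, 1, 1, 1, 30),
    Auditable("DMZ web tier (Windows)", "infrastructure", ("e-Banking portal",), 3, 3, 5, 3, 10),
    Auditable("Core network (LAN/WAN)", "infrastructure",
              ("Core banking (ICBS)", "e-Banking portal", "General ledger", "CRM / campaign tool"),
              2, 2, 2, 1, 26),
)

# Assumed weights for the inherent-risk factors (they sum to 1.0).
WEIGHTS = {"data_sensitivity": 0.3, "change_volume": 0.2,
           "external_exposure": 0.2, "control_weakness": 0.3}
# Assumed score bands: (minimum score, rating, maximum months between audits).
BANDS = ((3.5, "High", 12), (2.0, "Medium", 24), (0.0, "Low", 36))


def inherent_risk(entity):
    """Weighted inherent-risk score on the 1..5 scale."""
    return sum(getattr(entity, factor) * weight for factor, weight in WEIGHTS.items())


def criticality(name, index):
    """Highest criticality of any business cycle the entity ultimately supports.

    Follows the supports chain until a business cycle is reached, so an
    infrastructure component inherits the criticality of the applications it hosts.
    """
    if name in CYCLES:
        return CYCLES[name]
    if name not in index:
        raise ValueError(f"{name!r} is neither a business cycle nor an auditable entity")
    return max(criticality(dep, index) for dep in index[name].supports)


def rate(entity, index):
    """Return (score, rating, audit interval in months, floored?) for one entity."""
    crit = criticality(entity.name, index)
    score = round(inherent_risk(entity) * crit / 5, 2)   # scale inherent risk by business criticality
    floored = False
    # Anchor rule: anything that underpins a criticality-5 cycle is never rated Low,
    # however benign its own factors look, so it cannot drop out of the audit cycle.
    medium_floor = BANDS[1][0]
    if crit == 5 and score < medium_floor:
        score, floored = medium_floor, True
    for minimum, rating, months in BANDS:
        if score >= minimum:
            return score, rating, months, floored
    raise AssertionError("BANDS must end with a 0.0 minimum")


def build_plan(universe=UNIVERSE):
    """Step 5: score every entity and return the plan, highest risk first."""
    index = {e.name: e for e in universe}
    plan = []
    for e in universe:
        score, rating, months, floored = rate(e, index)
        plan.append({"name": e.name, "layer": e.layer, "score": score, "rating": rating,
                     "interval_months": months, "floored": floored,
                     "overdue": e.months_since_audit > months})
    return sorted(plan, key=lambda row: (-row["score"], row["name"]))


if __name__ == "__main__":
    for row in build_plan():
        flags = ("OVERDUE" if row["overdue"] else "") + (" floored" if row["floored"] else "")
        print(f'{row["score"]:>5} {row["rating"]:<6} every {row["interval_months"]:>2} months  '
              f'{row["name"]:<28} {flags}')
```

Two design points are worth noting. Criticality is inherited upward through the dependency chain, so the core network, whose own factors look harmless, is scored against the mission-critical cycles that ride on it and is held at Medium by the floor rule rather than slipping to a 36-month cycle. The overdue flag compares elapsed time against the interval the current score implies, which is what turns the risk assessment into the frequency-of-work decision the slides call for.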
Audit and Major IT Projects
- Senior management should include IT audit in major application development, acquisition, conversion, and testing projects.
- Review of new application controls should begin as early as the design phase.
- To preserve its independence, audit's involvement should be limited to monitoring, reporting, and escalation processes; audit may conduct post-implementation reviews, or establish test criteria and evaluate the results.
- Importantly, for acquisition projects with significant IT impacts, participation of IT audit may be necessary early in the due diligence stage.
Outsourcing Internal IT Audit
The board of directors should ensure that the structure, scope, and management of the outsourcing arrangement provide for an adequate evaluation of the system of internal controls.

Who may perform these services:
- Independent public accounting firms
- Other outside professionals

Such arrangements are often called:
- internal audit outsourcing
- internal audit assistance
- audit co-sourcing
- extended audit services

Key features of the relationship:
- Independence of the audit provider
- Clear definition of responsibilities
- The Internal Audit Manager or staff is responsible for overseeing the relationship and reporting
- Ongoing due diligence of the audit provider
- Consideration of current and anticipated business risks
Computer-Based Auditing
Computer-based auditing is essentially using technology to perform audits.
Today's business landscape makes it obvious that old, manual audit techniques will only achieve mediocre results and leave a high risk that material misstatements go undetected.
There has been a welcome realisation over the past two years that effective auditing is good business.
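The computer-based auditing the slide refers to, shown as an added example that is not part of the presentation: a handful of automated exception tests run over an entire payments journal instead of a manually selected sample. The journal is constructed for the example (fictitious payees and users); the dual-approval threshold, the business-hours window and the seven-day duplicate window are assumptions an auditor would replace with the institution's own policy values.

```python
"""Computer-assisted audit tests over a full payments journal.

Added example, not from the presentation: a small set of automated
exception tests of the kind computer-based auditing makes possible,
run against the whole transaction population rather than a hand-picked
sample. The journal below is constructed for the example; the approval
threshold, business-hours window and duplicate window are assumptions
an auditor would take from the institution's own policies.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal
from io import StringIO

# Constructed sample payments journal (fictitious payees and users).
JOURNAL_CSV = """\
txn_id,posted_at,payee,amount,entered_by,approved_by
1001,2009-06-22 09:14,Acme Supplies Ltd,1250.00,jdoe,msmith
1002,2009-06-22 09:40,Kingston Office Services,480.50,jdoe,msmith
1003,2009-06-22 14:05,Acme Supplies Ltd,1250.00,jdoe,msmith
1005,2009-06-23 10:30,Caribbean Power Co,9950.00,pbrown,pbrown
1006,2009-06-23 23:47,Island Tech Ltd,3200.00,msmith,jdoe
1007,2009-06-24 11:10,Caribbean Power Co,9980.00,pbrown,kwong
1008,2009-06-24 11:12,Acme Supplies Ltd,75.25,jdoe,msmith
1009,2009-06-27 10:02,Island Tech Ltd,410.00,kwong,msmith
"""

APPROVAL_THRESHOLD = Decimal("10000.00")  # assumed limit above which a second approver is required
BUSINESS_HOURS = (7, 19)                  # assumed posting window: 07:00-19:00, Monday to Friday


def load_journal(text=JOURNAL_CSV):
    """Parse the CSV export into typed rows, ordered by transaction id."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "txn_id": int(r["txn_id"]),
            "posted_at": datetime.strptime(r["posted_at"], "%Y-%m-%d %H:%M"),
            "payee": r["payee"].strip(),
            "amount": Decimal(r["amount"]),       # Decimal, never float, for money
            "entered_by": r["entered_by"].strip(),
            "approved_by": r["approved_by"].strip(),
        })
    return sorted(rows, key=lambda r: r["txn_id"])


def duplicate_payments(rows, window_days=7):
    """Same payee and amount within window_days: candidate double payments."""
    seen = defaultdict(list)
    hits = []
    for r in rows:
        key = (r["payee"].casefold(), r["amount"])
        for earlier in seen[key]:
            if r["posted_at"] - earlier["posted_at"] <= timedelta(days=window_days):
                hits.append((earlier["txn_id"], r["txn_id"]))
        seen[key].append(r)
    return hits


def sequence_gaps(rows):
    """Missing transaction ids: deleted or suppressed entries in a supposedly unbroken sequence."""
    ids = {r["txn_id"] for r in rows}
    if not ids:
        return []
    return [n for n in range(min(ids), max(ids) + 1) if n not in ids]


def sod_conflicts(rows):
    """Segregation of duties: the same user both entered and approved the payment."""
    return [r["txn_id"] for r in rows if r["entered_by"] == r["approved_by"]]


def off_hours_postings(rows, hours=BUSINESS_HOURS):
    """Postings on weekends or outside the business-hours window."""
    start, end = hours
    return [r["txn_id"] for r in rows
            if r["posted_at"].weekday() >= 5 or not (start <= r["posted_at"].hour < end)]


def just_below_threshold(rows, threshold=APPROVAL_THRESHOLD, margin=Decimal("0.02")):
    """Amounts within `margin` below the approval limit: possible splitting to dodge dual approval."""
    lower = threshold * (1 - margin)
    return [r["txn_id"] for r in rows if lower <= r["amount"] < threshold]


def run_all(rows=None):
    """Run every test over the population and return the exceptions keyed by test name."""
    if rows is None:
        rows = load_journal()
    return {
        "duplicate_payments": duplicate_payments(rows),
        "sequence_gaps": sequence_gaps(rows),
        "sod_conflicts": sod_conflicts(rows),
        "off_hours_postings": off_hours_postings(rows),
        "just_below_threshold": just_below_threshold(rows),
    }


if __name__ == "__main__":
    for test, exceptions in run_all().items():
        print(f"{test:<22} {len(exceptions):>2} exception(s): {exceptions}")
```

Each test returns transaction ids rather than printing them, so the same functions can be pointed at a real export and their output fed into work papers. The point of the example is the one the slide makes: a manual sample of a dozen vouchers would have little chance of catching the id gap at 1004 or the two Caribbean Power payments sitting just under the dual-approval limit, while a full-population test finds them in one pass.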
Examiners' Responsibilities
- Evaluating the effectiveness of the IT audit function
- Considering the institution's ability to promptly detect and report significant risks
- Taking into account the institution's size, complexity, and overall risk profile when performing evaluations

In evaluating the IT audit function, examiners consider:
- Independence of the audit function and its reporting relationship
- Expertise and size of the audit staff
- Identification of the IT audit universe, risk assessment, scope, and frequency
- Timely tracking and resolution of reported weaknesses
- Documentation of IT audits (e.g. work papers, audit reports, and follow-up)
Lessons Learnt
- An effective IT audit function may reduce the time examiners spend reviewing IT areas during examinations
- The audit programme should also consist of both a full-time internal audit unit and a well-planned external auditing programme
- An outsourced audit provider must report to the Audit Manager, not directly to the audit committee
Questions
Additional Resources
- ISACA Downloads (www.isaca.org/downloads)
- COBIT (www.isaca.org/cobit)
- COBIT Mappings (www.isaca.org/cobit)
- IT Control Objectives for Sarbanes-Oxley (www.isaca.org)
- Integrating COBIT into IT Audit Planning, Fieldwork, and Reporting
- Holistic Approach to IT Auditing
- ISO (www.iso.org)
- ANSI (www.ansi.org)