IT is Auditing

7/29/2019 IT is Auditing

CISB424 Information Systems Audit, Semester 2, Year 2011/2012

Introduction to IT/IS Auditing

IT Governance

- The process for controlling an organization's IT resources, including information and communication systems, and technology.
- Using IT to promote an organization's objectives and enable business processes, and to manage and control IT-related risks.

IT Governance General Controls

- The concept is relatively new.
- Ensuring that effective IT management and security principles, policies and processes, with appropriate compliance measurement tools, are in place.
- Requires an active audit committee.

CobiT's IT Governance Management Guideline

- Identifies critical success factors, key goal and performance indicators, and an IT governance maturity model.
- The IT governance framework begins with setting IT objectives and measures, and compares performance against them.

IT General and Application Controls Hierarchy

Figure: the hierarchy of control layers, listed from top to bottom:
- Policies
- IT Standards
- Management and Organization
- Physical and Environmental Controls
- Systems Software Controls
- Systems Development Controls
- Application-based controls

The figure groups these layers into three levels: Governance, Management, Technical.

Audit

Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

IT/IS Audit

The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, achieves organisational goals effectively and consumes resources effectively. [1]

[1] Ron Weber

Objectives of IT/IS Audit

Figure: IT/IS Audit leads to
- Safeguarding of Assets
- Improved Data Integrity
- Improved System Effectiveness
- Improved System Efficiency

Source: Ron Weber

Elements of IT/IS Audit

1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity

Internal vs External

- The audit function can be performed internally or externally.
- Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and help ensure conformance with managerial policies.
- External audit is an audit conducted by an individual or a firm that is independent of the company being audited.

Internal Audit Reporting Structure

Figure (organization chart): the Board Audit Committee and the CEO at the top; the Head of Audit Dept reports to them; below the Head of Audit Dept are the Head of Non-IT Audit (with the Non-IT Audit Team Members) and the Head of IT Audit (with the IT Audit Team Members).

Roles of IT Audit Team

Figure: layers under review, listed from top to bottom: Entity-Level Controls, Physical Facility, Network Intra, Operating System, Middleware, Database, Application. Roles shown against these layers: IT Auditor, Information Systems Auditor, Support for Financial Auditors, Financial Auditor.

Source: Chris Davis et al.

Financial vs IT Audits

Financial audit
- Official examination of accounts to see that they are in order.

IT audit
- A review of the controls within an entity's technology infrastructure (Wikipedia, http://www.wikipedia.org/).
- Official examination of IT-related processes to see that they are in order.

Problems
- Financial Audit: GAAP
- IT Audit: ??

Financial vs IT Audits (continued)

- IT auditors may work on financial audit engagements.
- IT auditors may work on every step of the financial audit engagement.
- Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements.
- IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important.

Auditing Standards

Auditors are guided in their professional responsibility by the generally accepted auditing standards (GAAS).

Generally Accepted Auditing Standards

General Standards
- The auditor must have adequate technical training and proficiency to perform the audit.
- The auditor must maintain independence in mental attitude in all matters related to the audit.
- The auditor must use due professional care during the performance of the audit and the preparation of the report.

Standards of Field Work
- Audit work must be adequately planned.
- The auditor must gain a sufficient understanding of the internal control structure.
- The auditor must obtain sufficient, competent evidence.

Standards of Reporting
- The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles.
- The report must identify those circumstances in which generally accepted accounting principles were not applied.
- The report must identify any items that do not have adequate informative disclosures.
- The report shall contain an expression of the auditor's opinion on the financial statements as a whole.

What is an IT Auditor?

- Is called an internal audit specialist, IT or IS auditor.
- May serve as a member of a consulting organization.
- Generally a member of an enterprise internal audit organization.
- A specialist who follows the standards and principles of the IIA, and often ISACA as well.

Roles and Responsibilities

- Ensures IT governance by assessing risks and monitoring controls over those risks.
- Works as either an internal or an external auditor.
- Works on many kinds of audit engagements.
- Reviews and assesses enterprise management controls.
- Reviews and performs tests of enterprise internal controls.
- Reports to management.

Job Tasks and Responsibilities

- Designs technology-based audit approaches; analyzes and evaluates enterprise IT processes.
- Works independently or in a team to review enterprise IT controls.
- Examines the effectiveness of information security policies and procedures.
- Develops and presents training workshops for audit staff.
- Conducts and oversees investigations of inappropriate computer use.
- Performs special projects and other duties as assigned.

Knowledge, Skills, Abilities

- Knowledge of auditing, IS and network security
- Investigation and process flow analysis skills
- Interpersonal/human relations skills
- Verbal and written communication skills
- Ability to exercise good judgment
- Ability to maintain confidentiality
- Ability to use IT desktop office tools, vulnerability analysis tools, and other IT tools

Minimum Qualifications

- Bachelor's degree in Computer Science, computer programming or accounting
- Certified Information Systems Auditor (CISA) credential, or CISA candidate
- Certified Internal Auditor credential preferred

Figure 1.2: The Role of IT Auditors in the Financial Audit Process

Flowchart steps (the figure itself is not reproduced):
- Develop an understanding and perform preliminary audit work
- Evaluate the internal control system
- Determine degree of reliance on internal controls
- Develop audit plan
- Perform substantive testing
- Review work and issue audit report
- Conduct follow-up work

Professional Groups and Certifications: Alphabet Soup

- ISACA: CISA (the largest professional organization of IT auditors)
- IIA: CIA
- ACFE: CFE
- AICPA: CPA and CITP

http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/How-to-Become-Certified/Pages/default.aspx

Certified Information Systems Auditor (CISA) Credentials

- The prime professional credential for IT auditors.
- More focused on IT audit.
- Open to all individuals who have an interest and skills in information system audit, control and security.
- The examination is four hours in duration and consists of 200 multiple-choice questions.
- The test is offered each year in June and December at numerous worldwide locations.
- Candidates must have a minimum of five years of professional information system auditing, internal control or security-related work experience.

CISA Examination Content Areas

- The IS audit process (10%)
- IT Governance (15%)
- Systems and Infrastructure Life Cycle (16%)
- IT Service Delivery and Support (14%)
- Protection of Information Assets (31%)
- Business Continuity and Disaster Recovery (14%)

Effects of Computers on Internal Controls

- Separation of duties
- Delegation of authority and responsibility
- Competent and trustworthy personnel
- System of authorizations
- Adequate documents and records
- Physical control over assets and records
- Adequate management supervision
- Independent checks on performance
- Comparing recorded accountability with assets

Effects of Computers on Auditing

- Changes to evidence collection
- Changes to evidence evaluation

Effective IT Audit

- Early involvement
- Informal audits
- Knowledge sharing
- Self-assessments

Questions to Ponder

1. Explain how information systems are used in an enterprise.