7/29/2019 IT is Auditing
1/28
CISB424 Information Systems Audit, Semester 2 Year 2011/2012
Introduction to IT/IS Auditing
IT Governance
- The process for controlling an organization's IT resources, including information and communication systems, and technology.
- Using IT to promote an organization's objectives, to enable business processes, and to manage and control IT-related risks.
IT Governance General Controls
- The concept is relatively new.
- Ensuring that effective IT management and security principles, policies and processes, with appropriate compliance measurement tools, are in place.
- Requires an active audit committee.
CobiT's IT Governance Management Guideline
- Identifies critical success factors, key goal and performance indicators, and an IT governance maturity model.
- The IT governance framework begins with setting IT objectives and measures, and then compares performance against them.
IT General and Application Controls Hierarchy
[Figure: layered hierarchy of controls, listed from top to bottom: Policies; IT Standards; Management and Organization; Physical and Environmental Controls; Systems Software Controls; Systems Development Controls; Application-based Controls. The layers are grouped into three tiers: Governance, Management and Technical.]
Audit
Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
IT/IS Audit
The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, achieves organisational goals effectively and consumes resources effectively. [1]
[1] Ron Weber
Objectives of IT/IS Audit
[Figure: IT/IS Audit at the centre, with four objectives branching from it]
- Safeguarding of Assets
- Improved Data Integrity
- Improved System Effectiveness
- Improved System Efficiency
Source: Ron Weber
Elements of IT/IS Audit
1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity
Internal vs External
The audit function can be performed internally or externally.
- Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and to help ensure conformance with managerial policies.
- External audit is an audit conducted by an individual or a firm that is independent of the company being audited.
Internal Audit Reporting Structure
[Figure: organization chart, listed from the top level down]
- Board Audit Committee; CEO
- Head of Audit Dept
- Head of Non-IT Audit; Head of IT Audit
- Non-IT Audit Team Members; IT Audit Team Members
Roles of IT Audit Team
[Figure: layers of the audited environment, from top to bottom: Entity-Level Controls; Physical Facility; Network Intra; Operating System; Middleware; Database; Application. Roles shown against these layers: IT Auditor; Information Systems Auditor; Support for Financial Auditors; Financial Auditor.]
Source: Chris Davis et al.
Financial vs IT Audits
Financial audit
- Official examination of accounts to see that they are in order.
IT audit
- A review of the controls within an entity's technology infrastructure (Wikipedia, www.wikipedia.org).
- Official examination of IT-related processes to see that they are in order.
Problems
- Financial audit: GAAP
- IT audit: ??
Financial vs IT Audits
- IT auditors may work on financial audit engagements.
- IT auditors may work on every step of the financial audit engagement.
- Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements.
- IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important.
Auditing Standards
Auditors are guided in their professional responsibility by the generally accepted auditing standards (GAAS).

Generally Accepted Auditing Standards

General Standards
- The auditor must have adequate technical training and proficiency to perform the audit.
- The auditor must maintain independence in mental attitude in all matters related to the audit.
- The auditor must use due professional care during the performance of the audit and the preparation of the report.

Standards of Field Work
- Audit work must be adequately planned.
- The auditor must gain a sufficient understanding of the internal control structure.
- The auditor must obtain sufficient, competent evidence.

Standards of Reporting
- The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles.
- The report must identify those circumstances in which generally accepted accounting principles were not applied.
- The report must identify any items that do not have adequate informative disclosures.
- The report shall contain an expression of the auditor's opinion on the financial statements as a whole.
What is an IT Auditor?
- Also called an internal audit specialist, IT auditor or IS auditor.
- May serve as a member of a consulting organization.
- Generally a member of an enterprise internal audit organization.
- A specialist who follows the standards and principles of the IIA and often ISACA as well.
Roles and Responsibilities
- Ensures IT governance by assessing risks and monitoring controls over those risks.
- Works as either an internal or an external auditor.
- Works on many kinds of audit engagements.
- Reviews and assesses enterprise management controls.
- Reviews and performs tests of enterprise internal controls.
- Reports to management.
Job Tasks and Responsibilities
- Designs technology-based audit approaches; analyzes and evaluates enterprise IT processes.
- Works independently or in a team to review enterprise IT controls.
- Examines the effectiveness of information security policies and procedures.
- Develops and presents training workshops for audit staff.
- Conducts and oversees investigations of inappropriate computer use.
- Performs special projects and other duties as assigned.
Knowledge, Skills, Abilities
- Knowledge of auditing, IS and network security
- Investigation and process flow analysis skills
- Interpersonal/human relations skills
- Verbal and written communication skills
- Ability to exercise good judgment
- Ability to maintain confidentiality
- Ability to use IT desktop office tools, vulnerability analysis tools, and other IT tools
Minimum Qualifications
- Bachelor's degree in Computer Science, computer programming or accounting
- Certified Information Systems Auditor (CISA) credential, or CISA candidate
- Certified Internal Auditor credential preferred
Figure 1.2: The Role of IT Auditors in the Financial Audit Process
[Figure: flow diagram of the financial audit process; the stages shown are: Develop an understanding and perform preliminary audit work; Evaluate the internal control system; Determine degree of reliance on internal controls; Develop audit plan; Perform substantive testing; Review work and issue audit report; Conduct follow-up work.]
Professional Groups and Certifications: Alphabet Soup
- ISACA: CISA (the largest professional organization of IT auditors)
- IIA: CIA
- ACFE: CFE
- AICPA: CPA and CITP
http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/How-to-Become-Certified/Pages/default.aspx
Certified Information Systems Auditor (CISA) Credentials
- The prime professional credential for IT auditors.
- More focused on IT audit.
- Open to all individuals who have an interest and skills in information system audit, control and security.
- The examination is four hours in duration and consists of 200 multiple-choice questions.
- The test is offered each year in June and December at numerous worldwide locations.
- Candidates must have a minimum of five years of professional information system auditing, internal control or security-related work experience.
CISA Examination Content Areas
- The IS audit process (10%)
- IT Governance (15%)
- Systems and Infrastructure Life Cycle (16%)
- IT Service Delivery and Support (14%)
- Protection of Information Assets (31%)
- Business Continuity and Disaster Recovery (14%)
Effects of Computers on Internal Controls
- Separation of duties
- Delegation of authority and responsibility
- Competent and trustworthy personnel
- System of authorizations
- Adequate documents and records
- Physical control over assets and records
- Adequate management supervision
- Independent checks on performance
- Comparing recorded accountability with assets
Effects of Computers on Auditing
- Changes to evidence collection
- Changes to evidence evaluation
Effective IT Audit
- Early involvement
- Informal audits
- Knowledge sharing
- Self-assessments
Questions to Ponder
1. Explain how information systems are used in an enterprise.