It audit presentation_icap


IT audit Presentation Helpful for ACMA Stage 5 Students

Published in: Education, Business, Technology
Speaker notes
  • Critically important to the survival and success of an organisation is effective management of information and related Information Technology (IT). In this global information society—where information travels through cyberspace without the constraints of time, distance and speed—this criticality arises from the:
      - Increasing dependence on information and the systems that deliver this information
      - Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare
      - Scale and cost of the current and future investments in information and information systems
      - Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
    Management must ensure that an internal control system or framework is in place which supports the business processes and makes it clear how each individual control activity satisfies the information requirements and how it impacts the IT resources. I.S. auditing is required to ensure that such a system is in place and is working effectively.
  • The specialized nature of information systems auditing, and the knowledge and skills necessary to perform such audits, require globally applicable standards that apply specifically to information systems auditing. One of the Association’s goals is to advance standards to meet this need. One of the most important functions of ISACA is providing information (a common body of knowledge) to support these knowledge requirements. The development and dissemination of Standards for Information Systems Auditing are a cornerstone of the Association’s professional contribution to the audit community.
  • The ISACA Code of Professional Ethics requires members of ISACA and holders of the CISA designation to comply with the Information Systems Auditing Standards adopted by ISACA. Apparent failure to comply with these may result in an investigation into the member’s or CISA holder’s conduct by ISACA or an appropriate ISACA board or committee, and disciplinary action may ensue. There are 8 areas within the standards: the audit charter, independence, professional ethics and standards, competence, planning, performance of audit work, reporting and follow-up activities.
  • The remaining four of the 8 areas within the standards are planning, performance of audit work, reporting and follow-up activities.
  • Controls are generally categorized into 3 major classifications:
      - Preventive: controls that deter problems before they arise.
      - Detective: controls that detect and report the occurrence of an error, omission or malicious act.
      - Corrective: controls that minimize the impact of a threat, remedy problems discovered by detective controls and identify the cause of a problem.
    Refer to exhibit 1.1 on pages 32 and 33 of the 2005 CISA Review Manual for further details.
  • The IS auditor should understand the basic control objectives that exist for all functions. Internal control system components include internal accounting controls, operational controls and administrative controls. The IS control objectives include:
      - Safeguarding assets: information on automated systems is secured from improper access and kept up to date.
      - Assuring the integrity of general operating system environments, including network management and operations.
      - Assuring the integrity of sensitive and critical application system environments, including accounting/financial and management information (information objectives), through:
          • Authorization of the input—each transaction is authorized and entered only once
          • Accuracy and completeness of processing of transactions—all transactions are recorded and entered into the computer for the proper period
          • Reliability of overall information processing activities
          • Accuracy, completeness and security of the output
          • Database integrity
      - Ensuring the efficiency and effectiveness of operations (operational objectives).
      - Complying with the users’ requirements and with organizational policies and procedures as well as applicable laws and regulations (compliance objectives).
      - Developing business continuity and disaster recovery plans.
      - Developing an incident response and handling plan.
    Note to the instructor: The CISA candidate should be aware that it is important that the auditor understands the relationships between control objectives and controls; control objectives and audit objectives; criteria and the sufficiency and competency of evidence; and audit objectives, criteria and audit procedures. A strong understanding of these elements is key to the auditor’s performance.
  • Internal control objectives apply to all areas, whether manual or automated. Therefore, control objectives in an IS environment remain unchanged from a manual environment; however, the implemented control features may be different. COBIT (Control Objectives for Information and related Technology) is published by the ISACF and the IT Governance Institute, through ISACA. COBIT is the industry’s leading framework for information system control objectives and related good practices in support of governance, control and assurance for information and related technology. COBIT consists of 34 high-level control objectives representing IT processes grouped into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. Supporting these IT processes are over 300 detailed control objectives. The following are examples of IS control objectives:
      - Information on automated systems is secured from improper access and kept up to date.
      - Each transaction is authorized and entered only once.
      - All transactions are recorded and entered into the computer for the proper period.
      - All rejected transactions are reported.
      - Duplicate transactions are reported.
      - Files are adequately backed up to allow for proper recovery.
      - All changes to operating software are approved and tested.
    Give 5 examples of control objectives to candidates. Note to the instructor: Instruct CISA candidates that they will not be asked to identify specific control objectives from COBIT, but rather to understand how each is applied in practice.
  • In addition to understanding business risk and control, the IS auditor must understand that risk exists within the audit process itself.
Slides

Slide 2: Scope of Presentation
  • What is Internal Audit
  • Need for I.S. Auditing
  • I.S. Audit Standards
  • Controls
  • COBIT
  • I.S. Audit Process
  • Audit Resource Management

Slide 3: What is Internal Audit?
  Internal auditing:
  • Is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations
  • Helps an organization in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes
  • Has functions that include, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of the accounting and internal control systems

Slide 4: Internal Auditing Defined
  Internal auditing is an independent, objective assurance and consulting activity within an organization that is guided by a philosophy of adding value to improve the operations of the organization. It assists an organization in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control and governance processes.

Slide 5: Internal Audit vs. External Audit
  • The role of internal auditing is determined by management, and the function’s objectives vary according to management’s requirements; as such, it is part of the entity.
  • External audit, on the other hand, is carried out independently to express an opinion on the fairness of the financial statements, with the primary concern and objective of determining whether the financial statements are free from material misstatements. It is, therefore, not a part of the entity.
  • Nevertheless, some of the means of achieving their respective objectives are often similar, and thus certain aspects of internal auditing may be useful in determining the nature, timing and extent of external audit procedures.

Slide 6: Need for I.S. Auditing
  • Increasing level of computerization of manual functions
  • Rapid technological development
  • Lack of user knowledge resulting in insecure practices
  • Role of networks
  • Viruses, worms, hackers and other security threats
  • Changing regulatory environment

Slide 7: I.S. Auditing
  IS auditing is the process of collecting and evaluating evidence to determine whether information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that operational and control objectives will be met.

Slide 8: I.S. Auditing Standards
  Objectives of IS Auditing Standards:
  • Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners
  • Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities

Slide 9: I.S. Auditing Standards
  • Audit charter
  • Independence
  • Professional Ethics and Standards
  • Competence

Slide 10: I.S. Auditing Standards
  • Planning
  • Performance of audit work
  • Reporting
  • Follow-up activities
Slide 11: ISACA Standards and Guidelines for IS Auditing
  • Audit charter
    - The responsibility, authority and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.

Slide 12: ISACA Standards and Guidelines for IS Auditing
  • Independence
    - Professional Independence: In all matters related to auditing, the IS auditor is to be independent of the auditee in attitude and appearance.
    - Organizational Relationship: The IS audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit.

Slide 13: ISACA Standards and Guidelines for IS Auditing
  • Professional Ethics and Standards
    - Due professional care and observance of applicable professional auditing standards are to be exercised in all aspects of the information systems auditor’s work.

Slide 14: ISACA Standards and Guidelines for IS Auditing
  • Competence
    - Skills and Knowledge: The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor’s work.
    - Continuing Professional Education: The information systems auditor is to maintain technical competence through appropriate continuing professional education.

Slide 15: ISACA Standards and Guidelines for IS Auditing
  • Planning
    - The information systems auditor is to plan the information systems audit work to address the audit objectives and requirements and to comply with applicable professional auditing standards.

Slide 16: ISACA Standards and Guidelines for IS Auditing
  • Performance of audit work
    - Supervision: Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met.
    - Evidence: During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.

Slide 17: ISACA Standards and Guidelines for IS Auditing
  • Reporting
    - The information systems auditor is to provide a report in an appropriate form to intended recipients upon completion of audit work. The audit report is to state the scope, objectives, period of coverage and the nature and extent of the audit work performed. The report is to identify the organization, the intended recipients and any restrictions on circulation. The report is to state the findings, conclusions, recommendations and any reservations or qualifications that the auditor has with respect to the audit.

Slide 18: ISACA Standards and Guidelines for IS Auditing
  • Follow-up activities
    - The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions and recommendations to determine whether appropriate actions have been implemented in a timely manner.
Slide 19: Some Control Definitions...
  1. IT Risk
  2. Control
  3. Control Objectives
  4. Control Practices

Slide 20: IT Risk
  The chance that information systems will not satisfy the business requirement of ensuring the achievement of IT objectives and responding to threats to the provision of IT services.

Slide 21: Control
  Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Slide 22: Control Objectives
  An IT control objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

Slide 23: Control Practices
  A key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business.

Slide 24: Why do we need Controls?
  If everything seems under control,
  you are not going fast enough

Slide 25: Controls
  • Control classification
    - Preventive
    - Detective
    - Corrective

Slide 26: Controls
  • Information System Control Objectives
    - Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives thus need to be addressed in a manner specific to IS-related processes.

Slide 27: CobiT is a very rich standard
  • CobiT was developed by experts with extensive experience in many different industries
  • It includes all of the processes that can take place within an IT organization
  • It describes CSFs, KPIs, KGIs and processes that may not necessarily be relevant to a given organization’s needs
  • Depending on the organization, attempting to implement the complete standard can cost more than the value created by a successful implementation

Slide 28: COBIT
  • Control Objectives for Information and related Technology
  • IT control objectives and standards of good practice
  • 34 high-level control objectives
Slide 30: CobiT IT Domains and Processes: Planning & Organisation
  • Define a strategic IT plan
  • Define the information architecture
  • Determine the technological direction
  • Define the IT organisation and relationships
  • Manage the investment
  • Communicate management aims and directions
  • Manage human resources
  • Ensure compliance with external requirements
  • Assess risks
  • Manage projects
  • Manage quality

Slide 31: CobiT IT Domains and Processes: Acquisition & Implementation
  • Identify solutions
  • Acquire and maintain application software
  • Acquire and maintain technology architecture
  • Develop and maintain IT procedures
  • Install and accredit systems
  • Manage changes

Slide 32: CobiT IT Domains and Processes: Delivery & Support
  • Define service levels
  • Manage third-party services
  • Manage performance and capacity
  • Ensure continuous service
  • Ensure system security
  • Identify and attribute costs
  • Educate and train users
  • Assist and advise IT customers
  • Manage the configuration
  • Manage problems and incidents
  • Manage data
  • Manage facilities
  • Manage operations

Slide 33: CobiT IT Domains and Processes: Monitoring
  • Monitor the processes
  • Assess the internal control adequacy
  • Obtain independent assurance
  • Provide for independent audit

Slide 34: How To Assess IT Risks (PO9 Assess Risks: control objectives)
  • Carry out a business risk assessment
  • Implement an IT risk assessment approach
  • Identify IT risks
  • Measure IT risks
  • Create an IT risk management action plan
  • Accept residual risk
  • Select safeguards
  • Commit to risk assessment
  (Diagram labels on the slide: Risk Identification; Control Implementation)
Slide 36: I.S. Audit Planning
  • Adequate planning is a necessary first step in performing effective IT audits
  • Need to understand the general business environment as well as the associated business and control risks
  • Assess operational and control risks and identify control objectives during audit planning

Slide 37: I.S. Audit Planning
  To perform audit planning, the IS auditor should:
  1. Gain an understanding of the business’ mission, objectives, processes, information and processing requirements (such as availability, integrity and security) and information architecture requirements; in general terms, its processes and technology.
  2. Perform risk analysis.
  3. Conduct an internal control review.
  4. Set the audit scope and audit objective(s).
  5. Develop the audit approach or audit strategy.
  6. Assign resources to the audit and address engagement logistics.

Slide 38: I.S. Audit Planning
  In planning the engagement, I.S. auditors should consider:
  • The objectives of the activity being reviewed and the means by which the activity controls its performance.
  • The significant risks to the activity, its objectives, resources and operations, and the means by which the potential impact of risk is kept to an acceptable level.
  • The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model.
  • The opportunities for making significant improvements to the activity’s risk management and control systems.

Slide 39: I.S. Audit Process
  • General audit procedures
    - Understanding of the audit area/subject
    - Risk assessment and general audit plan
    - Detailed audit planning
    - Preliminary review of audit area/subject
    - Evaluating audit area/subject
    - Compliance testing
    - Substantive testing
    - Reporting (communicating results)
    - Follow-up

Slide 40: I.S. Audit Process
  • Audit Methodology
    - The audit methodology is a set of documented audit procedures designed to achieve planned audit objectives; the audit strategy is embodied in this methodology. Its components are:
      • a statement of scope,
      • a statement of audit objectives and
      • a statement of work programs

Slide 41: I.S. Audit Process: Typical audit phases
  • Identify
    - the area to be audited
    - the purpose of the audit
    - the specific systems, function or unit of the organization to be included in the review
    - technical skills and resources needed
    - the sources of information for tests or review, such as functional flow-charts, policies, standards, procedures and prior audit work papers
    - locations or facilities to be audited
    - the audit approach to verify and test the controls
    - the list of individuals to interview
    - the departmental policies, standards and guidelines to obtain for review
  • Develop
    - audit tools and methodology to test and verify controls
    - procedures for evaluating the test or review results
    - procedures for communication with management
  • Identify
    - follow-up review procedures
    - procedures to evaluate/test operational efficiency and effectiveness
    - procedures to test controls
  • Review and evaluate the soundness of documents, policies and procedures
Slide 42: I.S. Audit Process
  • Control objective: A control objective refers to how an internal control should function.
  • Audit objective: An audit objective refers to the specific goals of the audit. An audit may incorporate several audit objectives. Audit objectives often center around substantiating that internal controls exist to minimize business risks. Management may give the IS auditor a general objective to follow when performing an audit.
  • A key element in planning an information systems audit is to translate basic audit objectives into specific information systems audit objectives.

Slide 43: I.S. Audit Process
  • Audit risk and materiality
    - More and more organizations are moving to a risk-based audit approach, which is usually adapted to develop and improve the continuous audit process. This approach is used to assess risk and to assist with an IS auditor’s decision to do either compliance testing or substantive testing.

Slide 44: I.S. Audit Process
  • In a risk-based audit approach, IS auditors are not just relying on risk; they also rely on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices.
  • Business risks are the concerns about the probable effects of an uncertain event on achieving established objectives. The nature of these risks may be financial, regulatory or operational. By understanding the nature of the business, IS auditors can identify and categorize the types of risks, which will better determine the risk model or approach in conducting the audit.

Slide 45: I.S. Audit Process
  • Risk-based approach
    - Emphasis on knowledge of the business and technology
    - Focuses on assessing the effectiveness of a “combination” of controls
    - Linkage between risk assessment and testing, focusing on control objectives
    - Focuses on the business from a management perspective

Slide 46: I.S. Audit Process
  • Types of risk
    - Inherent risk
    - Control risk
    - Detection risk
    - Overall audit risk

Slide 47: I.S. Audit Process
  • Inherent Risk: The risk that an error exists which could be material or significant when combined with other errors encountered during the audit, assuming that there are no related compensating controls.
  • Control Risk: The risk that a material error exists that will not be prevented or detected on a timely basis by the system of internal controls.
  • Detection Risk: The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.

Slide 48: I.S. Audit Process
  • Overall Audit Risk: The combination of the individual categories of audit risk assessed for each specific control objective. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so that the overall audit risk is at a sufficiently low level at the completion of the examination. Another objective is to assess and control those risks to achieve the desired level of assurance as efficiently as possible.

Slide 49: I.S. Audit Process
  • Risk Assessment Techniques
    - Enable management to effectively allocate limited audit resources
    - Ensure that relevant information has been obtained
    - Establish a basis for effectively managing the audit department
    - Provide a summary of how the individual audit subject is related to the overall organization and to business plans
Slide 50: I.S. Audit Process
  • Control objectives and the related key controls that address the objective
    - An auditor should be able to identify key controls and then decide to test these controls through substantive or compliance verification methods. The IS auditor is to identify application controls after developing an understanding of, and documenting, the application or function, and based upon that should identify key control points. This will allow the auditor to determine if controls are working as expected, and the results of compliance tests will allow the auditor to design more extensive compliance or substantive testing.

Slide 51: I.S. Audit Process
  • Relationship between substantive and compliance tests, and the two categories of substantive tests
    - Substantive tests substantiate the integrity of actual processing. They provide evidence of the validity and integrity of the balances in the financial statements and the transactions that support these balances.
    - Compliance tests determine if controls are being applied in a manner that complies with management policies and procedures.

Slide 52: I.S. Audit Process
  • Correlation between the level of internal controls and the amount of substantive testing required
    - If the results of testing controls reveal the presence of adequate internal controls, then the IS auditor is justified in minimizing the substantive procedures. Conversely, if the testing of controls reveals weaknesses in control that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts.

Slide 53: I.S. Audit Process
  • Evidence: It is a requirement that the auditor’s conclusions must be based on sufficient, competent evidence.
    - Independence of the provider of the evidence
    - Qualification of the individual providing the information or evidence
    - Objectivity of the evidence
    - Timing of evidence

Slide 54: I.S. Audit Process
  • Techniques for gathering evidence:
    - Review IS organization structures
    - Review IS policies, procedures and standards
    - Review IS documentation
    - Interview appropriate personnel
    - Observe processes and employee performance

Slide 55: I.S. Audit Process
  • Computer-assisted audit techniques
    - CAATs are a significant tool for IS auditors to gather information independently
    - CAATs include:
      • Generalized audit software (ACL, IDEA, etc.)
      • Utility software
      • Test data
      • Application software for continuous online audits
      • Audit expert systems

Slide 56: I.S. Audit Process
  • Need for CAATs
    - The audit findings and conclusions are to be supported by appropriate analysis and interpretation of the evidence. Today’s information processing environments pose a stiff challenge to the IS auditor to collect sufficient, relevant and useful evidence, since the evidence exists on magnetic media and can only be examined using CAATs. With systems having different hardware and software environments, different data structures, record formats, processing functions, etc., it is almost impossible for IS auditors to collect evidence without a software tool to collect and analyze the records.
Slide 57: I.S. Audit Process
  • Functional Capabilities of CAATs
    - Generalized audit software provides IS auditors the ability to use high-level problem-solving software to invoke functions to be performed on data files. The functions supported in generalized audit software are:
      • File access
      • File reorganization
      • Data selection
      • Statistical functions
      • Arithmetical functions
    58. 58. <ul><li>Areas of Concern </li></ul><ul><ul><li>Integrity, reliability, and security of the CAATs beforehand </li></ul></ul><ul><ul><li>Integrity of the information systems and security environment </li></ul></ul><ul><ul><li>Confidentiality and security of data as required by the clients </li></ul></ul>I.S. Audit Process
59. CAATs offer the following advantages:
    - Reduced level of audit risk
    - Greater independence from the auditee
    - Broader and more consistent audit coverage
    - Faster availability of information
    - Improved exception identification
    - Greater flexibility of run times
    - Greater opportunity to quantify internal control weaknesses
    - Enhanced sampling
    - Cost savings over time
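The following added example (not from the presentation, and not ACL or IDEA code) shows the generalized audit software functions listed on slide 57 and the exception identification and sampling advantages on slide 59 applied to a constructed accounts-payable extract; the field names and the six invoice records are hypothetical sample data embedded so it runs offline.

```python
import csv
import io
import random
import statistics

# Constructed accounts-payable extract (not real data) embedded so the block runs offline.
SAMPLE_EXTRACT = """invoice_id,vendor,quantity,unit_price,invoice_total,approved_by
1001,Acme Ltd,10,25.00,250.00,jsmith
1002,Acme Ltd,4,99.50,398.00,jsmith
1003,Globex,1,12000.00,12000.00,
1004,Initech,7,15.00,105.00,mjones
1005,Globex,3,4000.00,12100.00,mjones
1006,Initech,2,15.00,30.00,jsmith
"""

def load_extract(text):
    """File access: parse the extract into typed records."""
    rows = csv.DictReader(io.StringIO(text))
    return [{"invoice_id": r["invoice_id"], "vendor": r["vendor"],
             "quantity": int(r["quantity"]), "unit_price": float(r["unit_price"]),
             "invoice_total": float(r["invoice_total"]), "approved_by": r["approved_by"]}
            for r in rows]

def select_records(records, predicate):
    """Data selection: keep only records meeting the audit criterion."""
    return [r for r in records if predicate(r)]

def arithmetic_exceptions(records, tolerance=0.01):
    """Arithmetical functions: recompute quantity * unit_price and flag totals that disagree."""
    return [r["invoice_id"] for r in records
            if abs(r["quantity"] * r["unit_price"] - r["invoice_total"]) > tolerance]

def vendor_totals(records):
    """File reorganization: regroup the extract by vendor and total it."""
    totals = {}
    for r in records:
        totals[r["vendor"]] = round(totals.get(r["vendor"], 0.0) + r["invoice_total"], 2)
    return totals

def summary_statistics(records):
    """Statistical functions: population count, sum and mean of invoice totals."""
    values = [r["invoice_total"] for r in records]
    return {"count": len(values), "sum": round(sum(values), 2),
            "mean": round(statistics.mean(values), 2)}

def draw_sample(records, size, seed):
    """Sampling: reproducible random selection of items for detailed testing (record the seed)."""
    return sorted(r["invoice_id"] for r in random.Random(seed).sample(records, size))
```

The recorded seed lets a reviewer regenerate exactly the same sample, which is what makes the selection defensible as audit evidence.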
60. Cost/benefits of CAATs
    - As with any other process, an IS auditor should weigh the costs and benefits of CAATs before going through the effort, time and expense of purchasing or developing them. Issues to consider include:
        - Ease of use, both for existing audit staff and future staff
        - Training requirements
        - Complexity of coding and maintenance
        - Flexibility of uses
        - Installation requirements
        - Processing efficiencies (especially with a PC CAAT)
        - Effort required to bring the source data into the CAATs for analysis
61.
    - After developing an audit program and gathering audit evidence, the next step is an evaluation of the information gathered in order to develop an audit opinion. This requires the IS auditor to consider a series of strengths and weaknesses and then to develop audit opinions and recommendations.
    - The IS auditor should assess the results of the evidence gathered for compliance with the control requirements or objectives established during the planning stage of the audit. This requires considerable judgment, as controls are often unclear. A control matrix is often utilized in assessing the proper level of controls.
62. As part of the information systems review, the IS auditor may discover a variety of strong and weak controls. All should be considered when evaluating the overall control structure. In some instances, one strong control may compensate for a weak control in another area. The IS auditor should be aware of compensating controls in areas where controls have been identified as weak.
63.
    - A control objective is not normally achieved because a single control is considered adequate. Controls must be evaluated to determine how they relate to each other. Evaluate the totality of control by considering the strengths and weaknesses of the control procedures.
    - Assess the strengths and weaknesses of the controls evaluated and then determine whether they are effective in meeting the control objectives established as part of the audit planning process.
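As an added illustration of the control matrix described on slides 61 to 63 (this is example code, not part of the presentation), the block below rates each control objective from the totality of its controls rather than from any single control, and records where a strong control compensates for a weak one so the weakness is still reported. The objectives, control names and ratings are constructed.

```python
# Constructed control matrix: each control objective maps to the controls addressing it,
# each rated "strong" or "weak" from the evidence gathered. All names are hypothetical.
CONTROL_MATRIX = {
    "Only authorised users can change payment data": [
        ("Role-based access to AP module", "weak"),
        ("Independent review of vendor master changes", "strong"),
    ],
    "All invoices are approved before payment": [
        ("System-enforced approval workflow", "strong"),
    ],
    "Payment batches are complete and accurate": [
        ("Batch control totals", "weak"),
        ("Manual reconciliation of payment run", "weak"),
    ],
}

def evaluate_objective(controls):
    """Judge one objective from all of its controls together.

    Returns (status, compensating_controls): status is "met", "met via compensating
    control" or "not met"; the list names the strong controls relied upon.
    """
    strong = [name for name, rating in controls if rating == "strong"]
    weak = [name for name, rating in controls if rating == "weak"]
    if strong and not weak:
        return "met", []
    if strong and weak:
        # A strong control compensates for the weak one(s) for this objective,
        # but the weakness itself still belongs in the findings.
        return "met via compensating control", strong
    return "not met", []

def evaluate_matrix(matrix):
    """Status of every control objective in the matrix."""
    return {objective: evaluate_objective(ctrls) for objective, ctrls in matrix.items()}

def weak_control_findings(matrix):
    """Every weak control, with the objective's status and any compensating controls,
    ready to be weighed for materiality before it goes into the report."""
    findings = []
    for objective, ctrls in matrix.items():
        status, compensating = evaluate_objective(ctrls)
        for name, rating in ctrls:
            if rating == "weak":
                findings.append({"objective": objective, "control": name,
                                 "objective_status": status,
                                 "compensated_by": compensating})
    return findings
```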
64. Judging materiality of findings
    - The concept of materiality is a key issue when deciding which findings to bring forward in an audit report. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management.
    - Assessment requires judgment of the potential effect of the finding if corrective action is not taken. Assess what is significant to different levels of management. Discuss examples of what might be important to different levels of management and why.
65. Communicating audit results. Results or concerns should be communicated to senior management and to the audit committee of the board of directors. IS auditors should feel free to communicate issues or concerns to such management.
    - Audit report structure and contents. There is no specific format for an IS audit report; therefore, the organization's audit policies and procedures will generally dictate the format.
    - Exit interview. Used to discuss the findings of the audit and the recommendations with management. Ensure that the facts presented in the report are correct and that the recommendations are realistic and cost effective; if not, seek alternatives through negotiation with the audit area. Establish implementation dates for the agreed recommendations.
66.
    - Presentation techniques to communicate the results of the audit work could include the following:
        - Executive summary: an easy-to-read and concise report that presents findings to management in an understandable manner.
        - Visual presentation: could include overhead transparencies, slides or computer graphics.
        - Oral presentation
67.
    - Auditing is an ongoing process
    - The IS auditor is not effective if audits are performed and reports issued but not followed up on to determine whether management has taken appropriate corrective actions. IS auditors should have a follow-up program to determine whether agreed corrective actions have been implemented.
    - Timing of follow-up
    - The timing of follow-up will depend upon the criticality of the findings and is subject to the IS auditor's judgment. The results of the follow-up should be communicated to appropriate levels of management.
68. Audit Documentation
    - IS audit documentation is the record of the audit work performed and the audit evidence supporting the findings and conclusions (see ISACA Guidelines on audit documentation).
    - The IS auditor should understand techniques for documenting an information system as well as documenting the understanding of the information systems environment. The IS auditor should be able to prepare adequate work papers and narratives, complete interview questionnaires and create understandable systems flowcharts.
69.
    - The IS auditor should understand techniques for managing audit projects with appropriately trained members of the audit staff.
    - Skill and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.
I.S. Audit Resource Management
70. Project management techniques
    - It is important for an IS auditor to consider a project management technique for managing and administering audit projects, whether automated or manual. Basic steps for this purpose include:
        - Develop a detailed plan. This should spread the necessary audit steps across a time line. Realistic estimates should be made of the time requirements for each task, with proper consideration given to the availability of the auditee.
        - Report project activity against the plan. There should be some type of reporting system in place such that IS auditors can report their actual progress against planned audit steps.
71. Project management techniques
        - Adjust the plan and take corrective action, as required. Actual accomplishments should be measured against the established plan on a continuous basis. Changes should be made in IS auditor assignments or in planned schedules, as required.
72. THANK YOU!