CIS Audit Lecture # 1
  • Audit planning process: define the needs/problem → gather relevant information → assess/enumerate the risks → analyze the risk → identify and review controls → set audit scope and objectives → develop strategy → assign resources
  • Check the impact and probability of the threat

Presentation Transcript

  • OVERVIEW OF IT AUDIT; IT RISK AND CONTROLS; IS AUDIT PROCESS
  • Assurance engagement: an engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users, other than the responsible party, about the outcome of the evaluation or measurement of a subject matter against criteria. (Handbook of ISA; IFAC)
  • Code of Professional Ethics. ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the Association and/or its certification holders. Members and ISACA certification holders shall: 1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
  • Code of Professional Ethics. 2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices. 3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
  • Code of Professional Ethics. 4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties. 5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
  • Code of Professional Ethics. 6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them. 7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control. Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.
  • Auditing Evaluation  Organization  System  Process  Project  Product Performed by  Competent  Independent  Objective Issue report
  • Why do we plan? To improve effectiveness  Enhance the chance of success To improve efficiency  Achieve the best result with the least resources
  • What should we consider inplanning an IS Audit? Risk Controls Technological updates Business needs Auditing techniques
  • How do we plan (Audit planning process)? Defining the needs/problem Gather relevant information Evaluate the plan Asses /enumerate the risksAssign resources Implement the plan Develop strategy Analyze the risk Set audit scope and Identify and review controls objectives
  • Risk Is the potential that a given threat will exploit the vulnerabilities of an asset/s to cause loss or damage to the asset/s.
  • Risk Assessment Identifying business risks relevant to financial reporting objectives; Estimating the significance of the risks; Assessing the likelihood of their occurrence; and Deciding about actions to address those risks.-PSA 315.15
  • Internal control in a CISEnvironment General CIS Control Application Control
  • General CIS Control Organization and management controls Development and maintenance controls Delivery and support controls Monitoring controls
  • Organization and managementcontrols Strategic information technology plan. CIS policies and procedures. Clearly defined roles and responsibilities. Segregation of incompatible functions Monitoring of IS activities performed by third party consultants.
  • Development and maintenancecontrols Project initiation, requirements definition, systems design, testing, data conversion, go-live decision, migration to production environment, documentation of new or revised systems, and user training. Acquisition and implementation of off-the-shelf packages. Request for changes to the existing systems. Acquisition, implementation, and maintenance of system software .
  • Delivery and supportcontrols Establishment of service level agreements against which CIS services are measured. Performance and capacity management controls. Event and problem management controls. Disaster recovery/contingency planning, training, and file backup. Computer operations controls. Systems security. Physical and environment controls.
  • Monitoring controls Monitoring of key CIS performance indicators. Internal and external CIS audits.
  • Application Control Controls over input Controls over processing and computer data files Controls over output
  • Controls over input Transactions are properly validated and authorized before being processed by the computer. Transactions are accurately converted into machine readable form and recorded in the computer data files. Transactions are not lost, added, duplicated or improperly changed. Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.
  • Controls over processing andcomputer data files Transactions, including system generated transactions, are properly processed by the computer. Transactions are not lost, added, excluded, duplicated or improperly changed. Processing errors are identified and corrected on a timely basis.
  • Controls over output Results of processing are accurate. Access to output is restricted to authorized personnel. Output is provided to appropriate authorized personnel on a timely basis.
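As an added illustration of the input and processing controls listed above (example code written for this page, not material from the lecture), the following Python applies those controls to a constructed transaction batch: a record count and an amount control total reconcile the batch to its header, each transaction is checked for validity, authorization and duplication, and rejected items carry a reason so they can be corrected and resubmitted. The approver list, the chart-of-accounts extract and the sample transactions are all assumed.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed reference data for the example (not from the lecture).
AUTHORIZED_APPROVERS = {"mgr01", "mgr02"}
VALID_ACCOUNTS = {"4000", "4100"}

@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (ref, reason): to be corrected and resubmitted
    record_count_ok: bool = False   # completeness: records received vs. batch header count
    control_total_ok: bool = False  # accuracy: sum of amounts received vs. header control total
    posted_total: Decimal = Decimal("0")  # value actually passed on to processing

def process_batch(header, txns):
    result = BatchResult()
    result.record_count_ok = header["record_count"] == len(txns)
    received_total, seen, parse_failed = Decimal("0"), set(), False
    for t in txns:
        try:
            amount = Decimal(t["amount"])  # conversion into machine-readable form
            received_total += amount
        except InvalidOperation:
            amount, parse_failed = None, True
        failed = [(amount is None, "amount not numeric"),
                  (amount is not None and amount <= 0, "non-positive amount"),
                  (t["ref"] in seen, "duplicate reference"),                   # keyed twice
                  (t["approver"] not in AUTHORIZED_APPROVERS, "not authorized"),  # before processing
                  (t["account"] not in VALID_ACCOUNTS, "invalid account")]     # master-data check
        reason = next((why for hit, why in failed if hit), None)
        seen.add(t["ref"])
        if reason:
            result.rejected.append((t["ref"], reason))
        else:
            result.accepted.append(t["ref"])
            result.posted_total += amount
    result.control_total_ok = not parse_failed and received_total == Decimal(header["amount_total"])
    return result

# Constructed sample batch: the header claims 5 records totalling 1550.00.
SAMPLE_HEADER = {"batch_id": "B001", "record_count": 5, "amount_total": "1550.00"}
SAMPLE_TXNS = [
    {"ref": "T1", "amount": "500.00", "approver": "mgr01", "account": "4000"},
    {"ref": "T2", "amount": "250.00", "approver": "mgr02", "account": "4100"},
    {"ref": "T2", "amount": "250.00", "approver": "mgr02", "account": "4100"},  # duplicate
    {"ref": "T3", "amount": "300.00", "approver": "clerk9", "account": "4000"},  # unauthorized
    {"ref": "T4", "amount": "250.00", "approver": "mgr01", "account": "9999"},   # bad account
]
```

Calling `process_batch(SAMPLE_HEADER, SAMPLE_TXNS)` reconciles to the header (both totals match) but posts only T1 and T2, listing T2's second copy, T3 and T4 for correction; dropping a record from the batch makes both header checks fail, which is what flags a lost transaction.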
  • References: PAPS 1008; PSA 315; ISACA.