Audits are performed to evaluate information validity, reliability, and internal controls. The goal is to express an opinion on the subject based on test work. IT audits specifically examine technology infrastructure, applications, development processes, and governance to evaluate security, integrity, effectiveness, and risk management. Key areas include systems, facilities, development lifecycle, management, architecture, and client/server environments. Findings are reported to assess controls and risks with recommendations for improvement.
Audit presentation
3. Audits are performed to ascertain
the validity and reliability of information; also to
provide an assessment of a system's internal
control. The goal of an audit is to express an
opinion of the person / organization / system (etc.)
in question, under evaluation based on work done
on a test basis.
4. The general definition of an audit is
an evaluation of a person, organization,
system, process, enterprise, project or
product. The term most commonly
refers to audits in accounting, but
similar concepts also exist in project
management, quality management,
water management, and energy
conservation.
5. •The role of the auditor goes back many hundreds of
years. There are records from ancient Egypt and
Rome showing that people were employed to
review work done by tax collectors and estate
managers.
•The emphasis was very much on the detection of
fraud and other irregularities.
•The emphasis has changed and the role of the auditor
has become much more sophisticated.
6. Audits can be categorized into two types:
Financial audit
Non-financial audit
7. Financial audit:
Addresses questions of accounting, recording, and
reporting of financial transactions. Reviewing the
adequacy of internal controls also falls within the
scope of financial audits.
Non-financial audit:
It is a non-statutory audit and serves two purposes:
It checks the company's compliance with standards.
It determines whether a product or service satisfies
the customer's demands in terms of quality and
features.
9. A legally required review of the accuracy of a company's or
government's financial records. The purpose of a statutory audit is to
determine whether an organization is providing a fair and accurate
representation of its financial position by examining information
such as bank balances, bookkeeping records and financial
transactions.
For example,
a state law may require all municipalities to submit to an annual
statutory audit examining all accounts and financial transactions
and to make the results of the audit available to the public. The
purpose of such an audit is to hold the government accountable
for how it is spending taxpayers' money.
10. When the audit is not a statutory requirement, but is
conducted at the desire of the owners, such an audit is a private
audit. The audit is conducted primarily for their own
interest. At times the private audit may become a
requirement under tax laws, if the turnover exceeds a
specified limit.
Private audits are of the following types:
1. Audit of sole proprietorships
2. Audit of partnership firms
3. Audit of individuals' accounts
4. Audit of institutions not covered by statutory audit
11. The examination, monitoring and analysis of activities
related to a company's operation, including its business
structure, employee behavior and information systems.
Internal audit is found to play the following roles:
Checking whether existing controls are effective and
adequate.
Checking whether financial and other reports show the actual
results of the company.
Checking whether subunits are following the policies and
procedures laid down by the company.
12. Analysis and assessment of competencies and
capabilities of a company's management in
order to evaluate their effectiveness, especially
with regard to the strategic objectives and
policies of the business. The objective of a
management audit is not to appraise individual
executive performance, but to evaluate the
management team in relation to their
competition.
13. Address the internal control environment of
automated information processing systems and
how these systems are used. IS audits typically
evaluate system input, output and processing
controls, backup and recovery plans, and system
security, as well as computer facility reviews.
IA’s scope of work is comprehensive and considers
all aspects of the organization - both financial and
non-financial - with an emphasis on constructive
improvement.
14. Staffing the audit team
Creating an audit project plan
Laying the groundwork for audit
Analyzing audit results
Sharing audit results
Writing audit results
Dealing with resistance to audit
recommendations
Building an ongoing audit program.
15. Company Directors
Assurance that statutory responsibilities
concerning accounts have been carried out.
Availability of expert advice.
The letter of weakness.
To Shareholders
Assurance that accounts show a true and fair
view and comply with statutory requirements
Other organizations with published accounts
Assurance that accounts are reliable
In addition they provide reliable accounts
to regulatory bodies such as the Companies
Registry, the stock exchange, etc.
16. Primary Objective:
To produce a report by the auditor of his
opinion of the truth and fairness of financial
statements so that any person reading and
using them can believe in them.
Secondary Objective:
•To detect Error and Fraud
• To prevent Errors and fraud by the deterrent
and moral effects of Audit
18. An audit can neither help in prioritizing
changes nor in allocating resources.
An audit cannot mobilize people to take action,
though it identifies various problems that
exist in the organizational system and
processes.
An audit cannot generate better data than the
measures used to gather it.
19. Audit evidence is evidence obtained during a financial
audit and recorded in the audit working papers.
In the audit engagement acceptance or reappointment
stage, audit evidence is the information that the auditor
is to consider for the appointment. For example,
change in the entity control environment, inherent risk
and nature of the entity business, and scope of audit
work.
In the audit planning stage, audit evidence is the
information that the auditor is to consider for the most
effective and efficient audit approach. For example,
reliability of internal control procedures, and analytical
review systems.
20. In the control testing stage, audit evidence is the information
that the auditor is to consider for the mix of audit test of
control and audit substantive tests.
In the substantive testing stage, audit evidence is the
information that the auditor uses to make sure of the
appropriateness of financial statement assertions. For
example, existence, rights and obligations, occurrence,
completeness, valuation, measurement, presentation and
disclosure of a particular transaction or account balance.
In the conclusion and opinion formulation stage, audit
evidence is information that the auditor is to consider
whether the financial statements as a whole present with
completeness, validity, accuracy and consistency with the
auditor's understanding of the entity.
22. An information technology audit,
or information systems audit, is an examination
of the management controls within
an Information technology (IT) infrastructure.
The evaluation of obtained evidence determines
if the information systems are safeguarding
assets, maintaining data integrity, and operating
effectively to achieve the organization's goals or
objectives. These reviews may be performed in
conjunction with a financial statement
audit, internal audit, or other form of attestation
engagement.
23. IT audits are also known as "automated data
processing (ADP) audits" and "computer
audits". They were formerly called "electronic
data processing (EDP) audits".
24. The concept of IT auditing was formed in the
mid-1960s. Since that time, IT auditing has
gone through numerous changes, largely due
to advances in technology and the
incorporation of technology into business.
Currently, there are many IT-dependent
companies that rely on information
technology in order to operate their business,
e.g. telecommunication or banking companies.
25. An IT audit is different from a financial statement
audit. While a financial audit's purpose is to
evaluate whether an organization is adhering
to standard accounting practices, the purposes of an
IT audit are to evaluate the system's internal control
design and effectiveness. This includes, but is not
limited to, efficiency and security protocols,
development processes, and IT governance or
oversight.
One of the most important roles of the IT audit is to
audit the critical systems in order to support the
financial audit or to support the specific regulations
announced, e.g. SOX.
26. Integrated information technology audit
compliance,
Quality assurance,
Business continuity,
Disaster recovery,
IT governance,
Fraud, risk, and forensics resources for information
technology auditors, internal auditors, application
auditors, compliance, information security and
forensics professionals.
27. The IT audit aims to evaluate the following:
Will the organization's computer systems be available for
the business at all times when required? (known as
availability)
Will the information in the systems be disclosed only to
authorized users? (known as security and
confidentiality)
Will the information provided by the system always be
accurate, reliable, and timely? (measures the integrity)
In this way, the audit hopes to assess the risk to the
company's valuable asset (its information) and establish
methods of minimizing those risks.
28. The audit process is generally a ten-step procedure:
1. Notification & Request for Preliminary Information
2. Planning
3. Opening Meeting
4. Fieldwork
5. Communication
6. Draft Report
7. Management Responses
8. Closing Meeting
9. Report Distribution
10. Follow-up
29. Technological innovation process audit
Innovative comparison audit
Technological position audit
Five categories of audits:
1. Systems and Applications
2. Systems Development
3. Management of IT and Enterprise Architecture
4. Client/Server, Telecommunications, Intranets, and
Extranets
5. Information Processing Facilities
30. This audit constructs a risk profile for existing
and new projects. The audit will assess the
length and depth of the company's experience
in its chosen technologies, as well as its
presence in relevant markets, the organization
of each project, and the structure of the portion
of the industry that deals with this project or
product, organization and industry structure.
31. This audit is an analysis of the innovative abilities
of the company being audited, in comparison
to its competitors. This requires examination of
company's research and development facilities,
as well as its track record in actually producing
new products.
Technological position audit: This audit
reviews the technologies that the business
currently has and that it needs to add.
Technologies are characterized as being either
"base", "key", "pacing" or "emerging".
32. Systems and Applications: An audit to verify that systems
and applications are appropriate, are efficient, and are
adequately controlled to ensure valid, reliable, timely, and
secure input, processing, and output at all levels of a system's
activity.
Information Processing Facilities: An audit to verify that the
processing facility is controlled to ensure timely, accurate, and
efficient processing of applications under normal and
potentially disruptive conditions.
Systems Development: An audit to verify that the systems
under development meet the objectives of the organization,
and to ensure that the systems are developed in accordance
with generally accepted standards for systems development.
33. Management of IT and Enterprise Architecture:
An audit to verify that IT management has
developed an organizational structure and
procedures to ensure a controlled and efficient
environment for information processing.
Client/Server, Telecommunications, Intranets,
and Extranets: An audit to verify
that telecommunications controls are in place on
the client (computer receiving services), server,
and on the network connecting the clients and
servers
34. The deep dive audit involves detailed study of the IT infrastructure
deployed - hardware, software, connectivity, power, security, MIS,
and usability by end users. Other areas of study include identifying
process coverage, data integrity, productivity improvements,
reporting frequency and adequacy, training adequacy, and system
availability.
The focal points of the IT audit are:
Business functionality
Ease of Use
Security
The capstone of Technology Audit is the Audit Findings Report which
includes gap analysis, recommendations pertaining to technology
upgrade / downgrade, training requirements and plan of action.
Technology Audit recommendation sets the direction for
organizations to optimize Return on Investment on IT.
35. Advising the Audit Committee and senior
management on IT internal control issues
Performing IT Risk Assessments
Performing:
Institutional Risk Area Audits
General Controls Audits
Application Controls Audits
Technical IT Controls Audits
Internal Controls advisors during systems
development and analysis activities.
February 14, 2007 35
37. IT Audit plays a major role in development of IT
Governance framework
Moving away from policing role into a specialist
role in the areas of risks and control
Adding value at strategic and operational levels
through the provision of business risk-focused
advice and assurance
Legislation is having a profound impact on IT
Auditing
(SOx, GLBA, HIPAA, FERPA, Privacy Notification
Regulations …)
The continuously changing technology
environment brings new risks (i.e. Cyber security,
wireless …)
38. Inadequate or Lack of Management Oversight
Poor Segregation of Duties
Inadequate or Lack of Supporting Documentation
No Business Continuity/Disaster Recovery Plan
Change Management
Data Security
Data Loss Incidents
There are also new audits being imposed by various
standard boards which are required to be performed,
depending upon the audited organization, which
will affect IT and ensure that IT departments are
performing certain functions and controls
appropriately to be considered compliant. An
example of such an audit is the newly minted SSAE
16