3c 2 Information Systems Audit
  • 1. Information Systems Audit
  • 2. Overview of Presentation
    • What is IS auditing?
    • Who can do IS auditing?
    • Why is IS auditing important?
    • What kinds of work does the IS audit wing perform?
    • How do we do our work?
    • Where are we doing IS audits?
    • Experience sharing
  • 3. What is Information Systems Auditing?
    • “Independent and objective appraisal process that assures information is being processed in a safe and sound manner; that operations are efficient, effective, and adequate; and, information assets are safeguarded”
  • 4. Why Is Information Systems Auditing Important?
    • Growing access to and use of computers
    • Growing concern for data security due to proliferation of technology
    • Existence of computer fraud
    • Complexity of systems and computers
    • Protectors of information assets and privacy
  • 5. Who Can Do IS Auditing?
    • Certified Information Systems Auditor (CISA), accredited by the Information Systems Audit and Control Association (ISACA) (international)
    • For technical reviews, partner with persons having the relevant technical skills (guest audit pool members)
    • Founded in 1969 as EDPAA
    • Facilitates a free exchange of audit techniques and problem-solving approaches among members
    • Promotes increased awareness of IS controls
    • Provides membership opportunities for students as well as experienced practitioners
  • 7. Systems Audit - Focus Areas
    • Post-implementation Reviews of ERP (SAP)
    • Application Reviews
    • Security Reviews
    • IS department Operations review
    • Technology Reviews (firewall audit, email audit)
    • Corporate and Department Training
    • Operational Support through Audit Software
  • 8. Uniqueness of IS audit
    • Uniform processing of transactions - systemic effect
    • Absence of segregation of functions in the IT environment
    • Potential for errors and frauds that leave no visible trace
    • Necessitates increased management supervision
    • Effectiveness of manual controls (management review) depends on controls over computer processing
    • Transaction Trails in digital form.
  • 9. How Do We Do Our Work?
    • Use CAATs (computer-assisted audit techniques) to gather and analyze data
    • Conduct interviews to better understand process, product and control
    • Use detailed audit procedures
    • Complete flowcharts, narratives or other control documents to evaluate key controls
    • Develop recommendations to support and enhance IS controls
  • 10. As Good IS Auditors, We Are
    • Creative
    • Conceptual
    • Excellent Communicator
    • Persuasive
    • Inquisitive
  • 11. As IS Auditors, We Take an Active Role in
    • Internal Auditing
    • Systems Analysis
    • Project Implementations
    • Operations Management
    • External Consulting
    • Specialized Service Provider
  • 12. Systems Audit - Till Now
    • A) EID
    • Software Licensing Compliance Review
    • Data Management review in Parry & Co.
    • SAP Security and Controls review
    • SAP FI-GL review
    • SAP Authorization Review (a gap analysis)
    • SAP Business Process review
    • SAP SD Credit Management review
    • B) Coromandel Fertilisers Limited
    • SAP procurement cycle review, from purchase request to payment
    • C) Parrys Confectionery Limited
    • IS Security Risks and Controls Gap Review
  • 13. Our Experience in SAP Reviews
    Our observations:
    • Reversal of goods receipt after it was matched with the invoice
    • GR/IR clearing not being carried out
    • Tolerance limits for over/under delivery not defined, or able to be overridden
    • Tolerance checks for invoice release and documents not configured
    • Weaknesses in PO release procedures
    • No restriction on usage of movement types
    • Entry of invoices in FI
    • No validation checks defined
    Business impact:
    • Risk of unauthorised transactions or inaccurate information
  • 14. Our Experience in SAP Reviews
    Our observations:
    • Standards for developing ABAP programs were poor
    • Inadequate documentation for the customised ABAP programs and IMG settings
    • Inadequate handover procedures
    • Customised programs were still in test mode in the production environment
    • Weaknesses in the assignment of rights to restrict entry to specific company codes, business areas, plants, etc.
    Business impact:
    • Difficulty in maintaining the customised programs
    • Difficulty in understanding the rationale for configuration settings
    • Increased time spent by the SAP team in dealing with SAP queries
    • Unauthorised transactions
  • 15. Legacy Systems Review
    • Errors identified at HO are corrected at the back end, directly on the database, instead of by passing journal entries.
    • Master data tables are accessed by the data input staff at all the depots, resulting in duplicated master records.
    • No procedure for logging master data changes by a responsible person.
    • Data import errors are expected on every import, and corrections are made based on the error report.
    • No protection for sensitive information during transmission or transport.
    • No records to identify critical database assets for planning housekeeping and storage management.
    • No offsite storage is arranged for database files.
    • No formal procedures are available to verify the retention period for data, programs and messages; users are not aware of the retention period of data sets.
    • No records are maintained of the contents of the program or media library, detailing the inventory of information assets, namely the programs, database files and documents.
  • 16. Thank You
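Slide 9 says the audit wing uses CAATs to gather and analyse data, and slide 13 lists the procurement-cycle weaknesses those analytics are meant to surface. The following is an added example, not part of the presentation and not the audit wing's own tooling, showing what three such checks look like when written out in Python over a constructed set of purchase orders, goods movements and matched invoices: goods receipts reversed after the invoice was matched, net deliveries outside the PO tolerance (with "tolerance not defined" reported as its own finding), and received-versus-invoiced quantity mismatches that would sit uncleared on the GR/IR account. The record layout, the `GR`/`GR_REV` movement labels and all values are assumptions made for the example; they are not SAP movement type codes or table structures.

```python
"""CAAT-style procurement checks over constructed records (illustrative example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PurchaseOrder:
    po: str
    ordered_qty: int
    tolerance_pct: Optional[float]  # None models "tolerance limit not defined" (slide 13)


@dataclass(frozen=True)
class Movement:
    po: str
    doc: str
    movement_type: str  # assumed labels: "GR" = goods receipt, "GR_REV" = reversal
    qty: int            # reversals carry a negative quantity
    posted: date


@dataclass(frozen=True)
class Invoice:
    po: str
    doc: str
    qty: int
    matched_on: date  # date the invoice was matched against the PO/GR


# Constructed sample data (not from any real system).
PURCHASE_ORDERS = [
    PurchaseOrder("PO-1001", 100, 5.0),
    PurchaseOrder("PO-1002", 50, None),   # no tolerance limit defined
    PurchaseOrder("PO-1003", 200, 10.0),
]
MOVEMENTS = [
    Movement("PO-1001", "M-1", "GR", 100, date(2024, 1, 10)),
    Movement("PO-1001", "M-2", "GR_REV", -100, date(2024, 1, 20)),  # after invoice I-1 was matched
    Movement("PO-1002", "M-3", "GR", 60, date(2024, 2, 1)),         # 20% over-delivery
    Movement("PO-1003", "M-4", "GR", 230, date(2024, 3, 1)),        # 15% over, tolerance is 10%
]
INVOICES = [
    Invoice("PO-1001", "I-1", 100, date(2024, 1, 15)),
    Invoice("PO-1002", "I-2", 60, date(2024, 2, 5)),
]


def _sum_qty_by_po(items: Iterable) -> Dict[str, int]:
    """Net quantity per PO; works for movements (signed) and invoices alike."""
    totals: Dict[str, int] = {}
    for item in items:
        totals[item.po] = totals.get(item.po, 0) + item.qty
    return totals


def gr_reversed_after_invoice_match(movements: List[Movement], invoices: List[Invoice]) -> List[str]:
    """Finding 1: reversal documents posted after the first matched invoice on the same PO."""
    first_match: Dict[str, date] = {}
    for inv in invoices:
        first_match[inv.po] = min(inv.matched_on, first_match.get(inv.po, inv.matched_on))
    return sorted(
        m.doc for m in movements
        if m.movement_type == "GR_REV" and m.po in first_match and m.posted > first_match[m.po]
    )


def delivery_tolerance_breaches(orders: List[PurchaseOrder], movements: List[Movement],
                                default_tolerance_pct: float = 0.0) -> List[Tuple[str, float, bool]]:
    """Finding 3: net received quantity outside the PO tolerance.

    Returns (po, deviation_pct, tolerance_missing). POs without a defined tolerance are
    measured against default_tolerance_pct and flagged with tolerance_missing=True so the
    missing configuration is reported as well as the deviation. Open POs with no net
    receipt are skipped: nothing has been delivered yet, so there is no breach to report.
    """
    received = _sum_qty_by_po(movements)
    findings = []
    for po in orders:
        net = received.get(po.po, 0)
        if net == 0:
            continue
        tol = po.tolerance_pct if po.tolerance_pct is not None else default_tolerance_pct
        deviation_pct = (net - po.ordered_qty) / po.ordered_qty * 100
        if abs(deviation_pct) > tol:
            findings.append((po.po, round(deviation_pct, 1), po.tolerance_pct is None))
    return findings


def gr_ir_mismatches(orders: List[PurchaseOrder], movements: List[Movement],
                     invoices: List[Invoice]) -> List[Tuple[str, int, int]]:
    """Finding 2: POs where received and invoiced quantities differ (would remain uncleared)."""
    received = _sum_qty_by_po(movements)
    invoiced = _sum_qty_by_po(invoices)
    return [
        (po.po, received.get(po.po, 0), invoiced.get(po.po, 0))
        for po in orders
        if received.get(po.po, 0) != invoiced.get(po.po, 0)
    ]


if __name__ == "__main__":
    print("GR reversed after invoice match:", gr_reversed_after_invoice_match(MOVEMENTS, INVOICES))
    print("Tolerance breaches (po, deviation %, tolerance missing):",
          delivery_tolerance_breaches(PURCHASE_ORDERS, MOVEMENTS))
    print("GR/IR mismatches (po, received, invoiced):",
          gr_ir_mismatches(PURCHASE_ORDERS, MOVEMENTS, INVOICES))
```

Each check returns the offending document or PO identifiers rather than a count, because the auditor's next step is to trace each item back to the release procedure, movement-type restriction or validation check that should have stopped it. On a real engagement the three lists would be extracted from the ERP with the auditor's own CAAT tool instead of being embedded as constants.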