3c 2 Information Systems Audit

Transcript

  • 1. Information Systems Audit
  • 2. Overview of Presentation
    • What is IS auditing?
    • Who can do IS auditing?
    • Why is IS auditing important?
    • What kinds of work do IS audit wing perform?
    • How do we do our work?
    • Where are we doing IS audits?
    • Experience sharing
  • 3. What is Information Systems Auditing?
    • “Independent and objective appraisal process that assures information is being processed in a safe and sound manner; that operations are efficient, effective, and adequate; and, information assets are safeguarded”
  • 4. Why Is Information Systems Auditing Important?
    • Growing access to and use of computers
    • Growing concern for data security due to proliferation of technology
    • Existence of computer fraud
    • Complexity of systems and computers
    • Protectors of information assets and privacy
  • 5. Who can do IS auditing?
    • Certified Information Systems Auditor (CISA), accredited by the Information Systems Audit and Control Association (ISACA) (international)
    • For technical reviews: partner with persons having the relevant technical skill (guest audit pool members)
  • 6. INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION (ISACA)
    • Founded in 1969 as EDPAA
    • Facilitates a free exchange of audit techniques and problem-solving approaches among members
    • Promotes increased awareness of IS controls
    • Provides membership opportunities for students as well as experienced practitioners
  • 7. Systems Audit - Focus Areas
    • Post-implementation Reviews of ERP (SAP)
    • Application Reviews
    • Security Reviews
    • IS department Operations review
    • Technology Reviews (firewall audit, email audit)
    • Corporate and Department Training
    • Operational Support through Audit Software
  • 8. Uniqueness of IS audit
    • Uniform processing of transactions - systemic effect
    • Absence of segregation of Functions in IT environment
    • Potential for errors & Frauds - no visible trace
    • Necessitates increased management supervision
    • Effectiveness of manual controls (management review) depends on controls over computer processing
    • Transaction Trails in digital form.
  • 9. How Do We Do Our Work?
    • Use CAATs to gather and analyze data
    • Conduct interviews to better understand process, product and control
    • Use detailed audit procedures
    • Complete flowcharts, narratives or other control documents to evaluate key controls
    • Develop recommendations to support and enhance IS controls
  • 10. As Good IS Auditors, We Are
    • Creative
    • Conceptual
    • Excellent Communicator
    • Persuasive
    • Inquisitive
  • 11. As IS Auditors, We Take an Active Role in
    • Internal Auditing
    • Systems Analysis
    • Project Implementations
    • Operations Management
    • External Consulting
    • Specialized Service Provider
  • 12. Systems Audit - Till Now
    • A) EID
      • Software Licensing Compliance Review
      • Data Management review in Parry & Co.
      • SAP Security and Controls review
      • SAP FI-GL review
      • SAP Authorization Review - a gap analysis
      • SAP Business Process review
      • SAP SD Credit Management review
    • B) Coromandel Fertilisers Limited
      • SAP procurement cycle - from purchase request to payment
    • C) Parrys Confectionery Limited
      • IS Security Risks-Controls Gap Review
  • 13. Our experience in SAP reviews
    • Our Observation
      • Reversal of goods receipt after matched with invoice
      • GR/IR clearing not being carried out
      • Tolerance limits for over/under delivery not defined or can be overridden
      • Tolerance checks for invoice release, documents not configured
      • Weaknesses in PO release procedures
      • No restriction on usage of movement types
      • Entry of invoices in FI
      • No validation checks defined
    • Business Impact
      • Risk of unauthorised transactions or inaccurate information
  • 14. Our experience in SAP reviews
    • Our Experience
      • Standards for developing ABAP programs were poor
      • Inadequate documentation for the customised ABAP programs and IMG settings
      • Inadequate handover procedures
      • Customised programs were still in test mode in the production environment
      • Weaknesses in assignment of rights to restrict entry to specific company codes, business areas, plants, etc.
    • Business Impact
      • Difficulty in maintaining the customised programs
      • Difficulty in understanding the rationale for configuration settings
      • Increased time spent by the SAP team in attending to SAP queries
      • Unauthorized transactions
  • 15. Legacy systems review
    • Errors identified at HO are corrected at the back end on the database instead of passing journal entries.
    • Master data tables are accessed by the data input staff at all the depots, resulting in duplication of masters.
    • No procedure for logging of master data changes by a responsible person.
    • Data import errors are expected for every import and corrections are made based on the error report.
    • No protection for sensitive information during transmission or transport.
    • No records to identify critical database assets for planning housekeeping and storage management.
    • No offsite storage is arranged for database files.
    • No formal procedures are available to verify the retention period for data, programs and messages. Users are not aware of the retention period of data sets.
    • No records are maintained of the contents of the program or media library detailing the inventory of its information assets, namely the programs, database files and documents.
  • 16. Thank You
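Slide 9 says the audit wing uses CAATs to gather and analyze data, and slide 13 lists the procurement-cycle weaknesses those analyses surface. The following CAAT-style script is an added example, not part of the presentation or of any real audit tool: it runs three of slide 13's checks (goods receipt reversed after invoice match, over/under-delivery tolerance not defined or breached, GR/IR clearing not carried out) over a small constructed set of SAP-like purchase order, goods receipt and invoice records. All document numbers, quantities, dates and field names are hypothetical.

```python
# Added CAAT-style example over constructed, hypothetical SAP-like procurement records.
from datetime import date

# Constructed sample data (not from any real system). Tolerances are percent of PO quantity.
PURCHASE_ORDERS = {
    "4500001": {"qty": 100, "under_tol_pct": 5, "over_tol_pct": 5},
    "4500002": {"qty": 50, "under_tol_pct": None, "over_tol_pct": None},  # no tolerance set
}
GOODS_RECEIPTS = [
    {"doc": "5000001", "po": "4500001", "qty": 100, "date": date(2024, 3, 1), "reversed_on": date(2024, 3, 20)},
    {"doc": "5000002", "po": "4500002", "qty": 65, "date": date(2024, 3, 5), "reversed_on": None},
    {"doc": "5000003", "po": "4500001", "qty": 97, "date": date(2024, 1, 10), "reversed_on": None},
]
INVOICES = [  # gr_doc links each invoice to the goods receipt it was matched against
    {"doc": "5100001", "po": "4500001", "gr_doc": "5000001", "date": date(2024, 3, 10), "cleared": False},
]
REVIEW_DATE = date(2024, 4, 1)  # constructed "as of" date for the ageing check


def gr_reversed_after_invoice_match(grs=GOODS_RECEIPTS, invoices=INVOICES):
    """Goods receipts reversed after an invoice had already been matched to them."""
    matched_on = {inv["gr_doc"]: inv["date"] for inv in invoices}
    return sorted(gr["doc"] for gr in grs
                  if gr["reversed_on"] and gr["doc"] in matched_on
                  and gr["reversed_on"] > matched_on[gr["doc"]])


def delivery_outside_tolerance(grs=GOODS_RECEIPTS, pos=PURCHASE_ORDERS):
    """Receipts whose PO has no tolerance defined, or whose quantity breaches it."""
    findings = []
    for gr in grs:
        po = pos[gr["po"]]
        if po["under_tol_pct"] is None or po["over_tol_pct"] is None:
            findings.append((gr["doc"], "tolerance not defined"))
            continue
        low = po["qty"] * (100 - po["under_tol_pct"]) / 100
        high = po["qty"] * (100 + po["over_tol_pct"]) / 100
        if not low <= gr["qty"] <= high:
            findings.append((gr["doc"], "outside tolerance"))
    return findings


def open_gr_ir_items(as_of=REVIEW_DATE, max_age_days=30, grs=GOODS_RECEIPTS, invoices=INVOICES):
    """Unreversed receipts older than max_age_days with no matched and cleared invoice."""
    cleared = {inv["gr_doc"] for inv in invoices if inv["cleared"]}
    return sorted(gr["doc"] for gr in grs
                  if not gr["reversed_on"] and gr["doc"] not in cleared
                  and (as_of - gr["date"]).days > max_age_days)


if __name__ == "__main__":
    print("GR reversed after invoice match:", gr_reversed_after_invoice_match())
    print("Tolerance findings:", delivery_outside_tolerance())
    print("Open GR/IR items:", open_gr_ir_items())
```

In a real review the three lists would be extracted from the material document, purchase order and GR/IR account tables rather than embedded, and each hit would be traced back to the release procedure or configuration setting that allowed it.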