Information Systems Audit
Overview of Presentation
What is IS auditing?
Who can do IS auditing?
Why is IS auditing important?
What kinds of work does the IS audit wing perform?
How do we do our work?
Where are we doing IS audits?
What is Information Systems Auditing?
“Independent and objective appraisal process that assures information is being processed in a safe and sound manner; that operations are efficient, effective, and adequate; and, information assets are safeguarded”
Why Is Information Systems Auditing Important?
Growing access to and use of computers
Growing concern for data security due to proliferation of technology
Existence of computer fraud
Complexity of systems and computers
Protectors of information assets and privacy
Who can do IS auditing?
Certified Information Systems Auditor (CISA), accredited by the Information Systems Audit and Control Association (ISACA) (international)
For technical reviews - partner with persons having the relevant technical skill (guest audit pool members)
INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION (ISACA)
Founded in 1969 as EDPAA
Facilitates a free exchange of audit techniques and problem-solving approaches among members
Promotes increased awareness of IS controls
Provides membership opportunities for students as well as experienced practitioners
Systems Audit - Focus Areas
Post-implementation Reviews of ERP (SAP)
IS department Operations review
Technology Reviews (firewall audit, email audit)
Corporate and Department Training
Operational Support through Audit Software
Uniqueness of IS audit
Uniform processing of transactions - systemic effect
Absence of segregation of functions in the IT environment
Potential for errors and frauds - no visible trace
Necessitates increased management supervision
Effectiveness of manual controls (management review) depends on controls over computer processing
Transaction Trails in digital form.
How Do We Do Our Work?
Use CAATs (computer-assisted audit techniques) to gather and analyze data
Conduct interviews to better understand process, product and control
Use detailed audit procedures
Complete flowcharts, narratives or other control documents to evaluate key controls
Develop recommendations to support and enhance IS controls
We, as good IS auditors, are
As IS auditors, we take an active role in
Specialized Service Provider
Systems Audit - Till Now
Software Licensing Compliance Review
Data Management review in Parry & Co.
SAP Security and Controls review
SAP FI- GL review
SAP Authorization Review - a gap analysis
SAP Business process review
SAP - SD credit management review
B) Coromandel Fertilizers Limited
SAP - procurement cycle - from purchase request to payment
C) Parrys Confectionery Limited
IS Security Risks-Controls Gap Review
Our experience in SAP reviews
Reversal of goods receipt after matched with invoice
GR/IR clearing not being carried out
Tolerance limits for over/under delivery not defined or can be overridden
Tolerance checks for invoice release, documents not configured
Weaknesses in PO release procedures
No restriction on usage of movement types
Entry of invoices in FI
No validation checks defined
Our Observation - Business Impact
Risk of unauthorised transactions or inaccurate information
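As an added example (not part of the presentation), the following CAAT-style check runs over constructed procure-to-pay records and flags three of the SAP weaknesses listed above: a goods receipt reversed after the invoice was matched, an invoiced quantity outside the delivery tolerance, and GR/IR clearing not carried out. The record layout, field names and tolerance value are assumptions for illustration.

```python
# Added example, not from the presentation: a CAAT-style check over constructed
# procure-to-pay records that flags three weaknesses the slides list.
# Field names and the 5% tolerance are assumptions for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class GoodsReceipt:
    po: str
    qty: int
    posted: date
    reversed_on: Optional[date] = None   # set when the receipt was reversed

@dataclass
class Invoice:
    po: str
    qty: int
    posted: date
    matched_gr: bool   # invoice was verified against a goods receipt
    cleared: bool      # GR/IR clearing account entry has been cleared

def audit_p2p(receipts, invoices, tolerance_pct=5.0):
    # Returns (po, finding) tuples a reviewer would follow up
    findings, by_po = [], {}
    for gr in receipts:
        by_po.setdefault(gr.po, []).append(gr)
    for inv in invoices:
        grs = by_po.get(inv.po, [])
        # 1. Goods receipt reversed after the invoice had been matched to it
        if inv.matched_gr and any(gr.reversed_on and gr.reversed_on > inv.posted
                                  for gr in grs):
            findings.append((inv.po, "GR reversed after invoice match"))
        # 2. Invoiced quantity outside the over/under delivery tolerance
        received = sum(gr.qty for gr in grs if not gr.reversed_on)
        if received and abs(inv.qty - received) * 100 / received > tolerance_pct:
            findings.append((inv.po, "qty outside tolerance"))
        # 3. Invoice matched but GR/IR clearing never carried out
        if inv.matched_gr and not inv.cleared:
            findings.append((inv.po, "GR/IR not cleared"))
    return findings

# Constructed sample data: one clean PO and two with the weaknesses above
RECEIPTS = [
    GoodsReceipt("PO-1", 100, date(2024, 1, 5)),
    GoodsReceipt("PO-2", 100, date(2024, 1, 6), reversed_on=date(2024, 1, 20)),
    GoodsReceipt("PO-3", 100, date(2024, 1, 7)),
]
INVOICES = [
    Invoice("PO-1", 100, date(2024, 1, 10), matched_gr=True, cleared=True),
    Invoice("PO-2", 100, date(2024, 1, 10), matched_gr=True, cleared=False),
    Invoice("PO-3", 120, date(2024, 1, 10), matched_gr=True, cleared=True),
]
```

Calling `audit_p2p(RECEIPTS, INVOICES)` lists the two PO-2 findings and the PO-3 tolerance breach; in a real review the same logic would be run over extracts of the MM and FI document tables.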
Our experience in SAP reviews
Standards for developing ABAP programs were poor
Inadequate documentation for the customised ABAP programs and IMG settings
Inadequate handover procedures
Customised programs were still in test mode in the production environment
Weaknesses in assignment of rights to restrict entry to specific company codes, business areas, plants, etc.
Our Experience - Business Impact
Difficulty in maintaining the customised programs
Difficulty in understanding rationale for configuration settings.
Increased time spent by the SAP team in attending to SAP queries.
Legacy systems review
Errors identified at HO (head office) are corrected at the back end on the database instead of by passing journal entries.
Master data tables are accessed by the data input staff at all the depots resulting in duplication of masters.
No procedure of logging the master data changes by a responsible person.
Data import errors are expected for every import and corrections are made based on the error report.
No protection for sensitive information during transmission or transport.
No records to identify critical database assets for planning housekeeping and storage management.
No offsite storage is arranged for database files.
No formal procedures are available to verify the retention period for data, programs and messages. Users are not aware of the retention period of data sets.
No records are maintained of the contents of the program or media library detailing the inventory of information assets, namely the programs, database files and documents.