Isa 2

information system and assurance
1. Information Security & Assurance – An Overview

2. Introduction
• The decision-making process of a legacy organization is now computerized.
• The inputs are no longer readily available; the decision maker depends on certain computer-savvy employees to provide the desired information, now called DATA.
• Decision makers become apprehensive about taking decisions as doubts creep in, such as:

3. Introduction
• Do I need to know the technology to justify my role?
• How do I know that I am not being misguided by people who sometimes take me for granted?

4. Introduction
• Does power generally lie in the hands of those who have access to information? What will happen to the domain knowledge that I have painstakingly acquired?
• And finally, am I sitting on the fence because of these apprehensions?

5. Introduction
• Picture a situation where you want to purchase a commodity from a website.
• It requires you to pay by credit card before you receive the goods.
• A host of apprehensions surface in your mind, such as:
– Are the goods authentic?
– Are they in working order?
– If I send the money, what options will I have if I never receive the goods, or if they are not of the standard or quality represented?

6. Introduction
– Is it safe to disclose my credit card information on the website?
– Will my name, credit card information and other particulars be passed on to telemarketing agencies?
• The first three reflect your apprehension about the organization; the last two reflect your concerns as a customer.
• There are no concrete answers to these questions.
• What you really need is assurance!

7. Assurance services
• The AICPA's (American Institute of Certified Public Accountants) special committee on assurance services defines assurance as:
– Independent professional services that improve the quality of information, or its context, for decision makers.
– The word "independent" means unbiased.

8. Need for Assurance
• In general, the need for assurance services arises because of:
– Potential bias in providing information; that is, the party providing the information may want to convey a better impression than the real circumstances merit.
– Remoteness between a user and the organization or trading partner.
– Complexity of the transactions, information or processing system.
– Risk management.
– Voluminous data.

9. Bias in Providing Information
• Take the example of lending activity:
– There is a considerable likelihood that a borrower may submit an inaccurate statement to increase the chances of obtaining a loan.
• Likewise, the seller of goods and services has a vested interest in convincing you that the product being sold is worth more than a similar product you could obtain elsewhere.

10. Bias in Providing Information
• The management of a company can also give misinformation about its financial position to attract investment.
• In all the above cases, assurance helps provide reliable information to decision makers.

11. Remoteness of User
• Thanks to the Internet, online buying and selling has certain concomitant disadvantages.
• For instance, there is no personal interaction with the seller.

12. Remoteness of User
• The buyer is unable to physically examine the product before purchase.
• This remoteness creates the need for assurance regarding:
– Trustworthiness of the individual seller
– Quality of the product
– Authenticity of the information received

13. Complexity of the system
• The complexity and dynamism of IT systems have changed dramatically over the last decade.
• Today, domain knowledge alone may not be sufficient to understand the various ways in which controls are implemented.
• One probably also needs knowledge of the technology that drives the process.
• In such a scenario, it is comforting for management to know that they can seek assurance services whenever needed.

14. Risk Management
• Consider a bank manager's decision to grant a loan to a business concern.
• If the bank decides to give the loan, it will charge a rate of interest determined primarily by three factors:
– Cost of funds
– Business risk of the borrower
– Information risk to the lender

15. Voluminous Data
• As an organization grows and the volume of organizational information and data increases, the chance of misstating facts also rises.
• Sometimes there may be a need for an independent third party to identify such misstatements and give an opinion on them.

16. Characteristics of Assurance Services
• Assurance services have three critical components:
– An assurance provider
– The information or process on which assurance is provided
– A user or group of users/beneficiaries who derive value from the assurance service provided

17. Types of Assurance Services
• Assurance services can be classified into:
– Attestation services
• Involve the evaluation of an assertion made by one party for a third party.
• Example: the traditional statutory audit.
– Non-attestation services
• Do not involve a third party.
• Internal audits and control self-assessment audits are mainly self-imposed and do not involve any third party.

18. Types of Assurance Services (diagram)
• Attestation services: Audit, Compliance review, IS audit
• Non-attestation services: Internal audit, Control self-assessment audit, Management consulting

19. Evolution of Information System Audit
• IS auditing, formerly called Electronic Data Processing (EDP) auditing, evolved as an extension of traditional auditing.
• The need for IS audit arose for several reasons, some of which are:
– Auditors realized that a lack of knowledge of computers had adversely affected their ability to perform the attestation function.

20. Evolution of Information System Audit
– Information processing management recognized that computer systems were vital to compete effectively with other concerns in the business environment and, like other valuable business resources within the organization, had a critical need for control and auditability.
– With the growing digitization of information, it was felt that evidence collection, evaluation and the entire process of traditional audit needed a paradigm shift.

21. Evolution of Information System Audit
– Professional associations, organizations, government bodies and regulators recognized the need for IT control and audit.

22. The IS Lifecycle in the organization
• For any legacy organization, IS deployment follows three phases:
– Pervasion
• Initial phase, where the objective of the organization is the popularization of IT.
– Consolidation
• Second stage, where the organization, now with widespread use of IT, tries to consolidate the IS.
• Involves ascertaining who uses what, which technology is popular, any constraints in the use of resources, etc.
– Control
• The organization tries to put in place an appropriate mechanism of control and security.

23. The lifecycle of IT absorption in an organization (diagram)
• Pervasion: uncontrolled use, no restriction, popularization
• Consolidation: consolidation, standardization
• Control: restriction, control, information security framework, audit

24. The Knowledge Requirement of an IS professional (Auditor)
• The auditor should be better at business than the client.
• The IS auditor should be more familiar with the information system than the IS manager in the organization.
• To understand the role of the IS auditor, it is important to first understand what IS audit is.

25. The Knowledge Requirement of an IS Auditor
• Ron Weber defines it thus:
– Information systems auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.

26. The Knowledge Requirement of an IS Auditor
• According to the definition on the previous slide, the job of the IS auditor is to give the company assurance that the computer system helps achieve the following objectives:
– Safeguarding assets
– Maintaining data integrity
– Fulfilling organizational goals effectively
– Consuming resources efficiently

27. The Knowledge Requirement of an IS Auditor
• Data integrity has no meaning in the organization if assets are not safeguarded.
• Effectiveness has no meaning unless there is integrity of data, and
• Efficiency (doing things right) is futile in the absence of efficacy (doing the right things).

28. The Knowledge Requirement of an IS Auditor
• Asset Safeguarding
– The IT Governance Institute (USA), in its governance model COBIT (Control Objectives for Information and related Technology), defines IT resources as comprising:
• Data: objects in their widest sense – external and internal, structured and unstructured, graphics, sound, etc.
• Application software: the sum of manual and programmed procedures
• Technology: hardware, operating systems, database management systems, networks, multimedia, etc.
• Facilities: resources to house and support information systems
• People: staff skills, awareness and productivity in planning, organizing, acquiring, delivering, supporting and monitoring IS and services

29. The Knowledge Requirement of an IS Auditor
• Data Integrity
– Refers to the accuracy and completeness of data; very important from the assurance point of view.
• Effectiveness
– Doing the right things.
– From the IS point of view, it implies knowledge of user needs.
– The auditor must know the needs of the user and the nature of the decision-making environment.
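The two halves of that definition, accuracy and completeness, are concrete enough to test. The following is an added example, not part of the deck: it runs the kind of checks an IS auditor would apply to an exported transaction ledger, treating a gap or repeat in the sequence numbers as a completeness finding and a record that no longer matches its hash-chain link, or a closing balance that does not reconcile with the detail, as an accuracy finding. The ledger layout (seq, account, amount, link), the chained SHA-256 link and the sample postings are assumptions constructed for the illustration.

```python
"""Integrity checks over an exported ledger, as an IS auditor might run them.

Added example; the ledger layout (seq, account, amount, link) and the
hash-chain link are assumptions made for illustration, not a real format.
"""
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # link value assumed for the record before the first one


def link_hash(prev_link, record):
    """SHA-256 over the previous link and this record's fields (minus its own link)."""
    body = {k: v for k, v in record.items() if k != "link"}
    payload = prev_link + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_ledger(entries):
    """Chain (seq, account, amount) tuples into records, each carrying its link."""
    ledger, prev = [], GENESIS
    for seq, account, amount in entries:
        rec = {"seq": seq, "account": account, "amount": amount}
        rec["link"] = link_hash(prev, rec)
        ledger.append(rec)
        prev = rec["link"]
    return ledger


def audit_ledger(ledger, opening_balance, reported_closing):
    """Return a list of findings; an empty list means the ledger passed."""
    findings = []

    # Completeness: sequence numbers must run 1..N with no gaps or repeats.
    seqs = [r["seq"] for r in ledger]
    if seqs:
        missing = sorted(set(range(1, max(seqs) + 1)) - set(seqs))
        if missing:
            findings.append(f"completeness: missing sequence numbers {missing}")
    dups = sorted(s for s, n in Counter(seqs).items() if n > 1)
    if dups:
        findings.append(f"completeness: duplicated sequence numbers {dups}")

    # Accuracy (1): each record must still hash to the link it carries, so a
    # field changed after export, or a record removed from the middle of the
    # chain, shows up on the record whose link no longer verifies.
    prev = GENESIS
    for rec in ledger:
        if link_hash(prev, rec) != rec["link"]:
            findings.append(f"accuracy: record seq {rec['seq']} does not match its chain link")
        prev = rec["link"]  # continue from the stored link so each break is reported once

    # Accuracy (2): the reported closing balance must reconcile with the detail.
    computed = opening_balance + sum(r["amount"] for r in ledger)
    if computed != reported_closing:
        findings.append(f"accuracy: computed closing balance {computed} != reported {reported_closing}")
    return findings


# Constructed sample data: opening balance 1000, four postings, closing 1300.
SAMPLE_ENTRIES = [(1, "sales", 100), (2, "refund", -40), (3, "sales", 250), (4, "fees", -10)]
OPENING, CLOSING = 1000, 1300


def clean_ledger():
    return build_ledger(SAMPLE_ENTRIES)


def tampered_ledger():
    """Same ledger with the refund amount altered after export."""
    ledger = copy.deepcopy(clean_ledger())
    ledger[1]["amount"] = -400
    return ledger


def gapped_ledger():
    """Same ledger with record 3 dropped from the export."""
    return [r for r in clean_ledger() if r["seq"] != 3]


if __name__ == "__main__":
    cases = (("clean", clean_ledger()), ("tampered", tampered_ledger()), ("gapped", gapped_ledger()))
    for name, ledger in cases:
        print(name, audit_ledger(ledger, OPENING, CLOSING) or ["no findings"])
```

The three checks are deliberately independent: the sequence check finds records that never arrived, the chain check finds records altered or removed after the chain was written, and the reconciliation catches what the other two cannot, such as records silently truncated from the end of the export, which leave neither a gap nor a broken link.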
30. The Knowledge Requirement of an IS Auditor
• Efficiency
– From the auditor's perspective, doing a job effectively using minimum resources, or using minimal resources to achieve the desired objectives.

31. The knowledge requirement for an IS auditor (diagram)
• IS audit draws on four disciplines:
– Traditional auditing: internal control philosophy
– IS management: project management, documentation
– Computer science: the computer domain
– Behavioral science: organizational behavior

32. Benefits of IS Audit for an Organization
• Some of the benefits an organization receives are:
– Mapping business controls to IT applications
– Business process re-engineering
– An IT security policy
– Security awareness
– Better return on investment (ROI)
– Risk management

33. Changing Role of IS Auditors and the Relevance of COBIT
• Rapidly changing technology.
• Development of new business models.
• Outsourcing, downsizing, decentralization.

Traditional role      New role
Detection             Prevention
Policemen             Business partner
Focus on audit        Focus on business
Focus on cost         Focus on customer
Focus on function     Focus on process
Auditor               Risk manager
Hierarchical          Team
Quill pen             Technology