IS Quality Assurance & Control

AGENDA
- Why are control and audit important?
- Global concern for control and audit
- Legal issues impacting IT
- Protecting against computer fraud
- Audit standards
- Definition and role of an IT auditor
IT Technology Environment: Why Are Controls and Audit Important?

At that time, the need for an IT audit function came from several directions:
- Auditors realized that computers had impacted their ability to perform the attestation function.
- Corporate and information processing management recognized that computers were key resources for competing in the business environment, similar to other valuable business resources within the organization, and therefore that control and auditability were critical.
- Professional associations and organizations, and government entities, recognized the need for IT control and auditability.
IT Technology Environment: Why Are Controls and Audit Important? (2)

IT auditing is an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems.
A Global Concern about Control and Audit

The events of September 11, 2001, and the collapse of trust in the financial reports of private industry (Enron, WorldCom, etc.) have caused much reflection and self-assessment within the business world.

Case in Indonesia: Bank Bali
Solution with forensic accountants
Legal Issues Impacting IT

The financial scandals involving Enron and Arthur Andersen LLP, and others, generated a demand for new legislation to prevent, detect, and correct such aberrations.
Computer Crime and Security Survey

The Computer Crime and Security Survey (the 2002 edition was the latest at the time), a sample study of large corporations and government agencies conducted by the Computer Security Institute (CSI) and the FBI, revealed the following:
- 90 percent of respondents had detected computer security breaches within the past 12 months (in 1998, this was 64 percent).
- 80 percent acknowledged financial losses due to computer security breaches.
- 44 percent quantified their financial losses, for a total of $455,848,000 in losses among 223 respondents.
- 74 percent cited their Internet connection as a frequent point of attack.
- 33 percent cited their internal systems as a frequent point of attack.
- 34 percent reported the intrusions to law enforcement (this has more than doubled since 1996).
Protection against Computer Fraud

The FBI's National Computer Crime Squad offers the following advice to help protect against computer fraud:
- Place a log-in banner to ensure that unauthorized users are warned that they may be subject to monitoring.
- Turn audit trails on.
- Consider keystroke-level monitoring if an adequate banner is displayed.
- Request trap and trace from your local telephone company.
- Consider installing caller identification.
- Make backups of damaged or altered files.
- Maintain old backups to show the status of the original.
Protection against Computer Fraud (2)

- Designate one person to secure potential evidence. Evidence can consist of tape backups and printouts. These pieces of evidence should be documented and verified by the person obtaining the evidence. Evidence should be retained in a locked cabinet with access limited to one person.
- Keep a record of resources used to reestablish the system and locate the perpetrator.
- Encrypt files.
- Encrypt transmissions.
- Use one-time password (OTP) generators.
- Use secure firewalls.
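The advice above says evidence should be documented and verified by the person securing it, but does not say how. The following is an added example (not from the original slides or the FBI's guidance) of one way a designated custodian can do that: hash every evidence item at collection time, record who collected it and when in a manifest, protect the manifest with its own digest, and re-hash the items later so any altered or missing item is detected. The file names, file contents, case ID and custodian name are constructed for the demonstration.

```python
"""Evidence preservation helper: hash, document, and re-verify evidence files.

Added example, not part of the original slides or the FBI's advice. The
manifest fields, file names, contents, case ID and custodian name are all
constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_digest(items):
    """Digest over the item records, so the manifest itself can be checked for tampering."""
    return hashlib.sha256(json.dumps(items, sort_keys=True).encode()).hexdigest()


def build_manifest(paths, custodian, case_id):
    """Record each evidence item: name, digest, size, who collected it and when (UTC)."""
    items = [{
        "path": os.path.basename(p),
        "sha256": sha256_file(p),
        "size": os.path.getsize(p),
        "collected_by": custodian,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    } for p in paths]
    # The custodian should keep manifest_sha256 out of band (e.g. on a signed paper
    # record in the locked cabinet) so the manifest cannot be quietly rewritten later.
    return {"case_id": case_id, "items": items, "manifest_sha256": manifest_digest(items)}


def manifest_intact(manifest):
    """True if the item records still match the digest recorded at collection time."""
    return manifest_digest(manifest["items"]) == manifest["manifest_sha256"]


def verify_manifest(manifest, directory):
    """Re-hash every item; map each path to 'ok', 'modified' or 'missing'."""
    results = {}
    for item in manifest["items"]:
        full = os.path.join(directory, item["path"])
        if not os.path.exists(full):
            results[item["path"]] = "missing"
        elif sha256_file(full) != item["sha256"]:
            results[item["path"]] = "modified"
        else:
            results[item["path"]] = "ok"
    return results


def demo():
    """Constructed scenario: collect two items, then one is altered and one goes missing."""
    workdir = tempfile.mkdtemp()
    sample = {  # constructed evidence contents, not real captures
        "syslog-backup.txt": b"Jan  1 03:14:07 host sshd: Failed password for root\n",
        "ledger-printout.txt": b"ACCT 1001  TRANSFER  9.99\n",
    }
    paths = []
    for name, content in sample.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(content)
        paths.append(path)

    manifest = build_manifest(paths, custodian="J. Doe (designated custodian)", case_id="CASE-0001")
    before = verify_manifest(manifest, workdir)

    # After collection: someone appends a line to the ledger and the syslog copy disappears.
    with open(paths[1], "ab") as f:
        f.write(b"ACCT 1001  TRANSFER  99999.00\n")
    os.remove(paths[0])
    after = verify_manifest(manifest, workdir)
    return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("at collection:", before)
    print("later:        ", after)
```

Hashing at collection time is what turns "the backup shows the original state" into a claim that can be checked by a third party: anyone holding the manifest digest can confirm neither the items nor the manifest changed since the custodian signed for them.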
Audit Standards

- American Institute of Certified Public Accountants (AICPA)
- The Institute of Internal Auditors (IIA)
- Information Systems Audit and Control Association (ISACA)
- Canadian Institute of Chartered Accountants (CICA)
- International Federation of Accountants (IFAC)
- Information Systems Security Association (ISSA)
- Society for Information Management (SIM)
- Association of Information Technology Professionals (AITP)
- International Federation for Information Processing (IFIP)
- Association for Computing Machinery (ACM)
- The Institute of Chartered Accountants in Australia (ICAA)
- National Institute of Standards and Technology (NIST)
- General Accounting Office (GAO)
- The International Organization of Supreme Audit Institutions (INTOSAI)
Definition of an IT Auditor

An individual qualified (at the state level) to conduct audits. An auditor may be an internal auditor (an individual whose primary job function is to audit his or her own company) or an external auditor (an individual from outside the company, who typically is employed by an auditing firm that handles many different clients).
Role of an IT Auditor

IT auditors can perform a number of key roles: [1]
- Initiating IT governance programmes
- Assessing the current state
- Planning IT governance solutions
- Monitoring IT governance initiatives
- Helping make IT governance business as usual

[1] Based on: ITGI, IT Governance Implementation Guide: Using COBIT® and Val IT™, 2nd Edition, 2007
Role of an IT Auditor (2)

IT auditors can also help to drive business benefits from better IT governance:
- Transparency and accountability
- Return on investment / stakeholder value
- Opportunities and partnerships
- Performance improvement
- External compliance