3c 2 Information Systems Audit




1. Information Systems Audit

2. Overview of Presentation
- What is IS auditing?
- Who can do IS auditing?
- Why is IS auditing important?
- What kinds of work does the IS audit wing perform?
- How do we do our work?
- Where are we doing IS audits?
- Experience sharing

3. What is Information Systems Auditing?
"Independent and objective appraisal process that assures information is being processed in a safe and sound manner; that operations are efficient, effective, and adequate; and, information assets are safeguarded"

4. Why Is Information Systems Auditing Important?
- Growing access to and use of computers
- Growing concern for data security due to the proliferation of technology
- Existence of computer fraud
- Complexity of systems and computers
- IS auditors act as protectors of information assets and privacy

5. Who can do IS auditing
- A Certified Information Systems Auditor (CISA), a certification awarded by the Information Systems Audit and Control Association (ISACA) (international)
- For technical reviews: partner with persons having the relevant technical skill (guest audit pool members)

6. Information Systems Audit and Control Association (ISACA)
- Founded in 1969 as the EDP Auditors Association (EDPAA)
- Facilitates a free exchange of audit techniques and problem-solving approaches among members
- Promotes increased awareness of IS controls
- Provides membership opportunities for students as well as experienced practitioners

7. Systems Audit - Focus Areas
- Post-implementation reviews of ERP (SAP)
- Application reviews
- Security reviews
- IS department operations review
- Technology reviews (firewall audit, email audit)
- Corporate and department training
- Operational support through audit software

8. Uniqueness of IS audit
- Uniform processing of transactions: a defect in program logic affects every transaction that program processes (systemic effect)
- Absence of segregation of functions in the IT environment
- Potential for errors and frauds that leave no visible trace
- Necessitates increased management supervision
- Effectiveness of manual controls (management review) depends on controls over computer processing
- Transaction trails exist only in digital form

9. How Do We Do Our Work?
- Use CAATs (computer-assisted audit techniques) to gather and analyze data
- Conduct interviews to better understand the process, product and controls
- Use detailed audit procedures
- Complete flowcharts, narratives or other control documents to evaluate key controls
- Develop recommendations to support and enhance IS controls

10. A Good IS Auditor Is
- Creative
- Conceptual
- An excellent communicator
- Persuasive
- Inquisitive

11. As IS Auditors, We Take an Active Role in
- Internal auditing
- Systems analysis
- Project implementations
- Operations management
- External consulting
- Specialized service provision

12. Systems Audit - Till Now
A) EID
- Software licensing compliance review
- Data management review in Parry & Co.
- SAP security and controls review
- SAP FI-GL review
- SAP authorization review: a gap analysis
- SAP business process review
- SAP SD credit management review
B) Coramandel Fertilizers Limited
- SAP procurement cycle: from purchase request to payment
C) Parrys Confectionery Limited
- IS security risks-controls gap review
13. Our Experience in SAP Reviews
Our observations:
- Reversal of goods receipt after it has already been matched with the invoice
- GR/IR clearing not being carried out
- Tolerance limits for over/under delivery not defined, or can be overridden
- Tolerance checks for invoice release and documents not configured
- Weaknesses in PO release procedures
- No restriction on usage of movement types
- Entry of invoices directly in FI, bypassing MM invoice verification (no match against PO and goods receipt)
- No validation checks defined
Business impact:
- Risk of unauthorised transactions or inaccurate information
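The CAAT approach on slide 9 and the procurement findings above are the kind of thing an auditor scripts rather than samples by hand. The Python below is an added example written for this page, not code from the presentation or from SAP: it runs four exception tests over a constructed, hypothetical extract whose field names loosely mirror SAP material documents, invoice items and PO items (movement type 101 is a goods receipt against a PO, 102 its reversal). The tolerance percentage and the per-user movement-type allow list are assumptions standing in for the configured tolerance keys and authorization profile an auditor would pull from the live system.

```python
"""Exception tests for an SAP-style procure-to-pay extract (constructed data)."""
from collections import defaultdict
from datetime import date

# Constructed PO items: (po, item) -> ordered quantity and net price per unit.
PO_ITEMS = {
    ("4500001", 10): {"qty": 100, "price": 50.0},
    ("4500002", 10): {"qty": 20, "price": 200.0},
    ("4500003", 10): {"qty": 10, "price": 75.0},
}

# Constructed material documents. mvt 101 = goods receipt for PO, 102 = GR reversal.
MATERIAL_DOCS = [
    {"doc": "5000001", "date": date(2024, 3, 1), "po": "4500001", "item": 10, "mvt": "101", "qty": 100, "user": "STORES1"},
    {"doc": "5000002", "date": date(2024, 3, 2), "po": "4500002", "item": 10, "mvt": "101", "qty": 20, "user": "STORES1"},
    {"doc": "5000003", "date": date(2024, 3, 9), "po": "4500001", "item": 10, "mvt": "102", "qty": 100, "user": "STORES2"},
    {"doc": "5000004", "date": date(2024, 3, 10), "po": "4500003", "item": 10, "mvt": "101", "qty": 10, "user": "FINCLERK"},
]

# Constructed invoice items posted through logistics invoice verification.
INVOICES = [
    {"doc": "5100001", "date": date(2024, 3, 5), "po": "4500001", "item": 10, "qty": 100, "amount": 5000.0},
    {"doc": "5100002", "date": date(2024, 3, 6), "po": "4500002", "item": 10, "qty": 20, "amount": 4400.0},
]

# Hypothetical allow list: which movement types each user is authorised to post.
ALLOWED_MVT = {"STORES1": {"101", "102"}, "STORES2": {"101"}, "FINCLERK": set()}


def gr_reversed_after_invoice(material_docs, invoices):
    """GR reversals (102) posted on or after an invoice was already matched to the same PO item."""
    invoice_dates = defaultdict(list)
    for inv in invoices:
        invoice_dates[(inv["po"], inv["item"])].append(inv["date"])
    hits = []
    for md in material_docs:
        key = (md["po"], md["item"])
        if md["mvt"] == "102" and any(d <= md["date"] for d in invoice_dates.get(key, [])):
            hits.append(md["doc"])
    return hits


def gr_ir_open_items(material_docs, invoices):
    """PO items where net received quantity and invoiced quantity disagree (GR/IR not cleared)."""
    gr_qty = defaultdict(int)
    for md in material_docs:
        sign = 1 if md["mvt"] == "101" else -1 if md["mvt"] == "102" else 0
        gr_qty[(md["po"], md["item"])] += sign * md["qty"]
    ir_qty = defaultdict(int)
    for inv in invoices:
        ir_qty[(inv["po"], inv["item"])] += inv["qty"]
    keys = set(gr_qty) | set(ir_qty)
    return {k: (gr_qty[k], ir_qty[k]) for k in sorted(keys) if gr_qty[k] != ir_qty[k]}


def price_tolerance_breaches(po_items, invoices, tolerance_pct):
    """Invoices whose unit price deviates from the PO price by more than tolerance_pct."""
    breaches = []
    for inv in invoices:
        po = po_items[(inv["po"], inv["item"])]
        unit_price = inv["amount"] / inv["qty"]
        deviation = (unit_price - po["price"]) / po["price"] * 100
        if abs(deviation) > tolerance_pct:
            breaches.append((inv["doc"], round(deviation, 1)))
    return breaches


def movement_type_exceptions(material_docs, allowed):
    """Material documents posted with a movement type the posting user is not allowed to use."""
    return [md["doc"] for md in material_docs if md["mvt"] not in allowed.get(md["user"], set())]


if __name__ == "__main__":
    print("GR reversed after invoice match:", gr_reversed_after_invoice(MATERIAL_DOCS, INVOICES))
    print("GR/IR open items:", gr_ir_open_items(MATERIAL_DOCS, INVOICES))
    print("Price tolerance breaches (>5%):", price_tolerance_breaches(PO_ITEMS, INVOICES, 5.0))
    print("Movement type exceptions:", movement_type_exceptions(MATERIAL_DOCS, ALLOWED_MVT))
```

Each function returns document or PO-item keys rather than printing, so the same tests can be re-run against the full population after the interviews confirm which configuration the observation refers to. The reversal test deliberately treats an invoice dated the same day as the reversal as "already matched", since posting order within a day is not recoverable from dates alone; a real run would use the document timestamp.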
14. Our Experience in SAP Reviews
Our observations:
- Standards for developing ABAP programs were poor
- Inadequate documentation for the customised ABAP programs and IMG settings
- Inadequate handover procedures
- Customised programs were still in test mode in the production environment
- Weaknesses in the assignment of rights to restrict entry to specific company codes, business areas, plants etc.
Business impact:
- Difficulty in maintaining the customised programs
- Difficulty in understanding the rationale for configuration settings
- Increased time spent by the SAP team in responding to SAP queries
- Unauthorized transactions
15. Legacy Systems Review
- Errors identified at HO are corrected at the back end on the database instead of passing journal entries.
- Master data tables are accessed by the data input staff at all the depots, resulting in duplication of masters.
- No procedure for logging master data changes by a responsible person.
- Data import errors are expected for every import, and corrections are made based on the error report.
- No protection for sensitive information during transmission or transport.
- No records to identify critical database assets for planning housekeeping and storage management.
- No offsite storage is arranged for database files.
- No formal procedures are available to verify the retention period for data, programs and messages. Users are not aware of the retention period of data sets.
- No records are maintained of the contents of the program or media library detailing the inventory of information assets, namely the programs, database files and documents.
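Three of the legacy findings above (back-end corrections instead of journal entries, duplicate masters keyed in at several depots, and master data changes that are not logged) can each be turned into a data-driven test. The Python below is an added example for this page, not code from the presentation or from the systems it reviewed; all records, balances and the change log are constructed, and the field names are hypothetical.

```python
"""CAAT checks for the legacy-system findings above (constructed data)."""
import re
from collections import defaultdict

# Constructed customer master extract; 'depot' is where the record was keyed in.
MASTERS = [
    {"id": "C001", "depot": "CHENNAI", "name": "Sri Ram Traders", "city": "Madurai", "pan": "ABCDE1234F"},
    {"id": "C002", "depot": "COIMBATORE", "name": "SRI RAM TRADERS.", "city": "MADURAI", "pan": "ABCDE1234F"},
    {"id": "C003", "depot": "SALEM", "name": "Sriram Traders Pvt Ltd", "city": "Madurai", "pan": "ABCDE1234F"},
    {"id": "C004", "depot": "SALEM", "name": "Kumar Agencies", "city": "Salem", "pan": "KLMNO5678P"},
]

# Constructed before/after snapshots of sensitive master fields and the change log kept by HO.
BEFORE = {"C001": {"credit_limit": 100000, "bank_acct": "1111"}, "C004": {"credit_limit": 50000, "bank_acct": "4444"}}
AFTER = {"C001": {"credit_limit": 250000, "bank_acct": "9999"}, "C004": {"credit_limit": 50000, "bank_acct": "4444"}}
CHANGE_LOG = [{"id": "C001", "field": "credit_limit", "user": "CREDITMGR"}]

# Constructed GL balances at two dates and the journal entries posted between them.
BALANCES_BEFORE = {"4001": 1000.0, "4002": 500.0}
BALANCES_AFTER = {"4001": 1300.0, "4002": 400.0}
JOURNALS = [{"acct": "4001", "amount": 300.0}]

LEGAL_SUFFIXES = {"pvt", "ltd", "private", "limited", "co", "company"}


def normalize(text):
    """Lower-case, strip punctuation and legal-form suffixes so spelling variants compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def duplicate_masters(records):
    """Group records that describe the same party under different ids, by name+city and by tax id."""
    by_name_city = defaultdict(list)
    by_pan = defaultdict(list)
    for r in records:
        by_name_city[(normalize(r["name"]), normalize(r["city"]))].append(r["id"])
        by_pan[r["pan"].strip().upper()].append(r["id"])
    return {
        "name_city": {k: sorted(v) for k, v in by_name_city.items() if len(v) > 1},
        "pan": {k: sorted(v) for k, v in by_pan.items() if len(v) > 1},
    }


def unlogged_master_changes(before, after, change_log):
    """Fields that differ between snapshots but have no corresponding change-log entry."""
    logged = {(e["id"], e["field"]) for e in change_log}
    findings = []
    for rec_id in sorted(set(before) | set(after)):
        old, new = before.get(rec_id, {}), after.get(rec_id, {})
        for field in sorted(set(old) | set(new)):
            if old.get(field) != new.get(field) and (rec_id, field) not in logged:
                findings.append((rec_id, field, old.get(field), new.get(field)))
    return findings


def balance_changes_without_journals(before, after, journals):
    """Accounts whose balance moved by more than the journals posted to them explain."""
    posted = defaultdict(float)
    for j in journals:
        posted[j["acct"]] += j["amount"]
    findings = []
    for acct in sorted(set(before) | set(after)):
        movement = after.get(acct, 0.0) - before.get(acct, 0.0)
        unexplained = round(movement - posted[acct], 2)
        if unexplained != 0:
            findings.append((acct, unexplained))
    return findings


if __name__ == "__main__":
    print("Duplicate masters:", duplicate_masters(MASTERS))
    print("Unlogged master changes:", unlogged_master_changes(BEFORE, AFTER, CHANGE_LOG))
    print("Balance movements without journals:", balance_changes_without_journals(BALANCES_BEFORE, BALANCES_AFTER, JOURNALS))
```

The duplicate test shows why a second key matters: "Sriram Traders" does not normalise to the same string as "Sri Ram Traders", so only the tax-id grouping ties all three depot records together. The balance reconciliation is the direct test for the first finding, since a back-end database edit changes the ledger balance without leaving a journal to explain it.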
16. Thank You