Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
1K views53 pages

IT Audit Essentials for Professionals

The document discusses information systems audits, including: 1) The purpose of IT audits is to ensure integrity, confidentiality, and availability of information systems and address questions around accuracy, authorization of access, and system availability. 2) IT audits can be financial, operational, integrated, or specialized and focus on risks to information assets and controls. 3) Frameworks for IT audits include COBIT, COSO, and ISACA standards which provide objectives, guidelines and procedures for auditors.

Uploaded by

Atiq Rehman
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
1K views53 pages

IT Audit Essentials for Professionals

The document discusses information systems audits, including: 1) The purpose of IT audits is to ensure integrity, confidentiality, and availability of information systems and address questions around accuracy, authorization of access, and system availability. 2) IT audits can be financial, operational, integrated, or specialized and focus on risks to information assets and controls. 3) Frameworks for IT audits include COBIT, COSO, and ISACA standards which provide objectives, guidelines and procedures for auditors.

Uploaded by

Atiq Rehman
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 53

The Information Systems Audit

November 25, 2009

Ernst & Young Ford Rhodes Sidat Hyder


e 1
q
Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Institute of Chartered Accountants of Pakistan


ICAP Auditorium, Karachi

Sajid H. Khan
Executive Director
Technology and Security Risk Services
Ernst & Young Ford Rhodes Sidat Hyder

Ernst & Young Ford Rhodes Sidat Hyder


e 2
q
Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

IS Environment

Back
Office
Batch
Apps
Online Integrated
MIS
Applications/ ERP
DAS
E-Commerce /
Home
Computing
Knowledge
Ernst & Young Ford Rhodes Sidat Hyder
3 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Information Technology Audit

The IT audit focuses on determining risks that are relevant


to information assets, and in assessing and evaluating
controls in order to reduce or mitigate these risks.

Any audit that encompasses review and evaluation (wholly or partly) of


automated information processing systems, related non-automated
processes and the interfaces between them.

Ernst & Young Ford Rhodes Sidat Hyder


4 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Purpose of IT Audit – Cont.

The IT audit's agenda may be summarized by the following questions:

• Integrity - Will the information provided by the system always be


accurate, reliable, and timely?

• Confidentiality - Will the information in the systems be disclosed only


to authorized users?

• Availability - Will the organization's computer systems be available for


the business at all times when required?

Ernst & Young Ford Rhodes Sidat Hyder


5 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Classification of Audits

• Financial audits
• Operational audits
• Integrated audits
• IS audits
• Specialized audits
• Forensic audits

Ernst & Young Ford Rhodes Sidat Hyder


6 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Audit Objectives

Specific goals of the audit

• Confidentiality
• Integrity
• Reliability
• Availability
• Compliance with legal / regulatory requirements

Ernst & Young Ford Rhodes Sidat Hyder


7 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Types of IT Audits

• IT Policies & Procedures Review and Gap analysis


• Implementation Reviews (e.g. SAP / Oracle / JD Edwards)
• IT Security Reviews
• IT Forensic Investigations
• Application Integrity Reviews
• Business Continuity
• IT Disaster Recovery

These reviews may be performed in conjunction with a financial statement


audit, internal audit, or other form of attestation/special engagement.

Ernst & Young Ford Rhodes Sidat Hyder


8 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Types of IT Audits

System Implementation Review - Example

• Business process/application controls


• Report Testing and documentation
• Testing (unit, volume, user)
• Data Cleansing and Conversion
• Segregation of Duties
• Roll out strategies
• IT General Controls

Ernst & Young Ford Rhodes Sidat Hyder


9 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Various Standards and Frameworks

• COBIT
• COSO
• SOX
• ICFR
• BASEL II
• ITIL

Ernst & Young Ford Rhodes Sidat Hyder


10 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

CobIT

• A framework with 34 high-level control objectives

– Planning and organization


– Acquisition and implementation
– Delivery and support
– Monitoring and evaluation

• Use of 36 major IT-related standards and regulations

Ernst & Young Ford Rhodes Sidat Hyder


11 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

ISACA - IS Auditing Standards


Framework

Framework for the ISACA IS Auditing Standards

• Standards

• Guidelines

• Procedures

Ernst & Young Ford Rhodes Sidat Hyder


12 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

ISACA - IS Auditing Standards Framework

Standards

• Must be followed by IS auditors

Guidelines

• Provide assistance on how to implement the standards

Procedures

• Provide examples for implementing the standards


Ernst & Young Ford Rhodes Sidat Hyder
13 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

ISACA IS Auditing Standards Framework (cont.)

Objectives of the ISACA IS Auditing Standards

• Inform management and other interested parties of the


profession’s expectations concerning the work of audit
practitioners

• Inform information system auditors of the minimum


level of acceptable performance required to meet
professional responsibilities set out in the ISACA Code
of Professional Ethics

Ernst & Young Ford Rhodes Sidat Hyder


14 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

ISACA IS Auditing Standards Framework (cont.)

S1 Audit charter

S2 Independence

S3 Ethics and Standards

S4 Competence

S5 Planning

S6 Performance of audit work

Ernst & Young Ford Rhodes Sidat Hyder


15 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

ISACA IS Auditing Standards Framework (cont.)

S7 Reporting

S8 Follow-up activities

S9 Irregularities and illegal acts

S10 IT Governance

S11 Use of risk assessment in audit planning

S12 Audit Materiality

Ernst & Young Ford Rhodes Sidat Hyder


16 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

ISACA IS Auditing Standards Framework (cont.)

S13 Using the work of other Experts

S14 Audit Evidence

S15 IT Controls

S16 Electronic Commerce

Ernst & Young Ford Rhodes Sidat Hyder


17 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Skills and Competence

An ideal background for an IS Auditor

»Business

»Auditing

»Information Technology

Ernst & Young Ford Rhodes Sidat Hyder


18 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Skills and Competence (Contd.)


Specialized IS skills may be needed for an auditor to:

• Obtain understanding of the accounting and


internal control systems affected by the IS
environment.

• Determine the effect of IS environment on the


assessment of risk at each level (e.g. process,
account, transactions level)

• Design and perform appropriate tests of control


and substantive procedures e.g. data analytics.

Ernst & Young Ford Rhodes Sidat Hyder


19 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

IS Audit Resource Management & Planning

• Limited number of IS auditors


• Maintenance of their technical competence
• Assignment of audit staff

• Short and Long term planning

• Considerations

– New control issues


– Changing technologies
– Changing business processes
– Enhanced evaluation techniques

Ernst & Young Ford Rhodes Sidat Hyder


20 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Information Technology Audit - Process

• An information technology audit, or information systems audit, is an


examination of the controls within an Information technology (IT)
infrastructure.

• It is a process of collecting and evaluating evidence of an


organization's information systems, practices, and operations.

• The evaluation of obtained evidence determines if the information


systems are safeguarding assets, maintaining data integrity, and
operating effectively to achieve the organization's goals or
objectives.

Ernst & Young Ford Rhodes Sidat Hyder


21 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

A Typical IS Audit Cycle

• Planning

• Understand the Process(s)

• Walkthrough the Process/Controls.


– Design of control

• Test the Controls


– Operating Effectiveness

• Conclude and Report

Ernst & Young Ford Rhodes Sidat Hyder


22 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

IS Control Objectives

Internal control objectives apply to all areas, whether


manual or automated. Therefore, conceptually, control
objectives in an IS environment remain unchanged from
those of a manual environment.

Ernst & Young Ford Rhodes Sidat Hyder


23 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Key Controls

• A key control is a member of a set of controls that


management identifies and relies upon in order to
mitigate the risk of financial misstatement.

• In other words it is the main control that addresses


the risk.

• Key Controls are usually identified by management.

Ernst & Young Ford Rhodes Sidat Hyder


24 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Compensating Controls

• A compensating control is a control that would


be in place to mitigate the risk of damage in the
event a key control failed.

– Example: Key Control may be approval prior to


access to systems but if it fails then compensating
control might be the monthly monitoring of user
access thus minimizing the risk to a period of one
month.

Ernst & Young Ford Rhodes Sidat Hyder


25 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Prevent / Detect Controls


Change Management Example

Prevent Controls Detect Controls

Pre-Production Post Production

Production

Ernst & Young Ford Rhodes Sidat Hyder


26 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Elements of an Effective IT Audit

•Business •Checklists
Knowledge •Technology Tools and •Work Programs
•Best Practice Methods •Automated Tools
•Guidelines

Ernst & Young Ford Rhodes Sidat Hyder


27 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Risk Assessment

Assessing Information Technology risks

• Risk assessments should identify, quantify and


prioritize risks against criteria for risk acceptance and
objectives relevant to the organization.

• Should be performed periodically to address changes


in the environment, security requirements and when
significant changes occur.

Ernst & Young Ford Rhodes Sidat Hyder


28 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Risk Assessment Treatment

Treating security risks

• Each risk identified in a risk assessment needs to be


treated.

• Controls should be selected to ensure that risks are


reduced to an acceptable level

Ernst & Young Ford Rhodes Sidat Hyder


29 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Scoping

Areas / Processes in scope Risks identified within the


processes / areas

Application Scoping
Identification of Key and • Application
compensating Controls • Operating System
• Database

Ernst & Young Ford Rhodes Sidat Hyder


30 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Scoping

IT Governance
• Policies and Procedures
• Compliance
• Security Environment
Application,
Management Databases
Controls Networks etc.
• Strategy • IT General Controls
• DRP • Application Controls
• Security • Optimizing Database
Policy Performance
• Reducing Network
Vulnerabilities

Ernst & Young Ford Rhodes Sidat Hyder


31 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

IT Governance

Entity Level Controls


• Controls at the Company Level that create,
foster, and sustain a controlled IT environment.
Examples:

– IT Strategic Planning
– IT Policies and Procedures
– IT Organization Structure
– Properly segregated duties
– Fraud Identification
– Training and Education
– Monitoring, and Risk Assessment

Ernst & Young Ford Rhodes Sidat Hyder


32 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

IT General Controls: Layers of Controls

Business
Data
Processes

Ernst & Young Ford Rhodes Sidat Hyder


33 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

ITGC Domains

• ITGC Domains.

• Program Change Management

• Logical Access

• IT Operations (Backup & Recovery, Job


scheduling, Problem and Incident Management)

Ernst & Young Ford Rhodes Sidat Hyder


34 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Change Management
• Objective: To provide reasonable assurance that only
appropriately authorized, tested, and approved changes
are made to in-scope systems.

• Types of changes that fall under change management

• Program Development/Acquisition
• Program change
• Maintenance (Ex: Database, Operating System)
• Emergency Changes
• Configuration/Parameter Changes (Ex: Physical hardware
configuration and parameter settings)

Ernst & Young Ford Rhodes Sidat Hyder


35 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Change Management (cont.)


• Components of the IT Environment:

• Applications
• Interfaces
• DBMS (Database Management System)
• Network and Operating Systems (OS)

• Typical Key Controls

• Changes are Authorized


• Changes are Tested
• Changes are Approved
• Changes are Monitored
• Duties are appropriately segregated

Ernst & Young Ford Rhodes Sidat Hyder


36 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Logical Access

• Objective: To determine that only authorized persons


have access to data and applications (including
programs, tables, and related resources) and that they
can perform only specifically authorized functions.

• Levels of the logical access path

• Network / Operating System


• Application
• Database

Ernst & Young Ford Rhodes Sidat Hyder


37 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Logical Access (cont.)

• General Systems Security Settings


– Platform Specification

• Password Configuration

• Systems User Administration

– New User setup


– Change/Transfer
– Termination

Ernst & Young Ford Rhodes Sidat Hyder


38 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Logical Access (cont.)


• Privileged Users

• User Access Reviews

• Segregation of Incompatible Duties (SOD)

• Request access
• Approve access
• Provision access

Ernst & Young Ford Rhodes Sidat Hyder


39 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

IT Operations

• To determine that the critical data is properly backed-up


so that it can be accurately and completely recovered if
there is a system outage or data integrity issue.

• To determine that only appropriate users have the


ability to make changes to job scheduling.

• To determine that there is a problem and incident


management process in place.

Ernst & Young Ford Rhodes Sidat Hyder


40 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

IT Operations (continued)

• Backup & Recovery

• Job Scheduling

• Problem & Incident Management

• Data Center Walkthrough

• Physical Access

Ernst & Young Ford Rhodes Sidat Hyder


41 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Application Controls

• An application control is an automated control that is


programmed within a system to perform the same
function over and over again.

– Edit Checks
– Validations
– Calculations
– Interfaces
– Authorizations

Ernst & Young Ford Rhodes Sidat Hyder


42 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Application Controls

Embedded Control – System is programmed to perform the


control as a result of either custom coding or packaged
delivery of that functionality.

Configurable Control – System has the capacity to perform


the control depending on its setup, but may have been
configured differently. Used especially in the context of
ERP systems.

Example – A three way match within an application

Ernst & Young Ford Rhodes Sidat Hyder


43 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Application Controls - Testing

• Embedded Control

– Re-performance via walkthrough


– Inspection of authorization

• Configurable Control

– Inspect configuration
– Re-performance via walkthrough
– Inspection of authorization

Consider manual overrides and the underlying


ITGCs.
Ernst & Young Ford Rhodes Sidat Hyder
44 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

IT Dependent Manual Controls

• An IT Dependent-Manual Control is any control activity


where both an individual and an IT output are
combined.

Example - System generated report review.

Consider the underlying ITGCs.

Ernst & Young Ford Rhodes Sidat Hyder


45 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Data Analytics

• Also called “Computer Assisted Audit


Techniques” (CAATs).

• CAATs enable IS auditors to gather


information independently.

• Multiple tools available to perform data


analytics.

Ernst & Young Ford Rhodes Sidat Hyder


46 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Data Analytics (cont.)

• Functions supported by automated tools

– File access

– File reorganization

– Data selection

– Statistical functions

– Arithmetical functions

Ernst & Young Ford Rhodes Sidat Hyder


47 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Data Analytics (cont.)

Considerations before utilizing CAATs

• Ease of use
• Training requirements
• Complexity of coding and maintenance
• Installation requirements
• Processing efficiencies
• Confidentiality of data being processed

Ernst & Young Ford Rhodes Sidat Hyder


48 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Challenges for IS Auditors

• Completeness of the Population

• Time Period Coverage

• Key Control Tools – Scoping

• Additional Procedures – Controls Testing

• Impact on Application/ITDM testing if ITGC not effective

Ernst & Young Ford Rhodes Sidat Hyder


49 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Communicating Audit Results

• Exit interview

– Correct facts
– Realistic recommendations
– Implementation dates for agreed recommendations

• Presentation techniques

– Executive summary and Visual presentation

Ernst & Young Ford Rhodes Sidat Hyder


50 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Communicating Audit Results (cont.)

Audit report structure and contents

• An introduction to the report (e.g. objectives, scope,


procedures performed)
• High level Audit findings and recommendations
• The IS auditor’s overall conclusion and opinion
• The IS auditor’s reservations with respect to the audit
• Detailed audit findings and recommendations

Ernst & Young Ford Rhodes Sidat Hyder


51 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Audit Documentation

• Planning, audit scope and objectives


• Description on the scoped audit area
• Audit program(s)
• Audit steps performed and evidence gathered
• Other experts used
• Audit findings, conclusions and recommendations

Ernst & Young Ford Rhodes Sidat Hyder


52 Chartered Accountants
A member firm of Ernst & Young Global Limited
The Information Systems Audit

Thank You

Ernst & Young Ford Rhodes Sidat Hyder


53 Chartered Accountants
A member firm of Ernst & Young Global Limited

You might also like