Introduction to Information Audit
M.C. Juan Carlos Olivares Rojas
Department of Computer and System, Instituto Tecnológico de Morelia
jcolivar@itmorelia.edu.mx
19.72388 lat, -101.1848 long

Dec 29, 2015




Disclaimer

Some material in this presentation has been obtained from various sources, each of which holds its own intellectual property, so this presentation has only some rights reserved.

These slides are free, so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on my part. In return for use, I only ask the following: if you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source.


Outline

Audit and Information Audit Concepts.

Types of Auditing.

Internal and External Audit.

Field of Information Audit.

Internal Control.

Control Models Used in Information Audit.

Principles applied to Information Auditors.

Managers and Auditor Responsibilities.


Objectives of the Session

• The students will know the basics of audit and Information Audit.


Audit and Information Audit Concepts

• There are many definitions of what Audit and Information Audit mean.

• Activity: in pairs, discuss the difference among Audit, Consulting and Advisory.

• An audit is an evaluation of a person, organization, system, process, project or product.


Audit

• Audits are performed to ascertain the validity and reliability of information, and also to provide an assessment of a system's internal control.

• The goal of an audit is to express an opinion on the person/organization/system etc. under evaluation based on work done on a test basis.

• An Information Audit is to “review the existing system of information management, identify problems and recommend solutions for those problems” (Elis 1993).


Information Audit

• Another definition of Information Audit is “an analysis of the communications (processes and information) that take place between agents (people) in a social context (the organisation) using a variety of media and channels (technology).”

• Information Audit (IA) focuses on describing how things are done rather than on whether they exist; for example, how a database is used rather than whether a database exists.


Information Audit

• The IA context has to be set against organizational goals and constraints.

• The IA has to try to answer questions such as:

• What is the purpose of the audited system?

• Does it accomplish its purpose?

• Is the purpose in line with the purpose and philosophy of the organisation as a whole?


Information Audit

• How effectively are resources used?

• How are resources accounted for and safeguarded?

• How useful is the information system supporting the organisation?

• How reliable is the information system?

• Does the system comply with regulations and standards?


In Sum…

• The goal of the audit project:
  – Compare what is
  – To what should be
  – To bring the two together

• The process is:
  – Establish what should be
  – Get support
  – Find out what is
  – Create results and recommendations.


Homework

• Deadline: Monday, February 16

• 20% Format

• 40% Research and write an essay about the ISACA, COBIT and ITIL standards. Download all the manuals and deliver only the principal ideas.

• 40% Make a State-of-the-Art Table among the standards evaluating most of 3 features.


Types of Auditing

• There are different classifications of auditing.

• By depth level: General and Technical.

• General auditing includes an assessment of different areas (e.g., financial, administrative, quality, etc.) of a company at the same time.

• Technical audits are specific, such as an Information System Audit.


Internal and External Audits

• Internal audits are carried out by individuals from the organization. The advantages are greater knowledge of internal control and less time spent in the audit process. The disadvantage can be non-ethical reports.

• External Audit, or Superior Control Audit, is carried out by third parties. This is the recommended type of audit because it is more ethical and efficient, but it requires more time.


Field of Information Audit

• What are Business Processes?

• A business process is a collection of related, structured activities or tasks that produce a specific service or product (serve a particular goal) for a particular customer or customers.

• Activity: Indicate what the business processes are in a university such as Instituto Tecnológico de Morelia.


Business Process

• Some business processes are very similar.

• What’s the difference?

• It’s the business rules. These are statements that define or constrain some aspect of the business.

• Activity: What are the business rules of ITM? Describe the rules of some sport or game such as Soccer, Tennis, Tetris, etc.


What is Audited?

• The Information that leads to knowledge

• Resources for making information

• How info is used

• The people who need and create info

• Info capture, management and presentation tools

• How info is valued


What’s the Point?

• Understand information
  – What is it?
  – How does it move?

• Manage information
  – What should we spend on it?
  – How should it flow?

• Give information its rightful place as something we pay attention to.
  – Money
  – Material goods
  – Processes


Internal Control

• It’s defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives.

• It is a means by which an organization's resources are directed, monitored, and measured.


Internal Control

• It plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).

• Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes-Oxley Act of 2002, which required improvements in internal control in United States public corporations.


Internal Control

• Governance is a very important activity inside organizations because it drives and directs Internal Control.

• Procurement plays an important role in the modern organization because it needs mechanisms to regularize practices and maintain justice.

• External Control is supported by government legislation.


Homework

• Install an OS (such as Windows, Linux, Mac) in a virtual machine. Deadline: Friday, February 20.

• Write an essay on the kinds of software licenses in virtualized environments.

• Can we execute the same software two or more times in a virtual machine?

• Deadline: Wednesday, February 18


Essay

• It’s a written document which aims to persuade the audience about the validity and importance of one's own ideas on a specific topic.

• It’s an argument in which a process of analysis and synthesis is carried out. It doesn’t have a fixed and exclusive structure, but the following features are recommended.


Essay

• It is recommended to start by defining the author's position and the items to be addressed in the rest of the document.

• In the development, it is recommended to define a method for developing ideas, such as defining, comparing, analyzing, arguing, among others.

• It has to cover each of the main points that support the author's position or posture.


Essay

• Conclusions have to restate the author’s position in a brief summary and show the (proposed) lines of action to be followed.

• Part of the essay is a process of inquiry to obtain the theoretical framework as a base for arguing opinions.

• Essays are mostly used in the social sciences.


Control Models Used in Information Audit

• Discussion about methodologies:

• ISACA (Information System Audit and Control Association)

• COBIT (Common OBjectives for Information and related Technologies)

• ITIL (Information Technologies Infrastructure Library)


Other Methodologies

• COSO

• ISO/IEC 17799:2000

• ISO/IEC 13335

• ISO/IEC 15408

• TickIT

• NIST 800-14


An Audit Project

• What are the goals of the project?

• What is the overall process?

• What are the deliverables?

• What does the plan look like?


What Are The Goals?

• To assess what information and flow the org needs

• To assess what information and flow the org now has

• To make recommendations about how to get the two to match


What’s the Overall Process?

1 Analyze objectives for ideal process

2,3 Get a mandate and support

4 Plan the audit

5 Perform the audit

6,7 Interpret and Present the results

8,9 Take action

10 Repeat


What are the Deliverables?

1 Analyze objectives
  • One or more readiness deliverables
  • A Goals-Knowledge-Info taxonomy

2,3 Get support
  • One or more mandate deliverables
  • Guardian and stakeholder profiles

4 Plan
  • Audit methods plan
  • Staging plan

5 Perform
  • Information Analyses

6,7 Interpret and present
  • Reports and presentations

8,9 Act
  • Follow-up plan


Deliverables: A Goals-Knowledge-Info Taxonomy

• Organizational objective 1
  – Knowledge requirement 1.1
    • Info that supports requirement
      – Containers for the information
    • People who need to know it
    • Flow
      – Creation
      – Use
      – Disposal
  – Knowledge requirement 1.2

• Organizational objective 2


Deliverables: Guardian and Stakeholder Profiles

Who will you approach in the org and how?

• What: Word files, a spreadsheet or Db records
  – Who are they?
  – How will you approach them?
  – What do you know without asking?

• How:
  – Asking around
  – Quick email or other communication
  – Org charts or readiness results


Deliverables: Audit Methods Plan

What are the available methods?

• Analysis of docs and Dbs

• Observation

• Trying yourself

• Interviews

• Meetings

• Surveys

• Mapping


Activity

• Analyze the document (SGC, Sistema de Gestión de la Calidad, i.e. Quality Management System) from the previous homework.

• Describe in your own words whether the process described in the document corresponds with reality.

• How did you carry out the last step?


Deliverables: Audit Methods Plan

How will you assess the information resources of your organization?

• What: Word, spreadsheet or Db
  – Analysis, resource, method
  – Date, time, and staff

• How
  – Try each method
  – Discuss with guardians and stakeholders
  – Design for change


Deliverables: Staging Plan

In what order should groups and information resources be done?

• What: Word doc, spreadsheet or Db
  – Groups and sources identified
  – Dates, times and staff for each

• How
  – Arranged by
    • Strategic importance and potential for a win
    • Amount of support and ease or simplicity
    • Fair representation of all information


Deliverables: Information Analyses

The assessment of each dimension of the organization's information.

• What? Word, spreadsheet or Db
  – Data collected
  – Standard set of
  – Information Resources

• How
  – Apply methods and plan
  – Collect data, analyze and revisit if needed


Deliverables: Reports and Presentations

What are the analysis methods available?

• Side-by-side comparison

• SWOT

• CATWOE
  – Clients
  – Actors
  – Transformations
  – Ownership
  – Environment


Finding the Differences


Deliverables: Reports and Presentations

The official results of the audit

• What
  – Word files, slide decks
  – Email messages, meeting agendas

• How
  – Lots of trial inside the team
  – Test results to supporters
  – Trial presentations to insiders
  – Multiple methods to communicate


Deliverables: Follow-Up Plan

What should the org do and how will its success be measured?

• What
  – Word file, project plan
  – Action
  – Preliminary scope, schedule, and budget

• How
  – Work with appropriate guardians and execs
  – Focus on highest return projects first
  – Give lots of leeway to the formation of the exact solution
  – Caveat the heck out of your estimates


The Team

• Audit manager
  – Understands the org’s business
  – Ability to listen
  – Respected

• Auditors
  – Technology analysts
  – Interviewers
  – SME (Subject Matter Experts)

• Tool designers
  – Survey construction
  – Data analysis and presentation techniques

• Consultants
  – Specialist support in the background


Discussion About The Corporation Movie

• It’s a movie about Sustainable Development.

• The Corporations are Persons

• Where is the Informatics Auditing Process applied?


Activity

• Forming teams of 4 persons or fewer, discuss your professional opinions using a group decision technique to obtain a single proposal.

• This proposal must be discussed with the class.


Group Discussion Techniques

• The problem-solving process has three phases according to Mintzberg:
  – Identify the problem
  – Develop different possible solutions
  – Evaluate the possible solutions and select the most adequate one

• Other authors have added two additional phases:
  – Execute the desired solution
  – Evaluate the results of executing this solution.


Group Discussion Techniques

• For making group decisions there are different methods, such as:
  – Voting (the option with the most votes wins),
  – Approval Voting (each member can vote for more than one option; the option with the most votes wins),
  – Range Sum (each member individually assigns a weight to the options, where 1 is for the least preferred; the option with the highest score wins), and
  – Minimal Deviation (the option with the highest score and the minimal deviation is selected).


Group Discussion Techniques

• Nominal Group Technique is a decision-making method for use among groups of many sizes, who want to make their decision quickly, as by a vote, but want everyone's opinions taken into account (as opposed to traditional voting, where only the largest group is considered).

• First, every member of the group gives their view of the solution, with a short explanation. Then, duplicate solutions are eliminated from the list of all solutions, and the members proceed to rank the solutions, 1st, 2nd, 3rd, 4th, and so on.


Group Discussion Techniques

• The numbers each solution receives are totaled, and the solution with the lowest (i.e. most favored) total ranking is selected as the final decision. There are variations on how this technique is used. For example, it can identify strengths versus areas in need of development, rather than be used as a decision-making voting alternative. Also, options do not always have to be ranked, but may be evaluated more subjectively.


Group Discussion Techniques

• These techniques:
  – Brainstorm,
  – Round Table (similar to Brainstorm, but each member of the team has a turn to present his/her ideas),
  – SWOT (Strengths, Weaknesses, Opportunities, and Threats).


Group Discussion Techniques

• The Phillips 66 Method is a group discussion technique which is used to help overcome the problem of silence in group situations and to ensure that everyone gets a chance to contribute to the discussion.

• The group is divided into sub-groups of six participants each. These groups each spend six minutes discussing possible solutions to an identified problem, and then report back to the larger group with a proposed solution.


Group Discussion Techniques

• The Delphi method is a systematic, interactive forecasting method which relies on a panel of independent experts.

• The carefully selected experts answer questionnaires in two or more rounds. After each round, a facilitator provides an anonymous summary of the experts’ forecasts from the previous round as well as the reasons they provided for their judgments.


Group Discussion Techniques

– Thus, experts are encouraged to revise their earlier answers in light of the replies of other members of their panel.

– It is believed that during this process the range of the answers will decrease and the group will converge towards the "correct" answer.


Group Discussion Techniques

– Finally, the process is stopped after a pre-defined stop criterion (e.g. number of rounds, achievement of consensus, stability of results) and the mean or median scores of the final rounds determine the results.


Other IA Methodology

• Initial review and evaluation of the area to be audited, and the audit plan preparation

• Detailed review and evaluation of controls

• Compliance testing

• Analysis and reporting of results


Review of System Documentation

• The auditor reviews documentation such as narrative descriptions, flowcharts, and program listings. In desk checking the auditor processes test or real data through the program logic.

• Audit through the Computer: the process of reviewing and evaluating the internal controls in an electronic data processing system.


Audit with the Computer

• The utilization of the computer by an auditor to perform some audit work that would otherwise have to be done manually.


Test

• Test Data: The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the computer-processed output with the manually processed results.


Test Data

[Figure: Test Data. Diagram labels: Computer Operations; Auditors; Prepare Test Transactions and Results; Transaction Test Data; Computer Application System; Computer Output; Manually Processed Results; Auditor Compares.]


Types of Testing

• Compliance Testing: Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned. This is known as compliance testing.

• Substantive testing is the direct verification of financial statement figures. Examples would include reconciling a bank account and confirming accounts receivable.


Parallel Simulation

• The test data method processes test data through the real programs. With parallel simulation, the auditor processes real client data on an audit program similar to some aspect of the client’s program. The auditor compares the results of this processing with the results of the processing done by the client’s program.


Parallel Simulation

[Figure: Parallel Simulation. Diagram labels: Computer Operations; Auditors; Actual Transactions; Computer Application System; Auditor’s Simulation Program; Actual Client Report; Auditor Simulation Report; Auditor Compares.]
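The test data method and parallel simulation described in the slides above can be put side by side in code. This is an added example, not part of the original slides; the payroll rule, its limits, the function names and every record are constructed assumptions.

```python
from decimal import Decimal

REJECTED = "REJECTED"
MAX_HOURS = Decimal("80")     # assumed policy: at most 80 hours per pay period
OT_THRESHOLD = Decimal("40")  # assumed policy: hours above 40 are paid at 1.5x


def client_pay(hours, rate):
    """Stand-in for the client's production program (hypothetical).

    Seeded control weakness for the demonstration: MAX_HOURS is never enforced.
    """
    hours, rate = Decimal(hours), Decimal(rate)
    if hours < 0 or rate <= 0:
        return REJECTED
    regular = min(hours, OT_THRESHOLD)
    return regular * rate + (hours - regular) * rate * Decimal("1.5")


def auditor_pay(hours, rate):
    """Auditor's own simulation program, written independently from the policy."""
    hours, rate = Decimal(hours), Decimal(rate)
    if hours < 0 or hours > MAX_HOURS or rate <= 0:
        return REJECTED
    overtime = max(hours - OT_THRESHOLD, Decimal("0"))
    return (hours - overtime) * rate + overtime * rate * Decimal("1.5")


# Test data method: constructed valid and invalid input, each with the result
# the auditor worked out by hand before running the real program.
TEST_DECK = [
    ("TD-1 valid, no overtime", "40", "10.00", Decimal("400.00")),
    ("TD-2 valid, overtime", "45", "10.00", Decimal("475.00")),
    ("TD-3 invalid, negative hours", "-5", "10.00", REJECTED),
    ("TD-4 invalid, over the hours limit", "90", "10.00", REJECTED),
]


def run_test_data(program, deck):
    """Run the deck through `program`; return (case, expected, actual) mismatches."""
    exceptions = []
    for case, hours, rate, expected in deck:
        actual = program(hours, rate)
        if actual != expected:
            exceptions.append((case, expected, actual))
    return exceptions


# Parallel simulation: real transactions (constructed here) are re-processed by
# the auditor's program and compared with what the client's program reported.
ACTUAL_TRANSACTIONS = [
    ("T-1001", "38", "12.50"),
    ("T-1002", "44", "12.50"),
    ("T-1003", "85", "20.00"),
    ("T-1004", "40", "15.00"),
]


def build_client_report(transactions):
    """The client's report: output of the client's program on the real data."""
    return {txn: client_pay(hours, rate) for txn, hours, rate in transactions}


def parallel_simulation(transactions, client_report, simulate):
    """Return (transaction, reported, simulated) wherever the two outputs differ."""
    differences = []
    for txn, hours, rate in transactions:
        simulated = simulate(hours, rate)
        if simulated != client_report[txn]:
            differences.append((txn, client_report[txn], simulated))
    return differences


if __name__ == "__main__":
    for finding in run_test_data(client_pay, TEST_DECK):
        print("test data exception:", finding)
    report = build_client_report(ACTUAL_TRANSACTIONS)
    for finding in parallel_simulation(ACTUAL_TRANSACTIONS, report, auditor_pay):
        print("parallel simulation difference:", finding)
```

The test deck only catches the missing limit because the auditor thought to include an over-limit record; the parallel run surfaces the same weakness from the real data without that foresight.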


Audit Software

• Computer programs that permit computers to be used as auditing tools include:

• Generalized audit software (CAATS, Computer-Assisted Audit Tools and Techniques)

• P.C. software (support)


Records

• Extended Records: Specific transactions are tagged, and the intervening processing steps that normally would not be saved are added to the extended record, permitting the audit trail to be reconstructed for these transactions.

• Snapshot: A snapshot is similar to an extended record except that the snapshot is a printed audit trail


Principles Applied to Information Auditors

• The word Auditor comes from the Greek auditorium, which means “listen”.

• An auditor was a person whose main function was listening to the problems of people in a town, taking back the taxes and representing the interests of the Imperial Country.


Managers and Auditors Responsibilities

• Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.

• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.

• Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

• Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.

• Inform appropriate parties of the results of work performed, revealing all significant facts known to them.

• Support the professional education of stakeholders in enhancing their understanding of information systems security and control.


Homework

• Print a license agreement of any software, preferably non-common software.


References

• Hall, H., Information Auditing, School of Computing, Napier University, 2009.

• Boiko, UW iSchool, Information Audits, ischool.washington.edu, 2009.


Questions?