
The Information Systems Audit Process

Jan 20, 2016


taniel

The Information Systems Audit Process. Definitions: Audit is an unbiased examination and evaluation of the products, processes and the systems. Auditor: the auditor is the competent person who is performing the audit. - PowerPoint PPT Presentation
Transcript
Page 1: The Information Systems Audit Process

The Information Systems Audit Process

Page 2: The Information Systems Audit Process

Definitions:

Audit is an unbiased examination and evaluation of the products, processes and systems.

Auditor: The auditor is the competent person who is performing the audit.

Auditee: The organization and people being audited are collectively called the auditee.

Client: The client is the person or organization with the authority to request the audit. A client may be the audit committee, an external customer, the internal audit department, or a regulatory group. Audit details should be kept confidential from persons not directly involved as the auditee or the client.

Page 3: The Information Systems Audit Process

Definitions: Internal audits and assessments

An internal audit involves auditing your own organization to discover evidence of what is occurring inside the organization (self-assessment). These audits have restrictions on their scope, and the findings should not be shared outside the organization.

Page 4: The Information Systems Audit Process

CISA: Chapter #1, The Information Systems Audit Process

Definitions: External audits

An external audit is a review of the financial statements or reports of a company by someone not affiliated with the company. External audits play a major role in financial oversight because they are conducted by outside individuals and therefore provide an unbiased opinion. External audits are commonly performed at regular intervals by businesses and are typically required yearly by law for governments.

Page 5: The Information Systems Audit Process

Definitions: External audits

External audits involve your customer auditing you, or you auditing your supplier. The business audits its customer or supplier, or vice versa. The goal is to ensure the expected level of performance as mutually agreed upon in their contracts.

Page 6: The Information Systems Audit Process

Independent audits are outside of the customer-supplier influence. Third-party independent audits are frequently relied on for licensing, certification, or product approval.

Product audits check the attributes against the design specification (size, color, markings).

Process audits evaluate the process method to determine whether the activities or sequence of activities meet the published requirements. We want to see how the process is working. This involves checking inputs, actions, and outputs to verify the process performance.

Page 7: The Information Systems Audit Process

System audits seek to evaluate the management of the system, including its configuration. The auditor is interested in the team members' activities, control environment, event monitoring, how customer needs are determined, who provides authorization, how changes are implemented, preventative maintenance, and so forth, including incident response capability.

Financial audits verify financial records, transactions, and account balances. This type of audit is used to check the integrity of financial records and accounting practices compared to well-known accounting standards.

Page 8: The Information Systems Audit Process

Operational audits verify the effectiveness and efficiency of operational practices. Operational audits are used frequently in service and process environments, including IT service providers.

Integrated audits include both financial and operational controls audits.

Compliance audits verify implementation of and adherence to a standard or regulation. This could include ISO standards and all government regulations. A compliance audit usually includes tests for the presence of a working control.

Page 9: The Information Systems Audit Process

Administrative audits verify that appropriate policies and procedures exist and have been implemented as intended. This type of audit usually tests for the presence of required documentation.

Page 10: The Information Systems Audit Process

Definitions: Control

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Page 11: The Information Systems Audit Process

Definitions: IT Control Objective

A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

Page 12: The Information Systems Audit Process

Definitions: IT Governance

A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

Page 13: The Information Systems Audit Process

IT Framework

A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data), are important for the IT processes to fully support the business objective.

Page 14: The Information Systems Audit Process

Audit Mission

In the light of management objectives, a well documented audit charter, approved by top management, defines the overall authority, scope and responsibility of the audit function.

Whenever you conduct an audit, it is important to write an audit mission statement as part of the preparation. A mission statement defines the audit both for your benefit and for the benefit of the auditee, thereby helping to eliminate confusion, waste of resources, and inefficiencies in auditing.

Page 15: The Information Systems Audit Process

Audit Mission

It serves as a link between the planning and the execution of the audit.

Sometimes it seems that writing an audit mission statement can be skipped, but this is not recommended. A little planning in the form of a mission statement goes a long way to ensuring that the audit functions are effectively performed.

Page 16: The Information Systems Audit Process

Audit Mission Statement

It consists of the following:

• Outline of the audit purpose and objective
• A risk assessment process to describe and analyze the risks inherent in a given line of business
• An audit plan detailing IS audit's budgeting and planning processes
• An audit cycle that identifies the frequency of audits
• Audit work programs that set out for each audit area the required scope and resources
• Format of written audit reports

Page 17: The Information Systems Audit Process

Audit Planning

Audit planning consists of both short-term and long-term planning. Short-term planning takes into account audit issues that will be covered during the year, whereas long-term planning relates to audit plans that take into account risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment.

Page 18: The Information Systems Audit Process

Risk Analysis: Risk Elements

Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact, or relative severity, of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.

Risk elements (diagram): Risk, composed of Threat, Impact and Frequency.

Page 19: The Information Systems Audit Process

Business Risk

Business risks are threats that may impact the assets, processes or objectives of a specific business organization. The nature of these threats may be financial, regulatory or operational. They may arise as a result of the interaction of the business with its environment, or as a result of the strategies, systems, technology, processes, procedures and information systems used by the business.

Page 20: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF INTERNAL AUDITORS

The primary role of the internal IT audit staff is to assess independently and objectively the controls, reliability, and integrity of the institution's IT environment. These assessments can help to maintain or improve the efficiency and effectiveness of the institution's IT risk management, internal controls, and corporate governance.

Page 21: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF INTERNAL AUDITORS

Internal auditors should evaluate IT plans, strategies, policies, and procedures to ensure adequate management oversight. Additionally, they should assess the day-to-day IT controls to ensure that transactions are recorded and processed in compliance with acceptable accounting methods and standards and are in compliance with policies set forth by the board of directors and senior management.

Page 22: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF INTERNAL AUDITORS

Auditors should make recommendations to management about procedures that affect IT controls.

Audit's role generally entails reviewing the control aspects of new applications, products, conversions, or services throughout their development and implementation. Early IT audit involvement can help to ensure that proper controls are in place from inception. However, the auditors should be careful not to compromise, or even appear to compromise, their independence when involved in these projects.

Page 23: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS

External auditors typically review IT control procedures as part of their overall evaluation of internal controls when providing an opinion on the adequacy of an institution's financial statements. As a rule, external auditors review the general and application controls affecting the recording and safeguarding of assets and the integrity of controls over financial statement preparation and reporting.

Page 24: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS

General controls include the plan of organization and operating, documentation procedures, access to equipment and data files, and other controls affecting overall information systems operations. Application controls relate to specific information systems tasks and provide reasonable assurance that the recording, processing, and reporting of data is properly performed.

Page 25: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS

External auditors may also review the IT control procedures as part of an outsourcing arrangement in which they are engaged to perform all or part of the duties of the internal audit staff.

The extent of external audit work, including work related to information systems, should be clearly defined in an engagement letter.

Page 26: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS

The external auditor may discover weaknesses in the internal control procedures that will affect the accounts. The auditor should report these weaknesses to management. The principal purposes of this report to management are:

Page 27: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS

(a) To enable the auditor to comment on the accounting records, systems and controls examined during the course of the audit: for example, weaknesses in credit control, the reconciliation of ledgers and the maintenance of grant approvals.

(b) To provide management with financial statistics that can be used to judge the performance of a charity: for example, the number of weeks' expenditure in reserves, or total staff costs expressed as a ratio of total resources expended.

(c) To communicate any matter that might affect future audits: for example, new accounting standards.

Page 28: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS

The report to management should recommend what changes need to be made to systems in situations where there are no other compensatory controls.

The auditor must ensure that the recommended changes have in fact been made.

Page 29: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF IT AUDITORS

IT auditors, just as much as IT practitioners, work in a very interesting and dynamic environment where everything changes all the time.

Initially the role of IT auditors was protecting the business from the many new exposures that information and communication technologies could create, and risk management has remained an important activity for IT managers and auditors.

Page 30: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF IT AUDITORS

In today's era of globalization and universal connectivity, many other things have also changed:

(a) The dependence of organizations and business on these technologies has become critical

(b) IT has become embedded in most business processes and is an important service function

(c) The risks to be contained and managed have all changed and expanded

(d) Technologies have become much more complex and are deployed in large numbers

(e) The range of IT related activities is greater than before, and may have been outsourced

Page 31: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF IT AUDITORS

(f) The detailed knowledge that IT practitioners have of both technologies and products is greater than the comparable knowledge of an average IT auditor

(g) Organizations are less hierarchical, and the approach to internal controls and accountability has changed

(h) The Chief Information Officer (CIO) needs to be a business manager as much as she/he needs to be technically knowledgeable

(i) The CIO now needs to manage outsourcers, a very different game from managing an in-house service

Page 32: The Information Systems Audit Process

ROLES AND RESPONSIBILITY OF IT AUDITORS

The focus of IT audits today depends on the governance of IT and process maturity in an organization. The ideal focus should be on only those aspects of IT that are important to the organization.

The technical IT auditor executes audit processes at the technical systems level but may or may not be capable of functioning at level two because of the broad business perspective required. To illustrate, this is the auditor who would conduct the firewall review and provide assurance to the auditor in charge that the scope and conduct of the technical audit steps were appropriate and adequate.

Page 33: The Information Systems Audit Process

Classification of Audits:

1. Financial Audit
2. Operational Audit
3. Integrated Audit
4. Administrative Audits
5. Information System Audits
6. Special Audit (3rd Party and Forensic: frauds and crimes)

An Information System Audit:

"Any audit that encompasses review and evaluation of automated information processing, related non-automated processes and the interfaces between them."

Page 34: The Information Systems Audit Process

Audit Procedures:

1. Understanding of the audit area/subject
2. Risk assessment
3. Detailed audit planning
4. Preliminary review of the audit area/subject
5. Evaluating the audit area/subject
6. Compliance testing (often tests of controls)
7. Substantive testing
8. Reporting
9. Follow-up

Page 35: The Information Systems Audit Process

Audit Risk:

The risk that the information/financial report may contain a material error that goes undetected during the course of the audit.

Categories of Audit Risk:

1. Inherent Risk
2. Control Risk
3. Detection Risk
4. Overall Audit Risk

Page 36: The Information Systems Audit Process

Risk Assessment Techniques:

These techniques may be computerized or non-computerized, scoring or judgment, based upon business knowledge, executive management directives, historical perspective, business goals and environmental factors.

Page 37: The Information Systems Audit Process

Compliance Testing:

A compliance test determines if controls are being applied in a manner that complies with management policies and procedures.

Substantive Testing:

A substantive test substantiates the integrity of actual processing.

Page 38: The Information Systems Audit Process

Evidence:

Evidence is any information used by the auditor to determine whether the entity or data being audited follows the established audit criteria or objectives.

Evidence should be sufficient, relevant and competent.

Reliability of Evidence:

• Independence of the provider
• Qualification of the provider
• Objectivity of the evidence
• Timing of the evidence

Page 39: The Information Systems Audit Process

Evidence gathering Techniques:

• Reviewing IS organization structures
• Reviewing IS policies
• Reviewing IS standards
• Reviewing IS documentation
• Interviewing appropriate personnel
• Observing processes and employee performance

Page 40: The Information Systems Audit Process

Computer Assisted Audit Techniques:

Generalized audit software, utility software, test data, application software tracing and mapping, and expert systems.

These tools can be used for:

• Tests of details of transactions and balances
• Analytical review procedures
• Compliance tests of IS general controls
• Compliance tests of application controls
• Penetration and OS vulnerability testing
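The following is an added worked example and not part of the original slides. It runs a small computer-assisted audit technique of the kind listed above over a ledger extract and shows the distinction drawn on the Compliance Testing / Substantive Testing slide: the compliance test checks whether the approval control is being applied as management policy says, the substantive test substantiates the integrity of actual processing by recomputing balances from transaction details, and the exception report illustrates the "improved exception identification" that CAATs offer. The ledger records, reported balances, account numbers, approval threshold and business-hours window are all constructed for the example.

```python
"""
Added example (not from the original slides): a small computer-assisted audit
technique (CAAT) run over a constructed transaction ledger. It contrasts a
compliance test (is the approval control applied as policy requires?) with a
substantive test (do the reported balances agree with a recomputation from the
transaction details?), plus an exception report. All records, account numbers
and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed policy (assumption): payments at or above this amount need a second
# person's approval, and the approver must not be the preparer.
APPROVAL_THRESHOLD = 10_000

# Constructed ledger extract. In a real engagement this would be exported from the
# application database with generalized audit software.
TRANSACTIONS = [
    {"id": "T001", "account": "1010", "amount":  2_500, "prepared_by": "alice", "approved_by": None,    "posted": "2016-01-18T10:15:00"},
    {"id": "T002", "account": "1010", "amount": 15_000, "prepared_by": "bob",   "approved_by": "carol", "posted": "2016-01-18T11:02:00"},
    {"id": "T003", "account": "2020", "amount": 12_000, "prepared_by": "bob",   "approved_by": "bob",   "posted": "2016-01-18T23:40:00"},
    {"id": "T004", "account": "2020", "amount": 11_500, "prepared_by": "dave",  "approved_by": None,    "posted": "2016-01-19T09:30:00"},
    {"id": "T004", "account": "1010", "amount":    800, "prepared_by": "alice", "approved_by": None,    "posted": "2016-01-19T09:31:00"},
]

# Balances the application reports for the same period (constructed; 2020 is
# deliberately off by 500 so the substantive test has something to find).
REPORTED_BALANCES = {"1010": 18_300, "2020": 23_000}


def compliance_test_approvals(transactions, threshold=APPROVAL_THRESHOLD):
    """Test of controls: every transaction at or above the threshold must carry an
    approval by someone other than the preparer. Returns the ids of exceptions,
    i.e. cases where the control was not applied as management policy requires."""
    exceptions = []
    for t in transactions:
        if t["amount"] < threshold:
            continue
        if t["approved_by"] is None or t["approved_by"] == t["prepared_by"]:
            exceptions.append(t["id"])
    return exceptions


def substantive_test_balances(transactions, reported):
    """Test of details: recompute each account balance from the transactions and
    compare it with the balance the system reports. Returns {account: difference}
    for accounts that do not agree (difference = reported - recomputed)."""
    recomputed = defaultdict(int)
    for t in transactions:
        recomputed[t["account"]] += t["amount"]
    return {acct: reported[acct] - recomputed[acct]
            for acct in reported if reported[acct] != recomputed[acct]}


def exception_report(transactions, start_hour=8, end_hour=18):
    """Exception identification: duplicate transaction ids and postings outside the
    (assumed) business-hours window [start_hour, end_hour)."""
    seen, duplicates, after_hours = set(), [], []
    for t in transactions:
        if t["id"] in seen:
            duplicates.append(t["id"])
        seen.add(t["id"])
        hour = datetime.fromisoformat(t["posted"]).hour
        if not start_hour <= hour < end_hour:
            after_hours.append(t["id"])
    return {"duplicate_ids": duplicates, "after_hours": after_hours}


if __name__ == "__main__":
    print("approval control exceptions:", compliance_test_approvals(TRANSACTIONS))
    print("balance differences:", substantive_test_balances(TRANSACTIONS, REPORTED_BALANCES))
    print("exceptions:", exception_report(TRANSACTIONS))
```

The two tests answer different questions and a clean result on one says nothing about the other: the approval control can be operating perfectly while a posting error still leaves a balance wrong, which is why the audit procedures list both compliance testing and substantive testing as separate steps.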

Page 41: The Information Systems Audit Process

CAATs Advantages:

• Reduced level of audit risk
• Greater independence from the auditee
• Broader and more consistent audit coverage
• Faster availability of information
• Improved exception identification
• Greater flexibility of run times
• Greater opportunity to quantify internal control weakness
• Enhanced sampling
• Cost saving over time

Page 42: The Information Systems Audit Process

Internal Control

Policies, procedures, practices and organizational structure put into place to reduce risks.

Control Classification

1. Preventive
2. Detective
3. Corrective

Page 43: The Information Systems Audit Process

Internal Control Objectives

Statements of the desired result or purpose to be achieved by implementing control procedures in a particular activity.

• Internal Accounting Controls
• Operational Controls
• Administrative Controls

Page 44: The Information Systems Audit Process

Internal Control Objectives include:

1. Safeguarding of information technology assets
2. Compliance with corporate policies or legal requirements
3. Authorization/Input
4. Accuracy and completeness of processing of transactions
5. Output
6. Reliability of process
7. Backup/Recovery
8. Efficiency and economy of operation

Page 45: The Information Systems Audit Process

IS Control Objectives include:

1. Safeguard assets
2. Integrity of general operations
3. Integrity of sensitive and critical application systems through:
   • Authorization
   • Accuracy
   • Reliability
   • Completeness and security of output
   • Database integrity
4. Efficiency and effectiveness
5. Compliance
6. Continuity and disaster recovery plan
7. Incident response and handling plan

Page 46: The Information Systems Audit Process

IS Systems Control Procedures include:

1. Strategy and direction
2. General organization and management
3. Access to data and programs
4. System development methodologies and change control
5. Data processing operations
6. Systems programming and technical support functions
7. Data processing and quality assurance procedures
8. Physical access controls
9. Business continuity/disaster recovery planning
10. Networks and communications
11. Data administration

Page 47: The Information Systems Audit Process

Evaluation of Strengths and Weaknesses of Audit:

• Judgment
• Control matrix (ranking): columns are the known types of errors, rows are the known controls
• Compensating/overlapping controls
• Totality of controls
• Supporting evidence
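An added example, not from the original slides, of the control matrix evaluation described above carried out in Python. Columns are known error types, rows are the controls the auditee relies on, and each cell ranks how well a control addresses an error. The evaluation reports, per error type, the totality of controls, whether a compensating (overlapping) control exists, and which controls cannot be counted because no supporting evidence was obtained. The error types, control names, rank scale and working-paper references are all constructed for the example.

```python
"""
Added example (not from the original slides): evaluating audit strengths and
weaknesses with a control matrix. Columns are known error types, rows are known
controls, cells rank how well the control addresses that error. Only controls
with supporting evidence are counted. Error types, controls, ranks and the
working-paper (WP) references are constructed for the example.
"""

# Ranking scale (assumption): 0 = does not address, 1 = weak, 2 = moderate, 3 = strong
ERROR_TYPES = ["unauthorised_change", "duplicate_payment", "data_loss", "unauthorised_data_access"]

# Each row: control name -> (ranks in ERROR_TYPES column order, evidence references)
CONTROL_MATRIX = {
    "change_approval_workflow": ([3, 0, 0, 0], ["WP-12 change ticket sample"]),
    "quarterly_access_review":  ([2, 0, 0, 1], ["WP-07 review sign-off"]),
    "invoice_duplicate_check":  ([0, 3, 0, 0], []),          # claimed, no evidence obtained
    "manual_payment_review":    ([0, 2, 0, 0], ["WP-15 reviewer initials"]),
    "nightly_backup":           ([0, 0, 3, 0], ["WP-21 backup logs"]),
}


def evaluate_control_matrix(error_types, matrix, min_rank=2):
    """Return {error_type: assessment}.

    Controls without supporting evidence are excluded from the ranking, because an
    unevidenced control cannot be relied on. For each error type:
      totality     - sum of the ranks of evidenced controls that address it
      primary      - the strongest evidenced control, or None
      compensating - True when at least two evidenced controls of rank >= min_rank
                     overlap on this error type (one can compensate for the other)
      weakness     - True when no evidenced control of rank >= min_rank addresses it
      unevidenced  - controls that claim to address it but lack evidence
    """
    results = {}
    for col, err in enumerate(error_types):
        effective = []      # (rank, control) for evidenced controls covering err
        unevidenced = []
        for control, (ranks, evidence) in matrix.items():
            rank = ranks[col]
            if rank == 0:
                continue
            if not evidence:
                unevidenced.append(control)
                continue
            effective.append((rank, control))
        effective.sort(reverse=True)
        strong = [c for r, c in effective if r >= min_rank]
        results[err] = {
            "totality": sum(r for r, _ in effective),
            "primary": effective[0][1] if effective else None,
            "compensating": len(strong) >= 2,
            "weakness": len(strong) == 0,
            "unevidenced": unevidenced,
        }
    return results


def weaknesses(assessment):
    """Error types for which the auditor cannot conclude that controls are adequate,
    i.e. candidates for the report to management."""
    return sorted(err for err, a in assessment.items() if a["weakness"])


if __name__ == "__main__":
    assessment = evaluate_control_matrix(ERROR_TYPES, CONTROL_MATRIX)
    for err, a in assessment.items():
        print(f"{err:26} totality={a['totality']} primary={a['primary']} "
              f"compensating={a['compensating']} weakness={a['weakness']} "
              f"unevidenced={a['unevidenced']}")
    print("weaknesses to report:", weaknesses(assessment))
```

In this constructed matrix the duplicate-payment column shows why evidence matters: the strongest control on paper is the automated duplicate check, but with no evidence obtained only the manual review counts, so there is no compensating control and the conclusion rests on a single control. The access column has only a weak evidenced control and is the one weakness the evaluation would carry into the report to management.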

Page 48: The Information Systems Audit Process


Communicating Audit Results :Communicating Audit Results :

Constraints on the conduct of the Audit :Constraints on the conduct of the Audit :