
INTRODUCTION

DOMAIN 1, Lecture 1: IS AUDIT PROCESS
Joseph Akoki, 0803 383 6414, joakoki@yahoo.com
8/31/2013

5 Tasks in this Domain

- Develop and implement a risk-based IS audit strategy for the organisation in compliance with IS audit standards, guidelines and best practices
- Plan specific audits to ensure that IT and business systems are protected and controlled
- Conduct audits in accordance with IS audit standards, guidelines and best practices to meet the planned audit objectives
- Communicate emerging issues, potential risks and audit results to key stakeholders
- Advise on the implementation of risk management and control practices within the organisation while maintaining independence

Introduction
Information and Communication Technology is providing the tools that are revolutionising entire business processes the world over, changing professionals from information recorders and processors into business strategists and making them far more critical to the success of an enterprise. It is therefore a sine qua non for corporate success in the 21st century.

Information or Digital Revolution

- Agrarian revolution
- Industrial revolution
- Information revolution

Information is power (e.g. the Iraq War). It is the difference between success and failure of an enterprise. Information security is therefore key.

Few examples

- Citibank saga
- Credit card case in the US
- CBN 1980 case
- Traffic system hacking in the US by an 11-year-old kid
- Several server crashes
- CSCS advert ("Don't kill yourself")
- Many more

Where are we coming from?

- IT professionals are the A-Z of data processing
- Nobody understands what they are doing
- They record transactions and generate printouts for call-over by operations
- They can make or mar the enterprise
- They commit a lot of fraud, from equipment procurement to data manipulation

THEN

WHAT IS IS AUDIT?


IS AUDITING DEFINED
The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organisational goals to be achieved effectively, and uses resources efficiently.

IS AUDIT FUNCTIONS

- Improved safeguarding of assets
- Improved data integrity
- Improved system effectiveness
- Improved system efficiency

Why CISA OR WHY IS AUDITORS?

- Business processes running on mission-critical applications
- The need to bridge the knowledge gap existing between auditors and IT professionals
- Dependence of auditors on IT professionals during audits
- The need to reduce audit risk/liability
- The need to provide management with an independent opinion on IT infrastructure and processes
- Corporate governance becoming IT governance
- The inability of auditors to assess IT processes using the conventional audit approach

Why IS AUDIT?
The need to reduce risk arising from:

- Vagaries in IT processes (African exposures)
- Oversight functions
- Fraud
- Critical errors and mistakes
- Inefficient support of the business processes
- Security flaws
- Unsecured processing environments

In summary: the need for CIA (confidentiality, integrity and availability).

Why IS AUDIT?
Because of recent corporate failures such as Enron and WorldCom, and the several scandals attending the audit profession, e.g. Afribank, Cadbury and AP, to mention but a few local examples.

The 21st Century Challenge

(a) Understanding business processes that are driven by IT
(b) Understanding key controls embedded in (or lacking from) IT processes
(c) Understanding the risks (IT or non-IT) associated with those controls
(d) Impact analysis or qualification of risks


IS AUDIT FUNCTIONS

- Improved safeguarding of assets
- Improved data integrity
- Improved system effectiveness
- Improved system efficiency

Throughout this domain we shall conceive of IS auditing as a force that enables the organisation to better achieve the four major objectives stated above.

IS AUDIT FUNCTIONS

- The IS audit function should be established by an audit charter
- ISACA IS Auditing Standards require that the responsibility, authority, scope and accountability of the IS audit function are appropriately documented in an audit charter or an engagement letter
- The function will most likely be part of the internal audit function and as such may include other audit functions
- The charter is a governance document that clearly states management's responsibility and objectives for, and delegation of authority to, the IS audit function

Organisation of IS Audit Function

- The highest level of management must approve the audit charter
- Once established, it should only be changed if the change can be thoroughly justified

IS AUDIT RESOURCE MANAGEMENT

- IS auditors are a limited resource and IS technology is constantly changing
- IS auditors should maintain their competency through updating of skills directed towards new audit techniques and technological areas
- IS audit should understand techniques for managing audit projects with appropriately trained members of the audit staff
- ISACA IS Auditing Standards require that the IS auditor is technically competent, having the skills and knowledge necessary to perform the auditor's work
- The IS auditor should maintain technical competence through appropriate continuing professional education (CPE)
- Skills and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments
- A detailed staff training plan should be drawn up for the year based on the organisation's direction
- This plan should be reviewed semi-annually to ensure that the training needs are aligned to the direction the audit organisation is taking
- IS audit management should also provide the IT resources needed to properly perform IS audits of a highly specialised nature (e.g. software, scanners for network intrusion tests, penetration testing)

AUDIT PLANNING

- Audit planning is both short-term and long-term
- Short-term planning takes account of the audit issues that will be covered during the year
- Long-term planning relates to audit plans that take into account risk-related issues regarding changes in the organisation's IT strategic direction that will affect the organisation's IT environment
- Analysis of short- and long-term issues should occur at least annually

The IS auditor should understand the following when planning:

- New control issues
- Changing technologies
- Changing business processes
- Enhanced evaluation techniques

The result of this analysis for planning future audit activities should be reviewed by senior management, approved by the audit committee (if available) or the board of directors, and communicated to the relevant levels of management.

The IS auditor should also understand other considerations such as:

- Risk assessment by management
- Privacy issues and regulatory requirements
- System implementation deadlines
- Current and future technologies
- Requirements of business process owners
- IS resource limitations

Gaining understanding of the overall environment

The following steps are necessary:

- Understand the business mission, objectives, purposes and processes, which include processing requirements such as AIS and business technology
- Identify stated contents such as policies, standards and required guidelines
- Perform a risk analysis
- Conduct an internal control review
- Develop the audit approach/strategy
- Assign personnel resources and address engagement logistics

STEPS AN IS AUDITOR COULD TAKE TO GAIN UNDERSTANDING OF THE BUSINESS

- Touring key organisation facilities
- Reading background material
- Reviewing long-term strategic plans
- Interviewing key managers to understand business issues
- Reviewing prior audit reports

CIAL Quadrants

- Confidentiality
- Integrity
- Availability
- Laws & regulations

END OF LECTURE 1 & QUESTION TIME (IF ANY)


Effect of laws and regulations on IS audit planning

- Data processing
- Data storage and usage (e.g. backup and recovery procedures)
- Proprietary ownership
- Transmission (CBN, Stock Exchange etc.)
- Transborder flows of personal data
- Privacy issues
- Data retention
- Service level issues
- Outsourcing issues

IS auditor's Role
Identify those government and relevant external requirements dealing with:

- Electronic data, personal data, copyrights, e-commerce and e-signatures
- Computer system practices and controls
- The manner in which computers, programs and data are stored
- The organisation or the activities of the information services
- IS audits

Then:

- Document the pertinent laws and regulations
- Assess whether management has considered them in drawing up policies, standards and procedures
- Review the internal information systems department activities that address adherence to the laws applicable to the industry
- Determine adherence to the established procedures that address these requirements

It is expected that the organisation would have a legal compliance function that the IS control practitioner could rely upon.

Examples of IS audit Regulatory Initiatives / internal control frameworks

- Sarbanes-Oxley Act of 2002 (US): requires evaluation of the organisation's IT controls and thus provides new IT governance rules; the IS auditor should consider the impact of SOX as part of audit planning
- US Securities and Exchange Commission
- COSO of the Treadway Commission
- Basel II (Committee on Banking Supervision of UK) recommends conditions (besides credit exposures) which will improve:
  - Credit risk management
  - Operational risk management
  - The management of IS through clearly defined requirements

ISACA IS AUDITING STANDARDS AND GUIDELINES

Let's refer to pages 14-21 of the CISA Review Manual 2008.

ISACA IS AUDITING GUIDELINES

The objective of the ISACA IS Auditing Guidelines is to provide further information on how to comply with the ISACA IS Auditing Standards.

The IS auditor should:

- Consider them in determining how to implement the above standards
- Use professional judgment in applying them
- Be able to justify any departure

Performing IS Audit
Required steps:

- Adequate planning
- Assess overall risks
- Develop an audit program consisting of objectives and procedures to satisfy the audit objectives
- Gather evidence and evaluate the strengths and weaknesses of controls based on the evidence gathered
- Prepare an audit report that presents the issues in an objective manner
- Follow-up reviews

Classification of audit

- Financial audits: assess the correctness of an organisation's financial statements
- Operational audits: assess the structure and strengths of internal controls, e.g. IS audits of application controls and logical security systems, HR audits, JIT audits etc.
- Integrated audits: combine the two above with an integrated approach geared towards the overall objectives of the organisation; this could be internal or external
- Administrative audits: assess issues relating to the efficiency of operational productivity within an organisation

Classification of audit

- IS audits: the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organisational goals to be achieved effectively, and uses resources efficiently
- Forensic audits: traditionally, forensic auditing has been defined as an audit specialised in discovering, disclosing and following up on frauds and crimes. Forensic investigation includes the analysis of electronic devices such as computers, phones, PDAs, disks, switches, routers, hubs and other equipment

Classification of audit

- Specialised audits: IS audit involves a lot of specialised reviews that examine areas such as services provided by third parties and forensic auditing
- SAS 70-type reviews provide guidance to enable an independent auditor to issue an opinion on a service organisation's description of controls through a service auditor's report

AUDIT PROGRAMS

- An audit program is a road map for the IS auditor
- Audit programs should focus on major activities and the key controls within and around such activities
- Audit program development should take a structured approach in which the audit subject is broken down into phases, tasks and steps
- The program provides the methodology, suggested steps and procedures, assignment of work and the basis for a summary record of work

General audit procedures are the basic steps in the performance of an audit and usually include:

- Obtaining and recording an understanding of the audit subject/area
- Risk assessment and a general audit plan and schedule
- Detailed audit planning
- Preliminary review of the audit area/subject
- Evaluating the audit area/subject
- Compliance testing (often referred to as tests of controls)
- Substantive testing
- Reporting (communicating results)
- Follow-up

The IS auditor must understand the procedures for testing and evaluating information systems controls. These procedures could include:

- The use of generalised audit software (GAS) to survey the contents of data files (including system logs)
- The use of specialised software to assess the contents of operating parameter files
- Flow-charting techniques for documenting automated applications and business processes
- The use of audit reports available in operating systems
- Documentation review
- Observation

Audit procedures

- These are detailed steps, instructions or guidelines provided for the collection and accumulation of a particular type of audit evidence during an audit
- They could be verbal or written; when written, they need to be approved by audit supervisors
- They should be clear enough for auditors to understand what is to be accomplished
- An example of an audit procedure might be: "Obtain physical inventory sheets and verify the accuracy... Note any exceptions."
- Audit procedures usually start with an action word such as review, verify, look, observe, analyse, confirm, recompute, count, etc.
- The IS auditor should have a sufficient understanding of these procedures to allow for the planning of appropriate audit tests

AUDIT METHODOLOGY

- This is the set of documented audit procedures designed to achieve the planned audit objectives
- It contains a statement of scope, the audit objectives and the work programs
- It should be set up and approved by audit management and communicated to all audit staff (refer to Exhibit 1.2 on page 25 of the Review Manual)

WORKING PAPERS (WPs)

- All audit plans, programs, tests, activities, findings and incidents shall be properly documented in working papers
- The format and media are optional, but due diligence and best practice require that WPs are dated, initialled, page-numbered, relevant, complete, clear, self-contained and properly labelled, filed and kept in custody
- WPs can be considered the bridge or interface between the audit objectives and the final report and should therefore provide a seamless transition
- The audit report in this context should be viewed as just a particular WP
- WPs do not necessarily have to be in hard copy

FRAUD DETECTION

- Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives
- A well-designed internal control system provides good opportunities for deterring fraud and enables timely detection of fraud
- Internal control may fail through circumvention of controls by exploiting vulnerabilities, through management-perpetrated weaknesses in controls for undue advantage, or through collusion between people
- Legislation and regulations relating to corporate governance cast significant responsibilities on management, auditors and the audit committee regarding the detection and disclosure of any fraud, whether material or not
- IS auditors entrusted with assurance functions should exercise reasonable care while performing their work and be alert to the possible opportunities that allow fraud to materialise
- If, during the course of regular assurance work, the IS auditor comes across any instance of fraud or indicators of fraud, he/she may, after careful examination and evaluation, communicate the need for a detailed investigation to the appropriate authorities
- Where the auditor identifies a major fraud, or where the risk associated with the detection is high, audit management should consider communicating to the audit committee in a timely manner

RISK ANALYSIS

- Risk analysis is part of audit planning; it helps identify risks and vulnerabilities so that the auditor can determine the controls needed
- Risk means different things to different people
- In general, risk is any event that negatively affects the accomplishment of an objective
- Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets
- The impact, or relative severity, of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat

Risk in an IT context has three elements:

- Threats to, and vulnerabilities of, processes and/or assets
- Impact on assets based on threats and vulnerabilities
- Probability of threats (a combination of the likelihood and frequency of occurrence)

Business risks are those threats that may negatively impact the assets, processes or objectives of a specific business or organisation. These threats may be:

- Financial
- Regulatory
- Operational

The IS auditor often focuses on high-risk areas associated with the CIA of sensitive and critical information.

STEPS IN RISK ANALYSIS

- Identification of business objectives, information assets and the underlying systems
- Classification of systems: critical, sensitive
- Identify risks and determine the probability of occurrence and the resulting impact
- Identify controls that will:
  - Detect
  - Minimise the impact
  - Transfer the risk to another organisation
- Perform a cost-benefit analysis (CBA) to select controls that reduce the risk to a level acceptable to management. CBA is based on the following:
  - Cost as compared to the benefit
  - Management's appetite for risk (the level of risk acceptable to management)
  - Preferred risk reduction methods, e.g. terminate the risk, minimise the probability of occurrence, minimise the impact, transfer/insurance
- Monitor the performance levels of the risks when there are significant changes in the environment. This involves:
  - Risk reassessment
  - Risk mitigation
  - Risk re-evaluation

RISK ANALYSIS
Risk analysis serves the following purposes, assisting the IS auditor:

- In identifying risks and threats
- In evaluating controls
- In audit planning
- In determining audit objectives
- In supporting risk-based audit decisions

INTERNAL CONTROLS

- These are policies, procedures, practices and organisational structures implemented to reduce risks
- They operate at all levels within an organisation to mitigate corporate exposure to risks
- The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective internal control system
- There are two key aspects that controls should address: what should be achieved, and what should be avoided

INTERNAL CONTROLS
Controls can be:

- Preventive
  - Detect problems before they arise
  - Monitor both operations and inputs
  - Attempt to predict potential problems before occurrence and make adjustments
  - Prevent errors, omissions or malicious acts from occurring
- Detective
  - Use controls that detect and report the occurrence of an error, omission or malicious act
- Corrective
  - Remedy problems
  - Minimise the impact of a threat
  - Identify the cause of a problem

See Exhibit 1.2 on pages 23-24 for more details.

INTERNAL CONTROL OBJECTIVES

These are statements of the desired result or purpose to be achieved by implementing control procedures in a particular activity. They include the following:

- Internal accounting controls
- Operational controls
- Administrative controls

Control objectives include:

- Safeguarding of information assets
- Compliance with corporate policies or legal requirements
- Authorisation/input
- Accuracy and completeness of transaction processing
- Output
- Reliability of process
- Backup/recovery
- Efficiency and economy of operations
- Change management process for IT and related systems

IS CONTROL OBJECTIVES

- Internal control objectives apply to all areas, whether manual or automated
- Control objectives in an IS environment remain unchanged from those of a manual environment
- But internal control objectives need to be addressed in a manner specific to IS-related processes

IS control objectives include:

- Safeguarding assets
- Assuring the integrity of the general operating systems environment
- Ensuring the efficiency and effectiveness of operations
- Complying with user requirements, organisational policies and applicable laws and regulations
- Developing business continuity and disaster recovery plans
- Developing an incident response and handling plan
- Change management

COBIT

- Control Objectives for Information and related Technology
- 34 high-level control objectives representing IT processes, grouped into 4 domains:
  - Plan and Organise
  - Acquire and Implement
  - Deliver and Support
  - Monitor and Evaluate
- Aims to ensure that adequate governance and control arrangements are provided for the IT environment
- Has more than 200 detailed control objectives and draws on 36 major standards and regulations relating to IT
- Directed to the management and staff of information services, control departments, audit functions and, most importantly, the business process owners using IT processes to assure the CIA of sensitive and critical information
- Specific COBIT processes will not be tested, but candidates must know the framework's applications

GENERAL CONTROL PROCEDURES

These apply to all areas of the organisation and are generally called internal controls. They include:

- Internal accounting controls
- Operational controls
- Administrative controls
- Logical security policies and procedures
- Overall policies for the design and use of adequate documents and records to help ensure proper recording
- Procedures and features to ensure adequate safeguards over access to and use of assets and facilities
- Physical security policies for all data centres

IS CONTROL PROCEDURES

Each general control procedure can be translated into an IS-specific control procedure. IS control procedures include:

- Strategy and direction
- General organisation and management
- Access to data and programs
- System development methodologies and change control
- Data processing operations
- Systems programming and technical support functions
- Data processing quality assurance procedures
- Physical access controls
- Business continuity / disaster recovery planning (BC/DRP)
- Network and communications
- Database administration

Audit risk and Materiality

- A risk-based audit approach assists the auditor in determining the nature and extent of testing, besides helping make the decision to perform a compliance or a substantive test
- Within this concept, inherent risk, control risk or detection risk should not be the main concern of the auditor, despite major weaknesses
- IS auditors do not rely on risk alone; they also rely on internal and operational controls as well as knowledge of the company or the business
- This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices

AUDIT AND MATERIALITY

See Exhibit 1.4 on page 32 for a risk-based audit approach:

- Gather information and plan
- Obtain an understanding of internal control
- Perform compliance tests
- Perform substantive tests
- Conclude the audit

Audit risk can be defined as the risk that an information/financial report may contain a material error that goes undetected during the course of the audit.

AUDIT AND MATERIALITY

Audit risk can be categorised as:

- Inherent risk: the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls. Inherent risks exist independently of an audit and can occur because of the nature of the business
- Control risk: the risk that a material error exists that will not be prevented or detected in a timely manner by the internal control system
- Detection risk: the risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when in fact they do

Audit risk = IR x CR x DR

AUDIT AND MATERIALITY

Audit risk is also sometimes used to describe the level of risk that the IS auditor is prepared to accept during an audit engagement.

NB: Audit risk should not be confused with statistical sampling risk, which is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is selected.

MATERIALITY

- The word materiality, associated with any of these components of risk, refers to an error that should be considered significant to any party concerned with the item in question
- Materiality considerations combined with audit risk are essential concepts for planning the areas to be audited as well as the specific tests to be performed in a given audit
- The assessment of what is material is a matter of professional judgment

Types of errors:

- Known errors: detected errors
- Likely errors: estimated errors
- Possible errors: errors implicit in sampling work

Due professional care requires that the auditor consider the relative materiality or significance of matters to which audit procedures are applied.

Who should set materiality?

- The auditor and auditee should arrive at an understanding about the levels of materiality and the assurance level to be applied in an audit; this understanding should be based on cost-benefit considerations
- Auditor judgment plays an important role in materiality, in the amount of audit work to be performed and in evaluating the evidence collected
- The concept of materiality requires sound judgment from the IS auditor

Materiality

Materiality is therefore defined as the magnitude of a misstatement that would influence the judgment of a reasonable user of financial statements. From an IS audit point of view the concept refers not only to financial statements but also to business operations and computer systems. Material weaknesses in either business operations or computer systems may or may not directly affect the financial statements.

Materiality is to be evaluated:

- From a financial standpoint, in relation to the financial statements as a whole
- From an operations standpoint, in relation to the specific operation under consideration as well as all other operations affected by it
- From a computer systems standpoint, in relation to the specific information system under consideration as well as all other interfacing systems affected by it

RISK ASSESSMENT TECHNIQUES

- There are many assessment methodologies, computerised and non-computerised, from which the IS auditor may choose
- These range from simple classifications of high, medium and low, based on the IS auditor's judgment, to complex and apparently scientific calculations that provide a numeric risk rating
- One such risk assessment approach is a scoring system that is useful in prioritising audits based on an evaluation of risk factors
- Another form is judgmental, based on business knowledge, executive management directives, historical perspectives, business goals and environmental factors

Using risk assessment to determine the areas to be audited:

- Enables management to effectively allocate limited audit resources
- Ensures that relevant information has been obtained from all levels of management, including the board of directors
- Establishes a basis for effectively managing the audit department
- Provides a summary of how the individual audit subject is related to the overall organisation as well as to the business plans
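As an added example (not from the lecture or from ISACA), the scoring approach described above, worked through in Python: each audit subject is rated 1 to 5 on a set of weighted risk factors, the weighted score is bumped for subjects overdue for audit, and the result is mapped to the high/medium/low classification the slide mentions. The factor names, weights, thresholds, overdue uplift and the audit universe are all constructed assumptions.

```python
"""Added example (not from the lecture): a weighted risk-scoring system for
prioritising an audit universe, one of the risk assessment approaches the
slides mention. Factors, weights, thresholds and subjects are constructed."""
from dataclasses import dataclass

# Hypothetical risk factors; each subject is rated 1 (low) to 5 (high) per
# factor. The weights express management's view of relative importance and
# must sum to 1.0 so the weighted score stays on the same 1..5 scale.
FACTOR_WEIGHTS = {
    "business_criticality": 0.30,     # supports mission-critical processes
    "data_sensitivity": 0.25,         # confidentiality/integrity exposure
    "regulatory_exposure": 0.15,      # laws and regulations that apply
    "change_since_last_audit": 0.15,  # new systems, upgrades, reorganisation
    "prior_findings": 0.15,           # weaknesses reported in earlier audits
}

# Cut-offs for the high/medium/low classification (assumed values).
HIGH_THRESHOLD = 3.5
MEDIUM_THRESHOLD = 2.5
OVERDUE_BUMP_PER_YEAR = 0.25  # assumed uplift per year unaudited beyond one


@dataclass
class AuditSubject:
    name: str
    ratings: dict          # factor name -> rating 1..5
    years_since_audit: int = 0


def validate_weights(weights):
    """Reject weight sets that do not partition the score."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {total:.2f}, expected 1.0")


def risk_score(subject, weights=FACTOR_WEIGHTS):
    """Weighted average of the ratings plus an overdue uplift, capped at 5.0."""
    validate_weights(weights)
    missing = set(weights) - set(subject.ratings)
    if missing:
        raise ValueError(f"{subject.name}: no rating for {sorted(missing)}")
    for factor, rating in subject.ratings.items():
        if not 1 <= rating <= 5:
            raise ValueError(f"{subject.name}: {factor} rating {rating} not in 1..5")
    score = sum(weights[f] * subject.ratings[f] for f in weights)
    score += OVERDUE_BUMP_PER_YEAR * max(0, subject.years_since_audit - 1)
    return round(min(score, 5.0), 2)


def classify(score):
    """Map a numeric score to the simple high/medium/low rating."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def prioritise(subjects):
    """Return (name, score, rating) tuples, highest risk first; ties by name."""
    scored = []
    for s in subjects:
        score = risk_score(s)
        scored.append((s.name, score, classify(score)))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed audit universe for a bank-like organisation.
AUDIT_UNIVERSE = [
    AuditSubject("Core banking application",
                 {"business_criticality": 5, "data_sensitivity": 5,
                  "regulatory_exposure": 5, "change_since_last_audit": 4,
                  "prior_findings": 3}, years_since_audit=1),
    AuditSubject("Payroll system",
                 {"business_criticality": 3, "data_sensitivity": 4,
                  "regulatory_exposure": 3, "change_since_last_audit": 2,
                  "prior_findings": 2}, years_since_audit=3),
    AuditSubject("Intranet notice board",
                 {"business_criticality": 1, "data_sensitivity": 1,
                  "regulatory_exposure": 1, "change_since_last_audit": 2,
                  "prior_findings": 1}, years_since_audit=0),
    AuditSubject("Network perimeter firewalls",
                 {"business_criticality": 4, "data_sensitivity": 4,
                  "regulatory_exposure": 3, "change_since_last_audit": 5,
                  "prior_findings": 4}, years_since_audit=2),
]

if __name__ == "__main__":
    for name, score, rating in prioritise(AUDIT_UNIVERSE):
        print(f"{score:4.2f}  {rating:6}  {name}")
```

The payroll system lands just below the high cut-off only because of its overdue uplift, which is the kind of borderline case an auditor reviews by judgment rather than accepting the number blindly.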

COMPLIANCE vs SUBSTANTIVE TESTING

- The identification of key control points allows the IS auditor to develop a preliminary understanding, through compliance tests of those controls, of whether they are working as expected. The results of these compliance tests allow the IS auditor to design more extensive compliance or substantive tests
- There is a difference between evidence gathering for the purpose of testing an organisation's compliance with control procedures and evidence gathering to evaluate the integrity of individual transactions, data or information. The former procedures are called compliance tests and the latter substantive tests
- A compliance test determines whether controls are being applied in a manner that complies with management policies and procedures
- It is important that the IS auditor understands the specific objective of a compliance test and the control being tested
- Compliance tests can be used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence
- A substantive test tests the integrity of actual processing. It provides evidence of the validity and integrity of the balances in the financial statements and of the transactions that support these balances
- IS auditors use substantive tests to test for monetary errors directly affecting financial statement balances
- An IS auditor may use a substantive test to determine whether the tape library inventory records are correctly stated
- There is therefore a correlation between the level of internal controls and the amount of substantive testing required
- If the results of the testing of controls (compliance tests) reveal the presence of adequate internal controls, the IS auditor is justified in minimising the substantive procedures
- Conversely, if the testing of controls reveals weaknesses in controls that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts

See Exhibit 1.5, page 37.

EVIDENCE

- Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives
- It is a requirement that the auditor's conclusions be based on sufficient, relevant and competent evidence
- When planning the audit work, the IS auditor should take into account the type of audit evidence to be gathered
- Audit evidence may include the IS auditor's observations, notes taken from interviews, material extracted from correspondence and internal documentation, or the results of audit test procedures

Qualities of good evidence:

- Sufficiency
- Relevance
- Competence

Determinants for evaluating the reliability of audit evidence include:

- Independence of the provider
- Qualification of the provider
- Objectivity of the evidence
- Timing of the evidence

Both the quality and the quantity of evidence must be assessed by the auditor. These two characteristics are referred to by the IFAC as competent (quality) and sufficient (quantity). Evidential matter is competent when it is both valid and relevant.

The following are techniques for gathering evidence:

- Reviewing the information systems organisation structure
- Reviewing IS policies and procedures
- Reviewing information systems standards
- Reviewing information systems documentation
- Interviewing appropriate personnel
- Observing processes and employee performance

INTERVIEWING AND OBSERVING PERSONNEL IN THE PERFORMANCE OF THEIR DUTIES

This assists the IS auditor in identifying:

- Actual functions
- Actual processes/procedures
- Security awareness
- Reporting relationships

SAMPLING
Sampling is used when time and cost considerations preclude a total verification of all transactions or events in a predefined population As a general rule the larger the sample the more representative the sample is of the population

SAMPLING
The two general approaches to audit sampling are statistical and non-statistical.
Statistical sampling:
An objective method of determining sample size and selection criteria
The IS auditor quantitatively decides how closely the sample should represent the population (sample precision) and the number of times in 100 that the sample should represent the population

SAMPLING
Non-statistical sampling:
Judgmental sampling: sample size and selection decisions are based on subjective judgment
Most risky

SAMPLING
There are two approaches:
Attribute sampling:
Expressed in rates of incidence
Applied in compliance testing
Deals with the presence or absence of the attribute
Variable sampling:
Expressed in dollars, weight, etc.
Used in substantive testing situations

SAMPLING
Other attribute sampling methods:
Stop-or-go sampling: helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment. It is used when the IS auditor believes that relatively few errors will be found in the population.
Discovery sampling: used when the expected occurrence rate is extremely low, i.e. when the objective is to seek out (discover) fraud, circumvention of regulations or other irregularities.

SAMPLING
Variable sampling models:
Stratified mean per unit
Unstratified mean per unit
Difference estimation

SAMPLING
SAMPLING TERMS
Confidence coefficient
Level of risk
Precision
Expected error rate
Sample mean
Sample standard deviation
Tolerable error rate
Population standard deviation

SAMPLING
Key steps in the construction and selection of a sample for an audit test include:
Determine the objectives of the test
Define the population to be sampled and the method
Calculate the sample size
Evaluate the sample from an audit perspective

SAMPLING
Key concepts to remember:
A good sample should be:
Representative: estimates the true population characteristics as closely as possible
Corrective: locates as many error items as possible so that they can be corrected
Protective: attempts to include the maximum number of high-value items in the sample
Preventive: gives auditees no idea which items will be selected during the audit
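As an added illustration, not part of the lecture, the hypothetical Python functions below give numbers to the sampling terms above (confidence coefficient, tolerable error rate, expected error rate, precision) using the binomial model, and run the stop-or-go procedure over a constructed list of test results; the function names and data are assumptions.

```python
"""Attribute sampling for a compliance test, using the binomial model.
Hypothetical helpers added to this lecture; they are not ISACA material."""
from math import ceil, comb

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): chance of at most k errors in n items."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))

def attribute_sample_size(confidence, tolerable_rate, expected_rate, max_n=10000):
    """Smallest n such that a population as bad as tolerable_rate would show at
    most ceil(n * expected_rate) errors with probability <= 1 - confidence."""
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("need 0 <= expected_rate < tolerable_rate < 1")
    alpha = 1 - confidence
    for n in range(1, max_n + 1):
        if binom_cdf(ceil(n * expected_rate), n, tolerable_rate) <= alpha:
            return n
    raise ValueError("rates too close: no sample size up to max_n")

def upper_error_limit(n, errors_found, confidence):
    """Achieved upper error limit: the highest population error rate still
    consistent, at this confidence, with seeing errors_found in n items."""
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection; the cdf falls as the assumed rate p rises
        mid = (lo + hi) / 2
        if binom_cdf(errors_found, n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi

def stop_or_go(items, stage_size, tolerable_rate, confidence):
    """Stop-or-go sampling: test items stage by stage and stop as soon as the
    upper error limit is within the tolerable rate. An item is True when the
    control deviation was present. Returns (examined, errors, accepted)."""
    examined = errors = 0
    for start in range(0, len(items), stage_size):
        stage = items[start:start + stage_size]
        examined += len(stage)
        errors += sum(stage)
        if upper_error_limit(examined, errors, confidence) <= tolerable_rate:
            return examined, errors, True
    return examined, errors, False

if __name__ == "__main__":
    RESULTS = [i == 25 for i in range(100)]  # constructed: one deviation in 100
    print(attribute_sample_size(0.95, 0.05, 0.01), stop_or_go(RESULTS, 20, 0.10, 0.90))
```

For 95% confidence, a 5% tolerable rate and a 1% expected rate the sample size comes out at 93, the figure found in standard attribute-sampling tables; stop-or-go on the constructed results stops after 40 of the 100 items.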

CAAT
CAATs help the auditor in gathering and analysing information from different environments with varied data structures, record formats, processing functions, etc. They help the auditor to independently access data from different database platforms for analysis. Features include mathematical computation, stratification, statistical analysis, sequence checking, duplicate checking and recomputation. These tools include GAS (generalised audit software), utility software, test data, application software tracing and mapping, and expert systems.

CAAT
Examples include:
File access
File reorganisation
Data selection
Statistical functions
Arithmetical functions

CAAT
These tools and techniques can be used in performing:
Tests of details of transactions and balances
Analytical review procedures
Compliance tests of IS general controls
Compliance tests of IS application controls
Penetration and OS vulnerability assessment testing
See page 44 for the CAAT summary

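As an added example, not part of the lecture or of any audit tool, the Python below applies four of the CAAT features listed above (sequence checking, duplicate checking, stratification and recomputation) to a constructed payment extract; the data and function names are assumptions.

```python
"""CAAT-style tests over a constructed payment extract.
Hypothetical data and functions added to this lecture (not from any audit
tool); they mirror the features named above: sequence checking, duplicate
checking, stratification and recomputation."""
from collections import defaultdict

# Constructed extract: (voucher number, vendor, amount, payment date).
PAYMENTS = [
    (1001, "Acme Ltd", 1200.00, "2013-08-01"),
    (1002, "Beta Supplies", 15750.00, "2013-08-01"),
    (1003, "Acme Ltd", 1200.00, "2013-08-01"),       # repeats voucher 1001
    (1005, "Gamma Services", 480.50, "2013-08-02"),  # 1004 is missing
    (1006, "Delta Works", 99999.99, "2013-08-02"),
    (1008, "Beta Supplies", 320.00, "2013-08-03"),   # 1007 is missing
]

def sequence_gaps(records):
    """Sequence checking: voucher numbers missing between the lowest and highest."""
    present = {r[0] for r in records}
    return [n for n in range(min(present), max(present) + 1) if n not in present]

def duplicate_payments(records):
    """Duplicate checking: groups of vouchers that share vendor, amount and date."""
    groups = defaultdict(list)
    for number, vendor, amount, date in records:
        groups[(vendor, amount, date)].append(number)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def stratify(records, bands):
    """Stratification: {lower bound: [count, total]} per amount band; bands is an
    ascending list of lower bounds whose first entry covers the smallest amount."""
    table = {lower: [0, 0.0] for lower in bands}
    for _, _, amount, _ in records:
        lower = max(b for b in bands if amount >= b)
        table[lower][0] += 1
        table[lower][1] = round(table[lower][1] + amount, 2)
    return table

def recompute_control_total(records, reported_total):
    """Recomputation: re-add the extract and compare with the control total
    the application reported. Returns (recomputed total, difference)."""
    recomputed = round(sum(r[2] for r in records), 2)
    return recomputed, round(recomputed - reported_total, 2)

if __name__ == "__main__":
    print(sequence_gaps(PAYMENTS), duplicate_payments(PAYMENTS))
    print(stratify(PAYMENTS, [0, 1000, 10000]), recompute_control_total(PAYMENTS, 117750.49))
```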
COMMUNICATING AUDIT RESULTS


The exit interview should round up an audit and should achieve the following:
Ensure that the facts presented in the report are correct
Ensure that the recommendations are realistic and cost-effective; if not, seek alternatives
Recommend implementation dates for agreed recommendations

COMMUNICATING AUDIT RESULTS


Presentation techniques could include:
Executive summary (report synopsis)
Visual presentation
The IS auditor should discuss the findings with auditee management to gain agreement on the findings and develop corrective actions. In cases where there is disagreement, the IS auditor should elaborate on the significance of the finding, the risks and the effect of not correcting the control weakness. Sometimes auditee management may request assistance from the IS auditor in implementing the recommended control enhancements. The IS auditor should communicate the difference between the IS auditor's role and that of a consultant, and give careful consideration to how assisting the auditee may adversely affect the IS auditor's independence.

AUDIT REPORT STRUCTURE AND CONTENTS


Audit reports are the end product of IS audit work, presenting findings and recommendations. Audit report formats vary by organisation; there is no specific format for an IS audit report.

AUDIT REPORT STRUCTURE AND CONTENTS


Audit reports, however, will usually have the following structure and content:
Introduction
Conclusion
Reservations and qualifications
Detailed audit findings
Limitations to the audit
Statement on the IS audit guidelines followed

AUDIT REPORT STRUCTURE AND CONTENTS


The IS auditor should exercise independence in the reporting process. Management evaluates and responds to the findings, stating the corrective actions to be taken and the timing for implementation. Management may not be able to implement all the audit recommendations immediately; the IS auditor should discuss the recommendation dates while in the process of releasing the audit report, and must recognise that various constraints, such as staff limitations, budgets or other projects, may limit immediate implementation. Management should develop a firm programme for corrective action. It is important to obtain a commitment from the auditee/management on the date by which the action plan will be completed, as the IS auditor may want to report to upper management on the progress of implementing the recommendations.

MGT ACTION TO IMPLEMENT RECOMMENDATIONS

The IS auditor should realise that auditing is an ongoing process. The IS auditor should have an effective follow-up programme to determine whether corrective actions are being followed. IS auditors who work for external audit firms may not necessarily follow this process; they may only perform these tasks if agreed with the audited entity.

AUDIT DOCUMENTATION
These include:
Audit plan
A description or diagram of the IS environment
Audit programs
Minutes of meetings
Audit evidence
Findings
Conclusions and recommendations
Follow-up documentation
Must be kept in safe custody according to retention policies
Exact content is organisation specific (see ISACA guideline 060.020.010, Audit Documentation)

AUDIT DOCUMENTATION
Includes:
The planning and preparation of the audit scope and objectives
The information systems environment
The audit program
The audit steps performed and audit evidence gathered
The audit findings, conclusions and recommendations
Any report issued as a result of the work
Supervisory review

CONSTRAINTS ON THE CONDUCT OF THE AUDIT

Auditors:
Availability of audit staff
Holidays
Time-off for professional conferences

Auditees:
Recent employee turnover or availability
Infringement on deadline dates or cyclical processing dates
Overall lack of knowledge or documentation

To understand these constraints, IS auditors should have a good understanding of overall project management techniques.

Project Mgt Techniques


Could be automated or manual. They include the following basic steps:
Develop a detailed plan
Report project activity against the plan
Adjust the plan and take corrective action

CONTROL SELF ASSESSMENT(CSA)


A management technique that assures stakeholders, customers and other parties that the internal control system of the business is reliable. It ensures that employees are aware of the risks to the business and that they conduct periodic proactive reviews of controls. It is a methodology used to review key business objectives and the risks involved in achieving those objectives. In practice, CSA is a series of tools on a continuum of sophistication, ranging from simple questionnaires to facilitated workshops, designed to gather information.

CONTROL SELF ASSESSMENT(CSA)


It can be implemented by various methods. For small business units within an organisation, it can be done through workshops. In a large organisation it could be done through questionnaires or a hybrid of the two. See Exhibit 1.6.

OBJECTIVES OF CSA
To leverage the internal audit function by shifting control monitoring responsibilities to the functional areas
It is not intended to replace audit's responsibilities BUT to enhance them
Clients, such as line managers, are responsible for controls in their environment; they should also be responsible for monitoring them
CSA must educate management about control design and monitoring, particularly concentrating on high-risk areas
A generic set of CSFs, KPIs and KGIs for each process, which can be used in designing and monitoring the CSA program, has been provided in the COBIT management guidelines

BENEFITS OF CSA
Early detection of risks
More effective and improved internal controls
Increased employee awareness of organisational objectives and knowledge of risks and internal controls
Increased communication between operational and top management
Improved audit rating process
Reduction in control cost
Necessary assurance provided to stakeholders and customers

DISADVANTAGES OF CSA
It could be mistaken as a replacement for the audit function
It is regarded as additional workload, i.e. additional reporting to management
Failure to act on improvement suggestions could damage employee morale
Lack of motivation may limit effectiveness in the detection of weak controls

AUDITOR'S ROLE
The auditor's role should be considered enhanced when the audit department embarks on a CSA program. When these programs are established, auditors become internal control professionals and assessment facilitators, driving process improvement in control structures. For the auditor to be effective in this facilitative and innovative role, he/she must understand the business process being assessed. Auditors must remember that they are facilitators and that the management client is the participant in the CSA process.

TRADITIONAL Vs. CSA APPROACH


TRADITIONAL (HISTORICAL)                                                   | CSA
Assigns duties / supervises staff                                          | Empowered / accountable employees
Policy / rule driven                                                       | Continuous improvement / learning curve
Limited employee participation                                             | Extensive employee participation and training
Narrow stakeholder focus                                                   | Broad stakeholder focus
Auditors and other specialists are the primary control analysis reporters  | Staff at all levels, in all functions, are the primary control analysis reporters

Emerging changes in the IS audit process


Automated work papers
Integrated auditing
Continuous auditing

AUTOMATED WORK PAPERS


Audit documentation driven by automation. CIA (confidentiality, integrity, availability) rules must be applied. Minimum controls include:
Access to WPs (work papers)
Audit trails
Automated features to provide and record approvals
Security and integrity controls regarding the O/S, DBs and communication channels
Backup and restore procedures
Encryption techniques

INTEGRATED AUDITING
This combines financial, operational and IS audit to evaluate risk. It involves:
Identification of relevant key controls
Review and understanding of the design of key controls
Testing that key controls are supported by the IT system
Testing that management controls operate effectively
A combined report or opinion on control risks, design and weaknesses

CONTINUOUS AUDITING
This is an emerging issue worldwide, as a result of corporate failures, e.g. Enron, WorldCom, Parmalat, etc.
Continuous auditing is different from continuous monitoring.
It rides on complete automation.

CONTINUOUS AUDITING
IT techniques that are used to operate a CA environment must work at all levels. These include:
Transaction logging
Query tools
Statistics and data analysis (CAAT)
Database management systems (DBMS)
Data warehouses, data marts, data mining
Embedded audit modules (EAM)
Artificial intelligence
Neural network technology
Standards such as Extensible Business Reporting Language (XBRL)

THIS IS A COMFORTABLE POINT TO SAY.

THANK YOU AND BEST OF LUCK
