DOMAIN 1 Lecture 1 IS AUDIT PROCESS Joseph Akoki 0803 383 6414 joakoki@yahoo.com
8/31/2013
Introduction
Information and communication technology is providing the tools that are revolutionising business processes the world over, changing professionals from information recorders and processors into business strategists and making them far more critical to the success of an enterprise. It is therefore a sine qua non for corporate success in the 21st century.
A few examples
- The Citibank saga
- The credit card case in the US
- The CBN 1980 case
- Traffic system hacking in the US by an 11-year-old
- Several server crashes
- The CSCS advert ("Don't kill yourself")
- Many more
THEN
WHAT IS IS AUDIT?
IS AUDITING DEFINED
The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organisational goals to be achieved effectively, and uses resources efficiently.
IS AUDIT FUNCTIONS
- Improved safeguarding of assets
- Improved data integrity
- Improved system effectiveness
- Improved system efficiency
Why IS AUDIT?
- The need to provide management with an independent opinion on IT infrastructure and processes
- Corporate governance is becoming IT governance
- The inability of auditors to assess IT processes using the conventional audit approach
The need to reduce risk arising from:
- Vagaries in IT processes (African exposures)
- Oversight functions
- Fraud
- Critical errors and mistakes
- Inefficient support of the business processes
- Security flaws
- An unsecured processing environment
In summary: the need for confidentiality, integrity and availability (CIA).
Why IS AUDIT?
Because of recent corporate failures such as Enron and WorldCom, and several scandals affecting the audit profession, e.g. Afribank, Cadbury and AP, to mention but a few local examples.
IS AUDIT FUNCTIONS
- Improved safeguarding of assets
- Improved data integrity
- Improved system effectiveness
- Improved system efficiency
Throughout this domain we shall conceive of IS auditing as a force that enables the organisation to better achieve the four major objectives stated above.
IS AUDIT FUNCTIONS
The IS audit function should be established by an audit charter. ISACA IS Auditing Standards require that the responsibility, authority, scope and accountability of the IS audit function be appropriately documented in an audit charter or an engagement letter. The IS audit function will most likely be part of the internal audit function and, as such, may include other audit functions. The charter is a governance document that clearly states management's responsibility and objectives for, and delegation of authority to, the IS audit function.
AUDIT PLANNING
Audit planning is both short term and long term. Short-term planning takes account of the audit issues that will be covered during the year. Long-term planning relates to audit plans that take into account risk-related issues arising from changes in the organisation's IT strategic direction that will affect the organisation's IT environment. Analysis of short- and long-term issues should occur at least annually.
AUDIT PLANNING
IS auditor should understand the following when planning:
- New control issues
- Changing technologies
- Changing business processes
- Enhanced evaluation techniques
The result of this analysis for planning future audit activities should be reviewed by senior management, approved by the audit committee (if one exists) or the board of directors, and communicated to the relevant levels of management.
AUDIT PLANNING
The IS auditor should also understand other considerations such as:
- Risk assessment by management
- Privacy issues and regulatory requirements
- System implementation deadlines
- Current and future technologies
- Requirements of business process owners
- IS resource limitations
AUDIT PLANNING
Steps in planning an audit:
- Gain an understanding of the business mission, objectives, purposes and processes, including processing requirements such as AIS and business technology
- Identify stated content such as policies, standards and required guidelines
- Perform a risk analysis
- Conduct an internal control review
- Develop the audit approach/strategy
- Assign personnel resources and address engagement logistics
Ways of gaining an understanding of the business:
- Touring key organisation facilities
- Reading background material
- Reviewing long-term strategic plans
- Interviewing key managers to understand business issues
- Reviewing prior audit reports
CIAL Quadrants
- Confidentiality
- Integrity
- Availability
- Laws and regulations
IS auditor's role
Identify government and relevant external requirements:
- Document pertinent laws and regulations
- Assess whether management has considered them in drawing up policies, standards and procedures
- Review the internal information systems department/activities that address adherence to the laws applicable to the industry
- Determine adherence to established procedures that address these requirements
It is expected that the organisation would have a legal compliance function that the IS control practitioner could rely upon.
Laws and regulations may address:
- Electronic data, personal data, copyright, e-commerce and e-signatures
- Computer system practices and controls
- The manner in which computers, programs and data are stored
- The organisation or activities of the information services function
- IS audits
Regulatory requirements may also cover:
- Credit risk management
- Operational risk management
- The management of IS through clearly defined requirements
Performing IS Audit
Required steps:
- Adequate planning
- Assess overall risks
- Develop an audit program consisting of objectives and procedures to satisfy the audit objectives
- Gather evidence and evaluate the strengths and weaknesses of controls based on the evidence gathered
- Prepare an audit report that presents the issues in an objective manner
- Follow-up reviews
Classification of audit
- Financial audits: assess the correctness of an organisation's financial statements
- Operational audits: assess the structure and strength of internal controls, e.g. IS audits of application controls and logical security systems, HR audits, JIT audits, etc.
- Integrated audits: combine the two above with an integrated approach geared towards the overall objectives of the organisation; these could be internal or external
- Administrative audits: assess issues relating to the efficiency of operational productivity within an organisation
Classification of audit
- IS audits: the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organisational goals to be achieved effectively, and uses resources efficiently
- Forensic audits: traditionally, forensic auditing has been defined as an audit specialised in discovering, disclosing and following up on frauds and crimes. Forensic investigation includes the analysis of electronic devices such as computers, phones, PDAs, disks, switches, routers, hubs and other equipment
Classification of audit
Specialised audits: IS audit involves many specialised reviews that examine areas such as services provided by third parties and forensic auditing. SAS 70-type reviews provide guidance that enables an independent auditor to issue an opinion on a service organisation's description of its controls through a service auditor's report. (SAS 70 has since been superseded by SSAE 16 and later SSAE 18 SOC 1 reports, which serve the same purpose.)
AUDIT PROGRAMS
The audit program is a road map for the IS auditor. Audit programs should focus on major activities and the key controls within and around those activities. Audit program development should take a structured approach in which the audit subject is broken down into phases, tasks and steps. It provides the methodology, suggested steps and procedures, the assignment of work, and the basis for a summary record of the work performed.
AUDIT PROGRAMS
General audit procedures are the basic steps in the performance of an audit and usually include:
- Obtaining and recording an understanding of the audit subject/area
- Risk assessment and general audit plan and schedule
- Detailed audit planning
- Preliminary review of the audit area/subject
- Evaluating the audit area/subject
- Compliance testing (often referred to as tests of controls)
- Substantive testing
- Reporting (communicating results)
- Follow-up
AUDIT PROGRAMS
The IS auditor must understand the procedures for testing and evaluating information systems controls. These procedures could include:
- The use of generalised audit software (GAS) to survey the contents of data files (including system logs)
- The use of specialised software to assess the contents of operating parameter files
- Flow-charting techniques for documenting automated applications and business processes
- The use of audit reports available in operating systems
- Documentation review
- Observation
Audit procedures
These are the detailed steps, instructions or guidelines provided for the collection and accumulation of a particular type of audit evidence during an audit. They could be verbal or written; when written, they need to be approved by audit supervisors. They should be clear enough for auditors to understand what is to be accomplished.
Audit procedures
An example of an audit procedure might be: "Obtain the physical inventory sheets and verify their accuracy. Note any exceptions." Audit procedures usually start with an action word such as review, verify, look, observe, analyse, confirm, recompute or count. The IS auditor should have a sufficient understanding of these procedures to allow for the planning of appropriate audit tests.
AUDIT METHODOLOGY
This is the set of documented audit procedures designed to achieve the planned audit objectives. It contains a statement of scope, the audit objectives and the work programs. It should be set up and approved by audit management and communicated to all audit staff (refer to Exhibit 1.2 on page 25 of the Review Manual).
FRAUD DETECTION
Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives. A well designed internal control system provides good opportunities for deterring fraud and enables timely detection of fraud. Internal controls may fail through circumvention of controls by exploiting vulnerabilities, through management-perpetrated weaknesses in controls for undue advantage, or through collusion between people.
FRAUD DETECTION
Legislation and regulations relating to corporate governance place significant responsibilities on management, auditors and the audit committee regarding the detection and disclosure of any fraud, whether material or not. IS auditors entrusted with assurance functions should exercise reasonable care while performing their work and be alert to the possible opportunities that allow fraud to materialise. If, during the course of regular assurance work, the IS auditor comes across any instance of fraud or indicators of fraud, he or she may, after careful examination and evaluation, communicate the need for a detailed investigation to the appropriate authorities. Where the auditor identifies a major fraud, or where the risk associated with the detection is high, audit management should consider communicating it to the audit committee in a timely manner.
RISK ANALYSIS
Risk analysis is part of audit planning; it helps identify risks and vulnerabilities so that the auditor can determine the controls needed to mitigate them. Risk means different things to different people. In general, risk is any event that negatively affects the accomplishment of an objective.
RISK ANALYSIS
Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact, or relative severity, of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat. Risk in the IT context has three elements:
- Threats to, and vulnerabilities of, processes and/or assets
- Impact on assets based on threats and vulnerabilities
- Probability of threats (a combination of the likelihood and frequency of occurrence)
RISK ANALYSIS
Business risks are those threats that may negatively impact the assets, processes or objectives of a specific business or organisation. These threats may be financial, regulatory or operational. The IS auditor often focuses on high-risk areas associated with the confidentiality, integrity and availability of sensitive and critical information.
RISK ANALYSIS
Perform a cost-benefit analysis (CBA) to select controls that reduce the risk to a level acceptable to management. The CBA is based on the following:
- Cost as compared to the benefit
- Management's appetite for risk: the level of risk acceptable to management
- Preferred risk reduction methods, e.g. terminate the risk, minimise the probability of occurrence, minimise the impact, transfer the risk (insurance)
Monitor the performance levels of the risks when there are significant changes in the environment. This involves:
- Risk reassessment
- Risk mitigation
- Risk re-evaluation
RISK ANALYSIS
Risk analysis serves the following purposes, assisting the IS auditor:
- In identifying risks and threats
- In evaluating controls
- In audit planning
- In determining audit objectives
- In supporting risk-based audit decisions
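The risk analysis and cost-benefit selection described above, as working code. This is an added example and not part of the lecture: a small risk register in which each risk's annual exposure is likelihood x impact (the "business value of the loss" and "estimated frequency" of the definition), and each candidate control is judged by the three CBA criteria the slide lists: benefit versus cost, management's risk appetite, and the preferred reduction method. All risk names, figures, thresholds and function names are constructed for illustration.

```python
"""Risk register with cost-benefit selection of controls.

Added example (not from the lecture). All risks, figures and names are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # estimated annual probability the threat exploits the vulnerability
    impact: float       # business value lost per occurrence (currency units)

    def exposure(self) -> float:
        """Expected annual loss: frequency x value of loss, the lecture's two factors."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    method: str          # "terminate", "minimise_probability", "minimise_impact", "transfer"
    cost: float          # annual cost of operating the control
    factor: float = 0.0  # share of likelihood (or impact) the control removes


def apply_control(risk: Risk, ctl: Control) -> Risk:
    """Residual risk after the control, according to its risk reduction method."""
    if ctl.method == "terminate":                 # stop the activity: no exposure left
        return Risk(risk.name, 0.0, 0.0)
    if ctl.method == "minimise_probability":      # preventive control: fewer occurrences
        return Risk(risk.name, risk.likelihood * (1 - ctl.factor), risk.impact)
    if ctl.method in ("minimise_impact", "transfer"):
        # corrective control, or insurance that pays `factor` of each loss
        return Risk(risk.name, risk.likelihood, risk.impact * (1 - ctl.factor))
    raise ValueError(f"unknown risk reduction method: {ctl.method}")


def select_control(risk: Risk, candidates: List[Control], appetite: float
                   ) -> Tuple[Optional[Control], float]:
    """Cost-benefit analysis for one risk.

    Returns (chosen control or None, residual exposure). A control is eligible only
    if its residual exposure is within management's appetite and the reduction in
    expected loss exceeds its cost; among eligible controls the largest net benefit
    wins. None means the risk is accepted as is (already within appetite) or that
    no control is justified and the risk must be escalated to management.
    """
    if risk.exposure() <= appetite:
        return None, risk.exposure()
    best: Optional[Tuple[float, Control, float]] = None
    for ctl in candidates:
        residual = apply_control(risk, ctl).exposure()
        net_benefit = (risk.exposure() - residual) - ctl.cost
        if residual <= appetite and net_benefit > 0:
            if best is None or net_benefit > best[0]:
                best = (net_benefit, ctl, residual)
    if best is None:
        return None, risk.exposure()
    return best[1], best[2]


# Constructed register: risks, candidate controls, and management's appetite
# (the maximum expected annual loss per risk it is willing to carry).
RISK_APPETITE = 15_000.0

REGISTER: Dict[Risk, List[Control]] = {
    Risk("Unauthorised change to payment batch file", 0.30, 200_000.0): [
        Control("Segregation of duties with approval workflow", "minimise_probability", 15_000.0, 0.8),
        Control("Cyber insurance policy", "transfer", 20_000.0, 0.7),
    ],
    Risk("Data centre power outage", 0.05, 100_000.0): [
        Control("Second generator", "minimise_impact", 30_000.0, 0.9),
    ],
    Risk("Legacy FTP server exposed to the internet", 0.50, 50_000.0): [
        Control("Decommission FTP server", "terminate", 4_000.0),
        Control("Firewall rule restricting FTP to partner IPs", "minimise_probability", 2_000.0, 0.6),
    ],
}


def rank_by_exposure(register: Dict[Risk, List[Control]]) -> List[Risk]:
    """High-risk areas first, which is where the IS auditor focuses."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


def treatment_plan(register: Dict[Risk, List[Control]], appetite: float = RISK_APPETITE
                   ) -> Dict[str, Tuple[Optional[str], float]]:
    """Map each risk name to (chosen control name or None, residual exposure)."""
    plan = {}
    for risk in rank_by_exposure(register):
        ctl, residual = select_control(risk, register[risk], appetite)
        plan[risk.name] = (ctl.name if ctl else None, residual)
    return plan


if __name__ == "__main__":
    for name, (ctl, residual) in treatment_plan(REGISTER).items():
        print(f"{name}: {ctl or 'accept / escalate'} -> residual {residual:,.0f}")
```

In the constructed register the insurance policy is rejected for the first risk even though its net benefit is positive, because the residual exposure (18,000) still exceeds management's appetite; the outage risk is accepted without a control because its exposure is already within appetite; and terminating the FTP service beats restricting it because the terminate option's net benefit is larger.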
INTERNAL CONTROLS
These are the policies, procedures, practices and organisational structures implemented to reduce risks. They operate at all levels within an organisation to mitigate its exposure to risks. The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective internal control system. There are two key aspects that controls should address:
- What should be achieved, and
- What should be avoided
INTERNAL CONTROLS
Controls can be:
Preventive
- Detect problems before they arise
- Monitor both operations and inputs
- Attempt to predict potential problems before they occur and make adjustments
- Prevent errors, omissions or malicious acts from occurring
Detective
- Use controls that detect and report the occurrence of an error, omission or malicious act
Corrective
- Remedy problems
- Minimise the impact of a threat
- Identify the cause of a problem
IS CONTROL OBJECTIVES
Internal control objectives apply to all areas, whether manual or automated. Control objectives in an IS environment remain unchanged from those of a manual environment, but they need to be addressed in a manner specific to IS-related processes.
IS CONTROL OBJECTIVES
IS control objectives include:
- Safeguarding assets
- Assuring the integrity of the general operating systems environment
- Ensuring the efficiency and effectiveness of operations
- Complying with user requirements, organisational policies and applicable laws and regulations
- Developing business continuity and disaster recovery plans
- Developing an incident response and handling plan
- Change management
COBIT
Control Objectives for Information and related Technology. COBIT 4.1 defines 34 high-level control objectives representing IT processes, grouped into 4 domains:
- Plan and Organise
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Its aim is to ensure that adequate governance and control arrangements are provided for the IT environment. It has more than 200 detailed control objectives and draws on 36 major standards and regulations relating to IT. (COBIT 5, released in 2012, reorganised the framework into 37 processes across five domains.)
COBIT
COBIT is directed at the management and staff of information services, control departments, audit functions and, most importantly, the business process owners who use IT processes to assure the confidentiality, integrity and availability of sensitive and critical information. Specific COBIT processes will not be tested, but candidates must know how the framework is applied.
IS CONTROL PROCEDURES
Each general control procedure can be translated into an IS-specific control procedure. IS control procedures include:
- Strategy and direction
- General organisation and management
- Access to data and programs
- System development methodologies and change control
- Data processing operations
- Systems programming and technical support functions
- Data processing quality assurance procedures
- Physical access controls
- Business continuity/disaster recovery planning
- Network and communications
- Database administration
AUDIT RISK
Audit risk can be defined as the risk that information or a financial report may contain a material error that goes undetected during the course of the audit. It is the product of three components:
- Inherent risk (IR): the susceptibility of an area to a material error in the absence of controls
- Control risk (CR): the risk that a material error will not be prevented or detected on a timely basis by the internal control system
- Detection risk (DR): the risk that the auditor's substantive procedures will not detect a material error
Audit risk = IR x CR x DR
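Solving the audit risk model for detection risk, the only component the auditor can set. This worked example is added here and is not part of the lecture; the figures are illustrative:

$$
\text{AR} = \text{IR} \times \text{CR} \times \text{DR}
\quad\Longrightarrow\quad
\text{DR} = \frac{\text{AR}}{\text{IR} \times \text{CR}}
$$

Suppose the auditor is prepared to accept an audit risk of 5 %, inherent risk is assessed at 0.8 (a complex, high-volume payments application) and compliance testing puts control risk at 0.5:

$$
\text{DR} = \frac{0.05}{0.8 \times 0.5} = 0.125
$$

Detection risk can be no higher than 12.5 %, so the substantive tests must be designed to catch at least 87.5 % of material errors. Had compliance testing found the controls unreliable (CR = 1.0), DR would fall to 0.0625 and substantive testing would have to be extended; that is the link between the compliance testing and the substantive testing in the audit program.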
MATERIALITY
The word materiality, associated with any of these components of risk, refers to an error that should be considered significant to any party concerned with the item in question. Materiality considerations combined with audit risk are essential concepts for planning the areas to be audited as well as the specific tests to be performed in a given audit. The assessment of what is material is a matter of professional judgement.
MATERIALITY
Types of errors:
- Known errors: detected errors
- Likely errors: estimated errors
- Possible errors: errors implicit in sampling work
Due professional care requires that the auditor consider the relative materiality or significance of the matters to which audit procedures are applied.
MATERIALITY
Who should set materiality?
The auditor and auditee should arrive at an understanding about the levels of materiality and the assurance level to be applied in an audit; this understanding should be based on cost-benefit considerations. The auditor's judgement plays an important role in setting materiality, in deciding the amount of audit work to be performed, and in evaluating the evidence collected. The concept of materiality requires sound judgement from the IS auditor.
Materiality
Materiality is therefore defined as the magnitude of a misstatement that would influence the judgement of a reasonable user of the financial statements. From an IS audit point of view the concept refers not only to financial statements but also to business operations and computer systems. Material weaknesses in either business operations or computer systems may or may not directly affect the financial statements.
Materiality is to be evaluated:
- From a financial standpoint, in relation to the financial statements as a whole
- From an operations standpoint, in relation to the specific operation under consideration as well as all other operations affected by it
- From a computer systems standpoint, in relation to the specific information system under consideration as well as all other interfacing systems affected by it
EVIDENCE
This is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives. It is a requirement that the auditor's conclusions be based on sufficient, relevant and competent evidence. When planning the audit work, the IS auditor should take into account the type of audit evidence to be gathered.
EVIDENCE
Audit evidence may include the IS auditor's observations, notes taken from interviews, material extracted from correspondence and internal documentation, or the results of audit test procedures.
EVIDENCE
Qualities of good evidence:
- Sufficiency
- Relevance
- Competence
EVIDENCE
Determinants for evaluating the reliability of audit evidence include:
- Independence of the provider
- Qualifications of the provider
- Objectivity of the evidence
- Timing of the evidence
Both the quality and the quantity of evidence must be assessed by the auditor. These two characteristics are referred to by IFAC as competent (quality) and sufficient (quantity). Evidential matter is competent when it is both valid and relevant.
EVIDENCE
The following are techniques for gathering evidence:
- Reviewing the information systems organisation structure
- Reviewing IS policies and procedures
- Reviewing information systems standards
- Reviewing information systems documentation
- Interviewing appropriate personnel
- Observing processes and employee performance
SAMPLING
Sampling is used when time and cost considerations preclude a total verification of all transactions or events in a predefined population. As a general rule, the larger the sample, the more representative it is of the population.
SAMPLING
The two general approaches to audit sampling are statistical and non-statistical.
Statistical sampling:
- An objective method of determining sample size and selection criteria
- The IS auditor quantitatively decides how closely the sample should represent the population (sample precision) and the number of times in 100 that the sample would represent the population (confidence coefficient)
SAMPLING
Non-statistical sampling:
- Judgemental sampling: sample size and selection decisions are based on subjective judgement
- The most risky approach
SAMPLING
There are two approaches:
Attribute sampling:
- Expressed in rates of incidence
- Applied in compliance testing
- Deals with the presence or absence of an attribute
Variable sampling:
- Expressed in units such as dollars, weight, etc.
- Used in substantive testing
SAMPLING
Other attribute sampling methods:
- Stop-or-go sampling: helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment. It is used when the IS auditor believes that relatively few errors will be found in the population.
- Discovery sampling: used when the expected occurrence rate is extremely low, and when the objective is to seek out (discover) fraud, circumvention of regulations or other irregularities.
SAMPLING
Variable sampling models:
- Stratified mean per unit
- Unstratified mean per unit
- Difference estimation
SAMPLING
SAMPLING TERMS
- Confidence coefficient
- Level of risk
- Precision
- Expected error rate
- Sample mean
- Sample standard deviation
- Tolerable error rate
- Population standard deviation
SAMPLING
Key steps in the construction and selection of a sample for an audit test include:
- Determine the objectives of the test
- Define the population to be sampled and the sampling method
- Calculate the sample size
- Evaluate the sample from an audit perspective
SAMPLING
Key concepts to remember. A good sample should be:
- Representative: the sample estimates the true population characteristics as closely as possible
- Corrective: locates as many error items as possible so that they can be corrected
- Protective: attempts to include the maximum number of high-value items in the sample
- Preventive: gives auditees no idea which items will be selected during the audit
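The attribute sampling arithmetic behind the terms above (confidence coefficient, tolerable error rate, expected error rate, precision), together with the stop-or-go and discovery variants, as an added example that is not part of the lecture. It models each sampled item as a deviation/no-deviation trial and uses the binomial distribution, which is the model behind the standard attribute sampling tables; the function names, parameter names and the constructed sample results are the example's own, and it needs Python 3.8 or later for math.comb.

```python
"""Attribute sampling arithmetic for a compliance test.

Added example, not part of the lecture. Each sampled item is a deviation /
no-deviation trial modelled with the binomial distribution. Function names,
parameter names and the sample results below are the example's own.
"""
import math
from itertools import count
from typing import Iterable, Tuple


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): the chance of at most k deviations in n
    items when the true population deviation rate is p."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def discovery_sample_size(confidence: float, critical_rate: float) -> int:
    """Discovery sampling: the smallest n giving P(at least one hit) >= confidence
    when the irregularity occurs at critical_rate in the population."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_deviations: int = 0) -> int:
    """Smallest n such that, if the population rate were as bad as tolerable_rate,
    seeing no more than expected_deviations would be a (1 - confidence) or rarer
    event; a sample of that size can then support reliance on the control."""
    for n in count(expected_deviations + 1):
        if binom_cdf(expected_deviations, n, tolerable_rate) <= 1 - confidence:
            return n


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Achieved upper precision limit: the highest population deviation rate still
    consistent with the sample at the stated confidence (bisection on p, since
    binom_cdf falls as p rises)."""
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > 1e-7:
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid      # a rate this high is still plausible; the limit is above it
        else:
            hi = mid
    return hi


def compliance_conclusion(n: int, deviations: int, tolerable_rate: float,
                          confidence: float) -> Tuple[str, float]:
    """Evaluate the sample: rely on the control only if the upper deviation limit
    does not exceed the tolerable rate."""
    udl = upper_deviation_limit(n, deviations, confidence)
    return ("rely" if udl <= tolerable_rate else "do_not_rely"), udl


def stop_or_go(results: Iterable[bool], tolerable_rate: float,
               confidence: float) -> Tuple[int, str]:
    """Stop-or-go sampling: test items one at a time and stop as soon as the items
    seen already support reliance. Returns (items examined, conclusion)."""
    deviations = 0
    examined = 0
    for examined, is_deviation in enumerate(results, start=1):
        deviations += int(is_deviation)
        verdict, _ = compliance_conclusion(examined, deviations, tolerable_rate, confidence)
        if verdict == "rely":
            return examined, verdict
    return examined, "do_not_rely"


if __name__ == "__main__":
    # 95% confidence, 5% tolerable deviation rate, no deviations expected
    print("sample size:", attribute_sample_size(0.95, 0.05))
    print("discovery sample, 1% critical rate at 99%:", discovery_sample_size(0.99, 0.01))
    print("one deviation found in 59:", compliance_conclusion(59, 1, 0.05, 0.95))
    # constructed results: the 7th and 30th items sampled failed the approval check
    results = [i in (7, 30) for i in range(1, 121)]
    print("stop-or-go over 120 items:", stop_or_go(results, 0.05, 0.95))
```

With no expected deviations, a 95 % confidence level and a 5 % tolerable rate the sample size comes out at 59, the figure the published tables give; a single deviation in those 59 items pushes the upper deviation limit to about 7.8 %, above the tolerable rate, so the control cannot be relied upon and the auditor either extends the sample or falls back on substantive testing. The stop-or-go run shows the other direction: with two deviations in the first 120 items the test never reaches the point at which it can stop.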
CAAT
CAATs help the auditor in gathering and analysing information from different environments with varied data structures, record formats, processing functions, etc. They help the auditor independently access data from different database platforms for analysis. Features include mathematical computation, stratification, statistical analysis, sequence checking, duplicate checking and recomputation. These tools include GAS, utility software, test data, application software tracing and mapping, and expert systems.
CAAT
Examples include:
- File access
- File reorganisation
- Data selection
- Statistical functions
- Arithmetical functions
CAAT
These tools and techniques can be used in performing:
- Tests of details of transactions and balances
- Analytical review procedures
- Compliance tests of IS general controls
- Compliance tests of IS application controls
- Penetration and OS vulnerability assessment testing
See page 44 for the CAAT summary.
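The CAAT features listed above (duplicate checking, sequence checking, recomputation, stratification) applied to a transaction file in the way generalised audit software would, as an added example that is not the lecture's code. The payment file, the field names, the tax rate and every record are constructed for illustration; a segregation-of-duties test is included because it is the same kind of data selection and is a common finding in application control reviews.

```python
"""Generalised audit software (GAS) style tests on a transaction file.

Added example, not the lecture's code. Field names, the tax rate and every
record are invented for illustration.
"""
import csv
import io
from collections import Counter, defaultdict
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed sample file: a duplicate payment (1001/1003), a gap at 1004, a
# repeated number (1006), a total that does not foot, and a self-approved entry.
SAMPLE_FILE = """\
txn_id,vendor,amount,tax,total,entered_by,approver
1001,ACME Ltd,1000.00,75.00,1075.00,asmith,jdoe
1002,Globex,250.00,18.75,268.75,asmith,jdoe
1003,ACME Ltd,1000.00,75.00,1075.00,asmith,jdoe
1005,Initech,15000.00,1125.00,16125.00,bwayne,bwayne
1006,Globex,40.00,3.00,43.50,asmith,jdoe
1006,Globex,40.00,3.00,43.00,asmith,jdoe
"""

TAX_RATE = Decimal("0.075")   # assumed rate used to recompute each line
CENT = Decimal("0.01")


def load(text: str) -> List[Dict[str, str]]:
    """Read the file into records; in practice GAS imports from the live platform."""
    return list(csv.DictReader(io.StringIO(text)))


def duplicate_check(rows, keys=("vendor", "amount", "total")) -> List[List[str]]:
    """Groups of records that repeat on vendor + amount + total: the classic
    double-payment signature."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[k] for k in keys)].append(r["txn_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def sequence_check(rows) -> Tuple[List[int], List[int]]:
    """Gaps (missing numbers) and repeats in the transaction number sequence."""
    ids = [int(r["txn_id"]) for r in rows]
    gaps = sorted(set(range(min(ids), max(ids) + 1)) - set(ids))
    repeats = sorted(i for i, n in Counter(ids).items() if n > 1)
    return gaps, repeats


def recompute(rows) -> List[Tuple[str, str, str]]:
    """Recompute tax and total from the amount; report (id, expected, recorded)
    where the file disagrees. Decimal avoids binary float rounding on money."""
    findings = []
    for r in rows:
        amount = Decimal(r["amount"])
        expected_tax = (amount * TAX_RATE).quantize(CENT)
        expected_total = amount + expected_tax
        if Decimal(r["tax"]) != expected_tax or Decimal(r["total"]) != expected_total:
            findings.append((r["txn_id"], str(expected_total), r["total"]))
    return findings


def stratify(rows, bands=(Decimal("500"), Decimal("5000"))) -> Dict[str, List[str]]:
    """Band records by amount so high-value items can be targeted for substantive testing."""
    strata = {"low": [], "mid": [], "high": []}
    for r in rows:
        amount = Decimal(r["amount"])
        band = "low" if amount < bands[0] else "mid" if amount < bands[1] else "high"
        strata[band].append(r["txn_id"])
    return strata


def segregation_check(rows) -> List[str]:
    """Entries approved by the person who entered them breach segregation of duties."""
    return [r["txn_id"] for r in rows if r["entered_by"] == r["approver"]]


def run_all(text: str = SAMPLE_FILE) -> dict:
    """Run every test over the file and return the findings by test name."""
    rows = load(text)
    gaps, repeats = sequence_check(rows)
    return {
        "duplicates": duplicate_check(rows),
        "gaps": gaps,
        "repeats": repeats,
        "recompute": recompute(rows),
        "strata": stratify(rows),
        "self_approved": segregation_check(rows),
    }


if __name__ == "__main__":
    for test, result in run_all().items():
        print(f"{test}: {result}")
```

Each finding list is the population for a follow-up test: the duplicate pair and the self-approved item go to substantive testing, the sequence gap is traced to a cancellation record or a deleted transaction, and the total that does not foot is a direct application control failure.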
AUDIT DOCUMENTATION
This includes:
- The audit plan
- A description or diagram of the IS environment
- Audit programs
- Minutes of meetings
- Audit evidence
- Findings
- Conclusions and recommendations
- Follow-up documentation
Documentation must be kept in safe custody according to retention policies. The exact content is organisation-specific (see ISACA guideline 060.020.010, Audit Documentation).
AUDIT DOCUMENTATION
Includes:
- The planning and preparation of the audit scope and objectives
- The information systems environment
- The audit program
- The audit steps performed and audit evidence gathered
- The audit findings, conclusions and recommendations
- Any report issued as a result of the work
- Supervisory review
Scheduling constraints, on the side of the auditors and of the auditees, include:
- Availability of audit staff
- Holidays
- Time off for professional conferences
- Recent employee turnover or availability
- Infringement on deadline dates or cyclical processing dates
- Overall lack of knowledge or documentation
To work within these constraints, IS auditors should have a good understanding of overall project management techniques.
OBJECTIVES OF CSA
- To leverage the internal audit function by shifting control monitoring responsibilities to the functional areas
- It is not intended to replace audit's responsibilities but to enhance them
- Clients, such as line managers, are responsible for the controls in their environment; they should also be responsible for monitoring them
- CSA must educate management about control design and monitoring, concentrating particularly on high-risk areas
- A generic set of critical success factors (CSFs), key performance indicators (KPIs) and key goal indicators (KGIs) for each process, which can be used in designing and monitoring the CSA program, is provided in the COBIT management guidelines
BENEFITS OF CSA
- Early detection of risks
- More effective and improved internal controls
- Increased employee awareness of organisational objectives and knowledge of risks and internal controls
- Increased communication between operational and top management
- Improved audit rating process
- Reduction in control costs
- Necessary assurance provided to stakeholders and customers
DISADVANTAGES OF CSA
- It could be mistaken as a replacement for the audit function
- It is regarded as additional workload, i.e. additional reporting to management
- Failure to act on improvement suggestions could damage employee morale
- Lack of motivation may limit its effectiveness in the detection of weak controls
AUDITORS ROLE
The auditor's role should be considered enhanced when the audit department embarks on a CSA program. When these programs are established, auditors become internal control professionals and assessment facilitators, driving process improvement in control structures. For auditors to be effective in this facilitative and innovative role they must understand the business process being assessed. They must remember that they are facilitators and that the management client is the participant in the CSA process.
Reporters
INTEGRATED AUDITING
This combines financial, operational and IS audits to evaluate risk. It involves:
- Identification of relevant key controls
- Review and understanding of the design of key controls
- Testing that key controls are supported by the IT system
- Testing that management controls operate effectively
- A combined report or opinion on control risks, design and weaknesses
CONTINUOUS AUDITING
This is an emerging issue worldwide, largely as a result of corporate failures such as Enron, WorldCom and Parmalat. Continuous auditing is different from continuous monitoring: continuous monitoring is performed by management as part of its own control activities, whereas continuous auditing is performed by the auditor to provide assurance. It relies on complete automation.
CONTINUOUS AUDITING
The IT techniques used to operate a continuous auditing environment must work at all levels. These include:
- Transaction logging
- Query tools
- Statistics and data analysis (CAATs)
- Database management systems (DBMS)
- Data warehouses, data marts and data mining
- Embedded audit modules (EAM)
- Artificial intelligence
- Neural network technology
- Standards such as Extensible Business Reporting Language (XBRL)
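An embedded audit module of the kind listed above, as an added example that is not from the lecture: an audit hook placed inside a mock payment posting routine copies every transaction that meets the auditor's selection criteria into a separate audit review file at the moment it is processed, which is what makes the auditing continuous rather than a periodic extraction. The application, the selection rules and their thresholds, the vendor master and the transactions are all constructed for illustration.

```python
"""Embedded audit module (EAM) for continuous auditing.

Added example, not from the lecture. The application, the selection rules,
the vendor master and the transactions are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List

# Auditor-defined selection criteria (constructed thresholds)
HIGH_VALUE_THRESHOLD = 10_000.0
BUSINESS_HOURS = range(8, 18)                           # 08:00-17:59 is normal posting time
APPROVED_VENDORS = {"ACME Ltd", "Globex", "Initech"}    # stand-in for the vendor master


@dataclass(frozen=True)
class Payment:
    txn_id: int
    vendor: str
    amount: float
    posted_by: str
    posted_at: datetime


@dataclass
class EmbeddedAuditModule:
    """Runs the auditor's rules inside the application and keeps the exceptions
    in an audit review file that the application code never writes to itself."""
    rules: Dict[str, Callable[[Payment], bool]]
    review_file: List[dict] = field(default_factory=list)

    def inspect(self, p: Payment) -> List[str]:
        hits = [name for name, rule in self.rules.items() if rule(p)]
        if hits:
            self.review_file.append({
                "txn_id": p.txn_id, "vendor": p.vendor, "amount": p.amount,
                "posted_by": p.posted_by, "posted_at": p.posted_at.isoformat(),
                "rules": hits,
            })
        return hits


def auditor_rules() -> Dict[str, Callable[[Payment], bool]]:
    """Selection criteria the auditor loads into the module."""
    return {
        "high_value": lambda p: p.amount >= HIGH_VALUE_THRESHOLD,
        "out_of_hours": lambda p: p.posted_at.hour not in BUSINESS_HOURS,
        "vendor_not_in_master": lambda p: p.vendor not in APPROVED_VENDORS,
    }


class PaymentLedger:
    """Mock application. The EAM is invoked inside post(), so every transaction is
    audited as it happens; the business logic itself is untouched by the outcome."""

    def __init__(self, eam: EmbeddedAuditModule):
        self.eam = eam
        self.entries: List[Payment] = []

    def post(self, p: Payment) -> None:
        self.eam.inspect(p)      # embedded audit hook: record, do not block
        self.entries.append(p)


# Constructed transaction stream: one clean payment, one high-value payment, and
# one posted out of hours to a vendor that is not in the master.
SAMPLE_PAYMENTS = [
    Payment(5001, "Globex", 420.00, "asmith", datetime(2013, 8, 30, 10, 15)),
    Payment(5002, "Initech", 15_000.00, "bwayne", datetime(2013, 8, 30, 14, 5)),
    Payment(5003, "Quick Cash Services", 980.00, "asmith", datetime(2013, 8, 30, 22, 40)),
]


def run_day(payments: List[Payment] = SAMPLE_PAYMENTS) -> List[dict]:
    """Post the day's payments and return the audit review file."""
    ledger = PaymentLedger(EmbeddedAuditModule(auditor_rules()))
    for p in payments:
        ledger.post(p)
    assert len(ledger.entries) == len(payments)   # auditing never blocked processing
    return ledger.eam.review_file


if __name__ == "__main__":
    for exception in run_day():
        print(exception)
```

Two design points matter in practice: the hook records and never blocks, because a module that can stop transactions is a control owned by management rather than an audit tool, and the review file must sit outside the application's own write path, or the same people who could manipulate the ledger could clean the audit trail.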