Session 10
Bentley University
18 April 2013
Session 10 Agenda
1. Revisiting Closing the Loop Framework
2. Measuring IT Audit Performance
3. Application System Audit Planning
John W. Beveridge
Section 1
[Figure: the "Closing the Loop" cycle: A. Define Control Objectives, B. Identifying Control Criteria, C. Develop Audit Objectives, D. Define Audit Criteria, E. Build Audit Steps, F. Develop Audit Results]
Framework Outline: Closing the Loop Framework
A. Identifying operational and control objectives
B. Identifying and classifying control criteria
C. Developing audit objectives
D. Defining audit criteria in terms of evidence requirements
E. Building audit steps
F. Developing audit results
(Steps A through D make up Audit Planning.)
A. Defining Control Objectives
Internal Control
Controls are framed by what is to be attained (control objectives) and the means to attain those goals (the controls).
A. IT Control Objective
A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
Identifying Control Objectives
Identification of relevant operational and control objectives:
- First, what needs to be achieved and what needs to be avoided.
- Then, based on the importance and impact of risk, triage the control requirements.
Understanding Control Requirements
The auditor's understanding of what is important to the business, its customers, and oversight bodies, and the reasons why IT needs to be controlled.
A. Identifying Control Objectives
To Achieve Business Objectives (sources):
- Mission Statement
- Business Objectives
- Interviews with Managers
- Business White Paper
To Avoid Risks, Threats and Exposures (sources):
- Risk Assessment
- Risk Management Reports
- Incident Reports
- Security Reports
B. Identifying Control Criteria: Building Audit Criteria
Look Back: Controls and Control Evidence
Researching controls
Start with researching the control objectives, or the purpose to be achieved.
Control Classification
- General controls
- Application controls
- Primary controls
- Secondary controls
- Preventive controls
- Detective controls
- Corrective controls
- Compensating controls
For each control (General or Application): In place? In effect?
Physical Security (example classification of controls)

Control           | Control Category | Type of Control                              | Control Benefits | Adverse Impact of Control not in Place/Effect
Lock              | Mechanism        | Primary; Preventive                          | Prevent access   | Unauthorized access gained
Monitor, Camera   | Mechanism        | Secondary; Detective                         |                  |
Guard(s) in lobby | Organizational   | Secondary; Preventive, Detective, Corrective |                  | Unauthorized access gained
C. Develop Audit Objectives
Audit Objectives
- Depends on the type of audit.
- Relate the audit objective to the control objective.
- Link the audit objectives and audit procedures to the control objectives and the controls (review and examination steps) to obtain sufficient audit evidence to draw conclusions.
Audit Objectives
[Figure relating Business Objectives (To Achieve), RISKS (To Avoid), Controls (Control in Place, Control in Effect), Process and Audit]
Control: Sign-out policy for notebook computers
Audit evidence that the control is in place:
- Documented policy that all notebook computers are to be signed out.
- Policy is readily available in hardcopy and online.
- Understanding of the policy by management and staff.
- Register maintained of all signed-out notebooks.
- Documentation of signatures of parties to whom notebooks have been assigned.
- Reconciliation of sign-out documentation to the IT resource inventory.
[Figure linking the control side (Control Objective, Control Practices, Criteria, Evidence Requirements) to the audit side (Audit Objective, Audit Strategy, Audit Procedures)]
D. Define Audit Criteria
Developing Audit Strategy
Determine exactly what evidence is needed for the relevant controls:
- identify CSFs and Risk Factors
- identify control characteristics, including desired evidence
- establish audit objective(s) based on control objective(s)
- develop audit procedures to capture and analyze evidence
Audit Procedures
Control Conclusions: Control Assessment
- What is the control objective?
- What business objective is impacted?
- Is the stated control appropriate?
- Identify the type of control (application or general; primary or secondary; and preventive, detective, or corrective).
- Number of components used to execute the control, and number of subsystems or control objectives impacted?
- Evidence that the control is in effect, or the impact if it is not.
Controls               | In place                          | In effect
Benefit                | Benefit of control(s) in place    | Benefit of control(s) in effect
Impact                 | Impact of control(s) not in place | Impact of control(s) not in effect
Evidence (Audit Steps) | Evidence: control in place        | Evidence: control in effect
Section 2: MEASURING IT AUDIT PERFORMANCE
IT Audit Performance
- How well is IT Audit doing?
- Is IT Audit doing the Right Things?
- Is IT Audit Effective?
- Are resources used Effectively and Efficiently?
Performance Measurement
- Audit quality
- AIC and staff performance
- Report content and clarity
- Workpapers
- Audit Risk
- Compliance with auditing standards
- Impact to the organization
- What else?
Performance Measurement
- Cornerstone to effective management of audit assignments
- Relevance and Reliability of Metrics
- Reliability of data related to time and resources
Performance Measurement
- Number of findings
- Number of Audit Follow-up Areas
- Audit name and audit number
- Total number of field days
- Number of Site Visits by Support Manager
- Number of Site Visits by Manager
- Date that Staff End-of-Job Evaluations are Completed and Filed with HRD
- Date that all Completed (Reviewed and Signed Off) Hardcopy Work Papers are Filed
Performance Measurement (charts; values not reproduced)
- Range and Average Field Days
- Range and Average Elapsed Days, Adjusted for Work Days
- Range of Topics; Average Number of Topics
- Range and Average Days
- Example Administrative Items
Section 3: APPLICATION SYSTEM AUDIT PLANNING
Application System Audits
Application Controls
Application System Changes?
- Is the Business Process subject to change?
- Are changes in business strategy occurring, or about to occur?
- Is there an effort underway, or planned, to enhance the value chain?
- Is there a business process engineering effort underway, or planned?
Application Documentation
User manuals
Functional specs
Detailed specs
DFDs
Flowcharts
Data dictionaries
System narratives
Policy and procedures
Source documents
Screen formats
System reports
Questions