Introduction to IT/IS Auditing
by liaoqinmei
CISB424 – Information Systems Audit
Semester 2, Year 2010/2011
IT Governance
- …the process for controlling an organization's IT resources, including information and communication systems, and
- …using IT to promote an organization's objectives and enable business processes and to manage and control IT-related risks.

CobiT's IT Governance Management
- Identifies critical success factors, key goal and performance indicators, and an IT governance maturity model.
- The IT governance framework begins with setting IT objectives and measures, and compares performance against them.
Financial vs IT Audits
- Financial audit
  - Official examination of accounts to see that they are in order
- IT audit
  - "a review of the controls within an entity's technology infrastructure" (Wikipedia)
  - Official examination of IT-related processes to see that they are in
- Problems
  - Financial Audit – GAAP
  - IT Audit – ??

- IT auditors may work on financial audit engagements
- IT auditors may work on every step of the financial audit
- Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
- IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more
Auditing Standards
- Auditors are guided in their professional responsibility by the generally accepted auditing standards (GAAS).

Generally Accepted Auditing Standards

General Standards:
1. The auditor must have adequate technical training and proficiency to perform the audit.
2. The auditor must maintain independence in mental attitude in all matters related to the audit.
3. The auditor must use due professional care during the performance of the audit and the preparation of the report.

Standards of Field Work:
1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.

Standards of Reporting:
1. The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles.
2. The report must identify those circumstances in which generally accepted accounting principles were not
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor's opinion on the financial statements as a whole.
What do IT auditors do?
- Ensure IT governance by assessing risks and monitoring controls over those risks
- Work as either internal or external auditors
- Work on many kinds of audit engagements

Figure 1.2: The Role of IT Auditors in the Financial Audit Process (flow diagram; stages in order):
1. Develop an understanding and perform preliminary audit work
2. Develop audit plan
3. Evaluate the internal control system
4. Determine degree of reliance on internal
5. Perform substantive
6. Review work and issue audit report
7. Conduct follow-up
IT Audit Skills
- College education – IS, computer science, accounting
- Certifications – CPA, CFE, CIA, CISA, CISSP, and special technical certifications
- Technical IT audit skills – specialized technologies
- General personal and business skills

Professional Groups and Certifications – Alphabet Soup
- The largest professional organization of IT auditors
Topical Coverage on CISA Examination
- The IS audit process (10%)
- Management, Planning and Organization of IS (11%)
- Technical Infrastructure and Operational Practices (13%)
- Protection of Information Assets (25%)
- Disaster Recovery and Business Continuity (10%)
- Business Application System Development, Acquisition, Implementation and Maintenance (16%)
- Business Process Evaluation and Risk Management (15%)

IT/IS Audit
- Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
- The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, achieves organisational goals effectively and consumes resources effectively. (Ron Weber)

Objectives of IT/IS Audit (figure, source: Ron Weber) – an IT/IS audit aims at:
- Safeguarding of Assets
- Improved Data Integrity
- Improved System Effectiveness
- Improved System Efficiency
Elements of IT/IS Audit
1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity
Internal vs External
- The audit function can be performed internally or externally.
- Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and help ensure conformance with managerial policies.
- External audit is an audit conducted by an individual of a firm that is independent of the company being audited.

Internal Audit Reporting Structure (organisation chart):
- Board Audit Committee
  - Head of Audit Dept
    - Head of IT Audit
      - IT Audit Team Members
    - Head of Non-IT Audit
      - Non-IT Audit Team

Roles of IT Audit Team (figure, source: Chris Davis et al.; layers from top to bottom):
- Financial Auditor
- Support for Financial Auditors: Application (Information Systems Auditor)
- IT Auditor: Operating System, Network Intra, Physical Facility, Entity-Level Controls
Effects of computers on Internal
- Separation of duties
- Delegation of authority and responsibility
- Competent and trustworthy personnel
- System of authorizations
- Adequate documents and records
- Physical control over assets and records
- Adequate management supervision
- Independent check on performance
- Comparing recorded accountability with assets

Effects of computers on auditing
- Changes to evidence collection
- Changes to evidence evaluation

Effective IT Audit
- Early involvement
- Informal audits
- Knowledge sharing
- Self-assessments
Questions to ponder

1. What are the implications of a profit-oriented organisation losing its:
   a. Personnel master file
   b. Inventory master file

2. Give an example of how incorrect data processing by the computer system of an organisation leads to incorrect decisions made by the following groups of people:
   a. Management
   b. Shareholders
   c. Labour union
   d. Environmentalists

   Example organisations: electricity company, car manufacturing company, banking institution
