IT Audit Process - Temple University

Transcription

IT Audit Process
Mike Romeu-Lugo, MBA, CISA (Prof. Mike Romeu)
November 18, 2015

General Controls

"General" because they are not specific to a business process or software application.

Governance and Administration
- Organization structure
- Governance: policies and procedures
- Staff and skillset
- Supplier management
- Service level agreements
- Quality assurance and quality control

Data Center
- Environmental controls: AC, fire suppression, UPS, flood control, layout
- Physical access controls: badges, keyed entries, console access, biometrics
- Overall access controls: guards, gates/locks, badges, visitor logs

Development, Acquisition, Implementation and Maintenance
- Justification and business case
- Program and project management
- Evaluation and procurement practices

Business Continuity
- Disaster recovery
- Backup and restore
- Business continuity plan and testing

Security
- Logical access
- Networks
- Access controls

IS Controls (a.k.a. Application or System Controls)

What are they?
- Application software that processes business transactions: Accounts Payable, Accounts Receivable, Payroll, Banking and Finance
- Data can only be understood within the context of the business process it supports
- Processing controls exist within the application itself

How to test?
- First: know the business process! Policies/procedures, interviews, best practices (using the work of others)
- Identify potential risks: what can go wrong?
- Evaluate how these are handled by the system
- Review test protocols vs. requirements
- Observation
- Test data

Computer-Assisted Audit Tools & Techniques

- Generalized Audit Software: ACL, Easytrieve, Statistical Analysis System (SAS), Statistical Package for the Social Sciences (SPSS), CaseWare IDEA
- Test Data Generators: random test data, pathwise data, goal-oriented
- Computerized Audit Programs: centralize audit data; automate alarms and alerts; audit reporting, dashboards and checklists; CAPA tracking
- Specialized Audit Utilities (data extraction and manipulation): spreadsheets, databases, business intelligence

Computer-Assisted Audit Tools & Techniques: Advantages and Disadvantages

Advantages
- Independence in data collection
- Good for testing software reliability (IS controls)
- Increased accuracy
- Improved efficiency
- 100% testing (the full population, not a sample)

Disadvantages
- Expensive and time consuming to set up
- Requires client permission
- Potential incompatibility with the client's computer system
- Skills and knowledge required
- Training required
- Risk of data corruption or loss


Test Data

Client disruption / data corruption risk: Minimal. Tests are run using a copy of the application.
Information systems expertise required: Minimal, but requires test data preparation and an understanding of the application's internal logic.
Reliance on client: The client provides the copy of the application. Is it an exact copy of what is in production?


Integrated Test Facility (ITF)

Client disruption / data corruption risk: High corruption risk. Test data and transactions are processed in the live system and must be removed from it afterwards.
Information systems expertise required: Expertise in audit module design; expertise to ensure that test data does not affect actual data.
Reliance on client: Client independent.


Parallel Simulation

Client disruption / data corruption risk: Minimal. The simulation does not affect client processing.
Information systems expertise required: System complexity dictates the level of expertise required. Consider using GAS to build the simulation.
Reliance on client: Client independent.
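The following is an added example (not part of the slides) of what a parallel simulation looks like in practice. The auditor writes an independent implementation of one processing rule, here the early-payment discount on vendor invoices, runs it over the client's input extract, and compares the reperformed result with the client's actual output. The invoice register, the payment file and the "2/10 net 30" terms are constructed for the illustration; a second exception is planted on purpose (a payment with no matching invoice) to show the completeness check in the other direction.

```python
"""Parallel simulation: the auditor re-implements the client's payment
calculation independently, runs it over the client's input data and
compares the result with the client's actual output.  Example code,
not from the course slides; all data below is constructed."""
import csv
import io
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

# Constructed client input extract (invoice register).  Not real data.
CLIENT_INPUT = """\
invoice_id,vendor,amount,invoice_date,pay_date,terms
INV-1001,Acme Supply,1000.00,2015-10-01,2015-10-08,2/10 net 30
INV-1002,Acme Supply,2500.00,2015-10-01,2015-10-20,2/10 net 30
INV-1003,Beta Parts,800.00,2015-10-05,2015-10-06,net 30
INV-1004,Beta Parts,1200.00,2015-10-05,2015-10-30,1/15 net 45
"""

# Constructed client output (amounts the application actually paid).
# INV-1002 took a discount after the window; INV-1005 has no invoice.
CLIENT_OUTPUT = """\
invoice_id,paid_amount
INV-1001,980.00
INV-1002,2450.00
INV-1003,800.00
INV-1004,1200.00
INV-1005,300.00
"""

CENT = Decimal("0.01")


def parse_terms(terms):
    """'2/10 net 30' -> (Decimal('0.02'), 10); 'net 30' -> (Decimal('0'), 0)."""
    first = terms.split()[0]
    if "/" in first:
        pct, days = first.split("/")
        return Decimal(pct) / Decimal(100), int(days)
    return Decimal(0), 0


def expected_payment(amount, invoice_date, pay_date, terms):
    """Auditor's independent statement of the rule: the discount applies
    only when the payment date falls inside the discount window."""
    rate, window = parse_terms(terms)
    if rate and (pay_date - invoice_date).days <= window:
        return (amount * (1 - rate)).quantize(CENT, ROUND_HALF_UP)
    return amount.quantize(CENT)


def simulate(client_input=CLIENT_INPUT, client_output=CLIENT_OUTPUT,
             tolerance=CENT):
    """Return exceptions as (invoice_id, reason, expected, actual)."""
    paid = {r["invoice_id"]: Decimal(r["paid_amount"])
            for r in csv.DictReader(io.StringIO(client_output))}
    exceptions = []
    seen = set()
    for r in csv.DictReader(io.StringIO(client_input)):
        inv = r["invoice_id"]
        seen.add(inv)
        expected = expected_payment(Decimal(r["amount"]),
                                    date.fromisoformat(r["invoice_date"]),
                                    date.fromisoformat(r["pay_date"]),
                                    r["terms"])
        actual = paid.get(inv)
        if actual is None:
            exceptions.append((inv, "no payment in client output", expected, None))
        elif abs(actual - expected) > tolerance:
            exceptions.append((inv, "paid amount differs from reperformance",
                               expected, actual))
    # Completeness in the other direction: payments the input cannot explain.
    for inv in sorted(paid.keys() - seen):
        exceptions.append((inv, "payment with no matching invoice", None, paid[inv]))
    return exceptions


if __name__ == "__main__":
    for inv, reason, expected, actual in simulate():
        print(f"{inv}: {reason} (expected {expected}, actual {actual})")
```

Because the simulation reads only extracts and never touches the client's application, it carries the minimal disruption risk noted above; the expertise cost is entirely in getting the reperformed rule right, which is why the auditor should confirm the rule against the client's documented policy before treating a difference as a finding.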


Embedded Audit Module (EAM)

Client disruption / data corruption risk: System performance may be greatly degraded when the EAM is turned on.
Information systems expertise required: Programming expertise required.
Reliance on client: Relies on the client to maintain EAM functionality through change management (a release that breaks or bypasses the module silently ends the monitoring).


Generalized Audit Software (GAS)

Client disruption / data corruption risk: Minimal. Processing occurs within the auditor's system.
Information systems expertise required: Relatively easy to use; little background is needed for effective use of GAS. Complex data structures may require client support to extract.
Reliance on client: Minimal reliance on the client.
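As an added example, not from the slides or from any of the GAS products they list, here are three routine GAS-style tests written in plain Python over an accounts-payable payment extract: duplicate payments, gaps in the check-number sequence, and a control total footed against the general-ledger figure. Everything runs in the auditor's environment on a copy of the data, which is the point of the technique. The extract and the GL total are constructed for the illustration, with one duplicate and one gap planted.

```python
"""GAS-style tests over a client payment extract, run entirely on the
auditor's own system.  Example code, not from the course slides; the
extract and the GL control total below are constructed."""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed accounts-payable payment extract (not real data).
# Check 10004 is missing and invoice A-1 was paid twice.
PAYMENT_EXTRACT = """\
check_no,vendor_id,invoice_no,amount,pay_date
10001,V100,A-1,500.00,2015-11-02
10002,V100,A-1,500.00,2015-11-09
10003,V200,B-7,1250.00,2015-11-03
10005,V300,C-2,75.50,2015-11-04
10006,V200,B-8,1250.00,2015-11-05
"""

# Constructed control total taken from the client's GL AP account.
GL_CONTROL_TOTAL = Decimal("3575.50")


def load_extract(text=PAYMENT_EXTRACT):
    """Parse the extract, typing the fields the tests compute on."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["check_no"] = int(r["check_no"])
        r["amount"] = Decimal(r["amount"])
    return rows


def duplicate_payments(rows, key=("vendor_id", "invoice_no")):
    """Group payments on a key and return the groups with more than one check.
    The default key catches the same invoice paid twice; ("vendor_id",
    "amount") is a looser net for re-keyed invoices."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[k] for k in key)].append(r["check_no"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def sequence_gaps(rows, field="check_no"):
    """Numbers missing from a sequence that should be continuous, i.e.
    checks that were issued but never recorded (or voided without record)."""
    nums = sorted(r[field] for r in rows)
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def control_total(rows):
    """Foot the extract so it can be agreed to the GL before relying on it."""
    return sum((r["amount"] for r in rows), Decimal(0))


def run_tests(text=PAYMENT_EXTRACT, gl_total=GL_CONTROL_TOTAL):
    rows = load_extract(text)
    total = control_total(rows)
    return {
        "duplicates": duplicate_payments(rows),
        "gaps": sequence_gaps(rows),
        "total": total,
        "reconciles": total == gl_total,
    }


if __name__ == "__main__":
    for name, result in run_tests().items():
        print(f"{name}: {result}")
```

Agreeing the footed total to the GL comes first: if the extract does not reconcile, the duplicate and gap results are about an incomplete population and cannot support a finding. The duplicate test is deliberately parameterised on the key because the right key depends on how the client's system numbers invoices, which is the "know the business process first" point from earlier in the deck.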

Standard 1401 - Reporting

Statements

1401.1 IS audit and assurance professionals shall provide a report to communicate the results upon completion of the engagement, including:
- Identification of the enterprise, the intended recipients and any restrictions on content and circulation
- The scope, engagement objectives, period of coverage and the nature, timing and extent of the work performed
- The findings, conclusions and recommendations
- Any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement
- Signature, date and distribution according to the terms of the audit charter or engagement letter

1401.2 IS audit and assurance professionals shall ensure that findings in the audit report are supported by sufficient and appropriate evidence.

Audit Reporting

Remember that an audit engagement involves:
- Planning the engagement
- Evaluating the design effectiveness of the control procedures
- Testing the operating effectiveness of the control procedures
- Forming a conclusion about, and reporting on, the design and/or operating effectiveness of the controls

Evidentiary support must be sufficient and appropriate.

Express an opinion about whether, in all material respects, the design and/or operation of the control procedures in relation to the area of activity were effective.

Audit Reporting - Opinions

Opinions can be:

Unqualified
Professionals should express an unqualified opinion when they conclude that, in all material respects, the design and/or operation of control procedures in relation to the area of activity were effective, in accordance with the applicable criteria.

Qualified
Professionals should express a qualified opinion when they:
- Having obtained sufficient and appropriate evidence, conclude that control weaknesses, individually or in the aggregate, are material but not pervasive to the IS audit objectives
- Are unable to obtain sufficient and appropriate evidence on which to base the opinion, but conclude that the possible effects on the IS audit objectives of undetected weaknesses, if any, could be material but not pervasive

Adverse
Professionals should express an adverse opinion when one or more significant deficiencies aggregate to a material and pervasive weakness.

Disclaimer
Professionals should disclaim an opinion when they are unable to obtain sufficient and appropriate evidence on which to base the opinion, and conclude that the possible effects on the IS audit objectives of undetected weaknesses, if any, could be both material and pervasive.

Audit Report - Contents

"The audit was conducted in accordance with the IS Audit and Assurance Standards and IS Audit and Assurance Guidelines issued by ISACA [insert other applicable standards and guidelines]. Those standards require that the audit be planned and performed to obtain sufficient, relevant and valid evidence to provide a reasonable basis for the conclusions, opinions and audit findings (if any)."

Audit Report - Findings

- Condition: what is the condition found?
- Criteria: what should it be?
- Cause: what is the reason for the condition?
- Effect: what is the impact of the condition?
- Recommendations
- Management's response: actions, people/teams, due dates
- Auditor's reply: an opinion based on the degree to which management's response addresses the recommendation
