
One day seminar on IS Audit - a Practical approach and CAAT

on 17 July 2004, New Delhi. By A. Rafeq, FCA, CISA, CQA, CFE, Bangalore

Learning Objectives

- What is IS Audit?
- How to plan and perform IS Audit assignments using technology as a key enabler for audit
- What are CAATs (digital audit techniques)?
- What are the salient features of the ICAI Guidance Note on CAAT?
- What are the key features and functionality of audit software?
- How to use CAAT concepts (digital audit techniques) with the auditee's own applications?
- How to enhance the effectiveness of audit and provide better assurance to clients?

Sessions

1. Practical approach to IS Audit
2. Step-by-Step approach to IS Audit case study
3. How to use CAAT
4. CAAT case study

1. Practical approach to IS Audit

- Concepts and practice of IS Audit
- Need and importance of IS Audit
- Model case study of how to plan and perform various Information Systems Audit assignments
- How to market the services of IS Audit?

2. Step-by-Step approach to IS Audit case study

- Participants plan and perform a sample IS Audit as a group, using the case study
- Model answer providing participants with practical tips on performing various types of IS Audits

3. How to use CAAT

- Overview of the need for and importance of CAATs (digital audit techniques)
- Guidance Note on CAAT issued by ICAI
- Tips on the practical use of CAAT techniques

4. CAAT case study

- Interactive discussion on how to use digital audit techniques for performing various types of audit tests
- Audit software demo: features and functionality of audit software
- How to use audit software to enhance audit productivity

Digital Era

"Business is going to change more in the next ten years than it has in the last fifty" - Bill Gates, in his book Business @ the Speed of Thought: Using a Digital Nervous System. 2001-2010 as the digital decade.

Need for IS Audit

- Impact of IT
- IT Paradox
- Impact of IT on Controls
- Thrust on IT Governance
- Compliance requirements - RBI
- Management needs

"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
- Bruce Schneier, Secrets & Lies: Digital Security in a Networked World

Impact of IT on CAs

- Rapid deployment of IT by enterprises makes it imperative that CAs have practical knowledge of using IT
- Not just excellence in Information Technology (IT) but empowerment through IT
- Creating new challenges and opportunities
- Enhance utility as knowledge workers with core competency and domain knowledge in the areas of accounting, finance, auditing, information systems and compliance
- Key strategy for success is to keep on learning new ways of delivering our services and creating new avenues in the digital era
- IT as a tool for drawing inferences and gathering relevant and reliable evidence as per the requirements of professional assignments
- Need to be innovative in using IT and in advising clients on IT

Impact of IT on Controls

- Controls are getting automated
- Controls are becoming more complex, requiring new knowledge, new decision models and increased reliance on technologists
- Paper is getting eliminated, increasing the risk of fraud and requiring new audit approaches
- Technology is performing tasks currently done by both white-collar and blue-collar workers
- IT is a key enabler of business

IT Paradox

- Desire for greater openness in systems
- Desire for tighter security

Need for IS Audit: Risk and Governance Issues with ERP

- Single point of failure
- Organizational structural changes
- Job role changes
- Online, real-time, synchronized processes
- Change management
- Managing distributed computing environments
- Broad system access
- Dependency on external sources for help
- Program interfaces and data conversions
- Audit expertise

Corporate Governance impacting IT Governance

Organizations that wish to be successful in the digital era need to establish a corporate governance model that encompasses the key aspects of IT governance, assurance and control. IT governance is the system by which IT is directed and controlled. The objective of IT governance is to ensure that IT activities meet the overall business objectives and are in line with the business plans.

Traditional vs. Progressive Approach

Internal audit's evolving role

Traditional (audit focus)                                   | Progressive / best practices (business focus)
------------------------------------------------------------|-----------------------------------------------------------------------
Transaction-based                                           | Process-based
Financial account focus                                     | Customer focus
Compliance objective                                        | Risk identification, process improvement objective
Policies and procedures focus                               | Risk management focus
Multiyear audit coverage                                    | Continual risk-reassessment coverage
Policy adherence                                            | Change facilitator
Budgeted cost center                                        | Accountability for performance improvement results
Career auditors                                             | Opportunities for other management positions
Methodology: focus on policies, transactions and compliance | Methodology: focus on goals, strategies and risk management processes

Effect of IT on internal control

- Lack of transaction trails
- Lack of segregation of functions
- Uniform processing of transactions
- Potential for errors and irregularities
- Dependence of controls on computer processing
- Potential for increased management supervision
- Potential for use of computer-assisted audit techniques

Overview of IS Risks

Risk is defined as: the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets.

Information Risks

- Vast amounts of critical information can now be stored in very small electronic media, and a minor glitch can result in loss of this information
- Information is vulnerable to error, omission and abuse by persons inside and outside the data processing network

Threats

- Damage can range from errors harming database integrity to fires destroying entire computer centers
- Losses can stem from:
  - Actions of supposedly trusted employees defrauding a system
  - Outside hackers
  - Careless data entry clerks
- Knowledge of the threat environment helps in implementing cost-effective security measures

IS Security

Procedures and practices to assure that:
- Computer facilities are available at all required times
- Data is processed completely and efficiently
- Access to data in computer systems is restricted to authorised people

Why do you need Information Security?

"I believe that information security will become an even bigger problem as we move into the next century, especially as even the new smaller computers will be able to operate at blinding speed, making millions of computations in seconds."

- Akio Morita, co-founder of Sony

IT Risks and Frauds

"IT tends to confound auditors and managers to the extent that they are rarely in a position to detect or prevent computer based embezzlement."
- Harvard Business Review

Why do you need Security? Vulnerability

A weakness that could be exploited to cause damage to the system.

Why do you need Security? Threat

Any event with the potential to cause harm to a system in the form of disclosure, modification, destruction or denial of service.

Barings Bank Bankruptcy

- Error a/c no. 88888 overlooked by auditors: an $80 million deficit built into the a/c
- No internal controls in place to verify Leeson's claim that he had made investments in the above a/c on behalf of his client
- Special password for computer access to the above a/c
- Lack of segregation of duties
- Supervisors looked the other way

What is Security? (CIA) Confidentiality

The concept of how to prevent unauthorized release of information or unauthorized use of the system.

What is Security? (CIA) Integrity

The issue of how to preserve information so that it is trustworthy, i.e. how to avoid unauthorized modification of information.

What is Security? (CIA) Availability

The probability that a system is operational at any time or, in other words, the percentage of up-time.

What is Security? Auditable

Whether the system can be measured against established criteria or a benchmark.

Reality of Security - RBI

Major factors of security violation:
- Inadequate/incomplete system design
- Programming errors
- Weak/inadequate logical access controls
- Poorly designed procedural controls
- Ineffective employee supervision
- Ineffective management controls

The Reality of Security

There are NO absolutely secure systems and there are NO absolutely reliable systems. Increased security most often results in increased cost for the system.

The Reality of Security

There must be a trade-off between:
- Cost of increasing system control and security, versus
- Cost incurred as a result of successful security violations or system failures

Defining Scope and Objectives of IS Audit

- What is IS Audit?
- IS Audit - Risk Perspective
- IS Audit - Control Perspective
- What is the scope of IS Audit?
- What are the objectives of IS Audit?

What is IS Audit?

Any audit that encompasses the review and evaluation of all aspects (or any portion) of automated information processing systems, including related non-automated processes and the interfaces between them.

Objectives of IS Audit

- Provide management with reasonable assurance that the identified control objectives, as relevant, are being met by the package
- Where there are significant control weaknesses, substantiate the resulting risks
- Advise management on corrective actions

Perspectives: proactive or reactive
Stage: pre-implementation, during implementation or post-implementation

IS Audit Risk perspective: Identifying and assessing Risks

1. Risk management:
- Assess risks first and implement appropriate controls
- Reduce risks to an acceptable level

Assignments in this perspective:
- Security Management
- Information Risk Management
- Information Systems Risk Management
- Security Audit
- IT Audit, etc.

IS Audit Risk perspective: Identifying and assessing Risks

Assess the impact of IT failing to meet the business objectives on account of risks or issues impacting the following information criteria:
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability

IS Audit Control perspective: Identifying and assessing controls

2. Controls:
- Review the internal control system to ensure whether business objectives are achieved
- Set appropriate control objectives

Assignments in this perspective:
- IS Audit
- IS Assurance
- Computer Assurance Services
- Technology Assurance Services
- IT Governance
- IS Controls Review, etc.


IS Audit - Control Assessment

The IS auditor is required to evaluate whether the available controls are adequate and appropriate to mitigate the risks. If controls are inadequate or inappropriate:
- Identify the control weakness
- Provide recommendations
- Report the above to auditee management

Defining Controls and Control Objectives

CONTROL: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Business orientation is the key of controls. Control is a management issue, not an IT issue.

IT CONTROL OBJECTIVE: A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

1. Practical approach to IS Audit

Model case study of how to plan and perform various Information Systems Audit assignments

Execution of IS Audit: step by step approach

IS Audit could encompass all aspects of the operations of the auditee, or it may be focused on a particular area. IS Audit could be done by internal auditors or external auditors. IS Audit involves review (view again) and evaluation (against a benchmark or set standard) of any or all aspects of IT processing in the enterprise, including the interfaces.

Case study of IS Audit: step by step

1. Identify audit objectives and scope
2. Understand the IT environment
3. Understand the business processes
4. Understand the organisation structure
5. Understand the information systems and control architecture
6. Identify related standards / guidelines
7. Identify / select the relevant IT process
8. Select Control Objectives (CO)
9. Extend CO by adding BP / IT controls
10. Identify relevant risks for the identified IT process
11. Identify management benchmarks
12. Prepare audit program, procedures and checklist by integrating the information up to step 11
13. Perform the audit and identify control weaknesses
14. Prepare draft report
15. Discuss the report with auditee
16. Prepare final report
17. Presentation to senior management

Sample Scope of IS audit

Assessing risks and controls, from the two perspectives, related to:
- Environmental access security or controls review
- Physical access security or controls review
- Logical access security or controls review
- IS operations security or controls review
- Application security or audit
- Implementation security or audit
- BCP assessment or BCP audit
- SDLC review or audit
- IT Strategy

Understand the IT environment

IT Resources:
- Facilities
- Technology
- Applications
- Data
- People

What is the information architecture of the enterprise?

IT Control System (diagram)

Layers shown: business processes / IT business processes; IT organization (units A, B, C, D); applications / IT applications; data; operating system; equipment / IT infrastructure (hardware, communication network). Financial reporting and controlling are shown as influences on the system.

Identify related standards

- IS Audit Standards, Guidelines and IS Governance standard issued by ISACA
- ISA or SAP issued by ICAI / IFAC
- IS Guidelines issued by IFAC
- Specific industry standards (for example, banks, IT companies)
- Technology standards as per the technology deployed
- Compliance requirements as relevant
- Industry-related controls
- Specific business-related controls or guidelines

What is COBIT?

COBIT (Control Objectives for Information and Related Technology) is a breakthrough Information Technology (IT) governance tool that helps in understanding and managing the risks associated with information and related technology. COBIT provides a globally accepted framework for reviewing diverse technology platforms across the enterprise. It provides the best practices researched from a host of international standards on auditing and technology. COBIT has been developed as a generally applicable and accepted standard for good IT security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.

COBIT - Tool for IS Audit

- Executive Summary: overview for senior management
- Framework: conceptual model linking control objectives to business objectives
- Control Objectives: provide the landscape
- Audit Guidelines: provide the compass
- Implementation Tool Set: how to get started
- Management Guidelines: provide the compass to management for measuring performance and managing IT

Formulate audit strategy and control evaluation

- Preliminary review of the audit area
- Obtain and record understanding of the audit area
- Evaluate the audit area
- Compliance Testing (Test of Controls)
- Substantive Testing (Test of Details)

Prepare draft report

For each finding:
1. Issue (area of control weakness)
2. Implications (effect):
   - Rank this based on the information criteria as relevant
   - Highlight the IT resources impacted as relevant
   - Critical success factors of the relevant IT process
3. Cause: identify the probable cause
4. Recommendations: use best practices, adapted to the business requirements / IT deployment of the auditee company
5. Management Comment: auditee to add details

Discuss draft report with auditee

- Obtain confirmation of findings and their risk ranking
- Remove incorrect findings based on confirmation of facts
- Obtain agreement on causes and recommendations
- Obtain an agreed plan of action for implementing recommendations

Prepare final report

Outline for each finding (area of control weakness or area of improvement):
- Issue: rank this based on the information criteria as relevant
- Implications (effect): highlight the IT resources impacted as relevant and the CSFs of the relevant IT process not met
- Cause: identify probable cause(s)
- Recommendation: base it on best practices and adapt it to the specific business requirements / IT deployment of the auditee company
- Management Comment: obtain feedback from management and identify issues of disagreement which need escalation
- Implementation time-frame

Presentation to senior management

- Prepare executive summary for senior management highlighting key findings and recommendations
- Prepare PPT slides for presentation
- Make presentation
- Present executive summary and detailed audit report
- Conduct exit interview

How to market the services of IS Audit?

- Know the need and importance of IS Audit
- Assess your current competencies and skill-sets
- Decide what type of services you intend to provide
- Update skill-sets as required
- Develop tie-ups with a panel of IT consultants or domain experts
- Prepare a brief outline of services provided
- Formulate a standard approach for each of the audit stages and prepare standard templates
- Identify your potential clients, existing or new
- Think long-term and begin with small assignments for your existing clients

Why is IS Audit Important?

- Growing access to and use of IT
- Growing concern for data security due to the proliferation of IT
- Potential of computer fraud
- Complexity of systems and computers
- Protectors of information assets and privacy
- Regulatory requirement
- Top priority of executive management

Greatest frequency of fraud

- Top-level managers
- Middle-level managers
- Operational-level employees

Career Advice: What Should I Know?

- Assess current skills and future career growth path
- Extensive domain knowledge and functional expertise in the chosen area
- Strong PC user skills
- Operating systems and networking
- Database and SQL skills (Microsoft Access)
- Report writer skills (Crystal)
- Web page development (FrontPage, HTML)
- Internet and eCommerce
- Project management skills

Innovative Avenues in IT

- Consulting: infrastructure, HW, SW, MIS, controls, compliance, ...
- Implementation: infrastructure, HW, SW, MIS, controls, compliance
- Design and development: infrastructure, SW, MIS, compliance
- Training: SW, IT, MIS, implementation, audit, compliance, controls, assurance
- Audit: security, applications, data, processes, operations, controls, efficiency, effectiveness, compliance, reliability, quality, ...

COBIT framework (diagram): information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability), IT resources, business processes, information, audit findings.

Thank you
