On 17 July 2004, New Delhi. By A. Rafeq, FCA, CISA, CQA, CFE, Bangalore.
Learning Objectives
- What is IS Audit?
- How to plan and perform IS Audit assignments using technology as a key enabler for audit
- What are CAATs (digital audit techniques)?
- What are the salient features of the ICAI Guidance Note on CAAT?
- What are the key features and functionality of audit software?
- How to apply CAAT (digital audit technique) concepts using the auditee's own applications
- How to enhance the effectiveness of audit and provide better assurance to clients
Sessions
1. Practical approach to IS Audit
   - Concepts and practice of IS Audit
   - Need and importance of IS Audit
   - Model case study of how to plan and perform various Information Systems Audit assignments
   - How to market the services of IS Audit
2. Step-by-step approach to IS Audit: case study
   - Participants plan and perform a sample IS Audit using the case study, working as a group
   - Model answer providing participants with practical tips on performing various types of IS Audits
3. How to use CAAT
   - Overview of the need for and importance of CAATs (digital audit techniques)
   - Guidance Note on CAAT issued by ICAI
   - Tips on the practical use of CAAT techniques
4. CAAT case study
   - Interactive discussion on how to use digital audit techniques for performing various types of audit tests
   - Audit software demo: features and functionalities of audit software
   - How to use audit software to enhance audit productivity
Digital Era
"Business is going to change more in the next ten years than it has in the last fifty." Bill Gates, in his book Business @ the Speed of Thought, on running a business using a digital nervous system; 2001-2010 described as the digital decade.
- Impact of IT
- IT Paradox
- Impact of IT on Controls
- Thrust on IT Governance
- Compliance requirements (RBI)
- Management needs
Impact of IT on CAs
- Rapid deployment of IT by enterprises makes it imperative that CAs have practical knowledge of using IT
- Not just excellence in Information Technology (IT) but empowerment through IT
- IT creates new challenges and opportunities
- Enhances utility as knowledge workers with core competency and domain knowledge in accounting, finance, auditing, information systems and compliance
- Key strategy for success: keep learning new ways of delivering our services and creating new avenues in the digital era
- IT as a tool for drawing inferences and gathering relevant and reliable evidence, as required by professional assignments
- Need to be innovative in using IT and in advising our clients on IT
Impact of IT on Controls
- Controls are getting automated
- Controls are becoming more complex, requiring new knowledge, new decision models and an increased reliance on technologists
- Paper is being eliminated, increasing the risk of fraud and requiring new audit approaches
- Technology is performing tasks currently done by both white-collar and blue-collar workers
- IT is a key enabler of business
IT Paradox
- Single point of failure
- Organizational structural changes
- Job role changes
- Online, real-time, synchronized processes
- Change management
- Managing distributed computing environments
- Broad system access
- Dependency on external sources for help
- Program interfaces and data conversions
- Audit expertise
Organizations who wish to be successful in the digital era need to establish a corporate governance model that encompasses key aspects of IT governance, assurance and control. IT governance is the system by which the IT is directed and controlled. The objective of IT governance is to ensure that the IT activities meet overall business objectives and are in line with the business plans.
- Policy adherence
- Budgeted cost center
- Career auditors
- Methodology: focus on policies, transactions and compliance
versus
- Change facilitator
- Accountability for performance improvement results
- Opportunities for other management positions
- Methodology: focus on goals, strategies and risk management processes
- Lack of
- Uniform processing of transactions
- Potential for errors and irregularities
- Dependence of controls on computer processing
- Potential for
Overview of IS Risks
Risk is defined as: The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets
Information Risks
- Vast amounts of critical information can now be stored on very small electronic media, and a minor glitch can result in the loss of this information
- Information is vulnerable to error, omission and abuse by persons inside and outside the data-processing network
Threats
- Damage can range from errors harming database integrity to fires destroying entire computer centres
- Losses can stem from sources such as careless data entry clerks
- Knowledge of the threat environment helps in implementing cost-effective security measures
IS Security
Procedures and practices to assure that:
- computer facilities are available at all required times
- data is processed completely and efficiently
- access to data in computer systems is restricted to authorised people
"I believe that information security will become an even bigger problem as we move into the next century, especially as even the new smaller computers will be able to operate at blinding speed, making millions of computations in seconds."
Threat: any event with the potential to cause harm to a system in the form of disclosure, modification, destruction or denial of service.
What is Security?
Confidentiality: the concept of how to prevent unauthorized release of information or unauthorized use of a system.
Integrity: the issue of how to preserve information so that it remains trustworthy, i.e. how to avoid unauthorized modification of information.
Availability: the probability that a system is operational at any given time or, in other words, the percentage of up-time.
There are NO absolutely secure systems and there are NO absolutely reliable systems. Increased security most often results in increased cost for the system.
The Reality of Security
There must be a trade-off between:
- the cost of increasing system control and security, versus
- the cost incurred as a result of successful security violations or system failures
- What is IS Audit?
- IS Audit: risk perspective
- IS Audit: control perspective
- What is the scope of IS Audit?
- What are the objectives of IS Audit?
What is IS Audit?
Any audit that encompasses the review and evaluation of all aspects (or any portion) of automated information processing systems, including related non-automated processes and the interfaces between them.
Objectives of IS Audit
- Provide management with reasonable assurance that the identified, relevant control objectives are being met by the package (system) under review
- Where there are significant control weaknesses, substantiate the resulting risks
- Advise management on corrective actions
Perspectives: proactive or reactive. Stage: pre-implementation, during implementation or post-implementation.
1. Risk management perspective: assess risks first and implement appropriate controls; reduce risks to an acceptable level. Assignments in this perspective: Security Management, Information Risk Management, Information Systems Risk Management, Security Audit, IT Audit, etc.
2. Controls perspective: review the internal control system to determine whether business objectives are achieved; set appropriate control objectives. Assignments in this perspective: IS Audit, IS Assurance, Computer Assurance Services, Technology Assurance Services, IT Governance, IS Controls Review, etc.
The IS auditor is required to evaluate whether the available controls are adequate and appropriate to mitigate the risks. If controls are inadequate or inappropriate:
- identify the control weakness
- provide a recommendation
- report both to auditee management
IT control objective: a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
Model case study of how to plan and perform various Information Systems Audit Assignments
IS Audit could encompass all aspects of operations of the auditee or it may be focussed on a particular area. IS Audit could be done by internal auditors or external auditors. IS Audit involves review (view again) and evaluation (against a benchmark or set standard) of any or all aspects of IT processing in the enterprise including the interfaces.
1. Identify audit objectives and scope
2. Understand the IT environment
3. Understand the business processes
4. Understand the organisation structure
5. Understand the information systems and control architecture
6. Identify related standards/guidelines
7. Identify/select the relevant IT process
8. Select control objectives (CO)
9. Extend the CO by adding business-process/IT controls
10. Identify relevant risks for the identified IT process
11. Identify management benchmarks
12. Prepare the audit program, procedures and checklist by integrating the information from steps 1 to 11
13. Perform the audit and identify control weaknesses
14. Prepare the draft report
15. Discuss the report with the auditee
16. Prepare the final report
17. Presentation to senior management
- Environmental access security or controls review
- Physical access security or controls review
- Logical access security or controls review
- IS operations security or controls review
- Application security or audit
- Implementation security or audit
- BCP assessment or BCP audit
- SDLC review or audit
- IT strategy
IT Control System
[Figure: layered view of the IT control system. Labels recoverable from the slide: financial reporting, data, applications / IT applications, operating system; control areas A, B, C and D linked by arrows labelled "influences" and "controlling".]
- IS Audit Standards and Guidelines and the IS Governance standard issued by ISACA
- ISA (IFAC) or SAP (ICAI)
- IS Guidelines issued by IFAC
- Specific industry standards (for example, banks, IT companies)
- Technology standards as per the technology deployed
- Compliance requirements as relevant
- Industry-related controls
- Specific business-related controls or guidelines
What is COBIT?
COBIT (Control Objectives for Information and Related Technology), published by ISACA and the IT Governance Institute, is an Information Technology (IT) governance tool that helps in understanding and managing the risks associated with information and related technology. COBIT provides a globally accepted framework for reviewing diverse technology platforms across the enterprise. It consolidates best practices researched from a host of international standards on auditing and technology. COBIT has been developed as a generally applicable and accepted standard for good IT security and control practices, providing a reference framework for management, users, and IS audit, control and security practitioners.
- Executive Summary: overview for senior management
- Framework: conceptual model linking control objectives to business objectives
- Control Objectives: provide the landscape
- Audit Guidelines: provide the compass
- Implementation Tool Set: how to get started
- Management Guidelines: provide the compass for management to measure performance and manage IT
- Preliminary review of the audit area
- Obtain and record an understanding of the audit area
- Evaluate the audit area
- Compliance testing (tests of controls)
- Substantive testing (tests of details)
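The compliance-testing and substantive-testing stages above, together with the logical access controls review listed among the assignment types, as an added example that is not part of the original presentation and does not represent any particular audit software: a small CAAT-style script in Python that runs a test of controls over a constructed user-master extract and tests of details over a constructed payment-journal extract. The file layouts, the 90-day dormancy threshold, the 50,000 single-payment approval limit and the as-of date are assumptions made for illustration.

```python
"""CAAT-style audit tests over constructed extracts (added example, not from the slides)."""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample user-master extract for the logical access review.
# Column names and values are assumed for illustration, not a real product export.
USERS_CSV = """user_id,role,last_login,pwd_expires,status
u001,clerk,2004-07-10,yes,active
u002,admin,2004-01-03,no,active
u003,clerk,2004-07-12,yes,active
u004,approver,2003-11-30,yes,active
u005,clerk,2004-07-14,yes,disabled
"""

# Constructed sample payment-journal extract for the substantive tests.
PAYMENTS_CSV = """voucher,entered_by,approved_by,amount,vendor
1001,u001,u004,4500.00,ACME
1002,u003,u004,12000.00,GLOBEX
1004,u001,u001,75000.00,ACME
1005,u003,u004,4500.00,ACME
1005,u003,u004,4500.00,ACME
1006,u002,u004,5000.00,INITECH
"""

# Assumed policy benchmarks (the "management benchmarks" of the audit plan).
AS_OF = date(2004, 7, 17)
DORMANT_DAYS = 90          # an active account unused for longer than this is a finding
APPROVAL_LIMIT = 50000.0   # a single payment above this needs special authorisation


def load(text):
    """Parse a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def run_compliance_test(users, as_of=AS_OF):
    """Test of controls: does every active account satisfy the access policy?
    Returns (user_id, condition) pairs ready for the findings report."""
    findings = []
    for u in users:
        if u["status"] != "active":
            continue
        idle_days = (as_of - date.fromisoformat(u["last_login"])).days
        if idle_days > DORMANT_DAYS:
            findings.append((u["user_id"], "dormant account still active"))
        if u["pwd_expires"] != "yes":
            findings.append((u["user_id"], "password never expires"))
    return findings


def run_substantive_tests(payments, users):
    """Tests of details over the whole population, not a sample: sequence gaps,
    duplicate vouchers, segregation of duties, authorisation limit, and whether
    the approver holds the approver role (joined against the user master)."""
    roles = {u["user_id"]: u["role"] for u in users}
    numbers = [int(p["voucher"]) for p in payments]
    present = set(numbers)
    counts = Counter(p["voucher"] for p in payments)
    result = {
        "sequence_gaps": [n for n in range(min(numbers), max(numbers)) if n not in present],
        "duplicate_vouchers": sorted(v for v, c in counts.items() if c > 1),
        "sod_violations": [],
        "over_limit": [],
        "unauthorised_approver": [],
    }
    for p in payments:
        if p["entered_by"] == p["approved_by"]:
            result["sod_violations"].append(p["voucher"])
        if float(p["amount"]) > APPROVAL_LIMIT:
            result["over_limit"].append(p["voucher"])
        if roles.get(p["approved_by"]) != "approver":
            result["unauthorised_approver"].append(p["voucher"])
    return result


if __name__ == "__main__":
    users = load(USERS_CSV)
    for user_id, condition in run_compliance_test(users):
        print(f"ACCESS  {user_id}: {condition}")
    for test_name, vouchers in run_substantive_tests(load(PAYMENTS_CSV), users).items():
        print(f"PAYMENT {test_name}: {vouchers}")
```

The point of running the tests this way is that every record in the extract is examined rather than a sample, and each exception comes out with the condition and the voucher or account it applies to, which is the raw material for the condition, effect, cause and recommendation of a finding. Joining the payment journal against the user master is what turns a simple exception listing into a control test: a payment approved by someone who does not hold the approver role is a finding even when the amount and the sequence look normal.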
- Implications (effect)
- Use best practices as adapted to the business requirements and IT deployment of the auditee company
Discussing the report with the auditee:
- Obtain confirmation of the findings and their risk ranking
- Remove incorrect findings based on confirmation of the facts
- Obtain agreement on causes and recommendations
- Obtain an agreed plan of action for implementing the recommendations
- Prepare an executive summary for senior management highlighting key findings and recommendations
- Prepare presentation slides
- Make the presentation
- Present the executive summary and the detailed audit report
- Conduct the exit interview
How to market the services of IS Audit
- Know the need for and importance of IS Audit
- Assess the current competencies and skill-sets of your audit team
- Decide what type of services you intend to provide
- Update skill-sets as required
- Develop tie-ups with a panel of IT consultants or domain experts
- Prepare a brief outline of the services provided
- Formulate a standard approach for each audit stage and prepare standard templates
- Identify your potential clients, existing or new
- Think long-term and begin with small assignments for your existing clients
Need and importance of IS Audit
- Growing access to and use of IT
- Growing concern for data security due to the proliferation of IT
- Potential for computer fraud
- Complexity of systems and computers
- Auditors as protectors of information assets and privacy
- Regulatory requirements
- Top priority of executive management
[Figure: organisational levels. Labels recoverable from the slide: middle-level managers, operational-level employees.]
Innovative Avenues in IT
- Consulting: infrastructure, HW, SW, MIS, controls, compliance, ...
- Implementation: infrastructure, HW, SW, MIS, controls, compliance
- Design and development: infrastructure, SW, MIS, compliance
- Training: SW, IT, MIS, implementation, audit, compliance, controls, assurance
- Audit: security, applications, data, processes, operations, controls, efficiency, effectiveness, compliance, reliability, quality, ...
Information Criteria
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability
Thank you