
AUDITING

Auditing involves the process in which an individual or entity (the auditor) provides assurances to at least one other individual or entity regarding representations or assertions made by some third party (the auditee).

GENERAL TERMS

• Interim audit: has the objective of establishing the degree to which the internal control system can be relied on.
• Compliance testing: confirms the existence, assesses the effectiveness, and checks the continuity of operation of those internal controls.
• Financial statement audit: provides assurance that the financial statements are fairly presented.
• Substantive testing: direct verification of financial statement figures.
AUDITING THROUGH THE COMPUTER

Auditing through the computer may be defined as the verification of controls in a computerized system.
AUDITING WITH THE COMPUTER

• Auditing with the computer is the process of using IT in auditing: IT is used to perform some of the audit work.
• Consistent and legible
• Time saving
• More accurate
• Efficient analytical procedures
• Easy standardization of audit procedures
• Cost effective
RISK-BASED AUDITING

• Risk-based auditing (RBA) provides assurances relating to the effectiveness of an organization's enterprise risk management (ERM) processes.
• RBA provides assurance that risks are being managed within the organization's risk appetite.

CONTROL RISK

[Diagram: Company Level Control; Account; Process; Risk; Control]
INFORMATION SYSTEM AUDITING TECHNOLOGY

Information systems auditing technology has evolved along with computer systems development.
Test Data
• Test data are auditor-prepared input containing both valid and invalid data.
• Test data may be used to verify input transaction validation routines, processing logic, and computational routines of computer programs, and to verify the incorporation of program changes.
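The test-data method in working form, as an added example that is not part of the original slides: the auditor prepares a deck of input records with a known expected accept/reject decision for each, runs it through the client's input validation routine, and reports every case where the observed decision differs. The validation routine, the vendor master and the deck are constructed stand-ins; the routine deliberately lacks a negative-amount check so the deck has a real control gap to surface.

```python
"""Test-data method: auditor-prepared valid and invalid records are pushed
through the client's input validation routine and the observed decisions are
compared with the auditor's expectations. Added example; the validation
routine, the vendor master and the deck are constructed stand-ins."""
import re
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for the auditee's vendor master file.
VENDOR_MASTER = {"V100", "V200", "V300"}
AMOUNT_LIMIT = 1_000_000.0


def validate_invoice(rec: dict) -> list:
    """Stand-in for the client's input validation routine.

    Returns the list of rejection reasons; an empty list means 'accepted'.
    It has no check for a negative amount, which is the gap the deck below
    is meant to surface."""
    errors = []
    if rec.get("vendor") not in VENDOR_MASTER:
        errors.append("unknown vendor")
    if not re.fullmatch(r"INV-\d{6}", rec.get("invoice_no", "")):
        errors.append("bad invoice number format")
    try:
        amount = float(rec.get("amount", ""))
    except ValueError:
        errors.append("amount not numeric")
    else:
        if amount > AMOUNT_LIMIT:
            errors.append("amount exceeds limit")
    try:
        date.fromisoformat(rec.get("date", ""))
    except ValueError:
        errors.append("invalid date")
    return errors


@dataclass
class TestCase:
    label: str
    record: dict
    expect_accept: bool


def _rec(**overrides) -> dict:
    """A valid baseline record with selected fields overridden."""
    base = {"vendor": "V100", "invoice_no": "INV-000123",
            "amount": "250.00", "date": "2024-03-01"}
    base.update(overrides)
    return base


# Auditor-prepared test deck (constructed). Each case exercises one edit check,
# including the boundary of the amount limit and an impossible calendar date.
TEST_DECK = [
    TestCase("valid baseline", _rec(), True),
    TestCase("unknown vendor", _rec(vendor="V999"), False),
    TestCase("missing vendor", _rec(vendor=None), False),
    TestCase("bad invoice number", _rec(invoice_no="INV-12"), False),
    TestCase("non-numeric amount", _rec(amount="25O.00"), False),
    TestCase("amount at limit", _rec(amount="1000000"), True),
    TestCase("amount over limit", _rec(amount="1000000.01"), False),
    TestCase("impossible date", _rec(date="2024-02-30"), False),
    TestCase("negative amount", _rec(amount="-250.00"), False),
]


def run_test_deck(validate, deck) -> list:
    """Runs every case and returns the exceptions: (label, expected_accept,
    observed_accept, reasons) for each case whose observed decision differs
    from the auditor's expectation."""
    exceptions = []
    for case in deck:
        reasons = validate(case.record)
        observed_accept = not reasons
        if observed_accept != case.expect_accept:
            exceptions.append((case.label, case.expect_accept,
                               observed_accept, reasons))
    return exceptions


if __name__ == "__main__":
    for label, expected, observed, reasons in run_test_deck(validate_invoice, TEST_DECK):
        print(f"EXCEPTION {label}: expected accept={expected}, "
              f"observed accept={observed} {reasons}")
```

Run against this deck, only the "negative amount" case comes back as an exception: the routine accepts a record the auditor expected it to reject, which is exactly the kind of missing edit check the method is designed to find. The boundary cases (amount at and just over the limit) pass, which is evidence that the limit check is implemented as documented.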
INFORMATION SYSTEM AUDITING TECHNOLOGY

INTEGRATED TEST FACILITY (ITF)
ITF involves both the use of test data and the creation of fictitious records (vendors, employees) on the master files of a computer system.

PARALLEL SIMULATION
Processing real data through audit programs. The simulated output and the regular output are then compared.

AUDIT SOFTWARE
Computer programs that permit the computer to be used as an auditing tool.

GENERALIZED AUDIT SOFTWARE (GAS)
GAS is audit software that has been specifically designed to allow auditors to perform audit-related data processing functions.
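Parallel simulation in working form, as an added example that is not part of the original slides: the auditor writes an independent program from the documented pricing rules, reprocesses the client's real input through it, and compares the simulated totals with what the production system reported, line by line. The pricing rules (10% tax, 5% volume discount from 100 units), the input lines and the production output are all constructed for this example; the production output contains one line where the discount was applied below the threshold, one line missing, one unexplained extra line, and one one-cent rounding difference that the tolerance absorbs.

```python
"""Parallel simulation: the auditor's independent implementation of the
documented pricing rules reprocesses the production input and the result is
compared with the production output. Added example; rules, input and
production output are constructed."""
from decimal import Decimal, ROUND_HALF_UP

# Documented business rules (assumed for the example).
TAX_RATE = Decimal("0.10")          # 10% tax on the discounted amount
VOLUME_DISCOUNT = Decimal("0.05")   # 5% off when quantity >= VOLUME_THRESHOLD
VOLUME_THRESHOLD = 100
CENT = Decimal("0.01")


def simulate_line_total(qty: int, unit_price) -> Decimal:
    """Auditor's independent computation of one invoice line total."""
    gross = Decimal(str(unit_price)) * qty
    if qty >= VOLUME_THRESHOLD:
        gross -= gross * VOLUME_DISCOUNT
    return (gross * (1 + TAX_RATE)).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(input_lines, production_totals, tolerance=CENT) -> list:
    """Reprocesses every input line and compares with the production totals.

    input_lines: iterable of (line_id, qty, unit_price) from the production
    input file. production_totals: {line_id: total} as reported by the
    production run. Returns exception tuples (line_id, simulated, production,
    note), sorted by line id. Differences up to `tolerance` are treated as
    rounding noise, not exceptions; lines present on only one side are
    reported as well, since a silent drop or addition matters as much as a
    wrong amount."""
    exceptions = []
    seen = set()
    for line_id, qty, unit_price in input_lines:
        seen.add(line_id)
        simulated = simulate_line_total(qty, unit_price)
        if line_id not in production_totals:
            exceptions.append((line_id, simulated, None, "missing from production output"))
            continue
        production = Decimal(str(production_totals[line_id]))
        if abs(simulated - production) > tolerance:
            exceptions.append((line_id, simulated, production, "total differs"))
    for line_id in production_totals.keys() - seen:
        exceptions.append((line_id, None, Decimal(str(production_totals[line_id])),
                           "in production output but not in input"))
    return sorted(exceptions, key=lambda e: e[0])


# Constructed sample: the real input file and the production system's output.
INPUT_LINES = [
    ("L1", 10, "12.50"),
    ("L2", 100, "3.00"),
    ("L3", 60, "20.00"),
    ("L4", 7, "0.335"),
    ("L5", 1, "99.99"),
]
PRODUCTION_TOTALS = {
    "L1": "137.50",
    "L2": "313.50",
    "L3": "1254.00",   # production applied the volume discount below the threshold
    "L4": "2.57",      # one-cent rounding difference, within tolerance
    "L6": "42.00",     # no corresponding input line
}

if __name__ == "__main__":
    for line_id, simulated, production, note in parallel_simulation(INPUT_LINES, PRODUCTION_TOTALS):
        print(f"{line_id}: simulated={simulated} production={production} ({note})")
```

Decimal arithmetic is used rather than floats so that the auditor's figures are not themselves a source of spurious differences; the explicit rounding mode is part of the documented rule set the simulation is checking, and if production rounds differently the tolerance setting is where that decision is made visible rather than hidden.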
INFORMATION SYSTEM AUDITING TECHNOLOGY

PC SOFTWARE
Software that allows the auditor to use a PC to perform audit tasks.

EMBEDDED AUDIT ROUTINES
Special auditing routines included in regular computer programs so that transaction data can be subjected to audit analysis.

EXTENDED RECORD
Modification of programs to collect and store data of audit interest.

SNAPSHOT
Modification of programs to output data of audit interest.
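An embedded audit routine combined with a snapshot, as an added example that is not part of the original slides: the regular posting program calls an audit hook for every transaction it processes; transactions that meet the auditor's selection criteria (high value, posted outside business hours, self-approved) are copied into a separate audit file together with a snapshot of the account balance before and after the posting step. The ledger, the criteria, the materiality threshold and the batch of transactions are constructed for this example.

```python
"""Embedded audit routine with snapshot: the posting program calls
audit_hook() for every transaction; selected transactions are copied, with
the before/after balance, into a separate audit file. Added example; the
ledger, criteria and transactions are constructed."""
from datetime import datetime
from decimal import Decimal

HIGH_VALUE = Decimal("10000")   # auditor's materiality threshold (assumed)
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, Monday to Friday (assumed)


def selection_reasons(txn: dict) -> list:
    """The auditor's criteria for copying a transaction to the audit file."""
    reasons = []
    if txn["amount"].copy_abs() >= HIGH_VALUE:
        reasons.append("high value")
    ts = txn["posted_at"]
    if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
        reasons.append("outside business hours")
    if txn["entered_by"] == txn["approved_by"]:
        reasons.append("self-approved")
    return reasons


def audit_hook(txn: dict, balance_before: Decimal, balance_after: Decimal, audit_file: list) -> None:
    """Embedded audit routine: selected transactions are written with a
    snapshot of the account state before and after the posting step."""
    reasons = selection_reasons(txn)
    if reasons:
        audit_file.append({
            "txn_id": txn["id"], "account": txn["account"],
            "amount": str(txn["amount"]), "posted_at": txn["posted_at"].isoformat(),
            "entered_by": txn["entered_by"], "approved_by": txn["approved_by"],
            "balance_before": str(balance_before), "balance_after": str(balance_after),
            "reasons": reasons,
        })


def post_transaction(ledger: dict, txn: dict, audit_file: list) -> Decimal:
    """The regular posting routine, instrumented with the audit hook."""
    before = ledger.get(txn["account"], Decimal("0"))
    after = before + txn["amount"]
    ledger[txn["account"]] = after
    audit_hook(txn, before, after, audit_file)
    return after


def run_batch(txns) -> tuple:
    """Posts a batch against an empty ledger; returns (ledger, audit_file)."""
    ledger, audit_file = {}, []
    for txn in txns:
        post_transaction(ledger, txn, audit_file)
    return ledger, audit_file


def _txn(id_, account, amount, posted_at, entered_by, approved_by) -> dict:
    return {"id": id_, "account": account, "amount": Decimal(amount),
            "posted_at": datetime.fromisoformat(posted_at),
            "entered_by": entered_by, "approved_by": approved_by}


# Constructed batch. 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
BATCH = [
    _txn("T1", "AP-1001", "450.00", "2024-03-04T10:15:00", "clerk1", "mgr1"),
    _txn("T2", "AP-1001", "12500.00", "2024-03-04T11:00:00", "clerk1", "mgr1"),
    _txn("T3", "AP-2002", "700.00", "2024-03-04T23:40:00", "clerk2", "mgr1"),
    _txn("T4", "AP-2002", "300.00", "2024-03-09T09:30:00", "clerk2", "clerk2"),
    _txn("T5", "AP-1001", "-9000.00", "2024-03-05T14:00:00", "clerk1", "mgr2"),
]

if __name__ == "__main__":
    ledger, audit_file = run_batch(BATCH)
    for entry in audit_file:
        print(entry["txn_id"], entry["reasons"], entry["balance_before"], "->", entry["balance_after"])
```

In a real system the audit file would be written to storage the processing program cannot modify (append-only, owned by the audit function), otherwise the routine only reports what the program chooses to let it see. The before/after balances are the snapshot: they let the auditor re-perform the posting for each selected transaction without access to the live ledger.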
INFORMATION SYSTEM AUDITING TECHNOLOGY

TRACING
Tracing provides a detailed audit trail of the instructions executed during the program's operation.

REVIEW OF SYSTEM DOCUMENTATION
Existing system documentation such as program flowcharts is reviewed for audit purposes.

CONTROL FLOWCHARTING
Analytic flowcharts or other graphic techniques are used to describe the controls in a system.

MAPPING
Special software is used to monitor the execution of a program.
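Tracing and mapping of a program run, as an added example that is not part of the original slides: the interpreter's trace hook (sys.settrace) serves as the monitoring software, recording every source line the audited routine executes as an ordered trail (tracing) and reporting the lines that never ran across the audited inputs (mapping). The payment-release routine and the set of audited inputs are constructed for this example; its override branch is never exercised by the normal transaction mix, which is exactly the kind of code mapping is meant to bring to the auditor's attention.

```python
"""Tracing and mapping with sys.settrace: record the lines a function
executes over a set of audited inputs and report the lines that never ran.
Added example; the payment routine and the inputs are constructed."""
import dis
import inspect
import sys


def release_payment(amount: int, approver_level: int, override_code: str = "") -> str:
    if override_code == "MGMT-OVERRIDE":
        return "released (override)"
    if amount < 0:
        return "rejected: negative amount"
    if amount > 5000 and approver_level < 2:
        return "rejected: insufficient approval"
    return "released"


def map_execution(func, runs) -> tuple:
    """Calls func(*args) for every args tuple in runs under a trace function.

    Returns (trail, executed, unexecuted): trail is the ordered list of line
    numbers executed across all runs (the tracing audit trail), executed the
    set of distinct lines hit, unexecuted the sorted lines of func that never
    ran (the mapping result)."""
    code = func.__code__
    trail = []

    def local_tracer(frame, event, arg):
        # Ignore the 'def' line itself; interpreter versions differ on
        # whether they report an event for it.
        if event == "line" and frame.f_lineno != code.co_firstlineno:
            trail.append(frame.f_lineno)
        return local_tracer

    def global_tracer(frame, event, arg):
        # Attach the line tracer only to frames of the audited function.
        if event == "call" and frame.f_code is code:
            return local_tracer
        return None

    previous = sys.gettrace()
    sys.settrace(global_tracer)
    try:
        for args in runs:
            func(*args)
    finally:
        sys.settrace(previous)

    # Every line that has bytecode is a line that could have executed.
    all_lines = {ln for _, ln in dis.findlinestarts(code)
                 if ln is not None and ln != code.co_firstlineno}
    executed = set(trail)
    return trail, executed, sorted(all_lines - executed)


def source_of(func, line_numbers) -> list:
    """Maps absolute line numbers back to the source text of func."""
    lines, first = inspect.getsourcelines(func)
    return [lines[ln - first].strip() for ln in line_numbers]


# Constructed audit run: the transaction mix seen in the audited period.
AUDIT_RUNS = [(100, 1), (9000, 1), (9000, 3), (-5, 1)]

if __name__ == "__main__":
    trail, executed, unexecuted = map_execution(release_payment, AUDIT_RUNS)
    print("trail:", trail)
    print("never executed:", source_of(release_payment, unexecuted))
```

The unexecuted list points at the override return. That does not by itself mean the branch is improper; it means the auditor has a concrete statement to ask about: who can supply the override code, where it is documented, and whether any production run has taken that path. Adding an override-code input to the runs empties the unexecuted list, which is how the auditor confirms the mapping is complete rather than reporting code that is simply unreachable.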
TYPES OF INFORMATION SYSTEMS AUDITING
GENERAL APPROACH TO AN INFORMATION SYSTEMS AUDIT

1st phase: The initial review and evaluation of the area to be audited, and audit plan preparation.
• Objects/evidence, resources, audit program

2nd phase: Detailed review and evaluation of controls.
• Documentation

3rd phase: Compliance testing, followed by analysis and reporting of results.
• Produces evidence with procedures
INFORMATION SYSTEMS APPLICATION AUDITS
• Auditing an information systems application is usually done by testing the application in the areas of:
  • Input
  • Processing
  • Output
• E.g.: testing the SAP system

APPLICATION SYSTEMS DEVELOPMENT AUDITS
• Auditing the activities of systems analysts and programmers who develop and modify application programs, files, and related procedures.
• Areas:
  • System development standards
  • Project management
  • Program change controls
COMPUTER SERVICE CENTER AUDIT
• It is usually done before any other application audits, to ensure the general integrity of the environment.
• Areas:
  • Environmental controls
  • Physical security
  • Disaster recovery plan
  • Management controls over the Computer Service Center

AUDITING SERVICE-ORIENTED ARCHITECTURES (SOA)
• This process needs special audit consideration, because an SOA may be composed of so many individual services that they can be connected together one way on one day and a different way on another day.
• An SOA usually externalizes identity management (e.g. user password control), with the security artifacts stored in a centralized database.
IT GOVERNANCE
• IT governance has the objective of enhancing and ensuring the efficient application of IT resources as a critical success factor that sustains and extends the organization's strategies and objectives.
• The organization must understand the risks that exist when:
  • The IT strategy is not aligned with the business strategy
  • The needed organization structure is not provided
  • IT performance is not measured or evaluated
CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)
• COBIT is an open standard for control over IT.
• COBIT is directed at helping management discharge its responsibilities with respect to an organization's IT assets by "bridging the gaps" between business risks, control needs, and technical issues.
• COBIT provides a generally applicable and accepted standard of IT security and control practices.
• COBIT identifies 34 IT processes, a high-level approach to control over these processes, and several hundred detailed control objectives and audit guidelines to assess the IT processes.
THE 34 HIGH-LEVEL COBIT OBJECTIVES ARE ORGANIZED INTO FOUR DOMAINS. THESE DOMAINS ARE:

PLAN AND ORGANIZE
How the company as a whole uses its IT infrastructure to achieve its goals and objectives.

ACQUIRE AND IMPLEMENT
The company's overall strategies for identifying IT requirements and acquiring, implementing, and maintaining IT resources and projects.

DELIVER AND SUPPORT
The processes involved in delivering, supporting, training, and security relating to IT applications.

MONITOR AND EVALUATE
The company's strategies for assessing how effectively IT helps satisfy the company's objectives.
NAVIGATION DIAGRAM
• The diagram provides a description of
the process, together with key goals
and metrics in the form of a
“waterfall” diagram.


MATURITY MODELS
• A maturity model component is used
to evaluate an organization’s relative
level of achievement of IT
governance.
• The defined levels in the scale are
numbered 0–5, with 0 being the
lowest level, and are as follows:
• 0: Nonexistent
• 1: Initial/Ad Hoc
• 2: Repeatable but Intuitive
• 3: Defined Process
• 4: Managed and Measurable
• 5: Optimized
Management Guidelines
These consist of detailed inputs, outputs, activities, goals, and metrics for the 34 COBIT processes.

Performance Measurement
Goals and metrics are defined in COBIT at three levels:
• IT goals and metrics that define what the business expects from IT and how to measure it
• Process goals and metrics that define what the IT process must deliver to support IT objectives and how to measure it
• Activity goals and metrics that establish what needs to happen inside the process to achieve the required performance and how to measure it
PROFESSIONAL CERTIFICATIONS RELATING TO IT GOVERNANCE

• The Certified Information Systems Auditor (CISA) certification is for information systems audit, control, assurance and/or security professionals.
• The CISA certification program has been available since 1978 and is globally recognized as the achievement for those who control, monitor, and assess an organization's IT and business systems.
THANK YOU !
FLORA@CONTOSO.COM

HTTP://WWW.CONTOSO.COM/
