The Information Systems Audit Process
Definitions:
External Audits
An external audit is a review of the financial statements or reports of a company by someone not affiliated with the company. External audits play a major role in financial oversight because they are conducted by outside individuals and therefore provide an unbiased opinion. External audits are commonly performed at regular intervals by businesses and are typically required yearly by law for governments.
IS Audits
This process collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that business, operations and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.
Definitions: Control
Definitions: IT Control Objective
Definitions: IT Governance
IT Framework
A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through high-level control objectives, one for each IT process, contained in the four domains (Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate). The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data), are important for the IT processes to fully support the business objectives.
Audit Mission
In light of management objectives, a well-documented audit charter, approved by top management, defines the overall authority, scope and responsibility of the audit function.
Whenever you conduct an audit, it is important to write an audit mission statement as part of the preparation. A mission statement defines the audit both for your benefit and for the benefit of the auditee, thereby helping to eliminate confusion, waste of resources and inefficiencies in auditing. It serves as a link between the planning and the execution of the audit.
Audit Planning
It consists of the following:
Outlining the audit purpose and objectives
A risk assessment process to describe and analyze the risks inherent in a given business activity
An audit plan detailing the IS audit's budgeting and planning processes
An audit cycle that identifies the frequency of audits
Audit work programs that set out, for each audit area, the required scope and resources
The format of written audit reports
Risk Analysis:
Risk
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
Risk Elements
Threat
Impact
Frequency
Business Risk
Risk Analysis:
In analyzing the business risks arising from the use of IT, it is important for the IS auditor to have a clear understanding of:
The purpose and nature of the business, the environment in which the business operates and related business risks
The dependence on technology and related dependencies that process and deliver business information
The business risks of using IT and related dependencies, and how they impact the achievement of the business goals and objectives
A good overview of the business processes and the impact of IT and related risks on the business process objectives
ROLES AND RESPONSIBILITY OF IT AUDITORS
The focus of IT audits today depends on the governance of IT and process maturity in an organization. The ideal focus should be on only those aspects of IT that are important to the organization.
ROLES AND RESPONSIBILITY OF INTERNAL AUDITORS
ROLES AND RESPONSIBILITY OF EXTERNAL AUDITORS
ROLES AND RESPONSIBILITY OF IT AUDITORS
In today's era of globalization and universal connectivity, many other things have also changed:
(a) The dependence of organizations and business on these technologies has become critical
(b) IT has become embedded in most business processes and is an important service function
(c) The risks to be contained and managed have all changed and expanded
(d) Technologies have become much more complex and are deployed in large numbers
(e) The range of IT-related activities is greater than before, and may have been outsourced
Audit Procedures:
Audit Risk:
The risk that the information/financial reports may contain a material error that goes undetected during the course of the audit.
Categories of Audit Risk:
Inherent Risk: For example, complex calculations are more likely to be misstated than simple ones, and cash is more likely to be stolen than an inventory of coal.
Control Risk: For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed due to the volume of logged information.
Detection Risk: The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.
Overall Audit Risk: The combination of the individual categories of audit risk assessed for each specific control objective.
Risk Assessment Techniques:
Compliance Testing:
Reliability of Evidence:
Independence of the provider
Qualification of the provider
Objectivity of the evidence
Timing of the evidence
Evidence Gathering Techniques:
Computer Assisted Audit Techniques:
These include many types of generalized audit software, utility software, test data, debugging and scanning software, application software tracing and mapping, and expert systems.
Internal controls cover policies, processes, tasks and behaviors. These controls enable a business to operate effectively, comply with laws and provide good-quality services and products. They are used to manage and reduce risks.
Control Classification
1. Preventive
2. Detective
3. Corrective
• Internal Accounting Controls
Primarily directed at accounting operations such as the safeguarding of assets and the reliability of financial records and financial reporting.
• Operational Controls
Directed at day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives.
• Administrative Controls
RISK MANAGEMENT
Depending on the type of risk and its significance to the business, management and the board may choose to:
Avoid: where feasible, choose not to implement certain activities or processes that would incur risk (i.e. eliminate the risk by eliminating the cause).
Mitigate: lessen the probability or impact of the risk by defining, implementing and monitoring appropriate controls.
Transfer (deflect, or allocate): share risk with partners or transfer it via insurance coverage, contractual agreement or other means.
Accept: formally acknowledge the existence of the risk and monitor it.
Internal Control Objectives
Internal Control Objectives include:
BENEFITS OF CONTROL SELF ASSESSMENT
Early detection of risks
More effective and improved internal controls
Creation of cohesive teams through employee involvement
Developing a sense of ownership of the controls in the employees and process owners, and reducing their resistance to control improvement initiatives
Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
Increased communication between operational and top management
Highly motivated employees
Improved audit rating process
Reduction in control cost
Assurance provided to stakeholders and customers
Necessary assurance given to top management about the adequacy of internal controls as required by the various regulatory agencies and laws
DISADVANTAGES OF CONTROL SELF ASSESSMENT
CSA does potentially contain several disadvantages, which include:
It could be mistaken as an audit function replacement
It may be regarded as an additional workload (e.g., one more report to be submitted to management)
Failure to act on improvement suggestions could damage employee morale
Lack of motivation may limit effectiveness in the detection of weak controls