IT Audit in MNCs


Role of IT Audit Function in MNCs

Achintya Agarwal - 10030241094


Table of Contents
• Basics of Auditing, IT Auditing and Internal Audit Function
• What is IT Auditing?
• Why is an IT Audit needed?
• Purpose of an IT Audit
• Internal Audit vs External Audit
• Role of Internal Audit Function – Internal Control
• Role of Internal Audit Function – Risk Management
• Role of Internal Audit Function – Corporate Governance
• Control issues and risks associated with reliance on technology
• Roles & Responsibilities of internal IT Audit function
• Auditing – What Internal IT Auditors look at
• Controls – types, significance and objectives
• Audit Areas
• Audit Trail
• What an Auditor has to do
• What an Auditor has to know
• References

2 Achintya Agarwal - Role of IT Audit Function in MNC's


Basics of Auditing, IT Auditing and Internal Audit Function



What is IT Auditing?
• Examination of the controls of an IT infrastructure
• Check for CIA (confidentiality, integrity, availability)
• Check for access control
• Check for operational efficiency
• Verify that the organization's goals and objectives are being met
• Often takes place alongside a financial audit



Why is an IT Audit needed?
• To meet its responsibility of providing an independent audit function with sufficient resources to ensure adequate IT coverage, the Board of Directors or its Audit Committee should:
    • Provide an internal audit function capable of evaluating IT controls,
    • Engage outside consultants or auditors to perform the internal audit function, or
    • Use a combination of both methods to ensure that the institution has received adequate IT audit coverage.



Purpose of an IT Audit
• Evaluate control design & effectiveness
• Evaluate efficiency, security protocols, processes and IT governance (oversight)
• Evaluate the organization's ability to protect information assets and properly dispense information to authorised parties
• Evaluate the CIA triad
• Determine prevalent risks and assess controls to reduce the impact of the risk



Internal Auditing vs External Auditing
• Internal Auditing
    • Appraises the risk management strategy and practices, management (including IT) control frameworks and governance processes
    • Auditors are employed by the organization to perform audits
    • Has organizational independence from management
• External Auditing
    • Independent of the entity being audited
    • Presents an unbiased and independent evaluation
    • Laws place stringent requirements on auditors in their evaluation



Role of Internal Audit Function – Internal Control
• Internal control: a process designed to provide reasonable assurance regarding the achievement of objectives in the following internal control categories:
    • Effectiveness and efficiency of operations
    • Reliability of financial reporting
    • Compliance with laws and regulations
• Managers frame policies & processes; internal auditors evaluate their design and operating efficiency
• Internal auditors assist in compliance with various laws



Role of Internal Audit Function – Risk Management
• Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those risks that could potentially impact its ability to realize its objectives
• Management performs risk assessment activities as part of the ordinary course of business in each of the strategic, operational, financial reporting, and legal/regulatory categories. Internal auditors evaluate each of these activities or focus on the processes to report & monitor the identified risks
• Help companies establish and maintain Enterprise Risk Management processes
• Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment.



Role of Internal Audit Function – Corporate Governance
• Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct, manage, and monitor the organization's resources, strategies and policies towards the achievement of the organization's objectives
• Internal auditors help the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This includes:
    • Reporting critical internal control problems
    • Informing the Committee on the capabilities of key managers
    • Suggesting questions or topics for the Audit Committee's meeting agendas
    • Coordinating carefully with the external auditor and management to ensure the Committee receives effective information



Control issues and risks associated with reliance on technology
• Inappropriate user access to information systems,
• Unauthorized disclosure of confidential information,
• Unreliable or costly implementation of IT solutions,
• Inadequate alignment between IT systems and business objectives,
• Inadequate systems for monitoring information processing and transactions,
• Ineffective training programs for employees and system users,
• Insufficient due diligence in IT vendor selection,
• Inadequate segregation of duties,
• Incomplete or inadequate audit trails,
• Lack of standards and controls for end-user systems,
• Ineffective or inadequate business continuity plans, and
• Financial losses and loss of reputation related to systems outages.



Roles & Responsibilities of internal IT Audit function
• Assess independently and objectively the controls, reliability, and integrity of the institution's IT environment.
• Evaluate IT plans, strategies, policies, and procedures to ensure adequate management oversight.
• Assess the day-to-day IT controls to ensure that transactions are recorded and processed in compliance with acceptable accounting methods and standards and are in compliance with policies set forth by the board of directors and senior management.
• Perform operational audits, including system development audits, to ensure that internal controls are in place, that policies and procedures are effective, and that employees operate in compliance with approved policies.
• Identify weaknesses, review management's plans for addressing those weaknesses, monitor their resolution, and report to the board as necessary on material weaknesses.
• Make recommendations to management about procedures that affect IT controls.
• Be involved in the development process for major new IT applications.



Auditing – What Internal IT Auditors look at



Controls – Types, Significance and Objectives
• The controls in a computer system ensure effectiveness and efficiency of operations, reliability of financial reporting and compliance with the rules and regulations.
• Types
    • General
        • Data centre operations, system software acquisition and maintenance, access security, and application system development and maintenance
    • Application
        • Proper authorisation, completeness, accuracy, and validity of transactions, maintenance, and other types of data input
• Significance
    • May allow duplication of data and conceal processes, making systems vulnerable to remote and unauthorised access, data loss and computer abuse
• Objectives
    • Organizational control over data processing, adherence to policies, standards & procedures, and efficiency & effectiveness



Audit Areas
• Audit of Acquisition
    • Auditing the computer facilities acquisition processes
• Audit of Development
    • Auditing the computer facilities which are developed in-house
• Audit of Operation and Maintenance - General Controls
    • Organisational controls
    • Authorisation Control
    • Operation and file Controls
    • Change Management Controls
    • Network Communication Security Controls
    • Business continuity Planning
• Audit of Operation and Maintenance - Application Controls
    • Documentation Standards
    • Input Controls
    • Data Transmission Controls
    • Processing Controls
    • Output Controls
    • Master/Standing Data File Controls
    • Audit Requirements



Audit Trail
• The objective of the audit trail is to obtain sufficient evidential matter regarding the reliability and integrity of the application system. To achieve this, the audit trail should contain enough information to allow management, the auditor and the user:
    • to recreate processing actions;
    • to verify summary totals; and
    • to trace the sources of intentional and unintentional errors.
• The audit trail should include the following information:
    • System information, including start-up time, stop time, restarts, recovery etc.
    • Transaction information, including input items which change the database, control totals and rejected items (relevant to database applications).
    • Communication information, including terminal log-on/off, password use, security violations, network changes and transmission statistics
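
The three kinds of audit-trail information listed above can be reviewed mechanically. The sketch below is an added example, not part of the original slides: it reconciles each batch's control total against the items actually posted and collects rejected items, security violations and system events. The record layout, field names and event names are assumptions made for illustration, and the sample trail is constructed.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample trail; assumed columns: ts, category, event, batch, user, amount
TRAIL = """\
2024-01-05T08:00:00,system,startup,,,
2024-01-05T08:02:11,comm,logon,,clerk1,
2024-01-05T08:05:00,txn,posted,B001,clerk1,120.50
2024-01-05T08:05:30,txn,posted,B001,clerk1,79.50
2024-01-05T08:06:00,txn,rejected,B001,clerk1,15.00
2024-01-05T08:07:00,txn,control_total,B001,clerk1,215.00
2024-01-05T09:10:00,comm,security_violation,,clerk2,
2024-01-05T09:30:00,txn,posted,B002,clerk2,300.00
2024-01-05T09:31:00,txn,control_total,B002,clerk2,300.00
2024-01-05T09:45:00,txn,posted,B003,clerk2,50.00
2024-01-05T10:00:00,system,restart,,,
"""

FIELDS = ["ts", "category", "event", "batch", "user", "amount"]

def review_trail(text):
    """Reconcile batch control totals and collect exceptions from an audit trail."""
    posted = defaultdict(Decimal)  # running sum of posted items per batch
    declared, rejected, violations, system_events = {}, [], [], []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        if row["category"] == "system":
            system_events.append((row["ts"], row["event"]))
        elif row["category"] == "comm" and row["event"] == "security_violation":
            violations.append((row["ts"], row["user"]))
        elif row["category"] == "txn":
            amount = Decimal(row["amount"])  # Decimal avoids float rounding in totals
            if row["event"] == "posted":
                posted[row["batch"]] += amount
            elif row["event"] == "rejected":
                rejected.append((row["ts"], row["batch"], row["user"], amount))
            elif row["event"] == "control_total":
                declared[row["batch"]] = amount
    no_total = sorted(set(posted) - set(declared))  # batches never balanced
    # Batches whose declared control total differs from the sum of posted items
    mismatches = {b: (t, posted[b]) for b, t in declared.items() if t != posted[b]}
    return {"mismatches": mismatches, "no_total": no_total, "rejected": rejected,
            "violations": violations, "system_events": system_events}

if __name__ == "__main__":
    for key, value in review_trail(TRAIL).items():
        print(key, value)
```

In the constructed data, batch B001 is out of balance by exactly the amount of its rejected item, which is the kind of difference the trail lets an auditor trace to its source.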



What an Auditor has to do
• According to the CISA Review Manual 2010, an Auditor has to perform the following five Tasks:
    • T 1.1 Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
    • T 1.2 Plan specific audits to ensure that IT and business systems are protected and controlled.
    • T 1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
    • T 1.4 Communicate emerging issues, potential risks and audit results to key stakeholders.
    • T 1.5 Advise on the implementation of risk management and control practices within the organization while maintaining independence.



What an Auditor has to know
• According to the CISA Review Manual 2010, an Auditor has to have knowledge of the following ten Knowledge Statements to perform the tasks:
    • KS 1.1 Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
    • KS 1.2 Knowledge of IS auditing practices and techniques
    • KS 1.3 Knowledge of techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, computer-assisted audit techniques [CAATs], electronic media)
    • KS 1.4 Knowledge of the evidence life cycle (e.g., collection, protection, chain of custody)
    • KS 1.5 Knowledge of control objectives and controls related to IS (e.g., COBIT)
    • KS 1.6 Knowledge of risk assessment in an audit context
    • KS 1.7 Knowledge of audit planning and management techniques
    • KS 1.8 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution)
    • KS 1.9 Knowledge of control self-assessment (CSA)
    • KS 1.10 Knowledge of continuous audit techniques



References
• http://en.wikipedia.org
• http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_00a_roles_rRespons.html
• http://www.intosaiitaudit.org/india_generalprinciples.pdf
• http://www.theiia.org/theiia/about-the-profession/faqs/
• CISA Review Manual 2010
