Audit of Information Technology Chapter 1: Audit Process Information Systems Adrián Hernández Medina Alejandra Ramírez Antonio Beatriz Alicia Rivera Mendoza July 25, 2015

Chapter 1 CISA


Presentation of chapter 1 of the CISA manual

Contents (slide 2)

Introduction
Quick Reference
Management of the Information Systems Audit Function
ISACA Standards, Guidelines and Audit Assurance
Risk Analysis
Internal Controls
Performing Audits of Information Systems
Self-Assessment of Control
Emerging Changes in the Auditing Process
Conclusions
Questions

Since 1978, the Certified Information Systems Auditor (CISA) program, sponsored by ISACA, has been the globally accepted standard among information systems (IS) audit, control, and security professionals.

Introduction (slide 3)

Quick Reference (slide 4)

Management of the Information Systems Audit Function (slide 5)

ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders.

ISACA Standards, Guidelines and Audit Assurance (slide 6)

Code of Professional Ethics (slide 7)

General Framework of IT Audit and Assurance Standards (slide 8)

The aim of the ISACA IT audit and assurance guidelines is to provide additional information on how to comply with the ISACA auditing and assurance standards. The auditor should:

Use professional judgment when applying them in specific audits, and justify any departure from them.

IT Audit and Assurance Guidelines (slide 9)

G1 Using the Work of Other Auditors, with effect from March 1, 2008
G2 Audit Evidence Requirement, with effect from May 1, 2008
G3 Use of Computer-Assisted Audit Techniques (CAATs), with effect from March 1, 2008
G4 Outsourcing of IS Activities to Other Organisations, with effect from May 1, 2008
G5 Audit Charter, with effect from February 1, 2008
G6 Materiality Concepts for Auditing Information Systems, with effect from May 1, 2008
G7 Due Professional Care, with effect from March 1, 2008
G8 Audit Documentation, with effect from March 1, 2008
G9 Audit Considerations for Irregularities and Illegal Acts, with effect from September 1, 2008
G10 Audit Sampling, with effect from August 1, 2008
G11 Effect of General IS Controls, with effect from August 1, 2008
G12 Organisational Relationship and Independence, with effect from August 1, 2008
G13 Use of Risk Assessment in Audit Planning, with effect from August 1, 2008
G14 Application Systems Review, with effect from December 1, 2008
G15 Audit Planning, with effect from May 1, 2010
G16 Effect of Third Parties on an Organisation's IT Controls, with effect from March 1, 2009
G17 Effect of Non-Audit Roles on the IT Audit and Assurance Professional's Independence, with effect from May 1, 2010
G18 IT Governance, with effect from July 1, 2002
G19 Irregularities and Illegal Acts, removed September 1, 2008
G20 Reporting Techniques, with effect from September 16, 2006

Index of IT Audit and Assurance Guidelines (slide 10)

G21 Enterprise Resource Planning (ERP) Systems Review, with effect from September 16, 2010
G22 Business-to-Consumer (B2C) E-commerce Review, with effect from August 1, 2003
G23 System Development Life Cycle (SDLC) Review, with effect from August 1, 2003
G24 Internet Banking, with effect from August 1, 2003
G25 Review of Virtual Private Networks, with effect from July 1, 2004
G26 Business Process Reengineering (BPR) Project Review, with effect from July 1, 2004
G27 Mobile Computing, with effect from September 1, 2004
G28 Computer Forensics, with effect from September 1, 2004
G29 Post-implementation Review, with effect from January 1, 2005
G30 Competence, with effect from June 1, 2005
G31 Privacy, with effect from June 1, 2005
G32 Business Continuity Plan Review from an IT Perspective, with effect from September 1, 2005
G33 General Considerations on the Use of the Internet, with effect from March 1, 2006
G34 Responsibility, Authority and Accountability, with effect from March 1, 2006
G35 Follow-up Activities, with effect from March 1, 2006
G36 Biometric Controls, with effect from February 1, 2007
G37 Configuration Management, with effect from November 1, 2007
G38 Access Control, with effect from February 1, 2008
G39 IT Organisation, with effect from May 1, 2008
G40 Review of Security Management Practices, with effect from December 1, 2008
G41 Return on Security Investment (ROSI), with effect from May 1, 2010
G42 Continuous Assurance, with effect from May 1, 2010

Index of IT Audit and Assurance Guidelines (slide 11)

Index of IT Audit and Assurance Tools and Techniques (slides 12 and 13)

Information Technology Assurance Framework (ITAF) (slide 14)

Section 2200: General Standards (slide 15)

Section 2400: Performance Standards (slide 16)

Section 2600: Reporting Standards (slide 17)

Section 3000: IT Assurance Guidelines (slide 18)

Section 3200: Enterprise Topics (slide 19)

Section 3400: IT Management Processes (slide 20)

Section 3600: IT Audit and Assurance Processes (slide 21)

Section 3800: IT Audit and Assurance Management (slide 22)

Risk Analysis (slide 23)

Internal Controls (slide 24)

Performing an audit requires several steps. Proper planning is the necessary first step for an effective audit.

Performing Audits of Information Systems (slide 25)

Classification of Audits (slide 26)

General Audit Procedures (slide 27)

Phases of the Audit (slide 28)

Risk Types (slide 29)

Risk Treatment (slide 30)

Objectives of the Audit (slide 31)

Evidence (slide 32)

Sampling (slide 33)

Sampling Methods (slide 34)

CAATs are important tools that allow the auditor to gather information from these environments. They include many types of tools and techniques, such as generalized audit software (GAS), among others.

GAS refers to standard software that can read and access data directly from various database platforms, systems and ASCII flat-file formats.

Computer-Assisted Audit Techniques (slide 35)
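The two slides above describe sampling methods and generalized audit software in one sentence each. The following script, added here as an illustration (it is not from the slides, from ISACA, or from any GAS product), shows what a minimal GAS-style pass over an ASCII flat file looks like in practice: it parses a constructed payments extract, draws both a random and a systematic sample, and runs two exception tests (duplicate transaction identifiers, and payments over a threshold or lacking an approver). The file layout, field names, seed and threshold are all assumptions chosen for the example.

```python
"""
Added illustration (not from the slides or from ISACA): a minimal
generalized-audit-software (GAS) style pass over an ASCII flat file.
It reads the file, selects a sample, and runs two exception tests.
Everything here (file layout, field names, threshold) is a constructed
assumption for the example.
"""
import csv
import io
import random
from collections import Counter

# Constructed sample flat file: a payments extract as an auditor might receive it.
# Row 1003 is deliberately duplicated and row 1005 deliberately lacks an approver.
FLAT_FILE = """\
txn_id,vendor,amount,approver
1001,ACME Supplies,420.00,jdoe
1002,ACME Supplies,9800.00,jdoe
1003,Globex,15250.00,asmith
1003,Globex,15250.00,asmith
1004,Initech,75.50,jdoe
1005,Initech,12000.00,
1006,Umbrella Ltd,300.00,asmith
1007,Umbrella Ltd,49999.99,jdoe
"""


def read_flat_file(text):
    """Parse the CSV extract into a list of dicts; amounts become floats."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["amount"] = float(r["amount"])
    return rows


def random_sample(rows, size, seed=2015):
    """Statistical (random) sampling: every record has an equal chance of selection.
    A fixed seed makes the selection reproducible so the work can be re-performed."""
    rng = random.Random(seed)
    return rng.sample(rows, size)


def systematic_sample(rows, size, start=0):
    """Systematic sampling: every k-th record after a chosen starting point."""
    interval = max(1, len(rows) // size)
    return rows[start::interval][:size]


def duplicate_ids(rows):
    """Exception test: transaction identifiers that occur more than once."""
    counts = Counter(r["txn_id"] for r in rows)
    return sorted(t for t, n in counts.items() if n > 1)


def exceptions(rows, threshold=10000.0):
    """Exception test: amounts at or above the threshold, or records with no approver."""
    flagged = []
    for r in rows:
        reasons = []
        if r["amount"] >= threshold:
            reasons.append("over_threshold")
        if not r["approver"]:
            reasons.append("no_approver")
        if reasons:
            flagged.append((r["txn_id"], reasons))
    return flagged


def run_audit(text=FLAT_FILE, sample_size=3):
    """Run every step and return the results so they can be placed in the workpapers."""
    rows = read_flat_file(text)
    return {
        "population": len(rows),
        "duplicates": duplicate_ids(rows),
        "exceptions": exceptions(rows),
        "random_sample": [r["txn_id"] for r in random_sample(rows, sample_size)],
        "systematic_sample": [r["txn_id"] for r in systematic_sample(rows, sample_size)],
    }


if __name__ == "__main__":
    for name, value in run_audit().items():
        print(f"{name}: {value}")
```

The exception tests run over the whole population, not just the sample: a real GAS tool does the same, which is why it can find the duplicated row and the missing approver that a sample of three records would easily miss. The seeded random sample exists so that a reviewer can reproduce exactly which records were selected.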

Communication of Audit Results (slide 36)

Audit Documentation (slide 37)

Self-Assessment of Control (slide 38)

Self-Assessment of Control (slide 39)

Feature | Description
CSA objectives | Leverage the internal audit function by shifting some of the monitoring responsibilities; educate management about the design and monitoring of controls, particularly in areas of risk concentration.
CSA benefits | Early detection of risk; more effective and improved internal controls; increased employee awareness of the organization's objectives; highly motivated employees; increased assurance for stakeholders and clients; reduced cost of control; greater communication between operational managers and senior management.
Disadvantages of CSA | It could be mistaken for a replacement of the audit function; it is seen as an additional workload; failing to implement the suggested improvements could damage employee morale.

Emerging Changes in the Auditing Process (slide 40)

An information systems audit provides information about the state of the systems, and the resulting report allows senior management to take the measures necessary to achieve business goals.

Conclusions (slide 41)

ISACA. (2012). CISA Review Manual. ISACA.

References (slide 42)