Presentation of chapter 1 of the CISA manual
Audit of Information Technology
Chapter 1: The Information Systems Audit Process
Adrián Hernández Medina
Alejandra Ramírez Antonio
Beatriz Alicia Rivera Mendoza
July 25, 2015

Contents
Introduction
Quick Reference
Management of the Information Systems Audit Function
ISACA Standards, Guidelines and Audit Assurance
Risk Analysis
Internal Controls
Performing Information Systems Audits
Control Self-Assessment
Emerging Changes in the Audit Process
Conclusions
Questions
Introduction
Since 1978, the Certified Information Systems Auditor (CISA) program, sponsored by ISACA, has been the globally accepted standard among information systems (IS) audit, control and security professionals.

Quick Reference

Management of the Information Systems Audit Function

ISACA Standards, Guidelines and Audit Assurance

Code of Professional Ethics
ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders.

General Framework of IT Audit and Assurance Standards
IT Audit and Assurance Guidelines
The purpose of the ISACA IT audit and assurance guidelines is to provide additional information on how to comply with the ISACA IT audit and assurance standards. The IS auditor should:
Use professional judgment when applying the guidelines to a specific audit.
Be able to justify any departure from them.
Index of IT Audit and Assurance Guidelines
G1 Using the Work of Other Auditors (effective 1 March 2008)
G2 Audit Evidence Requirement (effective 1 May 2008)
G3 Use of Computer-Assisted Audit Techniques (CAATs) (effective 1 March 2008)
G4 Outsourcing of IS Activities to Other Organisations (effective 1 May 2008)
G5 Audit Charter (effective 1 February 2008)
G6 Materiality Concepts for Auditing Information Systems (effective 1 May 2008)
G7 Due Professional Care (effective 1 March 2008)
G8 Audit Documentation (effective 1 March 2008)
G9 Audit Considerations for Irregularities and Illegal Acts (effective 1 September 2008)
G10 Audit Sampling (effective 1 August 2008)
G11 Effect of Pervasive IS Controls (effective 1 August 2008)
G12 Organisational Relationship and Independence (effective 1 August 2008)
G13 Use of Risk Assessment in Audit Planning (effective 1 August 2008)
G14 Application Systems Review (effective 1 December 2008)
G15 Audit Planning (effective 1 May 2010)
G16 Effect of Third Parties on an Organisation's IT Controls (effective 1 March 2009)
G17 Effect of a Non-audit Role on the IT Audit and Assurance Professional's Independence (effective 1 May 2010)
G18 IT Governance (effective 1 July 2002)
G19 Irregularities and Illegal Acts (withdrawn 1 September 2008)
G20 Reporting (effective 16 September 2006)
G21 Enterprise Resource Planning (ERP) Systems Review (effective 16 September 2010)
G22 Business-to-Consumer (B2C) E-commerce Review (effective 1 August 2003)
G23 System Development Life Cycle (SDLC) Review (effective 1 August 2003)
G24 Internet Banking (effective 1 August 2003)
G25 Review of Virtual Private Networks (effective 1 July 2004)
G26 Business Process Reengineering (BPR) Project Reviews (effective 1 July 2004)
G27 Mobile Computing (effective 1 September 2004)
G28 Computer Forensics (effective 1 September 2004)
G29 Post-implementation Review (effective 1 January 2005)
G30 Competence (effective 1 June 2005)
G31 Privacy (effective 1 June 2005)
G32 Business Continuity Plan Review from an IT Perspective (effective 1 September 2005)
G33 General Considerations on the Use of the Internet (effective 1 March 2006)
G34 Responsibility, Authority and Accountability (effective 1 March 2006)
G35 Follow-up Activities (effective 1 March 2006)
G36 Biometric Controls (effective 1 February 2007)
G37 Configuration Management (effective 1 November 2007)
G38 Access Controls (effective 1 February 2008)
G39 IT Organisation (effective 1 May 2008)
G40 Review of Security Management Practices (effective 1 December 2008)
G41 Return on Security Investment (ROSI) (effective 1 May 2010)
G42 Continuous Assurance (effective 1 May 2010)
Index of IT Audit and Assurance Tools and Techniques
Information Technology Assurance Framework (ITAF)
Section 2200: General Standards
Section 2400: Performance Standards
Section 2600: Reporting Standards
Section 3000: IT Assurance Guidelines
Section 3200: Enterprise Topics
Section 3400: IT Management Processes
Section 3600: IT Audit and Assurance Processes
Section 3800: IT Audit and Assurance Management
Risk Analysis

Internal Controls
Performing Information Systems Audits
Performing an audit requires several steps. Proper planning is the necessary first step for an effective audit.
Classification of Audits
General Audit Procedures
Phases of the Audit
Risk Types
Risk Treatment
Audit Objectives
Evidence
Sampling
Sampling Methods

Computer-Assisted Audit Techniques (CAATs)
CAATs are important tools for the auditor to gather information from these environments. They cover many kinds of tools and techniques, among them generalized audit software (GAS).
GAS refers to standard software that can read and access data directly from various database platforms, flat-file systems and ASCII file formats.
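As an added illustration, not part of the original presentation nor of any ISACA material, the following Python script runs the kinds of tests a GAS tool performs directly on a flat-file extract: a duplicate test, a sequence-gap test, a judgmental selection of high-value items and a reproducible random sample for the remaining population (the two sampling approaches referred to above). The ledger is constructed for the example; the materiality threshold and the random seed are assumptions.

```python
import csv
import io
import random
from collections import Counter

# Constructed sample extract (not from the page): a flat CSV ledger of the
# kind GAS reads directly. Invoice 1003 is missing from the sequence and
# invoice 1005 is posted twice, so both audit tests below have something to find.
LEDGER_CSV = """invoice_id,vendor,amount
1001,ACME Supplies,250.00
1002,Globex,1200.50
1004,ACME Supplies,99.99
1005,Initech,4300.00
1005,Initech,4300.00
1006,Globex,15.25
1007,Umbrella Corp,870.00
"""


def load_ledger(text):
    """Read the flat-file extract into typed records (what GAS does on import)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["invoice_id"] = int(row["invoice_id"])
        row["amount"] = float(row["amount"])
    return rows


def find_duplicates(rows):
    """Duplicate test: the same invoice/vendor/amount posted more than once,
    a classic indicator of duplicate payment or re-keyed transactions."""
    counts = Counter((r["invoice_id"], r["vendor"], r["amount"]) for r in rows)
    return sorted(key for key, n in counts.items() if n > 1)


def find_sequence_gaps(rows):
    """Gap test: invoice numbers absent from the contiguous range, which may
    point to deleted or unrecorded documents and must be explained."""
    present = {r["invoice_id"] for r in rows}
    lo, hi = min(present), max(present)
    return [i for i in range(lo, hi + 1) if i not in present]


def high_value_items(rows, threshold):
    """Judgmental selection: 100% testing of items at or above an assumed
    materiality threshold, before sampling the remainder."""
    return [r for r in rows if r["amount"] >= threshold]


def random_sample(rows, size, seed):
    """Statistical (simple random) sample of the population. The seed is
    recorded in the workpapers so the selection can be reproduced on review."""
    rng = random.Random(seed)
    return rng.sample(rows, size)


if __name__ == "__main__":
    ledger = load_ledger(LEDGER_CSV)
    print("duplicates:", find_duplicates(ledger))
    print("sequence gaps:", find_sequence_gaps(ledger))
    print("high-value items:", [r["invoice_id"] for r in high_value_items(ledger, 1000)])
    print("random sample:", [r["invoice_id"] for r in random_sample(ledger, 3, seed=20150725)])
```

The duplicate and gap tests are exception reports: every hit is followed up, not sampled. The random sample is only meaningful if the seed and the population definition are documented with the evidence, otherwise the selection cannot be reproduced by a reviewer.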
Communication of Audit Results

Audit Documentation

Control Self-Assessment (CSA)

Feature: CSA objective
Description: Leverage the internal audit function by shifting some control-monitoring responsibilities to functional areas; educate management about the design and monitoring of controls, particularly in areas of concentrated risk.

Feature: CSA benefits
Description:
- Early detection of risk
- More effective and improved internal controls
- Increased employee awareness of the organization's objectives
- Highly motivated employees
- Greater assurance for stakeholders and customers
- Reduced cost of controls
- Better communication between operational managers and senior management

Feature: CSA disadvantages
Description:
- It could be mistaken for a replacement of the audit function
- It is perceived as additional workload
- Failure to act on the suggested improvements could damage employee morale

Emerging Changes in the Audit Process
Conclusions
An information systems audit provides information about the state of the organization's systems, and the resulting report lets senior management take the measures needed to achieve business goals.
References
ISACA. (2012). CISA Review Manual. ISACA.