One day seminar on IS Audit – a Practical approach and CAAT on 17 July 2004, New Delhi
By A.Rafeq, FCA, CISA, CQA, CFE, Bangalore
Page 1: ICAI-1 (2)

One day seminar on IS Audit – a Practical approach and CAAT
on 17 July 2004, New Delhi
By A.Rafeq, FCA, CISA, CQA, CFE, Bangalore

Page 2: ICAI-1 (2)

Learning Objectives

What is IS Audit?
How to plan and perform IS Audit assignments using technology as a key enabler for audit
What are CAATs - digital audit techniques?
What are salient features of Guidance note of ICAI on CAAT?
What are key features and functionality of audit software?
How to use concepts of CAAT - digital audit techniques by using the auditee applications?
How to enhance effectiveness of audit and provide better assurance to clients?

Page 3: ICAI-1 (2)

Sessions

1. Practical approach to IS Audit
2. Step-by-Step approach to IS Audit – case study
3. How to use CAAT
4. CAAT – case study

Page 4: ICAI-1 (2)

1. Practical approach to IS Audit

Concepts and practice of IS Audit
Need and importance of IS Audit
Model case study of how to plan and perform various Information Systems Audit Assignments
How to market the services of IS Audit?

Page 5: ICAI-1 (2)

2. Step-by-Step approach to IS Audit – case study

Participants to plan and perform a sample IS Audit using the case study as a group

Model answer providing participants with practical tips on performing various types of IS Audits

Page 6: ICAI-1 (2)

3. How to use CAAT

Overview of need/importance of CAATs - digital audit techniques
Guidance note on CAAT issued by ICAI
Tips on how to use CAAT techniques in practice

Page 7: ICAI-1 (2)

4. CAAT – case study

Inter-active discussion on how to use digital audit techniques for performing various types of audit tests
Audit software Demo - features and functionalities in audit software
How to use Audit Software for enhancing audit productivity

Page 8: ICAI-1 (2)

Digital Era

“Business is going to change more in the next ten years than it has in the last fifty”- Bill Gates in his book “Business @ the Speed of Thought – using a digital nervous system”.

2001-2010 as the digital decade

Page 9: ICAI-1 (2)

Need for IS Audit

Impact of IT
IT Paradox
Impact of IT on Controls
Thrust on IT Governance
Compliance requirements – RBI
Management needs

Page 10: ICAI-1 (2)

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’

Bruce Schneier, ‘Secrets & Lies: Digital security in a networked world’

Page 11: ICAI-1 (2)

Impact of IT on CAs

Rapid deployment of IT by enterprises makes it imperative that CAs have practical knowledge of using IT
Not just excellence in Information Technology (IT) but empowerment through IT
Creating new challenges and opportunities
Enhance utility as knowledge workers with core competency and domain knowledge in the areas of accounting, finance, auditing, information systems and compliance
Key strategy for success is to keep on learning new ways of delivering our services and creating new avenues in the digital era
IT as a tool for drawing inferences and gathering relevant and reliable evidence as per requirements of their professional assignments
Need to be innovative in using IT and in advising our clients on IT

Page 12: ICAI-1 (2)

Impact of IT on Controls

Controls are getting automated
Controls are becoming more complex, requiring new knowledge and new decision models and an increased reliance on technologists
Paper is getting eliminated, increasing risk of fraud and requiring new audit approaches
Technology is performing tasks currently done by both white-collar and blue-collar workers
IT is key enabler of business

Page 13: ICAI-1 (2)

IT Paradox (diagram)

Desire for Greater Openness in Systems vs. Desire for Tighter Security

Page 14: ICAI-1 (2)

Need for IS Audit: Risk and Governance Issues with ERP

Single point of failure
Organizational Structural changes
Job role changes
Online, Real-time – Synchronized processes
Change management
Managing distributed computing environments
Broad system access
Dependency on external sources for help
Program Interfaces and data conversions
Audit expertise

Page 15: ICAI-1 (2)

Corporate Governance impacting IT Governance

Organizations who wish to be successful in the digital era need to establish a corporate governance model that encompasses key aspects of IT governance, assurance and control.

IT governance is the system by which the IT is directed and controlled.

The objective of IT governance is to ensure that the IT activities meet overall business objectives and are in line with the business plans.

Page 16: ICAI-1 (2)

Internal audit’s evolving role – Traditional vs. Progressive Approach

Traditional | Progressive (best practices)
Audit focus | Business focus
Transaction-based | Process-based
Financial account focus | Customer focus
Compliance objective | Risk identification, process improvement objective
Policies and procedures focus | Risk management focus
Multiyear audit coverage | Continual-risk-reassessment coverage
Policy adherence | Change facilitator
Budgeted cost center | Accountability for performance improvement results
Career auditors | Opportunities for other management positions
Methodology: Focus on policies, transactions and compliance | Methodology: Focus on goals, strategies and risk management processes

Page 17: ICAI-1 (2)

Effect of IT on internal control

Lack of Transaction trails
Segregation of functions
Uniform processing of transactions
Potential for errors and irregularities
Dependence of controls on computer processing
Potential for increased management supervision
Use of computer-assisted audit techniques

Page 18: ICAI-1 (2)

Overview of IS Risks

Risk is defined as: “The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets”

Page 19: ICAI-1 (2)

Information Risks

Vast amounts of critical information can now be stored in very small electronic media and a minor glitch can result in loss of this information

Information is vulnerable to error, omission, abuse by persons, inside and outside the data processing network

Page 20: ICAI-1 (2)

Threats

Damage can range from errors harming database integrity to fires destroying entire computer centers
Losses can stem from:
Actions of supposedly trusted employees defrauding a system
Outside hackers
Careless data entry clerks
Knowledge of threat environment helps in implementing cost-effective security measures

Page 21: ICAI-1 (2)

IS Security

Procedures and practices to assure that computer facilities are available at all required times

Data is processed completely and efficiently

Access to data in computer systems is restricted to authorised people

Page 22: ICAI-1 (2)

Why do you need Information Security

I believe that information security will become an even bigger problem as we move into the next century, especially as even the new smaller computers will be able to operate at blinding speed, making millions of computations in seconds

Akio Morita, co-founder of Sony

Page 23: ICAI-1 (2)

IT Risks and Frauds

IT tends to confound auditors and managers to the extent that they are rarely in a position to detect or prevent computer based embezzlement – Harvard Business Review

Page 24: ICAI-1 (2)

Vulnerability

A weakness that could be exploited to cause damage to the system

Why do you need Security?

Page 25: ICAI-1 (2)

Threat

Any event with the potential to cause harm to a system in the form of disclosure, modification, destruction or denial of service

Why do You need Security?

Page 26: ICAI-1 (2)

Barings Bank Bankruptcy

Error a/c no. 88888 overlooked by auditors
$ 80 million deficit built into a/c
No internal controls in place to verify claim of Leeson that he had made investment in above a/c on behalf of his client
Special password for computer access to above a/c
Lack of segregation of duties
Supervisors looked the other way

Page 27: ICAI-1 (2)

Confidentiality

The concept of how to prevent unauthorized release of information or unauthorized use of system

What is Security?

Page 28: ICAI-1 (2)

Integrity

The issue of how to preserve information so that it stays trustworthy, i.e. how to avoid the unauthorized modification of information

What is Security? (CIA)

Page 29: ICAI-1 (2)

Availability

The probability that a system is operational at any time or, in other words, the percentage of up-time

What is Security?

Page 30: ICAI-1 (2)

Auditable

Whether the system can be measured against an established criteria or benchmark

What is Security?

Page 31: ICAI-1 (2)

Reality of Security - RBI

Major Factors Of Security Violation:
Inadequate/incomplete system design
Programming errors
Weak/inadequate logical access controls
Poorly designed procedural controls
Ineffective employee supervision
Ineffective management controls

Page 32: ICAI-1 (2)

There are NO absolutely secure systems and there are NO absolutely reliable systems.

Increased security most often results in increased cost for the system.

The Reality of Security

Page 33: ICAI-1 (2)

There must be a trade-off between:

Cost for increasing system control and security

Vs.

Cost incurred as a result of successful security violations or system failures

The Reality of Security

Page 34: ICAI-1 (2)

Defining Scope and Objectives of IS Audit

What is IS Audit?
IS Audit - Risk Perspective
IS Audit - Control Perspective
What is scope of IS Audit?
What are Objectives of IS Audit?

Page 35: ICAI-1 (2)

What is IS Audit?

Any audit that encompasses: the review and evaluation of all aspects (or any portion) of automated information processing systems, including related non-automated processes, and the interfaces between them.

Page 36: ICAI-1 (2)

Objectives of IS Audit

Provide management with reasonable assurance that identified control objectives as relevant are being met by the package.
Where there are significant control weaknesses, to substantiate the resulting risks, and
Advise management on corrective actions
Perspectives: Proactive or re-active
Stage: Pre-implementation, during implementation or post-implementation

Page 37: ICAI-1 (2)

IS Audit – Risk perspective: Identifying and assessing Risks

1. Risk management: Assess risks first and implement appropriate controls; reduce risks to acceptable level

Assignments in this perspective: Security Management, Information Risk Management, Information Systems Risk Management, Security Audit, IT Audit, etc.

Page 38: ICAI-1 (2)

IS Audit – Risk perspective: Identifying and assessing Risks

Assess the impact of IT failing to meet the business objectives on account of risks or issues impacting the following information criteria:

Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability

Page 39: ICAI-1 (2)

IS Audit – Control perspective: Identifying and assessing controls

2. Controls: Review internal control system to ensure whether business objectives are achieved; set appropriate control objectives

Assignments in this perspective: IS Audit, IS Assurance, Computer Assurance Services, Technology Assurance Services, IT Governance, IS Controls Review, etc.

Page 40: ICAI-1 (2)

IS Audit - Control Assessment

IS auditor is required to evaluate whether available controls are adequate and appropriate to mitigate the risks
If controls are inadequate or inappropriate:
Identify the control weakness
Provide recommendation
Report above to auditee management

Page 41: ICAI-1 (2)

Defining Controls and Control Objectives

CONTROL: “The Policies, Procedures, Practices and Organisational Structures, Designed to Provide Reasonable Assurance that Business Objectives will be Achieved and that Undesired Events will be Prevented or Detected and Corrected”

Business Orientation - the key of controls: “Control is a Management issue not an IT issue”

IT CONTROL OBJECTIVE: “A Statement of the Desired Result or Purpose to be Achieved by Implementing Control Procedures in a Particular IT Activity”

Page 42: ICAI-1 (2)

1. Practical approach to IS Audit

Model case study of how to plan and perform various Information Systems Audit Assignments

Page 43: ICAI-1 (2)

Execution of IS Audit – step by step approach

IS Audit could encompass all aspects of operations of the auditee or it may be focussed on a particular area.

IS Audit could be done by internal auditors or external auditors.

IS Audit involves review (view again) and evaluation (against a benchmark or set standard) of any or all aspects of IT processing in the enterprise including the interfaces.

Page 44: ICAI-1 (2)

Case study of IS Audit – Step by step

1. Identify Audit Objectives and Scope
2. Understand IT environment
3. Understand the business processes
4. Understand the Organisation structure
5. Understand the Information systems and Control Architecture
6. Identify related standards\guidelines
7. Identify \ Select relevant IT process
8. Select Control Objectives (CO)
9. Extend CO by adding BP \ IT controls

Page 45: ICAI-1 (2)

Case study of IS Audit (continued)

10. Identify relevant Risks for identified IT process
11. Identify Management benchmarks
12. Prepare Audit program, procedures and checklist by integrating the information up to step 11
13. Perform the audit and identify control weaknesses
14. Prepare draft report
15. Discuss the report with auditee
16. Prepare final report
17. Presentation to senior management

Page 46: ICAI-1 (2)

Sample Scope of IS audit

Assessing Risks and Controls related to the following, from the two perspectives:
Environmental Access security or controls review
Physical Access security or controls review
Logical Access security or controls review
IS Operations security or controls review
Application security or audit
Implementation security or audit
BCP assessment or BCP audit
SDLC review or audit
IT Strategy ….

Page 47: ICAI-1 (2)

Understand the IT environment

IT Resources: Facilities, Technology, Applications, Data, People
What is the Information Architecture of the enterprise?

Page 48: ICAI-1 (2)

IT Control System (diagram)

Layers shown, each of which influences the next: IT Organization; Business processes / IT business processes; Applications / IT applications (Controlling, Financial reporting, Data); Equipment / IT infrastructure (Hardware, Communication Network, Operating System).

Page 49: ICAI-1 (2)

Identify related standards

IS Audit Standards, Guidelines and IS Governance standard issued by ISACA
ISA or SAP issued by ICAI\IFAC
IS Guidelines issued by IFAC
Specific industry standards (for example, banks, IT Companies)
Technology standards as per technology deployed
Compliance requirements as relevant
Industry related controls
Specific business related controls or guidelines

Page 50: ICAI-1 (2)

What is COBIT® ?

COBIT (Control Objectives for Information and Related Technology) is a breakthrough Information Technology (IT) Governance tool that helps in understanding and managing the risks associated with Information and related Technology.

COBIT provides a globally accepted framework for reviewing diverse technology platforms across the enterprise.

It provides the best practices researched from a host of international standards on auditing and technology.

COBIT has been developed as a generally applicable and accepted standard for good IT security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.

Page 51: ICAI-1 (2)

COBIT - Tool for IS Audit

Executive Summary - Overview for senior Management
Framework - Conceptual model linking control objectives to business objectives
Control Objectives - provide the landscape
Audit Guidelines - provide the Compass
Implementation Tool Set - how to get started
Management Guidelines - provide the Compass to Management for measuring performance and managing IT


Page 53: ICAI-1 (2)

Formulate audit strategy and control evaluation

Preliminary review of Audit area
Obtain & record understanding of audit area
Evaluating audit area
Compliance Testing (Test of Controls)
Substantive Testing (Test of Details)

Page 54: ICAI-1 (2)

Prepare draft report

1. Issue (area of control weakness): Rank this based on information criteria as relevant.
2. Implications (effect): Highlight the IT Resources impacted as relevant, and the Critical Success Factors of the relevant IT process.
3. Cause: identify the probable cause
4. Recommendations: Use the best practices as adapted for business requirement \ IT deployment of Auditee Company
5. Management Comment: Auditee to add details

Page 55: ICAI-1 (2)

Discuss draft report with auditee

Obtain confirmation of findings and their risk ranking

Remove incorrect findings based on confirmation of facts

Obtain agreement on causes and recommendations

Obtain agreed plan of action for implementing recommendations

Page 56: ICAI-1 (2)

Prepare final report

Outline for each finding (area of control weakness or area of improvement):
Issue: Rank this based on information criteria as relevant
Implications (effect): Highlight IT Resources impacted as relevant & CSF of relevant IT process not met
Cause: Identify probable cause(s)

Page 57: ICAI-1 (2)

Prepare final report

Recommendation: Base on best practices and adapt it as per specific business requirement \ IT deployment of auditee company
Management Comment: Obtain feedback from management and identify issues of disagreement which need escalation
Implementation Time-frame

Page 58: ICAI-1 (2)

Presentation to senior management

Prepare executive summary for senior management – highlight key findings and recommendations
Prepare PPT slides for presentation
Make presentation
Present executive summary and detailed audit report
Conduct exit interview

Page 59: ICAI-1 (2)

How to market the services of IS Audit?

Know need and importance of IS Audit
Assess the current competencies and skill-sets of your audit
Decide what type of services you intend to provide
Update skill-sets as required
Develop tie-ups with a panel of IT Consultants or domain experts
Prepare brief outline of services provided
Formulate standard approach for each of audit stages and prepare standard templates
Identify your potential clients – existing or new
Think long-term and begin with small assignments for your existing clients

Page 60: ICAI-1 (2)

Why IS Audit Important?

Growing access to and use of IT
Growing concern for data security due to proliferation of IT
Potential of computer fraud
Complexity of systems and computers
Protectors of information assets and privacy
Regulatory requirement
Top priority of executive management

Page 61: ICAI-1 (2)

(Diagram) A pyramid of Operational-level employees, Middle-level managers and Top-level managers, with the arrow "Increasing ability to override control mechanisms" running up the levels; the labels "Strongest Control Mechanisms" and "Greatest frequency of fraud" mark the diagram.

Page 62: ICAI-1 (2)

Career Advice: What Should I Know

• Assess Current Skills and future career growth path
• Extensive domain knowledge and functional expertise in chosen area of expertise
• Strong PC User skills
• Operating Systems and Networking
• Database and SQL skills (Microsoft Access)
• Report writer skills (Crystal)
• Web page development (FrontPage, HTML)
• Internet and eCommerce
• Project management skills

Page 63: ICAI-1 (2)

Innovative Avenues in IT

Consulting – Infrastructure, HW, SW, MIS, Controls, Compliance…
Implementation – Infrastructure, HW, SW, MIS, Controls, Compliance…
Design and development – Infrastructure, SW, MIS, Compliance…
Training – SW, IT, MIS, Implementation, Audit, Compliance, Controls…
Assurance – Audit, security, applications, data, processes, operations, controls, efficiency, effectiveness, compliance, reliability, quality…

Page 64: ICAI-1 (2)

(Diagram) IT Resources and Business Processes are related to the Information Criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability), producing Information – Audit Findings.

Page 65: ICAI-1 (2)

Thank you