IS Audit Process
Chapter Overview
Develop and/or implement a risk-based IS audit strategy and objectives, in compliance with generally accepted
standards, to ensure that the organization's information technology and business processes are adequately
controlled, monitored, and assessed, and are aligned with the organization's business objectives.
Plan specific audits to ensure that the IS audit strategy and objectives are achieved.
Obtain sufficient, reliable, relevant, and useful evidence to achieve the audit objectives.
Auditing is defined as a systematic process by which a competent, independent person objectively obtains and evaluates
evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting
on the degree to which the assertion conforms to an identified set of standards.
IS auditing is the process of collecting and evaluating evidence to determine whether information systems and IT
environments adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information,
achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide
reasonable assurance that operational and control objectives will be met.
Role of IS auditing
Perform separate IT audits
The audit's primary role is to provide a statement of assurance as to whether adequate and reliable internal controls are in
place and are operating in an efficient and effective manner.
IS auditing involves:
Understanding of business roles in systems under development or purchase of software and project management;
Application of standards (national or international) to improve and implement quality systems in software
development;
Evaluation of System Development Life Cycle (SDLC) or new development techniques (e.g., prototyping, end-user
computing, rapid systems or application development);
Evaluation of technologies and communication protocols such as EDI, client server model, LAN and WAN, and
integrated voice/data/video systems;
Types of IS Audits
General Control Examination (Known in the past as facility audit)
Why IS Audit?
Greater reliance on Information Systems and Technology
Growing Concern for Data Security due to Proliferation of technology
Legal requirement
Audit Process
Audit Mission
Audit Charter
Information Gathering
Risk Analysis
Audit Plan
IS Auditing standards:
Inform IS auditors of the minimum level of acceptable performance required to meet their professional
responsibilities.
Inform management and other related parties of the professional expectations concerning the work of
practitioners.
Audit Phases
Audit Mission
Should take into consideration current IT environment and challenges faced by the audit
Information Gathering
Observation
Risk Assessment
Risk is the potential that a given threat will exploit the vulnerabilities of an asset or a group of assets to cause loss or damage to the
assets.
Risk analysis is part of the audit planning and it helps identify risks and vulnerabilities so that the auditor can determine
the controls needed to mitigate those risks.
The IS auditor is often focused towards a particular class of risks associated with information and the underlying
information systems and processes.
Repetition of errors
Cascading of errors
Illogical processing
Equipment failure
Concentration of data
Elements of Risk
Safety of personnel
Loss of data
Delay loss
Fraud via IT
Physical theft
Controls
The policies, procedures, practices and organizational structures, designed to provide reasonable assurance that
business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Internal control includes all measures and practices that are used to mitigate exposures to risks that could potentially
prevent an organization from achieving its objectives. Internal control is not solely a procedure or policy that is
performed at a certain point in time, but rather it is continually operating at all levels within an organization.
Reliability and completeness of accounting/financial and management information (information objectives); and,
Compliance with organizational policies and procedures as well as applicable laws and regulations (compliance
objectives).
Chapter Overview
Information Systems Strategy
Policies and Procedures
IS Management Practices
IS Organizational Structure and Responsibilities
Auditing the Management, Planning and Organization of IS
The IS Department should have long range (i.e., greater than one year, typically between 3 and 5 years) and
short range (i.e., one year or business cycle) plans. These plans should be consistent with the organization's
broader plans for attaining the organization's goals.
Typical objectives normally associated with strategic planning are:
Long-Range Planning for the Organization - should address issues pertinent to its contribution to the
organization's achievement of long-range goals.
Long-Range Planning for the Information Systems Department - should be consistent with--and integrated
into--senior management's long-range plans and recognize organizational goals, organization changes,
technological advances, and regulatory requirements.
Steering Committee
Planning/Steering Committee
Board representation
Steering committee
Board Representation
The board should have a member responsible for information technology who understands the
risks and issues.
Steering Committee
Provides an organization with direction in harmony with the corporate mission and objectives. The
committee consists of various managers who are representative of all the business areas in the
organization. Their goal is to review and act upon all requests for new system needs in accordance with the
corporate objectives. To this end it is the responsibility of the committee to ensure efficient use of data
processing resources, set the priorities, examine costs and provide support for various projects.
Policies and Procedures
Policies
Procedures
Human Resources Policies/Practices
Outsourcing Practices
Policies are high level documents. They represent the corporate philosophy of an organization. To be
effective, they must be clear and concise. Management must create a positive control environment by
assuming responsibility for formulating, developing, documenting, promulgating and controlling policies
covering general goals and directives.
Management should take the steps necessary to ensure that employees affected by a specific policy receive
a full explanation of the policy and that they understand its intent.
In addition to corporate policies that set the tone for the organization as a whole, individual divisions and
departments should define lower level policies. These would apply to the employees and operations of
these units and would focus at the operational level.
A top-down approach to the development of lower level policies in instances when they are derived from
corporate policies is desirable, as it ensures consistency across the organization.
Management should review all policies. Policies need to be updated to reflect significant changes within
the organization or department.
IS MANAGEMENT PRACTICES
Management Principles
IS Assessment Methods
Quality Management
IS Standards
CMM
Management Principles
People management
Management of change
Focus on good processes
Security
Handling third parties
People management
Personnel in a typical IS department are highly qualified and highly educated, and usually do not feel
that their jobs are at risk. IT professionals are prepared to switch jobs frequently, and the normal perks of
money and a managerial job title are not an inducement. Therefore, employee training and development
and challenging assignments are very important.
Management of change
Not only is turnover of people more frequent, but the department is constantly in a state of flux
handling demands for new applications and new technologies. It is important for an IS department to stay
abreast of technology and proactively embrace change whenever necessary.
Focus on good processes
Because of the rate of change, it is important for IS departments to implement and enforce good
processes. There must be documented procedures for all aspects of the department, whether it be
programming standards, testing or backups of data.
Security
The concern for security is far more important and pervasive within IS than most other
departments. The Internet has intensified this concern. The IS department must be equally concerned about
business continuity and disaster recovery.
Handling third parties
IS departments have many vendors who must all work together to deliver the desired results.
IS Assessment Methods
IS budgets
Capacity and growth planning
User satisfaction
Industry standards/benchmarking
Financial management practices
Goal accomplishments
IS Budgets
Allow forecasting, monitoring and analyzing of financial information. They allow for an adequate allocation
of funds, especially in an IS environment where expenses can be cost-intensive.
Capacity and Growth Planning
Used to assess whether the operation is running as efficiently and effectively as possible. This activity must
be reflective of the long and short range business plans and must be considered within the budgeting
process.
Use simulation or modeling techniques to identify any shortfalls in capacity or bottlenecks that
may adversely affect service, and budget for augmented or replacement equipment.
Determining the unused capacity and saturation point of the present system.
Estimating the growth rate of the existing system.
Determining the system upgrade point by comparing the growth rate of the system with the system
saturation point.
User Satisfaction
It is one of the measures to ensure an effective information processing operation. Users and IT should agree
on a level of service, which should be periodically audited.
Industry Standards / Benchmarking
Provide a means of determining the level of performance provided by similar information processing
facility environments. These statistics can be obtained from vendor user groups, industry publications and
professional associations.
Financial Management Practices
Critical to have sound financial management practices in place.
Goal Accomplishment
Comparing performance with predefined goals.
QUALITY MANAGEMENT
ISO Standards
Capability Maturity Model (CMM)
Quality Management
Quality management is the means by which IS department-based processes are controlled, measured and improved.
Processes in this context are defined as a set of tasks that, when properly performed, produce the desired results.
Quality Management
Software development, maintenance and implementation
Acquisition of hardware and software
Day-to-day operations
Security
Human resource management
General administration
Standards to Assist the Organization
ISO standard interpretation
ISO 9000:2000
ISO 9126
Capability Maturity Model
ISO 9000
Provides guidelines on how to choose the appropriate Standards
ISO 9001
Provides guidelines for companies in design, development, production, installation or servicing.
ISO 9002
Provides guidelines for companies in production, installation or servicing.
ISO 9003
For companies in final inspection and testing.
ISO 9004
A guideline to aid in interpretation of the standards
ISO 9126
Provides the definition of the characteristics and associated quality evaluation process used when specifying the quality requirements
of software products.
ISO 9000:2000
Maturity Levels
Process Capabilities
Key Process Areas
Goals
Common Features
Key Practices
Management Structures
Line management
Project management
IS Responsibilities and Duties
Operations
Data entry -- online and batch
Control group
Librarian
Operations
Includes all the staff required to run the computer efficiently and effectively. Can be sub-divided into three categories.
Physical Security
Data Security and Processing Controls.
Data Entry
Generally, in modern on-line environments, data entry is performed by personnel in the user departments.
On-Line Data Entry
An on-line system provides various screen edits to perform basic input verification of the data entered, e.g., range
checks, alphanumeric checks, limit checks, and valid predefined value checks against an internal table. The department
manager or supervisor is required to provide for an adequate separation of duties by being responsible for
overrides and the resubmission of errors or rejected entries.
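The four screen edits named above, plus the supervisor-only override that preserves separation of duties, as an added example that is not part of the original notes. The field names, limits and the valid-value table are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed "internal table" of valid department codes and constructed edit parameters.
VALID_DEPARTMENTS = {"FIN", "OPS", "HR"}
SINGLE_ENTRY_LIMIT = 10_000.00   # limit check: largest amount an operator may key
QUANTITY_RANGE = (1, 500)        # range check: permitted units on one line


@dataclass
class EntryResult:
    accepted: bool
    errors: list = field(default_factory=list)


def screen_edit(entry: dict) -> EntryResult:
    """Apply the basic input edits to one keyed record and return every rejection reason."""
    errors = []
    # Alphanumeric check: customer reference is letters and digits only, 6 to 10 characters.
    ref = str(entry.get("customer_ref", ""))
    if not re.fullmatch(r"[A-Za-z0-9]{6,10}", ref):
        errors.append("customer_ref: not alphanumeric or wrong length")
    # Range check: quantity must fall inside the predefined bounds.
    lo, hi = QUANTITY_RANGE
    qty = entry.get("quantity")
    if not isinstance(qty, int) or not lo <= qty <= hi:
        errors.append(f"quantity: outside range {lo}-{hi}")
    # Limit check: amount must be non-negative and not exceed the keying limit.
    amount = entry.get("amount")
    if not isinstance(amount, (int, float)) or amount < 0 or amount > SINGLE_ENTRY_LIMIT:
        errors.append(f"amount: negative or exceeds limit {SINGLE_ENTRY_LIMIT:.2f}")
    # Valid-value check: department code must exist in the internal table.
    if entry.get("department") not in VALID_DEPARTMENTS:
        errors.append("department: not in valid-value table")
    return EntryResult(accepted=not errors, errors=errors)


def resubmit(entry: dict, result: EntryResult, approver_role: str, audit_log: list) -> bool:
    """Resubmit a rejected entry. Only the supervisor may override an edit, and every
    attempt is written to the audit log so the override trail can be reviewed later."""
    if result.accepted:
        return True
    if approver_role != "supervisor":
        audit_log.append(f"DENIED override by {approver_role}: {result.errors}")
        return False
    audit_log.append(f"OVERRIDE by supervisor for {entry.get('customer_ref')}: {result.errors}")
    return True
```
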
Batch Data Entry
Data entry within the typical information systems department is often the responsibility of the Data Control
Department.
Control Group
The input/output control group should be in a separate area where only authorized personnel are
permitted entry. The supervisor of the Control Group usually reports to the IPF Operations Manager.
Librarian
The librarian is required to record, issue and receive, and safeguard all program and data files that are maintained on
computer tapes and/or disks in an IPF.
Systems Analysis
Systems analysts are specialists who design systems based on the needs of the user. This individual is
responsible for interpreting the needs of the user and determining the programs and the programmers necessary to
create the particular application.
Applications Programming
The applications programming area is made up of the applications programmers, who are responsible for
developing new systems and maintaining systems in production. They should work in a test environment only and should
not move test versions into the production environment.
Systems Programming
Systems programmers are responsible for maintaining the systems software including the operating system.
This function may allow for unrestricted access to the entire system.
Network Management
This position is responsible for technical and administrative control over the local area network. Depending
upon the policy of the company, this position can report to the director of the IPF or may report to the end-user
manager.
Help Desk Administration
It is a unit within an organization that responds to technical questions from users. Most software companies
have help-desks. Questions and answers can be delivered by telephone, fax or e-mail. Help desk personnel may
use third party help desk software that enables them to quickly find answers to common questions.
Transaction Authorization
Transaction authorization is the responsibility of the user department. Authorization is delegated to the degree that it
relates to the particular level of responsibility of the authorized individual in the department. Periodic checks must be performed
by both management and audit to detect the unauthorized entry of transactions.
Reconciliation
Reconciliation is the ultimate responsibility of the user. In some organizations, limited reconciliation of applications
may be performed by the Data Control group with the use of control totals and balancing sheets. This type of independent
verification increases the level of confidence that the applications ran successfully and that the data is in proper balance.
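Batch reconciliation with control totals, as an added example that is not part of the original notes: the Data Control group recomputes the record count, financial total and hash total from the keyed batch and compares them with the control sheet prepared by the user department. The batch and control sheet values are constructed.

```python
from decimal import Decimal

# Constructed batch as keyed: (account number, amount).
KEYED_BATCH = [
    ("1002345", Decimal("150.00")),
    ("1007781", Decimal("2499.99")),
    ("1000412", Decimal("75.50")),
]

# Constructed control sheet totals prepared independently before keying.
CONTROL_SHEET = {
    "record_count": 3,
    "financial_total": Decimal("2725.49"),
    "hash_total": 3010538,   # arithmetic sum of account numbers; meaningless except as a check
}


def compute_totals(batch):
    """Recompute the three classic control totals from the records actually processed."""
    return {
        "record_count": len(batch),
        "financial_total": sum((amt for _, amt in batch), Decimal("0")),
        "hash_total": sum(int(acct) for acct, _ in batch),
    }


def reconcile(batch, control_sheet):
    """Return the names of control totals that do not agree with the control sheet.
    An empty list means the batch balanced."""
    actual = compute_totals(batch)
    return [name for name, expected in control_sheet.items() if actual[name] != expected]


def out_of_balance_examples():
    """Two constructed keying errors and which totals catch them."""
    # Transposed digits in one account number: count and money still agree,
    # only the hash total exposes it.
    transposed = [("1002345", Decimal("150.00")), ("1007718", Decimal("2499.99")),
                  ("1000412", Decimal("75.50"))]
    # A dropped record: all three totals disagree.
    dropped = KEYED_BATCH[:2]
    return {
        "transposed": reconcile(transposed, CONTROL_SHEET),
        "dropped": reconcile(dropped, CONTROL_SHEET),
    }
```
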
Custody of Assets
Custody of corporate assets must be determined and assigned appropriately. The "data owner" has responsibility for
determining authorization levels required to provide adequate security, while the data security administration group is often
responsible for implementing and enforcing the security system.
Reviewing Documentation
Interviewing and Observing Personnel in the Performance of Duties
Reviewing Contractual Commitments
Reviewing Documentation
Information technology strategies, security policy documentation, organization/functional charts
and steering committee reports, job descriptions, system development and program change procedures,
operations procedures, and human resource manuals provide valuable evidence to the IS auditor.
Interviewing and Observing Personnel in the Performance of Their Duties.
The candidate should be able to evaluate the information obtained from an interview for the audit,
and understand how observation can also be one of the most reliable ways to verify the
identification of personnel duties.
Actual Functions
Observation is the best test to ensure that the individual who is assigned and authorized to perform
a particular function is the person who is actually doing the job.
Security Awareness
Security awareness should be observed to verify an individual's understanding and practice of
good preventive and detective security measures to safeguard the company's assets and data.
Reporting Relationships
Reporting relationships should be observed to ensure that assigned responsibilities and adequate
separation of duties are being practiced.
Reviewing Contractual Commitments
Development of contract requirements
Contract bidding process
Contract selection process
Contract acceptance
Contract maintenance
Contract compliance