The Information Systems Audit Process


Definitions:

Audit is an unbiased examination and evaluation of the products, processes and the systems.

Auditor: The auditor is the competent person who is performing the audit.

Auditee: The organization and people being audited are collectively called the auditee.

Client: The client is the person or organization with the authority to request the audit. A client may be the audit committee, an external customer, the internal audit department, or a regulatory group. Audit details should be kept confidential from persons not directly involved as auditee or client.

Definitions:

Internal audits and assessments

Internal auditing involves auditing your own organization to discover evidence of what is occurring inside the organization (self-assessment). These audits have restrictions on their scope, and the findings should not be shared outside the organization.

Definitions:

External audits

An external audit is a review of the financial statements or reports of a company by someone not affiliated with the company. External audits play a major role in financial oversight because they are conducted by outside individuals and therefore provide an unbiased opinion. External audits are commonly performed at regular intervals by businesses and are typically required yearly by law for governments.

CISA : Chapter #1 The Information Systems Audit Process 4


Definitions:

External audits

External audits also involve your customer auditing you, or you auditing your supplier. The business audits its customer or supplier, or vice versa. The goal is to ensure the expected level of performance as mutually agreed upon in their contracts.



Independent audits are outside of the customer-supplier influence. Third-party independent audits are frequently relied on for licensing, certification, or product approval.

Product audits check the attributes against the design specification (size, color, markings).

Process audits evaluate the process method to determine whether the activities or sequence of activities meet the published requirements. We want to see how the process is working. This involves checking inputs, actions, and outputs to verify the process performance.

System audits seek to evaluate the management of the system, including its configuration. The auditor is interested in the team members’ activities, control environment, event monitoring, how customer needs are determined, who provides authorization, how changes are implemented, preventative maintenance, and so forth, including incident response capability.

Financial audits verify financial records, transactions, and account balances. This type of audit is used to check the integrity of financial records and accounting practices compared to well-known accounting standards.

Operational audits verify the effectiveness and efficiency of operational practices. Operational audits are used frequently in service and process environments, including IT service providers.

Integrated audits include both financial and operational controls audits.

Compliance audits verify implementation of and adherence to a standard or regulation. This could include ISO standards and all government regulations. A compliance audit usually includes tests for the presence of a working control.

Administrative audits verify that appropriate policies and procedures exist and have been implemented as intended. This type of audit usually tests for the presence of required documentation.

Forensic audits: Forensic auditing has been defined as auditing specialized in discovering, disclosing and following up on fraud and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities.

IS audits: This process collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that business, operations and control objectives will be met and that undesired events will be prevented or detected and corrected in a timely manner.

Definitions:

Control: The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Definitions:

IT control objective: A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

Definitions:

IT governance: Each business has a structure of relationships and processes to direct and control the company so that it achieves its goals. IT governance refers to the use of the IT infrastructure in such a way that it adds value to the company’s basic structure while balancing risk versus return over IT and its processes.

IT framework

A successful organization is built on a solid framework of data and information. The framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through high-level control objectives, one for each IT process, contained in four domains (Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate). The framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data), are important for the IT processes to fully support the business objectives.

Audit mission

In light of management objectives, a well-documented audit charter, approved by top management, defines the overall authority, scope and responsibility of the audit function.

Whenever you conduct an audit, it is important to write an audit mission statement as part of the preparation. A mission statement defines the audit both for your benefit and for the benefit of the auditee, thereby helping to eliminate confusion, waste of resources, and inefficiencies in auditing.

The mission statement serves as a link between the planning and the execution of the audit.

Sometimes it seems that writing an audit mission statement can be skipped, but it is not recommended to do so. A little bit of planning in the form of a mission statement goes a long way to ensuring that the audit functions are effectively performed.

Audit planning

Audit planning consists of the following:
• Outlining the audit purpose and objective
• A risk assessment process to describe and analyze the risks inherent in a given activity of the business
• An audit plan detailing the IS audit’s budgeting and planning processes
• An audit cycle that identifies the frequency of audits
• Audit work programs that set out, for each audit area, the required scope and resources
• The format of written audit reports

Risk analysis

Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.

Risk elements:
• Threat
• Impact
• Frequency

Business risk

Threats that may impact the assets, processes or objectives of a specific business organization. The nature of these threats may be:
• financial,
• regulatory,
• operational, or
• may arise as a result of the interaction of the business with its environment, or
• may arise as a result of the strategies, systems and technology, processes, procedures and information systems used by the business.

Risk analysis

In analyzing the business risks arising from the use of IT, it is important for the IS auditor to have a clear understanding of:
• The purpose and nature of the business, the environment in which the business operates and related business risks
• The dependence on technology and related dependencies that process and deliver business information
• The business risks of using IT and related dependencies and how they impact the achievement of the business goals and objectives
• A good overview of the business processes and the impact of IT and related risks on the business process objectives

ROLES AND RESPONSIBILITIES OF IT AUDITORS

The focus of IT audits today depends on the governance of IT and process maturity in an organization. The ideal focus should be on only those aspects of IT that are important to the organization.

The technical IT auditor executes audit processes at the technical systems level but may or may not be capable of functioning at level two because of the broad business perspective required. To illustrate, this is the auditor who would conduct the firewall review and provide assurance to the auditor in charge that the scope and conduct of the technical audit steps were appropriate and adequate.

ROLES AND RESPONSIBILITIES OF INTERNAL AUDITORS

The primary role of the internal audit staff is to assess independently and objectively the controls, reliability, and integrity of the institution’s IT environment. These assessments can help to maintain or improve the efficiency and effectiveness of the institution’s IT risk management, internal controls, and corporate governance.

Internal auditors should evaluate IT plans, strategies, policies, and procedures to ensure adequate management oversight. Additionally, they should assess the day-to-day IT controls to ensure that transactions are recorded and processed in compliance with acceptable accounting methods and standards and are in compliance with policies set forth by the board of directors and senior management.

Auditors should make recommendations to management about procedures that affect IT controls. Audit’s role generally entails reviewing the control aspects of new applications, products, conversions, or services throughout their development and implementation. Early IT audit involvement can help to ensure that proper controls are in place from inception. However, the auditors should be careful not to compromise, or even appear to compromise, their independence when involved in these projects.

ROLES AND RESPONSIBILITIES OF EXTERNAL AUDITORS

External auditors typically review IT control procedures as part of their overall evaluation of internal controls when providing an opinion on the adequacy of an institution’s financial statements. As a rule, external auditors review the general and application controls affecting the recording and safeguarding of assets and the integrity of controls over financial statement preparation and reporting.

General controls include the plan of organization and operating, documentation procedures, access to equipment and data files, and other controls affecting overall information systems operations. Application controls relate to specific information systems tasks and provide reasonable assurance that the recording, processing, and reporting of data is properly performed.

External auditors may also review the IT control procedures as part of an outsourcing arrangement in which they are engaged to perform all or part of the duties of the internal audit staff. The extent of external audit work, including work related to information systems, should be clearly defined in an engagement letter.

The external auditor may discover weaknesses in the internal control procedures that will affect the accounts. The auditor should report these weaknesses to management. The principal purposes of this report to management are:

(a) To enable the auditor to comment on the accounting records, systems and controls examined during the course of the audit: for example, weaknesses in credit control, the reconciliation of ledgers and the maintenance of grant approvals.
(b) To provide management with financial statistics that can be used to judge the performance of a charity: for example, the number of weeks’ expenditure in reserves, or total staff costs expressed as a ratio of total resources expended.
(c) To communicate any matter that might affect future audits: for example, new accounting standards.

The report to management should recommend what changes need to be made to systems in situations where there are no other compensatory controls. The auditor must ensure that the recommended changes have in fact been made.

ROLES AND RESPONSIBILITIES OF IT AUDITORS

IT auditors, just as much as IT practitioners, work in a very interesting and dynamic environment where everything changes all the time. Initially the role of the IT auditors was protecting the business from the many new exposures that information and communication technologies could create, and risk management has remained an important activity for IT managers and auditors.

In today’s era of globalization and universal connectivity, many other things have also changed:
(a) The dependence of organizations and business on these technologies has become critical.
(b) IT has become embedded in most business processes and is an important service function.
(c) The risks to be contained and managed have all changed and expanded.
(d) Technologies have become much more complex and are deployed in large numbers.
(e) The range of IT-related activities is greater than before, and may have been outsourced.

An information systems audit:

“Any audit that encompasses review and evaluation of automated information processing, related non-automated processes and the interfaces between them.”

Audit procedures:

1. Understanding of the audit area/subject
2. Risk assessment
3. Detailed audit planning
4. Preliminary review of the audit area/subject
5. Evaluating the audit area/subject
6. Compliance testing (often tests of controls)
7. Substantive testing
8. Reporting
9. Follow-up

Audit risk:

The risk that the information/financial reports may contain a material error that goes undetected during the course of the audit.

Categories of audit risk:

Inherent risk: For example, complex calculations are more likely to be misstated than simple ones, and cash is more likely to be stolen than an inventory of coal.

Control risk: For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed due to the volume of logged information.

Detection risk: The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.

Overall audit risk: The combination of the individual categories of audit risk assessed for each specific control objective.

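The control-risk example above (a manual review of computer logs that misses events because of the log volume) is the classic case where a scripted review lowers both control risk and detection risk: every record is held to the same rule, so nothing is skipped for lack of attention. The following Python script is an added example, not part of the original slides. It runs a simple exception review over a constructed sample of authentication log lines; the record format, the threshold of five failed logins, the 08:00 to 18:00 business hours and the privileged-account list are all assumptions for the illustration, and one deliberately malformed line shows that unparsable records are reported rather than silently dropped.

```python
"""Added example: scripted exception review over a constructed log sample."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not output of any real system). Assumed record
# format: "<ISO timestamp> <user> <event> <host>"; one malformed line is
# included so the unparsed-line count is exercised.
SAMPLE_LOG = """\
2024-03-04T09:01:12 alice login_ok srv-app01
2024-03-04T09:02:40 bob login_fail srv-app01
2024-03-04T09:02:55 bob login_fail srv-app01
2024-03-04T09:03:10 bob login_fail srv-app01
2024-03-04T09:03:30 bob login_fail srv-app01
2024-03-04T09:04:01 bob login_fail srv-app01
2024-03-04T09:04:20 bob login_ok srv-app01
2024-03-04T10:15:00 carol login_ok srv-app02
2024-03-04T23:47:05 admin login_ok srv-db01
2024-03-05T02:10:44 admin priv_escalation srv-db01
corrupted entry
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Assumed control parameters for the illustration (in practice these come
# from the organization's access policy, which the auditor reads first).
FAILED_LOGIN_THRESHOLD = 5
BUSINESS_HOURS = (8, 18)          # 08:00 inclusive to 18:00 exclusive
PRIVILEGED_ACCOUNTS = {"admin"}


def parse_line(line):
    """Return a record dict, or None when the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, event, host = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "host": host}


def review_logs(text):
    """Scan every line and return only the exceptions worth an auditor's time."""
    findings = {"lines_reviewed": 0, "unparsed": 0,
                "failed_login_bursts": {}, "after_hours_privileged": []}
    fails = defaultdict(int)
    for raw in text.splitlines():
        findings["lines_reviewed"] += 1
        rec = parse_line(raw)
        if rec is None:
            findings["unparsed"] += 1      # an unparsable record is itself a finding
            continue
        if rec["event"] == "login_fail":
            fails[rec["user"]] += 1
        elif rec["user"] in PRIVILEGED_ACCOUNTS:
            hour = rec["ts"].hour
            if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
                findings["after_hours_privileged"].append(raw.strip())
    # Only users at or above the threshold are reported; the rest is noise.
    findings["failed_login_bursts"] = {
        user: n for user, n in fails.items() if n >= FAILED_LOGIN_THRESHOLD}
    return findings


if __name__ == "__main__":
    for key, value in review_logs(SAMPLE_LOG).items():
        print(key, value)
```

The point for the auditor is not the specific rules but that the review is repeatable: the same script run against next month's log applies identical criteria, which is what makes the control's operation testable.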
Risk assessment techniques:

These techniques may be:
• computerized
• non-computerized
• scoring-based
• judgment-based, relying on business knowledge, executive management directives, historical perspective, business goals and environmental factors

Compliance testing:

Compliance testing tests for the presence or absence of something. It includes verifying that policies and procedures have been put in place, and checking that user access rights, program change control procedures, and system audit logs have been activated.

An example of a compliance test is comparing the list of persons with physical access to the data center against the HR list of current employees.

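The data-center example above can be carried out as a scripted reconciliation: export the badge system's holder list, export the HR roster, and report every badge whose holder is unknown to HR or no longer active. The Python below is an added example, not the slide's own material; the HR record fields, the badge export format and the sample data are constructed for the illustration.

```python
"""Added example: compliance test reconciling data-center badge holders with HR."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str      # assumed HR values: "active" or "terminated"


# Constructed sample HR roster (not taken from any real system).
HR_RECORDS = [
    Employee("E100", "Alice Ng", "active"),
    Employee("E101", "Bob Lee", "terminated"),
    Employee("E102", "Carol Diaz", "active"),
    Employee("E103", "Dan Roy", "active"),
]

# Constructed badge-system export, assumed format: badge id -> employee id.
DATACENTER_ACCESS = {
    "B1": "E100",   # Alice: active, access is consistent with HR
    "B2": "E101",   # Bob: terminated but still holds access -> exception
    "B3": "E102",   # Carol: active
    "B4": "E999",   # no HR record at all -> exception
}


def reconcile_access(hr_records, access_list):
    """Compare every badge holder with HR and return the exceptions found."""
    by_id = {e.emp_id: e for e in hr_records}
    exceptions = {"unknown_to_hr": [], "not_active": []}
    for badge, emp_id in sorted(access_list.items()):
        emp = by_id.get(emp_id)
        if emp is None:
            exceptions["unknown_to_hr"].append((badge, emp_id))
        elif emp.status != "active":
            exceptions["not_active"].append((badge, emp_id, emp.status))
    return exceptions


def control_operating(exceptions):
    """The access-revocation control passes the test only with zero exceptions."""
    return not any(exceptions.values())


if __name__ == "__main__":
    found = reconcile_access(HR_RECORDS, DATACENTER_ACCESS)
    print("exceptions:", found)
    print("control operating effectively:", control_operating(found))
```

Each exception is a test failure for the joiner/leaver control, and the tuple carries the badge id and employee id the auditor needs to trace the item back to its source records.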
Substantive testing:

Substantive testing seeks to verify the content and integrity of evidence. Substantive tests may include complex calculations to verify account balances, physical inventory counts, or executing sample transactions to verify the accuracy of supporting documentation. Substantive tests use audit samples selected by dollar value or to project (forecast or estimate) a total for groups with related characteristics.

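Selecting a sample by dollar value is commonly done with monetary unit sampling: every n-th dollar of the population is selected, so high-value items are proportionally more likely to be picked, and the misstatements found in the sample are then projected onto the population. The Python below is an added example, not taken from the slides. The invoice population is constructed, and the projection step (scaling each sampled item's tainting to the sampling interval, with items at or above the interval taken at their actual misstatement) is the common most-likely-error formulation, which the slide does not spell out.

```python
"""Added example: dollar-value (monetary unit) sample selection and projection."""

# Constructed population of invoices: (invoice_id, book_value). Not real data.
POPULATION = [
    ("INV-1", 1200.0), ("INV-2", 300.0), ("INV-3", 4500.0), ("INV-4", 800.0),
    ("INV-5", 150.0), ("INV-6", 2600.0), ("INV-7", 950.0), ("INV-8", 1500.0),
]


def select_mus_sample(population, sample_size, random_start):
    """Systematic monetary unit sampling.

    interval = population total / sample size; the dollars at positions
    random_start, random_start + interval, ... are selected, and the item
    containing each selected dollar joins the sample. An item whose value is
    at least one interval is certain to be selected.
    """
    total = sum(value for _, value in population)
    interval = total / sample_size
    if not 0 <= random_start < interval:
        raise ValueError("random_start must lie in [0, interval)")
    selected = []
    cumulative = 0.0
    next_hit = random_start
    for inv_id, value in population:
        cumulative += value
        hit = False
        while next_hit < cumulative:      # an item may contain several hits
            hit = True                    # but is listed once
            next_hit += interval
        if hit:
            selected.append((inv_id, value))
    return interval, selected


def project_misstatement(sample_results, interval):
    """Project sample misstatements onto the population.

    sample_results: list of (book_value, audited_value) for sampled items.
    Tainting = misstatement / book value, scaled by the interval; items at
    or above the interval are taken at their actual misstatement because
    they represent only themselves.
    """
    projected = 0.0
    for book, audited in sample_results:
        misstatement = book - audited
        if book >= interval:
            projected += misstatement
        else:
            projected += (misstatement / book) * interval
    return projected


if __name__ == "__main__":
    interval, sample = select_mus_sample(POPULATION, sample_size=4,
                                         random_start=1000.0)
    print("interval:", interval, "sample:", sample)
    # Constructed audit results: INV-3 and INV-6 are overstated.
    results = [(1200.0, 1200.0), (4500.0, 4400.0), (2600.0, 2340.0), (950.0, 950.0)]
    print("projected misstatement:", project_misstatement(results, interval))
```

With the constructed population (total 12,000) and four sample items the interval is 3,000, so INV-3 at 4,500 is always selected; a 100 overstatement there counts in full, while the 10% tainting on INV-6 is scaled to 300, giving a projected misstatement of 400 for the auditor to compare against materiality.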
Evidence:

Evidence is any information used by the auditor to determine whether the entity or data being audited follows the established audit criteria or objective. Evidence should be sufficient, relevant and competent.

Reliability of evidence:
• Independence of the provider
• Qualification of the provider
• Objectivity of the evidence
• Timing of the evidence

Evidence gathering techniques:

• Reviewing IS organization structures
• Reviewing IS policies
• Reviewing IS standards
• Reviewing IS documentation
• Interviewing appropriate personnel
• Observing processes and employee performance

Computer-assisted audit techniques (CAATs):

These include many types of generalized audit software, utility software, test data, debugging and scanning software, application software tracing and mapping, and expert systems.

These tools can be used for:
• Tests of details of transactions and balances
• Analytical review procedures
• Compliance tests of IS general controls
• Compliance tests of application controls
• Penetration and OS vulnerability testing

CAAT advantages:
• Reduced level of audit risk
• Greater independence from the auditee
• Broader and more consistent audit coverage
• Faster availability of information
• Improved exception identification
• Greater flexibility of run times
• Greater opportunity to quantify internal control weaknesses
• Enhanced sampling
• Cost savings over time

Internal controls cover policies, processes, tasks and behaviors. These controls enable a business to operate effectively, comply with laws and provide good quality of services/products. They are used to manage and reduce risks.

Control classification
1. Preventive
2. Detective
3. Corrective

• Internal accounting controls
Primarily directed at accounting operations such as the safeguarding of assets and the reliability of financial records and financial reporting.

• Operational controls
Directed at day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives.

• Administrative controls
Concerned with operational efficiency in a functional area and adherence to management policies, including operational controls. Described as supporting the operational controls specifically concerned with operating efficiency and adherence to organizational policy.

Elements of effective internal control
a) A strong control environment, supportive of business objectives.
b) Risk assessment and risk management to identify areas of vulnerability and exposure as a basis for the objectives of the control system.
c) A range of control activities, such as segregation of duties, authorization procedures, physical security measures, supervision, etc.
d) Communication and information processes to ensure that all levels of management receive appropriate progress reports.
e) Processes for monitoring the continuing effectiveness of the system and taking corrective action where required.

RISK MANAGEMENT

Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures (safeguards or controls), if any, to take in reducing risk to an acceptable level (i.e. residual risk), based on the value of the information resource to the organization.

Depending on the type of risk and its significance to the business, management and the board may choose to:
• Avoid: where feasible, choose not to implement certain activities or processes that would incur risk (i.e. eliminate the risk by eliminating the cause).
• Mitigate: lessen the probability or impact of the risk by defining, implementing, and monitoring appropriate controls.
• Transfer (deflect, or allocate): share risk with partners or transfer via insurance coverage, contractual agreement, or other means.
• Accept: formally acknowledge the existence of the risk and monitor it.

Internal control objectives

Internal control objectives are statements of the desired result or purpose to be achieved by implementing control procedures in a particular activity.

Internal control objectives include:

1. Safeguarding of information technology assets
2. Compliance with corporate policies or legal requirements
3. Authorization/authentication
4. Confidentiality
5. Accuracy and completeness of data
6. Reliability of process
7. Availability of IT services
8. Efficiency and economy of operation
9. Change management process for IT and related systems

IS control objectives include:
1. Safeguarding of assets
2. Integrity of general OS, network and operations
3. Integrity of sensitive and critical application systems through:
   - Authorization
   - Accuracy
   - Reliability
   - Completeness and security of output
   - Database integrity
4. Efficiency and effectiveness
5. Compliance
6. Continuity and disaster recovery plan
7. Incident response and handling plan

IS control procedures include:
1. Strategy and direction
2. General organization and management
3. Access to data and programs
4. System development methodologies and change control
5. Data processing operations
6. Systems programming and technical support functions
7. Data processing and quality assurance procedures
8. Physical access controls
9. Business continuity/disaster recovery planning
10. Networks and communications
11. Data administration

CONTROL SELF-ASSESSMENT

Control self-assessment (CSA) can be defined as a management technique that assures stakeholders, customers and other parties that the internal control system of the organization is reliable. It also ensures that employees are aware of the risks to the business and that they conduct periodic, proactive reviews of controls. It is a methodology used to review key business objectives, the risks involved in achieving the business objectives and the internal controls designed to manage these business risks in a formal, documented and collaborative process.

BENEFITS OF CONTROL SELF-ASSESSMENT
• Early detection of risks
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• Developing a sense of ownership of the controls in the employees and process owners, and reducing their resistance to control improvement initiatives
• Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
• Increased communication between operational and top management
• Highly motivated employees
• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers
• Necessary assurance given to top management about the adequacy of internal controls as required by the various regulatory agencies and laws

DISADVANTAGES OF CONTROL SELF-ASSESSMENT
CSA potentially has several disadvantages, which include:
• It could be mistaken as a replacement for the audit function
• It may be regarded as an additional workload (e.g., one more report to be submitted to management)
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls
