This document discusses auditing in a computer systems environment. It outlines some key risks specific to an IT environment, including physical audit trails being replaced by data trails, hardware/software failures, systematic errors, fewer human inputs leading to less segregation of duties, access authorization issues, and deliberate harmful acts. The document also discusses challenges of IT auditing, such as understanding the purpose and significance of IT controls, remaining current with methodologies and business objectives, identifying responsibilities, and balancing risks with control requirements. Effective IT auditing requires implementing an appropriate control framework and auditing plan.
Information Technology: Key to Business Decision Making

• Access to relevant and reliable information, which includes timeliness of information and an appropriate level of detail.
• Successfully applied information technology (IT) speeds the availability of information, automates aggregation and sorting of data, and ensures information accuracy.
• IT is successfully applied when the organization is able to use it to fulfill business objectives, measure and address risks appropriately, grow and adapt fluidly, communicate effectively internally and externally, and react quickly to business opportunities as they arise.

Risks Specific to IT Environment

IT can potentially remove risks from a manual system but introduces its own risks. In addition, because of the nature of IT activities, the following risks may also affect each other.

• Physical audit trail replaced by data trail. Many physical documents are eliminated for audits, and controls must be used to compensate.
• Hardware/software failure. Permanent loss of data, e.g. from environmental damage, outages, civil disruption and disasters, is costly.
• Systematic errors. IT reduces random errors such as data entry, but automated systems can uniformly duplicate errors, e.g. via faulty code.
• Fewer human inputs/less segregation of duties. Many IT systems reduce labor costs through automation. Mitigating controls include reviewing segregation of duties and requiring end users to review their output at a low enough level of aggregation to catch problems.
• Access authorization. Increased ability to access sensitive information remotely also increases the risk of unauthorized access.
• Automated transaction authorization. Transactions that formerly required review and authorization, such as credit decisions, can be entirely regulated by a computer application. Authorization assurance rests on software controls and master file integrity.
• Deliberate harmful acts. Dishonest or disgruntled employees with proper access, as well as outside individuals with profit or destructive motives, can cause significant harm to an organization. Trusted insiders are the more significant risk.
The IIA GTAG 4 “Management of IT Auditing” states that IT risks may be divided into two (2) general categories:

• Pervasive risks: are not limited to one system or activity but affect the enterprise as a whole, e.g. if inadequate UAT of a new operating system causes a total system shutdown upon implementation, all aspects of the operation are affected.
• Specific risks: can be attributed to a specific process, e.g. a malfunction that prevents vendors from accessing current inventory levels affects only inventory management and production.

CHALLENGES OF IT AUDITING

To identify and assess the control of IT risks properly, an internal auditor must:

1. Understand the purpose of an IT control, what type of control it is, and what it is meant to accomplish.
   • Governance, management, technical
   • General Application
   • Preventive, detective, corrective
   • Information security
2. Appreciate the significance of the control to the enterprise: both the benefits that accrue to the enterprise through the control (e.g. legal compliance or competitive advantage) and the damage that a weak or nonexistent control can cause.
   • Reliability and effectiveness
   • Competitive advantage
   • Legislation and regulation
3. Remain current with methodologies and business objectives.
   • Methodologies
   • Audit Committee interface
4. Identify which individuals or positions are responsible for performing what tasks.
   • Governance
   • Management
   • Audit
5. Balance the risk posed with the requirements of creating a control.
   • Risk analysis
   • Risk response
   • Baseline controls
6. Implement an appropriate control framework and auditing plan.
   • Control framework
   • Frequency