
INTRODUCTION TO IT AUDIT
The points discussed here are based on the Handbook on IT Audit for Supreme Audit Institutions and the IT Audit Manual
What is Audit?
Any audit is to ensure
• Safeguarding of assets
• Maintaining data integrity
• Achieving goals effectively
• Using resources efficiently
IS Audit has the same objectives


IT Audit
• An organized and independent examination of an IT system to ensure achievement of objectives
• A continuous search for compliance
• Identification of risks associated with the IT environment
• Evaluation of the adequacy of controls
• Providing management with conclusions and recommendations
• An ongoing process
IT Audit
• IT Audit examines whether the development, implementation and maintenance of IT systems
– meet business goals/needs without compromising security
– safeguard information assets
– maintain data integrity
– address privacy and cost
– address other critical business elements
IT Audit
• IT Audit Objective:
– To ensure that IT resources allow organisational goals to be achieved effectively and resources to be used efficiently
– Covers ERP systems, IS security, acquisition of business solutions, system development and business continuity
– Review of IT system controls to gain assurance about their adequacy and effectiveness
IT Audit
• IT Audit Objective:
– Evaluation of the processes involved in the operations of a given area, e.g. the payroll system or the financial accounting system
– Evaluation of the performance of the system and its security
– Examination of the system development process and procedures
SYSTEM
• A system is an orderly arrangement of interrelated and independent elements which operate together to achieve a pre-set goal
• A set of interrelated components working together to collect, process, store and distribute information, facilitating planning, coordination and analysis and helping decision making in the business
Need for IT
• Automates the collection, manipulation and maintenance of data and the generation of reports
• IT helps in
– Handling huge volumes of data, with high storage capacity
– Accuracy and speed in data processing
– Easy and fast retrieval of information
– Faster communication facilities
– Generation of reports to assist in decision making
IT comprises
• Technology – the means by which data is transformed and organized for business use:
– Hardware
– Software
– Database
– Communication
• People – users of IT
• Organization – a collection of functional units working together to achieve a common goal
• IT facilitates business – it is for the business and not the business
Information Technology Model
Input -> Process -> Output, with Storage supporting each stage
Input – Data flowing into the system
Process – Manipulation of data
Output – Information flowing out of the system
Storage – Preserving data/information
DATA
• Data
– Plural of datum, a Latin noun meaning “something given”
– A set of facts and statistics collected together for reference or analysis
• Example
– 77, 81, 79, 90, 85
– PC1, PC2, PC3, PC5, PC6
– Images, values, sound
Information
• Information
– Data which
• are accurate, timely and presented with relevance and meaning
• can lead to an increase in understanding and a decrease in uncertainty
– Data, when processed, interpreted, organized, structured and presented so as to make them meaningful/useful, become information
Attributes of Information
• Availability
• Confidentiality
• Accuracy
• Integrity
• Reliability
• Validity
• Completeness
• Timeliness
• Adequacy
IT Audit process
Audit planning is a key part of IT Audit and is carried out at three levels
– Strategic planning
– Macro planning
– Micro/Entity level planning
Strategic planning
• A long-term (3-5 years) forecast of audit targets and objectives for the audit of IT systems of an organisation
• New and emerging areas like agile programming and cloud computing audit may be included in the strategic plan
Macro planning
• With the rapid proliferation of modern IT systems across Governments and the limitation of resources in Audit, a risk-based approach to prioritise and select suitable topics would be appropriate
• Auditable entities may also be selected on a cyclical basis or on specific request from oversight bodies
Macro planning – Risk based approach
• Identify the audit area by listing all auditable units
• Identify factors that impact the criticality of a system to the organisation in carrying out its functions and delivering services
• Assign weights to critical factors in consultation with the Audited Units
• Prepare an Annual Audit Plan outlining the priority, approach and schedule of audits
Micro planning
• Micro planning involves a detailed audit plan for the selected entity, beginning with outlining the audit objectives
• The audit plan assists Auditors in preparing the IT Audit programme
• As a pre-requisite step in developing the audit programme, the team should have a clear understanding of the audited entity and its IT systems
Preliminary study
• Know the impact of IT
– IT mitigates business risks
– But it brings in IT risks
– Understand the concepts and design
– Method of input, process and output
– Extent of business mapped in the IT environment
– Resources – technology and manpower
Preliminary study
Understanding IT environment:
• Reading background material like
– Annual reports
– Manuals and organizational publications
• Review of prior Audit reports
• Review of strategic plans
• Interview key personnel
• Visit key organizational facilities
Preliminary study
• Criticality of IS
– Mission critical systems – serious impact in case of failure
– Support systems – failure may not result in a serious impact, e.g. a decision-making system
– Determine whether any IT general deficiency could potentially become material
Audit documentation
• The record of audit work performed and the evidence supporting audit findings
• To be preserved for subsequent verification
• Documentation includes:
– Planning and preparation of audit scope, objectives and audit programmes
– Evidence collected in support of findings
– All work papers and points discussed in interviews, with the topics discussed and details of the persons interviewed
Audit documentation
• Documentation includes:
– Observations with reason, place and time
– Reports and data obtained directly or provided by the entity, with place and time
– Comments of the Auditor and further clarifications required, doubts and the need for additional information, with remarks on how these were resolved
– Draft and final report of the audit
Supervision and Review
• The work of audit staff should be properly
supervised during the audit
• Documented work should be reviewed by a
senior member of the audit staff.
• The senior staff should provide necessary
guidance and training and also monitor the
audit
Reporting
• IT Auditors should report their findings in a timely manner to the appropriate authorities
• The findings should be constructive and useful to the audited entity and meaningful to other stakeholders
• Complete, accurate, objective, convincing, and as clear and concise as the subject permits
• Adhere to the normal reporting format for audit reports, duly keeping in mind the audience of the report
Reporting stages
• Generally there are three stages of reporting
• Discussion paper
– The reporting process begins with a discussion paper sent to middle management prior to the closing meeting and taken up for discussion at that meeting
– This allows any inflammatory wording and factual errors/inconsistencies to be identified, corrected or eliminated at an early stage
– Then, prepare the first formal draft report with the necessary amendments
Reporting stages
• Management letter
– The formal draft report is given to management to obtain their response to the observations raised
– Allows management to concentrate on the findings, conclusions and recommendations, to formally write comments/responses to the Auditor and to address all the findings
Reporting stages
• Final Audit Report
– On receipt of the client’s comments, prepare a response indicating the audit position, putting together the auditor’s comments and the entity’s response in one Final Audit Report
– By nature, audit reports tend to contain significant criticisms, but in order to be constructive the report should also include conclusions and recommendations
Reporting stages
• Final Audit Report (continued)
– The status of uncorrected significant findings and recommendations from prior audits
– For balanced reporting, noteworthy management accomplishments identified during the audit are also to be included in the report
– It is important to mention in the report the limitations faced by audit, such as inadequate access to data
Conclusions and recommendations
• Must be based on evidence
• Conclusions should be relevant, logical and
unbiased
• Sweeping conclusions regarding absence of
controls and risk thereon should be avoided when
not supported by substantive testing
• Auditor should report recommendations when
potential for significant improvement in
operations and performance is substantiated by the
reported findings
Audit Matrix
• In the planning stage, the Audit Matrix is developed covering all the relevant issues for audit as per the audit objective and scope of audit
• Auditable issues are identified during the preliminary assessment stage, and the Audit Matrix is developed on that basis
Audit Matrix
• There is an overall uniformity in the information captured in the audit matrices. The matrix template captures:
– Auditable Area
– Audit objective
– Audit Issues
– Criteria
– Information required
– Analysis methods
– Audit conclusion
Identify source of Information
• To meet the criteria, adequate information/evidence needs to be identified and collected
• Sources of information include:
– System development documents such as the User Requirement Specification (URS) and System Requirement Specification (SRS)
– Electronic data (maintained in Oracle, IBM DB2, MS-SQL Server, Sybase and Teradata)
– Organisation chart
– Policy, procedures and guidance
Identify source of Information
• Sources of information include:
– Flow charts/process flow diagrams
– Other related information like forms, budgetary information, reports from previous internal/external audits, internal reviews
– Users
– Internet
Techniques and tools to get information
• Auditees have a combination of hardware, OS, DBMS, application software and network
• IT auditors have to gather information from all these sources
• Understanding the IT system of the organisation is an essential step for data extraction using computer-assisted audit tools (CAATs)
• Audit tools include IDEA, ACL, MS Excel, MS Access and SQL queries
IT Governance
• The overall framework that guides IT
operations in an organisation to ensure that it
meets the needs of the business today and
incorporates plans for future needs and growth
• An integral part of the enterprise governance
and comprises the organisational leadership,
institutional structures and processes that
ensure that IT systems sustain organisational
goals and strategy while balancing risks and
effectively managing resources
IT Governance
• IT governance plays a key role in determining the control environment and sets the foundation for establishing sound internal control practices and reporting at functional levels for management oversight and review
• All stakeholders are required to participate in the decision making process
IT Governance
• It is essential that well-defined roles and responsibilities for information, business processes and infrastructure are put in place to ensure that IT investments generate business value and mitigate the associated risks
• IT governance is also involved in updating business needs, selecting appropriate solutions and ensuring the availability of necessary training and resources (hardware, tools, network capacity etc.)
Key Elements of IT Governance
IT strategy and planning:
• Represents the mutual alignment between IT strategy and business strategic objectives
• It should consider the current and future needs of the business, current IT capacity and the requirement of resources
• IT auditors should review the IT strategy to assess the extent to which IT governance has been a part of corporate decision making in deciding the IT strategy
Key Elements of IT Governance
Organisation structure, standards, policies and processes:
• A clearly defined delegation for decision making and performance monitoring, duly supported by standards, policies and procedures
• Organisation structures of public sector entities are influenced by stakeholders – both internal [business executives, functional departments who own business processes and individuals within the organisation] and external users [agencies, individuals and the public who use products/services]
• Another influence on organisational structure is service providers, both internal and external. The need for IT functionalities emerges from the users and stakeholders
Key Elements of IT Governance
IT Organisation structure:
• IT steering committee – the pillar of the organisational structure, comprising top and senior management, with the responsibility for reviewing, endorsing and committing funds
• This committee takes investment decisions on “build” or “buy” solutions after suitable recommendations from designated groups/committees
• The Chief Information Officer (CIO) is a senior person who is responsible for the management and operation of IT capabilities
Key Elements of IT Governance
Standards, Policies and Processes:
• Standards and policies adopted by the organisation are duly approved by senior management
• Policies lay the framework for daily operations in order to achieve the goal, and are supported by procedures and processes that define how the work is to be accomplished and controlled
• Goals are set by senior management to accomplish the organisation’s mission and to comply with regulatory and legal requirements
Key Elements of IT Governance
Standards, Policies and Processes:
• Human resource policy, which deals with hiring, training, job termination and other HR functions, also covers roles and responsibilities and segregation of duties
• Documentation of Information Systems applications, job roles, reporting systems etc. and the retention of documents are important aspects
Key Elements of IT Governance
Standards, Policies and Processes:
• IT outsourcing allows management to concentrate their efforts on core business activities and to reduce running costs. It is to be ensured that it is beneficial to the organisation
• The IT Security policy establishes the requirements for the protection of information assets and refers to other procedures/tools on how these will be protected
• The policy should be available to all employees responsible for IS security
Case study 1
• The data correction utility under the PF module enabled an officer to modify the PF opening balance for the year 2016-17. This facility was used by the officer/staff to enhance the PF balance of self and others
• PF recovery of employees on deputation was credited to the suspect staff member’s own PF ledger, using his own user ID, from various PF contributions received. The amount was initially kept in the SRPF allocation without allocating it to the respective account, and after a certain period of time it was credited to his own PF account.
Solution – Remarks
• The additional feature provided for data correction was misused by unauthorized persons
• Sharing of user ID and password
• Lack of internal check
• Non-mapping of business rules
• The additional feature, supposed to be provided for a short duration, was kept open-ended
• Lack of monitoring of system updates
• A new incumbent detected the fraud (rotation of staff)
Internal Controls
• A process of introducing and implementing a system of measures and procedures to determine whether the organisation’s activities are and remain consistent with the approved plans, with corrective measures taken if needed
• IT risk management forms an integral part of business risk management, involving identification of risks concerning applications and infrastructure, and continuous management with periodic reviews, updates and monitoring of risk mitigation
Internal Controls
• A compliance mechanism needs to be in place to ensure that internal procedures and instructions, external legislation and regulations, management reports, progress checks, revision of plans, audits, evaluations and monitoring are being followed
• The organisation’s culture should make all employees sensitive to non-compliance issues, and reports of non-compliance should be reviewed by appropriate management and dealt with.
Classification of controls
Preventive
• Identify problems before occurrence
• Prevent error/omission/malicious act
• Monitor both input and operation
• Attempt to predict problems before occurrence
Detective
• Controls that detect and report the occurrence of an error, omission or malicious act
Classification of controls
Corrective
• Minimize the impact of the threat
• Resolve problems discovered by detection
• Identify the cause of the problem
• Correct errors arising from a problem
• Modify the processing systems to minimize future occurrence of the problem
Case study 2
• A fraud by manipulation of the Payroll system, by creating ghost employees and false claims of TA, OTA, NDA and arrears, was brought to the notice of Railways. Preliminary investigation exposed a nexus between the Bill clerk of the Personnel department and the beneficiaries, all working as Pointsmen. The prescribed codal provisions for passing of bills had also not been followed by the concerned officials.
Case study 2
• Persons were transferred to a dummy bill unit which dealt with salary payments of staff nurses of NRCH. Two employees drew salary during June 2017 only and not thereafter.
• The audit trail indicated that master data entries for the above employees were created and confirmed using two different login IDs.
Solution – Remarks
• Lack of internal check – staff strength not checked against sanctioned strength
• Non-mapping of business rules
• Sharing of user ID and password
• Non-rotation of staff
• Audit trail used to analyze and detect the problem (detective control)
Case study 3
• Passing of contractors’ bills without the authorized signatory of the executive department.
• Processing of duplicate/fake bills in the name of a party other than the original contractor, by creating a new party in the contractor ledger, despite bills having already been processed and paid once against the same contract – duplicate payments
Solution - Remarks
• Lack of internal control (Executive Department)
• Non mapping of business rules
• Lack of internal check (Accounts Department)
• Manual intervention in IS environment – Agreements
not linked to passing of bills
• Deficiencies in processing control – Passing of
Duplicate bills
• Lack of input validation – Unauthorized Master data
entry
• New incumbent detected the fraud (Rotation of staff)
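As an added example (not part of the deck), the detective controls from case studies 2 and 3 written as SQL queries over a constructed payroll and bill extract loaded into SQLite, the CAAT approach listed under audit tools. All table and column names, logins, employee IDs, contract numbers and amounts are constructed for illustration.

```python
import sqlite3

# Constructed audit-trail extract (not data from the deck): who created and who confirmed each master record.
MASTER_DATA = [
    # emp_id, bill_unit, created_by, confirmed_by
    ("E100", "BU-NURSES", "clerk_a", "clerk_b"),
    ("E101", "BU-NURSES", "clerk_a", "clerk_a"),  # maker and checker are the same login
    ("E102", "BU-NURSES", "clerk_c", "clerk_b"),
]
# Constructed salary drawals by month.
SALARY = [
    ("E100", "2017-05"), ("E100", "2017-06"), ("E100", "2017-07"),
    ("E101", "2017-06"),  # drawn for a single month only
    ("E102", "2017-06"), ("E102", "2017-07"),
]
# Constructed sanctioned strength per bill unit.
SANCTIONED = [("BU-NURSES", 2)]
# Constructed contractor payments: contract_no, party, amount.
PAYMENTS = [
    ("C-01", "Alpha Builders", 50000),
    ("C-01", "Alpha Builders Pvt", 50000),  # same contract paid again to a new party
    ("C-02", "Beta Works", 20000),
]

def load(conn):
    # Create the extract tables in SQLite and load the constructed rows.
    cur = conn.cursor()
    cur.executescript("""
        CREATE TABLE master(emp_id TEXT, bill_unit TEXT, created_by TEXT, confirmed_by TEXT);
        CREATE TABLE salary(emp_id TEXT, month TEXT);
        CREATE TABLE sanctioned(bill_unit TEXT, strength INTEGER);
        CREATE TABLE payments(contract_no TEXT, party TEXT, amount INTEGER);
    """)
    cur.executemany("INSERT INTO master VALUES (?,?,?,?)", MASTER_DATA)
    cur.executemany("INSERT INTO salary VALUES (?,?)", SALARY)
    cur.executemany("INSERT INTO sanctioned VALUES (?,?)", SANCTIONED)
    cur.executemany("INSERT INTO payments VALUES (?,?,?)", PAYMENTS)

def run_checks(conn):
    # Each detective control is one query; the result is the list of records to follow up.
    cur = conn.cursor()
    findings = {}
    # Segregation of duties: the same login created and confirmed a master record.
    findings["same_maker_checker"] = [r[0] for r in cur.execute(
        "SELECT emp_id FROM master WHERE created_by = confirmed_by")]
    # Internal check: staff on the payroll exceed the sanctioned strength of the bill unit.
    findings["over_strength"] = [r[0] for r in cur.execute("""
        SELECT m.bill_unit FROM master m JOIN sanctioned s ON s.bill_unit = m.bill_unit
        GROUP BY m.bill_unit HAVING COUNT(*) > MAX(s.strength)""")]
    # Short-lived payees: salary drawn in one month only (case study 2 pattern).
    findings["single_month_payees"] = [r[0] for r in cur.execute(
        "SELECT emp_id FROM salary GROUP BY emp_id HAVING COUNT(*) = 1")]
    # Duplicate payments: one contract paid to more than one party (case study 3 pattern).
    findings["multi_party_contracts"] = [r[0] for r in cur.execute("""
        SELECT contract_no FROM payments GROUP BY contract_no
        HAVING COUNT(DISTINCT party) > 1""")]
    return findings

def audit_findings():
    # Load the constructed extract into an in-memory database and run all checks.
    conn = sqlite3.connect(":memory:")
    load(conn)
    return run_checks(conn)
```

Each query returns candidate exceptions only; the auditor still verifies them against source documents before recording a finding.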
IT Investment decisions
• IT Governance provides business users with solutions to their new/modified requirements
• This is accomplished by the IT department through developing or acquiring new systems
• For successful accomplishment there should be a disciplined approach: identification of requirements, analysis, prioritisation, approval, cost-benefit analysis of competing solutions, and selection of the optimum solution balancing cost and risk
IT Operations
• IT operations is typically the day-to-day running of IT infrastructure to support business needs
• Identification of bottlenecks, and planning for anticipated capacity changes [requirement of hardware/network resources]
• Capacity planning, job scheduling, maintenance, backups, disaster recovery
• Provision of help desk and incident management support to IT users
THANK YOU
Gireeshkumar K.A, Southern Railway Audit
