TO IT AUDIT
The points discussed here are based on the Handbook on IT Audit for Supreme Audit Institutions and the IT Audit Manual.
What is Audit?
Any audit is to ensure:
• Safeguarding of assets
• Maintaining data integrity
• Achieving goals effectively
• Using resources efficiently
Components of the IT model:
• People – users of IT
• Organization – a collection of functional units working together to achieve a common goal
• IT facilitates the business – it exists for the business and is not the business itself
Information Technology Model
(Diagram of the IT model; the only label recovered is "Storage")
• Know the impact of IT
– IT mitigates business risks
– But it also brings in IT risks
– Understand the concepts and design
– Method of input, process and output
– Extent of the business mapped in an IT environment
– Resources – technology and manpower
Preliminary study
Understanding IT environment:
• Reading background material like
– Annual reports
– Manuals and organizational publications
• Review of prior Audit reports
• Review of strategic plans
• Interview key personnel
• Visit key organizational facilities
Preliminary study
• Criticality of IS
– Mission-critical systems – serious impact in case of failure
– Support systems – failure may not result in serious impact (for example, a decision-making support system)
– Determine whether any general IT deficiency could potentially become material
Audit documentation
• The record of audit work performed and
evidence supporting audit findings
• To be preserved for subsequent verification
• Documentation includes:
– Planning and preparation of audit scope,
objectives and audit programs
– Evidence collected in support of findings
– All work papers, points discussed in
interviews with topics discussed, details of
person interviewed
Audit documentation
• Documentation includes:
– Observations with reason, place and time
– Reports and data obtained directly or provided by the entity, with place and time
– Comments of Auditor and further
clarifications required, doubts and need for
additional information. Remarks on how
these were resolved.
– Draft and final report of audit
Supervision and Review
• The work of audit staff should be properly
supervised during the audit
• Documented work should be reviewed by a
senior member of the audit staff.
• The senior staff should provide necessary
guidance and training and also monitor the
audit
Reporting
• IT auditors should report their findings in a timely manner to the appropriate authorities
• The findings should be constructive and useful
to the audited entity and meaningful to other
stakeholders
• Complete, accurate, objective, convincing, and
as clear and concise as the subject permits
• Adhere to the normal reporting format for audit
reports duly keeping in mind the audience of
the report
Reporting stages
• Generally there are three stages of reporting
• Discussion paper
– The reporting process begins with a discussion paper sent to middle management prior to the closing meeting; it is included in the closing meeting for discussion.
– This allows any inflammatory wording, factual
errors/inconsistencies to be identified, corrected
or eliminated at an early stage
– Then, prepare first formal draft report with
necessary amendments
Reporting stages
• Generally there are three stages of reporting
• Management letter
– The formal draft given to get the
response to observations raised.
– Allows the management to concentrate
on the findings, conclusions and
recommendations and to formally write
comments/responses to Auditor and
address all the findings
Reporting stages
• Generally there are three stages of reporting
• Final Audit Report
– On receipt of the client's comments, prepare a response indicating the audit position, putting together the auditor's comments and the entity's response in one Final Audit Report
– By nature, audit reports tend to contain
significant criticisms, but in order to be
constructive, report should also include
conclusions and recommendations
Reporting stages
• Generally there are three stages of reporting
• Final Audit Report
– The status of uncorrected significant findings
and recommendations from prior audits
– For balanced reporting, noteworthy management
accomplishments identified during the audit also
to be included in the report
– Important to mention on the limitations that
were faced by audit like inadequate access to
data etc. in the report
Conclusions and recommendations
• Must be based on evidence
• Conclusions should be relevant, logical and
unbiased
• Sweeping conclusions regarding absence of
controls and risk thereon should be avoided when
not supported by substantive testing
• Auditor should report recommendations when
potential for significant improvement in
operations and performance is substantiated by the
reported findings
Audit Matrix
• In the planning stage an Audit Matrix is developed covering all the issues relevant to the audit objective and scope of audit
• Auditable issues are identified during the preliminary assessment stage, and the Audit Matrix is developed on that basis
Audit Matrix
• There is an overall uniformity in the
information captured in the audit matrices.
Audit Matrix template (one per auditable area):
Auditable Area:
Audit objective:
Audit issues:
Criteria:
Information required:
Analysis methods:
Audit conclusion:
Identify source of Information
• To meet the criteria, adequate information/ evidence
needs to be identified and collected
• Source of information includes:
– System development documents such as User
Requirement Specification (URS) & System
Requirement Specification (SRS)
– Electronic data (maintained in Oracle, IBM DB2, MS SQL Server, Sybase and Teradata)
– Organisation chart
– Policy, procedures and guidance
Identify source of Information
• Source of information includes:
– Flow charts/Process flow diagram
– Other related information like forms,
budgetary information, reports from
previous internal/external audit, internal
reviews
– Users
– Internet
Techniques and tools to get information
• Auditees have a combination of hardware, OS, DBMS, application software and networks
• IT auditors have to gather information from all these sources
• Understanding the IT system of the organisation is an essential step for data extraction using audit tools (CAATs)
• Audit tools include IDEA, ACL, MS Excel, MS Access and SQL queries
IT Governance
• The overall framework that guides IT
operations in an organisation to ensure that it
meets the needs of the business today and
incorporates plans for future needs and growth
• An integral part of the enterprise governance
and comprises the organisational leadership,
institutional structures and processes that
ensure that IT systems sustain organisational
goals and strategy while balancing risks and
effectively managing resources
IT Governance
• IT governance plays a key role in
determining the control environment and
sets the foundation for establishing sound
internal control practices and report at
functional levels for management
oversight and review
• All stakeholders are required to participate in the decision-making process
IT Governance
• It is essential that well-defined roles and responsibilities for information, business processes and infrastructure are put in place to ensure that IT investments generate business value and mitigate the associated risk
• IT governance is also involved in updating business needs, selecting appropriate solutions and ensuring availability of the necessary training and resources (hardware, tools, network capacity etc.)
Key Elements of IT Governance
IT strategy and planning :
• Represents the mutual alignment between IT
strategy and business strategic objectives
• It should consider the current and future needs
of the business, current IT capacity and
requirement of resources
• IT auditors to review the IT strategy to assess
the extent to which IT governance has been a
part of the corporate decision making in
deciding IT strategy
Key Elements of IT Governance
Organisation structure, standards, policies and processes:
• A clearly defined delegation for decision making and
performance monitoring duly supported by standards, policies
and procedures
• Organisation structures of public sector entities are influenced by stakeholders – both internal [business executives, functional departments who own business processes and individuals within the organisation] and external users [agencies, individuals, public who use products/services]
• Another influence on organisational structure is service providers, both internal and external. The need for IT functionalities emerges from the users and stakeholders
Key Elements of IT Governance
IT Organisation structure:
• IT steering committee – the pillar of the organisational structure, comprising top and senior management, with responsibility for reviewing, endorsing and committing funds
• This committee takes investment decisions on "build" or "buy" solutions after suitable recommendations from designated groups/committees
• Chief Information Officer (CIO) is a senior person who is responsible for the management and operation of IT capabilities
Classification of controls
• Preventive
– Identify problems before occurrence
– Prevent error/omission/malicious act
– Monitor both input and operation
– Attempt to predict problems before occurrence
• Detective
– Controls that detect and report the occurrence of an error, omission or malicious act
Classification of controls
• Corrective
– Minimize the impact of the threat
– Resolve problems discovered by detection
– Identify the cause of the problem
– Correct errors arising from a problem
– Modify the processing systems to minimize future occurrence of the problem
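The three control classes above can be seen side by side in a small bill-passing workflow. The following is an added illustration, not code from the handbook or the IT Audit Manual; the ledger, the employee and officer identifiers, the bill limit and the "legacy import" path that bypasses validation are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Bill:
    bill_id: str
    employee_id: str
    amount: float
    prepared_by: str
    passed_by: str = ""
    status: str = "prepared"   # prepared -> passed -> reversed


class PayrollLedger:
    """Constructed toy ledger showing preventive, detective and corrective controls."""

    def __init__(self, hr_master, authorised_officers, bill_limit):
        self.hr_master = set(hr_master)                      # employees known to HR
        self.authorised_officers = set(authorised_officers)  # officers who may pass bills
        self.bill_limit = bill_limit
        self.bills = {}
        self.actions = []                                    # audit trail: (action, bill_id, actor/cause)

    # --- Preventive: stop the error or malicious act before it is recorded ---
    def prepare(self, bill):
        if bill.employee_id not in self.hr_master:
            raise ValueError(f"{bill.bill_id}: employee {bill.employee_id} not in HR master")
        if not 0 < bill.amount <= self.bill_limit:
            raise ValueError(f"{bill.bill_id}: amount {bill.amount} outside 0..{self.bill_limit}")
        self.bills[bill.bill_id] = bill
        self.actions.append(("prepared", bill.bill_id, bill.prepared_by))

    def pass_bill(self, bill_id, officer):
        bill = self.bills[bill_id]
        if officer not in self.authorised_officers:
            raise PermissionError(f"{officer} is not authorised to pass bills")
        if officer == bill.prepared_by:                      # maker-checker separation
            raise PermissionError(f"{officer} prepared {bill_id} and cannot also pass it")
        bill.passed_by, bill.status = officer, "passed"
        self.actions.append(("passed", bill_id, officer))

    def import_legacy(self, bill, passed_by):
        """Constructed gap: a legacy feed that loads bills without the preventive checks."""
        bill.passed_by, bill.status = passed_by, "passed"
        self.bills[bill.bill_id] = bill
        self.actions.append(("imported", bill.bill_id, passed_by))

    # --- Detective: find and report what got past the preventive layer ---
    def detect(self):
        findings = []
        for b in self.bills.values():
            if b.status != "passed":
                continue
            if b.employee_id not in self.hr_master:
                findings.append((b.bill_id, "ghost employee"))
            if b.passed_by not in self.authorised_officers:
                findings.append((b.bill_id, "passed by unauthorised officer"))
            if b.passed_by == b.prepared_by:
                findings.append((b.bill_id, "maker and checker identical"))
            if b.amount > self.bill_limit:
                findings.append((b.bill_id, "amount above limit"))
        return findings

    # --- Corrective: reverse the effect and record the cause for follow-up ---
    def correct(self, findings):
        reversed_ids = []
        for bill_id, cause in findings:
            bill = self.bills[bill_id]
            if bill.status == "passed":
                bill.status = "reversed"
                self.actions.append(("reversed", bill_id, cause))
                reversed_ids.append(bill_id)
        return sorted(set(reversed_ids))


def demo():
    """Runs the three layers over constructed data; returns (findings, reversed bill ids)."""
    ledger = PayrollLedger(hr_master={"E100", "E101"},
                           authorised_officers={"OFF1", "OFF2"}, bill_limit=50000)
    ledger.prepare(Bill("B1", "E100", 12000.0, prepared_by="CLERK1"))
    ledger.pass_bill("B1", "OFF1")
    try:                                                     # preventive control rejects a ghost employee
        ledger.prepare(Bill("B2", "E999", 9000.0, prepared_by="CLERK1"))
    except ValueError:
        pass
    # the legacy feed lets a ghost-employee bill through, "passed" by its own preparer
    ledger.import_legacy(Bill("B3", "E999", 9000.0, prepared_by="CLERK1"), passed_by="CLERK1")
    findings = ledger.detect()
    return findings, ledger.correct(findings)


if __name__ == "__main__":
    print(demo())
```

The point of the legacy-import path is that preventive controls only cover the channels they are wired into; the detective pass over the ledger is what reveals bills that arrived another way, and the corrective step both reverses them and leaves the cause in the audit trail for the auditor.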
Case study -2
• A fraud by manipulation of the payroll system by creating ghost employees and false claims of TA, OTA, NDA and arrears has been brought to the notice of Railways. Preliminary investigation has exposed a nexus between a Bill clerk of the Personnel department and the beneficiaries, all working as Pointsmen. The prescribed codal provisions for passing of bills have also not been followed by the concerned officials.
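The CAAT techniques listed under "Techniques and tools to get information" (data extraction followed by SQL queries) are what an auditor would apply to a case like this one. The following is an added example, not code or data from the handbook or from the case study: a constructed payroll extract is loaded into SQLite (standing in for the Oracle/DB2/SQL Server databases mentioned earlier) and three audit queries are run over it: payroll recipients absent from the HR master, bank accounts shared by more than one employee id, and bills passed without an independent passing officer. All table names, identifiers and amounts are invented for the illustration.

```python
import sqlite3

# Constructed sample extract for illustration only (not Railways data):
# an HR master, bank-account mapping, one month of payroll, and the bill register.
HR_MASTER = [("E1", "A. Sharma", "Pointsman"), ("E2", "B. Rao", "Pointsman"),
             ("E3", "C. Das", "Bill clerk")]
BANK_ACCOUNTS = [("E1", "ACC-111"), ("E2", "ACC-222"), ("E3", "ACC-333"),
                 ("E9", "ACC-111"), ("E8", "ACC-888")]
PAYROLL = [  # (employee_id, month, component, amount)
    ("E1", "2024-01", "PAY", 30000), ("E1", "2024-01", "TA", 1200),
    ("E2", "2024-01", "PAY", 30000), ("E9", "2024-01", "PAY", 30000),
    ("E9", "2024-01", "OTA", 4000), ("E8", "2024-01", "ARREARS", 15000),
]
BILLS = [  # (bill_id, employee_id, component, prepared_by, passed_by)
    ("B1", "E1", "TA", "E3", "OFF1"),
    ("B2", "E9", "OTA", "E3", None),      # never passed by an officer
    ("B3", "E8", "ARREARS", "E3", "E3"),  # passed by its own preparer
]


def load_extract(conn):
    """Load the extracted tables into SQLite, standing in for the production DBMS."""
    conn.executescript("""
        CREATE TABLE hr_master (employee_id TEXT PRIMARY KEY, name TEXT, designation TEXT);
        CREATE TABLE bank_accounts (employee_id TEXT, account TEXT);
        CREATE TABLE payroll (employee_id TEXT, month TEXT, component TEXT, amount INTEGER);
        CREATE TABLE bills (bill_id TEXT PRIMARY KEY, employee_id TEXT, component TEXT,
                            prepared_by TEXT, passed_by TEXT);
    """)
    conn.executemany("INSERT INTO hr_master VALUES (?,?,?)", HR_MASTER)
    conn.executemany("INSERT INTO bank_accounts VALUES (?,?)", BANK_ACCOUNTS)
    conn.executemany("INSERT INTO payroll VALUES (?,?,?,?)", PAYROLL)
    conn.executemany("INSERT INTO bills VALUES (?,?,?,?,?)", BILLS)


def ghost_employees(conn):
    """Payroll recipients with no HR master record, with the total paid to each."""
    return conn.execute("""
        SELECT p.employee_id, SUM(p.amount)
        FROM payroll p LEFT JOIN hr_master h ON h.employee_id = p.employee_id
        WHERE h.employee_id IS NULL
        GROUP BY p.employee_id ORDER BY p.employee_id
    """).fetchall()


def shared_bank_accounts(conn):
    """Bank accounts credited for more than one employee id -> {account: [employee ids]}."""
    rows = conn.execute("""
        SELECT account, employee_id FROM bank_accounts
        WHERE account IN (SELECT account FROM bank_accounts
                          GROUP BY account HAVING COUNT(DISTINCT employee_id) > 1)
        ORDER BY account, employee_id
    """).fetchall()
    shared = {}
    for account, emp in rows:
        shared.setdefault(account, []).append(emp)
    return shared


def improperly_passed_bills(conn):
    """Bills paid without an independent passing officer (codal provision check)."""
    return conn.execute("""
        SELECT bill_id, employee_id, component FROM bills
        WHERE passed_by IS NULL OR passed_by = prepared_by
        ORDER BY bill_id
    """).fetchall()


def run_caat():
    """Run all three audit tests over the constructed extract and return the findings."""
    conn = sqlite3.connect(":memory:")
    load_extract(conn)
    return {
        "ghost_employees": ghost_employees(conn),
        "shared_accounts": shared_bank_accounts(conn),
        "improper_bills": improperly_passed_bills(conn),
    }


if __name__ == "__main__":
    for test_name, result in run_caat().items():
        print(test_name, result)
```

Each query corresponds to one criterion in the audit matrix (existence of the payee, uniqueness of the credited account, compliance with the bill-passing procedure), and the query text itself becomes part of the audit documentation so the analysis can be re-performed during supervision and review.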