TOPIC 6 - Implication of IT On IA
IMPLICATIONS OF INFORMATION TECHNOLOGY ON INTERNAL AUDITING
LEARNING OBJECTIVES
IT Audit: Describe the scope of Information Technology (IT) audit.
Controls: Discuss the evaluation of general and application controls.
SDLC: Define and discuss the audit of the System Development Life Cycle (SDLC).
INTRODUCTION
Video: https://youtu.be/oMM-pn2iZ18
IT AUDIT (types of IT audit)
• Operational computer system audits
• IT application audits
• Developing system audit
• IT process audit
• IT management audit
• Information security and control audit
• IT strategy audit
• Disaster contingency or disaster recovery audit
Elements of IT Audit
• Physical and environmental review
Evaluation of General & Application Controls
General Controls:
• Administration of IT function
• Physical access control
• Logical access control
• Backup and contingency plan
Application Controls:
• Input control
• Processing control
• Output control
Extra: https://youtu.be/bafb1IyUKUU
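The three application controls listed above (input, processing and output control) as an added worked example in Python. This is not code from the lecture notes or from any real system: the batch layout, the field rules (IDs of the form T### and C#####, positive two-decimal amounts, no record dated after the batch date), the header totals and the four sample records are all constructed for the example.

```python
"""Application controls for one batch of sales transactions (added example).

Input control:      every record is validated before it is accepted.
Processing control: the header's record count, control total and hash total
                    are reconciled against the detail records before posting.
Output control:     the report carries totals that reconcile to the header
                    and a SHA-256 digest so later alteration is detectable.
Record layout, field rules and sample data are constructed, not from any real system.
"""
import hashlib
import re
from datetime import date
from decimal import Decimal

AMOUNT_RE = re.compile(r"^-?\d{1,10}\.\d{2}$")

# Constructed sample batch. The header totals were computed by the sending
# department over all four records, so the batch itself reconciles; the bad
# items (negative amount, duplicate txn_id) are caught by record-level checks.
SAMPLE_BATCH = {
    "batch_date": "2021-02-15",
    "record_count": 4,
    "control_total": "750.00",  # 250 + 300 - 100 + 300
    "hash_total": 40008,        # 10001 + 10002 + 10003 + 10002
    "records": [
        {"txn_id": "T001", "customer_id": "C10001", "amount": "250.00", "date": "2021-02-15"},
        {"txn_id": "T002", "customer_id": "C10002", "amount": "300.00", "date": "2021-02-14"},
        {"txn_id": "T003", "customer_id": "C10003", "amount": "-100.00", "date": "2021-02-15"},
        {"txn_id": "T002", "customer_id": "C10002", "amount": "300.00", "date": "2021-02-15"},
    ],
}


def validate_record(rec, batch_date, seen_ids):
    """Input control: format, sign/limit, reasonableness and duplicate checks on one record."""
    errors = []
    txn_id = rec.get("txn_id", "")
    if not re.fullmatch(r"T\d{3}", txn_id):
        errors.append("bad txn_id format")
    elif txn_id in seen_ids:
        errors.append("duplicate txn_id")
    if not re.fullmatch(r"C\d{5}", rec.get("customer_id", "")):
        errors.append("bad customer_id format")
    if not AMOUNT_RE.match(rec.get("amount", "")):
        errors.append("amount not a 2-decimal number")
    elif Decimal(rec["amount"]) <= 0:
        errors.append("amount must be positive")
    try:
        if date.fromisoformat(rec.get("date", "")) > batch_date:
            errors.append("date after batch date")
    except ValueError:
        errors.append("bad date")
    return errors


def control_total(records):
    """Sum of amounts over every parseable record, including ones that will be rejected."""
    return sum((Decimal(r["amount"]) for r in records
                if AMOUNT_RE.match(r.get("amount", ""))), Decimal("0"))


def hash_total(records):
    """Hash total: a sum with no business meaning, used only to detect lost or altered records."""
    return sum(int(re.sub(r"\D", "", r.get("customer_id", "")) or 0) for r in records)


def process_batch(batch):
    """Processing control: reconcile header to detail, then validate record by record."""
    records = batch["records"]
    mismatches = []
    if batch["record_count"] != len(records):
        mismatches.append("record count")
    if Decimal(batch["control_total"]) != control_total(records):
        mismatches.append("control total")
    if batch["hash_total"] != hash_total(records):
        mismatches.append("hash total")
    if mismatches:  # batch-level failure: nothing is posted, the whole batch goes back
        return {"status": "BATCH_REJECTED", "mismatches": mismatches, "accepted": [], "rejected": []}
    batch_date = date.fromisoformat(batch["batch_date"])
    accepted, rejected, seen = [], [], set()
    for rec in records:
        errs = validate_record(rec, batch_date, seen)
        seen.add(rec.get("txn_id", ""))
        (rejected if errs else accepted).append({"record": rec, "errors": errs})
    return {"status": "PROCESSED", "mismatches": [], "accepted": accepted, "rejected": rejected}


def build_report(batch, result):
    """Output control: totals that reconcile to the header, plus a digest of the report body."""
    def total(items):
        return sum((Decimal(i["record"]["amount"]) for i in items
                    if AMOUNT_RE.match(i["record"].get("amount", ""))), Decimal("0"))
    acc, rej = total(result["accepted"]), total(result["rejected"])
    reconciled = acc + rej == Decimal(batch["control_total"])
    body = "\n".join([
        f"BATCH {batch['batch_date']} STATUS {result['status']}",
        f"ACCEPTED {len(result['accepted'])} TOTAL {acc}",
        f"REJECTED {len(result['rejected'])} TOTAL {rej}",
        f"HEADER CONTROL TOTAL {batch['control_total']} RECONCILED {reconciled}",
    ] + [f"  REJECT {i['record'].get('txn_id')}: {'; '.join(i['errors'])}" for i in result["rejected"]])
    return {"body": body, "digest": hashlib.sha256(body.encode()).hexdigest(),
            "accepted_total": acc, "rejected_total": rej, "reconciled": reconciled}


def verify_report(report):
    """Recompute the digest; False means the report body was altered after it was produced."""
    return hashlib.sha256(report["body"].encode()).hexdigest() == report["digest"]


if __name__ == "__main__":
    res = process_batch(SAMPLE_BATCH)
    rep = build_report(SAMPLE_BATCH, res)
    print(rep["body"], "\nDIGEST", rep["digest"], "\nVERIFIED", verify_report(rep))
```

The point an auditor looks for is that the rejected items do not simply disappear: accepted plus rejected still equals the header control total, so the exception report and the posted total together account for every record that entered the batch.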
General Controls
Control / Purpose of Control
Steps To Perform IT Audit
Establish the Terms of the Engagement: The CAE will determine the scope and objectives of the audit of IT functions, such as the scope and objectives of the audit, the responsibilities of auditor and auditee, the authority for the auditor to have access to all information of the IT functions, and the audit schedule.
Preliminary Review: The auditor needs to gather information on the IT department to prepare the audit plan, which includes the auditee's strategy and responsibilities in managing and controlling IT operations.
Establish Materiality and Assess Risks: The auditor needs to establish a judgement on the materiality of the IT function as well as perform an assessment of the auditee's business risk, in order to set the scope of the audit.
Plan the Audit: An audit plan includes the engagement's objectives, scope, timing and resource allocation. A well-developed audit plan will ensure that the audit process is conducted efficiently and effectively.
Consider Internal Control: The auditor has to consider the internal control of the auditee in order to begin the audit process. Once this is completed, the auditor can assess the level of the auditee's control risk, which determines the level of substantive tests to be performed during fieldwork.
Perform Audit Procedures: The auditor will perform the audit process based on the scope stated in the audit plan. The auditor will use a substantive test approach to audit IT business functions.
Issue the Audit Report: The auditor will issue an audit report once all audit procedures have been completed and evaluated.
Guide to Conduct an IT Audit (GAIT)
• GAIT Methodology (4 Principles)
• GAIT for IT General Control Deficiency Assessment
• GAIT for Business and IT Risk
4 Principles under GAIT Methodology
Principle One: The identification of risks and related controls in IT general control processes (e.g. in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
Principle Two: The IT general control process risks that need to be identified are those that critically affect IT functionality in financially significant applications and related data.
Principle Three: The IT general control process risks that need to be identified exist in processes at various IT layers: application program code, databases, operating systems and networks.
Principle Four: Risks in IT general control processes are mitigated by the achievement of IT control objectives, not by individual controls.
SDLC
Auditing Of System Development
System Development Life Cycle (SDLC)
• A series of steps used to identify the phases of an information system development project.
• A process-centric approach to developing and implementing a system: a set of defined goals and timelines that sets out the completion date and associated deliverables within each phase of the life cycle.
• Each phase (plan, analyse, design, implement) is executed sequentially, which allows proper evaluation and resolution of problems within each phase.
The SDLC Process
• Detail Systems Design
• Programming and Testing
• Systems Implementation
Video: https://youtu.be/i-QyW8D3ei0
IA Involvement in SDLC – Life Cycle
• To ascertain that test documentation, including test plans and results, is adequately maintained;
• To ascertain that proper change request procedures exist to ensure all changes are authorised and attended to on a timely basis.
Risk Factors in SDLC
E-commerce Audit
Auditing E-Commerce
What is E-commerce?
• Literally, doing business electronically (through internet technologies).
• The use of electronic data transmission to implement or enhance business processes.
• Concern with the increasing number of security incidents: security implications affect the trust of businesses (malicious attacks on company websites) and of consumers (e.g. unauthorised use of credit cards for online transactions).
• IA involvement: advisory service during system development, and in system/network/software/information security and system monitoring & recovery.
Issues in E-commerce Environment
Business continuity
Information security and privacy
The lack of audit trails
Record retention
Segregation of duties
Legal liability
E-commerce Environment
Electronic commerce (e-commerce) is the process by
which organisations conduct their business over
electronic systems such as the Internet and other
computer networks with their customers, suppliers and
other external business partners.
Threats to e-commerce environments include virus
infections, hacking, cybercrime and failure of the
system and infrastructure.
Areas of Concern for IA in regard to e-commerce
Knowledge of security exposures and control measures:
• Internal auditors should equip themselves with knowledge of the various security breach techniques (e.g. hacking, spamming, virus attacks) associated with e-commerce transactions, to be able to address the security issues.
• They need to understand that different security threats require different approaches and solutions.
Skills and experience in handling e-commerce security issues:
• Internal auditors need to equip themselves with skill and knowledge of the latest developments in IT control procedures.
Reasons for Auditing e-Commerce
• To assess the effectiveness of the infrastructure and security measures of an e-commerce operation.
• To evaluate compliance of e-commerce business operations with the organisation's IT security policies as well as with industry good practices.
• To evaluate the readiness of IT functions in the event of a major failure in e-commerce business transactions.
• To identify other security issues that may affect the current infrastructure of the e-commerce model.
Information Security Audit
• Purpose: to provide assurance that an appropriate level of control exists over the confidentiality, integrity and availability of information within the e-commerce operation.
• E-commerce is exposed to threats (e.g. virus attack), system vulnerabilities (e.g. product flaws) and the associated risk.
• The business needs to have an information security policy.
• Network environment: where the e-commerce websites reside.
• Sources of threats to the network environment: network segment, application software, system software, process integrity and physical security.
Additional Reading
CAATs
Computer-Assisted Audit Tools (CAATs)
Computer-assisted audit techniques (CAATs), or computer-assisted audit tools and techniques (CAATTs), is an approach to auditing using computers. It offers various tools or utilities which help the auditor to select, gather, analyse and report audit findings.
CAATs can be classified as:
Electronic working papers
Information retrieval and analysis
Fraud detection
Network security
Electronic commerce and internet security
Continuous monitoring
Audit reporting
CAATs and Their Functions
Information retrieval and analysis: Auditors can use automated retrieval and analysis tools to access data and records and to evaluate and analyse them against criteria or parameters set by the auditor.
Fraud detection tool
Audit reporting function
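As an added example of the information retrieval and analysis, fraud detection and audit reporting functions described above, the following Python script is a small CAAT that runs auditor-defined criteria over a payments export. It is not code from the notes or from any commercial CAAT product; the CSV layout, the six sample payments, the approval limit and the margin for the "just under the limit" test are all constructed assumptions. It goes slightly beyond the text by also checking the cheque-number sequence for gaps, a standard completeness test an auditor would run alongside the others.

```python
"""A small CAAT (added example): auditor-defined criteria over a payments export.
The CSV layout, the six payments, the approval limit and the near-limit margin
are constructed assumptions, not data or parameters from any real audit.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample export: six cheque payments from an imaginary ledger.
SAMPLE_LEDGER = """\
cheque_no,vendor,invoice,amount,posted,entered_by
1001,Acme Supplies,INV-0451,1200.00,2021-02-01,jlee
1002,Blue Logistics,BL-7781,4999.00,2021-02-02,jlee
1003,Acme Supplies,INV-0451,1200.00,2021-02-03,mtan
1005,Cobalt IT,CIT-120,15000.00,2021-02-06,jlee
1006,Blue Logistics,BL-7782,4999.00,2021-02-08,mtan
1007,Acme Supplies,inv 0451,1200.00,2021-02-10,jlee
"""


def load_ledger(csv_text):
    """Information retrieval: parse the auditee's export into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "cheque_no": int(r["cheque_no"]),
            "vendor": r["vendor"].strip(),
            "invoice": r["invoice"].strip(),
            "amount": Decimal(r["amount"]),
            "posted": date.fromisoformat(r["posted"]),
            "entered_by": r["entered_by"].strip(),
        })
    return rows


def normalise_invoice(invoice):
    """Collapse case and punctuation so 'INV-0451', 'inv 0451' and 'INV0451' compare equal."""
    return "".join(ch for ch in invoice.upper() if ch.isalnum())


def find_duplicate_payments(rows):
    """Fraud detection: same vendor, same normalised invoice, same amount paid more than once."""
    groups = defaultdict(list)
    for r in rows:
        key = (r["vendor"].casefold(), normalise_invoice(r["invoice"]), r["amount"])
        groups[key].append(r["cheque_no"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def find_sequence_gaps(rows):
    """Completeness: cheque numbers missing from an otherwise continuous sequence."""
    nums = sorted(r["cheque_no"] for r in rows)
    if not nums:
        return []
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def select_by_criteria(rows, approval_limit, near_limit_margin):
    """Selection by auditor-set parameters: over the limit, just under it, and weekend postings."""
    return {
        "over_limit": [r["cheque_no"] for r in rows if r["amount"] >= approval_limit],
        "just_under_limit": [r["cheque_no"] for r in rows
                             if approval_limit - near_limit_margin <= r["amount"] < approval_limit],
        "weekend_postings": [r["cheque_no"] for r in rows if r["posted"].weekday() >= 5],
    }


def run_caat(csv_text, approval_limit=Decimal("5000.00"), near_limit_margin=Decimal("100.00")):
    """Run every test and return the findings as one dictionary."""
    rows = load_ledger(csv_text)
    findings = select_by_criteria(rows, approval_limit, near_limit_margin)
    findings["duplicate_payments"] = find_duplicate_payments(rows)
    findings["sequence_gaps"] = find_sequence_gaps(rows)
    findings["postings_by_user"] = dict(Counter(r["entered_by"] for r in rows))
    return findings


def format_report(findings):
    """Audit reporting: one line per test, listing the cheque numbers to follow up."""
    lines = []
    for name, value in findings.items():
        if name == "duplicate_payments":
            for (vendor, inv, amt), cheques in value.items():
                lines.append(f"duplicate_payments: {vendor} {inv} {amt} -> cheques {cheques}")
        else:
            lines.append(f"{name}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(run_caat(SAMPLE_LEDGER)))
```

Each test is a separate function with the auditor's parameters passed in, so the criteria can be changed and re-run without touching the data-loading code; the normalised invoice key is what catches the third Acme payment, which a naive exact-match test would miss.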
Advantages of CAATs
• Suitable for auditing large volumes of transactions. Valuable to organisations with complex processes, distributed operations and high transaction volumes.
• Access to the audited data in a much more efficient way. Direct access to an organisation's data reduces the time and effort spent in performing audit procedures, with assured accuracy.
• Provide assurance on the area being audited. They allow auditors to point out errors or fraud easily, in order to provide effective recommendations.
• Provide a standard, uniform practice and a user-friendly interface for auditors. They allow auditors to perform various tasks irrespective of the data format or the underlying operating system of an organisation.
Disadvantages of CAATs
• May have compatibility issues with the existing software applications used by a company/auditee.
• May require considerable computer resources/capacity, which raises the question of cost vs. benefit. May involve additional cost, as the installation process requires various computer resources or facilities, for example the type of processor and the size of memory and storage required.
• The cost may outweigh the benefit of purchasing CAATs; the costs involved may include:
  • Cost of purchasing and installing the software;
  • Cost of training the staff in using the software;
  • Cost of maintaining the software; and
  • Cost of contacting the service centre.
• Sensitive business data such as customers' details, business plans and strategy could be compromised by irresponsible persons, if not
Conclusion
The audit of the IT environment is very challenging as it involves reviewing and reporting on very technical matters.
To excel in the audit, the internal auditor should possess adequate IT knowledge, technical skills and experience.
Video: https://youtu.be/oMM-pn2iZ18
END CHAPTER 8
TUTORIALS (Feb 2021)
TUTORIALS (July 2021)