Module 2 IS Assurance Services

Transcription

1 Module 2 IS Assurance Services Chapter 2: IS Audit In Phases Phase 2: Part: 2 of 3 CA A.Rafeq 1

2 Chapter 2: Agenda Chapter 2: IS Audit in Phases Phase1: Plan Phase 2: Execute Phase 3: Report 2

3 Phase 2: Execution (Part-2) 3

4 Chapter 2: Phase 2 Creation Risk Control Matrix Audit Sampling, Data Analysis, Business Intelligence Analytical Review Procedures - CAAT Tools Compliance Testing and Substantive Testing Design Effectiveness Audit Evidence and Audit documentation Using the work of an expert 4

5 Creation of a Risk Control Matrix An IS Auditor charts a Risk and Control Matrix and uses the same for the audit engagement. The risk and control matrix is a matrix of the risks that have been identified in the Risk assessment phase. 5

6 Parts of a RCM A series of spreadsheets marking a single process (Purchase Process), application (Custom Business Application), area (Information security, Logical Security, Physical security) etc. Each Spread sheet would contain generally the following columns Risk No, Risk in depth Control Objective: This column would contain the control(s) that is ideal to counter the identified risk. Control No. Controls present: The present control that is implemented by the enterprise to counter the risk. 6

7 Risk Control Matrix: Contents The RCM may also be used as an Audit Notebook which contains: Details of the control owner Process owner Testing plans and results Audit observations Evidences Risk Ranking Recommendations 7

8 Audit Sampling: SA 530 SA 530 : Audit Sampling: This Standard on Auditing (SA) applies when the auditor has decided to use audit sampling in performing audit procedures. It deals with the auditor s use of statistical and nonstatistical sampling when designing and selecting the audit sample, performing tests of controls and tests of details, and evaluating the results from the sample. 8

9 Methods of Audit Sampling The IS auditor can use the following methods for sampling: Statistical Sampling which includes methods of Random sampling & Systematic Sampling Non Statistical Sampling which includes haphazard sampling, judgmental sampling. The IS auditor can use the sampling technique while assessing the controls designed in the environment. On the basis of the initial assessment the sample size can be increased or decreased to achieve the objective of assessing the tests of existence of control for the IT environment. 9

10 Data Analysis The use of Data analytics tools and techniques helps the IS auditor to improve audit approaches, unlike in the traditional approach which is based on a cyclical process involving manually identifying controls, performing tests and sampling a small population to measure the effectiveness. Data analytics also accommodates the growing risk focus on fraud detection. The IS auditor can use data analytics by which insights are extracted from financial, operational and other forms of electronic data internal or external to the organization. 10

11 Business Intelligence Set of theories, methodologies, architectures, and technologies that transform raw data into meaningful and useful information for business purposes. Encompasses the collection and analysis of information to assist decision making and assess organizational performance. Handle enormous amount of unstructured data to help identify, develop and otherwise create new opportunities. 11

12 Analytical Review Procedures Defined as substantive tests for a study of comparisons and relationship among data. Used in all stages of the audit including planning, substantive testing and final review stage. Serves as a vital planning function in the entirety of the audit procedures. 12

13 Compliance Testing Compliance testing is evidence gathering for the purpose of testing an organizations compliance with control procedures. A compliance test determines if controls are being applied in a manner that complies with management policies and procedures. The broad objective of any compliance test is to provide IS Auditors with reasonable assurance that the particular control on which the IS Auditor plans to rely is operating as the IS Auditor perceived in the preliminary evaluation. 13

14 Compliance Testing: Effectiveness Used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence for example, to provide assurance that only authorized modifications are made to production programs. The IS Auditor needs to ensure that internal control exist and that the internal control is operating effectively and being operating continuously throughout the period under audit to ensure that they can be relied upon. By performing Compliance Tests, the IS Auditor is able to ascertain the existence, effectiveness and continuity of the internal control system. 14

15 Examples of Compliance Testing User access rights Program change control procedures, Documentation procedures Program documentation Follow up of exceptions Review of logs Software license audits 15

16 Substantive Testing Evidence is gathered to evaluate the integrity of individual transactions, data or other information. Designed to obtain evidence to ensure the completeness, accuracy and validity of the data. Test for monetary errors directly affecting financial statement balances, or other relevant data. 16

17 Substantive Testing: Examples Relate to checking the completeness, accuracy and validity of the data produced by the enterprise. Examples of substantive tests where sampling could be considered: Performance of a complex calculation on a sample of accounts Sample of transactions to vouch for supporting documentation, etc. 17

18 Design Effectiveness: Features Testing of Design Effectiveness and testing of operating effectiveness performed by IS Auditor on every identified control. Performed using CAAT, substantive testing and compliance testing Testing involves review of of working design of control as documented. Blue print of the control. Evaluate the documented control is effective to remove the risk. Evaluated by reviewing the policies, procedure documents, etc. 18

19 Design Effectiveness: Performance A walkthrough of a business process and the risk controls within it can help evaluate its design effectiveness for compliance. Performing a walkthrough of the relevant functions or transactions and tracing them all the way through the complete process, from instigation, through authorization, recording, processing and reporting will assist with the identification or existence of control activities to establish whether control activities are being performed (i.e. are in place), appraisal of the design of the risk controls, as well as substantiating the accuracy of process documentation. 19

20 Design Effectiveness: Walk-through In conducting the walkthrough review existence of sufficient evidence such as reconciliations are being prepared by the nominated personnel (i.e. a reconciliation statement together with documentary evidence of balance, and documentation intended to explain/justify/evidence clearance of 'reconciling items') and that these are being reviewed (i.e. supervisor's signature). Where there is such evidence it can be concluded that the control has been placed in operation and (assuming that it is properly mitigating the related risk) considered 'design effective'. 20

21 Operational Effectiveness Testing of Operating Effectiveness refers to actual performance of the Control in the IT Environment. IS Auditor should evaluate the controls that have been documented. IS Auditor will evaluate the effectiveness and efficiency of the control and would gain reasonable assurance whether the said control is sufficient to counter the identified risk. IS Auditor would primarily check that the control is working to its expectations in accordance with its documented design. 21

22 Audit Evidence Any information used by the IS Auditor to determine whether the entity or data being audited follows the established criteria or objectives, and supports audit conclusions. IS Auditor s conclusions are to be based on sufficient, relevant, competent and appropriate audit evidence. Audit evidence may include the IS Auditor s observations, notes taken from interviews, results of independent confirmations obtained by the IS Auditor from different stakeholders, material extracted from correspondence ad internal documentation or contracts with external partners, or the results of audit test procedures.` 22

23 Audit Evidence: evaluate reliability Independence of the provider of the audit evidence Qualifications of the individual providing the information/evidence Objectivity of Evidence Timing of the Evidence 23

24 Methods of gathering Audit Evidence: SA 500 Physical Examination Confirmation Documentati on Analytical Procedures Inquires with Client Recalcualtion Performance Observation 24

25 Types of Audit Evidence Documentation: Policy Documents, Procedure Documents Screenshots Photographs Correspondence with time stamps Memory Dump, Log Dump generated from the applications under consideration Surveys Audit work papers External Confirmations Written Representations Refer SA

26 Evidence Preservation: Examples Evidence exists in form of log files, file time stamps, contents of memory, etc. rebooting the system or accessing files could result in such evidence being lost, corrupted or overwritten. First step to be taken should be copying one or more images of the attacked system. Memory content should also be dumped to a file before rebooting the system. Any further analysis must be performed on an image of the system and on copies of the memory dumped not on the original. 26

27 Evidence Preservation: Standards Preserve the chain of custody. Standard on Auditing (SA) 230, Audit documentation deals with the Auditor s responsibility to prepare audit documentation for financial statements Standard on Auditing (SA) 500, Audit Evidence explains what constitutes audit evidence in an audit of financial statements, and deals with the Auditor s responsibility to design and perform audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the Auditor s conclusions. 27

28 Evidence Preservation: SA 580 Standard on Auditing (SA) 580 Written Representations deals with the Auditor s responsibility to obtain written representations from the management and, where appropriate, those charged with governance. 28

29 Audit Documentation IS Auditor has to ensure evidence obtained by is sufficient, reliable, relevant and useful and enables effective achievement of audit objectives. The audit documentation generally includes: Basic documents relating to the business, technology and control environment Documents relating to laws, regulations and standards applicable Preliminary review and how the audit objectives and scope were evaluated and agreed upon. Documents relating to Risk analysis Audit plan and progress against plan, Audit programs 29

30 Audit Documentation: contents Audit procedures as applied to the audit. Audit findings, observations, inspection reports, management representations, logs, audit trails and other related evidence. Interpretation of audit evidence. Audit Report issued. Auditee s observations and response to findings and recommendations. Reports by third party experts. Peer Reviews. 30

31 Audit Documentation: record of Audit documentation includes, at a minimum a record of: Planning and preparation of audit scope and objectives Description and/or walkthroughs on the scoped audit areas Audit program Audit steps performed and audit evidence gathered Use of services of other IS Auditors and experts Audit findings, conclusions and recommendations Audit documentation relation with document identification and dates A copy of the report issued as a result of the audit work. Evidence of audit supervisory review 31

32 Test working papers Review of existing internal controls A summary of tests conducted Documentation of procedures performed and tools, if any used Supporting documentation of detailed tests 32

33 Organization of audit working papers Objective: Why the work was done? Work done: What was actually done? Finding: What issues arose? Risk: What are the risks associated with the finding, expressed in terms of impact on business? Recommended action: What is being recommended? Action: What action was agreed with management? Evidence: Each working paper should be supported by evidence of the weaknesses observed 33

34 Documentation Controls Each working paper (or work paper) should be: Dated manually or digitally and signed by the person completing work Referenced with a unique number 34

35 Audit Documentation information Planning and preparation of audit scope and objectives Description and/or walkthroughs on the scoped audit areas Audit program Audit steps performed and audit evidence gathered Use of services of other IS Auditors and experts 35

36 Audit Documentation includes Audit findings, conclusions and recommendations Audit documentation relation with document identification and dates A copy of the report issued as a result of the audit work. Evidence of audit supervisory review 36

37 Using work of another auditor and expert Outsourcing of IS assurance and security services is increasingly becoming a common practice. External experts could include experts in specific technologies such as networking, automated teller machine, wireless, systems integration and digital forensics, or subject matter experts such as specialists in a particular industry or area of specialization such as banking, securities trading, insurance, legal experts etc. 37

38 Using work of an Expert When a part or all IS audit services are proposed to be outsourced to another audit or external service provider, following should be considered in using services of other IS Auditors and experts: Restrictions on outsourcing of audit/security services provided by laws and regulations Audit charter or contractual stipulations Impact on overall and specific IS audit objectives 38

39 Using work of an expert Impact on IS audit risk and professional liability Independence and objectivity of other auditors and experts Professional competence, qualifications and experience Scope of work proposed to be outsourced and approach Supervisory and audit management controls Method and modalities of communication of results of audit work Compliance with legal and regulatory stipulations Compliance with applicable professional standards 39

40 Using work of an Expert Based on nature of assignment, some special consideration: Testimonials/references and background checks Access to systems, premises and records Confidentiality restrictions to protect customer related information Use of CAATs and other tools to be used by the external audit service provider Standards and methodologies for performance of work and documentation Non-disclosure agreements 40

41 Using work of an Expert (SA 620) The IS Auditor or entity outsourcing the services should monitor the relationship to ensure the objectivity and independence throughout the duration of the engagement. Responsibility of the IS Auditor or entity using services to: Clearly communicate audit objectives, scope and methodology through a formal engagement letter. Put in place a monitoring process for regular review of the work of the external service provider with regard to planning, supervision, review and documentation. Assess the usefulness and appropriateness of reports of such external providers, and assess the impact of significant findings on the overall audit objectives. 41

42 Summary Creation Risk Control Matrix Audit Sampling, Data Analysis, Business Intelligence Analytical Review Procedures - CAAT Tools Compliance Testing and Substantive Testing Design Effectiveness Audit Evidence and Audit documentation Using the work of an expert 42

43 Thank you! 43