The Information Systems Audit




November 25, 2009

Institute of Chartered Accountants of Pakistan (ICAP), ICAP Auditorium, Karachi
Sajid H. Khan, Executive Director, Technology and Security Risk Services

IS Environment
- Back Office Batch Apps
- MIS
- Online Integrated Applications / ERP
- DAS
- E-Commerce / Home Computing
- Knowledge

Information Technology Audit
The IT audit focuses on determining the risks that are relevant to information assets, and on assessing and evaluating controls in order to reduce or mitigate those risks. It is any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, the related non-automated processes, and the interfaces between them.

Purpose of IT Audit
The IT audit's agenda may be summarized by the following questions:
- Integrity: Will the information provided by the system always be accurate, reliable, and timely?
- Confidentiality: Will the information in the systems be disclosed only to authorized users?
- Availability: Will the organization's computer systems be available for the business at all times when required?

Classification of Audits
- Financial audits
- Operational audits
- Integrated audits
- IS audits
- Specialized audits
- Forensic audits

Audit Objectives
Specific goals of the audit:
- Confidentiality
- Integrity
- Reliability
- Availability
- Compliance with legal / regulatory requirements

Types of IT Audits
- IT policies & procedures review and gap analysis
- Implementation reviews (e.g. SAP / Oracle / JD Edwards)
- IT security reviews
- IT forensic investigations
- Application integrity reviews
- Business continuity / IT disaster recovery
These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation or special engagement.

Types of IT Audits: System Implementation Review (example)
- Business process / application controls
- Report testing and documentation
- Testing (unit, volume, user)
- Data cleansing and conversion
- Segregation of duties
- Roll-out strategies
- IT general controls

Various Standards and Frameworks
- COBIT
- COSO
- SOX
- ICFR
- BASEL II
- ITIL

COBIT
A framework with 34 high-level control objectives, grouped into four domains:
- Planning and organization
- Acquisition and implementation
- Delivery and support
- Monitoring and evaluation
It draws on 36 major IT-related standards and regulations.

ISACA IS Auditing Standards Framework
The framework for the ISACA IS Auditing Standards has three levels:
- Standards: must be followed by IS auditors
- Guidelines: provide assistance on how to implement the standards
- Procedures: provide examples for implementing the standards

ISACA IS Auditing Standards Framework (cont.)
Objectives of the ISACA IS Auditing Standards:
- Inform management and other interested parties of the profession's expectations concerning the work of audit practitioners
- Inform information systems auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics

ISACA IS Auditing Standards Framework (cont.)
- S1 Audit charter
- S2 Independence
- S3 Ethics and standards
- S4 Competence
- S5 Planning
- S6 Performance of audit work
- S7 Reporting
- S8 Follow-up activities
- S9 Irregularities and illegal acts
- S10 IT governance
- S11 Use of risk assessment in audit planning
- S12 Audit materiality
- S13 Using the work of other experts
- S14 Audit evidence
- S15 IT controls
- S16 Electronic commerce

Skills and Competence
An ideal background for an IS auditor combines:
- Business
- Auditing
- Information technology

Skills and Competence (cont.)
Specialized IS skills may be needed for an auditor to:
- Obtain an understanding of the accounting and internal control systems affected by the IS environment.
- Determine the effect of the IS environment on the assessment of risk at each level (e.g. process, account, transaction level).
- Design and perform appropriate tests of control and substantive procedures, e.g. data analytics.

IS Audit Resource Management & Planning
- Limited number of IS auditors
- Maintenance of their technical competence
- Assignment of audit staff
- Short- and long-term planning
Considerations:
- New control issues
- Changing technologies
- Changing business processes
- Enhanced evaluation techniques

Information Technology Audit: Process
An information technology audit, or information systems audit, is an examination of the controls within an information technology (IT) infrastructure. It is a process of collecting and evaluating evidence about an organization's information systems, practices, and operations. The evaluation of the evidence obtained determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

A Typical IS Audit Cycle
1. Planning
2. Understand the process(es)
3. Walk through the process and its controls (design of control)
4. Test the controls (operating effectiveness)
5. Conclude and report

IS Control Objectives
Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.

Key Controls
A key control is a member of the set of controls that management identifies and relies upon in order to mitigate the risk of financial misstatement. In other words, it is the main control that addresses the risk. Key controls are usually identified by management.

Compensating Controls
A compensating control is a control that is in place to mitigate the risk of damage in the event that a key control fails. Example: the key control may be approval prior to granting access to systems; if it fails, the compensating control might be monthly monitoring of user access, which limits the exposure to a period of one month.

Prevent / Detect Controls: Change Management Example
- Prevent controls operate pre-production, before a change reaches production
- Detect controls operate post-production, after a change is in production

Elements of an Effective IT Audit
Knowledge:
- Business
- Technology
- Best practice
Tools and methods:
- Checklists
- Work programs
- Automated tools
- Guidelines

Risk Assessment
Assessing information technology risks: risk assessments should identify, quantify and prioritize risks against the criteria for risk acceptance and the objectives relevant to the organization. They should be performed periodically to address changes in the environment and in security requirements, and whenever significant changes occur.

Risk Assessment: Treatment
Treating security risks: each risk identified in a risk assessment needs to be treated. Controls should be selected to ensure that risks are reduced to an acceptable level.

Scoping
- Areas / processes in scope
- Risks identified within the processes / areas
- Application scoping
- Identification of key and compensating controls at each layer: application, operating system, database

Scoping: Management Controls
- Strategy
- DRP
- Security policy
- IT governance
- Policies and procedures
- Compliance
Security environment (applications, databases, networks etc.):
- IT general controls
- Application controls
- Optimizing database performance
- Reducing network vulnerabilities

IT Governance: Entity Level Controls
Controls at the company level that create, foster, and sustain a controlled IT environment. Examples:
- IT strategic planning
- IT policies and procedures
- IT organization structure
- Properly segregated duties
- Fraud identification
- Training and education
- Monitoring and risk assessment

IT General Controls: Layers of Controls
- Business
- Processes
- Data

ITGC Domains
- Program change management
- Logical access
- IT operations (backup & recovery, job scheduling, problem and incident management)

Change Management
Objective: to provide reasonable assurance that only appropriately authorized, tested, and approved changes are made to in-scope systems.
Types of changes that fall under change management:
- Program development / acquisition
- Program change
- Maintenance (e.g. database, operating system)
- Emergency changes
- Configuration / parameter changes (e.g. physical hardware configuration and parameter settings)

Change Management (cont.)
Components of the IT environment:
- Applications
- Interfaces
- DBMS (database management system)
- Network and operating systems (OS)
Typical key controls:
- Changes are authorized
- Changes are tested
- Changes are approved
- Changes are monitored
- Duties are appropriately segregated
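The change-management key controls listed above can be tested as a detect-side procedure over the production deployment log. The script below is an added example for this page, not material from the presentation: it traces every constructed deployment to its change ticket and checks that the change was authorized, tested and approved before it went live, that an emergency change still carries approval, and that the developer neither approved nor deployed their own change. Ticket ids, names, dates and the field layout are all constructed for illustration.

```python
"""Change-management ITGC test over a constructed sample population.

Added example, not from the presentation. Every production deployment is
traced back to its change ticket and checked against the key controls:
authorized, tested and approved before deployment, with the developer not
also approving or deploying the change (segregation of duties). Emergency
changes may be deployed before approval but must carry approval on file.
All tickets, names and dates below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class ChangeTicket:
    ticket_id: str
    developer: str
    authorized: bool                  # business owner authorized the change
    tested_on: Optional[datetime]     # None: no test evidence on file
    approved_by: Optional[str]        # None: not approved
    approved_on: Optional[datetime]
    emergency: bool = False


@dataclass
class Deployment:
    ticket_id: Optional[str]          # reference recorded in the deployment log
    deployed_by: str
    deployed_on: datetime
    target: str


def day(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


# Constructed change tickets: the "authorized / tested / approved" evidence
TICKETS: Dict[str, ChangeTicket] = {
    "CHG-1001": ChangeTicket("CHG-1001", "alice", True, day("2009-11-02"), "carol", day("2009-11-03")),
    "CHG-1002": ChangeTicket("CHG-1002", "bob", True, None, "bob", day("2009-11-05")),
    "CHG-1003": ChangeTicket("CHG-1003", "alice", True, day("2009-11-10"), None, None, emergency=True),
}

# Constructed production deployment log: the population under test
DEPLOYMENTS: List[Deployment] = [
    Deployment("CHG-1001", "dave", day("2009-11-04"), "gl-app"),
    Deployment("CHG-1002", "bob", day("2009-11-05"), "ap-app"),
    Deployment("CHG-1003", "dave", day("2009-11-09"), "gl-app"),
    Deployment(None, "erin", day("2009-11-12"), "payroll-app"),
    Deployment("CHG-9999", "dave", day("2009-11-13"), "hr-app"),
]


def check_deployment(dep: Deployment, tickets: Dict[str, ChangeTicket]) -> List[str]:
    """Return the control exceptions for one deployment (empty list = clean)."""
    ticket = tickets.get(dep.ticket_id) if dep.ticket_id else None
    if ticket is None:
        return [f"{dep.target} {dep.deployed_on:%Y-%m-%d}: no change ticket for deployment by {dep.deployed_by}"]
    findings: List[str] = []
    if not ticket.authorized:
        findings.append(f"{ticket.ticket_id}: change was not authorized")
    if ticket.tested_on is None or ticket.tested_on > dep.deployed_on:
        findings.append(f"{ticket.ticket_id}: no test evidence dated before deployment")
    approved_before = ticket.approved_on is not None and ticket.approved_on <= dep.deployed_on
    if ticket.approved_by is None:
        note = " (emergency change: retrospective approval required)" if ticket.emergency else ""
        findings.append(f"{ticket.ticket_id}: no approval on file{note}")
    elif not approved_before and not ticket.emergency:
        findings.append(f"{ticket.ticket_id}: approved after deployment")
    if ticket.approved_by is not None and ticket.approved_by == ticket.developer:
        findings.append(f"{ticket.ticket_id}: segregation of duties: approved by its own developer")
    if dep.deployed_by == ticket.developer:
        findings.append(f"{ticket.ticket_id}: segregation of duties: deployed by its own developer")
    return findings


def run_change_management_test(deployments: List[Deployment],
                               tickets: Dict[str, ChangeTicket]) -> List[List[str]]:
    """Findings per deployment, in the same order as the deployment log."""
    return [check_deployment(dep, tickets) for dep in deployments]


def summarize(results: List[List[str]]) -> Dict[str, int]:
    return {
        "deployments": len(results),
        "with_findings": sum(1 for r in results if r),
        "findings": sum(len(r) for r in results),
    }


if __name__ == "__main__":
    results = run_change_management_test(DEPLOYMENTS, TICKETS)
    for dep, findings in zip(DEPLOYMENTS, results):
        print(f"{dep.target:12} {dep.deployed_on:%Y-%m-%d} {'OK' if not findings else 'EXCEPTION'}")
        for f in findings:
            print("   ", f)
    print(summarize(results))
```

Running it as written reports one clean deployment and four with exceptions; in a real engagement the deployment log is the population and the tickets are the evidence, so a deployment with no ticket is the finding that matters most, since the preventive controls had no chance to operate on it.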

Logical Access
Objective: to determine that only authorized persons have access to data and applications (including programs, tables, and related resources) and that they can perform only specifically authorized functions.
Levels of the logical access path:
- Network / operating system
- Application
- Database

Logical Access (cont.)
General systems security settings:
- Platform specification
- Password configuration
Systems user administration:
- New user setup
- Change / transfer
- Termination

Logical Access (cont.)
- Privileged users
- User access reviews
- Segregation of incompatible duties (SOD): request access, approve access, provision access
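A user access review re-performs several of the logical access controls above against extracts the auditor obtains independently. The script below is an added example for this page, not material from the presentation: it compares a constructed HR master file with the application's user list and its access-request log, and reports terminated employees with enabled accounts, accounts with no HR record, the privileged users a reviewer must confirm, and requests where one person performed more than one of request, approve and provision. The names, the role list treated as privileged, and the record layouts are all constructed.

```python
"""User access review over constructed extracts.

Added example, not from the presentation. Three extracts are compared: the
HR master file, the application's account list and the access-request log.
Names, roles and records are constructed for illustration; PRIVILEGED_ROLES
is an assumed list, not one taken from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Employee:
    user_id: str
    status: str                       # "active" or "terminated"
    terminated_on: Optional[str] = None


@dataclass
class Account:
    user_id: str
    enabled: bool
    roles: List[str] = field(default_factory=list)


@dataclass
class AccessRequest:
    request_id: str
    user_id: str
    requested_by: str
    approved_by: str
    provisioned_by: str


PRIVILEGED_ROLES = {"sysadmin", "dba", "security_admin"}   # assumed for this example

# Constructed extracts
HR_MASTER: Dict[str, Employee] = {e.user_id: e for e in [
    Employee("alice", "active"),
    Employee("bob", "terminated", "2009-10-15"),
    Employee("carol", "active"),
    Employee("dave", "active"),
]}
ACCOUNTS: List[Account] = [
    Account("alice", True, ["sysadmin"]),
    Account("bob", True, ["ap_clerk"]),        # leaver whose account was never disabled
    Account("carol", True, ["ap_clerk"]),
    Account("dave", False, ["ap_approver"]),
    Account("svc_batch", True, ["dba"]),       # no HR record: needs a named owner
]
REQUESTS: List[AccessRequest] = [
    AccessRequest("REQ-1", "carol", "carol", "dave", "alice"),
    AccessRequest("REQ-2", "dave", "dave", "dave", "alice"),
    AccessRequest("REQ-3", "svc_batch", "alice", "carol", "alice"),
]


def terminated_with_enabled_accounts(accounts: List[Account], hr: Dict[str, Employee]) -> List[str]:
    """Termination control: leavers whose accounts are still enabled."""
    return [a.user_id for a in accounts
            if a.enabled and a.user_id in hr and hr[a.user_id].status == "terminated"]


def orphan_accounts(accounts: List[Account], hr: Dict[str, Employee]) -> List[str]:
    """Accounts with no HR record (service accounts or purged leavers); each needs an owner."""
    return [a.user_id for a in accounts if a.user_id not in hr]


def privileged_users(accounts: List[Account]) -> List[str]:
    """Enabled accounts holding a privileged role; the reviewer confirms each one."""
    return [a.user_id for a in accounts if a.enabled and PRIVILEGED_ROLES & set(a.roles)]


def sod_conflicts(requests: List[AccessRequest]) -> List[str]:
    """Request, approve and provision must be performed by three different people."""
    findings: List[str] = []
    for r in requests:
        duties = {"requested": r.requested_by, "approved": r.approved_by, "provisioned": r.provisioned_by}
        by_person: Dict[str, List[str]] = {}
        for duty, person in duties.items():
            by_person.setdefault(person, []).append(duty)
        for person, done in by_person.items():
            if len(done) > 1:
                findings.append(f"{r.request_id}: {person} {' and '.join(done)}")
    return findings


def user_access_review(accounts: List[Account], hr: Dict[str, Employee],
                       requests: List[AccessRequest]) -> Dict[str, List[str]]:
    return {
        "terminated_but_enabled": terminated_with_enabled_accounts(accounts, hr),
        "orphan_accounts": orphan_accounts(accounts, hr),
        "privileged_users": privileged_users(accounts),
        "sod_conflicts": sod_conflicts(requests),
    }


if __name__ == "__main__":
    for section, items in user_access_review(ACCOUNTS, HR_MASTER, REQUESTS).items():
        print(f"{section}: {items}")
```

The review ties back to the compensating control described earlier: where approval prior to access is the key control, a periodic run of this comparison is the monthly monitoring that bounds the exposure when that approval is missed.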

IT Operations
- To determine that critical data is properly backed up so that it can be accurately and completely recovered if there is a system outage or data integrity issue.
- To determine that only appropriate users have the ability to make changes to job scheduling.
- To determine that a problem and incident management process is in place.

IT Operations (cont.)
- Backup & recovery
- Job scheduling
- Problem & incident management
- Data center walkthrough
- Physical access

Application Controls
An application control is an automated control that is programmed within a system to perform the same function over and over again. Examples:
- Edit checks
- Validations
- Calculations
- Interfaces
- Authorizations

Application Controls
- Embedded control: the system is programmed to perform the control as a result of either custom coding or packaged delivery of that functionality.
- Configurable control: the system has the capacity to perform the control depending on its setup, but may have been configured differently. Used especially in the context of ERP systems.
Example: a three-way match within an application.

Application Controls: Testing
Embedded control:
- Re-performance via walkthrough
- Inspection of authorization
Configurable control:
- Inspect configuration
- Re-performance via walkthrough
- Inspection of authorization
Consider manual overrides and the underlying ITGCs.

IT Dependent Manual Controls
An IT-dependent manual control is any control activity in which an individual and an IT output are combined. Example: review of a system-generated report. Consider the underlying ITGCs.

Data Analytics
Also called Computer Assisted Audit Techniques (CAATs). CAATs enable IS auditors to gather information independently. Multiple tools are available to perform data analytics.

Data Analytics (cont.)
Functions supported by automated tools:
- File access
- File reorganization
- Data selection
- Statistical functions
- Arithmetical functions

Data Analytics (cont.)
Considerations before utilizing CAATs:
- Ease of use
- Training requirements
- Complexity of coding and maintenance
- Installation requirements
- Processing efficiencies
- Confidentiality of the data being processed
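The three-way match named above as the example of an application control, and the CAAT functions just listed (data selection, arithmetical and statistical functions over an extracted file), come together in the script below. It is an added example for this page, not material from the presentation or from any ERP product: it re-performs the match for every invoice in a constructed extract against constructed purchase orders and goods receipts, then reconciles the extract's count and total to ledger control totals obtained independently, which is how the completeness of the population is established before any conclusion is drawn from it. The price tolerance and all records are constructed.

```python
"""Re-performance of a three-way match control plus a population completeness
check, as a CAAT over constructed data.

Added example, not from the presentation. The match compares each vendor
invoice with its purchase order (vendor, unit price) and the goods received
against that order (cumulative quantity). PRICE_TOLERANCE and every record
below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    quantity: int
    unit_price: Decimal


@dataclass
class GoodsReceipt:
    gr_id: str
    po_id: str
    quantity: int


@dataclass
class Invoice:
    invoice_id: str
    po_id: str
    vendor: str
    quantity: int
    unit_price: Decimal

    @property
    def amount(self) -> Decimal:
        return self.quantity * self.unit_price


PRICE_TOLERANCE = Decimal("0.02")          # assumed 2 % tolerance for this example

# Constructed extracts
POS: Dict[str, PurchaseOrder] = {p.po_id: p for p in [
    PurchaseOrder("PO-1", "V1", 100, Decimal("2.50")),
    PurchaseOrder("PO-2", "V2", 10, Decimal("150.00")),
    PurchaseOrder("PO-3", "V1", 5, Decimal("20.00")),
]}
RECEIPTS: List[GoodsReceipt] = [GoodsReceipt("GR-1", "PO-1", 100), GoodsReceipt("GR-2", "PO-2", 8)]
INVOICES: List[Invoice] = [
    Invoice("INV-1", "PO-1", "V1", 100, Decimal("2.50")),
    Invoice("INV-2", "PO-2", "V2", 10, Decimal("150.00")),   # billed more than received
    Invoice("INV-3", "PO-3", "V1", 5, Decimal("20.00")),     # nothing received yet
    Invoice("INV-4", "PO-1", "V1", 100, Decimal("2.75")),    # second billing, higher price
    Invoice("INV-5", "PO-9", "V3", 1, Decimal("999.00")),    # no purchase order
]
# Constructed control totals from the AP ledger, obtained independently of the extract
LEDGER_COUNT = 6
LEDGER_TOTAL = Decimal("3424.00")


def three_way_match(invoices: List[Invoice], pos: Dict[str, PurchaseOrder],
                    receipts: List[GoodsReceipt]) -> Dict[str, List[str]]:
    """Exceptions per invoice; an invoice absent from the result passed the match."""
    received: Dict[str, int] = defaultdict(int)
    for gr in receipts:
        received[gr.po_id] += gr.quantity
    invoiced_so_far: Dict[str, int] = defaultdict(int)   # cumulative, across invoices on one PO
    exceptions: Dict[str, List[str]] = {}
    for inv in invoices:
        found: List[str] = []
        po = pos.get(inv.po_id)
        if po is None:
            found.append(f"no purchase order {inv.po_id}")
        else:
            if inv.vendor != po.vendor:
                found.append(f"vendor {inv.vendor} differs from PO vendor {po.vendor}")
            if inv.po_id not in received:
                found.append("no goods receipt")
            else:
                invoiced_so_far[inv.po_id] += inv.quantity
                if invoiced_so_far[inv.po_id] > received[inv.po_id]:
                    found.append(f"invoiced quantity {invoiced_so_far[inv.po_id]} "
                                 f"exceeds received quantity {received[inv.po_id]}")
            variance = abs(inv.unit_price - po.unit_price) / po.unit_price
            if variance > PRICE_TOLERANCE:
                found.append(f"unit price {inv.unit_price} differs from PO price {po.unit_price} by {variance:.1%}")
        if found:
            exceptions[inv.invoice_id] = found
    return exceptions


def control_totals(invoices: List[Invoice]) -> Tuple[int, Decimal]:
    """Record count and hash total of the extract (arithmetical / statistical functions)."""
    return len(invoices), sum((inv.amount for inv in invoices), Decimal("0"))


def reconcile_population(invoices: List[Invoice], ledger_count: int,
                         ledger_total: Decimal) -> Dict[str, Decimal]:
    """Difference between the ledger control totals and the extract; zero means complete."""
    count, total = control_totals(invoices)
    return {"count_difference": Decimal(ledger_count - count), "amount_difference": ledger_total - total}


if __name__ == "__main__":
    for invoice_id, reasons in three_way_match(INVOICES, POS, RECEIPTS).items():
        print(invoice_id, reasons)
    print("completeness:", reconcile_population(INVOICES, LEDGER_COUNT, LEDGER_TOTAL))
```

The reconciliation result matters as much as the match itself: with one invoice and 300.00 unaccounted for between the ledger and the extract, the exceptions above describe only the records the auditor was given, not the population, and the data selection step has to be repeated before the result is reported.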

Challenges for IS Auditors
- Completeness of the population
- Time period coverage
- Key control tools
- Scoping
- Additional procedures
- Controls testing
- Impact on application / ITDM testing if ITGCs are not effective

Communicating Audit Results
Exit interview:
- Correct facts
- Realistic recommendations
- Implementation dates for agreed recommendations
Presentation techniques:
- Executive summary and visual presentation

Communicating Audit Results (cont.)
Audit report structure and contents:
- An introduction to the report (e.g. objectives, scope, procedures performed)
- High-level audit findings and recommendations
- The IS auditor's overall conclusion and opinion
- The IS auditor's reservations with respect to the audit
- Detailed audit findings and recommendations

Audit Documentation
- Planning, audit scope and objectives
- Description of the scoped audit area
- Audit program(s)
- Audit steps performed and evidence gathered
- Other experts used
- Audit findings, conclusions and recommendations

Thank You