Module 2 IS Assurance Services

Module 2: IS Assurance Services
Chapter 2: IS Audit in Phases
Phase 2, Part 2 of 3
CA A. Rafeq

Chapter 2: Agenda
Chapter 2: IS Audit in Phases
- Phase 1: Plan
- Phase 2: Execute
- Phase 3: Report

Phase 2: Execution (Part 2)

Chapter 2: Phase 2 topics
- Creation of a Risk Control Matrix
- Audit Sampling, Data Analysis, Business Intelligence
- Analytical Review Procedures and CAAT Tools
- Compliance Testing and Substantive Testing
- Design Effectiveness
- Audit Evidence and Audit Documentation
- Using the work of an expert

Creation of a Risk Control Matrix
An IS Auditor charts a Risk and Control Matrix (RCM) and uses it throughout the audit engagement. The RCM is a matrix of the risks that were identified in the risk assessment phase.

Parts of an RCM
A series of spreadsheets, each covering a single process (e.g. the purchase process), application (e.g. a custom business application) or area (e.g. information security, logical security, physical security). Each spreadsheet generally contains the following columns:
- Risk No.
- Risk, described in depth
- Control Objective: the control(s) that would ideally counter the identified risk
- Control No.
- Controls present: the control actually implemented by the enterprise to counter the risk

Risk Control Matrix: Contents
The RCM may also be used as an audit notebook containing:
- Details of the control owner
- Process owner
- Testing plans and results
- Audit observations
- Evidence
- Risk ranking
- Recommendations

Audit Sampling: SA 530
SA 530, Audit Sampling, applies when the auditor has decided to use audit sampling in performing audit procedures. It deals with the auditor's use of statistical and non-statistical sampling when designing and selecting the audit sample, performing tests of controls and tests of details, and evaluating the results from the sample.

Methods of Audit Sampling
The IS auditor can use the following sampling methods:
- Statistical sampling, which includes random sampling and systematic sampling
- Non-statistical sampling, which includes haphazard sampling and judgmental sampling
The IS auditor can apply sampling while assessing the controls designed in the environment. On the basis of the initial assessment, the sample size can be increased or decreased to achieve the objective of testing the existence of controls in the IT environment.
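The two statistical methods named above, followed by the evaluation step SA 530 calls for, as an added Python example (not code from the slides or from the course author). The population of change tickets, the deviations planted in it, and the sample-size adjustment rule are all constructed for this example; SA 530 does not prescribe that rule.

```python
"""Statistical audit sampling over a population of control instances.

Added example: random and systematic selection, measurement of the deviation
rate in the sample, and a sample-size adjustment after the initial assessment.
The population and the deviations in it are constructed for the example.
"""
import random
from typing import Callable, Dict, List, Sequence, TypeVar

T = TypeVar("T")

# Constructed population: 200 change tickets for one audit period.  Every
# fifth ticket from 140 onward lacks an approver, the control deviation a
# test of the change-management control would look for.
POPULATION: List[Dict[str, str]] = [
    {"ticket": f"CHG-{i:04d}",
     "approver": "" if (i >= 140 and i % 5 == 0) else "mgr.approver"}
    for i in range(1, 201)
]


def random_sample(population: Sequence[T], size: int, seed: int) -> List[T]:
    """Random selection: every item has an equal chance of being chosen.

    The seed is recorded in the working papers so a reviewer can reperform
    the selection (a documentation control, not a statistical one).
    """
    if not 0 < size <= len(population):
        raise ValueError("invalid sample size")
    rng = random.Random(seed)
    return rng.sample(list(population), size)


def systematic_sample(population: Sequence[T], size: int, start: int) -> List[T]:
    """Systematic selection: a fixed interval through the population from a
    random start.  interval = population size // sample size."""
    if not 0 < size <= len(population):
        raise ValueError("invalid sample size")
    interval = len(population) // size
    if not 0 <= start < interval:
        raise ValueError("start must lie within the first interval")
    return [population[start + k * interval] for k in range(size)]


def deviation_rate(sample: Sequence[T], is_deviation: Callable[[T], bool]) -> float:
    """Share of sampled items on which the control did not operate."""
    if not sample:
        raise ValueError("empty sample")
    return sum(1 for item in sample if is_deviation(item)) / len(sample)


def next_sample_size(current: int, rate: float, tolerable_rate: float) -> int:
    """Sample-size adjustment after the initial assessment.

    Rule used here (an assumption for the example, not a formula from SA 530):
    if the observed deviation rate reaches the tolerable rate, double the
    sample for a second pass; otherwise keep the current size.
    """
    return current * 2 if rate >= tolerable_rate else current


def missing_approver(ticket: Dict[str, str]) -> bool:
    """Deviation condition for the constructed population."""
    return ticket["approver"] == ""


if __name__ == "__main__":
    for name, sample in (("systematic, start 2", systematic_sample(POPULATION, 40, start=2)),
                         ("systematic, start 4", systematic_sample(POPULATION, 40, start=4)),
                         ("random, seed 2014", random_sample(POPULATION, 40, seed=2014))):
        rate = deviation_rate(sample, missing_approver)
        print(f"{name}: {len(sample)} tickets, deviation rate {rate:.1%}, "
              f"next sample size {next_sample_size(40, rate, 0.05)}")
```

Running the block shows why the start point of a systematic sample must be random and why the auditor examines the ordering of the population first: with an interval of 5, a start of 2 never lands on a multiple of 5 and reports a 0% deviation rate, while a start of 4 hits every planted deviation. The random sample has no such blind spot.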

Data Analysis
Data analytics tools and techniques help the IS auditor improve audit approaches, in contrast to the traditional approach, which is a cyclical process of manually identifying controls, performing tests and sampling a small population to measure effectiveness. Data analytics also accommodates the growing risk focus on fraud detection. Using data analytics, the IS auditor extracts insights from financial, operational and other forms of electronic data, whether internal or external to the organization.

Business Intelligence
- A set of theories, methodologies, architectures and technologies that transform raw data into meaningful and useful information for business purposes.
- Encompasses the collection and analysis of information to assist decision making and assess organizational performance.
- Handles enormous amounts of unstructured data to help identify, develop and otherwise create new opportunities.

Analytical Review Procedures
- Defined as substantive tests consisting of a study of comparisons and relationships among data.
- Used in all stages of the audit, including planning, substantive testing and the final review stage.
- Serves as a vital planning function across the entirety of the audit procedures.

Compliance Testing
Compliance testing is evidence gathering for the purpose of testing an organization's compliance with control procedures. A compliance test determines whether controls are being applied in a manner that complies with management policies and procedures. The broad objective of any compliance test is to provide the IS Auditor with reasonable assurance that the particular control on which the IS Auditor plans to rely is operating as the IS Auditor perceived it in the preliminary evaluation.

Compliance Testing: Effectiveness
Used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence, for example to provide assurance that only authorized modifications are made to production programs. The IS Auditor needs to ensure that internal controls exist, are operating effectively and have operated continuously throughout the period under audit, so that they can be relied upon. By performing compliance tests, the IS Auditor is able to ascertain the existence, effectiveness and continuity of the internal control system.

Examples of Compliance Testing
- User access rights
- Program change control procedures
- Documentation procedures
- Program documentation
- Follow-up of exceptions
- Review of logs
- Software license audits
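A compliance test of the program change control, run over production deployment log lines, as an added Python example (not code from the slides or from the course author). It checks the assurance objective stated on the previous slide, that only authorized modifications reach production: every deployment must reference an approved change ticket, the deployer must not be the approver, and the deployment must fall inside the approved window. The log format, the change register, and all user and ticket names are constructed for this example; a real engagement would read the enterprise's own change system and deployment logs, and each exception found would be carried to the RCM as a test result for follow-up.

```python
"""Compliance test of a program change control over deployment logs.

Added example.  The log lines, ticket register and field names are
constructed; the test logic is the compliance test, the data is not evidence.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed change register: ticket -> status, approver and approved window.
CHANGE_REGISTER: Dict[str, Dict[str, str]] = {
    "CHG-0141": {"status": "approved", "approver": "a.manager",
                 "window_start": "2015-11-12T09:00:00Z", "window_end": "2015-11-12T11:00:00Z"},
    "CHG-0142": {"status": "approved", "approver": "jdoe",
                 "window_start": "2015-11-12T14:00:00Z", "window_end": "2015-11-12T15:00:00Z"},
    "CHG-0143": {"status": "rejected", "approver": "a.manager",
                 "window_start": "2015-11-12T23:00:00Z", "window_end": "2015-11-13T01:00:00Z"},
}

# Constructed production deployment log for the period under audit.
DEPLOY_LOG = """\
2015-11-12T10:03:11Z deploy host=prod-app-01 user=jdoe change=CHG-0141 artifact=billing-2.3.1
2015-11-12T14:20:05Z deploy host=prod-app-02 user=jdoe change=CHG-0142 artifact=billing-2.3.2
2015-11-12T23:41:57Z deploy host=prod-app-01 user=ops.bot change=CHG-0143 artifact=billing-2.3.3
2015-11-13T02:10:00Z deploy host=prod-db-01 user=sysadmin change=none artifact=schema-patch-17
2015-11-13T09:30:00Z deploy host=prod-app-01 user=mlee change=CHG-0141 artifact=billing-2.3.1-hotfix
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) deploy host=(?P<host>\S+) user=(?P<user>\S+) "
    r"change=(?P<change>\S+) artifact=(?P<artifact>\S+)$"
)


def parse_ts(value: str) -> datetime:
    """Timestamps in the constructed log are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Deviation:
    """One instance where the control did not operate as designed."""
    line_no: int
    change: str
    reason: str


def run_compliance_test(log_text: str, register: Dict[str, Dict[str, str]]) -> List[Deviation]:
    """Apply the change-control test to every deployment in the log.

    A line that cannot be parsed is itself a deviation: the audit trail the
    control relies on is incomplete for that modification.
    """
    deviations: List[Deviation] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = LINE_RE.match(line)
        if not match:
            deviations.append(Deviation(line_no, "?", "unparseable log line"))
            continue
        change = match["change"]
        ticket = register.get(change)
        if ticket is None:
            deviations.append(Deviation(line_no, change, "no change ticket referenced"))
            continue
        if ticket["status"] != "approved":
            deviations.append(Deviation(line_no, change, f"ticket status is {ticket['status']}"))
            continue
        # Segregation of duties: the person deploying must not have approved.
        if ticket["approver"] == match["user"]:
            deviations.append(Deviation(line_no, change, "deployer approved own change"))
        deployed_at = parse_ts(match["ts"])
        if not parse_ts(ticket["window_start"]) <= deployed_at <= parse_ts(ticket["window_end"]):
            deviations.append(Deviation(line_no, change, "deployed outside approved window"))
    return deviations


def summarize(deviations: List[Deviation]) -> Dict[str, int]:
    """Count of deviations by reason, for the test working paper."""
    return dict(Counter(d.reason for d in deviations))


if __name__ == "__main__":
    found = run_compliance_test(DEPLOY_LOG, CHANGE_REGISTER)
    for d in found:
        print(f"line {d.line_no} ({d.change}): {d.reason}")
    print(summarize(found))
```

Of the five constructed deployments only the first passes; the other four each illustrate a different way the control can fail to operate, which is the level of detail the working paper needs when the deviation is raised with the process owner.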

Substantive Testing
- Evidence is gathered to evaluate the integrity of individual transactions, data or other information.
- Designed to obtain evidence to ensure the completeness, accuracy and validity of the data.
- Tests for monetary errors directly affecting financial statement balances, or other relevant data.

Substantive Testing: Examples
Substantive tests relate to checking the completeness, accuracy and validity of the data produced by the enterprise. Examples of substantive tests where sampling could be considered:
- Performance of a complex calculation on a sample of accounts
- Vouching a sample of transactions to their supporting documentation, etc.

Design Effectiveness: Features
- Testing of design effectiveness and testing of operating effectiveness are performed by the IS Auditor on every identified control.
- Performed using CAATs, substantive testing and compliance testing.
- Testing involves review of the working design of the control as documented, i.e. the blueprint of the control.
- Evaluates whether the documented control is effective in removing the risk.
- Evaluated by reviewing the policies, procedure documents, etc.

Design Effectiveness: Performance
A walkthrough of a business process and the risk controls within it can help evaluate its design effectiveness for compliance. Performing a walkthrough of the relevant functions or transactions and tracing them all the way through the complete process, from initiation through authorization, recording, processing and reporting, assists in identifying control activities and establishing whether they are being performed (i.e. are in place), in appraising the design of the risk controls, and in substantiating the accuracy of process documentation.

Design Effectiveness: Walk-through
In conducting the walkthrough, review whether sufficient evidence exists that reconciliations are being prepared by the nominated personnel (i.e. a reconciliation statement together with documentary evidence of the balance, and documentation intended to explain, justify or evidence the clearance of reconciling items) and that these are being reviewed (i.e. a supervisor's signature). Where such evidence exists, it can be concluded that the control has been placed in operation and, assuming it properly mitigates the related risk, it can be considered 'design effective'.

Operational Effectiveness
Testing of operating effectiveness refers to the actual performance of the control in the IT environment. The IS Auditor should evaluate the controls that have been documented, evaluate the effectiveness and efficiency of each control, and gain reasonable assurance as to whether the control is sufficient to counter the identified risk. The IS Auditor primarily checks that the control is working as expected, in accordance with its documented design.

Audit Evidence
Any information used by the IS Auditor to determine whether the entity or data being audited follows the established criteria or objectives, and which supports the audit conclusions. The IS Auditor's conclusions are to be based on sufficient, relevant, competent and appropriate audit evidence. Audit evidence may include the IS Auditor's observations, notes taken from interviews, results of independent confirmations obtained by the IS Auditor from different stakeholders, material extracted from correspondence and internal documentation or contracts with external partners, or the results of audit test procedures.

Audit Evidence: Evaluating Reliability
- Independence of the provider of the audit evidence
- Qualifications of the individual providing the information/evidence
- Objectivity of the evidence
- Timing of the evidence

Methods of Gathering Audit Evidence: SA 500
- Physical examination
- Confirmation
- Documentation
- Analytical procedures
- Inquiries with the client
- Recalculation
- Performance
- Observation

Types of Audit Evidence
- Documentation: policy documents, procedure documents
- Screenshots
- Photographs
- Email correspondence with time stamps
- Memory dumps and log dumps generated from the applications under consideration
- Surveys
- Audit work papers
- External confirmations
- Written representations (refer to SA 580)

Evidence Preservation: Examples
Evidence exists in the form of log files, file time stamps, contents of memory, etc. Rebooting the system or accessing files could result in such evidence being lost, corrupted or overwritten. The first step should be to take one or more images of the attacked system. Memory contents should also be dumped to a file before the system is rebooted. Any further analysis must be performed on an image of the system and on copies of the memory dump, never on the original.

Evidence Preservation: Standards
Preserve the chain of custody.
- Standard on Auditing (SA) 230, Audit Documentation, deals with the Auditor's responsibility to prepare audit documentation for an audit of financial statements.
- Standard on Auditing (SA) 500, Audit Evidence, explains what constitutes audit evidence in an audit of financial statements, and deals with the Auditor's responsibility to design and perform audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the Auditor's opinion.
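The preservation steps from the two slides above, as an added Python example (not code from the slides or from the course author): acquire an image, open a hash-based chain of custody with it, perform analysis only on a verified copy, and re-hash evidence before relying on it. Imaging is simulated with a byte-for-byte file copy of a constructed "memory dump"; a real acquisition would use a forensic imaging tool and a write blocker. All paths, custodian names and sample bytes are constructed.

```python
"""Evidence preservation with a hash-based chain of custody (added example).

Imaging is simulated by copying a constructed file; the hashing, custody log
and integrity checks are the part that carries over to real evidence.
"""
import hashlib
import json
import shutil
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Tuple

# Constructed stand-in for a memory dump taken before the system was rebooted.
SAMPLE_MEMORY_DUMP = b"MEMDUMP\x00" + bytes(range(256)) * 64


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class CustodyEntry:
    when: str        # UTC timestamp of the action
    custodian: str   # person taking custody
    action: str      # acquired / copied / ...
    path: str        # where the evidence was at that moment
    sha256: str      # hash observed at that moment


class ChainOfCustody:
    """Append-only record of who held which evidence, when, with which hash."""

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, custodian: str, action: str, path: Path) -> CustodyEntry:
        entry = CustodyEntry(datetime.now(timezone.utc).isoformat(timespec="seconds"),
                             custodian, action, str(path), sha256_file(path))
        self.entries.append(entry)
        return entry

    @property
    def acquisition_hash(self) -> str:
        return self.entries[0].sha256

    def verify(self) -> bool:
        """True when every recorded hash equals the hash taken at acquisition."""
        return bool(self.entries) and all(e.sha256 == self.acquisition_hash for e in self.entries)

    def to_json(self) -> str:
        return json.dumps([asdict(e) for e in self.entries], indent=2)


def acquire(original: Path, store: Path, custodian: str) -> Tuple[Path, ChainOfCustody]:
    """Take the image (simulated copy) and open the chain of custody with its hash."""
    store.mkdir(parents=True, exist_ok=True)
    image = store / (original.name + ".img")
    shutil.copyfile(original, image)
    chain = ChainOfCustody()
    chain.record(custodian, "acquired", image)
    return image, chain


def working_copy(chain: ChainOfCustody, image: Path, dest: Path, custodian: str) -> Path:
    """Create the copy analysis is performed on; the image itself is never
    opened for analysis.  The copy must hash to the acquisition hash."""
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(image, dest)
    entry = chain.record(custodian, "copied", dest)   # recorded even if it mismatches
    if entry.sha256 != chain.acquisition_hash:
        raise RuntimeError("working copy does not match acquisition hash")
    return dest


def check_integrity(chain: ChainOfCustody, path: Path) -> bool:
    """Re-hash evidence, e.g. before it is relied on in the report."""
    return sha256_file(path) == chain.acquisition_hash


def run_demo() -> dict:
    """Acquisition, copying and a tamper check, all inside a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    original = root / "memdump.raw"
    original.write_bytes(SAMPLE_MEMORY_DUMP)
    image, chain = acquire(original, root / "store", "is.auditor")
    copy = working_copy(chain, image, root / "work" / "memdump.raw", "analyst")
    copy_intact = check_integrity(chain, copy)
    copy.write_bytes(b"X" + SAMPLE_MEMORY_DUMP[1:])   # simulate alteration during analysis
    result = {"entries": len(chain.entries), "chain_ok": chain.verify(),
              "copy_intact": copy_intact, "tamper_detected": not check_integrity(chain, copy),
              "image_intact": check_integrity(chain, image)}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The custody log is written even when a copy fails verification, so the discrepancy itself becomes part of the record; and because analysis only ever touched the copy, the image still verifies after the copy has been altered.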

Evidence Preservation: SA 580
Standard on Auditing (SA) 580, Written Representations, deals with the Auditor's responsibility to obtain written representations from management and, where appropriate, those charged with governance.

Audit Documentation
The IS Auditor has to ensure that the evidence obtained is sufficient, reliable, relevant and useful, and that it enables effective achievement of the audit objectives. The audit documentation generally includes:
- Basic documents relating to the business, technology and control environment
- Documents relating to the laws, regulations and standards applicable
- The preliminary review, and how the audit objectives and scope were evaluated and agreed upon
- Documents relating to risk analysis
- The audit plan and progress against plan
- Audit programs

Audit Documentation: Contents
- Audit procedures as applied to the audit
- Audit findings, observations, inspection reports, management representations, logs, audit trails and other related evidence
- Interpretation of audit evidence
- Audit report issued
- Auditee's observations and response to findings and recommendations
- Reports by third-party experts
- Peer reviews

Audit Documentation: Record of
Audit documentation includes, at a minimum, a record of:
- Planning and preparation of audit scope and objectives
- Description and/or walkthroughs of the scoped audit areas
- Audit program
- Audit steps performed and audit evidence gathered
- Use of services of other IS Auditors and experts
- Audit findings, conclusions and recommendations
- Audit documentation relation with document identification and dates
- A copy of the report issued as a result of the audit work
- Evidence of audit supervisory review

Test Working Papers
- Review of existing internal controls
- A summary of tests conducted
- Documentation of procedures performed and tools used, if any
- Supporting documentation of detailed tests

Organization of Audit Working Papers
- Objective: why was the work done?
- Work done: what was actually done?
- Finding: what issues arose?
- Risk: what are the risks associated with the finding, expressed in terms of impact on the business?
- Recommended action: what is being recommended?
- Action: what action was agreed with management?
- Evidence: each working paper should be supported by evidence of the weaknesses observed

Documentation Controls
Each working paper (or work paper) should be:
- Dated (manually or digitally) and signed by the person completing the work
- Referenced with a unique number

Using the Work of Another Auditor and Expert
Outsourcing of IS assurance and security services is increasingly becoming common practice. External experts could include experts in specific technologies such as networking, automated teller machines, wireless, systems integration and digital forensics, or subject matter experts such as specialists in a particular industry or area of specialization, for example banking, securities trading, insurance or legal matters.

Using the Work of an Expert
When part or all of the IS audit services are proposed to be outsourced to another auditor or external service provider, the following should be considered in using the services of other IS Auditors and experts:
- Restrictions on outsourcing of audit/security services imposed by laws and regulations
- Audit charter or contractual stipulations
- Impact on overall and specific IS audit objectives

Using the Work of an Expert (continued)
- Impact on IS audit risk and professional liability
- Independence and objectivity of other auditors and experts
- Professional competence, qualifications and experience
- Scope of work proposed to be outsourced, and approach
- Supervisory and audit management controls
- Method and modalities of communication of results of audit work
- Compliance with legal and regulatory stipulations
- Compliance with applicable professional standards

Using the Work of an Expert
Based on the nature of the assignment, some special considerations:
- Testimonials/references and background checks
- Access to systems, premises and records
- Confidentiality restrictions to protect customer-related information
- Use of CAATs and other tools by the external audit service provider
- Standards and methodologies for performance of work and documentation
- Non-disclosure agreements

Using the Work of an Expert (SA 620)
The IS Auditor or the entity outsourcing the services should monitor the relationship to ensure objectivity and independence throughout the duration of the engagement. It is the responsibility of the IS Auditor or the entity using the services to:
- Clearly communicate audit objectives, scope and methodology through a formal engagement letter
- Put in place a monitoring process for regular review of the work of the external service provider with regard to planning, supervision, review and documentation
- Assess the usefulness and appropriateness of the reports of such external providers, and assess the impact of significant findings on the overall audit objectives

Summary
- Creation of a Risk Control Matrix
- Audit Sampling, Data Analysis, Business Intelligence
- Analytical Review Procedures and CAAT Tools
- Compliance Testing and Substantive Testing
- Design Effectiveness
- Audit Evidence and Audit Documentation
- Using the work of an expert

Thank you!