The Information Systems Audit
November 25, 2009
Ernst & Young Ford Rhodes Sidat Hyder, Chartered Accountants
A member firm of Ernst & Young Global Limited

Sajid H. Khan
Executive Director, Technology and Security Risk Services
Ernst & Young Ford Rhodes Sidat Hyder
Institute of Chartered Accountants of Pakistan, ICAP Auditorium, Karachi

IS Environment (diagram)
• Back Office Batch Apps
• MIS
• Online Integrated Applications / ERP
• DAS
• E-Commerce / Home Computing
• Knowledge

Information Technology Audit
The IT audit focuses on determining the risks that are relevant to information assets, and on assessing and evaluating controls in order to reduce or mitigate these risks.
An information technology audit is any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

Purpose of IT Audit (cont.)
The IT audit's agenda may be summarized by the following questions:
• Integrity - Will the information provided by the system always be accurate, reliable, and timely?
• Confidentiality - Will the information in the systems be disclosed only to authorized users?
• Availability - Will the organization's computer systems be available for the business at all times when required?

Classification of Audits
• Financial audits
• Operational audits
• Integrated audits
• IS audits
• Specialized audits
• Forensic audits

Audit Objectives
Specific goals of the audit:
• Confidentiality
• Integrity
• Reliability
• Availability
• Compliance with legal / regulatory requirements
Types of IT Audits
• IT Policies & Procedures Review and Gap analysis
• Implementation Reviews (e.g. SAP / Oracle / JD Edwards)
• IT Security Reviews
• IT Forensic Investigations
• Application Integrity Reviews
• Business Continuity
• IT Disaster Recovery
These reviews may be performed in conjunction with a financial statement
audit, internal audit, or other form of attestation/special engagement.
Types of IT Audits
System Implementation Review - Example
• Business process/application controls
• Report Testing and documentation
• Testing (unit, volume, user)
• Data Cleansing and Conversion
• Segregation of Duties
• Roll out strategies
• IT General Controls

Various Standards and Frameworks
• COBIT
• COSO
• SOX
• ICFR
• BASEL II
• ITIL

COBIT
• A framework with 34 high-level control objectives
– Planning and organization
– Acquisition and implementation
– Delivery and support
– Monitoring and evaluation
• Use of 36 major IT-related standards and regulations

ISACA - IS Auditing Standards Framework
Framework for the ISACA IS Auditing Standards:
• Standards
• Guidelines
• Procedures

ISACA - IS Auditing Standards Framework
Standards
• Must be followed by IS auditors
Guidelines
• Provide assistance on how to implement the standards
Procedures
• Provide examples for implementing the standards

ISACA IS Auditing Standards Framework (cont.)
Objectives of the ISACA IS Auditing Standards:
• Inform management and other interested parties of the profession's expectations concerning the work of audit practitioners
• Inform information system auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics

ISACA IS Auditing Standards Framework (cont.)
S1 Audit charter
S2 Independence
S3 Ethics and Standards
S4 Competence
S5 Planning
S6 Performance of audit work

ISACA IS Auditing Standards Framework (cont.)
S7 Reporting
S8 Follow-up activities
S9 Irregularities and illegal acts
S10 IT Governance
S11 Use of risk assessment in audit planning
S12 Audit Materiality

ISACA IS Auditing Standards Framework (cont.)
S13 Using the work of other Experts
S14 Audit Evidence
S15 IT Controls
S16 Electronic Commerce

Skills and Competence
An ideal background for an IS Auditor:
• Business
• Auditing
• Information Technology

Skills and Competence (cont.)
Specialized IS skills may be needed for an auditor to:
• Obtain an understanding of the accounting and internal control systems affected by the IS environment.
• Determine the effect of the IS environment on the assessment of risk at each level (e.g. process, account, transaction level).
• Design and perform appropriate tests of control and substantive procedures, e.g. data analytics.

IS Audit Resource Management & Planning
• Short and long term planning
• Considerations
– New control issues
– Changing technologies
– Changing business processes
– Enhanced evaluation techniques
• Limited number of IS auditors
• Maintenance of their technical competence
• Assignment of audit staff

Information Technology Audit - Process
• An information technology audit, or information systems audit, is an examination of the controls within an information technology (IT) infrastructure.
• It is a process of collecting and evaluating evidence of an organization's information systems, practices, and operations.
• The evaluation of the obtained evidence determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

A Typical IS Audit Cycle
• Planning
• Understand the process(es)
• Walk through the process/controls – design of control
• Test the controls – operating effectiveness
• Conclude and report

IS Control Objectives
Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.

Key Controls
• A key control is a member of a set of controls that management identifies and relies upon in order to mitigate the risk of financial misstatement.
• In other words, it is the main control that addresses the risk.
• Key controls are usually identified by management.

Compensating Controls
• A compensating control is a control that is in place to mitigate the risk of damage in the event that a key control fails.
– Example: the key control may be approval prior to access to systems; if it fails, the compensating control might be monthly monitoring of user access, which limits the exposure to a period of at most one month.
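To make the compensating-control example concrete, here is an added illustration (not from the presentation) that re-performs the key control over a constructed list of access grants and measures how long an unapproved grant would survive before the monthly review catches it; the record fields, ticket references and review calendar are assumed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Key control: access is approved before it is granted.
# Compensating control: a monthly review of all accounts granted access.
# Every record below is constructed sample data for this illustration.

REVIEW_PERIOD_DAYS = 31  # worst-case window the monthly review leaves open

@dataclass
class AccessGrant:
    user: str
    system: str
    granted_on: date
    approval_ref: Optional[str]  # approval ticket, or None when nobody approved

def next_review_after(granted_on: date, review_dates: List[date]) -> Optional[date]:
    """First scheduled review on or after the grant date, None if there is none."""
    later = [d for d in review_dates if d >= granted_on]
    return min(later) if later else None

def assess_grants(grants: List[AccessGrant], approved_refs: Set[str],
                  review_dates: List[date]) -> List[dict]:
    """Re-perform the key control for each grant; where it failed, measure how long
    the unapproved access survives before the compensating review would catch it."""
    findings = []
    for g in grants:
        if g.approval_ref in approved_refs:
            continue  # key control operated: a valid approval exists
        review = next_review_after(g.granted_on, review_dates)
        exposure = (review - g.granted_on).days if review else None
        findings.append({
            "user": g.user,
            "system": g.system,
            "granted_on": g.granted_on.isoformat(),
            "caught_by_review_on": review.isoformat() if review else None,
            "exposure_days": exposure,
            # the compensating control only bounds the risk if a review is actually scheduled
            "within_tolerance": exposure is not None and exposure <= REVIEW_PERIOD_DAYS,
        })
    return findings

# Constructed sample: approvals log, grants from the system's user list, review calendar
APPROVED_REFS = {"ACC-1001", "ACC-1002"}
SAMPLE_GRANTS = [
    AccessGrant("alice", "ERP", date(2009, 10, 5), "ACC-1001"),   # approved
    AccessGrant("bob", "ERP", date(2009, 10, 20), None),          # no approval at all
    AccessGrant("carol", "HR", date(2009, 11, 28), "ACC-9999"),   # reference not in approvals
    AccessGrant("dave", "ERP", date(2009, 12, 3), None),          # no review scheduled yet
]
REVIEW_DATES = [date(2009, 10, 31), date(2009, 11, 30)]

def run_sample() -> List[dict]:
    return assess_grants(SAMPLE_GRANTS, APPROVED_REFS, REVIEW_DATES)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```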

Prevent / Detect Controls
Change Management Example (diagram): Prevent Controls | Detect Controls; Pre-Production | Production | Post Production

Elements of an Effective IT Audit
Knowledge
• Business
• Technology
• Best Practice
Tools and Methods
• Checklists
• Work Programs
• Automated Tools
• Guidelines

Risk Assessment
Assessing Information Technology risks:
• Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.
• They should be performed periodically to address changes in the environment and in security requirements, and whenever significant changes occur.

Risk Assessment Treatment
Treating security risks:
• Each risk identified in a risk assessment needs to be treated.
• Controls should be selected to ensure that risks are reduced to an acceptable level.

Scoping
• Areas / Processes in scope
• Risks identified within the processes / areas
• Identification of Key and Compensating Controls
• Application Scoping
– Application
– Operating System
– Database

Scoping (diagram)
Management Controls
• Strategy
• DRP
• Security Policy
IT Governance
• Policies and Procedures
• Compliance
• Security Environment
Application, Databases, Networks etc.
• IT General Controls
• Application Controls
• Optimizing Database Performance
• Reducing Network Vulnerabilities

Entity Level Controls
IT Governance
• Controls at the company level that create, foster, and sustain a controlled IT environment.
Examples:
– IT Strategic Planning
– IT Policies and Procedures
– IT Organization Structure
– Properly segregated duties
– Fraud Identification
– Training and Education
– Monitoring and Risk Assessment

IT General Controls: Layers of Controls
(diagram; the layers labelled include Business Processes and Data)

ITGC Domains
• Program Change Management
• Logical Access
• IT Operations (Backup & Recovery, Job Scheduling, Problem and Incident Management)

Change Management
• Objective: To provide reasonable assurance that only appropriately authorized, tested, and approved changes are made to in-scope systems.
• Types of changes that fall under change management:
– Program Development/Acquisition
– Program Change
– Maintenance (e.g. Database, Operating System)
– Emergency Changes
– Configuration/Parameter Changes (e.g. physical hardware configuration and parameter settings)

Change Management (cont.)
• Components of the IT Environment:
– Applications
– Interfaces
– DBMS (Database Management System)
– Network and Operating Systems (OS)
• Typical Key Controls:
– Changes are Authorized
– Changes are Tested
– Changes are Approved
– Changes are Monitored
– Duties are appropriately segregated

Logical Access
• Objective: To determine that only authorized persons have access to data and applications (including programs, tables, and related resources) and that they can perform only specifically authorized functions.
• Levels of the logical access path:
– Network / Operating System
– Application
– Database

Logical Access (cont.)
• General Systems Security Settings
– Platform Specification
• Password Configuration
• Systems User Administration
– New User Setup
– Change/Transfer
– Termination

Logical Access (cont.)
• Privileged Users
• User Access Reviews
• Segregation of Incompatible Duties (SoD)
– Request access
– Approve access
– Provision access
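An added example (not from the presentation) of checking segregation of incompatible duties for the request/approve/provision workflow against a conflict matrix, together with the privileged-user listing that feeds the separate privileged-user review; the role names, the matrix and the user listing are assumed.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# The three duties in the access-management workflow named on the slide. Any one
# person holding two of them can get access granted without a second pair of eyes.
ACCESS_DUTIES = {"request_access", "approve_access", "provision_access"}

# Conflict matrix: every pair of those duties is incompatible. Constructed for this
# illustration; in practice the matrix is agreed with management during scoping.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset(pair) for pair in combinations(sorted(ACCESS_DUTIES), 2)
}

# Roles whose holders are reviewed as privileged users regardless of SoD (assumed names)
PRIVILEGED_ROLES = {"domain_admin", "dba"}

def duties_for(roles: Set[str], role_to_duties: Dict[str, Set[str]]) -> Set[str]:
    """Resolve the roles a user holds to the workflow duties those roles permit."""
    duties: Set[str] = set()
    for role in roles:
        duties |= role_to_duties.get(role, set())
    return duties

def sod_conflicts(user_roles: Dict[str, Set[str]],
                  role_to_duties: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """User -> list of incompatible duty pairs that user can perform alone."""
    found = {}
    for user, roles in user_roles.items():
        duties = duties_for(roles, role_to_duties)
        hits = sorted(tuple(sorted(c)) for c in CONFLICTS if c <= duties)
        if hits:
            found[user] = hits
    return found

def privileged_users(user_roles: Dict[str, Set[str]]) -> List[str]:
    """Users holding any privileged role, for the separate privileged-user review."""
    return sorted(u for u, roles in user_roles.items() if roles & PRIVILEGED_ROLES)

# Constructed sample: role definitions from the application, plus the user listing
ROLE_TO_DUTIES = {
    "helpdesk": {"request_access"},
    "access_approver": {"approve_access"},
    "identity_admin": {"provision_access"},
    "domain_admin": {"provision_access"},   # admins can create accounts directly
    "dba": set(),
}
USER_ROLES = {
    "alice": {"helpdesk"},
    "bob": {"access_approver", "identity_admin"},   # approves and provisions
    "carol": {"domain_admin", "helpdesk"},          # requests and can provision
    "dave": {"dba"},
}

def run_sample() -> Tuple[Dict[str, List[Tuple[str, str]]], List[str]]:
    return sod_conflicts(USER_ROLES, ROLE_TO_DUTIES), privileged_users(USER_ROLES)

if __name__ == "__main__":
    conflicts, privileged = run_sample()
    print("SoD conflicts:", conflicts)
    print("privileged users:", privileged)
```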

IT Operations
• To determine that critical data is properly backed up so that it can be accurately and completely recovered if there is a system outage or data integrity issue.
• To determine that only appropriate users have the ability to make changes to job scheduling.
• To determine that there is a problem and incident management process in place.

IT Operations (cont.)
• Backup & Recovery
• Job Scheduling
• Problem & Incident Management
• Data Center Walkthrough
• Physical Access

Application Controls
• An application control is an automated control that is programmed within a system to perform the same function over and over again.
– Edit Checks
– Validations
– Calculations
– Interfaces
– Authorizations

Application Controls (cont.)
Embedded Control – The system is programmed to perform the control as a result of either custom coding or packaged delivery of that functionality.
Configurable Control – The system has the capacity to perform the control depending on its setup, but may have been configured differently. Used especially in the context of ERP systems.
Example – A three-way match within an application

Application Controls - Testing
• Embedded Control
– Re-performance via walkthrough
– Inspection of authorization
• Configurable Control
– Inspect configuration
– Re-performance via walkthrough
– Inspection of authorization
Consider manual overrides and the underlying ITGCs.

IT Dependent Manual Controls
• An IT-dependent manual control is any control activity in which an individual and an IT output are combined.
Example - System-generated report review.
Consider the underlying ITGCs.

Data Analytics
• Also called "Computer Assisted Audit Techniques" (CAATs).
• CAATs enable IS auditors to gather information independently.
• Multiple tools are available to perform data analytics.

Data Analytics (cont.)
• Functions supported by automated tools:
– File access
– File reorganization
– Data selection
– Statistical functions
– Arithmetical functions

Data Analytics (cont.)
Considerations before utilizing CAATs:
• Ease of use
• Training requirements
• Complexity of coding and maintenance
• Installation requirements
• Processing efficiencies
• Confidentiality of data being processed

Challenges for IS Auditors
• Completeness of the Population
• Time Period Coverage
• Key Control Tools – Scoping
• Additional Procedures – Controls Testing
• Impact on Application/ITDM testing if ITGCs are not effective
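An added example (not the presentation's) of the completeness and time-period checks an auditor runs on a system extract before relying on it: record count and hash total against control totals, sequence gaps, and months of the audit period with no records at all; the extract, its field names and the control totals are constructed.

```python
import csv
import io
from datetime import date
from typing import Dict, List

# Constructed CSV extract of posted transactions. In practice the system owner
# supplies it with control totals (record count, sum of amount) read directly from
# the source system, so the auditor can prove the extract is the whole population.
EXTRACT = """id,posted_on,amount
1001,2009-07-01,250.00
1002,2009-08-15,1200.50
1004,2009-11-30,75.25
1005,2009-12-10,300.00
"""

def months_between(start: date, end: date) -> List[str]:
    """Every YYYY-MM month from start to end inclusive."""
    months, y, m = [], start.year, start.month
    while (y, m) <= (end.year, end.month):
        months.append(f"{y:04d}-{m:02d}")
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return months

def reconcile(extract_csv: str, control_count: int, control_total: float,
              period_start: date, period_end: date) -> Dict[str, object]:
    """Completeness (count, hash total, id gaps) and period-coverage checks on an extract."""
    rows = list(csv.DictReader(io.StringIO(extract_csv)))
    ids = sorted(int(r["id"]) for r in rows)
    dates = [date.fromisoformat(r["posted_on"]) for r in rows]
    total = round(sum(float(r["amount"]) for r in rows), 2)
    present_months = {d.strftime("%Y-%m") for d in dates}
    return {
        "count_matches": len(rows) == control_count,
        "total_matches": total == round(control_total, 2),
        # a gap in a sequential id suggests records were dropped from the extract
        "id_gaps": sorted(set(range(ids[0], ids[-1] + 1)) - set(ids)) if ids else [],
        "out_of_period": [r["id"] for r, d in zip(rows, dates)
                          if not period_start <= d <= period_end],
        # months of the audit period with no records at all suggest a truncated extract
        "missing_months": [m for m in months_between(period_start, period_end)
                           if m not in present_months],
    }

def run_sample() -> Dict[str, object]:
    # control totals assumed to have been read from the source system: 5 records, 2025.75
    return reconcile(EXTRACT, 5, 2025.75, date(2009, 7, 1), date(2009, 12, 31))

if __name__ == "__main__":
    print(run_sample())
```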

Communicating Audit Results
• Exit interview
– Correct facts
– Realistic recommendations
– Implementation dates for agreed recommendations
• Presentation techniques
– Executive summary and visual presentation

Communicating Audit Results (cont.)
Audit report structure and contents:
• An introduction to the report (e.g. objectives, scope, procedures performed)
• High-level audit findings and recommendations
• The IS auditor's overall conclusion and opinion
• The IS auditor's reservations with respect to the audit
• Detailed audit findings and recommendations

Audit Documentation
• Planning, audit scope and objectives
• Description of the scoped audit area
• Audit program(s)
• Audit steps performed and evidence gathered
• Other experts used
• Audit findings, conclusions and recommendations