Performance Auditing In IT Environment: Evidence Gathering & Analysis Techniques, Computer Assisted Techniques, Use of IDEA

In the last 10 days, we discussed all aspects relating to Performance Auditing, from strategic planning and selection of subjects to the reporting process, follow-up procedures, quality assurance and critical issues.

Today we will briefly discuss some of the important aspects of conducting a Performance Audit in an IT environment, evidence gathering and analysis techniques, and some of the important CAATs.

There will be 4 sessions covering the areas listed in the next slide.

Performance Auditing in IT Environment
Topic coverage for the day XI

• Introduction
• Planning & Resourcing
• Performance Auditing involving IT System Development
• Performance Auditing involving operational IT Systems
• Performance Aspect of Auditing in IT Environment
• Evidence gathering techniques
• Computer Assisted Auditing Techniques
• Specialised and support audit techniques/software
• Internet
• Reporting

In the first session we will cover

• Introduction - Performance Auditing in IT Env.
• Performance Auditing Planning & Resourcing
• Performance Auditing involving IT System Development
• Performance Auditing involving operational IT Systems
• Performance Aspect of Auditing in IT Environment

Performance Auditing - Introduction

• IT - increasingly used for public sector programme planning, execution, monitoring
• Sharing or integration of information between entities raises issues such as the risk of security breaches & unauthorised manipulation of information
• Auditors to develop strategy & technique to provide assurance to stakeholders about value for money from the use of the IT, security of the systems, existence of proper process controls and completeness and accuracy of the output

Performance Auditing - Introduction Contd…

• IT - has to be efficient
• IT - should be cost effective, provide range of additional services, including programme performance information, with greater efficiency, security and control than are available in manual system
• IT - has risk of major systemic error having greater impact on entity performance than would be possible in manual systems.

Performance Auditing - Introduction Contd…

• Understand the entity's IT system & its significance to the performance audit objective
• Identify the extent of IT systems auditing required to achieve the performance audit objective (e.g. audit of system development, audit of environment and application controls) and employ specialist IT auditors to undertake the task
• Develop and use appropriate CAATs to facilitate audit

Performance Auditing - Introduction Contd…

Performance auditing in IT Environment should
– Identify any deficiencies in IT controls & resulting effect on efficiency, economy and effectiveness of the performance of the entity
– Examine IT system development and maintenance practice of the entity and compare it to industry better practices

Performance Auditing - Introduction Contd…

– Compare the IT strategic planning, risk management and project management practices of the entity with industry better practice and in relation to corporate governance framework of the entity
– Determine whether system output meets entity quality and service delivery parameters and
– Assess whether the IT systems enhance the economy, efficiency and effectiveness of the entity's programme management, in particular in relation to programme planning, execution, monitoring and feedback

Session Coverage - Performance Auditing in IT Environment

• Introduction
• Planning & Resourcing
• Performance Auditing involving IT System Development
• Performance Auditing involving operational IT Systems
• Performance Aspect of Auditing in IT Environment

Performance Auditing

• Planning
• Resourcing

Planning

• Planning to frame audit objectives with reference to the objectives of the entity in adopting/introducing IT systems and should include audit concerns relating to security, controls and value for money
• Planning to identify the IT systems, computer systems and software packages being used by the entity
• Planning to identify major potential risks and exposures of system in the entity

Resourcing

• Performance Auditing in IT environment requires specialist skills
• Appropriately trained persons in IT with audit & accountancy skills
• Think of services of technical consultant for more specialised technical areas
• Personnel need extensive training to remain abreast of technological developments and IT Audit techniques

Performance Auditing involving IT system development

Determine if the entity
• Has appropriate executive approvals for the development of the system, i.e. that IT management fits within the corporate governance of the entity
• Has appropriate project management processes in place to manage the project
• Has met required targets of time, cost, system function and value for money
• Uses an appropriate system development methodology, and
• Has processes in place, including the involvement of Internal Audit, to ensure that the new system includes all the necessary controls and audit trails, and is likely to meet the requirements of the entity and its stakeholders

COBIT Acquisition & Implementation Domain, Monitoring domain

Performance Auditing involving Operational IT System

Concerns auditor would be expected to consider:
• Strategic and operational management of IT within the entity (IT included in overall corporate governance)
• IT project management includes compliance with legislative & other local laws - Compliance Testing
• Risk management practice of entity in respect of IT - No 100% risk avoidance - acceptable risk level
• IT system design, development & maintenance controls - SDLC Phases - Feasibility, Requirement, Design & Code, Implementation (acceptance testing)
• Compliance with standards including external standards - Compliance Testing

Performance Auditing involving Operational IT System

Concerns auditor would be expected to consider:
• Application controls
• Processing controls, including audit trails
• Business continuity arrangements
• Data integrity including sampling of data (possibly using CAATs)
• Access controls and the physical & logical security of networks and computers, including Internet firewalls
• Controls to safeguard against illegal software
• Performance management & measurement
• Other issues that arise during the audit

Performance Auditing involving Operational IT System

In making assessment auditor may
• Review files and other documents relevant to the development and operation of the IT systems
• Use appropriate software packages to test the central and networked computing systems controls
• Test a sample of transactions (including the use of CAATs) to validate the systems and relevant controls; and
• Interview key staff members

Performance aspects of auditing in an IT environment

Auditor may also examine:
• Whether the IT system has enhanced the efficiency with which the entity manages its programmes/activities and whether the conversion to an IT system has any beneficial results for the stakeholders in the entity

Performance aspects of auditing in an IT environment

Auditor may also assess:
• If IT systems have facilitated improved programme management
• IT to support objective of entity & is integrated part of its operations
• Whether required highly qualified staff is deployed or not
• IT contribution to operations is measured in operational efficiency terms

Performance aspects of auditing in an IT environment

Auditor may also assess:
• The gains of IT may not be realised without appropriate organisational changes; and
• Normal value for money measures may be more difficult to apply
• Return on investment
• Whether the IT environment has contributed to transparency, accountability and good governance

In this session we discussed

• Introduction - Performance Auditing in IT Env.
• Performance Auditing Planning & Resourcing
• Performance Auditing involving IT System Development
• Performance Auditing involving operational IT Systems
• Performance Aspect of Auditing in IT Environment