Conducting the IT Audit (Revised 2014). Content: ISACA IT Audit Standards, Guidelines and Procedures; IT Audit Lifecycle; Audit Work Papers; Using COBIT

Published on 24-Dec-2015

Transcript

  • Slide 1
  • Conducting the IT Audit (Revised 2014)
  • Slide 2
  • Content
    - ISACA IT Audit Standards, Guidelines and Procedures
    - IT Audit Lifecycle
    - Audit Work Papers
    - Using the COBIT framework to perform an audit
    (CISB424, Sulfeeza)
  • Slide 3
  • ISACA IT Audit Standards, Guidelines and Procedures
    IT Assurance Framework (ITAF): a comprehensive and good-practice-setting reference model that:
    1. Establishes standards that address IS audit and assurance professional roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements
    2. Defines terms and concepts specific to IS assurance
    3. Provides guidance, tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments
    (Source: ISACA)
  • Slide 4
  • ISACA IT Audit Standards, Guidelines and Procedures
    ITAF provides three (3) levels of guidance:
    A) Standards define mandatory requirements for IT auditing and reporting. ITAF IS audit and assurance standards are divided into three (3) categories:
       1. General standards (1000 series): the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with the IS audit and assurance professional's ethics, independence, objectivity and due care, as well as knowledge, competency and skill.
       2. Performance standards (1200 series): deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care.
       3. Reporting standards (1400 series): address the types of reports, means of communication and the information communicated.
    (Source: ISACA; Cascarino, 2012)
  • Slide 5
  • ISACA IT Audit Standards, Guidelines and Procedures
    ITAF provides three (3) levels of guidance (continued):
    B) Guidelines provide guidance in applying the IT audit standards. ITAF IS audit and assurance guidelines are also divided into three (3) categories:
       1. General guidelines (2000 series)
       2. Performance guidelines (2200 series)
       3. Reporting guidelines (2400 series)
    C) Tools and techniques (Section 3000) provide specific information on various methodologies, tools and templates, and give direction on their application and use to operationalise the information provided in the guidance.
    (Source: ISACA; Cascarino, 2012)
  • Slide 6
  • IT Audit Lifecycle
    1. Audit Planning & Preparation
    2. Audit Execution
    3. Audit Follow-up
  • Slide 7
  • IT Audit Lifecycle: Planning & Preparation
    Audit request:
    1. Identification of audit objectives, scope, tasks and duration
    2. Preliminary study of the auditee's operations and environment
    Auditor assignment:
    1. Selection of audit team members
    2. Allocation of tasks to each team member
    3. Deciding when tasks should commence
    4. Estimation of the duration of each task based on the allocated auditors
    Planning:
    1. Engagement letter to the auditee
  • Slide 8
  • IT Audit Lifecycle: Execution
    Fieldwork:
    1. Review of risks and the internal controls implemented
    2. Testing of controls. Sampling approaches: non-statistical/judgmental sampling; statistical sampling
    3. Risk assessment
    4. Identification and development of findings. Components of a finding:
       - Criteria: the standards against which observed conditions are measured
       - Conditions: the actual observations made during audit testing
       - Effects: the impact on the business associated with the observed problem
       - Cause: the reasons for the internal control failures
    Solution development:
    1. Propose recommendations: a) no changes; b) improve control; c) transfer of risk
       Recommendation approaches:
       - Recommendation approach: auditors provide recommendations for the raised issues and ask the auditees whether they agree with the proposed recommendations
       - Management-response approach: auditors highlight issues; auditees provide the responses and action plans
       - Solution approach: auditors and auditees collaborate to come up with solutions that resolve the issues
    Report issuance:
    1. Conduct an exit meeting: a) to discuss the findings, recommendations and text of the draft; b) the auditees may comment on the draft and the group works to reach agreement on the audit findings
    2. Draft report
    3. Final report
  • Slide 9
  • IT Audit Lifecycle: Follow-up
    Recommendations evaluation:
    1. Determine and assess whether the audit recommendations have been implemented
    2. Follow-up report development and issuance
    Self-assessment:
    1. Perform a self-assessment of the audit assignment
  • Slide 10
  • Audit work papers
    Objectives:
    1. Document the planning, performance, and review of audit work: include audit planning and scoping decisions, testing methodologies and results, and evidence of review and completion of audit program work steps.
    2. Provide the principal support for audit communication such as observations, conclusions, and the final report: contain sufficient competent, relevant, and useful information to provide a sound basis (act as evidence) for engagement observations and recommendations and to support the auditor's assessment.
    3. Facilitate third-party reviews and re-performance requirements: provide an audit trail that enables a technically competent individual who has no experience with the prior audit to re-perform the procedures.
    4. Provide a basis for evaluating the internal audit activity's quality control program: a tangible representation of the project that can be assessed during the quality review.
    (Source: Practice Advisory 2330-1: Recording Information, from the International Standards for the Professional Practice of Internal Auditing (Standards))
  • Slide 11
  • Audit work papers
    The work papers serve as the connecting link between the audit assignment, the auditor's fieldwork, and the final report. Therefore, the work papers will:
    a) Provide documentation of evidence
    b) Support findings and recommendations
  • Slide 12
  • Work papers and audit cycle
    1. Audit Planning & Preparation: audit plan; audit program
    2. Audit Execution: audit working papers; draft audit report; final audit report
    3. Audit Follow-up: follow-up checklist; follow-up report
  • Slide 13
  • Audit Plan
    A detailed outline of the auditor's plans and the procedures used in conducting an audit. An audit plan will include the following items:
    - the audit objectives and scope of work
    - background information about the activities to be audited, including the risks associated with the area
    - the resources necessary to perform the audit
    - the names of individuals who need to know about the audit
    - the results, if appropriate, of an on-site survey to become familiar with the activities and controls to be audited, to identify areas for audit emphasis, and to invite auditee comments and suggestions
    - the audit program
    - how, when, and to whom audit results will be communicated
  • Slide 14
  • Audit Program
    The detailed step-by-step procedures to be followed during an audit. Consists of:
    - Audit concerns
    - Audit objectives
    - Evidence to be examined
    - Procedures to follow
  • Slide 15
  • Audit Checklists
    Consist of:
    - Things to be done
    - Persons who have done them
    - Reason(s) for not doing them (if any)
    - Date of execution
  • Slide 16
  • Audit Findings Worksheet
    Consists of:
    - Condition
    - Criteria
    - Cause
    - Effect
    - Recommendation
  • Slide 17
  • Audit Report
    A document issued to auditee management to record the findings of the audit and the recommended actions to rectify findings or improve controls. Consists of:
    - Audit scope
    - Executive summary
    - Background and methodology
    - Findings/issues
    - Prioritised action list, with suggested fixes and timeline
    Sample audit report: http://www.nserc-crsng.gc.ca/_doc/Reports-Rapports/Audits-Verifications/IT05Full-IT05Detaille_eng.pdf
  • Slide 18
  • COBIT
    - Was introduced to meld existing IT standards and best practices into a comprehensive structure that achieves internationally accepted governance standards
    - Encompasses the full range of IT activities and processes, which focus on the achievement of control objectives
    - Is designed to be used by different sets of entities in an organization:
      1. Top management, to ensure that value is obtained from the IT investment and that risk and control are balanced
      2. Middle management, to ensure that the management and control of IT resources are appropriate
      3. IT management, to ensure that the business strategy is supported by IT resources in a controlled and appropriately managed manner
      4. IT auditors, to evaluate the adequacy of controls, design appropriate tests to determine the controls' effectiveness, and provide management with appropriate advice on IT-related internal controls
    (Source: Cascarino, 2012)
  • Slide 19
  • COBIT Framework
    a) Planning and Organizing domain (10 processes): processes undertaken by management to ensure that the IT function is properly planned and controlled, providing assurance that IT objectives will be achieved
    b) Acquire and Implement (7 processes): processes involved in identifying solutions through to the installation and accreditation of solutions and changes
    c) Deliver and Support (13 processes): processes required to deliver the appropriate service levels, manage information and operations, and ensure appropriate performance
    d) Monitor and Evaluate (4 processes): processes required to monitor overall IT performance and ensure effective IT governance
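As an added illustration of the control-testing step in slide 8 (statistical sampling) and the finding components of slide 16, the following Python is not from the slides or from ISACA: it draws a random attribute sample from a constructed population of change tickets, computes the upper deviation limit at 95% confidence by bisection on the binomial distribution, and maps the result onto the criteria/condition/effect parts of a finding. The population, the ticket names and the 5% tolerable deviation rate are constructed assumptions.

```python
"""Attribute sampling for a control test (constructed example, not from the slides)."""
import random
from math import comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): probability of seeing at most k deviations."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n: int, deviations: int, confidence: float = 0.95) -> float:
    """Highest population deviation rate the auditor cannot rule out at the given
    confidence after seeing `deviations` failures in a sample of n (found by bisection)."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > 1 - confidence:
            lo = mid  # this rate is still plausible, so the limit lies higher
        else:
            hi = mid
    return hi


def draw_sample(population: list, size: int, seed: int = 1) -> list:
    """Statistical sampling: every ticket has an equal chance of selection."""
    return random.Random(seed).sample(population, size)


def evaluate_control(sample: list, tolerable_rate: float, confidence: float = 0.95) -> dict:
    """Turn the sample result into the criteria/condition/effect parts of a finding."""
    failed = [item["ticket"] for item in sample if not item["evidence_ok"]]
    udl = upper_deviation_limit(len(sample), len(failed), confidence)
    effective = udl <= tolerable_rate
    return {
        "criteria": f"Approval evidence present for every change; tolerable rate {tolerable_rate:.0%}",
        "condition": f"{len(failed)} of {len(sample)} sampled changes lacked approval evidence",
        "upper_deviation_limit": round(udl, 4),
        "effect": ("Control can be relied upon" if effective
                   else "Deviation rate may exceed the tolerable rate; control cannot be relied upon"),
        "control_effective": effective,
        "exceptions": failed,
    }


# Constructed population: 500 change tickets, 12 of which (every 41st) lack an approval record.
POPULATION = [{"ticket": f"CHG-{i:04d}", "evidence_ok": i % 41 != 0} for i in range(1, 501)]

if __name__ == "__main__":
    print(evaluate_control(draw_sample(POPULATION, 60), tolerable_rate=0.05))
```

A sample of 60 with zero deviations gives an upper limit just under 5%, which is why 5%-tolerable attribute tables call for roughly that sample size; a single deviation pushes the limit to about 7.7%, so the control cannot be relied upon without extending the sample.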
