
Information System and Audit


The document discusses Information System and Audit in the educational context and the current trends in ISA.


Chapter 4

Auditing in IS strategies and Management – Organization structures, Long term and short term plans, steering and other committees, HR and IT policies, Segregation of Duties etc.

The IT Infrastructure Library (ITIL) is so named as it originated as a collection of books (standards) each covering a specific 'practice' within IT management. After the initial published works, the number of publications quickly grew (within ITIL v1) to over 30 books. In order to make ITIL more accessible (and affordable) to those wishing to explore it, one of the aims of the ITIL v2 project was to consolidate the works into a number of logical 'sets' that aimed to group related sets of process guidelines for different aspects of the management of Information Technology systems, applications and services together.

The eight ITIL books and their disciplines are:

The IT Service Management sets relating to
1. Service Delivery
2. Service Support

Other operational guidance relating to
3. ICT Infrastructure Management
4. Security Management
5. The Business Perspective
6. Application Management
7. Software Asset Management

To assist with the implementation of ITIL practices a further book was published providing guidance on implementation (mainly of Service Management)
8. Planning to Implement Service Management

Details of the ITIL Framework

(a) The Service Support ITIL discipline is focused on the User of the ICT services and is primarily concerned with ensuring that they have access to the appropriate services to support the business functions. The service desk will try to resolve it, if there is a direct solution or will create an incident. Incidents initiate a chain of processes: Incident Management, Problem Management, Change Management, Release Management and Configuration Management.


(b) The goal of Problem Management is to resolve the root cause of incidents and thus to minimize the adverse impact of incidents and problems on business that are caused by errors within the IT infrastructure, and to prevent recurrence of incidents related to these errors. A 'problem' is an unknown underlying cause of one or more incidents, and a 'known error' is a problem that is successfully diagnosed and for which a work-around has been identified.

(c) Configuration Management is a process that tracks all of the individual Configuration Items (CI) in a system. A system may be as simple as a single server, or as complex as the entire IT department. Configuration Management includes:

- Creating a parts list of every CI (hardware or software) in the system.
- Defining the relationship of CIs in the system.
- Tracking of the status of each CI, both its current status and its history.
- Tracking all Requests for Change to the system.
- Verifying and ensuring that the CI parts list is complete and correct.

There are five basic activities in configuration management:

- Planning
- Identification
- Control
- Status accounting
- Verification and Audit

(d) Release Management is used for platform-independent and automated distribution of software and hardware, including license controls across the entire IT infrastructure. Proper Software and Hardware Control ensure the availability of licensed, tested, and version certified software and hardware, which will function correctly and respectively with the available hardware. Quality control during the development and implementation of new hardware and software is also the responsibility of Release Management. This guarantees that all software can be conceptually optimized to meet the demands of the business processes. The goals of release management are:

- Plan the rollout of software
- Design and implement procedures for the distribution and installation of changes to IT systems
- Effectively communicate and manage expectations of the customer during the planning and rollout of new releases
- Control the distribution and installation of changes to IT systems


(e) Service Delivery: The Service Delivery discipline is primarily concerned with the proactive and forward-looking services that the business requires of its ICT provider in order to provide adequate support to the business users. It is focused on the business as the Customer of the ICT services (compare with: Service Support). The discipline consists of the following processes, explained in subsections below:

- Service Level Management
- Capacity Management
- IT Service Continuity Management
- Availability Management
- Financial Management

(f) Service Level Management: Service Level Management provides for continual identification, monitoring and review of the levels of IT services specified in the Service Level Agreements (SLAs). Service Level Management ensures that arrangements are in place with internal IT support providers and external suppliers in the form of Operational Level Agreements (OLAs) and Underpinning Contracts (UpCs). The process involves assessing the impact of change upon service quality and SLAs.

(g) Capacity Management: Capacity Management supports the optimum and cost effective provision of IT services by helping organizations match their IT resources to the business demands. The high-level activities are Application Sizing, Workload Management, Demand Management, Modelling, Capacity Planning, Resource Management, and Performance Management.

(h) Security Management: The ITIL process Security Management describes the structured fitting of information security in the management organization. ITIL Security Management is based on the code of practice for information security management, also known as ISO/IEC 17799. A basic concept of Security Management is information security. The primary goal of information security is to guarantee safety of the information. Safety is to be protected against risks. Security is the means to be safe against risks. When protecting information it is the value of the information that has to be protected. These values are stipulated by the confidentiality, integrity and availability. Inferred aspects are privacy, anonymity and verifiability.

(i) ICT Infrastructure Management: ICT Infrastructure Management processes recommend best practice for requirements analysis, planning, design, deployment and ongoing operations management and technical support of an ICT Infrastructure. The Infrastructure Management processes describe those processes within ITIL that directly relate to the ICT equipment and software that is involved in providing ICT services to customers.

- ICT Design and Planning
- ICT Deployment
- ICT Operations
- ICT Technical Support

(j) The Business Perspective: The Business Perspective is the name given to the collection of best practices that is suggested to address some of the issues often encountered in understanding and improving IT service provision, as a part of the entire business requirement for high IS quality management. These issues are:

- Business Continuity Management describes the responsibilities and opportunities available to the business manager to improve what is, in most organizations, one of the key contributing services to business efficiency and effectiveness.
- Surviving Change. IT infrastructure changes can impact the manner in which business is conducted or the continuity of business operations. It is important that business managers take notice of these changes and ensure that steps are taken to safeguard the business from adverse side effects.
- Transformation of business practice through radical change helps to control IT and to integrate it with the business.
- Partnerships and outsourcing

(k) Application Management: ITIL Application Management set encompasses a set of best practices proposed to improve the overall quality of IT software development and support through the life-cycle of software development projects, with particular attention to gathering and defining requirements that meet business objectives.

(l) Software Asset Management: Organisations rely increasingly on technology in order to operate profitably and software as such should be treated as a valuable asset. Good Software Asset Management achieved through Best Practice enables organisations to save money through effective policies and procedures which are continuously reviewed and improved. Software Asset Management is a part of overall IT Service Management best illustrated by the IT Infrastructure Library (ITIL) guides, which is the most widely accepted approach to providing a comprehensive and consistent set of best practices.


Auditing organization

The auditing organization has the regulatory authority or is designated by the regulatory authority to perform audits, the results of which are evidence of the auditee’s compliance or non-compliance with the regulatory requirements for quality management systems. Associated with this authority are the responsibilities for management and performance of all audit activities.

The responsibilities of the auditing organization for audit management include:

a) complying with relevant regulatory requirements for audit management

b) following the principles of these guidelines

c) following applicable standards

d) training, authorizing, selecting and supervising auditors

e) establishing methods to ensure consistency in the interpretation of the regulatory requirements

f) maintaining the means of providing prompt guidance which may be required by the audit team during the audit

g) safeguarding the confidentiality of all documents and information obtained in association with the audit

h) establishing and complying with a code of ethics

i) informing the appropriate authority on decisions taken when required by the regulatory requirements

Audits do not result in a transfer of the responsibility to achieve quality objectives from the manufacturer to the auditing organization.

In conjunction with the lead auditor, the responsibilities of the auditing organization for audit performance include:

a) complying with relevant regulatory requirements for auditing

b) agreeing on the scope of the audit, including the standards or other documents to be used, with the manufacturer as necessary to comply with and as permitted by the regulatory requirements

c) planning, organizing, evaluating and reporting on the audit

d) selecting the auditors

e) agreeing to the language of the audit


f) decision making with regard to applicable regulatory requirements resulting from nonconformities discovered during the audit and subsequent verification of corrections and/or corrective actions

The responsibilities of auditors include:

a) complying with the applicable regulatory requirements for auditing

b) helping the auditee understand the regulatory requirements

c) planning and carrying out assigned responsibilities objectively, effectively and efficiently within the audit scope and in accordance with a code of ethics for auditors established and documented by the auditing organization

d) co-operating with and supporting the lead auditor

e) collecting, analyzing and, where appropriate, documenting objective evidence that is relevant and sufficient to permit the establishment of conclusions regarding compliance of the quality management system with regulatory requirements and the effectiveness of its implementation in meeting quality objectives

f) establishing the extent to which the procedures, documents and other information describing or supporting the required elements of the quality management system are known, available, understood and used by the auditee’s personnel

g) remaining alert to any indications or evidence that can influence the audit results and possibly require more extensive auditing

h) informing the lead auditor of audit findings in a timely manner

i) assisting the lead auditor in preparing the report of the audit

j) informing the lead auditor immediately of any major obstacles encountered in performing the audit

k) safeguarding the confidentiality of all documents and information obtained in association with the audit:

i) when submitting such documents to the auditing organization through the lead auditor

ii) treating privileged information with discretion

l) verifying that corrective actions have been taken and have been effective:

i) as a result of a previous audit

ii) during the audit, as feasible

iii) based on experience gained with devices on the market (e.g. post market surveillance)

iv) based on incidents of a serious nature

m) minimizing disruption to the auditee’s personnel and processes during the audit while attaining the audit's objectives

n) complying with any health and safety or other applicable requirements of the auditee


Importance of IT Audit Planning Both Short Term and Long Term

Whether it is IT audit or general audit planning, it consists of both short-term and long-term planning. Short-term audit planning involves risk and issues within that year. Long-term planning is strategic planning involving the long-term goals of IT planning.

One of the most important aspects is that IT auditors should understand the environment where the audit will be performed. The IT auditor should take into consideration systems implementations or upgrades, the technologies associated with the organization, business process owners' requirements and the IT resource limitations of the organization. One should plan for both the short term and the long term. Especially with so much change in IT, both in organization structure and in technology, planning is very important.

Today's internal auditors must provide to their audit committees explicit assurance on organizational governance, as well as meet ever-increasing demands of management and other stakeholders. They must excel as internal control and risk management experts to ensure the controls over key systems and business processes are robust and effective. To meet these high expectations, a solid staffing strategy is essential. It is the responsibility of the Chief Audit Executive (CAE) to establish an effective program for selecting and developing the internal audit team.

The skill mix, depth, and size of the audit team should be determined by the services expected by the audit committee and management in order to meet organizational needs. The resulting audit plan should be based on an assessment and ranking of risks, critical systems, and processes across the organization, and should consider the organization's long-term business objectives, expansion plans, and growth strategies; as well as short-term changes in the control environment such as M&A activities, major system implementations, and reengineering of business processes.

Audit Committee:

Audit committees are a key institution in the context of corporate governance because they help boards of directors fulfill their financial and fiduciary responsibilities to shareholders. Through their audit committees, boards of directors establish a direct line of communication between themselves and the internal and external auditors as well as the chief financial officer. Such an organizational structure and reporting responsibility in an environment of free and unrestricted access enables full boards of directors not only to gain assurance about the quality of financial reporting and audit processes, but also to approve of significant accounting policy decisions. Moreover, strong and effective audit committees, through their planning, review, and monitoring activities, can recognize problem areas and take corrective action before such problems impact the company's financial statements and investors. Thus, audit committees have an important role in helping boards of directors avoid litigation risk because such committees provide due diligence related to financial reporting.

Requirement For Audit Committees

Audit committees have long been seen as an important group in assuring greater corporate accountability in the United States. The value of such committees has been noted by the U.S. Congress, the U.S. Securities and Exchange Commission, the New York Stock Exchange, and the American Institute of Certified Public Accountants. Audit committees are required by the New York Stock Exchange, American Stock Exchange, and National Association of Securities Dealers (NASDAQ/NMS issuers).

Key recommendations and decisions in the evolution of audit committees in the United States include the following:

1940: The Securities and Exchange Commission (SEC) recommended the establishment of audit committees (Accounting Series Release No. 19). Specifically, the SEC recommended that shareholders elect the auditors at annual meetings and a committee of nonofficer directors nominate the auditors. Also, the New York Stock Exchange Board of Governors issued a similar recommendation.

1967: The executive committee of the American Institute of Certified Public Accountants (AICPA) recommended that publicly held corporations establish audit committees to nominate the auditors and discuss the audit.

1972: The SEC issued Accounting Series Release No. 123, "Standing Audit Committees Composed of Outside Directors."

1973: The New York Stock Exchange (NYSE) issued a white paper, "Recommendations and Comments on Financial Reporting to Shareholders and Related Matters," strongly recommending that each listed company form an audit committee.

1974: The SEC amended Regulation 14A dealing with the proxy rules. Registrants are required to disclose in their proxy statements the existence of audit committees and the names of the committee members.

1977: A NYSE audit committee policy statement required each domestic corporation listed on the exchange to establish and maintain an audit committee of outside directors before July 1, 1978.

1987: The National Commission on Fraudulent Financial Reporting recommended that the SEC require that all public companies have audit committees.

1987: The National Association of Securities Dealers required each NASDAQ/NMS issuer to establish an audit committee.

1991: Congress passed the Federal Deposit Insurance Corporation Improvement Act. The law provided for the establishment of audit committees for insured depository institutions that have total assets of $150,000,000 or more.

1993: American Stock Exchange required its listed companies to establish audit committees.

1994: The American Law Institute issued Principles of Corporate Governance: Analysis and Recommendations. The Institute strongly supported and endorsed the concept of audit committees.

1999: The Independence Standards Board issued its first standard, "Independence Discussions with Audit Committees," which requires independent auditors to issue an annual independence confirmation to the audit committee of the company.

1999: The SEC approved changes to its rules to implement several of the recommendations by the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees. Registrants are required to disclose information about audit committee composition and practices.

In addition to the presence of audit committees on U.S. stock exchanges, a number of stock exchanges in Canada, Europe, Africa, the Middle East, and the Asia/Pacific region have adopted audit committees. As worldwide financial markets expand and more companies are listed on major stock exchanges in different countries, the international investing public's demand for consistent and equal oversight protection through the use of audit committees will continue. In addition, international investors are concerned about the quality of corporate governance because of the impact of financial collapses and alleged frauds on securities markets.

In response, a number of stock exchanges have adopted audit committees to increase transparency and competence in the management of their listed member companies in order to deal effectively with attracting foreign equity investment.

Organization and Structure of Audit Committees:

Boards of directors form their audit committees by either passing a board resolution or amending corporate bylaws. Audit committees' responsibilities should be clearly defined and documented in their charter. Although the scope of the audit committees' responsibilities is predetermined by boards, the committees should be allowed to expand their charge with board approval and investigate significant matters that impact financial reporting disclosures.

Boards of directors should carefully give consideration to the following points with respect to their appointments of directors to audit committees:

1. Number of directors: The number of independent directors appointed to audit committees depends on the nature of the business and industry dynamics, the size of the company, and the size of the board of directors. The general consensus seems to be that three to five members are adequate.

2. Composition: Because members of audit committees have varied backgrounds and occupations, they provide a mix of skills and experience. Although the members have different levels of expertise, it is strongly advisable to have at least one individual who has a financial accounting background.

3. Meetings: Audit committees meet from one to four times each year, with three or four meetings being the most common schedules.

Nature of Audit Committees' Responsibilities:

Boards of directors define the role and responsibilities of their audit committees. This jurisdictional charge is usually disclosed in the audit committees' written charter, which includes the terms of reference, such as mission statement, membership (size and composition), term of service, frequency of meetings, scope of responsibilities, and reporting responsibilities. Audit committees are primarily responsible for the quality related to such matters as:

- External auditing process
- Internal auditing process
- Internal controls
- Conflicts of interest (code of corporate conduct, fraud presentation)
- Financial reporting process
- Regulatory and legal matters
- Other matters (interim reporting, information technology, officers' expense accounts)

Although boards of directors have defined the responsibilities of audit committees, boards may expand the scope of the audit committees' charter; however, boards should avoid diluting the committees' charge with information overload. Recognizing that audit committees operate on a part-time basis and serve in an advisory capacity to boards, it is essential that boards place limitations on the scope of the committees' charge. Such a scope limitation enables boards to evaluate the committees' performance as well as protect the committees against legal claims for their inactions that are outside their charge. An illustration of the roles and responsibilities of audit committees is disclosed in the annual proxy statement of a company.

The duties of the Audit Committee are (a) to recommend to the Board of Directors a firm of independent accountants to perform the examination of the annual financial statements of the Company; (b) to review with the independent accountants and with the Controller the proposed scope of the annual audit, past audit experience, the Company's internal audit program, recently completed internal audits and other matters bearing upon the scope of the audit; (c) to review with the independent accountants and with the Controller significant matters revealed in the course of the audit of the annual financial statements of the Company; (d) to review on a regular basis whether the Company's Standards of Business Conduct and Corporate Policies relating thereto has been communicated by the Company to all key employees of the Company and its subsidiaries throughout the world with a direction that all such key employees certify that they have read, understand and are not aware of any violation of the Standards of Business Conduct; (e) to review with the Controller any suggestions and recommendations of the independent accountants concerning the internal control standards and accounting procedures of the Company; (f) to meet on a regular basis with a representative or representatives of the Internal Audit Department of the Company and to review the Internal Audit Department's Reports of Operations; and (g) to report its activities and actions to the Board at least once each fiscal year.

The IS auditor will need to include in the scope of the audit the relevant processes for planning and organising the information systems activity and the processes for monitoring that activity. The scope of the audit will also include the internal control system(s) for the use and protection of the information and the Information Systems, as under:

a) Data
b) Application systems
c) Technology
d) Facilities
e) People

Performance of Audit Work:

The IS auditor should review the following:

a) Minutes of the meetings of the Board of Directors for audit information relating to the consideration of the matters concerning the information systems and their control and the supporting materials for any such items.
b) Minutes of the meetings of the Audit Committee reporting to the Board of Directors for audit information relating to the consideration of the matters concerning the information systems and their control and the supporting materials for any such items.

The IS auditor will need to consider whether the information obtained from the above reviews indicates coverage of the appropriate areas. The various issues / documents / statements / areas, among others, which the IS auditor will need to examine include as under:

a) IS mission statement and agreed goals and objectives for information systems activities.
b) Assessment of the risks associated with the organisation’s use of the information systems and approach to managing those risks.
c) IS strategy, plans to implement the strategy and monitoring of progress against those plans.
d) IS budgets and monitoring of variances.
e) High level policies for IS use and the protection and monitoring of compliance with these policies.
f) Major contract approval and monitoring of supplier’s performance.
g) Monitoring of performance against service level agreements.
h) Acquisition of major systems and decisions on implementation.
i) Impact of external influences on IS such as Internet, merger of suppliers or liquidation etc.
j) Control of self-assessment reports, internal and external audit reports, quality assurance reports or other reports on IS.
k) Business Continuity Planning, Testing thereof and Test results.
l) Compliance with legal and regulatory requirements.
m) Appointment, Performance Monitoring and Succession Planning for senior IS staff including internal IS audit Management and Business Process Owners.

Review of Policies and Compliance:

The IS auditor will need to consider whether the policies issued cover all of the appropriate areas for which board-level direction is necessary in order to provide reasonable assurance that the business objectives are met. Such policies on board-level direction will need to be documented ones only, and such documented policies shall, among others, include the following:

a) Security Policy
b) Human Resources Policy
c) Data Ownership Policy
d) End-user Computing Policy
e) Copyright Policy
f) Data Retention Policy
g) System Acquisition and Implementation Policy
h) Outsourcing Policy

The IS auditor will need to assess whether the policies issued are appropriate to the information system needs/requirements of the organisation. Further, the IS auditor will need to assess whether the policies are being adequately enforced, including the communication of the policies, existence and awareness of standards, procedures and methodologies to support the policies, allocation of the responsibility for enforcing the policies and the system, put in place by the organization, to monitor and report on the compliance with the policies.


Responsibilities of the Owner of the Business Process:

The IS auditor will need to review the responsibilities of the business process owners, as under, and assess whether these are appropriate to support the policies set at the Board of Directors' level.

a) Assessment of whether the business process owners have the skills, experience and resources necessary to fulfill this role.

b) Review of the information received by the business process owners and to assess whether it is appropriate to enable them to discharge their responsibilities and to monitor compliance with the policies. Information that may be considered appropriate includes as under:

i) Reports of attempted access to the systems supporting business processes and follow-up action taken.
ii) Reports of changes to user access rights, including new users and those whose access rights have been removed.
iii) Reports of the results of business continuity tests and follow-up action taken.
iv) Reports on the results of feasibility studies and tendering processes for systems acquisition.
v) Reports of the results of user acceptance testing of new systems or changes to the existing systems.
vi) Reports on performance against agreed service levels.
vii) Statistics on the availability, number of failures, number of system changes requested and implemented etc.
viii) Status of system changes in progress.
ix) Reports of changes to corporate data dictionary entries.

c) Assessment of the system which produces the above information and its reliability, integrity and potential for management override.

d) Where the organisation has internal audit resources, which is an important element of the corporate governance process, assessment whether the appropriate level of the involvement of the internal audit resources has been provided.

Consideration of External Factors:

Corporate governance of the information systems involves directing as well as controlling. The industry in which the organisation operates, trends in the IS industry and the social and political changes may influence the benefits which the organisation can obtain from the use of the information systems. The IS auditor will need to verify that the organization has put in place the procedures to monitor the external factors which are relevant to the organization. The IS auditor will also need to verify whether the material issues, which require all computerised organisations to assess their potential effects well in advance, current at the time of the audit exercise, are under active consideration at the appropriate level. The organisation has to plan appropriate actions to avoid the potential material adverse effects of such issues. In case such issues are not being actively considered at the appropriate level in the organisation, the IS auditor will need to promptly report this matter to the designated authority/ies in the organisation.

IS Specialist Staff:

The IS auditor will need to consider the position or functions of the IS specialist staff in the organisation and assess whether this is appropriate to enable the organisation to make the best use of IS to achieve its business objectives. The control of the information systems, even in decentralised and end-user run environments, should include segregation of conflicting duties. The IS auditor will need to assess whether the management of the IS specialists and the non-specialists with IS responsibilities is adequate to address the risks to the organisation from the errors, omissions, irregularities or illegal acts.

Reporting:

The IS auditor will need to address reports on the corporate governance of the information systems to the Audit Committee/Board of Directors or any other designated authority in the organisation. In case of detection/identification of failures in corporate governance, the same will need to be urgently reported to the designated authority in the organisation. The IS audit report on corporate governance of information systems should, among others, include the following:

a) A statement that the Board of Directors is responsible for the organisation’s Information Systems and formulation and implementation of the system of internal controls.
b) A statement that a system of internal controls can only provide reasonable and not absolute assurance against material misstatement or loss.
c) A description of the key procedures, which the Board of Directors has approved/established, to provide effective internal control and the related supporting documentation presented to the Board of Directors.
d) Information on any non-compliance with the national or industry codes of practice for corporate governance.
e) Information on any major uncontrolled risks.
f) Information on any ineffective or inefficient control structures or control measures together with the IS auditor’s recommendations for improvement.
g) The IS auditor’s overall conclusion on the corporate governance of the information systems, as defined in the scope of audit.


Follow-up Activities:

The weaknesses, if any, in the system of corporate governance of information and information systems can cause wide ranging and high risk effects in the organisation. The IS auditor will therefore need to, where appropriate, carry out sufficient, timely follow-up work to verify that the management action is taken promptly to address such weaknesses.