Is Audit Process Wiki

8/3/2019 Is Audit Process Wiki

An information system (IS) audit or information technology (IT) audit is an examination of the controls within an entity's information technology infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. It is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. Evaluating the evidence obtained can establish whether the organization's information systems safeguard assets, maintain data integrity, and are operating effectively and efficiently to achieve the organization's goals or objectives.

An IS audit is not entirely similar to a financial statement audit. An evaluation of internal controls may or may not take place in an IS audit. Reliance on internal controls is a unique characteristic of a financial audit. An evaluation of internal controls is necessary in a financial audit in order to allow the auditor to place reliance on the internal controls and therefore substantially reduce the amount of testing necessary to form an opinion regarding the financial statements of the company. An IS audit, on the other hand, tends to focus on determining risks that are relevant to information assets and on assessing controls in order to reduce or mitigate these risks. An IT audit may take the form of a "general control review" or a "specific control review". Regarding the protection of information assets, one purpose of an IS audit is to review and evaluate an organization's information system's availability, confidentiality, and integrity by answering the following questions:

1. Will the organization's computerized systems be available for the business at all times when required? (Availability)
2. Will the information in the systems be disclosed only to authorized users? (Confidentiality)
3. Will the information provided by the system always be accurate, reliable, and timely? (Integrity)

The performance of an IS Audit covers several facets of the financial and organizational functions of our Clients. The diagram to the right gives an overview of the Information Systems Audit flow: from Financial Statements to the Control Environment and Information Systems Platforms.

Information Systems Audit Methodology

Our methodology has been developed in accordance with International Information Systems Audit Standards, e.g. the ISACA Information Systems Audit Standards and Guidelines and the Sarbanes-Oxley COSO Standard. The starting point of this methodology is to carry out planning activities that are geared towards integrating a Risk Based Audit Approach into the IS Audit.

PHASE 1: Audit Planning

In this phase we plan the information system coverage to comply with the audit objectives specified by the Client and ensure compliance with all Laws and Professional Standards. The first step is to obtain an Audit Charter from the Client detailing the purpose of the audit and the management responsibility, authority and accountability of the Information Systems Audit function, as follows:

1. Responsibility: The Audit Charter should define the mission, aims, goals and objectives of the Information System Audit. At this stage we also define the Key Performance Indicators and an Audit Evaluation process;
2. Authority: The Audit Charter should clearly specify the Authority assigned to the Information Systems Auditors in relation to the Risk Assessment work that will be carried out, the right to access the Client's information, the scope and/or limitations to the scope, the Client's functions to be audited and the auditee expectations; and
3. Accountability: The Audit Charter should clearly define reporting lines, appraisals, assessment of compliance and agreed actions.

The Audit Charter should be approved and agreed upon by an appropriate level within the Client's Organization.

See Template for an Audit Charter/Engagement Letter here.

In addition to the Audit Charter, we should be able to obtain a written representation (Letter of Representation) from the Client's Management acknowledging:

1. Their responsibility for the design and implementation of the Internal Control Systems affecting the IT Systems and processes;
2. Their willingness to disclose to the Information Systems Auditor their knowledge of irregularities and/or illegal acts affecting their organisation pertaining to management and employees with significant roles within the internal audit department;
3. Their willingness to disclose to the IS Auditor the results of any risk assessment that a material misstatement may have occurred.

See a Template for a Letter of Representation here.

PHASE 2: Risk Assessment and Business Process Analysis

Risk is the possibility of an act or event occurring that would have an adverse effect on the organisation and its information systems. Risk can also be the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss of, or damage to, the assets. It is ordinarily measured by a combination of effect and likelihood of occurrence.

More and more organisations are moving to a risk-based audit approach that can be adapted to develop and improve the continuous audit process. This approach is used to assess risk and to assist an IS auditor's decision to do either compliance testing or substantive testing. In a risk based audit approach, IS auditors are not just relying on risk. They are also relying on internal and operational controls as well as knowledge of the organisation. This type of risk assessment decision can help relate the cost/benefit analysis of the control to the known risk, allowing practical choices.

The process of quantifying risk is called Risk Assessment. Risk Assessment is useful in making decisions such as:

1. The area/business function to be audited
2. The nature, extent and timing of audit procedures
3. The amount of resources to be allocated to an audit

The following types of risks should be considered:

Inherent Risk: Inherent risk is the susceptibility of an audit area to error which could be material, individually or in combination with other errors, assuming that there were no related internal controls. In assessing the inherent risk, the IS auditor should consider both pervasive and detailed IS controls. This does not apply to circumstances where the IS auditor's assignment is related to pervasive IS controls only. Pervasive IS Controls are general controls which are designed to manage and monitor the IS environment and which therefore affect all IS-related activities. Some of the pervasive IS Controls that an auditor may consider include:

- The integrity of IS management and IS management experience and knowledge
- Changes in IS management
- Pressures on IS management which may predispose them to conceal or misstate information (e.g. large business-critical project over-runs, and hacker activity)
- The nature of the organisation's business and systems (e.g., the plans for electronic commerce, the complexity of the systems, and the lack of integrated systems)
- Factors affecting the organisation's industry as a whole (e.g., changes in technology, and IS staff availability)
- The level of third party influence on the control of the systems being audited (e.g., because of supply chain integration, outsourced IS processes, joint business ventures, and direct access by customers)
- Findings from and date of previous audits

A detailed IS control is a control over acquisition, implementation, delivery and support of IS systems and services. The IS auditor should consider, to the level appropriate for the audit area in question:

- The findings from and date of previous audits in this area
- The complexity of the systems involved
- The level of manual intervention required
- The susceptibility to loss or misappropriation of the assets controlled by the system (e.g., inventory, and payroll)
- The likelihood of activity peaks at certain times in the audit period
- Activities outside the day-to-day routine of IS processing (e.g., the use of operating system utilities to amend data)
- The integrity, experience and skills of the management and staff involved in applying the IS controls

Control Risk: Control risk is the risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system. For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed owing to the volume of logged information. The control risk associated with computerised data validation procedures is ordinarily low because the processes are consistently applied. The IS auditor should assess the control risk as high unless relevant internal controls are:

- Identified
- Evaluated as effective
- Tested and proved to be operating appropriately

Detection Risk: Detection risk is the risk that the IS auditor's substantive procedures will not detect an error which could be material, individually or in combination with other errors. In determining the level of substantive testing required, the IS auditor should consider both:

- The assessment of inherent risk
- The conclusion reached on control risk following compliance testing

The higher the assessment of inherent and control risk, the more audit evidence the IS auditor should normally obtain from the performance of substantive audit procedures.

Our Risk Based Information Systems Audit Approach

A risk based approach to an Information Systems Audit will enable us to develop an overall and effective IS Audit plan which will consider all the potential weaknesses and/or absence of Controls and determine whether this could lead to a significant deficiency or material weakness.

In order to perform an effective Risk Assessment, we will need to understand the Client's Business Environment and Operations. Usually the first phase in carrying out a Risk Based IS Audit is to obtain an understanding of the Audit Universe. In understanding the Audit Universe we perform the following:

- Identify areas where the risk is unacceptably high
- Identify critical control systems that address high inherent risks
- Assess the uncertainty that exists in relation to the critical control systems

In carrying out the Business Process Analysis we:

- Obtain an understanding of the Client's Business Processes
- Map the Internal Control Environment
- Identify areas of Control Weaknesses

The chart to the right summarises the business process analysis phase.

http://wikieducator.org/File:BusinessAnalysisFlowChat.jpg

The template xxx will provide you with a guideline to document an Organisation's Business Sub Processes identified during the risk analysis phase. For each of the sub-processes, we identify a list of What Could Go Wrong (WCGW). A WCGW represents a threat existing on a particular process. A single process would have multiple WCGWs. For each of the WCGWs identified in the prior phase we will determine the Key Activities within that process. For each Key Activity:

1. We will identify the Information Systems Controls.
2. For each of the Controls identified, we will rate the impact/effect of the lack of that control (on a rating of 1 - 5, with 5 indicating the highest impact); we will then determine the likelihood of the threat occurring (also on a rating of 1 - 5, with 5 representing the highest likelihood).

PHASE 3: Performance of Audit Work

In the performance of Audit Work the Information Systems Audit Standards require us to provide supervision, gather audit evidence and document our audit work. We achieve this objective through:

- Establishing an Internal Review Process where the work of one person is reviewed by another, preferably a more senior person.
- Obtaining sufficient, reliable and relevant evidence through Inspection, Observation, Inquiry, Confirmation and recomputation of calculations.
- Documenting our work by describing the audit work done and the audit evidence gathered to support the auditor's findings.

http://wikieducator.org/File:ControlFramework.jpg

Based on our risk assessment and upon the identification of the risky areas, we move ahead to develop an Audit Plan and Audit Program. The Audit Plan will detail the nature, objectives, timing and the extent of the resources required in the audit.

See Template for a Sample Audit Plan.

Based on the compliance testing carried out in the prior phase, we develop an audit program detailing the nature, timing and extent of the audit procedures. In the Audit Plan various Control Tests and Reviews can be done. They are sub-divided into:

1. General/Pervasive Controls
2. Specific Controls

The chart below to the left shows the Control Review Tests that can be performed for the two categories of Control Tests above.

Control Objectives for Information and related Technology (COBIT)

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992.

COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

COBIT helps meet the multiple needs of management by bridging the gaps between business risks, control needs and technical issues. It provides a best practices framework for managing IT resources and presents management control activities in a manageable and logical structure. This framework will help optimise information technology investments and will provide a suitable benchmark measure.

http://wikieducator.org/File:CobitOverview.jpg

The Framework comprises a set of 34 high-level Control Objectives, one for each of the IT processes listed in the framework. These are then grouped into four domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring. This structure covers all aspects of information processing and storage and the technology that supports it. By addressing these 34 high-level control objectives, we will ensure that an adequate control system is provided for the IT environment. A diagrammatic representation of the framework is shown below.

We shall apply the COBIT framework in planning, executing and reporting the results of the audit. This will enable us to review the General Controls associated with IT Governance Issues. Our review shall cover the following domains:

- Planning and organisation of information resources;
- The planning and acquisition of systems and path in stage growth model of information systems;
- The delivery and support of the IS/IT including facilities, operations, utilisation and access;
- Monitoring of the processes surrounding the information systems;
- The level of effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability associated with the information held in; and
- The level of utilisation of IT resources available within the environment of the IS including people, the application systems of interface, technology, facilities and data.

The above control objectives will be matched with the business control objectives to apply specific audit procedures that will provide information on the controls built into the application, indicating areas of improvement that we need to focus on achieving.

Application Control Review

An Application Control Review will provide management with reasonable assurance that transactions are processed as intended and the information from the system is accurate, complete and timely. An Application Controls review will check:

- Controls effectiveness and efficiency
- Application security
- Whether the application performs as expected

A Review of the Application Controls will cover an evaluation of a transaction life cycle from Data origination, preparation, input, transmission, processing and output as follows:

1. Data Origination controls are controls established to prepare and authorize data to be entered into an application. The evaluation will involve a review of source document design and storage, User procedures and manuals, Special purpose forms, Transaction ID codes, Cross reference indices and Alternate documents where applicable. It will also involve a review of the authorization procedures and separation of duties in the data capture process.
2. Input preparation controls are controls relating to Transaction numbering, Batch serial numbering, Processing, Logs analysis and a review of transmittal and turnaround documents.
3. Transmission controls involve batch proofing and balancing, Processing schedules, Review of Error messages, corrections monitoring and transaction security.
4. Processing controls ensure the integrity of the data as it undergoes the processing phase, including Relational Database Controls, Data Storage and Retrieval.
5. Output controls involve procedures relating to report distribution, reconciliation, output error processing and records retention.

The use of Computer Aided Audit Techniques (CAATs) in the performance of an IS Audit

The Information Systems Audit Standards require that during the course of an audit the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by the appropriate analysis and interpretation of this evidence. CAATs are useful in achieving this objective.

Computer Assisted Audit Techniques (CAATs) are important tools for the IS auditor in performing audits. They include many types of tools and techniques, such as generalized audit software, utility software, test data, application software tracing and mapping, and audit expert systems. For us, our CAATs include ACL Data Analysis Software and the Information Systems Audit Toolkit (ISAT).

CAATs may be used in performing various audit procedures including:

- Tests of details of transactions and balances (Substantive Tests)
- Analytical review procedures
- Compliance tests of IS general controls
- Compliance tests of IS application controls

CAATs may produce a large proportion of the audit evidence developed on IS audits and, as a result, the IS auditor should carefully plan for and exhibit due professional care in the use of CAATs. The major steps to be undertaken by the IS auditor in preparing for the application of the selected CAATs are:

- Set the audit objectives of the CAATs
- Determine the accessibility and availability of the organisation's IS facilities, programs/system and data
- Define the procedures to be undertaken (e.g., statistical sampling, recalculation, confirmation, etc.)
- Define output requirements
- Determine resource requirements, i.e., personnel, CAATs, processing environment (organisation's IS facilities or audit IS facilities)
- Obtain access to the client's IS facilities, programs/system, and data, including file definitions
- Document CAATs to be used, including objectives, high-level flowcharts, and run instructions
- Make appropriate arrangements with the Auditee and ensure that:

1. Data files, such as detailed transaction files, are retained and made available before the onset of the audit.
2. You have obtained sufficient rights to the client's IS facilities, programs/system, and data.
3. Tests have been properly scheduled to minimise the effect on the organisation's production environment.
4. The effect of changes to the production programs/system has been properly considered.

See Template here for example tests that you can perform with ACL.
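As an added illustration of the substantive tests and application-control tests described above (transaction numbering, batch serial totals, and authorisation/separation of duties), the following is constructed example code, not the page's ACL or ISAT toolkit; the transaction file, user names and control totals are made-up sample data:

```python
"""Constructed CAAT-style tests over a small transaction file (sample data, not client data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_no: int        # sequential transaction number assigned at data origination
    batch: str         # batch serial number from the transmittal document
    amount: float
    prepared_by: str   # user who captured the transaction
    approved_by: str   # user who authorised it


# Constructed sample file: 1004 is missing, 1006 is posted twice,
# 1005 was approved by its own preparer, and the duplicate inflates batch B2.
SAMPLE_TXNS = [
    Txn(1001, "B1", 250.00, "alice", "carol"),
    Txn(1002, "B1", 125.50, "bob", "carol"),
    Txn(1003, "B1", 74.50, "alice", "carol"),
    Txn(1005, "B2", 900.00, "bob", "bob"),
    Txn(1006, "B2", 60.00, "alice", "carol"),
    Txn(1006, "B2", 60.00, "alice", "carol"),
]
# Control totals as recorded on the (constructed) batch transmittal documents.
CONTROL_TOTALS = {"B1": 450.00, "B2": 960.00}


def sequence_gaps(txns):
    """Transaction numbers missing between the lowest and highest seen (sequence check)."""
    seen = {t.txn_no for t in txns}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def duplicate_numbers(txns):
    """Transaction numbers that appear more than once (possible double posting)."""
    return sorted(n for n, c in Counter(t.txn_no for t in txns).items() if c > 1)


def self_approved(txns):
    """Transactions where preparer and approver are the same user (separation of duties)."""
    return [t.txn_no for t in txns if t.prepared_by == t.approved_by]


def batch_total_exceptions(txns, control_totals):
    """Batches whose recomputed total disagrees with the transmittal control total."""
    totals = defaultdict(float)
    for t in txns:
        totals[t.batch] += t.amount
    return {
        b: (round(totals[b], 2), ctl)
        for b, ctl in control_totals.items()
        if round(totals[b], 2) != round(ctl, 2)
    }


def run_caat(txns, control_totals):
    """Run all tests and return the exceptions for the audit working papers."""
    return {
        "gaps": sequence_gaps(txns),
        "duplicates": duplicate_numbers(txns),
        "self_approved": self_approved(txns),
        "batch_exceptions": batch_total_exceptions(txns, control_totals),
    }


if __name__ == "__main__":
    for test, result in run_caat(SAMPLE_TXNS, CONTROL_TOTALS).items():
        print(f"{test}: {result}")
```

Each exception the run produces is a candidate finding for the working papers; the batch exception shows how a duplicate posting surfaces twice, once in the sequence test and once in the recomputed total.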

PHASE 4: Reporting

Upon the performance of the audit tests, the Information Systems Auditor is required to produce an appropriate report communicating the results of the IS Audit. An IS Audit report should:

1. Identify the organization, intended recipients and any restrictions on circulation
2. State the scope, objectives, period of coverage, nature, timing and the extent of the audit work
3. State findings, conclusions, recommendations and any reservations, qualifications and limitations
4. Provide audit evidence