
Conducting the IT Audit

Revised on 2014


Content

• ISACA IT Audit Standards, Guidelines and Procedures

• IT Audit Lifecycle

• Audit Work papers

• Using COBIT framework to perform audit

CISB424, Sulfeeza


ISACA IT Audit Standards, Guidelines and Procedures

IT Assurance Framework (ITAF)

A comprehensive and good-practice-setting reference model that:

1. Establishes standards that address IS audit and assurance professional roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements

2. Defines terms and concepts specific to IS assurance

3. Provides guidance and tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments

(Source: ISACA)



ISACA IT Audit Standards, Guidelines and Procedures

IT Assurance Framework (ITAF) provides three (3) levels of guidance:

A) Standards – define mandatory requirements for IT auditing and reporting. ITAF IS audit and assurance standards are divided into three (3) categories:

1. General standards (1000 series) – the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill.

2. Performance standards (1200 series) – deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care.

3. Reporting standards (1400 series) – address the types of reports, means of communication and the information communicated.

(Source: ISACA; Cascarino, 2012)



ISACA IT Audit Standards, Guidelines and Procedures

IT Assurance Framework (ITAF) provides three (3) levels of guidance and procedures:

B) Guidelines – provide guidance in applying IT audit standards. ITAF IS audit and assurance guidelines are also divided into three (3) categories:

1. General guidelines (2000 series)

2. Performance guidelines (2200 series)

3. Reporting guidelines (2400 series)

C) Tools and techniques (Section 3000) – provide specific information on various methodologies, tools and templates, and provide direction in their application and use to operationalize the information provided in the guidance.

(Source: ISACA; Cascarino, 2012)



IT Audit Lifecycle

1. Audit Planning & Preparation

2. Audit Execution

3. Audit Follow-up



IT Audit Lifecycle – Planning & Preparation


Planning

1. Identification of audit objectives, scope, tasks and duration

2. Preliminary study of the auditee’s operations and environment

Auditor assignment

1. Selection of audit team members

2. Allocation of tasks to each team member

3. Deciding when tasks should commence

4. Estimation of duration for each task based on the allocated auditors

Audit request

1. Engagement letter to auditee


IT Audit Lifecycle – Execution


Fieldwork

1. Review of risks and internal controls implemented

2. Testing of controls. Sampling approaches:

• Non-statistical/judgmental sampling

• Statistical sampling

3. Risk assessment

4. Identification and development of findings. Components of a finding:

Criteria
• The standards against which observed conditions will be measured

Conditions
• The actual observations made during audit testing

Effects
• The impact to the business associated with the observed problem

Cause
• The reasons for the internal control failures

Solution development

1. Propose recommendations:

a. No changes

b. Improve control

c. Transfer of risk

Recommendation approaches:

Recommendation Approach
• Auditors provide recommendations for the raised issues
• Auditors inquire whether the auditees agree with the proposed recommendations

Management-Response Approach
• Auditors highlight issues
• Auditees provide the responses and action plans

Solution Approach
• Collaborative work between auditors and auditees in coming up with solutions to resolve the issues

Report Issuance

1. Conduct exit meeting:

a) To discuss the findings, recommendations, and text of the draft.

b) The auditees may comment on the draft, and the group works to reach an agreement on the audit findings.

2. Draft Report

3. Final Report


IT Audit Lifecycle – Follow Up


Recommendations Evaluation

1. Determine and assess whether audit recommendations have been implemented

2. Follow-up report development and issuance

Self-assessment

1. Perform self-assessment on the audit assignment


Audit work papers

Objectives:

1. Document the planning, performance, and review of audit work – include audit planning and scoping decisions, testing methodologies and results, and evidence of review and completion of audit program work steps.

2. Provide the principal support for audit communication such as observations, conclusions, and the final report – contain sufficient competent, relevant, and useful information to provide a sound basis (act as evidence) for engagement observations and recommendations to support the auditor's assessment.

3. Facilitate third-party reviews and re-performance requirements – provide an audit trail that enables a technically competent individual who has no experience with the prior audit to re-perform the procedures.

4. Provide a basis for evaluating the internal audit activity's quality control program – a tangible representation of the project that can be assessed during the quality review.

(Source: Practice Advisory 2330-1: Recording Information, from the International Standards for the Professional Practice of Internal Auditing (Standards))



Audit work papers

• The work papers serve as the connecting link between the audit assignment, the auditor's fieldwork, and the final report.

• Therefore, the work papers will:

a) Provide documentation of evidence

b) Support findings and recommendations



Work papers and audit cycle


Audit phase – Work papers produced

1. Audit Planning & Preparation – 1. Audit plan; 2. Audit program

2. Audit Execution – 1. Audit working papers; 2. Draft audit report; 3. Final audit report

3. Audit Follow-up – 1. Follow-up checklist; 2. Follow-up report


Audit Plan

• A detailed outline of the auditor's plans and procedures used in conducting an audit.

• An audit plan will include the following items:

– the audit objectives and scope of work

– background information about the activities to be audited, including the risks associated with the area

– the resources necessary to perform the audit

– the names of individuals who need to know about the audit

– the results, if appropriate, of an on-site survey to become familiar with the activities and controls to be audited, to identify areas for audit emphasis, and to invite auditee comments and suggestions

– the audit program

– how, when, and to whom audit results will be communicated



Audit Program

• The detailed step-by-step procedures to be followed during an audit.

• Consists of:

– Audit concerns

– Audit objectives

– Evidence to be examined

– Procedures to follow



Audit Checklists

• Consists of:

– Things to be done

– Persons who have done them

– Reason(s) for not doing them (if any)

– Date of execution



Audit Findings Worksheet

• Consists of:

– Condition

– Criteria

– Cause

– Effect

– Recommendation



Audit Report

• A document that is issued to auditee management to record the findings of the audit and the recommended actions to rectify findings or improve controls.

• Consists of:

– Audit Scope

– Executive Summary

– Background and methodology

– Findings/Issues

– Prioritised action list, with suggested fixes and timeline

• Sample audit report: http://www.nserc-crsng.gc.ca/_doc/Reports-Rapports/Audits-Verifications/IT05Full-IT05Detaille_eng.pdf



COBIT®


• Was introduced to meld existing IT standards and best practices into a comprehensive structure to achieve internationally accepted governance standards

• Encompasses the full range of IT activities and processes, which focus on the achievement of control objectives

• Is designed to be utilized by different sets of entities in an organization:

1. Top management – to ensure value is obtained from the IT investment, and that risk and control are balanced

2. Middle management – to ensure that management and control of IT resources is appropriate

3. IT management – to ensure that business strategy is supported by IT resources in a controlled and appropriately managed manner

4. IT auditor – to evaluate the adequacy of controls, design appropriate tests to determine the controls’ effectiveness, and provide management with appropriate advice on the IT related internal controls

(Source: Cascarino, 2012)


COBIT® Framework


a) Planning and Organizing Domain (10 processes) – processes undertaken by management in order to ensure that the IT function is properly planned and controlled, to provide assurance that IT objectives will be achieved

b) Acquire and Implement (7 processes) – processes involved in identifying solutions through to the installation and accreditation of solutions and changes

c) Deliver and Support (13 processes) – processes required to deliver the appropriate service levels, manage information and operations, and ensure appropriate performance

d) Monitor and Evaluate (4 processes) – processes required to monitor the overall IT performance and ensure effective IT governance

