S12 - Guidelines for Planning an IS Audit Christopher Chung

Similar documents
International Standard on Auditing (Ireland) 300. Planning an Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR)

1. Auditors may be independent in fact but not independent in appearance. 3. Attestation standards provide guidance for a wide variety of engagements

Sarbanes-Oxley: Company Case Study - Viacom Inc. IT General Controls - Sustaining Compliance Efforts. Anthony Noble VP, IT Internal Audit

McGraw-Hill/Irwin. Copyright 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

MODULE 2: Engagement Planning (11% 17%)

International Standards for the Professional Practice of Internal Auditing (Standards)

Chapter 06. Audit Planning, Understanding the Client, Assessing Risks, and Responding. McGraw-Hill/Irwin

CAAS 104 Cost Audit and Assurance Standard on Knowledge of Business, its Processes and the Business Environment

SRI LANKA AUDITING STANDARD 300 PLANNING AN AUDIT OF FINANCIAL STATEMENTS CONTENTS

of Financial Statements

IAASB Main Agenda (June 2004) Page Agenda Item

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Comparison of the PCAOB s Auditing Standards No. 5 and No. 2 (Certain key differences are highlighted by underlining)

Accounting 408 Exam 2, Chapters 3, 4, 5, 6, E, F

International Standards for the Professional Practice of Internal Auditing (Standards)

REPORT 2016/033 INTERNAL AUDIT DIVISION

CAAS Cost Audit and Assurance Standard on Planning an Audit of Cost Statements

Chapter 4. Risk Assessment. Copyright 2012 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin

Annual Audit Letter. Sheffield Teaching Hospitals NHS Foundation Trust. Year ending 31 March 2018

1. Corporate management (including the CEO) must certify monthly and annually their organization s internal controls over financial reporting.

Presentation by: CPA Zachary Muthui

Materiality and Risk. Chapter Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder

SRI LANKA AUDITING STANDARD 300 PLANNING AN AUDIT OF FINANCIAL STATEMENTS CONTENTS

INSTRUCTION ON METHODOLOGY ON PERFORMING FINANCIAL AUDIT AND REGULARITY AUDIT ( Official Gazette of MN, no. 07/15 from 17 th February 2015)

STUDY UNIT TEN INTERNAL AUDIT RESPONSIBILITIES FOR FRAUD

WATCH WORDS FROM THE PEER REVIEW PROCESS

Cost Auditing Standard Cost Auditing Standard on Knowledge of Business, its Processes and the Business Environment

IAASB Main Agenda (March 2005) Page Agenda Item 12-C

See your auditor clearly. Transparency report: How we perform quality audit engagements

Audrey A. Gramling Kennesaw State University. Larry E. Rittenberg. University of Wisconsin Madison. Karla M. Johnstone

AUDIT RISK ASSESSMENT AND RESPONSES TO ASSESSED RISK BY Geoffrey Byamugisha Partner, Ernst & Young. Lessons on Audit Risk. Responding to fraud risk

GAIT FOR BUSINESS AND IT RISK

CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a. AUDITING THEORY Risk Assessment and Response to Assessed Risks

Tutorial Letter 201/2/2015

This charter defines the purpose, authority and responsibility of News Corporation s (the Company ) Corporate Audit Department.

BSc (Hons) Accounting with Finance. Cohort: BACF/13/FT/Aug & BACF/13/PT Jan & BACF/12B/FT. Examinations for Semester I / 2014 Semester II

Alyssa G. Martin, CPA Brandon Tanous, CIA, Using the COSO CFE, CGAP, CRMA Framework to Develop a Strong and Preventive Control Environment

Employee Dishonesty: Prevention and Detection

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

The Auditor s Consideration of the Internal Audit Function in an Audit of Financial Statements

ACC 269 Auditing and Assurance Services

CRISC EXAM PREP COURSE: SESSION 4

IAASB Main Agenda (December 2004) Page Agenda Item

International Standard on Auditing (Ireland) 315

APPENDIX A. Audit Findings Report. For the Year ended March 31, 2016

VERSION #1 WRITE ON YOUR SCANTRON!!!

Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC

International Standard on Auditing (UK) 315 (Revised June 2016)

SRI LANKA AUDITING STANDARD 300 PLANNING AN AUDIT OF FINANCIAL STATEMENTS CONTENTS

PHILIPPINE STANDARD ON AUDITING 300 PLANNING AN AUDIT OF FINANCIAL STATEMENTS CONTENTS

REGISTERED CANDIDATE AUDITOR (RCA) TECHNICAL COMPETENCE REQUIREMENTS

Audit Risk. Exposure Draft. IFAC International Auditing and Assurance Standards Board. October Response Due Date March 31, 2003

Risk Advisory SERVICES. A holistic approach to implementing effective governance, managing risk and maintaining compliance

Auditing & Assurance Services, 7e (Louwers) Chapter 2 Professional Standards

GLOSSARY OF TERMS 1. Unauthorized access to on-line terminal devices, programs and data; The use of computer programs by unauthorized personnel; and

Planning the audit and understanding internal control

Minneapolis Public Schools Special School District No. 1 Minneapolis, Minnesota. Communications Letter of the Student Activity Accounts.

Planning an Audit of Financial Statements

SUGGESTED SOLUTIONS/ ANSWERS EXTRA ATTEMPT EXAMINATIONS, MAY of 11 AUDIT & ASSURANCE [P2] PROFESSIONAL LEVEL

Certified Internal Auditor (CIA ) Exam Syllabus

EY Center for Board Matters. Leading practices for audit committees

AUDIT RESPONSIBILITIES AND OBJECTIVES

WATCH WORDS FROM THE PEER REVIEW PROCESS

PLANNING AN AUDIT OF FINANCIAL STATEMENTS

Guide to using the work papers

Wokingham Borough Council

COSO Updates and Expectations. IIA San Diego Chapter January 8, 2014

Planning an Audit of Financial Statements

INTEGRATING FORENSIC INVESTIGATION TECHNIQUES INTO INTERNAL AUDITING

FRAUD RISK FACTORS CHECKLIST (Source: New AU Section 240, Appendix A)

Audit Quality Assurance workshop Audit Planning by: CPA Steve Obock Associate Director- KPMG Kenya March 2017

After completing this Session, you should be able to answer the following questions:

Audit Workshop Part 2 12 December 2009

EXPLORING A NEW AUDIT RISK FACTOR THE CIRCUMVENTION ASPECT

Auditing and Attestation (AUD) - Content Outline Effective January 2014

13-A. Fraud Phase II Issues Paper

INTERNATIONAL STANDARD ON AUDITING 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE CONTENTS

SUGGESTED SOLUTIONS Audit and Assurance. Certificate in Accounting and Business II Examination March 2014

AN AUDIT OF INTERNAL CONTROL THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES

County of Sutter. Management Letter. June 30, 2012

SRI LANKA AUDITING STANDARD 315 (REVISED)

INTERNAL FINANCIAL CONTROL POLICY

Utility Debt Securitization Authority

PART 6 - INTERNAL CONTROL

ECON 132A SPRING 2008 MT#2

IAASB Main Agenda (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1

Statement on February 2014 Auditing Standards 128. Using the Work of Internal Auditors

Presented by Ed Williamson and Erica Bailey

Auditing Standards and Practices Council

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

2. The auditors' report on a corporation's financial statements usually is addressed to the president of the company.

Assurance Hand Note Professional Stage-Knowledge Level By: Shafique Ahmed-Sr. Officer (Internal Audit-BSRM) Assurance

What Are Your Auditors Doing? Presented by Carrie Kennedy, Partner Travis Smith, Partner Moss Adams LLP

Annual Audit and Other Financial Matters

STANDING ADVISORY GROUP MEETING

Mapping of Original ISA 315 to New ISA 315 s Standards and Application Material (AM) Agenda Item 2-C

Transcription:

S12 - Guidelines for Planning an IS Audit Christopher Chung

IS Auditing Guidelines for Planning an IS Audit Session Objectives Agenda Information Systems Audit Planning and Scoping o Understanding Business Requirements o Knowledge of the Organization o Materiality o Risk Assessment o Internal Control Evaluation o Planning Documentation Other Considerations o Documentation and Reporting o Use of Third Parties Appendix 1

Session Objectives Session Objectives To inform Information Systems auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors To inform Management and other interested parties of the profession s expectations concerning the work of practitioners 2

Session Objectives Understanding the key areas to consider in planning for an Information Systems audit o Compliance perspective* o Operational perspective o Strategic perspective Understand the planning and scoping process o Using materiality to drive a top down risk based approach to Information Systems o Performing a risk assessment over Information Systems and related controls Understanding other considerations such as documentation and reporting Information Systems Audit 3

Information Systems Audit In planning the Information Systems audit, we should: o Plan the IS audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards o Develop and document a risk-based audit approach o Develop and document an audit plan detailing the nature and objectives, timing and extent, and resources required o Develop an audit program and procedures Information Systems Audit Information Systems audit can be: o Compliance related (e.g. testing of Information Systems controls related to SAP to support the financial audit) o Operational (e.g. testing of pharmaceutical applications used to support operational requirements over restricted access) o Strategic (e.g. review of controls and Information Systems related to de-identification of data in order to drive a strategic decision) 4

Compliance Audit Challenges o Associated costs with compliance o Changing regulations o Guidance is not always clear Examples o Sarbanes-Oxley o HIPPA o OMB A-133 audit Operational Audit Challenges o Complexity of data and transactions o Sophisticated fraud schemes o Business need for transparency o Evolving technologies / accounting standards Examples o Review of a specific department, division, or area o Review of policies, i procedures, and operational controls o Review of fraud risk 5

Strategic Audit Challenges o IT is the fundamental backbone of many businesses. o Imperative to understand the business and align core business goals with IT governance Example o Enhancing and becoming the industry s leader in security around their patients data Planning and Scoping 6

Business Requirements Relate to a specific auditing project rather than the complete plan of an audit department or group Considers the objectives of the auditee relevant to the audit area and its technology infrastructure Understand auditee s information architecture and auditee s technological direction to be able to design a plan appropriate for the present and future technology of the auditee Carry out to the extent necessary a risk assessment and prioritization of identified risks for the area under review and organization s IS environment Knowledge of the Organization Understanding audit objectives will drive the knowledge of the organization needed to appropriately plan the audit o IS vs. Business Process Knowledge of the organization should include business, financial, and inherent risks to be used to formulate the objectives and scope of the work 7

Materiality Assessment of materiality is matter of professional judgment and includes considerations of effect and/or potential effect on organization's ability to meet its business objectives in the event of errors, omissions, irregularities, and illegal acts that may raise as a result of control weaknesses in the area being audited While assessing materiality, IS auditor should consider both quantitative and qualitative factors Materiality Where IS audit objective relates to systems or operations that process financial transactions, financial auditor s measure of materiality should be considered while conducting IS audit Establish levels of planning materiality such that the audit work will be sufficient to meet the audit objectives Identify relevant control objectives and, based on risk tolerance rate, determine what should be examined A material control is a control or group of controls without which control procedures do not provide reasonable assurance that the control objective will be met 8

Materiality Examples of measures to be considered in assessing materiality Criticality of the business processes supported by the system or operation. Cost of loss of critical and vital information in terms of money and time to reproduce. Number of accesses/transactions/inquiries processed per period. Materiality Account Name At December 31, 2007 Sales and Operating Revenue $ 2,300,000 Other Income $ 200,000 Total Revenues $ 2,500,000 Purchased Goods and Products $ 40,000 Operating Expenses $ 40,000 Selling, General, and Admin Expenses $ 10,000 Depreciation, Depletion and Amortization $ 10,000 Total Costs and Other Deductions $ 100,000 Income before Tax Expense $ 2,400,000 Income Tax Expense $ 400,000 Net Income $ 2,000,000 9

Materiality Income Statement Balances At December 31, 2007 Sales and Operating Revenue $ 2,300,000 Other Income $ 200,000 Total Revenues $ 2,500,000 Purchased Goods and Products $ 40,000 Operating Expenses $ 40,000 Selling, General, and Admin Expenses $ 10,000 Depreciation, Depletion and Amortization $ 10,000 Total Costs and Other Deductions $ 100,000 Income before Tax Expense $ 2,400,000 Income Tax Expense $ 400,000 Net Income $ 2,000,000 Materiality $ 100,000 Risk Adjusted Materiality $ 50,000 Materiality Sample of Trial Balance Accounts At December 31, 2007 Quantitative Qualitative Sales $ 2,300,000 X Other Income Purchased Goods and Products $ 200,000 X $ 40,000 X Operating Expenses Selling, General, and Admin Expenses Depreciation, Depletion and Amortization $ 40,000 $ 10,000 $ 10,000 X X X Materiality $ 100,000 Risk Adjusted Materiality $ 50,000 10

Materiality Account Name At December 31, 2007 Sales and Operating Revenue Quantitat ive Qualitati ve Business Processes / Cycles $ 2,300,000 X Sales Order Management and Revenue Other Income $ 200,000 X Sales Order Management and Revenue Purchased Goods and Products Operating Expenses Depreciation, Depletion and Amortization Selling, General, and Admin Expenses $ 40,000 X Procurement through Payables $ 40,000 X Procurement through Payables Related Applications Vinosale Vinosale Easypay Easypay Related IS Environments SQL Database (VINODB) WIN2K Server (VINOPROD) SQL Database (VINODB) WIN2K Server (VINOPROD) Oracle Databse (EASYDB) Unix Server (EASYPROD) Oracle Databse (EASYDB) Unix Server (EASYPROD) $ 10,000 Fixed Asset FAS Oracle Databse (EASYDB) Unix Server (EASYPROD) $ 10,000 X Procurement through Payables Easypay Oracle Databse (EASYDB) Unix Server (EASYPROD) Materiality The IS auditor should determine the establishment of roles and responsibilities as well as a classification of information assets including: o Information stored o IS hardware o IS architecture and software o IS network infrastructure o IS operations o Development and test environment 11

Risk Assessment The IS auditor should consider the following types of risk: o Inherent risk o Control risk o Detection risk Risk Assessment Inherent Risk o The susceptibility of an audit area to error in a way that could be material, individually or in combination with others, assuming that there were no related internal controls o IS Audit ordinarily high since the potential effects of errors ordinarily spans several business systems and many users. o In assessing inherent risk, IS auditor should consider both pervasive and detailed IS controls o Example: Operating systems security has high inherent risk since changes to data or programs without internal controls could result in false management information or competitive disadvantage. 12

Risk Assessment Examples of measures to be considered at the: Pervasive IS Control Level Integrity of IS management and IS management experience and knowledge Detailed IS Control Level Findings from and date of previous audits in this area Changes in IS management Complexity of the systems involved Factors affecting the organization s industry as a whole Susceptibility to loss or misappropriation of the assets controlled by the system Risk Assessment Control Risk o The risk that an error that could occur in an audit area and could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system o Control risk should be assessed as high unless relevant controls are identified, evaluated as effective, and test and proved to be operating effectively o Example: Control risk associated with manual review of computer logs are high since activities requiring follow-up are missed due to high volume of logged information 13

Risk Assessment Detection Risk o The risk that the IS auditor s substantive procedures will not detect an error that could be material, individually or in combination with others o Example: The detection risk of identifying breaches of security is high because logs for the whole period of the audit are not available at the time of the audit Risk Assessment The higher the assessment of inherent and control risk the more audit evidence IS auditors should normally obtain from the performance of substantive audit procedures 14

Risk Assessment Our audit risk assessment should be focused to enable us to reduce to an acceptably low level the risk that there is a reasonable possibility that the company's controls will fail to prevent or detect on a timely basis such a misstatement o RA methodologies range from simple classifications of high, medium and low, to complex and apparently scientific calculations to provide a numeric risk rating In general, risk assessment techniques, in combination with other audit techniques should be considered in developing the overall audit plan and making planning decisions, such as: o Nature, timing, and extent of audit procedures o Areas or business functions to be audited o Amount of time and resources to be allocated to an audit Risk Assessment Examples of measures to be considered in selecting the most appropriate risk assessment methodology Extent to which the information required is already available Amount of additional information required to be collected before reliable output can be obtained, and the cost of collecting this information (including the time required to be invested in the collection exercise) Opinions of other users of the methodology and their views of how well it has assisted them in improving the efficiency and/or effectiveness of their audits Willingness of management to accept the methodology as the means of determining the type and level of audit work carried out 15

Risk Assessment Risk assessment documentation should include: o Description of risk assessment methodology used o Identification of significant exposures and corresponding risks o Risks and exposures the audit is intended to address o The audit evidence used to support the IS auditor s assessment of risk Internal Control Evaluation Consider internal controls either directly as part of auditing project objectives or as basis for reliance upon information being gathered as part of auditing project Consider the extent to which it will be necessary to review internal controls The IS auditor should make a preliminary evaluation of internal controls and develop the audit plan on the basis of this evaluation 16

Planning Documentation Preliminary audit program should be established by the IS auditor before the start of the work, and work papers should include the audit plan and the program Audit plan should be prepared so that it is in compliance with any appropriate external requirements in addition to IS Auditing Standards To extent appropriate, audit plan, audit program, and any subsequent changes should be approved by management Planning Documentation Planning documentation typically includes: o Review of previous audit documentation o Planning and preparation of audit scope and objectives o Minutes of management review meetings, audit committee meetings and other audit related meetings o Audit program and procedures to meet audit objectives Review documentation typically includes: o Audit steps performed and audit evidence gathered o Audit findings, conclusions and recommendations o Reports issues as a result of the audit work o Supervisory review 17

Other Considerations Reporting Materiality Issues In determining findings, conclusions and recommendations to be reported, IS auditor should consider both the materiality of any errors found and potential materiality of errors that could arise as a result of control weaknesses Where audit is used by management to obtain a statement of assurance regarding IS controls, an unqualified opinion on the adequacy of controls should mean that the controls in place are in accordance with generally accepted control practices to meet the control objectives, devoid of any material control weakness 18

Reporting Materiality Issues Control weakness should be considered material and, therefore, reportable, if the absence of the control results in failure to provide reasonable assurance that the control objective will be met If audit work identifies material control weaknesses, the IS auditor should consider issuing a qualified or adverse opinion on the audit objective Depending on the objectives of the audit, IS auditor should consider reporting to management weaknesses that are not material, particularly when the costs of strengthening the controls are low Client Examples 19

Client Example #1 After understanding business, determining materiality, performing risk assessment, internal controls evaluation, determined highrisk areas for fraud surrounding consolidation and reporting o The size and complexity of the client's operations o Recent control breakdowns at the client o The risk of misstatement based on the nature and complexity of the matter being considered Client Example #1 Planning documentation for the audit o Documentation of the audit strategy plan, including the risks and fraud considerations o Prepared a listing of the audit work to be performed o Prepared a listing of personnel, other resources, and document requests required to complete the work During the course of the audit work, considered changes to the audit plan based upon new information gathered and findings during the audit Supplemental testing around fraud considerations o Utilized Sherlock software to more accurately detect and respond to anomalies in accounting data 20

Client Example #1 Correctly identified and flagged a significant proportion of the misstated FS line items o Found $26M in misstatements due to concealment of inventory losses over multiple years Perpetrator (ex-auditor) used multiple methods used to hide fraud o Obscuring transactions using intermediate accounts o Created fraudulent transactions after the month but pre-dating them to the beginning or middle to escape review o Manipulating transactions IDs so they would be excluded by audit team extract requests Client Example #1 How does Sherlock work on general ledgers? Examines a client's general ledger data for anomalies and reports on accounts and transactions that may indicate fraud or error by using over 150 integrity checks Sherlock analyzes the general ledger (G/L) of a client in a five-step process 21

Client Example #2 New regulatory challenges, heightened risks due to the increased public scrutiny of data practices Strategic goal of enhancing and becoming the industry s leader in security around their patients data Client Example #2 Threats to Patient Privacy Risks Violated patient care & safety Unavailable systems & data Increased medical identity theft Fraud Loss of public trust Fines 22

Client Example #2 Data Proliferation Breach Indicators Protection Capabilities Active Response Recommend Proactive Initiatives Remediate Reactive Initiatives Data Proliferation Determine inventory, locations, classification levels and states (e.g., structured vs. unstructured) of patient information. Understand uses of data and how well it is safeguarded. Breach Indicators Analyze suspicious activity to identity evidence of targeted attacks or compromise of patient information. Protection Capabilities Define end-to-end safeguards for patient information. These protections should exist for all data stores and uses of patient information, including data centers and mobile devices (e.g., laptops, removable media, 3rd parties). Protections should focus on safeguards that prevent, identify or isolate suspicious uses of patient information. Compliance doesn t equal security. Compliance is the minimum level el of security. Nearly 90% of hacking tests are successful in accessing highly sensitive information. Active Response Determine scope, collect and protect evidence; minimize impact; and resume business as usual operations. Client Example #2 Planning documentation for the audit o Documentation of the audit strategy plan o Prepared a listing of the audit work to be performed o Prepared a listing of personnel, other resources, and document requests required to complete the work During course of work, evaluated the adequacy of the audit strategy 23

Client Example #2 Conducted comprehensive security and privacy reviews of two locations within the company Found common security and privacy challenges. Results of this review benefited the other locations o Lack of metrics to understand effectiveness of governance and accountability o Incident response and investigation processes not optimized to ensure timely and consistent responses o Inappropriate user roles and privileges over data Appendix 24

Appendix Additional Reference: o IS Auditing Guideline G2 Audit Evidence Requirement o IS Auditing Guideline G6 Materiality Concepts for Auditing Information Systems o IS Auditing Guideline G8 Audit Documentation o IS Auditing Guideline G15 Planning o IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning o IS Auditing Guideline G16 Effect of Third Parties on an Organization s IT Controls o COBIT Framework, Control Objectives 25

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback