Audit Chapter 18
Overview Understand the concepts of audit; understand the need for controls and internal controls; understand and apply the principles of audit.
IT Audit IT auditing is the evaluation of information systems, practices, and operations to assure the integrity of an entity's information. Such evaluation can include assessment of the efficiency, effectiveness, and economy of computer-based practices, with the computer as an audit tool.
IT Audit IT auditing is a profession with conduct, aims, and qualities that are characterized by worldwide technical standards, an ethical set of rules (ISACA Code of Ethics), and a professional certification program (Certified Information Systems Auditor, CISA). It is an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems.
IT Audit Companies require systems, structures, and processes to operate globally. A system represents a set of dependent elements forming a single unitary entity. It can be defined by the following elements: inputs, outputs, transformation process, system structure, and its state. A process is nothing more than a structured set of activities and decisions to do a certain job.
Risks Risks associated with automated applications include: weak security; unauthorized access to data; unauthorized remote access; inaccurate information; erroneous or falsified data input; misuse by authorized end users.
Risks Risks associated with automated applications include: incomplete processing; duplicate transactions; untimely processing; communications system failure; inadequate training; inadequate support.
System Planners System planners must ensure that provisions are made for: an adequate audit trail so that transactions can be traced forward and backward through the system; ensuring that technology provided by different vendors is compatible and controlled; adequately designed and controlled databases to ensure that common definitions of data are used throughout the organization, that redundancy is eliminated or controlled, and that data existing in multiple databases is updated concurrently.
System Planners System planners must ensure that provisions are made for: handling exceptions to, and rejections from, the computer system; unit and integrated testing, with controls in place to determine whether the systems perform as planned and meet the business objectives; controls over changes to the computer system to determine whether the proper authorization has been given and documented; adequate controls between interconnected computer systems.
System Planners System planners must ensure that provisions are made for: adequate security procedures to protect the data and availability of data on demand; authorization procedures for system overrides and documentation of those processes; determining whether organization and government policies and procedures are adhered to in system implementation; backup and recovery procedures for the operation of the system and subsystems with assurance of business continuity.
Audit The audit is the process through which competent and independent persons collect and evaluate evidence to validate an opinion regarding the degree of correspondence between the observed events and things and pre-established criteria.
Audit Auditing is defined as a systematic process of objectively obtaining and evaluating evidence regarding the current condition of an entity, area, process, financial account or control and comparing it to predetermined, accepted criteria and communicating the results to the intended users.
Audit - Types The various types of audits include the following. A quality system audit measures an organization's capability to meet the quality requirements. Management audits are carried out to validate that the business strategic plan reflects the business objectives. A process audit verifies the validity of a process to deliver the expected output.
Audit - Types The various types of audits include the following. System audits are carried out to ensure a business management system is sufficiently comprehensive to control all of the activities within that business. Procedural audits verify the documented practices and their completeness to ensure the implementation of approved policies and that they are capable of controlling the organisation's operations.
ISO 9001:2000 ISO 9001:2000 defines audit to be of three types. First-party audits are audits of an organization, or parts of an organization, by personnel employed by that organization. These audits are usually referred to as internal audits. Members of a business evaluate their own processes with established criteria with respect to their organization.
ISO 9001:2000 ISO 9001:2000 defines audit to be of three types. Second-party audits are carried out by customers upon their suppliers and are completed by an organization independent of the organization being audited. These audits are usually referred to as external audits or vendor audits.
ISO 9001:2000 ISO 9001:2000 defines audit to be of three types. Third-party audits are carried out by personnel who are connected to neither the customer nor the supplier. They are usually employees of certification bodies or registrars such as BSI, etc.
Computer based audit Computer-based auditing has traditionally been considered from two perspectives. A systems-based approach can be used to test the application controls to determine if the system is performing as intended. A data-based approach focuses on the data and is commonly called transaction- or data-based auditing.
IT Audit IT audit is the process of collecting and evaluating evidence to determine whether an information system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively, and use resources efficiently. It analyzes the systems and the networks with a view to measuring the efficiency of technical and procedural controls in order to minimize the risks.
IT Audit IT audit entails the systematic examination of the information resources, information use, information flows, and the management of these in an organization. It is an important element in the process of feedback. It is an instrument of evaluation and provides information that can be used to plan and implement corrective actions.
Audit Team Two components are necessary for an audit to be successful. The first is an auditor with the right skills, education, and experience. The second is the audit process itself. A group of auditors will form an audit team.
Audit Team Audit teams are composed with consideration to the type, content, and extent of the audit to be conducted. An audit team is made up of employees, one of whom has to act as audit lead. The audit lead should be nominated early.
Audit Team The audit manager is responsible for selecting the audit teams. When selecting the audit team members, consideration should be given to audit content, cultural group, and linguistic requirements, as well as personal aspects.
Audit Documentation Audit documentation is the written record that supports the auditor's representations and conclusions. It serves as a basis for review and is used to plan and perform the engagement. It includes records of planning and performing the work, as well as a record of the procedures performed and evidence obtained.
Audit Schedule Audit departments create annual audit schedules to gain agreement from the board on audit areas, communicate the audit areas with the functional departments, and create a project/resource plan for the year. The schedule should be linked to current business objectives and risks based on their relative cost in terms of potential loss of goodwill, etc.
Audit Plan Planning covers both administration of the audit office and administration of the audit assignment. For successful audits, we need to know what we want to achieve (audit objectives), determine what procedures we should follow (audit methodology), and assign qualified staff to the audit (resource allocation).
Audit Preparation Audit preparation is composed of all the work that is involved in initiating an audit. The functions include audit selection, definition of audit scope, initial contacts and communication with auditees, and audit team selection. Audit scope should clearly state the process areas, controls, geographic or functional area, time period, and other specifics to delineate the area to be reviewed.
Audit Procedures Audit procedures are the activities that the auditor performs to obtain sufficient, competent evidence to ensure a reasonable basis for the audit opinion. Firstly, they are detective control mechanisms by which auditors identify and investigate variances or deviations from predetermined standards.
Audit Procedures Secondly, audit procedures are used as preventive control mechanisms because the expectation of an audit should deter individuals from engaging in fraudulent financial reporting or making careless errors.
Internal Audit The internal audit function is a control function within a company or organization. The primary purpose of the internal audit function is to assure that management-authorized controls are being applied effectively. Internal audit is part of the internal monitoring system of an organization.
Audit Findings Audit findings should be formally documented and include the process area audited, the objective of the process, the control objective, the results of the test of that control, and a recommendation in the case of a control deficiency. The form serves the purpose of documenting both control strengths and weaknesses and can be used to review the control issue with the responsible IT manager to agree on corrective action.
Audit Reports A formal communication issued by the audit department describing the results of the audit is called an audit report. The audit report should include the audit scope and objectives, a description of the audit subject, a narrative of the audit work activity performed, conclusions, findings, and recommendations.
Internal controls Internal control consists of five interrelated components as follows: control (or operating) environment; risk assessment; control activities; information and communication; monitoring.
IT controls General controls; application controls; management controls. Nature of controls: preventive controls; detective analytical controls; corrective controls.
Summary The audit function, whether internal or external, is part of the corporate environment. It is a process to objectively validate, verify, and substantiate a process, activity, function, system, subsystem, or project within a company. Auditors have a unique set of skills and abilities that allows them to evaluate varied issues and environments.