1 Performance Auditing In IT Environment Evidence Gathering & Analysis Techniques Computer...
1
Performance Auditing in IT Environment
Evidence Gathering & Analysis Techniques
Computer Assisted Techniques
Use of IDEA
2
In the last 10 days, we discussed all aspects relating to Performance Auditing, starting with strategic planning and selection of subjects and continuing through the reporting process, follow-up procedures, quality assurance and critical issues.
Today we will briefly discuss some of the important aspects of conducting Performance Audit in an IT environment, evidence gathering and analysis techniques, and some of the important CAATs.
There will be 4 sessions covering the areas listed in the next slide.
3
Performance Auditing in IT Environment
Topic coverage for the day XI
• Introduction
• Planning & Resourcing
• Performance Auditing involving IT System Development
• Performance Auditing involving operational IT Systems
• Performance Aspect of Auditing in IT Environment
• Evidence gathering techniques
• Computer Assisted Auditing Techniques
• Specialised and support audit techniques/software
• Internet
• Reporting
4
In the first session we will cover
• Introduction - Performance Auditing in IT Env.
• Performance Auditing Planning & Resourcing
• Performance Auditing involving IT System Development
• Performance Auditing involving operational IT Systems
• Performance Aspect of Auditing in IT Environment
5
Performance Auditing - Introduction
• IT - increasingly used for public sector programme planning, execution, monitoring
• Sharing or integration of information between entities raises issues such as the risk of security breaches & unauthorised manipulation of information
• Auditors to develop strategy & technique to provide assurance to stakeholders about value for money from the use of the IT, security of the systems, existence of proper process controls and completeness and accuracy of the output
6
Performance Auditing - Introduction Contd…
• IT - has to be efficient
• IT - should be cost effective, provide range of additional services, including programme performance information, with greater efficiency, security and control than are available in manual system
• IT - has risk of major systemic error having greater impact on entity performance than would be possible in manual systems.
7
Performance Auditing - Introduction Contd…
• Understand the entity's IT system & its significance to the performance audit objective
• Identify the extent of IT systems auditing required to achieve the performance audit objective (e.g. audit of system development, audit of environment and application controls) and employ specialist IT auditors to undertake the task
• Develop and use appropriate CAATs to facilitate audit
8
Performance Auditing - Introduction Contd…
Performance auditing in IT Environment should
– Identify any deficiencies in IT Controls & resulting effect on efficiency, economy and effectiveness of the performance of the entity
– Examine IT system development and maintenance practice of the entity and compare it to industry better practices
9
Performance Auditing - Introduction Contd…
– Compare the IT strategic planning, risk management and project management practices of the entity with industry better practice and in relation to corporate governance framework of the entity
– Determine whether system output meets entity quality and service delivery parameters and
– Assess whether the IT systems enhance the economy, efficiency and effectiveness of the entity's programme management, in particular in relation to programme planning, execution, monitoring and feedback
10
Session Coverage - Performance Auditing in IT Environment
• Introduction
• Planning & Resourcing
• Performance Auditing involving IT System Development
• Performance Auditing involving operational IT Systems
• Performance Aspect of Auditing in IT Environment
11
Performance Auditing
Planning
Resourcing
12
Planning
• Planning to frame audit objectives with reference to the objectives of the entity in adopting/introducing IT systems and should include audit concerns relating to security, controls and value for money
• Planning to identify the IT systems, computer systems and software packages being used by the entity
• Planning to identify major potential risks and exposures of system in the entity
13
Performance Auditing
Planning
Resourcing
14
Resourcing
• Performance Auditing in IT environment requires specialist skills
• Appropriately trained persons in IT with audit & accountancy skills
• Think of services of technical consultant for more specialised technical areas
• Personnel need extensive training to remain abreast of technological developments and IT Audit techniques
15
Session Coverage - Performance Auditing in IT Environment
• Introduction
• Planning & Resourcing
• Performance Auditing involving IT System Development
• Performance Auditing involving operational IT Systems
• Performance Aspect of Auditing in IT Environment
16
Performance Auditing involving IT system development
Determine if the entity
• Has appropriate executive approvals for the development of the system, i.e. that IT management fits within the corporate governance of the entity
• Has appropriate project management processes in place to manage the project
• Has met required targets of time, cost, system function and value for money
• Uses an appropriate system development methodology, and
• Has processes in place, including the involvement of Internal Audit, to ensure that the new system includes all the necessary controls and audit trails, and is likely to meet the requirements of the entity and its stakeholder
COBIT Acquisition & Implementation Domain, Monitoring domain
17
Session Coverage - Performance Auditing in IT Environment
• Introduction
• Planning & Resourcing
• Performance Auditing involving IT System Development
• Performance Auditing involving operational IT Systems
• Performance Aspect of Auditing in IT Environment
18
Performance Auditing involving Operational IT System
Concerns auditor would be expected to consider:
• Strategic and operational management of IT within the entity (IT included in overall corporate governance)
• IT project management includes compliance with legislative & other local laws - Compliance Testing
• Risk management practice of entity in respect of IT - No 100% risk avoidance - acceptable risk level
• IT system design, development & maintenance controls - SDLC Phases - Feasibility, Requirement, Design & Code, Implementation (acceptance testing)
• Compliance with standards including external standards - Compliance Testing
19
Performance Auditing involving Operational IT System
Concerns auditor would be expected to consider:
• Application controls
• Processing controls, including audit trails
• Business continuity arrangements
• Data integrity including sampling of data (possibly using CAATs)
• Access controls and the physical & logical security of networks and computers, including Internet firewalls
• Controls to safeguard against illegal software
• Performance management & measurement
• Other issues that arise during the audit
20
Performance Auditing involving Operational IT System
In making assessment auditor may
• Review files and other documents relevant to the development and operation of the IT systems
• Use appropriate software packages to test the central and networked computing systems controls
• Test a sample of transactions (including the use of CAATs) to validate the systems and relevant controls; and
• Interview key staff members
21
Session Coverage - Performance Auditing in IT Environment
• Introduction
• Planning & Resourcing
• Performance Auditing involving IT System Development
• Performance Auditing involving operational IT Systems
• Performance Aspect of Auditing in IT Environment
22
Performance aspects of auditing in an IT environment
Auditor may also examine:
• Whether the IT system has enhanced the efficiency with which the entity manages its programmes/activities and whether the conversion to an IT system has any beneficial results for the stakeholders in the entity
23
Performance aspects of auditing in an IT environment
Auditor may also assess:
• If IT systems have facilitated improved programme management
• IT to support objective of entity & is integrated part of its operations
• Whether required highly qualified staff is deployed or not
• IT contribution to operations is measured in operational efficiency terms
24
Performance aspects of auditing in an IT environment
Auditor may also assess:
• The gains of IT may not be realised without appropriate organisational changes; and
• Normal value for money measures may be more difficult to apply
• Return on investment
• Whether the IT environment has contributed to transparency, accountability and good governance
25
In this session we discussed
• Introduction - Performance Auditing in IT Env.
• Performance Auditing Planning & Resourcing
• Performance Auditing involving IT System Development
• Performance Auditing involving operational IT Systems
• Performance Aspect of Auditing in IT Environment