EIS Quick Bites: NOV 2018 by Prof. Om Trivedi CA Intermediate – Group II (New Course)
Prof. Om Trivedi, IIM Alumnus and Faculty Member of IGP, Delhi, NIRC & WIRC of ICAI. (9958300572, [email protected])
Audit
• Audit is a systematic and independent examination of the FI of an entity,
• to express an opinion on the FS,
• and to ascertain how far the FS, as well as the non-financial disclosures,
• present a TRUE AND FAIR VIEW of the entity.
Audit in IT Environment vs. Manual Audit

Audit in IT Environment:
- Computerised environment
- IT-enabled compilation process of BOA and documents
- Automated processes (BPMS/ERP/TPS/CBS/Tally, etc.)
- Automated reporting
- Auditors require IT/IS/BPMS knowledge
- Tools: CAAT

Manual Audit:
- Manual environment
- Manual compilation process of BOA and documents
- Manual processes
- Manual reporting
- Auditors don't require IT/IS/BPMS and CAAT knowledge

Tools and Techniques of Audit in CIS Environment:
- Approaches: Black Box, White Box
- CAAT: BI tools, ACL, IDEA, SAS, SPSS, Lindo, etc.
- Concurrent audit tools: Snapshots, ITF, SCARF, CIS, Audit Hooks

Importance of IT in CIS Audit:
1. Processes large volumes of data
2. Security is improved
3. Monitoring the performance
4. Analysis is enhanced (DA)
5. Reduced risk and better controls
6. Timeliness and CIAT

Risks of IT in CIS Audit:
1. Unauthorised access
2. False sense of security
3. Privilege violations
4. Process becomes wrong
5. Malware
6. Manual intervention
Chapter 9: Information Systems Controls and Auditing (ISCA)
Objectives of Controls

Causes of the Exposure to Potential Loss:
1. Errors or omissions
2. Improper authorizations
3. Improper accountability
4. Inefficient activity

Critical Controls Lacking in a CIS Environment:
1. Lack of management's understanding of IS risks
2. Lack of IT staff's knowledge of IS risks
3. Weak general controls and IS controls
4. Complexity of implementation of controls
Controls
• Policies, procedures, practices and organization structure,
• designed to provide reasonable assurance that business objectives are achieved, and
• undesired events are prevented, or detected and corrected.
IS Controls
- Environmental Controls
- Physical Access Controls
- Logical Access Controls: controls relating to logical access to information resources, such as OS controls, application software controls, networking controls, access to database objects, encryption controls, etc.
Asynchronous Attacks
Technical Exposures
List of Logical Access Controls

User Access Management:
- User Registration
- Privilege Management
- User Password Management
- Review of User Access Management

User Responsibility:
- Password Use
- Unattended User Equipment

Network Access Control:
- Network Policy
- Enforced Path
- SON
- Routing Control
- Security
- Firewall
- Encryption
- Call Back Devices

OS Access Control:
- Automated Terminal ID
- Terminal Login Procedure
- Access Token
- Access Control List
- User ID
- Pw. Mgt. System
- Use of System Utilities
- Duress Alarm
- Terminal Time-out

Application & Monitoring System Access Control:
- Access Restriction
- Event Logging
- Monitor System Use
- Clock Sync.

Mobile Computing:
- Access
- ID
- Encryption
- Finger-
- Eye-iris
Classification based on "Audit Functions"

Managerial Controls:
1. Top Mgt. and IS Mgt. Control (Steering and Review Committee)
   ✓ Planning
   ✓ Leading
   ✓ Controlling
   ✓ Organizing
2. Programming Mgt. Control
   ✓ Planning
   ✓ Analysis
   ✓ Design
   ✓ Coding
   ✓ Testing
   ✓ Implementation
   ✓ Maintenance
3. System Development Mgt. Control
   ✓ Feasibility Study
   ✓ System Analysis
   ✓ System Design and Build
   ✓ System Testing
   ✓ System Implementation
   ✓ System Maintenance
4. Quality Assurance Mgt. Control
   ✓ Quality of Sw.
   ✓ Licenses
   ✓ Quality Ctrl.
   ✓ As per world-wide trends
5. Data Administration Control
   ✓ Definition Controls
   ✓ Existence/Backup Controls
   ✓ Access Controls
   ✓ Update Controls
   ✓ Concurrency Controls
   ✓ Quality Controls
6. Operations Mgt. Control
   ✓ Computer operations
   ✓ Nw. operations
   ✓ Data preparation and entry
   ✓ Production Ctrl.
   ✓ File, Doc. and Prog. Library
   ✓ Help-desk
   ✓ Capacity Planning
   ✓ Performance Monitoring
   ✓ Management of outsourced operations
7. Security Mgt. Control
   ✓ All Threats and Vulnerabilities
   ✓ DRP
   ✓ BCP

Application Controls:
1. Boundary Control
   ✓ Access Control
   ✓ Biometric Control
   ✓ Cryptographic Control
   ✓ Digital Signature
   ✓ PIN
   ✓ Plastic Card
2. Input Control
   ✓ Validation Control
      o Field Interrogation
      o Record Interrogation
      o File Interrogation
   ✓ Batch Control
      o Physical Ctrl.
      o Logical Ctrl.
   ✓ Source Document Control
   ✓ Data Coding Control
      o Transcription Errors
      o Transposition Errors
3. Output Control
   ✓ Storage and Logging of Critical Forms
   ✓ Printing Control
   ✓ Logging of Output Program Execution
   ✓ Report Distribution and Collection Control
   ✓ Retention Control
4. Process Control
   ✓ Processor Control
   ✓ Real Memory Control
   ✓ Virtual Memory Control
   ✓ Data Processing Control
5. Communication Control
   ✓ Physical Components Control
   ✓ Line Error Control
   ✓ Channel Access Control
   ✓ Link Control
   ✓ Internetworking Control
   ✓ Flow Control
   ✓ Topological Control
6. Database Control
   ✓ Update Control
      o Sequence check between TF & MF
      o Ensure all records or files are processed
      o Process multiple transactions for a single record in the correct order
      o Maintain a suspense account
   ✓ Report Control
      o Standing data
      o Print run-to-run control totals
      o Print suspense account entries
      o Existence/Recovery Controls
Information System Auditing
Systematic and independent examination of the controls within an entity's information technology infrastructure (to ensure CIAT for a T&F view).

Objectives of ISA:
✓ Assets Safeguarding
✓ Data Integrity
✓ System Effectiveness
✓ System Efficiency

Need for ISA:
✓ Same as E-Commerce Control Objectives (Chapter 5)
Information System Audit and Audit Evidence

SA 230 Documentation: audit documentation refers to the
✓ Record of audit procedures performed,
✓ Relevant audit evidence obtained,
✓ Conclusions the auditor reached.

Why is audit evidence needed?
✓ Means of controlling current audit work.
✓ Evidence of audit work performed.
✓ Schedules supporting or additional items in the accounts.
✓ Information about the business being audited, including the recent history.

Inherent Limitations of ISA:
✓ Nature of financial reporting
✓ Nature of audit procedures
✓ Audit to be conducted within a reasonable period of time and at a reasonable cost
✓ Fraud involving senior management or collusion
✓ The existence and completeness of related party relationships and transactions
✓ Non-compliance with laws and regulations
✓ Future events or conditions that may cause an entity to cease to continue as a going concern
Audit Trail
• Step-by-step record by which accounting data can be traced to their source.
• Logs that can be designed to record activity at the system, application, and user level.

Types / Objectives of an audit trail:
1. Detecting Unauthorized Access (Detective)
2. Personal Accountability (Preventive)
3. Reconstructing Events (Corrective)
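As an added example (not part of the original notes), the three audit trail objectives above applied in Python to a few constructed log lines recorded at system, application and user level. The pipe-separated log format, the field names, the user and object names, and the failed-login threshold are all assumptions made for this example.

```python
"""Audit-trail analysis: an added example, not part of the original notes.

Demonstrates the three audit-trail objectives from the notes (detecting
unauthorized access, personal accountability, reconstructing events) over
constructed log lines.  Log format, field names and the failed-login
threshold are assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit trail (not real data).  One event per line:
# timestamp|level|user|action|object|result
SAMPLE_LOG = """\
2018-11-02T09:00:01|system|svc_batch|LOGIN|host01|SUCCESS
2018-11-02T09:01:10|application|alice|UPDATE|invoice:1042|SUCCESS
2018-11-02T09:01:45|user|bob|LOGIN|host01|FAILURE
2018-11-02T09:01:52|user|bob|LOGIN|host01|FAILURE
2018-11-02T09:02:03|user|bob|LOGIN|host01|FAILURE
2018-11-02T09:05:30|application|carol|READ|payroll:77|DENIED
2018-11-02T09:06:00|application|alice|APPROVE|invoice:1042|SUCCESS
2018-11-02T09:07:15|application|dave|UPDATE|invoice:1042|SUCCESS
"""


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    level: str      # system, application or user level, as in the notes
    user: str
    action: str
    obj: str
    result: str


def parse_audit_trail(text):
    """Parse pipe-separated audit lines; a malformed line is itself an audit finding."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"malformed audit line: {line!r}")
        events.append(AuditEvent(*fields))
    return events


def detect_unauthorized_access(events, failure_threshold=3):
    """Detective objective: denied actions and repeated failed logins per user."""
    findings = []
    failed_logins = Counter()
    for ev in events:
        if ev.result == "DENIED":
            findings.append(f"{ev.user} denied {ev.action} on {ev.obj} at {ev.timestamp}")
        elif ev.action == "LOGIN" and ev.result == "FAILURE":
            failed_logins[ev.user] += 1
    for user, count in sorted(failed_logins.items()):
        if count >= failure_threshold:
            findings.append(f"{user}: {count} failed logins")
    return findings


def actions_by_user(events):
    """Accountability objective: each successful change is attributable to a named user."""
    ledger = {}
    for ev in events:
        if ev.result == "SUCCESS" and ev.action != "LOGIN":
            ledger.setdefault(ev.user, []).append((ev.action, ev.obj))
    return ledger


def reconstruct_events(events, obj):
    """Reconstruction objective: the ordered history of one record, e.g. an invoice."""
    history = [ev for ev in events if ev.obj == obj]
    history.sort(key=lambda ev: ev.timestamp)  # ISO-8601 strings sort chronologically
    return [(ev.timestamp, ev.user, ev.action, ev.result) for ev in history]


if __name__ == "__main__":
    evs = parse_audit_trail(SAMPLE_LOG)
    for finding in detect_unauthorized_access(evs):
        print("FINDING:", finding)
    for user, acts in actions_by_user(evs).items():
        print("USER:", user, acts)
    for step in reconstruct_events(evs, "invoice:1042"):
        print("HISTORY:", step)
```

On the sample data the detective pass reports carol's denied read of the payroll record and bob's three failed logins, the accountability pass attributes every successful change to a named user, and the reconstruction of invoice:1042 shows that dave updated the invoice after alice had approved it, which is exactly the kind of sequence an auditor would test against the entity's authorization controls.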
Concurrent Audit

Definition: Real-time auditing that provides continuous assurance about the quality of the data, that is, continuous auditing, through:
1. Embedded Modules
2. Special Audit Records

Tools:
1. Snapshot
2. ITF – Integrated Test Facility
3. SCARF – System Control Audit Review File
4. CIS – Continuous and Intermittent Simulation
5. Audit Hooks
Auditing of Controls
The IS auditor needs to be able to determine if such controls are effective and if they are cost-effective. Areas covered:
- Auditing Environmental Controls
- Auditing Physical Access Controls
- Auditing Logical Access Controls
- Auditing Managerial Controls
- Auditing Application Controls
SOD – Segregation of Duty

Definition: It ensures that single individuals do not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data.

SOD Controls:
1. Preventive Controls
2. Detective Controls

Examples of SOD Controls:
1. Transaction Authorization
2. Split Custody of High-Value Assets
3. Workflow
4. Periodic Review
Organization Structure and Responsibilities: Job Positions in IT

Executive Management:
1. CIO (Chief Information Officer)
2. CTO (Chief Technical Officer)
3. CSO (Chief Security Officer)
4. CISO (Chief Information Security Officer)
5. CPO (Chief Privacy Officer)

Software Development:
1. Systems Architect
2. Systems Analyst
3. Software Developer
4. Software Tester

Data Management:
1. Database Architect
2. Database Administrator (DBA)
3. Database Analyst

Network Management:
1. Network Architect
2. Network Engineer
3. Network Administrator
4. Telecom Engineer
Systems Management:
1. Systems Architect
2. System Engineer
3. System Administrator
4. Storage Engineer

General Operations:
1. Operations Manager
2. Operations Analyst
3. Controls Analyst
4. Systems Operator
5. Data Entry
6. Media Librarian

Security Operations:
1. Security Architect
2. Security Engineer
3. Security Analyst
4. User Account Manager
5. Security Auditor

Service Desk:
1. Help Desk Analyst
2. Technical Support Analyst