ch01_Student_F13.ppt
Transcript of ch01_Student_F13.ppt
Motivation
High proliferation of computer systems
Large amounts of digital data
Electronic commerce environments
Virtual companies
Electronic networks, etc.
Information security
Much opportunity for misuse
Need risk assessment and control
IT/IS Audit - Wikipedia
An examination of the controls within an Information Technology (IT) infrastructure.
The process of collecting and evaluating evidence of an organization's IS, practices, and operations.
So what do you do in IT Audit? Evaluate whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.
IT __Governance________
The process for controlling an organization's IT resources, which include information and communication systems, and technology.
Two main objectives:
– use IT to promote an organization's objectives and enable business processes;
– manage and control IT related risks.
Set Objectives
Maximize benefits;
Use resources responsibly;
Manage risks appropriately.
IT governance framework
COSO and CobiT
COSO: Committee of Sponsoring Organizations
– Objectives: develop comprehensive guidelines for internal control (Internal Control - Integrated Framework); address the growing emphasis on risk management (Enterprise Risk Management - Integrated Framework).
CobiT: Control Objectives for Information and Related Technology.
– Developed by the IT Governance Institute, it identifies critical success factors, key goal and performance indicators, and an IT governance maturity model.
Internal Control - Integrated Framework
Internal control is a process, affected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in:
Effectiveness and efficiency of operations;
Reliability of financial reporting;
Compliance with applicable laws and regulations.
Examples?
IT Governance
…the process for controlling an organization's IT resources, including information and communication systems, and technology.
…using IT to promote an organization's objectives and enable business processes and to manage and control IT related risks.
IT Audit's Agenda
Will the organization's computer systems be available for the business at all times when required? (____________________)
Will the information in the systems be disclosed only to authorized users? (____________________)
Will the information provided by the system always be accurate, reliable, and timely? (____________________)
Mitigate these risks by implementing controls.
COSO-CobiT Connection
CobiT carries forward the COSO concepts by providing the domains, processes, and control activities for the IT world that guide an enterprise toward meeting the internal control requirements it deems appropriate for its own environment.
www.isaca.org
More about CobiT later in the course…
CobiT's IT Governance Management Guideline
Identifies critical success factors, key goal and performance indicators, and an IT governance maturity model.
The IT governance framework begins with setting IT objectives and measures, and compares performance against them.
Side Note Practice: Critical Success Factors
Example: McDonalds?
Operationalize them?
Measure them?
IT and Transaction (Tx) Processing
The IS collects transaction data
The IS turns data into information
Computerized Tx systems increase some risks and decrease others
Critical Success Factors
Virginia Tech (Banner System?)
Transaction data?
Information?
Risks of computerization?
What do IT auditors do?
Ensure IT governance by assessing risks and monitoring controls over those risks
Work as either internal or external auditor
Work on many kinds of audit engagements
Evaluate controls over applications (e.g., SAP)
Financial vs IT Audits
IT auditors may work on financial audit engagements
IT auditors may work on every step of the financial audit engagement
Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important (More Jobs!)
IT Audits in the Financial Audits Process
[Figure: Financial Audits vs. IT Audits]
Technological innovation process audit
Constructs a risk profile for existing and new projects.
Assesses the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product.
Innovative comparison audit
An analysis of the innovative abilities of the company being audited, in comparison to its competitors.
Examines the company's research and development facilities.
Track record in actually producing new products.
Technological position audit
Reviews the technologies that the business currently has and that it needs to add.
IT Audit Skills
College education – IS, computer science, accounting
Certifications – CPA, CFE, CIA, CISA, CISSP, and special technical certifications
Technical IT audit skills – specialized technologies
General personal and business skills
Professional Groups and Certifications – Alphabet Soup
ISACA – CISA
IIA – CIA
ACFE – CFE
AICPA – CPA and CITP
How to Structure an IT Audit
AICPA Standards and Guidelines – GAAS, SAS, and SSAE
IFAC Guidelines – harmonized or common international accounting standards and guidelines
ISACA standards, guidelines, and procedures – includes CobiT and audit standards
An Overview of the Book
Section I – an introduction to IT audit, the legal and ethical environment of the IT audit, introduction to risks and controls
Section II – risks over specific processes and technologies – deployment of IS, operation of IS, network systems, and e-business systems
Section III – how to do an IT audit – use of CAATTs and a step-by-step IT audit
Appendices – ACL tutorial and IT audit glossary