This seminar provides an overview of auditing principles and techniques for information systems, including IT governance, risk management, and security aspects. It covers topics such as IT auditing techniques, computer science methods for IT auditing, and IT auditing for specific business processes.
Seminar Information Systems: IT auditing. Conducted by Prof. dr K.M. van Hee and A. Kisjes RA/RE, semester 1 2008. Dept of Mathematics and Computer Science
Topics
• Principles of auditing
• Principles and techniques of IT auditing
• Computer science methods for IT auditing
• IT auditing for specific business processes
• Principles of IT governance
• Principles of IT risk management
• Security aspects of auditing
Activities
• It is mandatory to follow the lectures!!!
• Study of literature
• Lectures by:
  • Organizers
  • External experts
• Student presentations (2 x)
• Model of a generic business process and its control issues
• Essay about On Line Auditing, or
• Design of an On Line Auditing Tool
• Multiple choice test for IT auditing concepts
Lectures overview (1-5)
• Concepts (1) (KvH)
• Concepts (2) (KvH)
• General auditing principles (AK)
• IT auditing techniques (AK)
• CS techniques for IT auditing (KvH)
Lectures overview (6-10)
• Stud. pres: Revenue cycle
• Stud. pres: Expenditure cycle
• IT governance (T. Thiadens)
• Stud. pres: Production cycle
• Stud. pres: HR and Payroll cycle
Lectures overview (11-15)
• Security aspects (S. Etalle)
• IT auditing in practice (M. Verdonck)
• Stud. pres: essay or design
• Stud. pres: essay or design
• Stud. pres: essay or design
Audit of the automation versus automation of the audit
Lecture 1 IT auditing techniques
Index of IS Auditing Standards
• S1 Audit Charter, 1 January 2005
• S2 Independence, 1 January 2005
• S3 Professional Ethics and Standards, 1 January 2005
• S4 Competence, 1 January 2005
• S5 Planning, 1 January 2005
• S6 Performance of Audit Work, 1 January 2005
• S7 Reporting, 1 January 2005
• S8 Follow-Up Activities, 1 January 2005
• S9 Irregularities and Illegal Acts, 1 September 2005
• S10 IT Governance, 1 September 2005
• S11 Use of Risk Assessment in Audit Planning, 1 November 2005
• S12 Audit Materiality, 1 July 2006
• S13 Using the Work of Other Experts, 1 July 2006
• S14 Audit Evidence, 1 July 2006
• S15 IT Controls, 1 February 2008
• S16 E-commerce, 1 February 2008
The Audit Process components
• S1 Audit Charter (= engagement letter), 1 January 2005
• S5 Planning, 1 January 2005
• S6 Performance of Audit Work, 1 January 2005
• S7 Reporting, 1 January 2005
• S8 Follow-Up Activities, 1 January 2005
Supporting standards
• S2 Independence, 1 January 2005
• S3 Professional Ethics and Standards, 1 January 2005
• S4 Competence, 1 January 2005
• S9 Irregularities and Illegal Acts, 1 September 2005
• S10 IT Governance, 1 September 2005
• S11 Use of Risk Assessment in Audit Planning, 1 November 2005
• S12 Audit Materiality, 1 July 2006
• S13 Using the Work of Other Experts, 1 July 2006
• S14 Audit Evidence, 1 July 2006
• S15 IT Controls, 1 February 2008
Audit Techniques (general)
• Review of the system of internal control
• Analytical Review
• Reconciliations
• External documents and records
• Norms, standards and industry statistics
• Existence verification
• Information of auditee
• Other: Attestatie de vita
• Negative verification of obligations
• Statements/opinions of other (audit) professionals
• Third party judgement
IT Audit techniques
• Audit techniques
• Computer Assisted Audit Techniques (CAATs)
• Audit Sampling
• Effect of Pervasive IS Controls
• Use of Risk Assessment in Audit Planning
• Computer Forensics
• IT Management and Governance
• IT Governance
• System Development Life Cycle (SDLC) Review
• Outsourcing of IS Activities
• Post-implementation Review
• IT Infrastructure related (ICT)
• Business Continuity Plan (BCP) Review
• Process related
• Business Process Reengineering (BPR) Project Reviews
• Business-to-consumer (B2C) E-commerce Review
• Application related
• Application Systems Review
• Effect of Third Parties
• IT Controls
• Enterprise Resource Planning (ERP) Systems Review
• General Considerations on the Use of the Internet
• Internet Banking
• Materiality Concepts for Auditing Information Systems
• Mobile Computing
• Review of Virtual Private Networks
ISACA IS Auditing Guidelines (1)
• G01 Using the Work of Other Experts (PDF, 50K) Mar 2008
• G02 Audit Evidence Requirement (PDF, 50K) Mar 2008
• G03 Use of Computer-Assisted Audit Techniques (PDF, 59K) Mar 2008
• G04 Outsourcing of IS Activities to Other Organisations (PDF, 54K) Mar 2008
• G05 Audit Charter (PDF, 47K) Feb 2008
• G06 Materiality Concepts for Auditing Information Systems (PDF, 55K) Mar 2008
• G07 Due Professional Care (PDF, 45K) Mar 2008
• G08 Audit Documentation (PDF, 47K) Mar 2008
• G09 Audit Considerations for Irregularities (PDF, 73K) Aug 2008
• G10 Audit Sampling (PDF, 55K) Nov 1999
ISACA IS Auditing Guidelines (2)
• G11 Effect of Pervasive IS Controls (PDF, 134K) Nov 1999
• G12 Organisational Relationship and Independence (PDF, 49K) May 2000
• G13 Use of Risk Assessment in Audit Planning (PDF, 56K) May 2000
• G14 Application Systems Review (PDF, 34K) Jul 2001
• G15 Planning (PDF, 35K) Nov 2001
• G16 Effect of Third Parties on an Organisation's IT Controls (PDF, 144K) Nov 2001
• G17 Effect of Nonaudit Role on the IS Auditor's Independence (PDF, 140K) Apr 2002
• G18 IT Governance (PDF, 145K) Apr 2002
• G20 Reporting (PDF, 133K) Oct 2002
ISACA IS Auditing Guidelines (3)
• G21 Enterprise Resource Planning (ERP) Systems Review (PDF, 114K) Aug 2003
• G22 Business to Consumer (B2C) E-commerce Review (PDF, 210K) Aug 2003
• G23 System Development Life Cycle (SDLC) Review (PDF, 72K) Aug 2003
• G24 Internet Banking (PDF, 177K) Aug 2003
• G25 Review of Virtual Private Networks (PDF, 64K) Oct 2003
• G26 Business Process Reengineering (BPR) Project Reviews (PDF, 250K) Apr 2004
• G27 Mobile Computing (PDF, 46K) Jul 2004
• G28 Computer Forensics (PDF, 58K) Jul 2004
• G29 Post Implementation Review (PDF, 216K)
ISACA IS Auditing Guidelines (4)
• G30 Competence (PDF, 145K) Feb 2005
• G31 Privacy (PDF, 192K) Jun 2005
• G32 Business Continuity Plan (BCP) Review from IT Perspective (PDF, 163K) Jul 2005
• G33 General Considerations on the Use of Internet (PDF, 166K) Dec 2005
• G34 Responsibility, Authority and Accountability (PDF, 117K) Dec 2005
• G35 Follow-up Activities (PDF, 178K) Dec 2005
• G36 Biometric Controls (PDF, 174K) Oct 2006
• G38 Access Controls (PDF, 82K) Feb 2008
• G39 IT Organisation (PDF, 81K) Mar 2008
ISACA IS Auditing Procedures
• P01 IS Risk Assessment Measurement (PDF, 237K) Apr 2002
• P02 Digital Signatures (PDF, 176K) May 2002
• P03 Intrusion Detection (PDF, 168K) May 2003
• P04 Viruses and Other Malicious Logic (PDF, 227K) May 2003
• P05 Control Risk Self-assessment (PDF, 166K) May 2003
• P06 Firewalls (PDF, 248K) May 2003
• P07 Irregularities and Illegal Acts (PDF, 201K) Oct 2003
• P08 Security Assessment - Penetration Testing and Vulnerability Analysis (PDF, 221K) Feb 2004
• P09 Evaluation of Management Controls Over Encryption Methodologies (PDF, 170K) Apr 2004
• P10 Business Application Change Control (PDF, 230K) Aug 2006
• P11 Electronic Funds Transfer (EFT) (PDF, 87K) Feb 2007
ISACA Audit programs (1)
• Biometric Technologies (DOC, 2K) Feb 2004
• Business Continuity Planning (DOC, 2K) Sep 2001
• Cellular Management Billing (DOC, 2K) Nov 2001
• Change Control (DOC, 2K) Sep 2001
• Customer Relationship Management (CRM) Feb 2004
• Cybercrime: Incident Response and Digital Forensics Sep 2006
• eCommerce Security: Business Continuity Planning (DOC, 2K) Oct 2002
• eCommerce Security: Creation, Storage and Maintenance of Trading Partner Records (DOC, 2K) Oct 2000
• eCommerce Security: PKI, Digital Certificates in E-commerce (DOC, 2K) Sep 2001
• eCommerce Security: Public Key Infrastructure, Symmetrical (Private) Key Encryption (DOC, 2K) Sep 2001
ISACA Audit programs (2)
• eCommerce Security: Selection & Identification of Trading Partners (DOC, 2K) Oct 2000
• Generic Application Review (DOC, 2K) Sep 2001
• Identity Management (DOC, 2K) Feb 2004
• Incident Handling (DOC, 2K) Jul 2004
• Linux: Security, Audit and Control Features Sep 2006
• Oracle Database (DOC, 2K) Aug 2004
• Oracle E-Business Suite (DOC, 67K) Nov 2006
• OS/390-z/OS (DOC, 2K) Feb 2004
• Outsourcing (DOC, 2K) Oct 2000
• PeopleSoft (DOC, 2K) Aug 2006
ISACA Audit programs (3)
• SAP R-3 (DOC, 2K) Feb 2006
• Securing the Network Perimeter (DOC, 2K) May 2003
• Security Provisioning (PDF, 72K) May 2003
• Softserve Internet Services (PDF, 225K) Dec 2004
• Software Licensing (DOC, 2K) Sep 2001
• Systems Development Life Cycle (SDLC) (DOC, 2K) Sep 2001
• Telephone Management Billing (DOC, 2K) Sep 2001
• UNIX OS (DOC, 2K) Sep 2001
• Virtual Private Networking (DOC, 2K) Aug 2004
CAATs: Computer Assisted Audit Techniques (audit with the computer)
• 3670.1 CAATs
• 3670.2 Selecting a Data Analysis Technique
• 3670.3 Planning Data Analysis in the Audit Process
• 3670.4 Data Analysis in Control Testing
• 3670.5 Establishing a Data Analysis Programme
• 3670.6 Integrating CAATs Into the Audit Process
• 3670.7 CAATs in Control Testing
• 3670.8 Establishing a CAAT Programme
• 3670.9 Managing a CAAT Project
• 3670.10 Using CAATs in a Continuous Auditing Environment
• 3670.11 Using Client Data
• 3670.12 Documenting CAATs
3670.1 CAATs
Three types:
• Data testing
• Systems testing
• Information modeling and analysis security
Other considerations:
• when to use
• addressing and resolving technical issues
• ensuring integrity of the CAAT process, including security over the CAAT software, the file of selected items and the selection process
• CAAT planning issues: data retention, data integrity and completeness, privacy and confidentiality concerns, the removal of files or selected records to the auditor's computer and potentially offsite
• use of CAATs in various environments, including continuous auditing
Audit of Information Systems (Application systems, G14)
• Planning
• Performance of Audit Work
• Reporting
Audit of Information Systems: Planning considerations
An integral part of planning is understanding the organisation's information system environment, to a sufficient extent for the IS auditor to determine:
• the size and complexity of the systems, and
• the extent of the organisation's dependence on information systems.
The IS auditor should gain an understanding of:
• the organisation's mission and business objectives,
• the level and manner in which information technology and information systems are used to support the organisation, and
• the risks and exposures associated with the organisation's objectives and its information systems.
Also, an understanding of the organisational structure, including roles and responsibilities of key IS staff and the business process owner of the application system, should be obtained.
Audit of Information Systems: Planning considerations: application level risks
Application level risks at the system and data level include such things as:
• System availability risks relating to the lack of system operational capability
• System security risks relating to unauthorised access to systems and/or data
• System integrity risks relating to the incomplete, inaccurate, untimely, or unauthorised processing of data
• System maintainability risks relating to the inability to update the system when required in a manner that continues to provide for system availability, security, and integrity
• Data risks relating to its completeness, integrity, confidentiality, privacy and accuracy
Audit of Information Systems: Planning considerations: Application controls
Application controls to address the application level risks may be in the form of:
• computerised controls built into the system,
• manually performed controls,
• or a combination of both.
Examples include:
• the computerised matching of documents (purchase order, invoice and goods received report),
• the checking and signing of a computer generated cheque, and
• the review by senior management of exception reports.
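The first example above, computerised three-way matching of purchase order, goods received report and invoice, written out as an added example (not code from the slides or from ISACA). The records are constructed; the control accumulates partial deliveries and earlier invoices per purchase order so that over-invoicing spread across several invoices is still caught, and the exceptions are what a management exception report would list.

```python
"""Three-way match (purchase order / goods receipt / invoice) as an application
control. Added example with constructed records; monetary amounts are integer
cents to avoid floating-point comparison problems."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PurchaseOrder:
    po: str
    vendor: str
    qty: int
    unit_price: int  # cents


@dataclass(frozen=True)
class GoodsReceipt:
    po: str
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    inv: str
    po: str
    vendor: str
    qty: int
    unit_price: int  # cents


@dataclass(frozen=True)
class MatchException:
    invoice: str
    code: str
    detail: str


def three_way_match(pos: List[PurchaseOrder], receipts: List[GoodsReceipt],
                    invoices: List[Invoice], price_tolerance: int = 0) -> List[MatchException]:
    """Check each invoice, in the order received, against its PO and the goods received.

    Quantities are checked cumulatively per PO: an invoice is an exception when the
    quantity invoiced so far (earlier invoices plus this one) exceeds the quantity
    received so far. price_tolerance is the accepted unit-price deviation in cents.
    """
    po_index: Dict[str, PurchaseOrder] = {p.po: p for p in pos}
    received: Dict[str, int] = {}
    for g in receipts:  # several partial deliveries may exist per PO
        received[g.po] = received.get(g.po, 0) + g.qty_received
    invoiced: Dict[str, int] = {}
    exceptions: List[MatchException] = []
    for inv in invoices:
        po = po_index.get(inv.po)
        if po is None:
            exceptions.append(MatchException(inv.inv, "NO_PO", f"no purchase order {inv.po}"))
            continue
        if inv.vendor != po.vendor:
            exceptions.append(MatchException(inv.inv, "VENDOR_MISMATCH",
                                             f"invoice from {inv.vendor}, PO placed with {po.vendor}"))
        if abs(inv.unit_price - po.unit_price) > price_tolerance:
            exceptions.append(MatchException(inv.inv, "PRICE_MISMATCH",
                                             f"invoiced {inv.unit_price}, ordered {po.unit_price}"))
        total_invoiced = invoiced.get(inv.po, 0) + inv.qty
        if total_invoiced > received.get(inv.po, 0):
            exceptions.append(MatchException(inv.inv, "QTY_EXCEEDS_RECEIVED",
                                             f"{total_invoiced} invoiced, {received.get(inv.po, 0)} received"))
        invoiced[inv.po] = total_invoiced
    return exceptions


def run_example(price_tolerance: int = 0) -> List[MatchException]:
    """Run the control over a constructed set of records (not from the page)."""
    pos = [PurchaseOrder("PO-100", "Acme", 100, 2500), PurchaseOrder("PO-101", "Bolt", 10, 10000)]
    receipts = [GoodsReceipt("PO-100", 60), GoodsReceipt("PO-100", 40), GoodsReceipt("PO-101", 8)]
    invoices = [
        Invoice("INV-A", "PO-100", "Acme", 60, 2500),   # clean
        Invoice("INV-B", "PO-100", "Acme", 50, 2500),   # 60 + 50 > 100 received
        Invoice("INV-C", "PO-101", "Bolt", 8, 10500),   # unit price differs from PO
        Invoice("INV-D", "PO-999", "Bolt", 1, 1),       # no such PO
        Invoice("INV-E", "PO-101", "Acme", 1, 10000),   # wrong vendor, and 8 + 1 > 8 received
    ]
    return three_way_match(pos, receipts, invoices, price_tolerance)
```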
Audit of Information Systems: Planning considerations: General IT Controls
Where the option to place reliance on programmed controls is taken, relevant general IT controls should be considered, as well as controls specifically relevant to the audit objective. General IT controls could be the subject of a separate review, which would include such things as:
• physical controls,
• system level security,
• network management,
• data backup,
• contingency planning.
Audit of Information Systems: Planning considerations: When and What
Application system reviews can be performed:
• when a package application system is being evaluated for acquisition,
• before the application system goes into production (pre-implementation),
• after the application system has gone into production (post-implementation).
Pre-implementation application system review coverage includes:
• the architecture of application level security,
• plans for the implementation of security,
• the adequacy of system and user documentation,
• the adequacy of actual or planned user acceptance testing.
Post-implementation review coverage includes:
• application level security after implementation,
• and may cover system conversion if there has been a transfer of data and masterfile information from the old to the new system.
Audit of Information Systems
3. PERFORMANCE OF AUDIT WORK
• 3.1 Documenting the Flow of Transactions
• 3.2 Identifying and Testing the Application System Controls
4. REPORTING
• 4.1 Weaknesses
Audit of Information Systems: Information Criteria
Objectives should be developed to address the 7 COBIT information criteria and then agreed upon by the organisation. The 7 COBIT information criteria are the following:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity (= completeness + correctness + timeliness + authorization)
• Availability
• Compliance
• Reliability of Information
Audit of the Data Center / ICT infrastructure
• Logical access control
• Software change management
• Backup, recovery and fall back
Audit of logical access control
General Access Path. Three parts:
• Identification
• Authentication
• Authorisation
Access path, from user to data: User, Data communication software, Transaction software, Application software, Data access methods, Data
Example: LAP UNIX
Four commonly used sampling methods
Statistical sampling methods
• Random sampling: ensures that all combinations of sampling units in the population have an equal chance of selection.
• Systematic sampling: involves selecting sampling units using a fixed interval between selections, the first interval having a random start. Examples include:
  - Monetary Unit Sampling or Value Weighted selection, where each individual monetary value (e.g., $1) in the population is given an equal chance of selection. As the individual monetary unit cannot ordinarily be examined separately, the item which includes that monetary unit is selected for examination. This method systematically weights the selection in favour of the larger amounts but still gives every monetary value an equal opportunity for selection.
  - Selecting every nth sampling unit.
Nonstatistical sampling methods
• Haphazard sampling: the IS auditor selects the sample without following a structured technique, while avoiding any conscious bias or predictability. However, analysis of a haphazard sample should not be relied upon to form a conclusion on the population.
• Judgmental sampling: the IS auditor places a bias on the sample (e.g., all sampling units over a certain value, all for a specific type of exception, all negatives, all new users). It should be noted that a judgmental sample is not statistically based and results should not be extrapolated over the population, as the sample is unlikely to be representative of the population.
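The systematic methods above, Monetary Unit Sampling with a random start and plain every-nth selection, as an added example (not code from the slides or from ISACA). The invoice population is constructed; note how an item larger than the interval is always hit, possibly more than once, and how negative amounts are refused because MUS cannot give them a sensible selection chance (the slide's judgmental "all negatives" is the usual separate treatment).

```python
"""Monetary Unit Sampling (MUS) and every-nth systematic selection.
Added example with a constructed invoice population."""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Item:
    ref: str
    amount: int  # whole monetary units, e.g. dollars


# Constructed population (not from the page).
POPULATION: List[Item] = [
    Item("INV-001", 120), Item("INV-002", 4500), Item("INV-003", 60),
    Item("INV-004", 980), Item("INV-005", 15000), Item("INV-006", 310),
    Item("INV-007", 75), Item("INV-008", 2200), Item("INV-009", 640),
    Item("INV-010", 40),
]


def sampling_interval(population: List[Item], sample_size: int) -> float:
    """Monetary interval between hits: total population value / planned sample size."""
    if sample_size < 1:
        raise ValueError("sample_size must be at least 1")
    if any(it.amount < 0 for it in population):
        raise ValueError("negative amounts must be sampled separately (judgmentally)")
    return sum(it.amount for it in population) / sample_size


def mus_select(population: List[Item], sample_size: int,
               start: Optional[float] = None,
               rng: Optional[random.Random] = None) -> List[Tuple[str, int]]:
    """Return (ref, hits) for every item containing a selected monetary unit.

    Hits fall at start, start + interval, start + 2*interval, ... along the
    running cumulative total, with start drawn from (0, interval] unless given.
    An item worth more than the interval is hit at least once and may be hit
    several times, so the result can hold fewer than sample_size distinct items.
    """
    interval = sampling_interval(population, sample_size)
    if interval == 0:
        return []
    if start is None:
        start = interval - (rng or random.Random()).random() * interval
    if not 0 < start <= interval:
        raise ValueError("start must lie within the first interval")
    selected: List[Tuple[str, int]] = []
    cum = 0
    next_hit = start
    for it in population:
        low, high = cum, cum + it.amount   # the units this item occupies
        cum = high
        hits = 0
        while low < next_hit <= high:      # zero-value items are never hit
            hits += 1
            next_hit += interval
        if hits:
            selected.append((it.ref, hits))
    return selected


def every_nth(population: List[Item], n: int, start: int) -> List[str]:
    """Plain systematic selection: every n-th sampling unit from a 1-based random start."""
    if n < 1 or not 1 <= start <= n:
        raise ValueError("need n >= 1 and 1 <= start <= n")
    return [it.ref for it in population[start - 1::n]]
```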
Standard S15 on IT Controls
03 The IS auditor should evaluate and monitor IT controls that are an integral part of the internal control environment of the organisation.
04 The IS auditor should assist management by providing advice regarding the design, implementation, operation and improvement of IT controls.
Commentary
• Management is accountable for the internal control environment of an organisation, including IT controls.
• IT controls are comprised of general IT controls, which include:
  • pervasive IT controls,
  • detailed IT controls and
  • application controls,
  and refer to controls over the acquisition, implementation, delivery and support of IT systems and services.
IT Controls
• General IT controls are controls that minimise risk to the overall functioning of the organisation's IT systems and infrastructure and to a broad set of automated solutions (applications).
• Application controls are a set of controls embedded within applications.
• Pervasive IT controls are general IT controls that are designed to manage and monitor the IT environment and, therefore, affect all IT-related activities.
• Detailed IT controls are made up of application controls plus those general IT controls not included in pervasive IT controls.
Control processes
• are the policies, procedures and activities
• that are part of a control environment,
• designed to ensure that risks are contained within the risk tolerances established by the risk management process.
COBIT defines control as 'the policies, procedures, practices and organisational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected'.
DAT: Data Analysis Techniques, Continuous Auditing, On Line Auditing
• The IS auditor should consider the use of data analysis techniques,
• including the use of continuous assurance,
• which allows IS auditors to monitor system reliability on a continuous basis and
• to gather selective audit evidence through the computer when reviewing IT controls.
Audit Evidence: Appropriate, Reliable and Sufficient (IS standard 14)
• 03 The IS auditor should obtain sufficient and appropriate audit evidence to draw reasonable conclusions on which to base the audit results.
• 04 The IS auditor should evaluate the sufficiency of audit evidence obtained during the audit.
Appropriate Evidence
• Includes the procedures as performed by the auditor
• Includes the results of procedures performed by the IS auditor
• Includes source documents (in either electronic or paper format), records and corroborating information used to support the audit
• Includes findings and results of the audit work
• Demonstrates that the work was performed and complies with applicable laws, regulations and policies
Reliable Evidence
In general terms, audit evidence reliability is greater when it is:
• In written form, rather than oral expressions
• Obtained from independent sources
• Obtained by the IS auditor rather than from the entity being audited
• Certified by an independent party
• Kept by an independent party
Sufficient Evidence
The evidence can be considered sufficient if it supports all the material questions to the audit objective and scope. Audit evidence should be objective and sufficient to enable a qualified independent party to reperform the tests and obtain the same results. The evidence should be commensurate with the materiality of the item and the risks involved. Sufficiency is a measure of the quantity of audit evidence, while appropriateness is the measure of the quality of the audit evidence, and they are interrelated. In this context, when information obtained from the organisation is used by the IS
Obtain audit evidence
The IS auditor can obtain the audit evidence by:
• Inspection
• Observation
• Inquiry and confirmation
• Reperformance
• Recalculation
• Computation
• Analytical procedures
• Other generally accepted methods
Audit Documentation: Potential Uses
Potential uses of documentation include, but are not limited to:
• Demonstration of the extent to which the IS auditor has complied with the IS Auditing Standards
• Demonstration of audit performance to meet requirements as per the audit charter
• Assistance with planning, performance and review of audits
• Facilitation of third-party reviews
• Evaluation of the IS auditing function's QA programme
• Support in circumstances such as insurance claims, fraud cases, disputes and lawsuits
• Assistance with professional development of staff
Audit documentation: Table of Contents
Documentation should include, at a minimum, a record of:
• Review of previous audit documentation
• The planning and preparation of the audit scope and objectives. IS auditors must have an understanding of the industry, business domain, business process, product, vendor support and overall environment under review.
• Minutes of management review meetings, audit committee meetings and other audit-related meetings
• The audit programme and audit procedures that will satisfy the audit objectives
• The audit steps performed and audit evidence gathered to evaluate the strengths and weaknesses of controls
• The audit findings, conclusions and recommendations
• Any report issued as a result of the audit work
• Supervisory review
The extent of the IS auditor's documentation depends on the needs for a particular audit and should include such things as:
• SCOPE: The IS auditor's understanding of the areas to be audited and its environment.
• The IS auditor's understanding of the information processing systems and the internal control environment, including the:
  • Control environment
  • Control procedures
  • Detection risk assessment
  • Control risk assessment
  • Equate total risk
• The author and source of the audit documentation and the date of its completion
• Methods used to assess adequacy of control, existence of control weakness or lack of controls, and identify compensating controls
• Audit evidence, the source of the audit documentation and the date of completion, including:
  • Compliance tests, which are based on tests of policies, procedures and segregation of duties
  • Substantive tests, which are based on analytic procedures, detailed tests of account balances and other substantive audit procedures
• Acknowledgement from the appropriate person of receipt of the audit report and findings
• Auditee's response to recommendations
• Version control, especially where documentation is in electronic media