Chapter 2: Audit and Review: Its Role in Information Technology
MBAD 7090
IS Security, Audit, and Control (Dr. Zhao)
Objectives
• Understand IT governance
• The purpose of an IT audit function
• Risk assessment: three methodologies
• IT auditor: skills, standards and resources
• Management's roles and responsibilities in IT auditing
Introduction
• Information technology audit functions are considered part of the business environment. Their unique blend of skills helps to assess the company's exposures and to develop controls associated with its use of technology.
IT Governance
• Corporate governance
  • The set of processes, customs, policies, laws and institutions affecting the way a corporation is directed, administered or controlled.
  • Sets the goals
  • Specifies the relationships among key stakeholders
  • Ensures individual accountability
• IT governance
  • A subset discipline of corporate governance
  • Focused on information systems
IT Governance
• IT governance
  • The process of directing and controlling an enterprise's IT
• IT governance needs to ensure:
  • Strategic alignment between IT and enterprise objectives
  • Maximization of the value of IT investments
  • A way to measure IT's performance
  • Effective management of IT-related risks
Reasons to Have an IT Audit Function
• Increased dependence on, and investment in, information systems
• Increased organizational impacts caused by IT, both positive and negative
• Unsatisfactory data reliability and security
• Advancements in technology
Auditing Concerns
• Focus on the systems' controls
• Look at the total systems environment
  • Objectives: what we are trying to accomplish
  • Context: industry sector, organizational structure, business relationships
• Ensure provisions are made for:
  • Transaction trails from beginning to end
  • Handling exceptions
  • Testing of controls
  • Authorization over changes to systems
  • Training of user personnel
  • Adequate security to protect data
  • Backup and recovery procedures
Risk Assessment: Three Methodologies
• Castellans: using a "fortress" to physically secure systems
  • E.g., isolated spaces
• Guardians: using law enforcement and administrative regulations to prevent computer crimes
• Gatekeepers: limiting access
  • E.g., passwords, encryption, biometrics
IT Auditor: Job Outlook
• Growth rate for accountants and auditors (www.bls.gov): 18% between 2006 and 2016
• IT auditor:
  • One of the fastest growing careers
  • An 11.2% increase in 2006
  • Technology positions on average grew 3% in 2006
  • Salary range $67,000-$94,250, an 11% increase over 2005
IT Auditor: Knowledge, Skills, and Abilities
• Understand the overall control philosophy
• Technical skills
• Understand information system management
• Ability to communicate technical information
• Experience with a particular industry and/or the specific business
• Communication skills that enable the auditor to bridge the gap between IT professionals and business management
IT Auditor Independence
• Need to value and recognize the integrity of the audit process
• Audit reports and opinions must be free of bias or influence
• Sarbanes-Oxley
  • Auditor rotation
  • Scope-of-service restrictions
IT Audit Continuous Reassessment
• Stay on track with audits
• The auditor steps back and reassesses the audit project:
  • Reaffirm audit goals
    • E.g., to ensure that current documentation is available, adequate, and safeguarded
  • Verify audit scope
    • E.g., vendor-supplied systems and internal modifications
• If the auditor has deviated from either, the audit scope should be evaluated and revised
IT Auditor Ethical Standards
• To be an auditor, one must have high ethical standards
• Auditors are trusted individuals
• Some things may be unethical but still legal
• Examples from a typical code of ethics:
  • "Will inform each organization, employer or client of any business connections, interests or affiliations which might influence my judgment or impair the equitable character of my services."
  • "Will respect my peers' opinions and conduct to ensure that honesty and openness are demonstrated within an audit team."
Class Exercise
• Bob has just been assigned to work as an external IT auditor for the XYZ company. His wife found a job as a junior IT manager at XYZ one month ago.
• Q: What should Bob do?
IT Auditor Resources
• Experience
• Colleagues (IT professionals and other auditors)
• Publications and periodicals in IT and/or audit
• Seminars
• University training
The Role of the IT Auditor
• IT auditor as counselor
  • Active role in the development of policies on auditability, control, testing, and standards
  • Educate users and IT personnel on the importance of compliance with control requirements
• IT auditor as a partner of senior management
  • Provide an independent assessment of the effect of IT decisions on the business
  • Verify that all alternatives are considered, risks are assessed, solutions are technically correct, business needs are satisfied, and costs are reasonable
Internal vs. External Auditors
• The internal IT auditor:
  • Provides assurance to management that its policies and procedures are implemented and working as intended
  • Monitors and tests system reliability
• The external IT auditor:
  • Evaluates the reliability and validity of computer system controls, which minimizes the transaction testing required to render an opinion on financial statements
  • Deals with both manual and automated systems
Key Certifications and Professional Associations
• Certified Internal Auditor (CIA), by the Institute of Internal Auditors
• Information Systems Audit and Control Association (ISACA)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • ISACA Charlotte Chapter
• International Information Systems Security Certification Consortium (commonly known as (ISC)²)
  • Certified Information Systems Security Professional (CISSP)
Collaboration between IT Auditors and IT Managers
Are these attitudes correct?
• Manager: "Arguing with an Auditor is like mud wrestling with a pig! After a time you realize that the pig is enjoying himself."
• Manager: "Are we the evils ourselves or dealing with evils?"
How IT Managers Support the IT Audit Function
• Support and participate in the audit planning process
• Develop and promote risk and control awareness
• Provide resources to accomplish the audit tasks
• Hold the auditors to their standards of practice
What IT Managers Need to Know About an Audit
• What is the purpose of the audit?
• What are the audit's scope and objectives?
• Who is assigned to perform the audit?
• What is the timeframe for the audit?
• What IT resources are needed?
  • Systems, staff
What Should IT Managers Expect From an Audit?
• Regular communication
  • Audit status
  • Issues found to date
• A closing meeting to review the audit process and results (issues, actions, plans, etc.)
• A final audit report
• Audit follow-up on action plans identified during the audit
Class Exercise
• In the following scenario:
  • What assistance could an IT auditor provide?
  • How can IT managers get involved?
• Scenario: A new system is being developed that will enable customers to view their account status and submit orders via the Internet. The technology used is new to the company.