Chapter Nine: Conducting the IT Audit

Lecture Outline
• Audit Standards
• IT Audit Life Cycle
• Four Main Types of IT Audits
• Using COBIT to Perform an Audit
Audit Standards
• AICPA — Statements of Auditing Standards (SASs)
• ISACA — IS Audit Standards, Guidelines, and Procedures
• AICPA — Statement on Standards for Attestation Engagements (SSAE)
• IFAC — International Auditing Standards
• ISACA — CobiT
The IT Audit Lifecycle
• Planning
• Risk Assessment
• Prepare Audit Program
• Gather Evidence
• Form Conclusions
• Deliver Audit Opinion
• Follow Up
Planning
• Establish scope and control objectives
  • Scope determines the nature and extent of testing to be performed in the audit
  • Control objectives are specified to provide support for the scope
• Set materiality based on the following criteria
  • Select controls to examine based on materiality. A control is material if its absence prevents control objectives from being met
  • Determine materiality for an IS or operation that processes financial transactions by assessing the value of the assets controlled by the system or the volume of transactions processed by the system
  • For nonfinancial transactions, consider the cost of the system, the criticality of the information processed, and the potential cost of errors
• Outsourcing
  • The IT auditor must consider the extent to which the client relies on outsourcing of services to third parties
  • Understand the nature, scope, and timing of such services by reviewing the service agreements
  • Review the controls in place relative to outsourced services
Risk Assessment
• Risk-based audit approach
  • Determine what the critical support processes are
  • Determine what can go wrong within those processes
• Requires a thorough understanding of the client, the industry and environment in which the client operates, and the nature of the client’s business processes
• Materiality is important: if a control is absent, how material is that control?
The Audit Program
• Includes the following components:
  • Audit scope
  • Audit objectives
  • Audit procedures
  • Administrative details such as planning and reporting
• Generic audit programs are customized for the client and the client’s technology, network architecture and topology
• After the audit is complete, the program provides documentation
Gathering Evidence
• Evidence includes:
  • Observed processes and the existence of physical items, such as computer operations or data backup procedures
  • Documentary evidence: program change logs, access logs, authorization tables
  • Flowcharts, narratives, written policies
  • CAAT procedures run on client-provided data files
• Auditors must discern the quality or reliability of the evidence gathered
Forming Conclusions
• After gathering audit evidence, evaluate it and form conclusions on whether the audit objectives are met
• Identify any reportable conditions that represent a substantial control weakness
• Auditors should bring uncovered weaknesses to the attention of management when they are discovered
The Audit Opinion
• ISACA Guideline 70: the audit report should include:
  • Name of the organization being audited
  • Title, signature, and date
  • Statement of audit objectives and whether these were met
  • Scope of the audit
  • Any scope limitations
  • Intended audience
  • Standards and criteria
  • Detailed explanation of all significant findings
  • Conclusion, including reservations or qualifications
  • Suggestions for corrective action or improvement
  • Significant subsequent events
Following Up
• Make provisions to follow up with the client on any reportable conditions
• May take the form of a telephone call to management and subsequent documentation of the conversation
• Or schedule additional audit procedures to satisfy all parties that management has corrected the control weakness
4 Main Types of IT Audits
• Attestation
• Findings and Recommendations
• SAS 70
• SAS 94 – makes up the majority of IT audits, being part of a financial audit
Attestation
• Provides assurance on something for which the client is responsible
• Standard is SSAE 10 (Statements on Standards for Attestation Engagements)
• Includes:
  • Data analytic reviews
  • Commission agreement reviews
  • WebTrust engagements
  • SysTrust engagements
  • Financial projections
  • Compliance reviews
Findings and Recommendations
• Consulting or advisory services – a less structured type of engagement
• Includes:
  • Systems implementations
  • Enterprise resource planning implementations
  • Security reviews
  • Database application reviews
  • IT infrastructure and improvements-needed engagements
  • Project management
  • IT internal audit services
• Does not produce an opinion, but a summary of the work performed
SAS 70 Audit
• Applicable to any service organization that wishes to assure its clients of the existence and effectiveness of internal controls relative to the service provided
• Two types of SAS 70 audits
  • Type I
    • A “walkthrough” that describes a company’s internal controls but does not perform detailed testing of these controls
    • The auditor validates his or her understanding of the controls in place
  • Type II
    • Controls are reviewed and tested over a minimum of six months
SAS 70 Type I report
• A description of the service organization’s process for which the internal controls (IC) are being evaluated
• A description of the scope, nature, and timing of the audit procedures performed
• A statement of the purpose of the engagement and the opinion
• A disclaimer of opinion as to operating effectiveness
• A statement of the risk of projecting the current findings on IC to future periods
• A statement restricting the use of the report to the appropriate parties
SAS 70 Type II report
• A description of the service organization’s process for which the internal controls (IC) are being evaluated
• A description of the scope, nature, and timing of the audit procedures, including a description of all tests of controls and operating effectiveness performed
• A statement of the time period covered by the independent auditor’s report
• A statement of the purpose of the engagement and the opinion
• A statement of the risk of projecting the current findings on IC to future periods
• A statement restricting the use of the report
• A statement that no work was performed at individual user organizations
SAS 94
• Part of a regular financial statement audit
• Requires the auditor to consider the effect of the company’s IT on the assessment of control risk
• Requires the auditor to:
  • Consider how a client’s IT processes affect internal control, evidential matter, and the assessment of control risk;
  • Understand how transactions are initiated, entered and processed through the IS; and
  • Understand how recurring and nonrecurring journal entries are initiated, entered, and processed through the IS
Components of a SAS 94 audit
• May involve any or all of the following steps
• Physical and environmental review
  • Physical security of the data center itself
• Systems administration review
  • Review of the OS, DBMS and compliance with system administration procedures
• Application software review
  • Review any applications identified in the risk assessment stage as vulnerable
  • Review focused on validation of data inputs, processing, output, access control and authorization, error handling, and system log procedures
• Network security review
  • Verification and validation of control procedures around the IS network, including firewalls, router access control, IDS, port scanning, penetration testing, and virus/worm protection
• Business continuity review
  • Testing whether the IS can continue to function even if an event disrupts normal business operations
  • Includes backup procedures, the disaster recovery plan, and maintenance of fault-tolerant systems
• Data integrity review
  • Verifies and validates the client’s data using computer-assisted audit techniques
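The lecture mentions CAAT procedures run on client-provided data files (Gathering Evidence) and a data integrity review that verifies the client's data with computer-assisted audit techniques (SAS 94 components), but does not show what such a procedure looks like. The script below is an added example, not from the lecture or any textbook it follows. It scripts four classic integrity tests over a constructed transaction extract and a constructed authorization table: duplicate and gap detection on transaction IDs (uniqueness and completeness), a control-total reconciliation against a total the client reports (assumed to be obtained by the auditor independently of the extract), posting users absent from the authorization table (access control and authorization), and cut-off testing against the audit period. All data, names and totals are made up for the example.

```python
"""
CAAT-style data integrity checks over a client-provided transaction extract.
Added example; every input below is constructed, not real client data.
"""
import csv
import io
from collections import Counter
from datetime import date
from decimal import Decimal

# Constructed transaction extract, in the CSV form a client might export.
# Row 1005 is deliberately duplicated and 1004 is deliberately missing.
TRANSACTIONS_CSV = """txn_id,posted_on,user,amount
1001,2024-01-05,alice,250.00
1002,2024-01-06,bob,-40.00
1003,2024-01-07,alice,1200.50
1005,2024-01-09,carol,99.99
1005,2024-01-09,carol,99.99
1006,2024-02-15,bob,300.00
"""

# Constructed authorization table: users permitted to post journal entries.
AUTHORIZED_USERS = {"alice", "bob"}

# Control total the client reports for the period (constructed). The auditor
# is assumed to obtain this from a source independent of the extract itself.
CLIENT_CONTROL_TOTAL = Decimal("1810.49")

# Audit period used for the cut-off test (constructed).
AUDIT_PERIOD = (date(2024, 1, 1), date(2024, 1, 31))


def load_transactions(text):
    """Parse the extract; amounts are kept as Decimal so sums are exact."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "txn_id": int(r["txn_id"]),
            "posted_on": date.fromisoformat(r["posted_on"]),
            "user": r["user"],
            "amount": Decimal(r["amount"]),
        })
    return rows


def find_duplicates(rows):
    """Uniqueness test: transaction IDs that appear more than once."""
    counts = Counter(r["txn_id"] for r in rows)
    return sorted(t for t, n in counts.items() if n > 1)


def find_sequence_gaps(rows):
    """Completeness test: IDs missing from the lowest..highest range."""
    ids = {r["txn_id"] for r in rows}
    return sorted(set(range(min(ids), max(ids) + 1)) - ids)


def reconcile_control_total(rows, reported_total, tolerance=Decimal("0.005")):
    """Accuracy test: does the extract sum to the total the client reports?"""
    extract_total = sum((r["amount"] for r in rows), Decimal("0"))
    return extract_total, abs(extract_total - reported_total) <= tolerance


def find_unauthorized_posters(rows, authorized):
    """Authorization test: posting users not present in the authorization table."""
    return sorted({r["user"] for r in rows} - set(authorized))


def find_out_of_period(rows, period):
    """Cut-off test: transactions posted outside the audit period."""
    start, end = period
    return sorted(r["txn_id"] for r in rows if not start <= r["posted_on"] <= end)


def run_caat(text, authorized, reported_total, period):
    """Run all tests and return the exceptions an auditor would follow up."""
    rows = load_transactions(text)
    total, reconciles = reconcile_control_total(rows, reported_total)
    return {
        "duplicates": find_duplicates(rows),
        "gaps": find_sequence_gaps(rows),
        "extract_total": total,
        "reconciles": reconciles,
        "unauthorized_posters": find_unauthorized_posters(rows, authorized),
        "out_of_period": find_out_of_period(rows, period),
    }


if __name__ == "__main__":
    for test, result in run_caat(TRANSACTIONS_CSV, AUTHORIZED_USERS,
                                 CLIENT_CONTROL_TOTAL, AUDIT_PERIOD).items():
        print(f"{test:>22}: {result}")
```

On the constructed data the extract sums to 1910.48 while the client reports 1810.49; the 99.99 difference equals the duplicated entry, which is exactly the kind of cross-check that turns a list of exceptions into a finding. Each function returns the exceptions rather than printing them so the results can be carried into the audit working papers; the quality of the conclusions still depends on the reliability of the extract and the control total, which is why the lecture stresses assessing the evidence itself.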
Using CobiT to Perform an Audit
• Components
  • Executive summary
  • Framework
  • Control objectives
  • Management guidelines
  • Implementation toolset
  • Audit guidelines
• Auditors use the Framework, Control objectives and Audit guidelines
CobiT defines IT processes within 4 domains
• Planning & Organization
• Acquisition & Implementation
• Delivery & Support
• Monitoring
• If no audit program exists, use CobiT to develop the audit program, or
• Map CobiT audit procedures back to the audit objectives and procedures already in place. Add procedures for areas not covered sufficiently by the existing audit program.