
Introduction to IS Audit and Role of Auditor

Understand IS audit, role, & tasks of IS auditor, importance of audit, internal control, legal background, activities, governance, & certification.

willhite


Presentation Transcript


  1. Introduction
     • What is IS Audit?
     • How to become an IS Auditor
     • Task and role of an IS Auditor

  2. What is Audit? What is IS Audit?
     “An official examination of accounts to see that they are in order” – The Oxford Dictionary
     An INDEPENDENT assessment of / opinion on how well (or badly) the financial statements were prepared.
     IS audit:
     • A review of the controls within an entity's technology infrastructure
     • An official examination of IT-related processes to see that they are in order

  3. What is IS Audit Activity?
     (Diagram) The company is shown as layers: Policy and Strategy; Organization and Regulation/Standard; Business Activities; Business Infrastructure. Management performs its own Evaluation of these layers from inside; an Independent Audit examines them from outside. Note the difference between audit and evaluation.

  4. Viewpoint of an IS Auditor: the SDLC (System Development Life Cycle)
     Each phase is a review point (R) for the auditor:
     • P1: Feasibility Study Review
     • P2: Requirement Definition, followed by the Buy or Make (Build) decision
     • P3: System Selection (Buy) / System Design (Make)
     • P4: Configuration (Buy) / Development (Make)
     • P5: Implementation
     • P6: Post-implementation – Evaluation and Performance Review by an Audit
     • P7: Disposal
     P1 to P5 form the scope of general system development.

  5. Why is IS Audit needed? Social Background
     The information system has become a main function of business:
     • Supporting business activity
     • Keeping business information
     • Main interface to the customer
     Innovation in ICT gave the information system a major role in business.
     Problems of business management:
     • IT system inappropriate to the business strategy
     • Big investment in the IT system with unclear ROI
     Problems of security / risk management:
     • Computer virus / illegal access
     • System trouble and backup against disaster
     Effective and efficient internal management and operation of the information system are needed, hence an Independent Information System Audit.

  6. Why is IS Audit needed? Legal Background (1)
     After major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom, the 'Public Company Accounting Reform and Investor Protection Act' / 'Corporate and Auditing Accountability and Responsibility Act', commonly called Sarbanes–Oxley, Sarbox or SOX, was enacted as a United States federal law on July 30, 2002.
     • Directs the SEC to enact rules protecting shareholders and the economy
     • Honesty in financial reporting
     • Responsibility at the top
     • Demonstrate compliance by audits
     The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting.
     Internal control now depends on the information system, so evaluating internal control requires an audit of the information system.

  7. Why is IS Audit needed? Legal Background (2)
     (Diagram) Before: Internal Control → Financial Statement → Financial Audit → Financial Audit Report.
     After SOX (Integrated Audit): Internal Control → Financial Statement → Financial Audit → Financial Audit Report, and in parallel Internal Control Statement → Internal Control Audit → Internal Control Audit Report.
     Objectives of internal control: compliance with laws; assurance of the financial statement; effectiveness and efficiency of operation (Operation Audit). The audit assures the reliability of the financial statement.

  8. What is Internal Control? Internal Control Model by COSO
     (Diagram, the COSO cube)
     • Objectives: Operation; Reporting (Financial Statement); Compliance
     • Components: Control Environment; Risk Management; Control Activities; Information and Communication; Monitoring
     • Organization levels: Enterprise-level; Division or subsidiary; Business unit
     IT control sits within this model: each risk is matched by a control objective.

  9. Activities of Internal Control

  10. IT Internal Control (the target of IS Audit)
     IT control within the company is layered:
     • ITCLC: IT Company Level Control – IT Governance/Policy; IT Risk Management; Training; Quality Assurance; IT Internal Audit
     • ITGC: IT General Controls (Operation, Development, IT Infrastructure: network, server, PC, …) – Logical access controls; System development life cycle controls; Program change management controls; Data center physical security controls; System and data backup and recovery; Computer operation controls
     • ITAC: IT Application Control (Application Systems: Sales System, Accounting System, …), ensuring processing is complete and accurate – Input Data Control; Process Control; Output Control

  11. What is IS Audit? (Again)
     “The process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.” – Ron Weber
     The purpose of IS Audit is to realize IT governance through independent and professional auditors who give appropriate assurance based on an evaluation of the risk management and control of the information system. – “Information System Audit Standard”, Japan Ministry of Economy, Trade and Industry

  12. Who becomes an Auditor? Certification
     CISA (Certified Information Systems Auditor) by ISACA (Information Systems Audit and Control Association), from 1978
     • More than 75,000 professionals in nearly 160 countries
     • For both (Account) Auditors and IT Specialists
     (Account) Auditor → Information System Audit, with experience of:
     • Accounting
     • Audit
     System Auditor by the Japan Information Technology Engineers Examination, from 1985
     • Mainly for IT Specialists
     IT Specialist → Information System Audit, with experience of:
     • IT Strategy
     • Development
     • Project Management
     • IT Security
     • Service Management …
     If an (Account) Auditor wants to become an IS auditor, he/she should master at least the skills and knowledge of the FE exam level.

  13. Target of IS Audit and IS Auditor's Skill and Knowledge
     CISA examination domains (% of the number of questions in the CISA exam):
     • Domain 1 – IS Audit Process (10%) ← skill and knowledge for conducting an IT audit
     • Domain 2 – IT Governance (15%)
     • Domain 3 – Systems and Infrastructure Lifecycle Management (16%)
     • Domain 4 – IT Service Delivery and Support (14%)
     • Domain 5 – Protection of Information Assets (31%)
     • Domain 6 – Business Continuity and Disaster Recovery (14%)
     Domains 2 to 6 ← target of IS Audit, and skill and knowledge of IT systems and points of audit

  14. Map of IS Auditor's Skill and Knowledge
     • D1 – IS Audit Process: Process; Method; Communication; Related standards
     • D2 – IT Governance: IT Strategy; Organization Management; Risk Management; Project Management; SQM
     • D3 – Systems and Infrastructure Lifecycle Management: Development method; Software Testing; System/Application Architecture; E-commerce/Application knowledge; Application control
     • D4 – IT Service Delivery and Support: Service Delivery; Service Support; Service Strategy; H/W, OS, Middleware; Network & DB; Operation & Maintenance
     • D5 – Protection of Information Assets: Security Policy & Strategy; IT Security Audit; Logical Security; Physical Security; Network Security; Security Technology
     • D6 – Business Continuity and Disaster Recovery: Operation & Maintenance; Backup & Recovery; Business Contingency Planning

  15. Overview of D1 – IS Audit Process: Task & Process
     Example: a small audit of Logical Access Control (control over which users and programs may access data, programs and applications). The purpose is to evaluate the validity of logical access control (passwords) in the targeted organization.
     • Review the regulation of policy, management and usage of passwords
     • Inspect and survey the management of passwords
     • Report whether the current regulation and management of passwords is appropriate or not, and how to modify and improve the logical access control for passwords
     Summary of the audit process: Audit Planning → Perform Test → Reporting → Follow-up Activity
     Topics: audit mission and planning; laws and regulations; standards and guidelines for IS auditing; risk analysis; internal controls; performing an IS audit

  16. Overview of D2 – IT Governance
     To provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.
     Examples of target:
     • Planning the IT strategy with the IT Steering Committee
     • Implementation of the IT strategy
     • Business Process Reengineering
     • Risk management for the IT strategy
     • Organization and Personnel Management

  17. Overview of D3 – Systems and Infrastructure Lifecycle Management
     To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization’s objectives.
     Examples of target:
     • Application development process and regulation, including needs analysis, cost estimation and quality management
     • Validation of computer and system architecture for applications
     • Application control
     • Management of outsourcing and vendors

  18. Overview of D4 – IT Service Delivery and Support
     To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization’s objectives.
     Examples of target:
     • Service Level Agreement
     • Validation of hardware and software
     • Validation of network infrastructure
     • Monitoring of information systems/infrastructure
     • Capacity and configuration management
     • Configuration management of software
     • Regulation of operation and maintenance
     • Help (Service) Desk and incident/problem management

  19. Overview of D5 – Protection of Information Assets
     To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.
     Examples of target:
     • Policy and regulation of IT security, including risk management
     • Validation of logical access control such as passwords and authentication
     • Validation of physical access control with security technology and devices
     • Validation of the security of the network infrastructure
     • Validation of the encryption system
     • Validation of environmental controls against fire, power breakdown and …

  20. Overview of D6 – Business Continuity and Disaster Recovery
     To provide assurance that, in the event of a disruption, the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.
     Examples of target:
     • Business Impact Analysis (BIA) and Disaster Recovery Planning (DRP)
     • Validation of backup and recovery against disasters
     • Validation of means for continuity against disasters

  21. Where does an IS auditor work?
     (Diagram) The company and organization is again shown as layers: Policy and Strategy; Organization and Regulation/Standard; Business Activities; Business Infrastructure.
     • External Audit (Audit Company): Accounting Audit; IS Audit
     • IS Consultant (Consultant Company)
     • Internal Audit (within the Company & Organization): Assurance; Consulting
