British Computer Society NORTH LONDON BRANCH
AudIT to BenefIT - 6 sides of the dice
Wednesday 16th January 2008, 18.30 – 20.30
1 topic, 2 hours, 4 sponsors, 6 views, 6 expert presenters, 1 great audience
Are You an Auditor?
4 Sponsors:
* Gotham Digital Science - www.gdssecurity.com
* ISACA London Chapter - www.isaca-london.org
* IT Faculty of the Institute of Chartered Accountants in England and Wales
* SUPINFO The International Institute of Information Technology - www.supinfo.com/uk
6 Views – plus more!
[Target start time 18.30]
* BCS NLB Intro [10 mins.] - Dalim
* Why audit? Who needs it? [15 mins.] - Justin
* What does the auditor do? [15 mins.] - Nick
* What’s audited? [20 mins.] - Fraser
* IT audit tools and techniques [15 mins.] - Martin
* How auditors use COBIT & IT Assurance Guide - Lynn
* How to plan to get value from your audits - Steven
* BCS NLB end of formal event [10 mins.] - Dalim
[Target end time 20.30]
Informal networking (with food & drink) - ALL
6 Expert Presenters
[MC] Dalim Basu, BCS NLB
1. FRASER NICOL, Ernst & Young
2. JUSTIN CLARKE, Gotham Digital Science
3. LYNN LAWTON, ISACA
4. MARTIN ALLEN, PwC
5. NICK FELLOWS, Barclays Plc
6. STEVEN BABB, KPMG & ISACA
[Supporting Cast: NLB team for this event] Jude Umeh, Patrick Roberts, Rebecca King
Exploring the world of Internal Audit What does the auditor do and why? Nick Fellows, CISA - Audit Manager 16 January 2008
Agenda
* The Audit Charter
* The Audit Universe and the Audit Plan
* This audit
The Audit Charter
This is a document that defines the Internal Audit function: its purpose, responsibility, authority and accountability.
* What we are there to do
* How we will maintain our independence and objectivity
* How we will do it and conduct ourselves whilst doing it
* The relationship between IA and its stakeholders
* The KPIs, what they are and how they are measured
Standard S1 and Guideline G5 for Audit Charter can be found on the ISACA website.
The Audit Universe and the Audit Plan
How does the audit department work out what to do?
* Populate the audit universe
* Prioritise based on risk ranking
* Plan
* Agree with stakeholders and get sign off from the Board Audit Committee
The audit
* Understanding the processes, working out the key controls.
* The ‘intention to audit’.
* Testing the controls.
* And the consequence was…
* The report and follow up actions.
Closing thoughts
* Risks are mitigated by controls. Whose controls? Yours.
* An audit is not something that is done to you. It is something that is done with you.
* The more you prepare, the less painful the review will be.
What is Audited? Fraser Nicol – Technology Security and Risk Services, Ernst and Young. AudIT to BenefIT: Presentation to British Computer Society
IT audit – who, why, what and how?
* Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations.
* External auditing is an independent opinion on whether or not financial statements are relevant, accurate, complete, and fairly presented.
* Both approaches are characterised by a systematic approach to the evaluation of risk management, control and governance processes.
* A common industry standard for IT auditing is COBIT 4.1 (Control Objectives for Information and Related Technology), a set of leading practices (framework) for information technology (IT) management, created and governed by the Information Systems Audit and Control Association (ISACA).
* COBIT is organised into 4 domains:
  – Plan and Organise
  – Acquire and Implement
  – Delivery and Support
  – Monitor and Evaluate
Who audits what?
[Chart: example reviews placed against the COBIT domains PO - Plan and Organise, AI - Acquire and Implement, DS - Delivery and Support, ME - Monitor and Evaluate, and Cross Domain Reviews. Legend: Expect Internal Audit Focus / Expect External Audit Focus.]
Reviews shown: IT Strategic Alignment, Online Sales Application Project, Third Party Managed Services, IT Project Management, IT Risk Management, Network Management Review, Data Centre Management Review, IT Procurement, SDLC, Change Management, Application Review, DRP / BCP, System Security, IT Control Operation, Software Licensing, KPI / SLA Review
What gets audited and why?
Example IT risk identified:
1. IT Infrastructure Scalability
2. Exploitation of Security Vulnerabilities
3. IT Strategy not formulated
4. IT Upgrade Activities lead to loss of service
5. Inappropriate IT User activity
Key IT audit approach chart:
A – Potential Over Control
B – Low Risk / Mature Controls
C – Low Risk / Limited Controls
D – Higher Risk / Mature Controls
E – Higher Risk / Limited Controls
[Chart: Inherent risk / Control maturity. Inherent risk axis: Very significant threat, Significant threat, Moderate threat, Low threat, No threat (score bands –25, 16–20, 11–15, 6–10, 1–). Control maturity axis: Over controlled, Fully controlled, Partially controlled, Ad hoc, No controls.]
How – can IT benefit?
Columns: # / Risk (risk owner) / Current Control Environment / Governance Strategy / Action Owner / Completion Date / Status
Category: Higher Risk / Limited Controls
# 1
Risk: Current IT infrastructure is not scalable to support anticipated service requirements
Current Control Environment: Ad Hoc Controls
* KPIs between IT and key user groups are in place
* IT occasionally performs capacity and service monitoring
Owner: IT Management
Governance Strategy:
* IT Management to perform a full scale assessment with key user groups as to future IT needs
* IT Management to review current capacity and infrastructure upgrade plans to align to user needs
* IT Management to continuously monitor the provision of key services and agreed service levels
Status: Open
Summary
* Understand who the auditors are, what they are looking for, and what the output of the audit is going to be
* Understand the risks to your own areas, be proactive in engaging with the auditors to explain your area and align their understanding of key risks with yours
* Early planning is always performed at a high level, sometimes the principal actions sit with IT or the business. You need to be involved as closely as possible in audit planning to
Contact: Fraser Nicol, Senior Manager
PricewaterhouseCoopers LLP PwC Tools and Techniques Martin Allen FIIA, QiCA, CISA 16 January 2008
Tools and Techniques: The Environment
[Diagram labels: Raw goods and services, Income, Laws and regulations, Competitor Intelligence, Social responsibilities, Finished goods and services, Expenditure, Financial Accountants, Corporate Reporting, Non-financial/regulatory reporting, Financial Records, Management Accounts, MIS / Datawarehouse, Corporate Entity, Computer System]
Tools and Techniques
Indicators that computer tools and techniques would help audit process:
* Requirement to analyse large volumes of data or complex calculations
* Reliance upon reports generated from computer systems
* ‘Black box’ style systems where complex processing of data is not transparent
* Key reconciliation reports regularly highlight differences
* New or modified systems
* Interfaces between computer systems poorly controlled
Tools and Techniques
Tools available on the desktop:
* Spreadsheets
* Databases
* MS Query
Tools and Techniques
Tools that can be acquired:
* IDEA
* ACL
* OAK
* Datanomic
Tools and Techniques
Risks:
* Can allow the auditor to reach the wrong conclusion
* Easy for inexperienced auditors to be caught out
* Data interrogation does not test controls
Benefits:
* Allows 100% sample size
* Allows quick identification of unusual or required data
* Allows auditor to use the power of the computer to improve the efficiency and effectiveness of the audit