Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Published byJane Roff Modified over 9 years ago

Similar presentations

Presentation on theme: "Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements."— Presentation transcript:

1 Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements

2 Information System Audit : © South-Asian Management Technologies Foundation Risk Factors The risk factors inherent in business operations include the following: * Access Risk* Business Disruption Risk * Credit Risk* Customer Service Risk * Data Integrity Risk * Misstatement Risk * Physical Harm Risk* Fraud Risk * Legal And Regulatory Risk

3 Information System Audit : © South-Asian Management Technologies Foundation Risk analysis and Exposure A Risk is the likelihood that the organisation would face a vulnerability being exploited or a threat becoming harmful A Threat is an action, event or condition where there is a compromise in the system, its quality and ability to inflict harm to the organisation. Attack is a set of actions designed to compromise confidentiality, integrity, availability or any other desired feature of an information system.

4 Information System Audit : © South-Asian Management Technologies Foundation Risk and Exposures Vulnerability is the weakness in the system safeguards that exposes the system to threats. An Exposure is the extent of loss the organisation has to face when a risk materialises. Likelihood of the threat occurring is the estimation of the probability that the threat will succeed in achieving an undesirable event.

5 Information System Audit : © South-Asian Management Technologies Foundation Information System Control Objectives

6 Information System Audit : © South-Asian Management Technologies Foundation Information System Control Objectives Safeguarding information systems assets Compliance with corporate policies, regulatory and legal requirements Assuring system reliability Maintaining data integrity Assuring system security Assuring system availability

7 Information System Audit : © South-Asian Management Technologies Foundation Information System Control Objectives Maintaining system controllability Assuring system maintainability Assuring system usabilityensuring system effectiveness Maintaining system economy and efficiency Maintaining system quality

8 Information System Audit : © South-Asian Management Technologies Foundation Information System Audit Objectives Adequacy and effectiveness of internal controls. Efficient and effective allocation of resources Provide assurance that computer-related assets are safeguarded. Ensure that information is accurate, available on request, and reliable. Provide reasonable assurance that all errors, omissions, and irregularities are prevented, detected, corrected, and reported. Review the systems to ensure compliance to policies, procedures and standards.

9 Information System Audit : © South-Asian Management Technologies Foundation Information System Audit Objectives Ensure legal requirements are complied with, audit trails are incorporated, documentation is completed and systems data integrity and security is maintained. To identify and recognize the potential of computer related fraud, embezzlement, misappropriations and thefts. Ensure that the management takes corrective and preventive actions when required

10 Information System Audit : © South-Asian Management Technologies Foundation Information Systems Abuse Destruction of assets Theft of assets Modification of assets Privacy violations Disruption of operations Unauthorised use of assets

11 Information System Audit : © South-Asian Management Technologies Foundation Steps to Asset Safeguarding Compiling functional IT asset list - Mission-critical functions Detailing the IT systems identified Asset protection Assigning of probabilities

12 Information System Audit : © South-Asian Management Technologies Foundation Evidence Collection during Audit Reviewing the organizational structure, documentation, standards, and practices. Interviewing appropriate personnel Observing processing and operations. Using audit documentation techniques Applying analytical review procedures and sampling techniques. Using software tools to analyse logs and audit trails

13 Information System Audit : © South-Asian Management Technologies Foundation Evidence Collection during Audit Physical Examination Confirmation Documentation Observation Inquiry Processing accuracy Screen shots Log Files Testing Software Results Analytical Procedures Audit Trails

14 Information System Audit : © South-Asian Management Technologies Foundation Audit Trails Audit trails are records of an activity that can be used to reconstruct the performance of the activity. Ensure audit trail when: –Access is granted to a sensitive information asset. –Network services are accessed. –Override system controls are used –Unsuccessful attempts are made to access sensitive information or use network services.

15 Information System Audit : © South-Asian Management Technologies Foundation Audit Trails To include in the audit trail as much of the following as is practical: –User identification –Functions, resources and information used or changed –Date and time stamp (including time zone) ; –Work-station address and network connectivity path –Specific transaction or program executed.

16 Information System Audit : © South-Asian Management Technologies Foundation Audit Trails To provide an additional real time alarm for on-line capabilities: –Access attempts that violate the access control rules –Attempts to access functions or information not authorized –Concurrent log-on attempts –Security profile changes

17 Information System Audit : © South-Asian Management Technologies Foundation System Logs Control Total Verification Transaction logs Operator logs System starting and finishing time System errors and corrective action taken Confirmation of the correct handling of data files and computer output Name of the person making the log entry. Operator’s logs should be compared against operating procedures. Fault logging

Download ppt "Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements."

Similar presentations

Bodnar/Hopwood AIS 7th Ed1 Chapter 5 u TRANSACTION PROCESSING AND INTERNAL CONTROL PROCESS.

Bodnar/Hopwood AIS 7th Ed1 Chapter 5 u TRANSACTION PROCESSING AND INTERNAL CONTROL PROCESS.
Control and Accounting Information Systems

Control and Accounting Information Systems
Auditing Concepts.

Auditing Concepts.
©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 10-1 Accounting Information Systems 9 th Edition Marshall.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 10-1 Accounting Information Systems 9 th Edition Marshall.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Internal Control.

Internal Control.
Auditing Computer Systems

Auditing Computer Systems
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
The Islamic University of Gaza

The Islamic University of Gaza
The Islamic University of Gaza

The Islamic University of Gaza
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.

Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
The Information Systems Audit Process

The Information Systems Audit Process
Overview of IS Auditing n Need for control and Audit of Computers –Org cost of data loss –cost of incorrect decision –Value of hardware, software, personnel.

Overview of IS Auditing n Need for control and Audit of Computers –Org cost of data loss –cost of incorrect decision –Value of hardware, software, personnel.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Chapter 10: Computer Controls for Organizations and Accounting Information Systems

Chapter 10: Computer Controls for Organizations and Accounting Information Systems
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google