Information System Audit : © South-Asian Management Technologies Foundation
Chapter 4: Information System Audit Requirements
Risk Factors
The risk factors inherent in business operations include the following:
– Access risk
– Business disruption risk
– Credit risk
– Customer service risk
– Data integrity risk
– Misstatement risk
– Physical harm risk
– Fraud risk
– Legal and regulatory risk
Risk Analysis and Exposure
A risk is the likelihood that the organisation will face a vulnerability being exploited or a threat becoming harmful.
A threat is an action, event or condition that can compromise the system or its quality and so inflict harm on the organisation.
An attack is a set of actions designed to compromise the confidentiality, integrity, availability or any other desired property of an information system.
Risk and Exposures
A vulnerability is a weakness in the system safeguards that exposes the system to threats.
An exposure is the extent of loss the organisation has to face when a risk materialises.
The likelihood of the threat occurring is the estimate of the probability that the threat will succeed in bringing about an undesirable event.
Information System Control Objectives
– Safeguarding information systems assets
– Compliance with corporate policies, regulatory and legal requirements
– Assuring system reliability
– Maintaining data integrity
– Assuring system security
– Assuring system availability
– Maintaining system controllability
– Assuring system maintainability
– Assuring system usability
– Ensuring system effectiveness
– Maintaining system economy and efficiency
– Maintaining system quality
Information System Audit Objectives
– Assess the adequacy and effectiveness of internal controls.
– Assess the efficient and effective allocation of resources.
– Provide assurance that computer-related assets are safeguarded.
– Ensure that information is accurate, available on request, and reliable.
– Provide reasonable assurance that all errors, omissions, and irregularities are prevented, detected, corrected, and reported.
– Review the systems to ensure compliance with policies, procedures and standards.
– Ensure that legal requirements are complied with, audit trails are incorporated, documentation is completed, and system data integrity and security are maintained.
– Identify and recognise the potential for computer-related fraud, embezzlement, misappropriation and theft.
– Ensure that management takes corrective and preventive actions when required.
Information Systems Abuse
– Destruction of assets
– Theft of assets
– Modification of assets
– Privacy violations
– Disruption of operations
– Unauthorised use of assets
Steps to Asset Safeguarding
– Compiling a functional IT asset list (mission-critical functions)
– Detailing the IT systems identified
– Asset protection
– Assigning of probabilities
Evidence Collection during Audit
– Reviewing the organisational structure, documentation, standards, and practices
– Interviewing appropriate personnel
– Observing processing and operations
– Using audit documentation techniques
– Applying analytical review procedures and sampling techniques
– Using software tools to analyse logs and audit trails
Sources of evidence:
– Physical examination
– Confirmation
– Documentation
– Observation
– Inquiry
– Processing accuracy
– Screen shots
– Log files
– Testing software results
– Analytical procedures
– Audit trails
Audit Trails
Audit trails are records of an activity that can be used to reconstruct the performance of the activity. Ensure an audit trail is kept when:
– Access is granted to a sensitive information asset.
– Network services are accessed.
– Overrides of system controls are used.
– Unsuccessful attempts are made to access sensitive information or use network services.
Include in the audit trail as much of the following as is practical:
– User identification
– Functions, resources and information used or changed
– Date and time stamp (including time zone)
– Workstation address and network connectivity path
– Specific transaction or program executed
Provide an additional real-time alarm for on-line capabilities on:
– Access attempts that violate the access control rules
– Attempts to access functions or information not authorised
– Concurrent log-on attempts
– Security profile changes
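The following is an added example, not part of the original presentation, showing how the audit-trail fields and the four real-time alarm conditions listed above can be put into practice. The JSON-lines log format, the field names (ts, user, ws, event, resource, program, outcome), the event names and the sample log lines are all constructed for this example; a real system's format will differ.

```python
"""Audit-trail records with the fields an auditor expects, plus a real-time
alarm check for the four event classes named on the slide. Added example;
the log format and sample lines below are constructed, not from any real system."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit trail: one JSON object per line. Field names are
# assumptions for this example. Every timestamp carries an explicit offset.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:00+05:30", "user": "alice", "ws": "10.0.0.11", "event": "logon", "resource": "portal", "program": "login", "outcome": "ok"}
{"ts": "2024-03-01T09:00:30+05:30", "user": "alice", "ws": "10.0.0.42", "event": "logon", "resource": "portal", "program": "login", "outcome": "ok"}
{"ts": "2024-03-01T09:01:00+05:30", "user": "bob", "ws": "10.0.0.12", "event": "access", "resource": "payroll_db", "program": "report", "outcome": "denied"}
{"ts": "2024-03-01T09:02:00+05:30", "user": "carol", "ws": "10.0.0.13", "event": "profile_change", "resource": "user:bob", "program": "useradmin", "outcome": "ok"}
{"ts": "2024-03-01T09:03:00+05:30", "user": "bob", "ws": "10.0.0.12", "event": "access", "resource": "ledger", "program": "report", "outcome": "ok"}
{"ts": "2024-03-01T09:04:00+05:30", "user": "bob", "ws": "10.0.0.12", "event": "execute", "resource": "payroll_export", "program": "payroll_export", "outcome": "denied"}
{"ts": "2024-03-01T09:05:00+05:30", "user": "alice", "ws": "10.0.0.11", "event": "logoff", "resource": "portal", "program": "login", "outcome": "ok"}
"""

REQUIRED = ("ts", "user", "ws", "event", "resource", "program", "outcome")


@dataclass(frozen=True)
class AuditRecord:
    """One audit-trail entry carrying the fields the slide lists."""
    ts: datetime      # date and time stamp; a time zone is mandatory
    user: str         # user identification
    ws: str           # workstation address
    event: str        # logon / logoff / access / execute / profile_change
    resource: str     # function, resource or information used or changed
    program: str      # specific transaction or program executed
    outcome: str      # "ok" or "denied"


def parse_record(line: str) -> AuditRecord:
    """Parse one line; reject records that lack a field or a time zone,
    since such records cannot reconstruct the activity reliably."""
    obj = json.loads(line)
    missing = [f for f in REQUIRED if f not in obj]
    if missing:
        raise ValueError(f"audit record missing fields: {missing}")
    ts = datetime.fromisoformat(obj["ts"])
    if ts.tzinfo is None:
        raise ValueError("timestamp must include a time zone")
    return AuditRecord(ts, obj["user"], obj["ws"], obj["event"],
                       obj["resource"], obj["program"], obj["outcome"])


def parse_log(text: str) -> list[AuditRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def real_time_alarms(records: list[AuditRecord]) -> list[tuple[str, str, str]]:
    """Return (alarm_kind, user, timestamp) for each of the four alarm
    classes on the slide, processing records in time order."""
    alarms = []
    active: dict[str, set[str]] = {}   # user -> workstations with an open session
    for r in sorted(records, key=lambda rec: rec.ts):
        if r.event == "logon" and r.outcome == "ok":
            open_ws = active.setdefault(r.user, set())
            # A second successful logon from a different workstation while a
            # session is still open is a concurrent log-on.
            if open_ws and r.ws not in open_ws:
                alarms.append(("concurrent_logon", r.user, r.ts.isoformat()))
            open_ws.add(r.ws)
        elif r.event == "logoff":
            active.get(r.user, set()).discard(r.ws)
        elif r.event == "access" and r.outcome == "denied":
            alarms.append(("access_rule_violation", r.user, r.ts.isoformat()))
        elif r.event == "execute" and r.outcome == "denied":
            alarms.append(("unauthorized_function", r.user, r.ts.isoformat()))
        elif r.event == "profile_change":
            alarms.append(("security_profile_change", r.user, r.ts.isoformat()))
    return alarms


if __name__ == "__main__":
    for kind, user, when in real_time_alarms(parse_log(SAMPLE_LOG)):
        print(f"{when} {kind:24s} user={user}")
```

Running the block on the constructed log raises four alarms: alice's second logon from 10.0.0.42 while her 10.0.0.11 session is open, bob's denied access to payroll_db, carol's change to bob's security profile, and bob's denied execution of payroll_export. Rejecting records without a time zone enforces the "including time zone" requirement at ingest time, which is where an auditor would want it enforced.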
System Logs
– Control total verification
– Transaction logs
– Operator logs, recording:
  – System starting and finishing time
  – System errors and corrective action taken
  – Confirmation of the correct handling of data files and computer output
  – Name of the person making the log entry
– Operator's logs should be compared against operating procedures.
– Fault logging