Introduction What is IS Audit


1 Introduction: What is IS Audit
How to become an IS Auditor, and the tasks and role of an IS Auditor

2 What is Audit? What is IS Audit?
Audit: “An official examination of accounts to see that they are in order” – The Oxford Dictionary
An INDEPENDENT assessment of, or opinion on, how well (or badly) the financial statements were prepared.
IS audit:
- A review of the controls within an entity's technology infrastructure
- An official examination of IT related processes to see that they are in order

3 What is IS Audit Activity?
Difference between Audit and Evaluation (subject: process and result)
Audit:
- An independent activity
- Norm: doing right
- Done at the end of a phase
- Ex. Checking the progress and quality of a project
Evaluation:
- An activity of management
- Performance: managing right, effectiveness and efficiency
- The next action is improvement
- Done at any time
- Ex. Checking a regulation of project management and how to apply it, including the current situation
Diagram: the company is drawn as layers (Policy and Strategy; Organization and Regulation/Standard; Business Activities; Business Infrastructure), with Independent Audit and Management Evaluation applied to them.

4 Viewpoint of an IS Auditor
SDLC (System Development Life Cycle) with the review points (R) of an IS auditor:
- P1: Feasibility Study (R)
- P2: Requirement Definition (R), followed by the Buy or Make decision
- Make (Build) path: P3: System Design (R), P4: Development (R)
- Buy path: P3: System Selection (R), P4: Configuration (R)
- P5: Implementation (R)
- P6: Post implementation: evaluation and performance review by an audit (R)
- P7: Disposal
The diagram marks a subset of these phases as the scope of general system development.

5 Why IS Audit is needed? Social Background
Information systems have become a main function of business:
- Supporting business activity
- Keeping business information
- Main interface to customers
- Innovation in ICT gave the information system a major role in business
Problems of business management:
- IT systems inappropriate to the business strategy
- Big investment in IT systems with unclear ROI
Problems of security and risk management:
- Computer viruses and illegal access
- System trouble and backup against disaster
Effective and efficient internal management and operation of information systems is needed, and hence an independent Information System Audit.

6 Why IS Audit is needed? Legal Background (1)
After major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom, the 'Public Company Accounting Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and Responsibility Act', commonly called Sarbanes–Oxley, Sarbox or SOX, was enacted as a United States federal law on July 30, 2002. It directs the SEC to enact rules protecting shareholders and the economy:
- Honesty in financial reporting
- Responsibility at the top
- Demonstrated compliance by audits
The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting. Internal control now depends on information systems, so evaluating internal control requires an audit of the information system.

7 Why IS Audit is needed? Legal Background (2)
Company audits before and after SOX:
- Financial Audit (result): Internal Control -> Financial Statement -> Financial Audit -> Financial Audit Report
- Under SOX an Operation Audit (process) is added: Internal Control -> Internal Control Statement -> Internal Control Audit -> Internal Control Audit Report
- Together they form the Integrated Audit
Objectives of internal control: effectiveness and efficiency of operation, assurance of the financial statement, compliance with laws. The operation audit assures the clearance of the financial statement.

8 What is Internal Control?
Internal Control model by COSO, as applied to the financial statement:
- Objectives: Operation, Reporting, Compliance
- Components: Control Environment, Risk Management, Control Activity, Information and Communication, Monitoring
- Organization levels: Enterprise level, Division or subsidiary, Business unit
IT Control sits inside this model as control objective, risk and control.

9 Activities of Internal Control
Control Environment: the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
Risk Management: the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
Control Activity: the policies and procedures that help ensure management directives are carried out. It consists of two aspects: a policy of what should be, and procedures to accomplish the policy.
Information and Communication: support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.
Monitoring: assess the quality of internal control performance over time.
IT Control: a procedure or policy that provides reasonable assurance that the information technology (IT) used by an organization

10 IT Internal Control <= Target of IS Audit
IT control consists of three layers:
- ITCLC: IT Company Level Control (company-wide): IT governance/policy, IT risk management, training, quality assurance, IT internal audit
- ITGC: IT general controls (development, operation and IT infrastructure such as network, servers and PCs): logical access controls; system development life cycle controls; program change management controls; data center physical security controls; system and data backup and recovery; computer operation controls
- ITAC: IT Application Control (application systems such as the accounting system, sales system, ...), to keep processing complete and accurate: input data control, process control, output control

11 What is IS Audit? (Again)
“The process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.” - Ron Weber
The purpose of IS Audit is to realize IT governance through independent and professional auditors who give appropriate assurance based on an evaluation of the risk management and control of the information system. - “Information System Audit Standard”, Japan Ministry of Economy, Trade and Industry

12 Information System Audit
Who becomes an auditor? Certification:
- CISA (Certified Information Systems Auditor) by ISACA (Information Systems Audit and Control Association), since 1978; more than 75,000 professionals in nearly 160 countries; for both (account) auditors and IT specialists
- System Auditor by the Japan Information Technology Engineers Examination, since 1985; mainly for IT specialists
Two routes into Information System Audit:
- (Account) Auditor, with experience of accounting audit
- IT Specialist, with experience of IT strategy, development, project management, IT security, service management, ...
If an (account) auditor wants to become an IS auditor, he/she should master at least the skill and knowledge of the FE exam level.

13 Target of IS Audit and IS Auditor's Skill and Knowledge
CISA examination domains (% of the number of questions in the CISA exam):
- Domain 1—IS Audit Process (10%) <= skill and knowledge for conducting an IT audit
- Domain 2—IT Governance (15%)
- Domain 3—Systems and Infrastructure Lifecycle Management (16%)
- Domain 4—IT Service Delivery and Support (14%)
- Domain 5—Protection of Information Assets (31%)
- Domain 6—Business Continuity and Disaster Recovery (14%)
Domains 2 to 6 <= target of IS audit, and skill and knowledge of IT systems and points of audit

14 Map of IS Auditor's skill and knowledge
The map groups skills into four categories (IT Technical, IT Management, IT Governance, Audit Process & Method) and places each CISA domain's topics in them:
- D1—IS Audit Process: process, method, communication, related standards
- D2—IT Governance: IT strategy, organization management, risk management
- D3—Systems and Infrastructure Lifecycle Management: development method, software testing, system/application architecture, e-commerce/application knowledge, application control, project management, SQM
- D4—IT Service Delivery and Support: H/W, OS, middleware, network & DB, operation & maintenance, service delivery, service support, service strategy
- D5—Protection of Information Assets: security policy & strategy, network security, security technology, logical security, physical security, IT security audit
- D6—Business Continuity and Disaster Recovery: operation & maintenance, backup & recovery, business contingency planning

15 Overview of D1—IS Audit Process Task & Process
Example: a small audit of logical access control (the control over users and programs accessing data, programs and applications). The purpose is to evaluate the validity of the logical access control (passwords) in the targeted organization:
- Review the regulation of policy, management and usage of passwords
- Inspect and survey the management of passwords
- Report whether the current regulation and management of passwords is appropriate or not, and how to modify and improve the logical access control for passwords
Summary of the audit process: Audit Planning -> Perform Test -> Reporting -> Follow-up activity
Topics: audit mission and planning, laws and regulations, standards and guidelines for IS auditing, risk analysis, internal controls, performing an IS audit
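As an added example (not part of the original slides), the "Perform Test" and "Reporting" steps of the small password audit above can be carried out against an extract of account settings. The policy values, the account records and the audit date are all constructed for this illustration; a real audit would take the policy from the organization's regulation and the records from the system under review.

```python
from dataclasses import dataclass
from datetime import date

# Password rules taken from the (hypothetical) organization's regulation;
# the values are constructed for this example.
POLICY = {"min_length": 12, "max_age_days": 90,
          "lockout_threshold": 5, "shared_accounts_allowed": False}
AS_OF = date(2024, 4, 1)  # audit fieldwork date used for the age test (constructed)

@dataclass
class Account:
    user: str
    min_length: int         # minimum password length enforced on this account
    last_changed: date      # date of the last password change
    lockout_threshold: int  # failed logins before lockout; 0 = lockout disabled
    shared: bool            # credential used by more than one person

# Constructed sample of the account population, as an auditor might
# extract it from the system under review.
SAMPLE = [
    Account("alice", 14, date(2024, 3, 1), 5, False),
    Account("bob", 8, date(2023, 11, 1), 0, False),
    Account("svc_backup", 16, date(2024, 1, 15), 5, True),
]

def audit_accounts(accounts, policy, as_of):
    """Perform Test: compare each account with the policy; return (user, control, evidence)."""
    findings = []
    for a in accounts:
        if a.min_length < policy["min_length"]:
            findings.append((a.user, "min_length",
                             f"enforced {a.min_length} < required {policy['min_length']}"))
        age = (as_of - a.last_changed).days
        if age > policy["max_age_days"]:
            findings.append((a.user, "max_age", f"{age} days since last change"))
        if a.lockout_threshold == 0 or a.lockout_threshold > policy["lockout_threshold"]:
            findings.append((a.user, "lockout", f"threshold {a.lockout_threshold}"))
        if a.shared and not policy["shared_accounts_allowed"]:
            findings.append((a.user, "shared_account", "credential shared by several users"))
    return findings

def summarize(findings, population):
    """Reporting: exception counts per control and the number of affected accounts."""
    by_control = {}
    for _, control, _ in findings:
        by_control[control] = by_control.get(control, 0) + 1
    return {"population": population,
            "accounts_with_exceptions": len({u for u, _, _ in findings}),
            "by_control": by_control}
```

Each finding carries the evidence string the auditor would cite in the report; the summary gives the exception rate against the sampled population.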

16 Overview of D2—IT Governance
To provide assurance that the organization has the structure, policies, accountability, mechanisms and monitoring practices in place to achieve the requirements of corporate governance of IT.
Examples of target:
- Planning the IT strategy with the IT Steering Committee
- Implementation of the IT strategy
- Business Process Reengineering
- Risk management for the IT strategy
- Organization and personnel management

17 Overview of D3—Systems and Infrastructure Lifecycle Management
To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance and disposal of systems and infrastructure will meet the organization’s objectives.
Examples of target:
- Application development process and regulation, including needs analysis, cost estimation and quality management
- Validation of the computer and system architecture for the application
- Application control
- Management of outsourcing and vendors

18 Overview of D4—IT Service Delivery and Support
To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization’s objectives.
Examples of target:
- Service Level Agreement
- Validation of hardware and software
- Validation of the network infrastructure
- Monitoring of the information system/infrastructure
- Capacity and configuration management
- Configuration management of software
- Regulation of operation and maintenance
- Help (service) desk and incident/problem management

19 Overview of D5—Protection of Information Assets
To provide assurance that the security architecture (policies, standards, procedures and controls) ensures the confidentiality, integrity and availability of information assets.
Examples of target:
- Policy and regulation of IT security, including risk management
- Validation of logical access control such as passwords and authentication
- Validation of physical access control with security technology and devices
- Validation of the security of the network infrastructure
- Validation of the encryption system
- Validation of environmental control against fire, power breakdown and ...

20 Overview of D6—Business Continuity and Disaster Recovery
To provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.
Examples of target:
- Business Impact Analysis (BIA) and Disaster Recovery Planning (DRP)
- Validation of backup and recovery against disasters
- Validation of means for continuity against disasters

21 Where does an IS auditor work?
Diagram: the company and organization is drawn as layers (Policy and Strategy; Organization and Regulation/Standard; Business Activities; Business Infrastructure). Three kinds of employer of IS auditors are shown against it:
- External audit, in an Audit Company: accounting audit and IS audit
- Internal audit, within the company and organization itself: assurance
- IS consultant, in a Consultant Company: consulting

