Information Technology Audit


1 Information Technology Audit
AIG Presentation 6/16/2014

2 Topics
- IT controls
- Types of IT controls
- Linkage of IT controls to the financial audit
- Understanding IT controls
- IT governance
- Key areas of IT governance
- IT governance framework
- IT governance risks
- Role of audit

3 IT Controls
An IT control is a process that provides assurance for information and information services, and helps to mitigate the risks associated with the use of technology.
Two components:
- Application controls
- General controls

Information technology (IT) is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT control is a process that provides assurance for information and information services, and helps to mitigate the risks associated with the use of technology. IT controls have two significant components: automation of business controls and control of IT.

It is not necessary to know everything about IT controls. Do not be concerned if you do not understand the full intricacies of IT controls; many of these controls are the domain of specialists. There are two key control concepts to remember:
- Assurance must be provided by the IT controls within the whole system of internal control, and it must be continuous and produce a reliable and continuous trail of evidence.
- The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks being managed, as well as performing sufficient tests to ensure the controls are appropriately designed and function effectively.

4 Types of Controls
By the area in which an IT control resides, it can be classified as a general control or an application control. General controls (also known as infrastructure controls) apply to all system components, processes, and data for a given organization or systems environment. General controls include, but are not limited to: information security policy; administration, access, and authentication; backup, recovery, and business continuity. Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, transaction logging, and error reporting.

The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.
- Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include antivirus software, firewalls, and intrusion prevention systems.
- Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts, or accounts that have been flagged for monitoring of suspicious activities.
- Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors to recovery from incidents, disruptions, or disasters.

Another common classification of controls is by the group responsible for ensuring they are properly implemented and maintained. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical.

5 General Controls: what is relevant for testing?
The four IT general control domains and when each is in scope:
- Access to programs and data, and Program changes: both of these domains are almost always relevant, but their complexity and the extent of audit evidence needed can vary greatly by organization.
- Program development: relevant only where new system implementations will impact ICFR and the risk of material misstatement. Testing is generally not required if there is no impact on the current-year financial statements and ICFR.
- Computer operations: relevant only if needed to directly address assertions over significant accounts (more common in high-transaction-volume industries with complex systems, such as banking) or to address specific tasks.
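The two domains that are almost always in scope, access to programs and data and program changes, are typically tested with data extracted from the HR system, the application's user list and the change-ticket tool. The script below is an added example of that kind of audit analytics; it is not code from the presentation. The roster, user list and tickets are constructed, and field names such as term_date, developer, approver, deployer and tested are assumptions about what an auditor would pull from those systems.

```python
"""Audit analytics for two ITGC domains: access to programs and data, and
program changes.

Added example; not code from the presentation. All data is constructed and
the field names are assumptions about the extracts an auditor would obtain.
"""
from datetime import date

TEST_DATE = date(2014, 6, 16)          # date of the access-list extract
PRIVILEGED_ROLES = {"SYSADMIN"}        # roles that can change programs or data

# Constructed HR roster as of the test date.
HR_ROSTER = {
    "alice": {"status": "active", "term_date": None},
    "bob": {"status": "terminated", "term_date": date(2014, 3, 31)},
    "carol": {"status": "active", "term_date": None},
    "dave": {"status": "terminated", "term_date": date(2014, 5, 15)},
}

# Constructed user list extracted from the in-scope application.
APP_USERS = [
    {"user_id": "alice", "enabled": True, "role": "AP_CLERK", "last_login": date(2014, 6, 10)},
    {"user_id": "bob", "enabled": True, "role": "AP_CLERK", "last_login": date(2014, 4, 2)},
    {"user_id": "carol", "enabled": True, "role": "SYSADMIN", "last_login": date(2014, 6, 12)},
    {"user_id": "dave", "enabled": False, "role": "GL_POSTER", "last_login": date(2014, 5, 1)},
    {"user_id": "svc_batch", "enabled": True, "role": "SYSADMIN", "last_login": None},
]

# Constructed change tickets closed in the period.
CHANGE_TICKETS = [
    {"id": "CHG-101", "developer": "carol", "approver": "alice", "deployer": "svc_batch", "tested": True},
    {"id": "CHG-102", "developer": "carol", "approver": "carol", "deployer": "carol", "tested": True},
    {"id": "CHG-103", "developer": "alice", "approver": "carol", "deployer": "svc_batch", "tested": False},
]


def terminated_with_active_access(app_users, hr_roster, as_of):
    """Leavers whose account is still enabled: (user_id, days since termination)."""
    findings = []
    for u in app_users:
        hr = hr_roster.get(u["user_id"])
        if hr and u["enabled"] and hr["status"] == "terminated":
            findings.append((u["user_id"], (as_of - hr["term_date"]).days))
    return findings


def logins_after_termination(app_users, hr_roster):
    """Leavers whose last login is later than their termination date: the access
    was actually used, not merely left open."""
    findings = []
    for u in app_users:
        hr = hr_roster.get(u["user_id"])
        if (hr and hr["status"] == "terminated" and u["last_login"] is not None
                and u["last_login"] > hr["term_date"]):
            findings.append((u["user_id"], u["last_login"]))
    return findings


def privileged_without_hr_owner(app_users, hr_roster):
    """Privileged accounts with no matching person in HR (shared or service ids);
    each one needs a documented owner and a periodic access review."""
    return [u["user_id"] for u in app_users
            if u["role"] in PRIVILEGED_ROLES and u["user_id"] not in hr_roster]


def change_control_exceptions(tickets):
    """Program changes: segregation-of-duties and test-evidence exceptions per ticket."""
    exceptions = []
    for t in tickets:
        reasons = []
        if t["approver"] == t["developer"]:
            reasons.append("self-approved")
        if t["deployer"] == t["developer"]:
            reasons.append("developer deployed own change")
        if not t["tested"]:
            reasons.append("no test evidence")
        if reasons:
            exceptions.append((t["id"], reasons))
    return exceptions


if __name__ == "__main__":
    print("Enabled after termination:", terminated_with_active_access(APP_USERS, HR_ROSTER, TEST_DATE))
    print("Used after termination:", logins_after_termination(APP_USERS, HR_ROSTER))
    print("Privileged, no HR owner:", privileged_without_hr_owner(APP_USERS, HR_ROSTER))
    print("Change exceptions:", change_control_exceptions(CHANGE_TICKETS))
```

The four functions map to the evidence an auditor asks for in these two domains: leaver de-provisioning (and whether an open account was used), ownership of privileged and service accounts, and segregation of duties and test evidence on changes moved to production. On real extracts the same logic runs over the full population rather than a sample.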

6 Application Architecture layers & their relative risks

7 Application Controls vs. IT General Controls
IT general controls:
- Activities that ensure the effective operation of application controls, automated accounting procedures that depend on computer processes, and manual controls that use application-generated information/reports
- May also serve as application controls, e.g. password controls
- Are pervasive, and therefore often do not directly support financial statement assertions

Application controls:
- Think in terms of "does this directly relate to the input, processing or output of financial transactions?"
- Directly support CAVR (Completeness, Accuracy, Validity and Restricted Access), thereby contributing to comfort over financial statement assertions
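To make the CAVR mapping concrete, here is an added example (not code from the presentation) of the application controls slide 4 lists, data edits, transaction logging and error reporting, applied to a batch of journal lines, together with the detective control slide 4 describes for inactive accounts. The batch layout, account master, role table and function names are constructed for illustration.

```python
"""Application controls over a batch of journal lines, mapped to CAVR
(Completeness, Accuracy, Validity, Restricted access).

Added example; not code from the presentation. The batch layout, account
master, role table and every function name are constructed.
"""
from datetime import date

# Constructed reference data.
ACCOUNT_MASTER = {
    "1000": {"name": "Cash", "status": "ACTIVE"},
    "2000": {"name": "Accounts payable", "status": "ACTIVE"},
    "3900": {"name": "Dormant clearing", "status": "INACTIVE"},
}
USER_ROLES = {"alice": {"GL_POSTER"}, "eve": {"AP_CLERK"}}
PERIOD = (date(2014, 6, 1), date(2014, 6, 30))   # open accounting period

# Constructed batch: header control totals come from the sending system.
BATCH = {
    "header": {"record_count": 4, "hash_total": 4700.00},
    "lines": [
        {"seq": 1, "account": "1000", "amount": 1500.00, "date": date(2014, 6, 16)},
        {"seq": 2, "account": "2000", "amount": -1500.00, "date": date(2014, 6, 16)},
        {"seq": 3, "account": "3900", "amount": 200.00, "date": date(2014, 6, 16)},
        {"seq": 4, "account": "9999", "amount": 1500.00, "date": date(2014, 7, 2)},
    ],
}


def input_edits(line):
    """Preventive input edits (Validity, Accuracy). Returns error codes; [] means clean."""
    errors = []
    if line["account"] not in ACCOUNT_MASTER:
        errors.append("E01_UNKNOWN_ACCOUNT")
    if not isinstance(line["amount"], (int, float)) or line["amount"] == 0:
        errors.append("E02_BAD_AMOUNT")
    if not PERIOD[0] <= line["date"] <= PERIOD[1]:
        errors.append("E03_DATE_OUT_OF_PERIOD")
    return errors


def completeness_check(batch):
    """Completeness: record count and hash total (sum of absolute amounts) must
    equal the header totals, otherwise the whole batch is rejected."""
    lines = batch["lines"]
    hash_total = round(sum(abs(l["amount"]) for l in lines), 2)
    hdr = batch["header"]
    return len(lines) == hdr["record_count"] and hash_total == hdr["hash_total"]


def inactive_account_hit(line):
    """Detective control: a posting to an account flagged INACTIVE is accepted
    by the edits but reported for follow-up."""
    acct = ACCOUNT_MASTER.get(line["account"])
    return acct is not None and acct["status"] == "INACTIVE"


def process_batch(batch, user):
    """Run the controls in order and return an auditable result."""
    result = {"status": None, "posted": [], "rejected": {}, "flagged": [], "log": []}
    # Restricted access: only a GL poster may post, and the refusal itself is logged.
    if "GL_POSTER" not in USER_ROLES.get(user, set()):
        result["status"] = "ACCESS_DENIED"
        result["log"].append({"event": "ACCESS_DENIED", "user": user})
        return result
    if not completeness_check(batch):
        result["status"] = "BATCH_REJECTED"
        result["log"].append({"event": "BATCH_REJECTED", "user": user})
        return result
    for line in batch["lines"]:
        errors = input_edits(line)
        if errors:
            result["rejected"][line["seq"]] = errors   # error report for the preparer
            continue
        result["posted"].append(line["seq"])
        # Transaction log: who posted what, the audit trail auditors re-perform against.
        result["log"].append({"event": "POSTED", "user": user, "seq": line["seq"],
                              "account": line["account"], "amount": line["amount"]})
        if inactive_account_hit(line):
            result["flagged"].append(line["seq"])
    result["status"] = "POSTED" if result["posted"] else "NOTHING_POSTED"
    return result


if __name__ == "__main__":
    print(process_batch(BATCH, "alice"))
    print(process_batch(BATCH, "eve"))
```

Each control answers one CAVR question: the role check restricts who can post, the batch totals give completeness, the edits give validity and accuracy, and the log and error report are the evidence an auditor inspects. Line 3 shows the preventive/detective distinction from slide 4: it passes every edit and is posted, but the inactive-account check reports it.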

8 Linkage of IT controls to Audit Comfort

9 Understanding IT Controls
A top-down approach is used when considering which controls to implement and determining the areas on which to focus.

When considering controls to implement, and in determining where to focus audit resources during reviews of the entire IT operating environment, this hierarchy represents a logical "top-down" approach: from the overall high-level policy statements issued by management and endorsed by the board of directors, down to the specific control mechanisms incorporated into application systems. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

10 Importance of IT Controls
Needs for IT controls include:
- controlling cost
- remaining competitive
- protecting information assets
- complying with laws and regulations
Implementing effective IT controls will improve the efficiency, reliability, flexibility and availability of assurance evidence.

Many issues drive the need for IT controls, including legislative and regulatory bodies. Some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is the Sarbanes-Oxley Act, which requires all publicly traded companies in the United States and their foreign subsidiaries to report on their system of internal controls over financial reporting, performed in conjunction with an audit of the financial statements.

11 Roles and Responsibilities
- Board of Directors / Governing Body
- Management: define, approve and implement IT controls, or understand the use of IT controls
- Auditors: internal auditors provide assurance; external auditors perform periodic auditing

Many different roles have emerged in recent years. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls, to avoid confusion and ensure accountability for specific issues.

Board: one important role of the full board of directors is to determine and approve strategies, set objectives, and ensure the objectives are being met to support the strategies. The audit committee should treat IT controls as strong elements in its oversight of financial issues, internal control assessment, risk management, and ethics.

Management: several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual to each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, organizations still need to keep many of these roles in-house to provide oversight of the outsourced functions.

12 Based On Risk
- Analyzing risk: identify risks
- Consider risk in determining the adequacy of IT controls
- Define the risk mitigation strategy: accept / eliminate / share / control / mitigate
- Consider baseline IT controls

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, through experience or formal risk assessment, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. While much good advice is available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

13 Monitoring & Techniques
Monitoring and assessing IT controls:
- Choose a control framework
- Use a proper audit methodology
- Ongoing monitoring / special review / automated continuous auditing

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to and be used by the whole organization, not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation. Another vital point in using any framework is that the auditor must apply judgment, consider risk, and ensure that each activity is properly scoped.

14 Assessment
Assessing IT controls is an ongoing process because:
- business processes are constantly changing
- technology continues to advance
- threats evolve as new vulnerabilities emerge
- audit methods keep improving

Much has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies, but also to enable certain business processes that cannot be performed manually. The audit process has similarly evolved to match the automation of business processes: from "auditing around the computer" in the early days of automation, auditors now routinely use software to test or analyze data and technical controls within systems. Today, automated continuous auditing is becoming increasingly important to organizations. GTAG 3, Continuous Auditing, covers in detail the implications of continuous assurance, monitoring and risk assessment.

15 What is IT Governance?
Managing IT operations and IT projects to ensure alignment between these activities and the needs of the organization as defined in the strategic plan. This means:
- Management understands the potential and limitations of IT
- The IT function understands the objectives and corresponding needs of the organization
- These understandings are applied and monitored throughout the organization via an appropriate governance structure and accountability

Understanding the value and cost of IT is important for the board, senior management and IT management. Successful alignment between the organization and IT occurs when the goals and objectives of IT are aligned with the needs of the organization, and IT is able to meet those needs in collaboration with management.

16 Key Areas of IT Governance
- Chief IT officer roles and responsibilities: CIO, CTO, Chief Information Security Officer
- Accountability and decision-making
- IT performance and monitoring metrics, including financial management of IT operations and projects
- Executive/senior management understanding of how IT supports and enables the organization's strategy and objectives
- Alignment between IT and the organization
- IT governance risks and controls

17 IT Governance: Aligning IT & Business
The board and senior management should play critical roles in evaluating alternatives, providing direction, and monitoring IT and the achievement of the organization's objectives and strategies.

18 IT Governance: Characteristics
IT governance consists of the organizational structure, leadership and processes that ensure IT supports the organization's strategies and objectives. The five components of IT governance, with the questions to ask for each:

Organizational and governance structures
- Is there a CIO in place, and is s/he a member of the senior management team?
- Are the roles and responsibilities clearly defined and communicated, and are the leaders empowered and held accountable for results?

Executive leadership and support
- Has senior management clearly defined and communicated the roles and responsibilities of the IT function with respect to achieving the organization's strategic and tactical goals?
- Does IT have adequate funding to meet the organization's needs?

Strategic and operational planning
- Do the board and senior management view IT as a strategic organizational partner?
- Are KPIs used by senior management to measure and monitor the effectiveness of IT functions?

Service delivery and measurement
- Do the board and senior management have a clear understanding of IT costs and how they add value?
- How do IT costs compare to those of other comparable organizations?

IT organization and risk management
- To what degree are the organization's processes automated?
- Are data standardized and easily shared across applications and the IT infrastructure?

19 IT Governance: Benefits
- Enhances the relationship between the organization and IT
- Enterprise risk management of the organization and IT
- Visibility into IT management's ability to achieve its objectives
- Improves the adaptability of IT to changes in the organization and the IT environment

IT governance can influence and impact the entire organization. IT governance structures and processes provide a mechanism to link the use of IT to the overall organizational strategies. They also help link IT closely to the organization's risk management activities, including ERM. Determine the linkage between the IT metrics and objectives, and validate that the metrics are being measured accurately and represent realistic views of IT operations. IT governance provides the foundation for IT to manage its responsibilities and support the organization through defined processes, roles and responsibilities of IT personnel.

20 IT Governance Risks
For each IT governance component: example of misalignment -> consequence (risk)

Organization and governance structure
- Lack of empowerment/accountability -> creates a leadership void and potential lost opportunities
- Unclear communication channels between IT and organizational unit leaders -> lack of an effective planning and monitoring system

Executive leadership and support
- Lack of a clear entity-wide vision by senior management -> inability to meet the organizational mission
- The strategic importance of IT is not assessed -> misunderstanding of the role of IT in the organization

Strategic and operational planning
- Organizational strategy does not address IT -> strategic IT objectives will not be achieved

21 IT Governance Risks (continued)
For each IT governance component: example of misalignment -> consequence (risk)

Strategic and operational planning
- Ineffective IT financial management -> misuse of IT financial resources

Service and delivery management
- Costs are higher than in comparable entities -> inefficiencies are the norm and not the exception
- No meaningful metric, or too many metrics -> inability to achieve financial and management goals

IT organization and risk management
- No standard for technology selection -> potential design inefficiencies and lack of viable benchmarking options
- Data are not shared -> duplication of effort

22 Role of Internal Audit in IT Governance
- Review organizational structures, processes and policies for completeness, accuracy and relevancy
- Evaluate the adequacy and effectiveness of controls in responding to risk
- Assess whether the organization's IT governance supports its strategies and objectives
- At a minimum, understand how well IT financial management has been designed and deployed by senior management

The primary responsibility for IT governance lies with the board and senior management. The internal audit activity is responsible for assessing whether the organization's IT governance supports its strategies and objectives. While the internal audit activity cannot establish the organizational structure, approve methodologies or write policies, it should review them for completeness, accuracy and relevancy.

23 Questions