
Auditing Information Systems (AIS)

Presentation on theme: "Auditing Information Systems (AIS)"— Presentation transcript:

1 Auditing Information Systems (AIS)
Lecture 5: IT Governance

2 Corporate Governance
- Ethical corporate behavior by directors or others charged with governance in the creation and presentation of value for all stakeholders
- The distribution of rights and responsibilities among the different participants in the corporation, such as the board, managers, shareholders and other stakeholders
- Establishment of rules to manage and report on business risks

3 IT Governance
- Comprises the body of issues addressed in considering how IT is applied within the enterprise
- Effective enterprise governance focuses on: individual and group expertise; experience in specific areas
- Key element: alignment of business and IT
- Two issues: IT delivers value to the business; IT risks are managed

4 IT Governance (contd.)
- IT governance implies a system where all stakeholders provide input into the decision-making process: board, internal customers, finance, etc.

5 Practice Question 2-1
IT governance ensures that an organization aligns its IT strategy with:
A. enterprise objectives.
B. IT objectives.
C. audit objectives.
D. control objectives.
Answer: A

6 Strategic Planning
- What is strategy?
- Business strategy: business goals and objectives
- Is the CIO or senior IT management involved in the creation of the overall business strategy?

7 Are IT and Business Strategy Aligned?
- IT strategy: IT goals and objectives, aligned with business goals
- Alignment of IT strategy with business strategy: why?

8 IT Strategy Committee
- An IT strategy committee is an industry best practice
- Ensures that the IS department is in harmony with the corporate mission and objectives
Scope:
- Advises on strategy when assisting the board in its IT governance responsibilities
- Focuses on IT value, risks and performance
- Makes recommendations for any changes necessary in IT strategy

9 IT Steering Committee
- An IT steering committee is an industry best practice
- Comprises IT and representatives of key departments
Scope:
- Approves IT-related projects or presents them to the board for approval
- Monitors and controls the ongoing projects

10 Information Security Governance
- Focused activity with specific value drivers: integrity of information (Integrity), continuity of services (Availability), protection of information assets (Confidentiality)
- Integral part of IT governance
- The information security program should be designed to support overall business objectives

11 Information Security Governance (contd.)
Significance: effective information security can add significant value to an organization by:
- Providing greater reliance on interactions with trading partners
- Improving trust in customer relationships
- Protecting the organization’s reputation
- Enabling new and better ways to process electronic transactions

12 Information Security Governance (contd.)
Information security governance requires strategic direction from:
- Boards of directors / senior management
- Executive management
- Steering committees
- Chief information security officers

13 Practice Question 2-2
Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department
Answer: B

14 Practice Question 2-3
Which of the following BEST describes an IT department’s strategic planning process?
A. The IT department will have either short-range or long-range plans depending on the organization’s broader plans and objectives.
B. The IT department’s strategic plan must be time- and project-oriented, but not so detailed as to address and help determine priorities to meet business needs.
C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.
Answer: C

15 Policies and Procedures
- Reflect management guidance and direction in developing controls over information systems, related resources and IS department processes
- High-level documents
- Must be clear and concise
- Set the tone for the organization as a whole (top down)

16 Policies and Procedures (contd.)
Information security policy:
- Defines information security, its overall objectives and scope
- Is a statement of management intent
- Is a framework for setting control objectives, including risk management
- Defines responsibilities for information security management

17 Policies and Procedures (contd.)
Procedures are detailed documents that:
- Define and document the implementation of policies
- Must be derived from the parent policy
- Must implement the spirit (intent) of the policy statement
- Must be written in a clear and concise manner

18 Risk Management
The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives. Risk treatment options:
- Avoid
- Mitigate
- Transfer
- Accept

19 Risk Management Process
- Identification and classification of information resources or assets
- Assess threats and vulnerabilities and the likelihood of their occurrence
- Once the elements of risk have been established, they are combined to form an overall view of risk
- Evaluate existing controls or design new controls to reduce the vulnerabilities to an acceptable level of risk
- Residual risk (the risk remaining after controls are applied)

20 Risk Analysis Methods
- Qualitative
- Semi-quantitative
- Quantitative: probability and expectancy; annual loss expectancy method
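The risk management process (identify assets, assess threat likelihood, combine into a risk view, evaluate controls, residual risk) carried through with the annual loss expectancy method, as an added example that is not part of the lecture slides. It assumes the standard definitions SLE = asset value x exposure factor and ALE = SLE x ARO; the asset values, exposure factors, rates and control costs are constructed sample figures.

```python
"""Quantitative risk analysis with the annual loss expectancy (ALE) method.
Added illustration, not from the slides. Assumed standard definitions:
  SLE = asset_value * exposure_factor     (single loss expectancy)
  ALE = SLE * ARO                         (ARO = annualised rate of occurrence)
All figures below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    asset: str              # identified and classified information resource
    threat: str             # threat acting on a vulnerability of the asset
    asset_value: float      # value of the asset, in currency units
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # expected incidents per year (likelihood)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # annualised cost of operating the control
    new_exposure_factor: float  # exposure factor once the control is in place
    new_aro: float              # rate of occurrence once the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    return asset_value * exposure_factor


def ale(s: Scenario) -> float:
    """Inherent annual loss expectancy, before any new control."""
    return sle(s.asset_value, s.exposure_factor) * s.aro


def residual_ale(s: Scenario, c: Control) -> float:
    """Residual risk: the ALE that remains once control c is applied."""
    return sle(s.asset_value, c.new_exposure_factor) * c.new_aro


def net_benefit(s: Scenario, c: Control) -> float:
    """Annual risk reduction minus control cost; positive means cost-justified."""
    return ale(s) - residual_ale(s, c) - c.annual_cost


def evaluate(s: Scenario, controls: list) -> tuple:
    """Pick the control with the largest positive net benefit.
    Returns (control name or None, residual ALE); None means no control is
    cost-justified and the inherent risk is left to be accepted or transferred."""
    justified = [c for c in controls if net_benefit(s, c) > 0]
    if not justified:
        return None, ale(s)
    best = max(justified, key=lambda c: net_benefit(s, c))
    return best.name, residual_ale(s, best)
```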

21 Sourcing Practices
- Sourcing practices relate to the way an organization obtains the IS function required to support the business
- Organizations can perform all IS functions in-house or outsource all functions across the globe
- The sourcing strategy should consider each IS function and determine which approach allows the IS function to meet the organization’s goals
- Accountability remains with the management of the client organization

22 Sourcing Practices (contd.)
Possible advantages:
- Commercial outsourcing companies are likely to devote more time and focus more efficiently on a given project than in-house staff
- Outsourcing vendors are likely to have more experience with a wider array of problems, issues and techniques
Possible disadvantages:
- Costs exceeding customer expectations
- Loss of internal IS experience
- Loss of control over IS
- Vendor failure

23 Sourcing Practices (contd.)
Risks can be reduced by:
- Establishing measurable, partnership-enacted shared goals and rewards
- Using multiple suppliers or withholding a piece of business as an incentive
- Performing periodic competitive reviews and benchmarking/bench trending
- Forming a cross-functional contract management team

24 Service Level Agreements (SLA)
- Contractual means of helping the IS department to manage information resources under the control of a vendor
- Commit a vendor to a required level of service and support options
- Awareness / consideration of cross-border legislation
- Right-to-audit clause

25 Organization Structure and Responsibilities

26 IS Roles and Responsibilities
- Systems development manager
- Service desk (help desk)
- Quality assurance manager
- Vendor and outsourcer management
- Operations manager
- Media management
- Data entry
- Systems administration
- Security administration
- Quality assurance
- Database administration
- Systems analyst
- Security architect
- Network management

27 Segregation of Duties within IT
- Avoids the possibility of errors or misappropriations
- Discourages fraudulent acts
- Limits access to data

28 Segregation of Duties within IT

29 Practice Question 2-7
Which of the following tasks may be performed by the same person in a well-controlled information processing computer center?
A. Security administration and change management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance
Answer: D

30 Practice Question 2-8
Which of the following is the MOST critical control over database administration?
A. Approval of DBA activities
B. Segregation of duties
C. Review of access logs and activities
D. Review of the use of database tools
Answer: B

31 Segregation of Duties Controls
Control measures to enforce segregation of duties include:
- Transaction authorization
- Custody of assets
- Access to data
- Authorization forms
- User authorization tables

32 Segregation of Duties Controls (contd.)
Compensating controls for lack of segregation of duties include:
- Audit trails
- Reconciliation
- Exception reporting
- Transaction logs
- Supervisory reviews
- Independent reviews
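An added example, not from the slides, of how an IS auditor might check role assignments for the segregation-of-duties conflicts covered above. The three conflicting pairs are the ones practice question 2-7 marks as incompatible (security administration with change management, computer operations with system development, system development with change management), while system development with systems maintenance is permitted as that question states; the staff names, assignments and registered compensating controls are constructed sample data.

```python
"""Segregation-of-duties review over IT role assignments.
Added illustration, not from the lecture slides. The conflict pairs follow
practice question 2-7; people and assignments are constructed sample data."""
from itertools import combinations

# Pairs of duties that must not be held by one person (from question 2-7).
CONFLICTING_DUTIES = {
    frozenset({"security administration", "change management"}),
    frozenset({"computer operations", "system development"}),
    frozenset({"system development", "change management"}),
}


def conflicts_for(duties) -> list:
    """Conflicting duty pairs held by one person, as sorted tuples."""
    pairs = combinations(sorted(set(duties)), 2)
    return sorted(tuple(p) for p in pairs if frozenset(p) in CONFLICTING_DUTIES)


def review(assignments: dict, compensating_controls: dict) -> list:
    """assignments: {person: [duties]}; compensating_controls: {person: [controls]}.
    Returns (person, conflict_pair, status) findings. A conflict is 'compensated'
    when a compensating control (audit trail, supervisory review, ...) is
    registered for that person, otherwise 'uncompensated' and must be reported."""
    findings = []
    for person, duties in sorted(assignments.items()):
        for pair in conflicts_for(duties):
            status = "compensated" if compensating_controls.get(person) else "uncompensated"
            findings.append((person, pair, status))
    return findings


# Constructed sample data for a small IT department.
SAMPLE_ASSIGNMENTS = {
    "alice": ["system development", "systems maintenance"],       # permitted combination
    "bob": ["computer operations", "system development"],         # conflict, compensated
    "carol": ["security administration", "change management"],    # conflict, uncompensated
    "dave": ["system development", "change management", "computer operations"],
}
SAMPLE_COMPENSATING_CONTROLS = {
    "bob": ["independent review of program changes", "transaction logs"],
}

if __name__ == "__main__":
    for person, pair, status in review(SAMPLE_ASSIGNMENTS, SAMPLE_COMPENSATING_CONTROLS):
        print(f"{person}: {pair[0]} + {pair[1]} -> {status}")
```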

33 Practice Question 2-4
The MOST important responsibility of a data security officer in an organization is:
A. recommending and monitoring data security policies.
B. promoting security awareness within the organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access controls.
Answer: A

34 Practice Question 2-5
Which of the following is MOST likely to be performed by the security administrator?
A. Approving the security policy
B. Testing application software
C. Ensuring data integrity
D. Maintaining access rules
Answer: D

35 Practice Question 2-9
When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
A. Origination
B. Authorization
C. Recording
D. Correction
Answer: B

36 Practice Question 2-10
In a small organization, where segregation of duties is not practical, an employee performs the functions of computer operator and application programmer. Which of the following controls should an IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications
Answer: C

37 Conclusion
- Chapter 2 Quick Reference Review: page 84 of CISA Review Manual 2010
- Additional case studies:
  Case Study B – page 118 of CISA Review Manual 2010
  Case Study C – page 118 of CISA Review Manual 2010
  Case Study D – page 119 of CISA Review Manual 2010

