COMPUTER INFORMATION SYSTEMS ENVIRONMENT
Scope of Presentation
What is Internal Audit
Need for I.S. Auditing
I.S. Audit Standards
Controls
COBIT
I.S. Audit Process
Audit Resource Management
What is Internal Audit?
INTERNAL AUDITING
- Is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations
- Helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes
- Functions include, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of the accounting and internal control systems
Internal Auditing Defined
ISACA Standards and Guidelines for IS Auditing
- Audit charter
- Independence
- Competence
- Planning
- Reporting
- Follow-up activities
Controls
1. IT Risk
2. Control
3. Control Objectives
4. Control Practices
Control classification
- Preventive
- Detective
- Corrective
[CobiT framework diagram: IT processes applied to IT resources to deliver the information that meets business objectives; the four domains are Planning & Organisation, Acquisition & Implementation, Delivery & Support, and Monitoring.]
CobiT IT Domains Processes
PLANNING & ORGANISATION
1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organisation and relationships
5. Manage the investment
6. Communicate management aims and directions
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality
CobiT IT Domains Processes
ACQUISITION & IMPLEMENTATION
1. Identify solutions
2. Acquire and maintain application software
3. Acquire and maintain technology architecture
4. Develop and maintain IT procedures
5. Install and accredit systems
6. Manage changes
CobiT IT Domains Processes
DELIVERY & SUPPORT
How To Assess IT Risks
Risk Identification
1. Carry out a business risk assessment
2. Implement an IT risk assessment approach
3. Identify IT risks
4. Measure IT risks
Control Implementation
7. Accept residual risk
8. Select safeguards
9. Commit to risk assessment
Types of risk
- Inherent risk
- Control risk
- Detection risk
- Overall audit risk
I.S. Audit Process
Inherent Risk - The risk that an error exists which could be material or significant when combined with other errors encountered during the audit, assuming that there are no related compensating controls.
Control Risk - The risk that a material error exists that will not be prevented or detected on a timely basis by the system of internal controls.
Detection Risk - The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.
I.S. Audit Process
audit resources
- Ensures that relevant information has been obtained
- Establishes a basis for effectively managing the audit department
- Provides a summary of how the individual audit subject is related to the overall organization and to business plans
I.S. Audit Process
Control objectives and the related key controls that address each objective.
An auditor should be able to identify the key controls and then decide whether to test them through compliance or substantive verification methods. The IS auditor identifies application controls after developing an understanding of, and documenting, the application or function, and on that basis identifies the key control points. This allows the auditor to determine whether controls are working as expected; the results of compliance tests then allow the auditor to design more extensive compliance or substantive testing.
I.S. Audit Process
Relationship between substantive and compliance tests, and the two categories of substantive tests.
Substantive tests substantiate the integrity of actual processing. They provide evidence of the validity and integrity of the balances in the financial statements and of the transactions that support these balances.
Compliance tests determine whether controls are being applied in a manner that complies with management policies and procedures.
I.S. Audit Process
Correlation between the level of internal controls and the amount of substantive testing required: the weaker the controls (the higher the control risk), the more substantive testing the auditor must perform to keep overall audit risk at an acceptable level.
Timing of evidence
I.S. Audit Process
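The correlation between the strength of internal controls and the amount of substantive testing is usually expressed through the audit risk model. The derivation below is added here as a worked illustration and is not part of the original presentation; the model is the standard one used in auditing guidance, and the numeric values are assumed purely for illustration.

$$\mathrm{AR} = \mathrm{IR} \times \mathrm{CR} \times \mathrm{DR}$$

where AR is overall audit risk, IR inherent risk, CR control risk and DR detection risk (each expressed as a probability). IR and CR belong to the auditee; the auditor can only influence DR, through the nature, timing and extent of substantive testing. Fixing the acceptable overall audit risk and solving for the detection risk the auditor may tolerate gives

$$\mathrm{DR} = \frac{\mathrm{AR}}{\mathrm{IR} \times \mathrm{CR}}$$

Assume a target AR of 0.05 and an assessed IR of 0.8. If compliance testing shows strong controls and CR is assessed at 0.25, then

$$\mathrm{DR} = \frac{0.05}{0.8 \times 0.25} = 0.25$$

If instead controls are weak and CR is assessed at 0.8, then

$$\mathrm{DR} = \frac{0.05}{0.8 \times 0.8} \approx 0.078$$

A lower tolerable DR means the substantive procedures must be more extensive (larger samples, more transactions traced, more balances confirmed), which is the correlation stated above: weaker controls, more substantive testing.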
Timing of follow-up
The timing of follow-up depends on the criticality of the findings and is subject to the IS auditor's judgment. The results of the follow-up should be communicated to the appropriate levels of management.
I.S. Audit Process
Audit Documentation
IS audit documentation is the record of the audit work performed and of the audit evidence supporting the findings and conclusions (see the ISACA Guidelines on audit documentation).