
AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT
Scope of Presentation
 What is Internal Audit
 Need for I.S. Auditing
 I.S. Audit Standards
 Controls
 COBIT
 I.S. Audit Process
 Audit Resource Management
What is Internal Audit?
INTERNAL AUDITING
 Is an independent, objective assurance and
consulting activity designed to add value and improve
an organization’s operations
 Helps an organization in accomplishing its
objectives by bringing a systematic,
disciplined approach to evaluate and improve the
effectiveness of risk management, control and
governance processes
 Functions include amongst other things, examining,
evaluating and monitoring the adequacy and
effectiveness of the accounting and internal control
systems
Internal Auditing Defined

Internal auditing is an independent, objective assurance and consulting activity within an organization that is guided by a philosophy of adding value to improve operations of the organization. It assists an organization in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control and governance processes.
Internal Audit Vs. External Audit

 The role of internal auditing is determined by management, and the objectives of the function vary according to management’s requirements; as such it is part of the entity.
 External audit, on the other hand, is carried out independently to express an opinion on the fairness of the financial statements, with the primary concern and objective of determining whether the financial statements are free from material misstatement. It is, therefore, not a part of the entity.
 Nevertheless, some of the means of achieving their respective objectives are often similar, and thus certain aspects of internal auditing may be useful in determining the nature, timing and extent of external audit procedures.
Need for I.S. Auditing
 Increasing level of computerization of
manual functions
 Rapid technological development
 Lack of user knowledge resulting in
insecure practices
 Role of networks
 Viruses, Worms, Hackers and other
security threats
 Changing Regulatory environment
I.S. Auditing

IS auditing is the process of collecting and evaluating evidence to determine whether information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that operational and control objectives will be met.
I.S. Auditing Standards
Objectives of IS Auditing Standards

 Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners
 Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities
I.S. Auditing Standards

Audit charter
Independence
Professional Ethics and Standards
Competence
Planning
Performance of audit work
Reporting
Follow-up activities
ISACA Standards and Guidelines for IS Auditing

 Audit charter

The responsibility, authority and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.
ISACA Standards and Guidelines for IS Auditing

 Independence

Professional Independence: In all matters related to auditing, the IS auditor is to be independent of the auditee in attitude and appearance.

Organizational Relationship: The IS audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit.
ISACA Standards and Guidelines for IS Auditing

 Professional Ethics and Standards

Due professional care and observance of applicable professional auditing standards are to be exercised in all aspects of the information systems auditor’s work.
ISACA Standards and Guidelines for IS Auditing

 Competence

Skills and Knowledge: The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor’s work.

Continuing Professional Education: The information systems auditor is to maintain technical competence through appropriate continuing professional education.
ISACA Standards and Guidelines for IS Auditing

 Planning

The information systems auditor is to plan the information systems audit work to address the audit objectives and requirements and to comply with applicable professional auditing standards.
ISACA Standards and Guidelines for IS Auditing

 Performance of audit work

Supervision: Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met.

Evidence: During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
ISACA Standards and Guidelines for IS Auditing

 Reporting

The information systems auditor is to provide a report in an appropriate form to intended recipients upon completion of audit work. The audit report is to state the scope, objectives, period of coverage and the nature and extent of the audit work performed. The report is to identify the organization, the intended recipients and any restrictions on circulation. The report is to state the findings, conclusions, recommendations and any reservations or qualifications that the auditor has with respect to the audit.
ISACA Standards and Guidelines for IS Auditing

 Follow-up activities

The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions and recommendations to determine whether appropriate actions have been implemented in a timely manner.
Some Control Definitions...

1. IT Risk
2. Control
3. Control Objectives
4. Control Practices
IT Risk

The chance that information systems will not satisfy the business requirement of ensuring the achievement of IT objectives and responding to threats to the provision of IT services.
Control

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Control Objectives

An IT control objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
Control Practices

A key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business.
Why do we need Controls?

If everything seems under control, you are not going fast enough.
Controls

Control classification

 Preventive

 Detective

 Corrective
Controls

Information System Control Objectives

Control objectives in an information systems environment remain unchanged from those of a manual environment. However, the control features may be different. The internal control objectives therefore need to be addressed in a manner specific to IS-related processes.
CobiT is a very rich standard

 CobiT was developed by experts with extensive experience in many different industries
 It includes all of the processes that can take place within an IT organization
 It describes critical success factors (CSFs), key performance indicators (KPIs), key goal indicators (KGIs) and processes that may not necessarily be relevant to a given organization’s needs
 Depending on the organization, attempting to implement the complete standard can cost more than the value created by a successful implementation
COBIT

 Control Objectives for Information and related Technology
 IT control objectives and standards of good practice
 34 high-level control objectives
CobiT Framework IT Domains

Diagram: business objectives, information and IT resources, surrounded by the four IT domains in a cycle:

 Planning & Organisation
 Acquisition & Implementation
 Delivery & Support
 Monitoring
CobiT IT Domains Processes
PLANNING & ORGANISATION
1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organisation and relationships
5. Manage the investment
6. Communicate management aims and directions
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality
CobiT IT Domains Processes
ACQUISITION & IMPLEMENTATION
1. Identify solutions
2. Acquire and maintain application software
3. Acquire and maintain technology architecture
4. Develop and maintain IT procedures
5. Install and accredit systems
6. Manage changes
CobiT IT Domains Processes
DELIVERY & SUPPORT
1. Define service levels
2. Manage third-party services
3. Manage performance and capacity
4. Ensure continuous service
5. Ensure system security
6. Identify and attribute costs
7. Educate and train users
8. Assist and advise IT customers
9. Manage the configuration
10. Manage problems and incidents
11. Manage data
12. Manage facilities
13. Manage operations
CobiT IT Domains Processes
MONITORING
1. Monitor the processes
2. Assess the internal control adequacy
3. Obtain independent assurance
4. Provide for independent audit
How To Assess IT Risks
PO9 Assess Risks Control Objectives (the slide’s diagram arranges the eight objectives under the labels Risk Identification and Control Implementation)

1. Carry out a business risk assessment
2. Implement an IT risk assessment approach
3. Identify IT risks
4. Measure IT risks
5. Create an IT risk management action plan
6. Accept residual risk
7. Select safeguards
8. Commit to risk assessment
I.S. Audit Planning

 Adequate planning is a necessary first step in performing effective IT audits
 Need to understand the general business environment as well as the associated business and control risks
 Assess operational and control risks and identify control objectives during audit planning
I.S. Audit Planning
To perform audit planning, the IS auditor should:
1. Gain an understanding of the business’ mission, objectives, processes, information and processing requirements such as availability, integrity and security, and information architecture requirements; in general terms, processes and technology.
2. Perform risk analysis.
3. Conduct an internal control review.
4. Set the audit scope and audit objective(s).
5. Develop the audit approach or audit strategy.
6. Assign resources to the audit and address engagement logistics.
I.S. Audit Planning
In planning the engagement, I.S. Auditors should
consider:
 The objectives of the activity being reviewed and the
means by which the activity controls its performance.
 The significant risks to the activity, its objectives,
resources, and operations and the means by which the
potential impact of risk is kept to an acceptable level.
 The adequacy and effectiveness of the activity’s risk
management and control systems compared to a
relevant control framework or model.
 The opportunities from making significant improvements
to the activity’s risk management and control systems.
I.S. Audit Process
 General audit procedures
 Understanding of the audit area/subject
 Risk assessment and general audit plan
 Detailed audit planning
 Preliminary review of audit area/subject
 Evaluating audit area/subject
 Compliance testing
 Substantive testing
 Reporting(communicating results)
 Follow-up
I.S. Audit Process
 Audit Methodology

 The audit methodology (also referred to as the audit strategy) is a set of documented audit procedures designed to achieve the planned audit objectives. Its components are:
 a statement of scope,
 a statement of audit objectives and
 a statement of work programs

I.S. Audit Process
Typical audit phases

Identify:
• the area to be audited
• the purpose of the audit
• the specific systems, function or unit of the organization to be included in the review
• the sources of information for tests or review, such as functional flow-charts, policies, standards, procedures and prior audit work papers
• locations or facilities to be audited
• list of individuals to interview
• obtain departmental policies, standards and guidelines for review
• select the audit approach to verify and test the controls

Develop:
• audit tools and methodology to test and verify controls
• procedures for evaluating the test or review results
• procedures for communication with management
• technical skills and resources needed

Identify:
• follow-up review procedures
• procedures to evaluate/test operational efficiency and effectiveness
• procedures to test controls

Review and evaluate the soundness of documents, policies and procedures.
I.S. Audit Process
 Control objective: A control objective refers to how an internal control should function, that is, the result it is expected to achieve.
 Audit objective: An audit objective refers to the specific goals of the audit. An audit may incorporate several audit objectives. Audit objectives often center around substantiating that internal controls exist to minimize business risks. Management may give the IS auditor a general objective to follow when performing an audit.
 A key element in planning an information systems audit is to translate basic audit objectives into specific information systems audit objectives.
I.S. Audit Process
 Audit risk and materiality
More and more organizations are moving to a risk-
based audit approach that is usually adapted to
develop and improve the continuous audit
process. This approach is used to assess risk and
to assist with an IS auditor’s decision to do either
compliance testing or substantive testing.
I.S. Audit Process

 In a risk-based audit approach, IS auditors are not just relying on risk; they also are relying on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices.
 Business risks are the concerns about the probable effects of an uncertain event on achieving established objectives. The nature of these risks may be financial, regulatory or operational. By understanding the nature of the business, IS auditors can identify and categorize the types of risks that will better determine the risk model or approach in conducting the audit.
I.S. Audit Process
 Risk-based approach

 Emphasis on knowledge of the business and technology
 Focuses on assessing the effectiveness of a “combination” of controls
 Linkage between risk assessment and testing focusing on control objectives
 Focuses on the business from a management perspective
I.S. Audit Process

 Types of risk
 Inherent risk
 Control risk
 Detection risk
 Overall audit risk
I.S. Audit Process
 Inherent Risk - The risk that an error exists
which could be material or significant when
combined with other errors encountered during
the audit assuming that there are no related
compensating controls.
 Control Risk - The risk that a material error
exists that will not be prevented or detected on a
timely basis by the system of internal controls.
 Detection Risk - The risk that an IS auditor
uses an inadequate test procedure and concludes
that material errors do not exist when, in fact,
they do.
I.S. Audit Process

 Overall Audit Risk - The combination of the individual categories of audit risks assessed for each specific control objective. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination. Another objective is to assess and control those risks to achieve the desired level of assurance as efficiently as possible.
I.S. Audit Process
 Risk Assessment Techniques
 Enables management to effectively allocate limited audit resources
 Ensures that relevant information has been obtained
 Establishes a basis for effectively managing the audit department
 Provides a summary of how the individual audit subject is related to the overall organization and to business plans
I.S. Audit Process
 Control objectives and the related key controls that address the objective.
 An auditor should be able to identify key controls and then decide to test these controls through compliance or substantive verification methods. The IS auditor identifies application controls after developing an understanding of, and documenting, the application or function, and on that basis identifies the key control points. This allows the auditor to determine whether controls are working as expected; the results of compliance tests then allow the auditor to design more extensive compliance or substantive testing.
I.S. Audit Process
Relationship between substantive and compliance tests, and the two categories of substantive tests.
 Substantive tests substantiate the integrity of actual processing. They provide evidence of the validity and integrity of the balances in the financial statements and of the transactions that support these balances.
 Compliance tests determine whether controls are being applied in a manner that complies with management policies and procedures.
I.S. Audit Process
Correlation between the level of internal controls and the amount of substantive testing required.

 If the results of testing controls reveal the presence of adequate internal controls, the IS auditor is justified in minimizing the substantive procedures. Conversely, if testing of controls reveals weaknesses that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts.
I.S. Audit Process
Evidence – It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence. Factors that determine the reliability of evidence:

 Independence of the provider of the evidence
 Qualification of the individual providing the information or evidence
 Objectivity of the evidence
 Timing of evidence
I.S. Audit Process

 Techniques for gathering evidence:
 Review IS organization structures
 Review IS policies, procedures and standards
 Review IS documentation
 Interview appropriate personnel
 Observe processes and employee performance
I.S. Audit Process
 Computer-assisted audit techniques
 CAATs are a significant tool for IS auditors
to gather information independently
 CAATs include:
 Generalized audit software (ACL, IDEA, etc.)
 Utility software
 Test data
 Application software for continuous online audits
 Audit expert systems
I.S. Audit Process
 Need for CAATs
The audit findings and conclusions are to be supported by appropriate analysis and interpretation of the evidence. Today’s information processing environments pose a stiff challenge to the IS auditor in collecting sufficient, relevant and useful evidence, since the evidence exists only on electronic media and can in practice be examined only with CAATs. With systems having different hardware and software environments, data structures, record formats, processing functions, etc., it is almost impossible for IS auditors to collect evidence without a software tool to extract and analyze the records.
I.S. Audit Process
 Functional Capabilities of CAATs
Generalized audit software gives IS auditors the ability to use high-level problem-solving software to invoke functions to be performed on data files. Functions supported by generalized audit software include:
 File access
 File reorganization
 Data selection
 Statistical functions
 Arithmetical functions
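As an added example (not from the slides, and not the output of ACL, IDEA or any other product), the following Python script performs, on a constructed payment extract, the kind of analysis the generalized-audit-software function list above describes: file access, data selection, arithmetic and statistical functions, and exception identification. It also makes the earlier compliance-versus-substantive distinction concrete: `compliance_exceptions` tests whether the approval control operated on each transaction (a compliance test), while `substantive_recompute` recomputes vendor balances from the detail and compares them with the ledger totals (a substantive test). All records, staff and vendor names, amounts, the approval threshold and the ledger totals are constructed for illustration.

```python
"""CAAT-style analysis of a constructed payment extract (added example).

Nothing here is taken from the slides or from a real audit tool; the CSV,
the ledger totals and the approval threshold are all made up to show the
generalized-audit-software functions and the compliance/substantive split.
"""

import csv
import io
import random
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample extract: hypothetical vendors, amounts and staff names.
PAYMENTS_CSV = """\
id,date,vendor,amount,prepared_by,approved_by
1001,2023-03-01,Acme Supplies,1200.00,alice,bob
1002,2023-03-02,Acme Supplies,4999.00,alice,alice
1003,2023-03-02,Northwind Ltd,15000.00,carol,
1004,2023-03-04,Acme Supplies,1200.00,alice,bob
1005,2023-03-05,Northwind Ltd,860.50,dave,bob
1006,2023-03-05,Globex Corp,7300.00,carol,dave
"""

# Constructed ledger control totals per vendor as reported by the auditee.
# Northwind's figure has transposed digits so the substantive test finds it.
LEDGER_TOTALS = {"Acme Supplies": 7399.00, "Northwind Ltd": 15680.50, "Globex Corp": 7300.00}

APPROVAL_THRESHOLD = 1000.00  # hypothetical policy: payments above this need approval


def load_payments(text: str = PAYMENTS_CSV) -> list:
    """File access: parse the extract into dicts with numeric amounts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["amount"] = float(r["amount"])
    return rows


def compliance_exceptions(rows: list, threshold: float = APPROVAL_THRESHOLD) -> list:
    """Compliance test: every payment above the threshold must be approved by
    someone other than the preparer (segregation of duties). Returns the ids
    of payments on which the control did not operate."""
    return [r["id"] for r in rows
            if r["amount"] > threshold
            and (not r["approved_by"] or r["approved_by"] == r["prepared_by"])]


def substantive_recompute(rows: list, ledger: dict = LEDGER_TOTALS) -> dict:
    """Substantive test (arithmetic): recompute vendor totals from the detail
    and compare with the reported ledger balances. Returns the vendors that do
    not reconcile as vendor -> (recomputed, reported)."""
    totals = defaultdict(float)
    for r in rows:
        totals[r["vendor"]] += r["amount"]
    vendors = set(totals) | set(ledger)
    return {v: (round(totals[v], 2), ledger.get(v))
            for v in vendors if round(totals[v], 2) != ledger.get(v)}


def duplicate_payments(rows: list) -> list:
    """Exception identification: same vendor and amount paid more than once."""
    keys = Counter((r["vendor"], r["amount"]) for r in rows)
    return sorted(k for k, n in keys.items() if n > 1)


def amount_statistics(rows: list) -> dict:
    """Statistical functions over the amount field."""
    amounts = [r["amount"] for r in rows]
    return {"n": len(amounts), "total": round(sum(amounts), 2),
            "mean": round(mean(amounts), 2), "stdev": round(pstdev(amounts), 2)}


def sample(rows: list, size: int, seed: int = 42) -> list:
    """Data selection: reproducible random sample of payment ids for vouching."""
    rng = random.Random(seed)
    return sorted(r["id"] for r in rng.sample(rows, min(size, len(rows))))


if __name__ == "__main__":
    payments = load_payments()
    print("compliance exceptions (approval control failed):", compliance_exceptions(payments))
    print("substantive exceptions (ledger does not reconcile):", substantive_recompute(payments))
    print("possible duplicate payments:", duplicate_payments(payments))
    print("amount statistics:", amount_statistics(payments))
    print("sample for vouching:", sample(payments, 3))
```

Note how the two tests answer different questions: the approval check says nothing about whether the balances are right, only whether the control ran, while the recomputation can flag a wrong ledger figure even when every payment was properly approved. That is why weak compliance results push the auditor toward more substantive work rather than replacing it.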
I.S. Audit Process
 Areas of Concern

 Integrity, reliability and security of the CAATs beforehand
 Integrity of the information systems and security environment
 Confidentiality and security of data as required by the clients
I.S. Audit Process
 CAATs offer the following advantages:

 Reduced level of audit risk
 Greater independence from the auditee
 Broader and more consistent audit coverage
 Faster availability of information
 Improved exception identification
 Greater flexibility of run times
 Greater opportunity to quantify internal control weaknesses
 Enhanced sampling
 Cost savings over time
I.S. Audit Process
 Cost/benefits of CAATs
Like any other process, an IS auditor should weigh the costs/benefits of CAATs before going through the effort, time and expense of purchasing or developing them. Issues to consider include:

 Ease of use, both for existing audit staff and future staff
 Training requirements
 Complexity of coding and maintenance
 Flexibility of uses
 Installation requirements
 Processing efficiencies (especially with a PC CAAT)
 Effort required to bring the source data into the CAATs for analysis
I.S. Audit Process
 After developing an audit program and gathering audit evidence, the next step is an evaluation of the information gathered in order to develop an audit opinion. This requires the IS auditor to consider a series of strengths and weaknesses and then to develop audit opinions and recommendations.

 The IS auditor should assess the results of the evidence gathered for compliance with the control requirements or objectives established during the planning stage of the audit. This requires considerable judgment, as controls are often unclear. A control matrix is often utilized in assessing the proper level of controls.
I.S. Audit Process

As part of the information systems review, the IS auditor may discover a variety of strong and weak controls. All should be considered when evaluating the overall control structure. In some instances, one strong control may compensate for a weak control in another area. The IS auditor should be aware of compensating controls in areas where controls have been identified as weak.
I.S. Audit Process

 A control objective is not normally achieved by a single control that is judged adequate on its own. Controls must be evaluated to determine how they relate to each other. Evaluate the totality of control by considering the strengths and weaknesses of the control procedures.

 Assess the strengths and weaknesses of the controls evaluated and then determine whether they are effective in meeting the control objectives established as part of the audit planning process.
I.S. Audit Process
 Judging materiality of findings

 The concept of materiality is a key issue when deciding which findings to bring forward in an audit report. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management.

 Assessment requires judgment of the potential effect of the finding if corrective action is not taken. Assess what is significant to different levels of management, and discuss examples of what might be important to each level and why.
I.S. Audit Process
 Communicating audit results. Results or concerns
should be communicated to senior management and
to the audit committee of the board of directors. IS
auditors should feel free to communicate issues or
concerns to such management.
 Audit report structure and contents. There is no specific
format for an IS audit report; therefore, the organization's audit
policies and procedures will generally dictate the format.
 Exit interview. Used to discuss the findings of the audit and
recommendations with management. Ensure that the facts
presented in the report are correct, recommendations are realistic
and cost effective, and if not, seek alternatives through negotiation
with the audit area; and establish implementation dates for agreed
recommendations.
I.S. Audit Process
 Presentation techniques to communicate the
results of the audit work could include the
following:
 Executive summary: an easy to read and concise
report that presents findings to management in an
understandable manner.
 Visual presentation: could include overhead
transparencies, slides or computer graphics.
 Oral presentation
I.S. Audit Process
 Auditing is an ongoing process
The IS auditor is not effective if audits are performed
and reports issued but not followed up on to determine
if management has taken appropriate corrective
actions. IS auditors should have a follow-up program to
determine if agreed corrective actions have been
implemented.

 Timing of follow-up
The timing of follow-up will depend upon the criticality
of the findings and would be subject to the IS auditor’s
judgment. The results of the follow-up should be
communicated to appropriate levels of management.
I.S. Audit Process
 Audit Documentation
 IS audit documentation is the record of the audit work performed and the audit evidence supporting the findings and conclusions (see ISACA Guidelines on audit documentation).

 The IS auditor should understand techniques for documenting an information system as well as documenting the understanding of the information systems environment. The IS auditor should be able to prepare adequate work papers, narratives, complete interview questionnaires and create understandable systems flowcharts.
I.S. Audit Resource Management
 The IS auditor should understand
techniques for managing audit projects
with appropriately trained members of
the audit staff.
 Skill and knowledge should be taken
into consideration when planning audits
and assigning staff to specific audit
assignments.
Project management techniques
 It is important for an IS auditor to consider a project management technique for managing and administering audit projects, whether automated or manual. Basic steps for this purpose include:

 Develop a detailed plan - This should spread the necessary audit steps across a time line. Realistic estimates should be made of the time requirements for each task, with proper consideration given to the availability of the auditee.

 Report project activity against the plan - There should be some type of reporting system in place such that IS auditors can report their actual progress against planned audit steps.
Project management techniques

 Adjust the plan and take corrective action, as required - Actual accomplishments should be measured against the established plan on a continuous basis. Changes should be made in IS auditor assignments or in planned schedules, as required.
THANK YOU!
