MBAD 7090
Fall, 2008
Objectives
Understand IT governance
Introduction
Information technology audit functions are considered part of the business environment. Their unique blend of skills helps to assess the company's exposures and develop controls associated with their use of technology.
IT Governance
Corporate governance
The set of processes, customs, policies, laws and institutions affecting the way a corporation is directed, administered or controlled.
- Set the goal
- Specify the relationships among key stakeholders
- Ensure individual accountability
IT governance
IT Governance
IT governance
- Increased dependence and investments in information systems
- Increased organizational impacts caused by IT, both positively and negatively
- Unsatisfactory data reliance and security
Auditing Concerns
- Transaction trails from beginning to end
- Handling exceptions
- Testing of controls
- Authorization over changes to systems
- Training of user personnel
- Adequate security to protect data
- Backup and recovery procedures
IS Security, Audit, and Control (Dr. Zhao) Fall, 2008
- Guardians: using law enforcement and administrative regulations to prevent computer crimes
- Gatekeepers: limiting access
IT Auditor-Job Outlook
- Growth rate for accountants and auditors (www.bls.gov): 18% between 2006 and 2016
- IT auditor:
  - 11.2% increase in 2006
  - Average technology positions grew 3% in 2006
  - Salary range $67,000-$94,250, an 11% increase over 2005
Technical skills
Communication skills that enable the auditor to bridge the gap between IT professionals and business management
IT Auditor Independence
- Need to value and recognize the integrity of the audit process
- Audit reports and opinions must be free of bias or influence
- Sarbanes-Oxley
If auditor has deviated from either, then the audit scope should be evaluated and revised
- To be an auditor, one must have high ethical standards
- Auditors are trusted individuals
- Some things may be unethical but still legal
- Examples of a typical code of ethics
  - Will inform each organization, employer or client of any business connections, interests or affiliations which might influence my judgment or impair the equitable character of my services.
  - Will respect my peers' opinion and conduct to ensure that honesty and openness is demonstrated within an audit team.
Class Exercise
Bob has just been assigned to work as an external IT auditor for the XYZ company. His wife just found a job as junior IT manager at XYZ one month ago.
IT Auditor Resources
- Experience
- Colleagues (IT professionals and other auditors)
- Publications and periodicals in IT and/or audit
- Seminars
- University training
IT Auditor as Counselor
- Active role in the development of policies on auditability, control, testing, and standards
- Educate users and IT personnel on the importance of compliance with control requirements
- Provide independent assessment of the effect of IT decisions on the business
- Verify that all alternatives are considered, risks are assessed, solutions are technically correct, business needs are satisfied, and costs are reasonable
Provides assurance to management that its policies and procedures are implemented and working as intended
- Certified Internal Auditor (CIA), by the Institute of Internal Auditors
- Information Systems Audit and Control Association (ISACA)
  - Certified information systems auditor (CISA)
  - Certified information security manager (CISM)
  - ISACA Charlotte Chapter
Manager: Arguing with an Auditor is like mud wrestling with a pig! After a time you realize that the pig is enjoying himself.
Manager: Are we the evils ourselves or dealing with evils?
- Support and participate in the audit planning process
- Develop and promote risk and control awareness
- Provide resources to accomplish the audit tasks
- Hold the auditors to their standards of practice
- What is the purpose of the audit?
- What are the audit's scope and objectives?
- Who is assigned to perform the audit?
- What is the timeframe for the audit?
- What IT resources are needed?
  - systems, staff
- Regular communication
- A closing meeting to review the audit process and results (issues, actions, plans, etc.)
- A final audit report
- Audit follow-up on action plans identified during the audit
Class Exercise
What assistance could an IT auditor provide? How can IT managers get involved?
Scenario: A new system is being developed that will enable customers to view their account status and submit orders via the Internet. The technology used is new to the company.