
Chapter 2: Audit and Review: Its Role in Information Technology

MBAD 7090

IS Security, Audit, and Control (Dr. Zhao)

Fall, 2008

Objectives

Understand IT governance

The purpose of an IT audit function

Risk assessment: three methodologies

IT auditor: skills, standards and resources

Management's roles and responsibilities in IT auditing


Introduction

Information technology audit functions are considered part of the business environment. Their unique blend of skills helps to assess the company's exposures and to develop controls over its use of technology.


IT Governance

Corporate governance

The set of processes, customs, policies, laws and institutions affecting the way a corporation is directed, administered or controlled.

Sets the goals

Specifies the relationships among key stakeholders

Ensures individual accountability

IT governance

A subset discipline of corporate governance

Focuses on information systems


IT Governance

IT governance

The process of directing and controlling an enterprise's IT

IT governance needs to ensure:

Strategic alignment between IT and enterprise objectives

Maximization of the value of IT investments

Measurement of IT's performance

Effective management of IT-related risks


Reasons to Have an IT Audit Function

Increased dependence on, and investment in, information systems

Increased organizational impacts caused by IT, both positive and negative

Unsatisfactory data reliability and security

Advances in technology


Auditing Concerns

Focus on the system's controls

Look at the total systems environment

Objectives: what we are trying to accomplish

Context: industry sector, organizational structure, business relationships

Ensure provisions are made for:

Transaction trails from beginning to end

Handling of exceptions

Testing of controls

Authorization of changes to systems

Training of user personnel

Adequate security to protect data

Backup and recovery procedures

Risk Assessment: Three Methodologies

Castellans: using a fortress to physically secure systems

E.g., isolated spaces

Guardians: using law enforcement and administrative regulations to prevent computer crimes

Gatekeepers: limiting access

E.g., passwords, encryption, biometrics


IT Auditor: Job Outlook

Growth rate for accountants and auditors (www.bls.gov): 18% between 2006 and 2016

IT auditor:

One of the fastest growing careers

11.2% increase in 2006

Average technology positions grew 3% in 2006

Salary range $67,000-$94,250, an 11% increase over 2005


IT Auditor: Knowledge, Skills, and Abilities

Understand the overall control philosophy

Technical skills

Understanding of information systems management

Ability to communicate technical information

Experience with a particular industry and/or the specific business

Communication skills that enable the auditor to bridge the gap between IT professionals and business management

IT Auditor Independence

Need to value and recognize the integrity of the audit process

Audit reports and opinions must be free of bias or influence

Sarbanes-Oxley:

Auditor rotation

Scope-of-service restrictions

IT Audit: Continuous Reassessment

Stay on track with audits

The auditor steps back and reassesses the audit project:

Reaffirm audit goals

E.g., to ensure that current documentation is available, adequate, and safeguarded.

Verify audit scope

E.g., vendor-supplied systems and internal modifications

If the auditor has deviated from either, the audit scope should be evaluated and revised

IT Auditor Ethical Standards

To be an auditor, one must have high ethical standards

Auditors are trusted individuals

Some things may be unethical but still legal

Examples from a typical code of ethics:

Will inform each organization, employer or client of any business connections, interests or affiliations which might influence my judgment or impair the equitable character of my services.

Will respect my peers' opinions and conduct to ensure that honesty and openness are demonstrated within an audit team.

Class Exercise

Bob has just been assigned to work as an external IT auditor for the XYZ company. His wife found a job as a junior IT manager at XYZ one month ago.

Q: What should Bob do?


IT Auditor Resources

Experience

Colleagues (IT professionals and other auditors)

Publications and periodicals in IT and/or audit

Seminars

University training

The Role of the IT Auditor

IT Auditor as Counselor

Takes an active role in the development of policies on auditability, control, testing, and standards

Educates users and IT personnel on the importance of compliance with control requirements

IT Auditor as a Partner of Senior Management

Provides an independent assessment of the effect of IT decisions on the business

Verifies that all alternatives are considered, risks are assessed, solutions are technically correct, business needs are satisfied, and costs are reasonable

Internal vs. External Auditors

The internal IT auditor:

Provides assurance to management that its policies and procedures are implemented and working as intended

Monitors and tests system reliability

The external IT auditor:

Evaluates the reliability and validity of computer system controls, which minimizes the transaction testing required to render an opinion on the financial statements

Both deal with manual as well as automated systems

Key Certifications and Professional Associations

Certified Internal Auditor (CIA), by the Institute of Internal Auditors

Information Systems Audit and Control Association (ISACA):

Certified Information Systems Auditor (CISA)

Certified Information Security Manager (CISM)

ISACA Charlotte Chapter

International Information Systems Security Certification Consortium, commonly known as (ISC)²:

Certified Information Systems Security Professional (CISSP)

Collaboration between IT Auditor and IT Managers

Are these attitudes correct?

Manager: "Arguing with an auditor is like mud wrestling with a pig! After a time you realize that the pig is enjoying himself."

Manager: "Are we the evil ourselves, or are we dealing with evil?"

How IT Managers Support the IT Audit Function

Support and participate in the audit planning process

Develop and promote risk and control awareness

Provide resources to accomplish the audit tasks

Hold the auditors to their standards of practice

What IT Managers Need to Know About an Audit

What is the purpose of the audit?

What are the audit's scope and objectives?

Who is assigned to perform the audit?

What is the timeframe for the audit?

What IT resources are needed (systems, staff)?

What Should IT Managers Expect From an Audit?

Regular communication:

Audit status

Issues found to date

A closing meeting to review the audit process and results (issues, actions, plans, etc.)

A final audit report

Audit follow-up on action plans identified during the audit

Class Exercise

Scenario: A new system is being developed that will enable customers to view their account status and submit orders via the Internet. The technology used is new to the company.

In this scenario:

What assistance could an IT auditor provide?

How can IT managers get involved?