
Basic Concepts of

Information System Audit

The Institute of Chartered Accountants of Nepal

Prepared by:
CA Mukund Pokharel, CISA

Presented by
CA XXXX

(Information System Audit) ?



(information systems infrastructure)
(Information System Audit)








(Best Practice)
CEO CFO





Statement on Auditing Standards (SAS) No. 70, developed by the American Institute of Certified Public Accountants (AICPA)
The Sarbanes-Oxley Act of 2002, a United States Federal Law followed by many countries
Information Technology Guidelines 2012 developed by Nepal Rastra Bank



(Information System Audit) ?







Information System Control and Audit Association (ISACA) Certified Information System Auditor (CISA)
NRB IT Guidelines, 2012



ICAN ICAI Information System Audit (ISA)

ISA



1. (Project Management)
2. (IS Audit Process)
3. (IS Audit Standards and Guidelines) e.g. ISACA and ISO
4. (IT Risk Concept) e.g. ISO/IEC 27005 and ISACA IT Risk Framework
5. (IT Governance Standards and Concepts) e.g. ISO/IEC 38500, COBIT and ITIL
6. (Information Security Concept)
7.
8. e.g. Information Security, IT Risk, IT Governance, Networking, Firewalls, Databases and Application Systems.




Overview of IS audit types (slide diagram):
Categories: GENERAL, IT GOVERNANCE, INFORMATION SYSTEMS, IT RISK MANAGEMENT, INFORMATION SECURITY, SPECIALIZED AUDITS
Audit types: IT General Controls Audit, IT Governance Audit, Compliance Audit, IT Performance Audit, IT Investment Audit, IT Risk Audit, Information Security Audit, Business Continuity Audit, Application Controls Audit, System Development Audit

Information Technology Governance
Long term IT strategy and Short term IT plans
Information security governance, effectiveness of implementation of security policies and processes
IT Systems Architecture and Infrastructure
Physical and environmental security
Network Management: Network Architecture, Switches, Firewall, IDS, IPS
Servers / Data center operations and processes
Information System Acquisition, Implementation, Development and Maintenance
Operating Systems Controls, Application Systems Controls and Database Controls
Segregation of Duties
Business Continuity Management and Disaster Recovery Plan
IT Operations and Problem Management
IT Financial Control
Asset Management
Record Processes and Control, Media Handling and Disposal, Backup and Storage Media
Technology Licensing
IT outsourcing related controls
Vulnerability Scanning and Penetration Testing

IS Audit Area Overview

(IT Infrastructure)

(IT General Controls Audit)


IT General Control


Access Control, Compliance with Internal Policies and Procedures, Environmental Controls, Disaster Recovery
IT General Control
IT general controls

IT General Controls Audit


(Application Systems Controls Audit)


Billing, Accounting, ERP, CRM, HRMS Control Mechanism
Application System Control Audit
Application System Control Audit
Input Control
Processing Control
Output Control
Access Control
Back up and recovery Procedures
Application Control Audit


Application Control Audit


(IT Governance Audit)



IT Governance Audit Board Of Director Top Level Management
, IT Plan Strategy Policy




Business Strategy IT Strategy IT Business Strategy


IT
IT


(IT Investment Audit)


IT Infrastructure Audit


(e-mail, Computerized Billing, HRMS, Payroll, Web Portal)?


(IT Risk Audit)


IT Risk Audit



IT Risk Policies, Procedures IT Risk Register Risk Profile
Risk Profile


(Information Security Audit)







(Information Security Audit)


Network Security
Database And Application Security
Protection From Virus
Website Security
Intrusion Detection




Real Time / Continuous


(System Deployment Audit)


IT Control Security
IS Auditor



IS Audit IT Control Security
IS Auditor ( )


(Business Continuity Audit)


Business Continuity Disaster Recovery
Audit
Business Continuity Audit


(IT Performance Audit)



IT Performance Audit IT Metrics Tools
Performance
IT Performance Audit


IT Service Delivery


(Compliance Audit)
IT Policies, Procedures, Regulations Legislation
Compliance Audit
Compliance Audit
1. Internal Compliance (IT Policies and Procedure)
2. Government / Regulatory Authority / Legislative (Act, Rules, Directives etc.)

Compliance
Compliance Audit Enterprise Risk


(Specialized Audits)
Specialized Audit General IS Audit
Specialized Audit
Specialized Audit
Firewall Audit
Database Audit
Cloud Hosting Infrastructure Audit
Real Time Security System Audit
Application System Audit
Substantive Analysis of data using specialized tools like CAAT
