S1 Akuntansi FE Untar
Learning Objectives
1. Definition of IS Audit
2. Steps in Conducting an Audit
3. Due Professional Care
4. Management of the IS Audit Function
5. Risk Analysis
6. Internal Control
7. Performing an IS Audit
Objectives of IS Auditing
System effectiveness
System efficiency
Tests of transactions
Tests of balances of overall results
Completion of the audit
ISACA
Audit charter:
  Responsibility, authority, and accountability
Independence:
  Professional independence
  Organizational relationship
Professional ethics and standards:
  Code of professional ethics
  Due professional care
Competence:
  Continuing professional education
ISACA (cont)
Planning:
  Audit planning
Performance of audit work:
  Supervision
  Evidence
Reporting:
  Report content and form
Follow-up activities:
  Follow-up
CObIT Guidelines
Organization of the IS Audit Function
IS Audit Resource Management
Audit Planning
Effect of Laws and Regulations on IS Audit Planning
IS audit services can be provided externally or internally.
If internally:
  The role should be established by an audit charter
  Can be part of internal audit, or function as an independent or integrated group within financial and operational audit
  The charter should clearly state management's responsibility, objectives, and authority
If externally:
  The scope and objectives of these services should be documented in a formal contract or statement of work between the contracting organization and the service provider
  Should be independent and report to an audit committee, if available, or to the highest management level, such as the board of directors
Maintain their competency through updates of existing skills and obtain training directed toward new audit techniques and technological areas
Have the skills and knowledge necessary to perform the auditor's work
Maintain technical competence through appropriate continuing professional education
IS audit management should also provide the necessary IT resources to properly perform IS audits of a highly specialized nature
Audit Planning
Consists of both short- and long-term planning.
Analysis of short- and long-term issues should occur at least annually, for:
  New control issues
  Changes in the risk environment, technologies and business processes
  Enhanced evaluation techniques
The results are reviewed by senior audit management and approved by the audit committee, if available, or alternatively by the board of directors, and communicated to relevant levels of management.
Each individual audit assignment must be adequately planned.
Steps to perform audit planning:
  Gain an understanding of the business
  Identify policies, standards and required guidelines, procedures, and organization structure
  Perform a risk analysis
  Set the audit scope and audit objectives
  Develop audit strategy
  Assign personnel resources
  Address engagement logistics
Business regulations can impact the way data are processed, transmitted and stored.
IS auditors should review management's privacy policy to ascertain whether it takes into account the requirements of applicable privacy laws and regulations.
Two major areas of concern:
  Legal requirements (laws, regulatory and contractual agreements) placed on audit or IS audit
  Legal requirements placed on the auditee and its systems, data management, reporting, etc.
Risk Analysis
Risk analysis is part of audit planning and helps to determine the controls needed to mitigate the risks.
The IS auditor must have knowledge of common business risks, related technology risks and relevant controls.
Must also be able to evaluate the risk assessment and management techniques used by business managers, and to make assessments of risk to help focus and plan
The risk assessment process:
  Identify business objectives, information assets, and the underlying systems or information resources
  Identify threats and determine the probability of occurrence, and the resulting impact and additional safeguards
  Identify controls for mitigating identified risks
  Cost-benefit analysis:
    The cost of the control compared to the benefit
    Management's appetite for risk
    Preferred risk-reduction methods
Purposes of risk analysis from the IS auditor's perspective:
  Assists the IS auditor in identifying risks and threats
  Helps the IS auditor in his/her evaluation of controls in audit planning
  Assists the IS auditor in determining audit objectives
  Supports risk-based audit decision making
Internal Controls
Normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risks to the organization.
Controls:
  Preventive
  Detective
  Corrective
Internal accounting controls
  Primarily directed at accounting operations such as the safeguarding of assets and the reliability of financial records.
Operational controls
  Directed at day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives.
Administrative controls
  Concerned with operational efficiency in a functional area and adherence to management policies, including operational controls.
Ensuring availability of IT services by developing efficient business continuity plans (BCP) and disaster recovery plans (DRP)
Enhancing protection of data and systems by developing an incident response plan
Ensuring integrity and reliability of systems by implementing effective change management procedures
IS Control Objectives
Supports IT governance by ensuring that:
  IT is aligned with the business
  IT resources are used responsibly
  IT risks are managed appropriately
4 domains:
  Plan & Organize: identification and strategy on IT investment
  Acquire & Implement: integrated realization on IT planning and application
  Deliver & Support: IT support on business operation
  Monitor & Evaluate: scheduled evaluation on IT
IS Control Procedures
Operations procedures
Systems programming and technical support functions
IS Control Procedures
Networks and communications
Database administration
Protection and detective mechanisms against internal and external attacks
Performing an IS Audit
Classification of Audits
Audit Programs
Audit Methodology
Audit Risk and Materiality
Risk Assessment and Treatment
Risk Assessment Techniques
Audit Objectives
Compliance vs. Substantive Testing
Performing an IS Audit
Evidence
Describe and give an example for each step in performing an IS audit. You can search the internet or other sources for help.