
British Computer Society NORTH LONDON BRANCH: AudIT to BenefIT - 6 sides of the dice. Wednesday 16th January 2008, 18.30 – 20.30




Presentation Transcript


British Computer Society NORTH LONDON BRANCH

AudIT to BenefIT - 6 sides of the dice

Wednesday 16th January 2008, 18.30 – 20.30

1 topic, 2 hours, 4 sponsors

6 views, 6 expert presenters

1 great audience


British Computer Society NORTH LONDON BRANCH

4 Sponsors:

  • Gotham Digital Science

  • ISACA London Chapter

  • IT Faculty of the Institute of Chartered Accountants in England and Wales

  • SUPINFO The International Institute of Information Technology


British Computer Society NORTH LONDON BRANCH

6 Views – plus more!

  • [Target start time 18.30]

  • BCS NLB Intro [10 mins.] - Dalim

  • Why audit? Who needs it? [15 mins.] - Justin

  • What does the auditor do? [15 mins.] - Nick

  • What’s audited? [20 mins.] - Fraser

  • IT audit tools and techniques [15 mins.] - Martin

  • How auditors use COBIT & IT Assurance Guide [15 mins.] - Lynn

  • How to plan to get value from your audits [15 mins.] - Steven

  • BCS NLB end of formal event [10 mins.] - Dalim

  • [Target end time 20.30]

  • Informal networking (with food & drink) ALL


British Computer Society NORTH LONDON BRANCH

6 Expert Presenters

  • [MC] Dalim Basu, BCS NLB

  • FRASER NICOL, Ernst & Young

  • JUSTIN CLARKE, Gotham Digital Science

  • NICK FELLOWS, Barclays Plc

  • [Supporting Cast: NLB team for this event] Jude Umeh, Patrick Roberts, Rebecca King


Why audit? Who needs it?

Justin Clarke, Director

CISA, CISM, CISSP, A.Inst.ISP


What is an audit?

  • Anyone?

  • A Definition

  • An audit is a professional, independent examination of a company's financial statements and accounting documents according to generally accepted accounting principles (Traditional)

  • An evaluation of a person, organization, system, process, project or product. Audits are performed to ascertain the validity and reliability of information, and also provide an assessment of a system's internal control (Wikipedia)


Understanding your auditor

  • Internal or External?

  • Assurance or Audit?

  • Key ideas

    • Independence

    • Reasonable assurance

    • Material error

    • Evidence

    • Testing/Sampling


Why audit?

  • Mitigate risk

  • Regulatory/legal - financial

  • Measurement/management

    • Conformity/Compliance

    • Quality

    • Environmental

  • How are we doing?


Who needs it?

  • Organisations

    • Large and small

    • Private, public and government

  • Stakeholders

    • Shareholders

    • Management

    • Tax payers


Types of audit

  • External – ITGC, ITAC, SAS70

  • Internal – Operational, Business Process, CobIT, COSO

  • Regulatory - Sarbanes Oxley, Basel II, MiFID

  • Conformity/Compliance – ISO17799/27001

  • Quality – ISO9001

  • Environmental – ISO14001


Exploring the world of Internal Audit

What does the auditor do and why?

Nick Fellows, CISA - Audit Manager

16 January 2008


The Audit Charter

  • This is a document that defines the Internal Audit function

    • Its purpose, responsibility, authority and accountability.

      • What we are there to do

      • How we will maintain our independence and objectivity

      • How we will do it and conduct ourselves whilst doing it

      • The relationship between IA and its stakeholders

      • The KPIs, what they are and how they are measured

    Standard S1 and Guideline G5 for the Audit Charter can be found on the ISACA website.


The Audit Universe and the Audit Plan

  • How does the audit department work out what to do?

    • Populate the audit universe

    • Prioritise based on risk ranking

    • Plan

    • Agree with stakeholders and get sign off from the Board Audit Committee


The audit

  • Understanding the processes, working out the key controls.

  • The ‘intention to audit’.

  • Testing the controls.

  • And the consequence was…

  • The report and follow up actions.


Closing thoughts

  • Risks are mitigated by controls. Whose controls? – yours.

  • An audit is not something that is done to you. It is something that is done with you.

  • The more you prepare, the less painful the review will be.


What is Audited?

Fraser Nicol – Technology Security and Risk Services, Ernst and Young

AudIT to BenefIT

Presentation to British Computer Society


IT audit – who, why, what and how?

  • Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations

  • External auditing is an independent opinion on whether or not financial statements are relevant, accurate, complete, and fairly presented

  • Both approaches are characterised by a systematic approach to the evaluation of risk management, control and governance processes. A common industry standard for IT auditing is:

  • COBIT 4.1 – Control Objectives for Information and Related Technology. A set of leading practices (framework) for information technology (IT) management, created and governed by the Information Systems Audit and Control Association (ISACA). COBIT is organised into 4 domains:

    • Plan and Organise

    • Acquire and Implement

    • Delivery and Support

    • Monitor and Evaluate

Who audits what?

[Chart: example IT audit areas plotted against the COBIT domains, with an axis running from "Expect Internal Audit Focus" to "Expect External Audit Focus".]

Domains on the chart: PO - Plan and Organise; AI - Acquire and Implement; DS - Delivery and Support; ME - Monitor and Evaluate; plus a Cross Domain column.

Example audit areas shown: IT Project Management, IT Strategic Alignment, IT Risk Management, Online Sales Application Project, IT Procurement, Change Management, Third Party Managed Services, Application Review, System Security, Network Management Review, Data Centre Management Review, IT Control Operation, Software Licensing, KPI / SLA Review.


What gets audited and why?

  • Example IT risks identified:

    • IT Infrastructure Scalability

    • Exploitation of Security Vulnerabilities

    • IT Strategy not formulated

    • IT Upgrade Activities lead to loss of service

    • Inappropriate IT User activity

[Key IT audit approach chart: inherent risk (No threat, Low threat, Significant threat, Very significant threat) plotted against control maturity (No controls, Ad hoc, Partially controlled, Fully controlled, Over controlled), dividing the space into five zones:]

  • A – Potential Over Control

  • B – Low Risk / Mature Controls

  • C – Low Risk / Limited Controls

  • D – Higher Risk / Mature Controls

  • E – Higher Risk / Limited Controls


How – can IT benefit?

Summary
  • Understand who the auditors are, what they are looking for, and what the output of the audit is going to be

  • Understand the risks to your own areas, be proactive in engaging with the auditors to explain your area and align their understanding of key risks with yours

  • Early planning is always performed at a high level; sometimes the principal actions sit with IT or the business. You need to be involved as closely as possible in audit planning to

Contact
  • Fraser Nicol, Senior Manager

  • Tel: 020 7951 0748

  • Mob: 07776047344



Tools and Techniques

Martin Allen FIIA, QiCA, CISA

16 January 2008



Tools and Techniques

[Diagram: the Corporate Entity, containing its Computer System, Financial Records and MIS/Datawarehouse, receives inputs (raw goods and services, laws and regulations, competitor intelligence, social responsibilities, the environment) and produces outputs (finished goods and services, financial accountants, corporate reporting, non-financial/regulatory reporting).]


Tools and Techniques

  • Indicators that computer tools and techniques would help audit process:

    • Requirement to analyse large volumes of data or complex calculations

    • Reliance upon reports generated from computer systems

    • ‘Black box’ style systems where complex processing of data is not transparent

    • Key reconciliation reports regularly highlight differences

    • New or modified systems

    • Interfaces between computer systems poorly controlled


Tools and Techniques

  • Tools available on the desktop:

    • Spreadsheets

    • Databases

    • MS Query


Tools and Techniques

  • Tools that can be acquired:

    • IDEA

    • ACL

    • OAK

    • Datanomic


Tools and Techniques

  • Risks:

    • Can allow the auditor to reach the wrong conclusion

    • Easy for inexperienced auditors to be caught out

    • Data interrogation does not test controls

  • Benefits:

    • Allows 100% sample size

    • Allows quick identification of unusual or required data

    • Allows auditor to use the power of the computer to improve the efficiency and effectiveness of the audit


This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2008 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.



How Auditors use COBIT® and the IT Assurance Guide

Lynn Lawton, International President

ISACA, Inc, and The IT Governance Institute, Inc.

ISACA and The IT Governance Institute

  • Over 70,000 members in 140 countries

  • Develop and maintain tools for IT and business management, e.g. COBIT and ValIT

  • Develop and administer certifications, e.g. CISA, CISM, and, coming soon, CGEIT

  • Deliver conferences and educational events around the world

  • Deliver research and thought leadership on topical issues and


COBIT Framework

Plan and Organise (PO)

  • PO1 Define a strategic IT plan.

  • PO2 Define the information architecture.

  • PO3 Determine technological direction.

  • PO4 Define the IT processes, organisation and relationships.

  • PO5 Manage the IT investment.

  • PO6 Communicate management aims and direction.

  • PO7 Manage IT human resources.

  • PO8 Manage quality.

  • PO9 Assess and manage IT risks.

  • PO10 Manage projects.

Acquire and Implement (AI)

  • AI1 Identify automated solutions.

  • AI2 Acquire and maintain application software.

  • AI3 Acquire and maintain technology infrastructure.

  • AI4 Enable operation and use.

  • AI5 Procure IT resources.

  • AI6 Manage changes.

  • AI7 Install and accredit solutions and changes.

Delivery and Support (DS)

  • DS1 Define and manage service levels.

  • DS2 Manage third-party services.

  • DS3 Manage performance and capacity.

  • DS4 Ensure continuous service.

  • DS5 Ensure systems security.

  • DS6 Identify and allocate costs.

  • DS7 Educate and train users.

  • DS8 Manage service desk and incidents.

  • DS9 Manage the configuration.

  • DS10 Manage problems.

  • DS11 Manage data.

  • DS12 Manage the physical environment.

  • DS13 Manage operations.

Monitor and Evaluate (ME)

  • ME1 Monitor and evaluate IT performance.

  • ME2 Monitor and evaluate internal control.

  • ME3 Ensure compliance with external requirements.

  • ME4 Provide IT governance.


Measuring progress

[Diagram: IT process maturity levels for "Process XX", shown as a scale from the start point, through an interim target status, to where you want to be. Surrounding elements on the slide: Goal Setting; Tools and …; Skills and …; Policies, Standards and Procedures.]

  • 1 Initial/Ad Hoc

  • 2 Repeatable but …

  • 3 Defined Process

  • 4 Managed and …

  • 5 Optimised

Start point → Interim target status → Where you want to be

ISACA and The IT Governance Institute

For more information, visit:


How to plan to get value from your audits

16 January 2008


Disclaimer
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Agenda
  • Recap – What is audit?

  • Pre-audit activities

  • During the audit

  • What happens next?


Recap – What is audit?

  • Internal auditing

    • Internal, yet independent assurance over internal controls

    • Designed to add value and improve an organisation's operations

  • External auditing

    • External, independent opinion over financial statements

  • Audit should be viewed as a critical friend rather than a hindrance

  • It can add value to your organisation – so treat it this way

  • An audit is not something that is done to you; it is something that is done with you


Pre-audit activities

  • What to do before the audit takes place

    • Understand who the auditors are, their scope, objectives and deliverables

      • Get involved in audit planning – understand the risks and issues in your own areas

      • You can influence – are there any areas you want covered?

    • Plan – The more you prepare, the less painful the review will be

    • Have a central point of contact

    • Confirm logistical arrangements


During the audit

  • Maintain contact with your auditors

    • The central point of contact will be key in ensuring a smooth audit

    • Arrange regular catch-up meetings

    • Understand what the key findings are

      • Have the auditors got a clear handle on the risks?

      • Are the key findings valid?

    • Is the audit on track?

    • What are the next steps?


What happens next?

  • How to reap the benefits for your organisation

    • Ensure that you get to review findings

      • Draft report stage

    • Be positive about the findings – Don’t take the outcome as personal criticism

    • Prepare a plan to address any issues identified and publish it – make sure the plan is implemented!

    • Roll-out learning points across your organisation, wherever possible

    • Prepare for your next audit!


Presenter’s contact details

Steven Babb


+44 (0)7717 511 554
