
Introduction



  1. Introduction Lebanese Association of Certified Public Accountants Thursday, April 19, 2007 by Mohamad Y. Khachab, MBA, CISA Senior Management Consultant Certified IT Systems Auditor (CISA) Lecturer and University Prof. 03-588-441 Mohamad.khachab@lau.edu.lb

  2. Business Case As a result of the continual increase of: • Systems complexity • Cyber-threats / Internet • Avalanche of New technologies Organizations are looking for individuals with proven systems experience and knowledge to identify, evaluate and recommend solutions to mitigate vulnerabilities and risks.

  3. What is IT Audit ? A review of : • Information system processes • Management planning and organization of IS • Technical infrastructure and operational practices • Protection of information assets • Disaster recovery and business continuity • Business application system development, acquisition, implementation and maintenance • Business process evaluation and risk management

  4. IT Audit Process • Classification of Audits • Financial, operational, comprehensive • Preventive, detective, corrective • Methodology • Audit risk and materiality, risk assessment techniques, compliance vs. substantive testing, evidence, and sampling • Resource Management • Constraints on the conduct of the audit, project management techniques

  5. The Local Banking Industry and Other Market Constituents Banking Industry • New mandatory IT security and controls regulations by Banque Du Liban • Banking Control Commission • IT Recommendations Report of July 2000 • Increased acquisitions (Due Diligence) activities

  6. IT Audit – IS Audit Process There are 7 tasks within the process area: #1: Develop and/or implement a risk-based IS audit strategy and objectives in compliance with generally accepted standards to ensure that the organization's IT and business processes are adequately controlled, monitored and assessed, and aligned with the organization's business objectives. #2: Plan specific audits to ensure that the IS audit strategy and objectives are achieved.

  7. IS Audit Process #3: Obtain sufficient, reliable and relevant evidence to ensure that the IS audit strategy and objectives are achieved. #4: Analyze the information gathered to identify reportable conditions and reach conclusions. #5: Review the work performed to provide reasonable assurance that the objectives have been achieved. #6: Communicate audit results to key stakeholders. #7: Facilitate the implementation of risk management and control practices within the organization.

  8. IS Audit Process • Audit Mission • Audit Planning • An audit charter should exist to clearly state management’s responsibility and objectives for, and delegation of authority to IS audit. • This document should outline: authority, scope and responsibilities of the audit function. • The highest level of management should approve this charter.

  9. IS Audit Process • Audit Mission / Planning • Short- and long-term audit plans must be re-examined annually. • Investigate new control issues, changing technologies and enhanced evaluation techniques. • Audit methodologies must be reviewed and approved by senior management and the Audit Committee.

  10. IS Audit Process • The risk assessment undertaken by management, regulatory requirements and other matters will impact the IS audit planning process. What impacts the approach? • System implementation and upgrade deadlines, current and future technologies, and IS resource limitations. • When planning an audit, the IS auditor must have an understanding of the overall environment under review, i.e. an understanding of the various business practices and functions relating to the audit subject.

  11. How Familiar Must the IS Auditor Be? • The IS auditor must be familiar with the regulatory environment in which the business operates. • The IS auditor must also understand the business itself. How is that done?

  12. How Does the IS Auditor Understand the Business? • Tour key organization facilities. • Read annual reports, prior reports, and independent financial analysis reports. • Read industry publications. • Review long-term strategic plans. • Interview key managers to understand business issues. • Study regulations.

  13. Laws and Regulations • Businesses must comply with a number of governmental and external requirements related to system practices and controls. • For instance, all banks in Lebanon must comply with the Banque Du Liban IT requirements. This is mandatory, not optional. • Banks in Lebanon are making an effort to meet all the standards here and more of the standards abroad. • Why abroad? Reporting requirements are becoming global.

  14. ISACA Standards and Guidelines for IS Auditing The objectives of the ISACA Standards for IS auditing are to inform: • IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics for IS Auditors. • Management of the profession’s expectations concerning the work of practitioners.

  15. Framework? • Standards define mandatory requirements for IS auditing and reporting. • Guidelines provide guidance in applying the auditing standards. The IS auditor has to consider them in determining how to implement the standards, use judgment and common sense, and prepare a justification for any departure from them. • Procedures provide examples of how the audit work can be carried out. • Failing to comply may result in an investigation into the auditor's conduct by the appropriate board, and disciplinary action can follow.

  16. ISACA Guidelines for IS Auditing • ISACA does provide guidelines on how to comply with set standards. IS Auditor should: • Determine how to implement the standards • Use professional judgment in applying them • Be able to justify any departure

  17. CISAs should: • Support the implementation of, and encourage compliance with, standards, procedures and controls for IS. • Serve the interest of relevant parties. • Not be part of any illegal or improper work. • Maintain the privacy and confidentiality of information obtained during the course of an audit. • Perform duties in an independent and objective manner. • Avoid any activity that may impair, or appear to impair, independence. • Be competent and professional, and agree to undertake only those activities they can reasonably expect to complete with professional competence. • Always apply due professional care. • Inform the appropriate parties of audit results. • Not conceal unlawful practices. • Support the education of clients, management, the Board of Directors and the general public. • Maintain high standards of conduct and character.

  18. Risk Analysis IS auditors must understand the relationship between risk and control, must have knowledge of common business risks and must be able to evaluate a risk assessment. They must assess risk in order to focus and plan audit work. There are many definitions of risk; risk means different things to different people. The definition of risk published by the International Organization for Standardization (ISO): “The potential that a given threat will exploit vulnerabilities of an asset or a group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.”

  19. What Elements does Risk Have? • Threats to, and vulnerabilities of, processes and/or assets • Impact on assets based on threats and vulnerabilities • Probabilities of threats • What are business risks? Those that may impact the assets or processes of a specific business. • What is the nature of risks? Financial, regulatory or operational. • How do they arise? They may arise as a result of the interaction of the business with its environment, or as a result of the strategies, systems, processes, procedures and information used by the business. • What risk is the IS auditor focused on? A class of risk defined by the potential loss of confidentiality, integrity or availability of information.

  20. Risk Management • IS auditors are also asked to assess the risk management process used by the client to identify, evaluate and manage day-to-day risks. • In return, IS auditors identify proposed controls and/or security measures to prevent or reduce the likelihood of such risks occurring. How? • Identify all existing controls that minimize risk. • Determine and evaluate any new or additional controls identified during the analysis of the business risk. • Prioritize all the identified risks and identify the countermeasures that will be most effective. What do these countermeasures depend on? • Cost-benefit analysis: the cost of the control vs. its benefit. • How much risk management is prepared to accept. • The organization's preferred risk treatment: terminate? Minimize? Transfer? The IS auditor will appraise the thought process management has adopted to identify and evaluate risks and to decide which risks to minimize.

  21. Controls • Once risks are identified, existing controls are evaluated, or new controls designed, to achieve an acceptable level of risk. • Controls are preventive or detective, manual or programmed, and formal or ad hoc. • What is a control? It is defined as “the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.”

  22. Internal Control Objectives • A well-designed information system has controls built in for all its major functions. They include: • Internal Accounting Controls – Concerned with accounting operations and the reliability of financial records. • Operational Controls – Concerned with day-to-day operations, functions and activities. • Administrative Controls – Concerned with operational efficiency and adherence to organizational policies.

  23. Internal Control Objectives • They assure compliance with legal and regulatory requirements as well as the confidentiality, integrity, reliability and availability of information resources. • Relevant objectives include: • Safeguarding of assets • Integrity of general operating system environment • Integrity of sensitive and critical application system environments: • Authorization of input • Accuracy & completeness of processing of transaction • Reliability of information processing activities • Accuracy and completeness and security of the output • Database integrity • Compliance with the user’s requirements • Backup/recovery • Incident response and handling • Business continuity and disaster recovery • Compliance with corporate policies or regulatory and legal requirements

  24. Internal Control Objectives • These objectives apply to all areas, whether manual or automated. • In an information systems environment, controls are unchanged from a manual environment, but the implemented control features may be different. • Examples of information systems control objectives include: • Information on automated systems is secured from improper access and kept up-to-date. • Each transaction is authorized and entered only once. • All transactions are recorded and entered into the computer for the proper period. • All rejected and duplicate transactions are reported. • Files are adequately backed up to allow for proper recovery • All changes to operating software are approved and tested.

  25. Information Systems Control Procedures General IT controls are controls that apply to all functions within an organization. Examples of general control procedures: • Strategy and direction • General organization and management • Access to data and programs • System development and change control • Data processing operations • Systems programming and technical support functions • Data processing quality assurance procedures • Physical access controls • Business continuity/disaster recovery planning • Networks and communications • Database administration

  26. Information Systems Control Procedures These can be categorized into the following areas: • General Organization Control Procedures • Access to Data and Programs • System Development Methodologies • Data Processing Operations • Systems Programming and Technical Support Functions • Data Processing Quality Assurance Procedures IS auditors must understand how general control procedures are translated into specific information systems control procedures. This is critical in planning an audit.

  27. Performing an IS Audit Several steps are required. • Adequate planning – the first step. • Overall risks must be assessed. • Develop an audit program consisting of objectives and the procedures to satisfy them. • Gather evidence. • Evaluate the strengths and weaknesses of controls based on the evidence. • Prepare an audit report presenting the issues to management in an objective manner. Management must ensure the availability of adequate audit resources and a schedule for performing the audits and for follow-up reviews, which depend on the status of the corrective actions management has taken in response to the auditor's recommendations.

  28. Classification of Audits • Financial Audits – involve detailed substantive testing. • Operational Audits – designed to evaluate the internal control structure in a given area, for example application controls or logical security systems. • Integrated Audits – combined financial and operational audits, performed to assess the overall objectives within an organization. They can be done by either external or internal auditors and include both compliance and substantive audit steps. • Administrative Audits – oriented to assessing the efficiency of operational productivity within an organization. • IS Audit – determines whether an organization safeguards its assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.

  29. Testing Procedures • IS auditors must understand the procedures for testing and evaluating information systems controls. They include the use of: • Generalized audit software to survey the contents of data files. • Specialized software to assess the contents of OS parameter files. • Flow-charting techniques for documenting automated applications. • Audit reports available in operating systems. Understanding these is a must to allow for the planning of appropriate audit tests.
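The following is an added example, not part of the presentation, of the kind of test generalized audit software performs when it surveys a data file: it reads a constructed journal extract and reports exceptions to the control objectives listed on slide 24 (each transaction authorized and entered only once, recorded in the proper period, and rejected or duplicate items reported). The CSV layout, the field names and the list of approved authorizers are assumptions made for the illustration.

```python
"""Added example (not from the presentation): a generalized-audit-software
style survey of a transaction file against the control objectives on slide 24.
The CSV layout, field names and the approver list are assumptions."""
import csv
import io
from datetime import date

# Constructed sample extract, standing in for a journal export an auditor
# would obtain from the accounting system.
SAMPLE_LEDGER = """txn_id,posted,period,amount,authorized_by,status
1001,2007-03-02,2007-03,1500.00,jsmith,posted
1002,2007-03-05,2007-03,250.00,,posted
1003,2007-03-07,2007-03,9800.00,rdoe,posted
1003,2007-03-07,2007-03,9800.00,rdoe,posted
1004,2007-04-01,2007-03,410.00,jsmith,posted
1005,2007-03-20,2007-03,75.00,intern1,posted
1006,2007-03-22,2007-03,300.00,jsmith,rejected
"""

# Assumed set of users permitted to authorize journal entries, taken from the
# access control matrix obtained during audit planning.
AUTHORIZED_APPROVERS = {"jsmith", "rdoe"}


def load_ledger(text):
    """Parse a CSV extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_ledger(rows, approvers):
    """Survey the file and return exception lists keyed by control objective.

    duplicate    - a txn_id entered more than once (entered only once)
    unauthorized - authorized_by missing or not an approved user (authorized)
    wrong_period - posting date outside the accounting period claimed (proper period)
    rejected     - rejected items, which must appear on the exception report
    """
    findings = {"duplicate": [], "unauthorized": [], "wrong_period": [], "rejected": []}
    seen = set()
    for row in rows:
        txn = row["txn_id"]
        if txn in seen:
            findings["duplicate"].append(txn)
            continue  # the remaining objectives are judged on the first entry
        seen.add(txn)
        if row["status"] == "rejected":
            findings["rejected"].append(txn)
        if row["authorized_by"] not in approvers:  # empty string fails too
            findings["unauthorized"].append(txn)
        posted = date.fromisoformat(row["posted"])
        if f"{posted.year:04d}-{posted.month:02d}" != row["period"]:
            findings["wrong_period"].append(txn)
    return findings


def exception_summary(findings):
    """Count exceptions per objective: the figures that go into the report."""
    return {objective: len(txns) for objective, txns in findings.items()}


if __name__ == "__main__":
    result = audit_ledger(load_ledger(SAMPLE_LEDGER), AUTHORIZED_APPROVERS)
    for objective, txns in result.items():
        print(f"{objective:13s} {txns}")
    print(exception_summary(result))
```

The duplicate check deliberately keys on the transaction identifier alone; a further pass keying on date, amount and approver would catch the same item re-entered under a new identifier, which is the other way the "entered only once" objective fails.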

  30. Audit Methodology • Is designed to achieve planned objectives. The pre-designed program is the guide for documenting the various audit steps performed and the extent and types of evidence collected. • It provides a trail of the process used to perform the audit as well as accountability of performance. • Keep in mind that the IS auditor follows sequential program steps to gain an understanding of the entity under audit to evaluate the control structure and to test the controls.

  31. Audit Risk and Materiality • More and more organizations are moving to a risk-based audit approach, adopted to develop and improve the continuous audit process. • With this approach, auditors also rely on internal and operational controls as well as their knowledge of the company or the business. This helps relate the cost-benefit analysis (CBA) of a control to the known risk. • Business risks are those that impact the long-term viability of a specific business. Their nature is financial, regulatory or operational.

  32. Risk Assessment Model • By understanding the nature of the business, IS auditors can categorize the types of risk, which in turn determines the risk model or audit approach. • For example, auditors may assign weights to certain types of risk associated with the business and combine all the risks in a mathematical equation.

  33. Audit Risk can be categorized as • Inherent Risk – Exists independently of an audit and arises from the nature of the business: the susceptibility to a material misstatement in the absence of related controls. Cash is more likely to be stolen than an inventory of steel. • Control Risk – The risk that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls. • Detection Risk – The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when in fact they do. • Overall Audit Risk – The combination of the individual categories of audit risk assessed for each specific control objective. The objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so that the overall audit risk is at a sufficiently low level at the completion of the examination. Another objective is to assess and control those risks to achieve the desired level of assurance as efficiently as possible.

  34. Audit Risk • Audit risk describes the level of risk the IS auditor is prepared to accept during an audit engagement; the auditor adjusts the amount of detailed audit work so that the overall audit risk stays within that level. • The IS auditor should have a good understanding of these audit risks when planning an audit. • An internal control weakness, or a set of combined weaknesses, may leave an organization highly susceptible to a threat occurring. • By using proper statistical sampling procedures or a strong quality control process, detection risk can be minimized. • Materiality has its own considerations: what may be considered significant at an operational level may not be considered significant to upper management. • Materiality is considered in terms of the potential impact to the organization.
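As an added illustration, not from the presentation, of how the categories on slides 33 and 34 combine: the standard audit risk model writes overall audit risk as the product of inherent, control and detection risk, AR = IR × CR × DR. Given the audit risk the auditor is prepared to accept and the assessed inherent and control risk, the auditor solves for the detection risk they can afford, which drives how much substantive testing to plan. The same block gives the attribute-sampling size for a compliance test when zero deviations are expected, n = ln(1 − confidence) / ln(1 − tolerable deviation rate). The numeric risk levels and the bands mapping detection risk to testing extent are assumptions.

```python
"""Added example (not from the presentation): the audit risk model
AR = IR x CR x DR, solved for the detection risk the auditor may accept, and
the zero-expected-deviation attribute sample size. The numeric risk levels
and the testing-extent bands are assumptions."""
import math


def _check_rate(name, value, allow_one=True):
    """Reject values outside (0, 1]; (0, 1) when a log of 1 - value is taken."""
    upper_ok = value <= 1.0 if allow_one else value < 1.0
    if not (0.0 < value and upper_ok):
        raise ValueError(f"{name} out of range: {value}")


def planned_detection_risk(audit_risk, inherent_risk, control_risk):
    """Solve AR = IR * CR * DR for DR.

    Capped at 1.0: if IR * CR is already below the target AR, the target is
    met without any substantive testing, and the cap records that.
    """
    _check_rate("audit_risk", audit_risk)
    _check_rate("inherent_risk", inherent_risk)
    _check_rate("control_risk", control_risk)
    return min(1.0, audit_risk / (inherent_risk * control_risk))


def substantive_testing_extent(detection_risk):
    """Assumed bands: the less detection risk we may accept, the more we test."""
    _check_rate("detection_risk", detection_risk)
    if detection_risk < 0.2:
        return "extensive"
    if detection_risk < 0.5:
        return "moderate"
    return "limited"


def attribute_sample_size(confidence, tolerable_deviation_rate):
    """Compliance-test sample size when zero deviations are expected:
    n = ln(1 - confidence) / ln(1 - tolerable_deviation_rate), rounded up."""
    _check_rate("confidence", confidence, allow_one=False)
    _check_rate("tolerable_deviation_rate", tolerable_deviation_rate, allow_one=False)
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - tolerable_deviation_rate))


if __name__ == "__main__":
    # Same engagement (AR 5%, IR 0.8) with strong vs. weak controls: weaker
    # controls leave less detection risk to spend, so more substantive work.
    for cr in (0.2, 0.8):
        dr = planned_detection_risk(0.05, 0.8, cr)
        print(f"CR={cr}: DR={dr:.3f} -> {substantive_testing_extent(dr)} substantive testing")
    print("95% confidence, 5% tolerable rate:", attribute_sample_size(0.95, 0.05), "items")
```

With the assumed figures, control risk of 0.2 leaves a detection risk of about 0.31 (moderate substantive testing) while control risk of 0.8 leaves only about 0.08 (extensive testing), which is the relationship slide 37 describes between the strength of internal controls and the amount of substantive testing required.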

  35. Risk Assessment Techniques • The IS auditor should determine which functional areas are to be audited. Each area may represent a different type of audit risk. The IS auditor must evaluate the candidate areas to determine the high-risk areas that will be audited. Using risk assessment to determine the areas to be audited: • Enables management to allocate audit resources effectively. • Ensures relevant information has been obtained from all management levels. Audits must be directed to high-risk areas to add value to management. • Establishes a basis for effectively managing the audit department. • Provides a summary of how each individual audit subject relates to the overall organization as well as to the business plan. • One of the best risk assessment methods is a SCORING SYSTEM, useful in prioritizing audits based on an evaluation of risk factors, taking into consideration variables such as technical complexity, the level of control procedures in place and the level of potential financial loss. The resulting risk values are compared to each other and audits are scheduled accordingly. • Another form of risk assessment is judgmental, where an independent decision is made based upon executive management directives, business goals, environmental factors and historical perspective.
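As an added example, not from the presentation, the weighted equation mentioned on slide 32 and the scoring system described here can be written as a small model that scores every area of the audit universe on a few risk factors, ranks the areas and assigns each an audit frequency. The factors, their weights, the 1-to-5 scales, the frequency bands and the sample audit universe are all assumptions made for the illustration.

```python
"""Added example (not from the presentation): a weighted risk-scoring model
for ranking an audit universe, as sketched on slides 32 and 35. The factors,
weights, 1-5 scales, frequency bands and the sample universe are assumptions."""

# Assumed risk factors, each scored 1 (low) to 5 (high), and their weights.
# control_weakness is scored so that weaker controls give a higher number.
WEIGHTS = {
    "technical_complexity": 0.25,
    "control_weakness": 0.35,
    "financial_exposure": 0.40,
}

# Constructed audit universe for a small bank (illustration only).
AUDIT_UNIVERSE = [
    {"area": "Core banking application", "technical_complexity": 5, "control_weakness": 2, "financial_exposure": 5},
    {"area": "Internet banking", "technical_complexity": 4, "control_weakness": 4, "financial_exposure": 4},
    {"area": "Payroll", "technical_complexity": 2, "control_weakness": 3, "financial_exposure": 3},
    {"area": "Data centre physical access", "technical_complexity": 1, "control_weakness": 4, "financial_exposure": 2},
    {"area": "Backup and disaster recovery", "technical_complexity": 3, "control_weakness": 5, "financial_exposure": 4},
]


def risk_score(item, weights=WEIGHTS):
    """Weighted sum of the factor scores, on the same 1-5 scale as the inputs."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    score = 0.0
    for factor, weight in weights.items():
        value = item[factor]
        if not 1 <= value <= 5:
            raise ValueError(f"{item['area']}: {factor} must be 1..5, got {value}")
        score += weight * value
    return round(score, 2)


def audit_frequency(score):
    """Assumed scheduling bands: how often an area with this score is audited."""
    if score >= 4.0:
        return "annual"
    if score >= 3.0:
        return "every 2 years"
    return "every 3 years"


def rank_audit_universe(universe, weights=WEIGHTS):
    """Return (area, score, frequency) tuples, highest risk first."""
    scored = [(item["area"], risk_score(item, weights)) for item in universe]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(area, score, audit_frequency(score)) for area, score in scored]


if __name__ == "__main__":
    for area, score, frequency in rank_audit_universe(AUDIT_UNIVERSE):
        print(f"{score:4.2f}  {frequency:14s} {area}")
```

The judgmental override the slide mentions is deliberately kept outside the arithmetic: a management directive or a recent incident can move an area up the schedule, but the auditor should record that as a separate, documented reason rather than by quietly re-weighting the factors.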

  36. Audit Objectives • An audit objective refers to the audit's specific goals. • Audit objectives often center on substantiating that internal controls exist to minimize business risks. • The IS auditor must translate basic audit objectives into IS audit objectives. • The IS auditor must have a general understanding of how general audit objectives are translated into specific IS control objectives. • Initially, IS auditors identify the system's key controls; then they decide how to test these controls, after having documented the application and/or function and developed an understanding of it.

  37. Testing: Compliance vs. Substantive • Compliance – tests the organization's compliance with control procedures. • Are controls applied in a manner complying with management policies and procedures? • The objective is to provide auditors with reasonable assurance that a particular control is operating as perceived. • Substantive – evaluates the integrity of individual transactions, data or other information. • Substantive tests substantiate the integrity of actual processing. They are used, for example, to test for monetary errors directly affecting financial balances, or to test the accuracy of the inventory records of a tape library. • The amount of substantive testing required depends directly on the level of internal controls: should compliance testing reveal weaknesses in control, there are doubts about the completeness, accuracy or validity of the accounts, and substantive testing will have to alleviate those doubts.

  38. (Diagram, not reproduced in the transcript: the relationship between substantive and compliance tests.)

  39. Evidence • Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives. • It includes observations, notes taken from interviews, material extracted from correspondence and internal documentation, and the results of audit test procedures. • Determinants used to evaluate its reliability include: • Independence of the provider of the evidence (outside vs. inside the organization; for instance, confirmation letters used to verify balances). • Qualifications of the individual providing the evidence (inside vs. outside the organization; how much understanding the auditor has of the area in question). • Objectivity of the evidence (objective vs. subjective, i.e. requiring judgment or interpretation). • The IS auditor must understand the rules of evidence, since they may encounter a variety of evidence types.
