MBAD 7090 Dr. Kexin Zhao

MBAD 7090 Dr. Kexin Zhao. Chapter 1: Information Technology Environment: Why Are Controls and Audit Important?. Objectives. Understand how IT audit fits today’s business and IT environment Differentiate risk and control Audit and IT audit: purpose and role Important standards and regulations.


Presentation Transcript


  1. MBAD 7090, Dr. Kexin Zhao
     Chapter 1: Information Technology Environment: Why Are Controls and Audit Important?
     IS Security, Audit, and Control (Dr. Zhao)

  2. Objectives
     • Understand how IT audit fits today’s business and IT environment
     • Differentiate risk and control
     • Audit and IT audit: purpose and role
     • Important standards and regulations

  3. Business Environment
     • Business strategy & operations:
       • Globalizing
       • Complex value networks
       • Getting products to market faster
       • Unpredictable customer needs
       • Shorter product life cycles
     • Technologically:
       • Heavily dependent on information technology (IT) to stay competitive

  4. IT Environment
     • Increased system quality and functionality
       • Service-oriented architecture (SOA)
       • Distributed computing
       • Modular programming
     • Web 2.0
       • Enables visitors to contribute information for collaboration and sharing
     • IT is a critical business enabler

  5. Call for Better IT Control
     • Information systems have become indispensable to supporting business needs.
     • Auditing provides independent and objective assurance that:
       • Information is processed in a safe and sound manner
       • Operations are efficient and effective
       • Information assets are safeguarded
       • Information goals are achieved

  6. What Is Risk?
     • Activities or events that might interfere with meeting the business objectives.
     • For each risk, you should identify:
       • The probability or likelihood that a loss will occur
       • A measure of the loss if it occurs

  7. Business Risks
     • Inherent (environmental)
     • Fraud
     • Lost opportunities
     • Loss of competitiveness

  8. IT Risks
     • Misalignment with business objectives
     • System/equipment failure
     • Unauthorized access
     • Unreliable/inaccurate information

  9. Controls
     • “Policies, procedures, practices, and organization structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.” (COBIT, 1998)
     • Purpose: reduce or eliminate risks

  10. Control Components (from COSO)
     • Control environment: setting objectives
     • Risk assessment
     • Information and communication systems
     • Control activities
     • Monitoring processes

  11. Class Exercise
     • Using the objective “get to work/school on time,” answer the following questions:
       • What could happen to prevent you from arriving at work/school on time? (risks)
       • What is the likelihood of those risks occurring?
       • What might happen if the risks occurred?
       • What do you do to ensure that you will get to work/school on time? (controls)

  12. Class Exercise
     • Please identify IT risks, their business impacts, and possible controls.

  13. The Audit Role and Purpose
     • An audit evaluates a person, organization, system, project, or product
     • An auditor needs to ensure that:
       • Information is valid and reliable
       • Internal controls are in place and sufficient
       • Operations are effective and efficient

  14. Types of Audits
     • Financial Audit
       • An audit of financial statements
       • Typically done by a third party or a legal entity such as a government
       • Usually on an annual basis, before the release of the financial statements

  15. Types of Audits (continued)
     • Operational Audit
       • Compliance with laws, regulations, and contracts
       • Compliance with organizational standards, policies, and procedures
       • A typical internal audit function
       • Primary user: management

  16. Types of Audits (continued)
     • IT Audit
       • An integral part of the audit function
       • Examines the quality and integrity of an organization’s information systems, practices, and operations
       • Will the organization’s computer systems be available to the business whenever required? (Availability)
       • Will the information in the systems be disclosed only to authorized users? (Confidentiality)
       • Will the information provided by the systems always be accurate, reliable, and timely? (Integrity)

  17. IT Audit (continued)
     • Types of IT audit
       • IT strategy and standards
       • System development
       • Communication networks
     • Associations and certifications
       • Information Systems Audit and Control Association (ISACA)
       • Certified Information Systems Auditor (CISA)
       • Certified Information Security Manager (CISM)

  18. Audit Techniques
     • Risk-oriented
     • Computer-assisted audit tools and techniques (CAATs)
     • Standards
       • Industry standards, such as COBIT and COSO
       • Best practices
       • Company-issued standards

  19. Professional Organizations
     • American Institute of Certified Public Accountants (AICPA)
       • Generally Accepted Auditing Standards (GAAS)
       • Statements on Auditing Standards (SAS)
     • Financial Accounting Standards Board (FASB)
       • Generally Accepted Accounting Principles (GAAP)
     • The Institute of Internal Auditors (IIA)
       • Statements on Internal Auditing Standards (SIAS)
     • Information Systems Audit & Control Association (ISACA)
       • COBIT: Control Objectives for Information Technology

  20. Related Legislation
     • Securities and Exchange Commission (SEC), 1933
     • Privacy Act, 1974
     • Computer Fraud and Abuse Act (CFAA), 1984 & 1994
     • Computer Security Act, 1987
     • Electronic Communications Privacy Act
     • Communications Decency Act, 1995
     • Health Insurance Portability & Accountability Act (HIPAA), 1996
     • Sarbanes-Oxley Act of 2002
     • Homeland Security Act of 2002, with the Cyber Security Enhancement Act

  21. Health Insurance Portability and Accountability Act (HIPAA)
     • Health care access, portability, and renewability
       • Easier to maintain health care coverage when switching jobs
       • Restricts rejection based on pre-existing conditions
     • Prevent fraud and abuse
       • Security and privacy rules
       • Requires the establishment of national standards for electronic health care transactions

  22. Computer Security Act of 1987
     • Improve the security and privacy of sensitive information in federal information systems
     • Develop government-wide computer system security standards, guidelines, and security training programs
     • Balance between national security and nonclassified issues
     • Superseded by the Federal Information Security Management Act of 2002

  23. Computer Fraud and Abuse Act
     • Protection against:
       • Trespass (unauthorized entry)
       • Exceeding authorized access
       • Exchanging information on how to gain unauthorized access
     • Different penalties for intentional and unintentional destructive trespass

  24. Communications Decency Act
     • Prohibits making indecent or patently offensive material available to minors via computer networks
     • Fines up to $250,000 and 2 years in prison
     • Employers are not liable for the actions of an employee unless those actions are within the scope of their employment

  25. Privacy Act of 1974
     • Provides safeguards to individuals against invasion of personal privacy by:
       • Allowing individuals to determine what information is collected about them
       • Assuring individuals that information collected is used only for one purpose
       • Assuring individuals that the information is current and accurate

  26. Homeland Security Act of 2002
     • Includes provisions for the Cyber Security Enhancement Act, which:
       • Demands life sentences for hackers who recklessly endanger lives
       • Allows Net surveillance to gather personal and private data without a court order
       • Lets ISPs turn over users’ records to law enforcement
     • Discussion Question:
       • Do you see any inconsistency between the Privacy Act and the Homeland Security Act?

  27. Sarbanes-Oxley Act of 2002
     • Direct result of the Enron, WorldCom, and Global Crossing financial fiascos
     • Due professional care
     • Auditor rotation
     • No conflicting responsibilities (e.g., external auditor and system design/implementation services)

  28. Sarbanes-Oxley Act of 2002 (continued)
     • Executives are more accountable for financial data
     • Impacts on IT
       • What happens in IT has become strategic

  29. Assignment 1
     • Please discuss how the Sarbanes-Oxley Act of 2002 will affect small accounting firms.
     • Deliverables
       • Limit: one page
       • Email submission to kzhao2@uncc.edu
       • Due date: September 8, 5:00pm.
