Preparing for an IT Audit - PowerPoint PPT Presentation

Preparing for an IT Audit

September 11, 2007

2:00pm EDT, 11:00am PDT

George Spafford,

Principal Consultant

Pepperweed Consulting, LLC

“Optimizing The Business Value of IT”

www.pepperweed.com

Housekeeping
  • Submitting questions to speaker
    • Submit question at any time by using the “Ask a question” section located on lower left-hand side of your console.
    • Questions about presentation content will be answered during 10 minute Q&A session at end of webcast.
  • Technical difficulties?
    • Click on “Help” button
    • Use “Ask a question” interface
Agenda
  • Background on Audit
  • Why audits are part of the Deming cycle of plan-do-check-act
  • How to prepare for audits
  • What auditors look for
  • For a copy of today’s webcast PPT, please email:
The Shewhart Cycle
  • Popularized by Deming
    • We plan
    • We do
    • We check results
    • We take corrective action
  • How can we objectively check?
    • Audit
  • Auditors must be objective
  • The process is necessary for improvement
IA - Risk Management & Control
  • Reliability and integrity of financial and operational information
  • Effectiveness and efficiency of operations
  • Safeguarding of assets
  • Compliance with laws, regulations, and contracts.

Source: International Standards for the Professional Practice of Internal Auditing, http://www.theiia.org/?doc_id=1499

IA - Governance
  • Promoting appropriate ethics and values within the organization.
  • Ensuring effective organizational performance management and accountability.
  • Effectively communicating risk and control information to appropriate areas of the organization.
  • Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

Source: International Standards for the Professional Practice of Internal Auditing, http://www.theiia.org/?doc_id=1499

External Audit
  • Is driven by the regulatory requirement to have an independent third party certify that the financial information provided to stockholders is reasonably accurate.
  • Some feel that internal review of external audit reports creates another layer of protection for financial reporting.
  • Primarily reports to the audit committee on the accuracy of the financial reports, and attests to management’s assessment of internal controls over financial reporting.

Source: “Common Misconceptions”, Tone From the Top, Institute of Internal Auditors, March 2005.

Important: Establish Key Controls
  • Review risks
    • Management’s current risk assessment
    • Use of a control framework as a proxy (verify with audit if acceptable)
    • If nothing to go on, the auditor will impose his/her belief system
  • Review key controls
    • Auditor may want to understand the state of the overall control environment – be sure to plan in advance
    • The emphasis and testing will be on key controls
    • Aim for as few key controls as possible, each grounded in identified risks
  • You want to be clear
  • Doesn’t benefit IT or audit if guessing or misinterpretation happens
Cost of Control

[Chart: Level of Assurance (y-axis, approaching but never reaching 100%) versus Level of Investment (x-axis)]

You can spend a fortune and you will never truly hit a 100% level of assurance.

The objective is to lower risk to an acceptable level, not eliminate it because you can’t!
Preparing (1)
  • Emphasis – talk to your audit group ahead of time
  • Auditing is not a science
  • Practices will vary between audit firms, within firms and between auditors
  • Work with Internal Audit closely to understand company requirements and External Audit Requirements
  • Put everything in writing and get approval – do not rely on verbal communications
    • Summarize your conversations in the form of meeting minutes and send them to the other party for confirmation.
  • Bear in mind that auditors leave firms and so do audit partners
    • Who you deal with can change year to year.
Preparing (2)
  • Determine a formal documentation plan
    • Policies and Procedures
    • Evidence of activity / compliance
  • Clearly identify what IT services/systems are in scope
    • Materiality
    • Guide to the Assessment of IT General Controls Scope Based on Risk
  • Take care in documenting control activity, test plans, etc. If they are ambiguous or inaccurate, deficiencies may well result
  • Documenting controls that don’t exist will guarantee findings
  • Be sure to document exceptions along with risks, the business case and management’s approval
    • It is better for management to disclose known exceptions than for auditors to find them.
    • How exceptions are documented and handled varies from auditor to auditor, so be sure to understand what to do, the ramifications, etc.
During the Audit (1)
  • Never lie to an auditor - the repercussions can be severe
  • Do not tamper with evidence - the repercussions can be severe
    • Be sure to outline the process for making any urgent remediation or changes during an audit with the auditor.
  • Be prompt in replying or providing samples
    • Delays may be interpreted as a lack of controls or that evidence is being created or altered
  • Auditors will follow the key controls and test plans verbatim if things go as planned
  • Do not be antagonistic
During the Audit (2)
  • Auditors make mistakes like everyone else.
    • Be sure to help them with any requested quality assurance processes that they have to make sure that the findings are accurate
  • The management response is the proper place to voice disagreements about findings
    • Do not get into senseless arguments
The Audit Process (1)
  • Coordinate Auditors
    • Internal Audit should coordinate with External Audit (This coordination is typically done by the Chief Audit Executive.)
    • Faster audits
    • Lower costs
    • Fewer interruptions
  • Schedule the audit
    • IT’s availability
    • Internal Audit’s availability
    • External audit’s availability
  • Kick off meeting
    • Goals of the audit
    • Scope
    • Roles and Responsibilities
    • Schedule / Plan
The Audit Process (2)
  • Review
    • Risks
    • Key Controls
    • Documentation (Requirements will vary so inquire as to what is needed)
      • Policies and Procedures
      • What systems are in scope
      • Narratives (An audit device used when documentation doesn’t exist)
      • Flowcharts
      • Test Plans (These should have been developed between management and internal audit. Care must be taken that they are very clear and concise.)
  • Execute Tests
    • Observe
    • Inquire
    • Obtain samples according to the test plan
The Audit Process (3)
  • Organize Work Papers
    • Management/IA should determine what documentation to retain from audits.
    • Part of the document retention is driven by what External Audit can leverage
    • The more management testing that External Audit can leverage, the faster the external audit goes and the lower the costs.
  • Document Results
    • The auditor will record results of tests and relate scores to work papers.
  • Make recommendations
    • Control Improvement Opportunities
    • Remediation Recommendations
  • Exit Meeting
    • Review rough draft of results as a QA step
    • Review any open items
The Audit Process (4)
  • Generate Management Letter
    • Once the testing is finished, the auditor reviews the audit documentation and develops a formal letter for management summarizing findings and recommendations.
  • Solicit Management Response
    • Management can then review and respond to the findings.
  • Finalize the audit documentation
  • Share Results with Management, Audit Committee and External Audit
Audit Findings
  • Audits always generate findings
  • Management can
    • Agree with a given finding and remediate
    • Dispute the finding
    • Accept the risk and do nothing
  • Remediation depends on the auditor and situation.
    • They may, or may not, wish to see remediation of audit findings.
  • Some external auditors leave remediation up to management
    • Bear in mind that if this year’s audit turned up the control deficiencies, then there is a strong likelihood that next year’s audit will turn up the same things unless there are changes to scope, key controls, etc.
  • If the same deficiencies show up over and over again, the auditor may choose to increase their severity
Continuous Improvement
  • Audits are vital
  • Provide objective opinions
  • Look at audit as another tool for process improvement
    • Set the proper tone from the top
    • If you think audits are a waste, then so will your team
  • The idea is to take their findings, and review what to do

* Adapted from ITIL Service Support Graphic

Learning More About Audit
  • Institute of Internal Auditors: http://www.theiia.org/
    • GAIT: http://www.theiia.org/guidance/technology/gait/
  • Information Systems Audit and Control Association: http://www.isaca.org
  • IT Compliance Institute: http://www.itcinstitute.com/
  • Jim Kaplan’s Audit Net: http://www.auditnet.org/
  • Subscribe to Dan Swanson’s Email Lists: http://www.securitybenchmark.com/

Thank you for the privilege of facilitating this webcast

George Spafford

Principal Consultant

Pepperweed Consulting

Optimizing the Value of IT

[email protected]

http://www.pepperweed.com

Daily News Archive and Subscription Instructions

http://www.spaffordconsulting.com/dailynews.html

If you have any further questions, e-mail [email protected]

For future ITSM Watch Webcasts, visit www.jupiterwebcasts.com/itsm

Thank you again for attending