Introduction to Information
Audit
M.C. Juan Carlos Olivares Rojas
Department of Computer and System
Instituto Tecnológico de Morelia
jcolivar@itmorelia.edu.mx
19.72388 lat, -101.1848 long
Disclaimer
Some material in this presentation has been
obtained from various sources, each of which
has its own intellectual property, so this
presentation will only have some rights reserved.
These slides are free, so you can add, modify,
and delete slides (including this one) and slide
content to suit your needs. They obviously
represent a lot of work on my part. In return for
use, I only ask the following: if you use these
slides (e.g., in a class) in substantially unaltered
form, that you mention their source.
Outline
Audit and Information Audit Concepts.
Types of Auditing.
Internal and External Audit.
Field of Information Audit.
Internal Control.
Control Models used in Information Audit.
Principles applied to Information Auditors.
Managers and Auditor Responsibilities.
Objectives of the Session
• Students will learn the basics of audit and
Information Audit.
Audit and Information Audit Concepts
• There are many definitions of what Audit and
Information Audit mean.
• Activity: in pairs, discuss the difference
among Audit, Consulting and Advisory.
• An Audit is an evaluation of a person, organization,
system, process, project or product.
Audit
• Audits are performed to ascertain the validity
and reliability of information, and also provide
an assessment of a system's internal control.
• The goal of an audit is to express an opinion on
the person/organization/system etc. under
evaluation based on work done on a test basis.
• An Information Audit is to “review the existing system
of information management, identify problems
and recommend solutions for those problems”
(Elis 1993)
Information Audit
• Another definition of Information Audit is “an
analysis of the communications (processes and
information) that take place between agents
(people) in a social context (the organisation)
using a variety of media and channels
(technology).”
• An Information Audit (IA) focuses on describing
how things are done rather than on mere existence; for
example, how a database is used rather than whether a
database exists.
Information Audit
• The IA context has to be set against
organizational goals and constraints.
• The IA has to answer questions such as:
• What is the purpose of the audited system?
• Does it accomplish its purpose?
• Is the purpose in line with the purpose and
philosophy of the organisation as a whole?
Information Audit
• How effectively are resources used?
• How are resources accounted for and
safeguarded?
• How useful is the information system supporting
the organisation?
• How reliable is the information system?
• Does the system comply with regulations and
standards?
In Sum…
• The goal of the Audit project:
• Compare what is
• To what should be
• To bring the two together
• The process is:
• Establish what should be
• Get support
• Find out what is
• Create results and recommendations.
Homework
• Deadline: Monday, February 16
• 20% Format
• 40% Research and write an essay about the
ISACA, COBIT and ITIL standards. Download
all the manuals and deliver only the principal
ideas.
• 40% Make a state-of-the-art table comparing the
standards on more than 3 features.
Types of Auditing
• There are different classifications of auditing.
• By depth: General and Technical.
• General Auditing includes an assessment of
different areas (i.e., financial, administrative,
quality, etc.) of a company at the same time.
• Technical Audits are specific, such as an
Information System Audit.
Internal and External Audits
• Internal Audits are performed by members of the
organization. The advantages are more
knowledge of Internal Control and less time in
the audit process. The disadvantage can be
reports that are not independent (non-ethical).
• An External Audit, or Superior Control Audit, is
performed by third parties. This is the recommended
type of audit because it is more ethical (independent)
and efficient, but it requires more time.
Field of Information Audit
• What is a Business Process?
• It’s a collection of related, structured activities
or tasks that produce a specific service or
product (serve a particular goal) for a particular
customer or customers.
• Activity: Indicate what the Business
Processes are in a university such as Instituto
Tecnológico de Morelia
Business Process
• Some Business Processes are very similar.
• What’s the difference?
• It’s the business rules. These are statements
that define or constrain some aspect of the
business.
• Activity: What are the business rules of ITM?
Describe the rules of some sport or game such
as Soccer, Tennis, Tetris, etc.
What is Audited?
• The Information that leads to knowledge
• Resources for making information
• How info is used
• The people who need and create info
• Info capture, management and presentation
tools
• How info is valued
What’s the Point?
• Understand information
– What is it?
– How does it move?
• Manage information
– What should we spend on it?
– How should it flow?
• Give information its rightful place as
something we pay attention to.
– Money
– Material goods
– Processes
Internal Control
• It’s defined as a process effected by an
organization's structure, work and authority
flows, people and management information
systems, designed to help the organization
accomplish specific goals or objectives.
• It is a means by which an organization's
resources are directed, monitored, and
measured.
Internal Control
• It plays an important role in preventing and
detecting fraud and protecting the
organization's resources, both physical (e.g.,
machinery and property) and intangible (e.g.,
reputation or intellectual property such as
trademarks).
• Internal control is a key element of the Foreign
Corrupt Practices Act (FCPA) of 1977 and the
Sarbanes-Oxley Act of 2002, which required
improvements in internal control in United
States public corporations.
Internal Control
• Governance is a very important activity
inside organizations because it drives and directs
Internal Control.
• Procurement plays an important role in the
modern organization because it needs mechanisms
to regularize practices and maintain
fairness.
• External Control is supported by Government
Legislation.
Homework
• Install an OS (such as Windows, Linux or
Mac) in a Virtual Machine. Deadline: Friday,
February 20.
• Write an essay on the kinds of licenses
for software in virtualized environments.
• Can we execute the same software two or more
times in virtual machines?
• Deadline: Wednesday, February 18
Essay
• It’s a written document which aims to persuade
the audience about the validity and importance
of one's own ideas on a specific topic.
• It’s an argument in which a process of analysis and
synthesis is carried out. It doesn’t have a fixed and
exclusive structure, but the following features
are recommended.
Essay
• It is recommended to start by defining the author's
position and the items to be addressed in the rest
of the document.
• In the development it is recommended to define
a method for developing ideas such as: defining,
comparing, analyzing, arguing, among others.
• It has to address each of the main points that support
the author's position or posture.
Essay
• Conclusions have to restate the author’s
position in a brief summary and show the
action lines to be followed (proposed).
• Part of the Essay is a process of inquiry to
obtain the theoretical framework as a base to
argue opinions.
• Essays are most used in social sciences.
Control Models used in Information Audit
• Discussion about methodologies:
• ISACA (Information Systems Audit and Control
Association)
• COBIT (Control OBjectives for Information
and related Technologies)
• ITIL (Information Technology Infrastructure
Library)
Other Methodologies
• COSO
• ISO/IEC 17799:2000
• ISO/IEC 13335
• ISO/IEC 15408
• TickIT
• NIST 800-14
An Audit Project
• What are the goals of the project?
• What is the overall process?
• What are the deliverables?
• What does the plan look like?
What Are The Goals?
• To assess what information and flow the
org needs
• To assess what information and flow the
org now has
• To make recommendations about
how to get the two to match
What’s the Overall Process?
1. Analyze objectives for ideal process
2,3. Get a mandate and support
4. Plan the audit
5. Perform the audit
6,7. Interpret and present the results
8,9. Take action
10. Repeat
What are the Deliverables?
1. Analyze objectives
•One or more readiness deliverables
•A Goals-Knowledge-Info taxonomy
2,3 Get support
•One or more mandate deliverables
•Guardian and stakeholder profiles
4. Plan
•Audit methods plan
•Staging plan
5. Perform
•Information Analyses
6,7 Interpret and present
•Reports and presentations
8,9 Act
•Follow-up plan
Deliverables: A Goals-Knowledge-Info Taxonomy
• Organizational objective 1
– Knowledge requirement 1.1
• Info that supports requirement
– Containers for the information
• People who need to know it
• Flow
– Creation
– Use
– Disposal
– Knowledge requirement 1.2
• Organizational objective 2
Deliverables: Guardian and
Stakeholder Profiles
Who will you approach in the org and how?
• What: Word files, a spreadsheet or Db records
– Who are they?
– How will you approach them?
– What do you know without asking?
• How:
– Asking around
– Quick email or other communication
– Org charts or readiness results
Deliverables: Audit Methods Plan
What are the available methods ?
• Analysis of docs and Dbs
• Observation
• Trying yourself
• Interviews
• Meetings
• Surveys
• Mapping
Activity
• Analyze the document (SGC –Sistema de
Gestión de la Calidad-) from the previous homework.
• Describe in your own words whether the process
described in the document corresponds with
reality.
• How did you carry out the last step?
Deliverables: Audit Methods Plan
How will you assess the information resources of your
organization?
• What: Word, spreadsheet or Db
– Analysis, resource, method
– Date, time, and staff
• How
– Try each method
– Discuss with guardians and stakeholders
– Design for change
Deliverables: Staging Plan
In what order should groups and information resources be
done?
• What: Word Doc, spreadsheet or DB
– Groups and sources identified
– Dates, times and staff for each
• How
– Arranged by
• Strategic importance and potential for a win
• Amount of support and ease or simplicity
• Fair representation of all information
Deliverables: Information
Analyses
The assessment of each dimension of the
organization's information.
• What? Word, spreadsheet or Db
– Data collected
– Standard set of
– Information Resources
• How
– Apply methods and plan
– Collect data, analyze and revisit if needed
Deliverables: Reports and Presentations
What are the analysis methods available?
• Side-by-side comparison
• SWOT
• CATWOE
– Clients
– Actors
– Transformations
– Ownership
– Environment
Finding the Differences
Deliverables: Reports and Presentations
The official results of the audit
• What
– Word files, Slide decks
– Email messages, meeting agendas
• How
– Lots of trial inside the team
– Test results to supporters
– Trial presentations to insiders
– Multiple methods to communicate
Deliverables: Follow-Up Plan
What should the org do and how will its success be
measured?
• What
– Word file, project plan
– Action
– Preliminary scope, schedule, and budget
• How
– Work with appropriate guardians and execs
– Focus on highest return projects first
– Give lots of leeway to the formation of the exact solution
– Caveat the heck out of your estimates
The Team
• Audit manager
– Understands the org’s business
– Ability to listen
– Respected
• Auditors
– Technology analysts
– Interviewers
– SME (Subject Matter Experts)
• Tool designers
– Survey construction
– Data analysis and presentation techniques
• Consultants
– Specialist support in the background
Discussion About The
Corporation Movie
• It’s a movie about Sustainable Development.
• Corporations are persons.
• Where is the Information Auditing
process applied?
Activity
• Forming teams of 4 persons or fewer, discuss
your professional opinion using a Group
Decision Technique to obtain a single
proposal.
• This proposal must be discussed with the
classroom.
Group Discussion Techniques
• The problem-solving process has three phases
according to Mintzberg:
– Identify the problem
– Develop different possible solutions
– Evaluate the possible solutions and select the most
adequate one
• Other authors have added two additional phases:
– Execute the chosen solution
– Evaluate the results of executing this solution.
Group Discussion Techniques
• For taking group decisions there are different methods
such as:
– Voting (the most voted option wins),
– Approval Voting (each member can vote for more
than one option; the most voted option wins),
– Range Sum (each option is assigned a score by each
member individually, where 1 is the least preferred; the
option with the highest total score wins), and
– Minimal Deviation (we select the option with the highest
total score and the smallest deviation among the
members' scores).
Group Discussion Techniques
• Nominal Group Technique is a decision making
method for use among groups of many sizes, who
want to make their decision quickly, as by a vote, but
want everyone's opinions taken into account (as
opposed to traditional voting, where only the largest
group is considered).
• First, every member of the group gives their view of
the solution, with a short explanation. Then, duplicate
solutions are eliminated from the list of all solutions,
and the members proceed to rank the solutions, 1st,
2nd, 3rd, 4th, and so on.
Group Discussion Techniques
• The numbers each solution receives are
totaled, and the solution with the lowest (i.e.
most favored) total ranking is selected as the
final decision. There are variations on how this
technique is used. For example, it can identify
strengths versus areas in need of development,
rather than be used as a decision-making
voting alternative. Also, options do not always
have to be ranked, but may be evaluated more
subjectively.
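The group decision rules described on the preceding slides (voting, approval voting, range sum, minimal deviation, and the Nominal Group Technique rank total) as one added worked example; this is not code from the slides. All ballots, scores and rankings are constructed, and ties between options are broken alphabetically so that every rule returns a single, deterministic winner.

```python
"""Group decision rules from the slides, as an added worked example.

All ballots below are constructed. Options are short strings; ties between
options are broken alphabetically so every rule returns one winner.
"""
from statistics import pstdev


def plurality(votes):
    """Voting: each member names one option; the option named most often wins."""
    tally = {}
    for choice in votes:
        tally[choice] = tally.get(choice, 0) + 1
    return max(sorted(tally), key=tally.__getitem__)


def approval_vote(ballots):
    """Approval voting: each member approves any number of options."""
    tally = {}
    for approved in ballots:
        for option in set(approved):          # one approval per member per option
            tally[option] = tally.get(option, 0) + 1
    return max(sorted(tally), key=tally.__getitem__)


def range_sum(scores):
    """Range sum: each member scores every option (1 = least preferred);
    totals are added and the highest total wins. Returns (winner, totals)."""
    options = sorted(scores[0])
    totals = {o: sum(member[o] for member in scores) for o in options}
    return max(options, key=totals.__getitem__), totals


def minimal_deviation(scores):
    """Minimal deviation: among the options with the highest total score,
    pick the one whose scores vary least across members."""
    winner, totals = range_sum(scores)
    tied = [o for o in sorted(totals) if totals[o] == totals[winner]]
    return min(tied, key=lambda o: pstdev([member[o] for member in scores]))


def dedupe(proposals):
    """NGT step 1: collect every member's proposal, dropping duplicates
    while keeping first-seen order."""
    seen = []
    for p in proposals:
        if p not in seen:
            seen.append(p)
    return seen


def nominal_group(rankings):
    """NGT step 2: each member ranks the options 1st, 2nd, ...; rank numbers
    are totalled and the LOWEST total wins. Returns (winner, totals)."""
    options = sorted(set().union(*rankings))
    totals = {o: sum(r.index(o) + 1 for r in rankings) for o in options}
    return min(options, key=totals.__getitem__), totals


# Constructed ballots for three options A, B, C (assumed data).
VOTES = ["A", "B", "A", "C"]
APPROVALS = [{"A", "B"}, {"B"}, {"A", "C"}, {"B", "C"}]
SCORES = [
    {"A": 3, "B": 2, "C": 1},
    {"A": 1, "B": 3, "C": 2},
    {"A": 3, "B": 2, "C": 1},
]
PROPOSALS = ["A", "B", "A", "C", "B"]
RANKINGS = [["A", "B", "C"], ["B", "A", "C"], ["B", "C", "A"]]

if __name__ == "__main__":
    print("plurality:", plurality(VOTES))
    print("approval:", approval_vote(APPROVALS))
    print("range sum:", range_sum(SCORES))
    print("minimal deviation:", minimal_deviation(SCORES))
    print("NGT options:", dedupe(PROPOSALS), "winner:", nominal_group(RANKINGS))
```

With these constructed scores A and B tie on the range sum (7 each), so the range-sum rule alone only picks A by the alphabetical tie-break, whereas the minimal-deviation rule prefers B because the members' scores for B are more uniform; this is the difference between the two rules the slide describes.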
Group Discussion Techniques
• Other techniques:
– Brainstorming,
– Round Table (similar to Brainstorming but each
member of the team has a turn to present his/her
ideas),
– SWOT (Strengths, Weaknesses, Opportunities, and
Threats).
Group Discussion Techniques
• The Phillips 66 Method is a group discussion
technique which is used to help overcome the
problem of silence in group situations and to
ensure that everyone gets a chance to
contribute to the discussion.
• The group is divided into sub-groups of six
participants each. These groups each spend
six minutes discussing possible solutions to an
identified problem, and then report back to the
larger group with a proposed solution
Group Discussion Techniques
• The Delphi method is a systematic, interactive
forecasting method which relies on a panel of
independent experts.
• The carefully selected experts answer
questionnaires in two or more rounds. After
each round, a facilitator provides an
anonymous summary of the experts’ forecasts
from the previous round as well as the reasons
they provided for their judgments.
Group Discussion Techniques
– Thus, experts are encouraged to revise their
earlier answers in light of the replies of other
members of their panel.
– It is believed that during this process the
range of the answers will decrease and the
group will converge towards the "correct"
answer.
Group Discussion Techniques
– Finally, the process is stopped after a predefined stop criterion (e.g. number of rounds,
achievement of consensus, stability of
results) and the mean or median scores of
the final rounds determine the results.
Other IA Methodology
• Initial review and evaluation of the area to be
audited, and the audit plan preparation
• Detailed review and evaluation of controls
• Compliance testing
• Analysis and reporting of results
Review of System
Documentation
• The auditor reviews documentation such as
narrative descriptions, flowcharts, and program
listings. In desk checking the auditor processes
test or real data through the program logic.
• Audit through the Computer: the process of
reviewing and evaluating the internal controls in
an electronic data processing system.
Audit with The Computer
• The utilization of the computer by an auditor to
perform some audit work that would otherwise
have to be done manually.
Test
• Test Data: The auditor prepares input
containing both valid and invalid data. Prior to
processing the test data, the input is manually
processed to determine what the output should
look like. The auditor then compares the
computer-processed output with the manually
processed results.
Test Data (figure): Auditors prepare test transactions and the manually
processed results; the test data is run through the computer application
system, and the auditor compares the computer output with the manually
processed results.
Types of Testing
• Compliance Testing: Auditors perform tests of
controls to determine that the control policies,
practices, and procedures established by
management are functioning as planned. This
is known as compliance testing.
• Substantive testing is the direct verification of
financial statement figures. Examples would
include reconciling a bank account and
confirming accounts receivable.
Parallel Simulation
• The test-data technique processes test data through
the client's real programs. With parallel simulation, the auditor
processes real client data through an audit program that
simulates some aspect of the client’s program.
The auditor then compares the results of this
processing with the results of the processing
done by the client’s program.
Parallel Simulation (figure): Actual transactions are processed by both the
client's computer application system and the auditor's simulation program;
the auditor compares the actual client report with the auditor simulation
report.
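The two techniques just described, test data and parallel simulation, as one added worked example; this is not code from the slides. The client payment-posting program, its business rules (a 2% discount for payments within 10 days, rejection of non-positive amounts and of unknown invoices), the open invoices and the transactions are all constructed. The client program carries a planted off-by-one defect in the discount window so that both techniques have an exception to report.

```python
"""Test data and parallel simulation (CAAT techniques), as an added example.

Constructed scenario: a hypothetical client payment-posting program applies a
2% early-payment discount when an invoice is settled within 10 days, rejects
amounts <= 0 and rejects payments against unknown invoices. The client program
below carries a planted defect so the techniques have something to find.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

DISCOUNT_RATE = Decimal("0.02")
DISCOUNT_WINDOW_DAYS = 10


@dataclass(frozen=True)
class Payment:
    invoice_id: str
    amount: Decimal
    days_after_invoice: int


def cents(value):
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


# --- the client's program (constructed; contains a planted defect) ----------
def client_post_payment(p, open_invoices):
    if p.invoice_id not in open_invoices:
        return ("REJECT", "unknown invoice")
    if p.amount <= 0:
        return ("REJECT", "non-positive amount")
    # Planted defect: off-by-one, so a payment on day 11 is wrongly discounted.
    if p.days_after_invoice <= DISCOUNT_WINDOW_DAYS + 1:
        return ("POST", cents(p.amount * (1 - DISCOUNT_RATE)))
    return ("POST", cents(p.amount))


# --- the auditor's independently written simulation of the same rules ------
def auditor_simulate(p, open_invoices):
    if p.invoice_id not in open_invoices:
        return ("REJECT", "unknown invoice")
    if p.amount <= 0:
        return ("REJECT", "non-positive amount")
    if p.days_after_invoice <= DISCOUNT_WINDOW_DAYS:
        return ("POST", cents(p.amount * (1 - DISCOUNT_RATE)))
    return ("POST", cents(p.amount))


def run_test_data(program, open_invoices, test_deck):
    """Test-data technique: run auditor-prepared transactions (valid and
    invalid) through the program and compare with hand-computed results.
    Returns the list of exceptions (invoice, expected, got)."""
    exceptions = []
    for payment, expected in test_deck:
        got = program(payment, open_invoices)
        if got != expected:
            exceptions.append((payment.invoice_id, expected, got))
    return exceptions


def run_parallel_simulation(program, simulation, open_invoices, actual):
    """Parallel simulation: process the client's real transactions through
    both the client's program and the auditor's simulation; report every
    transaction where the two results differ."""
    differences = []
    for payment in actual:
        client_result = program(payment, open_invoices)
        audit_result = simulation(payment, open_invoices)
        if client_result != audit_result:
            differences.append((payment.invoice_id, client_result, audit_result))
    return differences


OPEN_INVOICES = {"INV-100", "INV-101", "INV-102"}

# Auditor-prepared test deck with hand-computed expected results (constructed).
TEST_DECK = [
    (Payment("INV-100", Decimal("1000.00"), 5), ("POST", Decimal("980.00"))),
    (Payment("INV-101", Decimal("250.00"), 10), ("POST", Decimal("245.00"))),
    (Payment("INV-101", Decimal("250.00"), 11), ("POST", Decimal("250.00"))),  # boundary
    (Payment("INV-102", Decimal("0.00"), 3), ("REJECT", "non-positive amount")),
    (Payment("INV-999", Decimal("50.00"), 1), ("REJECT", "unknown invoice")),
]

# "Actual" client transactions for the parallel simulation (constructed).
ACTUAL_TRANSACTIONS = [
    Payment("INV-100", Decimal("1200.00"), 2),
    Payment("INV-101", Decimal("333.33"), 11),
    Payment("INV-102", Decimal("75.50"), 30),
]

if __name__ == "__main__":
    for row in run_test_data(client_post_payment, OPEN_INVOICES, TEST_DECK):
        print("test-data exception:", row)
    for row in run_parallel_simulation(client_post_payment, auditor_simulate,
                                       OPEN_INVOICES, ACTUAL_TRANSACTIONS):
        print("parallel-simulation difference:", row)
```

The test deck deliberately includes a transaction on the boundary of the discount window (day 11) and two invalid records; only the boundary record exposes the defect, which is the reason auditors prepare test data around the limits of each control rather than only typical values. The parallel simulation finds the same defect on the client's own day-11 transaction without any knowledge of the client's code.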
Audit Software
• Computer programs that permit computers to
be used as auditing tools include:
• Generalized audit software (CAATs –
Computer Assisted Audit Tools and
Techniques)
• P.C. Software (support)
• Extended Records: Specific transactions are
tagged, and the intervening processing steps
that normally would not be saved are added to
the extended record, permitting the audit trail to
be reconstructed for these transactions
• Snapshot: A snapshot is similar to an extended
record except that the snapshot is a printed
audit trail
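Extended records and snapshots as an added worked example, not code from the slides. The three-step posting pipeline (normalise, convert to base currency, apply tax), the exchange rates, the tax rate and the transactions are all assumed. Intermediate values are normally thrown away once a transaction is posted; for transactions the auditor tags, each step's input and output are appended to an extended record, and a snapshot renders that trail as text for a printed report.

```python
"""Extended records and snapshots, as an added worked example.

Constructed scenario: a three-step posting pipeline (normalise, convert to base
currency, apply tax). Intermediate values are normally discarded once a
transaction is posted. For transactions the auditor has tagged, the input and
output of each step are appended to an extended record so the audit trail can
be reconstructed later; a snapshot renders that trail as text for a printed
report. Exchange rates, tax rate and transactions are all assumed values.
"""
from decimal import Decimal, ROUND_HALF_UP

FX_TO_BASE = {"USD": Decimal("1"), "MXN": Decimal("0.05"), "EUR": Decimal("1.1")}
TAX_RATE = Decimal("0.16")


def cents(value):
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def step_normalise(tx):
    return {**tx, "currency": tx["currency"].upper(), "amount": Decimal(str(tx["amount"]))}


def step_convert(tx):
    return {**tx, "base_amount": cents(tx["amount"] * FX_TO_BASE[tx["currency"]])}


def step_tax(tx):
    return {**tx, "total": cents(tx["base_amount"] * (1 + TAX_RATE))}


PIPELINE = [("normalise", step_normalise), ("convert", step_convert), ("tax", step_tax)]


def process(transactions, tagged_ids):
    """Run all transactions through the pipeline. Untagged transactions keep
    only their final state; tagged ones also get an extended record: a list of
    (step name, state before, state after) for every intermediate step.
    Returns (posted_transactions, extended_records_by_id)."""
    posted, extended = [], {}
    for tx in transactions:
        trail = [] if tx["id"] in tagged_ids else None
        current = tx
        for name, step in PIPELINE:
            before = dict(current)
            current = step(current)
            if trail is not None:
                trail.append((name, before, dict(current)))
        posted.append(current)
        if trail is not None:
            extended[tx["id"]] = trail
    return posted, extended


def snapshot(tx_id, trail):
    """Printed audit trail: one line per step listing the fields it changed."""
    lines = [f"SNAPSHOT {tx_id}"]
    for name, before, after in trail:
        changed = {k: v for k, v in after.items() if before.get(k) != v}
        lines.append(f"  {name}: " + ", ".join(f"{k}={v}" for k, v in sorted(changed.items())))
    return "\n".join(lines)


# Constructed input; the auditor has tagged T2 for audit-trail capture.
TRANSACTIONS = [
    {"id": "T1", "currency": "USD", "amount": 100},
    {"id": "T2", "currency": "mxn", "amount": 2000},
    {"id": "T3", "currency": "EUR", "amount": 50},
]
TAGGED = {"T2"}

if __name__ == "__main__":
    posted, extended = process(TRANSACTIONS, TAGGED)
    for tx in posted:
        print(tx["id"], tx["total"])
    for tx_id, trail in extended.items():
        print(snapshot(tx_id, trail))
```

Only the tagged transaction pays the storage cost of the intermediate states, which is why the technique tags specific transactions rather than recording every step for every record; the reconstructed trail lets the auditor check each control (normalisation, conversion, tax) separately instead of only the final posted total.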
Principles Applied to Information Auditors
• The word Auditor comes from the Latin
auditor, “listener” (from audire, to hear).
• An Auditor was a person whose main function was
listening to the problems of the people of a town,
collecting taxes and representing the
interests of the imperial state.
Managers and Auditors Responsibilities
• Support the implementation of, and encourage
compliance with, appropriate standards,
procedures and controls for information
systems.
• Perform their duties with objectivity,
due diligence and professional care, in
accordance with professional standards and
best practices.
• Serve in the interest of
stakeholders in a lawful and honest manner,
while maintaining high standards of conduct
and character, and not engage in acts
discreditable to the profession.
• Maintain the
privacy and confidentiality of information
Homework
• Print a License Agreement of any software,
preferably uncommon software.
References
• Hall, H., Information Auditing, School of
Computing, Napier University, 2009.
• Boiko, Information Audits, UW iSchool,
ischool.washington.edu, 2009.
Questions?