Information Technology Audit & Control

Information Systems Audit & Control
Introduction
Apr 2006
Information Systems Audit & Control
1
Syllabus
Information Systems Audit and Control Fall 2005
by Haroon Arshad
e-mail: ch_haroon@msn.com
Office Hours: Wednesday & Friday 3:45-5:00 PM
Files available to date:
- Information System Audit & Control Syllabus & Course Outline
- Notes mailing group: http://groups.yahoo.com/group/isac_pucit
Syllabus
COURSE OBJECTIVE & PHILOSOPHY
The need to comply with an array of
- complex data laws,
- standards in IT, and
- the information system environment
dominates the business environment, privacy and security.
The challenge will be dealing with
- regulatory requirements,
- information system standards,
- best practices and laws.
COURSE OBJECTIVE & PHILOSOPHY - Cont.
As a result, the emphasis will be on issues such as
- policy management and enforcement,
- benchmarking against standards,
- incident response,
- forensics, and monitoring for insider threats.
To a large extent, the efforts will focus on
- implementing security,
- control policies, and
- management processes to ensure regulatory compliance.
It's a process that will involve spending a lot more time working with
management and end users, and educating them on what the risks are.
Syllabus
This class will be devoted to these control issues, their impact on the organization,
and how to manage and audit them. Consequently, this is essentially a class in
corporate management and audit, even though it is presented within the
information technology curriculum. Much of the class time will be devoted to
discussions and case studies, to develop an active "Audit & Control mentality".
To assure effective control, management - directly or through its internal and
external auditors - must control and audit systems whose "internals" are
understood only by highly-trained expert professionals. This course discusses
the philosophy and describes some of the tools and methods used for control
and auditing of such systems and the organizations that use them. Eventually,
this will lead to increased awareness, better understanding, and more secure
and effective accomplishment of the organization's objectives and use of its
technology; thus, the course will be beneficial to all future managers and users,
and not only to information technology professionals or auditors.
Syllabus
TEXTBOOK & COURSE MATERIALS
This course is based on Ron Weber's Information Systems Control and Audit, Prentice Hall
1999, ISBN 0-13-947870-1, which emphasizes the controls approach to systems audit
and security. The methodology is applicable to all systems, including internet, web-based
and e-commerce systems. Many security-oriented books are available today, and
the following is recommended as a supplement: Information Technology Audit &
Control by Frederick Gallegos, Daniel Manson, Sandra Allen-Senft, 2nd Edition,
Auerbach Publishers.
Additional reading material will be announced during the class.
Please bring the Weber text with you to each class – we will use the cases at the end of
its chapters.
On the Yahoo group web page you will find PowerPoint presentations for all the material
that I will introduce in class. These summarize the contents of the textbook, in addition
to other material that will be discussed in class. You can read these presentations prior to
class, so that you can use them in class in lieu of notes. You are responsible for knowing
the contents of these transparencies as well as the textbook’s material (and of course
whatever is discussed in class).
Syllabus
COMMUNICATIONS & PREREQUISITES
I believe that open communications channels between all of us add significantly to the value of the
class. You are welcome to contact me – preferably via e-mail. In particular, ALL questions and
comments are welcome.
The approach taken in this course is pragmatic, rather than theoretical or technical, with the
objective of increasing your familiarity with the course topics on the one hand, and your critical
understanding of the material on the other. I do not intend to "read the text in class". Rather, I will
emphasize certain issues, and will respond to your questions. You must read on your own and be
familiar IN ADVANCE OF EACH CLASS with the assigned material as given in the schedule, and
with the class notes available on my web page. The course will be discussion-oriented, with
emphasis on discussions geared to the case studies at the end of each chapter.
A common theme in my courses is the development of your communication skills and use of
available computer technology and common software tools. You are expected to be familiar with
word-processing and spreadsheet tools, and to submit your work using such tools. All homework will
be submitted electronically via e-mail, and must follow all the rules in the PRESHINT.DOC file (will be
available next week on the Yahoo group).
Syllabus
ASSIGNMENTS, QUIZZES AND EXAMS
Assignments will be based on the case studies at the end of the text's chapters, and will be
announced in class. Homework solutions will be discussed in class at the date they are due;
therefore, late submissions of homework assignments will not be accepted. Note that homework will
be based, to a large extent, on material you are supposed to read for the next class, and will be
discussed in class only after you submit the homework, in order to let you exercise your own
judgment and understanding. All assignments are due, unless otherwise specified, by the next
Tuesday after the class in which they have been announced; they should reach me, via e-mail, by
this time. Assignments should all be typed (using computerized office tools) and be professionally
presentable; hand-written assignments will not be graded. Assignment due-dates as given in the
schedule or in class will be strictly adhered to and late assignments will not be accepted, unless
prearranged with me. Virus infected submissions will be deleted and not graded with no
opportunity for resubmission.
Each class session (except the first one) may include a brief open-book quiz, which stresses
understanding of the required material. This system eliminates the pressure of final exam
preparation, allows timely feedback on grade progress, and motivates students to prepare for each
session (and thus increases the probability of quality participation and of getting the most from the
class sessions).
Syllabus
CLASS ATTENDANCE
You are expected to attend all classes, and are responsible for all
announcements made in class or in the yahoo group. Makeup of
quizzes or assignments will be given only by approval prior to the
quiz or assignment, except for extreme circumstances. Punctuality
is highly regarded; no student, if arriving late, will be given any
extra time to complete a quiz, nor will makeup quizzes be offered.
The university's honor code will be adhered to. Cheating will result
in an automatic failing grade in the course for all those students
who are deemed to have consciously contributed to the cheating.
Syllabus
GRADING
Grades will be based on homework assignments (60% - equally weighted, and
possibly dropping the worst one) and the quizzes (40% - equally weighted, and
possibly dropping the worst one, but not more than 5% per quiz). Final grades will
be assigned on a curve, and I will exercise my judgment as to the cut points, as
well as to the grading of students who miss or come late to many of the classes.
Don't nitpick about the grading. Persons who complain will not be rewarded for it;
those who have the decency not to complain would deserve the same break. A
request to look at one problem leads to re-grading of the whole paper, which often
leads to a lower grade.
No "extra credit" opportunities will be offered or assigned to specific individuals
under any circumstances; all students' grades will be based on the same
components - this is an equal opportunity course.
TENTATIVE & APPROXIMATE COURSE SCHEDULE
(actual schedule will be determined by the class advancement, and
changes will be announced)

Will be made available before next class.
What Is Information System Audit

Collecting & evaluating evidence to determine if
system accomplishes its organizational tasks
effectively & efficiently
Motivation for Control & Audit
Major business fraud cases
- Enron
- Worldcom
- The "Didn't know these things were happening" syndrome
Comprehensive ethical/control programs do matter to
corporate stakeholders
Need for ethical/control
- Standards
- Internal reporting process
- Highest level responsibility
Motivation for Compliance
Accounting Scandals (year, company, executives involved)
2001
- Enron: Jeffrey Skilling, Kenneth Lay, Andrew Fastow
2002
- AOL
- Adelphia
- Bristol-Myers Squibb
- CMS Energy
- Computer Associates
- Duke Energy
- Dynegy
- El Paso Corporation
- Freddie Mac
- Global Crossing: Gary Winnick, John Legere, Thomas Casey
- Halliburton: Dick Cheney
  Published report 10-9-2002
- Harken Energy
- HealthSouth
- Homestore.com
- ImClone Systems: Sam Waksal, Martha Stewart, John B. Landes, Ronald A. Martell
- Kmart
- Lucent Technologies
- Merck & Co.
- Merrill Lynch
- Mirant
- Nicor Energy, LLC
- Peregrine Systems
- Qwest Communications International
- Reliant Energy
- Sunbeam
- Tyco International: L. Dennis Kozlowski, Mark H. Swartz
- Waste Management
- WorldCom: Bernard Ebbers
Motivation for Control & Audit
Risk Based Capital
Definition of RBC: A theoretical model used to compute
the minimum amount of capital that an insurance
company should maintain in order to support its business
operations, considering the company's size and risk
profile.
Goals:
- To assist regulators in knowing when to intervene in a
  company's affairs
- To reduce costs of company insolvencies by catching them
  early
- To be simple enough to be applied to all companies
- To be comprehensive enough to adequately distinguish all
  possible risks
Need for IS Control & Audit
Reliance on computer systems
- Survival of organization
- Costs of data loss
- Costs of errors
- Inability to function
- Possibility of incorrect decisions
Need for IS Control & Audit
Security & abuse - from inside & outside:
hacking, viruses, access
- Destruction & theft of assets
- Modification of assets
- Disruption of operations
- Unauthorized use of assets
- Physical harm
- Privacy violations
See cases at end of ch. 1
Need for IS Control & Audit
What Is Information System Audit
Process of collecting and evaluating evidence to
determine whether a (computerized) system:
- Safeguards assets
- Maintains data integrity
- Enables communications & access to information
- Achieves operational goals effectively
- Consumes resources efficiently
Objectives – Audit and Control
- Need to control & audit info systems
- IS AUDITING = collecting & evaluating evidence to
  determine if system accomplishes its organizational tasks
  effectively & efficiently
- Understanding the organization & environment
- Understanding systems
  - EDP in particular
- Understanding the Control Approach
  - Control - a system that prevents, detects, or corrects unlawful,
    undesirable or improper events
The Auditing Environment
External vs. internal auditors
- External auditors provide increased assurance
  - Fairness of financial statements
  - Frauds & irregularities
  - Ability to survive
- Internal auditors appraise and evaluate adequacy &
  effectiveness of controls
  - Control - a system that prevents, detects, or corrects unlawful,
    undesirable or improper events
- Reporting - and responsibility - to Board of Directors
The Auditing Environment – cont.
Types of audit procedures
- To gain understanding of controls
- Test of controls
- Substantive tests of details of transactions
- Substantive tests of balances and overall results
- Analytic review procedures
Assessing Reliability
- By controls
- By transaction
- By errors
Internal Auditors
- Responsible to Board of Directors
- An internal control function
- Assist the organization in measurement &
  evaluation:
  - Effectiveness of internal controls
  - Achievement of organizational objectives
  - Economics & efficiency of activities
  - Compliance with laws and regulations
- Operational audits
Internal Auditors Scope of Work
- Safeguarding assets
- Compliance with policies and plans
- Accomplishment of established objectives
- Reliability & integrity of information
- Economics & efficient use of resources
The Internal Controls Framework
- Separation of duties
- Delegation of authority & responsibility
- System of authorizations
- Documentation & records
- Physical control over assets & records
- Management supervision
- Independent checks
- Recruitment & training
Internal Controls - Cont.
Controls - pattern of activities:
- Preventive
- Detective
- Corrective
Affect reliability
- Reduce failure probability
- Reduce expected loss in failure
Reasonable assurance
- Based on cost-benefit considerations
External Auditors
- Responsible to stockholders and public
  - Via Board of Directors
- Assess financial statement assertions
  - Existence or occurrence
  - Completeness
  - Valuation and allocation
  - Presentation and disclosure
  - Rights and obligations
- Must test compliance with laws and regulations
- Must test for fraud and improprieties
- Relies on internal control structure for planning of audit
External Auditors
Audit (material misstatement) risk = product of
- Inherent risk (assertion could be materially misstated)
- Control risk (misstatement will not be prevented or
  detected on a timely basis by internal controls)
- Detection risk
  - Inversely related to control and inherent risks
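The audit risk model from the slide above, worked through as an added example (not from the course slides or from Weber's text): the product is solved for the detection risk the auditor can accept from substantive tests, and the control-risk sweep shows the inverse relationship the slide states. Risk levels are treated as probabilities, and the sample assessments are constructed.

```python
"""Audit risk model from the slide: AR = IR x CR x DR, solved for detection risk.

Added example, not from the course slides or from Weber's text. Each risk is a
probability in (0, 1]; the sample assessments at the bottom are constructed.
"""


def _check_risk(name: str, value: float) -> None:
    """Every component is a probability; a value of 0 would make the model vacuous."""
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{name} must lie in (0, 1], got {value!r}")


def audit_risk(inherent: float, control: float, detection: float) -> float:
    """Risk of a clean opinion on a materially misstated assertion: the
    misstatement occurs (IR), internal controls fail to prevent or detect it
    in time (CR), and the auditor's own substantive tests miss it too (DR)."""
    for name, value in (("inherent", inherent), ("control", control),
                        ("detection", detection)):
        _check_risk(name, value)
    return inherent * control * detection


def planned_detection_risk(target_audit_risk: float,
                           inherent: float, control: float) -> float:
    """Detection risk the auditor may accept from substantive tests while still
    meeting the target audit risk: DR = AR / (IR x CR). A lower result calls
    for more, or more precise, substantive testing. If IR x CR is already below
    the target, any detection risk is tolerable, so the result is capped at 1.0."""
    for name, value in (("target_audit_risk", target_audit_risk),
                        ("inherent", inherent), ("control", control)):
        _check_risk(name, value)
    return min(1.0, target_audit_risk / (inherent * control))


def detection_risk_by_control_risk(target_audit_risk: float, inherent: float,
                                   control_levels: list) -> list:
    """Hold AR and IR fixed and vary the control-risk assessment, to show the
    inverse relationship on the slide: the weaker the controls (higher CR), the
    less detection risk the auditor can afford to accept."""
    return [(cr, planned_detection_risk(target_audit_risk, inherent, cr))
            for cr in sorted(control_levels)]


if __name__ == "__main__":
    # Constructed sample: 5% target audit risk, inherent risk judged at 60%.
    for cr, dr in detection_risk_by_control_risk(0.05, 0.6, [0.2, 0.5, 1.0]):
        print(f"control risk {cr:.2f} -> planned detection risk {dr:.3f}")
```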