AUDIT AND REVIEW ITS ROLE IN INFORMATION TECHNOLOGY 10’S REASON TO START OF IT AUDITING 1. Auditing around the computer was becoming unsatisfactory for the purpose of data reliance. 2. Reliance on controls was becoming highly questionable. 3. Financial institutions were losing money due to creative programming. 4. Payroll databases could not be relied on for accuracy due to sophisticated programmers 5. The security of data could no longer be enforced effectively 10’S REASON TO START OF IT AUDITING 6. Advancements occurred in technology. 7. Internal Networks were being accessed by employees’ desktop computers. 8. Personal computers became accessible for office and home use. 9. Large Amounts of data required advanced software programs to audit them, known as CAATs (Computer Assisted Audit Technique). 10. The tremendous growth of corporate hackers, either internal or external, warranted the need for IT auditors. THE NEED FOR THE IT AUDIT FUNCTION • The increased reliance on computers to perform daily transactions and with the higher risks associated with new technology, management needs assurance that the controls governing its computer operations are adequate. • IT Governance is the process by which an enterprise’s IT is directed and controlled. AUDITING CONCERNS • An adequate audit trail so that transactions can be traced forward and backward through the system. • The documentation and existence of controls over the accounting for all data (e.g. transactions) entered into the system and controls to ensure the integrity of those transactions throughout the computerized segment of the system. • Handling exceptions to and rejections from, the computer system • Unit and integrated testing, with controls in place to determine whether the systems perform as stated. • Controls over changes to the computer system to determine whether the proper authorization has been given and documented AUDITING CONCERNS • Authorization procedures for system overrides and documentation of those processes • Determining whether organization and government policies and procedures are adhered to in system implementation • Training user personnel in the operation of the system • Developing detailed evaluation criteria so that it is possible to determine whether the implemented system has met predertemined specifications • Adequate controls between internconnected computer systems AUDITING CONCERNS • Adequate security procedures to protect the user’s data • Backup and recovery procedures for the operation of the system and assurance of business continuity • Ensuring technology provided by different vendors (i.e., operational platforms) is compatible and controlled • Adequately designed and controlled databases to ensure that common definitions of data are used throughout the organization, that redundancy is eliminated or controlled, and data existing in multiple databases is updated concurrently REVIEWERS OF IS • IT Auditor has level of knowledge, skills, and abilities to do a quality job and provide a quality assessment. • How utilize the IT auditor to assist in providing objective, value added contributions to their work? WHAT ARE THE POLICIES AND PROCEDURES OF MANAGEMENT • Policies and procedures are only as good as the management structure which formed them and enforces the action taken. The IT auditor should examine the corporate structure of the policies and procedures set by management. The auditor should then verify that the policies and procedures follow audit standards. WHAT ARE THE POLICIES AND PROCEDURES OF MANAGEMENT • Each function in organization, including internal audit and IT, needs complete, well documented polices and procedures to describe the scope of the function of its activities and the interrelationships with other departments. As policies, and procedures are developed and organized into a standards manual, they should be tied directly to the goals and objectives of the organzation. AUDITOR STANDARDS • American Institute of Certified Public Accountants (AICPA) • Institute of Internal Auditor (IIA) • Internal Federation of Accountants (IFAC) • Information Systems Audit and Control Association (ISACA) • Ikatan Akuntan Indonesia (IAI) • Ikatan Audit Sistem Informasi Indonesia (IASII) Skills Related to IT Auditing • • • • • • • • • • • Performance of general controls Preparation of application assessments Transfer control protocol/Internet protocol (TCP/IP) Asynchronous transfer method (ATM) Electronic funds transfer (EFT) Database management systems (DBMS) Business continuity planning Disaster recovery planning System under change Audit integration services Information security services Auditor Independence • The audit report and opinion must be free of any bias or influence if the integrity of the audit process is to be valued and recognized for its contribution to the organization’s goals and objectives. The Role of the IT Auditor • • • • Counselor Partner of Senior Management Internal Audit Function External Audit The Organization’ Responsibility in Developing IT Audit Skills • Preaudit Checklist : – Who are members of the audit team, and what are their roles and assignments? – What are the credentials and experience of the assigned audit team? – What orientation or training can you provide them to be comfortable within the environment? – Communicate with your managers and staff in the areas to be audited – If an area was audited before, review the prior report to see the issues raised and recommended made. Get an update of corrections or changes made as a result of prior audit work and give your staff and the audit department credit The Organization’ Responsibility in Developing IT Audit Skills • Audit Cheklist: – Purpose of the audit? – Scope and objectives? – Who are the audit staff assigned ? (Ask to be notified if any staff are changed) – Timeframe for work to be performed? – Use of computer time/access to system/logs/training needed – Access to IT management and staff? – Communicate (1) and (2) to all IT staff affected – Set weekly or biweekly meetings with audit manager/audit team to discuss audit progress and issues – Before the audit is finished, request close out conference from audit group – Request a copy of audit report The Organization’ Responsibility in Developing IT Audit Skills • Post audit checklist: – When the audit report is issued, pull your team together and discuss the report; if you follow the steps above there should be no surprise. If there are, there was a communication breakdown somewhere. – If you disagree with the report or portions of the report, do so in writing with supporting evidence. Remember, the auditor has supporting evidence for their reports, and this exits in their working papers. For those area your agree, indicate what corrective actions your team plans to take. – Have your team provide a status report to you on a 3to 6-month cycle with a copy to go to internal audit. This shows you value their work.