IT Audit M.C. Juan Carlos Olivares Rojas MSN: juancarlosolivares@hotmail.com jcolivar@itmorelia.edu.mx http://antares.itmorelia.edu.mx/~jcolivar/ @jcolivares Social Network: Facebook, LinkedIn. Hi5 Information Audit Concepts • There are a lot of definition about what Audit and Information Audit means. • Activity: in pairs try to discuss what’s the diference among Audit, Consult and Advisory. • Audit is an evaluation of a person, organization, system, process, project or product. Audit • Audits are performed to ascertain the validity and reliability of information, and also provide an assessment of a system's internal control. • The goal of an audit is to express an opinion on the person/organization/system etc. under evaluation based on work done on a test basis. • Information Audit is “review the existing system of information management, identify problems and recommend solutions for those problems” (Elis 1993) Information Audit • Other definition of Information audit is “an analysis of the communications (processes and information) that take place between agents (people) in a social context (the organisation) using a variety of media and channels (technology).” • Information Audit (IA) is focused in describe how things are done instead of existence; for example, use of a database rather than exist a database. Information Audit • The IA contex have to set organizational goals and costraints. • • • • against The IA has to try to solve question such as: What is the purpose of the audited system? Does it accomplish its purpose? Is the purpose in line with the purpose and philosophy of the organisation as a whole? Information Audit • How effectively are resources used? • How are resources accounted for and safeguarded? • How useful is the information system supporting the organisation? • How reliable is the information system? • Does the system comply with regulations and standards? In Sum… • The goal of the Audit project • Compare what is, • To what should be • To bring the two together • The process is: • • • • Establish what should be Get support Find out what is Create results and recommendations. Types of Auditing • Exist diferent clasification of Auditing. • By deep Level: General and Technical • General Auditing includes an assesment of diferent areas (i.e., financial, administrative, quality, etc.) in a company at the same time. • Technical Audits are specific Information System Audit. such as Internal and External Audits • Internal Audits are realized by Individual of the Organization. The advantages are most knowledge of Internal Control and less time in the audit process. The disadvantages can be non-Ethical Reports. • External Audit or Superior Control Audit is realized by Third-People. This is recommended type of audit because is most Ethical and Efficient but required more time. Field of Information Audit • What are Business Process? • It’s a collection of related, structured activities or tasks that produce a specific service or product (serve a particular goal) for a particular customer or customers. • Activity: Indicate what are the Business Process in a University such as Instituto Tecnologico de Morelia Business Process • Some Business Process are very similar. • What’s the diference? • It’s the business rules. These are statements that define or constrain some aspect of the business • Activity: Describe the rules of some sport or game such as Soccer, Tenis, Tetris, etc. What is Audited? • The Information that leads to knowledge • Resources for making information • How info is used • The people who need and create info • Info capture, management and presentation tools • How info is valued What’s the Point? • Understand information – What is it? – How does it move? • Manage information – What should we spend on it? – How should it flow? • Give information its rightful something we pay attention to. – Money – Material goods – Processes place as Internal Control • It’s defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. • It is a means by which an organization's resources are directed, monitored, and measured. Internal Control • It plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks). • Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes-Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal Control • The governance is a very important activity inside organizations because drive and direct the Internal Control. • Procurement plays and importan role in the modern organization because need mechanism to regularize the practices and maintance the justice. • External Control is supported by Goverment Legislation. Control Models using in Info Audit • Discussion About Methodologies: • ISACA (Information System Audit and Control Association) • COBIT (Common OBjectives for Information and related Technologies) • ITIL (Information Technologies Infraestructure Library) Other Methodologies • COSO • ISO/IEC 17799:2000 • ISO/IEC 13335 • ISO/IEC 15408 • TickIT • NIST 800-14 An Audit Project • What are the goals of the project? • What is the overall process? • What are the deliverables? • What does the plan look like? What Are The Goals? • To assess what information and flow the org needs • To assess what information and flow the org now has • To make recommendations about how to get the two to match What’s the Overall Process? 1. Analyze objectives for ideal process 2,3 Get a mandate and support 4 Plan the audit 5 Perform the audit 6,7 Interpret and Present the results 8,9 Take action 10 Repeat What are the Deliverables? 1. Analyze objectives •One or more readiness deliverables •A Goals-Knowledge-Info taxonomy 2,3 Get support •One or more mandate deliverables •Guardian and stakeholder profiles 4. Plan •Audit methods plan •Staging plan 5. Perform •Information Analyses 6,7 Interpret and present •Reports and presentations 8,9 Act •Follow-up plan Deliverables: A GoalsKnowledge-Info Taxonomy • Organizational objective 1 – Knowledge requirement 1.1 • Info that supports requirement – Containers for the information • People who need to know it • Flow – Creation – Use – Disposal – Knowledge requirement 1.2 • Organizational objective 2 Deliverables: Guardian and Stakeholder Profiles Who will you approach in the org and how? • What: Word files, a spreadsheet or Db records – Who are they? – How will you approach them? – What do you know without asking? • How: – Asking around – Quick email or other communication – Org charts or readiness results Deliverables: Audit Methods What are the available methods ? • Analysis of docs and Dbs • Observation • Trying yourself • Interviews • Meetings • Surveys • Mapping Deliverables: Audit Methods How will you assess the information resources of your organization? • What: Word, spreadsheet or Db – Analysis, resource, method – Date, time, and staff • How – Try each method – Discuss with guardians and stakeholders – Design for change Deliverables: Staging Plan In what order should groups and information resources be done? • What: Word Doc, spreadsheet or DB – Groups and sources identified – Dates, times and staff for each • How – Arranged by • Strategic importance and potential for a win • Amount of support and ease or simplicity • Fair representation of all information Deliverables: Information Analyses The assessment of each dimension of the organization's information. • What? Word, spreadsheet or Db – Data collected – Standard set of – Information Resources • How – Apply methods and plan – Collect data, analyze and revisit if needed Deliverables: Reports and Presentations What are the analysis methods available? • Side-by-side comparison • SWOT • CATWOE – Clients – Actors – Transformations – Ownership – Environment Finding the Diferences Deliverables: Reports and Presentations The official results of the audit • What – Word files, Slide decks – Email messages, meeting agendas • How – Lots of trial inside the team – Test results to supporters – Trial presentations to insiders – Multiple methods to communicate Deliverables: Follow-Up Plan What should the org do and how will its success be measured? • What – Word file, project plan – Action – Preliminary scope, schedule, and budget • How – – – – Work with appropriate guardians and execs Focus on highest return projects first Give lots of leeway to the formation of the exact solution Caveat the heck out of your estimates The Team • Audit manager – Understands the org’s business – Ability to listen – Respected • Auditors – Technology analysts – Interviewers – SME (Subject Matter Experts) • Tool designers – Survey construction – Data analysis and presentation techniques • Consultants – Specialist support in the background Other IA Methodology • Initial review and evaluation of the area to be audited, and the audit plan preparation • Detailed review and evaluation of controls • Compliance testing • Analysis and reporting of results Review of System Documentation • The auditor reviews documentation such as narrative descriptions, flowcharts, and program listings. In desk checking the auditor processes test or real data through the program logic. • Audit throug the Computer: the process of reviewing and evaluating the internal controls in an electronic data processing system. Audit with The Computer • The utilization of the computer by an auditor to perform some audit work that would otherwise have to be done manually. Test • Test Data: The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the computer-processed output with the manually processed results. Test Data Computer Operations Auditors Prepare Test Transactions And Results Transaction Test Data Computer Application System Computer Output Auditor Compares Manually Processed Results Types of Testing • Compliance Testing: Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned. This is known as compliance testing. • Substantive testing is the direct verification of financial statement figures. Examples would include reconciling a bank account and confirming accounts receivable. Parallel Simulation • The test data process data through real programs. With parallel simulation, the auditor processes real client data on an audit program similar to some aspect of the client’s program. The auditor compares the results of this processing with the results of the processing done by the client’s program. Parallel Simulation Computer Operations Auditors Actual Transactions Computer Application System Auditor’s Simulation Program Auditor Compares Actual Client Report Auditor Simulation Report Audit Software • Computer programs that permit computers to be used as auditing tools include: • Generalized audit software (CAATS – Computer Assistant Audit Tools and Techniques) P.C. Software (support) • Records • Extended Records: Specific transactions are tagged, and the intervening processing steps that normally would not be saved are added to the extended record, permitting the audit trail to be reconstructed for these transactions • Snapshot: A snapshot is similar to an extended record except that the snapshot is a printed audit trail Principles Applied to Info Auditors • The Auditor word comes of auditorium which means “listend” the greek • Auditor was a person who main fuction was listening problems of people in a town and tacke back the Taxes and represent the intereses of Imperial Country. Auditors Responsabilities • Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems. • Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards. Preliminar and Detailed Review • In this Phase we works with documents information systems and other resources. • Preliminar Review is fast and acts as a filter. Detailed Review is important because we assurance the process. Exam and Evaluation of Information • The most important thing in a organization is asset, frecuently information assets. • What are the principal assets in a Telecomunication Firm such as AT&T, Telmex, etc.? • Cupper in 1976 60% • Cupper, Fiber and Infraestructure 30% aprox. in 2008 Exam and Evaluation of Information • Where are the rest of the money? • Information System • What is the most important thing in Coca-Cola? • The Secret Formula. It’s the same since 1886, only 3 pesons in the world know it. • This formula is patented like a comercial secret Test of User Control’s • What’s a User Control? • It’s a control which applied to final user or employees. • This process is important because a lot of firms are interesting in their relations with theirs user, employees, providers and third-parts. • In Programming the User Controls are the User Interface (UI). Remember for a end user, the UI is the system. Substantive Test • Substantive testing is the stage of an audit when the auditor gathers evidence as to the extent of misstatements in client's accounting records. • This evidence is referred to as substantive evidence and is an important factor in determining the auditor's opinion on the financial statements as a whole. Substantive Test • For example, the substantive test in an Inventory System consists of: • Physically examine inventory on balance date as evidence that inventory shown in the accounting records actually exists (validity assertion); • Arrange for suppliers to confirm in writing the details of the amount owing at balance date as evidence that accounts payable is complete (completeness assertion); Substantive Test • And make inquires of management about the collectibility of customers' accounts as evidence that trade debtors is accurate as to its valuation. Evidence that an account balance or class of transaction is not complete, valid or accurate is evidence of a substantive misstatement. Activity • In a Spreadsheet (electronic or paper) obtain de Standard Deviation of the follow numbers: 1, 3, 5, 7, 9, 11, 13, 21, and the last 2 digit of yours control number. • For the first number (until 21) SD = 6.36 • This is an example of compliance test Activity • • • • • • • • • • What did the next pseudocode do? W, X, Y, Z: real READ W, X Z=1 While (z > 0.01) do Y = X – (((X*X) – W)/ (2*X)) Z = abs(X – Y) X=Y End While Print X Risk Assesment • In auditing, risk assessment is a very crucial stage before accepting an audit engagement. • According to ISA315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, "the auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control" Risk Assessment • Auditor obtains initial evidence regarding the classes of transactions at the client and the operating effectiveness of the client’s internal controls. • In auditing, audit risk includes inherent risk, control risk and detection risk. Risk Assessment • What’s a Risk? • It`s a probability of activity occurs. • It’s related with Threats, Vulnerabilities, Impact and Exposures. • All activities have a risk. Risk Assesment What’s the probability of ocurrence of this activity? Risk Assesment • There are a lot of Methodologies for Calculating Risk but all are dependents of the user. • Risk are calculating in three levels: high, medium and low. • Risk are calculating by dimension like Impact and Frecuency of Ocurrence. Risk Assesment Simulators • Assurance-Life: • 194.224.248.32/simuladores/ * • • • • Business: http://www.gameonsoftware.com/index.htm http://www.beer-war.com/ * http://www.riskybusiness.com/ Compilation of Organizational Information • It’s important for the correct management of Auditing Process. • Before of making a Report is necessary the information that sustain the ideas. This information is knowed such as Evidence. • Remeber the first step is organizational context of a Firm. know the Compilation of Organizational Information • It’s important to manage an eficient way to recollect information such as logs, databases, control sheet and cross-documents. • The retrieval information must be the most quickly as posible. • In the research process this activity is highlyconsumer of time (Theoretical Frame and State-of-Art) Human Resource Assesment • This action is very important because some firms have and excelente organization and planning but in practice have a bad execution and directions (CONTROL) • There are two kinds of human resources evalution: • Activity and Resposability of a Employee in an organization (For Example a Bad Director or Boss). Human Resource Assesment • Assesment of Organization about their People (asking about a good working conditions). • One technique of Human Resources Assesment is the elaboration and application of questionaries. • Questionaries are a good option when there are not enough time, but are dificult because it needs a correct design and processing. Interviews with Informatic Personal • Interview is a vital process inside auditing. • We must recollect and store this information such as Evidence but in most of the time is dificult because it’s not a legal process and some Employee can’t or doesn’t like talking about some topic in these circunstances. • Interviews are dificult in design and application but are crucial. Interviews with Informatic Personal • Interviews provide the correct specification about a process. Auditors could be aimed by Personal in some process which are dficult to understand. • There are a lot of kinds of Interviews. The most important thing in Interview Process is the script. The interviewer should be and excelent improviser and carismatic person. Budget and Financial Situation • Budget is an important element because Auditors have some constraints, and the most important is Financial. • Ideally, the audit budget should be created after the audit schedule is determined. Budgets The most coordination. important thing is budget Budget is an important constraint tha auditor should considered in the assesment. For example a small ofice (PyME) doesn’t have enough money to buy a Hardware Firewall and the small company only implement a individual Firewall through Operating System. Financial and material Resources. • Those elements are important because we need it for working in auditing. • Material Resources used by an Auditor could be: Papers Formats (collection), PDA, Mobile Phone, Laptop or Notebook (paper). • Depending of the information assest the tools are variable for example a cable testing in Computer Network Audits. References • Senft, S. And Gallegos, F. (2008) Information Technology Control and Audit, Third Edition, CRC Press, United States. • Hall, H, Information Auditing, School Computing, Napier University, 2009. • Boiko, UW iSchool, Information ischool.washington.edu, 2009. • of Audits, ¿Preguntas?