ICT Audit

IT Audit
M.C. Juan Carlos Olivares Rojas
MSN: juancarlosolivares@hotmail.com
jcolivar@itmorelia.edu.mx
http://antares.itmorelia.edu.mx/~jcolivar/
@jcolivares
Social Networks: Facebook, LinkedIn, Hi5
Information Audit Concepts
• There are many definitions of what Audit and Information Audit mean.
• Activity: in pairs, discuss the difference among Audit, Consulting and Advisory.
• Audit is an evaluation of a person, organization, system, process, project or product.
Audit
• Audits are performed to ascertain the validity
and reliability of information, and also provide
an assessment of a system's internal control.
• The goal of an audit is to express an opinion on
the person/organization/system etc. under
evaluation based on work done on a test basis.
• Information Audit is “review the existing system
of information management, identify problems
and recommend solutions for those problems”
(Elis 1993)
Information Audit
• Another definition of Information Audit is “an analysis of the communications (processes and information) that take place between agents (people) in a social context (the organisation) using a variety of media and channels (technology).”
• Information Audit (IA) focuses on describing how things are done rather than on whether they exist; for example, the use of a database rather than the existence of a database.
Information Audit
• The IA context has to be set against organizational goals and constraints.
• The IA has to try to answer questions such as:
• What is the purpose of the audited system?
• Does it accomplish its purpose?
• Is the purpose in line with the purpose and philosophy of the organisation as a whole?
Information Audit
• How effectively are resources used?
• How are resources accounted for and
safeguarded?
• How useful is the information system supporting
the organisation?
• How reliable is the information system?
• Does the system comply with regulations and
standards?
In Sum…
• The goal of the Audit project:
– Compare what is
– To what should be
– To bring the two together
• The process is:
– Establish what should be
– Get support
– Find out what is
– Create results and recommendations
Types of Auditing
• There are different classifications of Auditing.
• By depth level: General and Technical.
• General Auditing includes an assessment of different areas (i.e., financial, administrative, quality, etc.) in a company at the same time.
• Technical Audits are specific, such as an Information System Audit.
Internal and External Audits
• Internal Audits are carried out by individuals of the Organization. The advantages are better knowledge of the Internal Control and less time in the audit process. The disadvantage can be non-ethical reports.
• An External Audit or Superior Control Audit is carried out by third parties. This is the recommended type of audit because it is more ethical and efficient, but it requires more time.
Field of Information Audit
• What is a Business Process?
• It’s a collection of related, structured activities or tasks that produce a specific service or product (serve a particular goal) for a particular customer or customers.
• Activity: Indicate what the Business Processes are in a University such as the Instituto Tecnologico de Morelia.
Business Process
• Some Business Processes are very similar.
• What’s the difference?
• It’s the business rules. These are statements that define or constrain some aspect of the business.
• Activity: Describe the rules of some sport or game such as Soccer, Tennis, Tetris, etc.
What is Audited?
• The Information that leads to knowledge
• Resources for making information
• How info is used
• The people who need and create info
• Info capture, management and presentation
tools
• How info is valued
What’s the Point?
• Understand information
– What is it?
– How does it move?
• Manage information
– What should we spend on it?
– How should it flow?
• Give information its rightful place as something we pay attention to
– Money
– Material goods
– Processes
Internal Control
• It’s defined as a process effected by an
organization's structure, work and authority
flows, people and management information
systems, designed to help the organization
accomplish specific goals or objectives.
• It is a means by which an organization's
resources are directed, monitored, and
measured.
Internal Control
• It plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).
• Internal control is a key element of the Foreign
Corrupt Practices Act (FCPA) of 1977 and the
Sarbanes-Oxley Act of 2002, which required
improvements in internal control in United
States public corporations.
Internal Control
• Governance is a very important activity inside organizations because it drives and directs the Internal Control.
• Procurement plays an important role in the modern organization because it needs mechanisms to regularize practices and maintain fairness.
• External Control is supported by Government Legislation.
Control Models used in Info Audit
• Discussion About Methodologies:
• ISACA (Information Systems Audit and Control Association)
• COBIT (Common OBjectives for Information and related Technologies)
• ITIL (Information Technology Infrastructure Library)
Other Methodologies
• COSO
• ISO/IEC 17799:2000
• ISO/IEC 13335
• ISO/IEC 15408
• TickIT
• NIST 800-14
An Audit Project
• What are the goals of the project?
• What is the overall process?
• What are the deliverables?
• What does the plan look like?
What Are The Goals?
• To assess what information and flow the org needs
• To assess what information and flow the org now has
• To make recommendations about how to get the two to match
What’s the Overall Process?
1. Analyze objectives for ideal process
2,3. Get a mandate and support
4. Plan the audit
5. Perform the audit
6,7. Interpret and present the results
8,9. Take action
10. Repeat
What are the Deliverables?
1. Analyze objectives
– One or more readiness deliverables
– A Goals-Knowledge-Info taxonomy
2,3. Get support
– One or more mandate deliverables
– Guardian and stakeholder profiles
4. Plan
– Audit methods plan
– Staging plan
5. Perform
– Information Analyses
6,7. Interpret and present
– Reports and presentations
8,9. Act
– Follow-up plan
Deliverables: A Goals-Knowledge-Info Taxonomy
• Organizational objective 1
– Knowledge requirement 1.1
• Info that supports requirement
– Containers for the information
• People who need to know it
• Flow
– Creation
– Use
– Disposal
– Knowledge requirement 1.2
• Organizational objective 2
Deliverables: Guardian and Stakeholder Profiles
Who will you approach in the org and how?
• What: Word files, a spreadsheet or Db records
– Who are they?
– How will you approach them?
– What do you know without asking?
• How:
– Asking around
– Quick email or other communication
– Org charts or readiness results
Deliverables: Audit Methods
What are the available methods ?
• Analysis of docs and Dbs
• Observation
• Trying yourself
• Interviews
• Meetings
• Surveys
• Mapping
Deliverables: Audit Methods
How will you assess the information resources of your
organization?
• What: Word, spreadsheet or Db
– Analysis, resource, method
– Date, time, and staff
• How
– Try each method
– Discuss with guardians and stakeholders
– Design for change
Deliverables: Staging Plan
In what order should groups and information resources be
done?
• What: Word Doc, spreadsheet or DB
– Groups and sources identified
– Dates, times and staff for each
• How
– Arranged by
• Strategic importance and potential for a win
• Amount of support and ease or simplicity
• Fair representation of all information
Deliverables: Information Analyses
The assessment of each dimension of the
organization's information.
• What? Word, spreadsheet or Db
– Data collected
– Standard set of
– Information Resources
• How
– Apply methods and plan
– Collect data, analyze and revisit if needed
Deliverables: Reports and Presentations
What are the analysis methods available?
• Side-by-side comparison
• SWOT
• CATWOE
– Clients
– Actors
– Transformations
– Ownership
– Environment
Finding the Differences
Deliverables: Reports and Presentations
The official results of the audit
• What
– Word files, Slide decks
– Email messages, meeting agendas
• How
– Lots of trial inside the team
– Test results to supporters
– Trial presentations to insiders
– Multiple methods to communicate
Deliverables: Follow-Up Plan
What should the org do and how will its success be measured?
• What
– Word file, project plan
– Action
– Preliminary scope, schedule, and budget
• How
– Work with appropriate guardians and execs
– Focus on highest return projects first
– Give lots of leeway to the formation of the exact solution
– Caveat the heck out of your estimates
The Team
• Audit manager
– Understands the org’s business
– Ability to listen
– Respected
• Auditors
– Technology analysts
– Interviewers
– SME (Subject Matter Experts)
• Tool designers
– Survey construction
– Data analysis and presentation techniques
• Consultants
– Specialist support in the background
Other IA Methodology
• Initial review and evaluation of the area to be
audited, and the audit plan preparation
• Detailed review and evaluation of controls
• Compliance testing
• Analysis and reporting of results
Review of System Documentation
• The auditor reviews documentation such as narrative descriptions, flowcharts, and program listings. In desk checking, the auditor processes test or real data through the program logic.
• Audit through the Computer: the process of reviewing and evaluating the internal controls in an electronic data processing system.
Audit with The Computer
• The utilization of the computer by an auditor to
perform some audit work that would otherwise
have to be done manually.
Test
• Test Data: The auditor prepares input
containing both valid and invalid data. Prior to
processing the test data, the input is manually
processed to determine what the output should
look like. The auditor then compares the
computer-processed output with the manually
processed results.
[Figure: Test Data. Auditors prepare test transactions and their expected results; Computer Operations runs the test data through the Computer Application System; the auditor compares the computer output with the manually processed results.]
Types of Testing
• Compliance Testing: Auditors perform tests of
controls to determine that the control policies,
practices, and procedures established by
management are functioning as planned. This
is known as compliance testing.
• Substantive testing is the direct verification of
financial statement figures. Examples would
include reconciling a bank account and
confirming accounts receivable.
Parallel Simulation
• The test data approach processes test data through the real programs. With parallel simulation, the auditor instead processes real client data on an audit program that simulates some aspect of the client’s program. The auditor then compares the results of this processing with the results of the processing done by the client’s program.
[Figure: Parallel Simulation. Computer Operations runs the actual transactions through the Computer Application System to produce the actual client report; the auditor runs the same transactions through the auditor’s simulation program to produce the auditor simulation report; the auditor compares the two reports.]
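The two techniques above, as an added example that is not part of the original slides: a toy hourly-payroll program stands in for the client’s application system, and the auditor’s test transactions with their manually worked results, the “real” transactions and the auditor’s simulation program are all constructed for this example. run_test_data compares the program’s output with the auditor’s expected results (valid and invalid records included), parallel_simulation compares the client report with the auditor’s report, and a deliberately defective variant of the client program shows what each comparison reports.

```python
"""Added example (not from the slides): "test data" and "parallel
simulation" applied to a constructed toy payroll application."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OVERTIME_THRESHOLD = 40   # hours per week before overtime applies
OVERTIME_RATE = 1.5       # overtime premium multiplier


@dataclass(frozen=True)
class Transaction:
    employee: str
    hours: float
    rate: float


def client_payroll(tx: Transaction) -> Optional[float]:
    """The client's program (constructed): gross pay with overtime at 1.5x
    above 40 hours.  Returns None when input validation rejects the record."""
    if tx.hours < 0 or tx.hours > 168 or tx.rate <= 0:
        return None
    regular = min(tx.hours, OVERTIME_THRESHOLD)
    overtime = max(tx.hours - OVERTIME_THRESHOLD, 0)
    return round(regular * tx.rate + overtime * tx.rate * OVERTIME_RATE, 2)


# Test data: auditor-prepared transactions, valid and invalid, each with the
# result worked out manually *before* the program runs.
TEST_DATA: List[Tuple[Transaction, Optional[float]]] = [
    (Transaction("valid-regular", 38, 10.0), 380.0),    # 38 * 10
    (Transaction("valid-overtime", 45, 10.0), 475.0),   # 40 * 10 + 5 * 15
    (Transaction("invalid-negative-hours", -1, 10.0), None),
    (Transaction("invalid-zero-rate", 40, 0.0), None),
]


def run_test_data(program: Callable[[Transaction], Optional[float]] = client_payroll):
    """Compare the program's output with the manually processed results.
    Returns the exceptions as (employee, expected, actual) tuples."""
    exceptions = []
    for tx, expected in TEST_DATA:
        actual = program(tx)
        if actual != expected:
            exceptions.append((tx.employee, expected, actual))
    return exceptions


def auditor_simulation(tx: Transaction) -> Optional[float]:
    """The auditor's own program, written independently from the payroll rule."""
    if not (0 <= tx.hours <= 168) or tx.rate <= 0:
        return None
    if tx.hours <= 40:
        return round(tx.hours * tx.rate, 2)
    return round(40 * tx.rate + (tx.hours - 40) * tx.rate * 1.5, 2)


# Constructed stand-in for the client's real transaction file.
ACTUAL_TRANSACTIONS = [
    Transaction("E001", 40, 12.5), Transaction("E002", 50, 12.5),
    Transaction("E003", 0, 12.5), Transaction("E004", 44, 20.0),
]


def parallel_simulation(transactions=ACTUAL_TRANSACTIONS,
                        client=client_payroll) -> Dict[str, Tuple[Optional[float], Optional[float]]]:
    """Run real data through both programs and report every employee whose
    figure differs between the client report and the auditor's report."""
    client_report = {tx.employee: client(tx) for tx in transactions}
    auditor_report = {tx.employee: auditor_simulation(tx) for tx in transactions}
    return {e: (client_report[e], auditor_report[e])
            for e in client_report if client_report[e] != auditor_report[e]}


def defective_payroll(tx: Transaction) -> Optional[float]:
    """Constructed defect: same validation as client_payroll, but the
    overtime premium is never applied."""
    if tx.hours < 0 or tx.hours > 168 or tx.rate <= 0:
        return None
    return round(tx.hours * tx.rate, 2)


if __name__ == "__main__":
    print("test data exceptions, client program:", run_test_data())
    print("test data exceptions, defective program:", run_test_data(defective_payroll))
    print("parallel simulation differences, defective program:",
          parallel_simulation(client=defective_payroll))
```

Note that the test-data approach only exercises the transactions the auditor thought to prepare, whereas parallel simulation flags every real record the two programs disagree on; the overtime defect is caught by both here because one test transaction exceeds 40 hours.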
Audit Software
• Computer programs that permit computers to be used as auditing tools include:
• Generalized audit software (CAATs – Computer Assisted Audit Tools and Techniques)
• P.C. Software (support)
Records
• Extended Records: Specific transactions are
tagged, and the intervening processing steps
that normally would not be saved are added to
the extended record, permitting the audit trail to
be reconstructed for these transactions
• Snapshot: A snapshot is similar to an extended
record except that the snapshot is a printed
audit trail
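An added example (not from the slides) of how an extended record and a snapshot can be implemented: orders the auditor has tagged keep every intermediate pricing step that a normal run would discard, untagged orders keep nothing, and the auditor can rebuild and cross-check the total from the trail alone. The pricing pipeline, the 16% tax rate and the sample orders are all constructed for this example.

```python
"""Added example (not from the slides): an "extended record" audit trail
kept only for tagged transactions, plus a printable "snapshot" of it."""
from dataclasses import dataclass, field
from typing import List, Optional

TAX_RATE = 0.16          # constructed rate for the example
GOLD_DISCOUNT = 0.10     # constructed discount for "gold" customers


@dataclass
class Order:
    order_id: str
    quantity: int
    unit_price: float
    customer_tier: str        # "standard" or "gold"
    audit_tag: bool = False   # set by the auditor on transactions to follow
    trail: List[str] = field(default_factory=list)   # the extended record

    def note(self, step: str, value) -> None:
        """Save an intermediate step, but only for tagged transactions."""
        if self.audit_tag:
            self.trail.append(f"{step}={value}")


def process_order(order: Order) -> float:
    """Toy pricing pipeline whose intermediate values are normally not kept."""
    subtotal = order.quantity * order.unit_price
    order.note("subtotal", round(subtotal, 2))
    discount = GOLD_DISCOUNT if order.customer_tier == "gold" else 0.0
    order.note("discount_rate", discount)
    discounted = subtotal * (1 - discount)
    order.note("discounted", round(discounted, 2))
    tax = round(discounted * TAX_RATE, 2)
    order.note("tax", tax)
    total = round(discounted + tax, 2)
    order.note("total", total)
    return total


def snapshot(order: Order) -> str:
    """The printed audit trail for one transaction."""
    if not order.trail:
        return f"{order.order_id}: no extended record"
    return f"{order.order_id}: " + " -> ".join(order.trail)


def reconstruct_total(order: Order) -> Optional[float]:
    """Auditor rebuilds the total from the extended record alone, checking
    that the recorded steps are arithmetically consistent with each other.
    Returns None when there is no trail or the trail contradicts itself."""
    steps = dict(item.split("=", 1) for item in order.trail)
    if not steps:
        return None
    discounted = float(steps["subtotal"]) * (1 - float(steps["discount_rate"]))
    if abs(discounted - float(steps["discounted"])) > 0.01:
        return None
    return round(float(steps["discounted"]) + float(steps["tax"]), 2)


# Constructed sample: one ordinary order and one the auditor tagged.
SAMPLE_ORDERS = [
    Order("A-1", 10, 5.0, "standard"),
    Order("A-2", 4, 25.0, "gold", audit_tag=True),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        process_order(o)
        print(snapshot(o))
```

Tagging only selected transactions keeps the storage cost of the extended records small while still letting the auditor reconstruct the full processing path for the ones that matter.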
Principles Applied to Info Auditors
• The word Auditor comes from the Greek auditorium, which means “listen”.
• An Auditor was a person whose main function was listening to the problems of the people in a town, taking back the taxes and representing the interests of the Imperial Country.
Auditors’ Responsibilities
• Support the implementation of, and encourage
compliance with, appropriate standards,
procedures and controls for information
systems.
• Perform their duties with objectivity, due
diligence and professional care, in accordance
with professional standards.
Preliminary and Detailed Review
• In this phase we work with documents, information systems and other resources.
• The Preliminary Review is fast and acts as a filter. The Detailed Review is important because it is where we assure the process.
Exam and Evaluation of Information
• The most important thing in an organization is its assets, frequently information assets.
• What are the principal assets in a Telecommunications Firm such as AT&T, Telmex, etc.?
• Copper: 60% in 1976
• Copper, Fiber and Infrastructure: approx. 30% in 2008
Exam and Evaluation of Information
• Where is the rest of the money?
• Information Systems
• What is the most important thing in Coca-Cola?
• The Secret Formula. It has been the same since 1886; only 3 persons in the world know it.
• This formula is protected as a commercial (trade) secret.
Test of User Controls
• What’s a User Control?
• It’s a control applied to end users or employees.
• This process is important because many firms are interested in their relations with their users, employees, providers and third parties.
• In programming, the User Controls are the User Interface (UI). Remember that for an end user, the UI is the system.
Substantive Test
• Substantive testing is the stage of an audit
when the auditor gathers evidence as to the
extent of misstatements in client's accounting
records.
• This evidence is referred to as substantive
evidence and is an important factor in
determining the auditor's opinion on the
financial statements as a whole.
Substantive Test
• For example, the substantive test in an
Inventory System consists of:
• Physically examine inventory on balance date
as evidence that inventory shown in the
accounting records actually exists (validity
assertion);
• Arrange for suppliers to confirm in writing the
details of the amount owing at balance date as
evidence that accounts payable is complete
(completeness assertion);
Substantive Test
• And make inquiries of management about the collectibility of customers' accounts as evidence that trade debtors is accurate as to its valuation.
Evidence that an account balance or class of
transaction is not complete, valid or accurate is
evidence of a substantive misstatement.
Activity
• In a spreadsheet (electronic or paper) obtain the standard deviation of the following numbers: 1, 3, 5, 7, 9, 11, 13, 21, and the last 2 digits of your control number.
• For the first numbers (up to 21) SD = 6.36
• This is an example of a compliance test
Activity
• What does the following pseudocode do?
    W, X, Y, Z: real
    READ W, X
    Z = 1
    While (Z > 0.01) do
        Y = X – (((X*X) – W) / (2*X))
        Z = abs(X – Y)
        X = Y
    End While
    Print X
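Both activities worked through in Python, as an added example that is not part of the slides: std_dev recomputes the standard deviation from scratch (the 6.36 on the slide is the sample standard deviation, dividing by n-1; dividing by n gives 5.95), compliance_check re-performs the calculation and compares it with the stated figure, the way an auditor re-performs a client computation, and newton_sqrt is the slide’s pseudocode implemented as written, which converges on the square root of W from the starting guess X. The tolerance names and the two-decimal comparison are choices made for this example.

```python
"""Added example (not from the slides): the standard-deviation activity
re-performed independently, and the slide's pseudocode run as real code."""
from math import sqrt
from typing import List, Tuple

# The numbers from the slide (without the control-number digits).
ACTIVITY_NUMBERS = [1, 3, 5, 7, 9, 11, 13, 21]


def std_dev(values: List[float], sample: bool = True) -> float:
    """Standard deviation computed from first principles.
    sample=True divides by n-1 (spreadsheet STDEV); sample=False divides
    by n (spreadsheet STDEVP)."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two values")
    mean = sum(values) / n
    sum_sq = sum((v - mean) ** 2 for v in values)
    return sqrt(sum_sq / (n - 1 if sample else n))


def compliance_check(values: List[float], stated: float,
                     tol: float = 0.005) -> Tuple[bool, float]:
    """Re-perform the calculation and compare it with the figure under
    audit; returns (matches, recomputed value rounded to 2 decimals)."""
    recomputed = round(std_dev(values), 2)
    return abs(recomputed - stated) <= tol, recomputed


def newton_sqrt(w: float, x: float, tolerance: float = 0.01) -> float:
    """The slide's pseudocode: Newton's iteration x <- x - (x^2 - w)/(2x),
    stopping when two successive estimates differ by less than `tolerance`.
    The pseudocode itself has no guard; the check below is added so a zero
    starting guess cannot divide by zero."""
    if w < 0 or x == 0:
        raise ValueError("need w >= 0 and a non-zero starting guess")
    z = 1.0
    while z > tolerance:
        y = x - ((x * x) - w) / (2 * x)
        z = abs(x - y)
        x = y
    return x


if __name__ == "__main__":
    ok, value = compliance_check(ACTIVITY_NUMBERS, 6.36)
    print(f"sample SD = {value}, matches the slide: {ok}")
    print(f"population SD = {std_dev(ACTIVITY_NUMBERS, sample=False):.2f}")
    print(f"sqrt(2) by the pseudocode = {newton_sqrt(2, 1):.4f}")
```

A practical point the activity makes: an auditor re-performing a figure must know which convention the client used (here n-1 versus n), otherwise a correct spreadsheet looks like a misstatement.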
Risk Assessment
• In auditing, risk assessment is a very crucial
stage before accepting an audit engagement.
• According to ISA315 Understanding the Entity
and its Environment and Assessing the Risks of
Material Misstatement, "the auditor should
perform risk assessment procedures to obtain
an understanding of the entity and its
environment, including its internal control"
Risk Assessment
• Auditor obtains initial evidence regarding the
classes of transactions at the client and the
operating effectiveness of the client’s internal
controls.
• In auditing, audit risk includes inherent risk,
control risk and detection risk.
Risk Assessment
• What’s a Risk?
• It’s the probability that an event occurs.
• It’s related to Threats, Vulnerabilities, Impact and Exposures.
• All activities have a risk.
Risk Assessment
What’s the probability of occurrence of this activity?
Risk Assessment
• There are many methodologies for calculating risk, but all of them depend on the user.
• Risks are rated in three levels: high, medium and low.
• Risks are calculated by dimensions such as Impact and Frequency of Occurrence.
Risk Assessment Simulators
• Assurance-Life:
– 194.224.248.32/simuladores/ *
• Business:
– http://www.gameonsoftware.com/index.htm
– http://www.beer-war.com/ *
– http://www.riskybusiness.com/
Compilation of Organizational Information
• It’s important for the correct management of the Auditing Process.
• Before making a Report, the information that sustains the ideas is necessary. This information is known as Evidence.
• Remember that the first step is to know the organizational context of a Firm.
Compilation of Organizational Information
• It’s important to manage an efficient way to collect information such as logs, databases, control sheets and cross-documents.
• Information retrieval must be as quick as possible.
• In the research process this activity is highly time-consuming (Theoretical Frame and State-of-the-Art).
Human Resource Assessment
• This action is very important because some firms have an excellent organization and planning but in practice have a bad execution and direction (CONTROL).
• There are two kinds of human resources evaluation:
• Activity and responsibility of an employee in an organization (for example a bad Director or Boss).
Human Resource Assessment
• Assessment of the Organization regarding its people (asking about good working conditions).
• One technique of Human Resources Assessment is the elaboration and application of questionnaires.
• Questionnaires are a good option when there is not enough time, but they are difficult because they need a correct design and processing.
Interviews with IT Personnel
• Interviewing is a vital process inside auditing.
• We must collect and store this information as Evidence, but most of the time this is difficult because it’s not a legal process and some employees can’t or don’t like talking about some topics in these circumstances.
• Interviews are difficult to design and apply but are crucial.
Interviews with IT Personnel
• Interviews provide the correct specification of a process. Auditors can be guided by personnel through processes which are difficult to understand.
• There are many kinds of interviews. The most important thing in the interview process is the script. The interviewer should be an excellent improviser and a charismatic person.
Budget and Financial Situation
• Budget is an important element because
Auditors have some constraints, and the most
important is Financial.
• Ideally, the audit budget should be created after
the audit schedule is determined.
Budgets
• The most important thing is budget coordination.
• Budget is an important constraint that the auditor should consider in the assessment. For example, a small office (PyME) doesn’t have enough money to buy a Hardware Firewall, so the small company only implements an individual firewall through the Operating System.
Financial and Material Resources
• These elements are important because we need them to work in auditing.
• Material resources used by an Auditor could be: paper formats (collection), PDA, mobile phone, laptop or notebook (paper).
• Depending on the information asset, the tools vary; for example, a cable tester in Computer Network Audits.
References
• Senft, S. and Gallegos, F. (2008) Information Technology Control and Audit, Third Edition, CRC Press, United States.
• Hall, H. (2009) Information Auditing, School of Computing, Napier University.
• Boiko (2009) Information Audits, UW iSchool, ischool.washington.edu.
Questions?