Information System Audit Process - PowerPoint PPT Presentation

Provided by: Aij9

1
Information System Audit Process
  • INTRODUCTION
  • Information Systems Auditing is a function
    developed within an organization for assessing
    the maintenance of data integrity by Information
    systems. It also assesses how Information
    Systems and their operations are helping the
    organization achieve its goals effectively and
    efficiently.

2
Why IS Audit?
  • Organizational Cost of Data Loss.
  • Incorrect Decision Making.
  • Costs of Computer Abuse.
  • Value of Hardware, Software and Personnel
  • High Costs of Computer Error
  • Maintenance of Privacy
  • Controlled Evolution of Computer Use.

3
What is Information Systems Audit?
  • Information Systems Auditing is the process of
    collecting and evaluating evidence to determine
    whether a computer system safeguards assets,
    maintains data integrity, allows organizational
    goals to be achieved effectively and uses
    resources efficiently. (Ron Weber)
  • It is an independent examination of
    records/information that will enable an opinion of the
    integrity of controls put in place to safeguard
    systems. It should equally help to make
    recommendations on how these controls can be
    improved so as to mitigate risk to an acceptable
    level.
  • It is any audit that encompasses the review and
    evaluation (wholly or partially) of automated
    information processing systems, their related
    non-automated processes and the interfaces
    between them.

4
In summary, IS Auditing is the process of
collecting and evaluating evidence to determine
if Information Systems and related resources are
adequately safeguarding assets, maintaining data
and system integrity, providing relevant and
reliable information, achieving organizational
goals effectively, consuming resources
efficiently, and if there are effective internal
controls that provide reasonable and acceptable
assurance that operational and control objectives
will be met and that undesired events will be
prevented or detected and corrected in a timely
manner.
5
Objectives of IS Auditing
  • Improves safeguarding of Assets.
  • Maintains Data Integrity.
  • Improves systems effectiveness.
  • Improves Resources efficiency.
  • Ensures compliance with Legislative, Regulatory and
    contractual obligations.
  • Allows Effective Achievement of Organizational
    goals

6
Organization of an IS Audit function
  • The Role of IS Audit is established by an Audit
    Charter. This is a document that states in very
    clear terms management's responsibility and
    objectives for, and delegation of authority to,
    the IS Audit function.
  • It should outline the authority, scope and
    responsibilities of the Audit Function.
  • Where the function is provided by a third party
    firm, the scope and objectives should be
    documented in a formal contract or statement of
    work.
  • Be it internal or external, the audit function
    should be independent and report to the board of
    directors or the Audit committee where one is
    available.

7
IS Audit Plan
  • It is important to adequately plan for an IS
    audit.
  • This should be done after a good understanding of
    the organization has been achieved.

8
Types of IS Audit Plan
  • Short-Term Planning: This takes into account
    audit issues that will be covered during the
    year.
  • Long-Term Planning: This relates to plans for
    risk-related issues that will take into account
    changes in an organization's IT strategic
    direction which will affect the organization's IT
    environment.

9
Any type of Audit plan that is undertaken should
be analyzed annually so as to take into account
new control issues like changes in the risk
environment, technology and business processes
and enhanced evaluation techniques. The result of
this analysis should be reviewed by
senior Audit management and approved by the audit committee
or board of directors. This will enhance future
audit activities and should be communicated to
relevant levels of Management.
10
Performing an IS Audit
  • In performing an IS audit, there is the need to
    develop and understand the Audit
    Methodology/Strategy, which is a set of
    documented audit procedures designed to achieve
    the planned Audit objectives.
  • It is usually set and approved by Audit
    management and has the following components:
  • Statement of Scope
  • Statement of Audit objectives.
  • Statement of work program

11
Performing an IS Audit cont.
  • After the establishment of the strategy, the
    following phases make up a typical IS Audit.
  • These are the general audit procedures which are
    basic Audit steps.
  • Obtaining /Recording an understanding of the
    audit area/subject
  • A risk assessment and audit plan schedule
  • Detailed Audit plan
  • Preliminary review of audit area/subject
  • Evaluating audit area/subject.
  • Verifying the design of controls.
  • Tests of implementation of controls (Compliance
    Testing).
  • Tests of operative effectiveness of controls
    (Substantive testing).
  • Reporting/Communicating Audit results.
  • Follow-up on implementation of recommendations.

12
Performing an IS Audit Plan
  • Gain an understanding of the organization.
  • Tour key organizational facilities.
  • Gather background information about the
    organization.
  • Review business and IT long term strategic plans.
  • Interview key managers to understand business
    processes and issues.
  • Review prior audit reports or IT-related reports
    (external/internal audits or regulatory review
    reports).
  • Identify specific regulations applicable to IT.
  • Identify IT functions or related activities that
    have been outsourced.
  • Identify stated contents e.g. policies,
    organizational structure.
  • Perform a risk analysis to help in designing the
    audit plan.
  • Conduct a review of Internal controls related to
    IT.
  • Set the Audit Scope and objectives.
  • Develop the Audit approach and strategy.
  • Identify technical skills and resources needed.
  • Assign personnel resources to the audit.

13
Performing an IS Audit cont.
  • In performing an IS Audit, a risk-based approach
    is used in assessing the risks and to help an
    auditor in the decision to perform either
    compliance or substantive testing.
  • This risk-based approach places emphasis on a good
    knowledge of the business and technology.
  • It focuses on assessing the effectiveness of
    combining controls.
  • It provides a linkage between risk assessment and
    testing while focusing on control objectives.
  • This approach assesses the organization from a
    management perspective.

14
Audit Risk and Materiality of an Event
  • An audit risk is the risk that the
    information/financial report may contain material error. It
    is also the risk that an auditor may not detect
    an error that has occurred.
  • The materiality of an event refers to an error
    that should be considered significant to any
    party concerned with the event in question. It is
    based on professional judgment and includes
    consideration of the effect of the event on the
    organization as a whole and errors or risks that
    may arise as a result of control weaknesses in
    the area being investigated. In considering the
    materiality of any event, it should be in the
    terms of the total impact to the organization.

15
Risk Management
  • Risk is the potential that a given threat will
    exploit vulnerabilities of an asset or group of
    assets and thereby cause harm to the
    organization.
  • Business risks are the likelihood that a threat
    will negatively impact the assets, processes or
    objectives of a business or organization.
  • Risk analysis is a part of audit planning and it
    helps to identify risks and vulnerabilities so
    that the auditor can determine the controls
    needed to mitigate these risks.

16
Risk Analysis cont.
  • The IS auditor is concerned with, and often focused
    on, high-risk issues associated with the
    confidentiality, integrity and availability of
    sensitive and critical information, and the
    underlying information systems and processes that
    generate, store, and manipulate such information.
  • The IS auditor also assesses the effectiveness of
    an organization's risk management process by
    carrying out risk assessment.

17
Risk Assessment
  • Risk assessment involves an iterative life cycle
    that starts with identifying business objectives,
    information assets, and the underlying systems or
    resources that generate/store, use or manipulate
    the assets critical to achieving the set
    objectives of the business.
  • This identifies threats to assets and determines
    their probabilities of occurrence and the
    resultant impacts with additional safeguards that
    will help to mitigate the risks to acceptable
    levels defined by management.

18
Risk Mitigation
  • Risk mitigation involves the identification of
    controls/countermeasures which when applied to
    the identified risks to assets will help to
    prevent or reduce them to acceptable levels.
  • In assessing countermeasures to be applied, a
    cost-benefit analysis should be performed based
    on any or a combination of the following:
  • The cost of the control.
  • Management's appetite for risk.
  • Preferred risk reduction methods.

19
Monitoring Mitigated Risk
  • Risks which have been mitigated have to be
    continually monitored so as to identify any
    significant changes in the environment that would
    trigger reassessment warranting changes in the
    control environment.
  • Note that risk assessment should be an ongoing
    process in an organization if risk management is
    to be effective.

20
Importance of Risk Management to IS Auditing.
  • It identifies risks and threats to an IT
    environment and the IS which need to be
    addressed by management.
  • It helps in the selection of audit areas/subjects.
  • It aids a sound evaluation of controls in audit
    planning.
  • It aids an IS auditor in determining audit
    objectives.
  • It supports risk-based audit decision making.