Chapter 2: Audit and Review Its Role in Information Technology


30 Nov 2013 (3 years and 8 months ago)


MBAD 7090
IS Security, Audit, and Control (Dr. Zhao)
Fall, 2008

Objectives

- Understand IT governance
- The purpose of an IT audit function
- Risk assessment: three methodologies
- IT auditor: skills, standards and resources
- Management's roles and responsibilities in IT auditing

Introduction

Information technology audit functions are considered part of the business environment. Their unique blend of skills helps to assess the company's exposures and develop controls associated with its use of technology.


IT Governance

- Corporate governance
  - The set of processes, customs, policies, laws and institutions affecting the way a corporation is directed, administered or controlled.
  - Sets the goal
  - Specifies the relationships among key stakeholders
  - Ensures individual accountability
- IT governance
  - A subset discipline of corporate governance
  - Focusing on information systems

IT Governance (continued)

- IT governance: the process of directing and controlling an enterprise's IT
- IT governance needs to ensure:
  - Strategic alignment between IT and enterprise objectives
  - Maximization of IT investments
  - How to measure IT's performance
  - Effective management of IT-related risks

Reasons to Have an IT Audit Function

- Increased dependence on and investments in information systems
- Increased organizational impacts caused by IT, both positive and negative
- Unsatisfactory data reliability and security
- Advancements in technology


Auditing Concerns

- Focus on the systems' controls
- Look at the total systems environment
  - Objectives: what we are trying to accomplish
  - Context: industry sector, organizational structure, business relationships
- Ensure provisions are made for:
  - Transaction trails from beginning to end
  - Handling exceptions
  - Testing of controls
  - Authorization over changes to systems
  - Training of user personnel
  - Adequate security to protect data
  - Backup and recovery procedures

Risk Assessment: Three Methodologies

- Castellans: using a "fortress" to physically secure systems
  - E.g., isolated spaces
- Guardians: using law enforcement and administrative regulations to prevent computer crimes
- Gatekeepers: limiting access
  - E.g., passwords, encryption, biometrics


IT Auditor - Job Outlook

- Growth rate for accountants and auditors (www.bls.gov): 18% between 2006 and 2016
- IT auditor:
  - One of the fastest growing careers
  - 11.2% increase in 2006
  - Average technology positions grew 3% in 2006
  - Salary range $67,000-$94,250, an 11% increase over 2005

IT Auditor: Knowledge, Skills, and Abilities

- Understand the overall control philosophy
- Technical skills
  - Understand information system management
  - Ability to communicate technical information
- Experience with a particular industry and/or the specific business
- Communication skills that enable the auditor to bridge the gap between IT professionals and business management


IT Auditor Independence

- Need to value and recognize the integrity of the audit process
- Audit reports and opinions must be free of bias or influence
- Sarbanes-Oxley
  - Auditor rotation
  - Scope-of-service restrictions

IT Audit Continuous Reassessment

- Stay on track with audits
- The auditor steps back and reassesses the audit project:
  - Reaffirm audit goals
    - E.g., to ensure that current documentation is available, adequate, and safeguarded.
  - Verify audit scope
    - E.g., vendor-supplied systems and internal modifications
  - If the auditor has deviated from either, then the audit scope should be evaluated and revised


IT Auditor Ethical Standards

- To be an auditor, one must have high ethical standards
  - Auditors are trusted individuals
  - Some things may be unethical but still legal
- Examples from a typical code of ethics
  - Will inform each organization, employer or client of any business connections, interests or affiliations which might influence my judgment or impair the equitable character of my services.
  - Will respect my peers' opinion and conduct to ensure that honesty and openness is demonstrated within an audit team.

Class Exercise

Bob has just been assigned to work as an external IT auditor for the XYZ company. His wife found a job as junior IT manager at XYZ one month ago.

Q: What should Bob do?

IT Auditor Resources

- Experience
- Colleagues (IT professionals and other auditors)
- Publications and periodicals in IT and/or audit
- Seminars
- University training


The Role of the IT Auditor

- IT Auditor as Counselor
  - Active role in the development of policies on auditability, control, testing, and standards
  - Educate users and IT personnel on the importance of compliance with control requirements
- IT Auditor as a Partner of Senior Management
  - Provide independent assessment of the effect of IT decisions on the business
  - Verify that all alternatives are considered, risks are assessed, solutions are technically correct, business needs are satisfied, and costs are reasonable

Internal vs. External Auditors

- The internal IT auditor:
  - Provides assurance to management that its policies and procedures are implemented and working as intended
  - Monitors and tests system reliability
- The external IT auditor:
  - Evaluates the reliability and validity of computer system controls, which minimizes the transaction testing required to render an opinion on financial statements
  - Deals with both manual and automated systems


Key Certifications and Professional Associations

- Certified Internal Auditor (CIA), by the Institute of Internal Auditors
- Information Systems Audit and Control Association (ISACA)
  - Certified Information Systems Auditor (CISA)
  - Certified Information Security Manager (CISM)
  - ISACA Charlotte Chapter
- International Information Systems Security Certification Consortium (commonly known as (ISC)²)
  - Certified Information Systems Security Professional (CISSP)

Collaboration between IT Auditor and IT Managers

Are these attitudes correct?

- Manager: "Arguing with an Auditor is like mud wrestling with a pig! After a time you realize that the pig is enjoying himself."
- Manager: "Are we the evils ourselves or dealing with evils."




How IT Managers Support the IT Audit Function

- Support and participate in the audit planning process
- Develop and promote risk and control awareness
- Provide resources to accomplish the audit tasks
- Hold the auditors to their standards of practice


What IT Managers Need to Know About an Audit

- What is the purpose of the audit?
- What are the audit's scope and objectives?
- Who is assigned to perform the audit?
- What is the timeframe for the audit?
- What IT resources are needed?
  - Systems, staff


What Should IT Managers Expect From an Audit?

- Regular communication
  - Audit status
  - Issues found to date
- A closing meeting to review the audit process and results (issues, actions, plans, etc.)
- A final audit report
- Audit follow-up on action plans identified during the audit

Class Exercise

In the following scenario:
- What assistance could an IT auditor provide?
- How can IT managers get involved?

Scenario: A new system is being developed that will enable customers to view their account status and submit orders via the Internet. The technology used is new to the company.