Information Systems Audit 3.0 Course Module - 1 PDF

Summary

This document is the background material for Module 1 of the Information Systems Audit 3.0 course offered by the Institute of Chartered Accountants of India (ICAI). The module covers the information systems audit process. The course also covers emerging technologies and aims to enable chartered accountants to leverage technology for audit purposes.

Full Transcript


ISA Background Material
INFORMATION SYSTEMS AUDIT 3.0 COURSE (Modules 1 to 6)
Background Material
ISBN - 978-81-8441-995-5
Module - 1: Information Systems Audit Process
Digital Accounting and Assurance Board
The Institute of Chartered Accountants of India (Set up by an Act of Parliament), New Delhi
August | 2020 | P2724 (Revised)
ICAI Bhawan, Hostel Block, 7th Floor, A-29, Sector-62, Noida - 201309, India
Tel (Direct): +91 120 3045992/961
Web: www.icai.org

Background Material on Information Systems Audit 3.0 Course
Module-1: Information Systems Audit Process

© The Institute of Chartered Accountants of India
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission, in writing, from the publisher.

DISCLAIMER
The views expressed in this material are those of the author(s). The Institute of Chartered Accountants of India (ICAI) may not necessarily subscribe to the views expressed by the author(s). The information in this material has been contributed by various authors based on their expertise and research. While every effort has been made to keep the information cited in this material error free, the Institute or its officers do not take responsibility for any typographical or clerical error which may have crept in while compiling the information provided in this material. There are no warranties/claims for ready use of this material, as this material is for educational purposes. The information provided in this material is subject to changes in technology, business and the regulatory environment. Hence, members are advised to apply it using professional judgement. Please visit the portal for the latest updates. All copyrights are acknowledged. Use of specific hardware/software in the material is not an endorsement by ICAI.

Revised Edition : August, 2020
Committee/Department : Digital Accounting and Assurance Board
Email : [email protected]
Website : www.icai.org / https://pqc.icai.org
Price : ₹ 750/- (For Complete Set)
ISBN : 978-81-8441-995-5
Published by : The Publication Directorate on behalf of The Institute of Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha Marg, New Delhi - 110002
Printed by : Sahitya Bhawan Publications, Hospital Road, Agra – 282 003

Foreword
The digital revolution is transforming the traditional ways of doing business, necessitating realignment of the profession to leverage the multipliers of digital technology: enhanced efficiency, scale and speed, effectiveness, agility and access to newer markets. In view of the rapid technological changes, it is imperative for Information System Auditors to adapt and be innovative in aiding organisations to improve their control environment and strengthen governance of IT risks. Adoption of emerging technologies will help them to assimilate vast amounts of data and provide value-added analysis in the form of data analysis and business intelligence. Chartered Accountants possess a unique blend of systems and process understanding and expertise in controls and governance, and are thereby best suited to be the perfect Information Systems Auditor. The Institute of Chartered Accountants of India (ICAI), through its Digital Accounting and Assurance Board (DAAB), is continuously monitoring technological developments and taking initiatives to disseminate updated knowledge amongst our members and other stakeholders.
In this direction, it is heartening to note that the DAAB is bringing out the next version of the "Educational Material" for the Post Qualification Course on Information Systems Audit. This updated and revised Material combines technology, information assurance and information management expertise that enable Chartered Accountants to act as advisors and handle assurance assignments. In this updated course curriculum, various aspects of emerging technologies like Blockchain, Robotic Process Automation, etc., have also been introduced to keep members fully abreast. With its focus on increased practical aspects, case studies and lab manuals at appropriate places, this material is a great learning guide for members aspiring to be Information Systems Auditors. I compliment CA. Manu Agrawal, Chairman, CA. Dayaniwas Sharma, Vice-Chairman, and other members of the Digital Accounting and Assurance Board for bringing out next-generation material for the digital era by taking up this timely initiative. I am confident that our members would benefit from these updated modules of the post qualification course on Information Systems Audit, so as to render their professional responsibility as Information System Auditors more efficiently and to the highest standards, to achieve global recognition.

CA. Atul Kumar Gupta
President, ICAI
Place: New Delhi
Date: April 12, 2020

Preface
The evolution of the digital economy and the ever-changing dynamic ecosystem present significant challenges, including new competition, new business and service delivery models, unprecedented transparency, privacy concerns and cyber threats.
With the goal of keeping members abreast of the impact of emerging technologies, the Digital Accounting and Assurance Board has come out with the updated Post Qualification Course on Information Systems Audit Modules to equip members with a specialised body of knowledge and skill sets so that they become Information Systems Auditors (ISAs) who are technologically adept and are able to utilise and leverage technology to provide reasonable assurance that an organisation safeguards its data processing assets, maintains data integrity and achieves system effectiveness and efficiency. This updated syllabus facilitates a high-level understanding of the role and competence of an IS Auditor to analyse, review, evaluate and provide recommendations on identified control weaknesses in diverse areas of information systems deployment. The Revised Modules of the Post Qualification Course on Information Systems Audit have a specific objective, i.e., "To provide relevant practical knowledge and develop skills for planning and performing various types of assurance or consulting assignments in the areas of Governance, Risk management, Security, Controls and Compliance of Information Systems." The core of DISA 3.0 lies in inculcating competence to add to the service delivery of the members. The updated course would help the members to apply appropriate strategy, approach, methodology and techniques for auditing information systems and to perform IS Assurance and consulting assignments by using relevant best practices, IS Audit standards, frameworks, guidelines and procedures. The updated ISA Course 3.0 has a blend of training and includes e-learning, live case studies and lab manuals, and project work in addition to classroom lectures. This updated background material also includes a DVD which has e-Learning lectures, PPTs, case studies, DEMO CAAT software, useful checklists and sample audit reports.

A new Module on "Emerging Technology and Audit" has been added which covers Information System Assurance and Data Analytics, Assurance in the Blockchain Ecosystem, and Embracing Robotic Process Automation in Assurance Services. In addition to this, Artificial Intelligence and the Internet of Things (IoT) have also been inducted into the new modules. We would like to take this opportunity to place on record our deep appreciation for the efforts put in by the Convener, Dr. Onkar Nath, as well as the authors and reviewers of the various modules, viz., CA Anand Prakash Jangid, Mr. N.D. Kundu, Mr. Inder Pal Singh, Mr. Avinash Gokhale, CA Pranay Kochar, CA Naresh Gandhi, Dr Manish Kumar Srivastava, Dr. Saurabh Maheshwari, CA Narasimhan Elangovan and CA Atul Kumar Gupta. It would also be appropriate to express our thanks to all the ISA faculties for giving their inputs/suggestions for the implementation of DISA 3.0. We would like to express our gratitude to CA. Atul Kumar Gupta, President, ICAI, and CA. Nihar Niranjan Jambusaria, Vice President, ICAI, for their thought leadership and encouragement of the initiatives of the Board. We would also like to place on record our gratitude to all the Board members, co-opted members and special invitees for providing their valuable guidance and support in this initiative of the Board. We also wish to express our sincere appreciation of CA. Amit Gupta, Secretary, DAAB, and Ms. Nishi Saraf, Section Officer, for their untiring efforts in the finalisation of the updated Modules. We are sure that these updated Modules on the Post Qualification Course on Information Systems Audit would be of immense help to the members and enable them to enhance service delivery not only in compliance, consulting and assurance of IT services, but also provide new professional avenues in the areas of IT Governance, Cyber Security, Information System Control and assurance services.

CA. Manu Agrawal
Chairman, Digital Accounting and Assurance Board

CA. Dayaniwas Sharma
Vice-Chairman, Digital Accounting and Assurance Board

Contents
Chapter 1: Concepts of IS Audit 1–22
1.1 Learning Objectives 1
1.2 Introduction 1
1.3 Definitions 2
1.4 Concepts of IS Audit 3
1.5 Concepts of IS Audit and Auditing in a computerised environment 4
1.5.1 Audit in a computerised environment 4
1.5.2 IS Audit and Audit of computerised environment 5
1.6 Concept of IT Risk 6
1.6.1 IT Risk in the risk hierarchy 6
1.6.2 Risk Management 7
1.7 Risk based auditing 7
1.8 Audit Universe 8
1.8.1 Benefits of having an Audit universe 8
1.9 Audit Risk and materiality 10
1.9.1 Audit Risk 10
1.9.2 Materiality 11
1.10 Concepts of Internal Controls 13
1.10.1 Types of internal controls 13
1.10.2 Types of IS Controls 14
1.11 Organisation of IS Audit Function 14
1.11.1 Infrastructure and organisation 15
1.11.2 Internal and external audit control framework 15
1.11.3 Quality assessment and peer review 16
1.11.4 Standards on audit performance 16
1.12 Summary 17
1.13 Case studies 17
1.14 Questions 19
1.15 Answers and explanation 21
Chapter 2: IS Audit in phases 23–91
2.1 Learning objectives 23
2.2 Introduction 23
2.3 Conducting an IS Audit 24
2.3.1 Setting up of Audit objectives 24
2.3.2 Request for proposal and submitting response 24
2.4 Audit charter and terms of Engagement 25
2.4.1 IS Audit Charter 25
2.4.2 Audit Engagement letter 27
2.4.3 Communication with Auditee 28
2.4.4 Quality assurance process 28
2.5 Audit scope 29
2.6 Audit planning 30
2.6.1 Risk assessment in planning 31
2.7 Objectives of IS Controls 32
2.7.1 Principles of Fiduciary 33
2.7.2 Principles of quality 33
2.7.3 Principles of security (CIA) 34
2.8 Understanding the auditee environment 35
2.8.1 Business of the entity 35
2.8.2 Organisation structure 36
2.8.3 IT Infrastructure 36
2.8.4 Regulations, standards, policy, procedures, guidelines & statements 36
2.9 Framework and best practices of IS Audit 39
2.9.1 ITAF – 3rd edition 39
2.9.2 COBIT 2019 Framework: principles, components and core models 40
2.10 Risk Assessment 44
2.10.1 Guidance on Risk assessment by ISACA 45
2.10.2 Risk Management steps 46
2.10.3 Risk assessment procedures and related activities 48
2.10.4 Use of Risk assessment in audit planning 48
2.11 Governance and Management controls 49
2.11.1 IT General Controls 49
2.11.2 IT Application controls 57
2.11.3 Scope and steps of IS Audit of application software 60
2.12 Creation of Risk control Matrix 62
2.13 Audit sampling, Data Analysis and business intelligence 63
2.13.1 Audit sampling 63
2.13.2 Data Analysis 64
2.13.3 Business Intelligence 65
2.13.4 Analytical review procedures 66
2.14 Compliance Testing 66
2.15 Substantive Testing 67
2.16 Design and operational effectiveness 67
2.16.1 Design effectiveness 67
2.16.2 Operational effectiveness 68
2.17 Audit Evidence: Methods 69
2.17.1 Evaluating audit evidence 69
2.17.2 Types of evidence 70
2.17.3 Evidence preservation 71
2.17.4 Standards on evidence 71
2.18 Audit Documentation 74
2.18.1 Test working papers 75
2.18.2 Organisation of audit working papers 75
2.18.3 Documentation controls 76
2.19 Using work of another auditor and expert 77
2.20 Evaluation of strength and weaknesses: judging by materiality 79
2.21 Risk ranking 80
2.22 Audit report structure and content 81
2.23 Management implementation of recommendation 84
2.24 Follow up review 84
2.25 Summary 85
2.26 Case studies 86
2.27 Questions 88
2.28 Answers with explanation 90
Chapter 3: Computer Assisted Audit Tools and Techniques 92–104
3.1 Learning objectives 92
3.2 CAAT 92
3.2.1 Need for CAAT 92
3.2.2 Types of CAAT 95
3.2.3 Typical steps in using CAATs 97
3.2.4 Selecting, implementing and using CAATs 97
3.3 Continuous auditing approach 98
3.3.1 Techniques for continuous auditing 98
3.4 Summary 100
3.5 Questions 100
3.6 Answers with explanation 103
Chapter 4: Application Controls Review 105–118
4.1 Learning objectives 105
4.2 Introduction 105
4.3 Business application software – parameters for selection 105
4.4 Types of business application 106
4.5 Key features and controls of business application 107
4.6 Application controls 107
4.6.1 Internal controls 107
4.7 Objectives of application controls 108
4.7.1 Objectives 108
4.7.2 Information criteria 108
4.7.3 Application controls objectives 109
4.7.4 Control practices 110
4.8 Summary 115
4.9 Questions 115
4.10 Answers with explanation 117
Chapter 5: Application controls review- Specialised systems 119–129
5.1 Learning objectives 119
5.2 Review of application controls for various business applications 119
5.2.1 Need for application control review 119
5.2.2 How to perform application review 119
5.3 Review of business application controls 120
5.4 Application control review for specialised system 120
5.4.1 Artificial intelligence (AI) 120
5.4.2 Data Warehouse 121
5.4.3 Decision support system 122
5.4.4 Electronic fund transfer 122
5.4.5 E-commerce 123
5.4.6 Point of sale system (POS) 124
5.4.7 Automated Teller Machines (ATM) 124
5.5 Summary 125
5.6 Questions 125
5.7 Answers with explanation 128
Chapter 6: IT Enabled services 130–147
6.1 Learning objectives 130
6.2 Introduction 130
6.3 Classification of audits 130
6.4 IT enabled services 133
6.5 Frauds 134
6.5.1 Fraud detection 134
6.5.2 Cyber fraud investigation 136
6.5.3 Cyber Forensics: Digital forensics 138
6.5.4 Fraud investigation tools and techniques 139
6.6 Case studies of frauds and lessons 140
6.7 Overview of lessons learned 143
6.7 Summary 143
6.8 Questions 143
6.9 Answers with explanations 145
6.10 References 146
Appendix 1: RFP from Bank for IS Audit of application software 148
Appendix 2: Response to RFP for logical access controls review of SAP 150
Appendix 3: Sample IS Audit Findings 157
Appendix 4: CAAT Report using SQL 159
Appendix 5: Sample IS Audit Report 161
Appendix 6: Questionnaire for providing assurance services 165
Appendix 7: Specimen Report Format 167

Chapter 1
Concepts of IS Audit

1.1 Learning Objectives
The
objective of this chapter is to provide sufficient knowledge of the fundamental concepts of information systems audit. This chapter provides insight into all the key concepts relating to IS audit, such as IS Audit methodology, enterprise risk management, risk-based auditing, materiality, internal controls and the roles and responsibilities of the IS audit function. A good understanding of these concepts will enable auditors to plan, perform and report on IS Assurance and consulting assignments. The concepts covered are the building blocks for the execution and reporting of an IS audit.

1.2 Introduction
In the present age of globalisation, Information Systems have become the backbone of any organisation, whether its field of operations is manufacturing, education, trading, technology, entertainment, etc. Nowadays, the success of any organisation thrives on the information that is generated within its information systems. IT is used by enterprises to provide greater satisfaction to customers, to access a wider range of information, to handle business changes as real-time events and to create more efficiency within the enterprise. Further, with the development of automated information systems there has been a simultaneous increase in the threats to the security of information systems, which has led to financial losses for enterprises and, most importantly, loss of critical information. Hence, in the current competitive world, enterprises strive not only to attain more efficiency and effectiveness of business through the implementation of information systems but also to secure the information, which has become the most valuable asset of the enterprise. As an IS auditor, the scope of work can vary from assisting the enterprise in the selection and implementation of information systems to providing assurance services. The engagements can go beyond just implementing some basic IT-level security.
It is important for organisations to take a holistic approach and implement security from a governance perspective, with involvement of the board in directing and monitoring the use of IT for achieving business objectives. Regulatory requirements also demand the involvement of senior management in effective decision making on all key aspects of IT security. Senior management looks to IS Auditors for assurance on the availability, adequacy and appropriateness of the IT controls as implemented, and also seeks advice on the best deployment of IT for achieving business objectives. Hence, the role of the IS auditor has expanded to review not only whether IT is deployed in a safe and secure environment but also to provide advisory services on the optimum use of technology, to enable organisations to survive and thrive in the competitive environment while complying with regulatory requirements.

1.3 Definitions
Audit: In simple terms, an audit is an inspection of an organisation's accounts, typically by an independent body. In the case of a financial audit, it is an independent examination of the financial information of any entity, whether profit oriented or not and irrespective of its size or legal form, with a view to expressing an opinion thereon. In the case of IS Audit, the audit encompasses the independent review and evaluation of automated information systems, related manual systems and the interfaces between them.

Computer System: A computer is an electronic device that processes data by following a set of instructions. It has the ability to receive input, process data and, from the processed data, create information for storage and/or output. A computer system is a complete and functional computer that includes the required hardware and software.

Information: As per the IT Act 2000, information includes data, messages, images, sound, voice, codes, computer programs, software and databases or microfilm or computer-generated microfiche.
In general, data processed in a meaningful context is information. Information has value to its user. Information is data that is (1) accurate and timely, (2) specific and organised for a purpose, (3) presented within a context that gives it meaning and relevance, and (4) can lead to an increase in understanding and a decrease in uncertainty.

Information Systems (IS): Information systems are formal, sociotechnical, organisational systems designed to collect, process, store and distribute information. In a sociotechnical perspective, information systems are composed of four components: task, people, structure and technology. In general, Information Systems refers to the hardware and software that people and organisations use to collect, filter, process, create and distribute data. Specifically in the context of IT, information systems support data-intensive applications and include the design and implementation of languages, data models, process models, algorithms, networks, etc.

Secure system: Computer hardware, software and procedures that are reasonably: (a) secure from unauthorised access and misuse; (b) provide assurance for correct information processing; (c) suited to perform the intended functions; and (d) adhere to generally accepted security procedures.

Risk: The potential of an uncertain event resulting in losing something of value, weighed against the potential to gain something of value. In IT parlance, it is an uncertain event, or something going wrong, which prevents the enterprise from achieving its objectives. Risk is the potential that a given threat will exploit the vulnerabilities of an asset or a group of assets to cause loss or damage to the assets.

Internal Control: A process implemented in an organisation to help in achieving specific goals.
Internal controls include the policies, standards, practices and procedures, and organisational structures designed to provide reasonable assurance that enterprise objectives will be achieved and undesired events will be prevented, detected and corrected.

Business Process: A business process is a collection of related, structured activities or tasks that produce a specific service or product (serve a particular goal) for a particular customer or customers. It can often be visualised with a flowchart as a sequence of activities and decision points, or with a Process Matrix showing interrelated activities based on the data flow in the process.

1.4 Concepts of Audit
The general standards of auditing are applicable to IS Audit also, as IS Audit is a type of internal audit or a requirement of the statutory audit. As per the general guidelines on Internal Auditing issued by ICAI, Auditing is defined as a systematic and independent examination of data, statements, records, operations and performances of an enterprise for a stated purpose. In an auditing situation, the IS Auditor perceives and recognises the propositions before him for examination, collects evidence, evaluates the same and on this basis formulates a judgement which is communicated through the report. Internal auditing is defined as an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Standard on Auditing (SA 200) describes the basic principles of audit; these principles are applicable to IS Audit also and have to be complied with. IS Audit is primarily an internal audit conducted to provide assurance after an evaluation of risks, and it reports on the implemented controls.
Based on such evaluation, the IS Auditor would provide appropriate recommendations for mitigating control weaknesses in IT-related areas. IS Audit can be carried out by external auditors as part of a statutory audit to review internal controls in automated information systems. However, the scope would then be bound by the objectives of the applicable regulatory requirements. IS Audit could also be carried out as a part of internal audit, or as a specialised audit of the IT environment such as penetration testing, audit of a data centre, audit of the Business Continuity Plan or review of IT strategy, etc.

Integrity, Objectivity and Independence: IS Auditors should be straightforward, honest and sincere in their approach to their professional work. The auditor must be fair and must not allow prejudice or bias to override objectivity. The auditor should maintain an impartial attitude and appear to be free from any interest which might be regarded as being incompatible with integrity and objectivity.

Knowledge, Skill and Competence: The IS audit should be performed and the report prepared with due professional care by persons who have adequate knowledge, training, experience and competence. This can be acquired through a combination of general education, technical knowledge obtained through study and formal courses concluded by a qualifying examination recognised for this purpose, and practical experience under proper supervision.

Confidentiality: The IS Auditor should respect the confidentiality of information acquired during the course of work and should not disclose any such information to a third party without specific authority or unless there is a legal or professional duty to disclose.
Work performed by others: When the IS Auditor delegates work to assistants or uses work performed by other IS Auditors or experts, he continues to be responsible for forming and expressing his opinion on the auditee environment as per the scope and objectives of the audit. At the same time, IS Auditors are entitled to rely on the work performed by others, provided the latter have adequate skills and exercise due care and the former are not aware of any reason to believe that they should not rely upon the work of the latter. IS Auditors should carefully direct, supervise and review work delegated to assistants. They should obtain reasonable assurance that work performed by other IS Auditors or experts is adequate and in accordance with the set audit objectives.

Documentation: The IS Auditor should maintain documentary evidence that the audit was carried out in accordance with IS Auditing standards, guidelines and procedures and adheres to the regulatory requirements.

Information systems and internal control: The IS Auditor should gain an understanding of the information systems and related internal controls. They should study and evaluate the operation of those internal controls upon which they wish to rely, in order to determine the nature, timing and extent of other audit procedures.

Audit conclusions and reporting: The IS Auditor should review and assess the conclusions drawn from the audit evidence obtained and from their knowledge of the business of the entity as the basis for the expression of their opinion.

1.5 Concept of IS Audit and Auditing in a Computerised Environment
1.5.1 Audit in a Computerised Environment
Historically, all kinds of accounting and data processing jobs were conducted manually, which involved the preparation of physical records, and the auditor had no choice but to conduct the audit manually.
With the increased use of internet, data analytics and e-commerce technologies, enterprises are relying more and more on computer systems for much of their accounting and all other critical business processes, with the result that most auditee information is available in electronic rather than manual format. However, the overall scope and objectives of the audit do not change in a computerised environment. The use of computers changes the methodology of processing and storage of information, which may affect the organisation and the procedures employed by it to implement adequate and appropriate internal controls. Accordingly, the procedures followed by the auditors in their review and evaluation of the information systems and related internal controls, and the nature, timing and extent of audit procedures, are directly impacted by the computerised information systems environment. Hence, the audit approach and the audit evidence have moved from physical to digital, and it may become necessary for auditors to use computers to audit this digital information.

1.5.2 IS Audit and Audit of Computerised Environment
The IS Audit of an Information Systems Environment may include one or both of the following:
- Assessment of internal controls within the IS environment to ascertain the degree of confidentiality, integrity and availability of information and information systems.
- Assessment of the efficiency and effectiveness of the IS environment to evaluate whether it achieves the organisation's goals and objectives.
The objective of the IS audit process is to evaluate the adequacy of internal controls with regard to both specific computer programs and the data processing environment as a whole. ISACA defines IS Audit as: "any audit that encompasses wholly or partly, review and evaluation of automated information processing systems, related non-automated processes and the interfaces between them".
Although IS Audit is often misunderstood as a mere technical audit and the domain of IT professionals, it is clear that IS Audit involves evaluating the adequacy and efficiency of internal controls in business processes that are either partly or fully computerised. Hence, Audit and Control professionals who have expertise in understanding business processes and internal controls, and knowledge of information systems' risks and associated controls, are considered the most appropriate professionals to conduct most information systems audits. An IS Audit cannot be viewed from the narrow perspective of an audit of automated information processing systems only, but includes the audit of non-automated processes and their interfaces to the automated processes. Therefore, depending on the audit environment, objectives and scope, the audit could involve the audit of entire business processes, partially or fully automated, or the audit of specified applications, technology and related controls. IS Audit is a focused audit of an information systems area, whereas Audit in a Computerised Environment is a regular audit engagement performed in a process area that uses computers.

1.6 Concept of IT Risk
There are numerous changes in IT and its operating environment that emphasise the need to better manage IT-related risks. This has increased the level of dependency of organisations on electronic information, which is processed by IT systems. These IT systems are now essential to support critical business processes. Risk is an event which has the potential to impact an organisation's goals and strategy implementation in a negative manner. Another way of defining risk would be a threat exploiting vulnerabilities. IT risk has a significant impact on the overall business risk, as failure of IT could impact the business.
IT risk is a component of the overall risk universe of the enterprise, as shown in the figure given below. Other risks that an enterprise faces include strategic risk, environmental risk, market risk, credit risk, operational risk and compliance risk. In many enterprises, IT-related risk is considered to be a component of operational risk, e.g., in the financial industry in the Basel II framework. However, even strategic risk can have an IT component to it, especially where IT is the key enabler of new business initiatives. The same applies to credit risk, where poor controls on IT and IT security can lead to lower credit ratings of organisations. For this reason, it is better not to depict IT risk with a hierarchic dependency on one of the other risk categories.

Figure: IT Risk

1.6.1 IT Risk in the Risk Hierarchy
Managing the IT risk of the enterprise starts with defining the risk universe; a risk universe describes risk in the overall environment and provides a structure for managing IT risk. The risk universe:
- considers the overall business objectives, business processes and their dependencies throughout the enterprise. It describes which IT applications and infrastructure support the business objectives through the provision of IT services. It is worth highlighting that IT risk needs to be seen from an end-to-end business activity perspective, crossing IT function silos (IT operations, project management, application development, disaster recovery, security, etc.).
- considers the full value chain of the enterprise. This can include not only the enterprise and its subsidiaries/business units, but also clients, suppliers and service providers.
- considers the full life cycle of IT-related business activities, including transformation programmes, investments, projects and operations.
- includes a logical and workable segmentation of the overall risk environment.
This sounds relatively easy but often it is not – the hierarchical organizational of the enterprise business, business processes and supporting IT infrastructure and services often are not aligned, and it is highly probable that different views along different dimensions exist for the overall environment. It is up to the enterprise to determine which view will be the most meaningful to support the business objectives of the enterprise while considering the potential overlaps and omissions.  needs to be reviewed and updated on a regular basis due to the constantly changing internal and external requirements. 1.6.2 Risk Management Risk management is the process of identifying vulnerabilities and threats to the information assets used by an organization in achieving business objectives and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information assets to the organization. Risk can be avoided, reduced (mitigated), transferred or accepted. An organization can also choose to reject risk by ignoring it, which can be dangerous and should be considered a red flag by the IS Auditor. The counter-measures for mitigating risks are also called controls and these need to be implemented as appropriate. In reviewing an IS environment, the primary focus of the IS Auditor would be to review the risk assessment done by the organisation, assess whether these risks have been mitigated by implementing appropriate controls and the residual risk is knowingly accepted and is within the risk appetite. In case the residual risks after applying the controls exceed the risk appetite and have not been approved by the management, these should be reported along with appropriate remedial measures. Here onwards, the word Risk should be interpreted as IT Risk and Audit would be referred to as IS Audit. 
1.7 Risk Based Auditing

A risk-based audit approach is usually adopted to develop and improve the audit process continuously, so that the focus is on high-risk areas and the maximum value is derived from the audit resources deployed. The approach is used to assess risks, to help the IS Auditor concentrate on high-risk areas, and to decide the sample sizes for compliance testing and/or substantive testing. The risk-based approach thus helps the IS Auditor focus on the most critical risk areas and determine the nature and extent of testing. Within this concept, inherent risk, control risk and detection risk are of major concern to the IS Auditor. In a risk-based audit approach IS Auditors do not rely on risk alone; they also rely on internal and operational controls and on knowledge of the company's business. This kind of risk assessment helps relate the cost-benefit analysis of the controls to the known risks, allowing practical choices. Business risks concern the probable effects of an uncertain event on the achievement of established business objectives. These risks may be financial, regulatory or operational, and may include risks arising from specific technology deployments. For example, an airline is subject to extensive safety regulations and to economic changes, both of which affect its continuing operations; in this context the availability and reliability of IT services are critical. By understanding the nature of the business, IS Auditors can identify and categorise the types of risk associated with it and identify the risks applicable to specific situations.
Risk assessment, on the other hand, refers to the methodology in which risks are weighted according to the nature of the business or the significance of the risk and categorised as high, medium or low, on the basis of which management takes appropriate decisions. SA 315, the standard on risk identification and assessment, requires the auditor to assess the risks that arise from the business environment and the internal control system. SA 330 requires the auditor to review whether management has designed and implemented appropriate risk remediation measures and to provide recommendations on residual risks that are identified as critical and not appropriately mitigated. The IS Auditor would usually provide recommendations for risk remediation as part of the audit report.

1.8 Audit Universe

The audit universe consists of all risk areas that could be subject to audit, resulting in a list of possible audit engagements that could be performed. It includes projects and initiatives related to the organisation's strategic plan, and may be organised by business unit, product or service line, process, programme, system or control, or by risk category/prioritisation. The organisation should identify, and keep up to date, all the possible audits that can be done.

1.8.1 Benefits of having an Audit Universe

One advantage of having an audit universe is that it lets the audit activity be clear about the extent of coverage of key risks and other risk areas each year. It can also provide a degree of rigour around the areas not being audited. Audit committees and senior managers who value a degree of cyclical assurance can use the audit universe to inform it.
The benefits of an audit universe also extend to organisations with a network of retail outlets, depots, branches, regional operations or subsidiaries, where managers mitigate risks day to day at the front line of service provision. In these situations, individual engagements in the audit plan, drawn from the audit universe, can be organised to address the top risks to the organisation, focusing on the aspects managed at the location. The important point is to ensure that regular or cyclical audit reviews audit the management of significant risks rather than risks of little or no significance. Thus, entities or areas within the audit universe with a lower risk ranking would be audited at a different frequency from those with a higher risk rating. Indeed, some areas within the audit universe may never be audited, which highlights the importance of other assurance providers for those areas. An audit universe is a useful aid for communicating how much of the organisation is covered by internal audit, which can be invaluable during resourcing discussions. The table below shows an example of planned coverage by audit against the total audit universe, in this case ranked into tiers 1, 2 and 3 by risk impact (table not reproduced here). In practice, other considerations may override the simplified tier classification. These include, but are not limited to:

1. Board/senior management requested review(s)
2. Regulator requested review(s)

In these circumstances, those considerations would be incorporated into the risk assessment and therefore form part of the risk rating used for tier classification. The audit universe can also help the head of internal audit consider all the relevant areas when forming an "overall audit opinion".
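The tiering and cyclical coverage described above can be made concrete in code. The following Python example is added here and is not part of the ICAI course material: it scores each area of a constructed audit universe, assigns a tier, applies the board/regulator-request override described above, and derives a three-year plan together with the share of the universe that is covered at all. The area names, the 1-to-5 scoring scale, the tier cut-offs and the audit frequency per tier are assumptions made for the illustration.

```python
"""Risk-based tiering of an audit universe (added illustration).

The areas, scores, cut-offs and audit frequencies are constructed for this
example; they are not figures from the ICAI course material.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed audit frequency per tier, in years. Tier 3 areas are not scheduled
# for audit at all and rely on other assurance providers.
TIER_FREQUENCY_YEARS = {1: 1, 2: 2, 3: None}


@dataclass
class AuditArea:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    control_strength: int      # 1 (weak controls) .. 5 (strong controls)
    requested_by: Optional[str] = None   # "board" or "regulator"

    def inherent_score(self) -> int:
        """Likelihood x impact, ignoring controls (1 .. 25)."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Inherent score reduced by the strength of the control environment.

        Each step of control strength above the minimum takes two points off;
        a weak control environment leaves the residual near the inherent score."""
        return max(1, self.inherent_score() - (self.control_strength - 1) * 2)


def assign_tier(area: AuditArea) -> int:
    """Tier 1 for residual >= 15, tier 2 for >= 8, else tier 3 (assumed cut-offs).

    Board- or regulator-requested reviews are folded into the rating and
    force tier 1, as the chapter describes."""
    if area.requested_by in ("board", "regulator"):
        return 1
    score = area.residual_score()
    if score >= 15:
        return 1
    if score >= 8:
        return 2
    return 3


def build_plan(universe: List[AuditArea], years: int = 3) -> Tuple[Dict[int, List[str]], float]:
    """Return (plan, coverage): plan maps year -> names of areas audited that
    year; coverage is the share of the universe audited at least once."""
    plan: Dict[int, List[str]] = {y: [] for y in range(1, years + 1)}
    covered = set()
    # Highest residual risk first, so each year's list leads with the critical areas.
    for area in sorted(universe, key=lambda a: -a.residual_score()):
        every = TIER_FREQUENCY_YEARS[assign_tier(area)]
        if every is None:
            continue
        for year in range(1, years + 1, every):
            plan[year].append(area.name)
        covered.add(area.name)
    return plan, len(covered) / len(universe)


# Constructed audit universe for the example.
UNIVERSE = [
    AuditArea("Core banking application", likelihood=4, impact=5, control_strength=3),
    AuditArea("Payroll system", likelihood=3, impact=4, control_strength=3),
    AuditArea("Canteen vending system", likelihood=2, impact=1, control_strength=3),
    AuditArea("Branch cash handling", likelihood=2, impact=3, control_strength=5,
              requested_by="regulator"),
]


def example_plan() -> Tuple[Dict[int, List[str]], float]:
    return build_plan(UNIVERSE, years=3)


if __name__ == "__main__":
    plan, coverage = example_plan()
    for year, areas in plan.items():
        print(f"Year {year}: {', '.join(areas)}")
    print(f"Coverage of universe: {coverage:.0%}")
```

Branch cash handling has a low residual score because its controls are strong, yet the regulator's request places it in tier 1 and it is audited every year; the canteen system stays in tier 3 and never appears in the plan, which is exactly the gap the chapter says other assurance providers must fill.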
1.9 Audit Risk and Materiality

1.9.1 Audit Risk

In general, audit risk is the risk that an auditor issues an unqualified report because of a failure to detect a material misstatement arising from error or fraud. It is composed of inherent risk (IR), control risk (CR) and detection risk (DR). Audit risk is assessed as high, moderate or low, and the sample size the auditor selects is set accordingly. In the context of IS Audit the meaning of audit risk is still relevant, but it varies with the specific scope and objectives of the audit.

Inherent risk is the overall risk faced by management on account of the entity's business operations as a whole. It is the susceptibility of information resources, or resources controlled by the information systems, to material theft, destruction, disclosure, unauthorised modification or other impairment, assuming there are no related internal controls. Inherent risk is the risk naturally associated with the activity itself. For an audit assignment the inherent risks can be project-related, revenue-related or resource-related, and the inherent risk to a business depends on the nature of that business. If the IS Auditor concludes that there is a high likelihood and a high consequence of risk exposure, ignoring internal controls, the inherent risk is high.

Control risk is the risk that an error which could occur in an audit area, and which could be material individually or in combination with other errors, will not be prevented, or detected and corrected on a timely basis, by the internal control system. Control risk is a measure of the IS Auditor's assessment of the likelihood that risk exceeds a tolerable level and will not be prevented or detected by the client's internal control system. This assessment includes an assessment of whether the client's internal controls are effective.
For example, the enterprise may have a good system of segregation of duties, but two employees could collude and still commit fraud.

Detection risk is the risk that the IS Auditor's substantive procedures will not detect an error which could be material, individually or in combination with other errors; the higher the level of non-detection by the IS Auditor, the higher the detection risk. For example, the detection risk associated with identifying breaches of security in an application system is ordinarily high if the audit logs for the whole audit period are not available at the time of the audit. Detection risk is a measure of the IS Auditor's assessment of the likelihood that vulnerabilities or gaps will not be detected by the IS Auditor's own procedures. The IS Auditor carries out more detailed audit work to detect material vulnerabilities or gaps when the inherent and control risks are high. In short, detection risk is the risk that a control weakness exists and the auditor fails to detect it.

Assessing inherent, control and detection risk gives the final assessment of the overall audit risk, i.e. the risk the IS Auditor is prepared to accept in an audit assignment. Audit risk is the product of the three: AR = IR x CR x DR. The extent of audit effort is dictated by the degree of audit risk, and assessing it correctly is critical to the effectiveness of the audit effort. Among the critical factors affecting audit risk is the appropriate assessment of the control environment. The preliminary review of the audit environment enables the IS Auditor to understand the business, technology and control environment and to gain clarity on the objectives and scope of the audit. Risk assessment allows the IS Auditor to determine the scope of the audit and assess the level of audit risk.
1.9.2 Materiality

In a financial audit, materiality is based on the value and volume of transactions and on the error, discrepancy or control weakness detected. In a regulatory audit, materiality is based on the impact of non-compliance; in an IS Audit, it is based on the effect or consequence of the risk in terms of potential loss. Materiality therefore varies with the scope and objectives of the audit and the specific auditee environment. Materiality is an important matter of professional judgement for the IS Auditor, who has to decide whether information is material or immaterial. In relation to financial statements, information is regarded as material if it would change the decisions of the users of the financial statements, i.e. if the misstatement is of high value and quantity.

The IS Auditor should have a good understanding of these audit risks when planning an audit. An audit sample may not detect every potential error in a population. When evaluating internal controls, the IS Auditor should realise that a given system may not detect a minor error; that specific error, combined with others, could nevertheless become material to the overall system. The concept of materiality requires sound judgement from the IS Auditor: an error the auditor detects may be considered significant at an operational level but not viewed as significant by upper management. Materiality considerations, combined with an understanding of audit risk, are essential for planning the areas to be audited and the specific tests to be performed. The more material an area, the less risk the IS Auditor is usually willing to accept in it.
For systems and operations that do not affect financial transactions, the following are examples of measures that should be considered when assessing materiality:

 Criticality of the business processes supported by the system or operation
 Cost of the system or operation (i.e. hardware, software, staff, third-party services, overheads, or a combination of these)
 Potential cost of errors (possibly in terms of lost sales, warranty claims, irrecoverable development costs, cost of publicity required for warnings, rectification costs, health and safety costs, unnecessarily high production costs, high wastage, etc.)
 Number of accesses/transactions/inquiries processed per period
 Nature, timing and extent of reports prepared and files maintained
 Nature and quantities of materials handled (e.g. where inventory movements are recorded without values)
 Service level agreement (SLA) requirements and the cost of potential penalties
 Penalties for failure to comply with legal and contractual requirements

For example, suppose a virus has been detected and cleaned and there was no impact on business or operations. On the face of it this is not a material risk. However, materiality can be determined correctly only after a root cause analysis establishes how and from where the virus entered the organisation's information systems. The analysis may reveal a weakness in a control process. So although the incident itself is not material, the underlying control weakness definitely is, because the virus problem can recur and harm the organisation's information systems. If the auditor fails to detect this weakness, that failure is detection risk materialising.

SA 320 is the Standard on Auditing for audit materiality. It requires the auditor to report those items that have an impact on the financial statements and that would change the decisions made by stakeholders.
The same concept applies when conducting an IS Audit engagement. ITAF (the Information Technology Assurance Framework), 3rd edition, issued by ISACA, has the following standards on materiality with which the IS Auditor has to comply.

1204.1 IS audit and assurance professionals shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
1204.2 IS audit and assurance professionals shall consider audit materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.
1204.3 IS audit and assurance professionals shall consider the cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or a material weakness.
1204.4 IS audit and assurance professionals shall disclose the following in the report:
a. Absence of controls or ineffective controls
b. Significance of the control deficiency
c. Likelihood of these weaknesses resulting in a significant deficiency or material weakness.

1.10 Concepts of Internal Controls

The increasing use of IT in organisations has made it imperative that appropriate information systems are implemented. IT should cover all the key aspects of an enterprise's business processes that bear on its strategic and competitive advantage. Control is defined by ISACA as "the policies, procedures, practices and the organisation structure that are designed to provide reasonable assurance that the business objectives will be achieved and undesired events are prevented or detected and corrected". This definition of control applies to all IS Audits.
Internal controls are normally composed of policies, procedures, practices and organisational structures implemented to reduce the organisation's risks to an acceptable level. They are developed to provide reasonable assurance to management that the organisation's business objectives will be achieved and that risk events will be prevented, or detected and corrected. Internal control activities and their supporting processes are either manual or driven by automated computer information resources. IS Audit therefore includes reviewing the implemented systems, or providing consultation, and evaluating the reliability and operational effectiveness of controls. The objective of controls is to reduce or, where possible, eliminate the causes of exposure to potential loss.

1.10.1 Types of Internal Controls

Internal controls, as a mechanism established by an organisation, are the sum of general controls and IS controls. IS controls, in turn, are the sum of IT application controls and IT general controls. General controls are internal controls that encompass all administrative areas in general, including IT implementation, whereas application controls are implemented within specific application software. In general, IS controls are the controls present on the enterprise's IT infrastructure, which includes hardware and software.

[Figure: Internal Controls = General Controls + IS Controls. IS Controls (Information Systems Controls) = IT Application Controls (specific to application software) + IT General Controls (apply to the IT environment in general).]

1.10.2 Types of IS Controls

IS controls can also be classified as follows:

Preventive Controls: Controls that prevent problems before they arise. They monitor both operations and inputs, attempt to predict potential problems before they occur and make adjustments.
They also help to prevent an error, omission or malicious act from occurring; e.g. firewalls.

Detective Controls: Controls that detect and report the occurrence of an error, omission or malicious act; e.g. audit trails.

Corrective Controls: Controls that minimise the impact of a threat. They remedy problems discovered by detective controls, help identify the cause of the problem, correct the errors arising from it, and modify the processing systems to minimise future occurrences; e.g. backups.

1.11 Organization of IS Audit Function

The IS audit function should be placed in the organisation so as to ensure its objectivity and independence. The composition and constitution of the IS audit function should ideally be decided by the Audit Committee, which should be the prime reporting authority for the function. The role of the IS audit function is defined by the audit charter, which sets out its authority, scope and responsibility and provides the mandate for performing the audit function. Based on the overall guidelines in the audit charter, the audit function is created with specific roles and responsibilities. The appointment of external auditors should also be governed by stipulations for independence and objectivity, which are the foundation of an effective audit function.

1.11.1 Infrastructure and Organization

The IS audit function should be equipped with sufficient resources to discharge its duties efficiently and effectively. An important determinant of the quality of the IS audit function is the quality of the human resources that staff it. Skill and competence requirements should be clearly established, and the IS audit function should collectively possess the skills and knowledge necessary to perform an effective and professional audit.
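Returning to the control classification in 1.10.2, the three types can be seen side by side in a small purchasing workflow. The following Python example is added here and is not code from the ICAI material or from any real purchasing system. It shows a preventive budget check that rejects an order before it consumes funds (the "lack of funds in your budget" message that appears in this chapter's questions), two detective reviews run over a constructed audit trail (one for segregation-of-duties breaches, one for a creator/approver pair repeatedly approving orders just under an authorisation threshold, which is how the collusion mentioned in 1.9.1 would surface), and a corrective reversal that restores the budget once a finding is confirmed. The budget, the user names, the 5,000 threshold and the 10% band are assumptions for the illustration.

```python
"""Preventive, detective and corrective controls in a purchase-order flow.

Added illustration: the budget, user names, threshold and audit-trail entries
are constructed for the example; nothing here is taken from a real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class ControlViolation(Exception):
    """Raised by a preventive control when a request must not be processed."""


@dataclass
class Budget:
    code: str
    remaining: float


@dataclass
class PurchaseOrder:
    po_id: str
    budget_code: str
    amount: float
    created_by: str
    approved_by: Optional[str] = None


def enter_purchase_order(po: PurchaseOrder, budgets: Dict[str, Budget], trail: List[dict]) -> None:
    """Preventive control: reject the order before it consumes budget.

    Rejected attempts are logged too, so the detective controls can see them."""
    budget = budgets[po.budget_code]
    if po.amount > budget.remaining:
        trail.append({"po_id": po.po_id, "event": "rejected", "user": po.created_by, "amount": po.amount})
        raise ControlViolation(f"{po.po_id}: lack of funds in budget {po.budget_code}")
    budget.remaining -= po.amount
    trail.append({"po_id": po.po_id, "event": "created", "user": po.created_by, "amount": po.amount})


def approve_purchase_order(po: PurchaseOrder, approver: str, trail: List[dict]) -> None:
    """Record approval. The application is assumed not to enforce SoD itself."""
    po.approved_by = approver
    trail.append({"po_id": po.po_id, "event": "approved", "user": approver, "amount": po.amount})


def detect_sod_violations(trail: List[dict]) -> List[str]:
    """Detective control: orders created and approved by the same user."""
    creator = {e["po_id"]: e["user"] for e in trail if e["event"] == "created"}
    return sorted(e["po_id"] for e in trail
                  if e["event"] == "approved" and creator.get(e["po_id"]) == e["user"])


def detect_near_threshold_pairs(trail: List[dict], threshold: float,
                                band: float = 0.10, min_count: int = 2) -> List[Tuple[str, str]]:
    """Detective control aimed at collusion: SoD holds, but one creator/approver
    pair repeatedly passes orders just below the authorisation threshold.
    The band and count are an assumed heuristic, not a rule from the chapter."""
    created = {e["po_id"]: e for e in trail if e["event"] == "created"}
    counts: Dict[Tuple[str, str], int] = {}
    for e in trail:
        c = created.get(e["po_id"])
        if e["event"] != "approved" or c is None or c["user"] == e["user"]:
            continue
        if threshold * (1 - band) <= c["amount"] < threshold:
            pair = (c["user"], e["user"])
            counts[pair] = counts.get(pair, 0) + 1
    return sorted(p for p, n in counts.items() if n >= min_count)


def reverse_purchase_order(po: PurchaseOrder, budgets: Dict[str, Budget], trail: List[dict]) -> None:
    """Corrective control: restore the budget consumed by a confirmed bad order."""
    budgets[po.budget_code].remaining += po.amount
    trail.append({"po_id": po.po_id, "event": "reversed", "user": "audit", "amount": po.amount})


def run_example() -> dict:
    budgets = {"IT-OPEX": Budget("IT-OPEX", 20000.0)}          # constructed
    trail: List[dict] = []
    orders = [                                                  # constructed
        PurchaseOrder("PO-1", "IT-OPEX", 4800.0, "alice"),
        PurchaseOrder("PO-2", "IT-OPEX", 4900.0, "alice"),
        PurchaseOrder("PO-3", "IT-OPEX", 3000.0, "carol"),
        PurchaseOrder("PO-4", "IT-OPEX", 9000.0, "dave"),
    ]
    approvers = {"PO-1": "bob", "PO-2": "bob", "PO-3": "carol"}
    rejected = []
    for po in orders:
        try:
            enter_purchase_order(po, budgets, trail)
        except ControlViolation:
            rejected.append(po.po_id)                           # preventive control fired
            continue
        approve_purchase_order(po, approvers[po.po_id], trail)
    sod = detect_sod_violations(trail)
    for po in orders:                                           # corrective step on confirmed findings
        if po.po_id in sod:
            reverse_purchase_order(po, budgets, trail)
    return {"rejected": rejected, "sod": sod,
            "near_threshold_pairs": detect_near_threshold_pairs(trail, threshold=5000.0),
            "remaining": budgets["IT-OPEX"].remaining}


if __name__ == "__main__":
    print(run_example())
```

The preventive control logs rejected attempts as well as accepted ones, and both detective reviews work purely from that trail: a detective control is only as good as the audit trail it reads, which is why the chapter treats missing logs for part of the audit period as a driver of high detection risk.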
Even where external agencies are engaged, the professional competence and skills of those agencies should be ensured. Continuing professional education should be part of the IS audit management plan.

Assurance function perspective: this describes what an enterprise needs in order to build and provide assurance function(s), and how each factor contributes to the overall provision of assurance, for example:

 Which organisational structures are required to provide assurance (board/audit committee, audit function, etc.)?
 Which information items are required to provide assurance (audit universe, audit plan, audit reports, etc.)?

The function might require special infrastructure for using CAATs (computer-assisted audit techniques); if so, the availability of appropriate tools and infrastructure should be ensured.

ITAF, 3rd edition, issued by ISACA provides the following standards on the independence of the IS Auditor.

1002 Organisational Independence
1002.1 The IS audit and assurance function shall be independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement.

1003 Professional Independence
1003.1 IS audit and assurance professionals shall be independent and objective in both attitude and appearance in all matters related to audit and assurance engagements.

1.11.2 Internal and External Audit Control Framework

The internal and external audit control framework ensures a minimum quality of audits and forms the basis on which the organisation implements an appropriate audit control framework. Accordingly, policies and procedures for risk assessment, planning, implementation and reporting are to be established. The audit control framework provides assurance on the effectiveness and efficiency of operations, the reliability of reporting and compliance with laws and regulations.
The standards and professional pronouncements should be strictly adhered to, and this should be reflected in the organisation and operation of the audit function. Specific guidelines have to be issued to ensure the quality of work within the control environment.

1.11.3 Quality Assessment and Peer Reviews

Quality assessment ensures that the IS audit function delivers in line with best auditing practice and follows the professional standards and pronouncements. It also ensures that the IS audit function is subject to both internal and external quality assessments, peer reviews, certification and accreditation. Though the objective of internal and external IS audit remains the same, the scope and approach may vary. In an internal IS audit, the IS Auditor reviews the internal control environment in detail, whereas an external IS Auditor takes an overall view of the internal control environment and focuses on substantive testing as per the specific scope and objective of the assignment. In an external audit, the audit engagement letter defines the scope and objectives of the individual audit assignment.

1.11.4 Standards on Audit Performance

IS Auditors are expected to comply with the following standards of ITAF, 3rd edition, issued by ISACA.

1004 Reasonable Expectation
1004.1 IS audit and assurance professionals shall have reasonable expectation that the engagement can be completed in accordance with the IS audit and assurance standards and, where required, other appropriate professional or industry standards or applicable regulations and result in a professional opinion or conclusion.
1004.2 IS audit and assurance professionals shall have reasonable expectation that the scope of the engagement enables conclusion on the subject matter and addresses any restrictions.
1004.3 IS audit and assurance professionals shall have reasonable expectation that management understands its obligations and responsibilities with respect to the provision of appropriate, relevant and timely information required to perform the engagement.

1005 Due Professional Care
1005.1 IS audit and assurance professionals shall exercise due professional care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of engagements.

1006 Proficiency
1006.1 IS audit and assurance professionals, collectively with others assisting with the assignment, shall possess adequate skills and proficiency in conducting IS audit and assurance engagements and be professionally competent to perform the work required.
1006.2 IS audit and assurance professionals, collectively with others assisting with the assignment, shall possess adequate knowledge of the subject matter.
1006.3 IS audit and assurance professionals shall maintain professional competence through appropriate continuing professional education and training.

1007 Assertions
1007.1 IS audit and assurance professionals shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.

1008 Criteria
1008.1 IS audit and assurance professionals shall select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measurable, understandable, widely recognised, authoritative and understood by, or available to, all readers and users of the report.
1008.2 IS audit and assurance professionals shall consider the source of the criteria and focus on those issued by relevant authoritative bodies before accepting lesser-known criteria.

1.12 Summary

This chapter has provided a brief overview of the fundamental concepts of audit, IS Audit, risks, controls and internal controls.
We have also drawn the distinction between an IS Audit and an audit in a computerised environment. Further, a conceptual understanding of IT risk and risk-based auditing has been provided, with an overview of the types of audit risk and their categorisation as inherent risk, control risk and detection risk. The concepts of materiality and internal controls, with an overview of the types of internal controls, have been covered. Controls are classified as general controls and IS controls, and IS controls are bifurcated into IT application controls, which are specific to application software, and IT general controls, which pertain to the IT environment in general. The classification of controls as preventive, detective and corrective has also been explained. The overall objective of this chapter is to provide an understanding of the key concepts of information systems, the audit function, materiality and the attached risks.

1.13 Case Study

Case Background: M/s InfoTech Solutions have been assigned to review the effectiveness of the existing controls of the online portal of a large retail chain. One of the clauses of the service level agreement is stated below:

"InfoTech Solutions to submit the final audit report within 1 month from the date of agreement. In case of deviation the following penalty is to be imposed:

Turn Around Time    Penalty
Within 30 days      Nil
31-40 days          10% of total fees payable
41-50 days          20% of total fees payable
51-60 days          30% of total fees payable
Above 60 days       50% of total fees payable"

To adhere to the SLA, M/s InfoTech Solutions detailed the following audit programme:

(i) A detailed risk assessment will not be carried out. The audit will be assigned to a Senior IS Auditor, who will decide the audit areas and sampling techniques based on his prior experience.
(ii) Initially, 2 associates will be allotted to the assignment. More resources will be provided as and when required.
(iii) The Senior Auditor will have to submit his draft report to the Partner by the 25th day, and the final report is to be issued to the client by the 30th day.
(iv) To save time, working papers and evidence gathering will be structured once the final report is submitted.

Questions:

(1) While planning the audit, M/s InfoTech Solutions should have FIRST identified:
(a) Areas of high risk.
(b) Skill sets of the audit staff.
(c) Test steps in the audit.
(d) Time allotted for the audit.

Correct Answer: (a), areas of high risk
Explanation:
(a) When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited.
(b) The skill sets of the audit staff are an important consideration. However, unless the risks are identified it will not be known how and where to utilise those skills.
(c) Compliance tests and substantive tests can be effectively carried out only once the auditor is aware of the areas of high risk.
(d) Allotment of time is important, but it is not the first and primary step in the way identification of high-risk areas is.

(2) M/s InfoTech Solutions has decided to skip the risk assessment process. What is the primary risk involved here?
(a) Resources may not be allocated to the areas of highest concern.
(b) Budgets are more likely to be met by the IS audit staff.
(c) The assignment may not be completed as per the timelines defined in the SLA.
(d) The Senior Auditor may not take responsibility for the audit observations.

Correct Answer: (a), resources may not be allocated to the areas of highest concern
Explanation: The primary risk here is that critical risks are not identified and may remain unnoticed. The other options are not of the same concern.

(3) The decisions and actions of the Senior Auditor of M/s InfoTech Solutions are MOST likely to affect which of the following risks?
(a) Detection
(b) Inherent
(c) Control
(d) Business

Correct Answer: (a), detection risk
Explanation:
(a) Detection risk is directly affected by the auditor's selection of audit procedures and techniques.
(b) Inherent risks usually are not affected by the IS auditor. (c) Control risks are controlled by the actions of the company's management. (d) Business risks are not affected by the IS auditor. 1.14 Questions 1 The primary purpose and existence of an audit charter is to: A. Document the audit process used by the enterprise B. Formally document the audit department’s plan of action C. Document a code of professional conduct for the auditor D. Describe the authority and responsibilities of the audit department 2 Which of the following control classifications identify the cause of a problem and minimize the impact of threat? A. Administrative Controls B. Detective Controls 19 Background Material on Information Systems Audit 3.0 Course (Module 1) C. Preventive Controls D. Corrective Controls 3. To conduct a system audit, the IS auditor should A. Be technically at par with client’s technical staff B. Be able to understand the system that is being audited C. Possess knowledge in the area of current technology D. Only possess a knowledge of auditing. 4 Which of the following are most commonly used to mitigate risks discovered by organizations? A. Controls B. Personnel C. Resources D. Threats 5 The rate of change in technology increases the importance of: A. Outsourcing the IS function B. Implementing and enforcing good processes C. Hiring personnel willing to make a career within the organisation D. Meeting user requirements 6 What means the rate at which opinion of the IS Auditor would change if he selects a larger sample size? A. Audit Risk B. Materiality C. Risk Based Audit D. Controls 7 Which of the following cannot be classified as Audit Risk? A. Inherent Risk B. Detection Risk C. Controllable Risk 20 Concepts of IS Audit D. Administrative Risk 8 After you enter a purchase order in an on-line system, you get the message, “The request could not be processed due to lack of funds in your budget”. This is an example of error? A. Detection B. Correction C. Prevention D. 
Recovery
9. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. Controls needed to mitigate risks are in place.
B. Vulnerabilities and threats are identified.
C. Audit risks are considered.
D. Gap analysis is appropriate.
10. Reviewing management's long-term strategic plans helps the IS auditor:
A. Gain an understanding of an organization's goals and objectives.
B. Test the enterprise's internal controls.
C. Assess the organization's reliance on information systems.
D. Determine the number of audit resources needed.
1.15 Answers and Explanations
1. An audit charter describes the authority and responsibility of the audit department. These are established by senior management. Correct answer is D.
2. Corrective controls identify the cause of a problem and minimize the impact of a threat. The goal of these controls is to identify the root cause of an issue whenever possible and eliminate the potential for it occurring again. The other controls are useful but perform other functions. Correct answer is D.
3. To conduct an IS audit, the primary requirement is that the IS Auditor should be able to understand the system and technology being audited. The auditor is not required to be an expert in all subjects, and there is no comparison of the auditor's knowledge with that of the auditee's staff. The auditor should have knowledge of auditing along with the technology in the subject area of the audit. Correct answer is B.
4. Controls are most commonly used to mitigate risks discovered by organizations; they are what organizations implement as a result of the risks discovered. Resources and personnel are often expended to implement controls. Correct answer is A.
5. The rate of change of technology increases the importance of implementing and enforcing good processes. Correct answer is B.
6. Audit risk means the rate at which the opinion of the IS Auditor would change if a larger sample size were selected. Audit risk can be high, moderate or low depending on the sample size selected by the IS Auditor. A risk-based audit approach is usually adopted to develop and improve the continuous audit process. Materiality means the importance of information to its users; whether information is material or immaterial is entirely a matter of the professional judgment of the IS Auditor. Correct answer is A.
7. Inherent risk means the overall risk faced by management on account of the entity's business operations as a whole. Controllable risk is the risk present in the internal control system; the enterprise can control this risk completely and eliminate it from the system. Detection risk is the risk that the IS Auditor is not able to detect the inherent risk or the controllable risk. Administrative risk is not a classification of audit risk. Correct answer is D.
8. To stop or prevent a wrong entry is a function of error prevention. All the other options work after an error has occurred; prevention works before the occurrence of the error. Correct answer is C.
9. In developing a risk-based audit strategy, risks and vulnerabilities must be understood. This determines the areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a result of the audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. Gap analysis would normally be done to compare the actual state to an expected or desirable state. Correct answer is B.
10. Strategic planning sets corporate or departmental objectives into motion. It is time and project-oriented, but must also address and help determine priorities to meet business needs. Reviewing long-term strategic plans does not achieve what the other choices describe. Correct answer is A.
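Questions 2 and 8 turn on when a control acts relative to the error. The following Python model is an added example, not code from the course material: it walks the purchase-order budget check of question 8 through the three control classes, a preventive control that rejects the request before anything is posted, a detective control that flags an overspent cost centre after the fact, and a corrective control that reverses the offending posting. The Budget class, the cost-centre names, the limits and the purchase-order amounts are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Budget:
    """One cost centre's budget (constructed data for the example)."""
    cost_centre: str
    limit: int
    spent: int = 0
    postings: list = field(default_factory=list)  # (po_id, amount) pairs


class InsufficientFunds(Exception):
    """Raised by the preventive control when a request exceeds the budget."""


def post_purchase_order(budget, po_id, amount, preventive=True):
    """Post a purchase order to a budget.

    With preventive=True the budget check runs before anything is committed,
    so an over-budget request is rejected outright (the message in question 8).
    With preventive=False the posting goes through unchecked, leaving the
    problem to later detective and corrective controls.
    """
    if preventive and budget.spent + amount > budget.limit:
        raise InsufficientFunds(
            f"{po_id}: the request could not be processed due to lack of funds in your budget")
    budget.spent += amount
    budget.postings.append((po_id, amount))
    return budget.spent


def detect_overspend(budgets):
    """Detective control: an after-the-fact review that flags cost centres
    whose committed spend exceeds their limit. It cannot undo anything."""
    return [b.cost_centre for b in budgets if b.spent > b.limit]


def reverse_posting(budget, po_id):
    """Corrective control: reverse the posting that caused the exception so
    the budget is brought back within limit. Returns the amount reversed."""
    for index, (posted_id, amount) in enumerate(budget.postings):
        if posted_id == po_id:
            del budget.postings[index]
            budget.spent -= amount
            return amount
    raise KeyError(f"no posting {po_id!r} on {budget.cost_centre}")


def run_scenario():
    """Push the same over-budget request through two designs and report what
    each control class did. Budgets and purchase orders are constructed."""
    results = {}

    # Design A: preventive control inside the on-line system.
    cc100 = Budget("CC100", limit=1000)
    post_purchase_order(cc100, "PO-1", 700)
    try:
        post_purchase_order(cc100, "PO-2", 500)   # 700 + 500 > 1000: rejected
        results["A_rejected"] = False
    except InsufficientFunds:
        results["A_rejected"] = True
    results["A_spent"] = cc100.spent                # unchanged at 700

    # Design B: no preventive check; rely on detection plus correction.
    cc200 = Budget("CC200", limit=1000)
    post_purchase_order(cc200, "PO-3", 700, preventive=False)
    post_purchase_order(cc200, "PO-4", 500, preventive=False)  # goes through
    results["B_flagged"] = detect_overspend([cc100, cc200])    # only CC200
    results["B_reversed"] = reverse_posting(cc200, "PO-4")
    results["B_spent_after_correction"] = cc200.spent
    results["B_flagged_after_correction"] = detect_overspend([cc100, cc200])
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the two designs make is the one the answers rely on: in design A the erroneous posting never exists, so nothing has to be found or undone; in design B the same error is committed, and the organisation depends on the detective review running and on someone acting on its output before the corrective reversal restores the budget.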
Chapter 2 IS Audit in Phases
2.1 Learning Objectives
This chapter provides detailed insights into the various phases of an IS audit. The fundamental concepts discussed in the earlier chapter are connected to their practical aspects: how to define the audit scope and objectives, gain knowledge of the organisation's business, and assess risk, IT application controls and IT general controls of the enterprise. Sampling and testing methodologies using CAATs, as used by the IS auditor, are also discussed. How to develop audit programs and approaches, and how to design appropriate tests for compliance and substantive testing to review the design effectiveness and operating effectiveness of information systems, is explained. The need for the IS auditor to obtain sufficient evidence as part of the audit process, which forms a critical part of assurance services, as well as the use of global best practices as benchmarks for performing and reporting IS audit findings, are discussed in this chapter. Please note that the words 'organisation' and 'enterprise' are used interchangeably.
2.2 Introduction
Information systems have become an integral part of business processes. The growth of technology has made IT an indispensable part of day-to-day functioning. Organizations value information as their most critical asset, and hence it has become a prime target for theft, causing loss to the enterprise. There is a risk that information may be stolen fraudulently and used by fraudsters for financial gain. Information systems are helping organizations improve efficiency in customer delivery and are also opening up new delivery channels. In order to adapt to these technological advancements, organizations have re-engineered their processes, which has the potential of introducing new vulnerabilities. There is a critical requirement to enhance the value of information by making it available online, but this must be coupled with the right level of security.
In the networked world, fraudsters can intrude into systems at any time and from anywhere. It is important that management not only has systems and processes in place to ensure that adequate controls exist and are working effectively, but also obtains an independent evaluation by IS audit professionals. The IS auditor has to plan the audit keeping in mind the scope and objectives of the audit, including the auditee environment, regulatory requirements and technology deployment. The IS audit phases are summarized in the following diagram.
IS Audit Phases
Plan:
 Understanding the environment and setting up of objectives
 Risk assessment and control identification
 Audit program and procedures
Execute:
 Analytical procedures, compliance and substantive testing
 Sampling
 Using CAATs and evaluating audit evidence
Report:
 Audit report and recommendations
 Presentation to management
 Follow up review
2.3 Conducting an IS Audit
2.3.1 Setting up of audit objectives
Audit objectives refer to the specific goals that must be met by the audit. In contrast, a control objective refers to how an internal control should function. An audit may, and generally does, incorporate several audit objectives. Audit objectives often focus on substantiating that internal controls exist to mitigate business risks, and that they function as expected. These audit objectives include assuring compliance with legal and regulatory requirements as well as the confidentiality, integrity, reliability and availability of information and IT resources. Auditee management may give the IS Auditor a general control objective to review and evaluate when performing an audit. One of the basic purposes of any IS audit is to identify control objectives and the related controls that address these objectives.
The objective of an information systems audit (of the design and operating effectiveness of the internal control system) is to enable the IS Auditor to express an opinion on whether the internal control system set up and operated by the organisation, for the purpose of managing risks to the achievement of its objectives, was suitably designed and operated effectively in the period. If there are control weaknesses, these should be reported with appropriate recommendations for mitigating the risks by improving controls, and thus add value.
2.3.2 Request for proposal (RFP)
Many times, organizations may need to engage outside agencies, i.e. external auditors, for some audit assignments. An RFP is a standard solicitation document used by various organisations to invite competition for contract opportunities. An RFP is most often used to acquire services, although it may be used in some circumstances to acquire goods. A successful RFP process will support the principles of fair, open and transparent procurement and will satisfy the business requirements. Well-prepared RFPs can go a long way in creating effective solutions and programs for business development and associations. With an RFP, proposals are evaluated against multiple criteria such as price, qualifications and experience, and the proposed solution or approach. The best proposal is awarded the contract, though it may or may not quote the lowest price. The IS Auditor can play an important role in the preparation and evaluation of responses to an RFP.
2.4 Audit Charter and Terms of Engagement
2.4.1 IS Audit charter
The IS Audit charter is like the constitution for the IS Audit function, as it mandates the authority, scope and responsibility of IS Audit in the organisation. The IS Auditor should have a clear mandate to perform the IS audit function as authorized through the audit charter. This mandate should be formally accepted and approved by senior management.
Where an audit charter exists for the audit function as a whole, the IS audit mandate should be included therein. ISACA's IT Audit and Assurance Framework (ITAF) has the following standards for the audit charter:
1001.1: The IS audit and assurance function shall document the audit function appropriately in an audit charter, indicating purpose, responsibility, authority and accountability.
1001.2: The IS audit and assurance function shall have the audit charter agreed upon and approved at an appropriate level within the enterprise.
Contents of the Audit Charter
The audit charter should clearly address the four aspects of purpose, responsibility, authority and accountability. Aspects to consider are set out in the following sections.
Purpose
 Role
 Aims/goals
 Mission statement
 Scope
 Objectives
Responsibility
 Operating principles
 Independence
 Relationship with external audit
 Auditee requirements
 Critical success factors
 Key performance indicators
 Risk assessment
 Other measures of performance
Authority
 Right of access to information, personnel, locations and systems relevant to the performance of audits
 Scope or any limitations of scope
 Functions to be audited
 Auditee expectations
 Organizational structure, including reporting lines to board and senior management
 Grading of IS audit staff
Accountability
 Reporting lines to senior management
 Assignment performance appraisals
 Personnel performance appraisals
 Staffing/career development
 Auditee rights
 Independent quality reviews
 Assessment of compliance with standards
 Benchmarking performance and functions
 Assessment of completion of the audit plan
 Comparison of budget to actual costs
 Agreed actions, e.g., penalties when either party fails to carry out their responsibilities
2.4.2 Audit Engagement Letter
Purpose: Engagement letters are often used for individual assignments or for setting
the scope and objectives of a relationship between external IS audit and an organization.
Content: The engagement letter should clearly address the three aspects of responsibility, authority and accountability. Aspects to consider are set out in the following paragraphs.
Responsibility
 Scope
 Objectives
 Independence
 Risk assessment
 Specific Auditee requirements
 Deliverables
Authority
 Right of access to information, personnel, locations and systems relevant to the performance of the assignment
 Scope or any limitations of scope
 Evidence of agreement to the terms and conditions of the engagement
Accountability
 Intended recipients of reports
 Auditee rights
 Quality reviews
 Agreed completion dates
 Agreed budgets/fees, if available
Standard on Auditing (SA) 210, Agreeing the Terms of Audit Engagements, requires the auditor and the client to agree on the terms of the engagement and document them in the audit engagement letter. It requires that the engagement letter be renewed if necessary, before the commencement of the audit in succeeding years. An IS audit is performed internally as per the audit charter, or it may be outsourced to an external IS Auditor. In case it is outsourced, an audit engagement letter is issued as discussed above. It is critical to note that external IS audits would have a specific scope, objectives, timelines and deliverables, whereas in the case of an internal IS audit these may be flexible and could vary depending on the needs of the enterprise. The audit assignment requires the continuing involvement of client personnel. Hence, ongoing communication with the auditee is critical.
2.4.3 Communication with Auditee
Effective communication with the Auditee involves:
 Describing the service, its scope and timeliness of delivery
 Providing cost estimates or budgets
 Describing problems and possible resolutions for them
 Providing adequate and readily accessible facilities for effective communication
 Determining the relationship between the services offered and the needs of the Auditee
The audit charter forms a sound basis for communication with the Auditee and should include references to service level agreements for things such as:
 Availability for unplanned work
 Delivery of reports
 Costs
 Response to Auditee complaints
 Quality of service
 Review of performance
 Communication with Auditee
 Needs assessment
 Control risk self-assessment
 Agreement of terms of reference for audits
 Reporting process
 Agreement of findings
2.4.4 Quality Assurance Process
The IS Auditor should consider establishing a quality assurance process (e.g., interviews, customer satisfaction surveys, assignment performance surveys) to understand the Auditee's needs and expectations relevant to the IS audit function. These needs should be evaluated against the charter with a view to improving the service or changing the service delivery or the audit charter, as necessary. The IS audit standards require the IS Auditor to staff assurance assignments with personnel having the required competencies and skill sets and to monitor their completion. If required, external experts may be used in the assignment. However, the IS Auditor continues to remain responsible for the assignment. The IS auditor should develop a standard approach, documentation and methodology with appropriate templates for the various types of assignments.
Best practices and frameworks, along with the required standards, guidelines and procedures, should be used in developing the quality assurance process, and all staff should be trained in the process to be followed at all stages, from planning to execution and reporting, for the various types of assignments. According to SA 220 of ICAI, quality control systems, policies and procedures are the responsibility of the audit firm. Under SQC 1, the firm has an obligation to establish and maintain a system of quality control to provide it with reasonable assurance that: (a) the firm and its personnel comply with professional standards and regulatory and legal requirements; and (b) the reports issued by the firm or engagement partners are appropriate in the circumstances. SA 220 is premised on the basis that the firm is subject to SQC 1. Within the context of the firm's system of quality control, engagement teams have a responsibility to implement quality control procedures that are applicable to the audit engagement and to provide the firm with relevant information to enable the functioning of that part of the firm's system of quality control relating to independence. Engagement teams are entitled to rely on the firm's system of quality control, unless information provided by the firm or other parties suggests otherwise.
2.5 Audit Scope
The scope of an audit is a determination of the range of activities and the period of records that are to be subjected to audit examination. The scope and objectives for every audit are determined through discussion with auditee management and a specific risk assessment. The scope of the audit is specifically determined by management in the case of an internal audit, and is set by statute if the audit is a regulatory requirement. While each audit is unique, there are some general or common objectives applied to most audits.
Once planning work begins, clearly defining the audit scope is important in determining the budget, human resources and time required for the audit, and in determining what will have to be specifically reported and in which format. Scoping the audit involves narrowing the audit to relatively few matters of significance that pertain to the audit objective and that can be audited with the resources available to the audit team. In a multi-entity audit, the scope includes identifying the specific departments or applications that will be included in the audit. To identify matters of significance, the IS auditor should research the competitive environment, nature of business, technology used and the regulatory requirements so as to understand the auditee environment and plan and execute the assignment as per its scope and objectives, considering questions such as:
 Are there areas that have an important impact on the organisation's results?
 Will the audit of the issue make a difference; that is, will it result in improved performance, accountability or value for money?
 Are there issues with high visibility or of current concern?
 Are there areas that have undergone a significant degree of change? Examples of changes within an entity are new technology deployed, increased staff turnover and reorganization. Examples of changes to an entity's environment are new regulatory requirements, change in senior management, budget cuts, etc.
 Is the timing appropriate for auditing the issue?
 Are there any examples of past non-compliance?
 What is the management style, the risk appetite and the approach to risk management?
 Are there any cases of past fraud or material errors?
Carefully scoping the audit early in the process helps increase the efficiency and effectiveness of the audit. The statement of scope should be clear about any areas excluded from the audit.
2.6 Audit Planning
One of the primary and most important phases in an IS audit is planning, which ensures that the audit is performed in an effective way and completed in a timely manner. Planning takes on more significan
