I.T Audit and Control - ITT306 Lecture Notes 2024 PDF

Document Details

Uploaded by CharitableOrangutan734

NED University of Engineering and Technology

2024

Engr. Dr. Shamim Akhtar

Tags

IT audit information technology controls risk management

Summary

These lecture notes cover the fundamentals of Information Technology (IT) audit and control. The key topics include the importance of IT controls and audits in today's interconnected world, the process of IT audit, and the various types of information systems and risks within them.

Full Transcript

I.T AUDIT AND CONTROL - ITT306
September 2024
Lecturer: Engr. Dr. Shamim Akhtar ([email protected])
Bachelor in Engineering from NED University, Master in Engineering from NED University, PhD from University Malaysia Pahang.

Course Description
Introduces the fundamental concepts of the information technology audit and control function. The main focus is on understanding information controls, the types of controls and their impact on the organization, and how to manage and audit them. The concepts and techniques used in information technology audits will be presented.
Students will learn the process of creating a control structure with goals and objectives, auditing an information technology infrastructure against it, and establishing a systematic remediation procedure for any inadequacies. The challenge of dealing with best practices, standards, and regulatory requirements governing information and controls is addressed.

At the end of this course students should be able to:
- Understand the role and objectives of information technology audits.
- Develop an appropriate information technology audit process.
- Identify risks to the confidentiality, integrity, and availability of information and processes.
- Describe the risks inherent in various types of information systems, ranging from manual and basic accounting systems to advanced operational information and knowledge systems for decision making.
- Understand how to design and implement assurance procedures and control measures to effectively manage risks.
- Understand best practices, standards, and regulatory requirements governing information and controls, which may vary with an organization's locations and customers.
- Gain the ability to measure the degree of compliance with them.
- Understand the role of auditing in systems development, including the review of the development process and participation in systems under development.
- Understand data forensics.
- Secure and preserve evidence.
- Develop disaster recovery and business continuity plans.

Major topics/units to be covered:
Unit 1 Why Are Controls and Audit Important?
Unit 2 Role of the IT Auditor
Unit 3 IT Governance
Unit 4 Security and Service Continuity
Unit 5 Managing Quality
Unit 6 Risk Management
Unit 7 The Legal Environment and Its Impact on Information Technology

Required Text
Senft, Gallegos, Davis; Information Technology Control and Audit, latest edition, CRC Press

Course Outline

Course Schedule

UNIT 1 - WHY ARE INFORMATION TECHNOLOGY CONTROLS AND AUDIT IMPORTANT?

Unit 1 Learning Outcomes
At the end of this unit, students should be able to:
- Discuss the need for information technology audit and controls
- Explain how to undertake an information system audit
- Compare the differences between internal audit and external audit
- Describe the various controls over information and processes

Why are I.T Controls and Audit Important?
Present situation worldwide:
- Organizations are more information dependent
- Increased connectivity and availability of systems have now become the lifeline of most businesses
- Pervasive electronic infrastructure and commerce integrated in business processes

According to Gallegos & Senft, IT controls and audit have become critical mechanisms for ensuring the integrity of information systems and the reporting of organization finances, to avoid and hopefully prevent future financial fiascos such as Enron and WorldCom. Read up on the Enron / WorldCom scandals.

Although technology provides opportunities for growth and development, it also provides the means and tools for threats such as disruption, deception, theft and fraud. Outside attackers threaten our organizations, yet trusted insiders are a far greater threat (GTAG Guide).

Reports of white collar crime, information theft, computer fraud, information abuse and other IT control concerns are on the rise.

As a result of the rapid diffusion of computer technologies and the ease of information accessibility, there is a need for effective IT controls across businesses, to maintain data integrity and manage access to information.

Information Technology (I.T) Controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls include, for example:
- Written corporate policies
- Physical access protection
- Ability to trace transactions to the individuals responsible for them

I.T Controls are essential to protect assets, customers, business partners and sensitive information; demonstrate safe, efficient and ethical behavior; and preserve brand, reputation and trust, all of which can be easily lost in today's global market and regulatory environment (GTAG Guide).
- Any control that mitigates or detects fraud or cyber attack enhances an organization's resiliency
- I.T controls are selected and implemented on the basis of the risks they are designed to manage
- I.T Controls need to be assessed continuously, especially since business processes constantly change to keep up with technology. This means new threats and vulnerabilities.
- Remember earlier I indicated that I.T Controls provide assurance for information and information services. This assurance comes not only from having the controls, but also from the evidence that the controls are continuous and sufficient.
- How are I.T controls assessed? How is the evidence to obtain that assurance sought? One way is via an I.T Audit.

The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively. (ISACA)

An Information Technology (IT) audit is an audit of an organization's IT systems, management, operations and related processes to determine whether IT Controls:
1. Maintain data integrity
2. Allow the organizational goals to be achieved effectively

In other words, an I.T audit is an audit done to determine if a company has effective internal I.T controls that provide reasonable and acceptable assurance that operational and control objectives will be met and that undesired events will be prevented, or detected and corrected in a timely manner.

It may be carried out in connection with a financial regularity audit or a selective audit. As the records, services and operations of many organizations are often highly computerized, there is a need to evaluate the IT controls in the course of an audit of these organizations. It is any audit that encompasses the review and evaluation (wholly or partially) of automated information processing systems, their related non-automated processes and the interfaces between them.

I.T Audit Process
The I.T audit process varies from auditor to auditor and it is possible to find various variations of the audit process in the literature. Please refer to Exhibit 4.2 in your text to view the Audit Workflow on page 82.

Steps to determine what to audit:
- Areas with most risk to the organization
- Areas where value can be added

Create the Audit Universe
- The Audit Universe is the inventory of all the potential audit areas within an organization. It includes the organization's objectives, the processes that support these objectives, the risks of not achieving the objectives, the controls that mitigate those risks, and the audit objectives for each area.
- It is the process of documenting the key business processes and risks of an organization.
- Linking the audit universe to the organization's objectives links the entire audit process to the business objectives and risks, making it easier to communicate the impact of control deficiencies.

Rank the Audit Universe
Priority areas are identified based on:
- Known issues in the area (risk assessment)
- Inherent risk in the area
- Benefits of performing the audit in the area
- Management input

Once ranked, and in order to arrive at the final audit universe, one needs to estimate the resource requirements for each potential audit area.

Step 1: Planning the I.T Audit
- Before you begin work on any audit, you must determine what you plan to review. If the planning process is executed effectively, it will set up the audit team for success. Conversely, if it is performed poorly and work begins without a plan and without clear direction, the audit team's efforts could result in a failure.
- The goal of the planning process is to determine the objectives and scope of the audit. This is informed by the assessment of risks in the areas being reviewed and the identification of the steps to be accomplished. (Please refer to the information on risk assessment in your text. It is very important that you review it.)
- Risk assessment forms a significant part of the planning process and is often referred to as the foundation of the audit function. It is used to examine the audit universe and choose the areas/projects with the greatest risk exposure.
- Generate the Audit Plan (note the contents of the Audit Plan in your text, Unit 4). Also note everything related to the audit schedule, budget and related preparation in the text.
- Schedule the audit in cooperation with the customers.
- Conduct a kick-off meeting where the scope and objectives of the audit are communicated, the schedule is discussed and a point of contact is identified.
- Please note the importance of developing the audit plan, objectives, charter etc. in collaboration with the customers/clients.
- Note that IT audits are often difficult, as it is a field that is technologically complex, with a language of its own. Participants in the formulation of the IT audit plan, including the auditors, must be sufficiently experienced and trained in all relevant areas to guarantee the success of the audit.

Step 2: The Audit Process
- This is where most of the audit work occurs.
- Auditors need to find ways to independently validate information provided by customers.
- Documentation is key! It should be clear, with enough detail to substantiate the auditor's conclusions.
- This is where I.T controls are evaluated and tested, substantive tests are performed and results are analyzed.
- Note the typical phases of an audit engagement and the types of IT audit in the Unit 4 material.
- Note the 7 basic steps that can assist an auditor in the review of a computer-based system. These steps are valid regardless of the computer environment, audit area or system complexity:
  1. Define objectives
  2. Build a basic understanding of the area being audited
  3. Build a detailed understanding of the area being audited
  4. Evaluate controls, strengths and weaknesses
  5. Design the audit procedures
  6. Test the critical controls, processes and apparent exposures
  7. Evaluate the results
- Take particular note of how the following is done: controls are tested, audit work is validated, and substantive testing is performed.
- During the audit process, auditors will develop a list of issues and potential concerns:
  - Issues need to be valid and relevant
  - Issues should be discussed and clarified with customers immediately to validate that the issues exist
  - The risk presented by an issue needs to be validated to see if it is significant enough to report and address

Step 3: Documenting Results
- This step evaluates the results of the work and prepares a report on the findings.
- Note that the audit findings include not only control strengths but also control weaknesses, and should be used to review the control issues with the responsible management.
- Note the analysis process one should follow to arrive at the results, as listed in the text in Unit 4: Analysis -> Reexamination -> Verification -> Cause -> Conclusions -> Recommendations
- The audit report is used to formally communicate the results of the audit. Note the typical contents of the audit report as listed in the text in Unit 4.
- The value of an audit depends largely on how these results are communicated!

Step 4: Follow-up of Audit Recommendations
Important enough to stand out on its own. The following is recommended:
1. The selection of the person(s) responsible for executing the action plans
2. The due date by which they will be completed
3. Corrective action
4. Please refer to the example on page 95 in your text.
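As an added illustration of the audit-universe steps above (create the universe, rank it on the four inputs the notes list, then estimate resources to arrive at the final plan), the Python below is example code written for these notes, not from the textbook or the course; the ranking weights, sample areas, scores and hours are all constructed assumptions.

```python
from dataclasses import dataclass

# Ranking weights are an assumption for this example: the notes list the four
# ranking inputs but give no weighting, so tune these to the organization.
WEIGHTS = {"known_issues": 0.30, "inherent_risk": 0.35, "benefit": 0.20, "mgmt_input": 0.15}

@dataclass
class AuditArea:          # one entry in the audit universe
    name: str
    objective: str        # business objective the area supports
    risks: list           # risks of not achieving that objective
    controls: list        # controls that mitigate those risks
    known_issues: int     # 1-5, from prior findings / risk assessment
    inherent_risk: int    # 1-5
    benefit: int          # 1-5, value the audit would add
    mgmt_input: int       # 1-5, management's priority
    est_hours: int        # estimated resource requirement for the audit

def risk_score(area: AuditArea) -> float:
    """Weighted exposure score used to rank the universe."""
    return round(sum(getattr(area, k) * w for k, w in WEIGHTS.items()), 2)

def rank_universe(universe: list) -> list:
    """Highest exposure first."""
    return sorted(universe, key=risk_score, reverse=True)

def final_audit_plan(universe: list, budget_hours: int) -> list:
    """Walk the ranked universe and keep each area that still fits the
    hours budget; areas that do not fit are deferred to the next cycle."""
    plan, remaining = [], budget_hours
    for area in rank_universe(universe):
        if area.est_hours <= remaining:
            plan.append(area.name)
            remaining -= area.est_hours
    return plan

# Constructed sample universe; names, scores and hours are made up.
UNIVERSE = [
    AuditArea("Payroll application", "Accurate financial reporting",
              ["Fictitious employees", "Unauthorised pay-rate changes"],
              ["Segregation of duties", "Change approval"], 4, 5, 4, 3, 120),
    AuditArea("Remote access gateway", "Secure connectivity for staff",
              ["Credential theft", "Unpatched gateway"],
              ["Multi-factor authentication", "Patch management"], 2, 5, 3, 5, 160),
    AuditArea("Intranet CMS", "Internal communication",
              ["Stale content"], ["Content owner review"], 1, 2, 2, 2, 40),
    AuditArea("Backup and recovery", "Service continuity",
              ["Unrecoverable data loss"], ["Tested restores"], 3, 4, 5, 4, 80),
]
```

With a 250-hour budget, final_audit_plan(UNIVERSE, 250) keeps Payroll and Backup, defers the higher-ranked but 160-hour Remote access gateway, and fills the remaining hours with the small Intranet review; the deferred area is what the resource estimate step carries into the next cycle.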
An alternative example of the I.T Audit Process (Davis, Schiller & Wheeler, IT Auditing: Using Controls to Protect Information Assets, 2nd Edition):
1. Planning
2. Fieldwork & Documentation
3. Issue Discovery & Validation
4. Solution Development
5. Report Drafting & Issuance
6. Issue Tracking

Control and Audit - Global Concerns
In these days of global economic crisis, it becomes clear that the importance of internal audit in companies will be increasingly higher. By developing the skills of identifying key risks, particularly those arising from the global economic downturn, internal audit is seen as a key element in combating the negative effects of the current economic crisis and also in preventing other such negative phenomena. Internal audit now has the chance to change its role in the process of risk management into a more strategic one, which would not only prevent future catastrophes of this kind but also make the company operate more efficiently.

After reading the section on Control and Audit in your text, and to help you better understand the impact of cybersecurity threats and of a lack of controls and audit on the global environment, please refer to the following:
https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
https://www.eciia.eu/wp-content/uploads/2021/04/Global-Trendsv8.pdf

Discussion Question
Once you have completed the readings of Units 1 and 4, kindly refer to the Discussion Question on the course page!
