Introduction What is IS Audit


Introduction: What is IS Audit? How to become an IS Auditor; Task and role of an IS Auditor

What is Audit? What is IS Audit?
- "An official examination of accounts to see that they are in order" – The Oxford Dictionary
- An INDEPENDENT assessment of / opinion on how well (or badly) the financial statements were prepared
IS audit:
- A review of the controls within an entity's technology infrastructure
- An official examination of IT-related processes to see that they are in order

What is IS Audit Activity? Difference Between Audit and Evaluation
- Audit: an independent activity; checks process and result against a norm ("doing right"); done at the end of a phase. Ex.: checking a regulation of PM and how to apply it, including the current situation.
- Evaluation: an activity of management; checks performance (effectiveness and efficiency, "managing right"); the next action is improvement; done at any time. Ex.: checking the progress and quality of a project.
Diagram: the Company consists of Policy and Strategy, Organization and Regulation/Standard, Business Activities and Business Infrastructure; these are examined by Management Evaluation from inside and by Independent Audit from outside.

Viewpoint of an IS Auditor: SDLC (System Development Life Cycle), with a review point (R) at each phase
- P1: Feasibility Study (R)
- P2: Requirement Definition (R); decision: Buy or Make (Build)
- Make: P3: System Design (R), P4: Development (R) – the scope of general system development
- Buy: P3: System Selection (R), P4: Configuration (R)
- P5: Implementation (R)
- P6: Post-implementation: evaluation and performance review by an audit (R)
- P7: Disposal

Why IS Audit is needed? Social Background
- The information system has become a main function of business: supporting business activity, keeping business information, main interface to customers.
- Innovation in ICT gave the information system a major role in business.
- Problems of business management: IT systems inappropriate to the business strategy; big investment in IT systems with unclear ROI.
- Problems of security/risk management: computer viruses and illegal access; system trouble and backup for disasters.
- Effective and efficient internal management and operation of the information system is needed => Independent Information System Audit.

Why IS Audit is needed? Legal Background (1)
After major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom, the 'Public Company Accounting Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and Responsibility Act', commonly called Sarbanes–Oxley, Sarbox or SOX, was enacted as a United States federal law on July 30, 2002. It directs the SEC to enact rules protecting shareholders and the economy:
- Honesty in financial reporting
- Responsibility at the top
- Demonstrate compliance by audits
The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting. Internal control now depends on information systems, so evaluating internal control requires an audit of the information system.

Why IS Audit is needed? Legal Background (2)
- Before SOX (Company / Auditor): Internal Control -> Financial Statement -> Financial Audit -> Financial Audit Report.
- Under SOX, an Integrated Audit = Financial Audit (Result) + Operation Audit (Process):
  - Internal Control -> Financial Statement -> Financial Audit -> Financial Audit Report
  - Internal Control -> Internal Control Statement -> Internal Control Audit -> Internal Control Audit Report
- Objectives of internal control: effectiveness and efficiency of operation; assurance of the financial statement; compliance with laws.
- The Operation Audit assures the clearance of the financial statement.

What is Internal Control? Internal Control Model by COSO (for the Financial Statement)
- Objectives: Operation, Reporting, Compliance
- Components (activities): Control Environment, Risk Management, Control Activity, Information and Communication, Monitoring
- Levels: Enterprise-level, Division or subsidiary, Business unit
- IT Control: Objective -> Risk -> Control

Activities of Internal Control
- Control Environment: the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
- Risk Management: the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
- Control Activity: the policies and procedures that help ensure management directives are carried out. Consists of 2 aspects: a policy of what should be, and procedures to accomplish the policy.
- Information and Communication: support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Monitoring: assess the quality of internal control performance over time.
- IT Control: procedure or policy that provides a reasonable assurance that the information technology (IT) used by an organization

IT Internal Control <= Target of IS Audit
IT control consists of three layers:
- ITCLC: IT Company Level Control: IT Governance/Policy; IT Risk Management; Training; Quality Assurance; IT Internal Audit
- ITGC: IT General Controls: logical access controls; system development life cycle controls; program change management controls; data center physical security controls; system and data backup and recovery; computer operation controls
- ITAC: IT Application Control (complete and accurate): Input Data Control; Process Control; Output Control
Diagram: within the Company, Application Systems (Accounting System, Sales System, ...) run over Development and Operation, which run over the IT Infrastructure (Network, Server, PC, ...).

What is IS Audit? (Again)
- "The process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently." – Ron Weber
- The purpose of IS Audit is to realize IT governance through independent and professional auditors who give appropriate assurance based on an evaluation of the risk management and control of the information system. – "Information System Audit Standard", Japan Ministry of Economy, Trade and Industry

Information System Audit: Who becomes an Auditor?
Certification:
- CISA (Certified Information Systems Auditor) by ISACA (Information Systems Audit and Control Association), from 1978. More than 75,000 professionals in nearly 160 countries; for both (Account) Auditors and IT Specialists.
  - (Account) Auditor: with experience of accounting audit -> information system audit
  - IT Specialist
- System Auditor by the Japan Information Technology Engineers Examination, from 1985, mainly for IT Specialists with experience of IT strategy, development, project management, IT security, service management, ...
If an (Account) Auditor wants to become an IS auditor, he/she should master at least the skill and knowledge of the FE exam level.

Target of IS Audit and IS Auditor's Skill and Knowledge: CISA examination domains (% of number of questions in the CISA exam)
- Domain 1—IS Audit Process (10%) <= skill and knowledge for conducting an IT audit
- Domain 2—IT Governance (15%)
- Domain 3—Systems and Infrastructure Lifecycle Management (16%)
- Domain 4—IT Service Delivery and Support (14%)
- Domain 5—Protection of Information Assets (31%)
- Domain 6—Business Continuity and Disaster Recovery (14%)
Domains 2–6 <= target of IS audit, and skill and knowledge of IT systems and points of audit

Map of IS Auditor's skill and knowledge (axes: IT Technical, IT Management, IT Governance, Audit Process & Method)
- D1—IS Audit Process: process, method, communication, related standards
- D2—IT Governance: IT strategy, organization management, risk management
- D3—Systems and Infrastructure Lifecycle Management: development method, software testing, system/application architecture, e-commerce/application knowledge, application control, project management, SQM
- D4—IT Service Delivery and Support: H/W, OS, middleware, network & DB, operation & maintenance, service delivery, service support, service strategy
- D5—Protection of Information Assets: security policy & strategy, network security, security technology, logical security, physical security, IT security audit
- D6—Business Continuity and Disaster Recovery: operation & maintenance, backup & recovery, business contingency planning

Overview of D1—IS Audit Process: Task & Process
Example: a small audit of logical access control (control over which users and programs may access data, programs and applications). The purpose is to evaluate the validity of the logical access control (passwords) in the targeted organization:
- Review the regulation on the policy, management and usage of passwords
- Inspect and survey the management of passwords
- Report whether the current regulation and management of passwords is appropriate or not
- Recommend how to modify and improve the logical access control for passwords
Summary of the audit process: Audit Planning -> Perform Test -> Reporting -> Follow-up Activity
Topics: audit mission and planning; laws and regulations; standards and guidelines for IS auditing; risk analysis; internal controls; performing an IS audit.

Overview of D2—IT Governance
To provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.
Examples of target:
- Planning the IT strategy with an IT Steering Committee
- Implementation of the IT strategy
- Business Process Reengineering
- Risk management for the IT strategy
- Organization and personnel management

Overview of D3—Systems and Infrastructure Lifecycle Management
To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization's objectives.
Examples of target:
- Application development process and regulation, including needs analysis, cost estimation and quality management
- Validation of the computer & system architecture for the application
- Application control
- Management of outsourcing and vendors

Overview of D4—IT Service Delivery and Support
To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization's objectives.
Examples of target:
- Service Level Agreement
- Validation of hardware and software
- Validation of the network infrastructure
- Monitoring of the information system/infrastructure
- Capacity and configuration management; configuration management of software
- Regulation of operation and maintenance
- Help (service) desk and incident/problem management

Overview of D5—Protection of Information Assets
To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.
Examples of target:
- Policy and regulation of IT security, including risk management
- Validation of logical access control such as passwords and authentication
- Validation of physical access control with security technology and devices
- Validation of the security of the network infrastructure
- Validation of the encryption system
- Validation of environmental controls against fire, power breakdown and ...

Overview of D6—Business Continuity and Disaster Recovery
To provide assurance that, in the event of a disruption, the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.
Examples of target:
- Business Impact Analysis (BIA) and Disaster Recovery Planning (DRP)
- Validation of backup and recovery against disasters
- Validation of the means for continuity against disasters

Where does an IS auditor work?
- The Company & Organization being audited: Policy and Strategy; Organization and Regulation/Standard; Business Activities; Business Infrastructure
- Audit Company (External Audit): Accounting Audit; IS Audit
- Consultant Company: IS Consultant (consulting)
- Inside the company: Internal Audit (assurance and consulting)