IT AUDITS

IT AUDITS

- IT audits provide audit services where processes or data, or both, are embedded in technologies.
- Subject to the ethics, guidelines, and standards of the profession (if certified)
- CISA
  - Most closely associated with ISACA
- Joint with internal, external, and fraud audits
- Scope of IT audit coverage is increasing
- Characterized by CAATTs
- IT governance as part of corporate governance

FRAUD AUDITS

- Fraud audits provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
- Auditor is more like a detective
- No materiality
- Goal is conviction, if sufficient evidence of fraud exists
- CFE
  - ACFE

EXTERNAL AUDITS

- External auditing: the objective is that, in all material respects, the financial statements are a fair representation of the organization's transactions and account balances.
- SEC's role
- Sarbanes-Oxley Act
- FASB, PCAOB
- CPA
  - AICPA

ATTEST vs. ASSURANCE

ASSURANCE
- Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
- IT Audit Groups in the "Big Four" (e.g. Final Four)
  - IT Risk Management
  - I.S. Risk Management
  - Operational Systems Risk Management
  - Technology & Security Risk Services
- Typically a division of assurance services

ATTEST
- Definition
- Written assertions
- Practitioner's written report
- Formal establishment of measurement criteria or their description
- Limited to:
  - Examination
  - Review
  - Application of agreed-upon procedures

THE IT ENVIRONMENT

- There has always been a need for an effective internal control system.
- The design and oversight of that system has typically been the responsibility of accountants.
- The IT environment complicates the paper systems of the past:
  - Concentration of data
  - Expanded access and linkages
  - Increase in malicious activities in systems vs. paper
  - Opportunity that can cause management fraud (i.e., override)

The IT Audit

An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of the obtained evidence determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives.

The IT Audit

These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation engagement. External auditors can accept the result of an internal audit only if the function reports to the audit committee. External auditors may use and rely upon a 3rd-party IT audit firm.

IT Audit Process: 8 Steps

1. Plan the audit
2. Hold kickoff meeting
3. Gather data / test IT controls
4. Remediate identified deficiencies (organization)
5. Test remediated controls
6. Analyze and report findings
7. Respond to findings (organization)
8. Issue final report (auditor)

INTERNAL CONTROL

Internal control is ... policies, practices, procedures ... designed to:
- safeguard assets
- ensure accuracy and reliability
- promote efficiency
- measure compliance with policies

SAS 78: 5 internal control components

- Authorizations
- Segregation of functions
- Accounting records
- Access controls
- Independent verification
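The authorization and segregation-of-functions activities listed above are the kind of control an IT auditor tests with CAATTs (the computer-assisted tools mentioned on the IT AUDITS slide). The following Python is an added example, not from the original slides: it runs a segregation-of-functions test over role assignments and an authorization-limit test over approved payments, using constructed sample data; the user names, role names, limits and conflict pairs are all assumed.

```python
"""Two computer-assisted audit tests (CAATTs) over constructed sample data:
a segregation-of-functions test and an authorization-limit test."""
from collections import defaultdict

# Constructed sample data (not from any real system).
# Role-to-user assignments as an IT auditor would export them from an ERP.
ROLE_ASSIGNMENTS = [
    ("alice", "vendor_master_maintain"),
    ("alice", "payment_approve"),   # alice can create a vendor and pay it
    ("bob", "invoice_enter"),
    ("carol", "payment_approve"),
    ("dave", "invoice_enter"),
    ("dave", "payment_approve"),    # dave can enter an invoice and approve it
]

# Pairs of functions one person must not hold together (segregation of functions).
SOD_CONFLICTS = {
    frozenset({"vendor_master_maintain", "payment_approve"}),
    frozenset({"invoice_enter", "payment_approve"}),
}

# Approval limits from the authorization matrix (constructed).
APPROVAL_LIMITS = {"carol": 10_000, "alice": 50_000, "dave": 5_000}

# Approved payments pulled from the transaction log (constructed).
PAYMENTS = [
    {"id": "P-1", "approver": "carol", "amount": 8_500},
    {"id": "P-2", "approver": "dave", "amount": 12_000},  # exceeds dave's limit
    {"id": "P-3", "approver": "erin", "amount": 900},     # erin has no approval authority
]


def sod_violations(assignments, conflicts):
    """Map each user holding an incompatible pair of functions to the sorted pairs found."""
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        roles_by_user[user].add(role)
    found = {}
    for user, roles in roles_by_user.items():
        # A conflict applies when every function in the pair is held by this user.
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= roles]
        if hits:
            found[user] = sorted(hits)
    return found


def unauthorized_payments(payments, limits):
    """Return ids of payments whose approver lacked authority for that amount."""
    return [p["id"] for p in payments
            if p["amount"] > limits.get(p["approver"], 0)]
```

Both findings would be raised with the organization for remediation (step 4 of the audit process) and re-tested afterwards.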

BRIEF HISTORY - FCPA

Foreign Corrupt Practices Act
1. Accounting provisions
   - FCPA requires SEC registrants to establish and maintain books, records, and accounts.
   - It also requires establishment of internal accounting controls sufficient to meet these objectives:
     1. Transactions are executed in accordance with management's general or specific authorization.
     2. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP) and to maintain accountability.
     3. Access to assets is permitted only in accordance with management authorization.
     4. The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal foreign payments

BRIEF HISTORY - COSO

Committee of Sponsoring Organizations
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective model for internal controls over a number of years
3. Is widely adopted

BRIEF HISTORY - SOX

Sarbanes-Oxley Act
1. Section 404: Management Assessment of Internal Control
   - Management is responsible for establishing and maintaining the internal control structure and procedures.
   - Must certify by report on the effectiveness of internal control each year, with other annual reports.
2. Section 302: Corporate Responsibility for Incident Reports
   - Financial executives must disclose deficiencies in internal control, and fraud (whether the fraud is material or not).

EXPOSURES AND RISK

- Exposure (definition)
- Risks (definition)
- Types of risk
  - Destruction of assets
  - Theft of assets
  - Corruption of information or the I.S.
  - Disruption of the I.S.

THE P-D-C MODEL

- Preventive controls
- Detective controls
- Corrective controls
- Which is most cost effective?
- Which one tends to be proactive measures?
- Can you give an example of each?
- Predictive controls

COSO (Treadway Commission)

The five components of internal control are:
- The control environment
- Risk assessment
- Information & communication
- Monitoring
- Control activities

What is COBIT

COBIT supports IT governance by providing a framework to ensure:
- Strategic Alignment: IT is aligned with the business
- Value Delivery: IT delivers the promised benefits against the strategy
- Resource Management: Optimal investment in and management of IT resources
- Risk Management: IT risks are managed appropriately
- Performance Measurement: Track and monitor all areas of IT

Why COBIT?

"Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies' assets through the development of an IT governance model."

Benefits of implementing COBIT

- A better alignment of business and IT strategies
- A view, understandable to management, of what IT does
- Clear ownership and responsibilities of processes
- General acceptability with regulators and 3rd parties
- Shared understanding among all stakeholders, based on a common language
- Fulfillment of the COSO requirements for the IT control environment

COBIT Defined IT Activities

In a general process model, IT activities fall into four domains:
1. Plan & Organize IT activities to support the business
2. Acquire & Implement IT resources and strategies
3. Deliver & Support those resources and strategies
4. Monitor & Evaluate IT resources and strategies

4 Domains, 34 Processes

Plan & Organize
- PO1 Define a Strategic IT Plan
- PO2 Define the Information Architecture
- PO3 Determine Technological Direction
- PO4 Define the IT Processes, Organization and Relationships
- PO5 Manage the IT Investment
- PO6 Communicate Management Aims and Direction
- PO7 Manage IT Human Resources
- PO8 Manage Quality
- PO9 Assess and Manage IT Risks
- PO10 Manage Projects

Acquire & Implement
- AI1 Identify Automated Solutions
- AI2 Acquire and Maintain Application Software
- AI3 Acquire and Maintain Technology Infrastructure
- AI4 Enable Operation and Use
- AI5 Procure IT Resources
- AI6 Manage Changes
- AI7 Install and Accredit Solutions and Changes

Deliver & Support
- DS1 Define and Manage Service Levels
- DS2 Manage Third-party Services
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Service
- DS5 Ensure Systems Security
- DS6 Identify and Allocate Costs
- DS7 Educate and Train Users
- DS8 Manage Service Desk and Incidents
- DS9 Manage the Configuration
- DS10 Manage Problems
- DS11 Manage Data
- DS12 Manage the Physical Environment
- DS13 Manage Operations

Monitor & Evaluate
- ME1 Monitor and Evaluate IT Performance
- ME2 Monitor and Evaluate Internal Control
- ME3 Ensure Regulatory Compliance
- ME4 Provide IT Governance

Plan and Organize (PO)

- Are IT and the business strategy aligned?
- Is the enterprise achieving optimum use of its resources?
- Does everyone in the organization understand the IT objectives?
- Are IT risks understood and being managed?
- Is the quality of IT systems appropriate for business needs?

Acquire and Implement (AI)

- Are new projects likely to deliver solutions that meet business needs?
- Are new projects likely to be delivered on time and within budget?
- Will the new systems work properly when implemented?
- Will changes be made without upsetting current business operations?

Deliver and Support (DS)

- Are IT services being delivered in line with business priorities?
- Are IT costs optimized?
- Is the workforce able to use the IT systems productively and safely?
- Are adequate confidentiality, integrity and availability in place?

Monitor and Evaluate (ME)

- Is IT's performance measured to detect problems before it is too late?
- Does management ensure that internal controls are effective and efficient?
- Can IT performance be linked back to business goals?
- Are risk, control, compliance and performance measured and reported?

SAS 94: The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit

- Provides auditors with guidance on IT's effect on internal control and on the auditor's understanding of internal control and the assessment of control risk.
- Requires the auditor to consider how an organization's IT use affects his or her audit strategy.
- Where a significant amount of information is electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such cases, the auditor should gather evidence about the effectiveness of both the design and the operation of controls intended to reduce the assessed level of control risk.

SAS 78 (#5: Control Activities)

IT Risks Model

- Operations
- Data management systems
- New systems development
- Systems maintenance
- Electronic commerce (the Internet)
- Computer applications

End Ch. 1