Auditing Information Systems (AIS)


Auditing Information Systems (AIS) Lecture - 4

Computer-assisted Audit Techniques
CAATs enable IS auditors to gather information independently. CAATs include:
- Generalized audit software (GAS)
- Utility software
- Debugging and scanning software
- Test data
- Application software tracing and mapping
- Expert systems

Computer-assisted Audit Techniques (continued)
Items to consider before utilizing CAATs:
- Ease of use for existing and future audit staff
- Training requirements
- Complexity of coding and maintenance
- Flexibility of uses
- Installation requirements
- Processing efficiencies
- Confidentiality of data being processed

Computer-assisted Audit Techniques (continued)
CAATs as a continuous online audit approach improve audit efficiency. IS auditors must:
- develop audit techniques for use with advanced computerized systems
- be involved in the creation of advanced systems
- make greater use of automated tools

Fraud Detection
- Management's responsibility
- Benefits of a well-designed internal control system:
  - Deterring fraud at the first instance
  - Detecting fraud in a timely manner
- Fraud detection and disclosure
- Auditor's role in fraud prevention and detection

Case Study A - Scenario
The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management's review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation.

Case Study A - Scenario (continued)
Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.

Case Study A - Question
1. What should the IS auditor do FIRST?
A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.
The correct answer is A.

Case Study A - Question
When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.
The correct answer is B.
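The following is an added example, not part of the lecture slides, of how a CAAT (a small generalized-audit-software-style script) would implement answer B: draw a sample from the population of changes to production code and trace each change to its authorizing documentation, flagging undocumented, unapproved or non-independently approved changes (the segregation-of-duties weakness the scenario mentions). The deployment log, ticket records, field names and ticket IDs are all constructed for the example.

```python
"""CAAT-style test of program change management (added example, not from the
lecture slides). A sample of changes to production code is drawn from a
constructed deployment log and each change is traced to an authorizing change
ticket; changes without a matching, independently approved ticket are
exceptions. Field names, ticket IDs and the log layout are assumptions."""
import random

# Constructed production deployment log (the population being tested).
PRODUCTION_CHANGES = [
    {"change_id": "CHG-1001", "module": "payroll.calc", "deployed_by": "alice"},
    {"change_id": "CHG-1002", "module": "ap.invoice",   "deployed_by": "bob"},
    {"change_id": None,       "module": "gl.post",      "deployed_by": "bob"},    # deployed with no ticket reference
    {"change_id": "CHG-1004", "module": "ar.cash",      "deployed_by": "carol"},
    {"change_id": "CHG-1005", "module": "payroll.tax",  "deployed_by": "alice"},
]

# Constructed change tickets (the authorizing documentation).
CHANGE_TICKETS = {
    "CHG-1001": {"status": "approved", "approved_by": "dave", "requested_by": "alice"},
    "CHG-1002": {"status": "approved", "approved_by": "bob",  "requested_by": "bob"},   # self-approved
    "CHG-1004": {"status": "open",     "approved_by": None,   "requested_by": "carol"}, # never approved
    "CHG-1005": {"status": "approved", "approved_by": "dave", "requested_by": "alice"},
}

def sample_changes(changes, size, seed=0):
    """Draw a reproducible random sample from the population of production changes."""
    return random.Random(seed).sample(changes, min(size, len(changes)))

def trace_change(change, tickets):
    """Return None if the change traces to an approved ticket, else the exception reason."""
    ticket = tickets.get(change["change_id"]) if change["change_id"] else None
    if ticket is None:
        return "no authorizing ticket for deployment"
    if ticket["status"] != "approved" or not ticket["approved_by"]:
        return "ticket not approved"
    # Approval by the requester or the deployer is not independent authorization
    # (the incompatible-duties problem noted in the scenario).
    if ticket["approved_by"] in (ticket["requested_by"], change["deployed_by"]):
        return "approver not independent of requester/deployer"
    return None

def trace_sample(sample, tickets):
    """Workpaper view: each sampled change mapped to its exception (None = traced OK)."""
    return {(c["change_id"] or f"<unreferenced:{c['module']}>"): trace_change(c, tickets)
            for c in sample}

if __name__ == "__main__":
    for key, exc in trace_sample(PRODUCTION_CHANGES, CHANGE_TICKETS).items():
        print(f"{key:28} {'OK' if exc is None else 'EXCEPTION: ' + exc}")
```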

Case Study B - Scenario
An IS auditor is planning to review the security of a financial application for a large company with several locations worldwide. The application system is made up of a web interface, a business logic layer and a database layer. The application is accessed locally through a LAN and remotely through the Internet via a VPN connection.

Case Study B - Question
2. Given that the application is accessed through the Internet, how should the auditor determine whether to perform a detailed review of the firewall rules and virtual private network (VPN) configuration settings?
A. Documented risk analysis
B. Availability of technical expertise
C. Approach used in previous audit
D. IS auditing guidelines and best practices
The correct answer is A.

Case Study B - Question
3. During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST:
A. review the authorization on a sample of transactions.
B. immediately report this finding to upper management.
C. request that auditee management review the appropriateness of access rights for all users.
D. use a generalized audit software to check the integrity of the database.
The correct answer is A.
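An added example (not from the lecture slides) of the work behind answer A: a substantive review of authorization on a sample of transactions from the financial application. Each sampled transaction's approver is checked against a role/privilege matrix for an authorizing role, an authorization limit, and independence from the initiator. The role matrix, user list, transactions and limits are constructed for the example.

```python
"""Review of transaction authorization on a sample of transactions (added
example, not from the lecture slides). Constructed transactions are checked
against a constructed role/privilege matrix: the approver must exist, hold an
authorizing role, stay within that role's limit, and not be the initiator.
All names, roles, limits and field names are assumptions."""
import random

# Constructed role/privilege matrix and user-to-role assignments.
ROLES = {
    "clerk":      {"can_authorize": False, "limit": 0},
    "supervisor": {"can_authorize": True,  "limit": 10_000},
    "controller": {"can_authorize": True,  "limit": 250_000},
}
USER_ROLES = {"ann": "clerk", "ben": "supervisor", "cho": "controller", "dan": "clerk"}

# Constructed transactions as they might be extracted from the application's payment table.
TRANSACTIONS = [
    {"txn": "T-001", "amount": 4_500,   "initiated_by": "ann", "approved_by": "ben"},
    {"txn": "T-002", "amount": 60_000,  "initiated_by": "ann", "approved_by": "ben"},   # over supervisor limit
    {"txn": "T-003", "amount": 900,     "initiated_by": "dan", "approved_by": "dan"},   # self-approved
    {"txn": "T-004", "amount": 120_000, "initiated_by": "ben", "approved_by": "cho"},
    {"txn": "T-005", "amount": 2_000,   "initiated_by": "ann", "approved_by": "dan"},   # clerk cannot authorize
    {"txn": "T-006", "amount": 700,     "initiated_by": "ann", "approved_by": None},    # no approval at all
]

def sample_transactions(txns, size, seed=0):
    """Reproducible random sample of transactions from the extracted population."""
    return random.Random(seed).sample(txns, min(size, len(txns)))

def authorization_exception(txn):
    """Return None if the transaction was properly authorized, else the exception reason."""
    approver = txn["approved_by"]
    if not approver:
        return "no approval recorded"
    if approver == txn["initiated_by"]:
        return "initiator approved own transaction"
    role = ROLES.get(USER_ROLES.get(approver, ""))
    if role is None or not role["can_authorize"]:
        return "approver has no authorizing role"
    if txn["amount"] > role["limit"]:
        return "amount exceeds approver's authorization limit"
    return None

def review_sample(sample):
    """Workpaper view: transaction id -> exception reason (None = authorized correctly)."""
    return {t["txn"]: authorization_exception(t) for t in sample}

if __name__ == "__main__":
    for txn, exc in review_sample(TRANSACTIONS).items():
        print(f"{txn}: {'OK' if exc is None else 'EXCEPTION: ' + exc}")
```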

Conclusion
Chapter 1 Quick Reference Review, page 32 of CISA Review Manual 2010