Copyright: Internal Auditing: Assurance and Advisory Services, by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte.


Copyright: Internal Auditing: Assurance and Advisory Services, by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida U.S.A.

Chapter 7: Information Technology Risks and Controls

IT is intertwined with organizations' business objectives, strategies, and operations. IT initiatives must be considered in tandem with business initiatives to ensure alignment between the two. As a result, IT has changed the competencies that internal audit functions must possess and how they perform assurance and consulting services.

It is virtually impossible to provide value-adding services unless the internal audit function is highly proficient in its knowledge of IT risks and controls and has the capability to apply technology-based audit techniques effectively.

An IS or IT auditor works extensively in the area of computerized information systems and has deep IT risk, control, and audit expertise. At a minimum, EVERY internal auditor must have a sound understanding of certain fundamental IT concepts. All internal auditors need to understand the basic components of their organization's information systems, the IT risks that threaten the achievement of their organization's business objectives, and their organization's IT governance, risk management, and control processes.

I. Key Components of Modern Information Systems:
1. Computer hardware - physical components
2. Networks - link two or more computers
3. Computer software - operating system, utility, DBMS, application, and firewall
4. Database - repository of data
5. Information
6. People

Exhibit 7-2

II. Opportunities
1. E-commerce
2. ERP systems - a modular software system that enables organizations to integrate their business processes using a single operating database. Benefits include:
   1. online real-time processing of transactions,
   2. seamless interaction and sharing of information among functional areas,
   3. improved process performance,
   4. elimination or reduction of data redundancies and errors, and
   5. more timely decision-making
3. EDI - involves the computer-to-computer exchange of business documents in electronic form between an organization and its trading partners

II. Risks
1. Selection risk - selection of an IT solution that is misaligned with a strategic objective and/or that is insufficiently flexible and/or scalable
2. Development/Acquisition and Deployment risk - delays, cost overruns, abandonment of the project
3. Availability risk - the system is unavailable when needed
4. Hardware/Software risk - failure to perform properly can cause business interruption, damage to data, and financial loss
5. Access risk - unauthorized physical or logical access allows potential theft or misuse of data
6. System Reliability and Information Integrity risk - systematic errors or inconsistencies in processing could result in irrelevant, incomplete, inaccurate, or untimely information
7. Confidentiality and Privacy risk - unauthorized disclosure of business partners' proprietary information or individuals' personal information
8. Fraud and Malicious Acts risk - theft of IT resources, intentional misuse, or destruction

III. IT Governance
The IT Governance Institute (ITGI, 1998): IT governance is the responsibility of the board of directors and executive management. It consists of the leadership, structure, and oversight processes that ensure the organization's information technology supports the objectives and strategies of the organization.

IV. IT Risk Management
IT risk management is the process conducted by management to understand and handle the IT risks and opportunities that could affect the organization's ability to achieve its objectives. Each of the eight components of the ERM framework is relevant to IT risk management.

V. IT Controls
IT controls are commonly classified as general or application controls.
- General controls apply to all systems components, processes, and data for a given organization or systems environment.
- Application controls pertain to the scope of individual business processes or application systems.

Exhibit 7-5:
- Input Controls
- Processing Controls
- Output Controls
- Management Trail Controls

IT Controls
IT Governance controls consist of IT policies. IT Standards support IT policies by more specifically defining what is required to achieve the organization's objectives. IT Organization and Management controls provide assurance that the organization is structured with clearly defined lines of reporting and responsibility and has implemented effective control processes.

IT Controls
IT Physical and Environmental controls protect information system resources from accidental or intentional damage, misuse, or loss. IT Technical controls include systems software controls, systems development and acquisition controls, and application-based controls.

Exhibit 7-4

IT Governance
IT Policies:
- IT security and privacy
- Access and usage of information
- Responsibility and authority
- Business continuity planning

IT Management
Standards - define what is required to achieve objectives
Organization and Management - segregation of duties, change controls
Physical and Environmental Controls:
- Restrict access
- Disaster recovery plan
- Fire and hazard protection

Implications
Internal auditors must upgrade their IT knowledge and skills and adjust how they perform their work. Two Attribute Implementation Standards address IT proficiency and due professional care (1210.A3 and 1220.A2). Three Performance Implementation Standards specifically address responsibilities regarding information systems and technology (2110.A2, 2120.A1, and 2130.A1).

Proficiency
1210.A3 - Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

Due Professional Care
1220.A2 - In exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques.

Governance
2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

Risk Management
2120.A1 - The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
- Achievement of the organization's strategic objectives;
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, regulations, policies, procedures, and contracts.

Control
2130.A1 - The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
- Achievement of the organization's strategic objectives;
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, regulations, policies, procedures, and contracts.

IT Outsourcing is the transferring of IT functions to an outside provider to achieve cost reductions while improving service quality and efficiency.

Integrated Auditing occurs when IT risk and control assessments are incorporated into assurance engagements conducted to assess process-level financial reporting, operations, and/or compliance risks and controls.


Sources of IT audit guidance include the Global Technology Audit Guide (GTAG) series and the Guide to the Assessment of IT Risk (GAIT) series.

While the IIA and COSO are connected to internal auditing, ISACA and COBIT are connected to IT auditing.

Exhibit 7-1

Exhibit 7-3

Exhibit 7-5

Exhibit 7-6