So You Want to Break Into the Industry… SAS No. 94 Requirements and Issues Related to IT Audits for Not-for-Profit Organizations.

2 BACKGROUND
What is SAS No. 94?
– Standard requiring “…the auditor considers how an entity’s use of information technology (IT) and manual procedures may affect controls relevant to the audit.”
– AU Section 319.16 – Effect of Information Technology on Internal Control
– Became effective on June 1, 2001

3 BACKGROUND
Why is SAS No. 94 important?
– An entity’s use of IT may affect any of the five components of internal control relevant to the achievement of the entity’s financial reporting, operations, or compliance objectives, and its operating units or business functions.
– The use of IT also affects the fundamental manner in which transactions are initiated, recorded, processed, and reported.

4 REQUIREMENTS
What professional skills are required to assess the effect of IT on internal control?
– Determined by the NPO’s use of IT and the scope of the audit
– Minimally, the auditor should have knowledge of the IT audit process and be able to assess the following:
    Protection of Information Assets
    IT Governance
    Systems and Infrastructure Lifecycle Management
– Certified Information Systems Auditors are qualified to assess all three (see http://www.isaca.org)

5 TYPICAL NPO ISSUES
Issue #1: Poor Protection of Information Assets
– Poor access controls, security architectures, encryption and/or virus prevention and detection
Examples From Our Case Study
– Blank administrative password to the database provided access to sensitive data including names, addresses, preferences, online donation history, and credit card numbers
– Objectionable material, contrary to the NPO’s mission, could be added into the body of the web site by a malicious user

6 TYPICAL NPO ISSUES
Issue #2: Lack of IT Governance
– Poor strategic alignment,
– Value delivery,
– Resource management,
– Risk management, and/or
– Performance measurement of IT
Example(s) From Our Case Study
– Senior management failed to define security objectives
– Corporate politics impaired the Technology Oversight Committee’s performance

7 TYPICAL NPO ISSUES
Issue #3: Weaknesses in Systems and Infrastructure Lifecycle Management
– Specifically, weaknesses in benefits management, project management, risk management, change management, system architectures, requirements analysis, acquisition and contract management, system development methodologies, quality assurance, data conversion and/or system migration
Examples From Our Case Study
– Failure to adhere to system development methodology
– Formal requirements were not developed
– The security of the 3rd party organization hosting the site was not reviewed prior to executing a contract
– Security was not tested prior to implementation

8 SCHOOL-SPECIFIC ISSUES
Poor Protection of Information Assets
– Poor data classification can lead to exposure of sensitive information without proper segregation of shared infrastructure
Lack of IT Governance
– Fiefdoms – Schools’ IT staffs place each other at risk by developing their own disparate control environments using shared infrastructure

9 BENEFITS
Win-Win for Auditors and Clients
– Provides clients and their stakeholders a higher level of assurance
– Provides value-added services to clients in an area where guidance is likely needed
– Protects the client relationship from competing firms that offer both financial and IT audit services
