IT Auditing in the Small Audit Shop
Beth Breier, CPA, CISA, City of Tallahassee
IIA_Tampa_2-3-2004


1 IT Auditing in the Small Audit Shop
Beth Breier, CPA, CISA
City of Tallahassee
breierb@talgov.com
http://talgov.com/citytlh/auditing/index.html

2 Outline
• Using IT in Audits vs. IT Audits
• Types of IT Audits
• Determining What Audits to Do
• IT Audit Examples
• Successful Strategies
• References

3 Using IT in Audits
Using IT tools to analyze data within a performance or financial audit

4 Using IT in Audits
• Exporting data from application systems
• Using IT software to identify trends, “outliers”, exceptions, etc.
• Entire populations can be analyzed

5 Using IT in Audits
• MS Access
• ACL
• IDEA
• SQL
• Business Objects
• Focus

6 Using IT in Audits
• Disbursement data
  – Benford Analysis
  – Invoices between or over a specified dollar amount
  – Duplicate invoices
• Fleet data
  – Total work order costs by vehicle for year
• Transactions conducted by an individual user or vendor
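
The disbursement tests listed on this slide, worked through in Python as an added example (not part of the original presentation). The sample rows, the function names and the 5,000 approval limit are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample disbursements (invoice_no, vendor, amount); not real data.
ROWS = [
    ("INV-1001", "Acme Tire", 1842.50),
    ("INV-1002", "Acme Tire", 129.99),
    ("inv 1001", "Acme Tire", 1842.50),   # same invoice keyed a second time
    ("7731", "City Fuel", 4990.00),
    ("7732", "City Fuel", 4985.00),
    ("7733", "City Fuel", 4999.99),
    ("A-55", "Delta Parts", 312.40),
    ("A-56", "Delta Parts", 17.25),
    ("A-57", "Delta Parts", 2210.00),
    ("9001", "Echo Towing", 5600.00),
]
APPROVAL_LIMIT = 5000.00  # hypothetical purchasing-approval threshold


def benford(rows):
    """Per leading digit 1-9: (observed count, count expected under Benford's law)."""
    # Scientific notation puts the leading significant digit first.
    digits = [int(f"{abs(amt):e}"[0]) for _, _, amt in rows if amt != 0]
    seen = Counter(digits)
    n = len(digits)
    return {d: (seen[d], n * math.log10(1 + 1 / d)) for d in range(1, 10)}


def duplicates(rows):
    """Invoice groups sharing vendor, amount and invoice number (case/punctuation ignored)."""
    groups = defaultdict(list)
    for inv, vendor, amt in rows:
        key = (vendor.lower(), re.sub(r"[^A-Z0-9]", "", inv.upper()), round(amt * 100))
        groups[key].append(inv)
    return [invs for invs in groups.values() if len(invs) > 1]


def in_range(rows, low, high=None):
    """Invoices with low <= amount < high; high=None means 'at or over low'."""
    return [inv for inv, _, amt in rows if amt >= low and (high is None or amt < high)]


if __name__ == "__main__":
    for d, (obs, exp) in benford(ROWS).items():
        print(f"digit {d}: observed {obs}, expected {exp:.1f}")
    print("possible duplicates:", duplicates(ROWS))
    print("just under limit:", in_range(ROWS, APPROVAL_LIMIT * 0.98, APPROVAL_LIMIT))
    print("at or over limit:", in_range(ROWS, APPROVAL_LIMIT))
```

Ten rows are far too few for a meaningful Benford comparison; the test is intended for entire populations exported from the application system.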

7 IT Audit
Conducting an audit or review of information technology “to ensure the productivity, usefulness, and availability of the IT systems that serve organizations.”
IT Audits, Xenia Ley Parker (2003)

8 IT Audits
• Separate audit
• Combined with performance or financial audit

9 Types of IT Audits
• IT General Controls
• Application Controls - Software
• IT Project Progress

10 IT General Controls
General Controls are the structure, policies, and procedures that apply to an entity’s overall computer operations.
Federal Information System Controls Audit Manual, GAO, 1999

11 IT General Controls
• Entity-wide Security Planning and Management
• Access Controls
• Application Development/Change Controls
• System Software
• Segregation of Duties
• Service Continuity
• IT Governance

12 Software Application
Any application that affects the financial statements or provides information that management relies on to measure performance or make decisions.

13 Software Application
• Input
  – Including interfaces
• Processing
• Output
  – Including interfaces

14 IT Project Progress
Conducting an assurance and consulting audit during a specified phase of a major IT project.

15 IT Project Progress
• Audit Phases:
  – Planning
  – Acquisition
  – Implementation
  – Post-Implementation

16 Determining What Audits to Do
• Gain an understanding of IT in Organization:
  – Environments
  – Connectivity
  – Locations
  – Operating Systems
  – Application Systems

17 Environments
[Diagram: Data, Remote, Network, Operating System, Database, Application; labeled "ISS Provides" and "Department-Owner Provides"]

18 Example Network 1

19 Example Network 2

20 Example Network 3
Put in an example diagram of network

21 Determining What Audits to Do
• Listing of Operating Systems
  – Windows 95, 98, NT
  – Windows 2000, XP
  – UNIX
  – LINUX

22 Determining What Audits to Do
• Listing of all Software Applications and their Owners:
  – Financial statement related systems
  – Other systems

23 Example

24 Example

25 Example

26 Determining What Audits to Do
• Do a Risk Assessment and consider impact on:
  – Business Operations
  – Revenues
  – Expenditures
  – Management Decision-making
  – Political and public crisis

27 Determining What Audits to Do
• Other areas that impact Risk Assessment:
  – Available staffing w/ needed skills
  – Meets current standards
  – Formal business owner
  – Maturity of IS operations

28 Audit Planning
• Based on your risk assessment, outline a potential progression of audits:
  1. Start broad
  2. Narrow down into specific areas

29 Consider All the Pieces
[Diagram: New IT System; Infrastructure and Security; IS General Operations; Performance Measures; Financial Statements]

30 Develop your IT Audit Plan
[Diagram: IS General Operations; Infrastructure and Security; Financial Statements; Performance Measures; New IT System]

31 IT Audit Examples
1. General Control - Logical Security
2. Application Control – Fleet Management System
3. IT Project Progress – Planning and Acquisition

32 General Controls - Audit Example: Logical Security
• Objectives:
  – General understanding of the network
  – Logical access paths
  – Adequacy of policies and procedures
  – Security controls management believed were in place

33 General Controls - Audit Example: Logical Security
• Objectives (Continued):
  – Controls in place to prevent unauthorized access in the City’s LAN
  – Accessibility to confidential information

34 General Controls - Audit Example: Logical Security
• Procedures:
  – Interview IS staff and business staff
  – Review network schema
  – Examine network security system settings, user specific settings
  – Examine relevant laws, ordinances, policies, etc. re: confidential information
  – Examine and test user security at network, databases, applications
  – Conduct vulnerability assessment procedures

35 Issues - Federal Agencies

36 Application Controls – Audit Example: Fleet Application
• Objectives
  – Understand the internal control components
  – Evaluate application controls
  – Evaluate selected general controls

37 Application Controls – Audit Example: Fleet Application
• Procedures
  – Review documentation
  – Identify and prioritize controls
  – Test effectiveness of controls
  – Examine interface programs and test interfaces
  – Test accuracy and completeness of reports

38 Application Controls – Audit Example: Fleet Application
• Issues:
  – Poor input controls (validation, etc.)
  – Specific controls not working
  – Calculations not accurate
  – Reports not complete or accurate
  – Interfaces not working as intended

39 Application Controls – Audit Example: Fleet Application
• Issues (Continued)
  – Lack of segregation of duties – users and IS staff
  – No software change management procedures
  – No written backup and recovery procedures

40 IT Project Progress – Audit Example: Public Safety Systems Integration
• Phase: Planning and Acquisition
• Objectives:
  – Compliance with City policies and procedures and contract requirements
  – Independent assessment of risk management and project controls
  – Project status and accomplishments
  – Significant issues and status

41 IT Project Progress – Audit Example: Public Safety Systems Integration
• Procedures:
  – Advisory (non-voting) member of project teams and committees
  – Review key documentation (RFPs, contracts)
  – Test transactions for appropriateness
  – Interview key IS and user department staff
  – Observe contract negotiations

42 IT Project Progress – Audit Example: Public Safety Systems Integration
• Issues:
  – No cost benefit analysis conducted
  – Needs assessment not documented
  – No documentation of major decisions
  – Lack of budget monitoring
  – Lack of management oversight
  – Lack of communication among project team and/or management

43 IT Project Progress – Audit Example: Public Safety Systems Integration
• Issues (Continued):
  – Needs and expectations exceed scope
  – Lack of communication among projects
  – No plan to address insufficient infrastructure to support new system
  – New system will require more technical expertise than City or department has

44 3 Recommended Strategies
• Start broad and then narrow the focus
• Limit scope for a reasonable time frame
• Plan specific IT training for staff

45 References - Audit Programs
• GAO Federal Information System Controls Audit Manual (FISCAM) (http://www.gao.gov/policy/guidance.htm)
  – General Controls
  – Currently developing Chapter 4 on Application Controls
• NASACT Information Systems Security Audit Forum (ISSAF) web page (http://www.nasact.org/IISAF/about.html)

46 References - Audit Programs
• CoBIT - Information Systems Audit and Control Association (ISACA) (http://www.isaca.org/)
• ISACA Systems Auditability and Control
• IT Audits, Xenia Ley Parker, published by Aspen, 2003
• Handbook on IT Auditing (Warren, Edelson & Parker)
• www.ITAudit.org

47 References - Audit Programs
• Federal Information Processing Standards (FIPS), http://csrc.nist.gov/publications/fips/index.html, including:
  – FIPS 46-3, Data Encryption Standard (DES)
  – FIPS 112, Password Usage
• Computer Security Resource Center, http://csrc.nist.gov/index.html

48 “Do what you can with what you have where you are.”
Theodore Roosevelt
QUESTIONS?

