
1. IT AUDITS  IT audits: provide audit services where processes or data, or both, are embedded in technologies.  Subject to ethics, guidelines, and.


2 IT AUDITS
- IT audits: provide audit services where processes or data, or both, are embedded in technologies.
- Subject to ethics, guidelines, and standards of the profession (if certified)
- CISA
  - Most closely associated with ISACA
- Joint with internal, external, and fraud audits
- Scope of IT audit coverage is increasing
- Characterized by CAATTs
- IT governance as part of corporate governance

3 FRAUD AUDITS
- Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
- Auditor is more like a detective
- No materiality
- Goal is conviction, if sufficient evidence of fraud exists
- CFE
- ACFE

4 EXTERNAL AUDITS
- External auditing: objective is that, in all material respects, financial statements are a fair representation of the organization's transactions and account balances.
- SEC's role
- Sarbanes-Oxley Act
- FASB - PCAOB
- CPA
- AICPA

5 ATTEST vs. ASSURANCE
- ASSURANCE
  - Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
  - IT Audit Groups in "Big Four" (e.g. Final Four)
    - IT Risk Management
    - I.S. Risk Management
    - Operational Systems Risk Management
    - Technology & Security Risk Services
  - Typically a division of assurance services

6 ATTEST
- ATTEST definition
  - Written assertions
  - Practitioner's written report
  - Formal establishment of measurement criteria or their description
- Limited to:
  - Examination
  - Review
  - Application of agreed-upon procedures

7 THE IT ENVIRONMENT
- There has always been a need for an effective internal control system.
- The design and oversight of that system has typically been the responsibility of accountants.
- The I.T. environment complicates the paper systems of the past:
  - Concentration of data
  - Expanded access and linkages
  - Increase in malicious activities in systems vs. paper
  - Opportunity that can cause management fraud (i.e., override)

8 The IT Audit
An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives.

9 The IT Audit
These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation engagement. External auditors can accept the result of an internal audit only if the function reports to the audit committee. External auditors may use and rely upon a 3rd-party IT audit firm.

10 IT Audit Process: 8 Steps
1. Plan the audit
2. Hold kickoff meeting
3. Gather data/test IT controls
4. Remediate identified deficiencies (organization)
5. Test remediated controls
6. Analyze and report findings
7. Respond to findings (organization)
8. Issue final report (auditor)

11 INTERNAL CONTROL
- is ... policies, practices, procedures ... designed to ...
  - safeguard assets
  - ensure accuracy and reliability
  - promote efficiency
  - measure compliance with policies

12 SAS 78: 5 internal control components
- Authorizations
- Segregation of functions
- Accounting records
- Access controls
- Independent verification

13 BRIEF HISTORY - FCPA: Foreign Corrupt Practices Act, 1977
1. Accounting provisions
   - FCPA requires SEC registrants to establish and maintain books, records, and accounts.
   - It also requires establishment of internal accounting controls sufficient to meet objectives:
     1. Transactions are executed in accordance with management's general or specific authorization.
     2. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
     3. Access to assets is permitted only in accordance with management authorization.
     4. The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal foreign payments

14 BRIEF HISTORY - COSO: Committee of Sponsoring Organizations, 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective model for internal controls over a number of years
3. Is widely adopted

15 BRIEF HISTORY - SOX: Sarbanes-Oxley Act, 2002
1. Section 404: Management Assessment of Internal Control
   - Management is responsible for establishing and maintaining internal control structure and procedures.
   - Must certify by report on the effectiveness of internal control each year, with other annual reports.
2. Section 302: Corporate Responsibility for Incident Reports
   - Financial executives must disclose deficiencies in internal control, and fraud (whether the fraud is material or not).

16 EXPOSURES AND RISK
- Exposure (definition)
- Risks (definition)
- Types of risk
  - Destruction of assets
  - Theft of assets
  - Corruption of information or the I.S.
  - Disruption of the I.S.

17 THE P-D-C MODEL
- Preventive controls
- Detective controls
- Corrective controls
- Which is most cost effective?
- Which one tends to be proactive measures?
- Can you give an example of each?
- Predictive controls

18 COSO (Treadway Commission)
The five components of internal control are:
- The control environment
- Risk assessment
- Information & communication
- Monitoring
- Control activities

19 What is COBIT
COBIT supports IT governance by providing a framework to ensure:
- Strategic Alignment: IT is aligned with the business
- Value Delivery: IT delivers the promised benefits against the strategy
- Resource Management: Optimal investment and management of IT resources
- Risk Management: IT risks are managed appropriately
- Performance Measurements: Track and monitor all areas of IT

20 Why COBIT?
"Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies' assets through the development of an IT governance model."

21 Benefits of implementing COBIT
- A better alignment of business and IT strategies
- A view, understandable to management, of what IT does
- Clear ownership and responsibilities of processes
- General acceptability with regulators and 3rd parties
- Shared understanding among all stakeholders, based on a common language
- Fulfillment of the COSO requirements for the IT control environment

22 COBIT Defined IT Activities
In a general process model, IT activities fall into four domains:
1. Plan & Organize IT activities to support the business
2. Acquire & Implement IT resources and strategies
3. Deliver & Support those resources and strategies
4. Monitor & Evaluate IT resources and strategies

23 4 Domains, 34 Processes
Plan & Organize
- PO1 Define a Strategic IT Plan
- PO2 Define the Information Architecture
- PO3 Determine Technological Direction
- PO4 Define the IT Processes, Organization and Relationships
- PO5 Manage the IT Investment
- PO6 Communicate Management Aims and Direction
- PO7 Manage IT Human Resources
- PO8 Manage Quality
- PO9 Assess and Manage IT Risks
- PO10 Manage Projects
Acquire & Implement
- AI1 Identify Automated Solutions
- AI2 Acquire and Maintain Application Software
- AI3 Acquire and Maintain Technology Infrastructure
- AI4 Enable Operation and Use
- AI5 Procure IT Resources
- AI6 Manage Changes
- AI7 Install and Accredit Solutions and Changes
Deliver & Support
- DS1 Define and Manage Service Levels
- DS2 Manage Third-party Services
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Service
- DS5 Ensure Systems Security
- DS6 Identify and Allocate Costs
- DS7 Educate and Train Users
- DS8 Manage Service Desk and Incidents
- DS9 Manage the Configuration
- DS10 Manage Problems
- DS11 Manage Data
- DS12 Manage the Physical Environment
- DS13 Manage Operations
Monitor & Evaluate
- ME1 Monitor and Evaluate IT Performance
- ME2 Monitor and Evaluate Internal Control
- ME3 Ensure Regulatory Compliance
- ME4 Provide IT Governance

24 Plan and Organize (PO)
- Are IT and the business strategy aligned?
- Is the enterprise achieving optimum use of its resources?
- Does everyone in the organization understand the IT objectives?
- Are IT risks understood and being managed?
- Is the quality of IT systems appropriate for business needs?

25 Acquire and Implement (AI)
- Are new projects likely to deliver solutions that meet business needs?
- Are new projects likely to be delivered on time and within budget?
- Will the new systems work properly when implemented?
- Will changes be made without upsetting current business operations?

26 Deliver and Support (DS)
- Are IT services being delivered in line with business priorities?
- Are IT costs optimized?
- Is the workforce able to use the IT systems productively and safely?
- Are adequate confidentiality, integrity and availability in place?

27 Monitor and Evaluate (ME)
- Is IT's performance measured to detect problems before it is too late?
- Does management ensure that internal controls are effective and efficient?
- Can IT performance be linked back to business goals?
- Are risk, control, compliance and performance measured and reported?

28 SAS 94: The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
Provides auditors with guidance on IT's effect on internal control and on the auditor's understanding of internal control and the assessment of control risk. Requires the auditor to consider how an organization's IT use affects his or her audit strategy.
Where a significant amount of information is electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such cases, the auditor should gather evidence about the effectiveness of both the design and operation of controls intended to reduce the assessed level of control risk.

29 SAS 78 (#5: Control Activities)

30 IT Risks Model
- Operations
- Data management systems
- New systems development
- Systems maintenance
- Electronic commerce (the Internet)
- Computer applications

31 End Ch. 1
