
Copyright: Internal Auditing: Assurance and Advisory Services, by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A.

Chapter 7: Information Technology Risks and Controls

IT is intertwined with organizations' business objectives, strategies, and operations. IT initiatives must be considered in tandem with business initiatives to ensure alignment between the two. As a result, IT has changed the competencies that internal audit functions must possess and how they perform assurance and consulting services.

It is virtually impossible to provide value-adding services unless the internal audit function is highly proficient in its knowledge of IT risks and controls and has the capability to effectively apply technology-based audit techniques.

An IS or IT auditor works extensively in the area of computerized information systems and has deep IT risk, control, and audit expertise. At a minimum, EVERY internal auditor must have a sound understanding of certain fundamental IT concepts. All internal auditors need to understand the basic components of their organization's information systems, the IT risks that threaten the achievement of their organization's business objectives, and their organization's IT governance, risk management, and control processes.

I. Key Components of Modern Information Systems

1. Computer hardware - physical components
2. Networks - link two or more computers
3. Computer software - operating system, utility, DBMS, application, and firewall software
4. Database - repository of data
5. Information
6. People

Exhibit 7-2 (figure; see textbook)

II. Opportunities

1. E-commerce
2. ERP systems - a modular software system that enables organizations to integrate their business processes using a single operating database. Benefits include:
   1. online real-time processing of transactions,
   2. seamless interaction and sharing of information among functional areas,
   3. improved process performance,
   4. elimination or reduction of data redundancies and errors, and
   5. more timely decision-making.
3. EDI - involves the computer-to-computer exchange of business documents in electronic form between an organization and its trading partners

II. Risks

1. Selection risk - selection of an IT solution that is misaligned with a strategic objective, and/or that is insufficiently flexible and/or scalable
2. Development/Acquisition and Deployment risk - delays, cost overruns, abandonment of the project
3. Availability risk - the system is unavailable when needed
4. Hardware/Software risk - failure to perform properly can cause business interruption, damage to data, and financial loss

II. Risks (continued)

5. Access risk - unauthorized physical or logical access allows potential theft or misuse of data
6. System Reliability and Information Integrity risk - systematic errors or inconsistencies in processing could result in irrelevant, incomplete, inaccurate, or untimely information
7. Confidentiality and Privacy risk - unauthorized disclosure of business partners' proprietary information or individuals' personal information
8. Fraud and Malicious Acts risk - theft of IT resources, intentional misuse, or destruction

III. IT Governance

The IT Governance Institute (ITGI, 1998): IT governance is the responsibility of the board of directors and executive management. It consists of the leadership, structure, and oversight processes that ensure the organization's information technology supports the objectives and strategies of the organization.

IV. IT Risk Management

IT risk management is the process conducted by management to understand and handle the IT risks and opportunities that could affect the organization's ability to achieve its objectives. Each of the eight components of the ERM framework is relevant to IT risk management.

V. IT Controls

IT controls are commonly classified as general or application controls.

- General controls apply to all systems components, processes, and data for a given organization or systems environment.
- Application controls pertain to the scope of individual business processes or application systems.

Input Controls (Exhibit 7-5)

Processing Controls

Output Controls

Management Trail Controls

IT Controls

IT Governance controls consist of IT policies. IT Standards support IT policies by more specifically defining what is required to achieve the organization's objectives. IT Organization and Management controls provide assurance that the organization is structured with clearly defined lines of reporting and responsibility and has implemented effective control processes.

IT Controls (continued)

IT Physical and Environmental controls protect information system resources from accidental or intentional damage, misuse, or loss. IT Technical controls include systems software controls, systems development and acquisition controls, and application-based controls.

Exhibit 7-4 (figure; see textbook)

IT Governance

IT Policies:
- IT security and privacy
- Access and usage of information
- Responsibility and authority
- Business continuity planning

IT Management

Standards - define what is required to achieve objectives

Organization and Management - segregation of duties, change controls

Physical and Environmental Controls:
- Restrict access
- Disaster recovery plan
- Fire and hazard protection

Implications

Internal auditors must upgrade their IT knowledge and skills and adjust how they perform their work. Two Attribute Implementation Standards address IT proficiency and due professional care (1210.A3 and 1220.A2). Three Performance Implementation Standards specifically address responsibilities regarding information systems and technology (2110.A2, 2120.A1, and 2130.A1).

Proficiency

1210.A3 - Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

Due Professional Care

1220.A2 - In exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques.

Governance

2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

Risk Management

2120.A1 - The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
- Achievement of the organization's strategic objectives;
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, regulations, policies, procedures, and contracts.

Control

2130.A1 - The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
- Achievement of the organization's strategic objectives;
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, regulations, policies, procedures, and contracts.

IT Outsourcing is the transferring of IT functions to an outside provider to achieve cost reductions while improving service quality and efficiency.

Integrated Auditing occurs when IT risk and control assessments are incorporated into assurance engagements conducted to assess process-level financial reporting, operations, and/or compliance risks and controls.

END

Sources of IT audit guidance include the Global Technology Audit Guide (GTAG) series and the Guide to the Assessment of IT Risk (GAIT) series.

While the IIA and COSO are connected to internal auditing, ISACA and COBIT are connected to IT auditing.

Exhibit 7-1 (figure; see textbook)

Exhibit 7-3 (figure; see textbook)

Exhibit 7-5 (figure; see textbook)

Exhibit 7-6 (figure; see textbook)
