
Chapter 1: IS Audit Process

Chapter Overview

Develop and/or implement a risk-based IS audit strategy and objectives, in compliance with generally accepted standards, to ensure that the organization's information technology and business processes are adequately controlled, monitored and assessed, and are aligned with the organization's business objectives. Plan specific audits to ensure that the IS audit strategy and objectives are achieved. Obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives.

Auditing is defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event, for the purpose of forming an opinion about, and reporting on, the degree to which the assertion conforms to an identified set of standards. IS auditing is the process of collecting and evaluating evidence to determine whether information systems and IT environments adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that operational and control objectives will be met.

Role of IS auditing

- Perform separate IT audits
- Perform integrated audits
- Perform technical and IT operational audits, etc.

Audit's primary role is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner.

IS auditing involves:

- Understanding of business roles in systems under development or purchase of software and project management;
- Application of risk-oriented audit approaches;
- Application of standards (national or international) to improve and implement quality systems in software development;
- Evaluation of the System Development Life Cycle (SDLC) or new development techniques (e.g., prototyping, end-user computing, rapid systems or application development);
- Evaluation of technologies and communication protocols such as EDI, the client-server model, LAN and WAN, and integrated voice/data/video systems;
- Use of computer-assisted audit tools and techniques.

Types of IS Audits

- General Control Examination (known in the past as a facility audit)
- Application Systems Audit
- System Under Development Audit
- Technical or Special Topic Audits, etc.

Why IS Audit?

- Greater reliance on information systems and technology
- Growing concern for data security due to the proliferation of technology
- Legal requirements
- Complexity of information systems and technology

Audit Process

- Audit mission
- Audit charter
- Information gathering
- Risk analysis
- Audit plan (short-term plan and long-term plan)

Abide by IS audit standards, guidelines and procedures.

IS Auditing Standards:

- Inform IS auditors of the minimum level of acceptable performance required to meet their professional responsibilities.
- Inform management and other related parties of the professional expectations concerning the work of practitioners.

Guidelines provide guidance in applying IS auditing standards. Procedures provide examples of procedures an IS auditor might follow in an audit engagement.

Audit Phases

- Gather information and plan
- Obtain an understanding of internal control
- Perform compliance tests
- Perform substantive tests
- Conclude the audit

Other Professional Bodies' Standards

- ISA 6: Risk Assessments and Internal Controls
- Addendum 1 to ISA 6: EDP Characteristics and Considerations
- Supplement 1 to ISA 6: EDP Environments - Stand-Alone Computers
- Supplement 2 to ISA 6: EDP Environments - On-Line Computers
- Supplement 3 to ISA 6: EDP Environments - Database Systems
- ISA 15: Auditing in a Computer Information Systems Environment
- ISA 16: Computer-Assisted Audit Techniques

Audit Mission

- Should be commensurate with the role of audit within the organization
- Should be realistic and ambitious
- Should be approved by the Audit Committee and the highest level of management
- Should be supported by appropriate strategic plans

Audit Charter / Engagement Letter

- Identifies the responsibility, accountability and authority of audit
- Should be approved by the highest level of management
- Should take into consideration the current IT environment and the challenges faced by audit
- Should comply with relevant laws and regulations

Information Gathering

- Reviewing documentation regarding information systems
- Meeting relevant management representatives
- Reviewing reports, industry publications, etc.
- Reviewing documentation pertaining to current IT projects
- Observation

Risk Assessment

Risk is the potential that a given threat will exploit the vulnerabilities of an asset or a group of assets to cause loss or damage to the assets. Risk analysis is part of audit planning and helps identify risks and vulnerabilities so that the auditor can determine the controls needed to mitigate those risks. The IS auditor is often focused on a particular class of risks associated with information and the underlying information systems and processes. Some of the risks associated with information technology are:

- Improper use of technology
- Repetition of errors
- Cascading of errors
- Illogical processing
- Inability to control technology
- Equipment failure
- Incorrect data entry
- Concentration of data

Elements of Risk

The threats to information system assets are:

- Unauthorized access
- Utility failure
- Loss of key personnel
- Tampering
- Safety of personnel
- Hardware failure
- Natural disasters
- Human errors
- Disgruntled employees

Impact on assets based on threats and vulnerabilities:

- Physical destruction of assets
- Loss of data
- Theft of the information
- Indirect theft of assets
- Delay loss: reduced productivity and income, extra expense, license penalties, etc.
- Delay damage/service outage
- Fraud via IT
- Altered or omitted data
- Application or file tampering
- Unauthorized disclosure of IT data
- Accidental, intentional and malicious acts
- Physical theft: petty, insider, breaking and entering, armed robbery

Probabilities of threats (combination of the likelihood and frequency of occurrence):

- High loss per event, high frequency of occurrence
- High loss per event, low frequency of occurrence
- Low loss per event, high frequency of occurrence
- Low loss per event, low frequency of occurrence

Controls

Controls are the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Internal control includes all measures and practices that are used to mitigate exposures to risks that could potentially prevent an organization from achieving its objectives. Internal control is not solely a procedure or policy that is performed at a certain point in time; rather, it is continually operating at all levels within an organization.

Main objectives of the internal control process:

- Safeguarding of assets (security objectives);
- Efficiency and effectiveness of operations (operational objectives);
- Reliability and completeness of accounting/financial and management information (information objectives); and
- Compliance with organizational policies and procedures as well as applicable laws and regulations (compliance objectives).

Information Systems Controls

- Preventive (in order to avoid occurrence)
- Detective (in order to detect or identify occurrences)
- Corrective (in order to correct or restore controls)

Chapter 2: Management, Planning and Organization of IS

Chapter Overview

- Information Systems Strategy
- Policies and Procedures
- IS Management Practices
- IS Organizational Structure and Responsibilities
- Auditing the Management, Planning and Organization of IS

The objective of this content area is to ensure that the IS auditor "understands and can evaluate the strategies, policies, standards, procedures and related practices for the management, planning and organization of IS."

Chapter Summary: According to the Certification Board, this content area will represent approximately 11% of the CISA examination (approximately 22 questions). It covers:

- Overall business strategies and policies, identifying the areas concerning information processing, and gaining an understanding of the business practices and functions.
- Identifying significant functional areas, tasks and reporting responsibilities of IS departments to gain an understanding of the organization's information processing environment through review of relevant documentation, inquiry and observation.
- Evaluating management practices, procedures and the organizational structure of IS departments to assess their adequacy by determining whether they are efficient and effective and include appropriate controls.
- Testing the controls to determine compliance with appropriate standards by applying suitable audit techniques.
- Assessing the organizational control environment to determine that control objectives were achieved by analyzing test results and other audit evidence.
Information Systems Strategy

Strategic Planning

- Long-range planning for the organization
- Long-range planning for the IS department
- Steering committee(s)

The IS department should have long-range (i.e., greater than one year, typically between 3 and 5 years) and short-range (i.e., one year or business cycle) plans. These plans should be consistent with the organization's broader plans for attaining the organization's goals. Typical objectives normally associated with strategic planning are:

Long-Range Planning for the Organization - should address issues pertinent to its contribution to the organization's achievement of long-range goals.

Long-Range Planning for the Information Systems Department - should be consistent with, and integrated into, senior management's long-range plans and recognize organizational goals, organizational changes, technological advances, and regulatory requirements.

Steering Committee - an organization's senior management should appoint a planning or steering committee to oversee information systems department activities. Its duties and responsibilities should be defined in a formal charter.

Strategic Planning (continued)

- Short-range planning for the organization and for the IS department
- Review of planning for the organization and for the IS department

Short-Range Planning for the Organization and for the Information Systems Department - should ensure that appropriate Information Systems Department resources are allocated on a basis consistent with the overall organization's short range plans. Review of Planning for the Organization and for the Information Systems Department - Management reports should be provided for senior management's review of the organization's progression toward identified goals.

Planning/Steering Committee

- Board representation
- Steering committee

Board Representation - the board should have a member responsible for information technology who understands the risks and issues.

Steering Committee - provides an organization with direction in harmony with the corporate mission and objectives. The committee consists of various managers who are representative of all the business areas in the organization. Their goal is to review and act upon all requests for new system needs in accordance with the corporate objectives. To this end it is the responsibility of the committee to ensure efficient use of data processing resources and to set the priorities, examine costs and provide support for various projects.

Policies and Procedures

- Policies
- Procedures
- Human resources policies/practices
- Outsourcing practices

Policies are high-level documents. They represent the corporate philosophy of an organization. To be effective, they must be clear and concise. Management must create a positive control environment by assuming responsibility for formulating, developing, documenting, promulgating and controlling policies covering general goals and directives. Management should take the steps necessary to ensure that employees affected by a specific policy receive a full explanation of the policy and that they understand its intent.

In addition to corporate policies that set the tone for the organization as a whole, individual divisions and departments should define lower-level policies. These would apply to the employees and operations of these units and would focus at the operational level. A top-down approach to the development of lower-level policies, in instances when they are derived from corporate policies, is desirable, as it ensures consistency across the organization. Management should review all policies. Policies need to be updated to reflect significant changes within the organization or department.

Written IS policies should originate at the corporate level to ensure uniformity. Policies should be clear and concise to allow for easy compliance and enforcement.

Human Resource Policies/Practices

- Hiring practices
- Employee handbook
- Promotion policies
- Training

Hiring Practices - hiring practices are important to ensure that the most effective and efficient staff is chosen and that the company is in compliance with legal recruitment requirements.

Employee Handbook - distributed to all employees upon being hired; should explain items such as security policies and procedures, company expectations, employee benefits, etc.

Promotion Policies - must be fair and understood by employees. Policies should be based on objective criteria and consider an individual's performance, education, experience and level of responsibility.

Training - training should be provided on a fair and regular basis to all employees. This is particularly important when new hardware and/or software is being implemented. Training should include relevant management training, project management training, and technical training.

Human Resource Policies/Practices (continued)

- Scheduling and time reporting
- Employee performance evaluations
- Required vacations
- Termination policies

Scheduling and Time Reporting - proper scheduling provides for a more efficient operation and use of computing resources. Time reporting allows management to monitor the scheduling process.

Employee Performance Evaluations - employee assessment must be a standard and regular feature for all IS staff. The HR department should ensure that IS managers and employees set mutually agreed goals/expected results.

Required Vacations - ensure that at least once a year someone else performs the function.

Termination Policies - established to provide clearly defined steps for employee separation.

Outsourcing Practices

- Reasons for embarking on outsourcing
- Services provided by a third party
- Possible advantages of outsourcing
- Possible disadvantages of outsourcing
- Business risks from outsourcing
- Audit/security concerns of outsourcing

IS MANAGEMENT PRACTICES

- Management principles
- IS assessment methods
- Quality management
- IS standards
- CMM

Management Principles

- People management
- Management of change
- Focus on good processes
- Security
- Handling third parties

People Management - personnel in a typical IS department are highly qualified, highly educated and usually do not feel that their jobs are at risk. IT professionals are prepared to switch jobs frequently, and the normal perks of money and a managerial job title are not an inducement. Therefore, employee training and development and challenging assignments are very important.

Management of Change - not only is turnover of people more frequent, but the department is constantly in a state of flux handling demands for new applications and new technologies. It is important for an IS department to stay abreast of technology and proactively embrace change whenever necessary.

Focus on Good Processes - because of the rate of change, it is important for IS departments to implement and enforce good processes. There must be documented procedures for all aspects of the department, whether it be programming standards, testing or backups of data.

Security - the concern for security is far more important and pervasive within IS than in most other departments. The Internet has intensified this concern. The IS department must be equally concerned about business continuity and disaster recovery.

Handling Third Parties - IS departments have many vendors who must all work together to deliver the desired results.

IS Assessment Methods

- IS budgets
- Capacity and growth planning
- User satisfaction
- Industry standards/benchmarking
- Financial management practices
- Goal accomplishments

IS Budgets - allow forecasting, monitoring and analyzing financial information. They allow for an adequate allocation of funds, especially in an IS environment where expenses can be cost-intensive.

Capacity and Growth Planning - used to assess whether the operation is running as efficiently and effectively as possible. This activity must be reflective of the long- and short-range business plans and must be considered within the budgeting process. Use simulation or modeling techniques to identify any shortfalls in capacity or bottlenecks that may adversely affect service, and budget for augmented or replacement equipment. This involves determining the unused capacity and saturation point of the present system, estimating the growth rate of the existing system, and determining the system upgrade point by comparing the growth rate of the system with the system saturation point.

User Satisfaction - one of the measures to ensure an effective information processing operation. Users and IT should agree on a level of service, which should be periodically audited.

Industry Standards/Benchmarking - provide a means of determining the level of performance provided by similar information processing facility environments. These statistics can be obtained from vendor user groups, industry publications and professional associations.

Financial Management Practices - it is critical to have sound financial management practices in place.

Goal Accomplishment - comparing performance with predefined goals.

QUALITY MANAGEMENT

- ISO standards
- Capability Maturity Model (CMM)

Quality management is the means by which IS department-based processes are controlled, measured and improved. Processes in this context are defined as a set of tasks that, when properly performed, produce the desired results.

Quality Management areas:

- Software development, maintenance and implementation
- Acquisition of hardware and software
- Day-to-day operations
- Security
- Human resource management
- General administration

Standards to Assist the Organization

- ISO 9000 - provides guidelines on how to choose the appropriate standards.
- ISO 9001 - provides guidelines for companies in design, development, production, installation or servicing.
- ISO 9002 - provides guidelines for companies in production, installation or servicing.
- ISO 9003 - for companies in final inspection and testing.
- ISO 9004 - a guideline to aid in the interpretation of the standards.
- ISO 9126 - provides the definition of the characteristics and the associated quality evaluation process used when specifying the quality requirements of software products.
- ISO 9000:2000
- Capability Maturity Model

Quality Measures of ISO 9000

- Leadership
- Human resource development and management
- Management of process quality
- Customer focus and satisfaction

Capability Maturity Model (CMM)

- Maturity levels
- Process capabilities
- Key process areas
- Goals
- Common features
- Key practices

IS ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES

Management Structures

- Line management
- Project management

IS Responsibilities and Duties

- Operations
- Data entry (online and batch)
- Control group
- Librarian

Operations - includes all the staff required to run the computer efficiently and effectively. Can be sub-divided into three categories: physical security, data security, and processing controls.

Data Entry - generally, in modern online environments, data entry is performed by personnel in the user departments.

Online Data Entry - an online system provides various screen edits to perform basic input verification of the data entered, e.g., range checks, alphanumeric checks, limit checks, and valid predefined value checks from an internal table. The department manager or supervisor would be required to provide for an adequate separation of duties by being responsible for overrides and resubmission of errors or rejected entries.

Batch Data Entry - data entry within the typical information systems department is often the responsibility of the Data Control Department.

Control Group - the input/output control group should be in a separate area where only authorized personnel are permitted entry. The supervisor of the Control Group usually reports to the IPF Operations Manager.

Librarian - the librarian is required to record, issue and receive, and safeguard all program and data files that are maintained on computer tapes and/or disks in an IPF.
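The four screen edits named above for online data entry (range, alphanumeric, limit, and valid-value-table checks), together with the supervisor-only override path, as an added example; this is not code from the study notes or from any product they describe. The field names, the range and limit values, the valid-value table, and the rule that only the limit edit may be waived by a supervisor are assumptions made for the demo.

```python
import re

# Assumed edit parameters (constructed for this example; a real application would
# load them from its own control tables).
ORDER_ID_PATTERN = re.compile(r"^[A-Z0-9]{8}$")   # alphanumeric check: 8 uppercase letters/digits
QTY_RANGE = (1, 500)                              # range check: quantity must lie in [1, 500]
AMOUNT_LIMIT = 10_000.00                          # limit check: maximum amount per transaction
VALID_DEPT_CODES = {"FIN", "OPS", "HR"}           # internal table of valid predefined values
OVERRIDABLE_EDITS = {"limit"}                     # assumption: only the limit edit can be waived


def edit_record(rec):
    """Apply the four screen edits to one record; return the names of the edits it fails."""
    failed = []
    if not ORDER_ID_PATTERN.match(str(rec.get("order_id", ""))):
        failed.append("alphanumeric")
    qty = rec.get("qty")
    if not isinstance(qty, int) or not (QTY_RANGE[0] <= qty <= QTY_RANGE[1]):
        failed.append("range")
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0 or amount > AMOUNT_LIMIT:
        failed.append("limit")
    if rec.get("dept") not in VALID_DEPT_CODES:
        failed.append("table")
    return failed


def process_batch(records, overrides=None):
    """Accept clean records and route the rest to the reject queue.

    `overrides` maps order_id -> supervisor id for rejects the supervisor has
    resubmitted. A record is accepted on override only if every edit it failed is
    overridable, and each override is written to a log so the audit trail shows
    who waived which edit (the separation of duties the notes call for).
    """
    overrides = overrides or {}
    accepted, rejected, override_log = [], [], []
    for rec in records:
        failed = edit_record(rec)
        oid = rec.get("order_id")
        if not failed:
            accepted.append(oid)
        elif oid in overrides and set(failed) <= OVERRIDABLE_EDITS:
            override_log.append({"order_id": oid, "supervisor": overrides[oid], "waived": failed})
            accepted.append(oid)
        else:
            rejected.append({"order_id": oid, "failed": failed})
    return {"accepted": accepted, "rejected": rejected, "override_log": override_log}


# Constructed sample input.
SAMPLE_RECORDS = [
    {"order_id": "AB12CD34", "qty": 10, "amount": 250.0, "dept": "FIN"},    # clean
    {"order_id": "ab12cd34", "qty": 10, "amount": 250.0, "dept": "FIN"},    # fails alphanumeric
    {"order_id": "ZZ99ZZ99", "qty": 0, "amount": 250.0, "dept": "OPS"},     # fails range
    {"order_id": "LIMIT001", "qty": 5, "amount": 25000.0, "dept": "HR"},    # fails limit; overridden
    {"order_id": "TABLE001", "qty": 5, "amount": 25000.0, "dept": "XXX"},   # fails limit and table
]
SAMPLE_OVERRIDES = {"LIMIT001": "supervisor-7", "TABLE001": "supervisor-7"}

if __name__ == "__main__":
    result = process_batch(SAMPLE_RECORDS, SAMPLE_OVERRIDES)
    print("accepted:", result["accepted"])
    for r in result["rejected"]:
        print("rejected:", r)
    for entry in result["override_log"]:
        print("override:", entry)
```

The override log is the piece an auditor asks for: it ties every waived edit to the supervisor who waived it, and a record that fails a non-waivable edit (the "TABLE001" record, which has an invalid department code) stays rejected even when an override was requested, so it must be corrected and resubmitted rather than forced through.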

IS Responsibilities and Duties (continued)

- Security administration
- Quality assurance
- Database administration

Security Administration - security administration must begin with management's commitment. Upper management should develop and enforce a written policy that clearly states the standards and procedures to be followed.

Quality Assurance (QA) - the QA group usually performs testing and verification to ensure that programs, program changes, and documentation adhere to standards and naming conventions prior to programs being moved into production.

Database Administration - the database administrator (DBA) is responsible for the actual design, definition, and proper maintenance of the corporate databases. Since the DBA should have no application programming or end-user responsibilities, he/she should be prohibited from accessing the production data within the databases that this person administers.

IS RESPONSIBILITIES AND DUTIES (continued)

- Systems analysis
- Application programming
- Systems programming
- Network management
- Help desk administration

Systems Analysis - systems analysts are specialists who design systems based on the needs of the user. This individual is responsible for interpreting the needs of the user and determining the programs and the programmers necessary to create the particular application.

Applications Programming - the applications programming area is made up of the applications programmers, who are responsible for developing new systems and maintaining systems in production. They should work in a test environment only and should not move test versions into the production environment.

Systems Programming - systems programmers are responsible for maintaining the systems software, including the operating system. This function may allow for unrestricted access to the entire system.

Network Management - this position is responsible for technical and administrative control over the local area network. Depending upon the policy of the company, this position can report to the director of the IPF or may report to the end-user manager.

Help Desk Administration - a unit within an organization that responds to technical questions from users. Most software companies have help desks. Questions and answers can be delivered by telephone, fax or e-mail. Help desk personnel may use third-party help desk software that enables them to quickly find answers to common questions.

SEPARATION OF DUTIES WITHIN IS

- Transaction authorization
- Reconciliation
- Custody of assets
- Access to data
- Separation of duties control matrix

Transaction Authorization - transaction authorization is the responsibility of the user department. Authorization is delegated to the degree that it relates to the particular level of responsibility of the authorized individual in the department. Periodic checks must be performed by both management and audit to detect the unauthorized entry of transactions.

Reconciliation - reconciliation is the ultimate responsibility of the user. In some organizations, limited reconciliation of applications may be performed by the Data Control group with the use of control totals and balancing sheets. This type of independent verification increases the level of confidence that the applications ran successfully and that the data is in proper balance.

Custody of Assets - custody of corporate assets must be determined and assigned appropriately. The "data owner" has responsibility for determining the authorization levels required to provide adequate security, while the data security administration group is often responsible for implementing and enforcing the security system.

Separation of Duties within IS (continued)

- Authorization forms
- User authorization tables
- Exception reporting
- Audit trails
- Transaction logs
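A separation-of-duties control matrix evaluated against user role assignments, as an added example; this is not code from the study notes. The conflicting duty pairs follow statements made in the notes (authorization, custody of assets and reconciliation belong to different hands; applications programmers should not move code into production and should work in a test environment only; the DBA should not access production data). The job titles, the mapping from title to duty, and the user assignments are constructed for the demo.

```python
from itertools import combinations

# Duties the notes say must be separated, as unordered conflicting pairs.
CONFLICTING_PAIRS = {
    frozenset({"transaction_authorization", "custody_of_assets"}),
    frozenset({"transaction_authorization", "reconciliation"}),
    frozenset({"custody_of_assets", "reconciliation"}),
    frozenset({"application_programming", "production_migration"}),    # programmers must not move code to production
    frozenset({"application_programming", "production_data_access"}),  # programmers work in test only
    frozenset({"database_administration", "production_data_access"}),  # DBA must not access production data
}
ALL_DUTIES = sorted({d for pair in CONFLICTING_PAIRS for d in pair})

# Assumed mapping from job title to the duties it carries (constructed for the demo).
ROLE_DUTIES = {
    "purchasing_manager": {"transaction_authorization"},
    "warehouse_clerk": {"custody_of_assets"},
    "data_control": {"reconciliation"},
    "app_programmer": {"application_programming"},
    "release_operator": {"production_migration"},
    "dba": {"database_administration"},
    "prod_user": {"production_data_access"},
}


def control_matrix():
    """Build the control matrix: matrix[a][b] == 'X' when duties a and b must not be held together."""
    return {a: {b: ("X" if frozenset({a, b}) in CONFLICTING_PAIRS else "") for b in ALL_DUTIES}
            for a in ALL_DUTIES}


def duties_of(roles):
    """Union of the duties carried by a user's roles; an unknown role raises KeyError."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES[role]
    return duties


def find_sod_violations(assignments):
    """assignments: user -> list of role names. Returns sorted (user, duty_a, duty_b) conflicts."""
    matrix = control_matrix()
    violations = []
    for user, roles in sorted(assignments.items()):
        for a, b in combinations(sorted(duties_of(roles)), 2):
            if matrix[a][b] == "X":
                violations.append((user, a, b))
    return violations


def render_matrix():
    """Text rendering of the control matrix, numbered by column, for audit working papers."""
    width = max(len(d) for d in ALL_DUTIES)
    matrix = control_matrix()
    lines = [" " * (width + 4) + " ".join(f"{i:<4}" for i in range(len(ALL_DUTIES)))]
    for i, a in enumerate(ALL_DUTIES):
        cells = " ".join(f"{matrix[a][b] or '-':<4}" for b in ALL_DUTIES)
        lines.append(f"{i:<2} {a.ljust(width)} {cells}")
    return "\n".join(lines)


# Constructed sample assignments.
ASSIGNMENTS = {
    "alice": ["purchasing_manager"],
    "bob": ["warehouse_clerk", "data_control"],       # custody and reconciliation
    "carol": ["app_programmer", "release_operator"],  # programming and production migration
    "dave": ["dba", "prod_user"],                     # DBA and production data access
    "erin": ["app_programmer"],
}

if __name__ == "__main__":
    print(render_matrix())
    for user, a, b in find_sod_violations(ASSIGNMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
```

Where a small department cannot split a conflicting pair across two people, the auditor looks for the compensating items the notes list next (authorization forms, user authorization tables, exception reporting, audit trails and transaction logs) and tests that they are actually reviewed; the matrix output is what tells the auditor which users those compensating controls need to cover.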

AUDITING THE MANAGEMENT, PLANNING AND ORGANIZATION OF IS

- Reviewing documentation
- Interviewing and observing personnel in the performance of their duties
- Reviewing contractual commitments

Reviewing Documentation - information technology strategies, security policy documentation, organization/functional charts and steering committee reports, job descriptions, system development and program change procedures, operations procedures, and human resource manuals provide valuable evidence to the IS auditor.

Interviewing and Observing Personnel in the Performance of Their Duties - the candidate should be able to evaluate the information provided from an interview for the audit, and understand how the observation technique can also be one of the most reliable ways to ensure integrity in the identification of personnel duties.

The Review of Contractual Commitments - represents one of the IS auditor's compliance reviews that should help verify management participation in the contracting process, ensuring a proper level of timely contract compliance.

Interviewing and Observing Personnel in the Performance of Their Duties

- Actual functions
- Security awareness
- Reporting relationships

Actual Functions - observation is the best test to ensure that the individual who is assigned and authorized to perform a particular function is the person who is actually doing the job.

Security Awareness - security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures to safeguard the company's assets and data.

Reporting Relationships - reporting relationships should be observed to ensure that assigned responsibilities and adequate separation of duties are being practiced.

Reviewing Contractual Commitments

- Development of contract requirements
- Contract bidding process
- Contract selection process
- Contract acceptance
- Contract maintenance
- Contract compliance
