INTRODUCTION TO INFORMATION SYSTEMS AUDIT
IT Audit Processes
Objectives
Overview
Financial Audits
Financial auditors
Evaluate the fairness of financial statements
Cover all equipment and procedures used in processing significant data
Certification: CPA
Standards: Generally Accepted Accounting Principles (GAAP)
• Fairly presented in conformity with generally accepted accounting principles (GAAP).
• The measure for 'fairly presented': there is less than a 5% chance (5% audit risk) that the financial statements are 'materially misstated'.
IT Audits
IT auditors
Evaluate IT systems, practices, and operations
Assure the validity, reliability, and security of information
Assure the efficiency and effectiveness of the IT environment in economic terms
Certification: CISA, CISM, CISSP etc.
Standards: Generally Accepted Auditing Standards (GAAS)
GAAS
General standards
An auditor should have adequate technical training and proficiency
An auditor should maintain an independent attitude
An auditor should exercise due professional care
Reporting Standards
State whether the financial statements are presented in accordance with generally accepted accounting principles
Identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period
Informative disclosures are regarded as reasonably adequate unless otherwise stated in the report
Contain an expression of opinion regarding the financial statements, or state that an opinion cannot be expressed
ITAF (IT Assurance Framework)
Dasar-Dasar Audit SI (Fundamentals of IS Audit)
General Standards
The guiding principles under which the IT assurance profession operates.
Performance Standards
Deal with the conduct of the assignment.
Reporting Standards
Address the types of reports, means of communication and the information communicated.
Guidelines
Provide the IT audit and assurance professional with information and direction about an audit or assurance area.
Tools and Techniques
Provide specific information on various methodologies, tools and templates.
The Overall Audit Process
Step 1: Audit plan
Purpose:
Identify what must be accomplished
Deliverable
An audit plan
Steps:
Preliminary assessment
Risk assessment
Identify application areas
Preparing an audit plan
Preliminary Assessment
Prioritized by risks
Which subsystems need more detailed examination
Preparing an Audit Plan
Step 2: Audit schedule
Timing
By request
Synergizing and coordinating audits
Resources
Availability of internal and external expertise
Cost
Step 3: Audit tasks
Boundary controls
Input controls
Communication controls
Processing controls
Database controls
Output controls
Obtain an Understanding
Steps followed in the development of flowcharts and their use as audit evaluation tools include:
Understanding how data is processed by computers
Identifying documents and their flow through the system
Defining critical data
Developing audit data flow diagrams
Evaluating the quality of system documentation
Assessing controls over documents
Determining the effectiveness of processing under computer programs
Evaluating the usefulness of reports
Evaluating Control Strength and Weakness
Existence of
Documented policies and procedures
• Accuracy and completeness
Evidence of compliance
Process Effectiveness
• Avoid redundancy and bottlenecks
Management support
Examples of controls over documents
Record counts: the number of documents entered must equal the number processed
Control totals: a total struck on the input batch must equal the same total recomputed from the processed records
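The record count and control total above are batch controls: totals struck on the input documents are recomputed after processing, and any difference is an exception for the auditor to follow up. The following is an added example, not code from the original slides; it reconciles a constructed sample batch (hypothetical account numbers and amounts) against several processing outcomes. Beyond the two controls the slides list, it also computes a hash total over the account numbers, which catches a record whose amount is intact but whose key was substituted, a case neither record counts nor control totals detect.

```python
"""Batch controls over documents: record count, control total, hash total.

Added example (not from the original slides). The sample batch and the
processing outcomes below are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Record:
    account: str      # account number as written on the source document
    amount: Decimal   # monetary amount; Decimal avoids float rounding in totals


@dataclass(frozen=True)
class BatchTotals:
    record_count: int        # number of documents in the batch
    control_total: Decimal   # sum of the amount field ("Input = processed")
    hash_total: int          # sum of account numbers: no business meaning,
                             # but it changes if a record's key is altered


def batch_totals(records: Sequence[Record]) -> BatchTotals:
    """Compute the three batch controls for a set of records."""
    return BatchTotals(
        record_count=len(records),
        control_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(int(r.account) for r in records),
    )


def reconcile(input_batch: Sequence[Record], processed: Sequence[Record]) -> List[str]:
    """Compare totals struck on input with totals recomputed from processed output.

    Returns the names of the controls that disagree; an empty list means the
    batch reconciles on every control.
    """
    expected = batch_totals(input_batch)
    actual = batch_totals(processed)
    failed = []
    if expected.record_count != actual.record_count:
        failed.append("record_count")
    if expected.control_total != actual.control_total:
        failed.append("control_total")
    if expected.hash_total != actual.hash_total:
        failed.append("hash_total")
    return failed


# Constructed sample batch (hypothetical data, not taken from the slides).
INPUT_BATCH = [
    Record("1001", Decimal("250.00")),
    Record("1002", Decimal("75.50")),
    Record("1003", Decimal("1200.00")),
    Record("1004", Decimal("19.99")),
]


def run_cases() -> Dict[str, List[str]]:
    """Reconcile the input batch against four constructed processing outcomes."""
    # A record silently dropped during processing.
    dropped = [r for r in INPUT_BATCH if r.account != "1004"]
    # Digits of one amount transposed (1200.00 keyed as 1020.00).
    altered = [Record("1003", Decimal("1020.00")) if r.account == "1003" else r
               for r in INPUT_BATCH]
    # Same amount posted to the wrong account (1002 keyed as 1020).
    substituted = [Record("1020", r.amount) if r.account == "1002" else r
                   for r in INPUT_BATCH]
    return {
        "clean": reconcile(INPUT_BATCH, list(INPUT_BATCH)),
        "dropped_record": reconcile(INPUT_BATCH, dropped),
        "amount_altered": reconcile(INPUT_BATCH, altered),
        "account_substituted": reconcile(INPUT_BATCH, substituted),
    }


if __name__ == "__main__":
    for case, failed in run_cases().items():
        status = "reconciles" if not failed else "EXCEPTION: " + ", ".join(failed)
        print(f"{case:22s} {status}")
```

The dropped record trips all three controls, the transposed amount trips only the control total, and the substituted account trips only the hash total; an auditor evaluating controls over documents would therefore look for all three being struck and compared, not just the record count.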
Component reliability
The reliability of a component is a function of the controls that act on that component.
A control is a pattern of activities or actions executed by one or more components to prevent, detect or correct errors or irregularities that might affect the reliability of the component.
Subdivisions of Control Review
[Figure: control review is subdivided by systems, subsystems and components, each reviewed against its risks and threats.]
Observation
Observe the activity being performed
Evidence of the activity
Source documents (input forms, etc.)
Output documents (reports)
Logs (errors, exceptions)
Duplicating the activity (re-performing the task independently)
Testing
Compliance testing
Are they doing what they said they would do?
Determines adherence to existing controls (policies, procedures, etc.)
Substantive testing
Determines whether the business objective is being achieved
Are the current controls enabling the intended business goal to be met?
Evaluating the Results
Legal requirements
Audit Standards
Best Practices
Company policies and procedures
Audit Risk (1)
Evaluate Audit’s Performance
Client feedback
Audit results
Accurate issues
Realistic action plans
Audit management
Resource allocation
On time?
Did the audit add value?
Everyday Auditing