INTRODUCTION TO INFORMATION
SYSTEMS AUDIT
Refresh Session 1
Elements of an IT System
Hardware - the physical equipment
Software
• system programs - perform generalized functions for more than one program
• application programs - sets of computer instructions that perform data processing tasks
Documentation - a description of the system and control structures
Personnel - persons who manage, design, program, operate or control the system
IT Environment
Elements of a Computer-based System
Data - transactions and related information entered, stored and processed by the system
Control Procedures - activities designed to ensure proper recording of transactions and to prevent or detect errors or irregularities
Management responsibilities to assist the auditor:
• ensuring documentation of the system is complete
• by maintaining a system of transaction processing that includes audit trails
• by making computer resources and knowledgeable personnel available to the auditors to help them understand and audit the system
Effect of IT Processing
The method used to process accounting transactions will
affect a company’s organization structure and will
influence the procedures and techniques used to
accomplish the objectives of internal control.
The following are characteristics that distinguish computer processing from manual processing:
• Transaction trails may not exist
• Uniform processing of transactions - eliminates random errors but may cause systematic errors
• Segregation of functions - incompatible functions may not be segregated, and many internal controls are combined in the computer
Effect of IT Processing
IT auditing:
The evaluation of IT, practices, and operations to assure the integrity of an entity's information. It can include assessment of the efficiency, effectiveness, and economy of computer-based practices.
IT Audit Function - part of the business environment.
Their unique blend of skills helps to assess the company's exposures and develop controls associated with their use of technology.
Auditing Concerns
Fundamentals of IS Audit
Reasons for implementing IT governance
Increasing dependence on information and the
systems that deliver the information
Increasing vulnerabilities and a wide spectrum
of threats
Scale and cost of current and future
investments in information and information
systems
Potential for technologies to dramatically change organizations and business practices, to create new opportunities and reduce costs
Reason For IT Auditing
IT Governance Intro
IT governance :
The responsibility of the board of directors and
executive management.
It's an integral part of enterprise governance and consists of leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
Risk & Security Control Perspective
Castellans: using a “fortress” to physically
secure systems
E.g. isolated spaces
Guardians: using law enforcement and
administrative regulations to prevent computer
crimes
E.g., ISMS policy & regulation related to IT
Gatekeepers: limiting access
E.g., passwords, encryption, biometrics
Need top and IS management support
IT Auditor-Job Outlook
IT auditor:
One of the fastest growing careers
• 11.2% increase in 2006
• Average technology positions grew 3% in 2006
• Salary range $67,000-$94,250, an 11% increase
over 2005
IT Auditor: Knowledge, Skills,
and Abilities
Understand the overall control philosophy
Technical skills
Understand information system management
Ability to communicate technical information
Experience with a particular industry and/or the
specific business
Communication skills that enable the auditor to bridge
the gap between IT professionals and business
management
IT Auditor Independence
IT Audit Continuous
Reassessment
Stay on track with audits
Auditor steps back and reassesses the audit project:
Reaffirm audit goals
• E.g., to ensure that current documentation is available,
adequate, and safeguarded.
IT Auditor Knowledge
Resources
Experience
Colleagues (IT professionals and other auditors)
Publications and periodicals in IT and/or audit
Seminars
University training
The Role of the IT Auditor
IT Auditor as Counselor
Active role in the development of policies on auditability, control,
testing, and standards
Educate users and IT personnel on the importance of
compliance with control requirements
Internal vs. External Auditors
Key Certifications and
Professional Associations
Certified Internal Auditor (CIA), by the Institute of
Internal Auditors
Collaboration between IT Auditor
and IT Managers
Are these attitudes correct?
Manager: “Arguing with an Auditor is
like mud wrestling with a pig! After a
time you realize that the pig is
enjoying himself.”
How IT Managers Support the IT
Audit Function
Support and participate in the audit planning process
Develop and promote risk and control awareness
Provide resources to accomplish the audit tasks
Hold the auditors to their standards of practice
What IT Managers Need to
Know About an Audit
What is the purpose of the audit?
What are the audit’s scope and objectives?
Who is assigned to perform the audit?
What is the timeframe for the audit?
What IT resources are needed?
systems, staff
What Should IT Managers Expect
From an Audit?
Regular communication
audit status
issues found to date
A closing meeting to review the audit process
and results (issues, actions, plans, etc.)
A final audit report
Audit follow-up on action plans identified during
the audit
Class Exercise