Post on 05-Jan-2016
Session 2: Internal Control and Information System Audit

Agenda
1. Control Framework of COBIT
2. Control Classification
3. Information System Control Procedures
4. Computer Assisted Audit Tools and Techniques (CAATs)
Management Expectations of IT
• Re-Engineered Processes
• Right-Sizing
• Distributed Processing
• Flattened Organizations
• Outsourcing
Management Responsibilities for IT
• Safeguarding Assets
• Information as Most Valuable Asset
Both need a Control Framework

COBIT: Control Objectives for Information and Related Technology

Mission: To research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers and auditors.
Who Needs COBIT?

Management Needs COBIT
• IT investment decisions
• Balance of risk and control
• Benchmark existing and future IT environment

IS Auditors Need COBIT
• To substantiate opinions to management on internal controls
• To answer the question of what are the minimum controls necessary

Users Need COBIT
• To obtain assurance on return on costs, on security, and control of products and services they acquire internally and externally.
COSO & COBIT: The Needs
• In most companies of any size, data moves between multiple business groups and IT systems on its way from initial transactions to the reports that the CEO and CFO must attest to.
• Attesting to the accuracy of the data requires confidence in accounting procedures and controls. These are addressed within the COSO framework.
• The SOX 404 attestation also requires confidence in the IT systems that house, move, and transform data. This requires confidence in the processes and controls for those IT systems and databases. The COBIT framework was designed to address IT concerns.
COSO & COBIT: The Linkage

COBIT's Golden Rule: In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
COBIT: IT Governance
[Figure: Business requirements and information flow into IT Processes; the processes are supported by Audit Guidelines, Control Objectives, Control Practices, Critical Success Factors, Key Performance Indicators, Key Goal Indicators, and Maturity Models.]
Internal Control Objectives

Management has three broad objectives in designing an effective internal control system:
• Reliability of financial reporting
• Efficiency/effectiveness of operations
• Compliance with laws and regulations
Control Classifications
• Preventive Control
• Detective Control
• Corrective Control

Preventive controls are those inputs which are designed to protect the organization from unlawful activities.

Detective controls are those which detect and report the occurrences of an error, omission or malicious act in the Information System.

Corrective controls are very important because prevention and detection alone cannot be effective unless there is an appropriate corrective mechanism in place.
Preventive Control
• Employ qualified personnel
• Segregation of duties
• Access control
• Vaccination against diseases
• Documentation
• Prescribing appropriate books for a course
• Training and retraining of staff
• Authorization of transactions
• Validation, edit checks in the application
• Firewalls
• Anti-virus software
• Passwords
Detective Control
• Surprise checks by supervisor
• Hash totals
• Checkpoints in production jobs
• Echo control in telecommunications
• Error message over tape labels
• Duplicate checking of calculations
• Periodic performance reporting with variances
• Past-due accounts report
• The internal audit function
• Intrusion detection system
• Cash counts and bank reconciliation
• Monitoring expenditure against budget amount
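Three of the detective controls listed above (hash totals, duplicate checking of calculations, and the past-due accounts report) can be shown in a few lines of code. The following is an added example, not part of the original slides: it runs those checks over a constructed batch of transactions. The batch layout, the field names, the header control totals and the sample values are all assumptions made for this illustration.

```python
"""Detective-control checks over a constructed batch of transactions.

Added example, not from the original slides. Assumptions for this demo:
- A batch header carries a record count, a financial total (sum of amounts)
  and a hash total: the sum of account numbers, a figure with no business
  meaning that exists only to detect lost, duplicated or altered records.
- Each record carries quantity and unit price, so the recorded amount can be
  independently recomputed (duplicate checking of calculations).
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    ref: str
    account: int
    qty: int
    unit_price: Decimal
    amount: Decimal        # amount as recorded by the system
    due: date


@dataclass(frozen=True)
class BatchHeader:
    record_count: int
    financial_total: Decimal
    hash_total: int        # sum of account numbers


def batch_control_check(header: BatchHeader, txns: list) -> list:
    """Compare batch header control totals with the detail records.

    Returns a list of exception messages; an empty list means the batch
    reconciles. Each total catches a different failure: a dropped record
    changes the count, an altered amount changes the financial total, and a
    record swapped for one with the same amount but a different account
    changes the hash total.
    """
    exceptions = []
    if len(txns) != header.record_count:
        exceptions.append(f"record count {len(txns)} != header {header.record_count}")
    fin = sum((t.amount for t in txns), Decimal("0"))
    if fin != header.financial_total:
        exceptions.append(f"financial total {fin} != header {header.financial_total}")
    h = sum(t.account for t in txns)
    if h != header.hash_total:
        exceptions.append(f"hash total {h} != header {header.hash_total}")
    return exceptions


def recalculation_check(txns: list) -> list:
    """Duplicate checking of calculations: recompute qty * unit_price and
    report every record whose stored amount disagrees."""
    return [f"{t.ref}: recorded {t.amount}, recomputed {t.qty * t.unit_price}"
            for t in txns if t.qty * t.unit_price != t.amount]


def past_due_report(txns: list, as_of: date) -> list:
    """Past-due accounts report: refs of items whose due date has passed."""
    return [t.ref for t in txns if t.due < as_of]


# Constructed sample batch: T003's amount was altered after the header was
# prepared (60.00 -> 90.00), and T002 is past due as of the report date.
SAMPLE_TXNS = [
    Txn("T001", 10001, 2, Decimal("50.00"), Decimal("100.00"), date(2016, 2, 1)),
    Txn("T002", 10002, 1, Decimal("75.00"), Decimal("75.00"), date(2015, 12, 1)),
    Txn("T003", 10003, 3, Decimal("20.00"), Decimal("90.00"), date(2016, 2, 1)),
]
SAMPLE_HEADER = BatchHeader(record_count=3,
                            financial_total=Decimal("235.00"),
                            hash_total=30006)


def run_checks(as_of: date = date(2016, 1, 5)) -> dict:
    """Run all three detective checks and return their findings by name."""
    return {
        "batch": batch_control_check(SAMPLE_HEADER, SAMPLE_TXNS),
        "recalc": recalculation_check(SAMPLE_TXNS),
        "past_due": past_due_report(SAMPLE_TXNS, as_of),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings or "OK")
```

Note that the hash total still reconciles for the tampered batch: the account numbers were untouched, so only the financial total and the recalculation expose the altered amount. That is why a batch normally carries more than one control total; each one detects a different class of error.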
Corrective Control
• Contingency planning
• Backup procedure
• Rerun procedures
• Treatment procedures for a disease
• Change input value to an application system
• Investigate budget variance and report violations
Compensatory Control

While designing the appropriate control one thing should be kept in mind: the cost of the lock should not be more than the cost of the assets it protects.
View of IT Controls

IT Governance: Another View
• General Control
• Application Control

General IT controls are typically pervasive in nature and are addressed through various audit avenues.

Application controls provide another category of controls and include controls within an application around input, processing, and output.

Information system auditors need to understand the range of controls available for mitigating IT risks.

The controls can be thought of as existing within a hierarchy that relies on the operating effectiveness and interconnectivity of the controls, as well as the realization that failure of a set of controls can lead to increased reliance on, and necessary examination of, other control groups.
IT Governance
• When addressing the topic of IT controls, an important consideration is IT governance, which provides the framework to ensure that IT can support the organization's overall business needs.
  – IT Governance is not only composed of the controls needed to address identified risk but also is an integrated structure of IT practices and personnel that must be aligned closely with, and enable achievement of, the organization's overall strategies and goals.
IT Controls
[Figure: Internal Controls contain IT Controls, which are split into General Controls and Application Controls. Labels in the figure: Application Systems Development/Changes; Computer Service Center (Operations and Security); Computer Application Systems and Programs.]
IT Controls and Financial Reporting
Computer Assisted Audit Tools and Techniques (CAATs)
• For evaluation of controls in the information system, auditors sometimes use tools that run in the computer system itself, an exercise also known as auditing with the computer, for extracting and evaluating evidence.
• Such tools are basically data-mining tools and are generically called Computer Assisted Audit Tools and Techniques (CAATs).

Types of CAATs
• Packaged Software
• Generalized Audit Software (GAS)
• Embedded Audit Module (EAM)
• Audit Hook (AH)
• Integrated Test Facility (ITF)
• Parallel Simulation (PS)
• Program Code Analysis (PCA)
• Test Data
• Specialized Audit Software (SAS)
Find the definitions..!!
End of Presentation
Thank You!