
Why Information System Audits-CA. Abhay Mate.ppt (puneicai.org › wp-content › uploads › 2015 ›...)

Date post: 10-Jun-2020
Transcript
Page 1: Why Information System Audits-CA. Abhay Mate.pptpuneicai.org › wp-content › uploads › 2015 › 03 › Why... · CA M.R.(Abhay) Mate (B.Com, F.C.A. DISA-ICAI) Partner, Chobe

Welcome

Page 2:

STEP BY STEP APPROACH TOWARDS INFORMATION SYSTEMS (IS) AUDIT

Presentation by CA M.R. (Abhay) Mate (B.Com, F.C.A. DISA-ICAI)

Partner, Chobe & Mate Associates - Chartered Accountants

2, Phadke Sankul, Near Pune Vidyarthi Griha, Sadashiv Peth, Pune 411 030

Phone 2447 8627, 2445 4721, 98223 51901

e mail - [email protected]

Courtesy-Mr. Sunil Kulkarni CISA

Page 3:

Different Kinds of Audits

• Participative audit in software development (SDLC audit)

• Software product audit

• Quality audit (Capability Maturity Model/ISO)

• Information Systems Audit

Page 4:

Reality For Users is

Every day is Bad Day due to IT Problems

Page 5:

• Why IS Audit?

Page 6:

Need for Information Systems Auditing

ORGANISATION

• Organizational costs of data loss
• Costs of Incorrect decision making
• Costs of Computer abuse
• Value of H/W, S/W, personnel
• High costs of Computer error
• Maintenance of Privacy

Control & Audit of Computer based Information Systems

Page 7:

Objectives of Information Systems Audit

Information Systems Auditing

ORGANISATION

• Safeguarding of assets
• Data Integrity
• System Effectiveness
• System Efficiency

Page 8:

Current State of Organization

Source: Open Compliance & Ethics Group

Page 9:

Business - IT Scenario

Page 10:

People Find Process workaround

Page 11:

IT - Present Scenario

IT Service: People, Process, Technology

“80% of unplanned downtime is due to people and process” (source: Gartner Group)

Page 12:

Service Management

• Financial Management for IT services
• Capacity Management
• Availability Management
• IT Service Continuity Management
• Release Management
• Service Level Management
• Incident Management
• Problem Management
• Change Management
• Configuration Management

IT Infrastructure

Page 13:

Obstacles Prevent Effective Engagement

IT Seen as Black Box:

Business lacks visibility

Poor customer satisfaction

Overwhelming Demand:

Unstructured capture of requests and ideas

No formal process for prioritization and trade-offs

Reactive vs. proactive

Page 14:

Disparate Systems Reduce Efficiency

No Single System of Record for Decision Making

Relevant Metrics Hard to Obtain

Disparate Systems Costly to Maintain and Upgrade

Page 15:

IT Governance Landscape

Page 16:

IT - Overview

• Customer Site 1
• Customer Site 2
• Customer Site 3
• Centralized Service Desk
• Desktop Support
• Network Support
• Application Support
• Systems & Operations Support
• Third Party Support

First-line Support

Second-line Support

Page 17:

Gartner Group Maturity Model

Service

Value

Fire Fighting

Proactive

Reactive

Page 18:

Why to Audit?

To Measure – Business Value

Why Measure? – Purpose of reports

The Four reasons for measurements

• To Validate
• To Direct
• To Intervene
• To Justify

Your Measurement Framework

Strategy, Vision

Targets and Metrics

Changes, Corrective Action

Factual Evidence

IT Performance

© Crown copyright 2007. Reproduced under license from OGC.

Page 19:

Awareness aspects for the Board

Part A: IT Environment Risks:

Regulatory Risks:

Strategic Risks

Organisation Risks

Location Risks

Outsourcing Risks

How to mitigate the risks?

Page 20:

Awareness aspects for the Board

Part B: IT Operations Risk

Error Risk

Fraud Risk

Disclosure Risk

Interruption Risk

How to mitigate the risks?

Page 21:

Awareness aspects for the Branch Level Implementation

Audit & Training Aspects

• Environmental Aspects
• Organizational Facts
• Personnel And Training Matters
• Systems Security Characteristics
• Configuration Management
• Branch Parameter Verification & Controls
• Disaster Management / Continuity Of Operations

Page 22:

Awareness aspects for the Branch Level Implementation

Audit & Training Aspects

• Checking Methods Of Branch
• Data Consistency Checks
• Controls over Income Seepage
• Physical Access
• Logical Access
• Connectivity Issues
• ATM operations
• Availability & Adherence of IT Procedural Guidelines
• Aspects Pertaining To Central Office

Page 23:

Awareness aspects for the Branch Level Implementation

Audit & Training Aspects

ATM On Site / Offsite / On Line / Off Line?

Guidelines received from Head Office about ATM Operations

ATM Security Aspects

ATM Card Maintenance

ATM Card Pinning Process

ATM registers to be maintained

ATM Report Generation, Authentication

Page 24:

THANK YOU

Chobe & Mate Associates

Chartered Accountants

1785, Sadashiv Peth, Phadake Sankul, Khajina Vihir Chowk

Near Pune Vidyarthi Gruha, Pune 411 030

Phone 020-24454721 / 24478627

Mobile CA Abhay Mate 98223 51901

