IT Audit

The audit charter:

May include IS audit as an audit support function.

Should clearly state management responsibility and objectives for the IS audit function, as well as the delegation of authority to it.

Is an overarching document that covers the entire scope of audit activities.

IT Audit Resource Management

The IS audit function should be managed in a manner that ensures the diverse tasks performed by the audit team will fulfill audit function objectives, while preserving audit independence and competence.

IS auditors must maintain their competency through updates of existing skills and obtain training on new audit techniques and technological areas.

Skills and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.

A detailed staff training plan should be drawn up for the year based on the organization’s direction in terms of technology and related risk that needs to be addressed and it should be reviewed periodically.

Using the Services of Other Auditors and Experts

When a part or all IS audit services are proposed to be outsourced to another audit or external service provider, the following should be considered regarding using the services of other auditors and experts:

Restrictions on outsourcing of audit/security services provided by laws and regulations

Audit charter or contractual stipulations

Impact on overall and specific IS audit objectives

Impact on IS audit risk and professional liability

Independence and objectivity of other auditors and experts

Professional competence, qualifications, and experience

Scope and approach of work to be outsourced

Supervisory and audit management controls

Method and modalities of communication of results of audit work

Compliance with legal and regulatory stipulations

Compliance with applicable professional standards

Activity

An internal audit department is planning its IS audits based on the approved audit plan. As the Chief Audit Executive, you are responsible for staffing the planned audits.

Individually:

Think through the steps you would take to plan to meet capacity and budget restraints.

How do you factor in training considerations, cost, and timing for IS audit resources?

In what instances would you consider using the help of outside experts?

Can everyone do AI audit today? No; the team first needs to build that competence.

Information Systems Audits Overview

1. Compliance Audits:

Evaluate how well an organisation meets regulatory or statutory requirements, including adherence to internal policies. This assures stakeholders of legal and regulatory conformity.

2. Financial Audits:

Focus on the integrity and accuracy of financial statements, such as balance sheets, ensuring that all financial data is reliable and correctly represented.

3. Operational Audits:

Assess internal processes within the organisation to identify areas for process improvement, efficiency, and effectiveness.

4. Integrated Audits:

Combine elements of operational and financial audits to provide a comprehensive evaluation of both process efficiency and financial accuracy.

5. Administrative Audits:

Examine administrative controls to determine their effectiveness in achieving organisational goals, including productivity benchmarks.

6. Specialised Audits:

Involve specific areas such as third-party risk assessments of crucial suppliers, incorporating reports like the SOC 2 Type 2 to evaluate security, availability, and confidentiality.

7. Computer Forensic Audits:

Investigate system failures or security breaches to determine why they occurred. Subject Matter Experts (SMEs) assess business processes, maintain the chain of custody, and ensure evidence integrity without tampering.

8. Functional Audits:

Target specific organisational functions, such as Human Resources (HR), to assess their efficiency, compliance, and alignment with organisational goals.

9. Readiness Assessments:

Prepare organisations for certifications like ISO 91000 by evaluating current compliance levels and identifying areas needing improvement.

Information Systems Security Evaluation

The security of information systems is evaluated based on:

Confidentiality: Ensuring sensitive data is accessible only to authorised users, often through encryption and secure login mechanisms.

Integrity: Maintaining the accuracy and consistency of data, with measures to prevent unauthorised alteration.

Availability: Guaranteeing reliable access to information systems when needed, supported by robust access controls and system maintenance protocols.

Control Self-Assessment (CSA)

It is an assessment conducted by the staff and management of the unit or units involved to evaluate the controls they have implemented. This assessment serves as a reassurance to stakeholders, customers, and other parties, assuring them of the reliability of the enterprise’s internal control system. Additionally, CSA ensures that employees are aware of the risks to the business and conduct periodic, proactive reviews of the controls to identify and address any potential issues.

What does an IS auditor do?

An IS auditor acts as a facilitator for business process owners, helping them define and assess appropriate controls. They assist process owners in understanding the need for controls based on the risk to business processes. Additionally, they collaborate with process owners to evaluate the performance of controls against established control objectives.

CSA Programs and Objectives

CSA Programs can be implemented through various methods, including questionnaires, surveys, facilitated workshops, and informal peer reviews. By shifting some of the control monitoring responsibilities to the functional areas, the internal audit function can be leveraged. Additionally, it is crucial to educate management about control design and monitoring, particularly in areas of high risk.

IS Auditor Role in CSA

The role of IS auditors in CSA programs is multifaceted. When CSA programs are established, IS auditors become internal control professionals and assessment facilitators. To be effective, IS auditors must understand the business processes being assessed. They act as facilitators, with management clients participating as participants. IS auditors lead and guide auditees in assessing their environment, providing insight into control objectives. With management focused on improving productivity, IS auditors are better positioned to explain risk.

Elements of Integrated Auditing include:

– Identifying the risks faced by the organisation for the area being audited.

– Identifying relevant key controls:

– Reviewing and understanding the design of key controls.

– Testing that key controls are supported by the IT system.

– Testing that management controls operate effectively.

– A combined report or opinion on control risk, design, and weaknesses.

An internal audit report is expected to cover the business process, the controls, their design and operational effectiveness, the methodology followed and what was actually tested, and management's assertion regarding the deficiencies found.

Case study

AlphaCorp is a multinational enterprise with diverse operations ranging from manufacturing to online sales. The enterprise is encountering several challenges, and management is seeking assistance in identifying the most appropriate types of audits to address specific issues. Your task as the IS auditor is to determine which type of audit is needed for each situation.

What kind of audit should be performed on these scenarios?

Senior leadership has concerns about the security ever since the prior fiscal year when there was a series of instances of unauthorized access to sensitive data across the enterprise network infrastructure. A substantial cost was incurred leveraging a forensic investigator.

AlphaCorp is preparing for a merger with another company, and potential investors are scrutinizing the financial health of the organization.

The manufacturing division of AlphaCorp has experienced a decline in productivity and an increase in production costs. Management suspects inefficiencies in the enterprise production processes.

Recent changes in international trade policies have prompted concerns. Management wants to ensure that the enterprise is adhering to all relevant laws and regulations.

As an IS auditor at AlphaCorp, the following types of audits would be most suitable to address specific issues encountered by the enterprise:

Operational Audit: To evaluate the efficiency and effectiveness of manufacturing and online sales operations. This audit focuses on process improvements and resource optimisation.

Compliance Audit: To ensure that AlphaCorp adheres to industry regulations, legal requirements, and internal policies, especially critical in multinational operations where diverse laws apply.

Financial Audit: To verify the accuracy of financial statements, identify discrepancies, and ensure proper financial reporting across global divisions.

Information Systems (IS) Audit: To assess the reliability, security, and performance of IT systems supporting online sales and enterprise operations, identifying vulnerabilities and risks.

Internal Audit: To provide an independent evaluation of internal controls, risk management, and governance processes across all departments.

Environmental Audit: Particularly relevant if AlphaCorp’s manufacturing operations have significant environmental impacts, ensuring compliance with environmental laws and sustainable practices.

Identifying the correct audit type ensures that AlphaCorp’s challenges are addressed effectively, promoting organisational integrity and operational efficiency.

Risk-Based Audit Planning

The audit universe should encompass all relevant business processes, ideally listing all those eligible for audit consideration, thus representing the enterprise blueprint.

Short-Term Audit Planning:

– Considers audit issues that will be covered during the year.

Long-Term Audit Planning:

– Considers risk-related issues regarding changes in the enterprise's IT strategic direction that will affect the enterprise's IT environment. Long-term plans may span multiple years, areas, and locations.

For example, rating reputation as a critical risk factor:

– High: A process issue may result in damage to the enterprise’s reputation that will take more than six months to recover.

– Medium: A process issue may result in damage to the enterprise’s reputation that will take less than six months but more than three months to recover.

– Low: A process issue may result in damage to the enterprise’s reputation that will take less than three months to recover.

Individual Audit Assignments

In addition to overall annual planning, each individual audit assignment must be adequately planned. Consider the following factors:

– Results of periodic risk assessments

– Changes in the application of technology

– Evolving privacy issues and regulatory requirements

Audit Planning as an IS Auditor

As an IS auditor, you should gain an understanding of the enterprise mission, objectives, purpose, and processes. You should also understand the changes in the business environment of the auditee. Review prior work papers to identify stated contents, such as policies, standards, required guidelines, procedures, and organisation structure.

Next, set the audit scope and audit objectives. Develop the audit approach or audit strategy and address engagement logistics. Finally, identify opportunities for continuous audit or audit automation using computer-assisted audit tools (CAATs).

The impact of laws and regulations on IS audit planning is significant. Each organisation must adhere to various governmental and external requirements related to IS practices, controls, and data usage, storage, and security. This includes ensuring that the enterprise’s direction and intent align with its security posture, implementing structured approaches to security program implementation, and maintaining confidence that adequate and effective information security measures will protect valuable assets. Information and knowledge are crucial assets to an enterprise, and their reliance on information and related systems underscores the criticality of information security governance. Senior management and the entire enterprise must fully support information security to ensure its effectiveness.

Compliance with External Laws and Regulations

The IS auditor should identify the impact of laws and regulations on IS audit planning, including electronic data, personal data, copyrights, e-commerce, e-signatures, and more. They should also consider IS practices and controls, the storage of computers, programs, and data, the organisation or activities of information technology services, and IS audits.

Determining Compliance

Document the applicable laws and regulations. Assess whether the enterprise and IT departments have considered external requirements. Review internal IT department/function/activity documents that address adherence to industry-specific laws. Determine if established procedures address these requirements. Finally, check if there are procedures to ensure that contracts or agreements with external IT service providers comply with legal requirements.

Audit Risk and Materiality

Overall Audit Risk:

– The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred.

– The audit approach should limit the audit risk in the area under scrutiny, ensuring that the overall audit risk is at a sufficiently low level at the completion of the examination.

Control Risk:

– The risk that a material error exists that would not be prevented or detected on a timely basis (e.g., the risk of manual reviews of computer logs).

Inherent Risk:

– The risk level or exposure of a process/entity to be audited without considering the controls that management has implemented.

– Exists independently of an audit and can occur due to the nature of the business.

Detection Risk:

– The risk that material errors or misstatements will not be detected by the Internal Auditor.
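The four risk components above combine in the standard audit risk model, shown here as an added worked illustration (the notes define the terms but do not state the model):

$$AR = IR \times CR \times DR$$

If the planned overall audit risk is $AR = 0.05$ and the auditor assesses $IR = 0.8$ and $CR = 0.5$, the detection risk that can be accepted is

$$DR = \frac{AR}{IR \times CR} = \frac{0.05}{0.8 \times 0.5} = 0.125,$$

so substantive testing must be extensive enough that the chance of missing a material error is at most 12.5%. If compliance testing shows the controls cannot be relied on ($CR = 1.0$), the same target gives $DR = 0.0625$, and substantive testing must roughly double in assurance; this is the link between the compliance test results and the amount of substantive testing.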

Risk Assessment

An IS auditor should understand how the enterprise being audited approaches risk assessment.

1. Identify, quantify, and prioritise risks against criteria for risk acceptance and objectives.

2. Guide and determine the appropriate management action and priorities.

3. Perform periodically to address changes in the environment, security requirements, and the risk landscape.

4. Management, not the IS auditor, is responsible for the risk assessment process.

Risk assessment methodologies range from simple classifications (e.g., high, medium, low) to complex scientific calculations. The results of the management risk assessment can be leveraged to supplement the IS auditor’s risk assessment procedures. Furthermore, using risk assessment to determine areas to be audited provides several outcomes.

Enable audit management to effectively allocate limited audit resources. This will establish a basis for effectively managing the audit department.

Ensure relevant information has been obtained from all levels of management. Provide a summary of how individual audit subjects relate to the overall organisation.

Risk Analysis

Risk analysis is a subset of risk assessment. It is used during audit planning to help identify risks and vulnerabilities. This allows IS auditors to determine the controls needed to mitigate risk.

Evaluating IT Business Processes

Must be able to identify and differentiate risk types (inherent, detection, and audit risk) and the controls used to mitigate them, bearing in mind that applying a control has a cost.

Should have knowledge of common business risk areas, related technology risk, and relevant controls.

Evaluate the risk assessment and management process and techniques used by business managers.

Understand that risk exists within the audit process itself.

Due to resource constraints of the IS audit team, the originally approved audit plan cannot be completed. Assuming the situation is communicated in the audit report, which course of action is most acceptable?

A. Test the adequacy of the control design.

B. Test the operational effectiveness of controls.

C. Focus on auditing high-risk areas.

D. Rely on management testing of controls.

Internal controls operate at all levels within an enterprise to mitigate risks that could prevent it from achieving its business objectives. Two key aspects of controls should be addressed: what should be achieved and what should be avoided.

The board of directors sets the culture of the organisation and the overall governance framework that is carried out.

Types of control:

Preventive measures deter potential security breaches by implementing measures such as encryption, user authentication, and constructing secure doors. These measures prevent unauthorized access and provide guidance to users to discourage intentional or unintentional compromises.

Detective measures detect security policy and practice violations and intrusions. Examples include intrusion detection systems (IDSs) and checksums. These measures alert administrators to potential issues and allow for prompt remediation.

Corrective measures address errors, omissions, unauthorized uses, and intrusions once they are detected. Examples include data backups, error correction, and automated failover. These measures help mitigate the impact of security breaches and ensure data integrity.

Compensating measures address weaknesses in the enterprise’s control structure. For instance, placing unsecured systems on isolated network segments with strong perimeter security and adding third-party challenge-response mechanisms to devices without individual login accounts can compensate for vulnerabilities.

Control Relationship to Risk

There is a direct relationship between risk and control that demonstrates that controls are implemented to mitigate risk. Auditors should always have a clear understanding of the applicable risks to the controls being evaluated. When evaluating controls, the IS auditor should ensure that management’s identified controls are mapped back to the applicable risks. Controls are justified by the risk that necessitates their existence.

Compliance Testing:

– Gathers evidence to test enterprise compliance with control procedures.

– Determines whether controls are applied in a manner that complies with management policies and procedures.

– Requires understanding by the IS auditor of the test objective and the control being tested.

Substantive Testing:

– Gathers evidence to evaluate the integrity of individual transactions, data, or other information.

– Substantiates the integrity of actual processing and tests the completeness and accuracy of report data.

– The amount of testing required directly correlates to the level of internal controls identified by compliance tests.

Relationship Between Compliance and Substantive Tests

Review the system to identify controls.

Test compliance to determine whether controls are functioning effectively.

Evaluate the controls to determine the basis for reliance and the nature, scope, and timing of substantive tests.

Use two types of substantive tests to evaluate the validity of the data:

Test balances and transactions.

Perform analytic review procedures.

Sampling

Sampling is a statistical method used to infer characteristics about a population based on the characteristics of a sample. There are two general approaches to audit sampling: statistical sampling and judgment sampling.

Audit sampling follows these steps:

1. Determine the objectives of the audit.

2. Define the population that will be sampled.

3. Choose the appropriate sampling method (statistical or judgment).

4. Calculate the sample size based on the objectives and the population size.

5. Select the sample using the chosen method.

6. Evaluate the sample to ensure that it represents the population accurately.

Attribute sampling

Also known as fixed sample-size attribute sampling, it is used to estimate the rate of occurrence of a specific quality in a population.

Stop-or-go sampling

It helps prevent excessive sampling of an attribute and allows an audit test to be stopped at the earliest possible moment.

Discovery sampling

It is most commonly used when the audit objective is to uncover fraud, circumvention of regulations, or other irregularities.

Variable sampling

It encompasses three types of quantitative sampling models: stratified mean per unit, unstratified mean per unit, and difference estimation.

Sampling risk, a potential pitfall in internal audit, arises when an auditor’s conclusion differs from what would be reached if the entire population were subjected to the same audit procedure. This risk manifests in two forms: the risk of incorrect acceptance and the risk of incorrect rejection.
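The sampling steps, attribute and stop-or-go sampling, and the two forms of sampling risk above, as an added Python illustration that is not part of the original notes. The population of change tickets is constructed, and the discovery sample-size and binomial upper-limit formulas are standard statistics the notes describe in words but do not state.

```python
"""Audit sampling helpers for one attribute test, added here as an illustration
of the notes' sampling steps (not the notes' own code). Population is constructed;
the sample-size and upper-limit formulas are standard ones the notes do not state."""
import math
import random

# Constructed population: 400 change tickets, attribute = "was it approved?".
# Every 57th ticket is planted as a deviation (7 of 400, a 1.75% rate).
POPULATION = [{"ticket": f"CHG-{i:04d}", "approved": i % 57 != 0}
              for i in range(1, 401)]

def discovery_sample_size(expected_rate, confidence):
    """Smallest n that shows at least one deviation with the given confidence
    when the true deviation rate is expected_rate: 1 - (1 - p)^n >= confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - expected_rate))

def deviations(items):
    """Number of examined items that fail the attribute."""
    return sum(1 for item in items if not item["approved"])

def upper_deviation_limit(n, k, confidence, grid=1000):
    """One-sided upper confidence limit on the population deviation rate after k
    deviations in n items: smallest grid rate p with P(X <= k | n, p) <= 1 - confidence."""
    for step in range(1, grid + 1):
        p = step / grid
        cdf = sum(math.comb(n, x) * p ** x * (1 - p) ** (n - x) for x in range(k + 1))
        if cdf <= 1 - confidence:
            return p
    return 1.0

def attribute_sampling(population, n, tolerable_rate, seed=0):
    """Fixed sample-size attribute sampling: one seeded random sample (so the
    selection can be re-performed), one estimate, compared with the tolerable rate."""
    rate = deviations(random.Random(seed).sample(population, n)) / n
    return {"sample_size": n, "deviation_rate": rate,
            "rely_on_control": rate <= tolerable_rate}

def stop_or_go_sampling(population, block, tolerable_rate, confidence, seed=0):
    """Stop-or-go sampling: examine items block by block and stop at the earliest
    point where the upper limit is within the tolerable rate (rely) or the observed
    rate already exceeds it (do not rely), so no more items are examined than needed."""
    order = population[:]
    random.Random(seed).shuffle(order)
    examined = []
    for start in range(0, len(order), block):
        examined.extend(order[start:start + block])
        n, k = len(examined), deviations(examined)
        if k / n > tolerable_rate:
            return {"examined": n, "rely_on_control": False}
        if upper_deviation_limit(n, k, confidence) <= tolerable_rate:
            return {"examined": n, "rely_on_control": True}
    # Population exhausted: the conclusion is then simply the full-population one.
    return {"examined": n, "rely_on_control": k / n <= tolerable_rate}

def sampling_risk(population, n, tolerable_rate, trials=200):
    """Estimate both forms of sampling risk by re-drawing the sample under many
    seeds and comparing each verdict with the whole-population conclusion."""
    truth = deviations(population) / len(population) <= tolerable_rate
    accept = reject = 0
    for seed in range(trials):
        verdict = attribute_sampling(population, n, tolerable_rate, seed)["rely_on_control"]
        accept += verdict and not truth   # incorrect acceptance
        reject += truth and not verdict   # incorrect rejection
    return {"incorrect_acceptance": accept / trials,
            "incorrect_rejection": reject / trials}

if __name__ == "__main__":
    print(attribute_sampling(POPULATION, discovery_sample_size(0.05, 0.95), 0.05))
    print(stop_or_go_sampling(POPULATION, 20, 0.05, 0.95))
    print(sampling_risk(POPULATION, 59, 0.02))
```

With a 2% tolerable rate the constructed population (1.75%) should be relied on, so every disagreement the simulation reports is an incorrect rejection; raising the tolerable rate or the sample size shows how that risk shrinks.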

IS-specific controls should include strategies and directions for the IT function, general organization and management, access to IT resources (including data and programs), systems development methodologies and change control, operations procedures (systems programming and technical support functions), quality assurance (QA) procedures, physical access controls, business continuity planning (BCP) and disaster recovery planning (DRP), networks and communication technology (e.g., local area networks, wide area networks, wireless), database administration, and protection and detection mechanisms against internal and external attacks.

Control Classifications

Preventive controls:

– Inhibit or impede attempts to violate security policy and practices.

– Examples: Encryption, user authentication, and vault-construction doors.

Deterrent controls:

– Provide guidance or warnings that may dissuade intentional or unintentional attempts at compromise.

– Examples: Warning banners on login screens, acceptable use policies, security cameras, and rewards for the arrest of hackers.

Detective controls:

– Provide warnings of violations or attempted violations of security policy and practices without inhibiting or impeding these actions.

– Examples: Audit trails, intrusion detection systems (IDSs), and checksums.

Corrective controls:

– Remediate errors, omissions, unauthorized uses, and intrusions when detected.

– Examples: Data backups, error correction, and automated failover.

Compensating controls:

– Offset a weakness in the control structure of the enterprise.

– Examples: Placing unsecured systems on isolated network segments with stringent perimeter security and adding third-party challenge-response mechanisms to devices that do not support individual login accounts.

Control Relationship to Risk

There is a direct relationship between risk and control that demonstrates that risk is addressed through controls.

Auditors should always have an understanding of the applicable risks to the controls being evaluated.

When evaluating controls, the IS auditor should ensure that management’s identified controls are mapped back to the applicable risks.

Controls are justified by the risk that mandates their existence.
