Process of Auditing Information System

Description

Mind map on Process of Auditing Information System, created by lcryst on 11/12/2014.

Resource Summary

Process of Auditing Information System
  1. Mgmt of IS Audit Function
    1. Fulfil audit function objectives
      1. Preserving audit independence & competence
      2. Value-added contributions to senior mgmt
        1. efficient mgmt of IT
        2. achievement of biz objectives
    2. Organization
      1. Role - established by the Audit Charter
        1. states mgmt's responsibility & objectives, and the delegation of authority to the IS audit function
        2. outlines the overall authority, scope & responsibilities of the audit function
        3. approved by senior mgmt (the highest level of mgmt and the audit committee)
        4. should be changed only if the change is thoroughly justified
      2. Provides IT-related control assurance to financial / mgmt auditors
    3. IS Audit Resource Mgmt
    4. Audit Planning
      1. Short-term: audit issues that will be covered during the year
      2. Long-term: risk-related issues regarding changes in the organisation's IT strategic direction that will affect the organization's IT environment
      3. Audit Universe: lists all processes that may be considered for audit
        1. subject to qualitative or quantitative risk assessment
          1. risk factors: frequency / biz impact of risk scenarios
          2. evaluation of risk should ideally be based on inputs from biz process owners
      4. Analysis of short- and long-term issues should occur at least annually, to pick up:
        1. new control issues
        2. changes in risk env, technologies & biz processes
        3. enhanced evaluation techniques
        4. the resulting plan is reviewed by senior audit mgmt | approved by the audit committee or board of directors | communicated to relevant levels of mgmt
      5. Audit charter - overarching doc covering the entire scope of audit activities in an entity; engagement letter - more focused on a particular audit exercise
  2. Performing an IS Audit
    1. Classification of Audits
      1. Compliance
      2. Financial
      3. Operational
      4. Integrated
      5. Administrative
      6. IS
      7. Specialized
      8. Forensic
    2. Audit Programs - general audit procedures
      1. understanding of the audit area / subject
      2. risk assessment and general audit plan and schedule
      3. detailed audit planning
      4. preliminary review of the audit area / subject
      5. evaluating the audit area / subject
    3. Fraud Detection
      1. on coming across indicators of fraud: careful evaluation, then communicate the need for a detailed investigation
      2. major fraud / high risk: communicate in a timely manner to the audit committee
    4. Risk-based Audit Approach
      1. Gather information and plan: biz & industry knowledge / prior year's audit results / recent financial info / regulatory statutes / inherent risk assessments
      2. Obtain an understanding of internal control: control env / control procedures, control / detection risk assessment, equate total risk
      3. Perform compliance tests: identify key controls to be tested, perform tests on reliability, risk prevention and adherence to org policies & procedures
      4. Perform substantive tests: analytical procedures, detailed tests of account balances, other substantive audit procedures
      5. Conclude the audit: create recommendations, write the audit report
    5. Audit Risk & Materiality
      1. Def: the risk that info may contain a material error that goes undetected during the course of the audit | Influenced by:
        1. Inherent Risk: exposure of the process / entity to be audited without taking into account the controls implemented
        2. Control Risk: risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls
        3. Detection Risk: risk that material errors or misstatements that have occurred will not be detected by the IS auditor
        4. Overall Audit Risk: the combined effect of inherent, control and detection risk
    6. Risk Treatment
      1. Risk Mitigation
      2. Risk Acceptance
      3. Risk Avoidance
      4. Risk Transfer / Sharing
    7. Compliance Testing vs Substantive Testing
      1. Compliance testing - evidence gathering for the purpose of testing an organization's compliance with control procedures
      2. Substantive testing - evidence is gathered to evaluate the integrity of individual transactions, data or other info
      3. If compliance tests reveal the presence of adequate internal controls > substantive procedures can be minimised
    8. Evidence gathering
      1. IS Org Structure: segregation of duties
      2. IS Policies & Procedures: appropriate policies & procedures are in place, personnel understand the implemented p&p, ensure p&p are being followed
      3. IS Standards: understand existing standards
      4. IS Documentation: doc integrity - feasibility study, SLAs, functional requirements, design spec, test plan and report, program and operation doc, change log, manuals, BCP, QA
      5. Interview
      6. Observing processes & employee performance
      7. Reperformance: provides assurance that a control is operating effectively
      8. Walkthrough: confirms the understanding of controls
    9. Sampling
      1. 2 approaches
        1. Statistical sampling - objective, probability-based
        2. Non-statistical sampling - sample determined by auditor judgement
      2. Attribute sampling: rate of occurrence of a specific quality (attribute) in a population, e.g. approval signatures
        1. Stop-or-go: helps prevent excessive sampling - sampling is stopped at the earliest point possible; used when the auditor believes that relatively few errors will be found in a population
        2. Discovery: used when the expected occurrence rate is extremely low; the objective is to discover fraud, circumvention of regulations or other irregularities
      3. Variable sampling: estimates the monetary value or some other unit of measure of a population from a sample portion. Confidence coefficient - with strong internal control the auditor may lower the confidence coefficient; the larger the coefficient, the larger the sample size. e.g. balance sheet for material txns & application review of the program that produced the balance sheet
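The sampling items above are usually learned from tables; the arithmetic behind them is short enough to run. The block below is an added worked example, not code from the original mind map: it computes attribute and discovery sample sizes, evaluates a sample with a one-sided upper bound on the deviation rate, drives a stop-or-go decision with that bound, and shows how the confidence coefficient sets the variable-sampling sample size. The function names, parameters and the constructed population of 150 purchase orders (one missing approval at index 10) are assumptions; the binomial and mean-per-unit formulas are the standard ones underlying the published tables.

```python
"""Sampling arithmetic for attribute, stop-or-go, discovery and variable
sampling.  Added example; function names, parameters and the constructed
APPROVALS population are assumptions made for illustration."""
import math
import statistics
from statistics import NormalDist


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_deviations: int = 0) -> int:
    """Smallest n such that, if the population deviation rate really equalled
    the tolerable rate, seeing no more than `expected_deviations` in the sample
    would happen with probability at most (1 - confidence)."""
    risk = 1.0 - confidence
    n = expected_deviations + 1
    while binom_cdf(expected_deviations, n, tolerable_rate) > risk:
        n += 1
    return n


def discovery_sample_size(confidence: float, tolerable_rate: float) -> int:
    """Zero-deviation case in closed form: smallest n with (1 - p)^n <= 1 - C,
    i.e. probability C of seeing at least one occurrence at true rate p."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - tolerable_rate))


def upper_deviation_rate(n: int, observed: int, confidence: float) -> float:
    """One-sided upper confidence bound on the population deviation rate: the
    smallest rate at which `observed` or fewer deviations in n items becomes
    as unlikely as (1 - confidence).  Bisection on the binomial CDF."""
    risk = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if binom_cdf(observed, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi


def stop_or_go(items, is_deviation, tolerable_rate, confidence, stage_size):
    """Examine the population in stages and stop as soon as the upper bound on
    the deviation rate is within the tolerable rate, so a population with few
    deviations is never over-sampled."""
    examined = deviations = 0
    bound = 1.0
    for start in range(0, len(items), stage_size):
        stage = items[start:start + stage_size]
        examined += len(stage)
        deviations += sum(1 for item in stage if is_deviation(item))
        bound = upper_deviation_rate(examined, deviations, confidence)
        if bound <= tolerable_rate:
            break
    return {"reliable": bound <= tolerable_rate, "examined": examined,
            "deviations": deviations, "upper_bound": bound}


def variable_sample_size(confidence, population_size, std_dev, tolerable_misstatement):
    """Mean-per-unit variable sampling: n = (z * sigma * N / E)^2.  A higher
    confidence coefficient gives a larger z and therefore a larger sample."""
    z = NormalDist().inv_cdf(1.0 - (1.0 - confidence) / 2.0)
    return math.ceil((z * std_dev * population_size / tolerable_misstatement) ** 2)


def mean_per_unit_estimate(sample_values, population_size, confidence):
    """Estimate a population total (e.g. a balance) from a sample, with the
    precision (half-width of the confidence interval) of that estimate."""
    n = len(sample_values)
    mean = sum(sample_values) / n
    sd = statistics.stdev(sample_values)
    z = NormalDist().inv_cdf(1.0 - (1.0 - confidence) / 2.0)
    return population_size * mean, z * population_size * sd / math.sqrt(n)


# Constructed population: 150 purchase orders, all carrying an approval
# signature except index 10, to exercise the stop-or-go decision.
APPROVALS = [{"po": f"PO-{i:04d}", "approved": i != 10} for i in range(150)]


def demo_stop_or_go():
    return stop_or_go(APPROVALS, lambda po: not po["approved"],
                      tolerable_rate=0.05, confidence=0.95, stage_size=30)


if __name__ == "__main__":
    print("discovery n (95%, 5%):", discovery_sample_size(0.95, 0.05))
    print("attribute n (95%, 10%, 1 expected):", attribute_sample_size(0.95, 0.10, 1))
    print("stop-or-go:", demo_stop_or_go())
    print("variable n at 95% vs 99%:", variable_sample_size(0.95, 1000, 50.0, 10000.0),
          variable_sample_size(0.99, 1000, 50.0, 10000.0))
```

With no expected deviations, `attribute_sample_size` and `discovery_sample_size` agree (59 items for 95% confidence and a 5% tolerable rate), which is why discovery sampling is the low-occurrence special case of attribute sampling. In the stop-or-go run the single missing approval found in the first stage of 30 pushes the upper bound above 5%, so sampling continues until 120 items have been examined and the bound drops under the tolerable rate; a clean first two stages would have stopped at 60. Raising the confidence coefficient from 95% to 99% in `variable_sample_size` moves the sample from 97 to 166 items, the "larger coefficient, larger sample size" point above.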
    10. CAAT (computer-assisted audit techniques)
      1. GAS (generalized audit software): file access / reorganisation / data selection / statistical / arithmetical functions
      2. Utility software: provides evidence about system control effectiveness - e.g. report generators
      3. Test data: using a sample set of data to assess whether logic errors exist
      4. Application software tracing & mapping: provides info about the internal controls built in
      5. Audit-expert systems: query-based system built on a knowledge base of senior auditors & managers; gives direction & valuable info to all levels of auditors
  3. Risk Analysis
    1. Risk Assessment Process
      1. Identify BOs (business objectives)
      2. Identify info assets supporting the BOs
      3. Perform Risk Assessment [Threat - Vulnerability - Probability - Impact]
      4. Perform Risk Mitigation [map risks to the controls in place]
      5. Perform Risk Treatment [treat significant risks not mitigated by existing controls]
      6. Perform Periodic Risk Reevaluation (BO / RA / RM / RT)
  4. Internal Controls
    1. Classifications: Preventive / Detective / Corrective
    2. COBIT 5
    3. IS Control Objectives
    4. IS Controls
  5. Control Self-Assessment
    1. Objectives
      1. Leverage the internal audit function by shifting some control monitoring responsibilities to the functional areas
      2. Not intended to replace audit's responsibilities, but to enhance them
    2. Phases: Planning / Implementation / Monitoring
    3. CSF (critical success factor): meeting with biz reps to identify the BU's primary objectives, in order to determine the reliability of the internal control system
    4. Benefits: early detection of risks / more effective and improved internal controls / creation of cohesive teams / developing a sense of ownership of the controls in employees & process owners / reducing resistance to control improvement initiatives / awareness / knowledge / communication / reduction in control cost
  6. Continuous Auditing
    1. collection & analysis of data on transactions in real time
    2. gives a high level of financial control
    3. helps avoid fraud
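To make the GAS functions under CAAT (file access, data selection, statistical and arithmetical functions), the reperformance and segregation-of-duties evidence items, and the continuous auditing node above concrete, here is an added example in Python; it is not code from the original mind map. The five-record payment ledger, its field names, the approval limit and the rule wording are constructed assumptions. The same tests are run once as a batch over the whole file, the way a year-end GAS run would, and once transaction by transaction through a monitor, the way continuous auditing applies them as transactions post.

```python
"""GAS-style selection, stratification, arithmetic reperformance, duplicate and
segregation-of-duties tests over a constructed payment ledger, plus the same
tests applied continuously.  Added example; LEDGER, its field names and
APPROVAL_LIMIT are assumptions made for illustration."""
from collections import Counter, defaultdict

# Constructed ledger, as a GAS would read it from a payments file.
LEDGER = [
    {"id": "P-1001", "date": "2014-11-03", "vendor": "Acme Ltd", "prepared_by": "alice",
     "approved_by": "bob", "lines": [400.00, 600.00], "recorded_total": 1000.00},
    {"id": "P-1002", "date": "2014-11-03", "vendor": "Acme Ltd", "prepared_by": "alice",
     "approved_by": "bob", "lines": [400.00, 600.00], "recorded_total": 1000.00},  # repeat of P-1001
    {"id": "P-1003", "date": "2014-11-04", "vendor": "Globex", "prepared_by": "carol",
     "approved_by": "carol", "lines": [12500.00], "recorded_total": 12500.00},  # self-approved, over limit
    {"id": "P-1004", "date": "2014-11-05", "vendor": "Initech", "prepared_by": "dave",
     "approved_by": "bob", "lines": [300.00, 250.00], "recorded_total": 560.00},  # lines add to 550
    {"id": "P-1005", "date": "2014-11-06", "vendor": "Globex", "prepared_by": "carol",
     "approved_by": "erin", "lines": [75.00], "recorded_total": 75.00},
]

APPROVAL_LIMIT = 10000.00  # assumed policy: single-approver limit
TOLERANCE = 0.005          # rounding tolerance when recomputing totals


def select_over_limit(records, limit=APPROVAL_LIMIT):
    """Data selection: records whose recorded total exceeds the approval limit."""
    return [r["id"] for r in records if r["recorded_total"] > limit]


def stratify_by_amount(records, bands=(100.0, 1000.0, 10000.0)):
    """Statistical function: count records per amount band (upper bound inclusive)."""
    counts = Counter()
    for r in records:
        label = next((f"<={b:.0f}" for b in bands if r["recorded_total"] <= b),
                     f">{bands[-1]:.0f}")
        counts[label] += 1
    return counts


def reperform_totals(records, tolerance=TOLERANCE):
    """Arithmetical function / reperformance: recompute each total from its line
    items and report records whose recorded total does not agree."""
    return [r["id"] for r in records
            if abs(sum(r["lines"]) - r["recorded_total"]) > tolerance]


def find_duplicates(records):
    """Duplicate-payment test: same vendor, amount and date posted more than once."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["vendor"], r["recorded_total"], r["date"])].append(r["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def segregation_of_duties_breaches(records):
    """IS org-structure evidence: a payment prepared and approved by the same person."""
    return [r["id"] for r in records if r["prepared_by"] == r["approved_by"]]


def run_batch_audit(records=LEDGER):
    """Year-end style GAS run over the whole file; returns every finding at once."""
    return {"over_limit": select_over_limit(records),
            "strata": dict(stratify_by_amount(records)),
            "total_mismatch": reperform_totals(records),
            "duplicates": find_duplicates(records),
            "sod_breaches": segregation_of_duties_breaches(records)}


class ContinuousAuditMonitor:
    """Continuous auditing: the same tests applied to each transaction as it
    posts, so an exception is raised immediately rather than at year-end."""

    def __init__(self, limit=APPROVAL_LIMIT):
        self.limit = limit
        self.seen = {}      # (vendor, amount, date) -> id of the first posting
        self.alerts = []    # (id, finding) in the order they were raised

    def ingest(self, r):
        findings = []
        if r["prepared_by"] == r["approved_by"]:
            findings.append("no segregation of duties")
        if r["recorded_total"] > self.limit:
            findings.append("exceeds approval limit")
        if abs(sum(r["lines"]) - r["recorded_total"]) > TOLERANCE:
            findings.append("total does not agree with line items")
        key = (r["vendor"], r["recorded_total"], r["date"])
        if key in self.seen:
            findings.append(f"possible duplicate of {self.seen[key]}")
        else:
            self.seen[key] = r["id"]
        self.alerts.extend((r["id"], f) for f in findings)
        return findings


def run_continuous_audit(records=LEDGER):
    """Feed the ledger through the monitor one record at a time."""
    monitor = ContinuousAuditMonitor()
    for r in records:
        monitor.ingest(r)
    return monitor.alerts


if __name__ == "__main__":
    print(run_batch_audit())
    print(run_continuous_audit())
```

Both runs surface the same four exceptions (the repeat payment, the self-approved over-limit payment and the mis-added total); the difference the continuous auditing node is making is when they surface. The batch functions need the whole file, so the duplicate is only visible after both postings are in; the monitor keeps the state it needs across records and flags P-1002 the moment it is ingested.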