1781269
Process of Auditing
Information System
- Mgmt of IS Audit Function
- Fulfil audit function objectives
- Preserving audit indepence & competence
- Value added contributions to senior mgmt
- efficient mgmt of IT
- achievement of Biz Obj
- achievement of Biz Obj
- efficient mgmt of IT
- Organization
- Role - established by:
- Audit Charter
- state mgmt's responsibility & objectives
- delegation of authority to the IS audit function
- outline the overall authority, scope & responsibilities of the audit function
- approved by senior mgmt (highest level of mgmt and the audit committee)
- should be changed only if the change is thoroughly justified
- state mgmt's responsibility & objectives
- Audit Charter
- Provide IT-related control assurance
to financial / mgmt auditors
- IS Audit Resource Mgmt
- Audit Planning
- Short-term
- audit issues that will be covered during the year
- audit issues that will be covered during the year
- Long-term
- risk-related issues regarding changes in the organisation's IT
strategic direction that will affect the organization's IT environment
- risk-related issues regarding changes in the organisation's IT
strategic direction that will affect the organization's IT environment
- Audit Universe
- list all processes that may be considered for audit
- subject to qualitative or quantitative risk assessment
- risk factors: frequency / biz impact of risk scenarios
- evaluation of risk should ideally be
based on inputs from biz process owners
- list all processes that may be considered for audit
- analysis of short- and
long-term issues should
occur at least annually
- new control issues
- changes in risk env, technologies & biz processes
- enhanced evaluation techniques
- enhanced evaluation techniques
- changes in risk env, technologies & biz processes
- review by senior audit
mgmt | approve by audit
committee or board of
directors | communicate
to relevant levels of mgmt
- new control issues
- Short-term
- Audit Planning
- audit charter - overarching doc, entire scope of audit activities in an entity
engagement letter - more focused on a particular audit exercise
- Role - established by:
- Fulfil audit function objectives
- Performing an IS Audit
- Classification of Audits
- Compliance
- Financial
- Operational
- Integrated
- Administrative
- IS
- Specialized
- Forensic
- Compliance
- Audit Programs
- General audit
procedures
- understanding of audit
area / subject
- Risk assessment and
general audit plan and
schedule
- detailed audit
planning
- Preliminary review of the
audit area / subject
- Evaluating the audit
area / subject
- understanding of audit
area / subject
- General audit
procedures
- Fraud
Detection
- come across
indicators of fraud
- careful
evaluation
- communicate the need
for detailed investigation
- communicate the need
for detailed investigation
- Major fraud / high risk
- communicate in a timely
manner to audit committee
- communicate in a timely
manner to audit committee
- careful
evaluation
- come across
indicators of fraud
- Risk-based
Audit
Approach
- Gather
information
and plan
- Biz & industry knowledge / Prior year's audit
results / Recent financial info / Regulatory statues /
Inherent risk assessments
- Biz & industry knowledge / Prior year's audit
results / Recent financial info / Regulatory statues /
Inherent risk assessments
- Obtain
understanding
of internal
control
- Control env / control procedures,
control / detection risk assessment,
equate total risk
- Control env / control procedures,
control / detection risk assessment,
equate total risk
- Perform
compliance
tests
- identify key controls to be
tested, perform tests on
reliability, risk prevention and
adherence to org policies &
procedures
- identify key controls to be
tested, perform tests on
reliability, risk prevention and
adherence to org policies &
procedures
- Perform
substantive
test
- Analytical procedures, detailed
tests of account balance, other
substantive audit procedures
- Analytical procedures, detailed
tests of account balance, other
substantive audit procedures
- Conclude
the audit
- Create recommendations, write
audit report
- Create recommendations, write
audit report
- Gather
information
and plan
- Audit Risk & Materiality
- Def: the risk that info may contains a material error that may
go undetected during the course of the audit | Influenced by:
- Inherent Risk
- exposure of the process / entity to be audited without
taking into account the controls implemented
- exposure of the process / entity to be audited without
taking into account the controls implemented
- Control
Risk
- Risk that a material error exists that would not be
prevented or detected on a timely basis by the
system of internal controls
- Risk that a material error exists that would not be
prevented or detected on a timely basis by the
system of internal controls
- Detection Risk
- risk that material errors or misstatements that
have occurred will not be detected by the IS auditor
- risk that material errors or misstatements that
have occurred will not be detected by the IS auditor
- Overall Audit Risk
- Def: the risk that info may contains a material error that may
go undetected during the course of the audit | Influenced by:
- Risk Treatment
- Risk Mitigation
- Risk Acceptance
- Risk Avoidance
- Risk Transfer / Sharing
- Risk Transfer / Sharing
- Risk Avoidance
- Risk Acceptance
- Risk Mitigation
- Compliance Testing VS Substantive
Testing
- Compliance testing - evidence gathering for the purpose of testing
an organization's compliance with control procedures
- Substantive testing - evidence is gathered to evaluate the integrity of
individual transactions, data or other info
- If compliance test reveal the presence of adequate internal
controls > minimising the substantive procedures
- If compliance test reveal the presence of adequate internal
controls > minimising the substantive procedures
- Substantive testing - evidence is gathered to evaluate the integrity of
individual transactions, data or other info
- Compliance testing - evidence gathering for the purpose of testing
an organization's compliance with control procedures
- Evidence
gathering
- IS Org Structure
- Segregation of duties
- Segregation of duties
- IS Policies & Procedures
- appropriate policies & procedures are in
place, personnel understand the implemented
p&p, ensure p&p are being followed
- appropriate policies & procedures are in
place, personnel understand the implemented
p&p, ensure p&p are being followed
- IS Standaards
- Understand existing standards
- Understand existing standards
- IS Documentation
- doc integrity. feasibility study, SLAs, functional
requirements, design spec, test plan and report, program
and operation doc, change log, manuals, BCP, QA,
- doc integrity. feasibility study, SLAs, functional
requirements, design spec, test plan and report, program
and operation doc, change log, manuals, BCP, QA,
- Interview
- Observing processes & employee performance
- Reperformance
- provide assurance that a control is operating effectively
- provide assurance that a control is operating effectively
- Walkthrough
- confirm the understanding of controls
- confirm the understanding of controls
- IS Org Structure
- Sampling
- Attribute
- Rate of occurrence of a specific quality (attribute) in a population E.g. approval signatures
- Rate of occurrence of a specific quality (attribute) in a population E.g. approval signatures
- Stop-or-go
- helps prevent excessive sampling - to be stopped at the earliest. used when
auditor believes that relatively few errors will be found in a population
- helps prevent excessive sampling - to be stopped at the earliest. used when
auditor believes that relatively few errors will be found in a population
- Discovery
- used when expected occurrence rate is extremely low, obj is to
discover fraud, circumvention of regulations or other irregularties
- used when expected occurrence rate is extremely low, obj is to
discover fraud, circumvention of regulations or other irregularties
- 2 approaches
- Statistical sampling -
Objective, probability
- Non-statistical sampling -
determine by auditor judgement
- Statistical sampling -
Objective, probability
- Variable
- estimate the monetary value or some other unit of measure of a population from a
sample portion. Confidence coefficient - strong internal control, auditor may lower
the confidence coefficient. Larger coef, larger sample size. e.g. balance sheet for
material txn & application review of the program that produced the balance sheet
- estimate the monetary value or some other unit of measure of a population from a
sample portion. Confidence coefficient - strong internal control, auditor may lower
the confidence coefficient. Larger coef, larger sample size. e.g. balance sheet for
material txn & application review of the program that produced the balance sheet
- Attribute
- CAAT
- GAS
- file access / reorganisation / data selection
/ statistical / arithmetical functions
- file access / reorganisation / data selection
/ statistical / arithmetical functions
- Utility software
- provides evidence about system control
effectiveness - e.g. report generators
- provides evidence about system control
effectiveness - e.g. report generators
- Test data
- using a sample set of data to
assess whether logic error exist
- using a sample set of data to
assess whether logic error exist
- Application software
tracing & mapping
- provide info about
internal controls built in
- provide info about
internal controls built in
- Audit-expert
- query-based system built on
knowledge base of senior auditors
& managers, give direction &
valuable info to all level of auditors
- query-based system built on
knowledge base of senior auditors
& managers, give direction &
valuable info to all level of auditors
- GAS
- Classification of Audits
- Risk Analysis
- Risk Assessment Process
- Identify BO
- Identify Info Assets supporting the BOs
- Perform Risk Assessment [Threat -
Vulnerability - Probability - Impact]
- Perform Risk Mitigation [Map
risks with controls in place]
- Perform Risk Treatment [Treat significant
risks not mitigated by existing controls
- Perform Periodic Risk
Reevaluation (BO/RA/RM/RT)
- Perform Periodic Risk
Reevaluation (BO/RA/RM/RT)
- Perform Risk Treatment [Treat significant
risks not mitigated by existing controls
- Perform Risk Mitigation [Map
risks with controls in place]
- Perform Risk Assessment [Threat -
Vulnerability - Probability - Impact]
- Identify Info Assets supporting the BOs
- Identify BO
- Risk Assessment Process
- Internal Controls
- Classifications:
- Preventive
- Detective
- Corrective
- Corrective
- Detective
- Preventive
- COBIT 5
- IS Control Objectives
- IS Controls
- Classifications:
- Control
Self-Assessment
- Objectives
- Leverage the internal audit function by shifting some
control monitoring responsibilities to the function areas
- Not intended to replace audit's responsibilities, but to enhance them
- Leverage the internal audit function by shifting some
control monitoring responsibilities to the function areas
- Phase
- Planning
- Implementation
- Monitoring
- Monitoring
- Implementation
- Planning
- CSF
- meeting with biz rep to identify the BU's primary obj
- to determine the reliability of the internal control system
- meeting with biz rep to identify the BU's primary obj
- Benefits
- Early detection of risks / more effective and improved internal controls /
creation of cohesive teams / developing the sense of ownership of the controls
in the employees & process owners/ reducing resistance to control improvement
initiatives / awareness / knowledge / communication / reduction in control $
- Early detection of risks / more effective and improved internal controls /
creation of cohesive teams / developing the sense of ownership of the controls
in the employees & process owners/ reducing resistance to control improvement
initiatives / awareness / knowledge / communication / reduction in control $
- Objectives
- Continuous Auditng
- collection & analysis of data in real-time txns
- high-level of financial control
- avoid fraud
- avoid fraud
- high-level of financial control
- collection & analysis of data in real-time txns
Quer criar seus próprios Mapas Mentais gratuitos com a GoConqr? Saiba mais.