Abdul-Rahman Mahmood
Assistant Professor, Computer Science, FAST-NU
abdulrahman@nu.edu.pk reddit.com/user/alphapeeler
alphapeeler.sf.net/pubkeys/pkey.htm www.flickr.com/alphapeeler
pk.linkedin.com/in/armahmood http://alphapeeler.tumblr.com
bqb-tsid-asp armahmood786@jabber.org
alphapeeler alphapeeler@aim.com
alphapeeler abdulmahmood-sss
armahmood786 alphapeeler@icloud.com
http://alphapeeler.sf.net/ pinterest.com/alphapeeler
IS Audit & Control
Building an Effective
Internal IT Audit Function
• Many audit departments spend their existence in
adversarial relationships with the rest of the
company.
• Reporting issues accomplishes nothing, except to
make people look bad, get them fired, and create
hatred of auditors.
• The real value comes when issues are addressed
and problems are solved.
Audit Department Issues
• The real mission of the internal audit
department is to help improve the state of
internal controls. This is accomplished by
performing audits and reporting the results, but
these acts provide no value in and of themselves.
• They provide value only when the internal
control issues are resolved.
• Requires a shift in focus from “reporting” to
“improving.”
Audit Department Issues
• To provide independent assurance to the audit
committee (and senior management) that
internal controls are in place at the company and
are functioning effectively.
• To improve the state of internal controls at the
company by promoting internal controls and by
helping the company identify control
weaknesses and develop cost-effective solutions
for addressing those weaknesses.
Audit Department Mission
• Webster: “not influenced or controlled by
others”
• Auditors work in the same building as their
fellow employees, forming relationships outside
the audit department.
• Success of the company is of prime interest to the
auditors.
• Audit departments include people who have
joined the department from other areas in the
company or plan to rotate out of the audit
department.
• Auditor’s relationship with the board of
directors: Bury issues and believe that he will be
allowed to “do the right thing”.
Independence: The Great
Myth
Audit team reporting structure
• Unfortunately, many auditors refuse to provide
guidance and input to teams that are developing
new systems or processes.
• Auditors can’t provide input on the controls
within the system because if they do so they’ll no
longer be independent. They say, “How can you
audit something if you’ve already signed off on
the controls?”
• The auditor shouldn’t be afraid to brainstorm
about the controls with the team. However, this
should not include actually executing the control,
writing the code for implementing it, or
configuring the system.
• Auditor should provide as much input as
Consulting and Early Involvement
(utter nonsense)
• Early involvement
• Informal audits
• Knowledge sharing
• Self-assessments
Four Methods for Consulting
• Once you’ve created a system, tested it, and
implemented it, it is much more expensive to go
back and change it than if you had done it right
the first time.
• Ask to be part of the sign-off group.
• There is the possibility that you will make a
mistake and sign off on the project even though
the system has internal control weaknesses, but
that’s a chance you have to take.
• You should not indicate that internal controls are
not applicable to the system and refuse to
participate; instead, you can provide some
high-level guidance and be done with the project for
Early involvement
• You’ll likely never go to the audit committee and
report that one of the top fifteen risks that you
need to review for the year is a tiny data center
in a remote location supporting a small handful
of people performing a less-than-critical business
process.
• Does this mean that you should never
understand the risks at that site?
• The informal audit is the mechanism to use.
• Remove the constraints of documenting their
work in detailed work papers. Forget about
taking large representative samples. Let the
auditors act as consultants.
• Auditors are able to accomplish in a short time
Informal Audits
1. Audit department agrees on timing and scope of
the informal review with the people who are to
be audited.
2. Auditor creates a checklist of areas that need
review.
3. The auditor executes those steps, keeping notes
as needed but not creating work papers for
review.
4. At the end, auditor compiles all concerns from
review.
5. Conduct a debriefing meeting with people
audited to discuss issues, their seriousness, and
fixing issues.
Informal Audits - basic steps
• As an internal auditor, you have a unique blend
of knowledge of the company and expertise in
internal controls. You must be creative in finding
new ways to share knowledge with the rest of
the company.
• Audit department should have its own website.
• Posting control guidelines on your website
empowers groups expecting an audit.
• Posting Common Issues, Best Practices, and
Innovative Solutions.
• Post info about audit tools (vulnerability
scanning etc.) that you use in audits; this enables
groups to self-assess their controls.
Knowledge Sharing
• University of Pennsylvania
• By failing to prepare, you are preparing to fail -
BEN FRANKLIN
• Office of internal audit
• http://www.upenn.edu/oacp/audit/index.html
• Details of internal control
• https://oacp.upenn.edu/audit/audit101/internal-controls-guidance/
• SBP:
• Guidelines on Internal Controls
(Confidential document)
Examples
University of Pennsylvania
University of Pennsylvania
SBP - Guidelines on Internal Controls
(Confidential document)
• Facilitating an organization in assessing itself.
• Known as control self-assessment (CSA) model.
• This could be as simple as walking through your
control guidelines.
Self-Assessments
• An effective internal audit department considers
the audit to be a partnership with fellow
employees and not a policing function.
• Following are some basic steps that you can take
to start the journey:
• Be intentional about regular updates and meetings
with IT management.
• Establish audit liaisons with different IT
organizations.
• Get yourself invited to key meetings.
• Cultivate an attitude of collaboration and
cooperation.
• Implement job swaps with the IT organization.
Relationship Building: Partnering vs.
Policing
• Application auditors
• Data extraction and analysis specialists
• IT auditors
The Role of the IT Audit Team
• Data center facilities: This, quite simply, is the
physical building and data center housing the
computer equipment on which the system in
question resides.
• Networks: This allows other systems and users to
communicate with the system in question when
they do not have physical access to it. This layer
includes basic networking devices such as
firewalls, switches, and routers.
• System platform: This provides the basic
operating environment on which the higher level
application runs. Examples are operating
systems such as
Potential auditing subject areas
• Databases: This tool organizes and provides
access to the data being run by the end
application.
• Applications: This is the end application, which
actually is seen and accessed by the end user.
This could be an enterprise resource planning
(ERP) application providing basic business
functions, an e-mail application, or a system that
allows conference rooms to be scheduled.
• Focus almost solely on the application layer.
• Ensuring that access is properly controlled and
that segregation of duties issues do not exist.
• Ensuring unauthorized application changes can’t
occur.
• Ensuring controls are in place to ensure the
integrity of data.
Application Auditors
• Experts of data extraction and analysis tools,
such as Audit Command Language (ACL).
• Developing analytics that allow for continuous
monitoring for evidence of fraud, internal
control violations, policy noncompliance, and
other abuses.
• This tutorial teaches you how to use audit
command language (ACL) to detect ghost names
in payroll.
• https://www.youtube.com/watch?v=FObE7i9GsDI
Data Extraction & Analysis Specialists
• The third model (IT auditors) is critical for
performing thorough and effective IT auditing
because it ensures that all layers are being
covered and that they are being covered by the
people with the highest level of subject matter
knowledge.
IT Auditors
• Career IT Auditors
• Sources for Career IT Auditors
• People with Internal IT Audit Experience at Other
Companies
• People with External IT Audit Experience
• College Hires
• IT Professionals
• Sources for IT Professionals as Auditors
• Technical Professionals from Within Your
Company
• Technical Professionals from Outside Your
Company
• College Hires
Forming and Maintaining an Effective
IT Audit Team
• Ability to dig into technical details without getting
lost in the details.
• Analytical skills.
• Communication skills (both written and oral).
• Ability to learn the key concepts of new
technologies quickly and identify key risk points
within those technologies.
• Willingness not to be touching a specific
technology daily.
• Build trust-based relationships with their
customers.
Key Traits of a Successful IT Auditor
• Exposure to a wide variety of technologies
• Opportunity to work with many levels of
management.
• Broad view of the company and other IT groups
• Opportunity to lead projects.
Selling Points for Recruiting IT
Professionals into IT Audit
• Co-sourcing
• Sources of Learning
• Formal Training
• Research Time
• Specialization
• Knowledge Sharing After Training
• Certifications
• Job Swaps with the IT Organization
• Combining Options and Maintaining Skills
Maintaining Expertise
• May be viewed as an intrusion and an
annoyance.
• Must be a healthy working relationship between
the internal and external auditors.
• Keep the other informed of their activities.
• Encourage the external auditors to review the
internal auditors’ work prior to speaking with
your customers (customer: organization
demanding audit from an external auditor).
Relationship with External Auditors

Information Systems Audit - week 2 lecture


Editor's Notes

  • #9: Internal controls: Examples include use of passwords, approval, policies and procedures.
  • #11: There’s a big difference image-wise between saying that a system doesn’t matter to you and saying that you want to provide sign-off as usual but that you don’t have many concerns: one is a negative message, and the other is positive.
  • #13:
    1. The audit department should agree on the timing and scope of the informal review with the people who are to be audited.
    2. The auditor who will be performing the review should create a basic checklist of areas that will be under review. (The checklists throughout this book provide a good starting point.)
    3. The auditor executes those steps, keeping notes as needed but not creating work papers for review. The notes do not need to be kept after the audit is completed. Remember that speed is of the essence, and this is a consulting engagement, not a formal audit review. If you can’t get comfortable with this, you’ll get bogged down with documentation and process, losing the flexibility to perform this sort of review effectively.
    4. At the end of the project, the auditor compiles all concerns from the review.
    5. The auditor has a debriefing meeting with the people who were audited to discuss the issues and consult about how serious the issues are and potential means for addressing them.
    6. The auditor documents the final list of concerns, along with relevant thoughts on resolving them, in a memo. This memo does not need to include due dates and can include the caveats mentioned earlier (for example, this is not a formal audit, we will not be tracking issues, and so on). The memo also should indicate the auditor’s willingness to continue consulting with the team as it addresses these items.
    7. The auditor issues the memo and archives it electronically for future reference.
  • #15: Guidelines on Internal Controls www.sbp.org.pk/bsd/2004/Anex-C7.pdf
  • #28: Willingness not to be touching a specific technology daily. Although performing audit analyses requires a lot of hands-on work, they won’t be acting as the administrator of a production Unix box, managing routers, and so on. Relationship building skills. Auditors must be able to build solid trust-based relationships with their customers.
  • #30: Co-sourcing is a business strategy that involves combining internal and external resources to achieve a common goal.