
EIS Quick Bites: NOV 2018 by Prof. Om Trivedi CA Intermediate – Group II (New Course)

Prof. Om Trivedi, IIM Alumnus and Faculty Member of IGP, Delhi, NIRC & WIRC of ICAI. (9958300572, [email protected])

Chapter 9: Information Systems Controls and Auditing (ISCA)

Audit
• Audit is a systematic and independent examination of the financial information (FI) of an entity,
• to express an opinion on the financial statements (FS),
• and to ascertain how far
  o the FS
  o as well as the non-financial disclosures
• present a TRUE AND FAIR VIEW of the entity.

Audit in IT Environment
- Computerised environment.
- IT-enabled compilation process of books of account (BOA) and documents.
- Automated processes (BPMS/ERP/TPS/CBS/Tally, etc.).
- Automated reporting.
- Auditors require IT/IS/BPMS knowledge.
- Tools: CAAT (computer-assisted audit techniques).

Manual Audit
- Manual environment.
- Manual compilation process of BOA and documents.
- Manual processes.
- Manual reporting.
- Auditors don't require IT/IS/BPMS and CAAT knowledge.

Tools and Techniques of Audit in CIS Environment
Approaches:
- Black Box
- White Box
CAAT:
- BI Tools, ACL, IDEA, SAS, SPSS, Lindo, etc.
Concurrent Audit Tools:
- Snapshots, ITF, SCARF, CIS, Audit Hooks.

Importance of IT in CIS Audit
1. Processes large volumes of data
2. Security is improved
3. Monitoring the performance
4. Analysis is enhanced (DA)
5. Reduced risk and better controls
6. Timeliness and CIAT

Risk of IT in CIS Audit
1. Unauthorised access
2. False sense of security
3. Privilege violations
4. Process becomes wrong
5. Malware
6. Manual intervention

Objectives of Controls

Causes of the Exposure to Potential Loss
1. Errors or omissions
2. Improper authorizations
3. Improper accountability
4. Inefficient activity

Critical Controls Lacking in a CIS Environment
1. Lack of management's understanding of IS risks
2. Lack of IT staff's knowledge of IS risks
3. Weak general controls and IS controls
4. Complexity of implementation of controls

Controls
• Policies, procedures, practices and organization structure
• designed to provide reasonable assurance that business objectives are achieved and
• undesired events are prevented or detected and corrected.

IS Controls

Environmental Controls

Physical Access Controls

Logical Access Controls
- Controls relating to logical access to information resources, such as OS controls, application software, networking controls, access to database objects, encryption controls, etc.

Asynchronous Attacks

Technical Exposures

List of Logical Access Controls

User Access Management
- User Registration
- Privilege Management
- User Password Management
- Review of User Access Management

User Responsibility
- Password Use
- Unattended User Equipment

Network Access Control
- Network Policy
- Enforced Path
- SON (Segregation of Networks)
- Routing Control
- Security
- Firewall
- Encryption
- Call Back Devices

OS Access Control
- Automated Terminal ID
- Terminal Login Procedure
- Access Token
- Access Control List
- User ID
- Password Management System
- Use of System Utilities
- Duress Alarm
- Terminal Time-out

Application & Monitoring System Access Control
- Access Restriction
- Event Logging
- Monitor System Use
- Clock Sync.

Mobile Computing
- Access
- ID
- Encryption
- Fingerprint
- Eye-iris

Classification based on "Audit Functions"

Managerial Controls
1. Top Mgt. and IS Mgt. Control (Steering and Review Committee)
   ✓ Planning
   ✓ Leading
   ✓ Controlling
   ✓ Organizing
2. Programming Mgt. Control
   ✓ Planning
   ✓ Analysis
   ✓ Design
   ✓ Coding
   ✓ Testing
   ✓ Implementation
   ✓ Maintenance
3. System Development Mgt. Control
   ✓ Feasibility Study
   ✓ System Analysis
   ✓ System Design and Build
   ✓ System Testing
   ✓ System Implementation
   ✓ System Maintenance
4. Quality Assurance Mgt. Control
   ✓ Quality of Software
   ✓ Licenses
   ✓ Quality Control
   ✓ As per world-wide trends
5. Data Administration Control
   ✓ Definition Controls
   ✓ Existence/Backup Controls
   ✓ Access Controls
   ✓ Update Controls
   ✓ Concurrency Controls
   ✓ Quality Controls
6. Operations Mgt. Control
   ✓ Computer operations
   ✓ Network operations
   ✓ Data preparation and entry
   ✓ Production control
   ✓ File, document and program library
   ✓ Help-desk
   ✓ Capacity planning
   ✓ Performance monitoring
   ✓ Management of outsourced operations
7. Security Mgt. Control
   ✓ All threats and vulnerabilities
   ✓ DRP
   ✓ BCP

Application Controls
1. Boundary Control
   ✓ Access Control
   ✓ Biometric Control
   ✓ Cryptographic Control
   ✓ Digital Signature
   ✓ PIN
   ✓ Plastic Card
2. Input Control
   ✓ Validation Control
     o Field Interrogation
     o Record Interrogation
     o File Interrogation
   ✓ Batch Control
     o Physical Control
     o Logical Control
   ✓ Source Document Control
   ✓ Data Coding Control
     o Transcription Errors
     o Transposition Errors
3. Output Control
   ✓ Storage and Logging of Critical Forms
   ✓ Printing Control
   ✓ Logging of Output Program Execution
   ✓ Report Distribution and Collection Control
   ✓ Retention Control
4. Process Control
   ✓ Processor Control
   ✓ Real Memory Control
   ✓ Virtual Memory Control
   ✓ Data Processing Control
5. Communication Control
   ✓ Physical Components Control
   ✓ Line Error Control
   ✓ Channel Access Control
   ✓ Link Control
   ✓ Internetworking Control
   ✓ Flow Control
   ✓ Topological Control
6. Database Control
   ✓ Update Control
     o Sequence check between transaction file (TF) and master file (MF)
     o Ensure all records or files are processed
     o Process multiple transactions for a single record in the correct order
     o Maintain a suspense account
   ✓ Report Control
     o Standing data
     o Print run-to-run control totals
     o Print suspense account entries
     o Existence/Recovery controls
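The Input Control items above (field interrogation, batch control, data coding control with its transcription and transposition errors) are easiest to see as running checks. The following is an added example, not code from the original notes: a modulus-11 check digit on a constructed account-number format, field-level validation of each record, and batch control totals (record count, financial total, hash total) reconciled against the totals written on the batch header slip. Every field name, limit, record and control total here is constructed for the example.

```python
# Input-control checks over a constructed batch of invoice records: field
# interrogation (format/range tests), a modulus-11 check digit that catches
# transcription and transposition errors in account numbers, and batch control
# totals (record count, financial total, hash total) reconciled against the
# control totals written on the batch header slip. Added example; not from
# the original notes. All data, field names and limits are constructed.
import re
from decimal import Decimal, InvalidOperation


def mod11_check_digit(digits):
    """Weighted modulus-11 check digit: weights 2, 3, ... applied from the
    rightmost digit. A single wrong digit (transcription) or an adjacent swap
    (transposition) changes the weighted sum by a non-multiple of 11, so the
    recomputed check digit no longer matches the one keyed in."""
    total = sum(int(d) * w for d, w in zip(reversed(digits), range(2, 2 + len(digits))))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def valid_account_number(acct):
    """Constructed format: six digits followed by their check digit (0-9 or X)."""
    if not re.fullmatch(r"\d{6}[0-9X]", acct):
        return False
    return mod11_check_digit(acct[:6]) == acct[6]


def field_interrogation(rec):
    """Validation control at field level; returns the reasons to reject the record."""
    errors = []
    if not valid_account_number(rec.get("account", "")):
        errors.append("account: bad format or check digit")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", rec.get("date", "")):
        errors.append("date: not YYYY-MM-DD")
    try:
        amount = Decimal(rec.get("amount", ""))
        if amount <= 0 or amount > Decimal("1000000"):
            errors.append("amount: outside permitted range")
    except InvalidOperation:
        errors.append("amount: not numeric")
    return errors


def batch_totals(records):
    """Record count, financial total and hash total (the sum of a non-financial
    field, here the account number, which is meaningful only as a completeness check)."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"][:6]) for r in records),
    }


def validate_batch(records, header):
    """Batch control: field-level rejects plus reconciliation of the computed
    totals against the control totals recorded from the source documents."""
    rejects = {}
    for i, rec in enumerate(records):
        errs = field_interrogation(rec)
        if errs:
            rejects[i] = errs
    computed = batch_totals(records)
    mismatches = [k for k in header if computed[k] != header[k]]
    return {"rejects": rejects, "totals": computed, "mismatches": mismatches}


# Constructed batch: record 2 has two digits transposed in the account number
# (1234560 keyed as 2134560); record 3 has a wrong date format and a negative amount.
BATCH = [
    {"account": "1234560", "date": "2018-11-05", "amount": "1500.00"},
    {"account": "2468107", "date": "2018-11-05", "amount": "250.50"},
    {"account": "2134560", "date": "2018-11-05", "amount": "99.00"},
    {"account": "5551234", "date": "05/11/2018", "amount": "-10.00"},
]
# Control totals as written on the batch slip from the source documents (constructed).
BATCH_HEADER = {"record_count": 4, "financial_total": Decimal("1859.50"), "hash_total": 1048845}

if __name__ == "__main__":
    result = validate_batch(BATCH, BATCH_HEADER)
    for i, errs in result["rejects"].items():
        print("reject record", i, errs)
    print("control total mismatches:", result["mismatches"])
```

Note that the transposed account number is caught twice: by the check digit at field level and again by the hash total at batch level, which is the point of layering validation and batch controls.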

Information System Auditing
Systematic and independent examination of the controls within an entity's information technology infrastructure (to ensure CIAT for a true and fair view).

Objectives of ISA
✓ Assets Safeguarding
✓ Data Integrity
✓ System Effectiveness
✓ System Efficiency

Need for ISA
✓ Same as E-Commerce Control Objectives (Chapter 5)
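The four Update Control items under Database Control above (sequence check between TF and MF, all records processed, multiple transactions per record in the correct order, suspense account) together with run-to-run control totals describe one batch posting routine. The following is an added example, not code from the original notes: a sequential master-file update that enforces those checks over constructed account numbers, balances and amounts.

```python
# Update control for a batch master-file (MF) update from a transaction file (TF):
# sequence check of both files, posting several transactions to one record in
# the correct order, routing unmatched transactions to a suspense account, and
# run-to-run control totals proving every record was processed. Added example;
# not from the original notes. Account numbers, balances and amounts are constructed.
from decimal import Decimal

# Constructed master file: (account, balance), held in account-number sequence.
MASTER = [("A100", Decimal("500")), ("A200", Decimal("0")), ("A300", Decimal("1200"))]

# Constructed transaction file: (account, sequence number, amount), sorted by (account, seq).
# A250 has no master record and must go to suspense rather than be silently dropped.
TRANSACTIONS = [
    ("A100", 1, Decimal("-200")),
    ("A100", 2, Decimal("50")),
    ("A200", 1, Decimal("75")),
    ("A250", 1, Decimal("30")),
    ("A300", 1, Decimal("-1200")),
]


def sequence_check(rows, key):
    """Sequence check: a sequential update pairs TF and MF by walking both in
    key order, so a file out of sequence would mis-post or skip records."""
    keys = [key(r) for r in rows]
    if keys != sorted(keys):
        raise ValueError("file is not in key sequence")


def update_master(master, transactions):
    """Post transactions to the master file; returns (new master, suspense entries, controls)."""
    sequence_check(master, key=lambda m: m[0])
    sequence_check(transactions, key=lambda t: (t[0], t[1]))
    balances = dict(master)
    suspense = []
    posted = 0
    for acct, seq, amount in transactions:
        if acct in balances:
            balances[acct] += amount  # sequence order guarantees seq 1 is applied before seq 2
            posted += 1
        else:
            suspense.append((acct, seq, amount))
    new_master = sorted(balances.items())

    # Run-to-run control totals carried from this run to the next: opening
    # balance plus amounts posted must equal the closing balance, and every
    # input transaction must be either posted or parked in suspense.
    opening = sum((b for _, b in master), Decimal("0"))
    closing = sum((b for _, b in new_master), Decimal("0"))
    posted_amount = sum((a for acct, _, a in transactions if acct in balances), Decimal("0"))
    controls = {
        "transactions_in": len(transactions),
        "posted": posted,
        "suspense": len(suspense),
        "opening_total": opening,
        "closing_total": closing,
        "balanced": opening + posted_amount == closing
        and posted + len(suspense) == len(transactions),
    }
    return new_master, suspense, controls


if __name__ == "__main__":
    new_master, suspense, controls = update_master(MASTER, TRANSACTIONS)
    print("master after update:", new_master)
    print("suspense account entries:", suspense)
    print("run-to-run controls:", controls)
```

The suspense list and the controls dictionary are what the Report Control items (print suspense account entries, print run-to-run control totals) would put on the exception report for the next run.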

Information System Audit and Audit Evidence

SA 230 Documentation
Audit Documentation refers to the:
✓ Record of audit procedures performed,
✓ Relevant audit evidence obtained,
✓ Conclusions the auditor reached.

Why is audit evidence needed?
✓ Means of controlling current audit work.
✓ Evidence of audit work performed.
✓ Schedules supporting or additional items in the accounts.
✓ Information about the business being audited, including the recent history.

Inherent Limitations of ISA
✓ Nature of financial reporting
✓ Nature of audit procedures
✓ Audit to be conducted within a reasonable period of time and at a reasonable cost
✓ Fraud involving senior management or collusion
✓ The existence and completeness of related party relationships and transactions
✓ Non-compliance with laws and regulations
✓ Future events or conditions that may cause an entity to cease to continue as a going concern

Audit Trail
• Step-by-step record by which accounting data can be traced to their source.
• Logs that can be designed to record activity at the system, application, and user level.

Types / Objectives
1. Detecting Unauthorized Access (Detective)
2. Personal Accountability (Preventive)
3. Reconstructing Events (Corrective)
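The three audit-trail objectives above are each a query over the same application log. The following is an added example, not code from the original notes: a small parser over constructed log lines (the key=value format, user names, addresses and record identifiers are all made up for the example), with one function per objective: detecting unauthorised access, tying each posting to an accountable user, and reconstructing the history of one ledger record.

```python
# Three uses of an application audit trail, run over constructed sample log
# lines: detecting unauthorised access (detective), attributing each posting to
# an accountable user (preventive), and reconstructing the history of one ledger
# record (corrective). Added example; not from the original notes. The log
# format, user names, addresses and record identifiers are constructed.
import re
from collections import defaultdict

LOG = """\
2018-11-05T09:01:10 user=asha event=LOGIN result=SUCCESS src=10.0.0.12
2018-11-05T09:03:44 user=asha event=POST result=SUCCESS src=10.0.0.12 record=INV-1001 amount=1500.00
2018-11-05T09:20:05 user=guest event=LOGIN result=FAIL src=10.0.0.77
2018-11-05T09:20:09 user=guest event=LOGIN result=FAIL src=10.0.0.77
2018-11-05T09:20:15 user=guest event=LOGIN result=FAIL src=10.0.0.77
2018-11-05T09:21:02 user=ravi event=LOGIN result=SUCCESS src=10.0.0.31
2018-11-05T09:25:30 user=ravi event=AMEND result=SUCCESS src=10.0.0.31 record=INV-1001 amount=1800.00
2018-11-05T09:26:00 user=ravi event=ACCESS result=DENIED src=10.0.0.31 record=PAYROLL-MASTER
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_log(text):
    """Each line: timestamp followed by key=value pairs. Returns a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # a malformed line is skipped here; a real trail would flag it
        entry = {"ts": m.group("ts")}
        entry.update(kv.split("=", 1) for kv in m.group("fields").split())
        entries.append(entry)
    return entries


def detect_unauthorised_access(entries, fail_threshold=3):
    """Detective use: repeated failed logins from one user/source pair, and any
    access the application itself refused."""
    fails = defaultdict(int)
    for e in entries:
        if e["event"] == "LOGIN" and e["result"] == "FAIL":
            fails[(e["user"], e["src"])] += 1
    return {
        "failed_logins": [(u, s, n) for (u, s), n in fails.items() if n >= fail_threshold],
        "denied": [(e["user"], e.get("record")) for e in entries if e["result"] == "DENIED"],
    }


def accountability(entries):
    """Preventive use: every successful change to a record is tied to a user ID."""
    by_record = defaultdict(list)
    for e in entries:
        if e["event"] in ("POST", "AMEND") and e["result"] == "SUCCESS":
            by_record[e["record"]].append((e["user"], e["event"], e["amount"]))
    return dict(by_record)


def reconstruct(entries, record):
    """Corrective use: rebuild, in time order, everything that happened to one record."""
    history = [(e["ts"], e["user"], e["event"], e.get("amount"))
               for e in entries if e.get("record") == record]
    return sorted(history)


if __name__ == "__main__":
    entries = parse_log(LOG)
    print(detect_unauthorised_access(entries))
    print(accountability(entries))
    print(reconstruct(entries, "INV-1001"))
```

The reconstruction only works because the trail carries a synchronised timestamp on every line, which is why clock synchronisation sits alongside event logging in the list of logical access controls.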

Concurrent Audit

Definition
Real-time auditing to provide continuous assurance about the quality of the data, that is, continuous auditing, through:
1. Embedded Modules
2. Special Audit Records

Tools
1. Snapshot
2. ITF – Integrated Test Facility
3. SCARF – System Control Audit Review File
4. CIS – Continuous and Intermittent Simulation
5. Audit Hooks

Auditing of Controls
The IS auditor needs to be able to determine if such controls are effective and if they are cost-effective.
- Auditing Environmental Controls
- Auditing Physical Access Controls
- Auditing Logical Access Controls
- Auditing Managerial Controls
- Auditing Application Controls

SOD – Segregation of Duties

Definition
It ensures that single individuals do not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data.

SOD Controls
1. Preventive Controls
2. Detective Controls

Examples of SOD Controls
1. Transaction Authorization
2. Split Custody of High-Value Assets
3. Workflow
4. Periodic Review
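Two of the SOD examples above, transaction authorization and periodic review, can be expressed as checks over role data. The following is an added example, not code from the original notes: a toxic-combination matrix applied to each user's combined entitlements (the test a periodic review would run) and a maker/checker rule that whoever raised a payment cannot also approve it. The role names, entitlements, users and transactions are constructed.

```python
# SOD checks: a toxic-combination matrix applied to each user's combined
# entitlements (periodic review), and a transaction authorisation rule that the
# maker and the checker must be different people. Added example; not from the
# original notes. Roles, entitlements, users and transactions are constructed.

ROLE_ENTITLEMENTS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve", "payment.release"},
    "developer": {"code.deploy"},
    "dba": {"db.admin"},
    "auditor": {"log.read"},
}

# Pairs of entitlements one person must never hold together (constructed matrix).
TOXIC_PAIRS = [
    ("vendor.create", "payment.release"),  # set up a payee and release money to it
    ("invoice.enter", "invoice.approve"),  # enter and approve the same invoice
    ("code.deploy", "db.admin"),           # change the code and the data it writes
]

USER_ROLES = {
    "asha": {"ap_clerk"},
    "ravi": {"ap_supervisor"},
    "meera": {"ap_clerk", "ap_supervisor"},   # accumulated roles after a transfer
    "kiran": {"developer", "dba"},
    "sam": {"auditor"},
}


def entitlements(user, user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS):
    """Union of everything the user's roles grant."""
    granted = set()
    for role in user_roles.get(user, ()):
        granted |= role_entitlements.get(role, set())
    return granted


def sod_violations(user_roles=USER_ROLES):
    """Periodic review: users whose combined roles include a toxic pair."""
    findings = {}
    for user in user_roles:
        held = entitlements(user, user_roles)
        hits = [pair for pair in TOXIC_PAIRS if pair[0] in held and pair[1] in held]
        if hits:
            findings[user] = hits
    return findings


def unauthorised_transactions(transactions):
    """Transaction authorisation: maker and checker must differ, and the checker
    must actually hold the approval entitlement."""
    bad = []
    for txn in transactions:
        if txn["raised_by"] == txn["approved_by"]:
            bad.append((txn["id"], "self-approved"))
        elif "invoice.approve" not in entitlements(txn["approved_by"]):
            bad.append((txn["id"], "approver lacks invoice.approve"))
    return bad


# Constructed transactions: PAY-2 is self-approved, PAY-3 is approved by someone
# whose roles do not include approval.
TRANSACTIONS = [
    {"id": "PAY-1", "raised_by": "asha", "approved_by": "ravi"},
    {"id": "PAY-2", "raised_by": "meera", "approved_by": "meera"},
    {"id": "PAY-3", "raised_by": "asha", "approved_by": "sam"},
]

if __name__ == "__main__":
    print("toxic combinations:", sod_violations())
    print("unauthorised transactions:", unauthorised_transactions(TRANSACTIONS))
```

The role-level check is the preventive control (run before a role is granted) and the same function rerun on a schedule is the detective one; the transaction-level check catches the case where roles are clean but the workflow was bypassed.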

Organization Structure and Responsibilities

Job Positions in IT

Executive Management
1. CIO (Chief Information Officer)
2. CTO (Chief Technical Officer)
3. CSO (Chief Security Officer)
4. CISO (Chief Information Security Officer)
5. CPO (Chief Privacy Officer)

Software Development
1. Systems Architect
2. Systems Analyst
3. Software Developer
4. Software Tester

Data Management
1. Database Architect
2. Database Administrator (DBA)
3. Database Analyst

Network Management
1. Network Architect
2. Network Engineer
3. Network Administrator
4. Telecom Engineer

Systems Management
1. Systems Architect
2. System Engineer
3. System Administrator
4. Storage Engineer

General Operations
1. Operations Manager
2. Operations Analyst
3. Controls Analyst
4. Systems Operator
5. Data Entry
6. Media Librarian

Security Operations
1. Security Architect
2. Security Engineer
3. Security Analyst
4. User Account Manager
5. Security Auditor

Service Desk
1. Help Desk Analyst
2. Technical Support Analyst