Emerging Areas of IT Audit - Qualified Audit Partners (QAP)
TRANSCRIPT
Copyright 2006

Slide 1
Emerging Areas of IT Audit
Integrated IT Audit
In a common risk-based approach of business processes
Monique Garsoux, IT Audit, Dexia Bank
Vice President IT Audit, ISACA Belux Chapter; QAP Sprl Training
Marcus Evans Conference, September 2006
Slide 2
What is happening in business processes: Technology
[Figure: a bank statement]
What is manual, visible, not IT?
Slide 3
Effects of Technology
• Technology makes certain traditional audit procedures invalid and/or of limited value, leaving an unclear governance message
• Transaction processing becomes automatic and invisible, with reduced oversight because there is less manual intervention
• New products / services / competition
Slide 4
Where are my risks?
[Diagram of risk areas around a bank's processes. Labels: Logical security, DB2, Client Accounts, Manage Problems & Incidents, Networks, Cards, Compliance, Operational risk (Basle II), GOVERNANCE?, AUDIT REPORTS]
Slide 5
Effect of the traditional approach on the audit process of highly automated business processes
• Uncoordinated audit plans
• Separate audits
• Parallel audits: two or more distinct audits
• Concurrent audits: risk analysis initiatives and process reengineering performed around the same timeframe, or not!
• Results of the auditors' response:
  o Specialization and silo auditing
  o Staff segregation between IT and Financial/Operational
  o "The wall" erected within audit departments
Slide 6
The need for an integrated, independent management view of the ICS (internal control system) and risks
• Potential business need = an audit giving a global view
• This implies:
  o On the field: IT, organisation of approaches
  o On the message: IT and corporate governance oriented reports and message
  o On audit assignments: ICT audit, internal audit
Slide 7
Emerging reinforced role of IT audit
• The IT audit challenge (CobiT) is selling an added value to management inside and outside IT
• CobiT is business oriented, but real risks and impacts understandable by higher-level management remain far away in audit reports
• Need to reconsider a better positioning of the IT audit function and a visible added value inside the global audit process
Slide 8
Emerging Trends in IT audit: The global picture
[Diagram. Boxes: ValIT evaluations; IT processes audits; IT resources audits; documented business risks and impacts; IT management issues; IT governance message; risk management; integrated (IT) audits; process flow incl. IT and systems; internal and financial audits. Part 1 highlighted.]
Slide 9
Basic CobiT Principle
[Figure from COBIT® Control Objectives for Information and related Technology]
Slide 10
IT processes audits
[Figure from COBIT]
Slide 11
Linking business requirements in CobiT 4.0
[Figure from COBIT]
Slide 12
Emerging Trends in IT audit: The global picture
[Same diagram as slide 8, now with parts 1 and 2 highlighted.]
Slide 13
IT resources audits
[Figure from COBIT]
Slide 14
IT resources audits
[Figure from COBIT]
Slide 15
Documented business residual risks and impacts
[Matrix. Rows = IT processes (..., Manage Operations, Manage Security, Manage Problems and Incidents, Manage Changes, ...); columns = IT resources (General, Mainframe, Server, LAN, WAN, ...). Each cell holds the documented business impact for that process/resource pair (e.g. "Business impact X" for Manage Changes, "Business impact Y" for Manage Security) or "OK" where no residual impact is documented (e.g. Manage Problems and Incidents).]
Slide 16
CobiT objective
• CobiT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
(COBIT® Control Objectives for Information and related Technology)
Slide 17
CobiT Online Example
[Screenshot of CobiT Online]
Slide 18
CobiT Online Example
[Screenshot of CobiT Online]
Slide 19
Emerging Trends in IT audit: The global picture
[Same diagram as slide 8, now with parts 1, 2 and 3 highlighted.]
Slide 20
Integrated (IT) Audits
[Diagram: risk-based application IT integrated audits FOR the business governance message]
Slide 21
Where is the integrated (IT) audit approach? An example
[Flowchart of an order-processing application. Boxes: Batch, Account Orders Management, Client Orders DB, Accounting, Banksys, Branches, Interest calculations, Dialog Appl, Inventory Accounting, Reconciliation; asynchronous and synchronous links. IT layers underneath: Operations, Security, Oracle, DB2, Accounting Application, Problem management, Network, CICS, MQM, Compliance. Label: Integrated (IT) Audit.]
Slide 22
Framework Process Controls
Control Objective PC.1 Process Goals and Objectives
Define and communicate S-M-A-R-T-T process goals and objectives (specific, measurable, achievable, realistic, tangible and time framed) for the effective execution of each IT process. Ensure they are linked to the business goals and supported by suitable metrics.
Value
• Key processes deliver value for the organisation
• Processes are in line with business requirements
• People focus on the right things
• Efficiency and effectiveness of IT processes
Risk
• Processes are not measurable
• Accountabilities cannot be enforced
• Processes are inefficient and do not support business needs
• People are not focused on the right things
Control Practices
1. Define and communicate process goals and objectives for the effective execution of each IT process.
2. Link process goals and objectives to the business goals.
3. Ensure that process goals are defined in a S-M-A-R-T-T (specific, measurable, achievable, realistic, tangible and time framed) manner.
4. Define process outputs and measurable quality targets to assess output quality. Use personal targets to motivate positive results.
Testing the Control Design
1. Enquire and confirm that process goals and objectives have been defined. Verify that process stakeholders understand these goals.
2. Enquire and confirm that the IT process goals link back to business goals.
3. Enquire and confirm through interviews with process stakeholders that the IT process goals are specific, measurable, achievable, realistic, tangible and time framed.
4. Enquire and confirm that outputs and associated quality targets are defined for each IT process.
(COBIT® Control Objectives for Information and related Technology)
Slide 23
Framework Application Controls
Control Objective AC.1 Source Data Preparation and Authorisation
Source documents are prepared by authorised and qualified personnel following established procedures, including adequate segregation of duties regarding the origination and approval of these documents. Minimise errors and omissions through good input form design. Detect errors and irregularities so that they can be reported and corrected.
Value
• Business data integrity
• Standardised and authorised transaction documentation
• Improved application performance
• Accuracy of transaction data
Risk
• Compromised integrity of critical business data
• Unauthorised and/or erroneous transactions
• Processing inefficiencies and rework
Control Practices
1. Design source documents in a way that increases the accuracy with which data can be recorded, controls the workflow and facilitates subsequent reference checking. Where possible, completeness controls should be included in the design of the source documents.
2. Create and document procedures for preparing source data entry and ensure they are effectively and properly communicated to appropriate and qualified personnel. These procedures establish and communicate the required authorisation levels (input, editing, authorising, accepting and rejecting source documents). The procedures also identify the acceptable source media for each type of transaction.
3. The function responsible for data entry maintains a list of authorised personnel, including their signatures.
4. Ensure that all source documents include standard components and contain proper documentation (e.g. timeliness, predetermined input codes and default values) and are authorised by management.
5. Automatically assign a unique and sequential identifier to every transaction (e.g. index, date and time, ...).
6. Return documents that are not properly authorised or are incomplete to the submitting originators for correction, and log the fact that they have been returned. Review the logs periodically to verify that corrected documents are returned by originators in a timely fashion, and to enable pattern analysis and root cause review.
Testing the Control Design
1. Ensure that the design of the system provides for the identification and management of authorisation levels.
2. Enquire and confirm that the design of the system provides for the use of pre-approved authorisation lists and related signatures for use in determining that documents have been appropriately authorised.
3. Assess whether source documents and/or input screens are designed with pre-determined coding, choices, etc. to encourage timely completion and minimise the potential for error.
4. Enquire and confirm that the design of the system encourages review of the forms for completeness and authorisation and identifies situations where attempts to process incomplete and/or unauthorised documents occur.
5. Enquire and confirm that, once identified, the system is designed to track and report upon incomplete and/or unauthorised documents that are rejected and returned to the owner for correction.
(COBIT® Control Objectives for Information and related Technology)
Slide 24
Generic Audit Programs and ICQ
Information Systems Audit and Control Association: www.isaca.org
Generic Application Review
AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE
The Information Systems Audit and Control Association
With more than 23,000 members in over 100 countries, the Information Systems Audit and Control Association® (ISACA™) is a recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences, administers the globally respected CISA® (Certified Information Systems Auditor™) designation earned by more than 25,000 professionals worldwide, and develops globally applicable information systems (IS) auditing and control standards. An affiliated foundation undertakes leading-edge research in support of the profession. The IT Governance Institute, established by the association and foundation in 1998, is designed to be a "think tank" offering presentations at both ISACA and non-ISACA conferences, publications and electronic resources for greater understanding of the roles and relationship between IT and enterprise governance.
Purpose of These Audit Programs and Internal Control Questionnaires
One of the goals of ISACA's Education Board is to ensure that educational products developed by ISACA support member and industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released audit programs and internal control questionnaires on various topics for member use through the member-only web site and K-NET. These products are intended to provide a basis for audit work.
E-business audit programs and internal control questionnaires were developed from material recently released in ISACA's e-Commerce Security Technical Reference Series. These technical reference guides were developed by Deloitte & Touche and ISACA's Research Board and are recommended for use with these audit programs and internal control questionnaires.
Audit programs and internal control questionnaires on other subjects were developed by ISACA volunteers and reviewed and edited by the Education Board. The Education Board cautions users not to consider these audit programs and internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on an organization's constraints, policies, practices and operational environment.
Disclaimer
The topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the professional development of ISACA members and others in the IS Audit and Control community. Although we trust that they will be useful for that purpose, ISACA cannot warrant that the use of this material would be adequate to discharge the legal or professional liability of members in the conduct of their practices.
September 2001
Slide 25
Extract of an ISACA application audit: Example
• Generic Application Review
• Audit Program and ICQ
• Application Generic Controls Procedure
Step: Data Origin
• Objective: To determine that controls over the preparation, collection and processing of source documents ensure the accuracy, completeness and timeliness of data before they reach the application.
• Details/Test: Review the source document(s) and determine that the document design contributes to the accuracy and efficiency of the input. Identify any cost-beneficial improvements in source documents and related forms. Determine that source document(s) are retained for an effective period of time.
Slide 26
Application audits: Hitting high risks
• Detailed application audits for:
  o Transaction processing
  o Business critical
  o "Bread and butter"
Slide 27
Outlining a practical approach to auditing processes including applications and other IT risks
• In addition to "classical IT audits", three-layer IT audits: how?
• IT audits become a key (main?) role in business audits if they are process and risk based
• Times have changed: the integrated approach replaces the complementary approach, which itself replaced the old "subcontracted IT audits" and separated IT audits
• Need for competence in technical IT audits AND business risk based IT audits
Slide 28
Outlining a practical approach to auditing processes including applications and other IT risks
• Specific role in so-called application audits and testing
• Using the results of other IT audits: audit efficiency
• Offer in referentials and tools
• ISACA offer evolution: IT governance as part of corporate governance, new products
  o Great tools for IT audit (control based and business oriented, first level)
  o But part of the audit on a risk-based, process-based approach
  o Emerging requirements to bridge the gap on tools, techniques and referentials... will come
  o Evolving role of the IT auditor from specialist only to proven professional in the global corporate view of risks
Slide 29
Integrated IT Audit (IITA) impact on the audit process
• Examines both the manual procedures that people use and the "invisible" procedures that computers perform, with impacts on:
  o Audit plan
  o Evaluation
  o Testing
  o Reporting
Slide 30
IITA Audit Plan
• Critical success factor = the right information at the planning stage
• Coordinate efforts: a global approach to the Audit Universe
• Many pitfalls to avoid...
• Based on criticality ranking, select audit missions
• The result is a coordinated audit plan in which audit missions have been documented by an overview understanding of the subject, with the three layers of IT audits and other audits planned in the right order
Slide 31
IITA Evaluation: Combined risk assessment
• The global risk assessment incorporates business/industry risk and operational risk COMBINED with technology risk to form an opinion on the overall design of controls.
• IITA risk assessment guidelines:
  o A limited number of risk factors (see the documented business impacts), including business- and technology-specific ones
  o Risk factors should be weighted by criticality and be measurable
  o Some factors should/will be IT specific
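The combined risk assessment above, and the criticality ranking that the audit plan on slide 30 selects missions from, as an added example in Python. It is not the presentation's or Dexia's scoring model: the factor set, the business/technology tagging, the criticality weights, the 1-5 scale, the audit universe and the effort figures are all constructed assumptions. What it shows beyond the slide is the measurability check (every factor scored on the documented scale, nothing unscored) and the capacity-constrained selection that turns a ranking into a plan.

```python
"""Combined business + technology risk scoring of an audit universe (added example)."""
from dataclasses import dataclass

SCALE = range(1, 6)  # each factor is scored 1 (low) .. 5 (high) on a documented scale

# Constructed factor set: few factors, each tagged business or technology, weight = criticality.
FACTORS = {
    "financial_impact":    ("business",   3.0),
    "regulatory_exposure": ("business",   2.0),
    "automation_level":    ("technology", 2.0),   # IT-specific: invisible processing
    "change_frequency":    ("technology", 1.5),
    "open_it_findings":    ("technology", 1.5),
}


@dataclass
class Entity:
    name: str
    scores: dict      # factor name -> score on SCALE
    audit_days: int   # estimated effort of the mission


def validate(entity: Entity) -> None:
    """Measurability check: every factor scored, on the scale, and nothing undefined."""
    extra = set(entity.scores) - set(FACTORS)
    missing = set(FACTORS) - set(entity.scores)
    if extra or missing:
        raise ValueError(f"{entity.name}: unknown {sorted(extra)}, unscored {sorted(missing)}")
    for factor, value in entity.scores.items():
        if value not in SCALE:
            raise ValueError(f"{entity.name}: {factor}={value!r} is not on the 1-5 scale")


def combined_score(entity: Entity) -> dict:
    """Weighted business and technology sub-scores and their combination, each as 0..100."""
    validate(entity)
    parts = {"business": 0.0, "technology": 0.0}
    max_parts = {"business": 0.0, "technology": 0.0}
    for factor, (kind, weight) in FACTORS.items():
        parts[kind] += weight * entity.scores[factor]
        max_parts[kind] += weight * max(SCALE)
    result = {k: round(parts[k] / max_parts[k] * 100, 1) for k in parts}
    result["combined"] = round(sum(parts.values()) / sum(max_parts.values()) * 100, 1)
    return result


def rank_and_select(entities: list, capacity_days: int) -> list:
    """Rank by combined score and fill the plan until the audit capacity is exhausted."""
    ranked = sorted(entities, key=lambda e: combined_score(e)["combined"], reverse=True)
    plan, used = [], 0
    for e in ranked:
        if used + e.audit_days <= capacity_days:
            plan.append(e.name)
            used += e.audit_days
    return plan


# Constructed audit universe, echoing the bank processes named on the slides.
UNIVERSE = [
    Entity("Client orders", {"financial_impact": 5, "regulatory_exposure": 4,
                             "automation_level": 5, "change_frequency": 4, "open_it_findings": 2}, 30),
    Entity("Interest calculations", {"financial_impact": 4, "regulatory_exposure": 3,
                                     "automation_level": 5, "change_frequency": 2, "open_it_findings": 4}, 20),
    Entity("Card issuing", {"financial_impact": 3, "regulatory_exposure": 4,
                            "automation_level": 4, "change_frequency": 3, "open_it_findings": 1}, 25),
    Entity("Branch cash handling", {"financial_impact": 2, "regulatory_exposure": 2,
                                    "automation_level": 1, "change_frequency": 1, "open_it_findings": 1}, 10),
]

if __name__ == "__main__":
    for e in UNIVERSE:
        print(f"{e.name:22s} {combined_score(e)}")
    print("plan for 60 audit-days:", rank_and_select(UNIVERSE, 60))
```

With these constructed figures "Client orders" scores 84.0 combined (business 92.0, technology 76.0) and heads the ranking; with 60 audit-days available the selection takes the first two missions, skips "Card issuing" because it no longer fits, and still fits "Branch cash handling". A technology factor that is hard to score on a defined scale should be dropped rather than guessed, which is what the validation step enforces.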
Slide 32
IITA Evaluation
• The IITA evaluation consists of obtaining a detailed understanding of the control environment design: "Do adequate (IT) controls exist" to mitigate business risks (scope selected based on risks)
• Based upon the information obtained and confirmed during the planning phase, combined with the combined risk assessment, the auditor selects the relevant areas to include in the audit scope and performs a detailed review of these areas.
Slide 33
IITA Evaluation
• Auditors usually perform a walkthrough during the evaluation to assist in understanding the process flow, obtain relevant sample documentation, spot-test the key controls, and observe the general environment.
• IITA critical success factor: the auditor must flowchart the IT systems (the bread and butter applications) to obtain a detailed understanding of key system processes, files and controls.
Slide 34
IITA Evaluation
• The auditor should develop an integrated flowchart that combines manual and computer processes, key calculations, master file updates, downloads and uploads.
• Examine processes and control design by splitting them into three categories:
  o Those that only people perform.
  o Those that people and computers perform.
  o Those that only the computer performs.
• Based on the evaluation of the design of the entire control environment (IT and manual), the auditor expresses an opinion on the "adequacy" of control design.
Slide 35
Integrated IT Audit: IITA flowchart
[Flowchart of the example application from slide 21 (Batch, Account Orders Management, Client Orders DB, Accounting, Banksys, Branches, Interest calculations, Dialog Appl, Inventory Accounts; asynchronous and synchronous links), annotated "Flowcharted application" and "Documented business impacts".]
Slide 36
IITA Testing
• The testing phase is the area that makes the IITA the most value-added approach
• Based on the information obtained in planning and evaluation, the auditor selects which controls require testing.
Slide 37
IITA Reporting
• Reporting depends mainly on preference and style, but IITA reporting can be incorporated into any reporting style: a single report that renders an opinion on the entire system of risks and controls (IT and non-IT).
• Visual = no long narrative texts
• Pitfall to avoid: reporting that is done by an IT auditor and an "internal" auditor and then pasted together. This reduces the consistency of ideas. Editing is required to eliminate jargon and facilitate easy reading.
Slide 38
What works and what does not...
• Expanding the IT knowledge base of each and every auditor (or THE integrated auditor)?
• Realistic audit assignments based on knowledge, skill levels and degree of difficulty of the subject (planning audits)?
• Extensive IT audit tools and support?
• Effective SUPERVISION: audit management who knows IT, internal audit, business processes and methodologies?
• IITA education?
• IT audit is a separate and unique audit discipline in separated audits?
• Specialization is good? Generalization is good?
• The board and senior management really understand auditing in an IT environment?
• No one really cares whether audits are integrated or not?
Slide 39
Benefits of IITA
• Eliminates redundant or narrow-view audits, duplicated work, missed opportunities for contribution, and the risk of false assurance
• Creates a broad-based IT audit and role
• Examines global process risks
• Provides executives with a coherent view in one report
• Once adopted, subsequent audits become highly efficient, focusing on risks
• Combines what people do with what the computer does (or the contrary)
Slide 40
QUESTIONS?