Emerging Areas of IT audit - Qualified Audit Partners



TRANSCRIPT

Page 1: Emerging Areas of IT audit - Qualified Audit Partners · in CobiT 4.0 COBIT® Control Objectives for Information and related Technology. 12 Copyright 2006 ValIT Evals IT Processes

Copyright 2006

Emerging Areas of IT audit

Integrated IT Audit

In a common risk based approach of business processes

Monique Garsoux, IT Audit, Dexia Bank

Vice President IT audit, ISACA Belux Chapter; QAP Sprl Training

MarcusEvans Conference, September 2006

Page 2

What is happening in business processes: Technology

Bank Statement

What is manual, visible, not IT?

Page 3

Effects of Technology

• Technology makes certain traditional audit procedures invalid and/or of limited value, with an unclear governance message

• Transaction processing becomes automatic and invisible, with reduced oversight due to less manual intervention

• New products / services / competition

Page 4

Where are my risks?

[Diagram: boxes labelled Logical security, DB2, Client Accounts, Manage Problems & Incidents, Networks, Cards; Compliance, Operational risk, Basle II; GOVERNANCE ?; AUDIT REPORTS]

Page 5

Effect of traditional approach on the Audit Process of highly automated business processes

• Uncoordinated audit plans

• Separate audits

• Parallel audits: two or more distinct audits

• Concurrent audits: risk analysis initiatives, process reengineering, performed around the same timeframe or not!

• Results of auditor's response:

o Specialization & Silo Auditing

o Staff segregation between IT and Financial - Operational

o "The wall" erected within audit departments

Page 6

The need for an integrated independent management view of the ICS and risks

• Potential business need = audit giving a global view

• This implies:

o On the field: IT, organisation of approaches

o On the message: IT and Corporate Governance oriented reports and message

o On audit assignments: audit ICT, internal audit

Page 7

Emerging re-inforced role of IT audit

• The IT audit challenge (CobiT) is selling an added value to management inside and outside IT

• CobiT is business oriented, but real risks and impacts understandable by higher level management remain far away in audit reports

• Need to reconsider a better positioning of the IT audit function and visible added value inside the global audit process

Page 8

Emerging Trends in IT audit: The global picture (1)

[Diagram: IT Processes Audits (ValIT Evals), IT Resources Audits, Documented Business risks and impacts, IT management Issues, IT governance Message, Risk Management, Integrated (IT) Audits, Process flow incl. IT & systems, Internal & Financial Audits; step 1 marked]

Page 9

Basic CobiT Principle

COBIT® Control Objectives for Information and related Technology

Page 10

IT processes Audits

Page 11

Linking Business requirements in CobiT 4.0

Page 12

Emerging Trends in IT audit: The global picture (2)

[Diagram as on page 8 (IT Processes Audits, IT Resources Audits, Documented Business risks and impacts, IT management Issues, IT governance Message, Risk Management, Integrated (IT) Audits, Process flow incl. IT & systems, Internal & Financial Audits); steps 1 and 2 marked]

Page 13

IT Resources Audits

Page 14

IT resources Audits

Page 15

Documented Business residual Risks and Impacts

[Matrix: rows are IT Processes (Manage Operations, Manage Security, Manage Problems and Incidents, Manage Changes, ...); columns are IT Resources (General, Mainframe, Server, LAN, WAN, ...); each cell holds either OK or a documented business impact (Business impact X, Business impact Y, ...)]

Page 16

CobiT objective

• CobiT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

Page 17

CobiT Online Example

Page 18

CobiT Online Example

Page 19

Emerging Trends in IT audit: The global picture (3)

[Diagram as on page 8 (IT Processes Audits, IT Resources Audits, Documented Business risks and impacts, IT management Issues, IT governance Message, Risk Management, Integrated (IT) Audits, Process flow incl. IT & systems, Internal & Financial Audits); steps 1, 2 and 3 marked]

Page 20

Integrated (IT) Audits

[Diagram: Risk Based Application IT Integrated audits FOR Business Governance Message]

Page 21

Where is the integrated (IT) audit approach? An example

[Flowchart of an example banking process with nodes: Branches, Dialog Appl, Synchronous, Asynchronous, Batch, Account Orders Management, Client Orders DB, Interest calculations, Accounting, Inventory Accounting, Reconciliation, Banksys; surrounding IT layers: Operations, Security, Oracle, DB2, Network, Cics, MQM, Problem management, Compliance, Accounting Application; the whole is bracketed as Integrated (IT) Audit]

Page 22

Framework Process Controls

Control Objective PC.1 Process Goals and Objectives

Define and communicate S-M-A-R-T-T process goals and objectives (specific, measurable, achievable, realistic, tangible and time framed) for the effective execution of each IT process. Ensure they are linked to the business goals and supported by suitable metrics.

Value

• Key processes deliver value for the organisation

• Processes are in line with business requirements

• People focus on the right things

• Efficiency and effectiveness of IT processes

Risk

• Processes are not measurable

• Accountabilities cannot be enforced

• Processes are inefficient and do not support business needs

• People are not focused on the right things

Control Practices

1 Define and communicate process goals and objectives for the effective execution of each IT process.

2 Link process goals and objectives to the business goals.

3 Ensure that process goals are defined in a S-M-A-R-T-T (specific, measurable, achievable, realistic, tangible and time framed) manner.

4 Define process outputs and measurable quality targets to assess output quality. Use personal targets to motivate positive results.

Testing the Control Design

1 Enquire and confirm that process goals and objectives have been defined. Verify that process stakeholders understand these goals.

2 Enquire and confirm that the IT process goals link back to business goals.

3 Enquire and confirm through interviews with process stakeholders that the IT process goals are specific, measurable, achievable, realistic, tangible and time framed.

4 Enquire and confirm that outputs and associated quality targets are defined for each IT process.

Page 23

Framework Application controls

Control Objective AC.1 Source Data Preparation and Authorisation

Source documents are prepared by authorised and qualified personnel following established procedures, including adequate segregation of duties regarding the origination and approval of these documents. Minimise errors and omissions through good input form design. Detect errors and irregularities so that they can be reported and corrected.

Value

• Business data integrity

• Standardised and authorised transaction documentation

• Improved application performance

• Accuracy of transaction data

Risk

• Compromised integrity of critical business data

• Unauthorised and/or erroneous transactions

• Processing inefficiencies and rework

Control Practices

1 Design source documents in a way that increases the accuracy with which data can be recorded, controls the workflow and facilitates subsequent reference checking. Where possible, completeness controls should be included in the design of the source documents.

2 Create and document procedures for preparing source data entry and ensure they are effectively and properly communicated to appropriate and qualified personnel. These procedures establish and communicate required authorisation levels (input, editing, authorising, accepting, and rejecting source documents). The procedures also identify the acceptable source media for each type of transaction.

3 The function responsible for data entry maintains a list of authorised personnel, including their signatures.

4 Ensure that all source documents include standard components and contain proper documentation (e.g. timeliness, predetermined input codes and default values) and are authorised by management.

5 Automatically assign a unique and sequential identifier to every transaction (e.g. index, date and time, ...).

6 Return documents that are not properly authorised or incomplete to the submitting originators for correction and log the fact that they have been returned. Review logs periodically to verify that corrected documents are returned by originators in a timely fashion, and to enable pattern analysis and root cause review.

Testing the Control Design

1 Ensure that the design of the system provides for the identification and management of authorisation levels.

2 Enquire and confirm that the design of the system provides for the use of pre-approved authorisation lists and related signatures for use in determining that documents have been appropriately authorised.

3 Assess whether source documents and/or input screens are designed with pre-determined coding, choices, etc. to encourage timely completion and minimise the potential for error.

4 Enquire and confirm that the design of the system encourages review of the forms for completeness and authorisation and identifies situations where attempts to process incomplete and/or unauthorised documents occur.

5 Enquire and confirm that, once identified, the system is designed to track and report upon incomplete and/or unauthorised documents that are rejected and returned to the owner for correction.
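The AC.1 control practices above describe behaviour an application can enforce directly, and the "Testing the Control Design" steps are what an auditor would check against it. The following is an added example, not code from the presentation, CobiT or ISACA; the class and function names (SourceDocument, RejectionLog, Intake, run_sample), the authorised-approver list and the sample documents are constructed assumptions. It enforces segregation of duties between originator and approver (the control objective and practice 2), checks the approver against the list of authorised personnel (practice 3), requires the standard components (practice 4), assigns a unique sequential identifier to each accepted transaction (practice 5), and logs every rejected document so the log can be reviewed for patterns (practice 6).

```python
# Added example (not from the presentation, CobiT or ISACA): a source-document
# intake implementing the CobiT AC.1 control practices.  All names, the
# authorised-approver list and the sample documents are constructed assumptions.
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional
import itertools

# Practice 3: the data-entry function keeps a list of authorised personnel.
# Constructed sample; a real system takes this from its system of record.
AUTHORISED_APPROVERS = frozenset({"alice", "bob"})

# Practice 4: standard components every source document must contain.
REQUIRED_FIELDS = ("originator", "approver", "account", "amount", "currency")


@dataclass
class SourceDocument:
    fields: dict
    txn_id: Optional[int] = None  # set by the intake on acceptance (practice 5)


@dataclass
class RejectionLog:
    """Practice 6: every returned document is logged for later pattern analysis."""
    entries: list = field(default_factory=list)

    def record(self, doc: SourceDocument, reason: str) -> None:
        self.entries.append({"originator": doc.fields.get("originator"), "reason": reason})

    def repeat_offenders(self, threshold: int = 2) -> dict:
        """Originators whose documents were returned at least `threshold` times."""
        counts = Counter(e["originator"] for e in self.entries)
        return {o: n for o, n in counts.items() if n >= threshold}


class Intake:
    def __init__(self) -> None:
        self._seq = itertools.count(1)  # practice 5: unique, sequential identifiers
        self.accepted: list = []
        self.log = RejectionLog()

    def validate(self, doc: SourceDocument) -> Optional[str]:
        """Return None when the document is acceptable, else the rejection reason."""
        f = doc.fields
        missing = [k for k in REQUIRED_FIELDS if f.get(k) in (None, "")]
        if missing:  # practice 4 / practice 1 completeness control
            return "incomplete: missing " + ", ".join(missing)
        if f["approver"] not in AUTHORISED_APPROVERS:  # practice 3
            return "unauthorised: approver not on authorised list"
        if f["approver"] == f["originator"]:  # segregation of duties
            return "segregation of duties: originator may not approve own document"
        amount = f["amount"]
        if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
            return "invalid amount"
        return None

    def submit(self, doc: SourceDocument):
        """Accept the document (returning its new id) or return it with a logged reason."""
        reason = self.validate(doc)
        if reason is not None:
            self.log.record(doc, reason)  # practice 6: log the return
            return False, reason
        doc.txn_id = next(self._seq)
        self.accepted.append(doc)
        return True, doc.txn_id


def run_sample() -> dict:
    """Drive the intake with constructed sample documents and return the outcome."""
    intake = Intake()
    samples = [
        {"originator": "carol", "approver": "alice", "account": "BE01", "amount": 100, "currency": "EUR"},
        {"originator": "carol", "approver": "alice", "account": "BE01", "currency": "EUR"},  # no amount
        {"originator": "dave", "approver": "mallory", "account": "BE02", "amount": 50, "currency": "EUR"},
        {"originator": "alice", "approver": "alice", "account": "BE03", "amount": 75, "currency": "EUR"},
        {"originator": "dave", "approver": "bob", "account": "BE04", "amount": 20, "currency": "EUR"},
        {"originator": "carol", "approver": "bob", "amount": 10, "currency": "EUR"},  # no account
    ]
    outcomes = [intake.submit(SourceDocument(s)) for s in samples]
    return {
        "accepted_ids": [d.txn_id for d in intake.accepted],
        "rejections": [reason for ok, reason in outcomes if not ok],
        "repeat_offenders": intake.log.repeat_offenders(),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The periodic log review of practice 6 is what `repeat_offenders` gives the auditor: on the constructed sample, `carol` has two returned documents, which is the kind of pattern the control expects to surface for root cause review.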

Page 24

Generic Audit Programs and ICQ

Information Systems Audit and Control Association: www.isaca.org

Generic Application Review

AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE

The Information Systems Audit and Control Association

With more than 23,000 members in over 100 countries, the Information Systems Audit and Control Association® (ISACA™) is a recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences, administers the globally respected CISA® (Certified Information Systems Auditor™) designation earned by more than 25,000 professionals worldwide, and develops globally applicable information systems (IS) auditing and control standards. An affiliated foundation undertakes the leading-edge research in support of the profession. The IT Governance Institute, established by the association and foundation in 1998, is designed to be a "think tank" offering presentations at both ISACA and non-ISACA conferences, publications and electronic resources for greater understanding of the roles and relationship between IT and enterprise governance.

Purpose of These Audit Programs and Internal Control Questionnaires

One of the goals of ISACA's Education Board is to ensure that educational products developed by ISACA support member and industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released audit programs and internal control questionnaires on various topics for member use through the member-only web site and K-NET. These products are intended to provide a basis for audit work.

E-business audit programs and internal control questionnaires were developed from material recently released in ISACA's e-Commerce Security Technical Reference Series. These technical reference guides were developed by Deloitte & Touche and ISACA's Research Board and are recommended for use with these audit programs and internal control questionnaires.

Audit programs and internal questionnaires on other subjects were developed by ISACA volunteers and reviewed and edited by the Education Board. The Education Board cautions users not to consider these audit programs and internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on an organization's constraints, policies, practices and operational environment.

Disclaimer

The topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the professional development of ISACA members and others in the IS Audit and Control community. Although we trust that they will be useful for that purpose, ISACA cannot warrant that the use of this material would be adequate to discharge the legal or professional liability of members in the conduct of their practices.

September 2001

Page 25

Extract application audit ISACA Example

• Generic Application Review

• Audit Program and ICQ

• Application Generic Controls Procedure

Step: Data Origin

• Objective: To determine that controls over the preparation, collection, and processing of source documents ensure the accuracy, completeness, and timeliness of data before they reach the application.

• Details/Test: Review the source document(s) and determine that the document design contributes to the accuracy and efficiency of the input. Identify any cost beneficial improvements in source documents and related forms. Determine that source document(s) are retained for an effective period of time.

Page 26

Application audits: Hitting high risks

• Detailed application audits for :

o Transaction processing

o Business critical

o “Bread and butter”

Page 27

Outlining a practical approach to auditing processes including applications and other IT risks

• In addition to "classical IT audits", three layers of IT audits: how?

• IT audits become a key (main?) role in business audits if they are process and risk based

• Times have changed: the integrated approach replaces the complementary approach, which itself replaced the old "subcontracting IT audits" and separated IT audits

• Need for competence in technical IT audits AND business risk based IT audits

Page 28

Outlining a practical approach to auditing processes including applications and other IT risks

• Specific role in so called application audits and testing

• Using results of other IT audits: audit efficiency

• Offer in referentials and tools

• ISACA offer evolution: IT governance as part of corporate governance, new products

o Great tools for IT audit (control based and business oriented first level)

o But part of audit on a risk based, process based approach

o Emerging requirements to bridge the gap on tools, techniques and referentials ... will come

o Evolving role of the IT auditor from specialist only to proven professional in the global corporate view of risks

Page 29

Integrated IT Audit (IITA) impact on the audit process

• Examines both manual procedures that people use and "invisible" procedures that computers perform, with impacts on:

Audit plan.

Evaluation.

Testing.

Reporting.

Page 30

IITA Audit Plan

• Critical success factor = right information at planning stage

• Coordinate efforts: global approach of the Audit Universe

• Many pitfalls to avoid...

• Based on criticality ranking, select audit missions

• Result is a coordinated audit plan where audit missions have been documented by an overview understanding of the subject, with the 3 layers of IT audits and other audits planned in the right order

Page 31

IITA Evaluation: Combined risk assessment

• Global risk assessment incorporates business/industry risk and operational risk COMBINED with technology risk to form an opinion on the overall design of controls.

• IITA risk assessment guidelines:

o A limited number of risk factors (see documented business impacts), including business and technology specific ones

o Risk factors should be weighted by criticality and measurable

o Some factors should / will be IT specific

Page 32

IITA Evaluation

• IITA evaluation consists of obtaining a detailed understanding of the control environment design: "Do adequate (IT) controls exist" to mitigate business risks (scope selected based on risks)

• Based upon the information obtained and confirmed during the planning phase, together with the combined risk assessment, the auditor selects the relevant areas to include in the audit scope and performs a detailed review of these areas.

Page 33

IITA Evaluation

• Auditors usually perform a walkthrough during the evaluation to assist in understanding the process flow, obtain relevant sample documentation, spot test the key controls, and observe the general environment.

• IITA critical success factor: the auditor must flowchart the IT systems (bread and butter applications) to obtain a detailed understanding of key system processes, files and controls.

Page 34

IITA Evaluation

• The auditor should develop an integrated flowchart that combines manual and computer processes, key calculations, master file updates, downloads, and uploads.

• Examine processes and control design by splitting them into three categories:

o Those that only people perform.

o Those that people and computers perform.

o Those that only the computer performs.

• Based on the evaluation of the design of the entire control environment (IT and manual), the auditor expresses an opinion on the "adequacy" of control design.

Page 35

Integrated IT Audit: IITA flowchart

[Flowchart: the example application of page 21 (Branches, Dialog Appl, Synchronous, Asynchronous, Batch, Account Orders Management, Client Orders DB, Interest calculations, Accounting, Banksys, Inventory Accounts), labelled "Flowcharted Application" and annotated with "Documented business impacts"]

Page 36

IITA Testing

• The testing phase is the area that makes the IITA the most value added approach

• Based on the information obtained in planning and evaluation, the auditor selects which controls require testing.

Page 37

IITA Reporting

• Reporting depends mainly on preference and style, but IITA reporting can be incorporated into any reporting style: a single report that renders an opinion on the entire system of risks and controls (IT and non IT).

• Visual = no long narrative texts

• Pitfall to avoid: reporting that is done by an IT auditor and an "internal" auditor and then pasted together. This reduces the consistency of ideas. Editing is required to eliminate jargon and facilitate easy reading.

Page 38

What works and what does not ...

Expanding the IT knowledge base of each and every auditor (or THE integrated auditor)?

Realistic audit assignments based on knowledge, skill levels and degree of difficulty of the subject (planning audits)?

Extensive IT audit tools and support?

Effective SUPERVISION: audit management who knows IT, internal audit, business processes and methodologies?

IITA education?

IT audit is a separate and unique audit discipline in separated audits?

Specialization is good?

Generalization is good?

The board and senior management really understand auditing in an IT environment?

No one really cares whether audits are integrated or not?

Page 39

Benefits of IITA

• Eliminates redundant or narrow view audits, duplicated work, missed opportunities for contribution, risk of false assurance

• Creates a broad based IT audit and role.

• Examines global process risks

• Provides Executives with a coherent view in one report

• Once adopted, subsequent audits become highly efficient, focusing on risks

• Combines what people do with what the computer does (or the contrary)

Page 40

QUESTIONS ?