COBIT.ppt

Transcript of COBIT.ppt

Slide 1: Part 2

Slide 2: AUDIT GUIDELINES

Slide 3: Audit Guidelines -- 226 pages
1 Generic Guideline and 34 Process Oriented
A generic guideline identifies various tasks to be performed in assessing AN control objective within a process. This generic guideline extracted all repetitive tasks into one -- to be performed for all control objectives. Others are specific process-oriented task suggestions to provide management assurance that a control is in place and is working.

Slide 4: Audit Guidelines
- Purpose of audit guidelines is to provide simple structure for auditing controls
- Audit guidelines are generic and high-level in structure
- Although intended as a guide for auditing high-level control objectives, CobiT can assist overall audit planning
- Enables auditor to review processes against control objectives

Slide 5: CobiT supports generally accepted structure of the audit process:
- Identification and documentation
- Evaluation
- Compliance testing, and
- Substantive testing

Slide 6: The IT process is therefore audited by:
- Obtaining an understanding of business requirements, related risks, and relevant control measures
- Evaluating the appropriateness of stated controls
- Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously.
- Substantiating the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources.

Slide 7: GENERIC AUDIT GUIDELINE -- OBTAINING AN UNDERSTANDING
The audit steps to be performed to document the activities underlying the control objectives as well as to identify the stated control measures/procedures in place.
Interview appropriate management and staff to gain an understanding of:
- Business requirements and associated risks
- Organisation structure
- Roles and responsibilities
- Policies and procedures
- Laws and regulations and contractual obligations
- Control measures in place
- Management reporting (status, performance, action items)
Document the process-related IT resources particularly affected by the process under review.
Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process, and the control implications (e.g., by a process walk-through).

Slide 8: GENERIC AUDIT GUIDELINE -- EVALUATING THE CONTROLS
The audit steps to be performed in assessing the effectiveness of control measures in place or the degree to which the control objective is achieved. Basically deciding what, whether and how to test.
Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices, the Critical Success Factors (CSF) of the control measures and applying professional judgment:
- Documented processes exist
- Appropriate deliverables exist
- Responsibility and accountability are clear and effective
- Compensating controls exist, where necessary
Conclude the degree to which the control objective is met.

Slide 9: GENERIC AUDIT GUIDELINE -- ASSESSING COMPLIANCE
The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.
- Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review using both direct and indirect evidence.
- Perform a limited review of the adequacy of the process deliverables.
- Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.

Slide 10: GENERIC AUDIT GUIDELINE -- SUBSTANTIATING THE RISK
The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources.
The objective is to support the opinion and to "shock" management into action. Auditors have to be creative in finding and presenting this often sensitive and confidential information.
- Document the control weaknesses and resulting threats and vulnerabilities.
- Identify and document the actual and potential impact (e.g., through root-cause analysis).
- Provide comparative information (e.g., through benchmarks).

Slide 11: Audit Guidelines are GUIDELINES
They are a starting point for identifying control tasks and activities associated with particular control objectives. To plan and conduct the audit, an auditor must add knowledge about the business, risk analysis, and controls; perform adequate audit procedures; and draw conclusions from the results of the audit procedures.

Slide 12: Using CobiT to Develop an Audit Program
- Start with Control Objectives to refresh the purpose of the control objective and the recommended IT control practices
- Use the Audit Guidelines' generic audit guideline as a starting point
- Use the selected process-oriented audit guidelines to refine the audit work program
- Select appropriate portions of the Audit Guidelines in sync with selected detailed control objectives (selected control tasks and activities)

Slide 13: Using CobiT to Review an Audit Program
- Use the Audit Guidelines to benchmark the existing audit program against
- Use the Control Objectives' high-level control objectives to review audit objectives and detailed control objectives to review criteria identification
- Use the generic and process-oriented audit guidelines to review audit process and procedures

Slide 15: Adopting CobiT
- Start by identifying the "need" for use, and how it might be used
- Focus on the benefits to be derived from using CobiT
- Assess the acceptance and implementation capabilities
- Assign priority of multiple uses
- Identify one or more champions

Slide 16: Adopting CobiT
For those responsible for systems and those who audit systems, the value lies in having an organized IT control model that links management control practices to control objectives, and in turn to business objectives.
From a management perspective:

(Table fragment preceding slide 38, slide heading and column headers not present in the transcript:)
medium | A/P | yes
Low/high | payroll | none
High/medium | IT processing | partial
etc.

Slide 38: RESPONSIBLE PARTY FORM
Columns: Primary | Performed by (%) | IT Process | Responsible Party
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define organisation and relationships
PO5 Manage the investment
PO6 Communicate management aims & direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risk
PO10 Manage projects
PO11 Manage quality
AI1 Identify automated solutions
AI2 Acquire & maintain application software
AI3 Acquire & maintain technology architecture
AI4 Develop & maintain procedures
AI5 Install & accredit system
AI6 Manage changes
DS1 Define service levels
DS2 Manage third party services
DS3 Manage performance & capacity
DS4 Ensure continuous service
DS5 Ensure system security
DS6 Identify & allocate costs
DS7 Educate & train users
DS8 Assist & advise customers
DS9 Manage the configuration
DS10 Manage problems & incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations
M1 Monitor the process
M2 Assess Internal Control Adequacy
M3 Obtain independent assurance
M4 Provide for Independent Audit
(0) Identify organizational units (IT department, within organisation, outsourced or not sure) which perform activities incorporated within the IT process.

Slide 39: Pre-Audit: Functions & Responsibilities -- Points of Accountability
Function performed by | Function & Operation | Responsible Party
internal | A/P | Accounting
outsourced | payroll | Accounting
IT Dept | IT processing | VP of IT
etc.

Slide 40: CONTRACT SERVICE / SERVICE LEVEL AGREEMENT (SLA) FORM
Columns: IT Process | Performed by (IT Department / Within Organisation / Outsourced / Not sure) | Controls in place (Documented / Not Documented / Not Sure) | Internal Formal Contract/SLA (Yes / No / Not Applicable / Not Sure) | WP Ref.
Rows: the 34 IT processes PO1 through M4, as listed in slide 38.

Slide 41: PRIOR AUDIT WORK FORM
Columns: IT Process | In Prior Scope (Yes / No) | Prior Audit Opinion (Unqualified / Qualified / Adverse / Disclaimer) | Material Weaknesses / Findings | Disposition of Findings (Resolved / Unresolved / N/A / Not Determined)
Rows: the 34 IT processes PO1 through M4, as listed in slide 38.
Insert the number of material weaknesses and/or findings if there is more than one per process category and then reflect the appropriate number under each column.

Slide 42: Audits (or audit entities): A, B, C, D, E
COBIT's 34 Processes: PO1, PO2, ..., M4
Legend: Pre-audit survey; Audit; Report; Positive conclusion; Finding

Slide 43: Use of CobiT in Audit Planning:
- Supports objectives of AU 319 "Consideration of Internal Control in a Financial Statement Audit", and
- Risk-Based Audit planning

Slide 44: Key Features of Risk-Based Approach
- Focuses on the business from a management perspective
- Emphasis on knowledge of the business and the technology
- Focus on assessing the effectiveness of a "combination" of controls
- Linkage between risk assessment and testing focusing on control objectives

Slide 45: Risk-Based Audit Planning
- What is most critical to the business?
- What are the CSFs?
- What are the risks and threats?
- How robust and appropriate does the internal control structure appear?
- What are management's concerns?

Slide 46: Risks to the Business
- Unaware of the risks
- Poor understanding of CSFs
- Absence of KPIs
- No "scorecard" or basis of measurement
- Absence of monitoring and evaluation
- Weak IT control environment
- Loss of data or system integrity

Slide 47: Control Risk Assessment
Control Risk assessment at maximum