Information Systems Audit & Control

Page 1: Information Systems Audit & Control

Apr 2006 Information Systems Audit & Control

1

Information Systems Audit & Control

Introduction

Page 2: Information Systems Audit & Control

Information Systems Audit and Control Fall 2005 by Haroon Arshad

e-mail: [email protected], Office Hours Wednesday & Friday 3:45-5:00 PM

Files available to date: Information System Audit & Control Syllabus & Course Outline; Notes.
Mailing group: http://groups.yahoo.com/group/isac_pucit

Syllabus

Page 3: Information Systems Audit & Control

COURSE OBJECTIVE & PHILOSOPHY

The need to comply with an array of complex data laws and standards in the IT and information system environment now dominates the business environment, privacy and security.

The challenge will be dealing with regulatory requirements, information system standards, best practices and laws.

Syllabus

Page 4: Information Systems Audit & Control

COURSE OBJECTIVE & PHILOSOPHY

As a result, the emphasis will be on issues such as policy management and enforcement, benchmarking against standards, incident response, forensics, and monitoring for insider threats.

To a large extent, the efforts will focus on implementing security and control policies and the management processes needed to ensure regulatory compliance. It is a process that will involve spending a lot more time working with management and end users, and educating them on what the risks are.

Page 5: Information Systems Audit & Control

Syllabus

This class will be devoted to these control issues, their impact on the organization, and how to manage and audit them. Consequently, this is essentially a class in corporate management and audit, even though it is presented within the information technology curriculum. Much of the class time will be devoted to discussions and case studies, to foster an active “Audit & Control mentality”.

To assure effective control, management – directly or through its internal and external auditors – must control and audit systems whose "internals" are understood only by highly-trained expert professionals. This course discusses the philosophy and describes some of the tools and methods used for control and auditing of such systems and the organizations that use them. Eventually, this will lead to increased awareness, better understanding, and more secure and effective accomplishment of the organization’s objectives and use of its technology; thus, the course will be beneficial to all future managers and users, and not only to information technology professionals or auditors.

Page 6: Information Systems Audit & Control

Syllabus

TEXTBOOK & COURSE MATERIALS

This course is based on Ron Weber's Information Systems Control and Audit, Prentice Hall 1999, ISBN 0-13-947870-1, which emphasizes the controls approach to systems audit and security. The methodology is applicable to all systems, including internet, web-based and e-commerce systems. Many security-oriented books are available today, and the following is recommended as a supplement: Information Technology Audit & Control by Frederick Gallegos, Daniel Manson, Sandra Allen-Senft, 2nd Edition, Auerbach Publishers. Additional reading material will be announced during the class.

Please bring the Weber text with you to each class – we will use the cases at the end of its chapters.

On the Yahoo group web page you will find PowerPoint presentations for all the material that I will introduce in class. These summarize the contents of the textbook, in addition to other material that will be discussed in class. You can read these presentations prior to class, so that you can use them in class in lieu of notes. You are responsible for knowing the contents of these transparencies as well as the textbook’s material (and of course whatever is discussed in class).

Page 7: Information Systems Audit & Control

COMMUNICATIONS & PREREQUISITES I believe that open communications channels between all of us add significantly to the value of the class. You are welcome to contact me – preferably via e-mail. In particular, ALL questions and comments are welcome.

The approach taken in this course is pragmatic, rather than theoretical or technical, with the objective of increasing your familiarity with the course topics on the one hand, and your critical understanding of the material on the other. I do not intend to "read the text in class". Rather, I will emphasize certain issues, and will respond to your questions. You must read on your own and be familiar IN ADVANCE OF EACH CLASS with the assigned material as given in the schedule, and with the class notes available on my web page. The course will be discussion oriented, with emphasis on discussions geared to the case studies at the end of each chapter.

A common theme in my courses is the development of your communications skills and use of available computer technology and common software tools. You are expected to be familiar with word-processing and spreadsheet tools, and submit your work using such tools. All homework will be submitted electronically via e-mail, and must follow all the rules in the PRESHINT.DOC file (will be available next week on the Yahoo group).

Syllabus

Page 8: Information Systems Audit & Control

ASSIGNMENTS, QUIZZES AND EXAMS Assignments will be based on the case studies at the end of the text's chapters, and will be announced in class. Homework solutions will be discussed in class on the date they are due; therefore, late submissions of homework assignments will not be accepted. Note that homework will be based, to a large extent, on material you are supposed to read for the next class, and will be discussed in class only after you submit the homework, in order to let you exercise your own judgment and understanding. All assignments are due, unless otherwise specified, by the next Tuesday after the class in which they have been announced; they should reach me, via e-mail, by this time. Assignments should all be typed (using computerized office tools) and be professionally presentable; hand-written assignments will not be graded. Assignment due dates as given in the schedule or in class will be strictly adhered to and late assignments will not be accepted, unless prearranged with me. Virus-infected submissions will be deleted and not graded, with no opportunity for resubmission.

Each class session (except the first one) may include a brief open-book quiz, which stresses understanding of the required material. This system eliminates the pressure for final exam preparation, allows timely grade progress feedback, and motivates students to prepare for each session (and thus increases the probability of quality participation and getting the most from the class sessions).

Syllabus

Page 9: Information Systems Audit & Control

CLASS ATTENDANCE You are expected to attend all classes, and are responsible for all announcements made in class or in the Yahoo group. Makeup of quizzes or assignments will be given only by approval prior to the quiz or assignment, except for extreme circumstances. Punctuality is highly regarded; no student, if arriving late, will be given any extra time to complete a quiz, nor will makeup quizzes be offered. The university's honor code will be adhered to. Cheating will result in an automatic failing grade in the course for all those students who are deemed to have consciously contributed to the cheating.

Syllabus

Page 10: Information Systems Audit & Control

GRADING Grades will be based on homework assignments (60% - equally weighted, and possibly dropping the worst one) and the quizzes (40% - equally weighted, and possibly dropping the worst one, but not more than 5% per quiz). Final grades will be assigned on a curve, and I will exercise my judgment as to the cut points, as well as to the grading of students who miss or come late to many of the classes.

Don't nitpick about the grading. Persons who complain will not be rewarded for it; those who have the decency not to complain would deserve the same break. A request to look at one problem leads to re-grading of the whole paper, which often leads to a lower grade.

No "extra credit" opportunities will be offered or assigned to specific individuals under any circumstances; all students' grades will be based on the same components - this is an equal opportunity course.

Syllabus

Page 11: Information Systems Audit & Control

TENTATIVE & APPROXIMATE COURSE SCHEDULE
(actual schedule will be determined by the class advancement, and changes will be announced)

Will be made available before next class.

Page 12: Information Systems Audit & Control

What Is Information System Audit

Collecting & evaluating evidence to determine if system accomplishes its organizational tasks effectively & efficiently

Page 13: Information Systems Audit & Control

Motivation for Control & Audit

Major business fraud cases: Enron, WorldCom
The “Didn’t know these things were happening” syndrome

Comprehensive ethical/control programs do matter to corporate stakeholders

Need for ethical/control standards, an internal reporting process, and highest-level responsibility

Page 14: Information Systems Audit & Control

Motivation for Compliance – Accounting Scandals

2001: Enron (Jeffrey Skilling, Kenneth Lay, Andrew Fastow)

2002: AOL, Adelphia, Bristol-Myers Squibb, CMS Energy, Computer Associates, Duke Energy, Dynegy, El Paso Corporation, Freddie Mac, Global Crossing (Gary Winnick, John Legere, Thomas Casey), Halliburton (Dick Cheney), Harken Energy
Published report 10-9-2002
HealthSouth, Homestore.com, ImClone Systems (Sam Waksal, Martha Stewart, John B. Landes, Ronald A. Martell), Kmart, Lucent Technologies, Merck & Co., Merrill Lynch, Mirant, Nicor Energy, LLC, Peregrine Systems, Qwest Communications International, Reliant Energy, Sunbeam, Tyco International (L. Dennis Kozlowski, Mark H. Swartz), Waste Management, WorldCom (Bernard Ebbers)

Page 15: Information Systems Audit & Control

Motivation for Control & Audit – Risk Based Capital

Definition of RBC: a theoretical model used to compute the minimum amount of capital that an insurance company should maintain in order to support its business operations, considering the company’s size and risk profile.

Goals:
To assist regulators in knowing when to intervene in a company’s affairs
To reduce costs of company insolvencies by catching them early
To be simple enough to be applied to all companies
To be comprehensive enough to adequately distinguish all possible risks

Page 16: Information Systems Audit & Control

Need for IS Control & Audit

Reliance on computer systems
Survival of organization
Costs of data loss
Costs of errors
Inability to function
Possibility of incorrect decisions

Page 17: Information Systems Audit & Control

Security & abuse – from inside & outside: hacking, viruses, access
Destruction & theft of assets
Modification of assets
Disruption of operations
Unauthorized use of assets
Physical harm
Privacy violations

Need for IS Control & Audit

See cases at end of ch. 1

Page 18: Information Systems Audit & Control

Need for IS Control & Audit

Page 19: Information Systems Audit & Control

What Is Information System Audit

Process of collecting and evaluating evidence to determine whether a (computerized) system:
Safeguards assets
Maintains data integrity
Enables communications & access to information
Achieves operational goals effectively
Consumes resources efficiently

Page 20: Information Systems Audit & Control

Objectives – Audit and Control

Need to control & audit info systems
IS AUDITING = collecting & evaluating evidence to determine if the system accomplishes its organizational tasks effectively & efficiently

Understanding the organization & environment
Understanding systems, EDP in particular
Understanding the control approach

Control – a system that prevents, detects, or corrects unlawful, undesirable or improper events

Page 21: Information Systems Audit & Control

The Auditing Environment

External vs. internal auditors

External auditors provide increased assurance on:
Fairness of financial statements
Frauds & irregularities
Ability to survive

Internal auditors appraise and evaluate the adequacy & effectiveness of controls
Control – a system that prevents, detects, or corrects unlawful, undesirable or improper events
Reporting – and responsibility – to Board of Directors

Page 22: Information Systems Audit & Control

The Auditing Environment – cont.

Types of audit procedures:
To gain understanding of controls
Tests of controls
Substantive tests of details of transactions
Substantive tests of balances and overall results
Analytic review procedures

Page 23: Information Systems Audit & Control

Assessing Reliability

By controls
By transaction
By errors

Page 24: Information Systems Audit & Control

Internal Auditors

Responsible to Board of Directors
An internal control function
Assist the organization in measurement & evaluation of:
Effectiveness of internal controls
Achievement of organizational objectives
Economics & efficiency of activities
Compliance with laws and regulations

Operational audits

Page 25: Information Systems Audit & Control

Internal Auditors Scope of Work

Safeguarding assets
Compliance with policies and plans
Accomplishment of established objectives
Reliability & integrity of information
Economical & efficient use of resources

Page 26: Information Systems Audit & Control

The Internal Controls Framework

Separation of duties
Delegation of authority & responsibility
System of authorizations
Documentation & records
Physical control over assets & records
Management supervision
Independent checks
Recruitment & training

Page 27: Information Systems Audit & Control

Internal Controls - Cont.

Controls – pattern of activities:
Preventive
Detective
Corrective

Controls affect reliability:
Reduce failure probability
Reduce expected loss in failure

Reasonable assurance – based on cost-benefit considerations
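As an added worked example (not from the slides or the Weber text) of the cost-benefit view of reasonable assurance: each candidate control is modelled as a factor on failure probability (preventive) or on loss given failure (detective, corrective), and a control is justified only when the drop in expected loss exceeds what it costs to run. The Control class, the factor values and the payment-run scenario are constructed for illustration.

```python
"""Cost-benefit screening of controls: a control earns its place only if it
cuts expected loss by more than it costs. Class, factors and scenario values
are constructed for illustration, not taken from the course."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                         # "preventive", "detective" or "corrective"
    cost: float                       # annual cost of operating the control
    probability_factor: float = 1.0   # multiplies failure probability (preventive)
    loss_factor: float = 1.0          # multiplies loss given failure (detective, corrective)


def expected_loss(failure_probability, loss_given_failure):
    """Expected loss = probability of failure x loss if it happens."""
    return failure_probability * loss_given_failure


def net_benefit(control, failure_probability, loss_given_failure):
    """Reduction in expected loss the control buys, less what it costs to run."""
    before = expected_loss(failure_probability, loss_given_failure)
    after = expected_loss(failure_probability * control.probability_factor,
                          loss_given_failure * control.loss_factor)
    return (before - after) - control.cost


def justified_controls(controls, failure_probability, loss_given_failure):
    """Names of controls whose expected-loss reduction exceeds their cost:
    reasonable assurance, not every control that could conceivably help."""
    return [c.name for c in controls
            if net_benefit(c, failure_probability, loss_given_failure) > 0]


# Constructed scenario: a 10% annual chance of an unauthorized payment run
# that would lose 200,000 if it went undetected and uncorrected.
FAILURE_PROBABILITY = 0.10
LOSS_GIVEN_FAILURE = 200_000.0
SAMPLE_CONTROLS = (
    Control("two-person approval of payment batches", "preventive", 6_000.0,
            probability_factor=0.2),
    Control("daily review of payment exception report", "detective", 3_000.0,
            loss_factor=0.5),
    Control("same-day reversal procedure with the bank", "corrective", 25_000.0,
            loss_factor=0.5),
)
```

With the constructed numbers the preventive and detective controls pay for themselves and the corrective one does not; rerun with a lower failure probability and none of them do, which is the cost-benefit point of the slide.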

Page 28: Information Systems Audit & Control

External Auditors

Responsible to stockholders and public, via Board of Directors

Assess financial statement assertions:
Existence or occurrence
Completeness
Valuation and allocation
Presentation and disclosure
Rights and obligations

Must test compliance with laws and regulations
Must test for fraud and improprieties
Rely on the internal control structure for planning of the audit

Page 29: Information Systems Audit & Control

External Auditors

Audit (material misstatement) risk = product of:
Inherent risk (assertion could be materially misstated)
Control risk (misstatement will not be prevented or detected on a timely basis by internal controls)
Detection risk – inversely related to control and inherent risks
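As an added worked example (not part of the slides) of the audit risk model rearranged for planning: given the audit risk the auditor is willing to accept and the assessed inherent and control risks, the detection risk that can be tolerated is AR / (IR × CR), which is why planned detection risk falls, and substantive testing grows, as control or inherent risk rises. The function names, the testing-extent thresholds and the two scenarios are constructed.

```python
"""Audit risk model: AR = IR x CR x DR, rearranged to plan detection risk.
Function names, thresholds and scenario values are constructed."""


def planned_detection_risk(acceptable_audit_risk, inherent_risk, control_risk):
    """Detection risk the auditor can tolerate given the acceptable audit risk
    and the assessed inherent and control risks (all probabilities in (0, 1])."""
    for name, value in (("acceptable_audit_risk", acceptable_audit_risk),
                        ("inherent_risk", inherent_risk),
                        ("control_risk", control_risk)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {value!r}")
    # AR = IR * CR * DR  =>  DR = AR / (IR * CR).  Low inherent and control
    # risk can push the ratio above 1; a probability is capped at 1.
    return min(1.0, acceptable_audit_risk / (inherent_risk * control_risk))


def substantive_testing_extent(detection_risk):
    """Map planned detection risk to the extent of substantive testing: the
    less detection risk the auditor may accept, the more testing is needed.
    Thresholds are illustrative, not from the course."""
    if detection_risk < 0.2:
        return "extensive"
    if detection_risk < 0.5:
        return "moderate"
    return "limited"


def compare_control_environments(acceptable_audit_risk=0.05, inherent_risk=0.5):
    """Constructed scenario: same acceptable audit risk and inherent risk,
    weak versus strong internal controls."""
    results = {}
    for label, control_risk in (("weak controls", 0.9), ("strong controls", 0.25)):
        dr = planned_detection_risk(acceptable_audit_risk, inherent_risk, control_risk)
        results[label] = (round(dr, 4), substantive_testing_extent(dr))
    return results


if __name__ == "__main__":
    for label, (dr, extent) in compare_control_environments().items():
        print(f"{label}: planned detection risk {dr}, {extent} substantive testing")
```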