Information systems Audit in Non-conventional Domains (transcript of a 20-page PDF slide deck, 8/1/2011)

INTEGRATING INFORMATION SYSTEMS AUDIT WITH INTERNAL AUDIT

@ ICAI BANGALORE BRANCH – 20 JULY 2011

A Subramaniam

Chief Executive – BizPro Consultants

(c) BizPro Consultants

AREAS OF EXPERTISE

FCA, CISA, CIA, IMS Lead assessor, ISO 27001 Lead auditor

25+ years experience in external, internal audit and consultancy in India and Oman

Integration of operational, IT, management system and internal audits

Risk Based auditing

ERM - Enterprise Risk Management : COSO and soft controls

Fraud prevention, detection, investigation, risk assessment & fraud resilient systems

IS Audit

Information systems implementation – design & review

CAAT - computer assisted audit techniques

Data analytics – for revenue assurance, information processing, controls, fraud / error detection

ISO Management systems – QHSE & Information security


PRESENTATION OUTLINE

Internal audit

Information systems (IS) audit

Components of IS audit

Need for IS Audit

Walkthrough of an Internal audit integrating IS Audit

IS audit Techniques

Multiple systems integration

GRC and linking IS audit

INTERNAL AUDIT

“Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity's risk management and internal control system.”

– ICAI


IIA DEFINITION OF INTERNAL AUDIT

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

– The Institute of Internal Auditors

INFORMATION SYSTEMS AUDIT

Information systems (IS) – The combination of strategic, managerial and operational activities involved in the gathering, processing, storage, distributing, and use of information and its related technologies. … ISACA


IS AUDIT

Audit – Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.

'Audit' refers to a specific type of assurance engagement … a formal, independent and systematic inspection or examination of subject matter against a recognised and appropriate standard or against management's assertions that must meet specific criteria. … adherence to specific standards and guidance, and adoption of specific reporting formats.

Audit engagements could include support of the audit of financial statements, opinions of regulatory compliance and other formal expressions of opinion.

– Extracts from ISACA's IT Assurance Framework

INFORMATION SECURITY

Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.

– ISO 27001:2005


AUDIT OBJECTIVES – BEYOND SECURITY

Triple E: Economy, Efficiency, Effectiveness (IIA Standard 2120.A1)

The IA activity must:

assess whether the governance … sustains and supports the organization's strategies and objectives.

evaluate risk exposures, and the adequacy and effectiveness of controls in responding to risks, relating to the organization's governance, operations, and information systems regarding the:

Reliability and integrity of financial and operational information. – IIA 2120, 2130.A1

IS AUDIT = CAATs ?


COMPONENTS OF IS AUDIT

General controls:
  Physical access, logical access
  Environmental
  Operations, change management
  Network and infrastructure
  Database and operating systems

Application and operational systems:
  Financial systems
  Non-financial systems

Information security:
  Backup, archiving and data retention
  Disaster recovery and business continuity planning – ISO 38500

COMPONENTS OF IS AUDIT - CONTD

Application Development methodology

SDLC management, Patches & upgrades,

Involvement of Users in system development

Project management

PMBOK, PRINCE 2

Service Management

ITIL and ISO 20000 (ITSM)

SLA

IT Risk assessment and Governance

COBIT and VAL IT


REGULATORY NEED FOR IS AUDIT

Financial statements audit

CARO – 'adequate system of internal control … size … any major weakness'

'… internal audit system … size'

ICAI – Internal Audit Standard 14

Clause 14 – The internal auditor should review … robustness of … IT environment and consider any weakness or deficiency in the design and operation of any IT control … by reviewing:

System Audit reports … conducted by … IS auditors;

+ …

SEBI Clause 49 requirements – CEO / CFO certification on internal control

SOX requirements – 404 certification

Audit scope definition and audit charter

ICAI STANDARD 14

Illustrative IT controls to be reviewed during internal audit in an IT environment (17 controls)

IT Access Control (1)

IT Backup and recovery (4)

IT Environmental controls (1)

IT Inventory (3)

IT Operations (2)

IT Physical security (1)

IT Service Agreements (3)

IT Virus Protection Policy (1)


INTEGRATING IS AUDIT WITH INTERNAL AUDIT

Procurement audit

Sales and Receivable audit

Data analysis

PROCUREMENT AUDIT

Requisition – Approval – Float – Evaluation – Award

Creation of PO

Incomplete POs

Reprint of PO

PO modification – without approver permission?

Elements of the P2P process which are handled through the application – PR, RFQ, bid evaluation, receipt, payment, recording

Access privileges

Security of purchase information – access, distribution - confidentiality – physical and logical

Fraud Potential


SALES & RECEIVABLE AUDIT

Retail chain

Price master – access

Discount % and authority levels

Field / stress test

Audit trail

Password custody

Item master creation

DATA ANALYSIS

Exceptions from business and application logic

Failed transactions: system weakness, failure, interface problems?


REVIEW OF IT SYSTEMS

The internal auditor should consider the IT environment in designing audit procedures to review the systems, processes, controls and risk management framework of the entity.

– Clause 13, ICAI Std 14 on IA

ERP SYSTEM – CONFIGURATION

Roles vs positions

Assignment of roles to positions

Escalation of privileges


EXCESSIVE ACCESS RIGHTS

$19 Million Embezzled from a large international bank by VP with Excessive Access Rights

A former XYZ Bank vice president in the internal finance department is charged with embezzling over $19 million. Between July and December of 2010 the defendant allegedly transferred money between numerous XYZ corporate accounts and his personal account at ….

The former VP appears to have accrued excessive access rights to sensitive banking systems so he could both authorize and initiate eight large transfers of cash.


SEGREGATION OF DUTIES (SOD)

SOD conflicts

Authority assignment, review of privileges, SOD

Matrix review

Preventive and Detective controls
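A detective SoD control of the kind the matrix review above calls for, written here as an added example (not code from the presentation or from BizPro): it scans a constructed user-to-role extract against a constructed conflict matrix and flags any user holding both sides of a pair such as initiate and authorise payment, the pattern in the bank VP case on the previous slide, and it also includes a preventive check for use at role-assignment time. The role names, the matrix and the extract are all assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed SoD conflict matrix (role names are assumptions, not any ERP's own):
SOD_MATRIX = {
    frozenset({"INITIATE_PAYMENT", "AUTHORIZE_PAYMENT"}),  # initiate + authorise
    frozenset({"CREATE_PO", "APPROVE_PO"}),                # raise + approve PO
    frozenset({"MAINTAIN_PRICE_MASTER", "POST_SALES"}),    # price master + sales
    frozenset({"CREATE_VENDOR", "INITIATE_PAYMENT"}),      # vendor + payment
}

# Constructed "user,role" extract of the kind a CAAT would pull from the ERP.
USER_ROLE_EXTRACT = """\
user,role
vp_finance,INITIATE_PAYMENT
vp_finance,AUTHORIZE_PAYMENT
vp_finance,VIEW_REPORTS
buyer1,CREATE_PO
approver1,APPROVE_PO
buyer2,CREATE_PO
buyer2,APPROVE_PO
clerk1,CREATE_VENDOR
clerk1,INITIATE_PAYMENT
"""

def parse_extract(text):
    """Return {user: set(roles)} from the CSV-style extract (header skipped)."""
    roles = defaultdict(set)
    for line in text.strip().splitlines()[1:]:
        user, role = (field.strip() for field in line.split(","))
        roles[user].add(role)
    return dict(roles)

def find_sod_conflicts(user_roles, matrix=SOD_MATRIX):
    """Detective control: (user, role_a, role_b) for each conflicting pair held."""
    hits = []
    for user, roles in sorted(user_roles.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in matrix:
                hits.append((user, a, b))
    return hits

def conflicts_if_granted(existing_roles, new_role, matrix=SOD_MATRIX):
    """Preventive control: existing roles that would clash if new_role is granted."""
    return sorted(r for r in existing_roles if frozenset({r, new_role}) in matrix)

if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(parse_extract(USER_ROLE_EXTRACT)):
        print(f"SoD conflict: {user} holds both {a} and {b}")
```

Users who hold only one side of a pair (buyer1, approver1) produce no finding; the same matrix drives both the periodic review and the assignment-time block.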

ERP SYSTEM – CONFIGURATION … CONTD

Multiple:
  business practices (52 weekly reporting)
  social environments (weekend days)
  legal environments (financial year for tax)
  company business rules (P2P cycle variations, company's process requirements)

Best (or ERP-designed) practices vs company business process – customisation

Configurations and customisations – upgrades / patches – documented? essential?


ERP SYSTEMS DATA STRUCTURE

Master and transaction

Efficiency and user-friendliness considerations (alpha vs numeric)

NORMALISATION RULES

Changes in attributes affecting past records

Update, insertion and deletion anomaly

Sixth Normal Form


ERP SYSTEMS DATA … CONTD

Difficult to trace links – data dictionary & definition

Resolving the dilemma between audit trail and performance degradation = ?

IS AUDIT TECHNIQUES

General audit techniques (discussion, interview, process mapping, walkthroughs)

Special audit techniques

Front end, Administrator and Backend views

Data review – application and third party tools

Configuration review techniques

Penetration testing and vulnerability assessment


IS AUDIT TECHNIQUES … CONTD

Testing: unit testing, integration, extreme, stress

testing tools

test data packs – scenario building

cloning

MULTIPLE SYSTEM ENVIRONMENT

Why:
  Best of breed / most suitable / Triple E
  System maintenance considerations

Issues:
  Interface and integration


GRC – GOVERNANCE RISK & COMPLIANCE

GRC - COMPLIANCE, RISK AND GOVERNANCE

Are key processes processed / recorded / monitored by IT applications?

Effective resolution and escalation mechanism

IT Steering committee

Adherence to Standards & Best practices


BENEFITS OF INTEGRATION

Holistic view

Appropriate time

Domain expert involvement

Bigger picture to management

INFORMATION SYSTEMS IN PERSPECTIVE

GIGO

Red herrings and flags

Recording of transactions in a system-usable manner


WAY FORWARD

Identify Internal audit elements involving information systems

Prepare inventory of Information systems

Prepare IS Audit programs

Integrate IS Audit tests into Internal audit programs

Use appropriately qualified resources for technical areas

Identify the balance of IS audit elements not covered in existing internal audit programs and schedule separate IS audits

SUMMARY

IS Audit is necessary

IS Audit is mandated by audit standards

IS Audit is important for effective internal audit

IS Audit can be effectively combined with internal audit


FURTHER READING

ICAI Standards on Internal Auditing – Std 14

Internal audit in IT Environment

www.isaca.org

ISO 27001 – Information Security

www.theiia.org/guidance/technology/gait/

GAIT – Guidance to Assessment of IT Risk

THANK YOU

Thank you for your patience

Questions???


OUR CONTACT DETAILS

A. Subramaniam

Chief Executive

BizPro Consultants, Bangalore

[email protected]

Mob : 0091 95351 11806
