Title: How to Prepare for an Information Technology Audit or Review
How to Prepare for an Information Technology Audit or Review
- Andrew J. Thom, Senior Audit Manager
- Information Systems Audit
Auditor of State's Office
- Responsible for auditing all public offices
- Nearly 3000 audits annually
- 700 auditors / 23 IS auditors
Presentation Overview
- Changes in IT and Audit
- Audit Objectives
- Common Control Issues
Changes in IT
[Image: U.S. Army photo]
[Image: Server Farm]
- Increased Spending On and Use of IT
- Increases in Computing Power
- Shorter Life of Systems and Applications
Changes in Audit
- Rare to find an entity whose use of IT does not impact its financial audit.
- Technology used by Auditors
- SAS 94
Greater Use of Technology by Auditors
Statement on Auditing Standards 94
- AU Section 319 (SAS 94)
- The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
A Few Definitions
- Information Technology, IT
- Internal Control
- General Controls
- Application Controls
What is Information Technology?
- Information Technology (IT) encompasses automated means of originating, processing, storing and communicating information, and includes recording devices, communication systems, computer systems (including hardware and software components and data) and other electronic devices.
- AU Section 319, Consideration of Internal Control in a Financial Statement Audit (SAS No. 55, SAS No. 78, SAS No. 94)
What is Internal Control?
- Defines internal control as a process effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, and (c) compliance with applicable laws and regulations.
- AU Section 319, Consideration of Internal Control in a Financial Statement Audit (SAS No. 55, SAS No. 78, SAS No. 94)
What are General Controls?
- Effective general controls will ensure the applications and the systems they reside on are properly maintained, secured and backed up for recovery purposes.
General Controls
- Data center and network operations
- System software acquisition and maintenance
- Access security
- Application system development and maintenance
What are Application Controls?
- Application controls differ from general controls because they refer to SPECIFIC applications.
- Effective application controls will ensure the completeness and accuracy of data input, processing, and output.
IT Audit Control Objectives
- Overall Operation of the IT Function
- Development and Implementation of New Applications Systems
- Changes to Existing Applications or Hardware Systems
- IT Security
- IT Operations
Audit Objectives in the Overall Operation of the IT Function
- IT Personnel
  - Knowledge and education
  - Training for personnel
Audit Objectives in the Overall Operation of the IT Function (cont.)
- IT Strategy
  - Long range and short range
Audit Objectives in Development and Implementation of New Applications Systems
- Project Management
  - Is there a plan and/or schedule?
  - Is the plan and the project monitored?
Audit Objectives in Development and Implementation of New Applications Systems (cont.)
- Design/Selection of Applications and Hardware Systems
  - Who was involved in the design?
  - Is the application/hardware compatible with existing applications?
  - How are changes reviewed and approved?
Audit Objectives in Development and Implementation of New Applications Systems (cont.)
- Testing of Applications/Systems
  - Who reviews the changes for appropriateness to achieve business objectives?
  - How are changes to the application controlled before being transferred into the live environment?
Audit Objectives in Development and Implementation of New Applications Systems (cont.)
- Transfer into the Live Environment
  - What ensures that only properly tested, reviewed and approved applications and hardware are put into the live environment?
Audit Objectives in Development and Implementation of New Applications Systems (cont.)
- Conversion of Data
  - How is the balance data (financial, payroll, etc.) reconciled prior to transfer?
  - How is the conversion process controlled?
  - How do you ensure appropriate testing of the data is performed by both users and IT?
Audit Objectives in Development and Implementation of New Applications Systems (cont.)
- Training and Documentation
  - Is updated or new documentation provided to end users?
  - How do you ensure users and IT staff have appropriate training?
Audit Objectives in Changes to Existing Applications or Hardware Systems
- Change Requests
  - Who requests and approves changes?
  - Who is involved in the changes?
Audit Objectives in Changes to Existing Applications or Hardware Systems (cont.)
- Testing of Program Changes or Hardware System Upgrades
  - What prevents and detects unauthorized changes to applications and hardware?
Audit Objectives in Changes to Existing Applications or Hardware Systems (cont.)
- Transfer into the Live Environment
  - What ensures that only approved and tested changes are put into production?
Audit Objectives in Changes to Existing Applications or Hardware Systems (cont.)
- Documentation and Training
  - Is updated or new documentation provided to end users?
  - How do you ensure users and IT staff have appropriate training?
Audit Objectives in IT Security
- Security Management
  - Is there a security policy for all users, and is it acknowledged?
  - Are periodic checks performed to confirm that the users are current and that their access is commensurate with their current job responsibilities?
Audit Objectives in IT Security (cont.)
- System Software and Utilities Access Controls
  - What ensures that access to system software and utility programs is properly restricted and monitored?
Audit Objectives in IT Security (cont.)
- Application Level Access Controls
  - How is access restricted to appropriate functions within applications?
Audit Objectives in IT Operations (cont.)
- System Administration and Maintenance
  - How is the system monitored and measured for availability/downtime?
  - Are there appropriate escalation procedures to resolve operational failures?
  - Who ensures the effective administration of the databases (DBA)?
Audit Objectives in IT Operations (cont.)
- Backup
  - When are they performed?
  - Where are they stored?
  - How do you know the data on the backup is restorable?
  - Is the data on the backups ever tested?
Audit Objectives in IT Operations (cont.)
- Disaster Recovery
  - Has management performed an impact analysis?
  - Is there a documented plan? Is it tested? Are the results maintained and used for improvement?
  - Do all parties involved know they are involved, and to what level?
  - Do you have a spokesperson?
  - Is the plan kept off-site?
  - Do you have insurance for the IT equipment?
Audit Objectives in IT Operations (cont.)
- Business Continuity
  - Do you have a plan? Does it address which applications are critical and for what time frame you can be without them?
  - Do you have paper stock?
Application Control Objectives
- Authorization
- Completeness of Input
- Accuracy of Input
- Cutoff of Transactions
- Transaction Classification
- Transaction Occurrence
Application Control Objectives (cont.)
- Existence
- Integrity of Standing Data
- Completeness/Accuracy of Updating
- Completeness/Accuracy of Accumulated Data
- Restricted Access to Assets
- Completeness/Accuracy of Payments
IT Audit Common Control Issues
- Security Related
  - Unchanged Default Settings
  - Excessive Access Rights
  - Ineffective Termination Procedures
  - Ignoring Security Patches, Advisories and Updates
IT Audit Common Control Issues (cont.)
- System Availability
  - Infrequent, Untested, and/or On-site Storage of Backups
  - Untested, Out of Date, or IT Centric DRP/Business Continuity Plan
  - Infrequent Monitoring of IT Activity
IT Audit Common Control Issues (cont.)
- Selecting and Maintaining Systems
  - Not Having an Effective Process for Selecting a New Application
  - Insufficient Testing of the New Application
  - Ignoring Security Controls
IT Audit Common Control Issues (cont.)
- Selecting and Maintaining Systems
  - Inadequate Training
  - Lack of Documentation
  - Too Much Reliance on Vendors
Available Guidance
- COBIT
- COSO Integrated Framework
- ISO 17799 Code of Practice for Information
Security Management
Available Guidance (cont.)
- AICPA SysTrust Principles and Criteria
- GAO (FISCAM) to be released soon.
Short List of Low Cost, Low Tech Suggestions to Improve Controls
- Set the Tone at the Top: Security Policy
- Enforce Access Based on Job Need
- Change Default Settings
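The "Enforce Access Based on Job Need" suggestion, the Security Management question about periodic checks that users are current and access is commensurate with job responsibilities, and the "Excessive Access Rights" and "Ineffective Termination Procedures" findings all come down to one repeatable reconciliation: compare who has access with who should. The Python script below is an added example, not part of the presentation or any Auditor of State tool; the HR roster, the role-to-entitlement matrix and the application account export are constructed sample data, and the field names (`user`, `emp_id`, `enabled`, `entitlements`) are assumptions about what such an export would contain.

```python
"""Periodic user-access review (added example, not from the presentation).

Reconciles an application's account export against the HR roster and a
role-to-entitlement matrix, producing the findings an auditor asks about:
enabled accounts belonging to terminated staff, accounts with no HR owner,
and entitlements beyond what the job title needs.  All data below is
constructed sample data; the field names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed HR roster: employee id -> (employment status, job title)
HR_ROSTER = {
    "E100": ("active", "payroll_clerk"),
    "E101": ("active", "accounts_payable"),
    "E102": ("terminated", "payroll_clerk"),
    "E103": ("active", "dba"),
}

# Constructed role matrix: the entitlements each job title legitimately needs
ROLE_MATRIX = {
    "payroll_clerk": {"PAYROLL_ENTRY", "PAYROLL_VIEW"},
    "accounts_payable": {"AP_ENTRY", "AP_VIEW", "VENDOR_VIEW"},
    "dba": {"DB_ADMIN"},
}

# Constructed account export from the financial application (assumed fields)
ACCOUNT_EXPORT = [
    {"user": "jsmith", "emp_id": "E100", "enabled": True,
     "entitlements": {"PAYROLL_ENTRY", "PAYROLL_VIEW"}},
    {"user": "mjones", "emp_id": "E101", "enabled": True,
     "entitlements": {"AP_ENTRY", "AP_VIEW", "VENDOR_VIEW", "VENDOR_MAINT"}},
    {"user": "rdoe", "emp_id": "E102", "enabled": True,
     "entitlements": {"PAYROLL_ENTRY"}},
    {"user": "svc_report", "emp_id": None, "enabled": True,
     "entitlements": {"AP_VIEW"}},
    {"user": "kbrown", "emp_id": "E103", "enabled": True,
     "entitlements": {"DB_ADMIN", "PAYROLL_ENTRY"}},
    {"user": "oldtemp", "emp_id": "E102", "enabled": False,
     "entitlements": {"PAYROLL_VIEW"}},
]


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str   # terminated_still_enabled | orphan_account | excessive_access
    detail: str


def review_access(accounts, roster, matrix):
    """Return one Finding per control exception; disabled accounts are skipped."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already cut off; nothing to reconcile
        record = roster.get(acct["emp_id"])
        if record is None:
            # No HR owner: every enabled account should map to a named person
            findings.append(Finding(acct["user"], "orphan_account",
                                    "enabled account with no matching HR record"))
            continue
        status, title = record
        if status != "active":
            # Termination procedure did not disable the account
            findings.append(Finding(acct["user"], "terminated_still_enabled",
                                    f"HR status is '{status}'"))
            continue
        excess = acct["entitlements"] - matrix.get(title, set())
        if excess:
            # Access beyond job need
            findings.append(Finding(acct["user"], "excessive_access",
                                    f"{title} does not need {sorted(excess)}"))
    return findings


def summarize(findings):
    """Counts per issue type, suitable for the audit workpaper."""
    return dict(Counter(f.issue for f in findings))


if __name__ == "__main__":
    results = review_access(ACCOUNT_EXPORT, HR_ROSTER, ROLE_MATRIX)
    for f in results:
        print(f"{f.user:<12} {f.issue:<26} {f.detail}")
    print(summarize(results))
```

Run against a real export, the dated list of findings, plus the sign-off from the manager who reviewed it, is the evidence that the "periodic checks" question asks for; an empty list from a review nobody ran is not.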
Short List of Low Cost, Low Tech Suggestions to Improve Controls (cont.)
- Test Your Backups
- Document In-house Procedures and Applications
- Monitor IT Activity
- Update IT Skills
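"Test Your Backups" and the Backup questions under IT Operations (how do you know the data on the backup is restorable, is it ever tested?) are answered by the same evidence-producing check: record a hash manifest when the backup is taken, restore it somewhere harmless, and compare every file. The Python script below is an added example, not part of the presentation or any Auditor of State tool; the directory layout and file contents are constructed in a temporary directory, and the archive format (a gzip tarball with a SHA-256 manifest written beside it) is an assumption.

```python
"""Backup restorability test (added example, not from the presentation).

Takes a backup of a directory together with a SHA-256 manifest, restores the
archive into a scratch directory and compares every restored file against the
manifest.  The sample files are constructed in a temporary directory so the
script runs offline; the archive layout is an assumption.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tarball of src and a JSON manifest file beside it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, manifest: dict, scratch: Path) -> dict:
    """Restore the archive into scratch and report missing or altered files."""
    scratch.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Use the safe extraction filter where this Python version provides it
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(scratch, **extra)
    restored = build_manifest(scratch)
    missing = sorted(set(manifest) - set(restored))
    mismatched = sorted(p for p in manifest
                        if p in restored and restored[p] != manifest[p])
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_expected": len(manifest),
        "files_restored": len(restored),
        "missing": missing,
        "mismatched": mismatched,
        "restorable": not missing and not mismatched,
    }


def run_demo() -> tuple:
    """A good backup, then an archive that no longer matches the manifest."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    src = work / "finance"
    (src / "payroll").mkdir(parents=True)
    (src / "ledger.csv").write_text("account,amount\n1000,42.00\n")  # constructed
    (src / "payroll" / "run.dat").write_bytes(b"\x00\x01\x02\x03")   # constructed

    archive = work / "finance.tar.gz"
    manifest = create_backup(src, archive)
    good = verify_restore(archive, manifest, work / "restore-good")

    # Simulate a corrupt or incomplete backup: altered ledger, missing payroll file
    (src / "ledger.csv").write_text("account,amount\n1000,99.00\n")
    (src / "payroll" / "run.dat").unlink()
    bad_archive = work / "finance-corrupt.tar.gz"
    create_backup(src, bad_archive)
    bad = verify_restore(bad_archive, manifest, work / "restore-bad")
    return good, bad


if __name__ == "__main__":
    for report in run_demo():
        print(json.dumps(report, indent=1))
```

Scheduled against a real backup set, the dated report with `restorable` true is the answer to "is the data on the backups ever tested?", and the `missing` and `mismatched` lists say exactly which files would not have come back, which is what a disaster recovery plan needs to know before the disaster.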
Reference List
- Statement on Auditing Standards 94 (SAS 94). The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit. American Institute of Certified Public Accountants Auditing Standards Board, 2001.
- Internal Control - Integrated Framework. Committee of Sponsoring Organizations of the Treadway Commission (COSO), 1992. http://www.coso.org/
- Control Objectives for Information and Related Technology (COBIT), Third Edition. Information Systems Audit and Control Foundation and the IT Governance Institute, 2000. http://www.isaca.org/cobit.htm
- ISO/IEC 17799:2000, Information Technology - Code of Practice for Information Security Management. International Organization for Standardization, 2000. http://www.iso.org/
- AICPA Information Technology Center. http://www.infortech.aicpa.org/
- CERT Advisories. http://www.cert.org/advisories/
- 88 East Broad Street
- Columbus, Ohio 43215
- Phone (800) 282-0370, Fax (614) 466-4490
- E-mail contactus@auditor.state.oh.us
- www.auditor.state.oh.us