Introduction to Information Audit - PowerPoint PPT Presentation


PPT – Introduction to Information Audit PowerPoint presentation | free to download - id: 573d64-MDEzY


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Introduction to Information Audit


Title: Clase modelo Author: Juan Carlos Olivares Rojas Last modified by: Juan Carlos Olivares Rojas Created Date: 2/19/2009 4:07:57 AM Document presentation format – PowerPoint PPT presentation

Number of Views:7
Avg rating:3.0/5.0
Slides: 69
Provided by: JuanCarlos263


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Introduction to Information Audit

Introduction to Information Audit
  • M.C. Juan Carlos Olivares Rojas

Department of Computer and System Instituto
Tecnológico de Morelia 1
9.72388 lat, -101.1848 long
Some material in this presentation has been
obtained from various sources, each of which has
intellectual property, so in this presentation
will only have some rights reserved. These
slides are free, so you can add, modify, and
delete slides (including this one) and slide
content to suit your needs. They obviously
represent a lot of work on my part. In return for
use, I only ask the following if you use these
slides (e.g., in a class) in substantially
unaltered form, that you mention their source.
  • Audit and Information Audit Concepts.
  • Types of Auditing.
  • Internal and External Audit.
  • Field of Information Audit.
  • Internal Control.
  • Control Models using in Information Audit.
  • Principles applied to Information Auditors.
  • Managers and Auditor Responsabilities.

Objectives of the Session
  • The students will know the basis of audit and
    Information Audit

Audit and Information Audit Concepts
  • There are a lot of definition about what Audit
    and Infromation Audit means.
  • Activity in pairs try to discuss whats the
    diference among Audit, Consult and Advisory.
  • Audit is an evaluation of a person, organization,
    system, process, project or product.

  • Audits are performed to ascertain the validity
    and reliability of information, and also provide
    an assessment of a system's internal control.
  • The goal of an audit is to express an opinion on
    the person/organization/system etc. under
    evaluation based on work done on a test basis.
  • Information Audit is review the existing system
    of information management, identify problems and
    recommend solutions for those problems (Elis

Information Audit
  • Other definition of Information audit is an
    analysis of the communications (processes and
    information) that take place between agents
    (people) in a social context (the organisation)
    using a variety of media and channels
  • Information Audit (IA) is focused in describe how
    things are done instead of existence for
    example, use of a database rather than exist a

Information Audit
  • The IA contex have to set against organizational
    goals and costraints.
  • The IA has to try to solve question such as
  • What is the purpose of the audited system?
  • Does it accomplish its purpose?
  • Is the purpose in line with the purpose and
    philosophy of the organisation as a whole?

Information Audit
  • How effectively are resources used?
  • How are resources accounted for and safeguarded?
  • How useful is the information system supporting
    the organisation?
  • How reliable is the information system?
  • Does the system comply with regulations and

In Sum
  • The goal of the Audit project
  • Compare what is,
  • To what should be
  • To bring the two together
  • The process is
  • Establish what should be
  • Get support
  • Find out what is
  • Create results and recommendations.

  • Deadline Monday, February 16
  • 20 Format
  • 40 Research and writting an Essay about ISACA,
    COBIT and ITIL Standards. Download all the
    Manuals and delivery only the principal ideas.
  • 40 Make a State-of-the-Art Table among the
    standards evaluating most of 3 features.

Types of Auditing
  • Exist diferent clasification of Auditing.
  • By deep Level General and Technical
  • General Auditing includes an assesment of
    diferent areas (i.e., financial, administrative,
    quality, etc.) in a company at the same time.
  • Technical Audits are specific such as Information
    System Audit.

Internal and External Audits
  • Internal Audits are realized by Individual of the
    Organization. The advantages are most knowledge
    of Internal Control and less time in the audit
    process. The disadvantages can be non-Ethical
  • External Audit or Superior Control Audit is
    realized by Third-People. This is recommended
    type of audit because is most Ethical and
    Efficient but required more time.

Field of Information Audit
  • What are Business Process?
  • Its a collection of related, structured
    activities or tasks that produce a specific
    service or product (serve a particular goal) for
    a particular customer or customers.
  • Activity Indicate what are the Business Process
    in a University such as Instituto Tecnologico de

Business Process
  • Some Business Process are very similar.
  • Whats the diference?
  • Its the business rules. These are statements
    that define or constrain some aspect of the
  • Activity What are the business rules of ITM?
    Describe the rules of some sport or game such as
    Soccer, Tenis, Tetris, etc.

What is Audited?
  • The Information that leads to knowledge
  • Resources for making information
  • How info is used
  • The people who need and create info
  • Info capture, management and presentation tools
  • How info is valued

Whats the Point?
  • Understand information
  • What is it?
  • How does it move?
  • Manage information
  • What should we spend on it?
  • How should it flow?
  • Give information its rightful place as something
    we pay attention to.
  • Money
  • Material goods
  • Processes

Internal Control
  • Its defined as a process effected by an
    organization's structure, work and authority
    flows, people and management information systems,
    designed to help the organization accomplish
    specific goals or objectives.
  • It is a means by which an organization's
    resources are directed, monitored, and measured.

Internal Control
  • It plays an important role in preventing and
    detecting fraud and protecting the organization's
    resources, both physical (e.g., machinery and
    property) and intangible (e.g., reputation or
    intellectual property such as trademarks).
  • Internal control is a key element of the Foreign
    Corrupt Practices Act (FCPA) of 1977 and the
    Sarbanes-Oxley Act of 2002, which required
    improvements in internal control in United States
    public corporations.

Internal Control
  • The governance is a very important activity
    inside organizations because drive and direct the
    Internal Control.
  • Procurement plays and importan role in the modern
    organization because need mechanism to regularize
    the practices and maintance the justice.
  • External Control is supported by Goverment

  • Installing and OS (such as Windows, Linux, Mac)
    in a Virtual Machine. Deadline Friday, February
  • Redact an Essay how are the kind of licenses for
    Software in Virtualized Environments.
  • Can We Execute twice or more time the same
    software in virtual Machine.
  • Deadline Wednesday, February 18

  • Its a writting document which aims to persuade
    the audience about the validity and importance of
    one's own ideas on a specific topic
  • Its an argument which a process of
    analysis-synthesis is realized. I doesnt have a
    fixed and exclusive structure, but the following
    features are recommended.

  • It is recommended to start defining the author
    position and items to be addressed in the rest of
    the document.
  • In the development is recommeneded to define a
    method to develop ideas such as defining,
    comparing, analyzing, arguing, among others.
  • It has to each of the main points that support
    the author's position or posture.

  • Conclusions have to re-list the authors position
    in a brief summary and show the action lines to
    be follow (proposed)
  • Part of the Essay is a process of inquiry to
    obtain the theoretical framework as a base to
    argue opinions.
  • Essays are most used in social sciences.

Control Models using in Information Audit
  • Discussion About Methodologies
  • ISACA (Information System Audit and Control
  • COBIT (Common OBjectives for Information and
    related Technologies)
  • ITIL (Information Technologies Infraestructure

Other Methodologies
  • COSO
  • ISO/IEC 177992000
  • ISO/IEC 13335
  • ISO/IEC 15408
  • TickIT
  • NIST 800-14

An Audit Project
  • What are the goals of the project?
  • What is the overall process?
  • What are the deliverables?
  • What does the plan look like?

What Are The Goals?
  • To assess what information and flow the org needs
  • To assess what information and flow the org now
  • To make recommendations about how to get the two
    to match

Whats the Overall Process?
  • 1. Analyze objectives for ideal process
  • 2,3 Get a mandate and support
  • 4 Plan the audit
  • 5 Perform the audit
  • 6,7 Interpret and Present the results
  • 8,9 Take action
  • 10 Repeat

What are the Deliverables?
1. Analyze objectives One or more readiness deliverables A Goals-Knowledge-Info taxonomy
2,3 Get support One or more mandate deliverables Guardian and stakeholder profiles
4. Plan Audit methods plan Staging plan
5. Perform Information Analyses
6,7 Interpret and present Reports and presentations
8,9 Act Follow-up plan
Deliverables A Goals-Knowledge-Info Taxonomy
  • Organizational objective 1
  • Knowledge requirement 1.1
  • Info that supports requirement
  • Containers for the information
  • People who need to know it
  • Flow
  • Creation
  • Use
  • Disposal
  • Knowledge requirement 1.2
  • Organizational objective 2

Deliverables Guardian and Stakeholder Profiles
  • Who will you approach in the org and how?
  • What Word files, a spreadsheet or Db records
  • Who are they?
  • How will you approach them?
  • What do you know without asking?
  • How
  • Asking around
  • Quick email or other communication
  • Org charts or readiness results

Deliverables Audit Methods Plan
  • What are the available methods ?
  • Analysis of docs and Dbs
  • Observation
  • Trying yourself
  • Interviews
  • Meetings
  • Surveys
  • Mapping

  • Analize the Document (SGC Sistema de Gestión de
    la Calidad-) of previous homework.
  • Describe in your own words if the process
    described in the document correspond with the
  • How do you realized the last steep?

Deliverables Audit Methods Plan
  • How will you assess the information resources of
    your organization?
  • What Word, spreadsheet or Db
  • Analysis, resource, method
  • Date, time, and staff
  • How
  • Try each method
  • Discuss with guardians and stakeholders
  • Design for change

Deliverables Staging Plan
  • In what order should groups and information
    resources be done?
  • What Word Doc, spreadsheet or DB
  • Groups and sources identified
  • Dates, times and staff for each
  • How
  • Arranged by
  • Strategic importance and potential for a win
  • Amount of support and ease or simplicity
  • Fair representation of all information

Deliverables Information Analyses
  • The assessment of each dimension of the
    organization's information.
  • What? Word, spreadsheet or Db
  • Data collected
  • Standard set of
  • Information Resources
  • How
  • Apply methods and plan
  • Collect data, analyze and revisit if needed

Deliverables Reports and Presentations
  • What are the analysis methods available?
  • Side-by-side comparison
  • SWOT
  • Clients
  • Actors
  • Transformations
  • Ownership
  • Environment

Finding the Diferences
Deliverables Reports and Presentations
  • The official results of the audit
  • What
  • Word files, Slide decks
  • Email messages, meeting agendas
  • How
  • Lots of trial inside the team
  • Test results to supporters
  • Trial presentations to insiders
  • Multiple methods to communicate

Deliverables Follow-Up Plan
  • What should the org do and how will its success
    be measured?
  • What
  • Word file, project plan
  • Action
  • Preliminary scope, schedule, and budget
  • How
  • Work with appropriate guardians and execs
  • Focus on highest return projects first
  • Give lots of leeway to the formation of the exact
  • Caveat the heck out of your estimates

The Team
  • Audit manager
  • Understands the orgs business
  • Ability to listen
  • Respected
  • Auditors
  • Technology analysts
  • Interviewers
  • SME (Subject Matter Experts)
  • Tool designers
  • Survey construction
  • Data analysis and presentation techniques
  • Consultants
  • Specialist support in the background

Discussion About The Corporation Movie
  • Its a movie about Sustainable Development.
  • The Corporations are Persons
  • Where is applied the Informatic Auditing Process?

  • Forming Teams of 4 persons or less, discuss yours
    professional opinion with a Group Decision
    Techniques for obtaining a unique proposal.
  • This proposal must be discuted with the classroom.

Group Discussion Techniques
  • The process problem solving has three phases
    acording by Mintzberg
  • Identified the problem
  • Development diferente possible solutions
  • Evaluate possible solutions and selected it the
    more adequate
  • Other autors have added two aditional phases
  • Execute the desired solution
  • Evaluate the results of executing this solution.

Group Discussion Techniques
  • For Taking Group Decision exist diferent methodos
    such as
  • Votation (the most voted decission wins),
  • Approved Votation (each member can be to vote for
    more than one option, the most voted option
  • Range Sum (the options has assigned a
    ponderation, when 1 is for the less votation,
    this process is realizaed by each member in
    individual way, wins the options with the most
    puntuaction) y
  • Minimal Desviation (We selected the option with
    the most punctuaction and the minimal

Group Discussion Techniques
  • Nominal Group Technique is a decision making
    method for use among groups of many sizes, who
    want to make their decision quickly, as by a
    vote, but want everyone's opinions taken into
    account (as opposed to traditional voting, where
    only the largest group is considered).
  • First, every member of the group gives their view
    of the solution, with a short explanation. Then,
    duplicate solutions are eliminated from the list
    of all solutions, and the members proceed to rank
    the solutions, 1st, 2nd, 3rd, 4th, and so on.

Group Discussion Techniques
  • The numbers each solution receives are totaled,
    and the solution with the lowest (i.e. most
    favored) total ranking is selected as the final
    decision. There are variations on how this
    technique is used. For example, it can identify
    strengths versus areas in need of development,
    rather than be used as a decision-making voting
    alternative. Also, options do not always have to
    be ranked, but may be evaluated more

Group Discussion Techniques
  • These techniques
  • Brainstorm,
  • Round Table (similar to Brainstorm but each
    member of the Team has a turn for exposing
    his/her ideas),
  • SWOT(Strengths, Weaknesses, Opportunities, and

Group Discussion Techniques
  • The Phillips 66 Method is a group discussion
    technique which is used to help overcome the
    problem of silence in group situations and to
    ensure that everyone gets a chance to contribute
    to the discussion. 
  • The group is divided into sub-groups of six
    participants each.  These groups each spend six
    minutes discussing possible solutions to an
    identified problem, and then report back to the
    larger group with a proposed solution

Group Discussion Techniques
  • The Delphi method is a systematic, interactive
    forecasting method which relies on a panel of
    independent experts.
  • The carefully selected experts answer
    questionnaires in two or more rounds. After each
    round, a facilitator provides an anonymous
    summary of the experts forecasts from the
    previous round as well as the reasons they
    provided for their judgments.

Group Discussion Techniques
  • Thus, experts are encouraged to revise their
    earlier answers in light of the replies of other
    members of their panel.
  • It is believed that during this process the range
    of the answers will decrease and the group will
    converge towards the "correct" answer.

Group Discussion Techniques
  • Finally, the process is stopped after a
    pre-defined stop criterion (e.g. number of
    rounds, achievement of consensus, stability of
    results) and the mean or median scores of the
    final rounds determine the results.

Other IA Methodology
  • Initial review and evaluation of the area to be
    audited, and the audit plan preparation
  • Detailed review and evaluation of controls
  • Compliance testing
  • Analysis and reporting of results

Review of System Documentation
  • The auditor reviews documentation such as
    narrative descriptions, flowcharts, and program
    listings. In desk checking the auditor processes
    test or real data through the program logic.
  • Audit throug the Computer the process of
    reviewing and evaluating the internal controls in
    an electronic data processing system.

Audit with The Computer
  • The utilization of the computer by an auditor to
    perform some audit work that would otherwise have
    to be done manually.

  • Test Data The auditor prepares input containing
    both valid and invalid data. Prior to processing
    the test data, the input is manually processed to
    determine what the output should look like. The
    auditor then compares the computer-processed
    output with the manually processed results.

Test Data
Computer Operations
Prepare Test Transactions And Results
Transaction Test Data
Computer Application System
Manually Processed Results
Computer Output
Auditor Compares
Types of Testing
  • Compliance Testing Auditors perform tests of
    controls to determine that the control policies,
    practices, and procedures established by
    management are functioning as planned. This is
    known as compliance testing.
  • Substantive testing is the direct verification of
    financial statement figures. Examples would
    include reconciling a bank account and confirming
    accounts receivable.

Parallel Simulation
  • The test data process data through real programs.
    With parallel simulation, the auditor processes
    real client data on an audit program similar to
    some aspect of the clients program. The auditor
    compares the results of this processing with the
    results of the processing done by the clients

Parallel Simulation
Computer Operations
Actual Transactions
Computer Application System
Auditors Simulation Program
Auditor Compares
Actual Client Report
Auditor Simulation Report
Audit Software
  • Computer programs that permit computers to be
    used as auditing tools include
  • Generalized audit software (CAATS Computer
    Assistant Audit Tools and Techniques)
  • P.C. Software (support)

  • Extended Records Specific transactions are
    tagged, and the intervening processing steps that
    normally would not be saved are added to the
    extended record, permitting the audit trail to be
    reconstructed for these transactions
  • Snapshot A snapshot is similar to an extended
    record except that the snapshot is a printed
    audit trail

Principles Applied to Information Auditors
  • The Auditor word comes of the greek auditorium
    which means listend
  • Auditor was a person who main fuction was
    listening problems of people in a town and tacke
    back the Taxes and represent the intereses of
    Imperial Country.

Managers and Auditors Responsabilities
  • Support the implementation of, and encourage
    compliance with, appropriate standards,
    procedures and controls for information
    systems.Perform their duties with objectivity,
    due diligence and professional care, in
    accordance with professional standards and best
    practices.Serve in the interest of stakeholders
    in a lawful and honest manner, while maintaining
    high standards of conduct and character, and not
    engage in acts discreditable to the
    profession.Maintain the privacy and
    confidentiality of information obtained in the
    course of their duties unless disclosure is
    required by legal authority. Such information
    shall not be used for personal benefit or
    released to inappropriate parties. Maintain
    competency in their respective fields and agree
    to undertake only those activities, which they
    can reasonably expect to complete with
    professional competence.Inform appropriate
    parties of the results of work performed
    revealing all significant facts known to
    them.Support the professional education of
    stakeholders in enhancing their understanding of
    information systems security and control.

  • Print a License Agreement of Any Sofware
    preferently non-common software

  • Hall, H, Information Auditing, School of
    Computing, Napier University, 2009.
  • Boiko, UW iSchool, Information Audits,, 2009.