Information Technology Audit - PowerPoint PPT presentation (transcript)
Association of Government Accountants, Boston Chapter, 2014 Regional Professional Development Conference, Bentley University

Information Technology Audit
Association of Government Accountants, Boston Chapter
2014 Regional Professional Development Conference
Bentley University, March 13, 2014
With You Today
  • Geoff W. Clarke, CISA, CISSP
  • Manager, KPMG Advisory Services
  • Geoff has been with the firm for seven years and
    is a manager in the KPMG LLP Information
    Technology Advisory Services (ITAS) practice. He
    has over 30 years of business experience in both
    the MIS and IT audit disciplines. Prior to
    joining KPMG, Mr. Clarke worked for several
    Fortune 500 companies where he held MIS and IT
    audit executive positions, including those of
    Global IT Audit Director and CIO of Asia Pacific
    Region MIS. As a CIO, he lived in Singapore and
    had responsibility for sales, manufacturing and
    supply chain MIS development and support of his
    employer's sales, manufacturing and logistical
    operations in Greater China, Australia, Japan and
    S.E. Asia.
  • During his KPMG career, Geoff has provided
    assistance to private and public sector clients
    and has managed MIS projects, IT risk and
    security assessments, IT auditing, SSAE 16
    examinations and IT controls over financial
  • (617) 998 1408

  • IT Auditing: what, who and why
  • IT Control Frameworks and IT General Control
  • IT Audit Challenges

What is IT Auditing?
  • An information systems or technology audit is a
    part of the overall audit process, which is one of
    the facilitators of good organizational governance.
  • While there is no single universal definition of
    IT audit, Prof. Ron Weber (author of Information
    Systems Control and Audit) defined it as "the
    process of collecting and evaluating evidence to
    determine whether a computer system (information
    system) safeguards assets, maintains data
    integrity, achieves organizational goals
    effectively and consumes resources efficiently."

Internal and External IT Audit: Some Differences
  • Internal audit: The internal auditor is most often
    an employee of the organization.
    External audit: The external auditor is an external
    contractor and not an employee of the organization.
  • Internal audit: Seeks to advise management on
    whether its major operations have sound systems of
    risk management and internal controls.
    External audit: Seeks to test the underlying
    transactions that form the basis of the financial
    statements.
  • Internal audit: The IT auditor supports the goals
    of the enterprise and, being part of Internal
    Audit, reports to the audit committee.
    External audit: The external IT auditor supports
    the external financial audit by providing insight
    into the reliance that can be placed on automated
    financial systems, through testing of IT general
    controls and, when requested, IT automated
    controls.
  • Internal audit: Forms an opinion on the adequacy
    and effectiveness of systems of risk management
    and internal control, many of which fall outside
    the main accounting systems.
    External audit: The external auditor (including
    the supporting IT audit process) seeks to provide
    an opinion on whether the accounts show a true and
    fair view.
  • Internal audit: Besides addressing risk, internal
    audit groups play a key role in identifying
    opportunities to improve operating efficiency in
    an organization.
    External audit: External auditors may comment on
    potential efficiencies, but this is generally not
    a primary focus of their activity.
  • Internal audit: Most often time independent, with
    a goal of being forward looking, leading to control
    improvement.
    External audit: Backward looking, and most often
    focused on the operation of controls during past
    financial periods.
The IT Auditor
  • Plans and participates in a broad internal
    auditing program, and in particular in audits of
    an entity's information technology functions, to
    assure adherence to established entity policies
    and procedures and to offer constructive analysis
    and appraisal of the entity's IT operations, its
    technology policies and procedures, and its
    systems of internal control.

  • ISACA is an international professional
    association focused on IT governance.
  • It is an affiliate member of the International
    Federation of Accountants (IFAC).
  • Previously known as the Information Systems Audit
    and Control Association, ISACA now goes by its
    acronym only, to reflect the broad range of IT
    governance professionals it serves.
  • ISACA was informally established in the US in
    1967 and incorporated formally in 1969 as the
    Electronic Data Processing (EDP) Auditors
  • ISACA currently has over 110,000 constituents in
    200 chapters located in more than 180 countries.
  • ISACA awards the Certified Information Systems
    Auditor (CISA) certification following a
    successful examination result and 5 years of
    appropriate and verifiable work experience.
  • Other ISACA certifications related to IT
    governance include Certified Information
    Security Manager (CISM), Certified in the
    Governance of Enterprise IT (CGEIT), and
    Certified in Risk and Information Systems Control

IT Audit as a Career
  • A number of schools now offer undergraduate
    degrees in Information Technology Auditing,
    including Bentley University
  • There is a shortfall of trained and experienced
    IT auditors
  • IT Auditors can come from both IT and
    business/accounting backgrounds

Impact of Information and Information Technology
  • Information is a key resource for all
    enterprises. In some cases, it is all they
  • Enterprises constantly collect or create
    information, use it, store it, share it and
    eventually destroy it.
  • Information Technology (IT) is a key enabler of
    the above.
  • IT is pervasive and ubiquitous in all areas of
    public and private enterprise, and personal life.
  • IT has the potential to dramatically change
    organizational and business operating models,
    create new opportunities and reduce costs.
  • High dependency on information requires that it
    be safeguarded from unauthorized access or
    misappropriation, have integrity and be made
    available when required.
  • Information value brings with it increased
    internal and external risks and threats of loss
    or compromise.
  • Increasing information risks and threats bring
    with it new statutory requirements specific to
    the management of information technology
  • The recognition that while it is human to err,
    it requires a computer to really screw up.

The role of IT in Enterprise operations
  • IT is a key enabler in supporting what
    organizations most want:
  • to accomplish positive business outcomes
    • Achieving business goals
    • Meeting corporate governance responsibilities
      and legal requirements
    • Administering and managing business activity
      efficiently and cost effectively
  • to minimize business risk and avoid issues and
    • Business
    • Operational
    • IT
    • Statutory and legal

Examples of IT Objectives to be achieved and
Risks to be mitigated
  • IT Objectives
    • Efficient and successful operations
    • Data integrity
    • Protected systems
    • Safeguarded assets
    • Data and system availability
    • Positive ROI
    • Competitive advantage
    • Enhanced reputation
    • Statutory compliance
  • IT Risks
    • Information loss (accidental or malicious)
    • Financial reporting errors
    • Loss of confidence in data and/or system integrity
    • Computer fraud
    • System failure and downtime
    • Increased cost of operation
    • Inaccurate data leading to poor business decisions
    • Reputational loss
    • Compliance failure

Management's Requirements from its IT Organization
  • Governance and Risk Management
  • Security and Confidentiality
  • Availability
  • Integrity
  • Efficiency and Effectiveness
  • Compliance
  • Managed cost and ROI

Management's Objective
  • What it wants
    • Effectiveness
    • Efficiency
    • Confidentiality
    • Integrity
    • Availability
    • Compliance
    • Reliability
  • What it has
    • Applications
    • Data
    • Infrastructure
    • People

The role of IT Audit
  • To help meet Management's objective, IT systems
    and processing environments need to be
    appropriately managed, controlled and
    periodically assessed to ensure that:
  • Organizational objectives that are dependent on
    IT are achieved
  • Systems and applications function as expected
  • Data and systems have integrity and are reliable
  • Adequate safeguards are in place to protect data,
    information and other IT resources from
    unauthorized access, disclosure or
  • Systems, applications and their information
    assets are kept available for authorized persons
  • Federal, state and other statutory regulations
    are complied with

IT Controls: Achieving Objectives and Avoiding
  • To avoid risks, threats and exposures
  • To achieve business objectives
Control (as defined by COBIT): "The policies,
procedures, practices and organizational
structures designed to provide reasonable
assurance that business objectives will be
achieved and that undesired events will be
prevented or detected and corrected." (Source:
COBIT Control Objectives.)
Characteristics of Good Internal Control
  • Well-defined operational control objectives
  • Appropriate supporting controls
  • Risk assessment and risk management
  • Policies, standards, defined expectations
  • Documentation
  • Competent and trustworthy people
  • Monitoring, measurement and evaluation

COBIT framework as a model for Enterprise IT
  • COBIT: Control Objectives for Information and
    Related Technology
  • IT Audit's COSO cousin
  • First issued in 1996; COBIT 5, published in 2012,
    was the latest iteration at the time of this
    presentation. Developed and maintained by ISACA
    and the IT Governance Institute (ITGI).
  • An authoritative, up-to-date, international set of
    generally accepted IT control objectives and
    control practices for day-to-day use by business
    managers, IT organizations and auditors.
  • The framework supports governance of IT by
    defining and aligning business goals with IT
    goals and IT processes. The COBIT components:
  • Framework: organizes IT governance objectives and
    good practices by IT domains and processes, and
    links them to business requirements
  • Process descriptions: a reference process model
    and common language for everyone in an
    organization. The processes map to responsibility
    areas of plan, build, run and monitor.
  • Control objectives: provide a complete set of
    high-level requirements to be considered by
    management for effective control of each IT
  • Management guidelines: help assign
    responsibility, agree on objectives, measure
    performance, and illustrate interrelationships
    with other processes
  • Maturity models: assess maturity and capability
    per process and help to address gaps.

COBIT: Intended to be all things to all people
  • Business Management and User Community
  • IT Management and IT Organizations
  • IT Auditors
  • The Enterprise

Other IT Control Frameworks
  • Information Technology Infrastructure Library (ITIL)
  • Code of Practice for Information Security
    Management (UK DTI, the origin of BS 7799)
  • NIST Computer Security Handbook (SP 800-12)
  • Federal Information Processing Standards (FIPS)
  • International Organization for Standardization
    (ISO) 27001/27002

IT Auditor Areas of Interest
  • Business Information Characteristics and
    Information Management
  • IT Resources and Resource Management
  • IT Processes and Process Management

Information Characteristics
  • Effective: information should be relevant and
    pertinent to the business process as well as being
    delivered in a timely, correct, consistent, usable
    and complete manner
  • Efficient: provision of information through the
    optimal (most productive and economical) use of
    resources
  • Confidential: protection of sensitive information
    from unauthorized disclosure
  • Integrity: relates to the accuracy and completeness
    of information as well as its validity in
    accordance with business values and expectations
  • Available: requires that information be available
    when required by the business process now and in
    the
  • Compliant: compliance with those laws, regulations
    and contractual arrangements to which the business
    process is subject, i.e., externally imposed
    statutory or business criteria
  • Reliable: the provision of appropriate and accurate
    information to management to operate the entity
    and exercise its fiduciary and governance

IT Resources and Resource Management
  • IT resources need to be managed in order to
    provide organizations with the type and quality of
    information required to achieve organizational
    objectives. Resources comprise:
  • Application Systems: the automated user systems
    and associated manual procedures that process the
    information. They can be in-house or externally
    hosted (e.g. Software-as-a-Service applications).
  • Information: data in all its forms that, when
    compiled, has intelligence and meaning.
  • Infrastructure and Facilities: the technology
    (hardware, operating systems, database management
    systems, networking, multimedia, etc.), and the
    facilities that house and support it, that enable
    the processing of data through the applications.
  • People: the personnel required to plan, organize,
    acquire, implement, deliver, support, monitor and
    evaluate the information systems and services.
    They may be internal, contracted or totally
    outsourced as necessary.

Information Processes and Process Management
  • Domains: a natural grouping of processes, often
    matching an organizational domain of responsibility
  • Processes: a series of joined tasks and activities
    with natural (control) breaks
  • Activities and tasks: actions needed to achieve a
    measurable result. Activities have a life-cycle
    whereas tasks are
Information Processes and Key General IT
Control Domains
  • Domain 1: IT Management, Planning, Organization
    and Risk Management
  • Domain 2: Technical Infrastructure and IT
    Operational Practices
  • Domain 3: Protection of Information Assets
  • Domain 4: Disaster Recovery and Business
    Continuity
  • Domain 5: Business Application Systems
    Development, Acquisition, Implementation and
    Maintenance

Domain 1: IT Management, Planning, Organization
and Risk Management
IT Auditor Tasks, e.g.
Conduct an enterprise risk assessment to determine key risk areas for discussion with management, and use it to develop an appropriate IT audit plan.
Evaluate the organization's IT strategy and the processes for its development, deployment and maintenance, to ensure that it supports the organization's business objectives.
Evaluate the IT organization's implementation of risk management and governance.
Evaluate IT organization and structure (e.g. roles and responsibilities, segregation of duties (SoD)) to ensure appropriate, adequate and controlled support of the organization's business requirements.
Evaluate the IT policies, standards and procedures (e.g. risk management, change management, project management, security policies) and the processes for their development, deployment and maintenance.
Evaluate IT management practices (e.g. staffing practices, training, information security management, certifications) to ensure compliance with IT policies, standards and procedures.
Evaluate the selection and management of third-party services to ensure that they support the organization's IT strategy.
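As an added example (not from the presentation), the segregation-of-duties evaluation in the Domain 1 tasks above can be run as an analytic over an access extract rather than by eyeballing role lists. The script below expands each user's roles to effective entitlements, tests them against a conflict matrix, and separately flags roles whose own design is conflicting. The entitlement names, conflict rules, roles and users are all constructed for this illustration.

```python
"""
Segregation-of-duties (SoD) conflict check over a user/role extract.
Added illustration, not part of the presentation. The entitlement
names, conflict rules, roles and users below are all constructed
for this example.
"""

# Entitlement pairs that one person should not hold together.
# Constructed; in practice the matrix comes from process owners and
# the auditor's risk assessment.
SOD_RULES = {
    ("vendor.create", "payment.approve"),
    ("journal.post", "journal.approve"),
    ("user.admin", "payment.approve"),
}

# Constructed access extract: role -> entitlements, user -> roles.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"payment.approve"},
    "AP_ALL": {"vendor.create", "invoice.enter", "payment.approve"},
    "GL_ACCOUNTANT": {"journal.post"},
    "GL_SUPERVISOR": {"journal.approve"},
    "SYSADMIN": {"user.admin"},
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},      # conflict split across two roles
    "carol": {"GL_ACCOUNTANT", "GL_SUPERVISOR"},
    "dave": {"SYSADMIN"},
    "erin": {"SYSADMIN", "AP_MANAGER"},     # admin who can also approve payments
    "fran": {"AP_ALL"},                     # conflict inside a single role
}


def _normalise(rules):
    """Order each pair so (a, b) and (b, a) compare equal."""
    return sorted(tuple(sorted(pair)) for pair in rules)


def effective_entitlements(user, user_roles, role_entitlements):
    """Union of entitlements granted through every role the user holds."""
    ents = set()
    for role in user_roles.get(user, ()):
        ents |= role_entitlements.get(role, set())
    return ents


def sod_conflicts(user_roles, role_entitlements, rules):
    """Map each user to the conflicting entitlement pairs they hold.
    Conflicts are evaluated on effective (role-expanded) access, so a
    pair split across two roles is caught as well as one inside a role."""
    pairs = _normalise(rules)
    findings = {}
    for user in sorted(user_roles):
        ents = effective_entitlements(user, user_roles, role_entitlements)
        hits = [p for p in pairs if set(p) <= ents]
        if hits:
            findings[user] = hits
    return findings


def conflicting_roles(role_entitlements, rules):
    """Roles whose own design violates a rule: a finding against the
    role model, not against any individual user."""
    pairs = _normalise(rules)
    return {
        role: [p for p in pairs if set(p) <= ents]
        for role, ents in sorted(role_entitlements.items())
        if any(set(p) <= ents for p in pairs)
    }


if __name__ == "__main__":
    for user, hits in sod_conflicts(USER_ROLES, ROLE_ENTITLEMENTS, SOD_RULES).items():
        print(f"{user}: {hits}")
    print("conflicting roles:", conflicting_roles(ROLE_ENTITLEMENTS, SOD_RULES))
```

Checking the role model separately matters in practice: a user-level finding against fran is remediated by removing the user, while the AP_ALL finding means every future holder of that role will conflict until the role itself is split.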
Domain 2: Technical Infrastructure and IT
Operational Practices
IT Auditor Tasks, e.g.
Evaluate the acquisition, installation and maintenance of hardware, system software and utilities (e.g. operating systems, database management systems, security packages) and network infrastructure components (e.g. voice and data communications, Internet, extranet) to ensure that they efficiently support the organization's IT processing and business requirements and are compatible with the organization's strategies.
Evaluate the use of system performance and monitoring processes, tools and techniques (e.g. capacity planning, problem management, system management) to ensure that computer systems continue to meet the organization's business objectives.
Evaluate IT operational practices (e.g. help desk, user support functions, computer operations, scheduling, data transmission) to ensure efficient and effective utilization of the technical resources used to support the organization's IT processing and business requirements.
Domain 3: Protection of Information Assets
IT Auditor Tasks, e.g.
Evaluate the design and implementation of an information security organization and associated practices to ensure that it is effective and capable of protecting and safeguarding the organization's information assets.
Evaluate the design, implementation and monitoring of physical access controls to ensure the level of protection for assets and facilities is sufficient to meet the organization's business objectives.
Evaluate the design, implementation and monitoring of environmental controls (e.g. HVAC, smoke/heat/water detectors, fire suppression, uninterruptible power supply (UPS), backup generator) to prevent and/or minimize potential losses.
Evaluate network infrastructure security to ensure integrity, confidentiality, availability and authorized use of the network and the information transmitted.
Evaluate the design, implementation and monitoring of logical access controls to ensure the integrity, confidentiality and availability of information assets (e.g. programs and data).
Evaluate IT's safeguards over sensitive data at rest, during transmission and in transport, including the copying and storage of data offsite.
Evaluate the enterprise's security posture and safeguards against external information threats such as social engineering and phishing.
Domain 4: Disaster Recovery and Business Continuity
IT Auditor Tasks, e.g.
Evaluate the adequacy of backup and recovery provisions to ensure the resumption of normal information processing in the event of a short-term disruption and/or the need to rerun or restart a process.
Evaluate the organization's ability to continue to provide information system processing capabilities in the event that the primary information processing facilities are not available (e.g. disaster recovery).
Evaluate the organization's ability to ensure business continuity in the event of a business disruption.
Domain 5: Business Solution Systems Development,
Acquisition, Implementation and Maintenance
IT Auditor Tasks, e.g.
Evaluate the processes by which business solutions are developed and implemented to ensure that they contribute to the attainment of the organization's business objectives.
Evaluate the processes by which business solutions are acquired and implemented to ensure that they contribute to the attainment of the organization's business objectives.
Evaluate the processes by which business solutions are maintained to ensure the continued support of the organization's business objectives.
Evaluate the enterprise policies, standards and procedures related to the acquisition, management and monitoring of third-party outsourced or hosted key applications, e.g. SaaS solutions.
Evaluate the processes by which system software and utilities are maintained to ensure the continued support of the organization's business objectives.
What comprises a traditional IT audit?
  • The major elements of IT audit as defined by
    ISACA and laid out in COBIT can be broadly
  • Physical and environmental review: This includes
    physical security, power supply, air
    conditioning, humidity control and other
    environmental factors.
  • System administration review: This includes a
    security review of the operating systems,
    database management systems, all system
    administration procedures and compliance.
  • Application software review: The business
    application could be payroll, invoicing, a
    web-based customer order processing system or an
    enterprise resource planning system that actually
    runs the business. Review of such application
    software includes access control and
    authorizations, validations, error and exception
    handling, business process flows within the
    application software and complementary manual
    controls and procedures. Additionally, a review
    of the system development lifecycle should be
  • Network security review: Review of internal and
    external connections to the system, perimeter
    security, firewall review, router access control
    lists, port scanning and intrusion detection are
    some typical areas of coverage.
  • Business continuity review: This includes the
    existence and maintenance of fault-tolerant and
    redundant hardware, backup procedures and
    storage, and a documented and tested disaster
    recovery/business continuity plan.
  • Data integrity review: The purpose of this is
    scrutiny of live data to verify the adequacy of
    controls and the impact of weaknesses noticed in
    any of the above reviews. Such substantive
    testing can be done using generalized audit
    software (e.g., computer-assisted audit
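As an added example (not from the presentation), the data integrity review above is what a generalized audit software run actually does: re-perform control tests across the whole population of live data instead of sampling. The script below does that over a constructed accounts-payable extract, looking for possible duplicate payments, gaps in the check sequence, unapproved payments over an approval limit and weekend postings, and it routes rows that fail validation to an exception list rather than silently dropping them from the population (a common way a test quietly loses coverage). The CSV, vendor IDs, column names, approval limit and duplicate window are assumptions made for this illustration.

```python
"""
Substantive data-integrity tests of the kind a generalized audit
software / CAAT run performs, over a constructed accounts-payable
extract. Added illustration, not part of the presentation. The CSV,
vendor IDs, thresholds and column names are assumptions for this example.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal, InvalidOperation

# Constructed payment extract (not real data). 1004 is missing from the
# check sequence, 1005 is unapproved and over the limit, 1006 is posted
# on a Saturday, 1008 has a malformed (empty) amount.
PAYMENTS_CSV = """check_no,date,vendor_id,amount,approver
1001,2014-03-03,V100,1250.00,mgr1
1002,2014-03-03,V101,99.99,mgr1
1003,2014-03-04,V100,1250.00,mgr2
1005,2014-03-05,V102,15000.00,
1006,2014-03-08,V103,420.00,mgr1
1007,2014-03-12,V101,99.99,mgr1
1008,2014-03-10,V104,,mgr1
"""

APPROVAL_LIMIT = Decimal("10000.00")  # assumed policy threshold


def load_payments(text):
    """Parse the extract. Rows that fail validation go to `exceptions`
    so the auditor can see what fell out of the tested population."""
    rows, exceptions = [], []
    for raw in csv.DictReader(io.StringIO(text)):
        try:
            rows.append({
                "check_no": int(raw["check_no"]),
                "date": date.fromisoformat(raw["date"]),
                "vendor_id": raw["vendor_id"],
                "amount": Decimal(raw["amount"]),
                "approver": raw["approver"].strip() or None,
            })
        except (ValueError, InvalidOperation, KeyError) as exc:
            exceptions.append((raw.get("check_no"), f"{type(exc).__name__}: {exc}"))
    return rows, exceptions


def sequence_gaps(rows):
    """Check numbers missing between the lowest and highest seen."""
    nums = {r["check_no"] for r in rows}
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]


def possible_duplicates(rows, window_days=7):
    """Same vendor and same amount paid within `window_days` of each other."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["vendor_id"], r["amount"])].append(r)
    hits = []
    for (vendor, amount), group in sorted(by_key.items()):
        group.sort(key=lambda r: r["date"])
        for earlier, later in zip(group, group[1:]):
            if later["date"] - earlier["date"] <= timedelta(days=window_days):
                hits.append((vendor, amount, [earlier["check_no"], later["check_no"]]))
    return hits


def unapproved_over_limit(rows, limit=APPROVAL_LIMIT):
    """Payments above the approval limit with no recorded approver."""
    return [r["check_no"] for r in rows if r["amount"] > limit and r["approver"] is None]


def weekend_postings(rows):
    """Payments dated on a Saturday (5) or Sunday (6)."""
    return [r["check_no"] for r in rows if r["date"].weekday() >= 5]


def run_tests(text=PAYMENTS_CSV):
    rows, exceptions = load_payments(text)
    return {
        "population": len(rows),
        "parse_exceptions": exceptions,
        "sequence_gaps": sequence_gaps(rows),
        "possible_duplicates": possible_duplicates(rows),
        "unapproved_over_limit": unapproved_over_limit(rows),
        "weekend_postings": weekend_postings(rows),
    }


if __name__ == "__main__":
    for name, result in run_tests().items():
        print(f"{name}: {result}")
```

Each hit is a lead, not a finding: the V100 pair may be a legitimate second invoice, and the weekend posting may be a scheduled batch. The value of the run is that it covers 100% of the population and reports its own exceptions, so the auditor knows exactly which records were and were not tested.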

IT Audit Challenges
  • Inaccessible and untouchable computer solutions:
    cloud-based systems
  • Involvement at inception
  • Business owned and driven
  • Reliance on third-party service auditor reports
  • Year-to-year oversight
  • Remaining relevant
  • Effective vendor evaluations, e.g. FedRAMP
  • Statutory compliance demands
  • Data lifecycle management
  • Keeping ahead of the curve: understanding new
    technologies, solutions and their risks
  • End-user computing: the ubiquitous mobile device
    and its vulnerabilities
  • Acquiring and retaining qualified staff