Title: ?????????????????????? (Standards for The Professional Practice of Internal Auditing of The Institute of Internal Auditors)
1??????????????????????????????????????? ??????
?????????????????? (IT Audit) ???
????????????????????????? ????????????????????
?????????????
2????????????????
- ???????????????
- ?????????????????????? IT Audit
- ???????????? Case Study
- ???????????? Workshop
3??????????????? ???
- ????????????????
- ???????????
- ???????????
- ???????????????
????????????
????????????
- ???????
- ??????????
- ?????????
- ????????????
???????
4 FINANCIAL VS. COMPLIANCE VS. OPERATIONAL AND IT AUDITING
- Financial: attest to the fairness of financial statements
- Compliance: determine the adherence to policies, procedures, laws, and regulations
- Operational: evaluate and improve the effectiveness, efficiency, and economy of operations
- IT: evaluate an auditee's computerized information system (CIS) in order to ascertain whether the CIS produces timely, accurate, complete and reliable information outputs
5 IT Standard Comparison
                     Internal Audit   IT Audit   InfoSec. Audit      System Sec. Audit
Audit scope          Enterprise       IT         IS Security         System Specific
Audit framework      COSO             COBIT      ISO27001            NIST, NSA IAM, OSSTMM
Audit objective      GRC              CIA        Sec. Gover.         System Security
Professional cert.   CIA              CISA       CISSP, IRCA ISMS    NSA IAM, OPST, OPSA, CEH, SSCP, CSSLP
6 IT audit is
- IT audit is "the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently." (ASOSAI; Weber, R., Information Systems Control and Audit, 1999)
7 Need for IT Audit
- Confidentiality: concerns the protection of sensitive information from unauthorized disclosure
- Integrity: the accuracy and completeness of information, as well as its validity in accordance with business values and expectations
- Availability: relates to information being available when required by the business process, now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities
- Reliability: the degree of consistency of a system, or the ability of a system to perform its required function under stated conditions
- Compliance: with legal and regulatory requirements
- With ensure IT and the controls supporting technology
- ASOSAI; Weber, R., Information Systems Control and Audit, 1999
8???????????????????????
- 1. ??????????????? (General Controls)
- 2. ???????????????? (Application Controls)
General Controls
Application Controls
Application Controls
Application Controls
Application Controls
Specific Controls
Specific Controls
9??????????????? (General Control)
- ??????????????? ?????????????????????????
- ??????????????????????????????????????????????????
?? - ??????????????????????
- ?????????????????????????????????????????????
- ?????????????????????????????????
- ???????????????????????
- ?????????????????????????????????
- ?????????????????????????
10??????????????? (General Control)
- 1. ??????????????? ?????????????????????????
- - ?????????????????????????
- - ?????????????????????????? (Social Network)
- - ???
11??????????????? (General Control)
- 2. ????????????????????????????????????????????
- ????????
- ???????????????? (System Analysis)
- ??????????????? (Programming)
- ???????????????????????? (Computer Operation)
- ??? Master Data Maintenance
- ????????????????? (System Library)
- ??????????????? (Data Control)
12??????????????? (General Control)
- 3. ??????????????????????
- - ????????????????????????
- - ?????????????????????????? ??????????
- - ????????????????????
- - ??????????????
- - ??????????????????????????????????????????
????????
13??????????????? (General Control)
- 4. ?????????????????????????????????????????????
- ??????????????????? SDLC
- - ?????????? ????? ???????????????????????
- - ?????????? ?????????????????????????
- - ?????????????????????????????? (?????????
????????????? ?????????? - - ????????????????????????
- - ????????????????????
- - ???????????????????????????????
- - ?????????????????????????????????
- - ???????????????????????????????????????????????
??? - - ???????????????????????????????????????
?????????????????????????? - - ??????????????????????????????????????????????
- - ???????????????????????????????????????????????
????????????
14??????????????? (General Control)
- 5. ?????????????????????????????????
- - ?????????????????????????????
- - ??????????????????????????
- 6. ???????????????????????
- - ?????????????????????????? (Authentication)
- - ????????????????????????????? (Authorization)
- - ???????????????????????????????????????
- (Transaction Audit log)
15??????????????? (General Control)
- 7. ?????????????????????????????????
- - ?????????????????????????????????
- - ????????????????????????
- - ????????????
- - ???????????????? ????????????????????????
- - ?????????????????????
16??????????????? (General Control)
- 8. ?????????????????????????
- ?????????????????????????????????????????????????
????????????? - - ????????????
- - ?????????
- - ??????????????????????????????????
- - ??????????????????????
17 ???????????????? Application Controls
- ???????????????????????? (Input Control): Batch vs. Online
- ???????????????????? (Process Control)
- ?????????????????????? (Output Control)
- ??????????????????????????????????
18 ???????????????? Application Controls
- ???????????????????????? (Input Control) 1.1 Batch Input Controls
  - Financial totals
  - Record counts
  - Hash totals
19 ???????????????? Application Controls
- ???????????????????????? (Input Control) 1.2 Online Input Controls
  - Pre-formatting ?????????????????????????????????? ???
  - Field checks ????????????????????????????????? ??? Key ???? ??????????????????????????????? ?????
  - Validity checks ????????????????????????????? ??????????? ????????????????????????????????????? ????????????????
  - Limit or range checks ???????????????????????? ??????????? - ???????????????????????
  - Self-checking digit ?????????????????????????? ????? - ???????????????????????????????????????????????? ???????????
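The online input controls listed above (field checks, validity checks, limit or range checks and a self-checking digit), worked as an added example that is not part of the original slides. The transaction code table, the amount limit, the 8-digit account format and the choice of the mod-10 (Luhn) scheme for the check digit are assumptions made for the example; the slide does not name a scheme.

```python
import re
from datetime import date
from decimal import Decimal, InvalidOperation

VALID_TX_CODES = {"DEP", "WDR", "TRF"}    # constructed validity table of transaction codes
AMOUNT_LIMIT = Decimal("50000.00")        # constructed single-transaction limit

def luhn_check_digit_ok(number: str) -> bool:
    """Self-checking digit: the mod-10 (Luhn) scheme is assumed here, the slide names none.
    It detects every single-digit keying error and most adjacent-digit transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_entry(entry: dict) -> list:
    """Apply field, validity, limit/range and check-digit controls to one online entry.
    Returns the failed controls; an empty list means the entry may be accepted."""
    failures = []
    acct = entry.get("account", "")
    if not re.fullmatch(r"\d{8}", acct):              # field check: exactly 8 numeric characters
        failures.append("field:account")
    elif not luhn_check_digit_ok(acct):               # self-checking digit on the account number
        failures.append("checkdigit:account")
    if entry.get("tx_code") not in VALID_TX_CODES:    # validity check against a code table
        failures.append("validity:tx_code")
    try:
        amount = Decimal(entry.get("amount", ""))
    except InvalidOperation:
        failures.append("field:amount")               # field check: not a number at all
    else:
        if not amount.is_finite() or not (Decimal("0.01") <= amount <= AMOUNT_LIMIT):
            failures.append("range:amount")           # limit or range check
    try:
        date.fromisoformat(entry.get("value_date", ""))  # field check: a real calendar date
    except ValueError:
        failures.append("field:value_date")
    return failures

# Constructed entries (not real data): 12345674 carries a valid Luhn check digit.
GOOD = {"account": "12345674", "tx_code": "DEP", "amount": "1250.00", "value_date": "2024-02-29"}
BAD = {"account": "12345647", "tx_code": "DPE", "amount": "75000.00", "value_date": "2024-02-30"}

if __name__ == "__main__":
    print(validate_entry(GOOD))   # accepted
    print(validate_entry(BAD))    # transposed digits, unknown code, over limit, impossible date
```

Each control is reported separately so the operator sees every keying error at once rather than the first one only.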
20 ???????????????? Application Controls
- 2. ????????????????????
  - ????????????????????????????????????? (Users Review)
  - Cross-footing
  - A zero-balance check
  - Run-to-run control totals
  - Concurrency controls
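The batch input controls of slide 18 (financial totals, record counts, hash totals) and the run-to-run control totals of slide 20, worked as an added example that is not part of the original slides. The record layout, the batch data and the choice of the account number as the field summed for the hash total are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Record:
    account: int      # non-financial numeric field, summed for the hash total
    amount: Decimal   # financial field, summed for the financial total

@dataclass(frozen=True)
class BatchHeader:
    record_count: int
    financial_total: Decimal
    hash_total: int

def compute_controls(records):
    """Recompute the three batch input controls from the detail records."""
    return BatchHeader(
        record_count=len(records),
        financial_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(r.account for r in records),
    )

def reconcile(header, records):
    """Return the controls that disagree with the header (empty list: batch reconciles).
    Run on the input file this is the batch input control; run again on the output of
    each processing step against the same header it is the run-to-run control total."""
    actual = compute_controls(records)
    mismatches = []
    if actual.record_count != header.record_count:
        mismatches.append("record_count")
    if actual.financial_total != header.financial_total:
        mismatches.append("financial_total")
    if actual.hash_total != header.hash_total:
        mismatches.append("hash_total")
    return mismatches

# Constructed sample batch (not real data); the header is what the originating
# department computes before handing the batch over for processing.
BATCH = [Record(101234, Decimal("250.00")),
         Record(101243, Decimal("75.50")),
         Record(102001, Decimal("1200.00"))]
HEADER = compute_controls(BATCH)   # 3 records, 1525.50, hash total 304478

if __name__ == "__main__":
    print(reconcile(HEADER, BATCH))         # clean batch
    print(reconcile(HEADER, BATCH[:2]))     # last record lost in transfer: all three controls fire
    transposed = BATCH[:2] + [Record(102010, Decimal("1200.00"))]
    print(reconcile(HEADER, transposed))    # digits transposed in an account: only the hash total catches it
    altered = [BATCH[0], Record(101243, Decimal("57.50")), BATCH[2]]
    print(reconcile(HEADER, altered))       # amount keyed wrongly: only the financial total catches it
```

Note that swapping the amounts of two records leaves all three totals unchanged, which is why these totals are paired with the online field-level checks rather than relied on alone.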
21 ???????????????? Application Controls
- 3. ??????????????????????
  - ???????????????????????????????????????????? ?????????????? (Users review)
  - ?????????????????????????????????????????????
  - ??????????????????????????????????????????????? ????????????????????
  - ???????????????????????????????????
  - ???????????????????????
22?????????
???????????????????????
?????? ?????
?????????????????????
???????????? ??????????????????
- ??????????????????????????????
- ????????????????????????? ????????????????
- ??????????????????????????????????????
????????????????????
???????????????????
??????????????????????
??????????????? ???????????????????????
?????????????????????????? ???????????????????
?????????????????????? ???
?????????????
????????????????????
??????????? ????????
????????? ???????????????
???????????
24???????????? Case Study
25???????????? Workshop
26???????????????
27 ??????
????????????????????????????????????? ???????????
????????? ?????????????????????????. 02 223 2221 ???? 02 221 2141 ??? 1372
http://office.bangkok.go.th/iaud
E-Mail: auditbangkok_at_yahoo.com