?????????????????????? (Standards for The Professional Practice of Internal Auditing of The Institute of Internal Auditor) - PowerPoint PPT Presentation

Slides: 27
Provided by: mast122
Transcript and Presenter's Notes



1
??????????????????????????????????????? ??????
?????????????????? (IT Audit) ???
????????????????????????? ????????????????????
?????????????
2
????????????????
  • ???????????????
  • ?????????????????????? IT Audit
  • ???????????? Case Study
  • ???????????? Workshop

3
??????????????? ???
  • ?????
  • ??????????
  • ????????????????
  • ???????????
  • ???????????
  • ???????????????

????????????
????????????
  • ???????
  • ??????????
  • ?????????
  • ????????????

???????
4
FINANCIAL VS. COMPLIANCE VS. OPERATIONAL AND IT AUDITING
  • Financial: Attest to the fairness of financial statements
  • Compliance: Determine adherence to policies, procedures, laws, and regulations
  • Operational: Evaluate and improve the effectiveness, efficiency, and economy of operations
  • IT: Evaluate an auditee's computerized information system (CIS) in order to ascertain whether the CIS produces timely, accurate, complete and reliable information outputs

5
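IT Standard Comparison

|                    | Internal Audit | IT Audit | InfoSec. Audit   | System Sec. Audit                        |
|--------------------|----------------|----------|------------------|------------------------------------------|
| Audit scope        | Enterprise     | IT       | IS Security      | System Specific                          |
| Audit framework    | COSO           | COBIT    | ISO27001         | NIST, NSA IAM, OSSTMM                    |
| Audit Objective    | GRC            | CIA      | Sec. Gover.      | System Security                          |
| Professional Cert. | CIA            | CISA     | CISSP, IRCA ISMS | NSA IAM, OPST, OPSA, CEH, SSCP, CSSLP    |
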
6
IT audit is
  • IT audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively, and use resources efficiently
  • ASOSAI-Weber, R., Information Systems Control and Audit, 1999

7
Need for IT Audit
  • Confidentiality: concerns the protection of sensitive information from unauthorized disclosure
  • Integrity: the accuracy and completeness of information as well as its validity in accordance with business values and expectations
  • Availability: relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities
  • Reliability: the degree of consistency of a system or the ability of a system to perform its required function under stated conditions
  • Compliance with legal and regulatory requirements
  • With ensure IT and the controls supporting
    technology
  • ASOSAI-Weber, R., Information Systems Control and
    Audit, 1999

8
???????????????????????
  • 1. ??????????????? (General Controls)
  • 2. ???????????????? (Application Controls)

General Controls
Application Controls
Application Controls
Application Controls
Application Controls
Specific Controls
Specific Controls
9
??????????????? (General Control)
  1. ??????????????? ?????????????????????????
  2. ??????????????????????????????????????????????????
    ??
  3. ??????????????????????
  4. ?????????????????????????????????????????????
  5. ?????????????????????????????????
  6. ???????????????????????
  7. ?????????????????????????????????
  8. ?????????????????????????

10
??????????????? (General Control)
  • 1. ??????????????? ?????????????????????????
  • - ?????????????????????????
  • - ?????????????????????????? (Social Network)
  • - ???

11
??????????????? (General Control)
  • 2. ????????????????????????????????????????????
  • ????????
  • ???????????????? (System Analysis)
  • ??????????????? (Programming)
  • ???????????????????????? (Computer Operation)
  • ??? Master Data Maintenance
  • ????????????????? (System Library)
  • ??????????????? (Data Control)

12
??????????????? (General Control)
  • 3. ??????????????????????
  • - ????????????????????????
  • - ?????????????????????????? ??????????
  • - ????????????????????
  • - ??????????????
  • - ??????????????????????????????????????????
    ????????

13
??????????????? (General Control)
  • 4. ?????????????????????????????????????????????
  • ??????????????????? SDLC
  • - ?????????? ????? ???????????????????????
  • - ?????????? ?????????????????????????
  • - ?????????????????????????????? (?????????
    ????????????? ??????????
  • - ????????????????????????
  • - ????????????????????
  • - ???????????????????????????????
  • - ?????????????????????????????????
  • - ???????????????????????????????????????????????
    ???
  • - ???????????????????????????????????????
    ??????????????????????????
  • - ??????????????????????????????????????????????
  • - ???????????????????????????????????????????????
    ????????????

14
??????????????? (General Control)
  • 5. ?????????????????????????????????
  • - ?????????????????????????????
  • - ??????????????????????????
  • 6. ???????????????????????
  • - ?????????????????????????? (Authentication)
  • - ????????????????????????????? (Authorization)
  • - ???????????????????????????????????????
  • (Transaction Audit log)

15
??????????????? (General Control)
  • 7. ?????????????????????????????????
  • - ?????????????????????????????????
  • - ????????????????????????
  • - ????????????
  • - ???????????????? ????????????????????????
  • - ?????????????????????

16
??????????????? (General Control)
  • 8. ?????????????????????????
  • ?????????????????????????????????????????????????
    ?????????????
  • - ????????????
  • - ?????????
  • - ??????????????????????????????????
  • - ??????????????????????

17
????????????????Application Controls
  • ???????????????????????? (Input Control)Batch
    vs. Online
  • ???????????????????? (Process Control)
  • ?????????????????????? (Output Control)
  • ??????????????????????????????????

18
????????????????Application Controls
  • ???????????????????????? (Input Control)1.1
    Batch Input Controls
  • - Financial totals
  • - Record counts
  • - Hash totals

19
????????????????Application Controls
  • ???????????????????????? (Input Control)1.2
    Online Input Controls
  • - Pre-formatting ???????????????????????????????
    ???
  • - Field checks ?????????????????????????????????
    ??? Key ???? ???????????????????????????????????
    ?????
  • - Validity checks ?????????????????????????????
    ??????????? ?????????????????????????????????????
    ????????????????
  • - Limit or range checks ????????????????????????
    ???????????
  • ???????????????????????
  • - Self-checking digit ??????????????????????????
    ?????
  • ????????????????????????????????????????????????
    ???????????

20
????????????????Application Controls
  • 2. ????????????????????
  • - ?????????????????????????????????????
  • (Users Review)
  • - Cross-footing
  • - A Zero-balance check
  • - Run to Run control totals
  • - Concurrency controls

21
????????????????Application Controls
  • 3. ??????????????????????
  • - ????????????????????????????????????????????
    ?????????????? (Users review)
  • - ?????????????????????????????????????????????
  • - ???????????????????????????????????????????????
    ????????????????????
  • - ???????????????????????????????????
  • - ???????????????????????

22
?????????
???????????????????????
?????? ?????
?????????????????????
???????????? ??????????????????
  • ??????????????????????????????
  • ????????????????????????? ????????????????
  • ??????????????????????????????????????

????????????????????
???????????????????
??????????????????????
??????????????? ???????????????????????
?????????????????????????? ???????????????????
?????????????????????? ???
?????????????
????????????????????
??????????? ????????
????????? ???????????????
  • ????????????????????

???????????
23
1. ??????????????? 2. ????????????????
????????????
????????????????????
no
?????? ???????
1. ??????? 2. ???????????? 3. ?????? 4.
????????????? 5. ?????????????? 6.
?????????????????
1. ????? 2. ???????
??????????
??????????????????????
yes
??????????? ?????? ???????? ?
????????????????
?????????????????
??????????????? ?????????? IT
????????????????
????? ???????
yes
no
?????????????????? ??????????????????
????????????????????? ??????????????????
24
???????????? Case Study

25
???????????? Workshop
26
???????????????


27
??????
????????????????????????????????????? ???????????
????????? ?????????????????????????. 02 223 2221
???? 02 221 2141 ??? 1372 http://office.bangkok.go.th/iaud E-Mail: auditbangkok_at_yahoo.com