Abstract image of a woman sitting on books and studying on a laptop

Intro to management_and_auditing_of_info_systs

Download as PPT, PDF
J
jakodongo

This document provides an introduction to information systems auditing and management. It discusses the need for IS audits due to reliance on electronic systems and past corporate fraud cases. It also covers auditor responsibilities, independence, types of audits, standards, regulations, and maintaining confidentiality in the role of an auditor. The overall goal is to introduce key concepts for auditing information systems.

BusinessEconomy & Finance
1 of 58
Downloaded 118 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Lesson 1:Introduction to Management and Auditing of Information Systems Lecturer: Management and Auditing of Information Systems |
Lesson Objectives By the end of this lesson , you should:  Know the foundation of IS audit standards  Know the auditor’s professional requirements  Be familiar with auditor skills necessary for a successful audit  Differentiate mandatory versus discretionary wording of regulations  Describe the various types of audits  Know how to communicate with the auditee  Describe auditor leadership duties, including planning and setting priorities  Gain understanding the organizational structure of corporations and consulting firms  Gain understanding the methods of managing projects, including audit projects 5/29/2012 Report for 2010 2 |
The need for IS Audits • The reliance of many companies, organisations, governments, educational institutions etc on electronic data processing systems has led increasingly to the need for their proper control and management . • Just like financial auditors verify financial transaction, so does an IS auditor need to verify the integrity of an electronic system that is used to maintain crucial company data 5/29/2012 Report for 2010 3 |
The Demand for IS audits • Why is very necessary to have IS audits? The greatest focus has always been on financial audits: • Consider: • Italy’s Parmalat dairy scandal occurred in 2003, when executives admitted that an account that was supposed to be holding 4 billion Euro dollars of assets in the Cayman Islands did not exist. The 14 billion Euro organization collapsed into bankruptcy. According to industry news, four of the world’s leading banks were indicted in June 2007 for their participation. 5/29/2012 Report for 2010 4 |
The need for IS Audits • Adelphia Communications Corporation executives John Rigas and son Timothy Rigas were convicted of securities fraud, bank fraud for misrepresenting the source of $1.6 billion of funds used in company stock, and stealing $51 million in cash advances. Rigas’s illegally misrepresented $2.6 billion of off-balance sheet loans, which led to the company’s collapse in 2002. In July 2006, Comcast and Time Warner purchased the failed company and relocated it to Colorado. 5/29/2012 Report for 2010 5 |
The need for IS Audits • Arthur Andersen executive David Duncan violated his independence with his client, CFO Andrew Fastow of Enron. Duncan participated in improper, biased activities for Enron by ordering his staff to shred documents to obstruct the Enron investigation. • Converse Technology CEO Jacob ―Kobi‖ Alexander was captured by Federal authorities after fleeing the country in an attempt to avoid prosecution for orchestrating a fraudulent scheme of backdating options while running a secret stock options slush fund. This illegal • scheme made millions of dollars. CFO David Kreinberg and General Counsel William Sorin voluntarily surrendered to authorities for their participation in the scheme. All three are currently in jail awaiting prosecution. 5/29/2012 Report for 2010 6 |
The need for IS Audits • Closer home, what examples can we gather from well known frauds, scams, malpractices and other actions that have brought organizations to their knees or brought CEO and other officers to account? • Kenya Pipeline • NHIF • Goldenberg (Euro bank) • Trust Bank? • Others……………………………….. • Explain in your own words why you think there is a need for IS Audits against this backdrop 5/29/2012 Report for 2010 7 |
The need for IS Audits • More and more regulations are being put in place especially in western countries to effect control and minimize, detect or otherwise prevent deliberate or inadvertent mishaps like the examples above. • Have you heard of the Sarbanes- Oxley Act? • Do we have similar regulations in Kenya? • Other regulations exist in the US like Gramm-Leach-Bliley Act (financial transactions), Federal Information Security Management Act (FISMA, for government), Health Insurance Portability and Accountability Act (HIPAA), Supervisory Control and Data Acquisition (SCADA, for utilities), Fair and Accurate Credit Transactions Act (credit processing), Federal Financial Institutions Examination Council regulations (FFIEC), Payment Card Industry (PCI) 5/29/2012 Report for 2010 8 |
The need for IS Audits • All of these regulations require businesses to possess two simple components: • Evidence of business integrity • Evidence of internal controls to protect valuable assets 5/29/2012 Report for 2010 9 |
The need for IS Audits • Asset - anything of value, including trademarks, patents, secret recipes, durable goods, data files, competent personnel, and clients. People are never listed but they are key • Threat - as a negative event that would cause a loss if it occurred. • Vulnerability - path that allows a threat to occur. Without regulations, businesses would take risks that lead them into financial, or image problems. With the advent of widespread automation, small problems can escalate / cascade into major issues. Financial auditors focused on the financial transaction but there is a need to audit electronic systems. 5/29/2012 Report for 2010 10 |
Understanding Policies, Standards, Guidelines, and Procedures Type Description Compliance Issued by Policy Simple document stating mandatory CEO, CFO that a particular high- level control objective is important to the organization’s success. Standards mid-level documents to mandatory Middle level ensure uniform management application of a policy. For example ISO 5/29/2012 Report for 2010 11 |
Understanding Policies, Standards, Guidelines, and Procedures Type Description Compliance Issued by Guidelines provide advice pertaining to discretionary Proffessional how organizational bdies, objectives corporate might be obtained in the guidelines absence of a standard. The purpose is to provide information that would aid in making decisions about intended goals (should do), beneficial alternatives (could do), and actions that would not create problems (won’t hurt). 5/29/2012 Report for 2010 12 |
Understanding Policies, Standards, Guidelines, and Procedures Type Description Compliance Issued by Procedures These are ―cookbook‖ mandatory Operating officers recipes for accomplishing specific tasks necessary to meet a standard. Details are written in step-by-step format from the very beginning to the end. Good procedures include common troubleshooting steps in case the user encounters a known problem. 5/29/2012 Report for 2010 13 |
Code of Professional Ethics • As an IS auditor, you must adhere to certain codes of professional conduct. There are various guidelines but the most common one is by ISACA (Information Systems Audit and Control Association) • ISACA code of professional Ethics • Ethics statements are necessary to demonstrate the level of honesty and professionalism expected of every auditor. Overall, your profession requires you to be honest and fair in all representations you make. The goal is to build trust with clients. Your behavior should reflect a positive image on your profession 5/29/2012 Report for 2010 14 |
Preventing Ethical Conflicts • As an IS Auditor, do not participate in acts that would bring into question your professionalism and honesty. Anything that brings you into conflict with your work should be addressed immediately. Some of the conflicts that may bring an auditor into disrepute are:  Copyright violations  Guilty amnesty seekers  Failing to follow your own rules  Avoid violating general laws 5/29/2012 Report for 2010 15 |
Purpose of an Audit • Audit – review of past history • You are expected to follow the defined audit process, establish audit criteria, gather meaningful evidence, and render an independent opinion about internal controls. • It involves applying various techniques for collecting meaningful evidence, and then performing a comparison of the audit evidence against the standard for reference. • Always accurately report your findings, whether good or bad or indifferent. A good auditor will produce verifiable results. 5/29/2012 Report for 2010 16 |
Classifying Basic Types of Audits • Internal audits and assessments- auditing your own organization to discover inner workings (self assessment). They have more restrictions on scope. Findings are not shared with outsiders. • External audits- involves a related party like a customer auditing you. The goal is to ensure the expected level of performance as mutually agreed upon in their contracts. • Independent audits - these are outside of the customer-supplier influence. Third-party independent audits are frequently relied on for licensing, certification, or product approval. A simple example is independent consumer reports. 5/29/2012 Report for 2010 17 |
Classifying Basic Types of Audits • What is looked at during a systems audit? • Product audits - check the attributes against the design specification (size, color, markings). • Process audits - evaluate the process method to determine whether the activities or sequence of activities meet the published requirements (input process, output checks) • System audits – management, configuration, team members activities, control environment etc). • Financial audit- verifies financial transactions for integrity. • Operational audit - verifies effectiveness and efficiency of operational practices. Used mainly to audit service providers. 5/29/2012 Report for 2010 18 |
Classifying Basic Types of Audits • Integrated audit - includes both financial and operational controls audits • Administrative audit - verifies that appropriate policies and procedures exist and have been implemented as intended. This type of audit usually tests for the presence of required documentation. • Information systems certification and/or accreditation. - Certification usually involves system testing against a reference standard, whereas accreditation represents management’s level of acceptance. 5/29/2012 Report for 2010 19 |
The Auditor’s Responsibility • An Is auditor is expected to fulfill a fiduciary relationship. • Fiduciary relationship is whereby you are acting for the benefit of a given party and you put the interests of that party before yours. • However, it is important to provide the truth rather than just act in the auditees interests. 5/29/2012 Report for 2010 20 |
Comparing Audits to Assessments • Audit - An audit generates a report considered to represent a high assurance of truth. Audits are used in asset reporting engagements. • Assessment - An assessment is less formal and frequently more cooperative with the people/ objects under scrutiny. Its purpose is to see what exists and to assess value based on its relevance. • The assessment report is viewed to have lower value (moderate-to- low value) when compared to an audit. The primary role of an assessment is to help the employees improve their score. 5/29/2012 Report for 2010 21 |
Auditor Role versus Auditee Role • There are only two titles for persons directly involved in an audit. First is the auditor, the one who investigates. Second is the auditee, the subject of the audit. A third role exists which is normally outside of • Auditor - The auditor is the competent person performing the audit. • Auditee - The organization and people being audited are collectively called the auditee. • Client - The client is the person or organization with the authority to request the audit. A client may be the audit committee, external customer, internal audit department, or regulatory group. If the client is internal to the auditee, that client assumes the auditee role. the audit, known as the client. 5/29/2012 Report for 2010 22 |
Independence • An Is auditor is expected to be very independent in his work. • you are not related professionally, personally, or organizationally to the subject of the audit. You cannot be independent if the audit’s outcome results in your financial gain or if you are involved in the auditee’s decisions or design of the subject being audited. Applying an Independence Test • Are you auditing something you helped to develop? • Are you free of any conflicts, circumstances, or attitudes toward the auditee that might affect the audit outcome? 5/29/2012 Report for 2010 23 |
Independence • Is your personal life free of any relationships, off-duty behavior, or financial gain that could be perceived as affecting your judgment? • Do you have any organizational relationships with the auditee, including business deals, financial obligations, or pending legal actions? • Do you have a job conflict? Does the organizational structure require your position to work under the executive in charge of the area being audited? Did you receive any gifts of value or special favors? • If your answer is yes then your independence is compromised 5/29/2012 Report for 2010 24 |
Various Auditing Standards • audits either verify compliance (compliance test) or check the substance and integrity of a claim (substantive test). Just how does an auditor know what to do in these audits? • How does an IS auditor know what to do in these audits? • There are standards that can be used. • All these standards are in fundamental agreement with each other though they may seem many and daunting. • Our focus will be on the ISACA standards since they focus very much on IS auditing. 5/29/2012 Report for 2010 25 |
Various Auditing Standards • During the audit process, you will find clients are more receptive when your audit goals are linked to specific citations in the audit standards. You should aim to fill a known and defined point of compliance rather than provide a vague statement relating to something you may have read in a textbook. Don’t make the mistake of trusting your job to misinformation, rumors, or free advice on the Internet. 5/29/2012 Report for 2010 26 |
Specific Regulations Defining Best Practices • These are predominantly U.S. regulations with worldwide compliance implications due to global outsourcing. • Every regulation is designed to mandate the minimum acceptable requirements when conducting any form of business within that specific industry. The auditor must remain aware of two types of statements contained in all regulations: 5/29/2012 Report for 2010 27 |
Specific Regulations Defining Best Practices • Recommended (discretionary) - These are actions that usually contain statements with the word should—for example, suggested management responsibilities, staffing, control mechanisms, or technical attributes. • Required (mandatory) - These are actions that contain the word shall. Shall indicates that statement is a commandment of compliance. Shall is not optional. The auditor must remember that failing to meet a required Shall objective is a real concern. The regulations serve to protect the citizens at large. 5/29/2012 Report for 2010 28 |
Understanding the Auditors Position • Your clients expect you to be authoritative and professional regardless of the circumstances. Your office is mobile, so you are depended on to handle decisions in the field. Your clients include the highest levels of management within an organization. Those clients expect you to assist them with your observations and occasional advice. You will deal with the challenges of providing advice in a manner that does not interfere with the independent audit. 5/29/2012 Report for 2010 29 |
Understanding the Auditors Position • Confidentiality- a client entrusts an auditor with information and it should never be betrayed. Exercise confidentiality by least privilege whereby only the minimum necessary information is given. • Also:  Keep sensitive information as client property.  Contact legal counsels regarding confidentiality.  Back up and secure any work done on computer (automated working papers).  Physically secure any PC or laptops you use.  Keep securely every document file archive you make for every audit. 5/29/2012 Report for 2010 30 |
Understanding the Auditors Position • Working with lawyers – most communication between auditor and client is exempt from legal discovery hence a lawyer may not be needed. However, it is suggested that the client is consulted in case there is any need for communication with a lawyer. • Leadership – an auditor needs to have strong leadership qualities;  mark out when your directions are mandatory and when they are open to feedback and criticism  Develop specific requirements and share out the plans  Get your staff to believe in you 5/29/2012 Report for 2010 31 |
Understanding the Auditors Position • Planning and setting priorities- a good auditor plans and sets priorities on what needs to be done.  Gaining an understanding of the customer’s business  Respecting business cycles (monthly, quarterly, seasonal, and annual)  Establishing priorities  Selecting an audit strategy based on risk and information known or observed  Finding the people for your audit team  Coordinating the logistics prior to the audit for resources, work space, and facilities 5/29/2012 Report for 2010 32 |
Understanding the Auditors Position • Planning and setting priorities (continued)  Requesting documents (discovery requests)  Scheduling people’s time and availability  Arranging travel and accommodations  Planning for delays or nonperformance  Considering rescheduling if recent downtime or risks warrant it  Developing alternative strategies  Developing a briefing schedule 5/29/2012 Report for 2010 33 |
Understanding the Auditors Position • Providing standard terms of reference- an auditor needs to be courteous and polite to clients . Develop standard terms of reference to cultivate respectful and honest interpretation. – Auditee claim/statement – Present – Not present – Planned – Tested (how) – Not tested (why) – Observed – Verified (how) – Not verified – New requirement 5/29/2012 Report for 2010 34 |
Understanding the Auditors Position • Dealing with conflict/ failures – exercise common sense and quick responses. • Identifying the value of external vs. internal auditors - External auditors are paid to be independent reviewers for an organization. Internal auditors can add enormous value to an organization by providing ongoing efforts that help prepare the organization for an external audit. • Apply the evidence rule- A good auditor will use sufficient evidence to formulate their auditor’s opinion. No opinion can be formed when you lack evidence of acceptable quantity, relevance, and reliability. Your job is to be a professional skeptic and demand proof in the form of evidence you can verify. 5/29/2012 Report for 2010 35 |
Understanding the Auditors Position • Identify who you need to interview- plan for whom you will interview, how long it will take and what exactly you will ask. You have to be very specific. There are three classes of people in IS audits (data owner (e.g. CFO, CEO) , data custodian 9database administrator, systems administrator), data user (internal user, client) • Understand the organizational structure and roles- e.g. through use of hierarchy charts 5/29/2012 Report for 2010 36 |
Managing Projects • An audit exercise is essentially a project. An auditor must take a project management approach towards the audit. Some project management standards exist e.g.  Project Management Institute (PMI)  Prince2  Total Quality Management (TQM)  Six Sigma  ISO 9001  The PMI standard is by far the most comprehensive and most recommended standard for IS auditing. 5/29/2012 Report for 2010 37 |
Managing Projects What is a Project ? • Three characteristics define a project  A project is temporary (start end times)  A project is unique- is meant to facilitate a particular outcome  A project is progressively elaborated. The project starts out with simple high-level ideas that are polished and becomes defined into more and more detail during planning What is Project Management? • A simple definition of project management is to balance competing demands. These demands are referred to as the triple constraint. We can define them as competing values of  Scope  Resources (cost, time)  Quality 5/29/2012 Report for 2010 38 |
Managing Projects • The Project Management Framework • The Project Management Institute (PMI) defines the project management framework or PMBOK (Project Management Body Of Knowledge) • PMBOK offers five process groups: • The five process groups as defined by PMI are as follows: 1. Initiating 2. Planning 3. Executing 4. Monitoring and Controlling 5. Closing 5/29/2012 Report for 2010 39 |
Managing Projects 1. Initiating- This process group begins the project or a phase of the project. Sets the scope and authorization of the project. 2. Planning - Planning is where the project scope, goals, and objectives are detailed. 3. Executing- The processes within this group are used to create the project deliverables. 4. Monitoring and Controlling - measures performance and control changes. Examples include review meetings, dealing with substitutions, and schedule changes. 5. Closing - When a phase or the project is completed, this process group will pay vendors and put the files in an archive to close out the project. 5/29/2012 Report for 2010 40 |
Managing Projects Aspects of project management • Project Integration Management - Project Integration Management is the knowledge area containing processes that tie all of the other processes together • Project Scope Management - Project Scope Management contains processes that define the product created by the project and the work to be performed on the project. During this process, a structure is created that breaks each task into itemized details of work to be performed 5/29/2012 Report for 2010 41 |
Managing Projects Aspects of project management • Project Time Management - Project Time Management contains processes that define and control the activities required to complete the project as well as resources for the project. In this knowledge area, the project manager defines the baseline schedule for the project. • Project Cost Management • Project Cost Management comprises three processes that define, specify, and control costs for the project. This knowledge area uses earned value technique to measure cost performance for the project. Earned value (EV) is the current value of work that has been performed in the project. 5/29/2012 Report for 2010 42 |
Managing Projects Aspects of Project Management • Project Quality Management - The Project Quality Management knowledge area comprises three processes that define the level of quality applied to the project’s product and performance. Project team members audit the performance of their project. Next, the product created by the project is inspected for conformance to the design objectives. • Project Human Resource Management - Project Human Resource Management facilitates planning the organizational structure, job roles, specific responsibilities, and acquisition of staff for the project. This is the best technique to get the skilled people needed for your project. Use the work breakdown structure (WBS) from scope management planning to build a skills matrix. 5/29/2012 Report for 2010 43 |
Managing Projects Aspects of Project Management • Project Communications Management - Project Communications Management defines the communications needs of the project stakeholders, and then facilitates and controls communications distribution during the life of the project. Audit projects need this level of planning to clarify what is discussed or reported to our stakeholders. • Project Risk Management - Project Risk Management comprises processes that define the risk methods to be used, define the risks of the project, analyze the risks, and document responses to identified risks. 5/29/2012 Report for 2010 44 |
Managing Projects Aspects of Project Management • Project Procurement Management - Project Procurement Management defines the processes that are required to purchase resources. All projects need to procure people, equipment, and materials from outside the organization. 5/29/2012 Report for 2010 45 |
Managing Projects Using Project Management Diagramming Techniques Gannt Charts • are used to schedule and sequence activities in a waterfall-type representation. Planned activities are shown flowing downward to completion. The figure shows both sequential and concurrent activities in a linear bar-chart-style presentation. Milestones will be identified and progress reported against planned activities. 5/29/2012 Report for 2010 46 |
Managing Projects Using Project Management Diagramming Techniques PERT • Program Evaluation Review Technique (PERT) is used to illustrate the relationship between planned activities. PERT diagramming shows multiple routes through the project activities, as necessary for accomplishing the goal. • PERT has two major advantages. First is the ability to demonstrate a critical path. The second advantage is that PERT provides a quantitative measurement tool for risk analysis. It can help measure the risk of delays, failure, and likely completion. The most successful project managers use both Gantt and PERT—Gantt to display resource detail, and PERT to show the current and most up-to-date critical path. 5/29/2012 Report for 2010 47 |
Summary (Quiz) What is the difference between a policy and a procedure? A. Compliance to a policy is discretionary, and compliance to a procedure is mandatory. B. A procedure provides discretionary advice to aid in decision making. The policy defines specific requirements to ensure compliance. C. A policy is a high-level document signed by a person of authority, and compliance is mandatory. A procedure defines the mandatory steps to attain compliance. D. A policy is a mid-level document issued to advise the reader of desired actions in the absence of a standard. The procedure describes suggested steps to use. 5/29/2012 Report for 2010 48 |
Summary (Quiz) Which of the following in a business organization will be held liable by the government for failures of internal controls? A. President, vice presidents, and other true corporate officers B. Board of directors, president, vice presidents, department directors, and managers C. All members of management D. Board of directors, CEO, CFO, CIO, and department directors 5/29/2012 Report for 2010 49 |
Summary (Quiz) What does fiduciary responsibility mean? A. To use information gained for personal interests without breaching confidentiality of the client. B. To act for the benefit of another person and place the responsibilities to be fair and honest ahead of your own interest. C. To follow the desires of the client and maintain total confidentiality even if illegal acts are discovered. The auditor shall never disclose information from an audit in order to protect the client. D. None of the above. 5/29/2012 Report for 2010 50 |
Summary (Quiz) What are the different types of audits? A. Forensic, accounting, verification, regulatory B. Integrated, operational, compliance, administrative C. Financial, SAS-74, compliance, administrative D. Information systems, SAS-70, regulatory, procedural 5/29/2012 Report for 2010 51 |
Summary (Quiz) What is the difference between the word should and shall when used in regulations? A. Shall represents discretionary requirements, and should provides advice to the reader. B. Should indicates mandatory actions, whereas shall provides advisory information recommending actions when appropriate C. Should and shall are comparable in meaning. The difference is based on the individual circumstances faced by the audit. D. Should indicates actions that are discretionary according to need, whereas shall means the action is mandatory regardless of financial impact 5/29/2012 Report for 2010 52 |
Summary (Quiz) Which of the following is not defined as a nonaudit role? A. System designer B. Operational staff member C. Auditor D. Organizational manage 5/29/2012 Report for 2010 53 |
Summary (Quiz) Why is it necessary to protect audit documentation and work papers? A. The evidence gathered in an audit must be disclosed for regulatory compliance. B. A paper trail is necessary to prove the auditor is right and the auditee is wrong. C. The auditor will have to prove illegal activity in a court of law. D. Audit documentation work papers may reveal confidential information that should not be lost or disclosed. 5/29/2012 Report for 2010 54 |
Summary (Quiz) Which of the following is a network diagram that shows the critical path for a project? A. Program Evaluation Review Technique B. Gantt chart with activity sequencing C. Shortest Path Diagramming Technique D. Milestone reporting 5/29/2012 Report for 2010 55 |
Summary (Quiz) What is the purpose of standard terms of reference? A. To meet the legal requirement of regulatory compliance B. To prove who is responsible C. To ensure honest and unbiased communication D. To ensure that requirements are clearly identified in a regulation 5/29/2012 Report for 2010 56 |
Summary (Quiz) What does the term auditor independence relate to? A. It is not an issue for auditors working for a consulting company. B. It is required for an external audit. C. An internal auditor must undergo certification training to be independent. D. The audit committee bestows independence upon the auditor. 5/29/2012 Report for 2010 57 |
Ole Sangale Road, Madaraka Estate. PO Box 59857-00200, Nairobi, Kenya Tel +254 (0)20 606155, 606268, 606380 Fax +254 (0)20 607498 Mobile +254 (0)722 25 428, (0)733 618 135 Email info@strathmore.edu www.strathmore.edu |

More Related Content

PDF
Compliance in the framework of corporate governance (side panel 2) - Oliver O...
e-Democracy Conference
 
PPTX
. Managing the Outsourcing _Governance final
GTTSlide
 
PPT
Business Structure
Richard Veryard
 
PPTX
Lecture no. 2 org.structure
Pir Qasim Shah
 
PDF
Operational Risk Management for practitioners v1.0
Ignacio Reclusa
 
PPTX
Best Practices: Change Management
Corporate Compliance Seminars
 
PPTX
Compliance Framework
barnetdh
 
PPTX
OPERATIONAL RISK MANAGEMENT
Intan Noona
 
Compliance in the framework of corporate governance (side panel 2) - Oliver O...
e-Democracy Conference
 
. Managing the Outsourcing _Governance final
GTTSlide
 
Business Structure
Richard Veryard
 
Lecture no. 2 org.structure
Pir Qasim Shah
 
Operational Risk Management for practitioners v1.0
Ignacio Reclusa
 
Best Practices: Change Management
Corporate Compliance Seminars
 
Compliance Framework
barnetdh
 
OPERATIONAL RISK MANAGEMENT
Intan Noona
 

What's hot (20)

PDF
Are You Ready? Implementing COSO's Updated Internal Controls Framework
BlackLine
 
PPTX
The Directors Tutorial
Deborah_K_Williams
 
PPT
Ethics in Audit
Bikash Kumar
 
PPTX
ITIL vs. COBIT
Mohsen Yousefi
 
PPTX
Upgrading Risk Management and Internal Control in Your Organization
International Federation of Accountants
 
PDF
Managing The Business Risk Of Fraud
Mahmoud Elbagoury
 
PPTX
Toronix - SOA Governance Quick Start
rrowntree
 
PPT
Busines Continuity And Compliance
salamali
 
PPT
Learning From Failure - A Tale of Three Projects
Peter Salmon
 
PPTX
The NLRB's New Joint-Employer Test: What You Need to Know Regarding its Likel...
Winston & Strawn LLP
 
PDF
Introduction to COSO 2013 - Corporate Compliance Seminars
Corporate Compliance Seminars
 
PPTX
Leveraging Effective Risk Management and Internal Control for Your Organization
International Federation of Accountants
 
PPT
Chap008
ftsutton
 
PPTX
What Is It Governance Introduction
nicxenos
 
PPT
Governance Of Enterprise Information Technology V3
pjmartinez
 
PPTX
Governance and Compliance for Credit Unions
le chéile Group
 
PPTX
policyIQ for COSO 2013 Internal Control - Integrated Framework
sbyearly
 
PPTX
Managing human resources at data centers 1.0
aqel aqel
 
DOCX
Corporate Governance in Subsidiary Company
Alfred Rodrigues
 
PPTX
Comparison of it governance framework-COBIT, ITIL, BS7799
Meghna Verma
 
Are You Ready? Implementing COSO's Updated Internal Controls Framework
BlackLine
 
The Directors Tutorial
Deborah_K_Williams
 
Ethics in Audit
Bikash Kumar
 
ITIL vs. COBIT
Mohsen Yousefi
 
Upgrading Risk Management and Internal Control in Your Organization
International Federation of Accountants
 
Managing The Business Risk Of Fraud
Mahmoud Elbagoury
 
Toronix - SOA Governance Quick Start
rrowntree
 
Busines Continuity And Compliance
salamali
 
Learning From Failure - A Tale of Three Projects
Peter Salmon
 
The NLRB's New Joint-Employer Test: What You Need to Know Regarding its Likel...
Winston & Strawn LLP
 
Introduction to COSO 2013 - Corporate Compliance Seminars
Corporate Compliance Seminars
 
Leveraging Effective Risk Management and Internal Control for Your Organization
International Federation of Accountants
 
Chap008
ftsutton
 
What Is It Governance Introduction
nicxenos
 
Governance Of Enterprise Information Technology V3
pjmartinez
 
Governance and Compliance for Credit Unions
le chéile Group
 
policyIQ for COSO 2013 Internal Control - Integrated Framework
sbyearly
 
Managing human resources at data centers 1.0
aqel aqel
 
Corporate Governance in Subsidiary Company
Alfred Rodrigues
 
Comparison of it governance framework-COBIT, ITIL, BS7799
Meghna Verma
 
Ad

Similar to Intro to management_and_auditing_of_info_systs (20)

PPT
COSO 2013: What you need to know
jennyhollingworth
 
PPTX
Recent COSO Internal Control and Risk Management Developments
International Federation of Accountants
 
PPTX
Corporate governance good-see
Shreevatsa karanth
 
PDF
ISO 22222 - Achieving A Competitive Edge Presentation 2010
Michelle Hoskin
 
PPTX
Principal 4 Enabling A Holistic Approach
Mohammad Reda Katby
 
PPTX
Thapas Sir Presentation ppt =priyanka rai -ICBM-SBE HYDERABAD
am12sd34
 
DOCX
Mcs report
itsme_akku
 
PDF
Control and audit of information System (hendri eka saputra)
Hendri Eka Saputra
 
PDF
Hedge Fund Management
Joseph Gigliotti
 
PDF
Iso 9001 2015 iso geek
Varinder Kumar
 
PPTX
Agile in a highly regulated organization 2014
Tami Flowers
 
PPSX
Coso internal control integrated framework
Irfan Ahmed - ACA, CICA
 
PDF
Segregation of Duties Solutions
Ahmed Abdul Hamed
 
PDF
How to pass cobit exam
Egyptian Engineers Association
 
DOCX
ReferencesRobbins, S. P., & Judge, T. A. (2019). Organizational .docx
audeleypearl
 
PDF
Applying the Global Internal Audit Standards_AIS.pdf
alexiusbrian1
 
PPTX
Internal Financial Controls
tarunmallappa
 
PPTX
Corporate Governance of Wipro.pptx
DebojyotiDeySarkar
 
PPTX
business Ethics Chapter 2 BBA 2nd year by
surpriseofficialshop
 
PPTX
CoBIT 5 (A brief Description)
Sam Mandebvu
 
COSO 2013: What you need to know
jennyhollingworth
 
Recent COSO Internal Control and Risk Management Developments
International Federation of Accountants
 
Corporate governance good-see
Shreevatsa karanth
 
ISO 22222 - Achieving A Competitive Edge Presentation 2010
Michelle Hoskin
 
Principal 4 Enabling A Holistic Approach
Mohammad Reda Katby
 
Thapas Sir Presentation ppt =priyanka rai -ICBM-SBE HYDERABAD
am12sd34
 
Mcs report
itsme_akku
 
Control and audit of information System (hendri eka saputra)
Hendri Eka Saputra
 
Hedge Fund Management
Joseph Gigliotti
 
Iso 9001 2015 iso geek
Varinder Kumar
 
Agile in a highly regulated organization 2014
Tami Flowers
 
Coso internal control integrated framework
Irfan Ahmed - ACA, CICA
 
Segregation of Duties Solutions
Ahmed Abdul Hamed
 
How to pass cobit exam
Egyptian Engineers Association
 
ReferencesRobbins, S. P., & Judge, T. A. (2019). Organizational .docx
audeleypearl
 
Applying the Global Internal Audit Standards_AIS.pdf
alexiusbrian1
 
Internal Financial Controls
tarunmallappa
 
Corporate Governance of Wipro.pptx
DebojyotiDeySarkar
 
business Ethics Chapter 2 BBA 2nd year by
surpriseofficialshop
 
CoBIT 5 (A brief Description)
Sam Mandebvu
 
Ad

Recently uploaded (20)

PPT
Lecture 3344;;,,(,(((((((((((((((((((((((
princessbliss09
 
DOCX
Center Enamel A Strategic Partner for the Modernization of Georgia's Chemical...
cecvessels
 
PDF
Daniels 2024 Inclusive, Sustainable Development
CMassociates
 
PDF
Nante Industrial Plug Factory: Engineering Quality for Modern Power Applications
gdhdgee963
 
PPTX
BUSINESS CYCLE_INFLATION AND UNEMPLOYMENT.pptx
TasmiaThalil
 
PDF
533158074-Saudi-Arabia-Companies-List-Contact.pdf
Shaik Abubakr Siddiqui
 
PPTX
Board-Reporting-Package-by-Umbrex-5-23-23.pptx
Pars Six Sigma Excellence
 
PPTX
basic introduction to research chapter 1.pptx
sangeethanagaraj8
 
PDF
Booking.com The Global AI Sentiment Report 2025
agatadrynko
 
PPTX
interschool scomp.pptxzdkjhdjvdjvdjdhjhieij
PrashantNagi1
 
PDF
Chapter 2 - AI chatbots and prompt engineering.pdf
Quan Risk
 
PPTX
Slide gioi thieu VietinBank Quy 2 - 2025
hoadm5190
 
PDF
Ron Thomas - Top Influential Business Leaders Shaping the Modern Industry – 2025
themenabusinessrevie
 
PPTX
chapter 2 entrepreneurship full lecture ppt
annejo20
 
PPTX
2 - Self & Personality 587689213yiuedhwejbmansbeakjrk
inshu28231804
 
PDF
income tax laws notes important pakistan
VrindaTayade1
 
PDF
Robin Fischer: A Visionary Leader Making a Difference in Healthcare, One Day ...
The lifescience magaizne
 
PDF
TyAnn Osborn: A Visionary Leader Shaping Corporate Workforce Dynamics
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
PPTX
operations management : demand supply ch
JayeshJaiswal23
 
DOCX
80 DE ÔN VÀO 10 NĂM 2023vhkkkjjhhhhjjjj
janggookdal
 
Lecture 3344;;,,(,(((((((((((((((((((((((
princessbliss09
 
Center Enamel A Strategic Partner for the Modernization of Georgia's Chemical...
cecvessels
 
Daniels 2024 Inclusive, Sustainable Development
CMassociates
 
Nante Industrial Plug Factory: Engineering Quality for Modern Power Applications
gdhdgee963
 
BUSINESS CYCLE_INFLATION AND UNEMPLOYMENT.pptx
TasmiaThalil
 
533158074-Saudi-Arabia-Companies-List-Contact.pdf
Shaik Abubakr Siddiqui
 
Board-Reporting-Package-by-Umbrex-5-23-23.pptx
Pars Six Sigma Excellence
 
basic introduction to research chapter 1.pptx
sangeethanagaraj8
 
Booking.com The Global AI Sentiment Report 2025
agatadrynko
 
interschool scomp.pptxzdkjhdjvdjvdjdhjhieij
PrashantNagi1
 
Chapter 2 - AI chatbots and prompt engineering.pdf
Quan Risk
 
Slide gioi thieu VietinBank Quy 2 - 2025
hoadm5190
 
Ron Thomas - Top Influential Business Leaders Shaping the Modern Industry – 2025
themenabusinessrevie
 
chapter 2 entrepreneurship full lecture ppt
annejo20
 
2 - Self & Personality 587689213yiuedhwejbmansbeakjrk
inshu28231804
 
income tax laws notes important pakistan
VrindaTayade1
 
Robin Fischer: A Visionary Leader Making a Difference in Healthcare, One Day ...
The lifescience magaizne
 
TyAnn Osborn: A Visionary Leader Shaping Corporate Workforce Dynamics
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
operations management : demand supply ch
JayeshJaiswal23
 
80 DE ÔN VÀO 10 NĂM 2023vhkkkjjhhhhjjjj
janggookdal
 

Intro to management_and_auditing_of_info_systs

  • 1. Lesson 1:Introduction to Management and Auditing of Information Systems Lecturer: Management and Auditing of Information Systems |
  • 2. Lesson Objectives By the end of this lesson , you should:  Know the foundation of IS audit standards  Know the auditor’s professional requirements  Be familiar with auditor skills necessary for a successful audit  Differentiate mandatory versus discretionary wording of regulations  Describe the various types of audits  Know how to communicate with the auditee  Describe auditor leadership duties, including planning and setting priorities  Gain understanding the organizational structure of corporations and consulting firms  Gain understanding the methods of managing projects, including audit projects 5/29/2012 Report for 2010 2 |
  • 3. The need for IS Audits • The reliance of many companies, organisations, governments, educational institutions etc on electronic data processing systems has led increasingly to the need for their proper control and management . • Just like financial auditors verify financial transaction, so does an IS auditor need to verify the integrity of an electronic system that is used to maintain crucial company data 5/29/2012 Report for 2010 3 |
  • 4. The Demand for IS audits • Why is very necessary to have IS audits? The greatest focus has always been on financial audits: • Consider: • Italy’s Parmalat dairy scandal occurred in 2003, when executives admitted that an account that was supposed to be holding 4 billion Euro dollars of assets in the Cayman Islands did not exist. The 14 billion Euro organization collapsed into bankruptcy. According to industry news, four of the world’s leading banks were indicted in June 2007 for their participation. 5/29/2012 Report for 2010 4 |
  • 5. The need for IS Audits • Adelphia Communications Corporation executives John Rigas and son Timothy Rigas were convicted of securities fraud, bank fraud for misrepresenting the source of $1.6 billion of funds used in company stock, and stealing $51 million in cash advances. Rigas’s illegally misrepresented $2.6 billion of off-balance sheet loans, which led to the company’s collapse in 2002. In July 2006, Comcast and Time Warner purchased the failed company and relocated it to Colorado. 5/29/2012 Report for 2010 5 |
  • 6. The need for IS Audits • Arthur Andersen executive David Duncan violated his independence with his client, CFO Andrew Fastow of Enron. Duncan participated in improper, biased activities for Enron by ordering his staff to shred documents to obstruct the Enron investigation. • Converse Technology CEO Jacob ―Kobi‖ Alexander was captured by Federal authorities after fleeing the country in an attempt to avoid prosecution for orchestrating a fraudulent scheme of backdating options while running a secret stock options slush fund. This illegal • scheme made millions of dollars. CFO David Kreinberg and General Counsel William Sorin voluntarily surrendered to authorities for their participation in the scheme. All three are currently in jail awaiting prosecution. 5/29/2012 Report for 2010 6 |
  • 7. The need for IS Audits • Closer home, what examples can we gather from well known frauds, scams, malpractices and other actions that have brought organizations to their knees or brought CEO and other officers to account? • Kenya Pipeline • NHIF • Goldenberg (Euro bank) • Trust Bank? • Others……………………………….. • Explain in your own words why you think there is a need for IS Audits against this backdrop 5/29/2012 Report for 2010 7 |
  • 8. The need for IS Audits • More and more regulations are being put in place especially in western countries to effect control and minimize, detect or otherwise prevent deliberate or inadvertent mishaps like the examples above. • Have you heard of the Sarbanes- Oxley Act? • Do we have similar regulations in Kenya? • Other regulations exist in the US like Gramm-Leach-Bliley Act (financial transactions), Federal Information Security Management Act (FISMA, for government), Health Insurance Portability and Accountability Act (HIPAA), Supervisory Control and Data Acquisition (SCADA, for utilities), Fair and Accurate Credit Transactions Act (credit processing), Federal Financial Institutions Examination Council regulations (FFIEC), Payment Card Industry (PCI) 5/29/2012 Report for 2010 8 |
  • 9. The need for IS Audits • All of these regulations require businesses to possess two simple components: • Evidence of business integrity • Evidence of internal controls to protect valuable assets 5/29/2012 Report for 2010 9 |
  • 10. The need for IS Audits • Asset - anything of value, including trademarks, patents, secret recipes, durable goods, data files, competent personnel, and clients. People are never listed but they are key • Threat - as a negative event that would cause a loss if it occurred. • Vulnerability - path that allows a threat to occur. Without regulations, businesses would take risks that lead them into financial, or image problems. With the advent of widespread automation, small problems can escalate / cascade into major issues. Financial auditors focused on the financial transaction but there is a need to audit electronic systems. 5/29/2012 Report for 2010 10 |
  • 11. Understanding Policies, Standards, Guidelines, and Procedures Type Description Compliance Issued by Policy Simple document stating mandatory CEO, CFO that a particular high- level control objective is important to the organization’s success. Standards mid-level documents to mandatory Middle level ensure uniform management application of a policy. For example ISO 5/29/2012 Report for 2010 11 |
  • 12. Understanding Policies, Standards, Guidelines, and Procedures Type Description Compliance Issued by Guidelines provide advice pertaining to discretionary Proffessional how organizational bdies, objectives corporate might be obtained in the guidelines absence of a standard. The purpose is to provide information that would aid in making decisions about intended goals (should do), beneficial alternatives (could do), and actions that would not create problems (won’t hurt). 5/29/2012 Report for 2010 12 |
  • 13. Understanding Policies, Standards, Guidelines, and Procedures Type Description Compliance Issued by Procedures These are ―cookbook‖ mandatory Operating officers recipes for accomplishing specific tasks necessary to meet a standard. Details are written in step-by-step format from the very beginning to the end. Good procedures include common troubleshooting steps in case the user encounters a known problem. 5/29/2012 Report for 2010 13 |
  • 14. Code of Professional Ethics • As an IS auditor, you must adhere to certain codes of professional conduct. There are various guidelines but the most common one is by ISACA (Information Systems Audit and Control Association) • ISACA code of professional Ethics • Ethics statements are necessary to demonstrate the level of honesty and professionalism expected of every auditor. Overall, your profession requires you to be honest and fair in all representations you make. The goal is to build trust with clients. Your behavior should reflect a positive image on your profession 5/29/2012 Report for 2010 14 |
  • 15. Preventing Ethical Conflicts • As an IS Auditor, do not participate in acts that would bring into question your professionalism and honesty. Anything that brings you into conflict with your work should be addressed immediately. Some of the conflicts that may bring an auditor into disrepute are:  Copyright violations  Guilty amnesty seekers  Failing to follow your own rules  Avoid violating general laws 5/29/2012 Report for 2010 15 |
  • 16. Purpose of an Audit • Audit – review of past history • You are expected to follow the defined audit process, establish audit criteria, gather meaningful evidence, and render an independent opinion about internal controls. • It involves applying various techniques for collecting meaningful evidence, and then performing a comparison of the audit evidence against the standard for reference. • Always accurately report your findings, whether good or bad or indifferent. A good auditor will produce verifiable results. 5/29/2012 Report for 2010 16 |
  • 17. Classifying Basic Types of Audits • Internal audits and assessments- auditing your own organization to discover inner workings (self assessment). They have more restrictions on scope. Findings are not shared with outsiders. • External audits- involves a related party like a customer auditing you. The goal is to ensure the expected level of performance as mutually agreed upon in their contracts. • Independent audits - these are outside of the customer-supplier influence. Third-party independent audits are frequently relied on for licensing, certification, or product approval. A simple example is independent consumer reports. 5/29/2012 Report for 2010 17 |
  • 18. Classifying Basic Types of Audits • What is looked at during a systems audit? • Product audits - check the attributes against the design specification (size, color, markings). • Process audits - evaluate the process method to determine whether the activities or sequence of activities meet the published requirements (input process, output checks) • System audits – management, configuration, team members activities, control environment etc). • Financial audit- verifies financial transactions for integrity. • Operational audit - verifies effectiveness and efficiency of operational practices. Used mainly to audit service providers. 5/29/2012 Report for 2010 18 |
  • 19. Classifying Basic Types of Audits • Integrated audit - includes both financial and operational controls audits • Administrative audit - verifies that appropriate policies and procedures exist and have been implemented as intended. This type of audit usually tests for the presence of required documentation. • Information systems certification and/or accreditation. - Certification usually involves system testing against a reference standard, whereas accreditation represents management’s level of acceptance. 5/29/2012 Report for 2010 19 |
  • 20. The Auditor’s Responsibility • An Is auditor is expected to fulfill a fiduciary relationship. • Fiduciary relationship is whereby you are acting for the benefit of a given party and you put the interests of that party before yours. • However, it is important to provide the truth rather than just act in the auditees interests. 5/29/2012 Report for 2010 20 |
  • 21. Comparing Audits to Assessments • Audit - An audit generates a report considered to represent a high assurance of truth. Audits are used in asset reporting engagements. • Assessment - An assessment is less formal and frequently more cooperative with the people/ objects under scrutiny. Its purpose is to see what exists and to assess value based on its relevance. • The assessment report is viewed to have lower value (moderate-to- low value) when compared to an audit. The primary role of an assessment is to help the employees improve their score. 5/29/2012 Report for 2010 21 |
  • 22. Auditor Role versus Auditee Role • There are only two titles for persons directly involved in an audit. First is the auditor, the one who investigates. Second is the auditee, the subject of the audit. A third role exists which is normally outside of • Auditor - The auditor is the competent person performing the audit. • Auditee - The organization and people being audited are collectively called the auditee. • Client - The client is the person or organization with the authority to request the audit. A client may be the audit committee, external customer, internal audit department, or regulatory group. If the client is internal to the auditee, that client assumes the auditee role. the audit, known as the client. 5/29/2012 Report for 2010 22 |
  • 23. Independence • An Is auditor is expected to be very independent in his work. • you are not related professionally, personally, or organizationally to the subject of the audit. You cannot be independent if the audit’s outcome results in your financial gain or if you are involved in the auditee’s decisions or design of the subject being audited. Applying an Independence Test • Are you auditing something you helped to develop? • Are you free of any conflicts, circumstances, or attitudes toward the auditee that might affect the audit outcome? 5/29/2012 Report for 2010 23 |
  • 24. Independence • Is your personal life free of any relationships, off-duty behavior, or financial gain that could be perceived as affecting your judgment? • Do you have any organizational relationships with the auditee, including business deals, financial obligations, or pending legal actions? • Do you have a job conflict? Does the organizational structure require your position to work under the executive in charge of the area being audited? Did you receive any gifts of value or special favors? • If your answer is yes then your independence is compromised 5/29/2012 Report for 2010 24 |
  • 25. Various Auditing Standards • audits either verify compliance (compliance test) or check the substance and integrity of a claim (substantive test). Just how does an auditor know what to do in these audits? • How does an IS auditor know what to do in these audits? • There are standards that can be used. • All these standards are in fundamental agreement with each other though they may seem many and daunting. • Our focus will be on the ISACA standards since they focus very much on IS auditing. 5/29/2012 Report for 2010 25 |
  • 26. Various Auditing Standards • During the audit process, you will find clients are more receptive when your audit goals are linked to specific citations in the audit standards. You should aim to fill a known and defined point of compliance rather than provide a vague statement relating to something you may have read in a textbook. Don’t make the mistake of trusting your job to misinformation, rumors, or free advice on the Internet. 5/29/2012 Report for 2010 26 |
  • 27. Specific Regulations Defining Best Practices • These are predominantly U.S. regulations with worldwide compliance implications due to global outsourcing. • Every regulation is designed to mandate the minimum acceptable requirements when conducting any form of business within that specific industry. The auditor must remain aware of two types of statements contained in all regulations: 5/29/2012 Report for 2010 27 |
  • 28. Specific Regulations Defining Best Practices • Recommended (discretionary) - These are actions that usually contain statements with the word should—for example, suggested management responsibilities, staffing, control mechanisms, or technical attributes. • Required (mandatory) - These are actions that contain the word shall. Shall indicates that statement is a commandment of compliance. Shall is not optional. The auditor must remember that failing to meet a required Shall objective is a real concern. The regulations serve to protect the citizens at large. 5/29/2012 Report for 2010 28 |
  • 29. Understanding the Auditors Position • Your clients expect you to be authoritative and professional regardless of the circumstances. Your office is mobile, so you are depended on to handle decisions in the field. Your clients include the highest levels of management within an organization. Those clients expect you to assist them with your observations and occasional advice. You will deal with the challenges of providing advice in a manner that does not interfere with the independent audit. 5/29/2012 Report for 2010 29 |
  • 30. Understanding the Auditors Position • Confidentiality- a client entrusts an auditor with information and it should never be betrayed. Exercise confidentiality by least privilege whereby only the minimum necessary information is given. • Also:  Keep sensitive information as client property.  Contact legal counsels regarding confidentiality.  Back up and secure any work done on computer (automated working papers).  Physically secure any PC or laptops you use.  Keep securely every document file archive you make for every audit. 5/29/2012 Report for 2010 30 |
  • 31. Understanding the Auditors Position • Working with lawyers – most communication between auditor and client is exempt from legal discovery hence a lawyer may not be needed. However, it is suggested that the client is consulted in case there is any need for communication with a lawyer. • Leadership – an auditor needs to have strong leadership qualities;  mark out when your directions are mandatory and when they are open to feedback and criticism  Develop specific requirements and share out the plans  Get your staff to believe in you 5/29/2012 Report for 2010 31 |
  • 32. Understanding the Auditors Position • Planning and setting priorities- a good auditor plans and sets priorities on what needs to be done.  Gaining an understanding of the customer’s business  Respecting business cycles (monthly, quarterly, seasonal, and annual)  Establishing priorities  Selecting an audit strategy based on risk and information known or observed  Finding the people for your audit team  Coordinating the logistics prior to the audit for resources, work space, and facilities 5/29/2012 Report for 2010 32 |
  • 33. Understanding the Auditors Position • Planning and setting priorities (continued)  Requesting documents (discovery requests)  Scheduling people’s time and availability  Arranging travel and accommodations  Planning for delays or nonperformance  Considering rescheduling if recent downtime or risks warrant it  Developing alternative strategies  Developing a briefing schedule 5/29/2012 Report for 2010 33 |
  • 34. Understanding the Auditors Position • Providing standard terms of reference- an auditor needs to be courteous and polite to clients . Develop standard terms of reference to cultivate respectful and honest interpretation. – Auditee claim/statement – Present – Not present – Planned – Tested (how) – Not tested (why) – Observed – Verified (how) – Not verified – New requirement 5/29/2012 Report for 2010 34 |
  • 35. Understanding the Auditors Position • Dealing with conflict/ failures – exercise common sense and quick responses. • Identifying the value of external vs. internal auditors - External auditors are paid to be independent reviewers for an organization. Internal auditors can add enormous value to an organization by providing ongoing efforts that help prepare the organization for an external audit. • Apply the evidence rule- A good auditor will use sufficient evidence to formulate their auditor’s opinion. No opinion can be formed when you lack evidence of acceptable quantity, relevance, and reliability. Your job is to be a professional skeptic and demand proof in the form of evidence you can verify. 5/29/2012 Report for 2010 35 |
  • 36. Understanding the Auditors Position • Identify who you need to interview- plan for whom you will interview, how long it will take and what exactly you will ask. You have to be very specific. There are three classes of people in IS audits (data owner (e.g. CFO, CEO) , data custodian 9database administrator, systems administrator), data user (internal user, client) • Understand the organizational structure and roles- e.g. through use of hierarchy charts 5/29/2012 Report for 2010 36 |
  • 37. Managing Projects • An audit exercise is essentially a project. An auditor must take a project management approach towards the audit. Some project management standards exist e.g.  Project Management Institute (PMI)  Prince2  Total Quality Management (TQM)  Six Sigma  ISO 9001  The PMI standard is by far the most comprehensive and most recommended standard for IS auditing. 5/29/2012 Report for 2010 37 |
  • 38. Managing Projects What is a Project ? • Three characteristics define a project  A project is temporary (start end times)  A project is unique- is meant to facilitate a particular outcome  A project is progressively elaborated. The project starts out with simple high-level ideas that are polished and becomes defined into more and more detail during planning What is Project Management? • A simple definition of project management is to balance competing demands. These demands are referred to as the triple constraint. We can define them as competing values of  Scope  Resources (cost, time)  Quality 5/29/2012 Report for 2010 38 |
  • 39. Managing Projects • The Project Management Framework • The Project Management Institute (PMI) defines the project management framework or PMBOK (Project Management Body Of Knowledge) • PMBOK offers five process groups: • The five process groups as defined by PMI are as follows: 1. Initiating 2. Planning 3. Executing 4. Monitoring and Controlling 5. Closing 5/29/2012 Report for 2010 39 |
  • 40. Managing Projects 1. Initiating- This process group begins the project or a phase of the project. Sets the scope and authorization of the project. 2. Planning - Planning is where the project scope, goals, and objectives are detailed. 3. Executing- The processes within this group are used to create the project deliverables. 4. Monitoring and Controlling - measures performance and control changes. Examples include review meetings, dealing with substitutions, and schedule changes. 5. Closing - When a phase or the project is completed, this process group will pay vendors and put the files in an archive to close out the project. 5/29/2012 Report for 2010 40 |
  • 41. Managing Projects Aspects of project management • Project Integration Management - Project Integration Management is the knowledge area containing processes that tie all of the other processes together • Project Scope Management - Project Scope Management contains processes that define the product created by the project and the work to be performed on the project. During this process, a structure is created that breaks each task into itemized details of work to be performed 5/29/2012 Report for 2010 41 |
  • 42. Managing Projects Aspects of project management • Project Time Management - Project Time Management contains processes that define and control the activities required to complete the project as well as resources for the project. In this knowledge area, the project manager defines the baseline schedule for the project. • Project Cost Management • Project Cost Management comprises three processes that define, specify, and control costs for the project. This knowledge area uses earned value technique to measure cost performance for the project. Earned value (EV) is the current value of work that has been performed in the project. 5/29/2012 Report for 2010 42 |
  • 43. Managing Projects Aspects of Project Management • Project Quality Management - The Project Quality Management knowledge area comprises three processes that define the level of quality applied to the project’s product and performance. Project team members audit the performance of their project. Next, the product created by the project is inspected for conformance to the design objectives. • Project Human Resource Management - Project Human Resource Management facilitates planning the organizational structure, job roles, specific responsibilities, and acquisition of staff for the project. This is the best technique to get the skilled people needed for your project. Use the work breakdown structure (WBS) from scope management planning to build a skills matrix. 5/29/2012 Report for 2010 43 |
  • 44. Managing Projects Aspects of Project Management • Project Communications Management - Project Communications Management defines the communications needs of the project stakeholders, and then facilitates and controls communications distribution during the life of the project. Audit projects need this level of planning to clarify what is discussed or reported to our stakeholders. • Project Risk Management - Project Risk Management comprises processes that define the risk methods to be used, define the risks of the project, analyze the risks, and document responses to identified risks. 5/29/2012 Report for 2010 44 |
  • 45. Managing Projects Aspects of Project Management • Project Procurement Management - Project Procurement Management defines the processes that are required to purchase resources. All projects need to procure people, equipment, and materials from outside the organization. 5/29/2012 Report for 2010 45 |
  • 46. Managing Projects Using Project Management Diagramming Techniques Gannt Charts • are used to schedule and sequence activities in a waterfall-type representation. Planned activities are shown flowing downward to completion. The figure shows both sequential and concurrent activities in a linear bar-chart-style presentation. Milestones will be identified and progress reported against planned activities. 5/29/2012 Report for 2010 46 |
  • 47. Managing Projects Using Project Management Diagramming Techniques PERT • Program Evaluation Review Technique (PERT) is used to illustrate the relationship between planned activities. PERT diagramming shows multiple routes through the project activities, as necessary for accomplishing the goal. • PERT has two major advantages. First is the ability to demonstrate a critical path. The second advantage is that PERT provides a quantitative measurement tool for risk analysis. It can help measure the risk of delays, failure, and likely completion. The most successful project managers use both Gantt and PERT—Gantt to display resource detail, and PERT to show the current and most up-to-date critical path. 5/29/2012 Report for 2010 47 |
  • 48. Summary (Quiz) What is the difference between a policy and a procedure? A. Compliance to a policy is discretionary, and compliance to a procedure is mandatory. B. A procedure provides discretionary advice to aid in decision making. The policy defines specific requirements to ensure compliance. C. A policy is a high-level document signed by a person of authority, and compliance is mandatory. A procedure defines the mandatory steps to attain compliance. D. A policy is a mid-level document issued to advise the reader of desired actions in the absence of a standard. The procedure describes suggested steps to use. 5/29/2012 Report for 2010 48 |
  • 49. Summary (Quiz) Which of the following in a business organization will be held liable by the government for failures of internal controls? A. President, vice presidents, and other true corporate officers B. Board of directors, president, vice presidents, department directors, and managers C. All members of management D. Board of directors, CEO, CFO, CIO, and department directors 5/29/2012 Report for 2010 49 |
  • 50. Summary (Quiz) What does fiduciary responsibility mean? A. To use information gained for personal interests without breaching confidentiality of the client. B. To act for the benefit of another person and place the responsibilities to be fair and honest ahead of your own interest. C. To follow the desires of the client and maintain total confidentiality even if illegal acts are discovered. The auditor shall never disclose information from an audit in order to protect the client. D. None of the above. 5/29/2012 Report for 2010 50 |
  • 51. Summary (Quiz) What are the different types of audits? A. Forensic, accounting, verification, regulatory B. Integrated, operational, compliance, administrative C. Financial, SAS-74, compliance, administrative D. Information systems, SAS-70, regulatory, procedural 5/29/2012 Report for 2010 51 |
  • 52. Summary (Quiz) What is the difference between the word should and shall when used in regulations? A. Shall represents discretionary requirements, and should provides advice to the reader. B. Should indicates mandatory actions, whereas shall provides advisory information recommending actions when appropriate C. Should and shall are comparable in meaning. The difference is based on the individual circumstances faced by the audit. D. Should indicates actions that are discretionary according to need, whereas shall means the action is mandatory regardless of financial impact 5/29/2012 Report for 2010 52 |
  • 53. Summary (Quiz) Which of the following is not defined as a nonaudit role? A. System designer B. Operational staff member C. Auditor D. Organizational manage 5/29/2012 Report for 2010 53 |
  • 54. Summary (Quiz) Why is it necessary to protect audit documentation and work papers? A. The evidence gathered in an audit must be disclosed for regulatory compliance. B. A paper trail is necessary to prove the auditor is right and the auditee is wrong. C. The auditor will have to prove illegal activity in a court of law. D. Audit documentation work papers may reveal confidential information that should not be lost or disclosed. 5/29/2012 Report for 2010 54 |
  • 55. Summary (Quiz) Which of the following is a network diagram that shows the critical path for a project? A. Program Evaluation Review Technique B. Gantt chart with activity sequencing C. Shortest Path Diagramming Technique D. Milestone reporting 5/29/2012 Report for 2010 55 |
  • 56. Summary (Quiz) What is the purpose of standard terms of reference? A. To meet the legal requirement of regulatory compliance B. To prove who is responsible C. To ensure honest and unbiased communication D. To ensure that requirements are clearly identified in a regulation 5/29/2012 Report for 2010 56 |
  • 57. Summary (Quiz) What does the term auditor independence relate to? A. It is not an issue for auditors working for a consulting company. B. It is required for an external audit. C. An internal auditor must undergo certification training to be independent. D. The audit committee bestows independence upon the auditor. 5/29/2012 Report for 2010 57 |
  • 58. Ole Sangale Road, Madaraka Estate. PO Box 59857-00200, Nairobi, Kenya Tel +254 (0)20 606155, 606268, 606380 Fax +254 (0)20 607498 Mobile +254 (0)722 25 428, (0)733 618 135 Email info@strathmore.edu www.strathmore.edu |