IS AUDIT PROCESS
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Information systems auditing is a process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.
Information Systems Auditing
ORGANISATION
◦ Safeguarding of Assets
◦ Data Integrity
◦ System Effectiveness
◦ System Efficiency
Safeguarding of assets: Assets should not be destroyed, stolen or used for unauthorized purposes. Data is the most important asset of any organization.
Data integrity: The completeness, soundness, purity, authenticity and genuineness of the data.
System efficiency: An efficient information system uses minimum resources to achieve its required objectives. Resources like machine time, peripherals, system software and labour are scarce, and different application systems usually compete for their use.
IS AUDIT PROCESS
Availability: Will the organisation's computer systems be available for the business at all times when required?
Confidentiality: Will the information in the systems be disclosed only to authorized users?
Integrity: Will the information provided by the system always be accurate, reliable and timely?
◦ IS Audit strategy
◦ Audit objective
◦ Audit environment
Audit Mission: The mission statement defines the primary purpose of the audit function and provides an overview of the focus, priorities, values and principles that will measure the audit decisions.
◦ The audit charter should clearly state management's responsibility.
◦ The audit charter is usually a part of internal audit, hence may include other audit functions.
◦ It should state the objectives of audit.
◦ The role of IS audit is established by the audit charter.
An IS auditor requires a clear mandate from the company to perform the IS audit. This mandate is called the AUDIT CHARTER or ENGAGEMENT LETTER.
The audit charter should be approved by the highest level of management and, once established, should not be altered except in exceptional circumstances.
The audit charter should clearly address three aspects, namely the responsibility, authority and accountability of the IS auditor, as under:
◦ Responsibility – This may include
  o Scope
  o Objectives
  o Specific auditee requirements
  o Deliverables
◦ Authority – This may include
  o Right of access to information, personnel, locations and systems relevant to the performance of audit
◦ Accountability – This may include
  o Designated recipients of the report
  o Auditee's right
  o Agreed completion dates
  o Agreed fees, if applicable
Purpose: Engagement letters are often used for individual assignments or for setting the scope and objectives of a relationship between the external IS auditor and an organisation.
Content: The engagement letter should clearly address the three aspects – responsibility, authority and accountability.
To perform audit planning, the IS auditor should perform the following steps:
◦ Gain understanding of business's mission, objectives, purposes and processes
◦ Touring key organizational facilities
◦ Studying applicable laws and regulations
◦ Conduct internal control review
◦ Reading background material including industry publications, annual reports etc.
◦ Reviewing long term strategic plans
◦ Interviewing key managers to understand business issues
◦ Reviewing prior audit reports
◦ Set audit scope and audit objectives
◦ Develop audit strategy
◦ Assign personnel resources to audit
Is used to determine the extent of compliance and/or substantive testing an auditor should undertake to fulfill the objectives of audit. Factors to consider include:
◦ Knowledge of business
◦ Degree of operational/internal controls available
Risk assessment model may use a scoring system based on
◦ Technical complexity
◦ Level of controls in place
◦ Level of financial loss
These factors may or may not be weighed to arrive at a measure of overall risks. Another way of risk assessment is judgmental, based upon management directives, historical perspectives, business goals and environment factors.
A typical overview of risk based audit approach is presented below
Gather information and plan
◦ Knowledge of business and industry
◦ Prior years' audit results
◦ Recent financial information
◦ Regulatory statutes
◦ Inherent risk assessment
Obtain understanding of internal controls
◦ Control environment
◦ Control procedures
◦ Detection risk assessment
◦ Control risk assessment
◦ Equate total risks
Perform Compliance Test
◦ Test policies and procedures
◦ Test segregation of duties
Perform Substantive Tests
◦ Analytical procedures
◦ Detailed test of account balances
◦ Other substantive audit
Conclude the Audit
◦ Create recommendations
◦ Write audit reports
Audit programs are based on the objective and scope of the assignment and become a guide for documenting
◦ Various audit steps to be performed
◦ Extent and type of evidential matters to be reviewed
Though not necessarily to be followed in a sequence, the IS auditor will be best advised to take a sequential approach in understanding the entity, evaluating control structure and testing the controls.
Risk that financial statements may contain material errors or material errors may remain undetected.
Sometimes audit risk may also refer to the risk that an auditor is prepared to accept.
Types of risks in an audit:
◦ Inherent risk – based on nature of business and is independent of audit
◦ Control risk – a risk that a material error may not be prevented or detected
◦ Detection risk – a risk that an IS auditor may use an inadequate test procedure and conclude that material errors do not exist when in fact they do.
◦ Overall risk – a combination of the risk factors as above. The objective is to keep overall risk within acceptable levels.
Materiality concept is applicable in case of financial audits.
In the context of IS audit, materiality may mean that a significant internal control weakness exists which leaves the organization susceptible to threat leading to financial loss, business interruptions, loss of customer trust etc.
Materiality always requires sound judgment from an auditor. For an IS auditor the task is still more difficult.
Information Systems Auditors ultimately are concerned with evaluating the reliability or operating effectiveness of controls.
After identifying the key controls, the auditor has to determine whether to test these controls through compliance or substantive testing.
Compliance testing determines whether the controls are functioning as intended.
Substantive testing refers to verifying the integrity of processing. It provides evidence as to the validity and propriety of balances in financial statements and the transactions supporting such statements.
There is a direct correlation between the level of internal control and the amount of substantive testing to be applied.
Information used to determine whether audit criteria or objective is met
May include
◦ Observations
◦ Notes taken during interviews
◦ Correspondence
◦ Internal documentation
◦ Result of test conducted by auditor
Reliability may depend on
◦ Independence of the provider of evidence
◦ Qualification/competence level of the person providing information
◦ Objectivity of evidence
Techniques of gathering evidence may include
◦ Review IS organization structure – key word here is adequate separation of duties
◦ Reviewing IS documentation standard – key word here is that documentation may be in automated form rather than on paper. Documentation may include
  o System development initiating document
  o Functional design specifications
  o Program change histories
  o User manual
  o Database specifications
  o Test plans and reports
  o Quality assurance reports
◦ Interviewing appropriate personnel – an interview form or checklist may be used. Also remember that interviews are not accusatory
◦ Observing process and performance – key here is to document as much detail as is possible. Also remember that your observations do not obstruct the ongoing business
Finally, a judgment call has to be made to determine which material is relevant for meeting the audit objective and to what extent reliance should be placed thereupon.
End product of the audit
The Audit Report format should be considered at the time of planning stage itself.
No fixed format but may include:
◦ Introduction including audit objectives, scope, period etc.
◦ Overall conclusion and opinion on the adequacy of controls in the areas covered as per scope of audit
◦ Any reservations or qualifications
◦ Detailed findings/recommendations depending upon materiality and intended recipient of the report
◦ Management responses including plan, if any, for implementation of the recommendations. (This may be included if required by terms of reference.)
It is a good practice to also give an executive summary, preferably in a visual presentation mode.
There cannot be a standard format. However the contents and format of the IS audit report should contain the minimum requirements as per the reporting standards. Some of the features of Audit report:
◦ Report, content and form
◦ Purpose and content
◦ Intended recipients
◦ Style and content
◦ Statement of objectives
◦ Scope of audit
◦ Restrictions on distribution
◦ Significant findings
◦ Conclusion
◦ Recommendations
◦ Reservations or qualifications
◦ Presentations
◦ Timeliness
◦ Subsequent events
◦ Follow up
IS audit documentation includes the audit plan, a description or diagram of network environment, audit programs, minutes of meetings, audit evidence, findings, conclusions and recommendations, any report issued as result of audit work and management responses.
Audit documentation should support the findings and conclusions/ opinions.
Also include questionnaires and understandable flow charts
Sometimes, terms of reference may require an auditor to submit a follow up action report. If so, the IS auditor must set up a follow up program to determine if the agreed corrective actions have been taken.
Follow up reporting may involve
◦ Inquiry as to the current status
◦ Certain audit steps to determine the extent and correctness of the implementation measures
Sampling is used when the entire population cannot be examined for reasons of cost, time or sheer volume.
A sample is a subset of the population. Sampling approaches are:
◦ Statistical – sample size and selection process are based on objective criteria. Each item in the population has an equal opportunity of being selected.
◦ Non-statistical – sample size and the selection process are based on judgment. This type of sampling is also called judgmental sampling.
Both are subject to the risk that conclusions may be wrong (sampling risk).
Methods of sampling are:
◦ Attribute sampling
◦ Variable sampling
Attribute sampling
◦ Is applied in compliance testing
◦ Deals with presence or absence of characteristics (attribute)
◦ Conclusions are expressed in terms of rates of occurrence
Variable sampling
◦ Is applied in substantive testing
◦ Deals with rupee value, weight etc. (variable characteristics)
◦ Conclusions are expressed in terms of range of value or deviation from an expected value
Important sampling terms include
◦ Confidence coefficient – a measure of confidence in the testing process, expressed as a percentage. Remember:
  o The stronger the internal control, the lower the confidence coefficient can be
  o The greater the confidence coefficient, the larger the sample size
◦ Level of risk – is equal to 100 minus confidence coefficient
◦ Expected error rate – applicable in attribute sampling only. Remember: the higher the expected error rate, the larger the sample size
◦ Tolerable error rate – acceptable upper limit of error. Used to set the precision amount in respect of compliance testing
Key steps in using sampling in audit include
◦ Determine the objectives of the test.
◦ Define the population to be sampled.
◦ Determine the sampling method, such as attribute versus variable sampling.
◦ Determine the precision and reliability desired.
◦ Calculate the sample size.
◦ Select the sample.
◦ Evaluate the sample from an audit perspective.
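The key steps above, worked through for an attribute sample in a compliance test; this is an added example, not part of the original slides. It assumes an expected error rate of zero when sizing the sample and an exact binomial upper limit when evaluating it; the change-ticket population and all function names are constructed for illustration.

```python
import math
import random

def level_of_risk(confidence_pct):
    # As defined above: level of risk = 100 minus confidence coefficient.
    return (100 - confidence_pct) / 100.0

def sample_size_zero_expected(confidence_pct, tolerable_rate):
    """Smallest n for which, if the true deviation rate were equal to the
    tolerable rate, a sample with no deviations would occur with probability
    no greater than the level of risk. Assumption: expected error rate is 0."""
    return math.ceil(math.log(level_of_risk(confidence_pct))
                     / math.log(1.0 - tolerable_rate))

def select_sample(population, n, seed):
    # Statistical selection: every item has an equal opportunity of being
    # picked. The seed is kept so the selection can be re-performed.
    return random.Random(seed).sample(population, n)

def binom_cdf(k, n, p):
    # P(at most k deviations in n items) when the true deviation rate is p.
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def upper_deviation_limit(deviations, n, confidence_pct):
    """Highest deviation rate still consistent with the sample at the chosen
    confidence coefficient (exact binomial bound, found by bisection)."""
    risk = level_of_risk(confidence_pct)
    lo, hi = deviations / n, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi

def evaluate(sample, has_attribute, confidence_pct, tolerable_rate):
    # The conclusion is expressed as a rate of occurrence and compared with
    # the tolerable error rate.
    n = len(sample)
    if n == 0:
        raise ValueError("empty sample")
    deviations = sum(1 for item in sample if not has_attribute(item))
    upper = upper_deviation_limit(deviations, n, confidence_pct)
    return {"n": n, "deviations": deviations, "rate": deviations / n,
            "upper_limit": upper, "control_reliable": upper <= tolerable_rate}

# Constructed population: 2000 program-change tickets; the attribute tested
# is "change was approved before release". Every 40th ticket lacks approval.
POPULATION = [{"ticket": i, "approved": i % 40 != 0} for i in range(1, 2001)]

if __name__ == "__main__":
    n = sample_size_zero_expected(confidence_pct=95, tolerable_rate=0.05)
    sample = select_sample(POPULATION, n, seed=2024)
    result = evaluate(sample, lambda t: t["approved"], 95, 0.05)
    print(n, result)
```

A single deviation in a sample sized for zero expected errors pushes the upper limit above the tolerable rate, which is why a higher expected error rate calls for a larger sample.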
Information Risk Management
An IS auditor should clearly understand the basic concept of risks, techniques of risk assessment and the relationship between risk and controls.
ISO defines risk as: “The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of loss/damage and to the estimated frequency of the threat”
Threats include:
◦ Power loss
◦ Communication failure
◦ Disgruntled employee
◦ Malicious code
◦ Natural disasters
◦ Abuse of access privileges by employees
Based on above, elements of risk are
◦ Threats to and vulnerabilities of assets
◦ Impact of threats and vulnerabilities
◦ Probability of occurrence of threats
IS audit is focused towards a particular class of risk, defined as the potential for loss of confidentiality, availability or integrity of information.
Process of identifying vulnerabilities and threats to an organization's resources and deciding on countermeasures to reduce the risk to an acceptable level based on the value of the information resource to the organization.
Step 1
◦ Identify and classify the information resources or assets which need protection. Examples of assets associated with IT include:
  o Information and data
  o Hardware
  o Software
  o Services
  o Documents
  o Personnel
Step 2
◦ Assess vulnerabilities, which are characteristics of information resources that can be exploited by a threat to cause harm. Examples of vulnerabilities are:
  o Lack of user knowledge
  o Lack of security functionality
  o Poor choice of passwords
  o Untested technology
  o Transmission over unprotected communications
Step 3
◦ Assess threats, which are events with potential to cause harm such as destruction, disclosure, modification, denial of service etc. Common classes of threats are:
  o Errors
  o Malicious damage or attack
  o Fraud
  o Theft
  o Equipment/software failures
Step 4
◦ Assess impact if threats were to materialize. Impact is usually in terms of financial loss both in short/long term. Examples of losses are:
  o Loss of money
  o Breach of legislation
  o Loss of reputation or goodwill
  o Endangering of staff or customers
  o Breach of confidence
  o Loss of business opportunity
  o Reduction in operational efficiency or performance
  o Interruption of business activity
Step 5
◦ Assess probability of occurrence and form an overall view of risk. The risk is = (Value of loss x Probability of occurrence)
Step 6
◦ Evaluate existing controls and identify the risks which are inadequately controlled
Step 7
◦ Prioritize all the identified risks requiring protection, design effective and efficient countermeasures and select appropriate countermeasures keeping in view:
  o The cost of control compared to the benefit of minimizing risk
  o Management appetite for risk
  o Preferred risk reduction method
    - Terminate the risk
    - Minimize probability of occurrence
    - Minimize impact
    - Transfer (Insurance)
Some organizations may start the process with identification of threats rather than assets. This is just a matter of choice without any significance.
Risk remaining after the controls have been applied is called residual risk. The management could decide to work further on countermeasures to mitigate the risks, or take them as an unavoidable component of doing business, thus laying down an acceptable level of risk.
The acceptable level of risk so defined should be used to determine the areas which might be subjected to an excessive level of controls and where cost savings can be achieved by removing the excessive element of controls.
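Steps 5 to 7 and the residual-risk check, as an added example that is not part of the original slides: a small risk register scored with risk = value of loss x probability of occurrence, ranked, and treated only where the benefit of a countermeasure exceeds its cost. All assets, rupee figures, probabilities and names are constructed, and modelling a countermeasure as a multiplier on probability or impact is an assumption of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    probability_factor: float = 1.0  # < 1.0 minimises probability of occurrence
    impact_factor: float = 1.0       # < 1.0 minimises impact or transfers it (insurance)

@dataclass
class Risk:
    asset: str                       # Step 1
    vulnerability: str               # Step 2
    threat: str                      # Step 3
    value_of_loss: float             # Step 4, in rupees (constructed)
    probability: float               # Step 5, chance of occurrence per year
    options: list = field(default_factory=list)

    def exposure(self):
        # Step 5: risk = value of loss x probability of occurrence
        return self.value_of_loss * self.probability

    def residual(self, cm):
        # Risk remaining after the countermeasure has been applied.
        return (self.value_of_loss * cm.impact_factor) * (self.probability * cm.probability_factor)

def treat(risk, acceptable_level):
    exposure = risk.exposure()
    row = {"asset": risk.asset, "exposure": exposure,
           "countermeasure": None, "residual": exposure}
    if exposure <= acceptable_level:
        row["decision"] = "accept"   # already within management's appetite
        return row
    # Step 7: compare the cost of each control with the risk it removes.
    best, best_net = None, 0.0
    for cm in risk.options:
        net_benefit = (exposure - risk.residual(cm)) - cm.annual_cost
        if net_benefit > best_net:
            best, best_net = cm, net_benefit
    if best is None:
        row["decision"] = "escalate"  # no cost-justified control: management decides
        return row
    row.update(decision="mitigate", countermeasure=best.name,
               residual=risk.residual(best))
    return row

def prioritise(register, acceptable_level):
    # Highest exposure first, then decide the treatment for each risk.
    ranked = sorted(register, key=lambda r: r.exposure(), reverse=True)
    return [treat(r, acceptable_level) for r in ranked]

ACCEPTABLE_LEVEL = 200_000  # constructed risk appetite, rupees per year

REGISTER = [  # constructed register
    Risk("Intranet wiki", "Lack of user knowledge", "Malicious code", 300_000, 0.20),
    Risk("Customer data", "Poor choice of passwords",
         "Abuse of access privileges by employees", 5_000_000, 0.10,
         [Countermeasure("Password policy and access review", 60_000, probability_factor=0.3),
          Countermeasure("Insurance", 200_000, impact_factor=0.2)]),
    Risk("Payroll application", "Untested technology",
         "Equipment/software failures", 1_000_000, 0.25,
         [Countermeasure("Hot standby site", 400_000, impact_factor=0.1)]),
    Risk("Billing server", "No backup power", "Power loss", 800_000, 0.50,
         [Countermeasure("UPS and generator", 50_000, probability_factor=0.1)]),
]

if __name__ == "__main__":
    for row in prioritise(REGISTER, ACCEPTABLE_LEVEL):
        print(row)
```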
Risk assessment techniques:
o Scoring system – useful in prioritizing audits based on evaluation of risk factors, considering various variables such as technical complexity, level of control procedures and level of financial loss
o Judgemental – Decision is made based on business knowledge, executive management directives, historical perspectives, business goals and environmental factors.
Control is defined as: “the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesirable events will be prevented or detected and corrected”
The strength of a control is measured by its inherent or design strength and the likelihood of its effectiveness. The elements to be considered while evaluating control strengths include whether controls are:
An IT control objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
IT control objectives aim to ensure confidentiality, integrity and availability of information resources. COBIT and IT Governance Institute provide an excellent framework for setting IT control objectives.
Examples of IT control objectives include:
◦ Information is secured from improper access.
◦ Each transaction is authorized and recorded only once.
◦ All exceptions are duly recorded, investigated and followed through.
◦ Files are adequately backed up to allow for proper recovery.
◦ Changes to software are tested and approved.
Controls are generally classified under three categories as under
◦ Preventive
◦ Detective
◦ Corrective
Preventive
Function
◦ Prevent an error, omission or malicious act from occurring
◦ Predict potential problems before they occur and make adjustments
◦ Detect problems before they arise
Examples
◦ Employ qualified personnel
◦ Segregate duties
◦ Control physical access
◦ Use well designed documents
◦ Have authorization procedure
◦ Complete programmed edit checks
◦ Use logical access controls
Detective
Function
◦ Detect that an error, omission or malicious act has occurred and report the occurrence
Examples
◦ Hash totals
◦ Check points
◦ Echo controls
◦ Error messages
◦ Duplicate (re-verification) of calculations
◦ Variance reporting
◦ Internal audit
Corrective
Function
◦ Minimize the impact of a threat
◦ Remedy problems discovered by detective tests
◦ Correct errors arising from a problem
◦ Modify systems to minimize future occurrences of the problem
Examples
◦ Contingency planning
◦ Backup procedures
◦ Re-run procedures
IS Audit Techniques & CAATs
AAS 29 – Auditing in CIS Environment, issued by ICAI, states that:
“The overall objective and scope of the Audit does not change in a CIS environment. However, the use of a computer changes the processing, storage, retrieval and communication of Financial Information and may affect the accounting and internal control systems employed by the entity”
CAATs are important tools for the IS auditor in gathering information from these environments. When systems have different hardware and software environments, different data structure, record formats or processing functions, it is almost impossible for auditors to collect evidence without a software tool to collect and analyze the records. CAATs also enable IS auditors in performing audits to gather information independently.
The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control system.
The auditor's evaluation of inherent risk, through which the auditor assesses the audit risk.
The auditor's design and performance of tests of control and substantive procedures appropriate to meet the audit objective.
AAS 29 specifically requires the auditor to consider the effect of the CIS environment on the audit:
1. Extent to which the CIS environment is used in control
2. System of Internal Control
3. Audit trail
The auditor should have sufficient knowledge of CIS to plan, direct, supervise, control and review the work performed.
Specialised skills may be needed to
1. Obtain sufficient understanding of the effect of the CIS environment on the accounting and internal control system.
2. Determine the effect of the CIS environment on the assessment of overall audit risk.
3. Design and perform appropriate tests of control and substantive procedures.
The IT environment contains business risks. These risks could result from a lack of various controls, including:
1. Lack of an IS Security Policy framework, procedures and controls.
2. Approach for control over IT and related resources.
3. Risks of outsourcing of IT processes.
4. Physical and environmental security of IT equipment and related assets.
5. Poor controls over communication and network technology and infrastructure.
6. Poor controls over system parameter settings and critical system files.
7. Risks from viruses, hackers and malicious code.
8. Poor controls over SDLC.
9. Poor Business Continuity Planning.
Auditing Around the Computer – Black Box Approach
The concept of ignoring what is happening inside the computer and conducting the audit using the inputs and outputs, as in manual audits.
Auditing Through the Computer – White Box Approach
Considering the audit trail and auditing the process followed by the computer system.
Software intended to facilitate or expedite the auditing process
Examples of CAATs include
◦ Generalized audit software
◦ Test data generators
◦ Expert systems
◦ Standard utilities
◦ Software library packages
◦ Integrated test facilities
◦ Snapshot
◦ Specialized audit software
GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. Examples: ACL & IDEA.
Functions supported by GAS:
◦ File access – reading from different formats
◦ File reorganization – indexing, sorting, merging
◦ Data selection
◦ Statistical functions – sampling
◦ Arithmetical functions
It is written for special audit purposes or targeting specialized IT environments.
For example: testing for NPAs, testing for UNIX controls, testing for overnight deals in Forex application software etc.
This software may be developed by auditors. The auditor should take care to get an assurance on the integrity and security of software developed by the client.
Utility software or utilities, though not developed or sold specifically for audit are often extremely useful and handy for conducting audits.
Remember
◦ Seek read-only access to production data while using CAATs
Advantages of using CAATs are
◦ Reduce the level of audit risk
◦ Greater independence from the auditee
◦ Broader and more consistent audit coverage
◦ Faster availability of information
◦ Improved exception identification
◦ Greater flexibility of run times
◦ Greater opportunity to quantify internal control weakness
◦ Enhanced sampling
◦ Cost saving over time
Important factors while considering usage of CAATs may include
◦ Ease of use
◦ Installation requirement
◦ Availability of source data
Important documentation to be retained for own developed CAATs may include
◦ Online reports detailing high-risk issues for review
◦ Flowchart
◦ Record and file layouts
◦ Field definitions
◦ Operating instructions
◦ Sample reports
IS Audit Regulations and Standards
◦ AAS 29 / SA 401 – by ICAI on Auditing in Computer Information Systems Environment
◦ IS Audit standards issued by ISACA
◦ COBIT – Control Objectives for Information and related Technology
◦ BS7799
◦ SAS 70
◦ SysTrust
◦ ITIL
◦ ISO 9000
◦ SEI – CMM
◦ IT ACT 2000
◦ UNCITRAL Model Law on electronic commerce
◦ SOX
◦ BASEL II
By: CA. Shweta Ajmera, M.Com, CA, DISA (ICAI)
[email protected]
You can join me at:
LinkedIn & Twitter: Shweta Ajmera
FB: shweta.ajmera.3