IS AUDIT PROCESS CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)

Upload: nickolas-atkinson

Post on 12-Jan-2016


Page 1: IS AUDIT PROCESS CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)

IS AUDIT PROCESS

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)


Information systems auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.


Diagram: Information Systems Auditing serves the organisation through four objectives: Safeguarding of Assets, Data Integrity, System Effectiveness, System Efficiency.


Safeguarding of assets: an asset should not be destroyed, stolen or used for unauthorized purposes.

Data is the most important asset of any organization.


Data integrity: the completeness, soundness, purity, authenticity and genuineness of the data.


System efficiency: an efficient information system uses the minimum resources to achieve its required objectives.

Resources such as machine time, peripherals, system software and labour are scarce, and different application systems usually compete for them.

IS AUDIT PROCESS

Availability: Will the organisation's computer systems be available to the business at all times when required?

Confidentiality: Will the information in the systems be disclosed only to authorized users?

Integrity: Will the information provided by the system always be accurate, reliable and timely?


Diagram: IS audit strategy; audit objective; audit environment.


Audit mission: the mission statement defines the primary purpose of the audit function and provides an overview of the focus, priorities, values and principles against which audit decisions will be measured.


The role of IS audit is established by the audit charter.
◦ The audit charter should clearly state management's responsibility
◦ It is usually part of the internal audit charter and hence may cover other audit functions as well
◦ It should state the objectives of the audit


An IS auditor requires a clear mandate from the company to perform the IS audit. This mandate is called the AUDIT CHARTER or ENGAGEMENT LETTER.

The audit charter should be approved by the highest level of management and, once established, should not be altered except in exceptional circumstances.

The audit charter should clearly address three aspects, the responsibility, authority and accountability of the IS auditor, as under:


◦ Responsibility – this may include:
  Scope
  Objectives
  Specific auditee requirements
  Deliverables

◦ Authority – this may include:
  Right of access to information, personnel, locations and systems relevant to the performance of the audit


◦ Accountability – this may include:
  Designated recipients of the report
  Auditee's rights
  Agreed completion dates
  Agreed fees, if applicable


Purpose: engagement letters are often used for individual assignments, or for setting the scope and objectives of the relationship between an external IS auditor and an organisation.

Content: the engagement letter should clearly address the same three aspects, responsibility, authority and accountability.


To plan the audit, the IS auditor should perform the following steps:
◦ Gain an understanding of the business's mission, objectives, purposes and processes
◦ Tour key organizational facilities
◦ Study applicable laws and regulations
◦ Conduct an internal control review
◦ Read background material, including industry publications, annual reports etc.
◦ Review long-term strategic plans
◦ Interview key managers to understand business issues
◦ Review prior audit reports
◦ Set the audit scope and audit objectives
◦ Develop the audit strategy
◦ Assign personnel resources to the audit


Risk assessment is used to determine the extent of compliance and/or substantive testing an auditor should undertake to fulfil the objectives of the audit. Factors to consider include:
◦ Knowledge of the business
◦ Degree of operational/internal controls available

A risk assessment model may use a scoring system based on:
◦ Technical complexity
◦ Level of controls in place
◦ Level of financial loss


These factors may or may not be weighted to arrive at a measure of overall risk. Another approach to risk assessment is judgmental, based on management directives, historical perspective, business goals and environmental factors.

A typical overview of the risk-based audit approach is presented below.

Gather information and plan:
◦ Knowledge of business and industry
◦ Prior years' audit results
◦ Recent financial information
◦ Regulatory statutes
◦ Inherent risk assessment

Obtain understanding of internal controls:
◦ Control environment
◦ Control procedures
◦ Detection risk assessment
◦ Control risk assessment
◦ Equate total risks

Perform compliance tests:
◦ Test policies and procedures
◦ Test segregation of duties

Perform substantive tests:
◦ Analytical procedures
◦ Detailed tests of account balances
◦ Other substantive audit procedures

Conclude the audit:
◦ Create recommendations
◦ Write audit reports


Audit programs are based on the objective and scope of the assignment and become the guide for documenting:
◦ the various audit steps to be performed
◦ the extent and type of evidential matter to be reviewed

Though the steps need not be followed in sequence, the IS auditor is best advised to take a sequential approach: understand the entity, evaluate the control structure, then test the controls.


Audit risk is the risk that the financial statements may contain material errors, or that material errors may remain undetected.

Sometimes audit risk also refers to the level of risk that an auditor is prepared to accept.

Types of risk in an audit:
◦ Inherent risk – arises from the nature of the business and is independent of the audit
◦ Control risk – the risk that a material error may not be prevented or detected by the internal controls


◦ Detection risk – the risk that an IS auditor uses inadequate test procedures and concludes that material errors do not exist when in fact they do

◦ Overall risk – a combination of the risk factors above. The objective is to keep overall risk within acceptable levels.

The materiality concept applies to financial audits.

In the context of an IS audit, materiality may mean that a significant internal control weakness exists which leaves the organization susceptible to a threat leading to financial loss, business interruption, loss of customer trust etc.

Materiality always requires sound judgment from the auditor; for an IS auditor the task is more difficult still.


Information systems auditors are ultimately concerned with evaluating the reliability or operating effectiveness of controls.


After identifying the key controls, the auditor has to determine whether to test them through compliance or substantive testing.

Compliance testing determines whether the controls are functioning as intended.

Substantive testing verifies the integrity of processing. It provides evidence as to the validity and propriety of the balances in the financial statements and of the transactions supporting those statements.

The level of internal control directly determines the amount of substantive testing to be applied: where compliance testing shows the controls to be strong, substantive testing can be reduced; where controls are weak or absent, substantive testing must be extended.


Audit evidence is information used to determine whether the audit criteria or objectives are met.

It may include:
◦ Observations
◦ Notes taken during interviews
◦ Correspondence
◦ Internal documentation
◦ Results of tests conducted by the auditor

Its reliability may depend on:
◦ Independence of the provider of the evidence
◦ Qualification/competence level of the person providing the information
◦ Objectivity of the evidence

Techniques for gathering evidence may include:
◦ Reviewing the IS organization structure – the key point here is adequate separation of duties
◦ Reviewing IS documentation standards – note that documentation may be in automated form rather than on paper. Documentation may include:
  System development initiating document
  Functional design specifications
  Program change histories
  User manuals
  Database specifications
  Test plans and reports
  Quality assurance reports
◦ Interviewing appropriate personnel – an interview form or checklist may be used. Also remember that interviews are not accusatory
◦ Observing processes and performance – the key here is to document in as much detail as possible. Also remember that your observations must not obstruct the ongoing business

Finally, a judgment call has to be made to determine which material is relevant for meeting the audit objective and to what extent reliance should be placed upon it.


The audit report is the end product of the audit. Its format should be considered at the planning stage itself. There is no fixed format, but it may include:
◦ Introduction, including audit objectives, scope, period etc.
◦ Overall conclusion and opinion on the adequacy of controls in the areas covered by the scope of the audit
◦ Any reservations or qualifications
◦ Detailed findings/recommendations, depending on materiality and the intended recipient of the report
◦ Management responses, including any plan for implementing the recommendations (included if required by the terms of reference)

It is good practice to also give an executive summary, preferably in a visual presentation mode.


There cannot be a standard format. However, the contents and format of the IS audit report should meet the minimum requirements of the reporting standards. Features of an audit report include:
◦ Report content and form
◦ Purpose and content
◦ Intended recipients
◦ Style and content
◦ Statement of objectives
◦ Scope of the audit
◦ Restrictions on distribution
◦ Significant findings
◦ Conclusion
◦ Recommendations
◦ Reservations or qualifications
◦ Presentation
◦ Timeliness
◦ Subsequent events
◦ Follow-up


IS audit documentation includes the audit plan, a description or diagram of the network environment, audit programs, minutes of meetings, audit evidence, findings, conclusions and recommendations, any report issued as a result of the audit work, and management responses.

Audit documentation should support the findings and the conclusions/opinions.

It should also include questionnaires and understandable flow charts.


Sometimes the terms of reference require the auditor to submit a follow-up action report. If so, the IS auditor must set up a follow-up program to determine whether the agreed corrective actions have been taken.

Follow-up reporting may involve:
◦ Inquiry as to the current status
◦ Specific audit steps to determine the extent and correctness of the implemented measures


Sampling is used when the entire population cannot be examined for reasons of cost, time or sheer volume.

A sample is a subset of the population. Sampling approaches are:

◦ Statistical – sample size and the selection process are based on objective criteria; each item in the population has an equal opportunity of being selected

◦ Non-statistical – sample size and the selection process are based on judgment; this type of sampling is also called judgmental sampling


Both are subject to the risk that the conclusions may be wrong (sampling risk).

Methods of sampling are:
◦ Attribute sampling
◦ Variable sampling

Attribute sampling:
◦ is applied in compliance testing
◦ deals with the presence or absence of a characteristic (attribute)
◦ conclusions are expressed in terms of rates of occurrence


Variable sampling:
◦ is applied in substantive testing
◦ deals with rupee value, weight etc. (variable characteristics)
◦ conclusions are expressed in terms of a range of values or a deviation from an expected value


Important sampling terms include:
◦ Confidence coefficient – a measure of confidence in the testing process, expressed as a percentage. Remember: the stronger the internal control, the lower the confidence coefficient can be; the greater the confidence coefficient, the larger the sample size
◦ Level of risk – equal to 100 minus the confidence coefficient


◦ Expected error rate – applicable in attribute sampling only. Remember: the higher the expected error rate, the larger the sample size
◦ Tolerable error rate – the acceptable upper limit of error; used to set the precision amount in compliance testing


Key steps in using sampling in an audit:
◦ Determine the objectives of the test
◦ Define the population to be sampled
◦ Determine the sampling method, such as attribute versus variable sampling
◦ Determine the precision and reliability desired
◦ Calculate the sample size
◦ Select the sample
◦ Evaluate the sample from an audit perspective
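The sampling terms and steps above, worked as code. This is an added example and not part of the original presentation: it calculates an attribute-sampling sample size from the confidence coefficient, expected error rate and tolerable error rate, evaluates a sample by computing the achieved upper deviation limit, and selects a statistical sample with a recorded seed. The exact binomial search is one standard way of doing this (it is what the published attribute-sampling tables are built on); the function names and the parameter values in the usage section are the example's own assumptions.

```python
"""Attribute sampling for compliance testing: sample size, evaluation, selection."""
import math
import random


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): the chance of finding at most k
    deviations in a sample of n when the population deviation rate is p."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, expected_rate: float,
                          tolerable_rate: float, max_n: int = 5000) -> int:
    """Smallest n such that, if the true deviation rate were the tolerable
    rate, the chance of seeing no more than the expected number of deviations
    is at most the sampling risk (level of risk = 100 - confidence coefficient).
    """
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("need 0 <= expected rate < tolerable rate < 1")
    risk = 1 - confidence
    for n in range(1, max_n + 1):
        expected_deviations = math.floor(n * expected_rate + 0.5)  # nearest whole item
        if binomial_cdf(expected_deviations, n, tolerable_rate) <= risk:
            return n
    raise ValueError("sample size exceeds max_n; widen the precision")


def upper_deviation_limit(n: int, observed: int, confidence: float) -> float:
    """Evaluation: the highest population deviation rate still consistent with
    `observed` deviations in n items at the given confidence. Reliance on the
    control is only supported if this limit is within the tolerable rate."""
    risk = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection: binomial_cdf falls as the rate rises
        mid = (lo + hi) / 2
        if binomial_cdf(observed, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi


def select_sample(population_ids, n: int, seed: int) -> list:
    """Statistical selection: every item has the same chance of being chosen.
    The seed goes into the working papers so the selection can be reproduced;
    it is a reproducibility seed, not a security secret."""
    return sorted(random.Random(seed).sample(list(population_ids), n))


if __name__ == "__main__":
    # Illustrative parameters: 95% confidence, 1% expected, 5% tolerable rate
    n = attribute_sample_size(0.95, 0.01, 0.05)
    print("sample size:", n)
    print("upper limit with 1 deviation: %.3f" % upper_deviation_limit(n, 1, 0.95))
    print("items to test:", select_sample(range(1, 2001), n, seed=20160112)[:5], "...")
```

With 95% confidence (5% risk), 0% expected and 5% tolerable error rate the search returns 59 items; raising the expected rate to 1% raises it to 93, which is the "higher expected error rate, larger sample" rule in numbers, and dropping the confidence to 90% lowers it to 45. Treat the upper deviation limit, not the observed rate, as the conclusion: 0 deviations in 59 items supports a population deviation rate of at most about 5%, not 0%.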

Information Risk Management

An IS auditor should clearly understand the basic concept of risk, the techniques of risk assessment and the relationship between risk and controls.

ISO defines risk as: "The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat."


Threats include:
◦ Power loss
◦ Communication failure
◦ Disgruntled employee
◦ Malicious code
◦ Natural disasters
◦ Abuse of access privileges by employees


Based on the above, the elements of risk are:
◦ Threats to and vulnerabilities of assets
◦ Impact of threats and vulnerabilities
◦ Probability of occurrence of threats

IS audit is focused on a particular class of risk, defined as the potential for loss of confidentiality, availability or integrity of information.


Risk management is the process of identifying vulnerabilities and threats to an organization's resources and deciding on countermeasures to reduce the risk to an acceptable level, based on the value of the information resource to the organization.

Step 1
◦ Identify and classify the information resources or assets which need protection. Examples of assets associated with IT include:
  Information and data
  Hardware
  Software
  Services
  Documents
  Personnel

Step 2
◦ Assess vulnerabilities, which are characteristics of information resources that can be exploited by a threat to cause harm. Examples of vulnerabilities are:
  Lack of user knowledge
  Lack of security functionality
  Poor choice of passwords
  Untested technology
  Transmission over unprotected communications

Step 3
◦ Assess threats, which are events with the potential to cause harm such as destruction, disclosure, modification, denial of service etc. Common classes of threats are:
  Errors
  Malicious damage or attack
  Fraud
  Theft
  Equipment/software failures

Step 4
◦ Assess the impact if the threats were to materialize. Impact is usually expressed as financial loss, both short and long term. Examples of losses are:
  Loss of money
  Breach of legislation
  Loss of reputation or goodwill
  Endangering of staff or customers
  Breach of confidence
  Loss of business opportunity
  Reduction in operational efficiency or performance
  Interruption of business activity

Step 5
◦ Assess the probability of occurrence and form an overall view of the risk:
  Risk = Value of loss × Probability of occurrence

Step 6
◦ Evaluate the existing controls and identify the risks which are inadequately controlled

Step 7
◦ Prioritize all the identified risks requiring protection, design effective and efficient countermeasures and select the appropriate ones, keeping in view:
  o The cost of the control compared to the benefit of minimizing the risk
  o Management's appetite for risk


Preferred risk reduction methods:
- Terminate the risk
- Minimize the probability of occurrence
- Minimize the impact
- Transfer the risk (insurance)

Some organizations may start the process with the identification of threats rather than assets. This is a matter of choice and of no significance to the outcome.


The risk remaining after controls have been applied is called residual risk. Management may decide to work further on countermeasures to mitigate it, or to accept it as an unavoidable component of doing business, thereby laying down an acceptable level of risk.

The acceptable level of risk so defined should also be used to identify areas that are subject to an excessive level of control, where cost savings can be achieved by removing the excess controls.


Risk assessment techniques:
o Scoring system – useful in prioritizing audits based on an evaluation of risk factors, considering variables such as technical complexity, level of control procedures and level of financial loss
o Judgmental – the decision is made on the basis of business knowledge, executive management directives, historical perspective, business goals and environmental factors
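The risk register of steps 5 to 7, the residual-risk and acceptable-level reasoning, and the scoring system above, worked together as code. This is an added example and not from the presentation: the register entries, the acceptable level and the factor weights are constructed illustrative figures (the page only says factors may or may not be weighted), and the function names are the example's own.

```python
"""Risk = value of loss x probability; residual risk after controls; a weighted
scoring system for prioritising audit areas. All figures are constructed."""
from dataclasses import dataclass


@dataclass
class Risk:
    """One line of a constructed risk register."""
    area: str
    value_of_loss: float          # business value lost if the threat materialises
    probability: float            # estimated annual probability of occurrence (0-1)
    control_effectiveness: float  # share of the exposure removed by existing controls (0-1)

    def inherent_exposure(self) -> float:
        """Step 5: risk = value of loss x probability of occurrence."""
        return self.value_of_loss * self.probability

    def residual_exposure(self) -> float:
        """Risk remaining after the existing controls have been applied."""
        return self.inherent_exposure() * (1 - self.control_effectiveness)


def risks_above_acceptable(register, acceptable_level):
    """Steps 6-7: residual risks still above the acceptable level, largest first;
    these are the ones that need further countermeasures."""
    above = [r for r in register if r.residual_exposure() > acceptable_level]
    above.sort(key=Risk.residual_exposure, reverse=True)
    return [(r.area, round(r.residual_exposure(), 2)) for r in above]


def over_controlled(register, acceptable_level):
    """Areas whose inherent exposure is already within the acceptable level yet
    carry controls: candidates for removing the excess and saving cost."""
    return [r.area for r in register
            if r.control_effectiveness > 0 and r.inherent_exposure() <= acceptable_level]


# Scoring system: each factor is rated 1 (low) to 5 (high). The weights are an
# assumption of this example; an unweighted model would use 1/3 each.
WEIGHTS = {"technical_complexity": 0.3, "control_weakness": 0.4, "financial_loss": 0.3}


def audit_priority_score(ratings: dict, weights: dict = WEIGHTS) -> float:
    """Weighted score of one audit area; higher means audit it sooner."""
    if set(ratings) != set(weights):
        raise ValueError("ratings must cover exactly the weighted factors")
    if any(not 1 <= v <= 5 for v in ratings.values()):
        raise ValueError("ratings are on a 1-5 scale")
    return sum(weights[k] * ratings[k] for k in weights)


def rank_audit_areas(area_ratings: dict) -> list:
    """Highest score first: the audit plan starts with these areas."""
    scored = [(area, audit_priority_score(r)) for area, r in area_ratings.items()]
    return sorted(scored, key=lambda s: s[1], reverse=True)


# Constructed register (values in rupees, probabilities per year)
REGISTER = [
    Risk("Core banking: unauthorised access", 5_000_000, 0.02, 0.8),
    Risk("E-mail: power loss", 50_000, 0.30, 0.5),
    Risk("Payroll: duplicate payment", 200_000, 0.10, 0.9),
    Risk("Intranet wiki: defacement", 5_000, 0.20, 0.9),
]
ACCEPTABLE_LEVEL = 10_000   # constructed: management's accepted exposure per risk


if __name__ == "__main__":
    print("needs treatment:", risks_above_acceptable(REGISTER, ACCEPTABLE_LEVEL))
    print("over-controlled:", over_controlled(REGISTER, ACCEPTABLE_LEVEL))
    print(rank_audit_areas({
        "ERP":      {"technical_complexity": 5, "control_weakness": 4, "financial_loss": 3},
        "Intranet": {"technical_complexity": 1, "control_weakness": 2, "financial_loss": 1},
    }))
```

On the constructed register only the core-banking line (inherent exposure 1,00,000, residual 20,000 after 80% effective controls) stays above the acceptable level, while the intranet wiki (inherent exposure 1,000) is controlled well beyond what its exposure justifies, which is the cost-saving case the residual-risk slide describes. The scoring function is the "scoring system" technique; the judgmental technique has no formula and is deliberately not modelled.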


Control is defined as: "the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesirable events will be prevented or detected and corrected".

The strength of a control is measured by its inherent or design strength and the likelihood of its effectiveness. The elements to be considered while evaluating control strength include whether the controls are:


An IT control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

IT control objectives aim to ensure the confidentiality, integrity and availability of information resources. COBIT, from ISACA and the IT Governance Institute, provides an excellent framework for setting IT control objectives.

Examples of IT control objectives include:
◦ Information is secured from improper access
◦ Each transaction is authorized and recorded only once
◦ All exceptions are duly recorded, investigated and followed through
◦ Files are adequately backed up to allow for proper recovery
◦ Changes to software are tested and approved


Controls are generally classified under three categories:
◦ Preventive
◦ Detective
◦ Corrective

Preventive controls
Function:
◦ Prevent an error, omission or malicious act from occurring
◦ Predict potential problems before they occur and make adjustments
◦ Detect problems before they arise
Examples:
◦ Employ qualified personnel
◦ Segregate duties
◦ Control physical access
◦ Use well designed documents
◦ Have authorization procedures
◦ Complete programmed edit checks
◦ Use logical access controls

Detective controls
Function:
◦ Detect that an error, omission or malicious act has occurred and report the occurrence
Examples:
◦ Hash totals
◦ Check points
◦ Echo controls
◦ Error messages
◦ Duplicate (re-verification) of calculations
◦ Variance reporting
◦ Internal audit

Corrective controls
Function:
◦ Minimize the impact of a threat
◦ Remedy problems discovered by detective tests
◦ Correct errors arising from a problem
◦ Modify systems to minimize future occurrences of the problem
Examples:
◦ Contingency planning
◦ Backup procedures
◦ Re-run procedures
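Two of the examples in the tables above as working code: programmed edit checks (preventive) and batch control totals including a hash total (detective), applied to a batch of payment records. This is an added example and not from the presentation; the record layout, the 11-digit account-number rule and the authorisation limit are constructed assumptions. The keyed digest at the end goes beyond the slide's hash total to show what an arithmetic hash total cannot detect.

```python
"""Preventive edit checks and detective batch control totals over a payment batch."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: str
    account: int      # beneficiary account number; 11 digits is a hypothetical rule
    amount: int       # amount in paise; integers avoid floating-point drift in totals


AUTH_LIMIT = 50_000_000   # Rs 5,00,000.00 single-payment limit (constructed figure)


def edit_check(p: Payment) -> list[str]:
    """Preventive control: programmed edit checks that reject a record before it
    enters processing. Returns the list of failed checks (empty means accepted)."""
    errors = []
    if not (p.ref.startswith("PAY") and p.ref[3:].isdigit()):
        errors.append("reference format")
    if not 10_000_000_000 <= p.account <= 99_999_999_999:
        errors.append("account number must have 11 digits")
    if p.amount <= 0:
        errors.append("amount must be positive")
    elif p.amount > AUTH_LIMIT:
        errors.append("amount exceeds authorisation limit")
    return errors


def batch_totals(batch) -> dict[str, int]:
    """Control totals taken at data capture: record count, financial total, and a
    hash total (arithmetic sum of a non-financial field, here the account number)."""
    return {
        "count": len(batch),
        "amount": sum(p.amount for p in batch),
        "hash": sum(p.account for p in batch),
    }


def verify_batch(captured: dict[str, int], posted) -> list[str]:
    """Detective control: recompute the totals after posting and report every
    total that no longer agrees with the figure taken at capture."""
    actual = batch_totals(posted)
    return [f"{k}: expected {captured[k]}, got {actual[k]}"
            for k in captured if captured[k] != actual[k]]


def batch_mac(batch, key: bytes) -> str:
    """Keyed digest over the canonical batch contents. Unlike a hash total it
    also catches deliberate edits that keep count, amount and hash unchanged."""
    canonical = "\n".join(f"{p.ref}|{p.account}|{p.amount}" for p in batch).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


# Constructed batch as captured by data entry
CAPTURED = [
    Payment("PAY0001", 10020030040, 1_250_000),
    Payment("PAY0002", 10020030041, 4_800_000),
    Payment("PAY0003", 20030040050, 12_500_000),
]
CAPTURED_TOTALS = batch_totals(CAPTURED)

# Same batch after an account number was mis-keyed on re-entry (digits
# transposed): count and amount still agree, only the hash total catches it.
POSTED_TRANSPOSED = [Payment("PAY0001", 10020030004, 1_250_000), CAPTURED[1], CAPTURED[2]]

# Same batch with one record dropped and its value added to another: the
# amount total alone would not notice, count and hash do.
POSTED_MERGED = [
    Payment("PAY0001", 10020030040, 1_250_000),
    Payment("PAY0002", 10020030041, 4_800_000 + 12_500_000),
]


if __name__ == "__main__":
    print("edit errors:", edit_check(Payment("X1", 123, 0)))
    print("transposed:", verify_batch(CAPTURED_TOTALS, POSTED_TRANSPOSED))
    print("merged:", verify_batch(CAPTURED_TOTALS, POSTED_MERGED))
    print("MAC differs:", batch_mac(CAPTURED, b"batch-key") != batch_mac(POSTED_MERGED, b"batch-key"))
```

A hash total is an integrity check against accidental loss or mis-keying, not against a deliberate change: two compensating edits in different records leave the sum unchanged. Where the threat model includes an insider altering a batch in transit, the keyed digest (with the key held away from the people who can edit the batch) is the control to add alongside the totals.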

IS Audit Techniques & CAATs

AAS 29, Auditing in a CIS Environment, issued by ICAI, states that:

"The overall objective and scope of the audit does not change in a CIS environment. However, the use of a computer changes the processing, storage, retrieval and communication of financial information and may affect the accounting and internal control systems employed by the entity."


CAATs are important tools for the IS auditor in gathering information from these environments. When systems have different hardware and software environments, data structures, record formats or processing functions, it is almost impossible for auditors to collect evidence without a software tool to collect and analyze the records. CAATs also enable IS auditors to gather information independently of the auditee.


The CIS environment may affect:
◦ the procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems
◦ the auditor's evaluation of inherent risk, through which the auditor assesses audit risk
◦ the auditor's design and performance of tests of control and substantive procedures appropriate to meet the audit objective


AAS 29 specifically requires the auditor to consider the effect of the CIS environment on the audit, in particular:
1. The extent to which the CIS environment is used in control
2. The system of internal control
3. The audit trail


The auditor should have sufficient knowledge of CIS to plan, direct, supervise, control and review the work performed.

Specialised skills may be needed to:
1. Obtain a sufficient understanding of the effect of the CIS environment on the accounting and internal control systems
2. Determine the effect of the CIS environment on the assessment of overall audit risk
3. Design and perform appropriate tests of control and substantive procedures


The IT environment contains business risks. These risks can result from a lack of various controls, including:
1. Lack of an IS security policy framework, procedures and controls
2. Approach to control over IT and related resources
3. Risks of outsourcing IT processes
4. Physical and environmental security of IT equipment and related assets
5. Poor controls over communication and network technology and infrastructure
6. Poor controls over system parameter settings and critical system files
7. Risks from viruses, hackers and malicious code
8. Poor controls over the SDLC
9. Poor business continuity planning


Auditing around the computer (black box approach): ignoring what happens inside the computer and conducting the audit from the inputs and outputs, as in manual audits.

Auditing through the computer (white box approach): considering the audit trail and auditing the process followed by the computer system.


CAATs are software intended to facilitate or expedite the auditing process. Examples of CAATs include:
◦ Generalized audit software
◦ Test data generators
◦ Expert systems
◦ Standard utilities
◦ Software library packages
◦ Integrated test facilities
◦ Snapshot
◦ Specialized audit software


Generalized audit software (GAS) refers to standard software with the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. ACL and IDEA are examples.

Functions supported by GAS:
◦ File access – reading from different formats
◦ File reorganization – indexing, sorting, merging
◦ Data selection
◦ Statistical functions – sampling
◦ Arithmetical functions
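The GAS functions listed above, exercised on a constructed transaction extract in plain Python. This is an added example, not from the presentation and not ACL or IDEA code; the CSV rows, the two limits and the business-hours window are made up for illustration. It works the way the CAAT slides advise: the extract is only read, nothing is written back to the source system, and the exception tests are the control objectives stated earlier (each transaction authorized and recorded only once; segregation of duties).

```python
"""GAS-style analysis of a constructed payment extract: file access, reorganisation,
data selection, recomputation. The data below is invented for the example."""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed extract. In practice this is a read-only export of the production table.
EXTRACT = """\
txn_id,date,time,user,vendor,amount,approved_by
1001,2015-12-01,09:15,asha,ACME Supplies,12500.00,manager1
1002,2015-12-01,09:40,ravi,Blue Ltd,48000.00,manager2
1003,2015-12-02,23:55,asha,ACME Supplies,12500.00,asha
1004,2015-12-02,10:05,ravi,Blue Ltd,49999.00,manager2
1005,2015-12-03,10:30,meena,Delta Co,150000.00,manager1
1002,2015-12-03,11:00,ravi,Blue Ltd,48000.00,manager2
"""

APPROVAL_LIMIT = Decimal("50000")   # hypothetical: above this a second approver is needed
SENIOR_LIMIT = Decimal("100000")    # hypothetical: above this senior approval is needed


def load_extract(text: str) -> list[dict]:
    """File access: parse the CSV, keeping amounts as Decimal so recomputed
    totals agree with the ledger to the paisa (floats would drift)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["amount"] = Decimal(r["amount"])
    return rows


def sort_by(rows, *keys) -> list[dict]:
    """File reorganisation: sort on one or more fields."""
    return sorted(rows, key=lambda r: tuple(r[k] for k in keys))


def duplicate_ids(rows) -> list[str]:
    """'Each transaction is recorded only once': ids that appear more than once."""
    counts = Counter(r["txn_id"] for r in rows)
    return sorted(i for i, c in counts.items() if c > 1)


def self_approved(rows) -> list[str]:
    """Segregation of duties: the same user entered and approved the payment."""
    return [r["txn_id"] for r in rows if r["user"] == r["approved_by"]]


def outside_hours(rows, start: str = "08:00", end: str = "19:00") -> list[str]:
    """Timing exceptions: postings outside the normal business-hours window."""
    return [r["txn_id"] for r in rows if not (start <= r["time"] <= end)]


def above_limit(rows, limit: Decimal = SENIOR_LIMIT) -> list[str]:
    """Data selection: payments that required senior approval."""
    return [r["txn_id"] for r in rows if r["amount"] > limit]


def near_limit(rows, limit: Decimal = APPROVAL_LIMIT, pct: int = 2) -> list[str]:
    """Amounts just under an approval threshold: the classic split-purchase pattern."""
    floor = limit * (100 - pct) / 100
    return [r["txn_id"] for r in rows if floor <= r["amount"] < limit]


def totals_by_vendor(rows) -> dict[str, Decimal]:
    """Arithmetical function: recompute totals independently of the application."""
    totals = defaultdict(Decimal)
    for r in rows:
        totals[r["vendor"]] += r["amount"]
    return dict(totals)


def grand_total(rows) -> Decimal:
    return sum((r["amount"] for r in rows), Decimal(0))


if __name__ == "__main__":
    rows = load_extract(EXTRACT)
    print("duplicates:", duplicate_ids(rows))
    print("self-approved:", self_approved(rows))
    print("outside hours:", outside_hours(rows))
    print("above senior limit:", above_limit(rows))
    print("just under approval limit:", near_limit(rows))
    print("by vendor:", totals_by_vendor(rows), "total:", grand_total(rows))
```

On the constructed extract the run flags txn 1002 as recorded twice, txn 1003 as entered and approved by the same user at 23:55, txn 1005 as above the senior limit and txn 1004 as sitting just under the approval limit; the recomputed grand total (3,20,999.00) is what the auditor agrees to the ledger control account. The point of writing the tests as functions over the extract rather than as ad-hoc queries in the application is independence from the auditee: the same script re-runs unchanged on the next period's export.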


Specialized audit software is written for special audit purposes or targeted at specialized IT environments, for example testing for NPAs, testing UNIX controls, or testing for overnight deals in a forex application.

Such software may be developed by the auditor or by the client; where it is developed by the client, the auditor should take care to obtain assurance on the integrity and security of the software.


Utility software, or utilities, though not developed or sold specifically for audit, is often extremely useful and handy for conducting audits.


Remember: seek read-only access to production data while using CAATs.

Advantages of using CAATs:
◦ Reduced level of audit risk
◦ Greater independence from the auditee
◦ Broader and more consistent audit coverage
◦ Faster availability of information
◦ Improved exception identification
◦ Greater flexibility of run times
◦ Greater opportunity to quantify internal control weaknesses
◦ Enhanced sampling
◦ Cost savings over time

Important factors when considering the use of CAATs include:
◦ Ease of use
◦ Installation requirements
◦ Availability of source data

Important documentation to be retained for self-developed CAATs may include:
◦ Online reports detailing high-risk issues for review
◦ Flowchart
◦ Record and file layouts
◦ Field definitions
◦ Operating instructions
◦ Sample reports

IS Audit Regulations and Standards

◦ AAS 29 / SA 401 – issued by ICAI, on Auditing in a Computer Information Systems Environment
◦ IS Audit standards issued by ISACA
◦ COBIT – Control Objectives for Information and related Technology
◦ BS 7799
◦ SAS 70
◦ SysTrust
◦ ITIL
◦ ISO 9000
◦ SEI CMM
◦ IT Act 2000
◦ UNCITRAL Model Law on Electronic Commerce
◦ SOX
◦ Basel II


By: CA. Shweta Ajmera, M.Com, CA, DISA(ICAI)
[email protected]
You can join me at:
LinkedIn & Twitter: Shweta Ajmera
FB: shweta.ajmera.3