INFORMATION SYSTEMS AUDIT & CONTROL OVERVIEW
AGENDA
• Evolution of IT Audit “Universe”
• IS Audit & Control Careers
• Wearing Different Hats
• IS Standards, Guidelines, & Procedures
• COBIT®
• Risk Assessment
(cont’d)
AGENDA (cont’d)
• Computer-Assisted Auditing Techniques & Tools
• Today’s Audit Universe
• IT Systems Project Participation Options
• IT Audit Resources
• Glossary of Terms
• Sample Questions for CISA Exam
Evolution of IT Audit “Universe”
• EDP Audit to IS Audit to IT Audit
• Mainframe to distributed computing
• Local area network to wide area network to wireless
• Dial-up lines (modem) to high-speed Internet service
IS Audit & Control Careers
• A systems background is a real advantage, but a journalism degree is not a bad thing
• Not all ‘auditing’ is equal, but all auditing is related by some core principles
Wearing Different Hats
• Audit fieldwork
• Communication of results
• Technical consultation
• Department computing support
• Risk assessment
• Special projects
• Continuing professional education
IS Standards, Guidelines, & Procedures
• Audit Charter
• Independence
• Professional Ethics & Standards
• Competence
• Planning (including Risk Assessment)
• Performance of Audit Work
• Reporting
• Follow-up Activities
COBIT®--Control Objectives for Information & Related Technologies
• Effective management of information and related IT is critical to an organization’s success
• IT governance is critical to that success (IT Governance: a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.)
• IT governance links IT processes, IT resources, and information to enterprise strategies & objectives
COBIT®--Control Objectives for Information & Related Technologies
• COBIT® bridges the gaps between business risks, control needs, and technical issues
• Comparable to the COSO model
• Four domains:
– Planning & Organization
– Acquisition & Implementation
– Delivery & Support
– Monitoring
IT Risk Assessment
• Examines the business from management’s perspective
• Allows the IT auditor to make observations & recommendations that are responsive to management’s concerns
IT Risk Assessment
• Emphasis on knowledge of the organization’s control environment
• Focus on effectiveness of a combination of controls instead of individual controls
• Strong linkage between risk assessment and audit testing decisions
Source: “Handbook of IT Auditing”, Warren, Gorham, & Lamont
CAAT—Computer Assisted Auditing Techniques & Tools
• Query systems, report writers, utilities, computer languages
• Complete files can be read speedily
• Can use parameters that may be altered each time the program is run
• Once programs are set up, time savings are significant
• Allows auditor independence
CAAT—Computer Assisted Auditing Techniques & Tools
TYPES OF SOFTWARE
• Automated audit workpapers
• Data analysis
• Risk assessment
• Scheduling
• Timekeeping
• Flowcharting
• Report generation
CAAT—Computer Assisted Auditing Techniques & Tools
USE IN FRAUD DETECTION & INVESTIGATION
• Terminated employees being paid
• Ghost employees
• Purchases to homes instead of business
• “On-call” pay abuse
• Unusually high salary increases
• Telephone use abuse
• Travel reimbursement abuse
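The following is an added example, not part of the original slides, showing how the CAAT features described earlier (reading a complete file, run-time parameters the auditor changes on each run, time savings once the program exists) apply to three of the fraud tests listed above: terminated employees still being paid, ghost employees, and unusually high salary increases. The HR master file, payroll register, employee ids and field names are all constructed for illustration; the 10% increase threshold is an assumed audit parameter, not a figure from the slides.

```python
"""
Constructed CAAT-style payroll exception tests (added example; the data,
ids and field names are made up and are not from the slides).
"""
from datetime import date
from typing import Dict, List, Tuple

# Constructed HR master file: employee id -> record. A terminated employee
# carries a termination date; active employees carry None.
HR_MASTER: Dict[str, dict] = {
    "E100": {"name": "A. Example", "terminated": None,
             "salary_history": [(date(2023, 1, 1), 50000), (date(2024, 1, 1), 52000)]},
    "E101": {"name": "B. Example", "terminated": date(2024, 3, 31),
             "salary_history": [(date(2023, 1, 1), 61000)]},
    "E102": {"name": "C. Example", "terminated": None,
             "salary_history": [(date(2023, 1, 1), 40000), (date(2024, 1, 1), 58000)]},
}

# Constructed payroll register: (employee id, pay date, net amount).
PAYROLL: List[Tuple[str, date, float]] = [
    ("E100", date(2024, 4, 30), 4333.33),
    ("E101", date(2024, 3, 29), 5083.33),   # last pay before termination: legitimate
    ("E101", date(2024, 4, 30), 5083.33),   # paid after termination date: exception
    ("E102", date(2024, 4, 30), 4833.33),
    ("E999", date(2024, 4, 30), 3900.00),   # no HR master record: possible ghost
]


def terminated_still_paid(hr, payroll):
    """Payroll lines dated after the employee's termination date."""
    hits = []
    for emp_id, pay_date, amount in payroll:
        rec = hr.get(emp_id)
        if rec and rec["terminated"] and pay_date > rec["terminated"]:
            hits.append((emp_id, pay_date, amount))
    return hits


def ghost_employees(hr, payroll):
    """Payroll ids with no matching HR master record (sorted, de-duplicated)."""
    return sorted({emp_id for emp_id, _, _ in payroll if emp_id not in hr})


def high_salary_increases(hr, max_pct):
    """Consecutive salary-history steps whose increase exceeds max_pct percent.

    max_pct is the run-time parameter the auditor may change on each run,
    so the same program serves a tight test one year and a looser one the next.
    """
    hits = []
    for emp_id, rec in hr.items():
        hist = rec["salary_history"]
        for (_, before), (effective, after) in zip(hist, hist[1:]):
            pct = (after - before) / before * 100
            if pct > max_pct:
                hits.append((emp_id, effective, round(pct, 1)))
    return hits


def run_payroll_tests(hr=HR_MASTER, payroll=PAYROLL, max_increase_pct=10.0):
    """Run all three tests and return the exceptions for the workpapers."""
    return {
        "terminated_still_paid": terminated_still_paid(hr, payroll),
        "ghost_employees": ghost_employees(hr, payroll),
        "high_salary_increases": high_salary_increases(hr, max_increase_pct),
    }


if __name__ == "__main__":
    for test_name, exceptions in run_payroll_tests().items():
        print(f"{test_name}: {exceptions}")
```

Each function returns the exception list rather than printing it, so the same tests can feed an automated workpaper or a report generator; in practice the two files would be read whole from the payroll and HR systems, which is where the speed and independence benefits come from.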
CAAT—Computer Assisted Auditing Techniques & Tools
USE IN NETWORK SECURITY
• Port scanning tools
• Network intrusion detection
• SANS “Top 20 Network Vulnerabilities”
• Nessus
• Computer Intrusion Response Teams
• Tiger Teams
IT Systems Projects Participation Options
• Steering Committee
• Full project team participation
• Periodic review & consultation
• Implementation/conversion review
• Post-implementation/conversion review
IT Audit Resources
• Mailing lists & discussion lists
– ACUA-L, C-ISACA-L, DCC-L, Sysadmin-L
• Electronic newsletters
– Canaudit, SANS, ZDNet Security
• Libraries of audit programs:
– www.auditnet.org
– www.isaca.org (K-Net)
– www.acua.org
IT Audit Resources
• Periodicals
– EDPACS, Information Security
• Technical training handouts
• Vendor-specific websites
• Technology-specific websites
– www.webopaedia.com