Saturday, May 30, 2009

Computer Assisted Auditing Techniques (CAATs)

CAATs are used to test application controls as well as perform substantive tests on sample items. Types of CAATs include:

* Generalized Audit Software (GAS) – allows the auditor to perform tests on computer files and databases.
* Custom Audit Software (CAS) – generally written by auditors for specific audit tasks. CAS is necessary when the organization’s computer system is not compatible with the auditor’s GAS or when the auditor wants to conduct some testing that may not be possible with the GAS.
* Test Data – the auditor uses test data for testing the application controls in the client’s computer programs. The auditor includes simulated valid and invalid test data, used to test the accuracy of the computer system’s operations. This technique can be used to check data validation controls and error detection routines, processing logic controls, and arithmetic calculations, to name a few.
* Parallel Simulation – the auditor must construct a computer simulation that mimics the client’s production programs.
* Integrated Test Facility – the auditor enters test data along with actual data in a normal application run.
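A worked illustration of two of the techniques above (test data and parallel simulation), added here as an example rather than code from the original post; the order layout, the credit-limit control and the client validation routine are all hypothetical:

```python
"""Added example (not the original post's code): two CAATs on constructed data.
Test data: simulated valid/invalid orders go through a stand-in for the client's
input-validation control and each result is compared with the auditor's expected
outcome. Parallel simulation: the auditor's own recalculation of each order total
is compared with the total the (hypothetical) production program stored."""
from dataclasses import dataclass
from decimal import Decimal as D

CREDIT_LIMIT = D("5000.00")  # constructed control parameter

@dataclass(frozen=True)
class Order:
    order_id: str
    customer: str
    qty: int
    unit_price: D
    stored_total: D  # written by the hypothetical production program

def client_validation(o: Order) -> bool:
    """Stand-in for the client's control, with a deliberate boundary defect
    (< instead of <=) so the test-data run below has something to find."""
    if not o.customer or o.qty <= 0 or o.unit_price <= 0:
        return False
    return o.qty * o.unit_price < CREDIT_LIMIT

def run_test_data(cases):
    """Test-data CAAT: ids where the control disagrees with the expected outcome."""
    return [o.order_id for o, expected in cases if client_validation(o) != expected]

def auditor_total(o: Order) -> D:
    """Auditor's independent recalculation used for parallel simulation."""
    return (D(o.qty) * o.unit_price).quantize(D("0.01"))

def parallel_simulation(records):
    """(order_id, stored, recomputed) for each record whose stored total differs."""
    return [(o.order_id, o.stored_total, auditor_total(o))
            for o in records if auditor_total(o) != o.stored_total]

TEST_DATA = [  # constructed: (order, outcome the control should produce)
    (Order("T1", "C100", 2, D("19.99"), D("39.98")), True),       # ordinary valid order
    (Order("T2", "", 1, D("10.00"), D("10.00")), False),          # missing customer
    (Order("T3", "C100", -1, D("10.00"), D("-10.00")), False),    # negative quantity
    (Order("T4", "C100", 5, D("1000.00"), D("5000.00")), True),   # exactly at the limit
    (Order("T5", "C100", 6, D("1000.00"), D("6000.00")), False),  # over the limit
]
PRODUCTION = [  # constructed production records; P2 carries a wrong stored total
    Order("P1", "C200", 3, D("4.50"), D("13.50")),
    Order("P2", "C201", 4, D("2.25"), D("8.00")),
    Order("P3", "C202", 10, D("0.10"), D("1.00")),
]
```

Running `run_test_data(TEST_DATA)` flags only the boundary case T4, which is exactly the kind of control defect simulated invalid and edge-case input is meant to surface; `parallel_simulation(PRODUCTION)` reports P2, where the stored total does not match the auditor's recalculation.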

Evaluation of Internal Controls

COSO defines internal control as, “a process, influenced by an entity’s board of directors, management, and other personnel, that is designed to provide reasonable assurance in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations”. The auditor evaluates the organization’s control structure by understanding the organization’s five interrelated control components. They include:

1. Control Environment – Provides the foundation for the other components. Encompasses such factors as management’s philosophy and operating style.
2. Risk Assessment – Consists of risk identification and analysis.
3. Control Activities – Consists of the policies and procedures that ensure employees carry out management’s directions. Types of control activities an organization must implement are preventive controls (controls intended to stop an error from occurring), detective controls (controls intended to detect that an error has occurred), and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively).
4. Information and Communication – Ensures the organization obtains pertinent information and then communicates it throughout the organization.
5. Monitoring – Reviewing the output generated by control activities and conducting special evaluations.

In addition to understanding the organization’s control components, the auditor must also evaluate the organization’s general and application controls. There are three audit risk components: control risk, detection risk and inherent risk.

IT Audit Process Overview

The auditor must plan and conduct the audit to ensure their audit risk (the risk of reaching an incorrect conclusion based on the audit findings) will be limited to an acceptable level. To eliminate the possibility of assessing audit risk too low the auditor should perform the following steps:

1. Obtain an Understanding of the Organization and its Environment: The understanding of the organization and its environment is used to assess the risk of material misstatement/weakness and to set the scope of the audit. The auditor’s understanding should include information on the nature of the entity, management, governance, objectives and strategies, and business processes.
2. Identify Risks that May Result in Material Misstatements: The auditor must evaluate an organization’s business risks (threats to the organization’s ability to achieve its objectives). An organization’s business risks can arise or change due to new personnel, new or restructured information systems, corporate restructuring, and rapid growth to name a few.
3. Evaluate the Organization’s Response to those Risks: Once the auditor has evaluated the organization’s response to the assessed risks, the auditor should then obtain evidence of management’s actions toward those risks. The organization’s response (or lack thereof) to any business risks will impact the auditor’s assessed level of audit risk.
4. Assess the Risk of Material Misstatement: Based on the knowledge obtained in evaluating the organization’s responses to business risks, the auditor then assesses the risk of material misstatements and determines specific audit procedures that are necessary based on that risk assessment.
5. Evaluate Results and Issue Audit Report: At this level, the auditor should determine if the assessments of risks were appropriate and whether sufficient evidence was obtained. The auditor will issue either an unqualified or qualified audit report based on their findings.

Wednesday, May 27, 2009

IT auditor one of the fastest growing careers

Nobody likes the word “audit.” That is unless you are, or are thinking about becoming, an IT auditor, which is one of the fastest growing career areas in IT according to CareerProNews. Since the passage of information legislation, like Sarbanes-Oxley, IT audits have increased, and so has the need for people to do them.

An IT audit is basically the process of collecting and evaluating evidence of an organization’s information systems, practices, and operations. IT auditors look not only at physical controls as a security auditor would, but they also look at business and financial controls within an organization.

IT auditors help organizations comply with legislation, making sure they keep data and records secure. These auditors don’t actually implement any fixes; they just offer an independent review of the situation.

Fred Roth, a senior consultant at a training institute, says he believes the demand for IT auditors will continue for the next couple of years: “I talk to a lot of management from companies in the U.S., Canada and Europe. The answers are always the same — they cannot find enough good IT auditors.”

So what does it take to be an IT auditor? CareerProNews says that “CIA (certified internal auditor), CISA (certified information systems auditor) and CISSP (certified information systems security professional) certifications are becoming an absolute must for IT auditors.”

Roth adds: “IT auditors need to be qualified to audit the many different aspects of IT: systems, networks, databases, encryption, etc., and they need to be proficient and stay current as the technology changes. This requires ongoing training.”

Although most IT auditor positions start out on contract, many firms are realizing the need to hire full-time personnel to handle the duties.

Thursday, May 21, 2009

Regulations and Standards Usually Used for IT Audit

* ISO / IEC 17799 and BS7799
* Control Objectives for Information and related Technology (CobiT)
* ISO TR 13335
* IT Baseline Protection Manual
* ITSEC / Common Criteria
* Federal Information Processing Standard 140-1/2 (FIPS 140-1/2)
* The “Sicheres Internet” Task Force [Task Force Sicheres Internet]
* The quality seal and product audit scheme operated by the Schleswig-Holstein Independent State Centre for Data Privacy Protection (ULD)
* ISO 9000