Integrated Audit
Pages: 22
File type: pdf
Size: 91.52 KB
Document information:
• History and background of IT Audit
• Try to address the gap that exists between financial audit and information technology audit
• What is involved in IT general controls and automated application controls
• Discuss an approach that will aid in the identification and testing of IT controls
• Roles and responsibilities for IT and financial auditors
Content extracted from the document:

Integrated Audit
IT and Finance - Are We Talking the Same Language?

Presented by: Hussain T. Hasan, CISM, CISSP
Managing Director, Technology Risk Management Services (TRMS)
Hussain.hasan@rsmi.com

RSM McGladrey, Inc. is a member firm of RSM International – an affiliation of separate and independent legal entities.

Session Goals
• History and background of IT Audit
• Try to address the gap that exists between financial audit and information technology audit
• What is involved in IT general controls and automated application controls
• Discuss an approach that will aid in the identification and testing of IT controls
• Roles and responsibilities for IT and financial auditors

History of IT Audits
• First use of a computerized accounting system - 1954 by GE
• Use of computer accounting systems became more prevalent in mid-60s and early 70s
• AICPA and the “Big 8” formalize EDP auditing with the release of the book “Auditing & EDP” - 1968
• Electronic Data Processing Auditors Association (EDPAA) formed - late 1960s
• First edition of control objectives was published (now known as CoBiT) - 1977
• EDPAA changes name to ISACA (Information Systems Audit and Control Association) - 1994

Major Events Impacting IT Auditing
• Equity Funding Corporation of America fraud (1964 - 1973)
• AT&T infrastructure failure - 1998
• September 11th terrorist attacks - 2001
• Enron and Arthur Andersen - 2002

Why is IT Auditing a Challenge?
• Unlike the certification of financial statements there is no “universally accepted principle or standard” for IT audit
• The concept of “compliance to best practice”
• Rapid change in IT is at times too rapid for best practices to fully develop or be recognized as such
• IT audit has become a separate discipline over time

Today’s Business Process Environment
• 24/7 requirement becoming more common
• Focus on early error detection
• More highly automated – reducing reliance on manual controls
• Integrated with complex and highly efficient IT systems
• Electronic workflow with paperless trails
• Increased business partner involvement through direct access to process – the network extends beyond the company

IT Control Framework (diagram)
• Significant Financial Transaction Accounts: Balance Sheet, Income Statement, SCFP, Notes, Other
• Business Processes/Classes of Transactions: Process A, Process B, Class A, Class B
• Financial Applications: Application A, Application B, Application C
• Automated Application Controls: Application Security, Input Controls, Process Controls, Output Controls, Interface Controls
• Infrastructure Services: Database, Platform, Operating System, Network
• IT General Controls: Change/Development, Security, Computer Operations, IT Governance
Source: Adapted from IT Governance Board, ISACA White Paper IT Control Objectives for Sarbanes-Oxley

IT General Controls (ITGC)
• IT general controls are pervasive controls within the IT environment and the effectiveness of all automated application controls across the organization depends on them.
  – Security (access to programs and data)
  – Change / development
  – Computer operations
  – IT governance
• Primary responsibility of the IT Team
• Constant interaction with the Financial Audit Team

Automated Application Controls
• Application controls apply to the business processes they support.
• These controls a ...