Sigma Technology Partners Information Systems Audit Methodology

6 pages

English

Sigma Technology Partners Information Systems Audit Methodology

Methong

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

6 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Compliance Risk Management IT Governance Assurance IT Audit Methodology Our methodology has been developed in accordance with industry standards and as recommended by various audit regulatory bodies including following the guidelines of Committee Of Sponsoring Organizations (COSO), Federal Information System Controls Audit Manual (FISCAM), NIST Special Publication 800-53, Federal Information Security Management ACT (FISMA) and Financial Systems Integration Office (FSIO). The beginning point of this methodology is to carry out planning activities that are geared towards integrating a Risk Based Audit approach to the IS Audit. Phase 1 – Opening Conference and Audit Planning During opening conference meeting, the client describes the unit or system to be reviewed, the organization, available resources (personnel, facilities, equipment), and other relevant information. The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. It is important that the client identify issues or areas of special concern that should be addressed. In this phase we plan the information system coverage to comply with the audit objectives specified by the client and ensure compliance to all laws and professional standards. The first thing is to obtain an Audit charter from the client detailing the purpose of the audit, the management responsibility, ...

Sujets

Publié par	Methong
Nombre de lectures	13
Langue	English

Extrait

Sigma Technology Partners

Page 1

Compliance

Risk Management

IT Governance

Assurance

IT Audit Methodology

Our methodology has been developed in accordance with industry standards and as

recommended by various audit regulatory bodies including following the guidelines of

Committee Of Sponsoring Organizations (COSO), Federal Information System Controls Audit

Manual (FISCAM), NIST Special Publication 800-53, Federal Information Security

Management ACT (FISMA) and Financial Systems Integration Office (FSIO). The beginning

point of this methodology is to carry out planning activities that are geared towards

integrating a Risk Based Audit approach to the IS Audit.

Phase 1 – Opening Conference and Audit Planning

During opening conference meeting, the client describes the unit or system to be reviewed,

the organization, available resources (personnel, facilities, equipment), and other relevant

information. The internal auditor meets with the senior officer directly responsible for the

unit under review and any staff members s/he wishes to include. It is important that the

client identify issues or areas of special concern that should be addressed.

In this phase we plan the information system coverage to comply with the audit objectives

specified by the client and ensure compliance to all laws and professional standards. The

first thing is to obtain an Audit charter from the client detailing the purpose of the audit, the

management responsibility, authority and accountability of the Information Systems Audit

function as follows:

Responsibility:

The Audit Charter should define the mission, aims, goals and

objectives of the Information System Audit. At this stage we also define the Key

Performance Indicators and an Audit Evaluation process;

Authority:

The Audit Charter should clearly specify the Authority assigned to the

Information Systems Auditors with relation to the Risk Assessment work that will be

carried out, right to access the client’s information, the scope and/or limitations to

the scope, the client’s functions to be audited and the auditee expectations; and

Accountability:

The Audit Charter should clearly define reporting lines, appraisals,

assessment of compliance and agreed actions.

The Audit Charter should be approved and agreed upon by an appropriate level within the

client’s organization. In addition to the Audit Charter, Sigma will obtain a written

representation (“Letter of Representation”) from the client’s management acknowledging:

Sigma Technology Partners

Page 2

Their responsibility for the design and implementation of the Internal Controls over

IT Systems and processes.

Their willingness to disclose to the Information Systems Auditor their knowledge of

irregularities and/or illegal acts affecting their organization pertaining to

management and employees with significant roles within the internal audit

department.

Their willingness to disclose to the IS Auditor the results of any risk assessment that

a material misstatement may have occurred.

Phase 2 – Risk Assessment and Business Process Analysis

Risk is the possibility of an act or event occurring that would have an adverse effect on the

organization and its information systems. Risk can also be the potential that a given threat

will exploit vulnerabilities of an asset or group of assets to cause loss of, or damage to the

assets. It is ordinarily measured by a combination of effect and likelihood of occurrence.

The process of quantifying risk is called Risk Assessment. Risk Assessment is useful in

making decisions such as:

The area/business function to be audited

The nature, extent and timing of audit procedures

The amount of resources to be allocated to an audit

The following types of risks will be evaluated under risk based audit strategy:

Inherent Risk

: Inherent risk is the susceptibility of an audit area to error which could be

material, individually or in combination with other errors, assuming that there were no

related internal controls. In assessing the inherent risk, the IS auditor should consider both

pervasive and detailed IS controls. This does not apply to circumstances where the IS

auditor’s assignment is related to pervasive IS controls only. A pervasive IS Control are

general controls which are designed to manage and monitor the IS environment and which

therefore affect all IS-related activities. Some of the pervasive IS Controls that we may

consider include:

•

The integrity of IS management and IS management experience and knowledge

•

Changes in IS management

•

Pressures on IS management which may predispose them to conceal or misstate

information (e.g. large business-critical project over-runs, and hacker activity)

•

The nature of the organization’s business and systems (e.g., the plans for electronic

commerce, the complexity of the systems, and the lack of integrated systems)

•

Factors affecting the organization’s industry as a whole (e.g., changes in technology,

and IS staff availability)

•

The level of third party influence on the control of the systems being audited (e.g.,

because of supply chain integration, outsourced IS processes, joint business

ventures, and direct access by customers)

•

Findings of previous audits

Sigma Technology Partners

Page 3

Control Risk

: Control risk is the risk that an error which could occur in an audit area, and

which could be material, individually or in combination with other errors, will not be

prevented or detected and corrected on a timely basis by the internal control system. For an

example, the control risk associated with manual reviews of computer logs can be high

because activities requiring investigation are often easily missed owning to the volume of

logged information. The control risk associated with computerized data validation

procedures is ordinarily low because the processes are consistently applied.

The IS auditor should assess the control risk as high unless relevant internal controls are:

•

Identified

•

Evaluated as effective

•

Tested and proved to be operating appropriately

Detection Risk

: Detection risk is the risk that the IS auditor’s substantive procedures will

not detect an error which could be material, individually or in combination with other errors.

In determining the level of substantive testing required, the IS auditor should consider

both:

•

The assessment of inherent risk

•

The conclusion reached on control risk following compliance testing

The higher the assessment of inherent and control risk the more audit evidence the IS

auditor should normally obtain from the performance of substantive audit procedures.

Phase 3 – Performance of Audit Work

In the performance of Audit work, the Information Systems Audit Standards require the

auditor to provide supervision, gather audit evidence and document audit work. We achieve

this objective through:

•

Obtaining sufficient, reliable and relevant evidence through inspection, observation,

inquiry, confirmation and recompilation of calculations.

•

Documenting results of test work performed and audit evidence gathered to support

the auditors’ findings.

•

Performing concurrent reviews of results of test work performed. This phase

concludes with a list of significant findings from which the auditor will prepare a draft

of the audit report.

During this phase, Sigma will take into account the type of audit evidence to be gathered,

its use as audit evidence to meet audit objectives, and its varying levels of reliability.

The various types of audit evidence which we will consider using include:

•

Observed processes and existence of physical items

•

Documentary audit evidence

•

Representations

Sigma Technology Partners

Page 4

•

Analysis

Observed processes and existence of physical items can include observations of activities,

property and information systems functions, such as:

•

An inventory of media in an offsite storage location

•

A computer room security system in operation

Documentary audit evidence, recorded on paper or other media, can include:

•

Results of data extractions

•

Records of transactions

•

Program listings

•

Invoices

•

Activity and control logs

•

System development documentation

Representations of those being audited can be audit evidence, such as:

•

Written policies and procedures

•

System flowcharts

•

Written or oral statements

Computer Assisted Audit Techniques include many types of tools and techniques, such as

generalized audit software, utility software, test data, application software tracing and

mapping, and audit expert systems. CAATs may be used in performing various audit

procedures including:

•

Tests of details of transactions and balances

•

Analytical review procedures

•

Compliance tests of IS general controls

•

Compliance tests of IS application controls

•

Penetration testing

Phase 4 - Reporting

Upon the performance of the audit test, Sigma Technology Partners shall produce an

appropriate report communicating the results of the IS Audit. Our IS audit report will

include:

Identify an organization, intended recipients and any restrictions on circulation

State the scope, objectives, period of coverage, nature, timing and the extent of the

audit work

State findings, conclusions, recommendations and any reservations, qualifications

and limitations

Provide audit evidence

Sigma Technology Partners

Page 5

Draft Report

- After field work is completed and the management's comments on audit

findings have been considered, a draft audit report is prepared. The draft report will

normally be issued with a request that management provide written comments within a

specified time on the facts and conclusions of each finding and recommendation presented

in the report. The draft report is officially a "work-in-progress" and is not a public document.

Final Report

- At the end of the response period, after reviewing and assessing the

auditee's written response to the draft report and audit finds, the final audit report will be

issued that aims to provide a fair, complete and accurate picture of the audited area during

the audit period.

Usually, the report includes a description of the scope, objectives, and

methodology of the

audit, a statement that the audit was made in accordance with agreed upon auditing

standards, and a description of the findings and recommendations for corrective action.

Exit Conference:

The formal exit conference with client’s management will probably be the last direct contact

before the final audit report is released. The exit conference is held to discuss the draft copy

of the audit report and any other items with auditee personnel. The draft report should be

available to auditee management at least one week prior to the exit conference. The date of

the exit conference will be mutually set with the client’s management.

Planing

Field Work

Reporting

Followup

Notification Letter

Entrance Conference

Preliminary Scope

Interviews with Staff

Risk and Controls

Testing Strategy

Audit Sampling

Collecting Evidence

Testing of Controls

Reviews of issues

Finalization of issues

Draft Matrix of issues

Management Feedback

Draft Executaive Summary

Draft Report

Management Comments

Final Report

Updates on issues

Follow up Review

Follow up report

Audit Program

Sigma's Audit Methodology

Univers
Ebooks
Livres audio
Presse
Podcasts
BD
Documents

Livre audio en ligne - Développement personnel Livre en ligne Tout le catalogue Tous les Intérêts

Sigma Technology Partners Information Systems Audit Methodology

management

risk management

managers

YouScribe

Le catalogue

Le service

Les conditions