CIS Audit Lecture # 1
1. OVERVIEW OF IT AUDIT
IT RISK AND CONTROLS
IS AUDIT PROCESS
2. Assurance engagement
An engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria. (Handbook of ISA; IFAC)
3. Code of Professional Ethics
ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the Association and/or its certification holders.
Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
4. Code of Professional Ethics
2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
5. Code of Professional Ethics
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Code of Professional Ethics
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.
7. Auditing
Evaluation of: an organization, a system, a process, a project, or a product.
Performed by a party that is: competent, independent, and objective.
Outcome: an issued report.
8. Why do we plan?
To improve effectiveness: enhance the chance of success.
To improve efficiency: achieve the best result with the least resources.
9. What should we consider in planning an IS Audit?
Risk
Controls
Technological updates
Business needs
Auditing techniques
10. How do we plan (Audit planning process)?
1. Defining the needs/problem
2. Gather relevant information
3. Assess/enumerate the risks
4. Analyze the risk
5. Identify and review controls
6. Set audit scope and objectives
7. Develop strategy
8. Assign resources
9. Implement the plan
10. Evaluate the plan
11. Risk
Is the potential that a given threat will exploit
the vulnerabilities of an asset/s to cause loss
or damage to the asset/s.
12. Risk Assessment
Identifying business risks relevant to financial
reporting objectives;
Estimating the significance of the risks;
Assessing the likelihood of their occurrence;
and
Deciding about actions to address those risks.
-PSA 315.15
13. Internal control in a CIS Environment
General CIS Control
Application Control
14. General CIS Control
Organization and management controls
Development and maintenance controls
Delivery and support controls
Monitoring controls
15. Organization and management controls
Strategic information technology plan.
CIS policies and procedures.
Clearly defined roles and responsibilities.
Segregation of incompatible functions
Monitoring of IS activities performed by third
party consultants.
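Segregation of incompatible functions is usually tested by checking whether any one user has been granted two functions that the organization has declared incompatible. The following is an added example, not part of the lecture: a small Python segregation-of-duties check over a constructed user/role/function model. The conflict pairs (for example, creating a vendor and approving a payment), the role names and the users are all hypothetical. It shows both the detective use (find existing violations in a user listing) and the preventive use (refuse a role assignment that would create a conflict).

```python
"""Segregation-of-duties (SoD) check: added illustration, not lecture material.

Model: users hold roles, roles grant business functions, and a conflict list
names pairs of functions one person must not hold together.  All names below
are constructed sample data.
"""

# Pairs of functions the organization has declared incompatible (hypothetical).
CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("develop_code", "migrate_to_production"),
    ("enter_journal", "approve_journal"),
]

# Which business functions each application role grants (constructed).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "DEVELOPER": {"develop_code"},
    "RELEASE_MGR": {"migrate_to_production"},
    "GL_ACCOUNTANT": {"enter_journal"},
    "CONTROLLER": {"approve_journal"},
}

# Current role assignments, as an auditor would extract from the application.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},     # can create a vendor and approve payment
    "bob": {"DEVELOPER"},
    "carol": {"DEVELOPER", "RELEASE_MGR"},   # can write code and push it to production
    "dave": {"GL_ACCOUNTANT"},
}


def user_functions(user, user_roles, role_functions):
    """Map every function the user can perform to the roles that grant it."""
    granted = {}
    for role in user_roles.get(user, ()):
        for func in role_functions.get(role, ()):
            granted.setdefault(func, set()).add(role)
    return granted


def find_sod_violations(user_roles, role_functions, conflicts):
    """Detective test: list users holding both halves of any conflict pair."""
    violations = []
    for user in sorted(user_roles):
        granted = user_functions(user, user_roles, role_functions)
        for func_a, func_b in conflicts:
            if func_a in granted and func_b in granted:
                violations.append({
                    "user": user,
                    "functions": (func_a, func_b),
                    # Which roles produce the conflict, so the remediation is clear.
                    "via_roles": (sorted(granted[func_a]), sorted(granted[func_b])),
                })
    return violations


def would_conflict(user, new_role, user_roles, role_functions, conflicts):
    """Preventive test at provisioning time: would adding new_role create a violation?"""
    proposed = dict(user_roles)
    proposed[user] = set(user_roles.get(user, set())) | {new_role}
    return any(v["user"] == user
               for v in find_sod_violations(proposed, role_functions, conflicts))


if __name__ == "__main__":
    for v in find_sod_violations(USER_ROLES, ROLE_FUNCTIONS, CONFLICTS):
        print(f"{v['user']}: {v['functions'][0]} via {v['via_roles'][0]} "
              f"and {v['functions'][1]} via {v['via_roles'][1]}")
    print("bob + RELEASE_MGR would conflict:",
          would_conflict("bob", "RELEASE_MGR", USER_ROLES, ROLE_FUNCTIONS, CONFLICTS))
```

In a real review the conflict list is the control design to be agreed with management first; the user listing is then the evidence that the design is operating, and every hit becomes either a remediation item or a documented compensating control (for example, an independent review of the transactions that user processed).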
16. Development and maintenance controls
Project initiation, requirements
definition, systems design, testing, data
conversion, go-live decision, migration to
production environment, documentation of new
or revised systems, and user training.
Acquisition and implementation of off-the-shelf
packages.
Request for changes to the existing systems.
Acquisition, implementation, and maintenance of system software.
17. Delivery and support controls
Establishment of service level agreements
against which CIS services are measured.
Performance and capacity management
controls.
Event and problem management controls.
Disaster recovery/contingency
planning, training, and file backup.
Computer operations controls.
Systems security.
Physical and environment controls.
20. Controls over input
Transactions are properly validated and
authorized before being processed by the
computer.
Transactions are accurately converted into
machine readable form and recorded in the
computer data files.
Transactions are not lost, added, duplicated or
improperly changed.
Incorrect transactions are rejected, corrected
and, if necessary, resubmitted on a timely basis.
21. Controls over processing and computer data files
Transactions, including system generated
transactions, are properly processed by the
computer.
Transactions are not lost, added, excluded, duplicated or improperly changed.
Processing errors are identified and
corrected on a timely basis.
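The input and processing control objectives on the two slides above (transactions validated and authorized, not lost, added or duplicated, errors rejected and resubmitted) are classically met with batch control figures plus per-record edit checks. The following is an added example, not part of the lecture: a Python batch processor over a constructed batch of payment transactions. The batch header carries a record count, a control total (sum of amounts) and a hash total (sum of account numbers, meaningless except for reconciliation); a header mismatch rejects the whole batch so nothing is processed from a batch that lost or gained records in transfer, while per-transaction failures go to a suspense list for correction and resubmission. Field formats, approver names and amounts are all constructed.

```python
"""Batch input and processing controls: added illustration, not lecture material."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    account: str        # expected: 8-digit account number (constructed format)
    amount: Decimal
    approved_by: str    # empty string means no authorization was recorded


@dataclass
class BatchResult:
    accepted: list          # transactions passed to processing
    rejected: list          # (Transaction, reason) pairs for the suspense file
    control_errors: list    # batch-level discrepancies; empty when reconciled


def batch_totals(txns):
    """Control figures for a batch as received."""
    return {
        "record_count": len(txns),
        "control_total": sum((t.amount for t in txns), Decimal("0")),
        "hash_total": sum(int(t.account) for t in txns if t.account.isdigit()),
    }


def reconcile(txns, header):
    """Compare received figures with the header the sending system produced."""
    actual = batch_totals(txns)
    return [f"{key} mismatch: header {header[key]}, received {actual[key]}"
            for key in ("record_count", "control_total", "hash_total")
            if header[key] != actual[key]]


def validate_transaction(txn, approvers):
    """Edit and authorization checks on one record; None means it passes."""
    if not (txn.account.isdigit() and len(txn.account) == 8):
        return "invalid account format"
    if txn.amount <= 0:
        return "non-positive amount"
    if txn.approved_by not in approvers:
        return "not authorized"
    return None


def process_batch(txns, header, approvers):
    """Batch-level reconciliation first, then record-level validation."""
    control_errors = reconcile(txns, header)
    if control_errors:
        # Lost or added records: hold the entire batch for resubmission.
        return BatchResult([], [], control_errors)
    accepted, rejected, seen_ids = [], [], set()
    for txn in txns:
        if txn.txn_id in seen_ids:
            reason = "duplicate transaction id"
        else:
            reason = validate_transaction(txn, approvers)
        if reason is None:
            seen_ids.add(txn.txn_id)
            accepted.append(txn)
        else:
            rejected.append((txn, reason))
    return BatchResult(accepted, rejected, [])


# Constructed sample batch and the header the sending system computed for it.
APPROVERS = {"alice", "bob"}
SAMPLE_BATCH = [
    Transaction("T001", "10000001", Decimal("100.00"), "alice"),
    Transaction("T002", "10000002", Decimal("250.00"), "alice"),
    Transaction("T003", "10000003", Decimal("600.00"), ""),       # no approval
    Transaction("T002", "10000002", Decimal("250.00"), "alice"),  # duplicate id
    Transaction("T004", "1000", Decimal("250.00"), "bob"),        # malformed account
]
SAMPLE_HEADER = {
    "record_count": 5,
    "control_total": Decimal("1450.00"),
    "hash_total": 40001008,   # 10000001 + 10000002 + 10000003 + 10000002 + 1000
}


if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, SAMPLE_HEADER, APPROVERS)
    print("accepted:", [t.txn_id for t in result.accepted])
    for txn, reason in result.rejected:
        print("suspense:", txn.txn_id, "-", reason)
    # Simulate a record lost in transfer: same header, one record short.
    lost = process_batch(SAMPLE_BATCH[:-1], SAMPLE_HEADER, APPROVERS)
    print("batch held:", lost.control_errors)
```

The two outcomes map directly onto the slides: the header reconciliation is the evidence that transactions were not lost or added between input and processing, and the suspense list is the evidence that incorrect transactions were rejected and can be corrected and resubmitted rather than silently dropped.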
22. Controls over output
Results of processing are accurate.
Access to output is restricted to authorized
personnel.
Output is provided to appropriate authorized
personnel on a timely basis.
23. How do we plan (Audit planning process)?
1. Defining the needs/problem
2. Gather relevant information
3. Assess/enumerate the risks
4. Analyze the risk: check the impact and probability of the threat
5. Identify and review controls
6. Set audit scope and objectives
7. Develop strategy
8. Assign resources
9. Implement the plan
10. Evaluate the plan