VALUE-ADDED IT AUDITING
MARC VAEL, BRUSSELS, MAY 2015
AGENDA
▪ What does IT audit mean to you?
▪ Traditional IT audit
▪ Top audit concerns of audit committees
▪ The way towards value-added IT audit
▪ Some predictions
▪ Questions
WHAT DOES IT AUDIT MEAN TO YOU?
Yes, you
TRADITIONAL IT AUDIT
TYPES OF INFORMATION FOR AN IT AUDITOR
• Relevant information: relates to controls and tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls is most relevant.
• Reliable information: accurate, verifiable and from an objective source.
• Timely information: produced and used in a timeframe that makes it possible to prevent or detect control deficiencies before they become material to an enterprise.
• Sufficient information: evaluators have gathered enough of it to form a reasonable conclusion. For information to be sufficient, however, it must first be suitable.
• Suitable information: relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source) and timely (i.e., produced and used in an appropriate time frame).
TRADITIONAL IT AUDIT APPROACH
Steps:
• Identification of Safeguards
• Threat Assessment
• Asset Identification
• Vulnerability Assessment
• Risk Determination
• Reporting
• Remediation Planning
Supporting elements:
• Proactive processes that turn policies into awareness programs, IT administration, change management and other activities.
• Technologies needed to provide the appropriate protection and support critical processes.
• Management strategies for IT and relevant policies, standards, guidelines or directives used to communicate these strategies to the organization.
• Reactive processes that enable management to measure how well policies are implemented and followed and when they need to be changed.
TYPICAL IT AUDIT ENGAGEMENTS
A. General control examination or facility audit
B. Application audit
C. System development audit
D. Technical or special topic audit
IT CONTROLS
The plan of organization & the methods a business uses to safeguard IT assets, provide accurate & reliable information, promote & improve operational IT efficiency, and encourage adherence to prescribed IT management policies.
IT control procedure classifications:
1. Preventive / Detective / Corrective / Deterrent IT controls
2. General & Application IT controls
3. Administrative & Accounting IT controls
4. Input – Processing – Output IT controls
GENERAL IT OPERATIONS
1. Change Management
2. System Development Life Cycle (SDLC)
3. Problem & Incident management
4. Back-up and data recovery
5. Project Management
6. Continuity Planning (CBCP and DRP)
INFORMATION SYSTEMS
INDEPENDENT IT CONTROLS ON PERFORMANCE
Independent checks that transactions are processed accurately are another important control element.
Types of independent IT controls
– reconciliation of 2 independently maintained sets of records
– comparison of actual quantities with recorded amounts
– double-entry accounting (debits = credits)
– batch totals
INDEPENDENT IT CONTROLS ON PERFORMANCE
Types of independent IT controls
– batch totals, of which there are 5 types:
1. Financial total: sum of a euro field.
2. Hash total: sum of a field that would usually not be added.
3. Record count: number of documents processed by the IT system.
4. Line count: number of lines of data entered in the IT system.
5. Cross-footing: compares the grand total of all rows with the grand total of all columns to check that they are equal in the IT system.
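The five batch totals above are easiest to understand when you see which of them moves for which kind of processing error. The following is an added example, not code from the slides: a constructed batch of purchase-ledger postings (the invoice numbers, line counts and amounts are made up) gets its header totals computed before processing and recomputed afterwards, and cross-footing is checked on a constructed report that carries stored row and column totals. The `Posting` class and all function names are assumptions for the example.

```python
"""Batch control totals over a constructed batch of purchase-ledger postings.

Added example, not from the original slides. The preparer computes four header
totals (financial total, hash total, record count, line count) before the batch
is keyed; the same totals are recomputed afterwards so that a dropped record, a
mis-keyed document number or an altered amount shows up as a mismatch.
Cross-footing is shown on a constructed report with stored row and column totals.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Posting:
    invoice_no: int      # document key; only ever summed as a hash total
    lines: int           # number of data lines keyed for this document
    amounts: tuple       # euro amount of each line (constructed sample data)

    @property
    def amount(self) -> Decimal:
        return sum(self.amounts, Decimal("0"))


def batch_totals(batch) -> dict:
    """Compute the control totals a preparer writes on the batch header."""
    return {
        "financial_total": sum((p.amount for p in batch), Decimal("0")),  # sum of a euro field
        "hash_total": sum(p.invoice_no for p in batch),     # sum of a field not otherwise added
        "record_count": len(batch),                          # documents in the batch
        "line_count": sum(p.lines for p in batch),           # data lines in the batch
    }


def verify_batch(header_totals, processed_batch):
    """Recompute the totals from what the system actually processed and
    return the names of the control totals that no longer agree with the header."""
    actual = batch_totals(processed_batch)
    return [name for name, expected in header_totals.items() if actual[name] != expected]


def cross_foot(cells, row_totals, col_totals) -> bool:
    """Cross-footing: the stored row totals and stored column totals must each
    agree with the cells, and both must foot to the same grand total."""
    rows_ok = all(sum(r, Decimal("0")) == t for r, t in zip(cells, row_totals))
    cols_ok = all(sum(c, Decimal("0")) == t for c, t in zip(zip(*cells), col_totals))
    grand_ok = sum(row_totals, Decimal("0")) == sum(col_totals, Decimal("0"))
    return rows_ok and cols_ok and grand_ok


# Constructed batch as prepared, and three ways it might come back from processing.
P1 = Posting(1234, 2, (Decimal("100.00"), Decimal("50.00")))
P2 = Posting(1235, 1, (Decimal("80.25"),))
P3 = Posting(1236, 3, (Decimal("10.00"), Decimal("20.00"), Decimal("30.00")))
PREPARED_BATCH = [P1, P2, P3]
HEADER = batch_totals(PREPARED_BATCH)

DROPPED_RECORD = [P1, P2]                                  # P3 lost: every total moves
TRANSPOSED_KEY = [P1, Posting(1253, 1, P2.amounts), P3]    # 1235 keyed as 1253: only the hash total moves
ALTERED_AMOUNT = [Posting(1234, 2, (Decimal("100.00"), Decimal("5.00"))), P2, P3]  # only the financial total moves

if __name__ == "__main__":
    print("header:", HEADER)
    for label, batch in [("dropped record", DROPPED_RECORD),
                         ("transposed key", TRANSPOSED_KEY),
                         ("altered amount", ALTERED_AMOUNT)]:
        print(f"{label}: mismatching totals {verify_batch(HEADER, batch)}")
    report = [[Decimal("10"), Decimal("20")], [Decimal("30"), Decimal("40")]]
    print("cross-foot ok:", cross_foot(report, [Decimal("30"), Decimal("70")], [Decimal("40"), Decimal("60")]))
```

The point the scenarios make is that the totals are complementary: a transposed document number leaves the financial total, record count and line count untouched and is caught only by the hash total, while an altered amount is caught only by the financial total.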
INDEPENDENT IT CONTROLS ON PERFORMANCE
Auditors must understand the following basic IT controls:
1. How transactions are initiated
2. How data are captured in machine-readable form or converted from source documents
3. How computer files are accessed & updated
4. How data are processed to prepare information
5. How information is reported
All of these items make it possible to have an IT audit trail.
An IT audit trail exists when individual company transactions can be traced
end-to-end through the IT system.
TOP AUDIT CONCERNS OF AUDIT COMMITTEES
THE WAY TOWARDS VALUE-ADDED IT AUDIT
IT CONTROLS
• IT controls continue to increase in
importance to organisations
• Corporate reliance on IT increases
• Compliance requirements increase
• IT control deficiencies can have a significant
impact on any organisation
PwC 2014 state of the internal audit profession study
VALUE PROPOSITION
www.isaca.org/cobit
IT AUDIT REPORT WRITING PHASES
TYPES OF IT AUDIT ENGAGEMENTS
Review
• provide limited assurance about an assertion.
• consists primarily of review work (less emphasis on testing).
• can be more process oriented, focusing on the appropriateness of the
tasks and activities that the audit entity performs and the associated
controls. The level of evidence that is gathered is less than in an audit,
and testing is generally limited or none is performed.
• do not include audit opinions. Conclusions may often be stated
negatively. Example: ‘Nothing came to our attention to indicate that the assertion is not
true’.
TYPES OF IT AUDIT ENGAGEMENTS
Examination
• Systematic process by which a competent, independent person
objectively obtains & evaluates evidence regarding assertions about
an entity or event, processes, operations or internal controls, for the
purpose of forming an opinion & providing a report on the degree to
which the assertions conform to an identified set of standards.
• Attestation process that provides the highest level of assurance about
an assertion that an IT auditor can provide.
• Gathering & evaluating sufficient, competent evidence and performing
appropriate tests and other procedures to form the opinion about an
assertion for presentation in an IT audit report.
TYPES OF IT AUDIT ENGAGEMENTS
Agreed-upon Procedures Engagement
A third party & the IT auditor agree on specific procedures that will be performed to obtain evidence on which the third party is willing to rely as a basis for a conclusion. The agreed-upon level of evidence may be significantly limited or extensive. The IT auditor may need to obtain a substantial amount of evidence (in some cases, more than is required for an IT audit).
The IT audit report should include a statement that the sufficiency of the procedures is solely the responsibility of the responsible parties & a disclaimer of responsibility for the sufficiency of those procedures. The report relates only to the elements specified & does not extend beyond them.
CAATS
Computer programs & data that the IT auditor uses as part of audit procedures to process data of significance contained in a computer system.
CAATS USAGE
· Calculation checks: e.g. the program gives the total amount of the individual entries in the purchases day book for a particular period. The auditor then agrees this total amount to the amount posted to the purchases ledger control account.
· Detecting system rule violations: e.g. the program checks that no customer has a balance above the specified credit limit.
· Detecting unreasonable items: e.g. the program checks that no customer has a discount of 50% or a sales ledger balance greater than the amount of sales made to that customer.
· New calculation & analysis: e.g. statistical analysis of inventory movements to identify slow-moving items.
· Selecting items for audit testing: e.g. obtaining a stratified sample of sales ledger balances to be used as a basis for a circularization of debtors.
· Completeness checks: e.g. checking the continuity of sales invoice numbers to ensure they are all accounted for.
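Four of the CAAT uses listed above (rule violation, unreasonable items, stratified selection, completeness) are simple enough to implement directly, and doing so shows what the auditor actually receives from each test. The following is an added example, not code from the slides or from any audit tool: a constructed sales-ledger extract and a constructed list of invoice numbers are checked with plain Python functions. The field names (`credit_limit`, `balance`, `sales_ytd`, `discount_pct`), the 50% threshold and the balance bands are assumptions for the example.

```python
"""CAAT checks run over a constructed sales ledger.

Added example, not from the original slides. It implements four of the CAAT
uses from the slide: credit-limit rule violations, unreasonable items,
completeness of the invoice number sequence, and a stratified selection of
balances for circularisation of debtors. All data is constructed.
"""
import random
from decimal import Decimal

# Constructed sales-ledger extract: one row per customer account (field names assumed).
SALES_LEDGER = {
    "C001": {"credit_limit": Decimal("5000"), "balance": Decimal("4200"),
             "sales_ytd": Decimal("12000"), "discount_pct": 10},
    "C002": {"credit_limit": Decimal("2000"), "balance": Decimal("2650"),   # over its limit
             "sales_ytd": Decimal("3000"), "discount_pct": 5},
    "C003": {"credit_limit": Decimal("8000"), "balance": Decimal("1500"),   # 55% discount, balance > sales
             "sales_ytd": Decimal("1000"), "discount_pct": 55},
    "C004": {"credit_limit": Decimal("1000"), "balance": Decimal("0"),
             "sales_ytd": Decimal("900"), "discount_pct": 0},
}

# Constructed sales day-book invoice numbers: two gaps (5004, 5007) and one duplicate (5006).
INVOICE_NUMBERS = [5001, 5002, 5003, 5005, 5006, 5006, 5008]


def check_credit_limits(ledger):
    """Rule violation: every balance must stay within the customer's credit limit.
    Returns (customer, amount over the limit) for each breach."""
    return sorted((cust, row["balance"] - row["credit_limit"])
                  for cust, row in ledger.items()
                  if row["balance"] > row["credit_limit"])


def check_unreasonable_items(ledger, max_discount_pct=50):
    """Unreasonable items: a discount at or above the threshold, or a ledger
    balance larger than the sales made to that customer."""
    findings = []
    for cust, row in sorted(ledger.items()):
        if row["discount_pct"] >= max_discount_pct:
            findings.append((cust, f"discount {row['discount_pct']}% >= {max_discount_pct}%"))
        if row["balance"] > row["sales_ytd"]:
            findings.append((cust, f"balance {row['balance']} exceeds sales {row['sales_ytd']}"))
    return findings


def check_invoice_continuity(numbers):
    """Completeness: report invoice numbers missing from the sequence and
    numbers that appear more than once (a duplicate is a finding in its own right)."""
    if not numbers:
        return {"missing": [], "duplicates": []}
    seen, duplicates = set(), set()
    for n in numbers:
        if n in seen:
            duplicates.add(n)
        seen.add(n)
    expected = set(range(min(seen), max(seen) + 1))
    return {"missing": sorted(expected - seen), "duplicates": sorted(duplicates)}


def stratified_sample(ledger, bands, per_stratum, seed=1):
    """Selecting items for testing: stratify balances into [lo, hi) bands and
    draw up to per_stratum accounts from each. The seeded RNG makes the
    selection reproducible from the working papers."""
    rng = random.Random(seed)
    sample = {}
    for lo, hi in bands:
        members = sorted(c for c, row in ledger.items() if lo <= row["balance"] < hi)
        sample[(lo, hi)] = sorted(rng.sample(members, min(per_stratum, len(members))))
    return sample


if __name__ == "__main__":
    print("over credit limit:", check_credit_limits(SALES_LEDGER))
    print("unreasonable items:", check_unreasonable_items(SALES_LEDGER))
    print("invoice continuity:", check_invoice_continuity(INVOICE_NUMBERS))
    print("sample:", stratified_sample(SALES_LEDGER, [(0, 1000), (1000, 3000), (3000, 10**9)], 1))
```

Each function returns its findings as data rather than printing them, so the same run can feed an exception report and be re-executed at the next period end against the refreshed extract.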
CAATS ADVANTAGES
· Test programmed controls: in an IT accounting system there is a large volume of transactions which the auditor has to audit, and the auditor has to check whether the programmed controls are functioning correctly. The only effective way of testing programmed controls is through CAATs.
· Test large volumes of data: CAATs enable auditors to test large amounts of data quickly & accurately and increase the confidence they have in their opinion.
· Test data at its source location: CAATs enable auditors to test the accounting system & its records at their source location rather than testing printouts of what they believe to be a copy of those records.
· Cost effective: once set up, CAATs are a cost-effective way of obtaining audit evidence year after year, provided that the client does not change the accounting system.
· Comparison: results obtained using CAATs can be compared to traditional testing. Where the two results agree, this increases the overall audit confidence.
ISO15504
Level 0 - Incomplete
Level 1 - Performed: PA1.1 Process Performance
Level 2 - Managed: PA2.1 Performance Management, PA2.2 Work Product Management
Level 3 - Established: PA3.1 Definition, PA3.2 Deployment
Level 4 - Predictable: PA4.1 Measurement, PA4.2 Control
Level 5 - Optimising: PA5.1 Innovation, PA5.2 Optimisation
[Figure: rating matrix of the process attributes for capability levels 1 to 5, each cell rated L/F or F]
L/F = Largely or Fully, F = Fully
SOME PREDICTIONS
PREDICTIONS INTRODUCTION
• Users want to be provided with more information about business organisations, rather than less.
• Demand for information is driven by business clients, customers, oversight authorities and legislatures: the audit plan can change in the middle of the current quarter and sometimes even on a day-to-day basis.
• Trend: better, faster and more comprehensive reporting.
• Strong interest in independent assessment & reporting of organisational compliance with laws & regulations.
PREDICTION: INTEGRATED REPORTING
Objective of integrated reporting = provide a more detailed picture of the organisation’s efforts to:
• Produce and sustain value
• Identify and manage risk
• Employ and develop human capital
• Meet legal requirements
• Address corporate and social responsibility
Audit reports include more in-depth non-financial reporting.
Shift from solely lag indicators (as found in traditional reporting) to lead or forward indicators, with increased focus on management & performance capabilities.
PREDICTION: USE OF TECHNOLOGY IN REPORTING
Demand is likely to increase for using technology to present audit
results in a manner that quickly enables recipients to focus on the key
points of the audit.
Auditing standards provide a foundation for the auditing profession to
develop and issue professional audit reports.
Considerations of increased use of technology in the reporting
process must be benchmarked against applicable auditing standards.
CONTACT DETAILS
marc@vael.net
http://www.linkedin.com/in/marcvael
@marcvael
Marc Vael
CISA, CISM, CRISC, CGEIT, ITIL SM, Prince2 F, Guberna Certified Director
Chief Audit Executive
SMALS vzw
Fonsnylaan 20
1060 Brussel
+32 473 99 30 31

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

Value-added IT auditing

  • 1. VALUE-ADDED IT AUDITING MARC VAEL, BRUSSELS, MAY 2015
  • 2. AGENDA ▪ What does IT audit mean to you? ▪ Traditional IT audit ▪ Top audit concerns of audit committees ▪ The way towards value-added IT audit ▪ Some predictions ▪ Questions
  • 3. WHAT DOES IT AUDIT MEAN TO YOU?
  • 8. TYPES OF INFORMATION FOR AN IT AUDITOR • Relevant information : relating to controls, tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls is most relevant. • Reliable information : accurate, verifiable and from an objective source. • Timely information : produced and used in a timeframe that makes it possible to prevent or detect control deficiencies before they become material to an enterprise. • Sufficient information : when evaluators have gathered enough of it to form a reasonable conclusion. For information to be sufficient, however, it must first be suitable. • Suitable information : relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source) and timely (i.e., produced and used in an appropriate time frame) information.
  • 9. TRADITIONAL IT AUDIT APPROACH (process diagram) Phases: Asset Identification, Threat Assessment, Vulnerability Assessment, Identification of Safeguards, Risk Determination, Reporting, Remediation Planning. Elements examined: Management strategies for IT and relevant policies, standards, guidelines or directives used to communicate these strategies to the organization. Proactive processes that turn policies into awareness programs, IT administration, change management and other activities. Technologies needed to provide the appropriate protection and support critical processes. Reactive processes that enable management to measure how well policies are implemented and followed and when they need to be changed.
  • 10. TYPICAL IT AUDIT ENGAGEMENTS A. General control examination or facility audit B. Application audit C. System development audit D. Technical or special topic audit
  • 11. IT CONTROLS The plan of organization & the methods a business uses to safeguard IT assets, provide accurate & reliable information, promote & improve operational IT efficiency, and encourage adherence to prescribed IT management policies. IT control procedure classifications: 1. Preventive / Detective / Corrective / Deterrent IT controls 2. General & Application IT controls 3. Administrative & Accounting IT controls 4. Input – Processing – Output IT controls
  • 12. GENERAL IT OPERATIONS 1. Change Management 2. System Development Life Cycle (SDLC) 3. Problem & Incident management 4. Back-up and data recovery 5. Project Management 6. Continuity Planning (CBCP and DRP)
  • 14. INDEPENDENT IT CONTROLS ON PERFORMANCE Independent checks that ensure transactions are processed accurately are another important control element. Types of independent IT controls –reconciliation of 2 independently maintained sets of records –comparison of actual quantities with recorded amounts –double-entry accounting (debits = credits) –batch totals
  • 15. INDEPENDENT IT CONTROLS ON PERFORMANCE Types of independent IT controls –batch totals: 5 types: 1 Financial total: sum of a euro field. 2 Hash total: sum of a field that would usually not be added. 3 Record count: number of documents processed by the IT system. 4 Line count: number of lines of data entered in the IT system. 5 Cross-footing: compares grand total of all rows with grand total of all columns to check that they are equal in the IT system.
  • 16. INDEPENDENT IT CONTROLS ON PERFORMANCE Auditors must understand the following basic IT controls: 1 How transactions are initiated 2 How data are captured in machine-readable form or converted from source documents 3 How computer files are accessed & updated 4 How data are processed to prepare information 5 How information is reported All of these items make it possible to have an IT audit trail. An IT audit trail exists when individual company transactions can be traced end-to-end through the IT system.
  • 29. IT CONTROLS • IT controls continue to increase in importance to organisations • Corporate reliance on IT increases • Compliance requirements increase • IT control deficiencies can have a significant impact on any organisation
  • 31. PwC 2014 state of the internal audit profession study
  • 40. IT AUDIT REPORT WRITING PHASES
  • 41. TYPES OF IT AUDIT ENGAGEMENTS Review • provide limited assurance about an assertion. • consists primarily of review work (less emphasis on testing). • can be more process oriented, focusing on the appropriateness of the tasks and activities that the audit entity performs and the associated controls. The level of evidence that is gathered is less than in an audit, and testing is generally limited or none is performed. • do not include audit opinions. Conclusions may often be stated negatively. Example: ‘Nothing came to our attention to indicate that the assertion is not true’.
  • 42. TYPES OF IT AUDIT ENGAGEMENTS Examination • Systematic process by which a competent, independent person objectively obtains & evaluates evidence regarding assertions about an entity or event, processes, operations or internal controls, for the purpose of forming an opinion & providing a report on the degree to which the assertions conform to an identified set of standards. • Attestation process that provides the highest level of assurance about an assertion that an IT auditor can provide. • Gathering & evaluating sufficient, competent evidence and performing appropriate tests and other procedures to form the opinion about an assertion for presentation in an IT audit report.
  • 43. TYPES OF IT AUDIT ENGAGEMENTS Agreed-upon Procedures Engagement Third party & IT auditor agree on specific procedures that will be performed to obtain evidence on which the third party is willing to rely as a basis for a conclusion. The agreed-upon level of evidence may be significantly limited or extensive. The IT auditor may need to obtain a substantial amount of evidence (in some cases, more than is required for an IT audit). The IT audit report should include a statement that the sufficiency of the procedures is solely the responsibility of the responsible parties & a disclaimer of responsibility for the sufficiency of those procedures. The report relates only to the elements specified & does not extend beyond them.
  • 44.
  • 45. CAATS Computer programs & data that the IT auditor uses as part of audit procedures to process data of significance contained in a computer system
  • 46. CAATS USAGE · Calculation checks: e.g. the program gives the total amount of the individual entries in the purchases day book for a particular period. The auditor then agrees this total to the amount posted to the purchases ledger control account. · Detecting rule violations: e.g. the program checks that no customer has a balance above the specified credit limit. · Detecting unreasonable items: e.g. the program checks that no customer has a discount of 50% or a sales ledger balance greater than the sales made to that customer. · New calculations & analysis: e.g. statistical analysis of inventory movements to identify slow-moving items. · Selecting items for audit testing: e.g. obtaining a stratified sample of sales ledger balances to be used as a basis for a circularization of debtors. · Completeness checks: e.g. checking the continuity of sales invoice numbers to ensure they are all accounted for.
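The batch-total types from slide 15 and the CAAT checks from slide 46, worked through in Python as an added example (not code from the presentation or its author). The sales-ledger lines, the credit limits and the deliberately missing invoice number are constructed sample data, and the function names are this example's own.

```python
"""Batch control totals and CAAT-style checks over a constructed sales batch.

Added example, not code from the presentation. The records, credit limits
and the deliberately missing invoice number below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SalesLine:
    invoice_no: int     # one invoice (record) may have several lines
    customer_id: int    # numeric but not meaningful to add: hash-total field
    net: float          # euro field: financial-total field
    vat: float
    discount_pct: float


# Constructed sample batch; invoice 1004 is intentionally absent and invoice
# 1003 carries a 55% discount so the checks below have something to find.
SAMPLE_BATCH = [
    SalesLine(1001, 501, 100.0, 20.0, 0.0),
    SalesLine(1001, 501, 50.0, 10.0, 0.0),
    SalesLine(1002, 502, 250.0, 50.0, 10.0),
    SalesLine(1003, 501, 400.0, 80.0, 55.0),
    SalesLine(1005, 503, 900.0, 180.0, 5.0),
]
CREDIT_LIMITS = {501: 1000.0, 502: 1000.0, 503: 500.0}  # constructed limits


def batch_totals(batch):
    """The five batch-total types: financial, hash, record count, line count,
    cross-footing. The preparer computes these before input; the system
    recomputes them after input and any difference flags the batch."""
    net_total = sum(ln.net for ln in batch)
    vat_total = sum(ln.vat for ln in batch)
    row_grand = sum(ln.net + ln.vat for ln in batch)   # total of the row totals
    col_grand = net_total + vat_total                  # total of the column totals
    return {
        "financial_total": net_total,                          # sum of a euro field
        "hash_total": sum(ln.customer_id for ln in batch),     # field not normally summed
        "record_count": len({ln.invoice_no for ln in batch}),  # documents processed
        "line_count": len(batch),                              # lines entered
        "cross_foot_ok": abs(row_grand - col_grand) < 0.005,
    }


def calculation_check(batch, posted_control_total):
    """Recompute the day-book gross total and agree it to the control account."""
    recomputed = round(sum(ln.net + ln.vat for ln in batch), 2)
    return recomputed == round(posted_control_total, 2)


def credit_limit_violations(batch, limits):
    """Rule violation: customers whose ledger balance exceeds their credit limit."""
    balances = {}
    for ln in batch:
        balances[ln.customer_id] = balances.get(ln.customer_id, 0.0) + ln.net + ln.vat
    return sorted(c for c, bal in balances.items() if bal > limits.get(c, 0.0))


def unreasonable_discounts(batch, max_pct=50.0):
    """Unreasonable items: invoices discounted beyond the ceiling."""
    return sorted({ln.invoice_no for ln in batch if ln.discount_pct > max_pct})


def missing_invoice_numbers(batch):
    """Completeness check: gaps in the invoice number sequence."""
    present = {ln.invoice_no for ln in batch}
    lo, hi = min(present), max(present)
    return [n for n in range(lo, hi + 1) if n not in present]


if __name__ == "__main__":
    print(batch_totals(SAMPLE_BATCH))
    print("agrees to control account:", calculation_check(SAMPLE_BATCH, 2040.0))
    print("over credit limit:", credit_limit_violations(SAMPLE_BATCH, CREDIT_LIMITS))
    print("unreasonable discounts:", unreasonable_discounts(SAMPLE_BATCH))
    print("missing invoices:", missing_invoice_numbers(SAMPLE_BATCH))
```

Each check returns the exceptions rather than printing them, so the same functions can be run against a full extract of the ledger and the result lists become the audit working paper; the hash total is the only one of the five that is meaningless as a figure and valuable purely as a tamper indicator.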
  • 47. CAATS ADVANTAGES · Test programmed controls: in an IT accounting system there is a large volume of transactions which the auditor will have to audit. The auditor will have to check whether the programmed controls are functioning correctly. The only effective way of testing programmed controls is through CAATs. · Test on large volumes of data: CAATs enable auditors to test large amounts of data quickly & accurately and increase the confidence they have in their opinion. · Test at the source location of data: CAATs enable auditors to test the accounting system & its records at their source location rather than testing printouts of what they believe to be a copy of those records. · Cost effective: once set up, CAATs are a cost-effective way of obtaining audit evidence year after year, provided that the client does not change the accounting system. · Comparison: results obtained using CAATs can be compared with those of traditional testing. Where the two results agree this increases the overall audit confidence.
  • 57. (Capability level table) Level 0 - Incomplete. Level 1 - Performed: PA1.1 Process Performance. Level 2 - Managed: PA2.1 Performance Management, PA2.2 Work Product Management. Level 3 - Established: PA3.1 Definition, PA3.2 Deployment. Level 4 - Predictable: PA4.1 Measurement, PA4.2 Control. Level 5 - Optimising: PA5.1 Innovation, PA5.2 Optimisation. Rating table: a process reaches a level when the process attributes of that level are rated L/F and those of every lower level are rated F (level 1: PA1.1 L/F; level 2: PA1.1 F, PA2.1 and PA2.2 L/F; level 3: PA1.1, PA2.1, PA2.2 F, PA3.1 and PA3.2 L/F; and so on up to level 5). L/F = Largely or Fully, F = Fully.
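Deriving a capability level from process-attribute ratings, as an added example in Python (not the presentation's own material). It applies the rule the table encodes: a level is reached when its own attributes are Largely or Fully achieved and every lower level's attributes are Fully achieved. The attribute identifiers follow slide 57; the rating letters N/P/L/F, the function names and the sample ratings are assumptions of this example.

```python
"""Capability level from process-attribute ratings (added example).

Applies the rating rule shown in the level table: a process reaches level N
when the attributes of level N are rated L or F and the attributes of every
lower level are rated F. Rating letters N/P/L/F are this example's assumption.
"""

# Process attributes per capability level, identifiers as on the slide
PROCESS_ATTRIBUTES = {
    1: ["PA1.1"],           # Process Performance
    2: ["PA2.1", "PA2.2"],  # Performance Management, Work Product Management
    3: ["PA3.1", "PA3.2"],  # Definition, Deployment
    4: ["PA4.1", "PA4.2"],  # Measurement, Control
    5: ["PA5.1", "PA5.2"],  # Innovation, Optimisation
}
LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed",
               3: "Established", 4: "Predictable", 5: "Optimising"}


def capability_level(ratings):
    """ratings maps attribute id to 'N', 'P', 'L' or 'F'; unrated counts as 'N'."""
    achieved = 0
    for level in range(1, 6):
        own_ok = all(ratings.get(pa, "N") in ("L", "F")
                     for pa in PROCESS_ATTRIBUTES[level])
        lower_ok = all(ratings.get(pa, "N") == "F"
                       for lower in range(1, level)
                       for pa in PROCESS_ATTRIBUTES[lower])
        if not (own_ok and lower_ok):
            break  # a higher level cannot be reached past a failed one
        achieved = level
    return achieved


def describe(ratings):
    """Human-readable level label in the slide's 'Level N - Name' form."""
    lvl = capability_level(ratings)
    return f"Level {lvl} - {LEVEL_NAMES[lvl]}"


if __name__ == "__main__":
    # Constructed sample: PA2.2 is only Largely achieved, so level 3 is not reached
    sample = {"PA1.1": "F", "PA2.1": "F", "PA2.2": "L", "PA3.1": "L", "PA3.2": "F"}
    print(describe(sample))
```

The early break is the point of the rule: strong ratings on PA3.x or PA4.x do not raise the level while any lower attribute is less than Fully achieved, which is why assessors rate from level 1 upward and stop at the first shortfall.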
  • 60. PREDICTIONS INTRODUCTION • Users want to be provided with more information about business organisations, rather than less. • Demand for information is driven by business clients, customers, oversight authorities and legislatures: the audit plan can change in the middle of the current quarter and sometimes even changes on a day-to-day basis. • Trend: better, faster and more comprehensive reporting. • Strong interest in independent assessment & reporting of organisational compliance with laws & regulations.
  • 63. PREDICTION: INTEGRATED REPORTING Objective of integrated reporting = provide a more detailed picture of the organisation’s efforts to: • Produce and sustain value • Identify and manage risk • Employ and develop human capital • Meet legal requirements • Address corporate and social responsibility. Audit reports include more in-depth non-financial reporting. Shift from solely lag indicators (as found in traditional reporting) to lead or forward indicators with increased focus on management & performance capabilities.
  • 64. PREDICTION: USE OF TECHNOLOGY IN REPORTING Demand is likely to increase for using technology to present audit results in a manner that quickly enables recipients to focus on the key points of the audit. Auditing standards provide a foundation for the auditing profession to develop and issue professional audit reports. Considerations of increased use of technology in the reporting process must be benchmarked against applicable auditing standards.
  • 70. CONTACT DETAILS marc@vael.net http://www.linkedin.com/in/marcvael @marcvael Marc Vael CISA, CISM, CRISC, CGEIT, ITIL SM, Prince2 F, Guberna Certified Director Chief Audit Executive SMALS vzw Fonsnylaan 20 1060 Brussel +32 473 99 30 31