fisa (presentation transcript), uploaded by kolambekar.manish, added January 03, 2012

Fundamentals of Information Systems Auditing
Presented by Karl H. Heins, CPA, CMA, CISA
University of California
February 25-26, 2002

Introductions
- Name
- Office
- Background in auditing
- Background in IT auditing
- What you would like to take away from the course

Goals of This Session
- To understand basic IT processes
- To understand IT controls
- To understand how to approach IT auditing
- To know when to bring in an IT specialist

Course Topics
Through lectures, discussions and exercises this course will cover:
- IT Audit, IT Control & IT Control Objectives
- Risk Assessment
- IT Audit standards
- Application Controls
- Transaction Life cycle
- Application Processes
- General Controls

Course Topics (cont.)
- IT Policies
- Logical & Physical Security
- Software Acquisition, Development & Change Management
- Data Base Systems and Systems Software issues
- Business Contingency Planning
- Networks, Telecommunications & Networks Basics
- Systems Development
- Computer Assisted Audit Techniques

Information Systems Auditing
- Objectives
- Management risks
- Components of internal control
- Scope
  - General
  - Application
- Roles of IT auditors

Role of Management Policies
- Management direction
- Staff guidance
- Consistency of application
- Dynamic, not static

COBIT Influences
- Framework & background
- Audit objectives
- Audit guidelines

COBIT Control Objectives
High level:
- Planning & organization
- Acquisition & implementation
- Delivery & support
- Monitoring

Planning & Organization
- Define strategic IT plan
- Define information architecture
- Determine IT direction
- Define IT org and relationships
- Managing IT investment
- Communicate management direction
- Manage human resources
- Ensure external compliance
- Assess risks
- Manage projects
- Manage quality

Acquisition & Implementation
- Identify solutions
- Acquire & maintain application software
- Acquire & maintain IT architecture
- Develop & maintain IT procedures
- Install & accredit systems
- Manage changes
- Define service levels
- Manage third-party services
- Manage performance and capacity
- Ensure continuous service

Delivery and Support
- Ensure systems security
- Identify & attribute costs
- Educate and train users
- Assist & advise IT customers
- Manage the configuration
- Manage problems & incidents
- Manage data
- Manage facilities

Monitoring
- Manage operations
- Monitor the processes
- Assess internal control adequacy
- Obtain independent assurance
- Provide the independent audit

Standards
- AICPA
- IIA
- ISACA
- International
- Government

Standard for Information Systems Auditing
- Audit charter
- Independence
- Professional ethics and standards
- Competence
- Planning
- Performance of audit work
- Reporting
- Follow-up activities

Statement on Auditing Standards
- #1 – Independence: attitude and appearance; organizational relationship
- #2 – Independence: involvement in systems development process
- #3 – Performance of work: evidence requirement
- #4 – Performance of work: due professional care

Statement on Auditing Standards (cont.)
- #5 – Performance of work: risk assessment in audit planning
- #6 – Performance of work: audit documentation
- #7 – Reporting: audit reports
- #8 – Performance of work: audit consideration for irregularities
- #9 – Performance of work: use of audit software tools

IS Policies
- IS-1, Computer Center Fiscal Operations
- IS-2, Guidelines for Data Requests to Campuses by Administrative Units of the Office of the President
- IS-3, Electronic Information Security
- IS-3 Implementing Guidelines
- Electronic Communications Policy
- IS-7, Guidelines for Maintenance of the University Payroll System
- IS-8, Guidelines for Campus and Office of the President Acquisitions Involving Computing
- IS-9, Electronic Data Interchange
- IS-9, Attachment: Trading Partner Agreement
- IS-10, Systems Development Standards

Application Controls Review
- Objective?
- Content?
- Who benefits?

Applications Review Scope
- Transactions
- Controls
- Environments
- User operations
- Audit trails

Application Controls: Transaction life cycle
- Data origination
- Data preparation
- Data entry
- Data transmission
- Data processing
- Data output

Application Transaction Life Cycle
(Diagram slide. Elements shown: Input, Process, Output, Data Preparation, Data Origination, Transaction Processing, Information, Data Entry, Data Storage.)

Application Controls: Transaction origination – Source document design and storage
- User procedures and manuals
- Special purpose forms
- Transaction ID codes
- Cross reference indices
- Alternate documents where applicable

Application Controls: Transaction origination – Authorization
- Separation of duties
- Written authorizations
- Signatures, stamps and other evidence of approval
- Automated authorization/suspense

Application Controls: Transaction origination – Input preparation
- Transaction numbering
- Batch serial numbering
- Balance batches to point of origin
- Logs
- Transmittal documents
- Turnaround documents

Application Controls: Transaction origination – Source document retention
- Retention dates on source documents
- Filing
- Security
- Disposal procedures

Application Controls: Transaction origination – Source document error handling
- Written procedures
- Logging
- Notification
- Verifying re-entered data
- Monitoring corrections

Application Controls: Transaction entry – batch – Transaction data validation
- Pre-programmed formats
- Key verification
- Editing and validation routines
- Transaction data cutoff

Application Controls: Transaction entry – batch (cont.) – Batch proof and balancing
- Processing schedules
- Turnaround documents
- Cancellation of source documents
- Logging
- Batch controls
- Batch header records

Application Controls: Transaction entry – batch (cont.) – Transaction entry error handling
- Pre-staging input edits
- Error messages
- Verifying re-entered data
- Monitoring corrections
- Adjusting control totals if records are removed or modified

Application Controls: Transaction entry – online – Terminals used for data entry
- Based on terminal identification
- Terminal location
- Based on number of times an application or transaction is invoked

Application Controls: Transaction entry – online – Security
- Passwords
- Restrictions based on unsuccessful entry
- Terminal time-outs
- Secure building wiring and wire closets
- Message identification
- Security table
- Network configuration polling table

Application Controls: Transaction entry – online – User identification/authentication
- Passwords
- Questions and answers
- Keys, cards and tokens
- Biometrics such as fingerprint, retina scan, voice

Application Controls: Transaction entry – online – Authorization to complete a transaction
- Terminal ID or location
- Application
- Transaction
- File
- Data element

Application Controls: Transaction entry – online – Message completeness
- All mandatory fields are complete

Application Controls: Transaction entry – online – Message integrity
- Hash totals and check digits
- Cyclic redundancy check (CRC) totals
- Message sequence numbers
- Message acknowledgements

Application Controls: Transaction entry – online – Transaction data validation
- Interactive editing
- Management error monitoring
- Reconciliation

Application Controls: Computer processing
- Control totals
- Defaults
- Anticipation
- Exception handling
- Operator instructions
- Balancing
- Destructive update

Application Controls: Telecommunications – Message integrity
- Logins (system, application and network)
- Message acknowledgements
- Sequencing
- Integrity checks
- Encryption

Application Controls: Telecommunications – Network availability
Preparation against outages:
- Communication
- Power
- Hardware
- Software

Application Controls: Data storage and retrieval – File handling
- Header labels
- Master file changes
- Dormant files
- Scanning dormant files
- Backup procedures/contingency planning
- Program change control
- Excessive activity
- Access control
- Restart procedures

Application Controls: DBMS controls
- Administration
- Views
- System logging
- Rollback/roll forward capabilities

Application Controls: Output processing – Controlled documents
- Negotiable document controls
- Sequence number printing

Application Controls: Output processing – Reconciling
- Output to input
- JCL
- System output reports
- SMF audit trails
- Report distribution: handling procedures, copy control

Application Controls: Output processing – User review
- Headers & footers
- Output reconciliation
- Control totals
- Confirmations
- APIs
- Exception processing activity
- Data in decision making

Application Controls: Output processing – Records retention
- Waste disposal
- Deletion of unused reports
- Record retention requirements

Application Controls: Output processing – Output error handling
- Aging open items
- Error logging by control groups
- Responsibility and accountability for error corrections
- Error notification
- Edit and verification of re-entered data

Application Controls: Output processing – Output review
- Departmental review
- Operator activity
- Exception processing analysis

Application Processes
Key information:
- User procedures
- Programs and interfaces
- Transactions
- Data files

Application Environments
Applications in an integrated system:
- Where is the application?
- Where is the data?
- Where are the transactions entered?
- Where are the exposures?

Application Audit Trails
Method to track transactional data:
- Persons initiating transactions
- Programs initiating transactions
- Result of the transactions
- All documented

Systems Development – IS-10
Methodologies:
- Traditional
- Prototyping
- Vendor package purchase
Audit involvement?
- Participatory
- Independent

Systems Development – IS-10 (cont.)
- Roles and Responsibilities *
- Planning and Management *
- Project Proposal
- Request for Information
- System Definition
- Prototyping
- Requirements Definition
- Request for Proposal
- Feasibility Study
- Vendor Contract and Plan
- General Design

Systems Development (cont.)
- Detail Design
- Programming and Unit Testing
- System Testing *
- Implementation *
- Documentation Standards *
- Post Implementation Review *
- Data Retention *
- Privacy *
- Maintenance *
(* Applies to all development tracks)

Today's Development Environment
- Dynamic
- Need
- Technology
- Interactive
- Economic pressures
- Resource availability

Audit Service
- Expertise
- Selective participation
- Management representation
- Realistic independence
- Audit methodology and project

Review of General Controls
- Objective
- Content
- Who benefits
- Effect on audit planning

General Controls
- Management
- Hardware
- Software
- System support
- Database
- Networking
- Logical security
- Operations
- Continuity
- Physical security
- Systems development

General Controls: Management
- Organization
- Planning
- Training
- Security
- Resource management
- Facilities
- Operations

General Controls: Hardware
- Hardware interaction
- Processors: mainframes, desktops, laptops
- Input devices
- Tape
- Cartridge
- Output devices

General Controls: Software
- Systems interactions
- Operating systems
- Applications
- Integrated systems
- Utilities

Software Functions
- Application processing
- Data processor
- Online management
- Communications
- Transaction control
- Access control
- Operating system function

Software Implementation and Maintenance
- Compiling and linking
- Change management

Compiling and Linking
(Diagram slide: Source -> Compiler (source list & error list) -> Object -> Linker (source list & error list) -> Executable)

Software Maintenance Change Process
(Diagram slide)
- Management: user dissatisfaction -> change request -> approval
- Programming: copy to test -> coding -> testing -> approval
- Operations: to production -> approval

General Controls: Program Integrity
- Program integrity
- Testing
- Access
- Maintenance

General Controls: System Support
- Primary objective
- Control environment
- Central vs. decentralized
- Control requirements

General Controls: Database
- Defined
- Logical view
- Physical view
- Products
- How they work

Information Network
(Diagram slide)

General Controls: Networking
Basics of networking:
- Topologies
- Protocols
- Components
- Internal connectivity
- Performance

General Controls: Network Configurations
- Centralized
- Decentralized
- Distributed
- Client-server

General Controls: Networking (cont.)
- Internet, intranet, extranet technologies
- Services
- External connectivity
- Objectives
- Protection steps
- Firewall configuration
- Website issues
- Distributed executables
- "Cookies"

General Controls: Physical Security
- Physical protections
- Practices
- Facilities

General Controls: Logical Security
- Policies – IS-3
- Passwords
- Practices

General Controls: Operations
- Data center operations
- Scheduling
- Media management
- Production environment

General Controls: Programming
System programming:
- Critical functions
- Controlling functions
- Make the system programmer your friend
Application programming:
- Program maintenance
- Roles of the programmer

General Controls: Continuity Planning
- Proper planning
- Scenarios
- Sufficient resources and commitment
- Human side
- Media management
- Inventory
- Processes
- Onsite and offsite verification

General Controls: Continuity Planning (cont.)
- Analysis of threats
- Analysis of processes
- Consideration of alternatives
- Selection and development of a plan
- Documentation to support the plan
- Test of the plan

CAATs – Computer Assisted Audit Techniques
Audit tools:
- ACL
- Hummingbird
- Focus
- Traditional
- Non-traditional

Why use CAATs
- Electronic data
- Validate processing
- Audit requirement for testing

Usage of CAATs
- Functional
- Real time data capture
- Data analysis
- Confirmation of data

CAATs techniques
- Program simulation
- ITF
- Embedded audit module
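As an added example (not from the presentation), the batch proof-and-balancing and message-integrity controls listed under Application Controls, recomputed over the detail records the way a CAAT data-analysis step would: control totals, hash totals, check digits, sequence numbers, and adjusting the control totals when a record is removed. The header fields, the Luhn mod-10 check-digit scheme and the sample batches are assumptions.

```python
"""Batch balancing recomputed from detail records (constructed example)."""
from collections import Counter
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    seq: int          # transaction/message sequence number within the batch
    account: str      # account number; its last digit is a check digit
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    batch_no: int
    record_count: int       # how many detail records the originator sent
    amount_total: Decimal   # financial control total
    hash_total: int         # sum of account numbers; meaningless except as a control


def luhn_valid(number: str) -> bool:
    """Check-digit test (assumption: Luhn mod 10). Catches single-digit keying
    errors and most adjacent transpositions in an account number."""
    if not number.isdigit():
        return False
    total = 0
    for pos, digit in enumerate(reversed(number)):
        d = int(digit)
        if pos % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def balance_batch(header: BatchHeader, txns: list[Transaction]) -> list[str]:
    """Recompute the header's control totals from the detail records and check
    sequence numbers and check digits. Returns finding codes; [] means the
    batch balances and can be released for processing."""
    findings: list[str] = []
    if len(txns) != header.record_count:
        findings.append("record_count")
    if sum((t.amount for t in txns), Decimal("0")) != header.amount_total:
        findings.append("amount_total")
    if sum(int(t.account) for t in txns if t.account.isdigit()) != header.hash_total:
        findings.append("hash_total")
    # Sequence numbers: a duplicate or a gap means a record was keyed twice or lost.
    seen = Counter(t.seq for t in txns)
    for seq, n in sorted(seen.items()):
        if n > 1:
            findings.append(f"sequence_duplicate:{seq}")
    if txns:
        first = min(seen)
        for seq in range(first, first + len(txns)):   # batch should be contiguous
            if seq not in seen:
                findings.append(f"sequence_gap:{seq}")
    for t in txns:
        if not luhn_valid(t.account):
            findings.append(f"check_digit:{t.account}")
    return findings


def remove_record(header: BatchHeader, txns: list[Transaction], seq: int):
    """Drop a rejected record and adjust the control totals with it, so the
    corrected batch still balances against its header."""
    gone = [t for t in txns if t.seq == seq]
    kept = [t for t in txns if t.seq != seq]
    new_header = replace(
        header,
        record_count=header.record_count - len(gone),
        amount_total=header.amount_total - sum((t.amount for t in gone), Decimal("0")),
        hash_total=header.hash_total - sum(int(t.account) for t in gone),
    )
    return new_header, kept


# Constructed sample data. Accounts 1000000008, 2000000006 and 3000000004 carry
# valid Luhn check digits; 3000000005 does not.
HEADER = BatchHeader(batch_no=7, record_count=3,
                     amount_total=Decimal("1325.50"), hash_total=6000000018)
CLEAN_BATCH = [
    Transaction(101, "1000000008", Decimal("250.00")),
    Transaction(102, "2000000006", Decimal("75.50")),
    Transaction(103, "3000000004", Decimal("1000.00")),
]
# Same header, but the third record was keyed with a repeated sequence number,
# a mis-keyed account number and a wrong amount.
KEYING_ERROR_BATCH = [
    Transaction(101, "1000000008", Decimal("250.00")),
    Transaction(102, "2000000006", Decimal("75.50")),
    Transaction(102, "3000000005", Decimal("100.00")),
]

if __name__ == "__main__":
    print("clean batch:", balance_batch(HEADER, CLEAN_BATCH))
    print("keying errors:", balance_batch(HEADER, KEYING_ERROR_BATCH))
```

Running it reports no findings for the clean batch and five for the mis-keyed one (amount total, hash total, duplicate sequence 102, gap at 103, failed check digit), which is the set of exceptions a control group would have to resolve before release.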