Sigma Technology Partners Information Systems Audit Methodology

Sigma Technology Partners
Page 1
Compliance | Risk Management | IT Governance | Assurance
IT Audit Methodology
Our methodology has been developed in accordance with industry standards and as recommended by various audit regulatory bodies, following the guidelines of the Committee of Sponsoring Organizations (COSO), the Federal Information System Controls Audit Manual (FISCAM), NIST Special Publication 800-53, the Federal Information Security Management Act (FISMA) and the Financial Systems Integration Office (FSIO). The starting point of this methodology is to carry out planning activities geared towards integrating a risk-based audit approach into the IS audit.
Phase 1 – Opening Conference and Audit Planning
During the opening conference meeting, the client describes the unit or system to be reviewed, the organization, the available resources (personnel, facilities, equipment), and other relevant information. The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. It is important that the client identifies issues or areas of special concern that should be addressed.
In this phase we plan the information system coverage to meet the audit objectives specified by the client and to ensure compliance with all laws and professional standards. The first step is to obtain an Audit Charter from the client detailing the purpose of the audit and the management responsibility, authority and accountability of the Information Systems Audit function, as follows:
1. Responsibility: The Audit Charter should define the mission, aims, goals and objectives of the Information Systems Audit. At this stage we also define the Key Performance Indicators and an Audit Evaluation process;
2. Authority: The Audit Charter should clearly specify the authority assigned to the Information Systems Auditors in relation to the Risk Assessment work that will be carried out, the right to access the client's information, the scope and/or limitations to the scope, the client's functions to be audited and the auditee's expectations; and
3. Accountability: The Audit Charter should clearly define reporting lines, appraisals, assessment of compliance and agreed actions.
The Audit Charter should be approved and agreed upon by an appropriate level within the
client’s organization. In addition to the Audit Charter, Sigma will obtain a written
representation (“Letter of Representation”) from the client’s management acknowledging:
1. Their responsibility for the design and implementation of the internal controls over IT systems and processes.
2. Their willingness to disclose to the Information Systems Auditor their knowledge of irregularities and/or illegal acts affecting their organization pertaining to management and employees with significant roles within the internal audit department.
3. Their willingness to disclose to the IS Auditor the results of any risk assessment indicating that a material misstatement may have occurred.
Phase 2 – Risk Assessment and Business Process Analysis
Risk is the possibility of an act or event occurring that would have an adverse effect on the
organization and its information systems. Risk can also be the potential that a given threat
will exploit vulnerabilities of an asset or group of assets to cause loss of, or damage to the
assets. It is ordinarily measured by a combination of effect and likelihood of occurrence.
The process of quantifying risk is called Risk Assessment. Risk Assessment is useful in
making decisions such as:
1. The area/business function to be audited
2. The nature, extent and timing of audit procedures
3. The amount of resources to be allocated to an audit
The following types of risk will be evaluated under the risk-based audit strategy:
Inherent Risk: Inherent risk is the susceptibility of an audit area to an error which could be material, individually or in combination with other errors, assuming that there were no related internal controls. In assessing the inherent risk, the IS auditor should consider both pervasive and detailed IS controls. This does not apply to circumstances where the IS auditor's assignment is related to pervasive IS controls only. Pervasive IS controls are general controls which are designed to manage and monitor the IS environment and which therefore affect all IS-related activities. Some of the pervasive IS controls that we may consider include:
- The integrity of IS management and IS management experience and knowledge
- Changes in IS management
- Pressures on IS management which may predispose them to conceal or misstate information (e.g. large business-critical project over-runs, and hacker activity)
- The nature of the organization's business and systems (e.g., the plans for electronic commerce, the complexity of the systems, and the lack of integrated systems)
- Factors affecting the organization's industry as a whole (e.g., changes in technology, and IS staff availability)
- The level of third party influence on the control of the systems being audited (e.g., because of supply chain integration, outsourced IS processes, joint business ventures, and direct access by customers)
- Findings of previous audits
Control Risk: Control risk is the risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system. For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed owing to the volume of logged information. The control risk associated with computerized data validation procedures is ordinarily low because the processes are consistently applied.
The IS auditor should assess the control risk as high unless the relevant internal controls are:
- Identified
- Evaluated as effective
- Tested and proved to be operating appropriately
Detection Risk: Detection risk is the risk that the IS auditor's substantive procedures will not detect an error which could be material, individually or in combination with other errors. In determining the level of substantive testing required, the IS auditor should consider both:
- The assessment of inherent risk
- The conclusion reached on control risk following compliance testing
The higher the assessment of inherent and control risk, the more audit evidence the IS auditor should normally obtain from the performance of substantive audit procedures.
Phase 3 – Performance of Audit Work
In the performance of audit work, the Information Systems Audit Standards require the auditor to provide supervision, gather audit evidence and document audit work. We achieve this objective through:
- Obtaining sufficient, reliable and relevant evidence through inspection, observation, inquiry, confirmation and recomputation of calculations.
- Documenting the results of test work performed and the audit evidence gathered to support the auditors' findings.
- Performing concurrent reviews of the results of test work performed.
This phase concludes with a list of significant findings from which the auditor will prepare a draft of the audit report.
During this phase, Sigma will take into account the type of audit evidence to be gathered,
its use as audit evidence to meet audit objectives, and its varying levels of reliability.
The various types of audit evidence which we will consider using include:
- Observed processes and existence of physical items
- Documentary audit evidence
- Representations
- Analysis
Observed processes and existence of physical items can include observations of activities, property and information systems functions, such as:
- An inventory of media in an offsite storage location
- A computer room security system in operation
Documentary audit evidence, recorded on paper or other media, can include:
- Results of data extractions
- Records of transactions
- Program listings
- Invoices
- Activity and control logs
- System development documentation
Representations of those being audited can be audit evidence, such as:
- Written policies and procedures
- System flowcharts
- Written or oral statements
Computer Assisted Audit Techniques (CAATs) include many types of tools and techniques, such as generalized audit software, utility software, test data, application software tracing and mapping, and audit expert systems. CAATs may be used in performing various audit procedures including:
- Tests of details of transactions and balances
- Analytical review procedures
- Compliance tests of IS general controls
- Compliance tests of IS application controls
- Penetration testing
Phase 4 – Reporting
Upon completion of the audit tests, Sigma Technology Partners shall produce an appropriate report communicating the results of the IS Audit. Our IS audit report will:
1. Identify the organization, the intended recipients and any restrictions on circulation
2. State the scope, objectives, period of coverage, nature, timing and extent of the audit work
3. State findings, conclusions, recommendations and any reservations, qualifications and limitations
4. Provide audit evidence
Draft Report - After field work is completed and management's comments on the audit findings have been considered, a draft audit report is prepared. The draft report will normally be issued with a request that management provide written comments, within a specified time, on the facts and conclusions of each finding and recommendation presented in the report. The draft report is officially a "work-in-progress" and is not a public document.
Final Report - At the end of the response period, after reviewing and assessing the auditee's written response to the draft report and audit findings, the final audit report will be issued. It aims to provide a fair, complete and accurate picture of the audited area during the audit period. Usually, the report includes a description of the scope, objectives, and methodology of the audit, a statement that the audit was made in accordance with agreed-upon auditing standards, and a description of the findings and recommendations for corrective action.
Exit Conference:
The formal exit conference with the client's management will probably be the last direct contact before the final audit report is released. The exit conference is held to discuss the draft copy of the audit report and any other items with auditee personnel. The draft report should be available to auditee management at least one week prior to the exit conference. The date of the exit conference will be mutually set with the client's management.
[Figure: Sigma's Audit Methodology – Audit Program flow through four phases (Planning, Field Work, Reporting, Follow-up), with the steps: Notification Letter, Entrance Conference, Preliminary Scope, Interviews with Staff, Risk and Controls, Testing Strategy, Audit Sampling, Collecting Evidence, Testing of Controls, Reviews of Issues, Finalization of Issues, Draft Matrix of Issues, Management Feedback, Draft Executive Summary, Draft Report, Management Comments, Final Report, Updates on Issues, Follow-up Review, Follow-up Report]