
IT Audit Manual

Table of Contents

1. Introduction  4
2. Definition and Objectives  5
3. Phases of the Audit Process  6
   3.1 Planning  6
      3.1.1 Preliminary assessment and information gathering  6
      3.1.2 Understanding the organization  6
   3.2 Risk assessment to define audit objective and scope  7
   3.3 Evidence collection and evaluation  9
      3.3.1 Types of Audit Evidence  10
      3.3.2 Tools of evidence collection  11
   3.4.1 Structure of the report  13
4. The Audit Methodology  15
   4.1 IT Controls  15
   4.2 Audit of General Controls  19
      4.2.1 IT Operations Control  19
         4.2.1.1 Control Objectives  19
         4.2.1.2 Risks  19
         4.2.1.3 Audit Procedures  20
            4.2.1.3.1 Service Level Agreements  20
            4.2.1.3.2 Management control and supervision  20
            4.2.1.3.3 Operations Documentation  21
            4.2.1.3.4 Problem Management  22
            4.2.1.3.5 Network Management and Control  22
      4.2.2 Physical Control (Access and Environment)  22
         4.2.2.1 Control Objectives  22
         4.2.2.2 Risks  22
         4.2.2.3 Audit Procedure  23
      4.2.3 Logical Access Control  24
         4.2.3.1 Control Objectives  24
         4.2.3.2 Risks  24
         4.2.3.3 Audit Procedure  24
      4.2.4 Program Change Controls  26
         4.2.4.1 Control Objectives  26
         4.2.4.2 Risks  27
         4.2.4.3 Audit Procedure  27
   4.3 Audit of Application Controls  28
      4.3.1 Input Controls  28
         4.3.1.1 Control Objectives  28
         4.3.1.2 Risks  28
         4.3.1.3 Audit Procedure  29
      4.3.2 Processing Controls  30
         4.3.2.1 Control Objectives  30
         4.3.2.3 Risks  31
         4.3.2.4 Audit Procedure  32
      4.3.3 Output Controls  32
         4.3.3.1 Audit Objectives  32
         4.3.3.2 Risks  33
         4.3.3.3 Audit Procedure  33
   4.4 Network and Internet Controls  33
      4.4.1 Control Objectives  33
      4.4.2 Risks  34
      4.4.3 Audit Procedure  34
   4.5 Internet Controls  35
      4.5.1 Firewalls  36
      4.5.2 Internet Password Policy  36
5. Appendix  37
   5.1 Audit Checklist: List of Documents for understanding the system  37
   5.2 Audit Checklist: Criticality Assessment Tool  38
   5.3 Audit Checklist: Collection of specific information on IT Systems  41
   5.4 Audit Checklist: Checklist for risk assessment  45

1. Introduction

The incessant development of information technology has changed the way organizations work in many ways. The pen and paper of manual transactions have made way for the online data entry of computerized applications; the locks and keys of filing cabinets have been replaced by passwords and identification codes that restrict access to electronic files. The implementation of innovative technology has helped organizations to improve the efficiency of their business processes and considerably increase their data processing and transmission capacity, but it has also introduced new vulnerabilities. Each new vulnerability needs to be controlled, and assessing the adequacy of each control requires new methods of auditing. As auditees invest more in, and depend more on, computerised systems, audit must change its methodology and approach because of the risks to data integrity, the potential for abuse, privacy issues and so on. An independent audit is required to provide assurance that adequate measures have been designed, and are operated, to minimize the exposure to these risks.

2. Definition and Objectives

IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations. IT audit can be considered the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively and uses resources efficiently.

The objectives of IT audit include assessment and evaluation of processes that ensure:

i. Asset safeguarding, where 'assets' include the following five types:

1. Data objects in their widest sense (i.e., external and internal, structured and non-structured, graphics, sound, system documentation, etc.).

2. Application systems, understood to be the sum of manual and programmed procedures.

3. Technology, which covers hardware, operating systems, database management systems, networking, multimedia, etc.

4. Resources to house and support information systems, supplies, etc.

5. Staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.

ii. Ensuring that the following seven attributes of data or information are maintained:

1. Effectiveness - deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.

2. Efficiency - concerns the provision of information through the optimal (most productive and economical) usage of resources.

3. Confidentiality - concerns protection of sensitive information from unauthorized disclosure.

4. Integrity - relates to the accuracy and completeness of information as well as to its validity in accordance with the business's set of values and expectations.

5. Availability - relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.

6. Compliance - deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria. This essentially means that systems need to operate within the ambit of rules, regulations and/or conditions of the organization.
