Process of Auditing Information System

Mind Map by lcryst, updated more than 1 year ago
Created by lcryst about 5 years ago

Description

Mind Map on Process of Auditing Information System, created by lcryst on 12/11/2014.

Resource summary

Process of Auditing Information System
1 Mgmt of IS Audit Function
1.1 Fulfil audit function objectives
1.2 Preserving audit independence & competence
1.3 Value added contributions to senior mgmt
1.3.1 efficient mgmt of IT
1.3.1.1 achievement of Biz Obj
1.4 Organization
1.4.1 Role - established by:
1.4.1.1 Audit Charter
1.4.1.1.1 state mgmt's responsibility & objectives
1.4.1.1.2 delegation of authority to the IS audit function
1.4.1.1.3 outline the overall authority, scope & responsibilities of the audit function
1.4.1.1.4 approved by senior mgmt (highest level of mgmt and the audit committee)
1.4.1.1.5 should be changed only if the change is thoroughly justified
1.4.2 Provide IT-related control assurance to financial / mgmt auditors
1.4.3 IS Audit Resource Mgmt
1.4.3.1 Audit Planning
1.4.3.1.1 Short-term
1.4.3.1.1.1 audit issues that will be covered during the year
1.4.3.1.2 Long-term
1.4.3.1.2.1 risk-related issues regarding changes in the organisation's IT strategic direction that will affect the organization's IT environment
1.4.3.1.3 Audit Universe
1.4.3.1.3.1 list all processes that may be considered for audit
1.4.3.1.3.2 subject to qualitative or quantitative risk assessment
1.4.3.1.3.3 risk factors: frequency / biz impact of risk scenarios
1.4.3.1.3.4 evaluation of risk should ideally be based on inputs from biz process owners
1.4.3.1.4 analysis of short- and long-term issues should occur at least annually
1.4.3.1.4.1 new control issues
1.4.3.1.4.1.1 changes in risk env, technologies & biz processes
1.4.3.1.4.1.1.1 enhanced evaluation techniques
1.4.3.1.4.2 review by senior audit mgmt | approve by audit committee or board of directors | communicate to relevant levels of mgmt
1.4.4 Audit charter vs engagement letter
1.4.4.1 audit charter - overarching doc covering the entire scope of audit activities in an entity
1.4.4.2 engagement letter - more focused on a particular audit exercise
2 Performing an IS Audit
2.1 Classification of Audits
2.1.1 Compliance
2.1.2 Financial
2.1.3 Operational
2.1.4 Integrated
2.1.5 Administrative
2.1.6 IS
2.1.7 Specialized
2.1.8 Forensic
2.2 Audit Programs
2.2.1 General audit procedures
2.2.1.1 understanding of audit area / subject
2.2.1.2 Risk assessment and general audit plan and schedule
2.2.1.3 detailed audit planning
2.2.1.4 Preliminary review of the audit area / subject
2.2.1.5 Evaluating the audit area / subject
2.3 Fraud Detection
2.3.1 come across indicators of fraud
2.3.1.1 careful evaluation
2.3.1.1.1 communicate the need for detailed investigation
2.3.1.2 Major fraud / high risk
2.3.1.2.1 communicate in a timely manner to audit committee
2.4 Risk-based Audit Approach
2.4.1 Gather information and plan
2.4.1.1 Biz & industry knowledge / Prior year's audit results / Recent financial info / Regulatory statutes / Inherent risk assessments
2.4.2 Obtain understanding of internal control
2.4.2.1 Control env / control procedures, control / detection risk assessment, equate total risk
2.4.3 Perform compliance tests
2.4.3.1 identify key controls to be tested, perform tests on reliability, risk prevention and adherence to org policies & procedures
2.4.4 Perform substantive test
2.4.4.1 Analytical procedures, detailed tests of account balance, other substantive audit procedures
2.4.5 Conclude the audit
2.4.5.1 Create recommendations, write audit report
2.5 Audit Risk & Materiality
2.5.1 Def: the risk that information may contain a material error that goes undetected during the course of the audit | Influenced by:
2.5.2 Inherent Risk
2.5.2.1 exposure of the process / entity to be audited without taking into account the controls implemented
2.5.3 Control Risk
2.5.3.1 Risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls
2.5.4 Detection Risk
2.5.4.1 risk that material errors or misstatements that have occurred will not be detected by the IS auditor
2.5.5 Overall Audit Risk
2.5.5.1 combination of the three: the higher the assessed inherent & control risk, the lower the detection risk the auditor can accept, i.e. more substantive testing is needed
2.6 Risk Treatment
2.6.1 Risk Mitigation
2.6.2 Risk Acceptance
2.6.3 Risk Avoidance
2.6.4 Risk Transfer / Sharing
2.7 Compliance Testing VS Substantive Testing
2.7.1 Compliance testing - evidence gathering for the purpose of testing an organization's compliance with control procedures
2.7.2 Substantive testing - evidence is gathered to evaluate the integrity of individual transactions, data or other info
2.7.3 If compliance tests reveal the presence of adequate internal controls > the extent of substantive procedures can be minimised
2.8 Evidence gathering
2.8.1 IS Org Structure
2.8.1.1 Segregation of duties
2.8.2 IS Policies & Procedures
2.8.2.1 appropriate policies & procedures are in place, personnel understand the implemented p&p, ensure p&p are being followed
2.8.3 IS Standards
2.8.3.1 Understand existing standards
2.8.4 IS Documentation
2.8.4.1 document integrity; documents to review: feasibility study, SLAs, functional requirements, design spec, test plan and report, program and operation doc, change log, manuals, BCP, QA
2.8.5 Interview
2.8.6 Observing processes & employee performance
2.8.7 Reperformance
2.8.7.1 provide assurance that a control is operating effectively
2.8.8 Walkthrough
2.8.8.1 confirm the understanding of controls
2.9 Sampling
2.9.1 Attribute
2.9.1.1 Rate of occurrence of a specific quality (attribute) in a population E.g. approval signatures
2.9.2 Stop-or-go
2.9.2.1 helps prevent excessive sampling - the test can be stopped at the earliest possible moment; used when the auditor believes that relatively few errors will be found in a population
2.9.3 Discovery
2.9.3.1 used when the expected occurrence rate is extremely low; objective is to discover fraud, circumvention of regulations or other irregularities
2.9.4 2 approaches
2.9.4.1 Statistical sampling - Objective, probability
2.9.4.2 Non-statistical sampling - determine by auditor judgement
2.9.5 Variable
2.9.5.1 estimate the monetary value or some other unit of measure of a population from a sample portion
2.9.5.2 Confidence coefficient - where internal control is strong, the auditor may lower the confidence coefficient; larger coefficient, larger sample size
2.9.5.3 e.g. balance sheet for material txns & application review of the program that produced the balance sheet
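As an added worked example (not part of the original mind map; the purchase-order population, its 2% missing-approval rate and the confidence and tolerable-rate figures are all constructed), the Python below implements the sampling methods listed above: attribute and discovery sampling share one zero-deviation sample-size computation, stop-or-go applies it sequentially, and variable sampling appears as a mean-per-unit estimate. It also makes the confidence-coefficient point concrete: at a 5% tolerable deviation rate, 95% confidence needs 59 items where 90% needs 45.

```python
"""Attribute, stop-or-go, discovery and variable sampling over a constructed
population of purchase orders. Added example, not from the original mind map;
every purchase order below is made up for illustration."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: int
    amount: float
    approved: bool  # the attribute under test: an approval signature is present


def build_population(size: int = 1000) -> List[PurchaseOrder]:
    """Constructed population: every 50th PO lacks approval (2% true deviation rate)."""
    return [PurchaseOrder(i, 100.0 + (i * 37) % 900, i % 50 != 0)
            for i in range(1, size + 1)]


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_deviations: int = 0) -> int:
    """Smallest n such that, if the true deviation rate were as high as
    tolerable_rate, seeing at most expected_deviations deviations in n items
    would happen with probability <= 1 - confidence (binomial model).
    expected_deviations=0 gives the discovery-sampling size; a higher
    confidence coefficient always yields a larger n."""
    if not (0 < confidence < 1 and 0 < tolerable_rate < 1):
        raise ValueError("confidence and tolerable_rate must lie in (0, 1)")
    risk = 1.0 - confidence
    n = expected_deviations + 1
    while True:
        p_accept = sum(math.comb(n, i) * tolerable_rate ** i
                       * (1 - tolerable_rate) ** (n - i)
                       for i in range(expected_deviations + 1))
        if p_accept <= risk:
            return n
        n += 1


def draw_sample(pop: Sequence[PurchaseOrder], n: int, seed: int = 7) -> List[PurchaseOrder]:
    """Statistical selection: every item has the same chance of being picked;
    the seed makes the draw reproducible in the working papers."""
    return random.Random(seed).sample(list(pop), n)


def deviation_rate(items: Sequence[PurchaseOrder]) -> float:
    """Attribute sampling result: observed rate of missing approvals."""
    return sum(1 for po in items if not po.approved) / len(items)


def stop_or_go(pop: Sequence[PurchaseOrder], confidence: float,
               tolerable_rate: float, seed: int = 7) -> Dict[str, object]:
    """Stop-or-go: examine randomly ordered items one at a time and stop as
    soon as the items seen so far support the conclusion. Each deviation
    found raises the required sample size, so when few errors are present
    the test ends well before a fixed-size sample would. (Published
    stop-or-go tables also correct for the sequential stopping; this shows
    only the mechanics.)"""
    order = random.Random(seed).sample(list(pop), len(pop))
    deviations = 0
    required = attribute_sample_size(confidence, tolerable_rate, deviations)
    for examined, po in enumerate(order, start=1):
        if not po.approved:
            deviations += 1
            required = attribute_sample_size(confidence, tolerable_rate, deviations)
        if examined >= required:
            return {"examined": examined, "deviations": deviations, "concluded": True}
    return {"examined": len(order), "deviations": deviations, "concluded": False}


def mean_per_unit_estimate(population_size: int, sample: Sequence[PurchaseOrder]) -> float:
    """Variable sampling: estimate the population's total monetary value from
    the sample mean (mean-per-unit estimation)."""
    return population_size * sum(po.amount for po in sample) / len(sample)


if __name__ == "__main__":
    pop = build_population()
    n95 = attribute_sample_size(0.95, 0.05)   # 59 items
    n90 = attribute_sample_size(0.90, 0.05)   # 45 items: lower confidence, smaller sample
    sample = draw_sample(pop, n95)
    print(f"sample sizes: 95% -> {n95}, 90% -> {n90}; "
          f"observed deviation rate {deviation_rate(sample):.3f}")
    print("stop-or-go:", stop_or_go(pop, 0.95, 0.05))
    print(f"estimated total {mean_per_unit_estimate(len(pop), sample):,.0f} "
          f"vs actual {sum(po.amount for po in pop):,.0f}")
```

The seed is what makes the selection defensible in working papers: anyone re-running the script reproduces the same 59 purchase orders. Non-statistical (judgemental) sampling would replace `draw_sample` with a hand-picked list and give up the ability to state a confidence level.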
2.10 CAAT
2.10.1 GAS
2.10.1.1 file access / reorganisation / data selection / statistical / arithmetical functions
2.10.2 Utility software
2.10.2.1 provides evidence about system control effectiveness - e.g. report generators
2.10.3 Test data
2.10.3.1 using a sample set of data to assess whether logic error exist
2.10.4 Application software tracing & mapping
2.10.4.1 provide info about internal controls built in
2.10.5 Audit-expert
2.10.5.1 query-based system built on a knowledge base of senior auditors & managers; gives direction & valuable info to all levels of auditors
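Added example, not code from the original page: the generalized-audit-software functions listed above (file access, data selection, reorganisation, arithmetic and statistical functions) applied to a constructed invoice register, followed by a test-data run against a hypothetical pricing routine. The register, the routine, its pricing policy and its boundary bug are all assumptions made for the illustration; Python stands in for a commercial GAS package.

```python
"""Two CAATs run on constructed data. Added example, not from the original
mind map: (1) generalized-audit-software style file access, data selection,
reorganisation and arithmetic re-performance over an inline invoice register,
and (2) a test-data run against a hypothetical application routine that
hides a logic error at a boundary."""
import csv
import io
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed invoice register, as a CAAT would read it from a flat-file export.
INVOICE_CSV = """invoice_no,vendor,qty,unit_price,extended,approver
1001,ACME,10,25.00,250.00,jsmith
1002,ACME,4,99.99,399.96,jsmith
1003,GLOBEX,1,15000.00,15000.00,
1004,INITECH,7,12.50,87.50,kdoe
1004,INITECH,7,12.50,87.50,kdoe
1006,GLOBEX,3,4999.99,14999.97,jsmith
1007,ACME,2,30.00,65.00,kdoe
"""

Record = Dict[str, str]


def read_register(text: str = INVOICE_CSV) -> List[Record]:
    """File access: parse the export into records."""
    return list(csv.DictReader(io.StringIO(text)))


def arithmetic_exceptions(records: List[Record]) -> List[str]:
    """Arithmetic function: re-perform qty x unit price for every record (the
    whole population, not a sample) and report invoices whose stored extended
    amount disagrees."""
    return [r["invoice_no"] for r in records
            if abs(int(r["qty"]) * float(r["unit_price"]) - float(r["extended"])) > 0.005]


def unapproved_invoices(records: List[Record]) -> List[str]:
    """Data selection: records failing the approval attribute."""
    return [r["invoice_no"] for r in records if not r["approver"].strip()]


def sequence_exceptions(records: List[Record]) -> Dict[str, List[int]]:
    """Reorganisation (sort) plus sequence analysis: duplicate and missing
    invoice numbers, the classic completeness / double-payment test."""
    nums = sorted(int(r["invoice_no"]) for r in records)
    present = set(nums)
    return {
        "duplicates": sorted(n for n, c in Counter(nums).items() if c > 1),
        "gaps": [n for n in range(nums[0], nums[-1] + 1) if n not in present],
    }


def vendor_totals(records: List[Record]) -> Dict[str, float]:
    """Statistical / summarisation function: total extended value per vendor."""
    totals: Dict[str, float] = {}
    for r in records:
        totals[r["vendor"]] = totals.get(r["vendor"], 0.0) + float(r["extended"])
    return {v: round(t, 2) for v, t in totals.items()}


# --- test-data CAAT ---------------------------------------------------------
def price_order(qty: int, unit_price: float) -> float:
    """Hypothetical application routine under audit. Policy (assumed for this
    example): orders of 10 or more units get 5% off. The routine uses '>'
    where the policy says 'at least', so exactly 10 units is priced wrong;
    the bug is deliberate so the test-data run has something to find."""
    gross = qty * unit_price
    return round(gross * 0.95, 2) if qty > 10 else round(gross, 2)


def run_test_data(routine: Callable[[int, float], float],
                  cases: List[Tuple[int, float, float]]) -> List[Tuple[int, float, float]]:
    """Test-data CAAT: push a designed set of inputs (including boundary values)
    through the routine and return (qty, expected, actual) for each mismatch."""
    failures = []
    for qty, price, expected in cases:
        actual = routine(qty, price)
        if abs(actual - expected) > 0.005:
            failures.append((qty, expected, actual))
    return failures


# Boundary test data: one below, on, and above the discount threshold.
TEST_CASES = [(9, 100.0, 900.0), (10, 100.0, 950.0), (11, 100.0, 1045.0)]

if __name__ == "__main__":
    reg = read_register()
    print("arithmetic exceptions:", arithmetic_exceptions(reg))   # ['1007']
    print("unapproved:", unapproved_invoices(reg))                # ['1003']
    print("sequence:", sequence_exceptions(reg))                   # duplicates [1004], gaps [1005]
    print("by vendor:", vendor_totals(reg))
    print("test-data failures:", run_test_data(price_order, TEST_CASES))  # [(10, 950.0, 1000.0)]
```

The test-data set is deliberately small: the value of the technique lies in choosing inputs on and around the boundary the policy defines, which is where a logic error like this one hides from a random sample.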
3 Risk Analysis
3.1 Risk Assessment Process
3.1.1 Identify BO
3.1.1.1 Identify Info Assets supporting the BOs
3.1.1.1.1 Perform Risk Assessment [Threat - Vulnerability - Probability - Impact]
3.1.1.1.1.1 Perform Risk Mitigation [Map risks with controls in place]
3.1.1.1.1.1.1 Perform Risk Treatment [Treat significant risks not mitigated by existing controls]
3.1.1.1.1.1.1.1 Perform Periodic Risk Reevaluation (BO/RA/RM/RT)
4 Internal Controls
4.1 Classifications:
4.1.1 Preventive
4.1.2 Detective
4.1.3 Corrective
4.2 COBIT 5
4.3 IS Control Objectives
4.4 IS Controls
5 Control Self-Assessment
5.1 Objectives
5.1.1 Leverage the internal audit function by shifting some control monitoring responsibilities to the functional areas
5.1.2 Not intended to replace audit's responsibilities, but to enhance them
5.2 Phase
5.2.1 Planning
5.2.1.1 Implementation
5.2.1.1.1 Monitoring
5.3 CSF
5.3.1 meeting with biz rep to identify the BU's primary obj
5.3.2 to determine the reliability of the internal control system
5.4 Benefits
5.4.1 Early detection of risks / more effective and improved internal controls / creation of cohesive teams / developing a sense of ownership of the controls in employees & process owners / reducing resistance to control improvement initiatives / awareness / knowledge / communication / reduction in control cost
6 Continuous Auditing
6.1 collection & analysis of transaction data in real time
6.1.1 high-level of financial control
6.1.1.1 avoid fraud
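Added example, not from the original mind map: a stateful monitor that evaluates each payment as it arrives, which is what separates continuous auditing from the batch CAATs above. The approval limit, the split-payment heuristic and the six payment events are constructed for the illustration.

```python
"""Continuous-auditing style monitor over a constructed transaction stream.
Added example, not from the original mind map: each payment is evaluated as
it arrives, keeping only a sliding window of recent state, instead of being
reviewed after the period closes. The approval limit and the split-payment
rule are assumptions made for the illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

APPROVAL_LIMIT = 5000.0           # assumed single-approver limit
SPLIT_WINDOW = timedelta(hours=24)
SPLIT_MIN_COUNT = 3               # near-limit payments in the window before alerting


class ContinuousMonitor:
    """Stateful monitor; events must arrive in timestamp order."""

    def __init__(self, limit: float = APPROVAL_LIMIT,
                 window: timedelta = SPLIT_WINDOW, split_min: int = SPLIT_MIN_COUNT):
        self.limit, self.window, self.split_min = limit, window, split_min
        # (requester, vendor) -> recent (timestamp, amount) pairs inside the window
        self.recent: Dict[Tuple[str, str], Deque[Tuple[datetime, float]]] = defaultdict(deque)
        self.alerts: List[str] = []

    def ingest(self, txn: Dict[str, str]) -> List[str]:
        """Evaluate one payment in real time and return the alerts it raised."""
        ts = datetime.fromisoformat(txn["ts"])
        amount = float(txn["amount"])
        found: List[str] = []

        # Rule 1: segregation of duties - a requester must not approve their own payment.
        if txn["requester"] == txn["approver"]:
            found.append(f"{txn['id']}: requester {txn['requester']} approved own payment")

        # Rule 2: a single payment above the approval limit.
        if amount > self.limit:
            found.append(f"{txn['id']}: {amount:.2f} exceeds approval limit {self.limit:.2f}")

        # Rule 3: split payments - several just-under-limit payments to the same
        # vendor by the same requester inside the window, together over the limit.
        key = (txn["requester"], txn["vendor"])
        window = self.recent[key]
        window.append((ts, amount))
        while window and ts - window[0][0] > self.window:
            window.popleft()                      # drop state older than the window
        near_limit = [a for _, a in window if 0.8 * self.limit <= a <= self.limit]
        if len(near_limit) >= self.split_min and sum(near_limit) > self.limit:
            found.append(f"{txn['id']}: {len(near_limit)} near-limit payments to "
                         f"{txn['vendor']} within {self.window} total {sum(near_limit):.2f}")

        self.alerts.extend(found)
        return found


# Constructed stream of payment events, in arrival order.
SAMPLE_STREAM = [
    {"id": "P1", "ts": "2024-03-01T09:00:00", "requester": "alice", "approver": "bob",
     "vendor": "ACME", "amount": "1200.00"},
    {"id": "P2", "ts": "2024-03-01T10:00:00", "requester": "bob", "approver": "bob",
     "vendor": "GLOBEX", "amount": "300.00"},
    {"id": "P3", "ts": "2024-03-01T11:00:00", "requester": "carol", "approver": "dave",
     "vendor": "INITECH", "amount": "4900.00"},
    {"id": "P4", "ts": "2024-03-01T13:00:00", "requester": "carol", "approver": "dave",
     "vendor": "INITECH", "amount": "4800.00"},
    {"id": "P5", "ts": "2024-03-01T16:00:00", "requester": "carol", "approver": "dave",
     "vendor": "INITECH", "amount": "4950.00"},
    {"id": "P6", "ts": "2024-03-01T17:00:00", "requester": "erin", "approver": "frank",
     "vendor": "ACME", "amount": "7500.00"},
]


def run_stream(events: List[Dict[str, str]]) -> List[List[str]]:
    """Feed events through a fresh monitor and return the alerts raised per event."""
    monitor = ContinuousMonitor()
    return [monitor.ingest(e) for e in events]


if __name__ == "__main__":
    for event, alerts in zip(SAMPLE_STREAM, run_stream(SAMPLE_STREAM)):
        print(event["id"], alerts or "ok")
```

The split-payment rule is the one a period-end review tends to miss: each of P3, P4 and P5 is individually within the limit, and only the sliding window kept per requester and vendor reveals that together they exceed it.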
