Audit Guidelines

Introduction to Audit Guidelines
• At the highest level the general audit approach is supported by:
  ◦ the COBIT Framework, especially the IT process classification
  ◦ requirements for the audit process itself
  ◦ requirements for IT process auditing
  ◦ general principles of control

Introduction to Audit Guidelines
• It is important to note for this level that control objectives are not necessarily applicable always and everywhere.
• Therefore the Guidelines suggest that a high-level risk assessment be conducted to determine which objectives need to be specifically focused on and which may be ignored.

General Structure of the Audit Guidelines
• The objectives of auditing are to:
  ◦ provide management with reasonable assurance that control objectives are being met
  ◦ where there are significant control weaknesses, substantiate the resulting risks
  ◦ advise management on corrective actions

General Structure of the Audit Guidelines
• The generally accepted structure of the audit process is:
  ◦ identification and documentation
  ◦ evaluation
  ◦ compliance testing
  ◦ substantive testing

General Structure of the Audit Guidelines
• IT processes are therefore audited by:
• obtaining an understanding of business requirements, related risks and relevant control measures
• evaluating the appropriateness of stated controls

General Structure of the Audit Guidelines
• assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
• substantiating the risk of control objectives not being met by using analytical techniques and/or consulting alternative sources

General Structure of the Audit Guidelines
• All these elements are provided to support the planning and performance of IT audits at the various levels described in the Guidelines.
• Level 1
  ◦ General IT audit approach (COBIT Framework)
  ◦ Audit Process Requirements
  ◦ Control Observations
  ◦ Generic Audit Guideline

General Structure of the Audit Guidelines
• Level 2
  ◦ Process audit guidelines (Detailed Audit Guidelines)
• Level 3
  ◦ Audit attention points to complement detailed control objectives
  ◦ Local conditions
  ◦ Sector-specific criteria
  ◦ Industry standards
  ◦ Platform-specific elements
  ◦ Detailed control techniques used

Audit Guideline Application
• The first step is to determine the correct scope of the audit.
  ◦ This requires investigation, analysis and definition of the business processes concerned
  ◦ Platforms and information systems which are supporting the business process, as well as connections with other systems

Audit Guideline Application
  ◦ The IT roles and responsibilities defined, including what has been in- or out-sourced
  ◦ Associated business risks and strategic choices

Audit Guideline Application
• The next step is to identify the information requirements which are of particular relevance with respect to the business processes.
• Then there is a need to identify the inherent IT risks as well as the overall level of control that can be associated with the business process.

Audit Guideline Application
• To achieve this there is a need to identify:
  ◦ recent changes in the business environment having an IT impact
  ◦ recent changes to the IT environment, new developments, etc.
  ◦ recent incidents relevant to the controls and business environment

Audit Guideline Application
  ◦ IT monitoring controls applied by management
  ◦ recent audit and/or certification reports
  ◦ recent results of self-assessments

Audit Process Requirements
• On the basis of the information obtained, it is possible to select the relevant COBIT processes as well as the resources that apply to them.
• This could require that certain COBIT processes will need to be audited several times, each time for a different platform or system.

Audit Process Requirements
• The audit strategy should be determined on the basis of how the detailed audit plan should be further elaborated.
• Finally, all the steps, tasks and decision points to perform the audit need to be considered.

Audit Process Requirements
• Define audit scope
  ◦ business process concerned
  ◦ platforms, systems and their interconnectivity, supporting the process
  ◦ roles, responsibilities and organizational structure
• Identify information requirements relevant for the business process
  ◦ relevance to the business process

Audit Process Requirements
• Identify inherent IT risks and overall level of control
  ◦ recent changes and incidents in business and technology environment
  ◦ results of audits, self-assessments and certification
  ◦ monitoring controls applied by management
• Select processes and platforms to audit
  ◦ processes
  ◦ resources

Audit Process Requirements
• Set audit strategy
  ◦ controls, by risk
  ◦ steps and tasks
  ◦ decision points

The Generic Audit Guideline
• The first level of the audit guidelines is primarily oriented towards process understanding and determining ownership.
• This should be a foundation and reference framework for any detailed audit guideline.
• This same template is then applied to the 34 processes identified in the COBIT Framework.

Control Process Observations
• Control, from a management point of view, is defined as determining what is being accomplished.
• That is, evaluating the performance and, if necessary, applying corrective measures so that the performance takes place according to plan.

Control Process Observations
• Standards can be of a very wide variety, from high-level plans and strategies to detailed measurable key performance indicators (KPI) and critical success factors (CSF).
• Clearly documented, maintained and communicated standards are a must for a good control process.
• Clear responsibility for custodianship of these standards is also a requirement for good control.

Control Process Observations
• The control process must be well documented with clear responsibilities.
• An important aspect is the clear definition of what constitutes a deviation, i.e., what the limits of deviation are.
• The timeliness, integrity and appropriateness of control information, as well as other information, is basic to the good functioning of the control system and is something the auditor must address.

Control Process Observations
• Both control information and corrective action information will have requirements as to evidence in order to establish accountability after the fact.
• The following audit steps are performed to document the activities underlying the control objectives as well as to identify the stated control measures/procedures in place.

Control Process Observations
• Document the process-related IT resources particularly affected by the process under review.
• Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process and the control implications, e.g., by a process walk-through.

Evaluating the Controls
• The following audit steps are performed to assess the effectiveness of control measures, or the degree to which the control objective is achieved.

Evaluating the Controls
• The following criteria are used to evaluate the appropriateness of control measures for the process under review:
  ◦ Documented processes exist
  ◦ Appropriate deliverables exist
  ◦ Responsibility and accountability are clear and effective
  ◦ Compensating controls exist, where necessary
  ◦ The degree to which the control objective is met

Assessing Compliance
• These are the audit steps to be performed to ensure that the control measures established are working as prescribed.
• Obtain direct or indirect evidence for selected items to ensure that the procedures have been complied with for the period under review.

Assessing Compliance
• Perform a limited review of the adequacy of the process deliverables.
• Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.

Substantiating the Risk
• These are the audit steps to be performed to substantiate the risk of the control objective not being met.
• The objective is to support the opinion and to ‘shock’ management into action.
• Auditors have to be creative in finding and presenting this often sensitive and confidential information.

Substantiating the Risk
• Document the control weaknesses, and the resulting threats and vulnerabilities.
• Identify and document the actual and potential impact, e.g., through root-cause analysis.
• Provide comparative information, e.g., through benchmarks.

Substantiating the Risk
• When assessing control mechanisms, reviewers should be aware that controls operate at different levels in the traditional Plan-Do-Check-Correct cycle and that they have intricate relationships.
• COBIT’s process orientation provides some indication as to the different control processes, levels and interrelationships, but the actual implementation or assessment of control systems needs to take this added complex dimension into account.