Information Systems Auditing

1. AUDITING

A critical review to evaluate the efficiency and effectiveness of a site and determine alternative courses to improve and achieve goals.

2. COMPUTER AUDITING

Review and evaluation of controls, systems, and procedures of the computer, computer equipment, its use, efficiency, and safety. Evaluate the organization that participates in the processing of information to point out alternative courses to achieve a more efficient use of reliable and secure information that will help proper decision-making.

3. INTERNAL CONTROL

Comprises the plan of organization and all the methods and procedures coordinated within a business to:

  • Safeguard its assets.
  • Verify the reasonableness and reliability of financial information.
  • Promote operational efficiency and adherence to policies prescribed by the administration.

Basic Internal Control Objectives

  • Protection of company assets.
  • Obtaining financial information that is accurate, reliable, and timely.
  • The promotion of efficiency in business operations.
  • Ensuring that operations are carried out in accordance with the policies established by company management.

Overall Objective

  • Authorization
  • Processing and classification of transactions
  • Physical safeguards
  • Verification and evaluation

4. COMPUTER DEPARTMENT EVALUATION

The computer department should be evaluated according to:

  • Objectives, targets, plans, policies, and procedures
  • Organization
  • Organizational structure
  • Functions and levels of authority and responsibility

5. ADVANCED AUDITING TECHNIQUES

  • Comprehensive Tests: Processing the data of a fictitious department and comparing the results with the expected outcomes.
  • Simulation: Developing application programs for a particular test and comparing the simulation results with those of the actual application.
  • Access Review: Keeping a computerized register of every access to certain files, with identifying information for both the terminal and the user.
  • Parallel Operation: Running a new system alongside the already audited system it replaces and comparing the results, to verify the accuracy of the information produced.
  • Extended Records: Adding a control to a particular record, as a special field or as an extra record, which may hold control data for all application programs.

6. INFORMATION AUDIT OBJECTIVES

  • Control of the computer function
  • Analysis of the efficiency of the IS and IT
  • Verification of compliance with the General Regulations of the Organization
  • Review of the plans, programs, and budgets of Information Systems
  • Review of the effective management of material, human, and software resources
  • Review and verification of general and specific technical controls on operations
  • Review and verification of security: compliance with regulations and standards, operating system, software security, communications security, database security, process security, application security, physical security, supply and replenishment, contingency
  • Analysis of control results
  • Analysis, verification, and reporting of weaknesses and shortcomings

7. AUDIT PHASES

Planning

Develops the audit plan: goals, audit work programs, and a report of the activities needed to understand and get to know the audited entity.

Implementation

Review and evaluation of information: collect, analyze, interpret, and document information to support the audit results (questionnaires, interviews, analysis of documents, tabulation of information).

Preparation and Issuance of the Report

Preliminary report and final report. Prepared (in writing) and presented (with commentary) to management; the manner of expression must be carefully refined.

Follow-up

Must be planned to verify compliance with the recommendations, and then prepared and presented (whether or not they were completed, whether what had to be done was done, etc.).

8. AUDIT ASSURANCE

Internal Audit must ensure that:

  • Auditors are supervised properly.
  • Audit reports are accurate, objective, clear, concise, constructive, and timely.
  • The objectives of the audit are met.
  • The audit is properly documented and appropriate evidence is retained for oversight.
  • Auditors comply with professional standards of conduct.
  • Computer auditors possess the knowledge, experience, and disciplines essential for their audits.

9. INTERNAL AUDITOR KNOWLEDGE AND EXPERIENCE

  • Requires skill in applying internal auditing standards, procedures, and techniques when carrying out reviews.
  • Requires the ability to apply broad knowledge to the situations that arise, recognizing the significant ones and carrying out the research needed to reach reasonable solutions.

10. AUDIT WORK AGENDA

An audit work agenda should include:

  • General purpose
  • Objectives
  • Scope
  • Schedule and program

For each specific audit, an audit program should be developed that includes the procedures to be applied, their scope, and the staff appointed to run the audit.

11. SUBSTANTIVE TESTS AND TESTS OF COMPLIANCE

Substantive Tests

These tests examine procedures to determine whether the results produced by the system are correct (e.g., simple operations such as addition, subtraction, division, or multiplication).

Tests of Compliance

Audit procedures designed to verify whether the system is implemented according to the rules (as the auditor described it and as management intended). If, after verification, the controls appear to be operating effectively, the auditor can justify confidence in the system and consequently reduce the substantive tests.

Five Types of Tests of Compliance

  • Tests to ensure data quality
  • Tests to identify data inconsistencies
  • Testing for comparison with physical data
  • Testing to confirm proper communication
  • Testing to determine a lack of security

12. SYSTEMS AUDIT LIFE CYCLE

During the life cycle, the following should be evaluated:

  • Installation
  • Maintenance
  • Operation

Installation and Maintenance

This is the first phase of the software life cycle, in which the auditor reviews the following:

  • Procedures for initiating, testing, and approval of changes to the software
  • Procedure for generating and modifying the software
  • Procedures used to run software and maintain the data dictionary
  • Emergency procedures used to provide solutions to specific software problems
  • Maintenance and content of the audit logs of all DBMS and data dictionary modifications
  • Log of the software parameters and of the statements of the language used to run applications
  • Access to program libraries

Operation

During the second phase of the software life cycle, the following will be reviewed:

  • Access control for programs, libraries, parameters, sections, or files associated with the software
  • Procedures designed to ensure that the system is not loaded (initial program load) without the original software, establishing a security procedure
  • Availability of, and access control over, the commands that can be used to disable the software
  • Responsibility for monitoring the software, its operation, and the consistency of access
  • Hours during which the software is available
  • Access control on master consoles and terminals
  • Procedure for logging normal completion or errors, which may indicate problems in the integrity of the software, and for documenting the results in security programs
  • Access controls on scripts, language programs, and the libraries of running applications; audit log of software activities
  • Use of other software to continue operation, or reliance on automated operation schedules

13. FEASIBILITY STUDY AND ITS IMPORTANCE

The feasibility study concerns the availability of resources required to carry out the proposed objectives, implementation, and commissioning of a system. Its importance is that this research determines the cost/benefit of the system, develops the logical model, reaches the decision to produce it or reject it, including the technical feasibility study and recommendations.

14. OBJECTIVES OF THE INFORMATION SECURITY AREA

  1. Protect the integrity, accuracy, and confidentiality of information.
  2. Protect assets against disasters caused by human hands or hostile acts.
  3. Protect the organization against external situations such as natural disasters and sabotage.
  4. In a disaster, have the contingency plans and policies for a speedy recovery.
  5. Have the necessary insurance to cover economic losses in case of disaster.

15. INTEGRITY, PRIVACY, AND AVAILABILITY

Integrity: Ensuring the accuracy and completeness of information and information processing methods.

Privacy: Ensuring that information is accessible only to those authorized to have access.

Availability: Ensuring that authorized users have access when they require information and associated assets.

16. CONTINGENCY PLAN PROJECT STAGES

  1. Analysis of the Impact on the organization: Identify the critical or essential processes and the repercussions should they not be running.
  2. Selecting the Strategy: In a disaster, systems will be brought to work according to their priorities and not as has traditionally been done.
  3. Plan Preparation: The plan must be designed and tested. It requires the participation of staff, to ensure they are available when it is put into practice.
  4. Testing the Plan: Intended to ensure that it works efficiently.
  5. Maintenance: It must be ensured that, after the plan is created, it is monitored and maintained regularly, adapting the procedures to reflect organizational changes or modifications.

17. IMPORTANCE OF INFORMATION SECURITY CONTROL

In developing countries, the act that accounts for around 80% of occurrences is the theft of information from the inside. Basically, inside the company there are actors who extract information, and this problem destroys the internal organization, creating an unsafe environment within the company. It is important to monitor the security of information (PED) because it is an engine of the company and a major strategic tool that confers power depending on how it is used. It is therefore important and necessary for companies to allocate budget to internal security, since internal security is where most problems occur; they may be malicious or not, and they can cause the company great losses of every kind, economic and financial above all. It is also important to create an organizational culture and personal awareness among employees, since they play the greatest role in information security (PED), so that the company can reach timely decisions.

18. THE WORK OF THE AUDITOR

Constant and dynamic. Assessing whether there are practices and procedures to ensure the quality and reliability of information, measuring the degree of fulfillment of the objectives and the appropriate use of resources.

19. IMPORTANCE OF A STRATEGIC PLAN OR MASTER OF IT

The IT Strategic Plan serves as a tool to accompany senior management in decision-making, both in the IT investments made at each strategic step of the business (to facilitate the flow of information through communication networks) and in knowing the impact of business decisions regarding new technologies that imply a competitive advantage for the company. It gives a clear idea of the tangible and intangible benefits to be obtained and an approximation of the costs and time frames for each direction taken in the company's hardware and software or in the internal development of systems. This means that everything rests on something solid that serves as backing for the company; since it is everyone's responsibility, it eliminates improvisation and results in a secure and clear way forward.

20. AUDIT PLAN ELEMENTS

An audit plan should contain the following elements:

  • Setting objectives and scope of work
  • Obtaining background information on the activities being audited
  • The determination of the necessary resources to perform the audit
  • Establishing the necessary communication with all involved in the audit
  • A program or process scheduling
  • Physical inspection
  • Using techniques
  • Final Report of Findings

21. GENERAL CONTROLS

  • Control of documentation
  • IT organizational structure and control of systems operation
  • Control of systems development
  • Control of contracts

22. CLASSIFICATION OF CONTROLS

  • Preventive: Acts before the event is triggered (everything done beforehand to prevent it: a UPS for power outages, backup procedures, redundant equipment, mirrored disks).
  • Detective: Acts when the event is triggered (at the moment it happens: validation of input account numbers, failed user access attempts, smoke alarms).
  • Corrective: Acts after the event is triggered (the event has already happened: retransmission of data after system outages, restoring data from backups, converting data dates, patching).
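As an added illustration (not part of the original notes) of how a detective control operates over the computerized access register described under Access Review in section 5, the Python script below parses a constructed register and flags repeated failed access attempts, access outside the hours during which the software is available (section 12), and access to program libraries. The register format, the thresholds, and the availability hours are assumptions.

```python
"""Detective control over an access register (added example, not from the notes).

The register format (timestamp, terminal, user, file, result) is an assumption
modelled on the Access Review technique; the log lines below are constructed.
"""
from collections import Counter
from datetime import datetime, time

# Constructed sample register: one access event per line.
ACCESS_REGISTER = """\
2024-03-04T08:55:12 TERM01 alice PAYROLL.DAT OK
2024-03-04T09:02:40 TERM01 alice PAYROLL.DAT OK
2024-03-04T09:10:05 TERM07 bob   LEDGER.DAT  DENIED
2024-03-04T09:10:31 TERM07 bob   LEDGER.DAT  DENIED
2024-03-04T09:11:02 TERM07 bob   LEDGER.DAT  DENIED
2024-03-04T23:40:19 TERM03 carol PROGLIB     OK
2024-03-05T07:59:59 TERM02 dave  LEDGER.DAT  OK
"""

# Control parameters (assumed values; in practice they come from the audit program).
AVAILABLE_FROM = time(8, 0)      # hours during which the software is available
AVAILABLE_UNTIL = time(18, 0)
FAILED_ATTEMPT_THRESHOLD = 3     # denied accesses per user that raise a finding
PROGRAM_LIBRARIES = {"PROGLIB"}  # files whose access must always be justified


def parse_register(text):
    """Turn the raw register into a list of event dicts (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, terminal, user, file_name, result = line.split()
        events.append({"time": datetime.fromisoformat(stamp), "terminal": terminal,
                       "user": user, "file": file_name, "result": result})
    return events


def review_access(events):
    """Apply three detective checks; return a list of (check, detail) findings."""
    findings = []
    # Check 1: users with repeated failed access attempts.
    failed = Counter(e["user"] for e in events if e["result"] == "DENIED")
    for user, count in sorted(failed.items()):
        if count >= FAILED_ATTEMPT_THRESHOLD:
            findings.append(("failed_attempts", f"{user}: {count} denied accesses"))
    for e in events:
        who = f"{e['user']}@{e['terminal']}"
        # Check 2: access outside the availability window.
        if not (AVAILABLE_FROM <= e["time"].time() < AVAILABLE_UNTIL):
            findings.append(("outside_hours", f"{who} at {e['time'].isoformat()}"))
        # Check 3: any access to a program library.
        if e["file"] in PROGRAM_LIBRARIES:
            findings.append(("program_library", f"{who} accessed {e['file']}"))
    return findings


if __name__ == "__main__":
    for check, detail in review_access(parse_register(ACCESS_REGISTER)):
        print(f"{check:16} {detail}")
```

Each finding is evidence for the audit working papers; the corrective action (revoking the access, adjusting the schedule) is decided by the auditee, not by the script.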

23. TYPES OF AUDIT PLANS

  • Strategic Plan: It is everyone's responsibility and eliminates improvisation, defining a clear direction in master plans spanning up to five years (it defines the direction in hardware, software, systems development, new technologies, and networks).
  • Operational Plan: Translates the vision of the strategic plan into short-term activities (one year); it should have a close connection with the Strategic Plan, be coordinated with the user areas, and be assessed for compliance against the stated objectives.
  • Planning for IT projects: One of the biggest problems in IT projects is the time frame. Use PMBOK project management and monitoring tools. Stages: conception, initiation, development, activities, resources, deliverables, risks, changes, costs, dates, closure. Use Gantt charts and PERT/CPM.
  • Training Plan: Derived from the evolution of changing technology; training should be continuous. The IT department should propose plans to update staff and users in new technologies and to train them in new IT market trends (avoiding technological illiteracy).
  • Purchase Plan: Purchase of software and hardware that responds to changing needs. Schedule using change tools, evaluate project plans to avoid technological obsolescence, and apply consistent performance measures to avoid improvised plans.
  • Conversion and Change Plan: Changes to central server devices (memory, disks, processors), changes of software versions (operating system, database), and changes of application versions. Project management must be used: scheduling, backups, testing, information to users and managers.
  • Continuity Plan: Arises from the level of dependency. Identify which activities are likely to stop daily operation and prioritize the critical operational activities for attention; continuity plans must be tested or simulated.

24. DETAILED AUDIT REPORT STEPS

A detailed audit report should contain the following steps:

  1. The problems identified.
  2. Possible causes, problems, and failures that led to the situation presented.
  3. The impact the detected problems may have.
  4. Alternative solutions.
  5. Comments and observations from IT management and users on the proposed solutions.

25. REQUIREMENTS AND TECHNIQUES

A requirement is a need that an information system must satisfy. They are descriptions of how the information system should behave.

Techniques

  • Interviews
  • Questionnaires
  • Review Records
  • Observation
  • Expert judgment
  • Brainstorming
  • Analysis of market/competition

Problems

  • Installed late
  • Budget estimates fall far short
  • Systems do not do what users really want

26. PYRAMID FOR THE IMPLEMENTATION OF AN INFORMATION SYSTEM

The three levels of the pyramid for the implementation of an information system are:

  1. Strategic level (decision support systems): used by senior management; it has more complex systems that affect decision-making.
  2. Tactical level (management systems): used by middle managers; it is more specific because it supports decision-making.
  3. Operational level (transaction systems): transactional; information is entered in high volume and for this reason must be reliable. Reports can be generated from this level.

27. NEED FOR AUDIT OF SYSTEMS

The four symptoms that occur in an organization for the need for an audit of systems are:

  1. Lack of coordination and disorganization: IT goals mismatched with those of the company, productivity standards that have fallen because of continuing system failures, technological obsolescence, low IT involvement in project planning.
  2. Poor image and user dissatisfaction: user change requests are not addressed, hardware failures are not repaired in time, constant system failures, lack of attention to critical systems, the user feels abandoned.
  3. Economic and financial weaknesses: disproportionate increase in operating costs, lack of credibility of IT investments, IT projects that exceed time and cost.
  4. Insecurity: logical security, physical security, insecurity in the reliability of data, insecurity in the use of resources and supplies.

28. DIRECTORS AND THEIR FUNCTION

  1. User Director: The user responsible for operating the systems, especially in the trial period; must also ensure compliance with the provisions that involve the user.
  2. Executive Director: Represents the company and has the power of decision.
  3. IT Director: Participates, through the various IT officials, in the IT project.

29. TOOLS OF THE AUDIT

A checklist is used when you want to evaluate a task. Tools: interviews, questionnaires, checklists.

30. PHYSICAL AND LOGICAL SECURITY POLICIES

  1. Holistic: Security is treated as a whole, not in parts.
  2. Realistic: They are fully achievable.
  3. Kept up to date: Continuously maintained, not abandoned or forgotten.

31. RESOURCES TO DETERMINE THE CREATION OF AN AUDIT

  1. Resources of SW: Programs or monitoring systems.
  2. Resources of HW: Computer equipment.
  3. Human resources: Staff, experts in networks, systems, and communications.

32. DOMAINS OF COBIT 4

  1. Planning and preparation: This domain is responsible for planning and defining the objectives and scope, the resources to be used, how the objectives will be implemented, and the schedule for the whole process.
  2. Acquisition and implementation: In this domain we see how the solution will be acquired, either through local (internal) developers or through outsourcing if needed. Here we also analyze how it will be implemented.
  3. Delivery and Support: At this stage the completed application is delivered to the user, and the support aspects they will need for the proper maintenance of the different areas are analyzed.
  4. Monitoring: At this stage all activities are displayed and the entire process is monitored.

33. PRACTICE 6: ASSESSMENT COMPONENTS

  1. Administrative: Organization, functions, structure, fulfillment of objectives, human resources, rules and policies, training.
  2. Systems: Assessment of the analysis and its different stages, Assessment of the system’s logical design, Assessment of physical development, Facility for the development of systems, Control of projects.
  3. Environmental operating equipment: Acquisition, feasibility studies and cost-effective, Capacities, Application, Standardization, Controls, New acquisition projects, Storage.
  4. Data processing: Control of source data and data management, Control of the operation, Control of the output, Control in mathematical processes, Control of mass storage media, Control of media.
  5. Security: Physical and logical security, privacy, support, security personnel, insurance, safety in the use of equipment, contingency plan, restoration of equipment and systems.