IT Audit Process Michael Romeu-Lugo MBA, CISA February 27, 2017 IT

IT Audit Process Michael Romeu-Lugo MBA, CISA February 27, 2017 IT Audit Process Prof. Mike Romeu 1

EEUU Manufacturing EU R&D EEUU Finance & Accounting ASLA Data C enters Human Resources Sales and Marketing Help Desk Cloud Services Server, Network And DB Administrators Desktop Support Customer Service Programmers Project Managers Web Services Africa Manufacturing Business/System Analysts IT Audit Process Prof. Mike Romeu

Business Process Etc. Business Process Logistics Business Process Manufacturing Controls Include: Strategies and plans Policies and procedures Risk assessment activities Training and education Quality assurance Internal Audit Executive Management Business Process Finance Entity-level Controls Entity-level controls set the tone and culture of the enterprise. IT entity-level controls are part of a company’s overall control environment. IT Services OS/Data/Telecom/Continuity/Networks IT Audit Process Application Controls Controls embedded within business process applications directly support financial control objectives. Such controls can be found in most financial applications including large systems such as SAP and Oracle as well as small systems such as Sage 300 ERP. Control objectives/assertions include: Completeness Accuracy Existence/authorization Presentation/disclosure IT General Controls Controls embedded within IT processes that provide a reliable operating environment and support the effective operation of application controls Controls include: Program development Program Changes Access to programs and data Computer Operations Prof. Mike Romeu 3

Significant Accounts in the Financial Statements Balance Sheet Income Statement Cash Flow Notes Business Processes/Classes of Transactions Accounts Receivable IT General Controls Access to Program and Data Program Development Program Changes Computer Operations Accounts Payable Purchasing Financial Applications Application A Application B Application C IT Infrastructure Services Database Application Control Objectives Accurate Complete Exist / Authorized Preserved / Disclosed Operating System Network/Physical IT Audit Process Prof. Mike Romeu 4

AnyBook Store, Inc. – Order-to-Cash Customer Shipping Notification Order Invoice Ship Order Order to Cash 0 Context Diagram Payment Warehouse Shipping Info Warehouse IT Audit Process Prof. Mike Romeu 5

AnyBook Store, Inc. – Order-to-CashData Flow Diagram Book File Orders Level 0 Book Information Customer Process Order 1.0 Order Information Check Credit Assemble Requisition to Warehouse 2.0 Ship Order Payment Order OK Customer File Address Information Apply Credit Invoice 8.0 Shipping Order Details Bookstore Orders Shipping Notification Assemble Customer Order 5.0 Publisher Shipping Details Order Details Warehouse Order Details Invoice Book Details Shipment Completion Invoice Verification 7.0 Payment Details Invoice Copy Warehouse Shipping Info Invoice Data Invoice Creation 6.0 Assemble Shipment 4.0 Shipping Verification 3.0 Quantity of Book Titles A/R IT Audit Process Prof. Mike Romeu 6

Process for Governance of Enterprise IT Evaluate, Direct and Monitor EDM01 Ensure Governance Framework Setting and Maintenance EDM02 Ensure Benefits Delivery EDM03 Ensure Risk Optimisation EDM04 Ensure Resource Optimisation EDM05 Ensure Stakeholder Transparency Align, Plan and Organize Monitor, Evaluate and Assess aAP001 Manage the IT management Framework AP002 Manage Strategy AP003 Manage Enterprise Architecture AP004 Manage Innovation AP005 Manage Innovation AP006 Manage Budget and Costs AP008 Manage Relationships AP009 Manage Service Agreements AP010 Manage Suppliers AP011 Manage Innovation AP012 Manage Risk AP013 Manage Security BAI04 Manage Availability and Capacity BAI05 Manage Organisational Change Enablement BAI06 Manage Changes DSS05 Manage Security Services DSS06 Manage Business Process Controls AP007 Manage Human Resources MEA01 Monitor, Evaluate and Assess Performance and Conformance Build, Acquire and Implement BAI01 Manage Programmes and Projects BAI02 Manage Requirements Definition BAI03 Manage Solutions Identification and Build BAI08 Manage Knowledge BAI09 Manage Assets BAI010 Manage Configurations BAI07 Manage Change Acceptance and Transitioning MEA02 Monitor, Evaluate and Assess the System of Internal Controls Deliver, Service and Support DSS01 Manage Operations DSS02 Manage Service Requests and Incidents IT Audit Process DSS03 Manage Problems DSS04 Manage Continuity Processes for Management of Enterprise IT MEA03 Monitor, Evaluate and Assess Compliance With External Requirements Prof. Mike Romeu

Process for Governance of Enterprise IT Evaluate, Direct and Monitor EDM01 Ensure Governance Framework Setting and Maintenance EDM02 Ensure Benefits Delivery EDM03 Ensure Risk Optimisation EDM04 Ensure Resource Optimisation EDM05 Ensure Stakeholder Transparency Align, Plan and Organize Monitor, Evaluate and Assess aAP001 Manage the IT management Framework AP002 Manage Strategy AP003 Manage Enterprise Architecture AP004 Manage Innovation AP005 Manage Innovation AP006 Manage Budget and Costs AP008 Manage Relationships AP009 Manage Service Agreements AP010 Manage Suppliers AP011 Manage Innovation AP012 Manage Risk AP013 Manage Security BAI04 Manage Availability and Capacity BAI05 Manage Organisational Change Enablement BAI06 Manage Changes DSS05 Manage Security Services DSS06 Manage Business Process Controls AP007 Manage Human Resources MEA01 Monitor, Evaluate and Assess Performance and Conformance Build, Acquire and Implement BAI01 Manage Programmes and Projects BAI02 Manage Requirements Definition BAI03 Manage Solutions Identification and Build BAI08 Manage Knowledge BAI09 Manage Assets BAI010 Manage Configurations BAI07 Manage Change Acceptance and Transitioning MEA02 Monitor, Evaluate and Assess the System of Internal Controls Deliver, Service and Support DSS01 Manage Operations DSS02 Manage Service Requests and Incidents IT Audit Process DSS03 Manage Problems DSS04 Manage Continuity Processes for Management of Enterprise IT MEA03 Monitor, Evaluate and Assess Compliance With External Requirements Prof. Mike Romeu

DSS04 Manage Continuity IT Audit Process Prof. Mike Romeu 9

DSS04 Manage Continuity: Process Related Goals IT Audit Process Prof. Mike Romeu 10

DSS04 Manage Continuity: Process Practices, Inputs/Outputs and Activities IT Audit Process Prof. Mike Romeu 11

DSS04 Manage Continuity: Process Practices, Inputs/Outputs and Activities Management Practice Description DSS04.01 Define the business continuity policy, objectives and scope Define business continuity policy and scope aligned with enterprise and stakeholder objectives DSS04.02 Maintain a Continuity Strategy Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of disaster or other major incident or disruption. DSS04.03 Develop and implement a business continuity response Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities. DSS04.04 Exercise, test and review the BCP Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. DSS04.05 Review, maintain and improve the continuity plan Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements. DSS04.06 Conduct Continuity plan training Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption. DSS04.07 Manage Backup Arrangements Maintain availability of business-critical information. DSS04.08 Conduct post-resumption review Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption. IT Audit Process Prof. Mike Romeu 12

DSS04 Manage Continuity: Process Practices, Inputs/Outputs and Activities Management Practice Description DSS04.01 Define the business continuity policy, objectives and scope Define business continuity policy and scope aligned with enterprise and stakeholder objectives DSS04.02 Maintain a Continuity Strategy Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of disaster or other major incident or disruption. DSS04.03 Develop and implement a business continuity response Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities. DSS04.04 Exercise, test and review the BCP Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. DSS04.05 Review, maintain and improve the continuity plan Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements. DSS04.06 Conduct Continuity plan training Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption. DSS04.07 Manage Backup Arrangements Maintain availability of business-critical information. DSS04.08 Conduct post-resumption review Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption. IT Audit Process Prof. Mike Romeu 13

DSS04.07 Manage backup arrangements IT Audit Process Prof. Mike Romeu 14

IT General Controls They are General Controls because the are not specific to an application or business process. Governance Structure and Implementation System Development, Acquisition and Maintenance Controls Infrastructure and Operations Controls Information Security Controls Network and Infrastructure Controls Business Continuity Controls IT Audit Process Prof. Mike Romeu 15

Auditing General Controls Gaining an overall impression of the existing control environment o Governance and Administration Organization Structure Governance – Policies and Procedures Staff and Skillset Supplier Management Data Center o Environmental controls – AC, fire suppression, UPS, flood control, layout o Physical access controls – badges, keyed entries, console access, biometrics o Overall Access Controls – guards, gates/locks, badges, visitor logs IT Audit Process Prof. Mike Romeu 16

Auditing General Controls Development, Acquisition, Implementation and Maintenance o Justification and Business Case o Program and Project Management o Evaluation and procurement practices o Quality Assurance and Quality Control o Service Level Agreements Business Continuity o Disaster recovery o Backup and Restore o Business Continuity Plan and Testing Security o Logical Access o Networks o Access Controls IT Audit Process Prof. Mike Romeu 17

Application (System) Controls Application Software business transaction processing o Accounts Payable o Accounts Receivable o Payroll o Banking and Finance Data can only be understood within the context of the business process it supports o Processing controls exist within the application itself IT Audit Process Prof. Mike Romeu 18

Auditing Application Controls First: Know the business process! o Policies/procedures o Interviews o Best Practices (using the work of others ) Identify Potential Risks o What can go wrong? Evaluate how these are handled by the system o Review test protocols vs. requirements o Observation o Test data IT Audit Process Prof. Mike Romeu 19

Application (System) Controls Sequence checks – The control number follows sequentially and any break in the sequence or duplication is rejected and/or noted for follow up. Printing checks Limit Checks – Data should not exceed a predetermined amount ATM cash withdrawal limits Range Checks – Data should be within predetermined values. Merchandise receiving and sorting Validity Check – programmed checks of the data validity in accordance with predetermined criteria. Marital Status – Married, Single, Divorced Reasonableness Check – input data are matched to predetermined reasonable limits or occurrence rates. Shipping containers Table Lookups – data are verified against valid values in a table Drop down fields IT Audit Process Prof. Mike Romeu 20

Application (System) Controls Existence Checks – Data entered correctly and agree with valid predetermined criteria. Product code Key Verification – the keying process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated keyed input. Check Digit – A numeric value that has been calculated mathematically is added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. Account Number, invoice number Completeness Check – a field should always contain data rather than zeros or blanks. New employee processing – employee number IT Audit Process Prof. Mike Romeu 21

Application (System) Controls Duplicate check – new transactions are matched to those previously input to ensure that have not already been entered. Invoice processing, Invoice numbers Logical Relationship Check – If a particular condition is true then one or more additional conditions or data input relationships may be required to be true to consider the input valid. Diagnostics. IT Audit Process Prof. Mike Romeu 22