The Auditor’s Role in Information Systems Management
EduTex
February 22, 2001
Agenda
• Historical Perspective & Perceptions
• What Does an IT Auditor Do?
• Today’s Auditors as Control Consultants
• When to Call an Auditor
Historical Perspective & Perceptions
• Auditing Financial Statements
• Operational Audits
• Information System Audits
• Integrated Audits
Historical Perspective & Perceptions
We’re here to help you!
Yeah, right!
Famous last words….
Historical Perspective & Perceptions
Auditor: One who hears; a listener.
Sadist: One who delights in cruelty.
Source: The American Heritage® Dictionary of the English Language, Third Edition. Copyright ©1996,
1992 by Houghton Mifflin Company. Published by Houghton Mifflin Company. All rights reserved.
What do IT Auditors do?
• Participate in the development of high risk
systems to ensure appropriate IT controls
are in place
• Audit existing information systems and
technologies
• Provide technical support to other audit staff
• Provide IT control consultation services
What do IT Auditors NOT do?
It is not our role to approve a new system for
implementation. We simply advise on controls
appropriate to the system given its intended use,
level of automation and relative risk.
Audits are a management tool, not a punishment!
Our Objective
The objective of internal auditing is to assist
the Chief Executive Officer in the effective
discharge of responsibilities by furnishing
objective analyses, appraisals and
recommendations concerning the activities
reviewed.
Our Objective
Dunmore’s Rule
Complete IT audit coverage can be
summarized in just eight words:
Ensuring management avoids
surprises while accomplishing
intended objectives.
Control Consultants
• Relative Risk
• Participation During Development
• Focused Assessment as part of Planned Audits
• On-Call Liaison
• Advise in Policy Development
• Added Visibility
• Fraud Investigation
Risk Factors
• Mission critical (to the department and/or
University)
• High transaction volume or many users
• Quality of known internal controls
• Technical complexity and history of
problems
• Changes in key staff (both user and
technical)
Participation in System Development
• Participate in development team meetings as needed
• Ensure that an appropriate level of controls is built into the system
• Ensure that the application meets user needs, training is provided and sufficient documentation is prepared
Participation in System Development
Our Risk Model dictates our level of
involvement in system development
projects.
Assessments During Audits
Examples:
Network Security Scanning
Policy Violations
On-Call Liaison
Tech Staff:
“Your IP blah blah blah SSL blah DES blah blah PGP blah blah blah digital signature. Okay?”
Administrator or Executive:
“Huh?”
Advise in Policy Development
“The auditors said we have to.”
“Management said you have to!”
Auditors are advisors, not policy setters.
Advise in Policy Development
Recent Examples:
• Email Policy
• Electronic Credentials Policy
• Authentication Procedures for granting
“high assurance” electronic IDs
But remember…
Auditors are advisors, not policy setters.
Added Visibility
Internal auditors typically report directly to
the top of the institution, and provide opinions
and advice independent of operational areas.
Organization Chart
Reporting Structure
Organization Chart
Also Danny Fletcher
Internal Audit Committee Members
Fraud Investigation
• Independent from operating areas
• Full and unrestricted access to records
• Working papers generally protected by law
• Professional standards help ensure accuracy and completeness
When do I call an auditor?
• During initial planning of a critical (or high risk)
system.
• Any time you have questions about controls
appropriate to the system for which you are
responsible.
• Any time you need a “liaison” between yourself
and the end user.
• Any time.
WE MAY CALL YOU FIRST !!
Summary
We really are here to help you!
Questions?
Dyan Hudson, CISA
Assistant Audit Director
The University of Texas at Austin
[email protected]
(512) 471-8976