Seminar on IT-Audit 1

By Catherine Elliott, 2014-11-13 17:02

Formulation of IT Audit Standards

The 2nd IT-audit seminar

Nanjing, China

September 1-4, 2004

Theme II

Formulation of IT Audit Standards

The Office of the Auditor General of Norway

    The Office of the Auditor General of Norway 2004 1


0 Preface ... 3

1 Auditing Standards and guidelines ... 4
1.1 Auditing standards ... 4
1.2 Auditing guidelines ... 4
2 The importance of IT audit ... 6
3 IT auditors' level of competence ... 7
4 IT Audit Standards ... 8
4.1 Planning the audit ... 8
4.2 Risk Assessment ... 8
4.3 Audit programs ... 8
4.4 Performing audit/testing ... 9
4.5 Reporting ... 9
5 Case studies ... 10
5.1 The unemployment agency audit trail ... 10
5.2 The security in IT-infrastructure, IT-application and delivery of services ... 10


0 Preface

This paper is produced for the 2nd IT-Audit seminar in China, 1-4 September 2004. It gives an overview of the OAG of Norway's audit standards and how IT audits are performed.


1 Auditing Standards and guidelines

1.1 Auditing standards

The auditing standards for the OAG are grouped into three categories:

- General standards

- Field standards

- Reporting standards

IT audit is integrated into the standards described above.

The general standards define fundamental principles that apply to all types of audit performed by the OAG. There is one general standard, which sets requirements regarding the OAG's and the auditors' independence, competence and performance of the audit work.

There are ten field standards, which define requirements regarding the audit work and are generally related to professional requirements for the execution of the various audit tasks undertaken by the OAG.

There are two reporting standards, which set requirements regarding documentation and reporting of the results of completed audits.

The standards are based on INTOSAI's standards in government auditing.

1.2 Auditing guidelines

The auditing guidelines comprise four parts: the General Guidelines and Framework Conditions for Auditing, the Guidelines for Financial Auditing, the Guidelines for Performance Auditing and the Guidelines for Corporate Control.

General guidelines

The General Guidelines are general auditing manuals that overarch the guidelines for the different types of audit and describe the OAG's legal basis and the position of the OAG in relation to the government. The General Guidelines also contain a description of the basic work carried out by the OAG, the decisions and intentions of the Storting, applicable regulations and assessments of risk and materiality, and describe the procedures followed by the OAG in connection with reporting to the Storting and the government administration.

Financial audit guidelines

The guidelines for financial auditing also cover the IT audits performed by the financial and IT auditors. The objective of the OAG's financial audits is to obtain relevant information about a financial statement and its transactions, in order to form an opinion about whether the accounts can be certified and the dispositions accepted.


All audit work is based on the auditing process defined in the guidelines. The auditing process covers the key requirements that the auditors' work must satisfy, for example in relation to collecting information about the auditee, assessment of risk and materiality, goal-oriented planning, assessment of the audited entity's or area's internal control system, economical, efficient and effective execution, and conclusions that are clearly related to the defined objectives. In the methodology used by the OAG, the tasks performed to verify the quality of the internal control structure are linked to the tasks undertaken to ascertain the reliability of the financial information. The tasks performed to verify the quality of the internal control include IT audits.

Performance audit guidelines

The Guidelines for Performance Auditing comprise guidelines for the planning, execution and reporting of a performance audit. The performance audit is defined as "the systematic analysis of the economy, efficiency and effectiveness of the government administration on the basis of the decisions and intentions of the Storting". Performance audit projects are initiated on the basis of an assessment of risk and materiality. At the planning stage, it is assessed whether the projects to be audited are politically relevant and financially significant. These are also the criteria for IT audits performed by the performance audit departments.


2 The importance of IT audit

The public sector in Norway is dependent on Information and Communication Technology (ICT), and therefore the auditor has to understand how organizations use technology to run their business and reach their overall goals. If the auditors do not have this understanding, they will not be able to perform their function. This does not mean that all auditors need deep knowledge of IT audit, but the OAG has to ensure that the auditors have the right level of competence when we staff the audits. In order to assess the internal control systems, the auditors may have to perform audits of the IT systems.

The increasing use of e-business (or e-government) in the public sector also affects the audit tasks that are to be performed. This increases the focus on IT risks, in areas such as IT infrastructure, applications and IT business risks.

In addition, IT projects still have cost overruns, delays and lack of functionality when delivered. These projects get a lot of media attention, and the Storting takes particular interest in the results. It is therefore natural that the OAG also focuses on these projects and performs audits after their completion.

It is therefore essential to recognise the dependence of most business upon the ICT infrastructure and on the quantity, quality and availability of the information. Several of the audits we perform are therefore directed towards management of service delivery and the established procedures concerning the IT environment. Effective organisation of the IT function and its co-ordination with the organisation's overall goals are important in this relation. These are also some of the important challenges for managers in the public sector today.


3 IT auditors' level of competence

The auditors' level of competence differs now from some years back. We are more dependent on auditors with competence in the field of IT. Therefore we have divided our auditors' skills in accordance with INTOSAI's recommendations in the IT Audit Curriculum:

Level 1 The Generalist

    The financial or performance auditor has to be familiar with the issues and methods of IT audit. They perform simple IT audit tasks and have the competence to assess if IT auditors are needed to perform the tasks.

Level 2 The IT Auditor

These auditors have specialised in IT audit and perform most of our IT audits. The level 2 auditor has undertaken the CISA¹ exam and uses most of the work time to carry out IT audits.

Level 3 The Expert IT Auditor

The experienced IT auditors also have CISA and often a specialization in other fields, for instance database and network security.

Our level 2 and 3 auditors work most of their time in IT audit projects and also assist other auditors (level 1) when necessary. The IT auditor's tasks are: reviews of system development projects, general control reviews, application system reviews and support to the level 1 auditors.

In addition to our IT auditors, we can staff the audits with specialists from our internal IT department or, for special tasks, external experts.

¹ Certified Information Systems Auditor is an exam hosted by the Information Systems Audit and Control Association.

4 IT Audit Standards

The audit standards are based on INTOSAI's standards for auditing, and we have no separate standards for IT audit, as mentioned earlier. IT audits are not financial audits but tests of the information systems in order to assess the internal control systems. For financial audit, the IT audit tasks are treated as an integrated part of the internal control assessments. Therefore most of the IT audits are performed in the financial audit departments.

The financial audit departments use a risk-based audit approach when performing audits. On the basis of the risk assessment performed on the auditee, the division decides whether IT audits are necessary in order to base the financial audit on the internal control systems established. Internal control is defined in accordance with the definitions of the COSO report: control environment, risk assessment, control activities, information and communication, and monitoring. The auditors' control activities are also divided into general controls and application controls.

In the following section we describe how the IT audit tasks are organized and the standards used.

4.1 Planning the audit

The planning of IT audits follows the established procedures for audit planning, as mentioned in Chapter 1.2 Auditing guidelines. The competence needed to perform the audit is of special importance in IT audit tasks, and the competence needed is assessed at this stage. The audits are performed in teams of two to six persons, depending on the task's complexity.

4.2 Risk Assessment

The risk assessments are used to form the audit scope, in addition to other information gathered when planning the tasks. When performing risk assessments, the standards used by the auditee are also assessed, i.e. whether they use ISO 17799 as a security standard, or whether they have organized their IT department in accordance with ITIL (BS 15000) or similar.

The auditors also often use COBIT as a reference when adjusting the risk assessments to the area or organisation under audit. The risk assessment gives a first input on the general controls and their effectiveness.

4.3 Audit programs

When forming the audit programs, the auditor also considers which standards the auditee uses in their IT organization. This is necessary in order to assess the quality of the solutions implemented in the organisations. In Norway there is variation in this field, and the majority of public organizations have a low focus on standards in IT. Therefore the audit programs are often based on our own reference guides or, for instance, on COBIT, in addition to governmental laws and regulations. The audit programs are used to perform tests of the general controls.

4.4 Performing audit/testing

When the audits are carried out, a combination of control methods is used. Interviewing, assessing documents and testing are all performed at this stage. In order to conclude on the audit, a minimum of testing is necessary. The testing can be done on a production system or in a test environment, depending on the complexity.

4.5 Reporting

The IT audit tasks are reported separately to the division with the main responsibility for the auditee. As mentioned earlier, these audits are part of the internal control assessments and are therefore reported earlier in the year than the final financial audits. This is so that the divisions can make adjustments to their audit plans.


5 Case studies

These are examples from a few audits performed for 2003 and will give information on how we focus our audits:

5.1 The unemployment agency audit trail

The unemployment agency of Norway (Aetat) completed a new accounting system, a system for processing benefit applications and payments, in 2003. With this new system the unemployed register their application forms on the internet, and the applications are automatically processed by Aetat. The system also generates the aggregated data that are to be posted in the General Ledger. The scope of this audit was to assess whether the aggregated data in the General Ledger could be traced back to the source. In Norway, the financial management regulations in central government also require that the audit trail is documented and can be found.

Audit objectives and tests

- To make a survey of the dataflow in the department (Aetat)

- To assess the completeness of the data processed

- To assess the consequences the solution has for the financial audit.

There were three steps of importance in tracing the transactions:

- The input of aggregated data to the General Ledger (Oracle Application)

- The transfer of data in the payments module (Abetal)

- The transfer of data from the system processing the application forms (Arena) to the payments module.

The audit was conducted by interviews, assessing system documentation and testing of the reconciliations carried out.

The audit concluded positively, and the audit trail is documented.
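As an added illustration (constructed example code, not part of the OAG paper and not taken from any Aetat system), the three tracing steps above expressed as one reconciliation test: constructed application, payment and ledger records are checked for completeness in both directions, and every break in the trail is reported as a finding.

```python
# Added, constructed example: reconciling an audit trail across the three
# tracing steps (application system -> payments module -> General Ledger).
# The system names are labels only; all records below are made up.
from collections import defaultdict

# Stand-in for Arena: approved applications and the approved amount (whole kroner)
APPLICATIONS = {"A1": 12000, "A2": 8500, "A3": 9900}
# Stand-in for Abetal: (payment_id, application_id, batch_id, amount)
PAYMENTS = [("P1", "A1", "B1", 12000), ("P2", "A2", "B1", 8500),
            ("P3", "A3", "B2", 9900), ("P4", "A4", "B2", 5000)]
# Stand-in for the General Ledger: aggregated amount posted per payment batch
GL_POSTINGS = {"B1": 20500, "B2": 14000}


def reconcile_audit_trail(applications, payments, gl_postings):
    """Return a list of findings; an empty list means every aggregated
    GL posting traces back to approved source applications and nothing
    is missing or duplicated along the way."""
    findings = []
    paid_count = defaultdict(int)
    batch_totals = defaultdict(int)
    # Step 3: every payment must trace back to an approved application
    for pid, app_id, batch_id, amount in payments:
        batch_totals[batch_id] += amount
        paid_count[app_id] += 1
        if app_id not in applications:
            findings.append(f"payment {pid}: no source application {app_id}")
        elif applications[app_id] != amount:
            findings.append(f"payment {pid}: paid {amount}, approved {applications[app_id]}")
    # Step 2 (completeness): each approved application is paid exactly once
    for app_id in applications:
        if paid_count[app_id] != 1:
            findings.append(f"application {app_id}: paid {paid_count[app_id]} times")
    # Step 1: each GL posting equals the total of the batch it summarises
    for batch_id, posted in gl_postings.items():
        if batch_id not in batch_totals:
            findings.append(f"GL posting {batch_id}: no payment batch behind it")
        elif batch_totals[batch_id] != posted:
            findings.append(f"GL posting {batch_id}: posted {posted}, batch total {batch_totals[batch_id]}")
    for batch_id in batch_totals:
        if batch_id not in gl_postings:
            findings.append(f"batch {batch_id}: not posted to the General Ledger")
    return findings


if __name__ == "__main__":
    for finding in reconcile_audit_trail(APPLICATIONS, PAYMENTS, GL_POSTINGS):
        print(finding)
```

On the constructed data the test reports two breaks: a payment with no approved application behind it, and a ledger posting that does not equal its batch total.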

    5.2 The security in IT-infrastructure, IT-application and delivery of services

For a number of departments under the Ministry of Labour and Government Administration and the Ministry of Finance, a survey was carried out to assess certain security issues. The main task of the survey was to perform risk assessments of the auditees and to select areas for further audit.

The survey was divided into subprojects, and these performed the audits simultaneously to give the auditors an opportunity to compare the organizations' solutions and audit findings. COBIT was used as a reference for this audit.
