
Information Systems Audit & Control


Presentation Transcript


  1. Information Systems Audit & Control: Introduction

  2. Syllabus
     Information Systems Audit and Control, Fall 2005, by Haroon Arshad
     E-mail: ch_haroon@msn.com
     Office hours: Wednesday & Friday, 3:45-5:00 PM
     Files available to date: Information System Audit & Control Syllabus & Course Outline; Notes
     Mailing group: http://groups.yahoo.com/group/isac_pucit

  3. Syllabus: COURSE OBJECTIVE & PHILOSOPHY
     Organizations must comply with an array of complex data laws and IT / information-system standards that now dominate the business environment, together with privacy and security requirements. The challenge will be dealing with regulatory requirements, information system standards, best practices and laws.

  4. COURSE OBJECTIVE & PHILOSOPHY
     • As a result, the emphasis will be on issues such as:
       • Policy management and enforcement
       • Benchmarking against standards
       • Incident response
       • Forensics, and monitoring for insider threats
     • To a large extent, the efforts will focus on:
       • Implementing security
       • Control policies
       • Management processes to ensure regulatory compliance
     It's a process that will involve spending a lot more time working with management and end users, and educating them on what the risks are.

  5. Syllabus
     This class will be devoted to these control issues, their impact on the organization, and how to manage and audit them. Consequently, this is essentially a class in corporate management and audit, even though it is presented within the information technology curriculum. Much of the class time will be devoted to discussions and case studies, to develop an active "Audit & Control mentality". To assure effective control, management – directly or through its internal and external auditors – must control and audit systems whose "internals" are understood only by highly-trained expert professionals. This course discusses the philosophy and describes some of the tools and methods used for control and auditing of such systems and the organizations that use them. Eventually, this will lead to increased awareness, better understanding, and more secure and effective accomplishment of the organization's objectives and use of its technology; thus, the course will be beneficial to all future managers and users, and not only to information technology professionals or auditors.

  6. Syllabus: TEXTBOOK & COURSE MATERIALS
     This course is based on Ron Weber's Information Systems Control and Audit, Prentice Hall 1999, ISBN 0-13-947870-1, which emphasizes the controls approach to systems audit and security. The methodology is applicable to all systems, including internet, web-based and e-commerce systems.
     Many security-oriented books are available today, and the following is recommended as a supplement: Information Technology Audit & Control by Frederick Gallegos, Daniel Manson, Sandra Allen-Senft, 2nd Edition, Auerbach Publishers. Additional reading material will be announced during the class.
     Please bring the Weber text with you to each class – we will use the cases at the end of its chapters. On the Yahoo group web page you will find PowerPoint presentations for all the material that I will introduce in class. These summarize the contents of the textbook, in addition to other material that will be discussed in class. You can read these presentations prior to class, so that you can use them in class in lieu of notes. You are responsible for knowing the contents of these transparencies as well as the textbook's material (and of course whatever is discussed in class).

  7. Syllabus: COMMUNICATIONS & PREREQUISITES
     I believe that open communication channels between all of us add significantly to the value of the class. You are welcome to contact me – preferably via e-mail. In particular, ALL questions and comments are welcome.
     The approach taken in this course is pragmatic, rather than theoretical or technical, with the objective of increasing your familiarity with the course topics on the one hand, and your critical understanding of the material on the other. I do not intend to "read the text in class". Rather, I will emphasize certain issues, and will respond to your questions. You must read on your own and be familiar IN ADVANCE OF EACH CLASS with the assigned material as given in the schedule, and with the class notes available on my web page. The course will be discussion oriented, with emphasis on discussions geared to the case studies at the end of each chapter.
     A common theme in my courses is the development of your communication skills and use of available computer technology and common software tools. You are expected to be familiar with word-processing and spreadsheet tools, and to submit your work using such tools. All homework will be submitted electronically via e-mail, and must follow all the rules in the PRESHINT.DOC file (will be available next week on the Yahoo group).

  8. Syllabus: ASSIGNMENTS, QUIZZES AND EXAMS
     Assignments will be based on the case studies at the end of the text's chapters, and will be announced in class. Homework solutions will be discussed in class on the date they are due; therefore, late submissions of homework assignments will not be accepted. Note that homework will be based, to a large extent, on material you are supposed to read for the next class, and will be discussed in class only after you submit the homework, in order to let you exercise your own judgment and understanding.
     All assignments are due, unless otherwise specified, by the Tuesday after the class in which they have been announced; they should reach me, via e-mail, by this time. Assignments should all be typed (using computerized office tools) and be professionally presentable; hand-written assignments will not be graded. Assignment due dates as given in the schedule or in class will be strictly adhered to, and late assignments will not be accepted unless prearranged with me. Virus-infected submissions will be deleted and not graded, with no opportunity for resubmission.
     Each class session (except the first one) may include a brief open-book quiz, which stresses understanding of the required material. This system eliminates the pressure of final exam preparation, allows timely grade-progress feedback, and motivates students to prepare for each session (and thus increases the probability of quality participation and of getting the most from the class sessions).

  9. Syllabus: CLASS ATTENDANCE
     You are expected to attend all classes, and are responsible for all announcements made in class or in the Yahoo group. Make-up quizzes or assignments will be given only with approval prior to the quiz or assignment, except in extreme circumstances. Punctuality is highly regarded; no student arriving late will be given any extra time to complete a quiz, nor will make-up quizzes be offered. The university's honor code will be adhered to. Cheating will result in an automatic failing grade in the course for all those students who are deemed to have consciously contributed to the cheating.

  10. Syllabus: GRADING
     Grades will be based on homework assignments (60% – equally weighted, and possibly dropping the worst one) and the quizzes (40% – equally weighted, and possibly dropping the worst one, but not more than 5% per quiz). Final grades will be assigned on a curve, and I will exercise my judgment as to the cut points, as well as to the grading of students who miss or come late to many of the classes.
     Don't nitpick about the grading. Persons who complain will not be rewarded for it; those who have the decency not to complain would deserve the same break. A request to look at one problem leads to re-grading of the whole paper, which often leads to a lower grade. No "extra credit" opportunities will be offered or assigned to specific individuals under any circumstances; all students' grades will be based on the same components – this is an equal opportunity course.

  11. TENTATIVE & APPROXIMATE COURSE SCHEDULE (the actual schedule will be determined by the class's progress, and changes will be announced)
     • Will be made available before next class.

  12. What Is Information System Audit
     • Collecting & evaluating evidence to determine if a system accomplishes its organizational tasks effectively & efficiently

  13. Motivation for Control & Audit
     • Major business fraud cases
       • Enron
       • WorldCom
     • The "Didn't know these things were happening" syndrome
     • Comprehensive ethical/control programs do matter to corporate stakeholders
     • Need for ethical/control:
       • Standards
       • Internal reporting process
       • Highest-level responsibility

  14. Motivation for Compliance: Accounting Scandals
     2001: Enron (Jeffrey Skilling, Kenneth Lay, Andrew Fastow)
     2002: AOL; Adelphia; Bristol-Myers Squibb; CMS Energy; Computer Associates; Duke Energy; Dynegy; El Paso Corporation; Freddie Mac; Global Crossing (Gary Winnick, John Legere, Thomas Casey); Halliburton (Dick Cheney); Harken Energy (published report 10-9-2002); HealthSouth; Homestore.com; ImClone Systems (Sam Waksal, Martha Stewart, John B. Landes, Ronald A. Martell); Kmart; Lucent Technologies; Merck & Co.; Merrill Lynch; Mirant; Nicor Energy, LLC; Peregrine Systems; Qwest Communications International; Reliant Energy; Sunbeam; Tyco International (L. Dennis Kozlowski, Mark H. Swartz); Waste Management; WorldCom (Bernard Ebbers)

  15. Motivation for Control & Audit: Risk-Based Capital
     • Definition of RBC: a theoretical model used to compute the minimum amount of capital that an insurance company should maintain in order to support its business operations, considering the company's size and risk profile
     • Goals:
       • To assist regulators in knowing when to intervene in a company's affairs
       • To reduce the costs of company insolvencies by catching them early
       • To be simple enough to be applied to all companies
       • To be comprehensive enough to adequately distinguish all possible risks

  16. Need for IS Control & Audit
     • Reliance on computer systems
       • Survival of the organization
     • Costs of data loss
     • Costs of errors
     • Inability to function
     • Possibility of incorrect decisions

  17. Need for IS Control & Audit
     • Security & abuse – from inside & outside: hacking, viruses, access
       • Destruction & theft of assets
       • Modification of assets
       • Disruption of operations
       • Unauthorized use of assets
       • Physical harm
       • Privacy violations
     See cases at end of ch. 1

  18. Need for IS Control & Audit

  19. What Is Information System Audit
     • The process of collecting and evaluating evidence to determine whether a (computerized) system:
       • Safeguards assets
       • Maintains data integrity
       • Enables communications & access to information
       • Achieves operational goals effectively
       • Consumes resources efficiently

  20. Objectives – Audit and Control
     • Need to control & audit information systems
     • IS AUDITING = collecting & evaluating evidence to determine if a system accomplishes its organizational tasks effectively & efficiently
     • Understanding the organization & environment
     • Understanding systems
       • EDP in particular
     • Understanding the Control Approach
       • Control – a system that prevents, detects, or corrects unlawful, undesirable or improper events

  21. The Auditing Environment
     • External vs. internal auditors
     • External auditors provide increased assurance on:
       • Fairness of financial statements
       • Frauds & irregularities
       • Ability to survive
     • Internal auditors appraise and evaluate the adequacy & effectiveness of controls
       • Control – a system that prevents, detects, or corrects unlawful, undesirable or improper events
     • Reporting – and responsibility – to the Board of Directors

  22. The Auditing Environment – cont.
     • Types of audit procedures:
       • To gain understanding of controls
       • Tests of controls
       • Substantive tests of details of transactions
       • Substantive tests of balances and overall results
       • Analytic review procedures

  23. Assessing Reliability
     • By controls
     • By transaction
     • By errors

  24. Internal Auditors
     • Responsible to the Board of Directors
     • An internal control function
     • Assist the organization in measurement & evaluation of:
       • Effectiveness of internal controls
       • Achievement of organizational objectives
       • Economics & efficiency of activities
       • Compliance with laws and regulations
     • Operational audits

  25. Internal Auditors: Scope of Work
     • Safeguarding assets
     • Compliance with policies and plans
     • Accomplishment of established objectives
     • Reliability & integrity of information
     • Economical & efficient use of resources

  26. The Internal Controls Framework
     • Separation of duties
     • Delegation of authority & responsibility
     • System of authorizations
     • Documentation & records
     • Physical control over assets & records
     • Management supervision
     • Independent checks
     • Recruitment & training

  27. Internal Controls – cont.
     • Controls – a pattern of activities:
       • Preventive
       • Detective
       • Corrective
     • Affect reliability:
       • Reduce failure probability
       • Reduce expected loss in failure
     • Reasonable assurance
       • Based on cost-benefit considerations

  28. External Auditors
     • Responsible to stockholders and the public
       • Via the Board of Directors
     • Assess financial statement assertions:
       • Existence or occurrence
       • Completeness
       • Valuation and allocation
       • Presentation and disclosure
       • Rights and obligations
     • Must test compliance with laws and regulations
     • Must test for fraud and improprieties
     • Rely on the internal control structure for planning of the audit

  29. External Auditors
     • Audit (material misstatement) risk = product of:
       • Inherent risk (the assertion could be materially misstated)
       • Control risk (a misstatement will not be prevented or detected on a timely basis by internal controls)
       • Detection risk
         • Inversely related to control and inherent risks
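As an added illustration (not from the course slides or the Weber text), the audit risk model on this slide and the cost-benefit basis for reasonable assurance on slide 27, worked through in Python with constructed figures:

```python
"""Audit risk model (slide 29) and control cost-benefit (slide 27).

Added illustration with constructed figures; not from the course slides.
    audit risk = inherent risk x control risk x detection risk
"""


def planned_detection_risk(audit_risk, inherent_risk, control_risk):
    """Solve AR = IR * CR * DR for the detection risk the auditor can accept.

    Lower assessed control risk (stronger internal controls) allows a higher
    detection risk, i.e. less substantive testing: the inverse relationship
    named on the slide.
    """
    for name, value in (("audit_risk", audit_risk),
                        ("inherent_risk", inherent_risk),
                        ("control_risk", control_risk)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must be a probability in (0, 1]")
    detection_risk = audit_risk / (inherent_risk * control_risk)
    # If IR * CR is already at or below the acceptable audit risk, the
    # target is met with no substantive testing; cap the probability at 1.
    return min(detection_risk, 1.0)


def control_is_justified(failure_probability, loss_if_failure,
                         residual_probability, residual_loss, control_cost):
    """Reasonable assurance on a cost-benefit basis.

    A preventive control lowers the failure probability, a corrective one
    lowers the loss when a failure occurs; in both cases the control is
    justified only if the drop in expected loss (p * L) exceeds its cost.
    """
    expected_loss_before = failure_probability * loss_if_failure
    expected_loss_after = residual_probability * residual_loss
    return expected_loss_before - expected_loss_after > control_cost


if __name__ == "__main__":
    # Constructed example: acceptable audit risk 5%, inherent risk 80%.
    print(planned_detection_risk(0.05, 0.80, 0.50))  # weak controls: 0.125
    print(planned_detection_risk(0.05, 0.80, 0.20))  # strong controls: 0.3125
    # Constructed example: a control costing 30,000 cuts a 10% chance of a
    # 500,000 loss to 2%; expected loss falls from 50,000 to 10,000.
    print(control_is_justified(0.10, 500_000, 0.02, 500_000, 30_000))  # True
```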
