IS Audit Basics: Innovation in the IT Audit Process

  • Category: blog
  • Published: Wednesday, 14 April 2021 07:07
  • Written by Super User
  • Hits: 303

In June 2015, ISACA began publishing a set of white papers titled “Innovation Insights.”1 The papers covered the top 10 emerging digital technology trends most likely to deliver significant value, in excess of cost, to the vast majority of enterprises.2

The topics covered included big data analytics, mobile, cloud, machine learning, the Internet of Things (IoT), massive open online courses, social networking, digital business models, cybersecurity and digital currency.

Unfortunately, from an audit perspective, the papers were targeted at business leaders and board members. While they are not all topics that an IT auditor can influence on a day-to-day basis, does that mean that IT auditors cannot innovate?

Innovation is defined as the introduction of something new or a new idea, method or device3; therefore, introducing something new to a process is innovating.

Further, if it is new to the enterprise, it is also innovation. So, how can we innovate throughout the IT audit process? According to ISACA, the typical audit process consists of three phases (figure 1). The following are my thoughts for potential innovation during each phase. Please bear in mind that what may be new and innovative for enterprise A may be business as usual for enterprise B.

Figure 1

Planning—Collaborate

The Internet allows us to communicate with peers instantly and has enabled innovative ways of doing many things. Fundamentally, however, we are each still planning and creating audit programs as if this revolution had not taken place. In an earlier column,4 I advocated for the ISACA community to develop open-source audit/assurance programs. In the meantime, organizations can innovate by collaborating on audit/assurance programs through their local chapters or industry groups. For example, does the next seminar have to take the format of an expert explaining the fundamentals of a new law or regulation? Can it not be a facilitated open forum that results in, or at least is the basis for, an audit program for said regulation?

Also, please remember that collaboration is always possible in the ISACA Knowledge Center.5

Planning—Implement Audit Management Software

Over the years there have been several discussions on the ISACA Knowledge Center on the benefits (or otherwise) of adopting audit management software. Those against point to the inflexibility of many of the tools available and the fact that it is just easier to get things done with Microsoft Word and Excel. However, one of the real benefits is that they enforce a standardized process. This is the very essence of what we, as auditors, like to see in processes we review.

Standardization ensures that each audit goes through steps defined and agreed on by the enterprise. These will likely include risk assessment, peer review and audit management approval. They will, in turn, improve the quality and consistency of audits. Consistency of message is key for audit functions and, indeed, for auditees.

Further, it means that IT auditor A should be in a better position to pick up, understand and continue work initiated by IT auditor B.

Planning—Utilize Data Analytics Earlier

Traditionally, the use of data analytics is considered only at the audit fieldwork stage. However, if an engagement enables access to all the enterprise’s data for the subject under review, then it may be worth employing data analytics earlier. By mining the data, it is possible to determine which countries, business units, and business processes or other areas hide outliers that could represent increased risk or compliance issues. Once a business unit or geography is identified, the scope of the engagement can be further refined by drilling deeper into the data, increasing scope in higher-risk areas and reducing scope in sectors where analytics suggests the risk may be less. The overall result is a more dynamic audit plan based on continuous, just-in-time risk assessment; more efficient audits that are aligned with areas of risk; more effective results from audits that are focused on those areas of high risk; and automated reporting.6

Planning—Implement Control Self-Assessment

In enterprises where a sizable portion of the evidence is provided by interviewing and there is a good, proven working relationship between management and audit, one can truly innovate and save significantly on time by adopting control self-assessment (CSA). CSA was also discussed in a previous column.7 To recap, ISACA defines CSA as an assessment of controls made by the staff of the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that the internal control system of the organization is reliable.8

CSA requires the auditee to answer a series of questions on the relevant criteria or the standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter.9 With management agreement, these results can be used as a basis for audit recommendations.

Planning—Audit Horizontally

It is widespread practice to audit applications or subject areas vertically, that is, reviewing all the selected risk areas for a given application. Each application or subject is audited independently (figure 2). However, auditing in this manner can result in recurring findings or common themes.

Figure 2

For example, several applications may not be fully compliant with the defined change management process. This will result in multiple similar findings across the different applications. In such circumstances, it may make sense to audit the change management process itself horizontally across all the applications (figure 2), perhaps utilizing the COBIT 5 enablers.10 The purpose of such an audit would be to address the underlying causes of the recurring theme and mitigate risk across several applications.

Fieldwork/Documentation—Get Primary Access to the Evidence

At the fieldwork stage of an audit, an IT auditor obtains evidence to measure against the criteria. The traditional way to do this is via interviewing and walk-throughs, where the IT auditor will ask for a print screen, copy of a report or other evidence to confirm that the criteria have been met. However, if the IT auditor is given primary, read-only access to this evidence, it will reduce the time the auditor needs to spend with the auditee, ultimately saving the enterprise money.

Further, the IT auditor need not be limited to sampling. Some examples follow:

  • Change management—If a change management application is in place and the IT auditors have direct access to it, they do not necessarily need to walk through the changes with the auditee. They can sample or test all changes directly on the application or by extracting the data from the application for further analysis.
  • Vulnerability management—If the IT auditors have direct, read-only access to the vulnerability scanner, they can tell if the associated assets are being scanned by the tool. Further, by reviewing the results of previous scans they can gain assurance on whether an ongoing process is in place and vulnerabilities are continuously being mitigated.
  • Audit and logging—If the IT auditors have direct, read-only access to the enterprise’s security information and event management (SIEM) tool, they can tell whether the related application assets are captured in the tool and the auditing is at a level that matches the required criteria.

This concept could also be applied to other processes where automated software is in use or evidence is captured and maintained by second-line functions.11 This could include the leavers and movers process, disaster recovery testing, backup restore testing, and database scanners.

Fieldwork/Documentation—Repurpose Generalized Audit Software

ISACA defines generalized audit software (GAS) as multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting.12 From an IT auditor’s perspective, the use of GAS tools is traditionally restricted to supporting operational or general audits by aiding in the extraction and analysis of data from the database of a given application. However, these tools will equally support data extracted from servers, application logs and views, and metadata from databases. They can be used, therefore, to support IT audits.

Once extracted, the data can be analyzed and compared against known compliant data sets and other sources of data, such as the company payroll. Further, the process can be repeated and used as part of a continuous monitoring and/or audit. Examples of this approach in use include “Auditing Oracle Databases Using CAATs”13 and “Auditing SQL Server Databases Using CAATs.”14
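As an added illustration (not code from the column or from any GAS product), the following Python script performs the matching step described above for the leavers process: every account exported from an application is compared against the HR payroll extract, so the whole population is tested rather than a sample, and the check is a function that can be re-run as a continuous monitoring control. The CSV layouts, column names and records are constructed assumptions.

```python
# Added example (not the column's code): GAS-style matching of application
# accounts against a payroll extract. Extracts and column names are constructed.
import csv
import io
from datetime import date

# Constructed application user export (assumed column names).
APP_USERS_CSV = """user_id,employee_no,last_login
jsmith,E1001,2018-02-20
mjones,E1002,2018-02-27
svc_batch,,2018-02-28
pkelly,E1003,2018-01-15
tnolan,E1009,2018-02-26
"""

# Constructed HR payroll extract: the "known compliant" reference data set.
PAYROLL_CSV = """employee_no,status,leaving_date
E1001,active,
E1002,active,
E1003,left,2017-12-31
E1004,active,
"""


def load_rows(text):
    """Parse a CSV extract into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def match_accounts(app_users, payroll):
    """Match every application account to payroll and return the exceptions.

    Reason codes the auditor can take to the auditee:
      no_employee_no  account not tied to any employee (shared/service account)
      not_on_payroll  employee number unknown to HR
      leaver          employee has left but the account still exists;
                      days_used_after_leaving shows whether it was still used
    """
    by_emp = {p["employee_no"]: p for p in payroll}
    exceptions = []
    for user in app_users:
        emp = user["employee_no"]
        if not emp:
            exceptions.append({**user, "reason": "no_employee_no"})
            continue
        rec = by_emp.get(emp)
        if rec is None:
            exceptions.append({**user, "reason": "not_on_payroll"})
        elif rec["status"] != "active":
            used_after = (date.fromisoformat(user["last_login"])
                          - date.fromisoformat(rec["leaving_date"])).days
            exceptions.append({**user, "reason": "leaver",
                               "days_used_after_leaving": used_after})
    return exceptions


def summarise(exceptions):
    """Count exceptions per reason code for the audit report."""
    counts = {}
    for exc in exceptions:
        counts[exc["reason"]] = counts.get(exc["reason"], 0) + 1
    return counts


def run_check():
    """One full run of the test; call again with fresh extracts to re-test."""
    return match_accounts(load_rows(APP_USERS_CSV), load_rows(PAYROLL_CSV))


if __name__ == "__main__":
    found = run_check()
    for exc in found:
        print(exc)
    print(summarise(found))
```

Payroll employees without an application account (E1004 above) are deliberately not exceptions; the test is one-directional, from accounts to HR.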

Reporting/Follow-Up—Utilize the ISACA Glossary

In a 2015 white paper, ISACA defined the five attributes of an audit finding (figure 3).15 A potential issue with the condition attribute is that the report audience may not always be technical even though a technical finding is being described. Therefore, it makes sense to include a definition of the area under review with the audit finding (e.g., vulnerability management). An effective way to do this is to use the definitions from the ISACA glossary.16 This provides clear explanations and will also create consistency, in that vulnerability management, for example, will be defined in the same way across multiple audit reports. This, in turn, means that the audience will learn and understand the terminology over time.

Figure 3

Even if the ISACA glossary does not currently meet organizational needs, it can be used as a baseline or starting point.

Reporting/Follow-Up—Use Video

IT audit reports can be complex documents containing layers of interrelated findings that affect multiple areas of the business and often require further explanation. This may be overcome by meeting the audience face-to-face and providing further detail. However, due to the size, complexity and geographical dispersity of some enterprises, this is not always possible.

I had the honor of working with a colleague on an ISACA committee who overcame this problem by recording the executive summaries on video. The videos were uploaded to a private YouTube channel with the required technical controls (e.g., two-factor authentication). Besides adding context and meaning to the audit reports, it also allowed him to deliver the results with empathy—something that is difficult to get across in a written report.

Reporting/Follow-Up—Track and Measure Progress

ISACA’s Information Technology Assurance Framework (ITAF) recommends that a report on the status of agreed-upon corrective actions arising from audit engagement reports, including agreed-upon recommendations not implemented, should be presented to the appropriate level of management and to those charged with governance (e.g., the audit committee).17 This can be achieved by bringing the recommendations together in an assurance-finding register.

In addition, if these findings are allocated attributes (e.g., significance, status, owner, country, department, region), the data can be analyzed, summarized and presented in a meaningful manner—becoming information. This information can then be used to clearly show compliance to standards and regulations and even act as lead indicators for new initiatives. For further details, see “Enhancing the Audit Follow-up Process Using COBIT 5.”18

Conclusion

My overall message is that innovation, much like beauty, is in the eye of the beholder. If it is new to the enterprise, it is innovation. Furthermore, innovation does not have to include the latest technology, such as machine learning. Neither does it have to be a revolution; it can be an evolution. To innovate, we auditors do not have to be futurists; we can be “now-ists.”19

Endnotes

1 ISACA, “Innovation Insights,” USA, 2015, www.isaca.org/Knowledge-Center/Research/Pages/isaca-innovation-insights.aspx
2 Ibid.
3 Merriam-Webster, “Innovation,” https://www.merriam-webster.com/dictionary/innovation
4 Cooke, I.; “Audit Programs,” ISACA Journal, vol. 4, 2017, www.isaca.org/archives
5 ISACA Knowledge Center, Audit Tools and Techniques, www.isaca.org/Groups/Professional-English/it-audit-tools-and-techniques/Pages/Overview.aspx
6 Kress, R.; D. Hildebrand; “How Analytics Will Transform Internal Audit,” ISACA Journal, vol. 2, 2017, www.isaca.org/Journal/archives/Pages/default.aspx
7 Cooke, I.; “Doing More with Less,” ISACA Journal, vol. 5, 2017, www.isaca.org/archives
8 ISACA, CISA Review Manual, 26th Edition, USA, 2016
9 ISACA, ITAF: Information Technology Assurance Framework, USA, 2014, www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/ObjectivesScopeandAuthorityofITAudit.aspx
10 ISACA, COBIT 5, USA, 2012, www.isaca.org/COBIT/Pages/default.aspx
11 Chartered Institute of Internal Auditors, “Governance of Risk: Three Lines of Defence,” https://www.iia.org.uk/resources/audit-committees/governance-of-risk-three-lines-of-defence/
12 ISACA Glossary, www.isaca.org/glossary
13 Cooke, I.; “Auditing Oracle Databases Using CAATs,” ISACA Journal, vol. 2, 2014, www.isaca.org/archives
14 Cooke, I.; “Auditing SQL Server Databases Using CAATs,” ISACA Journal, vol. 1, 2015, www.isaca.org/archives
15 ISACA, Information Systems Auditing: Tools and Techniques—IS Audit Reporting, USA, 2015, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/information-systems-auditing-tools-and-techniques.aspx
16 Op cit ISACA Glossary
17 ISACA, ITAF™: A Professional Practices Framework for IS Audit/Assurance, 3rd Edition, USA, 2014, www.isaca.org/ITAF
18 Cooke, I.; “Enhancing the Audit Follow-Up Process Using COBIT 5,” ISACA Journal, vol. 6, 2016, www.isaca.org/archives
19 Ito, J.; “Want to Innovate? Become a ‘Now-ist,’” TED, 2014, https://www.ted.com/talks/joi_ito_want_to_innovate_become_a_now_ist

Ian Cooke, CISA, CGEIT, CRISC, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt, is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has 30 years of experience in all aspects of information systems. Cooke has served on several ISACA committees and is a current member of ISACA’s CGEIT Exam Item Development Working Group. He is the community leader for the Oracle Databases, SQL Server Databases, and Audit Tools and Techniques discussions in the ISACA Knowledge Center. Cooke supported the update of the CISA Review Manual for the 2016 job practices and was a subject matter expert for ISACA’s CISA and CRISC Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training modules. He welcomes comments or suggestions for articles via email, Twitter (@COOKEI), or on the Audit Tools and Techniques topic in the ISACA Knowledge Center. Opinions expressed are his own and do not necessarily represent the views of An Post.

Author: Ian Cooke, CISA, CRISC, CGEIT, CDPSE, COBIT 5 Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, FIP, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt
Date Published: 1 March 2018

Six Privacy Considerations for Auditors

  • Category: blog
  • Published: Wednesday, 14 April 2021 07:05
  • Written by Super User
  • Hits: 317

As compliance requirements continue to evolve, it is critical for auditors to stay abreast of the most current regulations. Efforts to implement proper privacy measures should not necessarily lead to separate information security projects completed merely for compliance reasons, but instead should be built into overall cyberrisk and resilience management. The following are six elements of privacy for auditors to keep in mind:

  1. Define personal information—Personal data has a broad definition and is defined in Article 4 of the EU General Data Protection Regulation (GDPR) as “any information relating to an identified or identifiable natural person.” Article 4 also states that an identifiable natural person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” In other words, even a person’s IP address, hair color or religious preference could be considered personal information if, on its own or with other data, it can be used to identify a specific individual.
  2. Consider user control—One of the requirements that is common among privacy laws and regulations (e.g., GDPR) is the control that consumers have over their data. In addition to their “right to be forgotten”—the right to request that their data no longer be processed and be deleted—consumers can also request to inspect and correct data about themselves that organizations have collected. The auditor should review whether the organization has mechanisms and policies in place for satisfying such requests.
  3. Take inventory of data assets—The auditor should observe how the assets are classified and what controls have been put in place to protect and safeguard the assets and data.
  4. Identify the regulation or framework with which to comply—The auditor will need to set criteria to measure against, as this step will help narrow the list of requirements for the specific audit. In certain cases, only some portions of the framework will apply to the organization and the auditor will need to further identify which ones. If the auditor is performing an overall audit of security and privacy, that auditor must make sure to include criteria from all frameworks that are applicable to the business.
  5. Verify workflows and components—The auditor is required to look into the documentation describing the controls related to data handling. Each component category needs its own policies and procedures and it is very important for the auditor to ensure that components and related workflows exist.
  6. Analyze risk assessment—One of the key activities for data privacy assessment is to look into the risk assessment conducted by the organization. This creates the opportunity to understand the potential risk factors identified and the mitigation plan.

The auditor should create written questionnaires to be completed by the different business units that handle sensitive data. The questionnaires should include questions such as:

  • What kinds of personal data are being collected and for what purposes?
  • What kinds of personal data are being processed and for what purposes?
  • What kinds of personal data are being stored and for what purposes?
  • How are the personal data collected, processed and stored?
  • What kind of consent does the individual require?
  • What steps are taken to ensure the accuracy and integrity of the stored data?
  • How is the data disposed of when it is no longer required?

Follow-up interviews may be needed to clarify or expand on the provided answers, or to understand the rationale behind specific policies or procedures. The auditor’s goal is to determine whether the policies align with the actual processes and workflows.

A matrix is an effective tool for organizing these findings and recommendations and can include useful notes and resources. When auditors maintain current knowledge and organizations conduct training sessions to keep their employees informed of privacy issues, compliance becomes less of a burden.

Designating certain employees as “owners” of different policies, who ensure that those policies are current and reflect any regulatory changes as well as existing enterprise practices, can also be helpful.

Comprehensive cyberrisk and resilience management should be planned and executed with privacy in mind at every level of the organizational hierarchy.

Hafiz Sheikh Adnan Ahmed, CGEIT, COBIT 5 Assessor, CDPO, ISO 20000 LA/LI, ISO 22301 LA/LI, ISO 27001 LA/LI, is a governance, risk and compliance (GRC); information security; and IT strategy professional with more than 15 years of industry experience. He serves as a board member of the ISACA® United Arab Emirates (UAE) Chapter and volunteers with ISACA Global as a Topic Leader for the Engage online communities.

He also serves as a member of the ISACA IT Advisory Group and the Chapter Compliance Task Force, an ISACA Journal article reviewer and a SheLeadsTech Ambassador. Ahmed previously served as a chapter award reviewer and on the CGEIT Quality Assurance Team. He can be reached via email and LinkedIn.

Author: Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, GDPR-CDPO, COBIT 5 Assessor, ISO 20000 LA/LI, ISO 22301 LA/LI, ISO 27001 LA/LI
Date Published: 28 September 2020

How to register a company in Tanzania

  • Category: blog
  • Published: Thursday, 08 April 2021 08:01
  • Written by Super User
  • Hits: 573

PROCEDURES IN TANZANIA: An Overview of the Newly Online Registration System (ORS)

1.0 Introduction

Registering a business entity in Tanzania is very simple. It is done through the Business Registration and Licensing Agency (BRELA), a government agency empowered under Act No 30 of 1997 to supervise and facilitate business registration and post-registration matters in Tanzania.


Payment and Accounting for VAT

  • Category: blog
  • Published: Monday, 12 April 2021 07:31
  • Written by Super User
  • Hits: 350

Under the current system, taxpayers are required to pay taxes through banks and submit evidence of payment to TRA. The following are the modes of payment.

Revenue gateway and tax banking

TRA has taken a number of initiatives to modernize its operations through automation and improve the quality of services provided to the Taxpayers.

In order to have secure and efficient payment systems, the two institutions, BOT and TRA, agreed to develop an interface that improves the process of revenue collection and achieves straight-through processing (STP) between TISS-CBS at BOT and EPICOR, ITAX and TANCIS at TRA.

The Revenue Gateway is an intelligent software interface designed and developed to improve the process of revenue collection by achieving STP between BOT, TRA and the commercial banks.

The Gateway shall be used for three modes of payment:

  • TISS payments: revenue going directly to the Bank of Tanzania (SWIFT messages)
  • Tax bank payments: reflected directly in the specific TRA systems, with the revenue transferred to BOT later

How it works

The Gateway enables taxpayers to register their intention to pay tax online from the TRA portal and to select the mode of payment (TISS). Upon submission, the Revenue Gateway (RG) generates a pay-in slip and assigns it a unique control number. The control number, which is eight (8) digits, is used for reconciliation between TRA and the commercial banks.

The taxpayer then submits the printed pay-in slip to the commercial bank and orders the bank to transfer the tax to the Commissioner’s account at BOT. The commercial bank receives the pay-in slip and initiates the transfer as a transaction on its SWIFT terminal, quoting the control number from the slip.

The Gateway receives the transaction details as SWIFT messages from TISS, validates and transforms them, and finally updates the respective revenue system through its web services.

The Gateway brings the following benefits:

  • Saves taxpayers time in the payment process
  • Improves the accounting and analysis of Government revenue collection
  • Minimizes human intervention
  • Improves data integrity and speeds up the documentation process
  • Enhances security, as the Gateway acts as the concentrator of the payment message flow
  • Reduces costs, as TRA maintains a single interface to all commercial banks, which is easier to manage and maintain
  • Simplifies payment procedures for the taxpayer, who receives an acknowledgement every time TRA receives a payment

GTG & Associates provides a wide range of services in Dar es Salaam and upcountry. The firm is purely Tanzanian and works through its team of experienced accountants, auditors and consultants.

+255 (0) 767 315 740
Mwenge Opp TRA, Dar es salaam; Tanzania
