2. MIS
• The three components of MIS provide a more complete and focused definition, where System
suggests integration and holistic view, Information stands for processed data, and Management is
the ultimate user, the decision makers.
• Management information system can thus be analyzed as follows:
• Management covers the planning, control, and administration of the operations of a concern.
The top management handles planning; the middle management concentrates on controlling; and
the lower management is concerned with actual administration.
• Information, in MIS, means the processed data that helps the management in planning,
controlling and operations. Data means all the facts arising out of the operations of the concern.
Data is processed, i.e. recorded, summarized, compared and finally presented to the management
in the form of an MIS report.
• System: Data is processed into information with the help of a system. A system is made up of
inputs, processing, output and feedback or control. Thus MIS means a system for processing data
in order to give proper information to the management for performing its functions.
3. INTRODUCTION
• The MIS audit needs to focus on the issues of corporate governance of
IS in a computerized environment and on the security controls that safeguard
information and IS.
• A well planned and structured audit is essential for risk management
and for monitoring and controlling IS in any organization.
• Its objective is to identify the risks that an organization faces in a computerized
environment.
• It evaluates the adequacy of security controls and informs management with
suitable conclusions and recommendations.
4. • It is a continuous process of evaluating controls and suggesting security
measures for the purpose of safeguarding assets or resources,
maintaining data integrity, and improving system effectiveness and
efficiency so as to satisfy organizational goals.
• Safeguarding of assets includes protection of hardware, software,
facilities, people, data, technology, documentation and supplies.
• The auditor should review physical security over the facilities, security
over systems software and the adequacy of internal controls.
• Data integrity includes safeguarding of information against
unauthorized addition, deletion, modification or alteration.
• It is maintained by Accuracy, Confidentiality, Completeness, Reliability and
Efficiency.
5. AUDIT IN COMPUTERIZED ENVIRONMENT
A) UNDERSTANDING THE COMPUTERIZED ENVIRONMENT
• The auditor requires the following skills to understand the environment:
1. computer concepts and system design
2. functioning of the accounting information system, and the ability to identify new risks
3. understanding of how internal controls are mapped on to computers to
manage technology and business risks
4. knowledge of the use of computers in audit
6. B) ACCOUNTING INFORMATION SYSTEM IN
COMPUTERIZED ENVIRONMENT
• AIS is essentially a Transaction Processing System (TPS). A TPS has 3
components: input, processing and output.
• Since an IS follows the garbage in, garbage out principle, it is
necessary that the input to the system be accurate, complete
and authorized before processing.
• This can be achieved by automating the input; a large number of
methods are available for this purpose.
• COBIT (Control Objectives for IT) is an internal control framework
established for IS which can be applied to AIS.
7. • To apply the COBIT framework, the organization should define its IS
architecture:
• frame security policies
• conduct a technology risk assessment
• take steps to manage technology risks, such as designing appropriate audit
trails, providing security to software systems, preparing a business
continuity plan, managing IS resources like data, apps and facilities, and
providing assurance for IS.
• It is applicable to sales, purchase and payroll AIS by considering the inputs
required, application controls, processing, report generation, exception
reports and files used.
• The auditor needs to collect audit evidence to understand the AIS.
8. C) IMPACT OF IT ON ECONOMICS OF AUDITING
• IT impacts audit documentation, reporting and paper work.
• Auditing in a computerized environment enhances the skills and
knowledge of traditional auditing, IS and business technology risks.
• It also impacts auditing, audit planning, audit risk, and audit tools and
techniques.
• Detection and reduction of risks can now be controlled by computer
assisted tools and techniques.
• The risk based audit approach starts with a preliminary review, which is
then followed by risk assessment.
9. • Under this audit approach, depending upon the intensity of IT use, the audit is
done through computers.
• Once the approach is decided, the next step is to assess general and
application controls.
• After this step, evidence is collected and evaluated, and reports are
prepared using IS.
10. D) SECURITY
• IS resources are vulnerable to risks and subject to financial and productivity
losses.
• Security is necessary to maintain the confidentiality, integrity and
availability of data, application systems and other resources.
• Principles of security:
• Accountability: apportionment of duties, responsibilities, and
accountability in the organization
• creation of security awareness
• cost effective implementation of information security
11. • integrated efforts to implement security
• periodic assessment of security needs
• timely implementation of security
• Types of control to implement security:
• framing and implementing a security policy covering physical, environmental,
logical and administrative controls.
1. physical controls: keys, locks, biometrics
2. environmental controls
3. logical controls: access controls
4. administrative controls: separation of duties, policy, procedures, standards,
disaster recovery, IS audit etc.
12. E) IS MANAGEMENT
• It includes the collection and evaluation of evidence to determine whether
the IS safeguards assets, maintains data integrity, achieves organizational
goals, and consumes resources efficiently.
• It is divided into 4 phases:
• Management (planning and organizing)
• Implementation and deployment
• Directing and controls
• Audit and monitoring
13. F) AVAILABILITY OF IS
• Security serves 3 purposes: confidentiality, availability and integrity.
• Access controls provide confidentiality and availability.
• Business continuity processes and back-up procedures provide
integrity.
• A disaster recovery plan puts the various IS resources back in place if a
disaster occurs.
• Because of this, the financial auditor gets an idea about the risks and the
importance of the application.
14. G) DATABASE MANAGEMENT
• A database provides data sharing and data independence.
• Data sharing means users and apps can share data, and data
independence means data is stored independently of applications.
• This makes the IS more secure and easier to implement.
• A DB offers facilities like a data dictionary, and sign-in and authentication
mechanisms.
15. H) ACCESS CONTROL
• All IS require an OS and a DB that have the ability to control access to data and
apps.
• The OS controls access at the directory and file system level.
• The DB controls access at the record and field level.
• To ensure data integrity, it is necessary to control access to data, apps and
other resources.
• So access to these systems should be strictly limited with the help of
authentication and authorization.
• Authentication ensures that only authorized users can access the system, and
authorization grants each authorized user only the minimum access needed.
• This is configured by the System Administrator.
• Auditors should know all these roles.
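The two steps described above, authentication followed by least-privilege authorization at record and field level, with every decision written to an audit trail, as an added Python example (not part of the original slides). The employee table, the role names and the credentials are constructed for this illustration; the credential store uses salted PBKDF2 so that the auditor can also check that no plaintext passwords are held.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed sample payroll table (hypothetical data for this example).
EMPLOYEES = {
    101: {"name": "A. Rao", "dept": "sales", "salary": 52000, "bank_acct": "XX-1111"},
    102: {"name": "B. Shah", "dept": "sales", "salary": 61000, "bank_acct": "XX-2222"},
    103: {"name": "C. Iyer", "dept": "finance", "salary": 70000, "bank_acct": "XX-3333"},
}

# Authorization policy (hypothetical roles): each role gets only the fields it
# needs (field level) and, where set, only the rows of one department (record level).
ROLE_POLICY = {
    "sales_manager": {"fields": {"name", "dept"}, "dept_filter": "sales"},
    "payroll_clerk": {"fields": {"name", "dept", "salary", "bank_acct"}, "dept_filter": None},
    "auditor": {"fields": {"name", "dept", "salary"}, "dept_filter": None},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen credential table cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserStore:
    """Credential store holding salted PBKDF2 hashes and each user's role."""

    def __init__(self):
        self._users = {}  # username -> (salt, password_hash, role)

    def add_user(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_POLICY:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt), role)

    def authenticate(self, username: str, password: str):
        """Authentication: return the user's role on success, None on failure."""
        rec = self._users.get(username)
        if rec is None:
            _hash_password(password, bytes(16))  # keep timing similar for unknown users
            return None
        salt, stored, role = rec
        return role if hmac.compare_digest(stored, _hash_password(password, salt)) else None


class AuditLog:
    """Audit trail of every access decision, granted or denied."""

    def __init__(self):
        self.entries = []

    def record(self, user: str, action: str, outcome: str, detail: str = "") -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "outcome": outcome, "detail": detail,
        })


def read_employee(store, log, username, password, emp_id, requested_fields):
    """Authenticate the caller, then enforce record- and field-level authorization."""
    action = f"read employee {emp_id}"
    role = store.authenticate(username, password)
    if role is None:
        log.record(username, action, "DENIED", "authentication failed")
        return None
    policy = ROLE_POLICY[role]
    row = EMPLOYEES.get(emp_id)
    # Record level: the role may be restricted to one department's rows.
    if row is None or (policy["dept_filter"] and row["dept"] != policy["dept_filter"]):
        log.record(username, action, "DENIED", "record not permitted for role")
        return None
    # Field level: least privilege means any field outside the role's set is refused.
    disallowed = set(requested_fields) - policy["fields"]
    if disallowed:
        log.record(username, action, "DENIED", f"fields not permitted: {sorted(disallowed)}")
        return None
    log.record(username, action, "OK", f"fields {sorted(requested_fields)}")
    return {f: row[f] for f in requested_fields}


def demo():
    """Run a few requests and return the sequence of audit outcomes."""
    store, log = UserStore(), AuditLog()
    store.add_user("mgr", "s3cret-mgr", "sales_manager")   # constructed credentials
    store.add_user("aud", "s3cret-aud", "auditor")
    read_employee(store, log, "mgr", "wrong-password", 101, ["name"])      # DENIED (authn)
    read_employee(store, log, "mgr", "s3cret-mgr", 101, ["name", "dept"])  # OK
    read_employee(store, log, "mgr", "s3cret-mgr", 101, ["salary"])        # DENIED (field)
    read_employee(store, log, "mgr", "s3cret-mgr", 103, ["name"])          # DENIED (record)
    read_employee(store, log, "aud", "s3cret-aud", 103, ["salary"])        # OK
    read_employee(store, log, "aud", "s3cret-aud", 103, ["bank_acct"])     # DENIED (field)
    return [e["outcome"] for e in log.entries]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The audit log is the artifact an IS auditor would sample: denied entries show the controls working, and a role reading fields outside its policy would show up as a gap in the policy table rather than in the code.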
16. I) APPLICATION CONTROLS AND THEIR
FUNCTIONING
• The purpose of application controls is data integrity, which is achieved by
ensuring the integrity of input, processing and output.
• Application controls are divided into: validation of input,
authorization of input, completeness of input, accuracy of input,
integrity of stored data, completeness and accuracy of processing
data, restricted access to assets and data, and confidentiality and
integrity of output.
• Business risks are controlled by application controls.
• The effectiveness of application controls can be tested either by continuous
audit or by general audit software.
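The input controls listed above (validation, authorization, completeness and accuracy) and the exception reports mentioned under the COBIT slide, as an added Python example that is not part of the original slides. The batch format, the customer master list, the approval threshold and the approver list are all constructed for the illustration; the completeness check uses a declared record count and the accuracy check a declared control total carried in the batch header.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed sample input batch (hypothetical format): a header record "H"
# carrying batch id, date, declared record count and declared control total,
# followed by "T" records: invoice, customer, amount, entered_by, approved_by.
SAMPLE_BATCH = """\
H|BATCH-0042|2024-03-31|4|1450.00
T|INV-1001|C-001|350.00|clerk1|
T|INV-1002|C-002|-20.00|clerk1|
T|INV-1003|C-999|600.00|clerk2|
T|INV-1004|C-003|520.00|clerk2|supervisor1
"""

VALID_CUSTOMERS = {"C-001", "C-002", "C-003"}   # hypothetical customer master file
AUTHORIZED_APPROVERS = {"supervisor1"}           # hypothetical approval list
APPROVAL_THRESHOLD = Decimal("500.00")           # amounts above this need approval
INVOICE_PATTERN = re.compile(r"^INV-\d{4}$")


def validate_transaction(fields):
    """Validation, authorization and accuracy checks on one record.
    Returns the list of exception reasons (empty when the record is accepted)."""
    reasons = []
    if len(fields) != 6:
        return ["malformed record"]
    _, invoice, customer, amount_text, entered_by, approved_by = fields
    if not INVOICE_PATTERN.match(invoice):
        reasons.append("invalid invoice number")
    if customer not in VALID_CUSTOMERS:
        reasons.append("unknown customer")
    try:
        amount = Decimal(amount_text)
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            reasons.append("amount must be positive with two decimals")
    except InvalidOperation:
        reasons.append("amount not numeric")
        amount = None
    if not entered_by:
        reasons.append("missing entered_by")
    # Authorization of input: large amounts need an approver from the list,
    # and the person entering the record may not approve it (separation of duties).
    if amount is not None and amount > APPROVAL_THRESHOLD and approved_by not in AUTHORIZED_APPROVERS:
        reasons.append("approval required for amount above threshold")
    if approved_by and approved_by == entered_by:
        reasons.append("entered_by cannot approve own transaction")
    return reasons


def process_batch(text):
    """Apply batch-level completeness and accuracy controls, then record-level
    controls; return accepted invoices and an exception report."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    if header[0] != "H" or len(header) != 5:
        raise ValueError("missing or malformed batch header")
    batch_id, declared_count, declared_total = header[1], int(header[3]), Decimal(header[4])
    records = [ln.split("|") for ln in lines[1:] if ln.startswith("T|")]
    actual_total = Decimal("0")
    for rec in records:
        try:
            actual_total += Decimal(rec[3])
        except (IndexError, InvalidOperation):
            pass  # a non-numeric amount is reported per record below
    accepted, exceptions = [], []
    for rec in records:
        ident = rec[1] if len(rec) > 1 else "?"
        reasons = validate_transaction(rec)
        if reasons:
            exceptions.append((ident, reasons))
        else:
            accepted.append(ident)
    return {
        "batch_id": batch_id,
        "completeness_ok": len(records) == declared_count,  # record count control
        "accuracy_ok": actual_total == declared_total,      # control total
        "accepted": accepted,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    report = process_batch(SAMPLE_BATCH)
    print(f"batch {report['batch_id']}: completeness={report['completeness_ok']} "
          f"accuracy={report['accuracy_ok']}")
    for ident, reasons in report["exceptions"]:
        print(f"  EXCEPTION {ident}: {'; '.join(reasons)}")
```

The batch-level controls catch records lost or altered between data entry and processing, which record-level validation alone cannot see; the exception report is what the auditor would test a sample of during compliance testing.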
17. J) EVALUATION OF BUSINESS RISKS
• Business risks are controlled and managed by implementing application
controls, so the primary duty of the auditor is to evaluate application controls to reduce
risk to a minimum.
• Two types of testing are done, i.e. compliance and substantive testing. Compliance
testing is done only for complex systems.
• Computer assisted tools and techniques help to conduct substantive testing to
evaluate whether the financial statements depict a true and fair picture.
• Audit Command Language (ACL) is used in general audit software, which offers
tools to understand the qualitative and quantitative features of data.
• It provides facilities like indexing, sorting, joining, setting relations, creating
output files, exporting files and extracting files.
• It also has a feature to create a command log, which keeps a check on the auditor,
improves the quality of the audit and also helps in systems audit.
18. K) CONVERSION AUDIT
• Data conversion in a software project provides the ability to convert data
from one database to another and from one application to another.
• A conversion audit is conducted to check the accuracy of such data
conversions.
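A conversion audit of the kind described above, as an added Python example that is not part of the original slides. It reconciles a legacy database against its converted copy on three levels: record counts, a control total of balances, and field-by-field comparison after normalizing each side to a common representation. Both databases are constructed in memory with sqlite3, and the target deliberately contains two conversion defects (a lost row and a mangled name) so the report has something to find.

```python
import sqlite3
from decimal import Decimal


def build_sample_databases():
    """Constructed legacy (source) and new (target) databases for the example.
    The target deliberately contains conversion defects for the audit to find."""
    src = sqlite3.connect(":memory:")
    src.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance TEXT)")
    src.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Acme Ltd", "1,250.00"),   # legacy stores balances as formatted text
        (2, "Bolt & Co", "0.00"),
        (3, "Cédric SA", "99.99"),
        (4, "Delta GmbH", "10.50"),
    ])
    tgt = sqlite3.connect(":memory:")
    tgt.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance REAL)")
    tgt.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Acme Ltd", 1250.0),
        (2, "Bolt & Co", 0.0),
        (3, "Cedric SA", 99.99),       # accent lost during character-set conversion
        # id 4 was dropped by the conversion job
    ])
    return src, tgt


def load_source(conn):
    """Normalize source rows to {id: {"name": str, "balance": Decimal}}."""
    rows = conn.execute("SELECT id, name, balance FROM customers")
    return {i: {"name": n, "balance": Decimal(b.replace(",", ""))} for i, n, b in rows}


def load_target(conn):
    """Normalize target rows to the same shape; REAL balances are rounded to cents."""
    rows = conn.execute("SELECT id, name, balance FROM customers")
    return {i: {"name": n, "balance": Decimal(str(b)).quantize(Decimal("0.01"))}
            for i, n, b in rows}


def conversion_audit(src_conn, tgt_conn):
    """Reconcile record counts, control totals and individual field values."""
    src, tgt = load_source(src_conn), load_target(tgt_conn)
    mismatches = []
    for key in sorted(src.keys() & tgt.keys()):
        for field in ("name", "balance"):
            if src[key][field] != tgt[key][field]:
                mismatches.append((key, field, str(src[key][field]), str(tgt[key][field])))
    report = {
        "source_count": len(src),
        "target_count": len(tgt),
        "source_total": str(sum(r["balance"] for r in src.values())),
        "target_total": str(sum(r["balance"] for r in tgt.values())),
        "missing_in_target": sorted(src.keys() - tgt.keys()),
        "extra_in_target": sorted(tgt.keys() - src.keys()),
        "field_mismatches": mismatches,
    }
    report["passed"] = (
        report["source_count"] == report["target_count"]
        and report["source_total"] == report["target_total"]
        and not report["missing_in_target"]
        and not report["extra_in_target"]
        and not mismatches
    )
    return report


if __name__ == "__main__":
    source, target = build_sample_databases()
    for k, v in conversion_audit(source, target).items():
        print(f"{k}: {v}")
```

Counts and control totals are cheap and catch gross loss; the per-field comparison is what catches the silent corruption (encoding, rounding, truncation) that leaves totals intact.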
19. RISK BASED AUDIT FRAMEWORK
• It assists managers in meeting the Policy on Transfer Payments (PTP) risk
related requirements that support the government's direction towards more
systematic and corporate management of risk in the design and delivery
of programs.
• Planning for incorporating risks in the initial stages:
• the type of transfer payment should be determined by departmental
mandate, business lines, clients etc.
• it is a government policy to manage transfer payments in a manner
that is sensitive to risks, complexity, accountability for results and
economical use of resources.
• the department must develop a risk based audit framework for auditing of
risks.
20. • The Treasury Board Secretariat (TBS) acknowledged the importance and
benefit of systematic risk management as a strategic investment in the
attainment of overall business objectives and the demonstration of good
governance.
• The Integrated Risk Management Framework strengthens accountability by
demonstrating that levels of risk are explicitly understood.
• Active monitoring policy, which requires that departments must
actively monitor their management practices and controls using a risk
based approach.
21. RBAF
• It is a management document that explains how risk concepts are integrated
into the strategies and approaches used for managing programs that are funded
through transfer payments.
• RBAF provides:
• background and profile information on the transfer payment program, including the key
areas of risk that the program faces.
• understanding of the specific risks that may influence the achievement of the transfer
payment program's objectives
• description of existing measures and strategies for managing specific risks
• explanation of monitoring, recipient auditing, internal auditing and reporting
practices and procedures
22. NEED OF RBAF
• Transfer payment programs operate in an environment that includes
numerous interconnections, global organizations, governance requirements,
authorities, and various risk drivers.
• RBAF enhances managers' and employees' understanding and communication
of risk and related mitigation options.
• strengthens accountability for achieving objectives over public funds
• facilitates managers' achievement of government-wide requirements
• provides a basis upon which to create contingency plans
• helps to secure funding for new or renewed programs
• enhances information for decision making
23. DEVELOPMENT AND IMPLEMENTATION OF RBAF
• Key parties involved in the development and implementation of RBAF:
• Managers of the program, to ensure the framework reflects an accurate analysis of
potential risks to achieving objectives as well as monitoring and reporting
strategies.
• Internal Audit and program staff provide expert advice and technical
support to identify, assess and monitor risk.
• Evaluation staff provide knowledge and expertise in recognition of the
potential for overlap between RBAF and RMAF.
• TBS program analysts and Center for Excellence for Internal Audit analysts
provide advice during preparation of the program.
• Delivery partners, codewriters, etc.
24. PLANNING AND PREPARING RBAF
• Uncomplicated programs with low materiality and a straightforward
accountability and risk management environment would require a less detailed
RBAF.
• High priority and complex programs with significant materiality and a
diversified and complex environment require a more detailed RBAF and a larger
investment of time and effort.
• Meaningful information should be provided in each section of the RBAF.
25. ROLES, RESPONSIBILITIES AND RELATIONSHIPS
• Purpose: it should clearly delegate the respective roles and responsibilities of
management and IA with terms and conditions for monitoring, auditing and RBAF
requirements.
• Process: the PTP and the guide on grants, contributions and other transfer payments
delegate the roles and responsibilities of management and IA.
• Management: responsible for ongoing financial and operational monitoring
and audit of recipients, including whether results data is reliable.
• Internal Audit: to employ risk based methodologies in planning and
conducting audits to provide assurance on the adequacy of integrated risk management
practices, management control frameworks and information used for decision making and
reporting on achievement of overall objectives.
• Product: statement of roles and responsibilities between management, IA
and recipients.
26. PROGRAM PROFILE
• Purpose: should provide context and the key areas of inherent risk that
evolve from the transfer payment program's objectives and environment.
• Process: should be developed with reference to the organization's
outcomes and design information that has been compiled during recent
business planning and the development of the RMAF.
• Product: needs of the program, target population, resources, product groups,
delivery mechanisms and governance structure.
27. RISK IDENTIFICATION, ASSESSMENT AND MGMT
SUMMARY
• Key risks should be identified and assessed, and the associated measures implemented.
• Purpose: ensure an explicit understanding of the level of key risks and of the controls that
reduce this risk.
• Process: it requires input from a team of managers and knowledgeable staff within the program
area or functional groups.
• Preparation steps:
• consider who should participate
• clearly define risk
• establish the time horizon
• customize the risk matrix
• consider other tool requirements.
28. Process Steps
• understand objectives: objectives with reference to outcomes
• risk identification: conduct a preliminary analysis of the risk level of
each area to select areas for further analysis
• risk assessment: analyze the risk areas selected for further analysis,
taking existing preventive measures into account
• risk response: decide strategies to avoid, transfer, share, accept and
manage the risk
29. Process steps
• Key risk summaries include the following:
• methodologies section: risk definition and model
• brief description: process steps
• identification of involved teams
• risk matrix: levels of impact and likelihood
• key areas: overall risk context of the program and strategies
30. PROGRAM MONITORING AND RECIPIENT
AUDITING
• Purpose: to provide a description of the monitoring and recipient auditing
practices undertaken by management.
• Process: objectives to meet:
• achievement of established outcomes
• risks to achieving outcomes
• determining eligibility of recipients and expenditure of funds
• efficient, effective and economical use of resources
• whether or not the program is administered in accordance with its terms and conditions at all
stages of the transfer payment life cycle
31. INTERNAL AUDITING
• Purpose: provide valuable assistance to management by providing assurance
as to the soundness of risk management strategy and practices, the management control
framework and practices, and the information being used for decision making and
reporting.
• Process: uses the same risk assessment methodology as recipient audit
risk.
• Indicate the results of audits performed and details of future plans, with
expected costs.
• Product: description of results, audit objectives assessed, scope,
timing and expected cost for future plans, and a description of the audit risk
assessment methodology.
32. PLANNING OF MANAGING IS AUDIT FUNCTION
• Once the need for a new system has been identified, plans must be
developed to ensure that the new system can be successfully
integrated with business processes and that it provides an
acceptable return on investment for the organization.
• Effective project management is essential if systems are to be produced that
correctly fulfill the requirements of their users without exceeding constraints of
time and budget.
33. PLANNING OF MANAGING IS AUDIT FUNCTION
• Requirements:
• inbound logistics: receiving, warehousing and inventory control of
input materials.
• operations: value creating activities that transform inputs into the final
product
• outbound logistics: activities required to get the finished product to the customer,
including warehousing and order fulfillment
• marketing and sales: activities associated with getting buyers to
purchase the product, including channel selection, advertising and pricing
• service: activities that maintain and enhance the product's value, including
customer support and repair services
34. ZACHMAN FRAMEWORK
• Zachman developed it for the most systematic delivery of IS.
• Perspectives:
• Data: what data entities need to be captured and what are the relationships between
them
• Function: which functions need to be addressed and which arguments does
each function have
• Network: which nodes need to be supported and what links exist between
them
• People: who are our agents and what are their tasks or work
• Time: when do things happen and to which cycles do they conform
• Motivation: what are the ends or goals and by what means will we get there?
35. STRATEGIC IMPORTANCE GRID
• Looks at the entire IS portfolio of the organization, i.e. all the systems currently
in operation as well as the future systems currently under
development or being planned.
• Assesses whether a significant portion of an organization's systems is of a
strategic nature and classifies the organization accordingly into one of 4
possible categories on the IS strategic importance grid.
• Assesses the importance of IS strategic planning in the overall strategic business plan.
• Useful in strategic competitor analysis or in significant shifts in budget.
36. IS PLANNING
• The components of IS need to be successfully integrated in order to
provide the right information at the right place and time.
• So an IS architecture is needed to define the IS resources that will be used to
support the business strategy and the standards that should be adhered to in order
to ensure compatibility within the system.
• Planning needs to identify the application needs of the business and the business goals.
• Alternative software products need to be evaluated; the hardware
and OS should also be appropriate.
• It includes technical support, estimation of operating costs and the financing
method.
37. COST BENEFIT ANALYSIS
• Used to assess and prioritize new system development projects by
measuring the financial impact of the proposed system.
• Tangible benefits include reduced inventory and admin cost, higher
processing volume, reduction of bad debts and improved cash flow.
• Intangible benefits include customer satisfaction and better decision
making.
• Costs include development cost, equipment cost and operating cost.
38. SOFTWARE ACQUISITION OPTIONS
• In-house development: develop and support computer systems to
support the company's strategic goals.
• Outsourcing: purchasing of services, ASP
• End-user computing: training and assistance to users
• Project management: planning, allocation, scheduling and review
• Organizing of the MIS audit function with the help of activity analysis and
decision analysis
• Also creating departmentation and delegation of authority.
39. CONTROLLING MIS AUDIT FUNCTION
• Purpose of control:
• to regulate the process to achieve goals, objectives and targets
• control is exercised through the system by comparing performance
• it should work on the principle of feedback
• corrective action is to be taken in time
• it gives advance warning about the occurrence of deviations in the system
• auditing is a tool of control
• control tools: planning, budgets, financial, risk analysis, PERT/CPM
40. BENEFITS OF IS AUDIT FOR ORGANIZATION
• mapping business controls with IT applications
• business process reengineering
• IT security policy
• security awareness
• better return on investment
• risk management