The Concepts of an Audit

Author: Drusilla Cook
Erasmus Universiteit Rotterdam. Postdoctorale opleidingen.

The Concepts of an Audit
Audit and Certification in Digital Preservation
April 14 – 16, 2004, Antwerpen

J. Pasmooij RE RA RO
Manager ICT Knowledge Center, Royal NIVRA, Amsterdam
Program Manager postgraduate IT-auditing curriculum, Erasmus University, Rotterdam

April 14, 2004 / 1 Erasmus Universiteit Rotterdam


Agenda
• The objectives of an audit
• The elements of an audit
• Examples of audits


The objective of an audit
For the responsible party, the objective of an audit is to prove compliance with legal and/or contractual terms, or suitable criteria.


The objective of an audit
For an (intended) user, the objective of an audit is to learn more about the quality of the subject matter, or about compliance with legal and/or contractual terms or suitable criteria.


The objective of an audit
For a professional auditor, the objective of an audit is to evaluate or measure a subject matter that is the responsibility of another party against identified suitable criteria, and to express a conclusion (opinion) with a level of assurance about the subject matter for the intended user.


The elements of an audit
• Kind of audit / assurance engagements
• A three party relationship
• The subject matter
• The scope of the audit
• Suitable criteria
• The audit process
• The report


Kind of audit engagements
• Attest (audit relates to a report or written assertion by the responsible party)
• Direct reporting (audit relates directly to the subject matter)
• A broad range of subject matters
• To provide high or moderate levels of assurance
• To report internally and/or externally
• Within the private or public sector

The auditor
• The auditor has to observe:
  – Integrity
  – Objectivity
  – Independence
  – Professional competence and due care
  – Confidentiality
  – Professional behavior
  – Application of technical standards
• The auditor should be a member of a respected institute or organization with:
  – quality control policies and procedures
  – disciplinary rules
  – a code of ethics
  – auditing standards


The subject matter
May be:
• A report / a management assertion (data / information)
• A system (infrastructure / software)
• A process (organization / people / procedures)
• A strategy / policy
• Behavior


The scope of the audit
• Design (point in time)
• Design and operating (covering a period of time)
• Focusing on specific criteria (for example):
  – Compliance with ……
  – Integrity
  – Exclusivity / Confidentiality
  – Continuity / Availability
  – Auditability / Controllability
  – Effectiveness
  – Efficiency


Suitable criteria
• Criteria are the standards / requirements used to evaluate or measure the subject matter
• Suitable criteria are context-sensitive
• Criteria are suitable when they are:
  – Relevant
  – Reliable
  – Neutral objective
  – Understandable
  – Complete
  – Generally accepted
  – Unequivocal


The audit process
• Pre-audit
  – Preliminary investigation
  – Assignment process
• Performing the audit
  – Initial investigation
  – Determining the Soll-position (the required situation)
  – Determining the Ist-position (collecting evidence)
  – Evaluating Soll versus Ist
  – Evaluating and forming an opinion
• Completion
  – Reporting
  – Evaluating the audit


The report
• The auditor’s report should contain a clear expression of the auditor’s opinion about a subject matter based on the identified suitable criteria and the evidence obtained in the course of the audit engagement.
• The form of conclusion to be expressed by the auditor is determined by the nature of the subject matter and the agreed objective of the engagement and is designed to meet the needs of the intended user of the report of the auditor.


The report
The auditor’s report should include:
• Title
• An addressee
• A description of the engagement and identification of the subject matter
• A statement to identify the responsible party and describe the auditor’s responsibilities
• When the report is for restricted purposes, identification of the parties concerned
• Identification of the auditing standards
• Identification of the criteria
• The auditor’s conclusion (opinion), including any reservations or denial of a conclusion
• The report date
• The name of the auditor


Examples of audits
• Financial audit
• IT-audits
• Operational audits
• Compliance
• Sarbanes Oxley
• Audits based on ISO-standards (security, digital signatures).
