
BSAC 117
COMPUTER AUDIT
CLASS ACTIVITY-ASSIGNMENT

Rainbow Paint Company, a medium-sized manufacturing firm, has no internal auditing department. It recently hired a new accounting firm to perform the external audit.

REQUIRED:

Create an AUDIT PROGRAM to examine the following IT controls: (1) operating system controls; (2) IT organizational structure controls; (3) data management controls; (4) system development controls; (5) system maintenance controls; (6) computer center security and controls; (7) intranet and internet controls; (8) EDI (Electronic Data Interchange) controls; and (9) IT application controls. Include in your plan the audit objectives, exposures, necessary controls, and tests of controls. Also, be sure to include any documentation the auditors should request.

PRESCRIBED FORMAT

(1) OPERATING SYSTEMS CONTROLS

AUDIT OBJECTIVES:
1. To verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with organizational policy.

AUDIT EXPOSURES/RISKS:
● Unauthorized access to systems, applications, data files, or a network server.
● Virus infestation.

NECESSARY CONTROLS:
● Password controls
● Virus controls

AUDIT PROCEDURES (TESTS OF CONTROLS):
● Review the organization's policies for separating incompatible functions and ensure that they promote reasonable security.
● Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions. Verify that individuals are granted access to data and programs based on their need to know.
REFERENCES:

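The second test of controls above (comparing granted privileges with job descriptions and the separation of incompatible functions) is usually done over a directory or OS group extract rather than by hand. The script below is an added example of that comparison, not part of the assignment or of any real audit program: the role-to-entitlement matrix, the segregation-of-duties conflict pairs and the user extract are constructed sample data, and the function names are the example's own.

```python
"""Added example for section (1): a scripted test of control that compares the
access rights actually granted on the operating system with each employee's
job role and with a segregation-of-duties (SoD) matrix. Illustrative code
added to the assignment, not Rainbow Paint Company's data; the roles, groups,
users and conflict pairs are constructed sample data."""

# Role-to-entitlement matrix obtained from the access policy (constructed).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"ap_entry"},
    "ap_supervisor": {"ap_approve", "ap_entry_view"},
    "developer": {"dev_source", "test_env"},
    "sysadmin": {"os_admin", "backup_operator"},
}

# Pairs of entitlements that one person must not hold together (constructed).
SOD_CONFLICTS = [
    ("ap_entry", "ap_approve"),     # enter and approve the same invoices
    ("dev_source", "prod_deploy"),  # change programs and move them to production
    ("os_admin", "dev_source"),     # administer the OS and modify application code
]

# Extract of group membership as pulled from the OS or directory (constructed).
USERS = [
    {"user": "alice", "role": "ap_clerk",
     "groups": {"ap_entry"}},
    {"user": "bob", "role": "ap_supervisor",
     "groups": {"ap_approve", "ap_entry_view", "ap_entry"}},
    {"user": "carol", "role": "developer",
     "groups": {"dev_source", "test_env", "prod_deploy"}},
    {"user": "dave", "role": "sysadmin",
     "groups": {"os_admin", "backup_operator"}},
]


def excess_rights(user):
    """Entitlements held beyond the user's role (need-to-know test).
    A role missing from the matrix is treated as permitting nothing, so every
    right held by such a user is reported."""
    return user["groups"] - ROLE_ENTITLEMENTS.get(user["role"], set())


def sod_violations(user):
    """Incompatible entitlement pairs held by a single user."""
    held = user["groups"]
    return [pair for pair in SOD_CONFLICTS if pair[0] in held and pair[1] in held]


def review_access(users):
    """Return one finding per user whose rights exceed the role or break SoD."""
    findings = []
    for u in users:
        extra = excess_rights(u)
        conflicts = sod_violations(u)
        if extra or conflicts:
            findings.append({"user": u["user"],
                             "excess": sorted(extra),
                             "sod": conflicts})
    return findings


if __name__ == "__main__":
    for finding in review_access(USERS):
        print(finding)
```

In the sample data the review flags bob (an AP supervisor who can both enter and approve invoices) and carol (a developer who can also deploy to production); a user whose role is not in the matrix at all is reported with every right held, which is the conservative outcome an auditor wants when the policy documentation is incomplete.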
(2) IT ORGANIZATIONAL STRUCTURE CONTROLS

AUDIT OBJECTIVES:
1. To specify the work to be done and how to do it, given the firm's specific strategy or strategies.
2. To ensure accurate and reliable operating data and accounting reports.
3. To ensure compliance with company policies and federal law.

AUDIT EXPOSURES/RISKS:
● Theft
● Waste of assets

NECESSARY CONTROLS:
● Segregation of employee duties
● Assignment of specific duties to each employee
● Rotation of employee job assignments
● Record keeping

AUDIT PROCEDURES (TESTS OF CONTROLS):
● Examine the risks associated with each objective; identifying them allows management to develop the means to control these risks.
● Verify that management has implemented procedures that employees must follow, and that the procedures are documented and enforced.
REFERENCES: https://courses.lumenlearning.com/suny-finaccounting/chapter/internal-control-structure/

(3) DATA MANAGEMENT CONTROLS

AUDIT OBJECTIVES:
1. To protect the security and integrity of the database.

AUDIT EXPOSURES/RISKS:
● Unauthorized access
● Altering or destroying data in the database

NECESSARY CONTROLS:
● Adequate backup
● Login procedures, passwords, security tokens, biometric controls, firewalls, encryption, intrusion detection, and vulnerability assessment

AUDIT PROCEDURES (TESTS OF CONTROLS):
● Review the security and privacy provisions and the projects launched to fill any gaps, including analysis, coordinated response, reporting, and informing impacted individuals.
REFERENCES: https://www.oreilly.com/library/view/accounting-information-systems/9781118162309/c13-25.html

(4) SYSTEM DEVELOPMENT CONTROLS

AUDIT OBJECTIVES:
1. To implement a system successfully it is necessary to ensure that the design of the system is in accordance with the business.

AUDIT EXPOSURES/RISKS:
● Incompatibility of user and developer

NECESSARY CONTROLS:
● Segregation of duties should ensure that an employee involved in the development of a system is not usually involved in testing the system.

AUDIT PROCEDURES (TESTS OF CONTROLS):
● Verify that the work necessary to complete the project has been captured and scheduled, and that development and testing are assigned to different people.
REFERENCES: http://www.opentextbooks.org.hk/ditatopic/25324
https://courses.lumenlearning.com/computerapps/chapter/reading-2/

(5) SYSTEM MAINTENANCE CONTROLS

AUDIT OBJECTIVES:
1. To establish, implement, and maintain a system maintenance policy.

AUDIT EXPOSURES/RISKS:
● Leverage of employees

NECESSARY CONTROLS:
● Regular inspection

AUDIT PROCEDURES (TESTS OF CONTROLS):
● Review maintenance records on a regular basis to verify configuration settings, evaluate password strengths, and assess activities performed on the server.
● Verify that support services are arranged through appropriate maintenance agreements or with qualified technical support staff.
REFERENCES: http://eitbokwiki.org/Maintenance_and_Control#Control

(6) COMPUTER CENTER SECURITY AND CONTROLS

AUDIT OBJECTIVES:
1. To verify that the computer center is protected against fire, earthquake and other calamities, and that physical access to it is restricted to authorized employees in accordance with organizational policy.

AUDIT EXPOSURES/RISKS:
● Fire/earthquake/calamity
● Unauthorized access

NECESSARY CONTROLS:
● Prevent and detect threats to the computer center
● Effective fire suppression system
● Restriction to authorized employees

AUDIT PROCEDURES (TESTS OF CONTROLS):
● Verify that fire detection and suppression equipment, both manual and automatic, is installed and tested.
● Verify that a strict entry procedure is implemented and followed.
REFERENCES: https://www.nap.edu/read/1581/chapter/4#56

(7) INTRANET AND INTERNET CONTROLS

AUDIT OBJECTIVES:
1. To limit access and prevent hackers and other network break-ins.

AUDIT EXPOSURES/RISKS:
● Unauthorized access to information
● Unauthorized changes to information
● Malicious destruction of information or processes

NECESSARY CONTROLS:
● Authentication
● Restriction by user name and password
● Restriction by IP address, subnet or domain
● Encryption using public key cryptography
● Firewalls
● Packet filtering
● Proxy server gateways

AUDIT PROCEDURES (TESTS OF CONTROLS):
● Verify that each user's identity is established before access is granted: the user is authenticated through a challenge/response dialogue, often taking the form of a username/password exchange.
REFERENCES: https://www.oreilly.com/library/view/accounting-information-systems/9781118162309/c14-21.html

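Two of the controls listed under (7), restriction by IP address or subnet and packet filtering, are tested by reading the filter's rule set and checking what it actually does for a set of connection attempts rather than what the administrator believes it does. The following is an added example of such a test, not part of the assignment or of any real firewall product: it evaluates a small first-match rule set (with an implicit final deny) and also reports rules that can never fire because an earlier rule shadows them. The rules, addresses and ports are constructed for illustration.

```python
"""Added example for section (7): evaluating a first-match packet-filter rule
set of the kind listed under Necessary Controls (restriction by IP address or
subnet, packet filtering), so the auditor can test that only the intended
sources reach each service and that anything unmatched is denied. The rules,
addresses and ports are constructed for illustration, not the firm's real
configuration."""

import ipaddress

# (action, source network, destination port, protocol), evaluated top-down.
RULES = [
    ("allow", "10.10.0.0/16", 443, "tcp"),    # intranet users -> internal web app
    ("allow", "10.10.5.0/24", 22, "tcp"),     # admin subnet -> SSH
    ("deny",  "0.0.0.0/0", 22, "tcp"),        # SSH from anywhere else blocked
    ("allow", "0.0.0.0/0", 443, "tcp"),       # internet -> public HTTPS
    ("allow", "192.168.1.0/24", 22, "tcp"),   # vendor SSH, added later (never matches)
]
DEFAULT_ACTION = "deny"   # implicit final rule: deny anything not listed


def evaluate(src_ip, dst_port, proto="tcp", rules=RULES):
    """Return the action the filter takes for one connection attempt."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port, p in rules:
        if p == proto and port == dst_port and src in ipaddress.ip_network(net):
            return action
    return DEFAULT_ACTION


def shadowed_rules(rules=RULES):
    """Find rules that can never fire because an earlier rule for the same
    port and protocol already covers their whole source network. Returns
    (shadowed_index, shadowing_index) pairs; each is an audit finding, since
    the rule's stated intent is not what the filter actually enforces."""
    found = []
    for i, (_, net, port, p) in enumerate(rules):
        for j in range(i):
            _, net2, port2, p2 = rules[j]
            if (p2 == p and port2 == port and
                    ipaddress.ip_network(net).subnet_of(ipaddress.ip_network(net2))):
                found.append((i, j))
                break
    return found


if __name__ == "__main__":
    for src, port in [("10.10.5.7", 22), ("10.10.9.7", 22),
                      ("203.0.113.5", 443), ("203.0.113.5", 3389),
                      ("192.168.1.10", 22)]:
        print(src, port, "->", evaluate(src, port))
    print("shadowed rules:", shadowed_rules())
```

Running it shows SSH allowed only from the admin subnet and everything unlisted denied, and it reports rule 4 as shadowed by rule 2: the vendor access the administrator thinks is open is in fact blocked, which is exactly the kind of discrepancy between documented and effective configuration the test of controls is meant to surface.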
(8) EDI CONTROLS

AUDIT OBJECTIVES:
1. To verify that EDI transactions, which eliminate paper and the related audit trails by allowing transactions to be processed at high speed without human intervention, are properly controlled.

AUDIT EXPOSURES/RISKS:
● Errors in programming and data input

NECESSARY CONTROLS:
● Review transmissions for fraudulent activity
● Monitor the status of each interface

AUDIT PROCEDURES (TESTS OF CONTROLS):
● Verify that passwords and authority tables control access to the EDI files and that the data are encrypted.
REFERENCES: https://www.semanticscholar.org/paper/The-Impact-of-EDI-Controls-on-EDI-Implementation-Lee-Han/661ef14125e248e2c82c19a8ac1c4e386c9f0cfa

(9) IT APPLICATION CONTROLS

AUDIT OBJECTIVES:
1. To ensure that all transactions (or data) entered into the computer system are accurate, have been authorized and recorded, are complete and input only once, and have been properly converted into machine-readable format.

AUDIT EXPOSURES/RISKS:
● Unknown and unwanted applications in your network
● Unauthorized application
● Exploits of unpatched OS and third-party application vulnerabilities

NECESSARY CONTROLS:
● Completeness checks
● Validity checks
● Identification
● Authentication
● Authorization
● Input controls
● Forensic controls

AUDIT PROCEDURES (TESTS OF CONTROLS):
● Test that the input controls reject incomplete, invalid, unauthorized and duplicate transactions, and ensure proper coverage and the confidentiality, integrity, and availability of the application and its associated data.
REFERENCES:
https://wps.prenhall.com/wps/media/objects/14071/14409392/Learning_Tracks/Ess10_Ch07_LT4_General_and_Application_Controls_for_Information_Systems.pdf
https://www.whitehatsec.com/glossary/content/application-controls

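The objective under (9) lists the properties an input control has to enforce: accurate, authorized, complete, input only once. The script below is an added example, not part of the assignment or of any accounting package, of what those completeness, validity, authorization and one-time-entry checks look like when applied to a batch of sales transactions, together with batch control totals (record count and amount total) that show the batch arrived complete. The customer master file, approval threshold, approver table and transactions are constructed sample data.

```python
"""Added example for section (9): application input controls applied to a
batch of sales transactions before they are accepted into the accounting
system: completeness, validity, authorization and "input only once" checks on
each record, plus batch control totals to show the batch arrived complete.
Illustrative code added to the assignment; the master file, approval
threshold, approvers and transactions are constructed sample data."""

from datetime import date

REQUIRED_FIELDS = ("txn_id", "customer_id", "amount", "date", "entered_by")
CUSTOMER_MASTER = {"C001", "C002", "C003"}   # constructed customer master file
APPROVAL_THRESHOLD = 5000.00                 # assumed policy: larger amounts need sign-off
VALID_APPROVERS = {"sup01", "sup02"}         # constructed authority table


def parse_amount(value):
    """Return the amount as a float, or None if it is not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def check_record(rec, seen_ids):
    """Return the list of control failures for one record ([] means accept).
    seen_ids is shared across the batch so re-keyed duplicates are caught."""
    errors = []
    # Completeness check: every required field present and non-empty.
    for field in REQUIRED_FIELDS:
        if not rec.get(field):
            errors.append(f"missing {field}")
    # Validity checks: customer exists, amount numeric and positive, date parses.
    if rec.get("customer_id") and rec["customer_id"] not in CUSTOMER_MASTER:
        errors.append("customer not in master file")
    amount = parse_amount(rec.get("amount"))
    if rec.get("amount") and amount is None:
        errors.append("amount not numeric")
    elif amount is not None and amount <= 0:
        errors.append("amount not positive")
    if rec.get("date"):
        try:
            date.fromisoformat(rec["date"])
        except ValueError:
            errors.append("invalid date")
    # Authorization check: amounts over the threshold need a valid approver.
    if (amount is not None and amount > APPROVAL_THRESHOLD
            and rec.get("approved_by") not in VALID_APPROVERS):
        errors.append("amount over threshold without valid approval")
    # Input-only-once check: a transaction id may appear once in the batch.
    txn_id = rec.get("txn_id")
    if txn_id:
        if txn_id in seen_ids:
            errors.append("duplicate txn_id")
        seen_ids.add(txn_id)
    return errors


def validate_batch(records, control_count, control_total):
    """Apply record-level checks and compare record count and amount total
    with the control figures supplied on the batch header."""
    seen_ids = set()
    accepted, rejected = [], []
    for rec in records:
        errors = check_record(rec, seen_ids)
        if errors:
            rejected.append((rec.get("txn_id"), errors))
        else:
            accepted.append(rec)
    amounts = [parse_amount(r.get("amount")) for r in records]
    actual_total = sum(a for a in amounts if a is not None)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "count_ok": len(records) == control_count,
        "total_ok": abs(actual_total - control_total) < 0.005,
    }


# Constructed sample batch; its header claims 6 records totalling 10650.00.
SAMPLE_BATCH = [
    {"txn_id": "T100", "customer_id": "C001", "amount": "1200.00",
     "date": "2024-03-04", "entered_by": "u1"},
    {"txn_id": "T101", "customer_id": "C009", "amount": "300.00",
     "date": "2024-03-04", "entered_by": "u1"},
    {"txn_id": "T102", "customer_id": "C002", "amount": "7500.00",
     "date": "2024-03-05", "entered_by": "u2", "approved_by": "sup01"},
    {"txn_id": "T103", "customer_id": "C003", "amount": "abc",
     "date": "2024-03-05", "entered_by": "u2"},
    {"txn_id": "T100", "customer_id": "C001", "amount": "1200.00",
     "date": "2024-03-04", "entered_by": "u1"},      # re-keyed duplicate
    {"txn_id": "T104", "customer_id": "C003", "amount": "450.00",
     "entered_by": "u3"},                           # date missing
]

if __name__ == "__main__":
    result = validate_batch(SAMPLE_BATCH, control_count=6, control_total=10650.00)
    print("accepted:", [r["txn_id"] for r in result["accepted"]])
    for txn_id, errors in result["rejected"]:
        print("rejected", txn_id, errors)
    print("count ok:", result["count_ok"], "total ok:", result["total_ok"])
```

Only T100 and T102 are accepted; the others fail one check each (unknown customer, non-numeric amount, duplicate id, missing date), and the batch totals still agree with the header because the duplicate was keyed with the same amount, which is why the record-level one-time-entry check is needed in addition to control totals.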