Professional Documents
Culture Documents
Auditing IT
Controls Part I:
Sarbanes-
Oxley and IT
Governance
Learning Objectives
• Be familiar with the structure of a financial audit and the role of the
IT audit component.
• Understand the key features of Sections 302 and 404 of the
Sarbanes-Oxley Act.
• Understand management and auditor responsibilities under
Sections 302 and 404.
• Understand the risks of incompatible functions and how to
structure the IT function.
• Be familiar with the controls and precautions required to ensure
the security of an organization’s computer facilities.
• Understand the key elements of a disaster recovery plan.
• Be familiar with the benefits, risks, and audit issues related to IT
outsourcing.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 2
1
Overview of Auditing
• An external audit is an independent attestation performed
by an expert—the auditor—who expresses an opinion
regarding the presentation of financial statements.
• The CPA’s role is to collect and evaluate evidence and
thus render an opinion.
• External auditors follow strict rules in conducting financial
audits.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 3
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 4
2
Generally Accepted Auditing Standards
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 5
AUDITING STANDARDS
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 6
3
Structure of an Audit
• Conducting an audit is a systematic and logical process
that consists of three conceptual phases:
1. Audit planning
2. Tests of controls
3. Substantive testing
• An IT audit involves the review of the computer-based
components of an organization. The audit is often
performed as part of a broader financial audit.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 7
AUDIT PLANNING
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 8
4
AUDIT PLANNING (continued)
• Substantive Testing
• Substantive tests are tests that determine whether database
contents fairly reflect the organization’s transactions.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 9
Phases of an Audit
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 10
10
5
MANAGEMENT ASSERTIONS
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 11
11
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 12
12
6
AUDIT RISK
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 13
13
• Detection Risk
• Detection risk (DR) is risk that auditors are willing to take that
errors not detected or prevented by the control structure will
also not be detected by the auditor.
• Audit Risk Model
• The audit report includes an opinion on the fair presentation
of the financial statements and an opinion on the quality of
internal controls over financial reporting.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 14
14
7
Overview of SOX Sections 302 and 404
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 15
15
16
8
AUDIT IMPLICATIONS OF SECTIONS 302
AND 404
• Computer fraud is the theft, misuse, or misappropriation
of assets by altering computer-readable records and files,
or by altering the logic of computer software; the illegal
use of computer-readable information; or the intentional
destruction of computer software or hardware.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 17
17
18
9
Information Technology Control Relationship
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 19
19
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 20
20
10
IT Governance Controls
• IT governance is a broad concept relating to the decision
rights and accountability for encouraging desirable
behavior in the use of IT.
• Not all elements of IT governance relate specifically to
control issues that SOX addresses and that are outlined in
the COSO framework.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 21
21
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 22
22
11
SEGREGATION OF DUTIES WITHIN THE
CENTRALIZED FIRM
• Separating Systems Development from Computer
Operations
• Separating the Database Administrator from Other
Functions
• User views are sets of data that a particular user needs to
achieve his or her assigned tasks.
• SEPARATING THE DBA FROM SYSTEMS DEVELOPMENT:
Access controls are controls that ensure that only authorized
personnel have access to the firm’s assets.
• Separating New Systems Development from Maintenance
• INADEQUATE DOCUMENTATION
• PROGRAM FRAUD
• A Superior Structure for Systems Development
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 23
23
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 24
24
12
Alternative Organization of Systems
Development
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 25
25
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 26
26
13
THE DISTRIBUTED MODEL (continued)
• Disadvantages of DDP
• MISMANAGEMENT OF ORGANIZATION-WIDE
RESOURCES
• HARDWARE AND SOFTWARE INCOMPATIBILITY
• REDUNDANT TASKS
• CONSOLIDATING INCOMPATIBLE ACTIVITIES
• HIRING QUALIFIED PROFESSIONALS
• LACK OF STANDARDS
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 27
27
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 28
28
14
CREATING A CORPORATE IT FUNCTION
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 29
29
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 30
30
15
AUDIT OBJECTIVES RELATING TO
ORGANIZATIONAL STRUCTURE
• The auditor’s objective is to ascertain whether individuals
serving in incompatible areas are segregated in
accordance with an acceptable level of risk and in a
manner that promotes an effective working environment.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 31
31
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 32
32
16
Computer Center Security and Controls
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 33
33
• Physical Location
• Construction
• Access
• Air Conditioning
• Fire Suppression
• Fault Tolerance Controls
• Fault tolerance is the ability of the system to continue
operation when part of the system fails because of hardware
failure, application program error, or operator error.
• Audit Objectives Relating to Computer Center Security
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 34
34
17
COMPUTER CENTER CONTROLS
(continued)
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 35
35
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 36
36
18
PROVIDING SECOND-SITE BACKUP
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 37
37
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 38
38
19
PERFORMING BACKUP AND OFF-SITE
STORAGE PROCEDURES
• Backup Data Files
• Backup Documentation
• Backup Supplies and Source Documents
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 39
39
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 40
40
20
Disaster Recovery Team
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 41
41
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 42
42
21
AUDIT OBJECTIVE: ASSESSING DISASTER
RECOVERY PLANNING
• The auditor should verify that management’s disaster
recovery plan is adequate and feasible for dealing with a
catastrophe that could deprive the organization of its
computing resources.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 43
43
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 44
44
22
Outsourcing the IT Function
• IT outsourcing is the contracting with a third-party vendor to
take over the costs, risks, and responsibilities associated
with maintaining an effective corporate IT function, including
management of IT assets and staff and delivery of IT
services such as data entry, data center operations,
applications development, applications maintenance, and
network management.
• Core competency theory is the theory underlying
outsourcing that posits an organization should focus
exclusively on its core business competencies while allowing
outsourcing vendors to manage non-core areas such as IT
functions efficiently.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 45
45
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 46
46
23
RISKS INHERENT TO IT OUTSOURCING
• Failure to Perform
• Vendor Exploitation of Clients
• Outsourcing Costs Exceed Benefits
• Reduced Security
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 47
47
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 48
48
24
AUDIT IMPLICATIONS OF IT
OUTSOURCING
• The PCAOB specifically states in its Auditing Standard
No. 2 that the use of a service organization does not
reduce management’s responsibility to maintain effective
internal control over financial reporting.
• Statement on Standards for Attestation Engagements
No. 16 (SSAE 16) is an internationally recognized third-
party attestation report designed for service organizations
such as IT outsourcing vendors.
• SSAE 16 is the definitive standard by which client
organizations’ auditors can determine whether processes
and controls at the third-party vendor are adequate to
prevent or detect material errors that could impact the
client’s financial statements.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 49
49
SSAE 16 Reporting
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 50
50
25
SSAE 16 REPORT CONTENTS
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 51
51
26