AUDITING IN A CIS

ENVIRONMENT
OVERVIEW OF
AUDITING
MODULE 1

MELBA C. MATULA, CPA, MBA

Learning Objectives

• Be familiar with the structure of a financial audit

and the role of the IT audit component.

3
 Overview of Auditing

• An external audit is an independent attestation

performed by an expert—the auditor—who
expresses an opinion regarding the presentation
of financial statements.
• The CPA’s role is to collect and evaluate
evidence and thus render an opinion.
• External auditors follow strict rules in conducting
financial audits.

4
 Financial Audit Components

• The product of the attestation function is a formal

written report that expresses an opinion as to
whether the financial statements are in
conformity with generally accepted accounting
principles (GAAP).
• External users of financial statements are
presumed to rely on the auditor’s opinion about
the reliability of financial statements in making
decisions.

5
 Generally Accepted Auditing
Standards

From Accounting Information Systems by James Hall, 10th Edition

6
 AUDITING STANDARDS

• Auditing standards are divided into three classes:

• General qualification standards
• Field work standards
• Reporting standards

• To provide specific guidance, the AICPA issues

Statements on Auditing Standards (SASs) as
authoritative interpretations of GAAS.
• The first SAS (SAS 1) was issued by the AICPA in 1972.

7
 Structure of an Audit

• Conducting an audit is a systematic and logical

process that consists of three conceptual phases:
• Audit planning
• Tests of controls
• Substantive testing

• An IT audit involves the review of the computer-

based components of an organization. The audit
is often performed as part of a broader financial
audit.

8
AUDIT PLANNING
• Audit planning is the first step in the IT audit in which the
auditor gains a thorough understanding of the client’s
business. A major part of this phase of the audit is the
analysis of audit risk.
• Tests of Controls
• The tests of controls are tests that establish whether internal controls are
functioning properly.
• Computer-assisted audit tools and techniques (CAATTs) is the use of
computers to illustrate how application controls are tested and to
verify the effective functioning of application controls.
• Control risk is the likelihood that the control structure is flawed because
controls are either absent or inadequate to prevent or detect errors in
the accounts.

9
 AUDIT PLANNING (continued)

• Substantive Testing
• Substantive tests are tests that determine whether
database contents fairly reflect the organization’s
transactions.

10
 Phases of an Audit

From Accounting Information Systems by James Hall, 10th Edition

 MANAGEMENT ASSERTIONS

• Management assertions are a combination of

tests of application controls and substantive tests
of transaction details and account balances.
• Audit objectives are the task of creating
meaningful test data.
• Audit procedures are used to gather evidence
that corroborates or refutes management’s
assertions.

12
 Audit Objectives and Audit
Procedures Based on Management
Assertions

From Accounting Information Systems by James Hall, 10th Edition

 AUDIT RISK

• Audit risk is the probability that the auditor will

render unqualified opinions on financial
statements that are, in fact, materially misstated.
• Audit Risk Components
• Inherent Risk
• Inherent risk (IR) is the risk associated with the unique
characteristics of the business or industry of the client.

• Control Risk

14
 AUDIT RISK (continued)

• Detection Risk
• Detection risk (DR) is risk that auditors are willing to take
that errors not detected or prevented by the control
structure will also not be detected by the auditor.

• Audit Risk Model

• The audit report includes an opinion on the fair
presentation of the financial statements and an opinion
on the quality of internal controls over financial reporting.

15
End of Module 1
AUDITING IN A CIS
ENVIRONMENT
THE SARBANES OXLEY ACT
AND ITS AUDIT
IMPLICATIONS

MODULE 2

MELBA C. MATULA, CPA, MBA

UST-AMV College of Accountancy
LEARNING OBJECTIVES
• Understand the key features of Sections 302 and
404 of the Sarbanes-Oxley Act.
• Understand management and auditor
responsibilities under Sections 302 and 404.
• Understand the risks of incompatible functions
and how to structure the IT function.
• Be familiar with the controls and precautions
required to ensure the security of an
organization’s computer facilities.
 Overview of SOX Sections 302
and 404
• Sarbanes-Oxley Act (SOX) of 2002 established corporate
governance regulations and standards for public
companies registered with the SEC.
• Section 302 requires corporate management, including
the chief executive officer (CEO), to certify financial and
other information contained in the organization’s quarterly
and annual reports.
• Section 404 requires the management of public
companies to assess the effectiveness of their
organization’s internal controls over financial reporting.

4
 RELATIONSHIP BETWEEN IT
CONTROLS AND FINANCIAL
REPORTING
• Application controls ensure the integrity of specific systems.
• General controls are controls that pertain to entity-wide concerns such
as controls over the data center, organization databases, systems
development, and program maintenance.
• General computer controls are specific activities performed by persons
or systems designed to ensure that business objectives are met.
• Information technology controls include controls over IT governance, IT
infrastructure, security, and access to operating systems and
databases, application acquisition and development, and program
changes.

5
 AUDIT IMPLICATIONS OF
SECTIONS 302 AND 404
• Computer fraud is the theft, misuse, or
misappropriation of assets by altering computer-
readable records and files, or by altering the logic
of computer software; the illegal use of
computer-readable information; or the intentional
destruction of computer software or hardware.

6
 AUDIT IMPLICATIONS OF
SECTIONS 302 AND 404 (continued)
• Computer Fraud
• DATA COLLECTION
• DATA PROCESSING: Program fraud includes techniques such as
creating illegal programs that can access data files to alter, delete, or
insert values into accounting records; destroying or corrupting a
program’s logic using a computer virus; or altering program logic to
cause the application to process data incorrectly. Operations fraud is
the misuse or theft of the firm’s computer resources.
• DATABASE MANAGEMENT: Database management fraud includes
altering, deleting, corrupting, destroying, or stealing an organization’s
data.
• INFORMATION GENERATION: Scavenging involves searching through
the trash of the computer center for discarded output. Eavesdropping
involves listening to output transmissions over telecommunication lines.

7
 Information Technology Control
Relationship

From Accounting Information Systems by James Hall, 10th Edition

 The General Model for
Accounting Information Systems

From Accounting Information Systems by James Hall, 10th Edition

 IT Governance Controls

• IT governance is a broad concept relating to the

decision rights and accountability for
encouraging desirable behavior in the use of IT.
• Not all elements of IT governance relate
specifically to control issues that SOX addresses
and that are outlined in the COSO framework.

10
 Organizational Structure
Controls
• Operational tasks should be separated to:
• Segregate the task of transaction authorization from
transaction processing.
• Segregate record keeping from asset custody.
• Divide transaction-processing tasks among individuals so
that fraud will require collusion between two or more
individuals.

11
 SEGREGATION OF DUTIES WITHIN
THE CENTRALIZED FIRM
• Separating Systems Development from Computer Operations
• Separating the Database Administrator from Other Functions
• User views are sets of data that a particular user needs to achieve his or her
assigned tasks.
• SEPARATING THE DBA FROM SYSTEMS DEVELOPMENT: Access controls are
controls that ensure that only authorized personnel have access to the firm’s
assets.

• Separating New Systems Development from Maintenance

• INADEQUATE DOCUMENTATION
• PROGRAM FRAUD

• A Superior Structure for Systems Development

12
 Organizational Chart of a Centralized
Information Technology Function

From Accounting Information Systems by James Hall, 10th Edition

13
 Alternative Organization of
Systems Development

From Accounting Information Systems by James Hall, 10th Edition

 THE DISTRIBUTED MODEL

• Distributed data processing (DDP) is reorganizing

the IT function into small information processing
units (IPUs) that are distributed to end users and
placed under their control.
• Advantages of DDP
• COST REDUCTIONS
• IMPROVED COST CONTROL RESPONSIBILITY
• IMPROVED USER SATISFACTION
• BACKUP

15
 THE DISTRIBUTED MODEL (continued)

• Disadvantages of DDP
• MISMANAGEMENT OF ORGANIZATION-WIDE RESOURCES
• HARDWARE AND SOFTWARE INCOMPATIBILITY
• REDUNDANT TASKS
• CONSOLIDATING INCOMPATIBLE ACTIVITIES
• HIRING QUALIFIED PROFESSIONALS
• LACK OF STANDARDS

16
 Organizational Structure for a
Distributed System

From Accounting Information Systems by James Hall, 10th Edition

 CREATING A CORPORATE IT
FUNCTION
• Corporate IT function is a coordinating IT unit that
attempts to establish corporate-wide standards
among distributed IT units.
• Central Testing of Commercial Software and
Hardware
• User Services
• Standard-Setting Body
• Personnel Review

18
 Distributed Organization with Corporate IT Function

From Accounting Information Systems by James Hall, 10th Edition

 AUDIT OBJECTIVES RELATING TO
ORGANIZATIONAL STRUCTURE
• The auditor’s objective is to ascertain whether
individuals serving in incompatible areas are
segregated in accordance with an acceptable
level of risk and in a manner that promotes an
effective working environment.

20
 AUDIT PROCEDURES RELATING TO
ORGANIZATIONAL STRUCTURE
• The following audit tests provide evidence in achieving the
audit objective:
• Obtain and review the corporate policy on computer security.
• Review relevant documentation, including the current
organizational chart, mission statement, and job descriptions for
key functions, to determine if individuals or groups are performing
incompatible functions.
• Review systems documentation and maintenance records for a
sample of applications.
• Through observation, determine that the segregation policy is
being followed in practice.
• Review user roles to verify that programmers have access to
privileges consistent with their job descriptions.

21
 Computer Center Security and
Controls
• Fires, floods, wind, sabotage, earthquakes, or
even power outages can deprive an organization
of its data processing facilities and bring to a halt
those functions that are performed or aided by
computer.
• What does a company do to prepare itself for
such an event?
• How will it recover?

22
 COMPUTER CENTER CONTROLS
• Physical Location
• Construction
• Access
• Air Conditioning
• Fire Suppression
• Fault Tolerance Controls
• Fault tolerance is the ability of the system to continue operation when
part of the system fails because of hardware failure, application
program error, or operator error.

• Audit Objectives Relating to Computer Center Security

23
 COMPUTER CENTER CONTROLS
(continued)

• Audit Procedures for Assessing Physical Security Controls

• TESTS OF PHYSICAL CONSTRUCTION
• TESTS OF THE FIRE DETECTION SYSTEM
• TESTS OF ACCESS CONTROL

• Tests of Fault Tolerance Controls

• RAID
• POWER SUPPLIES BACKUP

• Audit Procedures for Verifying Insurance Coverage

• Audit Procedures for Verifying Adequacy of Operator
Documentation

24
End of Module 2
AUDITING IN A CIS
ENVIRONMENT
DISASTER RECOVERY
PLANNING
MODULE 3

MELBA C. MATULA, CPA, MBA

UST-AMV College of Accountancy
Learning Outcomes

• Understand the key elements of a disaster

recovery plan.
• Be familiar with the benefits, risks, and audit issues
related to IT outsourcing.
 Disaster Recovery Planning

• A disaster recovery plan (DRP) is a

comprehensive statement of all actions to be
taken before, during, and after a disaster, along
with documented, tested procedures that will
ensure the continuity of operations.
• Off-site storage is a storage procedure used to
safeguard the critical resources.

4
 PROVIDING SECOND-SITE
BACKUP
• The Empty Shell
• The empty shell is an arrangement that involves two or more user
organizations that buy or lease a building and remodel it into a
computer site, but without the computer and peripheral
equipment.

• The Recovery Operations Center

• A recovery operations center (ROC) is an arrangement involving
two or more user organizations that buy or lease a building and
remodel it into a completely equipped computer site.

• Internally Provided Backup

• Mirrored data center is a data center that reflects current
economic events of the firm.

5
 IDENTIFYING CRITICAL
APPLICATIONS
• An essential element of a DRP involves procedures to identify
the critical applications and data files of the firm to be
restored.
• For most organizations, short-term survival requires the
restoration of those functions that generate cash flows
sufficient to satisfy short-term obligations.
• Applications should be identified and prioritized in the
restoration plan.
• The task of identifying and prioritizing critical applications
requires active participation of management, user
departments, and internal auditors.

6
 PERFORMING BACKUP AND OFF-
SITE STORAGE PROCEDURES
• Backup Data Files
• Backup Documentation
• Backup Supplies and Source Documents

7
 CREATING A DISASTER
RECOVERY TEAM
• Recovering from a disaster depends on timely
corrective action.
• Failure to perform essential tasks prolongs the
recovery period and diminishes the prospects for
a successful recovery.
• Individual task responsibility must be clearly
defined and communicated to the personnel
involved.

8
 Disaster Recovery Team

From Accounting Information Systems by James Hall, 10th Edition

 TESTING THE DRP

• Tests provide measures of the preparedness of

personnel and identify omissions or bottlenecks in
the plan.
• A test is most useful in the form of a surprise
simulation of a disruption.

10
 AUDIT OBJECTIVE: ASSESSING
DISASTER RECOVERY PLANNING
• The auditor should verify that management’s
disaster recovery plan is adequate and feasible
for dealing with a catastrophe that could deprive
the organization of its computing resources.

11
 AUDIT PROCEDURES FOR ASSESSING
DISASTER RECOVERY PLANNING
• Second-Site Backup
• Critical Application List
• Backup Critical Applications and Critical Data Files
• Backup Supplies, Source Documents, and Documentation
• The Disaster Recovery Team
• CURRENT TREND IN DISASTER RECOVERY: Disaster recovery as a
service (DRaaS) is a variant on cloud computing, which draws
upon these traditional services to provide computing and backup
services.

12
 Outsourcing the IT Function

• IT outsourcing is the contracting with a third-party vendor to

take over the costs, risks, and responsibilities associated with
maintaining an effective corporate IT function, including
management of IT assets and staff and delivery of IT services
such as data entry, data center operations, applications
development, applications maintenance, and network
management.
• Core competency theory is the theory underlying outsourcing
that posits an organization should focus exclusively on its core
business competencies while allowing outsourcing vendors to
manage non-core areas such as IT functions efficiently.

13
 Outsourcing the IT Function
(continued)

• Commodity IT assets are assets not unique to an organization and

easily acquired in the marketplace (e.g., network management,
systems operations, server maintenance, help-desk functions).
• Specific IT assets are assets unique to an organization that support its
strategic objectives. Specific IT assets have little value outside their
current use. May be tangible (computer equipment), intellectual
(computer programs), or human.
• Transaction Cost Economics (TCE) theory is a belief that organizations
should retain certain specific non-core IT assets in-house; due to their
esoteric nature, such assets cannot be easily replaced once they are
given up in an outsourcing arrangement. Supports outsourcing of
commodity assets, which are easily replaced.

14
 RISKS INHERENT TO IT
OUTSOURCING
• Failure to Perform
• Vendor Exploitation of Clients
• Outsourcing Costs Exceed Benefits
• Reduced Security

15
 LOSS OF STRATEGIC
ADVANTAGE
• Organizations that use IT strategically must align
business strategy and IT strategy or run the risk of
decreased business performance.
• To accomplish such alignment necessitates a
close working relationship between corporate
management and IT management in the
concurrent development of business and IT
strategies.

16
 AUDIT IMPLICATIONS OF IT
OUTSOURCING
• The PCAOB specifically states in its Auditing Standard No. 2 that the use
of a service organization does not reduce management’s responsibility
to maintain effective internal control over financial reporting.
• Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is
an internationally recognized third-party attestation report designed for
service organizations such as IT outsourcing vendors.
• SSAE 16 is the definitive standard by which client organizations’ auditors
can determine whether processes and controls at the third-party
vendor are adequate to prevent or detect material errors that could
impact the client’s financial statements.

17
 SSAE 16 Reporting

From Accounting Information Systems by James Hall, 10th Edition

18
 SSAE 16 REPORT CONTENTS

• The SSAE 16 attest report provides a description of the

service provider’s system including details of how
transactions are processed and results are communicated
to their client organizations.
• When using the carve-out method, the service provider
management would exclude the subservice organization’s
relevant control objectives and related controls from the
description of its system.
• When using the inclusive method, reporting the service
provider’s description of its system will include the services
performed by the subservice organization.

19
End of Module 3