
An audit is a systematic process of objectively obtaining and evaluating evidence regarding
assertions about economic actions and events to ascertain the degree of correspondence between
these assertions and established criteria and communicating the results to interested users.
*Systematic process- because there is a series of steps.
*Assertions- representations made by an entity about economic actions and events.
*Audit conducted objectively- the audit should not be biased.
*Established Criteria- needed to judge the validity of the assertions.
*Communicated to interested users in a timely manner.
Code of Ethics of Professional Accountants
-is a guide of principles designed to help professionals conduct business honestly and with
integrity.
a. Integrity- being straightforward, and brave enough to stand up for what you believe.
Ex.: An accountant stays firm and is not associated with information that is incomplete,
incorrect or misleading.
b. Objectivity- fair, not biased and free of conflicts of interest.
Ex.: An accountant provides financial statements that are complete and free from personal
judgement.
c. Professional Competence and Due Care- continually strive to improve knowledge. It has 2
phases: 1. Attainment of professional competence- formal education. 2. Maintenance of
professional competence- awareness of developments to ensure quality in the performance of
professional services.
d. Confidentiality- not disclosing or using any information without proper authority, and not
using it for personal advantage.
Ex.: An accountant has a financial statement but does not use it for personal advantage and
does not disclose it.
e. Professional Behavior- comply with relevant laws and regulations.
Audit Process
1. Accepting an Engagement- accept or reject an audit engagement.
2. Audit Planning- obtain knowledge about the client’s business and industry and assess
risk and materiality to develop the overall audit plan.
3. Consideration of Internal Control- obtaining an understanding of internal control,
documenting the understanding of the system, assessing the level of audit risk, performing tests of
controls.
4. Performing Substantive Tests- to obtain reasonable assurance that the financial statements are
presented fairly in accordance with the applicable financial reporting framework.
5. Completing the Audit- review of subsequent events and contingencies, assessing the
appropriateness of the use of the going concern assumption, performing overall analytical
review procedures, and obtaining written representations from the client’s management.
6. Issuing a Report- forms a conclusion through the audit opinion.
Audit Opinion
• Clean (unqualified) opinion;
• Qualified opinion due to a GAAP departure or scope limitation;
• Adverse opinion due to a GAAP departure; and
• Disclaimer of opinion due to a scope limitation.

Error- unintentional misstatement in the financial statements, including the omission of an
amount or disclosure.
Fraud- intentional act by one or more individuals among management, those charged with
governance, employees or third parties involving the use of deception to obtain an unjust or illegal
advantage.
Different Types of Fraud
1. Management Fraud (Fraudulent financial reporting)- involves members of management or
those charged with governance.
Ex.: A member of management is forced to restate revenue to make the company look
financially stable.
2. Employee Fraud- involves theft of an entity’s assets committed by employees.
Ex.: An employee falsifies his daily time record to earn more salary.
3. Customer Fraud- deceitful act committed by a customer against an entity.
Ex.: A customer paying with “fake money” in a fast-food chain.
4. Vendor Fraud- done by a vendor, sometimes with the help of an employee in the entity.
Ex.: A vendor bills the company for greater quantities/prices than what was initially
agreed upon.
5. Computer Fraud- cybercrime, or use of a computer to deceive an entity or individual.
Ex.: Using phishing
Non-Compliance- acts of omission or commission by the entity being audited, either intentional or
unintentional, which are contrary to the prevailing laws or regulations. Such acts include
transactions entered into by or in the name of the entity or on its behalf by its management or
employees.
How to detect, control and prevent error, fraud and non-compliance?
Auditing is done step by step, which means it is a process.
The process itself is an internal control. So, in order not to make mistakes and to avoid fraud and
error, the process should be followed.
Examples of Different Processes
Business Process- understand how it works, its nature and its documents. For example, for AR,
check the subsidiary ledger and schedule.
Revenue Process
Sales Process- starts with the customer, ends with the customer
Disbursement Process- an order is placed for office supplies, it is found that there is no more stock,
an order is sent to the supplier, then wait for delivery.
Salary for employees
Depreciation
Conversion Process

Some actions to control customer fraud are to reconcile, have a physical count and check the product.

Internal control can detect and prevent employee, customer and vendor fraud. But it is hard to
detect management fraud since management can override internal control.

INFORMATION TECHNOLOGY DEPLOYMENT RISKS

▪ Developing Strategic Plans- serves as the primary guideline for allocating resources
throughout the firm. Keeps the organization headed in a profitable direction.
Vision-Mission-Objective-Strategy-Policies

IMPORTANT POLICY AREAS FOR IT FUNCTIONS
Planning Policies
Organizational Policies
Human Resource Policies
Software Policies
Hardware Policies
Network Policies
Security Policies
Operations Policies
Contingency Policies
Financial and Accounting Policies

“Red Flags” for IT Auditors
The following are key planning risk indicators.
1. A strategic planning process is not used.
2. Information technology risks are not assessed.
3. Investment analyses are not performed.
4. Quality assurance reviews are not conducted.
5. Plans and goals are not communicated.
6. Information technology personnel are disgruntled.
7. Software applications do not support business processes.
8. The technology infrastructure is inadequate.
9. The user community is unhappy with the level of support.
10. Management’s information needs are not met.
Professional Guidance
1. Develop a strategic IT plan.
2. Articulate the information architecture.
3. Find an optimal fit between IT and the company’s strategy.
4. Design the IT function to match the company’s needs.
5. Maximize the IT investment.
6. Communicate IT policies to the user community.
7. Manage the IT workforce.
8. Comply with external regulations, laws, and contracts.
9. Conduct IT risk assessments.
10. Maintain a high-quality systems development process.
11. Incorporate sound project management techniques.
Managing Development Projects
▪ Application of project management techniques can minimize project-related risk.
PROJECT MANAGEMENT LIFECYCLE
Phase 1: Plan the Project
▪ Set the time, cost & scope
▪ Identify resources
▪ Articulate project outcome
▪ Determine the WBS (Work Breakdown Structure)
Phase 2: Schedule the Project
▪ Gantt Charts
▪ Critical Path Analysis
▪ Critical Path Method
▪ Microsoft Project
Phase 3: Continuous Monitoring
▪ Use benchmarks, milestones and deliverables to track progress
▪ Monitoring frequency varies by project, depending on the sensitivity of the project to
deviation.
▪ Rule of thumb: determine the maximum percent deviation allowed & monitor
activities at the half-way point.
Phase 4: Schedule the Project
▪ Aimed at keeping the project moving
▪ Adjust to unexpected issues, delays and problems as they arise
▪ Continually adjust the plan
Phase 5: Closing the Project
▪ Obtain client acceptance in writing
▪ Release and evaluate project personnel
▪ Identify & reassign remaining project assets
▪ Evaluation of the project
Key Project Risk Indicators
1. Management does not use a formal project management methodology.
2. Project leaders are not adequately experienced at managing projects.
3. Project leaders have insufficient domain expertise.
4. Project teams are unqualified to handle the project size/complexity.
5. Project team members are dissatisfied and frustrated.
6. Projects do not have senior-level executive support.
7. Projects do not include input from all affected parties.
8. Project recipients are dissatisfied with project outcomes.
9. Projects are taking longer to develop than planned.
10. Projects are costing more than budgeted.
Acquiring Software Applications
The IT auditor should determine if the new application would fit into the company’s strategic
plan.
There should be a formal software application acquisition policy.
Selection Process
Assign a project manager
Must know the needs of users & include them in decisions
Identify alternatives and compare them
Total Cost of Software
▪ User training
▪ Multiple licenses
▪ Service and support
▪ Future upgrades
▪ Software modifications
Key Acquisition Risk Indicators
1. Software acquisitions are not mapped to the strategic plan.
2. There are no documented policies aimed at guiding software acquisitions.
3. There is no process for comparing the “develop versus purchase” options.
4. No one is assigned responsibility for the acquisition process.
5. Affected parties are not involved with assessing requirements and needs.
6. There is insufficient knowledge of software alternatives.
7. Security features and internal controls are not assessed.
8. Benchmarking and performance tests are not carried out.
9. Integration and scalability issues are not taken into account.
10. Total cost of ownership is not fully considered.
Developing Software
• Determine the extent to which proposed systems development projects are aligned
with the strategic plan.
Steering Committees are typically permanent in nature, in that the members serve in this capacity
over multiple years and guide or steer numerous projects. They:
• Evaluate submitted proposals.
• Determine which potential projects merit further investigation.
• Prioritize projects in order of their importance.
• Evaluate feasibility studies.
• Oversee each project’s progress as it unfolds.

MANAGING THE IT FUNCTION
Financing- acquiring and utilizing the funds necessary for efficient operations. The IT function must be
adequately funded to fulfill strategic objectives.
Risks of Under-funding
Business Risk- the exposure a company or organization has to factor(s) that will lower its profits
or lead it to fail. Anything that threatens a company's ability to achieve its financial goals is
considered a business risk.
Examples:
– Needs and demands of stakeholders will go unfulfilled.
So, who are these stakeholders? Customers, vendors, employees. For example, if the IT function is
underfunded and cannot buy enough computers for every employee, operations will be
delayed and inefficient because there are not enough resources for the employees to do their
work.
– It can also adversely impact the success of the company. As in the example above, if
operations are inefficient and ineffective, the entity cannot achieve its goals and objectives, which
will lead to its downfall.
Audit Risk- the risk that the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated.
Example
• Heavy workloads can lead to a culture of ‘working around’ the system of internal controls.
For example, if the IT function is underfunded, it does not have enough money to hire
enough employees to do the job. Heavy workloads are put on the employees, and
to finish their job they take shortcuts to save time, which can lead to information
being substandard and inaccurate. Also, incompatible functions such as authorizing and
encoding can be given to one employee, which gives that employee the opportunity to
perpetrate and conceal errors.
Funding Approaches
Cost Center Approach- the process through which a business allocates funds during the budgeting
process. The budget is prepared by the IT manager and then submitted to upper management for
approval. The entity gives the funds to the IT manager and allocates the cost to the IT
department. Usually this covers human resources, materials and supplies.
Profit Center Approach- charge internal users for IT services, creating intra-company funding of
the IT function based on usage. The funds of the IT department come from intra-company
(within) funding. The internal users of IT services are the employees, who
pay the IT department based on what they need.
Staffing the IT Function- employees are one of the most important parts of the IT function because
without employees, the computer environment cannot function. As they say, a computer needs
humans in order to function.
Human Resources- finding, screening, recruiting, and training job applicants, as well as
administering employee-benefit programs.
Risks in HR
Business Risk
• Employees lack sufficient knowledge and experience
Audit Risk
• Exposes the company to computer security threats, information integrity problems, and asset
misappropriation
Human resources procedures are the controls that we can apply to manage human
resources properly and minimize audit and business risk.
• There are three areas in human resources procedures.
• Hiring- the process of finding and engaging the services of the person that best suits
the job. Recruiting, verifying, testing, interviewing
• Rewarding- the achievements and benefits received by employees for their job
performance in an organization are known as rewards. Evaluating, compensating,
promoting, training
• Terminating- refers to the end of an employee's work with a company.
DIRECTING THE IT FUNCTION
ADMINISTERING THE WORKFLOW- Workflow enables you to automate procedures in which
information, tasks, and documents are passed among several participants. In administering the
workflow, IT managers should manage the procedures that need to be done. This is first done by
determining the degree of service that the IT function needs to provide to its users.
MANAGING THE COMPUTER ENVIRONMENT- The IT manager must understand how the
infrastructure elements work together.
The IT manager must ensure the physical environment is safe for humans and computers.
THIRD PARTY SERVICES- any unaffiliated person, company, or entity that performs services
for a company.
Examples: Internet service providers (ISP), ASP, MSP, communication companies, security
firms, call centers
ASSISTING USERS: TRAINING AND EDUCATION & HELP DESK- For users to have the
appropriate skills and knowledge, the IT manager should design programs that will
train and further educate the users of IT. IT managers should identify training needs, design
curricula, deliver programs, and use outside training programs (how to use the program). Aside from
training and education, IT managers should assist users with requests for help. The IT manager
should design and monitor effective ways to assist users who need help. He/she must
create an atmosphere of mutual trust and respect between the IT function and the user community.
CONTROLLING THE IT FUNCTION
MAJOR CONTROL CATEGORIES IN THE IT FUNCTION
Security Controls- secure the computing infrastructure from internal and external threats.
Physical Security- focuses on keeping facilities, computers, communication equipment and other
tangible aspects of the computing infrastructure safe from harm.
Logical Security- protects the ‘logical’ components of the infrastructure.
Input- refers to any information, or data, that is sent to a computer for processing. Input is often
sent to the computer from a device such as a keyboard, mouse, or other input device. Put
simply, input is the act of entering data into a computer. Incompatible functions are proper
authorization, approval and input of accounting transactions.
Process Controls
Validating- the collection and evaluation of data which establishes evidence that a process
is capable of consistently delivering a quality product.
Error Handling- refers to the anticipation, detection, and resolution of programming,
application, and communication errors.
Updating- continually reassessing processes to ensure they are compliant and to reduce
the risk of penalties.
DATABASE- Database processing involves simultaneous updating of multiple tables.
Corruption of data happens quickly when multiple users attempt to update the same data item
simultaneously, or when one user is updating while another user is reading the same data item.
How to prevent it? Lock the database, so that only one user at a time can update the data item.
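The corruption described above is the classic "lost update". The following is an added example (not from the original notes) that replays two users' read-modify-write steps on one constructed inventory record in a chosen order, first without and then with an exclusive lock, so the effect of the lock can be seen deterministically.

```python
"""Lost-update simulation: two users doing read-modify-write on one data item,
with and without a lock. The caller chooses the interleaving, so the result is
deterministic (no threads involved)."""

# Constructed sample data: one inventory record; user A ships 30 units, user B ships 20.
ITEM = "SKU-001"
USERS = {"A": -30, "B": -20}


class Database:
    """A one-table database with a single (optional) exclusive lock on the item."""

    def __init__(self, start_qty):
        self.items = {ITEM: start_qty}
        self.lock_owner = None  # user currently holding the lock, or None


def transaction(db, user, delta, use_lock):
    """Read-modify-write as a generator; every `yield` is one step the scheduler
    may interleave with the other user's steps (that interleaving is the race)."""
    if use_lock:
        while db.lock_owner not in (None, user):  # someone else holds the lock: wait
            yield f"{user} waiting for lock"
        db.lock_owner = user
    value = db.items[ITEM]
    yield f"{user} read {value}"
    new_value = value + delta
    yield f"{user} computed {new_value}"
    db.items[ITEM] = new_value
    if use_lock:
        db.lock_owner = None  # release before reporting so the other user can proceed
    yield f"{user} wrote {new_value}"


def run(order, use_lock, start_qty=100):
    """Replay the steps in `order` (e.g. ["A", "B", "A", "B", ...]), then let any
    unfinished transaction run to completion. Returns (final quantity, step log)."""
    db = Database(start_qty)
    txns = {u: transaction(db, u, delta, use_lock) for u, delta in USERS.items()}
    done, log = set(), []
    for user in list(order) + list(USERS) * 6:  # trailing slots drain both users
        if user in done:
            continue
        try:
            log.append(next(txns[user]))
        except StopIteration:
            done.add(user)
        if done == set(USERS):
            break
    return db.items[ITEM], log


if __name__ == "__main__":
    interleaved = ["A", "B"] * 3
    qty, log = run(interleaved, use_lock=False)
    print("no lock   ->", qty, "(A's update was lost)", log)
    qty, log = run(interleaved, use_lock=True)
    print("with lock ->", qty, log)
```

Starting from 100 units, the unlocked interleaving ends at 80 (one shipment silently disappears), while the locked run makes B wait and ends at the correct 50.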
OUTPUT- Output is the information produced by a system or process from a specific input. Within
the context of systems theory, the inputs are what are put into a system and the outputs are the
results obtained after running an entire process or just a small part of a process.
Only properly authorized parties can request certain output (computer screens, printed reports).
Management should restrict output to the users who need it; not all employees should
have the same level of authorization.
BACKUP AND RECOVERY
Physical Vaulting
✓ One backup on-site, one off-site
Electronic Vaulting
✓ Send backup data over a communications network (such as the Internet) to an off-site
storage medium.
Hardware Backup
✓ A hard drive or auxiliary storage device, such as an external backup or flash drive
Disaster Recovery Control
-IT managers and auditors should plan
-Transfer the lost computer processing load
-Get the infrastructure elements to alternative sites
Changing Software Applications
KEY SYSTEM CHANGE RISK INDICATORS
1. A structured system change methodology is not in place.
2. A software change request procedure is not used.
3. Change requests are not reviewed/prioritized by a representative group.
4. Feasibility studies are not performed when appropriate.
5. Alternative software change designs are not considered.
6. Separate development, test, and production libraries are not used.
7. Security and controls implications are not considered.
8. Integration issues are not taken into account.
9. Testing is inadequately conducted.
10. Application changes are poorly documented.
Implementing Software Applications
PARALLEL IMPLEMENTATION- the new application is placed into production alongside
the existing application and both are used to simultaneously process live data.
BIG BANG IMPLEMENTATION- the organization ceases using the old system and
immediately begins operating the new system.
PARTIAL IMPLEMENTATION- the system is phased in one piece at a time.
FOCUSED IMPLEMENTATION- the company identifies a relatively small group of users to
first use the new system before placing it into use throughout the organization.
KEY IMPLEMENTATION RISK INDICATORS
1. Alternative implementation strategies are not considered.
2. Formal implementation plans are not followed.
3. All affected parties are not involved.
4. Implementation teams are uncoordinated.
5. Implementation processes are rushed.
6. Change management procedures are not developed.
7. System users are inadequately trained.
8. Security and control issues are slighted.
9. Final testing is insufficient.
10. Post-implementation reviews are not conducted.
Organizing the IT Function
Locating the IT function
• To whom should the IT manager report?
▪ Important ramifications on the IT manager’s:
▪ Ability to acquire needed resources
▪ Ability to prioritize workloads
• Must consider segregation of incompatible duties
▪ Responsibilities vested in different people:
▪ Authorizing transactions
▪ Recording transactions
▪ Maintaining custody of assets
• Should the IT manager report to the accounting manager?
▪ Most IT applications deal with accounting transactions. However, most controllers
can already authorize and record certain transactions. If allowed to maintain
custody of assets, then all three incompatible duties would be located under one
person. Fraud would also be difficult to detect.
• Should the IT manager report to another operations/administrative manager?
• Many software applications deal with these areas.
However:
• Many managers can authorize transactions, so custody of assets would give
them 2 or 3 incompatible duties
• Other managers would not likely have the expertise to guide and support an IT
manager
• The IT function may not have access to upper management
• Should the IT manager report alongside other line managers?
• Politically strong enough to compete for resources
• The CEO has responsibility over authorizing and recording transactions and maintaining
custody of assets but rarely performs the 3 incompatible duties.
• Should the IT manager report above other line managers?
• This structure allows the IT manager, who reports to the Vice President, to focus
on local issues and needs
Designing the IT function
• Internal control considerations within an IT function
• Separate from one another:
• System development
• Computer operations
• Computer security
System Development
• Staff have access to operating systems, business applications and other key software
• They should not be allowed to process information
• They should not maintain custody of corporate data and business applications
Computer Operations
• Operating staff are responsible for:
• Entering data, processing information, disseminating output
Computer Security
• Responsible for the safekeeping of resources
• Includes ensuring that business software applications are secure
• Responsible for the safety of corporate information, communication networks and
physical facilities
• IT auditors should ensure that system developers and computer operators are segregated
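As an added example (not from the original notes), here is the kind of segregation-of-duties check an IT auditor can run over a role assignment: it resolves each user's roles into the three incompatible accounting duties (authorizing, recording, custody) and the three IT functions that should be separated (system development, computer operations, computer security), and flags anyone holding two or more within either group. The role catalogue, users and assignments are constructed sample data.

```python
"""Segregation-of-duties check over a role assignment (constructed sample data)."""

ACCOUNTING_DUTIES = {"authorize", "record", "custody"}
IT_FUNCTIONS = {"system_development", "computer_operations", "computer_security"}

# Constructed role catalogue: role -> duties or IT functions the role grants.
ROLES = {
    "controller": {"authorize", "record"},
    "cashier": {"custody"},
    "ap_clerk": {"record"},
    "developer": {"system_development"},
    "operator": {"computer_operations"},
    "security_admin": {"computer_security"},
}

# Constructed assignments: user -> roles held.
ASSIGNMENTS = {
    "alice": {"controller"},                 # authorizes and records: two incompatible duties
    "bob": {"cashier"},                      # custody only: fine
    "carol": {"controller", "cashier"},      # all three duties under one person (the worst case)
    "dave": {"developer", "operator"},       # a developer who can also process information
    "erin": {"ap_clerk", "security_admin"},  # one duty and one IT function: fine
}


def effective_rights(user_roles, roles=ROLES):
    """Union of everything the user's roles grant (duties and IT functions)."""
    rights = set()
    for role in user_roles:
        rights |= roles[role]
    return rights


def find_conflicts(assignments=ASSIGNMENTS, roles=ROLES):
    """Return {user: [issue, ...]} for every user who combines 2+ incompatible
    accounting duties or 2+ IT functions that should be kept separate."""
    findings = {}
    for user, user_roles in sorted(assignments.items()):
        rights = effective_rights(user_roles, roles)
        acct = rights & ACCOUNTING_DUTIES
        it = rights & IT_FUNCTIONS
        issues = []
        if len(acct) >= 2:
            issues.append(f"holds {len(acct)} incompatible accounting duties: {sorted(acct)}")
        if len(it) >= 2:
            issues.append(f"combines IT functions that should be separated: {sorted(it)}")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in find_conflicts().items():
        for issue in issues:
            print(f"{user}: {issue}")
```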

IT NETWORKS AND TELECOMMUNICATIONS

NETWORK- computers and peripheral devices connected to each other to transmit and share data
and information.

NETWORK COMPONENTS
END POINTS
SWITCHES
ROUTERS
SERVERS
ACCESS POINTS
CONTROLLERS [WLC]
FIREWALLS

TYPES OF NETWORKS
PERSONAL AREA NETWORK (PAN)
- is a computer network for interconnecting electronic devices within an individual person’s
workspace.
HOME AREA NETWORK (HAN)
- is a computer network that facilitates communication among devices within the close
vicinity of a home.
LOCAL AREA NETWORK (LAN)
- is a collection of devices connected together in one physical location, such as a building,
office, or home.
METROPOLITAN AREA NETWORK (MAN)
- is a computer network that interconnects users with computer resources in a geographic
region the size of a metropolitan area.
WIDE AREA NETWORK (WAN)
- is a geographically distributed private network that interconnects multiple local area
networks and spans a large geographical area, such as across cities, states, or countries.
TELECOMMUNICATIONS
- is a technique that consists of transmitting a message from one point to another.
- Telecommunications have practically eliminated the distance between people through the
use of the internet.
IT NETWORKS AND TELECOMMUNICATIONS RISKS
SOCIAL ENGINEERING
- use of social skills to obtain confidential information or unauthorized access by persuading
insiders to provide access.
SECURITY:
- Employees should always be cautious when sharing personal information on social media
platforms
- Never open an email that looks suspicious
- Don’t give strangers personal information until you can verify where they are calling from
- Review security policies to stay up to date with the latest social engineering techniques
- Always use a paper shredder to properly dispose of printed material
PHYSICAL INFRASTRUCTURE THREATS
Elements and Natural Disasters
Fire, air, water, floods, earthquakes, hurricanes
Power Supply
Backup power supply
Intentional Human Attacks
Terrorist attacks, company insiders’ attacks
PROGRAMMED THREATS
- Viruses
- Worms
- Trojans
MALWARE
- Short for “malicious software”; a file or code, typically delivered over a network, that
infects, explores, steals or conducts virtually any behavior an attacker wants.
COMMON TYPES OF MALWARE
VIRUSES
TROJANS
WORMS
SECURITY:
Keep your operating system clean by downloading regular patches and updates, and make sure that
your computer is protected by the latest antivirus software from a trusted vendor.
DENIAL OF SERVICE ATTACKS
- Using up the maximum number of network connections so that new users can’t obtain access,
overloading primary memory, and infecting file systems with unnecessary or incorrect data.
SECURITY:
Keep your system as secure as possible with regular software updates, online security monitoring,
and monitoring of your data flow to identify any unusual or threatening spikes in traffic before
they become a problem.
IT NETWORK AND TELECOMMUNICATIONS SECURITY
NETWORK SECURITY ADMINISTRATION
• The network security admin is responsible for:
- Creating a network security plan
- Developing & communicating a security policy for network resources
- Password management
AUTHENTICATION
- process of ensuring that users are who they claim to be
- Biometrics
ENCRYPTION
- Scrambling data so that anyone who views it won’t be able to make sense of it without the
decryption key.
SECRET KEY CRYPTOGRAPHY
- Sender and receiver use the same key to encode and decode the message.
- Problem: both must agree on the key and both need to obtain it.
PUBLIC KEY CRYPTOGRAPHY
- Uses a private/public key pair
- One key for encrypting the message and another for decrypting it
- Both keys are issued at the same time and certified by a certificate authority
- The public key is widely available and can be transmitted across a public network
- Only the intended receiver can decrypt the message using the private key.
FIREWALLS
- A network security device that monitors incoming and outgoing network traffic and
decides whether to allow or block specific traffic based on a defined set of security rules.
INTRUSION DETECTION SYSTEM
- A device or software application that monitors a network or systems for malicious activity
or policy violations.
PENETRATION TESTING
- A method to evaluate the security of an application or network by safely exploiting any
security vulnerabilities present in the system.

Electronic business (e-business)- is defined as the use of the internet to network and empower
business processes, electronic commerce, organizational communication and collaboration
within a company and with its customers, suppliers, and other stakeholders.
E-BUSINESS TECHNOLOGY
INTERNET- a global computer network providing a variety of information and
communication facilities, consisting of interconnected networks using standardized
communication protocols.
INFORMATION INFRASTRUCTURE- the support system that allows the internet to work.
The main infrastructure support facilities exist in developed nations.
Broadband- a term used to describe the bandwidth of a transmitted communications signal.
ELECTRONIC DATA INTERCHANGE- the exchange of documents between
organizations in electronic form directly between computer applications.
- Standard format of communication
- Fast communication
- Lower cost
- Less paper handling
PROGRAMMING LANGUAGES- facilitate the development of the set of instructions that constitutes
a computer program.
WIRELESS TECHNOLOGY- provides the ability to communicate between two or more
entities over distances without the use of wires or cables. This includes communications using
radio frequency as well as infrared waves.
Wireless Application Protocol (WAP)
Third Generation (3G)
Bluetooth
Wireless Fidelity (WiFi)
WiMAX
PAYMENT SYSTEM- refers to arrangements which allow consumers, businesses and other
organizations to transfer funds held in a financial institution to one another.
E-BUSINESS MODELS
• Business to Consumer (B2C)
• Allows businesses to sell their products and services to end-users or consumers.
• Business to Business (B2B)
• Pertains to businesses that sell their products or services to another business.
• Consumer to Business (C2B)
• An e-business model that allows individuals to sell goods and services to companies or
businesses.
• Consumer to Consumer (C2C)
• Connects different consumers to exchange goods and services.
TYPES OF E-BUSINESS MODELS
• Brokerages- intermediaries who bring together buyers and sellers for
transaction purposes.
• E-shops- provide firms with a channel of communication to customers and provide
valuable information about what products and services are sought by customers.
• E-malls- a collection of e-shops.
• E-auctions- provide a channel of communication through which the bidding process
for products and services can take place between competing buyers.
• Buyer aggregator model- brings together large numbers of individual buyers so that
they can gain the types of savings that are usually the privilege of large-volume buyers.
• Infomediaries- specialize in gathering valuable information about
customers and selling it to third parties.
• E-procurement- the management of all procurement activities via electronic means.
• Third-party marketplaces- a channel through which firms can extend their sales
pitch to customers by making their product catalogue available on the website.
• Manufacturer model- the process of disintermediation in the supply chain by
creating a direct line of communication between manufacturers and consumers.
• Subscription model- revenue is generated through subscriptions to access
websites.
E-BUSINESS RISKS
• Online security breach
• Violation of intellectual property
• Credit card fraud
• System reliability risk
• Privacy issues
• Client disputes and refunds

SPECIALIZED E-BUSINESS APPLICATIONS

ELECTRONIC DATA INTERCHANGE- is the electronic exchange of business transactions, in
a standard format, from one entity’s computer to another entity’s computer through an electronic
communications network.
A standard format must be used in EDI so that the computer will be able to read and understand
the documents.

EDI DOCUMENT STANDARDS

EDI transactions are transmitted either directly between the entities and their trading partners or
through third parties.
Direct EDI (also called Point-to-Point EDI) establishes a single secure line between two business
partners. In this approach, an organization must communicate with each business partner
individually, which can mean managing hundreds or thousands of separate connections.
If you choose the direct connection model, you will need to purchase a software package that
supports all the agreed-upon protocols. Then you will need to agree with each of your
partners on
(1) which of these communication methods or protocols you will use and
(2) the specific protocol settings to be used when exchanging your files of EDI documents.
A value-added network (VAN) is a private, hosted service that provides companies with a secure
way to send and share data with its counterparties.
To simplify the complexity of managing multiple EDI direct connections, a company can use a
single connection to an EDI VAN, which provides the partner connections.
It may be an efficient option for businesses that do not wish to use multiple EDI languages for all
their different partners. VANs are third-party private hosting services that allow organizations to
channel their EDI communications, without establishing separate protocols, through a single line,
as long as all partners are using the same VAN.
Simply put, it is a secure network where EDI documents can be exchanged between a network of
business partners, wherein an organization is provided with a mailbox by the EDI VAN
provider.
WEB-BASED
Web EDI is simply conducting EDI through an Internet browser.
Software as a Service
This is generally used to describe EDI systems that can be accessed and used via a Web browser.
These systems are based on what is known as the "Software as a Service" principle where the user
will pay a monthly fee in exchange for access to the Web-based EDI system.

*Software as a service (or SaaS) is a way of delivering applications over the Internet—as a service.
Instead of installing and maintaining software, it can simply be accessed via the Internet.

Web-based EDI is often the cheapest and easiest way for businesses to begin transacting with their
trading partners using EDI.

Access controls protect EDI messages against weaknesses in the transmission media and protect
the sender against internal fraud or manipulation.
Specific access controls include: access controls on files/programs, application controls in
software, restricted access to data/logs, safeguards over network access, audit trails of network
access, regular reviews of operations, high quality project plan

Integrity controls ensure that an EDI transaction appears identical to all parties.
Specific integrity controls include: regular reviews of operations, follow-up procedures for errors,
sequence numbers in messages, accounting controls, matching transactions with records,
establishment of EDI task force and acknowledgements.
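As an added illustration of two of the integrity controls just listed (sequence numbers in messages and acknowledgements), here is a small Python check that is not part of these notes or of any EDI product. It runs over a constructed batch of outgoing message control numbers and the partner's acknowledgements and reports gaps, duplicates, unacknowledged messages and acknowledgements that match nothing sent. The record layout (dicts with control_number, partner, doc_type and status) is an assumption for illustration, not a real X12 or EDIFACT envelope.

```python
"""Added example (not from the notes): EDI message integrity checks.

Two integrity controls, sequence numbers in messages and acknowledgements,
are checked over a constructed batch of messages. The dict layout used here
is an assumption for illustration; real EDI envelopes differ.
"""
from dataclasses import dataclass, field

# Constructed sample data: control numbers a sender assigned to outgoing
# interchanges, and the acknowledgements returned by the trading partner.
SENT_MESSAGES = [
    {"control_number": 1001, "partner": "SUPPLIER-A", "doc_type": "PO"},
    {"control_number": 1002, "partner": "SUPPLIER-A", "doc_type": "PO"},
    {"control_number": 1002, "partner": "SUPPLIER-A", "doc_type": "PO"},  # sent twice
    {"control_number": 1004, "partner": "SUPPLIER-A", "doc_type": "PO"},  # 1003 never sent
    {"control_number": 1005, "partner": "SUPPLIER-A", "doc_type": "INV"},
]

RECEIVED_ACKS = [
    {"control_number": 1001, "partner": "SUPPLIER-A", "status": "ACCEPTED"},
    {"control_number": 1002, "partner": "SUPPLIER-A", "status": "ACCEPTED"},
    {"control_number": 1004, "partner": "SUPPLIER-A", "status": "REJECTED"},
    {"control_number": 1009, "partner": "SUPPLIER-A", "status": "ACCEPTED"},  # nothing sent with this number
]


@dataclass
class SequenceReport:
    gaps: list = field(default_factory=list)        # control numbers missing from the run
    duplicates: list = field(default_factory=list)  # control numbers used more than once


def check_sequence(messages):
    """Flag gaps and duplicates in the control-number sequence.

    A gap may mean a lost message (or one that bypassed logging); a duplicate
    may mean an unintended resend or a replayed message. Both warrant follow-up.
    """
    report = SequenceReport()
    seen = {}
    for msg in messages:
        num = msg["control_number"]
        seen[num] = seen.get(num, 0) + 1
    if not seen:
        return report
    low, high = min(seen), max(seen)
    report.gaps = [n for n in range(low, high + 1) if n not in seen]
    report.duplicates = sorted(n for n, count in seen.items() if count > 1)
    return report


def match_acknowledgements(messages, acks):
    """Reconcile acknowledgements against the messages actually sent.

    Returns (unacknowledged, rejected, unmatched_acks):
      unacknowledged - sent control numbers with no acknowledgement at all
      rejected       - sent control numbers the partner reported as rejected
      unmatched_acks - acknowledgements for control numbers never sent
    """
    sent = {m["control_number"] for m in messages}
    acked = {a["control_number"]: a["status"] for a in acks}
    unacknowledged = sorted(sent - acked.keys())
    rejected = sorted(n for n, status in acked.items() if n in sent and status == "REJECTED")
    unmatched_acks = sorted(acked.keys() - sent)
    return unacknowledged, rejected, unmatched_acks


if __name__ == "__main__":
    seq = check_sequence(SENT_MESSAGES)
    print("gaps:", seq.gaps, "duplicates:", seq.duplicates)
    print("unacknowledged, rejected, unmatched acks:",
          match_acknowledgements(SENT_MESSAGES, RECEIVED_ACKS))
```

Each list the functions return is an exception report an auditor would follow up with the entity: a gap against the message log, a duplicate against the accounting records it updated, and an unmatched acknowledgement against the partner, since it may point to a message that was sent but never logged.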
Availability controls- these ensure availability of the system without interruption.
Specific availability controls include: formal development methodology, evaluation of vendor
software, evaluation of network provider, software upgrade procedures, manual checks, security
review of network systems

Confidentiality controls offer the ability to provide or preserve the privacy of the content of an
EDI transaction when required.
Specific confidentiality controls include: training and education of staff, authorization
mechanisms, encryption mechanisms, segregation of duties, legal liability, written policies and
procedures, manual checks

Specific repudiation controls include: audit involvement, audit and management trails, audit trails
of network access, record retention practices, reports for tracking transactions, procedures for
delivery failures, fallback measures for network failure

Specific authentication controls include: security reviews on network systems, authorization
mechanisms, matching transactions with records, and reports on tracking transactions
RISKS & CONTROL
Incorrect data, tables or software; inaccurate or incomplete transactions; alteration of files or
software = Integrity

Disclosure of transaction content = Confidentiality

Repudiation of origin or receipt = Repudiation

Non-authentic or unauthorized transactions = Authentication

Interconnection problems = Access Controls

E-MAIL SECURITY AND PRIVACY


In order to maintain privacy and security, the following may be done:
Create and maintain a policy whereby employees are not allowed to use their main business email
addresses when signing up for services or websites. This includes services that are specifically
related to an employee’s daily duties.
Never click on any links or allow images/files in emails from unknown senders to be downloaded.
There are several reasons for this: files and images can perform many malicious tasks on your
computer if downloaded, such as opening a backdoor to an attacker, and images in the body of an
email can be used by threat actors to track who opens emails.
Train staff to be mindful of such risks and identify the signs in order to avoid them.

MANAGING THIRD PARTY PROVIDERS

INTERNET SERVICE PROVIDERS


ISPs are companies that provide Internet connections and services to individuals and organizations.
The term Internet service provider (ISP) refers to a company that provides access to the Internet
to both personal and business customers. ISPs make it possible for their customers to surf the web,
shop online, conduct business, and connect with anyone online, for a fee.

APPLICATION SERVICE PROVIDER


An Application Service Provider (ASP) provides applications and related services over the
Internet.

THIRD PARTY ASSURANCE SERVICES


TRUSTe is a separate organization sponsored by several of the larger Internet firms such as
Microsoft and IBM. A TRUSTe mark notifies users of the following:
what personally identifiable information of the user is being collected
what organization is collecting the information
how the information is used
with whom the information may be shared
what choices are available to the user regarding collection, use and distribution of the information
what kind of security procedures are in place to protect against the loss, misuse, or alteration of
information under the company's control
VeriSign provides digital certificates that provide users assurance that they are doing business with
the genuine site and not an imposter’s “spoof” site and that the information being sent (e.g. credit
card numbers, online forms, or financial data) is being protected from interception or alteration
over the web/net.
BBB ONLINE
Websites carrying the BBB OnLine Reliability seal are all members of their local Better Business
Bureau, have been in business for at least one year, have agreed to abide by BBB standards of truth
in advertising, and have committed to work with the BBB.
BBB Online provides information about reliable business firms and a forum for consumers to
register disputes or problems with a firm. They offer a seal for which business firms can apply, but
only after the firm meets rigorous advertising standards.

In addition to these standards, the seal requires that the applicant provide both dispute resolution
procedures for customers and responsible advertising on Web pages geared for children.
IT ENVIRONMENTS - STAND-ALONE PERSONAL COMPUTERS
Stand-alone PCs can be operated by a single user or many users at different times accessing the
same or different programs on the same computer. The user of a stand-alone PC that processes
accounting applications performs many functions (for example, entering data and operating
application programs). While typically not knowledgeable about programming, users may often
use third-party or off-the-shelf software packages such as electronic spreadsheets or database
applications.
Internal Control in Stand-Alone PC Environments
In a typical stand-alone PC environment, the level of general controls is lower than what would be
found in a large-scale computing environment.
Organizational Policies and Procedures
The auditors consider the organizational structure of the entity and, in particular, the allocation of
responsibilities for data processing. Effective policies and procedures for the acquisition,
implementation, operation and maintenance of stand-alone PCs can enhance the overall control
environment.
Physical Protection – Equipment
They can be physically protected by: a. locking them in a protective room, cabinet or shell; b. using
an alarm system that is activated if the PC is disconnected or moved from its location; c. fastening
the PC to a table; d. policies outlining the proper procedures to follow when traveling with a laptop
or using it off premises; e. encryption of key files; f. installing a locking mechanism to control
access to the on/off switch. This may not prevent PC theft, but may be effective in controlling
unauthorized use; and g. implementing environmental controls to prevent damages from natural
disasters, such as fire, floods, etc.
Physical Protection - Removable and Non-Removable Media
When many individuals use a particular PC, storage media are more likely to be misplaced, altered
without authorization or destroyed. It is the user's responsibility to protect removable storage
media by, for example, keeping current backups of such media in a fireproof container, either on
site, off site, or both. This applies equally to operating systems, application programs and data.
The Effect of Stand-Alone PCs on the Accounting System and Related Internal Controls- The
effect of PCs on the accounting system and the associated risks will generally depend on: a. the
extent to which the PC is being used to process accounting applications; b. the type and
significance of financial transactions being processed; and c. the nature of programs and data used
in the applications.
The Effect of a Stand-Alone PC Environment on Audit Procedures
In a stand-alone PC environment, it may not be practicable or cost-effective for management to
implement sufficient controls to reduce the risks of undetected errors to a minimum level. In this
situation, after obtaining the understanding of the accounting system and control environment
required by SAS 300 "Audit risk assessments and accounting and internal control systems", the
auditors may find it more cost-effective not to make a further review of general controls or
application controls, but to concentrate audit efforts on substantive procedures.
IT ENVIRONMENTS - ON-LINE COMPUTER SYSTEMS
On-line computer systems are computer systems that enable users to access data and programs
directly through terminal devices
On-line computer systems may be classified according to how information is entered into the
system, how it is processed and when the results are available to the user. For purposes of this PN,
on-line computer systems functions are classified as follows: a. on-line/real-time processing; b.
on-line/batch processing; c. on-line/memo update (and subsequent processing); d. on-line/inquiry;
and e. on-line downloading/uploading processing
Internal Control in an On-Line Computer System
Applications in an on-line environment may have greater exposure to unauthorized access and
update. An entity's security infrastructure plays an important part in ensuring the integrity of the
information produced. The auditors, therefore, consider the security infrastructure before
examining the general and application controls. The entity may need to establish suitable general
controls to mitigate the risks of viruses, unauthorized access and the potential destruction of audit
trails. Hence access controls are particularly important to on-line processing. These controls may
include the use of passwords and specialized access control software, such as on-line monitors,
that maintains control over the menus, authorization tables, passwords, files and programs that
users are permitted to access. They may also include physical controls such as the use of key locks
on terminal devices, locked computer rooms and inactivity timeouts.
Effect of On-Line Computer Systems on the Accounting System and Related Internal Controls
The effect of an on-line computer system on the accounting system and the associated risks will
generally depend on: a. the extent to which the on-line system is being used to process accounting
applications; b. the type and significance of financial transactions being processed; and c. the
nature of files and programs the applications use. The entity's security infrastructure plays an
important part in controlling the effect of the risks created by the entity's use of an on-line
environment
Effect of On-Line Computer Systems on Audit Procedures
Generally, in a well-designed and controlled on-line computer system, it is likely that the auditors
will test general and application controls. If those controls are deemed satisfactory, the auditors
will place greater reliance on internal controls in the system when determining the nature, timing
and extent of audit procedures.
IT ENVIRONMENTS - DATABASE SYSTEMS
A database is a collection of data that is shared and used by many different users for different
purposes
Database Systems- consist principally of two components: the database and the database
management system (DBMS). Database systems interact with other hardware and software aspects
of the overall computer system. Database systems are distinguished by two important
characteristics: data sharing and data independence. These characteristics ordinarily require the
use of a data dictionary and the establishment of a data resource management
Internal Control in a Database Environment- Generally, internal control in a database environment
requires effective controls over the database, the DBMS and the applications
The effect of a database system on the accounting system and the associated risks will generally
depend on factors such as: a. the extent to which databases are being used by accounting
applications; b. the type and significance of financial transactions being processed; c. the nature
and structure of the database, the DBMS (including the data dictionary), the database
administration tasks and the applications (for example, batch or on-line update); and d. the general
and application controls that are particularly important in a database environment.
Audit procedures in a database environment will be affected principally by the extent to which the
accounting system uses the data in the database. Where significant accounting applications use a
common database, the auditors may find it cost-effective to use some of the procedures.
CIS environment exists when a computer of any type or size is involved in the processing by the
entity of financial information of significance to the audit, whether that computer is operated by
the entity or by a third party.
The overall objective and scope of an audit does not change in a CIS environment. However, the
use of a computer changes the processing and storage of financial information and may affect the
organization and procedures employed by the entity to achieve adequate internal control. The CIS
environment affects all aspects of the audit, including: • The consideration of inherent audit risks and
control risks. • The procedures followed by the auditor to obtain a sufficient understanding of the
internal control structure. • The design and performance of audit procedures by the auditor.
The auditor should have an understanding of computer hardware, software and processing system
sufficient to plan the engagement and to understand how CIS affects the study and evaluation of
internal control and application of auditing procedures including CAAT.
When the auditor delegates work to assistants or uses work performed by other auditors or experts
the auditor should have sufficient knowledge of CIS to : • Direct, supervise and review the work
of assistants with CIS skills. • Obtain the reasonable assurance that the work performed by other
auditor or experts with CIS skills is adequate for his purpose
The auditor should gather the information about the CIS environment that is relevant to the audit plan.
He should obtain information in respect of the following: • The computer hardware and
software used by the organization. • The significance and complexity of computer processing in
each significant accounting application. • Planning how, where and when the CIS function will be
reviewed, including scheduling the work of CIS experts, as applicable. • Planning auditing
procedures using CAATs. • Determining the degree of reliance to place on the CIS controls in his
overall evaluation of internal control. • The way in which the CIS function is organized and the extent
of concentration or distribution of computer processing throughout the entity. • The availability
of data, source documents, computer files and other evidence.
The auditor should acquire the knowledge of accounting system to gain an understanding of the
overall control environment and the flow of transactions. The Auditor should consider : • General
CIS controls • CIS application control
A CIS environment may affect the application of compliance and substantive procedures in several
ways. The use of CAATs may be required because of the following: • The absence of input
documents. • Generation of accounting transactions by computer programs automatically. • The
lack of a visible audit trail. • The lack of visible output.
Nature of Processing – The nature of processing in a CIS environment has certain distinguishing
features. System features that may result from the nature of CIS processing include
Absence of Input documents- Data may be entered directly in to the computer system without
supporting documents
Lack of Visible Transaction Trail- The transaction trail (audit trail) refers to the successive stages in
the recording of a transaction in the books of accounts, through which an auditor may be able to
trace accounting entries in the books back to their initiation and vice versa. In a CIS environment,
source documents of many transactions may not be available.
Lack of Visible Output- certain transactions or results of processing may not be printed or only
summary data may be printed
Ease of access to data and computer programs- Data and computer programs may be accessed and
altered at the computer or through the use of computer equipment at remote locations
Design and Procedural aspects
Consistency of performance- CIS system performs functions exactly as they are programmed. It
implies that if a computer program is correct, the information will be consistently processed
correctly
Programmed control procedure- In a CIS system, some of the internal control procedures may be
incorporated in to the computer program itself e.g. Password controls can be used for protection
of data against unauthorized access
System generated transactions- In a CIS system, certain transactions may be initiated by the system
itself without need for an input document e.g. interest may be calculated and charged to customer’s
accounts automatically
Single transaction update of multiple computer or database files- A single transaction fed into a CIS
system may automatically update all records associated with the transaction.
Vulnerability of data and program storage media- The vulnerability of CIS systems requires
extensive internal controls against theft, loss, alteration and destruction of programs and data.
The internal controls over computer processing, which help to achieve the overall objectives of
internal control can be classified as: - • Overall controls affecting CIS environment (General CIS
controls) • Specific controls over accounting applications (CIS Application Controls)
General CIS Controls- • Establish a framework of overall control over the CIS activities and • To
provide a reasonable level of assurance that the overall objectives of internal control are achieved
Organization and Management Controls
Application System Development and Maintenance Controls
Computer Operation Controls
System Software Controls
Data Entry and Program Controls
CIS Application Controls- The purpose of CIS application controls is to establish specific control
procedures over the accounting application in order to provide reasonable assurance that all
transactions are authorized and recorded and are processed completely, accurately and on a timely basis.
Controls over Input
Controls over Processing and computer data files
Controls over Output
Evaluation – The general CIS controls may have a pervasive effect on the processing of transactions
in application systems. If these controls are not effective, there may be a risk that misstatements
might occur and go undetected in application systems. Thus, weaknesses in general CIS controls
may preclude testing certain CIS application controls.
Auditing around the Computer - Auditing around the computer involves arriving at an audit
opinion through examining the internal control system for a computer installation and the input
and output only for application systems. On the basis of the quality of the input and output of the
application system, the auditor infers the quality of the processing carried out. Application system
processing is not examined directly. The auditor views the computer as a black box. The auditor
can usually audit around the computer when either of the following situations applies to application
systems existing in the installation: • The system is simple and batch oriented. • The system uses
generalized software that is well-tested and used widely by many installations.
Auditing through the Computer - The auditor can use the computer to test: (a) the logic and controls
existing within the system and (b) the records produced by the system. Depending upon the
complexity of the application system being audited, the approach may be fairly simple or require
extensive technical competence on the part of the auditor. There are several circumstances where
auditing through the computer must be used: • The application system processes large volumes of
input and produces large volumes of output that make extensive direct examination of the validity
of input and output difficult. • Significant parts of the internal control system are embodied in the
computer system. For example, in an online banking system a computer program may batch
transactions for individual tellers to provide control totals for reconciliation at the end of the day’s
processing. • The logic of the system is complex and there are large portions that facilitate use of
the system or efficient processing. • Because of cost-benefit considerations, there are substantial
gaps in the visible audit trail.
Computer assisted audit techniques (CAATs) are computer programs and data that the auditor
uses as part of the audit procedures to process data of audit significance contained in an entity's
information systems.
The use of CAATs may be required because: • The auditor may not be able to examine
documentary evidence because of the absence of input documents (e.g., order entry in on-line
systems) or the generation of accounting transactions by computer programs (e.g., automatic
calculation of discounts). • The auditor will not be able to follow transactions through the computerized
accounting system because of the lack of a visible audit trail; and • The lack of visible output may
necessitate access to data retained on files readable only by the computer.
CAATs allow the auditor to give access to data without dependence on the client, test the reliability
of audit software and perform audit tests more efficiently. • CAATs may be used in performing
audit procedures such as:
- Tests of details of transactions and balances, for example the use of audit software for
recalculating interest or the extraction of invoices over a certain value from computer records;
- Analytical procedures, for example, identifying inconsistencies or significant fluctuations;
- Sampling programs to extract data for audit testing;
- Reperforming calculations performed by the entity's accounting systems.
Generalized audit software (GAS)- • Audit programs are designed by computer manufacturers,
software professionals and large firms of auditors. • The functions that can be performed with GAS
include:
- Examination and review of records based on the auditor's criteria;
- Selecting and printing audit samples;
- Testing calculations and making comparisons;
- Comparing data on separate files.
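To make the CAAT and GAS uses above concrete, here is an added Python example that is not from these notes or from any audit software product. It reproduces four of the listed procedures over constructed accounting records: extracting invoices over a monetary threshold, recalculating the interest an entity's system charged, an analytical check for significant month-to-month fluctuations, and a reproducible sample selection. The record layouts, the simple-interest actual/365 convention and all figures are assumptions chosen for illustration.

```python
"""Added example (not from the notes): generalized-audit-software style
tests written in plain Python over constructed accounting records.

Field names, the interest convention (simple interest, actual/365) and all
sample values are assumptions for illustration.
"""
from decimal import Decimal, ROUND_HALF_UP
import random

# Constructed sales invoice records (amounts in the entity's currency).
INVOICES = [
    {"invoice_no": "INV-001", "customer": "C100", "amount": Decimal("1250.00")},
    {"invoice_no": "INV-002", "customer": "C101", "amount": Decimal("18500.00")},
    {"invoice_no": "INV-003", "customer": "C100", "amount": Decimal("320.50")},
    {"invoice_no": "INV-004", "customer": "C102", "amount": Decimal("99999.99")},
    {"invoice_no": "INV-005", "customer": "C103", "amount": Decimal("7400.00")},
]

# Constructed loan ledger: interest the entity's system charged for the period,
# to be recalculated from principal, annual rate and days outstanding.
LOANS = [
    {"loan_id": "L1", "principal": Decimal("100000"), "annual_rate": Decimal("0.06"),
     "days": 90, "interest_charged": Decimal("1479.45")},
    {"loan_id": "L2", "principal": Decimal("25000"), "annual_rate": Decimal("0.08"),
     "days": 30, "interest_charged": Decimal("200.00")},  # deliberately overstated
]

# Constructed monthly revenue for an analytical procedure.
MONTHLY_REVENUE = {"Jan": 100000, "Feb": 104000, "Mar": 98000, "Apr": 160000, "May": 101000}


def extract_over_threshold(invoices, threshold):
    """Test of details: pull every invoice at or above a monetary threshold."""
    return [inv for inv in invoices if inv["amount"] >= threshold]


def recalculate_interest(loans, tolerance=Decimal("0.01")):
    """Reperform the entity's interest calculation (simple interest, actual/365).

    Returns (loan_id, recalculated, charged) for every loan whose charged
    interest differs from the recalculation by more than the tolerance.
    """
    exceptions = []
    for loan in loans:
        expected = loan["principal"] * loan["annual_rate"] * loan["days"] / Decimal(365)
        expected = expected.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
        if abs(expected - loan["interest_charged"]) > tolerance:
            exceptions.append((loan["loan_id"], expected, loan["interest_charged"]))
    return exceptions


def flag_fluctuations(series, max_change=Decimal("0.25")):
    """Analytical procedure: flag months whose revenue moves by more than
    max_change (a fraction) against the previous month."""
    flagged = []
    months = list(series)
    for prev, cur in zip(months, months[1:]):
        base = Decimal(series[prev])
        change = (Decimal(series[cur]) - base) / base
        if abs(change) > max_change:
            flagged.append((cur, change))
    return flagged


def select_sample(records, size, seed):
    """Sampling program: random selection seeded so a reviewer can reperform
    the exact same selection from the same population."""
    rng = random.Random(seed)
    return rng.sample(records, size)


if __name__ == "__main__":
    print("large invoices:", [i["invoice_no"] for i in extract_over_threshold(INVOICES, Decimal("10000"))])
    print("interest exceptions:", recalculate_interest(LOANS))
    print("unusual months:", [m for m, _ in flag_fluctuations(MONTHLY_REVENUE)])
    print("sample:", [i["invoice_no"] for i in select_sample(INVOICES, 2, seed=7)])
```

Decimal is used rather than float so that recalculated interest rounds the way an accounting system does and the comparison against the ledger figure is exact to the cent; the tolerance exists only to absorb rounding differences between systems, not to hide real exceptions. Recording the sampling seed in the working papers is what makes the selection reperformable.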
