AUDITING IN CIS ENVIRONMENT FINANCIAL AUDIT COMPONENTS
(Chapter 1)
AUDITING AND INTERNAL CONTROL
OVERVIEW OF AUDITING
EXTERNAL (FINANCIAL) AUDITS – an
independent attestation performed by an expert (the
auditor) who expresses an opinion regarding the
presentation of financial statements.
 Attest Service – task, performed by CPA who work
for public accounting firms that are independent of
the client organization being audited.
 Independence – the independent auditor collects
and evaluates evidence and renders an opinion based
on the evidence.
 Sarbanes-Oxley Act of 2002 – strict rules that
external auditors must follow in conducting financial
audits.
ATTEST SERVICE VS. ADVISORY SERVICES
 Attest Service – an engagement in which a
practitioner is engaged to issue, or does issue, a
written communication that expresses a conclusion
about the reliability of a written assertion that is the
responsibility of another party.
 Advisory Service – are professional services offered
by the public accounting firms to improve their
client organizations' operational efficiency and
effectiveness.
INTERNAL AUDITS – is typically conducted by
auditors who work for the organization, but this task
may be outsourced to other organization.
 Internal Auditing – an independent appraisal
function established within organization to examine
and evaluate its activities as a service to the
organization.
EXTERNAL VS. INTERNAL AUDITORS
External Auditors – represent outsiders
Internal Auditors – represent the interest of the
organization.
FRAUD AUDITS – they have been thrust into
prominence by a corporate environment in which both
employee theft of assets and major financial frauds by
management.
Objective: to investigate anomalies and gather evidence
of fraud that may lead to criminal conviction.
THE ROLE OF AUDIT COMMITTEE
Audit Committee – is a committee of an organization’s
board of directors.
 They are responsible for oversight of the financial
reporting process, selection of the independent
auditor, and receipt of audit results both internal and
external.
The product of the attestation function is a formal
written report that expresses an opinion about the
reliability of the assertions contained in the financial
statements. (Generally Accepted Accounting Principles)
GENERALLY ACCEPTED AUDITING STANDARDS
General Qualification Standards
1. The auditor must have adequate technical
training and proficiency.
2. The auditor must have independence of mental
attitude.
3. The auditor must exercise due professional care
in the performance of the audit and the
preparation of the report.
Field Work Standards
1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding
of the internal control structure.
3. The auditor must obtain sufficient, competent
evidence.
Reporting Standards
1. The auditor must state in the report whether
financial statements were prepared in
accordance with generally accepted accounting
principles.
2. The report must identify those circumstances in
which generally accepted accounting principles
were not applied.
3. The report must identify any items that do not
have adequate informative disclosures.
4. The report shall contain expression of the
auditor’s opinion on the financial statements as a
whole.
 Statement on Auditing Standards – are regarded
as authoritative pronouncements.
A SYSTEMATIC PROCESS
Conducting a systematic and logical process that applies
to all forms of information systems. A systematic
approach is particularly important in the IT environment.
MANAGEMENT ASSERTIONS AND AUDIT
OBJECTIVES
 Management Assertions – are the implicit or
explicit assertions that the preparer of fs is making to
its users.
These assertions fall into five categories:
1. The existence or occurrence assertion affirms
that all assets and equities contained in the
balance sheet exist and that all transactions in
the income statement occurred.
2. The completeness assertion declares that no
material assets, equities, or transactions have
been omitted from the fs.
3. The rights and obligations assertion maintains
that assets appearing on the balance sheet are
 owned by the entity and that the liabilities
reported are obligations.
4. The valuation or allocation assertion states that
assets and equities are valued in accordance with
GAAP and that allocated amounts such as
depreciation expense are calculated on a
systematic and rational basis.
5. The presentation and disclosure assertion
alleges that fs items are correctly classified and
that footnote disclosures are adequate to avoid
misleading the users of fs.
OBTAINING EVIDENCE
This process involves gathering evidence relating to the
reliability of computer controls as well as the contents of
databases that have been processed by computer
programs.
ASCERTAINING MATERIALITY
The auditor must determine whether weaknesses in
internal controls and misstatements found in transactions
and account balances are material.
AUDIT OBJECTIVES AND AUDIT PROCEDURES
BASED ON MANAGEMENT ASSERTIONS
Management Assertion
 Existence of Occurrence
Objective: Inventories listed on the balance sheet exist.
Procedure: Observe the counting of physical inventory.
 Completeness
Objective: Accounts payable include all obligations to
vendors for the period.
Procedure: Compare receiving reports, supplier invoices,
purchase orders, and journal entries for the period and
the beginning of the next period.
 Rights and Obligations
Objective: Plant and equipment listed in the balance
sheet are owned by the entity.
Procedure: Review purchases agreements, insurance
policies, and related documents.
 Valuation or Allocation
Objective: Accounts receivable are stated at net
realizable value.
Procedure: Review entity’s aging of accounts and
evaluate the adequacy of the allowance for uncorrectable
accounts.
 Presentation and Disclosure
Objective: Contingencies not reported in financial
accounts are properly disclosed in footnotes.
Procedure: Obtain information from entity lawyers about
the status of litigation and estimates of potential loss.
COMMUNICATING RESULTS
Auditors must communicate the results of their tests to
interested users.
AUDIT RISK
The probability that the auditor will render an
unqualified (clean) opinion on financial statements that
are, in fact, materially misstated.
AUDIT RISK COMPONENTS
The auditor’s objective is to achieve a level of audit risk
that is acceptable to the auditor
Acceptable Audit Risk – estimated based on the ex-ante
value of the components of the audit risk model.
 Inherent Risk – it is associated with the unique
characteristics of the business or industry of the
client.
 Control Risk – is the likelihood that the control
structure is flawed because controls are either absent
or inadequate to prevent or detect errors in the
accounts.
 Detection Risk – is the risk that auditors are willing
to take that errors not detected or prevented by the
control structure will also not be detected by the
auditor.
AUDIT RISK MODEL
Financial auditors use the audit risk components in a
model to determine the scope, nature, and timing of
substantive tests.
AR = IR x CR x DR
The Relationship Between Tests of Controls and
Substantive Tests
These are auditing techniques used for reducing audit
risk to an acceptable level.
THE IT AUDIT
THE STRUCTURE OF AN IT AUDIT
 Audit Planning – before the auditor can determine
the nature and extent of the tests to perform, he must
gain a thorough understanding of the client’s
business.
 Test of Controls – to determine whether adequate
internal controls are in place and functioning
properly.
 Substantive Testing – detailed investigation of
specific account balances and transactions.
INTERNAL CONTROL
Organization management is required by law to establish
and maintain an adequate system of internal control.
INTERNAL CONTROL OBJECTIVES, PRINCIPLES,
AND MODELS
An organization’s internal control system comprises
policies, practices, and procedures to achieve four broad
objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of
accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s
prescribed policies and procedures.
MODIFYING PRINCIPLES
 Management Responsibility
 Methods of Data Processing
 Limitations
1. The possibility of error – no system is perfect.
2. Circumvention – personnel may circumvent the
system through collusion or other means
3. Management override – management can
override control procedures by personally
distorting transactions or by directing a
subordinate to do so.
4. Changing conditions – conditions may change
over time so that existing effective controls may
become ineffectual.
 Reasonable Assurance
UNDESIRABLE EVENTS
 Access
 Fraud
 Errors
 Mischief
THE PDC MODEL
Preventive Controls – are passive techniques designed
to reduce the frequency of occurrence of undesirable
events. (First line of defense in the control structure)
Detective Controls – are devices, techniques, and
procedures designed to identify and expose undesirable
events that elude preventive controls. (Second line of
defense)
Corrective Controls – actually fix the problem.
 Statement on Auditing Standards No. 109 – current
authoritative document for specifying internal
objectives and techniques.
COSO INTERNAL CONTROL FRAMEWORK
The Control Environment – foundation for the other
four control components. It sets the tone for the
organization and influences the control awareness of its
management and employees.
Risk Assessment – identify, analyze, and manage risks
relevant to financial reporting.
Information and Communication – the accounting
information system consists of the records and methods
used to initiate, identify, analyze, classify, and record the
organization’s transactions and to account for the related
assets and liabilities.
Monitoring – is the process by which the quality of
internal control design and operation can be assessed.
Control Activities – are the policies and procedures
used to ensure that appropriate actions are taken to deal
with the organization’s identified risks.
 Physical Controls – this class of controls relates
primarily to the human activities employed in
accounting systems.
Transaction Authorization. to ensure that all
material transactions processed by the information
system are valid and in accordance with
management’s objectives.
Segregation of Duties. one of the most important
control activities is the segregation of employee
duties to minimize incompatible functions.
Supervision. in small organizations or in functional
areas that lack sufficient personnel, management
must compensate for the absence of segregation
controls with close supervision.
Accounting Records. consist of source documents,
journals, and ledgers.
Access Control. to ensure that only authorized
personnel have access to the firm’s assets.
Independent Verification. verification procedures
are independent checks of the accounting system to
identify errors and misrepresentations.
 IT Controls – information technology drives the
financial reporting processes of modern
organizations
Application Controls. to ensure the validity,
completeness, and accuracy of financial transactions.
General Controls. they include controls over IT
governance, IT infrastructure, security and access to
operating systems and databases, application
acquisition and development, and program change
procedures.
AUDIT IMPLICATIONS OF SOX
Prior to the passage of SOX, external auditors were not
required to test internal controls as part of their attest
function. They were required to be familiar with the
client organization’s internal controls but had the option
of not relying on them and thus not performing tests of
controls.

AUDITING IN CIS ENVIRONMENT
(Chapter 2)
AUDITING IT GOVERNANCE CONTROLS
INFORMATION TECHNOLOGY GOVERNANCE
Information Technology (IT) Governance – is a
relatively new subset of corporate governance that
focuses on the management and assessment of
strategic IT resources.
IT GOVERNANCE CONTROLS
1. Organizational structure of the IT function
2. Computer center operation
3. Disaster recovery planning
STRUCTURE OF THE INFORMATION
TECHNOLOGY FUNCTION
CENTRALIZED DATA PROCESSING – all data processing
is performed by one or more large computers housed at
a central site that serves users throughout the
organization.
 Database Administration – centrally organized
companies maintain their data resources in a
central location that is shared by all end users.
 Data Processing – manages the computer resources
used to perform the dayto-day processing of
transactions. (Data Conversion, Computer
Operations, Data Library)
Data Conversion. transcribes transaction data from
hard-copy source documents into computer input.
Computer Operations. the electronic files produced
in data conversion are later processed by the
central computer, which is managed by the
computer operations groups.
Data Library. a room adjacent to the computer
center that provides safe storage for the off-line
data files.
 Systems Development Maintenance
Systems Professionals. Include system analysts,
database designers, and programmers who design
and build the system.
End Users. Are those for whom the system is built.
Stakeholders. Are individuals inside or outside the
firm who have an interest in the system but are not
end users.
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
 Separating Systems Development from Computer
Operations
 Separating Database Administration from Other
Functions
 Separating New Systems Development from
Maintenance
Inadequate Documentation. poor-quality systems
documentation is a chronic IT problem and a
significant challenge for many organizations seeking
SOX compliance.
Program Fraud. involves making unauthorized
changes to program modules for the purpose of
committing an illegal act.
 A Superior Structure for Systems Development
A DISTRIBUTED MODEL
Distributed Data Processing (DDP) – an alternative to
the centralized model.
RISK ASSOCIATED WITH DDP
 Inefficient Use of Resources
1. The risk of mismanagement of organization-
wide IT resources by end users.
2. DDP can increase the risk of operational
inefficiencies because of redundant tasks being
performed within the end-user committee.
3. The DDP environment poses a risk of
incompatible hardware and software among
end-user functions.
 Destruction of Audit Trails
 Inadequate Segregation of Duties
 Hiring Qualified Professionals
 Lack of Standards
ADVANTAGES OF DDP
 Cost Reductions
 Improved Cost Control Responsibility
 Improved User Satisfaction
 Backup Flexibility
CONTROLLING THE DDP ENVIRONMENT
 Implement a Corporate It Function
Central Testing of Commercial Software and
hardware. A central, technically astute group such
as this can evaluate systems features, controls, and
compatibility with industry and organizational
standards.
User Service. This activity provides technical help to
users during the installation of new software and in
troubleshooting hardware and software problems.
Standard Setting Body. The corporate group can
contribute to this goal by establishing and
distributing to user area
Personnel Review. The corporate group is often
better equipped than users to evaluate the
 technical credentials of prospective systems
professionals.
 Audit Objective – the corporate group is often
better equipped than users to evaluate the
technical credentials of prospective systems
professionals.
 Audit Procedures
Centralized IT Functions:
1. Review relevant documentation, including the
current organizational chart, mission statement,
and job descriptions for key functions, to
determine if individuals or groups are
performing incompatible functions.
2. Review systems documentation and
maintenance records for a sample of
applications. Verify that maintenance
programmers assigned to specific projects are
not also the original design programmers.
3. Verify that computer operators do not have
access to the operational details of a system’s
internal logic. Systems documentation, such as
systems flowcharts, logic flowcharts, and
program code listings, should not be part of the
operation’s documentation set.
4. Through observation, determine that
segregation policy is being followed in practice.
Review operations room access logs to
determine whether programmers enter the
facility for reasons other than system failures.
Distributed IT Functions:
1. Review the current organizational chart, mission
statement, and job descriptions for key
functions to determine if individuals or groups
are performing incompatible duties.
2. Verify that corporate policies and standards for
systems design, documentation, and hardware
and software acquisition are published and
provided to distributed IT units.
3. Verify that compensating controls, such as
supervision and management monitoring, are
employed when segregation of incompatible
duties is economically infeasible.
4. Review systems documentation to verify that
applications, procedures, and databases are
designed and functioning in accordance with
corporate standards.
THE COMPUTER CENTER
The objective of this section is to present computer
center risks and the controls that help to mitigate
risk and create a secure environment.
 Physical Location – the physical location of the
computer center directly affects the risk of
destruction to a natural or man-made disaster.
 Construction – a computer center should be in a
single-story building of solid construction with
controlled access.
 Access – access to the computer center should be
limited to the operators and other employees who
work there.
 Air Conditioning – computers function best in an
air-conditioned environment and providing
adequate air conditioning is often a requirement of
the vendor’s warranty.
 Fire Suppression
1. Automatic and manual alarms should be placed
in strategic locations around the installation.
These alarms should be connected to
permanently staffed fire-fighting stations.
2. There must be an automatic fire extinguishing
system that dispenses the appropriate type of
suppressant for the location.
3. Manual fire extinguishers should be placed at
strategic locations.
4. The building should be of sound construction to
withstand water damage caused by fire
suppression equipment. 5
5. Fire exits should be clearly marked and
illuminated during a fire.
 Fault Tolerance – is the ability of the system to
continue operation when part of the system fails
because of hardware failure, application program
error, or operator error.
1. Redundant arrays of independent disks (RAID)
– involves using parallel disks that contain
redundant elements of data and applications.
2. Uninterruptible power supplies – commercially
provided electrical power presents several
problems that can disrupt the computer center
operations, including total power failures,
brownouts, power fluctuations, and frequency
variations.
 Audit Objectives – to evaluate the controls
governing computer center security.
 Audit Procedures
Tests of Physical Construction. The auditor should
obtain architectural plans to determine that the
computer center is solidly built of fireproof
material.
Tests of the Fire Detection System. The auditor
should establish that fire detection and suppression
equipment, both manual and automatic, are in
place and tested regularly.
Tests of Access Control. The auditor must establish
that routine access to the computer center is
restricted to authorized employees.
Tests of Raid. Most systems that employ RAID
provide a graphical mapping of their redundant disk
storage.
Tests of the Uninterrupted Power Supply. The
computer center should perform periodic tests of
the backup power supply to ensure that it has
 sufficient capacity to run the computer and air
conditioning.
 Audit Objective – The auditor should verify that
Test for Insurance Coverage. The auditor should
management’s disaster recovery plan is adequate
annually review the organization’s insurance
and feasible for dealing with a catastrophe that
coverage on its computer hardware, software, and
could deprive the organization of its computing
physical facility
resources.
DISASTER RECOVERY PLANNING

Disasters such as earthquakes, floods, sabotage, and

even power failures can be catastrophic to an
organization’s computer center and information
systems.
Disaster Recovery Plan (DRP) – is a comprehensive
statement of all actions to be taken before, during, and
after any type of disaster.
 Identify Critical Applications
 Creating a Disaster Recovery Team
 Providing Second-Site Backup
Mutual Aid Pack. an agreement between two or
more organizations (with compatible computer
facilities) to aid each other with their data
processing needs in the event of a disaster.
Empty Shell. an arrangement wherein the company
buys or leases a building that will serve as a data
center.
Recovery Operations Center. a fully equipped
backup data center that many companies share.
Internally Provided Backup. larger organizations
with multiple data processing centers often prefer
the self-reliance that creating internal excess
capacity provides.
Backup and Off-Site Storage Procedures
All data files, applications, documentation, and supplies
needed to perform critical functions should be
automatically backed up and stored at a secure off-site
location.
Operating System Backup. Involves purchasing backup
copies of the latest software upgrades used by the
organization.
Backup Data Files. The state-of-the-art in database
backup is the remote mirrored site, which provides
complete data currency.
Backup Documentation. The system documentation for
critical applications should be backed up and stored off-
site along with the applications.
Backup Supplies and Source Documents. The
organization should create backup inventories of
supplies and source documents used in processing
critical transactions.
Testing the DPR. Tests measure the preparedness of
personnel and identify omissions or bottlenecks in the
plan.
 Audit Procedures
Site Backup. The auditor should evaluate the
adequacy of the backup site arrangement.
Critical Application Risk. The auditor should review
the list of critical applications to ensure that it is
complete.
Software Backup. The auditor should review the list
of critical applications to ensure that it is complete.
Data Backup. The auditor should verify that critical
data files are backed up in accordance with the DRP.
Backup Supplies, Documents, and Documentation.
The auditor should verify that the types and
quantities of items specified in the DRP such as
check stock, invoices, purchase orders, and any
special purpose forms exist in a secure location
Disaster Recovery Team. The auditor should verify
that members of the team are current employees
and are aware of their assigned responsibilities.
OUTSOURCING THE IT FUNCTION
IT OUTSOURCING – Include improved core business
performance, improved IT performance, and reduced IT
costs.
Core Competency Theory – an organization should
focus exclusively on its core business competencies,
while allowing outsourcing vendors to efficiently
manage the non-core areas such as the IT functions.
Common IT Assets – not unique to a particular
organization and are thus easily acquired in the
marketplace.
Specific IT Assets – unique to the organization and
support its strategic objectives.
Transaction Cost Economic (TCE) - theory conflicts with
the core competency school by suggesting that firms
should retain certain specific non–core IT assets in
house.
RISK INHERENT TO IT OUTSOURCING
 Failure to Perform – once a client firm has
outsourced specific IT assets, its performance
becomes linked to the vendor’s performance.
 Vendor Exploitation - large-scale IT outsourcing
involves transferring to a vendor “specific assets,”
such as the design, development, and maintenance
of unique business applications that are critical to
an organization’s survival.
 Outsourcing Costs Exceed Benefits - IT outsourcing
has been criticized on the grounds that unexpected
costs arise, and the full extent of expected benefits
are not realized.
 Reduced security - information outsourced to
offshore IT vendors raises unique and serious
questions regarding internal control and the
protection of sensitive personal data.
 Loss of Strategic Advantage - IT outsourcing may
affect incongruence between a firm’s IT strategic
planning and its business planning functions.

AUDIT IMPLICATIONS OF IT OUTSOURCING

Statement on Auditing Standard No. 70 (SAS 70) – is

the definitive standard by which client organizations’
auditors can gain knowledge that controls at the third-
party vendor are adequate to prevent or detect
material errors that could impact the client’s financial
statement.

AUDITING IN CIS ENVIRONMENT
(Chapter 1)
SECURITY PART I: AUDITING OPERATING
SYSTEMS AND NETWORKS
AUDITING OPERATING SYSTEMS
Operating System – is the computer’s control program.
OPERATING SYSTEM OBJECTIVES
Compilers and Interpreters – the language translator
modules of the operating system.
OPERATING SYSTEM SECURITY – involves
policies, procedures, and controls that determine who
can access the operating system, which resources they
can use, and what actions they can take.
Log-on Procedure – is the operating system’s first line
of defense against unauthorized access.
Access Token – if the log-on attempt is successful, the
operating system creates an access token that contains
key information about the user.
Access Control List – is assigned to each IT resource,
which controls access to the resources.
Discretionary Access Privileges – allows resource
owners to grant access privileges to other users.
OPERATING SYSTEM CONTROLS AND AUDIT
TESTS
Controlling Access Privileges – user access privileges
are assigned to individuals and to entire workgroups
authorized to use the system. Privileges determine which
directories, files, applications, and other resources an
individual or group may access. They also determine the
types of actions that can be taken.
Audit Objectives Relating to Access Privileges – the
auditor’s objective is to verify that access privileges are
granted in a manner that is consistent with the need to
separate incompatible functions and is in accordance
with the organization’s policy.
Audit Procedures Relating to Access Privileges
To achieve their objectives auditors may perform the
following tests of controls:
 Review the organization’s policies for separating
incompatible functions and ensure that they
promote reasonable security.
 Review the privileges of a selection of user groups
and individuals to determine if their access rights
are appropriate for their job descriptions and
positions. The auditor should verify that individuals
are granted access to data and programs based on
their need to know.
 Review personnel records to determine whether
privileged employees undergo an adequately
intensive security clearance check in compliance
with company policy.
 Review employee records to determine whether
users have formally acknowledged their
responsibility to maintain the confidentiality of
company data.
 Review the users’ permitted log-on times.
Permission should be commensurate with the tasks
being performed.
Password Control
Password – is a secret code the user enters to gain
access to systems, applications, data files, or network
server.
The most common forms of contra-security behavior
include:
 Forgetting passwords and being locked out of the
system.
 Failing to change passwords on a frequent basis.
 The Post-it syndrome, whereby passwords are
written down and displayed for others to see.
 Simplistic passwords that a computer criminal easily
anticipates.
Reusable Passwords. The most common method of
password control is the reusable password. The user
defines the password to the system once and then
reuses it to gain future access.
One-Time Passwords. The one-time password was
designed to overcome the aforementioned problems.
Audit Objectives Relating to Passwords – the auditor’s
objective here is to ensure that the organization has an
adequate and effective password policy for controlling
access to the operating system.
Auditors Procedure Relating to Passwords
Audit Procedures Relating to Passwords The auditor
may achieve this objective by performing the following
tests:
 Verify that all users are required to have passwords.
 Verify that new users are instructed in the use of
passwords and the importance of password control.
 Review password control procedures to ensure that
passwords are changed regularly.
 Review the password file to determine that weak
passwords are identified and disallowed. This may
involve using software to scan password files for
known weak passwords.
 Verify that the password file is encrypted, and that
the encryption key is properly secured.
 Assess the adequacy of password standards such as
length and expiration interval.
 Review the account lockout policy and procedures.
Controlling Against Malicious and Destructive
Programs
Malicious and destructive programs are responsible for
millions of dollars of corporate losses annually.
Audit Objective Relating to Viruses and Other
Destructive Programs
The key to computer virus control is prevention through
strict adherence to organizational policies and
procedures that guard against virus infection.
Audit Procedures Relating to Viruses and Other
Destructive Programs
 Through interviews, determine that operations
personnel have been educated about computer
viruses and are aware of the risky computing
practices that can introduce and spread viruses and
other malicious programs.
 Verify that new software is tested on standalone
workstations prior to being implemented on the
host or network server.
 Verify that the current version of antiviral software
is installed on the server and that upgrades are
regularly downloaded to workstations.
System Audit Trail Controls
System Audit Trails – are logs that records activity at
the system, application, and user level.
Keystroke Monitoring. involves recording both the
user’s keystrokes and the system’s responses.
Event Monitoring. summarizes key activities related to
system resources.
Setting Audit Trail Objectives
Detecting Unauthorized Access. can occur in real time
or after the fact.
Reconstructing Events. audit trail analysis can be used
to reconstruct the steps that led to events such as
system failures, or security violations by individuals.
Personal Accountability. audit trails can be used to
monitor user activity at the lowest level of detail.
Implementing a System Audit Trail
The information contained in audit logs is useful to
accountants in measuring the potential damage and
financial loss associated with application errors, abuse
of authority, or unauthorized access by outside
intruders.
Audit Objectives Relating to System Audit Trails
The auditor’s objective is to ensure that the established
system audit trail is adequate for preventing and
detecting abuses, reconstructing key events that
precede systems failures, and planning resource
allocation.
AUDITING NETWORKS
INTRANET RISKS
Intranets - consist of small LANs and large WANs that
may contain thousands of individual nodes.
 Interception of Network Messages – the individual
nodes on most intranets are connected to a shared
channel across which travel user IDs, passwords,
confidential e-mails, and financial data files.
 Access to Corporate Databases – intranets
connected to central corporate databases increase
the risk that an employee will view, corrupt, change,
or copy data.
 Privileged Employees – an organization’s internal
controls are typically aimed at lower-level
employees.
Reluctance to Prosecute. A factor that contributes
to computer crime is many organizations’
reluctance to prosecute the criminals.
INTERNET RISKS
 IP Spoofing - is a form of masquerading to gain
unauthorized access to a Web server and/ or to
perpetrate an unlawful act without revealing one’s
identity.
 Denial of Service Attack - is an assault on a Web
server to prevent it from servicing its legitimate
users.
SYN Flood Attack. is accomplished by not sending
the final acknowledgment to the server’s SYN-ACK
response.
Smurf Attack. involves three parties, the
perpetrator, the intermediary, and the victim.
Distributed Denial of Service. may take the form of
a SYN flood or smurf attack.
Motivational Behind Dos Attacks. may originally
have been to punish an organization with which the
perpetrator had a grievance or simply to gain
bragging rights for being able to do it.
CONTROLLING RISKS FROM SUBVERSIVE THREATS
 Firewalls - is a system that enforces access control
between two networks.

Network-level firewalls. provide efficient but low-
security access control. This type of firewall consists
of a screening router that examines the source and
destination addresses that are attached to incoming
message packets.
Application-level firewalls. provide a higher level of
customizable network security, but they add
overhead to connectivity.
 Encryption - is the conversion of data into a secret
code for storage in databases and transmission over
networks.
Private Key Encryption. Advance encryption
standard (AES) is a 128-bit encryption technique
that has become a U.S. government standard for
private key encryption.
Triple-DES encryption - is an enhancement to an
older encryption technique called the data
encryption standard (DES). Triple DES provides
considerably improved security over most single
encryption techniques.
Public Key Encryption. Public key encryption uses
two different keys: one for encoding messages and
the other for decoding them.
RSA (Rivest-Shamir-Adleman) - is a highly secure
public key cryptography method.
 Digital Signatures - is electronic authentication that
cannot be forged.
 Digital Certificate - verifying the sender’s identity
requires a digital certificate, which is issued by a
trusted third party called a certification authority
(CA).
 Message Sequence Numbering – a sequence
number is inserted in each message, and any such
attempt will become apparent at the receiving end.
 Message Transaction Log – through this all
incoming and outgoing messages, as well as
attempted (failed) access, should be recorded in a
message transaction log.
 Request -Response Technique – using this a control
message from the sender and a response from the
receiver are sent at periodic, synchronized intervals.
 Call-Back Devices - requires the dial-in user to enter
a password and be identified.
 Audit Objectives Relating to Subversive Threats -
the auditor’s objective is to verify the security and
integrity of financial transactions.
CONTROLLING RISKS FROM EQUIPMENT FAILURE
 Line Errors - the most common problem in data
communications is data loss due to this.
Echo Check. involves the receiver of the message
returning the message to the sender.
Parity Check. incorporates an extra bit (the parity
bit) into the structure of a bit string when it is
created or transmitted.
 Audit Objectives Relating to Equipment Failure
The auditor’s objective is to verify the integrity of
the electronic commerce transactions by
determining that controls are in place to detect and
correct message loss due to equipment failure.
 Audit Procedures Relating to Equipment Failure
To achieve this control objective, the auditor can
select a sample of messages from the transaction
log and examine them for garbled content caused
by line noise. The auditor should verify that all
corrupted messages were successfully
retransmitted.
AUDITING ELECTRONIC DATA INTERCHANGE (EDI)
Electronic data interchange - the foundation for a fully
automated business process called.
EDI STANDARDS
Key to EDI success is the use of a standard format for
messaging between dissimilar systems.
BENEFITS OF EDI
EDI has made considerable inroads in several industries,
including automotive, groceries, retail, health care, and
electronics.
The following are some common EDI cost savings that
justify the approach.
 Data keying. EDI reduces or even eliminates the
need for data entry.
 Error reduction. Firms using EDI see reductions in
data keying errors, human interpretation and
classification errors, and filing (lost document)
errors.
 Reduction of paper. The use of electronic envelopes
and documents drastically reduces the paper forms
in the system.
 Postage. Mailed documents are replaced with much
cheaper data transmissions.
 Automated procedures. EDI automates manual
activities associated with purchasing, sales order
processing, cash disbursements, and cash receipts.
 Inventory reduction. By ordering directly as needed
from vendors, EDI reduces the lag time that
promotes inventory accumulation.
FINANCIAL EDI
Using electronic funds transfer (EFT) for cash
disbursement and cash receipts processing is more
complicated than using EDI for purchasing and selling
activities.
EDI CONTROLS
Transaction Authorization and Validation
Both the customer and the supplier must establish that
the transaction being processed is to (or from) a valid
trading partner and is authorized.
ACCESS CONTROL
To function smoothly, EDI trading partners must permit
a degree of access to private data files that would be
forbidden in a traditional environment.
EDI Audit Trail
Weak Access Control – Security software that provides
logon procedures is available for PCs.
Inadequate Segregation of Duties – Employees in PC
environments, particularly those of small companies,
may have access to multiple applications that constitute
incompatible tasks.
Multiverse Password Control – is used to restrict
employees who are sharing the same computers to
specific directories, programs, and data files.
Risk of Theft – because of their size, PCs are objects of
theft, and the portability of laptops places them at the
highest risk.
Weak Backup Procedures - Computer failure, usually
disk failure, is the primary cause of data loss in PC
environments.

The absence of source documents in EDI transactions Risk of Virus Infection - Virus infection is one of most
eliminates the traditional audit trail and restricts the common threats to PC integrity and system availability.
ability of accountants to verify the validity,
completeness, timing, and accuracy of transactions.

Audit Objectives Relating to EDI

The auditor’s objectives are to determine that:

(1) all EDI transactions are authorized, validated, and in

compliance with the trading partner agreement.

(2) no unauthorized organizations gain access to

database records.

(3) authorized trading partners have access only to

approved data.

(4) adequate controls are in place to ensure a complete

audit trail of all EDI transactions.

Audit Procedures Relating to EDI

To achieve these control objectives, the auditor may

perform the following tests of controls:

Tests of Authorization and Validation Controls. The

auditor should establish that trading partner
identification codes are verified before transactions are
processed.

Tests of Access Controls. Security over the valid trading

partner file and databases is central to the EDI control
framework.

Tests of Audit Trail Controls. The auditor should verify

that the EDI system produces a transaction log that
tracks transactions through all stages of processing.

AUDITING PC-BASED ACCOUNTING SYSTEMS

PC SYSTEMS RISKS AND CONTROLS

Operating System Weaknesses – In contrast to

mainframe systems, PCs provide only minimal security
for data files and programs contained within them.