Chapter Two

Control and Audit of AIS

Overview

• An AIS is a system that collects, records, stores, and processes data to produce information for decision makers.
• Control objectives are similar regardless of the data processing methods.
• However, control policies and procedures are different because:
  - Computer processing may reduce clerical errors but increases the risk of unauthorized access.
  - Segregation of duties is achieved differently in an AIS.
  - Computers provide opportunities to enhance some controls.

Information Systems Control

• Internal controls are processes implemented to provide assurance that the following objectives are achieved:
  - Safeguard assets
  - Maintain sufficient records
  - Provide accurate and reliable information
  - Prepare financial reports according to established criteria
  - Promote and improve operational efficiency
  - Comply with management policies, laws and regulations

• Internal controls perform three important functions:
  - Preventive controls: deter problems from occurring.
  - Detective controls: discover problems that are not prevented.
  - Corrective controls: correct and recover from problems.

Application Controls (revisit)

Revenue Cycle: Sales and Cash Collections
and
Expenditure Cycle: Purchasing and Cash Disbursements

Revenue Cycle

• Selling goods and services to customers and collecting cash in payment for those sales.
• Basic revenue cycle activities:
  - Sales order entry: taking the customer's order, checking and approving the customer's credit, and checking inventory availability.
  - Shipping: picking and packing the order, and shipping the order.
  - Billing and accounts receivable: billing customers and updating accounts receivable.
  - Cash collections: handling customer remittances and depositing them in the bank.

• The AIS provides adequate controls to ensure:
  - Transactions are properly authorized.
  - Recorded transactions are valid.
• Control objectives:
  - Valid and authorized transactions are recorded.
  - Transactions are recorded accurately.
  - Assets are safeguarded from loss or theft.
  - Business activities are performed efficiently and effectively.

Threats & Applicable Control Procedures to Sales Order Entry

Threat                                      Applicable control procedures
------------------------------------------  ------------------------------------------------------
Incomplete/inaccurate customer orders       Data entry edit checks
Credit sales to customers with poor         Credit approval by credit manager;
credit history                              accurate records of customer account balances
Legitimacy of orders                        Signatures on paper documents;
                                            digital signatures & digital certificates for e-business
Stock outs                                  Inventory control systems
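As an added example (not part of the slides), the sales order entry controls in the table above written out in Python: data entry edit checks for completeness and validity, a credit check against the customer's recorded balance and credit limit, and an inventory availability check. The CUSTOMERS and INVENTORY master files, the field names and all values are constructed assumptions.

```python
"""Sales order entry edit checks (added example; not from the slides).

Implements the controls listed above for sales order entry: completeness and
validity edit checks on the order data, a credit check against the customer's
recorded balance and credit limit, and an inventory availability check.
CUSTOMERS and INVENTORY are constructed master files; all names are assumptions.
"""
from dataclasses import dataclass, field

# Constructed customer master file: id -> credit limit and current A/R balance.
CUSTOMERS = {
    "C001": {"name": "Acme Ltd", "credit_limit": 5000.00, "balance": 4200.00},
    "C002": {"name": "Beta Co", "credit_limit": 1000.00, "balance": 0.00},
}
# Constructed inventory master file: item -> (unit price, quantity on hand).
INVENTORY = {
    "I100": (25.00, 40),
    "I200": (90.00, 3),
}


@dataclass
class OrderLine:
    item: str
    quantity: int


@dataclass
class SalesOrder:
    order_id: str
    customer_id: str
    lines: list = field(default_factory=list)


def edit_checks(order: SalesOrder) -> list:
    """Return the control exceptions for an order; an empty list means it passes."""
    exceptions = []

    # Completeness checks: required fields and at least one order line.
    if not order.order_id:
        exceptions.append("missing order id")
    if not order.lines:
        exceptions.append("order has no lines")

    # Validity check: the customer must exist in the customer master file.
    customer = CUSTOMERS.get(order.customer_id)
    if customer is None:
        exceptions.append(f"unknown customer {order.customer_id!r}")

    order_total = 0.0
    for n, line in enumerate(order.lines, start=1):
        # Validity check on the item number.
        if line.item not in INVENTORY:
            exceptions.append(f"line {n}: unknown item {line.item!r}")
            continue
        # Field, sign and range check: quantity must be a positive integer.
        if not isinstance(line.quantity, int) or line.quantity <= 0:
            exceptions.append(f"line {n}: invalid quantity {line.quantity!r}")
            continue
        price, on_hand = INVENTORY[line.item]
        # Inventory availability check (stock-out threat).
        if line.quantity > on_hand:
            exceptions.append(f"line {n}: only {on_hand} of {line.item} on hand")
        order_total += price * line.quantity

    # Credit check: the order plus the open balance must stay within the limit,
    # otherwise the order is routed to the credit manager for approval.
    if customer is not None and customer["balance"] + order_total > customer["credit_limit"]:
        exceptions.append("order exceeds credit limit; refer to credit manager")

    return exceptions
```

Each check appends a named exception rather than rejecting the order outright, so the entry clerk sees every problem at once and the credit exception can be routed to the credit manager as the table requires.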

Threats & Applicable Control Procedures to Shipping

Threat                                      Applicable control procedures
------------------------------------------  ------------------------------------------------------
1. Shipping errors:                         Reconciliation of sales order with picking ticket
   • Wrong merchandise                      and packing slip; bar code scanners;
   • Wrong quantities                       data entry controls
   • Wrong address
2. Theft of inventory                       Restrict physical access to inventory;
                                            documentation of all internal transfers of inventory;
                                            periodic physical counts of inventory and
                                            reconciliation with recorded amounts

Threats and Control Procedures to Billing & A/R

Threat                                      Applicable control procedures
------------------------------------------  ------------------------------------------------------
1. Failure to bill customers                Separation of shipping & billing functions;
                                            pre-numbering of shipping documents and periodic
                                            reconciliation to invoices;
                                            reconciliation of picking tickets and bills of
                                            lading with sales orders
2. Billing errors                           Data entry edit controls; price lists
3. Posting errors in updating A/R           Reconciliation of subsidiary A/R ledger with
                                            general ledger; monthly statements to customers

Threats and Control Procedures to Cash Collections

Threat                                      Applicable control procedures
------------------------------------------  ------------------------------------------------------
1. Theft of cash                            Segregation of duties;
                                            minimization of cash handling;
                                            lockbox arrangements;
                                            prompt endorsement and deposit of all receipts;
                                            periodic reconciliation of bank statement

General Control Issues in the Revenue Cycle

Threat                                      Applicable control procedures
------------------------------------------  ------------------------------------------------------
1. Loss of data                             Backup and disaster recovery procedures;
                                            access controls (physical and logical)
2. Poor performance                         Preparation and review of performance reports

Expenditure Cycle

• The recurring set of business activities and related data processing operations associated with purchasing and paying for goods and services.
• Basic activities in the expenditure cycle:
  1. Ordering goods and services
  2. Receiving and storing goods and services
  3. Paying for goods and services

• The AIS must provide the operational information needed to perform the following functions:
  - Determine when and how much additional inventory to order.
  - Select the appropriate vendors from whom to order.
  - Verify the accuracy of vendor invoices.
  - Decide whether purchase discounts should be taken.
  - Monitor cash flow needs to pay outstanding obligations.

Threats & Control in Expenditure Cycle

Threats:
• Stock outs
• Purchasing unnecessary goods, at inflated prices, of inferior quality, or from unauthorized vendors
• Kickbacks (or bribes)
• Receiving unordered goods
• Errors in counting goods
• Theft of inventory
• Failure to take available purchasing discounts
• Errors in recording and posting purchases and payments
• Loss of data

Control procedures:
• Inventory control system
• Vendor performance analysis
• Purchase requisition & order approval
• Restricted access to blank purchase requisitions
• Price list consultation
• Budgetary controls
• Use of approved vendor lists
• Pre-numbered purchase orders
• Prohibition of gifts from vendors
• Incentives to count all deliveries
• Physical access control
• Recheck of invoice accuracy

Fraud and Computers

• Computer fraud includes the theft, misuse, or misappropriation of:
  - Assets, by altering computer-readable records and files.
  - Assets, by altering the logic of computer software.
  - Computer hardware and software.

Potential areas of risk in AIS

Data Collection
• The simplest stage at which to perpetrate a computer fraud, as it only requires understanding the system and its control weaknesses.
• The fraudulent act involves entering falsified data into the system. For example:
  - To commit a payroll fraud, the perpetrator may insert a fraudulent payroll transaction along with other legitimate transactions.
• Thus, it should be ensured that the transaction data entered into the system are valid, complete, and free from material errors.

Data Processing
• Data processing frauds fall into two classes: program fraud and operations fraud.
• Program fraud techniques:
  - Creating illegal programs that can access data files to alter, delete, or insert values into accounting records;
  - Destroying or corrupting a program's logic using a computer virus; or
  - Altering program logic to cause the application to process data incorrectly.

• Operations fraud is the misuse or theft of computer resources.
  - Example: using the firm's computer for personal business.

Database Management
• DBM fraud includes altering, deleting, corrupting, destroying, or stealing an organization's data.
• A common fraud technique is accessing the database from a remote site and browsing for useful information that can be copied and sold to competitors.
• Disgruntled employees may try to destroy company data files simply to harm the organization.

Information Generation
• It is the process of compiling, arranging, formatting, and presenting information to users.
• A common fraud at this stage is stealing, misdirecting, or misusing computer output.

Auditing of Computer-based IS

• IS auditors should review the controls in the AIS to ensure its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.

Audit Objective
• To verify that the IS function is structured so that individuals in incompatible areas are segregated.
• IS auditors should ascertain that:
  - Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.
  - Program development & acquisition is performed in accordance with management's authorization.

  - Program modifications have the authorization and approval of management.
  - Processing of transactions, files, reports, and other computer records is accurate and complete.
  - Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
  - Computer data files are accurate, complete, and confidential.
• Recommend to management how IS controls can be improved.

Audit Procedures:
• Review relevant documentation to verify whether individuals are performing incompatible functions.
• Review system documentation and maintenance records to verify that maintenance programmers are not the original design programmers.
• Verify that computer operators do not have access to the operational details of the system's internal logic or to systems documentation.
• Determine through observation that the segregation policy is being followed in practice.

• Auditing of computer-based IS covers both:
  - the Computer Center, and
  - Operating Systems.

Computer Center
• The auditor should examine the physical environment of the computer center to:
  - identify risks and check for controls,
  - mitigate risks, and
  - create a secure computer environment.
• Audit areas include:
  - Physical location: where should the computer center be located?
  - Construction: a soundly constructed building

  - Access: limited to authorized personnel only
  - Air conditioning: the room's air must be conditioned with AC
  - Fire suppression: automatic and manual alarms connected to fire-fighting stations
  - Fault tolerance: continue operation when part of the system fails. Example: uninterruptible power supplies (UPS)

Operating Systems
• A set of programs that controls the way a computer works and runs other programs.
• If the system's integrity is compromised, controls within individual applications may also be neutralized.
• The operating system must achieve five control objectives:
  - It must protect itself from users.
    - Users may attempt to gain control of and destroy its components.
  - It must protect users from each other.
    - Users may attempt to access others' workspace and attempt to destroy or corrupt data.

  - It must protect users from themselves.
    - Applications are made of a set of modules that may compete with and corrupt the application.
  - It must protect itself from itself.
    - The OS is made of multiple modules that may compete with and destroy each other.
  - It must protect itself from the environment.
    - The OS may be affected by incidents such as power failure.

OS Security Components
1. Log-on procedure
  - Use of an ID and password.
2. Access token
  - If the log-on succeeds, the OS creates an access token (sign).
  - The access token contains key information about the user: ID, password, user group, and privileges granted.
  - The access token is used to approve all actions the user attempts during the session.

3. Access control list
  - A list containing information that defines the access privileges for all valid users and for IT resources (disk drives, data files, programs, or printers).
  - Access is granted if the ID and privileges defined in the access token match those in the access control list.
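The three components above, as an added Python example that is not part of the slides: a log-on procedure that checks an ID and password and issues an access token carrying the user's ID, groups and privileges, and an access control list per resource against which the token is checked on every action. The USERS, GROUP_PRIVILEGES and ACL data are constructed, and hashing the stored passwords with PBKDF2 is an assumption (the slides only require that the password file be encrypted).

```python
"""Log-on, access token and access control list (added example; not from the slides).

Models the three OS security components described above: a log-on procedure
that checks an ID and password and issues an access token carrying the user's
ID, groups and privileges; and an access control list per resource against
which the token is checked on every action.  USERS, GROUP_PRIVILEGES and ACL
are constructed sample data; the password hashing is an assumption.
"""
import hashlib
import hmac
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the user file never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = b"constructed-salt"
# Constructed user file: id -> (salt, password hash, group memberships).
USERS = {
    "alice": (_SALT, _hash("correct horse battery", _SALT), {"payroll_clerks"}),
    "bob": (_SALT, _hash("hunter2-example", _SALT), {"operators"}),
}
# Privileges granted to each group (constructed).
GROUP_PRIVILEGES = {
    "payroll_clerks": {"read", "write"},
    "operators": {"read", "print"},
}
# Constructed access control list: resource -> {principal: permitted actions}.
# A principal is a user ID or a group name.
ACL = {
    "payroll.dat": {"payroll_clerks": {"read", "write"}, "operators": set()},
    "printer1": {"operators": {"print"}, "alice": {"print"}},
}


@dataclass(frozen=True)
class AccessToken:
    user_id: str
    groups: frozenset
    privileges: frozenset


def log_on(user_id: str, password: str):
    """The log-on procedure: return an access token on success, None on failure."""
    record = USERS.get(user_id)
    if record is None:
        return None
    salt, stored_hash, groups = record
    if not hmac.compare_digest(stored_hash, _hash(password, salt)):
        return None
    privileges = set()
    for group in groups:
        privileges |= GROUP_PRIVILEGES.get(group, set())
    return AccessToken(user_id, frozenset(groups), frozenset(privileges))


def authorize(token, resource: str, action: str) -> bool:
    """Grant the action only when an ACL entry for the token's ID or one of its
    groups permits it AND the token itself carries that privilege."""
    if token is None:
        return False
    entries = ACL.get(resource, {})
    principals = {token.user_id, *token.groups}
    acl_allows = any(action in entries.get(p, set()) for p in principals)
    return acl_allows and action in token.privileges
```

Note that alice is named on the printer's ACL yet is denied "print": her token carries no print privilege, so the two sides do not match, which is the point of checking the token against the list on every action rather than trusting either alone.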

• Threats to OS integrity
  - Accidental: disk failures, OS crashes, memory dumps
  - Intentional: illegal access, destructive programs
• Operating system controls and audit tests
  - The design of OS security controls must be assessed, covering:
    - Access privileges,
    - Password control,
    - Virus control, and
    - Audit trail control.

Access privileges
• Audit objective:
  - Verify that access privileges are granted in a manner consistent with the need to separate incompatible functions.
• Audit procedures:
  - Review the organization's policy for separating incompatible functions and ensure that it promotes reasonable security.
  - Review the privileges of selected users to determine whether their access rights are appropriate for their job descriptions.

  - Review personnel records to determine whether privileged employees pass through a security clearance check in compliance with company policies.
  - Review each user's permitted log-on times. Permissions should be appropriate to the tasks being performed.
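As an added example (not part of the slides), two of the access privilege audit procedures above carried out in Python over constructed records: each user's granted privileges are compared with an incompatible-functions list and with the job description, and the permitted log-on window is compared with the window the job needs. The function names, jobs, windows and user records are all assumptions.

```python
"""Access privilege review (added example; not from the slides).

Implements two of the audit procedures listed above over constructed records:
(1) compare each user's granted privileges with the organization's list of
incompatible functions and with the user's job description, and (2) check that
the user's permitted log-on window is no wider than the job requires.  The
function names, jobs, windows and user records are all assumptions.
"""
from datetime import time

# Constructed policy: pairs of functions one person must never hold together.
INCOMPATIBLE = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_sales_order", "approve_credit"}),
    frozenset({"develop_programs", "operate_production"}),
}
# Constructed job descriptions: job -> privileges the job legitimately needs.
JOB_PRIVILEGES = {
    "AP clerk": {"create_vendor", "enter_invoice"},
    "Treasurer": {"approve_payment"},
    "Sales clerk": {"enter_sales_order"},
    "Operator": {"operate_production"},
}
ALL_DAY = (time(0, 0), time(23, 59))
# Constructed log-on windows (start, end) appropriate to each job.
JOB_LOGON_WINDOW = {
    "AP clerk": (time(8, 0), time(18, 0)),
    "Treasurer": (time(8, 0), time(18, 0)),
    "Sales clerk": (time(7, 0), time(22, 0)),
    "Operator": ALL_DAY,
}

# Constructed user records as pulled from the access control system.
USERS = [
    {"id": "u1", "job": "AP clerk", "privileges": {"create_vendor", "enter_invoice"},
     "logon_window": (time(8, 0), time(17, 0))},
    {"id": "u2", "job": "AP clerk", "privileges": {"create_vendor", "approve_payment"},
     "logon_window": (time(8, 0), time(17, 0))},
    {"id": "u3", "job": "Sales clerk", "privileges": {"enter_sales_order"},
     "logon_window": ALL_DAY},
]


def review_user(user: dict) -> list:
    """Return the audit findings for one user record (empty list = no exception)."""
    findings = []
    privs = set(user["privileges"])
    # Segregation of duties: does this one person hold an incompatible pair?
    for pair in sorted(INCOMPATIBLE, key=sorted):
        if pair <= privs:
            findings.append(f"{user['id']}: holds incompatible functions {sorted(pair)}")
    # Privileges beyond what the job description justifies.
    excess = privs - JOB_PRIVILEGES.get(user["job"], set())
    if excess:
        findings.append(f"{user['id']}: privileges not in job description: {sorted(excess)}")
    # Permitted log-on times wider than the job's window.
    start, end = user["logon_window"]
    job_start, job_end = JOB_LOGON_WINDOW.get(user["job"], ALL_DAY)
    if start < job_start or end > job_end:
        findings.append(f"{user['id']}: log-on window {start}-{end} exceeds job window {job_start}-{job_end}")
    return findings


def review_all(users) -> dict:
    """Map user id -> findings for every user with at least one finding."""
    report = {}
    for user in users:
        findings = review_user(user)
        if findings:
            report[user["id"]] = findings
    return report
```

The incompatible-functions list is deliberately separate from the job descriptions: a user can hold only job-approved privileges and still breach segregation if the job itself was defined badly, so the auditor checks both.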

Password Control
• Audit objective:
  - Ensure that there is an adequate and effective password policy.
• Audit procedures:
  - Verify that all users are required to have passwords.
  - Verify that new users are instructed in the use of passwords.
  - Review password control procedures to ensure that passwords are changed regularly.
  - Review the password file to determine that weak passwords are identified and disallowed.

  - Verify that the password file is encrypted and the encryption key is properly secured.
  - Assess the adequacy of password standards such as length and expiration interval.
  - Review the account lockout policy and procedures: the number of failures and the duration of lockouts.
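The password control procedures above, as an added Python example that is not part of the slides: a constructed account file is checked for accounts with no password, passwords stored in plaintext, passwords on a weak-password list and passwords older than the expiration interval, and the system's password and lockout settings are compared with an assumed organisational standard. The field names, dates, the STANDARD values and the SYSTEM_CONFIG values are all assumptions.

```python
"""Password control audit checks (added example; not from the slides).

Runs the audit procedures listed above over a constructed account file and the
system's constructed password settings, comparing both with an assumed password
standard.  Because a password file should hold only hashes, the weak-password
check hashes a small denylist and looks for matching hashes; it never needs the
plaintext.  Field names, dates and the standard's values are assumptions.
"""
import hashlib
from datetime import date

# Assumed organisational password standard.
STANDARD = {"min_length": 12, "max_age_days": 90, "lockout_failures": 5, "lockout_minutes": 30}
# Constructed denylist of known-weak passwords.
WEAK_PASSWORDS = ["password", "123456", "welcome1"]


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def looks_hashed(value: str) -> bool:
    """True when the stored value is a 64-character hex digest rather than plaintext."""
    return len(value) == 64 and all(c in "0123456789abcdef" for c in value)


# Constructed account file (unsalted hashes kept short for the example; a real
# password file should salt every hash).
ACCOUNTS = [
    {"user": "alice", "pw_hash": sha256_hex("a-long-constructed-passphrase"), "last_changed": date(2024, 1, 5)},
    {"user": "bob", "pw_hash": sha256_hex("password"), "last_changed": date(2023, 6, 1)},
    {"user": "svc1", "pw_hash": None, "last_changed": None},
    {"user": "carol", "pw_hash": "letmein", "last_changed": date(2024, 2, 1)},
]
# Constructed settings actually found on the system.
SYSTEM_CONFIG = {"min_length": 8, "max_age_days": 90, "lockout_failures": 10, "lockout_minutes": 15}


def audit_accounts(accounts, today: date) -> list:
    """Findings per account: no password, plaintext storage, weak password, stale password."""
    weak_hashes = {sha256_hex(p) for p in WEAK_PASSWORDS}
    findings = []
    for a in accounts:
        user = a["user"]
        if not a["pw_hash"]:
            findings.append(f"{user}: no password set")
            continue
        if not looks_hashed(a["pw_hash"]):
            findings.append(f"{user}: password not stored as a hash")
        elif a["pw_hash"] in weak_hashes:
            findings.append(f"{user}: password is on the weak-password list")
        age_days = (today - a["last_changed"]).days
        if age_days > STANDARD["max_age_days"]:
            findings.append(f"{user}: password age {age_days} days exceeds {STANDARD['max_age_days']}")
    return findings


def audit_policy_config(config) -> list:
    """Findings where the system's settings are weaker than the standard."""
    findings = []
    if config["min_length"] < STANDARD["min_length"]:
        findings.append(f"minimum length {config['min_length']} below standard {STANDARD['min_length']}")
    if config["max_age_days"] > STANDARD["max_age_days"]:
        findings.append(f"expiration {config['max_age_days']} days exceeds standard {STANDARD['max_age_days']}")
    if config["lockout_failures"] > STANDARD["lockout_failures"]:
        findings.append(f"lockout after {config['lockout_failures']} failures exceeds standard {STANDARD['lockout_failures']}")
    if config["lockout_minutes"] < STANDARD["lockout_minutes"]:
        findings.append(f"lockout duration {config['lockout_minutes']} min below standard {STANDARD['lockout_minutes']}")
    return findings
```

Password length cannot be read back from a hash, so the length standard is checked against the system's configured minimum rather than against the account file; the same holds for the expiration and lockout settings.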

Virus control
• Audit objective:
  - Verify that effective policies and procedures are in place to prevent destructive programs such as viruses.
• Audit procedures:
  - Determine through interviews that operations personnel have been educated about computer viruses and are aware of risky computing practices.
  - Verify that new software is tested on standalone workstations prior to being implemented on the host.
  - Verify that the current version of antivirus software is installed on the server and is upgraded regularly.

Audit trail control
• A detailed record of activity at the system, application, and user level.
• Audit objective:
  - Ensure that the established audit trail system is adequate for preventing and detecting abuses, reconstructing key events, and planning resource allocation.

• Audit procedures:
  - Verify that the audit trail has been activated according to organization policy.
  - Review audit trail logs to evaluate failed log-in attempts by unauthorized or terminated users.
  - Evaluate the effectiveness of the security group in handling security violation cases by taking samples.
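As an added example (not part of the slides), the first two audit trail procedures above run in Python over a constructed log: the review confirms the trail was active over the period (largest silent gap between events), lists failed log-on attempts by terminated or unknown users, and flags accounts with repeated failures. The log format, the user lists and the failure threshold are assumptions.

```python
"""Audit trail review (added example; not from the slides).

Parses a constructed system log and applies the audit procedures listed above:
confirms the audit trail was active over the reviewed period (largest gap
between events), lists failed log-on attempts by terminated or unknown users,
and flags accounts with repeated failures.  The log format, user lists and
threshold are assumptions.
"""
from collections import Counter
from datetime import datetime

ACTIVE_USERS = {"alice", "bob"}
TERMINATED_USERS = {"carol"}
FAILURE_THRESHOLD = 3  # repeated-failure threshold, assumed

# Constructed audit trail: "<timestamp> <user> <event> <result>".
SAMPLE_LOG = """\
2024-03-01T08:02:11 alice LOGON SUCCESS
2024-03-01T08:05:40 carol LOGON FAILURE
2024-03-01T08:05:52 carol LOGON FAILURE
2024-03-01T09:10:03 mallory LOGON FAILURE
2024-03-01T09:11:00 bob LOGON FAILURE
2024-03-01T09:11:09 bob LOGON FAILURE
2024-03-01T09:11:20 bob LOGON FAILURE
2024-03-01T09:11:31 bob LOGON SUCCESS
2024-03-01T10:00:00 alice FILE_READ payroll.dat
"""


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, user, event, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "result": result})
    return events


def review(events: list) -> dict:
    """Apply the audit trail procedures to a list of parsed events."""
    events = sorted(events, key=lambda e: e["ts"])
    failed = [e for e in events if e["event"] == "LOGON" and e["result"] == "FAILURE"]
    failures_by_user = Counter(e["user"] for e in failed)
    known = ACTIVE_USERS | TERMINATED_USERS
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    return {
        # An empty trail, or long silent stretches, suggests logging was switched off.
        "trail_active": bool(events),
        "largest_gap_seconds": int(max(gaps)) if gaps else None,
        "terminated_user_attempts": sorted({e["user"] for e in failed if e["user"] in TERMINATED_USERS}),
        "unknown_user_attempts": sorted({e["user"] for e in failed if e["user"] not in known}),
        "repeated_failures": {u: n for u, n in failures_by_user.items() if n >= FAILURE_THRESHOLD},
    }
```

The terminated-user list is the link between the HR records and the log: a failed log-on by a terminated account is evidence either that the account was not disabled on time or that someone else is using it, and both are exceptions the auditor samples.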