
Auditing: Software System Auditing

Audit
Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit
An audit is an evaluation of a person, organization, system, process, enterprise, project or product.

The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, and energy conservation.

IT/IS Audit
The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.
An Information Technology audit, or Information Systems audit, is an examination of the management controls within an IT infrastructure.

IT/IS Audit
The evaluation of obtained evidence determines if the Information Systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.
These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

IT/IS Audit
Information Systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance.

While there is no single universal definition of IS audit, we can define it as: the process of collecting and evaluating evidence to determine whether a computer system (Information System) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.

Software Audit
Software audits provide an independent evaluation of software products or processes to ascertain compliance to standards, specifications, and procedures, based on objective criteria that include documents that specify:
- The form or content of the product to be produced.
- The process by which the products shall be produced.
- How compliance to standards or guidelines shall be measured.

Software Audit
Software audits include checking software products and processes to verify that they comply with the applicable procedures and standards.

Categories of Software Audits

Software audits can be categorized as:
- A software licensing audit, where use of the software is audited for license compliance
- A software quality assurance audit, where a piece of software is audited for quality
- A software audit review, where a group of people external to a software development organization examines a software product
- A physical configuration audit
- A functional configuration audit

Need for IS Control & Audit

- Reliance on computer systems
- Survival of organization
- Costs of data loss
- Costs of errors
- Inability to function
- Possibility of incorrect decisions

Need for IS Control & Audit

- Security & abuse, from inside & outside: hacking, viruses, access
- Destruction & theft of assets
- Modification of assets
- Disruption of operations
- Unauthorized use of assets
- Physical harm
- Privacy violations

What triggers an audit?

- Quality Assurance Plan (event, date)
- Requests from management
- Requests from developers
- Requests from customers
- Integration with process improvement activities
- Outside requirements (regulatory)
- Gut feeling

IT audits are also known as "Automated Data Processing (ADP) audits" and "Computer Audits". They were formerly called Electronic Data Processing (EDP) audits.
Sometimes IS Auditing has another objective, namely ensuring that an organization complies with some regulation, rule, or condition. IS Auditing is conceived as being a force that enables organizations to better achieve four major objectives.

Objectives of IT/IS Audit

IT/IS Audit:
- Improved Data Integrity
- Safeguarding of Assets
- Improved System Effectiveness
- Improved System Efficiency

Source: Ron Weber

Asset Safeguarding Objectives

The IS assets of an organization include:
- Hardware
- Software
- Facilities
- People (knowledge)
- Data files
- System documentation
- Supplies

Like all assets they must be protected by a system of internal control.

Data integrity objectives

Data integrity is a fundamental concept in IS auditing. It is a state implying that data has certain attributes: Completeness, Soundness, Purity and Veracity.
If data integrity is not maintained, an organization no longer has a true representation of itself or of events. Moreover, if the integrity of an organization's data is low, it could suffer from loss of competitive advantage.

Three major factors affect the value of a data item to an organization:
1. The value of the information content of the data item for individual decision makers
2. The extent to which the data item is shared among decision makers
3. The value of the data item to competitors

Purpose of IT Audit
An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the system's internal control design and effectiveness.
This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.

Types of Information System Audits

Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:
- Technological Innovation Process Audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.

Types of Information System Audits

- Innovative Comparison Audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
- Technological Position Audit. This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".

Types of Information System Audits

Others describe the spectrum of IT audits with five categories of audits:
1. Systems and Applications.
2. Information Processing Facilities.
3. Systems Development.
4. Management of IT and Enterprise Architecture.
5. Client/Server, Telecommunications, Intranets, and Extranets.

Types of Information System Audits

- Systems and Applications: An audit to verify that systems and applications are appropriate, efficient, and adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
- Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
- Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.

Types of Information System Audits

- Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
- Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.

Elements of IT/IS Audit

1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity

What Tools do IT Auditors require?

Audit Process

Audit: Main Steps

- Initial Review: A preliminary investigation by the auditors to determine how the audit should be conducted.
- Controls Review: Detailed controls are appraised both in their necessity and presence.
- Compliance Testing: Determines whether controls actually exist and function as specified in the documentation.
- Substantive Testing: Determines whether the system data actually represents reality.

Internal vs External Audit

The audit function can be performed internally or externally.
- Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and help ensure conformance with managerial policies.
- External audit is an audit conducted by an individual of a firm that is independent of the company being audited.

Internal Audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Audit
Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice.

Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

Scope of Internal Audit

The scope of internal auditing within an organization is broad and may involve topics such as:
- Efficacy of operations.
- Reliability of financial reporting.
- Deterring and investigating fraud.
- Safeguarding assets, and
- Compliance with laws and regulations.

Scope of Internal Audit

Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities.
As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.

Scope of Internal Audit

Publicly traded corporations typically have an Internal Auditing Department, led by a Chief Audit Executive (CAE) who generally reports to the Audit Committee of the Board of Directors, with administrative reporting to the Chief Executive Officer.

Internal Audit Reporting Structure

CEO / Board Audit Committee
  Head of Audit Dept
    Head of IT Audit
      IT Audit Team Members
    Head of Non-IT Audit
      Non-IT Audit Team Members

Role of Internal Audit in Risk Management

Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's risk management processes.
Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to the risks that could potentially impact its ability to realize its objectives.

Motivation for Control & Audit

- Major business fraud cases
  - Enron
  - Worldcom
- The "Didn't know these things were happening" syndrome
- Comprehensive ethical/control programs do matter to corporate stakeholders
- Need for ethical/control standards
- Internal reporting process
- Highest level responsibility

Objectives of Audit and Control

- Need to control & audit information systems
- IS AUDITING = collecting & evaluating evidence to determine if a system accomplishes its organizational tasks effectively & efficiently
- Understanding the organization & environment
- Understanding systems, EDP in particular
- Understanding the control approach
- Control: a system that prevents, detects, or corrects unlawful, undesirable or improper events

The Auditing Environment

External vs. Internal auditors
- External auditors provide increased assurance of:
  - Fairness of financial statements
  - Frauds & irregularities
  - Ability to survive
- Internal auditors appraise and evaluate adequacy & effectiveness of controls
  - Control: a system that prevents, detects, or corrects unlawful, undesirable or improper events
  - Reporting and responsibility to Board of Directors

The Auditing Environment, continued

Types of audit procedures:
- To gain understanding of controls.
- Tests of controls.
- Substantive tests of details of transactions.
- Substantive tests of balances and overall results.
- Analytic review procedures.

Assessing Reliability
- By controls
- By transaction
- By errors

Internal Auditors
- Responsible to Board of Directors.
- An internal control function.
- Assist the organization in measurement and evaluation of:
  - Effectiveness of internal controls.
  - Achievement of organizational objectives.
  - Economics & efficiency of activities.
  - Compliance with laws and regulations.
  - Operational audits.

Internal Auditors' Scope of Work: SCARE

- Safeguarding assets.
- Compliance with policies and plans.
- Accomplishment of established objectives.
- Reliability & integrity of information.
- Economics & efficient use of resources.

External Auditors
- Responsible to stockholders and public, via Board of Directors
- Assess financial statement assertions (transactions):
  - Existence or occurrence.
  - Completeness.
  - Valuation and allocation.
  - Presentation and disclosure.
  - Rights and obligations.
- Must test compliance with laws and regulations.
- Must test for fraud and improprieties.
- Relies on internal control structure for planning of audit.

External Auditors
Audit (material misstatement) risk = product of:
- Inherent risk (assertion could be materially misstated)
- Control risk (misstatement will not be prevented or detected on a timely basis by internal controls)
- Detection risk, inversely related to control and inherent risks

Internal Controls
In auditing, Internal Control is defined as a process effected by an organization's structure, work and authority flows, people and Management Information Systems, designed to help the organization accomplish specific goals or objectives.
Internal controls are a MEANS by which an organization's resources are directed, monitored, and measured.

It plays an important role in preventing and detecting fraud and protecting the organization's resources.

Internal Controls
Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.

Internal Controls, continued

Controls are a system of activities:
- Preventive
- Detective
- Corrective

They affect reliability:
- Reduce failure probability
- Reduce expected loss in failure

Reasonable assurance, based on cost-benefit considerations

Internal Controls, continued

Internal controls can be Detective, Corrective, or Preventive by nature.
1. Detective controls are designed to detect errors or irregularities that may have occurred.
2. Corrective controls are designed to correct errors or irregularities that have been detected.
3. Preventive controls, on the other hand, are designed to keep errors or irregularities from occurring in the first place.
Internal Controls consist of five interrelated components. These are derived from the way management runs a business, and are integrated with the management process.
Although the components apply to all entities, small and mid-size companies may implement them differently than large ones. Their controls may be less formal and less structured, yet a small company can still have effective internal control. The components are:

1. Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

2. Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

3. Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

4. Information & Communication

Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting.

Information & Communication, continued

Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

5. Monitoring

Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

The Internal Controls Framework

- Separation of duties
- Delegation of authority & responsibility
- System of authorizations
- Documentation & records
- Physical control over assets & records
- Management supervision
- Independent checks
- Recruitment & training

Internal Control Objectives

Internal control objectives are desired goals or conditions for a specific event cycle which, if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur. They are conditions which we want the system of internal control to satisfy. For a control objective to be effective, compliance with it must be measurable and observable.
Internal Audit evaluates internal control by assessing the ability of individual process controls to achieve seven pre-defined control objectives. The control objectives include authorization, completeness, accuracy, validity, physical safeguards and security, error handling and segregation of duties.

Authorization
The objective is to ensure that all transactions are approved by responsible personnel in accordance with specific or general authority before the transaction is recorded.

Completeness
The objective is to ensure that no valid transactions have been omitted from the accounting records.

Accuracy
The objective is to ensure that all valid transactions are accurate, consistent with the originating transaction data, and that information is recorded in a timely manner.

Validity
The objective is to ensure that all recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization.

Physical Safeguards & Security
The objective is to ensure that access to physical assets and information systems is controlled and properly restricted to authorized personnel.

Error Handling
The objective is to ensure that errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.

Segregation of Duties
The objective is to ensure that duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing the transaction. A well designed process with appropriate internal controls should meet most, if not all, of these control objectives.

IT Controls
Information Technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met.
They are a subset of an enterprise's internal control. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise.

IT Controls
IT controls are often described in two categories:
1. IT General Controls (ITGC), and
2. IT Application Controls.
ITGC include controls over the Information Technology (IT) environment, computer operations, access to programs and data, program development and program changes. IT Application Controls refer to transaction processing controls, sometimes called "input-processing-output" controls.

The COBIT Framework (Control Objectives for Information Technology) is a widely-used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.
IT departments in organizations are often led by a Chief Information Officer (CIO), who is responsible for ensuring effective information technology controls are utilized.

ITGC
ITGC represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC usually include the following types of controls:
- Control Environment: Those controls designed to shape the corporate culture or "tone at the top". Provides the foundation for the other components. Encompasses such factors as management's philosophy and operating style.
- Change Management procedures: Controls designed to ensure changes meet business requirements and are authorized.

ITGC
- Control Activities: Consist of the policies and procedures that ensure employees carry out management's directions. Types of control activities an organization must implement are preventative controls (controls intended to stop an error from occurring), detective controls (controls intended to detect if an error has occurred), and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively).
- Information and Communication: Ensures the organization obtains pertinent information, and then communicates it throughout the organization.
- Monitoring: Reviewing the output generated by control activities and conducting special evaluations.

ITGC
- Source code/document version control procedures: controls designed to protect the integrity of program code.
- Software development life cycle standards: controls designed to ensure IT projects are effectively managed.
- Logical access policies, standards and processes: controls designed to manage access based on business need.
- Incident management policies and procedures: controls designed to address operational processing errors.
- Problem management policies and procedures: controls designed to identify and address the root cause of incidents.

ITGC
- Technical support policies and procedures: policies to help users perform more efficiently and report problems.
- Hardware/software configuration, installation, testing, management standards, policies and procedures.
- Disaster recovery/backup and recovery procedures, to enable continued processing despite adverse conditions.
- Physical security: controls to ensure the physical security of information technology from individuals and from environmental risks.

IT Application Controls
IT Application Controls or Program Controls are fully-automated controls (i.e., performed automatically by the systems) designed to ensure the complete and accurate processing of data, from input through output.
These controls vary based on the business purpose of the specific application. These controls may also help ensure the privacy and security of data transmitted between applications.

IT Application Controls
- Completeness checks: controls that ensure all records were processed from initiation to completion.
- Validity checks: controls that ensure only valid data is input or processed.
- Identification: controls that ensure all users are uniquely and irrefutably identified.
- Authentication: controls that provide an authentication mechanism in the application system.

IT Application Controls
Categories of IT application controls may include:
- Authorization: controls that ensure only approved business users have access to the application system.
- Input controls: controls that ensure the integrity of data fed from upstream sources into the application system.

IT Application Controls

Application controls may be compromised by the following application risks:
- Weak security.
- Unauthorized access to data and unauthorized remote access.
- Inaccurate information and erroneous or falsified data input.
- Misuse by authorized end users.
- Incomplete processing and/or duplicate transactions.
- Untimely processing.
- Communication system failure.
- Inadequate training and support.
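As an added illustration (not part of the lecture deck), the checker below applies the application controls listed on the preceding slides (completeness, validity, identification, authorization, input controls) together with the segregation-of-duties objective to a constructed batch of transactions, returning one finding per control failure, which is the kind of evidence a compliance test of these controls would gather. The record layout, control header (declared record count and hash total), user and account tables and all sample data are assumptions.

```python
"""Batch-level application control checks over a constructed transaction batch.
Record format, control header and reference tables are assumptions for this
example; they are not from any specific product."""
from dataclasses import dataclass
from typing import Optional

# Constructed reference data the application would normally hold (assumption).
KNOWN_USERS = {"u100", "u101", "u102", "u200"}   # identification: who may act at all
APPROVERS = {"u200"}                             # authorization: who may approve
GL_ACCOUNTS = {"1000", "2000", "4000"}           # validity: known account codes


@dataclass
class Finding:
    control: str            # control objective that failed
    record_id: Optional[int]  # sequence number of the offending record, or None for batch-level
    detail: str


def check_batch(batch: dict) -> list:
    """Return one Finding per control failure; an empty list means the batch passed.

    `batch` = {"header": {"record_count": int, "hash_total": float},
               "records": [{"seq", "amount", "account", "entered_by", "approved_by"}, ...]}
    """
    findings = []
    header, records = batch["header"], batch["records"]

    # Completeness: the declared record count must equal what was actually received.
    if header["record_count"] != len(records):
        findings.append(Finding("completeness", None,
            f"header declares {header['record_count']} records, received {len(records)}"))

    # Completeness: gaps in consecutive sequence numbers reveal dropped records,
    # duplicates reveal double-posted transactions.
    seqs = [r["seq"] for r in records]
    if seqs:
        for gap in sorted(set(range(1, max(seqs) + 1)) - set(seqs)):
            findings.append(Finding("completeness", gap, "sequence number missing from batch"))
    seen = set()
    for s in seqs:
        if s in seen:
            findings.append(Finding("completeness", s, "duplicate sequence number"))
        seen.add(s)

    # Input control: the hash total (sum of amounts) must reconcile to the header.
    total = sum(r["amount"] for r in records)
    if abs(total - header["hash_total"]) > 0.005:
        findings.append(Finding("input", None,
            f"hash total {total:.2f} does not match declared {header['hash_total']:.2f}"))

    for r in records:
        rid = r["seq"]
        # Validity: only positive amounts posted to a known account.
        if r["amount"] <= 0:
            findings.append(Finding("validity", rid, f"non-positive amount {r['amount']}"))
        if r["account"] not in GL_ACCOUNTS:
            findings.append(Finding("validity", rid, f"unknown account {r['account']}"))
        # Identification: every actor on the record is a uniquely known user.
        for role in ("entered_by", "approved_by"):
            if r[role] not in KNOWN_USERS:
                findings.append(Finding("identification", rid, f"{role}={r[role]} is not a known user"))
        # Authorization: the approver must hold approval authority.
        if r["approved_by"] not in APPROVERS:
            findings.append(Finding("authorization", rid, f"{r['approved_by']} may not approve"))
        # Segregation of duties: the recorder and the approver must be different people.
        if r["entered_by"] == r["approved_by"]:
            findings.append(Finding("segregation_of_duties", rid, "same user entered and approved"))
    return findings


def failed_controls(batch: dict) -> set:
    """Set of control names that failed at least once in the batch."""
    return {f.control for f in check_batch(batch)}


# Constructed sample batches (assumptions, not real data).
CLEAN_BATCH = {
    "header": {"record_count": 2, "hash_total": 750.00},
    "records": [
        {"seq": 1, "amount": 500.00, "account": "1000", "entered_by": "u100", "approved_by": "u200"},
        {"seq": 2, "amount": 250.00, "account": "2000", "entered_by": "u101", "approved_by": "u200"},
    ],
}
BAD_BATCH = {
    "header": {"record_count": 4, "hash_total": 1250.00},
    "records": [
        {"seq": 1, "amount": 500.00, "account": "1000", "entered_by": "u100", "approved_by": "u200"},
        {"seq": 2, "amount": 250.00, "account": "9999", "entered_by": "u101", "approved_by": "u200"},
        {"seq": 4, "amount": 300.00, "account": "2000", "entered_by": "u102", "approved_by": "u102"},
        # seq 3 never arrived, so the count and the hash total no longer reconcile
    ],
}

if __name__ == "__main__":
    for f in check_batch(BAD_BATCH):
        print(f"[{f.control}] record={f.record_id} {f.detail}")
```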

Internal Control Frameworks: COBIT

COBIT is a widely-utilized framework containing best practices for both ITGC and application controls. It consists of domains and processes.
The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities. It also recommends best practices and methods of evaluation of an enterprise's IT controls.

Internal Control Frameworks: COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
These controls need to be in place to achieve financial reporting and disclosure objectives.

Internal Control Frameworks

COBIT provides similar detailed guidance for IT, while the interrelated Val IT concentrates on higher-level IT governance and value-for-money issues.

The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate.
The four COBIT major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.

Roles and Responsibilities in Internal Controls

According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent.

Virtually all employees produce information used in the internal control system or take other actions needed to effect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions.
Each major entity in corporate governance has a particular role to play:

Management:
The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control.
More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business.
Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions.

In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.

Board of Directors:
Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive.
They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.

Auditors:
The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts.

They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal controls.
They may also review Information Technology controls, which relate to the IT systems of the organization.

Limitations of Internal Controls:

No matter how well internal controls are designed, they can only provide reasonable assurance that objectives have been achieved. Some limitations are inherent in all internal control systems. These include:
1. Judgment: The effectiveness of controls will be limited by decisions made with human judgment under pressures to conduct business based on the information at hand.
2. Breakdowns: Even well designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems.

Limitations of Internal Controls:

3. Management Override: High level personnel may be able to override prescribed policies and procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes.
4. Collusion: Control systems can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by control systems.

Limitations of Internal Controls:

Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures.
Effective internal control implies the organization generates reliable reporting and substantially complies with the laws and regulations that apply to it.

Limitations of Internal Controls:

However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation.
These factors are outside the scope of internal control; therefore, effective internal controls provide only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement.