KAS 3083: Topic 1


Overview of IS Auditing
1. The Need for Control and Audit of IS
2. Definition and objectives of IS auditing
3. Effects of computers on traditional internal control principles
4. Auditors' evidence collection & evidence evaluation functions
5. Foundations of IS auditing

Need for Control & Audit of Computers
- Computers assist organizations in processing data and providing information for decision making.
- The use of computers has to be controlled.
- There are 7 major reasons to establish a function to examine controls and audit computers.
- Organizations must control and audit computer-based IS because the costs of errors and irregularities are high.

Factors Influencing an Organization toward Control and Audit of Computers
- Organizational costs of data loss
- Costs of incorrect decision making
- Costs of computer abuse
- Value of computer hardware, software and personnel
- High costs of computer error
- Maintenance of privacy
- Controlled evolution of computer use
(Diagram: these factors all point to the organization's control and audit of computers.)

Organizational Costs of Data Loss
- Data is a resource which provides an organization with an image of itself, its environment, history and future.
- Accurate data increases an organization's ability to adapt and survive in a changing environment, but
- If the data is inaccurate, the organization will suffer significant losses.

Incorrect Decision Making
- High quality decisions require: HIGH QUALITY DATA and HIGH QUALITY DECISION RULES.
- Accurate data depends on the types of decisions.
- Accurate decision rules depend on the types of decisions.

Costs of Computer Abuse
- Development of the IS audit function is needed because of computer abuse.
- Major types of computer abuse:
  - Hacking – unauthorized electronic access to a computer
  - Viruses – programs which attach themselves to computer files to disrupt operations or damage data or programs
  - Illegal physical access to computer facilities
  - Abuse of privileges
- Computer abuse leads to some consequences.

Costs of Computer Abuse
- Types of consequences of computer abuse:
  - Destruction of assets
  - Theft of assets
  - Modification of assets
  - Privacy violations
  - Disruption of operations
  - Unauthorized use of assets
  - Physical harm to personnel
- Losses are higher than from conventional fraud
- Numbers and types of threats seem to be increasing
- Organizations are not well prepared
- Deterrent security and administrative countermeasures can be effective
- Laws governing abuse are evolving

Value of Computer Hardware, Software & Personnel
- Data, computer hardware, software and personnel are important to the organization.
- Loss or damage to hardware can be costly – value of assets and cost of disruption of service
- Investment in software – confidential information, proprietary secrets, disruption of business, loss of competitive advantage
- Personnel – unique knowledge, training cost, scarcity, disruption in service

High Costs of Computer Error
- Automatic performance of critical functions in society
- The cost of computer errors is high, such as loss of life or damage to the environment.
- Organizations are held liable for the consequences of computer errors.

Maintenance of Privacy
- Data is collected about us – taxation, employment, medical, educational, credit, residence, spending habits
- People are concerned about the impact on personal privacy, which they consider to be a human right.

Controlled Evolution of Computer Use
- Conflicts arise on how computer technology should be used:
  - use of computers in control over weapon systems
  - use of computers to control working life and environment
- Use of technology produces social problems.
- Governments, professional bodies, pressure groups, organizations and individuals must be concerned with evaluating and monitoring how to deploy computer technology.

IS Auditing
- IS auditing is the process of collecting and evaluating evidence to determine whether a computer:
  - Safeguards assets.
  - Maintains data integrity.
  - Allows organizational goals to be achieved effectively.
  - Uses resources efficiently.
- IS auditing supports traditional audit objectives – external and internal auditor, effectiveness and efficiency objectives.
- IS audit ensures that organizations comply with regulations, rules and conditions.

Information Systems Auditing
The impact of IS audit function on organizations:
- Improved safeguarding of assets
- Improved data integrity
- Improved system effectiveness
  - Effectiveness Auditing
  - Effectiveness Metrics
- Improved systems efficiency
  - Efficiency Metrics
- Compliance with regulations, rules or conditions

Effects of Computers on Internal Controls
- Separation of duties
  - Separation of duties does not always apply
- Delegation of authority and responsibility
  - Delegation of authority and responsibility is difficult
  - Some resources are shared among multiple users.
  - Difficult to trace who is responsible when errors occur
- Competent and trustworthy personnel
  - Difficult to have competent and trustworthy IS personnel – high turnover
  - Substantial power is given to IS personnel
- System of authorizations
  - 2 types of authorization to execute transactions – general and specific authorizations
  - Manual system: authorization procedures are examined by auditors, BUT in a computer system authorization is within the computer program.
  - Difficult to assess whether the authority assigned is consistent with management.

Effects of Computers on Internal Controls
- Adequate documents and records
  - In a manual system, adequate documents and records are needed to provide an audit trail, BUT in a computer system documents might not be used.
  - No visible audit or management trail needed.
  - NOT all computer systems are well designed; some do not provide adequate access control and logging facilities to ensure preservation of an accurate and complete audit trail.
- Physical control over assets and records
  - Critical in both systems, but with a different concentration of the IS assets and records.
  - Manual system records are maintained in different physical locations, BUT computer system records are maintained in a single site.
  - Losses of IS assets and records increase when computer abuse arises.

Effects of Computers on Internal Controls
- Adequate management supervision
  - Manual supervision of employees is straightforward, BUT in computer systems supervision might be remote.
  - Supervisory controls built into the computer systems – leverage the technology
  - Develop agreement between management and subordinates
- Independent checks on performance
  - Manual systems: independent checks are carried out to detect errors and irregularities by employees, BUT in computer systems independent checks are of less value.
  - A computer system always follows the designated program code, which should be authorized, accurate and complete.
- Comparing recorded accountability with assets
  - Manual systems: the basic data is prepared by employees for comparison, BUT in computer systems software is used to prepare the data.

Effects of Computers on Auditing
- Changes to evidence collection
  - More complex control technology
  - Rapid evolution of control technology
  - Lag in the development of audit tools
  - System reliability and controls reliability?
- Changes to evidence evaluation
  - Is the control reliable?
  - It is difficult to trace the effect of a weakness in a shared data environment
  - Greater consequence of errors
  - Consequences of control strengths or weaknesses?

Foundations of IS Auditing
IS auditing as an intersection of other disciplines:
- Traditional Auditing – knowledge and experience with IC techniques; control philosophy
- Computer Science – technical knowledge
- IS Management – understand better ways to manage system development
- Behavioral Science – understand conditions that lead to system failure due to human factors

IT Auditors' Roles
What do IT auditors do?
- Ensure IT governance by assessing risks and monitoring controls over those risks
- Work as either internal or external auditors
- Work on many kinds of audit engagements
- Evidence collection by performing tests of control and substantive tests

Financial vs. IT Audits
- IT auditors may work on financial audit engagements
- IT auditors may work on every step of the financial audit engagement
- Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
- IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important

Role of IT Auditors in the Financial Audit Process
1. Develop an understanding of the client and perform preliminary audit work
2. Develop audit plan
3. Evaluate the IC system
4. Determine degree of reliance on IC
5. Perform substantive testing
6. Review work and issue audit report
7. Conduct follow-up work
(Diagram label: TOC)

IT Audit Skills
- College education – IS, computer science, accounting
- Certifications – CPA, CFE, CIA, CISA, CISSP, and special technical certifications
- Technical IT audit skills – specialized technologies
- General personal and business skills

Professional Groups and Certifications – Alphabet Soup
- ISACA – CISA, CISSP
- IIA – CIA
- ACFE – CFE
- AICPA – CPA and CITP

Structuring an IT Audit
- AICPA Standards and Guidelines – GAAS, SAS, and SSAE
- IFAC Guidelines – harmonized or common international accounting standards and guidelines
- ISACA standards, guidelines, and procedures – includes CobiT and audit standards

Summary
- Organizations must control and audit computer-based IS because the costs of errors and irregularities are high.
- The IS audit function is used to safeguard assets, maintain data integrity, and achieve systems effectiveness and efficiency.
- Many of the principles in IS auditing are similar to those of traditional auditing, computer science, management and behavioral science.
- Computer-based IS do not undermine the traditional internal control principles.
- Collecting evidence on the reliability of internal control in computer-based IS is more varied in type, more complex and more critical.
- Evaluating the reliability of controls in computer-based IS is more complex.

- Technology is changing daily and increasingly impacting businesses. So, the need for auditing is also on the rise...
- Accounting scandals in recent years point to a need for more monitoring and oversight.
- The need for auditing is also increasingly important, as IT is becoming more complex and pervasive.
- Thus, IT auditing is a growing field. IT auditors are going to be in demand.

The End – Thank You!