Professional Documents
Culture Documents
AIS Ch-6 Control and Auditing of AIS
AIS Ch-6 Control and Auditing of AIS
PROF.DR.CHINNIAH ANBALAGAN
PROFESSOR OF ACCOUNITNG AND FINANCE
COLLEGE OF BUSINESS AND ECONOMICS
SAMARA UNIVERSITY, AFAR, ETHIOPIA EAST AFRICA
MAIL ID: DR.CHINLAKSHANBU@GMAIL.COM
1
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Information Technology Auditing
• Introduction
• The Audit Function
• The Information Technology Auditor’s Toolkit
• Auditing Computerized Accounting Information Systems
• Information Technology Auditing Today
2
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Overview of Control Concepts
4
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Five Key Control Objectives
The purposes of internal controls are to:
•Protect assets;
•Ensure that records are accurate;
•Promote operational efficiency;
•Achieve organizational mission and goals; and
•Ensure compliance with policies, rules,
regulations, and laws.
5
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Overview of Control Concepts
6
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Audits of AISs
• Audits of AISs
– Ensure controls are functioning properly
– Confirm additional controls not necessary
• Nature of Auditing
– Internal and external auditing
– IT Audit and financial audit
– Tools of an IT auditor
7
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
The Audit Function
8
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Internal Auditing
• Responsibility of Performance
– Company’s own employees
– External of the department being audited
• Evaluation of:
– Employee compliance with policies and procedures
– Effectiveness of operations
– Compliance with external laws and regulations
– Reliability of financial reports
– Internal controls
9
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
External Auditing
• Responsibility of Performance
– Those outside the organization
– Accountants working for independent CPA
• Audit Purpose
– Performance of the attest function
– Evaluate the accuracy and fairness of the financial statements
relative to GAAP
10
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
The Nature of Auditing
• The IIA’s five audit scope standards outline the internal
auditor’s responsibilities:
– Review the reliability and integrity of operating and financial
information and how it is identified, measured, classified, and reported.
– Determine if the systems designed to comply with these policies, plans,
procedures, laws, and regulations are being followed.
– Review how assets are safeguarded, and verify their existence.
– Examine company resources to determine how effectively and
efficiently they are used.
– Review company operations and programs to determine if they are
being carried out as planned and if they are meeting their objectives.
11
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Information Technology Auditing
• Function
– Evaluate computer’s role in achieving audit and control
objectives
• Assurance Provided
– Data and information are reliable, confidential, secure, and
available
– Safeguarding assets, data integrity, and operational
effectiveness
12
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
The Components of an IT Audit
13
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
The IT Audit Process
14
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
The IT Audit Process
15
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Types of internal auditing work
– Three different types of audits are commonly performed.
• Financial audit
16
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Types of internal auditing work
– Three different types of audits are commonly performed.
• Financial audit
• Information systems audit
17
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Types of internal auditing work
– Three different types of audits are commonly performed.
• Financial audit
• Information systems audit
• Operational or management audit
18
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
Planning • An overview of the auditing process
– All audits follow a similar sequence
of activities and may be divided
into four stages:
• Planning
19
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
Planning • An overview of the auditing process
– All audits follow a similar sequence
of activities and may be divided
into four stages:
Collecting Evidence • Planning
• Collecting Evidence
20
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
Planning • An overview of the auditing process
– All audits follow a similar sequence
of activities and may be divided
into four stages:
Collecting Evidence • Planning
• Collecting evidence
• Evaluating evidence
Evaluating Evidence
21
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
Planning • An overview of the auditing process
– All audits follow a similar sequence
of activities and may be divided
into four stages:
Collecting Evidence • Planning
• Collecting evidence
• Evaluating evidence
Evaluating Evidence • Communicating audit results
Communicating Audit
Results
22
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Audit planning
Planning
– Purpose: Determine why, how, when, and by
whom the audit will be performed.
– The first step in audit planning is to establish
the scope and objectives of the audit.
Collecting Evidence – An audit team with the necessary experience
and expertise is formed.
– Team members become familiar with the
auditee by:
• Conferring with supervisory and
Evaluating Evidence
operating personnel;
• Reviewing system documentation; and
• Reviewing findings of prior audits.
Communicating Audit
Results
23
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• The audit should be planned so that the greatest amount of
audit work focuses on areas with the highest risk factors.
• There are three types of risk when conducting an audit:
– Inherent risk
24
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• The risk that a material misstatement will get
through the internal control structure and into the
• The audit shouldfinancial
be planned so that the greatest amount of
statements.
audit work focuses on areas
• Inversely withtothe
related the highest
strengthrisk factors.
of the company’s
internal
• There are three types ofcontrols,
risk wheni.e.,conducting
stronger controls means lower
an audit:
control risk.
– Inherent risk
• Can be determined by:
– Control risk – Reviewing the control environment.
– Considering control weaknesses identified in
prior audits and evaluating how they have been
rectified.
25
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• The audit should be planned so that the greatest amount of
audit work focuses on areas with the highest risk factors.
• There are three types of risk when conducting an audit:
– Inherent risk
– Control risk
– Detection risk
27
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
Planning • Collection of audit
evidence
– Much audit effort is spent
Collecting Evidence collecting evidence.
Evaluating Evidence
Communicating Audit
Results
28
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Collection of audit evidence
– The following are among the most commonly used
evidence collection methods:
• Observation
• Watch the activities being audited, e.g., how employees
enter the site or handle a particular form.
29
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Collection of audit evidence
– The following are among the most commonly used
evidence collection methods:
• Observation
• Review of documentation
• Review documents to understand how an AIS or an
internal control system is supposed to function.
30
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Collection of audit evidence
– The following are among the most commonly used
evidence collection methods:
• Observation
• Review of documentation
• Discussions
• Talk with employees about their jobs and how they
carry out certain procedures.
31
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Collection of audit evidence
– The following are among the most commonly used
evidence collection methods:
• Observation
• Review of documentation
• Discussions
• Physical examination
• Examine quantity and/or condition of tangible
assets, such as equipment, inventory, or cash.
32
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Collection of audit evidence
– The following are among the most commonly used
evidence collection methods:
• Observation
• Review of documentation
• Discussions
• Physical examination
• Confirmation
• Communicate with third parties to check the
accuracy of information such as customer account
balances.
33
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Collection of audit evidence
– The following are among the most commonly used
evidence collection methods:
• Observation
• Review of documentation
• Discussions
• Physical examination
• Confirmation
• Re-performance
• Repeat a calculation to verify quantitative
information on records and reports.
34
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Collection of audit evidence
– The following are among the most commonly used
evidence collection methods:
• Observation
• Review of documentation
• Discussions
• Physical examination
• • Examine supporting documents to ensure the
Confirmation
validity of the transaction.
• Re-performance
• Vouching
35
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Collection of Audit Evidence
– The following are among the most commonly used
evidence collection methods:
• Observation
• • of
Review Examine relationships and trends among information
documentation
• items to detect those that deserve further
Discussions
• investigation.
Physical examination
• • Example: If the inventory turnover ratio has
Confirmation
• plummeted, it’s time to investigate why the change
Re-performance
has occurred.
• Vouching
• Analytical review
36
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Because many audit tests and procedures cannot feasibly be
performed on the entire set of activities, records, assets, or
documents, they are often performed on a sample basis.
• A typical audit will be a mix of audit procedures.
37
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• An audit designed to evaluate AIS internal controls would
make greater use of:
– Observation
– Review of documentation
– Discussions
– Re-performance
• An audit of financial information would focus on:
– Physical examination
– Confirmation
– Vouching
– Analytical review
– Re-performance
38
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
• Because errors will occur anywhere,
THE NATURE OF AUDITING auditors focus on those that have a
significant impact on management’s
interpretation of the audit findings.
• •Evaluation
Materiality of Auditwhat
dictates Evidence
is and is not
Planning
– important
The auditorin evaluates
a given set the of circumstances—
evidence
primarily
gathered ainmatter
light ofofthejudgment.
specific audit
• Itobjective and decides
is generally if it supports
more important a
to external
favorable
audits, or unfavorable
when the overall conclusion.
emphasis is on the
Collecting Evidence – fairness
If inconclusive, the auditor
of financial statement plans and
executes additional
presentations, thanprocedures
to internaluntilaudits, where
sufficient evidence is obtained.
the focus is on determining adherence to
– Two important factors when deciding how
management’s policies.
much audit work is necessary and in
Evaluating Evidence evaluating audit evidence are:
• Materiality
Communicating Audit
Results
39
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Reasonable assurance is somewhat of a
cost-benefit notion.
• It is prohibitively expensive for the auditor to
• Evaluation
seek completeof Audit Evidence
assurance that no material
Planning
– error exists, evaluates
The auditor so he must the accept
evidencerisk that the
gathered
audit in light of
conclusion is the specific audit
incorrect.
objective and
• Therefore decidesreasonable
he seeks if it supportsassurance,
a
favorable or unfavorable conclusion.
as opposed to absolute assurance.
Collecting Evidence – If inconclusive, the auditor plans and
• Note that additional
executes when inherent
proceduresor control
until risk is
high, the auditor
sufficient evidencemust obtain greater
is obtained.
– assurance to offset
Two important factorsthe greater
when uncertainty
deciding how
and
muchrisks.
audit work is necessary and in
Evaluating Evidence evaluating audit evidence are:
• Materiality
• Reasonable assurance
Communicating Audit
Results
40
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• At all stages of the audit, findings and conclusions are
carefully documented in working papers.
• Documentation is critical at the evaluation stage,
when final conclusions must be reached and
supported.
41
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Communication of audit results
Planning
– The auditor prepares a written (and
sometimes oral) report summarizing audit
findings and recommendations, with
references to supporting evidence in the
Collecting Evidence working papers.
– Report is presented to:
• Management
• The audit committee
• The board of directors
Evaluating Evidence
• Other appropriate parties
– After results are communicated, auditors
often perform a follow-up study to see if
Communicating Audit recommendations have been implemented.
Results
42
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• The risk-based audit approach
– A risk-based audit approach is a four-step approach to
internal control evaluation that provides a logical
framework for carrying out an audit. Steps are:
• Determine the threats (errors and irregularities) facing the
AIS.
43
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• The risk-based audit approach
– A risk-based audit approach is a four-step approach to
internal control evaluation that provides a logical
framework for carrying out an audit. Steps are:
• Determine the threats (errors and irregularities) facing the AIS.
• Identify control procedures implemented to minimize each
threat by preventing or detecting such errors and
irregularities.
44
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• Perform a systems review to determine if necessary
procedures are in place. Involves:
• The risk-based–auditReviewing system documentation
approach
– A risk-based–audit
Interviewing
approach appropriate personnel
is a four-step approach to
internal •control
Conduct tests of controls
evaluation to determine
that provides if the
a logical
procedures are satisfactorily followed. Involves:
framework for carrying out an audit. Steps are:
– Observing system operations
• Determine the threats (errors and irregularities) facing the AIS.
– Inspecting documents, records, and reports
• Identify control procedures implemented to minimize each threat
–
by preventingChecking samples
or detecting of system
such errors inputs and outputs
and irregularities.
– Tracing transactions through the system
• Evaluate the control procedures.
45
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• The risk-based audit approach
• Focuses on control risks and whether the control
– A risk-based audit approach is a four-step approach to
system as a whole adequately addresses them.
internal control evaluation that provides a logical
• If a control deficiency is identified, the auditor asks
framework for carrying out an audit. Steps are:
about compensating controls—procedures that
• Determine the threats (errors and irregularities) facing the AIS.
make up for the deficiency.
• Identify control procedures implemented to minimize each threat
• A control
by preventing weakness
or detecting such in oneand
errors area may be acceptable
irregularities.
if compensated for by control strengths in other
• Evaluate the control procedures.
areas.
• Evaluate weaknesses (errors and irregularities not covered by
control procedures) to determine their effect on the nature,
timing, or extent of auditing procedures and client suggestions.
46
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THE NATURE OF AUDITING
• The risk-based approach to auditing provides auditors
with a clear understanding of the errors and
irregularities that can occur and the related risks and
exposures.
• This understanding provides a basis for developing
recommendations to management on how the AIS
control system should be improved.
47
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Careers in IT Auditing
• Background
– Accounting skills
– Information systems or computer science skills
• Certified Information System Auditor (CISA)
– Successfully complete examination
– Experience requirements
– Comply with Code of Professional Ethics
– Continuing professional education
– Comply with standards
48
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
INFORMATION SYSTEMS AUDITS
• The purpose of an information systems audit is to review and
evaluate the internal controls that protect the system.
• When performing an information system audit, auditors should
ascertain that the following objectives are met:
– Security provisions protect computer equipment, programs,
communications, and data from unauthorized access, modification, or
destruction.
– Program development and acquisition are performed in accordance
with management’s general and specific authorization.
– Program modifications have management’s authorization and approval.
49
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
INFORMATION SYSTEMS AUDITS
– Processing of transactions, files, reports, and other computer records are
accurate and complete.
– Source data that are inaccurate or improperly authorized are identified and
handled according to prescribed managerial policies.
– Computer data files are accurate, complete, and confidential.
• The following slide depicts the relationship among these six objectives and
information systems components.
• The objectives are then discussed in detail in the following section.
• Each description includes an audit plan to accomplish the objective, as well as the
techniques and procedures to carry out the plan.
50
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
IS COMPONENTS AND AUDIT OBJECTIVES
Objective 1: Overall Security
Objective 5: Source Data
Source
Data
Data
Entry
Objective 2:
Program Development Source
and Acquisition Data
Processing
Programs Files
Output
Objective 3: Objective 6:
Program Modification Objective 4: Computer Processing Data Files
51
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
IS COMPONENTS AND AUDIT OBJECTIVES
Objective 1: Overall Security
Objective 5: Source Data
Source
Data
Data
Entry
Objective 2:
Program Development Source
and Acquisition Data
Processing
Programs Files
Output
Objective 3: Objective 6:
Program Modification Objective 4: Computer Processing Data Files
52
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 1: OVERALL SECURITY
• Types of security errors and fraud faced by companies:
– Accidental or intentional damage to system assets.
– Unauthorized access, disclosure, or modification of data
and programs.
– Theft.
– Interruption of crucial business activities.
53
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 1: OVERALL SECURITY
• Control procedures to minimize security errors and fraud:
– Developing an information security/protection plan.
– Restricting physical and logical access.
– Encrypting data.
– Protecting against viruses.
– Implementing firewalls.
– Instituting data transmission controls.
– Preventing and recovering from system failures or disasters, including:
• Designing fault-tolerant systems.
• Preventive maintenance.
• Backup and recovery procedures.
• Disaster recovery plans.
• Adequate insurance.
54
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 1: OVERALL SECURITY
• Audit procedures: Systems review
– Inspecting computer sites.
– Interviewing personnel.
– Reviewing policies and procedures.
– Examining access logs, insurance policies, and the disaster
recovery plan.
55
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 1: OVERALL SECURITY
• Audit procedures: Tests of controls
– Auditors test security controls by:
• Observing procedures.
• Verifying that controls are in place and work as
intended.
• Investigating errors or problems to ensure they were
handled correctly.
• Examining any tests previously performed.
– One way to test logical access controls is to try to break
into a system.
56
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 1: OVERALL SECURITY
• Compensating controls
– If security controls are seriously deficient, the organization
faces substantial risks.
– Partial compensation for poor computer security can be
provided by:
• Sound personnel policies
• Effective segregation of incompatible duties
• Effective user controls, so that users can recognize unusual system
output.
– These compensations aren’t likely to be enough, so
auditors should strongly recommend that security
weaknesses be corrected.
57
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
IS COMPONENTS AND AUDIT OBJECTIVES
Objective 1: Overall Security
Objective 5: Source Data
Source
Data
Data
Entry
Objective 2:
Program Development Source
and Acquisition Data
Processing
Programs Files
Output
Objective 3: Objective 6:
Program Modification Objective 4: Computer Processing Data Files
58
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
IS COMPONENTS AND AUDIT OBJECTIVES
Objective 1: Overall Security
Objective 5: Source Data
Source
Data
Data
Entry
Objective 2:
Program Development Source
and Acquisition Data
Processing
Programs Files
Output
Objective 3: Objective 6:
Program Modification Objective 4: Computer Processing Data Files
59
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 2: PROGRAM
DEVELOPMENT AND ACQUISITION
• Types of errors and fraud:
– Two things can go wrong in program development:
• Inadvertent errors due to careless programming or
misunderstanding specifications; or
• Deliberate insertion of unauthorized instructions into
the programs.
60
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 2: PROGRAM
DEVELOPMENT AND ACQUISITION
• Control procedures:
– The preceding problems can be controlled by requiring:
• Management and user authorization and approval
• Thorough testing
• Proper documentation
61
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 2: PROGRAM
DEVELOPMENT AND ACQUISITION
• Audit procedures: Systems review
– The auditor’s role in systems development should be
limited to an independent review of system development
activities.
• To maintain necessary objectivity for performing an independent
evaluation, the auditor should not be involved in system
development.
• During the systems review, the auditor should gain an
understanding of development procedures by discussing them with
management, users, and IS personnel.
• Should also review policies, procedures, standards, and
documentation for systems and programs.
62
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 2: PROGRAM
DEVELOPMENT AND ACQUISITION
• Audit procedures: Tests of controls
– To test systems development controls, auditors should:
• Interview managers and system users.
• Examine development approvals.
• Review the minutes of development team meetings.
• Thoroughly review all documentation relating to the testing
process and ascertain that all program changes were tested.
• Examine the test specifications, review the test data, and evaluate
the test results.
– If results were unexpected, ascertain how the
problem was resolved.
63
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 2: PROGRAM
DEVELOPMENT AND ACQUISITION
• Compensating controls
– Strong processing controls can sometimes compensate for
inadequate development controls.
• If auditors rely on compensatory processing controls,
they should obtain persuasive evidence of compliance.
– Use techniques such as independent processing of
test data to do so.
• If this type of evidence can’t be obtained, they may
have to conclude there is a material weakness in internal
control.
64
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
IS COMPONENTS AND AUDIT OBJECTIVES
Objective 1: Overall Security
Objective 5: Source Data
Source
Data
Data
Entry
Objective 2:
Program Development Source
and Acquisition Data
Processing
Programs Files
Output
Objective 3: Objective 6:
Program Modification Objective 4: Computer Processing Data Files
65
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
IS COMPONENTS AND AUDIT OBJECTIVES
Objective 1: Overall Security
Objective 5: Source Data
Source
Data
Data
Entry
Objective 2:
Program Development Source
and Acquisition Data
Processing
Programs Files
Output
Objective 3: Objective 6:
Program Modification Objective 4: Computer Processing Data Files
66
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 3: PROGRAM
MODIFICATION
• Types of errors and fraud
– Same that can occur during program development:
• Inadvertent programming errors
• Unauthorized programming code
67
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 3: PROGRAM MODIFICATION
• Control procedures
– When a program change is submitted for approval, a list of all required
updates should be compiled by management and program users.
– Changes should be thoroughly tested and documented.
– During the change process, the developmental version of the program
must be kept separate from the production version.
– When the amended program has received final approval, it should
replace the production version.
– Changes should be implemented by personnel independent of users or
programmers.
– Logical access controls should be employed at all times.
68
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 3: PROGRAM MODIFICATION
69
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 3: PROGRAM MODIFICATION
70
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 3: PROGRAM MODIFICATION
71
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 3: PROGRAM MODIFICATION
73
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 3: PROGRAM MODIFICATION
• Compensating controls
– If internal controls over program changes are deficient,
compensation controls are:
• Source code comparison;
• Reprocessing; and/or
• Parallel simulation.
– The presence of sound processing controls, independently
tested by the auditor, can also partially compensate for
deficiencies.
– But if deficiencies are caused by inadequate restrictions on
program file access, the auditor should strongly
recommend actions to strengthen the organization’s logical
access controls.
74
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
IS COMPONENTS AND AUDIT OBJECTIVES
Objective 1: Overall Security
Objective 5: Source Data
Source
Data
Data
Entry
Objective 2:
Program Development Source
and Acquisition Data
Processing
Programs Files
Output
Objective 3: Objective 6:
Program Modification Objective 4: Computer Processing Data Files
75
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
IS COMPONENTS AND AUDIT OBJECTIVES
Objective 1: Overall Security
Objective 5: Source Data
Source
Data
Data
Entry
Objective 2:
Program Development Source
and Acquisition Data
Processing
Programs Files
Output
Objective 3: Objective 6:
Program Modification Objective 4: Computer Processing Data Files
76
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
77
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
• Control procedures
– Computer data editing routines.
– Proper use of internal and external file labels.
– Reconciliation of batch totals.
– Effective error correction procedures.
– Understandable operating documentation and run manuals.
– Competent supervision of computer operations.
– Effective handling of data input and output by data control personnel.
– File change listings and summaries prepared for user department
review.
– Maintenance of proper environmental conditions in computer facility.
78
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
79
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
80
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
81
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
• Compensating controls
– Auditors must periodically re-evaluate processing controls
to ensure their continued reliability.
• If controls are unsatisfactory, user and source data
controls may be strong enough to compensate.
• If not, a material weakness exists and steps should be
taken to eliminate the control deficiencies.
82
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
83
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
84
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
85
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
86
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
87
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
88
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
89
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 4: COMPUTER PROCESSING
90
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 5: SOURCE DATA
• Types of errors and fraud
– Inaccurate source data
– Unauthorized source data
91
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 5: SOURCE DATA
• Control procedures
– Effective handling of source data input by data control personnel
– User authorization of source data input
– Preparation and reconciliation of batch control totals
– Logging of the receipt, movement, and disposition of source data input
– Check digit verification
– Key verification
– Use of turnaround documents
– Computer data editing routines
– File change listings and summaries for user department review
– Effective procedures for correcting and resubmitting erroneous data
92
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 5: SOURCE DATA
• Audit procedures: System review
– Review documentation about responsibilities of data control function.
– Review administrative documentation for source data control
standards.
– Review methods of authorization and examine authorization
signatures.
– Review accounting systems documentation to identify source data
content and processing steps and specific source data controls used.
– Document accounting source data controls using an input control
matrix.
– Discuss source data control procedures with data control personnel as
well as the users and managers of the system.
93
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 5: SOURCE DATA
• Audit procedures: Tests of controls
– Observe and evaluate data control department operations
and specific data control procedures.
– Verify proper maintenance and use of data control log.
– Evaluate how items recorded in the error log are handled.
– Examine samples of accounting source data for proper
authorization.
– Reconcile a sample of batch totals and follow up on
discrepancies.
– Trace disposition of a sample of errors flagged by data edit
routines.
94
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
OBJECTIVE 5: SOURCE DATA
• Compensating controls
– Strong user controls
– Strong processing controls
95
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
CISA Exam Components
96
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Careers in IT Auditing
98
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Risk Assessment
99
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Information Systems Risk Assessment
100
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Study Break #1
An IT auditor:
101
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Study Break #2
102
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
The IT Auditor’s Toolkit
• Utilization of CAATs
– Auditing with the computer
– Manual access to data stored on computers is impossible
• Tools
– Auditing Software
– People Skills
103
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
General-Use Software
104
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Generalized Audit Software
• Overview
– Allow for reviewing of files without rewriting processing
programs
– Basic data manipulation
– Tailored to auditor tasks
• Common Programs
– Audit Command Language (ACL)
– Interactive Data Extraction and Analysis (IDEA)
105
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Generalized Audit Software - Inventory
106
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Automated Workpapers
• Overview
– Automate and standardize audit tests
– Can prepare financial statements and other financial measures
• Features
– Generate trial balances
– Make adjusting entries
– Perform consolidations
– Conduct analytical procedures
– Document audit procedures and conclusions
107
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
People Skills
• Examples
– Working as a team
– Interact with clients and other auditors
– Interviewing clients
• Importance of Interviews
– Gain understanding of organization
– Evaluate internal controls
108
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Auditing Computerized AISs
109
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Auditing Computerized AISs
110
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Testing Computer Programs
• Test Data
– Create set of transactions
– Covering range of exception situations
– Compare results and investigate further
• Integrated Test Facility
– Establish a fictitious entity
– Enter transactions for that entity
– Observe how they are processed
111
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Testing Computer Programs
• Parallel Simulation
– Utilized live input data
– Simulates all or some of the operations
– Compare results
– Very time-consuming and cost-prohibitive
112
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Edit Tests and Test Data
113
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Validating Computer Programs
114
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Reviewing a Responsibility System
115
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Review of Systems Software
116
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Password Parameters
117
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Validating Users and Access Privileges
• Purpose
– Ensure all system users are valid
– Appropriate access privileges
• Utilize Software Tools
– Examine login times
– Exception conditions
– Irregularities
118
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Continuous Auditing
119
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Continuous Auditing
• Snapshot Technique
– Examines how transactions are processed
• Continuous and Intermittent Simulation (CIS)
– Embeds audit module in a database management system
(DBMS)
– Similar to parallel simulation
120
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Continuous Auditing – Spreadsheet
Errors
121
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Study Break #3
A. Parallel simulation
B. Use of specialized control software
C. Continuous auditing
D. All of the above are techniques used to audit computerized
AIS
122
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Study Break #4
Continuous auditing:
A. Has been talked about for years but will never catch on
B. Will likely become popular if organizations adopt XBRL in
their financial reporting
C. Does not include techniques such as embedded audit
modules
D. Will never allow IT auditors to provide some types of
assurance on a real-time basis
123
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
IT Governance
• Overview
– Process of using IT resources effectively
– Efficient, responsible, strategic use of IT
• Objectives
– Using IT strategically to fulfill mission of organization
– Ensure effective management of IT
124
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
IT Auditing Today
125
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
The Sarbanes-Oxley Act of 2002
• Overview
– Limits services that auditors can provide clients while they
are conducting audits
• Groups of Compliance Requirements
– Audit committee/corporate governance requirements
– Certification, disclosure, and internal control
– Financial statement reporting rules
– Executive reporting and conduct
126
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
The Sarbanes-Oxley Act of 2002
• Section 302
– CEOs and CFOs are required to certify the financial statements
– Internal controls and disclosures are adequate
• Section 404
– CEOs and CFOs assess and attest to the effectiveness of
internal controls
127
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Key Provisions of SOX
128
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Key Provisions of SOX
129
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Auditing Standard No. 5 (AS5)
• Purpose
– Public Company Accounting Oversight Board (PCAOB)
guidance
– Focus on most critical controls
• Rebalancing of Auditor’s Work
– Internal auditors help to advise board of directors
– External auditors reduce redundant testing
130
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Third Party and Information
Systems Reliability Assurances
• Growth of Electronic Commerce
– Area of growing risk
– Security and privacy concerns
– Difficult to audit
• AICPA Trust Services
– CPA WebTrust
– SysTrust
131
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Third Party and Information
Systems Reliability Assurances
• Principles of Trust Services
– Security
– Availability
– Processing integrity
– Online privacy
– Confidentiality
132
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
THANKS
END OF CHAPTER SIX
133
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.