Transcript Document 7345579

Chapter 17
Information
Systems Auditing
and Assurance
Objectives for Chapter 17
• Purpose of an audit and the basic conceptual elements
of the audit process
• Difference between internal and external auditing and
the relationship between them
• How auditing objectives and tests of control are
determined by the control structure of the client firm
• Audit objective and tests of control for each of the nine
general control areas
• Auditing techniques used to verify the effective
functioning of application controls
• Auditing techniques used to perform substantive tests in
a CBIS environment
Attestation versus Assurance
• Attestation:
– an engagement in which a practitioner is engaged
to issue, or does issue, a written communication
that expresses a conclusion about the reliability of
a written assertion that is the responsibility of
another party. (SSAE No. 1, AT Sec. 100.01)
• Assurance:
– professional services that are designed to
improve the quality of information, both financial
and non-financial, used by decision-makers
– includes, but is not limited to attestation
Attest and Assurance Services
What is a Financial Audit?
• An independent attestation by a
professional (CPA) regarding the
faithful representation of the
financial statements.
• Three phases of a financial audit:
– familiarization with client firm
– evaluation and testing of internal controls
– assessment of reliability of financial data
Generally Accepted Auditing
Standards (GAAS)
External versus Internal Auditing
• External auditors represent the
interests of third party stakeholders,
while internal auditors serve as an
independent appraisal function within the
organization.
• Internal auditors often perform tasks
which can reduce external audit fees and
help to achieve audit efficiency and
reduce audit fees.
Elements of an Audit
• Systematic procedures are used
• Evidence is obtained
– tests of internal controls
– substantive tests
• Determination of materiality for
weaknesses found
• Prepare audit report & audit opinion
Information Technology (IT)
Audit
• Since most information systems employ
information technology, the IT audit is typically
a significant component of all external
(financial) and internal audits.
• IT audits:
– focus on the computer-based aspects of an
organization’s information system
– assess the proper implementation, operation, and
control of computer resources
Phases of an IT Audit
Audit Risk is...
the probability the auditor will issue an
unqualified (clean) opinion when in fact
the financial statements are materially
misstated.
Components of Audit Risk
• Inherent risk is associated with the unique
characteristics of the business or industry of
the client.
• Control risk is the likelihood that the control
structure is flawed because controls are
either absent or inadequate to prevent or
detect errors in the accounts.
• Detection risk is the risk that auditors are
willing to take that errors not detected or
prevented by the control structure will also not
be detected by the auditor.
Tests of General Controls
• Our primary purposes are
to understand:
– the auditing objectives in
each general control
area and
– the nature of the tests
that auditors perform to
achieve these
objectives.
Tests of General Controls
• Our discussion is organized around the
following :
1.operating system controls
2. data management controls
3. organizational structure controls
4. systems development controls
5. systems maintenance controls
6. computer center security and control
7. Internet and Intranet controls
8. electronic data interchange (EDI) controls
9. personal computer controls
Organizational Structure
Internet
& Intranet
Operating
System
Data
Management
Internet
& Intranet
Systems
Development
EDI Trading
Partners
Systems
Maintenance
Personal Computers
Applications
Computer Center Security
General Control Framework for CBIS Risks
1. General Control Tests
Operating system objective: verify that the
security policy and control procedures are rigorous
enough to protect the operating system against:
– hardware failure
– software efforts
– destructive acts by
employees or hackers
– virus infection
1. General Control Tests
Operating system
(continued)
Access controls:
– privilege controls
– password control
– virus control
– fault tolerance control
2. General Control Tests
• Data management objective:
– protect against unauthorized access to or
destruction of data & inadequate data backup.
• Controls:
– access - encryption, user authorization tables,
inference controls and biometric devices are a
few examples
– backup - grandfather-father-son and direct
access backup; recovery procedures
3. General Control Tests
Organizational structure objectives:
– determine whether incompatible functions have
been identified and segregated in accordance with
the level of potential exposure
– determine whether segregation is sustained
through a working environment that promotes
formal relationships between incompatible tasks
Controls:
– review organizational & systems documentation,
observe behavior, and review database authority
tables
4. General Control Tests
Systems development objectives: ensure that...
– SDLC activities are applied consistently and in
accordance with management’s policies
– the system as originally implemented was free from
material errors and fraud
– the system was judged to be necessary and
justified at various checkpoints throughout the
SDLC
– system documentation is sufficiently accurate and
complete to facilitate audit and maintenance
activities
4. General Control Tests
Systems development
(continued)
Controls:
– systems authorization techniques
– good development procedures
– internal audit team participation
– appropriate testing of system
5. General Control Tests
Systems maintenance objectives:
detect unauthorized program maintenance
and determine that...
– maintenance procedures protect
applications from unauthorized changes
– applications are free from material
errors
– program libraries are protected from
unauthorized access
5. General Control Tests
Systems maintenance
(continued)
Controls:
– authorization requirements for program
maintenance
– appropriate documentation of changes
– adequate testing of program changes
– reconciling program version numbers
– review programmer authority table
– test authority table
6. General Control Tests
Computer center objectives: determine that...
– physical security controls are adequately protect
the organization from physical exposures
– insurance coverage on equipment is adequate to
compensate the organization for the destruction
of, or damage to, its computer center
– operator documentation is adequate to deal with
routine operations as well as system failures
– the organization’s disaster recovery plan is
adequate and feasible
6. General Control Tests
Computer center
(continued)
Controls:
– well-planned physical layout
– backup and disaster recovery planning
– review critical application list
7. General Control Tests
Internet & Intranet objectives: determine
that communications controls...
– can detect and correct messages loss due to
equipment failure
– can prevent and detect illegal access both
internally and from the Internet
– will render useless any data that are
successfully captured by a perpetrator
– are sufficient to preserve the integrity and
security of data connected to the network
7. General Control Tests
Internet & Intranet
(continued)
Controls:
– equipment failure: line checks (parity &
echo),and backups
– subversive threats: access controls, encryption
of data, and firewalls
– message control: sequence numbering,
authentication, transaction logs, requestresponse polling
8. General Control Tests
EDI objectives: determine that...
– all EDI transactions are authorized,
validated, and in compliance with
organizational policy
– no unauthorized organizations gain access
to data base records
– authorized trading partners have access
only to approved data
– adequate controls are in place to ensure a
complete EDI transactions
8. General Control Tests
EDI
(continued)
Controls:
– sophisticated authorization & validation
techniques
– access controls
– audit trail modules and controls
9. General Control Tests
Personal computers (PCs) objectives: determine
that...
– adequate supervision and operating procedures
exist to compensate for lack of segregation
between the duties of users, programmers, and
operators
– access to microcomputers, data files, and program
files is restricted to authorized personnel
– backup procedures are in place to prevent data and
program loss from hardware failures
– systems selection and acquisition procedures
produce applications that are high quality, free from
errors, and protected from unauthorized changes
9. General Control Tests
PCs
(continued)
Controls:
–
–
–
–
increased supervision
access & security controls
backup controls
systems development
and maintenance controls
– systems development and
acquisition controls
Computer Applications
Controls
• Techniques for auditing computer
applications fall into two classes:
1) techniques for testing application
controls
2) techniques for examining transaction
details and account balances—
substantive testing
Testing Application Controls
• Black Box Approach - understanding flowcharts,
input procedures, & output results
• White Box Approach - understanding the
internal logic of the application
– authenticity (access) tests
– accuracy tests
– completeness tests
– redundancy tests
– audit trail tests
– rounding error tests
Auditing Around the Computer The Black Box Approach
White Box Testing Techniques
• Test data method: testing for logic or control
problems - good for new systems or systems
which have undergone recent maintenance
– base case system evaluation (BCSE) - using a
comprehensive set of test transactions
– tracing - performs an electronic walkthrough of
the application’s internal logic
• Test Data Methods are not fool-proof
– a snapshot - one point in time examination
– high-cost of developing adequate test data
Auditing through the Computer:
The Test Data Technique
White Box Testing Techniques
• Integrated test facility (ITF): an
automated, on-going technique that
enables the auditor to test an
application’s logic and controls during its
normal operation
• Parallel simulation: auditor writes
simulation programs and runs actual
transactions of the client through the
system
Auditing through the Computer:
The ITF Technique
Auditing through the Computer:
The Parallel Simulation Technique
Substantive Testing
Techniques
• Search for unrecorded liabilities
• Confirm accounts receivable to ensure
they are not overstated
• Determine the correct value of inventory,
and ensure they are not overstated
• Determine the accuracy of accruals for
expenses incurred, but not yet received
(also revenues if appropriate)
Embedded Audit Module
(EAM)
• An ongoing module which filters out
non-material transactions
• The chosen, material transactions are
used for sampling in substantive tests
• Requires additional computing resources
by the client
• Hard to maintain in systems with high
maintenance
Substantive Testing:
EAM
Generalized Audit Software
(GAS)
• Very popular & widely used
• Can access data files & perform operations
on them:
– screen data
– statistical sampling methods
– foot & balance
– format reports
– compare files and fields
– recalculate data fields
Substantive Testing:
GAS