chapter 12-1 chapter 12: information technology auditing introduction the audit function the...
TRANSCRIPT
Chapter 12-1
Chapter 12:Information Technology
Auditing
Introduction
The Audit Function
The Information Technology Auditor’s Toolkit
Auditing Computerized Accounting Information Systems
Information Technology Auditing Today
Chapter 12-2
Introduction
Audits of AISs Ensure controls are functioning properly Confirm additional controls not necessary
Nature of Auditing Internal and external auditing IT Audit and financial audit Tools of an IT auditor
Chapter 12-3
The Audit Function
Internal versus External Auditing
Information Technology Auditing
Evaluating the Effectiveness of Information Systems Controls
Chapter 12-4
Internal Auditing
Responsibility of Performance Company’s own employees External of the department being audited
Evaluation of: Employee compliance with policies and procedures Effectiveness of operations Compliance with external laws and regulations Reliability of financial reports Internal controls
Chapter 12-5
External Auditing
Responsibility of Performance Those outside the organization Accountants working for independent CPA
Audit Purpose Performance of the attest function Evaluate the accuracy and fairness of the financial
statements relative to GAAP
Chapter 12-6
Information Technology Auditing
Function Evaluate computer’s role in achieving audit and
control objectives
Assurance Provided Data and information are reliable, confidential,
secure, and available Safeguarding assets, data integrity, and
operational effectiveness
Chapter 12-7
The Componentsof an IT Audit
Chapter 12-8
The IT Audit Process
Computer-Assisted Audit Techniques (CAAT) Use of computer processes to perform audit
functions Performing substantive tests
Approaches Auditing through the computer Auditing with the computer
Chapter 12-9
The IT Audit Process
Chapter 12-10
Careers in IT Auditing
Background Accounting skills Information systems or computer science skills
Certified Information System Auditor (CISA) Successfully complete examination Experience requirements Comply with Code of Professional Ethics Continuing professional education Comply with standards
Chapter 12-11
CISA Exam Components
Chapter 12-12
Careers in IT Auditing
Certified Information Security Manager (CISM) Business orientation Understand risk management and security
CISM Knowledge Information security governance Information security program management Risk management Information security management Response management
Chapter 12-13
Evaluating the Effectiveness of
Information Systems Controls
Impact on Substantive Testing Strong controls, less substantive testing Weak controls, more substantive testing
Risk Assessment Evaluate the risks associated with control
weaknesses Make recommendations to improve controls
Chapter 12-14
Risk Assessment
Risk-Based Audit Approach Determine the threats Identify the control procedures needed Evaluate the current control procedures Evaluate the weaknesses within the AIS
Benefits Understanding of errors and irregularities Sound basis for recommendations
Chapter 12-15
Information Systems Risk Assessment
Method of evaluating desirability of IT controls
Types of Risks Errors and accidents Loss of company secrets Unauthorized manipulation of company files Interrupted computer access
Penetration Testing
Chapter 12-16
An IT auditor:
A.Must be an external auditor
B.Must be an internal auditor
C.Can be either an internal or external auditor
D.Must be a Certified Public Accountant
Study Break #1
Chapter 12-17
An IT auditor:
A.Must be an external auditor
B.Must be an internal auditor
C.Can be either an internal or external auditor
D.Must be a Certified Public Accountant
Study Break #1 - Answer
Chapter 12-18
In determining the scope of an IT audit, the auditor should pay most attention to:
A.Threats and risks
B.The cost of the audit
C.What the IT manager asks to be evaluated
D.Listings of standard control procedures
Study Break #2
Chapter 12-19
In determining the scope of an IT audit, the auditor should pay most attention to:
A.Threats and risks
B.The cost of the audit
C.What the IT manager asks to be evaluated
D.Listings of standard control procedures
Study Break #2 - Answer
Chapter 12-20
The IT Auditor’s Toolkit
Utilization of CAATs Auditing with the computer Manual access to data stored on computers is
impossible
Tools Auditing Software People Skills
Chapter 12-21
General-Use Software
Productivity tools that improve the auditor’s work
Types Word processing programs Spreadsheet software Database management systems (DBMS) Structured Query Language (SQL)
Chapter 12-22
Generalized Audit Software
Overview Allow for reviewing of files without rewriting
processing programs Basic data manipulation Tailored to auditor tasks
Common Programs Audit Command Language (ACL) Interactive Data Extraction and Analysis (IDEA)
Chapter 12-23
Generalized Audit Software - Inventory
Chapter 12-24
Automated Workpapers
Overview Automate and standardize audit tests Can prepare financial statements and other financial
measures
Features Generate trial balances Make adjusting entries Perform consolidations Conduct analytical procedures Document audit procedures and conclusions
Chapter 12-25
People Skills
Examples Working as a team Interact with clients and other auditors Interviewing clients
Importance of Interviews Gain understanding of organization Evaluate internal controls
Chapter 12-26
Auditing Computerized AISs
Auditing Around the Computer Assumes accurate output verifies proper
processing Not effective in a computerized environment
Auditing Through the Computer Follows audit trail through the computer Verifies proper functioning of processing controls
in AIS programs
Chapter 12-27
Auditing Computerized AISs
Testing Computer Programs
Validating Computer Programs
Review of Systems Software
Validating Users and Access Privileges
Continuous Auditing
Chapter 12-28
Testing Computer Programs
Test Data Create set of transactions Covering range of exception situations Compare results and investigate further
Integrated Test Facility Establish a fictitious entity Enter transactions for that entity Observe how they are processed
Chapter 12-29
Testing Computer Programs
Parallel Simulation Utilized live input data Simulates all or some of the operations Compare results Very time-consuming and cost-prohibitive
Chapter 12-30
Edit Tests and Test Data
Chapter 12-31
Validating Computer Programs
Tests of Program Change Controls Protect against unauthorized program changes Documentation of requests for program changes Utilize special forms for authorization
Program Comparison Test of Length Comparison Program
Chapter 12-32
Reviewing a Responsibility System
Chapter 12-33
Review of Systems Software
Systems Software Controls Operating system software Utility programs Program library software Access control software
Inspect Outputs Logs Incident reports
Chapter 12-34
Password Parameters
Chapter 12-35
Validating Users and Access Privileges
Purpose Ensure all system users are valid Appropriate access privileges
Utilize Software Tools Examine login times Exception conditions Irregularities
Chapter 12-36
Continuous Auditing
Embedded Audit Modules (Audit Hooks) Capture data for audit purposes
Exception Reporting Transactions falling outside given parameters are
rejected
Transaction Tagging Certain transactions tagged and progress recorded
Chapter 12-37
Continuous Auditing
Snapshot Technique Examines how transactions are processed
Continuous and Intermittent Simulation (CIS) Embeds audit module in a database management
system (DBMS) Similar to parallel simulation
Chapter 12-38
Continuous Auditing – Spreadsheet Errors
Chapter 12-39
Which of the following is NOT an audit technique for auditing computerized AIS?
A.Parallel simulation
B.Use of specialized control software
C.Continuous auditing
D.All of the above are techniques used to audit computerized AIS
Study Break #3
Chapter 12-40
Which of the following is NOT an audit technique for auditing computerized AIS?
A.Parallel simulation
B.Use of specialized control software
C.Continuous auditing
D.All of the above are techniques used to audit computerized AIS
Study Break #3 - Answer
Chapter 12-41
Continuous auditing:
A.Has been talked about for years but will never catch on
B.Will likely become popular if organizations adopt XBRL in their financial reporting
C.Does not include techniques such as embedded audit modules
D.Will never allow IT auditors to provide some types of assurance on a real-time basis
Study Break #4
Chapter 12-42
Continuous auditing:
A.Has been talked about for years but will never catch on
B.Will likely become popular if organizations adopt XBRL in their financial reporting
C.Does not include techniques such as embedded audit modules
D.Will never allow IT auditors to provide some types of assurance on a real-time basis
Study Break #4 - Answer
Chapter 12-43
IT Auditing Today
Auditing for Fraud: Statement on Auditing Standards No. 99
The Sarbanes-Oxley Act of 2002
Auditing Standard No. 5 (AS5)
Third Party and Information Systems Reliability Assurances
Chapter 12-44
IT Governance
Overview Process of using IT resources effectively Efficient, responsible, strategic use of IT
Objectives Using IT strategically to fulfill mission of
organization Ensure effective management of IT
Chapter 12-45
Auditing for Fraud: Statement on Auditing
Standard No. 99
Overview Supersedes SAS No. 82 Provides more guidance to prevent and deter fraud
Fraud Triangle Motive for committing fraud Opportunity that allows fraud to occur Rationalization by individual
Chapter 12-46
Fraud Triangle
Chapter 12-47
The Sarbanes-Oxley Act of 2002
Overview Limits services that auditors can provide clients while
they are conducting audits
Groups of Compliance Requirements Audit committee/corporate governance requirements Certification, disclosure, and internal control Financial statement reporting rules Executive reporting and conduct
Chapter 12-48
The Sarbanes-Oxley Act of 2002
Section 302 CEOs and CFOs are required to certify the
financial statements Internal controls and disclosures are adequate
Section 404 CEOs and CFOs assess and attest to the
effectiveness of internal controls
Chapter 12-49
Key Provisions of SOX
Chapter 12-50
Key Provisions of SOX
Chapter 12-51
Auditing Standard No. 5 (AS5)
Purpose PCAOB guidance Focus on most critical controls
Rebalancing of Auditor’s Work Internal auditors help to advise board of directors External auditors reduce redundant testing
Chapter 12-52
Third Party and Information Systems Reliability
Assurances
Growth of Electronic Commerce Area of growing risk Security and privacy concerns Difficult to audit
AICPA Trust Services CPA WebTrust SysTrust
Chapter 12-53
Third Party and Information Systems Reliability
Assurances
Principles of Trust Services Security Availability Processing integrity Online privacy Confidentiality
Chapter 12-54
Copyright
Copyright 2012 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchasermay make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
Chapter 12-55
Chapter 12