Chapter 17: Information Systems Auditing and Assurance
(Transcript of the PowerPoint slides for Chapter 17.)
Objectives for Chapter 17
- The purpose of an audit and the basic conceptual elements of the audit process
- The difference between internal and external auditing and the relationship between them
- How auditing objectives and tests of controls are determined by the control structure of the client firm
- Audit objectives and tests of controls for each of the nine general control areas
- Auditing techniques used to verify the effective functioning of application controls
- Auditing techniques used to perform substantive tests in a CBIS (computer-based information system) environment
Attestation vs. Assurance
Attestation: an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party (SSAE No. 1, AT Sec. 100.01).
Assurance: professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers. Assurance includes, but is not limited to, attestation.

Attest and Assurance Services (slide diagram): the relationship among assurance services, attestation, and management consulting; attestation is shown as a subset of assurance.
What is Auditing?
An independent attestation by a professional (CPA) regarding the faithful representation of the financial statements.
Three phases of a financial audit:
- Familiarization with the client firm
- Evaluation and testing of internal controls
- Assessment of the reliability of financial data
External Auditing versus Internal Auditing
External auditors represent the interests of third-party stakeholders, while internal auditors serve as an independent appraisal function within the organization.
Internal auditors often perform tasks on which the external auditors can rely, which improves audit efficiency and reduces external audit fees.
Information Technology (IT) Audit
Since most information systems employ information technology, the IT audit is typically a significant component of both external (financial) and internal audits.
An IT audit focuses on the computer-based aspects of an organization's information system, assessing the proper implementation, operation, and control of computer resources.
Elements of an Audit
- Systematic procedures are used
- Evidence is obtained: tests of internal controls and substantive tests
- Materiality is determined for the weaknesses found
- An audit report and audit opinion are prepared

Phases of an IT Audit (slide flowchart)
Audit planning phase: review the organization's policies, practices, and structure; review general controls and application controls; plan tests of controls and substantive testing procedures.
Tests of controls phase: perform tests of controls; evaluate test results; determine the degree of reliance on controls.
Substantive testing phase: perform substantive tests; evaluate results and issue the auditor's report (the audit report).
Audit Risk
Audit risk is the probability that the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated.
Components of Audit Risk
- Inherent risk is associated with the unique characteristics of the business or industry of the client.
- Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
- Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.
Tests of General Controls
Our primary purposes are to understand:
- the auditing objectives in each general control area
- the nature of the tests that auditors perform to achieve these objectives
Tests of General Controls
Our discussion is organized around the following nine general control areas:
1. Operating system controls
2. Data management controls
3. Organizational structure controls
4. Systems development controls
5. Systems maintenance controls
6. Computer center security and controls
7. Internet and intranet controls
8. Electronic data interchange (EDI) controls
9. Personal computer controls

General Control Framework for CBIS Risks (slide diagram): the applications sit at the center, surrounded by the general control areas that protect them (operating system, data management, organizational structure, systems development, systems maintenance, computer center security, Internet and intranet, EDI trading partners, and personal computers).
1. General Control Tests: Operating System
Objective: verify that the security policy and control procedures are rigorous enough to protect the operating system against:
- hardware failure
- software errors
- destructive acts by employees or hackers
- virus infection
Controls: access privilege controls, password controls, virus controls, fault tolerance controls
2. General Control Tests: Data Management
Objective: protect against unauthorized access to or destruction of data, and against inadequate data backup.
Controls:
- access: encryption, user authorization tables, inference controls, and biometric devices are a few examples
- backup: grandfather-father-son and direct-access backup; recovery procedures
3. General Control Tests: Organizational Structure
Objectives:
- determine whether incompatible functions have been identified and segregated in accordance with the level of potential exposure
- determine whether segregation is sustained through a working environment that promotes formal relationships between incompatible tasks
Controls: review organizational and systems documentation, observe behavior, and review database authority tables
4. General Control Tests: Systems Development
Objectives: ensure that
- SDLC activities are applied consistently and in accordance with management's policies
- the system as originally implemented was free from material errors and fraud
- the system was judged to be necessary and justified at various checkpoints throughout the SDLC
- system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities
Controls: systems authorization techniques, sound development procedures, internal audit team participation, appropriate testing of the system
5. General Control Tests: Systems Maintenance
Objectives: determine that
- maintenance procedures protect applications from unauthorized changes
- applications are free from material errors
- program libraries are protected from unauthorized access
Controls:
- authorization requirements for program maintenance
- appropriate documentation of changes
- adequate testing of program changes
- reconciling program version numbers
- review of the programmer authority table
- review of the test authority table
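Worked example, added here and not part of the slide deck: a script that performs two of the review steps listed for organizational structure and systems maintenance controls. It reads an authority table and reports users who hold incompatible functions, and it reconciles program version numbers between the authorized-change record and the production library. The authority table, the departments and user names, the incompatible-function pairs, the program names and the version records are all constructed for the example.

```python
from itertools import combinations

# Constructed authority table as an auditor would extract it: (user, department, privilege).
AUTHORITY_TABLE = [
    ("asmith", "programming", "PROGRAM_MAINTENANCE"),
    ("asmith", "programming", "TEST_LIBRARY_WRITE"),
    ("jdoe", "programming", "PROGRAM_MAINTENANCE"),
    ("jdoe", "programming", "PRODUCTION_LIBRARY_WRITE"),   # can promote own changes to production
    ("bwong", "operations", "PRODUCTION_RUN"),
    ("bwong", "operations", "PROGRAM_MAINTENANCE"),        # operator who can also change programs
    ("librarian", "operations", "PRODUCTION_LIBRARY_WRITE"),
    ("clee", "accounting", "TRANSACTION_INITIATE"),
    ("clee", "accounting", "TRANSACTION_APPROVE"),         # initiates and approves the same items
    ("dkim", "accounting", "TRANSACTION_INITIATE"),
]

# Functions that one individual must not hold together. The segregation principle is
# the slide's; these particular pairs are an assumption of the example.
INCOMPATIBLE = {
    frozenset({"PROGRAM_MAINTENANCE", "PRODUCTION_LIBRARY_WRITE"}),
    frozenset({"PROGRAM_MAINTENANCE", "PRODUCTION_RUN"}),
    frozenset({"TRANSACTION_INITIATE", "TRANSACTION_APPROVE"}),
}

# Constructed records: version authorized on the change log vs. version found in production.
AUTHORIZED_VERSIONS = {"AR200": "3.4", "GL100": "7.0", "PAY310": "2.2"}
PRODUCTION_LIBRARY = {"AR200": "3.4", "GL100": "7.1", "PAY310": "2.2", "TMP99": "0.1"}


def privileges_by_user(table):
    """Collapse the authority table into {user: set of privileges}."""
    by_user = {}
    for user, _department, privilege in table:
        by_user.setdefault(user, set()).add(privilege)
    return by_user


def segregation_violations(table=AUTHORITY_TABLE, incompatible=INCOMPATIBLE):
    """Every (user, function, function) where one user holds an incompatible pair."""
    violations = []
    for user, privileges in sorted(privileges_by_user(table).items()):
        for a, b in combinations(sorted(privileges), 2):
            if frozenset({a, b}) in incompatible:
                violations.append((user, a, b))
    return violations


def reconcile_versions(authorized=AUTHORIZED_VERSIONS, production=PRODUCTION_LIBRARY):
    """Programs whose production version differs from the authorized one, including
    programs present in production with no authorization record at all."""
    exceptions = []
    for program in sorted(set(authorized) | set(production)):
        if authorized.get(program) != production.get(program):
            exceptions.append((program, authorized.get(program), production.get(program)))
    return exceptions


if __name__ == "__main__":
    for v in segregation_violations():
        print("segregation:", v)
    for e in reconcile_versions():
        print("version:", e)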
6. General Control Tests: Computer Center
Objectives: determine that
- physical security controls adequately protect the organization from physical exposures
- insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center
- operator documentation is adequate to deal with routine operations as well as system failures
- the organization's disaster recovery plan is adequate and feasible
Controls: well-planned physical layout, backup and disaster recovery planning, review of the critical application list
7. General Control Tests: Internet and Intranet
Objectives: determine that communications controls
- can detect and correct messages lost due to equipment failure
- can prevent and detect illegal access both internally and from the Internet
- will render useless any data that are successfully captured by a perpetrator
- are sufficient to preserve the integrity and security of data connected to the network
Controls:
- equipment failure: line checks (parity and echo checks) and backups
- subversive threats: access controls, encryption of data, and firewalls
- message control: sequence numbering, authentication, transaction logs, request-response polling
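Added example, not from the slide deck: the message controls listed above (sequence numbering, authentication, a transaction log, and request-response recovery) implemented for a simulated exchange between two sites. The Sender and Receiver classes, the shared key, and the payment payloads are constructed for the example; authentication is done with an HMAC over the sequence number and payload, a technique chosen for the example rather than one named on the slide. The driver loses one message, alters another in transit, and replays a third, so the log shows each control firing.

```python
import hashlib
import hmac
import json

# Shared secret between the two sites; a literal only because the example runs offline.
SECRET_KEY = b"example-shared-key-for-demonstration"


def _canonical(seq, payload):
    # The MAC covers the sequence number together with the payload, so a captured
    # message cannot be renumbered and replayed as a new one.
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()


def make_message(seq, payload, key=SECRET_KEY):
    tag = hmac.new(key, _canonical(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "mac": tag}


class Sender:
    """Numbers messages consecutively and keeps copies for retransmission."""

    def __init__(self, key=SECRET_KEY):
        self.key, self.next_seq, self.buffer = key, 1, {}

    def send(self, payload):
        msg = make_message(self.next_seq, payload, self.key)
        self.buffer[self.next_seq] = msg
        self.next_seq += 1
        return msg

    def retransmit(self, seq):
        return self.buffer[seq]


class Receiver:
    """Authenticates each message, enforces strict sequencing, logs every decision."""

    def __init__(self, key=SECRET_KEY):
        self.key, self.expected_seq = key, 1
        self.accepted, self.log = [], []          # released payloads; transaction log

    def receive(self, msg):
        tag = hmac.new(self.key, _canonical(msg["seq"], msg["payload"]),
                       hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, msg["mac"]):
            return self._log(msg["seq"], "bad_mac")        # altered or forged in transit
        if msg["seq"] < self.expected_seq:
            return self._log(msg["seq"], "replay")         # already processed: a captured copy
        if msg["seq"] > self.expected_seq:
            missing = list(range(self.expected_seq, msg["seq"]))
            return self._log(msg["seq"], "gap", missing=missing)   # earlier messages lost
        self.accepted.append(msg["payload"])
        self.expected_seq += 1
        return self._log(msg["seq"], "accepted")

    def _log(self, seq, status, **extra):
        self.log.append((seq, status))
        return {"status": status, **extra}


def deliver(receiver, sender, msg):
    """Request-response recovery: a rejected or out-of-sequence message makes the
    receiver ask the sender for the authentic copies it still needs."""
    result = receiver.receive(msg)
    if result["status"] == "bad_mac":
        return deliver(receiver, sender, sender.retransmit(msg["seq"]))
    if result["status"] == "gap":
        for seq in result["missing"]:
            deliver(receiver, sender, sender.retransmit(seq))
        return deliver(receiver, sender, sender.retransmit(msg["seq"]))
    return result


def run_exchange(payloads, lost=(), tampered=(), replayed=()):
    """Simulated line that loses, alters, or replays chosen sequence numbers.
    Returns the payloads the receiver released and its transaction log."""
    sender, receiver = Sender(), Receiver()
    for msg in [sender.send(p) for p in payloads]:
        seq = msg["seq"]
        if seq in lost:
            continue                                  # equipment failure: never arrives
        if seq in tampered:                           # amount altered, MAC left untouched
            msg = dict(msg, payload={**msg["payload"], "amount": msg["payload"]["amount"] * 10})
        deliver(receiver, sender, msg)
        if seq in replayed:
            receiver.receive(msg)                     # perpetrator resends a captured copy
    return receiver.accepted, receiver.log


if __name__ == "__main__":
    # Constructed payment instructions; message 2 is lost, 4 is altered, 3 is replayed.
    payments = [{"id": f"PAY-{i}", "amount": 100 * i} for i in range(1, 6)]
    accepted, log = run_exchange(payments, lost={2}, tampered={4}, replayed={3})
    print(accepted == payments)   # True: all five arrive intact and in order
    print(log)
```

The MAC gives authentication and integrity only: a perpetrator who captures a message can still read it, so the slide's "render useless any data captured" objective is met by the separate encryption control, not by this code.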
8. General Control Tests: EDI
Objectives: determine that
- all EDI transactions are authorized, validated, and in compliance with organizational policy
- no unauthorized organizations gain access to database records
- authorized trading partners have access only to approved data
- adequate controls are in place to ensure complete EDI transactions
Controls: sophisticated authorization and validation techniques, access controls, audit trail modules and controls
9. General Control Tests: Personal Computers
Objectives: determine that
- adequate supervision and operating procedures exist to compensate for the lack of segregation between the duties of users, programmers, and operators
- access to microcomputers, data files, and program files is restricted to authorized personnel
- backup procedures are in place to prevent data and program loss from hardware failures
- systems selection and acquisition procedures produce applications that are of high quality, free from errors, and protected from unauthorized changes
Controls: increased supervision, access and security controls, backup controls, systems selection and acquisition controls
Computer Applications Controls
Techniques for auditing computer applications fall into two classes:
- techniques for testing application controls
- techniques for examining transaction details and account balances (substantive testing)
Testing Application Controls
Black box approach: understanding flowcharts, input procedures, and output results, without examining the application's internal logic.
White box approach: understanding the internal logic of the application. White box tests include:
- authenticity (access) tests
- accuracy tests
- completeness tests
- redundancy tests
- audit trail tests
- rounding error tests

Auditing Around the Computer: The Black Box Approach (slide diagram)
Input transactions, the master file, and the output of the application under review are shown; the auditor reconciles the input transactions with the output produced by the application, without examining the application itself.
White Box Testing Techniques
- Test data method: testing for logic or control problems; good for testing new systems or systems that have undergone recent maintenance
- Base case system evaluation (BCSE): using a comprehensive set of test transactions
- Tracing: performs an electronic walkthrough of the application's internal logic
Test data methods are not fool-proof:
- they are a snapshot, a one-point-in-time examination
- developing adequate test data is costly

Auditing through the Computer: The Test Data Technique (slide diagram)
The auditor prepares test transactions, test master files, and predetermined (expected) results. The test data are run through the application under review against the test master files; after the test run, the auditor compares the test results with the predetermined results.
White Box Testing Techniques
- Integrated test facility (ITF): an automated, ongoing technique that enables the auditor to test an application's logic and controls during its normal operation
- Parallel simulation: the auditor writes a simulation program and runs the client's actual transactions through it, then reconciles the simulated output with the production output

Auditing through the Computer: The Integrated Test Facility Technique (slide diagram)
The auditor enters ITF test transactions along with production transactions and calculates expected results. The production application, with embedded ITF modules, processes both streams: production transactions update the production master files and produce production reports, while ITF transactions update the ITF master files and produce ITF test results. After testing, the auditor compares the ITF results with the expected results.

Auditing through the Computer: The Parallel Simulation Technique (slide diagram)
The production transaction file is processed by the actual production application against the production master files to produce production output. Working from the application specifications, the auditor uses generalized audit software (GAS) to produce a simulation program, which processes the same production transactions to produce simulation output. The auditor reconciles the simulation output with the production output.
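Added example, not from the slide deck: parallel simulation combined with the rounding error test listed among the white box tests. A constructed stand-in for a client's monthly-interest program truncates each account's interest to the cent and accumulates the shaved fractions in a suspense account; the auditor's simulation program, written only from the specification (balance times annual rate, divided by 12, rounded half-up to the cent), processes the same production transactions, and the reconciliation lists the exceptions. The account numbers, balances, rates, the suspense account, and the specification itself are assumptions of the example.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
SUSPENSE = "S-9999"

# Constructed production transaction file: (account, balance, annual rate).
PRODUCTION_TRANSACTIONS = [
    ("A-1001", Decimal("1000.00"), Decimal("0.030")),
    ("A-1002", Decimal("1234.56"), Decimal("0.030")),
    ("A-1003", Decimal("999.99"), Decimal("0.060")),
    ("A-1004", Decimal("500.00"), Decimal("0.048")),
    ("A-1005", Decimal("2500.00"), Decimal("0.0333")),
    ("A-1006", Decimal("75.00"), Decimal("0.020")),
    ("A-1007", Decimal("3100.10"), Decimal("0.024")),
]


def production_application(transactions):
    """Constructed stand-in for the client's program. It departs from the
    specification in one way: interest is truncated to the cent instead of
    rounded, and the shaved fractions are accumulated into a suspense account."""
    output, shaved = {}, Decimal("0")
    for account, balance, rate in transactions:
        exact = balance * rate / 12
        posted = exact.quantize(CENT, rounding=ROUND_DOWN)
        shaved += exact - posted
        output[account] = posted
    output[SUSPENSE] = shaved.quantize(CENT, rounding=ROUND_HALF_UP)
    return output


def simulation_program(transactions):
    """Auditor's simulation, written from the specification alone:
    monthly interest = balance * annual rate / 12, rounded half-up to the cent."""
    return {account: (balance * rate / 12).quantize(CENT, rounding=ROUND_HALF_UP)
            for account, balance, rate in transactions}


def reconcile(production_output, simulation_output):
    """Compare the two outputs account by account and return the exceptions,
    including accounts that appear in only one of them."""
    exceptions = []
    for account in sorted(set(production_output) | set(simulation_output)):
        prod, sim = production_output.get(account), simulation_output.get(account)
        if prod != sim:
            difference = sim - prod if prod is not None and sim is not None else None
            exceptions.append({"account": account, "production": prod,
                               "simulation": sim, "difference": difference})
    return exceptions


def run_parallel_simulation(transactions=PRODUCTION_TRANSACTIONS):
    return reconcile(production_application(transactions), simulation_program(transactions))


if __name__ == "__main__":
    for exception in run_parallel_simulation():
        print(exception)
```

Each flagged account is off by exactly one cent in the same direction, and an account the specification never mentions carries the accumulated difference; a single truncated account would look like an ordinary rounding choice, which is why the simulation is run over the whole production file rather than a few test transactions.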
Substantive Testing Techniques
- Search for unrecorded liabilities.
- Confirm accounts receivable to ensure they are not overstated.
- Determine the correct value of inventory, and ensure it is not overstated.
- Determine the accuracy of accruals for expenses incurred but not yet paid (and of accrued revenues, if appropriate).
Embedded Audit Module (EAM)
- An ongoing module, embedded in the application, that captures transactions meeting a materiality threshold and filters out non-material transactions
- The captured material transactions are used for sampling in substantive tests
- Requires additional computing resources from the client
- Difficult to maintain in applications that undergo frequent maintenance

Substantive Testing: The Embedded Audit Module (slide diagram)
Production transactions flow through the production application, which updates the production master files and sends production output to users. The auditor sets the materiality threshold for capturing transactions; the EAM copies the transactions that meet it into an audit file. The auditor reviews the audit file and prepares a list of material transactions for use in substantive tests.
Generalized Audit Software (GAS)
Very popular and widely used. GAS can access data files and perform operations on them:
- screen data
- statistical sampling methods
- foot and balance
- format reports
- compare files and fields
- recalculate data fields

Substantive Testing with GAS: Complex File Structure Access (slide diagram)
The auditor specifies which database records to copy into a flat file, and a DBMS utility program produces a flat file of that portion of the database. The GAS retrieves selected records from the flat file, using selection criteria determined by the auditor, and produces a transactions list.
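Added example, not from the slide deck, covering both the EAM materiality filter and the GAS operations listed above: a small GAS-style script that reads a constructed flat file as a DBMS utility would extract it from an accounts receivable database, screens items against a materiality threshold, foots the detail and balances it to the general ledger control account, recalculates the amount field, compares the customer field with a customer master file, and draws a seeded random sample of the immaterial remainder. The flat file, the customer master, the control balance, the threshold and the sample size are all constructed.

```python
import csv
import io
import random
from decimal import Decimal

# Constructed flat file, as a DBMS utility would extract open invoices from the AR database.
AR_FLAT_FILE = """invoice,customer,qty,unit_price,amount
INV-5001,C-100,10,25.00,250.00
INV-5002,C-101,3,199.99,599.97
INV-5003,C-102,7,12.50,87.55
INV-5004,C-999,1,15000.00,15000.00
INV-5005,C-100,40,250.00,10000.00
INV-5006,C-103,2,49.95,99.90
"""
# Constructed customer master file and general-ledger AR control balance.
CUSTOMER_MASTER = {"C-100", "C-101", "C-102", "C-103"}
GL_AR_CONTROL = Decimal("26037.37")


def load_flat_file(text):
    """Parse the flat file; amounts become Decimal so footing is exact."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["qty"] = int(row["qty"])
        row["unit_price"] = Decimal(row["unit_price"])
        row["amount"] = Decimal(row["amount"])
    return rows


def foot_and_balance(rows, control_total):
    """Foot the detail records and return (footed total, variance to the GL control)."""
    footed = sum((row["amount"] for row in rows), Decimal("0"))
    return footed, footed - control_total


def recalculate(rows):
    """Recalculate amount = qty * unit_price; return (invoice, recorded, recalculated) mismatches."""
    return [(row["invoice"], row["amount"], row["qty"] * row["unit_price"])
            for row in rows if row["qty"] * row["unit_price"] != row["amount"]]


def compare_to_master(rows, master):
    """Compare the customer field against the master file; invoices for unknown customers."""
    return [row["invoice"] for row in rows if row["customer"] not in master]


def screen_material(rows, threshold):
    """Screen data: items at or above the materiality threshold are examined in full."""
    return [row for row in rows if row["amount"] >= threshold]


def sample_remainder(rows, threshold, size, seed=17):
    """Random sample of the immaterial remainder, reproducible from the seed."""
    remainder = [row for row in rows if row["amount"] < threshold]
    return random.Random(seed).sample(remainder, min(size, len(remainder)))


def substantive_tests(text=AR_FLAT_FILE, master=CUSTOMER_MASTER, control=GL_AR_CONTROL,
                      threshold=Decimal("5000.00"), sample_size=2):
    rows = load_flat_file(text)
    footed, variance = foot_and_balance(rows, control)
    return {
        "footed_total": footed,
        "variance_to_control": variance,
        "recalculation_exceptions": recalculate(rows),
        "unknown_customers": compare_to_master(rows, master),
        "material_items": [row["invoice"] for row in screen_material(rows, threshold)],
        "sample": [row["invoice"] for row in sample_remainder(rows, threshold, sample_size)],
    }


if __name__ == "__main__":
    for name, value in substantive_tests().items():
        print(f"{name}: {value}")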