Chapter 17 Information Systems Auditing and Assurance

Uploaded by cordelia-snow, 24-Dec-2015


Objectives for Chapter 17

• Purpose of an audit and the basic conceptual elements of the audit process

• Difference between internal and external auditing and the relationship between them

• How auditing objectives and tests of control are determined by the control structure of the client firm

• Audit objective and tests of control for each of the nine general control areas

• Auditing techniques used to verify the effective functioning of application controls

• Auditing techniques used to perform substantive tests in a CBIS environment

Attestation versus Assurance

• Attestation:
– an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. (SSAE No. 1, AT Sec. 100.01)

• Assurance:
– professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
– includes, but is not limited to, attestation


Attest and Assurance Services


What is a Financial Audit?

• An independent attestation by a professional (CPA) regarding the faithful representation of the financial statements.

• Three phases of a financial audit:
– familiarization with client firm
– evaluation and testing of internal controls
– assessment of reliability of financial data


Generally Accepted Auditing Standards (GAAS)


External versus Internal Auditing

• External auditors represent the interests of third party stakeholders, while internal auditors serve as an independent appraisal function within the organization.

• Internal auditors often perform tasks that can reduce external audit fees and help to achieve audit efficiency.


Elements of an Audit

• Systematic procedures are used

• Evidence is obtained
– tests of internal controls
– substantive tests

• Determination of materiality for weaknesses found

• Prepare audit report & audit opinion


Information Technology (IT) Audit

• Since most information systems employ information technology, the IT audit is typically a significant component of all external (financial) and internal audits.

• IT audits:
– focus on the computer-based aspects of an organization’s information system
– assess the proper implementation, operation, and control of computer resources


Phases of an IT Audit


Audit Risk is...

the probability the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated.

Components of Audit Risk

• Inherent risk is associated with the unique characteristics of the business or industry of the client.

• Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.

• Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.

Tests of General Controls

• Our primary purposes are to understand:
– the auditing objectives in each general control area and
– the nature of the tests that auditors perform to achieve these objectives.

Tests of General Controls

• Our discussion is organized around the following:

1. operating system controls
2. data management controls
3. organizational structure controls
4. systems development controls
5. systems maintenance controls
6. computer center security and control
7. Internet and Intranet controls
8. electronic data interchange (EDI) controls
9. personal computer controls

General Control Framework for CBIS Risks (figure; labelled areas: Operating System, Data Management, Systems Development, Systems Maintenance, Organizational Structure, Internet & Intranet, EDI Trading Partners, Personal Computers, Computer Center Security, Applications)

1. General Control Tests

Operating system objective: verify that the security policy and control procedures are rigorous enough to protect the operating system against:
– hardware failure
– software errors
– destructive acts by employees or hackers
– virus infection

1. General Control Tests

Operating system (continued)

Access controls:
– privilege controls
– password control
– virus control
– fault tolerance control

2. General Control Tests

• Data management objective:
– protect against unauthorized access to or destruction of data & inadequate data backup.

• Controls:
– access - encryption, user authorization tables, inference controls and biometric devices are a few examples
– backup - grandfather-father-son and direct access backup; recovery procedures

3. General Control Tests

Organizational structure objectives:
– determine whether incompatible functions have been identified and segregated in accordance with the level of potential exposure
– determine whether segregation is sustained through a working environment that promotes formal relationships between incompatible tasks

Controls:
– review organizational & systems documentation, observe behavior, and review database authority tables


4. General Control Tests

Systems development objectives: ensure that...

– SDLC activities are applied consistently and in accordance with management’s policies

– the system as originally implemented was free from material errors and fraud

– the system was judged to be necessary and justified at various checkpoints throughout the SDLC

– system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities

4. General Control Tests

Systems development (continued)

Controls:
– systems authorization techniques
– good development procedures
– internal audit team participation
– appropriate testing of system


5. General Control Tests

Systems maintenance objectives: detect unauthorized program maintenance and determine that...

– maintenance procedures protect applications from unauthorized changes

– applications are free from material errors

– program libraries are protected from unauthorized access

5. General Control Tests

Systems maintenance (continued)

Controls:
– authorization requirements for program maintenance
– appropriate documentation of changes
– adequate testing of program changes
– reconciling program version numbers
– review programmer authority table
– test authority table

6. General Control Tests

Computer center objectives: determine that...
– physical security controls adequately protect the organization from physical exposures
– insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center

– operator documentation is adequate to deal with routine operations as well as system failures

– the organization’s disaster recovery plan is adequate and feasible

6. General Control Tests

Computer center (continued)

Controls:
– well-planned physical layout
– backup and disaster recovery planning
– review critical application list

7. General Control Tests

Internet & Intranet objectives: determine that communications controls...
– can detect and correct message loss due to equipment failure
– can prevent and detect illegal access both internally and from the Internet
– will render useless any data that are successfully captured by a perpetrator
– are sufficient to preserve the integrity and security of data connected to the network

7. General Control Tests

Internet & Intranet (continued)

Controls:
– equipment failure: line checks (parity & echo), and backups
– subversive threats: access controls, encryption of data, and firewalls
– message control: sequence numbering, authentication, transaction logs, request-response polling

8. General Control Tests

EDI objectives: determine that...
– all EDI transactions are authorized, validated, and in compliance with organizational policy
– no unauthorized organizations gain access to database records
– authorized trading partners have access only to approved data
– adequate controls are in place to ensure complete EDI transactions

8. General Control Tests

EDI (continued)

Controls:
– sophisticated authorization & validation techniques
– access controls
– audit trail modules and controls

9. General Control Tests

Personal computers (PCs) objectives: determine that...
– adequate supervision and operating procedures exist to compensate for lack of segregation between the duties of users, programmers, and operators

– access to microcomputers, data files, and program files is restricted to authorized personnel

– backup procedures are in place to prevent data and program loss from hardware failures

– systems selection and acquisition procedures produce applications that are high quality, free from errors, and protected from unauthorized changes

9. General Control Tests

PCs (continued)

Controls:
– increased supervision
– access & security controls
– backup controls
– systems development and maintenance controls
– systems development and acquisition controls

Computer Applications Controls

• Techniques for auditing computer applications fall into two classes:
1) techniques for testing application controls
2) techniques for examining transaction details and account balances (substantive testing)

Testing Application Controls

• Black Box Approach - understanding flowcharts, input procedures, & output results

• White Box Approach - understanding the internal logic of the application
– authenticity (access) tests
– accuracy tests
– completeness tests
– redundancy tests
– audit trail tests
– rounding error tests


Auditing Around the Computer - The Black Box Approach

White Box Testing Techniques

• Test data method: testing for logic or control problems - good for new systems or systems which have undergone recent maintenance
– base case system evaluation (BCSE) - using a comprehensive set of test transactions
– tracing - performs an electronic walkthrough of the application’s internal logic

• Test Data Methods are not fool-proof
– a snapshot - one point in time examination
– high cost of developing adequate test data


Auditing through the Computer: The Test Data Technique


White Box Testing Techniques

• Integrated test facility (ITF): an automated, on-going technique that enables the auditor to test an application’s logic and controls during its normal operation

• Parallel simulation: auditor writes simulation programs and runs actual transactions of the client through the system
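The parallel simulation idea above, shown as an added example (not from the chapter): the auditor re-implements the client's billing rule independently and pushes the client's own transaction records through it, reporting every record where the client's stored total disagrees. The billing policy (10% discount at 100 units or more, then 7% tax) and the transaction records are constructed for this example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Hypothetical billing policy the auditor re-implements from the client's
# documentation (assumed for this example): 10% discount on orders of
# 100 units or more, then 7% sales tax, each step rounded half-up to the cent.
TAX_RATE = Decimal("0.07")
DISCOUNT_RATE = Decimal("0.10")
DISCOUNT_THRESHOLD = 100

def cents(x: Decimal) -> Decimal:
    return x.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def simulate_invoice_total(qty: int, unit_price: Decimal) -> Decimal:
    """Auditor's independent (simulated) computation of an invoice total."""
    gross = cents(Decimal(qty) * unit_price)
    if qty >= DISCOUNT_THRESHOLD:
        gross -= cents(gross * DISCOUNT_RATE)
    return cents(gross + cents(gross * TAX_RATE))

# Constructed sample of the client's transaction file; each record carries the
# total that the client's production application computed and stored.
CLIENT_TRANSACTIONS = [
    {"inv": "1001", "qty": 10,  "unit_price": Decimal("25.00"),  "client_total": Decimal("267.50")},
    {"inv": "1002", "qty": 120, "unit_price": Decimal("9.99"),   "client_total": Decimal("1154.44")},
    {"inv": "1003", "qty": 100, "unit_price": Decimal("50.00"),  "client_total": Decimal("5350.00")},
    {"inv": "1004", "qty": 3,   "unit_price": Decimal("199.99"), "client_total": Decimal("641.97")},
]

def parallel_simulation(transactions):
    """Run every client transaction through the simulation; return the exceptions
    as (invoice, client_total, simulated_total) where the two totals differ."""
    exceptions = []
    for t in transactions:
        simulated = simulate_invoice_total(t["qty"], t["unit_price"])
        if simulated != t["client_total"]:
            exceptions.append((t["inv"], t["client_total"], simulated))
    return exceptions

if __name__ == "__main__":
    # Invoice 1003 sits exactly on the discount boundary: the client's system
    # skipped the discount, which the simulation flags as an exception.
    for inv, client_total, simulated in parallel_simulation(CLIENT_TRANSACTIONS):
        print(f"exception: invoice {inv} client={client_total} simulated={simulated}")
```

The boundary record is the point of the technique: a "> 100" versus ">= 100" discrepancy in the client's code is invisible to a black-box review of outputs but shows up immediately when real transactions are re-computed.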


Auditing through the Computer: The ITF Technique


Auditing through the Computer: The Parallel Simulation Technique

Substantive Testing Techniques

• Search for unrecorded liabilities

• Confirm accounts receivable to ensure they are not overstated

• Determine the correct value of inventory, and ensure it is not overstated

• Determine the accuracy of accruals for expenses incurred, but not yet received (also revenues if appropriate)


Embedded Audit Module (EAM)

• An ongoing module which filters out non-material transactions

• The chosen, material transactions are used for sampling in substantive tests

• Requires additional computing resources by the client

• Hard to maintain in systems with high maintenance


Substantive Testing: EAM


Generalized Audit Software (GAS)

• Very popular & widely used

• Can access data files & perform operations on them:
– screen data
– statistical sampling methods
– foot & balance
– format reports
– compare files and fields
– recalculate data fields
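An added example (not from the chapter or any GAS product) covering both the EAM and GAS slides: an embedded-audit-module style materiality filter, plus three of the GAS operations listed above (foot, recalculate a field, compare to another file) run over a constructed cash-disbursements file and vendor master. The materiality threshold, file layout and records are all assumptions for the example.

```python
import csv
import io
from decimal import Decimal

# Constructed cash-disbursements file in the form a GAS tool would read.
DISBURSEMENTS_CSV = """\
check_no,vendor_id,gross,discount,net
5001,V100,1200.00,24.00,1176.00
5002,V205,48000.00,0.00,48000.00
5003,V999,750.00,0.00,750.00
5004,V205,15500.00,310.00,15190.00
5005,V100,300.00,6.00,293.00
"""
# Constructed vendor master file (approved payees).
VENDOR_MASTER = {"V100": "Acme Supply", "V205": "Beta Freight"}
MATERIALITY = Decimal("10000.00")   # assumed threshold for the EAM filter

def read_disbursements():
    """Parse the file, converting money fields to Decimal for exact arithmetic."""
    rows = list(csv.DictReader(io.StringIO(DISBURSEMENTS_CSV)))
    for r in rows:
        for field in ("gross", "discount", "net"):
            r[field] = Decimal(r[field])
    return rows

def embedded_audit_module(rows, threshold=MATERIALITY):
    """EAM: as the application processes each record, copy the material ones
    (net >= threshold) to an audit file for later substantive sampling."""
    return [r["check_no"] for r in rows if r["net"] >= threshold]

def foot(rows, field="net"):
    """GAS 'foot': total a column so it can be agreed to the control total."""
    return sum((r[field] for r in rows), Decimal("0.00"))

def recalculate_net(rows):
    """GAS 'recalculate data fields': gross - discount must equal stored net."""
    return [r["check_no"] for r in rows if r["gross"] - r["discount"] != r["net"]]

def compare_to_vendor_master(rows, master=VENDOR_MASTER):
    """GAS 'compare files and fields': payees absent from the vendor master."""
    return [r["check_no"] for r in rows if r["vendor_id"] not in master]

if __name__ == "__main__":
    rows = read_disbursements()
    print("material (EAM):", embedded_audit_module(rows))
    print("footed net total:", foot(rows))
    print("net does not recalculate:", recalculate_net(rows))
    print("payee not in vendor master:", compare_to_vendor_master(rows))
```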


Substantive Testing: GAS