4 Auditing AIS

Prepared by Paula Funkhouser
University of Nevada, Reno
Core Concepts of Accounting Information Systems, 13th Edition

Mark G. Simkin Jacob M. Rose Carolyn S. Norman
Information
Technology
Auditing
Chapter 15
Chapter 15:
Information Technology Auditing
Introduction
The Audit Function
The Information Technology Auditors Toolkit
Auditing Computerized Accounting Information Systems
Information Technology Auditing Today
2
Copyright 2015. John Wiley & Sons, Inc. All rights reserved.
Introduction
Audits of AISs
Ensure controls are functioning properly
Confirm additional controls not necessary
Nature of Auditing
Internal and external auditing
IT Audit and financial audit
Tools of an IT auditor
3
The Audit Function

Internal versus External Auditing
Evaluating the Effectiveness of Information Systems Controls
4
Internal Auditing
Responsibility of Performance
Companys own employees
External of the department being audited
Evaluation of:
Employee compliance with policies and procedures
Effectiveness of operations
Compliance with external laws and regulations
Reliability of financial reports
Internal controls
5
External Auditing
Responsibility of Performance
Those outside the organization
Accountants working for independent CPA
Audit Purpose
Performance of the attest function
Evaluate the accuracy and fairness of the financial statements
relative to GAAP
6
THE NATURE OF AUDITING

The IIAs five audit scope standards outline the internal
auditors responsibilities:
Review the reliability and integrity of operating and financial
information and how it is identified, measured, classified, and reported.
Determine if the systems designed to comply with these policies, plans,
procedures, laws, and regulations are being followed.
Review how assets are safeguarded, and verify their existence.
Examine company resources to determine how effectively and
efficiently they are used.
Review company operations and programs to determine if they are
being carried out as planned and if they are meeting their objectives.
7

Function
Evaluate computers role in achieving audit and control
objectives
Assurance Provided
Data and information are reliable, confidential, secure, and
available
Safeguarding assets, data integrity, and operational
effectiveness
8
The Components
of an IT Audit
9
The IT Audit Process

Computer-Assisted Audit Techniques (CAAT)
Use of computer processes to perform audit functions
Performing substantive tests
Approaches
Auditing through the computer
Auditing with the computer
10
The IT Audit Process
11

Types of internal auditing work
Three different types of audits are commonly performed.
Financial audit
Examines reliability and integrity of accounting

records (financial and operating).
Correlates with the first of the five scope standards.
12

Financial audit
Information systems audit
Reviews the controls of an AIS to assess:

Compliance with internal control policies and
procedures; and
Effectiveness in safeguarding assets.
Scope roughly corresponds to the IIAs second and
third standards.
13

Financial audit
Information systems audit
Operational or management audit
Concerned with economical and efficient use of

resources and accomplishment of established goals
and objectives.
Scope corresponds to fourth and fifth standards.
14

Planning
An overview of the auditing process

All audits follow a similar sequence
of activities and may be divided
into four stages:
Planning
15

Planning
Collecting Evidence

into four stages:
Planning
Collecting Evidence
16

Planning
Collecting Evidence

into four stages:
Planning
Collecting evidence
Evaluating evidence
Evaluating Evidence
17

Planning
Collecting Evidence
Evaluating Evidence

into four stages:
Planning
Collecting evidence
Evaluating evidence
Communicating audit results
Communicating Audit
Results
18

Planning
Collecting Evidence
Evaluating Evidence
Communicating Audit
Results
Audit planning
Purpose: Determine why, how, when, and by
whom the audit will be performed.
The first step in audit planning is to establish
the scope and objectives of the audit.
An audit team with the necessary experience
and expertise is formed.
Team members become familiar with the
auditee by:
Conferring with supervisory and

operating personnel;
Reviewing system documentation; and
Reviewing findings of prior audits.
19

The audit should be planned so that the greatest amount of
audit work focuses on areas with the highest risk factors.
There are three types of risk when conducting an audit:
Inherent risk
How susceptible the area would be to threats if there

were no controls.
20
The risk that a material misstatement will get

through the internal control structure and into the
The audit shouldfinancial
be planned
so that the greatest amount of
statements.
audit work focuses
on areas
withtothe
factors.
Inversely
related
the highest
strengthrisk
of the
companys
internal
i.e.,conducting
stronger controls
means lower
There are three types
ofcontrols,
risk when
an audit:
control risk.
Inherent risk
Can be determined by:
Control risk Reviewing the control environment.
Considering control weaknesses identified in
prior audits and evaluating how they have been
rectified.
21

The audit should be planned so that the greatest amount of
audit work focuses on areas with the highest risk factors.
There are three types of risk when conducting an audit:
Inherent risk
Control risk
Detection risk
The risk that auditors and their procedures will miss

a material error or misstatement.
22

To conclude the planning stage:
A preliminary audit program is prepared to show the
nature, extent, and timing of the procedures necessary to
achieve audit objectives and minimize audit risks.
A time budget is prepared.
Staff members are assigned to perform specific audit steps.
23

Planning
Collecting Evidence
Collection of audit
evidence
Much audit effort is spent
collecting evidence.
Evaluating Evidence
Communicating Audit
Results
24

Collection of audit evidence
The following are among the most commonly used
evidence collection methods:
Observation
Watch the activities being audited, e.g., how employees
enter the site or handle a particular form.
25

Observation
Review of documentation
Review documents to understand how an AIS or an
internal control system is supposed to function.
26

Observation
Discussions
Talk with employees about their jobs and how they

carry out certain procedures.
27

Observation
Discussions
Physical examination
Examine quantity and/or condition of tangible
assets, such as equipment, inventory, or cash.
28

Observation
Discussions
Confirmation
Communicate with third parties to check the
accuracy of information such as customer account
balances.
29

Observation
Discussions
Confirmation
Re-performance
Repeat a calculation to verify quantitative
information on records and reports.
30

Observation
Discussions
Examine supporting documents to ensure the
Confirmation
validity of the transaction.
Re-performance
Vouching
31

Collection of Audit Evidence
Observation
Examine relationships and trends among information
Review of
documentation
items to detect those that deserve further
Discussions
investigation.
Example: If the inventory turnover ratio has
Confirmation
plummeted, its time to investigate why the change
Re-performance
has occurred.
Vouching
Analytical review
32

Because many audit tests and procedures cannot feasibly be
performed on the entire set of activities, records, assets, or
documents, they are often performed on a sample basis.
A typical audit will be a mix of audit procedures.
33

An audit designed to evaluate AIS internal controls would
make greater use of:
Observation
Discussions
Re-performance
An audit of financial information would focus on:
Confirmation
Vouching
Analytical review
Re-performance
34
Because errors will occur anywhere,

auditors focus on those that have a
significant impact on managements
interpretation of the audit findings.
Evaluation
Materiality of
dictates
is and is not
Auditwhat
Evidence
in evaluates
a given set
circumstances
important
The auditor
the of
evidence
primarily
gathered ainmatter
light ofofthejudgment.
specific audit
and decides
if it supports
a
Itobjective
is generally
more important
to external
favorable
or unfavorable
audits,
when
the overall conclusion.
emphasis is on the
fairness
If inconclusive,
the auditor
plans and
of financial
statement
executes additional
presentations,
thanprocedures
to internaluntil
audits, where
sufficient
evidence
is obtained.
the
focus is
on determining
adherence to
managements
Two important factors
when deciding how
policies.
much audit work is necessary and in
evaluating audit evidence are:
Materiality

Planning
Collecting Evidence
Evaluating Evidence
Communicating Audit
Results
35
Reasonable
assurance is somewhat of a
THE NATURE
OF
AUDITING
cost-benefit notion.
Planning
Collecting Evidence
Evaluating Evidence
It is prohibitively expensive for the auditor to

Evaluation
of Audit
Evidence
seek complete
assurance
that no material
exists, evaluates
so he must
error
The auditor
the accept
evidencerisk that the
audit
conclusion
is the
incorrect.
gathered
in light of
specific audit
objective and
decidesreasonable
if it supportsassurance,
a
Therefore
he seeks
favorable
or to
unfavorable
as
opposed
absolute conclusion.
assurance.
If inconclusive, the auditor plans and
Note that when inherent or control risk is
executes additional procedures until
high,
the auditor
must
obtain greater
sufficient
evidence
is obtained.
to offset
the
greater
uncertainty
assurance
Two important
factors
when
deciding
how
and
risks.
much
audit work is necessary and in
evaluating audit evidence are:
Materiality
Reasonable assurance
Communicating Audit
Results
36

At all stages of the audit, findings and conclusions are
carefully documented in working papers.
Documentation is critical at the evaluation stage,
when final conclusions must be reached and
supported.
37

Planning
Collecting Evidence
Evaluating Evidence
Communicating Audit
Results
Communication of audit results

The auditor prepares a written (and
sometimes oral) report summarizing audit
findings and recommendations, with
references to supporting evidence in the
working papers.
Report is presented to:
Management
The audit committee
The board of directors
Other appropriate parties
After results are communicated, auditors
often perform a follow-up study to see if
recommendations have been implemented.
38

The risk-based audit approach
A risk-based audit approach is a four-step approach to
internal control evaluation that provides a logical
framework for carrying out an audit. Steps are:
Determine the threats (errors and irregularities) facing the
AIS.
39

A risk-based audit approach is a four-step approach to
internal control evaluation that provides a logical
Determine the threats (errors and irregularities) facing the AIS.
Identify control procedures implemented to minimize each
threat by preventing or detecting such errors and irregularities.
40
THE NATURE
OF AUDITING
Perform a systems review to determine if necessary
procedures are in place. Involves:

Reviewing
system documentation
The risk-basedaudit
approach
Interviewing
appropriate
personnel
A risk-basedaudit
approach
is a four-step
approach to
Conduct
tests of controls
to determine
if the
internal control
evaluation
that provides
a logical
procedures are satisfactorily followed. Involves:
Observing system operations
Determine the threats (errors and irregularities) facing the AIS.
Inspecting documents, records, and reports
Identify control procedures implemented to minimize each threat
samples
of system
inputs and outputs
by preventingChecking
or detecting
such errors
and irregularities.
Tracing transactions through the system
Evaluate the
control procedures.
41

Focuses on control risks and whether the control

A risk-basedsystem
audit as
approach
a four-step
approachthem.
to
a wholeis
adequately
addresses
internal control
evaluation that provides a logical
If a control deficiency is identified, the auditor asks
framework about
for carrying
out an audit. Steps are:
compensating controlsprocedures that
Determinemake
the threats
and irregularities) facing the AIS.
up for(errors
the deficiency.
Identify
procedures
implemented
to minimize
threat if
control
A control
weakness
in one area
may be each
acceptable
by preventing or detecting such errors and irregularities.
compensated for by control strengths in other areas.
Evaluate the control procedures.
Evaluate weaknesses (errors and irregularities not covered by
control procedures) to determine their effect on the nature,
timing, or extent of auditing procedures and client suggestions.
42

The risk-based approach to auditing provides auditors
with a clear understanding of the errors and
irregularities that can occur and the related risks and
exposures.
This understanding provides a basis for developing
recommendations to management on how the AIS
control system should be improved.
43
Careers in IT Auditing
Background
Accounting skills
Information systems or computer science skills
Certified Information System Auditor (CISA)
Successfully complete examination

Experience requirements
Comply with Code of Professional Ethics
Continuing professional education
Comply with standards
44
INFORMATION SYSTEMS
AUDITS
The purpose of an information systems audit is to review and

evaluate the internal controls that protect the system.
When performing an information system audit, auditors should
ascertain that the following objectives are met:
Security provisions protect computer equipment, programs,
communications, and data from unauthorized access, modification, or
destruction.
Program development and acquisition are performed in accordance
with managements general and specific authorization.
Program modifications have managements authorization and approval.
45
INFORMATION SYSTEMS
AUDITS
Processing of transactions, files, reports, and other computer records

are accurate and complete.
Source data that are inaccurate or improperly authorized are identified
and handled according to prescribed managerial policies.
Computer data files are accurate, complete, and confidential.
The following slide depicts the relationship among these six objectives and
information systems components.
The objectives are then discussed in detail in the following section.
Each description includes an audit plan to accomplish the objective, as well
as the techniques and procedures to carry out the plan.
46
IS COMPONENTS AND AUDIT OBJECTIVES

Objective 1: Overall Security
Objective 5: Source Data
Source
Data
Data
Entry
Objective 2:
Program Development
and Acquisition
Programs
Source
Data
Processing
Files
Output
Objective 3:
Program Modification
Objective 4: Computer Processing
Objective 6:
Data Files
47

Source
Data
Data
Entry
Objective 2:
Program Development
and Acquisition
Programs
Source
Data
Processing
Files
Output
Objective 3:
Objective 6:
Data Files
48
OBJECTIVE 1: OVERALL
SECURITY
Types of security errors and fraud faced by companies:

Accidental or intentional damage to system assets.
Unauthorized access, disclosure, or modification of data
and programs.
Theft.
Interruption of crucial business activities.
49
SECURITY
Control procedures to minimize security errors and fraud:
Developing an information security/protection plan.

Restricting physical and logical access.
Encrypting data.
Protecting against viruses.
Implementing firewalls.
Instituting data transmission controls.
Preventing and recovering from system failures or disasters, including:
Designing fault-tolerant systems.
Preventive maintenance.
Backup and recovery procedures.
Disaster recovery plans.
Adequate insurance.
50
SECURITY
Audit procedures: Systems review

Inspecting computer sites.
Interviewing personnel.
Reviewing policies and procedures.
Examining access logs, insurance policies, and the disaster
recovery plan.
51
SECURITY
Audit procedures: Tests of controls

Auditors test security controls by:
Observing procedures.
Verifying that controls are in place and work as
intended.
Investigating errors or problems to ensure they were
handled correctly.
Examining any tests previously performed.
One way to test logical access controls is to try to break
into a system.
52
SECURITY
Compensating controls
If security controls are seriously deficient, the organization

faces substantial risks.
Partial compensation for poor computer security can be
provided by:
Sound personnel policies
Effective segregation of incompatible duties
Effective user controls, so that users can recognize unusual system
output.
These compensations arent likely to be enough, so auditors

should strongly recommend that security weaknesses be
corrected.
53

Source
Data
Data
Entry
Objective 2:
Program Development
and Acquisition
Programs
Source
Data
Processing
Files
Output
Objective 3:
Objective 6:
Data Files
54

Source
Data
Data
Entry
Objective 2:
Program Development
and Acquisition
Programs
Source
Data
Processing
Files
Output
Objective 3:
Objective 6:
Data Files
55
OBJECTIVE 2: PROGRAM
DEVELOPMENT AND ACQUISITION
Types of errors and fraud:
Two things can go wrong in program development:
Inadvertent errors due to careless programming or
misunderstanding specifications; or
Deliberate insertion of unauthorized instructions into
the programs.
56
Control procedures:
The preceding problems can be controlled by requiring:
Management and user authorization and approval
Thorough testing
Proper documentation
57
The auditors role in systems development should be
limited to an independent review of system development
activities.
To maintain necessary objectivity for performing an independent
evaluation, the auditor should not be involved in system
development.
During the systems review, the auditor should gain an
understanding of development procedures by discussing them with
management, users, and IS personnel.
Should also review policies, procedures, standards, and
documentation for systems and programs.
58
To test systems development controls, auditors should:
Interview managers and system users.

Examine development approvals.
Review the minutes of development team meetings.
Thoroughly review all documentation relating to the testing
process and ascertain that all program changes were tested.
Examine the test specifications, review the test data, and evaluate
the test results.
If results were unexpected, ascertain how the

problem was resolved.
59
Strong processing controls can sometimes compensate for
inadequate development controls.
If auditors rely on compensatory processing controls,
they should obtain persuasive evidence of compliance.
Use techniques such as independent processing of
test data to do so.
If this type of evidence cant be obtained, they may
have to conclude there is a material weakness in internal
control.
60

Source
Data
Data
Entry
Objective 2:
Program Development
and Acquisition
Programs
Source
Data
Processing
Files
Output
Objective 3:
Objective 6:
Data Files
61

Source
Data
Data
Entry
Objective 2:
Program Development
and Acquisition
Programs
Source
Data
Processing
Files
Output
Objective 3:
Objective 6:
Data Files
62
MODIFICATION
Types of errors and fraud
Same that can occur during program development:
Inadvertent programming errors
Unauthorized programming code
63
MODIFICATION
Control procedures
When a program change is submitted for approval, a list of all required
updates should be compiled by management and program users.
Changes should be thoroughly tested and documented.
During the change process, the developmental version of the program
must be kept separate from the production version.
When the amended program has received final approval, it should
replace the production version.
Changes should be implemented by personnel independent of users or
programmers.
Logical access controls should be employed at all times.
64
MODIFICATION
Audit procedures: System review
During systems review, auditors should:
Gain an understanding of the change process by discussing it with
management and user personnel.
Examine the policies, procedures, and standards for approving,
modifying, testing, and documenting the changes.
Review a complete set of final documentation materials for recent
program changes, including test procedures and results.
Review the procedures used to restrict logical access to the
developmental version of the program.
65
MODIFICATION
An important part of these tests is to verify that program changes were
identified, listed, approved, tested, and documented.
Requires that the auditor observe how changes are implemented to
verify that:
Separate development and production programs are maintained;
and
Changes are implemented by someone independent of the user and
programming functions.
The auditor should review the development programs access control
table to verify that only those users assigned to carry out modification
had access to the system.
66
MODIFICATION
To test for unauthorized program changes, auditors can use
a source code comparison program to compare the current
version of the program with the original source code.
Any unauthorized differences should result in an
investigation.
If the difference represents an authorized change, the
auditor can refer to the program change specifications to
ensure that the changes were authorized and correctly
incorporated.
67
MODIFICATION
Two additional techniques detect unauthorized program
changes:
Reprocessing
On a surprise basis, the auditor uses a verified copy of
the source code to reprocess data and compare that
output with the companys data.
Discrepancies are investigated.
Parallel simulation
Similar to reprocessing except that the auditor writes his
own program instead of using verified source code.
Can be used to test a program during the
implementation process.
68
MODIFICATION
Auditors should observe testing and implementation,
review related authorizations, and, if necessary, perform
independent tests for each major program change.
If this step is skipped and program change controls are
subsequently deemed inadequate, it may not be possible to
rely on program outputs.
Auditors should always test programs on a surprise basis to
protect against unauthorized changes being inserted after
the examination is completed and then removed prior to
scheduled audits.
69
MODIFICATION
If internal controls over program changes are deficient,
compensation controls are:
Source code comparison;
Reprocessing; and/or
Parallel simulation.
The presence of sound processing controls, independently

tested by the auditor, can also partially compensate for
deficiencies.
But if deficiencies are caused by inadequate restrictions on
program file access, the auditor should strongly recommend
actions to strengthen the organizations logical access
controls.
70

Source
Data
Data
Entry
Objective 2:
Program Development
and Acquisition
Programs
Source
Data
Processing
Files
Output
Objective 3:
Objective 6:
Data Files
71

Source
Data
Data
Entry
Objective 2:
Program Development
and Acquisition
Programs
Source
Data
Processing
Files
Output
Objective 3:
Objective 6:
Data Files
72
OBJECTIVE 4: COMPUTER
PROCESSING
During computer processing, the system may:
Fail to detect erroneous input.
Improperly correct input errors.
Process erroneous input.
Improperly distribute or disclose output.
73
PROCESSING
Control procedures
Computer data editing routines.

Proper use of internal and external file labels.
Reconciliation of batch totals.
Effective error correction procedures.
Understandable operating documentation and run manuals.
Competent supervision of computer operations.
Effective handling of data input and output by data control personnel.
File change listings and summaries prepared for user department
review.
Maintenance of proper environmental conditions in computer facility.
74
PROCESSING
Review administrative documentation for processing
control standards.
Review systems documentation for data editing and other
processing controls.
Review operating documentation for completeness and
clarity.
Review copies of error listings, batch total reports, and file
change lists.
Observe computer operations and data control functions.
Discuss processing and output controls with operations and
IS supervisory personnel.
75
PROCESSING
Evaluate adequacy of processing control standards and procedures.
Evaluate adequacy and completeness of data editing controls.
Verify adherence to processing control procedures by observing
computer operations and the data control function.
Verify that selected application system output is properly distributed.
Reconcile a sample of batch totals, and follow up on discrepancies.
Trace disposition of a sample of errors flagged by data edit routines to
ensure proper handling.
Verify processing accuracy for a sample of sensitive transactions.
76
PROCESSING
Verify processing accuracy for selected computer-generated
transactions.
Search for erroneous or unauthorized code via analysis of program
logic.
Check accuracy and completeness of processing controls using test
data.
Monitor online processing systems using concurrent audit techniques.
Recreate selected reports to test for accuracy and completeness.
77
PROCESSING
Auditors must periodically re-evaluate processing controls
to ensure their continued reliability.
If controls are unsatisfactory, user and source data
controls may be strong enough to compensate.
If not, a material weakness exists and steps should be
taken to eliminate the control deficiencies.
78
PROCESSING
The purpose of the preceding audit procedures is to gain an
understanding of the controls, evaluate their adequacy, and
observe operations for evidence that the controls are in use.
Several specialized techniques allow the auditor to use the
computer to test processing controls:
Processing test data.
Using concurrent audit techniques.
Analyzing program logic.
Each has its own advantages and disadvantages:

Appropriateness of each technique depends on the situation.
No one technique is good for all circumstances.
Auditors should not disclose which technique they use.

79
PROCESSING


80
PROCESSING
Processing test data
Involves testing a program by processing a hypothetical
series of valid and invalid transactions.
The program should:
Process all the valid transactions correctly.
Identify and reject the invalid ones.
All logic paths should be checked for proper functioning by

one or more test transactions, including:
Records with missing data.

Fields containing unreasonably large amounts.
Invalid account numbers or processing codes.
Non-numeric data in numeric fields.
Records out of sequence.
81
PROCESSING
The following resources are helpful when preparing
test data:
A listing of actual transactions.
The transactions that the programmer used to test the
program.
A test data generator program, which automatically
prepares test data based on program specifications.
82
PROCESSING
In a batch processing system, the companys program and a
copy of relevant files are used to process the test data.
Results are compared with the predetermined correct output.
Discrepancies indicate processing errors or control deficiencies that
should be investigated.
In an online system, auditors enter test data using a data entry

device, such as a PC or terminal.
The auditor observes and logs the systems response.
If the system accepts erroneous or invalid test transactions, the auditor
reverses the effects of the transactions, investigates the problem, and
corrects the deficiency.
83
PROCESSING
Although processing test transactions is usually
effective, it has the following disadvantages:
The auditor must spend considerable time understanding
the system and preparing an adequate set of test
transactions.
Care must be taken to ensure test data do not affect the
companys files and databases.
The auditor can reverse the effects of the test transactions or
process them in a separate run, using a copy of the file or database.
Reversal procedures may reveal the existence and

nature of the auditors test to key personnel.
A separate run removes some of the authenticity.
84
PROCESSING


85
PROCESSING
Concurrent audit techniques
Millions of dollars of transactions can be processed in an
online system without leaving a satisfactory audit trail.
In such cases, evidence gathered after data processing is
insufficient for audit purposes.
Also, because many online systems process transactions
continuously, it is difficult or impossible to stop the system
to perform audit tests.
Consequently, auditors use concurrent audit techniques to
continually monitor the system and collect audit evidence
while live data are processed during regular operating
hours.
86
OBJECTIVE 5: SOURCE
DATA
Inaccurate source data
Unauthorized source data
87
OBJECTIVE 5: SOURCE
DATA
Control procedures
Effective handling of source data input by data control personnel

User authorization of source data input
Preparation and reconciliation of batch control totals
Logging of the receipt, movement, and disposition of source data input
Check digit verification
Key verification
Use of turnaround documents
Computer data editing routines
File change listings and summaries for user department review
Effective procedures for correcting and resubmitting erroneous data
88
OBJECTIVE 5: SOURCE
DATA
Audit procedures: System review
Review documentation about responsibilities of data control function.

Review administrative documentation for source data control
standards.
Review methods of authorization and examine authorization
signatures.
Review accounting systems documentation to identify source data
content and processing steps and specific source data controls used.
Document accounting source data controls using an input control
matrix.
Discuss source data control procedures with data control personnel as
well as the users and managers of the system.
89
OBJECTIVE 5: SOURCE
DATA
Observe and evaluate data control department operations

and specific data control procedures.
Verify proper maintenance and use of data control log.
Evaluate how items recorded in the error log are handled.
Examine samples of accounting source data for proper
authorization.
Reconcile a sample of batch totals and follow up on
discrepancies.
Trace disposition of a sample of errors flagged by data edit
routines.
90
OBJECTIVE 5: SOURCE
DATA
Strong user controls

Strong processing controls
91
CISA Exam Components
92
Careers in IT Auditing
Certified Information Security Manager (CISM)
Business orientation
Understand risk management and security
CISM Knowledge
Information security governance

Information security program management
Risk management
Information security management
Response management
93
Evaluating the Effectiveness of

Information Systems Controls
Impact on Substantive Testing
Strong controls, less substantive testing
Weak controls, more substantive testing
Risk Assessment
Evaluate the risks associated with control weaknesses
Make recommendations to improve controls
94
Risk Assessment
Risk-Based Audit Approach
Determine the threats
Identify the control procedures needed
Evaluate the current control procedures
Evaluate the weaknesses within the AIS
Benefits
Understanding of errors and irregularities
Sound basis for recommendations
95
Information Systems
Risk Assessment
Method of evaluating desirability of IT controls
Types of Risks
Errors and accidents
Loss of company secrets
Unauthorized manipulation of company files
Interrupted computer access
Penetration Testing
96
Study Break #1
An IT auditor:
A. Must be an external auditor
B. Must be an internal auditor
C. Can be either an internal or external auditor
D. Must be a Certified Public Accountant
97
Study Break #2
In determining the scope of an IT audit, the auditor should pay
most attention to:
A. Threats and risks
B. The cost of the audit
C. What the IT manager asks to be evaluated
D. Listings of standard control procedures
98
The IT Auditors Toolkit

Utilization of CAATs
Auditing with the computer
Manual access to data stored on computers is impossible
Tools
Auditing Software
People Skills
99
General-Use Software
Productivity tools that improve the auditors work
Types
Word processing programs
Spreadsheet software
Database management systems (DBMS)
Structured Query Language (SQL)
100
Generalized Audit Software

Overview
Allow for reviewing of files without rewriting processing
programs
Basic data manipulation
Tailored to auditor tasks
Common Programs
Audit Command Language (ACL)
Interactive Data Extraction and Analysis (IDEA)
101
Generalized Audit
Software - Inventory
102
Automated Workpapers
Overview
Automate and standardize audit tests
Can prepare financial statements and other financial measures
Features
Generate trial balances

Make adjusting entries
Perform consolidations
Conduct analytical procedures
Document audit procedures and conclusions
103
People Skills
Examples
Working as a team
Interact with clients and other auditors
Interviewing clients
Importance of Interviews
Gain understanding of organization
Evaluate internal controls
104
Auditing Computerized AISs

Auditing Around the Computer
Assumes accurate output verifies proper processing
Not effective in a computerized environment
Auditing Through the Computer
Follows audit trail through the computer
Verifies proper functioning of processing controls in AIS
programs
105
Auditing Computerized AISs

Testing Computer Programs
Validating Computer Programs
Review of Systems Software
Validating Users and Access Privileges
Continuous Auditing
106

Test Data
Create set of transactions
Covering range of exception situations
Compare results and investigate further
Integrated Test Facility
Establish a fictitious entity
Enter transactions for that entity
Observe how they are processed
107

Parallel Simulation
Utilized live input data
Simulates all or some of the operations
Compare results
Very time-consuming and cost-prohibitive
108
Edit Tests and Test Data
109
Validating Computer Programs

Tests of Program Change Controls
Protect against unauthorized program changes
Documentation of requests for program changes
Utilize special forms for authorization
Program Comparison
Test of Length
Comparison Program
110
Reviewing a Responsibility System
111
Review of Systems Software

Systems Software Controls
Operating system software
Utility programs
Program library software
Access control software
Inspect Outputs
Logs
Incident reports
112
Password Parameters
113
Validating Users
and Access Privileges
Purpose
Ensure all system users are valid
Appropriate access privileges
Utilize Software Tools
Examine login times
Exception conditions
Irregularities
114
Continuous Auditing
Embedded Audit Modules (Audit Hooks)
Capture data for audit purposes
Exception Reporting
Transactions falling outside given parameters are rejected
Transaction Tagging
Certain transactions tagged and progress recorded
115
Continuous Auditing
Snapshot Technique
Examines how transactions are processed
Continuous and Intermittent Simulation (CIS)
Embeds audit module in a database management system
(DBMS)
Similar to parallel simulation
116
Continuous Auditing Spreadsheet

Errors
117
Study Break #3
Which of the following is NOT an audit technique for auditing
computerized AIS?
A. Parallel simulation
B. Use of specialized control software
C. Continuous auditing
D. All of the above are techniques used to audit computerized
AIS
118
Study Break #4
Continuous auditing:
A. Has been talked about for years but will never catch on
B. Will likely become popular if organizations adopt XBRL in
their financial reporting
C. Does not include techniques such as embedded audit
modules
D. Will never allow IT auditors to provide some types of
assurance on a real-time basis
119
IT Governance
Overview
Process of using IT resources effectively
Efficient, responsible, strategic use of IT
Objectives
Using IT strategically to fulfill mission of organization
Ensure effective management of IT
120
IT Auditing Today
The Sarbanes-Oxley Act of 2002
Auditing Standard No. 5 (AS5)
Third Party and Information Systems Reliability Assurances
121

Overview
Limits services that auditors can provide clients while they
are conducting audits
Groups of Compliance Requirements
Audit committee/corporate governance requirements

Certification, disclosure, and internal control
Financial statement reporting rules
Executive reporting and conduct
122

Section 302
CEOs and CFOs are required to certify the financial statements
Internal controls and disclosures are adequate
Section 404
CEOs and CFOs assess and attest to the effectiveness of
internal controls
123
Key Provisions of SOX
124
Key Provisions of SOX
125
Auditing Standard No. 5 (AS5)

Purpose
Public Company Accounting Oversight Board (PCAOB)
guidance
Focus on most critical controls
Rebalancing of Auditors Work
Internal auditors help to advise board of directors
External auditors reduce redundant testing
126
Third Party and Information

Systems Reliability Assurances
Growth of Electronic Commerce
Area of growing risk
Security and privacy concerns
Difficult to audit
AICPA Trust Services
CPA WebTrust
SysTrust
127
Third Party and Information

Systems Reliability Assurances
Principles of Trust Services
Security
Availability
Processing integrity
Online privacy
Confidentiality
128

4 Auditing AIS

Cargado por

Información del documento

Título original

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

4 Auditing AIS

Cargado por

Copyright:

Formatos disponibles

Prepared by Paula Funkhouser

University of Nevada, Reno

Core Concepts of Accounting Information Systems, 13th Edition

The Audit Function

THE NATURE OF AUDITING

Information Technology Auditing

The IT Audit Process

The IT Audit Process

THE NATURE OF AUDITING

Examines reliability and integrity of accounting

THE NATURE OF AUDITING

Reviews the controls of an AIS to assess:

THE NATURE OF AUDITING

Concerned with economical and efficient use of

THE NATURE OF AUDITING

An overview of the auditing process

THE NATURE OF AUDITING

An overview of the auditing process

THE NATURE OF AUDITING

An overview of the auditing process

THE NATURE OF AUDITING

An overview of the auditing process

THE NATURE OF AUDITING

Conferring with supervisory and

THE NATURE OF AUDITING

How susceptible the area would be to threats if there

THE NATURE OF AUDITING

The risk that a material misstatement will get

THE NATURE OF AUDITING

The risk that auditors and their procedures will miss

THE NATURE OF AUDITING

THE NATURE OF AUDITING

THE NATURE OF AUDITING

THE NATURE OF AUDITING

THE NATURE OF AUDITING

Talk with employees about their jobs and how they

THE NATURE OF AUDITING

THE NATURE OF AUDITING

THE NATURE OF AUDITING

THE NATURE OF AUDITING

THE NATURE OF AUDITING

THE NATURE OF AUDITING

THE NATURE OF AUDITING

An audit of financial information would focus on:

Because errors will occur anywhere,

THE NATURE OF AUDITING

It is prohibitively expensive for the auditor to

THE NATURE OF AUDITING

THE NATURE OF AUDITING

Communication of audit results

THE NATURE OF AUDITING

THE NATURE OF AUDITING

procedures are in place. Involves:

THE NATURE OF AUDITING

Focuses on control risks and whether the control

THE NATURE OF AUDITING

Certified Information System Auditor (CISA)

Successfully complete examination

The purpose of an information systems audit is to review and

Processing of transactions, files, reports, and other computer records

IS COMPONENTS AND AUDIT OBJECTIVES

Objective 4: Computer Processing

IS COMPONENTS AND AUDIT OBJECTIVES