Chapter 11
Information Technology Auditing

- Introduction
- The Audit Function
- The IT Auditor’s Toolkit
- Auditing the Computerized AIS
- Information Technology Auditing Today

Introduction
Audits of accounting systems ensure that controls are functioning properly
confirm that additional controls are not needed
The nature of auditing includes the distinction between internal and external auditing
the relationship between an IT audit and a financial audit
Chapter 11-4
Introduction
the tools an IT auditor uses
discussion of information technology governance,
fraud in auditing,
the impact of Sarbanes-Oxley on IT audits, and
third-party and systems reliability assurance services
Chapter 11-5
The Audit Function
The function of an audit
- is to examine and to assure
- will differ according to the subject under examination
- can be internal or external, and
- concerns information systems as well
The discussion of the audit function covers
- internal auditing,
- external auditing, and
- IT auditing.

Question
An IT auditor
a. must be an external auditor.
b. must be an internal auditor.
c. can be either an internal or external auditor.
d. must be a certified public accountant.

Internal Auditing
An internal audit
- preserves its objectivity by being carried out by company personnel reporting to top management and/or the Audit Committee of the Board of Directors
- is external to the corporate department or division being audited
- concerns employee adherence to company policies and procedures and the evaluation of internal controls
- is relatively broad in scope, including auditing for fraud and ensuring that employees are not copying software programs illegally
- can provide assurance to a company’s top management about the efficiency and effectiveness of its organization

External Auditing
The external audit
- is carried out by independent accountants
- has the attest function as its chief purpose: confirming the accuracy and fairness of financial statements
- is conducted in the context of GAAP
- has expanded to check that financial statements are free of material errors and do not contain fraudulent misstatements
- now includes a variety of assurance services

Information Technology Auditing
Information technology (IT) auditing
- involves evaluating the computer’s role in achieving audit objectives and control objectives
- means proving that data and information are reliable, confidential, secure, and available as needed
- includes attest objectives such as safeguarding of assets, data integrity, and operational effectiveness

The IT Audit
The IT audit function encompasses
The Information Technology Audit Process
Computer-assisted audit techniques (CAATs) are used
- when controls are weak, for substantive testing of transactions and account balances
- when controls are strong, for compliance testing to ensure that controls are in place and working as prescribed

Careers in Information Systems Auditing
The demand for IT auditors is growing because of
- the increasing use of computer-based AISs
- systems becoming more technologically complex
- the passing of the Sarbanes-Oxley bill
IT auditing requires a variety of skills, combining
- accounting and
- information systems or computer science skills.

Careers in Information Systems Auditing
Information systems auditors
- may be internal or external
- can obtain professional certification as a Certified Information Systems Auditor (CISA)
- can also acquire certification as a Certified Information Security Manager (CISM)
Auditors can achieve CISA certification by completing an examination given by ISACA, meeting specific experience requirements, complying with a Code of Professional Ethics, undergoing continuing professional education, and complying with the Information Systems Auditing Standards.
CISM certification, which is also granted by ISACA, evaluates knowledge in information security governance, information security program management, risk management, information security management, and response management.

Effectiveness of Information Systems Controls
An external auditor’s objectives are
- to evaluate the risks to the integrity of accounting data
- to make recommendations to managers to improve the controls over that data

Risk Assessment
A risk-based audit approach involves
- determining the threats (errors and irregularities) facing the AIS
- identifying the control procedures to prevent or detect the errors and irregularities
- evaluating the control procedures within the AIS by observing system operations, inspecting documents, records, and reports, checking samples of system inputs and outputs, and tracing transactions through the system
- evaluating weaknesses: identifying control deficiencies and determining compensating controls to make up for the deficiency

Information Systems Risk Assessment
Information systems risk assessment
- evaluates the desirability of IT controls for an aspect of business risk, such as a disaster recovery or business continuity plan
- requires auditors and managers to answer each of the following questions:
  - What assets or information does the company have that unauthorized individuals would want?
  - What is the value of these identified assets or information?
  - How can unauthorized individuals obtain valuable assets or information?
  - What are the chances of unauthorized individuals obtaining valuable assets or information?

Guidance in Reviewing and Evaluating IT Controls
Two guides are available to IT auditors:
- The Systems Auditability and Control (SAC) report
  - identifies important information technologies and specific risks related to these technologies
  - recommends controls to mitigate risks
  - suggests audit procedures to validate these controls
- Control Objectives for Information and Related Technology (COBIT)
  - provides guidance in assessing business risks, controlling for business risks, and evaluating the effectiveness of controls

Question
COBIT is
a. a control framework developed by the Institute of Internal Auditors.
b. a control framework developed specifically for organizations involved in e-business.
c. an internal control model that covers both automated and manual systems.
d. an internal control framework and model that encompasses an organization’s IT governance and information technologies.

The Information Technology Auditor’s Toolkit
IT auditors need to have
- the technical skills to understand the vulnerabilities in hardware and software
- the use of appropriate software to do their jobs:
  - general-use software such as word processing programs, spreadsheet software, and database management systems
  - generalized audit software (GAS)
  - automated workpaper software
- people skills to work as a team, to interact with clients and other auditors, and to interview many people constantly for evaluation

Auditing with the Computer
Auditing with the computer
- entails using computer-assisted audit techniques (CAATs) to help in auditing tasks and hence is effective and saves time
- is virtually mandatory, since data are stored on computer media and manual access is impossible

General-Use Software
Auditors use general-use software as productivity tools to improve their work, such as
- spreadsheets and
- database management systems.
Auditors use structured query language (SQL) to retrieve a client’s data and display these data for audit purposes.

Generalized Audit Software
Generalized audit software (GAS) packages
- enable auditors to review computer files without rewriting processing programs
- are specifically tailored to auditor tasks
- have been developed in-house in large firms, or
- are available from various software suppliers
Examples of GAS are Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA).

Question
Which of the following is not true with respect to generalized audit software (GAS)?
a. They require auditors to rewrite processing programs frequently while reviewing computer files.
b. They are specifically tailored to auditor tasks.
c. They may be used for specific application areas, such as accounts receivable and inventory.
d. They allow auditors to manipulate files to extract and compare data.

Automated Workpaper Software
Automated workpaper software
- is similar to general ledger software, but
- is much more flexible.
Its features include
- generated trial balances,
- adjusting entries,
- consolidations, and
- analytical procedures.

People Skills
The most important skills auditors need are people skills. Auditors
- will find that many of the audit steps are nontechnical
- need to work in a team
- have to interact with clients and other auditors
- require strong interpersonal relationships
- will need to interview the CIO
Many of the controls that an IT auditor needs to evaluate have more to do with human behavior than with technology. For example, one of the best protections against viruses and worms is regularly updated antivirus software, but it is even more important to see whether the security administrator is checking for virus updates and patches on a regular basis.

Auditing the Computerized AIS
- Testing Computer Programs
- Validating Computer Programs
- Review of Systems Software
- Validating Users and Access Privileges
- Continuous Auditing

Objectives of an Information Systems Audit
In an IT audit, auditors should meet the following objectives:
- Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.
- Program development and acquisition are performed in accordance with management’s authorization.
- Program modifications have authorization and approval from management.
- Processing of transactions, files, reports, and other computer records is accurate and complete.
- Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
- Computer data files are accurate, complete, and confidential.

Auditing Computerized AIS - Auditing Around the Computer
Auditing around the computer
- assumes that accurate output verifies proper processing operations
- pays little or no attention to the control procedures within the IT environment
- is generally not an effective approach to auditing a computerized environment

Auditing Computerized AIS - Auditing Through the Computer
Five techniques used to audit a computerized AIS are
- use of test data, integrated test facility, and parallel simulation to test programs,
- use of audit techniques to validate computer programs,
- use of logs and specialized control software to review systems software,
- use of documentation and CAATs to validate user accounts and access privileges, and
- use of embedded audit modules to achieve continuous auditing.

Testing Computer Programs - Test Data
The auditor’s responsibility is to
- develop test data that test the range of exception situations
- arrange the data in preparation for computerized processing
- complete the audit test by comparing the results with a predetermined set of answers
- investigate further if the results do not agree
Test data
- can check whether program edit test controls are in place and working
- can be developed using software programs called test data generators

Testing Computer Programs - Integrated Test Facility
An integrated test facility (ITF)
- establishes a fictitious entity such as a department, branch, customer, or employee, enters transactions for that entity, and observes how these transactions are processed
- is effective in evaluating integrated online systems and complex programming logic, and
- aims to audit an AIS in an operational setting.
The auditor’s role is to
- examine the results of transaction processing
- find out how well the AIS does the tasks required of it by introducing artificial transactions into the data processing stream of the AIS

Testing Computer Programs - Parallel Simulation
In parallel simulation, the auditor
- uses live input data, rather than test data, in a program that is written or controlled by the auditor and that simulates all or some of the operations of the real program actually in use
- needs to understand the client system, should possess sufficient technical knowledge, and should know how to predict the results.
Parallel simulation
- eliminates the need to prepare a set of test data,
- can be very time-consuming and thus cost-prohibitive, and
- usually involves replicating only certain critical functions of a program.

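As an added illustration of the test-data and parallel-simulation techniques described above (my example, not code from the textbook): the client invoicing program, its documented volume-discount policy, the customer master file and the "live" invoice records are all constructed for the example. The auditor's test data exercise the program's edit controls against a predetermined set of answers, and the parallel simulation re-performs the documented pricing rule in the auditor's own code over live input and reports every invoice on which the two totals disagree.

```python
"""Test data and parallel simulation against a constructed invoicing program.
Added example: the program, its policy and every record below are invented."""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP
from typing import Callable, List, Optional, Tuple

VALID_CUSTOMERS = {"C100", "C200", "C300"}   # constructed customer master file
TAX_RATE = Decimal("0.08")
CENT = Decimal("0.01")


@dataclass
class Result:
    status: str                        # "ACCEPTED" or "REJECTED"
    total: Optional[Decimal] = None
    reasons: List[str] = field(default_factory=list)


def client_invoice_program(rec: dict) -> Result:
    """Stand-in for the client's program: edit checks first, then pricing."""
    reasons = []
    if rec.get("customer") not in VALID_CUSTOMERS:
        reasons.append("invalid customer")           # validity check
    qty = rec.get("qty")
    if not isinstance(qty, int) or not 0 < qty <= 1000:
        reasons.append("quantity out of range")      # field and range checks
    price = rec.get("unit_price")
    if not isinstance(price, Decimal) or price <= 0:
        reasons.append("invalid unit price")
    if reasons:
        return Result("REJECTED", reasons=reasons)
    gross = price * qty
    # Constructed defect: documented policy grants the 5% volume discount for
    # qty > 100, but the program applies it from qty >= 100.
    discount = gross * Decimal("0.05") if qty >= 100 else Decimal("0")
    total = ((gross - discount) * (1 + TAX_RATE)).quantize(CENT, ROUND_HALF_UP)
    return Result("ACCEPTED", total)


def run_test_data(program: Callable[[dict], Result]) -> List[str]:
    """Test-data technique: auditor-prepared records with predetermined answers."""
    cases = [
        ({"customer": "C100", "qty": 10, "unit_price": Decimal("2.50")}, "ACCEPTED", Decimal("27.00")),
        ({"customer": "ZZZ", "qty": 10, "unit_price": Decimal("2.50")}, "REJECTED", None),    # unknown customer
        ({"customer": "C100", "qty": 0, "unit_price": Decimal("2.50")}, "REJECTED", None),    # zero quantity
        ({"customer": "C100", "qty": 5000, "unit_price": Decimal("2.50")}, "REJECTED", None), # over limit
        ({"customer": "C100", "qty": 10, "unit_price": Decimal("-1")}, "REJECTED", None),     # negative price
        ({"customer": "C100", "qty": "10", "unit_price": Decimal("2.50")}, "REJECTED", None), # wrong field type
    ]
    failures = []
    for rec, exp_status, exp_total in cases:
        got = program(rec)
        if got.status != exp_status or (exp_total is not None and got.total != exp_total):
            failures.append(f"{rec}: got {got.status} {got.total}, expected {exp_status} {exp_total}")
    return failures


def auditor_simulation(rec: dict) -> Decimal:
    """Auditor-written recomputation of the documented pricing policy."""
    gross = rec["unit_price"] * rec["qty"]
    discount = gross * Decimal("0.05") if rec["qty"] > 100 else Decimal("0")
    return ((gross - discount) * (1 + TAX_RATE)).quantize(CENT, ROUND_HALF_UP)


def parallel_simulation(program: Callable[[dict], Result], live: List[dict]) -> List[Tuple[str, str, str]]:
    """Run live records through both programs; report (invoice, real total, predicted total) on disagreement."""
    exceptions = []
    for rec in live:
        real = program(rec)
        if real.status != "ACCEPTED":
            continue                         # rejected records carry no total to compare
        predicted = auditor_simulation(rec)
        if real.total != predicted:
            exceptions.append((rec["invoice"], str(real.total), str(predicted)))
    return exceptions


LIVE_RECORDS = [   # constructed "live" input file
    {"invoice": "INV-1", "customer": "C200", "qty": 50, "unit_price": Decimal("4.00")},
    {"invoice": "INV-2", "customer": "C300", "qty": 100, "unit_price": Decimal("10.00")},
    {"invoice": "INV-3", "customer": "C100", "qty": 150, "unit_price": Decimal("1.00")},
]

if __name__ == "__main__":
    print("test data failures:", run_test_data(client_invoice_program))
    print("parallel simulation exceptions:", parallel_simulation(client_invoice_program, LIVE_RECORDS))
```

The test data pass, which confirms that the edit controls are in place, yet the parallel simulation reports INV-2: none of the test records sits on the qty = 100 boundary where the constructed program departs from policy, while the live file does. Developing test data that cover the range of exception situations means including such boundary cases.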
Validating Computer Programs
Auditors must validate any program presented to them to thwart a clever programmer’s dishonest program.
Procedures that assist in program validation are
- tests of program change control procedures, which
  - protect against unauthorized program changes
  - begin with an inspection of the documentation
  - include program authorization forms to be filled in
  - ensure accountability and adequate supervisory controls
- program comparison, which
  - guards against unauthorized program tampering
  - performs certain control total tests of program authenticity, using a test of length or a comparison program

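An added example of the program-comparison procedure (mine, not the textbook's): a copy of a program taken from the production library is compared with the authorized copy by a test of length, a line count, a SHA-256 control total and a line-by-line comparison. The two program texts and the same-length tampered variant are constructed; the cryptographic hash goes beyond the length test named in the text, because a change that preserves the program's size passes a length test alone.

```python
"""Program comparison: length test, control totals and a line-level diff of a
production copy against the authorized copy.  Added example with constructed
program texts; not from the textbook."""
import difflib
import hashlib
from typing import Dict, List

# Constructed authorized program (what the controlled program library holds)
AUTHORIZED_COPY = """\
def monthly_interest(balance, rate):
    # rate is an annual percentage, per documented policy
    return round(balance * rate / 100 / 12, 2)
"""

# Constructed production copy with two unauthorized lines inserted
PRODUCTION_COPY = """\
def monthly_interest(balance, rate):
    # rate is an annual percentage, per documented policy
    if balance > 1_000_000:
        return round(balance * rate / 100 / 12 * 0.5, 2)
    return round(balance * rate / 100 / 12, 2)
"""

# Same-size tampering that a length test alone would miss: "/ 12" became "/ 11"
SAME_LENGTH_COPY = AUTHORIZED_COPY.replace("/ 12", "/ 11")


def control_totals(source: str) -> Dict[str, object]:
    """Totals an auditor can record for a program and re-check later."""
    data = source.encode("utf-8")
    return {
        "length": len(data),                       # the text's test of length
        "lines": source.count("\n"),
        "sha256": hashlib.sha256(data).hexdigest(),  # collision-resistant control total
    }


def compare_programs(authorized: str, candidate: str) -> Dict[str, object]:
    """Compare control totals; on a hash mismatch, list the changed lines."""
    a, c = control_totals(authorized), control_totals(candidate)
    report: Dict[str, object] = {
        "length_matches": a["length"] == c["length"],
        "hash_matches": a["sha256"] == c["sha256"],
        "diff": [],
    }
    if not report["hash_matches"]:
        changed: List[str] = []
        for line in difflib.unified_diff(authorized.splitlines(), candidate.splitlines(),
                                         fromfile="authorized", tofile="production",
                                         lineterm="", n=0):
            # keep only added/removed program lines, not the file headers
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
                changed.append(line)
        report["diff"] = changed
    return report


if __name__ == "__main__":
    for label, copy in [("production", PRODUCTION_COPY), ("same-length", SAME_LENGTH_COPY)]:
        r = compare_programs(AUTHORIZED_COPY, copy)
        print(label, "length ok:", r["length_matches"], "hash ok:", r["hash_matches"])
        for line in r["diff"]:
            print("   ", line)
```

The same-length variant passes the length test and fails the hash, which is why a control total should be a cryptographic digest rather than a size; the line-level diff then gives the auditor the exact lines to take to the program change control records.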
Question
Which of the following is an audit technique for auditing computerized AISs?
a. Parallel simulation
b. Use of specialized control software
c. Continuous auditing
d. All of the above are techniques used to audit computerized AISs.

Review of Systems Software
Systems software includes
- operating system software,
- utility programs,
- program library software, and
- access control software.
Auditors should review systems software documentation.
Systems software can generate incident reports, which list events that are unusual or interrupt operations:
- security violations (such as unauthorized access attempts),
- hardware failures, and
- software failures.

Validating Users and Access Privileges
The IT auditor
- needs to verify that the software parameters are set appropriately
- must make sure that IT staff are using them appropriately
- needs to make sure that all users are valid and that each has access privileges appropriate to their job
There are a variety of auditor software tools (CAATs) that can scan settings and databases and make the work more efficient.

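An added CAAT-style example for this step (mine, not from the textbook): it reconciles an account export against the HR roster, compares each user's privileges with those approved for the job role, checks for incompatible privilege combinations, and tests security parameters against the auditor's expectations. The roster, account list, approved-privilege matrix and parameter values are all constructed.

```python
"""Review of user accounts, access privileges and security parameters.
Added example built on constructed extracts; not from the textbook."""
from typing import Callable, Dict, List, Set, Tuple

# Constructed HR roster: user id -> employment status and job role
HR_ROSTER: Dict[str, Dict[str, str]] = {
    "asmith": {"status": "active", "role": "AP clerk"},
    "bjones": {"status": "active", "role": "AP supervisor"},
    "cwu": {"status": "terminated", "role": "AP clerk"},
    "dlee": {"status": "active", "role": "IT admin"},
}
# Constructed account export from the application's access control software
ACCOUNTS: List[Dict[str, object]] = [
    {"user": "asmith", "privileges": {"enter_invoice"}},
    {"user": "bjones", "privileges": {"enter_invoice", "approve_payment"}},
    {"user": "cwu", "privileges": {"enter_invoice"}},
    {"user": "dlee", "privileges": {"manage_users", "approve_payment"}},
    {"user": "svc_old", "privileges": {"enter_invoice", "approve_payment"}},
]
# Privileges management has approved for each job role (constructed)
APPROVED: Dict[str, Set[str]] = {
    "AP clerk": {"enter_invoice"},
    "AP supervisor": {"approve_payment"},
    "IT admin": {"manage_users"},
}
# Privilege combinations one person should never hold (segregation of duties)
INCOMPATIBLE: List[Tuple[Set[str], str]] = [
    ({"enter_invoice", "approve_payment"}, "enters and approves invoices"),
]
# Security parameters the auditor expects, each expressed as an acceptance test
PARAMETER_POLICY: Dict[str, Callable[[int], bool]] = {
    "min_password_length": lambda v: v >= 12,
    "max_failed_logins": lambda v: 1 <= v <= 5,      # 0 would mean lockout is disabled
    "session_timeout_minutes": lambda v: v <= 15,
}
# Constructed parameter values as read from the system
SYSTEM_PARAMETERS = {"min_password_length": 6, "max_failed_logins": 0, "session_timeout_minutes": 15}


def review_accounts(roster, accounts, approved, incompatible) -> List[Dict[str, str]]:
    """Match every account to a person and a role; report anything that does not fit."""
    findings = []
    for acct in accounts:
        user, privs = acct["user"], acct["privileges"]
        person = roster.get(user)
        if person is None:
            findings.append({"user": user, "finding": "no matching HR record"})
            continue
        if person["status"] != "active":
            findings.append({"user": user, "finding": "account still enabled for a terminated employee"})
        excess = privs - approved.get(person["role"], set())
        if excess:
            findings.append({"user": user, "finding": "privileges beyond role: " + ", ".join(sorted(excess))})
        for pair, label in incompatible:
            if pair <= privs:
                findings.append({"user": user, "finding": "segregation of duties conflict: " + label})
    return findings


def check_parameters(actual: Dict[str, int], policy: Dict[str, Callable[[int], bool]]) -> List[str]:
    """Names of parameters that are missing or fail their acceptance test."""
    return [name for name, ok in policy.items() if name not in actual or not ok(actual[name])]


if __name__ == "__main__":
    for f in review_accounts(HR_ROSTER, ACCOUNTS, APPROVED, INCOMPATIBLE):
        print(f"{f['user']:8} {f['finding']}")
    print("parameters outside policy:", check_parameters(SYSTEM_PARAMETERS, PARAMETER_POLICY))
```

Each finding maps to one of the auditor's three concerns above: parameters not set appropriately (password length, lockout disabled), invalid users (an account with no HR record, an account left enabled after termination), and privileges that do not fit the job (excess rights and the enter/approve conflict).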
Continuous Approach
Continuous auditing can be achieved by
- embedded audit modules or audit hooks: application subroutines that capture data for audit purposes
- exception reporting mechanisms: reject certain transactions that fall outside predefined specifications
- a systems control audit review file (SCARF): a special log that records transactions meeting prespecified criteria
- transaction tagging: tags certain transactions with a special identifier
- the snapshot technique: examination of the way transactions are processed
- continuous and intermittent simulation: embedding of an audit module in a DBMS

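An added example (not from the textbook) of an embedded audit module: an audit hook the application calls for every transaction, which writes transactions meeting prespecified criteria to a SCARF, tags them with a special identifier so they can be traced through later processing, and rejects through exception reporting any transaction outside the predefined specification. The criteria, the posting loop and the five sample transactions are constructed.

```python
"""Embedded audit module (audit hook) with a SCARF log, exception reporting
and transaction tagging.  Added example; the application loop, criteria and
transactions are all constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Txn:
    txn_id: str
    user: str
    amount: float
    posted_at: datetime
    tag: Optional[str] = None     # transaction tagging: marker carried through later processing


@dataclass
class AuditModule:
    """Subroutine the application calls for every transaction before posting it."""
    scarf: List[Dict[str, object]] = field(default_factory=list)  # systems control audit review file
    rejected: List[Dict[str, str]] = field(default_factory=list)  # exception report
    large_amount: float = 10_000.0    # prespecified SCARF criterion
    hard_limit: float = 50_000.0      # predefined specification for exception reporting

    def review(self, t: Txn) -> bool:
        """Record what meets the audit criteria; return whether posting may proceed."""
        reasons = []
        if t.amount >= self.large_amount:
            reasons.append("large amount")
        if not 8 <= t.posted_at.hour < 18:
            reasons.append("outside business hours")
        if t.posted_at.weekday() >= 5:
            reasons.append("weekend")
        if reasons:
            t.tag = "AUDIT"       # tagged so the transaction can be traced through later steps
            self.scarf.append({"txn_id": t.txn_id, "user": t.user,
                               "amount": t.amount, "reasons": reasons})
        # Exception reporting: transactions outside the specification are not posted
        if not 0 < t.amount <= self.hard_limit:
            self.rejected.append({"txn_id": t.txn_id, "reason": "amount outside specification"})
            return False
        return True


def post_transactions(txns: List[Txn], module: AuditModule) -> List[str]:
    """Constructed application loop; returns the ids that were posted."""
    return [t.txn_id for t in txns if module.review(t)]


SAMPLE = [   # constructed transactions (2024-03-05 is a Tuesday, 2024-03-09 a Saturday)
    Txn("T1", "alice", 250.0, datetime(2024, 3, 5, 10, 15)),
    Txn("T2", "bob", 12_500.0, datetime(2024, 3, 5, 11, 0)),
    Txn("T3", "carol", 900.0, datetime(2024, 3, 5, 23, 30)),
    Txn("T4", "dave", 75_000.0, datetime(2024, 3, 9, 9, 0)),
    Txn("T5", "erin", -40.0, datetime(2024, 3, 6, 14, 0)),
]


def run_sample() -> Tuple[List[str], AuditModule]:
    """Post the constructed sample through a fresh module and return both results."""
    module = AuditModule()
    posted = post_transactions(SAMPLE, module)
    return posted, module


if __name__ == "__main__":
    posted, module = run_sample()
    print("posted:", posted)
    print("SCARF entries:", module.scarf)
    print("rejected:", module.rejected)
```

T2 and T3 are posted but logged to the SCARF (large amount, after hours); T4 is both logged and rejected; T5 is rejected without a SCARF entry because a negative amount fails the specification but meets none of the review criteria. The SCARF is what the auditor reads later, so its criteria should be the ones the risk assessment identified, not the application's own validation rules.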
Information Technology Auditing Today
Information technology auditing today involves
- information technology governance
- auditing for fraud (Statement on Auditing Standards No. 99)
- the Sarbanes-Oxley Act of 2002
- third-party reliability assurances
- information systems reliability assurances

Information Technology Governance
Information technology governance is the process of using IT resources efficiently, responsibly, and strategically.
The IT Governance Institute, which is affiliated with ISACA, was created in 1998.
The objectives of IT governance are twofold:
- to fulfill the organizational mission and to compete effectively
- to ensure that IT resources are managed effectively and that management controls IT-related risks

Auditing for Fraud—Statement on Auditing Standards No. 99
Earlier financial statement audits required auditors
- to attest to the fairness of financial statements
- not to detect fraudulent activities
Financial statement audits now require auditors to
- attest to the fairness of financial statements
- detect fraudulent activities
- assist a fraud investigator in many ways, such as where an audit trail needs to be reconstructed or computerized records must be retrieved

Question
With respect to changes in IT auditing today, which of the following is not true?
a. IT governance, which ties IT to organizational strategy, is increasingly important.
b. Section 404 of the Sarbanes-Oxley Act of 2002 created an increase in demand for both IT auditors and internal auditors.
c. IT auditors are concerned only with supporting financial auditors and should not investigate fraud cases.
d. Third-party assurance seals may provide some comfort to e-business customers regarding the security of online transactions.

The Sarbanes-Oxley Act of 2002
In 2002, Congress passed the Sarbanes-Oxley Act, which
- limits the services that auditors can provide to their clients, and
- prohibits public accounting firms from offering nonaudit services to clients at the same time they are conducting audits.
SOX has basically four groups of compliance requirements:
- audit committee/corporate governance requirements,
- issues regarding certification, disclosure, and internal controls,
- rules about financial statement reporting, and
- regulations governing executive reporting and conduct.
The two most important provisions of SOX for auditors are
- Section 302, requiring CFOs and CEOs to certify that their company’s financial statements are accurate and complete
- Section 404, requiring both the CEO and CFO to attest to their organization’s internal controls over financial reporting

Information Systems Reliability Assurance
Auditing electronic commerce is a specialized field because of
- the skill level involved,
- the absence of many safeguards that are inherent in non-e-commerce systems,
- the lack of hard-copy documents for verification, and
- the fact that an electronic transaction does not guarantee validity or authenticity.
Auditors need to attest to this type of format to provide the traditional assurance by an audit report or digital signature.

Third-Party Assurance
Internet systems and web sites
- are a source of risk for many companies,
- need specialized audits, and
- have created a market for third-party assurance services, which is limited to data privacy.
The AICPA introduced Trust Services as an assurance service.
The principles of Trust Services are security, availability, processing integrity, online privacy, and confidentiality.

Copyright
Copyright 2005 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.