Concurrent Audit Techniques
Cdr MK Paul, B Tech, CISA
Indian Navy
What is concurrent auditing?
► Concurrent auditing techniques are used to collect audit evidence at the same time as an application system undertakes processing of production data.
Why concurrent auditing?
► Progressive disappearance of the paper-based audit trail.
► To prevent / detect material loss due to rapid propagation of errors to other connected / dependent systems in a computerised environment.
► Difficulty in performing a transaction walkthrough in a computerised environment.
Why concurrent auditing (contd.)?
► For timely detection of entropy in a computerised data processing system.
    - Entropy is the tendency of any system to move towards internal disorder and eventually collapse.
► Problems of gathering audit evidence in an outsourced and distributed information system environment.
    - Physical presence at every site may be cost prohibitive and impractical.
Types of concurrent auditing
► Two types
    - Special audit modules embedded in application / system software to collect evidence.
    - Special audit records to store the audit evidence collected.
Concurrent Auditing Techniques
► Integrated Test Facility (ITF)
► Snapshots
    - Extended Record Technique
► System Control Audit Review File (SCARF)
► Continuous and Intermittent Simulation (CIS)
Integrated Test Facility (ITF)
► Involves establishing a dummy entity in the application system’s files and processing audit test data against this entity.
► Verifies the application system’s processing authenticity, accuracy and completeness.
ITF
► Test data used in ITF
    - Tagged live production transactions
    - Specially designed by auditors according to a test plan
► These specially designed test data are submitted for processing along with the normal production data.
ITF
[Figure: two ITF data-flow diagrams. First: Transaction Input (Live Data and Test Data) → Application system → ITF Database with Dummy Entity. Second: Transaction Input (Tagged Live Transactions) → Application system → ITF Database with Dummy Entity.]
ITF
► A problem with using ITF is that it affects the output of the application system.
► Effects of ITF transactions should be removed by the application software prior to producing output.
    - Modify the application program to ignore their effects while preparing outputs.
    - Submit additional inputs for removing their effects.
    - Submit trivial entries as test data so that their effect on the output is minimal.
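The ITF cycle described on the slides above, as an added example that is not part of the original presentation: test transactions are posted against a dummy entity through the same code path as live data, and their effect is then kept out of the output either by ignoring the dummy entity or by submitting reversing inputs. The entity name, the overdraft control and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ITF_ENTITY = "ITF-DUMMY-001"  # hypothetical dummy entity created for the auditor

@dataclass(frozen=True)
class Txn:
    account: str
    amount: int  # minor currency units; negative means debit

def post(ledger, txns):
    """Application processing: one code path for live and ITF transactions."""
    applied, rejected = [], []
    for t in txns:
        # Control under test: unknown accounts and overdrafts are rejected.
        if t.account not in ledger or ledger[t.account] + t.amount < 0:
            rejected.append(t)
        else:
            ledger[t.account] += t.amount
            applied.append(t)
    return applied, rejected

def reported_total(ledger, ignore_itf):
    """Output stage. ignore_itf=True is the 'modify the program' option."""
    return sum(b for a, b in ledger.items() if not (ignore_itf and a == ITF_ENTITY))

def reversing_entries(applied):
    """The 'additional inputs' option: cancel applied ITF entries, newest first."""
    return [Txn(t.account, -t.amount) for t in reversed(applied)
            if t.account == ITF_ENTITY]

def run_itf_cycle():
    # Constructed sample data, not taken from any real system.
    ledger = {"ACC-1": 10_000, "ACC-2": 2_500, ITF_ENTITY: 0}
    live = [Txn("ACC-1", -4_000), Txn("ACC-2", 1_500)]
    test = [Txn(ITF_ENTITY, 500), Txn(ITF_ENTITY, -800), Txn(ITF_ENTITY, -200)]
    applied, rejected = post(ledger, live + test)
    result = {
        "itf_balance": ledger[ITF_ENTITY],  # auditor expects 300
        "itf_rejected": [t.amount for t in rejected if t.account == ITF_ENTITY],
        "total_contaminated": reported_total(ledger, ignore_itf=False),
        "total_clean": reported_total(ledger, ignore_itf=True),
    }
    _, failed = post(ledger, reversing_entries(applied))
    result["reversal_failures"] = len(failed)
    result["total_after_reversal"] = reported_total(ledger, ignore_itf=False)
    return result

if __name__ == "__main__":
    print(run_itf_cycle())
```

Reversals are submitted newest first because replaying them in the original order would trip the same overdraft control that the test data exercises.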
Snapshots
► Involves taking pictures of a transaction as it flows through various points in the application.
    - Embedded audit module used to take pictures.
► Snapshots are either printed immediately or saved to a file for later printing.
► Auditors determine
    - Where to take snapshots
    - Which transactions will be subject to snapshot
    - How and when the snapshot data will be presented for evaluation
Snapshots
► Extended Record Technique
    - Modification of the Snapshot technique
► The snapshot technique involves writing a record for each snapshot point. Snapshots are usually stored where they are taken.
► The extended record technique appends data for each snapshot point to a single record. Thus all data relating to a transaction is kept in one place.
Snapshots
[Figure: Input Transaction → Input Validation Program → Update Program → Report Program. Snapshots 1, 2, 3, snapshots 4, 5, 6, 7 and snapshots 8, 9 are each written to a Snapshot Report / File. With the extended record technique, snapshots 1, 2, 3, 4, 5, 6, 7, 8, 9 are held in one Extended Record.]
System Control Audit Review File (SCARF)
► Most complex of all techniques
► Involves embedding audit modules in an application system to provide continuous monitoring of a system’s transactions.
    - Embedded audit modules are placed at predetermined points to gather information about transactions or events that auditors deem to be material.
► Data collected via these routines includes errors and irregularities, policy and procedural variances, system exceptions, statistical samples, snapshots etc.
► Written to a special SCARF file for immediate or subsequent audit evaluation.
SCARF
[Figure: SCARF data flow. Labels: Input Transaction; Update Program containing SCARF embedded audit routines; Snapshot Report / File; SCARF; SCARF Reporting System; Audit Reports.]
Continuous Intermittent Simulation (CIS)
► Used whenever application systems use a database management system.
► Transactions of interest to the auditors are trapped by the DBMS and passed to CIS.
► CIS replicates the application system’s processing.
► The results of application system processing and CIS processing are compared, and data about discrepancies is written to a special audit file.
    - If discrepancies are material, CIS can instruct the DBMS to reject updates.
CIS
► Advantage
    - CIS does not require modification to the application system (the DBMS needs to be modified to trap CIS transactions).
► Disadvantage
    - Cannot collect evidence at processing points other than the DBMS.
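The CIS flow from the two slides above, as an added example that is not part of the original presentation: a toy DBMS layer traps transactions of interest, an independent replica recomputes the result, discrepancies go to an audit file, and a material discrepancy causes the update to be rejected. The interest rule, the materiality threshold, the selection criterion and all sample transactions are assumptions constructed for illustration.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
MATERIALITY = Decimal("1.00")  # assumed threshold for rejecting an update

def app_interest(balance, rate_pct):
    """Stand-in application logic with two defects: truncates, ignores the cap."""
    return (balance * rate_pct / 100).quantize(CENT, rounding=ROUND_DOWN)

def cis_interest(balance, rate_pct):
    """Auditor's replica of the assumed rule: rate capped at 5%, round half up."""
    return (balance * min(rate_pct, Decimal(5)) / 100).quantize(CENT, rounding=ROUND_HALF_UP)

class AuditedStore:
    """Toy DBMS layer. The trap lives here, so application code is unchanged."""
    def __init__(self, of_interest):
        self.rows, self.audit_file, self.of_interest = {}, [], of_interest

    def update(self, txn, app_value):
        if self.of_interest(txn):  # trap the transaction and pass it to CIS
            cis_value = cis_interest(txn["balance"], txn["rate_pct"])
            diff = abs(app_value - cis_value)
            if diff:
                material = diff >= MATERIALITY
                self.audit_file.append(
                    {"id": txn["id"], "app": app_value, "cis": cis_value, "material": material})
                if material:
                    return False  # CIS instructs the DBMS to reject the update
        self.rows[txn["id"]] = app_value
        return True

def run_batch():
    # Constructed transactions; the auditor selects balances of 10,000 and above.
    store = AuditedStore(lambda t: t["balance"] >= 10_000)
    txns = [
        {"id": "T1", "balance": Decimal("500.00"), "rate_pct": Decimal("7.5")},
        {"id": "T2", "balance": Decimal("10000.50"), "rate_pct": Decimal("1.25")},
        {"id": "T3", "balance": Decimal("20000.00"), "rate_pct": Decimal("7.5")},
    ]
    accepted = [t["id"] for t in txns
                if store.update(t, app_interest(t["balance"], t["rate_pct"]))]
    return accepted, store.audit_file
```

T1 carries the same rate-cap defect as T3 but is stored unchecked because it falls outside the selection criterion, which shows how much the evidence depends on what the auditor asks the DBMS to trap.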
Parallel Simulation
[Figure: Input Transactions and Test Data are processed by both the Application Program and a Parallel Simulation of the Application Program (written using Generalised Audit Software). Each produces an Output File; the two output files are compared to identify discrepancies.]