Information System Control & Audit.


Page 1: Information System  Control & Audit

Information System Control & Audit.

Page 2: Information System  Control & Audit

Need for IS Audit

• Uncontrolled use of computers may result in:
  - Data loss
  - Incorrect decision making
  - Computer abuse
  - Loss of valuable hardware or software or personnel
  - Computer errors

Page 3: Information System  Control & Audit

Need for IS Audit Cont’d…

• Security & abuse - from inside & outside: hacking, viruses, access
  - Destruction & theft of assets
  - Modification of assets
  - Disruption of operations
  - Unauthorized use of assets
  - Physical harm
  - Privacy violations

Page 4: Information System  Control & Audit

IT / IS Auditing?

• Process of collecting and evaluating evidence to determine whether a computer system:
  - Safeguards assets
  - Maintains data integrity
  - Achieves organizational goals effectively
  - Consumes resources efficiently

Page 5: Information System  Control & Audit

Types of Audits

• Financial: More relevant to external auditor.

• Operational:
  - Compliance with laws, regulations, and/or contracts
  - Compliance with company standards, policies, and/or procedures
  - Effectiveness and efficiency of business operations
  - Typically an internal audit function

Page 6: Information System  Control & Audit

Types of Audits Cont’d…

• Information Technology (IT):
  - Information confidentiality
  - Data integrity
  - System availability
  - Compliance with laws, regulations, and/or contracts
  - Compliance with company standards, policies, and/or procedures
  - Information reliability
  - Effectiveness and efficiency of operations

Page 7: Information System  Control & Audit

Auditing Environment

• External vs. internal auditors
• External auditors are provided by public accounting firms and also exist in government. They provide increased assurance:
  - Fairness of financial statements
  - Frauds & irregularities
  - Ability to survive
• Relies on internal control structure for planning of audit

Page 8: Information System  Control & Audit

Auditing Environment Cont’d…

• Internal auditors responsible to Board of Directors
• An internal control function
• Assist the organization in measurement & evaluation:
  - Effectiveness of internal controls
  - Achievement of organizational objectives
  - Economics & efficiency of activities
  - Compliance with laws and regulations
• Operational audits

Page 9: Information System  Control & Audit

Audit Standards

• Professional Organizations:
  - American Institute of Certified Public Accountants (AICPA)
    - Generally Accepted Auditing Standards (GAAS)
    - Statements of Auditing Standards (SAS)
  - Financial Accounting Standards Board (FASB)
    - Generally Accepted Accounting Principles (GAAP)
  - The Institute of Internal Auditors (IIA)
    - Statements on Internal Auditing Standards (SIAS)
  - Information Systems Audit & Control Association (ISACA)
    - COBIT: Control Objectives for Information Technology

Page 10: Information System  Control & Audit

Audit Standards Cont’d…

• Related Legislation
  - Privacy Act, 1974
  - Computer Fraud and Abuse Act (CFAA), 1984 & 1994
  - Computer Security Act, 1987
  - Electronic Communications Privacy Act
  - Communications Decency Act, 1995
  - Health Insurance Portability & Accountability Act (HIPAA), 1996
  - Sarbanes-Oxley Act of 2002
  - Homeland Security Act of 2002 with the Cyber Security Enhancement Act

Page 11: Information System  Control & Audit

Internal Control Framework

• Separation of duties
• Delegation of authority & responsibility
• System of authorizations
• Documentation & records
• Physical control over assets & records
• Management supervision
• Independent checks

Page 12: Information System  Control & Audit

Internal Controls Cont’d…

• Control is a system, pattern of activities:
  - Preventive
  - Detective
  - Corrective

• Overall purpose is to reduce expected losses from unlawful events.

• Auditor’s task is to determine whether controls are in place and working properly.

Page 13: Information System  Control & Audit

Effects of Computers on Auditing

• Impact on control environment
• Changes to evidence collection
• Complex evidence evaluation