
IS Auditing Midterm Review
ISMT 350

Time & Venue: 5 Oct 2006, 10:30 am to 11:50 am @ Room 2463

Note: You will be allowed one A4 sized sheet of paper as a “Cheat Sheet” for your reference during the ISMT 350 Midterm Exam. You can fill out both sides, and there are no limits on handwriting, font, or techniques for the information you place on the page. No other materials will be allowed during the exam.

Course Topics So Far

Topic | Readings | Practicum: Competency | Practicum: Case Study
What is Information Systems (IS) Auditing? | - | Industry Profile: The Job of the IS Auditor | -
Identifying Computer Systems | Chapter 1 | Evaluating IT Benefits and Risks | Jacksonville Jaguars
IS Audit Programs | Chapter 2 | The Job of the Staff Auditor | A Day in the Life of Brent Dorsey
IS Security | Chapter 3 | Recognizing Fraud | The Anonymous Caller

Logical Structure of the Course, With Readings from the Text

[Figure: course map; the colored area marks the material covered so far]
- IS Auditing
  - IS Components (Ch. 1 & 2)
  - Audit Components (Ch. 3 & 4)
  - Controls over IS Assets (Ch. 7 & 8)
  - Procedural Controls (Ch. 9)
  - Audit Standards and Procedures (Ch. 10)
  - Forensics and Fraud Audits (Ch. 12)
  - Encryption (Ch. 11)
- Current and Future Issues in IS Auditing

Classes of Things You Have Learned

- Concepts: things you need to know. These include theories and frameworks, and facts.
- Activities and Tasks: things an auditor needs to do.
- Tools: used to make audit decisions.

Identifying Computer Systems
Chapter 1

1. Identifying what you are going to audit
2. The Computer Asset Inventory
3. Identification of Transactions, and Risk Levels
4. Audit programs for high risk transactions

Audit Program

Audit programs are checklists of the various tests (audit procedures) that auditors must perform within the scope of their audits to determine whether key controls intended to mitigate significant risks are functioning as designed.

Objective: to determine the adequacy of the controls over the particular accounting processes covered by the audit program. This is fundamentally what the assurance and attestation aspects of the audit are expected to achieve during the ‘tests of transactions’ (the mid-year or internal control tests).

The objective

The reason for an audit is to write an opinion, saying that:
- the stock price is fairly stated (external);
- control processes are effective (internal & external);
- assets are not at risk of theft or damage (internal).

We only need to identify computer systems where one or more of these objectives is affected.

Benefits

The use of audit programs is fairly standard for audit firms, and is considered good business practice. List three (3) benefits to the audit firm of using an audit program:
- They improve resource planning (where to spend money and employ people on an audit).
- They promote consistency from year to year when the personnel and situations of an audit change.
- Prior years’ programs are the basis for the current year’s audit procedures.
- Anything else that seems reasonable.

Control assessment

Information systems audit programs should assess the adequacy of controls in four (4) areas.

1. Environmental controls

2. Physical security controls

3. Logical security controls

4. IS operating controls

Computer Assets

[Figure: hierarchy of computer assets]
- Central Processing Unit; Memory (RAM / ROM); Peripheral Processor (Video, Bus, etc.); Network Devices; Optical & Magnetic Media
- Operating Systems: Specialized O/S; Utilities; Network O/S; Database O/S
- Programming Languages, Tools & Environments: Utilities and Services
- Applications

The main categories of Computer Applications, and their relative importance

Information Technology Market | Annual Expenditures ($US billion) | Employees (thousand) | Major Suppliers
Operations & Accounting | 500 | 2000 | US, India
Search & Storage | 1000 | 5000 | US
Tools | 300 | 300 | US, Germany
Embedded | 1500 | 700 | US, Japan, Korea, Greater China
Communications | 700 | 2000 | US, Germany, Japan, Greater China
Total | 4,000 | 10,000 |

GWP ~$45 trillion (Pop: 6 billion); US GDP ~$10 trillion (Pop: 300 million)

The Risk Assessment Database

Asset columns (Ex. 2.1): Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)*
Risk Assessment columns (Ex. 2.2 with improvements): Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss

Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft | 100 | 100 | 10000
Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12250
Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc

*Whether you list depends on Audit Materiality
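The table above leaves the arithmetic implicit: Expected Loss is the probability of occurrence (occurrences per year) times the cost of a single occurrence, and the footnote says that whether a row is listed at all depends on audit materiality. The following Python is an added example, not part of the lecture slides: it models rows of the Risk Assessment Database, computes the Expected Loss column, ranks risks, filters rows by a materiality threshold, and picks the high-risk transactions that item 4 of the Chapter 1 list says need audit programs. The first two rows are the slide's own; the other rows, the materiality threshold and the comparison rule (asset value or annual flow at or above the threshold) are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskRow:
    """One row of the Risk Assessment Database (asset columns + risk columns)."""
    primary_os: str
    owner: str
    application: str
    asset_value: float          # Asset Value ($000,000 to Owner)
    flow_description: str
    annual_flow: float          # Total Annual Transaction Value Flow managed by Asset ($000,000)
    risk: str
    probability: float          # Probability of Occurrence (# per Year)
    cost_per_occurrence: float  # Cost of single occurrence ($)

    @property
    def expected_loss(self) -> float:
        """Expected Loss ($ per year) = occurrences per year x cost of one occurrence."""
        return self.probability * self.cost_per_occurrence


# Constructed sample database: the first two rows are the slide's own example rows,
# the remaining rows are invented so the ranking has something to work on.
RISK_DB = [
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor", 23,
            "Theft", 100, 100),
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor", 23,
            "Obsolescence and spoilage", 35, 350),
    RiskRow("Linux", "Treasury", "Payments", 0.050, "Wire transfers to vendors", 410,
            "Unauthorised payment release", 0.5, 250_000),
    RiskRow("Win XP", "HR", "Payroll", 0.010, "Monthly payroll run", 60,
            "Duplicate payee record", 2, 4_000),
]


def listed_rows(rows, materiality):
    """Rows worth listing at all: asset value or annual flow reaches audit materiality ($000,000).

    This is the footnote '*' on the slide. The threshold value and the
    'either column' comparison rule are assumptions of this example.
    """
    return [r for r in rows if r.asset_value >= materiality or r.annual_flow >= materiality]


def ranked_by_expected_loss(rows):
    """(risk description, expected loss) pairs, highest expected loss first."""
    return sorted(((r.risk, r.expected_loss) for r in rows),
                  key=lambda pair: pair[1], reverse=True)


def high_risk_transactions(rows, loss_threshold):
    """Risks whose expected loss reaches the threshold: candidates for an audit program
    (item 4 of the Chapter 1 list: audit programs for high risk transactions)."""
    return [r.risk for r in rows if r.expected_loss >= loss_threshold]


if __name__ == "__main__":
    for risk, loss in ranked_by_expected_loss(RISK_DB):
        print(f"{risk:30s} expected loss ${loss:,.0f}/year")
    print("Listed at materiality $50M:", [r.application for r in listed_rows(RISK_DB, 50)])
    print("Need audit programs (loss >= $10,000):", high_risk_transactions(RISK_DB, 10_000))
```

Note that the two filters answer different questions: materiality decides whether an asset or transaction flow is big enough to appear in the database at all, while expected loss decides which of the listed risks deserve a dedicated audit program.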

Ideas, not Things, have Value … and these ideas are tracked in the computer

[Figure: scatter plot of companies in rank order by increasing return; x-axis: Asset Intensity (Fixed Assets / Sales), 0 to 16; y-axis: 5-yr Shareholder Return %, -100 to 600]

How Accounting has had to Change Because of Business Automation

[Figure: two value-added diagrams]
- First diagram: Manufacturing Value Added, delivered to the Consumer, comes from Material, Labor and Capital in the proportions 50%, 30% and 20% (110% shown in total).
- Second diagram: Material, Labor and Capital contribute 5%, 5% and 10%; a Knowledge Integrator draws on the Knowledge Base (uncertain claims, contributions and property rights) for 80% (110% shown in total); Manufacturing Specifications lead to the Finished Product (20%).

IS Audit Programs

Chapter 2

What is IS Auditing? Why is it Important? What is the Industry Structure? Attestation and Assurance

Auditing

[Figure: the physical world against the parallel (logical) world of accounting, with auditing bridging the two]
- The Physical World: External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; Transactions
- The Parallel (Logical) World of Accounting: Journal Entries; 'Owned' Assets and Liabilities; Ledgers: Databases; Accounting Systems; Reports: Statistics; Corporate Law
- Auditing: Audit Program; Substantive Tests; Tests of Transactions; Analytical Tests; Attestation; Audit Report / Opinion

How Auditors Should Visualize Computer Systems

[Figure: layered view, top to bottom]
- Business Application Systems, carrying Transaction Flows
- Audit Objectives over those flows: Asset Loss Risks (Internal Audits); Reporting Risks (External Audit); Control Process Risks (Internal & External Audits)
- Operating Systems (including DBMS, network and other special systems)
- Hardware Platform
- Physical and Logical Security Environment

The IS Auditor’s Challenge

- Corporate Accounting is in a constant state of flux, because of advances in Information Technology applied to Accounting.
- Information that is needed for an Audit is often hidden from easy access by auditors, making computer knowledge an important prerequisite for auditing.
- IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations.

The Challenge to Auditing Presented by Computers

- Transaction flows are less visible.
- Fraud is easier: computers do exactly what you tell them. To err is human; but to really screw up you need a computer.
- Audit samples require computer knowledge and access.
- Transaction flows are much larger (good for the company, bad for the auditor): audits grow bigger and bigger from year to year, and there is more pressure to eat hours.
- Environmental, physical and logical security problems grow exponentially.
- Externally originated viruses and hacking are the major source of risk (10 years ago it was employees).

The Challenge to Auditing Presented by The Internet

- Transaction flows are External: external copies of transactions sit on many Internet nodes, and External Service Providers for accounting systems require giving control to outsiders with different incentives.
- Audit samples may be impossible to obtain, because they require access to 3rd party databases.
- Transaction flows are intermingled between companies.
- Environmental, physical and logical security problems grow exponentially.
- Externally originated viruses and hacking are the major source of risk (10 years ago it was employees).


Materiality

Materiality represents the maximum, combined, financial statement misstatement or omission that could occur before influencing the decisions of reasonable individuals relying on the financial statements.

The magnitude and nature of financial statement misstatements or omissions will not have the same influence on all financial statement users.

For example, a 5 percent misstatement with current assets may be more relevant for a creditor than a stockholder, whereas a 5 percent misstatement with net income before income taxes may be more relevant for a stockholder than a creditor. Therefore, the primary consideration when determining materiality is the expected users of the financial statements.

The specific amounts established for each financial statement element must be determined by considering the primary users as well as qualitative factors.

For example, if the client is close to violating the minimum current ratio requirement for a loan agreement, a smaller planning materiality amount should be used for current assets and liabilities.

Conversely, if the client is substantially above the minimum current ratio requirement for a loan agreement, it would be reasonable to use a higher planning materiality amount for current assets and current liabilities.

Planning materiality should be based on the smallest amount established from relevant materiality bases to provide reasonable assurance that the financial statements, taken as a whole, are not materially misstated for any user.

Tolerable misstatement

This is essentially materiality for individual financial statement accounts. The amount established for individual accounts is referred to as "tolerable misstatement."

Tolerable misstatement represents the amount an individual financial statement account can differ from its true amount without affecting the fair presentation of the financial statements taken as a whole.

Establishment of tolerable misstatement for individual accounts enables the auditor to design and execute an audit strategy for each audit cycle.

Tolerable misstatement should be established for all balance sheet accounts (except "retained earnings" because it is the residual account).
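The materiality rules above (choose bases by the expected users, tighten the current-asset base when a loan covenant is close, take the smallest amount across the relevant bases, then set tolerable misstatement per balance sheet account except retained earnings) can be carried through on sample figures. The Python below is an added example, not from the slides or any audit firm's methodology. The only figures taken from the text are the 5 percent illustration and the creditor/stockholder pairing; the 10% covenant "cushion", the halving of the current-asset base when the covenant is close, the 50% tolerable-misstatement fraction and the client figures are all constructed assumptions.

```python
# Assumptions of this example: materiality rates per base (the slide's 5% illustration,
# kept as whole percentages so the arithmetic is exact), how close to a covenant counts as
# "close", how much the current-asset base is reduced in that case, and the fraction of
# planning materiality assigned to each account as tolerable misstatement.
BASE_PERCENT = {"current_assets": 5, "net_income_before_tax": 5}
COVENANT_CUSHION = 0.10      # within 10% of the loan agreement's minimum current ratio
COVENANT_REDUCTION = 2       # divide the current-asset base by this when the covenant is close
TOLERABLE_FRACTION = 0.50    # tolerable misstatement per account = 50% of planning materiality

# Which base matters most to which user of the statements (slide: a creditor looks at
# current assets, a stockholder at net income before income taxes).
USER_BASES = {"creditor": {"current_assets"}, "stockholder": {"net_income_before_tax"}}


def covenant_is_close(financials, min_current_ratio):
    """True when the current ratio is within COVENANT_CUSHION of the loan agreement minimum."""
    ratio = financials["current_assets"] / financials["current_liabilities"]
    return ratio < min_current_ratio * (1 + COVENANT_CUSHION)


def materiality_bases(financials, min_current_ratio, users):
    """Materiality amount for each base relevant to the expected users of the statements."""
    relevant = set().union(*(USER_BASES[u] for u in users))
    amounts = {}
    for base in relevant:
        amount = financials[base] * BASE_PERCENT[base] / 100
        if base == "current_assets" and covenant_is_close(financials, min_current_ratio):
            amount /= COVENANT_REDUCTION   # smaller planning amount for current assets / liabilities
        amounts[base] = amount
    return amounts


def planning_materiality(financials, min_current_ratio, users):
    """Smallest amount across the relevant bases, so the statements are not misstated for any user."""
    return min(materiality_bases(financials, min_current_ratio, users).values())


def tolerable_misstatement(balance_sheet_accounts, planning_mat):
    """Per-account tolerable misstatement; retained earnings is skipped as the residual account."""
    return {account: planning_mat * TOLERABLE_FRACTION
            for account in balance_sheet_accounts if account != "retained_earnings"}


# Constructed client figures ($): current ratio is 1.25.
FINANCIALS = {"current_assets": 2_000_000, "current_liabilities": 1_600_000,
              "net_income_before_tax": 1_500_000}
ACCOUNTS = ["cash", "receivables", "inventory", "payables", "retained_earnings"]

if __name__ == "__main__":
    for min_ratio in (1.2, 1.0):
        pm = planning_materiality(FINANCIALS, min_ratio, ["creditor", "stockholder"])
        print(f"covenant minimum {min_ratio}: planning materiality ${pm:,.0f}")
        print("  tolerable misstatement:", tolerable_misstatement(ACCOUNTS, pm))
```

With a covenant minimum of 1.2 the client's 1.25 ratio is "close", so the current-asset base drops from $100,000 to $50,000 and becomes the binding (smallest) amount; with a minimum of 1.0 it is not close, and the $75,000 net-income base binds instead.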

Phases and Products of the Audit

[Figure: audit timeline]
- Beginning of Year: Planning & Risk Assessment; products are the Audit Program and the Budget
- Mid-year (9 months): Internal Control Tests (Tests of Transactions); product is the SAS 30 Control Letter
- Year-end (1-3 months after year-end): products are the Audit Report and the Sarbanes-Oxley management letter

Planning and Risk Assessment
- Output is the Audit Program
- Budget (based on contract with client)

Internal Control Tests (Mid-year)
- Assess internal control
- Output is the annual "management letter" issued in connection with an audit, in accordance with SAS No. 30 “Reporting on Internal Accounting Controls”

Substantive Tests (Year-end)
- Product is the Audit Statement (signed by auditor)
- Sarbanes-Oxley Compliance “Management Letter” (signed by management)
- Schedule of Unadjusted Differences
- List of Control ‘Weaknesses’

Practicum:

A Day in the Life of Brent Dorsey

A Staff Auditor’s Professional Pressure

Understand some of the pressures faced by young professionals in the workplace

Generate and evaluate alternative courses of action to resolve a difficult workplace issue

Understand more fully the implications of "eating time" and "premature sign-off"

More fully appreciate the need to balance professional and personal demands

IS Security

Chapter 3

Flowcharting Accounting Systems

Each bubble is associated with a person or entity that is responsible for that process. The same individuals with managerial control, accountability and responsibility for the process should all be responsible for the same bubble.

Flowcharting Accounting Systems

A data flow diagram

Data Flow Diagram Notations

Flowcharting Accounting Systems

A process transforms incoming data flow into outgoing data flow.

Flowcharting Accounting Systems

Datastores are repositories of data in the system.

They are sometimes also referred to as databases or files.

Flowcharting Accounting Systems

Dataflows are pipelines through which transactions (packets of information) flow.

Label the arrows with the name of the data that moves through it.

Flowcharting Accounting Systems

External entities are entities outside the firm with which the accounting system communicates, e.g., vendors, customers, advertisers, etc.

External entities are sources and destinations of the transaction input and output.

Flowcharting Accounting Systems

The Context diagram lists all of the external relationships

Flowcharting Accounting Systems … Levels

Context diagram (also known as the Level 0 data flow diagram): it contains only one process node (process 0), which generalizes the function of the entire system in relationship to external entities.

DFD levels

The first level DFD shows the main processes within the system.

Each of these processes can be broken into further processes until you reach the level at which individual actions on transaction flows take place

If you use SmartDraw: Drawing Nested DFDs in SmartDraw. You can easily nest data flow diagrams in SmartDraw. Draw the high-level diagrams first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.

The Datastore

The Datastore is used to represent Ledgers and Journals, or, more often in the current world, their computer-implemented counterpart, since almost no one keeps physical records.

Flowcharting Accounting Systems … Lower Level with Multiple Processes

Data Flow Diagram Layers: draw data flow diagrams in several nested layers. A single process node on a high level diagram can be expanded to show a more detailed data flow diagram.
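Two things go wrong with nested DFDs in practice: a flow drawn on the parent process silently disappears (or appears) when the process is expanded, and a bubble ends up with different people holding managerial control, accountability and responsibility, contrary to the rule earlier in this section. The Python below is an added example, not from the slides or from SmartDraw: it models processes, datastores, external entities and labelled flows, checks that a lower-level diagram is balanced against the process it expands, and flags bubbles whose three roles are not held by the same person. The purchasing / accounts payable diagrams are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    label: str
    control: str       # who has managerial control of the process
    accountable: str   # who is accountable for it
    responsible: str   # who is responsible for carrying it out


@dataclass(frozen=True)
class Flow:
    data: str      # the label on the arrow: the data that moves through it
    source: str    # node id: a process, a datastore or an external entity
    target: str


@dataclass
class DFD:
    processes: dict    # process id -> Process
    datastores: set    # datastore ids (ledgers, journals, files)
    externals: set     # external entity ids (vendors, customers, ...)
    flows: list        # Flow objects


def misaligned_processes(dfd):
    """Process ids where control, accountability and responsibility are not one and the same."""
    return sorted(pid for pid, p in dfd.processes.items()
                  if len({p.control, p.accountable, p.responsible}) != 1)


def boundary_flows(dfd, process_id):
    """Data names of the flows that enter or leave a given process in this diagram."""
    return {f.data for f in dfd.flows if process_id in (f.source, f.target)}


def balance_errors(parent, process_id, child):
    """Compare the flows the parent shows on `process_id` with the flows the child diagram
    exchanges with nodes visible at the parent level. Returns (missing_in_child, extra_in_child)."""
    visible_in_parent = parent.externals | parent.datastores | (set(parent.processes) - {process_id})
    child_boundary = {f.data for f in child.flows
                      if f.source in visible_in_parent or f.target in visible_in_parent}
    expected = boundary_flows(parent, process_id)
    return sorted(expected - child_boundary), sorted(child_boundary - expected)


# Constructed context diagram (Level 0) of a purchasing / accounts payable system.
CONTEXT = DFD(
    processes={"0": Process("Purchasing & Payables", "Controller", "Controller", "Controller")},
    datastores=set(),
    externals={"Vendor", "Bank"},
    flows=[Flow("Goods received", "Vendor", "0"),
           Flow("Vendor invoice", "Vendor", "0"),
           Flow("Payment", "0", "Vendor"),
           Flow("Payment advice", "0", "Bank")],
)

# Constructed Level-1 expansion of process 0; its datastores are local to this level.
LEVEL1 = DFD(
    processes={"1": Process("Receive goods", "Dock supervisor", "Dock supervisor", "Dock supervisor"),
               "2": Process("Match & approve invoice", "A/P manager", "A/P manager", "A/P manager"),
               "3": Process("Pay vendor", "Treasurer", "Treasurer", "Treasurer")},
    datastores={"Receiving log", "A/P ledger"},
    externals={"Vendor", "Bank"},
    flows=[Flow("Goods received", "Vendor", "1"),
           Flow("Receiving report", "1", "Receiving log"),
           Flow("Receiving report", "Receiving log", "2"),
           Flow("Vendor invoice", "Vendor", "2"),
           Flow("Approved invoice", "2", "A/P ledger"),
           Flow("Approved invoice", "A/P ledger", "3"),
           Flow("Payment", "3", "Vendor"),
           Flow("Payment advice", "3", "Bank")],
)


def unbalanced_variant():
    """Same expansion with the bank advice left out: a flow shown at the top level vanishes."""
    flows = [f for f in LEVEL1.flows if f.data != "Payment advice"]
    return DFD(LEVEL1.processes, LEVEL1.datastores, LEVEL1.externals, flows)


def misaligned_variant():
    """Process 3 where the treasurer is in control but an A/P clerk actually releases payment."""
    procs = dict(LEVEL1.processes)
    procs["3"] = Process("Pay vendor", "Treasurer", "Treasurer", "A/P clerk")
    return DFD(procs, LEVEL1.datastores, LEVEL1.externals, LEVEL1.flows)


if __name__ == "__main__":
    print("balanced:", balance_errors(CONTEXT, "0", LEVEL1))
    print("unbalanced:", balance_errors(CONTEXT, "0", unbalanced_variant()))
    print("misaligned bubbles:", misaligned_processes(misaligned_variant()))
```

Flows to the child's own datastores (the receiving log, the A/P ledger) are deliberately ignored by the balance check, since the parent never shows them; only flows to nodes that exist at the parent level have to match.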

Practicum:

Jacksonville Jaguars

Assurance Services for the Electronic Payments System of a privately held company

Identify benefits, costs and risks to businesses from implementing information technologies

Determine how CPAs can provide assurance about processes designed to reduce risks created when new IT systems are introduced

Understand ways CPAs can identify new assurance services opportunities (i.e., new areas for revenue generation)

IS Security

Chapter 3

What is Security?

Security involves the protection of a person, property or organization from attack: knowing the types of possible attacks, being aware of the motivations for attacks and of your relationship to those motives. Proper security makes it difficult to attack, threatens counter-measures, or makes a pre-emptive attack on a source of threat.

IS Security is a collection of investments and procedures that protect information stored on computers, and protect hardware and software assets, from theft or vandalism by 3rd parties.

What is a Lock & Key?

- The lock is a security system; the key is its password.
- Keys used to be worn visibly around the neck, as a sign of authority (similar to employee badges today).
- Newer technology: badges and electronic keys; biometrics (M-28 fingerprint lock at right); remote controls (Lexus keys).
- ‘Keys’ are just another Security Policy.

Effective security policy

Security policy defines the organization’s attitude to Assets, and announces internally and externally which assets are mission critical, which is to be protected from unauthorized access, vandalism and destruction by 3rd parties.

Effective information security policies will turn staff into participants in the company’s security. The process of developing these policies will help to define a company’s assets.

An effective security policy also protects people. Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well. A security policy allows people to take necessary actions without fear of reprisal. Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.

IP

There are four types of Intellectual Property (IP) that are protected by law: Copyright, Patent, Trade secret, Trademark.

Two aspects of the use of IP are covered by intellectual property laws: Right of publicity, Privacy.

Almost all Security Controls use the Lock & Key paradigm:
- Authorization system = who gets a Key (and why?)
- Password, etc. = Key
- Encryption algorithms, SSL, etc. = Lock

Entry into Computer Crime

This flowchart describes the points at which Control Processes may be created to stop criminals. Controls may:
- Prevent access to the asset
- Detect asset access
- Correct the problems or losses after an illicit access

Remember that criminals specialize in one type of crime.

[Flowchart: Personal Background → Learning Skills to Commit Crime → Reaction to Chance Event → Motives → Choose "Best" Option → Decision / Action Matrix (Premeditated vs. Un-premeditated)]

Decision / Action Matrix labels: Select Asset or Don't Select (• Unfamiliar • Not enough value; N/A); Commit Crime or Don't Commit (• Face Penalties • Enjoy Rewards; • Too Hard • Monitored)
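The lock-and-key paradigm and the three control types (prevent, detect, correct) from the slides above can be shown working together in a few dozen lines. The Python below is an added example, not from the slides: the authorization table records who gets a key and why, the password is the key (stored only as a salted PBKDF2 hash), the `open` check is the lock and the preventive control, the audit log is the detective control, and revoking a key after repeated failures is the corrective control. The user, asset, password and lockout limit are constructed; `hashlib.pbkdf2_hmac` and `hmac.compare_digest` are Python standard-library calls.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
LOCKOUT_AFTER = 3   # assumption: the corrective control fires after this many consecutive failures


def make_key(password: str):
    """Issue a key: the password is kept only as a salted PBKDF2 hash, never in clear."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LockAndKey:
    """Authorization table = who gets a key (and why); password = key; open() = the lock."""

    def __init__(self):
        self.keys = {}            # user -> (salt, digest)
        self.authorization = {}   # (user, asset) -> reason the key was issued
        self.audit_log = []       # detective control: every attempt, allowed or denied
        self.failures = {}        # user -> consecutive failed attempts

    def issue_key(self, user, password, asset, reason):
        """Authorization decision: record who may open which asset, and why."""
        self.keys[user] = make_key(password)
        self.authorization[(user, asset)] = reason

    def revoke_key(self, user):
        """Corrective control: withdraw the key and every authorization tied to it."""
        self.keys.pop(user, None)
        self.authorization = {k: v for k, v in self.authorization.items() if k[0] != user}

    def open(self, user, password, asset):
        """The lock. Preventive control: only an issued key, for an authorized asset, opens it."""
        allowed = False
        if user in self.keys and (user, asset) in self.authorization:
            salt, digest = self.keys[user]
            attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            allowed = hmac.compare_digest(attempt, digest)   # constant-time comparison
        self.audit_log.append((user, asset, "allowed" if allowed else "denied"))
        if allowed:
            self.failures[user] = 0
        else:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= LOCKOUT_AFTER:
                self.revoke_key(user)
        return allowed

    def denied_attempts(self):
        """What an auditor would pull from the log: every denied attempt, in order."""
        return [entry for entry in self.audit_log if entry[2] == "denied"]


if __name__ == "__main__":
    system = LockAndKey()
    system.issue_key("alice", "correct horse", "A/P ledger", "A/P clerk: posts vendor invoices")
    print(system.open("alice", "correct horse", "A/P ledger"))   # True: right key, authorized asset
    print(system.open("alice", "correct horse", "Payroll"))      # False: no authorization for Payroll
    for _ in range(2):
        system.open("alice", "wrong", "A/P ledger")              # third failure revokes the key
    print(system.open("alice", "correct horse", "A/P ledger"))   # False: key revoked
    print(system.denied_attempts())
```

The authorization table is checked before the password is, which is the "who gets a key, and why" decision the slide puts first: a valid key still does not open an asset its holder was never authorized for.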

Bringing a computer crime to court

Step | Potential Terminal Outcome
Crime committed | Not detected
Reported | Not investigated
Investigation | Unsolved
Arrest | Released without prosecution
Booking | Released without prosecution
Preliminary appearance in court | Charges dropped or dismissed
Bail or detention | -
Adjudication | Arbitration, Settled "Out of Court"
Arraignment | Charge dismissed
Trial | Acquitted
Sentencing | Appeal
Sentencing | Probation
Sentencing | Prison

Practicum:

The Anonymous Caller

Recognizing It's a Fraud and Evaluating What to Do

How would you politely and ethically handle a ‘dodgy’ request for help?

- Appreciate real-world pressures for meeting financial expectations
- Distinguish financial statement fraud from aggressive accounting
- Identify alternative actions when confronted with suspected financial statement fraud
- Develop arguments to resist or prevent inappropriate accounting techniques

Physical Security, Chapter 7; Logical Security, Chapter 8

Security Policy

[Figure: the management control loop that security policy sits in]
- Objectives: Environmental (Competitive); Internal Financial; Internal Non-financial; Profitability, Efficiency, Growth, Survival
- Outputs: Quantity, Quality, Cost, Time
- Inputs: Manpower, Money, Machines, Methods, Materials
- Manager Action: Plan, Organize, Actuate, Control
- Information Systems carry the information between Inputs, Outputs, Objectives and Manager Action

Strategy and Policy

Strategy defines the way that Top Management achieves corporate objectives.

Policy is a written set of procedures, guidelines and rules, designed to accomplish a subset of strategic tasks, by a particular subgroup of employees.


Effective information security policy

Information security policy defines the organization’s attitude to information, and announces internally and externally that information is an asset, which is to be protected from unauthorized access, modification, disclosure, and destruction.

Effective information security policies will turn staff into participants in the company’s security. The process of developing these policies will help to define a company’s information assets.

Why Do You Need Security Policy?

A security policy should:
- Protect people and information
- Set the rules for expected behavior by users, system administrators, management, and security personnel
- Authorize security personnel to monitor, probe, and investigate
- Define and authorize the consequences of violation

The Three Elements of Policy Implementation

Standards – Standards specify the use of specific technologies in a uniform way. The example the book gives is the standardization of operating procedures

Guidelines – Similar to standards but are recommended actions

Procedures – These are the detailed steps that must be performed for any tasks.

Steps to Creation of IS Security Policy: Policy Development Lifecycle

1. Senior management buy-in
2. Determine a compliance grace period
3. Determine resource involvement
4. Review existing policy
5. Determine research materials (Internet, SANS, white papers, books…)
6. Interview parties {Responsible, Accountable, Controlling} assets
   1. Define your objectives
   2. Control the interview
   3. Sum up and confirm
   4. Post-interview review
7. Review with additional stakeholders
8. Ensure policy is reflected in “awareness” strategies
9. Review and update
10. Gap Analysis
11. Develop communication strategy
12. Publish

What’s in a Policy Document

Governing Policy

Should cover and address information security policy at a general level: define significant concepts, describe why they are important, and detail what your company’s stand is on them.

Governing policy will be read by managers and by technical custodians.

Level of detail: governing policy should address the “what” in terms of security policy.

Governing Policy Outline might typically include:
1. Authentication
2. Access Control
3. Authorization
4. Auditing
5. Cryptography
6. System and Network Controls
7. Business Continuity/Disaster Recovery
8. Compliance Measurement

Technical Policies

Used by technical custodians as they carry out their security responsibilities for the system they work with.

Are more detailed than the governing policy and will be system or issue specific, e.g., AS-400 or physical security.

Technical Policy Outline might typically include:
1. Authentication
2. Authorization
3. Auditing
4. Network Services
5. Physical Security
6. Operating System
7. Business Continuity/Disaster Recovery
8. Compliance Measurement

User Policies

Cover all the IS security policy that end-users will ever have to know about, comply with, and implement.

Most of these will address the management of transaction flows and databases associated with applications.

Some of these policy statements may overlap with the technical policy.

Grouping all end-user policy together means that users will only have to go to one place and read one document in order to learn everything they need to do to ensure compliance with company security.

User Policy Outline might typically include:
1. User Access
2. User Identification and Accountability
3. Passwords
4. Software
5. System Configuration and Settings
6. Physical
7. Business Continuity Planning
8. Data Classification
9. Encryption
10. Remote Access
11. Wireless Devices/PDAs
12. Email
13. Instant Messaging
14. Web Conferencing
15. Voice Communications
16. Imaging/Output