IS Auditing Midterm Review
ISMT 350
Time & Venue: 5 Oct 2006, 10:30 am to 11:50 am @ Room 2463
Note: You will be allowed one A4 sized sheet of paper as a “Cheat Sheet” for your reference during the ISMT 350 Midterm Exam. You can fill out both sides, and there are no limits on handwriting, font, or techniques for the information you place on the page. No other materials will be allowed during the exam.
Course Topics So Far

Topic                                        Readings    Practicum Competency                          Case Study
What is Information Systems (IS) Auditing?   --          Industry Profile: The Job of the IS Auditor   --
Identifying Computer Systems                 Chapter 1   Evaluating IT Benefits and Risks              Jacksonville Jaguars
IS Audit Programs                            Chapter 2   The Job of the Staff Auditor                  A Day in the Life of Brent Dorsey
IS Security                                  Chapter 3   Recognizing Fraud                             The Anonymous Caller
Logical Structure of the Course, with Readings from the Text
Figure: block diagram of IS Auditing; the colored area marks the material covered so far. Blocks: IS Components (Ch. 1 & 2); Audit Components (Ch. 3 & 4); Controls over IS Assets (Ch. 7 & 8); Procedural Controls (Ch. 9); Audit Standards and Procedures (Ch. 10); Encryption (Ch. 11); Forensics and Fraud Audits (Ch. 12); Current and Future Issues in IS Auditing.
Classes of Things You Have Learned
Concepts: things you need to know. These include theories and frameworks, and facts.
Activities and Tasks: things an auditor needs to do.
Tools: used to make audit decisions.
Identifying Computer Systems
Chapter 1
1. Identifying what you are going to audit
2. The Computer Asset Inventory
3. Identification of Transactions, and Risk Levels
4. Audit programs for high risk transactions
Audit Program
Audit programs are checklists of the various tests (audit procedures) that auditors must perform within the scope of their audits to determine whether key controls intended to mitigate significant risks are functioning as designed.
Objective: to determine the adequacy of the controls over the particular accounting processes covered by the audit program. This is fundamentally what the assurance and attestation aspects of the audit are expected to achieve during the ‘tests of transactions’, or mid-year or internal control tests.
The objective
The reason for an audit is to write an opinion, saying that:
the financial statements (on which the stock price rests) are fairly stated (external);
control processes are effective (internal & external);
assets are not at risk of theft or damage (internal).
We only need to identify computer systems where one or more of these objectives is affected.
Benefits
The use of audit programs is fairly standard for audit firms, and is considered good business practice. List three (3) benefits to the audit firm of using an audit program:
They improve resource planning (where to spend money and employ people on an audit).
They promote consistency from year to year when personnel and situations of an audit change.
Prior years’ programs are the basis for the current year’s audit procedures.
Anything else that seems reasonable.
Control assessment
Information systems audit programs should assess the adequacy of controls in four (4) areas.
1. Environmental controls
2. Physical security controls
3. Logical security controls
4. IS operating controls
Computer Assets
Hardware: Central Processing Unit; Memory (RAM / ROM); Peripheral Processors (Video, Bus, etc.); Network Devices; Optical & Magnetic Media.
System software: Operating Systems; Specialized O/S; Network O/S; Database O/S; Utilities; Programming Languages, Tools & Environments; Utilities and Services.
Applications.
The main categories of Computer Applications, and their relative importance

Information Technology Market   Annual Expenditures ($US billion)   Employees (thousand)   Major Suppliers
Operations & Accounting           500                                  2,000                 US, India
Search & Storage                1,000                                  5,000                 US
Tools                             300                                    300                 US, Germany
Embedded                        1,500                                    700                 US, Japan, Korea, Greater China
Communications                    700                                  2,000                 US, Germany, Japan, Greater China
Total                           4,000                                 10,000

For scale: GWP ~$45 trillion (population 6 billion); US GDP ~$10 trillion (population 300 million).
The Risk Assessment Database

Asset columns (Ex. 2.1): Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)*
Risk Assessment columns (Ex. 2.2, with improvements): Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss ($)

Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft                     | 100 | 100 | 10,000
Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage |  35 | 350 | 12,250
Etc    | Etc            | Etc | Etc   | Etc                     | Etc | Etc                      | Etc | Etc | Etc

Expected Loss = Probability of Occurrence (# per year) x Cost of a single occurrence, so 100 x 100 = 10,000 and 35 x 350 = 12,250.
*Whether you list an asset depends on Audit Materiality
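The arithmetic of the register above, carried a step further, as an added example (not part of the course material): each row yields an expected annual loss, rows below planning materiality are dropped as the footnote allows, and what survives is grouped by asset owner as the targets of a high-risk-transaction audit program. The first two rows are the slide's Receiving Dock rows; the remaining rows and the materiality figure are constructed for illustration.

```python
"""Expected loss and materiality screening over a risk assessment register.
Added example, not part of the course material: the first two rows are the slide's
own (Receiving Dock); the remaining rows and the materiality figure are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskRow:
    primary_os: str
    owner: str
    application: str
    asset_value_m: float         # asset value to owner, $ millions
    flow: str                    # transaction flow description
    annual_flow_m: float         # total annual transaction value managed by the asset, $ millions
    risk: str                    # risk description
    occurrences_per_year: float  # probability of occurrence, expressed as # per year
    cost_per_occurrence: float   # cost of a single occurrence, $

    def expected_loss(self) -> float:
        """Expected (annualized) loss = occurrences per year x cost of one occurrence."""
        return self.occurrences_per_year * self.cost_per_occurrence


REGISTER = [
    # rows from the slide table
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor", 23,
            "Theft", 100, 100),
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor", 23,
            "Obsolescence and spoilage", 35, 350),
    # constructed rows for illustration
    RiskRow("Linux", "Data Centre", "G/L", 1.5, "Journal postings", 400,
            "Unauthorized posting", 2, 25_000),
    RiskRow("Win XP", "Sales Desk", "A/R", 0.001, "Customer orders", 12,
            "Keying error", 500, 8),
]


def expected_losses(rows):
    """Expected loss per (application, risk) pair, $ per year."""
    return {(r.application, r.risk): r.expected_loss() for r in rows}


def material_risks(rows, materiality):
    """Rows whose expected annual loss reaches planning materiality, largest first.
    Rows below the threshold are the ones the footnote says need not be listed."""
    kept = [r for r in rows if r.expected_loss() >= materiality]
    return sorted(kept, key=lambda r: r.expected_loss(), reverse=True)


def audit_targets(rows, materiality):
    """Owner -> risks (highest expected loss first) that the audit program must cover."""
    targets = defaultdict(list)
    for r in material_risks(rows, materiality):
        targets[r.owner].append(r.risk)
    return dict(targets)


if __name__ == "__main__":
    for (app, risk), loss in expected_losses(REGISTER).items():
        print(f"{app:4} {risk:26} expected loss ${loss:,.0f}/yr")
    print(audit_targets(REGISTER, materiality=10_000))
```

The materiality cut is deliberately applied to expected loss rather than to the asset value column: a $2,000 laptop at the receiving dock carries $23 million of annual transaction flow, and it is the flow, not the box, that the auditor is protecting.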
Ideas, not Things, have Value … and these ideas are tracked in the computer
Figure: scatter plot of Asset Intensity (Fixed Assets / Sales, 0 to 16) against 5-yr Shareholder Return % (-100 to 600), with companies rank-ordered by increasing return.
How Accounting has had to Change Because of Business Automation
Figure: two value-added chains from Manufacturing to the Consumer. Before automation, manufacturing value added is Material 50%, Labor 30%, Capital 20%, delivered to the consumer at 110%. With automation, Material 5%, Labor 5% and Capital 10% are joined by Knowledge Integrators drawing on a Knowledge Base (uncertain claims, contributions and property rights) worth 80%; manufacturing specifications and the finished product account for 20%, again delivered to the consumer at 110%.
IS Audit Programs
Chapter 2
What is IS Auditing? Why is it Important? What is the Industry Structure? Attestation and Assurance
Auditing
Figure: the physical world and the parallel (logical) world of accounting. In the physical world, external real-world entities and events create and destroy value, the internal operations of the firm generate transactions, and corporate law sets the rules. In the logical world, accounting systems turn transactions into journal entries, ledgers (databases), 'owned' assets and liabilities, and reports (statistics). Auditing applies the audit program to both worlds, through tests of transactions, substantive tests, analytical tests and attestation, and produces the audit report / opinion.
How Auditors Should Visualize Computer Systems
Figure: a layered view. From the top: Business Application Systems; Transaction Flows; Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment. The audit objectives are mapped onto these layers: Asset Loss Risks (internal audits); Reporting Risks (external audit); Control Process Risks (internal & external audits).
The IS Auditor’s Challenge
Corporate accounting is in a constant state of flux because of advances in information technology applied to accounting.
Information that is needed for an audit is often hidden from easy access by auditors, making computer knowledge an important prerequisite for auditing.
IS (and also just information) assets are increasingly the main proportion of wealth held by corporations.
The Challenge to Auditing Presented by Computers
Transaction flows are less visible
Fraud is easier
Computers do exactly what you tell them: to err is human, but to really screw up you need a computer
Audit samples require computer knowledge and access
Transaction flows are much larger (good for the company, bad for the auditor); audits grow bigger and bigger from year to year, and there is more pressure to eat hours
Environmental, physical and logical security problems grow exponentially
Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)
The Challenge to Auditing Presented by The Internet
Transaction flows are external: there are external copies of transactions on many Internet nodes
External service providers for accounting systems require giving control to outsiders with different incentives
Audit samples may be impossible to obtain, because they require access to 3rd party databases
Transaction flows are intermingled between companies
Environmental, physical and logical security problems grow exponentially
Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)
Materiality Materiality represents the maximum, combined, financial statement
misstatement or omission that could occur before influencing the decisions of reasonable individuals relying on the financial statements.
The magnitude and nature of financial statement misstatements or omissions will not have the same influence on all financial statement users.
For example, a 5 percent misstatement with current assets may be more relevant for a creditor than a stockholder, whereas a 5 percent misstatement with net income before income taxes may be more relevant for a stockholder than a creditor. Therefore, the primary consideration when determining materiality is the expected users of the financial statements.
The specific amounts established for each financial statement element must be determined by considering the primary users as well as qualitative factors.
For example, if the client is close to violating the minimum current ratio requirement for a loan agreement, a smaller planning materiality amount should be used for current assets and liabilities.
Conversely, if the client is substantially above the minimum current ratio requirement for a loan agreement, it would be reasonable to use a higher planning materiality amount for current assets and current liabilities.
Planning materiality should be based on the smallest amount established from relevant materiality bases to provide reasonable assurance that the financial statements, taken as a whole, are not materially misstated for any user.
Tolerable misstatement
This is essentially materiality for individual financial statement accounts. The amount established for individual accounts is referred to as "tolerable misstatement."
Tolerable misstatement represents the amount an individual financial statement account can differ from its true amount without affecting the fair presentation of the financial statements taken as a whole.
Establishment of tolerable misstatement for individual accounts enables the auditor to design and execute an audit strategy for each audit cycle.
Tolerable misstatement should be established for all balance sheet accounts (except "retained earnings" because it is the residual account).
Phases and Products of the Audit
Figure: timeline of an audit year. Beginning of year: Planning & Risk Assessment, producing the Audit Program and the Budget. Mid-year (9 months): Internal Control Tests (tests of transactions), producing the SAS 30 Control Letter. Year-end (1-3 months after year-end): the Audit Report and the Sarbanes-Oxley management letter.
Internal Control Tests (Mid-year)
Assess internal control. The output is the annual "management letter" issued in connection with an audit, in accordance with SAS No. 30, “Reporting on Internal Accounting Controls”.
Substantive Tests (Year-end)
The products are the Audit Statement (signed by the auditor), the Sarbanes-Oxley compliance statement (signed by management), the “Management Letter”, the Schedule of Unadjusted Differences, and the List of Control ‘Weaknesses’.
Practicum:
A Day in the Life of Brent Dorsey
A Staff Auditor’s Professional Pressure
Understand some of the pressures faced by young professionals in the workplace
Generate and evaluate alternative courses of action to resolve a difficult workplace issue
Understand more fully the implications of "eating time" and "premature sign-off"
More fully appreciate the need to balance professional and personal demands
Flowcharting Accounting Systems
Each bubble is associated with a person or entity that is responsible for that process. The same individual who holds managerial control, accountability and responsibility for the process should be responsible for the whole bubble.
Datastores are repositories of data in the system. They are sometimes also referred to as databases or files.
Dataflows are pipelines through which transactions (packets of information) flow. Label the arrows with the name of the data that moves through them.
External entities are entities outside the firm with which the accounting system communicates, e.g., vendors, customers, advertisers, etc. External entities are sources and destinations of the transaction input and output.
Flowcharting Accounting Systems … Levels
Context diagram: the top-level (also known as Level 0) data flow diagram. It contains only one process node (process 0), which generalizes the function of the entire system in relationship to external entities.
DFD levels: the first-level DFD shows the main processes within the system. Each of these processes can be broken into further processes until you reach the level at which individual actions on transaction flows take place.
Drawing nested DFDs in SmartDraw: you can easily nest data flow diagrams in SmartDraw. Draw the high-level diagrams first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.
The Datastore
The datastore is used to represent ledgers and journals, or, more often in the current world, their computer-implemented counterpart, since almost no one keeps physical records.
Flowcharting Accounting Systems … Lower Level with Multiple Processes
Data flow diagram layers: draw data flow diagrams in several nested layers. A single process node on a high-level diagram can be expanded to show a more detailed data flow diagram.
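The flowcharting rules above (one owner per bubble, labelled arrows, data moving only through processes, nested levels) written out as checks an auditor can run over a diagram, as an added example that is not from the course slides. The DFD class and the purchasing diagram are constructed for illustration; the level-2 expansion of "Pay Vendor" shows the balancing rule, which the notes imply but do not state: the flows crossing a parent bubble must reappear, with the same labels, at the boundary of its child diagram.

```python
"""Consistency checks over a leveled data flow diagram of an accounting system.
Added example, not from the course slides: the DFD class and the purchasing
diagram below are constructed for illustration."""
from collections import defaultdict

PROCESS, DATASTORE, EXTERNAL = "process", "datastore", "external"


class DFD:
    def __init__(self):
        self.kind = {}                      # node -> PROCESS | DATASTORE | EXTERNAL
        self.roles = {}                     # process -> (managerial control, accountability, responsibility)
        self.flows = []                     # (source, target, label)
        self.children = defaultdict(list)   # parent process -> processes it expands into on the next level

    def node(self, name, kind, roles=None, parent=None):
        self.kind[name] = kind
        if kind == PROCESS:
            self.roles[name] = roles
        if parent is not None:
            self.children[parent].append(name)
        return self

    def flow(self, src, dst, label):
        self.flows.append((src, dst, label))
        return self

    def boundary_flows(self, members, ignore=()):
        """Flows crossing the boundary of `members`, as (label, direction, outside node)."""
        crossing = set()
        for src, dst, label in self.flows:
            if (src in members) != (dst in members):
                outgoing = src in members
                outside = dst if outgoing else src
                if outside not in ignore:
                    crossing.add((label, "out" if outgoing else "in", outside))
        return crossing

    def problems(self):
        """Each rule from the flowcharting notes, applied to the whole diagram."""
        found = []
        for src, dst, label in self.flows:
            if not label:                                   # arrows carry the name of the data
                found.append(f"{src} -> {dst}: unlabelled flow")
            if PROCESS not in (self.kind[src], self.kind[dst]):
                found.append(f"{src} -> {dst}: data may only move through a process")
        for name, kind in self.kind.items():
            if kind != PROCESS:
                continue
            roles = self.roles.get(name)
            if not roles or len(set(roles)) != 1:           # one owner for control, accountability, responsibility
                found.append(f"{name}: control, accountability and responsibility are not one owner")
            has_in = any(dst == name for _, dst, _ in self.flows)
            has_out = any(src == name for src, _, _ in self.flows)
            if not (has_in and has_out):
                found.append(f"{name}: process lacks an input or an output")
        for parent, kids in self.children.items():          # nested level must balance with its parent bubble
            if self.boundary_flows({parent}) != self.boundary_flows(set(kids), ignore={parent}):
                found.append(f"{parent}: expanded diagram does not balance with the parent process")
        return found


def purchasing_dfd(with_defects=False):
    """Level-1 purchasing DFD with 'Pay Vendor' expanded to level 2 (constructed data)."""
    ap = ("A/P supervisor",) * 3
    dock = ("Receiving supervisor",) * 3
    g = (DFD()
         .node("Vendor", EXTERNAL)
         .node("Purchase Orders", DATASTORE)
         .node("Inventory", DATASTORE)
         .node("Receive Goods", PROCESS, roles=dock)
         .node("Pay Vendor", PROCESS, roles=ap)
         .node("Match Documents", PROCESS, roles=ap, parent="Pay Vendor")
         .node("Issue Cheque", PROCESS, roles=ap, parent="Pay Vendor")
         .flow("Vendor", "Receive Goods", "Shipment")
         .flow("Receive Goods", "Inventory", "Receiving report")
         .flow("Purchase Orders", "Pay Vendor", "PO")
         .flow("Inventory", "Pay Vendor", "Receiving report")
         .flow("Pay Vendor", "Vendor", "Payment")
         .flow("Purchase Orders", "Match Documents", "PO")
         .flow("Inventory", "Match Documents", "Receiving report")
         .flow("Match Documents", "Issue Cheque", "Approved invoice")
         .flow("Issue Cheque", "Vendor", "Payment"))
    if with_defects:
        g.flow("Vendor", "Inventory", "Invoice")             # an outsider writes straight into a ledger
        g.roles["Issue Cheque"] = ("A/P supervisor", "A/P supervisor", "Treasurer")
    return g


if __name__ == "__main__":
    print(purchasing_dfd().problems())
    print(purchasing_dfd(with_defects=True).problems())
```

The two constructed defects are the ones that matter most to an auditor: a flow from an external entity straight into a datastore is a ledger that can be written without any owned process (and so without any control), and a bubble whose control, accountability and responsibility sit with different people is one nobody will answer for.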
Practicum:
Jacksonville Jaguars
Assurance Services for the Electronic Payments System of a privately held company
Identify benefits, costs and risks to businesses from implementing information technologies
Determine how CPAs can provide assurance about processes designed to reduce risks created when new IT systems are introduced
Understand ways CPAs can identify new assurance services opportunities (i.e., new areas for revenue generation)
What is Security?
Security involves the protection of a person, property or organization from attack: knowing the types of possible attacks, being aware of the motivations for attacks, and knowing your relationship to those motives. Proper security makes it difficult to attack, threatens counter-measures, or makes a pre-emptive attack on a source of threat.
IS Security is a collection of investments and procedures that protect information stored on computers, and protect hardware and software assets, from theft or vandalism by 3rd parties.
What is a Lock & Key?
The lock is a security system; the key is its password. Keys used to be worn visibly around the neck as a sign of authority (similar to employee badges today).
Newer technology: badges and electronic keys; biometrics (M-28 fingerprint lock at right); remote controls (Lexus keys).
‘Keys’ are just another Security Policy
Effective security policy
Security policy defines the organization’s attitude to assets, and announces internally and externally which assets are mission critical and are to be protected from unauthorized access, vandalism and destruction by 3rd parties.
Effective information security policies will turn staff into participants in the company’s security, and the process of developing these policies will help to define a company’s assets.
An effective security policy also protects people. Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well. A security policy allows people to take necessary actions without fear of reprisal. Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.
IP
There are four types of Intellectual Property (IP) that are protected by law: copyright, patent, trade secret, trademark.
Two aspects of the use of IP are covered by intellectual property laws: right of publicity, privacy.
Almost all security controls use the Lock & Key paradigm: the authorization system = who gets a key (and why?); the password, etc. = the key; encryption algorithms, SSL, etc. = the lock.
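The lock-and-key mapping above, and the "what is a lock & key" slide before it, as an added example that is not from the course slides: the asset sits behind a lock, the password is the key, and the authorization record is the list of who was issued a key and why, which is the thing an auditor asks to see. The users, assets and reasons are constructed; the PBKDF2 work factor is an assumed figure.

```python
"""Lock-and-key model of an access control: the asset sits behind a lock, the
password is the key, and the authorization record says who was issued a key and why.
Added example, not from the course slides; users, assets and reasons are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; assumed figure for the example


class KeyRegistry:
    """Authorization system: issues and revokes keys, and answers 'who holds a key, and why?'"""

    def __init__(self):
        self._creds = {}        # user -> (salt, derived key): the key, kept only as a salted hash
        self._grants = {}       # user -> {asset: reason}: who holds a key to what, and why
        self.audit_trail = []   # every issue, revoke and attempt, for the auditor

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def issue(self, user, password, asset, reason):
        if user not in self._creds:
            salt = os.urandom(16)
            self._creds[user] = (salt, self._derive(password, salt))
        self._grants.setdefault(user, {})[asset] = reason
        self.audit_trail.append(("issue", user, asset, reason))

    def revoke(self, user, asset):
        self._grants.get(user, {}).pop(asset, None)
        self.audit_trail.append(("revoke", user, asset, None))

    def key_fits(self, user, password):
        """Authentication: does the presented key match the one issued to this user?"""
        if user not in self._creds:
            self._derive(password, bytes(16))   # same cost for unknown users, so timing gives nothing away
            return False
        salt, stored = self._creds[user]
        return hmac.compare_digest(stored, self._derive(password, salt))

    def open_lock(self, user, password, asset):
        """The lock: opens only for a fitting key AND a current grant for this asset."""
        ok = self.key_fits(user, password) and asset in self._grants.get(user, {})
        self.audit_trail.append(("attempt", user, asset, "granted" if ok else "denied"))
        return ok

    def holders(self, asset):
        """The auditor's question: who currently holds a key to this asset, and why?"""
        return {u: g[asset] for u, g in self._grants.items() if asset in g}


if __name__ == "__main__":
    reg = KeyRegistry()
    reg.issue("dock-clerk", "correct horse battery", "receiving-ledger", "posts goods received")
    print(reg.open_lock("dock-clerk", "correct horse battery", "receiving-ledger"))
    print(reg.open_lock("dock-clerk", "correct horse battery", "payroll"))
    print(reg.holders("receiving-ledger"))
```

Two points the slide's one-liner hides: a key that fits is not enough to open the lock (authentication and authorization are separate checks, and the "why" lives only in the grant record), and the registry never stores the key itself, only a salted derivation of it, so a stolen registry does not hand out working keys.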
Entry into Computer Crime
This flowchart describes the points at which control processes may be created to stop criminals. Controls may prevent access to the asset, detect asset access, or correct the problems or losses after an illicit access. Remember that criminals specialize in one type of crime.
Figure: flowchart of the path into a crime. Personal Background and Learning Skills to Commit Crime feed either Motives (premeditated) or a Reaction to a Chance Event (un-premeditated). The criminal then selects an asset or doesn't (unfamiliar, not enough value), and a Decision / Action Matrix weighs committing the crime (face penalties, enjoy rewards) against not committing it (too hard, monitored) before choosing the "best" option.
Bringing a computer crime to court

Step                              Potential Terminal Outcome
Crime committed                   Not detected
Reported                          Not investigated
Investigation                     Unsolved
Arrest                            Released without prosecution
Booking                           Released without prosecution
Preliminary appearance in court   Charges dropped or dismissed
Bail or detention                 --
Adjudication                      Arbitration, settled "out of court"
Arraignment                       Charge dismissed
Trial                             Acquitted
Sentencing                        Appeal / Probation / Prison
Practicum:
The Anonymous Caller
Recognizing It's a Fraud and Evaluating What to Do
How would you politely and ethically handle a ‘dodgy’ request for help?
Appreciate real-world pressures for meeting financial expectations
Distinguish financial statement fraud from aggressive accounting
Identify alternative actions when confronted with suspected financial statement fraud
Develop arguments to resist or prevent inappropriate accounting techniques
Security Policy
Figure: the management context in which a security policy sits. Objectives are environmental/competitive, internal financial and internal non-financial (profitability, efficiency, growth, survival; quantity, quality, cost, time). Inputs are manpower, money, machines, methods and materials. Manager action is to plan, organize, actuate and control. Information systems carry information between inputs, outputs, objectives and manager action.
Strategy and Policy
Strategy defines the way that top management achieves corporate objectives.
Policy is a written set of procedures, guidelines and rules, designed to accomplish a subset of strategic tasks by a particular subgroup of employees.
Effective information security policy
Information security policy defines the organization’s attitude to information, and announces internally and externally that information is an asset which is to be protected from unauthorized access, modification, disclosure, and destruction.
Effective information security policies will turn staff into participants in the company’s security, and the process of developing these policies will help to define a company’s information assets.
Why Do You Need Security Policy?
A security policy should protect people and information; set the rules for expected behavior by users, system administrators, management, and security personnel; authorize security personnel to monitor, probe, and investigate; and define and authorize the consequences of violation.
The Three Elements of Policy Implementation
Standards – Standards specify the use of specific technologies in a uniform way. The example the book gives is the standardization of operating procedures
Guidelines – Similar to standards but are recommended actions
Procedures – These are the detailed steps that must be performed for a given task.
Steps to Creation of IS Security Policy (Policy Development Lifecycle)
1. Senior management buy-in
2. Determine a compliance grace period
3. Determine resource involvement
4. Review existing policy
5. Determine research materials (Internet, SANS, white papers, books, …)
6. Interview the parties who are Responsible for, Accountable for, and Controlling the assets:
   1. Define your objectives
   2. Control the interview
   3. Sum up and confirm
   4. Post-interview review
7. Review with additional stakeholders
8. Ensure policy is reflected in “awareness” strategies
9. Review and update
10. Gap analysis
11. Develop communication strategy
12. Publish
Governing Policy
Should address information security policy at a general level: define significant concepts, describe why they are important, and detail what your company’s stand is on them.
Governing policy will be read by managers and by technical custodians.
Level of detail: governing policy should address the “what” in terms of security policy.
Governing Policy Outline might typically include
1. Authentication
2. Access Control
3. Authorization
4. Auditing
5. Cryptography
6. System and Network Controls
7. Business Continuity/Disaster Recovery
8. Compliance Measurement
Technical Policies
Used by technical custodians as they carry out their security responsibilities for the system they work with.
Are more detailed than the governing policy and will be system or issue specific, e.g., AS-400 or physical security.
Technical Policy Outline might typically include
1. Authentication
2. Authorization
3. Auditing
4. Network Services
5. Physical Security
6. Operating System
7. Business Continuity/Disaster Recovery
8. Compliance Measurement
User Policies
Cover all the IS security policy that end-users should ever have to know about, comply with, and implement.
Most of these will address the management of transaction flows and databases associated with applications.
Some of these policy statements may overlap with the technical policy.
Grouping all end-user policy together means that users will only have to go to one place and read one document in order to learn everything they need to do to ensure compliance with company security.
User Policy Outline might typically include
1. User Access
2. User Identification and Accountability
3. Passwords
4. Software
5. System Configuration and Settings
6. Physical
7. Business Continuity Planning
8. Data Classification
9. Encryption
10. Remote Access
11. Wireless Devices/PDAs
12. Email
13. Instant Messaging
14. Web Conferencing
15. Voice Communications
16. Imaging/Output