Auditing Computer Systems Dr. Yan Xiong College of Business CSU Sacramento 9/11/03.
Auditing Computer Systems
Dr. Yan Xiong, College of Business
CSU Sacramento
9/11/03
Agenda
– Auditing scope and objectives
– Information system (IS) audit objectives
– Study and evaluation of internal control in an AIS
– Computer audit software
Internal Auditing Standards
According to the Institute of Internal Auditors (IIA), the purpose of an internal audit is to evaluate the adequacy and effectiveness of a company's internal control system. Also, it is to determine the extent to which assigned responsibilities are actually carried out.
Internal Auditing Standards
The IIA's five audit scope standards are:
1. Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported.
2. Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.
3. Review how assets are safeguarded, and verify the existence of assets as appropriate.
4. Examine company resources to determine how effectively and efficiently they are utilized.
5. Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives.
Types of Internal Auditing Work
What are the three different types of audits commonly performed?
1. Financial audit
2. Information system (IS) audit
3. Operational or management audit

The financial audit examines the reliability and integrity of accounting records (both financial and operating information).
The information systems (IS) audit reviews the general and application controls in an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.
The operational, or management, audit is concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives.
An Overview of the Auditing Process
All audits follow a similar sequence of activities and may be divided into four stages.
1. Audit planning
2. Collection of audit evidence
3. Evaluation of audit evidence
4. Communication of audit results

Audit Planning
– Establish scope and objectives
– Organize audit team
– Develop knowledge of business operations
– Review prior audit results
– Identify risk factors
– Prepare audit program

Collection of Audit Evidence
– Observation of operating activities
– Review of documentation
– Discussion with employees and questionnaires
– Physical examination of assets
– Confirmation through third parties
– Reperformance of procedures
– Vouching of source documents
– Analytical review and sampling

Evaluation of Audit Evidence
– Assess quality of internal controls
– Assess reliability of information
– Assess operating performance
– Consider need for additional evidence
– Consider risk factors
– Consider materiality factors
– Document audit findings

Communication of Audit Results
– Formulate audit conclusions
– Develop recommendations for management
– Present audit results to management
Operational Audits of an AIS
– The techniques and procedures used in operational audits are similar to those of IS and financial audits.
– The basic difference is that the IS audit scope is confined to internal controls, whereas the financial audit scope is limited to AIS output. The operational audit scope encompasses all aspects of IS management.
– Operational audit objectives include evaluating effectiveness, efficiency, and goal achievement.
What are some evidence collection activities?
– reviewing operating policies and documentation
– confirming procedures with management and operating personnel
– observing operating functions and activities
– examining financial and operating plans and reports
– testing the accuracy of operating information
– testing controls
IS Audits
– Purpose of an AIS audit: review and evaluate the internal controls that protect the system
– When performing an IS audit, auditors ascertain that certain objectives are met
Audit Objectives
– Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction
– Program development and acquisition are performed in accordance with management's general and specific authorization
– Program modifications have the authorization and approval of management
– Processing of transactions, files, reports, and other computer records is accurate and complete
– Source data that is inaccurate or improperly authorized is identified and handled according to prescribed managerial policies
– Computer data files are accurate, complete, and confidential
Audit Objectives (diagram)
AIS diagram: Source Data -> Enter -> Process -> Output, with Programs and Files.
Objectives marked on the diagram: #1 Overall Security, #2 Program Development, #3 Program Modification, #4 Processing, #5 Source Data, #6 Data Files.
Risk-Based Audit
– The approach provides auditors with a clear understanding of errors and irregularities that can occur and the related risks and exposures
– It provides a basis for developing recommendations to management on how the AIS control system should be improved
Four-step approach:
• Determine threats facing the AIS
• Identify control procedures that should be in place to minimize each threat
• Evaluate existing control procedures
• Determine weaknesses
Audit Framework (diagram)
AIS diagram: Source Data -> Enter -> Process -> Output, with Programs and Files, marked #1 Overall Security, #2 Program Development, #3 Program Modification, #4 Processing, #5 Source Data, #6 Data Files.
For each of the six areas the framework lists: Types of Errors / Fraud; Control Procedures; Audit Procedures: System Review; Audit Procedures: Tests of Controls; Compensating Controls.
Overall Security
Security errors and fraud:
– theft of or accidental / intentional damage to hardware and files
– loss, theft, or unauthorized access to programs or data files; or disclosure of confidential data
– unauthorized modification or use of programs and data files
Control procedures:
– develop an information security and protection plan; restrict physical and logical access
– encrypt data / protect against viruses
– implement firewalls
– institute data transmission controls, and prevent and recover from system failures or disasters
Systems review audit procedures:
– inspect computer sites
– interview personnel
– review policies and procedures
– examine access logs, insurance policies, and the disaster recovery plan
Tests of control audit procedures:
– observing procedures
– verifying controls are in place and work as intended
– investigating errors or problems to ensure they were handled correctly
– examining any test previously performed
Compensating controls:
– sound personnel policies
– effective user controls
– segregation of incompatible duties
Program Development
Types of errors and fraud:
– inadvertent programming errors
– unauthorized program code
Control procedures:
– management authorizes and approves programming specifications
– user approval of programming specifications
– thorough testing of new programs and user acceptance testing
– complete systems documentation
Systems review audit procedures:
– independent review of the development process
– systems review of development policies, authorization, and approval procedures
– documentation standards
– program testing and test approval procedures
Tests of control audit procedures:
– interview users about involvement
– verify user sign-off at milestone points
– review test specifications, data, and results
Compensating controls:
– strong processing controls
– independent processing of test data by the auditor
Program Modification
Types of errors and fraud:
– inadvertent programming errors
– unauthorized program code
These are the same as in the audit of program development.
Control procedures:
– listing of program components that are to be modified, and management authorization and approval of programming modifications
– user approval of program change specifications
– thorough testing of program changes, including a user acceptance test
Systems review audit procedures:
– reviewing program modification policies, standards, and procedures
– reviewing documentation standards for program modification, program modification testing, and test approval procedures
– discussing systems development procedures with management
Tests of control audit procedures:
– interviewing users about involvement in systems design and implementation
– reviewing minutes of development team meetings for evidence of involvement
– verifying management and user sign-off at milestone points in the development process
– reviewing test specifications, data, and results
Compensating controls:
– strong processing controls
– independent processing of test data by the auditor
These are the same as in the audit of program development.
Processing Controls
Types of errors and fraud:
– intentional or unintentional report inaccuracies
Control procedures:
– proper use of internal and external file labels
Systems review audit procedures:
– observe computer operations and data control functions
Tests of control audit procedures:
– evaluation of the adequacy and completeness of data editing controls
Compensating controls:
– strong user controls
Source Data Controls
Types of errors and fraud:
– inadequate source data
Control procedures:
– user authorization of source data input
Systems review audit procedures:
– reviewing documentation for source data control standards
Tests of control audit procedures:
– examination of samples of accounting source data for proper authorization
Compensating controls:
– strong processing controls
Data File Controls
Types of errors and fraud:
– unauthorized modification or disclosure of stored data
Control procedures:
– concurrent update controls
Systems review audit procedures:
– examination of the disaster recovery plan
Tests of control audit procedures:
– observing and evaluating file library operations
Compensating controls:
– effective computer security controls
Computer Software
– Computer audit software (CAS), or generalized audit software (GAS), is written for auditors.
– CAS is a computer program that, based on the auditor's specifications, generates programs performing audit functions.
Types of CAS
– Integrated Test Facilities
– Embedded Audit Modules (EAM)
– Audit Hooks
– Snapshot
– SCARF
– Audit Control Language (ACL)
Usage of Computer Software
– The auditor's first step is to decide on audit objectives, learn about the files to be audited, design the audit reports, and determine how to produce them.
– This information is recorded on specification sheets and entered into the system via a data entry program.
– This program creates specification records that the CAS uses to produce one or more auditing programs.
– The auditing programs process the source files and perform the auditing operations needed to produce the specified audit reports.
General Functions of Computer Audit Software
– reformatting
– file manipulation
– calculation
– data selection
– data analysis
– file processing
– statistics
– report generation
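As an added illustration (not code from the slides or from any CAS product), a minimal CAS/GAS-style run: an auditor's specification in a hypothetical format is applied to a constructed payments file, exercising file processing, reformatting, data selection, calculation, data analysis, statistics and report generation, and also the source data test of control from the earlier slide (examining source data for proper authorization). Field names, the specification keys and the ledger rows are all assumptions constructed for the example.

```python
"""Minimal CAS/GAS-style audit run (added illustration, not code from the slides)."""
import csv
import io
from collections import Counter

# Constructed sample source file (not real data): a payments ledger.
SOURCE_FILE = """\
txn_id,vendor,amount,approved_by,date
1001,Acme Supply,4200.00,jdoe,2003-09-02
1002,Acme Supply,4200.00,jdoe,2003-09-02
1003,Beta Corp,15800.00,,2003-09-03
1004,Gamma LLC,950.00,mlee,2003-09-04
1005,Beta Corp,22100.00,mlee,2003-09-05
"""

# Auditor's specification sheet (hypothetical keys): what to select and test.
SPEC = {
    "materiality_threshold": 10000.00,              # select items at/above this
    "require_approval": True,                       # authorization must be present
    "duplicate_key": ("vendor", "amount", "date"),  # duplicate-payment test
}


def load_records(text):
    """File processing + reformatting: parse CSV text and type the amount field."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = float(row["amount"])
    return rows


def run_audit(records, spec):
    """Apply the specification: selection, authorization test, duplicates, statistics."""
    def dup_key(r):
        return tuple(r[k] for k in spec["duplicate_key"])

    findings = {"material": [], "unapproved": [], "duplicates": []}
    seen = Counter(dup_key(r) for r in records)
    for r in records:
        if r["amount"] >= spec["materiality_threshold"]:       # data selection
            findings["material"].append(r["txn_id"])
        if spec["require_approval"] and not r["approved_by"]:  # source data control
            findings["unapproved"].append(r["txn_id"])
        if seen[dup_key(r)] > 1:                               # data analysis
            findings["duplicates"].append(r["txn_id"])
    amounts = [r["amount"] for r in records]                   # calculation / statistics
    findings["count"] = len(records)
    findings["total"] = round(sum(amounts), 2)
    findings["mean"] = round(sum(amounts) / len(amounts), 2) if amounts else 0.0
    return findings


def audit_report(findings):
    """Report generation: plain-text summary for the auditor's working papers."""
    def fmt(ids):
        return ", ".join(ids) if ids else "none"

    return "\n".join([
        f"Records: {findings['count']}  Total: {findings['total']:.2f}  "
        f"Mean: {findings['mean']:.2f}",
        f"Material items (>= threshold): {fmt(findings['material'])}",
        f"Items lacking approval:        {fmt(findings['unapproved'])}",
        f"Possible duplicate payments:   {fmt(findings['duplicates'])}",
    ])


if __name__ == "__main__":
    print(audit_report(run_audit(load_records(SOURCE_FILE), SPEC)))
```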
Topics Discussed
– Auditing scope and objectives
– Information system (IS) audit objectives
– Study and evaluation of internal control in an AIS
– Computer audit software