Auditing Computer Systems Dr. Yan Xiong College of Business CSU Sacramento 9/11/03.

Page 1: Auditing Computer Systems

Dr. Yan Xiong
College of Business
CSU Sacramento
9/11/03

Page 2: Agenda

– Auditing scope and objectives
– Information system (IS) audit objectives
– Study and evaluation of internal control in an AIS
– Computer audit software

Page 3: Internal Auditing Standards

According to the Institute of Internal Auditors (IIA), the purpose of an internal audit is to evaluate the adequacy and effectiveness of a company’s internal control system. Also, it is to determine the extent to which assigned responsibilities are actually carried out.

Page 4: Internal Auditing Standards

The IIA’s five audit scope standards are:

1. Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported.
2. Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.

Page 5: Internal Auditing Standards

3. Review how assets are safeguarded, and verify the existence of assets as appropriate.
4. Examine company resources to determine how effectively and efficiently they are utilized.
5. Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives.

Page 6: Types of Internal Auditing Work

What are the three different types of audits commonly performed?

1. Financial audit
2. Information system (IS) audit
3. Operational or management audit

Page 7: Types of Internal Auditing Work

The financial audit examines the reliability and integrity of accounting records (both financial and operating information).

The information systems (IS) audit reviews the general and application controls in an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.

Page 8: Types of Internal Auditing Work

The operational, or management, audit is concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives.

Page 9: An Overview of the Auditing Process

All audits follow a similar sequence of activities and may be divided into four stages.

1. Audit planning
2. Collection of audit evidence
3. Evaluation of audit evidence
4. Communication of audit results

Page 10: An Overview of the Auditing Process

Audit Planning
– Establish scope and objectives
– Organize audit team
– Develop knowledge of business operations
– Review prior audit results
– Identify risk factors
– Prepare audit program

Page 11: An Overview of the Auditing Process

Collection of Audit Evidence
– Observation of operating activities
– Review of documentation
– Discussion with employees and questionnaires
– Physical examination of assets
– Confirmation through third parties
– Reperformance of procedures
– Vouching of source documents
– Analytical review and sampling

Page 12: An Overview of the Auditing Process

Evaluation of Audit Evidence
– Assess quality of internal controls
– Assess reliability of information
– Assess operating performance
– Consider need for additional evidence
– Consider risk factors
– Consider materiality factors
– Document audit findings

Page 13: An Overview of the Auditing Process

Communication of Audit Results
– Formulate audit conclusions
– Develop recommendations for management
– Present audit results to management

Page 14: Operational Audits of an AIS

The techniques and procedures used in operational audits are similar to those of IS and financial audits.

The basic difference is that the IS audit scope is confined to internal controls, whereas the financial audit scope is limited to AIS output. The operational audit scope encompasses all aspects of IS management.

Page 15: Operational Audits of an AIS

Operational audit objectives include evaluating effectiveness, efficiency, and goal achievement.

What are some evidence collection activities?
– reviewing operating policies and documentation
– confirming procedures with management and operating personnel

Page 16: Operational Audits of an AIS

– observing operating functions and activities
– examining financial and operating plans and reports
– testing the accuracy of operating information
– testing controls

Page 17: Agenda

– Auditing scope and objectives
– Information system (IS) audit objectives
– Study and evaluation of internal control in an AIS
– Computer audit software

Page 18: IS Audits

Purpose of an AIS audit: review and evaluate the internal controls that protect the system.

When performing an IS audit, auditors ascertain that certain objectives are met.

Page 19: Audit Objectives

Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.

Program development and acquisition are performed in accordance with management’s general and specific authorization.

Page 20: Audit Objectives

Program modifications have the authorization and approval of management.

Processing of transactions, files, reports, and other computer records is accurate and complete.

Page 21: Audit Objectives

Source data that is inaccurate or improperly authorized is identified and handled according to prescribed managerial policies.

Computer data files are accurate, complete, and confidential.

Page 22: Audit Objectives

[Figure: diagram of the six audit objectives mapped onto the AIS. Source data is entered, processed, and output, with programs and files feeding the processing step. Objectives shown: #1 Overall Security, #2 Program Development, #3 Program Modification, #4 Processing, #5 Source Data, #6 Data Files.]

Page 23: Risk-Based Audit

The approach provides auditors with a clear understanding of the errors and irregularities that can occur and the related risks and exposures.

It provides a basis for developing recommendations to management on how the AIS control system should be improved.

Page 24: Risk-Based Audit

Four-step approach:
• Determine threats facing the AIS
• Identify control procedures that should be in place to minimize each threat
• Evaluate existing control procedures
• Determine weaknesses

Page 25: Agenda

– Auditing scope and objectives
– Information system (IS) audit objectives
– Study and evaluation of internal control in an AIS
– Computer audit software

Page 26: Audit Framework

[Figure: the audit framework matrix. Columns are the six objectives from the diagram on Page 22 (#1 Overall Security, #2 Program Development, #3 Program Modification, #4 Processing, #5 Source Data, #6 Data Files); rows are the five dimensions examined for each objective on the following slides.]

– Types of Errors / Fraud
– Control Procedures
– Audit Procedures: System Review
– Audit Procedures: Tests of Controls
– Compensating Controls

Page 27: Overall Security

Security errors and fraud:
– theft of or accidental / intentional damage to hardware and files
– loss, theft, or unauthorized access to programs, data files; or disclosure of confidential data
– unauthorized modification or use of programs and data files

Page 28: Overall Security

Control procedures:
– develop information security and protection plan - restrict physical and logical access
– encrypt data / protect against viruses
– implement firewalls
– institute data transmission controls, and prevent and recover from system failures or disasters

Page 29: Overall Security

Systems review audit procedures:
– inspect computer sites
– interview personnel
– review policies and procedures
– examine access logs, insurance policies, and disaster recovery plan

Page 30: Overall Security

Tests of control audit procedures:
– observing procedures
– verifying controls are in place and work as intended
– investigating errors or problems to ensure they were handled correctly
– examining any test previously performed

Page 31: Overall Security

Compensating controls:
– sound personnel policies
– effective user controls
– segregation of incompatible duties

Page 32: Program Development

Types of errors and fraud:
– inadvertent programming errors
– unauthorized program code

Page 33: Program Development

Control procedures:
– management authorizes and approves programming specifications
– user approves of programming specifications
– thorough testing of new programs and user acceptance testing
– complete systems documentation

Page 34: Program Development

Systems review audit procedures:
– independent review of development process
– systems review of development policies, authorization, and approval procedure
– documentation standards
– program testing and test approval procedures

Page 35: Program Development

Tests of control audit procedures:
– interview users about involvement
– verify user sign-off at milestone points
– review test specifications, data, and results

Page 36: Program Development

Compensating controls:
– strong processing controls
– independent processing of test data by auditor

Page 37: Program Modification

Types of errors and fraud:
– inadvertent programming errors
– unauthorized program code

These are the same as in audit program development.

Page 38: Program Modification

Control procedures:
– listing of program components that are to be modified, and management authorization and approval of programming modifications
– user approval of program changes specifications
– thorough testing of program changes, including user acceptance test

Page 39: Program Modification

Systems review audit procedures:
– reviewing program modification policies, standards, and procedures
– reviewing documentation standards for program modification, program modification testing, and test approval procedures
– discussing systems development procedures with management

Page 40: Program Modification

Tests of control audit procedures:
– interviewing users about involvement in systems design and implementation
– reviewing minutes of development team meetings for evidence of involvement
– verifying management and user sign-off at milestone points in the development process
– reviewing test specifications, data, and results

Page 41: Program Modification

Compensating controls:
– strong processing controls
– independent processing of test data by auditor

These are the same as in audit program development.

Page 42: Processing Controls

Types of errors and fraud:
– intentional or unintentional report inaccuracies

Control procedures:
– proper use of internal and external file labels

Systems review audit procedures:
– observe computer operations and data control functions

Page 43: Processing Controls

Tests of control audit procedures:
– evaluation of adequacy and completeness of data editing controls

Compensating controls:
– strong user controls

Page 44: Source Data Controls

Types of errors and fraud:
– inadequate source data

Control procedures:
– user authorization of source data input

Systems review audit procedures:
– reviewing documentation for source data control standards

Page 45: Source Data Controls

Tests of control audit procedures:
– examination of samples of accounting source data for proper authorization

Compensating controls:
– strong processing controls
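The processing and source data controls on Pages 42 to 45 (internal file labels, data editing controls, user authorization of source data input) are easier to evaluate when you can see what such a control does to a batch of records. The following is an added illustration, not code from the slides: a batch is modelled as a header record acting as the internal file label, followed by transaction records. The program refuses to process anything under a wrong or inconsistent label, then applies edit checks to every record (required fields present, date valid, amount numeric and within a limit, authorization code present) and routes failures to an exception list instead of processing them, which is the "identified and handled according to prescribed managerial policies" objective from Page 21. The record layout, field names, limit and sample data are constructed for this example.

```python
"""Data-editing and file-label controls over a constructed batch of source data (added example)."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample batch (assumed layout). First line is the internal file label:
# LABEL|<file id>|<creation date>|<record count>; then ref|vendor|date|amount|auth code.
SAMPLE_BATCH = """\
LABEL|AP_INVOICES|2003-09-11|4
1001|VEND-017|2003-09-10|1250.00|AUTH-AB
1002|VEND-042|2003-09-31|300.00|AUTH-CD
1003||2003-09-10|75.50|AUTH-AB
1004|VEND-017|2003-09-10|99000.00|
"""

EXPECTED_FILE_ID = "AP_INVOICES"          # the file this program is authorized to process
AMOUNT_LIMIT = Decimal("50000.00")        # assumed limit requiring a separate approval path


def check_file_label(label_line, expected_file_id, record_count):
    """Internal file label control: the right file, a valid date, and a record count that agrees.
    Returns None when the label is acceptable, else a description of the problem."""
    parts = label_line.split("|")
    if len(parts) != 4 or parts[0] != "LABEL":
        return "missing or malformed file label"
    if parts[1] != expected_file_id:
        return f"wrong file: expected {expected_file_id}, got {parts[1]}"
    try:
        date.fromisoformat(parts[2])
    except ValueError:
        return f"invalid label date {parts[2]!r}"
    if not parts[3].isdigit() or int(parts[3]) != record_count:
        return f"record count mismatch: label says {parts[3]}, file has {record_count}"
    return None


def edit_record(line):
    """Data editing control for one record: return the list of failed checks (empty = clean)."""
    fields = line.split("|")
    if len(fields) != 5:
        return ["wrong field count"]
    ref, vendor, txn_date, amount, auth = fields
    errors = []
    if not vendor:
        errors.append("missing vendor")                      # completeness check
    try:
        date.fromisoformat(txn_date)
    except ValueError:
        errors.append(f"invalid date {txn_date!r}")          # validity check
    try:
        amt = Decimal(amount)
        if amt <= 0:
            errors.append("amount not positive")             # sign/reasonableness check
        elif amt > AMOUNT_LIMIT:
            errors.append(f"amount {amt} exceeds limit {AMOUNT_LIMIT}")  # limit check
    except InvalidOperation:
        errors.append(f"non-numeric amount {amount!r}")      # field type check
    if not auth.startswith("AUTH-"):
        errors.append("missing authorization code")          # authorization check
    return errors


def process_batch(text, expected_file_id=EXPECTED_FILE_ID):
    """Check the label, then edit every record.
    Returns (accepted refs, [(ref, errors), ...] exceptions, label error or None)."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return [], [], "empty batch"
    label, records = lines[0], lines[1:]
    label_error = check_file_label(label, expected_file_id, len(records))
    if label_error:
        return [], [], label_error        # processing control: nothing runs under a bad label
    accepted, exceptions = [], []
    for line in records:
        ref = line.split("|")[0]
        errors = edit_record(line)
        (exceptions.append((ref, errors)) if errors else accepted.append(ref))
    return accepted, exceptions, None


if __name__ == "__main__":
    ok, bad, err = process_batch(SAMPLE_BATCH)
    print("label error:", err)
    print("accepted:", ok)
    for ref, errors in bad:
        print(f"exception {ref}: {'; '.join(errors)}")
```

On the sample batch only record 1001 is accepted; 1002 fails the date check, 1003 the completeness check, and 1004 both the limit and the authorization check. An auditor testing these controls (Page 43, Page 45) would run a batch like this one through the production edit routine and confirm that each exception appears on the exception report rather than in the processed output.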

Page 46: Data File Controls

Types of errors and fraud:
– unauthorized modification or disclosure of stored data

Control procedures:
– concurrent update controls

Systems review audit procedures:
– examination of disaster recovery plan

Page 47: Data File Controls

Tests of control audit procedures:
– observing and evaluating file library operations

Compensating controls:
– effective computer security controls

Page 48: Agenda

– Auditing scope and objectives
– Information system (IS) audit objectives
– Study and evaluation of internal control in an AIS
– Computer audit software

Page 49: Computer Software

Computer audit software (CAS) or generalized audit software (GAS) is written for auditors.

CAS is a computer program that, based on the auditor’s specifications, generates programs performing audit functions.

Page 50: Types of CAS

– Integrated Test Facilities
– Embedded Audit Modules (EAM)
– Audit Hooks
– Snapshot
– SCARF
– Audit Control Language (ACL)

Page 51: Usage of Computer Software

The auditor’s first step is to decide on audit objectives, learn about the files to be audited, design the audit reports, and determine how to produce them.

This information is recorded on specification sheets and entered into the system via a data entry program.

Page 52: Usage of Computer Software

This program creates specification records that the CAS uses to produce one or more auditing programs.

The auditing programs process the source files and perform the auditing operations needed to produce the specified audit reports.

Page 53: General Functions of Computer Audit Software

– reformatting
– file manipulation
– calculation
– data selection
– data analysis
– file processing
– statistics
– report generation
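To make the functions listed above concrete, here is an added example of the kind of auditing program a CAS or GAS produces from an auditor's specifications (Pages 51 to 53). It is illustrative code written for this page, not code from the slides or from any actual audit software product. Against a constructed sales-invoice file it performs file processing (parsing the file), calculation (recomputing each invoice's extension), data selection (large, unapproved and duplicate invoices, the auditor-specified criteria), statistics (totals and stratification by amount band), sampling (a reproducible systematic sample for vouching) and report generation. The file layout, the materiality cut-off and the band boundaries are assumptions made for the example.

```python
"""A generalized-audit-software style routine over a constructed invoice file (added example)."""
import csv
import io
import random
from collections import Counter
from decimal import Decimal

# Constructed invoice file (assumed layout). qty * unit_price should equal amount.
SAMPLE_INVOICES = """\
invoice,customer,qty,unit_price,amount,approved_by
5001,C-100,10,25.00,250.00,jlee
5002,C-205,3,400.00,1200.00,jlee
5003,C-100,1,9000.00,9000.00,
5004,C-310,7,12.50,87.50,mkim
5005,C-205,3,400.00,1250.00,jlee
5006,C-410,50,199.99,9999.50,mkim
5002,C-205,3,400.00,1200.00,jlee
"""

LARGE_INVOICE = Decimal("5000.00")                            # assumed materiality cut-off
STRATA = [Decimal("100"), Decimal("1000"), Decimal("5000")]   # upper bounds of amount bands


def load_invoices(text):
    """File processing: parse the CSV text into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["qty"] = int(row["qty"])
        row["unit_price"] = Decimal(row["unit_price"])
        row["amount"] = Decimal(row["amount"])
        rows.append(row)
    return rows


def recalculate(rows):
    """Calculation: recompute qty * unit_price; return invoices whose recorded amount differs."""
    return [r["invoice"] for r in rows if r["qty"] * r["unit_price"] != r["amount"]]


def select_exceptions(rows, large=LARGE_INVOICE):
    """Data selection: large invoices, invoices with no approver, and duplicated invoice numbers."""
    counts = Counter(r["invoice"] for r in rows)
    return {
        "large": [r["invoice"] for r in rows if r["amount"] >= large],
        "unapproved": [r["invoice"] for r in rows if not r["approved_by"]],
        "duplicates": sorted(k for k, n in counts.items() if n > 1),
    }


def stratify(rows, bounds=STRATA):
    """Statistics: count and total per amount band; the last band is open-ended."""
    labels = [f"<={b}" for b in bounds] + [f">{bounds[-1]}"]
    result = {lab: {"count": 0, "total": Decimal("0")} for lab in labels}
    for r in rows:
        band = next((labels[i] for i, b in enumerate(bounds) if r["amount"] <= b), labels[-1])
        result[band]["count"] += 1
        result[band]["total"] += r["amount"]
    return result


def systematic_sample(rows, size, seed=1):
    """Sampling: every k-th invoice from a seeded random start, so the selection can be re-run."""
    k = max(1, len(rows) // size)
    start = random.Random(seed).randrange(k)
    return [r["invoice"] for r in rows[start::k]][:size]


def build_report(rows):
    """Report generation: a plain-text audit report combining the functions above."""
    lines = [f"Invoices: {len(rows)}  Total: {sum(r['amount'] for r in rows)}"]
    for band, s in stratify(rows).items():
        lines.append(f"  band {band:>8}: {s['count']:3d} invoices, total {s['total']}")
    exc = select_exceptions(rows)
    lines.append(f"Large (>= {LARGE_INVOICE}): {', '.join(exc['large']) or 'none'}")
    lines.append(f"Unapproved: {', '.join(exc['unapproved']) or 'none'}")
    lines.append(f"Duplicate numbers: {', '.join(exc['duplicates']) or 'none'}")
    lines.append(f"Extension errors: {', '.join(recalculate(rows)) or 'none'}")
    lines.append(f"Sample for vouching: {', '.join(systematic_sample(rows, 3))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(load_invoices(SAMPLE_INVOICES)))
```

Run as a script it prints the report; on the sample file it flags invoice 5005 as an extension error (3 x 400.00 recorded as 1250.00), 5003 as both large and unapproved, and 5002 as a duplicated invoice number. In real use the auditor's specification sheet (Page 51) would supply the file layout, the selection criteria and the report format that are hard-coded here, and the source file would be the auditee's data rather than a constructed sample.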

Page 54: Topics Discussed

– Auditing scope and objectives
– Information system (IS) audit objectives
– Study and evaluation of internal control in an AIS
– Computer audit software