It32015 slides
4/27/2015
1
Copyright © 2014 AuditNet® and Richard Cascarino & Associates
AuditNet® Training without Travel™ Audit Use of CAATs May 5 2015
Guest Presenter: Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates
Jim Kaplan CIA CFE
• President and Founder of AuditNet®, the global resource for auditors (now available on Apple and Android and Windows devices)
• Auditor, Web Site Guru
• Internet for Auditors Pioneer
• Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
Richard Cascarino MBA CIA CISM CFE
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 30 years experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Auditor's Guide to IT Auditing
Webinar Housekeeping
• This webinar and its material are the property of AuditNet® and Richard Cascarino and Associates. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided with a link access to that recording as detailed below. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• Webinar recording link will be sent via email within 5-7 business days.
• NASBA rules require us to ask polling questions during the Webinar and CPE certificates will be sent via email to those who answer ALL the polling questions
• The CPE certificates and link to the recording will be sent to the email address you registered with in GTW. We are not responsible for delivery problems due to spam filters, attachment restrictions or other controls in place for your email client.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• After the Webinar is over you will have an opportunity to provide feedback. Please complete the feedback questionnaire to help us continuously improve our Webinars
• If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.
Disclaimers
• The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
• While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website
• Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet®
Today’s Agenda
• System testing techniques
• Computerized application systems
• Non-computerized systems
• CAAT types
• Source code review
• Use of Test Data
• Parallel Simulation
• Integrated Test Facilities
• Snapshot Techniques
• SCARF
• Retrieval Software
• Generalized Audit Software
• Specialized Audit Software
• Utility Software
• ACL
• IDEA
Testing of Computerized Systems
What is a "System"?
–Manual - pre-computer
–Computer Application
–Computer Environment
–Manual - post-computer
–Integrated Systems
All subject to control
Manual – Pre-Computer
Business Control Objectives
Control normally exercised by:
–Supervision
–Authorization
–Authentication
–Procedures
Computer Applications
–Control objectives have not changed
–Control points may vary
–Controls themselves may be:
  Computerized
  Manual
–Effective / Efficient trade-off
Application Controls
–Prime Areas:
  Recording, Classifying and Summarizing Authorized Transactions
  Updating Files
  Reporting the results of processing
–Can data be relied upon? Is it:
  Complete
  Accurate
  Valid
Computer Environment
–Operating Environment:
  Operating System
  Networking Software
  Database Management Systems
–Control Environment:
  Operation Controls
  Change Control
Operations Controls
–Custodial Controls:
  Physical Site Controls
  Operations Standards and Procedures
  Library and File Controls
  Backup / Restart Controls
  Disaster Recovery Planning
Supervisory Controls
–Run Schedules
–Checklists
–Exception Reports
–Reconciliation Procedures
–Log Books
–Computer Logs
Administrative Controls Cover
–Reliability of Information
–Timeliness
–Nature and type of Information
–Speed of Error Detection / Correction
–Appropriateness of Management Decisions
Integrity Controls Include
–Implementation Controls
–Program Security Controls
–Computer Operation Controls
–Data File Security Controls
–System Software Controls
–Change Control: when changes are made, is risk controlled or introduced?
  Are Changes Authorized?
  Are Authorized Changes Carried Out?
  Are Changes Controlled or Recorded?
  Who Makes the Changes?
Polling Question 1
Selecting Controls for Testing
–Establish "prime" Controls for an Area
–Identify Controls covering several Areas
–Identify Stand-alone Controls
–Controls which provide Evidence
–Do NOT try to prove a Negative
Primary Areas of Concern
–Complex Systems cannot be re-created manually
–Many computer records are intelligible only to computers
–Most systems allow multiple access
–"Computers can be trusted"
–Disasters really mean Disaster
Control Concepts and IT
–Extent of manual controls reduced
–Sources of data have shifted
–Transaction trails may be discontinuous
–Control points have migrated
–Opportunities for human judgment are less
–Documentation becomes critical:
  Lack of hard-copy audit trails
  Continuity Control
  Maintenance Control
–Data Custody Shifted
Logical vs. Technical Controls
Logical Controls are:
–Business controls
–Functional in nature
–Either people or computer enforced
Technical controls are concerned with technical complexities (e.g. parity controls)
Automated Tools (CAATs)
Test Data Generators
Flowcharting Packages
Specialized Audit Software
Generalized Audit Software
Utility Programs
Specialized Audit Software
Can accomplish any audit task, but:
–High development and maintenance cost
–Require specific I.S. skills
–Must be "verified" if not written by the auditor
–High degree of obsolescence
Generalized Audit Software
"Prefabricated" audit tests
Each use is a one-off
Auditor has direct control
Lower development cost
Fast to implement
Application of GAS
Detective examination of files
Verification of processing controls
File interrogations
Management inquiries
Polling Question 2
Types of Audit Software
Program generators
Macro languages
Audit-specific tools
Data downloaders
Micro-based software
Hardware / Software Compatibility (Desirable)
–Across manufacturers
–Across operating environments
–Across machine size
–Mainframe / mini / micro
Some such products do exist
Audit Software Functions
File access
Arithmetic operations
Logic operations
Record handling
Update
Output
Statistical Sampling
File comparison
Graphics
Determining the Appropriate CAAT
Depends on the Audit Objective and selected technique
Application Audit Techniques
Purposes:
–1 To verify processing operation
–2 To verify the results of processing
Areas of Control in IT Systems
–Application controls - unique to individual user systems
–Systems development controls - assuring systems are likely to fulfill objectives
–Physical controls - controlling operating environment
–System integrity controls - securing the logical environment
–A balance must be struck
Polling Question 3
CAAT Types and Their Usage
–Application audit tools are not always CAATs
–"Any tangible aid that assists an auditor":
  Tools to obtain information
  Tools to evaluate controls
  Tools to verify controls
  Automated tools
Obtaining Information
–Interviews
–Questionnaires
–Analytical audit flowcharts
–Flowcharting software
–Documentation Review
Control Evaluation
Application control matrix:
–Components
–Concerns
  Adequate
  Inadequate
Cascarino Cube
Control Verification
Audit around
Test data
Re-performance of key functions
Reprocess selected items
Source code review
–Requires programming skill
–Slow
–Expensive
–Boring
–Proves little
–May be useful for specialized review
Confirmation of Results
e.g. Debtors certification:
–Slow
–Uncertain
–Only shows up errors in your favor
–Very labor intensive
Test Data
–Selected to test both correct data and errors
–Require little technical background
but lacks objectivity:
–Influenced by what is expected
–Assumes program tested is "LIVE" program
Integrated Test Facility (ITF)
–Establishes a "dummy" entity
–Process data together with live data
–Excluded from live results
–Under the auditor's control but
–May result in system catastrophe
Advantages of an ITF
–Little technical training required
–Low processing cost
–Tests system as it routinely operates
–Understood by all involved
–Tests manual function as well as computer
Disadvantages of an ITF
–ITF transactions must be removed before they interfere with live totals
–High cost if live systems require modification to implement
–Test data affects live files - danger of destruction
–Difficult to identify all exception conditions
–Quantity of test data will be limited
Snapshot Technique
–A form of transaction trail
–Identifiable inputs "tagged"
–Trail produced for all processing logic
–Useful in high-volume systems
–Used extensively by I.S. staff in testing systems
Sampling
–"Liars, Damned Liars and Statistics"
–A tool for audit quality control
–May be the only tool possible in a high-volume system
–Not well understood by auditors
–At computer speeds 100% sampling may be practicable
  May not be desirable
Types of Stat Sampling e.g.
–Attributes Sampling
–Variables Sampling
–Systematic selection
–Random selection
–Stratified random selection
–Discovery sampling
–Stop-go sampling
Parallel Simulation
Uses same input data
Uses same files
Uses different programs
From a different source
To produce the same results?
Polling Question 4
Common CAAT Problems
–Getting the wrong files
–Getting the wrong layout
–Documentation is out of date
–Prejudging results
Never believe what the first printout tells you
In any Application System
–Try to identify the controls the user relies on
–Documentation is often misleading
–Not everything needs to be audited
–Program logic mirrors business logic
–You can always ask for help
Industry-Related Software
–Audit procedures commonly available for:
  Accounts receivable
  Payroll
  General ledger
  Inventory
–May be customizable
–Industry-related audit software available for:
  Insurance
  Health care
  Financial services
Industry-Related Drawbacks
–Requires:
  Conversion of input to standard package layouts
  Selection of appropriate parameters
  A degree of IS skill for conversion
–Software itself normally:
  Cost-effective
  Efficient
Customized Audit Software
–To run in unique circumstances
–To perform unique audit tests
–To produce output in unique formats
–Expensive to develop
–Normally require a high level of IS skills
–May not tell you what you think they do
–May be the only viable solution
Information Retrieval Software
–Report writers and Query Languages
–Not specifically written for auditors
–Can perform many common audit routines
–Includes:
  Report writers
  Program generators
  4th generation languages
Generalized Audit Software
–Designed specifically for auditors
–Potential uses:
  Examine records
  Test calculations and make computations
  Compare data on separate files
  Select and print audit samples
  Summarize or re-sequence data
  Perform analyses
  Compare audit data to other sources
Generalized Audit Software Benefits
Handling of volumes
Output can be used for further computer processing
Time to audit can be reduced
Auditor freed to spend time interpreting results
Limited programming skills required
Audit reliance on IS staff reduced
Generalized Audit Software Limitations
Hardware and software environments may be restrictive
Number of files that can be handled may be restrictive
Types of record structures may not be comprehensive
Number of computations may be limited
Number of reports per "pass" may be restrictive
Polling Question 5
Excel as a CAAT
ACL as a CAAT
IDEA as a CAAT
Importing the Data
Bring a copy to the audit machine:
–Copies can be reanalyzed later if need be
–Live data moves on
–You cannot corrupt live data working on a copy
Bringing it into the audit software:
–Depends on the software
–Most modern systems can import from a variety of data types
What’s where in the data:
–Data layout is critical
–May automatically extract the data layout from metadata (data about the data): ODBC databases, Excel layouts etc.
–If the structure is flat you will need the file layout from IT (make sure it’s up-to-date)
Acquiring the Data
If all you can get is the hard copy, can they print it to a file instead?
–Comma Delimited if possible: "Fred Smith, Internal Audit,3/13/2011," has individual data fields separated by commas, which makes it easy for the software to identify individual fields
–If it’s a printout, scan it: 1 field of 120 characters, for example. The audit software will allow you to define fields within the 120 characters. You can even define different layouts for different rows
Acquiring the Data
You’ve got the data – now what? Make sure it’s what you asked for:
–Timeliness: does it reflect the right period?
–Accuracy: is it the live data?
–Completeness: is it all the data?
It’s embarrassing to come to an adverse conclusion only to find you were given the “wrong” file / layout etc.
It’s even worse if you came to a non-adverse conclusion
Check against known:
–Control totals
–Dates
–Transactions
Never believe what the first printout tells you
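The layout definition over a scanned printout and the timeliness / accuracy / completeness checks from the two "Acquiring the Data" slides above, as an added example that is not part of the AuditNet deck; the printout lines, the two row layouts, the trailer control totals and the April 2015 audit period are all constructed for this example:

```python
"""Added example (not from the AuditNet slides): define field layouts over a
fixed-width printout, then reconcile the parsed rows against the control totals
the file carries before drawing any conclusion from it."""
import csv
from datetime import date
from decimal import Decimal
from io import StringIO

# Assumed layouts for the constructed printout: (field, start, width), 0-based.
# The first character selects the row type, so detail rows and the trailer row
# get different layouts, as the slides say the audit software allows.
DETAIL_LAYOUT = [("txn", 0, 8), ("date", 8, 10), ("account", 18, 12), ("amount", 30, 12)]
TRAILER_LAYOUT = [("count", 8, 6), ("amount", 30, 12)]

# Constructed sample: three detail rows, then a trailer with record count and total.
PRINTOUT = [
    "D00000012015-04-02ACC-1001         1250.00",
    "D00000022015-04-15ACC-1002          300.50",
    "D00000032015-05-03ACC-1001           75.00",
    "T       000003                     1625.50",
]
AUDIT_PERIOD = (date(2015, 4, 1), date(2015, 4, 30))  # assumed period under audit


def cut(line, layout):
    """Slice one row into named, whitespace-stripped fields per the layout."""
    return {name: line[start:start + width].strip() for name, start, width in layout}


def parse_printout(lines):
    """Return (detail rows, trailer); amounts become Decimal, dates become date."""
    details, trailer = [], None
    for line in lines:
        if line.startswith("D"):
            row = cut(line, DETAIL_LAYOUT)
            row["date"] = date.fromisoformat(row["date"])
            row["amount"] = Decimal(row["amount"])  # Decimal, never float, for money
            details.append(row)
        elif line.startswith("T"):
            t = cut(line, TRAILER_LAYOUT)
            trailer = {"count": int(t["count"]), "amount": Decimal(t["amount"])}
    return details, trailer


def reconcile(details, trailer, period_start, period_end):
    """Completeness and accuracy against the control totals, timeliness against the period."""
    return {
        "complete": len(details) == trailer["count"],
        "accurate": sum(r["amount"] for r in details) == trailer["amount"],
        "timely": all(period_start <= r["date"] <= period_end for r in details),
    }


def check_sample():
    """Run the reconciliation over the constructed printout for the assumed period."""
    rows, totals = parse_printout(PRINTOUT)
    return reconcile(rows, totals, *AUDIT_PERIOD)


def parse_delimited(text):
    """Comma-delimited input; skipinitialspace drops the blanks after commas."""
    return list(csv.reader(StringIO(text), skipinitialspace=True))


if __name__ == "__main__":
    print(check_sample())  # totals agree, but one transaction falls outside April
```

The constructed totals reconcile, yet the timeliness check fails because one row is dated May: the control totals alone would not have revealed that the wrong period was supplied.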
From your Manual Audit
It seems to be the right data – now what?
–You know what you wanted to find
–You knew where the data resided
–Now you’ve got it
–Go ahead with the analysis you planned
–You have the answer: NOW CHECK IT
Remember: Never Believe What The First Printout Tells You, particularly if it’s what you want to believe
Acquiring the Data
Remember… Modern Audit Software can handle almost any data structure
–Variable length blocks can still cause problems
–We can take it in any format (even pdf): IT has it in, and we’ll handle it from there
–Even if it’s on tape we can handle it with an appropriate tape drive (on loan?)
Once you’ve got the data you still have to:
–Run your tests
–Interpret the results
–Form your conclusions
–Convince someone to do something (perhaps)
–If it’s fraud, maintain the chain of custody
–Provide expert testimony
Ensure you have Strength in Depth
Polling Question 6
Questions?
• Any Questions?
Don’t be Shy!
Coming Up Next
IT AUDIT BASIC
4. Auditing Contingency Planning May 7
5. IT Fraud and Countermeasures May 12
IT AUDIT ADVANCED
1. Advanced IT Audit Risk Analysis for Auditors May 14
2. Advanced IT Audit Securing the Internet May 19
3. Advanced IT Audit IT Security Reviews May 21
4. Advanced IT Audit Performance Auditing of the IT Function May 26
5. Advanced IT Audit Managing the IT Audit Function May 28
Thank You!
Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates
970-291-1497 [email protected]
Jim Kaplan
AuditNet LLC®
800-385-1625
www.auditnet.org