IS Audit Process - PowerPoint PPT Presentation

About This Presentation
Title:

IS Audit Process

Description:

Compensating Controls. May discover strong and weak controls. One strong control may compensate for weak control in another area ... – PowerPoint PPT presentation

Slides: 45
Provided by: itt63
Transcript and Presenter's Notes


1
IS Audit Process
2
Driving Forces Behind IS Audit and Control
Costs of computer error
Costs of incorrect decision making
Maintenance of privacy
Costs of Computer abuse
Costs of Data loss
Value of H/w and S/w
Organizations
3
Information Systems Auditing
  • (Diagram) Disciplines that feed into IS auditing: Information
    Systems Management, Traditional Auditing, Behavioral Science,
    Computer Science
4
Risk Analysis
  • Understand relationship between risk and control
  • Identify and differentiate risk types and
    corresponding controls
  • Risk: the potential that a given threat will
    exploit vulnerabilities of an asset or group of
    assets to cause loss or damage to the assets

5
Risk Elements
  • Threat and vulnerabilities
  • Impact
  • Probabilities
  • Business risks
  • Financial
  • Regulatory
  • Operational

6
Types of Controls
  • A control is a mechanism that prevents, detects
    or remedies unauthorized events.
  • Preventive Control
  • Prevent errors from happening
  • Attempt to predict
  • Detective Control
  • Find out errors
  • Corrective Control
  • Remedy problems
  • Identify cause
  • Enhance procedures

7
Risk-based Audit Approach
  • Decide to conduct compliance or substantive
    testing
  • Gather information
  • Knowledge of business
  • Previous results
  • Understand internal controls
  • Control procedures
  • Control risk assessment

8
Risk-based Audit Approach
  • Compliance Test
  • Test policies and procedures
  • Test segregation of duties
  • Substantive Test
  • Detailed tests of account balances
  • Analytical procedures
  • Conclude Audit
  • Recommendations
  • Report

9
Segregation of Duties
  • Computer operator must not also act as security administrator
  • Application programmer must not also act as tape librarian
  • Application programmer must not also act as data entry operator

10
Audit Risks
  • Inherent risk
  • Risk that errors exist which could be significant
  • Business-specific
  • Financial, strategic, critical operational,
    advanced systems
  • Control risk
  • Not prevented or detected by internal controls
  • Management and application controls
  • Detection risk
  • Test procedures are NOT adequate and miss findings
  • Overall audit risk
  • Combination of all above risks

11
Compliance Vs Substantive Testing
  • CT (compliance testing): collect evidence to check whether
    controls are working as expected
  • CT results determine whether the auditor can rely on the controls
  • ST (substantive testing): collect evidence to evaluate the
    integrity of information
  • If CT results are sufficient, ST can be reduced

12
Evidence
  • Independence of provider
  • Outside source > internal source
  • Qualification
  • Objectivity
  • Judgmental or interpretational evidence is less reliable

13
How to Gather Evidence?
  • Review IS organization structures
  • Look for adequate segregation of duties
  • Cooperative, distributed or end-user processing
  • Assess level of control
  • Review IS documentation standards
  • Understand existing documentation standards
  • System development initiating documents
  • Functional design specifications
  • Program change histories
  • User documentation manuals

14
How to Gather Evidence
  • Interview appropriate personnel
  • Well-organized
  • Well-structured
  • Well-documented
  • Questionnaire-assisted
  • Discovery, NOT accusatory
  • Observing processes and performance
  • Key technique
  • Unobtrusive and document in sufficient detail

15
Sampling
  • Used when it is impossible to verify population
  • Sample subset of population
  • Results from the sample are used to infer results for
    the population
  • Statistical sampling
  • Objective way to determine sample size and
    selection method
  • Sample precision: determines quantitatively how
    closely sample results represent population
    characteristics
  • Reliability (reliance level): % of the time the sample
    represents the population
  • Each item in population must have equal chance to
    be selected (random sampling)

16
Non-Statistical Sampling
  • Judgmental sampling
  • Subjective judgment to decide method of sampling,
    sample size and sample selection
  • Convenience sampling
  • Judgmental: quick, but results fluctuate
  • Require expertise, experience and instinct

17
Sampling Risk
  • Wrong conclusion from sample
  • Statistical sampling minimizes risk by allowing
    auditor to quantify probability of risk
    confidence coefficient

18
Attribute Vs Variable Sampling
  • Available in both sampling techniques
  • Attribute sampling
  • Applied in compliance testing
  • Deal with presence or absence of attribute
  • Provide conclusions expressed in rates of
    incidence
  • Variable sampling
  • Applied in substantive testing
  • Deal with population characteristics that vary,
    e.g. dollars and weights
  • Provide conclusions related to deviations from
    norm

19
Attribute Sampling
  • Fixed sample-size attribute or frequency-estimating
    sampling
  • Estimate rate (%) of occurrence of an attribute in the
    population
  • Answer how many?, e.g. how many approval
    signatures on computer access request forms
  • Stop-or-Go Sampling
  • Help prevent excessive sampling of an attribute
  • Stop audit test at earliest possible moment
  • Used when it is believed that relatively few
    errors will be found

20
Attribute Sampling
  • Discovery Sampling
  • Used when expected occurrence rate is extremely
    low
  • Most often used when the objective is to discover
    fraud, circumvention of regulations or other
    irregularities

21
Variable Sampling
  • Known as dollar estimation or mean estimation
    sampling
  • Used to estimate dollar value, weight, etc.
  • E.g. review balance sheet for material
    transactions and application review of program
    that produced balance sheet
  • Stratified mean per unit
  • Divide population into groups and samples are
    drawn from various groups
  • Used to produce smaller overall sample size

22
Variable Sampling
  • Unstratified mean per unit
  • Randomly select a sample, calculate mean and
    estimate population mean
  • Difference estimation
  • Base on differences obtained in sample
    observations, estimate total difference between
    audited and book values

23
Statistical Sampling Terms
  • Confidence coefficient (CC)
  • Known as confidence level or reliability factor
  • In %, e.g. 90%, 95%, 99%
  • Measures the probability that the characteristics of the
    sample truly represent the population
  • 95% is already a high level of confidence
  • If auditor is confident that internal controls
    are strong, CC may be lowered
  • The greater the CC, the larger the sample size

24
Statistical Sampling Terms
  • Level of risk
  • 1 - CC (i.e. 100% - CC)
  • Precision
  • Set by auditor, represents acceptable range of
    difference between sample and population
  • For attribute sampling, in %
  • For variable sampling, in monetary terms or number
  • The higher the precision amount, the smaller the
    sample size

25
Statistical Sampling Terms
  • Expected error rate
  • In %; the higher the EER, the larger the sample size
  • Attribute sampling ONLY not variable sampling
  • Sample mean
  • Average of the sample values
  • Sample standard deviation
  • Measure spread/dispersion of sample values

26
Statistical Sampling Terms
  • Tolerable error rate
  • Describes the max. misstatement or number of errors that
    can exist
  • Used for planned upper limit of precision range
    for compliance testing
  • In %; in substantive testing it defines the precision range
  • Population standard deviation
  • The larger the SD, the larger the sample size
  • Apply to variable sampling but NOT attribute
    sampling

27
Sample Selection Steps
  • Determine objectives of test
  • Define population to be sampled
  • Determine sampling method
  • Calculate sample size
  • Select sample
  • Evaluate sample from audit perspective

28
Computer-Assisted-Audit Techniques (CAAT)
  • Test data generators
  • Prepare computerized test data and verify logic
    of application programs
  • Expert systems
  • Specific domain
  • Preserve expertise
  • Knowledge base + inference engine

29
CAAT
  • Standard utilities
  • Resident in software applications that specify
    status of parameters used to install package
  • Software library packages
  • Verify integrity and appropriateness of program
    changes
  • Integrated test facilities
  • Involve setting up dummy entities on the application
    system and processing test or production data against
    those entities as a means of verifying processing
    accuracy

30
CAAT
  • Snapshot
  • Take pictures of transaction while flowing
    through computer system
  • Audit software embedded at different points to
    capture images as transactions progress through
  • System control audit review file
  • Embed audit software modules with application
    system to provide continuous monitoring of
    transaction
  • Log file to keep results

31
CAAT Advantages
  • Reduced level of audit risk
  • Greater independence from auditee
  • Broader and more consistent audit coverage
  • Faster availability of info
  • Improved exception identification
  • Greater flexibility of run times
  • Greater opportunity to quantify internal control
    weaknesses
  • Enhanced sampling
  • Cost savings in long term

32
CAAT Considerations
  • Ease of use, both for existing and future audit
    staff
  • Training requirements
  • Complexity of coding and maintenance
  • Flexibility of uses
  • Installation requirements
  • Processing efficiencies
  • Effort required to bring source data into CAAT

33
Other CAAT Considerations
  • Documentations well-referenced to audit program
  • Clearly identify audit procedures and objectives
  • Request for read-only access to production data
  • Data manipulation should be done to copies of
    production files in controlled environment

34
Compensating Controls
  • May discover strong and weak controls
  • One strong control may compensate for a weak
    control in another area
  • E.g. a weakness in the system transaction error report is
    compensated for by a detailed manual balancing process
  • Identify compensating controls before reporting
    control weakness

35
Overlapping Controls
  • 2 strong controls
  • Data center is equipped with a card key system and
    a guard inside the door to check card key / badge

36
Judging Materiality of Findings
  • Decide which findings to bring forward and to whom
  • Judgmental
  • Consider degree of potential impact if corrective
    actions are NOT taken

37
Communicating Audit Results
  • Communicate with management of audited entity
    first if possible
  • Gain agreement and develop course of corrective
    action
  • Communicate to top management and audit committee
  • Audit committee provides independent route to
    report sensitive info
  • Auditor normally is NOT expected to implement
    recommendations

38
Continuous Audit Approach
  • To improve audit efficiency by making greater use
    of automated tools
  • Collect evidence on system reliability while
    normal processing takes place
  • Monitor operations on continuous basis
  • Gather selective audit evidence; if findings are not
    serious, action can follow later
  • Cut down needless paperwork
  • May report directly through computer on findings

39
Continuous Audit Approach
  • Especially useful when no paper audit trail
  • No disruption to daily operations
  • Time lag between misuse and detection is reduced
  • Enhance confidence in systems reliability

40
CAA Techniques
  • Systems control audit review file and embedded
    audit modules (SCARF/EAM)
  • Embed specially-written audit software in host
    application system
  • Monitor system on selective basis
  • Snapshots
  • Audit hooks
  • Embed in application system to act as red flags
    and prompt to act proactively

41
CAA Techniques
  • Integrated test facilities (ITF)
  • Continuous and intermittent simulation (CIS)
  • Simulate instruction execution of the application
  • As each transaction is entered, the simulator decides
    whether it meets certain pre-defined criteria:
    YES → audit the transaction; NO → wait until the next one

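The continuous audit techniques on slides 30, 40 and 41 (SCARF/EAM and CIS) as an added example, not code from the deck: an audit module embedded in a transaction processing loop applies the simulator's pre-defined criteria to each transaction and writes the YES cases to a SCARF log while normal processing continues. The criteria, field names and sample transactions are assumed; the same-person-enters-and-approves check reflects the segregation of duties on slide 9.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Transaction:
    txn_id: str
    amount: float
    entered_by: str
    approved_by: str
    posted_at: datetime


# Pre-defined selection criteria for the simulator (assumed for this example):
# amount above a review limit, the same person entering and approving
# (segregation of duties, slide 9), and posting outside business hours.
CRITERIA = [
    ("amount_over_limit", lambda t: t.amount >= 10_000),
    ("sod_violation", lambda t: t.entered_by == t.approved_by),
    ("outside_business_hours", lambda t: not 8 <= t.posted_at.hour < 18),
]


def cis_decide(txn, criteria=CRITERIA):
    """CIS step for one transaction: names of the criteria it meets.
    Empty list means NO (wait for the next transaction); otherwise YES (audit it)."""
    return [name for name, test in criteria if test(txn)]


def process_batch(txns, criteria=CRITERIA):
    """Application processing loop with the audit module embedded (SCARF/EAM).
    Every transaction is processed normally; selected ones are also written to
    the SCARF log. Returns (processed ids, SCARF log entries)."""
    processed, scarf_log = [], []
    for t in txns:
        hits = cis_decide(t, criteria)
        if hits:  # YES: capture the transaction for later audit review
            scarf_log.append({"txn_id": t.txn_id, "flags": hits,
                              "amount": t.amount, "posted_at": t.posted_at.isoformat()})
        processed.append(t.txn_id)  # YES or NO: daily processing is not disrupted
    return processed, scarf_log


# Constructed sample batch (not real data).
SAMPLE_TXNS = [
    Transaction("T1", 250.0, "alice", "bob", datetime(2024, 3, 4, 10, 15)),
    Transaction("T2", 15000.0, "alice", "bob", datetime(2024, 3, 4, 11, 0)),
    Transaction("T3", 900.0, "carol", "carol", datetime(2024, 3, 4, 14, 30)),
    Transaction("T4", 4200.0, "dave", "erin", datetime(2024, 3, 4, 22, 45)),
    Transaction("T5", 20000.0, "frank", "frank", datetime(2024, 3, 5, 3, 0)),
]
```

Running `process_batch(SAMPLE_TXNS)` processes all five transactions and logs T2 to T5, with T5 tripping all three criteria.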
42
CAA Advantages and Disadvantages
43
Control Self-Assessment (CSA)
  • Management and/or work teams are directly involved
    in checking effectiveness of existing controls
  • IS auditor act as control expert and assessment
    facilitator
  • Simple questionnaires, facilitated workshops
  • Objectives
  • Enhance audit responsibilities
  • Educate line management in control responsibility
    and monitoring
  • Concentrate on areas of high risk

44
IS Audit Process
  • END