Lecture Outline 11 - PowerPoint PPT Presentation

Provided by: Kaluzn

Transcript and Presenter's Notes

1
Lecture Outline 11
  • THE AUDITING OF INFORMATION SYSTEMS

2
What is auditing?
  • Auditing is a systematic process of objectively
    obtaining and evaluating evidence regarding
    assertions about economic actions and events to
    ascertain the degree of correspondence between
    those assertions and established criteria and
    communicating the results to interested users.
  • Source: American Accounting Association

3
Two types of auditors
  • External auditor: the primary mission of the
    external auditors is to provide an independent
    opinion on the organization's financial
    statements, annually. They are from outside the
    organization.

4
Two types of auditors
  • Internal auditor: works inside the organization
    and has a broader mandate, asking
  • Is the organization fulfilling its mission?
  • Review the reliability and integrity of operating
    and financial information
  • Are the organization's systems, intended to comply
    with policies, plans and regulations, being
    followed?
  • How are assets safeguarded?
  • Is operational efficiency being promoted?

5
Internal Controls of An Organization
  • AN INTERNAL CONTROL is any policy, procedure,
    process, or practice designed to provide
    reasonable assurance that an organization's
    objectives will be achieved, specifically to
    ensure that
  •     assets are safeguarded against theft and misuse
  •     operations are efficient and effective
  •     financial reporting is reliable and complete
  •     applicable laws and regulations are complied with

6
Mandate of an Internal Auditor
  • The main job of an internal auditor is to assess
    and report on the existence and proper
    functioning of internal controls in an
    organization
  • Some of these controls relate to an
    organization's information systems

7
Information System Controls
  • Controls are implemented to counteract risks
  • General (overall) controls, e.g. passwords, virus
    protection software, restricted physical access,
    backups of data files
  • Controls for a specific system: input controls,
    data storage controls, processing controls,
    output controls
  • Also system development controls, system
    acquisition controls and system modification
    controls

8
THE NATURE OF AUDITING
  • An overview of the auditing process
  • All audits follow a similar sequence of
    activities and may be divided into four stages:
  • Planning
  • Collecting evidence
  • Evaluating evidence
  • Communicating audit results

[Figure: the four stages in sequence: Planning -> Collecting Evidence -> Evaluating Evidence -> Communicating Audit Results]

9
THE NATURE OF AUDITING
  • At all stages of the audit, findings and
    conclusions are carefully documented in working
    papers.
  • Documentation is critical at the evaluation
    stage, when final conclusions must be reached and
    supported.

10
INFORMATION SYSTEMS AUDIT
  • The purpose of an information systems audit is to
    review and evaluate the internal controls that
    are part of the information system and are
    intended to protect it.

11
IS COMPONENTS AND AUDIT OBJECTIVES
[Figure: the components of an information system (Source Data, Data Entry, Programs, Files, Processing, Output) mapped to the six audit objectives: Objective 1 Overall Security, Objective 2 Program Development and Acquisition, Objective 3 Program Modification, Objective 4 Computer Processing, Objective 5 Source Data, Objective 6 Data Files]

12
Making Sense of This
  • There are six areas of risk in an organization's
    information systems, as identified here
  • 1. Overall (general)
  • 2. System development and acquisition
  • 3. Program modification
  • 4. The working of the programs in the system
    (processing)
  • 5. The capture and input of data into the system
    (source data)
  • 6. The storage of data that has been input (data
    files)

13
For each area of risk (1 to 6)
  • A. What are some actual risks (e.g., possible
    error or fraud)?
  • B. What are some controls to counteract these
    risks?
  • C. What might an internal auditor do,
    specifically, to assess each such control, and
    how would s/he do it?

14
OBJECTIVE 1 OVERALL SECURITY
  • 1A General Risks
  • Break-in to the facilities where the computer is
    housed and destruction of data
  • Theft of data as it is transmitted
  • Virus infection of system
  • Computer breakdown

15
OBJECTIVE 1 OVERALL SECURITY: Evaluate General Controls
  • 1B Control procedures to minimize general risks
  • Developing an information security/protection
    plan.
  • Restricting physical and logical access.
  • Encrypting data.
  • Protecting against viruses.
  • Implementing firewalls.
  • Instituting data transmission controls.
  • Preventing and recovering from system failures or
    disasters, including
      • Designing fault-tolerant systems.
      • Preventive maintenance.
      • Backup and recovery procedures.
      • Disaster recovery plans.
      • Adequate insurance.

16
OBJECTIVE 1 OVERALL SECURITY
  • 1C1 Audit procedures: systems review
  • Inspecting computer sites.
  • Interviewing personnel.
  • Reviewing policies and procedures.
  • Examining access logs, insurance policies, and
    the disaster recovery plan.

17
OBJECTIVE 1 OVERALL SECURITY
  • 1C2 Audit procedures: tests of controls
  • Auditors test security controls by:
  • Observing procedures.
  • Verifying that controls are in place and work as
    intended.

18
OBJECTIVE 2 PROGRAM DEVELOPMENT AND ACQUISITION
  • 2A Risks: types of errors and fraud
  • Two things can go wrong in program development:
  • Inadvertent errors due to careless programming or
    misunderstanding of specifications, or
  • Deliberate insertion of unauthorized instructions
    into the programs.

19
OBJECTIVE 2 PROGRAM DEVELOPMENT AND ACQUISITION
  • 2B Control procedures
  • The preceding problems can be controlled by
    requiring:
  • Management and user authorization and approval
  • Thorough testing
  • Proper documentation
  • Thorough step-by-step documentation in
    acquisition of canned software systems

20
OBJECTIVE 2 PROGRAM DEVELOPMENT AND ACQUISITION
  • 2C Audit procedures: systems review
  • The auditor's role in systems development should
    be limited to an independent review of system
    development activities.
  • To maintain necessary objectivity for performing
    an independent evaluation, the auditor should not
    be involved in system development.
  • During the systems review, the auditor should
    gain an understanding of development procedures
    and controls therein by discussing them with
    management, users, and IS personnel.

21
OBJECTIVE 3 PROGRAM MODIFICATION
  • 3A Risks: errors and fraud
  • Program change implemented incorrectly
  • Program change introduces new errors into the
    existing system
  • Program change not implemented
  • Program change not documented

22
OBJECTIVE 3 PROGRAM MODIFICATION
  • 3B Control procedures
  • When a program change is submitted for approval,
    a list of all required updates should be compiled
    by management and program users.
  • Changes should be thoroughly tested and
    documented.
  • During the change process, the developmental
    version of the program must be kept separate from
    the production version.
  • When the amended program has received final
    approval, it should replace the production
    version.

23
OBJECTIVE 3 PROGRAM MODIFICATION
  • 3C1 Audit procedures: tests of controls
  • An important part of these tests is to verify
    that program changes were identified, listed,
    approved, tested, and documented.

24
OBJECTIVE 3 PROGRAM MODIFICATION
  • 3C2 To test for unauthorized program changes,
    auditors can use a source code comparison program
    to compare the current version of the program
    with the original source code.

25
OBJECTIVE 3 PROGRAM MODIFICATION
  • 3C3 Auditors should observe testing and
    implementation, review related authorizations,
    and, if necessary, perform independent tests for
    each major program change.
  • Auditors should always test programs on a
    surprise basis to protect against unauthorized
    changes being inserted after the examination is
    completed and then removed prior to scheduled
    audits.

26
OBJECTIVE 4 COMPUTER PROCESSING
  • 4A Types of errors and fraud
  • During computer processing, the system may:
  • Fail to detect erroneous input.
  • Improperly correct input errors.
  • Process erroneous input.
  • Improperly distribute or disclose output.

27
OBJECTIVE 4 COMPUTER PROCESSING
  • 4B Control procedures
  • Computer data editing routines.
  • Reconciliation of batch totals.
  • Effective error correction procedures.
  • Effective handling of data input and output by
    data control personnel.
  • File change listings and summaries prepared for
    user department review.
  • Maintenance of proper environmental conditions in
    computer facility.

28
OBJECTIVE 4 COMPUTER PROCESSING
  • 4C1 Audit procedures: processing test data
  • Involves testing a program by processing a
    hypothetical series of valid and invalid
    transactions.
  • The program should:
  • Process all the valid transactions correctly.
  • Identify and reject the invalid ones.
  • All logic paths should be checked for proper
    functioning by one or more test transactions,
    including:
  • Records with missing data.
  • Fields containing unreasonably large amounts.
  • Invalid account numbers or processing codes.
  • Non-numeric data in numeric fields.
  • Records out of sequence.
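An added example (not from the original slides) of the kind of data editing routine that test transactions are meant to exercise: a constructed batch containing two valid records and one record for each error class listed above is run through the edit routine, which must accept the valid records and reject the rest with a stated reason. The chart of accounts, the processing codes and the amount limit are constructed assumptions.

```python
"""Added example: a data editing routine run against hypothetical test
transactions. The chart of accounts, processing codes, amount limit and
the records themselves are constructed for illustration.
"""

# Constructed reference data the edit routine checks against.
VALID_ACCOUNTS = {"1001", "1002", "2001"}
VALID_CODES = {"DR", "CR"}
MAX_AMOUNT = 50_000.00          # reasonableness limit for a single transaction


def edit_transaction(txn, expected_seq):
    """Return the list of edit failures for one record; an empty list means accepted."""
    errors = []
    for field in ("seq", "account", "code", "amount"):
        if txn.get(field) in (None, ""):
            errors.append(f"missing {field}")
    if errors:
        return errors               # the remaining edits need every field present
    try:
        seq = int(txn["seq"])
    except ValueError:
        errors.append("non-numeric seq")
        seq = None
    try:
        amount = float(txn["amount"])
    except ValueError:
        errors.append("non-numeric amount")
        amount = None
    if txn["account"] not in VALID_ACCOUNTS:
        errors.append("invalid account number")
    if txn["code"] not in VALID_CODES:
        errors.append("invalid processing code")
    if amount is not None and amount > MAX_AMOUNT:
        errors.append("unreasonably large amount")
    if seq is not None and seq != expected_seq:
        errors.append("record out of sequence")
    return errors


def process_batch(records):
    """Accept or reject each record; sequence numbers are expected to run 1, 2, 3, ..."""
    accepted, rejected = [], []
    for position, txn in enumerate(records, start=1):
        errors = edit_transaction(txn, position)
        if errors:
            rejected.append((txn, errors))
        else:
            accepted.append(txn)
    return accepted, rejected


# Constructed test data: two valid records, then one record per error class.
TEST_DATA = [
    {"seq": "1", "account": "1001", "code": "DR", "amount": "120.50"},
    {"seq": "2", "account": "1002", "code": "CR", "amount": "120.50"},
    {"seq": "3", "account": "9999", "code": "DR", "amount": "10.00"},    # invalid account number
    {"seq": "4", "account": "2001", "code": "DR", "amount": "abc"},      # non-numeric amount
    {"seq": "5", "account": "2001", "code": "CR", "amount": "75000"},    # unreasonably large
    {"seq": "7", "account": "1001", "code": "DR", "amount": "1.00"},     # out of sequence
    {"seq": "7", "account": "", "code": "DR", "amount": "1.00"},         # missing account
]

if __name__ == "__main__":
    accepted, rejected = process_batch(TEST_DATA)
    print(f"accepted {len(accepted)} record(s)")
    for txn, reasons in rejected:
        print(f"rejected seq {txn['seq']}: {', '.join(reasons)}")
```

The test batch is deliberately small and kept separate from any production file, which is the precaution slide 30 raises; each invalid record isolates one logic path so that a wrong acceptance points at a specific edit.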

29
OBJECTIVE 4 COMPUTER PROCESSING
  • 4C2 The following resources are helpful when
    preparing test data:
  • A listing of actual transactions.
  • The transactions that the programmer used to test
    the program.
  • A test data generator program, which
    automatically prepares test data based on program
    specifications.

30
OBJECTIVE 4 COMPUTER PROCESSING
  • 4C3 Although processing test transactions is
    usually effective, it has the following
    disadvantages:
  • The auditor must spend considerable time
    understanding the system and preparing an
    adequate set of test transactions.
  • Care must be taken to ensure test data do not
    affect the company's files and databases.

31
OBJECTIVE 4 COMPUTER PROCESSING
  • 4C4 Analysis of program logic
  • If an auditor suspects that a particular program
    contains unauthorized code or serious errors, a
    detailed analysis of the program logic may be
    necessary.
  • Done only as a last resort because:
  • It's time-consuming
  • It requires programming language proficiency

32
OBJECTIVE 5 SOURCE DATA - Input
  • 5A Types of errors and fraud
  • Inaccurate source data
  • Unauthorized source data

33
OBJECTIVE 5 SOURCE DATA
  • 5B Control procedures
  • Effective handling of source data input documents
    by data entry department personnel
  • User authorization of source data input
  • Logging of the receipt, movement, and disposition
    of source data input
  • Effective procedures for correcting and
    resubmitting erroneous data

34
OBJECTIVE 5 SOURCE DATA
  • 5C Audit Procedures
  • Auditors should test source data controls on a
    regular basis, because the strictness with which
    they are applied may vary over time.

35
OBJECTIVE 6 DATA FILES
  • 6A1 The sixth objective concerns the accuracy,
    integrity, and security of data stored in
    machine-readable files (including relational
    tables in a database)
  • Data storage risks include:
  • Unauthorized modification of data
  • Destruction of data
  • Disclosure of data
  • If file controls are seriously deficient,
    especially with respect to access or backup and
    recovery, the auditor should strongly recommend
    they be rectified.

36
OBJECTIVE 6 DATA FILES
  • 6A2 Types of errors and fraud
  • Destruction of stored data due to:
  • Inadvertent errors
  • Hardware or software malfunctions
  • Intentional acts of sabotage or vandalism
  • Unauthorized modification or disclosure of stored
    data

37
OBJECTIVE 6 DATA FILES
  • 6B Control procedures
  • Restrictions on physical access to data files
  • Logical access (access by program) controls using
    passwords
  • Encryption of highly confidential data
  • Use of virus protection software
  • Maintenance of backup copies of all data files in
    an off-site location

38
OBJECTIVE 6 DATA FILES
  • 6C1 Audit procedures: system review
  • Review logical access policies and procedures.
  • Review operating documentation to determine
    prescribed standards for:
  • Use of file labels and write-protection
    mechanisms.
  • Use of virus protection software.
  • Use of backup storage.
  • System recovery, including checkpoint and
    rollback procedures.

39
OBJECTIVE 6 DATA FILES
  • 6C2 Review systems documentation to examine
    prescribed procedures for:
  • Use of concurrent update controls and data
    encryption
  • Control of file conversions
  • Reconciling master file totals with independent
    control totals
  • Examine disaster recovery plan.
  • Discuss data file control procedures with systems
    managers and operators.
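An added example, not part of the original presentation, of the reconciliations named on this slide and among the processing controls of slide 27: record count, financial total and hash total are computed from a constructed input batch and compared with totals prepared independently by the user department, and the master file's closing balance is checked against its opening balance plus the batch's financial total. All figures are constructed for illustration.

```python
"""Added example: computing and reconciling control totals for a batch of
input records and for the master file those records update. Record count,
financial total and hash total are the usual three; every figure here is
constructed for illustration.
"""
from decimal import Decimal


def control_totals(records):
    """Record count, financial total (sum of amounts) and hash total (sum of account numbers)."""
    return {
        "count": len(records),
        "financial": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash": sum(int(r["account"]) for r in records),
    }


def reconcile(computed, independent):
    """Differences (computed minus independent) for every total that does not agree."""
    return {k: computed[k] - independent[k] for k in independent if computed[k] != independent[k]}


def reconcile_master(opening, batch_records, closing):
    """Closing balance minus (opening balance + batch financial total); zero means it agrees."""
    expected = opening + control_totals(batch_records)["financial"]
    return closing - expected


# Constructed batch header prepared independently by the user department.
BATCH_HEADER = {"count": 3, "financial": Decimal("650.00"), "hash": 4004}

# Constructed input as it should have been keyed.
BATCH = [
    {"account": "1001", "amount": "100.00"},
    {"account": "1002", "amount": "250.00"},
    {"account": "2001", "amount": "300.00"},
]

# Constructed input with a keying error: transposed digits in one account number.
# The financial total still agrees, so only the hash total catches it.
KEYED_WITH_ERROR = [
    {"account": "1001", "amount": "100.00"},
    {"account": "1020", "amount": "250.00"},
    {"account": "2001", "amount": "300.00"},
]

if __name__ == "__main__":
    print("clean batch differences:", reconcile(control_totals(BATCH), BATCH_HEADER))
    print("keying error differences:", reconcile(control_totals(KEYED_WITH_ERROR), BATCH_HEADER))
    print("master file difference:",
          reconcile_master(Decimal("1000.00"), BATCH, Decimal("1650.00")))
```

Decimal is used rather than float so that the totals are exact; the hash total has no financial meaning, which is exactly why it detects an account-number error that leaves the financial total unchanged.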

40
AUDIT SOFTWARE
  • 6C3 Computer audit software (CAS) or generalized
    audit software (GAS) consists of computer programs
    that have been written especially for auditors.
  • Two of the most popular:
  • Audit Control Language (ACL)
  • IDEA
  • Based on the auditors' specifications, CAS generates
    programs that perform the audit function.
  • CAS is ideally suited for examination of large
    data files to identify records needing further
    audit scrutiny.
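An added example (not part of the original presentation, and not using ACL or IDEA) showing in plain Python, over a constructed payments file, three interrogations that generalized audit software is typically used for: duplicate payments, gaps in a document number sequence, and a reproducible random sample of records for further scrutiny.

```python
"""Added example: file interrogation of the kind generalized audit software
performs, written in plain Python against a constructed payments file.
"""
import random
from collections import defaultdict

# Constructed payments file: (cheque number, payee, amount as text).
PAYMENTS = [
    (1001, "Acme Supplies", "1200.00"),
    (1002, "Northwind", "845.10"),
    (1003, "Acme Supplies", "1200.00"),   # same payee and amount as 1001
    (1005, "Globex", "99.99"),            # 1004 is missing from the sequence
    (1006, "Northwind", "845.10"),        # same payee and amount as 1002
    (1007, "Initech", "15000.00"),
]


def duplicate_payments(payments):
    """Groups of cheques with the same payee and amount, a common double-payment indicator."""
    groups = defaultdict(list)
    for cheque_no, payee, amount in payments:
        groups[(payee, amount)].append(cheque_no)
    return {key: nos for key, nos in groups.items() if len(nos) > 1}


def sequence_gaps(payments):
    """Cheque numbers absent between the lowest and highest number on file."""
    present = {p[0] for p in payments}
    return sorted(set(range(min(present), max(present) + 1)) - present)


def sample(payments, size, seed):
    """Reproducible random selection; the seed is recorded in the working papers."""
    return sorted(random.Random(seed).sample(payments, size))


if __name__ == "__main__":
    print("possible duplicates:", duplicate_payments(PAYMENTS))
    print("sequence gaps:", sequence_gaps(PAYMENTS))
    print("sample for scrutiny:", sample(PAYMENTS, 3, seed=2024))
```

Each function returns the records needing follow-up rather than a verdict; the auditor still has to obtain the supporting documents for a flagged cheque or a missing number before concluding anything.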
