ACS-1803 Introduction to Information Systems - PowerPoint PPT Presentation

About This Presentation
Title:

ACS-1803 Introduction to Information Systems

Description:

ACS-1803 Introduction to Information Systems Instructor: Kerry Augustine The Auditing of Information Systems Lecture Outline 16 ACS-1803 Introduction to Information ... – PowerPoint PPT presentation

Slides: 41
Provided by: i124
Transcript and Presenter's Notes

1
ACS-1803 Introduction to Information Systems
  • Instructor: Kerry Augustine

The Auditing of Information Systems: Lecture Outline 16
2
Principles and Learning Objectives
  • Understand internal controls of Information
    Systems within an organization
  • Understand six objective areas of risk (focus on
    Objective 1 and Objective 6)

3
Two Types of Auditors
  • External auditor: The primary mission of the
    external auditors is to provide an independent
    opinion on the organization's financial
    statements, annually. They are from outside the
    organization. MC

4
Two Types of Auditors
  • Internal auditor MC
  • Works inside an organization
  • Has a broader mandate
  • Is the organization fulfilling its mission?
  • Review the reliability and integrity of operating
    and financial information
  • Are org systems intended to comply with policies,
    plans and regulations being followed?
  • How are assets safeguarded?
  • Is operational efficiency being promoted?

5
Internal Controls of An Organization
  • An Internal Control MC
  • Any policy, procedure, process, or practice
    designed to provide reasonable assurance that an
    organization's objectives will be achieved.
    Specifically, to ensure that:
  •     assets are safeguarded against theft and misuse
  •     operations are efficient and effective
  •     financial reporting is reliable and complete
  •     applicable laws and regulations are complied
    with

6
Mandate of an Internal Auditor
  • MC
  • The main job of an internal auditor is to assess
    and report on the existence and proper
    functioning of internal controls in an
    organization
  • Some of these controls relate to an
    organization's information systems

7
Information System Controls L
  • Controls are implemented to counteract risks
  • General (overall) controls, e.g. passwords, virus
    protection software, restricted physical access,
    backups of data files
  • Controls for a specific system: input controls,
    data storage controls, processing controls,
    output controls
  • Also system development controls, system
    acquisition controls, system modification
    controls

8
The Nature of Auditing
  • An overview of the auditing process L
  • All audits follow a similar sequence of
    activities and may be divided into four stages
  • Planning
  • Collecting evidence
  • Evaluating evidence
  • Communicating audit results

[Figure: flowchart of the four audit stages: Planning → Collecting Evidence → Evaluating Evidence → Communicating Audit Results]
9
The Nature of Auditing
  • At all stages of the audit, findings and
    conclusions are carefully documented in working
    papers.
  • Documentation is critical at the evaluation
    stage, when final conclusions must be reached and
    supported.

10
Information Systems Audit
  • The purpose of an information systems audit is to
    review and evaluate the internal controls that
    are part of the information system, that are
    intended to protect the system. L

11
IS Components and Audit Locations
[Diagram: the data flow runs Source Data → Data Entry → Programs → Files → Processing → Output, with each audit objective placed at the component it covers: Objective 1 Overall Security (the whole system), Objective 2 Program Development and Acquisition and Objective 3 Program Modification (Programs), Objective 4 Computer Processing (Processing), Objective 5 Source Data (Source Data and Data Entry), Objective 6 Data Files (Files)]
12
Making Sense of This L
  • There are six areas of risk in an organization's
    information systems, as identified here
  • 1. Overall (General) (L)
  • 2. System development, acquisition and (X)
  • 3. Modification (X)
  • 4. The working of the programs in the system
    (processing) (X)
  • 5. The capture and input of data into the system
    (source data) (X)
  • 6. The storage of data that has been input (data
    files) (L)

13
For each area of risk (1 to 6) L
  • A. What are some actual risks (e.g., possible
    error or fraud)?
  • B. What are some controls to counteract these
    risks?
  • C. What might an internal auditor do,
    specifically, to assess each such control, and
    how would s/he do it?

14
OBJECTIVE 1 Overall Security
  • 1A General Risks L
  • Break-in to facilities where computer is housed
    and destruction of data
  • Theft of data as it is transmitted
  • Virus infection of system
  • Computer breakdown

15
OBJECTIVE 1 Overall Security: Evaluate General Controls
  • 1B Control procedures to minimize general risks L
  • Developing an information security/protection
    plan.
  • Restricting physical and logical access.
  • Encrypting data.
  • Protecting against viruses.
  • Implementing firewalls.
  • Instituting data transmission controls.
  • Preventing and recovering from system failures or
    disasters, including
  • Designing fault-tolerant systems.
  • Preventive maintenance.
  • Backup and recovery procedures.
  • Disaster recovery plans.
  • Adequate insurance.

16
OBJECTIVE 1 Overall Security
  • 1C1 Audit procedures Systems review L
  • Inspecting computer sites.
  • Interviewing personnel.
  • Reviewing policies and procedures.
  • Examining access logs, insurance policies, and
    the disaster recovery plan.
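The "examining access logs" step above is usually done by reconciling the log against the list of people who are supposed to have access and looking for entries that fall outside normal patterns. The script below is an added illustration of that review; it is not code from the course or the presentation. The log layout (timestamp|user|resource|result), the user ids, the business-hours window and the three-denial threshold are all assumptions made for the example, and the log lines are constructed.

```python
"""Review of a constructed access log against an authorization list.

Added example (not part of the lecture or any course software) of the
'examining access logs' step: reconcile granted entries against the list of
people authorized for the computer site, flag after-hours entries, and flag
users with repeated denials. The log layout, user ids, business-hours window
and denial threshold are all assumptions made for the illustration.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, time

# Assumed authorization list for the server room (user id -> role).
AUTHORIZED = {"op01": "operator", "op02": "operator", "adm01": "administrator"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed normal operating window

# Constructed sample log: timestamp|user|resource|result
SAMPLE_LOG = [
    "2024-03-04T08:15:00|adm01|server-room|granted",
    "2024-03-04T23:40:00|op02|server-room|granted",         # outside business hours
    "2024-03-04T10:02:00|contractor7|server-room|granted",  # not on the list
    "2024-03-05T09:00:00|op01|server-room|denied",
    "2024-03-05T09:00:30|op01|server-room|denied",
    "2024-03-05T09:01:00|op01|server-room|denied",
    "2024-03-05T09:01:30|op01|server-room|granted",
]


def parse_entry(line: str) -> dict:
    """Split one pipe-delimited log line into a dict with a parsed timestamp."""
    ts, user, resource, result = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "resource": resource, "result": result}


def review_access_log(lines, authorized=AUTHORIZED,
                      hours=BUSINESS_HOURS, denial_threshold=3) -> dict[str, list[str]]:
    """Return the exceptions an auditor would follow up on, grouped by category."""
    entries = [parse_entry(line) for line in lines]
    granted = [e for e in entries if e["result"] == "granted"]
    # Granted entries for ids that are not on the authorization list.
    unlisted = sorted({e["user"] for e in granted if e["user"] not in authorized})
    # Granted entries outside the assumed business-hours window.
    after_hours = sorted({e["user"] for e in granted
                          if not hours[0] <= e["ts"].time() <= hours[1]})
    # Users denied at least denial_threshold times.
    denials = Counter(e["user"] for e in entries if e["result"] == "denied")
    repeated = sorted(u for u, n in denials.items() if n >= denial_threshold)
    return {"granted_to_unlisted_user": unlisted,
            "after_hours_access": after_hours,
            "repeated_denials": repeated}


if __name__ == "__main__":
    for category, users in review_access_log(SAMPLE_LOG).items():
        print(f"{category}: {users or 'none'}")
```

Each category maps to a question the auditor then asks of management: why an unlisted id was granted entry, why a listed user was in the site at night, and whether repeated denials were a forgotten badge or something that should have been escalated.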

17
OBJECTIVE 1 Overall Security
  • 1C2 Audit procedures Tests of controls L
  • Auditors test security controls by
  • Observing procedures.
  • Verifying that controls are in place and work as
    intended.

18
OBJECTIVE 2 Program Development and Acquisition X
  • 2A Risks: Types of errors and fraud
  • Two things can go wrong in program development
  • Inadvertent errors due to careless programming or
    misunderstanding specifications or
  • Deliberate insertion of unauthorized instructions
    into the programs.

19
OBJECTIVE 2 Program Development and Acquisition X
  • 2B Control procedures
  • The preceding problems can be controlled by
    requiring
  • Management and user authorization and approval
  • Thorough testing
  • Proper documentation
  • Thorough step-by-step documentation in
    acquisition of canned software systems

20
OBJECTIVE 2 Program Development and Acquisition X
  • 2C Audit procedures Systems review
  • The auditor's role in systems development should
    be limited to an independent review of system
    development activities.
  • To maintain necessary objectivity for performing
    an independent evaluation, the auditor should not
    be involved in system development.
  • During the systems review, the auditor should
    gain an understanding of development procedures
    and controls therein by discussing them with
    management, users, and IS personnel.

21
OBJECTIVE 3 Program Modification X
  • 3A Risks Errors and fraud
  • program change implemented incorrectly
  • program change introduces new errors into
    existing system
  • program change not implemented
  • program change not documented

22
OBJECTIVE 3 Program Modification X
  • 3B Control procedures
  • When a program change is submitted for approval,
    a list of all required updates should be compiled
    by management and program users.
  • Changes should be thoroughly tested and
    documented.
  • During the change process, the developmental
    version of the program must be kept separate from
    the production version.
  • When the amended program has received final
    approval, it should replace the production
    version.

23
OBJECTIVE 3 Program Modification X
  • 3C1 Audit procedures Tests of controls
  • An important part of these tests is to verify
    that program changes were identified, listed,
    approved, tested, and documented.

24
OBJECTIVE 3 Program Modification X
  • 3C2 Test for Unauthorized Changes
  • To test for unauthorized program changes,
    auditors can use a source code comparison program
    to compare the current version of the program
    with the original source code.
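A source code comparison program of the kind described on this slide boils down to two steps: establish which files differ from the approved version, then show exactly which lines changed so the difference can be traced to an approved change request. The script below is an added example of that test, not software from the course or the presentation. It assumes the approved version was captured as a manifest of SHA-256 digests when the change was signed off (one common way of keeping a baseline), and the two program trees it compares are constructed inline so it runs offline.

```python
"""Source code comparison against an approved baseline.

Added example for the 'source code comparison program' test; it is not
software from the course or the presentation. It assumes the approved version
of each program was captured as a manifest of SHA-256 digests when the change
was signed off, compares the production copy against that manifest, and
produces a line-level diff for anything that differs. The two program trees
below are constructed inline so the script runs offline.
"""
from __future__ import annotations

import difflib
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Digest every file under root, keyed by its path relative to root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Classify production files as modified, added or missing vs. the baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
    }


def source_diff(approved_text: str, current_text: str, name: str) -> str:
    """Unified diff the auditor can attach to the working papers."""
    return "".join(difflib.unified_diff(
        approved_text.splitlines(keepends=True), current_text.splitlines(keepends=True),
        fromfile=f"approved/{name}", tofile=f"production/{name}"))


# Constructed sample: an approved routine and a production copy carrying an
# extra branch that no change request covered.
APPROVED_PAYROLL = "def net_pay(gross, rate):\n    return gross * (1 - rate)\n"
PRODUCTION_PAYROLL = ("def net_pay(gross, rate):\n"
                      "    if gross > 9000:\n"
                      "        rate = 0.0\n"
                      "    return gross * (1 - rate)\n")


def run_comparison() -> dict[str, list[str]]:
    """Build both trees in a temp directory, compare them, and print any diffs."""
    with tempfile.TemporaryDirectory() as tmp:
        approved, production = Path(tmp, "approved"), Path(tmp, "production")
        approved.mkdir()
        production.mkdir()
        (approved / "payroll.py").write_text(APPROVED_PAYROLL)
        (approved / "report.py").write_text("print('report')\n")
        (production / "payroll.py").write_text(PRODUCTION_PAYROLL)
        (production / "report.py").write_text("print('report')\n")
        (production / "patch_util.py").write_text("# present only in production\n")
        findings = compare_to_baseline(production, build_manifest(approved))
        for name in findings["modified"]:
            print(source_diff((approved / name).read_text(),
                              (production / name).read_text(), name))
        return findings


if __name__ == "__main__":
    print(run_comparison())
```

The digest manifest is what makes the test cheap to repeat on a surprise basis (slide 25): the auditor keeps the manifest, not a full copy of the source, and only pulls line-level diffs for the files whose digests no longer match.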

25
OBJECTIVE 3 Program Modification X
  • 3C3 Observe Testing
  • Auditors should observe testing and
    implementation, review related authorizations,
    and, if necessary, perform independent tests for
    each major program change.
  • Auditors should always test programs on a
    surprise basis to protect against unauthorized
    changes being inserted after the examination is
    completed and then removed prior to scheduled
    audits.

26
OBJECTIVE 4 Computer Processing X
  • 4A Types of errors and fraud
  • During computer processing, the system may
  • Fail to detect erroneous input.
  • Improperly correct input errors.
  • Process erroneous input.
  • Improperly distribute or disclose output.

27
OBJECTIVE 4 Computer Processing X
  • 4B Control procedures
  • Computer data editing routines.
  • Reconciliation of batch totals.
  • Effective error correction procedures.
  • Effective handling of data input and output by
    data control personnel.
  • Maintenance of proper environmental conditions in
    computer facility.

28
OBJECTIVE 4 Computer Processing X
  • 4C1 Audit Procedures
  • Processing test data
  • Involves testing a program by processing a
    hypothetical series of valid and invalid
    transactions.
  • The program should
  • Process all the valid transactions correctly.
  • Identify and reject the invalid ones.
  • All logic paths should be checked for proper
    functioning by one or more test transactions,
    including
  • Records with missing data.
  • Fields containing unreasonably large amounts.
  • Invalid account numbers or processing codes.
  • Non-numeric data in numeric fields.
  • Records out of sequence.
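The data editing routine being tested here is the program-side control from slide 27, and the list above is the auditor's checklist of logic paths a test deck must exercise. The script below is an added example, not code from the course: a small edit routine, one test transaction per logic path on the list, and a miniature "test data generator" of the kind slide 29 mentions that derives invalid records from a known-good one. The record layout (sequence number, account number, processing code, amount), the chart of accounts and the reasonableness limit are assumptions chosen for the illustration, and every transaction is constructed.

```python
"""Edit routine exercised with auditor-prepared test transactions.

Added example for the 'processing test data' procedure (and the test data
generator idea on the following slide); it is not code from the course. The
record layout (sequence number, account number, processing code, amount),
the chart of accounts and the reasonableness limit are assumptions chosen for
the illustration, and every transaction below is constructed.
"""
from __future__ import annotations

VALID_ACCOUNTS = {"100200", "100201", "100305"}  # assumed chart of accounts
VALID_CODES = {"DR", "CR"}                        # assumed processing codes
MAX_REASONABLE_AMOUNT = 50_000.00                 # assumed reasonableness limit
FIELDS = ("seq", "account", "code", "amount")


def to_number(value):
    """Parse a numeric field; None means the field is not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def edit_record(rec: dict, last_seq: float | None) -> list[str]:
    """Return every edit failure for one record; an empty list means accepted."""
    errors = [f"missing data: {f}" for f in FIELDS if rec.get(f) in (None, "")]
    if errors:
        return errors  # nothing else can be checked reliably without the data
    seq, amount = to_number(rec["seq"]), to_number(rec["amount"])
    if seq is None:
        errors.append("non-numeric data in numeric field: seq")
    elif last_seq is not None and seq <= last_seq:
        errors.append("record out of sequence")
    if amount is None:
        errors.append("non-numeric data in numeric field: amount")
    elif amount > MAX_REASONABLE_AMOUNT:
        errors.append("unreasonably large amount")
    if rec["account"] not in VALID_ACCOUNTS:
        errors.append("invalid account number")
    if rec["code"] not in VALID_CODES:
        errors.append("invalid processing code")
    return errors


def process_batch(records: list[dict]) -> dict[str, list]:
    """Run the edit routine over a batch: valid records are accepted, the rest
    are rejected with the reasons an error-correction clerk would need."""
    accepted, rejected, last_seq = [], [], None
    for rec in records:
        errors = edit_record(rec, last_seq)
        seq = to_number(rec.get("seq"))
        if seq is not None:  # track the highest sequence number seen so far
            last_seq = seq if last_seq is None else max(last_seq, seq)
        (rejected.append((rec, errors)) if errors else accepted.append(rec))
    return {"accepted": accepted, "rejected": rejected}


TEST_TRANSACTIONS = [  # constructed: one valid pair plus one record per logic path
    {"seq": "1", "account": "100200", "code": "DR", "amount": "250.00"},
    {"seq": "2", "account": "100201", "code": "CR", "amount": "250.00"},
    {"seq": "3", "account": "", "code": "DR", "amount": "10.00"},          # missing data
    {"seq": "4", "account": "100305", "code": "DR", "amount": "9999999"},  # too large
    {"seq": "5", "account": "999999", "code": "XX", "amount": "10.00"},    # bad account and code
    {"seq": "6", "account": "100200", "code": "DR", "amount": "ten"},      # non-numeric
    {"seq": "4", "account": "100200", "code": "CR", "amount": "5.00"},     # out of sequence
]


def generate_invalid_variants(valid: dict) -> list[dict]:
    """Miniature test data generator: derive one invalid record per edit check
    from a known-good record. The sequence check needs batch context, so it is
    exercised through TEST_TRANSACTIONS instead."""
    return [
        {**valid, "amount": ""},
        {**valid, "amount": str(MAX_REASONABLE_AMOUNT * 10)},
        {**valid, "account": "000000"},
        {**valid, "code": "ZZ"},
        {**valid, "amount": "N/A"},
    ]


if __name__ == "__main__":
    result = process_batch(TEST_TRANSACTIONS)
    print("accepted:", len(result["accepted"]))
    for rec, errors in result["rejected"]:
        print("rejected seq", rec["seq"], "->", "; ".join(errors))
```

The point of the test deck is that every rejection reason appears at least once and the two valid records still pass; a routine that rejects everything would look "secure" but fail the first half of the test. Slide 30's caution also applies: this runs against constructed records in memory, never against the live files.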

29
OBJECTIVE 4 Computer Processing X
  • 4C2 The following resources are helpful when
    preparing test data
  • A listing of actual transactions.
  • The transactions that the programmer used to test
    the program.
  • A test data generator program, which
    automatically prepares test data based on program
    specifications.

30
OBJECTIVE 4 Computer Processing X
  • 4C3 Although processing test transactions is
    usually effective, it has the following
    disadvantages
  • The auditor must spend considerable time
    understanding the system and preparing an
    adequate set of test transactions.
  • Care must be taken to ensure test data do not
    affect the company's files and databases.

31
OBJECTIVE 4 Computer Processing X
  • 4C4 Analysis of program logic
  • If an auditor suspects that a particular program
    contains unauthorized code or serious errors, a
    detailed analysis of the program logic may be
    necessary.
  • Done only as a last resort because
  • It's time-consuming
  • Requires programming language proficiency

32
OBJECTIVE 5 Source Data Input X
  • 5A Types of errors and fraud
  • Inaccurate source data
  • Unauthorized source data

33
OBJECTIVE 5 Source Data X
  • 5B Control procedures
  • Effective handling of source data input
    documents by data entry department personnel
  • User authorization of source data input
  • Logging of the receipt, movement, and disposition
    of source data input
  • Effective procedures for correcting and
    resubmitting erroneous data

34
OBJECTIVE 5 Source Data X
  • 5C Audit Procedures
  • Auditors should test source data controls on a
    regular basis to see if these controls are
    working, because the strictness with which they
    are applied may vacillate.

35
OBJECTIVE 6 Data Files L
  • 6A1 The sixth objective concerns the accuracy,
    integrity, and security of data stored in
    machine-readable files (including relational
    tables in a database) after this data has been
    entered
  • Data storage risks include
  • Unauthorized modification of data
  • Destruction of data
  • Disclosure of data
  • If file controls are seriously deficient,
    especially with respect to access or backup and
    recovery, the auditor should strongly recommend
    they be rectified.

36
OBJECTIVE 6 Data Files L
  • 6A2 Types of errors and fraud L
  • Destruction of stored data due to
  • Inadvertent errors
  • Hardware or software malfunctions
  • Intentional acts of sabotage or vandalism
  • Unauthorized modification or disclosure of stored
    data

37
OBJECTIVE 6 Data Files L
  • 6B Control procedures L
  • Restrictions on physical access to data files
  • Logical access (access by program) controls using
    passwords
  • Encryption of highly confidential data
  • Use of virus protection software
  • Maintenance of backup copies of all data files in
    an off-site location

38
OBJECTIVE 6 Data Files L
  • 6C1 Audit procedures System review MC
  • Review logical access policies and procedures.
  • Review operating documentation to determine
    prescribed standards for
  • Use of write-protection mechanisms.
  • Use of virus protection software.
  • Use of backup storage.
  • System recovery, including checkpoint and
    rollback procedures.

39
OBJECTIVE 6 Data Files L
  • 6C2 MC
  • Review systems documentation to examine
    prescribed procedures for
  • Use of data encryption
  • Control of file conversions
  • Reconciling master file totals with independent
    control totals
  • Examine disaster recovery plan.
  • Discuss data file control procedures with systems
    managers and operators.

40
Audit Software
  • 6C3 X
  • Computer audit software (CAS) or generalized
    audit software (GAS) are computer programs that
    have been written especially for auditors.
  • Two of the most popular
  • Audit Control Language (ACL)
  • IDEA
  • Based on auditors' specifications, CAS generates
    programs that perform the audit function.
  • CAS is ideally suited for examination of large
    data files to identify records needing further
    audit scrutiny.
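Two of the things CAS is used for above, reconciling master file totals with independent control totals (slide 39) and picking out records that need further scrutiny from a large file (this slide), are shown in the added example below. It is not code from the course and not ACL or IDEA; it is a plain Python sketch of what those tools do. The file layout, the user department's control totals and the selection tests (duplicate keys, balance over credit limit, negative balance) are assumptions for the illustration, and the master file contents are constructed inline.

```python
"""Generalized-audit-software style examination of a data file.

Added example, not code from the course and not ACL or IDEA: it reconciles a
customer master file against independently kept control totals and then
selects records that need further audit scrutiny. The file layout, the
control totals and the selection tests are assumptions for the illustration;
the file contents are constructed inline.
"""
from __future__ import annotations

import csv
from collections import Counter
from io import StringIO

# Constructed master file: account, name, credit_limit, balance.
MASTER_FILE = """account,name,credit_limit,balance
100200,Acme Ltd,5000.00,1200.50
100201,Bolt Co,2500.00,2600.00
100305,Crane Inc,10000.00,-300.00
100201,Bolt Co,2500.00,2600.00
100410,Delta LLP,1500.00,800.00
"""

# Independent control totals kept by the user department (constructed). The
# hash total is the arithmetic sum of the account numbers, a classic control
# total that has no business meaning but changes if a record is added or lost.
CONTROL_TOTALS = {"record_count": 4, "balance_total": 4300.50,
                  "account_hash_total": 401116}


def load_master(text: str) -> list[dict]:
    """Read the CSV master file and convert the numeric columns."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["credit_limit"] = float(r["credit_limit"])
        r["balance"] = float(r["balance"])
    return rows


def file_totals(rows: list[dict]) -> dict[str, float]:
    """Recompute the control totals from the file as it actually is."""
    return {"record_count": len(rows),
            "balance_total": round(sum(r["balance"] for r in rows), 2),
            "account_hash_total": sum(int(r["account"]) for r in rows)}


def reconcile(rows: list[dict], control: dict = CONTROL_TOTALS) -> dict[str, tuple]:
    """Return (file value, control value) for every total that disagrees."""
    actual = file_totals(rows)
    return {k: (actual[k], control[k]) for k in control if actual[k] != control[k]}


def select_for_scrutiny(rows: list[dict]) -> dict[str, list[str]]:
    """Pick out the records an auditor would want to look at individually."""
    dup_counts = Counter(r["account"] for r in rows)
    return {
        "duplicate_account": sorted(a for a, n in dup_counts.items() if n > 1),
        "over_credit_limit": sorted({r["account"] for r in rows
                                     if r["balance"] > r["credit_limit"]}),
        "negative_balance": sorted({r["account"] for r in rows if r["balance"] < 0}),
    }


if __name__ == "__main__":
    rows = load_master(MASTER_FILE)
    print("totals that do not reconcile:", reconcile(rows))
    print("records for further scrutiny:", select_for_scrutiny(rows))
```

Here all three totals fail to reconcile by exactly one duplicated record, and the selection step then names that record; in practice the auditor would run the selection over the whole file regardless of whether the totals balanced, since a file can reconcile perfectly and still contain records that deserve a closer look.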