
Chapter 12: Information Technology Auditing

Introduction

The Audit Function

The IT Auditor’s Toolkit

Auditing the Computerized AIS

Information Technology Auditing Today


The Audit Function

The function of an audit:
- is to examine and to give assurance
- will differ according to the subject under examination
- can be internal or external
- always involves the accounting information systems

Information technology auditing discusses internal auditing, external auditing, and IT auditing.


Internal Auditing

An internal audit:
- preserves its objectivity
- is carried out by company personnel reporting to the Audit Committee of the Board of Directors (preferable) or to top management (on departmental efficiency audits)
- is external to the corporate department or division being audited
- concerns compliance with company policies and procedures
- involves an evaluation of internal controls and fraud
- tests for efficiency, effectiveness and economy

Cynthia Cooper – WorldCom internal auditor and whistleblower


External Auditing

The external audit:
- is carried out by independent accountants
- has the attest function as its chief purpose: confirming the fairness of financial statements in all material respects
- has a secondary purpose: to test that internal controls are strong and can be relied on to catch errors and fraud (the stronger the controls, the smaller the audit risk, and the less work an auditor has to do)


The Attest Function

(Figure: Management, Stakeholders, Auditor, Information. A raised eyebrow indicates professional skepticism.)


Information Risk


The IT Audit

The IT audit function encompasses


Careers in Information Systems Auditing

The demand for IT auditors is growing because of:
- increasing use of computer-based AISs
- systems becoming more technologically complex
- passing of the Sarbanes-Oxley bill

IT auditing requires a variety of skills, combining accounting and information systems or computer science skills.


The Information Technology Auditor’s Toolkit

IT auditors need to have:
- the technical skills to understand the vulnerabilities in hardware and software
- use of appropriate software to do their jobs:
  - general-use software such as word processing programs, spreadsheet software, and database management systems
  - generalized audit software (GAS), and automated workpaper software


The Information Technology Auditor’s Toolkit (continued)

- people skills: to work as a team, to interact with clients and other auditors, and to interview many people constantly for evaluation (an IT auditor can’t just be a technical nerd!)


Careers in Information Systems Auditing

Information systems auditors:
- may be internal or external
- can obtain professional certification as a Certified Information Systems Auditor (CISA): pass the exam, five years of experience (some exceptions), 40 hours of CPE per year
- can also acquire certification as a Certified Information Security Manager (CISM)


General-Use Software

Auditors use general-use software as productivity tools to improve their work, such as spreadsheets and database management systems (e.g. Access).

Auditors often use structured query language (SQL) to retrieve a client’s data and display these data for audit purposes.


Generalized Audit Software

Generalized audit software (GAS) packages:
- are specifically tailored to auditor tasks
- have been developed in-house in large firms, or are available from various software suppliers
- automate working papers, trial balances, and statistical sampling and analysis

Examples of GAS are Audit Command Language (ACL), Interactive Data Extraction Analysis (IDEA), and FAST! (Financial Audit Systems Technology).


Auditing Computerized AIS – Auditing Around the Computer

Auditing around the computer:
- compares output with input; assumes that accurate output verifies proper processing operations
- pays little or no attention to the control procedures within the IT environment
- is generally not an effective approach to auditing in a computerized environment


Auditing Computerized AIS – Auditing Through the Computer

Five techniques to audit a computerized AIS are:
1. use of test data (or test deck), integrated test facility, and parallel simulation to test programs,
2. use of audit techniques to validate computer programs,
3. use of logs and specialized control software to review systems software,
4. use of documentation and CAATs to validate user accounts and access privileges, and
5. use of embedded audit modules to achieve continuous auditing.


Testing Computer Programs – Test Data (test deck)

The auditor’s responsibility is to:
- develop test data (or a test deck, from the days of decks of punch cards) that tests the range of exception situations
- arrange the data in preparation for processing
- compare output with a predetermined set of answers
- investigate further if the results do not agree

Test data (or test deck, named from punch card days):
- can check if program edit test controls are in place and working
- can be developed using software programs called test data generators
- but may contaminate real data with fake data


Testing Computer Programs – Integrated Test Facility

An integrated test facility (ITF):
- establishes a fictitious entity such as a department, branch, customer, or employee, enters transactions for that entity, and observes how these transactions are processed
- is effective in evaluating integrated online systems and complex programming logic
- aims to audit an AIS in an operational setting
- may contaminate real data with fake data


Testing Computer Programs – Parallel Simulation

In parallel simulation, the auditor:
- uses live input data, rather than test data, in a separate program, which is written or controlled by the auditor and simulates all or some of the operations of the real program that is actually in use
- needs to understand the client system
- should possess sufficient technical knowledge, and
- should know how to predict the results


Testing Computer Programs – Parallel Simulation (continued)

Parallel simulation:
- eliminates the need to prepare a set of test data
- can be very time-consuming and costly
- usually involves replicating only certain critical functions of a program
- but reduces the chance of contaminating real data with fake data
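A small parallel simulation, added here as an illustration rather than taken from the slides: the auditor re-performs one critical function of a client payroll program (the gross-pay calculation) in a separately written routine, feeds it the same live input, and compares the predicted figures with the client's output. The pay rule (time-and-a-half above 40 hours), the live input and the client output are constructed assumptions.

```python
"""Parallel simulation of a payroll program's gross-pay calculation.
The auditor's routine below is independent of the client's program; any employee
whose client-computed pay differs from the predicted figure becomes an exception
to investigate. All data here is constructed for the illustration."""
from decimal import Decimal, ROUND_HALF_UP

OVERTIME_THRESHOLD = Decimal("40")   # assumed pay rule: overtime above 40 hours
OVERTIME_MULTIPLIER = Decimal("1.5")
CENTS = Decimal("0.01")


def simulate_gross_pay(hours, rate):
    """Auditor-controlled implementation of the pay rule being simulated."""
    hours, rate = Decimal(hours), Decimal(rate)
    regular = min(hours, OVERTIME_THRESHOLD)
    overtime = max(hours - OVERTIME_THRESHOLD, Decimal("0"))
    gross = regular * rate + overtime * rate * OVERTIME_MULTIPLIER
    return gross.quantize(CENTS, rounding=ROUND_HALF_UP)


def parallel_simulation(live_input, client_output):
    """Return one exception per employee whose client-computed gross pay differs
    from the auditor's predicted figure; both inputs are keyed by employee id."""
    exceptions = []
    for emp_id, (hours, rate) in live_input.items():
        predicted = simulate_gross_pay(hours, rate)
        actual = Decimal(client_output.get(emp_id, "0")).quantize(CENTS)
        if predicted != actual:
            exceptions.append({"employee": emp_id, "predicted": predicted,
                               "actual": actual, "difference": actual - predicted})
    return exceptions


# Constructed live input (hours worked, hourly rate) and the client program's
# reported gross pay for the same pay period.
LIVE_INPUT = {"E001": ("40", "20.00"), "E002": ("45", "20.00"), "E003": ("50", "15.50")}
CLIENT_OUTPUT = {"E001": "800.00", "E002": "900.00", "E003": "852.50"}

if __name__ == "__main__":
    for finding in parallel_simulation(LIVE_INPUT, CLIENT_OUTPUT):
        print(finding)  # E002: client paid straight time for 5 overtime hours
```

Because the auditor's routine only replicates the one function under review, every record in the live file can be checked without placing any fake data into the client's system.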


Validating Computer Programs

Auditors must validate any program presented to them, to thwart a clever programmer’s dishonest program.

Procedures that assist in program validation are:
1. Tests of program change control
   - begins with an inspection of the documentation
   - includes program authorization forms to be filled in
   - ensures accountability and adequate supervisory controls
2. Program comparison
   - guards against unauthorized program tampering
   - performs certain control total tests of program authenticity, using a test of length or using a comparison program
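The program comparison tests above, worked as an added example that is not from the slides: the production copy of a program is checked against the authorized copy held under the auditor's control with a length test, a hash comparison and a line-by-line comparison program. Both program texts are constructed; the tampered copy changes one operator and keeps the same byte length, so the length test alone passes while the other two tests catch the change.

```python
"""Program comparison: authorized copy versus the copy found in production.
Constructed illustration; the two program texts are not real client code."""
import difflib
import hashlib

# Constructed authorized source, as approved through program change control.
AUTHORIZED = b"""def interest(balance, rate):
    return balance * rate / 100
"""
# Constructed production copy: '*' replaced by '+', byte length unchanged.
DEPLOYED = b"""def interest(balance, rate):
    return balance + rate / 100
"""


def length_test(authorized, deployed):
    """Control total on program length: cheap, but blind to same-length edits."""
    return len(authorized) == len(deployed)


def hash_test(authorized, deployed):
    """Control total on content: any changed byte changes the SHA-256 digest."""
    return hashlib.sha256(authorized).hexdigest() == hashlib.sha256(deployed).hexdigest()


def changed_lines(authorized, deployed):
    """Comparison program: report only the lines that differ."""
    diff = difflib.unified_diff(authorized.decode().splitlines(),
                                deployed.decode().splitlines(),
                                "authorized", "deployed", lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def compare_program(authorized, deployed):
    """Run all three tests; a mismatch on any of them is an audit finding."""
    return {"length_match": length_test(authorized, deployed),
            "hash_match": hash_test(authorized, deployed),
            "changed_lines": changed_lines(authorized, deployed)}


if __name__ == "__main__":
    print(compare_program(AUTHORIZED, DEPLOYED))
```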


Review of Systems Software

Systems software includes operating system software (e.g. Windows, Linux), utility programs, program library software, and access control software.


Review of Systems Software (continued)

Auditors should first review systems software documentation. Next, auditors should review incident reports, which list events that are unusual or interrupt operations: security violations (such as unauthorized access attempts), hardware failures, and software failures.


Validating Users and Access Privileges

The IT auditor:
- needs to verify that the software parameters are set appropriately (passwords, etc.)
- must make sure that IT staff are using them appropriately
- needs to ensure all users are valid and have access privileges appropriate to their jobs

There are a variety of auditor software tools which can scan settings and access logs.
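An added example of the user and access-privilege validation described above (not a tool from the slides): an extract of system accounts is reconciled against the HR roster and a role-to-privilege matrix, flagging accounts with no matching employee, accounts of non-active employees that are still enabled, privileges beyond the job role, and accounts unused for more than a set period. The roster, the account extract, the role matrix and the 90-day inactivity limit are all constructed assumptions.

```python
"""Reconcile enabled system accounts against HR data and a least-privilege matrix.
All data below is constructed for the illustration."""
from datetime import date

# Constructed HR roster: employee id -> (name, employment status, job role).
HR_ROSTER = {
    "E001": ("Ana", "active", "AP clerk"),
    "E002": ("Ben", "terminated", "AP clerk"),
    "E003": ("Cy", "active", "sysadmin"),
}
# Constructed account extract: username -> (employee id, enabled, privileges, last login).
ACCOUNTS = {
    "ana": ("E001", True, {"ap_entry"}, date(2024, 3, 1)),
    "ben": ("E002", True, {"ap_entry"}, date(2024, 3, 1)),
    "cy": ("E003", True, {"ap_entry", "admin"}, date(2024, 3, 2)),
    "svc_old": (None, True, {"admin"}, date(2023, 1, 15)),
    "ana2": ("E001", True, {"admin"}, date(2023, 11, 1)),
    "dee": ("E004", False, {"admin"}, date(2022, 6, 1)),
}
# Constructed control matrix: privileges each job role is entitled to.
ROLE_PRIVILEGES = {"AP clerk": {"ap_entry"}, "sysadmin": {"ap_entry", "admin"}}
STALE_DAYS = 90  # assumed inactivity limit


def review_accounts(roster, accounts, role_privileges, as_of, stale_days=STALE_DAYS):
    """Return (username, finding) pairs for enabled accounts that fail a check."""
    findings = []
    for user, (emp_id, enabled, privs, last_login) in accounts.items():
        if not enabled:
            continue  # disabled accounts are out of scope for this review
        employee = roster.get(emp_id)
        if employee is None:
            findings.append((user, "no matching employee in HR roster"))
            continue
        _name, status, role = employee
        if status != "active":
            findings.append((user, f"employee {emp_id} is {status} but account is enabled"))
        excess = privs - role_privileges.get(role, set())
        if excess:
            findings.append((user, f"privileges {sorted(excess)} exceed role '{role}'"))
        idle = (as_of - last_login).days
        if idle > stale_days:
            findings.append((user, f"no login for {idle} days"))
    return findings


if __name__ == "__main__":
    for finding in review_accounts(HR_ROSTER, ACCOUNTS, ROLE_PRIVILEGES, date(2024, 3, 15)):
        print(finding)
```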


Password Parameters


Continuous Approach

Continuous auditing can be achieved by embedded audit modules or audit hooks:
- application subroutines capture data for audit purposes
- exception reporting mechanisms reject certain transactions that fall outside preset limits
- transaction tagging tags transactions with special identifiers
- the snapshot technique examines how transactions are processed (e.g. macro, step-by-step)
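The four continuous-auditing mechanisms above combined in one added example (constructed for this page, not code from the slides): an audit hook inside a disbursement-posting routine captures every transaction, rejects amounts above a preset limit, and records a step-by-step snapshot for transactions carrying the audit tag. The posting logic, the approval limit and the transactions are assumptions.

```python
"""Embedded audit module with an audit hook, exception reporting, transaction
tagging and snapshots. Constructed illustration; not a real application."""
from dataclasses import dataclass, field

AUDIT_TAG = "AUDIT"         # special identifier placed on tagged transactions
APPROVAL_LIMIT = 10_000.00  # assumed preset limit for a single disbursement


@dataclass
class AuditModule:
    captured: list = field(default_factory=list)    # every transaction seen by the hook
    exceptions: list = field(default_factory=list)  # transactions rejected by the limit
    snapshots: dict = field(default_factory=dict)   # step-by-step trail for tagged ones

    def hook(self, tx, step, state):
        """Audit hook: snapshot the processing state of tagged transactions."""
        if tx.get("tag") == AUDIT_TAG:
            self.snapshots.setdefault(tx["id"], []).append((step, dict(state)))


def post_disbursement(tx, ledger, audit):
    """Application routine; the audit hook is called after each processing step."""
    audit.captured.append(tx["id"])
    state = {"vendor": tx["vendor"], "amount": tx["amount"], "approved": False}
    audit.hook(tx, "received", state)
    if tx["amount"] > APPROVAL_LIMIT:  # exception reporting against the preset limit
        audit.exceptions.append((tx["id"], f"amount {tx['amount']} exceeds {APPROVAL_LIMIT}"))
        audit.hook(tx, "rejected", state)
        return False
    state["approved"] = True
    audit.hook(tx, "approved", state)
    ledger[tx["vendor"]] = ledger.get(tx["vendor"], 0.0) + tx["amount"]
    state["balance"] = ledger[tx["vendor"]]
    audit.hook(tx, "posted", state)
    return True


# Constructed transactions; T3 carries the audit tag, T2 is over the limit.
TRANSACTIONS = [
    {"id": "T1", "vendor": "Acme", "amount": 2500.00},
    {"id": "T2", "vendor": "Acme", "amount": 12500.00},
    {"id": "T3", "vendor": "Globex", "amount": 800.00, "tag": AUDIT_TAG},
]


def run(transactions):
    """Process all transactions and return the ledger and the audit module's records."""
    ledger, audit = {}, AuditModule()
    for tx in transactions:
        post_disbursement(tx, ledger, audit)
    return ledger, audit
```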


Continuous Auditing – Spreadsheet Errors


Sleuthing With Excel

Formula Auditing (Excel 2010 and newer): on the top menu of Excel, go to Formulas and find the Formula Auditing section. Run the error checking function to find and correct formula errors. You can also display Precedent and Dependent arrows to show the formula pattern among the cells.

Data Validation: on the top menu of Excel, go to Data and then, under the Data Tools section, go to Data Validation. Use the validation tool to verify data as it is being entered. For example, highlight the pay-rate range and set the data validation decimal feature to between $7.50 and $40.00. From this point on, any value entered in the pay-rate range that does not fall between these two values will be flagged.


Benford’s Law

Physicist Frank Benford figured out the probability that certain digits form part of financial numbers. For example, the numeral 1 should occur as the first digit in any multiple-digit number about 31% of the time, while 9 should occur as the first digit only 5% of the time. As the chart below shows, the counts for digits 1, 2, 5, 6 and 7 are suspicious.
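An added first-digit test, constructed for this page rather than taken from the slides. The expected share of leading digit d is log10(1 + 1/d), which gives roughly 30% for 1 and under 5% for 9; each digit's observed share is compared with that expectation and flagged when it lies more than an assumed 2.5 standard errors away. The amounts are constructed: 300 values spread evenly on a log scale (which follow Benford closely) plus a cluster of 30 amounts that all begin with 9.

```python
"""Benford's Law first-digit analysis with a per-digit z-score. Constructed data."""
import math
from collections import Counter

DIGITS = range(1, 10)


def benford_expected():
    """Expected proportion of each leading digit under Benford's Law."""
    return {d: math.log10(1 + 1 / d) for d in DIGITS}


def first_digit(value):
    """Leading non-zero digit of an amount, ignoring sign and the decimal point."""
    s = f"{abs(value):.2f}".lstrip("0.")
    return int(s[0]) if s else None


def first_digit_analysis(amounts, z_threshold=2.5):
    """Compare observed first-digit proportions with Benford's expectation and
    flag digits whose deviation exceeds z_threshold standard errors."""
    digits = [d for d in map(first_digit, amounts) if d]
    n = len(digits)
    if n == 0:
        return {}
    counts, expected, report = Counter(digits), benford_expected(), {}
    for d in DIGITS:
        p_exp, p_obs = expected[d], counts[d] / n
        std_err = math.sqrt(p_exp * (1 - p_exp) / n)
        z = (p_obs - p_exp) / std_err
        report[d] = {"observed": p_obs, "expected": p_exp, "z": z,
                     "suspicious": abs(z) > z_threshold}
    return report


def suspicious_digits(amounts):
    """Digits an auditor would look into further for the given amounts."""
    return sorted(d for d, r in first_digit_analysis(amounts).items() if r["suspicious"])


# Constructed amounts: a log-uniform spread (Benford-conforming) plus a 9-leading cluster.
CONFORMING = [round(1.05 ** k, 2) for k in range(1, 301)]
CLUSTER = [round(9500.00 + 10 * i, 2) for i in range(30)]

if __name__ == "__main__":
    for d, r in first_digit_analysis(CONFORMING + CLUSTER).items():
        print(d, f"{r['observed']:.3f}", f"{r['expected']:.3f}", f"z={r['z']:+.2f}", r["suspicious"])
```

With a real population the auditor would run the same test on, for example, invoice or expense amounts and treat a flagged digit as a lead for substantive testing, not as proof of error.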


The Sarbanes-Oxley Act of 2002

In 2002, Congress passed the Sarbanes-Oxley Act, which was a response to the accounting scandals of Enron, WorldCom, etc. As Congress studied these frauds, it realized that one of the big problems was a weakness in internal controls.

Sen. Paul Sarbanes

Representative Mike Oxley


The Sarbanes-Oxley Act of 2002 (continued)

Some important provisions of SOX for auditors are:
- Section 201 – prohibits public accounting firms from offering most non-audit services to clients at the same time they are conducting audits (conflict of interest).
- Section 302 – requires CFOs and CEOs to certify that their company’s financial statements are accurate and complete.
- Section 404 – requires both the CEO and CFO to attest to their organization’s internal controls over financial reporting.


Third-Party Assurance

Internet systems and web sites:
- are a source of risk for many companies
- need specialized audits of these systems
- have created a market for third-party assurance services, which is limited to data privacy

The AICPA introduced Trust Services, an assurance service.

The principles of Trust Services are security, availability, processing integrity, online privacy, and confidentiality.


Privacy Issues

- Have a privacy policy for your website
- Have an audit done by professionals who provide a privacy seal: TRUSTe, BBBOnLine, WebTrust