Auditing Computer-Based Information Systems Chapter 11

Academic year: 2020


(1)

Auditing Computer-Based Information Systems

(2)

Learning Objectives

Describe the nature, scope, and objectives of audit work, and identify the major steps in the audit process.

Identify the six objectives of an information system audit, and describe how the risk-based audit approach can be used to accomplish these objectives.

Describe the different tools and techniques auditors use to test software programs and program logic.

Describe computer audit software, and explain how it is used in the audit of an AIS.

(3)

Auditing

The process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to

(4)

Major Steps in the Auditing Process

Audit planning
▫ Why, how, when, and who
▫ Establish scope and objectives of the audit; identify risk

Collection of audit evidence

Evaluation of evidence

(5)

Risk-Based Framework

Identify the fraud and errors (threats) that can occur and threaten each objective

Identify control procedures (prevent, detect, correct the threats)

Evaluate control procedures
▫ Review to see if the control exists and is in place
▫ Test controls to see if they work as intended

Determine the effect of control weaknesses

(6)

Information Systems Audit

Using the risk-based framework for an information systems audit allows the auditor to review and evaluate internal controls that protect the system to meet each of the following objectives:
▫ Protect overall system security (includes computer equipment, programs, and data)
▫ Program development and acquisition occur under management authorization
▫ Program modifications occur under management authorization
▫ Accurate and complete processing of transactions, records, files, and reports
▫ Prevent, detect, or correct inaccurate or unauthorized source data
▫ Accurate, complete, and confidential data files

(7)

1. Protect Overall System Security

Threats
• Theft of hardware
• Damage of hardware (accidental and intentional)
• Loss, theft, unauthorized access to
  ▫ Programs
  ▫ Data
• Unauthorized modification or use of programs and data files
• Unauthorized disclosure of confidential data
• Interruption of crucial business activities

Controls
• Limit physical access to computer equipment
• Use authentication and authorization controls
• Data storage and transmission controls
• Virus protection and firewalls
• File backup and recovery procedures
• Disaster recovery plan
• Preventive maintenance
• Insurance

(8)

2. Program Development and Acquisition Occur under Management Authorization

Threats
• Inadvertent programming errors
• Unauthorized program code

Controls
• Review software license agreements
• Management authorization for:
  ▫ Program development
  ▫ Software acquisition
• Management and user approval of programming specifications
• Testing and user acceptance of new programs

(9)

3. Program Modifications Occur under Management Authorization

Threats
• Inadvertent programming errors
• Unauthorized program code

Controls
• List program components to be modified
• Management authorization and approval for modifications
• User approval for modifications
• Test changes to the program
• System documentation of changes

(10)

4. Accurate and Complete Processing of Transactions, Records, Files, and Reports

Threats
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to correct errors identified from data editing procedures
• Errors in files or databases during updating
• Improper distribution of output
• Inaccuracies in reporting

Controls
• Data editing routines
• Reconciliation of batch totals
• Error correction procedures
• Understandable documentation

(11)

5. Prevent, Detect, or Correct Inaccurate or Unauthorized Source Data

Threats
• Inaccurate source data
• Unauthorized source data

Controls
• User authorization of source data input
• Batch control totals
• Log receipt, movement, and disposition of source data input
• Turnaround documents
• Check digit and key verification
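A worked illustration of two of the source-data controls listed above, batch control totals and check-digit verification, written for this chapter as an added example rather than code from the slides: the batch, its control-header totals and the mod-10 (Luhn) check-digit scheme are constructed, and a single keyed transposition is shown being caught by both controls independently.

```python
"""Batch control totals and mod-10 (Luhn) check-digit verification over a
constructed batch of source documents. Added example, not from the slides."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SourceRecord:
    account: str  # account number; last digit is a mod-10 check digit (assumed scheme)
    amount: int   # amount in cents

def luhn_valid(number: str) -> bool:
    """Mod-10 check digit: catches any single mis-keyed digit and most
    transpositions of adjacent digits."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def batch_totals(records):
    """The three classic batch control totals: record count, financial total
    (sum of amounts) and hash total (sum of a non-monetary field, here the account)."""
    return {
        "record_count": len(records),
        "financial_total": sum(r.amount for r in records),
        "hash_total": sum(int(r.account) for r in records if r.account.isdigit()),
    }

def verify_batch(records, header):
    """Reconcile the batch against the totals on its control header and check
    every account's check digit. Returns exception strings; empty means clean."""
    exceptions = []
    totals = batch_totals(records)
    for name, expected in header.items():
        if totals.get(name) != expected:
            exceptions.append(f"{name}: batch {totals.get(name)} != header {expected}")
    for idx, r in enumerate(records):
        if not luhn_valid(r.account):
            exceptions.append(f"record {idx}: account {r.account} fails check digit")
    return exceptions

# Constructed batch: the header totals were prepared from the source documents
# before keying; record 2 was keyed with a transposition ("30023" -> "30032").
SAMPLE_BATCH = [SourceRecord("10009", 12500), SourceRecord("20016", 4075),
                SourceRecord("30032", 990)]
SAMPLE_HEADER = {"record_count": 3, "financial_total": 17565, "hash_total": 60048}
```

Running `verify_batch(SAMPLE_BATCH, SAMPLE_HEADER)` reports both a hash-total mismatch and a failed check digit on record 2, while the record count and financial total still reconcile, which is why a hash total is kept alongside the financial total.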

(12)

6. Accurate, Complete, and Confidential Data Files

Threats
• Destruction of stored data from
  ▫ Errors
  ▫ Hardware and software malfunctions
  ▫ Sabotage
• Unauthorized modification or disclosure of stored data

Controls
• Secure storage of data and restrict physical access
• Logical access controls
• Write-protection and proper file labels
• Concurrent update controls
• Data encryption
• Virus protection
• Backup of data files (offsite)

(13)

Audit Techniques Used to Test Programs

Integrated Test Facility
▫ Uses fictitious inputs

Snapshot Technique
▫ Master files before and after update are stored for specially marked transactions

System Control Audit Review File (SCARF)
▫ Continuous monitoring and storing of transactions that meet pre-specifications

Audit Hooks
▫ Notify auditors of questionable transactions

Continuous and Intermittent Simulation
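The snapshot, SCARF and audit-hook techniques above, combined into one embedded audit module as an added example that is not from the slides: the master file, the transaction stream and the SCARF selection criteria are constructed, and which combination of criteria makes a transaction "questionable" enough for the audit hook is an assumption.

```python
"""Embedded audit module combining snapshot (before/after master-record images for
marked transactions), SCARF (store every transaction meeting pre-specified criteria)
and an audit hook (notify the auditor of questionable transactions). Added example."""
from datetime import datetime

MASTER = {"A100": 5000, "A200": 250}  # constructed master file: account -> balance
SCARF_LOG = []       # System Control Audit Review File entries
SNAPSHOTS = []       # (tx id, balance before, balance after) for marked transactions
NOTIFICATIONS = []   # what the audit hook would send to the auditor

# Pre-specified SCARF criteria (constructed); each gets the transaction and
# the balance before posting and returns True when the criterion is met.
SCARF_RULES = {
    "large_amount": lambda tx, bal: abs(tx["amount"]) >= 1000,
    "overdraw": lambda tx, bal: bal + tx["amount"] < 0,
    "off_hours": lambda tx, bal: not 8 <= tx["time"].hour < 18,
}

def audit_hook(tx, hits):
    """Audit hook: notify on any overdraw, or a large amount posted off-hours
    (an assumed definition of 'questionable')."""
    if "overdraw" in hits or {"large_amount", "off_hours"} <= hits:
        NOTIFICATIONS.append((tx["id"], sorted(hits)))
        return True
    return False

def post_transaction(tx):
    """Application posting routine with the audit module embedded in it.
    Returns True when the audit hook flagged the transaction."""
    before = MASTER.get(tx["account"], 0)
    hits = {name for name, rule in SCARF_RULES.items() if rule(tx, before)}
    if hits:  # SCARF: store the transaction itself, not just the fact of a hit
        SCARF_LOG.append({"id": tx["id"], "criteria": sorted(hits), "amount": tx["amount"]})
    flagged = audit_hook(tx, hits)
    MASTER[tx["account"]] = before + tx["amount"]  # the real master-file update
    if tx.get("snapshot"):  # snapshot: before/after images for marked transactions
        SNAPSHOTS.append((tx["id"], before, MASTER[tx["account"]]))
    return flagged

SAMPLE_TXS = [  # constructed transaction stream
    {"id": 1, "account": "A100", "amount": -200, "time": datetime(2020, 3, 2, 10, 0)},
    {"id": 2, "account": "A100", "amount": -2500, "time": datetime(2020, 3, 2, 23, 15),
     "snapshot": True},
    {"id": 3, "account": "A200", "amount": -400, "time": datetime(2020, 3, 3, 9, 30)},
]

def run_sample():
    """Post the sample stream; returns the per-transaction audit-hook flags."""
    return [post_transaction(tx) for tx in SAMPLE_TXS]
```

After `run_sample()`, SCARF_LOG holds transactions 2 and 3 with the criteria each met, NOTIFICATIONS holds the two the hook escalated, and SNAPSHOTS holds only the before/after images of the specially marked transaction 2.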

(14)

Software Tools Used to Test Program Logic

Automated flowcharting program
▫ Interprets source code and generates a flowchart

Automated decision table program
▫ Interprets source code and generates a decision table

Scanning routines
▫ Search a program for specified items

Mapping programs
▫ Identify unexecuted code

Program tracing
▫ Prints program steps with regular output to observe the sequence of program execution events

(15)

Computer Audit Software

Computer-assisted audit software that can perform audit tasks on a copy of a company's data. It can be used to:
▫ Query data files and retrieve records based upon specified criteria
▫ Create, update, compare, download, and merge files
▫ Summarize, sort, and filter data
▫ Access data in different formats and convert it to a common format
▫ Select records using statistical sampling techniques
▫ Perform analytical tests

(16)

Operational Audits

Purpose is to evaluate effectiveness, efficiency, and goal achievement. Although the basic audit steps are the same, the specific activities of evidence collection are focused toward operations such as:
▫ Review operating policies and documentation
▫ Confirm procedures with management and operating personnel
▫ Observe operating functions and activities
▫ Examine financial and operating plans and reports
▫ Test accuracy of operating information

(17)

Key Terms

• Auditing
• Internal auditing
• Financial audit
• Information systems audit
• Operational audit
• Compliance audit
• Investigative audit
• Inherent risk
• Control risk
• Detection risk
• Confirmation
• Reperformance
• Vouching
• Materiality
• Reasonable assurance
• Systems review
• Test of controls
• Compensating controls
• Source code comparison program
• Reprocessing
• Parallel simulation
• Test data generator
• Concurrent audit techniques
• Embedded audit modules
• Integrated test facility (ITF)

(18)

Key Terms (continued)

• Audit hooks
• Continuous and intermittent simulation (CIS)
• Automated flowcharting program
• Automated decision table program
• Scanning routines
• Mapping programs
• Program tracing
• Input controls matrix
• Computer-assisted audit techniques (CAAT)
