ch17

Upload: eric-john-enriquez

Post on 14-Jan-2016


TRANSCRIPT

  • Chapter 17 Information Systems Auditing and Assurance

  • Objectives for Chapter 17
    - Purpose of an audit and the basic conceptual elements of the audit process
    - Difference between internal and external auditing and the relationship between them
    - How auditing objectives and tests of control are determined by the control structure of the client firm
    - Audit objective and tests of control for each of the nine general control areas
    - Auditing techniques used to verify the effective functioning of application controls
    - Auditing techniques used to perform substantive tests in a CBIS environment

  • Attestation versus Assurance
    - Attestation: an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. (SSAE No. 1, AT Sec. 100.01)
    - Assurance: professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers; includes, but is not limited to, attestation

  • Attest and Assurance Services

  • What is a Financial Audit?
    - An independent attestation by a professional (CPA) regarding the faithful representation of the financial statements.
    - Three phases of a financial audit:
        1. familiarization with the client firm
        2. evaluation and testing of internal controls
        3. assessment of the reliability of financial data

  • Generally Accepted Auditing Standards (GAAS)

  • External versus Internal Auditing
    - External auditors represent the interests of third-party stakeholders, while internal auditors serve as an independent appraisal function within the organization.
    - Internal auditors often perform tasks which can reduce external audit fees and help to achieve audit efficiency.

  • Elements of an Audit
    - Systematic procedures are used
    - Evidence is obtained:
        - tests of internal controls
        - substantive tests
    - Determination of materiality for weaknesses found
    - Prepare audit report & audit opinion

  • Information Technology (IT) Audit
    - Since most information systems employ information technology, the IT audit is typically a significant component of all external (financial) and internal audits.
    - IT audits:
        - focus on the computer-based aspects of an organization's information system
        - assess the proper implementation, operation, and control of computer resources

  • Phases of an IT Audit

  • Audit Risk is... the probability the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated.

  • Components of Audit Risk
    - Inherent risk is associated with the unique characteristics of the business or industry of the client.
    - Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
    - Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.

  • Tests of General Controls
    - Our primary purposes are to understand the auditing objectives in each general control area and the nature of the tests that auditors perform to achieve these objectives.

  • Tests of General Controls
    - Our discussion is organized around the following:
        1. operating system controls
        2. data management controls
        3. organizational structure controls
        4. systems development controls
        5. systems maintenance controls
        6. computer center security and control
        7. Internet and Intranet controls
        8. electronic data interchange (EDI) controls
        9. personal computer controls

  • General Control Framework for CBIS Risks (figure; labelled areas: Operating System, Data Management, Systems Development, Systems Maintenance, Organizational Structure, Internet & Intranet, EDI Trading Partners, Personal Computers, Computer Center Security, Applications)

  • 1. General Control Tests: Operating System
    - Objective: verify that the security policy and control procedures are rigorous enough to protect the operating system against:
        - hardware failure
        - software errors
        - destructive acts by employees or hackers
        - virus infection

  • 1. General Control Tests: Operating System (continued)
    - Access controls:
        - privilege controls
        - password control
        - virus control
        - fault tolerance control

  • 2. General Control Tests: Data Management
    - Objective: protect against unauthorized access to or destruction of data, and against inadequate data backup.
    - Controls:
        - access: encryption, user authorization tables, inference controls and biometric devices are a few examples
        - backup: grandfather-father-son and direct access backup; recovery procedures

  • 3. General Control Tests: Organizational Structure
    - Objectives:
        - determine whether incompatible functions have been identified and segregated in accordance with the level of potential exposure
        - determine whether segregation is sustained through a working environment that promotes formal relationships between incompatible tasks
    - Controls: review organizational & systems documentation, observe behavior, and review database authority tables

  • 4. General Control Tests: Systems Development
    - Objectives: ensure that...
        - SDLC activities are applied consistently and in accordance with management's policies
        - the system as originally implemented was free from material errors and fraud
        - the system was judged to be necessary and justified at various checkpoints throughout the SDLC
        - system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities

  • 4. General Control Tests: Systems Development (continued)
    - Controls:
        - systems authorization techniques
        - good development procedures
        - internal audit team participation
        - appropriate testing of the system

  • 5. General Control Tests: Systems Maintenance
    - Objectives: detect unauthorized program maintenance and determine that...
        - maintenance procedures protect applications from unauthorized changes
        - applications are free from material errors
        - program libraries are protected from unauthorized access

  • 5. General Control Tests: Systems Maintenance (continued)
    - Controls:
        - authorization requirements for program maintenance
        - appropriate documentation of changes
        - adequate testing of program changes
        - reconciling program version numbers
        - review programmer authority table
        - test authority table
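
Reconciling program version numbers and checking that the production library contains only approved code is a test that can be automated. The Python below is an added example (not from the slides or the textbook): an authorized-versions table, as maintained under change control, records the approved version label and a SHA-256 hash of each program; the reconciliation compares the production library against it and reports version labels that moved without approval, code whose content differs from what was approved even when the label is unchanged, approved programs missing from production, and programs present without any authorization. All program names, version labels and contents are constructed for the example.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash of a program's code; the authorized table stores this for each approval."""
    return hashlib.sha256(data).hexdigest()


def build_authorized_table(approved_programs):
    """Authorized-versions table: program name -> approved version label and
    hash of the approved code. Input is name -> (version, code bytes)."""
    return {
        name: {"version": version, "sha256": sha256_hex(code)}
        for name, (version, code) in approved_programs.items()
    }


def reconcile(authorized, production):
    """Compare the production library (name -> (version, code bytes)) against
    the authorized table and return sorted (program, finding) pairs."""
    findings = []
    for name, auth in authorized.items():
        if name not in production:
            findings.append((name, "MISSING from production library"))
            continue
        prod_version, prod_code = production[name]
        if prod_version != auth["version"]:
            findings.append((name, f"version mismatch: authorized {auth['version']}, production {prod_version}"))
        if sha256_hex(prod_code) != auth["sha256"]:
            # Whether or not the label changed, the code is not the approved code.
            findings.append((name, "content differs from the authorized version"))
    for name in sorted(production.keys() - authorized.keys()):
        findings.append((name, "UNAUTHORIZED program present in production library"))
    return sorted(findings)


# Constructed data: the approved programs and the library found in production.
APPROVED = {
    "AR_POST": ("3.2", b"program AR_POST version 3.2"),
    "PAYROLL": ("7.0", b"program PAYROLL version 7.0"),
    "GL_CLOSE": ("1.9", b"program GL_CLOSE version 1.9"),
}
PRODUCTION = {
    "AR_POST": ("3.2", b"program AR_POST version 3.2"),             # unchanged
    "PAYROLL": ("7.0", b"program PAYROLL version 7.0 (patched)"),   # same label, changed code
    "GL_CLOSE": ("2.0", b"program GL_CLOSE version 2.0"),           # label moved without approval
    "TEMP_FIX": ("0.1", b"program TEMP_FIX version 0.1"),           # not in the authorized table
}


def audit_program_library():
    """Run the reconciliation over the constructed data."""
    return reconcile(build_authorized_table(APPROVED), PRODUCTION)


if __name__ == "__main__":
    for name, finding in audit_program_library():
        print(f"{name}: {finding}")
```

The hash comparison is what makes the test more than a version-label check: a change applied without bumping the label (the PAYROLL case) is invisible to a label-only reconciliation but is caught here.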

  • 6. General Control Tests: Computer Center
    - Objectives: determine that...
        - physical security controls adequately protect the organization from physical exposures
        - insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center
        - operator documentation is adequate to deal with routine operations as well as system failures
        - the organization's disaster recovery plan is adequate and feasible

  • 6. General Control Tests: Computer Center (continued)
    - Controls:
        - well-planned physical layout
        - backup and disaster recovery planning
        - review critical application list

  • 7. General Control Tests: Internet & Intranet
    - Objectives: determine that communications controls...
        - can detect and correct message loss due to equipment failure
        - can prevent and detect illegal access both internally and from the Internet
        - will render useless any data that are successfully captured by a perpetrator
        - are sufficient to preserve the integrity and security of data connected to the network

  • 7. General Control Tests: Internet & Intranet (continued)
    - Controls:
        - equipment failure: line checks (parity & echo), and backups
        - subversive threats: access controls, encryption of data, and firewalls
        - message control: sequence numbering, authentication, transaction logs, request-response polling
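
The message controls on this slide (sequence numbering, authentication, transaction logs, with request-response polling to recover gaps) work together, and the following Python shows how. It is an added example, not code from the slides or the textbook: the sender tags each record with a sequence number and an HMAC-SHA256 authentication code under a shared key, and the receiver rejects any message whose tag does not verify, rejects a sequence number it has already accepted (a duplicate or replay), logs a forward jump as a gap that request-response polling would then ask the sender to fill, and writes every outcome to a transaction log. The key, message payloads and the delivery scenario are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret held by both ends of the link (example value only).
SHARED_KEY = b"example-shared-key-for-illustration"


def build_message(seq, payload, key=SHARED_KEY):
    """Sender side: serialise the record with its sequence number and attach
    an HMAC-SHA256 tag so the receiver can authenticate it."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: authenticate each message, enforce sequence order and
    record every outcome in a transaction log."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.expected_seq = 1
        self.accepted = []   # payloads passed on to the application
        self.log = []        # transaction log entries: (seq or None, outcome)

    def receive(self, msg):
        # 1. Authentication: recompute the tag and compare in constant time.
        expected_tag = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, msg["tag"]):
            self.log.append((None, "REJECT: authentication failed"))
            return False
        record = json.loads(msg["body"])
        seq = record["seq"]
        # 2. Sequence numbering: a number already seen is a duplicate or replay.
        if seq < self.expected_seq:
            self.log.append((seq, "REJECT: duplicate/replayed sequence number"))
            return False
        # 3. A jump forward means messages were lost; log the gap so that
        #    request-response polling can ask the sender to retransmit them.
        if seq > self.expected_seq:
            missing = list(range(self.expected_seq, seq))
            self.log.append((seq, f"GAP: messages {missing} not received"))
        self.accepted.append(record["payload"])
        self.log.append((seq, "ACCEPT"))
        self.expected_seq = seq + 1
        return True


def run_demo():
    """Constructed scenario: five messages sent; message 3 is lost, message 2
    is delivered a second time, and message 5 is altered in transit."""
    sent = [build_message(i, f"TXN-{i:03d}") for i in range((1), 6)]
    altered = dict(sent[4])
    altered["body"] = altered["body"].replace(b"TXN-005", b"TXN-999")
    delivered = [sent[0], sent[1], sent[3], sent[1], altered]
    rx = Receiver()
    for msg in delivered:
        rx.receive(msg)
    return rx


if __name__ == "__main__":
    for entry in run_demo().log:
        print(entry)
```

The transaction log is what the auditor reviews: the lost message shows up as a gap entry, the replayed message as a rejected duplicate, and the altered message as an authentication failure, each tied to the sequence number where it happened.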

  • 8. General Control Tests: EDI
    - Objectives: determine that...
        - all EDI transactions are authorized, validated, and in compliance with organizational policy
        - no unauthorized organizations gain access to database records
        - authorized trading partners have access only to approved data
        - adequate controls are in place to ensure complete EDI transactions

  • 8. General Control Tests: EDI (continued)
    - Controls:
        - sophisticated authorization & validation techniques
        - access controls
        - audit trail modules and controls

  • 9. General Control Tests: Personal Computers (PCs)
    - Objectives: determine that...
        - adequate supervision and operating procedures exist to compensate for the lack of segregation between the duties of users, programmers, and operators
        - access to microcomputers, data files, and program files is restricted to authorized personnel
        - backup procedures are in place to prevent data and program loss from hardware failures
        - systems selection and acquisition procedures produce applications that are high quality, free from errors, and protected from unauthorized changes

  • 9. General Control Tests: PCs (continued)
    - Controls:
        - increased supervision
        - access & security controls
        - backup controls
        - systems development and maintenance controls
        - systems development and acquisition controls

  • Computer Applications Controls
    - Techniques for auditing computer applications fall into two classes:
        1. techniques for testing application controls
        2. techniques for examining transaction details and account balances (substantive testing)

  • Testing Application Controls
    - Black Box Approach: understanding flowcharts, input procedures, & output results
    - White Box Approach: understanding the internal logic of the application
        - authenticity (access) tests
        - accuracy tests
        - completeness tests
        - redundancy tests
        - audit trail tests
        - rounding error tests

  • Auditing Around the Computer - The Black Box Approach

  • White Box Testing Techniques
    - Test data method: testing for logic or control problems; good for new systems or systems which have undergone recent maintenance
        - base case system evaluation (BCSE): using a comprehensive set of test transactions
        - tracing: performs an electronic walkthrough of the application's internal logic
    - Test data methods are not fool-proof:
        - a snapshot: a one-point-in-time examination
        - high cost of developing adequate test data

  • Auditing through the Computer: The Test Data Technique

  • White Box Testing Techniques
    - Integrated test facility (ITF): an automated, on-going technique that enables the auditor to test an application's logic and controls during its normal operation
    - Parallel simulation: the auditor writes simulation programs and runs actual transactions of the client through them
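
The test data method, parallel simulation and the rounding error test from the earlier slide share one mechanism: run transactions through the client's program and through something the auditor controls, then compare. The Python below is an added example (not the slides' or the textbook's code) that shows both techniques on one constructed application. The client program is a stand-in, written for the example, that computes sales tax and truncates to whole cents; the auditor's simulation applies the documented policy of rounding to the nearest cent. Parallel simulation feeds both programs the same actual client transactions; the test data method feeds them auditor-prepared transactions chosen to sit exactly on the rounding boundary. The tax rate, transactions and the truncation defect are all constructed.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

TAX_RATE = Decimal("0.0825")   # constructed rate for the example
CENT = Decimal("0.01")


def client_application(transactions):
    """Stand-in for the client's production program (constructed for the
    example). It truncates tax to whole cents instead of rounding it."""
    return {txn_id: (amount * TAX_RATE).quantize(CENT, rounding=ROUND_DOWN)
            for txn_id, amount in transactions}


def auditor_simulation(transactions):
    """Auditor's independently written program applying the documented
    policy: round tax to the nearest cent, halves up."""
    return {txn_id: (amount * TAX_RATE).quantize(CENT, rounding=ROUND_HALF_UP)
            for txn_id, amount in transactions}


def compare_results(transactions):
    """Run the same transactions through both programs; report each
    difference and the net effect on the tax total."""
    client = client_application(transactions)
    expected = auditor_simulation(transactions)
    exceptions = {
        txn_id: {"client": client[txn_id], "expected": expected[txn_id],
                 "difference": expected[txn_id] - client[txn_id]}
        for txn_id in client if client[txn_id] != expected[txn_id]
    }
    net = sum((e["difference"] for e in exceptions.values()), Decimal("0"))
    return exceptions, net


# Parallel simulation input: actual client transactions (constructed sample).
CLIENT_TRANSACTIONS = [
    ("T1", Decimal("100.00")),   # tax 8.2500, no rounding question
    ("T2", Decimal("19.99")),    # tax 1.649175
    ("T3", Decimal("250.50")),   # tax 20.66625
    ("T4", Decimal("7.07")),     # tax 0.583275
]

# Test data method input: auditor-prepared transactions placed on and off
# the rounding boundary (tax ending in exactly half a cent).
AUDITOR_TEST_DATA = [
    ("B1", Decimal("2.00")),     # tax 0.165000, boundary case
    ("B2", Decimal("1.00")),     # tax 0.082500, below the half-cent
]


def parallel_simulation():
    return compare_results(CLIENT_TRANSACTIONS)


def run_test_data():
    return compare_results(AUDITOR_TEST_DATA)


if __name__ == "__main__":
    for label, (exceptions, net) in [("parallel simulation", parallel_simulation()),
                                     ("test data method", run_test_data())]:
        print(label, "exceptions:", exceptions, "net tax understated by:", net)
```

The two runs illustrate the slide's caveat about the test data method: the boundary transaction B1 exposes the truncation in a single, cheap test, but only because the auditor already guessed where the defect might be; the parallel simulation over actual transactions finds the same defect without that guess and also measures its effect on the period's total.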

  • Auditing through the Computer: The ITF Technique

  • Auditing through the Computer: The Parallel Simulation Technique

  • Substantive Testing Techniques
    - Search for unrecorded liabilities
    - Confirm accounts receivable to ensure they are not overstated
    - Determine the correct value of inventory, and ensure it is not overstated
    - Determine the accuracy of accruals for expenses incurred but not yet received (also revenues if appropriate)

  • Embedded Audit Module (EAM)
    - An ongoing module which filters out non-material transactions
    - The chosen, material transactions are used for sampling in substantive tests
    - Requires additional computing resources from the client
    - Hard to maintain in systems with high maintenance

  • Substantive Testing: EAM

  • Generalized Audit Software (GAS)
    - Very popular & widely used
    - Can access data files & perform operations on them:
        - screen data
        - statistical sampling methods
        - foot & balance
        - format reports
        - compare files and fields
        - recalculate data fields
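
Three of the GAS operations on this slide, recalculating data fields, footing and balancing a file, and comparing files and fields, are shown below against a constructed sales invoice file. This is an added example written for this page, not GAS product code or the textbook's: the recalculation test recomputes each invoice's extended amount from quantity and unit price, the footing test totals the file and balances it to a general-ledger control figure, and the file comparison totals invoices per customer and matches them against an accounts receivable master file. The invoice records, control total and master balances are constructed, with one invoice overstated and one master balance that no invoice supports.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sales invoice detail file (what GAS would read from the client's data files).
INVOICES = [
    {"inv": "1001", "cust": "C01", "qty": 10, "unit_price": Decimal("12.50"), "amount": Decimal("125.00")},
    {"inv": "1002", "cust": "C02", "qty": 3,  "unit_price": Decimal("40.00"), "amount": Decimal("140.00")},
    {"inv": "1003", "cust": "C01", "qty": 5,  "unit_price": Decimal("9.99"),  "amount": Decimal("49.95")},
]
# Constructed general-ledger control account balance for the same period.
GL_CONTROL_TOTAL = Decimal("294.95")
# Constructed accounts receivable master file: customer -> balance.
AR_MASTER = {"C01": Decimal("174.95"), "C02": Decimal("140.00"), "C03": Decimal("30.00")}

ZERO = Decimal("0")


def recalculate_amounts(invoices):
    """Recalculate data fields: the extended amount must equal qty x unit price.
    Returns (invoice, recorded amount, recalculated amount) for each mismatch."""
    return [(r["inv"], r["amount"], r["qty"] * r["unit_price"])
            for r in invoices if r["amount"] != r["qty"] * r["unit_price"]]


def foot(invoices):
    """Foot the file: total the amount column."""
    return sum((r["amount"] for r in invoices), ZERO)


def compare_files(invoices, master):
    """Compare files and fields: per-customer invoice totals against the
    AR master. Returns (customer, invoice total, master balance) for each
    customer where the two disagree, including customers found in only one file."""
    totals = defaultdict(lambda: ZERO)
    for r in invoices:
        totals[r["cust"]] += r["amount"]
    return [(cust, totals.get(cust, ZERO), master.get(cust, ZERO))
            for cust in sorted(set(totals) | set(master))
            if totals.get(cust, ZERO) != master.get(cust, ZERO)]


def run_gas_tests():
    """Run the three tests and return the results in one report dictionary."""
    footed = foot(INVOICES)
    return {
        "recalculation_exceptions": recalculate_amounts(INVOICES),
        "footed_total": footed,
        "control_total": GL_CONTROL_TOTAL,
        "out_of_balance": footed - GL_CONTROL_TOTAL,   # balance step
        "file_comparison_exceptions": compare_files(INVOICES, AR_MASTER),
    }


if __name__ == "__main__":
    for key, value in run_gas_tests().items():
        print(f"{key}: {value}")
```

Reading the three results together is the point of the exercise: the file foots to 20.00 more than the control account, the recalculation test locates that 20.00 in invoice 1002, and the file comparison separately flags a master balance for C03 that no invoice in the detail file supports.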

  • Substantive Testing: GAS
