Auditing Computer-Based Information Systems

Chapter 11
Learning Objectives
Describe the nature, scope, and objectives of audit work, and identify the major steps in the audit process.
Identify the six objectives of an information system audit, and describe how the risk-based audit approach can be used to accomplish these objectives.
Describe the different tools and techniques auditors use to test software programs and program logic.
Describe computer audit software, and explain how it is used in the audit of an AIS.
Describe the nature and scope of an operational audit.
Auditing
The process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria.
Major Steps in the Auditing Process
Audit planning
  Why, how, when, and who
  Establish scope and objectives of the audit; identify risk
Collection of audit evidence
Evaluation of evidence
Communication of results
Risk-Based Framework
Identify fraud and errors (threats) that can occur and threaten each objective
Identify control procedures (prevent, detect, correct the threats)
Evaluate control procedures
  Review to see if the control exists and is in place
  Test controls to see if they work as intended
Determine effect of control weaknesses
  Compensating controls
Information Systems Audit
Using the risk-based framework for an information systems audit allows the auditor to review and evaluate the internal controls that protect the system, in order to meet each of the following objectives:
1. Protect overall system security (includes computer equipment, programs, and data)
2. Program development and acquisition occur under management authorization
3. Program modifications occur under management authorization
4. Accurate and complete processing of transactions, records, files, and reports
5. Prevent, detect, or correct inaccurate or unauthorized source data
6. Accurate, complete, and confidential data files
1. Protect Overall System Security
Threats
  Theft of hardware
  Damage of hardware (accidental and intentional)
  Loss, theft, or unauthorized access to
    Programs
    Data
  Unauthorized modification or use of programs and data files
  Unauthorized disclosure of confidential data
  Interruption of crucial business activities
Controls
  Limit physical access to computer equipment
  Use authentication and authorization controls
  Data storage and transmission controls
  Virus protection and firewalls
  File backup and recovery procedures
  Disaster recovery plan
  Preventive maintenance
  Insurance
2. Program Development and Acquisition Occur under Management Authorization
Threats
  Inadvertent programming errors
  Unauthorized program code
Controls
  Review software license agreements
  Management authorization for:
    Program development
    Software acquisition
  Management and user approval of programming specifications
  Testing and user acceptance of new programs
  Systems documentation
3. Program Modifications Occur under Management Authorization
Threats
  Inadvertent programming errors
  Unauthorized program code
Controls
  List program components to be modified
  Management authorization and approval for modifications
  User approval for modifications
  Test changes to the program
  System documentation of changes
  Logical access controls
4. Accurate and Complete Processing of Transactions, Records, Files, and Reports
Threats
  Failure to detect incorrect, incomplete, or unauthorized input data
  Failure to correct errors identified by data editing procedures
  Errors in files or databases during updating
  Improper distribution of output
  Inaccuracies in reporting
Controls
  Data editing routines
  Reconciliation of batch totals
  Error correction procedures
  Understandable documentation
  Competent supervision
5. Prevent, Detect, or Correct Inaccurate or Unauthorized Source Data
Threats
  Inaccurate source data
  Unauthorized source data
Controls
  User authorization of source data input
  Batch control totals
  Log receipt, movement, and disposition of source data input
  Turnaround documents
  Check digit and key verification
  Data editing routines
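Batch control totals and check-digit verification from the controls above, as an added example that is not part of the slides: a constructed two-record batch is reconciled against the header totals prepared from its source documents, once as keyed correctly and once with a keying error in an amount and a transposed account number. The weighted modulus-10 check-digit scheme, the field names and all sample values are assumptions.

```python
from typing import Dict, List, Tuple

# Assumed scheme: weighted modulus-10 (Luhn-style) check digit. The slide names
# the control but no particular algorithm, so this is one common choice.
def compute_check_digit(body: str) -> int:
    total = 0
    for i, ch in enumerate(reversed(body)):      # weight digits 2,1,2,1,... from the right
        prod = int(ch) * (2 if i % 2 == 0 else 1)
        total += prod - 9 if prod > 9 else prod  # e.g. 16 -> 1 + 6 = 7
    return (10 - total % 10) % 10

def verify_check_digit(account: str) -> bool:
    """Key verification of an account number whose last digit is its check digit."""
    return account.isdigit() and compute_check_digit(account[:-1]) == int(account[-1])

def batch_totals(records: List[Dict]) -> Dict[str, float]:
    """Record count, financial total (sum of amounts) and hash total: the sum of the
    account numbers, meaningless as a number but sensitive to dropped or altered records."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(int(r["account"]) for r in records),
    }

def reconcile_batch(header: Dict[str, float], records: List[Dict]) -> List[str]:
    """Data editing routine: list every control total that disagrees with the batch
    header, and every account number that fails check-digit verification."""
    actual = batch_totals(records)
    findings = [f"{k}: header {v} vs processed {actual[k]}"
                for k, v in header.items() if actual[k] != v]
    findings += [f"check digit failed for account {r['account']}"
                 for r in records if not verify_check_digit(r["account"])]
    return findings

# Constructed sample: the batch header was totalled by hand from the source documents.
HEADER = {"record_count": 2, "financial_total": 1750.75, "hash_total": 81161966610}
KEYED_OK = [{"account": "79927398713", "amount": 1500.00},
            {"account": "1234567897", "amount": 250.75}]
# The same batch after keying errors: one amount altered and one account number
# with two adjacent digits transposed (...97 -> ...79).
KEYED_BAD = [{"account": "79927398713", "amount": 1800.00},
             {"account": "1234567879", "amount": 250.75}]

def demo() -> Tuple[List[str], List[str]]:
    return reconcile_batch(HEADER, KEYED_OK), reconcile_batch(HEADER, KEYED_BAD)
```

The record count still agrees for the bad batch; it is the financial total, the hash total and the check digit that expose the two errors.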
6. Accurate, Complete, and Confidential Data Files
Threats
  Destruction of stored data from
    Errors
    Hardware and software malfunctions
    Sabotage
  Unauthorized modification or disclosure of stored data
Controls
  Secure storage of data and restricted physical access
  Logical access controls
  Write-protection and proper file labels
  Concurrent update controls
  Data encryption
  Virus protection
  Backup of data files (offsite)
  System recovery procedures
Audit Techniques Used to Test Programs
Integrated Test Facility (ITF)
  Uses fictitious inputs
Snapshot Technique
  Master files before and after the update are stored for specially marked transactions
System Control Audit Review File (SCARF)
  Continuous monitoring and storing of transactions that meet pre-specified criteria
Audit Hooks
  Notify auditors of questionable transactions
Continuous and Intermittent Simulation (CIS)
  Similar to SCARF, for a DBMS
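An added example, not from the slides, showing three of these concurrent techniques embedded in one toy posting routine: ITF transactions for a fictitious entity run through the same logic but never reach the live balances, SCARF stores the ids of transactions meeting pre-specified criteria for later review, and an audit hook notifies the auditor at once when a supervisor override is used. The criteria, the "ITF-" account prefix and the sample transactions are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Txn:
    txn_id: str
    account: str
    amount: float
    hour: int               # hour of day (0-23) the transaction was entered
    user: str
    override: bool = False  # a supervisor overrode a data-edit rejection

@dataclass
class AuditState:
    live_balances: Dict[str, float] = field(default_factory=dict)
    scarf_log: List[str] = field(default_factory=list)    # SCARF: ids meeting the criteria
    itf_results: List[str] = field(default_factory=list)  # ITF: fictitious-entity results
    hook_alerts: List[str] = field(default_factory=list)  # audit hook notifications
SCARF_AMOUNT, BUSINESS_HOURS = 10_000.0, range(8, 18)  # assumed pre-specified criteria
ITF_PREFIX = "ITF-"                                     # assumed fictitious-entity marker
def meets_scarf_criteria(t: Txn) -> bool:
    return t.amount >= SCARF_AMOUNT or t.hour not in BUSINESS_HOURS

def process(txns: List[Txn], notify: Callable[[str], None]) -> AuditState:
    """Toy posting routine with three concurrent audit techniques embedded in it."""
    state = AuditState()
    for t in txns:
        if t.account.startswith(ITF_PREFIX):
            # ITF: same code path as real data, but never posted to live balances
            state.itf_results.append(f"{t.txn_id}:{t.amount:+.2f}")
        else:
            state.live_balances[t.account] = state.live_balances.get(t.account, 0.0) + t.amount
        if meets_scarf_criteria(t):
            state.scarf_log.append(t.txn_id)  # SCARF: stored for later auditor review
        if t.override:
            msg = f"override on {t.txn_id} by {t.user}"  # audit hook: tell the auditor now
            state.hook_alerts.append(msg)
            notify(msg)
    return state

# Constructed sample batch
SAMPLE = [Txn("T1", "1001", 250.00, 10, "clerk_a"),
          Txn("T2", "1001", 12_500.00, 11, "clerk_a"),
          Txn("T3", "1002", 80.00, 23, "clerk_b"),
          Txn("T4", "ITF-9", 999.00, 12, "auditor"),
          Txn("T5", "1002", 400.00, 14, "clerk_b", override=True)]

def run_sample() -> AuditState:
    return process(SAMPLE, print)
```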
Software Tools Used to Test Program Logic
Automated flowcharting program
  Interprets source code and generates a flowchart
Automated decision table program
  Interprets source code and generates a decision table
Scanning routines
  Search a program for specified items
Mapping programs
  Identify unexecuted code
Program tracing
  Prints program steps with the regular output to observe the sequence of program execution events
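An added example, not from the slides, of what a mapping program reports: it runs a program under Python's line tracer with a set of test data and lists the statements that never executed, which is where an auditor looks for dead or unauthorized code. The posting function and its test data are constructed for the example.

```python
import dis
import sys
from typing import Callable, Dict, List, Tuple

def map_program(func: Callable, calls: List[Tuple]) -> Dict[str, List[int]]:
    """Run func once per argument tuple under a line tracer and report which
    statements (as line offsets from the def line) ran and which never did."""
    code = func.__code__
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None                    # ignore frames of other functions
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    old = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args in calls:
            func(*args)
    finally:
        sys.settrace(old)
    # every line that holds bytecode is a candidate; the def line itself is not a statement
    candidates = {line for _, line in dis.findlinestarts(code) if line != code.co_firstlineno}
    base = code.co_firstlineno
    return {"executed": sorted(l - base for l in executed & candidates),
            "unexecuted": sorted(l - base for l in candidates - executed)}

# Constructed program under audit: a posting rule with one branch the test data never reaches
def classify_posting(amount: float, account_type: str) -> str:
    if amount <= 0:
        return "rejected"
    if account_type == "asset":
        return "debit"
    if account_type == "liability":
        return "credit"
    return "suspense"

TEST_DATA = [(100.0, "asset"), (50.0, "liability"), (5.0, "equity")]

def run_mapping() -> Dict[str, List[int]]:
    return map_program(classify_posting, TEST_DATA)
```

The test data never includes a non-positive amount, so the map flags offset 2 (the "rejected" branch) as unexecuted; an auditor would then add test data for it or ask why it exists.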
Computer Audit Software
Computer-assisted audit software that can perform audit tasks on a copy of a company's data. It can be used to:
Query data files and retrieve records based upon specified criteria
Create, update, compare, download, and merge files
Summarize, sort, and filter data
Access data in different formats and convert it to a common format
Select records using statistical sampling techniques
Perform analytical tests
Perform calculations and statistical tests
Operational Audits
The purpose is to evaluate effectiveness, efficiency, and goal achievement. Although the basic audit steps are the same, the specific activities of evidence collection are focused toward operations, such as:
Review operating policies and documentation
Confirm procedures with management and operating personnel
Observe operating functions and activities
Examine financial and operating plans and reports
Test accuracy of operating information
Test operational controls
Key Terms
Auditing
Internal auditing
Financial audit
Information systems audit
Operational audit
Compliance audit
Investigative audit
Inherent risk
Control risk
Detection risk
Confirmation
Reperformance
Vouching
Analytical review
Materiality
Reasonable assurance
Systems review
Test of controls
Compensating controls
Source code comparison program
Reprocessing
Parallel simulation
Test data generator
Concurrent audit techniques
Embedded audit modules
Integrated test facility (ITF)
Snapshot technique
System control audit review file (SCARF)
Audit log
Key Terms (continued)
Audit hooks
Continuous and intermittent simulation (CIS)
Automated flowcharting program
Automated decision table program
Scanning routines
Mapping programs
Program tracing
Input controls matrix
Computer-assisted audit techniques (CAAT)
Generalized audit software (GAS)