Chapter 1: Overview of Information Systems Auditing

Upload: lp-lim

Post on 19-Aug-2015


TRANSCRIPT

[Slide 1] Chapter 1: Overview of Information Systems Auditing

[Slide 2] Impact of IT on organizations
- IT is important in all kinds of organizations. Therefore IT has influence on organizational risks and controls.
- IT creates opportunities, but these opportunities bring with them many kinds of risks.

[Slide 3] Impact of IT on organizations (diagram)
- Transmit documents electronically to customers and vendors
- Potential failure of electronic communication systems

[Slide 4] Need for control and audit of computers (diagram)
Factors influencing an organization toward control and audit of computers:
- Costs of computer abuse
- Value of computer hardware, software and personnel
- Controlled evolution of computer use
- Organizational costs of data loss
- Costs of incorrect decision making
- High costs of computer error
- Maintenance of privacy

[Slide 5] Organizational costs of data loss
- Data is a resource which provides an organization with an image of itself.
- Accurate data increases an organization's ability to adapt and survive in a changing environment.
- If the data is inaccurate the organization will suffer significant losses.

[Slide 6] Incorrect decision making
- High quality decisions require high quality data and high quality decision rules.
- The quality of data needed depends on the type of decision (diagram: impact on the organization; impact on other stakeholders).
- Accurate decision rules depend on accurate modeling and programming.
- (diagram) HQR = HQD + HQI

[Slide 7] Computer abuse
- Hacking: unauthorized electronic access to a computer system to read, modify or delete programs/data, or to disrupt services.
- Viruses: programs which attach themselves to computer files to disrupt operations or damage data or programs. Two objectives: replicate themselves; deliver a payload that causes a disruption.
- Illegal physical access to computer facilities: can cause physical damage to hardware or make unauthorized copies of programs/data.
- Abuse of privileges: use of privileges for unauthorized purposes.

[Slide 8] Consequences of computer abuse
- Destruction of assets
- Theft of assets
- Modification of assets
- Privacy violations
- Disruption of operations
- Unauthorized use of assets
- Physical harm to personnel

[Slide 9] Computer abuse
- Losses are higher than from conventional fraud.
- Numbers and types of threats seem to be increasing.
- Organizations are not well prepared.
- Deterrent security and administrative countermeasures can be effective.
- Laws governing abuse are evolving.

[Slide 10] Value of computer hardware, software and personnel
- Loss or damage to hardware can be costly: value of assets and cost of disruption of service.
- Software: investment in software, disruption of business, confidential information, proprietary secrets.
- Personnel: scarcity, training cost, unique knowledge, disruption in service, loss of competitive advantage.

[Slide 11] High costs of computer error
- Automatic performance of critical functions in society.
- Organizations are held liable for the consequences of computer errors.

[Slide 12] Maintenance of privacy
- Taxation, credit, medical, educational, employment, residence, spending habits.
- Data mining: integration, retrieval and matching; profiling.
- Human genome banks.
- Regulations vary widely by country.

[Slide 13] Controlled evolution of computer use
- Use of computers in control over weapon systems.
- Use of computers to control working life and environment.

[Slide 14] Financial Audits
- Financial statements in accordance with Generally Accepted Accounting Principles (GAAP).
- BOD, managers and personnel analyze the internal control system: a set of rules, policies and procedures an organization implements to provide reasonable assurance that its financial reports are reliable, its operations are effective and efficient, and its activities comply with applicable laws and regulations.
- Increased reliance on computer technology in processing and reporting.

[Slide 15] Control activities
- Control activities are the policies and procedures the organization uses to ensure that necessary actions are taken to minimize risks associated with achieving its objectives.
- Controls have various objectives and may be applied at various organizational and functional levels.
- Control usage: prevent, detect, and correct.
- Preventive controls focus on preventing an error or irregularity.
- Detective controls focus on identifying when an error or irregularity has occurred.
- Corrective controls focus on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.

[Slide 16] Control activities
- Physical controls: security over the assets themselves, limiting access to the assets to only authorized people, and periodically reconciling the quantities on hand with the quantities recorded in the organization's records.
- Information processing controls are used to check accuracy, completeness, and authorization of transactions.
- General controls cover data center operations, systems software acquisition and maintenance, access security, and application systems development and maintenance.
- Application controls apply to the processing of a specific application, like running a computer program to prepare employees' payroll checks each month.

[Slide 17] Financial vs Information Systems Audits
- IT auditors may work on financial audit engagements.
- IT auditors may work on every step of the financial audit engagement.
- Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements.
- Prior to the issuance of SAS No. 94, many financial audits of IT systems bypassed testing of controls.
- IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important.

[Slide 18] Financial vs Information Systems Audits
- New regulations for audits, such as the Sarbanes-Oxley Act of 2002, have also influenced the relationship between financial and IT audits.
- This act, which was created to restore confidence in financial reports, mandates that management assess and make representations about internal controls.
- Auditors will need to test those controls and provide assurance about management's representations.

[Slide 19] Information Systems Auditing Objectives
- Process of collecting and evaluating evidence to determine whether a computer system
- (diagram) Improved safeguarding of assets; Improved data integrity; Improved system effectiveness; Use resources efficiently; Compliance with regulations, rules or conditions

[Slide 20] Examples of situations requiring testing of controls
- Computer programs containing algorithms or formulas that make complex calculations, such as automatically computing commissions, allowance for doubtful accounts, reorder points, loan reserves and pension funding calculations.
- Systems that provide electronic services to customers. In these situations, the IT system automatically initiates bills for the services rendered and processes the billing transactions.

[Slide 21] What do Information Systems auditors do?
- Ensure IT governance by assessing risks and monitoring controls over those risks.
- Work as either internal or external auditors.
- Work on many kinds of audit engagements.

[Slide 22] What do Information Systems auditors do?
- Evaluating controls over specific applications: analyzing the risks and controls over applications such as e-business and enterprise resource planning (ERP) systems.
- Providing assurance over specific processes, in which the client and the IT auditor determine the scope of the assurance.
- Providing third-party assurance: evaluating the risks and controls over a third party's information systems and providing assurance to others.

[Slide 23] What do Information Systems auditors do?
- Penetration testing: involves trying to gain access to information resources in order to discover security weaknesses.
- Supporting the financial audit: evaluating IT risks and controls that may affect the reliability of the financial reporting system.
- Searching for IT-based fraud: helping investigate computer records in fraud investigations.

[Slide 24] IT audit skills
- College education: IS, computer science, accounting.
- Certifications: Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP).
- Technical IT audit skills in specialized technologies (computing platforms, hardware and software applications, Operating System (OS), Enterprise Resource Planning (ERP), E-Business, network security).

[Slide 25] IT audit skills
General personal and business skills:
- Presentation to internal or external clients
- Interpersonal skills
- Teamwork
- Business education (business processes, financial, distribution, human resource, manufacturing processes)
- Marketing skills

[Slide 26] Demand for IT auditors
- The need for information technology auditors far outstrips the supply of qualified candidates.
- There is high demand for Information Technology (IT) Auditors, and their work is interesting and challenging.
- IT auditors evaluate an organizational entity's information system, which includes information technologies, data and information, and systems of communication.

[Slide 27] Professional IT auditor organizations
The groups include:
- The Information Systems Audit and Control Association (ISACA)
- The Institute of Internal Auditors (IIA)
- The Association of Certified Fraud Examiners (ACFE)
- The American Institute of Certified Public Accountants (AICPA)

[Slide 28] Professional IT auditor certifications
- ISACA: Certified Information Systems Auditor (CISA)
- IIA: Certified Internal Auditor (CIA)
- ACFE: Certified Fraud Examiner (CFE)
- AICPA: Certified Public Accountant (CPA) license and Certified Information Technology Professional (CITP) certification