Post on 21-Jan-2016
Copyright © 2007 Pearson Education Canada
23-1
Chapter 23: Using Advanced Skills
23-2
Chapter 23 objectives
Explain how WebTrust and SysTrust help provide assurance over information systems
Identify characteristics, risks, internal controls for advanced information systems
List important controls in a small business with respect to information technology
Describe the impact of a client’s use of a computer service organization upon the audit
23-3
What is WebTrust?
A seal placed on a web site upon completion of an auditor’s report verifying compliance with standards with respect to business practices and controls over electronic commerce transactions
The purpose is to help provide an independent assurance with respect to the safety of processing transactions at the site
23-4
WebTrust principles
Business practice disclosure: The entity is to disclose its business practices with respect to e-commerce transactions
Transaction integrity: Effective controls are maintained over transaction ordering, fulfillment and billing
Information protection: Effective controls are maintained over data
23-5
The nature of SysTrust
An engagement where the PA evaluates a company’s computer system using the following principles (Table 23-1):
– Security
– Availability
– Processing integrity
– Online Privacy
– Confidentiality
23-6
Advanced information systems
Such systems have one or more of the following characteristics:
– Custom-designed operational or strategic information systems
– Use of database management systems
– Use of data communications (including Internet)
– Use of paperless systems
– Complex hardware or software processing configuration
23-7
Strategic information systems
Such systems provide a competitive advantage or improve efficiency within an entity
Should they fail or have errors, they increase costs and risks to the business
When systems are so strategic that they could affect the ability of the entity to continue as a going concern if they fail, then the auditor takes a close look at the disaster recovery planning process
23-8
Custom software
Custom software is unique software designed for the entity
It can be developed by in-house personnel or by external professionals
The key reasons such software is chosen by entities is to provide a competitive advantage, or to better match the needs of the business
23-9
Risks associated with custom software (Figure 23-1)
Such systems are costly, having lengthy development times, up to several years
This increases the risk of additional costs
Rigorous testing is required, and such systems are difficult to fully test or ensure that they are error free
23-10
Audit impact of custom software
The auditor would need to examine the systems development process to identify the likelihood of errors or unauthorized programs
If the risk of errors or unauthorized programs exists, then the auditor would need to look for manual compensating controls
23-11
Database management system components
23-12
Databases versus database management systems
Many software packages use a database as an underlying file structure. This is the collection of data that is shared and used by different users within the software.
A database management system is the software that is used to create, maintain and operate the database.
23-13
Effects of database management systems (DBMS) on internal controls
The existence of a separate database management system with a separate database administration function at an organization adds complexity
All areas of general controls are affected
23-14
DBMS effects on: organization and management controls
The database administrator should be segregated from other functions, such as data authorization
The auditor needs to document the responsibilities of the database administrator and document and test segregation of duties
23-15
DBMS effects on: systems acquisition, development and maintenance
Added controls should exist to ensure that: (1) the database is developed in accordance with business needs and (2) programs accessing the database are accurate, authorized, and control concurrent operations (preventing multiple individuals from accessing the same data element at the same time)
23-16
DBMS effects on: operations and information systems support
Controls should exist to provide security over the data dictionary and the data
Each application cycle needs to be examined for controls over:
– Data ownership, access and update procedures
– Existence and quality of passwords
– Segregation of duties
23-17
Practice problem 23-20 (pp. 656-57)
Identify controls required for a database management system in a hospital patient care situation
Discuss risks with respect to data exposure
23-18
Paperless systems
A wide variety of paperless systems exist. Here we describe those that are related to business data communications:
EDI (electronic data interchange), the transfer of standard business documents
EFT (electronic funds transfer), or electronic commerce, the transfer of money electronically
23-19
Impact of paperless systems on the audit engagement
Where there is no paper trail, the auditor may be required to use computer assisted audit testing to test the transactions directly, or to evaluate programmed controls
Without a paper trail, the auditor may have no choice but to rely upon programmed controls, which require adequate general controls for reliance
23-20
Potential data communications risk points
23-21
Practice problem 23-21 (p. 657)
Identify methods that could be used to steal confidential corporate data
How could these risks be mitigated?
23-22
Risks from and controls for multiple information processing locations (Table 23-3)
Data processed in multiple locations could become inconsistent (one location should have primary responsibility for updating)
Programs could be inaccurate or unauthorized (head office should control program changes)
23-23
Risks from and controls for multiple information processing locations (Table 23-3, cont’d)
Locations could have unauthorized access to programs or data of other locations (assign clear responsibilities for data and program ownership and change rights)
Data sent from one location to another may not be received (use control totals, record counts, and sequential numbering of transactions with follow up)
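The last control in Table 23-3 (control totals, record counts and sequential numbering with follow-up) is the one an auditor can most readily see exercised in code. The block below is an added example, not material from the textbook: it plays the receiving location, recomputes the count, control total and sequence coverage from what actually arrived, and returns the exceptions that need follow-up. The batch header fields, the `reconcile` function and all transaction data are constructed for illustration. The sample received batch deliberately drops one record and duplicates another, so the record count still matches and only the sequence check and control total reveal the problem.

```python
"""Receiver-side batch reconciliation for data sent between processing
locations (Table 23-3).  Added example, not from the textbook: the sending
location attaches a record count, a control total and a contiguous
sequence-number range; the receiver recomputes them and flags anything
that did not arrive intact.  All names and data below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class BatchHeader:
    """Totals the sending location computed before transmission (constructed)."""
    batch_id: str
    first_seq: int          # first transaction sequence number in the batch
    last_seq: int           # last sequence number (inclusive)
    record_count: int       # how many records the sender transmitted
    control_total: Decimal  # sum of the amount field as the sender computed it


@dataclass(frozen=True)
class Record:
    seq: int
    amount: Decimal


@dataclass
class Findings:
    """Exceptions the receiving location must follow up with the sender."""
    missing_seq: list = field(default_factory=list)       # never received
    duplicate_seq: list = field(default_factory=list)     # received more than once
    out_of_range_seq: list = field(default_factory=list)  # not part of this batch
    count_mismatch: bool = False
    total_mismatch: bool = False
    received_total: Decimal = Decimal("0")

    @property
    def ok(self) -> bool:
        return not (self.missing_seq or self.duplicate_seq or self.out_of_range_seq
                    or self.count_mismatch or self.total_mismatch)


def reconcile(header: BatchHeader, records: list[Record]) -> Findings:
    """Recompute count, control total and sequence coverage on the receiving side."""
    findings = Findings()
    expected = set(range(header.first_seq, header.last_seq + 1))
    seen: dict[int, int] = {}
    for rec in records:
        seen[rec.seq] = seen.get(rec.seq, 0) + 1
        findings.received_total += rec.amount

    findings.missing_seq = sorted(expected - set(seen))
    findings.duplicate_seq = sorted(s for s, n in seen.items() if n > 1)
    findings.out_of_range_seq = sorted(set(seen) - expected)
    # The count is checked on its own because a matching count can still hide
    # one dropped record and one duplicated record; the sequence check catches that.
    findings.count_mismatch = len(records) != header.record_count
    findings.total_mismatch = findings.received_total != header.control_total
    return findings


# Constructed sample: five transactions, sequence numbers 1001-1005.
SENT_BATCH = [
    Record(1001, Decimal("100.00")),
    Record(1002, Decimal("250.50")),
    Record(1003, Decimal("75.25")),
    Record(1004, Decimal("300.00")),
    Record(1005, Decimal("19.99")),
]
HEADER = BatchHeader(
    batch_id="BRANCH-07-DAY-142",   # constructed identifier
    first_seq=1001,
    last_seq=1005,
    record_count=len(SENT_BATCH),
    control_total=sum((r.amount for r in SENT_BATCH), Decimal("0")),  # 745.74
)
# What the head office actually received: 1003 is missing and 1002 arrived twice,
# so the record count still equals 5.
RECEIVED_BATCH = [SENT_BATCH[0], SENT_BATCH[1], SENT_BATCH[1], SENT_BATCH[3], SENT_BATCH[4]]


def follow_up_items(findings: Findings) -> list[str]:
    """Plain-language exception list for the follow-up procedure."""
    items = []
    if findings.missing_seq:
        items.append(f"request retransmission of sequence numbers {findings.missing_seq}")
    if findings.duplicate_seq:
        items.append(f"reject duplicate sequence numbers {findings.duplicate_seq}")
    if findings.out_of_range_seq:
        items.append(f"investigate sequence numbers outside batch {findings.out_of_range_seq}")
    if findings.count_mismatch:
        items.append("record count differs from batch header")
    if findings.total_mismatch:
        items.append(f"control total differs: received {findings.received_total}")
    return items


if __name__ == "__main__":
    for label, batch in (("clean", SENT_BATCH), ("damaged", RECEIVED_BATCH)):
        result = reconcile(HEADER, batch)
        print(label, "ok" if result.ok else follow_up_items(result))
```

Run as a script, the clean batch reconciles with no exceptions, while the damaged batch reports sequence 1003 missing, 1002 duplicated and a control-total difference even though the record count of five matches the header. That is the point of combining the three controls: each one alone leaves a gap that the others close.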
23-24
Practice problem 23-22 (p. 657)
Identify potential sources of virus infection
How could such an infection be prevented?
How can a disaster recovery plan help recover from virus infection?
23-25
Small business information technology (IT) controls
As with other aspects of small business, the quality of the control environment depends upon the attitudes of the owner/manager
He/she should adequately supervise employees, hire only competent employees, and encourage practices such as confidential passwords
23-26
Practical IT controls for the owner/manager
Systems acquisition, development and maintenance: understand the nature of the software used and ensure that only authorized programs are used
Operations and information support: require backups to be made daily, with at least two copies offsite. Provide documentation for ongoing operations
23-27
Practical IT controls for the owner/manager (cont’d)
Application controls (includes controls to prevent fraud): separation of authorization from recording. Perform key activities, such as signing payroll and disbursement cheques, reviewing master file information.
23-28
Practice problem 23-23 (p. 657)
Assess a small business information technology situation
Identify the activities to be performed by the owner
23-29
Service organizations
Computer service organizations: perform key operational tasks (such as payroll) for the organization
When the client has controls that involve comparing the input details provided by the client to the output details provided by the service provider, reference to controls at the service provider may not be necessary
In other situations, the auditor may need to examine and test controls at the service provider, or request a service auditor’s report
23-30
Outsourcing
Outsourcing is a broader term and encompasses functional tasks or subsystems being executed by independent organizations
This could be programming, human resources, accounting
The same principles apply: controls relevant to the organization’s financial systems need to be assessed