copyright © 2007 pearson education canada 23-1 chapter 23: using advanced skills

Copyright © 2007 Pearson Education Canada

23-1

Chapter 23: Using Advanced Skills


23-2

Chapter 23 objectives

Explain how WebTrust and SystTrust help provide assurance over information systems

Identify characteristics, risks, internal controls for advanced information systems

List important controls in a small business with respect to information technology

Describe the impact of a client’s use of a computer service organization upon the audit


23-3

What is WebTrust?

A seal placed on a web site upon completion of an auditor’s report verifying compliance with standards with respect to business practices and controls over electronic commerce transactions

The purpose is to help provide an independent assurance with respect to the safety of processing transactions at the site


23-4

WebTrust principles

Business practice disclosure: The entity is to disclose its business practices with respect to e-commerce transactions

Transaction integrity: Effective controls are maintained over transaction ordering, fulfillment and billing

Information protection: Effective controls are maintained over data


23-5

The nature of SysTrust

An engagement where the PA evaluates a company’s computer system using the following principles (Table 23-1):– Security– Availability– Processing integrity– Online Privacy– Confidentiality


23-6

Advanced information systems

Such systems have one or more of the following characteristics:– Custom-designed operational or strategic

information systems– Use of database management systems– Use of data communications (including Internet)– Use of paperless systems– Complex hardware or software processing

configuration


23-7

Strategic information systems

Such systems provide a competitive advantage or improve efficiency within an entity

Should they fail or have errors, they increase costs and risks to the business

When systems are so strategic that they could affect the ability of the entity to continue as a going concern if they fail, then the auditor takes a close look at the disaster recovery planning process


23-8

Custom software

Custom software is unique software designed for the entity

It can be developed by in-house personnel or by external professionals

The key reasons such software is chosen by entities is to provide a competitive advantage, or to better match the needs of the business


23-9

Risks associated with custom software (Figure 23-1)

Such systems are costly, having lengthy development times, up to several years

This increases the risk of additional costs Rigorous testing is required, and such

systems are difficult to fully test or ensure that they are error free


23-10

Audit impact of custom software

The auditor would need to examine the systems development process to identify the likelihood of errors or unauthorized programs

If the risk of errors or unauthorized programs exists, then the auditor would need to look for manual compensating controls


23-11

Database management system components


23-12

Databases versus database management systems

Many software packages use a database as an underlying file structure. This is the collection of data that is shared and used by different users within the software.

A database management system is the software that is used to create, maintain and operate the database.


23-13

Effects of database management systems (DBMS) on internal

controls

The existence of a separate database management system with a separate database administration function at an organization adds complexity

All areas of general controls are affected


23-14

DBMS effects on: organization and management controls

The database administrator should be segregated from other functions, such as data authorization

The auditor needs to document the responsibilities of the database administrator and document and test segregation of duties


23-15

DBMS effects on: systems acquisition, development and

maintenance

Added controls should exist to ensure that: (1) the database is developed in accordance

with business needs and (2) programs accessing the database are

accurate, authorized, and control concurrent options (preventing multiple individuals from accessing the same data element at the same time)


23-16

DBMS effects on: operations and information systems support

Controls should exist to provide security over the data dictionary and the data

Each application cycle needs to be examined for controls over:– Data ownership, access and update procedures– Existence and quality of passwords– Segregation of duties


23-17

Practice problem 23-20 (pp. 656-57)

Identify controls required for a database management system in a hospital patient care situation

Discuss risks with respect to data exposure


23-18

Paperless systems

A wide variety of paperless systems exist. Here we describe those that are related to business data communications:

EDI (electronic data interchange), the transfer of standard business documents

EFT (electronic funds transfer), or electronic commerce, the transfer of money electronically


23-19

Impact of paperless systems on the audit engagement

Where there is no paper trail, the auditor may be required to use computer assisted audit testing to test the transactions directly, or to evaluate programmed controls

Without a paper trail, the auditor may have no choice but to rely upon programmed controls, which require adequate general controls for reliance


23-20

Potential data communications risk points


23-21

Practice problem 23-21 (p. 657)

Identify methods that could be used to steal confidential corporate data

How could these risks be mitigated?


23-22

Risks from and controls for multiple information processing locations (Table 23-3)

Data processed in multiple locations could become inconsistent (one location should have primary responsibility for updating)

Programs could be inaccurate or unauthorized (head office should control program changes)


23-23

Risks from and controls for multiple information processing locations

(Table 23-3, cont’d)

Locations could have unauthorized access to programs or data of other locations (assign clear responsibilities for data and program ownership and change rights)

Data sent from one location to another may not be received (use control totals, record counts, and sequential numbering of transactions with follow up)


23-24


Identify potential sources of virus infection

How could such an infection be prevented?

How can a disaster recovery plan help recover from virus infection?


23-25

Small business information technology (IT) controls

As with other aspects of small business, the quality of the control environment depends upon the attitudes of the owner/manager

He/she should adequately supervise employees, hire only competent employees, and encourage practices such as confidential passwords


23-26

Practical IT controls for the owner/manager

Systems acquisition, development and maintenance: understand the nature of the software used and ensure that only authorized programs are used

Operations and information support: require backups to be made daily, with at least two copies offsite. Provide documentation for ongoing operations


23-27

Practical IT controls for the owner/manager (cont’d)

Application controls (includes controls to prevent fraud): separation of authorization from recording. Perform key activities, such as signing payroll and disbursement cheques, reviewing master file information.


23-28


Assess a small business information technology situation

Identify the activities to be performed by the owner


23-29

Service organizations

Computer service organizations: perform key operational tasks (such as payroll) for the organization

When the client has controls that involve comparing the input details provided by the client to the output details provided by the service provider, reference to controls at the service provider may not be necessary

In other situations, the auditor may need to examine and test controls at the service provider, or request a service auditor’s report


23-30

Outsourcing

Outsourcing is a broader term and encompasses functional tasks or subsystems being executed by independent organizations

This could be programming, human resources, accounting

The same principles apply: controls relevant to the organization’s financial systems need to be assessed

copyright © 2007 pearson education canada 23-1 chapter 23: using advanced skills

Documents

unique software

custom software figure

businesswhen systems

effective controls

information technologydescribe

systems development

business practices

risk of errors