
Chapter 23: Using Advanced Skills
Copyright © 2007 Pearson Education Canada

Slide 23-1: Chapter 23: Using Advanced Skills

Slide 23-2: Chapter 23 objectives

Explain how WebTrust and SysTrust help provide assurance over information systems

Identify the characteristics, risks, and internal controls for advanced information systems

List important controls in a small business with respect to information technology

Describe the impact of a client’s use of a computer service organization upon the audit

Slide 23-3: What is WebTrust?

A seal placed on a web site upon completion of an auditor’s report verifying compliance with standards with respect to business practices and controls over electronic commerce transactions

The purpose is to help provide an independent assurance with respect to the safety of processing transactions at the site

Slide 23-4: WebTrust principles

Business practice disclosure: The entity is to disclose its business practices with respect to e-commerce transactions

Transaction integrity: Effective controls are maintained over transaction ordering, fulfillment and billing

Information protection: Effective controls are maintained over data

Slide 23-5: The nature of SysTrust

An engagement where the PA evaluates a company’s computer system using the following principles (Table 23-1):
– Security
– Availability
– Processing integrity
– Online privacy
– Confidentiality

Slide 23-6: Advanced information systems

Such systems have one or more of the following characteristics:
– Custom-designed operational or strategic information systems
– Use of database management systems
– Use of data communications (including the Internet)
– Use of paperless systems
– Complex hardware or software processing configuration

Slide 23-7: Strategic information systems

Such systems provide a competitive advantage or improve efficiency within an entity

Should they fail or have errors, they increase costs and risks to the business

When systems are so strategic that they could affect the ability of the entity to continue as a going concern if they fail, then the auditor takes a close look at the disaster recovery planning process

Slide 23-8: Custom software

Custom software is unique software designed for the entity

It can be developed by in-house personnel or by external professionals

The key reasons entities choose such software are to gain a competitive advantage or to better match the needs of the business

Slide 23-9: Risks associated with custom software (Figure 23-1)

Such systems are costly, with lengthy development times of up to several years

This increases the risk of additional costs

Rigorous testing is required, yet such systems are difficult to fully test or to ensure that they are error free

Slide 23-10: Audit impact of custom software

The auditor would need to examine the systems development process to identify the likelihood of errors or unauthorized programs

If the risk of errors or unauthorized programs exists, then the auditor would need to look for manual compensating controls

Slide 23-11: Database management system components

Slide 23-12: Databases versus database management systems

Many software packages use a database as an underlying file structure. This is the collection of data that is shared and used by different users within the software.

A database management system is the software that is used to create, maintain and operate the database.

Slide 23-13: Effects of database management systems (DBMS) on internal controls

The existence of a separate database management system with a separate database administration function at an organization adds complexity

All areas of general controls are affected

Slide 23-14: DBMS effects on organization and management controls

The database administrator should be segregated from other functions, such as data authorization

The auditor needs to document the responsibilities of the database administrator and document and test segregation of duties

Slide 23-15: DBMS effects on systems acquisition, development and maintenance

Added controls should exist to ensure that: (1) the database is developed in accordance with business needs, and (2) programs accessing the database are accurate, authorized, and control concurrent access (preventing multiple individuals from updating the same data element at the same time)

Slide 23-16: DBMS effects on operations and information systems support

Controls should exist to provide security over the data dictionary and the data

Each application cycle needs to be examined for controls over:
– Data ownership, access and update procedures
– Existence and quality of passwords
– Segregation of duties

Slide 23-17: Practice problem 23-20 (pp. 656-57)

Identify controls required for a database management system in a hospital patient care situation

Discuss risks with respect to data exposure

Slide 23-18: Paperless systems

A wide variety of paperless systems exist. Here we describe those that are related to business data communications:

EDI (electronic data interchange), the transfer of standard business documents

EFT (electronic funds transfer), or electronic commerce, the transfer of money electronically

Slide 23-19: Impact of paperless systems on the audit engagement

Where there is no paper trail, the auditor may be required to use computer assisted audit testing to test the transactions directly, or to evaluate programmed controls

Without a paper trail, the auditor may have no choice but to rely upon programmed controls, which require adequate general controls for reliance

Slide 23-20: Potential data communications risk points

Slide 23-21: Practice problem 23-21 (p. 657)

Identify methods that could be used to steal confidential corporate data

How could these risks be mitigated?

Slide 23-22: Risks from and controls for multiple information processing locations (Table 23-3)

Data processed in multiple locations could become inconsistent (one location should have primary responsibility for updating)

Programs could be inaccurate or unauthorized (head office should control program changes)

Slide 23-23: Risks from and controls for multiple information processing locations (Table 23-3, cont’d)

Locations could have unauthorized access to programs or data of other locations (assign clear responsibilities for data and program ownership and change rights)

Data sent from one location to another may not be received (use control totals, record counts, and sequential numbering of transactions with follow up)
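The last control on this slide (control totals, record counts and sequential numbering with follow-up) is mechanical enough to show in code. The following Python is an added example, not material from the textbook: the sending location computes a control record for a batch, and the receiving location recomputes it and checks the sequence range so that lost or duplicated transactions are named for follow-up. The batch, the account numbers and the amounts are constructed for the example, and the hash total (a sum of account numbers that has no business meaning) is the classic auditing check used only to detect altered or missing records.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample batch as the sending location would release it.
# Account numbers and amounts are made up for this example.
SENT_BATCH = [
    {"seq": 1, "account": "1001", "amount": "125.00"},
    {"seq": 2, "account": "1002", "amount": "89.50"},
    {"seq": 3, "account": "1003", "amount": "1000.00"},
    {"seq": 4, "account": "1004", "amount": "42.25"},
    {"seq": 5, "account": "1005", "amount": "310.75"},
]


@dataclass(frozen=True)
class ControlRecord:
    """Trailer the sender transmits alongside the batch."""
    record_count: int       # number of transactions in the batch
    control_total: Decimal  # sum of the amount field
    hash_total: int         # sum of account numbers; meaningless except as a check
    first_seq: int          # lowest transaction sequence number
    last_seq: int           # highest transaction sequence number


def build_control_record(batch):
    """Compute the control record for a batch (run by sender and receiver alike)."""
    seqs = [rec["seq"] for rec in batch]
    return ControlRecord(
        record_count=len(batch),
        control_total=sum((Decimal(rec["amount"]) for rec in batch), Decimal("0")),
        hash_total=sum(int(rec["account"]) for rec in batch),
        first_seq=min(seqs) if seqs else 0,
        last_seq=max(seqs) if seqs else 0,
    )


def verify_batch(received, control):
    """Reconcile a received batch against the sender's control record.

    Returns a dict: 'reconciles' is True only when every check passes;
    'issues' lists readable discrepancies for follow-up, and
    'missing_seq' / 'duplicate_seq' name the specific transactions to chase.
    """
    issues = []
    recomputed = build_control_record(received)

    if recomputed.record_count != control.record_count:
        issues.append(f"record count {recomputed.record_count} != expected {control.record_count}")
    if recomputed.control_total != control.control_total:
        issues.append(f"control total {recomputed.control_total} != expected {control.control_total}")
    if recomputed.hash_total != control.hash_total:
        issues.append(f"hash total {recomputed.hash_total} != expected {control.hash_total}")

    # Sequence check: every number in the sender's range must appear exactly once.
    seqs = [rec["seq"] for rec in received]
    expected = set(range(control.first_seq, control.last_seq + 1))
    missing = sorted(expected - set(seqs))
    duplicates = sorted(s for s in set(seqs) if seqs.count(s) > 1)
    unexpected = sorted(set(seqs) - expected)
    if missing:
        issues.append(f"missing sequence numbers {missing}")
    if duplicates:
        issues.append(f"duplicated sequence numbers {duplicates}")
    if unexpected:
        issues.append(f"sequence numbers outside sender's range {unexpected}")

    return {
        "reconciles": not issues,
        "issues": issues,
        "missing_seq": missing,
        "duplicate_seq": duplicates,
    }


def demo():
    """Check an intact batch and a copy that lost transaction 3 in transit."""
    control = build_control_record(SENT_BATCH)  # what the sender transmits
    intact = verify_batch(SENT_BATCH, control)
    lost_one = verify_batch([r for r in SENT_BATCH if r["seq"] != 3], control)
    return intact, lost_one


if __name__ == "__main__":
    ok, bad = demo()
    print("intact batch reconciles:", ok["reconciles"])
    print("damaged batch issues:")
    for line in bad["issues"]:
        print("  -", line)
```

The three totals catch different failures: the record count alone cannot distinguish a dropped record from a duplicated one, the control total misses a record replaced by another of equal value, and the hash total catches a record whose account number changed. The sequence check is what turns "something is missing" into a specific transaction the receiving location can ask the sender to resend.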

Slide 23-24: Practice problem 23-22 (p. 657)

Identify potential sources of virus infection

How could such an infection be prevented?

How can a disaster recovery plan help recover from virus infection?

Slide 23-25: Small business information technology (IT) controls

As with other aspects of small business, the quality of the control environment depends upon the attitudes of the owner/manager

He/she should adequately supervise employees, hire only competent employees, and encourage practices such as confidential passwords

Slide 23-26: Practical IT controls for the owner/manager

Systems acquisition, development and maintenance: understand the nature of the software used and ensure that only authorized programs are used

Operations and information support: require backups to be made daily, with at least two copies offsite. Provide documentation for ongoing operations

Slide 23-27: Practical IT controls for the owner/manager (cont’d)

Application controls (including controls to prevent fraud): separate authorization from recording, and personally perform key activities such as signing payroll and disbursement cheques and reviewing master file information.

Slide 23-28: Practice problem 23-23 (p. 657)

Assess a small business information technology situation

Identify the activities to be performed by the owner

Slide 23-29: Service organizations

Computer service organizations: perform key operational tasks (such as payroll) for the organization

When the client has controls that involve comparing the input details provided by the client to the output details provided by the service provider, reference to controls at the service provider may not be necessary

In other situations, the auditor may need to examine and test controls at the service provider, or request a service auditor’s report

Slide 23-30: Outsourcing

Outsourcing is a broader term and encompasses functional tasks or subsystems being executed by independent organizations

This could be programming, human resources, accounting

The same principles apply: controls relevant to the organization’s financial systems need to be assessed