copyright © 2015 pearson education, inc. auditing computer-based information systems chapter 11...

Copyright © 2015 Pearson Education, Inc.

Auditing Computer-Based Information SystemsChapter 11

11-1


Learning Objectives• Describe the nature, scope, and objectives of audit work, and identify the

major steps in the audit process.

• Identify the six objectives of an information system audit, and describe how the risk-based audit approach can be used to accomplish these objectives.

• Describe the different tools and techniques auditors use to test software programs and program logic.

• Describe computer audit software, and explain how it is used in the audit of an AIS.

• Describe the nature and scope of an operational audit.11-2


Auditing

•The process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria

11-3


Major Steps in the Auditing Process

•Audit planning▫Why, how, when, and who▫Establish scope and objectives of the audit; identify risk

•Collection of audit evidence•Evaluation of evidence•Communication of results

11-4


Risk-Based Framework

•Identify fraud and errors (threats) that can occur that threaten each objective

•Identify control procedures (prevent, detect, correct the threats)

•Evaluate control procedures▫Review to see if control exists and is in place▫Test controls to see if they work as intended

•Determine effect of control weaknesses▫Compensating controls

11-5


Information Systems Audit•Using the risk-based framework for an information systems

audit allows the auditor to review and evaluate internal controls that protect the system to meet each of the following objectives:▫Protect overall system security (includes computer equipment,

programs, and data)▫Program development and acquisition occur under management

authorization▫Program modifications occur under management authorization▫Accurate and complete processing of transactions, records, files,

and reports▫Prevent, detect, or correct inaccurate or unauthorized source data▫Accurate, complete, and confidential data files

11-6


1. Protect Overall System Security Controls

• Theft of hardware• Damage of hardware (accidental and

intentional)• Loss, theft, unauthorized access to

▫ Programs▫ Data

• Unauthorized modification or use of programs and data files

• Unauthorized disclosure of confidential data

• Interruption of crucial business activities

• Limit physical access to computer equipment

• Use authentication and authorization controls

• Data storage and transmission controls

• Virus protection and firewalls• File backup and recovery procedures• Disaster recovery plan• Preventive maintenance• Insurance

Threats

11-7


2. Program Development and Acquisition Occur under Management Authorization

Threat Controls

• Inadvertent programming errors• Unauthorized program code

• Review software license agreements• Management authorization for:

▫ Program development▫ Software acquisition

• Management and user approval of programming specifications

• Testing and user acceptance of new programs

• Systems documentation

11-8


3. Program Development and Acquisition Occur under Management AuthorizationThreat Controls

• Inadvertent programming errors• Unauthorized program code

• List program components to be modified

• Management authorization and approval for modifications

• User approval for modifications• Test changes to program• System documentation of changes• Logical access controls

11-9


4. Accurate and Complete Processing of Transactions, Records, Files, and Reports

Threats Controls

• Failure to detect incorrect, incomplete, or unauthorized input data

• Failure to correct errors identified from data editing procedures

• Errors in files or databases during updating

• Improper distribution of output• Inaccuracies in reporting

• Data editing routines• Reconciliation of batch totals• Error correction procedures• Understandable documentation• Competent supervision

11-10


5. Prevent, Detect, or Correct Inaccurate or Unauthorized Source Data

Threat Controls

• Inaccurate source data• Unauthorized source data

• User authorization of source data input

• Batch control totals• Log receipt, movement, and

disposition of source data input• Turnaround documents• Check digit and key verification• Data editing routines

11-11


6. Accurate, Complete, and Confidential Data Files

Threats Controls

• Destruction of stored data from▫ Errors▫ Hardware and software

malfunctions▫ Sabotage

• Unauthorized modification or disclosure of stored data

• Secure storage of data and restrict physical access

• Logical access controls• Write-protection and proper file

labels• Concurrent update controls• Data encryption• Virus protection• Backup of data files (offsite)• System recovery procedures

11-12


Audit Techniques Used to Test Programs•Integrated Test Facility

▫Uses fictitious inputs•Snapshot Technique

▫Master files before and after update are stored for specially marked transactions

•System Control Audit Review File (SCARF)▫Continuous monitoring and storing of transactions that

meet pre-specifications•Audit Hooks

▫Notify auditors of questionable transactions•Continuous and Intermittent Simulation

▫Similar to SCARF for DBMS 11-13


Software Tools Used to Test Program Logic•Automated flowcharting program

▫Interprets source code and generates flowchart•Automated decision table program

▫Interprets source code and generates a decision table•Scanning routines

▫Searches program for specified items•Mapping programs

▫Identifies unexecuted code•Program tracing

▫Prints program steps with regular output to observe sequence of program execution events 11-14


Computer Audit Software

•Computer assisted audit software that can perform audit tasks on a copy of a company’s data. Can be used to:▫Query data files and retrieve records based upon specified

criteria▫Create, update, compare, download, and merge files▫Summarize, sort, and filter data▫Access data in different formats and convert to common

format▫Select records using statistical sampling techniques▫Perform analytical tests▫Perform calculations and statistical tests 11-15


Operational Audits

•Purpose is to evaluate effectiveness, efficiency, and goal achievement. Although the basic audit steps are the same, the specific activities of evidence collection are focused toward operations such as:▫Review operating policies and documentation▫Confirm procedures with management and operating personnel▫Observe operating functions and activities▫Examine financial and operating plans and reports▫Test accuracy of operating information▫Test operational controls

11-16


Key Terms• Auditing• Internal auditing• Financial audit• Information systems audit• Operational audit• Compliance audit• Investigative audit• Inherent risk• Control risk• Detection risk• Confirmation• Reperformance• Vouching• Analytical review

• Materiality• Reasonable assurance• Systems review• Test of controls• Compensating controls• Source code comparison program• Reprocessing• Parallel simulation• Test data generator• Concurrent audit techniques• Embedded audit modules• Integrated test facility (ITF)• Snapshot technique• System control audit review file

(SCARF)• Audit log

11-17


Key Terms (continued)

• Audit hooks• Continuous and intermittent

simulation (CIS)• Automated flowcharting program• Automated decision table program• Scanning routines• Mapping programs• Program tracing

• Input controls matrix• Computer-assisted audit techniques

(CAAT)• Generalized audit software (GAS)

11-18

copyright © 2015 pearson education, inc. auditing computer-based information systems chapter 11...

Documents