1 / 33

Chapter 12 Information Technology Auditing

Chapter 12 Information Technology Auditing. Introduction The Audit Function The IT Auditor’s Toolkit Auditing the Computerized AIS Information Technology Auditing Today. The Audit Function. The function of an audit is to examine and to give assurance.

fionan
Télécharger la présentation

Chapter 12 Information Technology Auditing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 12Information Technology Auditing • Introduction • The Audit Function • The IT Auditor’s Toolkit • Auditing the Computerized AIS • Information Technology Auditing Today

  2. The Audit Function The function of an audit • is to examine and to give assurance. • will differ according to the subject under examination. • can be internal, or external • always involves the accounting information systems Information technology auditing discusses • internal auditing, • External auditing, and • IT auditing.

  3. Internal Auditing An internal audit, which preserves its objectivity • is carried out by company personnel reporting to • the Audit Committee of the Board of Directors (preferable) • Top management (on departmental efficiency audits) • is external to the corporate department ordivision being audited • concerns compliance to company policies & procedures • involves an evaluation of internal controls and fraud • tests for efficiency, effectiveness and economy Cynthia Cooper – WorldCom internal auditor and whistleblower

  4. External Auditing The external audit • is carried out by independent accountants • has the attest function as its chief purpose confirming • the fairness of financial statements in all material respects • Has a secondary purpose - to test that internal controls are strong and can be relied on to catch errors and fraud (the stronger the controls, the smaller the audit risk, and the less work an auditor has to do).

  5. A raised eyebrow indicates professional skepticism The Attest Function Auditor ? ? ? Information Management Stakeholders

  6. Information Risk

  7. The IT Audit The IT audit function encompasses

  8. Careers in Information Systems Auditing The demand for IT auditors is growing • increasing use of computer-based AISs • systems becoming more technologically complex • passing of the Sarbanes-Oxley bill IT auditing requires a variety of skills, combining • accounting and • information systems or computer science skills.

  9. The Information Technology Auditor’s Toolkit IT auditors need to have • the technical skills to understand the vulnerabilities in • hardware and software • use of appropriate software to do their jobs • general-use software such as • word processing programs, • spreadsheet software, and • database management systems. • generalized audit software (GAS), and • automated workpaper software.

  10. The Information Technology Auditor’s Toolkit • people skills • to work as a team • to interact with clients and other auditors, • to interview many people constantly for evaluation • can’t just be a technical nerd!

  11. Careers in Information Systems Auditing Information systems auditors • may be internal or external • can obtain professional certification as a Certified Information Systems Auditor (CISA) • Pass exam • Five years of experience (some exceptions) • 40 hours of CPE/year • can also acquire certification as Certified Information Security Managers (CISM)

  12. General-Use Software Auditors use general-use software as productivity tools to improve their work such as • spreadsheets and • database management systems (e.g. Access) Auditors often use structured query language (SQL) • to retrieve a client’s data and • display these data for audit purposes.

  13. Generalized Audit Software Generalized audit software (GAS) packages • are specifically tailored to auditor tasks • have been developed in-house in large firms, or • are available from various software suppliers • automates working papers and trial balances • Examples of GAS are • Audit Command Language (ACL) • Interactive Data Extraction Analysis (IDEA) • FAST! (Financial Audit Systems Technology)

  14. Auditing Computerized AIS-Auditing Around the Computer Auditing around the computer • Compares output with input; assumes that accurate output verifies proper processing operations • pays little or no attention to the controlprocedures within the IT environment • is generally not an effective approach toauditing in a computerized environment. CPTR

  15. Auditing Computerized AIS-Auditing Through the Computer CPTR Five techniques to audit a computerized AIS are: • use of test data, integrated test facility, and parallelsimulation to test programs, • use of audit techniques to validate computer programs, • use of logs and specialized control software toreview systems software, • use of documentation and CAATs to validateuser accounts and access privileges, and • use of embedded audit modules to achievecontinuous auditing.

  16. Testing ComputerPrograms - Test Data (test deck) CPTR The auditor’s responsibility is to • develop test data (or test deck from deck of cards) • that tests the range of exception situations • arrange the data in preparation for processing • compare output with a predetermined set of answers • investigate further if the results do not agree Test data (or test deck, named from punch card days) • can check if program edit test controls are in place and working • can be developed using software programs called test data generators • But may contaminate real data with fake data

  17. Testing Computer Programs -Integrated Test Facility CPTR An integrated test facility (ITF) • establishes a fictitious entity such as a department, branch, customer, or employee, • enters transactions for that entity, and • observes how these transactions are processed. • is effective in evaluating integrated onlinesystems and complex programming logic, and • aims to audit an AIS in an operational setting. • May contaminate real data with fake data

  18. Testing Computer Programs -Parallel Simulation CPTR In parallel simulation, the auditor • uses live input data, rather than test data, in aseparate program, which • is written or controlled by the auditor • simulates all or some of the operations ofthe real program that is actually in use. • needs to understand the client system, • should possess sufficient technical knowledge, and • should know how to predict the results CPTR

  19. Testing Computer Programs -Parallel Simulation Parallel simulation • eliminates the need to prepare aset of test data, • can be very time-consuming andthus cost-prohibitive • usually involves replicating onlycertain critical functions of a program • But reduces the chance of contaminating real data with fake data CPTR CPTR

  20. Validating Computer Programs Auditors • must validate any program presented to them • to thwart a clever programmer’s dishonest program Procedures that assist in program validation are 1. tests of program change control • begins with an inspection of the documentation • includes program authorization forms to be filled • ensures accountability and adequate supervisory controls 2. program comparison • guards against unauthorized program tampering • performs certain control total tests of program authenticity • using a test of length • using a comparison program

  21. Review of Systems Software Systems software includes • operating system software, • utility programs, • program library software, and • access control software.

  22. Review of Systems Software • Auditors should first review systems software documentation. • Next, auditors should review incident reports, which list events that are • unusual or interrupt operations • security violations (such as unauthorized access attempts), • hardware failures, and • software failures

  23. Validating Users and Access Privileges The IT auditor • needs to verify that the software parameters are set appropriately • must make sure that IT staff are using them appropriately • needs to make sure that all users • are valid and • each has access privileges appropriate to their job There are a variety of auditor software tools which can scan settings and access logs

  24. Password Parameters

  25. Continuous Approach Continuous auditing can be achieved by • embedded audit modules or audit hooks • application subroutines capture data for audit purposes • exception reporting • mechanisms reject certain transactionsthat fall outside preset limits • transaction tagging • tags transactions with a special identifiers • snapshot technique • Examines how transactions are processed (e.g. macro, step-by-step)

  26. The Sarbanes-Oxley Act of 2002 In 2002, Congress passed the Sarbanes-Oxley Act, which was response to the accounting scandals of Enron, Worldcom, etc. As Congress studied these frauds, it realized that one of the big problems was a weakness in internal controls. Sen. Paul Sarbanes Representative Mike Oxley

  27. The Sarbanes-Oxley Act of 2002 Some important provisions of SOX for auditors are • Section 201 – prohibits public accounting firms from offering most nonaudit services to clients at the same time they are conducting audits (conflict of interest). • Section 302 – requiring CFOs and CEOs to certify that their company’s financial statements are accurate and complete • Section 404 –requiring both the CEO and CFO to attest to their organization’s internal controls over financial reporting

  28. Continuous Auditing – Spreadsheet Errors

  29. Continuous Auditing – Spreadsheet Errors Sleuthing With Excel Excel 2010 and 2012 • Formula Auditing: On the top menu of Excel, go to Formulas, see Formula Auditing section. Perform the error checking function to find and correct the formula errors. You can also display Precedent and Dependent arrows to show the formula pattern among the cells. • Data Validation: On the top menu of Excel, go to Data and then under the Data Tools section, go to Data Validation. Use the validation tool to verify data as it is being entered. For example, highlight the payrate range and set the data validation decimal feature between $7.50 and $40.00. From this point on, any data entered in the payrate range that does not fall between these two values will be flagged.

  30. Benford’s Law Physicist Frank Benford figured out the probability that certain digits form part of financial numbers. For example, the numeral 1 should occur as the first digit in any multiple-digit number about 31% of the time, while 9 should occur as the first digit only 5% of the time. As you can see below, the numbers in digit 1,2,5,6 & 7 are suspicious.

  31. Third-Party Assurance Internet systems and web sites • are a source of risk for many companies, • need specialized audits of these systems, • have created a market for third-party assurance services, which • is limited to data privacy.

  32. Third-Party Assurance The AICPA introduced Trust Services an assurance service. The principles of Trust Services are • security, • availability, • processing integrity, • online privacy, and • confidentiality.

  33. Privacy Issues • Have a privacy policy for your website • Have an audit done by professionals who provide a privacy seal • Truste • BBB Online • Webtrust

More Related