
Auditing Computer-Based Information Systems
Chapter 11

Copyright © 2015 Pearson Education, Inc.


11-1
Learning Objectives
• Describe the nature, scope, and objectives of audit work, and identify the major steps in the audit process.
• Identify the six objectives of an information system audit, and describe how the risk-based audit approach can be used to accomplish these objectives.
• Describe the different tools and techniques auditors use to test software programs and program logic.
• Describe computer audit software, and explain how it is used in the audit of an AIS.
• Describe the nature and scope of an operational audit.


Auditing

• The process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria

Major Steps in the Auditing Process

• Audit planning
▫ Why, how, when, and who
▫ Establish scope and objectives of the audit; identify risk
• Collection of audit evidence
• Evaluation of evidence
• Communication of results

Risk-Based Framework

• Identify fraud and errors (threats) that can occur that threaten each objective
• Identify control procedures (prevent, detect, correct the threats)
• Evaluate control procedures
▫ Review to see if control exists and is in place
▫ Test controls to see if they work as intended
• Determine effect of control weaknesses
▫ Compensating controls

Information Systems Audit
• Using the risk-based framework for an information systems audit allows the auditor to review and evaluate internal controls that protect the system to meet each of the following objectives:
▫ Protect overall system security (includes computer equipment, programs, and data)
▫ Program development and acquisition occur under management authorization
▫ Program modifications occur under management authorization
▫ Accurate and complete processing of transactions, records, files, and reports
▫ Prevent, detect, or correct inaccurate or unauthorized source data
▫ Accurate, complete, and confidential data files
1. Protect Overall System Security
Threats
• Theft of hardware
• Damage of hardware (accidental and intentional)
• Loss, theft, unauthorized access to
▫ Programs
▫ Data
• Unauthorized modification or use of programs and data files
• Unauthorized disclosure of confidential data
• Interruption of crucial business activities

Controls
• Limit physical access to computer equipment
• Use authentication and authorization controls
• Data storage and transmission controls
• Virus protection and firewalls
• File backup and recovery procedures
• Disaster recovery plan
• Preventive maintenance
• Insurance

2. Program Development and Acquisition Occur under Management Authorization

Threats
• Inadvertent programming errors
• Unauthorized program code

Controls
• Review software license agreements
• Management authorization for:
▫ Program development
▫ Software acquisition
• Management and user approval of programming specifications
• Testing and user acceptance of new programs
• Systems documentation

3. Program Modifications Occur under Management Authorization

Threats
• Inadvertent programming errors
• Unauthorized program code

Controls
• List program components to be modified
• Management authorization and approval for modifications
• User approval for modifications
• Test changes to program
• System documentation of changes
• Logical access controls

4. Accurate and Complete Processing of Transactions, Records, Files, and Reports

Threats
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to correct errors identified from data editing procedures
• Errors in files or databases during updating
• Improper distribution of output
• Inaccuracies in reporting

Controls
• Data editing routines
• Reconciliation of batch totals
• Error correction procedures
• Understandable documentation
• Competent supervision

5. Prevent, Detect, or Correct Inaccurate or Unauthorized Source Data

Threats
• Inaccurate source data
• Unauthorized source data

Controls
• User authorization of source data input
• Batch control totals
• Log receipt, movement, and disposition of source data input
• Turnaround documents
• Check digit and key verification
• Data editing routines
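Two of the source data controls listed above, batch control totals and check-digit verification, as an added example (not the textbook's code). The mod-10 Luhn scheme is an assumption, since the slide names no algorithm, and the batch records are constructed.

```python
# Added example: batch control totals and check-digit verification over a
# constructed batch of source documents. Luhn mod-10 is an assumed scheme.

def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a numeric string (assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def valid_account(number: str) -> bool:
    """Check-digit verification: the last digit must match the rest."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])

def batch_totals(records):
    """Control totals prepared from the source documents before data entry."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        # hash total: a sum with no business meaning, used only as a control
        "hash_total": sum(int(r["account"]) for r in records),
    }

def reconcile_batch(records, expected):
    """Return the exceptions found; an empty list means the batch passes."""
    problems = [f"bad check digit: {r['account']}"
                for r in records if not valid_account(r["account"])]
    actual = batch_totals(records)
    problems += [f"{k}: expected {expected[k]}, got {actual[k]}"
                 for k in expected if actual[k] != expected[k]]
    return problems

# Constructed batch and the totals the clerk computed from the paper documents.
BATCH = [
    {"account": "79927398713", "amount": 100.50},
    {"account": "123456782", "amount": 49.50},
]
EXPECTED_TOTALS = {"record_count": 2, "financial_total": 150.0,
                   "hash_total": 80050855495}

if __name__ == "__main__":
    print(reconcile_batch(BATCH, EXPECTED_TOTALS))   # []
```

A keying error in one account number changes both the check digit and the hash total, so the batch is rejected twice over.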

6. Accurate, Complete, and Confidential Data Files

Threats
• Destruction of stored data from
▫ Errors
▫ Hardware and software malfunctions
▫ Sabotage
• Unauthorized modification or disclosure of stored data

Controls
• Secure storage of data and restrict physical access
• Logical access controls
• Write-protection and proper file labels
• Concurrent update controls
• Data encryption
• Virus protection
• Backup of data files (offsite)
• System recovery procedures

Audit Techniques Used to Test Programs
• Integrated Test Facility
▫ Uses fictitious inputs
• Snapshot Technique
▫ Master files before and after update are stored for specially marked transactions
• System Control Audit Review File (SCARF)
▫ Continuous monitoring and storing of transactions that meet prespecified criteria
• Audit Hooks
▫ Notify auditors of questionable transactions
• Continuous and Intermittent Simulation
▫ Similar to SCARF for DBMS
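An added illustration (not from the textbook) of how the snapshot, SCARF and audit hook techniques above could be embedded in a transaction-posting routine. The 10,000 threshold, the watched account, and the transaction and master-file layout are assumptions.

```python
# Added example: an embedded audit module that captures what three concurrent
# audit techniques require while transactions are posted. All data constructed.
from dataclasses import dataclass, field

SCARF_LIMIT = 10_000          # assumed prespecified criterion for SCARF logging
HOOK_ACCOUNTS = {"A-0099"}    # assumed accounts the auditors asked to watch

@dataclass
class AuditTrail:
    scarf: list = field(default_factory=list)      # SCARF: stored transactions
    hooks: list = field(default_factory=list)      # audit hooks: notifications
    snapshots: list = field(default_factory=list)  # snapshot: before/after records

def post_transactions(master, txns, trail):
    """Apply each transaction to the master file; as a side effect, record
    the audit evidence each technique calls for."""
    for t in txns:
        before = dict(master[t["account"]])
        # Audit hook: tell the auditor about activity on a questionable account.
        if t["account"] in HOOK_ACCOUNTS:
            trail.hooks.append(f"HOOK: txn {t['id']} on watched account {t['account']}")
        # SCARF: store the whole transaction when it meets the prespecified criterion.
        if t["amount"] >= SCARF_LIMIT:
            trail.scarf.append(dict(t))
        master[t["account"]]["balance"] += t["amount"]
        # Snapshot: keep the master record before and after a marked transaction.
        if t.get("audit_mark"):
            trail.snapshots.append({"txn": t["id"], "before": before,
                                    "after": dict(master[t["account"]])})
    return master

# Constructed master file and transaction batch.
MASTER = {"A-0001": {"balance": 500.0}, "A-0099": {"balance": 0.0}}
TXNS = [
    {"id": 1, "account": "A-0001", "amount": 250.0},
    {"id": 2, "account": "A-0001", "amount": 12_000.0, "audit_mark": True},
    {"id": 3, "account": "A-0099", "amount": 40.0},
]

def run_example():
    """Post the constructed batch against a copy of the master file."""
    trail = AuditTrail()
    post_transactions({k: dict(v) for k, v in MASTER.items()}, TXNS, trail)
    return trail

if __name__ == "__main__":
    print(run_example())
```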
Software Tools Used to Test Program Logic
• Automated flowcharting program
▫ Interprets source code and generates flowchart
• Automated decision table program
▫ Interprets source code and generates a decision table
• Scanning routines
▫ Searches program for specified items
• Mapping programs
▫ Identifies unexecuted code
• Program tracing
▫ Prints program steps with regular output to observe sequence of program execution events
Computer Audit Software
• Computer-assisted audit software that can perform audit tasks on a copy of a company's data. Can be used to:
▫ Query data files and retrieve records based upon specified criteria
▫ Create, update, compare, download, and merge files
▫ Summarize, sort, and filter data
▫ Access data in different formats and convert to common format
▫ Select records using statistical sampling techniques
▫ Perform analytical tests
▫ Perform calculations and statistical tests
Operational Audits
• Purpose is to evaluate effectiveness, efficiency, and goal achievement. Although the basic audit steps are the same, the specific activities of evidence collection are focused toward operations such as:
▫ Review operating policies and documentation
▫ Confirm procedures with management and operating personnel
▫ Observe operating functions and activities
▫ Examine financial and operating plans and reports
▫ Test accuracy of operating information
▫ Test operational controls
Key Terms
• Auditing
• Internal auditing
• Financial audit
• Information systems audit
• Operational audit
• Compliance audit
• Investigative audit
• Inherent risk
• Control risk
• Detection risk
• Confirmation
• Reperformance
• Vouching
• Analytical review
• Materiality
• Reasonable assurance
• Systems review
• Test of controls
• Compensating controls
• Source code comparison program
• Reprocessing
• Parallel simulation
• Test data generator
• Concurrent audit techniques
• Embedded audit modules
• Integrated test facility (ITF)
• Snapshot technique
• System control audit review file (SCARF)
• Audit log
Key Terms (continued)

• Audit hooks
• Continuous and intermittent simulation (CIS)
• Automated flowcharting program
• Automated decision table program
• Scanning routines
• Mapping programs
• Program tracing
• Input controls matrix
• Computer-assisted audit techniques (CAAT)
• Generalized audit software (GAS)
