Romney Ais13 PPT 11
Chapter 11: Auditing Computer-Based Information Systems
• Identify the six objectives of an information system audit, and describe how the risk-based audit approach can be used to accomplish these objectives.
• Describe the different tools and techniques auditors use to test software programs and program logic.
• Describe computer audit software, and explain how it is used in the audit of an AIS.
• Audit planning
▫ Why, how, when, and who
▫ Establish scope and objectives of the audit; identify risk
• Collection of audit evidence
• Evaluation of evidence
• Communication of results
• For each audit objective, identify the fraud and errors (threats) that could occur
• Identify the control procedures that prevent, detect, or correct those threats
• Evaluate the control procedures
▫ Systems review: check that the control exists and is in place
▫ Tests of controls: check that the control works as intended
• Determine the effect of any control weaknesses
▫ Consider compensating controls that may offset a weakness
Processing controls
Threats:
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to correct errors identified by data editing procedures
• Errors in files or databases during updating
• Improper distribution of output
• Inaccuracies in reporting
Controls:
• Data editing routines
• Reconciliation of batch totals
• Error correction procedures
• Understandable documentation
• Competent supervision
Source data controls
Threats:
• Inaccurate source data
• Unauthorized source data
Controls:
• User authorization of source data input
• Batch control totals
• Log of receipt, movement, and disposition of source data input
• Turnaround documents
• Check digit and key verification
• Data editing routines
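The source data and processing controls above (data editing routines, check digit verification, batch control totals and their reconciliation) are easier to reason about when run over an actual batch. The following is an added example, not code from the slides or the textbook. It assumes a Luhn (mod 10) check digit (the slides name no algorithm), an assumed department validity table VALID_DEPTS and amount limit AMOUNT_LIMIT, and a constructed four-record batch with three deliberate keying errors so that each control has something to catch.

```python
"""Input controls over one batch of keyed source data: data editing routines,
check-digit verification and reconciliation of batch control totals."""

# Assumed validity table and limit check (not from the slides).
VALID_DEPTS = {"SALES", "OPS", "HR"}
AMOUNT_LIMIT = 1_000_000  # cents; a single posting above this is rejected


def luhn_check_digit(payload: str) -> int:
    """Luhn (mod 10) check digit for `payload`; assumed here because the slides
    do not name a check-digit algorithm."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:      # every second digit, starting with the rightmost payload digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """Key verification of a keyed account number: does its last digit match?"""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == int(number[-1])


def edit_checks(rec: dict) -> list:
    """Data editing routines on one record; returns the names of the failed checks."""
    failures = []
    for name in ("account", "amount", "dept"):          # completeness check
        if rec.get(name) in (None, ""):
            failures.append(f"completeness:{name}")
    acct = str(rec.get("account") or "")
    if not acct.isdigit():                              # field check
        failures.append("field:account")
    elif not luhn_valid(acct):                          # check digit verification
        failures.append("check_digit:account")
    amt = rec.get("amount")
    if not isinstance(amt, int):                        # field check
        failures.append("field:amount")
    elif amt <= 0:                                      # sign check
        failures.append("sign:amount")
    elif amt > AMOUNT_LIMIT:                            # limit check
        failures.append("limit:amount")
    if rec.get("dept") not in VALID_DEPTS:              # validity check
        failures.append("validity:dept")
    return failures


def batch_totals(records: list) -> dict:
    """Record count, financial total and hash total recomputed from keyed data."""
    return {
        "record_count": len(records),
        "financial_total": sum(r["amount"] for r in records if isinstance(r.get("amount"), int)),
        # hash total: sum of a non-financial field, here the account numbers
        "hash_total": sum(int(r["account"]) for r in records if str(r.get("account", "")).isdigit()),
    }


def reconcile(header: dict, records: list) -> dict:
    """Reconciliation of batch totals: header total minus recomputed total for
    every total that does not agree (an empty dict means the batch reconciles)."""
    computed = batch_totals(records)
    return {k: header[k] - computed[k] for k in header if header[k] != computed[k]}


def process_batch(header: dict, records: list) -> dict:
    """Run the edit checks on every record, then reconcile the batch totals."""
    rejected = {i: f for i, r in enumerate(records) if (f := edit_checks(r))}
    return {"rejected": rejected, "total_discrepancies": reconcile(header, records)}


# Constructed sample batch. The header holds the totals the clerk computed from
# the paper source documents; the detail records are what was keyed, with three
# deliberate keying errors so each control has something to catch.
HEADER = {"record_count": 4, "financial_total": 227_500, "hash_total": 1_634_563}
KEYED = [
    {"account": "123455", "amount": 25_000, "dept": "SALES"},   # correct
    {"account": "400002", "amount": 105_000, "dept": "OPS"},    # amount keyed as 105000, source says 150000
    {"account": "987651", "amount": 40_000, "dept": "SLS"},     # department code not in the validity table
    {"account": "213455", "amount": 12_500, "dept": "HR"},      # account transposed from 123455
]

if __name__ == "__main__":
    print(process_batch(HEADER, KEYED))
```

The three errors are caught by three different controls: the bad department code fails the validity check, the transposed account number fails its check digit (and also throws the hash total off), and the mis-keyed amount passes every per-record edit but shows up as a 45,000-cent difference when the financial total is reconciled against the header. That last case is why batch totals sit beside the editing routines rather than replacing them.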
Data file controls
Threats:
• Destruction of stored data from
▫ Errors
▫ Hardware and software malfunctions
▫ Sabotage
• Unauthorized modification or disclosure of stored data
Controls:
• Secure storage of data and restricted physical access
• Logical access controls
• Write-protection and proper file labels
• Concurrent update controls
• Data encryption
• Virus protection
• Backup of data files (offsite)
• System recovery procedures
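Three of the data file controls listed above (proper file labels, write-protection, and concurrent update controls) are mechanical enough to show in code. The following is an added example and is not from the slides or the textbook. It assumes an internal header label with name and generation fields, a write-protect flag, and an optimistic version-check scheme for concurrent updates; the two-clerk posting scenario and the AR_MASTER file are constructed.

```python
"""Controls over a stored master file: internal file label check, write
protection, and a concurrent update control that stops lost updates."""
import threading
from dataclasses import dataclass, field


class WrongFile(Exception):
    """Label on the mounted file does not match what the job expects."""


class WriteProtected(Exception):
    """File is flagged read-only."""


class StaleUpdate(Exception):
    """Record changed since this user read it; the write is refused."""


@dataclass
class FileLabel:
    name: str
    generation: int            # assumed label fields: which generation of the file this is
    write_protected: bool = False


@dataclass
class MasterFile:
    label: FileLabel
    records: dict = field(default_factory=dict)       # key -> (version, value)
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def open_for_update(self, expected_name: str, expected_generation: int) -> None:
        """Proper file label check before processing, then the write-protect check."""
        if (self.label.name, self.label.generation) != (expected_name, expected_generation):
            raise WrongFile(f"mounted {self.label}, expected {expected_name} gen {expected_generation}")
        if self.label.write_protected:
            raise WriteProtected(self.label.name)

    def read(self, key: str) -> tuple:
        with self._lock:
            return self.records[key]

    def update(self, key: str, expected_version: int, new_value: int) -> int:
        """Optimistic concurrent update control: the write succeeds only if the
        record still carries the version the caller read."""
        with self._lock:
            version, _ = self.records[key]
            if version != expected_version:
                raise StaleUpdate(f"{key}: read v{expected_version}, now v{version}")
            self.records[key] = (version + 1, new_value)
            return version + 1


def label_check_outcome(mf: MasterFile, name: str, generation: int) -> str:
    """Report which control, if any, stops a job from opening the file."""
    try:
        mf.open_for_update(name, generation)
        return "ok"
    except WrongFile:
        return "wrong_file"
    except WriteProtected:
        return "write_protected"


def naive_posting(balance: int, deltas: list) -> int:
    """No concurrent update control: every clerk computes from the balance read
    before anyone wrote, so the last writer wins and earlier postings vanish."""
    final = balance
    for d in deltas:
        final = balance + d
    return final


def controlled_posting(mf: MasterFile, key: str, deltas: list) -> tuple:
    """All clerks read the record before any of them writes; each then updates
    with the version it saw, re-reading and retrying when told the read is stale."""
    snapshots = [mf.read(key) for _ in deltas]
    retries = 0
    for (ver, val), d in zip(snapshots, deltas):
        while True:
            try:
                mf.update(key, ver, val + d)
                break
            except StaleUpdate:
                retries += 1
                ver, val = mf.read(key)
    return mf.read(key)[1], retries


def demo() -> dict:
    """Constructed scenario: two clerks post +200 and -300 to the same balance of 1000."""
    mf = MasterFile(FileLabel("AR_MASTER", generation=42))
    mf.records["C100"] = (1, 1000)
    mf.open_for_update("AR_MASTER", 42)
    controlled, retries = controlled_posting(mf, "C100", [200, -300])
    return {"naive": naive_posting(1000, [200, -300]), "controlled": controlled, "retries": retries}


if __name__ == "__main__":
    print(demo())
```

Without the control the +200 posting is silently lost and the balance ends at 700; with the version check the second clerk's write is refused as stale, re-read, and reapplied, giving the correct 900. The label check is what the auditor's "proper file labels" control amounts to in practice: the job refuses to run against the wrong generation of the master file rather than updating it and discovering the mistake later.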