Copyright © 2007 Pearson Education Canada 23-1 Chapter 23: Using Advanced Skills.

Presentation transcript:


Chapter 23 objectives
• Explain how WebTrust and SysTrust help provide assurance over information systems
• Identify characteristics, risks and internal controls for advanced information systems
• List important controls in a small business with respect to information technology
• Describe the impact of a client’s use of a computer service organization upon the audit

What is WebTrust?
• A seal placed on a web site upon completion of an auditor’s report verifying compliance with standards with respect to business practices and controls over electronic commerce transactions
• The purpose is to help provide an independent assurance with respect to the safety of processing transactions at the site

WebTrust principles
• Business practice disclosure: The entity is to disclose its business practices with respect to e-commerce transactions
• Transaction integrity: Effective controls are maintained over transaction ordering, fulfillment and billing
• Information protection: Effective controls are maintained over data

The nature of SysTrust
• An engagement where the PA evaluates a company’s computer system using the following principles (Table 23-1):
  – Security
  – Availability
  – Processing integrity
  – Online Privacy
  – Confidentiality

Advanced information systems
• Such systems have one or more of the following characteristics:
  – Custom-designed operational or strategic information systems
  – Use of database management systems
  – Use of data communications (including Internet)
  – Use of paperless systems
  – Complex hardware or software processing configuration

Strategic information systems
• Such systems provide a competitive advantage or improve efficiency within an entity
• Should they fail or have errors, they increase costs and risks to the business
• When systems are so strategic that they could affect the ability of the entity to continue as a going concern if they fail, then the auditor takes a close look at the disaster recovery planning process

Custom software
• Custom software is unique software designed for the entity
• It can be developed by in-house personnel or by external professionals
• The key reasons entities choose such software are to provide a competitive advantage or to better match the needs of the business

Risks associated with custom software (Figure 23-1)
• Such systems are costly and have lengthy development times, up to several years
• This increases the risk of additional costs
• Rigorous testing is required, and such systems are difficult to fully test or ensure that they are error free

Audit impact of custom software
• The auditor would need to examine the systems development process to identify the likelihood of errors or unauthorized programs
• If the risk of errors or unauthorized programs exists, then the auditor would need to look for manual compensating controls

Database management system components

Databases versus database management systems
• Many software packages use a database as an underlying file structure. This is the collection of data that is shared and used by different users within the software.
• A database management system is the software that is used to create, maintain and operate the database.

Effects of database management systems (DBMS) on internal controls
• The existence of a separate database management system with a separate database administration function at an organization adds complexity
• All areas of general controls are affected

DBMS effects on: organization and management controls
• The database administrator should be segregated from other functions, such as data authorization
• The auditor needs to document the responsibilities of the database administrator and document and test segregation of duties

DBMS effects on: systems acquisition, development and maintenance
• Added controls should exist to ensure that:
  (1) the database is developed in accordance with business needs and
  (2) programs accessing the database are accurate, authorized, and control concurrent options (preventing multiple individuals from accessing the same data element at the same time)

DBMS effects on: operations and information systems support
• Controls should exist to provide security over the data dictionary and the data
• Each application cycle needs to be examined for controls over:
  – Data ownership, access and update procedures
  – Existence and quality of passwords
  – Segregation of duties

Practice problem (pp )
• Identify controls required for a database management system in a hospital patient care situation
• Discuss risks with respect to data exposure

Paperless systems
• A wide variety of paperless systems exist. Here we describe those that are related to business data communications:
• EDI (electronic data interchange), the transfer of standard business documents
• EFT (electronic funds transfer), or electronic commerce, the transfer of money electronically

Impact of paperless systems on the audit engagement
• Where there is no paper trail, the auditor may be required to use computer assisted audit testing to test the transactions directly, or to evaluate programmed controls
• Without a paper trail, the auditor may have no choice but to rely upon programmed controls, which require adequate general controls for reliance

Potential data communications risk points

Copyright © 2007 Pearson Education Canada Practice problem (p. 657)  Identify methods that could be used to steal confidential corporate data  How could these risks be mitigated?

Risks from and controls for multiple information processing locations (Table 23-3)
• Data processed in multiple locations could become inconsistent (one location should have primary responsibility for updating)
• Programs could be inaccurate or unauthorized (head office should control program changes)

Risks from and controls for multiple information processing locations (Table 23-3, cont’d)
• Locations could have unauthorized access to programs or data of other locations (assign clear responsibilities for data and program ownership and change rights)
• Data sent from one location to another may not be received (use control totals, record counts, and sequential numbering of transactions with follow up)
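
The three transfer controls named in the last point (record counts, control totals, sequential numbering) can be checked together at the receiving location. The sketch below is an added example, not material from the slides; the `Txn` and `BatchHeader` structures and all sample values are constructed for illustration. It shows why the controls are used in combination: a lost record offset by a duplicated one leaves the record count unchanged.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    seq: int         # sequential number assigned by the sending location
    amount: Decimal

@dataclass(frozen=True)
class BatchHeader:   # hypothetical trailer sent alongside the batch
    first_seq: int
    record_count: int
    control_total: Decimal

def reconcile(header, received):
    """Return (control, detail) exceptions for follow-up; [] means the batch agrees."""
    findings = []
    if len(received) != header.record_count:
        findings.append(("record_count", (header.record_count, len(received))))
    total = sum((t.amount for t in received), Decimal("0"))
    if total != header.control_total:
        findings.append(("control_total", (header.control_total, total)))
    expected = set(range(header.first_seq, header.first_seq + header.record_count))
    seen = [t.seq for t in received]
    missing = sorted(expected - set(seen))
    duplicated = sorted({s for s in seen if seen.count(s) > 1})
    unexpected = sorted(set(seen) - expected)
    if missing:
        findings.append(("missing_seq", missing))
    if duplicated:
        findings.append(("duplicate_seq", duplicated))
    if unexpected:
        findings.append(("unexpected_seq", unexpected))
    return findings

# Constructed sample: five transactions sent by a branch to head office.
SENT = [Txn(1001, Decimal("100.00")), Txn(1002, Decimal("250.00")),
        Txn(1003, Decimal("400.00")), Txn(1004, Decimal("300.00")),
        Txn(1005, Decimal("200.00"))]
HEADER = BatchHeader(first_seq=1001, record_count=5, control_total=Decimal("1250.00"))
# Constructed failure: 1003 never arrived and 1005 was delivered twice,
# so the record count still agrees and only the other two controls object.
RECEIVED = [t for t in SENT if t.seq != 1003] + [SENT[-1]]

if __name__ == "__main__":
    print(reconcile(HEADER, SENT))
    for finding in reconcile(HEADER, RECEIVED):
        print(finding)
```

Each entry returned by `reconcile` is an exception to follow up with the sending location.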

Copyright © 2007 Pearson Education Canada Practice problem (p. 657)  Identify potential sources of virus infection  How could such an infection be prevented?  How can a disaster recovery plan help recover from virus infection?

Small business information technology (IT) controls
• As with other aspects of small business, the quality of the control environment depends upon the attitudes of the owner/manager
• He/she should adequately supervise employees, hire only competent employees, and encourage practices such as confidential passwords

Copyright © 2007 Pearson Education Canada Practical IT controls for the owner/manager  Systems acquisition, development and maintenance: understand the nature of the software used and ensure that only authorized programs are used  Operations and information support: require backups to be made daily, with at least two copies offsite. Provide documentation for ongoing operations

Practical IT controls for the owner/manager (cont’d)
• Application controls (includes controls to prevent fraud): separation of authorization from recording. Perform key activities, such as signing payroll and disbursement cheques, reviewing master file information.

Copyright © 2007 Pearson Education Canada Practice problem (p. 657)  Assess a small business information technology situation  Identify the activities to be performed by the owner

Service organizations
• Computer service organizations: perform key operational tasks (such as payroll) for the organization
• When the client has controls that involve comparing the input details provided by the client to the output details provided by the service provider, reference to controls at the service provider may not be necessary
• In other situations, the auditor may need to examine and test controls at the service provider, or request a service auditor’s report

Outsourcing
• Outsourcing is a broader term and encompasses functional tasks or subsystems being executed by independent organizations
• This could be programming, human resources, accounting
• The same principles apply: controls relevant to the organization’s financial systems need to be assessed