Published by Rodney Ball. Modified over 7 years ago.
1
Chapter 1: Auditing, Assurance, and Internal Control
2
Syllabus Course Description Textbooks Course Objectives Exams
Research Papers Assignments Class Schedule Performance Evaluation
3
Syllabus (cont.) Class Format Blackboard and Class Website
Class Format:
- Lecture and Discussion
- In-Class Assignments
- Short Presentations
Blackboard and Class Website: stpt.usf.edu/gkearns/acg6936
Academic Dishonesty
Disruption of the Academic Process
4
IT AUDITS
IT audits provide audit services where processes or data, or both, are embedded in technologies.
- Subject to the ethics, guidelines, and standards of the profession (if certified): CISA
- Most closely associated with ISACA
- Joint with internal, external, and fraud audits
- Scope of IT audit coverage is increasing
- Characterized by CAATTs
- IT governance as part of corporate governance
5
FRAUD AUDITS
Fraud audits provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
- Auditor is more like a detective
- No materiality
- Goal is conviction, if sufficient evidence of fraud exists
- CFE, ACFE
6
EXTERNAL AUDITS
External auditing: the objective is that, in all material respects, the financial statements are a fair representation of the organization’s transactions and account balances.
- SEC’s role
- Sarbanes-Oxley Act
- FASB, PCAOB
- CPA, AICPA
7
ATTEST vs. ASSURANCE
ASSURANCE
Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers.
IT Audit Groups in the “Big Four” (e.g. Final Four):
- IT Risk Management
- I.S. Risk Management
- Operational Systems Risk Management
- Technology & Security Risk Services
Typically a division of assurance services.
8
ATTEST definition Written assertions Practitioner’s written report
Formal establishment of measurement criteria or their description Limited to: Examination Review Application of agreed-upon procedures
9
THE IT ENVIRONMENT
There has always been a need for an effective internal control system. The design and oversight of that system has typically been the responsibility of accountants. The I.T. environment complicates the paper systems of the past:
- Concentration of data
- Expanded access and linkages
- Increase in malicious activities in systems vs. paper
- Opportunity that can cause management fraud (i.e., override)
10
IT Investigative and Forensic Techniques for Auditors
Purpose To assist auditors in developing the knowledge, skills, and abilities to provide reasonable assurance for the security, availability, integrity and management of information systems and resources.
11
The IT Audit An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives.
12
The IT Audit These reviews may be performed in conjunction with a financial statement audit, an internal audit, or other form of attestation engagement. External auditors can accept the result of an internal audit only if the function reports to the audit committee. External auditors may use and rely upon a 3rd party IT audit firm.
13
IT Audit Process: 8 Steps
1. Plan the audit
2. Hold kickoff meeting
3. Gather data/test IT controls
4. Remediate identified deficiencies (organization)
5. Test remediated controls
6. Analyze and report findings
7. Respond to findings (organization)
8. Issue final report (auditor)
14
INTERNAL CONTROL is … policies, practices, procedures … designed to …
safeguard assets ensure accuracy and reliability promote efficiency measure compliance with policies
15
BRIEF HISTORY - SEC SEC acts of 1933 and 1934
All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.
16
BRIEF HISTORY - Copyright
Federal Copyright Act 1976
- Protects intellectual property in the U.S.
- Has been amended numerous times since
- Management is legally responsible for violations of the organization
- U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally
Auditing (Guy) – p
17
Foreign Corrupt Practices Act 1977
BRIEF HISTORY - FCPA
Foreign Corrupt Practices Act 1977
Accounting provisions: the FCPA requires SEC registrants to establish and maintain books, records, and accounts. It also requires establishment of internal accounting controls sufficient to meet these objectives:
- Transactions are executed in accordance with management’s general or specific authorization.
- Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
- Access to assets is permitted only in accordance with management authorization.
- The recorded assets are compared with existing assets at reasonable intervals.
Illegal foreign payments
18
Committee on Sponsoring Organizations - 1992
BRIEF HISTORY - COSO
Committee on Sponsoring Organizations: AICPA, AAA, FEI, IMA, IIA
- Developed a management perspective model for internal controls over a number of years
- Is widely adopted
19
BRIEF HISTORY – S-OX Sarbanes-Oxley Act - 2002
Section 404: Management Assessment of Internal Control
- Management is responsible for establishing and maintaining internal control structure and procedures.
- Must certify by report on the effectiveness of internal control each year, with other annual reports.
Section 302: Corporate Responsibility for Incident Reports
- Financial executives must disclose deficiencies in internal control, and fraud (whether the fraud is material or not).
20
EXPOSURES AND RISK Exposure (definition) Risks (definition)
Types of risk:
- Destruction of assets
- Theft of assets
- Corruption of information or the I.S.
- Disruption of the I.S.
EXPOSURE: Absence or weakness of a control
RISK: Potential threat to compromise use or value of organizational assets
21
THE P-D-C MODEL Preventive controls Detective controls
Corrective controls Which is most cost effective? Which one tends to be proactive measures? Can you give an example of each? Predictive controls
22
COSO (Treadway Commission)
The five components of internal control are:
- The control environment
- Risk assessment
- Information & communication
- Monitoring
- Control activities

Control Environment. According to the COSO Report, the control environment “sets the tone of an organization and influences the control consciousness of its people.” It provides structure and discipline, and forms the foundation for all other components of internal control.
Risk Assessment. Risk assessment refers to the “identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles [GAAP] (or another comprehensive basis of accounting).”
Control Activities. Control activities are the policies and procedures that help ensure that management’s directives are carried out.
Information and Communication. The identification, capture and exchange of information in a form and timeframe that enables people to carry out their responsibilities.
Monitoring. In relation to the COSO report and SAS 78, monitoring refers to the process used to assess the quality of internal control performance over time.
Adequate internal control is a key defense (but no guarantee) against fraud, errors and program abuse.
23
SAS 78 The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) incorporated the components of internal control presented in the COSO Report in its Statement on Auditing Standards No. 78 (SAS 78), entitled “Consideration of Internal Control in a Financial Statement Audit.”
24
SAS 78 (#1:Control Environment -- elements)
Describe how each one could adversely affect internal control.
- The integrity and ethical values
- Structure of the organization
- Participation of audit committee
- Management’s philosophy and style
- Procedures for delegating
Page 13
25
SAS 78 (#1:Control Environment -- elements)
Management’s methods of assessing performance External influences Organization’s policies and practices for managing human resources
26
SAS 78 (#1:Control Environment -- techniques)
Describe a possible activity or tool for each.
- Assess the integrity of the organization’s management
- Conditions conducive to management fraud
- Understand the client’s business and industry
- Determine if the board and audit committee are actively involved
- Study the organization structure
27
SAS 78 (#2:Risk Assessment)
- Changes in environment
- Changes in personnel
- Changes in I.S.
- New IT’s
- Significant or rapid growth
- New products or services (experience)
- Organizational restructuring
- Foreign markets
- New accounting principles
28
SAS 78 (#3:Information & Communication-elements)
Initiate, identify, analyze, classify and record economic transactions and events.
- Identify and record all valid economic transactions
- Provide timely, detailed information
- Accurately measure financial values
- Accurately record transactions
29
SAS 78 (#3:Information & Communication-techniques)
Auditors obtain sufficient knowledge of the I.S.’s to understand:
- Classes of transactions that are material
- Accounting records and accounts used
- Processing steps: initiation to inclusion in financial statements (illustrate)
- Financial reporting process (including disclosures)
30
SAS 78 (#4: Monitoring) By separate procedures (e.g., tests of controls) By ongoing activities (Embedded Audit Modules – EAMs and Continuous Online Auditing - COA)
31
SAS 94: The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit
Provides auditors with guidance on IT’s effect on internal control and on the auditor’s understanding of internal control and the assessment of control risk. Requires the auditor to consider how an organization’s IT use affects his or her audit strategy. Where a significant amount of information is electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such cases, the auditor should gather evidence about the effectiveness of both the design and operation of controls intended to reduce the assessed level of control risk.

SAS No. 94 and Tests of Controls
Under the auditing standards (SAS Nos. 48, 55 and 78) relevant to computer-based systems issued prior to SAS No. 94, a large percentage of auditors assessed control risk at the maximum and performed only substantive tests of account balances and classes of transactions to gather evidence about financial statement assertions. SAS No. 94 recognizes that this approach may not be viable in complex IT environments. When evidence of a firm's initiation, recording and processing of transactions exists only in electronic form, the auditor's ability to obtain the desired assurance only from substantive tests is significantly diminished. SAS No. 94 does not change the requirement to perform substantive tests on significant amounts, but states that "it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests." [3] When assessing the effectiveness of the design and operation of controls in complex IT environments, it is necessary for the auditor to test these controls. The decision to test controls is not related to the size of the firm but to the complexity of the IT environment.
32
SAS 78 (#5: Control Activities)
33
Physical Controls (1-3) Transaction authorization
Examples: sales only to an authorized customer; sales only if within the available credit limit.
Segregation of duties. Examples of incompatible duties:
- Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
- Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
- Fraud requires collusion [e.g., separate various steps in the process]
Supervision: serves as a compensating control when a lack of segregation of duties exists by necessity.
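The transaction-authorization and segregation-of-duties controls on this slide, as an added example that is not from the original slides or the textbook: a sales request is approved only for a customer on the authorized list, only within available credit, and only when the person who authorized it and the person who processed it are different and each holds the role for their step. The customer master data, credit limits, user names and role assignments are constructed for illustration.

```python
# Added example (not from the original slides): transaction authorization and
# segregation-of-duties checks for the sales scenario on the slide.
# Customers, credit limits, users and roles below are constructed sample data.
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed master data: authorized customers with credit limit and open balance.
AUTHORIZED_CUSTOMERS = {
    "C100": {"credit_limit": Decimal("5000.00"), "balance": Decimal("4200.00")},
    "C200": {"credit_limit": Decimal("1000.00"), "balance": Decimal("0.00")},
}

# Constructed role assignments. carol holds both roles, which is the
# incompatible-duties situation the slide warns about.
USER_ROLES = {
    "alice": {"credit_authorizer"},
    "bob": {"sales_processor"},
    "carol": {"credit_authorizer", "sales_processor"},
}

@dataclass
class SaleRequest:
    customer_id: str
    amount: str            # decimal string, e.g. "500.00"
    authorized_by: str
    processed_by: str

@dataclass
class ControlResult:
    approved: bool
    findings: list = field(default_factory=list)

def check_sale(req: SaleRequest) -> ControlResult:
    """Apply the preventive controls and return every failure, not just the first,
    so the audit trail records the complete picture for the transaction."""
    findings = []
    amount = Decimal(req.amount)

    # Control 1: sales only to an authorized customer.
    customer = AUTHORIZED_CUSTOMERS.get(req.customer_id)
    if customer is None:
        findings.append("customer not on authorized list")
    else:
        # Control 2: sales only within available credit (limit minus open balance).
        available = customer["credit_limit"] - customer["balance"]
        if amount > available:
            findings.append(f"amount {amount} exceeds available credit {available}")

    # Control 3: authorization and processing must be done by different people.
    if req.authorized_by == req.processed_by:
        findings.append("same user authorized and processed the sale")
    # Control 4: each actor must hold the role for the step they performed.
    if "credit_authorizer" not in USER_ROLES.get(req.authorized_by, set()):
        findings.append(f"{req.authorized_by} lacks the credit_authorizer role")
    if "sales_processor" not in USER_ROLES.get(req.processed_by, set()):
        findings.append(f"{req.processed_by} lacks the sales_processor role")

    return ControlResult(approved=not findings, findings=findings)

def users_with_incompatible_duties(roles=USER_ROLES) -> list:
    """Detective control: users assigned both of the incompatible roles. This is
    the kind of answer an auditor's review of user rights and privileges produces."""
    incompatible = {"credit_authorizer", "sales_processor"}
    return sorted(user for user, held in roles.items() if incompatible <= held)

if __name__ == "__main__":
    print(check_sale(SaleRequest("C100", "500.00", "alice", "bob")))
    print(check_sale(SaleRequest("C100", "900.00", "carol", "carol")))
    print(users_with_incompatible_duties())
```

The second request fails twice at once (over the credit limit and authorized and processed by the same person); reporting both matters because a reviewer wants to know whether the role design let one person do both, not only that this one sale was rejected.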
34
Physical Controls (4-6) Accounting records (audit trails; examples)
Access controls:
- Direct (the assets)
- Indirect (documents that control the assets)
- Fraud
- Disaster recovery
Independent verification. Management can assess:
- The performance of individuals
- The integrity of the AIS
- The integrity of the data in the records
Examples
35
IT Risks Model Operations Data management systems
New systems development Systems maintenance Electronic commerce (The Internet) Computer applications
36
End Ch. 1
37
Chapter 2: Computer Operations
38
STRUCTURING THE IT FUNCTION
Centralized data processing (as opposed to DDP):
- Database administrator
- Data processing manager/dept.
- Data control
- Data preparation/conversion
- Computer operations
- Data library
CDP: Data in, Information out. CHARGEBACK for costs.
Organization Chart: VP Computer Services or CIO – Systems Development Manager, DBA, DP Manager
1. Data Control -- serves as liaison between end users and DP Manager
2. Data Conversion -- transcribes data from paper to electronic files or media (KP)
3. Computer Operations – processes computer files (data) into Info, manages the processes
4. Data Library – safe offline storage of data files, software [data librarian]
39
STRUCTURING THE IT FUNCTION
Segregation of incompatible IT functions Systems development & maintenance Participants End users IS professionals Auditors Other stakeholders
40
STRUCTURING THE IT FUNCTION
Segregation of incompatible IT functions. Objectives:
- Segregate transaction authorization from transaction processing
- Segregate record keeping from asset custody
- Divide transaction processing steps among individuals to force collusion to perpetrate fraud
- Separate systems development from computer operations
41
STRUCTURING THE IT FUNCTION
Segregation of incompatible IT functions: separating the DBA from other functions. The DBA is responsible for several critical tasks:
- Database security
- Creating database schema and user views
- Assigning database access authority to users
- Monitoring database usage
- Planning for future changes
42
STRUCTURING THE IT FUNCTION
Segregation of incompatible IT functions. Alternative 1: segregate systems analysis from programming. Two types of control problems from this approach:
- Inadequate documentation: a chronic problem. Why? Not interesting; lack of documentation provides job security. Assistance: use of CASE tools.
- Potential for fraud. Examples: salami slicing, trap doors.
Salami slicing: A programmer wrote the software to calculate interest earned on savings accounts in a bank. He had the rounding feature round down if it should have rounded up, and deposited the penny in his account. He made thousands of dollars before he was caught.
Trap door: A programmer writes code into the program that allows him to work around any or all controls in the system, and thus makes it easy to commit fraud. By typing the “magic word”, the programmer is unencumbered by application controls, and maybe system controls.
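An independent-verification control for the rounding fraud described on this slide, as an added example (not from the original slides or the textbook): the auditor recomputes each account's interest from its balance and the documented rate and rounding rule, then reconciles it account by account to what the interest program actually posted. The rate, balances and postings are constructed sample data; the posted figures are deliberately built so that each credit was truncated and the leftover cents landed in one account, the pattern the slide describes.

```python
# Added example (not from the original slides): recomputation and reconciliation
# of posted interest, the detective control that exposes rounding diversion.
# The rate, balances and postings are constructed sample data.
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
RATE = Decimal("0.0325")   # constructed annual rate; monthly interest = balance * RATE / 12

# Constructed account balances, the basis on which interest is earned.
BALANCES = {
    "A1": Decimal("2000.00"),
    "A2": Decimal("3000.00"),
    "A3": Decimal("1000.00"),
    "A4": Decimal("750.00"),
    "P9": Decimal("0.00"),    # zero balance, so it should earn nothing
}

# Constructed postings from the program under audit. Three credits are one cent
# short of the documented rounding rule and the three cents appear in P9.
POSTED = {
    "A1": Decimal("5.41"),
    "A2": Decimal("8.12"),
    "A3": Decimal("2.70"),
    "A4": Decimal("2.03"),
    "P9": Decimal("0.03"),
}

def expected_interest(balance: Decimal, rate: Decimal = RATE) -> Decimal:
    """Monthly interest under the bank's documented rule: round half up to the cent."""
    return (balance * rate / 12).quantize(CENT, rounding=ROUND_HALF_UP)

def reconcile(balances: dict, posted: dict, rate: Decimal = RATE):
    """Per-account comparison of recomputed vs. posted interest.
    Returns (exceptions, net_difference). Many small under-postings offset by an
    over-posting to a single account is the signature of the fraud on the slide."""
    exceptions = []
    net = Decimal("0.00")
    for acct in sorted(set(balances) | set(posted)):
        expected = expected_interest(balances.get(acct, Decimal("0")), rate)
        got = posted.get(acct, Decimal("0.00"))
        diff = got - expected
        net += diff
        if diff != 0:
            exceptions.append((acct, expected, got, diff))
    return exceptions, net

def control_totals_agree(balances: dict, posted: dict, rate: Decimal = RATE) -> bool:
    """Batch-level check only: total recomputed interest vs. total posted.
    Because the diverted cents stay inside the batch, this total still agrees,
    which is why the per-account reconciliation above is the control that matters."""
    total_expected = sum((expected_interest(b, rate) for b in balances.values()), Decimal("0.00"))
    return total_expected == sum(posted.values(), Decimal("0.00"))

if __name__ == "__main__":
    exceptions, net = reconcile(BALANCES, POSTED)
    print("control totals agree:", control_totals_agree(BALANCES, POSTED))
    print("net difference:", net)
    for row in exceptions:
        print("exception:", row)
```

Note that `control_totals_agree` returns True on this data: a single batch total is blind to a redistribution within the batch. The per-account exceptions list, which also flags a credit to an account with no balance, is what surfaces the problem.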
43
STRUCTURING THE IT FUNCTION
Segregation of incompatible IT functions: segregate the data library from operations.
- Physical security of off-line data files
- Implications of modern systems on use of the data library: real-time/online vs. batch processing; the volume of tape files is insufficient to justify a full-time librarian. Alternative: rotate on an ad hoc basis.
- Custody of on-site data backups
- Custody of original commercial software and licenses
44
STRUCTURING THE IT FUNCTION
Segregation of incompatible IT functions. Audit procedures:
- Obtain and review the security policy
- Verify the policy is communicated
- Review relevant documentation (org. chart, mission statement, key job descriptions)
- Review systems documentation and maintenance records (using a sample)
- Verify whether maintenance programmers are also the original design programmers
- Observe segregation policies in practice
- Review the operations room access log
- Review user rights and privileges
Colored text is to emphasize the action verbs that describe WHAT auditors do in actual audit procedures.
45
Computing Models Centralized Processing Client Server Processing
- Client Server Processing: thin or fat clients; 2 to n tiered
- Distributed Computing: using idle processing time
- Distributed Database Computing: replicated or divided
46
STRUCTURING THE IT FUNCTION
The distributed model. Risks associated with DDP:
- Inefficient use of resources
- Mismanagement of resources by end users
- Hardware and software incompatibility
- Redundant tasks
- Destruction of audit trails
- Inadequate segregation of duties
- Hiring qualified professionals
- Increased potential for errors
- Programming errors and system failures
- Lack of standards
47
STRUCTURING THE IT FUNCTION
The distributed model. Advantages of DDP:
- Cost reduction: end user data entry vs. a data control group; application complexity reduced; development and maintenance costs reduced
- Improved cost control responsibility: if IT is critical to success, then managers must control the technologies
- Improved user satisfaction: increased morale and productivity
- Backup flexibility: excess capacity for DRP
48
STRUCTURING THE IT FUNCTION
Controlling the DDP environment. Audit objectives:
- Conduct a risk assessment
- Verify the distributed IT units employ entity-wide standards of performance that promote compatibility among hardware, operating software, applications, and data
49
STRUCTURING THE IT FUNCTION
Controlling the DDP environment. Audit procedures:
- Verify corporate policies and standards are communicated
- Review the current organization chart, mission statement, and key job descriptions to determine if any incompatible duties exist
- Verify compensating controls are in place where incompatible duties do exist
- Review systems documentation
- Verify access controls are properly established
Policies/Standards (review, if they exist); Procedures (observe, question/interview); Audit Trail (substantive procedures); Testing of Controls (verify)
50
THE COMPUTER CENTER Computer center controls Physical location
Avoid human-made and natural hazards. Example: Chicago Board of Trade.
Construction: ideally single-story, underground utilities, windowless, use of filters. If in a multi-storied building, use the top floor (away from traffic flows, and potential flooding in a basement).
Access: physical (locked doors, cameras); manual (access log of visitors).
51
THE COMPUTER CENTER Computer center controls Air conditioning
Air conditioning: especially for mainframes; note the amount of heat even from a group of PCs.
Fire suppression:
- Automatic: usually sprinklers. Gas, such as halon, that smothers fire by removing oxygen can also kill anybody trapped there. Sprinklers and certain chemicals can destroy the computers and equipment.
- Manual methods
Power supply: need for clean power at an acceptable level; uninterruptible power supply (UPS).
52
THE COMPUTER CENTER Computer center controls Audit objectives
- Verify physical security controls are reasonable
- Verify insurance coverage is adequate
- Verify operator documentation is adequate in case of failure
Audit procedures:
- Tests of physical construction
- Tests of fire detection
- Tests of access control
- Tests of backup power supply
- Tests for insurance coverage
- Tests of operator documentation controls
53
PC SYSTEMS Control environment for PCs Controls Risk of physical loss
Risk assessment
Inherent weaknesses:
- Weak access control
- Inadequate segregation of duties
- Multilevel password control – multifaceted access control
Risk of physical loss: laptops, etc. can “walk off”
Risk of data loss:
- Easy for multiple users to access data
- End user can steal, destroy, manipulate
Inadequate backup procedures:
- Local backups on an appropriate medium
- Dual hard drives on the PC
- External/removable hard drive on the PC
INHERENT WEAKNESSES: PCs were designed to be easy-to-use, single-user systems that facilitate access, not restrict it. Controlling PCs rests heavily on physical security controls and the need for an effective access control system.
WEAK ACCESS CONTROL: Booting from a floppy, another hard drive, or a CD-ROM can bypass the logon security procedures.
54
PC SYSTEMS Control environment for PCs
Risk associated with virus infection:
- Policy for obtaining software
- Policy for use of anti-virus software
- Verify no unauthorized software on PCs
Risk of improper SDLC procedures:
- Use of commercial software
- Formal software selection procedures
55
PC SYSTEMS PC systems audit
Audit objectives:
- Verify controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft
- Verify that adequate supervision and operating procedures exist to compensate for the lack of segregation between the duties of users, programmers, and operators
- Verify that backup procedures are in place to prevent data and program loss due to system failures and errors
- Verify that systems selection and acquisition procedures produce applications that are of high quality and protected from unauthorized changes
- Verify the system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar object
56
FIGURE 2.8 – Password Policy
- Proper Dissemination: Promote it, use it during employee training or orientation, and find ways to continue to raise awareness within the organization.
- Proper Length: Use at least 8 characters. The more characters, the more difficult to guess or crack. Eight characters is an effective length to prevent guessing, if combined with the rules below.
- Proper Strength: Use alphabet (letters), numbers (at least 1), and special characters (at least 1). The more non-alpha characters, the harder to guess or crack. Make them case sensitive and mix upper and lower case. A “strong” password for any critical access or key user. The password CANNOT contain a real word in its content.
- Proper Access Levels or Complexity: Use multiple levels of access requiring multiple passwords. Use a password matrix of data to grant read-only, read/write, or no access per data field per user. Use biometrics (such as fingerprints, voice prints). Use supplemental access devices, such as smart cards, or beeper passwords in conjunction with remote logins. Use user-defined procedures.
- Proper Timely Changes: At regular intervals, make employees change their passwords.
- Proper Protection: Prohibit the sharing of passwords or “post-its” with passwords located near one’s computer.
- Proper Deletion: Require the immediate deletion of accounts for terminated employees, to prevent an employee from being able to perpetrate adverse activities.
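A checker for the length and strength elements of this password policy, as an added example that is not from the original slides: at least 8 characters, at least one digit, at least one special character, mixed upper and lower case, and no real word in the content. The minimum length and the character rules come from the slide; the short word list is a constructed stand-in for the dictionary a deployed checker would load, and the "4 or more letters" threshold for what counts as a word is an assumption.

```python
# Added example (not from the original slides): a validator for the password
# policy on FIGURE 2.8. The word list is a constructed stand-in for a dictionary.
import re
import string

MIN_LENGTH = 8                                   # from the slide: at least 8 characters
SPECIALS = set(string.punctuation)               # what counts as a special character
# Constructed dictionary stand-in; a real checker loads a full word list.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein", "monkey"}
WORD_RUN = re.compile(r"[A-Za-z]{4,}")           # assumption: a "word" is 4+ letters

def password_findings(pw: str) -> list:
    """Return the list of policy rules the password violates; empty means compliant.
    Every rule is evaluated so the user learns all problems at once."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        findings.append("no digit")
    if not any(c in SPECIALS for c in pw):
        findings.append("no special character")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        findings.append("not mixed case")
    # "Cannot contain a real word": check each alphabetic run, case-insensitively,
    # because the rule is about the content, not about the whole password
    # being equal to a word.
    for run in WORD_RUN.findall(pw):
        if run.lower() in DICTIONARY:
            findings.append(f"contains the word '{run.lower()}'")
    return findings

def is_compliant(pw: str) -> bool:
    return not password_findings(pw)

if __name__ == "__main__":
    for candidate in ["Summer2024!", "Tr7#qL9!vZ", "abc", "PASSWORD1!"]:
        print(candidate, "->", password_findings(candidate) or "compliant")
```

"Summer2024!" satisfies every character rule yet still fails, because the policy's "no real word" clause is a content rule, not a character-class rule; a checker that only counts character classes would wrongly accept it.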
57
SYSTEM-WIDE CONTROLS: E-mail risks
- Spoofing
- Spamming
- Hoax virus warnings
- Flaming
- Malicious attachments (e.g., viruses)
- Phishing
- Pharming
58
SYSTEM-WIDE CONTROLS: Malicious objects risk
- Virus
- Worm
- Logic bomb
- Back door / trap door
- Trojan horse
Potential control procedures; audit objective; audit procedures
59
SYSTEM-WIDE CONTROLS Controlling electronic audit trails
Keystroke monitoring (keystroke log)
Event monitoring (key events log)
Audit trail objectives:
- Detecting unauthorized access
- Reconstructing events
- Personal accountability
Implementing an audit trail
Transaction logs
Keystroke monitoring: the equivalent of a telephone wiretap. Records both the user’s keystrokes and the system’s responses.
Event monitoring: summarizes key events related to users. Records: ID, time and duration of session, programs that were executed during the session, and the files, databases, printers and network resources used during the session.
AUDIT TRAIL OBJECTIVES:
1. Detecting Unauthorized Access: Can occur in REAL TIME or after the fact (POST HOC). The primary objective is to protect the system from outsiders who are attempting to breach system controls. Example: real-time system performance reporting that shows changes might indicate adversarial activity. REAL TIME detection may slow down the system’s overall performance. POST HOC detection logs, if properly designed, can determine if unauthorized access was attempted, accomplished, or failed.
2. Reconstructing Events: Reconstruct the STEPS that led to events such as system failures, security violations, and application processing errors. The audit trail can be used to reconstruct accounting data files that were corrupted by a system failure, natural disaster, accident, or hacker.
3. Personal Accountability: Used to influence human behavior as a deterrent to adverse activities. People are less likely to violate the SECURITY POLICY if they know their actions are being recorded in an audit log! Can be used to enforce the SECURITY POLICY.
IMPLEMENTING AN AUDIT TRAIL: Usefulness: measuring potential damage and financial loss associated with errors, abuse, and unauthorized access; evidence of the adequacy of controls; evidence to enforce policy or laws. However, audit trails can generate an overwhelming amount of detail data. Therefore, the benefits must be balanced against the total costs of implementing them.
60
SYSTEM-WIDE CONTROLS Disaster recovery planning
- Critical applications identified and ranked
- Create a disaster recovery team with responsibilities
61
SYSTEM-WIDE CONTROLS: Disaster recovery planning. Site backup:
- “Hot site” – Recovery Operations Center
- “Cold site” – empty shell
- Mutual aid pact
- Internally provided backup
- Other options
At a minimum, hot site and cold site contracts are subject to competing customers if the site signs multiple contracts with companies in the same geographic area. For example, EDS lost a roof to an ice storm in the New York area. It had a hot site contract. It went to the site only to discover it was in line behind other contract holders with the same hot site who had also been hit by the same storm. It lost millions while EDS scrambled to restore business operations.
Others: Silo – ROC/Hot Site on wheels. For example, an 18-wheeler with a ROC inside and a generator pulls up to the location that was destroyed by fire etc., so employees can generally come to the same physical location (convenient).
62
Disaster Recovery Plan
- Critical Applications – Rank critical applications so an orderly and effective restoration of computer systems is possible.
- Create Disaster Recovery Team – Select team members, write job descriptions, and describe the recovery process in terms of who does what.
- Site Backup – A backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or branch of the same company swaps availability when needed.
- Hardware Backup – Some vendors provide computers with their site, known as a hot site or Recovery Operations Center. Some do not provide hardware, known as a cold site. When hardware is not available, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).
- System Software Backup – Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.
- Application Software Backup – Make sure copies of critical applications are available at the backup site.
- Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
- Supplies – A modicum inventory of supplies should be at the backup site or be able to be delivered quickly.
- Documentation – An adequate set of copies of user and system documentation.
- TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).
63
SYSTEM-WIDE CONTROLS Disaster recovery planning Audit objectives
Verify management’s DRP is adequate.
Audit procedures:
- Verify a second-site backup is adequate
- Review the critical application list for completeness
- Verify backups of application software are stored off-site
- Verify that critical data files are backed up and readily accessible to the DRP team
- Verify resources of supplies, documents, and documentation are backed up and stored off-site
- Verify that members listed on the team roster are current employees and that they are aware of their responsibilities
64
SYSTEM-WIDE CONTROLS Fault tolerance Redundant systems or parts UPS
Definition: 44% of IS down-time is attributable to system failures!
Controls:
- Redundant systems or parts
- RAID
- UPS
- Multiprocessors
Audit objective: to ensure the organization is employing an appropriate level of fault tolerance.
Audit procedures:
- Verify the proper level of RAID devices
- Review procedures for recovery from system failure
- Verify boot disks are secured
- ACL (Audit Command Language) search of archived log files for:
  - Unauthorized or terminated users
  - Periods of inactivity
  - Activity by user, workgroup, and department
  - Logon and logoff times
  - Failed logon attempts
  - Access to specific files or applications
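The searches of archived log files listed here, and the event-monitoring record described on the earlier audit-trail slide (user ID, session time and duration, files used), as one added example that is not from the original slides: it parses a small constructed event log and answers each question the list poses (terminated users, failed logons, logon/logoff times and session length, activity per user, inactive users, access to a named file). The slide refers to doing this in ACL, the audit software; this is plain Python, not ACL, and the log line format, user names, host names, file name and dates are all constructed.

```python
# Added example (not from the original slides): audit-trail queries over a
# constructed event log. The log format and every value in it are made up.
from collections import Counter
from datetime import datetime, timedelta

# Constructed log: "<timestamp> <event> <user> <host> <detail>" per line.
SAMPLE_LOG = """\
2024-03-04T08:02:11 LOGON alice ws-12 OK
2024-03-04T08:03:40 LOGON bob ws-07 FAIL
2024-03-04T08:03:52 LOGON bob ws-07 FAIL
2024-03-04T08:04:05 LOGON bob ws-07 FAIL
2024-03-04T08:04:20 LOGON bob ws-07 OK
2024-03-04T08:15:00 FILE alice ws-12 PAYROLL.DAT
2024-03-04T08:19:00 LOGON dave ws-03 OK
2024-03-04T08:20:33 FILE dave ws-03 PAYROLL.DAT
2024-03-04T12:00:00 LOGOFF alice ws-12 OK
2024-03-04T17:30:00 LOGOFF bob ws-07 OK
2024-03-05T09:00:00 LOGON alice ws-12 OK
"""

TERMINATED_USERS = {"dave"}    # constructed HR list of terminated employees

def parse_log(text: str) -> list:
    """Turn the log text into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, host, detail = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "host": host, "detail": detail})
    return events

def terminated_user_activity(events, terminated=TERMINATED_USERS) -> list:
    """Any event by a user who should no longer have an account."""
    return [e for e in events if e["user"] in terminated]

def failed_logons(events, threshold=3) -> dict:
    """Users with at least `threshold` failed logon attempts."""
    counts = Counter(e["user"] for e in events
                     if e["event"] == "LOGON" and e["detail"] == "FAIL")
    return {u: n for u, n in counts.items() if n >= threshold}

def sessions(events) -> list:
    """Pair each successful LOGON with the next LOGOFF of the same user.
    Returns (user, logon_time, logoff_time, duration); sessions still open at the
    end of the log are reported with None for logoff and duration."""
    open_logon, result = {}, []
    for e in events:
        if e["event"] == "LOGON" and e["detail"] == "OK":
            open_logon[e["user"]] = e["ts"]
        elif e["event"] == "LOGOFF" and e["user"] in open_logon:
            start = open_logon.pop(e["user"])
            result.append((e["user"], start, e["ts"], e["ts"] - start))
    result.extend((user, start, None, None) for user, start in open_logon.items())
    return result

def activity_by_user(events) -> dict:
    """Event counts per user (extend with a user->department map for department totals)."""
    return dict(Counter(e["user"] for e in events))

def inactive_users(events, known_users, as_of, max_idle=timedelta(days=30)) -> list:
    """Known users with no activity in the last `max_idle` before `as_of`."""
    last_seen = {}
    for e in events:
        last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    return sorted(u for u in known_users
                  if as_of - last_seen.get(u, datetime.min) > max_idle)

def file_access(events, filename) -> list:
    """Who touched a specific file, and when."""
    return [(e["user"], e["ts"]) for e in events
            if e["event"] == "FILE" and e["detail"] == filename]

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("terminated-user activity:", terminated_user_activity(ev))
    print("failed logons:", failed_logons(ev))
    print("sessions:", sessions(ev))
    print("payroll file access:", file_access(ev, "PAYROLL.DAT"))
```

Two of the findings on this sample are the ones an auditor most wants from a post hoc review: a terminated user logging on and reading the payroll file, and three consecutive failed logons for one user immediately before a success.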
65
Client Server Systems
66
Firewalls
67
Proxy Servers
68
Demilitarized Zone
69
Chapter 2: Computer Operations
70
Excerpts from … An Introduction to Computer Auditing (online reading)
71
Computer Auditing Examples of Computer Abuse
- Unauthorized disclosure of confidential information
- Unavailability of key IT systems
- Unauthorized modification of IT systems
- Theft of IT hardware and software
- Theft of IT data files
- Use of IT resources for personal use
72
Problems with Computer Auditing
- Technology continually evolves
- IT can be a black box and attacks may not be apparent
- Auditors’ lack of IT skills
- Data can be difficult to access
- Computer logs and audit trails may be incomplete
- On-line real-time systems can support frauds that occur rapidly, without sufficient time to react
- Electronic evidence is volatile
73
Systems Development Use of project management
Use of methodology such as SDLC, RAD Steering Committee Continuous monitoring of progress (milestones) Prototyping
74
IT Application Controls
- Input Controls: all data entered is authorized, complete, accurate, and entered only once
- Processing Controls: transactions are processed completely, accurately, and in a timely manner
- Output Controls: results are communicated to the authorized persons in a timely and efficient manner
75
General Controls
- Identification, prioritization and development of new systems and modification of existing systems
- Ongoing operations and maintenance
- Physical access
- Access rights and privileges
- Change management control
- Segregation of incompatible duties
- Contingency planning
76
The basic principles of good project management are:
clearly defined management responsibility clear objectives and scope effective planning and control clear lines of accountability steering committee oversight milestones
77
good project management (cont.)
end-user involvement methodology such as SDLC or RAD possible use of prototypes possible use of phased development
78
Be sure to read the entire article!
79
Chapter 3 with added info
Auditing Data Management Systems
80
Challenges of Sophisticated Computer Systems
- Electronic method of sending documents between companies
- No “paper trail” for the auditor to follow
- Increased emphasis on front-end controls
- Security becomes a key element in controlling the system
81
Objectives of General Controls
1. Responsibility for control
2. Information system meets needs of entity
3. Efficient implementation of information systems
4. Efficient and effective maintenance of information systems
5. Effective and efficient development and acquisition of information systems
6. Present and future requirements of users can be met
7. Efficient and effective use of resources within information systems processing
82
Objectives of General Controls
8. Complete, accurate and timely processing of authorized information systems
9. Appropriate segregation of incompatible functions
10. All access to information and information systems is authorized
11. Hardware facilities are physically protected from unauthorized access, loss or damage
12. Recovery and resumption of information systems processing
13. Maintenance and recovery of critical user activities
83
Input Controls input data should be authorized & approved
The system should edit the input data and prevent errors. Examples include: validity checks, field checks, reasonableness checks, record counts, etc.
84
Processing Controls assure that data entered into the system are processed, processed only once, and processed accurately
85
Processing Controls Examples
Control, batch, or proof total - a total of a numerical field for all the records of a batch that normally would be added (example: wages expense)
Logic test - ensures against illogical combinations of information (example: a salaried employee does not report hours worked)
86
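As an added worked example (not from the slides), the edit checks and batch controls named above applied to a constructed payroll batch; the record layout, the department code table, the hours limit and the transmittal-sheet totals are all assumptions:

```python
"""Input and processing controls over a constructed batch of payroll records.

Added example, not from the lecture slides. Implements the checks the slides
name (validity, field, reasonableness, record count, control/batch total,
logic test) over made-up data; field names and limits are assumptions.
"""
from dataclasses import dataclass

VALID_DEPARTMENTS = {"ACC", "MFG", "SLS"}   # assumed department code table (validity check)
MAX_WEEKLY_HOURS = 80                        # assumed reasonableness limit


@dataclass
class PayrollRecord:
    emp_id: str
    dept: str
    pay_type: str        # "S" salaried or "H" hourly
    hours: float
    wages: float


def edit_record(rec):
    """Return the list of edit-check failures for one record (empty list = clean)."""
    errors = []
    # field check: employee id must be exactly six digits
    if not (rec.emp_id.isdigit() and len(rec.emp_id) == 6):
        errors.append("field: emp_id not 6 digits")
    # validity check: department code must exist in the code table
    if rec.dept not in VALID_DEPARTMENTS:
        errors.append("validity: unknown dept")
    if rec.pay_type not in ("S", "H"):
        errors.append("validity: unknown pay_type")
    # reasonableness check: hours worked within a plausible weekly range
    if not 0 <= rec.hours <= MAX_WEEKLY_HOURS:
        errors.append("reasonableness: hours out of range")
    # logic test: a salaried employee does not report hours worked
    if rec.pay_type == "S" and rec.hours > 0:
        errors.append("logic: salaried employee reported hours")
    return errors


def check_batch(records, expected_count, expected_wages_total):
    """Batch controls: record count and a control total on the wages field.

    Returns (count_ok, total_ok, actual_count, actual_total); the expected
    values come from the (assumed) batch transmittal sheet.
    """
    actual_count = len(records)
    actual_total = round(sum(r.wages for r in records), 2)
    return (actual_count == expected_count,
            abs(actual_total - expected_wages_total) < 0.005,
            actual_count, actual_total)


def process_batch(records, expected_count, expected_wages_total):
    """Apply the batch controls first, then edit each record; return a summary."""
    count_ok, total_ok, n, total = check_batch(records, expected_count, expected_wages_total)
    rejected = {}
    for rec in records:
        errs = edit_record(rec)
        if errs:
            rejected[rec.emp_id] = errs
    return {"count_ok": count_ok, "total_ok": total_ok,
            "record_count": n, "wages_total": total, "rejected": rejected}


# Constructed sample batch; the assumed transmittal sheet says 4 records, wages 5,250.00
SAMPLE_BATCH = [
    PayrollRecord("100234", "ACC", "S", 0.0, 2000.00),
    PayrollRecord("100235", "MFG", "H", 38.5, 1050.00),
    PayrollRecord("10023A", "SLS", "H", 40.0, 1200.00),   # fails the field check
    PayrollRecord("100237", "HRX", "S", 12.0, 1000.00),   # fails validity and logic tests
]
TRANSMITTAL_COUNT = 4
TRANSMITTAL_WAGES = 5250.00


if __name__ == "__main__":
    print(process_batch(SAMPLE_BATCH, TRANSMITTAL_COUNT, TRANSMITTAL_WAGES))
```

Note that the batch totals agree even though two records fail edit checks: batch controls catch lost or duplicated records, not bad field contents, which is why both layers are needed.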
Output Controls
Assure that data generated by the system are valid, accurate, complete, and distributed to authorized persons in appropriate quantities
87
Objectives of Application Controls
1. Design application controls with regard to:
- segregation of incompatible functions
- security
- development
- processing of information systems
2. Information provided by the systems is:
- complete
- accurate
- authorized
3. Existence of adequate management trails
88
There are two general approaches to auditing EDP systems:
1. Auditing “around” the computer involves extensive testing of the inputs and outputs of the EDP system and little or no testing of processing or computer hardware. This approach involves no tests of the computer programs and no auditor use of the computer.
89
There are two general approaches to auditing EDP systems:
1. Auditing “around” the computer depends on a visible, traceable, hard copy audit trail made of manually prepared and computer-prepared documents.
90
There are two general approaches to auditing EDP systems:
2. Auditing with use of the computer involves extensive testing of computer hardware and software.
91
Techniques for auditing with use of the computer
1. Test data involves auditor preparation of a series of fictitious transactions; many of those transactions will contain intentional errors. The auditor examines the results and determines whether the errors were detected by the client’s system.
92
What are the shortcomings of the use of test data?
- possibility of accidental integration of fictitious and actual data
- preparation of test data that examines all aspects of the application is difficult
- the auditor must make sure that the program being tested is the one actually used in routine processing
93
Techniques for auditing with use of the computer
2. Parallel simulation
- the auditor writes a computer program that replicates part of the client’s system
- the auditor’s program is used to process actual client data
- the results from the auditor’s program and those of the client’s routine processing are compared
94
Auditing Software
Generalized audit software involves the use of auditor programs, client data, and auditor hardware. The primary advantage of GAS is that the client data can be downloaded into the auditor’s system and manipulated in a variety of ways.
95
Common Audit Software Functions
- verifying extensions and footings
- examining records
- comparing data on separate files
- summarizing or re-sequencing data and performing analyses
- comparing data obtained through other audit procedures with company records
- selecting audit samples
- printing confirmation requests
96
Differences with Computer Processing
Audit trails are different than with manual accounting systems
Portions of audit trails may be temporary or never exist
Processing is more uniform
Computer may initiate and complete transactions
Greater potential for fraud
97
Impact of Computers on Planning
Extent to which computers are used
Complexity of computer operations
Organizational structure of computer operations
Availability of data
Use of CAATs
Need for specialized skills by auditor
98
Audit Alternatives
Continuous (Electronic) Auditing
Auditing Around the Computer
Auditing Through the Computer
Non-concurrent (after-the-fact) auditing
- Can be used for tests of transactions and balances (substantive tests)
- Can be used to test the effectiveness of controls at various times in the past
- Recent SAS pronouncements reduce applicability of non-concurrent auditing
99
Audit Alternatives
Concurrent auditing provides greater information about the effectiveness of controls
Special audit test records can be used to examine system effectiveness
Embedded audit modules collect, process and report audit evidence as it is processed by the system
100
SAS No. 80
In entities where significant information is transmitted, processed, maintained, or accessed electronically, the auditor may determine that it is not practical or possible to reduce detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions.
101
SAS No. 80
Due to the short-term nature of electronic data, the auditor should consider the time during which information exists or is available in determining the nature, timing and extent of his tests.
102
SAS No. 94
“The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit”
Amends SAS No. 55 – “Consideration of Internal Control in a Financial Statement Audit”
SAS No. 94 does NOT change the requirement that the auditor obtain a sufficient understanding of internal control to plan the audit
103
SAS No. 94
SAS No. 94 acknowledges that IT use presents benefits as well as risks to an entity’s internal control
The auditor should expect to encounter IT systems and electronic records rather than paper documents
An entity’s IT use may be so significant that the quality of the audit evidence available to the auditor will depend on the controls that business maintains over its accuracy and completeness
104
SAS No. 94
As companies rely more and more on IT systems and controls, auditors will need to adopt new testing strategies to obtain evidence that controls are effective
An auditor might need specialized skills to determine the effect of IT on the audit
In some instances, the auditor may need the skills of a specialist
105
Areas of Audit Focus
Auditing computer programs
Auditing computer processing
Auditing computer files and databases
106
Auditing Computer Programs
Non-processing of data
Program logic flowchart verification
Program code checking
Examination of job accounting and control information
Review printouts
107
Non-concurrent Auditing
The Black Box Approach (still allowed?)
- Must be able to locate copies of source documents for transactions and the accounting reports resulting from those transactions
- Must be able to read the source documents and reports without the aid of the client’s computer
- Auditor must assess a low level of risk on controls external to EDP
108
Black Box Approach
Must trace transactions from the source documents (cradle) to the accounting reports (grave) and from the reports back to the source documents
[Figure: Computer (Black Box); Manual Verification]
109
Need for Concurrent Auditing
Disappearing paper-based audit trail
Continuous monitoring required by advanced systems
Increasing difficulty of performing transaction walkthroughs
Presence of entropy (disorder) in systems
Outsourced and distributed IS
Increased interorganizational IS (EDI)
110
EDP Controls
Category: General
- Specific types of controls: Organization and Operation; Systems Development and Documentation; Hardware and Systems Software; Access; Data and Procedural
- Nature: Pertain to EDP environment and all EDP activities
Category: Application
- Specific types of controls: Input; Processing; Output
- Nature: Pertain to specific EDP tasks
111
Errors and Irregularities / Necessary Control Procedures
INPUT
Errors and irregularities:
- Valid data are incorrectly converted to machine-sensible form.
- Properly converted input is lost, duplicated or distorted during handling.
- Detected erroneous data are not corrected and resubmitted for processing.
Necessary control procedures:
- Verification controls
- Computer editing
- Batch controls
- Data control group monitoring
- Transmittal controls
- Control totals
- Error logs
PROCESSING
Errors and irregularities:
- The wrong files are processed and updated.
- Processing errors are made on valid input data.
- Illogical or unreasonable input is processed.
Necessary control procedures:
- External file labels
- Internal file labels
- Limit and reasonableness tests
OUTPUT
Errors and irregularities:
- Output may be incorrect because of processing errors.
- Output may be incorrect because file revisions are unauthorized or approved changes are not made.
- Output is distributed to unauthorized users.
Necessary control procedures:
- Output control totals
- Periodic comparisons of file data with source documents
- Report distribution control sheet
112
Tests of Controls Techniques
Auditing Around the Computer—Manually processing selected transactions and comparing results to computer output
Auditing Through the Computer—Computer assisted techniques
Test Decks—Processing dummy transactions and records with errors and exceptions to see that program controls are operating
113
Tests of Controls Techniques
Controlled Programs—Processing real and test data with a copy of the client’s program under the auditors’ control
Program Analysis Techniques—The examination of a computer generated flowchart of the client’s program to test the program’s logic
Tagging and Tracing Transactions—Examination of computer generated details of the steps in processing “tagged” transactions
114
Tests of Controls Techniques
Integrated Test Facility—A system that processes test data simultaneously with real transactions to allow the system to be constantly monitored
Parallel Simulation—The use of an auditor-written program to process client data and comparison of its output to the output generated by the client’s program
115
Test Data Approach
[Figure: Auditors’ test data → Client’s program → Computer processing → Computer results; compared with Auditors’ predetermined results; the two should match]
116
System Concept of Parallel Simulation
[Figure: Transactions and Master file are processed by both the “Live” system and the Simulated system; the “Live” file and Simulated output are compared; differences are reported as Exceptions]
Source: W.C. Mair, “New Techniques in Computer Program Verification,” Tempo (Touche Ross & Co., Winter ), p. 14.
117
Parallel Simulation
[Figure: Input Transaction File and Input Master File feed both the System Application (producing the Output Master File) and the Parallel Simulation written in Generalized Audit Software; the two outputs are compared and Discrepancies are reported]
118
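The parallel simulation flow shown above, as an added example that is not part of the original slides: the auditor's replica of one piece of client logic (an inventory master-file update, assumed here) is run over constructed client files and its output compared with the client's output master file. The CSV layouts and the update rule are assumptions.

```python
"""Parallel simulation over constructed client files (added example, not from the slides).

The auditor's program re-performs one piece of the client's processing
(an inventory master-file update: apply receipts and issues, then extend
quantity at unit cost) on the client's own input transaction file and input
master file, and compares its result with the client's output master file.
Every difference is an exception for follow-up. Record layouts are assumptions.
"""
import csv
import io

# Constructed client files (the slides' input master, input transaction and output master files)
INPUT_MASTER = """item,qty_on_hand,unit_cost
A100,50,2.50
B200,10,12.00
C300,0,5.00
"""
TRANSACTIONS = """item,type,qty
A100,RCT,20
A100,ISS,15
B200,ISS,4
C300,RCT,7
D400,RCT,3
"""
CLIENT_OUTPUT_MASTER = """item,qty_on_hand,unit_cost,ext_value
A100,55,2.50,137.50
B200,7,12.00,84.00
C300,7,5.00,35.00
D400,3,0.00,0.00
"""


def load(text):
    """Parse one constructed CSV file into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def simulate(master_rows, txn_rows):
    """Auditor's replica of the update: RCT adds to on-hand, ISS subtracts, then extend at cost.

    Returns ({item: (qty, ext_value)}, [items with transactions but no master record]).
    """
    master = {r["item"]: {"qty": int(r["qty_on_hand"]), "cost": float(r["unit_cost"])}
              for r in master_rows}
    unmatched = []
    for t in txn_rows:
        rec = master.get(t["item"])
        if rec is None:              # the replica refuses to create master records on the fly
            unmatched.append(t["item"])
            continue
        qty = int(t["qty"])
        rec["qty"] += qty if t["type"] == "RCT" else -qty
    simulated = {k: (v["qty"], round(v["qty"] * v["cost"], 2)) for k, v in master.items()}
    return simulated, unmatched


def compare(simulated, client_rows):
    """List discrepancies between the simulated result and the client's output master."""
    exceptions = []
    seen = set()
    for r in client_rows:
        seen.add(r["item"])
        client = (int(r["qty_on_hand"]), float(r["ext_value"]))
        sim = simulated.get(r["item"])
        if sim is None:
            exceptions.append((r["item"], "in client output only", None, client))
        elif sim != client:
            exceptions.append((r["item"], "value mismatch", sim, client))
    for item in simulated.keys() - seen:
        exceptions.append((item, "missing from client output", simulated[item], None))
    return exceptions


def run_parallel_simulation():
    """Run the auditor's replica on the client files and return (exceptions, unmatched)."""
    simulated, unmatched = simulate(load(INPUT_MASTER), load(TRANSACTIONS))
    return compare(simulated, load(CLIENT_OUTPUT_MASTER)), unmatched


if __name__ == "__main__":
    exceptions, unmatched = run_parallel_simulation()
    for e in exceptions:
        print(e)
    print("transactions with no master record:", unmatched)
```

In the constructed data the client's program both mis-updated item B200 and silently created a master record for D400, which had no record on the input master file; the second kind of finding is usually the more interesting control question.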
Types of Concurrent Auditing
Testing real data
- Tracing transactions
- Snapshot/extended record (EAM)
- System Control Audit Review File (SCARF)
Testing simulated data
- Test deck approach
- Integrated test facility (ITF)
119
Auditing Using Client’s Computer - Tracing Real Data
Provides direct confirmation that controls functioned as prescribed
Weaknesses of approach
- Actual transactions selected may not trigger all of the controls; in fact, finding actual transactions to test every control may not be possible
- May be disruptive to client’s operation
120
Auditing Using Client’s Computer - Tracing Real Data
Weaknesses, continued
- Difficult to verify that program tested is program normally used
- Difficult to verify that procedures used during test are procedures normally employed
- Auditor needs to understand IT operations
121
Auditing Using Client’s Computer - Using Simulated Data
Strengths
- Auditor can reduce substantially the number of records that have to be processed (one record can test several controls)
- Permits testing of every control
122
Auditing Using Client’s Computer - Using Simulated Data
Weaknesses
- Only those conditions known to exist can be tested
- Same program and procedures questions as in processing real data
- Removal of simulated data from client’s records
123
Auditing Using Client’s Computer - Using Simulated Data
Verify that no amounts, accounts, or transaction types are omitted
Verify pricing, extensions, and other valuation procedures
Verify account coding and classification
Verify proper time period recording
Test subsidiary records footing and reconciliation to control account balances
124
Auditing Using Client’s Computer - Using Simulated Data
Test data or test record approach
- Simulated data is controlled and processed separately from real data
- Output is compared to auditor-calculated output
125
Auditing Using Client’s Computer - Using Simulated Data
Integrated test facility (ITF)
- Simulated data is assigned a special code to distinguish it from real data
- Simulated data is integrated with real data and processed in normal course of business
- Weakness: simulated data may be processed differently than real data
126
Generalized Audit Software
Off-the-shelf software that allows examination of client data on auditor’s computer
Information systems vary widely between clients:
- Hardware and software environments
- Data structures
- Record formats
- Processing functions
127
Generalized Audit Software
GAS developed specifically to accommodate a wide variety of hardware and software platforms
Allows auditor to quickly modify audit approach as audit objectives change
Allows auditors relatively unskilled in computer systems to audit effectively in an electronic environment
128
Functional Capabilities of GAS
File access
File reorganization (sorting and merging)
Filtering (Boolean operators: =, >=, <=, <>, AND, OR, etc.)
Statistical (sample selections)
Arithmetic
Stratification
File creation
Reporting
129
Available CAATs
CA-Easytrieve (Computer Associates)
- Works in UNIX or LAN (primarily mainframes)
- Uses a background language similar to COBOL
SAS
- Statistical analysis
- Data mining
ACL
IDEA
130
Electronic Workpapers
Electronic working papers
Standardizes audit forms and formats
Improves quality and consistency
Coordinates efforts
Can centralize management efforts
131
Centralized Vs Distributed Systems
Some activities should remain centralized
DDP is more expensive but can add efficiencies over straight client-server approach
Data can be distributed in different ways
May raise security issues
- Auditor must question how each site is secured
DDP may be partitioned or replicated
DDP requires concurrency control
132
End Ch 3
133
Chapter 4: Systems Development & Maintenance Activities
134
PARTICIPANTS
Systems professionals
End users
Stakeholders
ACCOUNTANTS
- Internal
- External
- Limitations of involvement
135
ACCOUNTANTS/AUDITORS
Why are accountants/auditors involved?
- Experts in financial transaction processes
- Quality of AIS is determined in SDLC
How are accountants involved?
- Users (e.g., user views and accounting techniques)
- Members of SDLC development team (e.g., control risk being minimized)
- Auditors (e.g., auditable systems)
136
IS Development
In-house development
Purchase commercial systems
General Rule: Never build if you can acquire a system that will provide 80% of your needs.
Question: When would you want to build your own system?
137
TRENDS IN COMMERCIAL SOFTWARE
Relatively low cost for general purpose software
Industry-specific vendors
Businesses too small to have in-house IS staff
Downsizing & DDP
138
TYPES OF COMMERCIAL SYSTEMS
Turnkey systems
General accounting systems
- Typically in modules
Special-purpose systems
- Example: banking
Office automation systems
- Purpose is to improve productivity
Enterprise systems (ERP)
- SAP, Peoplesoft, Baan, Oracle
139
COMMERCIAL SYSTEMS
Advantages
- Implementation time
- Cost
- Reliability
Disadvantages
- Independence
- Customization needs
- Maintenance
140
SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC)
New systems
Systems planning
Systems analysis
Conceptual systems design
System evaluation and selection
Detailed design
System programming and testing
System implementation
System maintenance
SDLC -- Figure 4-1 [p.141]
141
SYSTEMS PLANNING– PHASE I
PURPOSE: To link individual systems projects to the strategic objectives of the firm.
Link individual projects to strategic objectives of the firm - Figure 4-2 [p.142]
Who does it? Steering committee
- CEO, CFO, CIO, senior mgmt., auditors, external parties
- Ethics and auditing standards limit when auditors can serve on this committee
Long-range planning: 3-5 years
Allocation of resources - broad
142
SYSTEMS PLANNING-PHASE I
Level 1 = Strategic systems planning
Why?
- A changing plan is better than no plan
- Reduces crises in systems development
- Provides authorization control for SDLC
- It works!
Level 2 = Project planning
- Project proposal
- Project schedule
143
SYSTEMS PLANNING-PHASE I
Auditor’s role in systems planning
- Auditability
- Security
- Controls
144
SYSTEMS PLANNING-PHASE I
SUMMARY
Identify user’s needs
Preparing proposals
Evaluating proposals
Prioritizing individual projects
Scheduling work
Project Plan – allocates resources to specific project
Project Proposal – Go or not
Project Schedule – represents mgmt’s commitment
145
SYSTEMS ANALYSIS- PHASE II
PURPOSE: Effectively identify and analyze the needs of the users for the new system.
Survey step
Disadvantages:
- Tar pit syndrome
- Thinking inside the box
Advantages:
- Identify aspects to keep
- Forcing analysts to understand the system
- Isolating the root of problem symptoms
146
SYSTEMS ANALYSIS- PHASE II
Gathering facts
Data sources
Users
Data stores
Processes
Data flows
Controls
Transaction volumes
Error rates
Resource costs
Bottlenecks
Redundant operations
147
SYSTEMS ANALYSIS- PHASE II
Fact-gathering techniques
- Observation
- Task participation
- Personal interviews
- Reviewing key documents (see list, p. 147)
Systems analysis report: Figure 4-3 (p.148)
Auditor’s role: CAATTs (e.g., embedded modules)
148
CONCEPTUAL SYSTEMS DESIGN-PHASE III
PURPOSE: Develop alternative systems that satisfy system requirements identified during system analysis
1. Top-down (structured design) [see Figure 4-4, p.150]
- Designs general rather than specific
- Enough details for design to demonstrate differences
- Example: Figure 4-5, p. 151
2. Object-oriented approach (OOD)
- Reusable objects
- Creation of modules (library, inventory of objects)
3. Auditor’s role
- Special auditability features
149
SYSTEM EVALUATION & SELECTION– PHASE IV
PURPOSE: Process that seeks to identify the optimal solution from the alternatives
Perform detailed feasibility study
- Technical feasibility [existing IT or new IT?]
- Legal feasibility
- Operational feasibility: degree of compatibility between the firm’s existing procedures and personnel skills, and requirements of the new system
- Schedule feasibility [implementation]
Perform a cost-benefit analysis
- Identify costs
- Identify benefits
- Compare the two
150
SYSTEM EVALUATION & SELECTION-PHASE IV
Cost-Benefit Analysis: Costs
ONE-TIME COSTS:
- Hardware acquisition
- Site preparation
- Software acquisition
- Systems design
- Programming
- Testing
- Data conversion
- Training
RECURRING COSTS:
- Hardware maintenance
- Software maintenance
- Insurance
- Supplies
- Personnel
- Allocated existing IS
151
SYSTEM EVALUATION & SELECTION–PHASE IV
Cost-Benefit Analysis: Benefits
INTANGIBLE (2):
- Increased customer satisfaction
- Improved employee satisfaction
- More current information
- Improved decision making
- Faster response to competitors’ actions
- More effective operations
- Better internal and external communications
- Improved control environment
TANGIBLE:
- Increased revenues: increased sales in existing markets; expansion into new markets
- Cost reduction (1): labor reduction; operating cost reduction; supplies overhead; reduced inventories; less expensive equipment; reduced equipment maintenance
(1) When measuring cost savings, it is important to include only escapable costs. See Figure 4-6 for illustration of calculating actual escapable costs.
(2) Professionals use a variety of means to try to quantify intangible benefits: opinion surveys, statistical analysis, expected value techniques, simulation models.
152
Cost-Benefit Analysis: Comparison
NPV (1) [Table 4-4]
Payback (2) [Figures 4-7a, 7b]
BE
Auditor’s role: managerial accounting techniques (3)
- Escapable costs
- Reasonable interest rates
- Identify one-time and recurring costs
- Realistic useful lives for competing projects
- Determining financial values for intangible benefits
(1) NPV of Benefits (over life of system) – NPV costs (over life of system) = NPV. If NPV > 0, economically feasible. When choosing between projects, choose the one with the greatest NPV (Figure 4-7) – BUT must incorporate intangible benefits and design feasibility scores.
(2) Payback: uses present values, i.e., discounted. COST LINE: y intercept = one-time costs; slope = recurring costs. Intersection of COSTS and BENEFITS lines = when BREAKEVEN occurs. CHOICE: quickest (shortest) payback period.
(3) Managerial techniques: escapable costs; reasonable interest rates; determination of one-time and recurring costs; realistic useful lives in competing projects; determination of financial values for intangible benefits.
153
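The NPV and discounted-payback rules above carried through on three constructed candidate systems, as an added example that is not part of the original slides; the cost, benefit, life and interest-rate figures are made up, and the payback is computed as the year in which cumulative discounted benefits first cover cumulative discounted costs:

```python
"""Cost-benefit comparison of candidate systems (added example, not from the slides).

Implements the slide's rules: NPV = PV(benefits) - PV(costs) over the system's
life, with the one-time cost at year 0 and recurring costs and benefits each
year; NPV > 0 is economically feasible; among feasible projects choose the
greatest NPV; discounted payback is the first year in which cumulative
discounted benefits reach cumulative discounted costs. All figures are constructed.
"""


def pv(amount, rate, year):
    """Present value of a single amount received at the end of `year`."""
    return amount / (1 + rate) ** year


def npv(one_time_cost, recurring_cost, annual_benefit, rate, life):
    """NPV of benefits minus NPV of costs over `life` years (year 0 = acquisition)."""
    pv_costs = one_time_cost + sum(pv(recurring_cost, rate, y) for y in range(1, life + 1))
    pv_benefits = sum(pv(annual_benefit, rate, y) for y in range(1, life + 1))
    return round(pv_benefits - pv_costs, 2)


def discounted_payback(one_time_cost, recurring_cost, annual_benefit, rate, life):
    """Year in which cumulative discounted benefits first cover cumulative discounted
    costs (the intersection of the cost and benefit lines), or None if never within `life`."""
    cum_costs = float(one_time_cost)        # y intercept of the cost line
    cum_benefits = 0.0
    for y in range(1, life + 1):
        cum_costs += pv(recurring_cost, rate, y)      # slope: recurring costs
        cum_benefits += pv(annual_benefit, rate, y)
        if cum_benefits >= cum_costs:
            return y
    return None


def choose(projects, rate):
    """Rank economically feasible projects (NPV > 0) by greatest NPV.

    Returns a list of (name, npv, payback_year) tuples, best first; projects
    with NPV <= 0 are dropped, so an empty list means none is feasible.
    """
    scored = []
    for name, p in projects.items():
        n = npv(p["one_time"], p["recurring"], p["benefit"], rate, p["life"])
        pb = discounted_payback(p["one_time"], p["recurring"], p["benefit"], rate, p["life"])
        scored.append((name, n, pb))
    feasible = [s for s in scored if s[1] > 0]
    return sorted(feasible, key=lambda s: s[1], reverse=True)


# Constructed projects; costs are escapable costs only, benefits are tangible only
PROJECTS = {
    "A": {"one_time": 300_000, "recurring": 40_000, "benefit": 150_000, "life": 5},
    "B": {"one_time": 120_000, "recurring": 30_000, "benefit": 60_000, "life": 5},   # cheapest, not feasible
    "C": {"one_time": 200_000, "recurring": 50_000, "benefit": 70_000, "life": 5},
}
RATE = 0.08   # assumed reasonable interest rate


if __name__ == "__main__":
    for name, n, pb in choose(PROJECTS, RATE):
        print(f"{name}: NPV={n:,.2f} payback year={pb}")
```

Project B illustrates why the slides insist on escapable costs and realistic lives: it has the lowest one-time cost yet never recovers it within its five-year life once recurring costs are discounted, so it is dropped before ranking.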
DETAILED DESIGN–PHASE V
PURPOSE: Produce a detailed description of the proposed system that satisfies system requirements identified during systems analysis and is in accordance with conceptual design.
User views
Database tables
Processes
Controls
i.e., a set of “blueprints”
154
DETAILED DESIGN– PHASE V
Quality Assurance
“Walkthrough”
155
DETAILED DESIGN – PHASE V
Detailed Design Report
Designs for input screens and source documents
Designs for screen outputs, reports, operational documents
Normalized database
Database structures and diagrams
Data flow diagrams (DFDs)
Database models (ER, Relational)
Data dictionary
Processing logic (flow charts)
156
SYSTEM PROGRAMMING & TESTING– PHASE VI
Program the Application
- Procedural languages
- Event-driven languages
- OO languages
Programming the system
Test the application [Figure 4-8]
- Testing methodology
- Testing offline before deploying online
- Test data: why? Can provide valuable future benefits
157
SYSTEMS IMPLEMENTATION– PHASE VII
PURPOSE: Database structures are created and populated with data, applications are coded and tested, equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed.
Testing the entire system
Documenting the system
- Designer and programmer documentation
- Operator documentation
- User documentation
158
SYSTEMS IMPLEMENTATION– PHASE VII
Conversion
Converting the databases
- Validation
- Reconciliation
- Backup
Converting the new system
- Auditor involvement virtually stops!
- Cold turkey cutover
- Phased cutover
- Parallel operation cutover
159
SYSTEMS IMPLEMENTATION– PHASE VII
Post-Implementation Review
Reviewed by independent team to measure the success of the system
- Systems design adequacy [see list p. 170]
- Accuracy of time, cost, and benefit estimates [see list p. 170]
Auditor’s role: we’re back!!
- Provide technical expertise
- Specify documentation standards
- Verify control adequacy
- External auditors
160
SYSTEMS IMPLEMENTATION– PHASE VII
Auditors’ Role
Provide technical expertise
- AIS: GAAP, GAAS, SEC, IRS
- Legal
- Social / behavioral
- IS/IT (if capable)
- Effective and efficient ways to limit application testing
Specify documentation standards
Verify control adequacy
- COSO – SAS No. 78 – PCAOB Standard #1
Impact on scope of external auditors
161
SYSTEMS MAINTENANCE–PHASE VIII
PURPOSE: Changing systems to accommodate changes in user needs
80/20 rule
Importance of documentation?
- Facilitate efficient changes
- Facilitate effective changes (at all!)
80% of the total cost of a system occurs in the Maintenance phase! Only 20% actually occurs in the other 7 phases. Therefore, it makes sense that the place to reduce costs lies more in maintenance than any other phase. And the best way to reduce costs in the maintenance phase is to DOCUMENT adequately in the other phases …
162
Cost-Benefit Analysis
[Figure: SDLC phases and their deliverables]
Preliminary Feasibility: Project Authorization
Systems Planning: Project Proposal; Project Schedule
Systems Analysis: System Analysis Rpt
Conceptual Design: DFD (general)
Systems Selection: Feasibility Study; Cost-Benefit Analysis; System Selection Rpt
Detailed Design: Detailed Design Rpt; DFD (Detail); ER Diagram; Relational Model; Normalized Data
System Implementation: Post-Impl. Review; Program Flowcharts; Documentation; User Acceptance Rpt
163
A materially flawed financial application will eventually corrupt financial data, which will then be incorrectly reported in the financial statements. Therefore, the accuracy and integrity of the IS directly affects the accuracy of the client’s financial data.
164
CONTROLLING & AUDITING THE SDLC
Controlling New Systems Development
Systems authorization activities
User specification activities
Technical design activities
- Documentation is evidence of controls
- Documentation is a control!
Internal audit participation
User test and acceptance procedures
Audit objectives
Audit procedures
165
CONTROLLING & AUDITING THE SDLC
Audit Objectives & Procedures
Audit objectives
- Verify SDLC activities are applied consistently and in accordance with management’s policies
- Verify original system is free from material errors and fraud
- Verify system necessary and justified
- Verify documentation adequate and complete
Audit procedures
- How verify SDLC activities applied consistently?
- How verify system is free from material errors and fraud?
- How verify system is necessary?
- How verify system is justified?
- How verify documentation is adequate and complete?
See page 174 for a list
166
CONTROLLING & AUDITING THE SDLC
Controlling Systems Maintenance
Four minimum controls:
- Formal authorization
- Technical specifications
- Retesting
- Updating the documentation
167
CONTROLLING & AUDITING THE SDLC
Controlling Systems Maintenance
Source program library controls
Why? What trying to prevent?
- Unauthorized access
- Unauthorized program changes
SPLMS [Figure 4-13, p. 177]
SPLMS Controls
- Storing programs on the SPL
- Retrieving programs for maintenance purposes
- Detecting obsolete programs
- Documenting program changes (audit trail)
168
CONTROLLING & AUDITING THE SDLC
Controlled SPL Environment
Password control
- On a specific program
Separate test libraries
Audit trail and management reports
- Describing software changes
Program version numbers
Controlling access to maintenance [SPL] commands
169
CONTROLLING & AUDITING THE SDLC
Audit Objectives & Procedures
Audit objectives
- Detect any unauthorized program changes
- Verify that maintenance procedures protect applications from unauthorized changes
- Verify applications are free from material errors
- Verify SPL are protected from unauthorized access
170
CONTROLLING & AUDITING THE SDLC
Audit Objectives & Procedures
Audit procedures: Figure 4-14, p.179
Identify unauthorized changes
- Reconcile program version numbers
- Confirm maintenance authorization
Identify application errors
- Reconcile source code [after taking a sample]
- Review test results
- Retest the program
Testing access to libraries
- Review programmer authority tables
- Test authority table
171
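The two reconciliation procedures above (program version numbers against the SPL, and sampled production source against the authorized SPL copy), as an added example that is not part of the original slides; the library layout, the hash used to compare source, and all program names, versions and change tickets are constructed assumptions:

```python
"""Reconciling sampled production programs to the source program library (SPL)
and the maintenance authorization log. Added example, not from the slides.

Findings raised:
- a production program that is not in the SPL at all,
- a production version number that differs from the SPL version,
- production source whose hash differs from the authorized SPL copy
  (same version number, different code),
- an SPL version that is not the latest tested, authorized change,
- an SPL program that is missing from production.
All data below is constructed; the content hash is an assumed comparison method.
"""
import hashlib


def digest(source):
    """Content hash used to compare a sampled program with its authorized copy."""
    return hashlib.sha256(source.encode()).hexdigest()


# Constructed authorized sources: program -> (version, source text as approved)
AUTHORIZED_SOURCE = {
    "AP100": (3, "PROC PAY-VENDOR. ADD AMT TO TOTAL.\n"),
    "AR200": (7, "PROC POST-CASH. MOVE CASH TO LEDGER.\n"),
    "GL300": (2, "PROC CLOSE-PERIOD. PERFORM ROLLUP.\n"),
}
# The SPL as the auditor reads it: program -> (version, hash of approved source)
SPL = {name: (ver, digest(src)) for name, (ver, src) in AUTHORIZED_SOURCE.items()}

# Constructed maintenance change log: each tested, approved request moves a program to a version
CHANGE_LOG = [
    {"program": "AP100", "from": 2, "to": 3, "ticket": "MR-0451", "tested": True},
    {"program": "AR200", "from": 6, "to": 7, "ticket": "MR-0460", "tested": True},
]

# Constructed sample of the production library taken by the auditor
PRODUCTION = {
    "AP100": {"version": 3, "source": "PROC PAY-VENDOR. ADD AMT TO TOTAL.\n"},
    "AR200": {"version": 7, "source": "PROC POST-CASH. MOVE CASH TO LEDGER. MOVE 0 TO FEE.\n"},
    "GL300": {"version": 4, "source": "PROC CLOSE-PERIOD. PERFORM ROLLUP.\n"},
    "XX999": {"version": 1, "source": "PROC HIDDEN.\n"},
}


def reconcile(production, spl, change_log):
    """Return a sorted list of (program, finding) pairs; an empty list means all reconciled."""
    findings = []
    latest_approved = {c["program"]: c["to"] for c in change_log if c["tested"]}
    for name, prod in sorted(production.items()):
        if name not in spl:
            findings.append((name, "program not in SPL"))
            continue
        auth_ver, auth_hash = spl[name]
        if prod["version"] != auth_ver:
            findings.append((name, "version mismatch"))
        if digest(prod["source"]) != auth_hash:
            findings.append((name, "source differs from SPL copy"))
        if name in latest_approved and latest_approved[name] != auth_ver:
            findings.append((name, "SPL version not the latest approved"))
    for name in sorted(spl.keys() - production.keys()):
        findings.append((name, "in SPL but not in production"))
    return findings


if __name__ == "__main__":
    for program, finding in reconcile(PRODUCTION, SPL, CHANGE_LOG):
        print(program, "-", finding)
```

AR200 is the case version-number reconciliation alone would miss: the number agrees with the SPL, but the production source does not, which is exactly why the slides pair the version check with a source-code reconciliation on a sample.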
End Chapter 4: Systems Development & Maintenance Activities
172
Chapter 5: Networks, Internet & Ecommerce
IT Auditing & Assurance, 2e, Hall & Singleton
173
NETWORKS: TYPES
LAN (Local Area Networks)
WAN (Wide Area Networks)
Internet/Internet-Works
174
IP Addresses and Host Names
Each machine is addressed by a 32-bit integer: IP address
- We will tell you what “IP” is later
- Ran out of numbers and there are schemes to extend
An IP address is:
- Written down in a “dot notation” for “ease” of reading such as
- Consists of a network address and a host ID
IP addresses are the universal IDs that are used to name everything
For convenience, each host also has a human-friendly host name: for example “ ” is “concave.cs.yale.edu”
Question: how do you translate names into IP addresses?
176
Domain Hierarchy
[Figure: domain name tree with top-level nodes edu, com, gov, mil, org, net, uk, fr; second-level nodes Yale, MIT, Cisco, yahoo; lower-level nodes Math, CS, Physics, Cyndra, netra]
Initially name-to-address mapping was a flat file mailed out to all the machines on the internet.
Now we have a hierarchical name space, just like a UNIX file system tree.
Top level names: historical influence: heavily US centric, government centric, and military centric view of the world.
177
DNS Zones and Name Servers
[Figure: the same domain name tree (edu, com, gov, mil, org, net, uk, fr; Yale, MIT, Cisco, yahoo; Math, CS, Physics, Cyndra, netra) partitioned into zones]
Divide up the name hierarchy into zones
Each zone corresponds to one or more name servers under a single administrative control
178
Network Protocols
LANs: Ethernet; Token ring
WAN: TCP/IP (4 layer); OSI model (7 layer)
179
Encryption
Encryption systems translate data into a secret code.
Encryption systems include 4 main components:
- Plaintext: the unencrypted message
- An encryption algorithm that works like the locking mechanism to a safe
- A key that works like the safe’s combination
- Ciphertext, produced from the plaintext message by the encryption function
Decryption is the same process in reverse (like modulation/demodulation), but it doesn’t always use the same key or algorithm. Plaintext results from decryption.
180
Encryption Techniques
The two main encryption techniques now in use:
- Symmetric encryption, in which both sender and receiver use the same key.
- Asymmetric or public key encryption, which uses two separate keys, called public and private keys.
181
Symmetric Encryption
Symmetric or private key encryption uses the same algorithm and key to both encrypt and decrypt a message. Historically, this is the most common encryption technique. Since the key must be distributed, however, it is vulnerable to interception. This is an important weakness of symmetric key encryption. DES uses symmetric encryption.
182
Asymmetric or Public Key Encryption
A second popular technique is asymmetric or public key encryption (PKE). PKE is called asymmetric since it uses two different “one way” keys: a public key used to encrypt messages, and a private key used to decrypt them. PKE greatly reduces the key management problem since the private key is never distributed. PGP (pretty good privacy) is a popular form of PKE available as shareware.
183
Authentication
Authentication is the security process of verifying that a user is who he or she says they are. Passwords are the most common type of authentication. Digital signatures are now gaining popularity for authenticating transmitted information.
184
Authentication: Digital Signatures
Digital signatures take the place of ordinary signatures in online transactions to prove that the sender of a message is who he or she claims to be. When received, the digital signature is compared with a known copy of the sender’s digital signature. Digital signatures are also sent in encrypted form to ensure they have not been forged.
185
Secure Servers
Secure Sockets Layer (SSL) is a standard for secure interactions used on the Web. SSL uses a combination of private key encryption (using a one-time session key) and digital signatures to enhance the security of transmission. Secure servers protect the privacy of the data they send and receive through encryption.
186
NETWORKS: CONNECTING DEVICES
LAN Linking Devices and Systems
Multiplexer
Hubs
- Passive
- Manageable
- Switched
Routers
Switches
Gateways
Bridges
187
ELECTRONIC COMMERCE
Electronic commerce
- Types: B2C, B2B, C2C
- Components
Electronic payment systems: SSL, SET, S-HTTP
188
ELECTRONIC COMMERCE
Risks
Internal
- Accidents / system failures
- Ineffective accounting
- Malicious activities
- Fraud
External
- Intruders: hackers, crackers, script kiddies
- Viruses
- Cyberterrorism / cyber-crime
189
CONTROLLING E-COMMERCE
Controls
Policies and procedures
SDLC techniques
Anti-virus systems
Message sequence numbers
Logs
Monitoring systems
190
CONTROLLING E-COMMERCE
Access control systems
- Call-back systems
- Challenge-response systems
- Multifaceted password systems
- Biometrics
Firewalls
IDS
- Misuse detection vs. anomaly detection
- Network-based vs. host-based systems
- Passive systems vs. reactive systems
Controlling DoS attacks
191
AUDIT OBJECTIVES
Verify the security and integrity of transactions
- Can detect and correct message loss
- Can prevent and detect illegal access, internally and externally
- Will render useless any data captured
Verify that backup procedures are sufficient
Determine:
- All EDI and electronic transactions are authorized, validated, and compliant with SLA
- No unauthorized access to databases
- Authorized partners only have access to approved data
- Adequate controls are in place to ensure a complete audit trail for electronic transactions
192
AUDIT OBJECTIVES
Backup control for networks
Transaction validation
Access control
Tests of validation control
Tests of audit trail controls
193
AUDIT PROCEDURES
Select a sample of messages from the transaction log and verify their integrity
Review the message transaction logs to verify that all messages were received in proper sequence
Test the operation of features such as call-back
Review security procedures governing data
Verify any encryption process by sending test messages
Review the adequacy of firewalls
194
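The first two audit procedures above (verify message integrity from a sample; review the log for proper sequence) as an added, runnable example. This is not code from the slides or from the Hall & Singleton text; the log line layout, the shared key and the HMAC-SHA256 message authentication code over the sequence number, partner and payload are all assumptions constructed for the example, and the sample log itself is constructed with one lost message, one duplicated message, one out-of-order arrival and one tampered payload.

```python
"""Audit review of an e-commerce message transaction log (added example,
not from the Hall & Singleton slides).

Assumed, constructed format: one message per line,
    seq=<n> partner=<id> payload=<text> mac=<hex>
where mac is HMAC-SHA256 over "seq|partner|payload" under a key shared by
the trading partners. Real EDI/VAN logs will differ in layout.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"  # placeholder for the example only


def message_mac(seq: int, partner: str, payload: str, key: bytes = SHARED_KEY) -> str:
    """Authentication code over the fields whose integrity the audit verifies."""
    msg = f"{seq}|{partner}|{payload}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def format_line(seq: int, partner: str, payload: str, mac: str) -> str:
    return f"seq={seq} partner={partner} payload={payload} mac={mac}"


def parse_line(line: str) -> dict:
    """Split 'key=value' tokens; payloads contain no spaces in this format."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {"seq": int(fields["seq"]), "partner": fields["partner"],
            "payload": fields["payload"], "mac": fields["mac"]}


def build_sample_log() -> list:
    """Constructed log: seq 1003 never arrived, 1005 was logged twice,
    1007 arrived before 1006, and the payload of 1004 was altered after
    its MAC was computed."""
    messages = [(s, "ACME", f"PO-{s}") for s in (1001, 1002, 1004, 1005, 1005, 1007, 1006)]
    lines = [format_line(s, p, b, message_mac(s, p, b)) for s, p, b in messages]
    lines[2] = lines[2].replace("PO-1004", "PO-9999")  # tamper without re-signing
    return lines


def failed_integrity(lines, key: bytes = SHARED_KEY) -> list:
    """Sequence numbers whose MAC does not match the logged fields."""
    bad = []
    for rec in map(parse_line, lines):
        expected = message_mac(rec["seq"], rec["partner"], rec["payload"], key)
        if not hmac.compare_digest(expected, rec["mac"]):
            bad.append(rec["seq"])
    return bad


def sequence_review(lines) -> dict:
    """Gaps (possible message loss), duplicates (possible replay or double
    processing) and arrivals whose seq is lower than the preceding one."""
    seqs = [parse_line(line)["seq"] for line in lines]
    seen, duplicates = set(), []
    for s in seqs:
        if s in seen:
            duplicates.append(s)
        seen.add(s)
    missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seen)
    out_of_order = [seqs[i] for i in range(1, len(seqs)) if seqs[i] < seqs[i - 1]]
    return {"missing": missing, "duplicates": duplicates, "out_of_order": out_of_order}


if __name__ == "__main__":
    log = build_sample_log()
    print("integrity failures:", failed_integrity(log))   # [1004]
    print("sequence review:", sequence_review(log))       # missing 1003, dup 1005, 1006 out of order
```

Each finding maps to an audit objective on the earlier slide: a gap is evidence the system did not detect and correct message loss, a duplicate points at replay or double posting, and a failed MAC means a captured or altered message would not be rendered useless. Running the integrity check under the wrong key fails every message, which is the expected result when checking that the key in use is the one the partners agreed.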
Chapter 6: Enterprise Resource Planning Systems
PROBLEMS WITH NON-ERP SYSTEMS
· In-house design limits connectivity outside the company
· Tendency toward separate IS's within the firm
· Lack of integration limits communication within the company
· Strategic decision-making not supported
· Long-term maintenance costs high
· Limits ability to engage in process reengineering
TRADITIONAL IS MODEL: CLOSED DATABASE ARCHITECTURE
· Similar in concept to the flat-file approach
· Data remains the property of the application
· Fragmentation limits communications
· Existence of numerous distinct and independent databases
· Redundancy and anomaly problems
· Paper-based
· Requires multiple entry of data
· Status of information unknown at key points
[Figure: Traditional Information System with Closed Database Architecture. Within the business enterprise, the Order Entry System (customer sales, accounts receivable, customer database), the Manufacturing and Distribution System (production scheduling, shipping, manufacturing database) and the Procurement System (purchases, vendor accounts payable, inventory, procurement database) each own a separate database; customers send orders and receive products, suppliers receive purchases and deliver materials.]
WHAT IS ERP?
Those activities supported by multi-module application software that help a company manage the important parts of its business in an integrated fashion. Key features include:
· Smooth and seamless flow of information across organizational boundaries
· Standardized environment with a shared database independent of applications, and integrated applications
[Figure: ERP System. Core functions (On-Line Transaction Processing, OLTP: sales & distribution, business planning, shop floor control, logistics) run against a shared operational database (customers, production, vendor, inventory, etc.) that links suppliers and customers; bolt-on applications supply industry-specific functions; legacy systems feed a data warehouse used by On-Line Analytical Processing (OLAP).]
TWO MAIN ERP APPLICATIONS
Core applications, a.k.a. On-line Transaction Processing (OLTP):
· Transaction processing systems
· Support the day-to-day operational activities of the business
· Support mission-critical tasks through simple queries of operational databases
· Include sales and distribution, business planning, production planning, shop floor control, and logistics modules
TWO MAIN ERP APPLICATIONS
Business analysis applications, a.k.a. On-line Analytical Processing (OLAP):
· Decision support tool for management-critical tasks through analytical investigation of complex data associations
· Supplies management with “real-time” information and permits timely decisions to improve performance and achieve competitive advantage
· Includes decision support, modeling, information retrieval, ad-hoc reporting/analysis, and what-if analysis
OLAP
Supports management-critical tasks through analytical investigation of complex data associations captured in data warehouses:
· Consolidation is the aggregation or roll-up of data.
· Drill-down allows the user to see data in selectively increasing levels of detail.
· Slicing and dicing enables the user to examine data from different viewpoints, often along a time axis to depict trends and patterns.
ERP SYSTEM CONFIGURATIONS: CLIENT-SERVER NETWORK TOPOLOGY
Two-tier:
· A common server handles both application and database duties
· Used especially in LANs
[Figure: Two-Tier Client Server. First tier: user (presentation layer). Second tier: one server hosting both the applications and the database (application and database layer).]
ERP SYSTEM CONFIGURATIONS: CLIENT-SERVER NETWORK TOPOLOGY
Three-tier:
· The client links to the application server, which then initiates a second connection to the database server
· Used especially in WANs
[Figure: Three-Tier Client Server. First tier: user (presentation layer). Second tier: application server running the applications (application layer). Third tier: database server holding the database (database layer).]
ERP WITH OLTP AND OLAP CLIENT SERVER USING DATA WAREHOUSE
[Figure: First tier: user (presentation layer). Second tier: OLTP applications on an OLTP server and OLAP applications on an OLAP server (application layer). Third tier: operations database on an operations database server and the data warehouse on a data warehouse server (database layer).]
ERP SYSTEM CONFIGURATIONS: DATABASES AND BOLT-ONS
Database configuration:
· Selection of database tables in the thousands
· Setting the switches in the system
Bolt-on software:
· Third-party vendors provide specialized functionality software
· Supply-Chain Management (SCM) links vendors, carriers, third-party logistics companies, and information systems providers
WHAT IS A DATA WAREHOUSE?
· A relational or multi-dimensional database that may consume hundreds of gigabytes or even terabytes of disk storage
· The data is normally extracted periodically from an operational database or from a public information service.
· A database constructed for quick searching, retrieval, ad-hoc queries, and ease of use
· An ERP system could exist without having a data warehouse. The trend, however, is that organizations that are serious about competitive advantage deploy both.
· The recommended data architecture for an ERP implementation includes separate operational and data warehouse databases.
DATA WAREHOUSE PROCESS
The five essential stages of the data warehousing process are:
1. Modeling data for the data warehouse
2. Extracting data from operational databases
3. Cleansing extracted data
4. Transforming data into the warehouse model
5. Loading the data into the data warehouse database
[Figure: Data Warehouse System. Legacy systems (an order entry system on VSAM files and a hierarchical DB; a purchases system on a network DB) and the ERP system's operations database feed a data cleansing process into the data warehouse, where current (this week's) detailed sales data is archived over time into previous weeks, sales data summarized quarterly for previous quarters, and sales data summarized annually for previous years.]
APPLICATIONS OF DATA MINING
RISKS ASSOCIATED WITH ERP IMPLEMENTATION
Pace of implementation:
· ‘Big Bang’: switch operations from legacy systems to ERP in a single event
· ‘Phased-In’: independent ERP units installed over time, assimilated and integrated
Opposition to changes to the business's culture:
· User reluctance and inertia
· Need for (upper) management support
RISKS ASSOCIATED WITH ERP IMPLEMENTATION
Choosing the wrong ERP:
· Goodness of fit: no ERP system is best for all industries
· Scalability: the system's ability to grow
Choosing the wrong consultant:
· Common to use a third party (the Big Five)
· Be thorough in interviewing potential consultants
· Establish explicit expectations
RISKS ASSOCIATED WITH ERP IMPLEMENTATION
High cost and cost overruns. Common areas with high costs:
· Training
· Testing and integration
· Database conversion
Disruptions to operations: ERP is reengineering; expect major changes in how business is done.
IMPLICATIONS FOR INTERNAL CONTROL AND AUDITING
Transaction authorization:
· Controls are needed to validate transactions before they are accepted by other modules
· ERPs are more dependent on programmed controls than on human intervention
Segregation of duties:
· Manual processes that normally require segregation of duties are often eliminated
· User role: predefined user roles limit a user’s access to certain functions and data
IMPLICATIONS FOR INTERNAL CONTROL AND AUDITING
Supervision:
· Supervisors need to acquire a technical and operational understanding of the new system
· An employee-empowered philosophy should not eliminate supervision
Accounting records:
· Corrupted data may be passed from external sources and from legacy systems
· Loss of the paper audit trail
IMPLICATIONS FOR INTERNAL CONTROL AND AUDITING
Access controls:
· Critical concern with confidentiality of information
· Who should have access to what?
Access to the data warehouse:
· Data warehouses often involve sharing information with suppliers and customers.
IMPLICATIONS FOR INTERNAL CONTROL AND AUDITING
Contingency planning:
· How to keep the business going in case of disaster
· The key role of servers requires backup plans: redundant servers or shared servers
Independent verification:
· Traditional verifications are meaningless
· Need to shift from the transaction level to the overall performance level
Auditing and Assurance 2e, Hall & Singleton
ERP PRODUCTS
SAP: largest ERP vendor
· Modules can be integrated or used alone
· New features include SCM, B2B, e-commerce, XML
· Began with MRP systems
J.D. Edwards:
· Flexibility: users can change features; less of a pre-set structure than SAP’s
· Modularity: accepts modules (bolt-ons) from other vendors
ERP PRODUCTS
Oracle:
· Tailored to an e-business focus
· Internet-based vs. client-server based applications
PeopleSoft:
· Open, modular architecture allows rapid integration with existing systems
Baan:
· Use of “best-of-class” applications
Chapter 7: Computer-Assisted Audit Techniques [CAATs]
IT Auditing & Assurance, 2e, Hall & Singleton
CLASSES OF INPUT CONTROLS
· Source document controls
· Data coding controls
· Batch controls
· Validation controls
· Input error correction
· Generalized data input systems
SOURCE DOCUMENT CONTROLS
Controls in systems using physical source documents. Source document fraud: to control for this exposure, control procedures are needed over source documents to account for each one.
· Use pre-numbered source documents
· Use source documents in sequence
· Periodically audit source documents
Source Document Controls – in systems that use physical source documents to initiate transactions, careful control must be exercised over these instruments. Source document fraud can be used to remove assets from the organization. To control against this type of exposure, implement control procedures over source documents to account for each document.
o Use Pre-numbered Source Documents – source documents should come pre-numbered from the printer with a unique sequential number on each document. This provides an audit trail for tracing transactions through accounting records.
o Use Source Documents in Sequence – source documents should be distributed to the users and used in sequence, requiring that adequate physical security be maintained over the source document inventory at the user site. Access to source documents should be limited to authorized persons.
o Periodically Audit Source Documents – the auditor should compare the numbers of documents used to date with those remaining in inventory plus those voided due to errors.
DATA CODING CONTROLS
Checks on data integrity during processing.
Transcription errors:
· Addition errors: extra digits
· Truncation errors: digit removed
· Substitution errors: digit replaced
Transposition errors:
· Single transposition: adjacent digits transposed (reversed)
· Multiple transposition: non-adjacent digits are transposed
Control = check digits:
· Added to the code when created (suffix, prefix, embedded)
· Sum of digits (ones): transcription errors only
· Modulus 11: different weights per column: transposition and transcription errors
· Introduces storage and processing inefficiencies
Data Coding Controls – coding controls are checks on the integrity of data codes used in processing. Three types of errors can corrupt data codes and cause processing errors: transcription errors, single transposition errors, and multiple transposition errors. Transcription errors fall into three classes: addition errors occur when an extra digit or character is added to the code; truncation errors occur when a digit or character is removed from the end of a code; substitution errors are the replacement of one digit in a code with another. Two types of transposition errors: single transposition errors occur when two adjacent digits are reversed; multiple transposition errors occur when nonadjacent digits are transposed.
Check Digits – a control digit (or digits) added to the code when it is originally assigned that allows the integrity of the code to be established during subsequent processing. The digit can be located anywhere in the code: suffix, prefix, or embedded. This technique will detect only transcription errors. The popular method is modulus 11, which recalculates the check digit during processing. The use of check digits introduces storage and processing inefficiencies and should be restricted to essential data.
MODULUS 11 worked example:
Code = 5372
Weighted sum: 5*5 + 4*3 + 3*7 + 2*2 = 62
62 / 11 = 5 with remainder 7
11 – 7 = 4 [the check digit]
Revised code = 53724
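The modulus 11 calculation above as an added, runnable example (not code from the Hall & Singleton text). It reproduces the slide's four-digit case and generalizes it to numeric codes of up to nine digits using descending weights from len(code)+1 down to 2; that weighting rule and the use of 'X' when the check value would be 10 are assumptions, since the slide shows only the 5372 instance. It also implements the simpler sum-of-digits scheme so the two can be compared on the same transposition error.

```python
"""Modulus 11 check digit (added example, not from the Hall & Singleton text).

Assumption: weights run from len(code)+1 down to 2 over the data digits, which
gives 5,4,3,2 for the slide's four-digit code. Codes are limited to nine digits
so that every weight is distinct and non-zero modulo 11.
"""


def mod11_check_digit(code: str) -> str:
    """Weighted sum -> remainder mod 11 -> 11 minus remainder.
    Remainder 0 yields check digit 0. Remainder 1 would need the value 10,
    which is not a single digit; it is written 'X' here (the ISBN-10
    convention; the slide does not cover this case)."""
    if not code.isdigit() or not 1 <= len(code) <= 9:
        raise ValueError("code must be 1 to 9 decimal digits")
    n = len(code)
    weighted_sum = sum(int(d) * (n + 1 - i) for i, d in enumerate(code))
    remainder = weighted_sum % 11
    check = (11 - remainder) % 11
    return "X" if check == 10 else str(check)


def mod11_is_valid(coded: str) -> bool:
    """Validity check for a code carrying its check digit as a suffix
    (the form used during subsequent processing)."""
    if len(coded) < 2:
        return False
    try:
        return mod11_check_digit(coded[:-1]) == coded[-1]
    except ValueError:
        return False


def sum_of_digits_check_digit(code: str) -> str:
    """The 'sum of digits (ones)' scheme: ones digit of the digit sum."""
    return str(sum(int(d) for d in code) % 10)


def detects(scheme, original: str, corrupted: str) -> bool:
    """True when the scheme's check digit changes between the original and
    the corrupted code, i.e. recomputation would flag the corruption."""
    return scheme(original) != scheme(corrupted)


if __name__ == "__main__":
    print(mod11_check_digit("5372"))                           # 4, as on the slide
    print(detects(sum_of_digits_check_digit, "5372", "3572"))  # single transposition: False (missed)
    print(detects(mod11_check_digit, "5372", "3572"))          # single transposition: True (caught)
```

The comparison makes the slide's claim concrete: swapping the adjacent digits 5 and 3 leaves the digit sum (and so the sum-of-digits check) unchanged, while the position-dependent weights of modulus 11 change the weighted sum and the check digit. Non-adjacent (multiple) transpositions are not guaranteed to be caught by either scheme.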
BATCH CONTROLS
· Method for handling high volumes of transaction data, esp. in paper-fed IS
· Control of the batch continues through all phases of the system and all processes (i.e., not JUST an input control)
· All records in the batch are processed together
· No records are processed more than once
· An audit trail is maintained from input to output
· Requires grouping of similar input transactions
Batch Controls – are an effective method of managing high volumes of transaction data through a system. They reconcile output produced by the system with the input originally entered into the system. Controlling the batch continues throughout all phases of the system. It assures that: all records in the batch are processed; no records are processed more than once; an audit trail of transactions is created from input through processing to the output. It requires the grouping of similar types of input transactions together in batches and then controlling the batches throughout data processing.
VALIDATION CONTROLS
· Intended to detect errors in data before processing
· Most effective if performed close to the source of the transaction
· Some require referencing a master file
Validation Controls – intended to detect errors in transaction data before the data are processed. Most effective when they are performed as close to the source of the transaction as possible. Some validation procedures require making references against the current master file. There are three levels of input validation controls:
VALIDATION CONTROLS
Field interrogation:
· Missing data checks
· Numeric-alphabetic data checks
· Zero-value checks
· Limit checks
· Range checks
· Validity checks
· Check digit
Record interrogation:
· Reasonableness checks
· Sign checks
· Sequence checks
File interrogation:
· Internal label checks (tape)
· Version checks
· Expiration date check
1. Field Interrogation – involves programmed procedures that examine the characteristics of the data in the field.
· Missing Data Checks – used to examine the contents of a field for the presence of blank spaces.
· Numeric-Alphabetic Data Checks – determine whether the correct form of data is in a field.
· Zero-Value Checks – used to verify that certain fields are filled with zeros.
· Limit Checks – determine if the value in the field exceeds an authorized limit.
· Range Checks – assign upper and lower limits to acceptable data values.
· Validity Checks – compare actual values in a field against known acceptable values.
· Check Digit – identifies keystroke errors in key fields by testing the internal validity of the code.
2. Record Interrogation – procedures validate the entire record by examining the interrelationship of its field values.
· Reasonableness Checks – determine if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with other data fields in the record.
· Sign Checks – test to see if the sign of a field is correct for the type of record being processed.
· Sequence Checks – determine if a record is out of order.
3. File Interrogation – purpose is to ensure that the correct file is being processed by the system.
· Internal Label Checks – verify that the file processed is the one the program is actually calling for. The system matches the file name and serial number in the header label with the program’s file requirements.
· Version Checks – verify that the version of the file processed is correct. The version check compares the version number of the files being processed with the program’s requirements.
· Expiration Date Check – prevents a file from being deleted before it expires.
INPUT ERROR CORRECTION
Batch: correct and resubmit. Controls are needed to make sure errors are dealt with completely and accurately:
· Immediate correction
· Create an error file: reverse the effects of partially processed records and resubmit the corrected records, or reinsert corrected records at the processing stage where the error was detected
· Reject the entire batch
Input Error Correction – when errors are detected in a batch, they must be corrected and the records resubmitted for reprocessing. This must be a controlled process to ensure that errors are dealt with completely and correctly. Three common error handling techniques are:
1. Immediate Correction – when a keystroke error or an illogical relationship is detected, the system should halt the data entry procedure until the user corrects the error.
2. Create an Error File – individual errors should be flagged to prevent them from being processed. At the end of the validation procedure, the records flagged as errors are removed from the batch and placed in a temporary error holding file until the errors can be investigated. At each validation point, the system automatically adjusts the batch control totals to reflect the removal of the error records from the batch. Errors detected during processing require careful handling. These records may already be partially processed. There are two methods for dealing with this complexity. The first is to reverse the effects of the partially processed transactions and resubmit the corrected records to the data input stage. The second is to reinsert corrected records at the processing stage in which the error was detected.
3. Reject the Entire Batch – some forms of errors are associated with the entire batch and are not clearly attributable to individual records. The most effective solution in this case is to cease processing and return the entire batch to data control to evaluate, correct, and resubmit. Batch errors are one reason for keeping the size of the batch to a manageable number.
GENERALIZED DATA INPUT SYSTEMS (GDIS)
· Centralized procedures to manage data input for all transaction processing systems
· Eliminates the need to create redundant routines for each new application
Advantages:
· Improves control by having one common system perform all data validation
· Ensures each AIS application applies a consistent standard of data validation
· Improves systems development efficiency
Generalized Data Input Systems – to achieve a high degree of control and standardization over input validation procedures, some organizations employ a generalized data input system (GDIS), which includes centralized procedures to manage the data input for all of the organization’s transaction processing systems. A GDIS eliminates the need to recreate redundant routines for each new application. It has three advantages: it improves control by having one common system perform all data validation; it ensures that each AIS application applies a consistent standard for data validation; and it improves systems development efficiency.
CLASSES OF PROCESSING CONTROLS
· Run-to-run controls
· Operator intervention controls
· Audit trail controls
RUN-TO-RUN (BATCH)
Use batch figures to monitor the batch as it moves from one process to another:
· Recalculate control totals
· Check transaction codes
· Sequence checks
Run-to-Run Controls – use batch figures to monitor the batch as it moves from one programmed procedure (run) to another. They ensure that each run in the system processes the batch correctly and completely. Specific run-to-run control types are listed below:
· Recalculate Control Totals – after each major operation in the process and after each run, dollar amount fields, hash totals, and record counts are accumulated and compared to the corresponding values stored in the control record.
· Transaction Codes – the transaction code of each record in the batch is compared to the transaction code contained in the control record, ensuring only the correct type of transaction is being processed.
· Sequence Checks – the order of the transaction records in the batch is critical to correct and complete processing. The sequence check control compares the sequence of each record in the batch with the previous record to ensure that proper sorting took place.
OPERATOR INTERVENTION
· When the operator manually enters controls into the system
· Preference is to derive them by logic or have them provided by the system
Operator intervention increases the potential for human error. Systems that limit operator intervention through operator intervention controls are thus less prone to processing errors. Parameter values and program start points should, to the extent possible, be derived logically or provided to the system through look-up tables.
AUDIT TRAIL CONTROLS
· Every transaction becomes traceable from input to output
· Each processing step is documented
· Preservation is key to the auditability of the AIS
· Transaction logs
· Log of automatic transactions
· Listing of automatic transactions
· Unique transaction identifiers [s/n]
· Error listing
Audit Trail Controls – the preservation of an audit trail is an important objective of process control. Every transaction must be traceable through each stage of processing. Each major operation applied to a transaction should be thoroughly documented. The following are examples of techniques used to preserve audit trails:
· Transaction Logs – every transaction successfully processed by the system should be recorded on a transaction log. There are two reasons for creating a transaction log: it is a permanent record of transactions, and not all of the records in the validated transaction file may be successfully processed, since some of these records fail tests in the subsequent processing stages. A transaction log should contain only successful transactions.
· Log of Automatic Transactions – all internally generated transactions must be placed in a transaction log.
· Listing of Automatic Transactions – the responsible end user should receive a detailed list of all internally generated transactions.
· Unique Transaction Identifiers – each transaction processed by the system must be uniquely identified with a transaction number.
· Error Listing – a listing of all error records should go to the appropriate user to support error correction and resubmission.
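The input and processing controls of the preceding slides (batch control totals, field and record interrogation, the error file with adjusted control totals, the run-to-run recalculation, transaction code and sequence checks, and a transaction log with unique identifiers) combined into one small two-run pipeline. This is an added example, not code from the Hall & Singleton text; the transaction layout, the SALE transaction code, the account master, the credit limit and the sample batch are all constructed for the example.

```python
"""Batch input and processing controls as a two-run pipeline (added example,
not from the Hall & Singleton text). Layout, limits and master file are
constructed for the example."""
from dataclasses import dataclass

VALID_ACCOUNTS = {"1001", "1002", "1003"}   # constructed master-file reference
CREDIT_LIMIT = 5000.00                       # constructed limit-check threshold


@dataclass
class Txn:
    seq: int       # position assigned at data entry, used by the sequence check
    code: str      # transaction code, must match the batch's control record
    account: str
    amount: float


@dataclass
class ControlRecord:
    """Batch control totals carried from run to run."""
    code: str
    count: int
    hash_total: int        # sum of account numbers: meaningless, but checkable
    amount_total: float

    @classmethod
    def from_batch(cls, code: str, txns: list) -> "ControlRecord":
        return cls(code, len(txns),
                   sum(int(t.account) for t in txns if t.account.isdigit()),
                   round(sum(t.amount for t in txns), 2))

    def remove(self, t: Txn) -> None:
        """Adjust the totals when a record is moved to the error file."""
        self.count -= 1
        if t.account.isdigit():
            self.hash_total -= int(t.account)
        self.amount_total = round(self.amount_total - t.amount, 2)


def field_interrogation(t: Txn) -> list:
    """Missing data, numeric, validity (master file), sign and limit checks."""
    errs = []
    if not t.account:
        errs.append("missing account")
    elif not t.account.isdigit():
        errs.append("account not numeric")
    elif t.account not in VALID_ACCOUNTS:
        errs.append("account not on master file")
    if t.amount <= 0:
        errs.append("sign check failed")
    if t.amount > CREDIT_LIMIT:
        errs.append("limit check failed")
    return errs


def validation_run(batch_code: str, txns: list):
    """Run 1: validate each record, divert failures to the error file and
    adjust the control record so the next run can reconcile against it."""
    control = ControlRecord.from_batch(batch_code, txns)
    valid, error_file, last_seq = [], [], 0
    for t in txns:
        errs = field_interrogation(t)
        if t.code != batch_code:
            errs.append("transaction code mismatch")
        if t.seq <= last_seq:
            errs.append("sequence check failed")
        last_seq = max(last_seq, t.seq)
        if errs:
            error_file.append((t, errs))   # error listing for the user
            control.remove(t)
        else:
            valid.append(t)
    return valid, error_file, control


def posting_run(batch_code: str, valid: list, control: ControlRecord) -> list:
    """Run 2: recompute the totals from the records actually received and
    compare with the control record (run-to-run), then write the log of
    successful transactions, each with a unique transaction identifier."""
    recomputed = ControlRecord.from_batch(batch_code, valid)
    if recomputed != control:
        raise RuntimeError(f"run-to-run control mismatch: {recomputed} vs {control}")
    return [{"txn_id": f"{batch_code}-{i:04d}", "account": t.account, "amount": t.amount}
            for i, t in enumerate(valid, start=1)]


def sample_batch() -> list:
    """Constructed batch: seq 3 has an unknown account, seq 4 a negative amount,
    seq 5 arrives after seq 6 (sequence error), seq 7 exceeds the limit."""
    return [Txn(1, "SALE", "1001", 120.50), Txn(2, "SALE", "1002", 80.00),
            Txn(3, "SALE", "9999", 10.00), Txn(4, "SALE", "1003", -5.00),
            Txn(6, "SALE", "1001", 40.00), Txn(5, "SALE", "1002", 15.00),
            Txn(7, "SALE", "1003", 6000.00)]


def process(batch_code: str = "SALE", txns: list = None):
    txns = sample_batch() if txns is None else txns
    valid, error_file, control = validation_run(batch_code, txns)
    return posting_run(batch_code, valid, control), error_file, control
```

Calling `process()` on the constructed batch logs three transactions (SALE-0001 to SALE-0003) and lists four error records; the control record that reaches the posting run already reflects the removals (count 3, hash total 3004, amount total 240.50), which is what lets the run-to-run comparison pass. If a record were dropped between the runs without the control record being adjusted, `posting_run` would raise, which is the failure the run-to-run control exists to surface.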
OUTPUT CONTROLS
Ensure system output is:
· Not misplaced
· Not misdirected
· Not corrupted
· Privacy policy not violated
Batch systems are more susceptible to exposure and require greater controls.
Controlling batch systems output:
· Many steps from printer to end user
· Data control clerk check point
· Unacceptable printing should be shredded
· Cost/benefit basis for controls
· Sensitivity of data drives levels of controls
Output Controls – ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. The type of processing method in use influences the choice of controls employed to protect system output. Batch systems are more susceptible to exposure and require a greater degree of control than real-time systems.
· Controlling Batch Systems Output – batch systems usually produce output in the form of hard copy, which typically requires the involvement of intermediaries. The output is removed from the printer by the computer operator, separated into sheets and separated from other reports, reviewed for correctness by the data control clerk, and then sent through interoffice mail to the end user. Each stage is a point of potential exposure where the output could be reviewed, stolen, copied, or misdirected. When processing or printing goes wrong and produces output that is unacceptable to the end user, the corrupted or partially damaged reports are often discarded in waste cans. Computer criminals have successfully used such waste to achieve their illicit objectives. Techniques for controlling each phase in the output process are employed on a cost-benefit basis that is determined by the sensitivity of the data in the reports.
OUTPUT CONTROLS
Output spooling risks:
· Access the output file and change critical data values
· Access the file and change the number of copies to be printed
· Make a copy of the output file so illegal output can be generated
· Destroy the output file before printing takes place
Output Spooling – applications are often designed to direct their output to a magnetic disk file rather than to the printer directly. The creation of an output file as an intermediate step in the printing process presents an added exposure. A computer criminal may use this opportunity to perform any of the following unauthorized acts: access the output file and change critical data values; access the file and change the number of copies to be printed; make a copy of the output file to produce illegal output reports; destroy the output file before printing takes place.
OUTPUT CONTROLS
· Bursting: supervision
· Waste: proper disposal of aborted copies and carbon copies
· Data control: the data control group verifies and logs
· Report distribution
Bursting – when output reports are removed from the printer, they go to the bursting stage to have their pages separated and collated. The clerk may make an unauthorized copy of the report, remove a page from the report, or read sensitive information. The primary control for this is supervision.
Waste – computer output waste represents a potential exposure. Dispose properly of aborted reports and the carbon copies from the multipart paper removed during bursting.
Data Control – the data control group is responsible for verifying the accuracy of computer output before it is distributed to the user. The clerk will review the batch control figures for balance, examine the report body for garbled, illegible, and missing data, and record the receipt of the report in data control’s batch control log.
Report Distribution – the primary risks associated with report distribution include reports being lost, stolen, or misdirected in transit to the user. To minimize these risks: the name and address of the user should be printed on the report; an address file of authorized users should be consulted to identify each recipient of the report; and adequate access control should be maintained over the files. The reports may be placed in a secure mailbox to which only the user has the key. The user may be required to appear in person at the distribution center and sign for the report. A security officer or special courier may deliver the report to the user.
OUTPUT CONTROLS
End user controls: end user detection
Report retention:
· Statutory requirements (gov’t)
· Number of copies in existence
· Existence of softcopies (backups)
· Destroyed in a manner consistent with the sensitivity of its contents
End User Controls – output reports should be re-examined for any errors that may have evaded the data control clerk’s review. Errors detected by the user should be reported to the appropriate computer services management. A report should be stored in a secure location until its retention period has expired. Factors influencing the length of time a hard copy report is retained include: statutory requirements specified by government agencies; the number of copies of the report in existence; the existence of magnetic or optical images of reports that can act as permanent backup. Reports should be destroyed in a manner consistent with the sensitivity of their contents.
TESTING COMPUTER APPLICATION CONTROLS
· Around the computer: rarely appropriate
· Through the computer: supported by continuous audit techniques
Testing Computer Application Controls – control-testing techniques provide information about the accuracy and completeness of an application’s processes. These tests follow two general approaches:
· Black box: testing around the computer
· White box: testing through the computer
TESTING COMPUTER APPLICATION CONTROLS AROUND THE COMPUTER
· Ignore the internal logic of the application
· Use functional characteristics: flowcharts, interviews with key personnel
· Advantage: do not have to remove the application from operations to test it
· Appropriately applied to simple applications with a relatively low level of risk
Black Box (Around the Computer) Technique – auditors performing black box testing do not rely on a detailed knowledge of the application’s internal logic. They seek to understand the functional characteristics of the application by analyzing flowcharts and interviewing knowledgeable personnel in the client’s organization. The auditor tests the application by reconciling production input transactions processed by the application with output results. The advantage of the black box approach is that the application need not be removed from service and tested directly. This approach is feasible for testing applications that are relatively simple. Complex applications require a more focused testing approach to provide the auditor with evidence of application integrity.
TESTING COMPUTER APPLICATION CONTROLS THROUGH THE COMPUTER
· Relies on an in-depth understanding of the internal logic of the application
· Uses a small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls
· Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results
White Box (Through the Computer) Technique – relies on an in-depth understanding of the internal logic of the application being tested. Several techniques for testing application logic directly are included. This approach uses small numbers of specially created test transactions to verify specific aspects of an application’s logic and controls. Auditors are able to conduct precise tests, with known variables, and obtain results that they can compare against objectively calculated results.
COMPUTER AIDED AUDIT TOOLS AND TECHNIQUES (CAATTs)
· Test data method
· Base case system evaluation
· Tracing
· Integrated Test Facility [ITF]
· Parallel simulation
· GAS
Computer Aided Audit Tools and Techniques for Testing Controls – there are 5 CAATT approaches:
TEST DATA
Used to establish the application's processing integrity. Uses a “test deck”:
· Valid data
· Purposefully selected invalid data
· Every possible input error, logical process, and irregularity
Procedures:
· Predetermined results and expectations
· Run the test deck
· Compare
Test Data Method – used to establish application integrity by processing specially prepared sets of input data through production applications that are under review. The results of each test are compared to predetermined expectations to obtain an objective evaluation of application logic and control effectiveness.
Creating Test Data – when creating test data, auditors must prepare a complete set of both valid and invalid transactions. If test data are incomplete, auditors might fail to examine critical branches of application logic and error-checking routines. Test transactions should test every possible input error, logical process, and irregularity.
TRACING Test data technique that takes step-by-step walk through application The trace option must be enabled for the application Specific data or types of transactions are created as test data Test data is “traced” through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.) Excellent means of debugging a faculty program 3. Tracing – performs an electronic walk-through of the application’s internal logic. Implementing tracing requires a detailed understanding of the application’s internal logic. Tracing involves three steps: · The application under review must undergo a special compilation to activate the trace option. · Specific transactions or types of transactions are created as test data. · The test data transactions are traced through all processing stages of the program, and a listing is produced of all programmed instructions that were executed during the test. IT Auditing & Assurance, 2e, Hall & Singleton
TEST DATA: ADVANTAGES AND DISADVANTAGES
Advantages of test data techniques:
- They test "through the computer" (a white-box approach), giving the auditor explicit evidence about application functions
- Test data runs can be employed with only minimal disruption to the organization's operations
- They require only minimal computer expertise on the part of the auditor
Disadvantages of test data techniques:
- Auditors must rely on computer services personnel to obtain a copy of the application for testing; evidence collected by independent means is more reliable than evidence supplied by the client
- They provide a static picture of application integrity at a single point in time, and no convenient means of gathering evidence about ongoing application functionality
- Relatively high cost of implementation, resulting in auditing inefficiency
CONTINUOUS AUDITING
- Embedded Audit Module
- Real and test transactions
- Tagged transactions
- Audit hooks
INTEGRATED TEST FACILITY
ITF is an automated technique that enables the auditor to test an application's logic and controls during its normal operation.
- A dummy entity (test master file records) is set up within the application system, integrated with the legitimate records
- ITF audit modules are designed to discriminate between ITF transactions and routine production data, so test postings never contaminate production balances
- The auditor analyzes the ITF results against expected results
PARALLEL SIMULATION
The auditor writes, or obtains, a program that simulates the key features or processes of the application under review, runs it against the same data, and reconciles the two sets of results.
- Auditor gains a thorough understanding of the application under review
- Auditor identifies those processes and controls critical to the application
- Auditor creates the simulation as a program or with Generalized Audit Software (GAS)
- Auditor runs the simulation using selected production data and files
- Auditor evaluates the results and reconciles any differences
Considered an out-of-date approach.
Sedona Conference WG1: Best Practices for E-Document Retention and Production
The Sedona Conference exists to allow leading jurists, lawyers, experts, academics and others at the cutting edge of issues in antitrust law, complex litigation and intellectual property rights to come together, in conferences and mini think-tanks (Working Groups), and engage in true dialogue, not debate, in an effort to move the law forward in a reasoned and just way. WG1 develops principles and best-practice recommendations for electronic document retention and production.
Sedona ESI Framework
Sedona Conference white papers on keyword searches and electronically stored information (ESI):
- A well-constructed keyword list can cut review costs substantially
- Most keyword searches turn up only a small percentage of the relevant documents and miss many critical ones
- There are risks with both under-inclusive and over-inclusive terms
- The Sedona framework aims for higher quality results at lower cost
Keyword Search and E-Discovery
- E-discovery and document review are expensive
- Much of the cost comes from heavy reliance on human review
- Search solutions were not built with e-discovery in mind
- The majority of companies do not have an effective retention or archiving plan for electronic documents
ESI Retention Policy
Must comply with SOX and be scrutinized by legal.
- Categorize documents by type and retention period
- Use different archival methods for different categories
- Software can provide for efficient retrieval
- Train employees to the policy
There are several questions that need to be answered to address the larger question of "what to keep." The first is, "what types of documents and what sort of key words or phrases are deemed sensitive?" The second is, "does the company allow documents to be created and saved on local machines, or is everything saved on central server(s)?"
Regarding the first question, there are some obvious answers. For example, words or phrases with sexual or racial content would obviously be deemed sensitive; they might prove important in an employment-law case. To isolate e-mails containing such matter, an e-mail filtering program could be customized to search both messages and attachments and save copies of any that contain keywords or phrases deemed sensitive. This would safeguard the organization from relying on end users to save these messages, and would guarantee that all such e-mails are retained in a universal format in a single location. It would also save money and storage space by not archiving every message that passes through the company's servers. By indexing these messages and attachments, an organization will greatly streamline future data requests and save significant dollars in the process. An organization might also wish to copy and retain certain file types, depending on the nature of its business. For example, a high-tech manufacturer that creates potentially patentable designs might want to retain all Acrobat PDF files or other graphics-oriented documents that might contain design information, should a patent-infringement matter surface.
The question of whether documents are created and saved on local machines or stored exclusively on a central network server determines the backup and preservation procedures that a good retention policy should implement.
If files are created and saved on local machines, an organization can set up workstations so that duplicate files are centrally backed up or otherwise saved on central servers. This gives the organization much better control of potential evidence. Otherwise, records managers would need to periodically review the content of each machine, a time-consuming and expensive process. Another thing to consider in crafting a retention policy is whether employees are allowed to take notebook computers on the road or home, or to work on company business from a home computer. For notebook systems, synchronization software can update the files on central servers the next time the notebook logs into the network, so all information is accounted for. Once the files are on the network, forensic search tools can be deployed to identify key files that fall under the retention policy; they can then be copied and archived according to the procedures established in the policy. The tools one would use depend on the operating environment and server access. Text Search Pro (published by New Technologies, Inc.) and DTSearch (by DTSearch Corp.) both work well, depending on the server configurations and the types of data to be searched.
E-Mail Retention Policy
- Federal Rules of Civil Procedure (FRCP), industry regulations and internal policies all influence which e-mails should be archived
- Safe harbor in e-discovery rests on an organization adhering to its own policies and procedures governing the destruction of its data
- Not all e-mails are the same: set archive categories by the nature of the e-mail
- Adopt a policy and do not vary from it
- E-mail administration tasks gobble up 43% of IT support costs
In one lawsuit an IT professional divulged that he was storing hundreds of backup tapes in a closet. He had not told his lawyers. Regardless of whether the backups had anything to do with the lawsuit, the opposing lawyers had the right to demand that the backups be read. Of course they did, and the cost to the company ran into the millions of dollars. In another case, Prudential Life Insurance was involved in a class action suit and the court had ordered that it destroy no records during the proceedings. Unfortunately no one told the IT department, which went on deleting electronic records on its own retention schedule. A judge issued a $1 million penalty against Prudential for destroying data that supported its opponent's case, and required it to deploy a records management program with a multimillion-dollar price tag. Although Prudential had not deliberately destroyed relevant data, it still lost huge sums of money over its inability to enforce a reasonable and consistent retention policy.
If your e-mail retention period is 90 days, adhere to that standard and do not let 90 days mean 60 days or 6 months; inconsistent adherence to a retention policy looks even worse in the eyes of the court than having the wrong policy in place.
RIMM: e-mails showed a systematic fraud perpetrated at the expense of the company and its shareholders.
Redacted E-mail and Privacy
- Deleted information may be recoverable from electronic documents
- Policy should be specific as to what information must be removed before a document is issued to a third party
- Covered by federal laws and regulations
- Software is available to filter and delete
Privacy experts point out that similarly sensitive, private and protected information is now in the hands of thousands of private corporations, which often use e-mail, the Web and other means to exchange data with third parties. Even files that appear safe on the surface, such as those from which certain information has been redacted, can still put a company at risk of violating privacy laws. Workers often delete specific words from a document or block them out by changing font or background colors. In many cases, however, the word processor saves a copy of the original document (or the earlier revision), which can later be recovered by a third party; changing a font color hides text from view but leaves it in the file. Louis Jurgens, executive vice president at security consultancy Sage Inc. in Amarillo, Texas, said there are several tamper-proof methods of redaction that work with electronic documents and e-mail and eliminate the possibility of information being recovered after redaction. But, he added, the technical aspects are less important than having a solid policy that complies with regulations. Such a policy spells out exactly what items need to be redacted from a document and who is responsible for scrubbing private data. Cheryl Camin, an attorney on the HIPAA practice team at the Dallas law firm of Gardere Wynne Sewell, said at a minimum a policy should require that employees "de-identify" all patient records and other sensitive information by removing anything that could identify the person if there is a possibility of it being made public. Several vendors offer products for preventing privacy leaks, such as rule-based filtering for outgoing e-mail, a feature that SurfControl in Scotts Valley, Calif. and others offer to help close loopholes.
Other solutions include an automatic redaction product from Lansdowne, Penn.-based Appligent called Redax, which is used by the Department of Homeland Security, Kaiser Permanente and others to automatically identify and permanently remove sensitive information. Still, Jurgens said the bottom line is knowing what privacy laws require and
Cost of Poor Retention Policy
The judge could:
- instruct the jury to infer that the destroyed record(s) contained information unfavorable to your company (an adverse inference instruction)
- order your company to pay the cost of restoring any archival media on which a lost record is stored, plus the reasonable litigation expenses incurred by your opponent in filing a motion for discovery and production of the record
In Residential Funding Corp. v. DeGeorge Fin. Corp., 306 F.3d 99, the U.S. Court of Appeals for the Second Circuit sounded a grim warning for companies lacking a sound electronic document retention policy: if you wind up in court and can't produce the goods, you may be liable. Applying long-standing spoliation doctrine to the electronic era, the Second Circuit held that where a party breaches a discovery obligation by failing to produce evidence, the trial court has broad discretion in fashioning an appropriate sanction, including the discretion to delay the start of a trial, to declare a mistrial, or to issue an adverse inference instruction. Sanctions may be imposed not only where a party has acted in bad faith or with gross negligence, but also for ordinary negligence. Residential Funding holds that delay, as well as destruction, is sanctionable. Vacating the trial court's sanctions order, the Second Circuit reversed and remanded the plaintiff's favorable $96.4 million jury verdict even though the unproduced evidence, e-mail that resided on old backup tapes, was thought to contain little if any significant material for the defense's case. Comparable holdings go back at least sixteen years, to National Assoc. of Radiation Survivors v. Turnage, 115 F.R.D. 543 (N.D. Cal. 1987).
Beware the Unmanaged IM and E-mail
- Recipients may retain IM conversations even when you do not
- IM traffic often bypasses firewall controls
- IM content may be offensive to employees
- Track IM usage
- Enable content filtering and blocking
- Log and audit conversations
- Do not allow encrypted IM
Changes to the Federal Rules of Civil Procedure, effective December 1, 2006, created a new category for electronic records which may be requested during discovery in legal proceedings. Most countries around the world regulate the use of electronic messaging and electronic records retention in a similar fashion to the United States. The most common regulations related to IM at work involve the need to produce archived business communications to satisfy government or judicial requests under law. Many instant messaging communications fall into the category of business communications that must be archived and retrievable. In addition to the malicious code threat, the use of instant messaging at work also creates a risk of non-compliance with laws and regulations governing the use of electronic communications in business. In the United States alone there are over 10,000 laws and regulations related to electronic messaging and records retention.[12] Many companies don't know that retention and content policies should also apply to instant messaging, which is "just turbo-charged e-mail. There is a huge misconception out there that IM is not a written business record and that you can say anything you want. Users think that once you close your window, the message is gone, but that's not true. Even if you're not retaining the message, the person you're chatting with might be. Also, it's an enormous security issue if your employees are transmitting IMs on business issues. These messages are transmitted via the public Internet. They could include customers' social security numbers and important account information." Employers need to find out what the business presence of IM is in their workplace and how it is used.
Enable content filtering and blocking. Just as content filtering and blocking help prevent viruses, worms and other malware from infecting the network via e-mail, employing these technologies for IM provides similar protection, Verhoeven says. Log and audit IM conversations. This includes searching logs by keywords, dates, participants, protocols or some combination of these. Such logging and auditing should be reviewable by an authorized reviewer as well as by the IM user for any specific message, and there should be a defined retention period for this information. Don't permit the use of encryption in IM: if a user is encrypting IM messages, the monitoring system can't determine whether the IM is legitimate or whether it is sending out corporate secrets or other unauthorized communication.
Chapter 7: Computer-Assisted Audit Techniques [CAATs]
Chapter 8: CAATTs for Data Extraction and Analysis
DATA STRUCTURES
- Organization
- Access method
DATA ORGANIZATION AND ACCESS METHODS
[Figure: data organization (SEQUENTIAL, ISAM, RANDOM) and access methods. Non-index methods: hashing, pointers. Index methods: a separate INDEX file pointing into the DATA file.]
FILE PROCESSING OPERATIONS (Table 8-1)
Operations on individual records and on files; the numbers are referenced by the efficiency ratings on the following slides:
1. Retrieve a record by key
2. Insert a record
3. Update a record
4. Read a file
5. Find next record
6. Scan a file
7. Delete a record
DATA STRUCTURES: Flat file structures – Sequential structure [Figure 8-1]
- All records lie in contiguous storage spaces in a specified sequence arranged by their primary key
- Sequential files are simple and easy to process
- The application starts at the beginning of the file and reads each record in sequence
- Inefficient when only a small portion of the file is being processed
- Does not permit accessing a record directly
Efficient for operations 4 and 5 (sometimes 3); inefficient for operations 1, 2, 6 and 7 (usually 3).
DATA STRUCTURES: Flat file structures – Indexed structure
- In addition to the data file there is a separate index, itself a file of record addresses
- The index contains the numeric value of the physical disk storage location of each record in the associated data file
DATA STRUCTURES: Flat file structures – Indexed random file
- Records are dispersed throughout the disk without regard for their physical proximity to other related records
- The physical organization of the index file itself may be either sequential or random
- A random index is easier to maintain: new keys are simply appended to the end of the index without regard to sequence. A sequential index is harder to maintain because new keys must be inserted between existing keys, but it can be searched rapidly (e.g., by binary search)
- Principal advantages of indexed random files: operations involving the processing of individual records (operations 1, 2, 3, 6) and efficient use of disk storage
- Random files are not efficient for operations that process a large portion of the file (e.g., a payroll master file run)
DATA STRUCTURES: Flat file structures – Indexed Sequential Access Method (ISAM)
- Used for very large files that require routine batch processing and a moderate degree of individual record processing
- Used for files that often occupy several cylinders of contiguous storage on a disk
- Uses a number of indexes that describe in summarized form the contents of each cylinder [Figure 8-3]
- Average access time for a single record is slower than the indexed sequential or indexed random structures
- Disadvantage: does not perform record insertions efficiently; inserting a new record requires the physical relocation of all records beyond the point of insertion
- Three physical components: indexes, prime data storage area, overflow area [Figure 8-4]
- Accessing a record may involve searching the indexes, then the track in the prime data area, then the overflow area, which slows access time
- Reorganizing an ISAM file means integrating the overflow records into the prime data area and then reconstructing the indexes
Very efficient: operations 4, 5, 6. Moderately efficient: operations 1 and 3. Inefficient: operations 2, 7.
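The efficiency ratings above can be made concrete by counting what each organization actually does. The following is an added example, not code from the textbook: a toy sequential file and a toy indexed file (with either a sorted index searched by binary search or an append-only random index) count the record reads that operation 1 costs and the entries that have to be moved for operation 2. The record layout and the scattered "disk" addresses are assumptions of the example.

```python
import bisect


class SequentialFile:
    """Records stored contiguously in primary-key order; no direct access.
    Counts the record reads each operation costs."""

    def __init__(self, records):
        self.records = sorted(records, key=lambda r: r["key"])
        self.reads = 0

    def retrieve(self, key):                       # operation 1
        for rec in self.records:                   # must start at the beginning
            self.reads += 1
            if rec["key"] == key:
                return rec
            if rec["key"] > key:                   # passed the slot; not present
                break
        return None

    def insert(self, rec):                         # operation 2
        """Everything after the insertion point has to be rewritten."""
        pos = bisect.bisect_left([r["key"] for r in self.records], rec["key"])
        self.records.insert(pos, rec)
        return len(self.records) - pos - 1         # records physically moved


class IndexedFile:
    """Records scattered over a toy disk; a separate index maps key -> address.
    index_order='sequential' keeps the index sorted (binary search);
    'random' appends new entries (linear scan)."""

    def __init__(self, index_order="sequential"):
        self.disk = {}              # physical address -> record
        self.index = []             # (key, address) entries
        self.order = index_order
        self.next_addr = 0
        self.reads = 0              # data-record reads
        self.index_probes = 0       # index entries examined

    def insert(self, rec):
        addr = self.next_addr
        self.next_addr += 7         # arbitrary, non-contiguous placement
        self.disk[addr] = rec
        entry = (rec["key"], addr)
        if self.order == "sequential":
            pos = bisect.bisect_left(self.index, entry)
            self.index.insert(pos, entry)
            return len(self.index) - pos - 1       # index entries shifted
        self.index.append(entry)
        return 0

    def retrieve(self, key):
        if self.order == "sequential":
            lo, hi = 0, len(self.index)
            while lo < hi:                         # binary search of the index
                mid = (lo + hi) // 2
                self.index_probes += 1
                k, addr = self.index[mid]
                if k == key:
                    self.reads += 1
                    return self.disk[addr]
                if k < key:
                    lo = mid + 1
                else:
                    hi = mid
            return None
        for k, addr in self.index:                 # linear scan of a random index
            self.index_probes += 1
            if k == key:
                self.reads += 1
                return self.disk[addr]
        return None


def benchmark(n=1000):
    """Cost of retrieving the last key (operation 1) and of inserting a new
    lowest key (operation 2) under each organization, for n records."""
    records = [{"key": k, "name": f"rec{k}"} for k in range(1, n + 1)]
    seq = SequentialFile(records)
    idx_seq, idx_rand = IndexedFile("sequential"), IndexedFile("random")
    for rec in records:
        idx_seq.insert(rec)
        idx_rand.insert(rec)
    seq.retrieve(n); idx_seq.retrieve(n); idx_rand.retrieve(n)
    new = {"key": 0, "name": "rec0"}
    return {
        "sequential": {"record_reads": seq.reads, "moved_on_insert": seq.insert(new)},
        "indexed_sequential": {"record_reads": idx_seq.reads, "index_probes": idx_seq.index_probes,
                               "moved_on_insert": idx_seq.insert(new)},
        "indexed_random": {"record_reads": idx_rand.reads, "index_probes": idx_rand.index_probes,
                           "moved_on_insert": idx_rand.insert(new)},
    }


if __name__ == "__main__":
    for organization, costs in benchmark().items():
        print(organization, costs)
```

For 1,000 records the sequential file reads all 1,000 to reach the last key and moves 1,000 records to insert a new lowest key; the sorted index finds the key in about ten probes and one record read but also has to shift 1,000 index entries on that insert; the random index costs nothing to maintain but has to be scanned end to end.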
EVOLUTION OF ORGANIZATION / ACCESS METHODS
[Figure: timeline 1960–1990 showing the progression from sequential organization (legacy systems) to ISAM (legacy systems) to random organization (DBMS etc.).]
[Figure: efficiency by organization. Random organization is efficient for accessing single records but inefficient for accessing entire files; sequential organization is the reverse; ISAM falls between the two.]
POINTER STRUCTURE (linked-list file) [Figure 8-6]
- Stores in a field of each data record the address (pointer) of a related record
- Records are spread over the disk without concern for physical proximity to related records; the pointers provide the connections between them
- Pointers may also link records between files [Figure 8-7]
Three types of pointers [Figure 8-8]:
- Physical address pointer: contains the actual disk storage location needed by the disk controller, so the record can be accessed directly without further lookup. Advantage: speed. Disadvantages: if the related record is moved to another disk location the pointer must be changed, and because a physical pointer bears no logical relationship to the record it identifies, a stale or corrupted pointer silently loses the referenced record
- Relative address pointer: contains the relative position of the record in the file (e.g., the 135th record); a simple conversion routine turns it into a physical address
- Logical key pointer: contains the primary key of the related record; the key value is converted into the record's physical address by a hashing algorithm
Efficient: operations 1, 2, 3, 6. Inefficient: operations 4, 5, 7.
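The three pointer types behave differently when the data underneath them changes, which is the integrity point behind the "disadvantage" above. The following is an added example (not textbook code): a toy hashed file where a record can be reached by physical address, by relative position or by logical key, then two failure modes, the whole file being relocated and a deleted record's slot being reused. The record length, hash function and linear-probing collision handling are assumptions of the example.

```python
import zlib

RECORD_LENGTH = 100   # bytes per record slot (assumed)


class HashedFile:
    """A file region whose records are placed by hashing the primary key
    (linear probing on collision). For a record in slot s:
      physical address = base + s * RECORD_LENGTH
      relative address = s + 1        (the (s+1)-th record of the file)
      logical key      = record['key']"""

    def __init__(self, disk, base, capacity):
        self.disk, self.base, self.capacity = disk, base, capacity

    def _home_slot(self, key):
        return zlib.crc32(key.encode()) % self.capacity

    def _address(self, slot):
        return self.base + slot * RECORD_LENGTH

    def write(self, record):
        slot = self._home_slot(record["key"])
        for _ in range(self.capacity):
            addr = self._address(slot)
            if self.disk.get(addr) is None:
                self.disk[addr] = record
                return addr
            slot = (slot + 1) % self.capacity
        raise ValueError("file full")

    def pointers_to(self, addr, record):
        """The three ways a related record can point at `record` stored at `addr`."""
        slot = (addr - self.base) // RECORD_LENGTH
        return {"physical": addr, "relative": slot + 1, "logical": record["key"]}

    def follow(self, kind, ptr):
        """Resolve a pointer. Only the logical key pointer checks that the
        record found is the one that was intended."""
        if kind == "physical":
            return self.disk.get(ptr)
        if kind == "relative":
            return self.disk.get(self._address(ptr - 1))
        slot = self._home_slot(ptr)
        for _ in range(self.capacity):
            rec = self.disk.get(self._address(slot))
            if rec is None or rec["key"] == ptr:
                return rec
            slot = (slot + 1) % self.capacity
        return None

    def relocate(self, new_base):
        """Move the whole file to a new disk region, e.g. after a reorganization."""
        moved = {}
        for slot in range(self.capacity):
            rec = self.disk.pop(self._address(slot), None)
            if rec is not None:
                moved[new_base + slot * RECORD_LENGTH] = rec
        self.disk.update(moved)
        self.base = new_base


def relocation_demo():
    """Which pointer kinds still find customer C-42 after the file is moved?"""
    disk = {}
    f = HashedFile(disk, base=1000, capacity=16)
    target = {"key": "C-42", "name": "Acme"}          # constructed record
    ptrs = f.pointers_to(f.write(target), target)
    f.relocate(new_base=5000)                           # old region no longer holds it
    return {kind: f.follow(kind, p) == target for kind, p in ptrs.items()}


def slot_reuse_demo():
    """After C-42 is deleted and its slot reused, which pointers notice?"""
    disk = {}
    f = HashedFile(disk, base=1000, capacity=16)
    target = {"key": "C-42", "name": "Acme"}
    addr = f.write(target)
    ptrs = f.pointers_to(addr, target)
    disk[addr] = {"key": "C-77", "name": "Bogus Ltd"}   # slot reused by another record
    return {kind: (f.follow(kind, p) or {}).get("key") for kind, p in ptrs.items()}


if __name__ == "__main__":
    print("after relocation, still correct:", relocation_demo())
    print("after slot reuse, record found:", slot_reuse_demo())
```

After the relocation the physical pointer resolves to nothing while the relative and logical pointers still work; after the slot is reused the physical and relative pointers hand back the wrong record without complaint, and only the logical key pointer, which carries the key it expects, reports the mismatch. That is why an auditor extracting linked-list data should reconcile pointer targets against keys rather than trust addresses.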
DATABASE STRUCTURES
- Hierarchical and network structures use explicit linkages (pointers) between records to establish relationships
- The relational structure uses implicit linkages between records: foreign keys matched to primary keys
The major difference between the flat-file and database approaches is the degree of process integration and data sharing that can be achieved. Two-dimensional flat files exist as independent data structures that are not linked logically or physically to other files. Database models were designed to support the flat-file systems already in place while allowing the organization to move to new levels of data integration.
Relational records: a "foreign key" in one record establishes the relationship to related records in other files (CUSTOMERS, INVOICES, INVENTORY). Record #3 of the INVOICE file carries a foreign key for the related CUSTOMER record (to whom the merchandise on this transaction was sold), which is the primary key in the CUSTOMER file. The same record (#3) carries a foreign key for the INVENTORY record (the item sold on that invoice to that customer). Thus the foreign keys build a composite picture of the transaction or event. See Figure 8-10 for another example. The indexed sequential file structure uses an index in conjunction with a sequential file organization, which allows both direct access to individual records and batch processing of the entire file. Multiple indexes can be used to create a cross-reference called an inverted list that allows even more flexible access to data [Figure 8-11]. NOTE: this example assumes only one item of INVENTORY is sold on an INVOICE; other scenarios would be represented differently.
DATABASE STRUCTURES: Relational structure – User views
- A user view is the set of data a particular user needs to achieve his or her assigned tasks
- A problem arises in meeting diverse user needs when the collection, summarization, storage and reporting of transaction and standing data are dominated by a single view that is inappropriate for entity-wide purposes
- The trend today is to capture data in sufficient detail and diversity to sustain multiple user views
- User views MUST be consolidated into a single logical view, or schema; the tables that support the user views are called base tables
- Data in the logical view MUST be normalized for the base tables to be effective
DATABASE STRUCTURES: Relational structure – Importance of data normalization
- Correctly designed tables are critical to the success of the DBMS
- Normalization promotes effective design by grouping data attributes into tables that comply with specific conditions
- Several levels: 1NF, 2NF, 3NF, etc.; designers usually normalize to third normal form (3NF)
- Un-normalized data suffers from three kinds of anomaly: insertion anomalies, deletion anomalies and update anomalies
- One or more of these anomalies will exist in tables normalized only to lower levels such as 1NF and 2NF; tables in 3NF are free of them
DATABASE STRUCTURES: Relational structure – Auditors and data normalization
Database normalization is a technical matter that is usually the responsibility of systems professionals. The subject has implications for internal control that make it the concern of auditors also. Most auditors will never be responsible for normalizing an organization's databases, but they should understand the process and be able to determine whether a table is properly normalized. In order to extract data from tables to perform audit procedures, the auditor first needs to know how the data are structured.
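One practical way for an auditor to "determine whether a table is properly normalized" is to test an extracted table for functional dependencies among its non-key attributes. The following is an added example, not code from the textbook; the INVOICE rows are constructed sample data in the one-item-per-invoice shape of the slide's relational example. It finds the transitive dependencies (the 3NF violations) in the data, splits the dependent attributes into lookup tables, shows the update anomaly shrinking from several rows to one, and runs the foreign-key orphan check an auditor would apply to the resulting CUSTOMER and INVOICE tables.

```python
from itertools import permutations

# Constructed extract of an un-normalized INVOICE table. Customer and item
# descriptions are repeated on every invoice, so they depend on the key only
# transitively (invoice_no -> customer_id -> customer_name).
INVOICES = [
    {"invoice_no": 1, "customer_id": "C1", "customer_name": "Acme", "item_id": "P1", "item_desc": "Widget", "qty": 2},
    {"invoice_no": 2, "customer_id": "C1", "customer_name": "Acme", "item_id": "P2", "item_desc": "Gadget", "qty": 1},
    {"invoice_no": 3, "customer_id": "C2", "customer_name": "Beta", "item_id": "P1", "item_desc": "Widget", "qty": 5},
    {"invoice_no": 4, "customer_id": "C3", "customer_name": "Gamma", "item_id": "P2", "item_desc": "Gadget", "qty": 3},
]


def dependency_holds(rows, determinant, dependent):
    """A -> B holds in the data when each value of A maps to exactly one value of B."""
    seen = {}
    for row in rows:
        if seen.setdefault(row[determinant], row[dependent]) != row[dependent]:
            return False
    return True


def transitive_dependencies(rows, primary_key):
    """Pairs (A, B) of non-key attributes where A -> B holds in the data, A is
    not unique (so it is not a candidate key) and B is not constant: B depends
    on the primary key only through A, which violates 3NF. Data can only
    disprove normalization; an empty result is not proof that the design is 3NF."""
    non_key = [c for c in rows[0] if c != primary_key]
    found = []
    for a, b in permutations(non_key, 2):
        a_unique = len({r[a] for r in rows}) == len(rows)
        b_constant = len({r[b] for r in rows}) == 1
        if not a_unique and not b_constant and dependency_holds(rows, a, b):
            found.append((a, b))
    return found


def decompose(rows, determinant, dependents):
    """Split the attributes that depend on `determinant` into a lookup table
    keyed on it, leaving `determinant` behind as a foreign key."""
    base = [{k: v for k, v in r.items() if k not in dependents} for r in rows]
    lookup = {r[determinant]: {c: r[c] for c in [determinant, *dependents]} for r in rows}
    return base, list(lookup.values())


def rows_to_update(rows, column, value):
    """How many rows must change to update one fact, e.g. a customer's name."""
    return sum(1 for r in rows if r[column] == value)


def orphan_foreign_keys(child_rows, fk, parent_rows, pk):
    """Foreign-key values with no matching parent: a referential-integrity failure."""
    return sorted({r[fk] for r in child_rows} - {r[pk] for r in parent_rows})


def audit_demo():
    deps = transitive_dependencies(INVOICES, "invoice_no")
    base, customers = decompose(INVOICES, "customer_id", ["customer_name"])
    base, items = decompose(base, "item_id", ["item_desc"])
    # Constructed orphan: an invoice row pointing at a customer that does not exist.
    child = base + [{"invoice_no": 5, "customer_id": "C9", "item_id": "P1", "qty": 1}]
    return {
        "dependencies": deps,
        "dependencies_after": transitive_dependencies(base, "invoice_no"),
        "updates_before": rows_to_update(INVOICES, "customer_id", "C1"),
        "updates_after": rows_to_update(customers, "customer_id", "C1"),
        "orphans": orphan_foreign_keys(child, "customer_id", customers, "customer_id"),
        "items": len(items),
    }


if __name__ == "__main__":
    for k, v in audit_demo().items():
        print(k, v)
```

The dependency test reports customer_id and customer_name determining each other and likewise item_id and item_desc, which is exactly the repetition that produces the insertion, deletion and update anomalies; after decomposition the base INVOICE table has no transitive dependencies, renaming customer C1 touches one row instead of two, and the orphan check flags the invoice whose customer_id has no CUSTOMER record.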
EMBEDDED AUDIT MODULE
Identifies important transactions while they are being processed and extracts copies of them in real time. Examples: errors, fraud, compliance (SAS 78, SAS 94, SAS 99 / S-OX).
As a selected transaction is being processed by the host application, a copy of it is stored in an audit file for subsequent review. While primarily a substantive testing technique, EAMs may also be used to monitor controls on an ongoing basis as required by SAS 78. Transactions selected by the EAM can be reviewed for proper authorization, completeness and accuracy of processing, and correct posting to accounts.
Compliance: EAMs can assist auditors in assuring compliance with requirements such as SAS 78, 94 and 99 for financial audits by CPAs. SAS 78 adopts the COSO internal control framework, SAS 94 addresses "auditing through" computer systems, and SAS 99 (Consideration of Fraud in a Financial Statement Audit) was issued in the wake of the Sarbanes-Oxley Act, whose Section 404 requires management and the auditor to assess and test internal controls.
EMBEDDED AUDIT MODULE: Disadvantages
- Operational efficiency: EAMs decrease operational performance and may create significant overhead, especially when the amount of testing is extensive
- Verifying EAM integrity: the EAM approach may not be viable in environments with a high level of program maintenance; when host applications undergo frequent changes, the EAMs embedded within them also require frequent modification (and re-verification)
Status: increasing need, demand and usage of COA/EAM/CA.
Synonyms: EAM – Embedded Audit Module; COA – Continuous Online Auditing; CA – Continuous Auditing.
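The continuous-auditing ideas on the preceding slides (embedded audit module, tagged ITF transactions, audit hooks) fit together in one small application. The following is an added example, not code from the textbook: a posting routine carries an audit hook that copies transactions matching the auditor's criteria to an audit file while they are processed (the EAM), and recognizes the ITF dummy entity by an account prefix so its transactions exercise the same logic but land in a separate test ledger rather than production balances. The posting routine, the selection criteria, the `ITF-` naming convention and the transaction stream are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, time

ITF_PREFIX = "ITF-"                    # tag for the dummy entity's accounts (assumed convention)
APPROVAL_LIMIT = 10_000                # audit criterion: large postings
BUSINESS_HOURS = (time(8), time(18))   # audit criterion: out-of-hours postings
AUTHORIZED_USERS = {"clerk1", "clerk2"}


class LedgerApp:
    """Host application. Every posting passes through the audit hook, which is
    the embedded audit module."""

    def __init__(self):
        self.production = defaultdict(int)   # production balances
        self.itf_ledger = defaultdict(int)   # dummy-entity balances, kept apart
        self.audit_file = []                 # EAM output: copies of selected transactions
        self.hook_calls = 0                  # overhead indicator: the hook runs on every posting

    def _audit_hook(self, txn, outcome):
        """EAM: select transactions matching the auditor's criteria and copy
        them to the audit file while they are being processed."""
        self.hook_calls += 1
        reasons = []
        if txn["amount"] > APPROVAL_LIMIT:
            reasons.append("OVER_LIMIT")
        if txn["user"] not in AUTHORIZED_USERS:
            reasons.append("UNAUTHORIZED_USER")
        if not BUSINESS_HOURS[0] <= txn["posted_at"].time() < BUSINESS_HOURS[1]:
            reasons.append("OUT_OF_HOURS")
        if reasons:
            self.audit_file.append({**txn, "outcome": outcome, "reasons": reasons,
                                    "itf": txn["account"].startswith(ITF_PREFIX)})

    def post(self, txn):
        if txn["user"] not in AUTHORIZED_USERS:
            outcome = "REJECTED"
        else:
            # ITF: dummy-entity transactions run through the same logic but are
            # posted to the test ledger so production balances stay clean.
            ledger = self.itf_ledger if txn["account"].startswith(ITF_PREFIX) else self.production
            ledger[txn["account"]] += txn["amount"]
            outcome = "POSTED"
        self._audit_hook(txn, outcome)
        return outcome


# Constructed stream mixing live transactions with the auditor's ITF entries.
STREAM = [
    {"id": 1, "account": "AR-1001", "amount": 500, "user": "clerk1", "posted_at": datetime(2024, 3, 4, 10, 0)},
    {"id": 2, "account": "ITF-9001", "amount": 12_000, "user": "clerk1", "posted_at": datetime(2024, 3, 4, 10, 5)},
    {"id": 3, "account": "AR-1002", "amount": 15_000, "user": "clerk2", "posted_at": datetime(2024, 3, 4, 22, 30)},
    {"id": 4, "account": "AR-1001", "amount": 200, "user": "temp7", "posted_at": datetime(2024, 3, 4, 11, 0)},
    {"id": 5, "account": "ITF-9001", "amount": -2_000, "user": "clerk2", "posted_at": datetime(2024, 3, 4, 11, 30)},
]
EXPECTED_ITF = {"ITF-9001": 10_000}   # the auditor's predetermined result for the ITF entries


def run(stream=STREAM):
    app = LedgerApp()
    for txn in stream:
        app.post(txn)
    return {
        "production": dict(app.production),
        "itf_ok": dict(app.itf_ledger) == EXPECTED_ITF,
        "itf_leaked_into_production": any(a.startswith(ITF_PREFIX) for a in app.production),
        "audit_reasons": {e["id"]: e["reasons"] for e in app.audit_file},
        "hook_calls": app.hook_calls,
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

The ITF balance reconciles to the auditor's expectation without touching production, and the audit file holds copies of the over-limit postings, the out-of-hours posting and the attempt by an unauthorized user, each tagged with why it was selected. `hook_calls` equals the number of transactions processed, which is the operational-efficiency cost the next slide warns about: the module runs on every posting, not only the ones it keeps.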
GENERALIZED AUDIT SOFTWARE
Brief history Most widely used CAATT Usages include: Footing and balancing entire files or selected data items (e.g., extending inventory) Selecting and reporting detail data Selecting stratified statistical samples from data files Formatting results into audit reports (auto work papers!) Printing confirmations Screening / filtering data Comparing multiple files for differences Recalculating values in data Generalized Audit Software – brief history [TS] –nascent field, little tools or techniques (e.g., K. Davis in Viet Nam) October 1967 – Haskins & Sells, Ken Stringer, AUDITAPE – AICPA efforts for one GAS, Big 8 each developed their own c1970 – first commercial GAS – CARS 2000 – commercial GAS is common place Importance of GAS in history of IS auditing GAS - most widely used CAATT for IS/EDP auditing. Common uses for GAS include: Footing and balancing entire files or selected data items. (e.g., extending line items) Selecting and reporting detailed data contained in files. Selecting stratified statistical samples from data files. Formatting results of tests into reports. (i.e., auto work papers!) Printing confirmations in either standardized or special wording. Screening data and selectivity including or excluding items. (e.g., identify outliers) Comparing multiple files and identifying any differences. Recalculating data fields. (e.g., recalculating invoice totals) NOTE: Usages 1, 2, 4, 5, 8 are processes that can be done using other methods/tools, and do not demonstrate the real advantages or power of GAS. Usages 3, 6, 7 (and perhaps 8), however, are more in line with “Data Extraction and Analysis” techniques. Therefore they represent the unique advantages and power of GAS. IT Auditing & Assurance, 2e, Hall & Singleton
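The data extraction and analysis uses above, and the recalculation at the heart of the parallel simulation technique described earlier, can be shown on a small extract. The following is an added example, not textbook code and not any commercial GAS product; it uses only Python's standard library against two constructed CSV extracts (the current sales file and last month's copy) to foot a field, recalculate invoice totals, screen for exceptions, draw a stratified sample and compare the two files.

```python
import csv
import io
import random
from decimal import Decimal

# Constructed extracts: the current sales file and last month's copy of it.
INVOICES_CSV = """invoice_no,customer,qty,unit_price,total
1001,C1,2,25.00,50.00
1002,C2,10,100.00,1000.00
1003,C1,1,100.00,90.00
1004,C3,4,25.00,100.00
1005,C2,30,100.00,3000.00
1006,C4,1,25.00,25.00
"""
PRIOR_CSV = """invoice_no,customer,qty,unit_price,total
1001,C1,2,25.00,50.00
1002,C2,10,100.00,1000.00
1003,C1,1,100.00,100.00
1004,C3,4,25.00,100.00
1005,C2,30,100.00,3000.00
"""


def load(text):
    """Read a CSV extract, typing the numeric fields (Decimal, never float, for money)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["qty"] = int(r["qty"])
        r["unit_price"] = Decimal(r["unit_price"])
        r["total"] = Decimal(r["total"])
    return rows


def foot(rows, field="total"):
    """Use 1: foot (total) a field across the whole file."""
    return sum((r[field] for r in rows), Decimal(0))


def recalculation_exceptions(rows):
    """Use 8 (and the parallel-simulation idea): recompute qty x unit_price
    and list the invoices whose stored total disagrees."""
    return [r["invoice_no"] for r in rows if r["qty"] * r["unit_price"] != r["total"]]


def screen(rows, predicate):
    """Use 6: select the items meeting a condition (e.g. outliers)."""
    return [r["invoice_no"] for r in rows if predicate(r)]


def stratify(rows, field, upper_bounds):
    """Group rows into strata by `field` using ascending upper bounds;
    rows above the last bound go into the None stratum."""
    strata = {b: [] for b in upper_bounds}
    strata[None] = []
    for r in rows:
        for b in upper_bounds:
            if r[field] <= b:
                strata[b].append(r)
                break
        else:
            strata[None].append(r)
    return strata


def stratified_sample(rows, field, upper_bounds, per_stratum, seed=1):
    """Use 3: draw a fixed number of items from each stratum (seeded so the
    selection can be reproduced from the work papers)."""
    rng = random.Random(seed)
    sample = []
    for members in stratify(rows, field, upper_bounds).values():
        sample.extend(rng.sample(members, min(per_stratum, len(members))))
    return [r["invoice_no"] for r in sample]


def compare_files(current, prior, key="invoice_no"):
    """Use 7: compare two versions of a file and report added, removed and changed records."""
    cur = {r[key]: r for r in current}
    pri = {r[key]: r for r in prior}
    return {
        "added": sorted(set(cur) - set(pri)),
        "removed": sorted(set(pri) - set(cur)),
        "changed": sorted(k for k in set(cur) & set(pri) if cur[k] != pri[k]),
    }


if __name__ == "__main__":
    rows, prior = load(INVOICES_CSV), load(PRIOR_CSV)
    print("file total:", foot(rows))
    print("totals that do not recalculate:", recalculation_exceptions(rows))
    print("invoices over 1,000:", screen(rows, lambda r: r["total"] > 1000))
    print("stratified sample:", stratified_sample(rows, "total", [Decimal(100), Decimal(1000)], 1))
    print("vs prior month:", compare_files(rows, prior))
```

Invoice 1003 is the finding: its stored total does not recalculate, and the file comparison shows that it was 100.00 last month, so the total was altered after the fact. Note the stratified sample is seeded, which is what lets a reviewer regenerate exactly the items selected.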
GENERALIZED AUDIT SOFTWARE
Popular because:
GAS software is easy to use and requires little computer background
Many products are platform independent; they work on mainframes and PCs
Auditors can perform tests independently of IT staff
GAS can be used to audit the data currently being stored in most file structures and formats

GAS products have widespread popularity due to 4 factors: GAS languages are easy to use and require little computer background on the part of the auditor. Many GAS products can be used on both mainframe and PC systems. Auditors can perform their tests independently of the client’s computer service staff. GAS can be used to audit the data stored in most file structures and formats.
GENERALIZED AUDIT SOFTWARE
Simple structures [Figure 8-19]
Complex structures [Figures 8-20, 8-21]
Auditing issues:
Auditor must sometimes rely on IT personnel to produce files/data
Risk that data integrity is compromised by extraction procedures
Auditors skilled in programming are better prepared to avoid these pitfalls
ACL
ACL is a proprietary version of GAS
Leader in the industry
Designed as an auditor-friendly meta-language (i.e., contains commonly used auditor tests)
Access to data is generally easy with the ODBC interface

ACL is a proprietary version of a GAS and is the leader in the industry. ACL is designed as a meta-language for auditors to access most data stored by electronic means and to test them comprehensively. Many of the problems associated with accessing complex data structures have been solved by ACL’s Open Data Base Connectivity (ODBC) interface.
Chapter 8: CAATTs for Data Extraction and Analysis
Chapter 9: Auditing the Revenue Cycle
MANUAL PROCEDURES
Processing shipping orders
4 copies of Sales Order to warehouse: packing slip, shipping notice, stock release, file copy
Locate and “pick” goods using Stock Release; package them with packing slip
Reconcile documents and goods, sign Shipping Notice, prepare Bill of Lading – multiple copies [Figure 9-3]
Transfer custody of goods (packing slip inside) and 2 copies of Bill of Lading to carrier
Record shipment in shipping log
Send shipping notice to Billing Dept.
File: Stock Release, 1 BOL, File Copy

Processing Shipping Orders – the sales department sends the stock release (picking ticket) copy of the sales order to the warehouse. This document identifies the items of inventory that must be located and picked from the warehouse shelves. It also provides formal authorization for the warehouse clerk to release custody of the specified assets. The clerk then adjusts the stock records to reflect the reduction in inventory. The stock records are not the formal accounting records for these assets. Before the arrival of the goods and the stock release copy, the shipping department receives the packing slip and shipping notice copies from the sales department. The packing slip travels with the goods to the customer to describe the contents of the order. Upon receiving the goods from the warehouse, the shipping clerk reconciles the physical items with the stock release documents, the packing slip, and the shipping notice to verify the correctness of the order. The shipping clerk packages the goods, attaches the packing slip to the container, completes the shipping notice, and prepares a bill of lading, which is a formal contract between the seller and the shipping company to transport the goods to the customer. The shipping clerk transfers custody of the goods, the packing slip, and two copies of the bill of lading to the carrier and then performs the following tasks:
Records the shipment in the shipping log.
Sends the shipping notice to the billing department as proof of shipment.
Files one copy each of the bill of lading, the stock release, and the file copy of the sales order.
LEGACY SYSTEM PROCEDURES
Keypunch batch of shipping notices
Edit run program, correct any errors:
Field checks
Limit tests
Range tests
Price times quantity extensions
Sort run on batches by AR account number
Legacy systems store records in a sequential manner, usually on tape
Next process is to “post” individual shipping notices to the appropriate individual AR accounts
AR update & billing run [Figure 9-4]
Updated AR file becomes the new AR file
Billing would be printing invoices to be mailed
Sales journal file or printout
Journal voucher for AR [DR] and sales [CR]

Automated Procedures – a legacy system employs sequential file structures for its accounting records. This approach is labor intensive and expensive. Most organizations that still use sequential files store them on disks that are permanently connected (on-line) to the computer system and require no human intervention.
Keystroke – the process begins with the arrival of batches of shipping notices from the shipping department. The keystroke clerks receive and convert batches of shipping notices to magnetic media. The resulting transaction file will thus contain many separate batches of sales orders. Batch control totals are calculated for each batch on the file.
Edit Run – periodically, the batch sales order system is executed. The process may take place only once or several times a day. The edit run is the first run in the batch process. This process validates transactions by testing each record for the existence of clerical or logical errors. The edit program recalculates the batch control totals to reflect changes due to the removal of error records.
Sort Run – at this point, the sales order file is in no useful sequence. The sort run program physically arranges the sales order transaction file sequentially.
AR Update and Billing Run – the AR update program posts to accounts receivable by sequentially matching the Account Number key in each sales order record with the corresponding record in the AR-SUB master file. Some firms employ cycle billing of their customers. The update program searches the billing date field in the AR-SUB master file for those customers to be billed on that day of the month and prepares statements for the selected accounts.
LEGACY SYSTEM PROCEDURES
Re-sort by inventory item {why?} Same reason, but this process is to update inventory items
Inventory update run [Figure 9-5]
Reduce quantity on hand for items shipped, generate a new Inventory file
Compare “On Hand” quantity with “Reorder Point” to identify items needing replenishment; file or printout
Journal voucher for Cost of Goods Sold [DR] and Inventory [CR]
Sort journal entries by GL #
Run general ledger update
Management reports

Sort and Inventory Update Runs – the sort program sorts the sales order file on the secondary key. The inventory update program reduces the Quantity On Hand field in the affected inventory records. A new inventory master file is created in the process. The program compares values of the Quantity On Hand and the Reorder Point fields to identify inventory items that need to be replenished. A journal voucher is prepared to reflect the cost of goods sold and the reduction in inventory.
General Ledger Update Run – under the sequential file approach, the general ledger master file is not updated after each batch of transactions. Firms using sequential files typically employ separate end-of-day procedures to update the general ledger accounts. This program also generates a number of management reports.
BATCH CASH RECEIPTS SYSTEMS WITH DIRECT ACCESS FILES
See Figure 9-6
Discrete events that naturally fit the batch approach
Update Procedures – Mail Room:
Receives checks and Remittance Advices
Separates checks from Remittance Advices
Prepares a Remittance List – multiple copies
Copy of Remittance List and checks go to Cash Receipts Dept.
Remittance Advices and copy of Remittance List go to AR Dept.
Last copy of Remittance List to Controller’s Office
Example of separation of duties and of separating segments of the process for integrity purposes.
REAL-TIME SALES ORDER ENTRY AND CASH RECEIPTS
See Figure 9-7
Sales procedures
Transactions are processed as they occur, separately
Credit check is performed online by the system
If approved, system checks availability of inventory
If available, system:
Transmits electronic stock release to warehouse dept
Transmits electronic packing slip to shipping dept
Updates inventory file records for depletion
Records sale in open sales order computer file

This system provides real-time input and output with batch updating of only some of the master files. Order Entry Procedures. Sales Procedures – under real-time processing, sales clerks receiving orders from customers process each transaction separately as it is received. The sales clerk also performs the following tasks: A credit check is performed on-line by accessing the customer credit file. If credit is approved, the clerk then accesses the inventory master file and checks the availability of the inventory. The system automatically transmits an electronic stock release record to the warehouse and a shipping notice to the shipping department, and records the sale in the open sales order file.
REAL-TIME SALES ORDER ENTRY AND CASH RECEIPTS
Warehouse procedures
Produces hard copy of stock release
Clerk picks goods, sends them with a copy of stock release to shipping dept.
Shipping procedures
Reconciles goods, stock release, and packing slip from system
Online, IS prepares Bill of Lading for shipment and shipping notice for DP Dept.
Select carrier and prepare goods for shipment, along with packing slip and Bill of Lading
Stock release form is filed

Warehouse Procedures – produces a hard copy printout of the electronically transmitted stock release document. The clerk then picks the goods and sends them, along with a copy of the stock release document, to the shipping department. Shipping and Billing – reconciles the goods, the stock release document, and the hard copy packing slip produced on the terminal. The clerk then selects the carrier and prepares the goods for shipment.
FEATURES OF REAL-TIME PROCESSING
Events Database
Traditional accounting records do not have to exist per se (in traditional form)
General Ledger can be derived at any time from a compilation of the events database
Advantages
Greatly shortens the cash cycle of the firm
Can give a firm a competitive advantage (e.g., managing inventory better)
Real-time editing permits the identification of many kinds of errors as they occur, greatly improving the efficiency and effectiveness of business processes
Reduces the amount of paper documents
Electronic audit trails are possible in real-time computer-based systems

Features of Real-Time Processing – a central feature of the system is the use of an events database. Traditional accounting records may not exist per se. In theory, such a system does not even need a general ledger since sales, sales returns, accounts receivable-control, and cost of goods sold can all be derived from the invoices in the events database. This system has the following advantages: Greatly shortens the cash cycle of the firm. Can give a firm a competitive advantage in the marketplace by maintaining current inventory information; the sales staff can know immediately if inventories are in stock. Real-time editing permits the identification of many kinds of errors when they occur and greatly improves the efficiency and the effectiveness of operations. Reduces the amount of paper documents in a system. Hard copy documents are expensive to produce and clutter the system. Documents in electronic format are efficient, effective, and adequate for most audit trails.
MANAGEMENT ASSERTIONS AND REVENUE CYCLE AUDIT OBJECTIVES
Existence / Occurrence
VERIFY AR balance represents amounts actually owed as of Balance Sheet date
Establish sales represent goods shipped and/or services rendered during period of financials
Completeness
Determine all amounts owed to the organization are included in AR
VERIFY shipped goods, services rendered, and/or returns and allowances for period are included in financials
Accuracy
VERIFY revenue transactions are accurately computed, based on correct prices and quantities
Ensure AR subsidiary ledger, sales invoice file, and remittance file are mathematically correct and agree with GL accounts
Rights & Obligations
Determine organization has legal right to AR
VERIFY accounts sold or factored have been removed from AR
Valuation or Allocation
Determine AR balance is stated at net realizable value
Establish allocation for uncollectible accounts is appropriate
Presentation and Disclosure
VERIFY AR and revenues for period are properly described and classified

Relationship Between Management Assertions and Revenue Cycle Audit Objectives [Table 9-1, p.393]
Existence or Occurrence – verify that the accounts receivable balance represents amounts actually owed to the organization at the balance sheet date. Establish that revenue from sales transactions represents goods shipped and services rendered during the period covered by the financial statements.
Completeness – determine that all amounts owed to the organization at the balance sheet date are reflected in accounts receivable. Verify that all sales for shipped goods, all services rendered, and all returns and allowances for the period are reflected in the financial statements.
Accuracy – verify that revenue transactions are accurately computed and based on current prices and correct quantities. Ensure that the accounts receivable subsidiary ledger, the sales invoice file, and the remittance file are mathematically correct and agree with general ledger accounts.
Rights and Obligations – determine that the organization has a legal right to recorded accounts receivable. Customer accounts that have been sold or factored have been removed from the accounts receivable balance.
Valuation or Allocation – determine that the accounts receivable balance states its net realizable value. Establish that the allocation for uncollectible accounts is appropriate.
Presentation and Disclosure – verify that accounts receivable and revenues reported for the period are properly described and classified in the financial statements.
INPUT CONTROLS
Purpose: Ensure creditworthiness of customers
Control techniques vary considerably between batch systems and real-time systems
Credit authorization procedures
Creditworthiness of customer
Batch and manual systems use credit dept.
Real-time systems use programmed decision rules
Testing credit procedures
Verify effective procedures exist
Verify information is adequately communicated
Verify effectiveness of programmed decision rules (test data, ITF)
Verify that authority for making credit decisions is limited to authorized credit personnel/procedures
Perform substantive tests of detail
Review credit policy periodically and revise as necessary

Input Controls – designed to ensure that transactions are valid, accurate, and complete. Control techniques vary considerably between batch and real-time systems. The following input controls relate to revenue cycle operations.
Credit Authorization Procedures – the purpose of the credit check is to establish the creditworthiness of the customer. In batch systems with manual credit authorization procedures, the credit department (or credit manager) is responsible for implementing the firm’s credit policies.
Testing Credit Procedures – the auditor needs to determine that effective procedures exist to establish appropriate customer credit limits; communicate this information adequately to the credit policy decision-makers; review credit policy periodically and revise it as necessary; and monitor adherence to current credit policy. The auditor can verify the correctness of programmed decision rules by using either the test data or integrated test facility (ITF) approaches to directly test their functionality. This can be done by creating several dummy customer accounts, running test transactions, and then analyzing the rejected transactions to determine if the computer application correctly applied the credit policy. The integrity of reference data is an important element in testing credit policy controls. The auditor needs to verify that authority for making line-of-credit changes is limited to authorized credit department personnel. Performing substantive tests of detail to identify customers with excessive credit limits can do this.
INPUT CONTROLS
Data Validation Controls
To detect transcription errors in data as it is processed
Batch: after shipment of goods
Error logs
Error correction computer processes
Transaction resubmission procedures
Real-Time: errors handled as they occur
Missing data checks – presence of blank fields
Numeric-Alphabetic data checks – correct form of data
Limit checks – value does not exceed max for the field
Range checks – data is within upper and lower limits
Validity checks – compare actual values against known acceptable values
Check digit – identify keystroke errors by testing internal validity
Testing Data Validation Controls
Verify controls exist and are functioning effectively
Validation of program logic can be difficult
If controls over system development and maintenance are NOT weak, testing data editing/programming logic is more efficient than substantive tests of details (test data, ITF)
Some assurance can be gained through the testing of error lists and error logs (detected errors only)

Data Validation Controls – intended to detect transcription errors in transaction data before they are processed. In the batch system data validation occurs only after the goods have been shipped. Extensive error logs, error correction, and transaction resubmission procedures characterize such systems. Validity tests performed in real-time deal with most errors as they occur. The following are validity tests that pertain to the revenue cycle:
Missing Data Checks – used to examine the contents of a field for the presence of blank spaces.
Numeric-Alphabetic Data Checks – determine whether the correct form of data is in a field.
Limit Checks – determine if the value in the field exceeds an authorized limit.
Range Checks – assign upper and lower limits to acceptable data values.
Validity Checks – compare actual values in a field against known acceptable values.
Check Digit – controls identify keystroke errors in key fields by testing their internal validity.
Testing Validation Controls – the central audit issue is whether the validation programs in the data editing system are functioning correctly and have continued to function as intended throughout the period. Testing the logic of a validation program, however, represents a significant undertaking. The auditor may decide to rely on the quality of other controls to provide the assurance needed to reduce substantive testing. If controls over systems development and maintenance are weak, the auditor may decide that testing the data editing controls would be more efficient than performing extensive substantive tests of details. ITF or the test data approach would enable the auditor to perform explicit tests of logic. The auditor may achieve some degree of assurance by reviewing error listings and error logs. Error listings and logs do not provide evidence of undetected errors. An analysis of error conditions not present in the listing can be used to guide the auditor in designing substantive tests to perform.
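The six validity tests above applied to a constructed batch of sales order records, as an added Python example that is not the book's code: the field names, the authorized quantity limit, the price range and the valid-terms table are assumptions, and the check-digit scheme used for the customer number is the Luhn (mod 10) algorithm, chosen here as one common check-digit method.

```python
"""Revenue-cycle data validation checks over constructed sales order records.

Added example, not from Hall & Singleton. Field names, limits, the valid-terms
table and the Luhn check-digit scheme are assumptions made for the illustration.
"""
import re

REQUIRED_FIELDS = ("customer_no", "item_code", "qty", "unit_price", "terms")
VALID_TERMS = {"NET30", "NET60", "COD"}        # validity check: known acceptable values
QTY_LIMIT = 1000                                # limit check: authorized maximum quantity
PRICE_RANGE = (0.01, 10000.00)                  # range check: lower and upper bounds
DECIMAL_RE = re.compile(r"^\d+(\.\d{1,2})?$")   # numeric money field, at most 2 decimals
ALNUM_RE = re.compile(r"^[A-Z0-9]+$")           # item codes are upper-case alphanumeric


def luhn_valid(number: str) -> bool:
    """Check digit test: the Luhn sum over all digits must be a multiple of 10."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: dict) -> list:
    """Return a list of (field, check) pairs, one for every validation failure."""
    errors = []

    def field(name):
        return rec.get(name, "").strip()

    # Missing data check: any required field that is blank.
    for f in REQUIRED_FIELDS:
        if not field(f):
            errors.append((f, "missing"))
    present = {f for f in REQUIRED_FIELDS if field(f)}

    # Numeric-alphabetic data checks: the field holds the right kind of data.
    qty_numeric = "qty" in present and field("qty").isdigit()
    if "qty" in present and not qty_numeric:
        errors.append(("qty", "numeric"))
    price_numeric = "unit_price" in present and bool(DECIMAL_RE.match(field("unit_price")))
    if "unit_price" in present and not price_numeric:
        errors.append(("unit_price", "numeric"))
    if "item_code" in present and not ALNUM_RE.match(field("item_code")):
        errors.append(("item_code", "alphanumeric"))

    # Limit check on quantity and range check on price, only on well-formed values.
    if qty_numeric and int(field("qty")) > QTY_LIMIT:
        errors.append(("qty", "limit"))
    if price_numeric and not PRICE_RANGE[0] <= float(field("unit_price")) <= PRICE_RANGE[1]:
        errors.append(("unit_price", "range"))

    # Validity check: the terms code must match a known acceptable value.
    if "terms" in present and field("terms") not in VALID_TERMS:
        errors.append(("terms", "validity"))

    # Check digit: catches keystroke errors in the key field before any lookup.
    if "customer_no" in present and not luhn_valid(field("customer_no")):
        errors.append(("customer_no", "check_digit"))
    return errors


def edit_batch(batch: list) -> tuple:
    """Split a batch into accepted records and an error listing keyed by order number."""
    accepted, error_listing = [], {}
    for rec in batch:
        errs = validate_record(rec)
        if errs:
            error_listing[rec["order_no"]] = errs
        else:
            accepted.append(rec)
    return accepted, error_listing


# Constructed batch: one clean record and three with deliberate keying errors.
SAMPLE_BATCH = [
    {"order_no": "SO-1", "customer_no": "123455", "item_code": "WIDGET10",
     "qty": "25", "unit_price": "19.99", "terms": "NET30"},
    {"order_no": "SO-2", "customer_no": "123456", "item_code": "WIDGET10",
     "qty": "", "unit_price": "19.99", "terms": "NET45"},     # check digit, missing, validity
    {"order_no": "SO-3", "customer_no": "123455", "item_code": "WID-GET",
     "qty": "ABC", "unit_price": "25000", "terms": "COD"},    # alphanumeric, numeric, range
    {"order_no": "SO-4", "customer_no": "123455", "item_code": "GIZMO7",
     "qty": "5000", "unit_price": "4.50", "terms": "NET60"},  # limit
]

if __name__ == "__main__":
    accepted, listing = edit_batch(SAMPLE_BATCH)
    print("Accepted:", [r["order_no"] for r in accepted])
    for order_no, errs in listing.items():
        print("Rejected", order_no, errs)
```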
INPUT CONTROLS
Batch controls
Manage high volumes of similar transactions
Purpose: Reconcile output produced by the system with the original input
Controls continue through all computer (data) processes
Batch transmittal sheet:
Unique batch number
Batch date
Transaction code
Record count
Batch control total (amount)
Hash totals (e.g., account numbers)
Testing batch controls
Failure of batch controls indicates data errors
Involves reviewing transmittal records of batches processed and reconciling them to the batch control log (batch transmittal sheet)
Examine out-of-balance conditions and other errors to determine the cause of the error
Review and reconcile transaction listings, error logs, etc.

Batch Controls – used to manage high volumes of transaction data through a system. The objective is to reconcile output produced by the system with the input originally entered into the system. The controls continue through all phases of data processing. An important element of batch control is the batch transmittal sheet, which captures relevant information about the batch such as a unique batch number, batch date, transaction code, record count, batch control total, and hash totals.
Testing Batch Controls – the failure of batch controls to function properly can result in records being lost or processed multiple times. Testing batch controls involves reviewing transmittal records of batches processed throughout the period and reconciling them to the batch control log. The auditor needs to investigate out-of-balance conditions to determine the cause. The auditor should be able to obtain answers to these questions by reviewing and reconciling transaction listings, error logs, and logs of resubmitted records.
PROCESS CONTROLS
Computerized procedures for file updating
Restricting access to data
Techniques:
File update controls – run-to-run batch control data to monitor data processing steps
Transaction code controls – to process different transactions using different programming logic (e.g., transaction types)
Sequence check controls – sequential files; proper sorting of transaction files required
Testing file update controls – failures result in errors
Testing data that contains errors (incorrect transaction codes, out of sequence)
Can be performed with ITF or test data
CAATTs require careful planning
A single audit procedure can be devised that performs all tests in one operation.

Process Controls – process controls include computerized procedures for file updating and restricting access to data. The following are techniques related to file updating and access controls:
File Update Controls – run-to-run controls use batch control data to monitor the batch as it moves from one run to another. These controls ensure that each run in the system processes the batch correctly and completely.
Transaction Code Controls – revenue cycle systems are often designed to process multiple record types. The actual tasks performed by the application are determined by a transaction code assigned to each record.
Sequence Check Control – in systems that use sequential master files, the order of the transaction records in the batch is critical to correct and complete processing. As the batch moves through the process, it must be re-sorted in the order of the master file. A sequence check control should be in place to compare the sequence of each record in the batch with the previous record to ensure that proper sorting took place.
Testing File Update Controls – the failure of a file update control to function properly can result in records going unprocessed, being processed incorrectly, or being posted to the wrong customer’s account. Tests of file update controls provide the auditor with evidence relating to the assertions of existence, completeness, and accuracy. Testing run-to-run controls is a logical extension of these procedures and needs no further explanation. Tests of transaction codes and sequence checks can be performed using ITF or the test-data approach. The auditor should create test data that contain records with incorrect transaction codes and records that are out of sequence in the batch and verify that each was handled correctly. The efficient use of logic-testing CAATTs like ITF requires careful planning. By determining in advance the input and process controls to be tested, a single audit procedure can be devised that performs all tests in one operation.
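The legacy batch sequence (keystroke transmittal, edit run, sort run, AR update run), the batch transmittal sheet from the batch controls slide, and the run-to-run, transaction code and sequence check controls above, carried through one constructed batch as an added Python example that is not the book's code; the shipping notices, AR-SUB balances, transaction codes and function names are all constructed for the illustration.

```python
"""Batch controls through a legacy-style batch run: keystroke transmittal sheet,
edit run, sort run, sequence check, run-to-run check and sequential AR update.

Added example, not from Hall & Singleton; all records and names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ShippingNotice:
    txn_id: str
    ar_account: int      # AR-SUB master file key
    amount: float
    txn_code: str        # transaction code selects the processing logic


VALID_TXN_CODES = {"SO": +1, "SR": -1}   # sales order adds to AR, sales return reduces it


@dataclass(frozen=True)
class Transmittal:
    batch_no: str
    record_count: int
    control_total: float   # sum of a financial field
    hash_total: int        # sum of a non-financial field (account numbers)


def build_transmittal(batch_no, records):
    """Batch transmittal sheet prepared at keystroke (and recomputed after each run)."""
    return Transmittal(batch_no, len(records),
                       round(sum(r.amount for r in records), 2),
                       sum(r.ar_account for r in records))


def edit_run(records):
    """Reject records with unknown transaction codes or non-positive amounts."""
    accepted = [r for r in records if r.txn_code in VALID_TXN_CODES and r.amount > 0]
    rejected = [r.txn_id for r in records if r not in accepted]
    return accepted, rejected


def sort_run(records):
    """Arrange the transaction file in AR master key order (stable, so ties keep order)."""
    return sorted(records, key=lambda r: r.ar_account)


def sequence_check(records):
    """Compare each record's key with the previous one; return the index of the first
    out-of-sequence record, or -1 if the batch is properly sorted."""
    for i in range(1, len(records)):
        if records[i].ar_account < records[i - 1].ar_account:
            return i
    return -1


def run_to_run_check(carried_forward, records):
    """Recompute the control data for this run and compare with the sheet carried
    forward from the previous run; a mismatch means records were lost or duplicated."""
    actual = build_transmittal(carried_forward.batch_no, records)
    return actual == carried_forward, actual


def ar_update_run(master, transactions, carried_forward):
    """Post a sorted batch sequentially to the AR-SUB master; refuse to post if the
    sequence check or the run-to-run check fails. Returns (new master, unmatched ids)."""
    if sequence_check(transactions) != -1:
        raise ValueError("sequence check failed: batch is not in master key order")
    ok, actual = run_to_run_check(carried_forward, transactions)
    if not ok:
        raise ValueError(f"run-to-run check failed: expected {carried_forward}, got {actual}")
    new_master = dict(master)
    unmatched = []
    for t in transactions:
        if t.ar_account not in new_master:
            unmatched.append(t.txn_id)      # no master record: goes to the error listing
            continue
        effect = VALID_TXN_CODES[t.txn_code] * t.amount
        new_master[t.ar_account] = round(new_master[t.ar_account] + effect, 2)
    return new_master, unmatched


# Constructed batch of shipping notices as keyed in from the shipping department.
BATCH = [
    ShippingNotice("T1", 1003, 250.00, "SO"),
    ShippingNotice("T2", 1001, 480.00, "SO"),
    ShippingNotice("T3", 1002, 0.00, "SO"),    # zero amount: rejected by the edit run
    ShippingNotice("T4", 1001, 100.00, "SR"),
    ShippingNotice("T5", 1004, 75.00, "XX"),   # unknown transaction code: rejected
]
AR_MASTER = {1001: 1000.00, 1002: 500.00, 1003: 200.00}   # constructed AR-SUB balances


def process_batch(batch, master, batch_no="B-0001"):
    """Run the whole pipeline; return the new master plus the control records produced."""
    keystroke_sheet = build_transmittal(batch_no, batch)        # prepared at data entry
    accepted, rejected = edit_run(batch)
    edited_sheet = build_transmittal(batch_no, accepted)         # edit program adjusts totals
    sorted_txns = sort_run(accepted)
    new_master, unmatched = ar_update_run(master, sorted_txns, edited_sheet)
    return new_master, keystroke_sheet, edited_sheet, rejected, unmatched


if __name__ == "__main__":
    print(process_batch(BATCH, AR_MASTER))
```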
ACCESS CONTROLS
Prevent and detect unauthorized and illegal access to the firm’s systems and/or assets
Warehouse security
Depositing cash daily
Use safe deposit box, night box; lock cash drawers and safes
Accounting records
Removal of an account from books
Unauthorized shipments of goods using blank sales orders
Removal of cash, covered by adjustments to cash account
Theft of products/inventory, covered by adjustments to inventory or cash accounts
Testing access controls – heart of accounting information integrity
Absence thereof allows manipulation of invoices (i.e., fraud)
Access controls are system-wide and application-specific
Access controls are dependent on effective controls in O/S, networks, and databases

Access Controls – prevent and detect unauthorized and illegal access to the firm’s assets. Traditional techniques used to limit access to these assets include warehouse security, depositing cash daily, using a safe or night deposit box, and locking cash drawers and safes. Controlling access to accounting records is no less important. The following are risks associated with the revenue cycle:
1. Removal of one’s account or someone else’s from the books.
2. An unauthorized individual can trigger shipment of a product.
3. Removal of cash from the firm, covering the act by adjusting the cash account.
4. Stealing products and adjusting the records to cover the theft.
Testing Access Controls – access control is at the heart of accounting information integrity. In the absence of controls, invoices can be deleted, added, or falsified. Computer access controls are both system-wide and application-specific. Access control over revenue cycle applications depends upon effectively controlling access to the operating systems, the networks, and the databases with which they interact.
PHYSICAL CONTROLS
Segregation of duties
Rule 1: Transaction authorization separate from transaction processing
Rule 2: Asset custody separate from record-keeping tasks
Rule 3: Organization structured such that fraud requires collusion between two or more people
Supervision
Necessary for employees who perform incompatible functions
Compensates for inherent exposure from incompatible functions
Can be a supplement when duties are properly segregated
Prevention vs. detection of fraud and crime is the objective: supervision can be an effective preventive control

Physical Controls. Segregation of Duties – ensures that no single individual or department processes a transaction in its entirety. Rule 1: Transaction authorization should be separate from transaction processing. Rule 2: Asset custody should be separate from the record-keeping tasks. Rule 3: The organization should be so structured that the perpetration of a fraud requires collusion between two or more individuals.
Supervision – by closely supervising employees who perform potentially incompatible functions, a firm can compensate for the exposure inherent in a system. Supervision can also provide control in systems that are properly segregated. Detecting crimes after the fact accomplishes little. Prevention is the best solution. The deterrent effect of supervision can provide an effective preventive control.
PHYSICAL CONTROLS
Independent verification
Review the work of others at critical points in business processes
Purpose: Identify errors or possible fraud
Examples:
Shipping dept. verifies goods sent from warehouse dept. are correct in type and quantity
Billing dept. reconciles shipping notice with sales notice to ensure customers are billed correctly
Testing physical controls
Review organizational structure for incompatible tasks
Tasks normally segregated in manual systems get consolidated in DP systems
Duties of design, maintenance, and operation of computer programs need to be separated
Programmers should not be responsible for subsequent program changes

Independent Verification – the purpose is to review the work performed by others at key junctures in the processes to identify and correct errors. Two examples: The shipping dept verifies that the goods sent from the warehouse are correct in type and quantity. The billing dept reconciles the shipping notice with the sales notice to ensure that customers are billed only for the items and quantities that were actually shipped.
Testing Physical Controls – the auditor’s review of organizational structure should disclose the more egregious examples of incompatible tasks. Covert relationships that lead to collusion may not be apparent from an organizational chart. Many tasks that are normally segregated in manual systems are consolidated in the data processing function of computer-based systems. Duties pertaining to the design, maintenance, and operation of computer programs need to be separated. Programmers who write original computer programs should not be responsible for making program changes.
OUTPUT CONTROLS
PURPOSE: Ensure information is not lost, misdirected, or corrupted, and that the system output processes function properly
Controls are designed to identify potential problems
Reconciling GL to subsidiary ledgers
Maintenance of the audit trail – the primary way to trace the source of detected errors
Details of transactions processed at intermediate points
AR change report
Transaction logs: permanent record of valid transactions
Transaction listings – successfully posted transactions
Log of automatic transactions
Unique transaction identifiers
Error listings
Testing output controls
Reviewing summary reports for accuracy, completeness, timeliness, and relevance for decisions
Trace sample transactions through audit trails, including transaction listings, error logs, and logs of resubmitted records
ACL is very helpful in this process

Output Controls – designed to ensure that information is not lost, misdirected, or corrupted and that system processes function as intended. Output control can be designed to identify potential problems. The following are examples of audit trail output controls.
Reconciling the general ledger is an output control that can detect certain types of transaction processing errors.
Maintenance of an audit trail. To resolve transaction processing errors, each detected error needs to be traced to its source. Details of transaction processing produced at intermediate points can provide an audit trail that reflects activity through every stage of operations.
Accounts Receivable Change Report – shows the overall change to accounts receivable from sales orders and cash receipts. These numbers should reconcile with total sales, total cash receipts (on account), and the general ledger.
Transaction Logs – every transaction successfully processed by the system should be recorded on a transaction log, which serves as a journal. A transaction log serves 2 purposes: it is a permanent record of valid transactions, and it contains only successful transactions, none that were partially processed.
Transaction Listings – the system should produce a transaction listing of all successful transactions.
Log of Automatic Transactions – some transactions are triggered internally by the system. To maintain an audit trail of these activities, all internally generated transactions must be placed in a transaction log, and a listing of these transactions should be sent to the appropriate managers.
Unique Transaction Identifiers – each transaction processed by the system must be uniquely identified with a transaction number. This is the only practical means of tracing a particular transaction.
Error Listing – a listing of all errors should go to the appropriate user to support error correction and resubmission.
Testing Output Controls – testing output controls involves reviewing summary reports for accuracy, completeness, timeliness, and relevance to the decisions that they are intended to support. The auditor should trace sample transactions through audit trail reports, including transaction listings, error logs, and logs of resubmitted records. In modern systems, audit trails are usually stored on-line in text files. Data extraction software such as ACL can be used to search log files for specific records to verify the completeness and accuracy of output reports.
305
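The audit-trail checks listed on this slide (unique identifiers, listing-to-log reconciliation, error listing and resubmissions, the log of automatic transactions, and the AR change report tied back to the general ledger), worked as an added example in Python. This is not code from Hall & Singleton or from ACL; the log, listing and error-listing layouts, the field names and the opening balance are all constructed for illustration.

```python
"""Output-control tests run over a constructed transaction log.

Added example, not code from the textbook or from ACL. Every record below is
constructed; the field names (txn_id, type, customer, amount, auto) are assumed.
"""
from collections import Counter

# Constructed transaction log: every transaction the system accepted, each with a
# unique identifier. 'auto' marks internally generated transactions, which the
# text says must also be logged so that the audit trail stays complete.
TRANSACTION_LOG = [
    {"txn_id": "T1001", "type": "sale", "customer": "C01", "amount": 500.00, "auto": False},
    {"txn_id": "T1002", "type": "sale", "customer": "C02", "amount": 1200.00, "auto": False},
    {"txn_id": "T1003", "type": "cash_receipt", "customer": "C01", "amount": 300.00, "auto": False},
    {"txn_id": "T1004", "type": "sale", "customer": "C03", "amount": 250.00, "auto": True},
]

# Constructed transaction listing: what the output report says was posted.
TRANSACTION_LISTING = ["T1001", "T1002", "T1003", "T1004"]

# Constructed error listing: rejected input records with the reason, plus the id
# the record was later resubmitted under (None = still open for correction).
ERROR_LISTING = [
    {"batch_seq": 7, "reason": "invalid customer number", "resubmitted_as": "T1002"},
    {"batch_seq": 9, "reason": "quantity not numeric", "resubmitted_as": None},
]


def check_unique_identifiers(log):
    """Return transaction ids that occur more than once (should be empty)."""
    counts = Counter(rec["txn_id"] for rec in log)
    return sorted(tid for tid, n in counts.items() if n > 1)


def reconcile_listing_to_log(log, listing):
    """Ids on the listing with no log record, and logged ids missing from the listing."""
    logged = {rec["txn_id"] for rec in log}
    listed = set(listing)
    return {"listed_not_logged": sorted(listed - logged),
            "logged_not_listed": sorted(logged - listed)}


def open_errors(errors):
    """Errors that have not yet been corrected and resubmitted."""
    return [e for e in errors if e["resubmitted_as"] is None]


def unresolved_resubmissions(errors, log):
    """Resubmitted ids that never reached the transaction log."""
    logged = {rec["txn_id"] for rec in log}
    return [e["resubmitted_as"] for e in errors
            if e["resubmitted_as"] and e["resubmitted_as"] not in logged]


def automatic_transactions(log):
    """The log of automatic (internally generated) transactions for management review."""
    return [rec["txn_id"] for rec in log if rec["auto"]]


def ar_change_report(log, opening_ar):
    """AR change report: opening AR + sales on account - cash receipts = closing AR."""
    sales = sum(r["amount"] for r in log if r["type"] == "sale")
    receipts = sum(r["amount"] for r in log if r["type"] == "cash_receipt")
    return {"opening": opening_ar, "sales": sales, "receipts": receipts,
            "closing": opening_ar + sales - receipts}


def reconcile_to_gl(report, gl_ar_balance):
    """True when the change report agrees with the general ledger control account."""
    return abs(report["closing"] - gl_ar_balance) < 0.005
```

Each function returns the exceptions rather than printing them, so the same checks can be run over a real log extract and the non-empty results become the auditor's follow-up list.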
SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
- Purpose: determine the nature, timing, and extent of substantive tests using the auditor's assessment of inherent risk, unmitigated control risk, materiality considerations, and efficiency of the audit
- Concern: overstatement or understatement of revenues?
- Focus on large and unusual transactions, especially near period-end:
  - Recognizing revenues from sales that did not occur
  - Recognizing revenues BEFORE they are realized
  - Failing to recognize cutoff points
  - Underestimating allowance for doubtful accounts
  - Shipping unsolicited products to customers, subsequently returned
  - Billing customers for products held by seller
- Tests of controls and substantive tests:
  - Credit limit logic may be effective, but cut-off of AR may be in error
  - Substantive testing of AR may give assurance about accuracy of total AR but does not offer assurance about collectibility

The strategy used in determining the nature, timing, and extent of substantive tests derives from the auditor's assessment of inherent risk, unmitigated control risk, materiality considerations, and the need to conduct the audit in an efficient manner.

Revenue Cycle Risks and Audit Concerns – pertain to the potential for overstatement of revenues and accounts rather than their understatement. The auditor should focus attention on large and unusual transactions at or near period-end. The auditor will seek evidence by performing a combination of tests of internal controls and substantive tests. While positive results from such a test may enable the auditor to reduce the degree of substantive testing needed to gain assurance about the mathematical accuracy of account processing, they offer no assurance about the collectibility of those accounts receivable. Similarly, ITF can be used to test the credit-limit logic of the edit program to provide assurance that the organization's credit policy is being properly implemented. This test, however, provides no evidence that proper cutoff procedures were followed in calculating the total value of accounts receivable.
SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
Understanding data
- VERIFY data used in CAATTs (e.g., ACL) is accurate
- VERIFY adequate setup of files from originals (e.g., ACL and the Profile command)
- Relationships and data from [see Figure 9-10]: Customer file, Sales Invoice file, Line Item file, Inventory file, Shipping Log file
- File preparation procedures

Understanding Data – the auditor needs to understand the systems and controls that produced the data, as well as the physical characteristics of the files that contain them. The auditor must verify that he or she is working with the correct version of the file to be analyzed. ACL can read most sequential files and relational database tables directly, but esoteric and/or complex file structures may require flattening before they can be analyzed. The auditor must verify that the correct version of the original file was used and that all relevant records from the original were transferred to the copy for analysis. The audit procedures described are based on the file structure, which indicates the key data and logical linkages between files.

- Customer File – contains address and credit information about customers and is used to validate sales transactions.
- Sales Invoice File – captures sales transaction data for the period. The sales invoice file contains summary data for each invoice.
- Line Item File – contains a record for every product sold. These data also provide audit evidence needed to corroborate the accuracy of price times quantity calculations that are summarized in the sales invoices.
- Inventory File – contains quantity, price, supplier, and warehouse location data for each item of inventory.
- Shipping Log File – a record of all sales orders shipped to customers. These data can also be used to determine if customer orders are being shipped in a timely manner.
- File Preparation Procedures – each file needs to be defined in terms of its physical location and its structure. When the file definition is completed, it is saved under a unique name assigned by the auditor. Sometimes the contents of a data field are different from what they are supposed to be. Prior to performing any substantive tests on a new file, it is important to validate its contents. ACL's verify command analyzes the data fields in the selected file to ensure that their contents are consistent with the field type in the file definition.
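The file-preparation step above ends with validating a new file against its file definition before any substantive test is run. The following added example (Python, not the textbook's code and not ACL's verify command itself) shows what such a check does: a field layout for the Sales Invoice file is assumed, a small file with two deliberately bad records is constructed, and every field is tested against the type the definition declares.

```python
"""Validate a data file against its file definition before substantive testing.

Added example, not code from Hall & Singleton or from ACL. The Sales Invoice
layout below and the sample records are assumed for illustration.
"""
import csv
import io
from datetime import datetime

# Assumed file definition: (field name, expected type) in file order.
SALES_INVOICE_DEFINITION = [
    ("invoice_number", "numeric"),
    ("customer_number", "text"),
    ("invoice_date", "date"),      # expected as YYYY-MM-DD
    ("invoice_amount", "decimal"),
    ("status", "text"),
]

# Constructed Sales Invoice file. Record 3 has a non-numeric invoice number and
# record 4 has an impossible date, the kind of content a verify step must flag.
SALES_INVOICE_FILE = """\
invoice_number,customer_number,invoice_date,invoice_amount,status
10001,C01,2024-03-01,500.00,open
10002,C02,2024-03-02,1200.00,closed
1000X,C03,2024-03-03,250.00,open
10004,C01,2024-02-30,75.50,open
"""


def _value_ok(value, ftype):
    """True when the field content is consistent with the declared type."""
    if ftype == "text":
        return value != ""
    if ftype == "numeric":
        return value.isdigit()
    if ftype == "decimal":
        try:
            float(value)
        except ValueError:
            return False
        return "." in value
    if ftype == "date":
        try:
            datetime.strptime(value, "%Y-%m-%d")
        except ValueError:
            return False
        return True
    raise ValueError(f"unknown field type {ftype}")


def verify_file(text, definition):
    """Check every record of a CSV file against the definition.

    Returns the number of records read and a list of
    (record_no, field, value, expected_type) for each inconsistent field.
    A layout mismatch (wrong columns or column order) is raised immediately,
    because the wrong version of a file is the first thing the auditor rules out.
    """
    reader = csv.DictReader(io.StringIO(text))
    expected_cols = [name for name, _ in definition]
    if reader.fieldnames != expected_cols:
        raise ValueError(f"layout mismatch: {reader.fieldnames} != {expected_cols}")
    problems = []
    count = 0
    for count, row in enumerate(reader, start=1):
        for name, ftype in definition:
            if not _value_ok(row[name], ftype):
                problems.append((count, name, row[name], ftype))
    return {"records": count, "problems": problems}
```

The record count is returned alongside the problems so it can be compared with the record count of the original file, which is the completeness check the slide asks for when a copy is made for analysis.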
SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
Accuracy/completeness assertion
- Analytical review of account balances: overall perspective for trends in sales, cash receipts, sales returns, and AR
- Provides first-level assurance that amounts are reasonably stated and reasonably complete; if so, may reduce the extent of substantive testing
- Review sales invoices for unusual trends and exceptions: scanning data files using a CAAT (e.g., ACL stratify, possibly with filters – see Figure 9-11)
- Reveals all errors, or raises questions?

The strategy used in determining the nature, timing, and extent of substantive tests derives from the auditor's assessment of inherent risk, unmitigated control risk, materiality considerations, and the need to conduct the audit in an efficient manner.

Testing the Accuracy and Completeness Assertions – auditors often precede substantive tests of detail with an analytical review of account balances. This review will provide the auditor with an overall perspective for trends in sales, cash receipts, sales returns, and accounts receivable. Analytical procedures can provide assurance that transactions and accounts are reasonably stated and complete and may thus permit the auditor to reduce substantive tests of details on these accounts.

- Review Sales Invoices for Unusual Trends and Exceptions – a useful audit procedure for identifying potential audit risks involves scanning data files for unusual transactions and account balances. The auditor can use ACL's stratify feature to identify such anomalies. This function groups data into predetermined intervals and counts the number of records that fall into each interval. The auditor can use other ACL features to seek answers to questions raised by the preceding analysis. Although the auditor cannot specifically identify from the stratification which records are causing the anomalies, the potential problem has been flagged. ACL provides a filter capability that can be used to select or ignore specific records from an entire file. The stratification does not reveal every error; it raises questions and points the auditor in the direction of possible anomalies.
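The stratify-then-filter procedure just described, as an added example in Python (not the textbook's code and not ACL). The intervals, the flagging rule and the small Sales Invoice file are assumed; the stratification groups amounts into intervals and counts and totals them, a rule flags the strata that warrant a question, and a filter then pulls out the records behind a flagged stratum, which is the step the text says the stratification alone cannot do.

```python
"""Stratify sales invoice amounts, flag unusual strata, then filter to the records.

Added example, not code from Hall & Singleton or from ACL. Intervals, the
flagging threshold and the invoice records are all assumed.
"""

# Constructed Sales Invoice file records: (invoice number, customer, amount).
SALES_INVOICES = [
    ("10001", "C01", 480.00),
    ("10002", "C02", 1250.00),
    ("10003", "C03", 95.00),
    ("10004", "C01", 510.00),
    ("10005", "C04", -120.00),   # negative invoice amount: unusual
    ("10006", "C02", 7600.00),   # far larger than the rest: unusual
    ("10007", "C05", 330.00),
]

# Assumed interval boundaries for the stratification report.
BOUNDS = [0, 500, 1000, 5000]


def stratify(records, bounds):
    """Group amounts into [bounds[i], bounds[i+1]) intervals, plus one stratum
    below the first bound and one at or above the last, as a stratify report
    does. Returns (label, count, total) per stratum in ascending order."""
    labels = ([f"< {bounds[0]}"]
              + [f"{lo} - {hi}" for lo, hi in zip(bounds, bounds[1:])]
              + [f">= {bounds[-1]}"])
    counts = [0] * len(labels)
    totals = [0.0] * len(labels)
    for _, _, amount in records:
        idx = sum(1 for b in bounds if amount >= b)   # number of bounds passed
        counts[idx] += 1
        totals[idx] += amount
    return [(lab, c, round(t, 2)) for lab, c, t in zip(labels, counts, totals)]


def flag_outlier_strata(strata, max_share=0.5):
    """Assumed rule: flag a populated stratum whose total is negative or that
    carries more than max_share of the grand total. The stratification only
    says where to look; the records themselves come from a filter."""
    grand = sum(t for _, _, t in strata)
    return [lab for lab, c, t in strata
            if c and (t < 0 or (grand > 0 and t / grand > max_share))]


def filter_records(records, predicate):
    """Select the records that satisfy a condition (an ACL-style filter)."""
    return [r for r in records if predicate(r)]


def records_at_or_above(records, amount):
    """Convenience filter for the top stratum."""
    return filter_records(records, lambda r: r[2] >= amount)


def negative_records(records):
    """Convenience filter for the below-zero stratum."""
    return filter_records(records, lambda r: r[2] < 0)
```

Run over a real extract the same two steps apply: the flagged strata are the questions, and the filtered records are what the auditor takes to management for an explanation.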
SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
Accuracy/completeness assertion
- Review sales invoice and shipping log files for missing and duplicate transactions [see Table 9-2]
- Questions/survey:
  - Are procedures in place to document and approve voided invoices?
  - How are gaps in sales invoice numbers communicated to management?
  - What physical controls exist over access to sales invoice source documents?
  - If applicable, are batch totals used to control batch transactions during each processing step?
  - Are transaction listings reconciled and reviewed by management?
- Review line item and inventory files for pricing accuracy: ACL allows the auditor to compare prices on invoices with inventory using JOIN [see example on page 413]
- Testing unmatched records (complement)

- Review Sales Invoice and Shipping Log Files for Missing and Duplicate Items – searching for missing and/or duplicate transactions is another important test that helps the auditor corroborate or refute the completeness and accuracy assertions. ACL is capable of testing a designated field for out-of-sequence records, gaps in sequence numbers, and duplicates for the entire file. The auditor can scan the Invoice Number field of all records in the Sales Invoice file. The auditor will need to interview management and employees involved in the process and seek answers to the following types of questions: Are procedures in place to document and approve voided invoices? How are gaps in sales invoices communicated to management? What physical controls exist over access to sales invoice source documents? Are batch totals used to control total transactions during data processing? Are transaction listings reconciled and reviewed by management?
- Review Line Item and Inventory Files for Sales Price Accuracy – auditors would verify pricing accuracy by comparing sales prices on the invoices with the published price list. ACL allows the auditor to compare the prices charged on every invoice in the file for the period under review. This procedure involves a few simple steps. First, notice that the actual sales price charged is stored in the Sales Price field in the Line Item file. Both files need to be ordered according to their common key. The next step is to combine the two files to create a third. ACL accomplishes this with its Join feature. ACL's Join feature permits the auditor to specify the fields from the two input files that are passed to the new output file.
- Testing for Unmatched Records – by selecting a different join option, the auditor can produce a new file of only unmatched records.
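The three tests on this slide (sequence gaps and duplicates in the Invoice Number field, the join of the Line Item file with the Inventory file to compare invoiced price with list price, and the unmatched-records join) as one added example in Python. This is not the textbook's code and not ACL; the file layouts, field names and records are constructed, and the join is written with the two files ordered on their common key, as the text requires.

```python
"""Sequence, duplicate, price-accuracy and unmatched-record tests.

Added example, not code from Hall & Singleton or from ACL. File layouts and
all records are constructed for illustration.
"""

# Constructed Sales Invoice file: the Invoice Number field should run without gaps
# or repeats. Here 10003 and 10006 are missing and 10005 appears twice.
SALES_INVOICE_NUMBERS = [10001, 10002, 10004, 10005, 10005, 10007]

# Constructed Line Item file: one record per product sold, with the price charged.
LINE_ITEMS = [
    {"invoice": 10001, "item": "A100", "qty": 2, "sales_price": 50.00},
    {"invoice": 10002, "item": "B200", "qty": 1, "sales_price": 300.00},
    {"invoice": 10004, "item": "A100", "qty": 5, "sales_price": 45.00},   # below list price
    {"invoice": 10005, "item": "Z999", "qty": 1, "sales_price": 20.00},   # item not in inventory
]

# Constructed Inventory file: the published price per item.
INVENTORY = [
    {"item": "A100", "price": 50.00, "warehouse": "W1"},
    {"item": "B200", "price": 300.00, "warehouse": "W1"},
    {"item": "C300", "price": 12.00, "warehouse": "W2"},
]


def sequence_test(numbers):
    """Gaps (missing numbers between the lowest and highest) and duplicates."""
    ordered = sorted(numbers)
    present = set(ordered)
    gaps = [n for n in range(ordered[0], ordered[-1] + 1) if n not in present]
    seen, dups = set(), []
    for n in ordered:
        if n in seen and n not in dups:
            dups.append(n)
        seen.add(n)
    return {"gaps": gaps, "duplicates": dups}


def join(primary, secondary, key, unmatched_only=False):
    """Join two files on a common key after ordering both on it.

    Default: one output record per primary record that has a match, carrying
    the fields of both. unmatched_only=True is the 'unmatched records' join
    option: it returns only the primary records with no secondary match.
    """
    index = {rec[key]: rec for rec in sorted(secondary, key=lambda r: r[key])}
    out = []
    for rec in sorted(primary, key=lambda r: r[key]):
        match = index.get(rec[key])
        if match is not None and not unmatched_only:
            merged = dict(rec)
            merged.update({k: v for k, v in match.items() if k != key})
            out.append(merged)
        elif match is None and unmatched_only:
            out.append(dict(rec))
    return out


def price_exceptions(line_items, inventory, tolerance=0.005):
    """Line items whose invoiced Sales Price differs from the inventory price."""
    joined = join(line_items, inventory, "item")
    return [(r["invoice"], r["item"], r["sales_price"], r["price"])
            for r in joined if abs(r["sales_price"] - r["price"]) > tolerance]


def unmatched_line_items(line_items, inventory):
    """Line items that reference an item missing from the Inventory file."""
    return [(r["invoice"], r["item"])
            for r in join(line_items, inventory, "item", unmatched_only=True)]
```

The unmatched join is the complement the slide refers to: a sale recorded against an item that the inventory file does not know is a completeness question in its own right, separate from the price comparison on the matched records.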
SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
Existence assertion
- Confirmation of AR – SAS #67; not required if: AR is immaterial; assessed control risk is low; the confirmation process will be ineffective
- CAATTs to use for this function? Steps:
  - Select accounts to confirm
  - Consolidate invoices (not AR subsidiary) using CLASSIFY (filter) and SUMMARIZE (amount) [see Tables 9-3 and 9-4] – why?
  - JOIN the CUSTOMER file with the new consolidated invoice file
  - Prepare confirmation requests [see Figure 9-12]
  - Positive and negative confirmations (ACL EXPORT)
- Evaluating and controlling responses:
  - Retain custody of the confirmation letters until mailed
  - The letters should be addressed to the auditor, not the client organization
  - The replies should be mailed to the auditor, not the client organization
  - Discrepancies should be investigated
  - Non-responses to POSITIVE confirmations should be investigated

The strategy used in determining the nature, timing, and extent of substantive tests derives from the auditor's assessment of inherent risk, unmitigated control risk, materiality considerations, and the need to conduct the audit in an efficient manner.

Testing the Existence Assertion – one of the most widely performed tests of existence is the confirmation of accounts receivable. This test involves direct written contact between the auditors and the client's customers to confirm account balances and transactions. Statement of Auditing Standards No. 67, The Confirmation Process, states that auditors should request confirmations of accounts receivable except in the following three situations: accounts receivable is immaterial; based on a review of internal controls, the auditor has assessed control risk to be low; the confirmation process will be ineffective. An open invoice system records invoices individually rather than summarized or grouped by the creditor.

The confirmation process involves three stages:

- Selecting Accounts to Confirm – obtaining a set of accounts for confirmation requires three steps: consolidate the invoices by customer, join the data from the two files, and select a sample of accounts from the joined file. Consolidate Invoices – consolidate all the open invoices for each customer. ACL's classify command allows the auditor to set a filter to select only the open sales invoices and to summarize the Invoice Amount field for each record based on the Customer Number. Join the Files – the next step in the confirmation process is to join the Classified Invoices file and the Customer file to produce another new file called Accounts Receivable.
- Preparing Confirmation Requests – involves preparing confirmation requests that contain the information captured in the AR-Sample file. The requests are drafted and administered by the auditor but are written in the client entity's name.
- Positive and Negative Confirmations – in positive confirmations, the recipients are asked to respond whether their records agree or disagree with the amount stated. This is useful when the auditor suspects that a large number of accounts may be in dispute. A problem with positive confirmations is poor response rates. Negative confirmations request the recipient to respond only if they disagree with the amount shown in the letter. This technique is used primarily when accounts receivable consist of a large number of low-value balances and the control risk of misstatement is considered to be low. Once the auditor decides upon the nature and the wording of the confirmation letter, it can be created using a word processor. ACL's export feature greatly facilitates the physical task of inserting the relevant financial data for each customer into the individual letters.
- Evaluating and Controlling Responses – maintaining control over the confirmation process is critical to its integrity. The auditor should take all reasonable steps to ensure the following procedures are observed: retain custody of the confirmation letters until they are mailed; the letters should be addressed to the auditor, not the client organization; the confirmation letter replies should be mailed to the auditor, not the client organization; when the responses are returned to the auditor, discrepancies in the amount owed should be investigated; non-responses to positive confirmations also need to be investigated.
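The first two stages of the confirmation process above (classify and summarize the open invoices per customer, join with the Customer file, select the sample, and export the figures into the letters) as an added example in Python. This is not code from the textbook or from ACL; the files, field names, the selection rule (positive confirmations at or above a threshold, negative below it) and the letter wording are assumed. Note that the reply address in the letter is the auditor's, as the control procedures on the slide require.

```python
"""Build the accounts receivable confirmation population from an open-invoice file.

Added example, not code from Hall & Singleton or from ACL. Records, field
names, the sampling rule and the letter text are assumed.
"""

# Constructed Sales Invoice file (open-invoice system: one record per invoice).
SALES_INVOICES = [
    {"invoice": 10001, "customer": "C01", "amount": 500.00, "status": "open"},
    {"invoice": 10002, "customer": "C02", "amount": 1200.00, "status": "closed"},
    {"invoice": 10003, "customer": "C01", "amount": 250.00, "status": "open"},
    {"invoice": 10004, "customer": "C03", "amount": 4300.00, "status": "open"},
    {"invoice": 10005, "customer": "C02", "amount": 90.00, "status": "open"},
]

# Constructed Customer file.
CUSTOMERS = [
    {"customer": "C01", "name": "Acme Ltd", "address": "1 Main St"},
    {"customer": "C02", "name": "Bolt Inc", "address": "2 Side Rd"},
    {"customer": "C03", "name": "Cog Corp", "address": "3 Back Ln"},
]


def classify_open_invoices(invoices):
    """Filter to open invoices and total Invoice Amount per Customer Number
    (the Classified Invoices file). Sorted by customer for the join."""
    totals = {}
    for inv in invoices:
        if inv["status"] == "open":                         # the filter
            totals[inv["customer"]] = totals.get(inv["customer"], 0.0) + inv["amount"]
    return [{"customer": c, "balance": round(b, 2)} for c, b in sorted(totals.items())]


def join_with_customers(classified, customers):
    """Join Classified Invoices with the Customer file -> Accounts Receivable file.
    An open balance for a customer missing from the Customer file is an
    exception, so it is raised rather than silently dropped."""
    by_key = {c["customer"]: c for c in customers}
    out = []
    for rec in classified:
        cust = by_key.get(rec["customer"])
        if cust is None:
            raise ValueError(f"open balance for unknown customer {rec['customer']}")
        out.append({**rec, "name": cust["name"], "address": cust["address"]})
    return out


def select_sample(ar_file, threshold):
    """Assumed selection rule: balances at or above the threshold get positive
    confirmations, the many low-value balances get negative ones."""
    return {"positive": [r for r in ar_file if r["balance"] >= threshold],
            "negative": [r for r in ar_file if r["balance"] < threshold]}


def export_letter(rec, kind, auditor_address):
    """Merge one AR-Sample record into the letter text (the export step).
    The letter is in the client's name but replies go to the auditor."""
    if kind == "positive":
        ask = "Please confirm whether this balance agrees with your records."
    else:
        ask = "Please reply only if this balance does not agree with your records."
    return (f"To: {rec['name']}, {rec['address']}\n"
            f"Our records show a balance due of ${rec['balance']:.2f}.\n"
            f"{ask}\nReply to: {auditor_address}\n")


def total_open_balance(ar_file):
    """Control total to agree with the AR control account before mailing."""
    return round(sum(r["balance"] for r in ar_file), 2)
```

The control total at the end is worth keeping: the sum of the consolidated balances should agree with the general ledger AR control account before any letters go out, otherwise the population being confirmed is not the one on the balance sheet.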
SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
Valuation/allocation assertion
- Corroborate or refute that AR is stated at a reasonable net realizable value
- Aging AR: ACL AGE [see Table 9-7]
- Is the allowance for doubtful accounts reasonable compared to prior years and based on the composition of the AR portfolio?
- Confirmation process will be ineffective
- Review past-due balances: conference with the credit manager to determine collectibility
- Determine if the methods used to estimate the allowance for doubtful accounts are adequate, not the collectibility of each account
- Determine if the overall allowance is, therefore, reasonable

The strategy used in determining the nature, timing, and extent of substantive tests derives from the auditor's assessment of inherent risk, unmitigated control risk, materiality considerations, and the need to conduct the audit in an efficient manner.

Testing the Valuation/Allocation Assertion – the auditor's objective regarding proper valuation and allocation is to corroborate or refute that accounts receivable are stated at net realizable value. The auditor needs to review the accounts receivable aging process to determine that the allowance for doubtful accounts is adequate.

Aging Accounts Receivable – as accounts age, the probability that they will ultimately be collected decreases. The larger the number of older accounts that are included in an organization's accounts receivable file, the larger the allowance for doubtful accounts needs to be to reflect the risk. A key issue for auditors to resolve is whether the allowance calculated by the client is consistent with the composition of the organization's accounts receivable portfolio and with prior years.

Review Past-Due Balances – the auditor should review past-due balances with the credit manager to obtain information for basing an opinion on their collectibility. The auditor's objective is not to assess the collectibility of each account, but to determine that the methods used by the credit manager to estimate the allowance for doubtful accounts are adequate and that the overall allowance is reasonable.
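The aging procedure above, as an added example in Python (not the textbook's code and not ACL's age command). The aging buckets, the per-bucket loss rates that stand in for the client's estimation method, the period-end date, the tolerance used to judge reasonableness, and the open invoices are all assumed; the point is the recomputation the auditor compares the client's allowance against, not the collectibility of any single account.

```python
"""Age open receivables and recompute the allowance for doubtful accounts.

Added example, not code from Hall & Singleton or from ACL. Buckets, loss
rates, dates, the tolerance and the invoice records are assumed.
"""
from datetime import date

# Constructed open invoices at period end: (customer, invoice date, open balance).
OPEN_INVOICES = [
    ("C01", date(2024, 12, 10), 500.00),
    ("C01", date(2024, 10, 28), 250.00),
    ("C02", date(2024, 12, 20), 90.00),
    ("C03", date(2024, 8, 5), 4300.00),
    ("C04", date(2024, 11, 15), 1000.00),
]
PERIOD_END = date(2024, 12, 31)

# Aging buckets as (label, upper bound in days; None = open-ended) and the assumed
# share of each bucket the client's method treats as uncollectible.
BUCKETS = [("current", 30), ("31-60", 60), ("61-90", 90), ("over 90", None)]
LOSS_RATES = {"current": 0.01, "31-60": 0.05, "61-90": 0.20, "over 90": 0.50}


def bucket_for(days):
    """Aging bucket label for an invoice that is `days` old."""
    for label, upper in BUCKETS:
        if upper is None or days <= upper:
            return label


def age_receivables(invoices, period_end):
    """Total open balance per aging bucket: the aging report."""
    totals = {label: 0.0 for label, _ in BUCKETS}
    for _, inv_date, balance in invoices:
        totals[bucket_for((period_end - inv_date).days)] += balance
    return {k: round(v, 2) for k, v in totals.items()}


def estimated_allowance(aging, loss_rates):
    """Auditor's recomputation of the allowance from the aging and the loss rates."""
    return round(sum(aging[b] * loss_rates[b] for b in aging), 2)


def allowance_reasonable(client_allowance, estimate, tolerance=0.10):
    """Assumed materiality rule: the client's figure is reasonable when it lies
    within `tolerance` of the recomputation."""
    return abs(client_allowance - estimate) <= tolerance * estimate


def share_over_90(aging):
    """Proportion of the portfolio over 90 days, for comparison with prior years."""
    total = sum(aging.values())
    return round(aging["over 90"] / total, 3) if total else 0.0
```

The share of the portfolio in the oldest bucket is the figure to put beside prior years: a larger old-balance share with an unchanged allowance is exactly the inconsistency the slide asks the auditor to resolve.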
IS Controls
- Access controls: site, system, file, record
- Rights and privileges
Controls for Automated Systems
- General and application controls for IS
- Transaction tags
- Transaction logs
- Increased supervision
- Online validation and authentication
- Rotation of duties
- Authorizations and automated rules
- Continuous auditing techniques
Chapter 9: Auditing the Revenue Cycle
Chapter 10: Auditing the Expenditure Cycle
PURCHASES: BATCH PROCESSING
- Step 1: Data processing department – inventory control
- Purchasing department
- Step 2: Data processing department – P.O.
- Receiving department
- Step 3: Data processing department – batch update of inventory
- Accounts payable
- Step 4: Data processing department – validates vendors
CASH DISBURSEMENT: BATCH PROCESSING
- Step 5: Data processing department – scans for items due and prints checks for items received
- Step 6: Cash disbursements department – reconciles checks, submits checks to management for signature
- Step 7: Accounts payable – matches copies of checks with open vouchers, closes them and files documents
- Concludes expenditure cycle
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED
Data processing steps performed automatically:
- Inventory file scanned for items and reorder points
- Purchase requisition record for all items needing replenishment
- Consolidate requisitions by vendor
- Retrieve vendor mailing information
- P.O. prepared and sent to vendor (EDI)
- Open P.O. record added for each transaction
- List of P.O.s sent to purchasing department
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED
- Goods arrive at receiving department
- Quantities received entered per item
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED
Data processing steps performed automatically:
- Quantities keyed matched to open P.O. record
- Receiving report file record added
- Update inventory subsidiary records
- G.L. inventory updated
- Record removed from open P.O. file and added to open A.P. file, due date established
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED
Each day, the due date field of A.P. records is scanned for items where payment is due
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED
Data processing steps performed automatically:
- Checks are printed, signed and distributed to mailroom (unless EDI/EFT)
- Payments are recorded in check register file
- Items paid are transferred from open A.P. to closed A.P. file
- G.L. A.P. and cash accounts are updated
- Appropriate reports are transmitted to A.P. and cash disbursements departments for review
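The reengineered purchases-to-payment flow on the preceding slides, as one added example in Python (not the textbook's code). The inventory records, payment terms, dates and P.O. numbering are assumed. It shows the two automated control points the slides describe: a receipt is accepted only when the keyed quantity matches an open P.O. line (which is what turns it into an open A.P. record with a due date), and the daily scan pays only received items whose due date has arrived.

```python
"""Automated purchases / cash disbursement flow with its control points.

Added example, not code from Hall & Singleton. Inventory records, payment
terms, dates and P.O. numbering are assumed for illustration.
"""
from datetime import date, timedelta

# Constructed Inventory file: on-hand quantity, reorder point, reorder quantity, vendor.
INVENTORY = [
    {"item": "A100", "on_hand": 3, "reorder_point": 10, "reorder_qty": 50, "vendor": "V1"},
    {"item": "B200", "on_hand": 40, "reorder_point": 10, "reorder_qty": 20, "vendor": "V1"},
    {"item": "C300", "on_hand": 0, "reorder_point": 5, "reorder_qty": 25, "vendor": "V2"},
]
PAYMENT_TERMS_DAYS = 30   # assumed: due date = receipt date + 30 days


def requisitions_needed(inventory):
    """Scan the inventory file for items at or below their reorder point."""
    return [{"item": i["item"], "qty": i["reorder_qty"], "vendor": i["vendor"]}
            for i in inventory if i["on_hand"] <= i["reorder_point"]]


def consolidate_by_vendor(reqs):
    """Consolidate requisitions into one open P.O. record per vendor."""
    by_vendor = {}
    for r in reqs:
        by_vendor.setdefault(r["vendor"], []).append((r["item"], r["qty"]))
    return [{"po": f"PO{n:04d}", "vendor": v, "lines": lines}
            for n, (v, lines) in enumerate(sorted(by_vendor.items()), start=1)]


def receive_goods(open_pos, po_number, item, qty_received, received_on, inventory):
    """Match keyed quantities to the open P.O. Receipts with no open P.O., for an
    item not on it, or above the ordered quantity are rejected. On a match the
    inventory record is updated, the P.O. line is closed and an open A.P. record
    with a due date is returned."""
    po = next((p for p in open_pos if p["po"] == po_number), None)
    if po is None:
        return {"accepted": False, "reason": "no open P.O."}
    line = next((l for l in po["lines"] if l[0] == item), None)
    if line is None or qty_received > line[1]:
        return {"accepted": False, "reason": "quantity/item not on P.O."}
    for inv in inventory:
        if inv["item"] == item:
            inv["on_hand"] += qty_received
    po["lines"].remove(line)
    return {"accepted": True,
            "ap": {"po": po_number, "vendor": po["vendor"], "item": item, "qty": qty_received,
                   "due": received_on + timedelta(days=PAYMENT_TERMS_DAYS)}}


def items_due(open_ap, today):
    """Daily scan of the A.P. due-date field: the items to pay today."""
    return [ap for ap in open_ap if ap["due"] <= today]


def run_demo():
    """Walk the constructed data through the cycle and return each intermediate result."""
    inventory = [dict(i) for i in INVENTORY]           # work on a copy
    pos = consolidate_by_vendor(requisitions_needed(inventory))
    open_ap = []
    rejected = receive_goods(pos, "PO9999", "A100", 50, date(2024, 1, 10), inventory)
    over = receive_goods(pos, "PO0001", "A100", 60, date(2024, 1, 10), inventory)
    ok = receive_goods(pos, "PO0001", "A100", 50, date(2024, 1, 10), inventory)
    if ok["accepted"]:
        open_ap.append(ok["ap"])
    return {"pos": pos, "rejected": rejected, "over": over, "accepted": ok,
            "on_hand_A100": next(i["on_hand"] for i in inventory if i["item"] == "A100"),
            "due_early": items_due(open_ap, date(2024, 2, 1)),
            "due_on_date": items_due(open_ap, date(2024, 2, 9))}
```

Read against the control-implications slide that follows: the rejections in `receive_goods` are the automated substitute for the manual reconciliation of P.O., receiving report and invoice, and the A.P. file that feeds `items_due` contains only goods actually received.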
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED
Control implications
- General in nature
- Similar to those of Chapter 9
BATCH AUTOMATED SYSTEM VS. MANUAL BATCH
- Improved inventory control
- Better cash management
- Less time lag
- Better purchasing time management
- Reduction of paper documents
REENGINEERED SYSTEM VS. BATCH AUTOMATED SYSTEM
- Segregation of duties
- Accounting records and access controls
PAYROLL PROCEDURES
Drawbacks to using regular A.P. and cash disbursements systems to do payroll:
- General expenditure procedures that apply to all vendors will not apply to employees
- Writing checks to employees requires special controls
- General expenditure procedures are designed to accommodate a relatively smooth flow of transactions
REENGINEERED PAYROLL SYSTEM
- Often integrated with H.R.
- Differs from the previous automated system:
  - Operations departments transmit transactions to D.P. electronically
  - Direct access files are used for data storage
  - Many processes are now performed in real time
REENGINEERED PAYROLL SYSTEM
- Personnel
- Cost accounting
- Timekeeping
- Data processing:
  - Labor costs are distributed to accounts
  - Online labor distribution summary
  - Online payroll register
  - Employee records are updated
  - Payroll checks are prepared and signed
  - Disbursement system generates check to fund the payroll imprest account
  - G.L. updated
EXPENDITURE CYCLE AUDIT OBJECTIVES
Input controls
- Data validation controls; testing validation controls
- Batch controls; testing batch controls
- Purchases authorization controls; testing purchases authorization controls
- Employee authorization; testing employee authorization procedures
EXPENDITURE CYCLE AUDIT OBJECTIVES
Process controls
- File update controls: sequence check control; liability validation control; valid vendor file
- Testing file update controls
- Access controls: warehouse security; moving assets promptly when received; paying employees by check vs. cash
- Risks: employees with access to A.P. subsidiary file; employees with access to attendance records; employees with access to both cash and A.P. records; employees with access to both inventory and inventory records
- Testing access controls
EXPENDITURE CYCLE AUDIT OBJECTIVES
Process controls
- Physical controls
  - Purchase system controls: segregation of inventory control from warehouse; segregation of G.L. and A.P. from cash disbursements; supervision of receiving department (inspection of assets, theft of assets); reconciliation of supporting documents: P.O., receiving report, supplier's invoice
  - Payroll system controls: verification of timecards; supervision; paymaster; payroll imprest account
- Testing of physical controls
EXPENDITURE CYCLE AUDIT OBJECTIVES
Process controls
- Output controls: A.P. change report; transaction logs; transaction listing; logs of automatic transactions; unique transaction identifiers; error listing
- Testing output controls
EXPENDITURE CYCLE SUBSTANTIVE TESTS
- Risks and audit concerns
- Understanding data: inventory file; purchase order file; purchase order line item file; receiving report file; disbursement voucher file
- File preparation procedures
EXPENDITURE CYCLE SUBSTANTIVE TESTS
- Testing accuracy and completeness assertions: review disbursement vouchers for unusual trends and exceptions; accurate invoice prices
- Testing completeness, existence, rights and obligations assertions: searching for unrecorded liabilities; searching for unauthorized disbursement vouchers; review of multiple checks to vendors
- Auditing payroll and related records
Additional Cybercrime Info
The following slides are not in the text!
Incident Response Mandates Gramm-Leach-Bliley
Financial institutions must:
- Establish incident response capability
- Perform prompt and reasonable investigation when sensitive customer info is accessed
- Notify customers if misuse of info has occurred or is likely to occur
Incident Response Requirements ISO 17799
- ISO is the international standard for IS best practices
- Security framework must contain an effective incident response approach
- In 2002, 22% of companies with sales over $500 million had implemented ISO 17799
- Must collect information for three purposes:
  - Internal problem analysis
  - Use as evidence
  - Negotiation for compensation from software/service vendors
Incident Response Requirements ISO 17799
Response procedures should cover:
- Analysis and identification of the cause of the incident
- Planning and implementation of remedies
- Collection of audit trails and similar evidence
- Communication with those affected or involved with recovery
- Reporting the action to the appropriate authority
Best Practices
- Imaging hard drives of employees who resign or are terminated (proactive)
- Avoid "patch and proceed" response
- Implement network forensics analysis with tools like EnCase
- Focus on insider threats
- Companies face increasing cyberliability claims stemming from security breaches
Chapter 10: Auditing the Expenditure Cycle
Chapter 11: Introduction to Business Ethics and Fraud
How do managers decide on what is right in conducting business?
ETHICS
- Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong
- Business ethics: How do managers decide on what is right in conducting business? Once managers have recognized what is right, how do they achieve it?
- The necessity to have an articulate foundation for ethics and a consistent application of the ethical standards

Ethics – pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong. Business ethics involves finding the answers to two questions: How do managers decide on what is right in conducting their business? Once managers have recognized what is right, how do they achieve it?
Ethical Issues in Business [Table 11-1]
BUSINESS ETHICS
- Basis of ethical standards: religious, philosophical, historical; IBM: a combination of all three
- Ethical issues in business [Table 11-1]:
  - Equity: exec. salaries; pricing
  - Rights: health (screening); privacy; sexual harassment; equal opportunity; whistleblowing
  - Honesty: conflicts of interest; security of data & records; foreign practices [FCPA]; accurate F/S reporting
  - Exercise of corp. power: PAC and politics; workplace safety; downsizing, closures

Business ethics can be divided into four areas: equity, rights, honesty, and exercise of corporate power [Table 11-1].
IMPLEMENTING BUSINESS ETHICS
- 1990 Business Roundtable:
  - Greater commitment of top management
  - Written codes (policy) that clearly communicate standards and expectations
  - Programs to implement ethical guidelines
  - Techniques to monitor compliance
- Boeing: uses line managers to lead ethics training; toll-free number to report violations
- General Mills: published guidelines with vendors, competitors, customers
- Johnson & Johnson: creed integral to its culture; uses surveys to ascertain compliance
- SAIC: toll-free number, required training, separate dept.

HOW SOME FIRMS ADDRESS ETHICAL ISSUES
1. Greater commitment of top management to improving ethical standards
2. Written codes that clearly communicate management expectations
3. Programs to implement ethical guidelines
4. Techniques to monitor compliance

Examples: Boeing uses line managers to lead ethics training and a toll-free number to report violations. General Mills has published guidelines with vendors, competitors, and customers. Johnson & Johnson has a creed integral to its culture and uses surveys to ascertain compliance. SAIC has a toll-free number and a separate ethics department to handle reports, questions, and whistleblowers.
IMPLEMENTING BUSINESS ETHICS
Role of Management
- Create and maintain an appropriate ethical atmosphere
- Limit the opportunity and temptation for unethical behavior
- Management needs a methodology for including lower-level managers and employees in the ethics schema
- Many times, lower-level managers are responsible for upholding ethical standards
- Poor ethical standards among employees are a root cause of employee fraud and abuses
- Managers and employees both should be made aware of the firm's code of ethics
- What if management is unethical? e.g., Enron

The Role of Management in Maintaining the Ethical Climate – management must create and maintain an appropriate ethical atmosphere; they must limit the opportunity and temptation for unethical behavior within the firm. In many situations it is up to lower-level managers to uphold a firm's ethical standards. Poor ethical standards among employees are a root cause of employee fraud and other abuses. A method needs to be developed for including lower-level managers and employees in the ethics schema of the firm. Managers and employees alike should be made aware of the firm's code of ethics.
IMPLEMENTING BUSINESS ETHICS
Reported Abuses
- Typically junior employees (Wall Street Journal)
- Half of American workers believe the best way to get ahead is politics and cheating
- One-third of a group of 9,175 surveyed had stolen property and supplies from employers
- Ethics Resource Center, 1994 study: 41% falsified reports; 35% committed theft
Ethical Development
- Most people develop a personal code of ethics from family, formal education, and personal experience
- Go through stages of moral evolution [Figure 11-2]

Reported abuses: typically junior employees (WSJ); in the case of frauds, typically male, educated, many years on the job, holding some key position. Half of American workers believe the way to get ahead is through politics and cheating. One-third of a group [9,175] surveyed had stolen property and supplies from employers. Ethics Resource Center, 1994 study: falsifying reports (41%) and theft (35%).

Ethical Development [Figure 11-2] – most individuals develop a code of ethics as a result of their family environment, formal education, and personal experiences. We all go through several stages of moral evolution before settling on one level of ethical reasoning.
IMPLEMENTING BUSINESS ETHICS
Making Ethical Decisions Business schools can and should be involved in ethical development of future managers Business programs can teach students analytical techniques to use in trying to understand and properly handle a firm’s conflicting responsibilities to its employees, shareholders, customers, and the public Every ethical decision has risks and benefits. Balancing them is the manager’s ethical responsibility: Ethical Principles Making Ethical Decisions Business schools can and should be involved in the ethical development of future managers. Business programs can teach students analytical techniques to use in trying to understand and put into perspective a firm’s conflicting responsibilities to its employees, shareholders, customers, and the public. Every ethical decision has both risks and benefits. The balance between these consequences is the managers’ ethical responsibility. The following ethical principles provide some guidance in the discharge of this responsibility. Proportionality – the benefit from a decision must outweigh the risks. With alternatives of equal or greater benefits, choose one with least risk. Justice – the benefits of the decision should be distributed fairly to those who share the risks. Those who do not benefit should not carry the burden of risk. Minimize Risk – the decision should be implemented so as to minimize all of the risks and avoid any unnecessary risks. Proportionality: Benefits of a decision must outweigh the risks. Choose least risky option. Justice: Distribute benefits of decision fairly to those who share risks. Those who do not benefit should not carry any risk Minimize Risk: Minimize all risks. IT Auditing & Assurance, 2e, Hall & Singleton
Levels of Computer Ethics
What is computer ethics? “The analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology.”
Three levels of computer ethics:
· Pop: the exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology (e.g., reporting of viruses)
· Para: taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field
· Theoretical: of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field; that is, ethics research
A new problem or just a new twist to an old problem?
COMPUTER ETHICS
Although computer programs are a new type of asset, many believe that they should not be considered as different from other forms of property. That is, is intellectual property the same as real property, with the rights concomitant with real property?
COMPUTER ETHICAL ISSUES
· Privacy: “… is a matter of restricted access to persons or information about persons.” People prefer to be in full control of what and how much information about themselves is available to others, and to whom it is available. The creation and maintenance of huge, shared databases makes it necessary to protect people from the potential misuse of data; that raises the issue of ownership of personal information in the personal information industry, and of the policies governing it.
· Security (accuracy and confidentiality): computer security is an attempt to avoid undesirable events such as a loss of confidentiality or data integrity. Security systems attempt to prevent fraud and other misuse of computer systems; they act to protect and further the legitimate interests of the system’s constituencies. The ethical issues involving security arise from the emergence of shared, computerized databases that have the potential to cause irreparable harm to individuals by disseminating inaccurate information to authorized users.
· Ownership of Property: laws designed to preserve real property rights have been extended to cover what is referred to as intellectual property, i.e., software. Federal copyright laws have been invoked in an attempt to protect those who develop software from having it copied.
· Race: African Americans and Hispanics constitute about 20 percent of the U.S. population, but they make up only 7 percent of management information systems (MIS) professionals. Should something special be done in this situation?
COMPUTER ETHICAL ISSUES
· Equity in Access: some barriers to access are intrinsic to the technology of information systems, but some are avoidable through careful system design. Factors that limit access to computing technology: the economic status of the individual, the affluence of an organization, documentation in only one language, and other cultural limitations.
· Environmental Issues: computers with high-speed printers allow printed documents to be produced faster than ever before. Should organizations limit nonessential hard copies? What is the definition of nonessential? Disposal of equipment and supplies (e.g., toner).
· Artificial Intelligence: a new set of social and ethical issues has arisen out of the popularity of expert systems. Both knowledge engineers and domain experts must be concerned about their responsibility for faulty decisions, incomplete or inaccurate knowledge bases, and the role given to computers in the decision-making process. This has the potential to displace “experts”, because expert systems attempt to clone a manager’s decision-making style.
COMPUTER ETHICAL ISSUES
· Unemployment and Displacement: many jobs have been and are being changed as a result of the availability of computer technology (a catch-22 with productivity). People unable or unprepared to change with IT are displaced and find it difficult to obtain new jobs.
· Misuse of Computers: computers can be misused in many ways, for example copying proprietary software, using a company’s computers for personal benefit, snooping through other people’s files, and using company systems for personal pleasure or business during company time (or not?).
· Internal Control Responsibility: a business cannot meet its financial obligations or achieve its objectives if its information is unreliable; unreliable information leads to bad decisions and possible financial distress. Management must establish and maintain a system of appropriate internal controls to ensure the integrity and reliability of its data (antithetical). Information systems professionals and accountants are central to ensuring control adequacy.
FRAUD & ACCOUNTANTS
· The lack of ethical standards* is fundamental to the occurrence of business fraud.
· No major aspect of the independent auditor’s role has caused more difficulty for the public accounting profession than the responsibility for the detection of fraud during an audit. [article]
· The issue of the auditor’s role in detecting fraud has gathered momentum outside the accounting profession (from the SEC, Congress, and the public press) to the point where the profession today faces a crisis in public confidence in its ability to perform the independent attestation function. [SAS 82]
· Fraud denotes a false representation of a material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment, i.e., injury or loss.
· Synonyms: white-collar crime, defalcation, embezzlement, irregularities.
* See Messina et al. research into Ethics and Actual Frauds (coops)
A fraudulent act must meet the following 5 conditions:
· False representation
· Material fact
· Intent
· Justifiable reliance
· Injury or loss
Forensic Accounting
· Investigation
· Evidence for court
· Litigation
· CFE – Association of Certified Fraud Examiners [see newsletter sample]
FRAUD TREE (Source: ACFE)
Asset misappropriation fraud
· Stealing something of value, usually cash or inventory (i.e., asset theft)
· Converting the asset to a usable form
· Concealing the crime to avoid detection
· Usually, the perpetrator is an employee
Financial fraud
· Does not involve direct theft of assets
· Often the objective is to obtain a higher stock price
· Typically involves misstating financial data to gain additional compensation or a promotion, or to escape the penalty for poor performance
· Often escapes detection until irreparable harm has been done
· Usually, the perpetrator is executive management
Corruption fraud
· Bribery, etc.
FRAUD SCHEMES (percentages per ACFE 2002 Report to the Nation)
· Fraudulent financial statements {5%}
· Corruption {10%}: bribery, illegal gratuities, conflicts of interest, economic extortion
· Asset misappropriation {85%}: charges to expense accounts {??}, lapping {??}, kiting {??}, transaction fraud {??}
EMPLOYEE FRAUD
Employee theft:
· Theft of asset
· Conversion of asset (to cash, to the fraudster)
· Concealment of fraud
Employee fraud, committed by non-management employees, is generally designed to directly convert cash or other assets to the employee’s personal benefit. It usually involves three steps: stealing something of value, converting the asset to a usable form, and concealing the crime to avoid detection.
Management fraud often escapes detection until irreparable damage has been done. It does not involve the direct theft of assets. Management may engage in fraudulent activities to obtain a higher price from a stock or debt offering, or just to meet the expectations of investors. It typically involves materially misstating financial data and reports to gain additional compensation, to garner a promotion, or to escape the penalty for poor performance.
MANAGEMENT FRAUD
Three special characteristics:
· Perpetrated at levels of management above the one to which internal controls relate
· Frequently involves using the financial statements to create a false image of corporate financial health
· If the fraud involves misappropriation of assets, it is frequently shrouded in a complex maze of business transactions and often involves third parties [e.g., the ZZZZ Best fraud]
FRAUD TRIANGLE
People engage in fraudulent activities as a result of an interaction of forces within the individual (their ethical system) and without (temptation and/or stress from the external environment). Three major categories of factors contribute to fraud:
· Situational pressures
· Opportunity
· Rationalization
A person with a high level of personal ethics and limited pressure and opportunity to commit fraud is most likely to behave honestly. An individual with less personal integrity, when placed in situations of moderate to high pressure and given moderate to high opportunity, is most likely to commit fraud. [Figure 11-2]
Auditors can develop a “red flag” checklist to detect possible fraudulent activity. A questionnaire approach could be used to help external auditors uncover motivations for committing fraud.
POSSIBLE QUESTIONNAIRE
· Do key executives have unusually high personal debt?
· Do key executives appear to be living beyond their means?
· Do key executives engage in habitual gambling?
· Do key executives appear to abuse alcohol or drugs?
· Do key executives appear to lack personal codes of ethics?
· Do key executives appear to be unstable (e.g., frequent job or residence changes, mental or emotional problems)?
· Are economic conditions unfavorable within the company’s industry?
· Does the company use several different banks, none of which sees the company’s entire financial picture?
· Do key executives have close associations with suppliers?
· Do key executives have close associations with members of the Audit Committee or Board?
· Is the company experiencing a rapid turnover of key employees, either through quitting or being fired?
· Do one or two individuals dominate the company?
· Does anyone never take a vacation?
FINANCIAL LOSSES FROM FRAUD
· The 1996, 2002, and 2004 studies by the Association of Certified Fraud Examiners (“Report to the Nation”) estimated losses from fraud and abuse at 6% of annual revenues. Based on GDP, that would be $600B in losses in 2002 and $660B in 2004.
· The actual cost is difficult to quantify because:
1) All fraud is not detected
2) Of those detected, not all are reported
3) In many cases, incomplete information is gathered
4) Information is not properly distributed to management or law enforcement authorities
5) Too often, business organizations decide to take no civil or criminal action against the perpetrator(s) of fraud
· Organizations with 100 or fewer employees were the most vulnerable to fraud.
· SEC fraud violations were reported in the 1998 COSO “Landmark Study”, which found results similar to the ACFE Report to the Nation regarding smaller firms having higher risks. It also found problems with executives, independence, and audit committees, which were addressed in the Sarbanes-Oxley Act of 2002.
FINANCIAL LOSSES FROM FRAUD
Profile of the perpetrator:
· By position – Table 11-3
· By gender – Table 11-5
· By age – Table 11-6
· By education – Table 11-7
Conclusions about the profile? Fraudsters do not look like crooks!
Collusion – Table 11-4
· A significant reason to adhere to segregation of duties
· Risks associated with a key position held by a trusted employee who unknowingly has weak ethics
UNDERLYING PROBLEMS
· Lack of auditor independence
· Lack of director independence
· Questionable executive compensation schemes
· Inappropriate accounting practices
SARBANES-OXLEY ACT
· PCAOB
· Auditor independence: list of services considered non-independent
· Corporate governance
· Issuer and management disclosure
· Fraud and criminal penalties
ANTI-FRAUD PROFESSION
· Fraud auditors
· Forensic accountants
· Association of Certified Fraud Examiners
· Certified Fraud Examiner (CFE) certification
Forensic Accounting
· Investigation
· Evidence for court
· Litigation
· CFE – Association of Certified Fraud Examiners; see newsletter sample at the ACFE web site
Professor’s Note: I have incorporated material from other sources into this presentation to include ethical issues.
Culture Helps Determine Laws and Ethical Standards
Chapter 15 Forensic and Investigative Accounting
Ethical Principles
· Golden rule: do unto others as you would have them do unto you
· Immanuel Kant’s categorical imperative: if an action is not right for everyone to take, then it is not right for anyone
Ethical Principles
· Descartes’ rule of change: if an action cannot be taken repeatedly, then it is not right to be taken at any time
· Utilitarian principle: put values in rank order and understand the consequences of various courses of action
Ethical Principles
· Risk aversion principle: take the action that produces the least harm or incurs the least cost
· Ethical “no free lunch” rule: all tangible and intangible objects are owned by their creator, who wants compensation for the work
Information Rights: Privacy and Freedom in the Internet Age
· Privacy: the claim of individuals to be left alone, free from surveillance or interference from other individuals, organizations, or the state
· Fair information practices: a set of principles governing the collection and use of information on the basis of U.S. and European privacy laws
U.S. Federal Privacy Laws
General Federal Privacy Laws
· Freedom of Information Act, 1968
· Privacy Act of 1974
· Electronic Communications Privacy Act of 1986
· Computer Matching and Privacy Protection Act of 1988
· Computer Security Act of 1987
· Federal Managers Financial Integrity Act of 1982
Communications with Children
· Children’s Online Privacy Protection Act of (COPPA): provides restrictions on data collection that must be followed by electronic commerce sites aimed at children
· Requires schools that receive federal funds to install filtering software on computers
Sanrio’s Approach to COPPA Compliance
Ethical Issues (continued)
Principles for handling customer data:
· Use data collected to provide improved customer service
· Do not share customer data with others outside your company without the customer’s permission
· Tell customers what data you are collecting and what you are doing with it
· Give customers the right to have you delete any of the data you have collected about them
Ethical Issues
· Under what conditions should the privacy of others be invaded?
· What legitimizes intruding into others’ lives through unobtrusive surveillance, through market research, or by whatever means?
Ethical Issues
· Do we have to inform people that we are eavesdropping?
· Do we have to inform people that we are using credit history information for employment screening purposes?
Property Rights: Intellectual Property
· Intellectual property: intangible creations protected by law
· Trade secret: intellectual work or product belonging to a business, not in the public domain
Property Rights: Intellectual Property
· Copyright: statutory grant protecting intellectual property from being copied for 28 years
· Patents: legal document granting the owner an exclusive monopoly on the ideas behind an invention for 20 years
Web Site Content Issues
· Fair use of a copyrighted work: includes copying it for use in criticism, comment, news reporting, teaching, or research
· Vicarious copyright infringement: an entity becomes liable if it is capable of supervising the infringing activity and obtains financial benefit from the infringing activity
Domain Names, Cybersquatting, and Name Stealing (continued)
· U.S. Anticybersquatting Consumer Protection Act (ACPA): protects trademarked names from being registered as domain names by other parties
· Parties found guilty of cybersquatting can be held liable for damages of up to $100,000 per trademark
Defamation
· Defamatory statement: a statement that is false and injures the reputation of another person or company
· Product disparagement: a defamatory statement that injures the reputation of a product or service instead of a person
· Per se defamation: the court deems some types of statements to be so negative that injury is assumed
Deceptive Trade Practices
Federal Trade Commission
· Regulates advertising in the United States
· Publishes regulations and investigates claims of false advertising
· Provides policy statements; policies cover specific areas such as bait advertising, consumer lending and leasing, and endorsements and testimonials
Federal Statutes Related to Cybercrimes
· 18 U.S.C. 1029: Fraud and Related Activity in Connection with Access Devices
· 18 U.S.C. 1030: Fraud and Related Activity in Connection with Computers
· 18 U.S.C. 2701: Unlawful Access to Stored Communications
USA Patriot Act of 2001
The USA Patriot Act has strengthened U.S. cyber laws and expanded cybercrime definitions. Under the Act, an activity covered by the law is considered a crime if it causes a loss exceeding $5,000, impairment of medical records, harm to a person, or a threat to public safety.
USA Patriot Act of 2001
Amendments made by the Act make it easier for an Internet service provider (ISP) to make disclosures about unlawful customer actions without the threat of civil liability to the ISP. Another revision made by the Act provides that victims of hackers can request law enforcement help in monitoring trespassers on their computer systems.
CAN-SPAM Act of 2003
Controlling the Assault of Non-Solicited Pornography and Marketing Act. It establishes requirements for those who send commercial e-mail, spells out penalties for spammers and for companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask e-mailers to stop spamming them.
CAN-SPAM Act of 2003
· It bans false or misleading header information.
· It prohibits deceptive subject lines.
· It requires that your e-mail give recipients an opt-out method.
· It requires that commercial e-mail be identified as an advertisement and include the sender’s valid physical postal address.
Report violations to FTC-HELP.
Organizations for Ethics
Chapter 11: Introduction to Business Ethics and Fraud
Chapter 12: Fraud Schemes & Fraud Detection
ACFE 2004 REPORT TO THE NATION
FRAUD SCHEMES
· Fraudulent financial statements {5%}
· Corruption {13%}: bribery, illegal gratuities, conflicts of interest, economic extortion
· Asset misappropriation {85%}: charges to expense accounts {??}, lapping {??}, kiting {??}, transaction fraud {??}
Percentages per ACFE 2002 Report to the Nation – see Table 12-1 (the 2002 notes give Corruption at {10%})
COMPUTER FRAUD SCHEMES
· Data collection
· Data processing
· Database management
· Information generation
AUDITOR’S RESPONSIBILITY FOR DETECTING FRAUD—SAS NO. 99
· Sarbanes-Oxley Act 2002
· SAS No. 99, “Consideration of Fraud in a Financial Statement Audit”:
· Description and characteristics of fraud
· Professional skepticism
· Engagement personnel discussion
· Obtaining audit evidence and information
· Identifying risks
· Assessing the identified risks
· Responding to the assessment
· Evaluating audit evidence and information
· Communicating possible fraud
· Documenting consideration of fraud
FRAUDULENT FINANCIAL REPORTING
Risk factors:
· Management’s characteristics and influence over the control environment
· Industry conditions
· Operating characteristics and financial stability
FRAUDULENT FINANCIAL REPORTING
Common schemes:
· Improper revenue recognition
· Improper treatment of sales
· Improper asset valuation
· Improper deferral of costs and expenses
· Improper recording of liabilities
· Inadequate disclosures
What Is Internal Control?
Five components of internal control:
· Control Environment: sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
· Risk Assessment: the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
· Control Activities: the policies and procedures that help ensure that management directives are carried out.
· Information and Communication: the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
· Monitoring: a process that assesses the quality of internal control performance over time.
408
Why Did It Take So Long to Find Out?
409
What Is Internal Control?
Risk Assessment
· Identification and analysis
· Relevant risks to objective achievement
· Forms basis of risk management
Risk assessment is the entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
410
What Is Internal Control?
Control Activities
· Policies and procedures
· Help ensure achievement of management objectives
Control activities are the policies and procedures that help ensure that management directives are carried out.
411
What Is Internal Control?
Information / Communication
· Information identification, capture, and exchange
· Forms and time frames
· Enables people to carry out responsibilities
Information and communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
412
Risk Factors Misappropriation of Assets
· Lack of management oversight
· Inadequate job applicant screening
· Poor recordkeeping
· Poor segregation of duties or independent checks
Lack of appropriate management oversight (e.g., inadequate supervision or monitoring of remote locations). Lack of job applicant screening procedures relating to employees with access to assets susceptible to misappropriation. Inadequate recordkeeping with respect to assets susceptible to misappropriation.
413
Risk Factors Misappropriation of Assets
· Inappropriate transaction authorization and approval
· Poor physical safeguards
· Lack of timely and appropriate transaction documentation
· No mandatory vacations for control function employees
Lack of appropriate system of authorization and approval of transactions (e.g., in purchasing). Lack of timely and appropriate documentation for transactions (e.g., credits for merchandise returns).
414
Risk Factors Susceptibility of Assets to Misappropriation
Large amounts of cash on hand or in process.
415
Risk Factors Susceptibility of Assets to Misappropriation
Inventory that is small in size, high in value, or in high demand.
416
Risk Factors Susceptibility of Assets to Misappropriation
Easily convertible assets.
417
Risk Factors Susceptibility of Assets to Misappropriation
Fixed assets that are small, marketable, or lack ownership identification.
418
Risk Factors Material Misstatements Due to Fraud
· Transactions improperly recorded or not recorded completely / timely.
· Unsupported/unauthorized balances or transactions.
· Last-minute adjustments significantly affecting financial results.
419
Risk Factors Conflicting or Missing Evidential Matter
· Missing documents or photocopies where originals should be.
· Missing significant inventory or physical assets.
420
Risk Factors Conflicting or Missing Evidential Matter
· Unusual discrepancies between records and confirmation replies.
· Significant unexplained items on reconciliations.
421
Risk Factors Conflicting or Missing Evidential Matter
· Inconsistent, vague, or implausible responses to inquiries or analytical procedures.
422
MISAPPROPRIATION OF ASSETS
Common schemes:
· Personal purchases
· Ghost employees
· Fictitious expenses
· Altered payee
· Pass-through vendors
· Theft of cash (or inventory)
· Lapping
423
ACFE 2004 REPORT TO THE NATION
424
AUDITOR’S RESPONSE TO RISK ASSESSMENT
· Engagement staffing and extent of supervision
· Professional skepticism
· Nature, timing, extent of procedures performed
425
AUDITOR’S RESPONSE TO DETECTED MISSTATEMENTS DUE TO FRAUD
If no material effect:
· Refer matter to appropriate level of management
· Ensure implications to other aspects of the audit have been adequately addressed
If effect is material or undeterminable:
· Consider implications for other aspects of the audit
· Discuss the matter with senior management and audit committee
· Attempt to determine if material effect
· Suggest client consult with legal counsel
426
AUDITOR’S DOCUMENTATION
Document in the working papers criteria used for assessing fraud risk factors:
· Those risk factors identified
· Auditor’s response to them
427
FRAUD DETECTION TECHNIQUES USING ACL
Payments to fictitious vendors:
· Sequential invoice numbers
· Vendors with P.O. boxes
· Vendors with employee address
· Multiple companies with the same address
· Invoice amounts slightly below review threshold
428
FRAUD DETECTION TECHNIQUES USING ACL
Payroll fraud:
· Test for excessive hours worked
· Test for duplicate payments
· Test for non-existent employees
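The vendor and payroll tests on the two slides above are ordinary data-matching queries, so they can be expressed without ACL. The following is an added example (not code from the slides, the Hall & Singleton textbook, or ACL) that re-implements the tests with the Python standard library over constructed, hypothetical vendor, invoice, employee and payroll records; the $5,000 review threshold, the 5% "just below" band and the 120-hour cap are assumed parameters, not figures from the slides.

```python
"""ACL-style fraud tests from the slides, re-implemented with the Python
standard library over constructed sample records (added example; not code
from the slides, the textbook, or ACL itself)."""
import re
from collections import defaultdict

# Constructed sample master files and transaction logs (hypothetical data).
EMPLOYEES = [
    {"id": "E100", "address": "12 Oak St, Tampa FL", "active": True},
    {"id": "E101", "address": "9 Pine Ave, Tampa FL", "active": True},
    {"id": "E102", "address": "77 Elm Rd, Tampa FL", "active": False},  # terminated
]
VENDORS = [
    {"id": "V1", "name": "Acme Supply", "address": "400 Main St, Tampa FL"},
    {"id": "V2", "name": "QuickParts LLC", "address": "P.O. Box 881, Tampa FL"},
    {"id": "V3", "name": "Ray Consulting", "address": "9 Pine Ave, Tampa FL"},  # E101's home
    {"id": "V4", "name": "Bay Services", "address": "400 Main St, Tampa FL"},  # same as V1
]
INVOICES = [
    {"vendor": "V1", "no": "A-1043", "amount": 12000.00},
    {"vendor": "V1", "no": "A-1300", "amount": 800.00},
    {"vendor": "V3", "no": "1001", "amount": 4900.00},  # consecutive numbers and
    {"vendor": "V3", "no": "1002", "amount": 4950.00},  # amounts just under the
    {"vendor": "V3", "no": "1003", "amount": 4975.00},  # assumed $5,000 threshold
    {"vendor": "V2", "no": "7", "amount": 5000.00},
]
PAYROLL = [
    {"emp": "E100", "period": "2024-03", "hours": 80, "amount": 3200.00},
    {"emp": "E101", "period": "2024-03", "hours": 142, "amount": 5680.00},  # excessive hours
    {"emp": "E101", "period": "2024-03", "hours": 80, "amount": 3200.00},  # second payment
    {"emp": "E102", "period": "2024-03", "hours": 80, "amount": 3200.00},  # terminated
    {"emp": "E999", "period": "2024-03", "hours": 80, "amount": 3200.00},  # not in master
]
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)

def norm_addr(addr):
    """Normalise an address so punctuation and case differences still match."""
    return re.sub(r"[^a-z0-9]", "", addr.lower())

def vendors_with_po_box(vendors):
    """Vendors whose address is a P.O. box rather than physical premises."""
    return sorted(v["id"] for v in vendors if PO_BOX.search(v["address"]))

def vendors_at_employee_address(vendors, employees):
    """(vendor, employee) pairs that share an address: a vendor set up by an insider."""
    by_addr = defaultdict(list)
    for e in employees:
        by_addr[norm_addr(e["address"])].append(e["id"])
    return sorted((v["id"], eid) for v in vendors
                  for eid in by_addr.get(norm_addr(v["address"]), []))

def shared_vendor_addresses(vendors):
    """Groups of vendor ids registered at the same address."""
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[norm_addr(v["address"])].append(v["id"])
    return sorted(sorted(ids) for ids in by_addr.values() if len(ids) > 1)

def vendors_with_sequential_invoices(invoices, min_invoices=3):
    """Vendors whose invoice numbers form one unbroken run (we look like their only customer)."""
    nums = defaultdict(list)
    for inv in invoices:
        m = re.search(r"(\d+)$", inv["no"])  # trailing numeric part of the invoice number
        if m:
            nums[inv["vendor"]].append(int(m.group(1)))
    flagged = []
    for vid, ns in nums.items():
        ns.sort()
        if len(ns) >= min_invoices and ns[-1] - ns[0] == len(ns) - 1:
            flagged.append(vid)
    return sorted(flagged)

def invoices_just_below_threshold(invoices, threshold, band=0.05):
    """Invoice numbers whose amount sits in the band just under a review threshold."""
    low = threshold * (1 - band)
    return [inv["no"] for inv in invoices if low <= inv["amount"] < threshold]

def excessive_hours(payroll, max_hours=120):
    """Payroll lines claiming more hours than a pay period can plausibly hold."""
    return [(p["emp"], p["period"]) for p in payroll if p["hours"] > max_hours]

def duplicate_payments(payroll):
    """(employee, period) keys paid more than once."""
    counts = defaultdict(int)
    for p in payroll:
        counts[(p["emp"], p["period"])] += 1
    return sorted(k for k, n in counts.items() if n > 1)

def nonexistent_employees(payroll, employees):
    """Ids paid this period that are not active in the employee master file."""
    active = {e["id"] for e in employees if e["active"]}
    return sorted({p["emp"] for p in payroll} - active)

if __name__ == "__main__":
    print(vendors_with_po_box(VENDORS), vendors_at_employee_address(VENDORS, EMPLOYEES),
          shared_vendor_addresses(VENDORS), vendors_with_sequential_invoices(INVOICES),
          invoices_just_below_threshold(INVOICES, 5000), excessive_hours(PAYROLL),
          duplicate_payments(PAYROLL), nonexistent_employees(PAYROLL, EMPLOYEES), sep="\n")
```

Each function returns the flagged keys rather than a verdict: every hit is an audit lead to be followed up with source documents, not proof of fraud (a legitimate small supplier can also use a P.O. box). Address matching goes through a normaliser so that "9 Pine Ave." and "9 Pine Ave" still collide; on real master files the same idea extends to bank account numbers and tax ids, which are harder for a pass-through vendor to vary.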
429
Chapter 12: Fraud Schemes & Fraud Detection