Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auditing Computer Systems

Similar presentations


Presentation on theme: "Auditing Computer Systems"— Presentation transcript:

1 Auditing Computer Systems
Dr. Yan Xiong College of Business CSU Sacramento 9/11/03

2 Agenda Auditing scope and objectives
Information system (IS) audit objectives Study and evaluation of internal control in an AIS Computer audit software

3 Internal Auditing Standards
According to the Institute of Internal Auditors (IIA), the purpose of an internal audit is to evaluate the adequacy and effectiveness of a company’s internal control system. Also, it is to determine the extent to which assigned responsibilities are actually carried out.

4 Internal Auditing Standards
The IIA’s five audit scope standards are: Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported. Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.

5 Internal Auditing Standards
Review how assets are safeguarded, and verify the existence of assets as appropriate. Examine company resources to determine how effectively and efficiently they are utilized. Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives.

6 Types of Internal Auditing Work
What are the three different types of audits commonly performed? Financial audit Information system (IS) audit Operational or management audit

7 Types of Internal Auditing Work
The financial audit examines the reliability and integrity of accounting records (both financial and operating information). The information systems (IS) audit reviews the general and application controls in an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.

8 Types of Internal Auditing Work
The operational, or management, audit is concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives.

9 An Overview of the Auditing Process
All audits follow a similar sequence of activities and may be divided into four stages. Audit planning Collection of audit evidence Evaluation of audit evidence Communication of audit results

10 An Overview of the Auditing Process
Audit Planning Establish scope and objectives Organize audit team Develop knowledge of business operations Review prior audit results Identify risk factors Prepare audit program

11 An Overview of the Auditing Process
Collection of Audit Evidence Observation of operating activities Review of documentation Discussion with employees and questionnaires Physical examination of assets Confirmation through third parties Reperformance of procedures Vouching of source documents Analytical review and sampling

12 An Overview of the Auditing Process
Evaluation of Audit Evidence Assess quality of internal controls Assess reliability of information Assess operating performance Consider need for additional evidence Consider risk factors Consider materiality factors Document audit findings

13 An Overview of the Auditing Process
Communication of Audit Results Formulate audit conclusions Develop recommendations for management Present audit results to management

14 Operational Audits of an AIS
The techniques and procedures used in operational audits are similar to those of IS and financial audits. The basic difference is that the IS audit scope is confined to internal controls, whereas the financial audit scope is limited to IIS output. The operational audit scope encompasses all aspects of IS management.

15 Operational Audits of an AIS
Operational audit objectives include evaluating effectiveness, efficiency, and goal achievement. What are some evidence collection activities? reviewing operating policies and documentation confirming procedures with management and operating personnel

16 Operational Audits of an AIS
observing operating functions and activities examining financial and operating plans and reports testing the accuracy of operating information testing controls

17 Agenda Auditing scope and objectives
Information system (IS) audit objectives Study and evaluation of internal control in an AIS Computer audit software

18 IS Audits Purpose of AIS audit: review and evaluate internal controls that protect system When performing IS audit, auditors ascertain that certain objectives met

19 Audit Objectives Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction Program development and acquisition performed in accordance with management’s general and specific authorization

20 Audit Objectives Program modifications have authorization and approval of management Processing of transactions, files, reports, and other computer records accurate and complete

21 Audit Objectives Source data that is inaccurate or improperly authorized identified and handled according to prescribed managerial policies Computer data files are accurate, complete, and confidential

22 Audit Objectives #6 Data Files #5 Source Data #1 Overall Security
Enter #4 Processing Source Data #2 Program Development Process #3 Program Modification Output Programs

23 Risk-Based Audit Approach provides auditors with clear understanding of errors and irregularities that can occur and related risks and exposures Provides basis for developing recommendations to management on how AIS control system should be improved

24 Risk-Based Audit Four-step approach Determine threats facing AIS
Identify control procedures that should be in place to minimize each threat Evaluate existing control procedures Determine weaknesses

25 Agenda Auditing scope and objectives
Information system (IS) audit objectives Study and evaluation of internal control in an AIS Computer audit software

26 Audit Framework #5 Source Data #6 Data Files #1 Overall Security
Types of Errors / Fraud Enter Control Procedures Audit Procedures: System Review Source Data #2 Program Development Audit Procedures: Tests of Controls Process #3 Program Modification Compensating Controls Output Programs #4 Processing

27 Overall Security Security errors and fraud:
theft of or accidental / intentional damage to hardware and files loss, theft, or unauthorized access to programs, data files; or disclosure of confidential data unauthorized modification or use of programs and data files

28 Overall Security Control procedures:
develop information security and protection plan - restrict physical and logical access encrypt data / protect against viruses implement firewalls institute data transmission controls, and prevent and recover from system failures or disasters

29 Overall Security Systems review audit procedures:
inspect computer sites interview personnel review policies and procedures examine access logs, insurance policies, and disaster recovery plan

30 Overall Security Tests of control audit procedures:
observing procedures verifying controls are in place and work as intended investigating errors or problems to ensure they were handled correctly examining any test previously performed

31 Overall Security Compensating controls: sound personnel policies
effective user controls segregation of incompatible duties

32 Program Development Types of errors and fraud:
inadvertent programming errors unauthorized program code

33 Program Development Control procedures: management authorizes and approves programming specifications user approves of programming specifications thorough testing of new programs and user acceptance testing complete systems documentation

34 Program Development Systems review audit procedures:
independent review of development process systems review of development policies, authorization, and approval procedure documentation standards program testing and test approval procedures

35 Program Development Tests of control audit procedures:
interview users about involvement verify user sign-off at milestone points review test specifications, data, and results

36 Program Development Compensating controls: strong processing controls
independent processing of test data by auditor

37 Program Modification Types of errors and fraud:
inadvertent programming errors unauthorized program code These are the same as in audit program development.

38 Program Modification Control procedures:
listing of program components that are to be modified, and management authorization and approval of programming modifications user approval of program changes specifications thorough testing of program changes, including user acceptance test

39 Program Modification Systems review audit procedures:
reviewing program modification policies, standards, and procedures reviewing documentation standards for program modification, program modification testing, and test approval procedures discussing systems development procedures with management

40 Program Modification Tests of control audit procedures:
interviewing users about involvement in systems design and implementation reviewing minutes of development team meetings for evidence of involvement verifying management and user sign-off at milestone points in the development process reviewing test specifications, data, and results

41 Program Modification Compensating controls: strong processing controls
independent processing of test data by auditor These are the same as in audit program development.

42 Processing Controls Types of errors and fraud: Control procedures:
intentional or unintentional report inaccuracies Control procedures: proper use of internal and external file labels Systems review audit procedures: observe computer operations and data control functions

43 Processing Controls Tests of control audit procedures:
evaluation of adequacy and completeness of data editing controls Compensating controls: strong user controls

44 Source Data Controls Types of errors and fraud: Control procedures:
inadequate source data Control procedures: user authorization of source data input Systems review audit procedures: reviewing documentation for source data control standards

45 Source Data Controls Tests of control audit procedures:
examination of samples of accounting source data for proper authorization Compensating controls: strong processing controls

46 Data File Controls Types of errors and fraud:
unauthorized modification or disclosure of stored data Control procedures: concurrent update controls Systems review audit procedures: examination of disaster recovery plan

47 Data File Controls Tests of control audit procedures:
observing and evaluating file library operations Compensating controls: effective computer security controls

48 Agenda Auditing scope and objectives
Information system (IS) audit objectives Study and evaluation of internal control in an AIS Computer audit software

49 Computer Software Computer audit software (CAS) or generalized audit software (GAS), written for auditors CAS is computer program that, based on the auditor’s specifications, generates programs performing audit functions

50 Types of CAS Integrated Test Facilities Embedded Audit Modules (EAM)
Audit Hooks Snapshot SCARF Audit Control Language (ACL)

51 Usage of Computer Software
The auditor’s first step is to decide on audit objectives, learn about the files to be audited, design the audit reports, and determine how to produce them. This information is recorded on specification sheets and entered into the system via a data entry program.

52 Usage of Computer Software
This program creates specification records that the CAS uses to produce one or more auditing programs. The auditing programs process the sources files and perform the auditing operations needed to produce the specified audit reports.

53 General Functions of Computer Audit Software
reformatting file manipulation calculation data selection data analysis file processing statistics report generation

54 Topics Discussed Auditing scope and objectives
Information system (IS) audit objectives Study and evaluation of internal control in an AIS Computer audit software


Download ppt "Auditing Computer Systems"

Similar presentations


Ads by Google