Presentation transcript: "Auditing Computer Systems"
1 Auditing Computer Systems
  Dr. Yan Xiong, College of Business, CSU Sacramento, 9/11/03
2 Agenda
  Auditing scope and objectives
  Information system (IS) audit objectives
  Study and evaluation of internal control in an AIS
  Computer audit software
3 Internal Auditing Standards
  According to the Institute of Internal Auditors (IIA), the purpose of an internal audit is to evaluate the adequacy and effectiveness of a company’s internal control system.
  It is also to determine the extent to which assigned responsibilities are actually carried out.
4 Internal Auditing Standards
  The IIA’s five audit scope standards are:
  Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported.
  Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.
5 Internal Auditing Standards
  Review how assets are safeguarded, and verify the existence of assets as appropriate.
  Examine company resources to determine how effectively and efficiently they are utilized.
  Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives.
6 Types of Internal Auditing Work
  What are the three different types of audits commonly performed?
  Financial audit
  Information system (IS) audit
  Operational or management audit
7 Types of Internal Auditing Work
  The financial audit examines the reliability and integrity of accounting records (both financial and operating information).
  The information systems (IS) audit reviews the general and application controls in an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.
8 Types of Internal Auditing Work
  The operational, or management, audit is concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives.
9 An Overview of the Auditing Process
  All audits follow a similar sequence of activities and may be divided into four stages.
  Audit planning
  Collection of audit evidence
  Evaluation of audit evidence
  Communication of audit results
10 An Overview of the Auditing Process
  Audit Planning
  Establish scope and objectives
  Organize audit team
  Develop knowledge of business operations
  Review prior audit results
  Identify risk factors
  Prepare audit program
11 An Overview of the Auditing Process
  Collection of Audit Evidence
  Observation of operating activities
  Review of documentation
  Discussion with employees and questionnaires
  Physical examination of assets
  Confirmation through third parties
  Reperformance of procedures
  Vouching of source documents
  Analytical review and sampling
12 An Overview of the Auditing Process
  Evaluation of Audit Evidence
  Assess quality of internal controls
  Assess reliability of information
  Assess operating performance
  Consider need for additional evidence
  Consider risk factors
  Consider materiality factors
  Document audit findings
13 An Overview of the Auditing Process
  Communication of Audit Results
  Formulate audit conclusions
  Develop recommendations for management
  Present audit results to management
14 Operational Audits of an AIS
  The techniques and procedures used in operational audits are similar to those of IS and financial audits.
  The basic difference is that the IS audit scope is confined to internal controls, whereas the financial audit scope is limited to IS output.
  The operational audit scope encompasses all aspects of IS management.
15 Operational Audits of an AIS
  Operational audit objectives include evaluating effectiveness, efficiency, and goal achievement.
  What are some evidence collection activities?
  reviewing operating policies and documentation
  confirming procedures with management and operating personnel
16 Operational Audits of an AIS
  observing operating functions and activities
  examining financial and operating plans and reports
  testing the accuracy of operating information
  testing controls
17 Agenda
  Auditing scope and objectives
  Information system (IS) audit objectives
  Study and evaluation of internal control in an AIS
  Computer audit software
18 IS Audits
  Purpose of an AIS audit: review and evaluate the internal controls that protect the system
  When performing an IS audit, auditors ascertain that certain objectives are met
19 Audit Objectives
  1. Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction
  2. Program development and acquisition are performed in accordance with management’s general and specific authorization
20 Audit Objectives
  3. Program modifications have the authorization and approval of management
  4. Processing of transactions, files, reports, and other computer records is accurate and complete
21 Audit Objectives
  5. Source data that is inaccurate or improperly authorized is identified and handled according to prescribed managerial policies
  6. Computer data files are accurate, complete, and confidential
22 Audit Objectives (diagram)
  The six objectives laid over the system flow (Enter, Source Data, Process, Output, Programs): #1 Overall Security, #2 Program Development, #3 Program Modification, #4 Processing, #5 Source Data, #6 Data Files
23 Risk-Based Audit
  Approach provides auditors with a clear understanding of the errors and irregularities that can occur and the related risks and exposures
  Provides a basis for developing recommendations to management on how the AIS control system should be improved
24 Risk-Based Audit
  Four-step approach
  Determine threats facing the AIS
  Identify control procedures that should be in place to minimize each threat
  Evaluate existing control procedures
  Determine weaknesses
25 Agenda
  Auditing scope and objectives
  Information system (IS) audit objectives
  Study and evaluation of internal control in an AIS
  Computer audit software
26 Audit Framework (diagram)
  The same six areas (#1 Overall Security, #2 Program Development, #3 Program Modification, #4 Processing, #5 Source Data, #6 Data Files) over the system flow (Enter, Source Data, Process, Output, Programs), each examined under five headings: Types of Errors / Fraud; Control Procedures; Audit Procedures: System Review; Audit Procedures: Tests of Controls; Compensating Controls
27 Overall Security
  Security errors and fraud:
  theft of or accidental / intentional damage to hardware and files
  loss, theft, or unauthorized access to programs or data files; or disclosure of confidential data
  unauthorized modification or use of programs and data files
28 Overall Security
  Control procedures:
  develop an information security and protection plan
  restrict physical and logical access
  encrypt data / protect against viruses
  implement firewalls
  institute data transmission controls, and prevent and recover from system failures or disasters
29 Overall Security
  Systems review audit procedures:
  inspect computer sites
  interview personnel
  review policies and procedures
  examine access logs, insurance policies, and disaster recovery plan
30 Overall Security
  Tests of control audit procedures:
  observing procedures
  verifying controls are in place and work as intended
  investigating errors or problems to ensure they were handled correctly
  examining any test previously performed
31 Overall Security
  Compensating controls:
  sound personnel policies
  effective user controls
  segregation of incompatible duties
32 Program Development
  Types of errors and fraud:
  inadvertent programming errors
  unauthorized program code
33 Program Development
  Control procedures:
  management authorizes and approves programming specifications
  user approves programming specifications
  thorough testing of new programs and user acceptance testing
  complete systems documentation
34 Program Development
  Systems review audit procedures:
  independent review of the development process
  systems review of development policies, authorization, and approval procedures
  documentation standards
  program testing and test approval procedures
35 Program Development
  Tests of control audit procedures:
  interview users about involvement
  verify user sign-off at milestone points
  review test specifications, data, and results
36 Program Development
  Compensating controls:
  strong processing controls
  independent processing of test data by auditor
37 Program Modification
  Types of errors and fraud:
  inadvertent programming errors
  unauthorized program code
  These are the same as in the program development audit.
38 Program Modification
  Control procedures:
  listing of program components that are to be modified, and management authorization and approval of programming modifications
  user approval of program change specifications
  thorough testing of program changes, including user acceptance test
39 Program Modification
  Systems review audit procedures:
  reviewing program modification policies, standards, and procedures
  reviewing documentation standards for program modification, program modification testing, and test approval procedures
  discussing systems development procedures with management
40 Program Modification
  Tests of control audit procedures:
  interviewing users about involvement in systems design and implementation
  reviewing minutes of development team meetings for evidence of involvement
  verifying management and user sign-off at milestone points in the development process
  reviewing test specifications, data, and results
41 Program Modification
  Compensating controls:
  strong processing controls
  independent processing of test data by auditor
  These are the same as in the program development audit.
42 Processing Controls
  Types of errors and fraud: intentional or unintentional report inaccuracies
  Control procedures: proper use of internal and external file labels
  Systems review audit procedures: observe computer operations and data control functions
43 Processing Controls
  Tests of control audit procedures: evaluation of adequacy and completeness of data editing controls
  Compensating controls: strong user controls
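The processing controls named on the two slides above (internal file labels, and data editing controls whose adequacy the auditor evaluates) can be shown on a small batch job. The following Python is an added example written for this transcript; it is not code from the presentation. The record layout (HDR / TXN / TRL records separated by "|"), the account-number format, the field names and the sample batch are all constructed for the example. It adds one control the slides only imply: a trailer record carrying control totals (record count, amount total, and a hash total over the account numbers) that processing reconciles before accepting the batch.

```python
# Added example: batch processing controls on a constructed transaction file.
# Shows an internal file label (header record), trailer control totals, and
# field-level data editing controls. Layout and data are constructed here.
import re
from dataclasses import dataclass
from decimal import Decimal

ACCOUNT_RE = re.compile(r"^ACCT-\d{4}$")   # constructed account-number format

# Constructed sample batch: header label, five transactions, trailer totals.
# TXN fields: tag | txn id | account | amount | approver (empty = not authorized)
SAMPLE_BATCH = """HDR|AP-DISB-2003-09|2003-09-11|5
TXN|1001|ACCT-4410|250.00|jsmith
TXN|1002|ACCT-4410|1200.50|
TXN|1003|ACCT-99|75.00|jsmith
TXN|1004|ACCT-4420|-40.00|mlee
TXN|1005|ACCT-4420|300.00|mlee
TRL|5|1785.50|17759"""


@dataclass
class BatchResult:
    label_ok: bool      # internal file label matched the file the job expected
    totals_ok: bool     # trailer control totals reconciled to the records read
    accepted: list      # txn ids that passed every editing control
    rejected: list      # (txn id, reasons) for records that failed a control


def edit_checks(rec: dict) -> list:
    """Data editing controls applied to every transaction record."""
    problems = []
    if not ACCOUNT_RE.match(rec["account"]):
        problems.append("account format")              # field format check
    if rec["amount"] <= 0:
        problems.append("amount must be positive")     # sign / reasonableness check
    if not rec["approver"]:
        problems.append("missing authorization")       # completeness check
    return problems


def process_batch(text: str, expected_file_id: str) -> BatchResult:
    lines = [ln for ln in text.strip().splitlines() if ln]
    header, body, trailer = lines[0], lines[1:-1], lines[-1]

    # Internal file label: refuse to run against a file other than the one expected.
    tag, file_id, _created, declared = header.split("|")
    label_ok = tag == "HDR" and file_id == expected_file_id
    if not label_ok:
        return BatchResult(False, False, [], [])

    records = []
    for ln in body:
        tag, txn_id, account, amount, approver = ln.split("|")
        records.append({"id": txn_id, "account": account,
                        "amount": Decimal(amount), "approver": approver})

    # Trailer control totals: record count, financial total, and a hash total
    # over the digits of the account field (a non-financial field).
    tag, t_count, t_amount, t_hash = trailer.split("|")
    count = len(records)
    amount_total = sum((r["amount"] for r in records), Decimal("0"))
    hash_total = sum(int(re.sub(r"\D", "", r["account"]) or 0) for r in records)
    totals_ok = (tag == "TRL" and count == int(declared) == int(t_count)
                 and amount_total == Decimal(t_amount) and hash_total == int(t_hash))

    accepted, rejected = [], []
    for r in records:
        problems = edit_checks(r)
        if problems:
            rejected.append((r["id"], "; ".join(problems)))
        else:
            accepted.append(r["id"])
    return BatchResult(label_ok, totals_ok, accepted, rejected)


if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, "AP-DISB-2003-09")
    print("label ok:", result.label_ok, "totals ok:", result.totals_ok)
    print("accepted:", result.accepted)
    for txn_id, reasons in result.rejected:
        print("rejected", txn_id, "->", reasons)
```

Running it against the constructed batch accepts 1001 and 1005 and rejects the other three, one per editing control. Altering any amount after the trailer was written makes `totals_ok` false, which is the evidence an auditor looks for when testing that file labels and control totals are actually enforced rather than merely documented.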
44 Source Data Controls
  Types of errors and fraud: inadequate source data
  Control procedures: user authorization of source data input
  Systems review audit procedures: reviewing documentation for source data control standards
45 Source Data Controls
  Tests of control audit procedures: examination of samples of accounting source data for proper authorization
  Compensating controls: strong processing controls
46 Data File Controls
  Types of errors and fraud: unauthorized modification or disclosure of stored data
  Control procedures: concurrent update controls
  Systems review audit procedures: examination of disaster recovery plan
47 Data File Controls
  Tests of control audit procedures: observing and evaluating file library operations
  Compensating controls: effective computer security controls
48 Agenda
  Auditing scope and objectives
  Information system (IS) audit objectives
  Study and evaluation of internal control in an AIS
  Computer audit software
49 Computer Software
  Computer audit software (CAS), or generalized audit software (GAS), is written for auditors
  CAS is a computer program that, based on the auditor’s specifications, generates programs performing audit functions
50 Types of CAS
  Integrated Test Facilities
  Embedded Audit Modules (EAM)
  Audit Hooks
  Snapshot
  SCARF
  Audit Control Language (ACL)
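Three of the techniques listed on the slide above (embedded audit modules, audit hooks, snapshot, and SCARF, the system control audit review file) fit together in one pattern: the application calls an audit routine during normal processing, and that routine records selected transactions, with a before/after image of the affected record, into a file the auditor reviews later. The Python below is an added example written for this transcript, not code from the presentation or any vendor product. The ledger, the selection criteria (amount threshold, business-hours window, watched accounts) and the sample transactions are all constructed.

```python
# Added example: an embedded audit module (EAM) called from a constructed
# payment-posting routine. Transactions that meet the auditor's criteria are
# written to a SCARF list together with a snapshot of the account balance
# before and after posting. All thresholds, accounts and data are constructed.
from dataclasses import dataclass
from datetime import datetime


@dataclass
class AuditCriteria:
    amount_threshold: float = 10_000.0          # flag large postings
    business_hours: tuple = (8, 18)             # flag postings outside 08:00-18:00
    watched_accounts: frozenset = frozenset({"ACCT-9001"})   # e.g. a suspense account


class EmbeddedAuditModule:
    """Audit hook invoked by the application; holds the SCARF independently of it."""

    def __init__(self, criteria: AuditCriteria):
        self.criteria = criteria
        self.scarf = []     # system control audit review file (kept in memory here)

    def select(self, txn: dict) -> list:
        """Return the reasons a transaction meets the auditor's selection criteria."""
        c = self.criteria
        reasons = []
        if txn["amount"] >= c.amount_threshold:
            reasons.append("amount over threshold")
        hour = txn["posted_at"].hour
        if not (c.business_hours[0] <= hour < c.business_hours[1]):
            reasons.append("posted outside business hours")
        if txn["account"] in c.watched_accounts:
            reasons.append("watched account")
        return reasons

    def hook(self, txn: dict, before: float, after: float) -> None:
        """Audit hook: record selected transactions with a before/after snapshot."""
        reasons = self.select(txn)
        if reasons:
            self.scarf.append({"txn_id": txn["id"], "account": txn["account"],
                               "reasons": reasons,
                               "snapshot": {"before": before, "after": after}})


class Ledger:
    """Constructed application logic with the audit module embedded in its flow."""

    def __init__(self, eam: EmbeddedAuditModule):
        self.balances = {}
        self.eam = eam

    def post(self, txn: dict) -> float:
        before = self.balances.get(txn["account"], 0.0)    # snapshot before the update
        self.balances[txn["account"]] = before + txn["amount"]
        after = self.balances[txn["account"]]               # snapshot after the update
        self.eam.hook(txn, before, after)                   # EAM runs inside the transaction path
        return after


# Constructed sample transactions.
SAMPLE_TXNS = [
    {"id": "T1", "account": "ACCT-1100", "amount": 500.0,   "posted_at": datetime(2003, 9, 11, 10, 0)},
    {"id": "T2", "account": "ACCT-1100", "amount": 12000.0, "posted_at": datetime(2003, 9, 11, 11, 30)},
    {"id": "T3", "account": "ACCT-9001", "amount": 200.0,   "posted_at": datetime(2003, 9, 11, 14, 0)},
    {"id": "T4", "account": "ACCT-1100", "amount": 300.0,   "posted_at": datetime(2003, 9, 11, 23, 15)},
    {"id": "T5", "account": "ACCT-9001", "amount": 15000.0, "posted_at": datetime(2003, 9, 12, 2, 0)},
]


def run_sample() -> list:
    """Post the sample transactions and return the SCARF contents for review."""
    ledger = Ledger(EmbeddedAuditModule(AuditCriteria()))
    for txn in SAMPLE_TXNS:
        ledger.post(txn)
    return ledger.eam.scarf


if __name__ == "__main__":
    for entry in run_sample():
        print(entry["txn_id"], entry["account"], entry["reasons"], entry["snapshot"])
```

Of the five constructed postings only T1 passes unflagged; T5 trips all three criteria. Keeping the criteria and the SCARF inside the audit module rather than in the ledger code is what lets the auditor change what is captured without a program modification to the application itself, which matters given the program-modification controls discussed earlier in the talk.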
51 Usage of Computer Software
  The auditor’s first step is to decide on audit objectives, learn about the files to be audited, design the audit reports, and determine how to produce them.
  This information is recorded on specification sheets and entered into the system via a data entry program.
52 Usage of Computer Software
  This program creates specification records that the CAS uses to produce one or more auditing programs.
  The auditing programs process the source files and perform the auditing operations needed to produce the specified audit reports.
53 General Functions of Computer Audit Software
  reformatting
  file manipulation
  calculation
  data selection
  data analysis
  file processing
  statistics
  report generation
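The slides on CAS usage and its general functions describe the auditor specifying objectives and the software producing programs that read the source files and generate audit reports. The Python below is an added example written for this transcript, not code from the presentation or from any audit software package; it plays the part of one such generated audit program over a constructed accounts-payable file. The vendor master, the invoice records and the stratification bands are constructed. It exercises five of the listed functions on those records: file processing (matching invoices against the vendor master), calculation (recomputing each invoice extension), data selection (duplicate invoice detection), statistics (stratifying amounts), and report generation.

```python
# Added example: a small generalized-audit-software style program over a
# constructed accounts-payable file. All records and thresholds are constructed.
from collections import defaultdict
from decimal import Decimal

# Constructed vendor master file (file processing: the invoice file is matched to it).
VENDOR_MASTER = {"V100": "approved", "V200": "approved", "V300": "inactive"}

# Constructed invoice file. Amounts are strings so Decimal arithmetic is exact.
INVOICES = [
    {"id": "I1", "vendor": "V100", "invoice_no": "A-1", "qty": 10, "unit_price": "25.00",  "amount": "250.00"},
    {"id": "I2", "vendor": "V100", "invoice_no": "A-1", "qty": 10, "unit_price": "25.00",  "amount": "250.00"},
    {"id": "I3", "vendor": "V200", "invoice_no": "B-7", "qty": 4,  "unit_price": "99.99",  "amount": "399.96"},
    {"id": "I4", "vendor": "V300", "invoice_no": "C-2", "qty": 1,  "unit_price": "5000.00", "amount": "5000.00"},
    {"id": "I5", "vendor": "V999", "invoice_no": "Z-1", "qty": 2,  "unit_price": "150.00", "amount": "310.00"},
    {"id": "I6", "vendor": "V200", "invoice_no": "B-8", "qty": 3,  "unit_price": "20.00",  "amount": "60.00"},
]

# Constructed stratification bands: (label, lower bound inclusive, upper bound exclusive).
BANDS = [("under 100", Decimal("0"), Decimal("100")),
         ("100 to 999.99", Decimal("100"), Decimal("1000")),
         ("1000 and over", Decimal("1000"), None)]


def unapproved_vendor_invoices(invoices, master) -> list:
    """File processing: invoices whose vendor is missing from, or not approved in, the master."""
    return [inv["id"] for inv in invoices if master.get(inv["vendor"]) != "approved"]


def extension_mismatches(invoices) -> list:
    """Calculation: recompute qty x unit price and compare with the recorded amount."""
    return [inv["id"] for inv in invoices
            if inv["qty"] * Decimal(inv["unit_price"]) != Decimal(inv["amount"])]


def duplicate_invoices(invoices) -> dict:
    """Data selection: same vendor and invoice number appearing more than once."""
    seen = defaultdict(list)
    for inv in invoices:
        seen[(inv["vendor"], inv["invoice_no"])].append(inv["id"])
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def stratify(invoices, bands) -> dict:
    """Statistics: count and total of invoice amounts per band."""
    result = {label: {"count": 0, "total": Decimal("0")} for label, _, _ in bands}
    for inv in invoices:
        amount = Decimal(inv["amount"])
        for label, low, high in bands:
            if amount >= low and (high is None or amount < high):
                result[label]["count"] += 1
                result[label]["total"] += amount
                break
    return result


def run_audit(invoices=INVOICES, master=VENDOR_MASTER) -> dict:
    """Produce the findings the audit report is built from."""
    return {"unapproved_vendors": unapproved_vendor_invoices(invoices, master),
            "extension_mismatches": extension_mismatches(invoices),
            "duplicates": duplicate_invoices(invoices),
            "strata": stratify(invoices, BANDS)}


def audit_report(findings: dict) -> str:
    """Report generation: a plain-text exception and stratification report."""
    lines = ["ACCOUNTS PAYABLE AUDIT REPORT (constructed data)"]
    lines.append("Invoices from unapproved vendors: " + ", ".join(findings["unapproved_vendors"]))
    lines.append("Extension mismatches: " + ", ".join(findings["extension_mismatches"]))
    for (vendor, inv_no), ids in findings["duplicates"].items():
        lines.append(f"Duplicate invoice {inv_no} for {vendor}: " + ", ".join(ids))
    for label, s in findings["strata"].items():
        lines.append(f"{label:>14}: {s['count']} invoices, total {s['total']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_report(run_audit()))
```

Each finding list is the kind of exception report an auditor specifies on the slide's specification sheets; the duplicate check and the vendor-master match are the two that recover money in practice, and the recomputation is the one that tests whether the application's own processing controls are working.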
54 Topics Discussed
  Auditing scope and objectives
  Information system (IS) audit objectives
  Study and evaluation of internal control in an AIS
  Computer audit software