Chapter 11 Information Technology Auditing


2 Chapter 11 Information Technology Auditing
- Introduction
- The Audit Function
- The IT Auditor's Toolkit
- Auditing the Computerized AIS
- Information Technology Auditing Today

3 Introduction
- Audits of accounting systems
  - ensure that controls are functioning properly
  - confirm that additional controls are not needed
- The nature of auditing includes
  - the distinction between internal and external auditing
  - the relationship between an IT audit and a financial audit

4 Introduction
- the tools an IT auditor uses
- discussion of information technology governance, fraud in auditing, the impact of Sarbanes-Oxley on IT audits, and third-party and systems reliability assurance services

5 The Audit Function
- The function of an audit
  - is to examine and to assure.
  - will differ according to the subject under examination.
  - can be internal or external, and also concerns information systems.
- Information technology auditing discusses internal auditing, external auditing, and IT auditing.

6 The Audit Function
Question: An IT auditor
a. must be an external auditor.
b. must be an internal auditor.
c. can be either an internal or external auditor.
d. must be a certified public accountant.

7 Internal Auditing
- An internal audit, which preserves its objectivity,
  - is carried out by company personnel reporting to top management and/or the Audit Committee of the Board of Directors
  - is external to the corporate department or division being audited
  - concerns employee adherence to company policies and procedures, and the evaluation of internal controls

8 Internal Auditing
- is relatively broad in scope, including
  - auditing for fraud
  - ensuring that employees are not copying software programs illegally
- can provide assurance to a company's top management about the efficiency and effectiveness of its organization

9 External Auditing
- The external audit
  - is carried out by independent accountants
  - has the attest function as its chief purpose: confirming the accuracy and fairness of financial statements
  - is conducted in the context of GAAP
  - has expanded to check that financial statements are free of material errors and do not contain fraudulent misstatements
  - now includes a variety of assurance services

10 Information Technology Auditing
- Information technology (IT) auditing
  - involves evaluating the computer's role in achieving audit objectives and control objectives
  - means proving that data and information are reliable, confidential, secure, and available as needed
  - includes attest objectives such as safeguarding of assets, data integrity, and operational effectiveness

11 The IT Audit The IT audit function encompasses

12 The Information Technology Audit Process
- Computer-assisted audit techniques (CAATs) are used
  - when controls are weak, for substantive testing of transactions and account balances
  - when controls are strong, for compliance testing to ensure controls are in place and working as prescribed

13 The Information Technology Audit Process

14 Careers in Information Systems Auditing
- The demand for IT auditors is growing because of
  - increasing use of computer-based AISs
  - systems becoming more technologically complex
  - passing of the Sarbanes-Oxley bill
- IT auditing requires a variety of skills, combining accounting with information systems or computer science skills.

15 Careers in Information Systems Auditing
- Information systems auditors
  - may be internal or external
  - can obtain professional certification as a Certified Information Systems Auditor (CISA)
  - can also acquire certification as a Certified Information Security Manager (CISM)

16 Careers in Information Systems Auditing
- Auditors can achieve CISA certification by
  - completing an examination given by ISACA
  - meeting specific experience requirements
  - complying with a Code of Professional Ethics
  - undergoing continuing professional education
  - complying with the Information Systems Auditing Standards

17 Careers in Information Systems Auditing
- CISM certification, which is also granted by ISACA, evaluates knowledge in
  - information security governance
  - information security program management
  - risk management
  - information security management
  - response management

18 Effectiveness of Information Systems Controls
- An external auditor's objectives are
  - to evaluate the risks to the integrity of accounting data
  - to make recommendations to managers to improve these controls

19 Risk Assessment
- A risk-based audit approach involves
  - determining the threats facing the AIS (errors and irregularities)
  - identifying the control procedures to prevent or detect the errors and irregularities

20 Risk Assessment
- Evaluating the control procedures within the AIS by
  - observing system operations
  - inspecting documents, records, and reports
  - checking samples of system inputs and outputs
  - tracing transactions through the system
- Evaluating weaknesses by
  - identifying control deficiencies
  - determining compensating controls to make up for the deficiency

21 Information Systems Risk Assessment
- Information Systems Risk Assessment evaluates the desirability of IT controls for an aspect of business risk, such as a disaster recovery or business continuity plan.
- Auditors and managers must answer each of the following questions:
  - What assets or information does the company have that unauthorized individuals would want?
  - What is the value of these identified assets or information?
  - How can unauthorized individuals obtain valuable assets or information?
  - What are the chances of unauthorized individuals obtaining valuable assets or information?

22 Guidance in Reviewing and Evaluating IT Controls
- Two guides are available to IT auditors.
- The Systems Auditability and Control (SAC) report
  - identifies important information technologies and specific risks related to these technologies
  - recommends controls to mitigate risks and suggests audit procedures to validate these controls

23 Guidance in Reviewing and Evaluating IT Controls
- Control Objectives for Information and Related Technology (COBIT) provides guidance in
  - assessing business risks
  - controlling for business risks
  - evaluating the effectiveness of controls

24 Guidance in Reviewing and Evaluating IT Controls
Question: COBIT is
a. a control framework developed by the Institute of Internal Auditors.
b. a control framework developed specifically for organizations involved in e-business.
c. an internal control model that covers both automated and manual systems.
d. an internal control framework and model that encompasses an organization's IT governance and information technologies.

25 The Information Technology Auditor's Toolkit
- IT auditors need to have
  - the technical skills to understand the vulnerabilities in hardware and software
  - the ability to use appropriate software to do their jobs:
    - general-use software such as word processing programs, spreadsheet software, and database management systems
    - generalized audit software (GAS)
    - automated workpaper software

26 The Information Technology Auditor's Toolkit
- people skills
  - to work as a team
  - to interact with clients and other auditors
  - to interview many people constantly for evaluation

27 Auditing with the Computer
- entails using computer-assisted audit techniques (CAATs) to help in auditing tasks, and hence is effective and saves time
- is virtually mandatory, since data are stored on computer media and manual access is impossible.

28 General-Use Software
- Auditors use general-use software, such as spreadsheets and database management systems, as productivity tools to improve their work.
- Auditors use structured query language (SQL) to retrieve a client's data and display these data for audit purposes.
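As an added example (not part of the textbook or the slides), the block below shows the kind of SQL retrieval an auditor runs against an extract of client data: it loads a constructed accounts-receivable extract into an in-memory SQLite database and runs three audit queries, one for customers whose balance exceeds their credit limit, one for duplicated invoice numbers, and one parameterised lookup by customer name. The table layout, the customer and invoice values, and the credit limits are all constructed for this example.

```python
import sqlite3

# Constructed sample extract (not real client data).
CUSTOMERS = [
    # (id, name, credit_limit)
    (1, "Acme Ltd", 5000.00),
    (2, "Birch Co", 1000.00),
    (3, "Cedar Inc", 2500.00),
]
INVOICES = [
    # (invoice_no, customer_id, amount, posted_by)
    ("INV-1001", 1, 1200.00, "jsmith"),
    ("INV-1002", 2, 800.00, "jsmith"),
    ("INV-1003", 2, 450.00, "mlee"),
    ("INV-1003", 2, 450.00, "mlee"),   # constructed duplicate posting
    ("INV-1004", 3, 2600.00, "mlee"),
]


def load_extract():
    """Load the extract into an in-memory database the auditor controls (read-only copy of the data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, credit_limit REAL)")
    conn.execute("CREATE TABLE invoices (invoice_no TEXT, customer_id INTEGER, amount REAL, posted_by TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", INVOICES)
    return conn


def over_credit_limit(conn):
    """Customers whose outstanding invoice total exceeds their credit limit: (name, balance, limit)."""
    return conn.execute(
        """
        SELECT c.name, SUM(i.amount) AS balance, c.credit_limit
        FROM customers c JOIN invoices i ON i.customer_id = c.id
        GROUP BY c.id, c.name, c.credit_limit
        HAVING SUM(i.amount) > c.credit_limit
        ORDER BY c.name
        """
    ).fetchall()


def duplicate_invoices(conn):
    """Invoice numbers that appear more than once: (invoice_no, count)."""
    return conn.execute(
        """
        SELECT invoice_no, COUNT(*) FROM invoices
        GROUP BY invoice_no HAVING COUNT(*) > 1
        ORDER BY invoice_no
        """
    ).fetchall()


def invoices_for_customer(conn, name):
    """All invoices for one customer. The name is bound as a parameter, never
    formatted into the SQL string, so an odd value in the data cannot alter the query."""
    return conn.execute(
        """
        SELECT i.invoice_no, i.amount, i.posted_by
        FROM invoices i JOIN customers c ON c.id = i.customer_id
        WHERE c.name = ?
        ORDER BY i.invoice_no
        """,
        (name,),
    ).fetchall()


if __name__ == "__main__":
    db = load_extract()
    print("Over credit limit:", over_credit_limit(db))
    print("Duplicate invoices:", duplicate_invoices(db))
    print("Birch Co invoices:", invoices_for_customer(db, "Birch Co"))
```

The same three queries run unchanged against any SQL database the auditor has a read-only extract of; the parameter binding in `invoices_for_customer` is the habit to keep when the lookup value comes from a spreadsheet or another client file rather than from the auditor's own keyboard.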

29 Generalized Audit Software
- Generalized audit software (GAS) packages
  - enable auditors to review computer files without rewriting processing programs
  - are specifically tailored to auditor tasks
  - have been developed in-house in large firms, or are available from various software suppliers
- Examples of GAS are
  - Audit Command Language (ACL)
  - Interactive Data Extraction and Analysis (IDEA)

30 Generalized Audit Software
Question: Which of the following is not true with respect to generalized audit software (GAS)?
a. They require auditors to rewrite processing programs frequently while reviewing computer files.
b. They are specifically tailored to auditor tasks.
c. They may be used for specific application areas, such as accounts receivable and inventory.
d. They allow auditors to manipulate files to extract and compare data.

31 Automated Workpaper Software
- is similar to general ledger software but is much more flexible.
- Its features include generating trial balances, adjusting entries, consolidations, and analytical procedures.

32 People Skills
- The most important skills auditors need are people skills.
- Auditors will find that many of the audit steps are nontechnical; they
  - need to work in a team
  - have to interact with clients and other auditors
  - require strong interpersonal relationships
  - will need to interview the CIO

33 People Skills
- Many of the controls that an IT auditor needs to evaluate have more to do with human behavior than technology. For example, one of the best protections against viruses and worms is regularly updated antivirus software, but it is even more important to see whether the security administrator is checking for virus updates and patches on a regular basis.

34 Auditing the Computerized AIS
- Testing Computer Programs
- Validating Computer Programs
- Review of Systems Software
- Validating Users and Access Privileges
- Continuous Auditing

35 Objectives of an Information Systems Audit
- In an IT audit, auditors should meet the following objectives:
  - Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.
  - Program development and acquisition are performed in accordance with management's authorization.
  - Program modifications have authorization and approval from management.

36 Objectives of an Information Systems Audit
  - Processing of transactions, files, reports, and other computer records is accurate and complete.
  - Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
  - Computer data files are accurate, complete, and confidential.

37 Auditing Computerized AIS - Auditing Around the Computer
- assumes that accurate output verifies proper processing operations
- pays little or no attention to the control procedures within the IT environment
- is generally not an effective approach to auditing a computerized environment.

38 Auditing Computerized AIS - Auditing Through the Computer
- Five techniques used to audit a computerized AIS are:
  - use of test data, an integrated test facility, and parallel simulation to test programs
  - use of audit techniques to validate computer programs
  - use of logs and specialized control software to review systems software
  - use of documentation and CAATs to validate user accounts and access privileges
  - use of embedded audit modules to achieve continuous auditing

39 Testing Computer Programs - Test Data
- The auditor's responsibility is to
  - develop test data that tests the range of exception situations
  - arrange the data in preparation for computerized processing
  - complete the audit test by comparing the results with a predetermined set of answers
  - investigate further if the results do not agree
- Test data
  - can check whether program edit test controls are in place and working
  - can be developed using software programs called test data generators

40 Testing Computer Programs - Integrated Test Facility
- An integrated test facility (ITF)
  - establishes a fictitious entity such as a department, branch, customer, or employee, enters transactions for that entity, and observes how these transactions are processed
  - is effective in evaluating integrated online systems and complex programming logic
  - aims to audit an AIS in an operational setting

41 Testing Computer Programs - Integrated Test Facility
- The auditor's role is to
  - examine the results of transaction processing
  - find out how well the AIS does the tasks required of it, by introducing artificial transactions into the data processing stream of the AIS

42 Testing Computer Programs - Parallel Simulation
- In parallel simulation, the auditor uses live input data, rather than test data, in a program that is written or controlled by the auditor and simulates all or some of the operations of the real program actually in use.
- The auditor
  - needs to understand the client system
  - should possess sufficient technical knowledge
  - should know how to predict the results

43 Testing Computer Programs - Parallel Simulation
- Parallel simulation
  - eliminates the need to prepare a set of test data
  - can be very time-consuming and thus cost-prohibitive
  - usually involves replicating only certain critical functions of a program

44 Validating Computer Programs
- Auditors must validate any program presented to them, to thwart a clever programmer's dishonest program.
- Procedures that assist in program validation are
  - tests of program change control procedures, which protect against unauthorized program changes
    - begin with an inspection of the documentation
    - include program authorization forms to be filled in
    - ensure accountability and adequate supervisory controls

45 Validating Computer Programs
  - program comparison, which guards against unauthorized program tampering
    - performs certain control total tests of program authenticity
      - using a test of length
      - using a comparison program

46 Validating Computer Programs
Question: Which of the following is an audit technique for auditing computerized AISs?
a. Parallel simulation
b. Use of specialized control software
c. Continuous auditing
d. All of the above are techniques used to audit computerized AISs.

47 Review of Systems Software
- Systems software includes operating system software, utility programs, program library software, and access control software.

48 Review of Systems Software
- Auditors should review systems software documentation.
- Systems software can generate incident reports, which list events that are unusual or interrupt operations:
  - security violations (such as unauthorized access attempts)
  - hardware failures
  - software failures

49 Validating Users and Access Privileges
- The IT auditor
  - needs to verify that the software parameters are set appropriately
  - must make sure that IT staff are using them appropriately
  - needs to make sure that all users are valid and that each has access privileges appropriate to their job
- There are a variety of auditor software tools (CAATs) that can scan settings and databases and make the work more efficient.

50 Continuous Approach
- Continuous auditing can be achieved by
  - embedded audit modules or audit hooks: application subroutines that capture data for audit purposes
  - exception reporting mechanisms, which reject certain transactions that fall outside predefined specifications
  - capturing transactions that meet prespecified criteria in a special log called SCARF

51 Continuous Approach
- transaction tagging: tags certain transactions with a special identifier
- snapshot technique: examination of the way tagged transactions are processed
- continuous and intermittent simulation: embedding of an audit module in a DBMS

52 Information Technology Auditing Today
- Information technology auditing today involves
  - Information Technology Governance
  - Auditing for Fraud—Statement on Auditing Standards No. 99
  - The Sarbanes-Oxley Act of 2002
  - Third-Party Reliability Assurances
  - Information Systems Reliability Assurances

53 Information Technology Governance
- is the process of using IT resources efficiently, responsibly, and strategically.
- The IT Governance Institute, which is affiliated with ISACA, was created in 1998.

54 Information Technology Governance
- The objectives of IT governance are twofold:
  - to fulfill the organizational mission and to compete effectively
  - to ensure that IT resources are managed effectively and that management controls IT-related risks

55 Auditing for Fraud—Statement on Auditing Standards No. 99
- Earlier financial statement audits required auditors
  - to attest to the fairness of financial statements
  - not to detect fraudulent activities
- Financial statement audits now require auditors
  - to attest to the fairness of financial statements
  - to detect fraudulent activities
  - to assist a fraud investigator in many ways, such as when an audit trail needs to be reconstructed or when computerized records must be retrieved

56 Auditing for Fraud—Statement on Auditing Standards No. 99
Question: With respect to changes in IT auditing today, which of the following is not true?
a. IT governance, which ties IT to organizational strategy, is increasingly important.
b. Section 404 of the Sarbanes-Oxley Act of 2002 created an increase in demand for both IT auditors and internal auditors.
c. IT auditors are concerned only with supporting financial auditors and should not investigate fraud cases.
d. Third-party assurance seals may provide some comfort to e-business customers regarding the security of online transactions.

57 The Sarbanes-Oxley Act of 2002
- In 2002, Congress passed the Sarbanes-Oxley Act, which
  - limits the services that auditors can provide to their clients
  - prohibits public accounting firms from offering nonaudit services to clients at the same time they are conducting audits.
- SOX has basically four groups of compliance requirements:
  - audit committee/corporate governance requirements
  - issues regarding certification, disclosure, and internal controls
  - rules about financial statement reporting
  - regulations governing executive reporting and conduct

58 The Sarbanes-Oxley Act of 2002
- The two most important provisions of SOX for auditors are
  - Section 302, requiring CFOs and CEOs to certify that their company's financial statements are accurate and complete
  - Section 404, requiring both the CEO and CFO to attest to their organization's internal controls over financial reporting

59 Information Systems Reliability Assurance
- Auditing electronic commerce is a specialized field because
  - of the skill level involved
  - many of the safeguards inherent in non-e-commerce systems do not exist here
  - of the lack of hard-copy documents for verification
  - an electronic transaction does not guarantee validity or authenticity
- Auditors need to attest to this type of format to provide the traditional assurance, by an audit report or digital signature.

60 Third-Party Assurance
- Internet systems and web sites
  - are a source of risk for many companies
  - need specialized audits of these systems
  - have created a market for third-party assurance services, which is limited to data privacy.

61 Third-Party Assurance
- The AICPA introduced Trust Services, an assurance service.
- The principles of Trust Services are security, availability, processing integrity, online privacy, and confidentiality.

62 Copyright Copyright 2005 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

63 Chapter 11

