Copyright © 2007 Pearson Education Canada 23-1 Chapter 23: Using Advanced Skills.


1 Copyright © 2007 Pearson Education Canada 23-1 Chapter 23: Using Advanced Skills

2 Chapter 23 objectives
• Explain how WebTrust and SysTrust help provide assurance over information systems
• Identify characteristics, risks, internal controls for advanced information systems
• List important controls in a small business with respect to information technology
• Describe the impact of a client’s use of a computer service organization upon the audit

3 What is WebTrust?
• A seal placed on a web site upon completion of an auditor’s report verifying compliance with standards with respect to business practices and controls over electronic commerce transactions
• The purpose is to help provide an independent assurance with respect to the safety of processing transactions at the site

4 WebTrust principles
• Business practice disclosure: The entity is to disclose its business practices with respect to e-commerce transactions
• Transaction integrity: Effective controls are maintained over transaction ordering, fulfillment and billing
• Information protection: Effective controls are maintained over data

5 The nature of SysTrust
• An engagement where the PA evaluates a company’s computer system using the following principles (Table 23-1):
  – Security
  – Availability
  – Processing integrity
  – Online Privacy
  – Confidentiality

6 Advanced information systems
• Such systems have one or more of the following characteristics:
  – Custom-designed operational or strategic information systems
  – Use of database management systems
  – Use of data communications (including Internet)
  – Use of paperless systems
  – Complex hardware or software processing configuration

7 Strategic information systems
• Such systems provide a competitive advantage or improve efficiency within an entity
• Should they fail or have errors, they increase costs and risks to the business
• When systems are so strategic that they could affect the ability of the entity to continue as a going concern if they fail, then the auditor takes a close look at the disaster recovery planning process

8 Custom software
• Custom software is unique software designed for the entity
• It can be developed by in-house personnel or by external professionals
• The key reasons such software is chosen by entities are to provide a competitive advantage, or to better match the needs of the business

9 Risks associated with custom software (Figure 23-1)
• Such systems are costly, having lengthy development times, up to several years
• This increases the risk of additional costs
• Rigorous testing is required, and such systems are difficult to fully test or ensure that they are error free

10 Audit impact of custom software
• The auditor would need to examine the systems development process to identify the likelihood of errors or unauthorized programs
• If the risk of errors or unauthorized programs exists, then the auditor would need to look for manual compensating controls

11 Database management system components

12 Databases versus database management systems
• Many software packages use a database as an underlying file structure. This is the collection of data that is shared and used by different users within the software.
• A database management system is the software that is used to create, maintain and operate the database.

13 Effects of database management systems (DBMS) on internal controls
• The existence of a separate database management system with a separate database administration function at an organization adds complexity
• All areas of general controls are affected

14 DBMS effects on: organization and management controls
• The database administrator should be segregated from other functions, such as data authorization
• The auditor needs to document the responsibilities of the database administrator and document and test segregation of duties

15 DBMS effects on: systems acquisition, development and maintenance
• Added controls should exist to ensure that:
  (1) the database is developed in accordance with business needs and
  (2) programs accessing the database are accurate, authorized, and control concurrent options (preventing multiple individuals from accessing the same data element at the same time)

16 DBMS effects on: operations and information systems support
• Controls should exist to provide security over the data dictionary and the data
• Each application cycle needs to be examined for controls over:
  – Data ownership, access and update procedures
  – Existence and quality of passwords
  – Segregation of duties

17 Practice problem 23-20 (pp. 656-57)
• Identify controls required for a database management system in a hospital patient care situation
• Discuss risks with respect to data exposure

18 Paperless systems
• A wide variety of paperless systems exist. Here we describe those that are related to business data communications:
• EDI (electronic data interchange), the transfer of standard business documents
• EFT (electronic funds transfer), or electronic commerce, the transfer of money electronically

19 Impact of paperless systems on the audit engagement
• Where there is no paper trail, the auditor may be required to use computer assisted audit testing to test the transactions directly, or to evaluate programmed controls
• Without a paper trail, the auditor may have no choice but to rely upon programmed controls, which require adequate general controls for reliance

20 Potential data communications risk points

21 Practice problem 23-21 (p. 657)
• Identify methods that could be used to steal confidential corporate data
• How could these risks be mitigated?

22 Risks from and controls for multiple information processing locations (Table 23-3)
• Data processed in multiple locations could become inconsistent (one location should have primary responsibility for updating)
• Programs could be inaccurate or unauthorized (head office should control program changes)

23 Risks from and controls for multiple information processing locations (Table 23-3, cont’d)
• Locations could have unauthorized access to programs or data of other locations (assign clear responsibilities for data and program ownership and change rights)
• Data sent from one location to another may not be received (use control totals, record counts, and sequential numbering of transactions with follow up)
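
Added example (not part of the original slides): how a receiving location can apply the control totals, record counts and sequential numbering named above to a batch sent from another location. The record layout, trailer fields and function names are assumptions made for illustration, and the sample batch is constructed.

```python
from decimal import Decimal

# Constructed sample batch sent from a branch location to head office.
SENT = [
    {"seq": 1001, "amount": "250.00"},
    {"seq": 1002, "amount": "1200.50"},
    {"seq": 1003, "amount": "75.25"},
    {"seq": 1004, "amount": "310.00"},
    {"seq": 1005, "amount": "42.10"},
]

def control_total(records):
    """Sum of the amount field, kept exact with Decimal."""
    return sum((Decimal(r["amount"]) for r in records), Decimal("0"))

def build_trailer(records):
    """Sending location: summarise the batch before transmission."""
    seqs = [r["seq"] for r in records]
    return {"record_count": len(records), "control_total": control_total(records),
            "first_seq": min(seqs), "last_seq": max(seqs)}

def reconcile(received, trailer):
    """Receiving location: return exceptions for follow-up; empty list = accepted."""
    exceptions = []
    seqs = [r["seq"] for r in received]
    expected = set(range(trailer["first_seq"], trailer["last_seq"] + 1))
    missing = sorted(expected - set(seqs))
    duplicated = sorted({s for s in seqs if seqs.count(s) > 1})
    if missing:
        exceptions.append(("missing_sequence", missing))
    if duplicated:
        exceptions.append(("duplicate_sequence", duplicated))
    if len(received) != trailer["record_count"]:
        exceptions.append(("record_count", (trailer["record_count"], len(received))))
    if control_total(received) != trailer["control_total"]:
        exceptions.append(("control_total",
                           (str(trailer["control_total"]), str(control_total(received)))))
    return exceptions

if __name__ == "__main__":
    trailer = build_trailer(SENT)
    lost = [r for r in SENT if r["seq"] != 1003]   # record dropped in transit
    altered = [dict(r, amount="130.00") if r["seq"] == 1004 else r for r in SENT]
    for name, batch in (("intact", SENT), ("lost", lost), ("altered", altered)):
        print(name, reconcile(batch, trailer))
```

A control total is an arithmetic check, not a cryptographic one: it catches loss, duplication and accidental alteration, but anyone able to change the records can also recompute the trailer.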

24 Practice problem 23-22 (p. 657)
• Identify potential sources of virus infection
• How could such an infection be prevented?
• How can a disaster recovery plan help recover from virus infection?

25 Small business information technology (IT) controls
• As with other aspects of small business, the quality of the control environment depends upon the attitudes of the owner/manager
• He/she should adequately supervise employees, hire only competent employees, and encourage practices such as confidential passwords

26 Practical IT controls for the owner/manager
• Systems acquisition, development and maintenance: understand the nature of the software used and ensure that only authorized programs are used
• Operations and information support: require backups to be made daily, with at least two copies offsite. Provide documentation for ongoing operations

27 Practical IT controls for the owner/manager (cont’d)
• Application controls (includes controls to prevent fraud): separation of authorization from recording. Perform key activities, such as signing payroll and disbursement cheques, reviewing master file information.

28 Practice problem 23-23 (p. 657)
• Assess a small business information technology situation
• Identify the activities to be performed by the owner

29 Service organizations
• Computer service organizations: perform key operational tasks (such as payroll) for the organization
• When the client has controls that involve comparing the input details provided by the client to the output details provided by the service provider, reference to controls at the service provider may not be necessary
• In other situations, the auditor may need to examine and test controls at the service provider, or request a service auditor’s report

30 Outsourcing
• Outsourcing is a broader term and encompasses functional tasks or subsystems being executed by independent organizations
• This could be programming, human resources, accounting
• The same principles apply: controls relevant to the organization’s financial systems need to be assessed

