Controls, Concepts, Objectives, Types, Risks, Exposures, Risk-based Audits etc.
been implemented. The Auditor General then satisfies himself that the recommendations
have in fact been implemented.
An audit is an accounting procedure under which the financial records of a company or
individual are closely inspected to make sure that they are accurate. An audit keeps a
company honest and also reassures employees and investors as to the financial status of
the organization. There are two primary types of audit: internal audits and independent
audits.
Regardless of the type of audit, it is expected that the audit will be performed without
bias. In the case of an internal audit this can be difficult, because an internal audit is
carried out by the accounting staff of the company concerned. Generally, an internal audit
can only be carried out successfully by a large accounting department, because auditors
cannot audit records to which they themselves contributed. Internal audits are usually
carried out on a regular basis by large companies to ensure that their finances are in order,
and if the company is publicly traded, audit reports are available for inspection by stockholders.
An independent or external audit is carried out by a neutral third party, such as a
professional accounting firm which specializes in audits. In both cases, all of the financial
records of a company including ledgers, bank statements, payroll, tax information, internal
financial reports, official published reports, accounts payable, and accounts receivable, will
be examined. During the audit, these records are closely inspected for any discrepancies,
and if an inaccuracy is uncovered, it must be addressed and repaired.
Commonly, an audit will reveal a simple accounting mistake. In other cases, more sinister
issues may come to light during an audit. Companies which are struggling financially may
choose to make unsound financial decisions in an attempt to salvage the company, and
these decisions will be revealed by a close audit. Sometimes an audit will reveal that a
company is on the brink of bankruptcy due to gross misuse of funds by high ranking
personnel, as was the case with many American corporations in the early twenty first
century such as Enron and WorldCom.
When an inaccuracy is revealed by an independent audit, it is addressed by the auditors in
the final report made to the company. In some cases, an audit will be ordered by an
external organization, such as the Securities and Exchange Commission, which will also
receive a copy of the report. The issue must be repaired by the company. Common
examples of repairable audit errors are failure to pay payroll taxes to the Internal Revenue
Service, or misuse of pension plans. If the errors cannot be fixed because the company does
not have the funds to address them, the company may face bankruptcy proceedings, and
major creditors will be reimbursed after the company's assets are liquidated by an
independent firm.
Objectives of IS Audit
The main objectives of auditing an information system are discussed below:
To provide assurance that computer-related assets are adequately protected.
To ensure that information is accurate and reliable and is available on request.
To provide reasonable assurance that all errors, omissions and irregularities are
prevented, detected, corrected and reported.
To ensure that legal requirements are complied with, audit trails are incorporated,
documentation is complete, and system data integrity and security are maintained.
To identify the potential for computer-related frauds, embezzlements, misappropriations
and thefts; this is one of the main objectives of Information System Auditing.
To see that management takes corrective and preventive actions when required.
The objectives of IS audit are to identify the risks that an organisation is exposed
to in the computerized environment. IS audit evaluates the adequacy of the security
controls and informs the Management with suitable conclusions and recommendations. IS
audit is an independent subset of the normal audit exercise in an organisation. The overall
objectives of the normal audit exercise do not change, when applied to the computerized
environment. The major objectives of IS audit include, among others, the following:
a) Safeguarding of Information System Assets/Resources
b) Maintenance of Data Integrity
c) Maintenance of System Effectiveness
d) Ensuring System Efficiency
a) Safeguarding of Information System Assets/Resources :
The Information System Assets of the organisation must be protected by a system of
internal controls. These assets include hardware, software, facilities, people (knowledge),
data files, system documentation and supplies. Protection is needed because hardware can
be damaged maliciously, software and data files can be stolen, deleted or altered, and
supplies of negotiable forms can be used for unauthorized purposes. Safeguarding the
Information System Assets is a very important function of each organisation.
The term IT infrastructure is a generic one used to describe the physical computer
installations, the system software and the Information Systems processes that support them.
The IS auditor needs to review the physical security over the facilities, the security over
the system software and the adequacy of the internal controls. The IT facilities must be
protected against all hazards, which may be accidental or intentional.
Accidental hazards include fire, flood, power failure etc. Fire starts accidentally or is the
result of a deliberate attack. All the computer installations should take adequate precautions
to ensure that fire can be prevented, detected and extinguished. Flooding can cause
extensive damage to the computer systems. The power supply for the computer installation
is a vital service need and the uninterrupted availability thereof has to be ensured to
facilitate continuity in processing.
b) Maintenance of Data Integrity :
Data Integrity includes the safeguarding of the information against unauthorised addition,
deletion, modification or alteration. This includes items such as accounting records,
backup, documentation etc. Information Systems are used to capture, store, process,
retrieve and transmit the data in a secure and efficient manner. The emphasis is on the
accuracy of the data and its transmission in a secured manner. Data Integrity also implies
that during the various phases of electronic processing, various features of the data viz.
Accuracy, Confidentiality, Completeness, Up-to-date status, Reliability, Availability,
Timeliness and Effectiveness are not compromised. In other words, data should remain
accurate during electronic processing. The desired features of the data are described
hereunder:
a) Accuracy : Data should be accurate. Inaccurate data may lead to wrong decisions and
thereby, hindering the business development process.
b) Confidentiality: Information should not lose its confidentiality. It should be protected
from being read or copied by anyone who is not authorized to do so. It also includes
protecting the individual pieces of information that may seem harmless by the owner, but
can be used to infer other confidential information.
c) Completeness: Data should be complete. Incomplete data loses its significance and
importance.
d) Up-to-date Status: Data should be updated regularly. If the information is not up-to-date, it presents a false picture of the organization.
e) Reliability: Data should be reliable because all business decisions are taken on the basis
of the current database.
f) Availability: Data should be available when an authorized user needs it. It should be
ensured that the information services are unavailable to the unauthorised users.
g) Timeliness: Timeliness of the data is very important because if data is not available
when required, the very purpose of maintaining the database gets defeated.
h) Effectiveness: Information should be effective, so that it helps in the process of business
development and expansion.
If data integrity is not maintained, an organization loses its true representation. Poor data
integrity could lead to loss of competitive advantage. Corruption of data would affect many
users in a networked environment. If the data is valuable to a competitor, its loss may
undermine an organization's competitive position.
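As an added example (not from these notes), the following Python code shows one control that makes unauthorised addition, deletion, modification or reordering of stored records detectable: each record is stored with an HMAC-SHA256 tag computed over the previous record's tag and the record itself, so the log forms a chain that an auditor holding the key can re-verify. The key, the ledger entries and the expected record count are constructed for the illustration.

```python
import copy
import hashlib
import hmac
import json

# Tag assumed for the empty log before the first record is written.
GENESIS_TAG = "0" * 64


def _canonical(record):
    # Deterministic serialisation so the same record always produces the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, prev_tag, record):
    # HMAC-SHA256 over (previous tag || record): binds each entry to its predecessor,
    # so modification, deletion or reordering of an earlier entry breaks every later tag.
    return hmac.new(key, prev_tag.encode() + _canonical(record), hashlib.sha256).hexdigest()


def append_record(key, log, record):
    """Append a record to the log together with its chained integrity tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"record": record, "tag": _tag(key, prev_tag, record)}
    log.append(entry)
    return entry


def verify_log(key, log, expected_length=None):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).

    expected_length is a record count held outside the log (e.g. by the auditor);
    without it, silent truncation of the tail is undetectable, because a shortened
    chain is still internally consistent.
    """
    prev_tag = GENESIS_TAG
    for index, entry in enumerate(log):
        if not hmac.compare_digest(entry["tag"], _tag(key, prev_tag, entry["record"])):
            return False, index
        prev_tag = entry["tag"]
    if expected_length is not None and len(log) != expected_length:
        return False, len(log)
    return True, None


def demo():
    """Build a small chained log and show which tampering each check detects."""
    key = b"constructed-demo-key-do-not-reuse"  # assumption: key held separately from the log
    log = []
    # Constructed sample ledger postings; not real data.
    for record in (
        {"seq": 1, "account": "1001", "amount": 250.00, "user": "clerk1"},
        {"seq": 2, "account": "2040", "amount": -250.00, "user": "clerk1"},
        {"seq": 3, "account": "1001", "amount": 90.00, "user": "clerk2"},
    ):
        append_record(key, log, record)

    results = {"intact": verify_log(key, log, expected_length=3)}

    modified = copy.deepcopy(log)               # unauthorised modification of a posting
    modified[1]["record"]["amount"] = -25.00
    results["modified"] = verify_log(key, modified, expected_length=3)

    deleted = copy.deepcopy(log)                # unauthorised deletion of a middle entry
    del deleted[1]
    results["deleted"] = verify_log(key, deleted, expected_length=3)

    truncated = copy.deepcopy(log)[:2]          # tail removed: chain itself still consistent
    results["truncated"] = verify_log(key, truncated, expected_length=3)
    return results


if __name__ == "__main__":
    for name, (ok, bad_index) in demo().items():
        print(f"{name:10s} intact={ok} first_bad_index={bad_index}")
```

The truncation case shows the design point: a chain proves that nothing inside it was altered, not that its end is the real end, so the verifier needs a record count or latest tag held separately from the log. Likewise the HMAC key must be held outside the system that writes the log (a segregation-of-duties control); otherwise an insider with write access can simply recompute the tags.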
c) Maintenance of System Effectiveness :
An effective Information System significantly contributes to the achievement of the goals
of an organization. Therefore, one of the objectives of IS audit is to verify system
effectiveness. It provides input to decide when, what and how the system should be
improved, so that its utility to the management is maximum.
The main objective of introducing computerization in organisations in the banking and
financial sector is to achieve their goals effectively and efficiently. The IS auditor's
responsibility is to examine how the Information Systems assist in the achievement of the
organisation's goals. System Effectiveness is the ratio of the actual output to the standard
(budgeted) output. If it is 100% or more, effectiveness is achieved; otherwise it shall be
deemed that ineffectiveness has been introduced into the business process. Major goals and
criteria of computerization are:
a) Improved Task Accomplishments: The Information Systems should improve the task
accomplishment capacity of its users by enabling them to become more productive.
b) Improved Quality: It should improve overall quality of work and services by increased
accuracy of information. It should also reduce the time required for retrieval of
information.
c) Operational Effectiveness: The Information System should be operationally effective
and easy to use. It should be frequently used and users must be satisfied with its
performance.
d) Technical Effectiveness: The Information System should be equipped and upgraded by
appropriate hardware and software from time to time.
e) Economic Effectiveness: The Information System should be fully utilized. Benefits
derived should exceed the cost of procurement, implementation, operation and
maintenance.
d) Ensuring System Efficiency :
The resources used by the Information Systems, such as machines, computer
peripherals, software etc., are scarce and costly. Efficient Information Systems use the
minimum of resources to achieve the desired objectives. When a computer no longer has excess
capacity, system efficiency becomes important. It then becomes necessary to know whether the
available capacity has been exhausted or whether the existing allocation of computer resources
is causing the bottlenecks.
The ratio of output to input is known as efficiency. If output is greater with the same
or less actual input, system efficiency is achieved; otherwise the system is inefficient. If
computerization results in the degradation of efficiency, the effort of automating the process
stands defeated. Hence, the assessment of the capabilities of the hardware and
software against the workload of the environment is essential. The IS auditors are
responsible for examining how efficient the application software is in relation to the users and
the workload of the environment. The system should assist in management planning and
its efficient execution. The organisation should get maximum output using minimum
resources. In this context, the efficient use of the hardware resources and their upgrading,
as per requirements, is essential. Automation should deliver the planned results with
less consumption of computer hardware, software, computerized operations and computer
personnel.
e) Other Objectives :
The following could be, among others, considered the other objectives of IS audit :
a) Identify the risks that the organisation is exposed to in the existing computerized
environment and prioritize such risks for remedial action.
b) Verify that the implementation of Information Technology in the organisation is as per the
parameters laid down in the Security Policy, as approved by the Board of Directors of the
organisation.
c) Verify whether the Information System procedures and policies have been devised for
the entire organisation, that the organisation's systems, procedures and practices are
adhered to, and that due prudence is exercised at all times in accordance with the circulars
and instructions for a computerized environment issued by the management of the
organisation.
d) Verify whether proper security policies/procedures have been formulated and
implemented regarding the duties of the system administrators, system maintainers and
persons operating the system for daily operations.
e) Contribute effectively towards the minimization of computer abuses/ crimes by
suggesting steps for removing any laxity observed in the physical and logical controls.
f) Suggest improvements in the security controls for the Information Systems.
g) Act as an advisor to the management of the organisation for improving security and IT
implementation standards.
h) Adhere to the established norms of ethics and professional standards to ensure quality
and consistency of audit work.
Audit Risks:
Because auditing relies on testing samples rather than examining every transaction, auditors
might fail to detect real or potential material losses or account misstatements.
The risk of an auditor failing to detect actual or potential material losses or account
misstatements at the conclusion of the audit is called audit risk.
Audit Risk Model:
DAR = IR x CR x DR
DAR = Desired Audit Risk, the level of audit risk the auditor is prepared to accept
IR = Inherent Risk, the susceptibility of an item or process to material error before any
controls are considered
CR = Control Risk, the risk that the internal controls fail to prevent or detect such an error
DR = Detection Risk, the risk that the auditor's own procedures fail to detect an error that
the controls have not caught
The desired audit risk drives the audit effort and sets the focus of the evidence collection
and evaluation process.
Audit effort should be focused where it will have the highest payoff.
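As an added worked illustration (not part of the original notes; the figures are assumed), the model is rearranged to give the detection risk that the auditor's substantive procedures must achieve, since IR and CR are assessed rather than chosen:

DR = DAR / (IR x CR)

With DAR = 0.05, IR = 0.80 and CR = 0.50:

DR = 0.05 / (0.80 x 0.50) = 0.05 / 0.40 = 0.125

If compliance testing shows that the controls cannot be relied on and CR is therefore assessed at 1.00:

DR = 0.05 / (0.80 x 1.00) = 0.0625

The lower the detection risk to be achieved, the larger the sample sizes and the more extensive the substantive testing; conversely, when controls test well (low CR), the auditor can accept a higher DR and reduce substantive work. Only DR is within the auditor's control.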
Compliance test: this is simply the act of gathering evidence for the purpose of testing an
organization's compliance with control procedures and processes in relation to external
rules, legal requirements and regulations. Compliance testing gives the auditor an insight into the
level of compliance with policies and procedures by the management. The aim of a
compliance test is to give the auditor reasonable assurance that the internal control
structure which the auditor plans to rely on is in fact operating as the auditor had
perceived it to be from the preliminary stage of the audit process.
Substantive test: this is the process of gathering evidence in order to evaluate the
integrity of individual transactions, processes, data and other information. This is to say
that a substantive test lives up to its name by substantiating the integrity of actual
processing. For example, through substantive tests auditors gather evidence regarding the
validity and integrity of the balances found in the financial statements of a company and
the transactions that support them.
Auditors rely more heavily on substantive tests when control testing (compliance testing)
indicates that controls are absent or weak. Make sure you take home the difference
between compliance and substantive testing.
The sole aim of this comprehensive process is to ensure that company objectives are met.
A risk-based approach is used to develop and continually improve the continuous audit
process. It is worth stressing that a risk-based approach to auditing helps auditors determine
the nature and extent of auditing that needs to be done in an efficient manner. In business
valuation, this process is similar to the fundamental analysis that an equity
analyst performs in order to arrive at an intrinsic value of a company.
The next section of this article will take you through the process of effectively and efficiently
performing a risk-based audit.
Risk: A risk is the likelihood that a threat will exploit a vulnerability and cause harm to the
organisation. Information systems can generate many direct and indirect risks.
These risks lead to a gap between the need to protect systems and the degree of protection
applied. The gap is caused by:
(a) Widespread use of technology.
(b) Interconnectivity of systems.
(c) Elimination of distance, time and space as constraints.
A risk-based approach saves audit resources by concentrating effort on the areas of highest
risk. The audit risk model distinguishes:
Inherent risk
Control risk
Detection risk
Overall (audit) risk
Thus a risk-based audit approach is designed to be used throughout the audit to efficiently
and effectively focus the nature, timing and extent of audit procedures to those areas that
have the most potential for causing material misstatement(s) in the financial report.
A threat is an action, event or condition that can compromise a system or its quality and
thereby inflict harm on the organisation. A threat is any circumstance or event with the
potential to cause harm to an information system in the form of destruction, disclosure,
adverse modification of data or denial of service.
A vulnerability is a weakness in the system safeguards that exposes the system to threats. It
may be a weakness in an information system, a cryptographic system (security system), or other
components (e.g. system security procedures, hardware design, internal controls) that could
(a) Power Loss: A power failure can disrupt all computing equipment, since computing
equipment depends on the power supply.
(b) Communication failure: Failure of communication lines results in an inability to transfer
data, which primarily travels over communication lines. Where the organisation depends on
public communication lines, e.g. for e-banking, communication failure presents a significant
threat that will have a direct impact on operations.
(c) Disgruntled Employees: A disgruntled employee presents a threat since, with access to
sensitive information of the organisation, he may cause intentional harm to the
information processing facilities or sabotage operations.
(d) Errors: Errors, whether from technical causes, negligence or otherwise, can cause
significant integrity issues. A wrong parameter setting at the firewall, set to 'allow'
attachments instead of 'deny', may result in the entire organisation's network being
compromised by virus attacks.
(e) Malicious Code: Malicious code such as viruses and worms which freely access the
unprotected networks may affect organisational and business networks that use these
unprotected networks.
(f) Abuse of access privileges by employees: The security policy of the company
authorises employees, based on their job responsibilities, to access and execute selected
functions in critical applications. An employee who uses these privileges beyond that
authorisation, or for purposes other than the assigned duties, presents a threat.
(g) Natural disasters: Natural disasters such as earthquakes, lightning, floods, tornadoes,
tsunamis, etc. can adversely affect the functioning of the IS operations due to damage to
IS facilities.
(h) Theft or destruction of computing resources: Since the computing equipment forms
the back-bone of information processing, any theft or destruction of the resource can
result in compromising the competitive advantage of the organisation.
(i) Downtime due to technology failure: IS facilities may become unavailable due to
technical glitches or equipment failure and hence the computing infrastructure may not
be available for short or extended periods of time. However the period for which the
facilities are not available may vary in criticality depending on the nature of business and
the critical business process that the technology supports.
(j) Fire, etc.: Fire due to electric short circuit or due to riots, war or such other reasons can
cause irreversible damage to the IS infrastructure.
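Item (d) above describes a fail-open setting at a firewall or gateway attachment filter. As an added example (not from these notes), the following Python code tests an attachment policy against a set of known-bad file names before it is deployed, which is the check a practitioner would want for exactly that error. The policy format ('allow' or 'deny' followed by a glob pattern, first match wins), the list of dangerous extensions and the sample file names are constructed for the illustration and are not any real product's syntax.

```python
import fnmatch

# Constructed example policies in a hypothetical "<allow|deny> <glob>" format; this is
# not the syntax of any real firewall or mail gateway. First matching rule wins and the
# final "*" rule is the default action.
WEAK_POLICY = """
# allow documents, then fall open
allow *.pdf
allow *.doc*
allow *
"""

HARDENED_POLICY = """
deny *.exe
deny *.scr
deny *.js
deny *.vbs
deny *.bat
deny *.ps1
allow *.pdf
allow *.docx
deny *
"""

# Constructed attachment names a practitioner would test a policy against.
SAMPLES = ["report.pdf", "invoice.pdf.exe", "notes.docm", "salary.docx", "setup.bat", "macro.xlsm"]

# Extensions treated here as executable or macro-enabled (assumption for the example).
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".ps1", ".docm", ".xlsm"}


def parse_policy(text):
    """Parse policy text into an ordered list of (action, pattern); reject malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected '<allow|deny> <pattern>', got {raw!r}")
        rules.append((parts[0], parts[1].lower()))
    return rules


def decide(rules, filename):
    """Return (action, matching pattern) for a filename; first match wins, default deny."""
    name = filename.lower()
    for action, pattern in rules:
        if fnmatch.fnmatchcase(name, pattern):
            return action, pattern
    return "deny", "<implicit default>"  # assumed fail-closed when no rule matches


def audit_policy(text, samples=SAMPLES):
    """Return findings: a fail-open default rule, or any dangerous sample name that is allowed."""
    rules = parse_policy(text)
    findings = []
    if rules and rules[-1] == ("allow", "*"):
        findings.append("default action is allow (fail-open); the last rule should be 'deny *'")
    for filename in samples:
        action, pattern = decide(rules, filename)
        extension = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if action == "allow" and extension in DANGEROUS_EXTENSIONS:
            findings.append(f"{filename}: allowed by rule '{action} {pattern}' "
                            f"but {extension} is executable or macro-enabled")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_policy(policy) or ["no findings"])
```

The weak policy fails in two ways that a glance at the rules does not reveal: its last rule is 'allow *', so anything not explicitly listed gets through, and its 'allow *.doc*' rule, written for Word documents, also admits macro-enabled .docm files. Evaluating the rules against sample names catches both, and double-extension names such as invoice.pdf.exe show why the deny rules must come before the broad allow rules in a first-match policy.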
THREATS DUE TO CYBER CRIMES
1. Embezzlement: It is unlawful misappropriation of money or other things of value, by the
person to whom it was entrusted (typically an employee), for his/her own use or purpose.
2. Fraud: It occurs on account of intentional misrepresentation of information or identity to
deceive others, the unlawful use of credit/debit card or ATM, or the use of electronic
means to transmit deceptive information, to obtain money or other things of value. Fraud
may be committed by someone inside or outside the company.
3. Theft of proprietary information: It is the illegal obtaining of designs, plans, blueprints,
codes, computer programs, formulas, recipes, trade secrets, graphics, copyrighted
material, data, forms, files, lists, and personal or financial information, usually by
electronic copying.
4. Denial of service: There can be disruption or degradation of service that is dependent on
external infrastructure. Problems may erupt through internet connection or e-mail service
(a) Prioritisation: All applications are inventoried and critical ones identified. Each of the
critical applications is reviewed to assess its impact on the organisation, in case a disaster
occurs. Subsequently, appropriate recovery plans are developed.
(b) Identifying critical applications: Amongst the applications currently being processed the
critical applications are identified. Further analysis is done to determine specific jobs in the
applications which may be more critical. Even though the critical value would be determined
based on its present value, future changes should not be ignored.
(c) Assessing their impact on the organisation: Business continuity planning should not
concentrate only on business disruption but should also take into account other organisational
functions which may be affected. The areas to be considered include:
. Legal liabilities.
. Interruptions of customer services.
. Possible losses.
. Likelihood of fraud and recovery procedures.
(d) Determining recovery time-frame: Critical recovery time period is the period of time in
which business processing must be resumed before the organisation incurs severe losses.
This critical time depends upon the nature of operations. It is essential to involve the end
users in the identification of critical functions and critical recovery time period.
(e) Assess insurance coverage: The information system insurance policy should be a multi-peril
policy, designed to provide various types of coverage. Depending on the individual
organisation and the extent of coverage required, suitable modifications may be made to the
comprehensive list provided below: