
Chapter 17

Information Systems Auditing and Assurance



Objectives for Chapter 17

- The purpose of an audit and the basic conceptual elements of the audit process
- The difference between internal and external auditing and the relationship between them
- How auditing objectives and tests of controls are determined by the control structure of the client firm
- Audit objectives and tests of controls for each of the nine general control areas
- Auditing techniques used to verify the effective functioning of application controls
- Auditing techniques used to perform substantive tests in a CBIS environment

Attestation vs. Assurance

Attestation: an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party (SSAE No. 1, AT Sec. 100.01).

Assurance: professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers. Assurance includes, but is not limited to, attestation.

Attest and Assurance Services

[Figure: the relationship between assurance services, attestation services, and management consulting; attestation is a subset of assurance.]

What is Auditing?

An independent attestation by a professional (CPA) regarding the faithful representation of the financial statements.

Three phases of a financial audit:
- Familiarization with the client firm
- Evaluation and testing of internal controls
- Assessment of the reliability of financial data

External Auditing versus Internal Auditing

External auditors represent the interests of third-party stakeholders, while internal auditors serve as an independent appraisal function within the organization. Internal auditors often perform work that the external auditor can rely on, which improves audit efficiency and reduces external audit fees.

Information Technology (IT) Audit

Since most information systems employ information technology, the IT audit is typically a significant component of all external (financial) and internal audits.

An IT audit focuses on the computer-based aspects of an organization's information system, assessing the proper implementation, operation, and control of computer resources.

Elements of an Audit

- Systematic procedures are used
- Evidence is obtained:
  - tests of internal controls
  - substantive tests
- Materiality is determined for the weaknesses found
- An audit report and audit opinion are prepared

Phases of an IT Audit

[Figure: flowchart of the three phases, from Start to Audit Report.]

Audit planning phase:
- Review the organization's policies, practices, and structure
- Review general controls and application controls
- Plan tests of controls and substantive testing procedures

Tests of controls phase:
- Perform tests of controls
- Evaluate test results
- Determine the degree of reliance on controls

Substantive testing phase:
- Perform substantive tests
- Evaluate results and issue the auditor's report

Audit Risk

Audit risk is the probability that the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated.

Components of Audit Risk

- Inherent risk is associated with the unique characteristics of the business or industry of the client.
- Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
- Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.

The three components are related by the audit risk model AR = IR x CR x DR: for a given target level of audit risk, weaker controls (higher control risk) force the auditor to accept a lower detection risk, and therefore to do more substantive testing.

Tests of General Controls

Our primary purposes are to understand:
- the auditing objectives in each general control area
- the nature of the tests that auditors perform to achieve these objectives

Tests of General Controls

Our discussion is organized around the following nine areas:

1. Operating system controls
2. Data management controls
3. Organizational structure controls
4. Systems development controls
5. Systems maintenance controls
6. Computer center security and controls
7. Internet and Intranet controls
8. Electronic data interchange (EDI) controls
9. Personal computer controls

General Control Framework for CBIS Risks

[Figure: the nine general control areas (organizational structure, operating system, data management, systems development, systems maintenance, computer center security, Internet and Intranet, EDI trading partners, personal computers) surrounding the applications they protect.]

1. General Control Tests

Operating System

Objective: verify that the security policy and control procedures are rigorous enough to protect the operating system against:
- hardware failure
- software errors
- destructive acts by employees or hackers
- virus infection

1. General Control Tests

Operating System

Controls:
- access privilege controls
- password controls
- virus controls
- fault tolerance controls

2. General Control Tests

Data Management

Objective: protect against unauthorized access to or destruction of data, and against inadequate data backup.

Controls:
- access: encryption, user authorization tables, inference controls, and biometric devices are a few examples
- backup: grandfather-father-son and direct access backup; recovery procedures

3. General Control Tests

Organizational Structure

Objectives:
- determine whether incompatible functions have been identified and segregated in accordance with the level of potential exposure
- determine whether segregation is sustained through a working environment that promotes formal relationships between incompatible tasks

Controls: review organizational and systems documentation, observe behavior, and review database authority tables.

4. General Control Tests

Systems Development

Objectives: ensure that:
- SDLC activities are applied consistently and in accordance with management's policies
- the system as originally implemented was free from material errors and fraud
- the system was judged to be necessary and justified at various checkpoints throughout the SDLC
- system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities

4. General Control Tests

Systems Development

Controls:
- systems authorization techniques
- good development procedures
- internal audit team participation
- appropriate testing of the system

5. General Control Tests

Systems Maintenance

Objectives: determine that:
- maintenance procedures protect applications from unauthorized changes
- applications are free from material errors
- program libraries are protected from unauthorized access

5. General Control Tests

Systems Maintenance

Controls:
- authorization requirements for program maintenance
- appropriate documentation of changes
- adequate testing of program changes
- reconciling program version numbers
- review of the programmer authority table
- test of the authority table

6. General Control Tests

Computer Center

Objectives: determine that:
- physical security controls are adequately protecting the organization from physical exposures
- insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center
- operator documentation is adequate to deal with routine operations as well as system failures
- the organization's disaster recovery plan is adequate and feasible

6. General Control Tests

Computer Center

Controls:
- well-planned physical layout
- backup and disaster recovery planning
- review of the critical application list

7. General Control Tests

Internet & Intranet

Objectives: determine that communications controls:
- can detect and correct messages lost due to equipment failure
- can prevent and detect illegal access both internally and from the Internet
- will render useless any data that are successfully captured by a perpetrator
- are sufficient to preserve the integrity and security of data connected to the network

7. General Control Tests

Internet & Intranet

Controls:
- equipment failure: line checks (parity and echo) and backups
- subversive threats: access controls, encryption of data, and firewalls
- message control: sequence numbering, authentication, transaction logs, request-response polling
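The message controls listed above (sequence numbering, authentication, a transaction log, and request-response polling) work together, and the following added example shows how, in working code. It is illustrative code written for this page, not part of the original slides or any particular product; the shared key, the purchase-order bodies and the whole exchange in demo() are constructed, and HMAC-SHA256 is assumed as the authentication mechanism.

```python
import hashlib
import hmac

# Constructed shared key for the example; in practice it comes from key management, not source code.
SHARED_KEY = b"example-shared-key-not-for-production"


def mac_for(seq, body, key=SHARED_KEY):
    """Authentication control: HMAC-SHA256 that binds the sequence number to the body."""
    data = seq.to_bytes(8, "big") + body.encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Sender:
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.next_seq = 1
        self.sent = {}                     # kept so lost messages can be retransmitted

    def send(self, body):
        """Number and authenticate a message (sequence numbering + authentication)."""
        msg = {"seq": self.next_seq, "body": body, "mac": mac_for(self.next_seq, body, self.key)}
        self.sent[self.next_seq] = msg
        self.next_seq += 1
        return msg

    def resend(self, seq):
        return self.sent[seq]


class Receiver:
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.expected_seq = 1
        self.log = []                      # transaction log: every message seen and its disposition

    def receive(self, msg):
        """Verify MAC and sequence number; return the disposition and log it."""
        seq, body, mac = msg["seq"], msg["body"], msg["mac"]
        if not hmac.compare_digest(mac, mac_for(seq, body, self.key)):
            status = "REJECT_BAD_MAC"      # altered in transit or forged
        elif seq < self.expected_seq:
            status = "REJECT_REPLAY"       # a captured message played back
        elif seq > self.expected_seq:
            status = "GAP_DETECTED"        # something was lost; hold and ask for retransmission
        else:
            status = "ACCEPT"
            self.expected_seq += 1
        self.log.append((seq, status))
        return status

    def poll(self):
        """Request-response polling: report the next sequence number expected."""
        return self.expected_seq


def demo():
    """Constructed exchange: tampering, loss, replay, and recovery through polling."""
    s, r = Sender(), Receiver()
    msgs = [s.send(b) for b in ("PO-1001", "PO-1002", "PO-1003", "PO-1004")]
    m1, m2, m4 = msgs[0], msgs[1], msgs[3]                      # msgs[2] is the one that gets lost
    results = [r.receive(m1)]                                     # ACCEPT
    results.append(r.receive(dict(m2, body="PO-1002 qty=999")))   # REJECT_BAD_MAC (body altered)
    results.append(r.receive(m2))                                 # ACCEPT (genuine copy)
    results.append(r.receive(m4))                                 # GAP_DETECTED (seq 3 never arrived)
    results.append(r.receive(m1))                                 # REJECT_REPLAY
    # Polling lets the sender work out exactly what to retransmit.
    missing = list(range(r.poll(), s.next_seq))                   # [3, 4]
    for seq in missing:
        results.append(r.receive(s.resend(seq)))                  # ACCEPT, ACCEPT
    return {"results": results, "missing": missing, "log_entries": len(r.log)}
```

The MAC gives integrity and authenticity only; the bodies travel in the clear, so the objective of rendering captured data useless still needs encryption of the message body on top of this. The log records rejected messages as well as accepted ones, which is what makes tampering and replay attempts visible to the auditor afterwards.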

8. General Control Tests

EDI

Objectives: determine that:
- all EDI transactions are authorized, validated, and in compliance with organizational policy
- no unauthorized organizations gain access to database records
- authorized trading partners have access only to approved data
- adequate controls are in place to ensure complete EDI transactions

8. General Control Tests

EDI

Controls:
- sophisticated authorization and validation techniques
- access controls
- audit trail modules and controls

9. General Control Tests

Personal Computers

Objectives: determine that:
- adequate supervision and operating procedures exist to compensate for the lack of segregation between the duties of users, programmers, and operators
- access to microcomputers, data files, and program files is restricted to authorized personnel
- backup procedures are in place to prevent data and program loss from hardware failures
- systems selection and acquisition procedures produce applications that are high quality, free from errors, and protected from unauthorized changes

9. General Control Tests

Personal Computers

Controls:
- increased supervision
- access and security controls
- backup controls
- systems selection and acquisition controls

Computer Applications Controls

Techniques for auditing computer applications fall into two classes:
- techniques for testing application controls
- techniques for examining transaction details and account balances (substantive testing)

Testing Application Controls

- Black box approach: understanding flowcharts, input procedures, and output results (auditing around the computer)
- White box approach: understanding the internal logic of the application (auditing through the computer). Tests include:
  - authenticity (access) tests
  - accuracy tests
  - completeness tests
  - redundancy tests
  - audit trail tests
  - rounding error tests

Auditing Around the Computer: The Black Box Approach

[Figure: input transactions and the master file flow into the application under review, which produces output. The auditor reconciles the input transactions with the output produced by the application, without examining the application's internal logic.]

White Box Testing Techniques

- Test data method: testing for logic or control problems; good for testing new systems or systems that have undergone recent maintenance
- Base case system evaluation (BCSE): using a comprehensive set of test transactions
- Tracing: performs an electronic walkthrough of the application's internal logic

Test Data Methods Are Not Fool-Proof

- a snapshot: a one-point-in-time examination
- high cost of developing adequate test data

Auditing through the Computer: The Test Data Technique

[Figure: the auditor prepares test transactions, test master files, and predetermined results; the test data are run through the application under review; after the test run, the auditor compares the test results with the predetermined results.]
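The test data technique in the figure above, as an added example that is not part of the original slides: post_order() stands in for the application under review (a constructed sales-order posting routine with an authorized-clerk check, a customer-existence check and a credit-limit check, and deliberately no check on quantity), TEST_MASTER and TEST_CASES are the auditor's constructed test master file and test transactions with predetermined results, and run_test_data() is the comparison step. The control weakness that the run reveals is built into this example application, not a finding about any real system.

```python
import copy


def post_order(order, master, authorized_clerks):
    """Constructed application under review: post one sales order against the customer master.

    Controls present: clerk authorization, customer existence, credit limit.
    Control missing on purpose: nothing rejects a zero or negative quantity.
    """
    if order["clerk"] not in authorized_clerks:
        return "REJECT_UNAUTHORIZED_CLERK"
    cust = master.get(order["customer"])
    if cust is None:
        return "REJECT_UNKNOWN_CUSTOMER"
    amount = order["qty"] * order["unit_price"]
    if cust["balance"] + amount > cust["credit_limit"]:
        return "REJECT_CREDIT_LIMIT"
    cust["balance"] += amount
    return "POSTED"


# Auditor's test master file (constructed; the live master is never used for test data).
TEST_MASTER = {
    "C100": {"credit_limit": 1000.0, "balance": 900.0},
    "C200": {"credit_limit": 5000.0, "balance": 0.0},
}
AUTHORIZED = {"clerk_a"}

# Test transactions, each paired with its predetermined result; each one probes a single control.
TEST_CASES = [
    ({"id": "T1", "clerk": "clerk_a", "customer": "C200", "qty": 2, "unit_price": 100.0}, "POSTED"),
    ({"id": "T2", "clerk": "clerk_z", "customer": "C200", "qty": 1, "unit_price": 10.0}, "REJECT_UNAUTHORIZED_CLERK"),
    ({"id": "T3", "clerk": "clerk_a", "customer": "C999", "qty": 1, "unit_price": 10.0}, "REJECT_UNKNOWN_CUSTOMER"),
    ({"id": "T4", "clerk": "clerk_a", "customer": "C100", "qty": 1, "unit_price": 150.0}, "REJECT_CREDIT_LIMIT"),
    ({"id": "T5", "clerk": "clerk_a", "customer": "C100", "qty": 1, "unit_price": 100.0}, "POSTED"),  # exactly at the limit
    ({"id": "T6", "clerk": "clerk_a", "customer": "C200", "qty": 0, "unit_price": 50.0}, "REJECT_INVALID_QTY"),
]


def run_test_data(app, master, cases, authorized):
    """Run every test transaction against a copy of the test master and compare with the predetermined results."""
    work = copy.deepcopy(master)            # the test master file is left untouched for re-runs
    exceptions = []
    for txn, expected in cases:
        actual = app(txn, work, authorized)
        if actual != expected:
            exceptions.append({"id": txn["id"], "expected": expected, "actual": actual})
    return {"exceptions": exceptions, "master_after": work}


if __name__ == "__main__":
    result = run_test_data(post_order, TEST_MASTER, TEST_CASES, AUTHORIZED)
    for e in result["exceptions"]:
        print(f'{e["id"]}: expected {e["expected"]}, got {e["actual"]}')
```

T1 to T5 agree with the predetermined results; T6 is the exception, because the application posts a zero-quantity order instead of rejecting it. The boundary case T5 matters too: a predetermined result of "POSTED" at exactly the credit limit documents what the auditor believes the policy is, so a disagreement there is as much a finding as the T6 gap. Because the run is a snapshot of one program version, the working papers should record the version number tested, which is what the program-version reconciliation under systems maintenance controls is for.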

White Box Testing Techniques

- Integrated test facility (ITF): an automated, ongoing technique that enables the auditor to test an application's logic and controls during its normal operation
- Parallel simulation: the auditor writes a simulation program and runs the client's actual transactions through it, then reconciles the simulation output with the production output

Auditing through the Computer: The Integrated Test Facility Technique

[Figure: the auditor enters ITF test transactions along with production transactions and calculates expected results. The production application, with embedded ITF modules, posts production transactions to the production master files and ITF transactions to separate ITF master files; production reports go to users, ITF test results go to the auditor. After testing, the auditor compares the ITF results with the expected results.]
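The ITF flow in the figure above, as an added example that is not part of the original slides: process_batch() is a constructed production posting routine with an embedded ITF module, DIV-99 is an assumed fictitious division code that only the auditor uses, and the batch in demo() interleaves constructed production transactions with the auditor's ITF transactions. The point shown is that ITF transactions exercise exactly the same edit checks and posting logic as live data, but land in a separate ITF master file, so the production report never contains them.

```python
ITF_ENTITY = "DIV-99"  # auditor's fictitious division; an assumed identifier for this example


def process_batch(transactions, production_master, itf_master):
    """Constructed production posting routine with an embedded ITF module.

    Every transaction runs through the same edit check and posting logic; the ITF module
    only decides which master file receives it, so auditor test data never touches live balances.
    """
    rejected = []
    for txn in transactions:
        if txn["amount"] <= 0:                      # edit check under test
            rejected.append(txn["id"])
            continue
        target = itf_master if txn["entity"] == ITF_ENTITY else production_master
        sign = 1.0 if txn["type"] == "DR" else -1.0
        target[txn["account"]] = target.get(txn["account"], 0.0) + sign * txn["amount"]
    return rejected


def production_report(production_master):
    """Report seen by users; it reads only the production master, so ITF balances never appear."""
    return {acct: round(bal, 2) for acct, bal in sorted(production_master.items())}


def itf_exceptions(itf_master, rejected, expected_balances, expected_rejects):
    """Auditor's comparison of ITF results with the expected results calculated in advance."""
    exceptions = []
    for acct, exp in expected_balances.items():
        got = round(itf_master.get(acct, 0.0), 2)
        if got != exp:
            exceptions.append(("balance", acct, exp, got))
    for txn_id in expected_rejects:
        if txn_id not in rejected:
            exceptions.append(("reject", txn_id, "rejected", "posted"))
    return exceptions


def demo():
    """Constructed mixed batch: production transactions for DIV-01 interleaved with ITF transactions."""
    production = {"1200-AR": 10000.0}
    itf = {}
    batch = [
        {"id": "P1", "entity": "DIV-01", "account": "1200-AR", "type": "DR", "amount": 500.0},
        {"id": "I1", "entity": ITF_ENTITY, "account": "1200-AR", "type": "DR", "amount": 120.0},
        {"id": "P2", "entity": "DIV-01", "account": "1200-AR", "type": "CR", "amount": 250.0},
        {"id": "I2", "entity": ITF_ENTITY, "account": "1200-AR", "type": "CR", "amount": 20.0},
        {"id": "I3", "entity": ITF_ENTITY, "account": "4000-SALES", "type": "CR", "amount": -5.0},
    ]
    rejected = process_batch(batch, production, itf)
    # Expected results the auditor worked out by hand: 120 - 20 = 100 on 1200-AR, and I3 must be rejected.
    exceptions = itf_exceptions(itf, rejected, {"1200-AR": 100.0}, ["I3"])
    return {"report": production_report(production), "rejected": rejected, "exceptions": exceptions}
```

Two practical points follow from the code: the production report and every production reconciliation must exclude the ITF entity, otherwise the auditor's test data inflates real balances; and because ITF runs continuously, the ITF master file needs periodic purging or reversing entries so that the fictitious entity does not accumulate indefinitely.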

Auditing through the Computer: The Parallel Simulation Technique

[Figure: the auditor uses generalized audit software (GAS) and the application specifications to write a simulation program. The production transaction file and production master files are run through both the actual production application (producing production output) and the simulation program (producing simulation output). The auditor reconciles the simulation output with the production output.]

Substantive Testing Techniques

- Search for unrecorded liabilities.
- Confirm accounts receivable to ensure they are not overstated.
- Determine the correct value of inventory, and ensure it is not overstated.
- Determine the accuracy of accruals for expenses incurred for which invoices have not yet been received (also revenues, if appropriate).

Embedded Audit Module (EAM)

- An ongoing module inside the application that filters out non-material transactions and captures the material ones in an audit file
- The captured material transactions are used for sampling in substantive tests
- Requires additional computing resources from the client
- Hard to keep current in systems that undergo frequent maintenance

Substantive Testing: The Embedded Audit Module

[Figure: the auditor sets a materiality threshold for capturing transactions. Production transactions flow through the production application; its embedded EAM copies transactions meeting the threshold to an audit file while the application updates the production master files, and production output goes to users. The auditor reviews the audit file and prepares a list of material transactions for use in substantive tests.]
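The EAM flow in the figure above, as an added example that is not part of the original slides: EmbeddedAuditModule is a constructed hook that the constructed posting routine process_transactions() calls for every transaction before posting it. It generalizes slightly beyond the slide, which describes a materiality threshold only, by also accepting named extra selection criteria (here an assumed "supervisor entry" predicate); the transactions, accounts and user names in demo() are all constructed.

```python
class EmbeddedAuditModule:
    """Audit hook embedded in the production application.

    It inspects every transaction as it is processed and copies those meeting the auditor's
    criteria (materiality threshold plus optional extra predicates) to a separate audit file.
    The production flow is never altered; the EAM only observes.
    """

    def __init__(self, materiality_threshold, extra_criteria=None):
        self.threshold = materiality_threshold
        self.extra_criteria = extra_criteria or {}   # name -> predicate(txn) -> bool
        self.audit_file = []
        self.seen = 0                                # count of everything inspected, for completeness checks

    def inspect(self, txn):
        self.seen += 1
        reasons = []
        if abs(txn["amount"]) >= self.threshold:
            reasons.append("MATERIAL")
        for name, predicate in self.extra_criteria.items():
            if predicate(txn):
                reasons.append(name)
        if reasons:
            # Copy at processing time, with the position in the stream, so later edits to the
            # production files cannot change what the auditor captured.
            self.audit_file.append(dict(txn, reasons=reasons, seen_no=self.seen))

    def transactions_list(self):
        """The list of captured transactions the auditor takes into substantive testing."""
        return [(t["id"], t["amount"], t["reasons"]) for t in self.audit_file]


def process_transactions(transactions, master, eam):
    """Constructed production posting routine; the EAM sees each transaction but never alters the flow."""
    output = []
    for txn in transactions:
        eam.inspect(txn)
        master[txn["account"]] = master.get(txn["account"], 0.0) + txn["amount"]
        output.append((txn["id"], "POSTED"))
    return output


def demo():
    """Constructed production run with a 5,000 materiality threshold and one extra criterion."""
    txns = [
        {"id": "J1", "account": "6100-EXP", "amount": 150.0, "user": "ap_clerk"},
        {"id": "J2", "account": "6100-EXP", "amount": 9500.0, "user": "ap_clerk"},
        {"id": "J3", "account": "1200-AR", "amount": -12000.0, "user": "ar_clerk"},
        {"id": "J4", "account": "6100-EXP", "amount": 40.0, "user": "ap_super"},
        {"id": "J5", "account": "6100-EXP", "amount": 5000.0, "user": "ap_clerk"},
    ]
    eam = EmbeddedAuditModule(
        materiality_threshold=5000.0,
        extra_criteria={"SUPERVISOR_ENTRY": lambda t: t["user"].endswith("_super")},  # assumed criterion
    )
    master = {}
    output = process_transactions(txns, master, eam)
    return {"output": output, "master": master, "audit": eam.transactions_list(), "seen": eam.seen}
```

The seen counter is what lets the auditor tie the audit file back to the production run: if the application processed 5 transactions and the EAM inspected 5, the capture is complete. The cost and maintenance drawbacks on the slide show up directly here: inspect() runs inside the production loop on every transaction, and any change to the transaction record layout has to be mirrored in the EAM.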

Generalized Audit Software (GAS)

- Very popular and widely used
- Can access data files and perform operations on them:
  - screen data
  - statistical sampling methods
  - foot and balance
  - format reports
  - compare files and fields
  - recalculate data fields

Substantive Testing - GAS: Complex File Structure Access

[Figure: the auditor specifies which database records a DBMS utility program should copy, and the DBMS produces a flat file of that portion of the database. The auditor then determines the selection criteria used by the GAS, which retrieves the selected records from the flat file and produces a transactions list.]
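One added example serves both the parallel simulation figure earlier in the chapter and the GAS operations and flat-file access described above; it is written for this page and is not the original slides' code nor that of any GAS product. FLAT_FILE is a constructed extract of an invoice table as a DBMS utility would produce it, with rows 1005 and 1006 deliberately made inconsistent, PRODUCTION_REPORT_TOTAL is the constructed total the live application printed, and the 8% tax rate is an assumed value taken from the application specifications. The functions screen, foot, simulate, compare_fields and statistical_sample correspond to the GAS operations on the slide; simulate() is the auditor's simulation program for the parallel simulation.

```python
import csv
import io
import random
from decimal import Decimal, ROUND_HALF_UP

# Constructed flat file: what the DBMS utility extracts from the invoice table for the auditor.
# Rows 1005 (tax) and 1006 (extended amount) are deliberately inconsistent.
FLAT_FILE = """invoice,customer,qty,unit_price,extended,tax
1001,C100,3,19.99,59.97,4.80
1002,C100,10,5.25,52.50,4.20
1003,C200,1,1250.00,1250.00,100.00
1004,C200,4,33.33,133.32,10.67
1005,C300,7,12.10,84.70,6.77
1006,C300,2,499.99,999.89,80.00
"""
TAX_RATE = Decimal("0.08")                    # assumed rate from the application specifications
CENT = Decimal("0.01")
PRODUCTION_REPORT_TOTAL = Decimal("2580.38")  # constructed: total printed by the production sales report


def load_flat_file(text):
    """Parse the extracted flat file into records with exact Decimal amounts (no float rounding)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice": r["invoice"],
            "customer": r["customer"],
            "qty": int(r["qty"]),
            "unit_price": Decimal(r["unit_price"]),
            "extended": Decimal(r["extended"]),
            "tax": Decimal(r["tax"]),
        })
    return rows


def screen(records, predicate):
    """Screen data: keep the records meeting the auditor's selection criteria."""
    return [r for r in records if predicate(r)]


def foot(records, field):
    """Foot a column independently of the application."""
    return sum((r[field] for r in records), Decimal("0"))


def simulate(records):
    """Parallel simulation: recompute every derived field from the specifications."""
    out = []
    for r in records:
        ext = (Decimal(r["qty"]) * r["unit_price"]).quantize(CENT, ROUND_HALF_UP)
        tax = (ext * TAX_RATE).quantize(CENT, ROUND_HALF_UP)
        out.append(dict(r, sim_extended=ext, sim_tax=tax))
    return out


def compare_fields(simulated):
    """Compare production fields with simulated fields; one discrepancy per mismatching field."""
    diffs = []
    for r in simulated:
        if r["extended"] != r["sim_extended"]:
            diffs.append((r["invoice"], "extended", r["extended"], r["sim_extended"]))
        if r["tax"] != r["sim_tax"]:
            diffs.append((r["invoice"], "tax", r["tax"], r["sim_tax"]))
    return diffs


def statistical_sample(records, n, seed=2024):
    """Reproducible random sample for substantive tests (the seed is recorded in the working papers)."""
    return random.Random(seed).sample(records, n)


def reconcile():
    """Run the whole procedure and return what goes into the working papers."""
    records = load_flat_file(FLAT_FILE)
    simulated = simulate(records)
    return {
        "production_total": foot(records, "extended"),
        "simulated_total": foot(simulated, "sim_extended"),
        "report_agrees_to_file": foot(records, "extended") == PRODUCTION_REPORT_TOTAL,
        "discrepancies": compare_fields(simulated),
        "large_invoices": [r["invoice"] for r in screen(records, lambda r: r["extended"] >= Decimal("500"))],
        "sample": [r["invoice"] for r in statistical_sample(records, 2)],
    }
```

The two reconciliations answer different questions. Footing the extract and agreeing it to the printed report total checks that the flat file the auditor received is complete relative to what users saw; recomputing each field from the specifications checks that the application calculated correctly. Here the report agrees to the file, yet the simulation finds a transposed extended amount on 1006 and a rounding difference on 1005, which is exactly the kind of error that black-box reconciliation of totals alone would never surface.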
