Download presentation
1
Auditing Computer Systems
Dr. Yan Xiong College of Business CSU Sacramento 9/11/03
2
Agenda Auditing scope and objectives
Information system (IS) audit objectives Study and evaluation of internal control in an AIS Computer audit software
3
Internal Auditing Standards
According to the Institute of Internal Auditors (IIA), the purpose of an internal audit is to evaluate the adequacy and effectiveness of a company’s internal control system. Also, it is to determine the extent to which assigned responsibilities are actually carried out.
4
Internal Auditing Standards
The IIA’s five audit scope standards are: Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported. Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.
5
Internal Auditing Standards
Review how assets are safeguarded, and verify the existence of assets as appropriate. Examine company resources to determine how effectively and efficiently they are utilized. Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives.
6
Types of Internal Auditing Work
What are the three different types of audits commonly performed? Financial audit Information system (IS) audit Operational or management audit
7
Types of Internal Auditing Work
The financial audit examines the reliability and integrity of accounting records (both financial and operating information). The information systems (IS) audit reviews the general and application controls in an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.
8
Types of Internal Auditing Work
The operational, or management, audit is concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives.
9
An Overview of the Auditing Process
All audits follow a similar sequence of activities and may be divided into four stages. Audit planning Collection of audit evidence Evaluation of audit evidence Communication of audit results
10
An Overview of the Auditing Process
Audit Planning Establish scope and objectives Organize audit team Develop knowledge of business operations Review prior audit results Identify risk factors Prepare audit program
11
An Overview of the Auditing Process
Collection of Audit Evidence Observation of operating activities Review of documentation Discussion with employees and questionnaires Physical examination of assets Confirmation through third parties Reperformance of procedures Vouching of source documents Analytical review and sampling
12
An Overview of the Auditing Process
Evaluation of Audit Evidence Assess quality of internal controls Assess reliability of information Assess operating performance Consider need for additional evidence Consider risk factors Consider materiality factors Document audit findings
13
An Overview of the Auditing Process
Communication of Audit Results Formulate audit conclusions Develop recommendations for management Present audit results to management
14
Operational Audits of an AIS
The techniques and procedures used in operational audits are similar to those of IS and financial audits. The basic difference is that the IS audit scope is confined to internal controls, whereas the financial audit scope is limited to IIS output. The operational audit scope encompasses all aspects of IS management.
15
Operational Audits of an AIS
Operational audit objectives include evaluating effectiveness, efficiency, and goal achievement. What are some evidence collection activities? reviewing operating policies and documentation confirming procedures with management and operating personnel
16
Operational Audits of an AIS
observing operating functions and activities examining financial and operating plans and reports testing the accuracy of operating information testing controls
17
Agenda Auditing scope and objectives
Information system (IS) audit objectives Study and evaluation of internal control in an AIS Computer audit software
18
IS Audits Purpose of AIS audit: review and evaluate internal controls that protect system When performing IS audit, auditors ascertain that certain objectives met
19
Audit Objectives Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction Program development and acquisition performed in accordance with management’s general and specific authorization
20
Audit Objectives Program modifications have authorization and approval of management Processing of transactions, files, reports, and other computer records accurate and complete
21
Audit Objectives Source data that is inaccurate or improperly authorized identified and handled according to prescribed managerial policies Computer data files are accurate, complete, and confidential
22
Audit Objectives #6 Data Files #5 Source Data #1 Overall Security
Enter #4 Processing Source Data #2 Program Development Process #3 Program Modification Output Programs
23
Risk-Based Audit Approach provides auditors with clear understanding of errors and irregularities that can occur and related risks and exposures Provides basis for developing recommendations to management on how AIS control system should be improved
24
Risk-Based Audit Four-step approach Determine threats facing AIS
Identify control procedures that should be in place to minimize each threat Evaluate existing control procedures Determine weaknesses
25
Agenda Auditing scope and objectives
Information system (IS) audit objectives Study and evaluation of internal control in an AIS Computer audit software
26
Audit Framework #5 Source Data #6 Data Files #1 Overall Security
Types of Errors / Fraud Enter Control Procedures Audit Procedures: System Review Source Data #2 Program Development Audit Procedures: Tests of Controls Process #3 Program Modification Compensating Controls Output Programs #4 Processing
27
Overall Security Security errors and fraud:
theft of or accidental / intentional damage to hardware and files loss, theft, or unauthorized access to programs, data files; or disclosure of confidential data unauthorized modification or use of programs and data files
28
Overall Security Control procedures:
develop information security and protection plan - restrict physical and logical access encrypt data / protect against viruses implement firewalls institute data transmission controls, and prevent and recover from system failures or disasters
29
Overall Security Systems review audit procedures:
inspect computer sites interview personnel review policies and procedures examine access logs, insurance policies, and disaster recovery plan
30
Overall Security Tests of control audit procedures:
observing procedures verifying controls are in place and work as intended investigating errors or problems to ensure they were handled correctly examining any test previously performed
31
Overall Security Compensating controls: sound personnel policies
effective user controls segregation of incompatible duties
32
Program Development Types of errors and fraud:
inadvertent programming errors unauthorized program code
33
Program Development Control procedures: management authorizes and approves programming specifications user approves of programming specifications thorough testing of new programs and user acceptance testing complete systems documentation
34
Program Development Systems review audit procedures:
independent review of development process systems review of development policies, authorization, and approval procedure documentation standards program testing and test approval procedures
35
Program Development Tests of control audit procedures:
interview users about involvement verify user sign-off at milestone points review test specifications, data, and results
36
Program Development Compensating controls: strong processing controls
independent processing of test data by auditor
37
Program Modification Types of errors and fraud:
inadvertent programming errors unauthorized program code These are the same as in audit program development.
38
Program Modification Control procedures:
listing of program components that are to be modified, and management authorization and approval of programming modifications user approval of program changes specifications thorough testing of program changes, including user acceptance test
39
Program Modification Systems review audit procedures:
reviewing program modification policies, standards, and procedures reviewing documentation standards for program modification, program modification testing, and test approval procedures discussing systems development procedures with management
40
Program Modification Tests of control audit procedures:
interviewing users about involvement in systems design and implementation reviewing minutes of development team meetings for evidence of involvement verifying management and user sign-off at milestone points in the development process reviewing test specifications, data, and results
41
Program Modification Compensating controls: strong processing controls
independent processing of test data by auditor These are the same as in audit program development.
42
Processing Controls Types of errors and fraud: Control procedures:
intentional or unintentional report inaccuracies Control procedures: proper use of internal and external file labels Systems review audit procedures: observe computer operations and data control functions
43
Processing Controls Tests of control audit procedures:
evaluation of adequacy and completeness of data editing controls Compensating controls: strong user controls
44
Source Data Controls Types of errors and fraud: Control procedures:
inadequate source data Control procedures: user authorization of source data input Systems review audit procedures: reviewing documentation for source data control standards
45
Source Data Controls Tests of control audit procedures:
examination of samples of accounting source data for proper authorization Compensating controls: strong processing controls
46
Data File Controls Types of errors and fraud:
unauthorized modification or disclosure of stored data Control procedures: concurrent update controls Systems review audit procedures: examination of disaster recovery plan
47
Data File Controls Tests of control audit procedures:
observing and evaluating file library operations Compensating controls: effective computer security controls
48
Agenda Auditing scope and objectives
Information system (IS) audit objectives Study and evaluation of internal control in an AIS Computer audit software
49
Computer Software Computer audit software (CAS) or generalized audit software (GAS), written for auditors CAS is computer program that, based on the auditor’s specifications, generates programs performing audit functions
50
Types of CAS Integrated Test Facilities Embedded Audit Modules (EAM)
Audit Hooks Snapshot SCARF Audit Control Language (ACL)
51
Usage of Computer Software
The auditor’s first step is to decide on audit objectives, learn about the files to be audited, design the audit reports, and determine how to produce them. This information is recorded on specification sheets and entered into the system via a data entry program.
52
Usage of Computer Software
This program creates specification records that the CAS uses to produce one or more auditing programs. The auditing programs process the sources files and perform the auditing operations needed to produce the specified audit reports.
53
General Functions of Computer Audit Software
reformatting file manipulation calculation data selection data analysis file processing statistics report generation
54
Topics Discussed Auditing scope and objectives
Information system (IS) audit objectives Study and evaluation of internal control in an AIS Computer audit software
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.