1
IS Auditing Midterm Review, ISMT 350. Time & Venue: 5 Oct 2006, 10:30 am to 11:50 am @ Room 2463. Note: You will be allowed one A4-sized sheet of paper as a "cheat sheet" for your reference during the ISMT 350 midterm exam. You can fill out both sides, and there are no limits on handwriting, font, or techniques for the information you place on the page. No other materials will be allowed during the exam.
2
Course Topics So Far
Topic | Readings | Practicum Competency | Case Study
What is Information Systems (IS) Auditing? | | |
Industry Profile: The Job of the IS Auditor | | |
Identifying Computer Systems | Chapter 1 | Evaluating IT Benefits and Risks | Jacksonville Jaguars
IS Audit Programs | Chapter 2 | The Job of the Staff Auditor | A Day in the Life of Brent Dorsey
IS Security | Chapter 3 | Recognizing Fraud | The Anonymous Caller
3
Logical Structure of the Course With Readings from the Text Material Covered (colored area)
4
Classes of Things You Have Learned
Concepts: things you need to know. These include theories and frameworks, and facts.
Activities and Tasks: things an auditor needs to do.
Tools: used to make audit decisions.
5
Identifying Computer Systems Chapter 1 1. Identifying what you are going to audit 2. The Computer Asset Inventory 3. Identification of Transactions, and Risk Levels 4. Audit programs for high risk transactions
6
Audit Program Audit programs are checklists of the various tests (audit procedures) that auditors must perform within the scope of their audits to determine whether key controls intended to mitigate significant risks are functioning as designed. Objective To determine the adequacy of the controls over the particular accounting processes covered by the audit program This is fundamentally what the assurance and attestation aspects of the audit are expected to achieve during the ‘tests of transactions’ or mid-year or internal control tests
7
The objective. The reason for an audit is to write an opinion, saying that: the financial statements are fairly stated (external); control processes are effective (internal & external); assets are not at risk of theft or damage (internal). We only need to identify computer systems where one or more of these objectives is affected.
8
Benefits. The use of audit programs is fairly standard for audit firms, and is considered good business practice. List three (3) benefits to the audit firm of using an audit program: they improve resource planning (where to spend money and employ people on an audit); they promote consistency from year to year when the personnel and situations of an audit change; prior years' programs are the basis for the current year's audit procedures; anything else that seems reasonable.
9
Control assessment Information systems audit programs should assess the adequacy of controls in four (4) areas. 1. Environmental controls 2. Physical security controls 3. Logical security controls 4. IS operating controls
10
Computer Assets
Central Processing Unit
Memory: RAM / ROM
Optical & Magnetic Media
Peripheral Processors (Video, Bus, etc.)
Network Devices
Operating Systems; Specialized O/S: Network O/S, Database O/S
Utilities
Programming Languages, Tools & Environments
Utilities and Services
Applications
11
The main categories of Computer Applications, and their relative importance
Information Technology Market | Annual Expenditures ($US billion) | Employees (thousand) | Major Suppliers
Operations & Accounting | 500 | 2,000 | US, India
Search & Storage | 1,000 | 5,000 | US
Tools | 300 | | US, Germany
Embedded | 1,500 | 700 | US, Japan, Korea, Greater China
Communications | 700 | 2,000 | US, Germany, Japan, Greater China
Total | 4,000 | 10,000 |
For scale: GWP ~$45 trillion (population 6 billion); US GDP ~$10 trillion (population 300 million).
12
The Risk Assessment Database
Asset columns (Ex. 2.1): Primary OS | Owner | Application | Asset Value ($000,000 to Owner)*
Risk Assessment columns (Ex. 2.2 with improvements): Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)* | Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss ($)
Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft | 100 | | 10,000
Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12,250
Etc.
Expected Loss = Probability of Occurrence (per year) × Cost of a single occurrence (35 × 350 = 12,250).
* Whether you list an item depends on Audit Materiality.
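The table above is a risk register: each row multiplies a yearly rate of occurrence by the cost of one occurrence, and the materiality footnote decides which rows earn a line in the audit program. The following is an added example (not course material) that builds such a register, keeps only the risks whose expected loss reaches a stated materiality threshold, and totals expected loss per computer asset so the audit program can start with the systems carrying the most risk. All rows other than the slide's obsolescence row are constructed; the materiality figure of $10,000 is an assumption for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of the risk-assessment database: an asset, the transaction flow it
    carries, and one risk to that flow. Money is in $ unless the field name says musd."""
    primary_os: str
    owner: str
    application: str
    asset_value_musd: float        # asset value to owner, $000,000
    flow: str                      # transaction flow description
    annual_flow_musd: float        # annual transaction value through the asset, $000,000
    risk: str
    occurrences_per_year: float    # probability of occurrence expressed as a yearly rate
    cost_per_occurrence: float     # cost of a single occurrence, $

    @property
    def expected_loss(self) -> float:
        # the slide's last column: annual expected loss = rate x single-occurrence cost
        return self.occurrences_per_year * self.cost_per_occurrence


# Constructed sample rows (not from the course). The first reproduces the slide's
# obsolescence row; the rest are invented to give several assets and flows.
SAMPLE_RISKS = [
    Risk("Win XP", "Receiving Dock", "A/P", 0.002, "RM received from vendor", 23,
         "Obsolescence and spoilage", 35, 350),
    Risk("Win XP", "Receiving Dock", "A/P", 0.002, "RM received from vendor", 23,
         "Theft of received goods", 12, 400),
    Risk("AIX", "Treasury", "A/P", 0.05, "Vendor payments by wire", 410,
         "Duplicate or unauthorised payment", 2, 25_000),
    Risk("AIX", "Treasury", "A/P", 0.05, "Vendor payments by wire", 410,
         "Payment file altered in transit", 0.5, 60_000),
    Risk("Linux", "Web Shop", "A/R", 0.01, "Online card sales", 87,
         "Card data breach by external attacker", 0.25, 240_000),
    Risk("Linux", "Web Shop", "A/R", 0.01, "Online card sales", 87,
         "Site outage loses sales", 4, 2_000),
]


def audit_candidates(risks, materiality_usd):
    """Risks that earn a line in the audit program: expected loss at or above
    audit materiality, highest first (the slide's footnote on materiality)."""
    kept = [r for r in risks if r.expected_loss >= materiality_usd]
    return sorted(kept, key=lambda r: r.expected_loss, reverse=True)


def rank_assets(risks):
    """Total expected loss per computer asset (primary OS at its owner), highest
    first: the systems whose controls the audit program should test first."""
    totals = {}
    for r in risks:
        key = f"{r.primary_os} @ {r.owner}"
        totals[key] = totals.get(key, 0.0) + r.expected_loss
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("Risks at or above materiality ($10,000, assumed):")
    for r in audit_candidates(SAMPLE_RISKS, materiality_usd=10_000):
        print(f"  {r.expected_loss:>10,.0f}  {r.primary_os:7} {r.flow:26} {r.risk}")
    print("Assets by total expected loss:")
    for asset, total in rank_assets(SAMPLE_RISKS):
        print(f"  {total:>10,.0f}  {asset}")
```

Note that the two low-value rows (theft of received goods, site outage) drop out at this materiality even though they occur far more often than the card-data breach; ranking by expected loss rather than by frequency is what puts the rare, expensive events at the top of the program.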
13
Ideas, not Things, have Value … and these ideas are tracked in the computer
14
How Accounting has had to Change Because of Business Automation
15
IS Audit Programs Chapter 2 What is IS Auditing? Why is it Important? What is the Industry Structure? Attestation and Assurance
16
Auditing
17
How Auditors Should Visualize Computer Systems
18
The IS Auditor's Challenge
Corporate accounting is in a constant state of flux, because of advances in information technology applied to accounting.
Information that is needed for an audit is often hidden from easy access by auditors, making computer knowledge an important prerequisite for auditing.
IS (and also just information) assets are increasingly the main proportion of wealth held by corporations.
19
The Challenge to Auditing Presented by Computers
Transaction flows are less visible, so fraud is easier. Computers do exactly what you tell them: to err is human, but to really screw up you need a computer.
Audit samples require computer knowledge and access.
Transaction flows are much larger (good for the company, bad for the auditor): audits grow bigger and bigger from year to year, and there is more pressure to "eat hours".
Environmental, physical and logical security problems grow exponentially.
Externally originated viruses and hacking are the major source of risk (10 years ago it was employees).
20
The Challenge to Auditing Presented by the Internet
Transaction flows are external: external copies of transactions sit on many Internet nodes.
External service providers for accounting systems require giving control to outsiders with different incentives.
Audit samples may be impossible to obtain, because they require access to third-party databases.
Transaction flows are intermingled between companies.
Environmental, physical and logical security problems grow exponentially.
Externally originated viruses and hacking are the major source of risk (10 years ago it was employees).
25
Materiality Materiality represents the maximum, combined, financial statement misstatement or omission that could occur before influencing the decisions of reasonable individuals relying on the financial statements. The magnitude and nature of financial statement misstatements or omissions will not have the same influence on all financial statement users. For example, a 5 percent misstatement with current assets may be more relevant for a creditor than a stockholder, whereas a 5 percent misstatement with net income before income taxes may be more relevant for a stockholder than a creditor. Therefore, the primary consideration when determining materiality is the expected users of the financial statements. The specific amounts established for each financial statement element must be determined by considering the primary users as well as qualitative factors. For example, if the client is close to violating the minimum current ratio requirement for a loan agreement, a smaller planning materiality amount should be used for current assets and liabilities. Conversely, if the client is substantially above the minimum current ratio requirement for a loan agreement, it would be reasonable to use a higher planning materiality amount for current assets and current liabilities. Planning materiality should be based on the smallest amount established from relevant materiality bases to provide reasonable assurance that the financial statements, taken as a whole, are not materially misstated for any user.
26
Tolerable misstatement This is essentially materiality for individual financial statement accounts. The amount established for individual accounts is referred to as "tolerable misstatement." Tolerable misstatement represents the amount an individual financial statement account can differ from its true amount without affecting the fair presentation of the financial statements taken as a whole. Establishment of tolerable misstatement for individual accounts enables the auditor to design and execute an audit strategy for each audit cycle. Tolerable misstatement should be established for all balance sheet accounts (except "retained earnings" because it is the residual account).
27
Phases and Products of the Audit
28
Planning and Risk Assessment. Output is the audit program and the budget (based on the contract with the client).
29
Internal Control Tests (mid-year). Assess internal control. Output is the annual "management letter" issued in connection with an audit, in accordance with SAS No. 30, "Reporting on Internal Accounting Control".
30
Substantive Tests (year-end). Products: the audit statement (signed by the auditor); the Sarbanes-Oxley compliance statement (signed by management); the management letter; the schedule of unadjusted differences; the list of control "weaknesses".
31
Practicum: A Day in the Life of Brent Dorsey. A staff auditor's professional pressures. Understand some of the pressures faced by young professionals in the workplace; generate and evaluate alternative courses of action to resolve a difficult workplace issue; understand more fully the implications of "eating time" and "premature sign-off"; more fully appreciate the need to balance professional and personal demands.
32
IS Security Chapter 3
33
Flowcharting Accounting Systems. Each bubble is associated with a person or entity that is responsible for that process. The same individual should hold managerial control, accountability and responsibility for the process, so all three should be attached to the same bubble.
34
Flowcharting Accounting Systems: a data flow diagram. (Figure: Data Flow Diagram notations.)
35
Flowcharting Accounting Systems A process transforms incoming data flow into outgoing data flow.
36
Flowcharting Accounting Systems Datastores are repositories of data in the system. They are sometimes also referred to as databases or files.
37
Flowcharting Accounting Systems Dataflows are pipelines through which transactions (packets of information) flow. Label the arrows with the name of the data that moves through it.
38
Flowcharting Accounting Systems External entities are entities outside the firm, with which the accounting system communicates E.g., vendors, customers, advertisers, etc. External entities are sources and destinations of the transaction input and output
39
Flowcharting Accounting Systems The Context diagram lists all of the external relationships
40
Flowcharting Accounting Systems: Levels. The context diagram (also known as the Level 0 diagram) contains only one process node (process 0), which generalizes the function of the entire system in relation to its external entities. The first-level DFD shows the main processes within the system. Each of these processes can be broken down into further processes until you reach the level at which individual actions on transaction flows take place. If you use SmartDraw: you can nest data flow diagrams. Draw the high-level diagram first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.
41
The Datastore The Datastore is used to represent Ledgers, Journals Or more often in the current world Their computer implemented counterpart Since almost no one keeps physical records
42
Flowcharting Accounting Systems: Lower Level with Multiple Processes. Draw data flow diagrams in several nested layers. A single process node on a high-level diagram can be expanded to show a more detailed data flow diagram.
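The DFD rules on the preceding slides (every flow is labelled, every bubble has one responsible owner, datastores and external entities exchange data only through a process, and a child diagram must carry the same external flows as the process it expands) are mechanical enough to check. The following is an added example, not part of the course or of any drawing tool, that models a context diagram and its level 1 expansion for a constructed purchasing-and-payables system and reports the faults a reviewer would reject: a flow from the vendor straight into the A/P ledger that bypasses every process, a process with no owner, a "purchase order" flow drawn at level 0 but forgotten at level 1, and a "vendor statement" flow that appears at level 1 without a parent. All node and flow names are invented for the example.

```python
from dataclasses import dataclass, field

PROCESS, DATASTORE, EXTERNAL = "process", "datastore", "external"


@dataclass
class DFD:
    """A data flow diagram: named nodes (process bubbles, datastores, external
    entities) and labelled flows between them."""
    name: str
    nodes: dict = field(default_factory=dict)   # node name -> (kind, responsible owner)
    flows: list = field(default_factory=list)   # (source, target, data label)

    def add(self, name, kind, owner=None):
        self.nodes[name] = (kind, owner)

    def flow(self, src, dst, label):
        self.flows.append((src, dst, label))

    def problems(self):
        """Structural faults to reject before using the diagram as audit evidence."""
        issues = []
        for src, dst, label in self.flows:
            if src not in self.nodes or dst not in self.nodes:
                issues.append(f"flow '{label}' references an undeclared node")
                continue
            if not label:
                issues.append(f"unlabelled flow {src} -> {dst}")
            if PROCESS not in (self.nodes[src][0], self.nodes[dst][0]):
                # datastores and external entities exchange data only through a process
                issues.append(f"flow '{label}' {src} -> {dst} bypasses every process")
        for name, (kind, owner) in self.nodes.items():
            if kind == PROCESS and not owner:
                issues.append(f"process '{name}' has no responsible owner")
        return issues


def boundary_flows(diagram, inside, outside):
    """Flows crossing between the `inside` and `outside` node-name sets, as
    (direction, outside node, label) triples."""
    crossing = set()
    for src, dst, label in diagram.flows:
        if src in inside and dst in outside:
            crossing.add(("out", dst, label))
        elif src in outside and dst in inside:
            crossing.add(("in", src, label))
    return crossing


def balance(parent, process_name, child):
    """Levelling check: the flows touching `process_name` on the parent diagram must
    reappear on the child, crossing between the child's own nodes and the parent's
    other nodes. Returns (missing_in_child, extra_in_child)."""
    outside = set(parent.nodes) - {process_name}
    expected = boundary_flows(parent, {process_name}, outside)
    actual = boundary_flows(child, set(child.nodes) - outside, outside)
    return expected - actual, actual - expected


# Constructed example (not from the course): a purchasing-and-payables system.
context = DFD("Context (level 0)")
context.add("Vendor", EXTERNAL)
context.add("Bank", EXTERNAL)
context.add("0 Purchasing and payables", PROCESS, owner="Controller")
context.flow("0 Purchasing and payables", "Vendor", "purchase order")
context.flow("Vendor", "0 Purchasing and payables", "goods shipped")
context.flow("Vendor", "0 Purchasing and payables", "purchase invoice")
context.flow("0 Purchasing and payables", "Bank", "payment instruction")
context.flow("Bank", "0 Purchasing and payables", "bank statement")

level1 = DFD("Level 1")
level1.add("Vendor", EXTERNAL)
level1.add("Bank", EXTERNAL)
level1.add("1 Receive goods", PROCESS, owner="Receiving dock supervisor")
level1.add("2 Record payable", PROCESS, owner="A/P clerk")
level1.add("3 Pay vendor", PROCESS)                      # owner forgotten: flagged
level1.add("A/P ledger", DATASTORE)
level1.flow("Vendor", "1 Receive goods", "goods shipped")
level1.flow("1 Receive goods", "2 Record payable", "receiving report")
level1.flow("Vendor", "2 Record payable", "purchase invoice")
level1.flow("2 Record payable", "A/P ledger", "posted payable")
level1.flow("A/P ledger", "3 Pay vendor", "payables due")
level1.flow("3 Pay vendor", "Bank", "payment instruction")
level1.flow("Bank", "3 Pay vendor", "bank statement")
level1.flow("Vendor", "A/P ledger", "vendor statement")  # bypasses every process: flagged
# "purchase order" is never drawn at level 1, so balance() reports it missing.

if __name__ == "__main__":
    for issue in context.problems() + level1.problems():
        print("problem:", issue)
    missing, extra = balance(context, "0 Purchasing and payables", level1)
    print("missing at level 1:", sorted(missing))
    print("unexplained at level 1:", sorted(extra))
```

The balance check is the one that matters most to an auditor: a flow that exists at one level and not the other is either a transaction path nobody has documented or a path that was drawn but never exists, and either way the diagram cannot be relied on to locate the controls.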
43
Practicum: Jacksonville Jaguars Assurance Services for the Electronic Payments System of a privately held company Identify benefits, costs and risks to businesses from implementing information technologies Determine how CPAs can provide assurance about processes designed to reduce risks created when new IT systems are introduced Understand ways CPAs can identify new assurance services opportunities (i.e., new areas for revenue generation)
44
IS Security Chapter 3
45
What is Security? Security involves the protection of a person, property or organization from attack: knowing the types of possible attacks, and being aware of the motivations for attacks and your relationship to those motives. Proper security makes attack difficult, threatens counter-measures, or makes a pre-emptive attack on a source of threat. IS Security is a collection of investments and procedures that protect information stored on computers, and protect hardware and software assets, from theft or vandalism by third parties.
46
What is a Lock & Key? Lock is a security system The key is its password Keys used to be worn visibly around the neck As a sign of authority (similar to employee badges today) Newer Technology Badges and electronic keys Biometrics (M-28 fingerprint lock at right) Remote controls (Lexus keys) ‘Keys’ are just another Security Policy
47
Effective security policy. Security policy defines the organization's attitude to assets, and announces internally and externally which assets are mission critical and are to be protected from unauthorized access, vandalism and destruction by third parties. Effective information security policies turn staff into participants in the company's security, and the process of developing them helps to define the company's assets. An effective security policy also protects people: anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well. A security policy allows people to take necessary actions without fear of reprisal; it compels the safeguarding of information while it eliminates, or at least reduces, personal liability for employees.
48
IP. There are four types of Intellectual Property (IP) that are protected by law: copyright, patent, trade secret, trademark. Two aspects of the use of IP are covered by intellectual property laws: right of publicity, and privacy.
Almost all security controls use the Lock & Key paradigm: authorization system = who gets a key (and why?); password, etc. = key; encryption algorithms, SSL, etc. = lock.
49
Entry into Computer Crime. This flowchart describes the points at which control processes may be created to stop criminals. Controls may: prevent access to the asset; detect asset access; correct the problems or losses after an illicit access. Remember that criminals specialize in one type of crime.
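The lock-and-key paradigm and the prevent/detect/correct split above can be shown in one small access-control component. The following is an added example (not from the course, and not any product's code): the authorization table records who was issued a key and why, the password is the key, a salted PBKDF2 hash comparison is the lock (preventive control), every attempt is written to a log that an auditor can sample (detective control), and repeated failures withdraw the key (corrective control). Asset names, users and the three-strike threshold are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
LOCKOUT_AFTER = 3          # consecutive failed attempts before the key is withdrawn (assumed policy)


def cut_key(password, salt=None):
    """Issue a key: keep only a salted PBKDF2 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AssetGuard:
    """Lock-and-key control around named assets:
    grant() is the authorization system (who gets a key, and why);
    the password is the key and the stored-hash comparison is the lock (preventive);
    every attempt is logged (detective); repeated failures withdraw the key (corrective)."""

    def __init__(self):
        self.keys = {}       # user -> (salt, digest)
        self.grants = {}     # asset -> {user: reason the key was issued}
        self.failures = {}   # user -> consecutive failed attempts
        self.log = []        # (asset, user, outcome)

    def enrol(self, user, password):
        self.keys[user] = cut_key(password)
        self.failures[user] = 0

    def grant(self, asset, user, reason):
        self.grants.setdefault(asset, {})[user] = reason

    def revoke_key(self, user):
        self.keys.pop(user, None)

    def _unlock(self, user, password):
        if user not in self.keys:
            cut_key(password, b"\0" * 16)   # same cost as a real check: no user enumeration by timing
            return False
        salt, digest = self.keys[user]
        _, attempt = cut_key(password, salt)
        return hmac.compare_digest(digest, attempt)   # constant-time comparison

    def access(self, asset, user, password):
        """True only if the key fits the lock AND the user holds a grant for this asset."""
        key_fits = self._unlock(user, password)
        allowed = key_fits and user in self.grants.get(asset, {})
        self.log.append((asset, user, "allowed" if allowed else "denied"))
        if allowed:
            self.failures[user] = 0
        elif user in self.keys:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= LOCKOUT_AFTER:
                self.revoke_key(user)                      # corrective control
                self.log.append((asset, user, "key withdrawn"))
        return allowed

    def denied(self, asset):
        """Detective control: denied attempts on one asset, as an auditor would sample them."""
        return [(user, outcome) for a, user, outcome in self.log
                if a == asset and outcome == "denied"]


if __name__ == "__main__":
    guard = AssetGuard()
    guard.enrol("alice", "correct horse battery")
    guard.enrol("mallory", "hunter2")
    guard.grant("A/P ledger", "alice", "A/P clerk, posts payables")
    print(guard.access("A/P ledger", "alice", "correct horse battery"))   # key fits, grant held
    print(guard.access("A/P ledger", "mallory", "hunter2"))               # key fits, no grant
    for entry in guard.log:
        print(entry)
```

Two details are easy to get wrong in practice and are deliberately handled here: the comparison uses `hmac.compare_digest` rather than `==`, and an unknown user costs the same PBKDF2 work as a wrong password, so an attacker cannot tell valid user names from invalid ones by timing.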
50
Bringing a computer crime to court
51
Practicum: The Anonymous Caller Recognizing It's a Fraud and Evaluating What to Do How would you politely and ethically handle a ‘dodgy’ request for help Appreciate real-world pressures for meeting financial expectations Distinguish financial statement fraud from aggressive accounting Identify alternative actions when confronted with suspected financial statement fraud Develop arguments to resist or prevent inappropriate accounting techniques
52
Physical Security: Chapter 7. Logical Security: Chapter 8.
53
Security Policy
54
Strategy and Policy. Strategy defines the way that top management achieves corporate objectives. Policy is a written set of procedures, guidelines and rules, designed to accomplish a subset of strategic tasks by a particular subgroup of employees.
56
Effective information security policy Information security policy defines the organization’s attitude to information, and announces internally and externally that information is an asset Which is to be protected from unauthorized access, modification, disclosure, and destruction Effective information security policies Will turn staff into participants in the company’s security The process of developing these policies will help to define a company’s information assets
57
Why Do You Need Security Policy? A security policy should Protect people and information Set the rules for expected behavior by users, system administrators, management, and security personnel Authorize security personnel to monitor, probe, and investigate Define and authorize the consequences of violation
58
The Three Elements of Policy Implementation. Standards specify the use of specific technologies in a uniform way; the example the book gives is the standardization of operating procedures. Guidelines are similar to standards but are recommended actions. Procedures are the detailed steps that must be performed for any task.
59
Steps to Creation of IS Security Policy (Policy Development Lifecycle)
1. Senior management buy-in
2. Determine a compliance grace period
3. Determine resource involvement
4. Review existing policy
5. Determine research materials (Internet, SANS, white papers, books, ...)
6. Interview the parties {Responsible, Accountable, Controlling} for the assets: (a) define your objectives; (b) control the interview; (c) sum up and confirm; (d) post-interview review
7. Review with additional stakeholders
8. Ensure policy is reflected in "awareness" strategies
9. Review and update
10. Gap analysis
11. Develop communication strategy
12. Publish
60
What’s in a Policy Document
61
Governing Policy Should cover Address information security policy at a general level define significant concepts describe why they are important, and detail what your company’s stand is on them Governing policy will be read by managers and by technical custodians Level of detail: governing policy should address the “what” in terms of security policy.
62
Governing Policy Outline might typically include 1. Authentication 2. Access Control 3. Authorization 4. Auditing 5. Cryptography 6. System and Network Controls 7. Business Continuity/Disaster Recovery 8. Compliance Measurement
63
Technical Policies Used by technical custodians as they carry out their security responsibilities for the system they work with. Are more detailed than the governing policy and will be system or issue specific, e.g., AS-400 or physical security.
64
Technical Policy Outline might typically include 1. Authentication 2. Authorization 3. Auditing 4. Network Services 5. Physical Security 6. Operating System 7. Business Continuity/Disaster Recovery 8. Compliance Measurement
65
User Policies cover all the IS security policy that end-users ever need to know about, comply with, and implement. Most of these will address the management of transaction flows and databases associated with applications. Some of these policy statements may overlap with the technical policy. Grouping all end-user policy together means that users only have to go to one place and read one document in order to learn everything they need to do to ensure compliance with company security.
66
User Policy Outline might typically include 1. User Access 2. User Identification and Accountability 3. Passwords 4. Software 5. System Configuration and Settings 6. Physical 7. Business Continuity Planning 8. Data Classification 9. Encryption 10. Remote Access 11. Wireless Devices/PDAs 12. Email 13. Instant Messaging 14. Web Conferencing 15. Voice Communications 16. Imaging/Output