Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auditing Information Systems (AIS)

Published byEaster Willis Modified over 9 years ago

Similar presentations

Presentation on theme: "Auditing Information Systems (AIS)"— Presentation transcript:

1 Auditing Information Systems (AIS)
Lecture - 4

2 Computer-assisted Audit Techniques
CAATs enable IS auditors to gather information independently CAATs include: Generalized audit software (GAS) Utility software Debugging and scanning software Test data Application software tracing and mapping Expert systems

3 Computer-assisted Audit Techniques (continued)
Items to consider before utilizing CAATs: Ease of use for existing and future audit staff Training requirements Complexity of coding and maintenance Flexibility of uses Installation requirements Processing efficiencies Confidentiality of data being processed

4 Computer-assisted Audit Techniques (continued)
CAATs as a continuous online audit approach: Improves audit efficiency IS auditors must: develop audit techniques for use with advanced computerized systems be involved in the creation of advanced systems make greater use of automated tools

5 Fraud Detection Management’s responsibility
Benefits of a well-designed internal control system Deterring fraud at the first instance Detecting fraud in a timely manner Fraud detection and disclosure Auditor’s role in fraud prevention and detection

6 Case Study A - Scenario The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management’s review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation.

7 Case Study A Scenario (continued)
Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.

8 Case Study A - Question 1. What should the IS auditor do FIRST?
A. Perform an IT risk assessment. B. Perform a survey audit of logical access controls. C. Revise the audit plan to focus on risk-based auditing. D. Begin testing controls that the IS auditor feels are most critical. The correct answer is A

9 Case Study A - Question When testing program change management, how should the sample be selected? A. Change management documents should be selected at random and examined for appropriateness. B. Changes to production code should be sampled and traced to appropriate authorizing documentation. C. Change management documents should be selected based on system criticality and examined for appropriateness. D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change. The correct answer is B

10 Case Study B - Scenario An IS auditor is planning to review the security of a financial application for a large company with several locations worldwide. The application system is made up of a web interface, a business logic layer and a database layer. The application is accessed locally through a LAN and remotely through the Internet via a VPN connection.

11 Case Study B - Question 2. Given that the application is accessed through the Internet, how should the auditor determine whether to perform a detailed review of the firewall rules and virtual private network (VPN) configuration settings? A. Documented risk analysis B. Availability of technical expertise C. Approach used in previous audit D. IS auditing guidelines and best practices The correct answer is A )

12 Case Study B - Question 3. During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST: A. review the authorization on a sample of transactions. B. immediately report this finding to upper management. C. request that auditee management review the appropriateness of access rights for all users. D. use a generalized audit software to check the integrity of the database. The correct answer is A

13 Conclusion Chapter 1 Quick Reference Review
Page 32 of CISA Review Manual 2010

Download ppt "Auditing Information Systems (AIS)"

Similar presentations

OPERATING EFFECTIVELY AT WESD. What is Internal Control? A process designed to provide reasonable assurance the organizations objectives are achieved.

OPERATING EFFECTIVELY AT WESD. What is Internal Control? A process designed to provide reasonable assurance the organizations objectives are achieved.
Audit of Autonomous District Councils (in an IT environment using FAAM)

Audit of Autonomous District Councils (in an IT environment using FAAM)
Software Quality Assurance Plan

Software Quality Assurance Plan
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
ITAuditing Using GAS & CAATs

ITAuditing Using GAS & CAATs
Practical Flowcharting for Auditors

Practical Flowcharting for Auditors
Auditing Concepts.

Auditing Concepts.
Internal Audit Awareness

Internal Audit Awareness
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Learning Objectives LO5 Document an accounting system to identify key controls and weaknesses in order to assess control risk. LO6 Write key control tests.

Learning Objectives LO5 Document an accounting system to identify key controls and weaknesses in order to assess control risk. LO6 Write key control tests.
Auditing Computer Systems

Auditing Computer Systems
The Islamic University of Gaza

The Islamic University of Gaza
Audit Guidance Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits Mickie.

Audit Guidance Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits Mickie.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
IS Audit Function Knowledge

IS Audit Function Knowledge
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Advanced Accounting Information Systems

Advanced Accounting Information Systems
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Computer Security: Principles and Practice

Computer Security: Principles and Practice

Similar presentations

Ads by Google