Chapter 14: Information Technology Auditing

2 Chapter 14: Information Technology Auditing
  Introduction
  The Audit Function
  The IT Auditor's Toolkit
  Auditing Computerized AIS
  IT Auditing Today

3 Introduction
  Audits of AISs
    Ensure controls are functioning properly
    Confirm additional controls are not necessary
  Nature of Auditing
    Internal and external auditing
    IT audit and financial audit
    Tools of an IT auditor

4 The Audit Function
  Internal versus External Auditing
  Information Technology Auditing
  Evaluating the Effectiveness of Information Systems Controls

5 Internal Auditing
  Responsibility of Performance
    Company's own employees
    External to the department being audited
  Audit Purpose
    Employee compliance with policies and procedures
    Development and evaluation of internal controls

6 External Auditing
  Responsibility of Performance
    Those outside the organization
    Accountants working for an independent CPA firm
  Audit Purpose
    Performance of the attest function
    Evaluate the accuracy and fairness of the financial statements relative to GAAP

7 Information Technology Auditing
  Function
    Evaluate the computer's role in achieving audit and control objectives
  Assurance Provided
    Data and information are reliable, confidential, secure, and available
    Safeguarding of assets, data integrity, and operational effectiveness

8 The Components of an IT Audit

9 The IT Audit Process
  Computer-Assisted Audit Techniques (CAATs)
    Use of computer processes to perform audit functions
    Performing substantive tests
  Approaches
    Auditing through the computer
    Auditing with the computer

10 The IT Audit Process

11 Careers in IT Auditing
  Background
    Accounting skills
    Information systems or computer science skills
  Certified Information Systems Auditor (CISA)
    Successfully complete the examination
    Experience requirements
    Comply with the Code of Professional Ethics
    Continuing professional education
    Comply with standards

12 CISA Exam Components

13 Careers in IT Auditing
  Certified Information Security Manager (CISM)
    Business orientation
    Understand risk management and security
  CISM Knowledge
    Information security governance
    Information security program management
    Risk management
    Information security management
    Response management

14 Evaluating the Effectiveness of Information Systems Controls
  Impact on Substantive Testing
    Strong controls: less substantive testing
    Weak controls: more substantive testing
  Risk Assessment
    Evaluate the risks associated with control weaknesses
    Make recommendations to improve controls

15 Risk Assessment
  Risk-Based Audit Approach
    Determine the threats
    Identify the control procedures needed
    Evaluate the current control procedures
    Evaluate the weaknesses within the AIS
  Benefits
    Understanding of errors and irregularities
    Sound basis for recommendations

16 Information Systems Risk Assessment
  Method of evaluating the desirability of IT controls
  Types of Risks
    Loss of company secrets
    Unauthorized manipulation of company files
    Interrupted computer access
  Penetration Testing

17 Guidance in Designing and Evaluating IT Controls
  Systems Auditability and Control Report (SAC)
  Electronic Systems Assurance and Control (eSAC)
    Framework for evaluating e-business controls
  Control Objectives for Information and Related Technology (COBIT)

18 Study Break #1
  An IT auditor:
    Must be an external auditor
    Must be an internal auditor
    Can be either an internal or external auditor
    Must be a Certified Public Accountant

19 Study Break #1 - Answer
  An IT auditor:
    Must be an external auditor
    Must be an internal auditor
    Can be either an internal or external auditor
    Must be a Certified Public Accountant

20 Study Break #2
  In determining the scope of an IT audit, the auditor should pay most attention to:
    Threats and risks
    The cost of the audit
    What the IT manager asks to be evaluated
    Listings of standard control procedures

21 Study Break #2 - Answer
  In determining the scope of an IT audit, the auditor should pay most attention to:
    Threats and risks
    The cost of the audit
    What the IT manager asks to be evaluated
    Listings of standard control procedures

22 The IT Auditor's Toolkit
  Utilization of CAATs
    Auditing with the computer
    Manual access to data stored on computers is impossible
  Tools
    Auditing Software
    People Skills

23 General-Use Software
  Productivity tools that improve the auditor's work
  Types
    Word processing programs
    Spreadsheet software
    Database management systems (DBMS)
    Structured Query Language (SQL)

24 Generalized Audit Software
  Overview
    Allows for reviewing of files without rewriting processing programs
    Basic data manipulation
    Tailored to auditor tasks
  Common Programs
    Audit Command Language (ACL)
    Interactive Data Extraction and Analysis (IDEA)

25 Generalized Audit Software - Inventory

26 Automated Workpaper Software
  Overview
    Similar to general ledger software
    Handles accounts from many organizations
  Features
    Generate trial balances
    Make adjusting entries
    Perform consolidations
    Conduct analytical procedures

27 People Skills
  Examples
    Interact with clients and other auditors
    Interviewing clients
  Importance of Interviews
    Gain understanding of the organization
    Evaluate internal controls
  Working as a team

28 Auditing Computerized AISs
  Auditing Around the Computer
    Assumes accurate output verifies proper processing
    Not effective in a computerized environment
  Auditing Through the Computer
    Follows the audit trail through the computer
    Verifies proper functioning of processing controls in AIS programs

29 Auditing Computerized AISs
  Testing Computer Programs
  Validating Computer Programs
  Review of Systems Software
  Validating Users and Access Privileges
  Continuous Auditing

30 Testing Computer Programs
  Test Data
    Create a set of transactions
    Covering a range of exception situations
    Compare results and investigate further
  Integrated Test Facility
    Establish a fictitious entity
    Enter transactions for that entity
    Observe how they are processed

31 Testing Computer Programs
  Parallel Simulation
    Utilizes live input data
    Simulates all or some of the operations
    Compare results
    Very time-consuming and cost-prohibitive
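Parallel simulation in working form, as an added example that is not part of the slides: the auditor's own program recomputes invoice totals from the same live input the production program processed and reports every record where the two disagree. The pricing rule (extended price, then discount, then tax, rounded to cents half-up after each step) and the "live" records are assumptions constructed for this example; the third record is seeded with a production total that the rule does not reproduce.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed "live" production output: each invoice line as the AIS stored it,
# including the total the production program computed. INV-003 is seeded with
# a total that ignores the discount, so the simulation should flag it.
PRODUCTION_OUTPUT = [
    {"invoice": "INV-001", "qty": 3, "unit_price": "19.99",
     "discount": "0.10", "tax_rate": "0.08", "total": "58.29"},
    {"invoice": "INV-002", "qty": 1, "unit_price": "100.00",
     "discount": "0.00", "tax_rate": "0.08", "total": "108.00"},
    {"invoice": "INV-003", "qty": 10, "unit_price": "5.00",
     "discount": "0.25", "tax_rate": "0.08", "total": "54.00"},
    {"invoice": "INV-004", "qty": 7, "unit_price": "0.125",
     "discount": "0.00", "tax_rate": "0.08", "total": "0.95"},
]

def simulate_total(line):
    """Auditor's independent re-computation of one invoice line total.
    Assumed rule: extended price, then discount, then tax; each step rounded
    to cents half-up so the comparison is exact rather than approximate."""
    extended = Decimal(line["unit_price"]) * line["qty"]
    discounted = (extended * (1 - Decimal(line["discount"]))).quantize(CENT, ROUND_HALF_UP)
    return (discounted * (1 + Decimal(line["tax_rate"]))).quantize(CENT, ROUND_HALF_UP)

def parallel_simulation(records):
    """Run the auditor's program over the live input and compare it with what
    the production program recorded; return one entry per mismatching record."""
    discrepancies = []
    for rec in records:
        simulated = simulate_total(rec)
        recorded = Decimal(rec["total"])
        if simulated != recorded:
            discrepancies.append({"invoice": rec["invoice"], "recorded": recorded,
                                  "simulated": simulated,
                                  "difference": recorded - simulated})
    return discrepancies

if __name__ == "__main__":
    for d in parallel_simulation(PRODUCTION_OUTPUT):
        print(d["invoice"], "recorded", d["recorded"], "simulated", d["simulated"])
```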

32 Edit Tests and Test Data

33 Validating Computer Programs
  Tests of Program Change Controls
    Protect against unauthorized program changes
    Documentation of requests for program changes
    Utilize special forms for authorization
  Program Comparison
    Test of length
    Comparison program

34 Reviewing a Responsibility System

35 Review of Systems Software
  Systems Software Controls
    Operating system software
    Utility programs
    Program library software
    Access control software
  Inspect Outputs
    Logs
    Incident reports

36 Password Parameters

37 Validating Users and Access Privileges
  Purpose
    Ensure all system users are valid
    Appropriate access privileges
  Utilize Software Tools
    Examine login times
    Exception conditions
    Irregularities

38 Continuous Auditing
  Embedded Audit Modules (Audit Hooks)
    Capture data for audit purposes
  Exception Reporting
    Transactions falling outside given parameters are rejected
  Transaction Tagging
    Certain transactions are tagged and their progress recorded

39 Continuous Auditing
  Snapshot Technique
    Examines how transactions are processed
  Continuous and Intermittent Simulation (CIS)
    Embeds an audit module in a database management system (DBMS)
    Similar to parallel simulation
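The continuous-auditing techniques from the two slides above, combined in one embedded audit module, as an added example that is not part of the slides: a posting routine with audit hooks that rejects and reports transactions outside the given parameters (exception reporting), records each processing stage of auditor-tagged transactions (transaction tagging), and captures the account state before and after a tagged transaction is posted (snapshot technique). The parameter values, account numbers and sample batch are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    txn_id: str
    account: str
    amount: float
    tagged: bool = False  # transaction tagging: auditor-selected for tracing

# Audit parameters (constructed for this example): known accounts and a ceiling.
PARAMS = {"max_amount": 10_000.0, "valid_accounts": {"1010", "2020", "4000"}}

def check_parameters(txn, params):
    """Reasons a transaction falls outside the given parameters (empty = OK)."""
    reasons = []
    if txn.account not in params["valid_accounts"]:
        reasons.append("unknown account")
    if txn.amount <= 0:
        reasons.append("non-positive amount")
    elif txn.amount > params["max_amount"]:
        reasons.append("amount exceeds limit")
    return reasons

def post_transactions(txns, params=PARAMS):
    """Production-style posting routine with the audit module embedded in it."""
    balances = {}
    log = {"exceptions": [], "tag_trail": [], "snapshots": []}
    for t in txns:
        if t.tagged:  # hook: tagged transaction has entered the system
            log["tag_trail"].append((t.txn_id, "received"))
        reasons = check_parameters(t, params)
        if reasons:  # exception reporting: out-of-parameter txn is rejected
            log["exceptions"].append({"txn_id": t.txn_id, "reasons": reasons})
            if t.tagged:
                log["tag_trail"].append((t.txn_id, "rejected"))
            continue
        before = balances.get(t.account, 0.0)
        balances[t.account] = before + t.amount
        if t.tagged:  # snapshot: account state before and after processing
            log["snapshots"].append({"txn_id": t.txn_id, "before": before,
                                     "after": balances[t.account]})
            log["tag_trail"].append((t.txn_id, "posted"))
    return balances, log

# Constructed sample batch: two valid postings and three parameter violations.
SAMPLE = [Txn("T1", "1010", 500.0, tagged=True), Txn("T2", "9999", 100.0),
          Txn("T3", "2020", 25_000.0), Txn("T4", "4000", -50.0),
          Txn("T5", "1010", 250.0)]
```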

40 Continuous Auditing – Spreadsheet Errors

41 Study Break #3
  Which of the following is NOT an audit technique for auditing computerized AIS?
    Parallel simulation
    Use of specialized control software
    Continuous auditing
    All of the above are techniques used to audit computerized AIS

42 Study Break #3 - Answer
  Which of the following is NOT an audit technique for auditing computerized AIS?
    Parallel simulation
    Use of specialized control software
    Continuous auditing
    All of the above are techniques used to audit computerized AIS

43 Study Break #4
  Continuous auditing:
    Has been talked about for years but will never catch on
    Will likely become popular if organizations adopt XBRL in their financial reporting
    Does not include techniques such as embedded audit modules
    Will never allow IT auditors to provide some types of assurance on a real-time basis

44 Study Break #4 - Answer
  Continuous auditing:
    Has been talked about for years but will never catch on
    Will likely become popular if organizations adopt XBRL in their financial reporting
    Does not include techniques such as embedded audit modules
    Will never allow IT auditors to provide some types of assurance on a real-time basis

45 IT Auditing Today
  IT Governance
  Auditing for Fraud: Statement on Auditing Standards No. 99
  The Sarbanes-Oxley Act of 2002
  Third Party and Information Systems Reliability Assurances

46 IT Governance
  Overview
    Process of using IT resources effectively
    Efficient, responsible, strategic use of IT
  Objectives
    Using IT strategically to fulfill the mission of the organization
    Ensure effective management of IT

47 Auditing for Fraud: Statement on Auditing Standards No. 99
  Overview
    Supersedes SAS No. 82
    Provides more guidance to prevent and deter fraud
  Fraud Triangle
    Motive for committing fraud
    Opportunity that allows fraud to occur
    Rationalization by the individual

48 Fraud Triangle

49 The Sarbanes-Oxley Act of 2002
  Overview
    Limits the services that auditors can provide to clients while they are conducting audits
  Groups of Compliance Requirements
    Audit committee/corporate governance requirements
    Certification, disclosure, and internal control
    Financial statement reporting rules
    Executive reporting and conduct

50 The Sarbanes-Oxley Act of 2002
  Section 302
    CEOs and CFOs are required to certify the financial statements
    Internal controls and disclosures are adequate
  Section 404
    CEOs and CFOs assess and attest to the effectiveness of internal controls

51 Key Provisions of SOX

52 Key Provisions of SOX

53 Third Party and Information Systems Reliability Assurances
  Growth of Electronic Commerce
    Area of growing risk
    Security and privacy concerns
    Difficult to audit
  AICPA Trust Services
    CPA WebTrust
    SysTrust

54 Third Party and Information Systems Reliability Assurances
  Principles of Trust Services
    Security
    Availability
    Processing integrity
    Online privacy
    Confidentiality

55 Copyright
  Copyright 2010 John Wiley & Sons, Inc. All rights reserved.
  Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.

56 Chapter 14

