Required Auditing Standards in a Computerized Environment, Reggie C. Nery, CPA, CIA, CISA, CISSP, CCSA (PowerPoint presentation transcript)

Transcript and Presenter's Notes

1
Required Auditing Standards in a Computerized Environment
Reggie C. Nery, CPA, CIA, CISA, CISSP, CCSA
Manabat Sanagustin & Co. (formerly Laya Mananghaya & Co.)
July 19, 2007
Risk Advisory Services
2
Agenda
  • Auditing and Related Standards in a Computerized
    Environment
  • Purpose of PAPS 1013
  • What PAPS 1013 is not
  • eCommerce and eBusiness Defined
  • Current Opportunities and Challenges
  • Skills and Knowledge of Auditors
  • Risk Identification
  • Legal and Regulatory Issues
  • Internal Control Considerations
  • ISACA Standards, Guidelines and Procedures

3
Auditing and Related Standards in a Computerized
Environment
  • LOCAL
  • Philippine Auditing Practice Statement (PAPS)
    1013
  • INTERNATIONAL
  • ISACA IS Auditing Standards, Guidelines and
    Procedures
  • IT Governance Institute's COBIT 4.1 and IT
    Assurance Guide
  • Office of Government Commerce's ITIL and PRINCE2
  • Project Management Institute's PMBOK
  • ISO 27001 (BS 7799/ISO 17799)
  • AICPA's Statements on Auditing Standards (SAS)
    48, SAS 70, SAS 94

4
Purpose of Philippine Auditing Practice Statement
(PAPS) 1013
  • provides guidance to assist auditors of financial
    statements where an entity engages in commercial
    activity that takes place by means of connected
    computers over a public network, such as the
    Internet (e-commerce)
  • identifies specific matters to assist the auditor
    when considering the significance of e-commerce
    to the entity's business activities and the
    effect of e-commerce on the auditor's assessments
    of risk for the purpose of forming an opinion on
    the financial statements.

5
What PAPS 1013 Is Not
  • PAPS 1013 is not intended to help the auditor form
    an opinion, or provide consulting advice,
    concerning the entity's e-commerce systems or
    activities in their own right.

6
Electronic Commerce / Electronic Business Defined
Electronic Commerce (E-Commerce) is the
application of advanced information technologies
to increase the effectiveness of commercial
practices between business partners; it refers
solely to transactional activities (such as the
buying and selling of goods and services).
  • This includes
  • Business-to-Business Commerce (B2B)
  • Business-to-Consumer Commerce (B2C)
  • Internal information collaboration and
    communication

E-Business is used to refer to all business
activities, both transactional and
non-transactional, such as customer relations and
communications.
7
Opportunities in eCommerce
  • Companies that can provide secure, web-enabled
    business system transactions and access to
    information are able to perform in the global
    economy with greater efficiency and trust.
    Getting to market with these types of systems can
    provide competitive advantage by
  • Attracting new customers
  • Increasing customer loyalty
  • Decreasing transaction costs
  • Delivering new value to stakeholders
  • Enhancing brand image
  • Technology advances over the next decade will
    continue to drive eCommerce users closer to the
    "anytime, anywhere" information access model.

8
Challenges to eCommerce
  • As customers and partners become more accustomed
    to instant information, companies are being
    pressured to provide web-based access to core
    business systems thus making business models more
    transparent.
  • Utilizing the internet for business-to-business
    information exchange has many challenges
  • The Internet is not a secure transmission medium
  • Privacy is difficult to ensure
  • Reliability can be an issue

9
Skills and Knowledge
  • Appropriate levels of both information technology
    (IT) and Internet business knowledge may be
    required to
  • Understand, so far as they may affect the
    financial statements
  • The entity's e-commerce strategy and activities,
  • The technology used to facilitate the entity's
    e-commerce activities and the IT skills and
    knowledge of entity personnel,
  • The risks involved in the entity's use of
    e-commerce and the entity's approach to managing
    those risks, particularly the adequacy of the
    internal control system, including the security
    infrastructure and related controls, as it
    affects the financial reporting process,
  • Determine the nature, timing and extent of audit
    procedures and evaluate audit evidence,
  • Consider the effect of the entity's dependence on
    e-commerce activities on its ability to continue
    as a going concern.
  • Consider the use of the work of an expert, for
    example if the auditor considers it appropriate
    to test controls by attempting to break through
    the security layers of the entity's system
    (vulnerability and penetration testing).

10
Skills and Knowledge
  • KNOWLEDGE OF THE BUSINESS
  • In obtaining or updating knowledge of the
    entity's business, the auditor considers, so far
    as they affect the financial statements
  • the entity's business activities and industry,
  • the entity's e-commerce strategy,
  • the extent of the entity's e-commerce activities,
    and
  • the entity's outsourcing arrangements.

11
Skills and Knowledge
  • KNOWLEDGE OF THE BUSINESS
  • Examples of industries that are being transformed
    by e-commerce include
  • computer software,
  • securities trading,
  • banking,
  • travel services,
  • books and magazines,
  • recorded music,
  • advertising,
  • news media,
  • biddings and auctions, and
  • education.

12
Skills and Knowledge
  • KNOWLEDGE OF THE BUSINESS
  • Matters that may be relevant to the auditor when
    considering the entity's e-commerce strategy
    include
  • involvement of those charged with governance in
    considering the alignment of e-commerce
    activities with the entity's overall business
    strategy,
  • whether e-commerce supports a new activity for
    the entity, or whether it is intended to make
    existing activities more efficient or reach new
    markets for existing activities,
  • sources of revenue for the entity and how these
    are changing (for example, whether the entity
    will be acting as a principal or agent for goods
    or services sold),
  • management's evaluation of how e-commerce affects
    the earnings of the entity and its financial
    requirements,
  • management's attitude to risk and how this may
    affect the risk profile of the entity,

13
Skills and Knowledge
  • KNOWLEDGE OF THE BUSINESS
  • e-commerce strategy (cont.)
  • the extent to which management has identified
    e-commerce opportunities and risks in a
    documented strategy that is supported by
    appropriate controls, or whether e-commerce is
    subject to ad hoc development responding to
    opportunities and risks as they arise, and
  • management's commitment to relevant codes of best
    practice or web seal programs.

14
Skills and Knowledge
  • KNOWLEDGE OF THE BUSINESS
  • Extent of e-commerce activities
  • For example, e-commerce might be used to
  • provide only information about the entity and its
    activities, which can be accessed by third
    parties such as investors, customers, suppliers,
    finance providers, and employees,
  • facilitate transactions with established
    customers whereby transactions are entered via
    the Internet,
  • gain access to new markets and new customers by
    providing information and transaction processing
    via the Internet,
  • access Application Service Providers (ASPs), and
  • create an entirely new business model.

15
Risk Identification
  • loss of transaction integrity,
  • pervasive e-commerce security risks,
  • system availability risks,
  • loss of information privacy,
  • improper accounting policies related to, for
    example, capitalization of expenditures such as
    website development costs, misunderstanding of
    complex contractual arrangements, title transfer
    risks, translation of foreign currencies,
    allowances for warranties or returns, and revenue
    recognition issues
  • noncompliance with taxation and other legal and
    regulatory requirements,
  • failure to ensure that contracts evidenced only
    by electronic means are binding, and
  • over-reliance on e-commerce when placing
    significant business systems or other business
    transactions on the Internet.

16
Risk Identification
  • Measures to address risks identified
  • verify the identity of customers and suppliers,
  • ensure the integrity of transactions and business
    processes,
  • ensure that information and information systems
    are available during the periods disclosed by the
    entity,
  • obtain agreement on terms of trade, including
    agreement of delivery and credit terms and
    dispute resolution processes, which may address
    tracking of transactions and procedures to ensure
    a party to a transaction cannot later deny having
    agreed to specified terms (non-repudiation
    procedures),
  • obtain payment from, or secure credit facilities
    for, customers, and
  • establish privacy and information protection
    protocols.

17
Legal and Regulatory Issues
  • Legal or regulatory issues that may be
    particularly relevant in an e-commerce
    environment include
  • adherence to national and international privacy
    requirements,
  • adherence to national and international
    requirements for regulated industries,
  • the enforceability of contracts,
  • the legality of particular activities, for
    example Internet gambling,
  • the risk of money laundering, and
  • violation of intellectual property rights.

18
Internal Control Considerations
  • To the extent they are relevant to the financial
    statement assertions the auditor considers such
    matters as
  • the effective use of firewalls and virus
    protection software to protect the entity's
    systems from the introduction of unauthorized or
    harmful software, data or other material in
    electronic form,
  • the effective use of encryption, including both
  • maintaining the privacy and security of
    transmissions through, for example, authorization
    of decryption keys, and
  • preventing the misuse of encryption technology
    through, for example, controlling and
    safeguarding private decryption keys,
  • controls over the development and implementation
    of systems used to support e-commerce activities,
  • whether security controls in place continue to be
    effective as new technologies that can be used to
    attack Internet security become available, and
  • whether the control environment supports the
    control procedures implemented.

19
Internal Control Considerations
  • Transaction Integrity
  • Controls are often designed to, for example
  • validate input,
  • prevent duplication or omission of transactions,
  • ensure the terms of trade have been agreed before
    an order is processed, including delivery and
    credit terms,
  • distinguish between customer browsing and orders
    placed, ensure a party to a transaction cannot
    later deny having agreed to specified terms
    (non-repudiation), and ensure transactions are
    with approved parties when appropriate,
  • prevent incomplete processing by ensuring all
    steps are completed and recorded or if all steps
    are not completed and recorded, by rejecting the
    order,
  • ensure the proper distribution of transaction
    details across multiple systems in a network, and
  • ensure records are properly retained, backed-up
    and secured.
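The measures on slide 16 and the transaction-integrity controls above are stated at policy level. The following Python model is an added example, not code from the presentation or from PAPS 1013, showing what those controls look like inside an order-intake routine: input validation against known customers and catalog items, a check that the current terms of trade were agreed before processing, rejection of a "browse" (an order with no lines), duplicate detection by idempotency key plus a content digest, all-or-nothing processing with compensating actions when a later step fails, and a hash-chained audit trail so retained records are tamper-evident. The catalog, customers, credit limits, stock levels and terms version are constructed sample data, and the idempotency-key and hash-chain design is an assumption of this example, not something the slides prescribe. Non-repudiation of the agreed terms additionally needs a customer-side digital signature (ISACA P2) and is not modelled here.

```python
"""Order-intake controls for an e-commerce site, as an in-memory model.

Constructed example: the catalog, customers, credit limits, stock and
terms version below are invented for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field
from decimal import Decimal

CATALOG = {"SKU-100": Decimal("19.99"), "SKU-200": Decimal("5.00")}   # constructed
CREDIT_LIMIT = {"C-001": Decimal("500"), "C-002": Decimal("50")}     # approved customers
TERMS_VERSION = "terms-2007-07"   # hypothetical current terms-of-trade version


class OrderRejected(Exception):
    """Raised when a control fails; a rejected order is never posted."""


@dataclass
class Ledger:
    """Stand-in for stock, the accounting system and its audit trail."""
    stock: dict = field(default_factory=lambda: {"SKU-100": 10, "SKU-200": 100})
    seen_keys: dict = field(default_factory=dict)   # idempotency key -> order digest
    posted: list = field(default_factory=list)      # accepted orders
    trail: list = field(default_factory=list)       # hash-chained event log


def order_digest(order: dict) -> str:
    """Canonical SHA-256 of the order, so duplicates are matched on content."""
    return hashlib.sha256(json.dumps(order, sort_keys=True).encode()).hexdigest()


def validate(order: dict) -> Decimal:
    """Input validation: returns the order total or raises OrderRejected."""
    if order.get("customer") not in CREDIT_LIMIT:
        raise OrderRejected("not an approved customer")
    if order.get("terms_accepted") != TERMS_VERSION:
        raise OrderRejected("terms of trade not agreed before processing")
    lines = order.get("lines")
    if not isinstance(lines, list) or not lines:
        raise OrderRejected("no order lines: browsing is not an order")
    total = Decimal("0")
    for line in lines:
        sku, qty = line.get("sku"), line.get("qty")
        if sku not in CATALOG or type(qty) is not int or not 0 < qty <= 1000:
            raise OrderRejected(f"invalid line {line!r}")
        total += CATALOG[sku] * qty
    return total


def record(ledger: Ledger, event: str, digest: str) -> None:
    """Append to a hash-chained trail; altering or deleting an entry breaks the chain."""
    prev = ledger.trail[-1]["chain"] if ledger.trail else "0" * 64
    chain = hashlib.sha256(f"{prev}|{event}|{digest}".encode()).hexdigest()
    ledger.trail.append({"event": event, "order": digest, "chain": chain})


def process_order(ledger: Ledger, order: dict) -> str:
    """Post the order only if every step completes; otherwise undo and reject."""
    key = order.get("idempotency_key")
    if not key:
        raise OrderRejected("missing idempotency key")
    digest = order_digest(order)
    if key in ledger.seen_keys:                         # duplicate submission
        if ledger.seen_keys[key] == digest:
            return digest                               # retry: same result, no second posting
        raise OrderRejected("idempotency key reused with different content")
    undo = []                                           # compensating actions
    try:
        total = validate(order)
        for line in order["lines"]:
            sku, qty = line["sku"], line["qty"]
            if ledger.stock[sku] < qty:
                raise OrderRejected(f"insufficient stock for {sku}")
            ledger.stock[sku] -= qty
            undo.append((sku, qty))
        if total > CREDIT_LIMIT[order["customer"]]:
            raise OrderRejected("credit limit exceeded")
    except OrderRejected as exc:
        for sku, qty in undo:                           # nothing stays half-done
            ledger.stock[sku] += qty
        record(ledger, f"rejected: {exc}", digest)
        raise
    ledger.seen_keys[key] = digest
    ledger.posted.append({"key": key, "customer": order["customer"], "total": str(total)})
    record(ledger, "posted", digest)
    return digest


def verify_trail(ledger: Ledger) -> bool:
    """Recompute the chain; False means an entry was altered, inserted or removed."""
    prev = "0" * 64
    for entry in ledger.trail:
        expected = hashlib.sha256(f"{prev}|{entry['event']}|{entry['order']}".encode()).hexdigest()
        if entry["chain"] != expected:
            return False
        prev = expected
    return True
```

A resubmission with the same idempotency key and identical content returns the original result without a second posting; the same key with different content is rejected as a replay with altered terms. When the credit check fails after stock has already been reserved for the first line, the reservation is reversed before the rejection is recorded, so the ledger never holds a partially processed order. An auditor can re-run `verify_trail` over a retained trail to confirm it has not been edited.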

20
Internal Control Considerations
  • Process Alignment
  • Process alignment refers to the way various IT
    systems are integrated with one another and thus
    operate, in effect, as one system.
  • The way e-commerce transactions are captured and
    transferred to the entity's accounting system may
    affect such matters as
  • the completeness and accuracy of transaction
    processing and information storage,
  • the timing of the recognition of sales revenues,
    purchases and other transactions, and
  • identification and recording of disputed
    transactions.
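Slide 19 names duplication and omission of transactions, and the slide above names completeness, accuracy, timing of recognition and disputed transactions as the things that can go wrong where web orders are carried into the accounting system. The detective test an IS auditor runs for all of these is a reconciliation of the web-shop order log against the general-ledger postings, a computer-assisted audit technique in the sense of ISACA G3. The Python below is an added example, not part of the presentation; the two CSV extracts and the period end are constructed sample data, and the column names are assumptions of this example.

```python
"""Reconciliation of web-shop orders to general-ledger sales postings (CAAT).

Constructed example: both extracts and the period end are invented sample
data; the column layout is an assumption, not a real system's export.
"""
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

WEB_ORDERS = """order_id,order_date,customer,amount,status
W-1001,2007-06-28,C-001,39.98,completed
W-1002,2007-06-29,C-002,5.00,completed
W-1003,2007-06-30,C-001,19.99,disputed
W-1004,2007-06-30,C-003,100.00,completed
W-1005,2007-07-01,C-002,10.00,completed
"""

GL_POSTINGS = """posting_id,order_ref,posting_date,amount
GL-1,W-1001,2007-06-28,39.89
GL-2,W-1002,2007-06-29,5.00
GL-3,W-1002,2007-06-29,5.00
GL-4,W-1003,2007-06-30,19.99
GL-5,W-1005,2007-06-30,10.00
GL-6,W-9999,2007-06-30,42.00
"""

PERIOD_END = date(2007, 6, 30)   # assumed reporting period end


def load(text: str) -> list:
    """Parse a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(web_csv: str, gl_csv: str, period_end: date) -> dict:
    """Match each web order to its ledger postings; return exceptions by type.

    Each value is a sorted list of order ids (or ledger references for
    postings that have no web order behind them).
    """
    orders = {r["order_id"]: r for r in load(web_csv)}
    postings_by_ref = defaultdict(list)
    for p in load(gl_csv):
        postings_by_ref[p["order_ref"]].append(p)
    found = defaultdict(set)
    for oid, o in orders.items():
        postings = postings_by_ref.pop(oid, [])
        if not postings:                                   # completeness: omitted
            found["omitted"].add(oid)
            continue
        if len(postings) > 1:                              # duplicated posting
            found["duplicated"].add(oid)
        if o["status"] == "disputed":                      # disputed order booked as revenue
            found["disputed_posted"].add(oid)
        order_date = date.fromisoformat(o["order_date"])
        for p in postings:
            if Decimal(p["amount"]) != Decimal(o["amount"]):   # accuracy
                found["amount_mismatch"].add(oid)
            posting_date = date.fromisoformat(p["posting_date"])
            # cutoff: revenue recognised in the period for an order placed after
            # period end, or a posting dated before the order existed
            if (order_date > period_end >= posting_date) or posting_date < order_date:
                found["cutoff"].add(oid)
    for ref in postings_by_ref:                            # postings with no web order
        found["unsupported"].add(ref)
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, ids in sorted(reconcile(WEB_ORDERS, GL_POSTINGS, PERIOD_END).items()):
        print(f"{kind:16s} {', '.join(ids)}")
```

On the sample data every exception class fires once: W-1004 never reached the ledger, W-1002 was posted twice, GL-1 carries a transposed amount for W-1001, W-1005 was ordered on 1 July but recognised in June, the disputed order W-1003 sits in revenue, and GL-6 references an order the web log does not contain. Each finding maps back to one of the control objectives on slides 19 and 20, which is what makes the output usable as audit evidence rather than just a data dump.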

21
ISACA IS Auditing Standards and Guidelines
  • Relationship between Standards, Guidelines and
    Procedures
  • Standards
  • Must be followed by IS auditors
  • Guidelines
  • Provide assistance on how to implement the
    standards
  • Procedures
  • Provide examples for implementing the standards

22
ISACA IS Auditing Standards and Guidelines
  • Objectives of ISACA IS Auditing Standards
  • Inform management and other interested parties of
    the profession's expectations concerning the work
    of audit practitioners
  • Inform information system auditors of the minimum
    level of acceptable performance required to meet
    professional responsibilities set out in the
    ISACA Code of Professional Ethics

23
ISACA IS Auditing Standards and Guidelines
  • IS Auditing Standards
  • S1 Audit Charter
  • S2 Independence
  • S3 Ethics and Standards
  • S4 Competence
  • S5 Planning
  • S6 Performance of Audit Work
  • S7 Reporting
  • S8 Follow-up Activities
  • S9 Irregularities and Illegal Acts
  • S10 IT Governance
  • S11 Use of Risk Assessment in Audit Planning
  • S12 Audit Materiality
  • S13 Using the Work of Other Experts
  • S14 Audit Evidence

24
ISACA IS Auditing Standards and Guidelines
  • ISACA IS Auditing Guidelines
  • Consider the guidelines in determining how to
    implement the standards
  • Use professional judgment in applying these
    guidelines
  • Be able to justify any departure
  • (Index of Guidelines)

25
ISACA IS Auditing Guidelines
  • G1 Using the Work of Other Auditors 1 June 1998
  • G2 Audit Evidence Requirement 1 December 1998
  • G3 Use of Computer Assisted Audit Techniques
    (CAATs) 1 December 1998
  • G4 Outsourcing of IS Activities to Other
    Organizations 1 September 1999
  • G5 Audit Charter 1 September 1999
  • G6 Materiality Concepts for Auditing Information
    Systems 1 September 1999
  • G7 Due Professional Care 1 September 1999
  • G8 Audit Documentation 1 September 1999
  • G9 Audit Considerations for Irregularities 1
    March 2000
  • G10 Audit Sampling 1 March 2000

26
ISACA IS Auditing Guidelines (cont.)
  • G11 Effect of Pervasive IS Controls 1 March 2000
  • G12 Organizational Relationship and Independence
    1 September 2000
  • G13 Use of Risk Assessment in Audit Planning 1
    September 2000
  • G14 Application Systems Review 1 November 2001
  • G15 Planning Revised 1 March 2002
  • G16 Effect of Third Parties on an Organization's
    IT Controls 1 March 2002
  • G17 Effect of Nonaudit Role on the IS Auditor's
    Independence 1 July 2002
  • G18 IT Governance 1 July 2002
  • G19 Irregularities and Illegal Acts 1 July 2002
  • G20 Reporting 1 January 2003

27
ISACA IS Auditing Guidelines (cont.)
  • G21 Enterprise Resource Planning (ERP) Systems
    Review 1 August 2003
  • G22 Business-to-consumer (B2C) E-commerce Review
    1 August 2003
  • G23 System Development Life Cycle (SDLC) Reviews
    1 August 2003
  • G24 Internet Banking 1 August 2003
  • G25 Review of Virtual Private Networks 1 July
    2004
  • G26 Business Process Reengineering (BPR) Project
    Reviews 1 July 2004
  • G27 Mobile Computing 1 September 2004
  • G28 Computer Forensics 1 September 2004
  • G29 Post-implementation Review 1 January 2005
  • G30 Competence 1 June 2005

28
ISACA IS Auditing Guidelines (cont.)
  • G31 Privacy 1 June 2005
  • G32 Business Continuity Plan (BCP) Review From IT
    Perspective 1 September 2005
  • G33 General Considerations on the Use of the
    Internet 1 March 2006
  • G34 Responsibility, Authority and Accountability
    1 March 2006
  • G35 Follow-up Activities 1 March 2006
  • G36 Biometric Controls 1 February 2007

29
ISACA IS Auditing Standards and Guidelines
  • ISACA Auditing Procedures
  • Procedures developed by the ISACA Standards Board
    provide examples.
  • The IS auditor should apply their own
    professional judgment to the specific
    circumstances.
  • (Index of Procedures)

30
ISACA IS Auditing Procedures
  • P1 IS Risk Assessment 1 July 2002
  • P2 Digital Signatures 1 July 2002
  • P3 Intrusion Detection 1 August 2003
  • P4 Viruses and other Malicious Code 1 August 2003
  • P5 Control Risk Self-assessment 1 August 2003
  • P6 Firewalls 1 August 2003
  • P7 Irregularities and Illegal Acts 1 November
    2003
  • P8 Security Assessment: Penetration Testing and
    Vulnerability Analysis 1 September 2004
  • P9 Evaluation of Management Controls Over
    Encryption Methodologies 1 January 2005
  • P10 Business Application Change Control 1 October
    2006
  • P11 Electronic Funds Transfer (EFT) 1 May 2007

31
Questions and Answers
Thank you! Reginald C. Nery, Partner, KPMG Manabat
Sanagustin & Co., Risk Advisory Services
Tel. 885-06-07, 885-70-00 ext. 207/429
rcnery@kpmg.com