Title: Required Auditing Standards in a Computerized Environment - Reggie C. Nery, CPA, CIA, CISA, CISSP, CCSA
Slide 1: Required Auditing Standards in a Computerized Environment
Reggie C. Nery, CPA, CIA, CISA, CISSP, CCSA
Manabat Sanagustin & Co. (formerly Laya Mananghaya & Co.)
July 19, 2007
Risk Advisory Services
Slide 2: Agenda
- Auditing and Related Standards in a Computerized Environment
- Purpose of PAPS 1013
- What PAPS 1013 is NOT
- eCommerce and eBusiness Defined
- Current Opportunities and Challenges
- Skills and Knowledge of Auditors
- Risk Identification
- Legal and Regulatory Issues
- Internal Control Considerations
- ISACA Standards, Guidelines and Procedures
Slide 3: Auditing and Related Standards in a Computerized Environment
- LOCAL
  - Philippine Auditing Practice Statement (PAPS) 1013
- INTERNATIONAL
  - ISACA IS Auditing Standards, Guidelines and Procedures
  - IT Governance Institute's COBIT 4.1 and IT Assurance Guide
  - Office of Government Commerce's ITIL and PRINCE2
  - Project Management Institute's PMBOK
  - ISO 27001 (BS7799/ISO17799)
  - AICPA's Statements on Auditing Standards (SAS) 48, SAS 70, SAS 94
Slide 4: Purpose of Philippine Auditing Practice Statement (PAPS) 1013
- Provides guidance to assist auditors of financial statements where an entity engages in commercial activity that takes place by means of connected computers over a public network, such as the Internet (e-commerce)
- Identifies specific matters to assist the auditor when considering the significance of e-commerce to the entity's business activities and the effect of e-commerce on the auditor's assessments of risk for the purpose of forming an opinion on the financial statements.
Slide 5: What PAPS 1013 is NOT
- It is not intended to form an opinion or provide consulting advice concerning the entity's e-commerce systems or activities in their own right.
Slide 6: Electronic Commerce / Electronic Business Defined
Electronic Commerce (E-Commerce) is the application of advanced information technologies to increase the effectiveness of commercial practices between business partners; it refers solely to transactional activities (such as the buying and selling of goods and services).
- This includes
  - Business-to-Business Commerce (B2B)
  - Business-to-Consumer Commerce (B2C)
  - Internal information collaboration and communication
E-Business is used to refer to all business activities, both transactional and non-transactional, such as customer relations and communications.
Slide 7: Opportunities in eCommerce
- Companies that can provide secure, web-enabled business system transactions and access to information are able to perform in the global economy with greater efficiency and trust. Getting to market with these types of systems can provide competitive advantage by
  - Attracting new customers
  - Increasing customer loyalty
  - Decreasing transaction costs
  - Delivering new value to stakeholders
  - Enhancing brand image
- Technology advances over the next decade will continue to drive eCommerce users closer to the "anytime, anywhere" information access model.
Slide 8: Challenges to eCommerce
- As customers and partners become more accustomed to instant information, companies are being pressured to provide web-based access to core business systems, thus making business models more transparent.
- Utilizing the Internet for business-to-business information exchange has many challenges
  - The Internet is not a secure transmission medium
  - Privacy is difficult to ensure
  - Reliability can be an issue
Slide 9: Skills and Knowledge
- Appropriate levels of both information technology (IT) and Internet business knowledge may be required to
  - Understand, so far as they may affect the financial statements
    - The entity's e-commerce strategy and activities,
    - The technology used to facilitate the entity's e-commerce activities and the IT skills and knowledge of entity personnel,
    - The risks involved in the entity's use of e-commerce and the entity's approach to managing those risks, particularly the adequacy of the internal control system, including the security infrastructure and related controls, as it affects the financial reporting process,
  - Determine the nature, timing and extent of audit procedures and evaluate audit evidence,
  - Consider the effect of the entity's dependence on e-commerce activities on its ability to continue as a going concern.
  - Consider the use of the work of an expert, for example if the auditor considers it appropriate to test controls by attempting to break through the security layers of the entity's system (vulnerability and penetration testing).
Slide 10: Skills and Knowledge
- KNOWLEDGE OF THE BUSINESS
  - In obtaining or updating knowledge of the entity's business, the auditor considers, so far as they affect the financial statements
    - the entity's business activities and industry,
    - the entity's e-commerce strategy,
    - the extent of the entity's e-commerce activities, and
    - the entity's outsourcing arrangements.
Slide 11: Skills and Knowledge
- KNOWLEDGE OF THE BUSINESS
  - Examples of industries that are being transformed by e-commerce include
    - computer software,
    - securities trading,
    - banking,
    - travel services,
    - books and magazines,
    - recorded music,
    - advertising,
    - news media,
    - biddings and auctions, and
    - education.
Slide 12: Skills and Knowledge
- KNOWLEDGE OF THE BUSINESS
  - Matters that may be relevant to the auditor when considering the entity's e-commerce strategy include
    - involvement of those charged with governance in considering the alignment of e-commerce activities with the entity's overall business strategy,
    - whether e-commerce supports a new activity for the entity, or whether it is intended to make existing activities more efficient or reach new markets for existing activities,
    - sources of revenue for the entity and how these are changing (for example, whether the entity will be acting as a principal or agent for goods or services sold),
    - management's evaluation of how e-commerce affects the earnings of the entity and its financial requirements,
    - management's attitude to risk and how this may affect the risk profile of the entity,
Slide 13: Skills and Knowledge
- KNOWLEDGE OF THE BUSINESS
  - e-commerce strategy (cont.)
    - the extent to which management has identified e-commerce opportunities and risks in a documented strategy that is supported by appropriate controls, or whether e-commerce is subject to ad hoc development responding to opportunities and risks as they arise, and
    - management's commitment to relevant codes of best practice or web seal programs.
Slide 14: Skills and Knowledge
- KNOWLEDGE OF THE BUSINESS
  - Extent of e-commerce activities
    - For example, e-commerce might be used to
      - provide only information about the entity and its activities, which can be accessed by third parties such as investors, customers, suppliers, finance providers, and employees,
      - facilitate transactions with established customers whereby transactions are entered via the Internet,
      - gain access to new markets and new customers by providing information and transaction processing via the Internet,
      - access Application Service Providers (ASPs), and
      - create an entirely new business model.
Slide 15: Risk Identification
- loss of transaction integrity,
- pervasive e-commerce security risks,
- system availability risks,
- loss of information privacy,
- improper accounting policies related to, for example, capitalization of expenditures such as website development costs, misunderstanding of complex contractual arrangements, title transfer risks, translation of foreign currencies, allowances for warranties or returns, and revenue recognition issues,
- noncompliance with taxation and other legal and regulatory requirements,
- failure to ensure that contracts evidenced only by electronic means are binding, and
- over-reliance on e-commerce when placing significant business systems or other business transactions on the Internet.
Slide 16: Risk Identification
- Measures to address risks identified
  - verify the identity of customers and suppliers,
  - ensure the integrity of transactions and business processes,
  - ensure that information and information systems are available during the periods disclosed by the entity,
  - obtain agreement on terms of trade, including agreement of delivery and credit terms and dispute resolution processes, which may address tracking of transactions and procedures to ensure a party to a transaction cannot later deny having agreed to specified terms (non-repudiation procedures),
  - obtain payment from, or secure credit facilities for, customers, and
  - establish privacy and information protection protocols.
Slide 17: Legal and Regulatory Issues
- Legal or regulatory issues that may be particularly relevant in an e-commerce environment include
  - adherence to national and international privacy requirements,
  - adherence to national and international requirements for regulated industries,
  - the enforceability of contracts,
  - the legality of particular activities, for example Internet gambling,
  - the risk of money laundering, and
  - violation of intellectual property rights.
Slide 18: Internal Control Considerations
- To the extent they are relevant to the financial statement assertions, the auditor considers such matters as
  - the effective use of firewalls and virus protection software to protect its systems from the introduction of unauthorized or harmful software, data or other material in electronic form,
  - the effective use of encryption, including both
    - maintaining the privacy and security of transmissions through, for example, authorization of decryption keys, and
    - preventing the misuse of encryption technology through, for example, controlling and safeguarding private decryption keys,
  - controls over the development and implementation of systems used to support e-commerce activities,
  - whether security controls in place continue to be effective as new technologies that can be used to attack Internet security become available, and
  - whether the control environment supports the control procedures implemented.
Slide 19: Internal Control Considerations
- Transaction Integrity
  - Controls are often designed to, for example
    - validate input,
    - prevent duplication or omission of transactions,
    - ensure the terms of trade have been agreed before an order is processed, including delivery and credit terms,
    - distinguish between customer browsing and orders placed, ensure a party to a transaction cannot later deny having agreed to specified terms (non-repudiation), and ensure transactions are with approved parties when appropriate,
    - prevent incomplete processing by ensuring all steps are completed and recorded or, if all steps are not completed and recorded, by rejecting the order,
    - ensure the proper distribution of transaction details across multiple systems in a network, and
    - ensure records are properly retained, backed-up and secured.
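The transaction-integrity controls listed on this slide, and the measures on slide 16 (verify identity, ensure integrity, agreed terms of trade, non-repudiation), are the kind of thing an IS auditor tests in an order-intake system. The following is an added illustration of such a control set in code; it is not code from PAPS 1013 or the presentation. Everything in it is assumed: the order record layout, the approved-party list, the per-customer keys, the terms-of-trade version, and the use of an HMAC as the integrity tag. An HMAC over a shared secret proves integrity and origin to the entity but is not true non-repudiation, which needs a digital signature with a key only the customer holds (ISACA procedure P2 on the later slides); the structure of the checks is the same either way.

```python
"""Order-intake checks modelled on the transaction-integrity controls above.
Added illustration, not code from PAPS 1013 or the presentation. Assumed:
field names, sample customers/keys, terms version, and HMAC as the tag."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Tuple

# Constructed sample data: approved customers and the keys they authenticate with.
CUSTOMER_KEYS = {"C-1001": b"sample-key-c1001", "C-2002": b"sample-key-c2002"}
APPROVED_PARTIES = set(CUSTOMER_KEYS)
TERMS_VERSION = "terms-2007-07"  # hypothetical current terms-of-trade version


def canonical(order: dict) -> bytes:
    """Stable serialisation covered by the integrity tag (the tag itself excluded)."""
    body = {k: v for k, v in order.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(order: dict, key: bytes) -> str:
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


@dataclass
class OrderLedger:
    """Accepted orders and rejections: the audit trail the auditor later tests."""
    accepted: dict = field(default_factory=dict)   # order_id -> order
    rejected: list = field(default_factory=list)   # (order_id, reason)

    def process(self, order: dict) -> Tuple[bool, str]:
        oid = order.get("order_id", "<missing>")
        steps = (self._validate_input, self._approved_party, self._terms_agreed,
                 self._integrity, self._not_duplicate)
        # No partial processing: a failure at any step rejects the order and
        # nothing about it is recorded as accepted.
        for step in steps:
            ok, reason = step(order)
            if not ok:
                self.rejected.append((oid, reason))
                return False, reason
        self.accepted[oid] = order
        return True, "accepted"

    def _validate_input(self, order):
        required = {"order_id", "customer_id", "sku", "qty", "unit_price",
                    "terms_version", "intent", "mac"}
        missing = required - order.keys()
        if missing:
            return False, f"missing fields: {sorted(missing)}"
        if not isinstance(order["qty"], int) or order["qty"] <= 0:
            return False, "qty must be a positive integer"
        if not isinstance(order["mac"], str) or order["unit_price"] <= 0:
            return False, "bad mac or non-positive unit_price"
        return True, ""

    def _approved_party(self, order):
        # Distinguish browsing from an order, then check the party is approved.
        if order["intent"] != "order":
            return False, "not an order (browsing/quote only)"
        if order["customer_id"] not in APPROVED_PARTIES:
            return False, "customer not an approved party"
        return True, ""

    def _terms_agreed(self, order):
        if order["terms_version"] != TERMS_VERSION:
            return False, "terms of trade not agreed to current version"
        return True, ""

    def _integrity(self, order):
        key = CUSTOMER_KEYS[order["customer_id"]]
        if not hmac.compare_digest(sign(order, key), order["mac"]):
            return False, "integrity tag mismatch (altered or unauthenticated)"
        return True, ""

    def _not_duplicate(self, order):
        if order["order_id"] in self.accepted:
            return False, "duplicate order_id"
        return True, ""


def make_order(order_id, customer_id, **fields) -> dict:
    """Build a constructed sample order tagged with the customer's key."""
    order = {"order_id": order_id, "customer_id": customer_id, "sku": "SKU-1",
             "qty": 2, "unit_price": 10.0, "terms_version": TERMS_VERSION,
             "intent": "order"}
    order.update(fields)
    order["mac"] = sign(order, CUSTOMER_KEYS.get(customer_id, b"unknown"))
    return order


def demo() -> OrderLedger:
    """Run one good order and five control violations through the ledger."""
    ledger = OrderLedger()
    good = make_order("O-1", "C-1001")
    ledger.process(good)
    ledger.process(good)                                        # replayed twice
    ledger.process(make_order("O-2", "C-1001", intent="browse"))  # browsing only
    altered = dict(make_order("O-3", "C-2002"))
    altered["qty"] = 200                                        # changed after tagging
    ledger.process(altered)
    ledger.process(make_order("O-4", "C-1001", terms_version="terms-2005-01"))
    ledger.process(make_order("O-5", "C-2002", qty=0))           # fails input validation
    return ledger


if __name__ == "__main__":
    result = demo()
    print("accepted:", list(result.accepted))
    print("rejected:", result.rejected)
```

The point for the auditor is the ordering of the checks and the all-or-nothing outcome: an order is recorded as accepted only after every control has passed, and every rejection is recorded with its reason, so both the completeness of accepted transactions and the operation of each control can be tested from the ledger.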
Slide 20: Internal Control Considerations
- Process Alignment
  - Process alignment refers to the way various IT systems are integrated with one another and thus operate, in effect, as one system.
  - The way e-commerce transactions are captured and transferred to the entity's accounting system may affect such matters as
    - the completeness and accuracy of transaction processing and information storage,
    - the timing of the recognition of sales revenues, purchases and other transactions, and
    - identification and recording of disputed transactions.
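A common audit procedure for the process-alignment matters on this slide is to reconcile the e-commerce order feed against what reached the accounting system and report the exceptions by category: completeness (orders never posted), accuracy (amounts that differ), timing (revenue posted before the goods shipped) and disputed transactions posted as ordinary revenue. The block below is an added example of that reconciliation, not code from the presentation or PAPS 1013. The record layouts, the rule that revenue is recognised on shipment, the period end and all sample rows are assumptions constructed for the illustration.

```python
"""Reconciliation of a web order feed against accounting postings.
Added example; layouts, recognition rule and sample rows are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class WebOrder:
    order_id: str
    amount: float
    shipped: Optional[date]       # None = not yet shipped, so no revenue yet
    disputed: bool = False


@dataclass(frozen=True)
class LedgerEntry:
    order_id: str
    amount: float
    posted: date


def reconcile(orders: List[WebOrder], entries: List[LedgerEntry],
              period_end: date) -> Dict[str, List[str]]:
    """Return exception lists an auditor would follow up, keyed by category."""
    by_order = {o.order_id: o for o in orders}
    posted: Dict[str, LedgerEntry] = {}
    exc: Dict[str, List[str]] = {
        "missing_posting": [], "unmatched_posting": [], "duplicate_posting": [],
        "amount_mismatch": [], "premature_recognition": [], "disputed_posted": []}
    for e in entries:
        if e.order_id in posted:                     # same order posted twice
            exc["duplicate_posting"].append(e.order_id)
            continue
        posted[e.order_id] = e
        o = by_order.get(e.order_id)
        if o is None:                                # posting with no source order
            exc["unmatched_posting"].append(e.order_id)
            continue
        if abs(o.amount - e.amount) > 0.005:         # accuracy
            exc["amount_mismatch"].append(e.order_id)
        if o.shipped is None or e.posted < o.shipped:  # timing of recognition
            exc["premature_recognition"].append(e.order_id)
        if o.disputed:                               # disputed but booked as normal
            exc["disputed_posted"].append(e.order_id)
    for o in orders:                                 # completeness, with cut-off
        if o.order_id not in posted and o.shipped is not None and o.shipped <= period_end:
            exc["missing_posting"].append(o.order_id)
    return exc


def demo() -> Dict[str, List[str]]:
    """Constructed sample: six web orders and six postings for period to 30 June 2007."""
    orders = [
        WebOrder("W-1", 100.0, date(2007, 6, 10)),
        WebOrder("W-2", 250.0, date(2007, 6, 20)),          # never posted
        WebOrder("W-3", 80.0, date(2007, 6, 25)),           # posted at wrong amount
        WebOrder("W-4", 60.0, None),                        # posted before shipment
        WebOrder("W-5", 40.0, date(2007, 6, 15), disputed=True),
        WebOrder("W-6", 120.0, date(2007, 7, 5)),           # ships next period: not missing
    ]
    entries = [
        LedgerEntry("W-1", 100.0, date(2007, 6, 11)),
        LedgerEntry("W-3", 85.0, date(2007, 6, 26)),
        LedgerEntry("W-4", 60.0, date(2007, 6, 28)),
        LedgerEntry("W-5", 40.0, date(2007, 6, 16)),
        LedgerEntry("W-1", 100.0, date(2007, 6, 30)),       # duplicate posting
        LedgerEntry("W-9", 15.0, date(2007, 6, 29)),        # no such web order
    ]
    return reconcile(orders, entries, date(2007, 6, 30))


if __name__ == "__main__":
    for category, ids in demo().items():
        print(f"{category}: {ids}")
```

The cut-off check matters: an order shipped after the period end is correctly absent from the period's postings, so it is not reported as missing. Each exception category maps to one of the slide's concerns, which is what makes the output usable as audit evidence rather than a raw diff of two files.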
Slide 21: ISACA IS Auditing Standards and Guidelines
- Relationship between Standards, Guidelines and Procedures
  - Standards
    - Must be followed by IS auditors
  - Guidelines
    - Provide assistance on how to implement the standards
  - Procedures
    - Provide examples for implementing the standards
Slide 22: ISACA IS Auditing Standards and Guidelines
- Objectives of ISACA IS Auditing Standards
  - Inform management and other interested parties of the profession's expectations concerning the work of audit practitioners
  - Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics
Slide 23: ISACA IS Auditing Standards and Guidelines
- ISACA IS Auditing Standards
  - S1 Audit Charter
  - S2 Independence
  - S3 Ethics and Standards
  - S4 Competence
  - S5 Planning
  - S6 Performance of Audit Work
  - S7 Reporting
  - S8 Follow-up Activities
  - S9 Irregularities and Illegal Acts
  - S10 IT Governance
  - S11 Use of Risk Assessment in Audit Planning
  - S12 Audit Materiality
  - S13 Using the Work of Other Experts
  - S14 Audit Evidence
Slide 24: ISACA IS Auditing Standards and Guidelines
- ISACA IS Auditing Guidelines
  - Consider the guidelines in determining how to implement the standards
  - Use professional judgment in applying these guidelines
  - Be able to justify any departure
  - (Index of Guidelines)
Slide 25: ISACA IS Auditing Guidelines
- G1 Using the Work of Other Auditors (1 June 1998)
- G2 Audit Evidence Requirement (1 December 1998)
- G3 Use of Computer Assisted Audit Techniques (CAATs) (1 December 1998)
- G4 Outsourcing of IS Activities to Other Organizations (1 September 1999)
- G5 Audit Charter (1 September 1999)
- G6 Materiality Concepts for Auditing Information Systems (1 September 1999)
- G7 Due Professional Care (1 September 1999)
- G8 Audit Documentation (1 September 1999)
- G9 Audit Considerations for Irregularities (1 March 2000)
- G10 Audit Sampling (1 March 2000)
Slide 26: ISACA IS Auditing Guidelines (cont.)
- G11 Effect of Pervasive IS Controls (1 March 2000)
- G12 Organizational Relationship and Independence (1 September 2000)
- G13 Use of Risk Assessment in Audit Planning (1 September 2000)
- G14 Application Systems Review (1 November 2001)
- G15 Planning, Revised (1 March 2002)
- G16 Effect of Third Parties on an Organization's IT Controls (1 March 2002)
- G17 Effect of Nonaudit Role on the IS Auditor's Independence (1 July 2002)
- G18 IT Governance (1 July 2002)
- G19 Irregularities and Illegal Acts (1 July 2002)
- G20 Reporting (1 January 2003)
Slide 27: ISACA IS Auditing Guidelines (cont.)
- G21 Enterprise Resource Planning (ERP) Systems Review (1 August 2003)
- G22 Business-to-consumer (B2C) E-commerce Review (1 August 2003)
- G23 System Development Life Cycle (SDLC) Reviews (1 August 2003)
- G24 Internet Banking (1 August 2003)
- G25 Review of Virtual Private Networks (1 July 2004)
- G26 Business Process Reengineering (BPR) Project Reviews (1 July 2004)
- G27 Mobile Computing (1 September 2004)
- G28 Computer Forensics (1 September 2004)
- G29 Post-implementation Review (1 January 2005)
- G30 Competence (1 June 2005)
Slide 28: ISACA IS Auditing Guidelines (cont.)
- G31 Privacy (1 June 2005)
- G32 Business Continuity Plan (BCP) Review From IT Perspective (1 September 2005)
- G33 General Considerations on the Use of the Internet (1 March 2006)
- G34 Responsibility, Authority and Accountability (1 March 2006)
- G35 Follow-up Activities (1 March 2006)
- G36 Biometric Controls (1 February 2007)
Slide 29: ISACA IS Auditing Standards and Guidelines
- ISACA Auditing Procedures
  - Procedures developed by the ISACA Standards Board provide examples.
  - The IS auditor should apply their own professional judgment to the specific circumstances.
  - (Index of Procedures)
Slide 30: ISACA IS Auditing Procedures
- P1 IS Risk Assessment (1 July 2002)
- P2 Digital Signatures (1 July 2002)
- P3 Intrusion Detection (1 August 2003)
- P4 Viruses and other Malicious Code (1 August 2003)
- P5 Control Risk Self-assessment (1 August 2003)
- P6 Firewalls (1 August 2003)
- P7 Irregularities and Illegal Acts (1 November 2003)
- P8 Security Assessment: Penetration Testing and Vulnerability Analysis (1 September 2004)
- P9 Evaluation of Management Controls Over Encryption Methodologies (1 January 2005)
- P10 Business Application Change Control (1 October 2006)
- P11 Electronic Funds Transfer (EFT) (1 May 2007)
Slide 31: Questions & Answers
Thank you!
Reginald C. Nery, Partner, KPMG Manabat Sanagustin & Co., Risk Advisory Services
Tel. 885-06-07, 885-70-00 ext 207/429
rcnery_at_kpmg.com