Auditing Computer Systems - PowerPoint PPT Presentation

Loading...

PPT – Auditing Computer Systems PowerPoint presentation | free to download - id: 40c1a1-ZTM3Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Auditing Computer Systems

Description:

Dr. Yan Xiong College of Business CSU Sacramento 9/11/03 Agenda Auditing scope and objectives Information system (IS) audit objectives Study ... – PowerPoint PPT presentation

Number of Views:21
Avg rating:3.0/5.0
Slides: 55
Provided by: csusEdui79
Learn more at: http://www.csus.edu
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Auditing Computer Systems


1
Auditing Computer Systems
  • Dr. Yan Xiong
  • College of Business
  • CSU Sacramento
  • 9/11/03

2
Agenda
  • Auditing scope and objectives
  • Information system (IS) audit
    objectives
  • Study and evaluation of internal
    control in an AIS
  • Computer audit software

3
Internal Auditing Standards
  • According to the Institute of Internal Auditors
    (IIA), the purpose of an internal audit is to
    evaluate the adequacy and effectiveness of a
    companys internal control system.
  • Also, it is to determine the extent to which
    assigned responsibilities are actually carried
    out.

4
Internal Auditing Standards
  • The IIAs five audit scope standards are
  • Review the reliability and integrity of operating
    and financial information and how it is
    identified, measured, classified, and reported.
  • Determine whether the systems designed to comply
    with operating and reporting policies, plans,
    procedures, laws, and regulations are actually
    being followed.

5
Internal Auditing Standards
  • Review how assets are safeguarded, and verify the
    existence of assets as appropriate.
  • Examine company resources to determine how
    effectively and efficiently they are utilized.
  • Review company operations and programs to
    determine whether they are being carried out as
    planned and whether they are meeting their
    objectives.

6
Types of Internal Auditing Work
  • What are the three different types of audits
    commonly performed?
  • Financial audit
  • Information system (IS) audit
  • Operational or management audit

7
Types of Internal Auditing Work
  • The financial audit examines the reliability and
    integrity of accounting records (both financial
    and operating information).
  • The information systems (IS) audit reviews the
    general and application controls in an AIS to
    assess its compliance with internal control
    policies and procedures and its effectiveness in
    safeguarding assets.

8
Types of Internal Auditing Work
  • The operational, or management, audit is
    concerned with the economical and efficient use
    of resources and the accomplishment of
    established goals and objectives.

9
An Overview of the Auditing Process
  • All audits follow a similar sequence of
    activities and may be divided into four stages.
  • Audit planning
  • Collection of audit evidence
  • Evaluation of audit evidence
  • Communication of audit results

10
An Overview of theAuditing Process
Audit Planning Establish scope and
objectives Organize audit team Develop knowledge
of business operations Review prior audit
results Identify risk factors Prepare audit
program
11
An Overview of theAuditing Process
Collection of Audit Evidence Observation of
operating activities Review of documentation Discu
ssion with employees and questionnaires Physical
examination of assets Confirmation through third
parties Reperformance of procedures Vouching of
source documents Analytical review and sampling
12
An Overview of theAuditing Process
Evaluation of Audit Evidence Assess quality of
internal controls Assess reliability of
information Assess operating performance Consider
need for additional evidence Consider risk
factors Consider materiality factors Document
audit findings
13
An Overview of theAuditing Process
Communication of Audit Results Formulate audit
conclusions Develop recommendations for
management Present audit results to management
14
Operational Audits of an AIS
  • The techniques and procedures used in operational
    audits are similar to those of IS and financial
    audits.
  • The basic difference is that the IS audit scope
    is confined to internal controls, whereas the
    financial audit scope is limited to IIS output.
  • The operational audit scope encompasses all
    aspects of IS management.

15
Operational Audits of an AIS
  • Operational audit objectives include evaluating
    effectiveness, efficiency, and goal
    achievement.
  • What are some evidence collection activities?
  • reviewing operating policies and documentation
  • confirming procedures with management and
    operating personnel

16
Operational Audits of an AIS
  • observing operating functions and activities
  • examining financial and operating plans and
    reports
  • testing the accuracy of operating information
  • testing controls

17
Agenda
  • Auditing scope and objectives
  • Information system (IS) audit
    objectives
  • Study and evaluation of internal
    control in an AIS
  • Computer audit software

18
IS Audits
  • Purpose of AIS audit review
    and evaluate internal
    controls that protect system
  • When performing IS audit, auditors
    ascertain that certain objectives met

19
Audit Objectives
  • Security provisions protect
    computer equipment, programs,
    communications, and data from
    unauthorized access, modification, or
    destruction
  • Program development and acquisition performed in
    accordance with managements general and
    specific authorization

20
Audit Objectives
  • Program modifications have
    authorization and approval of
    management
  • Processing of transactions, files,
    reports, and other computer records accurate and
    complete

21
Audit Objectives
  • Source data that is
    inaccurate or improperly authorized
    identified and handled according to
    prescribed managerial policies
  • Computer data files are accurate, complete, and
    confidential

22
Audit Objectives
1 Overall Security
Source Data
Files
Enter
Source Data
Process
3 Program Modification
Output
Programs
23
Risk-Based Audit
  • Approach provides auditors
    with clear understanding of errors and
    irregularities that can occur and
    related risks and exposures
  • Provides basis for developing recommendations to
    management on how AIS control system should be
    improved

24
Risk-Based Audit
  • Four-step approach
  • Determine threats facing AIS
  • Identify control procedures that should be in
    place to minimize each threat
  • Evaluate existing control procedures
  • Determine weaknesses

25
Agenda
  • Auditing scope and objectives
  • Information system (IS) audit
    objectives
  • Study and evaluation of internal
    control in an AIS
  • Computer audit software

26
Audit Framework
5 Source Data
6 Data Files
1 Overall Security
Source Data
Files
Types of Errors / Fraud
Enter
Control Procedures
Audit Procedures System Review
Source Data
2 Program Development
Audit Procedures Tests of Controls
Process
3 Program Modification
Compensating Controls
Output
4 Processing
Programs
27
Overall Security
  • Security errors and fraud
  • theft of or accidental / intentional
    damage to hardware and files
  • loss, theft, or unauthorized access to programs,
    data files or disclosure of confidential data
  • unauthorized modification or use of programs and
    data files

28
Overall Security
  • Control procedures
  • develop information security
    and protection plan - restrict
    physical and logical access
  • encrypt data / protect against viruses
  • implement firewalls
  • institute data transmission controls, and
    prevent and recover from system
    failures or disasters

29
Overall Security
  • Systems review audit procedures
  • inspect computer sites
  • interview personnel
  • review policies and procedures
  • examine access logs, insurance policies, and
    disaster recovery plan

30
Overall Security
  • Tests of control audit procedures
  • observing procedures
  • verifying controls are in place
    and work as intended
  • investigating errors or problems to ensure they
    were handled correctly
  • examining any test previously performed

31
Overall Security
  • Compensating controls
  • sound personnel
    policies
  • effective user controls
  • segregation of incompatible duties

32
Program Development
  • Types of errors and fraud
  • inadvertent programming errors
  • unauthorized program code

33
Program Development
  • Control procedures
  • management authorizes and approves
    programming specifications
  • user approves of programming specifications
  • thorough testing of new programs and user
    acceptance testing
  • complete systems documentation

34
Program Development
  • Systems review audit procedures
  • independent review of development process
  • systems review of development policies,
    authorization, and approval procedure
  • documentation standards
  • program testing and test approval procedures

35
Program Development
  • Tests of control audit procedures
  • interview users about involvement
  • verify user sign-off at milestone points
  • review test specifications, data, and results

36
Program Development
  • Compensating controls
  • strong processing controls
  • independent processing of test
    data by auditor

37
Program Modification
  • Types of errors and fraud
  • inadvertent programming errors
  • unauthorized program code
  • These are the same as in audit program
    development.

38
Program Modification
  • Control procedures
  • listing of program components that are to be
    modified, and management authorization and
    approval of programming modifications
  • user approval of program changes specifications
  • thorough testing of program changes, including
    user acceptance test

39
Program Modification
  • Systems review audit procedures
  • reviewing program modification policies,
    standards, and procedures
  • reviewing documentation standards for program
    modification, program modification testing, and
    test approval procedures
  • discussing systems development procedures with
    management

40
Program Modification
  • Tests of control audit procedures
  • interviewing users about involvement in systems
    design and implementation
  • reviewing minutes of development team meetings
    for evidence of involvement
  • verifying management and user sign-off at
    milestone points in the development process
  • reviewing test specifications, data, and results

41
Program Modification
  • Compensating controls
  • strong processing controls
  • independent processing of test data by auditor
  • These are the same as in audit program
    development.

42
Processing Controls
  • Types of errors and fraud
  • intentional or unintentional report inaccuracies
  • Control procedures
  • proper use of internal and external file labels
  • Systems review audit procedures
  • observe computer operations and data control
    functions

43
Processing Controls
  • Tests of control audit procedures
  • evaluation of adequacy and completeness of data
    editing controls
  • Compensating controls
  • strong user controls

44
Source Data Controls
  • Types of errors and fraud
  • inadequate source data
  • Control procedures
  • user authorization of source data input
  • Systems review audit procedures
  • reviewing documentation for source data control
    standards

45
Source Data Controls
  • Tests of control audit procedures
  • examination of samples of accounting source data
    for proper authorization
  • Compensating controls
  • strong processing controls

46
Data File Controls
  • Types of errors and fraud
  • unauthorized modification or disclosure of
    stored data
  • Control procedures
  • concurrent update controls
  • Systems review audit procedures
  • examination of disaster recovery plan

47
Data File Controls
  • Tests of control audit procedures
  • observing and evaluating file library operations
  • Compensating controls
  • effective computer security controls

48
Agenda
  • Auditing scope and objectives
  • Information system (IS) audit
    objectives
  • Study and evaluation of internal
    control in an AIS
  • Computer audit software

49
Computer Software
  • Computer audit software (CAS) or
    generalized audit software (GAS),
    written for auditors
  • CAS is computer program that, based on the
    auditors specifications, generates programs
    performing audit functions

50
Types of CAS
  • Integrated Test Facilities
  • Embedded Audit Modules
    (EAM)
  • Audit Hooks
  • Snapshot
  • SCARF
  • Audit Control Language (ACL)

51
Usage of Computer Software
  • The auditors first step is to decide on audit
    objectives, learn about the files to be audited,
    design the audit reports, and determine how to
    produce them.
  • This information is recorded on specification
    sheets and entered into the system via a data
    entry program.

52
Usage of Computer Software
  • This program creates specification records that
    the CAS uses to produce one or more auditing
    programs.
  • The auditing programs process the sources files
    and perform the auditing operations needed to
    produce the specified audit reports.

53
General Functions ofComputer Audit Software
  • reformatting
  • file manipulation
  • calculation
  • data selection
  • data analysis
  • file processing
  • statistics
  • report generation

54
Topics Discussed
  • Auditing scope and objectives
  • Information system (IS) audit
    objectives
  • Study and evaluation of internal
    control in an AIS
  • Computer audit software
About PowerShow.com