Auditing Computer Systems - PowerPoint PPT Presentation


1
Auditing Computer Systems
  • Dr. Yan Xiong
  • College of Business
  • CSU Sacramento
  • 9/11/03

2
Agenda
  • Auditing scope and objectives
  • Information system (IS) audit
    objectives
  • Study and evaluation of internal
    control in an AIS
  • Computer audit software

3
Internal Auditing Standards
  • According to the Institute of Internal Auditors
    (IIA), the purpose of an internal audit is to
    evaluate the adequacy and effectiveness of a
    company's internal control system.
  • Also, it is to determine the extent to which
    assigned responsibilities are actually carried
    out.

4
Internal Auditing Standards
  • The IIA's five audit scope standards are
  • Review the reliability and integrity of operating
    and financial information and how it is
    identified, measured, classified, and reported.
  • Determine whether the systems designed to comply
    with operating and reporting policies, plans,
    procedures, laws, and regulations are actually
    being followed.

5
Internal Auditing Standards
  • Review how assets are safeguarded, and verify the
    existence of assets as appropriate.
  • Examine company resources to determine how
    effectively and efficiently they are utilized.
  • Review company operations and programs to
    determine whether they are being carried out as
    planned and whether they are meeting their
    objectives.

6
Types of Internal Auditing Work
  • What are the three different types of audits
    commonly performed?
  • Financial audit
  • Information system (IS) audit
  • Operational or management audit

7
Types of Internal Auditing Work
  • The financial audit examines the reliability and
    integrity of accounting records (both financial
    and operating information).
  • The information systems (IS) audit reviews the
    general and application controls in an AIS to
    assess its compliance with internal control
    policies and procedures and its effectiveness in
    safeguarding assets.

8
Types of Internal Auditing Work
  • The operational, or management, audit is
    concerned with the economical and efficient use
    of resources and the accomplishment of
    established goals and objectives.

9
An Overview of the Auditing Process
  • All audits follow a similar sequence of
    activities and may be divided into four stages.
  • Audit planning
  • Collection of audit evidence
  • Evaluation of audit evidence
  • Communication of audit results

10
An Overview of the Auditing Process
  • Audit Planning
  • Establish scope and objectives
  • Organize audit team
  • Develop knowledge of business operations
  • Review prior audit results
  • Identify risk factors
  • Prepare audit program

11
An Overview of the Auditing Process
  • Collection of Audit Evidence
  • Observation of operating activities
  • Review of documentation
  • Discussion with employees and questionnaires
  • Physical examination of assets
  • Confirmation through third parties
  • Reperformance of procedures
  • Vouching of source documents
  • Analytical review and sampling

12
An Overview of the Auditing Process
  • Evaluation of Audit Evidence
  • Assess quality of internal controls
  • Assess reliability of information
  • Assess operating performance
  • Consider need for additional evidence
  • Consider risk factors
  • Consider materiality factors
  • Document audit findings

13
An Overview of the Auditing Process
  • Communication of Audit Results
  • Formulate audit conclusions
  • Develop recommendations for management
  • Present audit results to management

14
Operational Audits of an AIS
  • The techniques and procedures used in operational
    audits are similar to those of IS and financial
    audits.
  • The basic difference is that the IS audit scope
    is confined to internal controls, whereas the
    financial audit scope is limited to AIS output.
  • The operational audit scope encompasses all
    aspects of IS management.

15
Operational Audits of an AIS
  • Operational audit objectives include evaluating
    effectiveness, efficiency, and goal
    achievement.
  • What are some evidence collection activities?
  • reviewing operating policies and documentation
  • confirming procedures with management and
    operating personnel

16
Operational Audits of an AIS
  • observing operating functions and activities
  • examining financial and operating plans and
    reports
  • testing the accuracy of operating information
  • testing controls

17
Agenda
  • Auditing scope and objectives
  • Information system (IS) audit
    objectives
  • Study and evaluation of internal
    control in an AIS
  • Computer audit software

18
IS Audits
  • Purpose of an AIS audit: review and
    evaluate the internal controls that
    protect the system
  • When performing an IS audit, auditors
    ascertain that certain objectives are met

19
Audit Objectives
  • Security provisions protect
    computer equipment, programs,
    communications, and data from
    unauthorized access, modification, or
    destruction
  • Program development and acquisition performed in
    accordance with management's general and
    specific authorization

20
Audit Objectives
  • Program modifications have
    authorization and approval of
    management
  • Processing of transactions, files,
    reports, and other computer records is
    accurate and complete

21
Audit Objectives
  • Source data that is inaccurate or
    improperly authorized is identified and
    handled according to prescribed
    managerial policies
  • Computer data files are accurate, complete, and
    confidential

22
Audit Objectives
  [Diagram on the original slide: the audit objectives mapped onto
  the AIS flow (Source Data → Enter → Process → Output, with Programs
  and Files); labels surviving from the slide: 1 Overall Security,
  3 Program Modification.]
23
Risk-Based Audit
  • Approach provides auditors
    with clear understanding of errors and
    irregularities that can occur and
    related risks and exposures
  • Provides basis for developing recommendations to
    management on how AIS control system should be
    improved

24
Risk-Based Audit
  • Four-step approach
  • Determine threats facing AIS
  • Identify control procedures that should be in
    place to minimize each threat
  • Evaluate existing control procedures
  • Determine weaknesses

25
Agenda
  • Auditing scope and objectives
  • Information system (IS) audit
    objectives
  • Study and evaluation of internal
    control in an AIS
  • Computer audit software

26
Audit Framework
  [Diagram on the original slide: the AIS flow (Source Data → Enter →
  Process → Output, with Programs and Files) overlaid with the six
  audit areas: 1 Overall Security, 2 Program Development, 3 Program
  Modification, 4 Processing, 5 Source Data, 6 Data Files. For each
  area the framework tabulates: Types of Errors / Fraud, Control
  Procedures, Audit Procedures: System Review, Audit Procedures:
  Tests of Controls, Compensating Controls.]
27
Overall Security
  • Security errors and fraud
  • theft of or accidental / intentional
    damage to hardware and files
  • loss, theft, or unauthorized access to programs,
    data files or disclosure of confidential data
  • unauthorized modification or use of programs and
    data files

28
Overall Security
  • Control procedures
  • develop information security
    and protection plan - restrict
    physical and logical access
  • encrypt data / protect against viruses
  • implement firewalls
  • institute data transmission controls, and
    prevent and recover from system
    failures or disasters

29
Overall Security
  • Systems review audit procedures
  • inspect computer sites
  • interview personnel
  • review policies and procedures
  • examine access logs, insurance policies, and
    disaster recovery plan

30
Overall Security
  • Tests of control audit procedures
  • observing procedures
  • verifying controls are in place
    and work as intended
  • investigating errors or problems to ensure they
    were handled correctly
  • examining any test previously performed

31
Overall Security
  • Compensating controls
  • sound personnel
    policies
  • effective user controls
  • segregation of incompatible duties

32
Program Development
  • Types of errors and fraud
  • inadvertent programming errors
  • unauthorized program code

33
Program Development
  • Control procedures
  • management authorizes and approves
    programming specifications
  • user approves of programming specifications
  • thorough testing of new programs and user
    acceptance testing
  • complete systems documentation

34
Program Development
  • Systems review audit procedures
  • independent review of development process
  • systems review of development policies,
    authorization, and approval procedure
  • documentation standards
  • program testing and test approval procedures

35
Program Development
  • Tests of control audit procedures
  • interview users about involvement
  • verify user sign-off at milestone points
  • review test specifications, data, and results

36
Program Development
  • Compensating controls
  • strong processing controls
  • independent processing of test
    data by auditor

37
Program Modification
  • Types of errors and fraud
  • inadvertent programming errors
  • unauthorized program code
  • These are the same as in the audit of program
    development.

38
Program Modification
  • Control procedures
  • listing of program components that are to be
    modified, and management authorization and
    approval of programming modifications
  • user approval of program changes specifications
  • thorough testing of program changes, including
    user acceptance test

39
Program Modification
  • Systems review audit procedures
  • reviewing program modification policies,
    standards, and procedures
  • reviewing documentation standards for program
    modification, program modification testing, and
    test approval procedures
  • discussing systems development procedures with
    management

40
Program Modification
  • Tests of control audit procedures
  • interviewing users about involvement in systems
    design and implementation
  • reviewing minutes of development team meetings
    for evidence of involvement
  • verifying management and user sign-off at
    milestone points in the development process
  • reviewing test specifications, data, and results

41
Program Modification
  • Compensating controls
  • strong processing controls
  • independent processing of test data by auditor
  • These are the same as in the audit of program
    development.

42
Processing Controls
  • Types of errors and fraud
  • intentional or unintentional report inaccuracies
  • Control procedures
  • proper use of internal and external file labels
  • Systems review audit procedures
  • observe computer operations and data control
    functions

43
Processing Controls
  • Tests of control audit procedures
  • evaluation of adequacy and completeness of data
    editing controls
  • Compensating controls
  • strong user controls

44
Source Data Controls
  • Types of errors and fraud
  • inadequate source data
  • Control procedures
  • user authorization of source data input
  • Systems review audit procedures
  • reviewing documentation for source data control
    standards

45
Source Data Controls
  • Tests of control audit procedures
  • examination of samples of accounting source data
    for proper authorization
  • Compensating controls
  • strong processing controls

46
Data File Controls
  • Types of errors and fraud
  • unauthorized modification or disclosure of
    stored data
  • Control procedures
  • concurrent update controls
  • Systems review audit procedures
  • examination of disaster recovery plan

47
Data File Controls
  • Tests of control audit procedures
  • observing and evaluating file library operations
  • Compensating controls
  • effective computer security controls

48
Agenda
  • Auditing scope and objectives
  • Information system (IS) audit
    objectives
  • Study and evaluation of internal
    control in an AIS
  • Computer audit software

49
Computer Software
  • Computer audit software (CAS) or
    generalized audit software (GAS),
    written for auditors
  • CAS is a computer program that, based on the
    auditor's specifications, generates programs
    that perform audit functions

50
Types of CAS
  • Integrated Test Facilities
  • Embedded Audit Modules
    (EAM)
  • Audit Hooks
  • Snapshot
  • SCARF
  • Audit Control Language (ACL)

51
Usage of Computer Software
  • The auditor's first step is to decide on audit
    objectives, learn about the files to be audited,
    design the audit reports, and determine how to
    produce them.
  • This information is recorded on specification
    sheets and entered into the system via a data
    entry program.

52
Usage of Computer Software
  • This program creates specification records that
    the CAS uses to produce one or more auditing
    programs.
  • The auditing programs process the source files
    and perform the auditing operations needed to
    produce the specified audit reports.

53
General Functions of Computer Audit Software
  • reformatting
  • file manipulation
  • calculation
  • data selection
  • data analysis
  • file processing
  • statistics
  • report generation
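
The specification-record → audit-program → report flow described on slides 49 to 52, worked through in Python as an added example; this is not part of the deck and not the code of any real CAS/GAS product. The source file, field names and rule types are constructed for the example, and the spec covers data selection, calculation, statistics, file processing (control totals) and report generation from the list above.

```python
import csv, io, statistics
from collections import Counter

# Constructed sample source file (accounts-payable transactions, not real data).
SOURCE_FILE = """txn_id,vendor,amount,approved_by,entered_by
1001,Acme Supply,4200.00,jlee,mpatel
1002,Acme Supply,9800.00,,mpatel
1003,Northwind,150.00,jlee,rkim
1004,Northwind,12500.00,rkim,rkim
1005,Globex,7300.00,tdoe,mpatel
"""

# Auditor's specification record (the "specification sheet"): field names and
# rule types are assumptions made for this example.
SPEC = {
    "select": [  # data selection: (exception name, predicate over one record)
        ("missing approval over 5000", lambda r: r["amount"] > 5000 and not r["approved_by"]),
        ("self-approved", lambda r: r["approved_by"] and r["approved_by"] == r["entered_by"]),
    ],
    "stats": ["amount"],   # statistics on numeric fields
    "group_by": "vendor",  # file processing: control totals per vendor
}

def load_source(text):
    """File manipulation: read the source file and type the numeric field."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["amount"] = float(r["amount"])
    return rows

def run_audit(spec, rows):
    """The audit program generated from the spec: select, calculate, summarise."""
    exceptions = {name: [r["txn_id"] for r in rows if pred(r)] for name, pred in spec["select"]}
    stats = {f: {"n": len(rows), "total": sum(r[f] for r in rows),
                 "mean": statistics.mean(r[f] for r in rows)} for f in spec["stats"]}
    totals = Counter()
    for r in rows:
        totals[r[spec["group_by"]]] += r["amount"]
    return {"exceptions": exceptions, "stats": stats, "totals": dict(totals)}

def render_report(result):
    """Report generation: plain-text audit report for the working papers."""
    lines = ["AUDIT REPORT"]
    for name, ids in result["exceptions"].items():
        lines.append(f"Exception '{name}': {len(ids)} record(s) {ids}")
    for f, s in result["stats"].items():
        lines.append(f"{f}: n={s['n']} total={s['total']:.2f} mean={s['mean']:.2f}")
    for vendor, total in sorted(result["totals"].items()):
        lines.append(f"Control total for {vendor}: {total:.2f}")
    return "\n".join(lines)

print(render_report(run_audit(SPEC, load_source(SOURCE_FILE))))
```

The exception rules are the programmed form of the source-data test on slide 45 (sampling source data for proper authorization); a real engagement would draw the thresholds and approver lists from the client's authorization policy.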

54
Topics Discussed
  • Auditing scope and objectives
  • Information system (IS) audit
    objectives
  • Study and evaluation of internal
    control in an AIS
  • Computer audit software