Information Systems Auditing (ISMT 350) week #3
Instructor: Professor J. Christopher Westland, PhD, CPA
Time: Tue & Thur 10:30am-11:50am
Venue: Rm. 2463
Duration: 5 Sep – 7 Dec
Text: Champlain, Auditing Information Systems (2nd ed.), Wiley, 2003
Contact: Office: 852 2358 7643; Email: westland@ust.hk; Fax: 852 2358 2421
URL: http://teaching.ust.hk/~ismt350/

Course Topics

| Topic | Readings | Practicum Competency | Case Study |
| --- | --- | --- | --- |
| What is Information Systems (IS) Auditing? | | Industry Profile: The Job of the IS Auditor | |
| Identifying Computer Systems | Chapter 1 | Evaluating IT Benefits and Risks | Jacksonville Jaguars |
| IS Audit Programs and Computer Systems Inventory | Chapter 2 | The Job of the Staff Auditor | A Day in the Life of Brent Dorsey |
| IS Security | Chapter 3 | Recognizing Fraud | The Anonymous Caller |
| Utility Computing and IS Service Organizations | Chapter 4 | Evaluating a Prospective Audit Client | Ocean Manufacturing |
| Physical Security | Chapter 7 | Inherent Risk and Control Risk | Comptronix Corporation |
| Logical Security | Chapter 8 | Evaluating the Internal Control Environment | Easy Clean |
| IS Operations | Chapter 9 | Fraud Risk and the Internal Control Environment | Cendant Corporation |
| Controls Assessment | Chapter 10 | IT-based vs. Manual Accounting Systems | St James Clothiers |
| Encryption and Cryptography | Chapter 11 | Materiality / Tolerable Misstatement | Dell Computer |
| New Challenges from the Internet: Privacy, Piracy, Viruses and so forth | | Course Wrap-up: Information Systems and Audit Evidence | Henrico Retail |

Logical Structure of the Course, With Readings from the Text
IS Auditing
  IS Components: Ch. 1 & 2
  Controls over IS Assets: Ch. 7 & 8
  Encryption: Ch. 11
  Current and Future Issues in IS Auditing
  Audit Components: Ch. 3 & 4
  Procedural Controls: Ch. 9
  Audit Standards and Procedures: Ch. 10
  Forensics and Fraud Audits: Ch. 12

Recap: Jacksonville Jaguars' Spot® e-Cash Card
Why use Cash? Anonymity, divisibility, usability, portability, ease of use, time shifting, security, privacy, durability, flexibility.
Why use an e-cash card?
The Magnetic Stripe (Contact) Card
Credit & debit cards initiate transfers from one store of value (e.g., a bank account) to another store of value (e.g., a retailer's bank account).
Credit cards offer the major advantage of deferred payment. Diners Club issued the first credit card in Hong Kong in 1959.
Limitations of credit cards:
  credit limits (lost sales)
  involve multiple parties (overhead costs and infrastructure)
  surcharge of between 3 percent and 5 percent (10 to 15 for Internet transactions)
Debit cards enable the cardholder's account to be immediately debited.

Contactless Cards
Contactless implies that input/output is accomplished through a microscopic antenna rather than a physical plug.
Hong Kong light rail and bus companies use the contactless Octopus card. The Octopus is a stored value/debit/credit card hybrid.
The Golden Harvest Cinema card and the Hospital Authority Patient card can hold customer information.

Smartcard Taxonomy
Reloadable Electronic Purse System
Biometrics: Think about e-card security

Auditing & the Computer Inventory (diagram)
The Physical World: External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; Transactions; Corporate Law; 'Owned' Assets and Liabilities.
The Parallel (Logical) World of Accounting: Accounting Systems; Ledgers: Databases; Journal Entries; Reports: Statistics.
Auditing: Audit Program; Tests of Transactions; Substantive Tests; Analytical Tests; Attestation; Audit Report / Opinion.

The Computer Inventory Step in Planning and Review
Planning and review identifies audit areas by level of risk. Relevant factors:
  Transaction size and volume
  Computers inside or outside firm
  Incentives to abuse system
  Error-prone

Audit Objectives
  Reporting Risks (External Audit)
  Control Process Risks (Internal & External Audits)
  Asset Loss Risks (Internal Audits)
Layers of the system reviewed:
  Transaction Flows
  Business Application Systems
  Operating Systems (including DBMS, network and other special systems)
  Hardware Platform
  Physical and Logical Security
  Environment

How Auditors Should Visualize Computer Systems

Risks Presented by Computers
  Transaction flows are less visible
  Fraud is easier
  Computers do exactly what you tell them
  Audit samples require computer knowledge and access
  Transaction flows are much larger (good for the company, bad for the auditor)
  Audits grow bigger and bigger from year to year
  To err is human, but to really screw up you need a computer
  And there is more pressure to eat hours
  Environmental, physical and logical security problems grow exponentially
  Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)

Risks Presented by The Internet
  Transaction flows are external
  External copies of transactions on many Internet nodes
  Internet Service Providers for accounting systems require giving control to outsiders with different incentives
  Auditors do not have access to many (perhaps most) of the transaction audit trails
  Environmental, physical and logical security problems grow exponentially
  Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)

Risks Presented by Utility Computing
  Transaction flows are transported via the Internet
  External copies of transactions on many Internet nodes
  All corporate data is stored outside the physical control of the firm
  There are legal limits on the access to firm data, especially for 3rd parties (auditors)
  Audit samples may be impossible to obtain
  Transaction flows are intermingled between companies
  Environmental, physical and logical security problems grow exponentially

Risks Posed by Transaction Traffic on The Internet
Not only are Internet transaction flows external to the firm; they tend to be clustered, and transactions are recorded on multiple servers (with multiple owners and sets of security controls) in the process.
Because anyone on the Internet theoretically has access to these transactions, automated agents can steal, alter or delete huge numbers of transactions
without leaving a trace in the audit trail.

Internet Traffic: Internet connectivity (with backbone ISPs)

Finding the Right Data: 19 degrees (and climbing)
The Internet (size = N): Degrees of Separation = 0.35 + 2 log10 N

Continental Drift: The 4 Realms of the Internet (Andrei Broder, AltaVista, 1999)
  In (25%)
  Central Core (25%)
  Out (25%)
  Isolated Islands
  Corporate Sites

The Dark Net
5% to 10% of the Internet is completely unreachable (Arbor Networks): parts of the Net accessible from one provider but unreachable via one or more competitors.
Why?
  Failures and filter errors often result from misconfigured routers, the virtual traffic cops that direct Net activity.
  Net traffic may be blocked due to contractual disputes between providers.
  Malicious use of dark address space. For example, some spammers use a pernicious technique whereby routes are announced and then immediately withdrawn around the time of a mass email transmission.

Emerging forms of computer use in accounting systems

Computers in the Audit Program
  Analytical Review
  Internal Control Tests (Tests of Transactions; Mid-Year Tests)
  Tests for internal consistency of accounts, cross-sectional and over time
  The computer is a tool for accomplishing this and for administration of the audit

Main tests of a Computerized Accounting System
  Is it working as it should?
  Are there risks?
  Are these well-controlled? (LOR / IC Memo)
  Substantive Tests: account balances and transactions reside on the computer database; closing computer programs are highly error-prone

Auditing = Statistics
All three classes of procedures share a goal with Statistics.
Objective: use 'data' to guess what is 'true'.
Problems:
  Type I error: Auditor says F/S are Wrong when they are Fairly Stated
  Type II error: Auditor says F/S are Fairly Stated when they are Wrong
Consequence of either: LAWSUITS.
Auditors increasingly use computers to prepare parallel sets of statistics for the firm's transactions, to be compared to the account balances.

Auditing Procedures
These are formally laid out in the Audit Program. The Planning and Risk Assessment phase of the Audit writes the Audit Program, which is a sequence of Statistical Tests (auditors call the sloppier of these 'Judgment Tests').

Accounting Department in the early 1900s
Accounting Department in the 1970s
Accounting Department of today and the near future

Practicum: A Day in the Life of Brent Dorsey
  What's it like to be a staff auditor at a CPA firm
  Work vs. Family conflicts: What to do?
  How Auditing today is different than before the 1980s
Prac·ti·cum (prăk-tĭ-kəm) noun: Lessons in a specialized field of study designed to give students supervised practical application of previously studied theory.

| # | Student Competence | Case Study |
| --- | --- | --- |
| 1 | Evaluating IT Benefits and Risks | Jacksonville Jaguars |
| 2 | The Job of the Staff Auditor | A Day in the Life of Brent Dorsey |
| 3 | Recognizing Fraud | The Anonymous Caller |
| 4 | Evaluating a Prospective Audit Client | Ocean Manufacturing |
| 5 | Inherent Risk and Control Risk | Comptronix Corporation |
| 6 | Evaluating the Internal Control Environment | Easy Clean |
| 7 | Fraud Risk and the Internal Control Environment | Cendant Corporation |
| 8 | IT-based vs. Manual Accounting Systems | St James Clothiers |
| 9 | Materiality / Tolerable Misstatement | Dell Computer |
| 10 | Analytical Procedures as Substantive Tests | Burlington Bees |
| 11 | Information Systems and Audit Evidence | Henrico Retail |

Risk and Magnitude: Where to look for accounting risk

Industry Structure, c. 2006: Information Technology Market

| | Operations & Accounting | Search & Storage | Tools | Embedded | Communications | Total |
| --- | --- | --- | --- | --- | --- | --- |
| Total Employees (thousand) | 500 | 1000 | 300 | 1500 | 700 | 4,000 |
| Annual Expenditures ($US billion) | 2000 | 5000 | 300 | 700 | 2000 | 10,000 |
| Major Suppliers | US, India | US | US, Germany | US, Japan, Korea, Greater China | US, Germany, Japan, Greater China | |

GWP ~$45 trillion (Pop: 6 billion); US GDP ~$10 trillion (Pop: 300 million)

Accounting Transaction Flows, c. 2006

| Information Technology Market | Transaction Flows $(000,000) |
| --- | --- |
| Accounting Processing | 20,000 |
| Accounting Data Storage | 10,000 |
| Tools | 0 |
| Embedded | 10 |
| Communications | 30,000 |

U.S. Contribution to GDP (in billions) from various industries shows why computer transaction flows have grown: Information Technology $534; Other $2,989; Life Sciences $712; Finance $820; Manufacturing $2,839; Services $2,965.

Hardware Taxonomy (fast to slow)
  Central Processing Unit
  Cache
  Fast Memory
  Peripheral Processor (Video, Bus, Etc.)
  RAM / ROM
  Optical & Magnetic Media
  Slow Network Devices

Software Taxonomy
  Operating Systems: Specialized O/S; Network O/S; Utilities; Database O/S
  Programming Languages, Tools & Environments
  Applications
  Utilities and Services

Computer Controls (procedures) and Audit Steps (procedures)

Control Concepts
Controls are processes associated with a person or entity that is responsible for that process: the same individuals have Managerial Control, Accountability, and Responsibility for the process.
Internal Controls are processes that ensure procedures operate as they should and produce accurate account values.

Cost-effective Controls
Like any process, the benefit should exceed the cost. The way to manage this is to control high risk transaction flows:
  transactions that are error-prone
  transaction flows where the incentive to abuse is high

Materiality: How much control or auditing is enough?
Materiality is the maximum tolerable error allowable in financial reporting. Audit reports will assert that the statements are 'fairly stated' if the error is less than some 'material' amount with a given degree of 'confidence.'
Where we do have evidence from court proceedings, 'materiality' has ranged from fractions of 1% to close to 30%, and confidence limits have ranged from 99% to around 70% (generally closer to 70%).

Materiality and Auditor Influence
A recent survey of 170 chief financial officers by CFO Magazine (taken after Enron, WorldCom and numerous other audit scandals) found that 38% said auditors questioned their results in the past year. Of those challenged, most refused to back down:
  25% persuaded the auditor to agree to the practice in question
  32% convinced the auditor that the results were immaterial
  43% made changes to win the auditor's approval
Lynn Turner, former chief accountant at the Securities & Exchange Commission, pointed out that an earlier CFO Magazine survey had 17% of respondents admitting that CEOs pressured them to misrepresent results.
Other Audit Considerations: Sampling
Computer inventory selected as "at risk" will be subject to detailed sampling.

Short History
The earliest reference to audit sampling appears in a program of audit procedures printed in 1917 by the US Federal Reserve, which included some early references to sampling, such as selecting "a few book items" of inventory.
In 1955, the American Institute of Accountants (later to become the AICPA) published 'A Case Study of the Extent of Audit Samples', which summarized audit programs prepared by several CPAs to indicate the extent of audit sampling each considered necessary.

Sampling (Cont)
Statistical Sampling and the Independent Auditor, issued by the AICPA in 1962, concluded that statistical sampling was permitted under generally accepted auditing standards (GAAS).
Relationship of Statistical Sampling to Generally Accepted Auditing Standards (1964) was later included as appendix A of Statement on Auditing Procedure (SAP) 54, The Auditor's Study and Evaluation of Internal Control, which was, again, reused later as AU section 320 of Statement on Auditing Standards (SAS) 1, Codification of Auditing Standards and Procedures. Some of that material was extended in 1972 as appendix B of SAP 54.
There were, in addition, Statements on Auditing Procedure SAP 33 and SAP 36, which gave tepid support to the use of statistics but in general encouraged the continuation of what the practice called judgmental sampling – an ad hoc selection of samples that suffered from the biases and foibles that statistics were designed to control.
In 1981, the AICPA rolled all of this into a single standard, SAS 39, titled Audit Sampling, which more or less repeats their position of the mid-1960s.
SAS 47 discusses auditor risk and the murky concept of 'materiality' (the auditor's dispersion or error statistic) in planning an audit.
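An added worked example (not from the slides or the Champlain text) of the "Auditing = Statistics" and materiality ideas above: a sample of transactions is tested, an upper bound on the population error rate is computed at the chosen confidence, and the statements are called 'fairly stated' only if that bound, scaled to the population value, stays within materiality. The exact binomial bound, the function names and the sample figures are assumptions made for this example; the slides prescribe no particular formula.

```python
from math import comb, log, ceil


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): chance that n sampled items show at most k errors."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_error_rate(n: int, k: int, confidence: float, tol: float = 1e-8) -> float:
    """One-sided upper bound on the population error rate after finding k errors in n items.
    It is the smallest rate p at which observing <= k errors becomes as unlikely as
    (1 - confidence); found by bisection because binom_cdf falls monotonically in p.
    (An exact binomial bound chosen for this example; the slides prescribe no formula.)"""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > alpha:
            lo = mid  # k errors still plausible at this rate, so the bound lies higher
        else:
            hi = mid
    return hi


def zero_error_sample_size(tolerable_rate: float, confidence: float) -> int:
    """Smallest n such that a clean sample (k = 0) bounds the error rate below
    tolerable_rate at the given confidence: (1 - tolerable_rate)^n <= 1 - confidence."""
    return ceil(log(1.0 - confidence) / log(1.0 - tolerable_rate))


def audit_opinion(n: int, k: int, confidence: float,
                  population_value: float, materiality: float) -> dict:
    """'Fairly stated' when the upper bound on total misstatement is within materiality.
    In the slide's terms: the chance of a Type II error (calling the statements fairly
    stated when misstatement actually exceeds materiality) is at most 1 - confidence;
    a small sample widens the bound and so raises Type I errors (rejecting good
    statements), which is why sample size is traded against both."""
    p_u = upper_error_rate(n, k, confidence)
    upper_misstatement = p_u * population_value
    return {"upper_error_rate": p_u,
            "upper_misstatement": upper_misstatement,
            "fairly_stated": upper_misstatement <= materiality}


if __name__ == "__main__":
    # Constructed case: 100 invoices sampled from a $5,000,000 population, 2 found
    # misstated, materiality $250,000 (5%), at the 70% and 95% confidence levels
    # mentioned on the Materiality slide.
    for conf in (0.70, 0.95):
        print(conf, audit_opinion(100, 2, conf, 5_000_000, 250_000))
    print("clean-sample size at 5% tolerable rate, 95% confidence:",
          zero_error_sample_size(0.05, 0.95))
```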
SAS 55 and SAS 78 address internal control and control risk, but fail to provide objective procedures or formulas for assessing either.
Nowhere is Materiality unequivocally defined.

Assurance on Risk Assessment: The AICPA's Position
Risk assessment services include identification and assessment of primary potential risks faced by a business or entity, independent assessment of risks identified by an entity, and evaluation of an entity's systems for identifying and limiting risks.
Why? "Assessment and control of business risks has become increasingly important in recent years due to changes in information technology and related developments. Information technology has reduced the time available to react to environmental change, streamlined and altered the design of business processes, and changed the optimal form of organization. These developments have led to a de-layering and downsizing of businesses, resulting in fewer employees devoted to control activities, and empowering employees to make decisions. These changes affect traditional controls over information and safeguarding of assets."

Types of Risk: The AICPA's Position
1. Business risk has been defined as "the threat that an event or action will adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully" (The Economist Intelligence Unit 1995). A business faces many threats to achieving its objectives and to executing its strategies, and business risks can be classified in many ways. For example, one useful way is:
2. Strategic environment risks - threats from broad factors external to the business including changes in customers' tastes and preferences, creation of substitute products, or changes in the competitive environment, political arena, legal/regulatory rules, and capital availability.
3.
Operating environment risks - threats from ineffective or inefficient business processes for acquiring, transforming, and marketing goods and services, as well as loss of physical, financial, information, intellectual, or market-based (such as a customer base) assets, loss of markets or market opportunities, and loss of reputation.
4. Information risks - threats from the use of poor quality information for operational, financial, or strategic decision making within the business, and from providing misleading information to outsiders.

Incentives to misuse accounting transactions
  Steady replacement of paper with databases
  Steady replacement of meetings and travel with information networks

Entry into Computer Crime (decision diagram)
Personal Background -> Motives -> Learning Skills to Commit Crime -> Un-premeditated or Premeditated
  Premeditated: Choose "Best" Option
  Un-premeditated: Reaction to Chance Event
Decision / Action Matrix:
  Commit Crime, Select Asset: • Face Penalties • Enjoy Rewards
  Commit Crime, Don't Select: N/A
  Don't Commit: • Too Hard • Monitored • Unfamiliar • Not enough value

Criminal Decisions
Criminals specialize. Criminals make simplifications in computing odds, e.g., only 22% of robbers think of doing another crime (burglary being the most common choice). They tend to add (rather than multiply) their chances of being caught and punished.
Suggests that a few controls which are very effective

Successful Security
  What assets are protected
  Why are they valuable
  To whom are they valuable
  "Where" and when are they accessible
  How are they accessible
The first three questions are answered by Risk Analysis, the second three by Security Technique.

Formalizing the Risk Assessment
Flowchart to identify risks (Flowcharted Accounting System). Review each transaction flow for:
  $ and # volume
  Incentive to abuse
  Error-proneness
  Control effectiveness
The flowchart marks High Risk Transactions, which feed the Risk Assessment Database.

Statistical Tests
For each 'risky' transaction, mid-year Internal Control tests will reveal the probability risk of a loss of size X for a transaction. You may need last year's audit papers.
  Compute probable occurrence (frequency)
  Compute probable loss
  Identify needed control processes

The 'Incentive' Test for each 'risky' transaction (uses the same Entry into Computer Crime decision diagram and Decision / Action Matrix as above)

The Risk Assessment Database
Columns Primary OS through Total Annual Transaction Value are the Asset table (Ex 2.1); the remaining columns are the Risk Assessment (Ex. 2.2 with improvements).

| Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)* | Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft | 100 | 100 | 10000 |
| Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12250 |
| Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc |

*Whether you list depends on Audit Materiality.

Materiality Test
Each row on the Risk Assessment database should be compared with the materiality. All expected losses that are material mark transaction flows which should be written up in the internal control letter, and for which audit tests should be expanded.
The audit program is typically written in detail at this point. Mid-year tests are basically a sequence of 'risky' transaction audits. Year end tests are modified based on whether an account is built up (in the case of nominal accounts) or represents (in real accounts) a risky transaction.

New Technologies: Radio Frequency Identification Tags
RFID provides an essential link in autonomous, self-aware, intelligent devices. Hardware, software and databases combine to automate the capture of new data.

New Tech

New Tech Economics
RFID IC chips are made on wafers, and each wafer yields about 25,000 chips. One wafer lot, consisting of 25 wafers, yields about 1.25 million chips. A manufacturer may produce 50 to 70 million chips per day, about 48 wafer lots. Therefore an order of 1.25 million chips could take about 2 hours to manufacture. A typical plant costs $1.5 billion to $2 billion.
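An added example (not from the slides or the Champlain text) of the Risk Assessment Database and Materiality Test described above: each row carries the slide's columns, expected loss is frequency times cost of a single occurrence, and rows whose expected loss meets materiality are listed for the internal control letter and for expanded audit tests. The first two rows reuse the slide's own sample figures; the third row, the materiality threshold and all function names are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class RiskRow:
    """One row of the Risk Assessment Database; columns follow the slide."""
    primary_os: str
    owner: str
    application: str
    asset_value_musd: float      # Asset Value ($000,000 to Owner)
    flow: str                    # Transaction Flow Description
    annual_flow_musd: float      # Total Annual Transaction Value managed by asset ($000,000)
    risk: str                    # Risk Description
    per_year: float              # Probability of Occurrence (# per Year)
    cost_each: float             # Cost of single occurrence ($)

    @property
    def expected_loss(self) -> float:
        # Expected annual loss = frequency of occurrence x cost of one occurrence
        return self.per_year * self.cost_each


def materiality_test(rows, materiality):
    """Split rows into material (expected loss >= materiality, largest first) and immaterial."""
    material = sorted((r for r in rows if r.expected_loss >= materiality),
                      key=lambda r: r.expected_loss, reverse=True)
    immaterial = [r for r in rows if r.expected_loss < materiality]
    return material, immaterial


def internal_control_letter(rows, materiality):
    """One write-up line per material flow: these are the flows whose audit tests get expanded."""
    material, _ = materiality_test(rows, materiality)
    return [f"{r.flow} [{r.application}/{r.owner}] - {r.risk}: "
            f"{r.per_year:g}/yr x ${r.cost_each:,.0f} = ${r.expected_loss:,.0f}; expand audit tests"
            for r in material]


def expected_loss_by_application(rows):
    """Aggregate expected loss per application, to see which system carries the risk."""
    totals = {}
    for r in rows:
        totals[r.application] = totals.get(r.application, 0.0) + r.expected_loss
    return totals


# First two rows are the slide's sample rows; the third is constructed for this example.
DATABASE = [
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor", 23,
            "Theft", 100, 100),
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor", 23,
            "Obsolescence and spoilage", 35, 350),
    RiskRow("Win XP", "Sales Desk", "A/R", 0.005, "Customer invoices issued", 40,
            "Unauthorized credit memo", 12, 900),
]
MATERIALITY = 11_000  # constructed threshold ($) for the materiality test

if __name__ == "__main__":
    for line in internal_control_letter(DATABASE, MATERIALITY):
        print(line)
    print(expected_loss_by_application(DATABASE))
```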