Mid Term Review - Teaching Web Server

IS Auditing Midterm Review
ISMT 350
Time & Venue: 5 Oct 2006, 10:30 am to 11:50 am @ Room 2463
Note: You will be allowed one A4-sized sheet of paper as a "cheat sheet" for your reference during the ISMT 350 Midterm Exam. You can fill out both sides, and there are no limits on handwriting, font, or techniques for the information you place on the page. No other materials will be allowed during the exam.
Course Topics So Far

Topic                                        Readings    Practicum: Competency                          Practicum: Case Study
What is Information Systems (IS) Auditing?               Industry Profile: The Job of the IS Auditor
Identifying Computer Systems                 Chapter 1   Evaluating IT Benefits and Risks               Jacksonville Jaguars
IS Audit Programs                            Chapter 2   The Job of the Staff Auditor                   A Day in the Life of Brent Dorsey
IS Security                                  Chapter 3   Recognizing Fraud                              The Anonymous Caller
Logical Structure of the Course, with Readings from the Text
(Material covered so far is the colored area of the original diagram.)
- IS Components (Ch. 1 & 2)
- Controls over IS Assets (Ch. 7 & 8)
- Encryption (Ch. 11)
- IS Auditing
- Current and Future Issues in IS Auditing
- Audit Components (Ch. 3 & 4)
- Procedural Controls (Ch. 9)
- Audit Standards and Procedures (Ch. 10)
- Forensics and Fraud Audits (Ch. 12)
Classes of Things You have Learned
- Concepts: things you need to know. These include:
  - Theories and frameworks
  - Facts
- Activities and Tasks: things an auditor needs to do
- Tools: used to make audit decisions
Identifying Computer Systems
Chapter 1
1. Identifying what you are going to audit
2. The Computer Asset Inventory
3. Identification of Transactions, and Risk Levels
4. Audit programs for high risk transactions
Audit Program
Audit programs are checklists of the various tests (audit procedures) that auditors must perform within the scope of their audits to determine whether key controls intended to mitigate significant risks are functioning as designed.

Objective
- To determine the adequacy of the controls over the particular accounting processes covered by the audit program.
- This is fundamentally what the assurance and attestation aspects of the audit are expected to achieve during the "tests of transactions" (the mid-year internal control tests).

The objective
The reason for an audit is to write an opinion:
- that the financial statements are fairly stated (external audit)
- that control processes are effective (internal and external audit)
- that assets are not at risk of theft or damage (internal audit)
We only need to identify computer systems where one or more of these objectives is affected.

Benefits
The use of audit programs is fairly standard for audit firms, and is considered good business practice. List three (3) benefits to the audit firm of using an audit program:
- They improve resource planning (where to spend money and employ people on an audit).
- They promote consistency from year to year when the personnel and circumstances of an audit change.
- Prior years' programs are the basis for the current year's audit procedures.
- Anything else that seems reasonable.

Control assessment
Information systems audit programs should assess the adequacy of controls in four (4) areas:
1. Environmental controls
2. Physical security controls
3. Logical security controls
4. IS operating controls
Computer Assets
- Central Processing Unit
- Peripheral Processors (Video, Bus, etc.)
- Memory (RAM / ROM)
- Network Devices
- Optical & Magnetic Media
- Operating Systems
  - Specialized O/S
  - Network O/S
  - Utilities
  - Database O/S
- Applications
  - Programming Languages, Utilities and Services
  - Tools & Environments
The main categories of Computer Applications, and their relative importance

Information Technology Market   Total Annual Expenditures ($US billion)   Employees (thousand)   Major Suppliers
Operations & Accounting            500                                      2,000                 US, India
Search & Storage                 1,000                                      5,000                 US
Tools                              300                                        300                 US, Germany
Embedded                         1,500                                        700                 US, Japan, Korea, Greater China
Communications                     700                                      2,000
Total                            4,000                                     10,000                 US, Germany, Japan, Greater China

GWP ~$45 trillion (Pop: 6 billion)
US GDP ~$10 trillion (Pop: 300 million)
The Risk Assessment Database

Asset (Ex. 2.1)                                                 | Risk Assessment (Ex. 2.2 with improvements)
Primary OS | Owner          | Application | Asset Value         | Transaction Flow        | Total Annual Transaction Value  | Risk Description          | Cost of single | Probability of Occurrence | Expected
           |                |             | ($000,000 to Owner)*| Description             | Flow managed by Asset ($000,000)* |                         | occurrence ($) | (# per Year)              | Loss ($)
Win XP     | Receiving Dock | A/P         | 0.002               | RM Received from Vendor | 23                              | Theft                     | 100            | 100                       | 10,000
Win XP     | Receiving Dock | A/P         | 0.002               | RM Received from Vendor | 23                              | Obsolescence and spoilage | 35             | 350                       | 12,250
Etc.       | Etc.           | Etc.        | Etc.                | Etc.                    | Etc.                            | Etc.                      | Etc.           | Etc.                      | Etc.

Expected Loss = Cost of single occurrence x Probability of Occurrence (# per year).
*Whether you list depends on Audit Materiality.
Ideas, not Things, have Value
[Chart: firms placed in rank order by increasing 5-yr Shareholder Return %, plotted against Asset Intensity (Fixed Assets / Sales); the chart is used to show that value comes from ideas rather than from physical assets.]
… and these ideas are tracked in the computer
How Accounting has had to Change Because of Business Automation
[Figure: two value chains, each feeding a Knowledge Integrator whose Manufacturing Value Added (110%) goes to the Consumer. Before automation the inputs are Material, Labor and Capital (shares shown as 30%, 50% and 20%). After automation the inputs are Material, Labor, Capital and a Knowledge Base of uncertain claims, contributions and property rights (shares shown as 5%, 5%, 80% and 10%, with the Knowledge Base the dominant share), and manufacturing is reduced to a "Manufacturing Specific Finished Products" stage.]
IS Audit Programs
Chapter 2
What is IS Auditing?
Why is it Important?
What is the Industry Structure?
Attestation and Assurance
[Figure: The Physical World (external real-world entities and events that create and destroy value; the internal operations of the firm; transactions; corporate law) runs in parallel with The Parallel (Logical) World of Accounting (accounting systems; ledgers = databases; journal entries; reports = statistics; "owned" assets and liabilities). Auditing bridges the two: the Audit Program drives Tests of Transactions, Analytical Tests and Substantive Tests, and the Attestation is the Audit Report / Opinion.]

Audit Objectives
- Reporting Risks (External Audit)
- Control Process Risks (Internal & External Audits)
- Asset Loss Risks (Internal Audits)

How Auditors Should Visualize Computer Systems (as layers, top to bottom)
- Transaction Flows
- Business Application Systems
- Operating Systems (including DBMS, network and other special systems)
- Hardware Platform
- Physical and Logical Security Environment
The IS Auditor's Challenge
- Corporate Accounting is in a constant state of flux
  - because of advances in Information Technology applied to Accounting
- Information that is needed for an audit is often hidden from easy access by auditors
  - making computer knowledge an important prerequisite for auditing
- IS (and also just information) assets are increasingly the main proportion of wealth held by corporations
The Challenge to Auditing Presented by Computers
- Transaction flows are less visible
  - Fraud is easier
  - Computers do exactly what you tell them
- Audit samples require computer knowledge and access
- Transaction flows are much larger (good for the company, bad for the auditor)
  - Audits grow bigger and bigger from year to year
  - To err is human; but to really screw up you need a computer
  - And there is more pressure to "eat hours"
- Environmental, physical and logical security problems grow exponentially
  - Externally originated viruses and hacking are the major source of risk
  - (10 years ago it was employees)
The Challenge to Auditing Presented by the Internet
- Transaction flows are external
  - External copies of transactions exist on many Internet nodes
  - External service providers for accounting systems require giving control to outsiders with different incentives
- Audit samples may be impossible to obtain
  - because they require access to 3rd-party databases
- Transaction flows are intermingled between companies
- Environmental, physical and logical security problems grow exponentially
  - Externally originated viruses and hacking are the major source of risk
  - (10 years ago it was employees)
Materiality
- Materiality represents the maximum, combined, financial statement misstatement or omission that could occur before influencing the decisions of reasonable individuals relying on the financial statements.
- The magnitude and nature of financial statement misstatements or omissions will not have the same influence on all financial statement users.
- The specific amounts established for each financial statement element must be determined by considering the primary users as well as qualitative factors.
  - For example, a 5 percent misstatement of current assets may be more relevant to a creditor than to a stockholder, whereas a 5 percent misstatement of net income before income taxes may be more relevant to a stockholder than to a creditor. Therefore, the primary consideration when determining materiality is the expected users of the financial statements.
  - For example, if the client is close to violating the minimum current ratio requirement of a loan agreement, a smaller planning materiality amount should be used for current assets and liabilities.
  - Conversely, if the client is substantially above the minimum current ratio requirement of a loan agreement, it is reasonable to use a higher planning materiality amount for current assets and current liabilities.
- Planning materiality should be based on the smallest amount established from the relevant materiality bases, to provide reasonable assurance that the financial statements, taken as a whole, are not materially misstated for any user.
Tolerable misstatement
- This is essentially materiality for individual financial statement accounts. The amount established for an individual account is referred to as "tolerable misstatement."
- Tolerable misstatement represents the amount an individual financial statement account can differ from its true amount without affecting the fair presentation of the financial statements taken as a whole.
- Establishing tolerable misstatement for individual accounts enables the auditor to design and execute an audit strategy for each audit cycle.
- Tolerable misstatement should be established for all balance sheet accounts (except "retained earnings", because it is the residual account).
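The materiality rules above, and the footnote on the Risk Assessment Database table (Ex. 2.1 / 2.2: whether a row is listed depends on audit materiality), worked through in Python. This is an added example, not from the course text: the benchmark percentages, the covenant tightening factor, the tolerable-misstatement fraction, the balances and the petty-cash row are assumptions; the two Receiving Dock rows are the ones on the slide.

```python
"""Planning materiality, tolerable misstatement, and the materiality-gated
asset/risk listing of Exhibits 2.1 and 2.2 (added example; figures assumed)."""
from dataclasses import dataclass

# Assumed benchmark percentages per materiality base (illustrative, not the text's).
BENCHMARKS = {
    "net_income_before_tax": 0.05,
    "current_assets": 0.05,
    "current_liabilities": 0.05,
}
CURRENT_BASES = ("current_assets", "current_liabilities")


def planning_materiality(balances, near_covenant=False, covenant_factor=0.5):
    """Return (planning materiality in $, {base: candidate amount}).

    Each base yields a candidate; planning materiality is the smallest of them,
    so the statements are not materially misstated for any user. When the client
    is close to a loan-covenant current-ratio floor, the current-asset and
    current-liability candidates are tightened by covenant_factor (assumed 50%).
    """
    candidates = {}
    for base, pct in BENCHMARKS.items():
        if base in balances:
            amount = balances[base] * pct
            if near_covenant and base in CURRENT_BASES:
                amount *= covenant_factor
            candidates[base] = amount
    if not candidates:
        raise ValueError("no materiality base supplied")
    return min(candidates.values()), candidates


def tolerable_misstatement(planning_mat, account_balances, fraction=0.5):
    """Per-account tolerable misstatement for balance-sheet accounts.

    Assumed rule: a fixed fraction of planning materiality, never more than the
    account balance itself; retained earnings is skipped as the residual account.
    """
    return {
        acct: min(planning_mat * fraction, abs(bal))
        for acct, bal in account_balances.items()
        if acct != "retained_earnings"
    }


@dataclass
class RiskRow:
    """One row of the asset database joined to its risk assessment (Ex. 2.1 + 2.2)."""
    primary_os: str
    owner: str
    application: str
    asset_value_m: float        # $ millions, to the owner
    flow: str                   # transaction flow description
    flow_value_m: float         # total annual transaction value managed, $ millions
    risk: str
    cost_per_occurrence: float  # $
    occurrences_per_year: float

    def expected_loss(self):
        return self.cost_per_occurrence * self.occurrences_per_year


def rows_to_list(rows, materiality):
    """Apply the footnote '*Whether you list depends on Audit Materiality': keep a
    row only if the asset value or the transaction flow it manages is at least
    planning materiality, then rank the survivors by expected annual loss."""
    keep = [r for r in rows
            if max(r.asset_value_m, r.flow_value_m) * 1_000_000 >= materiality]
    return sorted(keep, key=RiskRow.expected_loss, reverse=True)


# The two Receiving Dock rows from Ex. 2.2, plus one constructed immaterial row.
SAMPLE_ROWS = [
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM received from vendor", 23,
            "Theft", 100, 100),
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM received from vendor", 23,
            "Obsolescence and spoilage", 35, 350),
    RiskRow("Win XP", "Front Desk", "Petty cash", 0.001, "Petty cash disbursements", 0.05,
            "Theft", 20, 12),
]

if __name__ == "__main__":
    pm, _ = planning_materiality({"net_income_before_tax": 20_000_000,
                                  "current_assets": 30_000_000,
                                  "current_liabilities": 24_000_000})
    for r in rows_to_list(SAMPLE_ROWS, pm):
        print(r.owner, r.risk, r.expected_loss())
```

With the assumed balances the smallest base is net income before tax; flagging the client as near its covenant pulls the current-liability candidate below it, which is the slide's point that the threshold moves with the user who depends on the number. The petty-cash row drops out of the listing because neither the asset nor the flow it manages reaches materiality, while both Receiving Dock rows stay and rank by expected loss (12,250 then 10,000).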
Phases and Products of the Audit

Phase                                   Activity                                          Products
Beginning of Year                       Planning & Risk Assessment                        Audit Program; Budget
Mid-year (9 months)                     Internal Control Tests (Tests of Transactions)    SAS 30 Control Letter; Sarbanes-Oxley management letter
Year-end (1-3 months after year-end)    Substantive Tests                                 Audit Report
Planning and Risk Assessment
- Output is
  - Audit Program
  - Budget (based on contract with client)

Internal Control Tests (Mid-year)
- Assess internal control
- Output is the annual "management letter" issued in connection with an audit
  - in accordance with SAS No. 30, "Reporting on Internal Accounting Control"

Substantive Tests (Year-end)
- Product is
  - Audit Statement (signed by auditor)
  - Sarbanes-Oxley compliance "Management Letter" (signed by management)
  - Schedule of Unadjusted Differences
  - List of Control "Weaknesses"
Practicum: A Day in the Life of Brent Dorsey
A Staff Auditor's Professional Pressures
- Understand some of the pressures faced by young professionals in the workplace
- Generate and evaluate alternative courses of action to resolve a difficult workplace issue
- Understand more fully the implications of "eating time" and "premature sign-off"
- More fully appreciate the need to balance professional and personal demands
IS Security
Chapter 3
Flowcharting Accounting Systems
- Each bubble is associated with a person or entity that is responsible for that process
- The same individuals with
  - managerial control,
  - accountability, and
  - responsibility for the process
  should all be responsible for the same bubble
Flowcharting Accounting Systems
- A data flow diagram

Data Flow Diagram Notations
- A process transforms incoming data flow into outgoing data flow.
- Datastores are repositories of data in the system. They are sometimes also referred to as databases or files.
- Dataflows are pipelines through which transactions (packets of information) flow. Label the arrows with the name of the data that moves through them.
- External entities are entities outside the firm with which the accounting system communicates, e.g., vendors, customers, advertisers, etc. External entities are the sources and destinations of the transaction input and output.
- The Context diagram lists all of the external relationships.

Flowcharting Accounting Systems ... Levels
- Context: the context diagram (also known as the Level 0 data flow diagram) contains only one process node (process 0), which generalizes the function of the entire system in relationship to the external entities.
- DFD levels:
  - The first-level DFD shows the main processes within the system.
  - Each of these processes can be broken into further processes until you reach the level at which individual actions on transaction flows take place.
- If you use SmartDraw: you can nest data flow diagrams in SmartDraw. Draw the high-level diagrams first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.
The Datastore
- The Datastore is used to represent Ledgers and Journals
- Or, more often in the current world, their computer-implemented counterpart, since almost no one keeps physical records

Flowcharting Accounting Systems ... Lower Level with Multiple Processes
- Data Flow Diagram Layers
  - Draw data flow diagrams in several nested layers.
  - A single process node on a high-level diagram can be expanded to show a more detailed data flow diagram.
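Added example (not from the text, and nothing to do with SmartDraw): a small Python model of nested DFDs with the checks an auditor would apply when reading one. Datastores and external entities never exchange data without a process between them; every process has at least one input, one output and a responsible owner (the "one person per bubble" rule above); and a child diagram must balance with the process it expands, meaning the data crossing the parent bubble equals the data crossing the child's boundary. The purchasing/payables diagram, its node ids and its owners are constructed.

```python
"""Nested data-flow-diagram model with consistency and balancing checks (added example)."""
from collections import defaultdict

PROCESS, STORE, EXTERNAL = "process", "datastore", "external"


class DFD:
    """One diagram level: nodes, labelled flows, and child diagrams that expand a process."""

    def __init__(self, name):
        self.name = name
        self.nodes = {}      # node id -> (kind, label, owner); owner is only meaningful for processes
        self.flows = []      # (source id, destination id, data label)
        self.children = {}   # process id -> DFD that decomposes it

    def add(self, node_id, kind, label, owner=None):
        self.nodes[node_id] = (kind, label, owner)

    def flow(self, src, dst, label):
        self.flows.append((src, dst, label))

    def expand(self, process_id, child):
        self.children[process_id] = child


def check(dfd, outer_kinds=None):
    """Return a list of problems in dfd and every nested child (empty list = consistent).

    outer_kinds maps ids of enclosing-level nodes (external entities, stores, sibling
    processes) that a child diagram may reuse as flow endpoints without redeclaring them.
    """
    problems = []
    local_kinds = {n: k for n, (k, _, _) in dfd.nodes.items()}
    kinds = {**(outer_kinds or {}), **local_kinds}
    ins, outs = defaultdict(list), defaultdict(list)

    for src, dst, label in dfd.flows:
        if src not in kinds or dst not in kinds:
            problems.append(f"{dfd.name}: flow '{label}' {src}->{dst} references an undefined node")
            continue
        # Stores and external entities never talk to each other directly; a process must sit between them.
        if kinds[src] != PROCESS and kinds[dst] != PROCESS:
            problems.append(f"{dfd.name}: flow '{label}' {src}->{dst} does not pass through a process")
        outs[src].append(label)
        ins[dst].append(label)

    for n, (kind, label, owner) in dfd.nodes.items():
        if kind != PROCESS:
            continue
        if not ins[n] or not outs[n]:
            problems.append(f"{dfd.name}: process {n} '{label}' needs at least one input and one output")
        if not owner:
            problems.append(f"{dfd.name}: process {n} '{label}' has no responsible owner")

    for pid, child in dfd.children.items():
        # Balancing: a child flow whose endpoint is not a child node crosses the child's boundary,
        # and those boundary flows must equal the flows in and out of the parent bubble.
        child_in = sorted(l for s, d, l in child.flows if s not in child.nodes)
        child_out = sorted(l for s, d, l in child.flows if d not in child.nodes)
        if child_in != sorted(ins[pid]) or child_out != sorted(outs[pid]):
            problems.append(f"{dfd.name}: child '{child.name}' is not balanced with process {pid}")
        problems.extend(check(child, outer_kinds=kinds))
    return problems


def purchasing_example():
    """Constructed context diagram for purchasing/payables and its level-1 expansion."""
    ctx = DFD("context")
    ctx.add("E1", EXTERNAL, "Vendor")
    ctx.add("P0", PROCESS, "Purchasing and accounts payable", owner="Controller")
    ctx.flow("E1", "P0", "raw materials received")
    ctx.flow("E1", "P0", "vendor invoice")
    ctx.flow("P0", "E1", "payment")

    level1 = DFD("level 1")
    level1.add("P1", PROCESS, "Receive raw materials", owner="Receiving dock")
    level1.add("P2", PROCESS, "Record and pay payable", owner="A/P clerk")
    level1.add("D1", STORE, "A/P ledger")
    level1.flow("E1", "P1", "raw materials received")   # E1 is the parent's Vendor
    level1.flow("P1", "P2", "receiving report")
    level1.flow("E1", "P2", "vendor invoice")
    level1.flow("P2", "D1", "journal entry")
    level1.flow("P2", "E1", "payment")
    ctx.expand("P0", level1)
    return ctx


if __name__ == "__main__":
    print(check(purchasing_example()) or "diagram is consistent")
```

The balancing check is the one that catches a level-1 drawing that quietly adds or drops a flow the context diagram never showed, which is exactly where an auditor's understanding of which transactions cross the firm's boundary goes wrong; the ownership check turns the slide's "one person per bubble" rule into something the diagram itself can fail.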
Practicum: Jacksonville Jaguars
Assurance Services for the Electronic Payments System of a privately held company
- Identify benefits, costs and risks to businesses from implementing information technologies
- Determine how CPAs can provide assurance about processes designed to reduce risks created when new IT systems are introduced
- Understand ways CPAs can identify new assurance services opportunities (i.e., new areas for revenue generation)
IS Security
Chapter 3
What is Security?
- Security involves:
  - the protection of a person, property or organization from attack,
  - knowing the types of possible attacks, and
  - being aware of the motivations for attacks and your relationship to those motives.
- Proper security:
  - makes it difficult to attack,
  - threatens counter-measures, or
  - makes a pre-emptive attack on a source of threat.
- IS Security is a collection of investments and procedures that:
  - protect information stored on computers, and
  - protect hardware and software assets
  - from theft or vandalism by 3rd parties.
What is a Lock & Key?
- A lock is a security system
  - The key is its password
- Keys used to be worn visibly around the neck
  - as a sign of authority (similar to employee badges today)
- Newer technology
  - Badges and electronic keys
  - Biometrics (the M-28 fingerprint lock pictured on the original slide)
  - Remote controls (Lexus keys)
- "Keys" are just another security policy
Effective security policy
- Security policy defines the organization's attitude to assets, and
  - announces internally and externally which assets are mission critical,
  - and which are to be protected from unauthorized access, vandalism and destruction by 3rd parties
- Effective information security policies
  - will turn staff into participants in the company's security
  - the process of developing these policies will help to define a company's assets
- An effective security policy also protects people.
  - Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well.
  - A security policy allows people to take necessary actions without fear of reprisal.
  - Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.
IP
- There are four types of Intellectual Property (IP) that are protected by law:
  - Copyright
  - Patent
  - Trade secret
  - Trademark
- Two further aspects of the use of IP are covered by intellectual property laws:
  - Right of publicity
  - Privacy
Almost all security controls use the Lock & Key paradigm.
- Authorization system = who gets a key (and why?)
- Password, etc. = key
- Encryption algorithms, SSL, etc. = lock
Entry into Computer Crime
- This flowchart describes the points at which control processes may be created to stop criminals.
- Controls may:
  - Prevent access to the asset
  - Detect asset access
  - Correct the problems or losses after an illicit access
- Remember that criminals specialize in one type of crime.

[Flowchart: Personal Background -> Motives -> Learning Skills to Commit Crime, then either Un-premeditated (Reaction to Chance Event) or Premeditated (Choose "Best" Option), both leading to the Decision / Action Matrix below.]

Decision / Action Matrix
                 Commit Crime          Don't Commit
Select Asset     - Face penalties      - Too hard
                 - Enjoy rewards       - Monitored
                                       - Unfamiliar
                                       - Not enough value
Don't Select     N/A
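Added example, not from the text: the Lock & Key paradigm and the prevent/detect control points applied to an application access log. The authorization table is the "who gets a key" system (preventive control); the log review is the detective control that catches a key used outside its authorization, after-hours use, incompatible duties held by one user, and repeated denied attempts (the "monitored" deterrent in the decision matrix). Users, business hours, the incompatible-action pair, the denial threshold and the log lines are constructed; the corrective control is not modelled.

```python
"""Preventive and detective controls over a constructed application access log (added example)."""
from collections import defaultdict
from datetime import datetime, time

# Authorization system (who gets a key, for what): user -> {(application, action)}. Constructed.
AUTHORIZATIONS = {
    "jlee":  {("AP", "enter_invoice"), ("AP", "view")},
    "mchan": {("AP", "approve_payment"), ("AP", "view")},
    "rdock": {("RECEIVING", "post_receipt"), ("RECEIVING", "view")},
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))             # assumed
INCOMPATIBLE = {("enter_invoice", "approve_payment")}  # assumed segregation-of-duties pair
DENIAL_THRESHOLD = 3                                   # assumed

# Constructed log lines: "YYYY-MM-DD HH:MM user application action outcome"
SAMPLE_LOG = """\
2006-09-18 09:12 jlee AP enter_invoice ok
2006-09-18 09:40 mchan AP approve_payment ok
2006-09-18 23:05 rdock RECEIVING post_receipt ok
2006-09-19 10:02 jlee AP approve_payment ok
2006-09-19 10:03 rdock AP view denied
2006-09-19 10:04 rdock AP view denied
2006-09-19 10:05 rdock AP approve_payment denied
""".splitlines()


def parse_event(line):
    """Split one constructed log line into its fields."""
    date, clock, user, app, action, outcome = line.split()
    return {"ts": datetime.fromisoformat(f"{date} {clock}"), "user": user,
            "app": app, "action": action, "outcome": outcome}


def authorized(user, app, action):
    """Preventive control: the lock opens only for a key issued for this use."""
    return (app, action) in AUTHORIZATIONS.get(user, set())


def review_log(lines):
    """Detective control: return (finding, user, detail) tuples in a fixed order."""
    findings = []
    performed = defaultdict(set)   # user -> actions that succeeded
    denials = defaultdict(int)     # user -> number of denied attempts
    for line in lines:
        ev = parse_event(line)
        if ev["outcome"] != "ok":
            denials[ev["user"]] += 1   # the lock held; count it, because probing is itself a signal
            continue
        performed[ev["user"]].add(ev["action"])
        if not authorized(ev["user"], ev["app"], ev["action"]):
            # The preventive control did not hold (e.g. a shared or privileged account).
            findings.append(("unauthorized access succeeded", ev["user"], f'{ev["app"]}:{ev["action"]}'))
        if not BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]:
            findings.append(("after-hours activity", ev["user"], ev["ts"].isoformat(" ")))
    for user, actions in performed.items():
        for a, b in INCOMPATIBLE:
            if a in actions and b in actions:
                findings.append(("incompatible duties", user, f"{a}+{b}"))
    for user, n in denials.items():
        if n >= DENIAL_THRESHOLD:
            findings.append(("repeated denied attempts", user, str(n)))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding, sep="\t")
```

The fourth log line is the one to notice: the lock did not stop jlee approving a payment, so only the detective review sees it, and it also makes jlee the single person who both entered and approved an invoice. The three denied lines show the other side: the preventive control worked, but the pattern of attempts is still worth an auditor's attention.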
Bringing a computer crime to court

Step                              Potential Terminal Outcome
Crime committed                   Not detected
Reported                          Not investigated
Investigation                     Unsolved
Arrest                            Released without prosecution
Booking                           Released without prosecution
Preliminary appearance in court   Charges dropped or dismissed
Bail or detention                 Arbitration, settled "out of court"
Adjudication:
  Arraignment                     Charge dismissed
  Trial                           Acquitted
  Sentencing                      Appeal
  Sentencing                      Probation
  Sentencing                      Prison
Practicum: The Anonymous Caller
Recognizing It's a Fraud and Evaluating What to Do
- How would you politely and ethically handle a "dodgy" request for help?
- Appreciate real-world pressures for meeting financial expectations
- Distinguish financial statement fraud from aggressive accounting
- Identify alternative actions when confronted with suspected financial statement fraud
- Develop arguments to resist or prevent inappropriate accounting techniques
Physical Security (Chapter 7) and Logical Security (Chapter 8)
Security Policy
[Figure: the Information Manager's control loop. Inputs (Manpower, Money, Machines, Methods, Materials) are acted on by Plan, Organize, Actuate and Control; the Information System supplies Environmental, Competitive, Internal Financial and Internal Non-financial information; Outputs are measured against the Objectives of Quantity, Quality, Cost, Time, Profitability, Efficiency, Growth and Survival.]
Strategy -> Policy
- Strategy defines the way that top management achieves corporate objectives
- Policy is a written set of procedures, guidelines and rules
  - designed to accomplish a subset of strategic tasks
  - by a particular subgroup of employees
Effective information security policy
- Information security policy defines the organization's attitude to information, and
  - announces internally and externally that information is an asset
  - which is to be protected from unauthorized access, modification, disclosure, and destruction
- Effective information security policies
  - will turn staff into participants in the company's security
  - the process of developing these policies will help to define a company's information assets

Why Do You Need a Security Policy?
A security policy should:
- Protect people and information
- Set the rules for expected behavior by users, system administrators, management, and security personnel
- Authorize security personnel to monitor, probe, and investigate
- Define and authorize the consequences of violation
The Three Elements of Policy Implementation
- Standards: specify the use of specific technologies in a uniform way. The example the book gives is the standardization of operating procedures.
- Guidelines: similar to standards, but are recommended actions.
- Procedures: the detailed steps that must be performed for any task.
Steps to Creation of IS Security Policy
Policy Development Lifecycle
1. Senior management buy-in
2. Determine a compliance grace period
3. Determine resource involvement
4. Review existing policy
5. Determine research materials (Internet, SANS, white papers, books...)
6. Interview the parties {Responsible, Accountable, Controlling} for the assets
   1. Define your objectives
   2. Control the interview
   3. Sum up and confirm
   4. Post-interview review
7. Review with additional stakeholders
8. Ensure policy is reflected in "awareness" strategies
9. Review and update
10. Gap analysis
11. Develop communication strategy
12. Publish
What's in a Policy Document
Governing Policy
- Should
  - address information security policy at a general level,
  - define significant concepts,
  - describe why they are important, and
  - detail what your company's stand is on them
- Governing policy will be read by managers and by technical custodians
- Level of detail: governing policy should address the "what" in terms of security policy.

Governing Policy Outline might typically include
1. Authentication
2. Access Control
3. Authorization
4. Auditing
5. Cryptography
6. System and Network Controls
7. Business Continuity/Disaster Recovery
8. Compliance Measurement
Technical Policies
- Used by technical custodians as they carry out their security responsibilities for the systems they work with.
- Are more detailed than the governing policy and will be system- or issue-specific, e.g., AS-400 or physical security.

Technical Policy Outline might typically include
1. Authentication
2. Authorization
3. Auditing
4. Network Services
5. Physical Security
6. Operating System
7. Business Continuity/Disaster Recovery
8. Compliance Measurement
User Policies
- Cover the IS security policy that end-users need to know about, comply with, and implement.
- Most of these will address the management of
  - transaction flows and
  - databases associated with applications
- Some of these policy statements may overlap with the technical policy
- Grouping all end-user policy together means that users will only have to go to one place and read one document in order to learn everything they need to do to ensure compliance with company security

User Policy Outline might typically include
1. User Access
2. User Identification and Accountability
3. Passwords
4. Software
5. System Configuration and Settings
6. Physical
7. Business Continuity Planning
8. Data Classification
9. Encryption
10. Remote Access
11. Wireless Devices/PDAs
12. Email
13. Instant Messaging
14. Web Conferencing
15. Voice Communications
16. Imaging/Output