IS Auditing Techniques

Update from Business Week
Number of Net Fraud Complaints
– 2002 – 48,252
– 2004 – 207,449
Update from Business Week
Cybertricks
– Phishing
– Pharming – viruses attached to emails and web sites drop monitoring software onto people's computers
– Wi-Phishing – cybercrooks set up “free” wireless networks, monitor their use and steal passwords and other identity information
– Typosquatting – web site addresses similar to real sites (whitehouse.com)

Scope Of Bank Data Theft Grows To 676,000 Customers
– Largest breach of banking security in the U.S. to date
– Investigators learned that the bank employees normally conducted 40 to 50 searches of customer bank accounts as a daily part of their jobs. While the ring was in operation, however, they performed up to 500 account searches a day, looking for new data to steal.
Study: Insider revenge often behind cyberattacks (MAY 20, 2005 COMPUTERWORLD)
– Companies hoping to thwart insider attacks need to have good password, account and configuration management practices in place, as well as the right processes for disabling network access when employees are terminated
– Investigation of 49 cases of insider attacks
  – In 92% of the cases, a negative work-related event triggered the insider action
Internal Control
Primary objectives of an AIS
– Identify and record all valid transactions
– Properly classify transactions
– Record transactions at the proper monetary value
– Record transactions in the proper accounting period
– Properly present transactions and related disclosures in the financial statements
(AICPA)
AIS Auditing
– Audit Through the Computer
  – Review and evaluate internal controls during compliance testing
– Audit With the Computer
  – Direct verification of financial statement balances
  – Part of substantive testing of account balances
– Audit Around the Computer
  – Treat AIS as a black box
  – Enter specific test transactions, determine if output reflects those transactions
IS Auditing Techniques
– Test data (black box testing)
  – Both valid and invalid input
  – Procedure:
    – Determine expected output before processing the input
    – Run the input transaction through the system
    – Compare actual output with expected output
    – Determine the cause of any discrepancy
  – Good for:
    – Verifying validation controls
    – Verifying computational routines (depreciation calculations)
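The four-step test-data procedure above, as an added example that is not part of the slides. The transaction-entry routine, the mod-10 check digit on account numbers, the open accounting period and the planted defect are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Txn:
    account: str    # 7-digit account number plus mod-10 (Luhn) check digit: an assumption
    amount: float
    posted: date

OPEN_PERIOD = (date(2005, 5, 1), date(2005, 5, 31))   # constructed open accounting period

def luhn_ok(number: str) -> bool:
    """Check-digit validation control (Luhn mod-10)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def system_under_audit(t: Txn) -> str:
    """Constructed AIS input routine with a planted defect: the amount control
    tests '< 0' instead of '<= 0', so a zero-value transaction is accepted."""
    if not (t.account.isdigit() and len(t.account) == 8 and luhn_ok(t.account)):
        return "REJECT: account"
    if t.amount < 0:                                   # defect: should be <= 0
        return "REJECT: amount"
    if not (OPEN_PERIOD[0] <= t.posted <= OPEN_PERIOD[1]):
        return "REJECT: period"
    return "POSTED"

TEST_CASES = [   # step 1: valid and invalid input, expected output fixed before processing
    (Txn("12345674", 250.00, date(2005, 5, 15)), "POSTED"),
    (Txn("12345675", 250.00, date(2005, 5, 15)), "REJECT: account"),  # bad check digit
    (Txn("12345674", -10.00, date(2005, 5, 15)), "REJECT: amount"),
    (Txn("12345674", 0.00, date(2005, 5, 15)), "REJECT: amount"),     # zero amount
    (Txn("12345674", 99.00, date(2005, 6, 1)), "REJECT: period"),     # outside open period
]

def run_test_data(cases):
    """Steps 2-4: run each transaction, compare actual with expected, and return
    the discrepancies for the auditor to trace back to their cause."""
    discrepancies = []
    for txn, expected in cases:
        actual = system_under_audit(txn)
        if actual != expected:
            discrepancies.append((txn, expected, actual))
    return discrepancies
```

The routine here has no side effects; against a live system the auditor also has to plan how the posted test transactions will be reversed.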
IS Auditing Techniques
– Test data (black box testing)
  – Complications
    – Will not detect fraud by clever programmers
    – How do you reverse the test transactions?
    – Not feasible to test all combinations of logic within a program
IS Auditing Techniques
– Integrated Test Facility
  – Create fictitious entities within system for test
    – Run test transactions in conjunction with live data
  – Must exclude fictitious entities and data from normal output reports (financial statements)
  – Same technique used in Equity Funding scandal
IS Auditing Techniques
– Parallel Simulation
  – Process real data through test programs
    – As opposed to processing test data through real programs
  – Compare regular output with simulated output
  – Very useful when evaluating changes or upgrades to a system
    – Need to ensure that upgrades did not negatively affect existing routines
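Parallel simulation of a depreciation routine after a system upgrade, as an added example that is not from the slides. The asset records, the "post-upgrade" production routine and its defect are constructed; the auditor's program is written independently and the two outputs are compared record by record.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    asset_id: str
    cost: float
    salvage: float
    life_years: int
    years_in_service: int   # full years already depreciated before this run

def production_depreciation(a: Asset) -> float:
    """Constructed post-upgrade production routine. The upgrade dropped the
    check that stops depreciation once book value reaches salvage value."""
    return round((a.cost - a.salvage) / a.life_years, 2)

def auditor_simulation(a: Asset) -> float:
    """Auditor's independently written straight-line routine: charge the
    annual amount, but never take book value below salvage."""
    annual = (a.cost - a.salvage) / a.life_years
    remaining = (a.cost - a.salvage) - annual * a.years_in_service
    return round(max(0.0, min(annual, remaining)), 2)

REAL_DATA = [   # constructed stand-in for the live asset master file
    Asset("A-001", 12000.0, 2000.0, 5, 2),
    Asset("A-002", 4500.0, 500.0, 4, 0),
    Asset("A-003", 8000.0, 1000.0, 7, 7),   # useful life already exhausted
]

def parallel_simulation(assets, production=production_depreciation,
                        simulation=auditor_simulation):
    """Run the same real records through both programs and return the
    exceptions as (asset id, regular output, simulated output)."""
    exceptions = []
    for a in assets:
        regular, simulated = production(a), simulation(a)
        if abs(regular - simulated) > 0.005:
            exceptions.append((a.asset_id, regular, simulated))
    return exceptions
```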
IS Auditing Techniques
– Embedded Audit Routines – modify computer programs for audit purposes
  – Snapshot
    – Status of the system at a given point in time
    – Take a snapshot of database before transaction, process the transaction, then take snapshot of database after.
  – Trace
    – Detailed audit trail
    – Requires in-depth knowledge of computer program
  – Desk Check
    – Manually process transaction through program logic (as provided in flowchart or program listing)
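The snapshot routine described above, as an added example that is not from the slides: an audit wrapper takes a snapshot of the database before a funds transfer, processes it, takes a snapshot after, and returns the changed rows as the transaction's audit trail. The accounts table, balances and transfer logic are constructed, held in an in-memory SQLite database.

```python
import sqlite3

def open_db():
    """Constructed accounts table; balances are in cents."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("1001", 50000), ("1002", 12000), ("1003", 300)])
    db.commit()
    return db

def snapshot(db):
    """Status of the system at a point in time: every row, keyed by account."""
    return {acct: bal for acct, bal in db.execute("SELECT acct, balance FROM accounts")}

def transfer(db, src, dst, cents):
    """The business transaction being audited (constructed)."""
    db.execute("UPDATE accounts SET balance = balance - ? WHERE acct = ?", (cents, src))
    db.execute("UPDATE accounts SET balance = balance + ? WHERE acct = ?", (cents, dst))
    db.commit()

def audited(db, txn, *args):
    """Embedded audit routine: snapshot before, process, snapshot after, and
    return the rows that changed as (account, before, after)."""
    before = snapshot(db)
    txn(db, *args)
    after = snapshot(db)
    return [(k, before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)]

def run_transfer(src="1001", dst="1002", cents=2500):
    """Process one transfer under the snapshot routine and apply a control
    check to the trail: a transfer must net to zero across all accounts."""
    db = open_db()
    trail = audited(db, transfer, src, dst, cents)
    net = sum((after or 0) - (before or 0) for _, before, after in trail)
    return trail, net
```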
Internal Control
– Time to put it all together

Internal Control Process – Control Environment
Bridge, Mike and Ian Moss. “COSO back in the limelight”
http://www.pwc.com/extweb/indissue.nsf/docid/41D0EC9E16678147CA256D030038030B
Control Environment
– Integrity and ethical values
  – Ethics and corporate culture
– Commitment to competence
– Management philosophy and operating style
– Responsibility and commensurate authority
– Human resources
  – Adequate supervision
  – Job rotation and forced vacations
  – Dual control
Internal Control Process – Risk Assessment
Apply Risk Assessment Framework
– What is the threat?
– What is the likelihood that the threat will occur?
– What is the potential damage from the threat?
– What controls can be used to minimize the damage?
– What is the cost of implementing the control?
Internal Control Process – Control Activities
Control Activities
– Constraints imposed on a user or a system to secure systems against risks.
– Types
  – Prevent
  – Detect
  – Correct
– General vs IT specific
Segregation of Systems Duties
– Systems Administration
– Network Management
– Security Management
– Change Management
– Systems Analysis
– Programming/Development
– Test and Validation
– Computer Operations
– Data Control
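A segregation-of-duties check over the systems functions listed above, as an added example that is not from the slides. Which pairs of duties are treated as incompatible is an assumption made for illustration (an organisation defines its own matrix), and the staff assignments are constructed.

```python
from itertools import combinations

DUTIES = {"Systems Administration", "Network Management", "Security Management",
          "Change Management", "Systems Analysis", "Programming/Development",
          "Test and Validation", "Computer Operations", "Data Control"}

INCOMPATIBLE = {   # assumed matrix of duty pairs one person must not hold together
    frozenset({"Programming/Development", "Computer Operations"}),
    frozenset({"Programming/Development", "Test and Validation"}),
    frozenset({"Programming/Development", "Change Management"}),
    frozenset({"Systems Administration", "Security Management"}),
    frozenset({"Computer Operations", "Data Control"}),
}

def sod_violations(assignments):
    """assignments: {user: set of duties}. Returns sorted (user, duty, duty)
    triples for every incompatible pair held by one person. Duties not in the
    list above are rejected rather than silently ignored."""
    found = []
    for user, duties in assignments.items():
        unknown = set(duties) - DUTIES
        if unknown:
            raise ValueError(f"{user}: unknown duties {sorted(unknown)}")
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                found.append((user, a, b))
    return sorted(found)

STAFF = {   # constructed role assignments
    "alice": {"Programming/Development", "Systems Analysis"},
    "bob":   {"Programming/Development", "Computer Operations", "Change Management"},
    "carol": {"Security Management"},
    "dave":  {"Systems Administration", "Network Management"},
}
```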
Internal Control Process – Information and Communication
Information and Communication
– Need to understand:
  – How transactions are initiated
  – How data are captured in machine-readable form (or converted from source documents into machine-readable form)
  – How computer files are accessed and updated
  – How data are processed
  – How information is reported to internal and external users
Internal Control Process – Monitoring
Monitoring
– Effective Supervision
– Responsibility Accounting
– Monitor System Activities
  – Review computer and network security
  – Detect illegal entry
  – Test for weaknesses and vulnerabilities
  – Monitor for viruses, spyware, spam, pop-ups, etc.
– Track purchased software
In-Class Exercise
– Problem 36, pg 477

Final Project
– Project 3