
CH.-1-4 AUDICISENV-REVIEWER

CHAPTER 1: AUDITING, ASSURANCE, &
INTERNAL CONTROL
AUDITING
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events, to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.
INTERNAL AUDITS
Internal auditing: independent appraisal function
established within an organization to examine and
evaluate its activities as a service to the organization
• Financial Audits
• Operational Audits
• Compliance Audits
• Fraud Audits
• IT Audits
✓ CIA
✓ IIA
IT AUDITS
• IT audits: provide audit services where
processes or data, or both, are embedded in
technologies.
• Subject to ethics, guidelines, and standards
of the profession (if certified)
CISA
Most closely associated with ISACA
• Joint with internal, external, and fraud audits
• Scope of IT audit coverage is increasing
• Characterized by CAATTs
• IT governance as part of corporate
governance
FRAUD AUDITS
• Fraud audits: provide investigation services
where anomalies are suspected, to develop
evidence to support or deny fraudulent
activities.
• Auditor is more like a detective
• No materiality
• Goal is conviction, if sufficient evidence of
fraud exists
✓ CFE
✓ ACFE
By: Roxy <333
EXTERNAL AUDITS
• External auditing: Objective is that in all material respects, financial statements are a fair representation of the organization’s transactions and account balances.
✓ SEC’s role
✓ Accountancy Act of 2004
✓ PRC-BOA
CPA
EXTERNAL vs. INTERNAL
External auditing:
o Independent auditor (CPA)
o Independence defined by SEC/S-OX/AIC
o Required by SEC for publicly traded
companies
o Referred to as a “financial audit”
o Represents interests of outsiders, “the
public” (e.g., stockholders)
o Standards, guidance, certification governed
by PICPA, PRC-BOA, SEC; delegated by
SEC who has final authority
Internal auditing:
o Auditor (often a CIA or CISA)
o Is an employee of organization imposing
independence on self
o Optional per management requirements
o Broader services than financial audit; (e.g.,
operational audits)
o Represent interests of the organization
o Standards, guidance, certification governed
by IIA and ISACA
FINANCIAL AUDITS
• An independent attestation performed by an
expert (i.e., an auditor, a CPA) who
expresses an opinion regarding the
presentation of financial statements
• Key concept: Independence
• {Should be} Similar to a trial by judge
• Culmination of systematic process
involving:
✓ Familiarization with the organization’s
business
✓ Evaluating and testing internal controls
✓ Assessing the reliability of financial data
• Product is formal written report that
expresses an opinion about the reliability of
the assertions in financial statements; in
conformity with GAAP
ATTEST definition
✓ Written assertions
✓ Practitioner’s written report
✓ Formal establishment of measurement
criteria or their description
✓ Limited to:
▪ Examination
▪ Review
▪ Application of agreed-upon procedures
AUDITS
• Systematic process
• Five primary management assertions, and
correlated audit objectives and procedures
✓ Existence or Occurrence
✓ Completeness
✓ Rights & Obligations
✓ Valuation or Allocation
✓ Presentation or Disclosure
➢ Phases [Figure 1-3]
1. Planning
2. Obtaining evidence
✓ Tests of Controls
✓ Substantive Testing
o CAATTs
o Analytical procedures
3. Ascertaining reliability
✓ MATERIALITY
4. Communicating results
✓ Audit opinion
Audit Risk Formula
AUDIT RISK:
▪ The probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find
INHERENT RISK:
▪ The probability that material misstatements
have occurred
✓ Material vs. Immaterial
▪ Includes economic conditions, etc.
▪ Relative risk (e.g., cash)
CONTROL RISK:
▪ The probability that the internal controls will
fail to detect material misstatements
DETECTION RISK:
▪ The probability that the audit procedures
will fail to detect material misstatements
▪ Substantive procedures
AUDIT RISK MODEL:
▪ AR = IR * CR * DR
▪ Example, inventory with:
IR=40%, CR=60%, AR=5% (fixed)
.05 = .4 * .6 * DR
... then DR=4.8%
▪ Why is AR = 5%?
▪ What is detection risk?
▪ Can CR realistically be 0?
▪ Relationship between DR and substantive procedures
▪ Relationship between tests of controls and substantive tests
o Illustrate higher reliability of the internal
controls and the Audit Risk Model
o What happens if internal controls are
more reliable than last audit
o Last year: .05 = .4 * .6 * DR [DR = 4.8]
o This year: .05 = .4 * .4 * DR [DR = 3.2]
o The more reliable the internal controls,
the lower the CR probability; thus the
lower the DR will be, and fewer
substantive tests are necessary.
o Substantive tests are labor intensive
Role of Audit Committee
• Selected from board of directors
• Usually three members
• Outsiders (SEC now requires it)
• Fiduciary responsibility to shareholders
• Serve as independent check and balance
system
• Interact with internal auditors
• Hire, set fees, and interact with external
auditors
• Resolve conflicts over GAAP between external auditors and management
What is an IT Audit?
o Most accounting transactions are now in electronic form without any paper documentation, because electronic storage is more efficient. These technologies greatly change the nature of audits, which have so long relied on paper documents.
THE IT ENVIRONMENT
• There has always been a need for an
effective internal control system.
• The design and oversight of that system has
typically been the responsibility of
accountants.
• The I.T. Environment complicates the paper
systems of the past.
o Concentration of data
o Expanded access and linkages
o Increase in malicious activities in systems
vs. paper
o Opportunity that can cause management
fraud (i.e., override)
• Audit planning
• Tests of controls
• Substantive test
CAATTs
INTERNAL CONTROL
is policies, practices, procedures designed to …
• safeguard assets
• ensure accuracy and reliability
• promote efficiency
• measure compliance with policies
BRIEF HISTORY - COSO
Committee on Sponsoring Organizations - 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective model for internal controls over a number of years
3. Is widely adopted
EXPOSURES AND RISK
• Exposure - Absence or weakness of a
control
• Risks - Potential threat to compromise use
or value of organizational assets
Types of risk
▪ Destruction of assets
▪ Theft of assets
▪ Corruption of information or the I.S.
▪ Disruption of the I.S.
THE P-D-C MODEL
▪ Preventive controls
▪ Detective controls
▪ Corrective controls
✓ Which is most cost effective?
✓ Which one tends to be proactive measures?
✓ Can you give an example of each?
▪ Predictive controls
Consideration of Internal Control in a Financial
Statement Audit
▪ COSO
✓ The control environment
✓ Risk assessment
✓ Information & communication
By: Roxy <333
✓ Monitoring
✓ Control activities
#1:Control Environment -- elements
▪ The integrity and ethical values
▪ Structure of the organization
▪ Participation of audit committee
▪ Management’s philosophy and style
▪ Procedures for delegating
▪ Management’s methods of assessing
performance
▪ External influences
▪ Organization’s policies and practices for
managing human resources
#1: Control Environment – Techniques
▪ Assess the integrity of organization’s
management
▪ Conditions conducive to management fraud
▪ Understand client’s business and industry
▪ Determine if board and audit committee are
actively involved
▪ Study organization structure
#2: Risk Assessment
▪ Changes in environment
▪ Changes in personnel
▪ Changes in I.S.
▪ New IT’s
▪ Significant or rapid growth
▪ New products or services (experience)
▪ Organizational restructuring
▪ Foreign markets
▪ New accounting principles
#3: Information & Communication – Elements
▪ Initiate, identify, analyze, classify and record
economic transactions and events.
▪ Identify and record all valid economic
transactions
▪ Provide timely, detailed information
▪ Accurately measure financial values
▪ Accurately record transactions
▪ Auditors obtain sufficient knowledge of
I.S.’s to understand:
✓ Classes of transactions that are
material
✓ Accounting records and accounts used
✓ Processing steps: initiation to inclusion in financial statements (illustrate)
✓ Financial reporting process (including
disclosures)
#4: Monitoring
▪ By separate procedures (e.g., tests of
controls)
▪ By ongoing activities (Embedded Audit Modules – EAMs, and Continuous Online Auditing – COA)
#5: Control Activities
Physical Controls (1-3)
1. Transaction authorization
Example:
• Sales only to authorized customer
• Sales only if available credit limit
2. Segregation of duties
Examples of incompatible duties:
• Authorization vs. processing [e.g.,
Sales vs. Auth. Cust.]
• Custody vs. recordkeeping [e.g.,
custody of inventory vs. DP of
inventory]
• Fraud requires collusion [e.g., separate
various steps in process]
3. Supervision
• Serves as compensating control when
lack of segregation of duties exists by
necessity
Physical Controls (4-6)
4. Accounting records (audit trails; examples)
5. Access controls
• Direct (the assets)
• Indirect (documents that control the
assets)
• Fraud
• Disaster Recovery
6. Independent verification
• Management can assess:
▪ The performance of individuals
▪ The integrity of the AIS
▪ The integrity of the data in the record
▪ Examples
IT Risks Model
• Operations
• Data management systems
• New systems development
• Systems maintenance
• Electronic commerce (The Internet)
• Computer applications
CHAPTER 2: AUDITING IT GOVERNANCE
CONTROLS
STRUCTURING THE IT FUNCTION
• Centralized data processing
• Organizational chart
✓ Database administrator (DBA)
✓ Data processing manager/dept.
o Data control
o Data preparation/conversion
o Computer operations
o Data library
• Systems development & Systems
maintenance
✓ Participants
✓ End users
✓ IS professionals
✓ Auditors
✓ Other stakeholders
Segregation of incompatible IT functions
• Objectives:
✓ Segregate transaction authorization from
transaction processing
✓ Segregate record keeping from asset
custody
✓ Divide transaction processing tasks among individuals such that fraud would not be possible short of collusion between two or more individuals.
SEGREGATION OF INCOMPATIBLE IT
FUNCTIONS
1. Separating systems development from
computer operations
2. Separating DBA from other functions
▪ DBA is responsible for several critical tasks:
✓ Database security
✓ Creating database schema and user view
✓ Assigning database access authority to
users
✓ Monitoring database usage
✓ Planning for future changes
3. Segregate data library from operations
▪ Physical security of off-line data files
▪ Implications of modern systems on use of
data library:
✓ Real-time/online vs. batch processing
✓ Volume of tape files is insufficient to justify
full-time librarian
✓ Alternative: rotate on ad hoc basis
✓ Custody of on site data backups
✓ Custody of original commercial software and
licenses
4. Segregate Systems Development from
Maintenance
▪ Two types of improvements from this
approach:
1. Better documentation standards - Necessary
for transfer of responsibility
2. Deters fraud - Possibility of being
discovered
STRUCTURING THE IT FUNCTION
Audit objectives
▪ Risk assessment
▪ Verify incompatible areas are properly segregated
✓ How would an auditor accomplish this objective?
▪ Verify formal vs. informal relationships exist between incompatible tasks
✓ Why does it matter?
Segregation of incompatible IT functions
▪ Audit procedures:
✓ Obtain and review security policy
✓ Verify policy is communicated
✓ Review relevant documentation (org.
chart, mission statement, key job
descriptions)
✓ Review systems documentation and
maintenance records (using a sample)
✓ Verify whether maintenance
programmers are also original design
programmers
✓ Observe segregation policies in practice
✓ Review operations room access log
✓ Review user rights and privileges
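Added example (not part of these reviewer notes): a segregation-of-duties check over exported user rights, the kind of test behind "review user rights and privileges" above. The role names, conflict pairs, users and compensating controls are all constructed sample data.

```python
# Added example (not from the reviewer notes): a segregation-of-duties review of
# exported user rights. Role names, conflict pairs and users are constructed.
from itertools import combinations

# Incompatible role pairs taken from the chapter's segregation rules:
# authorization vs. processing, custody vs. recordkeeping, systems development
# vs. operations, original design vs. maintenance programming, DBA vs. others.
INCOMPATIBLE_PAIRS = {
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"asset_custody", "recordkeeping"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"design_programmer", "maintenance_programmer"}),
    frozenset({"dba", "systems_development"}),
    frozenset({"dba", "computer_operations"}),
}

# Constructed sample: user -> roles granted, as pulled from an access export.
SAMPLE_PRIVILEGES = {
    "alice": {"transaction_authorization"},
    "bob":   {"transaction_processing", "recordkeeping"},
    "carol": {"design_programmer", "maintenance_programmer"},
    "dave":  {"dba", "computer_operations"},
    "erin":  {"asset_custody"},
}

# Constructed sample: documented compensating controls (supervision) per user.
SAMPLE_COMPENSATING = {"carol": "weekly supervisory review of maintenance changes"}


def find_conflicts(privileges, incompatible=INCOMPATIBLE_PAIRS):
    """Map each user holding incompatible roles to the sorted list of conflicting pairs."""
    conflicts = {}
    for user, roles in privileges.items():
        pairs = [tuple(sorted(pair)) for pair in combinations(sorted(roles), 2)
                 if frozenset(pair) in incompatible]
        if pairs:
            conflicts[user] = sorted(pairs)
    return conflicts


def audit_report(privileges, compensating):
    """Classify each conflict: 'compensated' if a control is on record, else 'exception'."""
    rows = []
    for user, pairs in find_conflicts(privileges).items():
        status = "compensated" if user in compensating else "exception"
        rows.append((user, pairs, status, compensating.get(user, "")))
    return sorted(rows)


if __name__ == "__main__":
    for user, pairs, status, control in audit_report(SAMPLE_PRIVILEGES, SAMPLE_COMPENSATING):
        print(f"{status:12} {user:6} {pairs} {control}")
```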
The distributed model
▪ Distributed Data Processing (DDP)
▪ Alternative A: centralized
▪ Alternative B: decentralized / network
▪ Risks associated with DDP
✓ Inefficient use of resources
✓ Mismanagement of resources by end users
✓ Hardware and software incompatibility
✓ Redundant tasks
✓ Destruction of audit trails
✓ Inadequate segregation of duties
✓ Hiring qualified professionals
✓ Increased potential for errors
✓ Programming errors and system failures
✓ Lack of standards
▪ Advantages of DDP
✓ Cost reduction
✓ End user data entry vs. data control group
✓ Application complexity reduced
✓ Development and maintenance costs
reduced
✓ Improved cost control responsibility
✓ IT critical to success then managers must
control the technologies
✓ Improved user satisfaction
✓ Increased morale and productivity
✓ Backup flexibility
✓ Excess capacity for Disaster Recovery
Planning (DRP)
▪ Controlling the DDP environment
✓ Need for careful analysis
✓ Implement a corporate IT function
Central systems development
o Acquisition, testing, and
implementation of commercial software
and hardware
User services
o Help desk: technical support, FAQs,
chat room, etc.
Standard-setting body
Personnel review
o IT staff
✓ Audit objectives:
o Conduct a risk assessment
o Verify the distributed IT units employ entity-wide standards of performance that promote compatibility among hardware, operating software, applications, and data
✓ Audit procedures:
o Verify corporate policies and standards
are communicated
o Review current organization chart,
mission statement, key job descriptions to
determine if any incompatible duties exist
o Verify compensating controls are in place
where incompatible duties do exist
o Review systems documentation
o Verify access controls are properly
established
THE COMPUTER CENTER
Computer center controls
• Physical location
✓ Avoid human-made and natural hazards
✓ Example: Chicago Board of Trade
• Construction
✓ Ideally: single-story, underground utilities,
windowless, use of filters
✓ If multi-storied building, use top floor
(away from traffic flows, and potential
flooding in a basement)
• Access
✓ Physical: Locked doors, cameras
✓ Manual: Access log of visitors
• Air conditioning
✓ Especially mainframes
✓ Amount of heat even from a group of PCs
• Fire suppression
✓ Automatic: usually sprinklers
✓ Gas, such as halon, that will smother fire
by removing oxygen can also kill anybody
trapped there
✓ Sprinklers and certain chemicals can
destroy the computers and equipment
✓ Manual methods
• Power supply
✓ Need for clean power, at an acceptable level
✓ Uninterruptible power supply
Audit objectives
• Verify physical security controls are
reasonable
• Verify insurance coverage is adequate
• Verify operator documentation is adequate
in case of failure
Audit procedures
• Tests of physical construction
• Tests of fire detection
• Tests of access control
• Tests of backup power supply
• Tests for insurance coverage
• Tests of operator documentation controls
SYSTEM-WIDE CONTROLS
Disaster recovery planning (DRP)
• Critical applications identified and ranked
• Create a disaster recovery team with responsibilities
• Site backup
✓ “Hot site” – Recovery Operations Center
✓ “Cold site” – empty shell
✓ Mutual aid pact
✓ Internally provided backup
✓ Other options
• Hardware backup
• Software backup: operating system
• Software backup: application software
(based on critical application step)
• Data backup
• Supplies (on site)
• Documentation (on site)
✓ User manuals
✓ System and software technical manuals
• Test!
Disaster Recovery Plan
1. Critical Applications – Rank critical
applications so an orderly and effective
restoration of computer systems is possible.
2. Create Disaster Recovery Team – Select team
members, write job descriptions, describe
recovery process in terms of who does what.
3. Site Backup – a backup site facility including
appropriate furniture, housing, computers, and
telecommunications. Another valid option is a
mutual aid pact where a similar business or
branch of same company swap availability
when needed.
4. System Software Backup – Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.
5. Application Software Backup – Make sure copies of critical applications are available at the backup site.
6. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
7. Supplies – A modest inventory of supplies should be at the backup site or be able to be delivered quickly.
8. Documentation – An adequate set of copies of user and system documentation.
9. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).
Audit objectives
• Verify management’s DRP is adequate
Audit procedures
• Verify a second-site backup is adequate
• Review the critical application list for
completeness
• Verify backups of application software are
stored off-site
• Verify that critical data files are backed up
and readily accessible to DRP team
• Verify resources of supplies, documents, and
documentation are backed up and stored offsite
• Verify that members listed on the team
roster are current employees and that they
are aware of their responsibilities
Fault tolerance
• 44% of time IS unavailable is due to system
failures!
• Controls
✓ Redundant systems or parts
✓ RAID (Redundant Array of Independent Disks)
✓ Uninterruptible Power Supply (UPS)
✓ Multiprocessors
Audit objective
• To ensure the organization is employing an
appropriate level of fault tolerance
Audit procedures
• Verify proper level of RAID devices
• Review procedures for recovery from
system failure
• Verify boot disks are secured
CHAPTER 3: AUDITING OPERATING
SYSTEMS AND NETWORKS
Operating system performs three main tasks:
• Translates high-level languages into machine-level language (compilers & interpreters).
• Allocates computer resources to users,
workgroups & applications.
• Manages tasks of job scheduling and
multiprogramming.
1) computer operator
2) various job queues
3) telecommunications
OPERATING SYSTEMS (PC, SMARTPHONES)
OPERATING SYSTEM SECURITY
• Log-On Procedure
✓ first line of defense--user IDs and passwords
• Access Token
✓ contains key information about user
• Access Control List
✓ defines access privileges of users
• Discretionary Access Control / Privileges
✓ allows User to grant access to another user
OTHER GOOD SECURITY POLICIES
• Formalized procedures for software
acquisition
• Security clearances of prospective employees
• Formal acknowledgment by users of their
responsibilities to company
• Security group to monitor security violations
• Formal policy for taking disciplinary action
against security violators
THREATS TO OPERATING SYSTEM
INTEGRITY
• Privileged Personnel Abusing their
Authority
o Systems Administrators & programmers
must be given unlimited access to the OS to
perform maintenance.
• Browsing
o looking through memory for sensitive
information (e.g., in printer queue)
• Masquerading
o pretend to be authorized user by getting ID
and passwords – shoulder surfing
o The most common method to get your password is for someone to look over your shoulder! Make sure your password is a combination of upper/lower case letters, numbers, and special characters.
Virus & Worms
o foreign programs that spread through system
o virus must attach to another program, worms
are self-contained
Trojan Horse
o foreign program that conceals itself with
another legitimately imported program
Logic Bomb
o foreign programs triggered by specific event
Back Door
o alternative entry into system
o Intentional (programmers)
o Security hole
OPERATING SYSTEMS CONTROLS
Access Privileges
• Audit objectives: verify that access privileges are
consistent with separation of incompatible
functions and organization policies
• Audit procedures: review or verify…
✓ policies for separating incompatible functions
✓ a sample of user privileges, especially access
to data and programs
✓ security clearance checks of privileged
employees
✓ formal acknowledgements to maintain confidentiality of data
✓ users’ log-on times
Password Control
• Audit objectives: ensure adequacy and effectiveness of password policies for controlling access to the operating system
• Audit procedures: review or verify…
✓ passwords required for all users
✓ password instructions for new users
✓ passwords changed regularly
✓ password file for weak passwords
✓ encryption of password file
✓ password standards
✓ account lockout policies
Audit Trail Controls
• Audit objectives: whether used to (1) detect
unauthorized access, (2) facilitate event
reconstruction, and (3) promote accountability
• Audit procedures: review or verify…
✓ how long audit trails have been in place
✓ archived log files for key indicators
✓ monitoring and reporting of security
violations
Malicious & Destructive Programs
• Audit objectives: verify effectiveness of
procedures to protect against programs such as
viruses, worms, back doors, logic bombs, and
Trojan horses (refer to list)
• Audit procedures: review or verify…
✓ training of operations personnel concerning
destructive programs
✓ testing of new software prior to being
implemented
✓ currency of antiviral software and frequency
of upgrades
INTERNET AND INTRANET RISKS
• Communications is a unique aspect of the
computer networks:
o different than processing (applications) or
data storage (databases)
• Network topologies – configurations of:
o communications lines (twisted-pair wires,
coaxial cable, microwaves, fiber optics)
o hardware components (modems,
multiplexers, servers, front-end
processors)
o software (protocols, network control
systems)
INTERNET RISKS
1. DOS Attack
o In a DOS attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not respond with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.
2. SMURF & SYN ATTACK
SOURCES OF INTERNET & INTRANET
RISKS
Internal and external subversive activities
Audit objectives:
✓ prevent and detect illegal internal and Internet
network access
✓ render useless any data captured by a
perpetrator
✓ preserve the integrity and physical security of
data connected to the network
Equipment failure
✓ Audit objective: verify the integrity of electronic commerce transactions by determining that controls are in place to detect and correct message loss due to equipment failure
IC for Subversive Threats
Firewalls provide security by channeling all
network connections through a control gateway.
• Network level firewalls
o Low cost and low security access control
o Do not explicitly authenticate outside users
o Filter junk or improperly routed messages
o Experienced hackers can easily penetrate the
system
• Application level firewalls
o Customizable network security, but
expensive
o Sophisticated functions such as logging or
user authentication
• Denial-of-service (DOS) attacks
o Security software searches for connections
which have been half-open for a period of
time.
• Encryption
o Computer program transforms a clear
message into a coded (cipher) text form
using an algorithm
✓ Private Encryption
✓ Triple DES Encryption (EEE3 & EDE3)
✓ Public Key Encryption
✓ RSA
✓ Digital Envelope = RSA + DES
Standard Data Encryption Technique
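Added example (not part of these reviewer notes): the half-open connection scan described above, run over a constructed connection table in the shape of the DOS attack from the Internet Risks list (handshake left incomplete after the SYN/ACK). The row layout, the timeout and the per-source alert limit are assumptions.

```python
# Added example (not from the reviewer notes): the half-open connection scan
# the notes describe as the defence against a SYN-style DOS attack.
# Connection-table rows, the timeout and the per-source limit are all assumed.
from collections import Counter

HALF_OPEN_STATE = "SYN_RECV"   # server has sent SYN/ACK and is still waiting for the ACK
STALE_AFTER = 30               # seconds a handshake may stay half-open before release (assumed)
SOURCE_LIMIT = 3               # stale half-open rows from one address that trigger an alert (assumed)

# Constructed sample in the shape of a connection table:
# (local_port, remote_ip, state, age_in_seconds)
SAMPLE_TABLE = [
    (443, "203.0.113.9",  "ESTABLISHED", 120),
    (443, "198.51.100.7", "SYN_RECV",     45),
    (443, "198.51.100.7", "SYN_RECV",     52),
    (443, "198.51.100.7", "SYN_RECV",     61),
    (443, "198.51.100.7", "SYN_RECV",     88),
    (443, "192.0.2.33",   "SYN_RECV",      2),   # fresh handshake, still within the timeout
    (80,  "192.0.2.44",   "SYN_RECV",     40),   # a single stale row is not enough to alert on
    (80,  "192.0.2.44",   "ESTABLISHED",  10),
]


def stale_half_open(table, timeout=STALE_AFTER):
    """Rows whose three-way handshake has stayed incomplete longer than `timeout` seconds."""
    return [row for row in table if row[2] == HALF_OPEN_STATE and row[3] > timeout]


def suspect_sources(table, limit=SOURCE_LIMIT):
    """Remote addresses holding at least `limit` stale half-open connections: {ip: count}."""
    counts = Counter(row[1] for row in stale_half_open(table))
    return {ip: n for ip, n in counts.items() if n >= limit}


def release_stale(table):
    """Free the clogged ports: drop every stale half-open row and keep the rest of the table."""
    stale = stale_half_open(table)
    return [row for row in table if row not in stale]


if __name__ == "__main__":
    for ip, n in suspect_sources(SAMPLE_TABLE).items():
        print(f"alert: {ip} holds {n} stale half-open connections")
    print(f"{len(SAMPLE_TABLE) - len(release_stale(SAMPLE_TABLE))} half-open rows released")
```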
IC for Subversive Threats
• Digital signature – electronic authentication
technique to ensure that…
✓ transmitted message originated with the
authorized sender
✓ message was not tampered with after the
signature was applied
• Digital certificate – like an electronic
identification card used with a public key
encryption system
✓ Verifies the authenticity of the message
sender
• Message sequence numbering – sequence
number used to detect missing messages
• Message transaction log – listing of all
incoming and outgoing messages to detect the
efforts of hackers
• Request-response technique – random control
messages are sent from the sender to ensure
messages are received
• Call-back devices – receiver calls the sender
back at a pre-authorized phone number before
transmission is completed
Auditing Procedures for Subversive Threats
• Review firewall effectiveness in terms of flexibility, proxy services, filtering, segregation of systems, audit tools, and probing for weaknesses.
• Review data encryption security procedures
• Verify encryption by testing
• Review message transaction logs
• Test procedures for preventing unauthorized calls
IC for Equipment Failure
Line errors are data errors from
communications noise.
Two techniques to detect and correct such data
errors are:
✓ echo check - the receiver returns the
message to the sender
✓ parity checks - an extra bit is added onto
each byte of data similar to check digits
Auditing Procedures for Equipment Failure
• Using a sample of messages from the transaction log:
✓ examine them for garbled contents caused
by line noise
✓ verify that all corrupted messages were
successfully retransmitted
• Vertical and Horizontal Parity
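Added example (not part of these reviewer notes): the two line-error controls above, worked as a vertical-plus-horizontal parity check that detects and corrects a single-bit error and refuses multi-bit damage, alongside the echo check. The conventions (even parity, 7-bit characters, parity bit in the low bit, one XOR byte as horizontal parity) are assumptions for the example.

```python
# Added example (not from the reviewer notes): the two line-error controls named
# above, implemented as a 2-D parity check plus an echo check. Conventions
# assumed here: even parity, 7-bit characters, the "vertical" parity bit is
# the low bit of each transmitted byte, and the "horizontal" parity (LRC)
# is one XOR byte covering every bit column of the block.

def parity_bit(value):
    """Even-parity bit for an integer: 1 when the number of set bits is odd."""
    return bin(value).count("1") & 1


def encode_block(data):
    """Frame each 7-bit character with its parity bit and append the horizontal parity byte."""
    framed = bytes(((b & 0x7F) << 1) | parity_bit(b & 0x7F) for b in data)
    lrc = 0
    for byte in framed:
        lrc ^= byte
    return framed, lrc


def decode(framed):
    """Strip the parity bit from each framed byte."""
    return bytes(b >> 1 for b in framed)


def check_block(framed, lrc):
    """Return (rows failing vertical parity, bit-column mask failing horizontal parity)."""
    bad_rows = [i for i, byte in enumerate(framed) if parity_bit(byte) != 0]
    computed = 0
    for byte in framed:
        computed ^= byte
    return bad_rows, computed ^ lrc


def correct_block(framed, lrc):
    """Correct a single-bit error at the row/column intersection.

    Returns (clean_framed_bytes, position): position is None for a clean block,
    (row, bit) for a corrected data bit, or "lrc" when only the parity byte was
    damaged. Anything else is uncorrectable and must be retransmitted.
    """
    bad_rows, col_mask = check_block(framed, lrc)
    single_column = col_mask != 0 and col_mask & (col_mask - 1) == 0
    if not bad_rows and col_mask == 0:
        return bytes(framed), None
    if not bad_rows and single_column:
        return bytes(framed), "lrc"          # data intact, the LRC byte itself was hit
    if len(bad_rows) == 1 and single_column:
        fixed = bytearray(framed)
        fixed[bad_rows[0]] ^= col_mask
        return bytes(fixed), (bad_rows[0], col_mask.bit_length() - 1)
    raise ValueError("multi-bit damage: request retransmission")


def echo_check(sent, echoed):
    """Sender-side echo check: the receiver returns the block and the sender compares."""
    return sent == echoed


def flip_bit(framed, row, bit):
    """Simulate line noise by inverting one bit (used to exercise the checks)."""
    damaged = bytearray(framed)
    damaged[row] ^= 1 << bit
    return bytes(damaged)
```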
Electronic Data Interchange
• Electronic data interchange (EDI) uses
computer-to-computer communications, standard
format for messaging between two dissimilar
systems. Exchange of computer-processible
business info in standard format.
• Audit objectives:
✓ Transactions are authorized, validated, and in
compliance with the trading partner
agreement.
✓ No unauthorized organizations can gain
access to database
✓ Authorized trading partners have access only
to approved data.
✓ Adequate controls are in place to ensure a
complete audit trail.
Notes on EDI:
✓ Is an inter-organization endeavor.
✓ IS of the trading partners process the
transactions.
✓ Transactions are transmitted in standardized
format
✓ Directly to trading partner.
✓ Use of a third party value added network
(VAN)
✓ Benefit
✓ FINANCIAL EDI – uses intermediary such as
banks (OBK,RBK & ACH).
✓ Converting remittance information to
electronic form is a challenge.
EDI Risks
• Authorization - automated and absence of
human intervention
• Access - need to access EDI partner’s files
• Audit trail - paperless and transparent
(automatic) transactions
EDI Controls
• Authorization - use of passwords and value
added networks (VAN) to ensure valid partner
• Access - software to specify what can be
accessed and at what level
• Audit trail - control log records the
transaction’s flow through each phase of the
transaction processing
Auditing Procedures for EDI
• Tests of Authorization and Validation Controls
✓ Review procedures for verifying trading partner identification codes
✓ Review agreements with VAN
✓ Review trading partner files
• Tests of Access Controls
✓ Verify limited access to vendor and customer files
✓ Verify limited access of vendors to database
✓ Test EDI controls by simulation
• Tests of Audit Trail Controls
✓ Verify existence of transaction logs at key points
✓ Review a sample of transactions
AUDITING PC BASED ACCOUNTING SYSTEMS
PC Risks & Controls
✓ Operating System Weaknesses
✓ Weak Access Control
✓ Inadequate Segregation of Duties
✓ Risk of Theft
✓ Weak Backup Procedures
✓ Risk of Virus Infection
✓ Audit Objective with PC Security
✓ Audit Procedures with PC Security
DATABASE MANAGEMENT CONTROLS
Two crucial database control issues:
1. Access controls
• Audit objectives: (1) those authorized to use
databases are limited to data needed to
perform their duties and (2) unauthorized
individuals are denied access to data
2. Backup controls
• Audit objectives: backup controls can adequately recover lost, destroyed, or corrupted data
ACCESS CONTROLS
• User views - based on subschemas. A
database schema (/ˈski.mə/ skee-ma) of a
database system is its structure described in a
formal language supported by the database
management system (DBMS) and refers to the
organization of data as a blueprint of how a
database is constructed (divided into database
tables in case of Relational Databases).
• Database authorization table - allows specific
authority rules
• Data encryption - encoding algorithms
• Biometric devices - fingerprints, retina prints,
or signature characteristic
• Audit procedures: verify…
✓ Who has responsibility for authority tables
& subschemas?
✓ Granting appropriate access authority
✓ Are biometric controls used?
✓ Encryption?
Subschema Restricting Access
BACKUP CONTROLS
• Database backup – automatic periodic copy of
data
• Transaction log – list of transactions which
provides an audit trail
• Checkpoint features – suspends data during
system reconciliation
• Recovery module – restarts system after a
failure
• Grandparent-parent-child backup – the number of generations to back up is up to company policy
• Direct access file backup – back up master file at pre-determined intervals
• Off-site storage – guard against disasters and/or physical destruction
• Audit procedures: verify…
✓ that production databases are copied at
regular intervals
✓ backup copies of the database are stored off
site to support disaster recovery
CHAPTER 4: AUDITING DATABASE
SYSTEMS
WHAT IS A DATABASE
✓ A database is an organized collection of data.
The data are typically organized to model
relevant aspects of reality in a way that supports
processes requiring this information. For
example, modeling the availability of rooms in
hotels in a way that supports finding a hotel with
vacancies.
✓ Database management systems (DBMSs) are
specially designed applications that interact with
the user, other applications, and the database
itself to capture and analyze data. A general-purpose database management system (DBMS)
is a software system designed to allow the
definition, creation, querying, update, and
administration of databases.
✓ DBMS responsible for maintaining the integrity
and security of stored data, and for recovering
information if the system fails.
EXAMPLES OF DBMS
✓ MySQL
✓ MariaDB
✓ PostgreSQL
✓ SQLite
✓ Microsoft SQL Server
✓ Oracle
✓ SAP
✓ Dbase
✓ FoxPro
✓ IBM DB2
✓ LibreOffice Base
✓ FileMaker Pro
Flat-File Versus Database Environments
• Computer processing involves two
components: data and instructions (programs).
• Conceptually, there are two methods for
designing the interface between program
instructions and data:
o File-oriented processing: A specific data file
was created for each application.
o Data-oriented processing: Create a single
data repository to support numerous
applications.
• Disadvantages of file-oriented processing include
o redundant data and programs
o varying formats for storing the redundant data
• Users access data via computer programs that process the data and present information to the users.
• Users own their data files.
• Data redundancy results as multiple applications maintain the same data elements.
• Files and data elements used in more than one application must be duplicated, which results in data redundancy.
• As a result of redundancy, the characteristics of data elements and their values are likely to be inconsistent.
• Outputs usually consist of preprogrammed reports instead of ad-hoc queries provided upon request. This results in inaccessibility of data.
• Changes to current file-oriented applications cannot be made easily, nor can new developments be quickly realized, which results in inflexibility.
Data Redundancy and Flat-File Problems
• Data Storage - creates excessive storage costs
of paper documents and/or magnetic form
• Data Updating - any changes or additions
must be performed multiple times
• Currency of Information – has the potential
problem of failing to update all affected files
• Task-Data Dependency - user unable to obtain
additional information as his or her needs
change
Advantages of the Database Approach
o Data sharing/centralized database resolves
flat-file problems
o No data redundancy: Data is stored only
once, eliminating data redundancy and
reducing storage costs
o Single update: Because data is in only one
place, it requires only a single update,
reducing the time and cost of keeping the
database current
o Current values: A change to the database
made by any user yields current data values
for all other users.
o Task-data independence: As users’
information needs expand, the new needs
can be more easily satisfied than under the
flat-file approach.
Disadvantages of the Database Approach
o Can be costly to implement - additional
hardware, software, storage, and network
resources are required
o Can only run in certain operating
environments - may make it unsuitable for
some system configurations
o Because it is so different from
the file-oriented approach, the database
approach requires training users - may be
inertia or resistance.
Elements of the Database Environment
• Four Elements
1. Database management system
2. Users
3. Database administrator
4. Physical database
Internal Controls and DBMS
• The database management system stands
between the user and the database per se.
• Thus, commercial DBMS’s (e.g., Access or
Oracle) actually consist of a database plus…
✓ software to manage the database, especially
controlling access and other internal controls
✓ software to generate reports, create data-entry forms, etc.
• The DBMS has special software to control
which data elements each user is authorized to
access.
Data Definition Language (DDL)
• DDL is a programming language used to
define the database per se.
✓ It identifies the names and the relationship
of all data elements, records, and files that
constitute the database.
• DDL defines the database on three viewing
levels
✓ Internal view – physical arrangement of
records (1 view)
✓ Conceptual view (schema) – representation
of database (1 view)
✓ User view (subschema) – the portion of the
database each user views (many views)
Data Manipulation Language (DML)
• DML is the proprietary programming
language that a particular DBMS uses to
retrieve, process, and store data to / from the
database
✓ Entire user programs may be written in the
DML, or selected DML commands can be
inserted into universal programs, such as
COBOL and FORTRAN
✓ Can be used to ‘patch’ third-party applications
to the DBMS
Query Language
• The query capability permits end users and
professional programmers to access data in
the database without the need for
conventional programs.
✓ Can be an internal control issue since users
may be making an ‘end run’ around the
controls built into the conventional programs
• IBM’s structured query language (SQL) is a
fourth-generation language that has emerged as
the standard query language.
✓ Adopted by ANSI as the standard language
for all relational databases
Functions of the DBA
PHYSICAL DATABASE
• Lowest level of database and the only level that
exists in physical form
• Logical collection of records and files that
constitute the firm’s data source.
DATA STRUCTURE COMPONENTS
✓ Data Organization – physical arrangement of
files
✓ Data Access Methods – technique to locate
records
SIX CRITERIA INFLUENCING THE
SELECTION OF DATA STRUCTURE
Database Conceptual Models
• Refers to the particular method used to
organize records in a database, a.k.a. “logical
data structures”
• Objective: develop the database efficiently so
that data can be accessed quickly and easily
• There are three main models:
✓ hierarchical (tree structure)
✓ network
✓ relational
• Most existing databases are relational. Some
legacy systems use hierarchical or network
databases.
HIERARCHICAL MODEL
• Navigational Database – traversing the files
following a predefined path; explicit linkages
through networks. (Figure 4.10)
• Limitation 1: A parent record may have one or
more child records
• Limitation 2: No child can have more than one
parent.
NETWORK MODEL
• ANSI through CODASYL
• Most popular model of network is IDM
• Navigational through multiple linkages
• A child can have multiple parents
RELATIONAL MODEL
• The relational model portrays data in the form
of two dimensional ‘tables’.
• Its strength is the ease with which tables may
be linked to one another, which is a major
weakness of hierarchical and network
databases
• Relational model is based on the relational
algebra functions of restrict, project, and join.
• Implicit linkages, rows are dependent on the
primary key and independent of the other
attributes
• Linkages are established through logical
operations of the DBMS rather than explicit
addresses that are structured into the database.
Distributed Data Processing (DDP)
• Data processing is organized around several
information processing units (IPUs) distributed
throughout the organization.
• Each IPU is placed under the control of the end
user
• DDP does not always mean total
decentralization.
• IPUs in a DDP system are still connected to one
another and coordinated.
• Typically, DDPs use a centralized database.
• Alternatively, the database can be distributed,
similar to the distribution of the data processing
capability.
Centralized Databases in DDP Environment
• The data is retained in a central location.
• Remote IPUs send requests for data
• Central site services the needs of the remote
IPUs
• The actual processing of the data is performed
at the remote IPU.
• Advantages of DDP
✓ Cost reductions in hardware and data entry
task
✓ Improved cost control responsibility
✓ Improved user satisfaction since control is
closer to the user level
✓ Backup of data can be improved through the
use of multiple data storage sites
• Disadvantages of DDP
✓ Loss of control
✓ Mismanagement of resources
✓ Hardware and software incompatibility
✓ Redundant tasks and data
✓ Consolidating incompatible tasks
✓ Difficulty attracting qualified personnel
✓ Lack of standards
Distributed Databases: Partitioned Database
Approach (Partitioning)
• Splits the central database into segments that
are distributed to their primary users.
• Advantages:
✓ users’ control is increased by having data
stored at local sites.
✓ transaction processing response time is
improved.
✓ volume of transmitted data between IPUs is
reduced.
✓ reduces the potential data loss from a
disaster.
The Deadlock Phenomenon
• Especially a problem with partitioned databases
• Occurs when multiple sites lock each other out
of data that they are currently using.
✓ One site needs data locked by another site.
• Special software is needed to analyze and
resolve conflicts.
✓ Transactions may be terminated and restarted.
The Deadlock Condition
✓ Mutual exclusion to data resource and the
transactions are in wait until the locks are
removed.
✓ DEADLOCK RESOLUTION - terminating one
or more transactions to complete processing of
the other transactions in the deadlock.
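An added example (not from the reviewer) of the deadlock condition and its resolution described above: the lock state of three partitioned-database sites is turned into a wait-for graph, the cycle is detected, and the transaction that is cheapest to roll back is terminated so the others can complete. The transactions, data segments and rollback costs are constructed.

```python
# Constructed lock state (assumption, not from the reviewer): each transaction
# holds one data segment at its site and waits for one locked at another site.
HOLDS = {"T1": {"seg_A"}, "T2": {"seg_B"}, "T3": {"seg_C"}}
WAITS = {"T1": "seg_B", "T2": "seg_C", "T3": "seg_A"}
ROLLBACK_COST = {"T1": 5, "T2": 2, "T3": 7}  # work undone if terminated

def wait_for_graph(holds, waits):
    """Edge Ti -> Tj means Ti waits for a segment that Tj holds."""
    holder = {seg: txn for txn, segs in holds.items() for seg in segs}
    graph = {txn: set() for txn in holds}
    for txn, seg in waits.items():
        if seg in holder and holder[seg] != txn:
            graph[txn].add(holder[seg])
    return graph

def find_cycle(graph):
    """Depth-first search; returns the transactions on one cycle, or []."""
    state = {txn: "new" for txn in graph}
    path = []

    def visit(txn):
        state[txn] = "active"
        path.append(txn)
        for nxt in graph[txn]:
            if state[nxt] == "active":  # back edge: a wait cycle exists
                return path[path.index(nxt):]
            if state[nxt] == "new" and (cycle := visit(nxt)):
                return cycle
        path.pop()
        state[txn] = "done"
        return []

    for txn in graph:
        if state[txn] == "new" and (cycle := visit(txn)):
            return cycle
    return []

def resolve_deadlock(holds, waits, cost):
    """Terminate the cheapest transaction on each cycle (to be restarted later),
    release its locks, and repeat until no cycle remains. Returns the victims."""
    holds = {t: set(s) for t, s in holds.items()}
    waits = dict(waits)
    victims = []
    while cycle := find_cycle(wait_for_graph(holds, waits)):
        victim = min(cycle, key=lambda t: cost[t])
        victims.append(victim)
        del holds[victim], waits[victim]
    return victims
```

Terminated transactions are restarted, so the auditor's concern is that the restart is logged and that no partial update from the victim survives in either site's data.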
Distributed Databases: Replication
• Effective for situations with a high degree of
data sharing, but no primary user. Supports
read-only queries
• The duplication of the entire database for
multiple IPUs
• Data traffic between sites is reduced
considerably.
CONCURRENCY CONTROL: Concurrency
Problems and Control Issue
• Database concurrency is the presence of
complete and accurate data at all IPU sites.
• With replicated databases, maintaining current
data at all locations is difficult
• Time stamping is used to serialize transactions.
Prevents and resolves conflicts created by
updating data at various IPUs
Distributed Databases and the Accountant
• The following database options impact the
organization’s ability to maintain database
integrity, to preserve audit trails, and to have
accurate accounting records.
✓ Centralized or distributed data?
✓ If distributed, replicated or partitioned?
✓ If replicated, total or partial replication?
✓ If partitioned, what is the allocation of the
data segments among the sites?
DATABASE MANAGEMENT CONTROLS
Two crucial database control issues:
1. Access controls
• Audit objectives: (1) those authorized to use
databases are limited to data needed to
perform their duties and (2) unauthorized
individuals are denied access to data
2. Backup controls
• Audit objectives: backup controls can
adequately recover lost, destroyed, or
corrupted data
ACCESS CONTROLS
• User views - based on subschemas.
• A database schema (/ˈski.mə/ skee-ma) of a
database system is its structure described in a
formal language supported by the database
management system (DBMS) and refers to the
organization of data as a blueprint of how a
database is constructed (divided into database
tables in the case of relational databases).
• Database authorization table - allows specific
authority rules
• Data encryption - encoding algorithms
• Biometric devices - fingerprints, retina prints,
or signature characteristics
• Inference Controls – prevent users from
inferring, through query features, specific data
values that should not be accessed.
• Types of compromise: positive, negative, and
approximate
• Audit procedures: verify…
✓ Who has responsibility for authority tables
& subschemas?
✓ Granting appropriate access authority
✓ Are biometric controls used?
✓ Are inference controls used?
✓ Encryption?
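As an added example (not from the reviewer), the following Python/SQLite code shows two of the access controls above and the query-language concern raised earlier: a user view (subschema) that hides the salary column from clerks, and a query-set-size inference control on statistical queries. The employee table, the clerk role and the threshold of three rows are constructed assumptions.

```python
import sqlite3

# Constructed sample payroll data (assumption, not from the reviewer).
EMPLOYEES = [
    (1, "Ana", "Audit", 52000),
    (2, "Ben", "Audit", 61000),
    (3, "Cal", "Audit", 58000),
    (4, "Dee", "Legal", 90000),  # sole member of Legal
    (5, "Eli", "IT", 70000),
    (6, "Fay", "IT", 74000),
]
MIN_QUERY_SET = 3  # assumed minimum rows behind any released statistic

def build_db():
    """In-memory database with the base table and a clerk subschema (view)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees("
                "id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    # User view: the clerk subschema carries no salary column at all. In a
    # multi-user DBMS (e.g. PostgreSQL, Oracle) the clerk role is granted
    # SELECT on this view only, never on the base table, so an ad-hoc query
    # cannot make an end run around the application program's controls.
    con.execute("CREATE VIEW clerk_view AS SELECT id, name, dept FROM employees")
    return con

def clerk_columns(con):
    """Columns reachable through the clerk subschema."""
    return [row[1] for row in con.execute("PRAGMA table_info(clerk_view)")]

def dept_average_salary(con, dept):
    """Statistical query guarded by a query-set-size inference control.
    Returns None when fewer than MIN_QUERY_SET rows would feed the average,
    since AVG over one or two rows lets the querier infer an individual's
    salary (a positive compromise)."""
    n, avg = con.execute(
        "SELECT COUNT(*), AVG(salary) FROM employees WHERE dept = ?", (dept,)
    ).fetchone()
    return avg if n >= MIN_QUERY_SET else None
```

A minimum query-set size is only one inference control; combinations of overlapping aggregates can still narrow a value, which is why the audit procedure asks whether inference controls are used rather than whether a single threshold exists.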
BACKUP CONTROLS
• Database backup – automatic periodic copy of
data
• Transaction log – list of transactions which
provides an audit trail
• Checkpoint features – suspends data during
system reconciliation
• Recovery module – restarts system after a
failure
• Grandparent-parent-child backup – the number
of generations to backup is up to company
policy
• Direct access file backup - back-up master-file
at pre-determined intervals
• Off-site storage - guard against disasters
and/or physical destruction
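As an added example (not from the reviewer), this Python recovery module ties together three of the backup controls listed above: it rebuilds the database from the last checkpoint plus the transaction log, redoing committed transactions and discarding the one that was in flight when the system failed, and uses the same log as the audit trail for a single record. The log entries, account keys and the assumption that a checkpoint captures a quiescent snapshot are constructed.

```python
# Constructed transaction log (assumption, not from the reviewer). It is
# append-only and doubles as the audit trail; the checkpoint is taken while
# updates are suspended, so its snapshot holds only committed work.
LOG = [
    {"lsn": 1, "type": "begin", "txn": "T1"},
    {"lsn": 2, "type": "update", "txn": "T1", "key": "acct_100", "value": 500},
    {"lsn": 3, "type": "commit", "txn": "T1"},
    {"lsn": 4, "type": "checkpoint", "snapshot": {"acct_100": 500, "acct_200": 300}},
    {"lsn": 5, "type": "begin", "txn": "T2"},
    {"lsn": 6, "type": "update", "txn": "T2", "key": "acct_200", "value": 250},
    {"lsn": 7, "type": "commit", "txn": "T2"},
    {"lsn": 8, "type": "begin", "txn": "T3"},
    {"lsn": 9, "type": "update", "txn": "T3", "key": "acct_100", "value": 0},
    # system failure here: T3 never reached commit
]

def last_checkpoint(log):
    """Index of the most recent checkpoint record, or -1 if none was taken."""
    return max((i for i, e in enumerate(log) if e["type"] == "checkpoint"),
               default=-1)

def recover(log):
    """Recovery module: rebuild state from the last checkpoint plus the log.
    Returns (state, redone_lsns, discarded_txns)."""
    cp = last_checkpoint(log)
    state = dict(log[cp]["snapshot"]) if cp >= 0 else {}
    tail = log[cp + 1:]
    committed = {e["txn"] for e in tail if e["type"] == "commit"}
    redone, discarded = [], set()
    for e in tail:
        if e["type"] != "update":
            continue
        if e["txn"] in committed:   # redo: committed, but maybe not yet on disk
            state[e["key"]] = e["value"]
            redone.append(e["lsn"])
        else:                       # in flight at failure: its work is rolled back
            discarded.add(e["txn"])
    return state, redone, sorted(discarded)

def audit_trail(log, key):
    """Every logged change to one record, to trace a balance back to its source."""
    return [(e["lsn"], e["txn"], e["value"])
            for e in log if e["type"] == "update" and e["key"] == key]
```

The audit procedures that follow check the inputs this module depends on: that the copies (checkpoints) are taken regularly and that a copy survives off site.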
• Audit procedures: verify…
✓ that production databases are copied or
backed up at regular intervals
✓ that automatic backup is in place
✓ backup copies of the database are stored off
site to support disaster recovery