Auditing Computer-Based Information Systems
Chapter 11
Copyright © 2015 Pearson Education, Inc.
Learning Objectives
• Describe the nature, scope, and objectives of audit work, and identify the major steps in the audit process.
• Identify the six objectives of an information system audit, and describe how the risk-based audit approach can be used to accomplish these objectives.
• Describe the different tools and techniques auditors use to test software programs and program logic.
• Describe computer audit software, and explain how it is used in the audit of an AIS.
• Describe the nature and scope of an operational audit.
Auditing
• The process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria
Major Steps in the Auditing Process
• Audit planning
▫ Why, how, when, and who
▫ Establish scope and objectives of the audit; identify risk
• Collection of audit evidence
• Evaluation of evidence
• Communication of results
Risk-Based Framework
• Identify fraud and errors (threats) that can occur that threaten
each objective
• Identify control procedures (prevent, detect, correct the threats)
• Evaluate control procedures
▫ Review to see if control exists and is in place
▫ Test controls to see if they work as intended
• Determine effect of control weaknesses
▫ Compensating controls
Information Systems Audit
• Using the risk-based framework for an information systems audit allows the auditor to review and evaluate the internal controls that protect the system to meet each of the following objectives:
▫ Protect overall system security (includes computer equipment, programs, and data)
▫ Program development and acquisition occur under management authorization
▫ Program modifications occur under management authorization
▫ Accurate and complete processing of transactions, records, files, and reports
▫ Prevent, detect, or correct inaccurate or unauthorized source data
▫ Accurate, complete, and confidential data files
1. Protect Overall System Security
Threats
• Theft of hardware
• Damage of hardware (accidental and intentional)
• Loss, theft, or unauthorized access to
▫ Programs
▫ Data
• Unauthorized modification or use of programs and data files
• Unauthorized disclosure of confidential data
• Interruption of crucial business activities
Controls
• Limit physical access to computer equipment
• Use authentication and authorization controls
• Data storage and transmission controls
• Virus protection and firewalls
• File backup and recovery procedures
• Disaster recovery plan
• Preventive maintenance
• Insurance
2. Program Development and Acquisition Occur under Management Authorization
Threats
• Inadvertent programming errors
• Unauthorized program code
Controls
• Review software license agreements
• Management authorization for:
▫ Program development
▫ Software acquisition
• Management and user approval of programming specifications
• Testing and user acceptance of new programs
• Systems documentation
3. Program Modifications Occur under Management Authorization
Threats
• Inadvertent programming errors
• Unauthorized program code
Controls
• List program components to be modified
• Management authorization and approval for modifications
• User approval for modifications
• Test changes to program
• System documentation of changes
• Logical access controls
4. Accurate and Complete Processing of Transactions, Records, Files, and Reports
Threats
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to correct errors identified from data editing procedures
• Errors in files or databases during updating
• Improper distribution of output
• Inaccuracies in reporting
Controls
• Data editing routines
• Reconciliation of batch totals
• Error correction procedures
• Understandable documentation
• Competent supervision
5. Prevent, Detect, or Correct Inaccurate or Unauthorized Source Data
Threats
• Inaccurate source data
• Unauthorized source data
Controls
• User authorization of source data input
• Batch control totals
• Log receipt, movement, and disposition of source data input
• Turnaround documents
• Check digit and key verification
• Data editing routines
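The source data controls on this slide (check digit and key verification, data editing routines, batch control totals) and the batch-total reconciliation on the previous slide can be shown in a few lines of code. The following is an added illustration, not code from the textbook: the account-number layout, the weighted mod-11 check-digit scheme, the edit limits and the sample batch are all assumed for the example.

```python
"""Source data controls: check digits, data editing and batch control totals.

Added illustration (not from the textbook). The check-digit scheme is an
assumed weighted mod-11 scheme; the record layout and the batch are constructed.
"""
from decimal import Decimal

# Assumed account-number layout: five base digits followed by one check digit.
_WEIGHTS = (6, 5, 4, 3, 2)


def compute_check_digit(base: str) -> str:
    """Weighted mod-11 check digit for a five-digit base (assumed scheme).

    Weighting each position catches transposed digits, which a plain digit
    sum would miss. A remainder of 10 is written as 'X', ISBN-10 style.
    """
    if len(base) != len(_WEIGHTS) or not base.isdigit():
        raise ValueError("base must be exactly five digits")
    total = sum(w * int(d) for w, d in zip(_WEIGHTS, base))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def check_digit_valid(account: str) -> bool:
    """Does the trailing check digit agree with the five base digits?"""
    if len(account) != len(_WEIGHTS) + 1:
        return False
    base, check = account[:-1], account[-1]
    if not base.isdigit():
        return False
    return compute_check_digit(base) == check


def edit_record(rec: dict) -> list:
    """Data editing routine: check-digit, field, sign and limit tests.

    Returns the list of edit failures (empty when the record passes).
    """
    problems = []
    account = rec.get("account", "")
    amount = rec.get("amount")
    if not check_digit_valid(account):
        problems.append(f"{account}: account number fails check digit")
    if not isinstance(amount, Decimal):
        problems.append(f"{account}: amount is not a decimal value (field check)")
    else:
        if amount <= 0:
            problems.append(f"{account}: amount must be positive (sign check)")
        if amount > Decimal("10000.00"):          # assumed per-record limit
            problems.append(f"{account}: amount exceeds limit (limit check)")
    return problems


def batch_totals(records: list) -> dict:
    """Record count, financial total and hash total for a batch."""
    return {
        "record_count": len(records),
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        # Hash total: the sum of a field with no financial meaning (the base
        # account numbers), so a retyped or swapped account is detected.
        "hash_total": sum(int(r["account"][:-1]) for r in records),
    }


def reconcile_batch(header: dict, records: list) -> list:
    """Compare the totals on the batch header with totals recomputed from the
    records actually received; returns the list of discrepancies."""
    actual = batch_totals(records)
    return [f"{name}: header {header[name]} vs computed {actual[name]}"
            for name in ("record_count", "financial_total", "hash_total")
            if header[name] != actual[name]]


# Constructed batch: three invoice records and the header the clerk prepared.
BATCH_HEADER = {"record_count": 3,
                "financial_total": Decimal("1250.00"),
                "hash_total": 30015}
BATCH_RECORDS = [
    {"account": "100048", "amount": Decimal("500.00")},
    {"account": "100056", "amount": Decimal("250.00")},
    {"account": "100064", "amount": Decimal("500.00")},
]

if __name__ == "__main__":
    for rec in BATCH_RECORDS:
        print(rec["account"], edit_record(rec) or "passes edits")
    print(reconcile_batch(BATCH_HEADER, BATCH_RECORDS) or "batch reconciles")
    # A transposed account number fails both the check digit and the hash total.
    bad = [dict(BATCH_RECORDS[0], account="100084")] + BATCH_RECORDS[1:]
    print(edit_record(bad[0]))
    print(reconcile_batch(BATCH_HEADER, bad))
```

The two controls are complementary: the check digit is applied to each record as it is keyed, while the batch totals are reconciled once the whole batch arrives, so a record that is keyed correctly but dropped or duplicated in transit is still caught.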
6. Accurate, Complete, and Confidential Data Files
Threats
• Destruction of stored data from
▫ Errors
▫ Hardware and software malfunctions
▫ Sabotage
• Unauthorized modification or disclosure of stored data
Controls
• Secure storage of data and restrict physical access
• Logical access controls
• Write-protection and proper file labels
• Concurrent update controls
• Data encryption
• Virus protection
• Backup of data files (offsite)
• System recovery procedures
Audit Techniques Used to Test Programs
• Integrated Test Facility
▫ Processes fictitious inputs (a dummy entity) through the live system alongside real transactions
• Snapshot Technique
▫ Master file images before and after the update are stored for specially marked transactions
• System Control Audit Review File (SCARF)
▫ Continuous monitoring; transactions that meet prespecified criteria are stored in a log for later review
• Audit Hooks
▫ Notify auditors of questionable transactions as they occur
• Continuous and Intermittent Simulation
▫ Embeds the audit module in the database management system; works like SCARF for transactions that update the database
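Three of these concurrent audit techniques (SCARF, the snapshot technique and audit hooks) are easiest to understand as code embedded in the transaction processor. The following is an added example, not code from the textbook: the accounts-receivable posting routine, the master file, the transactions, the SCARF threshold and the list of authorized users are all constructed for the illustration.

```python
"""Concurrent audit techniques in a transaction processor (added example).

Not textbook code: a toy accounts-receivable posting routine with an embedded
audit module that implements a SCARF log, snapshot records and an audit hook.
The master file, the transactions and the selection rules are constructed.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed selection rules (an auditor would set these during audit planning).
SCARF_AMOUNT = Decimal("10000.00")       # log any transaction at or above this
AUTHORIZED_USERS = {"clerk1", "clerk2"}  # the hook fires for anyone else


@dataclass
class EmbeddedAuditModule:
    scarf_file: list = field(default_factory=list)   # SCARF: prespecified criteria
    snapshots: list = field(default_factory=list)    # before/after master images
    hook_alerts: list = field(default_factory=list)  # questionable transactions

    def scarf(self, txn, after):
        """SCARF: store transactions meeting the prespecified criteria."""
        reasons = []
        if txn["amount"] >= SCARF_AMOUNT:
            reasons.append("amount at or above SCARF threshold")
        if after["balance"] > after["credit_limit"]:
            reasons.append("account over credit limit after posting")
        if reasons:
            self.scarf_file.append({"id": txn["id"], "reasons": reasons})

    def hook(self, txn, before):
        """Audit hook: flag questionable transactions as they happen."""
        if txn["user"] not in AUTHORIZED_USERS:
            self.hook_alerts.append({"id": txn["id"], "reason": "unauthorized user"})
        if txn["type"] == "credit_memo" and txn["amount"] > before["balance"]:
            self.hook_alerts.append({"id": txn["id"],
                                     "reason": "credit memo exceeds balance"})

    def snapshot(self, txn, before, after):
        """Snapshot: keep master images before and after for tagged transactions."""
        if txn.get("audit_tag"):
            self.snapshots.append({"id": txn["id"], "before": before, "after": after})


def post_transaction(master, txn, audit):
    """Apply one transaction to the master file with the audit module wrapped
    around the update."""
    before = deepcopy(master[txn["acct"]])
    audit.hook(txn, before)
    if txn["type"] == "sale":
        master[txn["acct"]]["balance"] += txn["amount"]
    elif txn["type"] in ("payment", "credit_memo"):
        master[txn["acct"]]["balance"] -= txn["amount"]
    else:
        raise ValueError(f"unknown transaction type {txn['type']!r}")
    after = deepcopy(master[txn["acct"]])
    audit.scarf(txn, after)
    audit.snapshot(txn, before, after)


def run_batch(master, transactions):
    """Post a batch and return the audit module with what it captured."""
    audit = EmbeddedAuditModule()
    for txn in transactions:
        post_transaction(master, txn, audit)
    return audit


def sample_master():
    """Constructed master file (a fresh copy each call)."""
    return {
        "A-1": {"balance": Decimal("500.00"), "credit_limit": Decimal("5000.00")},
        "A-2": {"balance": Decimal("1000.00"), "credit_limit": Decimal("5000.00")},
    }


# Constructed transactions: a routine sale, a large sale tagged for snapshot,
# and a credit memo entered by a user who is not on the authorized list.
SAMPLE_TRANSACTIONS = [
    {"id": 1, "acct": "A-1", "type": "sale", "amount": Decimal("200.00"),
     "user": "clerk1", "audit_tag": False},
    {"id": 2, "acct": "A-2", "type": "sale", "amount": Decimal("12000.00"),
     "user": "clerk1", "audit_tag": True},
    {"id": 3, "acct": "A-1", "type": "credit_memo", "amount": Decimal("900.00"),
     "user": "temp7", "audit_tag": False},
]

if __name__ == "__main__":
    audit = run_batch(sample_master(), SAMPLE_TRANSACTIONS)
    print("SCARF file:", audit.scarf_file)
    print("Snapshots:", audit.snapshots)
    print("Hook alerts:", audit.hook_alerts)
```

The point of placing the module inside the processing routine is that the evidence is captured at the moment of processing, on the live data, rather than reconstructed afterwards from whatever the system happened to retain. Note that the hook runs before the update and SCARF after it, since the hook's test needs the pre-update balance while the SCARF credit-limit test needs the post-update one.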
Software Tools Used to Test Program Logic
• Automated flowcharting program
▫ Interprets source code and generates flowchart
• Automated decision table program
▫ Interprets source code and generates a decision table
• Scanning routines
▫ Searches program for specified items
• Mapping programs
▫ Identifies unexecuted code
• Program tracing
▫ Prints program steps with regular output to observe the sequence of program execution events
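Mapping and program tracing can both be built on the interpreter's own trace hook. The following is an added example, not code from the textbook or from any of the tools named above: approve_payment() is a constructed approval routine containing a branch that the normal acceptance-test cases never reach, and the mapping step surfaces that branch, which is exactly the kind of unexecuted code an auditor wants explained.

```python
"""Mapping and program tracing with the interpreter's trace hook (added example).

Not code from the textbook. approve_payment() is a constructed routine; the
acceptance-test cases are constructed too.
"""
import dis
import sys


def approve_payment(amount, approver_level):
    if amount < 1000:
        return "auto"
    if approver_level == 99:
        return "override"
    if approver_level >= 2:
        return "manager"
    return "rejected"


def run_with_trace(func, *args):
    """Program tracing: run func and record the sequence of line numbers
    executed inside it, as offsets from its def line."""
    first = func.__code__.co_firstlineno
    trace = []

    def local_tracer(frame, event, arg):
        if event == "line":
            trace.append(frame.f_lineno - first)
        return local_tracer

    def global_tracer(frame, event, arg):
        # Attach the line tracer only to frames running the audited function.
        if event == "call" and frame.f_code is func.__code__:
            return local_tracer
        return None

    previous = sys.gettrace()
    sys.settrace(global_tracer)
    try:
        result = func(*args)
    finally:
        sys.settrace(previous)
    return result, trace


def executable_lines(func):
    """Lines of func that carry bytecode, as offsets from the def line."""
    first = func.__code__.co_firstlineno
    return {lineno - first
            for _, lineno in dis.findlinestarts(func.__code__)
            if lineno is not None and lineno != first}


def map_unexecuted(func, cases):
    """Mapping: run every case, union the executed lines, and report the
    executable lines that no case reached (offsets from the def line)."""
    executed = set()
    for args in cases:
        _, trace = run_with_trace(func, *args)
        executed.update(trace)
    return sorted(executable_lines(func) - executed)


# Constructed "normal" cases from the user acceptance test.
ACCEPTANCE_CASES = [(500, 1), (5000, 2), (5000, 1)]

if __name__ == "__main__":
    for args in ACCEPTANCE_CASES:
        result, trace = run_with_trace(approve_payment, *args)
        print(args, "->", result, "lines executed (offset from def):", trace)
    print("never executed (offset from def):",
          map_unexecuted(approve_payment, ACCEPTANCE_CASES))
```

Running the acceptance cases leaves one executable line unexecuted: the `return "override"` branch, four lines below the def. Unexecuted code is not proof of anything by itself, but the auditor should be able to obtain a business reason for every such line, and an "approver level 99" path that no approved specification mentions is the sort of thing the program-modification controls on the earlier slides are meant to prevent.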
Computer Audit Software
• Computer-assisted audit software that can perform audit tasks on a copy of a company's data. Can be used to:
▫ Query data files and retrieve records based upon specified criteria
▫ Create, update, compare, download, and merge files
▫ Summarize, sort, and filter data
▫ Access data in different formats and convert to a common format
▫ Select records using statistical sampling techniques
▫ Perform analytical tests
▫ Perform calculations and statistical tests
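The tasks listed above map directly onto a handful of functions run against an extract. The following is an added example, not code from the textbook or from any commercial audit software package: the two CSV extracts (payments and vendor master), the approval limit and the test thresholds are constructed for the illustration, and the tests are the ones an auditor commonly runs on an accounts-payable extract.

```python
"""Generalized audit software tasks on a copy of the data (added example).

Not textbook code. The two CSV extracts below are constructed; the functions
query, summarize, compare files, run an analytical test and draw a sample.
"""
import csv
import io
import random
from collections import defaultdict
from decimal import Decimal

# Constructed payments extract: note P001/P003 and the two amounts just under 5000.
PAYMENTS_CSV = """\
payment_id,vendor_id,invoice_no,amount,date
P001,V10,INV-1001,1200.00,2024-03-01
P002,V11,INV-2001,4999.00,2024-03-02
P003,V10,INV-1001,1200.00,2024-03-05
P004,V12,INV-3001,15000.00,2024-03-06
P005,V11,INV-2002,4990.00,2024-03-07
P006,V13,INV-4001,300.00,2024-03-08
"""

# Constructed vendor master: V13 is missing from it.
VENDOR_MASTER_CSV = """\
vendor_id,name,approved
V10,Acme Supplies,yes
V11,Best Parts,yes
V12,Cardinal Ltd,yes
"""


def load_payments(text):
    """Convert the extract to a common format: amounts as Decimal, not float,
    so that totals reconcile to the cent."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = Decimal(row["amount"])
    return rows


def load_vendor_master(text):
    return {row["vendor_id"]: row for row in csv.DictReader(io.StringIO(text))}


def query_over(payments, threshold):
    """Retrieve records meeting a criterion: payments at or above threshold."""
    return [p["payment_id"] for p in payments if p["amount"] >= threshold]


def duplicate_payments(payments):
    """Same vendor, invoice and amount paid more than once."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor_id"], p["invoice_no"], p["amount"])].append(p["payment_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def summarize_by_vendor(payments):
    totals = defaultdict(Decimal)
    for p in payments:
        totals[p["vendor_id"]] += p["amount"]
    return dict(totals)


def unmatched_vendors(payments, master):
    """Compare files: payments to a vendor that is not on the approved master."""
    return [p["payment_id"] for p in payments
            if master.get(p["vendor_id"], {}).get("approved") != "yes"]


def just_below_limit(payments, limit, band):
    """Analytical test: amounts sitting just under an approval limit, a pattern
    that can indicate split purchases or deliberate threshold avoidance."""
    return [p["payment_id"] for p in payments
            if limit - band <= p["amount"] < limit]


def statistical_sample(payments, size, seed):
    """Simple random sample with a recorded seed so the selection can be reperformed."""
    rng = random.Random(seed)
    return sorted(p["payment_id"] for p in rng.sample(payments, size))


if __name__ == "__main__":
    payments = load_payments(PAYMENTS_CSV)
    master = load_vendor_master(VENDOR_MASTER_CSV)
    print("over 10,000:", query_over(payments, 10000))
    print("duplicates:", duplicate_payments(payments))
    print("by vendor:", summarize_by_vendor(payments))
    print("vendor not on master:", unmatched_vendors(payments, master))
    print("just under 5,000 limit:", just_below_limit(payments, 5000, 10))
    print("sample (seed 42):", statistical_sample(payments, 2, 42))
```

Two details matter in practice. The work is done on a copy of the data, never the production file, and every selection is reproducible: the duplicate and threshold tests are deterministic, and the sample records its seed, so a reviewer can reperform the selection and get the same records.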
Operational Audits
• Purpose is to evaluate effectiveness, efficiency, and goal achievement. Although the basic audit steps are the same, the specific activities of evidence collection are focused toward operations such as:
▫ Review operating policies and documentation
▫ Confirm procedures with management and operating personnel
▫ Observe operating functions and activities
▫ Examine financial and operating plans and reports
▫ Test accuracy of operating information
▫ Test operational controls
Key Terms
• Auditing
• Internal auditing
• Financial audit
• Information systems audit
• Operational audit
• Compliance audit
• Investigative audit
• Inherent risk
• Control risk
• Detection risk
• Confirmation
• Reperformance
• Vouching
• Analytical review
• Materiality
• Reasonable assurance
• Systems review
• Test of controls
• Compensating controls
• Source code comparison program
• Reprocessing
• Parallel simulation
• Test data generator
• Concurrent audit techniques
• Embedded audit modules
• Integrated test facility (ITF)
• Snapshot technique
• System control audit review file (SCARF)
• Audit log
• Audit hooks
• Continuous and intermittent simulation (CIS)
• Automated flowcharting program
• Automated decision table program
• Scanning routines
• Mapping programs
• Program tracing
• Input controls matrix
• Computer-assisted audit techniques (CAAT)
• Generalized audit software (GAS)