Information Systems Auditing
The IS Audit Study and Evaluation of
Controls Process
2nd Edition
Robert E. Davis, MBA, CISA, CICA
CraigsPress.com
PO Box 339
Ramona, CA 92065
www.craigspress.com
© Copyright 2009 Robert E. Davis, MBA, CISA, CICA. All rights
reserved.
No part of this book may be reproduced, stored in a retrieval system,
or transmitted by any means without the written permission of the
author.
First published by CraigsPress.com on 5/5/2009.
Printed in the United States of America.
This book is printed on acid-free paper.
Preface
The global Information Technology (IT) community considers
becoming a Certified Information Systems Auditor (CISA) a major
accomplishment. To obtain the CISA designation, information
systems audit, control, or security professionals must pass a
rigorous test demonstrating knowledge in a multitude of information
systems audit process areas. Information Systems Audit and Control
Association (ISACA) standards and guidelines, audit risk, and audit
fieldwork are just a few of the knowledge requirements CISA
candidates must master.
Objectives
Information Systems Auditing: The IS Audit Study and Evaluation
of Controls Process is part of a booklets series providing
comprehensive IS Audit planning, study, evaluation, and testing
methods. Systemically, the series covers major steps in the IS audit
processes not chronicled in ISACA standards and guidelines. In
terms of content, these monographs convert selected audit standards
into practical applications using detailed examples. These
monographs also allow auditors to understand various steps and
processes required to adequately initiate, document, and compile IT
audit phases. Through these study assistants, a CISA student will
acquire an appreciation for IT financial statement, government, and
external auditing. Collectively, these monographs function as study
guides for CISA examination preparation as well as audit reference
manuals.
IS audit area study and evaluation mastery reflects professional
experience and training. Regarding subject mastery, this booklet
contains a detailed control system review, analysis, and evaluation
process for IS audits, which can be translated, if practiced, into
professional experience. Chronologically, this monograph describes
the required audit steps performed during an audit area assignment.
Specifically, internal and external controls study and evaluation are
described from an ISA's perspective, while simultaneously
presenting other equivalent audit standards and guidelines.
Furthermore, audit risk and testing reassessment are discussed at this
monograph's conclusion.
Related Material
To enhance certification candidate preparation, Boson Software
offers practice tests traversing the ISACA CISA examination
domains. These practice tests are excellent knowledge diagnostic
and test simulation tools, furnishing a variety of question formats for
the purchaser. Lastly, the practice tests are customizable, therefore,
allowing selected CISA domain study.
Table of Contents
Introduction
1.0 Study of Controls
1.1 Study of Internal Controls
1.2 Study of External Controls
2.0 Design Materiality
3.0 Control Objectives
4.0 Evaluation of Controls
4.1 Evaluation of Internal Controls
4.2 Evaluation of External Controls
4.3 Illegal and Irregular Acts
5.0 Working Papers
5.1 Audit Evidence
6.0 Assessing Risk
7.0 Assessing Testing
Appendix A
Appendix B
Appendix C
Acronyms
Glossary
Bibliography
Biography
Introduction
Audit department management approved the Information System
(IS) audit plan. Client management was informed during the
opening conference of the IS audit department's accountability,
authority, and responsibility. Now, with the audit plan, audit program
and Internal Control Questionnaire (ICQ) documented, the
Information Systems Auditor (ISA) is ready to begin what is
commonly called fieldwork. Metaphorically, continuing from
Information Systems Auditing: The IS Audit Planning Process, the
dinner party guests have arrived and are waiting to partake of the
prepared meal. Audit fieldwork generally comprises two distinct
classifications: study and evaluation of controls, and testing.
This monograph is restricted to the IS audit process Study and
Evaluation of Controls Phase.
An ISA’s controls study produces sufficient audit area
documentation demonstrating comprehensive investigation
concerning Information Technology (IT) and related manual
processes. Most business processes have control measures assisting
in accomplishing control objectives. However, even if control
measures do not exist, while scrutinizing an audit area’s
implemented controls, the ISA evaluates effectiveness, efficiency,
confidentiality, integrity, availability, compliance, and/or reliability
to determine the degree control objectives are achieved (Table 1.1).
Jointly, the study and evaluation of controls present an opportunity
to assess if management is achieving control objectives.
Furthermore, if warranted, preliminary audit risk reassessment and
additional testing procedures allocation are performed before the end
of this audit phase.
Table 1.1 Selected Domain-Process-Information Criteria Matrix

Domain              | Process                        | Information Criteria
--------------------|--------------------------------|---------------------------------------------------
Plan & Organise     | Define Strategic IT Plan       | Effectiveness, Efficiency
                    | Define Information Architecture| Effectiveness, Efficiency, Confidentiality, Integrity
Financial Reporting | Prepare Financial Statements   | Integrity, Compliance
                    | Adhere to Laws & Regulations   | Compliance
Operations          | Promote Economy & Efficiency   | Effectiveness, Efficiency
1.0 Study of Controls
The Information Systems Audit and Control Association (ISACA)
promotes planning and organization, acquisition and implementation,
delivery and support, and monitoring and evaluation as information
technology control domains. These domains are part of the
enterprise's total Internal Control Structure (ICS): control
environment, risk assessment, control activities, information and
communication, and monitoring. Organization, policies, procedures,
personnel, accounting, budgeting, reporting, and internal control
reviewing are means to control an enterprise and can be mapped into
an entity's ICS. With regard to financial statement auditing, financial
controls are implemented for business activities and resource
allocation. Therefore, pre-numbered source documents, suspense
accounts, and cryptography are considered controls because they
meet at least one of the eight previously mentioned ICS criteria.
Auditors should be aware that experience has demonstrated many of
the serious control weaknesses occur in user areas before and after
computer processing.
Conveying detailed definitions of these terms gives an ISA insight
into the control aspects of enterprise control activities. Ergo, by
definition, enterprise organization is implemented to prevent chaos
and to assist in identifying processes. Organization provides a
structure that allows business to be conducted systematically,
mirroring an enterprise's objectives and goals. Consequently,
policies and procedures direct staff activity to ensure management's
intentions for an organized unit are adopted. Various criminal and
civil charges, as well as associated fines and penalties, could
confront an enterprise if personnel deviate from documented policies
and procedures. Personnel implement policies and procedures for
the enterprise manually or technologically. Simultaneously,
personnel, as a basis of control, reside in the activity-authority
relationships the enterprise maintains.
Accounting controls an enterprise through utilization of principles
and procedures. These controls reflect a system of documenting and
summarizing business and financial transactions in logs as well as
analyzing, verifying, and reporting results. Specifically, accounting
documents transactions and allows enterprise financial status
determination. Contrastingly, budgeting is an administration’s
statement of financial position reflecting estimated income and
expenditures. Budgeting normally records management’s financial
intentions for a specified time period. Enterprise reporting
communicates prepared or presented business accounts related
information. In most organizations, the reporting process has been
enhanced by IT implementation. Enterprise control quality is
ensured through Internal Control Reviews (ICRs). An ICR enables
feedback to management concerning the state of controls. Auditors
may not be the individuals who execute an ICR for the enterprise.
However, auditors are responsible for assessing ICR effectiveness.
Therefore, the ISA is indirectly, if not directly, an enterprise control
mechanism.
Directness, selectivity, method of application, and follow-up
determine whether implemented controls will assist in attaining a
control objective in an effective manner. Directness is the extent to
which a control process relates to a control objective; thus, a direct
control relationship enhances effectiveness. Selectivity is the
magnitude of the amount, the significance of other criteria, or the
distinguishing characteristic at which a specific control will identify
an exception condition. How a specific control is placed into
operation determines its method of application. Process method of
application sub-categories include control repetitiveness as well as
personnel skills and experience. Lastly, control follow-up is the set
of procedures pursued when an exception condition is identified.
At inception, the study of control processes demands that an ISA
identify and relate applicable auditing standards to control activities.
Control processes are designed and implemented to achieve specific
control objectives. Audit area IT design affects the controls relied on
by an organization's management, therefore affecting control
processes. Some designs that may be used in developing a system
are:

- Structured Design
- Rapid Application Development (RAD)
- Joint Application Development (JAD)
- Object Oriented Design (OOD)
- Structured System Analysis and Design Method (SSADM)
- Data Structuring
- Levels of Abstraction
- High-Order-Software (HOS)
Design methodology also affects the quality, amount and type of
documentation available for a system. The American Institute
of Certified Public Accountants (AICPA) Computer Services
Committee classified IT documentation into problem definition,
systems, program, operations, and user related categories. Normally,
at a minimum, two documentation types exist for deployed IT:
system flow and system functionality. System flow documentation
explains objectives, whereas system functionality (program)
documentation explains processes. Source and nature of input,
computer operations, and output disposition are usually presented
with system flow objectives. An ISA can identify and document
control points related to the audit area with system flowcharts,
hence transforming a system flowchart into a control flowchart.
However, if any part of the audit area's processes is not
documented in the system flowchart, it is the ISA's responsibility to
ensure completeness using standard flowcharting symbols.
Accomplishing control point identification requires an ISA to
relate risks identified during audit planning to the system flowcharts.