Information Systems Auditing: The IS Audit Study and Evaluation of Controls Process, 2nd Edition
Robert E. Davis, MBA, CISA, CICA

CraigsPress.com, PO Box 339, Ramona, CA 92065, www.craigspress.com
© Copyright 2009 Robert E. Davis, MBA, CISA, CICA. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted by any means without the written permission of the author. First published by CraigsPress.com on 5/5/2009. Printed in the United States of America. This book is printed on acid-free paper.

Preface
The global Information Technology (IT) community considers becoming a Certified Information Systems Auditor (CISA) a major accomplishment. To obtain the CISA designation, information systems audit, control, or security professionals must pass a rigorous test demonstrating knowledge in a multitude of information systems audit process areas. Information Systems Audit and Control Association (ISACA) standards and guidelines, audit risk, and audit fieldwork are just a few of the knowledge requirements CISA candidates must master.

Objectives
Information Systems Auditing: The IS Audit Study and Evaluation of Controls Process is part of a booklet series providing comprehensive IS audit planning, study, evaluation, and testing methods. Systematically, the series covers the major steps in the IS audit process not chronicled in ISACA standards and guidelines. In terms of content, these monographs convert selected audit standards into practical applications using detailed examples. They also allow auditors to understand the steps and processes required to adequately initiate, document, and compile IT audit phases. Through these study aids, a CISA student will acquire an appreciation for IT financial statement, government, and external auditing. Collectively, these monographs function as study guides for CISA examination preparation as well as audit reference manuals.
IS audit area study and evaluation mastery reflects professional experience and training. Regarding subject mastery, this booklet contains a detailed control system review, analysis, and evaluation process for IS audits which, if practiced, can be translated into professional experience. Chronologically, this monograph describes the required audit steps performed during an audit area assignment. Specifically, internal and external controls study and evaluation are described from an ISA's perspective, while simultaneously presenting other equivalent audit standards and guidelines. Furthermore, audit risk and testing reassessment are discussed at this monograph's conclusion.

Related Material
To enhance certification candidate preparation, Boson Software offers practice tests covering the ISACA CISA examination domains. These practice tests are excellent knowledge diagnostic and test simulation tools, furnishing a variety of question formats for the purchaser. Lastly, the practice tests are customizable, allowing study of selected CISA domains.
Table of Contents
Introduction
1.0 Study of Controls
1.1 Study of Internal Controls
1.2 Study of External Controls
2.0 Design Materiality
3.0 Control Objectives
4.0 Evaluation of Controls
4.1 Evaluation of Internal Controls
4.2 Evaluation of External Controls
4.3 Illegal and Irregular Acts
5.0 Working Papers
5.1 Audit Evidence
6.0 Assessing Risk
7.0 Assessing Testing
Appendix A
Appendix B
Appendix C
Acronyms
Glossary
Bibliography
Biography

Introduction [1, 2]
Audit department management approved the Information System (IS) audit plan. Client management was informed during the opening conference of the IS audit department's accountability, authority, and responsibility. Now, with the audit plan, audit program, and Internal Control Questionnaire (ICQ) documented, the Information Systems Auditor (ISA) is ready to begin what is commonly called fieldwork.
Metaphorically, continuing from Information Systems Auditing: The IS Audit Planning Process, the dinner party guests have arrived and are waiting to partake of the prepared meal. Audit fieldwork generally comprises two distinct classifications: study and evaluation of controls, and testing. This monograph is restricted to the Study and Evaluation of Controls Phase of the IS audit process. An ISA's controls study produces sufficient audit area documentation to demonstrate a comprehensive investigation of Information Technology (IT) and related manual processes. Most business processes have control measures that assist in accomplishing control objectives. Whether or not control measures exist, while scrutinizing an audit area's implemented controls the ISA evaluates effectiveness, efficiency, confidentiality, integrity, availability, compliance, and/or reliability to determine the degree to which control objectives are achieved (Table 1.1). Jointly, the study and evaluation of controls present an opportunity to assess whether management is achieving control objectives. Furthermore, if warranted, a preliminary audit risk reassessment and the allocation of additional testing procedures are performed before the end of this audit phase.

Table 1.1 Selected Domain-Process-Information Criteria Matrix

Domain               Process                          Information Criteria
Plan & Organise      Define Strategic IT Plan         Effectiveness, Efficiency
Plan & Organise      Define Information Architecture  Effectiveness, Efficiency, Confidentiality, Integrity
Financial Reporting  Prepare Financial Statements     Integrity
Compliance           Adhere to Laws & Regulations     Compliance
Operations           Promote Economy & Efficiency     Effectiveness, Efficiency

1.0 Study of Controls [3, 4, 5, 45, 50, 51]
The Information Systems Audit and Control Association (ISACA) promotes planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation as the information technology control domains.
These domains are part of the enterprise's total Internal Control Structure (ICS): control environment, risk assessment, control activities, information and communication, and monitoring. Organization, policies, procedures, personnel, accounting, budgeting, reporting, and internal control reviewing are means of controlling an enterprise and can be mapped into an entity's ICS. In regard to financial statement auditing, financial controls are implemented over business activities and resource allocation. Thus pre-numbered source documents, suspense accounts, and cryptography are considered controls because each meets at least one of the eight previously mentioned ICS criteria. Auditors should be aware that experience has demonstrated that many serious control weaknesses occur in user areas before and after computer processing.

Defining these terms in detail gives an ISA the control aspects of enterprise control activities. By definition, enterprise organization is implemented to prevent chaos and to assist in identifying processes. Organization provides a structure that allows the systematic conduct of business, mirroring an enterprise's objectives and goals. Consequently, policies and procedures direct staff activity to ensure that management's intentions for an organized unit are adopted. Various criminal and civil charges, as well as associated fines and penalties, could confront an enterprise if personnel deviate from documented policies and procedures. Personnel implement policies and procedures for the enterprise manually or technologically. Simultaneously, personnel as a basis of control reside in enterprise-maintained activity-authority relationships. Accounting controls an enterprise through the utilization of principles and procedures. These controls reflect a system of documenting and summarizing business and financial transactions in logs, as well as analyzing, verifying, and reporting results.
Specifically, accounting documents transactions and allows the enterprise's financial status to be determined. By contrast, budgeting is an administration's statement of financial position reflecting estimated income and expenditures. Budgeting normally records management's financial intentions for a specified time period. Enterprise reporting communicates prepared or presented information related to business accounts. In most organizations, the reporting process has been enhanced by IT implementation.

Enterprise control quality is ensured through Internal Control Reviews (ICRs). An ICR provides feedback to management concerning the state of controls. Auditors may not be the individuals who execute an ICR for the enterprise; however, auditors are responsible for assessing ICR effectiveness. Therefore, the ISA is indirectly, if not directly, an enterprise control mechanism.

Directness, selectivity, method of application, and follow-up determine whether implemented controls will assist in attaining a control objective in an effective manner. Directness is the extent to which a control process relates to a control objective; the more direct the relationship, the more effective the control. Selectivity is the threshold, in amount, significance, or other distinguishing characteristic, at which a specific control identifies an exception condition. Method of application is how a specific control is placed into operation; its sub-categories include control repetitiveness as well as personnel skills and experience. Lastly, follow-up is the set of procedures pursued when an exception condition is identified.

At inception, the study of control processes demands that an ISA identify and relate applicable auditing standards to control activities. Control processes are designed and implemented to achieve specific control objectives.
Audit area IT design affects the controls relied on by an organization's management and therefore affects control processes. Some designs that may be used in developing a system are:

Structured Design
Rapid Application Development (RAD)
Joint Application Development (JAD)
Object Oriented Design (OOD)
Structured System Analysis and Design Method (SSADM)
Data Structuring
Levels of Abstraction
High-Order Software (HOS)

Design methodology also affects the quality, amount, and type of documentation available for a system. The American Institute of Certified Public Accountants (AICPA) Computer Services Committee classified IT documentation into problem definition, systems, program, operations, and user related categories. Normally, at a minimum, two documentation types exist for deployed IT: system flow and system functionality. System flow documentation explains objectives, whereas system functionality (program) documentation explains processes. The source and nature of input, computer operations, and the disposition of output are usually presented with system flow objectives. An ISA can identify and document control points related to the audit area on system flowcharts, hence transforming a system flowchart into a control flowchart. However, if any part of the audit area's processes is not documented in the system flowchart, it is the ISA's responsibility to ensure completeness using standard flowcharting symbols. Accomplishing control point identification requires an ISA to relate the risks identified during audit planning to the system flowcharts.
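The step described above, relating planning risks to control points on a system flowchart, can be made mechanical. The following is an added example and not the book's own method or code: it models flowchart nodes drawn with standard symbols, attaches control points that address the information criteria listed in the Table 1.1 discussion, and reports which planning risks have no control point (at the risk's node or downstream of it) that addresses a criterion they threaten. The payroll-input flow, the controls, the risks, and the 1-to-3 directness scale are all constructed assumptions for illustration.

```python
"""Relate audit-planning risks to control points on a system flowchart.

Added illustration, not the book's method or code. The flowchart, controls
and risks are constructed sample data for a hypothetical payroll-input
process; the numeric directness scale is an assumption, not the book's.
"""
from dataclasses import dataclass, field

# Information criteria the book lists for evaluating an audit area.
CRITERIA = frozenset({"effectiveness", "efficiency", "confidentiality",
                      "integrity", "availability", "compliance", "reliability"})

# Standard flowchart symbols the control flowchart may use.
SYMBOLS = frozenset({"input", "process", "decision", "output", "storage"})


@dataclass(frozen=True)
class Control:
    name: str
    criteria: frozenset      # information criteria the control addresses
    directness: int          # assumed scale: 3 = direct, 1 = indirect
    follow_up: str           # procedure pursued when an exception is found


@dataclass
class FlowNode:
    ident: str
    symbol: str              # one of SYMBOLS
    label: str
    controls: list = field(default_factory=list)


@dataclass(frozen=True)
class Risk:
    ident: str
    node: str                # node at which the risk materialises
    criteria: frozenset      # criteria the risk threatens
    description: str


def validate(nodes, risks):
    """Reject an incomplete or non-standard flowchart before relating risks to it."""
    idents = [n.ident for n in nodes]
    if len(set(idents)) != len(idents):
        raise ValueError("duplicate node identifiers")
    for n in nodes:
        if n.symbol not in SYMBOLS:
            raise ValueError(f"{n.ident}: non-standard symbol {n.symbol!r}")
        for c in n.controls:
            if not c.criteria <= CRITERIA:
                raise ValueError(f"{c.name}: unknown criteria {set(c.criteria) - CRITERIA}")
    for r in risks:
        if r.node not in idents:
            raise ValueError(f"{r.ident}: node {r.node!r} is not on the flowchart")
        if not r.criteria <= CRITERIA:
            raise ValueError(f"{r.ident}: unknown criteria {set(r.criteria) - CRITERIA}")


def control_flowchart(nodes):
    """The system flowchart annotated with its control points: node -> control names."""
    return {n.ident: [c.name for c in n.controls] for n in nodes}


def covering_controls(nodes, risk):
    """Controls able to address the risk: placed at its node or downstream (a later
    reconciliation can still detect an earlier error) and addressing at least one
    threatened criterion. Most direct controls first, then earliest in the flow."""
    order = {n.ident: i for i, n in enumerate(nodes)}
    hits = []
    for n in nodes:
        if order[n.ident] < order[risk.node]:
            continue
        for c in n.controls:
            if c.criteria & risk.criteria:
                hits.append((-c.directness, order[n.ident], c.name))
    return [name for _, _, name in sorted(hits)]


def coverage_gaps(nodes, risks):
    """Risks with no control point: control objectives not achieved, to be reported and tested."""
    validate(nodes, risks)
    return [r.ident for r in risks if not covering_controls(nodes, r)]


def sample_payroll_flow():
    """Constructed sample data for a hypothetical payroll-input process."""
    nodes = [
        FlowNode("N1", "input", "Timesheets keyed by payroll clerk", [
            Control("Pre-numbered timesheet batch header", frozenset({"integrity"}), 3,
                    "Missing sequence numbers chased with department")]),
        FlowNode("N2", "process", "Validate hours against roster", [
            Control("Edit check: hours per week <= 80", frozenset({"integrity", "reliability"}), 3,
                    "Rejected record returned to clerk")]),
        FlowNode("N3", "decision", "Hours valid?"),
        FlowNode("N4", "process", "Compute gross pay"),
        FlowNode("N5", "output", "Payroll register to bank", [
            Control("Register encrypted in transit", frozenset({"confidentiality"}), 3,
                    "Transfer aborted and security notified"),
            Control("Supervisor reviews register totals", frozenset({"integrity", "effectiveness"}), 2,
                    "Variance investigated before release")]),
        FlowNode("N6", "storage", "Suspense account for unmatched items", [
            Control("Suspense account cleared monthly", frozenset({"integrity"}), 2,
                    "Aged items escalated to controller")]),
    ]
    risks = [
        Risk("R1", "N1", frozenset({"integrity"}), "Timesheets lost or duplicated before keying"),
        Risk("R2", "N4", frozenset({"availability"}), "Pay run fails with no restart procedure"),
        Risk("R3", "N5", frozenset({"confidentiality"}), "Register disclosed in transit"),
        Risk("R4", "N4", frozenset({"compliance"}), "Overtime rules not applied per labour law"),
    ]
    return nodes, risks


if __name__ == "__main__":
    nodes, risks = sample_payroll_flow()
    for node, names in control_flowchart(nodes).items():
        print(node, names)
    for r in risks:
        print(r.ident, covering_controls(nodes, r))
    print("gaps:", coverage_gaps(nodes, risks))
```

Run as written, the gap list names R2 and R4: no control point on the sample flow addresses availability or compliance, so those control objectives are not achieved and become candidates for the risk reassessment and additional testing described at the end of this phase. The validation step enforces the completeness requirement from the text: a risk placed at a node absent from the flowchart, or a node drawn with a non-standard symbol, is rejected rather than silently reported as covered.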