Rittenberg/Schwieger/Johnstone, Auditing: A Business Risk Approach, Sixth Edition
Chapter 8: Computerized Systems: Risks, Controls, and Opportunities
Copyright © 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license.

Overview of Computerized Accounting Systems
- Most computer systems are highly integrated and networked
- The computing environment includes hardware, software, telecommunications, data, and people
- The auditor needs to understand this environment, including the risks involved (see the chart on the next slide)

Overview of Computerized Accounting Systems: Risks by Processing Area

| Computer Processing Area | Risks |
|---|---|
| Computer Operations | Sabotage, natural disaster, viruses, anything that impairs operations |
| Computer Programs | Fraudulent programming, incorrect data processing, processing fraudulent data |
| Data Files | Unauthorized access, manipulation of data, addition of unauthorized data |
| Data Communications | Data is intercepted, modified, deleted, or replaced with fraudulent data; data ports provide access to hackers, denial of service attacks, or unauthorized access |

Key Computer Software
- Operating systems
- Communications
- Application programs
- Access control

Interconnected Systems: Virtual Private Networks (VPNs)
- Embraces all communications:
  - Fiber-optic to wireless
  - e-business (business to business)
  - E-Commerce (business to consumer)
  - Auctions (consumer to consumer)
  - Intranets (within business)
  - Personal digital assistants
  - Application and database processing
- This type of computerized environment is evolving as the "new economy" demands anytime, anywhere service

Risks with VPNs
- The open nature of a VPN creates risks that both internal and external auditors need to assess:
  - Unauthorized penetration into the organization's system
  - Loss of messages in transmission
  - Interception and either destruction, modification, or copying of information transmitted over the network
  - Denial of service attacks designed to overload and shut the company's system down
  - Loss of processing

General & Application Controls
- On larger, more complex audits, the client's computing systems may present major business risks that need to be evaluated
- Dividing controls into general and application controls helps the auditor organize his/her evaluation of the client's computing systems
- General Controls: pervasive data processing control procedures that affect all computerized applications
  - Planning and controlling data processing
  - Controlling applications development
  - Controlling access
  - Maintaining hardware
  - Controlling electronic communications
- Application Controls: controls related to a particular program

Risk Analysis at the General Control Level
- The auditor usually starts with general controls in evaluating control weaknesses
- Good controls built into a particular application are unlikely to offset weaknesses that affect all aspects of processing
- Risks at the general level include:
  - Unauthorized use of applications or access to data
  - The company may develop the wrong programs, negatively impacting operations
  - Telecommunications systems may not safeguard the system from intruders
  - The wrong data may be processed or the wrong files updated
  - Unauthorized personnel may steal or modify company programs or data
  - Hardware may not be secured against attacks or natural disaster
  - Users may inadvertently cause errors in programs or data

Planning & Controlling the Data Processing Function
- Fundamental concepts an auditor should consider when evaluating the organization and control of data processing:
  - Authorization for all transactions should originate outside the data processing department
  - Users are responsible for authorization, review, and testing of all application developments and changes in computer programs
  - Access to data is provided only to authorized users
  - The data processing department is responsible for all custodial functions associated with data, data files, software, and related documentation
  - Users, along with data processing, are responsible for the adequacy of application controls built into the system
  - Management should periodically evaluate the information systems function for efficiency, integrity, security, and consistency with organizational objectives
  - Internal audit staff should periodically audit applications and operations

Planning & Controlling the Data Processing Function
- Segregation of Duties Within Data Processing
  - Data processing personnel should not have access to programs or data except when authorized to make changes, and those changes follow authorized procedures
  - Users should review and test all significant computer program changes
- Program Development
  - Every organization should have a process to determine that the right applications are acquired, installed, and accomplish their objectives

Planning & Controlling the Data Processing Function (continued)
- Program Changes
  - Only authorized changes are made to computer applications
  - All authorized changes are made to computer applications
  - All changes are tested, reviewed, and documented before implementation
  - Only the authorized version of the computer program is run
- Controlling Access to Equipment, Data, and Programs
  - Access to data is limited to those with a need to know
  - The ability to change, modify, or delete data is restricted to authorized persons
  - The control system has the ability to identify potential users as authorized or unauthorized
  - The security department actively monitors attempts to compromise the system

Planning & Controlling the Data Processing Function (continued)
- Authentication
  - A system to verify that users are authorized to access data
  - Three primary methods are used to authenticate users:
    - Something they know, such as a password
    - Something they possess, such as a card with a magnetic strip
    - Something about themselves, such as a fingerprint or other type of physical identification
- Business Continuity
  - Security and backup plans for both physical assets and media
  - Minimum elements in a backup and recovery plan:
    - Standardized procedures for backup and disaster recovery
    - Plans for reconstruction
    - Periodic review and testing of plans and procedures

Planning & Controlling the Data Processing Function (continued)
- Data Transmission Controls
  - To ensure the completeness and correctness of data transmitted
  - Controls that should minimize loss or alteration of data:
    - Encryption
    - Callback
    - Echo check
    - Bit reconciliation
    - Feedback
    - Private lines
- Application Controls
  - Designed into and around the computer program to ensure processing objectives are attained
  - Often referred to as input, processing, and output control procedures

Planning & Controlling the Data Processing Function (continued)
- Batch Controls
  - Input control; used to ensure all items submitted are actually processed
  - Types of batch controls typically calculated:
    - Record count
    - Financial total
    - Hash totals
  - Reconciles batch totals for items entered with the same batch totals calculated by the system

Planning & Controlling the Data Processing Function (continued)
- Input Controls
  - To ensure transactions are fully and accurately captured, and properly recorded
  - Includes the use of:
    - Prenumbered documents
    - A unique transaction identifier established by the computer
    - Batch control and batch control totals
    - Procedures to limit access to transactions
    - Formation of an audit trail
    - Computerized input validation procedures
    - Self-checking digits
    - Use of stored data to minimize data input
    - On-screen input verification techniques (edit tests)

Planning & Controlling the Data Processing Function (continued)
- On-Line Processing Controls
  - On-screen validation techniques used to verify data input:
    - Stored data used to minimize data input
    - Screen layout logically follows the order in which data is gathered
    - Edit errors noted automatically so data can be immediately corrected
    - Authorization for input noted and verified
    - Unique identifiers automatically added to the transaction

Planning & Controlling the Data Processing Function (continued)
- Processing Controls: designed to ensure
  - The correct program is used for processing
  - All transactions are processed
  - The correct transactions update files
- Output Controls: designed to ensure
  - All data is completely processed
  - Output is distributed only to authorized recipients

Overview of Computer Controls Risk Assessment
- Understanding the control structure
- Testing the effectiveness of controls
- Documentary evidence of controls
- Monitoring controls

Gaining an Understanding of the Control Structure
- The process of assessing control risk in a computerized environment:
  - Identify important accounting applications and the extent of computerization within those applications
  - Develop an understanding of general controls to determine how those controls may affect the integrity of important applications
  - Develop an understanding of the flow of transactions in important accounting applications; identify and document control procedures
  - Develop a preliminary assessment of control risk for the application
  - If preliminary control risk is assessed below high, develop an approach to determine the effectiveness of controls in operation
  - Update the assessment of control risk based on the understanding of application design and testing of controls in operation

Testing the Effectiveness of Controls
- The auditor must decide on the most efficient way to test controls
  - Some test general controls as a whole, because these affect all accounting applications
  - Others test general controls only as they affect important applications
- Documentary Evidence of Controls
  - Some controls provide documentary evidence of their operation
  - That evidence serves as a basis for developing audit procedures to test the controls
  - Examples:
    - Batch control totals
    - Exception reports
    - Computer logs of transactions

Monitoring Controls
- Examples of monitoring controls found in most computerized systems:
  - Computer logs or reports of attempted illegal access
  - Reports of approved program changes
  - Internal audit reports of program changes
  - Reports of unusual activities
  - Internal audit reports on the effectiveness of access controls
  - Reports on production discrepancies

Electronic Commerce
- E-Commerce involves communication through the Internet; it can be used to link trading partners
- Companies involved in E-Commerce need the following controls:
  - Firewalls to intercept unwanted traffic and protect the website and server
  - Encryption of transmissions
  - Monitoring reports
  - Electronic transmission protocols that identify lost or missing data
  - Denial of service software to identify attacks
  - Integrated systems
  - Website security
  - Systems security and backup

Electronic Data Interchange (EDI)
- Exchange of business documents between economic trading partners, computer to computer, in a standard format
- The auditor should review the components necessary to a successful EDI system:
  - Formal trading partner agreement specifying each party's responsibilities
  - Bar coding
  - Formal contract with the Value-Added Network
  - Formal communication system that specifies a standard communication format
  - Formal communication process
  - Need for an automated control structure
  - Need to identify authorized electronic signatures

Electronic Data Interchange (continued)
- EDI has the potential to create two new types of risks that ought to be evaluated as part of every audit:
  - Economic interdependence
    - The objective of EDI is to enlist a large number of partners into a wide communications network to support business
    - With increased partners, there is an increase in the level of interdependence of suppliers and customers
    - The failure of one partner may adversely affect the other trading partners
  - Total systems dependence
    - EDI increases reliance on computerized systems
    - Should these systems fail, substantial losses will likely be realized
- The auditor should determine whether the client has controls in place to monitor these risks and take effective action when needed

Electronic Data Interchange: Application Controls
- Application controls must be built into EDI to ensure accurate accounting
- Key controls in an EDI system include:
  - Control over authorized signatures
  - Access controls
  - Segregation of duties
  - Syntactic edit checks
  - Traditional edit checks
  - Formal protocol for communication acknowledgement between partners
  - Logging of transactions (audit trail)

What is computer auditing?
- Many of the concepts applicable to manual systems hold for computerized systems
- The auditor will want to:
  - Gain assurance that the processes and computer programs are working correctly
  - Trace transactions through the processing system to determine that transactions have been correctly processed
  - Select transactions for more detailed testing and analysis
- Computerized audit techniques commonly used include:
  - Integrated test facility
  - Tagging and tracing (tracing transactions through the system)
  - Generalized audit software

An Integrated Test Facility: Testing Correctness of Processing
- A test data approach that involves developing and submitting fictitious transactions to be processed by computer applications
- Test data are developed to determine whether:
  - Control procedures built into the applications are functioning effectively
  - The computer application is processing transactions correctly
  - All transaction and master files are fully and correctly updated
- The test data approach only examines those controls built into the computer application
- It does not test whether the company has adequate controls to prevent submission of unauthorized or incorrect data

Tagging and Tracing: Tracing Transactions through the System
- A transaction is selected at the input stage and is electronically "marked"
- The transaction is then electronically tracked through processing
- This allows the auditor to determine whether the transaction has been properly recorded and that the correct files have been updated
- Advantages:
  - Works concurrently with the client's processing of regular transactions
  - Flexible: the auditor is able to select transactions to "mark"
  - Can be used to track transactions through distributed processing networks

What is generalized audit software (GAS)?
- Designed to read existing computer files and perform functions such as:
  - Footing a file
  - Selecting a sample, either statistically or judgmentally
  - Extracting, sorting, and summarizing data
  - Obtaining file statistics
  - Evaluating statistical sample results
  - Performing analytical procedures
  - Finding how many transactions or population items meet specified criteria
  - Checking for gaps in processing sequences
  - Checking for duplicates
  - Performing arithmetic calculations
  - Analyzing data for file validity
  - Analyzing data files for unusual patterns

Generalized Audit Software (continued)
- The most widely used of all computerized audit techniques
- Allows auditors to perform a variety of procedures, including:
  - Analyzing files
  - Selecting transactions based on logical identifiers
  - Scanning accounts for unusual entries
  - Selecting statistical samples
  - Projecting errors based on samples
  - Performing basic and advanced numerical analysis
  - Creating reports

Audit Approaches for E-Commerce
- An audit of an entity using E-Commerce follows the basic audit approach; the auditor must understand business processes, important applications, the control environment, and risks
- Risk analysis
  - Risks in common with traditional information systems:
    - Unauthorized access
    - Unauthorized changes to programs or data files
    - Misstatements caused by processing or logic errors
    - Lack of physical security

Audit Approaches for E-Commerce (continued)
- Risks unique to E-Commerce systems:
  - Security of the system and protection against penetration by outsiders
  - Integrity of processing may be threatened by many different sources
  - Integrity of data communications
  - Trading partner agreements
  - Systems interdependencies
  - Paperless systems coupled with "soft" controls

Audit Approaches for E-Commerce (continued)
- Process and Control Audit
  - Audits of E-Commerce will focus on tests of controls and processes
  - The auditor develops an understanding of controls and an approach to determine that controls are working effectively
- Tagging and Tracing
  - Tagging is more complicated than the process identified earlier in the chapter
  - The auditor must work with IT to develop the logic
- Generalized Audit Software
  - Use of GAS may be reduced in some areas, such as confirmations
  - Other areas, like inventory, will continue to use GAS
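The batch control totals from the input-controls slides (record count, financial total, hash total) and the GAS procedures of footing a file and checking for sequence gaps and duplicates, worked as one added Python example that is not from the textbook; the CSV layout, field names and control-slip values are constructed assumptions. The sample batch shows why a hash total over a non-financial field catches a keying error that the record count and financial total both miss.

```python
"""Batch control totals and GAS-style file checks over a constructed cash-receipts
batch. Added example, not the textbook's code; layout and slip values are assumed."""
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed batch as keyed: document 1004 was keyed a second time as 1005,
# so the record count and financial total still agree with the control slip.
SAMPLE_FILE = """doc_no,customer,amount
1001,4102,250.00
1002,4177,1200.50
1003,4102,75.25
1005,4188,300.00
1005,4188,300.00
"""
# Control slip prepared by the user department before submission (constructed);
# its hash total was computed over the intended batch (1004 for customer 4150).
CONTROL_SLIP = {"record_count": 5, "financial_total": Decimal("2125.75"),
                "hash_total": 20719}

def read_batch(text):
    """Parse the CSV batch into typed records (Decimal avoids float rounding)."""
    return [{"doc_no": int(r["doc_no"]), "customer": int(r["customer"]),
             "amount": Decimal(r["amount"])} for r in csv.DictReader(io.StringIO(text))]

def batch_totals(rows):
    """Record count, financial total (footing the amount column) and a hash total
    over a non-financial field; the hash total catches substituted records."""
    return {"record_count": len(rows),
            "financial_total": sum((r["amount"] for r in rows), Decimal("0")),
            "hash_total": sum(r["customer"] for r in rows)}

def reconcile(rows, slip):
    """Names of control totals on which the system disagrees with the control slip."""
    computed = batch_totals(rows)
    return sorted(k for k in slip if computed[k] != slip[k])

def sequence_gaps(rows):
    """Prenumbered documents: numbers missing from the range actually observed."""
    seen = {r["doc_no"] for r in rows}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def duplicates(rows):
    """Document numbers that appear more than once in the batch."""
    return sorted(n for n, c in Counter(r["doc_no"] for r in rows).items() if c > 1)
```

Running `reconcile` on the sample batch flags only the hash total, while `sequence_gaps` and `duplicates` point at the missing document 1004 and the doubled 1005, which is the exception-report evidence the auditor would follow up.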