Chapter 12 Monitoring and Auditing AIS Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. Learning Objectives • LO#1 Understand the risks involved with computer hardware and software. • LO#2 Understand and apply computer-assisted audit techniques. • LO#3 Explain continuous auditing in AIS. 12-2 LO# 1 Computer hardware and Software • Operating System (OS) (the most important system software) • Database Systems • Local Networks (LANs) • Wide Area Networks (WANs) • Virtual Private Networks (VPNs) • Wireless Networks • Remote Access 12-3 LO# 1 Operating System (OS) • To ensure the integrity of the system • To control the flow of multiprogramming and tasks of scheduling in the computer • To allocate computer resources to users and applications • To manage the interfaces with the computer 12-4 LO# 1 Operating System (OS) (Contd.) Five fundamental control objectives: • Protect itself from users • Protect users from each other • Protect users from themselves • Be protected from itself • Be protected from its environment Operating system security should be included as part of IT governance in establishing proper policies and procedures for IT controls. 12-5 LO# 1 Database Systems • A database is a shared collection of logically related data which meets the information needs of a firm. • A data warehouse is a centralized collection of firm-wide data for a relatively long period of time. • Operational databases is for daily operations and often includes data for the current fiscal year only. • Data mining is the process of searching for patterns in the data in a data warehouse and data analyzing these patterns for decision making. (OLAP) • Data governance is the convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in a firm. 12-6 LO# 1 LANs • A local area network (LAN): a group of computers, printers, and other devices connected to the same network that covers a limited geographic range. • LAN devices include hubs and switches. --hubs (broadcasts through multiple ports) --switches (provides a path for each pair of connections) --Switches provide a significant improvement over hubs 12-7 LO# 1 WANs • Wide area networks (WANs) link different sites together, transmit information across geographically and cover a broad geographic area. --to provide remote access to employees or customers --to link two or more sites within the firm --to provide corporate access to the Internet routers and firewalls 12-8 LO# 1 WANs (Contd.) • Routers: connects different LANs, software-based intelligent devices, examines the Internet Protocol (IP) address • Firewalls: a security system comprised of hardware and software that is built using routers, servers, and a variety of software; allows individuals on the corporate network to send/receive a data packet from the Internet. • Virtual Private Network (VPN) 12-9 LO# 1 Wireless Networks • A Wireless Network is comprised of two fundamental architectural components: access points and stations. • An access point logically connects stations to a firm’s network. • A station is a wireless endpoint device equipped with a wireless Network Interface Card (NIC). 12-10 LO# 1 Wireless Networks (Contd.) Benefits of using wireless technology: --Mobility --Rapid deployment --Flexibility and Scalability --Confidentiality --Integrity --Availability --Access Control --Eavesdropping --Man-in-the-Middle --Masquerading --Message Modification --Message Replay --Misappropriation --Traffic Analysis --Rogue Access Point 12-11 Security Controls in Wireless Networks LO# 1 • Management Controls--management of risk and information system security • Operational Controls--protecting a firm’s premise and facilities, preventing and detecting physical security breaches, and providing security training to employees, contractors, or third party users • Technical Controls--primarily implemented and executed through mechanisms contained in computing related equipments 12-12 LO# 2 Computer-assisted Audit Techniques (CAATs) • CAATs are imperative tools for auditors to conduct an audit in accordance with heightened auditing standards. • Generally Accepted Auditing Standards (GAAS) are broad guidelines regarding an auditor’s professional responsibilities • Information Systems Auditing Standards (ISASs) provides guidelines for conducting an IS/IT audit (issued by ISACA) • According to the Institute of Internal Auditors’ (IIA) professional practice standard section 1220.A2, internal auditors must consider the use of computer-assisted, technology-based audit tools and other data analysis techniques when conducting internal audits. 12-13 LO# 2 Use CAATs in Auditing Systems • Test of details of transactions and balances • Analytical review procedures • Compliance tests of IT general and application controls • Operating system and network vulnerability assessments • Application security testing and source code security scans • Penetration Testing Two approaches: • Auditing around the computer (the black-box approach) • Auditing through the computer (the white-box approach) 12-14 LO# 2 Auditing around the computer (the black-box approach) • First calculating expected results from the transactions entered into the system • Then comparing these calculations to the processing or output results • The advantage of this approach is that the systems will not be interrupted for auditing purposes. The black-box approach could be adequate when automated systems applications are relatively simple. 12-15 LO# 2 Auditing through the computer (the white-box approach) • The white-box approach requires auditors to understand the internal logic of the system/application being tested. • The auditing through the computer approach embraces a variety of techniques: test data technique, parallel simulation, integrated test facility (ITF), and embedded audit module. 12-16 LO# 2 Generalized Audit Software (GAS) • Frequently used to perform substantive tests and is used for testing of controls through transactionaldata analysis. • Directly read and access data from various database platforms • provides auditors an independent means to gain access to data for analysis and the ability to use highlevel, problem-solving software to invoke functions to be performed on data files. --Audit Control Language (ACL) --Interactive Date Extraction and Analysis (IDEA) 12-17 LO# 3 Continuous Audit 12-18 LO# 3 Fraud Schemes and Corresponding Proposed Alarms under Continuous Audits 12-19 LO# 3 Implementation of Continuous Auditing • • • • • • Extensible Markup Language (XML) Extensible Business Reporting Language (XBRL) Database management systems Transaction logging and query tools Data warehouses Data mining or computer-assisted audit techniques (CAATs) 12-20 LO# 3 Implementation of Continuous Auditing (Contd.) • Non-technical barriers and technical challenges exist • A general template that a steering team or the internal audit function can use: --Evaluate the overall benefit and cost --Develop a strategy --Plan and design how to implement continuous auditing --Implement continuous auditing --Performance monitoring 12-21