ADM 4346 Accounting Information Systems Auditing

  • 7/25/2019 ADM 4346 Accounting Information Systems Auditing

    ADM 4346:

    Don't worry about chapters 3, 4, 5, 8 or other readings

    List and describe questions

    For chapter 10

    Use words from the slides when possible

    Contents

    Slide 1 - Accounting Information Systems and the Accountant - Chapter 1

    Slide 2 - Information Technology and Accounting Information Systems - Chapter 2

    Slide 3 - Data Modelling - Chapter 3 Page

    Slide 4 - Database Organizing, Manipulating and Forms and Reports - Chapter 4-5 Page

    Slide 5 - Documenting Accounting Information Systems - Chapter 6 - Page

    Slide 6 - Accounting Information Systems and Business Processes - Chapter 7 - Page

    Slide 9 - Introduction to Internal Control Systems - Chapter 9 - Page

    Slide 10 - Computer Controls for Organizations and AISs - Chapter 10 - Page 311

    Slide 11 - Computer Crime, Fraud, Ethics and Privacy - Chapter 11A Page

    Slide 11 - Computer Crime, Fraud, Ethics and Privacy - Chapter 11B Page

    Slide 11 - Information Technology Auditing - Chapter 12 Page

    Slide 11 - Developing and Implementing Effective AISs - Chapter 13 Page

    Slide 1 - Accounting Information Systems and the Accountant - Chapter 1

    Learning Objectives

    Explain the differences between the terms:

    Systems, information systems, information technology, and accounting information systems.

    Explain how information technology (IT)

    Influences accounting systems

    Supports the use of business intelligence (e.g. dashboards and scorecards) and

    Is changing financial reporting (e.g. XBRL)

    Show why auditors provide a variety of assurance services

    Be more aware of advances in accounting information systems

    Be familiar with

    Suspicious activity reporting and

    Career opportunities that combine accounting and IT knowledge and skills

    What is a System?

    Consists of

    People, Tools and Objects

    Can be:

    Manual

    Partial or fully automated

    What Are Accounting Information Systems?

    Accounting Information System (AIS):

    collection of data, processing procedures, and outputs

    creates needed information for users

    can be manual or computerized

    serves internal and external users

    Accounting Information Systems

    What's New in AIS?

    Sustainability Reporting (MII)

    Measuring non-financial performance

    Qualitative as well as quantitative information

    Impacts on income and future performance

    The Accountant's Challenge

    Provide information to support:

    Decision-making

    Business and government processes

    Accounting and finance

    Non-accountants in planning and control

    Accounting Information Systems

    Fulfills three important business functions:

    Collect and store data about organizational activities, resources and personnel

    Transform data into information so management can plan, execute, control and evaluate activities, resources and personnel

    Provide adequate controls to safeguard the organization's assets and data

    AIS also supports non-financial business processes:

    Supply chain management - inventory level, demand trends, supplier relationship management

    Marketing - sales management, forecasts and summaries customer relationship management

    Human Resources - workforce planning, employment recruitment, retention and development, and payroll

    Production - inventory summaries, product cost analysis, material requirements planning

    Finance - cash and asset management, multi-company management, credit card transactions

    How AIS Adds Value

    AIS can add value to the organization by:

    1. Improving quality and reducing costs of products or services.

    2. Improving efficiency

    3. Sharing knowledge

    4. Improving efficiency and effectiveness of supply chain

    5. Improving the internal control structure

    6. Improving decision making

    AIS Interactions

    Data vs Information

    Data

    Information

    What is Data? Facts

    Data Formatted into Information

    Data Analytics: design your own report

    Information Integrity and Value (RATCR)

    Information Systems

    Information and Business Decisions

    Business processes get things done.

    These processes are a set of structured activities that are performed by people, machines, or both to achieve a specific goal.

    Information and key decisions result from these business processes.

    AIS Relationship with Business Decisions

    Organization goals, objectives, culture, IT influence the AIS and vice versa.

    The Information Age

    IT a major force in society

    Consumer technology enables online shopping, communications and education

    Computers enable changes in commerce

    Knowledge workers

    Produce, analyze, manipulate, and distribute information

    Focus on business activities

    Accountants have always been knowledge workers

    Trends in IT

    e-Commerce - buying and selling on Internet

    e-Business - conducting all aspects of business over the Internet

    ERP (enterprise resource planning)

    Information sources, systems and applications for all business systems - accessible by all business functions

    Cloud Computing

    Data storage

    Infrastructure and platform

    Application

    What's New in AIS?

    Suspicious Activity Reporting (SAR)

    Used by banks and certain other financial institutions

    Detailed reporting on various financial transactions

    Combats money laundering, funding terrorism

    SAR basically affects any place money can be laundered.

    Forensic accounting, governmental accountants, and terrorism

    Combines skills of investigation, accounting, and auditing

    Seeks patterns in financial data

    Provides indicators of fraud, money laundering, financial support of terrorism

    Traces arms and chemical orders to final destination

    Combats cyber terrorism

    Suspicious Activity Reporting

    SAR laws require accountants to report questionable transaction to the Minister of Finance

    FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) - authority based on the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

    Objective is to implement specific measures to detect and deter money laundering and the financing of terrorist activities to facilitate the investigation or prosecution of money laundering and terrorist financing offences.

    Institutions affected: banks, broker dealers, money service businesses (e.g. currency traders), casinos and card clubs, commodity traders, insurance companies and mutual funds.

    Accounting and IT Figure 1-6

    IT impacts all major areas of accounting practice

    The Accounting Cycle Figure 1

    not "Alb" or "Ab")

    2. AND / OR logic

    3. Join tables properly

    4. Name queries systematically (not Qry1, Qry2)

    5. Selective data fields - meet your requirements

    Creating the Query

    Query Answer

    Designing Reports

    1. Select underlying tables (data sources) and fields

    2. Indicate grouping levels if required (e.g. by province)

    3. Indicate sort fields (e.g. by customer name)

    4. Name and save report

    5. Modify report as desired (e.g. add graphics, colour)

    Discussion

    1. Identify the data files and relations that would be required to verify that all Vendor Invoice (A/P) amounts agree with receipted amounts (i.e. Unit cost in A/P equals unit price in the inventory file).

    Final output should include the following fields: vendor number, name and address, product number, product description, product class, class description and unit price.

    2. Draw the relationship diagram showing the data files and the foreign keys.

    3. Identify the controls that should be in place to ensure amounts are equal.

    Record Layouts for Tables

    ACL Demo

    Demo of ACL

    Relate command

    Filter

    Creating Simple Forms

    Two options for creating simple form:

    1. Design from scratch using "Blank Form"

    2. Enter the appropriate settings in the Form Wizard

    Form Wizard: First Screen Figure 5-4a

    Form Wizard: Second Screen Figure 5-4b

    Form Wizard: Third Screen Figure 5-4c

    Creating Simple Forms

    After form is created, customize it

    Form controls are objects such as textboxes and labels

    Bound controls are textboxes, drop down boxes

    Unbound controls are labels, pictures

    Property sheet window can customize a control

    Control source property

    Key Terms

    Data definition language (DDL)

    Data manipulation language (DML)

    Data query language (DQL)

    Data type

    Field properties

    Input masks

    Query

    Referential integrity

    Schema

    Structured query language (SQL)

    Validation rule

    Exercise 5-1

    Quantity Received Quantity Ordered

    You have determined that there is no control to ensure that the quantity received is what was ordered. As a result, the Quantity Received can be more than the Quantity Ordered

    Identify three people who could take advantage of this control weakness and how they could do so.

    For each identify a benefit - Why might they do so?

    For each - what would be an appropriate control?

    Homework Assignment

    Groups

    Complete on Blackboard (4-6 per group)

    Select case (first-come-first-served)

    Exercise 5-1:

    Quantity Received > Quantity Ordered
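
A data analysis test for the control gap in Exercise 5-1 and for the unit-cost check in the Discussion above, as an added example that is not part of the original notes. The record layouts, field names and sample rows are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data; layouts and values are assumptions for illustration.
PURCHASE_ORDERS = [  # (po_no, product_no, qty_ordered)
    ("PO-100", "P-01", 50),
    ("PO-101", "P-02", 20),
]
RECEIVING_REPORTS = [  # (rr_no, po_no, product_no, qty_received)
    ("RR-1", "PO-100", "P-01", 30),
    ("RR-2", "PO-100", "P-01", 20),  # two partial deliveries, total equals order
    ("RR-3", "PO-101", "P-02", 25),  # 5 units more than ordered
    ("RR-4", "PO-999", "P-07", 5),   # receipt with no purchase order
]
INVENTORY = {  # product_no -> unit_price
    "P-01": Decimal("4.00"),
    "P-02": Decimal("12.50"),
}
VENDOR_INVOICES = [  # (invoice_no, vendor_no, product_no, unit_cost)
    ("INV-1", "V-10", "P-01", Decimal("4.00")),
    ("INV-2", "V-11", "P-02", Decimal("13.00")),  # billed above inventory price
    ("INV-3", "V-12", "P-09", Decimal("1.00")),   # product not in inventory file
]


def over_receipts(purchase_orders, receiving_reports):
    """Flag PO lines whose total received quantity exceeds the quantity ordered.

    Receipts are summed per PO line first, so partial deliveries are not
    reported; receipts that reference no purchase order are reported as well.
    """
    ordered = {(po, prod): qty for po, prod, qty in purchase_orders}
    received = defaultdict(int)
    for _rr_no, po, prod, qty in receiving_reports:
        received[(po, prod)] += qty

    exceptions = []
    for (po, prod), total in sorted(received.items()):
        if (po, prod) not in ordered:
            exceptions.append((po, prod, "NO_ORDER", 0, total))
        elif total > ordered[(po, prod)]:
            exceptions.append((po, prod, "OVER_RECEIPT", ordered[(po, prod)], total))
    return exceptions


def unit_cost_mismatches(vendor_invoices, inventory):
    """Flag invoice lines whose unit cost differs from the inventory unit price.

    A product missing from the inventory file is an exception too; its
    unit price is returned as None.
    """
    mismatches = []
    for invoice_no, vendor_no, prod, unit_cost in vendor_invoices:
        unit_price = inventory.get(prod)
        if unit_price is None or unit_cost != unit_price:
            mismatches.append((invoice_no, vendor_no, prod, unit_cost, unit_price))
    return mismatches


if __name__ == "__main__":
    for row in over_receipts(PURCHASE_ORDERS, RECEIVING_REPORTS):
        print("receiving exception:", row)
    for row in unit_cost_mismatches(VENDOR_INVOICES, INVENTORY):
        print("unit cost exception:", row)
```

Run as a detective control, the exception lists go to someone other than the receiving clerk or the accounts payable clerk who entered the records.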

    Slide 5 - Documenting Accounting Information Systems - Chapter 6 - Page

    Learning Objectives

    After reading this chapter you will:

    Understand why documenting an AIS is important to the organization and its auditors

    Be able to create simple data flow diagrams and document flowcharts and explain how they describe the flow of data in AISs

    Be able to create simple system flow diagrams and process maps and interpret these diagrams

    Describe how program flowcharts and decision tables help document AISs

    Describe software for documenting AISs

    Documentation

    Documentation includes flowcharts, narratives, etc. that describe the inputs, processing and outputs of the AIS. Documentation is important:

    1. Depicts how a system works

    2. Training users

    3. Designing new systems

    4. Controlling system development and maintenance costs

    5. Standardizing communication with others

    6. Auditing AISs

    7. Documenting business processes

    8. Complying with regulation such as C-SOX

    9. Establishing accountability

    Along with control

    Makes it easier to do a lot of these things.

    Primary Documentation Methods

    Systems are frequently deficient in documentation due to implementation pressures

    Four common documentation methods:

    Data flow diagrams

    Document flowcharts

    System flowcharts

    Process maps

    Data Flow Diagrams

    Uses

    In systems development process

    Tool for analyzing an existing system

    Describes sources and destinations of data

    Types

    Context

    Physical

    Logical

    Types of DFDs

    Context Diagrams

    Data Flow Diagrams

    Physical Data Flow Diagrams

    Focus on physical entities, tangible documents, and reports flowing through the system

    Include same inputs and outputs as predecessor context diagram

    List job titles of employees

    Are simple, more readable, and easier to interpret

    Data Flow Diagrams

    Logical Data Flow Diagrams

    Identify what participants do

    Bubbles indicate a task the system performs

    Data Flow Diagrams

    - You have more information and things are broken down (logical flow of information)

    - Circles, instead of showing employees and their job titles, show jobs that are being performed

    Decomposition

    Exploding of data flow diagrams to show more detail

    Level 0 data flow diagrams exploded into successive levels of detail

    Level 1 data flow diagrams

    3.1 - Compute gross pay

    3.2 - Compute payroll deductions

    Data Flow Diagrams

    - All of that needs to be done to process pay cheques

    - It's always an action

    Types of Flowcharts

    Document: shows the flow of documents and data for a process, useful in evaluating internal controls

    Systems: depicts the data processing cycle for a process

    Program: illustrates the sequences of logic in the system process

    Creating Data Flow Diagrams

    Example - Lemonade stand

    Steps:

    1. Create a list of business transactions

    2. Construct Context Level DFD (identifies system and entities)

    3. Construct Level 0 DFD (identifies manageable sub processes)

    4. Construct Level 1 - n DFD (identifies actual data flows and data stores)

    Create a list of business transactions

    Customer Order

    Serve Product

    Collect Payment

    Produce Product

    Store Product

    Order Raw Materials

    Pay for Raw Materials

    Pay for Labor

    Create a list of functional activities

    Context Level Data Flow Diagram

    Level 0 Data Flow Diagram

    Process Decomposition

    Level 1 Data Flow Diagram

    Document Flows basic symbols - Do not need to know for midterm exam

    Drawing a Document Flowchart

    Steps:

    1. Identify "who"

    2. Identify the documents

    3. Identify where documents are created, processed, and used

    Simple Document Flowchart

    System Flowchart Symbols

    Simple System Flowchart

    Business Process Diagram Preparation

    Build swim lanes

    - Identify areas of responsibility for each person involved in process - list across top or side of page

    Diagram events or tasks

    - Sequence of events (in order from top to bottom and left to right)

    Draw documents

    - Documents and reports created or used in process

    Draw data files

    - Data files created or used in the process

    - Dotted lines with arrows indicate direction information flows

    Simple Process Map

    Exercise 6-1

    In groups of 3-4 - develop a process map for one of the following:

    - Purchase of a house or car

    - Rental of an apartment

    - Other - your choice

    Identify:

    - Key Players (at least 3)

    - Events and documents

    - Key control points

    - For each control point identify data analysis tests

    Purchase of House

    Flowchart Tools

    Microsoft

    Visio

    PowerPoint

    Word

    CASE tools

    Variety of other software - online, free

    Key Terms

    CASE (Computer-assisted software engineering) tools

    Context diagram

    Data flow diagrams (DFDs)

    Decision table

    Decomposition

    Document flowchart

    End-user computing

    Graphical documentation

    Job stream

    Level 0 data flow diagram

    Level 1 data flow diagram

    Logical data flow diagrams

    Object oriented software

    Physical data flow diagram

    Process maps

    Program flowcharts

    Rapid application developments

    Sandwich rule

    Scope

    Signed checklist

    Structured programming

    System flowcharts

    Homework Assignment

    Problem 6-12 p. 201

    &ase analysis ;-76 p.7G

    Slide 6 - Accounting Information Systems and Business Processes - Chapter 7 - Page

    Learning Objectives

    After reading this chapter you will:

    Be able to describe the steps in the financial accounting process and the role of AIS in each step

    Be able to demonstrate the use of Journals and ledgers to assist in processing accounting transactions

    Recognize different types of coding systems used by AISs

    Understand why planning an AIS starts with the design of the outputs in order to meet the user's information needs

    Recognize the objectives and map the inputs and outputs of the sales and purchasing process

    Business Process Fundamentals

    The fundamentals of accounting are embedded in modern AIS:

    Journals

    Ledgers

    Trial Balance

    Financial Statement

    Enable the accounting cycle from transaction recording to financial reporting

    Financial Accounting Cycle Steps

    1. Record transaction in journal

    2. Post journal entries to ledger

    3. Prepare unadjusted trial balance

    4. Post and record adjusting journal entries

    5. Prepare adjusted trial balance

    6. Prepare financial statements

    7. Record and post closing journal entries

    8. Prepare a post-closing trial balance

    AIS Financial Accounting Cycle

    Coding Systems

    Code Types:

    Mnemonic (e.g. S, M, L, XL)

    Alphanumeric - uses letters and numbers

    Sequence - sequential set of numbers (e.g. customer accounts)

    Block - sequential codes with blocks of numbers reserved for specific purposes

    Group - lead portion of sequential code (e.g. first 2 of product code is product type)

    Use those two code types whenever possible.

    Identify all the current assets with a 1 and all investments by looking for 12.

    Financial Accounting Cycle

    The Sales Process

    Sales Process

    Begins with customer order

    Ends with collection of cash

    Primary Objectives of Sales Process

    Process sales or other revenues in a timely and efficient manner

    Collect cash in a timely and efficient manner

    Objectives

    Track sales of goods/services to Customers

    Fill customer orders and maintain customer records

    Billing and collection of payments for goods/services

    Forecast sales and cash receipts

    Inputs

    Sales Order

    Sales Invoices

    Remittance Advice

    Shipping Notice

    Debit/Credit Memo

    Outputs

    Financial Statement Info

    Customer Billing Statement

    Aging Report

    Bad Debt Report

    Cash Receipts Forecast

    Customer Listing

    Sales Report Analysis

    Threats and Controls Sales Process

    Purchase Process

    Objectives

    Track purchase of goods/services from Vendors

    Track amounts owed and make timely accurate payments

    Maintain vendor records and Control inventory

    Forecast purchases and cash outflows

    Inputs

    Purchase Invoice

    Purchase requisition

    Purchase order

    Vendor listing

    Receiving report

    Bill of lading / packing slip

    Debit/credit memo

    Outputs

    Financial Statement Info

    Vendor cheques

    Cheque Register

    Discrepancy reports

    Cash requirements forecast

    Sales analysis reports

    Threats and Controls Purchase Process Exercise

    Business process management

    Customer relationship management

    Discrepancy reports

    Exception report

    Group code

    Mnemonic code

    Numeric code

    Purchasing process

    RFID tags

    Sales process

    Sequence code

    Supply chain

    Homework Assignment

    Group topics (first-come-first served)

    Topic

    Short description of what will be addressed

    Case analysis 7-16 pp. 240-241

    Slide 9 - Introduction to Internal Control Systems - Chapter 9 - Page

    Learning Objectives

    After reading this chapter you will:

    Be familiar with the primary control frameworks

    Be familiar with an internal control system and its components

    Understand the importance of enterprise-risk assessment and its impact on internal controls

    Understand the importance of COSO and COBIT

    Be able to identify the differences between preventive, detective and corrective controls

    Understand various methods used to analyze internal control decisions

    Controls

    Controls in a computer information system reflect the policies, procedures, practices and organizational structures designed to provide reasonable assurance that objectives will be achieved.

    The controls in a computer system ensure effectiveness and efficiency of operations, reliability of financial reporting and compliance with the rules and regulations

    Internal Controls

    Internal control describes the policies, plans and procedures implemented by management to:

    Protect assets

    Ensure accuracy and completeness of financial information

    Meet business objectives

    Internal Control System SArEE.

    Methods and measures to achieve the following four objectives:

    Safeguard assets

    Check the accuracy and reliability of accounting data

    Promote and improve operational efficiency

    Enforce adherence with management policies

    AU 319.21

    Errors in the design, maintenance or monitoring of IT controls

    IT personnel may not completely understand the IT system and how it processes transactions

    AU 319.22

    Edit routines in programs designed to identify and report transactions that exceed certain limits may be disabled or overwritten

    Planning Phase Considerations

    AU 319.30

    What IT risks can result in misstatements in financial reports?

    AU 319.31

    Do you have the necessary skills on the audit team or do you need an IT Audit specialist?

    Control Frameworks

    COSO

    Framework for enterprise internal controls (control-based approach)

    COSO-ERM

    Expands COSO framework taking a risk-based approach

    COBIT

    Framework for IT controls

    Mostly looked at through IT perspective

    Pull up a set of controls above to test a system.

    COSO Control Components

    The control environment - standards, processes and structures that provide the framework - includes the organizational structures, the ethical values of the company and expectations of rigor in performance measures.

    Risk assessment - identifying and assessing risks that could impact the achievement of objectives.

    Control activities - actions to ensure that management efforts to mitigate risk are carried out. This includes authorizations, verifications and business performance reviews.

    Information and communication - the generation of information and its dissemination both within and outside of the company.

    Monitoring activities - checks to see if internal control is working

    Components of COSO Frameworks

    COSO-ERM expands some areas of COSO (in red). For example the cocoa beans for flavouring chocolate due to internal strife, competition for bean, weather, etc.

    analyzing the risks

    implementing cost-effective measures to Avoid, Mitigate, or Transfer risks

    Risk Assessment

    Risk is assessed from two perspectives:

    Likelihood

    Probability that the event will occur

    Impact

    Estimate potential loss if event occurs

    Risk Responses (RASA)

    Reduce

    Implement effective internal control

    Accept

    Do nothing, accept likelihood and impact of risk

    Share

    Buy insurance, outsource, or hedge

    Avoid

    Do not engage in the activity

    Control Activities examples

    Audit Trail

    Personnel policies and procedures

    Separation of duties (authorizing, recording and custody)

    Physical protection of assets (inventory, document and cash controls)

    Review of operating performance

    Monitoring Internal Control Systems

    Establish a foundation for monitoring

    Tone-at-the-top

    Assignment of monitoring roles

    Baseline for ongoing monitoring and evaluation

    Design and Execution

    Prioritize risks

    Conclusions about the effectiveness of controls are supported

    Identify internal controls

    Information on the operation of key controls

    Execute effective, efficient monitoring

    Assess and report results

    Evaluate identified weaknesses or deficiencies in controls

    Report results to appropriate personnel and Board of Directors

    Follow-up if needed

    COBIT Framework (SnCeIfHaG)

    Current framework version is COBIT 5

    Based on the following principles:

    Meeting stakeholder needs

    Covering the enterprise end-to-end

    Applying a single, integrated framework

    Enabling a holistic approach

    Separating governance from management

    COBIT Principle (BrIrIpEi)

    *IT Governance Institute (*not to signify importance)

    COBIT looks at framework

    COBIT 5 Separates Governance from Management

    COBIT Domains (PoAiDsMe)

    2011 COBIT Version 5

    Control Objectives for Information and related Technology (COBIT)

    Generally accepted IT control objectives

    Focuses on execution of IT operations

    Val IT: a governance framework for IT

    Tightly integrated with COBIT

    is the susceptibility of an account balance or class of transactions to error that could be material, assuming that there were no related internal accounting controls

    Residual risk

    Is the risk that remains after management implements internal controls or some other type of risk response

    Control risk

    is the risk that error that could occur in an account balance or class of transactions and could be material, will not be prevented or detected on a timely basis by the system of internal accounting controls

    Detection risk

    is the risk that an auditor's procedures will lead him to conclude that an error in an account balance or class of transactions that could be material, does not exist when in fact such error does exist

    Types of Controls (PDC)

    Preventive controls

    Deter problems from occurring (e.g. firewall to prevent unauthorized access to network)

    Detective controls

    Alert managers when preventive control fails (e.g. variance report)

    Corrective controls

    Procedures used to solve, correct or recover from a problem (e.g. backup copies of critical data)

    If someone gets through firewall you need detective controls to tell you. You then need to fix it with corrective control.

    Examples of Control Activities

    Common control activities include:

    Good audit trail

    Sound personnel policies and practices

    Separation of duties

    Physical protection of assets

    Reviews of operating performance

    Controls examples

    Preventive

    Physical safeguard and access restriction controls (human, financial, physical and information assets)

    Authorization and Approvals

    Segregation of duties

    Business systems integrity and continuity controls (e.g. system development process, change controls, security controls, systems backup and recovery)

    Passwords and authentication

    Edit checks on key fields

    Encryption / Decryption

    Anti-virus software

    Control access to physical facilities

    Separation of Duties

    Purpose

    Structure of work assignments so one employee's work checks the work of another

    Separate related activities

    Custody of assets

    Authorizing transactions

    Recording transactions

    Risk increases if two or more of these are combined

    Physical Protection of Assets

    Establish accountability with custody documents

    Inventory controls

    Stored in safe location with limited access

    Utilization of receiving and issuance reports

    Document controls

    Protecting valuable organizational documents

    Corporate charter, major contracts, blank cheques, and TSE registration statements

    Controls examples

    No internal control unit on Corrective side (mistake)

    Discussion 9-1

    For each topic below identify preventive, detective and corrective controls:

    - Forestry (forest fires)

    Can use matrix to assist in decision making.

    Risk-Control Matrix

    For each risk, determine the controls that should mitigate the risk. Identify controls as: P - preventive, D - detective or C - corrective.

    The matrix can identify unnecessary controls or risks that are not being mitigated.
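
The risk-control matrix described above, worked through in code as an added example that is not from the course slides. Risk and control IDs and the risk wording are constructed; the control descriptions reuse examples named in these notes. Beyond the two findings the notes mention, it also lists risks that lack a preventive, detective or corrective control.

```python
# Constructed sample data (IDs and risk wording are assumptions).
RISKS = {
    "R1": "Unauthorized access to network",
    "R2": "Loss of critical data",
    "R3": "Quantity received exceeds quantity ordered",
    "R4": "Management override of approvals",
}
CONTROLS = {  # control id -> (type, description); type is P, D or C
    "C1": ("P", "Firewall"),
    "C2": ("D", "Variance report"),
    "C3": ("C", "Backup copies of critical data"),
    "C4": ("P", "Edit checks on key fields"),
    "C5": ("P", "Passwords and authentication"),
    "C6": ("D", "Review of operating performance"),
}
MATRIX = {  # risk id -> control ids claimed to mitigate it
    "R1": {"C1", "C6"},
    "R2": {"C3"},
    "R3": {"C2", "C4"},
    "R4": set(),
}


def analyse(risks, controls, matrix):
    """Return unmitigated risks, unmapped controls and P/D/C gaps per risk."""
    for risk, ids in matrix.items():
        if risk not in risks:
            raise ValueError(f"matrix row for unknown risk {risk}")
        unknown = sorted(set(ids) - set(controls))
        if unknown:
            raise ValueError(f"{risk} references unknown controls {unknown}")

    used = set().union(*matrix.values())
    type_gaps = {}
    for risk in risks:
        present = {controls[c][0] for c in matrix.get(risk, ())}
        missing = [t for t in "PDC" if t not in present]
        if present and missing:  # mitigated, but not by every control type
            type_gaps[risk] = missing
    return {
        "unmitigated": [r for r in risks if not matrix.get(r)],
        "unnecessary": sorted(set(controls) - used),  # mapped to no risk
        "type_gaps": type_gaps,
    }


def render(risks, controls, matrix):
    """Render the matrix as text: one row per risk, one column per control."""
    ids = sorted(controls)
    lines = ["     " + " ".join(ids)]
    for risk in risks:
        cells = [
            (controls[c][0] if c in matrix.get(risk, ()) else ".").ljust(len(c))
            for c in ids
        ]
        lines.append(risk.ljust(5) + " ".join(cells).rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(RISKS, CONTROLS, MATRIX))
    for finding, value in analyse(RISKS, CONTROLS, MATRIX).items():
        print(finding, value)
```

A control that maps to no risk is only a candidate for removal; it may address a risk that was left out of the matrix.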

    Exercise 9-2

    For the following flow diagram

    identify the controls (C1-C11) represented by triangles

    For each control

    Determine whether control is preventive, detective or corrective

    Determine whether control is manual or automated

    Process Controls

    Controls

    Limitations of controls:

    • Judgement

    • Breakdowns

    • Management override

    • Collusion

    • Operational expediency

    Discussion

    Identify mitigation strategies or controls for each of the control limitations:

    • Judgement

    • Breakdowns

    • Management override

    • Collusion

    • Operational expediency

    Key Terms

    Control environment

    Control objectives for information related technology (COBIT)

    Corporate governance

    Corrective controls

    Committee of Sponsoring Organizations (COSO)

    Detective controls

    Enterprise risk management (ERM)

    Expected loss

    Ideal control

    Internal control

    Operational audits

    Risk assessment

    Sarbanes-Oxley Act (SOX)

    SAS 94

    Separation of duties

    Homework Assignment

    Case Analysis:

    Case 9-19 p. 309 and

    Case 9-20 pp. 309 - 310

    Slide 10 - Computer Controls for Organizations and AISs - Chapter 10 - Page 311

    After reading this chapter you will:

    Be able to describe control objectives related to IT and understand how these objectives are achieved.

    Be able to identify enterprise-level controls and understand why they are essential for corporate governance.

    Discuss the importance of general controls for IT and why these should be considered when designing and implementing AISs.

    Be able to identify IT general security and controls issues for wireless technology, networked computers, and personal computers.

    Know what input, processing and output controls are and be familiar with specific examples of control procedures in each of these categories.

    *Computer Controls

    Three broad categories:

    Enterprise level controls focus on firm wide issues

    IT general controls apply to all information systems

    Application controls are to prevent, detect, and correct errors in processing transactions

    Enterprise-Level Controls

    Enterprise controls are those that affect the entire organization and influence the effectiveness of other controls.

    The "tone at the top"

    Additional important controls are:

    Consistent policies and procedures

    Such as formal codes of conduct and fraud prevention policies. For example, a company may require all employees to periodically sign a formal code of conduct stipulating that computer resources are to be used only for appropriate business purposes and any acts of fraud or abuse will be prosecuted. This is similar to the computer acceptable usage policies that are usually read and signed as soon as an employee joins an organization.

    Management's risk assessment process

    Centralized processing and controls

    Controls to monitor results of operations

    Canadian Public Accounting Board (CPAB) agreement of guidance issued by US - Public Company Accounting Oversight Board (PCAOB)

    We identified a number of these controls in Chapter 9: management's ethical values, philosophy, assignment of authority and responsibility, and the effectiveness of the board of directors. The CPAB agreed with this guidance and issued notice to the Canadian audit firms to be aware of these changes.

    Additional controls that are also very important include the following:

    • Consistent policies and procedures

    • Management's risk assessment process.

    • Centralized processing and controls.

    • Controls to monitor results of operations.

    • Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs.

    • The period-end financial reporting process.

    • Board-approved policies that address significant business control and risk management practices.

    Risk Assessment and Security Policies

    Key issues for developing a security policy:

    Evaluate information assets and identify threats to these assets

    Assess both internal and external threats

    Perform a risk assessment

    Determine whether information assets are under, over, or adequately protected

    Create a team for drafting security policies

    Implement the policies throughout the organization

    Develop policy compliance measures and enforce policies

    Manage the policies

    Integrated Security for the Organization

    Trend is to merge physical and logical security

    Physical measures protect firm's facilities, resources, and data stored on physical media

    Logical measures limit access to system and information to authorized individuals

    Integrated security combines physical and logical elements. Need comprehensive security policy to protect confidentiality, integrity, and availability

    Integrated Security System

    Physical Security

    Facility monitoring (e.g. surveillance, cameras, guards)

    Access controls to facilities, data centres, computers (e.g. biometrics, access cards)

    Alarm systems (fire, water, humidity, power fluctuations, burglar)

    Shred sensitive documents

    Proper storage and disposal of hard drive and electronic storage media

    Secure storage of backup copies of data and master copies of critical software

    Logical Security

    e-IDs and passwords

    System authentication

    Biometrics

    Log of logon attempts

    Application-level firewalls

    Anti-virus and anti-spyware software

    Intrusion detection systems

    Encryption for data in transit

    Smart cards

    *IT General Controls (APC)

    IT General Controls primarily ensure that:

    1. Access to program and data is granted only to authorized users

    2. Data and systems are protected from change, theft or loss

    3. Development of, and changes to, computer programs are authorized, tested, and approved before their use

    IT is trying to find the right mix above. Do we make changes that are required, authorized, tested? The person who does that can't be the one implementing.

    Access to Data, Hardware, and Software

    Limit logical access to systems through:

    Strong passwords

    8 or more characters in length... or longer

    Different types of characters (letters, numbers, symbols)

    Biometric identification

    Distinctive user physical characteristics (voice patterns, fingerprints, facial patterns, retina prints)

    Security

    Wireless

    Data encryption

    Virtual private network

    Networks

    Routing verification procedures

    Securely transmits encrypted data between sender and receiver

    Sender and receiver have the appropriate encryption and decryption keys.

    Security

    Safeguards for PCs, laptops and tablets

    Back up contents regularly

    Password protect devices

    Encrypt sensitive devices

    Anti-virus software

    Physical storage - cables and security devices

    Separation of Duties

    Separate Accounting and Information processing systems from other systems

    Separate responsibilities within IT environment

    Controls for Networks

    Control problems

    Electronic eavesdropping

    Use of computer accounts

    Each user has account and unique password

    Biometric identification adds security

    Identifying suspicious behaviour

    Protect against fraudulent employee actions

    Monitor suspicious behavior and red flags such as lavish spending

    Safeguard files from intentional and unintentional errors. (;PJ of database breaches were because of internal culprits)

    File Security Controls

    Protect files from accidental or intentional abuse:

    Ensure programs access correct files

    Back up critical files

    Make sure only authorized changes

    Identify files for processing through file labels

    Disaster Recovery

    Process and procedures to resume business following disruptive event

    Focus on essential technologies for daily operations

    Disaster Recovery Plan (DRP) should include

    Disaster recovery team

    Back up and disaster recovery sites (hot, flying-start, and cold site alternatives)

    *Availability Controls (FPLPBDrpBcp)

    Fault tolerance

    Use of redundant components

    Preventive maintenance

    Data center location and design

    Put in best possible place, not in disaster ones.

    Raised floor / Air conditioning

    Fire suppression

    Uninterruptible power supply (UPS)

    Surge protection

    Patch management and antivirus software

    Backup procedures

    Incremental backup

    Copies only items that have changed since last partial backup

    Differential backup

    Copies all changes made since last full backup

    Disaster recovery plan (DRP)

    Procedures to restore organization's IT function

    Cold site /

    Processing Data Entry Controls

    Field check

    Characters in a field are proper type

    Sign check

    Data in a field is appropriate sign (positive/negative)

    Limit check

    Tests numerical amount against a fixed value

    Range check

    Tests numerical amount against lower / upper limits

    Size check

    Input data fits into the field

    Completeness check

    Verifies that all required data is entered

    Validity check

    Compares data from transaction file to that of master file to verify existence

    Reasonableness test

    Correctness of logical relationship between two data items

    Check digit verification

    Recalculating check digit to verify data entry error has not been made
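
    The edit checks listed above, applied to one keyed accounts-payable record. This is an added example, not part of the course notes; the field names, the limits and the choice of a Luhn (mod 10) check digit on the invoice number are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

VENDOR_MASTER = {"V1001", "V1002"}   # constructed master-file keys (assumed)
MAX_AMOUNT = Decimal("50000")        # limit check: one fixed upper value
QTY_RANGE = (1, 500)                 # range check: lower / upper limits
INVOICE_NO_SIZE = 11                 # size check: width of the input field
REQUIRED = ("vendor_id", "invoice_no", "invoice_date",
            "quantity", "unit_price", "amount")

# Constructed sample record, as keyed (every field arrives as text).
GOOD = {"vendor_id": "V1001", "invoice_no": "79927398713",
        "invoice_date": "2019-07-25", "quantity": "10",
        "unit_price": "25.00", "amount": "250.00"}


def luhn_ok(number):
    """Check digit verification: recompute the mod 10 sum over all digits."""
    if not (number.isascii() and number.isdigit()) or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate(rec):
    """Return the names of the edit checks that the keyed record fails."""
    if any(not str(rec.get(f, "")).strip() for f in REQUIRED):
        return ["completeness"]      # stop here: later checks need the data
    failed = []
    qty = rec["quantity"]
    qty = int(qty) if qty.isascii() and qty.isdigit() else None
    try:
        price, amount = Decimal(rec["unit_price"]), Decimal(rec["amount"])
        if not (price.is_finite() and amount.is_finite()):
            raise InvalidOperation
    except InvalidOperation:
        price = amount = None
    if qty is None or amount is None:
        failed.append("field")       # wrong character type in a numeric field
    if len(rec["invoice_no"]) > INVOICE_NO_SIZE:
        failed.append("size")
    if not luhn_ok(rec["invoice_no"]):
        failed.append("check_digit")
    if rec["vendor_id"] not in VENDOR_MASTER:
        failed.append("validity")    # no matching record in the master file
    if amount is not None:
        if amount <= 0:
            failed.append("sign")
        if amount > MAX_AMOUNT:
            failed.append("limit")
    if qty is not None and not QTY_RANGE[0] <= qty <= QTY_RANGE[1]:
        failed.append("range")
    if None not in (qty, price, amount) and qty * price != amount:
        failed.append("reasonableness")  # quantity x price must equal amount
    return failed


if __name__ == "__main__":
    print(validate(GOOD))
    print(validate(dict(GOOD, invoice_no="79927398731")))  # digits transposed
```

    A record can fail several checks at once, so the function reports every failed check rather than stopping at the first one; only a completeness failure ends the run early.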

    Batch processing

    Sequence check

    Test of batch data in proper numerical or alphabetical sequence

    Batch totals

    Summarize numeric values for a batch of input records

    Financial total

    File labels

    Ensures correct and most updated file is used

    Recalculation of batch totals

    Crossfooting

    Verifies accuracy by comparing two alternative ways of calculating the same total

    Zero-balance tests

    For control accounts (e.g., payroll clearing)

    Write-protection mechanisms

    Protect against overwriting or erasing data

    Concurrent update controls

    Prevent error of two or more users updating the same record at the same time

    Output Controls

    User review of output

    Reconciliation

    Procedures to reconcile to control reports (e.g. general ledger A/R account reconciled to A/R subsidiary ledger)

    External data reconciliation

    Data transmission controls

    Exercise 10-1

    Accounts Payable - duplicates

    Criteria: Same vendor, invoice number, invoice date and amount

    An audit found 1M in duplicates because of weaknesses in the controls over duplicates

    For each criteria - identify a possible control weakness which would allow duplicates to happen and recommend a control improvement.

    Vendor name in master file. If there's poor control in master file you have vendors with multiple names and suddenly you've broken test for duplicates. Control is to restrict access.
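
    How inconsistent vendor names break the duplicates test, and a detective test that still catches them. This is an added example, not part of the course notes: the payment records are constructed, and the normalisation rules (dropping legal suffixes, punctuation and leading zeros) go beyond the vendor-name case in the notes and are assumptions.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Constructed payment file: (payment id, vendor name as keyed, invoice number,
# invoice date, amount). P1 and P2 are one invoice paid under two spellings.
PAYMENTS = [
    ("P1", "Acme Supplies Ltd", "INV-00123", "2019-03-01", "1500.00"),
    ("P2", "ACME Supplies Limited", "INV123", "2019-03-01", "1500.00"),
    ("P3", "Borealis Paper Inc.", "7781", "2019-03-04", "320.50"),
    ("P4", "Borealis Paper Inc.", "7781", "2019-03-04", "320.50"),
    ("P5", "Acme Supplies Ltd", "INV-00124", "2019-03-01", "1500.00"),
]
LEGAL_SUFFIXES = {"inc", "ltd", "limited", "corp", "corporation", "co"}


def norm_vendor(name):
    """Lower-case, strip punctuation and drop legal suffixes."""
    words = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)


def norm_invoice_no(number):
    """Strip punctuation and the leading zeros after any letter prefix."""
    compact = re.sub(r"[^A-Z0-9]", "", number.upper())
    return re.sub(r"^([A-Z]*)0+(?=\d)", r"\1", compact)


def find_duplicates(payments, normalise):
    """Group payments on the four criteria; return groups with 2+ payments.

    With normalise=False the key is the data exactly as keyed, which is the
    test that multiple vendor names defeat. With normalise=True the groups
    are candidates for review, not proof of a duplicate payment.
    """
    groups = defaultdict(list)
    for pay_id, vendor, inv_no, inv_date, amount in payments:
        if normalise:
            vendor, inv_no = norm_vendor(vendor), norm_invoice_no(inv_no)
        groups[(vendor, inv_no, inv_date, Decimal(amount))].append(pay_id)
    return sorted(ids for ids in groups.values() if len(ids) > 1)


if __name__ == "__main__":
    print("exact match:     ", find_duplicates(PAYMENTS, normalise=False))
    print("normalised match:", find_duplicates(PAYMENTS, normalise=True))
```

    The analytic only detects; the preventive control in the notes, restricted access to the vendor master file, is what stops the second vendor name from being created.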

    Key Terms

    Application controls

    Batch control total

    Business continuity planning (BCP)

    Cold /

    Input controls

    Integrated security

    IT general control

    Output controls

    Physical security

    Processing controls

    Security policies

    Uninterrupted power supply (UPS)

    Validity test

    Virtual private network (VPN)

    Homework Assignment

    Case analysis 1&-"1 pp' %(% %((

    1. Identify and briefly explain the problems The Big Corporation could experience with respect to the confidentiality of information and records in the new system.

    There doesn't seem to be any confidentiality as not only stores and warehouses can access the information system but also laptops and handhelds. While for the former there may be restrictions for some personnel it's not the case for all of them. This means if they ever lose access to their devices or someone else was to use them they could access confidential information. Furthermore remote terminals could allow access to confidential data by unauthorized personnel. The restrictions themselves are upon certain reports which means of everything listed such as company records, personnel information, etc, etc there could be a lot of sensitive information available to anyone who can access the system.

    2. Recommend measures The Big Corporation could incorporate into the new system that would ensure the confidentiality of information and records in this new system.

    There needs to be a mix of physical and logical securities within the new system to ensure confidentiality of information and records. Physical securities such as facility monitoring such as surveillance and guards and access controls such as access cards would make the remote terminals a lot more secure. Likewise logical security such as e-IDs and passwords along with system authentication could make accessing the system with laptops and handhelds much more secure. Additionally a log of who's accessing the confidential information is important as it can hold people accountable in case of a breach of security. It could also indicate there were attempts to access confidential information if there were too many log on attempts. There also needs to be policies in place such as time restrictions on access to the system so that in the event someone does sneak onto the system they don't have a lot of time to go through the confidential information.

    3. What safeguards can The Big Corporation develop to provide physical security for its (a) computer equipment, (b) data, and (c) data processing centre facilitiesuantities

    Employees in collusion with vendors, customers, or third parties

    • Payment of inflated or fictitious invoices

    • Issuance of inflated or fictitious credit notes

    • Invoices for goods not received or services not performed

    • Preferred pricing or delivery

    • Contract bid rigging

    • Theft or use of customer lists and proprietary information

    Sometimes the controls are such that collusion is required.

    Examples of asset misappropriation by employees in collusion with vendors or customers include:

    • Fictitious credit notes

    • Preferred pricing or payment terms

    • Contract bid rigging

    • Theft of third party information

    Why do these require collusion? - how does the fraudster benefit?

    What could you do to rig the contract bidding process? - date/amount

    What could you do to create preferred pricing or payment terms?

    What is the advantage to you? ***

    Vendors

    • Inflated or fictitious invoices

    • Short shipments or substitution of lower quality goods

    • Invoices for goods not received or services not performed

    Customers

    • False claims for damaged or returned goods or short shipments

    But not all frauds are committed by employees. Vendors and customers can be the perpetrator of fraud without any involvement of employees:

    fictitious invoices

    inferior goods

    false claims or damaged goods or short shipments

    Example - sale of printer cartridges - free or lowest price

    What did this scheme rely on?

    no authority required - low dollar item

    rush at year end to spend

    lots of invoices at year-end

    personal greed - get something for nothing

    desire to save govt money

    Corruption

    • Bribery of

    • Companies

    • Private individuals

    • Public officials

    • Receipt of kickbacks, bribes, gratuities

    • Aiding and abetting of fraud by others

    Corruption includes:

    • Bribery and gratuities to Companies, Private individuals or Public officials

    • Receipt of bribes, kickbacks, and gratuities.

    • Aiding and abetting fraud by other parties (e.g., customers, vendors).

    When and why might this occur?

    What about payments to ensure that your permit gets approved?

    Canadian Foreign Anti-Corruption Law was amended in June 2013 to have new provisions which significantly increase penalties for and the scope of individual and corporate liability for bribery of foreign public officials. The amended Corruption of Foreign Public Officials Act introduces a form of "books and records" offence in relation to falsifying books and records for the purpose of bribing a foreign public official.

    Whereas "facilitation payments" were permitted under the previous law, this exception is now subject to elimination by an Order of Cabinet to be made at a future date to be determined. Facilitation payments are payments made to expedite or secure performance by a foreign public official of an act of a routine nature, such as issuing a permit, processing official documents or provisioning public services, such as power supply or police protection.

    Financial Statement Fraud

    Intentional manipulation of financial statement to:

    • Misstated Revenue

    • Inappropriately reported expenses

    • Masked disclosures

    • Concealment of acquisitions

    • Inappropriate balance sheet amounts

    Executives cook the books, as they say, by fictitiously inflating revenues, recognizing revenues before they are earned, closing the books early (delaying current period expenses to a later period), overstating inventories or fixed assets, and concealing losses and liabilities.

    The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting:

    Establish an organizational environment that contributes to the integrity of the financial reporting process. (Tone-at-the-Top)

    Identify and understand the factors that lead to fraudulent financial reporting.

    Assess the risk of fraudulent financial reporting within the company.

    Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented.

    Do you know of any examples of this happening in recent years??????

    Enron, WorldCom,

    Why did these happen? - shareholder earnings/expectations

    SAS 99

    Consideration of Fraud in Financial Statement Audit

    Understand Fraud

    Discuss risk of material fraudulent misstatements

    Obtain information

    Identify, assess, and respond to risks

    Evaluate results of audit tests

    Document and communicate findings

    Incorporate a technology focus

    SAS 99 - Consideration of Fraud in Financial Statement Audit

    Computer fraud - SAS 99 requires auditors to:

    Understand Fraud

    Discuss risk of material fraudulent misstatements

    Obtain information

    Identify, assess, and respond to risks

    Evaluate results of audit tests

    Document and communicate findings

    But SAS 99 also requires audits to incorporate a technology focus - auditors have to use technology to define fraud-auditing and IT auditing procedures.

    This is expanded in SAS 94 which we will cover in chapter 9.

    Risk Examples

    SAS 99 defines various risk factors and can be used when assessing the risk of fraudulent financial reporting and other fraudulent acts. In particular, it outlines risk factors, including:

    Management Environment

    • Are financial targets too ambitious and the consequences of failure high? (Enron)

    • Are performance measures unrealistic - e.g. increase market share by 10% every quarter or increase shareholder value by 20% every year.

    • Management style - not willing to accept failure.

    These types of pressures can increase the risk that an employee will overstate performance to achieve targets.

    Types of analysis suggested include: reviewing production figures for accuracy; review next period - after bonuses have been awarded - and look for returns. ????? Others ?????

    Competitive Industry - with rapidly changing technology (Nortel, BB) can lead to inventory becoming obsolete - and if not re-evaluated - lead to overstatement on the financial report. Check for data and impact of last inventory evaluation. Look at inventory turnover. ? Others ?

    Employee Relationships - hiring of family member or giving contracts to relatives. One test is to match employee and vendor address (problems with this approach? How could you improve it?) You can also compare trends across years - totals by contracting officer - vendor - look at sudden increases or decreases. ?? Others ??

    Attractive Assets - if your company has attractive/easily transportable items (hi-tech) - then you are at risk. Test inventory controls and look at trends in reorder quantity. ?? Others ??

    Internal Controls

    • New organization structures and systems - the previous manual system may have had mitigating controls; often it is assumed that new computer systems will contain all the necessary controls - but sometimes these aren't even turned on. Therefore, you should test key controls. ??? Others ????

    Business Reengineering

    • Re-organization - particularly downsizing - can lead to issues around separation of duties ??? Others ????

    Too much Trust

    • insufficient monitoring and few audits - particularly in purchasing. Even companies that have ERP systems often don't initiate three-way matching. ??? Others ????

    Examining these risk factors can help you complete a Fraud Risk Assessment of different areas of the company.

    Computer Crime, Fraud, Ethics and Privacy - Chapter 11B - 2

    Developing a Fraud Investigation Plan

    All the time with fraud:

    Define objectives of investigation

    Define the indicators of fraud

    Identify the required data sources and analysis techniques

    Obtain and safeguard the required data

    Test the integrity and completeness of the data

    Perform analysis

    Challenge your assumptions and verify to source documents

    When fraud is suspected you need to enhance the fraud monitoring plan and develop a more detailed fraud investigation plan

    why are you performing the analysis and what are you looking for - including stating the possible symptoms of the fraud

    specifies the required data - single year or several; one business unit or more; also describes the expected results.

    determines the data source and which fields are required; data owners and programmers

    determine the best methods for obtaining the data; file formats; transfer mechanisms; and how you will safeguard the data

    Assesses the integrity and completeness of the data

    outlines the tests to be performed, the follow up analyses.

    When performing the analysis, it is important to drill down into the data - challenging the assumptions and results. In cases of suspected fraud, the auditor must verify to source or compare with other sources.

    The Fraud Plan is a living document - does not constrain your analyses, but provides a structure and a purpose.

    Important to get sign off, you may want to confer with the corporate lawyer

    Discussion 11-2

    You have been informed that someone in A/R has changed the system parameters so customers can have an outstanding balance that is more than their credit limit.

    Develop a fraud detection plan to determine if this is happening. Answer the following:

    What is the objective of the analysis?

    What are the expected results if controls are working?

    What is the source of the data and required fields?

    What analysis will be performed?

    If the controls are not working - what additional analysis should be performed and why?

    *Identical Question on Finals

    Fraud Risk: Rumors that someone in A/R has changed the system parameters such that customers can have an outstanding balance that is more than their credit limit. In groups - develop a fraud monitoring/detection plan by answering

    What is the purpose of the analysis? to verify the balances on customer accounts.

    What are the expected results? the outstanding balance should be less than 110% of the customer's credit limit

    What is the source of the data? the A/R file for outstanding amounts; the customer file for credit limits

    What analysis will be performed? calculate outstanding balance for each customer and compare this with the credit limit and highlight cases where the balance is more than 110% of the limit

    What's next? The results of the analysis will be verified to the customer file and further analysis will be performed to look at sales by salesman for the problem accounts to see if there are trends.

    Why? - fake customers to meet sales quota.

    What else? - someone is stealing the A/R - confirm balances with customers.

    ******************** 10 minutes ************************************

    Objective: Verify that Controls to ensure O/s Bal < 10% Limit are working

    Expectations if Controls are working: No customer has Bal > 10% limit

    Source of Data

    We need customer number for the foreign key and the purchases and the payments

    Doing it within a certain time period then within the current period

    We also need customer master file, the limit and customer number and also limit

    Analysis: By customers no and calculate o/s Bal Q

    What else? IT control should refuse purchases at a certain time. Look at root cause that caused the control to break

    It could also be someone in receiving raising the customer's limit. Customer pays back but the person steals 200 out of the 1000
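
    The analysis step of the fraud detection plan above, using the 110% threshold from the notes. This is an added example, not part of the course notes: both files are constructed, and the record layouts (including the salesperson held on the customer file) are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed customer file: customer_no -> (credit limit, salesperson).
CUSTOMER_FILE = {
    "C001": (Decimal("5000"), "S01"),
    "C002": (Decimal("2000"), "S02"),
    "C003": (Decimal("1000"), "S02"),
    "C004": (Decimal("3000"), "S01"),
}
# Constructed A/R file: (customer_no, transaction type, amount).
AR_FILE = [
    ("C001", "purchase", "4000.00"), ("C001", "payment", "1500.00"),
    ("C002", "purchase", "1800.00"), ("C002", "purchase", "900.00"),
    ("C003", "purchase", "1050.00"),
    ("C004", "purchase", "2500.00"), ("C004", "payment", "2500.00"),
    ("C999", "purchase", "700.00"),   # customer missing from the master
]
THRESHOLD = Decimal("1.10")           # 110% of the credit limit


def outstanding_balances(ar_rows):
    """Purchases less payments, per customer number."""
    balances = defaultdict(Decimal)
    for customer_no, kind, amount in ar_rows:
        if kind not in ("purchase", "payment"):
            raise ValueError(f"unexpected transaction type: {kind!r}")
        signed = Decimal(amount) if kind == "purchase" else -Decimal(amount)
        balances[customer_no] += signed
    return dict(balances)


def unmatched_customers(balances, customer_file):
    """Integrity test: A/R customers with no record in the customer file."""
    return sorted(c for c in balances if c not in customer_file)


def over_limit(balances, customer_file, threshold=THRESHOLD):
    """Customers whose balance is more than threshold x credit limit."""
    hits = []
    for customer_no in sorted(balances):
        if customer_no not in customer_file:
            continue                  # reported by unmatched_customers()
        limit, salesperson = customer_file[customer_no]
        if balances[customer_no] > limit * threshold:
            hits.append((customer_no, balances[customer_no], limit, salesperson))
    return hits


def hits_by_salesperson(hits):
    """Follow-up: count problem accounts per salesperson to look for trends."""
    counts = defaultdict(int)
    for _, _, _, salesperson in hits:
        counts[salesperson] += 1
    return dict(counts)


if __name__ == "__main__":
    bal = outstanding_balances(AR_FILE)
    print("not in customer file:", unmatched_customers(bal, CUSTOMER_FILE))
    flagged = over_limit(bal, CUSTOMER_FILE)
    print("over 110% of limit:  ", flagged)
    print("by salesperson:      ", hits_by_salesperson(flagged))
```

    If the control is working, `over_limit` returns an empty list; any customer it does return is verified to the customer file and confirmed with the customer, as the plan says.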

    Identity Theft

    The minimum information required to impersonate someone is simply their name, but access to the following can cause real damage:

    Full name

    Date of birth

    Social Insurance Number

    Full address

    Mother's maiden name

    User name / Passwords to websites

    Your identity can be stolen simply by someone using your name (for example, at a party - someone gives the person they have been talking to - and don't want to see again - your name and number).

    Divert your mail

    Use identity to obtain a false health care card or passport.

    Discussion 11-3

    In groups:

    Describe five methods a fraudster could use to obtain your identity.

    Describe a mitigation strategy or control for each.

    Describe five methods a fraudster could obtain your identity

    Dumpster diving - bank / credit card statements, phone / water / hydro bills

    Steal letters from your mailbox

    Pick your pocket

    Job offers (online or in newspapers) - require resume and personal info

    Skimming cards - swiping device to capture card details

    Internet

    Phishing - directed email asking you to verify account info

    Identity theft

    Intrusion testing

    Privacy policy

    Social engineering

    Slide 11 - Information Technology Auditing - Chapter 12 Page

    Homework

    &ase ;.6 5

    General use software - Excel and Access

    Generalized audit software - ACL

    Statistics, duplicates, sort, summarize

    Automated workpapers

    Generate trial balances

    Make adjusting entries

    Perform consolidations

    Conduct analytical procedures

    Facilitate consistency across team members

    Facilitate timely review and workflow

    Document audit procedures and conclusions

    Computer-Assisted Audit Techniques

    Three broad categories of computer-assisted techniques to test controls:

    Auditing around the computer

    Auditing with the computer

    Auditing through the computer

    Auditing Around the Computer

    Take a sample of transactions being entered into the system

    Calculate the expected results

    Compare to system output

    Auditing With the Computer

    Computer-assisted audit techniques

    Generalized Audit Software (GAS) - such as ACL

    Specialized packages

    SQL

    Direct access to tables or system extracts

    Run analysis routines to test key controls

    Auditing Through the Computer

    Test processing steps, programming logic, edit routine and controls

    Techniques include:

    Test deck or test data

    Integrated test facility (ITF)

    Parallel simulation

    Test of program change controls

    Program comparison

    Review of Systems Software

    System software controls:

    1. Operating system software

    2. Utility programs - sorting and copying

    3. Program libraries - controls and monitor storage of programs

    4. Access control software - controls access to programs and data files

    Continuous Auditing

    Real-time assurance

    Embedded audit modules

    Exception reporting

    Transaction tagging

    Snapshot technique

    Continuous and intermittent simulation

    Risk-Based Framework

    Steps to determine where and what to audit:

    Identify fraud and errors (threats) that can occur that affect each objective and assess the probability and impact of the risk occurring

    Identify control procedures (prevent, detect, correct the risks/threats)

    Evaluate control procedures to determine if control exists and is working as intended and check for compensating controls

    Determine effect of control weaknesses and identify and recommend control procedures that should be in place

    Major Steps in the Auditing Process

    1. Audit planning

    Why, how, when, and who

    Establish scope and objectives of the audit; identify risk

    2. Collection of audit evidence

    3. Evaluation of evidence

    4. Communication of results

    Audit Process

    Audit Planning Activities

    Project Initiation

    Project assignment

    Project announcement

    Opening meetings

    Risk Assessment

    Conduct initial research

    Develop an understanding of the objectives of the area being audited

    Identify risks to the area's objectives

    Determine area of audit focus

    Audit Objectives and Scope

    Objectives - broad statements developed to define the audit's intended accomplishment.

    Scope - answers the question what will be audited. It delineates the boundaries of the audit.

    Audit Program

    Outlines the work to be performed during the audit

    Includes:

    Criteria - What should be

    Methodology and Approach

    Time and Resource Estimates

    Skill set of auditors, training, travel, locations, etc

    Audit Conduct Activities

    Pilot Sites

    To validate the plans approach

    Entry Meetings

    To introduce the audit and the team

    Gather Evidence

    Standards of Evidence

    Types of Evidence

    Methods of Gathering Evidence

    Reliance on work of others

    Briefings or Exit Meetings

    No surprises approach

    Findings

    Criteria – what should be

    Condition – what is

    Cause – why did it happen

    Effect – so what

    Recommendation – what should be done

    Findings are tracked on finding sheets

    Findings are used to develop conclusions for each objective

    Develop Working Papers

    All supporting documentation to conclusions and results

    Standard index used

    Supervisory Review

    Validation of evidence

    Initial Quality Assurance

    Audit Reporting Activities

    Closing Conferences

    No surprises approach

    Ensure we are aware of all relevant evidence

    Buy-in

    Drafting Reports

    Validate facts

    Solicit a management action plan

    Assess management action plan

    Communicate audit results

    Management Response

    Client responses to recommendations

    Presentation to Audit Committee

    Provide copy of report for recommendation for approval

    Final Reports

    Communications - reports, briefing notes, etc.

    Publish Reports

    Vetted (ATI) and translated

    Transparency

    Follow-up Activities

    Audit Consistency

    Information Systems Audit

    IT audit objectives:

    1. Protect overall system security (e.g. computer equipment, programs, and data)

    2. Accurate and complete processing of transactions, records, files, and reports

    3. Prevent, detect, or correct inaccurate or unauthorized source data

    4. Accurate, complete, and confidential data files

    5. Program development, acquisition and modifications properly planned and authorized

    Overall System Security

    Control Procedures

    Information security plan

    Limiting physical and logical access to equipment and systems

    Data storage and transmission controls

    Anti-virus software and procedures and firewalls

    Fault tolerant design, file backup and recovery, and disaster recovery

    Preventive maintenance

    Insurance – casualty and business interruption

    Control Tests

    Review information security and disaster recovery plans and results of tests

    Review and verify policies and procedures

    Physical and logical access

    File backup and recovery

    Data storage and transmission

    Verify use of firewalls and virus protection software and procedures

    Verify effectiveness of data encryption and data transmission controls

    Verify monitoring and effective use of system logs

    Computer Processing

    Control Procedures

    Data editing routines

    Reconciliation and batch totals

    Error correction procedures

    Operating documentation and manuals

    Data Files

    Control Procedures

    Storage – secure physical and logical access

    Write protection and update controls

    Encryption for confidential data

    Off-site backup

    Checkpoint and rollback procedures

    Control Tests

    Review physical and logical access controls

    Verify preparation and off-site storage

    Reconcile master file with control totals

    Verify encryption and file handling procedures
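
    The batch-total control under Computer Processing and the control-total reconciliation test under Data Files can be carried out as below. This is an added example, not part of the course notes: the record layout, the sample batches and the hash total on account numbers are assumptions made for illustration.

```python
from decimal import Decimal

CONTROLS = ("record_count", "amount_total", "hash_total")


def compute_totals(records):
    """Recompute the three batch controls from the records actually present."""
    return {
        "record_count": len(records),
        "amount_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: a sum with no business meaning, used only to detect change.
        "hash_total": sum(int(r["account"]) for r in records),
    }


def reconcile(control, records):
    """Return (control name, expected, actual) for every total that disagrees."""
    actual = compute_totals(records)
    return [(c, control[c], actual[c]) for c in CONTROLS if control[c] != actual[c]]


# Constructed sample data: totals recorded when the batch was prepared.
CONTROL = {"record_count": 4, "amount_total": Decimal("1850.75"), "hash_total": 4010}

PREPARED = [
    {"account": "1001", "amount": "500.00"},
    {"account": "1002", "amount": "250.25"},
    {"account": "1003", "amount": "1000.00"},
    {"account": "1004", "amount": "100.50"},
]

# Same amounts, but the second record was posted to account 1020, not 1002.
MISPOSTED = [dict(r) for r in PREPARED]
MISPOSTED[1]["account"] = "1020"

# Last record lost between preparation and the master file update.
DROPPED = PREPARED[:3]

if __name__ == "__main__":
    for label, batch in (("prepared", PREPARED), ("misposted", MISPOSTED),
                         ("dropped", DROPPED)):
        print(label, reconcile(CONTROL, batch) or "reconciles")
```

    The misposted batch agrees on record count and amount and is caught only by the hash total, which is why a financial total alone is a weak reconciliation.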

    Program Acquisition, Development and Maintenance

    Control Procedures

    License agreements and management authorization for program development and acquisition

    Testing and user acceptance procedures

    System documentation

    Management authorization for program modification

    Change – documentation / separation of duties

    Logical access controls

    Control Tests

    Verify license agreements and test for management authorization for program development and acquisition

    Review system development documentation

    Test system authorization and approvals

    Review test specifications, decks, results and user acceptance results

    Verify logical access and separation of duties

    Verify program modification approval procedures, testing and user acceptance

    Network Communication and Security Controls

    Sensitive information in the network should be protected

    The critical network devices such as routers, switches and modems protected from physical damage and configuration and inventories maintained

    Changes to network configuration authorized, documented and a threat risk assessment reviewed after any changes.

    The network operation monitored for any security irregularity and formal procedures in place for identifying and resolving security problems.

    Physical access to communications and network sites controlled and restricted and communication and network systems controlled and restricted to authorized individuals.

    Network diagnostic tools, e.g., spectrum analyzer, protocol analyzer used on a need basis.

    Firewalls to isolate an organisation's data network from any external network and to limit network connectivity from unauthorised use.

    All firewalls subjected to thorough test for vulnerability prior to being put to use and regularly thereafter.

    The internal network of the organization physically and logically isolated from the Internet and any other external connection.

    All web servers for access by Internet users isolated from other data and host servers and procedures established for allowing connectivity of the computer network or computer system to any outside system or network

    Networks that operate at varying security levels isolated from each other

    The suitability of new hardware/software assessed before connecting the same to the organization's network.

    Network should be monitored and appropriate follow up of any unusual activity or pattern of access should be investigated promptly

    Secure Network Management Systems should be implemented to monitor functioning of the computer network.

    The system must include a mechanism (e.g., intrusion detection system) for alerting the Network Administrator of possible breaches in security, e.g., unauthorised access, virus infection and hacking.

    Only authorized and legal software should be used

    Typical IT Audit Documentation

    Planning and preparation of the audit scope and objectives

    Description and/or walkthroughs on the scoped audit area

    Audit program

    Audit steps performed and audit evidence gathered

    Whether services of other auditors and experts were used and their contributions

    Audit findings, conclusions and recommendations

    Management response

    Audit documentation relation with document identification and dates (your cross-reference of evidence to audit step)

    Draft and final copies of report issued

    Evidence of audit supervisory review

    IT Audit

    Risks

    Objective

    Scope

    Audit program

    Data collection and analysis

    What

    3. Processing integrity – complete, timely and accurate

    4. Confidentiality / online privacy – protection of personal information

    5. Protection of information designated as secret or confidential

    Each of the principles and criteria are organized and presented in four broad areas:

    Policies

    The entity has defined and documented its policies relevant to the particular principle.

    Communications

    The entity has communicated its defined policies to authorized users.

    Procedures

    The entity uses procedures to achieve its objectives in accordance with its defined policies.

    Monitoring

    The entity monitors the system and takes action to maintain compliance with its defined policies

    Exercise ;@;

    Key Terms

    Auditing – around, through and with the computer

    Automated working papers

    CA WebTrust

    Computer assisted audit techniques (CAATs)

    Fraud triangle

    General use software

    General audit software (GAS)

    Information system risk assessment

    IT auditing

    Parallel simulation

    Program change control

    Risk-based audit

    Test data

    Third party assurance services

    Trust services

    Slide 11 - Developing and Implementing Effective AISs - Chapter 13

    Homework

    Case P.7 –

    Poor planning can lead to:

    Systems that do not meet users' needs – causes frustration, resistance and even sabotage

    Systems that are not flexible enough to meet business requirements and are ultimately scrapped

    Cost overruns

    Time delays to complete project

    Systems addressing the wrong problems

    No top management approval or support for new systems

    Systems that are difficult and costly to maintain

    System Analysis

    Examine system in depth

    General system goals

    Top management systems goals

    Operating management goals

    Data gathering

    Review existing documentation – flowcharts, dictionaries, process maps, procedure manuals, chart of accounts, etc.

    Observe current system in operation

    Use questionnaires and surveys

    Review internal control procedures

    Interview system participants – users, managers and operations

    System Feasibility Evaluation

    Comparison of alternative proposals

    1. Technical feasibility – hardware, software, interfaces

    2. Operational feasibility – compatibility with current operating environment

    3. Schedule feasibility – time to implementation

    4. Legal feasibility – complies with laws and regulations such as financial reporting requirements and contractual obligations

    5. Economic feasibility – anticipated benefits and projected costs

    Detailed System Design

    Processes to be performed in revised system (what and by whom)

    Data elements – name, size, format, source, importance

    Data structure – how data elements will be organized into logical records

    Inputs – descriptions of content, source, and responsibilities

    Outputs – description of purpose, frequency and distribution

    Documentation – descriptions of system and subsystems

    Constraints – description

    Controls – to reduce risk of errors and irregularities in the input, processing and output stages

    Reorganizations – changes to business functions, staffing levels or responsibilities

    Make-or-Buy

    RFP Evaluation – consider each of the proposed systems:

    Performance capability

    Cost / Benefit

    Maintainability

    Compatibility with existing systems

    Vendor support

    Training of employees and systems personnel

    Testing and Implementation support

    Maintenance

    Backup systems

    User support – availability, language

    System Implementation

    Physical site

    Functional changes

    Select and assign personnel

    Train personnel

    Acquire and install computer equipment

    Establish internal controls

    Convert data files

    Acquire computer software

    Test computer software

    Convert to new system – direct, parallel, or modular

    Follow-up and Maintenance

    Post-Implementation Review

    Top management and operating management satisfaction

    User satisfaction

    Evaluate control procedures – functioning properly

    Observation – efficiency and effectiveness

    Evaluate computer processing functions – data capture, preparation and processing – for efficiency and effectiveness

    Output – meeting management and regulatory requirements

    System Change Management

    System Change Phases

    Key Terms

    Change management

    Conversion: direct, parallel, or modular

    Critical path

    Feasibility evaluation: technical, operational, schedule, economic, and legal

    Make-or-buy decisions

    RFP evaluation

    Scope creep

    Structured design

    System maintenance

    Systems analysis

    Systems development life cycle (SDLC)

    Systems implementation

    Turnkey system

    What-if analysis

    Slide 11 - Accounting on the Internet - Accounting and Enterprise Software - Chapters 14 and 15

    Learning Objectives

    After reading these chapters you will:

    Understand basic Internet concepts: TCP/IP, URL, web page addresses

    Appreciate why electronic communication is useful to accountants

    Know why XBRL is important to financial reporting and EDI is important to AISs

    Understand some examples of cloud computing and the difference between business-to-consumer and B2B e-commerce

    Appreciate privacy and security issues

    Know why businesses use firewalls, proxy servers and encryption and understand digital signatures and time-stamping techniques

    Understand the differences among various types of accounting and enterprise software

    Be able to explain how the various functions work in ERPs and understand the architecture and use of a centralized database in ERPs

    Be able to describe the relationship between business process re-engineering and ERP implementation

    Recognize when an organization needs a new AIS and the process to select an ERP

    Internet Basic Concepts

    URL – Uniform resource allocator (domain address)

    IP Address – internet protocol address

    7G.697.686.G.G. (geographic/organisation/computer group/computer)

    TCP/IP – transmission control protocol/internet protocol is the basic communication language or protocol of the Internet.

    Intranet – communication network internal to a company

    Extranet – enable selected outside users to access corporate intranets

    XML and XBRL

    XML – Extensible markup language

    Supports general financial reporting and the exchange of financial information between trading partners

    User can define own tags (extensible)

    XML tags actually describe the data rather than simply indicate how to display it.

    XBRL – Extensible Business Reporting Language

    Standardized tags for describing financial information in documents (subset of XML)

    XBRL-enabled software will automatically insert XBRL tags in financial files

    XBRL

    Advantages

    Ability to transfer financial information in a standard format – facilitates communications between suppliers, buyers, shippers

    Standardized financial filing (SEC required; CSA optional)

    Uniquely defines the data – even if reported in several places always has same tags

    Express relationships as formulas (assets = liabilities + equity)

    Exchange of information across platforms and technologies

    Disadvantages

    Requires users to learn and conform to standards

    Requires user to conform to changing specifications

    No requirement for auditors to provide assurance on XBRL filings

    Internet and Business

    E-business

    Goes beyond e-commerce and deep into the processes and cultures of an enterprise. Includes: email, soliciting vendor bids, e-payments, electronic exchange of data, and a host of cloud-computing services

    E-commerce

    Buying and selling of goods and services electronically between businesses, business and government, business and customer

    Electronic Business

    Electronic Data Interchange (EDI)

    Transmission of information over high-speed data communications channels e.g. RFPs, purchase orders, bills of lading, freight bills, sales invoices, payment remittance forms

    E-Payment

    Paying for goods or services electronically (e.g. PayPal)

    E-Wallets

    Software application (customer – vendor) to store consumers' info (e.g. credit card numbers)

    E-Commerce

    Definition:

    A type of business model, or segment of a larger business model, that enables a firm or individual to conduct business over an electronic network, typically the internet.

    Attributes:

    Virtual stores (websites) selling directly to customers

    Allows customers to create own order forms, shipping labels, and payment documents

    Discussion

    E-commerce creates opportunities and risks.

    What are three risks to a retailer?

    What are three risks to customers?

    Business-to-Business (B2B)

    Businesses buying and selling goods and services to each other over the Internet

    Shortens time from purchase to delivery

    Purchase from vendors around the world

    Expedite internal paperwork

    Real-time data

    GPS tracking – status and delivery times

    Cloud Computing

    Purchase of computing services over the Internet

    Processing services

    Software (SaaS) e.g. tax preparation

    Web hosting (PaaS)

    Backup services

    Educational service

    Business phone services

    Payroll services

    Advantages

    Access to specialized expertise

    Cost savings – only pay for services consumed

    Speed

    Avoid peak loading problems

    Virtual remote backup

    Pay as you go

    Security on the Internet

    Firewalls

    Guards against unauthorized access to company computers.

    Inclusion – access control list (ACL) of accepted IP addresses

    Exclusion – rejects messages from known threat addresses

    Denial of Service (DoS) attacks – overwhelm system resources

    Spoofing – masquerading as an authorized user
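
    The difference between the inclusion and exclusion approaches shows up with a source address that is on neither list. The sketch below is an added example, not part of the course notes; the rule sets, function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed rule sets using documentation address ranges (RFC 5737).
ACCEPTED = ["192.0.2.0/24", "198.51.100.17/32"]   # inclusion: the ACL
KNOWN_THREATS = ["203.0.113.0/24"]                # exclusion: known threat addresses


def _on_list(source_ip, cidrs):
    """True if source_ip parses and falls inside any listed network."""
    ip = ipaddress.ip_address(source_ip)          # raises ValueError if malformed
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def inclusion_filter(source_ip, accepted=ACCEPTED):
    """Default deny: accept only sources that appear on the ACL."""
    try:
        return "accept" if _on_list(source_ip, accepted) else "reject"
    except ValueError:
        return "reject"                           # unparseable source fails closed


def exclusion_filter(source_ip, threats=KNOWN_THREATS):
    """Default allow: reject only sources on the known-threat list."""
    try:
        return "reject" if _on_list(source_ip, threats) else "accept"
    except ValueError:
        return "reject"                           # unparseable source fails closed


def compare(sources):
    """Map each source to its (inclusion, exclusion) decision."""
    return {s: (inclusion_filter(s), exclusion_filter(s)) for s in sources}


if __name__ == "__main__":
    # Constructed traffic: on the ACL, on the threat list, on neither, malformed.
    sample = ["192.0.2.44", "203.0.113.9", "198.51.100.200", "not-an-ip"]
    for src, (inc, exc) in compare(sample).items():
        print(f"{src:16} inclusion={inc:7} exclusion={exc}")
```

    Both filters decide on the claimed source address alone; neither verifies that the sender is who the address says, which is the masquerading the notes call spoofing.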

    Secret key cryptography – single key shared by two communicating parties

    Public key encryption – requires each party to use a pair of public/private encryption keys

    Sending party uses public key to encrypt message

    Receiving party uses second key to decode the message

    Digital Signature / Digital Certificate

    Encoded 'signatures' or 'certificates' e.g. VeriSign

    Digital Time-Stamping

    Time and date of transmission, filing or data entry

    Integrated Accounting Software

    Processes all types of accounting transactions through entire accounting process: general and special journals, such as sales and purchases, as well as inventory and payroll - may also include job costing, purchasing, invoicing, and fixed assets

    Small and Medium Enterprises

    Commercial accounting software packages

    Midrange and Large scale accounting software

    e.g. Sage – MAS90 and Microsoft Dynamics GP

    Process transactions in multiple currencies

    Specialized AISs

    e.g. for dental or medical offices, schools, and niche businesses

    Enterprise-Wide Information Systems

    Key features – integration and central database

    Integration includes:

    Accounting

    Finance

    Supply chain

    Strategic planning

    Customer relationship

    Advantages of ERP System

    Improved flow of the information - stored in a centralized database and can be accessed by all areas of the organization (i.e., Sales enters data about a customer and the info automatically is available to Accounting for invoicing)

    Data captured once - resolves data redundancy and integrity problems

    Improve access control of the data through security settings

    Improve decision making - standardization of procedures and reports

    Global and supply chain integration

    Reduce inventory investment; improved asset management

    Disadvantages of ERP System