
Chapter 14-1. Chapter 14-2 Chapter 14: Information Technology Auditing Introduction The Audit Function The IT Auditor’s Toolkit Auditing Computerized


Chapter 14: Information Technology Auditing

Introduction

The Audit Function

The IT Auditor’s Toolkit

Auditing Computerized AIS

IT Auditing Today


Introduction

Audits of AISs
- Ensure controls are functioning properly
- Confirm additional controls not necessary

Nature of Auditing
- Internal and external auditing
- IT audit and financial audit
- Tools of an IT auditor


The Audit Function

Internal versus External Auditing

Information Technology Auditing

Evaluating the Effectiveness of Information Systems Controls


Internal Auditing

Responsibility of Performance
- Company’s own employees
- External to the department being audited

Audit Purpose
- Employee compliance with policies and procedures
- Development and evaluation of internal controls


External Auditing

Responsibility of Performance
- Those outside the organization
- Accountants working for independent CPA

Audit Purpose
- Performance of the attest function
- Evaluate the accuracy and fairness of the financial statements relative to GAAP


Information Technology Auditing

Function
- Evaluate computer’s role in achieving audit and control objectives

Assurance Provided
- Data and information are reliable, confidential, secure, and available
- Safeguarding assets, data integrity, and operational effectiveness


The Components of an IT Audit


The IT Audit Process

Computer-Assisted Audit Techniques (CAAT)
- Use of computer processes to perform audit functions
- Performing substantive tests

Approaches
- Auditing through the computer
- Auditing with the computer


The IT Audit Process


Careers in IT Auditing

Background
- Accounting skills
- Information systems or computer science skills

Certified Information Systems Auditor (CISA)
- Successfully complete examination
- Experience requirements
- Comply with Code of Professional Ethics
- Continuing professional education
- Comply with standards


CISA Exam Components


Careers in IT Auditing

Certified Information Security Manager (CISM)
- Business orientation
- Understand risk management and security

CISM Knowledge
- Information security governance
- Information security program management
- Risk management
- Information security management
- Response management


Evaluating the Effectiveness of Information Systems Controls

Impact on Substantive Testing
- Strong controls, less substantive testing
- Weak controls, more substantive testing

Risk Assessment
- Evaluate the risks associated with control weaknesses
- Make recommendations to improve controls


Risk Assessment

Risk-Based Audit Approach
- Determine the threats
- Identify the control procedures needed
- Evaluate the current control procedures
- Evaluate the weaknesses within the AIS

Benefits
- Understanding of errors and irregularities
- Sound basis for recommendations


Information Systems Risk Assessment

Method of evaluating desirability of IT controls

Types of Risks
- Loss of company secrets
- Unauthorized manipulation of company files
- Interrupted computer access

Penetration Testing


Guidance in Designing and Evaluating IT Controls

Systems Auditability and Control Report (SAC)

Electronic Systems Assurance and Control (eSAC)
- Framework for evaluating e-business controls

Control Objectives for Information and Related Technology (COBIT)


Study Break #1

An IT auditor:

A. Must be an external auditor

B. Must be an internal auditor

C. Can be either an internal or external auditor

D. Must be a Certified Public Accountant


Study Break #2

In determining the scope of an IT audit, the auditor should pay most attention to:

A. Threats and risks

B. The cost of the audit

C. What the IT manager asks to be evaluated

D. Listings of standard control procedures


The IT Auditor’s Toolkit

Utilization of CAATs
- Auditing with the computer
- Manual access to data stored on computers is impossible

Tools
- Auditing Software
- People Skills


General-Use Software

Productivity tools that improve the auditor’s work

Types
- Word processing programs
- Spreadsheet software
- Database management systems (DBMS)
- Structured Query Language (SQL)


Generalized Audit Software

Overview
- Allow for reviewing of files without rewriting processing programs
- Basic data manipulation
- Tailored to auditor tasks

Common Programs
- Audit Command Language (ACL)
- Interactive Data Extraction and Analysis (IDEA)


Generalized Audit Software - Inventory


Automated Workpaper Software

Overview
- Similar to general ledger software
- Handles accounts from many organizations

Features
- Generate trial balances
- Make adjusting entries
- Perform consolidations
- Conduct analytical procedures


People Skills

Examples
- Working as a team
- Interact with clients and other auditors
- Interviewing clients

Importance of Interviews
- Gain understanding of organization
- Evaluate internal controls


Auditing Computerized AISs

Auditing Around the Computer
- Assumes accurate output verifies proper processing
- Not effective in a computerized environment

Auditing Through the Computer
- Follows audit trail through the computer
- Verifies proper functioning of processing controls in AIS programs


Auditing Computerized AISs

Testing Computer Programs

Validating Computer Programs

Review of Systems Software

Validating Users and Access Privileges

Continuous Auditing


Testing Computer Programs

Test Data
- Create set of transactions
- Covering range of exception situations
- Compare results and investigate further

Integrated Test Facility
- Establish a fictitious entity
- Enter transactions for that entity
- Observe how they are processed


Testing Computer Programs

Parallel Simulation
- Utilizes live input data
- Simulates all or some of the operations
- Compare results
- Very time-consuming and cost-prohibitive


Edit Tests and Test Data


Validating Computer Programs

Tests of Program Change Controls
- Protect against unauthorized program changes
- Documentation of requests for program changes
- Utilize special forms for authorization

Program Comparison
- Test of Length
- Comparison Program


Reviewing a Responsibility System


Review of Systems Software

Systems Software Controls
- Operating system software
- Utility programs
- Program library software
- Access control software

Inspect Outputs
- Logs
- Incident reports


Password Parameters


Validating Users and Access Privileges

Purpose
- Ensure all system users are valid
- Appropriate access privileges

Utilize Software Tools
- Examine login times
- Exception conditions
- Irregularities


Continuous Auditing

Embedded Audit Modules (Audit Hooks)
- Capture data for audit purposes

Exception Reporting
- Transactions falling outside given parameters are rejected

Transaction Tagging
- Certain transactions tagged and progress recorded


Continuous Auditing

Snapshot Technique
- Examines how transactions are processed

Continuous and Intermittent Simulation (CIS)
- Embeds audit module in a database management system (DBMS)
- Similar to parallel simulation


Continuous Auditing – Spreadsheet Errors


Study Break #3

Which of the following is NOT an audit technique for auditing computerized AIS?

A. Parallel simulation

B. Use of specialized control software

C. Continuous auditing

D. All of the above are techniques used to audit computerized AIS


Study Break #4

Continuous auditing:

A. Has been talked about for years but will never catch on

B. Will likely become popular if organizations adopt XBRL in their financial reporting

C. Does not include techniques such as embedded audit modules

D. Will never allow IT auditors to provide some types of assurance on a real-time basis


IT Auditing Today

IT Governance

Auditing for Fraud: Statement on Auditing Standards No. 99

The Sarbanes-Oxley Act of 2002

Third Party and Information Systems Reliability Assurances


IT Governance

Overview
- Process of using IT resources effectively
- Efficient, responsible, strategic use of IT

Objectives
- Using IT strategically to fulfill mission of organization
- Ensure effective management of IT


Auditing for Fraud: Statement on Auditing Standards No. 99

Overview
- Supersedes SAS No. 82
- Provides more guidance to prevent and deter fraud

Fraud Triangle
- Motive for committing fraud
- Opportunity that allows fraud to occur
- Rationalization by individual


Fraud Triangle


The Sarbanes-Oxley Act of 2002

Overview
- Limits services that auditors can provide clients while they are conducting audits

Groups of Compliance Requirements
- Audit committee/corporate governance requirements
- Certification, disclosure, and internal control
- Financial statement reporting rules
- Executive reporting and conduct


The Sarbanes-Oxley Act of 2002

Section 302
- CEOs and CFOs are required to certify the financial statements
- Internal controls and disclosures are adequate

Section 404
- CEOs and CFOs assess and attest to the effectiveness of internal controls


Key Provisions of SOX



Third Party and Information Systems Reliability Assurances

Growth of Electronic Commerce
- Area of growing risk
- Security and privacy concerns
- Difficult to audit

AICPA Trust Services
- CPA WebTrust
- SysTrust


Third Party and Information Systems Reliability Assurances

Principles of Trust Services
- Security
- Availability
- Processing integrity
- Online privacy
- Confidentiality


Copyright

Copyright 2010 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
