Embed Size (px)
Citation preview
EDP AUDIT CAREER PATHS
BY
FREDERICK GALLEGOS
GAO EVALUATOR - Los Angeles Regional Office
U.S. General Accounting Office
EO Auditing in the Federal Environment-Const.
EDP AUDIT CAREER PATHS
Monday, June 22, 10:15 to 11:30 a.m.or
Tuesday, June 23, 10:15 to 11:30 a.m.
Frederick Gallegos, Super'isory Management Analyst,General Accounting Office.
IMPLEMENTATION OF A/71 GUIDELINESThis presentation will focus on the training and FOR FEDERAL SYSTEMS
career paths for the EDP auditor. Mr. Gallegos willTdiscuss recent training and career development pro- Tuesday, June 23, 4:30 to 5:30 p.m.grams both within and outside of the General Account- Panel Discussioning Office. Consideration will be given to the How anorganization can design and develop its own career This panel discussion will review the requirementsdevelopment program. What needs to be done? How to necessary to prepare to meet the needs of A/71.start? How to obtain support? Specific approaches for The panel will consist of:the identification of skill levels, selection of trainingprograms and the conceptualization and formalization Edward Springer, Office of Management of the Budgetof a training/career development program will be Robert Abbot, EDP Audit Controls, Inc.covered. - Peter Browne, Computer Resource Controls
. Mr. Gallegos' primary function within the General Joseph Sickon, U.S. Department of Housing and UrbanAccounting Office is to research program and agency Developmentpolicies, audit management operations and report tointerested members~ of Congress. He assisted in the Participants of the conference are invited to presentdesign, development and implementation of an agency- their views and bring questions to the panel.wide data processing training program. Gallegos was. aprime mover in the development and implementationof an M.S. program in EDP Auditing at CaliforniaPolytechnic University at Pomona.
ORGANIZING AND MANAGING THE EDPAUDIT FUNCTION IN A FEDERAL DEPARTMENT
Wednesday, June 24, 10:15 to 11:30 a.mn
Joseph A. Sickon, Assistant Inspector General, U. S.Department of Housing and Urban Development
t~~ ~ ~~~ ~ ~~~~~~~~~~~~~~~ - -
This session describes computer auditing in a majorFederal Department. Mr. Sickon addresses organizationand staffing of the EDP audit function along with plan-FrdikGaegsJepASckoning, reporting and following up on audit findings. Healso discusses the impact of the Inspector General Actof 1978 and compliance with GAO Audit Standardsand 0MB Circulars.
Sickon is responsible for planning, conducting, supervising and coordinating audit activities related to pro-grams and operations of the Department. He supervises -audit and related efforts of about 350 audit and clericalpersonnel in headquarters and in the field.
A former Director of. Procurement and ADP Manag -Ement with the U.S. Department of Commerce, Mr Sickon also served as Director of Audits for that De-partment, following a number of years in the audit andfinancial management of the Maritime Administration,Department of Commerce. Lee F. Haynes Roldan Fernandez
TRAINING AND CAREER DEVELOPMENT FOR
THE EDP AUDITOR
** OUTLOOK
** CAREER PATHS FOR THE EDP AUDITOR
** IDENTIFICATION OF SKILL LEVELS
** TRAINING AND CAREER DEVELOPMENT PLAN
** SELECTION CRITERIA FOR TRAINING COURSES
I
OUTLOOK
CALIFORNIA STATE POLYTECHNIC UNIVERSITY, POMONA
THE NEED FOR A BETTER TRAINED EDP AUDITOR
Although the basic concepts of EDP Auditing have been around since the 1960's andseveral authorities will even say the 1950's, EDP Auditing as a profession hascome into its own in the 1970's. Moreover, if one checks the want ads of mostnewspapers or even the business classified ads they will see with more regularity,advertisements for EDP Auditors, Internal Auditors with EDP audit experience orAccountants with EDP knowledge and qualifications. The EDP Auditor's demand hasgrown quite rapidly over the last 4-6 years, especially with reported financialfiascos such as Equity Funding, the Rifkin incidence, the legal issues such asForeign Corrupt Practices Act and the pending Computer Security Protection Act.With the average loss due to abuse or crime running about $460,000 to $780,000,private industry and government have awakened to the reality that the computeris their soft underbellie. If they are shaking now, what about tomorrow? Whowill the EDP Auditor be? What training and credentials will he need?
WHERE IS EDP AUDITING GOING
In general, we are in a Technology Evolution phase in the computer field. Ithas been said by many of the authorities in the field that during the 1980's and1990's we will have to undergo a revolution in our way of thinking and attackingEDP problems. The EDP Auditor of today will be tomorrow's Information SystemsAuditor.
Today's EDP auditors, especially those with international organizations, arefeeling the pinch of this future technology. Approaching the audits of distributedprocessing environments, data base arthitecture, networks, minicomputers, micro-computers and processors are unlike the traditional installation reviews of yester-year. How does one approach an audit of today's advanced system which may involveone or more combinations of the following: telecommunication, teleprocessing, dis-tributed processing, OCR input, microtechnology, etc. Many are struggling now toanswer these questions or attempt to find some explanatory method to approach asolution.
The future technology of the 1980's and 1990's point toward advancements in hard-ware and software beyond our comprehension. The Computerworld issue of December31, 1979 presented a range of articles surveying the future. Even in retrospect,the issue cites "The machines of the '70's become antiques of the '80's. Theygrow bigger, more powerful; we, in proportion, feel smaller. We question theirlimits--and ours.' The Information Systems Auditor of the '80's and '90's willtest those limits in ways we today do not think possible or achievable.
In short, the EDP Auditing skills needed by the year 2000 may require extensiveknowledge in the following areas:
- Telecommunications- Teleprocessing- Microcircuitry- Firmware- Embedded systems technology- Laws involving
Privacy. Security and FraudInterstate data transferInternational data transfer
-2-
Telecommunication and Teleprocessing
Although some people may laugh, we are only a few years away from the first on-line, real-time financial information system. The developments in the fields oftelecommunication and teleprocessing will skrink the communication barrier by afactor of 100 within the next 9-10 years. In recent discussion with several fel-low EDP auditors in the banking industry, I was not surprised to hear that theirorganization's ultimate goal is to have a real-time financial information system.In other words, if a transaction occurs in a California subsidiary, it will im-mediately appear on the financial books of the New York holding company. Inter-nationally, if it occurs in a Switzerland subsidiary it will immediately appearon the financial account records.
Teleco-mmunications and teleprocessing involve a host of subtopics which the In-formation Systems Auditor must be able to adequately and capably review. Further,examination of the controls in such system will require a high level of technicalexpertise. Knowledge of telemetry transfer of data, crytographics and telecom-munication and teleprocessing security will gain increasing importance.
Firmware, Microcircuitry and Embedded Technology
Another area of virtual technology explosion is in the new firmware, microcir-cuitry and embedded technology that has recently entered the business community.Although such technology is no stranger to advanced weapons systems technology,its applicability to business/information systems community is just now beingfelt. We are seeing an evolution of new systems technology that can be self-contained or shared in a distributed architecture. The orientation of suchsystems is toward a total integrated information system designed to tie informa-tion channels together.
Again, the challenges from these advancements are coming forth. The InformationSystems Auditor must have the knowledge and skills to conduct audits or examina-tion of the firmware and microcircuity and insure that the information process-ing that takes place yields valid, reliable and secured information for manage-ment decision making. Arthur Young & Company has recently published a brochureon Computer Auditina which characterizes an audit in the year 2001 with the aidof embedded technology. Although they have stated that article is fictitious,they do indicate that with the changes that have occurred and those foreseen inComputer Technology, the concepts are not far from reality or out of the questionin the year 2001.
Legal Requirements
If you think the information systems auditor has his hands full with the two priorareas discussed, the legal requirements which have and will be evolving over thenext twenty years will have tremendous repercussions in the field. Again, onemust take a look to what is happening in Europe and their concern for informationprivacy and security. Luxemburg, Austria and West Germany see computerized dataas a potential weapon in the hands of a wrong person. Therefore, they have enactedstrong laws to ensure that individual data and the access to the dissemination ofis controlled and protection guaranteed.
The Privacy Act of 1974, Foreign Corrupt Practices Act of 1977, and the pendingFederal Computer Security Protection Act are stepping stones to more comprehensivelegislation. The information systems auditor will need to clearly understand theselaws and apply them in his evaluations of automated systems. Legal implicationsand restriction on intra-and inter-state transfer of information booms in thefuture.
-3-
WHAT STEPS ARE BEING TAKEN NOW TO TRAIN THE IS AUDITOR
The total awareness of. the skills needed to develop a capable information systemsauditor of the future are largely undefined at this time. Our society has ap-proached this need in a fragmented order. Several steps in assessing these skillshave been undertaken by various professional societies, educational institutions,government agencies and Big "8" Audit Firms. These efforts have been largelyfragmented and lacking in coordination and cohesiveness. There results have beenvery good in some areas considering the above and extremely weak in other areas.
Professional Societies
Among the professional societies who have contributed to the abvancement and aware-ness of the EDP Audit role in the organization are the American Institute of Certi-fied Public Accountants, Institute of Internal Auditors and the EDP Auditor's As-sociation and the EDP Auditor's Foundation for Education and Research.
CAREER PATES FOR THE EDP AUDITOR
AUDIT MANAGER - EDP AUDITING
SENIOR EDP AUDITOR
EDP AUDITOR
EDP AUDITOR TRAINEE
INFORMATION SYSTEMS
ACCOUNTING / BUDGETING
LINE MANAGEMENT
CORPORATE MANAGEMENT
CONSULTING
IDENTIFICATION OF SKILL LEVELS
'TINPiG AN
I NF RAT IN SHARIPdG NETWORK FOR THE
E D P AUJ 7 XIE- C0 F TH rE C I CHUTI E- EForum on EDP audit professional
Forum on EDP audit Research Projects Forum on Personal Growvth and the Human Potential
Model on Academic Offerings and Training Audit Activities Forumgoals in El)? auditing X goals in~t EU auditing-~ QU~/ X Audit Target Areas Forum
Forum on Structuring, Indexing, and fb , Forum on Staffing and RunningIntegrating the Growing Common Body / a o the EDP Audit Department
of Knowledge ISSUES, PROBLEMSInforato R c FSOLUTIONS, VALUES Risk Assessment Forum
Information Resources Forum 0 NEED TO KNOWV Controls Forum
Training Resources Forum / TRAINIING NEEDS C FeSOURCES OF Auditaaitity Forum
Needto-KnoW, Training Needs Forum INFORMATION I P SeCUrityFo.Um\~~~~~~~~~~~~~~~ D Security OF TFANI( .I
Forum on Teamwork with Financial SOURCES OF TRAINING Pauditors, EDP Security, Quality * EXPERTS EDP Privacy Forum
Assurance, Data Control, External Auditers CLIPINGS Forum on Mvietheds, Tools, and Practices
Forum on EDP audit, Control, and \ / BOOKS , Audit Communications ForumSecurity Interests of Peer Professions re to Know, Trainin- NEEDS Forum
and Peer Groups toY ~~~~Technology A,.^.areness Forum
Forum on EDP audit interests and responsibilities of computer users Control Issues surrounding New Technology
Forum on EDP audit interests andresponsibilities of auditees
OUTLINE
COMMON BODY OF KNOWLEDGENEEDED TO AUDIT COMPUTER SECURITY
1. COMPUTER SYSTEMS, OPERATIONS, AND SOFTWAREA. Theory of systems (as applied to information systems)B. Theory of computersC. Theory of data communications
2. DATA PROCESSING TECHNIQUESA. Information structuresB. Programming languagesC. Sort and search techniquesD. File creation, maintenance, and interrogationE. Storage devicesF. Data management systemsG. Integrated systemsH. The dynamics of developing, modifying, and maintaining
computer software
3. MANAGEE1ENT OF THE DATA PROCESSING FUNCTIONA. Organizational structuresB. Personnel selection, training, and managementC. Operating and organizational policies and proceduresD. Computer operationsE. Analysis, design, and programming functions
4. SECURITY OF THE DATA PROCESSING FUNCTIONA. The computer centerB. Remote sitesC. Systems including operating, application, and tele-
comnunications softwareD. Policies and proceduresE. PersonnelF. Data handlingG. Recovery capabilitiesH. Tests of internal controls
5. RISK ANALYSIS AND THREAT ASSESSMENTA. Physical facilitiesB. Remote sitesC. SoftwareD. Information
8. MANAGEMENT CONCEPTS AND PRACTICESA. Management tasks, responsibilities, practices, and ethicsB. Business administrationC. Principles of organizational structuresD. Concepts of general managementE. Management of the human resource
4-11
7. AUDITING CONCEPTS AND PRACTICESA. Introductory accountingB. Intermediate accountingC. Advanced accountingD. Cost accountingE. Municipal and governmental accountingF. Auditing
8. ADDITIONAL QUALIFICATIONS NEEDED TO AUDIT COMPUTER SECURITY
Individuals selected to conduct audits of computersecurity, in addition to the comnon body of knowledgeoutlined above, should have the following qualifications:
1. Sufficient experience to be able to plan, direct,and coordinate audits of large complex functions,activities, or programs,
2. The ability to assign tasks to individuals on theteam and to identify the specific disciplines andexpertise needed to perform the work, and
3. The ability to conduct conferences and to prepare,present, and process the report describing theresults of the work.
4-12
___ , = : = 7 = .- I~. e
< =W 0) UoQCD CDCD 3 .
cC CD 0 3 ; I'D .) 0 0 a> C D) C C1Ca C ZDD < C H °
CL ~ :y 0 na S ,~ cD Ca _ CD ' 0. G) 'f fl. ' ',
CD ) CD' c CD CD m
.. -, . -' C -, -
=r =>r
CD .3 -CDC -w nD r77 -0 3 3 |o 0 C) '. - - r
'. CD c 0 CD ,-' '
3 :D -. 0 C D0V tCD . 0 ;
mCD
< C,, . : X O m Q D D~~~~~~~~~~~~~~~~O n ~ ~ ~ ~ ~ . -.* .' -. F.
C) CD .. CL.0-. ~~~~~~~~~~' -. C ~~~~~~~~~~~~ 0 ~~~~~~ H0
3 . _ . 3 .
-o '. ' _'.u ,, 8)"'t) 0 (3 -'C. (n ) )z J>Wr~~~~ 4 -. .Cm W8
b
_D -. -CD
m
fl)~ ~ ~ ~ ~~~~C3 m~~~~
< CD
C)~~~~~~~~~~~~~~~~~~~~~~~~~~~C
~~~~~~~~~~ CD~~~~~~~~~~~~~~~~~~~~~~~~r-~~~~~~~~~~ 0. N~~~~~~~~~~~~~~~~~~~~~
C) C)~~~~~~~~~~ O 0O 0 * C)~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CD~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~CU' CD ~ ~ ~ ~ ~ ~ ~ ~~~~~~~~~~~ U)> 2~~~~~~~~~~~~~C
CD fu-~- CK ~~~~~~~~~) CD-
CD
0. 0. C
C)~~~~~~~~~~~~~~~~~~/CD
Lo ~ ~ ~ ~ ~ ~ LCD .2l0
-~l CD CDo to
Cl) <
CD (/CD-0D .. Ca
v~~~~~~~~~~~~~~~~~~~~~~~~~~~~4 CD
TRAINING AND CAREER DEVELOPMENT PLAN
GAO EVALUATOR (AD? AUDITOR) CURMRICULTUM
- -. Auditing .Auditin-
Advanced Advanced Progran Tele- Auditing Data BazeGrades 14/15 Suparvision Evaluation coz.unica- System Management
-rodu .-. tions Software Systems
.'roducin ComnuterProject Elements Organized Advanced Intro to Auditing Assisted
Leader of Writing & ADP Computer ADP AuditGrades 13/1P 1Sumervision Effective Concepts 7erformance Acnuistions Techluniques
I . . Reviewir.g valuation
, . ~~~~~~~~~~CommuterSub-Project . S'Kills for Internal Assisted
Leader Auditing Performance Computer ontrols in Audit SystemsGrades.12/13 and Job & Career Seculri-t Automated Te_-rnique-s Anallysis
Management Development & Privacy Syst emt s
Conducting Ease System AD? AD? Syste-_Intermediate Program Intermediat Level Design & 1,anng-enent. Documenta-
Grades 11 Results Writing ADP-IT Development and tionReviews Operations
Use ofEntry Base Moaels & Intro to
Entry-Level Level Orientation Level OPS SPSS Statistis lGrades 5/9 Training - ADP-I Research & Sampli
/ . - ; Techniques S.A.S.
E Lntr'1
C04PUTER SECURITY AND PRIVACY
OBJECTIVES: To exoose the individual to legal, political andpublic policy aspects of privacy and securitywithin comouterized systems, and to present aframework on whicl t-he particinants can builduDon to ensure that necessary safeouards existin cocmuterized system.s.
CCONT-N T The course is divided into 8 basic learningelements as follows:
--History of inforation systems privacy,--Legal environmenL,,--Civil liberties,--Total system security,--Environment security,--Installation security,--Software security, and--Cost/benefit analysis.
ZTEOZDLOG : Classroom instruction, group discussion, groupexercise.
L__F _,_ :; H 3. y p rogram.
INS T CTOR: C-ziceof Personnel Manaae-.ent (OP:M)
PR2-_REQ'ISITES: . Base level ADP I & II or. equivalent knowledge.
REZOIMENDD -p--1=TwC 11-? S: AD? Auditors and Computer Specialist/OPS Research
FREQS-LNCV : Offered 4 times a year.
CLASS SIZE: 20-24 students.
STATUS: Available at $250 per student.
IINTERŽAL CONTROLS IN AUTOMATID SYST2'S
OBJECT IVES: To provide individuals with an overall understandingof ADr internal cont-crls-wch can _ use_ to evaluatethe'reliabilitv.OL cc -ized data and %the adecuacyof security over comiputerized svstezs.
COr, Tzi T The course is divided into 11 basic learning elementsas follows:
-- O-rcanization Controls,--System Dev.elopmer.t,--Data Center lManagemenrt,--Data Center Security/Protection,-- DaaL2 Origination,--Data Entry Pre paration/Validation,-- Data Co7mmunication Controls,--Computer Processing Controls,--Processing Con-trols in Advanced Systems,--Data Base Controls, and-Output Processing.
14EW--_JDbZCZ Ar-ro.ma telv 2/3 of the course time is lectureaid-d by slides. Numterous class e:-rcises whichrequire sro-°l discussions and presentations areintersoersed.
L F N G ru-_- E A 5 day program.
IS.`TRCYCORS: GAO auO-itors who have extensive know-ledge ofAD? internal controls and job excerier.ce inauditing internal controls.
PRE--
RE~Q13SITIS: Base Level ADP I & II. or equivalen_. knowledge.
RECY!.M EN D ECEDPARTICIPANTS: ADP Auditors and Computer Specialist/oPs Research
FREQUENCY: Ofered twice a year.
CLASS SIZ-. 12-25 students.
STATUS: Present, course under revision.
.20
COMPUTER ASSIST-ED AUDIT TECHNIQUES II
OBJECTIVES: To provide individuals with advanced knowledge in theuse of comuter retrieval packages (DYL-260 and DYL-PIUD3T)and prograrn docLLmentaticn packages (DAS and DCD); andhow they have been and can be applied to audit work.
CONT-NT: The course is divided in-to 4 basic learning elementsas follows:
--Advanced DYL-260 concepts and progra,-ming toinclude: editing, last-time logic, indexing,subroutines, linkage, fixed position printingand others,
--DYL-AUD1T discussion and use,--DAS and DCD discussion and use, and--Class problem using the above techniques.
M-T-=O_- OGY.: Video-assisted lecture with hands-on exercise.
z-. 5 day program.
I2.5--CTORS: T;,-a_ C-AO senior ADP auditors with extensive CAATSex~er ence.-
RE^QP a -TvS: All base level, and previous career ladder training,or equivalent knowledge.
R EC OM3 ~DESDpARTTCTDANTS: ADP Auditors, Computer Specialist/OPS Research
FREQUMNCY: Offered twice a'vear.
CLASS SIZE: 15-16 students.
STATUS: Under develocrment..
721
Zs P-----
VD C
0 m g
X z ~~ ~ ~~~~~~~>- vr o (D = r- C M C F3 c~~~~~~~n fD 4) C m pM r C.
tt ' CD H- cQ 10 z toD
* P3 ~~~~~~~~rr O rl pi >Y m f* ( tF D0 P)
' * 5 ~~~~~~~~~~ ~~~~~~rt r > * * O (D F a C t C Fw ,~~~~~~~~~~~~~~~~~r 2
Fj~~E ;P>C O m CO A) a. Q .SXF DF~~~~~~~ 0 :; _ UZr to C D H. m t:
x~~~~P #. Az m P m Z r r O e
O * * * ~~~~~~~~~D P :r F~ W
* * C F XD S H rv F {n~rT 0CD
* * . - ~~~~~~. MD CD CL * t It2. ~ ~ ~ ~ ~ ~ ~ ~ ~~~r .t .D l^ a t7 ( D 0.
-~~~~~~~~~~~~ ~ pi CD t O 3 CD* * * Pt O tO~~0 0 5; 7t tm
*~ ~ ~~~~~~r *3 la IC I = tO* * rD S 3 En D
m CL wo n ;> n Q tn ~~Cln Q V > tz C :i C t m S rlt-° ~ ~ ~ ~~~ 0 0 ° 1-4 O O~ ITC w: O pi a> 0 tPr
rr~ ~ IV -j I: *c ' rOSsFL , e ~~C r- r- c : a >M¢cn nOf 1r wF :: o :: ~~rt rt rt rr n 3; rt o x a) rt- 0
_ e n ra ea rD rm P . :CL - r m =ar nf) pi " " r. t: p:t n) C ~ D (D srw _
S > Q ( D m " w rr- Cs C HC5W c Q [/) m t m ro CD f CL to rD L
c; a k4 rt aC 1- i- F;CD* >F fD) U) Cn D tt ~ ~ ~~~ 0 CD; c: CT OO nL Mr r- Cl rr : ,
X r~~t rr = " r- C- C Yn D P =rn ~ ~ ~ ~ r m " O t> Ct CD =' 'o 7 r. x* - ::I A
rt~ ~ ~ ~ C D) T Fl- o w P o M I _ F r P "F ~ ~ : E3 o3 Ie.s f o ; x0 ~
O m fD Y v0 F- CD 01" > I CM tl tM, D
MD 3 :: We ° ;v rD (D CLr : rD 20 rr , , CDe S C: CD rr n " H Ft1 ic it rY r rT CD rtr CD CDPt ,
OD Ft FW f H M p1 IV ti m Q Pi CD l : 10 M n C 3 w5 to C
9: ti " rt 10 CD F rt OF Ot
r? 1-- C' 0rt0 -4 0 03 > n n 3 :J 0 3 )C 3 >
b fD f C Ot.D G M
t: . : -t~l :r u rDCD oll rT 5 m::
C- (D >0 th "
mC F r- D
ID rt C1 MD CD fD
C r cf;r m n C. rl 3 l O r- n C
n -0 n -!n w
~~~0 C
P rr ~~~rrLO (D
I-0
Z 4 0C-, �4m �mC�o .- '
---1 -�
-I I 7,
I II H'.
-1-f- I
0n �c3CI &..� -�
In.4 TflI -4a" C)
ii 4- iiI I I f -cI __1+1111 } T 1H1 __14 -{ - - - - - -f
- t- 1�
L II -r �1 I- 4.ii I + � -- -I
In-4
In
a,
I,
¢ . CD O X0
rr r?
CD n
@ Fpi i~~~~~~~~~~~~~~~~~~~~~p
o~~~~~~~~~~~~~~~~~~~~~~~~~~~~~c I D
=~~~~~~~~~~~~~~~~C ;D . -I|~~~~~~~~~~~~~~~T piM-.
lZ -1 7;,~~~
i e .~ ~ ~ ~ ~ ~ ~ ~ ~ L
= n D l j :3 w I O W I | :
m z z - s< W @ cs !w r w Y a w m. . F~~~~~~~~~~~~~~~~~C
,< 00 rt 34¢Oa vXra t at r- o IV3 F- f > F ~~~D CDt nn D a VD tDID'l nt Fi f FX tD Y Ho Y Y rt C Dttt CD3 tS g cD rt C(D CD I ID I IIC O ::0 zr 3°wot t;
%4 tz M5 tD O H M P j a D i- M l< OI n O -.a *- M o) g.- E M _ o; Ft M0 0 CD 5t M MI )- w w* -o05
C D 0 Z H f f M sH rT '-- Pt 0 H to 0 . 0: 0 rt 2? M 0 M 0 0 0t- z to M P 5 t3 C "O lk< M rt * M n ,¢ :C Mt )o " OM rr6 rr M t t D
; IN CD . o I. rt 0) M CD ti &t * tD IVF
O :r r o 0 V " o i- M W z- to p c ?l f to
0 H 0h fD M C H M Mn D0 M 13 vQ r 0 _;a p O r t D 0 - 4 -A 0 M i I C M PD
rt~~~~ ~ ~~~~~~~ n: CQ tD - t th M rt t t M ¢ b;Dh M . D ::: Sw rY b - p- VI rlp b
t~~~~~~~~~~- n " 5 " °H9 .
; z :12 '' ::I M F- -
a; " 0 - CD :5 M~ lw-6 0 c) -D M P
_~~~~~~~~~~~Z , .
3 C D : 5 a t
cn t 0tD D 9 C. O n z ¢ *t X t X~~1-
t Y- ; . '. P0 O%3$r. D : ; 1't r .. , +-r,. ,.
> Y e OtDC m C:O D
.1. pi P 0 CD CD, Ot'
O~~ ~ ~~~ ~~~ CD M r rt O w
Pz F O rt ~~~~~~0D Pn J- V. ,rt~~~~~~~~~f rt C; D >°
Ln i- M *- - ¢
SS 5~~~ ~ ~ ~~~- CD 0. rl - r>> M ::I BD *
E +-I V> tr to , ~-rt .1 O o D
m ~~~CL tC r.
tD~~~~~~~~~~~~C ::I pi t I B g & > ' v~~~t
n sD 0 rS l)#O Fr rt e .
CD % mt
* CaD rt
ED :3 3 =C
c :3 :3 n vc
0~~~~~F rDw
M ~ ~ ~ ~ ~ ~ L W I;M ~ ~ ~ ~ ~ ~ ~
M r t n .+ en. G
m: E ~~D P x VO ;O r
nPI z nt
,tC < 'c e Me D . ,
a: rw n C* C n *4 q
C D C El _tg
s g:3 NC C: m C'nI- r D CD r C-.
mn 0r. rr C
:r CD -0 r -r
c: r o > n cC> w: Fb 3 x W; n ~~~~~~Z1
rr ~ ~ ~ ~ r Ds fD ~ ~ ~ ~ ~ ~ ~~ 3 oo:
3 v> X~:
m ~ ~ ~ ~ ~ ~ ~ S m::-
LO~~~~~~~~~ :X sx*nb
o _ o ;
¢~~~~~~~~~~~1 r) o -1 C~ ttn > c
CD7 u co r- C~ n .tD I I I I I = m fo C- p O 0
co C I I I I I O w < (D 0 C Z H~ ~~t 0 CO o F- t- LO rFO zY (:~~~ 5 C rr 5 t-h o CD 0ct oO~Onn *
> ~ ~~C CD 'C t-s ns- to °0 5 :3 r3 tl CD rr "s rt -C n o O n El tF X s - :
re rt Al =' . a. :54 V > n~~ r rt CD 0 a) :3 CD Fs>co c o IC z ;
C CD ::r n H M C *-As3 t*t Sst ~ ~ ~ 0 m r@: C D I:O $ C:~ ~ : FY D3 H OCD :3 91 D C CD D n~tD6 rs F" 00 M = C Do-3
* ~~C P "t " tDO --0 C) p F
CDtt C0 P W : IV t eOYn
rl co t>p 0 5L M c O I MI
:3 g tD0 0 0) PD CD ;i; = rt rX 0 . o m O 6 CD co = C H F.
Cf t- " 0 C 5£°
FX H "0 CDO=C
Pi PI F Pi OV rr - M CPO Irt ov o tt) " H co m " u)
PO ow POrC tD- P ° :C £w0 El rt 3 96 r U, 0 g:a
CDr ttl nCL t b)r
I" x F (D 1 ID r) On to " r, C O tm C t CP) - Wt C D rS CD b rt o F- ;N r m
o-I CD _t v
0 co :CE H- c; H3el to > C :3 r c: r' to. i o O. C
rD MD 3 rr = rH n - rto o
o) O ": o 0O t
H C tD 0 :: C
C) w m CD
o t 0
C DnD <
C) * CpLf
C CCCb * gL >~~~~
CD O 6
C rD
H. rT~ ~~~~
C 0
O n pi o to CfG D :rr tl 0 t. VC) O nt 0 O D CD P: Q. 0 CD CD w~.
n CD rT " .0 n WFF
C w n F H >Ot " C = Dr LIC r? > PC} ¢ W r C;D m: "I -: U
C CDaHD A) CD a -- rt x )eQ~~ ~H Pt 10 r3 c0 0 G n D nbX~~~~ M -- M4 Fe 0 tD tP n; rr ¢ {D r tD _ CD a oCr
I." 1- G t) ti C M: O n SC ::5 n a 9 C $I _
CD m pff 0 m P. n laC n m
P3n t er _ m CD ::s v bLA_
I~~~~P t< 0 CD OD -r " CD31 ~C& C:sC DcD O CD 4 F"
C1 Ci CD co e- r t
rt~1 "tGC I 0
CD~~~~~~~~~
cn 0 ~ ~ ~ ~ ~ ~ ~~n
Q n a m F F *F . F m CD Zs
D m = r :: EG ¢ C~~~~~~C rn fD c Gg mo > co Fv
OQ'f xY[t
>. < cn n n e o . 2~~~~~C
0 ' c ¢ 0 V cT
CD m
W E5 r t n r< C o 0 0n CD rCT r* v (D7 t O ,
1*0 H ¶ c: COp:n
Fi CD PC
CD CD t- r
0 C C: D ;3 F C. f l; P '.
0 V I t
t'"~~~~ e. CD :
CD ~ W nf
0.~~~
0
CD 1- CD
Fh PCO
0o CD
P P rt
rt 5°
tDt C;
O 0 Dvt0 1-t
O n
0 OWtCQ a
r0
SELECTION CRITERIA FOR TRAINING COURSES
SELECTION CRITERIA FOR COURSES
1. Does the course support our organization's
short term goals or objectives?
2. Does the course provide new or innovative
techniques which can benefit the organization?
3. TYPE OF INSTRUCTION PROVIDED IS WORTHWHILE
4. MEDIA AND ANTICIPATED LEVEL OF EFFECTIVENESS
California State Polytechnic University, Pomona3801 West Temple AvenuePomona, California 91768
Master of Science in Business AdministrationElectronic Data Processing uditing Option
Dr. Madeline Currie, Director, Graduate ProgramsDr. Ronald Eaves, Advisor, EDP Auditing Option
Graduate Programs Committee
Dr. Madeline Currie, Chairperson
Peter Dawson, Thuman Resources & Small Business ManagementRonald Eaves, Information SystemsHyung-T'i Jin, Finance, Insurance & Real EstateMorcos, Massoud, AccountingCharles Pinkus, Management Science & ProductionAnthony Reed, Marketing Management
THE CAMTUS
California State Polytechnic University, Pomona is located south of theSan Bernardino Freeway on the eastern slope of Kellogg Hill. Cal Poly isat the hub of an important transportation network. Adjacent to the SanBernardino Freeway, the campus is 40 minutes from downtown Los Angeles.The University will be convenient for travelers on the Pomona, Foothill,Corona, and Orange Freeways.
Cal Poly is a coeducational institution with an enrollment of over 15,500.It is one of 19 campuses of the California State Universities and Collegessystem. Seven departments comprise the School of Business Administration:accounting; management; information systems; finance, insurance and realestate; marketing management; and hotel and restaurant management.
ACCREDITATION
The university is accredited as a degree-granting institution by theWestern Association of Schools and Colleges.
from an accredited college or university plus the GMAT score; or atleast 1,050 points based on the formula: 200 times the upperdivision GPA (4.0 system) from an accredited college or universityplus the GMAT score. In addition, a minimum GMAT score of 400 willbe required for admission. Exceptions may be granted on petition ofthe applicant, recommendation of the Graduate Programs Committee,and approval by the school dean. Applicants with bachelor's orgraduate degrees other than in business will require evaluation forthe necessary equivalent courses to be taken.
2. The Dean of the School of Business Administration will notifyapplicants of their selection or rejection.
3. The EDP Auditing Program Advisor will serve as advisor to allselected applicants.
4. An advisory program study worksheet for guidance of the student willbe prepared by the Advisor of EDP Auditing Program upon admission tothe program. An official degree program will be finalized prior tothe student's advancement to candidacy. It will be approved by theDirector of Graduate Programs and the Dean of Graduate Studies.
5. The degree program must include a minimum of 45 quarter units.Transfer credits not exceeding thirteen quarter units completedin a graduate school of an accredited college or university may beaccepted upon approval of both Director of Graduate Programs andAdvisor of EDP Auditing Program.
6. A grade point average of "B' (3.0) or better must be maintained inall course work attempted to satisfy the degree requirements and inall upper division and graduate level course work attempted at thisuniversity.
7.Foreign students must have a TOEFL score of 550 or better.
Curriculum
Due to the technical orientation of the EDP Auditing Option, a strongbackground in accounting and information systems is required. Before astudent can be formally admitted to the graduate program, the followingcourses or their equivalents must be completed:
Requirements for Admission to the Program UndergraduateQuarter Units
ACC 301 Intermediate Accounting 4ACC 302 Intermediate Accounting 4ACC 303 Intermediate Accounting 4IS 314 Data Management Concepts 4IS 315 Systems Design 4ACC 419 Auditing Principles 4IS 433 EDP Auditing 4
Total 28
PLACEMENT
Many representatives from business, industry, and government recruitannually through the University Career Planning and Placement Center.Faculty members are often of additional assistance in placing students.
If you have any questions not answered in these pages, write to:
Graduate Program Advisor - EDP AuditingSchool of Business Administration
California State Polytechnic University, Pomona3801 West Temple AvenuePomona, California. 91768
or phone (714) 598-4214 for an appointment.
GBA 659 Seminar in Current Accounting Theory (4)Evolution of accounting theory. Current problems, reasons, and causes for controversy, and future
developments. Seminar, 4 hours. Prerequisite: GBA 551.
GBA 671 Management Seminar (4)The development and evaluation of alternative corporate strategies, drawing upon the functional
areas within business and the outside environmental factors which affect business. Seminar, 4 hours.To be taken in last quarter of the MBA program. Prerequisite: GBA 561.
GSA 675 Theory of Orpnizations (4)Analysis of organizations from a theoretical and structural point of view. Current research in
organization dynamics and development from a multidisciplinary perspective. Seminar 4 hours.Prerequisite. GBA 535.
GSA 689 Accounting Research (4)Application of selected theory concepts in model construction. The determination of changes in
reported operating results arising from changes in accounting theory. Serninar, 4 hours. Prerequisite:GBA 564.
GSA 691 Directed Study in Business (1-4)Independent, directed study of advanced topics in the field. Individual conferences with the
instructor.
GBA 692 Independent Study (1-4)Individual investigation or original study to be conducted in a field of interest selected by the
student with approval of the instructor. Intensive personal research under initiative of the studentwith general guidance and advice from the instructor. Seminar.
GSA 695 Business Research Project (4)A written research project concerning a significant problem in the field of business. Prerequisite:
GBA 691 for MEIA candidates. GBA 541 for MS candidates.
GSA 6% Thesis (4)A formal thesis concerning a significant problem in the field of business. Prerequisite: GBA 691
for MBA candidates. GBA 541 for MS candidates.
GBA 699 Master's Degree Continuation (0)Registration required in any quarter following final assignment of SP in continuing work in which
student intends to use facilities of the university. Registration permitted instead of leave of absencewhen student plans to use university facilities.
Upper-division courses applicable to the master's degree will be found in the section of this catalogdescribing undergraduate courses in the School of Business Administration.
BUSINESS ADMINISTAR lON
a. Bookkeeping and Accountingb. Business-Economics Educationc. Data Processing for Teachersd. Distributive Educatione. Office-Secretarial Subjects
GBA 546 Fundamentals of Financial Management (4)Theoretical and conceptual framework for financial decision making stressing analytical and
quantitative techniques. Analysis of controversial and sophisticated methods of allocating resourcesand raising funds both internally and externally within the corporate context. Lecture-discussion, 4hours. Prerequisite: GBA 510.
GBA 550 Seminar in Business Education (4)Discussion of selected areas in business education. Seminar, 4 hours. Prerequisite; GBA 540 or
consent of instructor.
GBA 551 Accounting for Executive Ad 'Ministration (4)Control systems, responsibility in profit planning and control, capital investment decisions, and
federal income tax aspects of decisions. Lecture-discussion. 4 hours. Prerequisite: GBA 511.
GBA 560 Legal Environment of Information Systems (4)Fundamentals and intermediate knowledge of the legal environment concerning EDP. Typical
legal problems arising from the acquisition, use and control of EDP. 4 lectures. Prerequisites: GBA530 and IS 433.
GOA 56i Seminar in Organizational Behavior (4)Human processes employed in accomplishing work tasks and creating employee satisfaction
within the organization. Group experiences whereby students test their interpersonal skills in theorganizational environment. Group activities, lecture discussion, 4 hours.
GBA 563 Executive Development (4)Analysis of the factors endemic to the successful executive and how these skills and traits can be
acquired. Seminar, 4 hours. Prerequisite: GBA 561.
GBA 564 Quantitative Business Analysis (4)Quantitative theory and techniques. Linear, integer, non-linear, and dynamic programming, trans-
portation and assignment algorithms, replacement problems, game theory and Markov processes;introduction to computer solutions. Lecture-discussion 4 hours. To be taken during first quarter ofthe second year of the MBA program. Prerequisite: GBA 534.
GBA 577 Advanced EDP Auditing (4)Hands on experience in applying EDP Auditing techniques and methods. Fundamentals of ad-
vanced concepts in EDP Auditing. 4 lectures and projects. Prerequisite: tS 433 or equivalent experi-ence.
GBA 578 Security and Privacy of Information Systems (4)Practical case-study approach to solving security problems peculiar to the commercial data
systems environment. 4 lectures. Prerequisite: IS 433.
GBA 591 Systems Approach (4)Analysis of business systems from a systems approach. Information gathering, analysis, design, and
implementation of effective systems. Analysis and critique of alternative approaches to solution ofpractical management problems. Lecture-discussion, 4 hours.
GBA 610 Management Policies and Strategies Practicum (4)Experience in the making of business policy and developing competitive strategies at the top
management level. Computer-based simulation, 4-hours. This course, when combined with GBA 627Organizational Communication or other approved writing course, may be substituted for courseGGA 691 Directed Study in Business and GBA 695 Business Research Project (or GBA 696 Thesis)in the MUBA core curriculum.
DPMA MODEL CIRRICULIUM
CIS - 12
EDP AUDITING
CIS-12 EDP AUDIT AND CONTROLS
Course Level: Senior
Prerequisite: CIS-6 Data Base Program Development andat least one Audit or Managerial levelcourse in Accounting
Course Description: An introduction to the fundamentals ofEDP Aud~iting. Tnphasis on understanding EDP controlsthe types of EDP Audits, concepts and techniques usedin EDP Audits. Exposure to risk assessment and professionalstandards in the field of EDP Auditing.
Course Goal
To develop a basic understanding, awareness, and appre-ciation of the EDP Audit environment.
Course Objectives
1. To develop an understanding of the EDP Auditenvironment.
2. To develop an understanding of the importance ofEDP controls and the effect poor controls canhave within a computer based information system.
3. To develop an understanding and awareness thevarious kinds of audits which ED? auditorsperform in conducting audits of computer basedinformation systems and operations, (i.e., SAS-3Reviews, Audits of Systems Development, etc.)
4. To develop an understanding and a-wareness ofsome of the fundamental and new concepts andtechniques used by the EDP auditor (i.e.,Extended Records, Risk Assessment)
5. To develop motivation and appreciation forgood professional data processing managementpractices.
Course Content
1. EDP Audit Environment and CojmputerBased Information Systems (10%)Skill Level 3
A basic orientation to the ED? Audit environment and itsrelationship and effect on computer based informationsystems. Relationships between the internal auditfunction, the external audit function, the publicaccounting function, and the information systemsfunction. EDP audit definitions. Discussion of majorexamples of computer abuse and their impact upon thebusiness community at large.
2. Information System Controls (25%)Skill Level 3
Types of Information Systems Controlss:
Application controls, System Development controls,Information Processing Facility controls, Horizontalcontrols vs. Vertical controls. Preventive, Detectiveand Corrective controls. Controls for security.
3. Computer Audit Techniques (30%)Skill Level 2
The types of EDP Audits (i.e., Audits of Applications,Audits of Systems Development, Audits of InformationProcessing Facilities, SAS-3 Reviews). ComputerAssisted Audit Techniques such as Test Decking,Integrated Test Facility, Parallel Simulation, SystemControl Audit Review File, Sample Audit Review File,Snapshot, Extended Records, etc. Uses of audit softwareto verify results (i.e., conf irmnation, comparison withfile or physical, edit & reasonableness tests). Dis-cussion of Advantages and Disacvantages of ComputerAssisted Audit Techniques.
4. Auditing Advanced InformationSystems (20%6) Skill Level 2
Techniques used to audit advanced systems which utilizea combination of any one of the following informationprocessing techniques: on-line, real-time, teleprocessing,telecommunication, distributed processing, minicomputer,
2
microcomputer, data bases, etc. Techniques used toaudit data base systems. Cost of Advanced Controls.Audit technical expertise needed. Examination ofminicomputer and microcomputer applications andenvironment.
5. Systems Approach to Auditing (15%)Skill Level 3
Concept and Application of Risk Assessment. Conceptand Application of Threat Analysis. Concept andApplication of Cost/Benefit analysis in analyzingexposures and recommending controls.
EDP Audit Applications_
There should be sufficient opportunity for limitedresearch and moderate application of some of these conceptsand practices through computer laboratory exercises, casestudies and research papers. Included in the exercisesshould be recquirerent to design and develop an audit softwareprogram to verify results of a business application (Generalledger system, payroll, inventory, etc.)
Course Approach
This course is a senior level elective course. Assuch, it will provide fundamental knowledge of the EDP Auditenvironment and Process. Although the course requires fundamentalknowledge of accounting principles and processes and auditingconcepts, they are used in the course to benefit and expand theknowledge of the future information systems specialist.
Emphasis throughout the course should be on the importanceof EDP Controls, EDP Audit Reviews and their interaction withthe business organization, especially the IS department. Thecourse will cover EDP Controls and Comout-er Audit Techniques.The methodology used to introduce the EDP controls and ComputerAudit Techniques is left to the discretion of the instructor.However, it should be representative of the current philosophytoward the examination of EDP controls and use of computer audittechniques.
There should be ample opportunity for students toaccomplish two projects during the course which will aid thestudents' understanding of the EDP Audit environment and expand
3
their awareness of this field. The first project shouldbe a research paper on an EDP Audit related topic of about15-20 pages in length. In lieu of this, a Test Data casecould be used as a substitute to provide more "hands on"projects. The second project should be a project whichrequires students to apply some of the concepts and funda-mentals learned. Several case studies are presentlyavailable which can be used to accomplish this objective.The case study should include an exercise involving thedesign, development and execution of an audit retrievallanguage such as TREART, CARS III, DYL-260, PEARL, MARS,STRATA, etc. If an audit retrieval language is unavail-able, then COBOL could be used. If possible, "real world"projects should be used in place of case studies.
The Audits of Advanced Systems will be covered.However, because of the nature and complexity of this area,the presentation and exercises should be kept to aninformative rather than a detail level. Included inthe discussion of audits of on-line systems are Remotesystems (Batch transactions and job entry [RJE], Real-timesystems (Inquiry, Update and Programming) and Switchingsystems (Electronic Funds Transfer, Distributed Systtemsand Networks). Also, discussion should include the techniquesused to approach minicomputer and microcomputer applications.
The final area to be presented involves some of thenewer methods or techniques used by auditors and consultantsin evaluating the vulnerability of an information processingsystem to computer abuse and fraud. Two of the currenttechniques are Risk Assessment and Threat Analysis. Bothemploy systematic techniques and methodologies in theirapplication. Another area for discussion is the use ofcost/benefit analysis in determining -the acceptable levelof risk.
The teaching methodology for this course should includelecture, discussion, illustration and clarification of theconcepts and terminology. The projects suggested aredesigned to expand the understanding of the EDP AuditEnvironment and Process, and to allow the development of aminimum level of skill in the application of EDP auditingconcepts.
4
References:
Texts - (1) Computer Control and AuditWilliam C. Mair, Donald R. Wood, Keagle W. Davis
(2) EDP Auditing: Gordon Davis, Schaller, andAdams
(3) Controls and Auditing: Second EditionW. Thomas Porter and William E. Perry
(4) Computer Control and Audit: A Total SystemsApproachJohn C. Burch, Jr., and Joseph L. Sandinas
Case Studis_ -
. Case Studies In Computer Control and Auditing -Funded by The Touche Ross Foundation (June 1978)
. Fedco Case Study - by Frederick GallegosU.S. General Accounting Office, Los Angeles
Publications - EDP Audit, Control & Security Newsletter
EDP Auditor's Journal
EDP Auditor's Update
NBS Publication 500-19 "Audit and Evaluationof Computer Security"
Computer Control Objectives - 1980, EDPAuditors Foundation for Research and Education
NBS Publication 500-57 Audit and Evaluationof Computer Security II: Systems Vulnerabilitiesand Controls
Computer Audit Guidelines, Canadian Instituteof Chartered Accountants
Systems Auditability and Control - AuditPractices, Institute of Internal Auditors, 1977.
Management, Control and Audit of AdvancedEDP Systems - AICPA, 1977.
5
![Modul EDP Audit [TM12]](https://img.dokumen.tips/doc/110x75/55cf87ee55034664618ba9a0/modul-edp-audit-tm12.jpg)
