ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.
ISA Review Course
Module 7
Information Systems Auditing, Security and Control Standards
Need for Information Systems Auditing
• Need to control the use of Computers.
• High costs of errors.
• Computer Abuse.
• Possibility of loss of data processing.
• Value of personnel.
• Maintain privacy.
• Cost of incorrect decision making.
Information Systems Auditing Defined
Information Systems auditing is the process of collecting and evaluating evidence to determine whether Information Systems:
• Safeguard assets.
• Maintain data integrity.
• Allow organisational goals to be achieved effectively.
• Use resources efficiently.
Information Systems Auditing: Change in Evidence Collection
Information Systems Auditing: Change in Evidence Evaluation
Audit Mission
• Defines the purpose of the audit.
• Steps an IS auditor could take to gain an understanding of the business include:
  • Touring key organisation facilities.
  • Reading background material including industry publications, annual reports and independent financial analysis reports.
  • Reviewing long-term strategic plans.
  • Interviewing key managers to understand business issues.
  • Studying applicable regulatory reports or regulations.
  • Reviewing prior reports.
IS Audit Standards & Guidelines
• Standards – mandatory requirements for IS auditing and reporting.
• Guidelines – provide guidance in applying the IS auditing standards. The IS auditor should consider them in determining how to achieve implementation of the standards.
• Procedures – provide examples of procedures an IS auditor might follow in an audit engagement on how to meet the standards when doing information systems auditing work, but do not set requirements.
Audit Charter
Defines the objectives, authority, responsibility and accountability of the audit function.
Auditing Standards
• Independence: Professional Independence; Organizational Relationship.
• Professional Ethics and Standards: Code of Professional Ethics; Due Professional Care.
• Competence: Skills and Knowledge; Continuing Professional Education.
• Planning: Audit Planning.
• Performance of Audit Work: Supervision; Evidence.
• Reporting: Form; Contents.
• Follow-up Activities: Review previous relevant findings; Review previous conclusions and recommendations.
Log on: www.isaca.org/stand1.htm
RISK
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
Elements of Risk
1. Assets
2. Threats
3. Vulnerabilities
4. Impacts
5. Overall Risk
6. Residual Risk
1. ASSETS
• Information and data.
• Hardware.
• Software.
• Services.
• Documents.
• Personnel.
2. THREATS
• A threat is some action or event that can lead to a loss.
• The result of threat analysis is a list of threats.
THREATS
• Unreliable systems
  • Hardware failures.
  • Software failures.
  • Personnel failures.
• Disaster
  • Natural.
  • Financial.
• Hostile action
  • External.
  • Internal.
3. VULNERABILITIES
The result of vulnerability analysis is a list of vulnerabilities, for example:
• Lack of knowledge.
• Lack of security functionality.
• Poor choice of passwords.
• Untested technology.
• Transmission over unprotected communications.
4. IMPACTS
All threats that actually happen result in a loss of one sort or another. In commercial organisations, threats usually result in a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term.
IMPACTS
• Direct loss of money.
• Breach of legislation.
• Loss of reputation or goodwill.
• Endangering of staff or customers.
• Breach of confidence.
• Loss of business opportunity.
• Reduction in operational efficiency/performance.
• Interruption of business activity.
5. OVERALL RISK
Once the elements of risk have been established, they are combined to form an overall view of risk. A common method of combining the elements is to calculate IMPACT x PROBABILITY for each threat to give a measure of OVERALL RISK.
CONTROL ASSESSMENT
Existing controls have to be evaluated, and new controls designed if required, to achieve the acceptable level of risk.
• Preventive control.
• Detective control.
• Manual control.
• Programmed/automated control.
6. RESIDUAL RISK
The level of risk remaining once controls have been implemented. Risk in excess of the acceptable level should be reduced by the implementation of more stringent controls. Risks below this level should be evaluated, and a cost-benefit analysis may be done to decide whether further controls should be implemented.
EVALUATION OF BUSINESS RISK AND MANAGEMENT PROCESSES
The process of risk assessment may start with an identification of information assets and the underlying systems which generate/store, use or manipulate the assets, including DATA.
This can be achieved by:
• Identifying all existing controls.
• Identifying any new or additional controls required.
• Prioritising all the identified risks.
• Identifying those controls that provide the most effective and efficient countermeasure.
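The risk calculation and control assessment described above, worked through as an added example (not part of the course material): each threat gets an overall risk of IMPACT x PROBABILITY, proposed controls are applied, and the residual risk is compared against an acceptable level and against the cost of the controls. The register figures, the assumption that each control removes a fixed fraction of a threat's likelihood, and the acceptable-risk level are all constructed for this illustration.

```python
"""Risk register: IMPACT x PROBABILITY per threat, control assessment, residual risk
and prioritisation. Figures are constructed; the likelihood-reduction model for
controls and the acceptable-risk level are assumptions, not values from the module."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    asset: str
    name: str
    impact: float        # estimated loss per occurrence, in currency units
    probability: float   # estimated occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                    # "preventive", "detective" or "corrective"
    annual_cost: float
    likelihood_reduction: float  # assumption: fraction of the threat's probability removed (0..1)


def overall_risk(t: Threat) -> float:
    """IMPACT x PROBABILITY, the combination method described in the module."""
    return t.impact * t.probability


def residual_risk(t: Threat, controls: list) -> float:
    """Risk remaining after the proposed controls.
    Assumption: each control independently removes its fraction of the likelihood."""
    p = t.probability
    for c in controls:
        p *= 1.0 - c.likelihood_reduction
    return t.impact * p


def assess(register, controls_for, acceptable):
    """Rank threats by overall risk, apply the proposed controls, and decide per threat:
    reduce further (residual above the acceptable level), cost-benefit review
    (controls cost more than the risk they remove), or accept the residual."""
    rows = []
    for t in register:
        ctrls = controls_for.get(t.name, [])
        before = round(overall_risk(t), 2)
        after = round(residual_risk(t, ctrls), 2)
        cost = sum(c.annual_cost for c in ctrls)
        if after > acceptable:
            action = "reduce further: residual above acceptable level"
        elif cost > before - after:
            action = "cost-benefit review: controls cost more than risk removed"
        else:
            action = "accept residual risk"
        rows.append({"asset": t.asset, "threat": t.name, "overall": before,
                     "residual": after, "control_cost": cost, "action": action})
    rows.sort(key=lambda r: r["overall"], reverse=True)
    return rows


# Constructed register and candidate controls (illustrative figures only).
REGISTER = [
    Threat("customer database", "external intrusion", impact=500_000, probability=0.10),
    Threat("payroll system", "unauthorised change", impact=40_000, probability=0.50),
    Threat("data centre", "flood", impact=2_000_000, probability=0.005),
    Threat("file server", "disk failure", impact=5_000, probability=1.0),
]
CONTROLS_FOR = {
    "external intrusion": [Control("access control software", "preventive", 15_000, 0.7),
                           Control("intrusion detection", "detective", 8_000, 0.5)],
    "unauthorised change": [Control("change authorisation procedure", "preventive", 2_000, 0.8)],
    "flood": [Control("off-site backup and recovery", "corrective", 12_000, 0.6)],
}
ACCEPTABLE_RISK = 5_000  # assumed acceptable annualised loss per threat


def example():
    """Run the assessment over the constructed register."""
    return assess(REGISTER, CONTROLS_FOR, ACCEPTABLE_RISK)


if __name__ == "__main__":
    for r in example():
        print(f"{r['threat']:<22} overall={r['overall']:>9,.0f} residual={r['residual']:>8,.0f} "
              f"cost={r['control_cost']:>7,.0f}  {r['action']}")
```

The ordering of the report is the prioritisation step: the intrusion threat stays at the top even after controls, because its residual is still above the acceptable level, while the flood control is flagged for cost-benefit review because it costs more per year than the expected loss it removes.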
INFORMATION SYSTEMS CONTROLS
Objectives
• Control objectives.
• Types of controls.
Definition of Control
The policies, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Control Objectives
A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity.
Control Objectives: Internal Control Objectives
Internal Accounting Controls
They concern the safeguarding of assets and the reliability of financial records.
Operational Controls
Concerned with the day-to-day operations, functions and activities, and ensure that the operation is meeting the business objectives.
Administrative Controls
Concerned with operational efficiency in a functional area and adherence to management policies. Administrative controls support the operational controls specifically concerned with operating efficiency and adherence to organisational policies.
Internal Control Objectives
• Safeguarding of assets.
• Compliance with corporate policies or regulatory and legal requirements.
• Authorisation of the input.
• Accuracy and completeness of processing of transactions.
• Accuracy, completeness and security of the output.
• Reliability of the process.
• Backup/recovery.
• Efficiency and effectiveness of the operation.
• Assuring the integrity of general operating system environments, including network management and operations.
• Database integrity.
• Compliance with the users' requirements.
• Business continuity and disaster recovery.
Information Systems Control Objectives
• Information on automated systems is secured from improper access and kept up to date.
• Each transaction is authorised and entered only once.
• All transactions are recorded and entered into the computer for the proper period.
• All rejected transactions are reported.
• Duplicate transactions are reported.
• Files are adequately backed up to allow for proper recovery.
• All changes to operating software are approved and tested.
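An exception report that tests four of the control objectives listed above over a batch of transactions, as an added example that is not part of the course material: authorised entry (the approver is on the authorised list and is not the person who entered the transaction, which is also the segregation-of-duties test a compliance test would make), entered only once, entered for the proper period, and every rejection reported. The record layout, field names and the sample batch are assumptions constructed for this example.

```python
"""Exception report for IS control objectives over a constructed transaction batch:
unauthorised entries, transactions entered more than once, entries outside the
accounting period, and rejected transactions. Field names and records are assumed."""
from collections import Counter
from datetime import date


def check_batch(batch, period_start, period_end, authorised_approvers):
    """Return one list of transaction ids per control objective that was breached.
    'Authorised' means the approver is on the authorised list and differs from the
    user who entered the transaction (segregation of duties)."""
    exceptions = {"unauthorised": [], "duplicates": [], "out_of_period": [], "rejected": []}

    # Duplicates are detected on business content, never on the system-assigned id.
    # Rejected records are excluded, so a corrected re-entry after a rejection is not a duplicate.
    accepted = [t for t in batch if t["status"] != "rejected"]
    seen = Counter((t["account"], t["amount"], t["reference"]) for t in accepted)

    for t in batch:
        if t["status"] == "rejected":
            exceptions["rejected"].append(t["id"])  # every rejection must be reported
            continue
        if t["approver"] not in authorised_approvers or t["approver"] == t["entered_by"]:
            exceptions["unauthorised"].append(t["id"])
        if not (period_start <= t["date"] <= period_end):
            exceptions["out_of_period"].append(t["id"])
        if seen[(t["account"], t["amount"], t["reference"])] > 1:
            exceptions["duplicates"].append(t["id"])
    return exceptions


# Constructed sample batch for March 2024 (illustrative data only).
PERIOD = (date(2024, 3, 1), date(2024, 3, 31))
APPROVERS = {"mgr_ahmed", "mgr_lee"}


def _t(tid, d, account, amount, ref, entered_by, approver, status="accepted"):
    return {"id": tid, "date": d, "account": account, "amount": amount, "reference": ref,
            "entered_by": entered_by, "approver": approver, "status": status}


BATCH = [
    _t("T001", date(2024, 3, 4), "4100", 1250.00, "INV-7781", "clerk_a", "mgr_ahmed"),
    _t("T002", date(2024, 3, 4), "4100", 1250.00, "INV-7781", "clerk_b", "mgr_lee"),    # entered twice
    _t("T003", date(2024, 2, 27), "5200", 300.00, "INV-7790", "clerk_a", "mgr_lee"),    # prior period
    _t("T004", date(2024, 3, 12), "5200", 980.00, "INV-7795", "clerk_c", "clerk_c"),    # self-approved
    _t("T005", date(2024, 3, 15), "6100", 75.00, "INV-7801", "clerk_b", "temp_user"),   # approver not authorised
    _t("T006", date(2024, 3, 20), "4100", 410.00, "INV-7810", "clerk_a", "mgr_ahmed", "rejected"),
    _t("T007", date(2024, 3, 22), "4100", 410.00, "INV-7810", "clerk_a", "mgr_ahmed"),  # re-entry after rejection
]


def example():
    """Run the checks over the constructed batch."""
    return check_batch(BATCH, PERIOD[0], PERIOD[1], APPROVERS)


if __name__ == "__main__":
    for objective, ids in example().items():
        print(f"{objective:<14} {', '.join(ids) or '-'}")
```

T007 is the corrected re-entry of the rejected T006 and is deliberately not reported as a duplicate; only the two accepted copies of INV-7781 are.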
Information Systems Control Procedures
Control procedures include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.
Examples:
• Strategy and direction.
• General organisation and management.
• Access to data and programs.
• System development and change control.
• Data processing operations.
• Systems programming and technical support functions.
• Data processing quality assurance procedures.
• Physical access controls.
• Business continuity/disaster recovery planning.
• Networks and communications.
• Database administration.
Each general control procedure can be translated into an information systems specific procedure. For example, an IS auditor can translate the general procedure on adequate safeguards over access to assets and facilities into an information systems-related set of control procedures covering access safeguards over computer programs, data and computer equipment.
Categories
• General organisation control procedures.
• Access to data and programs.
• System development methodologies.
• Data processing operations.
• Systems programming and technical support functions.
• Data processing quality assurance procedures.
CONTROLS
• Preventive.
• Detective.
• Corrective.
PREVENTIVE CONTROL
Function
• Detect problems before they arise.
• Monitor both operation and inputs.
• Attempt to predict potential problems before they occur and make adjustments.
• Prevent an error, omission or malicious act from occurring.
Examples
• Employ only qualified personnel.
• Segregate duties.
• Control access to physical facilities.
• Use well-designed documents.
• Establish suitable procedures for authorisation of transactions.
• Programmed edit checks.
• Use of access control software that allows only authorised personnel to access sensitive files.
DETECTIVE CONTROLS
Function
Controls that detect that an error, omission or malicious act has occurred and report the occurrence.
Examples
• Hash totals.
• Check points in production jobs.
• Echo controls in telecommunications.
• Error messages over tape labels.
• Duplicate checking of calculations.
• Periodic performance reporting with variances.
• Past due account reports.
• Internal audit functions.
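Hash totals, the first detective control listed above, worked through as an added example that is not part of the course material: the sender computes a record count, a financial total and a hash total (the meaningless sum of a non-financial field, here the account number) over the batch, and the receiver recomputes them; which of the three totals disagree tells the auditor whether a record was lost or which field was altered. The record layout and the batch contents are constructed for this illustration.

```python
"""Batch control totals as a detective control: record count, financial total and a
hash total over a non-financial field. Records and field names are constructed."""
from decimal import Decimal


def batch_totals(records):
    """Control totals for a batch of {"account", "amount"} records.
    The hash total has no business meaning; it exists only to be compared."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def reconcile(expected, received_records):
    """Recompute the totals over the received batch and report which controls failed,
    with the explanation each pattern of failure points to."""
    actual = batch_totals(received_records)
    failed = [k for k in expected if expected[k] != actual[k]]
    if not failed:
        finding = "batch agrees with control totals"
    elif "record_count" in failed:
        finding = "record lost or added: record count differs"
    elif "hash_total" in failed and "financial_total" not in failed:
        finding = "account number altered: hash total differs, financial total agrees"
    elif "financial_total" in failed and "hash_total" not in failed:
        finding = "amount altered: financial total differs, hash total agrees"
    else:
        finding = "record content changed: both totals differ"
    return {"failed": failed, "finding": finding, "expected": expected, "actual": actual}


# Constructed batch as prepared by the sending department.
SENT = [
    {"account": "100234", "amount": "1250.00"},
    {"account": "100877", "amount": "300.00"},
    {"account": "200451", "amount": "980.00"},
    {"account": "100234", "amount": "75.00"},
]
EXPECTED = batch_totals(SENT)  # count 4, financial 2605.00, hash 501796


def scenarios():
    """Three constructed transmission/processing faults, reconciled against EXPECTED."""
    transposed = [dict(r) for r in SENT]
    transposed[2]["account"] = "200415"          # digits transposed in one account number
    dropped = SENT[:1] + SENT[2:]                # second record lost in transit
    altered = [dict(r) for r in SENT]
    altered[2]["amount"] = "908.00"              # amount keyed wrongly on re-entry
    return {
        "transposed_account": reconcile(EXPECTED, transposed),
        "dropped_record": reconcile(EXPECTED, dropped),
        "altered_amount": reconcile(EXPECTED, altered),
        "intact": reconcile(EXPECTED, SENT),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:<20} failed={result['failed']} -> {result['finding']}")
```

A hash total catches the transposition that the financial total cannot see, which is why both are carried with the batch; neither total is a security control against a deliberate attacker who can recompute them, so they detect errors and omissions rather than tampering.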
CORRECTIVE CONTROLS
Functions
• Minimize the impact of a threat.
• Remedy problems discovered by detective controls.
• Identify the cause of a problem.
• Correct errors arising from a problem.
• Modify the processing system(s) to minimize future occurrence of the problem.
Examples
• Contingency planning.
• Back-up procedures.
• Re-run procedures.
PERFORMING AN IS AUDIT
Objectives
• Audit program and phases.
• Audit risk and materiality.
• Audit objectives.
• Evidence.
AUDIT PROGRAM AND PHASES
Adequate planning is the necessary first step in performing effective IS audits. The IS auditor must assess the overall risks and then develop an audit program that consists of objectives and audit procedures which will satisfy those objectives. Audit management must ensure the availability of adequate audit resources and a schedule for performing the audits and for follow-up reviews on the status of corrective actions taken by management.
CLASSIFICATION OF AUDITS
FINANCIAL AUDITS
The purpose of a financial audit is to assess the correctness of financial statements or records.
OPERATIONAL AUDIT
An operational audit is designed to evaluate the internal control structure in a given area.
INTEGRATED AUDITS
A comprehensive audit combines both financial and operational audit steps.
ADMINISTRATIVE AUDITS
They are oriented to assess issues related to the efficiency of operational productivity within an organisation.
INFORMATION SYSTEMS AUDIT
The process of collecting and evaluating evidence to determine whether an information system safeguards assets, maintains data integrity, achieves organisational goals effectively and consumes resources efficiently.
GENERAL AUDIT PROCEDURES
• Risk assessment and audit planning.
• Individual audit planning.
• Preliminary review of audit area.
• Obtaining and recording an understanding of the audit area/subject.
• Evaluating the audit area/subject.
• Compliance testing.
• Substantive testing.
• Reporting.
• Follow-up.
AUDIT METHODOLOGY
An audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. A product of the audit process is an audit program, which becomes a guide for documenting the various audit steps performed and the extent and types of evidential matter reviewed. It provides a trail of the process used to perform the audit as well as accountability for performance.
AUDIT PHASES
SUBJECT
Identify the area to be audited.
OBJECTIVE
Identify the purpose of the audit.
SCOPE
Identify the specific systems, function or unit of the organisation to be included in the review.
PREAUDIT PLANNING
Identify technical skills and resources needed. Identify the sources of information for test or review, such as functional flow-charts, policies, standards, procedures and prior audit work papers. Identify locations or facilities to be audited.
AUDIT PROCEDURES AND STEPS FOR DATA GATHERING
• Identify and select the audit approach to verify and test the controls.
• Identify a list of individuals to interview.
• Identify and obtain department policies, standards and guidelines for review.
• Develop audit tools and methodology to test and verify controls.
PROCEDURES FOR EVALUATING THE TEST OR REVIEW RESULTS
Organisation specific.
PROCEDURES FOR COMMUNICATION WITH MANAGEMENT
Organisation specific.
AUDIT REPORT PREPARATION
• Identify follow-up review procedures.
• Identify procedures to evaluate/test operational efficiency and effectiveness.
• Identify procedures to test controls.
• Review and evaluate the soundness of documents, policies and procedures.
AUDIT RISK & MATERIALITY
RISK BASED AUDIT APPROACH
This approach is used to assess risk and to assist an IS auditor's decision to do either compliance testing or substantive testing. Within this concept, inherent risk, control risk or detection risk need not be assessed as high, despite some weaknesses. In a risk-based audit approach, IS auditors are not just relying on risk; they are also relying on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost/benefit analysis of the control to the known risk, allowing practical choices.
RISK BASED AUDIT APPROACH
Gather Information and Plan
• Knowledge of business and industry.
• Prior year's audit results.
• Recent financial information.
• Regulatory statutes.
• Inherent risk assessment.
Obtain Understanding of Internal Control
• Control environment.
• Control procedures.
• Detection risk assessment.
• Control risk assessment.
• Equate total risk.
Perform Compliance Tests
• Test policies and procedures.
• Test segregation of duties.
Perform Substantive Tests
• Analytical procedures.
• Detailed tests of account balances.
• Other substantive audit procedures.
Conclude the Audit
Recommendations and audit report.
CATEGORIES OF AUDIT RISK
Inherent Risk
The risk that an error exists which could be material or significant when combined with other errors encountered during the audit, assuming that there are no related compensating controls. Inherent risk exists independently of an audit and can occur because of the nature of the business.
Control Risk
The risk that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls.
Detection Risk
The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do. Detection of an error would not be determined during the risk assessment phase of an audit. However, identifying detection risk helps to evaluate and assess the auditor's ability to test, identify and correctly assess material errors as the result of a test.
Overall Audit Risk
Overall audit risk is the combination of the individual categories of audit risk assessed for each specific control objective. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so that the overall audit risk is at a sufficiently low level at the completion of the examination. Another objective is to assess and control those risks to achieve the desired level of assurance as efficiently as possible.
RISK ASSESSMENT TECHNIQUES
The IS auditor faces a large variety of audit subjects, each of which may represent a different type of audit risk. The IS auditor should evaluate these various risk candidates to determine the high-risk areas that should be audited first.
BENEFITS OF RISK ASSESSMENT
• Enables effective use of limited resources.
• Ensures that relevant information has been obtained.
• Establishes a basis for effectively managing the audit department.
• Provides a summary of how the individual audit subject is related to the overall organisation as well as to the business plans.
Selecting and Testing Key Controls
The auditor needs to understand the control requirements of the business operation before assessing control strengths and weaknesses. The IS auditor's initial review objective for an information system should be to identify key controls. The IS auditor should keep in mind that the key controls must have been present throughout the year, not only at the time of the review.
AUDIT OBJECTIVES
Audit objectives refer to the specific goals of the audit, which often centre around substantiating that internal controls exist to minimise business risks. A key element in planning an information systems audit is to translate basic audit objectives into specific information systems audit objectives.
TESTING: Substantive vs Compliance
A compliance test determines whether controls are being applied in a manner that complies with management policies and procedures. The broad objective of any compliance test is to provide auditors with reasonable assurance that a particular control, on which the IS auditor plans to rely, is operating as the IS auditor perceived it in the preliminary evaluation.
A substantive test substantiates the integrity of actual processing. It provides evidence of the validity and propriety of the balances in the financial statements and of the transactions that directly affect financial statement balances.
AUDIT FLOW CHART
• Review the system to identify controls.
• Test compliance to determine whether controls are functioning.
• Evaluate the controls to determine the basis for reliance and the nature, scope and timing of substantive tests.
• Use two types of substantive tests to evaluate the validity of the data:
  1. Tests of balances and transactions.
  2. Analytical review procedures.
EVIDENCE
Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives. Determinants for evaluating the reliability of audit evidence include:
• Independence of the provider of the evidence.
• Qualifications of the individual providing the information or evidence.
• Objectivity of the evidence.
TECHNIQUES FOR GATHERING EVIDENCE
• Review Information Systems organisation structures.
• Review Information Systems documentation standards. The IS auditor should look for a minimum level of information systems documentation, which may include:
  • Systems development initiating documents (e.g. feasibility study).
  • Functional requirements and design specifications.
  • Test plans and reports.
  • Program and operations documents.
  • User manuals.
  • Operations manuals.
  • Security-related documents (e.g. security plans, risk management).
  • Quality assurance reports.
• Interview appropriate personnel.
• Observe processes and employee performance.
SAMPLING
Sampling is used when time and cost considerations preclude a total verification of all transactions and events in a predefined population. Sampling is used to infer characteristics of a population from the characteristics of a subset of it that is examined. The subset of population members is called a SAMPLE.
SAMPLING APPROACHES
Statistical Sampling is an objective method of determining the sample size and selection criteria. The IS auditor quantitatively decides how closely the sample should represent the population and the number of times in 100 the sample should represent the population. It is expressed as a percentage.
Non-statistical Sampling uses auditor judgment to determine the method of sampling, the number of items that will be examined from a population and which items to select.
PRIMARY METHODS OF SAMPLING
Attribute Sampling is a sampling model that is used to estimate the rate (percentage) of occurrence of a specific quality (attribute) in a population. It is generally applied in compliance testing situations.
Variable Sampling, also known as dollar estimation or mean estimation sampling, is a technique used to estimate the dollar value or some other unit of measure, such as weight, of a population from a sample portion. It is generally applied in substantive testing situations.
Examples of Attribute Sampling
Stop-or-go Sampling is a sampling model that helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment.
Discovery Sampling is a sampling model that can be used when the expected occurrence rate is extremely low. Discovery sampling is most often used when the objective of the audit is to seek out (discover) frauds, circumvention of regulations or other irregularities.
Examples of Variable Sampling
Stratified mean per unit is a sampling model in which the population is divided into groups and samples are drawn from the various groups. Stratified mean sampling is used to produce a smaller overall sample size, relative to unstratified mean per unit.
Unstratified mean per unit is a statistical model whereby a sample mean is calculated and projected as an estimated total.
Difference Estimation is used to estimate the total difference between audited values and book (unaudited) values on a sample obtained.
Few Terms of Sampling
Confidence coefficient is a percentage expression of the probability that the characteristics of the sample are a true representation of the population. The greater the confidence coefficient, the larger the sample size.
Level of Risk is 1 minus the confidence coefficient.
Precision represents the acceptable range of difference between the sample and the actual population. The higher the precision amount, the smaller the sample size and the greater the risk of fairly large errors going undetected. The smaller the precision amount, the greater the sample size.
Expected Error Rate is an estimate of the errors that might exist. The greater the expected error rate, the greater the sample size. This applies only to attribute sampling.
Sample Mean is the sum of all sample values divided by the size of the sample. It measures the average value of the sample.
Sample Standard Deviation computes the variance of the sample values from the sample mean. It measures the spread or dispersion of the sample values.
Tolerable Error Rate is used to describe the maximum misstatement or number of errors that can exist without an account being materially misstated.
Population Standard Deviation is a mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. This applies to variable sampling only.
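The sample-size relationships and the variable-sampling estimators defined above, carried through as an added example that is not part of the course material. The attribute and variable sample sizes use the standard normal-approximation formulas (an assumption: the module states the relationships but not a formula); the discovery sample size follows directly from requiring at least one occurrence to appear with the chosen confidence. All input figures are constructed.

```python
"""Sampling computations: attribute, discovery and variable sample sizes, sample
statistics, and the mean-per-unit, stratified and difference estimators. The
normal-approximation formulas are an assumption, not taken from the module."""
import math

# Two-sided normal deviate for common confidence coefficients (1 - level of risk).
Z = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def attribute_sample_size(confidence, expected_error_rate, precision):
    """Compliance test: n = z^2 * p(1-p) / precision^2, p = expected error rate,
    precision = acceptable +/- range around the sample rate. Rounded up."""
    z = Z[confidence]
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / precision ** 2)


def discovery_sample_size(confidence, occurrence_rate):
    """Smallest n such that at least one occurrence appears with the given confidence:
    1 - (1 - p)^n >= C, hence n >= ln(1 - C) / ln(1 - p)."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - occurrence_rate))


def variable_sample_size(confidence, population_std_dev, population_size, precision_amount):
    """Mean-per-unit substantive test: n = (z * sigma * N / A)^2, where A is the
    acceptable precision amount on the projected population total."""
    z = Z[confidence]
    return math.ceil((z * population_std_dev * population_size / precision_amount) ** 2)


def sample_statistics(values):
    """Sample mean and sample standard deviation (n - 1 denominator)."""
    n = len(values)
    mean = sum(values) / n
    variance = sum((v - mean) ** 2 for v in values) / (n - 1) if n > 1 else 0.0
    return mean, math.sqrt(variance)


def unstratified_mean_per_unit(sample_values, population_size):
    """Project the sample mean over the whole population as an estimated total."""
    return sample_statistics(sample_values)[0] * population_size


def stratified_mean_per_unit(strata):
    """strata: list of (stratum_size, sample_values); each stratum is projected separately."""
    return sum(sample_statistics(values)[0] * size for size, values in strata)


def difference_estimate(book_total, sample_book, sample_audited, population_size):
    """Project the mean (audited - book) difference over the population, added to book total."""
    diffs = [a - b for a, b in zip(sample_audited, sample_book)]
    return book_total + sample_statistics(diffs)[0] * population_size


def example():
    """Constructed inputs showing how each term moves the sample size and estimate."""
    return {
        "attribute 95%, p=5%, precision 3%": attribute_sample_size(0.95, 0.05, 0.03),
        "attribute 95%, p=5%, precision 5% (coarser precision, smaller n)": attribute_sample_size(0.95, 0.05, 0.05),
        "attribute 95%, p=10%, precision 3% (higher expected error, larger n)": attribute_sample_size(0.95, 0.10, 0.03),
        "attribute 99%, p=5%, precision 3% (higher confidence, larger n)": attribute_sample_size(0.99, 0.05, 0.03),
        "discovery 95% to find a 1% occurrence": discovery_sample_size(0.95, 0.01),
        "discovery 95% to find a 0.5% occurrence": discovery_sample_size(0.95, 0.005),
        "variable 95%, sigma=15, N=1000, A=2000": variable_sample_size(0.95, 15, 1000, 2000),
        "variable 95%, sigma=30, N=1000, A=2000 (larger sigma, larger n)": variable_sample_size(0.95, 30, 1000, 2000),
        "unstratified mean per unit, N=1000": unstratified_mean_per_unit([120, 80, 100, 95, 105], 1000),
        "stratified mean per unit": stratified_mean_per_unit([(100, [1000, 1200]), (900, [50, 60, 40])]),
        "difference estimate, book 100000": difference_estimate(100000, [100] * 5, [98, 100, 97, 100, 95], 1000),
    }


if __name__ == "__main__":
    for label, value in example().items():
        print(f"{label:<70} {value}")
```

The discovery figure (299 items to be 95% sure of seeing a 1% occurrence at least once) is the reason discovery sampling is reserved for very low expected rates: halving the rate to 0.5% doubles the sample to 598.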
COMPUTER ASSISTED AUDIT COMPUTER ASSISTED AUDIT TECHNIQUESTECHNIQUES
ObjectivesObjectives
•Computer Assisted Audit.
•Continuous Audit
Computerisation Effects Computerisation Effects Two Broad Areas Two Broad Areas
NamelyNamely
Evidence Collection
Evidence Evaluation
RequirementsRequirementsAudit ToolsAudit Tools
Generalised Audit Tools.
Customised Audit Tools.
GENERALISED AUDIT GENERALISED AUDIT SOFTWARESOFTWARE
• To undertake evidence collection work in different hardware/software environments.
• To develop an audit capability quickly.
• To minimize the need of technical knowledge.
GENERALIZED AUDIT GENERALIZED AUDIT SOFTWARESOFTWARE
• File access functions• File reorganization functions• Selection functions• Statistical functions• Arithmetic functions• Stratification and frequency analysis
functions• File creation and updating functions• Reporting functions
Generalized Audit Software
Audit Tasks accomplished
• Examine the quality of data
• Examine the quality of system processes
• Examine the existence of the entities the data purports to represent
• Undertake analytical review
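As an added example (not part of the course slides) of the sample statistics defined above and of the generalised audit software functions listed (file access, selection, statistical, stratification and frequency analysis), the following Python code runs those functions over a constructed payables file; the file contents, the amount bands in STRATA and the function names are assumptions.

```python
import csv
import io
import statistics
from collections import Counter

# Constructed payables transaction file (sample data, not from any real system).
SAMPLE_FILE = """txn_id,vendor,amount,approver
1001,ACME,1250.00,jsmith
1002,ACME,980.50,jsmith
1003,GLOBEX,15400.00,jsmith
1004,INITECH,45.99,mlee
1005,GLOBEX,7200.00,mlee
1006,INITECH,310.00,
1007,ACME,52000.00,jsmith
1008,GLOBEX,860.00,mlee
"""

# Amount bands used for stratification: [low, high) in currency units (assumed).
STRATA = [(0, 1000), (1000, 10000), (10000, float("inf"))]

def read_transactions(text):
    """File access function: parse the CSV text into dicts with numeric amounts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = float(row["amount"])
    return rows

def sample_statistics(rows):
    """Statistical functions: sample mean and sample standard deviation of amounts."""
    amounts = [row["amount"] for row in rows]
    return {"n": len(amounts),
            "mean": round(statistics.mean(amounts), 2),
            "stdev": round(statistics.stdev(amounts), 2)}

def stratify(rows):
    """Stratification: count and total of the transactions in each amount band."""
    bands = {}
    for low, high in STRATA:
        in_band = [row["amount"] for row in rows if low <= row["amount"] < high]
        bands[(low, high)] = {"count": len(in_band), "total": round(sum(in_band), 2)}
    return bands

def frequency_by_vendor(rows):
    """Frequency analysis: number of transactions per vendor."""
    return Counter(row["vendor"] for row in rows)

def select_for_review(rows, threshold):
    """Selection function: items with no approver or an amount above the threshold."""
    return [row["txn_id"] for row in rows
            if not row["approver"] or row["amount"] > threshold]
```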
Generalized Audit Software
Functional Limitations
• Permits auditors to undertake only ex-post auditing and not concurrent auditing
• Has limited capabilities for verifying processing logic
• Has a limited use to determine the propensity of an application system to make errors
Why Customised Audit Software?
Unavailability of Generalised Software.
Efficiency.
Functional Limitations.
Increased Understanding of Systems.
Increased Auditor Independence.
Opportunity For Easy Implementation.
Need For Audit Tools
Gathers Data.
Safeguards Assets.
Protects Data Integrity.
Evaluates System Efficiency And Effectiveness.
Reduces the level of audit risk.
Greater Independence to the Auditor.
Broader and more consistent audit coverage.
Faster availability of information.
Cost saving over time.
Improved exception identification.
Enhanced Sampling.
TYPES OF CAATs
• Which evaluate application systems with test data.
• Which select transactions for audit review.
• Which trace or map the changing states of application systems as they undertake production processing.
Types of CAATs
• EX POST AUDITING.
• CONTINUOUS AUDITING.
Examples of CAATs
For Ex Post Auditing
Generalised Audit Software.
Customised Audit Software.
Specialized audit utilities.
High level languages.
Expert Systems.
Neural Networks.
Examples of CAATs
Generalized Audit Software
A major tool that provides a means to gain access to and manipulate data maintained on computer storage media.
Expert Systems
Software applications developed to hold a base of expert knowledge and logic provided by experts in a given field. Such software applications permit the computerised use of the decision-making processes of these experts.
Examples of CAATs
Standard Utilities
Resident in software packages that specify the status of parameters used to install the package.
Specialised Audit Software
Used to perform specific audit steps for the IS auditor, to fulfil a specific set of audit tasks, such as sampling.
Parallel Simulations
Parallel simulation involves the IS auditor writing a program to replicate those application processes that are critical to an audit opinion and using this program to reprocess application system data.
Examples of CAATs
Snapshots
This technique involves taking “pictures” of a transaction as it flows through the computer system. Audit software routines are embedded at different points in the processing logic to capture images of the transaction as it progresses through various stages of processing. This technique permits the IS auditor to track data and evaluate the computer processes applied to this data throughout the various stages of processing.
Continuous and Intermittent Simulation
The computer system, during a process run of a transaction, simulates the instruction execution of the application. As each transaction is entered, the simulator decides whether the transaction meets certain predetermined criteria and, if so, audits the transaction.
Examples of CAATs
System Control Audit Review File
Involves embedding audit software modules within an application system to provide continuous monitoring of the system’s transactions.
Software Library Package
Verifies the integrity and appropriateness of program changes.
Integrated Test Facilities
Involves setting up dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy.
SNAPSHOTS
Involves taking pictures of the processing path that a transaction follows from the input to the output stage.
The transactions are tagged by applying identifiers to input data, and selected information about what occurs is recorded.
SNAPSHOT IMPLEMENTATION
• Locating the snapshot points within the application system
• When to capture snapshots of transactions
• Reporting of the snapshot data that is captured
[Figure: snapshot flow. Transactions enter the input validation program (snapshot points 1, 2, 3), which writes an input error file, an error report and the valid transactions; the update program reads the sorted transaction file and the input master file (snapshot points 4, 5, 6, 7, 8) and writes the output master file, an output error file and the update report; the report program (snapshot point 9) produces the management reports. Each program also writes a snapshot report.]
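An added example, not from the course material, of the snapshot technique: audit routines embedded at three numbered points capture images of tagged transactions as they pass through validation and update, and a report lists the images captured for one transaction. The transaction batch, master file and function names are constructed assumptions.

```python
import copy

# Constructed transaction batch and master file (sample data). "audit_tag" marks
# the transactions the auditor has tagged for tracing through the snapshot points.
TRANSACTIONS = [
    {"txn_id": "T1", "account": "A100", "amount": 500.0, "audit_tag": True},
    {"txn_id": "T2", "account": "A200", "amount": -50.0, "audit_tag": True},
    {"txn_id": "T3", "account": "A100", "amount": 1200.0, "audit_tag": False},
]
MASTER = {"A100": 1000.0, "A200": 250.0}

SNAPSHOT_LOG = []   # the snapshot report file written by the embedded routines

def snapshot(point, txn, **state):
    """Snapshot routine embedded at a numbered point: capture an image of the
    transaction (plus any processing state) only if the transaction is tagged."""
    if txn.get("audit_tag"):
        SNAPSHOT_LOG.append({"point": point, "txn_id": txn["txn_id"],
                             "image": copy.deepcopy(txn), **state})

def input_validation(txn, master):
    """Input validation program with snapshot points 1 and 2."""
    snapshot(1, txn, stage="before validation")
    valid = txn["amount"] > 0 and txn["account"] in master
    snapshot(2, txn, stage="after validation", valid=valid)
    return valid

def update(txn, master):
    """Update program with snapshot point 3, recording balances before and after."""
    before = master[txn["account"]]
    master[txn["account"]] = before + txn["amount"]
    snapshot(3, txn, stage="after update",
             balance_before=before, balance_after=master[txn["account"]])

def run_batch(transactions, master):
    """Validate then update each transaction; returns the ids rejected at validation."""
    SNAPSHOT_LOG.clear()
    rejected = []
    for txn in transactions:
        if input_validation(txn, master):
            update(txn, master)
        else:
            rejected.append(txn["txn_id"])
    return rejected

def snapshot_report(txn_id):
    """Reporting: the ordered (point, stage) images captured for one transaction."""
    return [(s["point"], s["stage"]) for s in SNAPSHOT_LOG if s["txn_id"] == txn_id]
```

A tagged transaction rejected at validation (T2) shows images at points 1 and 2 only, which tells the auditor exactly where it left the processing path.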
SYSTEM CONTROL AUDIT REVIEW FILE
It involves embedding audit software modules within a host application system to provide continuous monitoring of the system’s transactions.
Systems Control Audit Review File and Embedded Audit Module (SCARF)
• DESIGN DECISIONS
– Information to be collected by embedded audit routines
– Reporting system to be used
[Figure: SCARF. The update program, containing the SCARF embedded audit routines, reads the transaction file and the input master file and writes the output master file, the update reports and the SCARF file; the SCARF reporting system produces audit reports from the SCARF file.]
INFORMATION TO BE COLLECTED BY SCARF
• Application System Errors
• Policy and procedural variances
• System exceptions
• Statistical samples
• Snapshots and extended records
• Profiling data
• Performance measurement data
CONTINUOUS AND INTERMITTENT SIMULATION
It is used whenever application systems use a database management system. Continuous and Intermittent Simulation uses the database management system to trap exceptions.
CONTINUOUS AND INTERMITTENT SIMULATION
• DBMS reads an application system transaction and passes it to CIS
• DBMS provides to CIS all data requested by the application system to process the selected transaction
• Every update to the database is checked by CIS
• Exceptions identified by CIS are written to a log file
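An added example (not the course's own code) that serves both the SCARF slides above and the CIS steps just listed: audit routines embedded in the update path check every update before it is applied, recording system exceptions, policy variances and a statistical sample in an audit log that a reporting function groups by category. The master file, approval limits, transactions and the EmbeddedAuditModule class are constructed assumptions.

```python
# Constructed master file, approval limits and transaction batch (sample data).
MASTER = {"A100": 1000.0, "A200": 250.0}
APPROVAL_LIMITS = {"L1": 5000.0, "L2": 25000.0}
TRANSACTIONS = [
    {"txn_id": "T1", "account": "A100", "amount": 400.0, "approval": "L1"},
    {"txn_id": "T2", "account": "A300", "amount": 75.0, "approval": "L1"},
    {"txn_id": "T3", "account": "A200", "amount": 9000.0, "approval": "L1"},
    {"txn_id": "T4", "account": "A200", "amount": -10000.0, "approval": "L2"},
]

class EmbeddedAuditModule:
    """Audit routines embedded in the update path. Every update is checked before
    it is applied; exceptions and samples are written to the audit log (SCARF file)."""
    def __init__(self, sample_every=2):
        self.log = []
        self.sample_every = sample_every
        self.checked = 0

    def check(self, txn, master):
        """Return True if the update may proceed; log what the auditor asked for."""
        if txn["account"] not in master:                  # system exception
            self.log.append(("system_exception", txn["txn_id"], "unknown account"))
            return False
        limit = APPROVAL_LIMITS[txn["approval"]]
        if txn["amount"] > limit:                         # policy variance
            self.log.append(("policy_variance", txn["txn_id"],
                             "amount exceeds %s approval limit" % txn["approval"]))
        if master[txn["account"]] + txn["amount"] < 0:    # procedural variance
            self.log.append(("policy_variance", txn["txn_id"], "balance would go negative"))
        self.checked += 1
        if self.checked % self.sample_every == 0:         # statistical sample
            self.log.append(("statistical_sample", txn["txn_id"], "selected for testing"))
        return True

def update_program(transactions, master, audit):
    """Host update program: the update path hands each transaction and the data it
    needs to the audit module before the master file is changed (as CIS does)."""
    applied = []
    for txn in transactions:
        if audit.check(txn, master):
            master[txn["account"]] += txn["amount"]
            applied.append(txn["txn_id"])
    return applied

def audit_report(audit):
    """SCARF reporting system: log entries grouped by the category collected."""
    report = {}
    for category, txn_id, detail in audit.log:
        report.setdefault(category, []).append((txn_id, detail))
    return report
```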
CIS Vs Parallel Simulation
Continuous and Intermittent Simulation:
• Provides an online auditing capability
• Fewer program instructions
• Lower input/output overheads
• Difficult to implement
Parallel Simulation:
• Provides a batch auditing capability
• More program instructions
• Higher input/output overheads
• Relatively easier to implement
EVIDENCE EVALUATION
• The IS auditor considers a series of strengths and weaknesses and then develops audit opinions and recommendations.
• Apply professional care in evaluating audit strengths and weaknesses.
• Assess the results of the evidence gathered for compliance with the control requirements or objectives established during the planning stage.
• Use of a control matrix.
• Evaluation of compensating controls in the system.
MATERIALITY OF FINDINGS
• Potential effect of the findings if no corrective action is taken.
• Apply judgment as to which findings are material to the various levels of management, and report them accordingly.
COMMUNICATION OF RESULTS
• The IS auditor is responsible only to top management and to the audit committee of the board of directors.
• Consideration should be given to discussing the findings with management staff.
• The format of the audit report varies by organisation.
AUDIT REPORT STRUCTURE AND CONTENTS
• Statement of audit objectives and scope.
• The period of audit coverage.
• Statement on the nature and extent of audit procedures examined during the audit.
• Communicate reservations/qualifications.
• Conclusion and the overall evidence gathered during the audit.