ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.


Transcript of ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Page 1: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

ISA Review Course, Module 7: Information Systems Auditing, Security and Control Standards

Page 2:

Need for Information Systems Auditing

• Need to control the use of Computers.

• High costs of errors.

• Computer Abuse.

• Possibility of loss of data processing.

• Value of personnel.

• Maintain privacy.

• Cost of incorrect decision making.

Page 3:

Information Systems Auditing Defined

Information Systems auditing is the process of collecting and evaluating evidence to determine whether Information Systems:

• Safeguard assets.

• Maintain data integrity.

• Allow organisational goals to be achieved effectively.

• Use resources efficiently.

Page 4:

Information Systems Auditing: Change in Evidence Collection

Page 5:

Information Systems Auditing: Change in Evidence Evaluation

Page 6:

Audit Mission

• Defines the purpose of the audit.

Page 7:

Steps an IS auditor could take to gain an understanding of the business include:

• Touring key organisation facilities.

• Reading background material including industry publications, annual reports and independent financial analysis reports.

• Reviewing long-term strategic plans.

• Interviewing key managers to understand business issues.

• Studying applicable regulatory reports or regulations.

• Reviewing prior reports.

Page 8:

IS Audit Standards & Guidelines

• Standards – mandatory requirements for IS auditing and reporting.

• Guidelines – provide guidance in applying the IS auditing standards. The IS auditor should consider them in determining how to achieve implementation of the standards.

• Procedures – provide examples of procedures an IS auditor might follow in an audit engagement on how to meet the standards when doing information systems auditing work, but do not set requirements.

Page 9:

Audit Charter

Defines the Objectives, Authority, Responsibility and Accountability of the Audit Function.

Auditing Standards

Page 10:

Auditing Standards

Independence

• Professional Independence

• Organizational Relationship

Page 11:

Auditing Standards

Professional Ethics and Standards

• Code of Professional Ethics

• Due Professional Care

Page 12:

Auditing Standards

Competence

• Skills and Knowledge

• Continuing Professional Education

Page 13:

Auditing Standards

Planning

• Audit Planning

Performance of Audit Work

• Supervision

• Evidence

Page 14:

Auditing Standards

Reporting

• Contents

• Form

Follow-up Activities

• Review previous relevant findings.

• Review previous conclusions and recommendations.

LOG ON www.isaca.org/stand1.htm

Page 15:

RISK

The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/ damage and to the estimated frequency of the threat.

Page 16:

RISK

Elements of Risk:

1. Assets

2. Threats

3. Vulnerabilities

4. Impacts

5. Overall Risk

6. Residual Risk

Page 17:

1. ASSETS

• Information and Data.

• Hardware.

• Software.

• Services.

• Documents.

• Personnel.

Page 18:

2. THREATS

• A threat is some action or event that can lead to a loss.

• The result of vulnerability analysis is a list of threats.

Page 19:

THREATS

• Unreliable Systems

  • Hardware failures.

  • Software failures.

  • Personnel failures.

• Disaster

  • Natural.

  • Financial.

• Hostile Action

  • External.

  • Internal.

Page 20:

3. VULNERABILITIES

The result of threat analysis is vulnerabilities.

• Lack of knowledge.

• Lack of security functionality.

• Poor choice of passwords.

• Untested technology.

• Transmission over unprotected communications.

Page 21:

4. IMPACTS

All threats that actually happen result in a loss of one sort or another. In commercial organisations, threats usually result in a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term.

Page 22:

IMPACTS

• Direct loss of money.

• Breach of legislation.

• Loss of reputation or goodwill.

• Endangering of staff or customers.

• Breach of confidence.

• Loss of business opportunity.

• Reduction in operational efficiency/performance.

• Interruption of business activity.

Page 23:

5. OVERALL RISK

Once the elements of risk have been established, they are combined to form an overall view of risk. A common method of combining the elements is to calculate IMPACT x PROBABILITY for each threat, which gives a measure of OVERALL RISK.

Page 24:

CONTROL ASSESSMENT

Existing controls have to be evaluated and new controls, if required, have to be designed to achieve the acceptable level of risk.

• Preventive Control.

• Detective Control.

• Manual Control.

• Programmed/Automated Control.

Page 25:

6. RESIDUAL RISK

The remaining level of risk once controls have been implemented. Risk in excess of this level should be reduced by the implementation of more stringent controls. Risks below this level should be evaluated, and a cost-benefit analysis may be done to decide whether controls should be implemented.
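The IMPACT x PROBABILITY scoring from the previous slide, the residual-risk rule above and the cost-benefit decision, worked through in code. This is an added example, not material from the course; every threat, control and threshold figure in it is constructed.

```python
"""Added example (not from the course slides): scoring threats as
IMPACT x PROBABILITY, ranking them, and deciding whether a control is
worth implementing once residual risk and cost are considered.
All threat, control and threshold figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float       # loss per occurrence, in currency units
    probability: float  # expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Fraction of the threat's probability the control removes (0..1).
    # This models a preventive control; a corrective control would
    # reduce impact instead.
    probability_reduction: float


def overall_risk(threat: Threat) -> float:
    """IMPACT x PROBABILITY: the annualised expected loss from one threat."""
    return threat.impact * threat.probability


def residual_risk(threat: Threat, control: Control) -> float:
    """Risk remaining once the control has been implemented."""
    remaining_probability = threat.probability * (1.0 - control.probability_reduction)
    return threat.impact * remaining_probability


def rank_threats(threats):
    """Highest overall risk first: these areas are treated (and audited) first."""
    return sorted(threats, key=overall_risk, reverse=True)


def control_is_justified(threat: Threat, control: Control, acceptable_risk: float) -> bool:
    """Risk above the acceptable level must be reduced regardless of cost;
    below it, implement the control only if the risk it removes exceeds its cost."""
    if overall_risk(threat) > acceptable_risk:
        return True
    risk_removed = overall_risk(threat) - residual_risk(threat, control)
    return risk_removed > control.annual_cost


# Constructed sample register (figures are illustrative only).
THREATS = [
    Threat("Natural disaster", impact=1_000_000.0, probability=0.005),
    Threat("Hardware failure", impact=8_000.0, probability=2.0),
    Threat("Weak password compromised", impact=50_000.0, probability=0.4),
    Threat("Interception on unprotected link", impact=200_000.0, probability=0.05),
]
ACCESS_CONTROL_SOFTWARE = Control("Access control software", annual_cost=6_000.0,
                                  probability_reduction=0.9)
STANDBY_HARDWARE = Control("Standby hardware", annual_cost=20_000.0,
                           probability_reduction=0.5)

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:35s} overall risk = {overall_risk(t):>10,.0f}")
```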

Page 26:

EVALUATION OF BUSINESS RISK AND MANAGEMENT PROCESSES

The process of risk assessment may start with an identification of information assets and the underlying systems, which generate/store, use or manipulate the assets including DATA.

Page 27:

EVALUATION OF BUSINESS RISK AND MANAGEMENT PROCESSES

This can be achieved by:

• Identifying all existing controls.

• Any new or additional controls required.

• Prioritizing all the identified risks.

• Identifying those controls that provide the most effective and efficient counter measure.

Page 28:

INFORMATION SYSTEMS CONTROLS

Objectives

• Control Objectives.

• Types of Controls.

Page 29:

INFORMATION SYSTEMS CONTROLS

Definition of Control

The policies, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Page 30:

INFORMATION SYSTEMS CONTROLS

Control Objectives

A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity.

Page 31:

Control Objectives: Internal Control Objectives

Internal Accounting Controls

They concern the safeguarding of the assets and the reliability of financial records.

Operational Controls

Concerned with the day-to-day operations, functions and activities and ensure the operation is meeting the business objectives.

Page 32:

Control Objectives: Internal Control Objectives

Administrative Controls

Concerned with operational efficiency in a functional area and adherence to management policies. Administrative controls support the operational controls specifically concerned with operating efficiency and adherence to organisational policies.

Page 33:

Control Objectives: Internal Control Objectives

• Safeguarding of assets.

• Compliance with corporate policies or regulatory and legal requirements.

• Authorisation of the input.

• Accuracy and completeness of processing of transactions.

• Accuracy, completeness and security of the output.

• Reliability of the process.

• Backup / recovery.

• Efficiency and effectiveness of the operation.

Contd…

Page 34:

Control Objectives: Internal Control Objectives

Contd…

• Assuring the integrity of general operating system environments, including network management and operations.

• Database integrity.

• Compliance with the users' requirements.

• Business continuity and disaster recovery.

• Compliance with corporate policies or regulatory and legal requirements.

Page 35:

Information Systems Control Objectives

• Information on automated systems is secured from improper access and kept up to date.

• Each transaction is authorised and entered only once.

• All transactions are recorded and entered into the computer for the proper period.

• All rejected transactions are reported.

• Duplicate transactions are reported.

• Files are adequately backed up to allow for proper recovery.

• All changes to operating software are approved and tested.

Page 36:

Information Systems Control Procedures

Control procedures include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

Page 37:

Information Systems Control Procedures

Examples:

• Strategy and direction.

• General organisation and management.

• Access to data and programs.

• System development and change control.

• Data processing operations.

• Systems programming and technical support functions.

• Data processing quality assurance procedures.

Continued…

Page 38:

Information Systems Control Procedures

Examples:

• Physical access controls.

• Business continuity/disaster recovery planning.

• Networks and communications.

• Database administration.

Each general control procedure can be translated into an information systems specific procedure. For example, the IS auditor can translate the general procedure on adequate safeguards over access to assets and facilities into an information systems-related set of control procedures covering access safeguards over computer programs, data and computer equipment.

Page 39:

Information Systems Control Procedures

Categories

• General organisation control procedures.

• Access to data and programs.

• System development methodologies.

• Data processing operations.

• Systems programming and technical support functions.

• Data processing quality assurance procedures.

Page 40:

CONTROLS

• Preventive.

• Detective.

• Corrective.

Page 41:

PREVENTIVE CONTROL

FUNCTION

• Detect problems before they arise.

• Monitor both operation and inputs.

• Attempt to predict potential problems before they occur and make adjustments.

• Prevent an error, omission or malicious act from occurring.

Page 42:

PREVENTIVE CONTROL

Examples

• Employ only qualified personnel.

• Segregate duties.

• Control access to physical facilities.

• Use well-designed documents.

• Establish suitable procedures for authorisation of transactions.

• Programmed edit checks.

• Use of access control software that allows only authorised personnel to access sensitive files.

Page 43:

DETECTIVE CONTROLS

Functions

Controls that detect that an error, omission or malicious act has occurred and report the occurrence.

Page 44:

DETECTIVE CONTROLS

Examples

• Hash totals.

• Check points in production jobs.

• Echo controls in telecommunications.

• Error messages over tape labels.

• Duplicate checking of calculations.

• Periodic performance reporting with variances.

• Past due account reports.

• Internal audit functions.
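Hash totals, the first detective control listed above, are easiest to see next to the control objectives on page 35 (each transaction entered only once, duplicate and rejected transactions reported). The following added example, written for this transcript and not taken from the course, recomputes a batch's record count, financial total and hash total against a control slip and reports every exception; all records and slip values are constructed.

```python
"""Added example (not from the course slides): detective batch controls.

The originating department prepares a control slip for each batch:
record count, financial total (sum of amounts) and a hash total (sum of
account numbers, meaningless by itself but sensitive to any keying
error). After data entry the same totals are recomputed; any difference
is reported rather than silently accepted. Duplicate transaction
references are reported as well (the control objective "each
transaction is entered only once"). All data below is constructed."""
from collections import Counter
from decimal import Decimal


def recompute_totals(records):
    """Compute the three control totals exactly as the slip was prepared."""
    return {
        "record_count": len(records),
        "hash_total": sum(r["account"] for r in records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal(0)),
    }


def check_batch(records, control_slip):
    """Return the list of exceptions to report; an empty list means the
    batch agrees with its control slip and contains no duplicates."""
    exceptions = []
    actual = recompute_totals(records)
    expected = {
        "record_count": control_slip["record_count"],
        "hash_total": control_slip["hash_total"],
        "financial_total": Decimal(control_slip["financial_total"]),
    }
    for name in ("record_count", "hash_total", "financial_total"):
        if actual[name] != expected[name]:
            exceptions.append(
                f"{name} mismatch: slip={expected[name]} entered={actual[name]}")
    # Every transaction reference that was keyed more than once is reported.
    for ref, times in Counter(r["ref"] for r in records).items():
        if times > 1:
            exceptions.append(f"duplicate transaction {ref} entered {times} times")
    return exceptions


# Constructed control slip for a batch of three payments.
CONTROL_SLIP = {"record_count": 3, "hash_total": 124349, "financial_total": "1525.75"}


def good_batch():
    """The batch exactly as the slip describes it."""
    return [
        {"ref": "T1001", "account": 40112, "amount": "250.00"},
        {"ref": "T1002", "account": 51230, "amount": "1200.50"},
        {"ref": "T1003", "account": 33007, "amount": "75.25"},
    ]


def transposed_batch():
    """Account 51230 keyed as 51320: count and money total still agree,
    only the hash total exposes the error."""
    batch = good_batch()
    batch[1] = {"ref": "T1002", "account": 51320, "amount": "1200.50"}
    return batch


def duplicated_batch():
    """Transposition plus T1003 keyed twice: all three totals disagree."""
    return transposed_batch() + [{"ref": "T1003", "account": 33007, "amount": "75.25"}]


if __name__ == "__main__":
    for label, batch in (("good", good_batch()), ("transposed", transposed_batch()),
                         ("duplicated", duplicated_batch())):
        print(label, check_batch(batch, CONTROL_SLIP) or "no exceptions")
```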

Page 45:

CORRECTIVE CONTROLS

Functions

• Minimize the impact of a threat.

• Remedy problems discovered by detective controls.

• Identify the cause of a problem.

• Correct errors arising from a problem.

• Modify the processing system(s) to minimize future occurrence of the problem.

Page 46:

CORRECTIVE CONTROLS

Examples

• Contingency planning.

• Back-up procedures.

• Re-run procedures.

Page 47:

PERFORMING AN IS AUDIT

Objectives

• Audit program and phases.

• Audit risk and materiality.

• Audit objectives.

• Evidence.

Page 48:

AUDIT PROGRAM AND PHASES

Adequate planning is a necessary first step in performing effective IS audits. The IS auditor must assess the overall risks and then develop an audit program that consists of objectives and audit procedures which will satisfy the objectives. Audit management must ensure the availability of adequate audit resources and a schedule for performing the audits and for follow-up reviews on the status of corrective actions taken by management.

Page 49:

CLASSIFICATION OF AUDITS

FINANCIAL AUDITS

The purpose of a financial audit is to assess the correctness of financial statements or records.

OPERATIONAL AUDIT

An operational audit is designed to evaluate the internal control structure in a given area.

INTEGRATED AUDITS

A comprehensive audit combines both financial and operational audit steps.

Page 50:

CLASSIFICATION OF AUDITS

ADMINISTRATIVE AUDITS

They are oriented to assess issues related to the efficiency of operational productivity within an organisation.

INFORMATION AUDIT

The process of collecting and evaluating evidence to determine whether an information system safeguards assets, maintains data integrity, achieves organisational goals effectively and consumes resources efficiently.

Page 51:

GENERAL AUDIT PROCEDURES

• Risk assessment and audit planning.

• Individual audit planning.

• Preliminary review of audit area.

• Obtaining and recording an understanding of audit area/subject.

• Evaluating audit area/subject.

• Compliance testing.

• Substantive testing.

• Reporting.

• Follow-up.

Page 52:

AUDIT METHODOLOGY

An audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. A product of the audit process is an audit program that becomes a guide for documenting the various audit steps performed and the extent and types of evidential matter reviewed. It provides a trail of the process used to perform the audit as well as accountability of performance.

Page 53:

AUDIT PHASES

SUBJECT

Identify the area to be audited.

OBJECTIVE

Identify the purpose of the audit.

SCOPE

Identify the specific systems, function or unit of the organisation to be included in the review.

PREAUDIT PLANNING

Identify technical skills and resources needed. Identify the sources of information for test or review, such as functional flow-charts, policies, standards, procedures and prior audit work papers. Identify locations or facilities to be audited.

Page 54:

AUDIT PHASES

AUDIT PROCEDURES AND STEPS FOR DATA GATHERING

• Identify and select the audit approach to verify and test the controls.

• Identify a list of individuals to interview.

• Identify and obtain department policies, standards and guidelines for review.

• Develop audit tools and methodology to test and verify control.

Page 55:

AUDIT PHASES

PROCEDURES FOR EVALUATING THE TEST OR REVIEW RESULTS

Organisation specific.

PROCEDURES FOR COMMUNICATION WITH MANAGEMENT

Organisation specific.

AUDIT REPORT PREPARATION

• Identify follow-up review procedures.

• Identify procedures to evaluate/ test operational efficiency and effectiveness.

• Identify procedures to test controls.

• Review and evaluate the soundness of documents, policies and procedures.

Page 56:

AUDIT RISK & MATERIALITY

RISK BASED AUDIT APPROACH

This approach is used to assess risk and to assist an IS auditor's decision to do either compliance testing or substantive testing. Within this concept, inherent risk, control risk or detection risk need not be assessed as high despite some weaknesses. In a risk-based audit approach, IS auditors are not just relying on risk; they are also relying on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost/benefit analysis of the control to the known risk, allowing practical choices.

Page 57:

RISK BASED AUDIT APPROACH

Gather Information and Plan

• Knowledge of business and industry.

• Prior year's audit results.

• Recent financial information.

• Regulatory statutes.

• Inherent risk assessment.

Page 58:

RISK BASED AUDIT APPROACH

Obtain Understanding of Internal Control

• Control environment.

• Control procedures.

• Detection risk assessment.

• Control risk assessment.

• Equate total risk.

Page 59:

RISK BASED AUDIT APPROACH

Perform Compliance Tests

• Test policies and procedures.

• Test segregation of duties.

Perform Substantive Tests

• Analytical procedures.

• Detailed tests of account balances.

• Other substantive audit procedures.

Conclude the Audit

Recommendations and audit report.

Page 60:

CATEGORIES OF AUDIT RISK

Inherent Risk

The risk that an error exists which could be material or significant when combined with other errors encountered during the audit, assuming that there are no related compensating controls. Inherent risk exists independent of an audit and can occur because of the nature of the business.

Control Risk

The risk that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls.

Contd…

Page 61:

CATEGORIES OF AUDIT RISK

Contd…

Detection Risk

The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do. Detection of an error would not be determined during the risk assessment phase of an audit. However, identifying detection risk would better evaluate and assess the auditor's ability to test, identify and correctly assess material errors as the result of a test.

Contd…

Page 62:

CATEGORIES OF AUDIT RISK

Contd…

Overall Audit Risk

Overall audit risk is the combination of the individual categories of audit risks assessed for each individual specific control objective. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so that overall audit risk is at a sufficiently low level at the completion of the examination. Another objective is to assess and control those risks to achieve the desired level of assurance as efficiently as possible.

Page 63:

RISK ASSESSMENT TECHNIQUES

The IS auditor faces a large variety of audit subjects, each of which may represent a different type of audit risk. The IS auditor should evaluate these various risk candidates to determine the high-risk areas that should be audited first.

Page 64:

BENEFITS OF RISK ASSESSMENT

• Enables effective use of limited resources.

• Ensures that relevant information has been obtained.

• Establishes a basis for effectively managing the audit department.

• Provides a summary of how the individual audit subject is related to the overall organisation as well as to the business plans.

Page 65:

Selecting and Testing Key Controls

The auditor needs to understand the control requirements of the business operation before assessing control strengths and weaknesses. The IS auditor's initial review objective of an information system should be to identify key controls. The IS auditor should keep in mind that the key controls must have been present throughout the year.

Page 66:

AUDIT OBJECTIVES

Audit objectives are the specific goals of the audit, which often centre around substantiating that internal controls exist to minimise business risks. A key element in planning an information systems audit is to translate basic audit objectives into specific information system audit objectives.

Page 67:

TESTING

Substantive vs Compliance

A compliance test determines if controls are being applied in a manner that complies with management policies and procedures. The broad objective of any compliance test is to provide auditors with reasonable assurance that a particular control, on which the IS auditor plans to rely, is operating as the IS auditor perceived in the preliminary evaluation.

A substantive test substantiates the integrity of actual processing. It provides evidence of the validity and propriety of the balances in the financial statements and of the transactions that directly affect financial statement balances.

Page 68:

AUDIT FLOW CHART

Review the system to identify controls.

Test compliance to determine whether controls are functioning.

Evaluate the controls to determine the basis for reliance and the nature, scope and timing of substantive tests.

Use two types of substantive tests to evaluate the validity of the data:

1. Tests of balances and transactions.

2. Analytical review procedures.

Page 69:

EVIDENCE

Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives. Determinants of evaluating the reliability of audit evidence include:

• Independence of the provider of the evidence.

• Qualifications of the individual providing the information or evidence.

• Objectivity of the evidence.

Page 70:

TECHNIQUES FOR GATHERING EVIDENCE

• Review Information System organisation structures.

• Review Information Systems documentation standards. The IS auditor should look for a minimum level of information systems documentation, which may include:

  • Systems development initiating documents (e.g. feasibility study).

  • Functional requirements and design specifications.

  • Test plans and reports.

  • Program and operations documents.

  • User manuals.

Contd…

Page 71:

TECHNIQUES FOR GATHERING EVIDENCE

Contd…

  • Operations manuals.

  • Security-related documents (e.g., security plans, risk management).

  • Quality assurance reports.

• Interview appropriate personnel.

• Observe processes and employee performance.

Page 72: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

SAMPLING

Sampling is used when time and cost considerations preclude a total verification of all transactions and events in a predefined population. Sampling is used to infer characteristics about a population, based on the results of examining the characteristics of a sample of the population. The subset of population members examined is called a SAMPLE.

Page 73: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

SAMPLING APPROACHES

Statistical Sampling is an objective method of determining the sample size and selection criteria. The IS auditor quantitatively decides how closely the sample should represent the population and the number of times in 100 the sample should represent the population. This is expressed as a percentage.

Non-statistical Sampling uses auditor judgment to determine the method of sampling, the number of items that will be examined from a population and which items to select.

Page 74: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

PRIMARY METHODS OF SAMPLING

Attribute Sampling is a sampling model that is used to estimate the rate (percentage) of occurrence of a specific quality (attribute) in a population. It is generally applied in compliance testing situations.

Variable Sampling, also known as Dollar Estimation or Mean Estimation sampling, is a technique used to estimate the dollar value or some other unit of measure, such as weight, of a population from a sample portion. It is generally applied in substantive testing situations.

Page 75: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

PRIMARY METHODS OF SAMPLING

Examples of Attribute Sampling

Stop-or-go Sampling is a sampling model that helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment.

Discovery Sampling is a sampling model that can be used when the expected occurrence rate is extremely low. Discovery Sampling is most often used when the objective of the audit is to seek out (discover) frauds, circumvention of regulations or other irregularities.

Page 76: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

PRIMARY METHODS OF SAMPLING

Examples of Variable Sampling

Stratified mean per unit is a sampling model in which the population is divided into groups and samples are drawn from the various groups. Stratified mean sampling is used to produce a smaller overall sample size, relative to unstratified mean per unit.

Unstratified mean per unit is a statistical model whereby a sample mean is calculated and projected as an estimated total.

Difference Estimation is used to estimate the total difference between audited values and book (unaudited) values on a sample obtained.

Page 77: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

PRIMARY METHODS OF SAMPLING

Few Terms of Sampling

Confidence coefficient is a percentage expression of the probability that the characteristics of the sample are a true representation of the population. The greater the confidence coefficient, the larger the sample size.

Level of Risk is 1 minus the confidence coefficient.

Precision represents the acceptable range of difference between the sample and the actual population. The higher the precision amount, the smaller the sample size and the greater the risk of fairly large errors going undetected. The smaller the precision amount, the greater the sample size.

Page 78: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

PRIMARY METHODS OF SAMPLING

Few Terms of Sampling

Expected Error Rate is an estimate of the errors that might exist. The greater the expected error rate, the greater the sample size. This applies only to attribute sampling.

Sample Mean is the sum of all sample values, divided by the size of the sample. It measures the average value of the sample items.

Sample Standard Deviation computes the variance of the sample values from the sample mean. It measures the spread or dispersion of the sample values.

Page 79: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

PRIMARY METHODS OF SAMPLING

Few Terms of Sampling

Tolerable Error Rate is used to describe the maximum misstatement or number of errors that can exist without an account being materially misstated.

Population Standard Deviation is a mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. This applies to variable sampling only.
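The sampling terms from the preceding slides worked through in code, as an added example that is not part of the course material. The sample-size formulas are the usual normal-approximation ones (attribute and mean-per-unit) and the at-least-one-hit formula for discovery sampling; the input values are constructed.

```python
"""Sampling arithmetic for the terms on the sampling slides (added example)."""
import math
from statistics import NormalDist, mean, stdev


def z_for_confidence(confidence):
    """Two-sided z value for a confidence coefficient such as 0.95.
    Level of risk is 1 - confidence; half of it sits in each tail."""
    return NormalDist().inv_cdf(1 - (1 - confidence) / 2)


def attribute_sample_size(confidence, expected_error_rate, precision):
    """Attribute (compliance) sampling, normal approximation: items needed
    to estimate an occurrence rate to within +/- precision (e.g. 0.02)."""
    z = z_for_confidence(confidence)
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / precision ** 2)


def discovery_sample_size(confidence, critical_rate):
    """Discovery sampling: smallest sample that finds at least one occurrence
    with probability >= confidence if the true rate is at least critical_rate
    (the expected rate is near zero, so a single hit is what matters)."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


def mean_per_unit_sample_size(confidence, population_size, pilot_values,
                              precision_total):
    """Variable sampling: sample size for a mean-per-unit estimate whose
    projected total is within +/- precision_total (same unit as the values).
    The sample standard deviation of a pilot sample stands in for the
    population standard deviation; a larger deviation means a larger sample."""
    z = z_for_confidence(confidence)
    sd = stdev(pilot_values)
    return math.ceil((z * sd * population_size / precision_total) ** 2)


def unstratified_mean_per_unit(population_size, sample_values):
    """Project the sample mean to an estimated population total."""
    return population_size * mean(sample_values)


def stratified_mean_per_unit(strata):
    """strata: list of (stratum_population_size, stratum_sample_values);
    each stratum is projected separately and the projections are summed."""
    return sum(n_h * mean(values) for n_h, values in strata)


def difference_estimate(population_size, book_total, sampled_pairs):
    """sampled_pairs: (book_value, audited_value) for each sampled item;
    the mean difference is projected to the population and added to the
    book total."""
    diffs = [audited - book for book, audited in sampled_pairs]
    return book_total + population_size * mean(diffs)
```

Raising the confidence coefficient or the expected error rate, or tightening the precision, all increase the attribute sample size, which is the relationship the slides state in words.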

Page 80: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

COMPUTER ASSISTED AUDIT TECHNIQUES

Objectives

• Computer Assisted Audit.

• Continuous Audit.

Page 81: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Computerisation affects two broad areas, namely:

• Evidence Collection

• Evidence Evaluation

Page 82: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Requirements: Audit Tools

• Generalised Audit Tools.

• Customised Audit Tools.

Page 83: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

GENERALISED AUDIT SOFTWARE

• To undertake evidence collection work in different hardware/software environments.

• To develop an audit capability quickly.

• To minimize the need of technical knowledge.

Page 84: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

GENERALIZED AUDIT SOFTWARE

• File access functions

• File reorganization functions

• Selection functions

• Statistical functions

• Arithmetic functions

• Stratification and frequency analysis functions

• File creation and updating functions

• Reporting functions

Page 85: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Generalized Audit Software

Audit Tasks accomplished

• Examine the quality of data

• Examine the quality of system processes

• Examine the existence of the entities the data purports to represent

• Undertake analytical review

Page 86: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Generalized Audit Software

Functional Limitations

• Permits auditors to undertake only ex-post auditing and not concurrent auditing

• Has limited capabilities for verifying processing logic

• Has limited use for determining the propensity of an application system to make errors

Page 87: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Why Customised Audit Software?

• Unavailability of Generalised Software.

• Efficiency.

• Functional Limitations.

• Increased Understanding of Systems.

• Increased Auditor Independence.

• Opportunity For Easy Implementation.

Page 88: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Need For Audit Tools

• Gathers Data.

• Safeguards Assets.

• Protects Data Integrity.

• Evaluates System Efficiency And Effectiveness.

• Reduces the level of audit risk.

• Greater Independence to the Auditor.

• Broader and more consistent audit coverage.

• Faster availability of information.

• Cost saving over time.

• Improved exception identification.

• Enhanced Sampling.

Page 89: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

TYPES OF CAATs

• CAATs which evaluate application systems with test data.

• CAATs which select transactions for audit review.

• CAATs which trace or map the changing states of application systems as they undertake production processing.

Page 90: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Types of CAATs

• EX POST AUDITING

• CONTINUOUS AUDITING.

Page 91: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Examples of CAATs

For Ex Post Auditing:

• Generalised Audit Software.

• Customised Audit Software.

• Specialized audit utilities.

• High level languages.

• Expert Systems.

• Neural Networks.

Page 92: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Examples of CAATs

Generalized Audit Software: A major tool that provides a means to gain access to and manipulate data maintained on computer storage media.

Expert Systems: Software applications developed to hold a base of expert knowledge and logic provided by experts in a given field. Such applications permit the computerised use of the decision-making processes of these experts.

Page 93: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Examples of CAATs

Standard Utilities: Resident in software packages; they report the status of the parameters used to install the package.

Specialised Audit Software: Used to perform specific audit steps for the IS auditor, to fulfil a specific set of audit tasks, such as sampling.

Parallel Simulation: Involves the IS auditor writing a program to replicate those application processes that are critical to an audit opinion and using this program to reprocess the application system's data.

Page 94: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Examples of CAATs

Snapshots

This technique involves taking "pictures" of a transaction as it flows through the computer system. Audit software routines are embedded at different points in the processing logic to capture images of the transaction as it progresses through the various stages of processing. This technique permits the IS auditor to track data and evaluate the computer processes applied to the data throughout the various stages of processing.

Continuous and Intermittent Simulation

The computer system, during a processing run of a transaction, simulates the instruction execution of the application. As each transaction is entered, the simulator decides whether the transaction meets certain predetermined criteria and, if so, audits the transaction.

Page 95: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Examples of CAATs

System Control Audit Review File: Involves embedding audit software modules within an application system to provide continuous monitoring of the system's transactions.

Software Library Package: Verifies the integrity and appropriateness of program changes.

Integrated Test Facilities: Involves setting up dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy.

Page 96: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

SNAPSHOTS

Page 97: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

SNAPSHOTS

Involves taking pictures of the processing path that a transaction follows from the input to the output stage.

The transactions are tagged by applying identifiers to input data, and selected information about what occurs at each stage is recorded.

Page 98: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

SNAPSHOT IMPLEMENTATION

• Locating the snapshot points within the application system

• When to capture snapshots of transactions

• Reporting of the snapshot data that is captured

Page 99: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

[Figure: input validation program with snapshot points 1, 2, 3. Inputs: transactions, input error file. Outputs: valid transactions, output error file, error report, snapshot report.]

Page 100: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

[Figure: update program with snapshot points 4, 5, 6, 7, 8 and report program with snapshot point 9. Inputs: input master file, sorted transaction file. Outputs: output master file, update report, management reports, and a snapshot report from each program.]
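The snapshot technique of the preceding slides as an added example (not code from the course): tagged transactions are photographed at numbered snapshot points in an input validation program and an update program, and the images make up the snapshot report. The programs, point numbering and sample transactions are constructed for the example and only follow the diagrams loosely.

```python
"""Snapshot technique (added example): transactions tagged for audit are
photographed at numbered snapshot points as they pass through the input
validation and update programs; the images form the snapshot report."""
import copy
from dataclasses import dataclass


@dataclass
class Snapshot:
    point: int      # snapshot point number, in the style of the course diagrams
    stage: str      # where in the processing path the image was taken
    txn_id: str
    image: dict     # copy of the transaction exactly as it looked there


def take_snapshot(report, point, stage, txn):
    """Embedded audit routine: only tagged transactions are recorded, so
    untagged production traffic costs nothing beyond the tag check."""
    if txn.get("audit_tag"):
        report.append(Snapshot(point, stage, txn["id"], copy.deepcopy(txn)))


def input_validation_program(txn, error_file, report):
    """Snapshot points 1 to 3: on receipt, on error, after validation."""
    take_snapshot(report, 1, "input validation: received", txn)
    if txn["amount"] <= 0:
        txn["status"] = "rejected: non-positive amount"
        take_snapshot(report, 2, "input validation: error", txn)
        error_file.append(txn)
        return None
    txn["status"] = "valid"
    take_snapshot(report, 3, "input validation: accepted", txn)
    return txn


def update_program(txn, master, report):
    """Snapshot points 4 and 5: before and after the master file update."""
    take_snapshot(report, 4, "update: before posting", txn)
    master[txn["account"]] = master.get(txn["account"], 0) + txn["amount"]
    txn["balance_after"] = master[txn["account"]]
    take_snapshot(report, 5, "update: after posting", txn)


def run_snapshot_audit(transactions, master):
    """Process the transactions; return (master, error_file, snapshot_report)."""
    error_file, report = [], []
    for txn in transactions:
        valid = input_validation_program(dict(txn), error_file, report)
        if valid is not None:
            update_program(valid, master, report)
    return master, error_file, report


# Constructed sample input: T1 and T3 carry the audit tag, T2 does not.
SAMPLE_TRANSACTIONS = [
    {"id": "T1", "account": "A", "amount": 100, "audit_tag": True},
    {"id": "T2", "account": "A", "amount": 50},
    {"id": "T3", "account": "B", "amount": -5, "audit_tag": True},
]
```

Because each image is a deep copy, the report shows the transaction as it was at that point even though later stages modify the same record, which is what lets the auditor compare the before and after states of each processing step.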

Page 101: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

SYSTEM CONTROL AUDIT REVIEW FILE

It involves embedding audit software modules within a host application system to provide continuous monitoring of the system’s transactions.

Page 102: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

Systems Control Audit Review File and Embedded Audit Module (SCARF)

• DESIGN DECISIONS

  – Information to be collected by embedded audit routines

  – Reporting system to be used

Page 103: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

[Figure: update program containing SCARF embedded audit routines. Inputs: transaction file, input master file. Outputs: output master file, update reports. The routines write to the SCARF file, which the SCARF reporting system turns into audit reports.]

Page 104: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

INFORMATION TO BE COLLECTED BY SCARF

• Application system errors

• Policy and procedural variances

• System exceptions

• Statistical samples

• Snapshots and extended records

• Profiling data

• Performance measurement data
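The two SCARF design decisions (what to collect, how to report it) as an added example that is not the course's own code: an embedded audit routine inside a constructed update program writes records of several of the categories above to a SCARF file, and a small reporting system summarises that file. The approval limit, sampling interval, timing threshold and transactions are constructed for the example.

```python
"""SCARF embedded audit module (added example): the host update program calls
an embedded audit routine for every transaction; the routine appends records
to the SCARF file, and a reporting system summarises them for the auditor."""
from collections import Counter

# Constructed policy parameters for the example
APPROVAL_LIMIT = 10_000   # postings above this need a named approver
SAMPLE_EVERY = 4          # every 4th transaction is kept as a statistical sample
SLOW_MS = 500             # processing time above this is a performance exception


def scarf_routine(seq, txn, master, scarf_file):
    """Embedded audit routine: decides what to collect for one transaction.
    It only observes; the host application still decides what to post."""
    def collect(category, detail):
        scarf_file.append({"seq": seq, "txn": txn["id"],
                           "category": category, "detail": detail})

    # Application system errors: the transaction cannot be applied as given
    if txn["account"] not in master:
        collect("application_error", "account not on master file")
    # Policy and procedural variances: processable, but outside policy
    if txn["amount"] > APPROVAL_LIMIT and not txn.get("approver"):
        collect("policy_variance", "over approval limit with no approver")
    # System exceptions: the posting would breach a system rule
    if txn["account"] in master and master[txn["account"]] + txn["amount"] < 0:
        collect("system_exception", "posting would overdraw the account")
    # Performance measurement data: unusually slow processing
    if txn.get("elapsed_ms", 0) > SLOW_MS:
        collect("performance_exception", f"took {txn['elapsed_ms']} ms")
    # Statistical samples: every nth transaction regardless of content
    if seq % SAMPLE_EVERY == 0:
        collect("statistical_sample", dict(txn))


def update_program(transactions, master, scarf_file):
    """Host application: runs the audit routine, then posts what it can."""
    for seq, txn in enumerate(transactions, start=1):
        scarf_routine(seq, txn, master, scarf_file)
        if txn["account"] in master:
            master[txn["account"]] += txn["amount"]
    return master


def scarf_reporting_system(scarf_file):
    """Reporting system: counts per category plus the transactions flagged
    for follow-up (statistical samples are not exceptions, so they are
    listed separately by the counts only)."""
    return {"by_category": dict(Counter(r["category"] for r in scarf_file)),
            "flagged": sorted({r["txn"] for r in scarf_file
                               if r["category"] != "statistical_sample"})}


SAMPLE_TRANSACTIONS = [  # constructed input
    {"id": "T1", "account": "A", "amount": 12_000},                      # no approver
    {"id": "T2", "account": "Z", "amount": 10},                          # unknown account
    {"id": "T3", "account": "B", "amount": -900, "elapsed_ms": 800},     # overdraw, slow
    {"id": "T4", "account": "A", "amount": 15_000, "approver": "cfo"},   # 4th: sampled
]
```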

Page 105: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

CONTINUOUS AND INTERMITTENT SIMULATION

It is used whenever application systems use a database management system. Continuous and Intermittent Simulation uses the database management system to trap exceptions.

Page 106: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

CONTINUOUS AND INTERMITTENT SIMULATION

• DBMS reads an application system transaction and passes it to CIS

• DBMS provides to CIS all data requested by the application system to process the selected transaction

• Every update to the database is checked by CIS

• Exceptions identified by CIS are written to a log file

Page 107: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

CIS Vs Parallel Simulation

CIS:

• Provides an online auditing capability

• Number of program instructions is less

• Input/output overheads are less

• Difficult to implement

Parallel Simulation:

• Provides a batch auditing capability

• Number of program instructions is more

• Input/output overheads are more

• Relatively easier to implement
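CIS and parallel simulation side by side, as an added example that is not the course's own code: the same auditor-written simulation of a posting rule is run online inside a toy DBMS update path (CIS, only for transactions meeting a predetermined criterion) and afterwards in batch over the whole transaction file (parallel simulation). The posting rule, the application's constructed defect (a 2% fee where the rule book says 1%), and the data are all constructed for the example.

```python
"""CIS versus parallel simulation (added example). The application under
audit has a constructed defect; CIS catches it on the selected update as it
happens, parallel simulation catches it in the closing balances afterwards."""

FEE_RATE_PER_RULE_BOOK = 0.01   # constructed rule: 1% fee on withdrawals over 1000


def post(balance, txn, fee_rate):
    """Posting rule: withdrawals (negative amounts) over 1000 pay a fee."""
    amount = txn["amount"]
    fee = fee_rate * -amount if amount < 0 and -amount > 1000 else 0.0
    return balance + amount - fee


def application_post(balance, txn):     # application logic: defect charges 2%
    return post(balance, txn, 0.02)


def simulate_post(balance, txn):        # auditor's simulation of the rule book
    return post(balance, txn, FEE_RATE_PER_RULE_BOOK)


class CIS:
    """Continuous and Intermittent Simulation hooked into the DBMS."""
    def __init__(self, select):
        self.select = select   # predetermined criteria: which transactions to audit
        self.log = []          # exception log file

    def check(self, account, old_balance, new_balance, txn):
        if not self.select(txn):
            return             # not selected: intermittent, no work for this update
        expected = simulate_post(old_balance, txn)
        if abs(expected - new_balance) > 0.005:
            self.log.append({"txn": txn["id"], "account": account,
                             "expected": expected, "actual": new_balance})


class DBMS:
    """Minimal DBMS: every update passes through CIS before it is committed."""
    def __init__(self, master, cis=None):
        self.master, self.cis = dict(master), cis

    def update(self, account, new_balance, txn):
        if self.cis:   # DBMS hands CIS the transaction and the data it needs
            self.cis.check(account, self.master[account], new_balance, txn)
        self.master[account] = new_balance


def application_run(dbms, transactions):
    for txn in transactions:
        old = dbms.master[txn["account"]]
        dbms.update(txn["account"], application_post(old, txn), txn)
    return dbms.master


def parallel_simulation(opening_master, transactions, closing_master):
    """Batch reprocessing after the run: accounts whose closing balance
    differs from the simulated one, as {account: (simulated, actual)}."""
    sim = dict(opening_master)
    for txn in transactions:
        sim[txn["account"]] = simulate_post(sim[txn["account"]], txn)
    return {a: (sim[a], closing_master[a]) for a in sim
            if abs(sim[a] - closing_master[a]) > 0.005}


OPENING = {"A": 5000.0, "B": 500.0}   # constructed opening master file
TRANSACTIONS = [                        # constructed transaction file
    {"id": "T1", "account": "A", "amount": -2000.0},
    {"id": "T2", "account": "B", "amount": 100.0},
    {"id": "T3", "account": "A", "amount": -500.0},
]


def demo():
    """Returns (CIS exception log, parallel simulation differences)."""
    cis = CIS(select=lambda txn: abs(txn["amount"]) > 1000)
    closing = application_run(DBMS(OPENING, cis), TRANSACTIONS)
    return cis.log, parallel_simulation(OPENING, TRANSACTIONS, closing)
```

CIS reports the exact transaction and update that went wrong, while parallel simulation only reports that account A's closing balance is off; that is the online versus batch trade-off the slide lists.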

Page 108: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

EVIDENCE EVALUATION

• The IS auditor considers a series of strengths and weaknesses and then develops audit opinions and recommendations.

• Apply professional care in evaluating audit strengths and weaknesses.

• Assess the results of the evidence gathered for compliance with the control requirements or objectives established during the planning stage.

• Use of a control matrix.

• Evaluation of compensating controls in the system.

Page 109: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

MATERIALITY OF FINDING

• Potential effect of the findings if no corrective action is taken.

• Apply judgment as to which findings are material to the various levels of management, and report them accordingly.

Page 110: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

COMMUNICATION OF RESULTS

• The IS auditor is responsible only to top management and to the audit committee of the board of directors.

• Consideration should be given to discuss the findings with the management staff.

• Format of the Audit Report varies by organisation.

Page 111: ISA Review Course Module 7 Information Systems Auditing, Security and Control Standards.

AUDIT REPORT STRUCTURE AND CONTENTS

• Statement of audit objectives and scope.

• The period of audit coverage.

• Statement on the nature and extent of audit procedures performed during the audit.

• Communication of reservations/qualifications.

• Conclusion and the overall evidence gathered during the audit.