5 Session Five Information Technology Auditing

The document discusses information technology auditing and the IT audit process. It covers evaluating computer controls and ensuring reliability, confidentiality, security and availability of data. It also discusses careers in IT auditing and certifications for IT auditors.

Uploaded by ISAAC

Information Technology Auditing

Information technology (IT) auditing
involves evaluating the computer’s role in achieving
 audit objectives and
 control objectives
means proving that data and information are
 reliable,
 confidential,
 secure, and
 available as needed
includes attest objectives such as
 safeguarding of assets and data integrity, and
 operational effectiveness.
The IT Audit
The IT audit function encompasses
The Information Technology Audit Process
Computer-assisted audit techniques (CAATs) are used
a) when controls are weak, for substantive testing of
 transactions and
 account balances.
b) when controls are strong, for compliance testing to ensure controls are
 in place and
 working as prescribed.
Careers in Information Systems Auditing
The demand for IT auditors is growing because of
1. the increasing use of computer-based AISs,
2. systems becoming more technologically complex, and
3. the passing of the Sarbanes-Oxley bill.
IT auditing requires a variety of skills, combining
accounting and
information systems or computer science skills.
Information systems auditors
may be internal or external
can obtain professional certification as a Certified Information
Systems Auditor (CISA)
can also acquire certification as a Certified Information Security
Manager (CISM)
Careers in Information Systems Auditing
Auditors can achieve
CISA certification by completing an examination given by ISACA,
 meeting specific experience requirements,
 complying with a Code of Professional Ethics,
 undergoing continuing professional education, and
 complying with the Information Systems Auditing Standards
CISM certification, which is also granted by ISACA, evaluates knowledge
 in information security governance,
 information security program management,
 risk management,
 information security management, and
 response management.
Effectiveness of Information Systems Controls
An external auditor’s objectives are
to evaluate the risks
 to the integrity of accounting data
to make recommendations
 to managers
 to improve these controls.
Guidance in Reviewing and Evaluating IT Controls
Two guides are available to IT auditors.
The Systems Auditability and Control (SAC) report
1. identifies important information technologies and
2. the specific risks related to these technologies,
3. recommends controls to mitigate these risks, and
4. suggests audit procedures to validate these controls.

Control Objectives for Information and Related Technology (COBIT) provides guidance in
1. assessing business risks,
2. controlling for business risks, and
3. evaluating the effectiveness of controls.
Risk Assessment
A risk-based audit approach involves
Determining the threats facing the AIS (errors and irregularities)
Identifying the control procedures to prevent or detect the errors
and irregularities
Evaluating the control procedures within the AIS
1. observing system operations,
2. inspecting documents, records, and reports,
3. checking samples of system inputs and outputs, and
4. tracing transactions through the system
Evaluating weaknesses
1. identifying control deficiencies
2. determining compensating controls to make up for the
deficiency
Information Systems Risk Assessment
Information Systems Risk Assessment evaluates
1. desirability of IT controls for an aspect of business risk.
2. disaster recovery or business continuity plan
Auditors and managers must answer each of the
following questions:
1. What assets or information does the company have that
unauthorized individuals would want?
2. What is the value of these identified assets or information?
3. How can unauthorized individuals obtain valuable assets or
information?
4. What are the chances of unauthorized individuals obtaining
valuable assets or information?
The Information Technology Auditor’s Toolkit
IT auditors need to have technical skills, namely
1. an understanding of the vulnerabilities in hardware and software, and
2. the ability to use appropriate software to do their jobs, such as
3. general-use software such as
 word processing programs,
 spreadsheet software, and
 database management systems,
4. generalized audit software (GAS), and
5. automated workpaper software.
The Information Technology Auditor’s Toolkit
IT auditors also need people skills
1. to work as a team,
2. to interact with clients and other auditors, and
3. to interview many people constantly for evaluation.

Auditing with the Computer
entails using computer-assisted audit techniques (CAATs) to help
in auditing tasks and hence
 is effective and
 saves time
is virtually mandatory since
 data are stored on computer media and
 manual access is impossible.
General-Use Software
Auditors use general-use software as
productivity tools to improve their work
such as
spreadsheets and
database management systems.
Auditors use structured query language (SQL)
to retrieve a client’s data and
display these data for audit purposes.
Generalized Audit Software
Generalized audit software (GAS) packages
enable auditors to review computer files without
rewriting processing programs,
are specifically tailored to auditor tasks, and
have been developed in-house in large firms or
are available from various software suppliers.
Examples of GAS are
 Audit Command Language (ACL)
 Interactive Data Extraction and Analysis (IDEA)
People skills
The most important skills auditors need are people skills.
Auditors
1. will find that many of the audit steps are nontechnical
2. need to work in a team,
3. have to interact with clients and other auditors,
4. require strong interpersonal relationships.
5. will need to interview the CIO
Many of the controls that an IT auditor needs to evaluate have
more to do with human behavior than technology:
1. one of the best protections against viruses and worms is regularly
updated antivirus software, but
2. it is even more important to check whether the security administrator
is checking for virus updates and patches on a regular basis.
Auditing the Computerized AIS
1. Testing Computer Programs
2. Validating Computer Programs
3. Review of Systems Software
4. Validating Users and Access Privileges
5. Continuous Auditing
In an IT audit, auditors should meet the following objectives:
Security provisions protect computer
equipment, programs, communications, and data from
unauthorized access, modification, or destruction.
1. Program development and acquisition are performed
in accordance with management’s authorization.
2. Program modifications have authorization and
approval from management.
3. Processing of transactions, files, reports, and other computer
records is accurate and complete.
4. Source data that are inaccurate or improperly authorized are
identified and handled according to prescribed managerial
policies.
5. Computer data files are accurate, complete, and confidential.
Auditing Computerized AIS - Auditing Around the Computer
Auditing around the computer
1. assumes that accurate output verifies
proper processing operations
2. pays little or no attention to the control
procedures within the IT environment
3. is generally not an effective approach to
auditing a computerized environment.
Auditing Computerized AIS - Auditing Through the Computer
Five techniques used to audit a computerized AIS
are:
1. use of test data, integrated test facility, and parallel
simulation to test programs,
2. use of audit techniques to validate computer programs,
3. use of logs and specialized control software to
review systems software,
4. use of documentation to validate
user accounts and access privileges, and
5. use of embedded audit modules to achieve
continuous auditing.
Testing Computer Programs - Test Data
The auditor’s responsibility is to
develop test data
 that test the range of exception situations,
arrange the data in preparation for computerized
processing,
complete the audit test by
 comparing the results with a predetermined set of answers, and
investigate further if the results do not agree.
Test data
can check whether program edit test controls are in place and
working, and
can be developed using software programs called test
data generators.
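The test-data technique, as an added example that is not from the slides: a constructed order-entry edit routine stands in for the client program, the auditor's test data pair each exception case with its predetermined answer, and a comparison reports any result that disagrees. Customer codes, field names and limits are assumptions.

```python
VALID_CUSTOMERS = {"C100", "C200"}                 # constructed customer master file
CREDIT_LIMIT = {"C100": 5000.0, "C200": 1000.0}    # constructed credit limits
MAX_UNAPPROVED_DISCOUNT = 0.10                     # assumed policy threshold

def edit_order(order: dict) -> list[str]:
    """Stand-in for the client's input edit program: returns the edit-test
    rejections for one order record (an empty list means the record is accepted)."""
    errors = []
    cust = order.get("customer")
    qty = order.get("quantity", 0)
    if cust not in VALID_CUSTOMERS:
        errors.append("INVALID_CUSTOMER")
    if not isinstance(qty, int) or qty <= 0:
        errors.append("QUANTITY_RANGE")
    if order.get("discount", 0.0) > MAX_UNAPPROVED_DISCOUNT and not order.get("approved_by"):
        errors.append("DISCOUNT_NOT_AUTHORIZED")
    amount = qty * order.get("unit_price", 0.0) if isinstance(qty, int) else 0.0
    if cust in CREDIT_LIMIT and amount > CREDIT_LIMIT[cust]:
        errors.append("CREDIT_LIMIT_EXCEEDED")
    return errors

# Auditor-developed test data: (case name, input record, predetermined answer).
# The cases deliberately cover the range of exception situations, not only normal input.
TEST_DATA = [
    ("normal order", {"customer": "C100", "quantity": 5, "unit_price": 10.0}, []),
    ("unknown customer", {"customer": "C999", "quantity": 1, "unit_price": 10.0}, ["INVALID_CUSTOMER"]),
    ("zero quantity", {"customer": "C100", "quantity": 0, "unit_price": 10.0}, ["QUANTITY_RANGE"]),
    ("non-numeric quantity", {"customer": "C100", "quantity": "ten", "unit_price": 10.0}, ["QUANTITY_RANGE"]),
    ("over credit limit", {"customer": "C200", "quantity": 200, "unit_price": 10.0}, ["CREDIT_LIMIT_EXCEEDED"]),
    ("unapproved discount", {"customer": "C100", "quantity": 1, "unit_price": 10.0, "discount": 0.25},
     ["DISCOUNT_NOT_AUTHORIZED"]),
    ("approved discount", {"customer": "C100", "quantity": 1, "unit_price": 10.0, "discount": 0.25,
                           "approved_by": "MGR1"}, []),
]

def run_test_data(program=edit_order, cases=TEST_DATA) -> list[tuple[str, list[str], list[str]]]:
    """Run every case through the program and return (case, expected, actual) for each
    disagreement; an empty list means the edit controls are in place and working."""
    discrepancies = []
    for name, record, expected in cases:
        actual = program(record)
        if actual != expected:
            discrepancies.append((name, expected, actual))
    return discrepancies

def weakened_edit(order: dict) -> list[str]:
    """A constructed program version whose discount-authorization check was removed,
    to show how a disagreement surfaces and points the auditor to investigate further."""
    return [e for e in edit_order(order) if e != "DISCOUNT_NOT_AUTHORIZED"]
```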
Testing Computer Programs - Integrated Test Facility
An integrated test facility (ITF)
1. establishes a fictitious entity such as a
department, branch, customer, or employee,
2. enters transactions for that entity, and
3. observes how these transactions are processed.
4. is effective in evaluating integrated online
systems and complex programming logic, and
5. aims to audit an AIS in an operational setting.
Testing Computer Programs -Integrated Test Facility
The auditor’s role is to examine the results of transaction processing
to find out how well the AIS does the tasks required of it by
introducing artificial transactions into the data processing stream of
the AIS.
In parallel simulation, the auditor uses live input data, rather than
test data, in a program which
 is written or controlled by the auditor and
 simulates all or some of the operations of the real program that
is actually in use.
The auditor
 needs to understand the client system,
 should possess sufficient technical knowledge, and
 should know how to predict the results.
Parallel simulation eliminates the need to prepare a set of test data,
but can be very time-consuming and thus cost-prohibitive; it usually
involves replicating only certain critical functions of a program.
Validating Computer Programs
Auditors must validate any program presented to them to thwart a clever
programmer’s dishonest program.
Procedures that assist in program validation are
tests of program change control, which
1. are procedures to protect against unauthorized
program changes,
2. begin with an inspection of the documentation,
3. include program authorization forms to be filled in, and
4. ensure accountability and adequate
supervisory controls
program comparison, which
1. guards against unauthorized program tampering and
2. performs certain control total tests of program authenticity
 using a test of length
 using a comparison program
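The program-comparison control totals described above, as an added example that is not from the slides: a length check and a SHA-256 digest are recorded for each program in an authorized library and compared against the copies in production. The program names and contents are constructed sample data.

```python
import hashlib

def control_totals(program: bytes) -> tuple[int, str]:
    """Control totals for one program image: its length (the test of length) and a
    SHA-256 digest, which the comparison step uses to detect same-length changes."""
    return len(program), hashlib.sha256(program).hexdigest()

def build_baseline(library: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """Record control totals for every program in the authorized (baseline) library."""
    return {name: control_totals(image) for name, image in library.items()}

def compare_library(baseline: dict[str, tuple[int, str]],
                    current: dict[str, bytes]) -> dict[str, str]:
    """Compare the programs now in use against the baseline and return one finding
    per program that does not match; programs with no entry are unchanged."""
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings[name] = "MISSING"            # authorized program no longer present
        elif name not in baseline:
            findings[name] = "UNAUTHORIZED_ADDITION"
        else:
            base_len, base_hash = baseline[name]
            cur_len, cur_hash = control_totals(current[name])
            if cur_len != base_len:
                findings[name] = "LENGTH_MISMATCH"   # caught by the test of length alone
            elif cur_hash != base_hash:
                findings[name] = "CONTENT_CHANGED_SAME_LENGTH"  # length test would miss this
    return findings

# Constructed sample libraries (not real programs): the authorized copies held by the
# auditor and the copies found in the production program library.
AUTHORIZED = {
    "payroll.exe": b"PAYROLL v3.1 compute_gross_pay compute_tax",
    "ap_post.exe": b"AP_POST v2.0 post_invoices",
    "gl_close.exe": b"GL_CLOSE v1.4 close_period",
    "ar_age.exe": b"AR_AGE v1.0 age_receivables",
}
IN_PRODUCTION = {
    "payroll.exe": b"PAYROLL v3.1 compute_gross_pay compute_tax",     # unchanged
    "ap_post.exe": b"AP_POST v2.0 post_invoicez",                     # one byte altered, same length
    "gl_close.exe": b"GL_CLOSE v1.4 close_period extra_routine",      # code appended
    "util.exe": b"UTIL v0.1",                                         # not in the authorized library
}

def audit_findings() -> dict[str, str]:
    """Run the comparison program over the constructed sample."""
    return compare_library(build_baseline(AUTHORIZED), IN_PRODUCTION)
```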
Review of Systems Software
Systems software includes
1. operating system software,
2. utility programs,
3. program library software, and
4. access control software.
Auditors should review systems software documentation.
Systems software can generate incident reports, which list events
that are unusual or interrupt operations, such as
1. security violations (such as unauthorized access
attempts),
2. hardware failures, and
3. software failures.
Validating Users and Access Privileges
The IT auditor
1. needs to verify that the software parameters are set
appropriately
2. must make sure that IT staff are using them
appropriately
3. needs to make sure that all users
 are valid and
 each has access privileges appropriate to their job
There is a variety of auditor software tools, which can
 scan settings and databases and
 make the work more efficient.
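An added example (not from the slides) of validating users, access privileges and software parameters: a constructed extract of an access-control user table is reconciled against an HR roster and an assumed role-to-privilege matrix, and the software's parameters are checked against assumed policy values.

```python
# Constructed HR roster: employee id -> (job role, still employed?)
HR_ROSTER = {"E001": ("AP_CLERK", True), "E002": ("PAYROLL_ADMIN", True), "E003": ("AP_CLERK", False)}
# Assumed approved privilege matrix: the privileges each job role is entitled to.
ROLE_PRIVILEGES = {"AP_CLERK": {"AP_ENTER", "AP_VIEW"},
                   "PAYROLL_ADMIN": {"PAY_RUN", "PAY_VIEW", "PAY_MAINT"}}
# Constructed extract of the access-control software's user table.
SYSTEM_USERS = [
    {"user": "jdoe", "employee": "E001", "privileges": {"AP_ENTER", "AP_VIEW"}},
    {"user": "asmith", "employee": "E002", "privileges": {"PAY_RUN", "PAY_VIEW", "PAY_MAINT", "AP_ENTER"}},
    {"user": "bold", "employee": "E003", "privileges": {"AP_VIEW"}},
    {"user": "svc_tmp", "employee": None, "privileges": {"PAY_RUN"}},
]
# Constructed access-control parameters as currently set, and the values the auditor
# expects (assumed policy values; each check is a predicate plus a description for the report).
SYSTEM_PARAMETERS = {"min_password_length": 6, "lockout_threshold": 0, "session_timeout_min": 15}
PARAMETER_CHECKS = [
    ("min_password_length", lambda v: v >= 12, ">= 12"),
    ("lockout_threshold", lambda v: 1 <= v <= 5, "between 1 and 5"),
    ("session_timeout_min", lambda v: 0 < v <= 15, "between 1 and 15"),
]

def check_parameters(params=SYSTEM_PARAMETERS, checks=PARAMETER_CHECKS) -> list[str]:
    """Report every software parameter that is missing or not set as the auditor expects."""
    return [f"{name}={params.get(name)} (expected {desc})"
            for name, ok, desc in checks if name not in params or not ok(params[name])]

def validate_users(users=SYSTEM_USERS, roster=HR_ROSTER, matrix=ROLE_PRIVILEGES) -> dict[str, list[str]]:
    """Return findings per account: accounts that are not valid (no matching or a
    terminated employee) and privileges beyond what the holder's job entitles."""
    findings = {}
    for acct in users:
        issues = []
        emp = roster.get(acct["employee"])
        if emp is None:
            issues.append("NO_MATCHING_EMPLOYEE")
        else:
            role, active = emp
            if not active:
                issues.append("TERMINATED_EMPLOYEE")
            excess = acct["privileges"] - matrix.get(role, set())
            if excess:
                issues.append("EXCESS_PRIVILEGES:" + ",".join(sorted(excess)))
        if issues:
            findings[acct["user"]] = issues
    return findings
```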
Information Technology Auditing Today
Information technology auditing today
involves
1. Information Technology Governance
2. Auditing for Fraud—Statement on Auditing
Standards No. 99
3. The Sarbanes-Oxley Act of 2002
4. Third-Party Reliability Assurances
5. Information Systems Reliability Assurances
Information Technology Governance
Information technology governance
is the process of using IT resources
 efficiently,
 responsibly, and
 strategically.
The IT Governance Institute was
created in 1998
Information Technology Governance
The objectives of IT governance are twofold:
1. to fulfill the organizational mission and
to compete effectively, and
2. to ensure that
 IT resources are managed effectively and
 that management controls IT-related risks.
Auditing for Fraud—Statement on Auditing Standards No. 99
Earlier financial statement audits required auditors
to attest to the fairness of financial statements,
not to detect fraudulent activities.
Financial statement audits now require auditors to
attest to the fairness of financial statements,
detect fraudulent activities, and
assist a fraud investigator in many ways, such as
 where an audit trail needs to be reconstructed or
 when computerized records must be retrieved.
The Sarbanes-Oxley Act of 2002
In 2002, Congress passed the Sarbanes-Oxley Act, which
limits the services that auditors can provide to their
clients and prohibits public accounting firms from offering
nonaudit services to clients at the same time they are
conducting audits.
SOX has four groups of compliance requirements:
1. audit committee/corporate governance requirements,
2. issues regarding certification, disclosure, and internal
controls,
3. rules about financial statement reporting, and
4. regulations governing executive reporting and
conduct.
The Sarbanes-Oxley Act of 2002
The two most important provisions of SOX for auditors are
Section 302 – requiring CFOs and CEOs to
certify that their company’s financial statements
are accurate and complete
Section 404 – requiring both the CEO and CFO
to attest to their organization’s internal controls
over financial reporting
Information Systems Reliability Assurance
Auditing electronic commerce is a specialized field because of
 the skill level involved,
 the many safeguards, inherent in non-e-commerce
systems, which do not exist here,
 the lack of hard-copy documents for verification, and
 the nature of an electronic transaction, which does not guarantee
validity or authenticity.
Auditors need to
attest to this type of format to provide the traditional
assurance by
 an audit report or
 digital signature
Third-Party Assurance
Internet systems and web sites
are a source of risk for many companies,
need specialized audits of these systems, and
have created a market for third-party assurance services, which
 is limited to data privacy.
Trust Services is an assurance service. The
principles of Trust Services are
1. security,
2. availability,
3. processing integrity,
4. online privacy, and
5. confidentiality.
