Session Five: Information Technology Auditing

The document discusses information technology auditing and the IT audit process. It covers evaluating computer controls and ensuring reliability, confidentiality, security and availability of data. It also discusses careers in IT auditing and certifications for IT auditors.
Information Technology Auditing

Information technology (IT) auditing
involves evaluating the computer's role in achieving audit objectives and control objectives. Control objectives means proving that data and information are reliable, confidential, secure, and available as needed. It includes attest objectives such as safeguarding of assets, data integrity, and operational effectiveness.

The IT Audit
The IT audit function encompasses the information technology audit process. Computer-assisted audit techniques (CAATs) are used
a) when controls are weak, for substantive testing of transactions and account balances.
b) when controls are strong, for compliance testing to ensure that controls are in place and working as prescribed.

Careers in Information Systems Auditing
The demand for IT auditors is growing because of
1. the increasing use of computer-based AISs,
2. systems becoming more technologically complex, and
3. the passage of the Sarbanes-Oxley Act.
IT auditing requires a variety of skills, combining accounting with information systems or computer science skills. Information systems auditors may be internal or external, can obtain professional certification as a Certified Information Systems Auditor (CISA), and can also acquire certification as a Certified Information Security Manager (CISM).

Auditors achieve CISA certification by passing an examination given by ISACA, meeting specific experience requirements, complying with a Code of Professional Ethics, undergoing continuing professional education, and complying with the Information Systems Auditing Standards. CISM certification, also granted by ISACA, evaluates knowledge in information security governance, information security program management, risk management, information security management, and response management.

Effectiveness of Information Systems Controls
An external auditor's objectives are to evaluate the risks to the integrity of accounting data and to make recommendations to managers to improve these controls.
Guidance in Reviewing and Evaluating IT Controls
Two guides are available to IT auditors.
The Systems Auditability and Control (SAC) report
1. identifies important information technologies and
2. specific risks related to these technologies,
3. recommends controls to mitigate risks, and
4. suggests audit procedures to validate these controls.
Control Objectives for Information and Related Technology (COBIT) provides guidance in
1. assessing business risks,
2. controlling for business risks, and
3. evaluating the effectiveness of controls.

Risk Assessment
A risk-based audit approach involves
determining the threats facing the AIS: errors and irregularities;
identifying the control procedures that prevent or detect the errors and irregularities;
evaluating the control procedures within the AIS by
1. observing system operations,
2. inspecting documents, records, and reports,
3. checking samples of system inputs and outputs, and
4. tracing transactions through the system;
and evaluating weaknesses by
1. identifying control deficiencies, and
2. determining compensating controls that make up for the deficiency.

Information Systems Risk Assessment
Information systems risk assessment evaluates
1. the desirability of IT controls for an aspect of business risk, and
2. the disaster recovery or business continuity plan.
Auditors and managers must answer each of the following questions:
1. What assets or information does the company have that unauthorized individuals would want?
2. What is the value of these identified assets or information?
3. How can unauthorized individuals obtain valuable assets or information?
4. What are the chances of unauthorized individuals obtaining valuable assets or information?

The Information Technology Auditor's Toolkit
IT auditors need the technical skills to understand the vulnerabilities in
1. hardware and software, and
2. the use of appropriate software to do their jobs, including
3. general-use software such as word processing programs, spreadsheet software, and database management systems,
4. generalized audit software (GAS), and
5. automated workpaper software.
IT auditors also need people skills
1. to work as a team,
2. to interact with clients and other auditors, and
3. to interview many people constantly for evaluation.
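The toolkit above lists database query tools and generalized audit software. The following script is an added example, not code from the slides and not ACL or IDEA code: it loads a constructed accounts-payable extract into an in-memory SQLite database and runs three GAS-style tests with plain SQL, which is the kind of query an auditor writes to retrieve and examine client data. The table layout, the approval limit and the sample rows are assumptions made for the example.

```python
"""GAS-style audit queries over a client data extract (added example)."""
import sqlite3

# Constructed sample extract: (invoice number, vendor, amount, approver or None).
SAMPLE_INVOICES = [
    ("INV-1001", "Acme Supply", 4200.00, "jsmith"),
    ("INV-1002", "Acme Supply", 4200.00, "jsmith"),
    ("INV-1002", "Acme Supply", 4200.00, "jsmith"),  # exact duplicate of the row above
    ("INV-2001", "Globex", 15000.00, None),          # over the limit, no approver recorded
    ("INV-2002", "Globex", 980.50, None),            # under the limit, no approver needed
    ("INV-3001", "Initech", 7600.00, "mlee"),
]
APPROVAL_LIMIT = 10000.00  # assumed policy: amounts above this need a recorded approver


def load_extract(rows):
    """Load the extract into an in-memory database and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (invoice_no TEXT, vendor TEXT, amount REAL, approver TEXT)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", rows)
    return conn


def duplicate_payments(conn):
    """Invoices paid more than once: same vendor, invoice number and amount."""
    return conn.execute(
        """SELECT vendor, invoice_no, amount, COUNT(*) AS times_paid
           FROM invoices
           GROUP BY vendor, invoice_no, amount
           HAVING COUNT(*) > 1"""
    ).fetchall()


def unapproved_over_limit(conn, limit=APPROVAL_LIMIT):
    """Invoices above the approval limit with no approver recorded."""
    return conn.execute(
        """SELECT invoice_no, vendor, amount FROM invoices
           WHERE amount > ? AND approver IS NULL
           ORDER BY invoice_no""",
        (limit,),
    ).fetchall()


def control_total(conn):
    """Total of the extract, to be agreed to the client's ledger control total."""
    return round(conn.execute("SELECT SUM(amount) FROM invoices").fetchone()[0], 2)


def run_audit_tests(rows=SAMPLE_INVOICES):
    """Run all tests over the extract and return the findings by test name."""
    conn = load_extract(rows)
    try:
        return {
            "duplicates": duplicate_payments(conn),
            "unapproved_over_limit": unapproved_over_limit(conn),
            "control_total": control_total(conn),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, result in run_audit_tests().items():
        print(name, result)
```

Agreeing the control total to the ledger before running the other tests is the step that shows the extract itself is complete; a duplicate-payment test run over an incomplete extract proves little.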
Auditing with the Computer
entails using computer-assisted audit techniques (CAATs) to help in auditing tasks, and hence is effective and saves time. It is virtually mandatory, since data are stored on computer media and manual access is impossible.

General-Use Software
Auditors use general-use software, such as spreadsheets and database management systems, as productivity tools to improve their work. Auditors use structured query language (SQL) to retrieve a client's data and display these data for audit purposes.

Generalized Audit Software
Generalized audit software (GAS) packages enable auditors to review computer files without rewriting processing programs, are specifically tailored to auditor tasks, and have been developed in-house in large firms or are available from various software suppliers. Examples of GAS are Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA).

People Skills
The most important skills auditors need are people skills. Auditors
1. will find that many of the audit steps are nontechnical,
2. need to work in a team,
3. have to interact with clients and other auditors,
4. require strong interpersonal relationships, and
5. will need to interview the CIO.
Many of the controls that an IT auditor needs to evaluate have more to do with human behavior than with technology:
1. one of the best protections against viruses and worms is regularly updated antivirus software, but
2. it is even more important to see whether the security administrator is checking for virus updates and patches on a regular basis.

Auditing the Computerized AIS
1. Testing Computer Programs
2. Validating Computer Programs
3. Review of Systems Software
4. Validating Users and Access Privileges
5. Continuous Auditing
In an IT audit, auditors should meet the following objectives: checking the security provisions that protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction, and ensuring that
1. program development and acquisition are performed in accordance with management's authorization,
2. program modifications have authorization and approval from management,
3. processing of transactions, files, reports, and other computer records is accurate and complete,
4. source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies, and
5. computer data files are accurate, complete, and confidential.

Auditing Computerized AIS: Auditing Around the Computer
Auditing around the computer
1. assumes that accurate output verifies proper processing operations,
2. pays little or no attention to the control procedures within the IT environment, and
3. is generally not an effective approach to auditing a computerized environment.

Auditing Computerized AIS: Auditing Through the Computer
Five techniques used to audit a computerized AIS are:
1. use of test data, an integrated test facility, and parallel simulation to test programs,
2. use of audit techniques to validate computer programs,
3. use of logs and specialized control software to review systems software,
4. use of documentation to validate user accounts and access privileges, and
5. use of embedded audit modules to achieve continuous auditing.

Testing Computer Programs: Test Data
The auditor's responsibility is to
develop test data that exercise the range of exception situations,
arrange the data in preparation for computerized processing,
complete the audit test by comparing the results with a predetermined set of answers, and
investigate further if the results do not agree.
Test data can check whether program edit test controls are in place and working, and can be developed using software programs called test data generators.

Testing Computer Programs: Integrated Test Facility
An integrated test facility (ITF)
1. establishes a fictitious entity such as a department, branch, customer, or employee,
2. enters transactions for that entity, and
3. observes how these transactions are processed;
4. it is effective in evaluating integrated online systems and complex programming logic, and
5. aims to audit an AIS in an operational setting.
The auditor's role is to examine the results of transaction processing to find out how well the AIS does the tasks required of it, by introducing artificial transactions into the data processing stream of the AIS.

Testing Computer Programs: Parallel Simulation
In parallel simulation, the auditor uses live input data, rather than test data, in a program that is written or controlled by the auditor and that simulates all or some of the operations of the real program actually in use. The auditor needs to understand the client system, should possess sufficient technical knowledge, and should know how to predict the results. Parallel simulation eliminates the need to prepare a set of test data, but can be very time-consuming and thus cost-prohibitive, so it usually involves replicating only certain critical functions of a program.

Validating Computer Programs
Auditors must validate any program presented to them, to thwart a clever programmer's dishonest program. Procedures that assist in program validation are
tests of program change control, which
1. are procedures to protect against unauthorized program changes,
2. begin with an inspection of the documentation,
3. include program authorization forms to be filled out, and
4. ensure accountability and adequate supervisory controls;
and program comparison, which
1. guards against unauthorized program tampering, and
2. performs certain control total tests of program authenticity, using a test of length or a comparison program.

Review of Systems Software
Systems software includes
1. operating system software,
2. utility programs,
3. program library software, and
4. access control software.
Auditors should review systems software documentation. Systems software can generate incident reports, which list events that are unusual or interrupt operations:
1. security violations (such as unauthorized access attempts),
2. hardware failures, and
3. software failures.

Validating Users and Access Privileges
The IT auditor
1. needs to verify that the software parameters are set appropriately,
2. must make sure that IT staff are using them appropriately, and
3. needs to make sure that all users are valid and that each has access privileges appropriate to their job.
There are a variety of auditor software tools that can scan settings and databases and make the work more efficient.

Information Technology Auditing Today
Information technology auditing today involves
1. Information Technology Governance
2. Auditing for Fraud: Statement on Auditing Standards No. 99
3. The Sarbanes-Oxley Act of 2002
4. Third-Party Reliability Assurances
5. Information Systems Reliability Assurances

Information Technology Governance
Information technology governance is the process of using IT resources efficiently, responsibly, and strategically. The IT Governance Institute was created in 1998. The objectives of IT governance are twofold: to fulfill the organizational mission and compete effectively, and to ensure that IT resources are managed effectively and that management controls IT-related risks.

Auditing for Fraud: Statement on Auditing Standards No. 99
Earlier financial statement audits required auditors to attest to the fairness of financial statements, not to detect fraudulent activities. Financial statement audits now require auditors both to attest to the fairness of financial statements and to detect fraudulent activities. IT auditors can assist a fraud investigator in many ways, for example where an audit trail needs to be reconstructed or when computerized records must be retrieved.

The Sarbanes-Oxley Act of 2002
In 2002, Congress passed the Sarbanes-Oxley Act, which limits the services that auditors can provide to their clients and prohibits public accounting firms from offering certain nonaudit services to clients at the same time they are conducting audits. SOX has four groups of compliance requirements:
1. audit committee/corporate governance requirements,
2. issues regarding certification, disclosure, and internal controls,
3. rules about financial statement reporting, and
4. regulations governing executive reporting and conduct.
The two most important provisions of SOX for auditors are
Section 302, requiring CEOs and CFOs to certify that their company's financial statements are accurate and complete, and
Section 404, requiring both the CEO and CFO to attest to their organization's internal controls over financial reporting.

Information Systems Reliability Assurance
Auditing electronic commerce is a specialized field because of the skill level involved, because many of the safeguards inherent in non-e-commerce systems do not exist here, because of the lack of hard-copy documents for verification, and because an electronic transaction does not in itself guarantee validity or authenticity. Auditors need to attest to this type of transaction format in order to provide the traditional assurance, by an audit report or a digital signature.

Third-Party Assurance
Internet systems and web sites are a source of risk for many companies, need specialized audits, and have created a market for third-party assurance services, which is not limited to data privacy. Trust Services is one such assurance service. The principles of Trust Services are
1. security,
2. availability,
3. processing integrity,
4. online privacy, and
5. confidentiality.
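The test data and parallel simulation techniques described under Testing Computer Programs above, as one added example rather than code from the slides. `production_payroll` stands in for the client's program: it applies input edit checks and computes gross pay. The auditor's work is (1) a test deck that exercises the exception conditions and is compared with predetermined answers, and (2) a parallel simulation that re-processes live input with the auditor's own program and compares the two sets of results. The program is given one constructed defect (it accepts up to 99 hours although the assumed policy allows at most 80) so that both techniques have something to find. The employee master file, the pay rates, the policy limit and the records are all assumptions made for the example.

```python
"""Test data and parallel simulation against a payroll edit program (added example)."""

POLICY_MAX_HOURS = 80                            # assumed documented policy
VALID_EMPLOYEES = {"E100": 20.00, "E200": 35.50}  # constructed master file: id -> hourly rate


def production_payroll(rec):
    """Client's program (constructed). Returns ("OK", gross) or ("REJECT", reason)."""
    emp, hours = rec["emp"], rec["hours"]
    if emp not in VALID_EMPLOYEES:
        return ("REJECT", "unknown employee")
    if hours < 0 or hours > 99:      # constructed defect: the edit check should use 80
        return ("REJECT", "hours out of range")
    rate = VALID_EMPLOYEES[emp]
    overtime = max(0, hours - 40)
    gross = round(rate * (hours - overtime) + rate * 1.5 * overtime, 2)
    return ("OK", gross)


def auditor_payroll(rec):
    """Auditor-written simulation of the critical function, coded from the policy."""
    emp, hours = rec["emp"], rec["hours"]
    if emp not in VALID_EMPLOYEES:
        return ("REJECT", "unknown employee")
    if not 0 <= hours <= POLICY_MAX_HOURS:
        return ("REJECT", "hours out of range")
    rate = VALID_EMPLOYEES[emp]
    regular = min(hours, 40)
    gross = round(rate * regular + 1.5 * rate * (hours - regular), 2)
    return ("OK", gross)


# Test deck: each record paired with the auditor's predetermined answer.
TEST_DECK = [
    ({"emp": "E100", "hours": 40}, ("OK", 800.00)),
    ({"emp": "E200", "hours": 45}, ("OK", 1686.25)),   # 40 * 35.50 + 5 * 1.5 * 35.50
    ({"emp": "E100", "hours": -1}, ("REJECT", "hours out of range")),
    ({"emp": "E100", "hours": 85}, ("REJECT", "hours out of range")),  # exception case
    ({"emp": "E999", "hours": 8}, ("REJECT", "unknown employee")),
]


def run_test_data(program=production_payroll, deck=TEST_DECK):
    """Run the deck through the program; return records whose result differs from the answer."""
    exceptions = []
    for rec, expected in deck:
        actual = program(rec)
        if actual != expected:
            exceptions.append({"record": rec, "expected": expected, "actual": actual})
    return exceptions


# Constructed live input, as captured from a real pay period.
LIVE_DATA = [
    {"emp": "E100", "hours": 38},
    {"emp": "E200", "hours": 50},
    {"emp": "E100", "hours": 85},   # passed the production edit check because of the defect
]


def parallel_simulation(live=LIVE_DATA, production=production_payroll, simulation=auditor_payroll):
    """Re-process live input with the auditor's program; return mismatching records."""
    mismatches = []
    for rec in live:
        prod, sim = production(rec), simulation(rec)
        if prod != sim:
            mismatches.append({"record": rec, "production": prod, "simulation": sim})
    return mismatches


if __name__ == "__main__":
    print("test data exceptions:", run_test_data())
    print("parallel simulation mismatches:", parallel_simulation())
```

The test deck finds the defect only because an out-of-policy record was deliberately included; a deck made of valid transactions would pass. Parallel simulation finds it without any prepared data, but only for the functions the auditor bothered to replicate, which is the trade-off the slide describes.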
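Program comparison, from Validating Computer Programs above, as an added example (not code from the slides). The authorized program library records a fingerprint of each program at the point of change approval; the deployed copies are then compared against it. The example shows why a test of length alone is a weak control: a program in which one constant was changed has the same length as the approved version, so only the content comparison (here a SHA-256 digest, an assumption of this example) reports it. Program names and contents are constructed.

```python
"""Program comparison against an authorized program library (added example)."""
import hashlib


def fingerprint(program_bytes):
    """Control totals recorded at change approval: (length, SHA-256 digest)."""
    return (len(program_bytes), hashlib.sha256(program_bytes).hexdigest())


# Constructed source as signed off through the change control procedure.
AUTHORIZED_SOURCE = {
    "payroll.cbl": b"IF HOURS > 80 THEN REJECT\nCOMPUTE GROSS = RATE * HOURS\n",
    "ap_post.cbl": b"MOVE AMOUNT TO LEDGER\n",
}
AUTHORIZED_LIBRARY = {name: fingerprint(src) for name, src in AUTHORIZED_SOURCE.items()}

# Constructed copies found in the production library.
DEPLOYED = {
    "payroll.cbl": b"IF HOURS > 99 THEN REJECT\nCOMPUTE GROSS = RATE * HOURS\n",  # same length, changed
    "ap_post.cbl": b"MOVE AMOUNT TO LEDGER\n",
    "ghost.cbl": b"DISPLAY 'HELLO'\n",  # present in production, no authorization record
}


def compare_programs(authorized, deployed):
    """Return (program, finding) pairs for every authenticity exception."""
    findings = []
    for name, code in deployed.items():
        if name not in authorized:
            findings.append((name, "no authorization record"))
            continue
        auth_len, auth_digest = authorized[name]
        length, digest = fingerprint(code)
        if digest != auth_digest:
            detail = "content differs"
            if length == auth_len:
                detail += ", length unchanged"   # the length test alone would miss this
            findings.append((name, detail))
    for name in authorized:
        if name not in deployed:
            findings.append((name, "authorized program missing from production"))
    return findings


def length_test_only(authorized, deployed):
    """The weaker test of length: programs whose length differs from the approved copy."""
    return [name for name, code in deployed.items()
            if name in authorized and len(code) != authorized[name][0]]


if __name__ == "__main__":
    print("length test only:", length_test_only(AUTHORIZED_LIBRARY, DEPLOYED))
    print("comparison program:", compare_programs(AUTHORIZED_LIBRARY, DEPLOYED))
```

The comparison is only as good as the library it compares against: the fingerprints have to be taken from the copy that management actually approved and kept where the programmers being checked cannot rewrite them.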
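The third check under Validating Users and Access Privileges above (all users are valid and each has privileges appropriate to the job), as an added example that is not code from the slides. It compares a constructed extract from the access control software with a constructed HR roster and a role-to-privilege matrix, and reports the exceptions an auditor would follow up: accounts with no active HR record, privileges beyond the job role, segregation-of-duties conflicts, and dormant accounts. All user names, roles, privilege names, dates and the 90-day dormancy threshold are assumptions made for the example.

```python
"""Validating users and access privileges against HR and role records (added example)."""
from datetime import date

HR_ROSTER = {  # constructed: user id -> (job role, employment status)
    "jsmith": ("AP clerk", "active"),
    "mlee": ("AP manager", "active"),
    "tbrown": ("AP clerk", "terminated"),
}
ROLE_MATRIX = {  # constructed: job role -> privileges the role is entitled to
    "AP clerk": {"enter_invoice"},
    "AP manager": {"approve_payment", "view_reports"},
}
SOD_CONFLICTS = [  # privilege combinations that no single user may hold
    ({"enter_invoice", "approve_payment"}, "enter and approve payments"),
]
SYSTEM_USERS = {  # constructed extract from the access control software
    "jsmith": {"privs": {"enter_invoice", "approve_payment"}, "last_login": date(2024, 5, 2)},
    "mlee": {"privs": {"approve_payment", "view_reports"}, "last_login": date(2024, 5, 3)},
    "tbrown": {"privs": {"enter_invoice"}, "last_login": date(2024, 1, 9)},
    "svc_backup": {"privs": {"admin"}, "last_login": date(2023, 11, 30)},
}
AS_OF = date(2024, 6, 1)  # date of the review


def review_access(users, roster, role_matrix, sod_conflicts, as_of, dormant_days=90):
    """Return (user, finding) pairs for every exception detected."""
    findings = []
    for user, info in users.items():
        privs = info["privs"]
        hr = roster.get(user)
        if hr is None or hr[1] != "active":
            # Orphan or leaver account: nobody in HR vouches for this user.
            findings.append((user, "no active HR record"))
        else:
            role, _status = hr
            extra = privs - role_matrix.get(role, set())
            if extra:
                findings.append((user, f"privileges beyond role {role}: {sorted(extra)}"))
        for combo, description in sod_conflicts:
            if combo <= privs:  # user holds every privilege in the conflicting set
                findings.append((user, f"segregation-of-duties conflict: {description}"))
        if (as_of - info["last_login"]).days > dormant_days:
            findings.append((user, "dormant account"))
    return findings


def run_review():
    """Run the review over the constructed data."""
    return review_access(SYSTEM_USERS, HR_ROSTER, ROLE_MATRIX, SOD_CONFLICTS, AS_OF)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```

The service account `svc_backup` is reported as having no HR record because the constructed roster only lists people; in practice every non-personal account needs an owner of record, or the review cannot tell a legitimate service account from a leftover one.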