Chapters 1 To 12 - Revision - Final

class notes bsit

Uploaded by

Chouhdary Zia

Chapters 1- 12

IT Auditing, Hall, 4e

© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Controlling and Auditing Data Management Systems

o Controls over data management systems fall into two categories.
o Access controls are designed to prevent unauthorized individuals from viewing, retrieving, corrupting or destroying data.
o Backup controls ensure that the organization can recover its database in the event of data loss.

Access Controls

o A user view (subschema) is a subset of the database that defines a user's data domain and access.
o The database authorization table contains rules that limit user actions.
o User-defined procedures allow users to create a personal security program or routine.
o Data encryption procedures protect sensitive data.
o Biometric devices such as fingerprints or retina prints control access to the database.
o Inference controls should prevent users from inferring, through query options, specific data values they are unauthorized to access.
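The authorization table and the inference control described above, as an added illustration that is not code from the textbook: the toy authorization table, the sample rows and the minimum query-set size are all constructed. A query-set-size restriction is only a partial inference control (overlapping queries can still leak values), which is why the slide pairs it with the authorization table.

```python
# Added example (not from Hall's IT Auditing): a toy database authorization
# table plus an inference control. Rows, users and the minimum query-set
# size are constructed for illustration.
from statistics import mean

# Constructed sample rows: (patient_id, department, salary).
ROWS = [
    ("p1", "oncology", 52000),
    ("p2", "oncology", 61000),
    ("p3", "cardiology", 58000),
    ("p4", "cardiology", 59000),
    ("p5", "cardiology", 64000),
]

# Authorization table: user -> allowed actions and the columns in their
# user view (subschema). Constructed.
AUTH_TABLE = {
    "analyst": {"actions": {"aggregate"},
                "columns": {"department", "salary"}},
    "hr_clerk": {"actions": {"read", "aggregate"},
                 "columns": {"patient_id", "department", "salary"}},
}

MIN_QUERY_SET = 3  # inference control: refuse aggregates over fewer rows


def authorized(user, action, columns):
    """Consult the authorization table before any query is executed."""
    entry = AUTH_TABLE.get(user)
    if entry is None:
        return False
    return action in entry["actions"] and set(columns) <= entry["columns"]


def read_patient(user, patient_id):
    """Row-level read, allowed only to users whose view includes patient_id."""
    if not authorized(user, "read", ["patient_id", "department", "salary"]):
        raise PermissionError(f"{user} may not read patient rows")
    for row in ROWS:
        if row[0] == patient_id:
            return row
    return None


def average_salary(user, department):
    """Aggregate query guarded by the authorization table and by a
    minimum query-set size (inference control)."""
    if not authorized(user, "aggregate", ["department", "salary"]):
        raise PermissionError(f"{user} may not aggregate salary")
    subset = [r[2] for r in ROWS if r[1] == department]
    # An average over one or two rows would let the analyst recover an
    # individual salary that their view does not allow them to read.
    if len(subset) < MIN_QUERY_SET:
        return None  # query refused
    return mean(subset)
```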

Backup Controls in the Database Environment

o Since data sharing is a fundamental objective of the database approach, the environment is vulnerable to damage from individual users.
o Four needed backup and recovery features:
  o Backup feature makes a periodic backup of the entire database, which is stored in a secure, remote location.
  o Transaction log provides an audit trail of all processed transactions.
  o Checkpoint facility suspends all processing while the system reconciles the transaction log and database change log against the database.
  o Recovery module uses the logs and backup files to restart the system after a failure.
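The four features listed above, modelled together in memory as an added example (not the textbook's code): the account balances and transactions are constructed, and the "remote location" is just a second copy.

```python
# Added example (not from Hall's IT Auditing): backup, transaction log,
# checkpoint and recovery module for a tiny key/value "database".
import copy


class Database:
    def __init__(self, data):
        self.data = dict(data)   # live database
        self.tx_log = []         # transaction log: audit trail of every update
        self.backup = None       # periodic full backup (would be stored off-site)
        self.last_checkpoint = 0 # log entries reconciled at the last checkpoint

    def take_backup(self):
        """Backup feature: snapshot the entire database and start a new log."""
        self.backup = copy.deepcopy(self.data)
        self.tx_log = []
        self.last_checkpoint = 0

    def apply(self, tx_id, account, delta):
        """Log first, then update, so the log alone can rebuild the state."""
        self.tx_log.append({"tx": tx_id, "account": account, "delta": delta})
        self.data[account] = self.data.get(account, 0) + delta

    @staticmethod
    def _replay(snapshot, log):
        state = copy.deepcopy(snapshot)
        for e in log:
            state[e["account"]] = state.get(e["account"], 0) + e["delta"]
        return state

    def checkpoint(self):
        """Checkpoint facility: processing is suspended (no apply() runs
        here) while the log is reconciled against the live database.
        Returns the number of log entries reconciled."""
        if self._replay(self.backup, self.tx_log) != self.data:
            raise RuntimeError("transaction log and database do not reconcile")
        self.last_checkpoint = len(self.tx_log)
        return self.last_checkpoint

    def recover(self):
        """Recovery module: after a failure corrupts the live copy, restore
        the last backup and replay the transaction log over it."""
        self.data = self._replay(self.backup, self.tx_log)
        return self.data
```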
Audit Procedures for Testing Database Access Controls

o Verify DBA personnel retain responsibility for authority tables and designing user views.
o Select a sample of users and verify access privileges are consistent with job description.
o Evaluate cost and benefits of biometric controls.
o Verify database query controls to prevent unauthorized access via inference.
o Verify sensitive data are properly encrypted.
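The second procedure above (sample users, compare granted privileges with the job description) as an added reconciliation example that is not from the textbook: the job-entitlement matrix, the authorization-table export and the user names are constructed.

```python
# Added example (not from Hall's IT Auditing): audit test comparing granted
# database privileges against what each job description entitles.
import random

# Privileges each job description entitles a user to. Constructed.
JOB_ENTITLEMENTS = {
    "ar_clerk": {"ar.read", "ar.update"},
    "analyst": {"ar.read", "gl.read"},
    "dba": {"ar.read", "ar.update", "gl.read", "gl.update", "auth.admin"},
}

# Export of the database authorization table: user -> (job, granted). Constructed.
AUTH_EXPORT = {
    "alice": ("ar_clerk", {"ar.read", "ar.update"}),
    "bob": ("analyst", {"ar.read", "gl.read", "gl.update"}),    # excess privilege
    "carol": ("ar_clerk", {"ar.read"}),                          # under-provisioned
    "dave": ("dba", {"ar.read", "ar.update", "gl.read", "gl.update", "auth.admin"}),
    "erin": ("analyst", {"ar.read", "gl.read", "auth.admin"}),   # excess privilege
}


def sample_users(users, n, seed=0):
    """Draw a reproducible random sample for the auditor's working papers."""
    return sorted(random.Random(seed).sample(sorted(users), n))


def reconcile(user):
    """Compare granted privileges with the job description's entitlement."""
    job, granted = AUTH_EXPORT[user]
    entitled = JOB_ENTITLEMENTS[job]
    return {"user": user, "job": job,
            "excess": sorted(granted - entitled),    # security exposure
            "missing": sorted(entitled - granted)}   # provisioning not tracking the job


def exceptions(users):
    """Return only the findings that need follow-up."""
    return [f for f in map(reconcile, users) if f["excess"] or f["missing"]]
```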

Systems Development Life Cycle (SDLC)

Controlling and Auditing the SDLC

o Systems authorization, user specification and technical design activities.
o Internal audit participation:
  o System planning and analysis.
    o Conceptual system design impacts auditability.
    o Economic feasibility needs to be measured accurately.
  o Systems implementation.
    o Provide technical expertise with regard to accounting rules.
    o Specify documentation standards.
    o Verify control adequacy and compliance with SOX.

Controlling and Auditing the SDLC

o Before implementation, individual modules must be tested as a whole.
o Formal testing and user acceptance are considered by many auditors to be the most important control over the SDLC.
o Audit objectives are to verify:
  o SDLC activities are applied consistently and in accordance with management's policies.
  o The original system is free from material errors and fraud.
  o The system was judged necessary and justified.
  o Documentation is adequate and complete.

Controlling and Auditing the SDLC

o Audit procedures should determine:
  o Proper end user and IT management authorization.
  o Preliminary feasibility study showed the project had merit.
  o Detailed analysis of user needs was conducted.
  o Accurate cost-benefit analysis was conducted.
  o System testing occurred before implementation.
  o Checklist of specific problems determined during conversion were corrected during maintenance.
  o System documentation complies with standards.

Controlling and Auditing System Maintenance

o Upon implementation, the system enters the maintenance phase of the SDLC.
o Access to systems for maintenance increases the possibility of system errors.
o To minimize exposure, all maintenance should require: formal authorization, technical specifications of the change, retesting the system and updating the documentation.
o Source program library controls:
  o Program source code is stored on magnetic disks called the source program library (SPL), which must be properly controlled to preserve application integrity.
Controlling and Auditing the SDLC

o Worst-case situation: no controls:
  o Program access completely unrestricted, making programs subject to unauthorized change.
o Controlled SPL environment:
  o Password control and separate test libraries.
  o Audit trail and management reports that detail program modifications and program version numbers.
  o Controlled access to maintenance [SPL] commands.

Controlling and Auditing the SDLC – Audit Objectives

o Detect unauthorized program maintenance.
o Determine maintenance procedures protect applications from unauthorized changes.
o Verify applications are free from material errors.
o Verify the SPL is protected from unauthorized access.

Controlling and Auditing the SDLC - Audit Procedures

o Identify unauthorized changes:
  o Reconcile program version numbers.
  o Confirm maintenance authorization.
o Identify application errors:
  o Reconcile source code.
  o Review test results.
  o Retest the program.
o Test access to libraries:
  o Review programmer authority tables.
  o Test authority table.
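The "reconcile program version numbers", "confirm maintenance authorization" and "reconcile source code" procedures above, as one added example that is not from the textbook: the SPL contents, the maintenance authorization register and the program names are constructed, and a SHA-256 of the source stands in for the approved release's fingerprint.

```python
# Added example (not from Hall's IT Auditing): reconcile the source program
# library (SPL) against the maintenance authorization register.
import hashlib


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


# SPL contents: program -> (version number, source text). Constructed.
SPL = {
    "PAYROLL": (7, "COMPUTE GROSS = HOURS * RATE."),
    "APCHECK": (3, "IF AMOUNT > 10000 CALL APPROVE."),
    "GLPOST": (2, "MOVE DEBIT TO CREDIT."),
}

# Authorization register: version management approved and the source hash
# recorded when that version was tested and released. Constructed.
REGISTER = {
    "PAYROLL": {"version": 7, "hash": sha256("COMPUTE GROSS = HOURS * RATE.")},
    # source edited after approval (threshold changed), version untouched
    "APCHECK": {"version": 3, "hash": sha256("IF AMOUNT > 5000 CALL APPROVE.")},
    # version bumped in the SPL with no authorization on file
    "GLPOST": {"version": 1, "hash": sha256("MOVE DEBIT TO CREDIT.")},
}


def reconcile_spl(spl, register):
    """Return (program, finding) pairs for every discrepancy between the
    library and the register; an empty list means nothing to follow up."""
    findings = []
    for program, (version, source) in spl.items():
        rec = register.get(program)
        if rec is None:
            findings.append((program, "no maintenance authorization on file"))
            continue
        if version != rec["version"]:
            findings.append((program, f"version {version} in SPL, {rec['version']} authorized"))
        if sha256(source) != rec["hash"]:
            findings.append((program, "source hash differs from approved release"))
    for program in register:
        if program not in spl:
            findings.append((program, "authorized program missing from SPL"))
    return findings
```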

Information Systems Acquisition

o A well designed system can increase productivity, reduce inventories, eliminate non-value added activities, enhance customer service, improve management decisions, and coordinate organizational activities.
o Two methods of acquiring information systems:
  o In-house development.
  o Purchase commercial systems from a software vendor.

Trends in Commercial Software

o Four factors have contributed to the growth of the commercial software market:
  o Relatively low cost for general purpose software.
  o Industry-specific vendors.
  o Growing demand from businesses too small to afford in-house development.
  o Downsizing units and the move to distributed data processing have increased appeal to larger organizations.
o Turnkey systems are finished, tested and ready for implementation.

Commercial Systems

o Advantages:
  o Can be implemented almost immediately once the need is recognized.
  o Cost is a fraction of the cost of in-house development.
  o Reliability, since the software is pretested and less likely to have errors than in-house systems.
o Disadvantages:
  o Firm is dependent on the vendor for maintenance.
  o When user needs are unique and complex, the software may be too general or inflexible.
  o May be difficult or impossible to modify if user needs change.
o A company may satisfy some needs with commercial software and develop other systems in-house.
Types of Turnkey Systems

o General accounting systems designed to serve a wide variety of user needs.
  o Designed in modules that include AP, AR, payroll, inventory, GL, financial reporting and fixed asset.
o Special-purpose systems target specific segments.
o Office automation systems improve productivity.
  o Word processing, spreadsheet, desktop publishing.
o Backbone systems provide a structure to build on, with primary processing modes programmed.
o Vendor-supported systems are custom systems developed and maintained for the client.
Audit Risk

o Probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated.
o Inherent risk (IR) is associated with unique characteristics of the client's business or industry.
o Control risk (CR) is the likelihood the control structure is flawed because controls are either absent or inadequate to prevent or detect errors.
o Detection risk (DR) is the risk auditors are willing to take that errors not detected or prevented by the control structure will not be detected by the auditor.

Audit Risk

o Audit risk components in a model used to determine the scope, nature and timing of substantive tests:
  o Audit risk model: AR = IR x CR x DR
  o If acceptable audit risk is 5%, the planned detection risk will depend upon the control structure.
  o The stronger the internal control structure, the lower the control risk and the less substantive testing the auditor must do.
  o Substantive tests are labor intensive and time consuming, which drives up audit costs and causes disruption.
  o Management's best interests are served by a strong internal control structure.
Example Problem

 Assume that an Acceptable Audit Risk (AR) is assessed at a value of 5%. Assume the Inherent Risk (IR) is assessed at 40% and Control Risk (CR) is assessed at 40%. What would be the level of planned Detection Risk (DR)?
 In the above case, assume that the CR is assessed at 90%; recalculate the DR.

Example Problem

 AR = IR x CR x DR
 0.05 = 0.4 x 0.4 x DR -> DR = 0.3125
 If CR = 90% then DR = 0.1388

Relation between IR, CR and DR

 Control risk, which is the risk that the client's controls will not prevent or detect a material misstatement;
 Detection risk, which is the risk that the auditor will not detect a material misstatement.

Give an example of a risk associated with each of the following. Design an internal control and a test of control for each risk.

 System development and security
   Risk: loss, theft, unauthorized access to programs ...
   Control: limit logical access to the system using authentication and authorization controls ...
   Test of control: check whether unauthorized people can access
 Computer center
   Risk: theft of hardware ...
   Control: limit physical access to computer equipment
   Test of control: check whether unauthorized people can access
 IT outsourcing
   Risk: fraud and privacy…
   Test of control: check whether unauthorized people can access
IT Auditing Phases

 Describe the main phases of IT audit.
 First step is audit planning, which includes the analysis of audit risk.
 Techniques for gathering evidence include questionnaires, management interviews, reviewing system documentation and observing activities.
 Objective of the tests of controls phase is to determine if adequate controls are in place and functioning.
 Third phase focuses on financial data and a detailed investigation of specific account balances and transactions through substantive tests.
The IT Audit

o First step is audit planning, which includes the analysis of audit risk.
o Techniques for gathering evidence include questionnaires, management interviews, reviewing system documentation and observing activities.
o Objective of tests of controls is to determine if adequate controls are in place and functioning.
o Third phase focuses on financial data and a detailed investigation of specific account balances and transactions through substantive tests.
o Files may be extracted using Computer-Assisted Audit Tools and Techniques (CAATTs) software.

The internal control system comprises policies, practices, and procedures to achieve the following broad objectives:

 Safeguard the assets of the firm.
 Ensure the accuracy and reliability of accounting records and information.
 Promote efficiency in the firm's operations.
 Measure compliance with management's prescribed policies and procedures.

Network communication poses some special types of risk for a business. Analyze two broad areas of concern.

 Two general types of risk exist when networks communicate with each other: risks from subversive threats and risks from equipment failure.
 Subversive threats include interception of information transmitted between sender and receiver, computer hackers gaining unauthorized access to the organization's network, and denial-of-service attacks from remote locations on the Internet. Methods for controlling these risks include firewalls, encryption, digital signatures, digital certificates, message transaction logs, and call-back devices.
 Equipment failure can be the result of line errors. The problems can be minimized with the help of echo checks, parity checks, and good backup control.
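The two line-error controls named above, a parity check and an echo check, simulated as an added example that is not from the textbook: the message, the noisy line (a function that flips chosen bits) and the bit positions are constructed. It also shows the known limit of a single parity bit: a double-bit error in one byte passes unnoticed, while the echo check still catches it.

```python
# Added example (not from Hall's IT Auditing): parity check and echo check
# over a constructed noisy line. Noise is a dict: byte index -> data bit
# positions (0..7) flipped in transit.


def with_even_parity(byte):
    """Sender: append an even-parity bit so the 1-bit count becomes even."""
    ones = bin(byte & 0xFF).count("1")
    return ((byte & 0xFF) << 1) | (ones % 2)


def parity_ok(frame):
    """Receiver: a 9-bit frame passes if its total 1-bit count is even."""
    return bin(frame & 0x1FF).count("1") % 2 == 0


def flip_bits(value, positions):
    """Constructed noisy line: flip the given bit positions in transit."""
    for p in positions:
        value ^= 1 << p
    return value


def send_with_parity(data, noise):
    """Parity check. Returns (bytes received, indices of rejected frames).
    Data bit p sits at frame position p + 1; position 0 is the parity bit."""
    received, rejected = [], []
    for i, b in enumerate(data):
        frame = flip_bits(with_even_parity(b), [p + 1 for p in noise.get(i, ())])
        if not parity_ok(frame):
            rejected.append(i)  # odd number of flipped bits is detected
        received.append(frame >> 1)
    return bytes(received), rejected


def send_with_echo(data, noise):
    """Echo check: the receiver echoes each byte back and the sender
    retransmits when the echo differs. Returns (bytes received, retransmits)."""
    received, retransmitted = [], 0
    for i, b in enumerate(data):
        got = flip_bits(b, noise.get(i, ())) & 0xFF
        if got != b:            # echo disagrees with what was sent
            retransmitted += 1
            got = b             # retransmit over the (now clean) line
        received.append(got)
    return bytes(received), retransmitted
```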
Risk-based audit approach steps

 Determine the threats (fraud and errors) facing the company
 Identify control procedures (prevent, detect, correct the threats)
 Evaluate control procedures
   Review to see if the control exists and is in place
   Test controls to see if they work as intended
 Determine the effect of control weaknesses
   Compensating controls
