Information System of UIN Suska Riau
Course: Control and Audit Information System
Created by
Date: Saturday, 07 January 2017
Auditing
- Information technology (IT) developments have had tremendous impact on auditing.
- Business organizations undergo different types of audits for different purposes.
- Most common are external (financial) audits, internal audits and fraud audits.
External Audits
- Independent attestation performed by an expert (i.e., CPA) who expresses an opinion regarding the fair presentation of financial statements.
- Required by SEC for all public companies.
- Key concept is independence:
- Similar to a trial by judge.
- Auditor collects evidence and renders opinion.
- Basis of public confidence in financial statements.
- Strict rules must be followed.
- Defined by SEC, FASB, AICPA and SOX.
Internal Audits
- Internal auditing is an independent appraisal function to examine and evaluate activities within, and as a service to, an organization.
- Internal auditors perform a wide variety of activities including financial, operational, compliance and fraud audits.
- Auditors may work for the organization or task may be outsourced.
- Independence is self-imposed, but auditors represent the interests of the organization.
External vs Internal Auditor
- External auditors represent outsiders while internal auditors represent organization’s interests.
- Internal auditors often cooperate with and assist external auditors in some aspects of financial audits.
- Extent of cooperation depends upon the independence and competence of the internal audit staff.
- External auditors can rely in part on evidence gathered by internal audit departments that are organizationally independent and report to the board of directors’ audit committee.
The IT Audit
- First step is audit planning, which includes the analysis of audit risk.
- Techniques for gathering evidence include questionnaires, management interviews, reviewing system documentation and observing activities.
- Objective of tests of controls is to determine if adequate controls are in place and functioning.
- Third phase focuses on financial data and a detailed investigation of specific account balances and transactions through substantive tests.
- Files may be extracted using Computer-Assisted Audit Tools and Techniques (CAATTs) software.
Internal Control
- Management is required by law to establish and maintain an adequate system of internal controls.
- Brief history of internal control legislation:
- SEC Acts of 1933 and 1934.
- Copyright Law of 1976.
- Foreign Corrupt Practices Act (FCPA) of 1977 requires companies registered with the SEC to:
- Keep records that fairly and reasonably reflect firm’s transactions and financial position.
- Maintain a system of internal control that provides reasonable assurance that organization objectives are met.
- Committee of Sponsoring Organizations - 1992
Continued..
- Sarbanes-Oxley Act of 2002 (SOX) requires management of public companies to implement adequate internal control system over their financial reporting process. Under Section 302:
- Managers must certify organization’s internal controls quarterly and annually.
- External auditors must perform certain procedures quarterly to identify any material control modifications that may impact financial reporting.
- Section 404 requires management of public companies to assess the effectiveness of their internal controls in an annual report.
Internal Control System
- Internal control system comprises policies, practices, and procedures to achieve four broad objectives:
- Safeguard assets of the firm.
- Ensure accuracy and reliability of accounting records and information.
- Promote efficiency in the firm’s operations.
- Measure compliance with management’s prescribed policies and procedures.
Operating System Security
- Log-On Procedure:
First line of defense against unauthorized access consisting of user IDs and passwords.
- Access Token:
Contains key information about the user which is used to approve actions attempted during the session.
- Access Control List:
Assigned to each IT resource and used to control access to the resource.
- Discretionary Access Privileges:
Allows user to grant access to another user.
Operating System Security
- Access Privileges
Verify that access privileges are consistent with separation of incompatible functions and organization policies.
- Viruses & Destructive Programs
Verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses.
- Password Control
Ensure adequacy and effectiveness of password policies for controlling access to the operating system.
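An added example, not part of the original slides: a small Python model of the access token, access control list and discretionary grant described above, followed by the auditor's test that access privileges stay consistent with separation of incompatible functions. The users, groups, resources, duty names and incompatibility pairs are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample policy: duties that one person must not hold together.
INCOMPATIBLE_DUTIES = {
    frozenset({"authorize_payment", "record_payment"}),
    frozenset({"record_payment", "custody_of_cash"}),
}

# Constructed mapping: the duty a (resource, right) pair lets a user perform.
DUTY_OF = {
    ("payment_approvals", "write"): "authorize_payment",
    ("general_ledger", "write"): "record_payment",
    ("cash_vault_log", "write"): "custody_of_cash",
}


@dataclass(frozen=True)
class AccessToken:
    """Built at log-on and consulted for every action during the session."""
    user_id: str
    groups: frozenset


@dataclass
class Resource:
    name: str
    owner: str
    # Access control list: principal (user id or group name) -> set of rights.
    acl: dict = field(default_factory=dict)

    def is_allowed(self, token, right):
        """Compare the token with the ACL; deny unless some entry grants the right."""
        principals = {token.user_id} | set(token.groups)
        return any(right in self.acl.get(p, set()) for p in principals)

    def grant(self, token, grantee, right):
        """Discretionary access privilege: only the resource owner may grant."""
        if token.user_id != self.owner:
            raise PermissionError(f"{token.user_id} does not own {self.name}")
        self.acl.setdefault(grantee, set()).add(right)


def effective_duties(token, resources):
    """Duties a user can actually perform, derived from token plus ACLs."""
    duties = set()
    for res in resources:
        for (res_name, right), duty in DUTY_OF.items():
            if res.name == res_name and res.is_allowed(token, right):
                duties.add(duty)
    return duties


def sod_violations(tokens, resources):
    """Test of controls: report users holding a pair of incompatible duties."""
    findings = {}
    for token in tokens:
        duties = effective_duties(token, resources)
        conflicts = [tuple(sorted(pair)) for pair in INCOMPATIBLE_DUTIES
                     if pair <= duties]
        if conflicts:
            findings[token.user_id] = sorted(conflicts)
    return findings


def build_sample():
    """Constructed users and resources with a clean separation of duties."""
    tokens = [
        AccessToken("alice", frozenset({"ap_managers"})),
        AccessToken("bob", frozenset({"ap_clerks"})),
        AccessToken("carol", frozenset({"treasury"})),
    ]
    resources = [
        Resource("payment_approvals", owner="alice",
                 acl={"ap_managers": {"read", "write"}}),
        Resource("general_ledger", owner="bob",
                 acl={"ap_clerks": {"read", "write"}, "ap_managers": {"read"}}),
        Resource("cash_vault_log", owner="carol",
                 acl={"treasury": {"read", "write"}}),
    ]
    return tokens, resources


def run_audit():
    """Audit before and after one discretionary grant by a resource owner."""
    tokens, resources = build_sample()
    before = sod_violations(tokens, resources)
    bob, ledger = tokens[1], resources[1]
    # The ledger owner lets the payment approver post entries as well.
    ledger.grant(bob, "alice", "write")
    after = sod_violations(tokens, resources)
    return before, after


if __name__ == "__main__":
    before, after = run_audit()
    print("before grant:", before)
    print("after grant: ", after)
```

The grant is legitimate from the operating system's point of view, which is why the audit has to re-derive effective privileges from the ACLs rather than rely on the original role design.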
Subversive Threats
1. Verify security and integrity of financial transactions.
2. Determine whether network controls (1) can prevent and detect illegal access; (2) will render captured data useless; and (3) are sufficient to preserve integrity and security of data.
Network Control
- Purpose of network control is to:
- Establish communications sessions.
- Manage the flow of data across the network.
- Detect and resolve data collisions between nodes.
- Detect line failure or signal degeneration errors.
- Two or more signals transmitted simultaneously will result in data collision which destroys messages.
- Polling is the most popular technique for establishing a communication session in WANs.
- Token passing involves transmitting a special signal around the network. Only the node possessing the token is allowed to transmit data.
Database Approach
- Access to the data resource is controlled by a database management system (DBMS).
- Centralizes organization’s data into a common database shared by the user community.
- All users have access to data they need which may overcome flat-file problems.
- Elimination of data storage problem: No data redundancy.
- Elimination of data updating problem: Single update procedure eliminates currency of information problem.
- Elimination of task-data dependency problem: Users only constrained by legitimacy of access needs.
Database Model
Audit Procedures for Testing Database Access Control
Backup policy should balance inconvenience of frequent activity against business disruption caused by system failure.
Verify that automatic backup procedures are in place and functioning and that copies of the database are stored off-site.
Verify backups are performed routinely and frequently.
Participants in Systems Development
- Systems professionals:
- Analysts, engineers, database designers and programmers.
- End users:
- Managers, operations personnel from various functional areas, including accountants.
- Stakeholders:
- Individuals with an interest in the system who are not formal end users.
- Includes steering committee and both internal and external auditors.
Systems Development Life Cycle
When developing a new information system, there are many, many steps that must be followed. The systems development life cycle (SDLC) is an attempt to structure these steps.
From the perspective of a definition, the SDLC is a structured step-by-step approach for developing information systems.
When developing a system, there are three primary choices you will make very early in the process:
Insourcing is how much will be done by your own IT
Selfsourcing is how much can be done by the end-users.
Outsourcing is how much will be done by a third-party organization.
Systems Development Life Cycle
Phase 1 - System Planning
- Objective: To link individual systems projects to the strategic objectives of the firm.
- Most firms establish a steering committee to provide guidance and review project status.
- May include the CEO, CFO, CIO, senior management, internal auditors, and external parties (consultants).
- Responsibilities include resolving system conflicts, reviewing projects and assigning priorities, budgeting system development, and determining whether or not to continue the project at various stages of development.
- Two levels: strategic systems planning and project planning.
Strategic System Planning
- Involves allocation of resources at the macro level.
- Time frame of 3 – 5 years with process similar to budgeting resources for other strategic activities.
- Technically not part of SDLC which pertains to specific applications.
- Concerned with allocation of systems resources.
- Four justifications:
- A changing plan is better than no plan.
- Reduces crises in systems development.
- Provides authorization control for SDLC.
- Systems planning tends to be a cost-effective means of managing systems projects and application development.
Project Planning
- Purpose is to allocate resources to individual applications within the framework of the strategic plan.
- Identifying user needs, preparing proposals, evaluating proposals’ feasibility, prioritizing and scheduling.
- Two formal documents:
- Project proposal provides management with a basis for deciding whether to proceed by summarizing findings and outlining link between system and business objectives of the firm.
- Project schedule represents management’s commitment to the project.
Phase 2 - System Analysis
- Process to survey current system and analyze user needs.
- Survey step has advantages and disadvantages:
- Usually involves a detailed system survey.
- Can result in current tar pit syndrome where analyst is “sucked-in” and “bogged down” by the surveying task.
- Surveying system may stifle new ideas (thinking inside the box).
- Identifies aspects of old system that should be kept.
- Forces analysts to fully understand the old system which will be required to convert to the new one.
- Analyst may determine root cause of problems, which may not be the system at all.
Phase 2 - System Analysis
Survey phase: gathering facts
- Data sources
- Users
- Data stores
- Processes
- Data flows
- Controls
- Transaction volumes
- Error rates
- Resource costs
- Bottlenecks
- Redundant operations
Phase 2 - System Analysis
- Fact-gathering techniques:
- Observation, task participation, personal interviews, key document review.
- Analyst is analyzing while gathering facts.
- Systems analysis report:
- Presented to management or the steering committee.
- Provides survey findings, problems identified with old system, user needs and new system requirements.
- Constitutes a formal contract that specifies the objectives and goals of the system.
Phase 3 - Conceptual System Design
Purpose to produce alternative systems that satisfy identified system requirements.
Structured design approach:
Designs system from the top-down by starting with “big picture” and gradually decomposing system into more detail until fully understood.
Designs should identify all inputs, outputs, processes and special features necessary to distinguish one alternative from another.
Object-oriented design approach (OOD):
Builds information systems from reusable objects.
Concept of reusability is central as standard modules can be used in other systems with similar needs.
Library of reusable modules results in less time, cost, maintenance, and testing and improved user support and system flexibility.
Phase 4 - System Evaluation and Selection
- Identify optimal solution from alternatives.
- First step is a detailed feasibility study:
- Technical: Existing or new technology?
- Economic: Are funds available?
- Legal: Any conflicts with new system and legal responsibilities?
- Operational: Procedures and personnel compatible with new system?
- Schedule: Is firm able to implement project in acceptable amount of time?
- Second step is a cost-benefit analysis:
- Identify both one-time and recurring costs and tangible and intangible benefits which cannot be easily quantified.
- Compare costs and benefits.
Controlling and Auditing the SDLC
System planning and analysis.
Conceptual system design impacts auditability.
Economic feasibility needs to be measured accurately.
Systems implementation.
Provide technical expertise with regard to accounting rules.
Specify documentation standards.
Verify control adequacy and compliance with SOX.
What is ERP?
- Provides a smooth and seamless flow of information across organization:
- Standardized environment with shared database and integrated applications that support communication.
- Data remain independent of any specific application.
- Extensive data sharing occurs through application-sensitive views that present data to meet user needs.
ERP Systems
ERP Systems Configurations
- Most based on the client-server model.
- Typical two-tier model:
- Server handles application and database duties.
- Used in LAN applications where server demand is limited to a small population of users.
- Three-tier model:
- Database and application functions separated.
- Typical of large systems that use WANs.
- Client initially establishes communication with the application server which initiates a second connection to the database server.
Two-Tier Client Server
Three-Tier Client Server
What is Data Warehousing?
- Data warehousing involves extracting, converting and standardizing data from ERP and legacy systems and loading it into a central archive – the data warehouse.
- Loaded data are accessible via various query and analysis tools used for data mining (selecting, exploring and modeling large amounts of data to uncover relationships).
- Involves sophisticated techniques that use database queries and artificial intelligence to model real-world phenomena.
- Most large ERP implementations include separate operational and data warehouse databases.
Modelling Data for Data Warehouse
- Due to vast size, data warehouse database consists of denormalized data.
- Inefficiency can be devastating.
- Relationship among attributes does not change.
- Data is static so nothing gained by constructing normalized tables with dynamic links.
- Relational theory does not apply to a data warehousing system.
- Normalized tables pertaining to selected events may be consolidated into denormalized tables.
Data Warehouse System
Risk Associated with ERP Implementation
- Big bang implementation occurs when organizations switch operations from legacy systems to ERP in a single event.
- Some advantages, but numerous failures.
- Initial opposition and changes cause disruption.
- Phased-in implementation approach has emerged as a popular alternative.
- Independent ERP units installed over time, assimilated, and integrated without disrupting operations.
- Can be used by organizations that are not diversified, with legacy system retired over time. Process reengineering will still need to occur.
Risk Associated with ERP Implementation
- Opposition to changes in the business’s culture.
- Choosing the wrong ERP:
- Goodness of fit: No one ERP product is best for all industries.
- Scalability: System’s ability to grow in terms of size, speed, workload and transaction cost.
- Choosing the wrong consultant:
- Thoroughly interview potential consultants and establish explicit expectations.
Risk Associated with ERP Implementation
- High cost and cost overruns:
- Training costs usually higher than estimated due to need for employees to learn new procedures.
- Testing and integration costs are difficult to estimate.
- Database conversion requires testing, manual reconciliation and sometimes manual input.
- Management should establish key performance measures to help determine ERP success.
- Disruptions to operations:
- ERP implementations usually involve business process reengineering (BPR).
END
Wassalamu’alikum…

mis ch2.pptxmis ch2.pptx
mis ch2.pptx
 
Sdlc1
Sdlc1Sdlc1
Sdlc1
 
Development of information system chap 2
Development of information system chap 2Development of information system chap 2
Development of information system chap 2
 
SAD_UnitII.docx
SAD_UnitII.docxSAD_UnitII.docx
SAD_UnitII.docx
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 

Recently uploaded

DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.arsicmarija21
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance  and worth of ideas part 2.pptxJudging the Relevance  and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Planning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxPlanning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxLigayaBacuel1
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
Quarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up FridayQuarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up FridayMakMakNepo
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 

Recently uploaded (20)

OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance  and worth of ideas part 2.pptxJudging the Relevance  and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Planning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxPlanning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
Quarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up FridayQuarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up Friday
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 

CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)

  • 1. Information System of Uin Suska Riau. Course: Control and Audit Information System. Created by Date: Saturday, 07 January 2017
  • 3. Auditing
      - Information technology (IT) developments have had tremendous impact on auditing.
      - Business organizations undergo different types of audits for different purposes.
      - Most common are external (financial) audits, internal audits and fraud audits.
  • 4. External Audits
      - Independent attestation performed by an expert (i.e., CPA) who expresses an opinion regarding the fair presentation of financial statements.
      - Required by SEC for all public companies.
      - Key concept is independence:
      - Similar to a trial by judge.
      - Auditor collects evidence and renders opinion.
      - Basis of public confidence in financial statements.
      - Strict rules must be followed.
      - Defined by SEC, FASB, AICPA and SOX.
  • 5. Internal Audits
      - Internal auditing is an independent appraisal function to examine and evaluate activities within, and as a service to, an organization.
      - Internal auditors perform a wide variety of activities including financial, operational, compliance and fraud audits.
      - Auditors may work for the organization or task may be outsourced.
      - Independence is self-imposed, but auditors represent the interests of the organization.
  • 6. External vs Internal Auditor
      - External auditors represent outsiders while internal auditors represent organization’s interests.
      - Internal auditors often cooperate with and assist external auditors in some aspects of financial audits.
      - Extent of cooperation depends upon the independence and competence of the internal audit staff.
      - External auditors can rely in part on evidence gathered by internal audit departments that are organizationally independent and report to the board of directors’ audit committee.
  • 7. The IT Audit
      - First step is audit planning which includes the analysis of audit risk.
      - Techniques for gathering evidence include questionnaires, management interviews, reviewing system documentation and observing activities.
      - Objective of tests of controls is to determine if adequate controls are in place and functioning.
      - Third phase focuses on financial data and a detailed investigation of specific account balances and transactions through substantive tests.
      - Files may be extracted using Computer-Assisted-Audit Tools and Techniques (CAATTs) software.
  • 8. Internal Control
      - Management required by law to establish and maintain adequate system of internal controls.
      - Brief history of internal control legislation:
          - SEC Acts of 1933 and 1934.
          - Copyright Law of 1976.
          - Foreign Corrupt Practices Act (FCPA) of 1977 requires companies registered with the SEC to:
              - Keep records that fairly and reasonably reflect firm’s transactions and financial position.
              - Maintain a system of internal control that provides reasonable assurance that organization objectives are met.
          - Committee of Sponsoring Organizations - 1992
  • 9. Continued
      - Sarbanes-Oxley Act of 2002 (SOX) requires management of public companies to implement adequate internal control system over their financial reporting process. Under Section 302:
          - Managers must certify organization’s internal controls quarterly and annually.
          - External auditors must perform certain procedures quarterly to identify any material control modifications that may impact financial reporting.
      - Section 404 requires management of public companies to assess the effectiveness of their internal controls in an annual report.
  • 10. Internal Control System
      - Internal control system comprises policies, practices, and procedures to achieve four broad objectives:
          - Safeguard assets of the firm.
          - Ensure accuracy and reliability of accounting records and information.
          - Promote efficiency in the firm’s operations.
          - Measure compliance with management’s prescribed policies and procedures.
  • 12. Operating System Security
      - Log-On Procedure: First line of defense against unauthorized access consisting of user IDs and passwords.
      - Access Token: Contains key information about the user which is used to approve actions attempted during the session.
      - Access Control List: Assigned to each IT resource and used to control access to the resource.
      - Discretionary Access Privileges: Allows user to grant access to another user.
  • 13. Operating System Security
      - Access Privileges: Verify that access privileges are consistent with separation of incompatible functions and organization policies.
      - Viruses & Destructive Programs: Verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses.
      - Password Control: Ensure adequacy and effectiveness of password policies for controlling access to the operating system.
  • 14. Threats 1. Subversive Verify security and integrity of financial transactions. 2. Determine network controls (1) can prevent and detect illegal access; (2) will render captured data useless; and (3) are sufficient to preserve integrity and security of data.
  • 15. Network Control
      - Purpose of network control is to:
          - Establish communications sessions.
          - Manage the flow of data across the network.
          - Detect and resolve data collisions between nodes.
          - Detect line failure or signal degeneration errors.
      - Two or more signals transmitted simultaneously will result in data collision which destroys messages.
      - Polling is the most popular technique for establishing a communication session in WANs.
      - Token passing involves transmitting special signal around the network. Only the node possessing the token is allowed to transmit data.
  • 17. Database Approach
      - Access to the data resource is controlled by a database management system (DBMS).
      - Centralizes organization’s data into a common database shared by the user community.
      - All users have access to data they need which may overcome flat-file problems.
      - Elimination of data storage problem: No data redundancy.
      - Elimination of data updating problem: Single update procedure eliminates currency of information problem.
      - Elimination of task-data dependency problem: Users only constrained by legitimacy of access needs.
  • 19. Audit Procedures for Testing Database Access Control
      - Backup policy should balance inconvenience of frequent activity against business disruption caused by system failure.
      - Verify that automatic backup procedures are in place and functioning and that copies of the database are stored off-site.
      - Verify backups are performed routinely and frequently.
  • 21. Participants in Systems Development
      - Systems professionals:
          - Analysts, engineers, database designers and programmers.
      - End users:
          - Managers, operations personnel from various functional areas, including accountants.
      - Stakeholders:
          - Individuals with an interest in the system who are not formal end users.
          - Includes steering committee and both internal and external auditors.
  • 22. Systems Development Life Cycle
      - When developing a new information system, there are many, many steps that must be followed. The systems development life cycle (SDLC) is an attempt to structure these steps.
      - From the perspective of a definition, the SDLC is a structured step-by-step approach for developing information systems.
      - When developing a system, there are three primary choices you will make very early in the process:
          - Insourcing is how much will be done by your own IT.
          - Selfsourcing is how much can be done by the end-users.
          - Outsourcing is how much will be done by a third-party organization.
  • 24. Phase 1 - System Planning
      - Objective: To link individual systems projects to the strategic objectives of the firm.
      - Most firms establish a steering committee to provide guidance and review project status.
      - May include the CEO, CFO, CIO, senior management, internal auditors, and external parties (consultants).
      - Responsibilities include resolving system conflicts, reviewing projects and assigning priorities, budgeting system development, and determining whether or not to continue the project at various stages of development.
      - Two levels: strategic systems planning and project planning.
  • 25. Strategic System Planning
      - Involves allocation of resources at the macro level.
      - Time frame of 3 – 5 years with process similar to budgeting resources for other strategic activities.
      - Technically not part of SDLC which pertains to specific applications.
      - Concerned with allocation of systems resources.
      - Four justifications:
          - A changing plan is better than no plan.
          - Reduces crises in systems development.
          - Provides authorization control for SDLC.
          - Systems planning tends to be a cost-effective means of managing systems projects and application development.
  • 26. Project Planning
      - Purpose is to allocate resources to individual applications within the framework of the strategic plan.
      - Identifying user needs, preparing proposals, evaluating proposals’ feasibility, prioritizing and scheduling.
      - Two formal documents:
          - Project proposal provides management with a basis for deciding whether to proceed by summarizing findings and outlining link between system and business objectives of the firm.
          - Project schedule represents management’s commitment to the project.
  • 27. Phase 2 - System Analysis
      - Process to survey current system and analyze user needs.
      - Survey step has advantages and disadvantages:
      - Usually involves a detailed system survey.
      - Can result in current tar pit syndrome where analyst is “sucked-in” and “bogged down” by the surveying task.
      - Surveying system may stifle new ideas (thinking inside the box).
      - Identifies aspects of old system that should be kept.
      - Forces analysts to fully understand the old system which will be required to convert to the new one.
      - Analyst may determine root cause of problems, which may not be the system at all.
  • 28. Phase 2 - System Analysis: Survey Phase, Gathering Facts
      - Data sources
      - Users
      - Data stores
      - Processes
      - Data flows
      - Controls
      - Transaction volumes
      - Error rates
      - Resource costs
      - Bottlenecks
      - Redundant operations
  • 29. Phase 2 - System Analysis
      - Fact-gathering techniques:
          - Observation, task participation, personal interviews, key document review.
          - Analyst is analyzing while gathering facts.
      - Systems analysis report:
          - Presented to management or the steering committee.
          - Provides survey findings, problems identified with old system, user needs and new system requirements.
          - Constitutes a formal contract that specifies the objectives and goals of the system.
  • 30. Phase 3 - Conceptual System Design
      - Purpose is to produce alternative systems that satisfy identified system requirements.
      - Structured design approach:
          - Designs system from the top-down by starting with “big picture” and gradually decomposing system into more detail until fully understood.
          - Designs should identify all inputs, outputs, processes and special features necessary to distinguish one alternative from another.
      - Object-oriented design approach (OOD):
          - Builds information systems from reusable objects.
          - Concept of reusability is central as standard modules can be used in other systems with similar needs.
          - Library of reusable modules results in less time, cost, maintenance, and testing and improved user support and system flexibility.
  • 31. Phase 4 - System Evaluation and Selection
      - Identify optimal solution from alternatives.
      - First step is a detailed feasibility study:
          - Technical: Existing or new technology?
          - Economic: Are funds available?
          - Legal: Any conflicts with new system and legal responsibilities?
          - Operational: Procedures and personnel compatible with new system?
          - Schedule: Is firm able to implement project in acceptable amount of time?
      - Second step is a cost-benefit analysis:
          - Identify both one-time and recurring costs and tangible and intangible benefits which cannot be easily quantified.
          - Compare costs and benefits.
  • 33. Controlling and Auditing the SDLC
      - System planning and analysis.
      - Conceptual system design impacts auditability.
      - Economic feasibility needs to be measured accurately.
      - Systems implementation.
      - Provide technical expertise with regard to accounting rules.
      - Specify documentation standards.
      - Verify control adequacy and compliance with SOX.
  • 35. What is ERP?
      - Provides a smooth and seamless flow of information across organization:
          - Standardized environment with shared database and integrated applications that support communication.
          - Data remain independent of any specific application.
          - Extensive data sharing occurs through application-sensitive views that present data to meet user needs.
  • 37. ERP Systems Configurations
      - Most based on the client-server model.
      - Typical two-tier model:
          - Server handles application and database duties.
          - Used in LAN applications where server demand is limited to a small population of users.
      - Three-tier model:
          - Database and application functions separated.
          - Typical of large systems that use WANs.
          - Client initially establishes communication with the application server which initiates a second connection to the database server.
  • 40. What is Data Warehousing?
      - Data warehousing involves extracting, converting and standardizing data from ERP and legacy systems and loading it into a central archive – the data warehouse.
      - Loaded data are accessible via various query and analysis tools used for data mining (selecting, exploring and modeling large amounts of data to uncover relationships).
      - Involves sophisticated techniques that use database queries and artificial intelligence to model real-world phenomena.
      - Most large ERP implementations include separate operational and data warehouse databases.
  • 41. Modelling Data for Data Warehouse
      - Due to vast size, data warehouse database consists of denormalized data.
      - Inefficiency can be devastating.
      - Relationship among attributes does not change.
      - Data is static so nothing gained by constructing normalized tables with dynamic links.
      - Relational theory does not apply to a data warehousing system.
      - Normalized tables pertaining to selected events may be consolidated into denormalized tables.
  • 43. Risk Associated with ERP Implementation
      - Big bang implementation occurs when organizations switch operations from legacy systems to ERP in a single event.
      - Some advantages, but numerous failures.
      - Initial opposition and changes cause disruption.
      - Phased-in implementation approach has emerged as a popular alternative.
      - Independent ERP units installed over time, assimilated, and integrated without disrupting operations.
      - Can be used by organizations that are not diversified, with legacy system retired over time. Process reengineering will still need to occur.
  • 44. Risk Associated with ERP Implementation
      - Opposition to changes in the business’s culture.
      - Choosing the wrong ERP:
          - Goodness of fit: No one ERP product is best for all industries.
          - Scalability: System’s ability to grow in terms of size, speed, workload and transaction cost.
      - Choosing the wrong consultant:
          - Thoroughly interview potential consultants and establish explicit expectations.
  • 45. Risk Associated with ERP Implementation
      - High cost and cost overruns:
          - Training costs usually higher than estimated due to need for employees to learn new procedures.
          - Testing and integration costs are difficult to estimate.
          - Database conversion requires testing, manual reconciliation and sometimes manual input.
      - Management should establish key performance measures to help determine ERP success.
      - Disruptions to operations:
          - ERP implementations usually involve business process reengineering (BPR).
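
The audit procedure on slide 13 (verify that access privileges are consistent with separation of incompatible functions) can be run as a CAATT-style test over the access control lists and discretionary grants described on slide 12. The following is an added example, not part of the original slides; the users, resources, conflict matrix and the rule that a grantor must already hold the privilege it passes on are constructed assumptions.

```python
"""Audit test: are access privileges consistent with separation of
incompatible functions? All data below is constructed sample data."""
from itertools import combinations

# One access control list per IT resource: user ID -> privileges held.
ACLS = {
    "vendor_master":   {"alice": {"read", "write"}, "erin": {"read", "write"}},
    "ap_invoices":     {"bob": {"read", "write"}, "carol": {"read"}},
    "payment_release": {"carol": {"read", "write"}, "dave": {"read"},
                        "erin": {"read", "write"}},
    "bank_recon":      {"dave": {"read", "write"}},
}

# Business function that write access to each resource represents (assumed).
FUNCTION_OF = {
    "vendor_master": "maintain vendors",
    "ap_invoices": "record invoices",
    "payment_release": "authorize payments",
    "bank_recon": "reconcile bank",
}

# Function pairs that policy says one person must not hold together (assumed).
INCOMPATIBLE = {
    frozenset({"maintain vendors", "authorize payments"}),
    frozenset({"record invoices", "authorize payments"}),
    frozenset({"authorize payments", "reconcile bank"}),
}

# Discretionary grants made since the ACLs were approved:
# (grantor, grantee, resource, privilege).
GRANTS = [
    ("bob", "carol", "ap_invoices", "write"),
    ("dave", "alice", "payment_release", "write"),  # dave holds read only
]


def apply_grants(acls, grants):
    """Return (new ACLs, rejected grants) without modifying the input.

    Assumption: a grant takes effect only if the grantor holds the privilege.
    """
    result = {res: {u: set(p) for u, p in entries.items()}
              for res, entries in acls.items()}
    rejected = []
    for grantor, grantee, resource, priv in grants:
        if priv in result.get(resource, {}).get(grantor, set()):
            result[resource].setdefault(grantee, set()).add(priv)
        else:
            rejected.append((grantor, grantee, resource, priv))
    return result, rejected


def functions_by_user(acls):
    """Map each user to the business functions they can perform (write access)."""
    users = {}
    for resource, entries in acls.items():
        for user, privs in entries.items():
            if "write" in privs:
                users.setdefault(user, set()).add(FUNCTION_OF[resource])
    return users


def sod_violations(acls):
    """List (user, function_a, function_b) where the pair is incompatible."""
    findings = []
    for user, funcs in sorted(functions_by_user(acls).items()):
        for a, b in combinations(sorted(funcs), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                findings.append((user, a, b))
    return findings


def audit(acls=ACLS, grants=GRANTS):
    """Compare the approved ACLs with the ACLs after discretionary grants."""
    baseline = sod_violations(acls)
    current_acls, rejected = apply_grants(acls, grants)
    current = sod_violations(current_acls)
    return {
        "baseline": baseline,
        "current": current,
        "introduced_by_grants": [f for f in current if f not in baseline],
        "rejected_grants": rejected,
    }


if __name__ == "__main__":
    for section, rows in audit().items():
        print(section, rows)
```

The finding reported under `introduced_by_grants` is one that a review of the approved ACLs alone would miss, which is why discretionary grants need to be included in the population being tested.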