Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Auditing In Computer Environment Presentation


Published on

The slides presents audit in computer environment as a revision material for student and practitioners in auditing and related subject matter

  • You should try to cover some of the inventory tools at least. Personally myself i prefer Total Network Inventory (TNI). There are plenty of them like Lansweeper or Solarwinds or the other ones that can automize your work a bit. When you would have a system network consisting of a 1000 nodes you wouldnt be pleased with a handcrafted auditing. These kind of software can scan both software and hardware for versions and licenses. Some of them need a satellite program on other PCs but Lansweeper or TNI can scan hardware inventory only using admin password to get access to computer
    Are you sure you want to  Yes  No
    Your message goes here
  • thanks so much guys. wow! this would be a great help to me. I will be taking a CPA licensure exam on May here in the Philippines and I think I really have to master auditing theory.
    Are you sure you want to  Yes  No
    Your message goes here
  • ilove u mama
    Are you sure you want to  Yes  No
    Your message goes here

Auditing In Computer Environment Presentation

  1. 1. AUDITING IN COMPUTER ENVIRONMENT What is audit in a computer environment?
  2. 2. AUDITING IN COMPUTER ENVIRONMENT <ul><li>Approaches </li></ul><ul><li>Auditing around the computer </li></ul><ul><li>Auditing through the Computer </li></ul><ul><li>Auditing with the computer </li></ul>
  3. 3. AUDITING IN COMPUTER ENVIRONMENT <ul><li>Use of computer of audit automation </li></ul><ul><ul><li>Working Papers </li></ul></ul><ul><ul><li>Statistical sampling and analytical procedures </li></ul></ul><ul><ul><li>Decision Support System; </li></ul></ul>
  4. 4. AUDITING IN COMPUTR ENVIRONMENT <ul><li>Types of software on PC in order to aid his audit work </li></ul><ul><ul><li>Standard software for word processing , spreadsheets </li></ul></ul><ul><ul><li>Expert systems . </li></ul></ul><ul><li>Generally, an auditor can use his PC to assist for </li></ul><ul><ul><li>Production of time budget and budgetary control . </li></ul></ul><ul><ul><li>Analytical procedures . </li></ul></ul><ul><ul><li>The maintenance of permanent file information </li></ul></ul>
  5. 5. AUDITING IN COMPUTER ENVIROMENT <ul><ul><li>The computer systems challenges </li></ul></ul><ul><ul><ul><li>lack of visible evidence and systematic errors. What to do? </li></ul></ul></ul><ul><ul><ul><ul><li>techniques available to him, </li></ul></ul></ul></ul><ul><ul><ul><ul><li>The internal controls, </li></ul></ul></ul></ul><ul><ul><ul><ul><li>the availability of the data </li></ul></ul></ul></ul><ul><ul><ul><ul><li>the length of time it is retained in a readily usable form . </li></ul></ul></ul></ul>
  6. 6. AUDITING IN COMPUTER ENVIRONMENT <ul><li>Controls over audit computers </li></ul><ul><ul><li>Security, and Accuracy (of input, processing and output). The auditor should exercise controls when PCs are used by auditor in their work are as follows: </li></ul></ul><ul><ul><li>Access controls for users by means of passwords </li></ul></ul>
  7. 7. AUDITING IN COMPUTER ENVIRONMENT <ul><li>Controls over audit computers </li></ul><ul><ul><li>Back up of data contained on files, regular production of hard copy; back-up disks held off the premises. </li></ul></ul><ul><ul><li>Viral protection for programs and Training users. </li></ul></ul><ul><ul><li>Evaluation and testing of programs use 6.Proper recording of input data , to ensure reasonableness of output. </li></ul></ul>
  8. 8. INTERNAL CONTROLS IN CIS <ul><li>The internal control over computer based accounting system </li></ul><ul><ul><li>Application controls </li></ul></ul><ul><ul><li>General controls </li></ul></ul>
  9. 9. INTERNAL CONTROLS IN CIS <ul><li>The internal control over computer based accounting system </li></ul><ul><ul><li>Application controls: </li></ul></ul><ul><ul><ul><li>The objective of application controls (manual or programmed) are to </li></ul></ul></ul><ul><ul><ul><ul><li>Ensure completeness and accuracy of accounting records </li></ul></ul></ul></ul><ul><ul><ul><ul><li>validity of entries made resulting from both manual and programmed processing. </li></ul></ul></ul></ul>
  10. 10. INTERNAL CONTROLS IN CIS <ul><li>The internal control over computer based accounting system </li></ul><ul><ul><ul><li>General controls; </li></ul></ul></ul><ul><ul><ul><ul><li>relates to the environment CIS </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>are developed, maintained and operated , and which are therefore applicable to all the applications. </li></ul></ul></ul></ul></ul><ul><ul><ul><li>The objectives of general controls are . </li></ul></ul></ul><ul><li>The application controls and general controls are inter-related . Strong general controls contribute to assurance, which may be obtained by an auditor in relation </li></ul>
  11. 11. INTERNAL CONTROLS IN CIS <ul><li>The specific requirements in order to achieve the overall objectives of application controls are:- </li></ul><ul><ul><li>Control over the completeness and authorization of input </li></ul></ul><ul><ul><li>Control over the completeness and accuracy of processing </li></ul></ul><ul><ul><li>Control over the maintenance of master files and the standing data contained therein </li></ul></ul>
  12. 12. INTERNAL CONTROLS IN CIS <ul><li>In order to achieve the overall objective of general controls, the controls required are:- </li></ul><ul><ul><li>Control over applications development </li></ul></ul><ul><ul><li>To prevent or detect unauthorized changes to programs </li></ul></ul><ul><ul><li>To ensure that all programs changes are adequately tested and documented </li></ul></ul><ul><ul><li>Control to prevent and detect errors during program execution </li></ul></ul><ul><ul><li>To prevent unauthorized amendments to data files </li></ul></ul><ul><ul><li>To ensure that system software is properly installed and maintained </li></ul></ul><ul><ul><li>To ensure that proper documentation is kept </li></ul></ul><ul><ul><li>To ensure continuity of operations. </li></ul></ul>
  13. 13. COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs) <ul><li>Definition </li></ul><ul><ul><li>Techniques in that the auditors are afforded opportunities to use either the enterprises or another computer to assist them in performance of audit work. </li></ul></ul><ul><ul><li>CAATs, are ways in which the auditor may use the computer in a computerized information system to gather, or assist in gathering, audit evidence. </li></ul></ul>
  14. 14. CATEGORIES OF CAAT <ul><li>Audit software </li></ul><ul><li>Test data </li></ul><ul><li>Other techniques </li></ul>
  15. 15. CATEGORIES OF CAAT <ul><li>Audit software: </li></ul><ul><ul><li>generalized audit software </li></ul></ul><ul><ul><li>specialized audit software or </li></ul></ul><ul><ul><ul><li>Interrogation softwares </li></ul></ul></ul><ul><ul><li>utility programs and </li></ul></ul><ul><ul><li>existing entity programs . </li></ul></ul><ul><ul><ul><li>Regardless of the source of the programs, the auditor should substantiate their validity for audit purposes prior to use. </li></ul></ul></ul>
  16. 16. CATEGORIES OF CAAT <ul><li>Audit software some uses </li></ul><ul><ul><li>Stratify accounting population and select monetary unit statistical samples. </li></ul></ul><ul><ul><li>Carry out an aging /usage analysis of stocks </li></ul></ul><ul><ul><li>Perform detailed analytical reviews of financial statements </li></ul></ul>
  17. 17. TYPES OF CAATs <ul><li>Test data </li></ul><ul><li>Is a CAAT in which test data prepared by the auditor is processed on the current production version of the client's software, but separately from the client's normal input data. </li></ul>
  18. 18. TYPES OF CAATs <ul><li>Other techniques </li></ul><ul><ul><li>embedded audit facilities </li></ul></ul><ul><ul><ul><li>Integrated test facility </li></ul></ul></ul><ul><ul><ul><li>System Review and control file ( SCARF) </li></ul></ul></ul><ul><ul><ul><li>Application program examination </li></ul></ul></ul><ul><ul><ul><ul><li>Internal control evaluation via; Flowchart verification (Logical Path analysis ) ,Program code verification (Code Comparison Programs), Printout examination. </li></ul></ul></ul></ul>
  19. 19. CAATs and Sustentative testing <ul><li>During substantive testing some, CAATs are used frequently. </li></ul><ul><ul><li>Audit software is used extensively to examine accounting records maintained on computer files </li></ul></ul><ul><ul><li>CAATs assists in carrying out analytical review procedures </li></ul></ul>
  20. 20. Limits of CAATs <ul><li>Limits of CAATs </li></ul><ul><ul><li>Evaluation of general controls </li></ul></ul><ul><ul><ul><li>Use ICQ or the ICE approach. </li></ul></ul></ul>
  21. 21. PROGRAM AUTHENTICITY <ul><li>Source Program authenticity </li></ul><ul><ul><li>guarantee that the correct application program is being tested. </li></ul></ul><ul><ul><ul><li>“ Live test” data, integrated test facilities and embedded audit facilities as described above are audit techniques, which help in this respect. </li></ul></ul></ul><ul><ul><ul><li>General controls </li></ul></ul></ul><ul><ul><ul><li>Copy must be identical to orignal </li></ul></ul></ul>
  22. 22. KNOWLEDGE BASED SYSTEM <ul><li>Knowledge based systems </li></ul><ul><ul><li>Decision Support Systems and Expert systems can be used to assist with the auditors own judgment and decisions. </li></ul></ul>
  23. 23. MANUAL Vs CAATs <ul><li>Factors to consider in choosing between CAATs and manual Techniques:- </li></ul><ul><li>Practicability of carrying out audit tests manually </li></ul><ul><li>Cost effectiveness of the procedures under considerations . </li></ul><ul><li>Availability of audit time </li></ul><ul><li>The availability of appropriate computer facilities and independence issue </li></ul><ul><li>The level of audit experience and expertise. </li></ul><ul><li>The extent of possible reliance upon internal audit work </li></ul>
  24. 24. PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT <ul><li>Planning an audit in a Computer environment </li></ul><ul><ul><li>Possibilities of attending during system development stage </li></ul></ul><ul><ul><li>Consideration of use of CAATs </li></ul></ul><ul><ul><li>Practicability of manual audit </li></ul></ul><ul><ul><li>Expertise </li></ul></ul>
  25. 25. PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT <ul><li>Use of CAATS </li></ul><ul><ul><li>The pattern cost associated with CAATs, </li></ul></ul><ul><ul><li>The extent of tests of controls or substantive procedures achieved by both alternatives, </li></ul></ul><ul><ul><li>Ability to incorporate within the use of CAAT a number of different audit tests. </li></ul></ul><ul><ul><li>Time of reporting </li></ul></ul>
  26. 26. PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT <ul><li>In using CAAT, </li></ul><ul><ul><li>computer facilities, computer files and programs are available ; </li></ul></ul><ul><ul><li>the auditors should plan the use of CAAT in good time so that these copies are retained for their use. </li></ul></ul><ul><ul><li>Internal auditor CAATs , consider ISA </li></ul></ul><ul><ul><li>Availability of computer facilities </li></ul></ul>
  27. 27. INTERNAL CONTROL EVALUATION <ul><li>Internal control evaluation </li></ul><ul><ul><li>ICQ . </li></ul></ul><ul><ul><li>Weak controls = extensive substantive procedures </li></ul></ul><ul><ul><li>In determining whether they wish to place reliance on application controls or general controls ,the auditors will be influenced by the cost effectiveness and ease of testing by the following matters </li></ul></ul><ul><ul><li>General controls and application controls </li></ul></ul>
  28. 28. INTERNAL CONTROL EVALUATION <ul><li>Check systematic errors and program intergrity </li></ul><ul><ul><li>Manual examination may be useful in small computer application </li></ul></ul><ul><ul><li>Observation, examination of documentary evidence or reperforming the procedures may be useful. </li></ul></ul><ul><ul><ul><li>CAATs can also be useful </li></ul></ul></ul>
  29. 29. Review of financial statements <ul><li>Review of financial statements </li></ul><ul><ul><li>CAATs (audit software) </li></ul></ul><ul><ul><ul><li>e.g analytical review. </li></ul></ul></ul><ul><ul><li>The working papers should indicate the work performed by CAAT, the auditors conclusion, the manner in which any technical problems were resolved and may include any recommendations about modification of CAAT for future audits. </li></ul></ul>
  30. 30. AUDIT TRAIL. <ul><li>Audit trail. </li></ul><ul><li>As the complexity of computer systems has increased there has been a corresponding loss of audit trail. Most systems have searching facilities that are much quicker to use than searching through print outs by hand. </li></ul><ul><li>This offsets the so- called loss of “audit trail” to a significant exten t. The trail is still there , although it may have to be followed through in electronic form. </li></ul>
  31. 31. COMPUTER SERVICE BUREAUX <ul><li>These are third part service organization who provide EDP facilities to their clients </li></ul><ul><li>Factor to consider </li></ul><ul><ul><li>make or buy decisions </li></ul></ul><ul><ul><li>Consider and Analyze the cost benefit; </li></ul></ul><ul><ul><li>Level of management’s own computing knowledge and their willingness to take risk to unknown third party; </li></ul></ul>
  32. 32. COMPUTER SERVICE BUREAUX <ul><li>Factors to consider </li></ul><ul><ul><li>The volume and frequency of processing requirements ; </li></ul></ul><ul><ul><li>The complexity of the program package required ;The simpler the program the easier it would be to process in – house on Micro; </li></ul></ul><ul><ul><li>The importance of timelines in processing of data check the efficiency and economy of DP </li></ul></ul><ul><ul><li>The confidentiality of the data being processed. </li></ul></ul>
  33. 33. Types of Bureaux <ul><ul><li>Independent companies formed to provide specialist computer services </li></ul></ul><ul><ul><li>Computer manufacturers with bureau </li></ul></ul><ul><ul><li>Computer users (e.g. universities) </li></ul></ul>
  34. 34. PLANNING AND CONTROL EXERCISED BY THE USER <ul><li>When the system using bureaux is set up it is essential that </li></ul><ul><li>a full feasibility study and </li></ul><ul><li>system design should be carried out. </li></ul><ul><li>In practice the bureau may provide assistance in performing these tasks. </li></ul>
  35. 35. PLANNING AND CONTROL EXERCISED BY THE USER <ul><li>The control should include : </li></ul><ul><ul><li>Prior vetting of bureau standards ; </li></ul></ul><ul><ul><li>Input controls at preparer’s end; bunching and providing or authorizing in the same way as usual; </li></ul></ul><ul><ul><li>Transit controls ;Physical transfer of documents ; </li></ul></ul><ul><ul><li>batch controls ,physical security and authorized personnel; </li></ul></ul>
  36. 36. PLANNING AND CONTROL EXERCISED BY THE USER <ul><li>The control should include : </li></ul><ul><ul><li>Electronic transmission of data ;batch totals, passwords and possibly encryption coding for very sensitive data; </li></ul></ul><ul><ul><li>Control over and action on rejection; there must be strong control over the level of rejections; whose fault, the bureaus or ours?; </li></ul></ul>
  37. 37. COMPUTER SERVICE BUREAUX <ul><li>Output controls :logging /registering receipt of output material and original documentation ,distribution and filing; Master file amendment controls; suggested control include the usual use of pre-numbered properly authorized forms. Special control of periodic print out of all master file amendments; </li></ul><ul><li>Adequate insurance covering loss of data or documents and computer breakdown at the bureau itself ;The external auditor review of bureau controls ; </li></ul>
  38. 38. COMPUTER SERVICE BUREAUX <ul><li>A third party review –an independent firm to carry out review of internal controls, both the general and application based. The report is then made available to the auditors of clients of the bureaus. This saves the bureau having to make provision for many different sets of auditors all asking to run CAATs on the bureaux system and complete roughly similar ICQ/ICE forms. </li></ul><ul><li>Direct evaluation of the bureau by the auditor using the CAATs , ICQ and ICE.; </li></ul><ul><li>Standby /back up /emergency arrangement ; </li></ul>
  39. 39. COMPUTER SERVICE BUREAUX <ul><li>The compliance and substantive testing of programmed procedures, the CAATs such as discussed above are appropriate where the client has the data and files on the premises. They may not be possible in context of the computer service bureau. The client may have to arrange to have files copied by the bureau or supplied to the auditor for testing. </li></ul>
  40. 40. CONTROLS IN ON-LINE AND REAL TIME SYSTEMS <ul><li>Controls in real time systems </li></ul><ul><li>The main control problem is that primarily the concern is on large, multi–user systems with terminals (dumb terminals or networked PCs) ;The same person is often responsible for producing and processing the same information. Internal check ,supervisory controls should be strengthened (segregation of duties) ;The ability of a person using remote terminal to gain access to databases at will results in the need for special controls to ensure that files are neither read nor written to (nor destroyed). </li></ul>
  41. 41. CONTROLS IN ON-LINE AND REAL TIME SYSTEMS <ul><li>Physical controls; </li></ul><ul><ul><li>Operating system; Use passwords( or lockwords) or special badges or key; Restriction by the operating system of a certain users to certain files .eg wages dept can be given access to only wages file; Logging of all attempted violation of the above controls .eg Automatic shut down of the PC or terminal used; All violations should be speedily and thoroughly investigated </li></ul></ul><ul><ul><li>Application controls; Validity checks on input; Reporting of unusual transactions; Passwords </li></ul></ul>
  42. 42. DATABASE MANAGEMENT SYSTEMS (DBMS) <ul><li>Main controls; Control to prevent or detect unauthorized changes to programs; </li></ul><ul><ul><li>No access to live program file by any personnel except for the operation personnel at the central computer; Password protection on programs;Restricted access to the central computer and terminal ;Maintenance of console; Periodic comparison of live production programs to control copies and supporting documentation. </li></ul></ul>
  43. 43. DATABASE MANAGEMENT SYSTEMS (DBMS) <ul><li>Main controls; Controls to prevent or detect error during operation; </li></ul><ul><ul><li>Restriction of access to terminals by use of password; Satisfactory application control over input , processing and master file ;Use of operation manuals and training all users;Maintenance of logs showing unauthorized attempts to access; Physical protection over data files ;Training in emergency procedures </li></ul></ul><ul><li>Controls to ensure integrity of the database system; Restriction of access to data dictionary </li></ul>
  44. 44. DATABASE MANAGEMENT SYSTEMS (DBMS) <ul><li>Controls to ensure integrity of the database system; Restriction of access to data dictionary( point of definition and interrelationship of data); Segregation of duties between data processing manager and data base administration personnel; Liaison between database administration function and systems development personnel ;Preparation and update as necessary of user manual in conjunction with data dictionary </li></ul>
  45. 45. DATA BASE MANAGEMENT SYSTEM <ul><li>The audit of DBMS creates particular problems as the two principal CAATs , test data and audit software , tend to work unsatisfactorily on programs and files contained within such system. The auditor may, however, be able to use embedded audit facilities . Close liaison with the internal auditor may provide audit comfort. The auditors should if possible be involved at the evaluation, design and development stages, so that they are able to determine their audit requirements and identify control problems before implementation. </li></ul>
  46. 46. SMALL COMPUTER SYSTEM <ul><li>Control problems in small computer systems </li></ul><ul><li>The problems surrounding PC’s can be grouped as ; </li></ul><ul><ul><li>Lack of planning over the acquisition and use of PCs; </li></ul></ul><ul><ul><li>Lack of documentary evidence ; </li></ul></ul><ul><ul><li>Lack of security and confidentiality . </li></ul></ul>
  47. 47. COMPUTER FRAUD <ul><ul><li>Input fraud : </li></ul></ul><ul><ul><li>Processing fraud; </li></ul></ul><ul><ul><li>Fraudulent use of computer system; </li></ul></ul><ul><ul><li>Output fraud; </li></ul></ul>
  48. 48. FACTORS- RISK TO COMPUTER FRAUD <ul><ul><li>Increase in computer literacy – </li></ul></ul><ul><ul><li>Communications e.g. telephone and PCs and hackers </li></ul></ul><ul><ul><li>Reduction of internal </li></ul></ul><ul><ul><li>Improvements in quality of software and increase in implementation of good software has not kept pace with improvements in hard ware </li></ul></ul>
  49. 49. COUNTERACT COMPUTER FRAUD <ul><li>Planned approach to counteract computer fraud. </li></ul><ul><ul><li>All staff should be properly trained and should fully appreciate their role in computer function </li></ul></ul><ul><ul><li>Management policy on fraud should be clear and firm </li></ul></ul><ul><ul><li>A study should be carried to examine where the company is exposed to possible fraud </li></ul></ul><ul><ul><li>A company should map out an approach or plan in each area of the business to tackle and prevent fraud. </li></ul></ul>
  50. 50. CONTROLS TO PREVENT COMPUTER FRAUDS <ul><li>As with a control system, three areas to examine are; prevention, detection and correction </li></ul><ul><ul><li>Access to the computer terminals and other parts of the computer should be restricted </li></ul></ul><ul><ul><li>Access to sensitive areas of the system should be logged and monitored </li></ul></ul><ul><ul><li>Errors logs and reports should be monitored and investigated on regular basis </li></ul></ul><ul><ul><li>Staff recruitment should include careful vetting ,include taking up all references </li></ul></ul><ul><ul><li>Expert systems software may be used to monitor unusual transactions </li></ul></ul>
  51. 51. DEVELOPMENTS IN COMPUTERIZED ENVIRONMENT <ul><li>Many auditors are now finding their clients conducting business through the internet . As always, the principle audit concern , will be controls over the use of the internet and the strength of audit evidence obtained through the internet </li></ul>
  52. 52. INTERNET <ul><li>Controls over the Internet </li></ul><ul><ul><li>Unauthorized use of the internet </li></ul></ul><ul><ul><li>Staffs may use internet for unauthorized purchases </li></ul></ul><ul><ul><li>Staff may use internet for accessing data which have a costs (call) </li></ul></ul><ul><ul><li>People may be able to access “business “ internal systems via the internet and obtain confidential information or launch virus which disrupts internal systems </li></ul></ul>
  53. 53. CONTROLS IN INTERNET… <ul><li>Controls from these risks include </li></ul><ul><ul><li>Use of passwords , </li></ul></ul><ul><ul><li>Disabling certain terminals – </li></ul></ul><ul><ul><li>Firewalls – </li></ul></ul><ul><ul><li>Authorization the technique make sure that a message has come from an authorized sender </li></ul></ul><ul><ul><li>Virus control software –regular updating </li></ul></ul><ul><ul><li>Physical controls ;against fire, damage etc </li></ul></ul>
  54. 54. AUDIT EVIDENCE IN THE INTERNET <ul><li>Audit evidence in the Internet </li></ul><ul><ul><li>Certain general observations can be made about audit evidence obtained through the Internet </li></ul></ul><ul><ul><li>Internet evidence generated by the auditor will be stronger than evidence generated by client. Comfort may be obtained if the auditor can access the internet and test what the client has posted </li></ul></ul><ul><ul><li>Internet evidence can be obtained in written form and thus stronger than oral evidence </li></ul></ul><ul><ul><li>If the internal controls mentioned above are strong ,the auditors will have more confidence in the quality of evidence </li></ul></ul>
  55. 55. WHAT ABOUT E-MAIL ? <ul><li>Email may have numerous advantages in reducing office paperwork and speeding up communication, but it also has dangers from an audit point of view. e.g. unscrupulous employee in a large organization might find it quite easy to send and e-mail from his or her boss’s computer authorizing a substantial bonus /payrise </li></ul><ul><li>H/W; what controls could you put to prevent this from happening </li></ul>
  56. 56. CONTROL IN INTERNET SYSTEM <ul><li>Control of network system is of uttermost importance .the auditors must be able to analyse the risk of unauthorized access such as line tapping or interception and to evaluate preventive measures </li></ul><ul><li>Authentication programs and encryption are used for security .the auditor must understand those matter and should be able to make recommendations on implementation. </li></ul><ul><li>Password security is extremely important, and the auditors may be called upon to recommend complex password procedures for sophisticated systems. </li></ul>
  57. 57. ELECTRONIC DATA INTERCHANGE <ul><li>Electronic data interchange (EDI) is now used very widely because it cuts the task of re-inputting data that has already been input into a system in electronic form, saving time and improving accuracy </li></ul><ul><ul><li>EDI is authentic ? What authorization measures are in place to ensure that transactions above certain value are properly authorized before being transmitted or accepted? </li></ul></ul><ul><li>What is the legal position of the two parties if the transaction is disputed? </li></ul><ul><li>Encryption and authentication offer some help, as do transaction logs that identify the originator or any transactions generated and transmitted . </li></ul>
  58. 58. WHAT IS EDI <ul><li>Is the automated computer-to-computer exchange of structured business transactions between an enterprise and its vendors, customers, or other trading partners in a standard format, with a minimum of human intervention </li></ul>
  59. 59. CONSIDERATION OF AUDIT STANDARDS <ul><li>ISA 315, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement” and </li></ul><ul><li>ISA 330, “The Auditor’s Procedures in Response to Assessed Risks” became effective. </li></ul>
  60. 60. CONSIDERATION OF AUDIT STANDARDS <ul><li>Major issues to be considered by an auditor as per ISA </li></ul><ul><ul><li>An auditor should consider new CIS environment affects the audit </li></ul></ul><ul><ul><li>The overall objective of audit in CIS audit never changes. </li></ul></ul><ul><ul><li>The design and performance of appropriate tests of Controls and Substantive procedures to achieve the audit objective are likely to change. </li></ul></ul>
  61. 61. CONSIDERATION OF AUDIT STANDARDS <ul><li>Major issues to be considered by an auditor as per ISA </li></ul><ul><ul><li>The existence of computer is likely to have an impact on the clients inherent risk and control risk. </li></ul></ul><ul><ul><li>The auditor should have sufficient knowledge of CIS to plan, direct supervise and review the work performed. </li></ul></ul><ul><ul><li>The auditor should consider whether specialized CIS skills are needed in an audit. </li></ul></ul>
  62. 62. ISA <ul><li>The ISA makes it clear that auditors should have sufficient knowledge of the CIS to perform such audit effectively.I t is not necessary for overly member of audit team to be a computer expert auditors must consider need for specialized CIS skills.ISA 620 “using the work of expert” is relevant. </li></ul><ul><li>In planning the portions of audit which may be affected by the clients environment the auditor should obtain an understanding of significance and complexity of CIS activities and the availability of data for use in the audit. </li></ul>
  63. 63. ISA <ul><li>Auditor must obtain understanding of accounting and IC sufficient to plan an effective approach. </li></ul><ul><li>Where CIS is significant, the auditor must assess the effect of the CIS on in hereunto control risk. </li></ul><ul><li>Complexity normally increases risk and pensive deficiencies in program development, mtc, physical security and access controls would have an effect on all applications that the system served. </li></ul>
  64. 64. ELECTRONIC COMMERCE IAPS 1013 <ul><li>Is any Commercial activity that takes place by means of connected computers. E.g. offering goods for sale directly from office computer; the purchasers’ computer and office computer is connected over Internet. </li></ul><ul><li>How do we audit ex-commerce? </li></ul><ul><li>International Audit Practice Standard ISPS 1013 (IAP’s) in intended to assist auditors in identifying and assessing the new risk to which the business in exposed when it undertakes e-commerce transactions. </li></ul>
  65. 65. MAJOR AREAS OF FOCUS BY THE IAPS 1013 <ul><li>The skill and knowledge required to understand the implications of e-commerce on audit </li></ul><ul><li>The extent of knowledge an auditor should have about the client’s business environment and activities. </li></ul>
  66. 66. MAJOR AREAS OF FOCUS BY THE IAPS 1013 <ul><li>The business, legal, regulatory and other risk faced by entries engaged in e-commerce transactions. </li></ul><ul><li>The effect of electronic records on audit evidence. </li></ul><ul><li>The statement may be also helpful to the auditor of any business engaged in e-commerce. </li></ul>
  67. 67. What is an IT audit? <ul><li>Like operational, financial and compliance auditors, Information Technology (IT) auditors work to: </li></ul><ul><li>Understand the existing internal control environment </li></ul><ul><li>Identify high risk areas through a formal methodology </li></ul><ul><li>Ensure that adequate internal controls are in place and operate effectively (through the testing of said controls) </li></ul><ul><li>Recommend control implementation where risk exists </li></ul>
  68. 68. Why IT AUDIT? <ul><li>Because of Information Technology RISK!! </li></ul><ul><li>Risk : The probability that a particular threat exploits a particular vulnerability (i.e. an issue which may impact ability to meet objective). </li></ul><ul><li>Threat : Event or entity with the potential to cause unauthorized access, modification, disclosure, or destruction of info resources. </li></ul><ul><li>Vulnerability : Weakness in a system control, or a design flaw, that can be exploited to violate system, network, or data integrity. </li></ul>
  69. 69. What Reduces IT Risk and What about any Remaining Risk? <ul><li>Internal Controls (i.e. safeguards) </li></ul><ul><li>Control : Protective measure implemented to ensure company assets (IT or otherwise) are both available and accurate in order to meet the business requirements of that asset. </li></ul><ul><li>Residual Risk : The risk that is left over after reasonable internal controls have been both evaluated and implemented. </li></ul><ul><li>Internal Controls do not eliminate all risk!! </li></ul>
  70. 70. INTERNAL CONTROLS OTHER MATTERS <ul><li>The are two major types of controls: </li></ul><ul><ul><li>Application Controls </li></ul></ul><ul><ul><li>General Controls. </li></ul></ul>
  71. 72. What about OTHER types of audits that may impact Security Administration functions <ul><li>Traditional Audit Types: </li></ul><ul><ul><li>Financial – “opinion” audits (CPAs) </li></ul></ul><ul><ul><li>Operational – process audits – now includes environmental & construction </li></ul></ul><ul><ul><li>Compliance – laws/regulations and policies, standards, and procedures </li></ul></ul><ul><ul><li>IT – usually considered “operational” unless performed so “opinion” auditors may “rely” on financial info provided </li></ul></ul><ul><li>Hybrid - Integrated Audit – today almost all audits are actually hybrid </li></ul>
  72. 73. Operational Audits <ul><li>Review operating policies/procedures </li></ul><ul><ul><li>Documented policies/procedures? </li></ul></ul><ul><ul><li>Informal policies/procedures? </li></ul></ul><ul><li>Work flow examined (thru flowchart or description requested/developed) </li></ul><ul><li>Controls identified and documented </li></ul><ul><li>Examine the business process and recommend improvements – control related or efficiency/effectiveness </li></ul>
  73. 74. INTERNAL CONTROLS OTHER MATTERS <ul><li>General Controls: </li></ul><ul><li>The purpose of General controls is to establish a framework of overall control over the CIS activities and to provide a reasonable level of assurance that the overall objectives of IC are achieved . </li></ul>
  74. 75. INTERNAL CONTROLS OTHER MATTERS <ul><li>Categories of General Controls : </li></ul><ul><ul><li>Organizational and Management control </li></ul></ul><ul><ul><ul><li>-Helps to provide a proper organizational framework including regression of incompatible functions. </li></ul></ul></ul><ul><ul><li>Application development and Mtc controls </li></ul></ul><ul><ul><ul><li>-To ensure that applications are properly developed, tested and maintained. </li></ul></ul></ul>
  75. 76. INTERNAL CONTROLS OTHER MATTERS <ul><li>Categories of General Controls : </li></ul><ul><ul><li>Operational controls – To ensure properly authorized access to system and the detection of errors. </li></ul></ul><ul><ul><li>Systems software controls – to ensure the integrity of the development and usage of systems software. </li></ul></ul><ul><ul><li>Data entry & program controls – to ensure the integrity of data and program files. </li></ul></ul>
  76. 77. CIS APPLICATION CONTROLS <ul><li>CIS application controls. </li></ul><ul><li>The purpose of this control is to establish specific control procedures over the acting applications to provide reasonable assurances that all transactions are authorized, recorded and processed, completely, accurately and on a timely bases. </li></ul>
  77. 78. CIS APPLICATION CONTROLS <ul><li>The Controls Include: </li></ul><ul><li>Controls over input – designed to provide reasonable assurance that:- </li></ul><ul><ul><li>Transactions are properly authorized before being processed by the computer transactions are accurately converted into machined readable form and recorded in the compute data files. </li></ul></ul><ul><ul><li>Transactions are not lost, duplicated or improperly changed. </li></ul></ul><ul><ul><li>Processing errors are identified and corrected on timely basis </li></ul></ul>
  78. 79. CIS APPLICATION CONTROLS <ul><li>The Controls Include: </li></ul><ul><li>Control’s over output – designed to provide reasonable assurance that:- </li></ul><ul><ul><li>Results of processing are accounts; Access to output is restricted to authorized personnel; Output is provided to appropriate authorized personnel on timely basis ;Normally the technique which control the accuracy of input and processing while help to control master file date; Since master file standing data items are used many times over in processing, they take on greaten importance than transaction date and more costly controls such as one - for – one checks may be justified. </li></ul></ul>
  79. 80. MANUAL AND PROGRAMMED CONTROLS <ul><li>Many controls over computers are manual controls, and prodding that the manual controls exercised by users are sufficient to provide reasonable assurance of the completeness, accuracy and authorization of output, test of control may be limited to those manual controls. In a payroll system, for example, if users test check gross pay, deductions net pay and authorization at the output stage, and if they compare net pay with approved bank transfer documentation and perform regular bank reconciliation’s; there may be no need to test programmed controls. </li></ul>
  80. 81. MANUAL CONTROLS <ul><li>Other Controls: </li></ul><ul><ul><li>Manual Controls </li></ul></ul><ul><ul><ul><li>Physical Controls: </li></ul></ul></ul><ul><ul><ul><ul><li>-Is a matter of common sense. </li></ul></ul></ul></ul><ul><ul><ul><ul><li>-Limit access to a computer room, -Locks and keys, only to specified people </li></ul></ul></ul></ul><ul><ul><ul><ul><li>-Prevention of smooking. </li></ul></ul></ul></ul><ul><ul><ul><li>Back-up of disks: </li></ul></ul></ul><ul><ul><ul><ul><li>-Create and update an identical back up disk for every disk in the system; Data files&Program files; The disk should be stored in separate place. </li></ul></ul></ul></ul>
  81. 82. MANUAL CONTROLS <ul><li>Other Controls: </li></ul><ul><ul><li>Manual Controls </li></ul></ul><ul><ul><ul><li>Data filing: </li></ul></ul></ul><ul><ul><ul><li>-Each disk should be labeled clearly and filed securely.The labeled disks should be filed in special disk boxes to provide a degree of protection against liquid being spoilt on the disks or their being bent or plied. </li></ul></ul></ul><ul><ul><ul><li>Documentation : It is vital, as it provides both a support system for work already stored on disk and filed, and progress report on data currently being processed or updated. </li></ul></ul></ul><ul><ul><ul><li>Staff Training: </li></ul></ul></ul><ul><ul><ul><li>Proofing: There is always room for manual checking or proofing, to control data on disk . </li></ul></ul></ul>
  82. 83. PROGRAMMED CONTROLS <ul><li>Programmed Controls: </li></ul><ul><li>Passwords ; Date/time stamps for compass on of two revisions of data; Prompts – Asking the user to continue with an action or not. </li></ul><ul><li>Check Digit: A means of control on that they ascertain whether or not a number, such as ISBN is valid. E.g. customer account No. The computer will detect of the number is ever input incorrectly. </li></ul><ul><li>Batch totals and hash totals: </li></ul>
  83. 84. PROGRAMMED CONTROLS <ul><li>Programmed Controls: </li></ul><ul><li>Reasonable checks: Checks to ensure that data input is reasonable given the type of input it is e.g. A payroll system would check that his recorded for a falls within a range of 30 to 50. </li></ul><ul><li>Existence checks: Checks to ensure that the data input is valid by checking that the entity already exists in the system. E.g. employee number. </li></ul><ul><li>Dependency checks: Data input fields can be compared with other fields for reasonableness. </li></ul>
  84. 85. SMALL STAND ALONE MICRO-COMPUTER <ul><li>Main problems. </li></ul><ul><ul><ul><li>Internal Controls. </li></ul></ul></ul><ul><ul><ul><ul><li>Major controls appropriate in this environment are:- </li></ul></ul></ul></ul><ul><li>Authorization: </li></ul><ul><ul><li>Physical security </li></ul></ul><ul><ul><li>AUDIT PROCEDURES </li></ul></ul><ul><ul><ul><li>Substantive tests </li></ul></ul></ul>
  85. 86. Internal controls <ul><li>Inherent limitations of the system of IC in elimination of frauds & errors. </li></ul><ul><li>The need to balance the cost of control with its benefits; The fact that IC are applied to systematic transaction, not one-off year-end adjustments, which are often larger and subject to error; The potential human error; Possibility of circumvention of IC through coolness in of managers or employees with other parts inside /outside the entity; Abuse of controls or override of controls e.g. ordering of personal goods; Obsolescent of controls </li></ul>
  86. 87. FURTHER CONSIDERATION OF CAATs <ul><li>Further considerations of CAATs </li></ul><ul><ul><ul><li>ISA requires auditors to obtain appropriate audit evidence to be able to allow reasonable conditions on which to base their opinion. </li></ul></ul></ul><ul><li>Advantages of CAATS: </li></ul><ul><ul><li>Helps to test larger number of data hence increase confidence in their opinion; Help’s to test Accounting Systems its records (Tables & Disk files) rather than relying on testing printout; Are cost effective once set up for obtaining audit evidence; Comparison can easily be made from clerical audit work hence increase confidence. </li></ul></ul>
  87. 88. OTHER DETAIL MATTERS <ul><li>Difficulties of using computer programs cost. </li></ul><ul><ul><li>Cost; Changes to clients system; Small installations PC; Over –elaboration; Larger quantities of output; Version of file used for lest. </li></ul></ul><ul><li>Test Data: </li></ul><ul><ul><li>Is a data submitted by the auditor for processing the clients computer-based accounting system. </li></ul></ul>
  88. 89. OTHER DETAIL MATTERS <ul><li>Major approached to the use of test data </li></ul><ul><ul><li>Using live data </li></ul></ul><ul><ul><li>Using dummy data in a normal production nun. </li></ul></ul><ul><ul><li>Using dummy data in special nun. </li></ul></ul><ul><li>Difficulties of test data: </li></ul><ul><ul><li>Cost </li></ul></ul><ul><ul><li>Limited objective </li></ul></ul><ul><ul><li>Dangers of live testing </li></ul></ul><ul><ul><li>Difficult in recording audit evidence </li></ul></ul>