Accounting Information Systems, 6th edition
James A. Hall
COPYRIGHT © 2009 South-Western, a division of Cengage Learning. Cengage Learning and South-Western are trademarks used herein under license
Objectives for Chapter 15
- Key features of Sections 302 and 404 of the Sarbanes-Oxley Act
- Management and auditor responsibilities under Sections 302 and 404
- Risks of incompatible functions and how to structure the IT function
- Controls and security of an organization’s computer facilities
- Key elements of a disaster recovery plan
Sarbanes-Oxley Act
- The 2002 Sarbanes-Oxley (SOX) Act established new corporate governance rules
- Created a company accounting oversight board
- Increased accountability for company officers and the board of directors
- Increased white-collar crime penalties
- Prohibits a company’s external audit firm from providing financial information systems
SOX Section 302
Section 302—in quarterly and annual financial statements, management must:
- certify the internal controls (IC) over financial reporting
- state responsibility for IC design
- provide reasonable assurance as to the reliability of the financial reporting process
- disclose any recent material changes in IC

SOX Section 404
Section 404—in the annual report on IC effectiveness, management must:
- state responsibility for establishing and maintaining adequate financial reporting IC
- assess IC effectiveness
- reference the external auditors’ attestation report on management’s IC assessment
- provide explicit conclusions on the effectiveness of financial reporting IC
- identify the framework management used to conduct their IC assessment, e.g., COBIT
IT Controls & Financial Reporting
- Modern financial reporting is driven by information technology (IT)
- IT initiates, authorizes, records, and reports the effects of financial transactions.
- Financial reporting IC are inextricably integrated with IT.

IT Controls & Financial Reporting
- COSO identifies two groups of IT controls:
  - application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
  - general controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

IT Controls & Financial Reporting
[Figure: controls for review, arranged in three layers]
- Significant financial accounts: Sales, CGS, AP, Cash, Inventory
- Related application controls: Order Entry, Purchases, Cash Disbursements
- Supporting general controls: Systems Development and Program Change Control, Database Access Controls, Operating System Controls
SOX Audit Implications
- Pre-SOX, audits did not require IC tests.
  - Auditors were only required to be familiar with the client’s IC
  - The audit consisted primarily of substantive tests
- SOX – radically expanded the scope of the audit
  - Issue a new audit opinion on management’s IC assessment
  - Required to test IC affecting financial information, especially IC to prevent fraud
  - Collect documentation of management’s IC tests and interview management on IC changes

Types of Audit Tests
- Tests of controls – tests to determine if appropriate IC are in place and functioning effectively
- Substantive testing – detailed examination of account balances and transactions
Organizational Structure IC
Audit objective – verify that individuals in incompatible areas are segregated to minimize risk while promoting operational efficiency
- IC, especially segregation of duties, are affected by which of two organizational structures applies:
  - Centralized model
  - Distributed model

[Figure: CENTRALIZED COMPUTER SERVICES FUNCTION]
- President
  - VP Marketing
  - VP Computer Services
    - Systems Development: New Systems Development; Systems Maintenance
    - Database Administration
    - Data Processing: Data Control; Data Preparation; Computer Operations; Data Library
  - VP Operations
  - VP Finance

[Figure: DISTRIBUTED ORGANIZATIONAL STRUCTURE]
- President
  - VP Marketing
  - VP Finance: Treasurer; Controller
  - VP Operations: Manager Plant X; Manager Plant Y
  - VP Administration
- An IPU (information processing unit) is attached to each end-user unit in place of a central computer services function
Segregation of Duties
- Transaction authorization is separate from transaction processing.
- Asset custody is separate from record-keeping responsibilities.
- The tasks needed to process the transactions are subdivided so that fraud requires collusion.

Segregation of Duties
[Figure: a TRANSACTION passes through Authorization, Processing, Custody and Recording]
- Control Objective 1: Authorization is separated from Processing
- Control Objective 2: Custody is separated from Recording
- Control Objective 3: processing is subdivided into Task 1, Task 2, Task 3, Task 4

Centralized IT Structure
- Critical to segregate:
  - systems development from computer operations
  - the database administrator (DBA) from other computer service functions
    - separates the DBA’s authorizing role from systems development’s processing role
    - the DBA authorizes access
  - maintenance from new systems development
  - data library from operations
Distributed IT Structure
- Despite its many advantages, important IC implications are present:
  - incompatible software among the various work centers
  - data redundancy may result
  - consolidation of incompatible tasks
  - difficulty hiring qualified professionals
  - lack of standards

Organizational Structure IC
- A corporate IT function alleviates potential problems associated with distributed IT organizations by providing:
  - central testing of commercial hardware and software
  - a user services staff
  - a standard-setting body
  - review of the technical credentials of prospective systems professionals
Audit Procedures
- Review the corporate policy on computer security
  - Verify that the security policy is communicated to employees
- Review documentation to determine if individuals or groups are performing incompatible functions
- Review systems documentation and maintenance records
  - Verify that maintenance programmers are not also design programmers

Audit Procedures
- Observe whether segregation policies are followed in practice.
  - E.g., check operations room access logs to determine if programmers enter for reasons other than system failures
- Review user rights and privileges
  - Verify that programmers have access privileges consistent with their job descriptions
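As an added example (not code from Hall's slides or from any project), the following Python script shows how the segregation rules on the Centralized IT Structure slide and the log and privilege reviews on the two Audit Procedures slides can be checked mechanically rather than by eye. The function names, the job-description-to-privilege mapping, the badge-log format and the incident windows are all assumptions constructed for the example.

```python
"""Added example, not from Hall's slides: three audit checks scripted from the
Centralized IT Structure and Audit Procedures slides. Every data set below
(function assignments, job privileges, badge log, incident windows) is
constructed for the example."""
from datetime import datetime, timedelta

# Computer service functions named on the Centralized IT Structure slide.
FUNCTIONS = {"new_systems_development", "systems_maintenance",
             "computer_operations", "data_library", "dba"}

# Incompatible pairs from the slide: development vs operations, maintenance vs
# new development, data library vs operations, and the DBA vs every other function.
INCOMPATIBLE = {
    frozenset({"new_systems_development", "computer_operations"}),
    frozenset({"systems_maintenance", "computer_operations"}),
    frozenset({"systems_maintenance", "new_systems_development"}),
    frozenset({"data_library", "computer_operations"}),
} | {frozenset({"dba", f}) for f in FUNCTIONS if f != "dba"}

# Constructed access-control export: user -> functions the user is assigned to.
ASSIGNMENTS = {
    "alice": {"new_systems_development"},
    "bob":   {"systems_maintenance", "new_systems_development"},  # conflict
    "carol": {"computer_operations", "data_library"},             # conflict
    "dave":  {"dba"},
}

# Constructed job descriptions and the privileges each one justifies (assumed names).
JOB_PRIVILEGES = {
    "programmer": {"dev_source_repo", "test_env"},
    "operator":   {"prod_console", "job_scheduler"},
    "dba":        {"prod_db_admin", "test_env"},
}
USER_JOBS = {"alice": "programmer", "bob": "programmer",
             "carol": "operator", "dave": "dba"}
USER_PRIVILEGES = {
    "alice": {"dev_source_repo", "test_env"},
    "bob":   {"dev_source_repo", "test_env", "prod_console"},  # not in job description
    "carol": {"prod_console", "job_scheduler"},
    "dave":  {"prod_db_admin", "test_env"},
}

# Constructed operations-room badge log, one "timestamp,user,role,event" per line.
ACCESS_LOG = """\
2024-03-04T09:12:00,alice,programmer,entry
2024-03-04T09:40:00,alice,programmer,exit
2024-03-05T02:05:00,bob,programmer,entry
2024-03-05T03:10:00,bob,programmer,exit
2024-03-05T08:00:00,carol,operator,entry
"""
# Constructed incident register: (start, end) windows of declared system failures.
INCIDENTS = [(datetime(2024, 3, 5, 1, 30), datetime(2024, 3, 5, 4, 0))]


def sod_conflicts(assignments):
    """Return sorted (user, function_a, function_b) for each incompatible pair a user holds."""
    findings = []
    for user, funcs in assignments.items():
        for pair in INCOMPATIBLE:
            if pair <= funcs:
                a, b = sorted(pair)
                findings.append((user, a, b))
    return sorted(findings)


def excess_privileges(user_jobs, user_privs, job_privs):
    """Return {user: privileges held that the user's job description does not justify}."""
    out = {}
    for user, job in user_jobs.items():
        extra = user_privs.get(user, set()) - job_privs[job]
        if extra:
            out[user] = extra
    return out


def parse_log(text):
    """Parse the badge log into (timestamp, user, role, event) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, event = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, role, event))
    return rows


def unexplained_programmer_entries(log_rows, incidents, slack=timedelta(minutes=30)):
    """Programmer entries that fall outside every (slack-widened) system-failure window."""
    out = []
    for ts, user, role, event in log_rows:
        if role != "programmer" or event != "entry":
            continue
        covered = any(s - slack <= ts <= e + slack for s, e in incidents)
        if not covered:
            out.append((ts.isoformat(), user))
    return out


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ASSIGNMENTS))
    print("Excess privileges:", excess_privileges(USER_JOBS, USER_PRIVILEGES, JOB_PRIVILEGES))
    print("Unexplained programmer entries:",
          unexplained_programmer_entries(parse_log(ACCESS_LOG), INCIDENTS))
```

In a real review the three inputs come from the access-control export, the HR job catalogue and the badge system; an entry that does fall inside an incident window (bob's, here) is still worth sampling against the incident ticket, since the script only tells the auditor which entries have no stated reason at all.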
Computer Center IC
Audit objectives:
- physical security IC protect the computer center from physical exposures
- insurance coverage compensates the organization for damage to the computer center
- operator documentation addresses routine operations as well as system failures

Computer Center IC
Considerations:
- man-made threats and natural hazards
- underground utility and communications lines
- air conditioning and air filtration systems
- access limited to operators and computer center workers; others required to sign in and out
- fire suppression systems installed
- fault tolerance
  - redundant disks and other system components
  - backup power supplies

Audit Procedures
- Review insurance coverage on hardware, software, and the physical facility
- Review operator documentation (run manuals) for completeness and accuracy
- Verify that operational details of a system’s internal logic are not in the operator’s documentation
Disaster Recovery Planning
- Disaster recovery plans (DRP) identify:
  - actions before, during, and after the disaster
  - the disaster recovery team
  - priorities for restoring critical applications
Audit objective – verify that the DRP is adequate and feasible for dealing with disasters

Disaster Recovery Planning
- Major IC concerns:
  - second-site backups
  - critical applications and databases
  - including supplies and documentation
  - back-up and off-site storage procedures
  - disaster recovery team
  - testing the DRP regularly

Second-Site Backups
- Empty shell – involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
- Recovery operations center – a completely equipped site; very costly and typically shared among many companies
- Internally provided backup – companies with multiple data processing centers may create internal excess capacity

DRP Audit Procedures
- Evaluate the adequacy of second-site backup arrangements
- Review the list of critical applications for completeness and currency
- Verify that procedures are in place for storing off-site copies of applications and data
- Check the currency of back-ups and copies

DRP Audit Procedures
- Verify that documentation, supplies, etc., are stored off-site
- Verify that the disaster recovery team knows its responsibilities
- Check the frequency of testing the DRP
From Appendix

Attestation versus Assurance
- Attestation:
  - the practitioner is engaged to issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.
- Assurance:
  - professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
  - includes, but is not limited to, attestation

Attest and Assurance Services

What is an External Financial Audit?
- An independent attestation by a professional (CPA) regarding the faithful representation of the financial statements
- Three phases of a financial audit:
  - familiarization with the client firm
  - evaluation and testing of internal controls
  - assessment of the reliability of financial data

Generally Accepted Auditing Standards (GAAS)

Auditing Management’s Assertions

External versus Internal Auditing
- External auditors – represent the interests of third-party stakeholders
- Internal auditors – serve an independent appraisal function within the organization
  - Often perform tasks that help achieve audit efficiency and reduce external audit fees
What is an IT Audit?
Since most information systems employ IT, the IT audit is a critical component of all external and internal audits.
- IT audits:
  - focus on the computer-based aspects of an organization’s information system
  - assess the proper implementation, operation, and control of computer resources

Elements of an IT Audit
- Systematic procedures are used
- Evidence is obtained
  - tests of internal controls
  - substantive tests
- Determination of materiality for weaknesses found
- Prepare audit report & audit opinion

Phases of an IT Audit

Audit Risk is...
the probability the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated.

Three Components of Audit Risk
- Inherent risk – associated with the unique characteristics of the business or industry of the client
- Control risk – the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts
- Detection risk – the risk that errors not detected or prevented by the control structure will also not be detected by the auditor

More Related Content

What's hot

James hall ch 4
James hall ch 4James hall ch 4
James hall ch 4David Julian
 
James hall ch 7
James hall ch 7James hall ch 7
James hall ch 7David Julian
 
James hall ch 5
James hall ch 5James hall ch 5
James hall ch 5David Julian
 
The Revenue Cycle
The Revenue Cycle The Revenue Cycle
The Revenue Cycle Qamar Farooq
 
Introduction to Transaction Processing Chapter No. 2
Introduction to Transaction Processing   Chapter No. 2Introduction to Transaction Processing   Chapter No. 2
Introduction to Transaction Processing Chapter No. 2Qamar Farooq
 
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Vhena Pilongo
 
Revenue cycle (AIS)
Revenue cycle (AIS)Revenue cycle (AIS)
Revenue cycle (AIS)Morgan Stanley
 
James hall ch 9
James hall ch 9James hall ch 9
James hall ch 9David Julian
 
General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)Osareme Erhomosele
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i  auditing operating systems and networksChapter 3 security part i  auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksTommy Zul Hidayat
 
Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsjayussuryawan
 
Audit report- Consideration of Internal Control
Audit report- Consideration of Internal ControlAudit report- Consideration of Internal Control
Audit report- Consideration of Internal Controlnellynljcoles
 
Chapter 02 - Transaction Processing System
Chapter 02 - Transaction Processing SystemChapter 02 - Transaction Processing System
Chapter 02 - Transaction Processing SystemViduni Udovita
 
Lecture 10 documentation techniques -transaction processing- james a. hall b...
Lecture 10  documentation techniques -transaction processing- james a. hall b...Lecture 10  documentation techniques -transaction processing- james a. hall b...
Lecture 10 documentation techniques -transaction processing- james a. hall b...Habib Ullah Qamar
 
Lecture 21 expenditure cycle part i - accounting information systesm james ...
Lecture 21  expenditure cycle part i - accounting information systesm  james ...Lecture 21  expenditure cycle part i - accounting information systesm  james ...
Lecture 21 expenditure cycle part i - accounting information systesm james ...Habib Ullah Qamar
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsTommy Zul Hidayat
 
Report AIS chapter 7- Conversion Cycle
Report AIS chapter 7- Conversion CycleReport AIS chapter 7- Conversion Cycle
Report AIS chapter 7- Conversion CycleHarah Bae
 

What's hot (20)

James hall ch 4
James hall ch 4James hall ch 4
James hall ch 4
 
James hall ch 7
James hall ch 7James hall ch 7
James hall ch 7
 
James hall ch 5
James hall ch 5James hall ch 5
James hall ch 5
 
The Revenue Cycle
The Revenue Cycle The Revenue Cycle
The Revenue Cycle
 
Introduction to Transaction Processing Chapter No. 2
Introduction to Transaction Processing   Chapter No. 2Introduction to Transaction Processing   Chapter No. 2
Introduction to Transaction Processing Chapter No. 2
 
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
 
Revenue cycle (AIS)
Revenue cycle (AIS)Revenue cycle (AIS)
Revenue cycle (AIS)
 
James hall ch 9
James hall ch 9James hall ch 9
James hall ch 9
 
General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)
 
Pp 02-new
Pp 02-newPp 02-new
Pp 02-new
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i  auditing operating systems and networksChapter 3 security part i  auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networks
 
Pp 11-new
Pp 11-newPp 11-new
Pp 11-new
 
Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systems
 
Audit report- Consideration of Internal Control
Audit report- Consideration of Internal ControlAudit report- Consideration of Internal Control
Audit report- Consideration of Internal Control
 
Chapter 02 - Transaction Processing System
Chapter 02 - Transaction Processing SystemChapter 02 - Transaction Processing System
Chapter 02 - Transaction Processing System
 
Lecture 10 documentation techniques -transaction processing- james a. hall b...
Lecture 10  documentation techniques -transaction processing- james a. hall b...Lecture 10  documentation techniques -transaction processing- james a. hall b...
Lecture 10 documentation techniques -transaction processing- james a. hall b...
 
Lecture 21 expenditure cycle part i - accounting information systesm james ...
Lecture 21  expenditure cycle part i - accounting information systesm  james ...Lecture 21  expenditure cycle part i - accounting information systesm  james ...
Lecture 21 expenditure cycle part i - accounting information systesm james ...
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controls
 
Report AIS chapter 7- Conversion Cycle
Report AIS chapter 7- Conversion CycleReport AIS chapter 7- Conversion Cycle
Report AIS chapter 7- Conversion Cycle
 
Pp 12-new
Pp 12-newPp 12-new
Pp 12-new
 

Similar to James hall ch 15

Sample audit plan
Sample audit planSample audit plan
Sample audit planMaher Manan
 
Information systems and its components iii
Information systems and its components   iiiInformation systems and its components   iii
Information systems and its components iiiAshish Desai
 
Topic 3 Accounting System And Control
Topic 3 Accounting System And ControlTopic 3 Accounting System And Control
Topic 3 Accounting System And Controlmandalina landy
 
Topic 3 Accounting System And Control
Topic 3 Accounting System And ControlTopic 3 Accounting System And Control
Topic 3 Accounting System And Controlguest441011
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security AuditMufaddal Nullwala
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)Muhammad Azmy
 
Info Security & PCI(original)
Info Security & PCI(original)Info Security & PCI(original)
Info Security & PCI(original)NCTechSymposium
 
1auditconcepts
1auditconcepts1auditconcepts
1auditconceptsShubham Raj
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.gueste080564
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computingguestc1bca2
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.renetta
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Hendri Eka Saputra
 
Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1Sharing Slides Training
 
Ais Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And AisAis Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And Aissharing notes123
 
Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1sharing notes123
 
Ais Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And AisAis Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And AisSharing Slides Training
 
Technology Audit
Technology AuditTechnology Audit
Technology AuditArish Roy
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditingMarc Vael
 

Similar to James hall ch 15 (20)

Sample audit plan
Sample audit planSample audit plan
Sample audit plan
 
Information systems and its components iii
Information systems and its components   iiiInformation systems and its components   iii
Information systems and its components iii
 
Topic 3 Accounting System And Control
Topic 3 Accounting System And ControlTopic 3 Accounting System And Control
Topic 3 Accounting System And Control
 
Topic 3 Accounting System And Control
Topic 3 Accounting System And ControlTopic 3 Accounting System And Control
Topic 3 Accounting System And Control
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
 
Info Security & PCI(original)
Info Security & PCI(original)Info Security & PCI(original)
Info Security & PCI(original)
 
It Governance Methodology Cox
It Governance Methodology CoxIt Governance Methodology Cox
It Governance Methodology Cox
 
1auditconcepts
1auditconcepts1auditconcepts
1auditconcepts
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computing
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)
 
Audit presentation
Audit presentationAudit presentation
Audit presentation
 
Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1
 
Ais Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And AisAis Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And Ais
 
Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1
 
Ais Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And AisAis Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And Ais
 
Technology Audit
Technology AuditTechnology Audit
Technology Audit
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditing
 

Recently uploaded

Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........LeaCamillePacle
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationAadityaSharma884161
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 

Recently uploaded (20)

Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint Presentation
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"
 

James hall ch 15

  • 1. Accounting Information Systems, 6th edition. James A. Hall. COPYRIGHT © 2009 South-Western, a division of Cengage Learning. Cengage Learning and South-Western are trademarks used herein under license.
  • 2. Objectives for Chapter 15
    - Key features of Sections 302 and 404 of the Sarbanes-Oxley Act
    - Management and auditor responsibilities under Sections 302 and 404
    - Risks of incompatible functions and how to structure the IT function
    - Controls and security of an organization’s computer facilities
    - Key elements of a disaster recovery plan
  • 3. Sarbanes-Oxley Act
    - The 2002 Sarbanes-Oxley (SOX) Act established new corporate governance rules
    - Created a company accounting oversight board
    - Increased accountability for company officers and the board of directors
    - Increased white-collar crime penalties
    - Prohibits a company’s external audit firm from providing financial information systems
  • 4. SOX Section 302
    - In quarterly and annual financial statements, management must:
      - certify the internal controls (IC) over financial reporting
      - state responsibility for IC design
      - provide reasonable assurance as to the reliability of the financial reporting process
      - disclose any recent material changes in IC
  • 5. SOX Section 404
    - In the annual report on IC effectiveness, management must:
      - state responsibility for establishing and maintaining adequate financial reporting IC
      - assess IC effectiveness
      - reference the external auditors’ attestation report on management’s IC assessment
      - provide explicit conclusions on the effectiveness of financial reporting IC
      - identify the framework management used to conduct their IC assessment, e.g., COBIT
  • 6. IT Controls & Financial Reporting
    - Modern financial reporting is driven by information technology (IT)
    - IT initiates, authorizes, records, and reports the effects of financial transactions
    - Financial reporting IC are inextricably integrated with IT
  • 7. IT Controls & Financial Reporting
    - COSO identifies two groups of IT controls:
      - application controls: apply to specific applications and programs, and ensure data validity, completeness and accuracy
      - general controls: apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development
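Slide 7 defines application controls as the checks that keep a specific application's data valid, complete and accurate. The following is an added example, not code from the slides or from Hall's textbook, showing what those three checks look like when applied to a sales-order record; the customer master file, the required-field list and the sample orders are all constructed for the illustration.

```python
from decimal import Decimal

# Constructed customer master file used for the validity check.
CUSTOMER_MASTER = {"C001", "C002", "C003"}

# Fields every sales-order record must carry (completeness check).
REQUIRED_FIELDS = ("order_id", "customer_id", "lines", "total")


def check_order(order, master=CUSTOMER_MASTER):
    """Return a list of application-control failures for one sales order.

    completeness: every required field is present
    validity:     the customer exists in the master file and each line has a
                  positive quantity and price
    accuracy:     the header total equals the sum of quantity x price over lines
    An empty list means the record passed all three checks.
    """
    missing = [f for f in REQUIRED_FIELDS if f not in order]
    if missing:
        # Nothing further can be checked reliably on an incomplete record.
        return ["completeness: missing " + ", ".join(missing)]

    failures = []
    if order["customer_id"] not in master:
        failures.append(f"validity: unknown customer {order['customer_id']}")

    computed = Decimal("0")
    for i, line in enumerate(order["lines"], start=1):
        qty, price = line["qty"], Decimal(line["price"])
        if qty <= 0 or price <= 0:
            failures.append(f"validity: non-positive qty or price on line {i}")
        computed += qty * price

    if computed != Decimal(order["total"]):
        failures.append(f"accuracy: header total {order['total']} != computed {computed}")
    return failures


# Constructed sample orders: one clean record, then one per failure type.
SAMPLE_ORDERS = [
    {"order_id": "S100", "customer_id": "C001",
     "lines": [{"qty": 2, "price": "10.00"}, {"qty": 1, "price": "5.50"}],
     "total": "25.50"},
    {"order_id": "S101", "customer_id": "C999",
     "lines": [{"qty": 1, "price": "10.00"}], "total": "10.00"},
    {"order_id": "S102", "customer_id": "C002",
     "lines": [{"qty": 3, "price": "4.00"}], "total": "13.00"},
    {"order_id": "S103", "customer_id": "C003", "total": "0.00"},
]


def batch_check(orders):
    """Map each order id to its list of control failures."""
    return {o.get("order_id", "?"): check_order(o) for o in orders}


if __name__ == "__main__":
    for oid, problems in batch_check(SAMPLE_ORDERS).items():
        print(oid, "OK" if not problems else "; ".join(problems))
```

Monetary amounts are parsed with Decimal rather than float so that the accuracy check compares exact values; a float comparison would produce spurious mismatches on ordinary prices.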
  • 8. IT Controls & Financial Reporting (diagram): significant financial accounts (Sales, CGS, AP, Cash, Inventory) are supported by related application controls (Order Entry, Purchases, Cash Disbursements application controls), which in turn rest on supporting general controls (Systems Development and Program Change Control, Database Access Controls, Operating System Controls); together these are the controls for review.
  • 9. SOX Audit Implications
    - Pre-SOX, audits did not require IC tests:
      - auditors were only required to be familiar with the client’s IC
      - the audit consisted primarily of substantive tests
    - SOX radically expanded the scope of the audit:
      - issue a new audit opinion on management’s IC assessment
      - required to test IC affecting financial information, especially IC to prevent fraud
      - collect documentation of management’s IC tests and interview management on IC changes
  • 10. Types of Audit Tests
    - Tests of controls: tests to determine if appropriate IC are in place and functioning effectively
    - Substantive testing: detailed examination of account balances and transactions
  • 11. Organizational Structure IC
    - Audit objective: verify that individuals in incompatible areas are segregated to minimize risk while promoting operational efficiency
    - IC, especially segregation of duties, is affected by which of two organizational structures applies:
      - Centralized model
      - Distributed model
  • 13. Segregation of Duties
    - Transaction authorization is separate from transaction processing.
    - Asset custody is separate from record-keeping responsibilities.
    - The tasks needed to process the transactions are subdivided so that fraud requires collusion.
  • 14. Segregation of Duties (diagram): a transaction’s Authorization, Processing (Tasks 1 to 4), Custody and Recording are assigned to different parties, satisfying Control Objectives 1, 2 and 3.
  • 15. Centralized IT Structure
    - Critical to segregate:
      - systems development from computer operations
      - the database administrator (DBA) from other computer service functions
      - the DBA’s authorization role from systems development’s processing role (the DBA authorizes access)
      - maintenance from new systems development
      - the data library from operations
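Slides 13 and 15 list the duties that must not sit with one person: at the transaction level, authorization apart from processing and custody apart from recording; in a centralized IT function, systems development apart from operations, the DBA apart from every other computer service function, maintenance apart from new development, and the data library apart from operations. The following is an added example, not code from the slides or from the textbook, that turns those rules into a check an auditor or access-review tool could run over role assignments; the function labels, the staff names and their assignments are constructed for the illustration.

```python
from itertools import combinations

# Computer service functions named on the centralized-IT slide; the short
# labels are this example's own.
FUNCTIONS = ("systems_development", "computer_operations", "maintenance",
             "data_library", "dba")

# Pairs the slide says must be segregated. The DBA is kept apart from every
# other function, so those pairs are generated rather than listed.
INCOMPATIBLE = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"maintenance", "systems_development"}),
    frozenset({"data_library", "computer_operations"}),
} | {frozenset({"dba", f}) for f in FUNCTIONS if f != "dba"}

# Constructed staff-to-function assignments (hypothetical users).
ASSIGNMENTS = {
    "alice": {"systems_development"},
    "bob": {"computer_operations", "data_library"},
    "carol": {"dba", "maintenance"},
    "dave": {"maintenance"},
}


def sod_conflicts(assignments, incompatible=INCOMPATIBLE):
    """Return {user: [(function_a, function_b), ...]} for every user who holds
    two functions the policy says must be segregated."""
    findings = {}
    for user, functions in assignments.items():
        pairs = [pair for pair in combinations(sorted(functions), 2)
                 if frozenset(pair) in incompatible]
        if pairs:
            findings[user] = pairs
    return findings


def transaction_sod(owners):
    """Transaction-level check from the segregation-of-duties slide.

    owners maps each duty ('authorization', 'processing', 'custody',
    'recording') to the person performing it; the violated objectives are
    returned as a list of strings (empty when the duties are segregated)."""
    violations = []
    if owners["authorization"] == owners["processing"]:
        violations.append("authorization and processing by the same person")
    if owners["custody"] == owners["recording"]:
        violations.append("custody and recording by the same person")
    return violations


if __name__ == "__main__":
    print(sod_conflicts(ASSIGNMENTS))
    print(transaction_sod({"authorization": "manager", "processing": "clerk",
                           "custody": "cashier", "recording": "cashier"}))
```

Encoding the incompatible pairs as unordered sets means the check does not depend on the order in which roles were granted, and adding a new rule is a one-line change to INCOMPATIBLE rather than a change to the checking logic.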
  • 16. Distributed IT Structure
    - Despite its many advantages, important IC implications are present:
      - incompatible software among the various work centers
      - data redundancy may result
      - consolidation of incompatible tasks
      - difficulty hiring qualified professionals
      - lack of standards
  • 17. Organizational Structure IC
    - A corporate IT function alleviates potential problems associated with distributed IT organizations by providing:
      - central testing of commercial hardware and software
      - a user services staff
      - a standard-setting body
      - review of the technical credentials of prospective systems professionals
  • 18. Audit Procedures
    - Review the corporate policy on computer security
    - Verify that the security policy is communicated to employees
    - Review documentation to determine if individuals or groups are performing incompatible functions
    - Review systems documentation and maintenance records
    - Verify that maintenance programmers are not also design programmers
  • 19. Audit Procedures
    - Observe whether segregation policies are followed in practice
      - e.g., check operations room access logs to determine if programmers enter for reasons other than system failures
    - Review user rights and privileges
      - verify that programmers have access privileges consistent with their job descriptions
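Slide 19 gives two concrete tests of whether segregation holds in practice: compare operations-room access logs against system-failure incidents, and compare each programmer's granted privileges against the job description. The following is an added example, not code from the slides or from the textbook, implementing both comparisons; the badge-reader log, the failure windows, the privilege baseline and the granted privileges are all constructed sample data, and the assumption is that the organization records failure incidents with start and end times.

```python
from datetime import datetime

# Constructed badge-reader log for the operations room:
# (timestamp, user, job title).
ACCESS_LOG = [
    ("2024-03-01 09:12", "alice", "programmer"),
    ("2024-03-01 09:30", "bob", "operator"),
    ("2024-03-02 22:05", "alice", "programmer"),
    ("2024-03-03 14:40", "dave", "programmer"),
]

# Constructed system-failure incidents (start, end). Programmer entry during
# one of these windows is the expected reason for being in the room.
FAILURE_WINDOWS = [
    ("2024-03-02 21:30", "2024-03-02 23:15"),
]

# Constructed job-description baseline: privileges each title should hold.
BASELINE = {
    "programmer": {"dev_source_read", "dev_source_write", "test_env_deploy"},
    "operator": {"prod_console", "job_scheduler", "backup_run"},
}

# Constructed extract from the access-control system: user -> (title, privileges).
GRANTED = {
    "alice": ("programmer", {"dev_source_read", "dev_source_write", "prod_console"}),
    "bob": ("operator", {"prod_console", "job_scheduler"}),
}


def _ts(text):
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used by the constructed log."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def unexplained_programmer_entries(log, windows, restricted_titles=("programmer",)):
    """Return [(timestamp, user)] for entries by restricted job titles that do
    not fall inside any recorded failure window; these are the entries the
    auditor follows up on."""
    spans = [(_ts(start), _ts(end)) for start, end in windows]
    flagged = []
    for when, user, title in log:
        if title not in restricted_titles:
            continue
        moment = _ts(when)
        if not any(start <= moment <= end for start, end in spans):
            flagged.append((when, user))
    return flagged


def excess_privileges(granted, baseline):
    """Return {user: sorted privileges} for privileges a user holds beyond the
    baseline for the user's job title."""
    findings = {}
    for user, (title, privileges) in granted.items():
        extra = privileges - baseline.get(title, set())
        if extra:
            findings[user] = sorted(extra)
    return findings


if __name__ == "__main__":
    print(unexplained_programmer_entries(ACCESS_LOG, FAILURE_WINDOWS))
    print(excess_privileges(GRANTED, BASELINE))
```

With the constructed data, alice's entry during the 2 March outage is treated as explained, while her 1 March visit and dave's 3 March visit are flagged for follow-up; the privilege comparison flags alice's production console right, which the programmer baseline does not justify.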
  • 20. Computer Center IC
    - Audit objectives:
      - physical security IC protects the computer center from physical exposures
      - insurance coverage compensates the organization for damage to the computer center
      - operator documentation addresses routine operations as well as system failures
  • 21. Computer Center IC
    - Considerations:
      - man-made threats and natural hazards
      - underground utility and communications lines
      - air conditioning and air filtration systems
      - access limited to operators and computer center workers; others required to sign in and out
      - fire suppression systems installed
      - fault tolerance:
        - redundant disks and other system components
        - backup power supplies
  • 22. Audit Procedures
    - Review insurance coverage on hardware, software, and the physical facility
    - Review operator documentation (run manuals) for completeness and accuracy
    - Verify that operational details of a system’s internal logic are not in the operator’s documentation
  • 23. Disaster Recovery Planning
    - Disaster recovery plans (DRP) identify:
      - actions before, during, and after the disaster
      - the disaster recovery team
      - priorities for restoring critical applications
    - Audit objective: verify that the DRP is adequate and feasible for dealing with disasters
  • 24. Disaster Recovery Planning
    - Major IC concerns:
      - second-site backups
      - critical applications and databases
        - including supplies and documentation
      - back-up and off-site storage procedures
      - the disaster recovery team
      - testing the DRP regularly
  • 25. Second-Site Backups
    - Empty shell: two or more user organizations buy or lease a building and remodel it into a computer site, but without computer equipment
    - Recovery operations center: a completely equipped site; very costly and typically shared among many companies
    - Internally provided backup: companies with multiple data processing centers may create internal excess capacity
  • 26. DRP Audit Procedures
    - Evaluate the adequacy of second-site backup arrangements
    - Review the list of critical applications for completeness and currency
    - Verify that procedures are in place for storing off-site copies of applications and data
    - Check the currency of back-ups and copies
  • 27. DRP Audit Procedures
    - Verify that documentation, supplies, etc., are stored off-site
    - Verify that the disaster recovery team knows its responsibilities
    - Check the frequency of testing the DRP
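Slides 26 and 27 ask the auditor to check that every critical application has a current off-site copy and that the DRP is tested often enough. The following is an added example, not code from the slides or from the textbook, that performs both checks over a backup catalog; the critical-application list with its maximum copy age per application, the catalog entries, the DRP test history and the fixed "as of" date are constructed, and the 180-day test interval is an assumed policy value.

```python
from datetime import date

# Fixed "as of" date so the example is reproducible (constructed).
TODAY = date(2024, 3, 15)

# Constructed list of critical applications: maximum age in days that the
# newest off-site copy may reach before the auditor treats it as stale.
CRITICAL_APPS = {
    "general_ledger": 1,
    "accounts_payable": 1,
    "payroll": 7,
    "fixed_assets": 30,
}

# Constructed backup catalog: (application, copy date, storage location).
OFFSITE_CATALOG = [
    ("general_ledger", date(2024, 3, 14), "offsite"),
    ("accounts_payable", date(2024, 3, 10), "offsite"),
    ("payroll", date(2024, 3, 12), "offsite"),
    ("fixed_assets", date(2024, 3, 1), "onsite"),   # copy exists but never shipped
]

# Constructed DRP test history (dates the plan was exercised).
DRP_TESTS = [date(2023, 2, 20), date(2023, 9, 5)]


def stale_backups(apps, catalog, today=TODAY):
    """Return {application: age_in_days} for critical applications whose newest
    off-site copy is older than allowed, or {application: None} when no
    off-site copy exists at all. On-site copies do not count."""
    newest = {}
    for app, copied, location in catalog:
        if location != "offsite":
            continue
        if app not in newest or copied > newest[app]:
            newest[app] = copied

    findings = {}
    for app, max_age in apps.items():
        if app not in newest:
            findings[app] = None
            continue
        age = (today - newest[app]).days
        if age > max_age:
            findings[app] = age
    return findings


def drp_test_overdue(tests, max_interval_days=180, today=TODAY):
    """Return the days since the last DRP test if that exceeds the allowed
    interval, 0 if testing is current, and None if the plan was never tested."""
    if not tests:
        return None
    since_last = (today - max(tests)).days
    return since_last if since_last > max_interval_days else 0


if __name__ == "__main__":
    print(stale_backups(CRITICAL_APPS, OFFSITE_CATALOG))
    print(drp_test_overdue(DRP_TESTS))
```

The on-site copy of fixed_assets is deliberately ignored: a copy that would be lost in the same event as the primary does not satisfy the off-site storage procedure the slide describes, so the application is reported as having no usable backup.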
  • 29. Attestation versus Assurance
    - Attestation: a practitioner is engaged to issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.
    - Assurance: professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers; includes, but is not limited to, attestation.
  • 31. What is an External Financial Audit?
    - An independent attestation by a professional (CPA) regarding the faithful representation of the financial statements
    - Three phases of a financial audit:
      - familiarization with the client firm
      - evaluation and testing of internal controls
      - assessment of the reliability of financial data
  • 32. Generally Accepted Auditing Standards (GAAS)
  • 34. External versus Internal Auditing
    - External auditors: represent the interests of third-party stakeholders
    - Internal auditors: serve an independent appraisal function within the organization
      - often perform tasks that help achieve audit efficiency and reduce external audit fees
  • 35. What is an IT Audit?
    - Since most information systems employ IT, the IT audit is a critical component of all external and internal audits.
    - IT audits:
      - focus on the computer-based aspects of an organization’s information system
      - assess the proper implementation, operation, and control of computer resources
  • 36. Elements of an IT Audit
    - Systematic procedures are used
    - Evidence is obtained:
      - tests of internal controls
      - substantive tests
    - Determination of materiality for weaknesses found
    - Preparation of the audit report and audit opinion
  • 37. Phases of an IT Audit
  • 38. Audit Risk is... the probability that the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated.
  • 39. Three Components of Audit Risk
    - Inherent risk: associated with the unique characteristics of the business or industry of the client
    - Control risk: the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts
    - Detection risk: the risk that errors not detected or prevented by the control structure will also not be detected by the auditor