Information systems audit n control introduction.ppt
1. Information Systems Audit and
Control: INFO438
Felex Madzikanda
Department of Information and
Marketing Science
Midlands State University
madzikandaf@msu.ac.zw
0774810683
3. Overview of EDP Auditing
• EDP Auditing: Is the process of collecting and
evaluating evidence to determine whether a
computer system safeguards assets, maintains
data integrity, achieves organizational goals
effectively, and consumes resources efficiently.
4. Need for control and audit of
computers
• Organizational costs of data loss
• Incorrect decision making
• Computer abuse
• Value of computer hardware, software and
personnel
• High costs of computer error
• Privacy
• Controlled evolution of computer use
5. Effects of EDP on Internal Controls
• Separation of duties
• Delegation of authority and responsibility
• Competent and trustworthy personnel
• System authorizations
• Adequate documents and records
• Physical control of assets and records
• Adequate management supervision
• Independent checks on performance
• Comparing recorded accountability with assets
6. Effects of EDP on Auditing
Changes to evidence collection
• Auditors confront a complex range of internal
control technology
• Auditors need EDP systems to collect evidence
Changes to evidence evaluation
• Due to complexity, it is difficult to evaluate
the consequences of a control strength and
weakness
• Auditors are under considerable pressure because erroneous
programs will always execute incorrectly, errors
are generated at high speed, and the costs to
correct and rerun programs can be high
7. Effects of EDP on Auditing
• Computer program errors can involve
extensive redesign and reprogramming –
auditors must ensure controls are sufficient
8. Foundations of EDP Auditing
• Traditional auditing – (internal control
techniques, control totals, philosophy)
• Information systems mgt – (techniques of project
mgt, documentation and standards, structured
programming)
• Computer science – (reliability theory and control
theory have been the basis for designing secure
systems)
• Behavioral science
9. Foundations of EDP Auditing
[Diagram: EDP auditing at the centre, drawing on information systems management, computer science, traditional auditing and behavioural science]
10. Conducting an EDP Audit
Dealing with complexity
(1) Given the purpose of the EDP audit, factor
the system to be evaluated into
subsystems (management subsystems and
application subsystems)
(2) Identify the components that perform the
basic activities in each subsystem (hardware,
software, people, transmission media)
11. Conducting an EDP Audit
(3) Evaluate the reliability with which each
component executes its activities (achieved by
several controls; below are some of the major
classes of controls)
• authenticity
• accuracy – validation checks, overflow checks,
financial controls
• completeness – validation, record sequence #s
12. Conducting an EDP Audit
• Redundancy – to ensure a data item is
processed only once
• Privacy – encryption, passwords, inference
• Audit Trails – two types i.e. accounting and
operations audit trail.
• Existence – attempt to ensure the ongoing
availability of all system resources
13. Conducting an EDP Audit
• Asset safeguarding – ensure that resources
within a system are protected from
destruction or corruption
• Effectiveness – to ensure that systems achieve
their goals e.g. Post audits
• Efficiency controls – to ensure a system uses
minimum resources to achieve its goals e.g.
logs of resource consumption, performance
monitoring using h/w and s/w monitors
14. Conducting an EDP Audit
(4) Determine the reliability of each subsystem
and the implications of each subsystem's level
of reliability for the overall level of reliability in
the system.
15. Conducting an EDP Audit
Overview of steps in an EDP Audit
(1) Preliminary review phase
• the objective of the preliminary review is to
obtain the information necessary for the
auditor to make a decision on how to proceed
with the audit.
• Review of management and application
controls
16. Conducting an EDP Audit
• Primary means of evidence collection are
interviews, observations and reviews of
documentation.
• In conclusion the auditor will decide to:
a) Withdraw from the audit
17. Conducting an EDP Audit
b) Perform a detailed review of the internal
control system with the expectation that
reliance can be placed upon the internal
control system and the scope and extent of
substantive testing can be reduced as a
consequence.
c) Decide not to rely on the internal control s
.
18. Conducting an EDP Audit
(2) Detailed Review Phase
• Objective is to obtain the information
necessary for the auditor to have an in-depth
understanding of the controls used in the
computer installation
• Detailed review of management and
application controls
• Means of evidence are interviews,
observations and reviews of documentation.
19. Conducting an EDP Audit
• In conclusion the auditor must evaluate
whether the controls established reduce the
expected losses to an acceptable level.
(3) Compliance Testing Phase
• Objective is to determine whether or not
the system of internal controls operates as it
is purported to operate.
• Use of computer-assisted evidence collection
techniques to determine the existence and
reliability of controls.
20. Conducting an EDP Audit
• In conclusion, the auditor evaluates the
internal control system in light of the evidence
collected on the reliability of individual
controls.
(4) Review and Testing of User (compensating)
Controls
• Users may carefully reconcile their own
control totals with those produced as output
from application systems programs.
21. Conducting an EDP Audit
• From an external audit viewpoint, evaluating
compensating controls may be a more
cost-effective way of completing the audit.
• Compensating controls may represent a
duplication of controls
(5) Substantive Testing Phase
• Objective is to obtain sufficient evidence so the
auditor can make a final judgment on whether
or not material losses have occurred or could
occur during computer data processing.
22. Conducting an EDP Audit
• The five types of substantive tests are to
identify erroneous processing, assess the
quality of data, identify inconsistent data,
tests to compare data with physical counts,
confirmation of data with outside sources.
• Many of these tests require computer
support.
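A computer-assisted test of the kind these phases call for, combining the completeness control (record sequence numbers), the redundancy control (each item processed only once) and the user's reconciliation of control totals. This is an added example, not part of the original slides; the batch data, the `check_batch` function and the field names are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data (not from the slides): (record sequence number, amount)
# as processed by a hypothetical application system.
PROCESSED = [
    (1001, "250.00"), (1002, "75.50"), (1003, "120.00"),
    (1003, "120.00"),  # same record processed twice
    (1005, "40.25"),   # 1004 never reached processing
    (1006, "310.00"),
]
# Control totals the user department kept for the batch it submitted (constructed).
USER_CONTROL = {"count": 6, "amount": Decimal("855.75")}


def check_batch(processed, user_control):
    """Check sequence completeness, duplicate processing and control totals."""
    seen, duplicates = set(), []
    for seq, _ in processed:
        if seq in seen and seq not in duplicates:
            duplicates.append(seq)
        seen.add(seq)
    # Completeness: every number between the first and last must be present.
    missing = []
    if seen:
        missing = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
    # Decimal avoids float rounding when comparing financial totals.
    system_amount = sum((Decimal(a) for _, a in processed), Decimal("0"))
    return {
        "missing": missing,
        "duplicates": duplicates,
        "count_matches": len(processed) == user_control["count"],
        "amount_difference": system_amount - user_control["amount"],
    }


if __name__ == "__main__":
    for name, value in check_batch(PROCESSED, USER_CONTROL).items():
        print(f"{name}: {value}")
```

In this batch the record count agrees with the user's count even though one record is missing and another was processed twice; only the sequence check and the amount total expose the problem.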
23. Conducting an EDP Audit
Some Major Audit Decisions
(1) Evaluation Judgement
• it is made at the end of every phase.
• Questions are what controls are critical to the
audit and how they should be tested for
compliance, what extent of substantive
testing is needed and finally whether or not
the system has satisfactorily safeguarded
assets, maintained data integrity, achieved
system effectiveness and efficiency.
24. Conducting an EDP Audit
(2) Timing of Audit procedures
• Some auditors argue that little change is
needed to the traditional schedule of interim
work, end of period work, and post-period-
end work.
• Some EDP auditors argue both external and
internal auditors should, at a minimum,
review and evaluate the design of computer
controls at various major check points in the
system development process.
25. Conducting an EDP Audit
• Some auditors emphasize audit participation
in the design phase of EDP systems (with
this approach, audits will be performed at 3
stages in the life cycle of a system)
Analysis → Design → Implementation → Operation → Review
27. Conducting an EDP Audit
(3) Audit use of the computer
• Brings in two approaches: auditing around the
computer and auditing through the computer.
(a) Auditing around the computer
• It is arriving at an audit opinion through
examining the internal control system for a
computer installation and the input and
output only for the application systems.
28. Conducting an EDP Audit
Suitability
• When system is simple
• The system uses generalized software that is
well tested and used widely by many
installations
• The system logic is straightforward
• Controls can be maintained through the
normal methods e.g. separation of duties and
mgt supervision
29. Conducting an EDP Audit
• The task environment is relatively constant
and few stresses are placed on the system
(b) Auditing through the computer
• The auditor can use the computer to test:
I. The logic and controls existing within the
system and
II. The records produced by the system.
30. Conducting an EDP Audit
Suitability
• The application system processes large
volumes of input and produces large volumes
of output
• The logic of the system is complex
• Significant parts of the internal control system
are embedded in the computer system
• Cost-benefit considerations
31. Conducting an EDP Audit
(4) Selecting Application Systems for Audit
• As a general rule the auditor should select for
audit those application systems most critical
to the continued existence of the organization.
(a) User audits as a selection basis
• Control clerks in the user area responsible for
gathering and batching source data, error
correction, and error resubmission often know
the fundamental weaknesses in an application
system.
32. Conducting an EDP Audit
(b) Application system characteristics
• High-risk systems, technologically advanced
systems, high-cost systems
• Auditors should also perform a cyclical review
of systems that seem to function well. This
review examines ways of improving these
systems.
Editor's Notes
Regular monitoring of user satisfaction, periodic cost/benefit analysis, monitoring of frequency of use – system effectiveness
System efficiency – regular interviews with system users.