Chapters 1 To 12 - Revision - Final


Chapters 1-12

IT Auditing, Hall, 4e

© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Controlling and Auditing Data Management Systems

o Controls over data management systems fall into two categories.
o Access controls are designed to prevent unauthorized
individuals from viewing, retrieving, corrupting or destroying data.
o Backup controls ensure that the organization can recover its
database in the event of data loss.

Access Controls

o A user view (subschema) is a subset of the database that defines a
user’s data domain and access.
o Database authorization table contains rules that limit user actions.
o User-defined procedures allow users to create a personal security
program or routine.
o Data encryption procedures protect sensitive data.
o Biometric devices such as fingerprints or retina prints control
access to the database.
o Inference controls should prevent users from inferring, through
query options, specific data values they are unauthorized to access.

Backup Controls in the Database Environment
o Since data sharing is a fundamental objective of the database
approach, the environment is vulnerable to damage from individual
users.
o Four needed backup and recovery features:
o Backup feature makes a periodic backup of entire database which is
stored in a secure, remote location.
o Transaction log provides an audit trail of all processed transactions.
o Checkpoint facility suspends all processing while system reconciles
transaction log and database change log against the database.
o Recovery module uses logs and backup files to restart the system
after a failure.
Audit Procedures for Testing Database Access Controls

o Verify DBA personnel retain responsibility for authority tables and
designing user views.
o Select a sample of users and verify access privileges are
consistent with job description.
o Evaluate cost and benefits of biometric controls.
o Verify database query controls to prevent unauthorized access
via inference.
o Verify sensitive data are properly encrypted.
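The second procedure above (sample users, compare privileges with the job description) as a small reconciliation over an authorization table; this is an added example, not from the textbook, and the role matrix, user sample and segregation-of-duties rule are constructed data.

```python
# Added example (not from the textbook): reconciling a sample of database
# users' granted privileges with the authorization table for their job.
# The role matrix, the user sample and the conflict rule are constructed.

from typing import Dict, List, Set, Tuple

# Database authorization table: privileges each job description allows.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "ap_clerk": {"SELECT vendors", "SELECT invoices", "INSERT invoices"},
    "ap_manager": {"SELECT vendors", "SELECT invoices", "UPDATE payments"},
    "dba": {"GRANT", "ALTER schema", "SELECT audit_log"},
}

# Privilege pairs no single user should hold together (segregation of duties).
SOD_CONFLICTS: List[Tuple[str, str]] = [("INSERT vendors", "UPDATE payments")]

# Sampled users as exported from the DBMS: (user, job, granted privileges).
USER_SAMPLE: List[Tuple[str, str, Set[str]]] = [
    ("alice", "ap_clerk", {"SELECT vendors", "SELECT invoices", "INSERT invoices"}),
    ("bob", "ap_manager", {"SELECT vendors", "SELECT invoices",
                           "UPDATE payments", "INSERT vendors"}),
    ("carol", "ap_clerk", {"SELECT vendors", "GRANT"}),
    ("dave", "auditor", {"SELECT audit_log"}),
]


def reconcile_user(job: str, granted: Set[str]) -> Dict[str, List[str]]:
    """Compare one user's grants with what the job's authorization row allows.

    Returns privileges granted beyond the job ("excess"), any SoD pair held
    together ("sod"), and a note when the job has no row in the table.
    """
    findings: Dict[str, List[str]] = {"excess": [], "sod": [], "notes": []}
    if job not in ROLE_PRIVILEGES:
        findings["notes"].append(f"job '{job}' not in authorization table")
    allowed = ROLE_PRIVILEGES.get(job, set())
    findings["excess"] = sorted(granted - allowed)
    findings["sod"] = [f"{a} + {b}" for a, b in SOD_CONFLICTS
                       if a in granted and b in granted]
    return findings


def exceptions(sample) -> Dict[str, Dict[str, List[str]]]:
    """Return only the sampled users whose grants need follow-up."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for user, job, granted in sample:
        f = reconcile_user(job, granted)
        if any(f.values()):
            report[user] = f
    return report


if __name__ == "__main__":
    for user, f in exceptions(USER_SAMPLE).items():
        print(user, f)
```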

Systems Development Life Cycle (SDLC)

Controlling and Auditing the SDLC

o Systems authorization, user specification and technical design
activities.
o Internal audit participation:
o System planning and analysis.
o Conceptual system design impacts auditability.
o Economic feasibility needs to be measured accurately.
o Systems implementation.
o Provide technical expertise with regard to accounting rules.
o Specify documentation standards.
o Verify control adequacy and compliance with SOX.

Controlling and Auditing the SDLC

o Before implementation, individual modules must be tested as a
whole.
o Formal testing and user acceptance are considered by many auditors to
be the most important control over the SDLC.
o Audit objectives are to verify:
o SDLC activities are applied consistently and in accordance with
management’s policies.
o Original system free from material errors and fraud.
o System was judged necessary and justified.
o Documentation is adequate and complete.

Controlling and Auditing the SDLC

o Audit procedures should determine:
o Proper end user and IT management authorization.
o Preliminary feasibility study showed project had merit.
o Detailed analysis of user needs was conducted.
o Accurate cost-benefit analysis was conducted.
o System testing occurred before implementation.
o Specific problems noted on the checklist during conversion were
corrected during maintenance.
o System documentation complies with standards.

Controlling and Auditing System Maintenance

o Upon implementation, the system enters the maintenance phase of the
SDLC.
o Access to systems for maintenance increases the possibility of
system errors.
o To minimize exposure all maintenance should require: formal
authorization, technical specifications of change, retesting the
system and updating the documentation.
o Source program library controls:
o Program source code is stored on magnetic disks in the source
program library (SPL), which must be properly controlled to
preserve application integrity.
Controlling and Auditing the SDLC

o Worst-case situation: no controls:
o Program access is completely unrestricted, making programs subject to
unauthorized change.
o Controlled SPL Environment:
o Password control and separate test libraries.
o Audit trail and management reports that detail program
modifications and program version numbers.
o Controlled access to maintenance [SPL] commands.

Controlling and Auditing the SDLC – Audit Objectives

o Detect unauthorized program maintenance.
o Determine that maintenance procedures protect applications from
unauthorized changes.
o Verify applications are free from material errors.
o Verify SPLs are protected from unauthorized access.

Controlling and Auditing the SDLC – Audit Procedures
o Identify unauthorized changes:
o Reconcile program version numbers.
o Confirm maintenance authorization.
o Identify application errors:
o Reconcile source code.
o Review test results.
o Retest the program.
o Test access to libraries:
o Review programmer authority tables.
o Test authority table.
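The "reconcile program version numbers", "confirm maintenance authorization" and "reconcile source code" steps above, run together over a constructed SPL catalogue, production load list and authorization log; this is an added example, not from the textbook, and the program names, versions and member text are made up.

```python
# Added example (not from the textbook): the version-number, authorization
# and source-code reconciliation steps as one check over constructed SPL,
# production and maintenance-authorization records.

import hashlib
from typing import List, NamedTuple, Set, Tuple


class Program(NamedTuple):
    name: str
    version: int
    source: str  # member text; a real check would hash the library member


def fingerprint(source: str) -> str:
    """SHA-256 of the program text, used to compare copies at the same version."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


# Authorized copies held in the source program library (constructed).
SPL: List[Program] = [
    Program("PAYROLL", 3, "compute gross and net pay, v3"),
    Program("GL_POST", 5, "post journal entries to GL, v5"),
    Program("AR_AGE", 2, "age receivables, v2"),
]

# What is actually loaded in production (constructed).
PRODUCTION: List[Program] = [
    Program("PAYROLL", 3, "compute gross and net pay, v3"),
    Program("GL_POST", 5, "post journal entries to GL, v5 -- hotfix"),
    Program("AR_AGE", 3, "age receivables, v3"),
]

# Maintenance requests approved by management: (program, resulting version).
AUTHORIZED: Set[Tuple[str, int]] = {("PAYROLL", 3), ("GL_POST", 5), ("AR_AGE", 2)}


def reconcile(spl: List[Program], prod: List[Program],
              authorized: Set[Tuple[str, int]]) -> List[str]:
    """Flag production programs whose version or source disagrees with the SPL
    copy, and versions that no maintenance authorization accounts for."""
    findings: List[str] = []
    spl_by_name = {p.name: p for p in spl}
    for p in prod:
        s = spl_by_name.get(p.name)
        if s is None:
            findings.append(f"{p.name}: running in production but absent from SPL")
        elif p.version != s.version:
            findings.append(f"{p.name}: production v{p.version} vs SPL v{s.version}")
        elif fingerprint(p.source) != fingerprint(s.source):
            # Same version number but different text: change made outside the SPL.
            findings.append(f"{p.name}: v{p.version} source differs from SPL copy")
        if (p.name, p.version) not in authorized:
            findings.append(f"{p.name}: v{p.version} has no maintenance authorization")
    return findings


if __name__ == "__main__":
    for line in reconcile(SPL, PRODUCTION, AUTHORIZED):
        print(line)
```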

Information Systems Acquisition

o A well-designed system can increase productivity, reduce
inventories, eliminate non-value-added activities, enhance
customer service, improve management decisions, and
coordinate organizational activities.
o Two methods of acquiring information systems:
o In-house development
o Purchase commercial systems from software vendor.

Trends in Commercial Software

o Four factors have contributed to the growth of the commercial
software market:
o Relatively low cost for general purpose software.
o Industry-specific vendors.
o Growing demand from businesses too small to afford in-house
development.
o Downsizing units and the move to distributed data processing have
increased appeal to larger organizations.
o Turnkey systems are finished, tested and ready for
implementation.

Commercial Systems

o Advantages:
o Can be implemented almost immediately once a need is recognized.
o Cost is a fraction of the cost of in-house development.
o Reliability, since the software is pretested and less likely to have errors
than in-house systems.
o Disadvantages:
o Firm is dependent on vendor for maintenance.
o When user needs are unique and complex, software may be too
general or inflexible.
o May be difficult or impossible to modify if user needs change.
o Company may satisfy some needs with commercial software and
develop other systems in-house.
Types of Turnkey Systems

o General accounting systems designed to serve a wide variety
of user needs.
o Designed in modules that include AP, AR, payroll, inventory, GL,
financial reporting and fixed asset.
o Special-purpose systems target specific segments.
o Office automation systems improve productivity.
o Word processing, spreadsheet, desktop publishing.
o Backbone systems provide a structure to build on, with primary
processing modes programmed.
o Vendor-supported systems are custom systems developed and
maintained for the client.
Audit Risk

o Audit risk is the probability that the auditor will render an unqualified (clean)
opinion on financial statements that are, in fact, materially misstated.
o Inherent risk (IR) is associated with unique characteristics of
client’s business or industry.
o Control risk (CR) is the likelihood the control structure is flawed
because controls are either absent or inadequate to prevent or
detect errors.
o Detection risk (DR) is the risk auditors are willing to take that
errors not detected or prevented by the control structure will not
be detected by the auditor.

Audit Risk

o Audit risk components in a model used to determine the scope,
nature and timing of substantive tests:
o Audit risk model: AR = IR x CR x DR
o If acceptable audit risk is 5%, the planned detection risk will depend
upon the control structure.
o The stronger the internal control structure, the lower the control risk
and the less substantive testing the auditor must do.
o Substantive tests are labor intensive and time consuming, which drives
up audit costs and causes disruption.
o Management’s best interests are served by a strong internal control
structure.
Example Problem

 Assume that Acceptable Audit Risk (AR) is assessed at a
value of 5%. Assume Inherent Risk (IR) is assessed at
40% and Control Risk (CR) is assessed at 40%. What would be
the level of planned Detection Risk (DR)?
 In the above case, assume that the CR is assessed at 90%,
recalculate the DR.

Example Problem

 AR = IR x CR x DR
 0.05 = 0.4*0.4*DR -> DR = 0.3125
 If CR = 90% then DR = 0.1388
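The audit risk model solved for planned detection risk, with the two cases of the example problem; this is an added example, not from the textbook, and the thresholds that turn a planned DR into an extent of substantive testing are an assumption for illustration.

```python
# Added example (not from the textbook): solving the audit risk model
# AR = IR x CR x DR for planned detection risk, using the slide's two cases.


def planned_detection_risk(ar: float, ir: float, cr: float) -> float:
    """Return the planned DR that satisfies AR = IR * CR * DR.

    Inputs are probabilities in (0, 1]. If IR * CR is already at or below
    the acceptable audit risk, the model gives DR above 1, which has no
    meaning as a probability, so the result is capped at 1.0.
    """
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    return min(1.0, ar / (ir * cr))


def substantive_testing_extent(dr: float) -> str:
    """Translate planned DR into how much substantive testing to plan.

    The thresholds are an assumption for illustration, not from the text:
    the less detection risk the auditor can accept, the more substantive
    work is needed to bring overall risk down to AR.
    """
    if dr < 0.15:
        return "extensive"
    if dr < 0.35:
        return "moderate"
    return "limited"


def plan(ar: float, ir: float, cr: float) -> tuple:
    """Planned DR (rounded to 4 places) and the matching testing extent."""
    dr = planned_detection_risk(ar, ir, cr)
    return round(dr, 4), substantive_testing_extent(dr)


if __name__ == "__main__":
    # Case 1 from the slide: AR = 5%, IR = 40%, CR = 40%.
    print("CR = 40%:", plan(0.05, 0.40, 0.40))
    # Case 2 from the slide: control risk reassessed at 90%.
    print("CR = 90%:", plan(0.05, 0.40, 0.90))
```

Weaker controls (higher CR) push the planned DR down, which is the model's way of saying the auditor must do more substantive work.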

Relation between IR, CR and DR

 Control risk, which is the risk that the client's controls will not prevent or detect a material
misstatement;
 Detection risk, which is the risk that the auditor will not detect a material misstatement.

Give an example of a risk associated with each of the following. Design an internal
control, and a test of control, for each risk.

 System development and security
 Loss, theft, unauthorized access to program ...
 Limit logical access to system using authentication and authorization controls ...
 Check whether unauthorized people can access
 Computer center
 Theft of hardware ...
 Limit physical access to computer equipment
 Check whether unauthorized people can access
 IT outsourcing
 Fraud and privacy…
 Check whether unauthorized people can access
IT Auditing Phases

 Describe the main phases of IT audit.
 First step is audit planning which includes the analysis of
audit risk.
 Techniques for gathering evidence include questionnaires,
management interviews, reviewing system documentation and
observing activities.
 Objective of the tests of controls phase is to determine if
adequate controls are in place and functioning.
 Third phase focuses on financial data and a detailed
investigation of specific account balances and transactions
through substantive tests.
IT Auditing Phases

The IT Audit

The IT Audit

o First step is audit planning which includes the analysis of audit risk.
o Techniques for gathering evidence include questionnaires, management
interviews, reviewing system documentation and observing activities.
o Objective of tests of controls is to determine if adequate controls
are in place and functioning.
o Third phase focuses on financial data and a detailed investigation of
specific account balances and transactions through substantive
tests.
o Files may be extracted using Computer-Assisted-Audit Tools and
Techniques (CAATTs) software.

Internal control system comprises policies, practices, and
procedures to achieve different broad objectives:

 Safeguard assets of the firm.
 Ensure accuracy and reliability of accounting records and
information.
 Promote efficiency in the firm’s operations.
 Measure compliance with management’s prescribed policies and
procedures.

Network communication poses some special types of risk
for a business. Analyze two broad areas of concern.

 Two general types of risk exist when networks communicate with each other–risks
from subversive threats and risks from equipment failure.
 Subversive threats include interception of information transmitted between sender
and receiver, computer hackers gaining unauthorized access to the organization’s
network, and denial-of-service attacks from remote locations on the Internet.
 Methods for controlling these risks include firewalls, encryption, digital
signatures, digital certificates, message transaction logs, and call-back devices.
 Equipment failure can be the result of line errors. The problems can be minimized
with the help of echo checks, parity checks, and good backup control.
Risk-based audit approach steps

 Determine the threats (fraud and errors) facing the company
 Identify control procedures (prevent, detect, correct the threats)
 Evaluate control procedures
 Review to see if control exists and is in place
 Test controls to see if they work as intended
 Determine effect of control weaknesses
 Compensating controls
