Chapter 12-1
Chapter 12:
Information Technology Auditing
Introduction
The Audit Function
The Information Technology Auditor’s Toolkit
Auditing Computerized Accounting Information Systems
Information Technology Auditing Today
Introduction
Audits of AISs
Ensure controls are functioning properly
Confirm additional controls not necessary
Nature of Auditing
Internal and external auditing
IT Audit and financial audit
Tools of an IT auditor
The Audit Function
Internal versus External Auditing
Information Technology Auditing
Evaluating the Effectiveness of Information Systems Controls
Internal Auditing
Responsibility of Performance
Company’s own employees
Outside the department being audited
Evaluation of:
Employee compliance with policies and procedures
Effectiveness of operations
Compliance with external laws and regulations
Reliability of financial reports
Internal controls
External Auditing
Responsibility of Performance
Those outside the organization
Accountants working for an independent CPA firm
Audit Purpose
Performance of the attest function
Evaluate the accuracy and fairness of the financial statements relative to GAAP
Data and information are reliable, confidential, secure, and available
Safeguarding assets, data integrity, and operational effectiveness
The Components of an IT Audit
The IT Audit Process
Computer-Assisted Audit Techniques (CAAT)
Use of computer processes to perform audit functions
Performing substantive tests
Approaches
Auditing through the computer
Auditing with the computer
The IT Audit Process
Careers in IT Auditing
Background
Accounting skills
Information systems or computer science skills
Certified Information Systems Auditor (CISA)
Successfully complete examination
Experience requirements
Comply with Code of Professional Ethics
Continuing professional education
Comply with standards
CISA Exam Components
Information security governance
Information security program management
Risk management
Information security management
Response management
Evaluating the Effectiveness of Information Systems Controls
Impact on Substantive Testing
Strong controls, less substantive testing
Weak controls, more substantive testing
Risk Assessment
Evaluate the risks associated with control weaknesses
Make recommendations to improve controls
Risk Assessment
Risk-Based Audit Approach
Determine the threats
Identify the control procedures needed
Evaluate the current control procedures
Evaluate the weaknesses within the AIS
Benefits
Understanding of errors and irregularities
Sound basis for recommendations
Information Systems Risk Assessment
Method of evaluating desirability of IT controls
Types of Risks
Errors and accidents
Loss of company secrets
Unauthorized manipulation of company files
Interrupted computer access
Penetration Testing
Study Break #1
An IT auditor:
A. Must be an external auditor
B. Must be an internal auditor
C. Can be either an internal or external auditor
D. Must be a Certified Public Accountant
Study Break #1 - Answer
An IT auditor:
A. Must be an external auditor
B. Must be an internal auditor
C. Can be either an internal or external auditor
D. Must be a Certified Public Accountant
Study Break #2
In determining the scope of an IT audit, the auditor should pay most attention to:
A. Threats and risks
B. The cost of the audit
C. What the IT manager asks to be evaluated
D. Listings of standard control procedures
Study Break #2 - Answer
In determining the scope of an IT audit, the auditor should pay most attention to:
A. Threats and risks
B. The cost of the audit
C. What the IT manager asks to be evaluated
D. Listings of standard control procedures
The IT Auditor’s Toolkit
Utilization of CAATs
Auditing with the computer
Data stored on computers cannot be examined manually
Tools
Auditing Software
People Skills
Database management systems (DBMS)
Structured Query Language (SQL)
Generalized Audit Software
Overview
Allow files to be reviewed without rewriting the processing programs
Basic data manipulation
Tailored to auditor tasks
Common Programs
Audit Command Language (ACL)
Interactive Data Extraction and Analysis (IDEA)
Generalized Audit Software - Inventory
Automated Workpapers
Overview
Automate and standardize audit tests
Can prepare financial statements and other financial measures
Features
Generate trial balances
Make adjusting entries
Perform consolidations
Conduct analytical procedures
Document audit procedures and conclusions
Gain understanding of organization
Evaluate internal controls
Auditing Computerized AISs
Auditing Around the Computer
Assumes accurate output verifies proper processing
Not effective in a computerized environment
Auditing Through the Computer
Follows audit trail through the computer
Verifies proper functioning of processing controls in AIS programs
Auditing Computerized AISs
Testing Computer Programs
Validating Computer Programs
Review of Systems Software
Validating Users and Access Privileges
Continuous Auditing
Testing Computer Programs
Test Data
Create set of transactions
Covering range of exception situations
Compare results and investigate further
Integrated Test Facility
Establish a fictitious entity
Enter transactions for that entity
Observe how they are processed
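The test-data technique on this slide, as an added example that is not the textbook's code: a constructed transaction deck covering the exception situations is run through a hypothetical sales-entry edit routine, and every result that differs from what the auditor expected is listed for investigation. The edit routine, the customer codes, the posting period and the credit limit are all assumptions.

```python
# Added example (not textbook code): the test-data technique. A constructed
# deck of transactions, including exception cases, is run through a
# hypothetical sales-entry edit routine and compared with expected results.
from datetime import date
VALID_CUSTOMERS = {"C001", "C002"}                # constructed customer master
PERIOD = (date(2024, 1, 1), date(2024, 1, 31))    # assumed open posting period
CREDIT_LIMIT = 5000.00                            # assumed per-transaction limit
def edit_transaction(txn: dict) -> list:
    """Return the edit-check failures for one transaction ([] means accepted)."""
    errors = []
    if txn.get("customer") not in VALID_CUSTOMERS:
        errors.append("INVALID_CUSTOMER")
    try:
        amount = float(txn.get("amount", ""))
    except ValueError:
        errors.append("NON_NUMERIC_AMOUNT")
    else:
        if amount <= 0:
            errors.append("NON_POSITIVE_AMOUNT")
        elif amount > CREDIT_LIMIT:
            errors.append("OVER_CREDIT_LIMIT")
    try:
        if not PERIOD[0] <= date.fromisoformat(txn.get("date", "")) <= PERIOD[1]:
            errors.append("DATE_OUT_OF_PERIOD")
    except ValueError:
        errors.append("BAD_DATE")
    return errors

# Constructed test deck: (transaction, result the auditor expects).
TEST_DECK = [
    ({"id": 1, "customer": "C001", "amount": "120.50", "date": "2024-01-15"}, []),
    ({"id": 2, "customer": "C999", "amount": "10.00", "date": "2024-01-15"}, ["INVALID_CUSTOMER"]),
    ({"id": 3, "customer": "C002", "amount": "-5.00", "date": "2024-01-15"}, ["NON_POSITIVE_AMOUNT"]),
    ({"id": 4, "customer": "C002", "amount": "abc", "date": "2024-01-15"}, ["NON_NUMERIC_AMOUNT"]),
    ({"id": 5, "customer": "C001", "amount": "9000", "date": "2024-02-03"},
     ["OVER_CREDIT_LIMIT", "DATE_OUT_OF_PERIOD"]),
    ({"id": 6, "customer": "C001", "amount": "50.00", "date": "2024-13-01"}, ["BAD_DATE"]),
    # The auditor expects scientific notation to be rejected as non-numeric.
    ({"id": 7, "customer": "C001", "amount": "1e3", "date": "2024-01-15"}, ["NON_NUMERIC_AMOUNT"]),
]

def run_test_deck(deck=TEST_DECK) -> list:
    """Run the deck through the edit routine; return every difference for follow-up."""
    findings = []
    for txn, expected in deck:
        actual = edit_transaction(txn)
        if actual != expected:        # every difference is investigated
            findings.append({"id": txn["id"], "expected": expected, "actual": actual})
    return findings
```

The one finding, transaction 7, shows why the deck must include exception situations: the edit routine silently accepts an amount written in scientific notation.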
Testing Computer Programs
Parallel Simulation
Utilizes live input data
Simulates all or some of the operations
Compare results
Very time-consuming and cost-prohibitive
Edit Tests and Test Data
Validating Computer Programs
Tests of Program Change Controls
Protect against unauthorized program changes
Documentation of requests for program changes
Utilize special forms for authorization
Program Comparison
Test of Length
Comparison Program
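Program comparison as an added example, not code from the textbook: each program's authorized copy is checked against the copy now in production, by length first (the test of length) and then by SHA-256 hash, so that an edit which keeps the length unchanged is still caught. The program library contents are constructed.

```python
# Added example (not textbook code): program comparison. Each program's
# authorized copy, kept from when its last change was approved, is compared
# with the copy now in production: a test of length first, then a hash so
# that a same-length edit is still caught. Library contents are constructed.
import hashlib

def fingerprint(content: bytes) -> tuple:
    """Length and SHA-256 digest of a program image."""
    return len(content), hashlib.sha256(content).hexdigest()

def compare_programs(authorized: dict, production: dict) -> dict:
    """Return program -> finding for every program that does not match its
    authorized copy; an empty dict means the library is as approved."""
    findings = {}
    for name, approved in authorized.items():
        if name not in production:
            findings[name] = "missing from production"
            continue
        a_len, a_hash = fingerprint(approved)
        p_len, p_hash = fingerprint(production[name])
        if a_len != p_len:
            findings[name] = f"length changed {a_len} -> {p_len}"
        elif a_hash != p_hash:
            findings[name] = "same length but content differs"
    for name in production.keys() - authorized.keys():
        findings[name] = "in production without an authorized copy"
    return findings

# Constructed program library: approved copies versus what is running now.
AUTHORIZED_LIBRARY = {
    "payroll.cbl": b"COMPUTE GROSS = HOURS * RATE.\n",
    "ap_check.cbl": b"IF AMOUNT > LIMIT PERFORM REJECT.\n",
    "gl_post.cbl": b"ADD AMOUNT TO BALANCE.\n",
}
PRODUCTION_LIBRARY = {
    "payroll.cbl": b"COMPUTE GROSS = HOURS * RATE * 1.1.\n",  # length changed
    "ap_check.cbl": b"IF AMOUNT > LIMIT PERFORM REVIEW.\n",   # same length, edited
    "gl_post.cbl": b"ADD AMOUNT TO BALANCE.\n",               # unchanged
    "patch_tmp.cbl": b"MOVE ZERO TO AUDIT-FLAG.\n",          # no approval record
}
```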
Reviewing a Responsibility System
Review of Systems Software
Systems Software Controls
Operating system software
Utility programs
Program library software
Access control software
Inspect Outputs
Logs
Incident reports
Password Parameters
Validating Users and Access Privileges
Purpose
Ensure all system users are valid
Appropriate access privileges
Utilize Software Tools
Examine login times
Exception conditions
Irregularities
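An added example, not the textbook's code, of the software-tool review described on this slide: a constructed system user table is reconciled with an assumed HR authorization list, and constructed login records are scanned for off-hours logins, logins by non-active accounts, and repeated failures. The business-hours window and the failure threshold are assumed policy values.

```python
# Added example (not textbook code): reconcile system accounts against an
# authorized-user list and scan login records for exception conditions.
from collections import Counter
from datetime import datetime
# Constructed authorization list: user -> (HR status, approved privilege)
AUTHORIZED = {"jsmith": ("active", "user"), "mlee": ("active", "admin"),
              "tnguyen": ("terminated", "user")}
# Constructed system user table: user -> privilege actually granted
SYSTEM_USERS = {"jsmith": "admin", "mlee": "admin", "tnguyen": "user", "svc_old": "admin"}
# Constructed security log: timestamp, user, result of the login attempt
LOG = """\
2024-03-04T09:02:11 jsmith SUCCESS
2024-03-04T23:47:05 mlee SUCCESS
2024-03-05T08:15:00 tnguyen SUCCESS
2024-03-05T08:15:30 svc_old FAILURE
2024-03-05T08:15:41 svc_old FAILURE
2024-03-05T08:15:52 svc_old FAILURE
"""
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59, an assumed policy
FAILURE_THRESHOLD = 3           # repeated failures worth investigating
def review_privileges(system=SYSTEM_USERS, authorized=AUTHORIZED) -> list:
    """Flag unauthorized accounts, non-active users, and over-approved privilege."""
    findings = []
    for user, granted in system.items():
        if user not in authorized:
            findings.append(f"{user}: account not on authorized list")
            continue
        status, approved = authorized[user]
        if status != "active":
            findings.append(f"{user}: account enabled but user is {status}")
        if granted == "admin" and approved != "admin":
            findings.append(f"{user}: granted admin, approved {approved}")
    return findings

def review_logins(log=LOG, authorized=AUTHORIZED) -> list:
    """Flag off-hours logins, logins by non-active users, and failure bursts."""
    findings, failures = [], Counter()
    for line in log.splitlines():
        ts, user, result = line.split()
        if result != "SUCCESS":
            failures[user] += 1
            continue
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            findings.append(f"{user}: login at {ts} outside business hours")
        if authorized.get(user, ("unknown",))[0] != "active":
            findings.append(f"{user}: login by non-active account at {ts}")
    findings += [f"{u}: {n} failed login attempts" for u, n in failures.items()
                 if n >= FAILURE_THRESHOLD]
    return findings
```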
Continuous Auditing
Embedded Audit Modules (Audit Hooks)
Capture data for audit purposes
Continuous Auditing
Snapshot Technique
Examines how transactions are processed
Continuous and Intermittent Simulation (CIS)
Embeds audit module in a database management system (DBMS)
Similar to parallel simulation
Continuous Auditing – Spreadsheet Errors
Which of the following is NOT an audit technique for auditing computerized AIS?
Study Break #4
Continuous auditing:
A. Has been talked about for years but will never catch on
B. Will likely become popular if organizations adopt XBRL in their financial reporting
C. Does not include techniques such as embedded audit modules
D. Will never allow IT auditors to provide some types of assurance on a real-time basis
Study Break #4 - Answer
Continuous auditing:
A. Has been talked about for years but will never catch on
B. Will likely become popular if organizations adopt XBRL in their financial reporting
C. Does not include techniques such as embedded audit modules
D. Will never allow IT auditors to provide some types of assurance on a real-time basis
IT Auditing Today
Auditing for Fraud: Statement on Auditing Standards No 99
The Sarbanes-Oxley Act of 2002
Auditing Standard No 5 (AS5)
Third Party and Information Systems Reliability Assurances
IT Governance
Overview
Process of using IT resources effectively
Efficient, responsible, strategic use of IT
Objectives
Using IT strategically to fulfill mission of organization
Ensure effective management of IT
Auditing for Fraud: Statement on Auditing Standards No 99
Overview
Supersedes SAS No 82
Provides more guidance to prevent and deter fraud
Fraud Triangle
Motive for committing fraud
Opportunity that allows fraud to occur
Rationalization by individual
Fraud Triangle
The Sarbanes-Oxley Act of 2002
Overview
Limits services that auditors can provide clients while they are conducting audits
Groups of Compliance Requirements
Audit committee/corporate governance requirements
Certification, disclosure, and internal control
Financial statement reporting rules
Executive reporting and conduct
The Sarbanes-Oxley Act of 2002
Section 302
CEOs and CFOs are required to certify the financial statements
Internal controls and disclosures are adequate
Section 404
CEOs and CFOs assess and attest to the effectiveness of internal controls
Key Provisions of SOX
Auditing Standard No 5 (AS5)
Purpose
PCAOB guidance
Focus on most critical controls
Rebalancing of Auditor’s Work
Internal auditors help advise the board of directors
External auditors reduce redundant testing
Third Party and Information Systems Reliability Assurances
Growth of Electronic Commerce
Area of growing risk
Security and privacy concerns
Difficult to audit
AICPA Trust Services
CPA WebTrust
SysTrust
Third Party and Information Systems Reliability Assurances
Principles of Trust Services
Copyright
Copyright 2012 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Requests for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser
may make backup copies for his/her own use only and not for
distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.
Chapter 12