Prepared by Paula Funkhouser, University of Nevada, Reno
Core Concepts of Accounting Information Systems, 13th Edition
Mark G. Simkin ● Jacob M. Rose ● Carolyn S. Norman
Information Technology Auditing
Chapter 15
• The Audit Function
• The Information Technology Auditor’s Toolkit
• Auditing Computerized Accounting Information Systems
• Information Technology Auditing Today
• Audits of AISs
– Ensure controls are functioning properly
– Confirm additional controls not necessary
• Nature of Auditing
– Internal and external auditing
– IT Audit and financial audit
– Tools of an IT auditor
Copyright © 2015 John Wiley & Sons, Inc. All rights reserved.
The Audit Function
• Internal versus External Auditing
• Information Technology Auditing
• Evaluating the Effectiveness of Information Systems Controls
Internal Auditing
• Responsibility of Performance
– Company’s own employees
– External to the department being audited
• Evaluation of:
– Employee compliance with policies and procedures
– Effectiveness of operations
– Compliance with external laws and regulations
– Reliability of financial reports
– Internal controls
External Auditing
• Responsibility of Performance
– Those outside the organization
– Accountants working for an independent CPA firm
• Audit Purpose
– Performance of the attest function
– Evaluate the accuracy and fairness of the financial statements relative to GAAP
Information Technology Auditing
The Components of an IT Audit
The IT Audit Process
• Computer-Assisted Audit Techniques (CAAT)
– Use of computer processes to perform audit functions
– Performing substantive tests
• Approaches
– Auditing through the computer
– Auditing with the computer
The IT Audit Process
Careers in IT Auditing
• Background
– Accounting skills
– Information systems or computer science skills
• Certified Information Systems Auditor (CISA)
– Successfully complete examination
– Experience requirements
– Comply with Code of Professional Ethics
– Continuing professional education
– Comply with standards
CISA Exam Components
– Information security governance
– Information security program management
– Risk management
– Information security management
– Response management
Evaluating the Effectiveness of Information Systems Controls
• Impact on Substantive Testing
– Strong controls, less substantive testing
– Weak controls, more substantive testing
• Risk Assessment
– Evaluate the risks associated with control weaknesses
– Make recommendations to improve controls
Risk Assessment
• Risk-Based Audit Approach
– Determine the threats
– Identify the control procedures needed
– Evaluate the current control procedures
– Evaluate the weaknesses within the AIS
• Benefits
– Understanding of errors and irregularities
– Sound basis for recommendations
– Errors and accidents
– Loss of company secrets
– Unauthorized manipulation of company files
– Interrupted computer access
• Penetration Testing
Study Break #1
An IT auditor:
A Must be an external auditor
B Must be an internal auditor
C Can be either an internal or external auditor
D Must be a Certified Public Accountant
Study Break #2
In determining the scope of an IT audit, the auditor should pay most attention to:
A Threats and risks
B The cost of the audit
C What the IT manager asks to be evaluated
D Listings of standard control procedures
The IT Auditor’s Toolkit
• Utilization of CAATs
– Auditing with the computer
– Manual access to data stored on computers is impossible
• Tools
– Auditing Software
– People Skills
– Database management systems (DBMS)
– Structured Query Language (SQL)
Generalized Audit Software
• Overview
– Allow for reviewing of files without rewriting processing programs
– Basic data manipulation
– Tailored to auditor tasks
• Common Programs
– Audit Command Language (ACL)
– Interactive Data Extraction and Analysis (IDEA)
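The bullets above describe what generalized audit software does: it lets the auditor review a data file through the DBMS with SQL instead of rewriting the client's processing programs. The following is an added example, not code from the textbook or from ACL or IDEA, showing three classic audit tests (possible duplicate payments, approvals over a user's limit, and gaps in the invoice number sequence) run with plain SQL against a constructed invoice file loaded into an in-memory SQLite database. Table layouts, user names and amounts are all constructed for the illustration.

```python
# Added example (not from the textbook): auditing "with the computer" by
# running SQL tests through a DBMS, as generalized audit software does.
# Every record below is constructed sample data.
import sqlite3

# Constructed extract of an accounts-payable file: (invoice_no, vendor, amount, approved_by)
SAMPLE_INVOICES = [
    (1001, "Acme Supply", 4200.00, "jdoe"),
    (1002, "Acme Supply", 4200.00, "jdoe"),    # same vendor and amount as 1001
    (1003, "Beta Parts", 150.25, "asmith"),
    (1005, "Beta Parts", 980.00, "asmith"),    # 1004 is missing from the sequence
    (1006, "Gamma Ltd", 25000.00, "jdoe"),     # above jdoe's approval limit
]

# Constructed approval limits per user, as an auditor would obtain from the authorization policy
APPROVAL_LIMITS = [("jdoe", 10000.00), ("asmith", 5000.00)]


def load_audit_db(invoices=SAMPLE_INVOICES, limits=APPROVAL_LIMITS):
    """Load the extracted file into an in-memory DBMS for read-only analysis."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (invoice_no INTEGER, vendor TEXT, amount REAL, approved_by TEXT)"
    )
    conn.execute("CREATE TABLE approval_limits (user TEXT, max_amount REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", invoices)
    conn.executemany("INSERT INTO approval_limits VALUES (?, ?)", limits)
    return conn


def possible_duplicate_payments(conn):
    """Same vendor and amount on more than one invoice: candidates for a duplicate payment."""
    rows = conn.execute(
        "SELECT vendor, amount, COUNT(*) FROM invoices "
        "GROUP BY vendor, amount HAVING COUNT(*) > 1"
    ).fetchall()
    return [(vendor, amount, count) for vendor, amount, count in rows]


def approvals_over_limit(conn):
    """Invoice numbers approved by a user beyond that user's authorized limit."""
    rows = conn.execute(
        "SELECT i.invoice_no FROM invoices i "
        "JOIN approval_limits l ON i.approved_by = l.user "
        "WHERE i.amount > l.max_amount ORDER BY i.invoice_no"
    ).fetchall()
    return [row[0] for row in rows]


def sequence_gaps(conn):
    """Invoice numbers missing from the sequence (possible unrecorded or deleted documents)."""
    numbers = [row[0] for row in conn.execute("SELECT invoice_no FROM invoices ORDER BY invoice_no")]
    expected = set(range(numbers[0], numbers[-1] + 1))
    return sorted(expected - set(numbers))


if __name__ == "__main__":
    db = load_audit_db()
    print("possible duplicates:", possible_duplicate_payments(db))
    print("approvals over limit:", approvals_over_limit(db))
    print("sequence gaps:", sequence_gaps(db))
```

Each test is a single query the auditor can rerun as the extract changes; none of them touches the client's own programs, which is the point the slide makes about reviewing files without rewriting processing programs.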
Generalized Audit Software – Inventory
Automated Workpapers
• Overview
– Automate and standardize audit tests
– Can prepare financial statements and other financial measures
• Features
– Generate trial balances
– Make adjusting entries
– Perform consolidations
– Conduct analytical procedures
– Document audit procedures and conclusions
– Gain an understanding of the organization
– Evaluate internal controls
Auditing Computerized AISs
• Auditing Around the Computer
– Assumes accurate output verifies proper processing
– Not effective in a computerized environment
• Auditing Through the Computer
– Follows audit trail through the computer
– Verifies proper functioning of processing controls in AIS programs
Auditing Computerized AISs
• Testing Computer Programs
• Validating Computer Programs
• Review of Systems Software
• Validating Users and Access Privileges
• Continuous Auditing
Testing Computer Programs
• Test Data
– Create set of transactions
– Covering range of exception situations
– Compare results and investigate further
• Integrated Test Facility
– Establish a fictitious entity
– Enter transactions for that entity
– Observe how they are processed
Testing Computer Programs
• Parallel Simulation
– Utilizes live input data
– Simulates all or some of the operations
– Compare results
– Very time-consuming and cost-prohibitive
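The test-data approach and parallel simulation described on the two slides above are easiest to see side by side on one small routine. The following is an added example, not code from the textbook: the program under audit is a constructed stand-in for an invoice-pricing routine with two planted defects (it truncates instead of rounding, and it drops the discount on quantities of 100 or more). The test-data approach feeds constructed transactions covering exception situations through that program and compares each result with the expected value; parallel simulation runs the live input through the auditor's own reimplementation of the pricing rule and compares with what production produced. The pricing rule, invoice figures and expected values are all assumptions for the illustration.

```python
# Added example (not from the textbook): test data and parallel simulation
# applied to a constructed pricing routine. All figures are constructed.
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

TWO_PLACES = Decimal("0.01")


def production_invoice_total(qty, unit_price, discount_pct):
    """Constructed stand-in for the program under audit. Two defects are planted
    for the demonstration: truncation instead of rounding, and the discount is
    dropped when the quantity is 100 or more."""
    if qty >= 100:
        discount_pct = 0
    gross = Decimal(qty) * Decimal(str(unit_price))
    net = gross * (Decimal(100) - Decimal(str(discount_pct))) / Decimal(100)
    return net.quantize(TWO_PLACES, rounding=ROUND_DOWN)


def simulate_invoice_total(qty, unit_price, discount_pct):
    """Auditor's independent reimplementation of the documented rule (assumed):
    extended price less discount, rounded half-up to the cent."""
    gross = Decimal(qty) * Decimal(str(unit_price))
    net = gross * (Decimal(100) - Decimal(str(discount_pct))) / Decimal(100)
    return net.quantize(TWO_PLACES, rounding=ROUND_HALF_UP)


# Test-data approach: constructed transactions that exercise exception and
# boundary situations, each with the result the auditor expects.
TEST_DATA = [
    (0, 19.99, 0, "0.00"),       # zero quantity
    (1, 19.99, 100, "0.00"),     # full discount
    (100, 1.00, 50, "50.00"),    # discount at the quantity boundary
    (1, 0.005, 0, "0.01"),       # rounding at half a cent
]


def run_test_data(cases=TEST_DATA):
    """Feed the test transactions to the production routine; return the cases
    whose result differs from the expected value, with what production produced."""
    exceptions = []
    for qty, price, disc, expected in cases:
        got = production_invoice_total(qty, price, disc)
        if got != Decimal(expected):
            exceptions.append(((qty, price, disc, expected), str(got)))
    return exceptions


# Parallel simulation: live input (constructed here) processed by production.
LIVE_INPUT = [
    ("A1", 10, 19.99, 0),
    ("A2", 3, 45.00, 10),
    ("A3", 7, 3.335, 0),      # exposes the truncation defect
    ("A4", 100, 2.50, 15),    # exposes the dropped discount
]


def compare_with_production(records=LIVE_INPUT):
    """Recompute every live transaction with the auditor's simulation and list
    the invoices where production's figure differs. In a real engagement the
    production figure is read from the production output file; here the
    stand-in routine is called directly."""
    exceptions = []
    for invoice_no, qty, price, disc in records:
        simulated = simulate_invoice_total(qty, price, disc)
        reported = production_invoice_total(qty, price, disc)
        if simulated != reported:
            exceptions.append((invoice_no, str(simulated), str(reported)))
    return exceptions


if __name__ == "__main__":
    print("test data exceptions:", run_test_data())
    print("parallel simulation exceptions:", compare_with_production())
```

Note what each technique catches: the test data finds both defects only because the auditor deliberately included a boundary quantity and a half-cent case, while the parallel simulation finds them in whatever live data happens to contain those conditions, which is why it needs all, or a large sample, of the live transactions and is the more expensive of the two.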
Edit Tests and Test Data
Validating Computer Programs
• Tests of Program Change Controls
– Protect against unauthorized program changes
– Documentation of requests for program changes
– Utilize special forms for authorization
• Program Comparison
– Test of Length
– Comparison Program
Reviewing a Responsibility System
Review of Systems Software
• Systems Software Controls
– Operating system software
– Utility programs
– Program library software
– Access control software
• Inspect Outputs
– Logs
– Incident reports
Password Parameters
– Ensure all system users are valid
– Appropriate access privileges
• Utilize Software Tools
– Examine login times
– Exception conditions
– Irregularities
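The slide describes using software tools to examine login times for exception conditions and irregularities when validating users and their access privileges. The following is an added example, not code from the textbook, that runs three such checks over a constructed login log: a login by an account not on the current authorized user list, a successful login outside business hours, and repeated failed logins for one account. The log format, the user list, the business-hours window and the failure threshold are all assumptions for the illustration.

```python
# Added example (not from the textbook): reviewing login records for exception
# conditions. The log lines, user list and thresholds are constructed.
from collections import Counter
from datetime import datetime

# Constructed login log: "<date> <time> <OK|FAIL> user=<name>"
SAMPLE_LOG = """\
2015-03-02 08:14:55 OK user=jdoe
2015-03-02 09:02:17 OK user=tempadmin
2015-03-02 09:05:01 FAIL user=asmith
2015-03-02 09:05:20 FAIL user=asmith
2015-03-02 09:05:44 FAIL user=asmith
2015-03-02 09:06:03 OK user=asmith
2015-03-02 23:41:10 OK user=jdoe
"""

# Constructed authorized user list, as obtained from the current access-privilege register
AUTHORIZED_USERS = {"jdoe", "asmith"}
BUSINESS_HOURS = (7, 19)      # successful logins expected from 07:00 up to 19:00 (assumed)
FAILURE_THRESHOLD = 3         # failed attempts per user that count as an irregularity (assumed)


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user)."""
    date, time, result, user_field = line.split()
    when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return when, result, user_field.split("=", 1)[1]


def review_logins(log_text, authorized=AUTHORIZED_USERS,
                  hours=BUSINESS_HOURS, threshold=FAILURE_THRESHOLD):
    """Return a list of findings as (condition, user, detail) tuples."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, result, user = parse_line(line)
        stamp = when.isoformat(sep=" ")
        if user not in authorized:
            findings.append(("unknown_user", user, stamp))
        if result == "FAIL":
            failures[user] += 1
        elif not (hours[0] <= when.hour < hours[1]):
            findings.append(("after_hours", user, stamp))
    for user, count in failures.items():
        if count >= threshold:
            findings.append(("repeated_failures", user, count))
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG):
        print(finding)
```

Each finding is a lead for the auditor to follow up rather than a conclusion: the unknown account may be a legitimately created but unregistered user, the after-hours login may be authorized overtime, and the run of failures may be a forgotten password. The point of the tool is to reduce the full log to the exceptions worth investigating.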
Continuous Auditing
• Embedded Audit Modules (Audit Hooks)
– Capture data for audit purposes
Continuous Auditing
• Snapshot Technique
– Examines how transactions are processed
• Continuous and Intermittent Simulation (CIS)
– Embeds audit module in a database management system (DBMS)
– Similar to parallel simulation
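An embedded audit module is code built into the application that captures transactions meeting the auditor's selection criteria as they are processed, and the snapshot technique records the state of the affected record before and after processing. The following is an added example, not code from the textbook, that puts both into a constructed ledger-posting routine: the hook captures any transaction at or above an amount threshold or entered by a watched account, together with before-and-after snapshots of the account record. Account numbers, user names, amounts and the selection criteria are all assumptions for the illustration.

```python
# Added example (not from the textbook): an embedded audit module (audit hook)
# with snapshots, inside a constructed transaction-posting routine.
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: float       # positive increases the balance, negative decreases it
    entered_by: str


class EmbeddedAuditModule:
    """Audit hook compiled into the application. Captures the transactions that
    meet the auditor's selection criteria, with a snapshot of the affected
    record taken before and after processing."""

    def __init__(self, amount_threshold, watched_users=()):
        self.amount_threshold = amount_threshold
        self.watched_users = set(watched_users)
        self.captured = []

    def selects(self, txn):
        return abs(txn.amount) >= self.amount_threshold or txn.entered_by in self.watched_users

    def capture(self, txn, before, after):
        if self.selects(txn):
            self.captured.append({
                "txn_id": txn.txn_id,
                "entered_by": txn.entered_by,
                "before": before,
                "after": after,
            })


def post_transactions(ledger, transactions, audit):
    """The application's posting routine with the audit hook embedded in it."""
    for txn in transactions:
        before = deepcopy(ledger[txn.account])    # snapshot before processing
        ledger[txn.account]["balance"] += txn.amount
        after = deepcopy(ledger[txn.account])     # snapshot after processing
        audit.capture(txn, before, after)
    return ledger


# Constructed sample ledger and transactions
SAMPLE_LEDGER = {
    "1010": {"name": "Cash", "balance": 5000.0},
    "2010": {"name": "Accounts Payable", "balance": 1200.0},
}
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "1010", 250.0, "clerk1"),
    Transaction("T2", "1010", -9500.0, "clerk1"),   # at or above the amount threshold
    Transaction("T3", "2010", 100.0, "sysadmin"),   # entered by a watched account
    Transaction("T4", "2010", -50.0, "clerk2"),
]


def run_demo():
    """Post the sample transactions and return what the audit module captured."""
    audit = EmbeddedAuditModule(amount_threshold=5000.0, watched_users={"sysadmin"})
    post_transactions(deepcopy(SAMPLE_LEDGER), SAMPLE_TRANSACTIONS, audit)
    return audit.captured


if __name__ == "__main__":
    for record in run_demo():
        print(record["txn_id"], record["entered_by"],
              record["before"]["balance"], "->", record["after"]["balance"])
```

Because the hook runs inside the posting routine, the captured records are available to the auditor as the transactions occur rather than after the period closes, which is what makes the technique continuous; the before-and-after snapshots let the auditor see that T2 took the cash account from 5,250.00 to a negative balance without having to re-run the processing.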
Continuous Auditing – Spreadsheet Errors
Which of the following is NOT an audit technique for auditing computerized AIS?
Study Break #4
Continuous auditing:
A Has been talked about for years but will never catch on
B Will likely become popular if organizations adopt XBRL in their financial reporting
C Does not include techniques such as embedded audit modules
D Will never allow IT auditors to provide some types of assurance on a real-time basis
IT Governance
• Overview
– Process of using IT resources effectively
– Efficient, responsible, strategic use of IT
• Objectives
– Using IT strategically to fulfill mission of organization
– Ensure effective management of IT
IT Auditing Today
• The Sarbanes-Oxley Act of 2002
• Auditing Standard No. 5 (AS5)
• Third Party and Information Systems Reliability Assurances
The Sarbanes-Oxley Act of 2002
• Overview
– Limits services that auditors can provide clients while they are conducting audits
• Groups of Compliance Requirements
– Audit committee/corporate governance requirements
– Certification, disclosure, and internal control
– Financial statement reporting rules
– Executive reporting and conduct
The Sarbanes-Oxley Act of 2002
Key Provisions of SOX
Key Provisions of SOX (continued)
Auditing Standard No. 5 (AS5)
• Purpose
– Public Company Accounting Oversight Board (PCAOB) guidance
– Focus on most critical controls
• Rebalancing of Auditor’s Work
– Internal auditors help to advise board of directors
– External auditors reduce redundant testing
Third Party and Information Systems Reliability Assurances
• Growth of Electronic Commerce
– Area of growing risk
– Security and privacy concerns
– Difficult to audit
• AICPA Trust Services
– CPA WebTrust
– SysTrust
Third Party and Information Systems Reliability Assurances
• Principles of Trust Services