Chapter 12 - Monitoring and auditing AIS. After completing this chapter, students will be able to: Understand the risks involved with computer hardware and software, understand and apply computer-assisted audit techniques, explain continuous auditing in AIS.
Page 1: Monitoring and Auditing AIS
Copyright © 2014 McGrawHill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGrawHill Education.
Page 2
• LO#1 Understand the risks involved with computer hardware and software
• LO#2 Understand and apply computer-assisted audit techniques
• LO#3 Explain continuous auditing in AIS.
12-2
Page 3: Computer Hardware and Software
important system software)
Page 4: Operating System (OS)
• To ensure the integrity of the system and tasks of scheduling in the computer
and applications
computer
Page 5: Operating System (OS) (Contd.)
Five fundamental control objectives:
• Protect itself from users
• Protect users from each other
• Protect users from themselves
• Be protected from itself
• Be protected from its environment
Operating system security should be included as part of IT governance in establishing proper policies and procedures for IT controls.
Page 6: Database Systems
• A database is a shared collection of logically related data which meets the information needs of a firm
collection of firm-wide data for a relatively long period of time
• Operational databases are for daily operations and often include data for the current fiscal year only.
• Data mining is the process of searching for patterns in the data in a data warehouse and analyzing these patterns for decision making (OLAP)
• Data governance is the convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in a firm.
Page 7
computers, printers, and other devices connected to the same network that covers a limited geographic range
hubs (broadcast through multiple ports)
switches (provide a path for each pair of connections)
Switches provide a significant improvement over hubs
Page 8: WANs
• Wide area networks (WANs) link different sites together, transmit information across geographic distances and cover a broad geographic area
to provide remote access to employees or customers
to link two or more sites within the firm
to provide corporate access to the Internet
routers and firewalls
Page 9: WANs (Contd.)
• Routers: connect different LANs; software-based intelligent devices that examine the Internet Protocol (IP) address
• Firewalls: a security system comprised of hardware and software that is built using routers, servers, and a variety of software; allows individuals on the corporate network to send/receive a data packet from the Internet
• Virtual Private Network (VPN)
Page 10: Wireless Networks
• A wireless network is comprised of two fundamental architectural components: access points and stations
• An access point logically connects stations to a firm’s network
• A station is a wireless endpoint device equipped with a wireless Network Interface Card (NIC).
Page 11: Wireless Networks (Contd.)
Benefits of using wireless technology:
• Mobility
• Rapid deployment
• Flexibility and Scalability
Security considerations:
• Confidentiality
• Integrity
• Availability
• Access Control
• Eavesdropping
• Man-in-the-Middle
• Masquerading
• Message Modification
• Message Replay
• Misappropriation
• Traffic Analysis
• Rogue Access Point
Page 12: Security Controls in Wireless Networks
• Management Controls: management of risk and information system security
• Operational Controls: protecting a firm’s premises and facilities, preventing and detecting physical security breaches, and providing security training to employees, contractors, or third party users
• Technical Controls: primarily implemented and executed through mechanisms contained in computing related equipment
Page 13: Computer-assisted Audit Techniques (CAATs)
• CAATs are imperative tools for auditors to conduct an audit in accordance with heightened auditing standards
• Generally Accepted Auditing Standards (GAAS) are broad guidelines regarding an auditor’s professional responsibilities
• Information Systems Auditing Standards (ISASs) provide guidelines for conducting an IS/IT audit (issued by ISACA)
• According to the Institute of Internal Auditors’ (IIA) professional practice standard section 1220.A2, internal auditors must consider the use of computer-assisted, technology-based audit tools and other data analysis techniques when conducting internal audits
Page 14: Use CAATs in Auditing Systems
Page 15: Auditing around the computer (the black-box approach)
• First calculating expected results from the transactions entered into the system
• Then comparing these calculations to the processing or output results
• The advantage of this approach is that the systems will not be interrupted for auditing purposes. The black-box approach could be adequate when automated systems applications are relatively simple
Page 16: Auditing through the computer (the white-box approach)
understand the internal logic of the system/application being tested
embraces a variety of techniques: test data technique, parallel simulation, integrated test facility (ITF), and embedded audit module
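The comparison step shared by the black-box approach (expected results versus system output) and the white-box parallel simulation technique, as an added example that is not from the textbook or its slides: the invoice transactions, the application's reported totals and the VOL10 volume-discount rule are all constructed assumptions, and the auditor's own recomputation is run over the same input the application processed.

```python
"""Parallel simulation: recompute every invoice independently and compare the
result with what the production application reported. All data is constructed."""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed transaction file (what was entered into the system).
TRANSACTIONS = """invoice,qty,unit_price,discount_code
1001,10,25.00,NONE
1002,100,4.99,VOL10
1003,3,199.99,NONE
1004,250,2.50,VOL10
"""

# Constructed application output. Invoice 1004 is deliberately wrong:
# the 10% volume discount was not applied (should be 562.50).
SYSTEM_OUTPUT = """invoice,total
1001,250.00
1002,449.10
1003,599.97
1004,625.00
"""

# Assumed (hypothetical) pricing rule: VOL10 gives 10% off when qty >= 100.
DISCOUNTS = {"NONE": Decimal("0"), "VOL10": Decimal("0.10")}
CENT = Decimal("0.01")

def simulate(row):
    """Auditor's independent recomputation of one invoice total."""
    qty = int(row["qty"])
    gross = qty * Decimal(row["unit_price"])
    rate = DISCOUNTS[row["discount_code"]] if qty >= 100 else Decimal("0")
    return (gross * (1 - rate)).quantize(CENT, rounding=ROUND_HALF_UP)

def parallel_simulation(tx_csv, out_csv, tolerance=Decimal("0.01")):
    """Return exceptions as (invoice, reason, expected, reported) tuples."""
    reported = {r["invoice"]: Decimal(r["total"])
                for r in csv.DictReader(io.StringIO(out_csv))}
    exceptions, seen = [], set()
    for row in csv.DictReader(io.StringIO(tx_csv)):
        inv, expected = row["invoice"], simulate(row)
        seen.add(inv)
        actual = reported.get(inv)
        if actual is None:
            exceptions.append((inv, "missing from system output", expected, None))
        elif abs(actual - expected) > tolerance:
            exceptions.append((inv, "total mismatch", expected, actual))
    # Output records with no matching input transaction are exceptions too.
    for inv in sorted(reported.keys() - seen):
        exceptions.append((inv, "no input transaction", None, reported[inv]))
    return exceptions

if __name__ == "__main__":
    for exc in parallel_simulation(TRANSACTIONS, SYSTEM_OUTPUT):
        print(exc)
```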
Page 17: Generalized Audit Software (GAS)
• Frequently used to perform substantive tests and tests of controls through functions performed on data files
Audit Control Language (ACL)
Interactive Data Extraction and Analysis (IDEA)
Page 18: Continuous Audit
Page 19: Fraud Schemes and Corresponding Proposed Alarms under Continuous Audits
Page 20: Implementation of Continuous Auditing
(XBRL)
techniques (CAATs)
Page 21: Implementation of Continuous Auditing (Contd.)
• Non-technical barriers and technical