
Fundamentals of IT Auditing

Presentation Outline
• Concepts in Information Systems Auditing
• Auditing Technology for Information Systems

Part I: Concepts in Information Systems Auditing
Concepts in IS Auditing
A. The Phases of the Information Systems Audit
B. Structure of the Financial Statement Audit
C. Auditing Around the Computer
D. Auditing With the Computer
E. Auditing Through the Computer

A. Phases of the Information Systems Audit
1. Initial review and evaluation of the area to be audited, and preparation of the audit plan
2. Detailed review and evaluation of controls
3. Compliance testing
4. Analysis and reporting of results
B. Structure of the Financial Statement Audit
Diagram: Transactions → Accounting System → Financial Reports; the Interim Audit consists of Compliance Testing, the Financial Statement Audit of Substantive Testing.
B1. Compliance Testing
Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned. This is known as compliance testing.
B2. Substantive Testing
Substantive testing is the direct verification of financial statement figures. Examples would include reconciling a bank account and confirming accounts receivable.

Audit Confirmation
To ABC Co. Customer:
Please confirm that the balance of your account on Dec. 31 is _____ .
C. Auditing Around the Computer
The auditor ignores computer processing. Instead, the auditor selects source documents that have been input into the system and summarizes them manually to see if they match the output of computer processing.
D. Auditing With the Computer
The utilization of the computer by an auditor to perform some audit work that would otherwise have to be done manually.
E. Auditing Through the Computer
The process of reviewing and evaluating the internal controls in an electronic data processing system.
Part II: Auditing Technology for Information Systems
Auditing Technology for IS
A. Review of Systems Documentation
B. Test Data
C. Integrated-Test-Facility (ITF) Approach
D. Parallel Simulation
E. Audit Software
F. Embedded Audit Routines
G. Mapping
H. Extended Records and Snapshots
A. Review of Systems Documentation
The auditor reviews documentation such as narrative descriptions, flowcharts, and program listings. In desk checking the auditor processes test or real data through the program logic.
B. Test Data
The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the computer-processed output with the manually processed results.
Illustration of Test Data Approach
Diagram: Auditors prepare test transactions and expected results; the test transactions are run through the computer application system; the auditor compares the computer output with the manually processed results.
C. Integrated Test Facility (ITF) Approach
A common form of an ITF is as follows:
1. A dummy ITF center is created for the auditors.
2. Auditors create transactions for controls they want to test.
3. Working papers are created to show expected results from manually processed information.
4. Auditor transactions are run with actual transactions.
5. Auditors compare ITF results to working papers.
Illustration of ITF Approach
Diagram: Auditors prepare ITF transactions and expected results; actual transactions and ITF transactions are run together through the computer application system, which holds both the actual data files and the ITF data; reports with only actual data and reports with only ITF data are produced; the auditor compares the ITF-only report with the manually processed results.
D. Parallel Simulation
The test data and ITF methods both process test
data through real programs. With parallel
simulation, the auditor processes real client data
on an audit program similar to some aspect of
the client’s program. The auditor compares the
results of this processing with the results of the
processing done by the client’s program.
Illustration of Parallel Simulation
Diagram: Actual transactions are processed both by the client's computer application system and by the auditor's simulation program; the auditor compares the actual client report with the simulation report.
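An added example, not from the slides: a Python auditor's simulation program in the parallel-simulation style. It recomputes invoice totals from constructed client transactions under an assumed pricing rule and compares them with a constructed copy of the client's own invoice report, listing amount differences, invoices missing from the report, and report lines with no source transaction.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed client transactions, as the client's system would store them.
INVOICES = [
    {"inv": "A100", "qty": 10, "unit_price": "12.50", "discount_pct": "0"},
    {"inv": "A101", "qty": 200, "unit_price": "3.00", "discount_pct": "5"},
    {"inv": "A102", "qty": 1, "unit_price": "999.99", "discount_pct": "10"},
]
# Constructed copy of the client program's own invoice report.
CLIENT_REPORT = {"A100": "125.00", "A101": "570.00", "A102": "909.99", "A103": "40.00"}


def simulate_invoice_total(line):
    """Auditor's independent re-computation of one invoice total.
    Assumed pricing rule: qty * unit_price, less discount, rounded half-up to cents."""
    gross = Decimal(line["unit_price"]) * line["qty"]
    net = gross * (Decimal(100) - Decimal(line["discount_pct"])) / Decimal(100)
    return net.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(invoices, client_report):
    """Run every real transaction through the simulation and compare with the client's
    output. Returns {invoice: (finding, simulated_amount, client_amount)}."""
    simulated = {line["inv"]: simulate_invoice_total(line) for line in invoices}
    exceptions = {}
    for inv, amount in simulated.items():
        if inv not in client_report:
            exceptions[inv] = ("missing from client report", amount, None)
        elif Decimal(client_report[inv]) != amount:
            exceptions[inv] = ("amount differs", amount, Decimal(client_report[inv]))
    # Report lines with no underlying transaction are also audit exceptions.
    for inv in sorted(client_report.keys() - simulated.keys()):
        exceptions[inv] = ("no source transaction", None, Decimal(client_report[inv]))
    return exceptions


if __name__ == "__main__":
    for inv, finding in parallel_simulation(INVOICES, CLIENT_REPORT).items():
        print(inv, *finding)
```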
E. Audit Software
Computer programs that permit computers to be used as auditing tools include:
1. Generalized audit software – performs tasks such as selecting sample data from a file, checking computations, and searching files for unusual items.
2. P.C. software – allows auditors to analyze data from notebook computers in the field.
F. Embedded Audit Routines
1. In-line Code – The application program performs audit data collection while it processes data for normal production purposes.
2. System Control Audit Review File (SCARF) – Edit tests for audit transaction analysis are included in the program. Exceptions are written to a file for audit review.
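An added example, not from the slides: a SCARF-style embedded routine in Python. The edit tests (valid account, review threshold, business hours) and the transaction batch are constructed; the posting logic keeps running normally while exceptions are collected and written to a review file.

```python
import json
from datetime import datetime

VALID_ACCOUNTS = {"1010", "2020", "3030"}   # constructed chart of accounts
REVIEW_THRESHOLD = 10000.00                  # constructed audit review threshold
BUSINESS_HOURS = range(8, 18)                # constructed: 08:00 to 17:59

# Constructed transaction batch for the example.
TRANSACTIONS = [
    {"id": "T001", "account": "1010", "amount": 250.00, "user": "jdoe", "time": "2024-03-04T10:15:00"},
    {"id": "T002", "account": "2020", "amount": 15000.00, "user": "asmith", "time": "2024-03-04T11:02:00"},
    {"id": "T003", "account": "9999", "amount": 40.00, "user": "jdoe", "time": "2024-03-04T14:30:00"},
    {"id": "T004", "account": "3030", "amount": 800.00, "user": "jdoe", "time": "2024-03-04T23:45:00"},
]


def edit_tests(txn):
    """Audit edit tests embedded in the application; returns why a transaction is flagged."""
    reasons = []
    if txn["account"] not in VALID_ACCOUNTS:
        reasons.append("unknown account")
    if txn["amount"] >= REVIEW_THRESHOLD:
        reasons.append("amount at or above review threshold")
    if datetime.fromisoformat(txn["time"]).hour not in BUSINESS_HOURS:
        reasons.append("posted outside business hours")
    return reasons


def process_batch(txns):
    """Normal production posting; SCARF collection happens alongside it.
    Returns (account balances, exception records). SCARF records, it does not block."""
    balances, exceptions = {}, []
    for txn in txns:
        reasons = edit_tests(txn)
        if reasons:
            exceptions.append({"id": txn["id"], "user": txn["user"], "reasons": reasons})
        balances[txn["account"]] = balances.get(txn["account"], 0.0) + txn["amount"]
    return balances, exceptions


def write_scarf_file(exceptions, path):
    """Append exception records, one JSON object per line, for later audit review."""
    with open(path, "a", encoding="utf-8") as review_file:
        for record in exceptions:
            review_file.write(json.dumps(record) + "\n")


if __name__ == "__main__":
    balances, exceptions = process_batch(TRANSACTIONS)
    write_scarf_file(exceptions, "scarf_exceptions.jsonl")
    print(balances, exceptions)
```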
G. Mapping
Special software counts the number of times each program statement in a program executes. This helps identify code that is bypassed when the bypass is not readily apparent in the program code and/or documentation.
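An added example, not from the slides, of the mapping idea in Python: a line tracer counts how often each statement of a constructed approval routine executes over a constructed sample batch and reports the statements that were never reached. The routine, batch and helper names are all assumptions for illustration.

```python
import dis
import inspect
import sys


def approve_payment(amount, approver_level):
    """Constructed application routine; one branch may never be reached by real data."""
    if amount > 10000:
        if approver_level >= 3:
            return "approved"
        return "escalate"
    if approver_level >= 1:
        return "approved"
    return "rejected"


def map_execution(func, batch):
    """Run func over every argument tuple in batch under a line tracer.
    Returns {line_number: execution_count} for func's own statements only."""
    code = func.__code__
    counts = {}

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None            # do not trace helpers or library code
        if event == "line":
            counts[frame.f_lineno] = counts.get(frame.f_lineno, 0) + 1
        return tracer

    sys.settrace(tracer)
    try:
        for args in batch:
            func(*args)
    finally:
        sys.settrace(None)
    return counts


def unexecuted_statements(func, batch):
    """Source text of func's statements that never executed for the batch."""
    counts = map_execution(func, batch)
    code = func.__code__
    src_lines, start = inspect.getsourcelines(func)
    statement_lines = sorted({ln for _, ln in dis.findlinestarts(code)
                              if ln is not None and ln > code.co_firstlineno})
    return [src_lines[ln - start].strip() for ln in statement_lines if counts.get(ln, 0) == 0]


# Constructed production-like batch: no transaction exercises the "rejected" path.
SAMPLE_BATCH = [(500, 1), (25000, 3), (25000, 1), (75, 2)]

if __name__ == "__main__":
    print(map_execution(approve_payment, SAMPLE_BATCH))
    print(unexecuted_statements(approve_payment, SAMPLE_BATCH))
```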
H. Extended Records and Snapshots
Extended Records: Specific transactions are tagged, and the intervening processing steps that normally would not be saved are added to the extended record, permitting the audit trail to be reconstructed for these transactions.
Snapshot: A snapshot is similar to an extended record except that the snapshot is a printed audit trail.
General Control: Logical Security
• General Security Concepts
• Access Management
• Cybersecurity
I. General Security Concepts
• Logical security can occur at various levels within the IT infrastructure.
• Logical security control components include:
– Authentication – Manner in which the user logs into the system.
– Authorization – Manner in which the user gets approved to access a system.
– Access Management
– Monitoring and Follow-up
II. Access Management
• Process in which the manner of access is managed:
– Access by data classification
– Access by functionality
Access Control: Segregation of Duties (SOD)
• Examples of conflicting duties:
– Moving cash and performing bank reconciliation
– Moving cash and journal entry
– Ordering and receiving
– Developer and update access within an application
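An added example, not from the slides: a Python check for the conflicting duty pairs listed above. Role definitions, user-role assignments and permission names are constructed (as if exported from an application); permissions are accumulated across all of a user's roles, which is where conflicts hide when each role looks clean on its own.

```python
# Conflicting duty pairs from the slide; permission names are constructed.
SOD_CONFLICTS = [
    ("MOVE_CASH", "BANK_RECONCILIATION"),
    ("MOVE_CASH", "POST_JOURNAL_ENTRY"),
    ("CREATE_PURCHASE_ORDER", "RECEIVE_GOODS"),
    ("APP_DEVELOPER", "APP_UPDATE"),
]

# Constructed role definitions and user-role assignments.
ROLE_PERMISSIONS = {
    "treasury_clerk": {"MOVE_CASH"},
    "gl_accountant": {"POST_JOURNAL_ENTRY", "BANK_RECONCILIATION"},
    "buyer": {"CREATE_PURCHASE_ORDER"},
    "warehouse": {"RECEIVE_GOODS"},
    "developer": {"APP_DEVELOPER"},
    "app_admin": {"APP_UPDATE", "USER_ADMIN"},
}
USER_ROLES = {
    "alice": ["treasury_clerk"],
    "bob": ["treasury_clerk", "gl_accountant"],   # cash plus reconciliation and journal
    "carol": ["buyer", "warehouse"],                # ordering plus receiving
    "dave": ["developer"],
    "erin": ["developer", "app_admin"],             # developer plus update access
}


def effective_permissions(user, user_roles, role_permissions):
    """Union of permissions over all of a user's roles."""
    perms = set()
    for role in user_roles.get(user, []):
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(user_roles, role_permissions, conflicts):
    """Return {user: [(duty_a, duty_b), ...]} for every conflicting pair a user holds."""
    violations = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_permissions)
        hits = [(a, b) for a, b in conflicts if a in perms and b in perms]
        if hits:
            violations[user] = hits
    return violations


if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES, ROLE_PERMISSIONS, SOD_CONFLICTS).items():
        print(user, hits)
```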
Access Control Principles
• Least Permission
– Initially a user has no access
– Security is then designed to provide users with
the access they need to perform their job
function.
– Access is limited to inquiry.
Access Control Principles
• All Permissions
– Initially a user has full permissions
– The organization then restricts access from a global perspective down
– Can cause users to have more access than required
– Typically results in poor design
Ways Companies Approve Access
• The best practice is to interface with a human resource system where, once someone is hired, a user account is set up for that person and access is granted to all systems based on the job.
• Paper-based approval
• Email approval
• Automated workflow system
Periodic Review of Access
• Best practice is annual or quarterly re-certification of all users' access
• Entails a report of all users' access, which is sent to the data or application owner for review
• Differences noted are then updated
• Access is automatically removed if not used
Password Policy
• Reusable passwords
• Not using the same password at multiple sites
• Password duration policies
• Shared password policies (makes auditing impossible)
• Lost passwords (password resets)
III. Cybersecurity
• Internet connectivity and unauthorized activity
• Internal threats
• External threats
• Disaster recovery and business continuity planning
• End user awareness
APPLICATION CONTROLS
Overview
• Input Controls
• Processing Controls
• Output Controls
• Interface Controls
• Audit Trails
• Application Security
Input Controls
• These controls are used primarily to check the integrity of data entered into a business application, whether the data is entered directly by staff, remotely by a business partner, or through a web-enabled application or interface.
Processing Controls
• These controls provide an automated means to ensure processing is complete, accurate and authorized.
Output Controls
• These controls ensure that data from a system is complete and accurate and that only authorized personnel receive that output.
• Risks:
– Undetected errors
– Incomplete / inaccurate / inefficient reporting
– Sensitive data delivered to the wrong person
Interface Controls
• These controls are used to ensure that the data transferred between source and destination is complete and accurate.
• Risks:
– Incomplete data transfer
– Unauthorized access occurs
– System interruptions can occur
Audit Trails
• Processing history controls enable management to identify the transactions and events they record, by tracking transactions from their source to their output and by tracing backward.
• Risks:
– Significant events are not captured
– Capability to change, delete or modify audit trail activity
Application Security
• The focus of application security is information integrity.
• Risks include:
– Risks that are application-independent and stem from a lack of segregation of duties.
BUSINESS CONTINUITY MANAGEMENT and BACKUP PROCESS
BCM
• Business Continuity Management (BCM) is a plan to continue operations if adverse conditions occur, such as a storm, fire or crime.
DR
• Disaster Recovery (DR) supports restoring operations critical to the resumption of business, including regaining access to data (records, hardware, software, etc.), communications (e-mail, phone, etc.), workspace and other business processes after a disaster.
Backup Processing
• Backup Processing refers to the copying and archiving of computer software and data so that it may be used to restore the original after a data loss event.
• Examples include restoring a file folder, a database, an entire system or a full data center.
