BKAS3083-Topic1

KAS 3083: Topic 1 OVERVIEW OF IS AUDITING


LEARNING OUTCOMES
Overview of IS Auditing

1. The need for control and audit of IS
2. Definition and objectives of IS auditing
3. Effects of computers on traditional internal control principles
4. Auditors' evidence collection and evidence evaluation functions
5. Foundations of IS auditing

Need for Control & Audit of Computers

- Computers assist organizations in processing data and providing information for decision making.
- The use of computers has to be controlled.
- Organizations must control and audit computer-based IS because the costs of errors and irregularities are high.
- There are seven major reasons to establish a function to examine controls and audit of computers.

Factors Influencing an Organization toward Control and Audit of Computers

Diagram: factors that lead organizations to control and audit of computers:
- Organizational costs of data loss
- Costs of incorrect decision making
- Costs of computer abuse
- Value of computer hardware, software and personnel
- High costs of computer error
- Maintenance of privacy
- Controlled evolution of computer use

Organizational Costs of Data Loss

- Data is a resource that provides an organization with an image of itself, its environment, its history and its future.
- Accurate data increases an organization's ability to adapt and survive in a changing environment, but if the data is inaccurate the organization will suffer significant losses.

Incorrect Decision Making

- High-quality decisions require high-quality data and high-quality decision rules.
- The accuracy required of data depends on the type of decision.
- The accuracy required of decision rules depends on the type of decision.

Costs of Computer Abuse

- Development of an IS audit function is needed because of computer abuse.
- Major types of computer abuse:
  - Hacking - unauthorized electronic access to a computer
  - Viruses - programs which attach themselves to computer files to disrupt operations or damage data or programs
  - Illegal physical access to computer facilities
  - Abuse of privileges
- Computer abuse leads to a number of consequences.

Costs of Computer Abuse

- Types of consequences of computer abuse:
  - Destruction of assets
  - Theft of assets
  - Modification of assets
  - Privacy violations
  - Disruption of operations
  - Unauthorized use of assets
  - Physical harm to personnel
- Losses are higher than from conventional fraud
- Numbers and types of threats seem to be increasing
- Organizations are not well prepared
- Deterrent security and administrative countermeasures can be effective
- Laws governing abuse are evolving

Value of Computer Hardware, Software & Personnel

- Data, computer hardware, software and personnel are important to an organization.
- Hardware - loss or damage can be costly: value of assets and cost of disruption of service
- Software - investment in software, disruption of business, confidential information, proprietary secrets
- Personnel - scarcity, training cost, unique knowledge, disruption in service, loss of competitive advantage

High Costs of Computer Error

- Computers automatically perform critical functions in society.
- The cost of computer errors is high, such as loss of life or damage to the environment.
- Organizations are held liable for the consequences of computer errors.

Maintenance of Privacy

- Data is collected about us: taxation, credit, medical, educational, employment, residence, spending habits.
- People are concerned about the impact on personal privacy, which is regarded as a human right.

Controlled Evolution of Computer Use

- Conflicts arise over how computer technology should be used:
  - use of computers in control over weapon systems
  - use of computers to control working life and environment
- Use of technology produces social problems.
- Governments, professional bodies, pressure groups, organizations and individuals must be concerned with evaluating and monitoring how computer technology is deployed.

IS Auditing

- IS auditing is the process of collecting and evaluating evidence to determine whether a computer:
  - safeguards assets;
  - maintains data integrity;
  - allows organizational goals to be achieved effectively;
  - uses resources efficiently.
- IS auditing supports traditional audit objectives and effectiveness and efficiency objectives (external and internal auditors).
- IS audit ensures that organizations comply with regulations, rules and conditions.

The impact of the IS audit function on organizations

Diagram: what Information Systems Auditing brings to organizations:
- Improved safeguarding of assets
- Improved data integrity
- Improved system effectiveness
- Improved system efficiency
- Compliance with regulations, rules or conditions

- Effectiveness Auditing

- Effectiveness Metrics

- Efficiency Metrics

Effects of Computers on Internal Controls

- Separation of duties
  - Separation of duties does not always apply.
- Delegation of authority and responsibility
  - Delegating authority and responsibility is difficult.
  - Some resources are shared among multiple users.
  - It is difficult to trace who is responsible when errors occur.
- Competent and trustworthy personnel
  - It is difficult to have competent and trustworthy IS personnel: turnover is high, therefore substantial power is given to IS personnel.
- System of authorizations
  - There are two types of authorization to execute transactions: general and specific authorizations.
  - In a manual system, authorization procedures are examined by auditors, BUT in a computer system authorization is within the computer program.
  - It is difficult to assess whether the authority assigned is consistent with what management intends.

Effects of Computers on Internal Controls

- Adequate documents and records
  - In a manual system, adequate documents and records are needed to provide an audit trail, BUT in a computer system documents might not be used.
  - No visible audit or management trail needed.
  - NOT all computer systems are well designed; some do not provide adequate access control and logging facilities to ensure preservation of an accurate and complete audit trail.
- Physical control over assets and records
  - Critical in both systems, but the concentration of the IS assets and records differs.
  - In manual systems records are maintained in different physical locations, BUT in computer systems records are maintained at a single site.
  - Losses of IS assets and records increase when computer abuse arises.

Effects of Computers on Internal Controls

- Adequate management supervision
  - Manual supervision of employees is straightforward, BUT in computer systems supervision might have to be carried out remotely.
  - Supervisory controls are built into the computer systems, leveraging the technology.
  - Develop agreement between management and subordinates.
- Independent checks on performance
  - In manual systems, independent checks are carried out to detect errors and irregularities by employees, BUT in computer systems independent checks are of less value.
  - A computer system always follows its program code, which is meant to be authorized, accurate and complete.
- Comparing recorded accountability with assets
  - In manual systems, the basic data for comparison is prepared by employees, BUT in computer systems software is used to prepare the data.

Effects of Computers on Auditing

- Changes to evidence collection
  - More complex control technology
  - Rapid evolution of control technology
  - Lag in the development of audit tools
  - System reliability and controls reliability?
- Changes to evidence evaluation
  - Is the control reliable?
  - It is difficult to trace the effect of a weakness in a shared data environment
  - Greater consequence of errors
  - Consequences of control strength or weaknesses?

Foundations of IS Auditing

IS auditing as an intersection of other disciplines.

Diagram: Information Systems Auditing at the intersection of:
- Traditional Auditing: knowledge and experience with IC techniques; control philosophy
- IS Management: understand better ways to manage system development
- Behavioral Science: understand the conditions that lead to system failure due to human factors
- Computer Science: technical knowledge

IT Auditors' Roles

- What do IT auditors do?
  - Ensure IT governance by assessing risks and monitoring controls over those risks
  - Work as either internal or external auditors
  - Work on many kinds of audit engagements
  - Collect evidence by performing tests of controls and substantive tests
- Financial vs. IT audits
  - IT auditors may work on financial audit engagements
  - IT auditors may work on every step of the financial audit engagement
  - Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
  - IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important

Role of IT Auditors in the Financial Audit Process?

1. Develop an understanding of the client and perform preliminary audit work
2. Develop audit plan
3. Evaluate the IC system
4. Determine degree of reliance on IC
5. Perform substantive testing
6. Review work and issue audit report
7. Conduct follow-up work

TOC

IT Audit Skills

- College education – IS, computer science, accounting
- Certifications – CPA, CFE, CIA, CISA, CISSP, and special technical certifications
- Technical IT audit skills – specialized technologies
- General personal and business skills
- Professional groups and certifications – alphabet soup
  - ISACA – CISA, CISSP
  - IIA – CIA
  - ACFE – CFE
  - AICPA – CPA and CITP

Structuring an IT Audit

- AICPA Standards and Guidelines – GAAS, SAS, and SSAE
- IFAC Guidelines – harmonized or common international accounting standards and guidelines
- ISACA standards, guidelines, and procedures – includes CobiT and audit standards

Summary

- Organizations must control and audit computer-based IS because the costs of errors and irregularities are high.
- The IS audit function is used to safeguard assets, maintain data integrity, and achieve system effectiveness and efficiency.
- Computer-based IS do not undermine the traditional internal control principles.
- Collecting evidence on the reliability of internal control in computer-based IS is more varied in type, more complex and more critical.
- Evaluating the reliability of controls in computer-based IS is more complex.
- Many of the principles of IS auditing are similar to those of traditional auditing, computer science, management and behavioral science.

- IT auditing is a growing field.
- Technology is changing daily and increasingly impacting businesses. The need for auditing is also increasingly important.
- Accounting scandals in recent years point to a need for more monitoring and oversight. So, as IT is becoming more complex and pervasive, the need for auditing is also on the rise. Thus, IT auditors are going to be in demand.
