BKAS3083-Topic1
LEARNING OUTCOMES - Overview of IS Auditing
1. The need for control and audit of IS
2. Definition and objectives of IS auditing
3. Effects of computers on traditional internal control principles
4. Auditors' evidence collection and evidence evaluation functions
5. Foundations of IS auditing
Need for Control & Audit of Computers
- Computers assist organizations in processing data and providing information for decision making.
- The use of computers has to be controlled. Organizations must control and audit computer-based IS because the costs of errors and irregularities are high.
- There are seven major reasons to establish a function to examine controls and audit computers.
Factors Influencing an Organization toward Control and Audit of Computers
- Organizational costs of data loss
- Costs of incorrect decision making
- Costs of computer abuse
- Value of computer hardware, software and personnel
- High costs of computer error
- Maintenance of privacy
- Controlled evolution of computer use
These seven factors push organizations toward control and audit of computers.
Organizational Costs of Data Loss
- Data is a resource which provides an organization with an image of itself, its environment, its history and its future.
- Accurate data increases an organization's ability to adapt and survive in a changing environment, but if the data is inaccurate the organization will suffer significant losses.
Incorrect Decision Making
- High quality decisions require HIGH QUALITY DATA and HIGH QUALITY DECISION RULES.
- How accurate the data must be depends on the type of decision.
- How accurate the decision rules must be depends on the type of decision.
Costs of Computer Abuse
- Development of the IS audit function is needed because of computer abuse.
- Major types of computer abuse:
  - Hacking: unauthorized electronic access to a computer
  - Viruses: programs which attach themselves to computer files to disrupt operations or damage data or programs
  - Illegal physical access to computer facilities
  - Abuse of privileges
- Computer abuse leads to a number of consequences.
Costs of Computer Abuse (continued)
- Types of consequences of computer abuse: destruction of assets, theft of assets, modification of assets, privacy violations, disruption of operations, unauthorized use of assets, physical harm to personnel.
- Losses are higher than from conventional fraud.
- The numbers and types of threats seem to be increasing.
- Organizations are not well prepared.
- Deterrent security and administrative countermeasures can be effective.
- Laws governing abuse are evolving.
Value of Computer Hardware, Software & Personnel
- Data, computer hardware, software and personnel are important to the organization.
- Hardware: loss or damage can be costly, both in the value of the assets and in the cost of disruption of service.
- Software: investment in software, disruption of business, confidential information, proprietary secrets.
- Personnel: scarcity, training cost, unique knowledge, disruption in service, loss of competitive advantage.
High Costs of Computer Error
- Computers automatically perform critical functions in society.
- The cost of computer errors is high and can include loss of life or damage to the environment.
- Organizations are held liable for the consequences of computer errors.
Maintenance of Privacy
- Data is collected about us: taxation, credit, medical, educational, employment, residence, spending habits.
- People are concerned about the impact on personal privacy, which is considered a human right.
Controlled Evolution of Computer Use
- Conflicts arise on how computer technology should be used: use of computers in control over weapon systems; use of computers to control working life and the environment.
- The use of technology produces social problems.
- Governments, professional bodies, pressure groups, organizations and individuals must be concerned with evaluating and monitoring how computer technology is deployed.
IS Auditing
- IS auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.
- IS auditing supports traditional audit objectives as well as effectiveness and efficiency objectives, for both external and internal auditors.
- IS audit ensures that the organization complies with regulations, rules and conditions.
Information Systems Auditing
The impact of the IS audit function on organizations:
- Improved safeguarding of assets
- Improved data integrity
- Improved system effectiveness (effectiveness auditing, effectiveness metrics)
- Improved system efficiency (efficiency metrics)
- Compliance with regulations, rules or conditions
Effects of Computers on Internal Controls
- Separation of duties: separation of duties does not always apply in computer-based systems.
- Delegation of authority and responsibility: delegating authority and responsibility is difficult because some resources are shared among multiple users, so it is difficult to trace who is responsible when an error occurs.
- Competent and trustworthy personnel: it is difficult to have competent and trustworthy IS personnel because of high turnover, yet substantial power is given to IS personnel.
- System of authorizations: there are two types of authorization to execute transactions, general and specific. In a manual system, authorization procedures can be examined by auditors, BUT in a computer system the authorization is embedded within the computer program, so it is difficult to assess whether the authority assigned is consistent with management's intent.
Effects of Computers on Internal Controls (continued)
- Adequate documents and records: in a manual system, adequate documents and records are needed to provide an audit trail, BUT in a computer system such documents might not be used, and no visible audit or management trail is needed. NOT all computer systems are well designed; some do not provide adequate access control and logging facilities to ensure preservation of an accurate and complete audit trail.
- Physical control over assets and records: critical in both systems, but the concentration of IS assets and records differs. In manual systems records are maintained in different physical locations, BUT in a computer system records are maintained at a single site, so losses of IS assets and records increase when computer abuse arises.
Effects of Computers on Internal Controls (continued)
- Adequate management supervision: manual supervision of employees is straightforward, BUT computer systems might be operated remotely. Supervisory controls can be built into the computer systems (leveraging the technology), and agreements developed between management and subordinates.
- Independent checks on performance: in manual systems, independent checks are carried out by employees to detect errors and irregularities, BUT in computer systems independent checks are of less value, because a computer system always follows the program code designated in it; the program itself must therefore be authorized, accurate and complete.
- Comparing recorded accountability with assets: in manual systems the basic data for the comparison is prepared by employees, BUT in computer systems software is used to prepare the data.
Effects of Computers on Auditing
- Changes to evidence collection: more complex control technology; rapid evolution of control technology; lag in the development of audit tools. (System reliability and controls: is the control reliable?)
- Changes to evidence evaluation: is the control reliable? It is difficult to trace the effect of a weakness in a shared data environment, and there are greater consequences of errors. (What are the consequences of control strengths or weaknesses?)
Foundations of IS Auditing
IS auditing is an intersection of other disciplines:
- Traditional auditing: knowledge of and experience with internal control techniques; control philosophy.
- IS management: understanding of better ways to manage system development.
- Behavioral science: understanding of the conditions that lead to system failure due to human factors.
- Computer science: technical knowledge.
IT Auditors' Roles
What do IT auditors do?
- Ensure IT governance by assessing risks and monitoring controls over those risks.
- Work as either internal or external auditors.
- Work on many kinds of audit engagements.
- Collect evidence by performing tests of controls and substantive tests.
Financial vs. IT audits:
- IT auditors may work on financial audit engagements, and on every step of the financial audit engagement.
- Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements.
- IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important.
Role of IT Auditors in the Financial Audit Process
1. Develop an understanding of the client and perform preliminary audit work
2. Develop the audit plan
3. Evaluate the IC system
4. Determine the degree of reliance on IC
5. Perform substantive testing
6. Review work and issue the audit report
7. Conduct follow-up work
TOC (tests of controls)
IT Audit Skills
- College education: IS, computer science, accounting
- Certifications: CPA, CFE, CIA, CISA, CISSP, and special technical certifications
- Technical IT audit skills: specialized technologies
- General personal and business skills
- Professional groups and certifications ("alphabet soup"): ISACA (CISA, CISSP), IIA (CIA), ACFE (CFE), AICPA (CPA and CITP)
Structuring an IT Audit
- AICPA standards and guidelines: GAAS, SAS and SSAE
- IFAC guidelines: harmonized or common international accounting standards and guidelines
- ISACA standards, guidelines and procedures: includes CobiT and audit standards
Summary
- Organizations must control and audit computer-based IS because the costs of errors and irregularities are high.
- The IS audit function is used to safeguard assets, maintain data integrity, and achieve system effectiveness and efficiency.
- Computer-based IS do not undermine the traditional internal control principles.
- Collecting evidence on the reliability of internal control in computer-based IS is more varied, complex and critical.
- Evaluating the reliability of controls in computer-based IS is more complex.
- Many of the principles of IS auditing are similar to those of traditional auditing, computer science, management and behavioral science.
IT auditing is a growing field. Technology is changing daily and increasingly impacting businesses, so the need for auditing is also increasingly important. Accounting scandals in recent years point to a need for more monitoring and oversight. As IT becomes more complex and pervasive, the need for auditing is also on the rise, and IT auditors are going to be in demand.