IS Auditing and Assurance

Chapter 17

Information Systems Auditing and Assurance

Objectives for Chapter 17

Purpose of an audit and the basic conceptual elements of the audit process
Difference between internal and external auditing and the relationship between them
How auditing objectives and tests of control are determined by the control structure of the client firm
Audit objective and tests of control for each of the nine general control areas
Auditing techniques used to verify the effective functioning of application controls
Auditing techniques used to perform substantive tests in a CBIS environment

Attestation versus Assurance

Attestation:
an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.
(SSAE No. 1, AT Sec. 100.01)

Assurance:
professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision-makers
includes, but is not limited to, attestation

Attest and Assurance Services

What is a Financial Audit?

An independent attestation by a professional (CPA) regarding the faithful representation of the financial statements.
Three phases of a financial audit:
familiarization with client firm
evaluation and testing of internal controls
assessment of reliability of financial data

Generally Accepted Auditing Standards (GAAS)

External versus Internal Auditing

External auditors represent the interests of third party stakeholders, while internal auditors serve as an independent appraisal function within the organization.
Internal auditors often perform tasks which can reduce external audit fees and help to achieve audit efficiency.

Elements of an Audit

Systematic procedures are used
Evidence is obtained
tests of internal controls
substantive tests
Determination of materiality for weaknesses found
Prepare audit report & audit opinion

Information Technology (IT) Audit

Since most information systems employ information technology, the IT audit is typically a significant component of all external (financial) and internal audits.
IT audits:
focus on the computer-based aspects of an organization's information system
assess the proper implementation, operation, and control of computer resources

Phases of an IT Audit

Audit Risk is...

the probability the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated.

Components of Audit Risk

Inherent risk is associated with the unique characteristics of the business or industry of the client.
Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.
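The standard audit risk model that ties the three components together, added here as a worked illustration (it is not on the original slide):

$$AR = IR \times CR \times DR$$

Solving for the detection risk the auditor can accept gives $DR = \dfrac{AR}{IR \times CR}$. With a planned audit risk of $AR = 0.05$, an assessed inherent risk of $IR = 0.8$ and a control risk of $CR = 0.5$ (assumed values), $DR = 0.05 / (0.8 \times 0.5) = 0.125$, so substantive tests must be designed to hold detection risk to about 12.5%. Weaker controls (a higher $CR$) push the acceptable $DR$ down and therefore require more substantive testing.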

Tests of General Controls

Our primary purposes are to understand:
the auditing objectives in each general control area and
the nature of the tests that auditors perform to achieve these objectives.

Tests of General Controls

Our discussion is organized around the following:
1. operating system controls
2. data management controls
3. organizational structure controls
4. systems development controls
5. systems maintenance controls
6. computer center security and control
7. Internet and Intranet controls
8. electronic data interchange (EDI) controls
9. personal computer controls

[Figure: General Control Framework for CBIS Risks. Around the organizational structure sit the control areas: operating system, data management, systems development, systems maintenance, computer center security, Internet & Intranet, EDI trading partners, personal computers, and applications.]

1. General Control Tests

Operating system objective: verify that the security policy and control procedures are rigorous enough to protect the operating system against:
hardware failure
software errors
destructive acts by employees or hackers
virus infection

1. General Control Tests

Operating system (continued)
Access controls:
privilege controls
password control
virus control
fault tolerance control

2. General Control Tests

Data management objective:
protect against unauthorized access to or destruction of data & inadequate data backup.

Controls:
access - encryption, user authorization tables, inference controls and biometric devices are a few examples
backup - grandfather-father-son and direct access backup; recovery procedures
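An added example (not from the original slides) of how an auditor can test the grandfather-father-son backup control above: classify each backup date into its generation under the client's documented rotation policy and compare the backup log against the sets that must still be restorable. The retention periods and log dates are assumed values.

```python
"""Grandfather-father-son (GFS) backup rotation check.
Constructed example: the policy and the log below are hypothetical."""
from datetime import date, timedelta

# Assumed policy: daily "son" sets kept 7 days, weekly "father" sets
# (Friday backups) kept 5 weeks, monthly "grandfather" sets (last day
# of the month) kept 365 days.
RETENTION = {"son": timedelta(days=7), "father": timedelta(weeks=5),
             "grandfather": timedelta(days=365)}

def _generation(d: date) -> str:
    """Classify a backup date into its GFS generation."""
    last_day = (d.replace(day=28) + timedelta(days=4)).replace(day=1) - timedelta(days=1)
    if d == last_day:
        return "grandfather"
    if d.weekday() == 4:  # Friday
        return "father"
    return "son"

def generation(iso: str) -> str:
    return _generation(date.fromisoformat(iso))

def expected_retained(today: date) -> set:
    """All backup dates the policy says must still be restorable today."""
    keep = set()
    for back in range(400):  # comfortably beyond the longest retention
        d = today - timedelta(days=back)
        if today - d <= RETENTION[_generation(d)]:
            keep.add(d)
    return keep

def audit_backup_log(log_dates: list, today_iso: str) -> dict:
    """Compare the client's backup log (ISO dates) with the policy:
    'missing' = required sets not in the log (a recovery exposure),
    'stale'   = sets kept past retention (rotation not being followed)."""
    today = date.fromisoformat(today_iso)
    required = expected_retained(today)
    held = {date.fromisoformat(s) for s in log_dates}
    return {"missing": sorted(d.isoformat() for d in required - held),
            "stale": sorted(d.isoformat() for d in held - required)}

if __name__ == "__main__":
    # Constructed log: a Monday "son" set from 11 days ago was never rotated.
    print(audit_backup_log(["2024-03-14", "2024-03-01", "2024-02-29", "2024-03-04"],
                           "2024-03-15"))
```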

3. General Control Tests

Organizational structure objectives:
determine whether incompatible functions have been identified and segregated in accordance with the level of potential exposure
determine whether segregation is sustained through a working environment that promotes formal relationships between incompatible tasks

Controls:
review organizational & systems documentation, observe behavior, and review database authority tables

4. General Control Tests

Systems development objectives: ensure that...
SDLC activities are applied consistently and in accordance with management's policies
the system as originally implemented was free from material errors and fraud
the system was judged to be necessary and justified at various checkpoints throughout the SDLC
system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities

4. General Control Tests

Systems development (continued)
Controls:
systems authorization techniques
good development procedures
internal audit team participation
appropriate testing of system

5. General Control Tests

Systems maintenance objectives: detect unauthorized program maintenance and determine that...
maintenance procedures protect applications from unauthorized changes
applications are free from material errors
program libraries are protected from unauthorized access

5. General Control Tests

Systems maintenance (continued)
Controls:
authorization requirements for program maintenance
appropriate documentation of changes
adequate testing of program changes
reconciling program version numbers
review programmer authority table
test authority table

6. General Control Tests

Computer center objectives: determine that...
physical security controls adequately protect the organization from physical exposures
insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center
operator documentation is adequate to deal with routine operations as well as system failures
the organization's disaster recovery plan is adequate and feasible

6. General Control Tests

Computer center (continued)
Controls:
well-planned physical layout
backup and disaster recovery planning
review critical application list

7. General Control Tests

Internet & Intranet objectives: determine that communications controls...
can detect and correct message loss due to equipment failure
can prevent and detect illegal access both internally and from the Internet
will render useless any data that are successfully captured by a perpetrator
are sufficient to preserve the integrity and security of data connected to the network

7. General Control Tests

Internet & Intranet (continued)
Controls:
equipment failure: line checks (parity & echo), and backups
subversive threats: access controls, encryption of data, and firewalls
message control: sequence numbering, authentication, transaction logs, request-response polling
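An added example (not from the original slides) showing how three of the message controls above work together on the receiving side: each message carries a sequence number and an authentication tag, and the receiver keeps a transaction log that records lost, replayed and tampered messages. The shared key and the traffic are constructed sample data.

```python
"""Receiver-side message control: sequence numbering, HMAC authentication
and a transaction log. Constructed example with a hypothetical shared key."""
import hmac
import hashlib

KEY = b"constructed-demo-key"  # hypothetical secret shared by both ends

def _tag(seq: int, body: str) -> str:
    """HMAC over sequence number and body, so neither can be altered."""
    return hmac.new(KEY, f"{seq}|{body}".encode(), hashlib.sha256).hexdigest()

def sign(seq: int, body: str) -> dict:
    """Sender side: attach sequence number and authentication tag."""
    return {"seq": seq, "body": body, "mac": _tag(seq, body)}

def receive(messages: list) -> dict:
    """Verify each MAC, detect gaps (loss) and repeats (replay), and
    keep a transaction log of every accept/reject decision."""
    expected, seen, log = 1, set(), []
    for m in messages:
        if not hmac.compare_digest(_tag(m["seq"], m["body"]), m["mac"]):
            log.append((m["seq"], "rejected: authentication failed"))
            continue
        if m["seq"] in seen:
            log.append((m["seq"], "rejected: duplicate (possible replay)"))
            continue
        if m["seq"] > expected:
            log.append((expected, f"gap: messages {expected}..{m['seq'] - 1} lost"))
        seen.add(m["seq"])
        expected = max(expected, m["seq"] + 1)
        log.append((m["seq"], "accepted"))
    return {"accepted": sorted(seen), "log": log}

# Constructed traffic: message 2 is lost in transit, 3 arrives twice,
# and 4 has its body altered after signing.
SAMPLE = [sign(1, "PO-1001 qty=10"),
          sign(3, "PO-1002 qty=5"),
          sign(3, "PO-1002 qty=5"),
          dict(sign(4, "PO-1003 qty=1"), body="PO-1003 qty=100")]

if __name__ == "__main__":
    for entry in receive(SAMPLE)["log"]:
        print(entry)
```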

8. General Control Tests

EDI objectives: determine that...
all EDI transactions are authorized, validated, and in compliance with organizational policy
no unauthorized organizations gain access to database records
authorized trading partners have access only to approved data
adequate controls are in place to ensure complete EDI transactions

8. General Control Tests

EDI (continued)
Controls:
sophisticated authorization & validation techniques
access controls
audit trail modules and controls

9. General Control Tests

Personal computers (PCs) objectives: determine that...
adequate supervision and operating procedures exist to compensate for lack of segregation between the duties of users, programmers, and operators
access to microcomputers, data files, and program files is restricted to authorized personnel
backup procedures are in place to prevent data and program loss from hardware failures
systems selection and acquisition procedures produce applications that are high quality, free from errors, and protected from unauthorized changes

9. General Control Tests

PCs (continued)
Controls:
increased supervision
access & security controls
backup controls
systems development and maintenance controls
systems development and acquisition controls

Computer Applications Controls

Techniques for auditing computer applications fall into two classes:
1) techniques for testing application controls
2) techniques for examining transaction details and account balances (substantive testing)

Testing Application Controls

Black Box Approach - understanding flowcharts, input procedures, & output results
White Box Approach - understanding the internal logic of the application
authenticity (access) tests
accuracy tests
completeness tests
redundancy tests
audit trail tests
rounding error tests

Auditing Around the Computer: The Black Box Approach

White Box Testing Techniques

Test data method: testing for logic or control problems - good for new systems or systems which have undergone recent maintenance
base case system evaluation (BCSE) - using a comprehensive set of test transactions
tracing - performs an electronic walkthrough of the application's internal logic

Test Data Methods are not fool-proof

a snapshot - one point in time examination
high cost of developing adequate test data

Auditing through the Computer: The Test Data Technique

White Box Testing Techniques

Integrated test facility (ITF): an automated, on-going technique that enables the auditor to test an application's logic and controls during its normal operation
Parallel simulation: auditor writes simulation programs and runs actual transactions of the client through the system

Auditing through the Computer: The ITF Technique

Auditing through the Computer: The Parallel Simulation Technique

Substantive Testing Techniques

Search for unrecorded liabilities
Confirm accounts receivable to ensure they are not overstated
Determine the correct value of inventory, and ensure it is not overstated
Determine the accuracy of accruals for expenses incurred, but not yet received (also revenues if appropriate)

Embedded Audit Module (EAM)

An ongoing module which filters out nonmaterial transactions
The chosen, material transactions are used for sampling in substantive tests
Requires additional computing resources by the client
Hard to maintain in systems with high maintenance

Substantive Testing: EAM

Generalized Audit Software (GAS)

Very popular & widely used
Can access data files & perform operations on them:
screen data
statistical sampling methods
foot & balance
format reports
compare files and fields
recalculate data fields

Substantive Testing: GAS
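An added example (not from the original slides, and not a GAS product) that performs three of the GAS operations listed above on a constructed sales file: recalculating the extended amount of each line, footing the file and balancing it against a ledger control total, and comparing the customer field against a master file. All file contents and the control total are made-up sample data.

```python
"""GAS-style substantive tests in plain Python: recalculate data fields,
foot & balance, and compare files/fields. Constructed sample data."""
import csv
import io
from decimal import Decimal

# Constructed sales file: invoice 1003 has a wrong extended amount
# (7 x 20.00 is 140.00, not 150.00) and 1004 cites an unknown customer.
SALES_CSV = """invoice,customer,qty,unit_price,amount
1001,C001,10,12.50,125.00
1002,C002,3,99.99,299.97
1003,C001,7,20.00,150.00
1004,C999,1,500.00,500.00
"""
# Constructed customer master file for the compare-files step.
CUSTOMER_CSV = """customer,name
C001,Alpha Ltd
C002,Beta Inc
"""

def recalculate(rows: list) -> list:
    """Recompute qty * unit_price and flag rows whose stored amount differs."""
    return [r["invoice"] for r in rows
            if Decimal(r["qty"]) * Decimal(r["unit_price"]) != Decimal(r["amount"])]

def foot_and_balance(rows: list, control_total: Decimal) -> tuple:
    """Foot the amount column and return (total, difference from ledger)."""
    total = sum(Decimal(r["amount"]) for r in rows)
    return total, total - control_total

def compare_files(rows: list, master: list) -> list:
    """Field comparison: sales rows whose customer code is absent from master."""
    codes = {m["customer"] for m in master}
    return [r["invoice"] for r in rows if r["customer"] not in codes]

def run_gas(sales_csv: str = SALES_CSV, customer_csv: str = CUSTOMER_CSV,
            control_total: Decimal = Decimal("1064.97")) -> dict:
    """Run all three tests; the default control total is an assumed
    ledger figure that the file overstates by the bad extension."""
    rows = list(csv.DictReader(io.StringIO(sales_csv)))
    master = list(csv.DictReader(io.StringIO(customer_csv)))
    total, diff = foot_and_balance(rows, control_total)
    return {"footed_total": total, "out_of_balance": diff,
            "bad_extensions": recalculate(rows),
            "unknown_customers": compare_files(rows, master)}

if __name__ == "__main__":
    print(run_gas())
```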
