Chapter Four Information Technology and Auditing

The document discusses IT auditing, including what an IT audit is, the purpose of IT audits, and different types of IT audits. It also covers planning an IT audit, including developing an audit plan, considering leading IT governance frameworks, and the content an audit plan should include. Finally, it discusses IT controls, categorizing them as general or application controls, and common frameworks used to assess controls.

Uploaded by abel habtamu

Chapter Four

• Role of Information Systems in control and audit functions.
• IT Based Auditing Tools.
• Audit and Control in an IT Environment.
4.1 What is IT Auditing?
• An information technology audit, or information
systems audit, is an examination of the
management controls within an Information
technology (IT) infrastructure. The evaluation of
obtained evidence determines if the information
systems are safeguarding assets, maintaining data
integrity, and operating effectively to achieve the
organization's goals or objectives. These
reviews may be performed in conjunction with
a financial statement audit, internal audit, or other
form of attestation engagement.
• Another definition for IT Audit can be "the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently."
The purpose of an IS audit is to review and provide feedback, assurances, and suggestions. The concerns it addresses can be grouped under three broad heads:

• 1. Availability: Will the information systems on which the business is heavily dependent be available to the business at all times when required? Are the systems well protected against all types of losses and disasters?
• 2. Confidentiality: Will the information in the systems be disclosed only to those who have a need to see and use it, and not to anyone else?
• 3. Integrity: Will the information provided by the systems always be accurate, reliable, and timely? What ensures that no unauthorized modification can be made to the data or the software in the systems?
• IT audits are also known
as "automated data
processing (ADP) audits"
and "computer audits".
They were formerly called
"electronic data processing
(EDP) audits".
Purpose of IT audits

• The purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
1.2 Types of IT audits

• Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:
• 1. Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product.
• 2. Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
• 3. Technological position audit: This audit reviews the
technologies that the business currently has and that it needs
to add. Technologies are characterized as being either "base",
"key", "pacing" or "emerging".
Others describe the spectrum of audits
with five categories of audit:
1. Systems and Applications: An audit to verify that systems and applications
are appropriate, are efficient, and are adequately controlled to ensure valid,
reliable, timely, and secure input, processing, and output at all levels of a
system's activity.
2. Information Processing Facilities: An audit to verify that the processing
facility is controlled to ensure timely, accurate, and efficient processing of
applications under normal and potentially disruptive conditions.
3. Systems Development: An audit to verify that the systems under
development meet the objectives of the organization and to ensure that the
systems are developed in accordance with generally accepted standards for
systems development.
4. Management of IT and Enterprise Architecture: An audit to verify that IT
management has developed an organizational structure and procedures to
ensure a controlled and efficient environment for information processing.
5. Client/Server, Telecommunications, Intranets, and Extranets:
An audit to verify that telecommunications controls are in place on
the client (computer receiving services), server, and on the network
connecting the clients and servers.
4.3 Elements of IT Audit
The major elements of IS audit can be broadly classified:

1. Physical and environmental review—This includes physical security, power supply, air conditioning, humidity control and other environmental factors.
2. System administration review—This includes security review of the operating systems, database management systems, all system administration procedures and compliance.
3. Application software review—The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business.
4. Network security review—Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
5. Business continuity review—This includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity plan.
6. Data integrity review—The purpose of this is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).
4.4 Planning IT Audit

• One of the main responsibilities and more difficult tasks of the Chief Audit Executives (CAEs) is to create the organization's audit plan. CAEs must establish risk-based plans on at least an annual basis to determine the priorities of the internal audit activity, which, in turn, should be consistent with the organization's goals and strategies.
4.5 IT Audit Plan Development Process

• Defining the annual audit plan should follow a systematic process to ensure all fundamental business aspects and IT-service support activities are understood and considered. Therefore, it is essential that the foundation for the plan be rooted in the organization's objectives, strategies, and business model.

A logical work-flow progression using a top-down approach to define the IT audit plan
Leading IT Governance Frameworks

• The plan should consider a leading IT governance framework, such as COBIT, the ISO 27002 Standard, or ITIL.
• COBIT has been a leading IT governance framework.
The IT Audit Plan Content
• The plan also should have different types of IT audits, for example:
• Integrated business process audits.
• Audits of IT processes (e.g., IT governance and strategy audits, as well
as audits of the organization’s project management efforts, software
development activities, policies and procedures, COBIT/ISO/ITIL processes,
and information security, incident management, change management, patch
management, and help desk activities).
• Business projects and IT initiative audits, including software development
life cycle (SDLC) reviews.
• Application control reviews.
• Technical infrastructure audits (e.g., demand management reviews,
performance reviews, database assessments, operating systems audits,
and operation analyses).
• Network reviews (e.g., network architecture reviews, penetration testing,
vulnerabilities assessments, and performance reviews).
To verify each audit provides appropriate coverage, auditors can incorporate the following elements as part of the audit:

• IT general controls, application controls, and infrastructure controls.
• Contributions to operational reviews, financial reviews, and compliance reviews.
• Main control objectives (i.e., segregation of duties, concentration of duties, and security, among others).
• New IT trends and their threats, innovations, and impact.
• All IT layers of the stack.
4.5 IT Controls
• An IT control is a procedure or policy that
provides a reasonable assurance that the
information technology (IT) used by an
organization operates as intended, that data
is reliable, and that the organization is
following applicable laws and regulations. IT
Controls can be categorized as either general
controls (ITGC) or application controls (ITAC).
Application Controls for Transaction Processing
• An IT general control should demonstrate that
the organization has a procedure or policy in
place for technology that affects the
management of fundamental organizational
processes such as risk management, change
management, disaster recovery and security. IT
application controls, which are actions that a
software application does automatically, should
demonstrate that software applications used for
specific business processes (such as payroll)
are properly maintained, are only used with
proper authorization, are monitored and are
creating audit trails.
IT control Frameworks

• Many frameworks exist for categorizing IT controls and their objectives. IT control frameworks include COBIT (Control Objectives for Information and Related Technology), ISO/IEC 17799: Code of Practice for Information Security Management and ITIL (Information Technology Infrastructure Library).
• Whatever framework an organization adopts, it uses the applicable components of existing frameworks to categorize and assess IT controls, and to provide and document its own framework for:
• Compliance with applicable regulations and
legislation.
• Consistency with the organization’s goals and
objectives.
• Reliable evidence (reasonable assurance) that
activities comply with management’s governance
policies and are consistent with the organization’s
risk appetite.
Key indicators of effective IT controls
include:
• The ability to execute and plan new work such as IT infrastructure
upgrades required to support new products and services.
• Development projects that are delivered on time and within budget,
resulting in cost-effective and better product and service offerings
compared to competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across
the organization and for customers, business partners, and other external
interfaces.
• Clear communication to management of key indicators of effective
controls.
• The ability to protect against new vulnerabilities and threats and to
recover from any disruption of IT services quickly and efficiently.
• The efficient use of a customer support center or help desk.
• Heightened security awareness on the part of the users and a security-
conscious culture throughout the organization.
Control Classifications
Classification based on Functionality

• Controls may be classified based on the functionality as preventive, detective, or corrective.
Preventive controls
• Prevent errors, omissions, or security
incidents from occurring. Examples include
simple data-entry edits that block alphabetic
characters from being entered into numeric
fields, access controls that protect sensitive
data or system resources from unauthorized
people, and complex and dynamic technical
controls such as antivirus software, firewalls,
and intrusion prevention systems.
Detective controls

• Detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities.

Corrective controls

• Correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.
Classification based on group
responsibilities
• For the purpose of assessing roles and
responsibilities, we categorize IT controls
as governance, management, and
technical. The first two levels—
governance and management — are the
core focus although it may also be useful
to understand how higher-level controls
specifically are established within the
technical IT infrastructures.
4.6 Information Security
• Information security is an integral part of all IT
controls. Information security applies to both
infrastructure and data and is the foundation
for the reliability of most other IT controls.
• The exceptions are controls relating to the
financial aspects of IT (e.g., ROI, budgetary
controls) and some project management
controls.
The universally accepted elements of information security
are:
• Confidentiality – Confidential information must only be
divulged as appropriate and must be protected from
unauthorized disclosure or interception. Confidentiality
includes privacy considerations.
• Integrity – Information integrity refers to the state of data as
being correct and complete. This specifically includes the
reliability of financial processing and reporting.
• Availability – Information must be available to the business,
its customers, and partners when, where, and in the manner
needed. Availability includes the ability to recover from losses,
disruption, or corruption of data and IT services, as well as
from a major disaster where the information was located.
IT Solution Readiness

• IT solutions have a natural development life cycle that includes a sequence of phases that must be followed in order to convert a management need into an IT system or application and to maintain the system in a controlled way. Typically, this sequence is referred to as a software life cycle (SLC) or software development life cycle (SDLC).
Information Systems Audits
• The purpose of an AIS audit is to review and evaluate the internal controls that protect the system.
• When performing an IS audit, auditors should ascertain that the following objectives are met:
1 Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.
2 Program development and acquisition is performed in accordance with management's general and specific authorization.
3 Program modifications have the authorization and approval of management.
4 Processing of transactions, files, reports, and other computer records is accurate and complete.
5 Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
6 Computer data files are accurate, complete, and confidential.
The Risk-Based Audit Approach….

• What is the four-step approach to internal control evaluation?
1 Determine the threats facing the AIS.
2 Identify the control procedures that should be in place to minimize each threat.
3 Evaluate the control procedures.
4 Evaluate weakness (errors and irregularities not covered by control procedures).
Framework for Audit of Computer Security
Some types of security errors and fraud:
– theft of, or accidental or intentional damage to, hardware and files
– loss, theft, or unauthorized access to programs or data files; or disclosure of confidential data
– unauthorized modification or use of programs and data files

Some types of control procedures:
– developing an information security/protection plan, and restricting physical and logical access
– encrypting data and protecting against viruses
– implementing firewalls
– instituting data transmission controls, and preventing and recovering from system failures or disasters

Some systems review audit procedures:
– inspecting computer sites
– interviewing personnel
– reviewing policies and procedures
– examining access logs, insurance policies, and the disaster recovery plan

Some tests of control audit procedures:
– observing procedures
– verifying that controls are in place and work as intended
– investigating errors or problems to ensure they were handled correctly
– examining any test previously performed
Framework for Audit of Program Development

Some systems review audit procedures:
– Independent and concurrent review of systems development process
– Systems review of development policies, authorization, and approval procedure
– Programming evaluation and documentation standards, and program testing and test approval procedures

Some tests of control audit procedures:
– User interviews about involvement in systems design and implementation
– Reviewing minutes of development team meetings for evidence of involvement
– Verifying management and user sign-off at milestone points in the development process
– Reviewing test specifications, data, and results

Some compensating controls:
– Strong processing controls
– Independent processing of test data by auditor
Framework for Audit of Program…
• Some types of errors and fraud:
– Inadvertent programming errors
– Unauthorized program code
• These are the same as in audit program development.
Framework for Audit of Program…
Some types of control procedures:
– Listing of program components that are to be
modified, and management authorization and
approval of programming modifications
– User approval of program changes
specifications
– Thorough testing of program changes,
including user acceptance test
Framework for Audit of Program…
Some systems review audit procedures:
– Reviewing program modification policies,
standards, and procedures
– Reviewing documentation standards for
program modification, program modification
testing, and test approval procedures
– Discussing systems development procedures
with management
Framework for Audit of Program…
Some tests of control audit procedures:
– Interviewing users about involvement in systems design
and implementation
– Reviewing minutes of development team meetings for
evidence of involvement
– Verifying management and user sign-off at milestone
points in the development process
– Reviewing test specifications, data, and results
Framework for Audit of Program…
• Some compensating controls:
– Strong processing controls
– Independent processing of test data by
auditor
• These are the same as in audit program
development.
Framework for Audit of Computer
Processing Controls
• Some types of errors and fraud:
– Failure to detect incorrect, incomplete or
unauthorized input data
– Failure to properly correct errors flagged by
data editing procedures
– Introduction of errors into files or databases
during updating
Framework for Audit of Computer…
• Some types of control procedures:
– Computer data editing routines
– Proper use of internal and external file labels
– Effective error correction procedures
– File change listings and summaries prepared
for user department review
Framework for Audit of Computer …
• Some systems review audit procedures:
– Review administrative documentation for
processing control standards
– Observe computer operations and data
control functions
– Review copies of error listings, batch total
reports and file change list
Framework for Audit of Computer …
• Some tests of control audit procedures:
– Evaluation of adequacy and completeness of
data editing controls
– Verify adherence to processing control
procedure by observing computer operations
and the data control function
– Trace disposition of a sample of errors flagged
by data edit routines to ensure proper handling
– Monitor on-line processing systems using
concurrent audit techniques
Framework for Audit of Computer …
• Some compensating controls:
– Strong user controls
– Effective source data controls
Framework for Audit of Source Data Controls
• Some types of errors and fraud:
– Inadequate source data
– Unauthorized source data
• Some types of control procedures:
– User authorization of source data input
– Effective handling of source data input by data control personnel
– Logging of the receipt, movement, and disposition of source data input
– Use of turnaround documents
Framework for Audit of Source …
• Some systems review audit procedures:
– Reviewing documentation for source data control standards
– Documenting accounting source data controls using an input control matrix
– Reviewing accounting systems documentation to identify source data content and processing steps and specific source data controls used.
• Some tests of control audit procedures:
– Observation and evaluation of data control department
– Reconciliation of a sample of batch totals and follow up on discrepancies
– Examination of samples of accounting source data for proper authorization
• Some compensating controls:
– Strong processing controls
– Strong user controls
Framework for Audit of Data File Controls

• Some types of errors and fraud:
– Unauthorized modification or disclosure of stored data
– Destruction of stored data due to inadvertent errors, hardware or software malfunctions and intentional acts of sabotage or vandalism

• Some types of control procedures:
– Concurrent update controls
– Proper use of file labels and write-control mechanisms
– Use of virus protection software
Framework for Audit of Data….
• Some systems review audit procedures:
– Examination of disaster recovery plan
– Discussion of data file control
procedures with systems managers and
operators
– Review of logical access policies and
procedures
– Review of documentation for functions
of file library operation
Framework for Audit of Data File Controls…..
• Some tests of control audit procedures:
– Observing and evaluating file library operations
– Review records of password assignment and
modification
– Observation of the preparation of off-site storage back-
up facilities
– Reconciliation of master file totals with separately
maintained control totals
• Some compensating controls:
– Effective computer security controls
– Strong user controls
– Strong processing controls
Computer Software
• A number of computer programs,
called computer audit software
(CAS) or generalized audit software
(GAS), have been written especially
for auditors.
• CAS is a computer program that,
based on the auditor’s
specifications, generates programs
that perform the audit functions.
Usage of Computer Software

• The auditor's first step is to decide on audit objectives, learn about the files to be audited, design the audit reports, and determine how to produce them.
• This information is recorded on specification sheets and entered into the system via a data entry program.
• This program creates specification records that the CAS uses to produce one or more auditing programs.
• The auditing programs process the source files and perform the auditing operations needed to produce the specified audit reports.
General Functions of Computer Audit Software
– Reformatting
– File manipulation
– Calculation
– Data selection
– Data analysis
– File processing
– Statistics
– Report generation
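The following is an added example, not code from the lecture notes or from any audit software product: a small generalized-audit-software style routine over constructed transaction data. It ties together three things the chapter describes, the data-edit routine (a preventive control, or substantive testing when the auditor runs it over live data), the detective check for postings to inactive accounts, and the batch-total reconciliation used as a test of processing and source data controls. The six-digit account number format, the user names and the control totals are assumptions.

```python
from dataclasses import dataclass

# Assumed chart-of-accounts convention for the constructed data: six-digit numeric account numbers.
ACCOUNT_NO_LENGTH = 6


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    batch_id: str
    account_no: str
    amount: float
    entered_by: str
    approved_by: str


# Constructed sample input; not real data.
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "B1", "100200", 500.00, "asmith", "bjones"),
    Transaction("T2", "B1", "100300", 750.00, "asmith", "bjones"),  # posts to an inactive account
    Transaction("T3", "B2", "10A400", 400.00, "cdoe", "cdoe"),      # bad account no., same enterer/approver
    Transaction("T4", "B2", "100500", 450.00, "cdoe", "bjones"),
    Transaction("T5", "B2", "100600", -50.00, "cdoe", "bjones"),    # non-positive amount
]
INACTIVE_ACCOUNTS = {"100300"}
# Control totals the user department recorded when each batch was submitted (constructed).
CONTROL_TOTALS = {"B1": 1250.00, "B2": 900.00}


def data_edit_exceptions(txns):
    """Data-edit routine: returns (txn_id, reason) for every field rule a record violates."""
    exceptions = []
    for t in txns:
        if not (t.account_no.isdigit() and len(t.account_no) == ACCOUNT_NO_LENGTH):
            exceptions.append((t.txn_id, "account number must be %d digits" % ACCOUNT_NO_LENGTH))
        if t.amount <= 0:
            exceptions.append((t.txn_id, "amount must be positive"))
        if t.entered_by == t.approved_by:  # segregation of duties
            exceptions.append((t.txn_id, "entered and approved by the same user"))
    return exceptions


def inactive_account_postings(txns, inactive_accounts):
    """Detective check: transactions posted to accounts flagged inactive."""
    return [t.txn_id for t in txns if t.account_no in inactive_accounts]


def reconcile_batch_totals(txns, control_totals):
    """Test of control: recompute each batch total and compare it with the recorded control total.

    Returns {batch_id: (computed, control, difference)} for mismatches only; a batch that has
    no recorded control total is itself an exception and is reported with control=None."""
    computed = {}
    for t in txns:
        computed[t.batch_id] = computed.get(t.batch_id, 0.0) + t.amount
    discrepancies = {}
    for batch_id in sorted(set(computed) | set(control_totals)):
        got = round(computed.get(batch_id, 0.0), 2)
        expected = control_totals.get(batch_id)
        if expected is None:
            discrepancies[batch_id] = (got, None, None)
        elif round(got - expected, 2) != 0:
            discrepancies[batch_id] = (got, expected, round(got - expected, 2))
    return discrepancies


def audit_report(txns, inactive_accounts, control_totals):
    """Report generation: one summary of all findings for the auditor to review."""
    return {
        "data_edit_exceptions": data_edit_exceptions(txns),
        "inactive_account_postings": inactive_account_postings(txns, inactive_accounts),
        "batch_total_discrepancies": reconcile_batch_totals(txns, control_totals),
    }


if __name__ == "__main__":
    for section, findings in audit_report(SAMPLE_TRANSACTIONS, INACTIVE_ACCOUNTS, CONTROL_TOTALS).items():
        print(section, findings)
```

On the constructed data the report flags T3 and T5 in the data-edit pass, T2 as a posting to an inactive account, and batch B2 as short by 100.00 against its control total.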
Operational Audits of an AIS
The techniques and procedures used in
operational audits are similar to those of IS
and financial audits.
• The basic difference is that the IS audit
scope is confined to internal controls,
whereas the financial audit scope is limited to
IS output.
• The operational audit scope encompasses all
aspects of IS management.
Operational Audits of an AIS
• Operational audit objectives include evaluating
effectiveness, efficiency, and goal achievement.
• What are some evidence collection activities?
– Reviewing operating policies and documentation
– Confirming procedures with management and
operating personnel
Operational Audits of an AIS
Evidence collection procedures, cont.
– Observing operating functions and
activities
– Examining financial and operating plans
and reports
– Testing the accuracy of operating
information
– Testing controls
How Information Technologies Enhance Internal Control

• Computer controls replace manual controls.
• Higher quality information is available.

Assessing Risks of Information Technologies

• IT can improve a company's internal controls; however, it can also affect the company's overall control risk.
• If IT systems fail, organizations can be paralyzed by the inability to retrieve information or by the use of unreliable information caused by processing errors.

Specific risks to IT systems include the following:

• Risks to hardware and data.
• Reduced audit trail.
• Need for IT experience and separation of IT duties.
The IT activities and resources must be mapped against the business-defined need in usage and information-based transactions.
Understanding IT Controls
A top-down approach is used when considering IT controls.

• IT control is a process that provides assurance for information and information services, and helps to mitigate risks associated with use of technology.
End of Chapter Four!!
