Information Systems Audit and Control Association

A Personal View of a World Class IT Auditing Function
By Allan R. Paliotta, CISA, CFE, CFSA

Perspective

In retrospect, the world moved from the agrarian age to the industrial age at a relatively leisurely pace. In contrast, the movement into the information age is occurring at breakneck, and often daredevil, speed, and the rate of change is accelerating. Rapid technological advances are occurring concurrently in multiple directions, and sometimes the technologies converge. E-commerce, the Internet, telecommunications, enterprise-wide applications, data analysis, data mining, data warehousing, image technologies, knowledge-based systems, programming methodologies and tools, chip technology, and mainframe versus client-server are just some of the technological issues that organizations are addressing. Of note, too, is that the primary focus of new technologies is initially on functionality; control and security issues generally tend to be addressed later. And all of this is occurring with one significant hurdle directly ahead: January 1, 2000.

Business must select from the constantly changing palette of technologies, sometimes just to survive, sometimes to seek competitive advantage, sometimes to achieve operational excellence, and other times to branch out into totally different arenas of operation. In today's world, information processing has become the business process upon which virtually all other business processes depend. In the Information Age, information assets can be as critical to an organization's success as its financial, physical and human resource assets, and, as such, also need to be safeguarded.

It is in this world of continual and accelerating change in business activities and in the supporting, and often enabling, technologies that the IT auditor must function. No longer can the focus be only on internal controls.
Mission of IT Auditing

Based on the concepts promulgated in "Internal Control - Integrated Framework" developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the mission of IT auditing could be defined as follows: Using appropriate technological tools and expertise, evaluate the adequacy and effectiveness of control systems addressed to the risks emanating from an organization's application of technology in support of its business objectives.

In my opinion, because of the continually changing nature of technology and the increasing dependence of businesses on it, I would expand the COSO-based definition of the IT auditing mission statement by adding the following: ...and proactively work with management to identify risks and control objectives in the application of emerging technologies in support of strategic objectives.

To accomplish this mission the IT auditors must:
- keep current with those leading-edge technologies being considered to support and enable business operations
- obtain an understanding of how new technology will relate to the business processes
- continually strive to transfer an understanding and appreciation of the risks and controls associated with current technology to the "business auditor" population, in order to back-fill audit coverage and permit the IT auditors to move forward and keep pace with constantly changing leading-edge technologies
- continually seek out technological audit tools to add to the toolkits of the IT and business auditors
- partner with, or at a minimum provide support and counsel to, the business auditors on the audit issues associated with the application systems that interface with the business processes undergoing audit review
- maintain open lines of communication with business and IT management to identify plans that call for the introduction of new technologies, and advise and support management regarding the risk/control environment relative to the application of such technologies
- provide advice and counsel to corporate computer policy and standards committees
- establish and maintain involvement with professional auditing organizations (such as ISACA, AICPA, IIA, ISSA) in order to share and validate concerns and solutions

The Methodology - Process Auditing

The Process Auditing methodology is based on top-down reviews of business processes (namely, Purchasing, Underwriting, Customer Service, Billing, Accounting, Sales, Information Processing) without regard to physical location or organizational structure. The goal is to provide management with an overall evaluation of the adequacy and effectiveness of controls over the process as a whole. Based on initial discussions with management, a primary focus of the process audit approach is on how management monitors and controls the process. The computer systems that interact with the business process should be included within the scope of a process audit, and the audit should include an evaluation of the availability, accessibility, integrity, completeness and security of the management, financial and operational information used to support and/or enable the process. The top-down approach permits the auditors to understand top management's perception of the purpose of the process, the critical success factors associated with the process, how the process is expected to function, and the information used to manage and control the process.
Process Auditing also takes into account the control elements included in the COSO report:
- Control Environment (that is, the "tone at the top"), often considered the "soft" controls
- Assessment of the major business Risks that could prevent an organization from achieving its objectives
- Control Activities, often considered the "hard" controls
- Management Information upon which decisions can be made
- Monitoring systems and procedures that have been put into place to detect anomalous patterns

Scope of IT Auditing based on Process Auditing

The following are the components of information processing from an IT auditing perspective. It is important to note that the components are applicable regardless of the hardware platform(s), software or systems development techniques utilized.

Computer Facility Management

Contingency Planning/Disaster Backup and Recovery - including the applicability to current and planned technological environments and business operations. As computer operations support clerical and management operations, the IT auditors should also play a role in the development of contingency plans for administrative operations.

Operating Systems Management - including access controls over system software libraries and the ability of systems programmers to function "above" the security software level.

Internal Telecommunications Management - including backbone networks, LANs and WANs. Bandwidth adequacy for current and future needs and single points of failure should be included.

External Telecommunications Management - including e-commerce, Internet-based connectivity, telephone-line-based portals, e-mail and firewalls.

Planning - including capacity planning and planning for new technologies (e.g., is business management sufficiently involved to assure that new technologies will support business requirements?).
Production and Problem Management - including change control, application and operating system reliability and availability, help desk/site support, and programmer access to the production environment in emergency situations.

Environment Management - including physical access to sensitive areas, protection of equipment, uninterruptible power supplies, and fire retardant/fighting equipment.

Computer Applications Management

Application Development/Maintenance - including project initiation/authorization, development methodologies, project costing, achievement of target dates, and user involvement.

Application systems audits - both pre- and post-implementation. Depending upon the level of technology used to support the application system, these audits could be led by either IT or business auditors and should include the involvement and perspectives of both organizations. The clerical processes that interact with the application should be included in the review.

Information Security Management - including a determination of whether responsibility and accountability for security over the enterprise's information assets have been established. (Note: Security concerns and threats should be included as part of both Facility and Applications Management audits, as appropriate. In addition, audits directed specifically to the Security Management process should be included within the scope of auditing.)

Operating System Level (Umbrella) security - including review of default settings; controls over the usage of powerful IDs (e.g., OPERATOR, SUPERUSER, ROOT), including changing default passwords; interrelationships with other system level software (e.g., RACF vs. CICS and TSO); access controls (e.g., password and ID controls such as comparison of IDs to Human Resource or Payroll files, disabling of IDs if intrusion attempts are detected, scheduled updating of passwords, and password construction rules); and programmer access controls.
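The umbrella-security checks just listed (comparison of IDs to the HR file, default passwords on powerful IDs, disabling of IDs after intrusion attempts, scheduled password updating, and password construction) can be run as a script over an account extract. The following is an added example written for this page, not the author's code or any product mentioned in the article. The account records, HR roster, default-password hashes, policy thresholds (90 days, 5 failed logins) and field names are all constructed assumptions; a real audit would read the OS account extract and the HR/Payroll file and take the thresholds from the corporate standard.

```python
"""Audit checks for operating system level (umbrella) security.

Added example, not from the article: it reconciles operating system user
IDs against an HR/Payroll roster and applies the password and lockout
controls the article lists. Every account, roster entry, default-password
hash, policy threshold and field name below is a constructed assumption
for this example, not data from any real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values; an auditor would take these from the corporate standard.
MAX_PASSWORD_AGE_DAYS = 90
LOCKOUT_THRESHOLD = 5
POWERFUL_IDS = {"OPERATOR", "SUPERUSER", "ROOT"}
# Assumed: known vendor default credentials, held as hashes to compare against.
DEFAULT_PASSWORD_HASHES = {"ROOT": "h:default-root", "OPERATOR": "h:default-oper"}


@dataclass(frozen=True)
class Account:
    user_id: str
    owner: Optional[str]      # HR employee number; None for system/service IDs
    password_hash: str
    password_set: date
    failed_logins: int        # consecutive failed attempts recorded by the OS
    disabled: bool


# Constructed sample data: active employees from HR/Payroll, and the OS account list.
HR_ACTIVE = {"E100", "E101", "E102"}
ACCOUNTS = [
    Account("jdoe", "E100", "h:1", date(2000, 1, 10), 0, False),
    Account("asmith", "E103", "h:2", date(2000, 1, 10), 0, False),   # E103 left the company
    Account("ROOT", None, "h:default-root", date(1998, 6, 1), 0, False),
    Account("OPERATOR", None, "h:9", date(1999, 8, 1), 12, False),
    Account("mlee", "E102", "h:3", date(1999, 9, 1), 0, False),
    Account("ghost", "E104", "h:4", date(1997, 1, 1), 0, True),      # already disabled
]
AS_OF = date(2000, 3, 1)


def audit_accounts(accounts, hr_active, as_of):
    """Return (user_id, finding_code, detail) tuples for every control exception."""
    findings = []
    for acct in accounts:
        if acct.disabled:
            continue  # a disabled ID cannot be used; nothing to report
        # Comparison of IDs to the HR file: owner no longer on the active roster.
        if acct.owner is not None and acct.owner not in hr_active:
            findings.append((acct.user_id, "orphaned",
                             f"owner {acct.owner} not in HR active roster"))
        # Powerful IDs still carrying the vendor default password.
        if (acct.user_id in POWERFUL_IDS
                and DEFAULT_PASSWORD_HASHES.get(acct.user_id) == acct.password_hash):
            findings.append((acct.user_id, "default_password",
                             "vendor default password unchanged"))
        # Scheduled updating of passwords.
        age = (as_of - acct.password_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.user_id, "password_expired",
                             f"password age {age} days > {MAX_PASSWORD_AGE_DAYS}"))
        # Disabling of IDs when intrusion attempts are detected.
        if acct.failed_logins >= LOCKOUT_THRESHOLD:
            findings.append((acct.user_id, "lockout_missed",
                             f"{acct.failed_logins} failed logins but ID still enabled"))
    return findings


def password_meets_construction_rules(user_id, password, min_length=8):
    """Assumed construction rule: minimum length, letters plus digits, user ID not embedded."""
    return (
        len(password) >= min_length
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and user_id.lower() not in password.lower()
    )


if __name__ == "__main__":
    for user_id, code, detail in audit_accounts(ACCOUNTS, HR_ACTIVE, AS_OF):
        print(f"{user_id:10} {code:18} {detail}")
```

Run stand-alone it prints one line per exception; on the constructed data that is the orphaned personal ID, the unchanged ROOT default, three stale passwords and the OPERATOR ID that has exceeded the lockout threshold without being disabled. Disabled IDs are skipped deliberately: the point of the HR comparison is to find IDs that can still be used by someone who should no longer have them.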
Application System Level security - including interconnectivity with umbrella security (the "security handshake"), functional limitations related to job responsibilities, and programmer access controls.

External Connectivity level - including perimeter security (e.g., user identification and authentication, user access limitations commensurate with access authorization), message authentication, encryption and firewalls.

Tracking Open Recommendations

While some audit recommendations and management action plans can be implemented immediately, most require time to modify processes and systems. To follow the progress being made on critical open control issues, a tracking mechanism that calls for the active monitoring of such items by IT management, the Controller's organization and Auditing helps to close the loop on open audit issues.

Ongoing Training/Professional Designations

Because of the constantly changing nature of information technology, ongoing training of the IT auditing staff is necessary in order to keep pace with emerging technologies. The acquisition of professional designations, such as CISA, CIA and CPA, helps to demonstrate to management (both IT and Audit) the quality of the staff members.

Cultivating an Increased Awareness and Appreciation of Technological Risks and Solutions

IT Auditing has a responsibility to increase the awareness of technological risk and control issues at the business auditor staff level as well as at the business and IT management level. As with anything new, technology brings risks along with the potential rewards. The IT auditors should help to educate the rest of the organization regarding these risks in order to assure that the implementation of new technologies will achieve the corporate objectives without placing the organization in an unacceptable risk position. Often, new technology can attract management like moths to a flame.
An ongoing IT auditing role should include alerting management to the potential risks of the flame and helping to assure that controls are put in place to keep the organization from getting burnt.

The views and opinions are those of the author and do not necessarily represent the views and opinions of KPMG LLP. The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.

Allan R. Paliotta, CISA, CFE, CFSA, is a senior manager in KPMG's Information Risk Management practice. Prior to this assignment, he was the officer-in-charge of MetLife's Special Investigation Unit and had been in charge of MetLife's Information Technology Auditing Division, two insurance auditing units, and a project manager in the system development organization. Paliotta earned his Bachelor of Arts degree in mathematics from Hunter College in New York and he has attended MIT's Center for Information Systems Research.

Information Systems Audit and Control Association

Software Development is Risky Business -- is Audit Ready?
by George R. Comrie, P.Eng., CDP, CMC

The ability to create and modify information systems quickly and reliably is critical to maintaining a company's competitive edge. The demands on software development departments are enormous. They must deliver higher volumes of feature-rich, error-free application software in shorter time frames and using fewer resources. This kind of pressure can easily lead to errors in the introduction of system changes and in the applications themselves. There are several steps, though, that can be taken to minimize the chance of mistakes and to protect an organization.

First of all, auditors should ask some basic questions. Can the organization afford a service outage due to a planned software change gone bad?
Does the development environment have the tools and processes to ensure the best possible quality control? How can auditors enforce standards and not impede turnaround times? What about the cost to do this?

Establishing and following a good software configuration management (SCM) process is the starting point for error avoidance. This process should take into consideration the entire life cycle of software applications, not just their development. Managing an application's components as each new release is created, packaged, distributed, installed and made obsolete is important. Particular attention should be given to security, division of responsibilities, approvals and audit trails. Once the desired process has been established, SCM software can be implemented to ensure process compliance, provide audit trails, automate manual tasks and guarantee the reproducibility of the applications. From management's perspective, an SCM system provides assurance that a company's mission-critical applications are not exposed to potential failure due to human error, staff turnover or sabotage.

In the development stage, version control is critical. Developers must work with "official" versions of sources and document the changes they make using the "check-out" and "check-in" facilities of the SCM tool. This ensures the proper audit trail for each change (who, what, when, etc.) is recorded in a secure system. As one would expect, this discipline adds some overhead to an otherwise uncontrolled development process; however, it facilitates location of the correct component versions and their change histories.

Gerben Wieringa, senior consultant in the information technology center/user services group of ING Bank in the Netherlands, says, "An SCM system helps enforce the organization of the development and maintenance process.
At first it is seen as difficult and inflexible, but eventually it becomes the way things should be done, because it reduces mistakes and improves the quality of the application. In using an SCM system, we relatively quickly got accustomed to fewer errors in the applications, and forgot how cumbersome the old situation sometimes could be. At the same time, the introduction of SCM didn't come without some trouble."

As software components are compiled and packaged into turnover packages or releases, the value of the SCM software becomes most evident. The ability to "lock" all components and their dependencies to a release is critical to the guaranteed reproducibility of an application. Changes to a component must be done using a new version, and must not override any [dependent] component that needs to be kept intact as part of the application. One problem is that most dependencies are not obvious because their references are hidden in the source files. Without an SCM tool that knows every dependency and locks them into the release, it is almost impossible to know if a source change is "safe" or not.

"SCM software is essential in managing our Tandem-based trading systems," said Chris Fojut of Andersen Consulting, who is in charge of change management for the trading and information systems at the London Stock Exchange. "The software we use is RMS - Revision Management System. We know with certainty how a release was put together and which components went in. With so many custom applications, it would be impractical to do this without the system."

It is important to understand the range of SCM software available and to recognize the limitations of some tools. Vendors with "source control" software sometimes claim to provide an "SCM solution".
To the unaware auditor or management group, using a "source version control" tool for mission-critical applications can be detrimental to application up-time if a disaster hits. This is because component dependencies are not typically tracked with "source" tools, and critical components may not be found when needed during an application failure. Critical components often are modified to accommodate new features and bug fixes, which may make it impossible to reproduce the release in its original form. A good SCM system will follow the chain of references and protect them from being changed by forcing the creation of a new version under proper security, with appropriate approvals and an audit trail. If reproducibility of a release is not guaranteed, additional downtime results while one tries to locate or repair the parts. This is even before any analysis can take place to fix the original problem.

Auditors should insist on having a separation of duties and an automated audit trail of software migration through each environment. As software migrates from development to test/QA to production, the security and access rules may have to change. A migration audit trail is an important feature, particularly for financial institutions, so that complete records are available when an external or internal audit is done. Gerben Wieringa says, "One of the main reasons we purchased SCM software was to obtain a separation of duties and of our environments." While software migration takes place, it also is convenient for management to have an audit trail of approvals. This traditionally has been done with paper; however, many SCM systems support electronic approvals, thereby improving efficiency and accuracy.

When preparing a cost analysis of SCM solutions, the main factor to consider is the cost to the organization of not having a system in place.
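The three SCM properties argued for above (locking every component and its hidden dependencies into a release, refusing in-place edits so the release stays reproducible, and a migration trail with separated requester and approver roles) fit in a small script. The block below is an added example written for this page; it is not code from the article, from RMS, or from any SCM product. The component contents, the dependency edges, the environment names and the user names are constructed assumptions, as is the rule that a release must pass through test before production.

```python
"""Release locking, reproducibility check and migration approvals.

Added example, not from the article or from any SCM product it mentions:
a release manifest that pins every component and the dependencies it pulls
in by content hash, a check that the locked release can still be
reproduced, and an append-only migration log that enforces separation of
duties and the development -> test -> production order. The component
contents, dependency edges, environment names and user names below are
constructed assumptions for this example.
"""
import hashlib

# Constructed sample: versioned components under control, keyed "name@version".
COMPONENTS = {
    "order.c@1": b'#include "money.h"\nint total(int q, int p) { return money_mul(q, p); }\n',
    "report.c@1": b'#include "money.h"\nint fmt(int c) { return money_fmt(c); }\n',
    "money.h@1": b"int money_mul(int, int);\nint money_fmt(int);\n",
    "money.h@2": b"long money_mul(long, long);\nint money_fmt(long);\n",  # new version; old kept intact
}
# Constructed sample: the dependencies that are otherwise hidden inside the source files.
DEPENDENCIES = {
    "order.c@1": ["money.h@1"],
    "report.c@1": ["money.h@1"],
}


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_release(name, components, dependencies, roots):
    """Lock the roots and every transitive dependency into a manifest of content hashes."""
    locked = {}
    pending = list(roots)
    while pending:
        comp = pending.pop()
        if comp in locked:
            continue
        if comp not in components:
            raise KeyError(f"{comp} is referenced but not under configuration control")
        locked[comp] = digest(components[comp])
        pending.extend(dependencies.get(comp, []))
    return {"release": name, "components": locked}


def verify_release(manifest, components):
    """Return the locked components that are missing or were modified in place."""
    drifted = []
    for comp, expected in manifest["components"].items():
        current = components.get(comp)
        if current is None or digest(current) != expected:
            drifted.append(comp)
    return sorted(drifted)


class MigrationLog:
    """Append-only audit trail of promotions between environments."""

    ORDER = ("development", "test", "production")

    def __init__(self):
        self.entries = []

    def _reached(self, release):
        """Index of the highest environment this release has been promoted to."""
        return max((self.ORDER.index(e["to"]) for e in self.entries
                    if e["release"] == release), default=0)

    def promote(self, manifest, components, to_env, requested_by, approved_by, when):
        release = manifest["release"]
        if requested_by == approved_by:
            raise PermissionError("separation of duties: the requester cannot approve the migration")
        target = self.ORDER.index(to_env)
        if target == 0:
            raise ValueError("development is the origin environment, not a promotion target")
        if target != self._reached(release) + 1:
            raise ValueError(f"{release} must be promoted to {self.ORDER[target - 1]} before {to_env}")
        drifted = verify_release(manifest, components)
        if drifted:
            raise ValueError(f"{release} is not reproducible; modified in place: {drifted}")
        entry = {
            "release": release, "to": to_env, "requested_by": requested_by,
            "approved_by": approved_by, "when": when,
            "components": dict(manifest["components"]),  # exactly what went in
        }
        self.entries.append(entry)
        return entry


if __name__ == "__main__":
    manifest = build_release("R1", COMPONENTS, DEPENDENCIES, ["order.c@1", "report.c@1"])
    print(sorted(manifest["components"]))
    log = MigrationLog()
    print(log.promote(manifest, COMPONENTS, "test", "dev1", "qa1", "2000-01-15")["to"])
```

Note that money.h@1 is locked into the release even though it was never named as a root; that is the hidden-dependency case from the text. A source-only tool lets someone overwrite money.h@1 in place; here that shows up as drift in verify_release, and promote refuses to move a release that can no longer be reproduced. The log entry records the component hashes as well as who requested and who approved, which is the record an external or internal audit would ask for.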
Just look at the numerous application failures found in the news lately (and the many not reported) for justification. These examples include hours of downtime for on-line brokers, bank ATM networks, telephone company networks, retail point-of-sale networks and many other mission-critical business operations. Application outages can't always be prevented, but at least with a good SCM solution an organization has the best chance to recover from an unsuccessful change.

George Comrie is a graduate and former academic staff member of the University of Toronto's Department of Industrial Engineering, where he specialized in information systems. His extensive IT industry experience includes management of an operational police information center with strict uptime and security requirements, as well as several years of management consulting. For the past 10 years he has focused on configuration management as president of Data Design Systems Inc., a Toronto-based supplier of enterprise SCM tools and services.

Information Systems Audit and Control Association

A Comparison of Internal Controls: COBIT, SAC, COSO and SAS 55/78
By: Janet L. Colbert, Ph.D., CPA, CIA and Paul L. Bowen, Ph.D., CPA

In recent years, increased attention has been devoted to internal control by auditors, managers, accountants, and legislators. Five recently issued documents are the result of continuing efforts to define, assess, report on, and improve internal control.
They are: the Information Systems Audit and Control Foundation's COBIT (Control Objectives for Information and related Technology); the Institute of Internal Auditors Research Foundation's Systems Auditability and Control (SAC); the Committee of Sponsoring Organizations of the Treadway Commission's Internal Control - Integrated Framework (COSO); and the American Institute of Certified Public Accountants' Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55), as amended by Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS 55 (SAS 78).

COBIT (1996) is a framework providing a tool for business process owners to efficiently and effectively discharge their IS control responsibilities. SAC (1991, revised 1994) offers assistance to internal auditors on the control and audit of information systems and technology. COSO (1992) makes recommendations to management on how to evaluate, report, and improve control systems. SASs 55 (1988b) and 78 (1995) provide guidance to external auditors regarding the impact of internal control on planning and performing an audit of an organization's financial statements.

Because different bodies developed the documents to address the specific needs of their own audiences, some disparities may exist. Nevertheless, each document focuses on internal control, and each audience, i.e., internal auditors, management, and external auditors, devotes much time and effort toward establishing or evaluating internal controls. Therefore, comparing the internal control concepts presented in these documents is of interest to members of all three audiences.

A comparison of the five documents reveals that each builds on the contributions of the previous documents. COBIT incorporates as part of its source documents both COSO and SAC. It takes its definition of control from COSO and its definition of IT control objectives from SAC.
SAC embodies the internal control concepts developed in SAS 55, COSO uses the internal control concepts in both SAS 55 and SAC, and SAS 78 amends SAS 55 to reflect the contributions to internal control concepts made by COSO. In particular, SAS 78 responds to the Winters and Guy (1992) call for a reconciliation of the internal control concepts presented in the COSO report and SAS 55.

This article summarizes the four documents (SAS 55/78 are combined) and compares the internal control concepts presented in each. The following table notes the major issues presented.

Comparison of Control Concepts

|                               | COBIT                                                                                                                                                  | SAC                                                                                                  | COSO                                                                                                                 | SAS 55/78                                                                                                              |
| Primary audience              | Management, users, information systems auditors                                                                                                         | Internal auditors                                                                                    | Management                                                                                                           | External auditors                                                                                                      |
| IC viewed as                  | Set of processes including policies, procedures, practices, and organizational structures                                                               | Set of processes, subsystems, and people                                                             | Process                                                                                                              | Process                                                                                                                |
| IC objectives                 | Effective and efficient operations; confidentiality, integrity and availability of information; reliable financial reporting; compliance with laws and regulations | Effective and efficient operations; reliable financial reporting; compliance with laws and regulations | Effective and efficient operations; reliable financial reporting; compliance with laws and regulations               | Reliable financial reporting; effective and efficient operations; compliance with laws and regulations                 |
| Components or domains         | Domains: planning and organization; acquisition and implementation; delivery and support; monitoring                                                    | Components: control environment; manual and automated systems; control procedures                    | Components: control environment; risk management; control activities; information and communication; monitoring     | Components: control environment; risk assessment; control activities; information and communication; monitoring       |
| Focus                         | Information technology                                                                                                                                  | Information technology                                                                               | Overall entity                                                                                                       | Financial statements                                                                                                   |
| IC effectiveness evaluated    | For a period of time                                                                                                                                    | For a period of time                                                                                 | At a point in time                                                                                                   | For a period of time                                                                                                   |
| Responsibility for IC system  | Management                                                                                                                                              | Management                                                                                           | Management                                                                                                           | Management                                                                                                             |
| Size                          | 187 pages in four documents                                                                                                                             | 1193 pages in 12 modules                                                                             | 353 pages in four volumes                                                                                            | 68 pages in two documents                                                                                              |

Summaries of the Documents

COBIT: Control Objectives for Information and related Technology

The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT) to serve as a framework of generally applicable IS security and control practices for information technology control. (The report can be ordered from ISACA by phone or mail.) The COBIT framework allows management to benchmark the security and control practices of IT environments, allows users of IT services to be assured that adequate security and control exist, and allows auditors to substantiate their opinions on internal control and to advise on IT security and control matters. The primary motivation for providing this framework was to enable the development of clear policy and good practices for IT control throughout industry worldwide. The completed phase of the COBIT project provides an Executive Summary, a Framework for control of IT, a list of Control Objectives, and a set of Audit Guidelines. (The control objectives and audit guidelines are referenced to the framework.) Future phases of the project will provide self-assessment guidelines for management, identify new or updated control objectives through incorporation of other identified global control standards, add control guidelines, and identify key performance indicators.
Definition: COBIT adapted its definition of control from COSO: the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. COBIT adapts its definition of an IT control objective from SAC: a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. COBIT emphasizes the role and impact of IT controls as they relate to business processes. The document outlines platform- and application-independent IT control objectives.

IT Resources: COBIT classifies IT resources as data, application systems, technology, facilities, and people. Data is defined in its widest sense and includes not only numbers, text, and dates but objects such as graphics and sound. Application systems are understood to be the sum of manual and programmed procedures. Technology refers to hardware, operating systems, networking equipment, and the like. Facilities are the resources used to house and support information systems. People addresses individuals' skills and abilities to plan, organize, acquire, deliver, support, and monitor information systems and services.

Requirements: To satisfy business objectives, information needs to conform to certain criteria, which COBIT refers to as business requirements for information. COBIT combines the principles embedded in existing reference models in three broad categories: quality, fiduciary responsibility and security. From these broad requirements, the report extracts seven overlapping categories of criteria for evaluating how well IT resources are meeting business requirements for information.
These criteria are effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information.

Process and Domains: Based on analysis of the Information Technology Infrastructure Library (ITIL) IT management practices, a UK document, COBIT classifies IT processes into four domains: (1) planning and organization, (2) acquisition and implementation, (3) delivery and support, and (4) monitoring. The natural grouping of processes into domains is often confirmed as responsibility domains in an organizational structure and follows the management cycle or life cycle applicable to IT processes in any IT environment. The Exhibit illustrates the relationship between IT resources and the four IT process domains and lists 32 individual IT processes within the four domains.

COBIT presents a framework of control for business process owners. Increasingly, management is fully empowered with complete responsibility and authority for business processes. COBIT includes definitions of both internal control and IT control objectives, four domains of processes and 32 high-level control statements for those processes, 271 control objectives referenced to those 32 processes, and audit guidelines linked to the control objectives.

Framework: The COBIT framework provides high-level control statements for particular IT processes. The framework identifies the business need satisfied by the control statement, identifies the IT resources managed by the process, states the enabling controls and lists the major applicable control objectives.

SAC Report

The SAC report defines the system of internal control, describes its components, provides several classifications of controls, describes control objectives and risks, and defines the internal auditor's role.
The report provides guidance on using, managing, and protecting information technology resources and discusses the effects of end-user computing, telecommunications, and emerging technologies.

Definition: The SAC report defines a system of internal control as: a set of processes, functions, activities, subsystems, and people who are grouped together or consciously segregated to ensure the effective achievement of objectives and goals. The report emphasizes the role and impact of computerized information systems on the system of internal controls. It stresses the need to assess risks, to weigh costs and benefits, and to build controls into systems rather than add them after implementation.

Components: The system of internal control consists of three components: the control environment, manual and automated systems, and control procedures. The control environment includes organization structure, control framework, policies and procedures, and external influences. Automated systems consist of systems and application software. SAC discusses the control risks associated with end-user and departmental systems but neither describes nor defines manual systems. Control procedures consist of general, application, and compensating controls.

Classifications: SAC provides five classification schemes for internal controls in information systems: (1) preventive, detective, and corrective; (2) discretionary and non-discretionary; (3) voluntary and mandated; (4) manual and automated; and (5) application and general controls. These schemes focus on when the control is applied, whether the control can be bypassed, who imposes the need for the control, how the control is implemented, and where in the software the control is implemented.

Control Objectives and Risks: Risks include fraud, errors, business interruptions, and inefficient and ineffective use of resources. Control objectives reduce these risks and assure information integrity, security, and compliance.
Information integrity is guarded by input, processing, output, and software quality controls. Security measures include data, physical, and program security controls. Compliance controls ensure conformance with laws and regulations, accounting and auditing standards, and internal policies and procedures.

Internal Auditor's Role: Responsibilities of internal auditors include ensuring the adequacy of the system of internal control, the reliability of data, and the efficient use of the organization's resources. Internal auditors are also concerned with preventing and detecting fraud, and coordinating activities with external auditors. The integration of audit and information system skills and an understanding of the impact of information technology on the audit process are necessary for internal auditors. These professionals now perform financial, operational and information systems audits.

COSO Report

The COSO report defines internal control, describes its components, and provides criteria against which control systems can be evaluated. The report offers guidance for public reporting on internal control and provides materials that management, auditors, and others can use to evaluate an internal control system. Two major goals of the report are to (1) establish a common definition of internal control that serves many different parties, and (2) provide a standard against which organizations can assess their control systems and determine how to improve them.

Definition: The COSO report defines internal control as: a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.
The report emphasizes that the internal control system is a tool of, but not a substitute for, management and that controls should be built into, rather than built onto, operating activities. Although the report defines internal control as a process, it recommends evaluating the effectiveness of internal control as of a point in time.

Components: The internal control system consists of five interrelated components: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring.

The control environment provides the foundation for the other components. It encompasses such factors as management's philosophy and operating style, human resource policies and practices, the integrity and ethical values of employees, the organizational structure, and the attention and direction of the board of directors. The COSO report provides guidance for evaluating each of these factors. For example, management's philosophy and operating style can be assessed by examining the nature of the business risks management accepts, the frequency of their interaction with subordinates, and their attitudes toward financial reporting.

Risk assessment consists of risk identification and risk analysis. Risk identification includes examining external factors such as technological developments, competition, and economic changes, and internal factors such as personnel quality, the nature of the entity's activities, and the characteristics of information system processing. Risk analysis involves estimating the significance of the risk, assessing the likelihood of the risk occurring, and considering how to manage the risk.

Control activities consist of the policies and procedures that ensure employees carry out management directives. Control activities include reviews of the control system, physical controls, segregation of duties, and information system controls.
Controls over information systems include general controls and application controls. General controls are those covering access, software, and system development. Application controls are those which prevent errors from entering the system or detect and correct errors present in the system.

The entity obtains pertinent information and communicates it throughout the organization. The information system identifies, captures, and reports financial and operating information that is useful to control the organization's activities. Within the organization, personnel must receive the message that they must understand their roles in the internal control system, take their internal control responsibilities seriously, and, if necessary, report problems to higher levels of management. Outside the entity, individuals and organizations supplying or receiving goods or services must receive the message that the entity will not tolerate improper actions.

Management monitors the control system by reviewing the output generated by regular control activities and by conducting special evaluations. Regular control activities include comparing physical assets with recorded data, training seminars, and examinations by internal and external auditors. Special evaluations can be of varying scope and frequency. Deficiencies found during regular control activities are usually reported to the supervisor in charge; deficiencies located during special evaluations are normally communicated to higher levels of the organization.

Other Concepts: The COSO report addresses the limitations of an internal control system and the roles and responsibilities of the parties that affect a system. Limitations include faulty human judgment, misunderstanding of instructions, errors, management override, collusion, and cost versus benefit considerations.
The COSO report defines deficiencies as "conditions within an internal control system worthy of attention." Deficiencies should be reported to the person responsible for the activity and to management at least one level above the individual responsible. An internal control system is judged to be effective if the five components are present and functioning effectively for operations, financial reporting, and compliance.

SASs 55 and 78: Statements on Auditing Standards

SASs 55 and 78 define internal control, describe its components, and provide guidance on the impact of controls when planning and performing financial statement audits.

Definition: SAS 78 replaces the definition of the internal control structure in SAS 55 with that of internal control in the COSO report, except that SAS 78 emphasizes the reliability of financial reporting objective by placing it first. That is, SAS 78 defines internal control as: a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: reliability of financial reporting; effectiveness and efficiency of operations; and compliance with applicable laws and regulations. Although SAS 78 retains the operational and compliance objectives in its definition of internal control, SASs 55 and 78 focus on controls that affect the examination of the reliability of an entity's financial reporting.

Components: SAS 78 replaces the three elements of the internal control structure in SAS 55 (the control environment, the accounting system, and control procedures) with the five components of the internal control system presented in COSO (control environment, risk assessment, control activities, information and communication, and monitoring).

Impact: SASs 55 and 78 require the external auditor to perform procedures to obtain a sufficient understanding of each of the five components to plan the audit.
That is, the external auditor must understand the design of the entity's policies and procedures and whether the design has been placed in operation. Because they are rendering an opinion on financial statements which cover a period of time, external auditors are interested in controls affecting the capture and processing of financial information for the entire period. External auditors must report any significant internal control deficiencies that could affect financial reporting to the audit committee (SAS 60, AICPA, 1988a). At their discretion, external auditors may also communicate other control matters to the entity, e.g., opportunities to improve the accounts receivable system.

Comparison of COBIT, SAC, COSO and SASs 55/78

COBIT, SAC, COSO and SASs 55/78 define internal control, describe its components and provide evaluation tools. SAC, COSO and SASs 55/78 also suggest ways of reporting internal control problems. COBIT additionally provides a comprehensive framework facilitating analysis and communication of internal control issues. This section contrasts the contributions the individual documents make to each of these areas.

Definitions: Although the five control definitions contain essentially the same concepts, the emphases are somewhat different. COBIT views internal control as a process which includes policies, procedures, practices and organizational structures that support business processes and objectives. SAC emphasizes that internal control is a system, i.e., that internal control is a set of functions, subsystems, and people and their interrelationships. COSO accentuates internal control as a process, i.e., internal control should be an integrated part of ongoing business activities. Although they use the same definition as COSO, SASs 55/78 emphasize the reliability of financial reporting objective. People are part of the system of internal control.
COBIT classifies people (defined as staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services) as one of the primary resources managed by various information technology processes. The involvement of people has become more explicit as the documents have evolved. SAC explicitly identifies people as an integral part of the internal control system. COSO and SASs 55/78 note that the people involved with internal control are members of the board of directors, management, or other entity personnel. The documents agree that management is the party responsible for establishing, maintaining, and monitoring the system of internal control.

All four documents stress the concept of reasonable assurance as it relates to internal control. Internal control does not guarantee that the entity will achieve its objectives or even remain in business. Rather, internal control is designed to provide management with reasonable assurance regarding the achievement of objectives. The documents also acknowledge that there are inherent limitations to internal control and that, because of cost/benefit considerations, not all possible controls will be implemented. Inherent limitations may cause internal controls to be less effective than planned.

In presenting the definitions of internal control, the documents assume the entity has established objectives for its operations. COBIT establishes the premise that these objectives are supported by business processes. These processes, in turn, are supported by information provided through the use of information technology resources. Business requirements for that information are satisfied only through adequate control measures. SAC states that achieving the entity's objectives should be done effectively and stresses that objectives should be translated into measurable goals. COSO categorizes objectives as operational, financial reporting, and compliance.
While SAC and COSO are concerned with objectives in all three categories, SASs 55/78 restrict their attention primarily to financial reporting objectives.

Components: The SAC report describes three components of the system of internal control. The COSO report discusses five components. SAS 78 revises SAS 55 to embrace COSO's five components. COBIT incorporates the five components discussed in the COSO report and focuses them within the information technology internal control environment. COBIT's design bridges the gap between the broader business control models such as COSO and the highly technical information systems control models available worldwide. Although the documents may appear to differ in their approaches to controls, further study reveals many similarities.

COBIT, SAC, COSO and SAS 78 all include the control environment as a component and discuss essentially the same concepts. Factors impacting the control environment include the integrity and ethical values of management, the competence of personnel, management philosophy and operating style, how authority and responsibilities are assigned, and the guidance provided by the board of directors. COBIT weaves the implications of the control environment into all applicable control objectives. It categorizes the processes within planning and organization, acquisition and implementation, delivery and support, and monitoring. It also speaks to the control environment wherever appropriate. SAC divides the control environment into fewer categories, is more oriented to information systems, and includes ideas as part of the control environment that the other three documents discuss as part of another component. In most areas, internal control concepts develop from SAS 55 (1988) to SAC (1991, 1994) to COSO (1992) to SAS 78 (1995) to COBIT (1996).
COSO and SASs 55/78 use a larger number of categories of environment concepts and therefore make the control environment well defined. The increased emphasis of COSO on the competence, integrity, and ethics of entity personnel is reflected in the amendments to SAS 55 made by SAS 78.

Information and Communication Systems: COBIT, SAC, COSO, and SASs 55/78 differ in their focus and depth of treatment of information systems. COBIT's exclusive focus is the establishment of a reference framework for security and control in information technology. It defines a clear linkage between information systems controls and business objectives. In addition, it provides globally validated control objectives for each information technology process, which gives pragmatic control guidance to all interested parties. COBIT also provides a vehicle to facilitate communications among management, users and auditors regarding information systems controls.

SAC focuses on automated information systems. The document examines the interrelationships among internal control and systems software, application systems, and end-user and departmental systems. Systems software provides the operating system, telecommunications, data management, and other utility functions required by application systems. Application systems include the entity's business, financial, and operational (e.g., human resource, accounts receivable, and production scheduling, respectively) systems. End-user and departmental systems serve the needs of specific groups of users. Many of the volumes of the SAC report provide guidance on the internal control needed in each of these areas.

COSO discusses both information and communication. In its discussion of information, COSO reviews the need to capture pertinent internal and external information, the potential of strategic and integrated systems, and the need for data quality.
The discussion of communication focuses on conveying internal control matters and on gathering competitive, economic, and legislative information. SAS 55 as amended by SAS 78 is more abbreviated than the other documents; it outlines the objectives of an accounting system and summarizes the COSO material.

Control Activities: COBIT and SAC examine control procedures relative to an entity's automated information system; COSO and SASs 55/78 discuss the control procedures and activities used throughout an entity. COBIT classifies controls into 32 processes naturally grouped into four domains applicable to any information processing environment. SAC uses five different classification schemes for IS control procedures. COSO and SASs 55/78 use only one classification scheme for information system (IS) control procedures. COSO's discussion of control activities stresses who performs the activities and operational rather than financial reporting objectives. COSO also emphasizes the desirability of integrating control activities with risk assessment. SAS 78 replaces SAS 55's list of control procedures with an abbreviated list of COSO's control activities. In contrast to COSO, SASs 55/78 contain little discussion of these activities.

Risk Assessment: COSO and SAS 78 identify risk assessment as an important component of internal control. COBIT identifies a process within the information technology environment for assessing risks. This particular process falls into the planning and organization domain and has six specific control objectives associated with it. Although risk assessment is not an explicit component of SAC's system of internal control, the document contains extensive discussions of risk. SASs 55/78 categorize risk into inherent risk, control risk, and detection risk.
External auditors understand, test, and assess controls relative to the risk of material misstatements in the financial statements, i.e., relative to the risk of failing to achieve financial reporting objectives. Because they cannot directly alter internal controls, external auditors adjust acceptable detection risk inversely to their assessment of control risk.

COBIT addresses, in depth, several components of risk assessment in an information technology environment. These include business risk assessment, the risk assessment approach, risk identification, risk measurement, the risk action plan and risk acceptance. It deals directly with information technology types of risk such as technology, security, continuity and regulatory risks. Additionally, it addresses risk from both a global and a system-specific perspective.

The risk concepts presented in SAC and COSO are similar. In addition to the risk of failing to meet financial reporting objectives, SAC and COSO address the risks of failing to meet compliance and, especially, operational objectives. COSO discusses identification of external and internal risks to the entire entity and to individual activities. COSO also considers management's analysis of risk: estimating the significance of a risk, assessing its probability of occurrence, and considering how to manage the risk. SAC examines risks to the automated information system. SAC provides a detailed analysis of IS risks and explores how each of these risks could be mitigated. SAC and COSO emphasize cost/benefit considerations, the need to interrelate entity objectives and controls, the ongoing nature of risk identification and assessment, and management's ability to adjust the entity's internal control system. SASs 55/78 say little about operational or compliance risk.
Monitoring: In contrast to COBIT, COSO and SASs 55/78, SAC does not explicitly include monitoring as a component of the system of internal control. All the documents assign management the responsibility of ensuring that controls continue to operate properly. COBIT addresses management's responsibility to monitor all information technology processes and the need to obtain independent assurance on controls. It classifies monitoring as a domain, in line with the management cycle. SAC recognizes internal auditors' responsibilities to select areas of information technology where independent review can yield the greatest benefits and to test controls for evidence of ongoing compliance and effectiveness. Because internal controls should and do evolve over time, COSO recognizes the need for management to monitor the entire internal control system through the ongoing activities built into the control system itself and through special evaluations directed at specific activities or areas. While SAC and COSO share the same (internal) perspective, COSO discusses monitoring activities in broad terms and SAC discusses specific monitoring activities that should be performed by or within the entity's automated information systems. COBIT, in a like but more in-depth fashion, defines specific monitoring requirements and responsibilities within the information technology function. SAS 55, as amended by SAS 78, presents an abbreviated version of the COSO material that emphasizes the financial reporting objective.
Some ongoing monitoring by the external auditor is implied by the assumption that auditors use knowledge obtained through previous audits of the entity.

Reporting Internal Control Problems

As a framework, COBIT provides the definition of controls and the control objectives for specific information technology processes. Similar to COSO, COBIT assumes that reports of internal control problems are available to the responsible business process owner from a variety of sources. These can range from control self-assessment to external audit reviews, all conducted using the COBIT framework. SAC assigns internal auditors the responsibility of evaluating whether appropriate controls are in place and whether these controls are functioning as designed. Internal auditors submit the results of their financial, operational, and information system audits to management and the audit committee. They should articulate the costs and benefits of proposed changes to remedy deficiencies in the system of internal controls.

COSO discusses how management collects and disseminates information about internal control deficiencies. Management may learn of deficiencies through reports generated by the internal control system itself, evaluations performed by management or internal auditors, or communications from external parties such as customers, regulators, or external auditors. Management wants information regarding any deficiency that could affect the entity's ability to achieve its operational, financial reporting, or compliance objectives. COSO recommends that entity personnel report deficiencies to immediate supervisors and to management at least one level above the directly responsible person. Separate communication channels should exist for reporting sensitive information.

SASs 55 and 78 focus on the relationship between internal controls and planning an audit of financial statements.
SAS 60, Communication of Internal Control Structure Matters Noted in an Audit (as amended by Appendix C of SAS 78), provides guidance to external auditors concerning reporting internal control problems found during a financial statement audit. SAS 60 requires auditors to report to the audit committee significant deficiencies which could affect the entity's financial reporting ability. Auditors may report other problems or improvement opportunities to management.

Period of Time versus Point in Time

COBIT is a model framework. It supports evaluations as either point in time or period of time, depending on the reviewer's preference. Although SAC does not explicitly state whether internal control effectiveness should be evaluated at a point in time or for a period of time, it appears more supportive of period-of-time evaluations. For example, SAC speaks of ensuring the reliability of financial and operating data, describes using embedded audit modules to continuously monitor and analyze transactions, and recommends employing change controls to ensure the stability of application and systems software. Although COSO stresses internal control as a process, the report states that internal control effectiveness is a state or condition of the process at a point in time. If internal control deficiencies have been corrected as of the reporting date, COSO approves management reports to external parties that describe internal control as being effective. SASs 55 and 78 state that external auditors should evaluate the consistency with which controls were applied during the audit period. The Standards caution auditors to supplement tests of controls that pertain only to a point in time with procedures that provide evidence about control effectiveness for the entire audit period.

Tools

COBIT provides explicit guidance for all 32 of the processes it defines.
This guidance takes the form of over 250 control objectives. It further provides navigation aids which users, depending on their particular perspective, can use to organize and categorize control objectives according to IT processes, information criteria or IT resource views of controls. SAC provides detailed guidance about the controls needed in the development, implementation, and operation of automated information systems throughout most of its 12 modules. In particular, many modules contain sections on the risks and controls associated with the topics discussed in that module. The COSO report provides the reader with tools which may be used to evaluate the system of internal control. An entire volume is devoted to suggested forms for use in examining controls and to samples of completed forms. While SASs 55/78 themselves do not present forms or tools to use in control evaluation, the companion Audit Guide, Consideration of the Internal Control Structure in a Financial Statement Audit, does. The Guide provides extensive examples of documentation of the understanding of internal control and the assessment of control risk for three companies of varying sizes and characteristics. In addition, the main body of the Guide discusses the evaluation of internal control and the related documentation at length.

Conclusion

Internal and external pressures motivate the accounting and management professions to continue to develop and refine internal control concepts. This article summarizes and compares important documents resulting from these efforts: COBIT, SAC, COSO, and SASs 55 and 78. COBIT is a globally validated collection of control objectives, organized into processes and domains and linked to business requirements for information. SAC offers detailed guidance about the effects of various aspects of information technology on the system of internal controls.
COSO presents a common definition of internal control and emphasizes that internal controls help organizations achieve effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. The document provides guidance on assessing control systems, reporting publicly on internal control, and conducting evaluations of control systems. SAS 55, as amended by SAS 78, adopts COSO's five components of internal control, discusses the effect of the entity's internal control on planning and performing a financial statement audit, and addresses the relationship between internal controls and control risk.

COBIT, COSO, SAC and SASs 55/78 contain many of the same internal control concepts; indeed, later documents build on internal control concepts developed in earlier ones. The documents differ in the audience addressed, the purpose of the document, and the level of detail of guidance provided. Although other parties will find each of the documents useful, COBIT is directed to three distinct audiences: management, users and information systems auditors; SAC is primarily addressed to internal auditors; COSO to managers and boards of directors; and SASs 55 and 78 to external auditors. COBIT is focused exclusively on controls over information technology in support of business objectives. SAC stresses information technology, COSO provides a broad, entity-level view, and SASs 55 and 78 focus on financial statement audits. SAC and COSO are self-contained documents. SASs 55 and 78 are part of a set of standards. The four documents complement and support one another. SAC, COSO, and SASs 55/78 are useful to the primary audiences of the other documents, to legislators, to stakeholders, and to others interested in understanding or improving internal control.

Endnotes

American Institute of Certified Public Accountants (AICPA). 1983. Audit Risk and Materiality in Conducting an Audit (SAS 47).
American Institute of Certified Public Accountants (AICPA). 1988a. Communication of Internal Control Structure Related Matters Noted in an Audit (SAS 60).
American Institute of Certified Public Accountants (AICPA). 1988b. Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55).
American Institute of Certified Public Accountants (AICPA). 1990. Consideration of the Internal Control Structure in a Financial Statement Audit (Audit Guide for SAS 55).
American Institute of Certified Public Accountants (AICPA). 1993. Reporting on an Entity's Internal Control Structure over Financial Reporting (Statement on Standards for Attestation Engagements 2).
American Institute of Certified Public Accountants (AICPA). 1995. "Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS No. 55" (SAS 78).
Committee of Sponsoring Organizations of the Treadway Commission (CSOTC). 1992. Internal Control - Integrated Framework (COSO Report).
Information Systems Audit and Control Foundation (ISACF). 1995. COBIT: Control Objectives for Information and related Technology.
Institute of Internal Auditors Research Foundation (IIARF). 1991, revised 1994. Systems Auditability and Control (SAC Report).
Winters, A.J., and D.M. Guy. 1992. Internal Control: Progress and Perils. Proceedings of the 1992 Deloitte & Touche/University of Kansas Symposium on Auditing Problems, pp. 177-191.

Janet L. Colbert, Ph.D., CPA, CIA, is the Meany-Holland professor of accounting at Western Kentucky University in Bowling Green, KY, USA. Paul L. Bowen, Ph.D., CPA, is a lecturer in the department of commerce at the University of Queensland in Brisbane, Queensland, Australia.

Methodology of Internal Auditing (Metodología de la Auditoría Interna)

C.P. Fernando Vera Smith, Audit Manager at Teléfonos de México and past president of the Instituto Mexicano de Auditores Internos, A.C.

1. THE SCIENTIFIC METHOD AND INTERNAL AUDITING
TYPES OF KNOWLEDGE

The purpose of internal auditing is to serve management by evaluating whether an organization, function or program has been administered economically, efficiently and effectively. To achieve this purpose, it needs to know a series of facts and circumstances under which operations take place. Now, according to Kerlinger, there are four basic methods of obtaining such knowledge, namely:

— Method of Tenacity. People cling firmly to a truth because they have always known it to be true. Repetition of such truths reinforces their validity.

— Method of Authority. If an idea has the weight of tradition and public sanction behind it, it is true. "If the Bible says so, so it is."

— A Priori Method (of intuition). The assumptions accepted by the "a priorist" are self-evident. Note that a priori propositions agree with reason (whose?) and not with experience.

Without need for further analysis, it is evident that none of the preceding methods of knowledge is used in professional internal audit work.

— Method of Science. The final conclusion of all men must be the same. Its fundamental hypothesis is this: there are real things whose characteristics are entirely independent of our opinions about them.

According to Arias Galicia, the scientific approach has the following characteristics that distinguish it from the preceding methods of knowledge:

a) It is objective. Phenomena can be produced or repeated by any person under the same circumstances, regardless of that person's emotional state, experiences or interests. To achieve this it employs measurements, thereby avoiding the subjectivity of words such as: many, few, sufficient, etc.

b) It specifies the conditions of observation. It is necessary to state precisely the conditions prevailing at the moment in which the phenomenon occurred.
c) It pursues generalization. Prediction based on generalization allows control insofar as possible.

d) It corrects itself. The knowledge provided by science is never definitive; rather, it is corrected when new empirical demonstrations expand, modify or nullify it.

e) It is a systematic study. The researcher follows a series of methods grounded in logical principles.

To demonstrate the use of the "scientific method in the execution of internal auditing", it suffices to present the following analogies between the two disciplines:

a) Internal auditing requires objectivity, and therefore measurements, in order to be of real use, since its basic objective is evaluation, and evaluation cannot exist if actual results are not measured against standards or norms.

b) In addition to the preceding attribute, it requires the specification of the conditions of observation, so that they can be verified by the person responsible for the audited area and their reasonableness accepted by that person's hierarchical superiors.

c) Generalization is applied when concluding, on the basis of a sample, about the characteristics of the universe under examination.

d) In the follow-up phase for the solution of the problems detected, in subsequent audits, and in the normal course of operations, the correctness of the audit result is verified directly or indirectly.

e) Finally, as will be demonstrated throughout this exposition, a series of methods grounded in logical principles is followed.

2. THE SCIENTIFIC METHOD AND ITS RELATION TO INTERNAL AUDITING

A) Characteristics of the scientific method. The success of scientists in increasing the quantity of useful and verifiable knowledge is fundamentally due to their method of acquiring knowledge, which is based on:

— Attitude of mind (logic).
— Procedimiento y conducta ra- clonal Las principales caracteristicas de la actitud cientifica, que 2 su vez coinciden con las del auditor, son: —Curiosidad — Escepticismo —Deseo de llegar a conclusiones y revisarias cuando sea necesario. EI procedimiento y conducta ra: cionales se logran mediante la ap! cacién del “‘método cientifico”, en tendiando este bajo las siguientes acepciones: —Procedimientos légicos necesa rios para llegar al conocimiento de le verdad (métodos). Conjunto de actividades —en secuencia Idgica— requeridas para hallar la verdad (Metodologia), B) Conocimiento y evidencia. La evidencia proporciona los me- dios por los que alcanzamos ese es: tado de seguridad llamado “cono- cimiento” y que se opone 2 la mera “‘creencia”, La evidencia es la Hlave para llegar a la verdad, 0 sea la “conformided con Is realidad". Por otra parte, los métodos para obtener conocimientos varizn en su naturaleza y validez y ninguno es suficiente en todos los casos. Cada uno tiene aplicaciones especiales en les que es més efectivo que los otros. Asimismo, la evidencia varia en su grado de influencia dependiendo de la habilidad y experiencia post dos por quien Ia usa La evidencia tiene dos formas de influencia sobre ls mente humana: 2) Compulsiva, es decir, tan fuer- te © intenss que obliga 2 la mente a acepterla como verdadera y, conse- cuentemente, alcenza la seguridad de conocimiento, b) Persuasiva, 0 sea que no es tan fuerte ni tan intenss como la anterior, Tal evidencie es mayor 0 menor en la medida en que influya a la mente pare acepter 0 rechezar la _proposicion en cuyo apoyo ha sido propuesta u obtenida. La cantided y calidad de la evi- dencis que el auditor requiere de- pende de la importancia del aspecto examinado (se considera imporan- te si hay raz6n pata creer que su conocimiento influenciaria les deci- siones de un interesado informado). 
METODOLOGIA DE LA AUDITORIA INTERNS Si un aspecto de la auditoria es importante, requiere de una evi- dencia considereblemente fuerte (compulsiva). Si no lo es, s6lo se ne- cesita para persuadirse (contrastan- do con asegurarse]. C) Métodos de obtencién de co- nocimientos.—Para obtener la evi: dencia, es decir, para llegar al cono- cimiento de le verdad, ta légica uti- liza cuatro métodos principales (asi como el autoritarismo que no es cientifico) los cuales se analizarén en cuanto a su concepto y relacion con la auditoria, 2 saber: —Andlisis —Sintesis —Deduccion —Autoritarismo 2) Andlisis. Descomposicin de un todo ~conereto 0 abstracto—en sus elementos, hasta describir las causas, naturaleza y efectos dal mis- mo. Puede ser real 0 lagico. Andlisis se contrapone a sintesis, método con el cual se complementa. Sus principales etapas son como sigue: 1) Observacién de un hecho o fe- némeno que despierta nuestro inte: és 0 que escogemos para someterlo aestudio. 2) Descripcién de lo que se ob: serva; incluye el examen critico del objeto de nuestro interés, para lo cual hay que descomponerlo en to Gos sus detalles. 3) Clasificacién y comparacién, con otros hechos o fenémenos, bus- cando analogias 0 discrepancias, a fin de establecer relaciones y coor- dinar el objeto de nuestra investiga: cidn con otros similares. 4) Comprensiéa del hecho o fe- wauaim wivotiany METODOLOGIA DE LAAUDITORIA INTERNA ITORIA INTERNA, némeno como producto de les cit cunstancias del ambiente que lo ro dea y como parte de un algo supe- rior, de un todo universal. Este método se aplica practica- mente durante toda la auditoria, por ejemplo: — Comversién de los objetivos de ta auditoria a programa de trabajo. — Analisis de informacién finan- ciers y estadistica. — Anilisis de saldos 0 movimien- tos de las cuentas. b) Sintesis. 
Operacién que consis- te, contrariamente al anélisis, en la reunion racional de varios elemen- tos dispersos en una nueva torali dad, o bien, en la composicién de un todo por ia reunion de sus par- tes. La simesis sirve como base para el desarrollo de la auditoria interna en 3 determinacién de 1os objetivos y una ver que se ha sometido a ans: lisis en el desarrollo del programa de trabajo, y en la aplicacién de las pruebas, 26 realiza dicho proceso de sintesis, tanto en las conclusiones de los pepeles de trabajo, como en la preparacién del informe de audi- toria. ¢) Deduceién. Razonsmiento me- diato, de carécter descendent; de lo general, anstracto, a io singu- lar, concreto; es decir, se parte de un marco general de referencia y se va hacia un caso particular En la deduccién se comparan las caracteristicas de un fenémeno u objeto con la definicién que se ha acordado para el mismo. En le te0- ria de conjuntos, la deduccion con siste en descubrir si un elemento dado pertenece al conjunto que ha sido previarmente definido. En auditoria se aplica el método deductivo al juzgar lo adecuado de los procedimientos contra los estén- dares para la buena administracion de la operacién (descritos en el programa de trabajo), asi como al verificar que dichos estandares (ge- nerales) se cumplan en la practice (casos particulares). Otras formas de aplicar la deduc. cién es cuando utilizamos las mate indticas al verificar célculos, 0 bien, si con base en Ia existencia de cier- tos controles, evaluamos la posibi- lidad de que ocurran 0 no irregula- ridades. d) Induccién. Argumentacién que, partiendo de proposiciones particulares, infiera una afirmacion de extensién universal. Se le consi dera el tipo de rezonamiento opues- to a la deduccion. En otras pal bras, trata de generalizar el conoci miento obtenido en un caso a otros semejantes. 
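The inductive step just described, generalizing from the cases examined to the universe they were drawn from, is what audit sampling does in practice. The following Python example is added here and is not part of the original reading; it goes beyond the text by showing how that generalization is quantified. A reproducible random sample is drawn from a constructed population of ticket identifiers, and, given the number of deviations found in the sample, a one-sided Clopper-Pearson upper bound on the population deviation rate is computed and compared with a tolerable rate. The population, sample size, seed, deviation count and tolerable rate are all hypothetical.

```python
import math
import random


def select_sample(population_ids, sample_size, seed):
    """Draw a simple random sample of item identifiers.

    A fixed seed makes the selection reproducible, so a reviewer can
    regenerate exactly the same sample from the same population and seed.
    """
    rng = random.Random(seed)
    return sorted(rng.sample(list(population_ids), sample_size))


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_bound_error_rate(sample_size, exceptions_found, confidence=0.95):
    """One-sided Clopper-Pearson upper bound on the population deviation rate.

    Returns the largest deviation rate p still compatible with seeing no more
    than `exceptions_found` deviations in `sample_size` items at the given
    confidence, i.e. the smallest p with P(X <= k | n, p) <= 1 - confidence.
    Found by bisection; the binomial CDF is monotone decreasing in p.
    """
    if exceptions_found >= sample_size:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # 60 halvings of [0, 1] is far finer than needed here
        mid = (lo + hi) / 2
        if binomial_cdf(exceptions_found, sample_size, mid) > alpha:
            lo = mid  # this rate is still plausible, the bound lies higher
        else:
            hi = mid  # this rate is already rejected, the bound lies lower
    return hi


def evaluate_control_test(sample_size, exceptions_found, tolerable_rate, confidence=0.95):
    """Decide whether the sample supports relying on the control.

    The control is accepted when the upper bound on the deviation rate is at
    or below the tolerable rate; otherwise the auditor cannot generalize
    "the control operates" from the sample to the population.
    """
    ub = upper_bound_error_rate(sample_size, exceptions_found, confidence)
    return {"upper_bound": ub, "accept": ub <= tolerable_rate}


# Constructed example: a hypothetical population of 5,000 change-management
# tickets, of which the auditor can afford to inspect 60 for an approval record.
if __name__ == "__main__":
    population = range(100000, 105000)  # hypothetical ticket ids
    sample = select_sample(population, 60, seed=2024)
    # Suppose inspection of the 60 tickets found 1 without an approval record.
    result = evaluate_control_test(len(sample), 1, tolerable_rate=0.05)
    print(sample[:5], result)
```

The bound is conservative: with 60 items and zero deviations the auditor can assert, at 95 percent confidence, a population deviation rate no higher than about 4.9 percent; a single deviation in the same sample pushes the bound to about 7.7 percent, which is why one exception is often enough to withdraw reliance on a control tested with a sample of that size.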
Since the auditor cannot examine all operations, for practical and cost reasons, he uses a sample and generalizes his results from it. In this case he must make sure the sample is representative of the universe in order to increase the probability that his reasoning is correct.

An economical and rational way to apply this method when large volumes of data are handled is statistical sampling, one of whose foundations is random selection of the sample.

In audit, the certainty of the sample results, when weaknesses are detected, is increased by their acceptance by the audited personnel.

e) Authoritarianism (method of authority). It is not one of the logical methods. It is, however, a form of evidence based on the testimony of others. Most of our knowledge we have obtained from the testimony of our fellow men rather than from any other source. We accept on trust in those matters we cannot investigate for ourselves. Evidence of this kind, however, can be no more than persuasive, so it is advisable to corroborate it with other methods.

According to its source, this type of evidence can be classified into two large groups, namely:

1. Testimony of people. It may come from internal or external personnel. In both cases care must be taken that the informant is honest and well informed, and that he has made no error in his assertion. One way to achieve this is by applying other audit techniques (inspection, observation, calculation, etc.); with external testimony there is the additional assurance that the information provided affects the informant's own operations directly.

Expert testimony is acceptable in the following circumstances:

— The subject must be beyond the understanding of the average man.
— The expert must demonstrate his skill, knowledge or experience in the field.

2. Testimony of documents. These may be documents prepared inside or outside the enterprise. In the first case, based on the evaluation of the control system, they may be considered admissible evidence until proven otherwise. In both cases this evidence can be corroborated with testimony of people and with the other logical methods.

Combination of the methods. With any of the methods indicated above it is much more likely to reach erroneous conclusions when only one is chosen than when they are used in combination. None of the methods of obtaining evidence is by itself able to provide certainty. Combined, however, they strengthen one another considerably.

D) Audit techniques. The physical way of obtaining evidence in audit rests on the preceding methods of obtaining knowledge and is called "techniques". It is important to distinguish this concept from the procedure, which is the description of the activity to be performed, in which one or several techniques are applied.

The main techniques used in the execution of internal audit are:

Observation. Perception, through the senses, of events as nature presents them. It is used in the preparation and taking of inventories and in the application of control routines (payroll payment, execution of collections, etc.).

Inspection. Physical examination of material goods, credit instruments or documents to confirm their authenticity.

Documentary examination. Study of all the details of a document (letters, records, contracts, reports, etc.).

Confirmation. Ratification by an affected third party of the authenticity of a balance, fact or operation. It may be positive, when a reply is requested whether or not the party agrees (subdivided in turn into direct or indirect, depending on whether data are provided or not), and negative, when a reply is requested only in case of disagreement.

Interview. Obtaining oral information in a face-to-face situation. It is used mainly in the phases of determining objectives and preparing the work program, as well as in confirming weaknesses existing in the operation.

Calculation. Investigation of something by means of mathematical operations (depreciation, amortization, interest and taxes).

3. METHODOLOGY

a) Methodology of scientific research. Methodology is a hierarchical and classified ordering of ideas for developing them, that is, a sequence of steps to be carried out. It must answer the following questions:

— How is it carried out?
— What elements or instruments are necessary?
— When and where is it carried out?

The rules of the methodology of scientific research are not inflexible, as if they were a set of mechanically related stages in which, once the first step has been taken, one can no longer go back or is not allowed to carry out two or more in parallel. Two or more stages may be carried out at once and, if necessary, one may go back to review the consistency of one's approach in the light of new information and experience on the work being done. Likewise, the research methodology varies according to:

— Characteristics of the data to be examined.
— Nature of the judgment to be issued.

Notwithstanding the above, the methodology of scientific research is generally stated as follows:

1. Consideration of the preliminary information that suggests the problem.
2. Formulation of the problem.
3. Observation of the facts pertinent to the problem.
4. Use of prior knowledge.
5. Formulation of the hypothesis.
6. Deduction of the implications of the hypothesis.
7. Testing of the hypothesis.
8. Conclusion: the hypothesis is or is not confirmed.

b) Methodology of internal audit. On the other hand, to carry out his function the auditor needs to conduct investigations, that is, to apply a series of methods through logical operations based on objective data. To carry out such investigation the auditor requires a special methodology for the development of his work, which basically depends on the objectives of the audit and the area to be examined.

The particulars of the methodology will differ for each auditor, but they must be grounded in and incorporated within the general skeleton of the scientific method. Among the various factors that affect the audit methodology, or its emphasis on some phase or phases of the process, the following can be mentioned:

— Simple or complex areas.
— Known or unknown areas.
— First or subsequent audits.
— With or without written procedures.
— Degree of experience of the personnel.
— Characteristics of the area.

Subject to the consideration in the preceding point, the methodology proposed in this study can be summarized in the following general steps:

1. Selection of the area to audit.
2. Determination of objectives.
3. Preparation of the work program.
4. Execution of the audit.
5. Preparation of the report.
6. Follow-up of the audit.

Two tables are presented next which compare the above methodology, attempting to establish its analogy, with:

1. The method of scientific research, of the social and economic sciences, and of systems analysis.
2. The methodology proposed by other authors or institutions for audits equivalent to internal audit.

COMPARATIVE TABLE OF THE PROPOSED INTERNAL AUDIT METHODOLOGY AND RELATED ONES

Internal audit (proposal):
1. Selection of the area to audit
2. Determination of objectives
3. Preparation of the work program
4. Execution of the audit
5. Preparation of the report
6. Follow-up of the audit

Instituto Mexicano de Contadores Públicos (IMCP), operational audit:
1. Familiarization
2. Investigation and analysis
3. Diagnosis

American Institute of Certified Public Accountants (AICPA), operational audit:
1. Determination of the pertinent facts and circumstances
2. Identification of objectives
3. Definition of problem areas and improvement opportunities
4. Evaluation and determination of possible improvements
5. Presentation of findings and recommendations

Leo Herbert, audit of management performance:
1. Preliminary investigation
2. Examination and testing of administrative control
3. Detailed examination
4. Preparation of the report

Mautz and Sharaf, audit of value judgments:
1. Recognition of the problem
2. Statement of the problem
3. Formulation of possible solutions
4. Evaluation of possible solutions
5. Formulation of judgment

COMPARATIVE TABLE OF THE INTERNAL AUDIT METHODOLOGY AND OTHER DISCIPLINES

Internal audit (proposal):
1. Selection of the area to audit
2. Determination of objectives
3. Preparation of the work program
4. Execution of the audit
5. Preparation of the report
6. Follow-up of the audit

Scientific research:
1. Consideration of the preliminary information
2. Formulation of the problem
3. Observation of the facts
4. Use of prior knowledge
5. Formulation of the hypothesis
6. Deduction of its implications
7. Testing of the hypothesis
8. Conclusion: the hypothesis is or is not confirmed

Social research:
1. Statement of the problem
2. E… (illegible in the source)
3. Data collection
4. Data processing
5. Explanation and interpretation
6. Communication of results

Economic research:
1. Choice and formulation of the topic
2. Preparatory work
3. Collection and ordering of data and background
4. Execution of the research work
5. Presentation and publication of the research work

Systems analysis:
1. Selection of the project
2. Feasibility study
3. Definition of … (illegible in the source)
4. Design of the system
5. Implementation
6. Evaluation

II. THE METHODOLOGY OF INTERNAL AUDIT

1. SELECTION OF THE AREA TO AUDIT

A) Factors to consider. Before beginning the audit of any area, it is necessary to evaluate whether the time and effort to be invested are commensurate with the contribution it can make to the organization's objectives.

— One must avoid falling into the routine of performing audits where the probability of obtaining benefits greater than their cost is slight, because of the amount of resources handled and the technical difficulties of making recommendations that improve their productivity.

— The main factors affecting the selection of the area to audit can be classified into three groups, namely:

a) Operation. Importance of the organization or activity, based on indicators such as:
— Amount of disbursements or income.
— Amount of investment in assets.
— Critical activities and risks.
— Severity and consequences of possible problems.
— Degree to which a problem can be resolved or attacked (union, government, etc.).

b) Auditor.
— Material, intellectual or organizational interests.
— Personal values.
— Knowledge of the operation.

c) Organization.
