Int Aud Chapter 8

The document discusses internal audit tools and techniques for information technology systems. It describes the scope of IT audits, including evaluating general and application controls, auditing the system development life cycle, auditing e-commerce, and using computer-assisted audit techniques. The document also defines IT audits and outlines the key elements that are audited.


Internal Audit Tools and Techniques

After going through this chapter, you should be able to:

• Describe the Information Technology (IT) audit.
• Identify technology risks and the challenges they pose to internal auditing.
• Discuss the evaluation of general and application controls.
• Define and discuss the audit of the System Development Life Cycle (SDLC).
• Define and discuss the audit of e-commerce and the challenges it poses to internal auditors.
• Understand the idea of computer-assisted audit techniques (CAATs) in performing an audit procedure.

Introduction

Information Technology (IT) has grown positively and aggressively in Malaysia after the launch of the Multimedia Super Corridor (MSC) in Cyberjaya. Entities ranging from sole proprietorships to big organizations rely on IT to record and process day-to-day business transactions. Some business organizations merely purchase available application software in the market to process their business transactions. Those with a budget for system development might prefer to develop their own system application. Heavy reliance on computers for processing business transactions has changed the business scenario. Businesses are now subjected to various IT-related risks such as:

System Application Error

The use of software applications in processing transactions will eventually reduce the risk of human error. However, the risk of system error might increase, since the system requires upgrading from time to time due to the expansion of business operations. Too many changes and flaws in the system program procedures will lead to the issue of reliability of the software. At the same time, risks such as operating system crashes, transmission errors or missing data can occur.

Hardware Failure

Computer hardware such as the central processing unit (CPU), monitor and servers can easily malfunction if not properly maintained and protected. Physical damage to computer hardware can be prevented by having and following a proper procedure to handle them. Damage could be due to inappropriate use, sabotage or environmental disasters such as a fire, blackout, flood or an earthquake.

Computer Crime

Business transactions conducted via the Internet can expose the organization's electronic data to attacks from hackers, competitors, terrorist groups, previous employees or industrial spies. These parties attack to look for valuable data or to harm the computer system. There are unlimited types of computer attacks such as hacking, spamming, spoofing or sending viruses and worms.

Therefore, controlling and protecting business information has become one of the main priorities in most organizations. Effective control over the processing of data in the information system is important to protect the organization from liability and to ensure security as well as confidentiality. This is where management should regularly monitor and evaluate their systems to ensure effective functionality and adherence to related standards and practices.

IT audit is part of the overall audit process to ensure IT controls are preserved at all times. The scope of IT audit is wide, since a computer system not only records transactions but has also become the key business processing system of an organization. Generally, IT audit is concerned with the following issues:

1. Security
To ensure access to the system and its data is restricted to authorised personnel only.

2. Confidentiality
To ensure that sensitive information of an organization is protected from unauthorised access or disclosure.

3. Privacy
To ensure personal information of any third party, such as customers' addresses and contact numbers, is treated in accordance with the organization's business policy and protected from unauthorised access or disclosure.

4. Processing Integrity
To ensure business data are processed accurately and completely in a timely manner with proper authorisation.

5. Availability
To ensure the operating system and its data are available at all times to meet the needs of business operations.

(… the Canadian Institute of Chartered Accountants)

This chapter highlights different areas to be audited in regard to computerised systems, such as the evaluation of general and application controls, the audit of the System Development Life Cycle (SDLC), the audit of e-commerce and the use of Computer-Assisted Audit Techniques and Tools (CAATTs) in completing audit procedures. The sample audit programs attached within this chapter allow a better understanding of the areas that are audited.

Definition of IT Audit

IT audit is one of the branches of the different types of audits that is performed by an internal auditor. IT audit holds the same definition as general auditing: an independent examination of the internal controls, records and related information generated from the system in order to form an opinion on the integrity of the system of controls, the compliance with policies and procedures, and the recommendation of control improvements to minimize or limit risks. However, IT audit focuses more on the evaluation of an organization's computer systems and network to ensure:

• The effectiveness of control procedures in minimising related technology risks; and
• The compliance with international or Malaysia's standard operating practices, policies, procedures and related laws or regulations of the regulatory body.

Elements of IT Audit

A major challenge in performing an IT audit is to determine the scope for the assessment of internal control in the IT environment. Assurance on information systems can be obtained only if all components are assessed and evaluated properly. The major areas of an IT audit are categorized as follows:

1. Physical and Environmental Review

Reviews physical facilities and conditions of the IT environment such as physical access, power supply, air conditioning and humidity control.

2. System Administration Review

Reviews all system administration procedures to ensure compliance with regulatory rules. It includes review of security control procedures of existing operating systems and database management systems.

3. Application Software Review

Reviews all business application software, for example, software to record accounting and finance transactions used by the finance department, software to process salary used by the payroll department and the web-based customer order system used by the sales department. Generally, assessment is carried out in the following areas:
• Access control and authorisations.
• Procedures handling validation, errors and exception processing.
• Processing transaction flowchart.
• Manual on controls and procedures.

4. Network Security Review

Reviews the IT network's infrastructure, which includes internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection.

5. Business Continuity Review

Reviews control procedures in ensuring the systems and information are available when needed, for example:

• The procedures for maintenance of fault-tolerant and redundant hardware.
• Backup procedures and storage.
• Documented and tested disaster recovery/business continuity plan.

6. Data Integrity Review

Reviews control security measures around IT operating systems and application software to ensure the output produced is accurate, complete, timely and valid.

The CAE should consider performing an audit on these six major elements of IT in the annual audit plan. Addressing all of these elements properly will ensure the highest level of security control measures in the IT environment.

Guide to Conduct an IT Audit

The Information Systems Audit and Control Association (ISACA) is an independent, non-profit global association handling the process of development, adoption and use of globally accepted knowledge and practices for information systems. Initially ISACA was started by a small group of individuals who shared a common interest in the need to establish a resource centre for auditing control in computer systems. Back in 1969, the group was known as the EDP Auditors Association. This association has expanded its scope by establishing an education foundation for the purpose of undertaking more research in the field of IT governance and control.

ISACA developed the Control Objectives for Information and Related Technology (COBIT) framework. It serves as an IT governance framework, which provides guidelines on control requirements, technical issues and business risks. The benefits of employing this framework are:
• It allows the management to benchmark security and control practices of IT environments;
• It assures users that adequate IT security and control exist; and
• It allows auditors to substantiate their internal control opinions and advise on IT security and control matters.

In addition, the Institute of Internal Auditors (IIA) has developed and issued the Guide to the Assessment of IT Risk (GAIT). This guideline helps auditors evaluate and assess IT general controls that have an impact on financial reporting. The GAIT Practice Guides include three series, which are:

1. The GAIT Methodology

It is a guideline to scope IT general controls using a top-down and risk-based approach. It helps the management to identify any deficiencies in key IT general controls that may result in material errors in financial statements. The following four principles form the basis for this guideline:

Principle One: The identification of risks and related controls in IT general control processes (e.g., in change management, deployment, access security and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts and key controls in the business processes.

Principle Two: The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.

Principle Three: The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.

Principle Four: Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.

GAIT Methodology enables organizations to implement the principles and gives management and auditors guidance around scoping IT general controls and the tools to defend these decisions.

2. GAIT for IT General Control Deficiency Assessment

It is a guideline to evaluate any IT general control deficiencies identified during assessment, such as material weaknesses or significant deficiencies. The guideline was developed by nine certified public accounting firms to help management as well as internal and external auditors in assessing deficiencies in the organization's internal control system for financial reporting.

3. GAIT for Business and IT Risk

It is a guideline to help identify IT controls that are critical to achieving business goals and objectives. Adherence to this guideline would help the CAE and audit team provide assurance and the necessary levels of consideration to IT-related business risks.

Scope and Objectives of an IT Audit

The scope of an IT audit depends on various factors such as the nature and background of the business, existing and potential technology risks, as well as the resources of the IT department (e.g., the number of staff, software applications). Therefore, it is pertinent for management to have an appropriate plan for performing an IT audit, to ensure a proper assessment of every area of IT functions.

Ideally the scope should consist of audits on security controls, logical access controls, physical security controls, installation controls and local area network controls.

TABLE 8.1 | Highlights of the Objectives of an Audit for Each Determined Area

No. | Scope of Audit | Objectives of Audit
1. | Security Controls | To ensure the establishment of an appropriately defined IT management structure with a clear framework of authorities and responsibilities for successful implementation of the security objectives of an organization.
2. | Logical Access Controls | …
3. | Physical Security Controls | To prevent unauthorised access to computer-related equipment. To ensure adequate protection of computer-related equipment against natural hazards and malicious damage.
4. | Installation Controls | … its operation of application systems.
5. | Local Area Network Controls | …

Examples of audit programs for each of the mentioned areas are depicted as follows.

Audit Program - Security Controls

1. Review the information security management structure to identify those responsible for:
   i. Security management
   ii. Security administration
   iii. Data owners
   iv. System owners
   v. System users
   vi. System providers
   vii. Procedure owners

2. Review the appropriateness of the level of segregation of duties between the following:
   i. application development
   ii. technical support
   iii. computer operations
   iv. security administration
   v. user department

Audit Program - Logical Access Controls

1. Review the User Security Administrator and check the following:
   • There is a procedure in place for issuing, approving and monitoring application access.
   • User access control reports are periodically reviewed for accuracy and completeness by user management.
2. Check whether … is limited to only the security administrator.
3. Verify whether user IDs are used to identify users accessing the system.
4. Verify that a user security administration procedure is in place to ensure that unique user IDs are assigned to system users.
5. Review the following:
   • Passwords are being used to confirm the user's identity.
   • Passwords are encrypted to ensure confidentiality.
6. Check whether a user ID has been disabled if it has been inactive for more than 90 days.
7. Check whether user IDs are automatically disabled after 3 consecutive unsuccessful logon attempts.
8. Check that unattended terminals are automatically logged off after a period of N minutes of inactivity.
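As an added example (not part of the chapter), the Python script below applies checks 4, 6, 7 and 8 of the logical access audit program above to a constructed user-account export, in the spirit of a CAAT; the CSV layout, the sample accounts, the audit date and the 15-minute value standing in for N are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample export. Assumed layout: user_id, owner, last_logon (YYYY-MM-DD),
# failed_logons (consecutive unsuccessful logon attempts), status (active/disabled).
SAMPLE_EXPORT = """user_id,owner,last_logon,failed_logons,status
ali01,Ali,2023-06-01,0,active
siti02,Siti,2022-11-15,0,active
ali01,Ali (second account),2023-05-20,0,active
tmp99,Temp contractor,2023-05-30,5,active
lee03,Lee,2023-06-10,3,disabled
"""

AS_OF = date(2023, 6, 15)   # audit date for the constructed sample (assumption)
MAX_INACTIVE_DAYS = 90      # item 6: IDs inactive for more than 90 days must be disabled
MAX_FAILED_LOGONS = 3       # item 7: IDs disabled after 3 consecutive failed logons
MAX_IDLE_MINUTES = 15       # item 8: the policy's "N minutes"; 15 is an assumed value


def parse_export(text):
    """Read the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def find_duplicate_ids(rows):
    """Item 4: every system user must have a unique user ID."""
    counts = Counter(r["user_id"] for r in rows)
    return sorted(uid for uid, n in counts.items() if n > 1)


def find_stale_active_ids(rows, as_of=AS_OF):
    """Item 6: an active ID whose last logon is more than 90 days before the
    audit date should already have been disabled."""
    cutoff = as_of - timedelta(days=MAX_INACTIVE_DAYS)
    return sorted({r["user_id"] for r in rows
                   if r["status"] == "active"
                   and datetime.strptime(r["last_logon"], "%Y-%m-%d").date() < cutoff})


def find_lockout_failures(rows):
    """Item 7: an ID that is still active at or beyond the failed-logon threshold
    shows that the automatic lockout is not working."""
    return sorted({r["user_id"] for r in rows
                   if r["status"] == "active"
                   and int(r["failed_logons"]) >= MAX_FAILED_LOGONS})


def check_idle_timeout(configured_minutes):
    """Item 8: an idle logoff must be configured and must not exceed the policy value."""
    return configured_minutes is not None and 0 < configured_minutes <= MAX_IDLE_MINUTES


def audit_logical_access(text, idle_timeout_minutes):
    """Run all checks and return the findings an auditor would record in working papers."""
    rows = parse_export(text)
    return {
        "duplicate_ids": find_duplicate_ids(rows),
        "stale_active_ids": find_stale_active_ids(rows),
        "lockout_failures": find_lockout_failures(rows),
        "idle_timeout_ok": check_idle_timeout(idle_timeout_minutes),
    }


if __name__ == "__main__":
    # A 30-minute terminal timeout is assumed to be what the auditee has configured.
    for finding, value in audit_logical_access(SAMPLE_EXPORT, 30).items():
        print(f"{finding}: {value}")
```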

Audit Program - Physical Security Controls

1. Review the Computer Centre as a secure … procedures include:
   …
2. Review the adequacy of the various … :
   • Automatic fire detection and alarm system.
   • Regular check and service of the … system.
   • Regulations complied with fire … system.
3. …
4. Review the following:
   • Room temperature and humidity …
   …
5. Review controls for confidential print output: identification, … printers, access restriction to printer rooms and output release …

Audit Program - Installation Controls

1. Review the controls for system software:
   i. protection using an access control mechanism
   ii. maintenance of the system is fully documented
   iii. authorisation of changes
   iv. documentation and support of … maintenance
2. Review the following:
   i. Inventory listing, to ensure that it is regularly maintained and verified.
   ii. Removal, movement or disposal of computer equipment should be authorised and properly recorded.
   iii. Hardware maintenance agreements and preventive maintenance …
   iv. All computer equipment must be operated and maintained according to the manufacturer's specifications.
3. Review the selected agreements with third-party providers on the following:
   • All IT staff and affected parties should be aware of the relevant agreements and the commitments contained within.
   • Amendments made to agreements are subject to approval by the board of directors.
4. Obtain and review the procurement procedures and ensure that …:
   • Review samples of the proposals obtained from suppliers.
   • Ensure that at least three proposals from different suppliers are obtained … procurement process.
   • Ensure that supplier proposal evaluation and … investigation have been carried out prior to the selection of the supplier.
   • Sight the review from the company's legal …

Audit Program - Local Area Network Controls

1. Check whether the audit system is able to generate an audit trail showing the activities of the users in the system, such as user ID, date and time, terminal number and activities performed.
2. Review the physical area of the critical LAN components and check the following:
   • The servers are located in secure rooms/cabinets with adequate environmental controls.
   • Only an authorised person is allowed to operate the equipment.
   • Secondary media (e.g. diskettes and cartridges) are stored securely.
3. …
4. Review the computer disaster recovery plan for all critical local area network systems. Ensure the following … are incorporated:
   • Spare devices with sufficient capacity and speed for backup purposes.
   • The frequency and retention of backups of the servers and workstations.
   • Documentation and testing of backup and recovery procedures.
   • Uninterruptible power supply system to protect critical network servers and their components.
5. Check that all directories are scanned regularly.
6. Review the antivirus software and ensure the following features are available:
   • Virus detection and removal capabilities.
   • Licensing agreement which provides regular antivirus updates, at least every week, … reputable track record … of reliability where viruses are detected and removed.

Steps in IT Audit

(Figure: the steps in an IT audit, from establishing the terms of engagement to planning the audit and onward.)

Establish the Terms of Engagement

The CAE will determine the scope and objectives of the audit of IT functions. The engagement letter will be addressed to the respective auditee, that is, the Head of the IT department. The letter will include information such as the scope and objectives of the audit, responsibilities of auditor and auditee, authority for the auditor to have access to all information of IT functions, and the audit schedule.

Preliminary Review

This is the process where the auditor needs to gather information on the IT department as a basis for preparing an audit plan. The information required includes the auditee's strategies and responsibilities in managing and controlling IT operations.

Establish Materiality and Assess Risks

The auditor needs to establish judgement on the materiality of the IT function as well as perform an assessment of the auditee's business risk in order to set the scope for the audit.

Plan the Audit

Normally, a proper audit plan includes the engagement's objectives, scope, timing and resource allocation. A well-developed audit plan will ensure that the audit process is conducted efficiently and effectively.

Consider Internal Control

The auditor has to consider the internal control of the auditee in order to begin the audit process. The information on internal controls could come from a variety of sources such as studies of existing internal controls, previous audit reports, reports by regulators such as Bank Negara Malaysia or Bursa Malaysia, or feedback from operating personnel. Once the process is completed, the auditor could assess the level of the auditee's control risk, which is important to determine the level of substantive tests to be performed during fieldwork.

Perform Audit Procedures

The auditor will perform the audit process based on the scope stated in the audit plan. The auditor will use a substantive test approach to audit IT business functions.

Issue the Audit Report

The auditor will issue an audit report once all audit procedures have been completed and evaluated.

Evaluation of General and Application Controls

There are two control groups for any IT system: general controls and application controls. General controls handle all aspects of IT functions, including the administration of the IT function, hardware or software acquisition and maintenance, physical and security control over hardware and the establishment of a disaster recovery plan in the event of unexpected emergencies. Application controls deal with the control of usage of individual transactions specific to a certain software application, for example, controls over the processing of sales or cash receipts.

Table 8.2 highlights the different categories of general and application controls.

TABLE 8.2 | Categories of General and Application Controls

Category | Purpose of Control | Example of Control

GENERAL CONTROLS
Administration of IT function | To ensure proper administration of people and resources of the department. | List of IT staff with their responsibilities; organizational chart of the IT Department.
Physical access control | … | Access to the Data Centre is restricted to authorised personnel only.
Logical access control | To ensure a proper control is in place for infrastructure, applications and data. | Use of password and user ID to access information on the organization in the computer.
Backup and contingency plan | To ensure that a proper backup and contingency plan is in place for unexpected emergencies such as fire, virus attack, power failure or natural disaster. | Well-written business continuity and disaster recovery plans.

APPLICATION CONTROLS
Input control | To ensure … entered into an organization's application. | Input … are designed to capture all relevant data required.
Processing control | To ensure proper control for data processing so that the process is complete, accurate and authorised. | Review system documentation to ensure key computations are fully documented.
Output control | … | …
Auditing of System Development Life Cycle

The system development life cycle (SDLC), also known as the Software Development Process, is a method whereby a system analyst will create or alter the information system to produce a high-quality system that meets the user's expectations. The SDLC consists of seven phases that management should follow closely in order to develop a solid information system.

These seven phases will also give proper evaluation and management of the risk associated with the system development process. Each stage has to be completed before management could move on to the next. This will ensure success in the development process. Figure 8.1 shows the seven phases of the SDLC.

FIGURE 8.1 | SDLC Phases (1. Systems planning, …)

Phase 1: Systems Planning

During this phase, management will plan a system to meet the organization's mission and objectives. The plan will include general guidelines for system development, time frame and budget. Several documents will be generated from this phase, which consist of a long-term plan, policies for selecting IT projects, both long-term and short-term IT budgets, a project proposal and a project schedule.

Phase 2: Systems Analysis

During the second phase, a system analyst will gather the necessary information, such as facts and samples to be used in the project, from the end users. The analyst will then review and analyse the input received and produce a system analysis report.

Phase 3: Conceptual Design

During this phase, a conceptual design is developed to include views from all respective persons involved with the development project. The outcome from this process will be translated into a possible document such as a data flow diagram (DFD).

Phase 4: Systems Selection

A system selection phase involves a process where the management, together with the system analyst, will evaluate alternative system requirements to select the best system to meet the requirements stipulated by the users as well as to fulfil the organization's objectives. The analysis involved includes a detailed feasibility study, where the management will examine whether the newly developed system is able to work within the current IT infrastructure, with the organization's business processes and procedures, as well as with the existing employees' skills. The management is also responsible for producing a cost-benefit analysis for the newly developed system. The finance personnel are responsible for analysing and determining the value of each alternative. The outcome from this selection process will be summarised in a selection report.

Phase 5: Detail Design

At this level, the system analyst will develop a system based on the DFD created in phase 3, taking into consideration the analysis made during the selection process. The system analyst has to record the procedures involved, the outcomes, as well as the problems encountered during the development process.

Phase 6: Programming and Testing Systems

The programming and testing system is the most important phase in the SDLC. It will determine whether the outcome of the project is able to meet the predetermined objectives. There are several factors to be considered in the testing process, which include:
• Testing should be done offline, before being implemented online.
• Testing should be done as a stand-alone module, before being conducted in conjunction with the other applications.
• Testing should be done with the participation of end users.
• Results of the testing process should be documented.

Phase 7: Systems Implementation

This is the last process of the SDLC, where the system is ready to be employed. Management has to sign off the user acceptance agreement before the system is made live. However, the process of the SDLC does not end at this stage. Management is required to perform a post-implementation evaluation of the project. Review should be made of the capability of the system in meeting the user's requirements, and comparison should be made of the actual costs against benefits. The process of evaluation should be made continuously to ensure proper corrective and preventive actions could be made to the new system.

lnvolvement of lnternal Auditors in the SDLC


:::-,.ltion l. An internal auditor holds an advisory role in every phase of the SDLC.
::1.1h-st Normally, an internal auditor is invited as an independent party during each
: : afort. meeting of the SDLC project. Advice from an internal auditor is needed on cer-
tain risk areas ofthe development process to ensure an effective system is cre-
ated. Other roles of an internal auditor are listed below:

-
.i:llea- . Review the project proposal generated during the system planning phases.
, uaa,, This is to ensure issues such as control procedures and governance activities
--.
are properly addressed.
. Review the relevant documents generated during system testing. This is to
ensure the output generated meets the requirements needed by the end users;
' .r;-r ti,c and to comply with the organizationt policies, as well as conform to rules
and regulations stipulated by the regulatory body.
'. llLlra. : '
. Review and examine various documents generated at every phase of the
..'. -11il:- - SDLC processes. This is to determine that the project is run smoothly. Other
- -'-- +1-
than that, an internal auditor could also use the other tools of assessment
:r:..ra: such as an inquiry and a checklist. Results from this process will help an
. i'
internal auditor evaluate ifthe project is developed in the best interest ofthe
: :i-r1---' organization.
2. The role of an internal auditor is to provide an independent view on issues during the development process.
An internal auditor who is independent of the SDLC is able to provide independent or unbiased opinions in regard to any issues derived during the development of the project. This is important as the project has two parties, that is, the management (end users of the system) and the system analyst (could be staff of the organization or a third-party developer), where both parties have their own interest in regard to the newly developed system. Therefore, the presence of an internal auditor is needed to ensure that the project is carried out effectively without jeopardising the interest of the parties involved. However, in providing advice an internal auditor must maintain his or her integrity by remaining in an advisory capacity. An internal auditor should not be directly involved with the actual design or testing activities of the new system.
126 Part Three Internal Auditing Process and Techniques
3. An internal auditor is involved in auditing the SDLC.
An audit on the SDLC is important to assure the management that the actual
development of the project complies with the necessary requirements stated in
the SDLC methodology. The objectives of the audit are:
. To ascertain that the standards and procedures for the SDLC are made available and followed accordingly;
. To ascertain that resources are effectively and efficiently utilised to enable the project to meet its deadline;
. To ascertain that proper authorisation/approval is sought at each stage prior to the commencement of further tasks;
. To ascertain that project documentation is current and properly maintained for future review;
. To ascertain that test documentation, including test plans and results, is adequately maintained; and
. To ascertain that proper change request procedures exist to ensure all changes are authorised and attended to on a timely basis.

Auditing of E-commerce
Electronic commerce, commonly known as e-commerce, is the process by which organizations conduct their business over electronic systems such as the Internet and other computer networks with their customers, suppliers and other external business partners. According to the IT Audit Assurance Guidance (issued by ISACA, 2010), e-commerce includes both business-to-business (B2B) and business-to-consumer (B2C) models, but it does not include existing non-Internet e-commerce methods that are based on private networks, for example, Electronic Data Interchange (EDI) and SWIFTNet.
The use of e-commerce may expose a company's sensitive information, as well as its programs and hardware equipment, to potential sabotage by external parties, especially hackers. There is an indefinite number of threats in regard to the use of e-commerce as a business model, which include:

. virus infections;
. hacking;
. cybercrime; and
. failure of the system and infrastructure.

Challenges and Internal Auditing

The unlimited number of Internet exposures when using an e-commerce model has caused management concern over the need for strong control of the organization's IT environment. Management could use various control tools such as firewalls, antivirus, encryption techniques and others to protect company data and application systems. Besides having all these security tools, management requires the assistance of internal auditors to review the ability and adequacy of the existing security control. The following are some areas of concern for an internal auditor in regard to e-commerce.
Chapter 8 Internal Audit Tools and Techniques
i '
'lit' auditors
Knowledge of Security Exposures and Control Measures

Internal auditors should equip themselves with the various security breach techniques (e.g., hacking, spamming, virus attacks) associated with e-commerce transactions. They should be capable of addressing those security issues. They need to understand that different security threats require different approaches and solutions.
For example, inadequate network access control may increase the possibility of unauthorised access (e.g., hacking) by an external party into the company's sensitive and confidential data. An internal auditor could perform a penetration test to examine the effectiveness of an organization's information security. It is a test where an internal audit team will try to break into an organization's information system legally. Normally the team will try different methods to compromise a company's system in order to assess the level of security control. If the level of security control is poor, the team would recommend additional protection tools. For example, a company could exercise the idea of defence-in-depth, that is, a process where the company employs multiple layers of protection tools to avoid a single point of failure. One of the tools is a firewall with several authentication methods (ID card, password and biometrics) used simultaneously to access the company's website.
An effective recommendation will help management overcome issues in a short period of time, thus allowing management to focus on other critical areas of business operations.
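The defence-in-depth idea described above, as an added illustration that is not from the textbook: a small Python access check in which three independent layers (a network allow-list, a salted password hash and a time-based one-time code, standing in for the chapter's ID card, password and biometrics) are each evaluated separately, and access is granted only when all of them pass. The allow-list, user record, key material and request values are constructed for this example, and the one-time-code routine follows the RFC 6238 construction, which the chapter itself does not discuss.

```python
"""Added example (not from the textbook): a layered ("defence-in-depth")
access decision.  Each layer is checked on its own and access is granted
only when every layer passes, so the failure of any single control does
not by itself open the door.  The allow-list, the user record, the key
material and the sample request are all constructed for this illustration.
"""
import hashlib
import hmac
import ipaddress
import struct
import time

# Layer 1: network access control (constructed allow-list of internal ranges).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]


def network_allowed(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


# Layer 2: password, stored only as a salted PBKDF2 hash.
def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_ok(password, salt, stored_hash):
    # Constant-time comparison so response timing does not leak the match length.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


# Layer 3: time-based one-time code (RFC 6238 construction, 30-second step).
def totp(secret, unix_time, digits=6, step=30):
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def otp_ok(secret, submitted, unix_time):
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def access_decision(user, request, unix_time):
    """Evaluate every layer and return (granted, names_of_failed_layers).

    All layers are evaluated rather than short-circuited so that the audit
    log records every control that failed, not just the first one.
    """
    failed = []
    if not network_allowed(request["ip"]):
        failed.append("network")
    if not password_ok(request["password"], user["salt"], user["pw_hash"]):
        failed.append("password")
    if not otp_ok(user["otp_secret"], request["otp"], unix_time):
        failed.append("otp")
    return (not failed, failed)


# Constructed user record (in practice salt and OTP secret are random per user).
SALT = b"constructed-salt-value"
USER = {"salt": SALT,
        "pw_hash": hash_password("correct horse battery", SALT),
        "otp_secret": b"constructed-otp-secret"}

if __name__ == "__main__":
    now = int(time.time())
    req = {"ip": "10.1.2.3", "password": "correct horse battery",
           "otp": totp(USER["otp_secret"], now)}
    print(access_decision(USER, req, now))
```

The point for the auditor is the shape of access_decision: no single layer decides, and the list of failed layers is what should reach the security log, never the user, so that a weak or bypassed control shows up in review rather than silently letting a request through.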

Skills and Experience in Handling E-commerce Security Issues

The use of e-commerce as part of business operations has increased the function, scope and responsibilities of the IT department. As a result, internal auditors need to equip themselves especially to better their skills and knowledge of the latest developments in IT control procedures. If possible, auditors must understand the concept behind the development of the e-commerce business model. This could help them identify any vulnerable areas exposed to external or internal threats.

Question on Loss of Transaction Integrity

Since e-commerce transactions do not involve physical documentation, internal auditors should focus on the adequacy of the security control as stated in the IT policy and procedures. The auditors could also perform a walkthrough of the e-commerce system to ensure that a proper security control procedure is installed and implemented at every stage of the transaction.
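As an added example (not from the textbook) of what a control "at every stage of the transaction" can look like when there is no paper trail: each stage of a constructed e-commerce transaction is recorded together with an HMAC that also covers the previous record, so an auditor holding the verification key can walk through the records and locate the first stage that was altered, dropped or reordered. The key, the stage names and the order details are constructed assumptions for this illustration.

```python
"""Added example (not from the textbook): an integrity check over the
records of an e-commerce transaction that has no paper trail.  Each stage
(order, payment authorisation, despatch) is appended as a record whose HMAC
covers its own fields and the tag of the record before it, so an auditor
holding the verification key can walk the chain and find the first stage
that was altered, removed or reordered.  The key, stage names and order
details are constructed for this illustration.
"""
import hashlib
import hmac
import json

VERIFY_KEY = b"constructed-audit-key"   # held by the control function, not the web app
STAGES = ("order_placed", "payment_authorised", "despatched")


def _tag(key, prev_tag, stage, payload):
    # Canonical JSON so the same payload always produces the same tag.
    msg = prev_tag + "|" + stage + "|" + json.dumps(payload, sort_keys=True)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def append_stage(chain, stage, payload, key=VERIFY_KEY):
    """Append one stage record bound to everything recorded before it."""
    prev_tag = chain[-1]["tag"] if chain else ""
    chain.append({"stage": stage, "payload": payload,
                  "tag": _tag(key, prev_tag, stage, payload)})
    return chain


def verify_chain(chain, key=VERIFY_KEY, expected_stages=STAGES):
    """Return (ok, index_of_first_bad_record); the index is len(chain) when a stage is missing."""
    prev_tag = ""
    for i, rec in enumerate(chain):
        # Stage order must match the procedure; a skipped or reordered stage fails here.
        if i >= len(expected_stages) or rec["stage"] != expected_stages[i]:
            return False, i
        expected = _tag(key, prev_tag, rec["stage"], rec["payload"])
        if not hmac.compare_digest(rec["tag"], expected):
            return False, i            # record altered after it was written
        prev_tag = rec["tag"]
    if len(chain) != len(expected_stages):
        return False, len(chain)       # transaction incomplete: a stage is missing
    return True, -1


def sample_transaction():
    """Constructed three-stage transaction for order O-42."""
    chain = []
    append_stage(chain, "order_placed", {"order": "O-42", "amount": 120.00})
    append_stage(chain, "payment_authorised", {"order": "O-42", "auth_ref": "A-9"})
    append_stage(chain, "despatched", {"order": "O-42", "carrier": "constructed"})
    return chain


if __name__ == "__main__":
    chain = sample_transaction()
    print(verify_chain(chain))
    chain[0]["payload"]["amount"] = 12.00      # tamper with the recorded amount
    print(verify_chain(chain))
```

In a walkthrough the auditor would check that the key is held outside the application that writes the records, since an application that can both write a record and compute its tag can also rewrite history; with that separation in place, the first failing index tells the auditor which stage of the transaction procedure to examine.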

Audit on E-commerce

Once a company has operated online, an internal audit has to consider an e-commerce audit in the annual audit plan. This is important to help management in evaluating the existing system of internal control on the current e-commerce model. Generally, the reasons for an audit on e-commerce are:

. To assess the effectiveness of the infrastructure and security measures of an e-commerce system.
. To evaluate compliance of e-commerce business operations with an organization's IT security policies as well as with industry good practices.
. To evaluate the readiness of IT functions in the event of a major failure in e-commerce business transactions.
. To identify other security issues that may affect the current infrastructure of an e-commerce model.

Computer-Assisted Audit Techniques (CAATs)


Computer-assisted audit techniques (CAATs) or computer-assisted audit tools and techniques (CAATTs) are an approach to auditing using computers. CAATTs offer various tools or utilities which help the auditor select, gather, analyse and report audit findings. At the basic level, CAATTs include ordinary Microsoft Office applications such as spreadsheets, word processors and text editing programs, whereas more advanced software packages offer more functions such as statistical analysis and report writing tools. Some functions provided by CAATTs are:

Information Retrieval and Analysis


Auditors could use automated retrieval and analysis tools to assess data and records
and to evaluate and analyse them based on the criteria or parameters set by them.
Common audit tests or routines in data analysis such as matching transactions,
identifying duplicate transactions, checking of approvals versus authorisation lim-
its, system overrides, access authorities and telephone usage could be handled by
systems rather than done manually.

Fraud Detection Tool
Auditors could use highly sophisticated software to identify unexpected or unex-
plained patterns in data that may indicate a possible fraud case. For example,
software may warn the user the existence of duplicate payments, long overdue out-
standing accounts, sudden write-offs, unusual expensive acquisition or overrides of
authorisation limit.
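The data-analysis routines named under Information Retrieval and Analysis and Fraud Detection Tool, as one added Python example that is not from the textbook or from any CAAT product: it runs duplicate-payment, authorisation-limit, override and overdue-receivable tests over a constructed ledger and returns the exceptions for the auditor to follow up. The ledgers, the approver limits and the 90-day overdue threshold are constructed assumptions.

```python
"""Added example (not from the textbook): a small CAAT-style script that
runs the data-analysis tests named on the page over a constructed set of
payment and receivable records: duplicate payments, approvals above the
approver's authorisation limit, authorisation overrides and long-overdue
accounts.  All records, names, limits and thresholds are constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed authorisation limits: the largest amount each role may approve.
APPROVAL_LIMITS = {"clerk": 1_000, "manager": 10_000, "director": 100_000}

# Constructed payments ledger.
PAYMENTS = [
    {"id": "P001", "vendor": "V-100", "invoice": "INV-7", "amount": 950.00,
     "approver": "clerk", "override": False},
    {"id": "P002", "vendor": "V-100", "invoice": "INV-7", "amount": 950.00,
     "approver": "clerk", "override": False},      # same vendor/invoice/amount as P001
    {"id": "P003", "vendor": "V-200", "invoice": "INV-8", "amount": 25_000.00,
     "approver": "manager", "override": False},    # above the manager's limit
    {"id": "P004", "vendor": "V-300", "invoice": "INV-9", "amount": 4_000.00,
     "approver": "clerk", "override": True},       # clerk used an override
    {"id": "P005", "vendor": "V-400", "invoice": "INV-10", "amount": 60_000.00,
     "approver": "director", "override": False},
]

# Constructed receivables ledger.
RECEIVABLES = [
    {"customer": "C-1", "amount": 5_000.00, "due": date(2023, 1, 15)},
    {"customer": "C-2", "amount": 1_200.00, "due": date(2023, 5, 1)},
]


def duplicate_payments(payments):
    """Group by (vendor, invoice, amount); any group with more than one record is a duplicate."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["invoice"], round(p["amount"], 2))].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def limit_breaches(payments, limits):
    """Payments whose amount exceeds the authorisation limit of the person who approved them."""
    return [p["id"] for p in payments if p["amount"] > limits[p["approver"]]]


def overrides(payments):
    """Payments where the normal authorisation control was overridden."""
    return [p["id"] for p in payments if p["override"]]


def overdue(receivables, as_of, days=90):
    """Receivables outstanding for more than `days` after their due date."""
    return [r["customer"] for r in receivables if (as_of - r["due"]).days > days]


def run_caat(payments=PAYMENTS, receivables=RECEIVABLES, as_of=date(2023, 6, 30)):
    """Return one dict of exceptions per test for the auditor to follow up."""
    return {
        "duplicates": duplicate_payments(payments),
        "limit_breaches": limit_breaches(payments, APPROVAL_LIMITS),
        "overrides": overrides(payments),
        "overdue": overdue(receivables, as_of),
    }


if __name__ == "__main__":
    for test_name, hits in run_caat().items():
        print(f"{test_name}: {hits}")
```

Each test is a short, separately named function so that the working papers can record exactly which routine produced each exception; P004 appearing under both limit_breaches and overrides is the kind of overlap an auditor would want to see rather than have collapsed into one line.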

Audit Reporting Function


CAATTs provide tools to enable automatic linking between work performed, infor-
mation gathered, auditor assessments and information used in supporting audit
report writing function. This function allows auditors to minimise duplication of
writing or translating information from one section of the audit working papers to
another related section or in writing it as a summary. Intelligent CAATTs may note audit findings in the audit programs, checklist or internal control questionnaire and then transfer the related information into the management letter for reporting to the management.

Advantages of CAATs
CAATs are suitable for auditing large volumes of transactions. They are valuable to organizations with complex processes, distributed operations and high transaction volumes. The use of CAATs will help auditors scrutinise all business data and highlight any unusual transactions.
As businesses expand, most companies prefer company data to be kept electronically rather than in printed form. Therefore, the use of CAATs is important for auditors to gain access to audited data in a much more efficient way. Direct access to an organization's data will eventually reduce the time and effort spent in performing audit procedures with assured accuracy.
Using CAATs in performing substantive testing will provide total assurance to the area being audited. It allows auditors to point out errors or fraud easily in order to provide effective recommendations. This will also increase the credibility of auditors in the eyes of the management.
CAATs provide a standard uniform practice and a user-friendly interface for auditors. They allow auditors to perform various tasks, irrespective of the data format and/or the underlying operating system of an organization. The CAE could also use a log analysis that contains all tests conducted using the software for the purpose of reviewing
Disadvantages of CAATs
. The issue of cost outweighing the benefit of purchasing audit software is one of the limitations of having CAATs in an organization. The question is whether management is willing to invest in new audit software and bear all related costs. There are many costs associated with using this software, including the following:
  . purchasing and installing the software;
  . training the staff in using the software;
  . ring the software; and
  . expenses such as telephone charges to contact the service centre if it is located abroad.

. Certain audit software may have compatibility issues with the existing software applications used by a company. The use of CAATs may not be suitable with complex operating systems. Therefore, it becomes problematic for auditors to use the software to gain access to the auditee's database pertaining to the audited transactions.
. The installation and use of new audit software may sometimes require certain computer resources or facilities. Normally there are a few system requirements that need to be addressed by the management for the purpose of installation; for example, the type of processor, the size of memory and storage required, compatibility with a DVD-ROM drive and an Internet connection for registration purposes. Problems may also arise when auditors use the software to perform audit procedures. This is a typical situation where the audit process is in conflict with the normal processing of a company's transactions, which may result in server failure.
. CAATs, which are used to extract business data, have various security issues. Sensitive business data such as customers' details, business plans and strategies could be compromised by irresponsible persons if not handled properly. Inadequate control procedures on handling business data could also contribute to this issue.
SUMMARY
The job of internal auditors in regard to an IT audit is very challenging as it involves reviewing and reporting audit findings that are highly technical. To perform audit procedures effectively, auditors should possess adequate IT knowledge, technical skills and experience. This would also enable auditors to translate the audit findings into value-added recommendations that could assist an organization in achieving its business objectives.

Key Terms
application control
computer-assisted audit techniques
disaster recovery
encryption technique
Internet
firewall
general control
hardware control
input control
local area network
logical access control
output control
processing control
Review Questions
1. Discuss guidelines when performing an IT audit.
2. Discuss six major areas in regard to IT audit.
3. Identify and discuss the advantages and disadvantages of CAATs.
4. List the audit procedures pertaining to an audit of a systems development.
5. What are the differences between business conducted in the traditional manner and one using the Internet?
6. Design an internal audit program for an e-commerce audit.

References

Anantha Sayana, S. (2003) Using CAATs to Support IS Audit. ISACA Journal, Volume 1.
Anantha Sayana, S. The IS Audit Process. ISACA Journal.
Arens, A.A., Elder, R.J., Beasley, M.S. et al. (2008) Auditing and Assurance Services in Malaysia. Pearson Malaysia.
Blanco, L. (2002) Audit Trails in an E-commerce Environment. ISACA Journal, Volume 5.
The Institute of Internal Auditors (IIA) (2007) GAIT Methodology: A Risk-based Approach to Assessing the Scope of IT General Controls.
The Institute of Internal Auditors (2008) Guide to the Assessment of IT Risk (GAIT-R).
IS Auditing Guideline: G3 Use of Computer Assisted Audit Techniques (CAATs). 2008.
IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance. ISACA, 2010.
Kaur, J. et al. (2008) IS Auditing Standards in Malaysia. ISACA Journal, Volume 1.
Lee, M., Haron, H., Ismail, I. et al. (2009) Principles and Contemporary Issues in Internal Auditing. McGraw-Hill.
Romney, M.B. and Steinbart, P.J. Accounting Information Systems. Pearson Education Limited.
Singleton, T.W. (2004) Systems Development Life Cycle and IT Audits. ISACA Journal.
