IS Audit Week 1 Lecture

The document outlines the course structure and goals for an IS Audit & Control class taught by Abdul-Rahman Mahmood at FAST-NU, detailing attendance requirements, assessment methods, and course content related to information systems auditing. It also discusses the history and evolution of auditing practices, the significance of the Big Four accounting firms, and the stages of an audit process. Additionally, it highlights the growing importance of IT in financial operations and the changing landscape of the accounting profession.

IS Audit & Control

Abdul-Rahman Mahmood
Assistant Professor, Computer Science, FAST-NU

reddit.com/user/alphapeeler
alphapeeler.sf.net/pubkeys/pkey.htm
www.flickr.com/alphapeeler
pk.linkedin.com/in/armahmood
http://alphapeeler.tumblr.com
https://alphapeeler.sourceforge.net/index4stu.html#about
https://pk.linkedin.com/in/armahmood
http://alphapeeler.sf.net/
pinterest.com/alphapeeler
bqb-tsid-asp
alphapeeler
abdulmahmood-sss
armahmood786

Student Life Achievements

• Operating Systems book
  https://alphapeeler.sourceforge.net/index4stu.html#achievements_os
• CEHv12 Mod020 – Cryptanalysis
  https://alphapeeler.sourceforge.net/index4stu.html#achievements_cryptana
• AlphaPeeler Credited by other YouTubers
  https://alphapeeler.sourceforge.net/index4stu.html#achievements_yt
• Referred in Certified Ethical Hacking manuals
  https://alphapeeler.sourceforge.net/index4stu.html#achievements_ceh
• Books and articles references
  https://alphapeeler.sourceforge.net/index4stu.html#achievements_books_articles
  https://www.taylorfrancis.com/chapters/edit/10.1201/9781003508632-6/cryptanalysis-using-cryptool-alphapeeler-bishwajeet-pandey-keshav-kumar-pushpanjali-pandey-bakar

Reference books
• IT Auditing: Using Controls to Protect Information Assets, 2nd Edition by Chris Davis, Mike Schiller with Kevin Wheeler.
• Auditing Information Systems, Second Edition by Jack J. Champlain.
• Information System Control and Audit by Ron Weber
• CISA Review Manual 2010

• Attendance will be marked only if you are present in class.
• Attendance: 80% is required to be able to sit in final exams.
• Remaining 20%: sick leave, internships, job, emergencies, accidents or going to phoppo's house, or any reason.
• Cross Section Attendance is not allowed
• Late Assignment Submission till after 1 week of actual deadline. (Marks deduction applies for late submission)
• After 1 week submissions of assignment won’t be accepted.
• All Submissions on Google forms, no email submission
• Plagiarism will not be tolerated.
• Class Exit SOP: wait for me to exit you.
• Q&A session: Last 5-7 minutes of each lecture.
• For further discussions, refer consultation schedule:
  https://calendar.google.com/calendar/u/1?cid=YWJkdWxyYWhtYW5AbnUuZWR1LnBr

Assessment
• The course material builds your innovation skills cumulatively
• Spot tests will be given periodically to assess your comprehension of the readings.
• Class participation is graded based on student participation in practicum exercises.
• There will be midterm and final examinations that are cumulative.
  • Midterm 30%
  • Assignment 10%
  • Final Exam 50%
  • Project 10%
  • Total 100%

GCR codes (Section as on flex)
Section A: fpmpz26
Section B: moqtiwa

Course Catalogue - HEC
• Course Outline:
  • IS Audit charter, Policies, Procedures, Audit computer networks and communication, Auditing software development, Acquisition, Maintenance, Auditing IT infrastructure, Auditing Management and Organization, Business process re-engineering: IS audit proposal, report, evidence and follow-up, complaint to standard, Enterprise service agreement, Backup and procedures

Course Goals
• After successful completion of this course students should be able to do auditing of information systems.
• Develop and implement a risk-based IS audit strategy in compliance with IT Audit Standards, to ensure that key areas are included.
• Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
• Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
• Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.
• Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner.

Auditing
• An audit is an evaluation of an organization, system, process, project or product.
  • performed by a competent, independent, objective, and unbiased person or persons, known as auditors.
• Purpose
  • Make an independent assessment based on management's representation of their financial condition (through their financial statements).
  • To ensure the operating effectiveness of the internal accounting system is in accordance with approved and accepted accounting standards / practices.
  • Evaluates the internal controls to determine if conformance will continue, and recommends necessary changes in policies, procedures or controls.
• Auditing is a part of quality control certifications such as ISO 9000.

Financial Audit
• Is an assurance or attestation on financial statements provided by accounting firms, whereby the firm provides an independent opinion on published information.
• Performed by firms of practicing accountants due to the financial reporting knowledge they require.
• Internal auditors do not attest to financial reports but focus mainly on the internal controls of the organization.
• External auditors
  • US's Certified Public Accountant (CPA)
  • UK's Chartered Certified Accountant (ACCA) and Chartered Accountants
  • (A.F. Ferguson & Co., KPMG Taseer Hadi & Co., Moody International)

History
• Independent auditing developed with the expansion of the British Empire in the 19th century
• Prior to the 1930s, corporations were required neither to submit annual reports to government agencies or shareholders nor to have such reports audited.
  • The 1929 boom initiated pressure for audit of publicly traded companies;
  • In the UK, the London Association of Accountants successfully campaigned for the right to audit companies in 1930
  • In the US, the Securities Exchange Act of 1934 required all publicly traded companies to disclose certain financial information, and that financial information be audited.
  • The establishment of the U.S. Securities and Exchange Commission (SEC) created a body to enforce the audit requirements.
• Securities and Exchange Commission of Pakistan (1999)

History since 1980
• The Pro-business Reagan administration in the US, and the Thatcher regime in the UK lifted many of the controls over the profession
  • Leading to abuses that resulted in the crashes of 1987 and 2001
• Since then, the Sarbanes-Oxley Act (SOX) has forced an expansion of audit responsibility and driven up audit revenues (and costs)
• One study estimated the net private cost of SOX to amount to $1.4 trillion in the US.
  • It is an econometric estimate of “the loss in total market value around the most significant legislative events”—i.e., the costs minus the benefits as perceived by the stock market as the new rules were enacted.

Worldwide Big 4 revenues
• The revenues of the big accounting firms grew by a healthy 15% last year.
• The 5th largest firm, Grant Thornton, has only around 10% of the revenues of KPMG
https://www.statista.com/statistics/250479/big-four-accounting-firms-global-revenue/
[Figure: Growth of 'Big 4' Revenues; y-axis: Revenues; x-axis: Year, 2000 to 2012]

Audit Firms
• The largest accounting firms (the 'Big 4' or ‘Final 4’) audit nearly all of large quoted/listed companies.
• In addition to providing audits, they also provide other services including tax advice and strategic consultancy
• They are in effect, the back office of the global markets
• They are a “private police force… hired, fired and paid for by company management”
• The “big four” firms employ around half a million people

Stages of an audit
• Planning and risk assessment.
• Internal controls testing.
• Substantive procedures
Stages of an audit
Planning and risk assessment
• Timing: before year-end
• Purpose:
  • to understand the business of the company and the environment in which it operates.
  • to determine the major audit risks (i.e. the chance that the auditor will issue the wrong opinion).
  • For example, if sales representatives stand to gain bonuses based on their sales, and they account for the sales they generate, they have both the incentive and the ability to overstate their sales figures, thus leading to overstated revenue.
  • In response, the auditor would typically plan to increase the precision of their procedures for checking the sales figures.

Stages of an audit
Internal controls testing
• Timing: before year-end
• Purpose: to assess the internal control procedures
  • (e.g. by checking computer security, account reconciliations, segregation of duties). If internal controls are assessed as strong, this will reduce (but not entirely eliminate) the amount of 'substantive' work the auditor needs to do

Definitions
• Balance Sheet: A financial statement that summarizes a company's assets, liabilities and shareholders' equity at a specific point in time. These three balance sheet segments give investors an idea as to what the company owns and owes, as well as the amount invested by shareholders.
• The balance sheet adheres to the following formula:
  • Assets = Liabilities + Shareholders' Equity

Definitions
• In accounting and finance, equity is the difference between the value of the assets/interest and the cost of the liabilities of something owned. For example, if someone owns a car worth $15,000 but owes $5,000 on that car, the car represents $10,000 equity.

Definitions
• In financial accounting, a cash flow statement, also known as statement of cash flows, is a financial statement that shows how changes in balance sheet accounts and income affect cash and cash equivalents, and breaks the analysis down to operating, investing and financing activities.

Stages of an audit
Substantive procedures
• Timing: after year-end
• Purpose: to check that the actual numbers in the Income Statement and Balance Sheet (and, where applicable, Statement of Changes in Equity and Cash Flow Statement) are reliable, by performing tests that use the numbers provided.
• Methods:
  • where internal controls are strong, auditors typically rely more on Substantive Analytical Procedures (the comparison of sets of financial information, and financial with non-financial information, to see if the numbers 'make sense' and that unexpected movements can be explained)
  • where internal controls are weak, auditors typically rely more on Substantive Tests of Detail (selecting a sample of items from the major account balances, and finding hard evidence (e.g. invoices, bank statements) for those items)
Audit Report Card
• In 2005, 174 auditors were inspected by the Public Company Accounting Oversight Board (PCAOB)
  • almost half have been deemed to have some trouble doing their job satisfactorily.
• On January 19th 2006, Grant Thornton became the latest.
  • Fifteen of its audits were found to have significant “deficiencies” and one client had to restate at least part of its financial statements as a result of the inspection.
• Some audits by the “Big Four” accounting firms have also been found wanting (A few clients of each of the four restated their accounts)
  • At least 19 of PwC's audits, for instance, were found to include deficiencies.
• Most of these failures resulted from accounting firms’ inability to properly audit computer based accounting systems

New Business Models
• The business of providing high-end temporary accounting help is already worth $5 billion a year
• Siegfried Group has seen Revenues sextuple in the past two years, to $73m.
  • In 2003 its core accounting business had just 15 clients; last year it had 100; by the end of May it had 155.
  • More than 50 of these are among America's largest companies.
  • Siegfried has even received business from a Big Four accounting firm.
• Siegfried's astonishing growth is explained by what it does not do: consulting and auditing, the signature products of the big firms.
• Siegfried is on the other side of the outsourcing boom: it is an insourcer.

The Information Tech Industry
• IT now represents 60% of expenditure in Fortune 500 companies
  • 90% in Finance companies
  • Over $4 trillion annual expenditure (broadly defined)
• Most of this is financial record keeping

How did we get here?
Automated Clerks: 1963-1980
• Back Office
• Computers as automated accountants
• Goals were efficiency and cost control
• “Legacy” systems automated manual tasks
• … but had no significant effect on management’s decision making

How did we get here?
Empowerment: 1980-1995
• Client / server systems enhanced the productivity of knowledge workers
• Word processing, spreadsheets, and other tools
• Fomented a “white-collar” revolution

How did we get here?
Networking: 1995 onward
• The Virtual Office (Global Marketplace)
• Net and Web and internal networks integrate the separate activities of the firm
• What were “islands of data” have become “knowledge nodes” accessible to the whole firm
• … and the global marketplace

How did we get here?
Embedding: 2002-2010
• Computers grow cheap, small and powerful
• Morphing into a commodity platform
• Which substitutes for all sorts of devices

How did we get here?
Invisibility: c. 2020
“The Web” becomes
• an all-pervasive info presence,
• Devices plug in and rewire on the fly
• “Smart dust” monitors everything
• The Rest?: Machines taking care of the work

Where are we?
Industry Structure, c. 2006

Information Technology Market   Annual Expenditures ($US billion)   Employees (thousand)   Major Suppliers
Operations & Accounting         500                                 2000                   US, India
Search & Storage                1000                                5000                   US
Tools                           300                                 300                    US, Germany
Embedded                        1500                                700                    US, Japan, Korea, Greater China
Communications                  700                                 2000                   US, Germany, Japan, Greater China
Total                           4,000                               10,000

GWP ~$45 trillion (Pop: 6 billion)
US GDP ~$10 trillion (Pop: 300 million)
* Gross domestic product (GDP)
* The gross world product (GWP)

Where’s the Money?
U.S. Output: Contribution to GDP (in billions)
• Information Technology, $534
• Life Sciences, $712
• Finance, $820
• Manufacturing, $2,839
• Services, $2,965
• Other, $2,989

Operations & Accounting
Market Share of servers 2017
Networks Servers OS
Email servers

DB servers
https://www.differencebtw.com/difference-between-stand-alone-operating-systems-and-server-operating-systems/

Problems: Malware and Spam 2016 IT Industry Leaders

https://www.statista.com/chart/10045/new-malware-specimen-and-share-of-windows-based-malware/

Europe’s Venture Capital


Industries 2024

Hardware & Software

https://seedblink.com/2024-08-01-state-of-fundraising-in-q2-2024-key-findings-from-market-reports

Software & Hardware
• Until the 1950s, there was no differentiation between the two
• By the turn of the 21st century, they had both been commoditized
• Most of the money in IT now goes into:
  • System customization (about 20%)
  • Data (around 75%)
• Hardware Taxonomy:
  [Diagram labels: Central Processing Unit; Memory; Processor; Network; Peripheral Devices (Video, Bus, Etc.); Cache; RAM / ROM; Optical & Magnetic Media; Fast; Slow]

Software Taxonomy
[Diagram labels: Operating Systems; Specialized O/S; Network O/S; Database O/S; Utilities; Applications; Programming Languages, Tools & Environments; Utilities and Services]
Programming Applications Software Rules (1967:2000)

• Basically the core task in Information System
• Languages:
  • Translate from human language (task specific)
  • To machine language (bits & bytes)
  • And back to human language
• Today, these are just one part of a Development environment
  • That keeps track of numerous design decisions.
• What Machines do Well
  • High speed arithmetic
  • Massive storage and search
  • Repetitive, structured processes
• Consequently they often have difficulty with many real world tasks

• Proportion of total IT industry revenues
• 1967-2000
[Figure: series: Software; Communications equipment; Computer Hardware; Photocopying, office and accounting equipment; y-axis: % Share; x-axis: 1987 to 2000]

IT’s Contribution to US GDP Growth
[Figure: IT Contribution to Real GDP Growth; x-axis: Year, 1950 to 2010]
http://www.itcandor.com/cloud-forecast-q217/

Accounting Data is increasingly Internet Traffic

How does IS change accounting?
• They have shifted
  • away from the economics of shortage and resource allocation,
  • Towards an economics of increasing returns
  • information, attention and coordination

What Auditors Need to Know about IS
1. IS Security
2. Utility Computing and IS Service Organizations
3. Physical Security
4. Logical Security
5. IS Operations
6. Controls Assessment
7. Encryption and Cryptography
8. Computer Forensics
9. New Challenges from the Internet: Privacy, Piracy, Viruses and so forth
10. Auditing and Future Technologies (RFID, Full Automation of Substantive and Control Tests)

Future Opportunities
• Automated / Robot Auditors
• Technologies:
  • Scanning,
  • Surveillance,
  • Logging and Analysis,
  • Forensics
• Advantages:
  • Always ‘on’
  • Sample sizes large enough for reliability
  • No system ‘learning curve’; shared experience database
  • Objective, Not biased / unfavorable assessment

Organization of IS Audit study
[Diagram labels: External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; The Physical World; Transactions; 'Owned' Assets and Liabilities; Corporate Law; Audit Program; Tests of Transactions; Substantive Tests; Analytical Tests; Audit Report / Opinion; Attestation; Auditing; Accounting Systems; The Parallel (Logical) World of Accounting; Ledgers: Databases; Journal Entries; Reports: Statistics]

What is IS Auditing?
Why is it Important?
What is the Industry Structure?
Attestation and Assurance

How Auditors Should Visualize Computer Systems
[Diagram labels: Audit Objectives; Reporting Risks (External Audit); Control Process Risks (Internal & External Audits); Asset Loss Risks (Internal Audits); Transaction Flows; Business Application Systems; Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment]

The IS Auditor’s Challenge
• Corporate Accounting is in a constant state of flux
  • Because of advances in Information Technology applied to Accounting
  • Information that is needed for an Audit is often hidden from easy access by auditors
  • Making computer knowledge an important prerequisite for auditing
• IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations

The Challenge to Auditing Presented by Computers
• Transaction flows are less visible
• Fraud is easier
  • Computers do exactly what you tell them
  • To err is human
  • But, to really screw up you need a computer
• Audit samples require computer knowledge and access
• Transaction flows are much larger (good for the company, bad for the auditor)
  • Audits grow bigger and bigger from year to year
  • And there is more pressure to eat hours
• Environmental, physical and logical security problems grow exponentially
  • Externally originated viruses and hacking
  • are the major source of risk
  • (10 years ago it was employees)

The Challenge to Auditing Presented by The Internet
• Transaction flows are External
  • External copies of transactions on many Internet nodes
• External Service Providers for accounting systems
  • require giving control to outsiders with different incentives
• Audit samples may be impossible to obtain
  • Because they require access to 3rd party databases
• Transaction flows are intermingled between companies
• Environmental, physical and logical security problems grow exponentially
  • Externally originated viruses and hacking
  • are the major source of risk
  • (10 years ago it was employees)