Chapter Two

Control and Audit of AIS


Overview

 AIS is a system that collects, records, stores, and processes data to produce information for decision makers.
 Control objectives are similar regardless of the data processing methods.
 However, control policies and procedures are different because:
   Computer processing may reduce clerical errors but increase the risk of unauthorized access.
   Segregation of duties is achieved differently.
Information Systems Control

 Internal controls are processes implemented to provide assurance that the following objectives are achieved:
   Safeguard assets
   Maintain sufficient records
   Provide accurate and reliable information
   Prepare financial reports according to established criteria
   Promote and improve operational efficiency
 Internal controls perform three important functions:
   Preventive controls: deter problems from occurring.
   Detective controls: discover problems that are not prevented.
   Corrective controls: correct and recover from problems.
Application Controls (revisit)

Revenue Cycle: Sales and Cash Collections
and
Expenditure Cycle: Purchasing and Cash Disbursements
Revenue Cycle

 Selling goods and services to customers and collecting cash in payment for those sales.
 Basic revenue cycle activities:
   Sales Order Entry: taking the customer’s order, checking and approving the customer’s credit, and checking inventory availability.
   Shipping: picking and packing the order, and shipping the order.
   Billing and Accounts Receivable: billing customers and updating
 AIS provides adequate controls to ensure:
   Transactions are properly authorized.
   Recorded transactions are valid.
 Control Objectives:
   Valid and authorized transactions are recorded.
   Transactions are recorded accurately.
   Assets are safeguarded from loss or theft.
   Business activities are performed
Threats and Applicable Control Procedures: Sales Order Entry

Threat: Incomplete or inaccurate customer orders
Control procedures: Data entry edit checks

Threat: Credit sales to customers with poor credit history
Control procedures: Credit approval by the credit manager; accurate records of customer account balances

Threat: Legitimacy of orders
Control procedures: Signatures on paper documents;
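The data entry edit checks and the credit-approval control named above, as an added worked example (this is not code from the slides). The customer file, inventory file and the set of orders the credit manager has approved are constructed sample data, and the function and field names are the example's own assumptions; the checks cover completeness, validity against master files, inventory availability and the credit limit in one pass:

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed master-file data standing in for the AIS inventory and customer files.
INVENTORY = {"SKU-100": 50, "SKU-200": 0}  # quantity on hand per SKU
CUSTOMERS = {
    "C001": {"credit_limit": Decimal("5000"), "balance": Decimal("1200")},
    "C002": {"credit_limit": Decimal("1000"), "balance": Decimal("950")},
}
# Constructed: order numbers the credit manager has explicitly approved
# even though they take the customer over the credit limit.
CREDIT_MANAGER_APPROVALS = {"SO-0002"}


@dataclass
class OrderLine:
    sku: str
    quantity: int
    unit_price: Decimal


@dataclass
class SalesOrder:
    order_no: str
    customer_id: str
    lines: list


def edit_checks(order):
    """Run data entry edit checks on a sales order.

    Returns a list of exception messages; an empty list means the order passes
    the completeness, validity, inventory-availability and credit checks.
    """
    errors = []

    # Completeness checks: required fields must be present.
    if not order.order_no:
        errors.append("missing order number")
    if not order.lines:
        errors.append("order has no line items")

    # Validity check: the customer must exist in the customer master file.
    customer = CUSTOMERS.get(order.customer_id)
    if customer is None:
        errors.append(f"unknown customer {order.customer_id!r}")

    order_total = Decimal("0")
    for n, line in enumerate(order.lines, start=1):
        # Field checks: SKU on file, positive quantity, non-negative price.
        if line.sku not in INVENTORY:
            errors.append(f"line {n}: unknown SKU {line.sku!r}")
        elif line.quantity <= 0:
            errors.append(f"line {n}: quantity must be positive")
        # Inventory availability check against quantity on hand.
        elif INVENTORY[line.sku] < line.quantity:
            errors.append(f"line {n}: insufficient stock for {line.sku}")
        if line.unit_price < 0:
            errors.append(f"line {n}: unit price cannot be negative")
        order_total += line.quantity * line.unit_price

    # Credit check: the projected balance must stay within the credit limit
    # unless the credit manager has approved this specific order.
    if customer is not None:
        projected = customer["balance"] + order_total
        if projected > customer["credit_limit"] and order.order_no not in CREDIT_MANAGER_APPROVALS:
            errors.append(
                f"credit limit exceeded ({projected} > {customer['credit_limit']}); "
                "credit manager approval required"
            )
    return errors


def check_order(order_no, customer_id, lines):
    """Convenience wrapper: `lines` are (sku, quantity, unit_price) tuples, price as a string."""
    order = SalesOrder(
        order_no, customer_id,
        [OrderLine(sku, qty, Decimal(price)) for sku, qty, price in lines],
    )
    return edit_checks(order)


if __name__ == "__main__":
    print(check_order("SO-0001", "C001", [("SKU-100", 10, "20")]))  # passes: []
    print(check_order("SO-0003", "C002", [("SKU-200", 5, "30")]))   # stock and credit exceptions
```

The order is never rejected silently: every failed check is returned as an exception message so the rejected input can be logged and handled under the organisation's error-handling policy rather than dropped.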
Threats and Applicable Control Procedures: Shipping

Threat 1: Shipping errors (wrong merchandise, wrong quantities, wrong address)
Control procedures: Reconciliation of sales order with picking ticket and packing slip; bar code scanners; data entry controls

Threat 2: Theft of inventory
Control procedures: Restrict physical access to inventory; documentation of all internal transfers of inventory;
Threats and Control Procedures: Billing and A/R

Threat 1: Failure to bill customers
Control procedures: Separation of shipping and billing functions; pre-numbering of shipping documents and periodic reconciliation to invoices; reconciliation of picking tickets and bills of lading with sales orders

Threat 2: Billing errors
Control procedures: Data entry edit controls; price
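Pre-numbering of shipping documents and their periodic reconciliation to invoices, as an added example that is not part of the slide deck. The shipping documents and invoices are constructed sample records, and the document number format and function names are assumptions of the example. It reports the four exception classes an auditor looks for: gaps in the pre-numbered sequence, shipments never billed, invoices with no shipment behind them, and quantity disagreements:

```python
import re

# Constructed sample documents. Shipping documents (bills of lading) are
# pre-numbered; each invoice references the shipping document it bills.
SHIPPING_DOCS = [
    # (shipping doc no, sales order no, sku, quantity shipped)
    ("BL-1001", "SO-501", "SKU-100", 10),
    ("BL-1002", "SO-502", "SKU-200", 3),
    ("BL-1004", "SO-504", "SKU-100", 7),   # BL-1003 is absent from the file
]
INVOICES = [
    # (invoice no, shipping doc no, quantity billed)
    ("INV-9001", "BL-1001", 10),
    ("INV-9002", "BL-1004", 5),            # billed quantity disagrees with the shipment
    ("INV-9003", "BL-1009", 2),            # no such shipping document exists
]

# Assumed document number format: letters, a dash, then a fixed-width number.
NUMBER_RE = re.compile(r"^(?P<prefix>[A-Z]+-)(?P<num>\d+)$")


def sequence_gaps(doc_numbers):
    """Return the pre-numbered document numbers missing between the lowest and highest seen."""
    parsed = [NUMBER_RE.match(d) for d in doc_numbers]
    if not parsed or any(m is None for m in parsed):
        raise ValueError("document numbers must look like BL-1001")
    prefix = parsed[0]["prefix"]
    width = len(parsed[0]["num"])
    seen = {int(m["num"]) for m in parsed}
    return [f"{prefix}{n:0{width}d}" for n in range(min(seen), max(seen) + 1) if n not in seen]


def reconcile(shipping_docs, invoices):
    """Reconcile shipping documents to invoices and return the exceptions found."""
    shipped = {doc_no: qty for doc_no, _order, _sku, qty in shipping_docs}
    billed = {}
    for _inv, doc_no, qty in invoices:
        billed[doc_no] = billed.get(doc_no, 0) + qty  # several invoices may bill one shipment

    return {
        # a gap in the numbering means a shipping document is unaccounted for
        "missing_numbers": sequence_gaps(shipped),
        # shipment with no invoice: the "failure to bill" threat
        "shipped_not_billed": sorted(d for d in shipped if d not in billed),
        # invoice with no shipment: billing for goods that never left
        "billed_not_shipped": sorted(d for d in billed if d not in shipped),
        # quantity billed differs from quantity shipped
        "quantity_mismatch": sorted(
            (d, shipped[d], billed[d]) for d in shipped if d in billed and shipped[d] != billed[d]
        ),
    }


if __name__ == "__main__":
    for category, items in reconcile(SHIPPING_DOCS, INVOICES).items():
        print(f"{category}: {items}")
```

Running the reconciliation on a fixed schedule, by someone other than the shipping or billing clerk, is what turns the pre-numbering into a detective control; the numbers alone only make the gap visible.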
Threats and Control Procedures: Cash Collections

Threat 1: Theft of cash
Control procedures: Segregation of duties; minimization of cash handling; lockbox arrangements; prompt endorsement and deposit of all receipts; periodic reconciliation of the bank statement
General Control Issues in the Revenue Cycle

Threat 1: Loss of data
Control procedures: Backup and disaster recovery procedures; access controls (physical and logical)

Threat 2: Poor performance
Control procedures: Preparation and review of performance reports
Expenditure Cycle

 A recurring set of business activities and related data processing operations associated with the purchase of, and payment for, goods and services.
 Basic activities in the expenditure cycle:
  1. Ordering goods and services
  2. Receiving and storing goods and services
  3. Paying for goods and services
 AIS must provide the operational information needed to perform the following functions:
   Determine when and how much additional inventory to order.
   Select the appropriate vendors from whom to order.
   Verify the accuracy of vendor invoices.
   Decide whether purchase discounts should be taken.
   Monitor cash flow needs to pay
Threats and Controls in the Expenditure Cycle

Threats:
 Stock outs
 Purchasing unnecessary goods, at inflated prices, of inferior quality, or from unauthorized vendors
 Kickbacks (or bribes)
 Receiving unordered goods
 Errors in counting goods
 Theft of inventory
 Failure to take available purchasing

Control procedures:
 Inventory control system
 Vendor performance analysis
 Purchase requisitions and orders approval
 Restricted access to blank purchase requisitions
 Price list consultation
 Budgetary controls
 Use of approved vendor lists
 Pre-numbered purchase orders
 Prohibition of gifts from vendors
 Incentives to count all deliveries
 Physical access control
 Recheck of invoice accuracy
Fraud and Computers

 Computer fraud includes theft, misuse, or misappropriation of:
   Assets, by altering computer-readable records and files.
   Assets, by altering the logic of computer software.
   Computer hardware and software.
Potential Areas of Risk in AIS

Data Collection
 The simplest stage at which to perpetrate a computer fraud, as it only requires understanding the system and its control weaknesses.
 The fraudulent act involves entering falsified data into the system. For example:
   To commit a payroll fraud, the perpetrator may insert a fraudulent payroll transaction along with other legitimate transactions.
Data Processing
 Data processing frauds fall into two classes: program fraud and operations fraud.
 Program fraud techniques:
   Creating illegal programs that can access data files to alter, delete, or insert values into accounting records;
   Destroying or corrupting a program’s logic using a computer virus; or
   Altering program logic to cause the
 Operations fraud is the misuse or theft of computer resources.
   Example: using the firm’s computer for personal business.
Database Management
 DBM fraud includes altering, deleting, corrupting, destroying, or stealing an organization’s data.
 A common fraud technique is accessing the database from a remote site and browsing useful information that can be copied and sold to competitors.
 Disgruntled employees may try to destroy company data files simply to harm the organization.
Information Generation
 It is the process of compiling, arranging, formatting, and presenting information to users.
 A common fraud at this stage is stealing, misdirecting, or misusing computer output.
Auditing of Computer-Based IS

 IS auditors should review the controls in AIS to ensure compliance with internal control policies and procedures and effectiveness in safeguarding assets.

Audit Objective
 To verify that the structure of the IS function segregates individuals in incompatible areas.
 IS auditors should ascertain that:
   Security provisions protect computer equipment, programs, communications,
   Program modifications have the authorization and approval of management.
   Processing of transactions, files, reports, and other computer records is accurate and complete.
   Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
   Computer data files are accurate, complete, and confidential.
Audit Procedures:
 Review relevant documentation to verify whether individuals are performing incompatible functions.
 Review system documentation and maintenance records to verify that maintenance programmers are not the original design programmers.
 Review that computer operators do not have access to the operational details of the system’s internal logic or to systems documentation.
 Auditing of computer-based IS covers both:
   Computer Center
   Operating Systems
Computer Center
 The auditor should examine the physical environment of the computer center to:
   Identify risks, and check for controls;
   Mitigate risks; and
   Create a secure computer environment.
Audit areas include:
 Physical location: Where should the computer center be located?
 Construction: Soundly constructed
 Access: limited to authorized personnel only.
 Air conditioning: The room’s air must be conditioned with AC.
 Fire suppression: Automatic and manual alarms connected to fire fighting stations.
 Fault tolerance: continue operation when part of the system fails. Example: Uninterruptible Power Supplies (UPS).
Operating Systems
 A set of programs that controls the way a computer works and runs other programs.
 If the system’s integrity is compromised, controls within individual applications may also be neutralized.
 The operating system must achieve five control objectives:
   It must protect itself from users.
     Users may attempt to gain control and destroy its components.
   It must protect users from themselves.
     Applications are made of sets of modules that may compete with and corrupt the application.
   It must protect itself from itself.
     The OS is made of multiple modules that may compete with and destroy each other.
   It must protect itself from the environment.
     The OS may be affected by incidents such as power failure.
OS Security Components
1. Log-on procedure
   Use of ID and password.
2. Access token
   If the user successfully logs in, the OS creates an access token (sign).
   The access token contains key information about the user: ID, password, user group, and privileges granted.
   The access token is used to approve all actions
3. Access control list
   A list containing information that defines the access privileges of all valid users for IT resources (disk drives, data files, programs, or printers).
   Access is granted if the ID and privileges defined in the access token match those in the access control list.
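The three OS security components just described (log-on procedure, access token, access control list), as an added example; this is not code from the slides or from any particular operating system. The user file, groups, resources and ACL entries are constructed. Two assumptions of the example: the user file stores a salted password hash rather than the password, and the token carries the user's ID, group and privileges but not the password, because the password is only needed at log-on. The fixed salt is for determinism only; a real user file stores a random salt per user.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed, fixed salt so the example is deterministic (see lead-in).
SALT = b"constructed-example-salt"


def hash_password(password, salt=SALT):
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user file: password hash, the user's group, and granted privileges.
USERS = {
    "alice": {"hash": hash_password("correct horse battery"), "group": "accounting",
              "privileges": frozenset({"read", "write"})},
    "bob":   {"hash": hash_password("operations-pass-1"), "group": "operations",
              "privileges": frozenset({"read"})},
}

# Constructed access control list: for each IT resource, the operations each
# group may perform. Resources absent from the list are denied by default.
ACL = {
    "/data/general_ledger.dat": {"accounting": {"read", "write"}, "operations": set()},
    "/dev/printer1":            {"accounting": {"write"}, "operations": {"write"}},
}


@dataclass(frozen=True)
class AccessToken:
    """Issued by the log-on procedure; identifies the session to every later access check."""
    user_id: str
    group: str
    privileges: frozenset


def log_on(user_id, password):
    """Log-on procedure: returns an AccessToken on success, None on failure."""
    record = USERS.get(user_id)
    # Hash the supplied password even for unknown IDs so response time does not
    # reveal which user IDs exist.
    supplied = hash_password(password)
    if record is None or not hmac.compare_digest(record["hash"], supplied):
        return None
    return AccessToken(user_id, record["group"], record["privileges"])


def is_allowed(token, resource, operation):
    """Access decision: the operation must be among the token's privileges AND
    be permitted for the token's group in the resource's ACL entry."""
    if token is None:
        return False
    entry = ACL.get(resource)
    if entry is None:
        return False  # unlisted resource: default deny
    return operation in token.privileges and operation in entry.get(token.group, set())


if __name__ == "__main__":
    alice = log_on("alice", "correct horse battery")
    print(is_allowed(alice, "/data/general_ledger.dat", "write"))  # True
    bob = log_on("bob", "operations-pass-1")
    print(is_allowed(bob, "/data/general_ledger.dat", "read"))     # False: group has no access
```

Both sides of the match matter: bob's group may write to the printer, but bob's token carries only the read privilege, so the request is refused; alice holds the read privilege, but the printer's ACL entry grants her group only write, so her read is refused too.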
 Threats to OS integrity
   Accidental: disk failures, OS crashes, memory dumps
   Intentional: illegal access, destructive programs
 Operating system controls and audit tests
   The design of OS security controls must be assessed, covering:
     Access privileges,
     Password control,
     Virus control and
Access privileges
 Audit Objective:
   Verify that access privileges are granted consistently with the need to separate incompatible functions.
 Audit Procedures:
   Review the organization’s policy for separating incompatible functions and ensure that it promotes reasonable security.
   Review the privileges of selected users to determine if their access rights are
   Review personnel records to determine if privileged employees have passed a security clearance check in compliance with company policies.
   Review the users’ permitted log-on times. Permission should be appropriate to the tasks being performed.
Password control
 Audit Objective:
   Ensure that there is an adequate and effective password policy.
 Audit Procedures:
   Verify that all users are required to have passwords.
   Verify that new users are instructed in the use of passwords.
   Review password control procedures to ensure that passwords are changed regularly.
   Verify that the password file is encrypted and that the encryption key is properly secured.
   Assess the adequacy of password standards such as length and expiration interval.
   Review the account lockout policy and procedures: number of failures and duration of lockouts.
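The password standards and the lockout policy the audit procedures above ask the auditor to assess, as an added example that is not from the slides. The policy values (minimum length, expiration interval, failure threshold, lockout duration), the account data and the timestamps are constructed assumptions; the code expresses the standard as a checkable rule and shows how a lockout counter is expected to behave, which is what an auditor compares the live system against:

```python
from datetime import datetime, timedelta

# Constructed password standard and lockout policy (assumed values).
POLICY = {
    "min_length": 12,
    "max_age_days": 90,
    "lockout_threshold": 5,
    "lockout_duration": timedelta(minutes=30),
}


def _ts(value):
    """Accept a datetime or an ISO-8601 string such as '2024-03-01T09:00:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def password_findings(password, last_changed, now, policy=POLICY):
    """Assess one account's password against the standard; returns a list of findings."""
    findings = []
    if not password:
        findings.append("no password set")  # every user must be required to have one
    elif len(password) < policy["min_length"]:
        findings.append(f"shorter than {policy['min_length']} characters")
    if last_changed is None:
        findings.append("no change date recorded")
    else:
        age = (_ts(now) - _ts(last_changed)).days
        if age > policy["max_age_days"]:
            findings.append(f"not changed in {age} days (limit {policy['max_age_days']})")
    return findings


class LockoutTracker:
    """Account lockout: after `threshold` consecutive failures the account is
    locked for `duration`; a successful log-on clears the failure count."""

    def __init__(self, threshold=POLICY["lockout_threshold"], duration=POLICY["lockout_duration"]):
        self.threshold = threshold
        self.duration = duration
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> datetime at which the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and _ts(now) < until

    def record_failure(self, user, now):
        """Record a failed attempt; returns True if the account is locked afterwards."""
        now = _ts(now)
        if self.is_locked(user, now):
            return True  # attempts during a lock do not extend or reset it here
        count = self.failures.get(user, 0) + 1
        if count >= self.threshold:
            self.locked_until[user] = now + self.duration
            self.failures[user] = 0  # counter restarts once the lock expires
            return True
        self.failures[user] = count
        return False

    def record_success(self, user):
        """Call only after is_locked() returned False: resets the counter and clears any expired lock."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


if __name__ == "__main__":
    print(password_findings("short", "2023-11-01T09:00:00", "2024-03-01T09:00:00"))
    tracker = LockoutTracker()
    for i in range(5):
        print(tracker.record_failure("carol", f"2024-03-01T09:00:0{i}"))  # four False, then True
```

Whether failed attempts during a lock should extend it is a policy decision; here they do not, so a lock always lasts exactly the configured duration and the auditor can check that behaviour directly against the written policy.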
Virus control
Audit Objective:
 Verify that effective policies and procedures are in place to prevent destructive programs: viruses….
Audit Procedures:
 Determine, through interviews, that operations personnel have been educated about computer viruses and are aware of risky computing practices.
 Verify that new software is tested on standalone workstations prior to being
Audit trail control
 A detailed record of activity at the system, application, and user level.

Audit Objective:
 Ensure that the established audit trail system is adequate for preventing and detecting abuses, reconstructing key events, and planning resource allocation.
 Audit Procedures:
   Verify that the audit trail has been activated according to organization policy.
   Review audit trail logs to evaluate failed log-in attempts by unauthorized or terminated users.
   Evaluate the effectiveness of the security group in handling security violation cases by taking samples.
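The audit trail review step above (failed log-on attempts by unauthorized or terminated users), as an added example that is not part of the slides. The log lines, the active-user list and the terminated-user list are constructed, and the line format is an assumption of the example; it also surfaces the more serious case of a terminated user logging on successfully, and counts lines it cannot parse so that a gap in the trail is itself reported rather than skipped:

```python
import re
from collections import Counter

# Constructed sample of an OS log-on audit trail (not real system output).
AUDIT_TRAIL = """\
2024-03-04T08:01:12 host=erp01 user=alice result=SUCCESS src=10.0.5.12
2024-03-04T08:02:40 host=erp01 user=jsmith result=FAIL src=10.0.5.99
2024-03-04T08:02:44 host=erp01 user=jsmith result=FAIL src=10.0.5.99
2024-03-04T08:02:50 host=erp01 user=jsmith result=SUCCESS src=10.0.5.99
2024-03-04T08:03:01 host=erp01 user=root result=FAIL src=203.0.113.7
2024-03-04T08:05:30 host=erp01 user=bob result=SUCCESS src=10.0.5.40
2024-03-04T08:06:11 host=erp01 user=mallory result=FAIL src=198.51.100.4
this line is malformed and must be counted, not silently dropped
"""

# Constructed personnel data: active accounts and users whose employment ended.
ACTIVE_USERS = {"alice", "bob"}
TERMINATED_USERS = {"jsmith"}

# Assumed line format: timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAIL) src=(?P<src>\S+)$"
)


def parse_audit_trail(text):
    """Return (events, malformed_lines): one dict per well-formed line, raw text for the rest."""
    events, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
        else:
            malformed.append(line)
    return events, malformed


def review_log_ons(text, active=ACTIVE_USERS, terminated=TERMINATED_USERS):
    """Classify log-on events as the audit procedure asks: failed attempts by
    terminated or unknown (unauthorized) users, failed attempts by active users,
    and successful log-ons by terminated users."""
    events, malformed = parse_audit_trail(text)
    report = {
        "failed_terminated": Counter(),
        "failed_unknown": Counter(),
        "failed_active": Counter(),
        "success_terminated": [],
        "malformed_lines": len(malformed),
    }
    for event in events:
        user = event["user"]
        if event["result"] == "SUCCESS":
            if user in terminated:  # an account that should have been disabled is still usable
                report["success_terminated"].append((event["ts"], user, event["src"]))
            continue
        if user in terminated:
            report["failed_terminated"][user] += 1
        elif user in active:
            report["failed_active"][user] += 1
        else:
            report["failed_unknown"][user] += 1
    return report


if __name__ == "__main__":
    for key, value in review_log_ons(AUDIT_TRAIL).items():
        print(f"{key}: {value}")
```

The review only works if the personnel lists are current: a terminated user who is missing from both lists would be reported as merely "unknown", so the HR feed into the review is part of the control, not just the log.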
The End!

Thank You!
