Chapter 2

Chapter 2 discusses the control and audit of accounting information systems, focusing on computer fraud, its techniques, and prevention methods. It outlines the conditions for fraud, types of attacks such as hacking and social engineering, and the importance of internal controls and frameworks like COBIT for managing IT risks. The chapter emphasizes the need for organizations to implement strong controls to safeguard assets and ensure the integrity of financial reporting.

Uploaded by Sara Hailemariam

Chapter 2: Control and Audit of Accounting Information Systems
Instructor: Dr. Messele Getachew
Contents
 Computer Fraud
 Computer Fraud and Abuse Techniques
 Control and Accounting Information Systems
 Controls for Information Security
 Processing Integrity and Availability Controls
 Auditing Computer-Based Information Systems
Tuesday, February 11, 2 2
1. Computer Fraud
 Threats to AIS
• Software errors and equipment malfunctions
• Unintentional acts
• Intentional acts

1. Computer Fraud
 Fraud
• Any means a person uses to gain an unfair advantage over another person. Legally, fraud requires:
▫ A false statement, representation, or disclosure
▫ A material fact, which induces the victim to act
▫ An intent to deceive
▫ Reliance by the victim on the misrepresentation
▫ Injury or loss suffered by the victim
Fraud is a white-collar crime (a nonviolent crime committed for financial gain).
1. Computer Fraud
 Two Categories of Fraud
• Misappropriation of assets: theft of company assets, which can include physical assets (e.g., cash, inventory) and digital assets (e.g., intellectual property such as protected trade secrets, customer data)
• Fraudulent financial reporting: "cooking the books" (e.g., booking fictitious revenue, overstating assets, etc.)
1. Computer Fraud
 Conditions for Fraud (the fraud triangle)
These three conditions must be present for fraud to occur:
• Pressure
▫ Employee pressures: financial, lifestyle, emotional
▫ Financial statement pressures: financial, management, industry conditions
• Opportunity to:
▫ Commit the fraud
▫ Conceal it
▫ Convert the proceeds to personal gain
• Rationalization
▫ Justify the behavior
▫ Attitude that the rules don't apply
▫ Lack of personal integrity
 Fraud Triangle (figure: pressure, opportunity and rationalization as the three sides)

1. Computer Fraud
 Computer Fraud
• If a computer is used to commit fraud, it is called computer fraud.
• Computer fraud is classified by the stage of the data processing cycle that is attacked:
 Input (altering or forging the data entered)
 Processor (unauthorized use of system resources)
 Computer instructions (tampering with the software that processes the data)
 Data (altering or stealing stored data)
 Output (stealing or misusing system output)

1. Computer Fraud
 Preventing and Detecting Fraud
1. Make Fraud Less Likely to Occur
Organizational:
 Create a culture of integrity
 Adopt a structure that minimizes fraud; create governance (e.g., Board of Directors)
 Assign authority for business objectives and hold people accountable for achieving those objectives; provide effective supervision and monitoring of employees
 Communicate policies
Systems:
 Develop security policies to guide and design specific control procedures
 Implement change management controls and project development and acquisition controls
1. Computer Fraud
 Preventing and Detecting Fraud
2. Make It Difficult to Commit
Organizational:
• Develop strong internal controls
• Segregate accounting functions
• Use properly designed forms
• Require independent checks and reconciliations of data
Systems:
 Restrict access
 System authentication
 Implement computer controls over input, processing, storage and output of data
 Use encryption
 Fix software bugs and update systems regularly
 Destroy hard drives when disposing of computers
1. Computer Fraud
 Preventing and Detecting Fraud
3. Improve Detection
Organizational:
 Assess fraud risk
 External and internal audits
 Fraud hotline
Systems:
 Audit trail of transactions through the system
 Install fraud detection software
 Monitor system activities (user and error logs, intrusion detection)

1. Computer Fraud
 Preventing and Detecting Fraud
4. Reduce Fraud Losses
Organizational:
 Insurance
 Business continuity and disaster recovery plan
Systems:
 Store backup copies of program and data files in a secure, off-site location
 Monitor system activity

2. Computer Fraud and Abuse Techniques
 Types of Attacks
1. Hacking: unauthorized access, modification, or use of an electronic device or some element of a computer system
2. Social engineering: uses psychological manipulation to trick users into making security mistakes or giving away sensitive information
3. Malware: software used to do harm


2. Computer Fraud and Abuse Techniques
1. Hacking
▫ Hijacking: gaining control of a computer to carry out illicit/illegal activities
▫ Botnet (robot network): a network of hijacked computers used for malicious activities such as credential leaks, unauthorized access and data theft
 Zombies: computers taken over by a hacker without the knowledge of the owner
 Bot herders: the attackers who control the zombies
 Denial of Service (DoS) attack
 Spamming
▫ Spoofing: makes a communication look as if someone else sent it, so as to gain confidential information
2. Computer Fraud and Abuse Techniques
1. Hacking
 Forms of Spoofing
• E-mail spoofing
• Caller ID spoofing
• IP address spoofing
• Address Resolution Protocol (ARP) spoofing
• SMS spoofing
• Web-page spoofing (phishing)
• Domain Name System (DNS) spoofing
2. Computer Fraud and Abuse Techniques
1. Hacking
 Hacking with Computer Code
• Cross-site scripting (XSS)
▫ Exploits a Web application vulnerability that lets an attacker inject malicious script into a page the site serves. When a user visits that page, the script runs in the user's browser and can collect data from the user.
• Buffer overflow attack
▫ More data is sent than the program's input buffer can hold; the excess overwrites adjacent memory, which can crash the program or redirect its execution to the attacker's own instructions.
• SQL (Structured Query Language) injection (insertion) attack
▫ Malicious code inserted in place of a query to get to
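The SQL injection slide above names the attack without showing why it works. The following is an added example, not code from the slides: a lookup built by string concatenation beside the same lookup with a bound parameter, run against an in-memory SQLite table. The customer table, its rows and the payload are constructed for the example.

```python
"""SQL injection: string-built query vs. parameterized query, against an
in-memory SQLite table. Sample data is constructed for this example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a small customer table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO customers (name, balance) VALUES (?, ?)",
        [("alice", 120.50), ("bob", 75.00), ("carol", 990.00)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller's input is spliced into the SQL text, so a quote
    character in the input ends the string literal and the remainder of the
    input is parsed as SQL."""
    sql = f"SELECT name, balance FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the input is bound as a parameter; the driver never treats it
    as part of the query text, so the same payload simply matches no row."""
    return conn.execute(
        "SELECT name, balance FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Classic tautology payload: closes the string literal, then ORs in a
# condition that is always true, so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, PAYLOAD))  # all three customers
    print("parameterized:", lookup_safe(db, PAYLOAD))        # []
    print("legitimate:   ", lookup_safe(db, "bob"))          # [('bob', 75.0)]
```

The control is the placeholder, not input filtering: the parameterized version needs no knowledge of which characters are dangerous, because the value never reaches the SQL parser.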
2. Computer Fraud and Abuse Techniques
1. Hacking
 Other Types of Hacking
• Man in the middle (MITM): the hacker is placed between a client (user) and a host (server) to read, modify, or steal data
• Piggybacking: an unauthorized party gains access to a system by riding on an authorized party's access
• Password cracking
• War dialing and war driving
• Phreaking
• Data diddling
• Data leakage
• Podslurping
2. Computer Fraud and Abuse Techniques
1. Hacking
 Hacking Used for Embezzlement
• Salami technique: taking small amounts at a time (e.g., round-down fraud, where the fractions rounded off many transactions are diverted to the fraudster's account)
• Economic espionage/intelligence: theft of information, intellectual property and trade secrets
• Cyber-extortion: threats to a person or business made online through e-mail or text messages unless money is paid
2. Computer Fraud and Abuse Techniques
1. Hacking
 Hacking Used for Fraud
• Internet misinformation
• E-mail threats
• Internet auction fraud
• Internet pump and dump: fraud that inflates the price of a stock so it can be sold at a profit
• Click fraud: illegally clicking on pay-per-click (PPC) ads to increase site revenue or to exhaust advertisers'
• Web cramming: billing consumers for a web page they did not even know they had
• Software piracy: illegal copying, distribution, or use of software


2. Computer Fraud and Abuse Techniques
2. Social Engineering Techniques
Social engineering uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
• Identity theft: assuming someone else's identity
• Pretexting: using an invented scenario to trick victims into divulging information or to gain access
• Posing: creating a fake business to get sensitive information
• Phishing: sending an e-mail asking the victim to respond to a link that appears legitimate but requests sensitive data
• Pharming: redirects Web site to a
• URL hijacking: takes advantage of typographical errors entered for Web site addresses; the user gets an invalid or wrong Web site
• Scavenging: searching trash for confidential information
• Shoulder surfing: snooping (either from close behind the person or using technology) to get confidential information
• Skimming
2. Computer Fraud and
Abuse Techniques
2. Social Engineering Techniques
Why People Fall Victim
• Compassion
▫ Desire to help others
• Greed
▫ Want a good deal or something for free
• Sex appeal
▫ More cooperative with those that are flirtatious or good looking
• Sloth
▫ Lazy habits
• Trust
▫ Will cooperate if trust is gained
• Urgency
▫ Cooperation occurs when there is a sense of immediate need
• Vanity
▫ More cooperation when appeal to vanity/pride
2. Computer Fraud and Abuse Techniques
2. Social Engineering Techniques
Minimize the Threat of Social Engineering
• Never let people follow you into restricted areas
• Never log in for someone else on a computer
• Never give sensitive information over the phone or through e-mail
• Never share passwords or user IDs
• Be cautious of someone you don't know who is trying to gain access through you
2. Computer Fraud and Abuse Techniques
3. Malware
Types of Malware
 Spyware: secretly monitors and collects information; can hijack the browser and search requests
 Keylogger: software that records user keystrokes
 Trojan horse: malicious computer instructions hidden in an authorized and properly functioning program
 Trap door: a set of instructions that allows the user to bypass normal system controls
 Packet sniffer: captures data as it travels over the Internet
 Virus: a section of self-replicating code that attaches to a program or file and requires a human to do something so it can replicate itself
 Worm: a stand-alone self-replicating program
2. Computer Fraud and Abuse Techniques
3. Malware
Cellphone Bluetooth Vulnerabilities
• Bluesnarfing: stealing contact lists, data and pictures from Bluetooth-compatible smartphones
• Bluebugging: taking control of a phone to make or listen to calls and to send or read text messages


3. Control and Accounting Information Systems
 Why Is Control Needed?
• Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.
• The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.
• The probability that the threat will happen is the likelihood associated with the threat.


3. Control and Accounting Information Systems
 A Primary Objective of an AIS
• Is to control the organization so the organization can achieve its objectives
• Management expects accountants to:
▫ Take a proactive approach to eliminating system threats.
▫ Detect, correct, and recover from threats when they occur.


3. Control and Accounting Information Systems
 Internal Controls
• Processes implemented to provide assurance that the following objectives are achieved:
 Safeguard assets
 Maintain sufficient records
 Provide accurate and reliable information
 Prepare financial reports according to established criteria
 Promote and improve operational efficiency
 Encourage adherence with management policies
 Comply with laws and regulations


3. Control and Accounting Information Systems
 Functions of Internal Controls
• Preventive controls: deter problems from occurring
• Detective controls: discover problems that are not prevented
• Corrective controls: identify and correct problems; correct and recover from the problems
3. Control and Accounting Information Systems
 Control Frameworks
• COBIT (Control Objectives for Information and Related Technology): framework for IT control
• COSO (Committee of Sponsoring Organizations of the Treadway Commission): framework for enterprise internal controls (control-based approach)
• COSO-ERM: expands the COSO framework, taking a risk-based approach
What is COBIT?
 COBIT (Control Objectives for Information and Related Technology) helps organisations meet business challenges in the areas of regulatory compliance, risk management and aligning IT strategy with organisational goals.
 COBIT 5, the version described on the following slides, was released in 2012; ISACA has since superseded it with COBIT 2019.
Tuesday, February 11, 2 Public Expenditure Management by Ashenafi B(PhD) 30


 COBIT 5 is based on five principles that are essential
for the effective management and governance of
enterprise IT:
 Principle 1: Meeting stakeholder needs
 Principle 2: Covering the enterprise end to end
 Principle 3: Applying a single integrated framework
 Principle 4: Enabling a holistic approach
 Principle 5: Separating governance from management

These five principles enable an organisation to build a holistic framework for the governance and management of IT that is built on seven 'enablers':
Principles, policies and frameworks
Processes
Organisational structures
Culture, ethics and behaviour
Information
Services, infrastructure and applications
People, skills and competencies
Together, the principles and enablers allow an organisation to align its IT investments with its objectives to realise the value of those investments.


Benefits of COBIT
The COBIT 5 framework can help organisations of all sizes:
Improve and maintain high-quality information to
support business decisions;
Use IT effectively to achieve business goals;
Use technology to promote operational excellence;
Ensure IT risk is managed effectively;
Ensure organisations realise the value of their
investments in IT; and
Achieve compliance with laws, regulations and
contractual agreements.

Components of COSO Frameworks
COSO (internal control):
 Control (internal) environment
 Risk assessment
 Control activities
 Information and communication
 Monitoring
COSO-ERM:
 Internal environment
 Objective setting
 Event identification
 Risk assessment
 Risk response
 Control activities
 Information and communication
 Monitoring


WHAT DOES COSO STAND FOR?
 In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls.
 This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control.
WHAT IS THE COSO FRAMEWORK?
The COSO model defines internal control as "a process effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories":
Operational effectiveness and efficiency
Financial reporting reliability
Compliance with applicable laws and regulations


 In an effective internal control system, the following five
components work to support the achievement of an entity’s
mission, strategies and related business objectives:
Control Environment
 Exercise integrity and ethical values.
 Make a commitment to competence.
 Use the board of directors and audit committee.
 Facilitate management’s philosophy and operating style.
 Create organizational structure.
 Issue assignment of authority and responsibility.
 Utilize human resources policies and procedures.

Risk Assessment
 Create companywide objectives.
 Incorporate process-level objectives.
 Perform risk identification and analysis.
 Manage change.


Control Activities
 Follow policies and procedures.
 Improve security (application and network).
 Conduct application change management.
 Plan business continuity/backups.
 Perform outsourcing.


Information and Communication
Measure quality of information.
Measure effectiveness of
communication.
Monitoring
Perform ongoing monitoring.
Conduct separate evaluations.
Report deficiencies.

COSO-ERM
 Internal Environment
• Management’s philosophy, operating
style, and risk appetite
• Commitment to integrity, ethical values,
and competence
• Internal control oversight by Board of
Directors
• Organizing structure
• Methods of assigning authority and
responsibility
• Human resource standards
 Objective Setting
• Strategic objectives
 High-level goals
• Operations objectives
 Effectiveness and efficiency of operations
• Reporting objectives
 Improve decision making and monitor
performance
• Compliance objectives
 Compliance with applicable laws and
regulations
 Event Identification
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization's objectives.
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?
 Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
▫ Probability that the event will occur
• Impact
▫ Estimate of the potential loss if the event occurs
Types of risk
• Inherent
▫ Risk that exists before any plans are made to control it
• Residual
▫ Risk that remains after controls have been applied
 Risk Response
• Reduce
Implement effective internal control
• Accept
Do nothing, accept likelihood and
impact of risk
• Share
Buy insurance, outsource, or hedge
• Avoid
Do not engage in the activity
Control Activities
• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance


 Segregation of Duties (figure)

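Proper authorization and segregation of duties, the first two control activities listed above, are usually described as organizational measures; in a computer-based AIS they are also enforced in code. The following is an added example, not code from the slides, of a payment workflow (create, approve, pay) that checks an authorization matrix, an approval limit, step ordering and segregation of duties on every action and keeps an audit trail. The users, roles, permissions and limits are assumptions made for the example.

```python
"""Authorization and segregation of duties enforced in a constructed payment
workflow (create -> approve -> pay). Users, roles, the permission matrix and
the approval limits are invented for this example."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class ControlViolation(Exception):
    """Raised when an action would breach authorization or segregation of duties."""


# Authorization matrix: which roles may perform which step.
PERMISSIONS = {
    "create": {"clerk"},
    "approve": {"supervisor", "controller"},
    "pay": {"treasury"},
}
# Approval limits by role (proper authorization of transactions).
APPROVAL_LIMIT = {"supervisor": 5_000.00, "controller": float("inf")}

# Users and their roles; 'eve' deliberately holds two roles so that the
# segregation-of-duties check, not the role check, is what stops her.
USERS = {
    "ann": {"clerk"},
    "bob": {"supervisor"},
    "cat": {"controller"},
    "dan": {"treasury"},
    "eve": {"clerk", "supervisor"},
}

STEP_ORDER = ["create", "approve", "pay"]


@dataclass
class Payment:
    payee: str
    amount: float
    actors: dict = field(default_factory=dict)  # step -> user who performed it
    audit_trail: List[Tuple[str, str, str]] = field(default_factory=list)  # (user, role, step)


def perform(payment: Payment, user: str, step: str) -> Payment:
    """Apply one workflow step, enforcing (1) the authorization matrix,
    (2) step ordering, (3) segregation of duties: nobody performs two
    different steps on the same payment, and (4) the approval limit."""
    allowed = USERS.get(user, set()) & PERMISSIONS[step]
    if not allowed:
        raise ControlViolation(f"{user} is not authorized to {step} payments")
    role = sorted(allowed)[0]
    if len(payment.actors) == len(STEP_ORDER):
        raise ControlViolation("payment is already complete")
    expected = STEP_ORDER[len(payment.actors)]
    if step != expected:
        raise ControlViolation(f"cannot {step}: next step must be {expected}")
    if user in payment.actors.values():
        raise ControlViolation(
            f"segregation of duties: {user} already performed a step on this payment"
        )
    if step == "approve" and payment.amount > APPROVAL_LIMIT[role]:
        raise ControlViolation(
            f"{role} limit {APPROVAL_LIMIT[role]:.2f} exceeded by {payment.amount:.2f}"
        )
    payment.actors[step] = user
    payment.audit_trail.append((user, role, step))  # who did what, in order
    return payment


def run_workflow(payee: str, amount: float, assignments) -> Payment:
    """Drive a payment through the given (user, step) assignments."""
    payment = Payment(payee, amount)
    for user, step in assignments:
        perform(payment, user, step)
    return payment


def try_workflow(payee: str, amount: float, assignments) -> Optional[str]:
    """Return None if the workflow completes, else the violation message."""
    try:
        run_workflow(payee, amount, assignments)
    except ControlViolation as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    ok = run_workflow("Acme Ltd", 1_200.00,
                      [("ann", "create"), ("bob", "approve"), ("dan", "pay")])
    print("audit trail:", ok.audit_trail)
    attempts = {
        "clerk approving":        (1_200.00, [("ann", "create"), ("ann", "approve")]),
        "same person, two roles": (1_200.00, [("eve", "create"), ("eve", "approve")]),
        "supervisor over limit":  (12_000.00, [("ann", "create"), ("bob", "approve")]),
        "pay before approval":    (1_200.00, [("ann", "create"), ("dan", "pay")]),
    }
    for label, (amount, steps) in attempts.items():
        print(f"{label}: blocked ({try_workflow('Acme Ltd', amount, steps)})")
```

The segregation check is keyed on the user, not the role: a person who legitimately holds two roles can still do only one step per payment, and the audit trail records the role under which each step was taken.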
 Monitoring
• Perform internal control evaluations (e.g., internal
audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g.,
budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal,
network security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement fraud hotline
 Trust Services Framework
• Security: access to the system and its data is controlled and restricted to legitimate users.
• Confidentiality: sensitive organizational data is protected.
• Privacy: personal information about trading partners, investors, and employees is protected.
• Processing integrity: data are processed accurately, completely, in a timely manner, and only with proper authorization.
• Availability: the system and its information are available when needed.

4. Controls for Information Security
 Security Life Cycle
Security is a management issue, not just a technology issue.

4. Controls for Information Security
 Security Approaches
• Defense-in-depth: multiple layers of control (preventive and detective) to avoid a single point of failure
• Time-based model: security is effective if P > D + C, where
 P is the time it takes an attacker to break through the preventive controls
 D is the time it takes to detect that an attack is in progress
 C is the time it takes to respond to the attack and take corrective action

4. Controls for Information Security
 How to Mitigate Risk of Attack
Preventive Controls:
 People
 Process
 IT solutions
 Physical security
 Change controls and change management
Detective Controls:
 Log analysis
 Intrusion detection systems
 Penetration testing
 Continuous monitoring
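Log analysis, the first detective control listed above, is only useful if someone actually turns raw log lines into a decision. The following is an added example, not code from the slides: it parses authentication log lines, keeps a sliding window of failed logins per source address, raises an alert when the failures exceed a threshold inside the window, and raises a second, higher-severity alert if a login from that source then succeeds. The log lines are constructed in sshd/syslog format for the example; the threshold, window and assumed year are parameters, not facts from the slides.

```python
"""Log analysis as a detective control: parse authentication log lines and
flag a source that fails repeatedly within a short window, then flag a
success from that same source. Log lines are constructed for the example
(sshd/syslog style); nothing here is taken from the slides."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Feb 11 09:14:02 ap-server sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 11 09:14:05 ap-server sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Feb 11 09:14:07 ap-server sshd[2033]: Failed password for root from 203.0.113.7 port 51024 ssh2
Feb 11 09:14:09 ap-server sshd[2035]: Failed password for root from 203.0.113.7 port 51025 ssh2
Feb 11 09:14:12 ap-server sshd[2037]: Failed password for root from 203.0.113.7 port 51026 ssh2
Feb 11 09:14:20 ap-server sshd[2040]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Feb 11 09:30:41 ap-server sshd[2101]: Failed password for jsmith from 192.0.2.44 port 40112 ssh2
Feb 11 09:31:02 ap-server sshd[2103]: Accepted password for jsmith from 192.0.2.44 port 40113 ssh2
Feb 11 09:31:05 ap-server CRON[2110]: pam_unix(cron:session): session opened for user root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line: str, year: int = 2025):
    """Return a dict for sshd password events, None for any other line.
    syslog timestamps carry no year, so one is assumed (parameter)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_brute_force(lines, threshold: int = 5, window_seconds: int = 60):
    """Sliding-window count of failures per source IP. Returns a list of
    (ip, alert_type, detail) tuples in the order they were raised."""
    alerts = []
    failures = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = failures[ev["ip"]]
        # Expire failures older than the window before judging this event.
        while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            if len(window) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append((ev["ip"], "brute_force",
                               f"{len(window)} failures within {window_seconds}s"))
        elif ev["ip"] in flagged:
            # A success from an already-flagged source is the event that matters.
            alerts.append((ev["ip"], "success_after_brute_force",
                           f"accepted login as {ev['user']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single failed login (jsmith above) produces nothing; the point of the window is to separate a typo from an attack, and the point of the second alert is that a successful login after a burst of failures is the one an incident responder needs first.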


4. Controls for Information
Security
 Preventive: People
Culture of security
Tone set at the top with management
Training
Follow safe computing practices
 Never open unsolicited e-mail attachments
 Use only approved software
 Do not share passwords
 Physically protect laptops/cellphones
Protect against social engineering
4. Controls for Information Security
 Preventive: Process
• Authentication—verifies the person
1. Something the person knows (e.g., a password)
2. Something the person has (e.g., a token or smart card)
3. Some biometric characteristic (e.g., a fingerprint)
4. Multifactor authentication: a combination of two or more of the above
• Authorization—determines what an authenticated person can access
 Preventive: IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
4. Controls for Information
Security
 Preventive: Other
Physical security access controls
 Limit entry to building
 Restrict access to network and data
Change controls and change management
 Formal processes in place regarding
changes made to hardware, software, or
processes
 Corrective
Computer Incident Response Team (CIRT)
Chief Information Security Officer (CISO)
Patch management
5. Processing Integrity and Availability Controls
 Processing Integrity Controls
Input
 Forms design
 Sequentially pre-numbered forms
 Turnaround documents
 Processing Integrity: Data Entry Controls
Field check
 Characters in a field are of the proper type
Sign check
 Data in a field has the appropriate sign (positive/negative)
5. Processing Integrity and
Availability Controls
 Processing Integrity: Data Entry Controls
 Limit check
 Tests numerical amount against a fixed
value
 Range check
 Tests numerical amount against lower
and upper limits
 Size check
 Input data fits into the field
 Completeness check
 Verifies that all required data is entered
5. Processing Integrity and Availability Controls
 Processing Integrity: Data Entry Controls
 Validity check
Compares data from the transaction file to the master file to verify that the item exists
 Reasonableness test
Correctness of the logical relationship between two data items
 Check digit verification
Recalculating the check digit to verify that a data entry error has not been made
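The data entry controls on the three slides above (field, sign, limit, range, size, completeness, validity, reasonableness and check digit) are easiest to see applied together to one record. The following is an added example, not code from the slides: an edit routine for a constructed sales-order record that runs every check and reports each failure by the name the slides use. The record layout, the customer master file, the limits and the use of the Luhn algorithm as the check-digit scheme are assumptions made for the example.

```python
"""Data-entry edit checks applied to one sales-order record. The record
layout, master file, limits and check-digit scheme are constructed for
this example and are not taken from the slides."""

# Constructed customer master file; the IDs carry a Luhn check digit.
CUSTOMER_MASTER = {"79927398713", "49927398716"}

QUANTITY_LIMIT = 10_000      # limit check: fixed upper value
DISCOUNT_RANGE = (0, 40)     # range check: lower and upper limits
CUSTOMER_ID_LEN = 11         # size check: field length


def luhn_valid(number: str) -> bool:
    """Check-digit verification (Luhn mod 10): starting from the rightmost
    digit, double every second digit, subtract 9 from any result above 9,
    and require the sum of all digits to end in 0."""
    digits = [int(c) for c in number]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_order(rec: dict) -> list:
    """Run the edit checks; return 'check: reason' strings (empty when the
    record passes). Each check is named as on the slides."""
    errors = []
    # Completeness check: every required field is present and non-blank.
    for name in ("customer_id", "quantity", "unit_price", "discount_pct"):
        if rec.get(name) in (None, ""):
            errors.append(f"completeness: {name} is missing")
    if errors:
        return errors

    cid = str(rec["customer_id"])
    if not cid.isdigit():                       # field check: proper character type
        errors.append("field: customer_id must be numeric")
    elif len(cid) != CUSTOMER_ID_LEN:           # size check: fits the field
        errors.append(f"size: customer_id must be {CUSTOMER_ID_LEN} digits")
    elif not luhn_valid(cid):                   # check digit: transcription error
        errors.append("check digit: customer_id fails Luhn verification")
    elif cid not in CUSTOMER_MASTER:            # validity check: exists on master file
        errors.append("validity: customer_id not on the customer master file")

    qty = rec["quantity"]
    if isinstance(qty, bool) or not isinstance(qty, int):
        errors.append("field: quantity must be an integer")
    else:
        if qty <= 0:                            # sign check
            errors.append("sign: quantity must be positive")
        if qty > QUANTITY_LIMIT:                # limit check
            errors.append(f"limit: quantity exceeds {QUANTITY_LIMIT}")

    price = rec["unit_price"]
    if not isinstance(price, (int, float)):
        errors.append("field: unit_price must be numeric")
    elif price < 0:
        errors.append("sign: unit_price cannot be negative")

    disc = rec["discount_pct"]
    lo, hi = DISCOUNT_RANGE
    if not isinstance(disc, (int, float)):
        errors.append("field: discount_pct must be numeric")
    elif not lo <= disc <= hi:                  # range check
        errors.append(f"range: discount_pct must be between {lo} and {hi}")
    # Reasonableness test: a relationship between two fields; here a discount
    # above 20% is only plausible on an order of at least 100 units.
    elif isinstance(qty, int) and disc > 20 and qty < 100:
        errors.append("reasonableness: discount over 20% on fewer than 100 units")
    return errors


if __name__ == "__main__":
    good = {"customer_id": "79927398713", "quantity": 120, "unit_price": 9.5, "discount_pct": 25}
    bad = {"customer_id": "79927398710", "quantity": -3, "unit_price": 9.5, "discount_pct": 25}
    print(validate_order(good))   # []
    print(validate_order(bad))    # check digit, sign and reasonableness failures
```

The checks are ordered so that a cheap structural failure (wrong type, wrong length) is reported instead of a misleading downstream one: an ID with a bad check digit is never looked up in the master file, so a transposition error is reported as such rather than as an unknown customer.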


5. Processing Integrity and Availability Controls
 Additional Data Entry Controls
Batch processing
Sequence check
 Tests that batch data are in the proper numerical or alphabetical sequence
Batch totals
 Summarize numeric values for a batch of input records
 Financial total
 Hash total
 Record count


5. Processing Integrity and Availability Controls
 Additional Data Entry Controls
 Prompting
The system prompts you for input (an online completeness check)
 Closed-loop verification
Checks the accuracy of input data by using it to retrieve and display other related information (e.g., a customer account number retrieves the customer name)


5. Processing Integrity and Availability Controls
 Processing Controls
• Data matching: two or more items must be matched before an action takes place
• File labels: ensure that the correct and most up-to-date file is used
• Recalculation of batch totals
• Cross-footing: verifies accuracy by comparing two alternative ways of calculating the same total
• Zero-balance tests: for control accounts (e.g., payroll clearing)
• Write-protection mechanisms: protect against overwriting or erasing data
• Concurrent update controls: prevent the error of two or more users updating the same record at the same time
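The batch totals and sequence check on the data entry slides, and the recalculation of batch totals, cross-footing and zero-balance test on the processing controls slide above, all reduce to recomputing a figure a second way and comparing. The following is an added example, not code from the slides, covering both passages: it computes the financial total, hash total and record count for a constructed batch, compares them with a control slip, checks document-number sequence, cross-foots a small report and runs a zero-balance test on a clearing account. The batch, the control slip and the ledger figures are invented for the example.

```python
"""Batch control totals, sequence check, cross-footing and a zero-balance
test on a constructed batch of cash-receipt entries. The batch, the control
slip and the ledger figures are invented for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    doc_no: int     # pre-numbered source document
    account: int    # customer account number (non-financial; used for the hash total)
    amount: float


# Batch keyed in from four source documents.
BATCH = [
    Entry(1001, 4110, 250.00),
    Entry(1002, 4120, 75.25),
    Entry(1003, 4110, 1200.00),
    Entry(1004, 4130, 40.75),
]
# Control slip prepared independently from the same documents before entry.
CONTROL_SLIP = {"record_count": 4, "financial_total": 1566.00, "hash_total": 16470}


def batch_totals(entries) -> dict:
    """Financial total (a meaningful sum), hash total (a meaningless sum of a
    non-financial field, which catches a substituted account number) and
    record count."""
    return {
        "record_count": len(entries),
        "financial_total": round(sum(e.amount for e in entries), 2),
        "hash_total": sum(e.account for e in entries),
    }


def compare_totals(computed: dict, control: dict) -> list:
    """Recalculation step: list every total that disagrees with the slip."""
    return [
        f"{name}: computed {computed[name]} vs control {control[name]}"
        for name in control
        if computed[name] != control[name]
    ]


def sequence_check(entries) -> list:
    """Report gaps, duplicates and out-of-order document numbers, in order."""
    problems = []
    prev = None
    for e in entries:
        if prev is not None:
            if e.doc_no == prev:
                problems.append(f"duplicate document {e.doc_no}")
            elif e.doc_no < prev:
                problems.append(f"document {e.doc_no} out of order after {prev}")
            elif e.doc_no > prev + 1:
                problems.append(f"gap: documents {prev + 1}..{e.doc_no - 1} missing")
        prev = e.doc_no
    return problems


def cross_foot(cells, reported_row_totals, reported_col_totals) -> bool:
    """Cross-footing: the grand total reached by adding the reported row
    totals must equal the one reached by adding the reported column totals,
    and both must equal the sum of every cell."""
    by_rows = round(sum(reported_row_totals), 2)
    by_cols = round(sum(reported_col_totals), 2)
    by_cells = round(sum(sum(row) for row in cells), 2)
    return by_rows == by_cols == by_cells


def zero_balance(debits, credits) -> bool:
    """Zero-balance test for a clearing account: once the gross amount is
    debited and its components are credited, the account must net to zero."""
    return round(sum(debits) - sum(credits), 2) == 0


if __name__ == "__main__":
    print(compare_totals(batch_totals(BATCH), CONTROL_SLIP))           # []
    dropped = [e for e in BATCH if e.doc_no != 1002]                   # one record lost
    print(compare_totals(batch_totals(dropped), CONTROL_SLIP))         # three mismatches
    print(sequence_check(dropped))                                     # gap report
    print(cross_foot([[100, 200], [50, 25]], [300, 75], [150, 225]))   # True
    print(zero_balance([5000.00], [3800.00, 900.00, 300.00]))          # True
```

A dropped record moves all three totals; a single transposed account number moves only the hash total, which is the reason for carrying a sum that has no business meaning.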
5. Processing Integrity and Availability Controls
 Output Controls
• User review of output
• Reconciliation
 Procedures to reconcile to control reports (e.g., the general ledger A/R account reconciled to the Accounts Receivable subsidiary ledger)
 External data reconciliation
• Data transmission controls


5. Processing Integrity and
Availability Controls
 Availability Controls
• Preventive maintenance
• Fault tolerance
 Use of redundant components
• Data center location and design
 Raised floor
 Fire suppression
 Air conditioning
 Uninterruptible power supply (UPS)
 Surge protection
• Patch management and antivirus
software
5. Processing Integrity and Availability Controls
 Availability Controls
• Backup procedures
 Incremental backup: copies only items that have changed since the last backup of any kind (full or incremental)
 Differential backup: copies all changes made since the last full backup
• Disaster recovery plan (DRP)
 Procedures to restore the organization's IT function
 Cold site
 Hot site
• Business continuity plan (BCP)
 How to resume all operations, not just IT
6. Auditing Computer-Based Information Systems
 Auditing
The process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria
 Major Steps in the Auditing Process
• Audit planning
 Why, how, when, and who
 Establish the scope and objectives of the audit; identify risk
• Collection of audit evidence
• Evaluation of evidence
• Communication of results
6. Auditing Computer-Based
Information Systems
 Risk-Based Framework
• Identify fraud and errors (threats) that can
occur that threaten each objective
• Identify control procedures (prevent,
detect, correct the threats)
• Evaluate control procedures
 Review to see if control exists and is in
place
 Test controls to see if they work as intended
• Determine effect of control weaknesses
 Compensating controls



6. Auditing Computer-Based
Information Systems
 Information Systems Audit
• Using the risk-based framework for an information
systems audit allows the auditor to review and
evaluate internal controls that protect the system
to meet each of the following objectives:
 Protect overall system security (includes computer
equipment, programs, and data)
 Program development and acquisition occur under
management authorization
 Program modifications occur under management
authorization
 Accurate and complete processing of transactions, records,
files, and reports
 Prevent, detect, or correct inaccurate or unauthorized
source data
 Accurate, complete, and confidential data files
6. Auditing Computer-Based Information Systems
1. Protect Overall System Security
Threats:
 Theft of hardware
 Damage to hardware (accidental and intentional)
 Loss, theft, or unauthorized access to programs or data
 Unauthorized modification or use of programs and data files
 Unauthorized disclosure of confidential data
 Interruption of crucial business activities
Controls:
 Limit physical access to computer equipment
 Use authentication and authorization controls
 Data storage and transmission controls
 Virus protection and firewalls
 File backup and recovery procedures
 Disaster recovery plan
 Preventive maintenance
 Insurance
6. Auditing Computer-Based Information Systems
2. Program Development and Acquisition Occur under Management Authorization
Threats:
 Inadvertent programming errors
 Unauthorized program code
Controls:
 Review software license agreements
 Management authorization for program development and software acquisition
 Management and user approval of programming specifications
 Testing and user acceptance of new programs
 Systems documentation
6. Auditing Computer-Based Information Systems
3. Program Modifications Occur Under Management Authorization
Threats:
 Inadvertent programming errors
 Unauthorized program code
Controls:
 List the program components to be modified
 Management authorization and approval for modifications
 User approval for modifications
 Test changes to the program
 System documentation of changes
6. Auditing Computer-Based Information Systems
4. Accurate and Complete Processing of Transactions, Records, Files, and Reports
Threats:
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to correct errors identified by data editing procedures
• Errors in files or databases during updating
• Improper distribution of output
• Inaccuracies in reporting
Controls:
• Data editing routines
• Reconciliation of batch totals
• Error correction procedures
• Understandable documentation
• Competent supervision
6. Auditing Computer-Based Information Systems
5. Prevent, Detect, or Correct Inaccurate or Unauthorized Source Data
Threats:
• Inaccurate source data
• Unauthorized source data
Controls:
• User authorization of source data input
• Batch control totals
• Log the receipt, movement, and disposition of source data input
• Turnaround documents
• Check digit and key verification
• Data editing routines
6. Auditing Computer-Based Information Systems
6. Accurate, Complete, and Confidential Data Files
Threats:
• Destruction of stored data from errors, hardware and software malfunctions, or sabotage
• Unauthorized modification or disclosure of stored data
Controls:
• Secure storage of data and restricted physical access
• Logical access controls
• Write-protection and proper file labels
• Concurrent update controls
• Data encryption
• Virus protection
• Backup of data files (offsite)
• System recovery procedures
6. Auditing Computer-Based Information Systems
 Audit Techniques Used to Test Programs
• Integrated Test Facility (ITF): uses fictitious inputs (a dummy entity) processed through the live system
• Snapshot technique: master files before and after update are stored for specially marked transactions
• System Control Audit Review File (SCARF): continuous monitoring and storing of transactions that meet pre-specified criteria
• Audit hooks: notify auditors of questionable transactions
• Continuous and Intermittent Simulation (CIS): similar to SCARF, for a DBMS
6. Auditing Computer-Based Information Systems
 Software Tools Used to Test Program Logic
• Automated flowcharting program: interprets source code and generates a flowchart
• Automated decision table program: interprets source code and generates a decision table
• Scanning routines: search a program for specified items
• Mapping programs: identify unexecuted code
• Program tracing: prints program steps with regular output to observe the sequence of program execution events
6. Auditing Computer-Based Information Systems
 Computer Audit Software
• Computer-assisted audit software that can perform audit tasks on a copy of a company's data. It can be used to:
Query data files and retrieve records based upon specified criteria
Create, update, compare, download, and merge files
Summarize, sort, and filter data
Access data in different formats and convert it to a common format
Select records using statistical sampling techniques
Perform analytical tests
Perform calculations and statistical tests
6. Auditing Computer-Based Information Systems
 Operational Audits
• The purpose is to evaluate effectiveness, efficiency, and goal achievement. Although the basic audit steps are the same, the specific activities of evidence collection are focused toward operations, such as:
▫ Review operating policies and documentation
▫ Confirm procedures with management and operating personnel
▫ Observe operating functions and activities
▫ Examine financial and operating plans and reports
▫ Test the accuracy of operating information
▫ Test operational controls
End of chapter 2