Bài giảng Romney_ais13 - Chapter 11: Auditing Computer-Based Information Systems

Auditing Computer-Based Information SystemsChapter 1111-1Learning ObjectivesDescribe the nature, scope, and objectives of audit work, and identify the major steps in the audit process.Identify the six objectives of an information system audit, and describe how the risk-based audit approach can be used to accomplish these objectives.Describe the different tools and techniques auditors use to test software programs and program logic.Describe computer audit software, and explain how it is used in the audit of an AIS.Describe the nature and scope of an operational audit.11-2AuditingThe process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria11-3Major Steps in the Auditing ProcessAudit planningWhy, how, when, and whoEstablish scope and objectives of the audit; identify riskCollection of audit evidenceEvaluation of evidenceCommunication of results11-4Risk-Based Framework Identify fraud and errors (threats) that can occur that threaten each objectiveIdentify control procedures (prevent, detect, correct the threats)Evaluate control proceduresReview to see if control exists and is in placeTest controls to see if they work as intendedDetermine effect of control weaknessesCompensating controls11-5Information Systems AuditUsing the risk-based framework for an information systems audit allows the auditor to review and evaluate internal controls that protect the system to meet each of the following objectives:Protect overall system security (includes computer equipment, programs, and data)Program development and acquisition occur under management authorizationProgram modifications occur under management authorizationAccurate and complete processing of transactions, records, files, and reportsPrevent, detect, or correct inaccurate or unauthorized source dataAccurate, complete, and confidential data files11-61. Protect Overall System Security ControlsTheft of hardwareDamage of hardware (accidental and intentional)Loss, theft, unauthorized access to ProgramsDataUnauthorized modification or use of programs and data filesUnauthorized disclosure of confidential dataInterruption of crucial business activitiesLimit physical access to computer equipmentUse authentication and authorization controlsData storage and transmission controlsVirus protection and firewallsFile backup and recovery proceduresDisaster recovery planPreventive maintenanceInsuranceThreats11-72. Program Development and Acquisition Occur under Management AuthorizationThreatControlsInadvertent programming errorsUnauthorized program codeReview software license agreementsManagement authorization for:Program developmentSoftware acquisitionManagement and user approval of programming specificationsTesting and user acceptance of new programsSystems documentation11-83. Program Development and Acquisition Occur under Management AuthorizationThreatControlsInadvertent programming errorsUnauthorized program codeList program components to be modifiedManagement authorization and approval for modificationsUser approval for modificationsTest changes to programSystem documentation of changesLogical access controls11-94. Accurate and Complete Processing of Transactions, Records, Files, and ReportsThreatsControlsFailure to detect incorrect, incomplete, or unauthorized input dataFailure to correct errors identified from data editing proceduresErrors in files or databases during updatingImproper distribution of outputInaccuracies in reporting Data editing routinesReconciliation of batch totalsError correction proceduresUnderstandable documentationCompetent supervision11-105. Prevent, Detect, or Correct Inaccurate or Unauthorized Source DataThreatControlsInaccurate source dataUnauthorized source dataUser authorization of source data inputBatch control totalsLog receipt, movement, and disposition of source data inputTurnaround documentsCheck digit and key verificationData editing routines11-116. Accurate, Complete, and Confidential Data FilesThreatsControlsDestruction of stored data fromErrorsHardware and software malfunctionsSabotageUnauthorized modification or disclosure of stored dataSecure storage of data and restrict physical accessLogical access controlsWrite-protection and proper file labelsConcurrent update controlsData encryptionVirus protectionBackup of data files (offsite)System recovery procedures11-12Audit Techniques Used to Test ProgramsIntegrated Test FacilityUses fictitious inputsSnapshot TechniqueMaster files before and after update are stored for specially marked transactionsSystem Control Audit Review File (SCARF)Continuous monitoring and storing of transactions that meet pre-specificationsAudit HooksNotify auditors of questionable transactionsContinuous and Intermittent SimulationSimilar to SCARF for DBMS11-13Software Tools Used to Test Program LogicAutomated flowcharting programInterprets source code and generates flowchartAutomated decision table programInterprets source code and generates a decision tableScanning routinesSearches program for specified itemsMapping programsIdentifies unexecuted codeProgram tracingPrints program steps with regular output to observe sequence of program execution events11-14Computer Audit SoftwareComputer assisted audit software that can perform audit tasks on a copy of a company’s data. Can be used to:Query data files and retrieve records based upon specified criteriaCreate, update, compare, download, and merge filesSummarize, sort, and filter dataAccess data in different formats and convert to common formatSelect records using statistical sampling techniquesPerform analytical testsPerform calculations and statistical tests11-15Operational Audits Purpose is to evaluate effectiveness, efficiency, and goal achievement. Although the basic audit steps are the same, the specific activities of evidence collection are focused toward operations such as:Review operating policies and documentationConfirm procedures with management and operating personnelObserve operating functions and activitiesExamine financial and operating plans and reportsTest accuracy of operating informationTest operational controls11-16Key TermsAuditingInternal auditingFinancial auditInformation systems auditOperational auditCompliance auditInvestigative auditInherent riskControl riskDetection riskConfirmationReperformanceVouchingAnalytical reviewMaterialityReasonable assuranceSystems reviewTest of controlsCompensating controlsSource code comparison programReprocessingParallel simulationTest data generatorConcurrent audit techniquesEmbedded audit modulesIntegrated test facility (ITF)Snapshot techniqueSystem control audit review file (SCARF)Audit log11-17Key Terms (continued)Audit hooksContinuous and intermittent simulation (CIS)Automated flowcharting programAutomated decision table programScanning routinesMapping programsProgram tracingInput controls matrixComputer-assisted audit techniques (CAAT)Generalized audit software (GAS)11-18