CIS Auditing Transactions PDF
Summary
This document discusses different types of audits, including external and internal audits. It also describes the role of the audit committee and fraud audits. The document further explores financial audit components and standards, as well as the importance of IT audits in a complex IT environment.
Full Transcript
CHAPTER 1: AUDITING & INTERNAL CONTROL

Different Types of Audit

External Audit - Independent attestation performed by an expert who expresses an opinion regarding the presentation of financial statements.
❖ Also known as an attest service, performed by Certified Public Accountants (CPAs) who work for professional services firms that are independent of the client organization being audited.
❖ Associated with assuring the fair presentation of financial statements, hence often referred to as a financial audit.
❖ External auditors represent the interests of outsiders: stockholders, creditors, government agencies, and the general public.
❖ External auditors must follow strict rules (e.g., standards, legislation, etc.) in conducting financial audits.

Internal Audit - An independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
❖ Performs a wide range of activities on behalf of the organization.
❖ Typically conducted by auditors who work for the organization, but this task may be outsourced.
❖ Internal auditors are often certified as a Certified Internal Auditor (CIA) or Certified Information Systems Auditor (CISA).
❖ Internal auditors represent the interests of the organization.

Fraud Audit - Investigation of anomalies and gathering of evidence of fraud that may lead to a criminal conviction.
❖ The objective is to investigate anomalies and gather evidence of fraud that may lead to a criminal conviction.
❖ Organizations victimized by fraud usually contract with specialized fraud units of professional services firms or with companies that specialize in forensic accounting.
❖ Typically, fraud auditors have earned the Certified Fraud Examiner (CFE) certification.

THE ROLE OF THE AUDIT COMMITTEE

Audit Committee - A subcommittee of a company's board of directors that oversees financial reporting, risk management, and compliance processes. All U.S. publicly traded companies must maintain a qualified audit committee in order to be listed on a stock exchange. In the Philippines, the Securities and Exchange Commission (SEC) also requires publicly listed organizations to establish an audit committee, as mandated by the Code of Corporate Governance for Publicly-Listed Companies. The audit committee serves as the independent "check-and-balance" for the internal audit function and as liaison with the external auditors.

FINANCIAL AUDIT COMPONENTS

1. Auditing Standards
2. Systematic Process - Conducting an audit is a systematic and logical process that applies to all forms of information systems. While important in all audit settings, a systematic approach is particularly important in the IT environment. The lack of physical procedures that can be visually verified and evaluated injects a high degree of complexity into the IT audit. Therefore, a logical framework for conducting an audit in the IT environment is critical to help the auditor identify all important processes and data files.
3. Management Assertions & Audit Objectives
4. Obtaining Evidence - Obtaining audit evidence is a crucial step in the audit process, as it involves gathering sufficient and appropriate information to support the auditor's conclusions and opinions. Evidence is collected by performing:
   Tests of Controls - establish whether internal controls are functioning properly.
   Substantive Tests - determine whether accounting databases fairly reflect the organization's transactions and account balances.
5. Ascertaining Materiality - Materiality, in the context of auditing, refers to the significance of an error, misstatement, or omission in the financial statements that could influence the decisions of users relying on those statements. Ascertaining materiality ensures that auditors focus on issues that have a significant impact on financial statement users' decisions, allowing for an effective and efficient audit procedure.
6. Communicating Results - An independent auditor renders a report to the audit committee of the board of directors. The audit report contains, among other things, an audit opinion. This opinion is distributed along with the financial report to interested parties both internal and external to the organization. IT auditors often communicate their findings to internal and external auditors, who can then integrate these findings with the non-IT aspects of the audit.

AUDIT RISK is the risk that auditors may issue an incorrect or inappropriate audit opinion on the financial statements, failing to detect material misstatements or issues.
Inherent Risk - the risk of material misstatement existing in a financial statement component before considering the effectiveness of internal controls.
Control Risk - the risk that the organization's internal controls will not prevent or detect material misstatements.
Detection Risk - the risk that the auditors' audit procedures will fail to identify material misstatements that exist in the financial statements.

The audit risk model: AR = IR x CR x DR

Example: Assume that the acceptable audit risk is assessed at 4%, inherent risk at 38%, and control risk at 75%. What level of planned detection risk is needed to achieve the acceptable audit risk?
AR = IR x CR x DR
4% = 38% x 75% x DR
DR = 0.04 / 0.285
DR = 14.04%

Example: Assume the same acceptable audit risk (4%) and inherent risk (38%), but control risk is assessed at 60%. What level of planned detection risk is needed?
AR = IR x CR x DR
4% = 38% x 60% x DR
DR = 0.04 / 0.228
DR = 17.54%

The lower the planned detection risk, the more substantive evidence the auditor must gather; a higher control risk assessment therefore leaves the auditor with less room to rely on controls and more substantive testing to do.

THE IT AUDIT
Phases of an IT Audit

Internal Control
Internal Control Objectives:
❖ To safeguard the assets of the firm.
❖ To ensure the accuracy and reliability of accounting records and information.
❖ To promote efficiency in the firm's operations.
❖ To measure compliance with management's prescribed policies and procedures.
Modifying Principles

Management Responsibility - The establishment and maintenance of a system of internal control is a management responsibility.

LIMITATIONS - Every system of internal control has limitations on its effectiveness:
❖ Possibility of error
❖ Circumvention
❖ Management override
❖ Changing conditions

Methods of Data Processing - Internal control systems should achieve the four broad objectives regardless of the data processing method used.

Reasonable Assurance - The cost of achieving improved control should not outweigh its benefits.

Control Weakness and Risk

THE PDC MODEL

Preventive Control - Proactively deters errors, fraud, or risks from occurring in the first place. Preventive controls are intended to stop problems before they happen by implementing measures that discourage unwanted events.
Detective Control - Identifies and detects errors, fraud, or irregularities after they have occurred. Detective controls are aimed at uncovering issues as they arise to minimize their impact and enable timely corrective actions.
Corrective Control - Addresses and rectifies errors, fraud, or issues that have been identified. Corrective controls focus on fixing problems that have already occurred, to prevent their recurrence and minimize their impact on the organization.

COSO INTERNAL CONTROL FRAMEWORK

The COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control Framework is a widely recognized and comprehensive model designed to help organizations establish, assess, and enhance their internal control systems. It provides a structured approach to manage risks, ensure reliable financial reporting, and achieve operational effectiveness.

CONTROL ENVIRONMENT - This component sets the tone for the organization by emphasizing ethics, integrity, and accountability. It includes factors such as management's commitment to controls, organizational structure, and the overall culture. SAS 109 requires that auditors obtain sufficient knowledge to assess the attitude and awareness of the organization's management, board of directors, and owners regarding internal control.

RISK ASSESSMENT - Organizations need to identify, assess, and prioritize risks that could affect their objectives. This involves understanding potential internal and external risks and their potential impact on operations. SAS 109 requires that auditors obtain sufficient knowledge of the organization's risk assessment procedures to understand how management identifies, prioritizes, and manages the risks related to financial reporting.

CONTROL ACTIVITIES - These are the specific policies, procedures, and practices implemented to mitigate risks and achieve control objectives. They encompass preventive, detective, and corrective controls, as well as manual and automated processes.

Categories of Control Activities:

PHYSICAL CONTROL

IT CONTROL

❖ IT GENERAL CONTROLS

❖ ACCESS TO PROGRAMS & DATA - Focuses on controlling access to IT systems, applications, and data to ensure that only authorized users can access sensitive information and perform specific functions.
User ID Management - Covers the creation, management, and maintenance of user IDs in a system, making sure that every user's ID is unique. This is important for tracking user activity and ensuring that only authorized users have access to specific resources.
User Access Granting & Modification - This process involves granting access rights to users based on their roles and responsibilities in the organization. Access can be modified when a user's role changes, so that their level of access stays correct and appropriate.
User Access Termination - When a user resigns or changes role, their access to systems and data must be revoked immediately to prevent unauthorized access. This is critical for maintaining system security and protecting sensitive information.
Password Management - Involves creating policies for the creation, storage, and regular updating of passwords to prevent unauthorized access. Users must also be taught best practices for creating strong passwords and avoiding password-related security breaches.
Privileged ID Management - Concerns the management and control of accounts with a higher level of access, such as admin accounts. These powerful accounts need strict control and monitoring to prevent misuse and to ensure that access is given only to the people who need it.
Periodic Access Review - A regular examination of user access rights to ensure they are aligned with users' current roles and responsibilities. It helps identify and correct any outdated or unnecessary access, reducing the risk of unauthorized data access.

❖ PROGRAM CHANGES - Focuses on controls to manage and track changes effectively, including change management procedures, documentation, testing, and approval processes, to ensure that changes are authorized and properly implemented and do not introduce security vulnerabilities or errors.
Change Management Process - The process of managing changes to IT systems, ensuring that every change is documented, reviewed, and approved, to avoid disruptions and errors.
Segregation of IT Environments - Refers to separating the different IT environments (e.g., development, testing, production) to avoid unintended changes or conflicts and to ensure the integrity of the production environment.
❖ COMPUTER OPERATIONS - Encompasses the management and oversight of IT infrastructure, including hardware, software, networks, and data centers.
Problem & Incident Management - The process of handling and resolving issues or incidents that affect IT systems, so as to minimize disruption to operations.
Batch Job Management - Involves scheduling, executing, and monitoring batch jobs (automated processes) to ensure that the system's critical tasks are completed on time.
Data Backup & Recovery - The process of backing up data and restoring it when data loss or system failure occurs, to ensure that important information is not lost.
Data Center Management - Refers to managing and maintaining the data center's physical and virtual infrastructure so that IT services are always available, secure, and efficient.

❖ PROGRAM DEVELOPMENT - Includes controls related to software development lifecycle (SDLC) processes, such as requirements gathering, design, coding, testing, and deployment. It also covers controls to ensure the integrity, reliability, and security of software applications.
Planning - The first step, in which the overall strategy and objectives for the new IT system are developed, including the timeline and resource allocation.
System Analysis & Requirements - In this phase, business needs are collected and evaluated to identify what functionality the system requires.
System Design - Here the structure of the system is defined and drawn up, including the technical architecture, interfaces, and data flows, based on the gathered requirements.
Development - In the development phase, the actual coding and creation of the system is done according to the approved system design.
Testing - Testing involves verifying and validating the system to ensure that it works according to the requirements and has no major bugs.
Implementation - The final phase, in which the system is deployed to the production environment and put to use by end users.

❖ IT APPLICATION CONTROLS
INPUT - PROCESS - OUTPUT

❖ INPUT CONTROLS - Designed to ensure the accuracy, completeness, and validity of data entered into a system. These controls aim to prevent erroneous or unauthorized data from being input, which could lead to incorrect processing and output.
Examples:
Check Digits: A number or digit added to data (such as account numbers) to verify the accuracy of the input by performing a mathematical check.
Missing Data Check: Ensures that no information is missing from the data input, such as mandatory fields that must be filled in.
Duplicate Check: Ensures that there are no duplicate data entries, such as checking whether an invoice number has already been used.
Data Type Validation: Checks that the type of data entered is correct (e.g., letters only in a name field, numbers only in a phone number field).
Limit Check: Sets a maximum or minimum value that can be entered in a field, to prevent out-of-bounds entries.
Range Check: Ensures that input values fall within a specified valid range (e.g., age must be between 18 and 65).
Reasonableness Check: Validates whether the input data is logical and sensible, such as checking whether a salary amount is within a reasonable range for the position.
Validity Check: Checks whether the input data is valid according to predefined criteria or an existing database (e.g., a valid customer ID).

❖ PROCESSING CONTROLS - Implemented to monitor and regulate the execution of business processes or workflows within a system. These controls ensure that processes are performed efficiently, accurately, and in compliance with organizational policies and standards.
Batch Controls: Validate the completeness and accuracy of data in batch processing, using totals or counts (e.g., total number of transactions) to ensure that every item in the batch was processed correctly.
Run-to-Run Controls: Ensure that data is correct at every step of processing, by comparing the outputs of one run (process) to the inputs of the next, so that nothing is lost or changed unexpectedly.

❖ OUTPUT CONTROLS - Implemented to verify the accuracy, completeness, and integrity of the information produced by a system. These controls ensure that output is delivered to the appropriate users or systems in a timely and secure manner.
Print Programs: The controls used to ensure that printed outputs are correct and secure, such as setting permissions for printing sensitive documents.
Waste Minimization: Focuses on reducing unnecessary output or printing, such as using electronic reports instead of paper to reduce waste.
Report Distribution: Ensures that reports are sent only to authorized recipients, either through secure channels or controlled access, to prevent unauthorized access.
End-User Controls: The mechanisms given to end users to check and validate the accuracy of the outputs they receive, ensuring that the data is correct before it is used.
Key Reports Configuration: The setup and verification of critical reports, whose format, content, and layout must be correct, to ensure that key decision-making outputs are accurate.

INFORMATION AND COMMUNICATION - Effective communication ensures that relevant information flows throughout the organization. Accurate and timely data helps in making informed decisions and executing control activities.

CHAPTER 2: AUDITING IT GOVERNANCE CONTROLS

INFORMATION TECHNOLOGY GOVERNANCE

What is Governance?
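The input, batch and run-to-run application controls listed at the end of Chapter 1, put into working code as an added example before the governance material (not from the original notes). The record layout, the customer master file, the amount limit, the batch transmittal figures and the choice of the Luhn algorithm as the check-digit scheme (the notes name no particular scheme) are this example's own assumptions.

```python
"""Input, batch and run-to-run controls applied to a constructed sales batch.

Added example for the application controls section; it is not from the
original notes. The record layout, the customer master, the amount limit,
the transmittal totals and the choice of the Luhn algorithm as the
check-digit scheme (the notes name no particular scheme) are this
example's own assumptions.
"""

VALID_CUSTOMERS = {"C001", "C002", "C003"}   # constructed customer master file
MAX_AMOUNT = 50_000.00                        # constructed upper limit per invoice


def luhn_valid(number):
    """Check digit test: True when the last digit is the Luhn check digit."""
    if not isinstance(number, str) or not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_record(rec, seen_invoices):
    """Apply the input controls from the notes; return the list of failures."""
    errors = []
    for field in ("invoice", "customer", "amount", "account"):
        if rec.get(field) in (None, ""):
            errors.append(f"missing:{field}")            # missing data check
    if errors:
        return errors
    if rec["invoice"] in seen_invoices:
        errors.append("duplicate:invoice")               # duplicate check
    if not isinstance(rec["amount"], (int, float)):
        errors.append("type:amount")                     # data type validation
    elif not 0 < rec["amount"] <= MAX_AMOUNT:
        errors.append("limit:amount")                    # limit / range check
    if rec["customer"] not in VALID_CUSTOMERS:
        errors.append("validity:customer")               # validity check against master
    if not luhn_valid(rec["account"]):
        errors.append("checkdigit:account")              # check digit
    return errors


def validation_run(records):
    """Run 1: split the batch into accepted and rejected records."""
    accepted, rejected, seen = [], [], set()
    for rec in records:
        errs = validate_record(rec, seen)
        if errs:
            rejected.append((rec, errs))
        else:
            seen.add(rec["invoice"])
            accepted.append(rec)
    return accepted, rejected


def posting_run(accepted):
    """Run 2: post accepted records; returns the ledger lines and their total."""
    ledger = [(r["invoice"], r["customer"], round(r["amount"], 2)) for r in accepted]
    return ledger, round(sum(a for _, _, a in ledger), 2)


def process_batch(records, transmittal_count, transmittal_total):
    """Batch controls on arrival, then run-to-run reconciliation between runs."""
    numeric = [r["amount"] for r in records if isinstance(r.get("amount"), (int, float))]
    input_total = round(sum(numeric), 2)
    report = {
        "batch_count_ok": len(records) == transmittal_count,        # record count
        "batch_total_ok": input_total == round(transmittal_total, 2),  # financial total
    }
    accepted, rejected = validation_run(records)
    ledger, posted_total = posting_run(accepted)
    rejected_total = round(sum(r["amount"] for r, _ in rejected
                               if isinstance(r.get("amount"), (int, float))), 2)
    # Run-to-run: what left run 1 must equal what entered run 2 plus rejects.
    report["run_to_run_ok"] = (len(ledger) + len(rejected) == len(records)
                               and round(posted_total + rejected_total, 2) == input_total)
    report.update(accepted=len(ledger), rejected=len(rejected), posted_total=posted_total)
    return report, rejected


# Constructed batch: one record per failure mode plus two good ones.
BATCH = [
    {"invoice": "INV-1001", "customer": "C001", "amount": 1200.00, "account": "79927398713"},
    {"invoice": "INV-1002", "customer": "C009", "amount": 500.00, "account": "79927398713"},
    {"invoice": "INV-1001", "customer": "C002", "amount": 75.25, "account": "79927398713"},
    {"invoice": "INV-1003", "customer": "C003", "amount": 60000.00, "account": "79927398713"},
    {"invoice": "INV-1004", "customer": "C003", "amount": 310.10, "account": "79927398714"},
    {"invoice": "INV-1005", "customer": "C001", "amount": "", "account": "79927398713"},
    {"invoice": "INV-1006", "customer": "C002", "amount": 99.90, "account": "4111111111111111"},
]
TRANSMITTAL_COUNT, TRANSMITTAL_TOTAL = 7, 62185.25   # figures on the batch control sheet

if __name__ == "__main__":
    report, rejects = process_batch(BATCH, TRANSMITTAL_COUNT, TRANSMITTAL_TOTAL)
    print(report)
    for rec, errs in rejects:
        print(rec["invoice"], errs)
```

The batch totals confirm that everything on the transmittal arrived; the run-to-run check then confirms that posted plus rejected equals what was validated, so a record cannot silently vanish between the two runs even though five of the seven records are rejected.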
IT governance refers to the framework, processes, and practices that guide the strategic planning, decision-making, and oversight of an organization's information technology (IT) activities. It involves aligning IT initiatives with the organization's business objectives, managing IT risks, ensuring regulatory compliance, and optimizing IT resources to deliver value and support business goals. IT governance aims to establish structures and mechanisms that enhance accountability, transparency, and the effective use of technology within an organization.
Key objectives of IT governance are to:
❖ reduce risk, and
❖ ensure that investments in IT resources add value to the corporation.

INFORMATION AND COMMUNICATION (continued from Chapter 1) - SAS 109 requires that auditors obtain sufficient knowledge of the organization's information system.

MONITORING ACTIVITIES - Regular monitoring of controls is crucial to identify changes in risks, ensure controls are operating effectively, and address issues promptly. Monitoring includes ongoing assessments, separate evaluations, or a combination of both.

AUDIT IMPLICATION OF SOX - SOX legislation dramatically expands the role of external auditors by mandating that they attest to the quality of their client organization's internal control. This constitutes the issuance of a separate audit opinion on the internal controls in addition to the opinion on the fairness of the financial statements. It is technically possible for auditors to find internal controls over financial reporting to be weak, but conclude through substantive tests that the weaknesses did not cause the financial statements to be materially misrepresented.

STRUCTURE OF THE IT CORPORATE FUNCTION

Centralized Data Processing
Organizational Chart of a Centralized IT Services Function

ADVANTAGES OF CENTRALIZED DATA PROCESSING
Data Consistency: Ensures data consistency and reduces the risk of data duplication or inconsistencies.
Control and Standardization: Allows for greater control over processes, security measures, and standardized procedures.
Efficient Resource Allocation: Resources can be allocated more efficiently since they are managed from a central location. DATABASE ADMINISTRATION Simplified Management: Managing and maintaining a single centralized infrastructure is Database a structured collection of organized often simpler than managing multiple distributed and interconnected data that is stored systems. electronically. It is designed to efficiently store, manage, and retrieve information. RISKS & CONTROLS ASSOCIATED WITH Database Administration involves the CENTRALIZED DATA PROCESSING management, maintenance, and optimization of databases within an organization. Database Administrator (DBA) professional responsible for the overall management of the organization’s databases. DATA PROCESSING SYSTEM DEVELOPMENT AND MAINTENANCE System Development - refers to the process of creating, designing, and building a new information system or software application. System Maintenance - involves the ongoing activities of managing, updating, and supporting an existing information system or software application after it has been developed and implemented the maintenance phase of the systems development life cycle. Although a common arrangement, this approach is associated with inadequate documentation and the potential for program fraud. SEGREGATION OF INCOMPATIBLE IT FUNCTIONS Systems development and maintenance professionals should creates systems for users, and should have no involvement in entering data, or running applications. ORGANIZATIONAL CHART OF A DISTRIBUTED PROCESSING FUNCTION Operations staff should run these systems and have no involvement in their design. An individual could make unauthorized changes to the application during its execution. DBA function is responsible for a number of critical tasks pertaining to database security. ADVANTAGES OF DISTRIBUTED DATA Delegating these responsibilities to other PROCESSING who perform incompatible tasks threatens database integrity. 
Cost Reductions: Allows organizations to use cost- effective hardware resources instead of investing in high-end centralized systems. Improved User Satisfaction: Provides faster Programmers, who codes the original response times and better performance, leading to programs, also maintains the systems during improved user experience and satisfaction. Backup Flexibility: Facilitates flexible backup and recovery options. Data can be backed up locally at each node, reducing the reliance on a single backup location and enhancing data protection. RISKS & CONTROLS ASSOCIATED WITH DISTRIBUTED DATA PROCESSING STRUCTURE OF THE CORPORATE IT FUNCTIONS AUDIT OBJECTIVE To verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manger that promotes a working environment. AUDIT PROCEDURE: Centralized Data Processing Review relevant documentation to determine if individuals or groups are performing incompatible functions. Review systems documentation and maintenance records. Verify that maintenance programmers assigned to specific projects are not also the original design programmers. Verify that computer operators do not have access to the operational details of a system’s internal logic. Through observation, determine that segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures Distributed Data Processing Review the current organizational chart to determine if individuals or groups are performing incompatible duties. Verify that corporate policies and standards are published and provided to distributed IT units. Verify that compensating controls are employed when segregation of incompatible duties is economically infeasible. 
Review system documentation to verify applications, procedures and databases are designed and functioning in accordance with corporate standards. THE COMPUTER CENTER Also known as a data center. Refers to a facility equipped with specialized infrastructure, hardware, and resources dedicated to housing and managing computing and networking equipment. It serves as a centralized location for hosting, storing, processing, and managing large volumes of digital data, applications, and services. AUDIT OBJECTIVE To verify that physical security controls are adequate to reasonably protect the organization from physical exposures. To verify that insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to , its computer center. DISASTER RECOVERY PLANNING Categories of Disaster What is a Disaster Recovery Plan (DRP)? Structured and documented strategy that outlines the procedures, actions, and resources to be used in the event of a disruptive incident. The goal of a disaster recovery plan is to minimize downtime, recover data and systems, and restore normal operations as swiftly as possible after a significant disruption. Common Features of DRP In this step, organizations assess their various applications to determine which ones are essential for sustaining core business functions. The identification process involves: i. Business Impact Analysis (BIA): Evaluate each application's effect on revenue, customer service, compliance, and efficiency. ii. Stakeholder Input: Collaborate with department representatives To gather insights on vital applications. iii. Dependency Mapping: Understand how applications interact; prioritize those with interdependencies. iv. Recovery Time Objectives (RTO) & PROVIDING SECOND-SITE BACKUP Recovery Point Objective (RPO): Define the acceptable downtime and data loss for each application. v. 
Business Process Mapping: Consider how applications support critical business processes CREATING A DISASTER RECOVERY TEAM Mutual AID Pack An arrangement between organizations to provide assistance to each other during disasters. In the context of second-site backup, organizations agree to share their backup facilities in case of a disaster. This allows each organization to have access to a secondary location for recovery A disaster recovery team is a group of individuals purposes. responsible for executing the disaster recovery plan and ensuring a coordinated response to disruptive Empty Shell events. Also known as a cold site, is a second-site backup ✓ Roles & Responsibilities: Assign roles like option where the facility is pre-selected and team leader, technical expert, and prepared for disaster recovery but lacks the communication coordinator. necessary IT infrastructure. ✓ Diverse Expertise: Form a team with cross- functional skills in IT, operations, and Organizations provide their own hardware, software, communication. and data backups to set up operations at the cold ✓ Leadership Support: Ensure senior site. leadership endorses the team and RECOVERY OPERATIONS CENTER (ROC) designates oversight. ✓ Clear Communication: Establish Also known as a hot site, is a fully equipped and communication channels within the team and operational second-site backup facility. externally. It is equipped with hardware, software, ✓ Training: Train members, conduct drills, and communication systems, and data replication simulations for readiness. mechanisms to ensure a swift transition in case of a ✓ Documentation: Maintain up-to-date disaster. member information for quick contact. ✓ Activation Protocol: Define triggers, INTERNALLY PROVIDED BACKUP communication, and escalation procedures. ✓ Regular Review: Periodically assess and Some organizations choose to establish their own adjust roles based on changes and lessons secondary backup facility internally. ▪ This could learned. 
involve setting up a separate data center at a different location, ensuring redundancy in hardware, software, and data SPECIFYING BACKUP & OFF-SITE STORAGE PROCEDURES Operating System Backup: This involves regularly backing up the operating system files and configurations necessary to restore servers and systems to their operational state in case of a disaster. Application Backup: Regularly backing up application software, settings, and configurations to restore the applications' operational state. Backup Data Files: Regularly backing up critical data files, databases, and user-generated content to prevent data loss during disruptions. Backup Documentation: Creating copies of disaster recovery plans, procedures, contact lists, and technical documentation for recovery personnel. Backup Supplies and Source Documents: Storing copies of essential supplies, forms, templates, and documents required for business processes at an offsite location. Testing DRP (Disaster Recovery Plan): Regularly testing the disaster recovery plan through simulations and exercises to identify gaps and areas for improvement. AUDIT OBJECTIVE OF DISATER RECOVERY PLANNING To verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources. OUTSOURCING THE IT FUNCTION Software as a Service (SaaS): Sa SaaS, wala nang IT OUTSOURCING hassle ng manual installations o hardware upgrades, Refers to the practice of contracting specific IT dahil ang provider ang responsable sa infrastructure, functions, tasks, or services to external third-party software updates, at security patches. Madalas itong providers. gamitin ng businesses para sa email, collaboration tools, at customer relationship management (CRM) These providers, often specialized in IT services, systems, dahil accessible ito kahit saan basta may take on responsibilities such as managing internet. 
infrastructure, software development, technical support, cybersecurity, and more. Platform as a Service (PaaS): Sa PaaS, binibigyan ka ng mga tools at services para mapabilis ang WHAT IS CLOUD? development process, tulad ng pre-configured Refers to servers that are accessed over the servers, integrated development environments Internet, and the software and databases that run on (IDEs), at scalable infrastructure. Ito ay ginagamit ng those servers. mga businesses o developers na gustong i- streamline ang development cycle, iwasan ang Virtualization hassle ng manual setup, at mag-focus sa pag- improve ng kanilang software. Allows multiple virtual instances of operating systems, applications, or resources to run on a Infrastructure as a Service (IaaS): Sa IaaS, ang single physical server or hardware platform. users ay may kontrol sa operating system, Cloud Computing applications, at storage, pero ang cloud provider ang nag-aalaga ng physical hardware at networking Refers to the delivery of different services through components. Ito ay madalas gamitin ng mga the Internet. businesses na nangangailangan ng flexible at scalable computing power, tulad ng mga startups o These resources include tools and applications like mga businesses na may biglaang paglago ng IT data storage, servers, databases, networking, and needs. software. STATEMENT ON STANDARDS FOR ATTESTATION ENGAGEMENTS NO. 16 (SSAE 16) SOC 1 Reports RISK INHERENT TO IT OUTSOURCING SOC 1TYPE1 Failure to Perform: Risk that the outsourcing Shows how well the internal controls are provider may not meet performance expectations, designed to prevent mistakes regarding leading to service disruptions, delays, or inadequate financial transaction/statement data. quality of work. Testing is done at one point in time; does not Vendor Exploitation: Risk that the outsourcing test the operating effectiveness of the control vendor may take advantage of the organization's set. 
dependency, leading to unfair terms, high fees, or subpar service delivery. SOC 1TYPE 2 Outsourcing Costs Exceed Benefit: Risk that the Tests the operating effectiveness of the cost savings expected from outsourcing may not internal controls (business process and IT 1 materialize, and the organization may end up general controls); designed to mitigate the spending more than the anticipated benefits. risk of a financial inaccuracy of the user entity. Reduced Security: Risk that sensitive data and information may be at a higher risk of exposure due Testing is conducted over a period of time, to inadequate security measures on the vendor's and a sampling methodology is used for an side or lack of control over security protocols. accurate portrayal of operating effectiveness. Loss of Strategic Advantage: Risk that outsourcing critical functions may lead to a loss of in- house expertise and control, impacting the organization's ability to innovate and maintain a competitive edge. CHAPTER 3 : SECURITY PART I – AUDITING OPERATING SYSTEMS & NETWORKS What is an Operating System? An operating system (OS) is software that serves as an intermediary between computer hardware and the computer user. It provides a user interface and controls the computer hardware so that software applications can function MAIN TASKS PERFORMED BY AN OPERATING SYSTEM 1. Translating High-Level Languages Refers to the process by which a program written in a high-level programming language (like Python, Java, C++) is converted into a form that the computer's hardware can directly execute. This translation is necessary because computers can only understand and execute instructions in their native machine language, which consists of binary code (0s and 1s). 2. Resource Allocation Refers to the process by which a program written in a high-level programming language (like Python, Java, C++) is converted into a form that the computer's hardware can directly execute. 
This translation is necessary because the computer can only execute instructions in its native machine language, which consists of binary code (0s and 1s).

3. Job Scheduling and Multiprogramming
Job scheduling involves determining the order in which jobs or processes are executed by the CPU. Multiprogramming allows multiple programs to reside in memory simultaneously, with the CPU switching between them so that it is kept constantly busy.

AUDITING NETWORKS

What Is a Network?

A network is a collection of interconnected devices, such as computers, servers, printers, and other hardware, that are linked together to facilitate the sharing of resources and information. These devices are connected via various means, such as wired (e.g., Ethernet cables) or wireless (e.g., Wi-Fi) connections.

AUDITING ELECTRONIC DATA INTERCHANGE (EDI)

Electronic Data Interchange

Refers to a digital communication technology that allows businesses to exchange structured business documents, such as purchase orders, invoices, and shipping notices, electronically.

BENEFITS OF EDI

Data Keying: Eliminates the need for manual data entry, reducing the risk of human error and speeding up transaction processing.

Error Reduction: Automation and standardized formats in EDI reduce the likelihood of mistakes compared to manual, paper-based processes.

Reduction of Paper: Since transactions are digital, there is no need for physical paperwork, saving on printing, storage, and handling costs.

Simplified Management: Managing and maintaining a single centralized infrastructure is often simpler than managing multiple distributed systems.

Postage: As documents are transmitted electronically, there is no need for traditional mail, reducing postage expenses.

Automated Procedures: EDI enables automated processing of documents, reducing the time and effort required for manual handling.
Inventory Reduction: Faster processing times lead to reduced inventory holding costs, as businesses can respond more promptly to orders and deliveries.

AUDITING PC-BASED ACCOUNTING SYSTEMS

PC-based accounting systems are accounting software applications designed to run on personal computers (PCs). These systems are used by businesses to manage their financial transactions, recordkeeping, and reporting processes.

CHAPTER 4 : SECURITY PART 2 – AUDITING DATABASE SYSTEMS

DATA MANAGEMENT APPROACHES
❖ DEFINITION
❖ DATA STORAGE
❖ DATA UPDATING
❖ CURRENCY OF INFORMATION
❖ TASK-DATA DEPENDENCY

METHODS OF DATABASE ACCESS

Formal Application Interfaces
Think of it like a specialized tool or software. This is when users interact with the database through specific software or applications that are designed for a particular purpose. These applications have a defined set of functions and features. For example, imagine a cashier using a Point-of-Sale (POS) system to handle transactions. The system is tailored for this specific task and provides clear options for the cashier to input data. Because the application, not the user, issues the SQL, the application's own controls (input validation and authorization checks) govern what reaches the database.

Informal Method of Queries
Picture it as asking questions. This is a more flexible way of interacting with the database. Users can ask questions or request specific information directly. For instance, think of a manager asking, "How many products did we sell last month?" This question can be translated into an SQL query to get the answer. Because ad hoc queries bypass the controls built into an application, the auditor should verify that the DBMS itself limits such users to read-only access to the tables they are authorized to see.

KEY ELEMENTS OF DATABASE ENVIRONMENT

The Data Management System
A Database Management System (DBMS) is software that facilitates the creation, organization, management, and manipulation of databases. It provides an interface for users and applications to interact with databases while ensuring data integrity, security, and efficient data retrieval.

Query Language
A query language is a specialized language used to interact with databases. It allows users to retrieve specific information from a database by specifying criteria.
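Returning to the EDI section in Chapter 3: the audit value of a standardized format is that every envelope carries control numbers and counts that must reconcile, so a dropped, duplicated or injected segment shows up there before it reaches the accounting system. The following is an added example, not part of these notes and not any EDI vendor's code: it reconciles those controls over a constructed ANSI X12 850 purchase order. The sender and receiver IDs, control numbers, dates and part numbers are invented, and only the envelope counts (ISA/IEA, GS/GE, ST/SE) and the CTT line-item count are checked.

```python
"""Reconcile the control numbers and counts of an ANSI X12 interchange.

Added example for the EDI section; the sample interchange below is constructed
for this demonstration and is not taken from the notes or any trading partner.
"""

# One interchange (ISA/IEA) holding one functional group (GS/GE) with one
# 850 purchase order (ST/SE). Sender, receiver and control numbers are made up.
SAMPLE_850 = (
    "ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     "
    "*240115*1200*U*00401*000000123*0*T*>~"
    "GS*PO*SENDERID*RECEIVERID*20240115*1200*1*X*004010~"
    "ST*850*0001~"
    "BEG*00*SA*PO-1001**20240115~"
    "PO1*1*10*EA*2.50**VP*WIDGET-1~"
    "PO1*2*5*EA*4.00**VP*WIDGET-2~"
    "CTT*2~"
    "SE*6*0001~"
    "GE*1*1~"
    "IEA*1*000000123~"
)


def split_segments(raw: str) -> list[list[str]]:
    """Derive the delimiters from the fixed-width ISA header and split the
    interchange into segments, each a list of elements.

    X12 fixes the element separator at byte 4 of ISA and the segment
    terminator at byte 106, so the file declares its own delimiters.
    """
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("interchange must start with a 106-byte ISA segment")
    elem_sep, seg_term = raw[3], raw[105]
    return [s.strip().split(elem_sep) for s in raw.split(seg_term) if s.strip()]


def audit_interchange(raw: str) -> list[str]:
    """Return a list of findings; an empty list means every control reconciles."""
    segs = split_segments(raw)
    findings: list[str] = []

    isa, iea = segs[0], segs[-1]
    if iea[0] != "IEA":
        return ["interchange does not end with an IEA segment"]
    if isa[13] != iea[2]:
        findings.append(f"ISA13 {isa[13]} != IEA02 {iea[2]}: interchange control numbers differ")
    groups = [s for s in segs if s[0] == "GS"]
    if int(iea[1]) != len(groups):
        findings.append(f"IEA01 says {iea[1]} functional group(s), found {len(groups)}")

    # Walk the GS..GE and ST..SE envelopes with explicit state so that any
    # segment added or removed in transit surfaces as a count mismatch.
    gs = st = None
    sets_in_group = seg_count = po1_count = 0
    for seg in segs:
        tag = seg[0]
        if tag == "GS":
            gs, sets_in_group = seg, 0
        elif tag == "GE":
            if gs is None:
                findings.append("GE without a matching GS")
            else:
                if gs[6] != seg[2]:
                    findings.append(f"GS06 {gs[6]} != GE02 {seg[2]}: group control numbers differ")
                if int(seg[1]) != sets_in_group:
                    findings.append(f"GE01 says {seg[1]} transaction set(s), found {sets_in_group}")
            gs = None
        elif tag == "ST":
            st, seg_count, po1_count = seg, 1, 0   # SE01 counts ST itself
            sets_in_group += 1
        elif tag == "SE":
            seg_count += 1                          # ... and SE itself
            if st is None:
                findings.append("SE without a matching ST")
            else:
                if st[2] != seg[2]:
                    findings.append(f"ST02 {st[2]} != SE02 {seg[2]}: transaction set control numbers differ")
                if int(seg[1]) != seg_count:
                    findings.append(f"SE01 says {seg[1]} segments, counted {seg_count}")
            st = None
        elif st is not None:                        # body segment of a transaction set
            seg_count += 1
            if tag == "PO1":
                po1_count += 1
            elif tag == "CTT" and int(seg[1]) != po1_count:
                findings.append(f"CTT01 says {seg[1]} line items, counted {po1_count}")
    return findings


def inject_line_item(raw: str, line_item: str) -> str:
    """Simulate tampering in transit: splice an extra PO1 in front of CTT
    without touching any count. Exists only to exercise the checks."""
    return raw.replace("CTT*", line_item + "~CTT*", 1)


if __name__ == "__main__":
    print("clean interchange:", audit_interchange(SAMPLE_850) or "no findings")
    tampered = inject_line_item(SAMPLE_850, "PO1*3*100*EA*9.99**VP*WIDGET-9")
    for finding in audit_interchange(tampered):
        print("tampered interchange:", finding)
```

The checks are deliberately structural: they say nothing about whether the purchase order is authorized or priced correctly, only whether what was received is exactly what the sender's envelope claims was sent. Hash totals (CTT02) and the authorization of the sender are the next controls an auditor would test, and they are outside this example.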
Data Definition Language
Data Definition Language (DDL) is used to define and manage the structure of the database. It includes commands like CREATE (for creating objects like tables), ALTER (for modifying objects), and DROP (for deleting objects).

Structured Query Language (SQL)
SQL is the most commonly used query language for relational databases. It provides a standardized way to communicate with a database and perform tasks like retrieving, updating, and managing data.

PHYSICAL DATABASE

Refers to the actual storage structure where data is stored on a physical storage medium such as disks or memory. It involves how data is organized, accessed, and stored on the underlying hardware. This includes details like file organization, indexing methods, data compression, and disk storage management.

DATABASE IN A DISTRIBUTED ENVIRONMENT

DISTRIBUTED DATABASES

PARTITIONED DATABASE
Data is divided or partitioned based on specific criteria (e.g., range of values, hashing algorithms, geographical location).

Imagine you have a very big library with lots of books. Instead of trying to fit all the books on one shelf, you decide to organize them into different sections. Each section has a specific type of book, like fiction, non-fiction, and so on. This way, it's easier to find the book you want because you know where to look.

REPLICATED DATABASE
The entire database or specific portions of it are duplicated across multiple nodes.

Now, let's say you have a really important notebook, and you make copies of it. You keep one copy at home, give another to your friend, and keep a third copy at your grandma's house. This way, if you lose one copy, you can still get the information from the other copies.

CONTROLLING AND AUDITING DATA MANAGEMENT SYSTEMS
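The formal and informal access methods, the query language and the DDL described above can be shown side by side in a few lines. The following is an added example written for these notes, not code from the course or from any accounting package: it uses Python's built-in sqlite3 module, a constructed two-table sales schema (product and sale, with invented rows), a POS-style formal function for the manager's "how many did we sell last month" question, and an ad hoc query session. SQLite has no user roles, so the DBMS-side restriction that a real database would express as a read-only grant is modelled here with the connection's authorizer hook; that substitution is the example's assumption.

```python
"""Formal vs informal database access, with the control each one relies on.

Added example; schema, products and sales figures are constructed for it.
"""
import re
import sqlite3

# DDL: CREATE defines the structure. ALTER and DROP would change or remove it.
SCHEMA_DDL = """
CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE sale (
    id         INTEGER PRIMARY KEY,
    product_id INTEGER NOT NULL REFERENCES product(id),
    sold_on    TEXT    NOT NULL,                 -- ISO date, e.g. 2024-01-15
    quantity   INTEGER NOT NULL CHECK (quantity > 0)
);
"""
PRODUCTS = [(1, "Widget"), (2, "Gadget")]
SALES = [(1, "2024-01-03", 10), (2, "2024-01-20", 4), (1, "2024-02-02", 7)]


def build_db() -> sqlite3.Connection:
    """Create the schema with DDL and load the constructed rows with DML."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_DDL)
    conn.executemany("INSERT INTO product VALUES (?, ?)", PRODUCTS)
    conn.executemany(
        "INSERT INTO sale (product_id, sold_on, quantity) VALUES (?, ?, ?)", SALES
    )
    conn.commit()
    return conn


# --- Formal application interface ------------------------------------------
# The POS-style path: the user chooses a fixed function and supplies a value.
# The control is that the value is bound as a parameter, never pasted into SQL.

def units_sold_in_month(conn: sqlite3.Connection, month: str) -> int:
    if not re.fullmatch(r"\d{4}-\d{2}", month):        # reject junk before the DBMS sees it
        raise ValueError(f"month must look like YYYY-MM, got {month!r}")
    sql = "SELECT COALESCE(SUM(quantity), 0) FROM sale WHERE substr(sold_on, 1, 7) = ?"
    return conn.execute(sql, (month,)).fetchone()[0]


def units_sold_in_month_unsafe(conn: sqlite3.Connection, month: str) -> int:
    """The same question with the value spliced into the statement text.
    A 'formal' interface written this way is no control at all: the caller can
    rewrite the query (try month = "2024-01' OR '1'='1")."""
    sql = f"SELECT COALESCE(SUM(quantity), 0) FROM sale WHERE substr(sold_on, 1, 7) = '{month}'"
    return conn.execute(sql).fetchone()[0]


# --- Informal (ad hoc) query path -------------------------------------------
# The user writes the SQL, so no application check applies; the DBMS must be
# the control. A real DBMS would use a read-only role or GRANT; sqlite has no
# roles, so the session's authorizer hook stands in for that grant here.

def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY            # INSERT/UPDATE/DELETE, DDL and PRAGMA are refused


def restrict_to_read_only(conn: sqlite3.Connection) -> None:
    conn.set_authorizer(read_only_authorizer)


def run_ad_hoc_query(conn: sqlite3.Connection, sql: str):
    """Return the result rows, or a refusal string when the DBMS rejects the statement."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:      # "not authorized" arrives as DatabaseError
        return f"refused by DBMS: {exc}"


if __name__ == "__main__":
    db = build_db()
    print("January units via the formal interface:", units_sold_in_month(db, "2024-01"))
    restrict_to_read_only(db)
    print(run_ad_hoc_query(db, "SELECT p.name, SUM(s.quantity) FROM sale s "
                               "JOIN product p ON p.id = s.product_id "
                               "WHERE s.sold_on LIKE '2024-01-%' GROUP BY p.name ORDER BY p.name"))
    print(run_ad_hoc_query(db, "DELETE FROM sale"))
```

The two halves show where the control lives in each access method: in the formal path it is the application's parameter binding (and the unsafe variant shows what is lost without it), in the informal path it is whatever the DBMS enforces on the session, which is exactly what an auditor needs to inspect when ad hoc query tools are in use.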
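For the partitioned and replicated databases above, the decisions that matter to an auditor are how a row's home is chosen (so that every node agrees where it lives) and how divergence between copies is detected (the currency-of-information point from the data management approaches list). The following is an added example, not from the notes: it places a constructed customer table by the three partition criteria the text names (range of values, hashing, geographical region), then replicates it to the three "notebook" locations and reconciles the copies with a canonical digest. Rows, node names and regions are invented.

```python
"""Partitioned and replicated placement, with a replica reconciliation check.

Added example; all customer rows, regions and node names are constructed.
"""
import bisect
import hashlib
import json
from collections import Counter
from copy import deepcopy

# Constructed customer table; 'region' stands in for the geographical criterion.
CUSTOMERS = [
    {"id": 1001, "region": "MNL", "balance": 250.0},
    {"id": 1002, "region": "CEB", "balance": 80.0},
    {"id": 2003, "region": "MNL", "balance": 0.0},
    {"id": 3004, "region": "DVO", "balance": 1200.0},
    {"id": 3005, "region": "CEB", "balance": 45.5},
]


# --- Partitioned database: each row lives in exactly one place ---------------

def partition_by_range(row: dict, upper_bounds: list[int]) -> int:
    """Range criterion: upper_bounds=[2000, 3000] gives partition 0 for id < 2000,
    partition 1 for 2000 <= id < 3000 and partition 2 for the rest."""
    return bisect.bisect_right(upper_bounds, row["id"])


def partition_by_hash(row: dict, n_partitions: int) -> int:
    """Hash criterion: a stable digest of the key, so every node that routes a
    query computes the same partition (Python's hash() would not be stable)."""
    digest = hashlib.sha256(str(row["id"]).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_partitions


def partition_by_region(row: dict) -> str:
    """Geographical criterion: the row stays with the site that serves it."""
    return row["region"]


def place_partitioned(rows: list[dict], chooser) -> dict:
    """Return {partition: [rows]}; the union of the partitions is the whole table
    and no row appears twice, which is what makes the scheme 'partitioned'."""
    placed: dict = {}
    for row in rows:
        placed.setdefault(chooser(row), []).append(row)
    return placed


# --- Replicated database: every node holds a full copy -------------------------

def replicate(rows: list[dict], nodes: list[str]) -> dict[str, list[dict]]:
    return {node: deepcopy(rows) for node in nodes}


def replica_digest(rows: list[dict]) -> str:
    """Canonical form (sorted by key, stable JSON) so two copies with the same
    contents hash identically regardless of the row order on each node."""
    canonical = json.dumps(sorted(rows, key=lambda r: r["id"]), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def find_stale_replicas(replicas: dict[str, list[dict]]) -> list[str]:
    """Currency check: nodes whose copy disagrees with the majority of copies.
    A write that reached only one node shows up here as that node being odd one out."""
    digests = {node: replica_digest(rows) for node, rows in replicas.items()}
    majority, _ = Counter(digests.values()).most_common(1)[0]
    return sorted(node for node, d in digests.items() if d != majority)


if __name__ == "__main__":
    by_range = place_partitioned(CUSTOMERS, lambda r: partition_by_range(r, [2000, 3000]))
    print("range partitions:", {k: [r["id"] for r in v] for k, v in by_range.items()})
    by_region = place_partitioned(CUSTOMERS, partition_by_region)
    print("region partitions:", {k: [r["id"] for r in v] for k, v in by_region.items()})
    copies = replicate(CUSTOMERS, ["home", "friend", "grandma"])
    copies["friend"][0]["balance"] = 999.0       # an update that reached one copy only
    print("stale replicas:", find_stale_replicas(copies))
```

Majority voting is enough for a demonstration with three copies; with two copies, or with a write that reached a majority of nodes but not all, the check can only report disagreement and a separate source of truth (a transaction log or the primary site) is needed to decide which copy is current.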