Summary

This document appears to be course notes or study material for a class called MGT422, focusing on information systems and controls, including elements related to accounting, business, and finance.

Full Transcript


Class 1: Accounting Information Systems and IT Controls

CAATOE (the control objectives)
- Completeness
- Accuracy
- Timeliness
- Authorization
- Occurrence
- Efficiency: compute information faster, cost-effectively and scalably

Components of an AIS (SIPPII). An information system is a system for collecting, storing and processing financial and accounting data that is used by decision makers.
- Infrastructure
  o LAN
  o WAN
  o Wireless network
  o Hardware
  o Real estate
- Software
  o System software
  o Application software
- People
  o CIO
  o System operations
  o Management
  o Users

What are IT controls?
- Security measures and procedures put in place so that information is secure

Why are IT controls important?
- Reliable output
- Risk of theft and fraud
- Security of information
- Effective decision making

Purpose of an AIS
- Collect and store data about organizational activities, resources and personnel
- Transform data into information so management can plan, execute, control and evaluate activities, resources and personnel
- Enable management decision making
- Provide adequate controls to safeguard the organization's assets and data

Processing modes
- Online input, online update: transferring money to an account in real time
- Online input, batch update: paying your credit card from a bank account. You see the money go out, but it takes a while to make the impact
- Batch input, periodic update: writing a cheque and giving it to someone who deposits it. It takes time for the transaction to take effect, even after the cheque is deposited

A database is a collection of files used in related applications and can be shared by related applications.
Databases require a database management system (DBMS).

DBMS pros
- Data redundancy is reduced
- Data independence
- Improved data accessibility
- Data is managed more centrally

DBMS cons
- Complex to set up and more costly
- Slower for processing high-volume periodic transaction updates

Class 2: Computer Processing
- When you use a computer, audit trails tend not to exist
- Computers may eliminate random errors but not systematic errors
- Incompatible functions may not be segregated
- Inappropriate access
- Increased management supervision
- Auditing IT controls is part of the audit of general-purpose financial statements, as controls affect the financial statements

Causes of IT-related issues
- Lack of testing
- Overload of access
- Lack of bandwidth
- Human error

Some sources of problems
- Hardware implementation
- Programming
- Abuse and misuse

Audit risk
- Risk that the audit opinion is wrong

Inherent risk (IR)
- Risk of error or of an undesirable financial event occurring
- Management cannot influence IR, but can mitigate it using control risk; auditors can influence detection risk

Control risk (CR)
- Risk of a control not being able to prevent or detect undesirable events
- Depends on organizational practice
- If CR is high, do not rely on controls; use substantive testing

Auditors' concerns (independence) (27:20)
- Internal auditors' concerns are closely aligned with management's: the numbers are correct
- External auditors' concerns are in line with management's but also tied to financial statement correctness and going concern, less to efficiency and profitability
IT's effect on inherent risk
- IT affects IR because it supports new ways of doing business, such as e-commerce
  o IR increases because external parties are responsible for entering transaction data
- IT can increase CR: fewer people, less segregation of duties, and internal controls that do not keep up with advances in technology
- IT can decrease risk: relying on the computer means fewer mistakes
- IT can increase DR: the audit trail is less visible and more complex, and systems are more integrated
- IT can decrease risk thanks to CAATs
- IT can increase audit risk when auditors are less competent in information systems and unable to perform the audit properly
- Overall, risk increases, due to less audit trail, less segregation of duties, open access and system complexity

Control risk: the risk that the internal controls implemented will fail to prevent misstatement. A password that is easily cracked is a control risk.

Input risk
- Incorrect input
- Untimely or incomplete input
- Unauthorized transactions: someone else might be making the transactions for another person
- Lost audit trail

Processing risk (e.g. calculating grades and moving them from one system to another)
- Incomplete processing
- Inaccurate processing
- Undocumented processes: no breakdown of where the grades come from
- Untimely processing

Output risk
- Incomplete output
- Inaccurate output
- Unauthorized access to reports
- Untimely output, such as a late T4

Stored data risk
- Unauthorized access to data
- Unavailability of data
- Data loss

Other risks
- Viruses
- Hackers
- Disasters
- Computer crime
- Sabotage

Class 3: IT Governance and General Controls

IT strategy
- Must conform with the business strategy
- 3-year rolling period
- The beginning of IT governance
- Addresses infrastructure, software, information and people
- Procedures are not part of it
- Addresses the IP and I of the AIS
- Therefore procedures support IT strategy implementation, and thus could be needed before the IT strategy

IT governance
- The CIO is accountable: setting corporate policies and providing IT infrastructure
- Executives are responsible for participation, as they approve IT expenditure and IT projects
- The CIO needs to report to the CEO or the COO, not the CFO. The CFO focuses on the financial aspects, which might conflict with the CIO's goals: resources would be allocated to the finance and accounting function more than to the business areas and strategic initiatives

Internal controls
- Help mitigate risk
- Management is responsible for their design and implementation
- Two types of internal controls: preventive (risks we can avoid) and detective (find it as it is happening)

General controls
- IT controls that apply to more than one system
- Should be implemented before application controls
- Not every system has the same risk, so application controls are necessary
- Foundation for application controls: a strong network password makes the payroll password more reliable

Types of general controls
- Organizational controls
  o IT governance
  o Segregation of duties
    ▪ To ensure checks and balances that minimize errors
    ▪ Focus expertise for efficiency
    ▪ Deter fraud and improper practices
    ▪ Avoid concentration of power
    ▪ One way to do this is to separate the IT department from the business areas.
    ▪ Or separate development from operations, to prevent unauthorized or incorrect program changes
    ▪ Software change implementation and database administration should be separate functions, so the person who controls the programs has no access to the information; this helps prevent fraud and relies on access controls
  o Hiring practices
  o Policies and procedures
  o Management review, management supervision and independent review
- Network controls
- Computer operations controls
  o Use the operating system to specify resource allocation, constraints, and the types of transactions allowed
  o Maintain data file versions
  o Distribute output

Disaster prevention and recovery plan
- Purpose is to recover critical applications in the event of a system collapse
- Backup
- Environmental controls
  o Preventive
  o Detective
  o Corrective
- The plan should be kept offsite
  o Hot site: available within a day; has hardware, software and data; the most expensive
  o Warm site: has hardware but no software; typically available within days
  o Cold site: available in about a week; no hardware, software or data
- The plan should be tested, with results reviewed and approved by the appropriate level of management
- Tested annually
- Should have procedures and criteria for invoking the plan
- Distant from the production site

Auditing the disaster recovery plan: review backup procedures to ensure systems can be recovered in a timely manner
- Obtain and review the recovery plan for comprehensiveness
- Review the backup log for currency and offsite storage
- Visit the offsite location to look for any weaknesses
- Review any related contracts
- Review the results of any recovery tests that may have happened previously
- Assess the adequacy of data center protection (humidity, temperature, fire and flood); an expert may be required to check the effectiveness of these detectors

Conclusion
- General control weaknesses must be assessed in relation to their impact on application controls
- Weak general controls may still allow some application controls to be relied on
- The general controls that are relevant to the auditor are access controls, organizational controls and program change controls

Corporate governance: employed by the organization to select objectives, establish processes to achieve those objectives, and monitor performance
- IT governance: the processes by which the IT infrastructure supports and conforms with the business strategy

Lecture 4: System Development Controls

Why do we test the SDLC? It is part of general controls
- The reliability of a computer system is only as good as the change management controls surrounding its development
- Insufficient or inappropriate controls lead to errors in programming logic and, consequently, errors in output

What can go wrong with the SDLC of an accounting information system?
- Erroneous management decisions
- Unacceptable accounting policies
- Inaccurate bookkeeping
- Bookkeeping fraud
- Violation of legal statutes
- Business interruption

What can cause development issues? Causes of the above
- Inadequate user involvement
- Inadequate user testing: users need to be involved throughout development
- Poor communication
- Incompetent personnel
- Inadequate testing
- Outdated software
- Problems with the code itself

Source code: written by the programmer.

Escrow agreement: you enter an escrow agreement with a third party, who holds the escrow rights. This protects the provider and the user.
If the provider/developer goes out of business, the code is given to the purchaser.

Object code: the code run by computers (off the shelf).

Customized software
- Meets user needs
- Easier to change
- More expensive
- More likelihood of bugs
- You own the source code

Off-the-shelf software
- Cheaper
- Faster to implement
- May not meet needs
- Less likelihood of bugs

Web-based solutions (OneDrive, Google Docs)
Pros
- Backup, accessibility, easy to collaborate
- Only need an up-to-date browser
- No software to install
- Can be cheaper
- Storage offsite (no need to back up)
- Easy to collaborate
Cons
- Security, Wi-Fi based, risk of the system going down
- No internet connection means no access to data or processing
- Potential risk of hackers and of interception or tampering of data

SDLC feasibility studies
- Operational: how well can it be executed
- Technical: resources
- Financial: do you have the money
Recurring cost (maintenance fee) versus non-recurring cost (cost of setting up the system). Tangible: can be quantified in dollars. Intangible: cannot be quantified (e.g. employee satisfaction).

SDLC phases
- System architecture: includes general controls
- System design: expands the application controls
- Programming
- Testing
  ▪ Unit: testing one component of the system. This is done by the developer; it is OK for the developer to test their own code
  ▪ Integration/string: it is during integration testing that the independent tester comes in and does the testing.
    Here multiple components are tested by an independent party
  ▪ UAT: done at the end by the user to ensure the system is working as intended
  ▪ Stress: tests the stress and volume, i.e. how many transactions can be handled before the system crashes
- Policies and procedures
- Training
- Install production infrastructure
- Conversion and implementation
  ▪ The process by which the old system is converted into the new system, either manually or automated
  ▪ Parallel: old and new systems are used at the same time (expensive)
  ▪ Direct: the old system is discontinued on one day and the new system is used on the next (risky)
  ▪ Phased: part of the system is implemented over time (less risky)
  ▪ Pilot: use the new system in one location, ideally the smaller warehouse, but it will not be representative of the load
- Post-implementation
  ▪ Review what might have gone wrong with the process
  ▪ Ensure the new system is functioning as planned

System development controls
- Documented methodology (SDLC)
- Staff hiring policies
- Training
- Technical review and approval
- Management review and approval
- Audit participation
- Testing
- Post-implementation review
- Checklists
- Documentation

Controls in detail
- Segregation of duties: developers, testers and computer operators should be different people/groups
- Segregation of environments: development, test and production should be segregated (physically if possible) due to independence issues

Program change controls (controls relating to changes in programs)
- Prioritization
- Authorization
- Documentation
- Testing
- Segregation of environments
- Controlled implementation to production
- Back-out procedures

End-user development controls
- Applications or mini-applications developed by the users themselves
- Should have a policy for documentation, approval, testing and the types of systems that are allowed

Sample size guideline
- Automated controls: a sample size of 1
- Manual changes depend on annual frequency; the interval is not critical

Fraud triangle
- Incentive: financial or emotional force
- Opportunity: can execute without getting caught
- Rationalization: personal justification

Lecture 5: two cases (self-study lecture)

E-business infrastructure
- Web server and webmaster
- Firewall
  o Combination of hardware and software that restricts information flow
  o ISP (internet service provider)
  o Application server
  o Database server
  o Router that allows us to connect to the Internet
  o Web hosting software
  o Website management system to keep track of visits and user patterns
  o Network operating systems
  o The infrastructure needs to be protected

Inherent risk
- Increased due to the complexity of the systems required and the risk of hackers
Control risk
- Increased because some controls are performed by external parties
Detection risk
- Increased due to complexity and lack of audit trails

Risk implications
- Non-occurrence of transactions
- Incomplete processing
- Inaccurate processing
- Interception of transactions
- Inefficiency

E-business controls
- DRP
- Digital signature: authenticates the purchaser
- Edit checks: verify the potential validity of information
- Firewall
- Encryption
- Digital certificate: authenticates the vendor
- Online backup
- Recalculate transaction amounts behind the web server to nullify changes made by a hacker
- Redundant servers and communication lines

Auditing e-business controls
- Review the contract with the ISP
- Review the policies and procedures
- Review the configuration of the router and firewall to see if they follow the procedures
- Review the network layout and confirm it by inspecting hardware to assess stability

EDI (Electronic Data Interchange): popular before the internet
- Before the internet became popular, EDI would happen through a dedicated network or a network service provider
  o Rather than going to a vendor site to buy, EDI simply sends a batch of purchase orders, and the vendor can send invoices by EDI

Issues with EDI (CAATOE)
- Inaccurate
- Untimely
- Security issues and network problems possible
- Non-occurrence of transactions, or duplicates

Controls for EDI
- Acknowledgment of transfer completeness
- Batch totals
- Digital signatures
- EDI agreements with trading partners and customers
- Backup of the EDI files
- Testing of translation software

How to audit EDI
- Less substantive testing because of smaller inventory balances
- More control testing, due to the lack of a paper trail and reliance on electronic controls
- Review contracts
- Review access controls for the server
- Review logs for completeness and management review

Four components of EDI: translating, data mapping, network, support.

Electronic contracts have had the same legal effect as physical ones since October 2000.

PIPEDA (Personal Information Protection and Electronic Documents Act)
- Governs the collection, use and disclosure of personal information in a manner that balances the right to privacy of all individuals
- Requires each organization to designate a responsible officer

Principles
- Need a chief privacy officer
- Consent from the information provider and owner
- Identifying purpose: can only hold information for a business purpose
- Safeguarding by the organization holding the personal information
- Openness: posting the privacy policy on the website

The rise in technology means organizations can bypass and violate PIPEDA. Auditors must
- Review the data stores to see if the amount of information retained is excessive
- Review the applications that mine data to see if they violate policy

XBRL (Extensible Business Reporting Language)
- Issue: it is time-consuming to copy and paste financial information from a PDF for analysis, so XBRL is important
- It uses standardized tags to describe business information, making business information immediately reusable and interactive. The tagged data is extracted from the system and compiled so it can be sent.
As everyone uses this format, it makes things easier and more efficient
- Based on a taxonomy
- Filed centrally and internet-based, allowing easy flow of information between businesses

XBRL benefits
- Improved data analysis
- Reduced need for several spreadsheets to analyze data
- Can help increase the efficiency and value of an audit

Risks of XBRL
- Controls need to be in place to ensure the mapping remains correct
- If mapping tags are incorrect, the data analysis will be incorrect

XBRL controls
- Need to make sure the proper taxonomy is used
- Perform change management activities related to all aspects of XBRL
- The taxonomy has to be up to date
- Review and approval of the proper tagging elements, consistency of tags with the taxonomy used, and preparation of tagged data for inclusion in the financial statements

Auditing XBRL
- Users rely on these documents along with the financial statements
- Auditors must ensure that the tagging is right, as the taxonomy defines what the tags are
- Review the policies on how XBRL statements are generated at a point in time
- Review the procedures that describe how statements are generated on a real-time basis

Implications (WIR)
- Risk that the computer system fails
- Risk that the mapping was done incorrectly
- Fraud could be committed related to XBRL for the same reasons that fraud is committed in preparing financial statements
- Susceptible to hackers

Lecture 7: Application Controls

Case: programmers have access to the operational environment, so they can make changes that go into production and the system can crash. Obtain all the documentation needed, obtain the log of changes from the IT department, get a system-generated list, sample the changes, obtain the backup and make sure it is approved by the right level of management by inspecting the sign-off.
- Weakness: not all changes are communicated to users; lack of communication. Implication: disrupts systems and the workplace. Recommendation: adopt open communication and make it a priority
- Weakness: programmers are making changes in the production environment (segregation of environments). Implication: errors, system crashes, fraud. Recommendation: remove their access to the live production environment; separate users should have access to it
- Weakness: no testing done. Implication: the system does not work properly. Recommendation: regular testing needs to be done, and all changes have to be approved by management

Application controls: definition
- Application controls are built into an application, i.e. into specific computer programming (e.g. swiping a gym card)
- They can be manual or automated
- They can be preventive or detective in nature and are designed to ensure the integrity of the accounting records
- Application controls ensure that input, processing and output are complete, accurate, valid and authorized
  o Input: only complete, accurate and valid data are entered and updated in the computer system
  o Processing: authorized processing accomplishes the correct task, and the results meet expectations
  o Data is maintained and access is restricted; segregation of duties through passwords

Input: objectives of input in application controls
- All transactions are initially and completely recorded
- All transactions are accurately recorded in the system
- Each transaction is entered only once (this relates to occurrence in CAATOE)

Types of input controls
- Pre-numbered documents
- Sequence checks
- Programmed calculations
- Control total reconciliation (batch/hash totals)
- Document cancelling
- Activity logging
- Limit checks (credit card)
- Document scanning

Data validation / edit checks: examples of edit checks upon input of data
- Cannot enter a negative number; a field specified to hold a date
- Audit trail
- Format of dates (DD/MM/YY)

Other input controls
- User-friendly screens
- Automatic cursor movement
- Exception reporting and review: any exceptions are reported to management and reviewed before they are proceeded with

How to test input controls
- Test data
- Observation / control walkthrough
- Review the system documentation
- Review the audit trail of processed and rejected data; go back through the history and see if that person issued a cheque
- CAATs: e.g. test whether, if you approve a loan, the system approves it

Processing objectives (control objectives)
- Only approved transactions are accepted and processed
- All rejected transactions are reported, corrected and re-input
- All accepted transactions are actually processed
- All transactions are processed only once and are completely processed

Processing controls
- Segregation of duties
- Restricted access
- File labels (paid vs unpaid)
- Error logs
- Exception reports
- Manual cross-checks
- Programmed balancing (journal entries)
- Reasonableness tests
- Concurrent update controls

Tests of processing controls
- Test data
- Review of system documentation
- Review of the audit trail
- CAATs

Output objectives
- Assurance that the results of input and processing are output
- Output must be available only to authorized personnel

Output controls
- Complete audit trail
- Logs and output distribution logs
- Shredding

Tests of output controls
- Observation
- Review access controls
- Review the system documentation
- Ask the user (the payroll printer during a Blue Jays game)

Reliance on reports
- Auditors rely on controls as part of the combined approach
- A manual follow-up control relies on a report to highlight errors/anomalies
- An estimation process relies on a report to generate complete and accurate input data (receivables aging etc.)
- The auditor may perform substantive procedures on client-based records
- Selecting items for substantive testing requires the report to be complete
- Substantive analytical procedures use computer-generated reports
- If the data agrees with independent sources, the report is reliable

How can you test application controls?
- During the walkthrough, interview the key people responsible for using the application system
- Review the documentation
- Identify significant controls that tie into the business objectives/assertions. Some controls help with the completeness assertion, others with the accuracy assertion; you must check those
- Analyze the flow of the transaction through the systems
- Evaluate design effectiveness and implementation: would this control, if operating effectively, achieve the control objective?
- Consider general control testing results
- Determine the test strategy and frequency
- Execute the tests and evaluate the results

MCQs
- In a system that records all receivables for a company, the receivables are batched and posted on a daily basis. Which of the following would ensure that receivable balances are unaltered between postings? Compare the total receivables before posting with the total after posting.
- Sales orders are automatically numbered in sequence at each of a retailer's outlets. Small orders are processed directly at the outlets, with large orders sent to a central production facility. Have the data transmitted back to the local site for comparison.
- Which of the following is used to ensure that invoice data is completely and accurately transferred between two systems? Check for duplicate entries (duplicate entries address occurrence).
- A common method of proving the accuracy of a system's tax calculation is preparing simulated transactions for processing and comparing the results to predetermined results. We do not want to manually recalculate, as that is the other way around and more time-consuming; using simulated transactions and comparing to predetermined results makes things easier.
- A company uses ADP to process its weekly payroll. Time sheets and payroll adjustment forms are delivered to ADP, who prepares the payroll report. The best application control to ensure payroll data was received and processed accurately by ADP is: the ADP payroll report must be compared to the employee timesheets. Comparing it to input or output forms is too late in the process, which could then be an issue.

Lecture 8: Data Integrity

Access control objectives
- Integrity
- Availability
- Confidentiality

The access control process
- Identification: each user is given a unique ID to access the system
- Authentication: the user is authenticated on the system through a combination of user ID and strong password
- Authorization: users are authorized to access certain privileges based on authorization from management
- Logging and monitoring: user activity is logged and monitored, and logs are retained for investigation purposes

Information security layers
1) Network: firewalls
2) Platform: antivirus
3) Application: secure coding and security specifications
4) Data: encryption and enterprise rights management; highest risk due to human error
5) Response: monitoring, intrusion detection and remediation

General access controls
- Apply to a multitude of systems
- Can be a policy, a set of standards or a system control
- Crucial to the external audit, as they affect organizational controls and program change controls
- Include passwords, encryption, physical security, security education, privacy policy and information security policy

Passwords
- Should not be shared, and should be changed by the user frequently
- 8 characters
- Must include special characters
- After a certain number of failed attempts the password can't be used
- Previous passwords cannot be reused
- 8-character passwords are harder to crack

Password cracking methods
- Random trials: haphazard, low chance
- Dictionary attack (not common names)
- Brute force: trying every possible combination
- Systematic deduction: e.g. try a name followed by months

Two-factor authentication
- Used to compensate for the inherent weaknesses of passwords, such as guessing and hacking
- Uses what the user has and what the user knows

Biometrics
- Fingerprints, but they are held back due to privacy concerns
- Not recognized legally in place of a signature

Application access controls
- Apply to a specific system
- Can be procedural or automated
- Support management or independent controls
- An example is a password
- Passwords
- Access control lists (ACLs) to restrict functions in an application: only payroll people can process pay raises. ACLs can be applied to individual users
- Encryption
- Procedures
- Monitoring
- Support segregation of duties

Platform (operating system) security
- Use a standard checklist for configuration
- Lock down workstations to prevent employees from installing unauthorized software
- Use scanning software to detect vulnerabilities before implementation
- Use automated patching tools to install security fixes; manual ones can be prone to viruses
- Server profile to determine password length

Firewall
- Can be hardware like a router, or a server with sophisticated software
- Can use AI to check for patterns
- Every organization with a website should have a firewall to protect its internal network from hackers and intruders
- Blocks traffic that would be unacceptable
- Should not be remotely administrable; logs should be reviewed frequently to avoid the log getting full, and reviewing them allows intrusions to get caught quickly

Virus protection
- Internet email scanned
- Critical servers protected
- Block common virus types
- Spyware: software that gathers information about a person and their organization and sends it to another entity
- Trojan: the user is tricked into installing it; it hides in the computer to be released later
- Computer virus: inserts a copy of itself into a program and becomes part of it; like a virus, it spreads
- Need a specialist to help you figure it out

VPN
- Secure remote access to company systems by staff or contractors
- Should require two-factor authentication
- Encrypts the data as well

Intrusion detection system (IDS)
- Screens traffic that passes the firewall to build patterns
- Alerts security administration of questionable or unacceptable patterns
- The administrator can then decide, with management guidance if significant, to place a firewall rule to block further traffic of this pattern. The IDS sits after the firewall: before the firewall it would alert the user on everything, so after the firewall is better

Intrusion prevention system (IPS)
- Screens traffic that passes the firewall to build patterns
- Rejects highly questionable or unacceptable traffic
- More effective than firewalls but may have false positives; deployed to protect highly sensitive servers
- Pre-emptively blocks traffic even if it may not be a threat; should run firewall + IPS + IDS

Data encryption
- Uses math to scramble data
- Uses a key and an algorithm
- Symmetric key: one common key to encrypt and decrypt (WhatsApp)
- Asymmetric keys: not the same key; the public key is used to send data encrypted, and the private key is needed to decrypt it
- Can prevent sniffing (interception of data transmissions)

Symmetric key encryption
- The same key is used to encrypt and decrypt
- Simple to encrypt and decrypt
- A large number of keys is required for one-on-one secret communication
- The number of keys for N people would be N(N-1)/2
- Need to secure the key
  o If an unauthorized person takes the key, they can read the data

Asymmetric encryption
- A pair of keys is generated by a user: a private key and a public key
- The public key can be disclosed since it only encrypts the data.
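As an added example (not from the course notes), the following Python block, using only the standard library, shows the points made in this encryption section and the digital-signature steps that follow it: the pairwise key count N(N-1)/2 for symmetric keys against one key pair per person for asymmetric keys, encryption with a public key and decryption with the private key, and hashing a document, signing the hash and verifying it. It uses textbook RSA with two fixed Mersenne primes chosen only so the arithmetic is visible and runs offline; real keys are far larger and use padding. In a standard signature scheme the signer's private key produces the signature and anyone holding the public key verifies it, and the block follows that convention.

```python
import hashlib

# Constructed key material for illustration only: two Mersenne primes (known primes,
# far smaller than any real key) so the block runs offline with no dependencies.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537  # common public exponent


def keys_needed(n_people: int) -> dict:
    """Key count from the notes: pairwise symmetric secrecy needs N(N-1)/2 keys,
    whereas with asymmetric encryption each person publishes one key pair."""
    return {"symmetric": n_people * (n_people - 1) // 2, "asymmetric_pairs": n_people}


def generate_keypair(p: int = P, q: int = Q, e: int = E):
    """Textbook RSA: the public key (n, e) may be disclosed; the private key (n, d) is kept secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; requires gcd(e, phi) == 1 (true for these primes)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can encrypt; only the private key can decrypt."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key size")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def document_hash(document: bytes, n: int) -> int:
    """Sender and recipient hash the document with the same algorithm. The SHA-256
    digest is reduced mod n only because this toy modulus is smaller than 256 bits."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(private_key, document: bytes) -> int:
    """The signer applies the private key to the hash; that value is the digital signature."""
    n, d = private_key
    return pow(document_hash(document, n), d, n)


def verify(public_key, document: bytes, signature: int) -> bool:
    """The recipient recovers the hash from the signature with the public key and compares
    it to a fresh hash of the received document: a match confirms origin and integrity."""
    n, e = public_key
    return pow(signature, e, n) == document_hash(document, n)


if __name__ == "__main__":
    public, private = generate_keypair()
    print(keys_needed(10))                      # {'symmetric': 45, 'asymmetric_pairs': 10}
    secret = encrypt(public, b"PAY 1250.00")
    print(decrypt(private, secret))             # b'PAY 1250.00'
    po = b"PO 1001: 10 units at 25.00"
    sig = sign(private, po)
    print(verify(public, po, sig))              # True
    print(verify(public, po.replace(b"10 units", b"100 units"), sig))  # False
```

The last line is the integrity check the notes describe: altering one figure in the purchase order changes its hash, so the hash recovered from the signature no longer matches and verification fails.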
The private key is secured as it decrypts the data Application of encryption - VPN - Email - Stored Data - Digital Signature – authenticity, integirty and identification of the user - WIreless Network Encryption and Public Key Infrastructure - Digital Signature: these are done by the customer o Digital code atached to an electornic message that is used to verify the origin and contents of the message o Electornic signature that can be used to authenticate the idenetity of the sender or the signer of the docuemnt and to ensure the original content of the message sent is unchanged - Sender uses algorithm to compute a has (garbled digest – document encryptison of the document - Sender uses public key to encrypt the hash - Recipeinet uses same algorithm to has the plain text document when recieved - Recipient uses the ptivate key to decrypt the digigital signature and comparet he hash the reciepeint created , to confirm integrity. Digital Certificate: typically done by vendors - Data files used to establish the idenity of users and electornic assets for proteciton on online trasactions - Cant send something and then deny it ( cerificate cerifies it and later you cannot deny what you did) - What does certificate of authority do as they are one who issue it ? - They are responsible for the destruction of the key and verify wheter the key exists. THey verify the keys too - You can be your own certificate authority as long as you can demonstrate segragation of dutiesand can verify it - Public Key Infrastructure - Set of policy, procedures and servers used to operate a public key environment - There is a pubkick key servers that hold all public key that use encryption - There are servers used to authenticate users that activate private keys Depository needs to be where the keys are stored How to dispose of encryption key? 
- Crypto-shredding is used to destroy the key, and the certificate authority needs to be contacted to destroy the key

Limitations of Encryption
- If the key is lost, data cannot be decrypted
- Rogue parties can delete the encrypted file without knowing the key; therefore the access control list is important
- Encrypted email attachments are generally deleted by anti-virus programs

Wireless encryption
- Use of 128- or 256-bit symmetric keys that change with every packet of data
- Static 128-bit key for encrypting the challenge-response text to authenticate the user computer

Perks of encryption
- Secrecy
- Length of the key
- Rigor of the algorithm

Cookies
- Useful to websites and users to remember info about users
- Remember the account number
- Must not be used to remember passwords
- Privacy concerns as they can track behavior

Web Application Security
- Input validation: web applications implement controls to ensure that the input is valid
- Web applications expect valid input, that is, input of the correct length, right type, etc.
- Developers often insert edit checks that are executed on the client side
- However, end users can always modify those checks
- Developers should implement edit checks on the server side

Test Access Controls
- Review policies and procedures
- Review and test user profiles, access control lists and system configuration
- Review position of firewalls, intrusion detection systems, and anti-virus software
- Review configuration of security software and hardware, including firewalls, intrusion detection systems us

Lecture 9: Data Analytics and the Audit
- Data life cycle:
  Data collection: collect the data
  Data processing: the auditors prepare the data for use
  Data usage: ADA is performed and the test results documented
  Data maintenance: the audit file, including the data, is kept in storage
  Data deletion: when appropriate, the data is deleted

What is the problem?
- Data is messy and needs to be compiled and filtered to make it easier to understand
- Data needs to be extracted and validated with vendors and with employees
- Look at phantom employees and phantom vendors: take the vendor master file and then look at the employee master file, and fuzzy search to see if there is a match (like an address or bank account)
- Clean data and filter data, and change formats

Types of Analytics
Descriptive analytics: used to understand past data
Diagnostic analytics: understand why something has happened
Predictive analytics: make predictions about the future considering a variety of scenarios
Prescriptive analytics: examine a variety of solutions to determine the best outcome

Data visualization
Data visualization has become more useful now than in the past
Clustering is grouping items, and statistical techniques would be the use of regression (substantive analytics)
Visualization: information presented visually
Matching: searching for what should or should not match (phantom vendor)
Clustering: grouping items with similar characteristics
Statistical techniques: regression analysis
Avoid psychological biases like overconfidence, anchoring, gambler's fallacy and confirmation bias
Data analytics can be applied to the auditing function to increase coverage of the audit, while reducing the time dedicated to the audit task
Audit data analytics can help with the nature, extent and timing (evidence) of audit procedures

Data preparation
- Is the format appropriate?
- Missing data?
- Duplicate data?
- Data is consistent
- Agree to general ledger

When can ADA be used in the audit?
- Risk assessment: risk assessment procedures
- Risk response: tests of controls, substantive analytical procedures, tests of details
- Audit completion: procedures to help form a conclusion

Risk Assessment
- Analyze the general ledger for unusual transactions
- Create visualizations of ratio analysis
- Perform a quantity and price analysis for sales
- Analyze changes to accounts receivable to assess the risk of material misstatement
- Perform trend analysis

Substantive Testing ADA
- Perform non-statistical and statistical models to predict revenue
- Identify and isolate unusual items such as credits to A/R
- Test net realizable value of inventory
- Identify credit notes issued after year end (sales are made through the year but then removed)
- Identify payments after year end; this violates the cutoff and occurrence assertions, so auditors look after year end

Plan the ADA
1) Access and prepare the data
2) Assess the data relevance and reliability
3) Perform ADA
4) Evaluate the results

Objectives of ADA
- Segregation of duties: to test whether the internal controls are operating effectively
- Duplicate payments of invoices
- Phantom employees and vendors
- Collect evidence that you are following regulation and policies and procedures
- Test account balances to tie them to the financial statements

3 types of CAAT
1) General audit software
   a. Excel
   b. Power BI
2) Integrated test facility
   a. Set up at the client organization, where we run test transactions through the test unit, subject to all controls
   b. Very important if you have all-electronic audit evidence
   c. Can't use it for substantive testing since we are using dummy variables
3) Embedded audit modules
   a.
Control function for auditors to do real-time sampling, called continuous auditing as all transactions are subject to control functions

Functions of GAS CAAT
- File import
- Recalculation
- Joining tables
- Gap analysis (current performance to target performance)

GAS Application
Bank
- Deposits: check withdrawals from bank
- Loans: verify calculation
- Credit card: verify service charge
For revenue
- Sales: selecting a sample to vouch
- Receivables: aging
- Cost of sales: cross-referencing to inventory changes
- Commissions: verifying calculation
Expenses
- Purchases: checking to warehouse receipts indicated in the data file
- Inventory: lower of cost and NRV
- Expense analytical review
- Payroll: verify calculations
General Ledger
- Journal entries: verify debits and credits
- Consolidation: check calculation
- Suspense items: aging
- GL number change: sampling for vouching to management authorization

Risks of CAAT
- Using CAAT: unauthorized changes and testing; inaccurate or incomplete data
- Not using CAAT: audit risk increases; a court may find the auditor negligent

Benford's Law
- The first digit of a financial number like an expense or a population is most likely 1 and least likely to be 9. Having 0 would be odd.

Lecture 10: Special Reports and Other Assurance Engagements
- Outsourcing: taking some sort of process like payroll, or outsourcing some part of the supply chain. Big takeaway: an assurance engagement lets auditors conclude the controls are effective enough that working with the provider won't be an issue

Issues with outsourcing?
- Risk and accountability are not outsourced with the services; this means that the firm is still liable if there is an issue
- Risk increases as the org.
receiving the service has less direct control (agency control issues)
- Control risk will further increase if the service provider in turn outsources (4th party)
- Many controls are impractical to duplicate or compensate for with in-house procedures; it is hard to replicate these controls

Mitigate risk of outsourcing
- Have a clause in the contract to cancel the payment
- In-person review of the processes, and building their judgment
- Audit them directly
- Look at the market directly; other third parties exist; ask for a service audit report (CSAE)

Service organization: the org that's providing a service (payroll)
User organization: the company that is receiving the related service
Service auditor: auditing the payroll of the service organization, or that service
User auditor: those auditing the user organization (EY or Deloitte)

How can external auditors get comfort over controls at the service org?
- Modify contract terms
- Arrange a visit to the service provider to test their controls
- Rely on the service provider's auditor report: type 1 (point in time) or type 2 report (over time)
- Rely on the service provider's audit report
- Do a substantive audit
- Look for compensating controls within the client that has outsourced (like backup security check, risk assessment)

Audit considerations of outsourcing
- CAS 402 allows auditors to rely on a control assurance report prepared by the service provider's independent auditor, in accordance with CSAE 3416, which is equivalent to SOC 1 and SOC 2 (inclusive and carve-out method)
Financial auditor
SOC 1: control assurance over financial reporting
SOC 2: data security and privacy controls
Test of design: point in time; test of implementation, sample of 1, termination
Control operating effectiveness: period of time; looking at historical data for the period in question, taking a population sample, getting the list and seeing if the controls are meeting the control objectives

Attestation engagement
- Management provides a report and information, and the auditor looks at them
and verifies them in line with criteria based on the assertions

Preparation of Control Assurance Report by Service Auditor
Management provides an assertion, system description, control objectives, and control descriptions
Auditor audits the assertion based on criteria: test of controls, test of the description of the system; provides a report on whether they have achieved it or not. Like a financial audit: if all of them fail, adverse; if some, qualified report
Service organization auditor provides an audit opinion on the correctness of the system description and the effectiveness of control procedures to support certain criteria. They are listed in the User Consideration section.
Service auditor should issue a qualified report if the control deficiency is significant and the objectives are not met
Sampling in test procedures: type 2, document the controls and procedures
In type 1: do not document the procedures; we document the controls

Deficiencies in Control Procedures
- Identify compensating controls; sometimes two weak controls can make a strong one if they both have the same objective
- Also, they need to correct the deficiency prior to year end
When the above are done, we can issue an unqualified opinion
5 audit procedures: inspection, inquiry, reperformance, inspect, external confirmation

Use of Control Assurance Report by User Auditor
When the user auditor receives the control assurance report, the auditor must
1) Review the audit opinion
2) Review the period that has been covered by the report
3) Review the control considerations
4) Review the control procedures that have been carried out to ensure that they meet the objectives
5) Review exceptions and their impact, along with whether compensating controls were there to eliminate the impact

Payment Card Industry Data Security Standard: developed by the PCI Security Council formed by major card issuers; this is like another assurance service
Standards include
1) Firewall
2) Vendor defaults and passwords
3) Stored data
4) Data in transit
5) Anti-virus software
6) Secure systems and applications
7) Restrict
access
8) Unique ID
9) Physical access
10) Track and monitor
11) Testing
12) Policy

SOC: developed by the AICPA
- SOC for service organization reports are designed to help service organizations that provide services to other entities build trust and confidence in the services performed and the controls related to those services, through a report by an independent CPA. Each type of SOC for service organization report is designed to help service organizations meet specific user needs

What is SOC 2: based on security (common controls), availability, integrity and confidentiality, to the scope of the report.

Drivers for SOC 2 / SOC 3 reports
- Complexity of the system
- Remoteness of the users and user organization
- Consequences of unreliability
- Frequent system failure

Users of SOC 2 reports
- Management
- Customers
- Trading partners
- Financial statement auditors

SOC 2 / SOC 3 Report
- Reports provide an opinion on management-asserted controls; they do not formally include the system description

How to get SOC 2
- Hire a CPA firm
- Criteria are established for optional principles such as privacy and availability and the mandatory principle (security), and managers then develop control activities

Difference between SOC 2 / SOC 3 and CSAE 3416
- Each stated criterion in the report must be met by controls to get an unqualified report for SOC 2 and SOC 3; SOC 2 is very strict
- CSAE 3416 is more flexible
- CSAE 3416 is more about whether it helps with assertions, and SOC 2/3 is for reliability
SOC 1 report documents service org controls that may be relevant to financial reporting
SOC 2 is a report based on the AICPA trust service criteria, mandatory (security) and optional (confidentiality, availability, processing integrity, privacy)
SOC 3 is similar to SOC 2 but it is publicly available
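Worked example for the digital-signature steps in the encryption notes above (added here; not from the course or its slides). It uses textbook RSA on a constructed toy key so it runs with the standard library only: the sender hashes the document and applies the private key to the hash, and the recipient recovers the hash with the public key and compares it with a fresh hash of the received text. Real systems add padding (PKCS#1 v1.5 or PSS) and use a vetted library; the 24-byte digest truncation is only there because the toy modulus is small.

```python
# Added example (not from the course notes): sign-then-verify with textbook RSA.
import hashlib

# Constructed toy key: p = 2^127-1 and q = 2^89-1 are both (Mersenne) primes.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q                              # modulus, about 216 bits
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def document_hash(document: bytes) -> int:
    """SHA-256 digest of the document as an integer; truncated to 24 bytes
    (192 bits) only so that it fits below the toy modulus N."""
    return int.from_bytes(hashlib.sha256(document).digest()[:24], "big")


def sign(document: bytes, private_exponent: int = D) -> int:
    """Sender side: hash the document, then apply the private key to the hash.
    The result is the digital signature sent along with the document."""
    return pow(document_hash(document), private_exponent, N)


def verify(document: bytes, signature: int, public_exponent: int = E) -> bool:
    """Recipient side: apply the public key to the signature to recover the
    sender's hash, hash the received document the same way, and compare.
    A mismatch means the document or the signature was altered in transit."""
    recovered = pow(signature, public_exponent, N)
    return recovered == document_hash(document)


if __name__ == "__main__":
    msg = b"Pay vendor 1234 CAD 5,000.00"        # constructed message
    sig = sign(msg)
    print("intact:", verify(msg, sig))                                   # True
    print("tampered:", verify(b"Pay vendor 1234 CAD 50,000.00", sig))   # False
```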
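Worked example for the phantom-vendor matching described under Lecture 9 (added here; not from the course or any audit tool). It normalizes bank account numbers and addresses so that differently formatted entries compare equal, then joins a constructed vendor master file against a constructed employee master file; the record layouts and column names are assumptions for the illustration.

```python
# Added example (not from the course notes): vendor-vs-employee master file match.
import re

# Constructed vendor master file (illustrative records, not real data)
VENDORS = [
    {"vendor_id": "V001", "address": "12 King St W, Toronto ON", "bank_account": "003-12345-6789012"},
    {"vendor_id": "V002", "address": "45 Queen Street East, Toronto ON", "bank_account": "004 55555 1122334"},
    {"vendor_id": "V003", "address": "9 Bay St, Toronto ON", "bank_account": "001-99999-0000001"},
]
# Constructed employee master file
EMPLOYEES = [
    {"emp_id": "E100", "address": "45 Queen St E, Toronto, ON", "bank_account": "00455555-1122334"},
    {"emp_id": "E101", "address": "7 Front St, Toronto ON", "bank_account": "002-11111-2222222"},
]
# Street-type and direction words folded to one spelling before comparing
ABBREV = {"street": "st", "east": "e", "west": "w", "north": "n", "south": "s",
          "avenue": "ave", "road": "rd"}


def norm_account(acct: str) -> str:
    """Digits only, so 004 55555 1122334 and 00455555-1122334 compare equal."""
    return re.sub(r"\D", "", acct)


def norm_address(addr: str) -> str:
    """Lowercase, drop punctuation, fold abbreviations, remove all spaces."""
    words = re.sub(r"[^a-z0-9]", " ", addr.lower()).split()
    return "".join(ABBREV.get(w, w) for w in words)


def phantom_vendor_matches(vendors, employees):
    """Return (vendor_id, emp_id, matched_field) for each vendor that shares a
    normalized bank account or address with an employee. A shared bank account
    is the stronger indicator, so it is reported in preference to the address."""
    by_acct = {norm_account(e["bank_account"]): e["emp_id"] for e in employees}
    by_addr = {norm_address(e["address"]): e["emp_id"] for e in employees}
    hits = []
    for v in vendors:
        acct = norm_account(v["bank_account"])
        addr = norm_address(v["address"])
        if acct in by_acct:
            hits.append((v["vendor_id"], by_acct[acct], "bank_account"))
        elif addr in by_addr:
            hits.append((v["vendor_id"], by_addr[addr], "address"))
    return hits


if __name__ == "__main__":
    for hit in phantom_vendor_matches(VENDORS, EMPLOYEES):
        print("review:", hit)      # ('V002', 'E100', 'bank_account')
```

Every hit is a lead for follow-up (vouching the vendor's invoices, confirming ownership of the account), not a conclusion on its own.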
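Worked example for the Benford's Law point in the CAAT notes above (added here; not from the course or any GAS product). It computes the leading-digit distribution of a constructed expense population, compares it with the expected share log10(1 + 1/d) for each digit, and flags digits that deviate beyond a tolerance; the tolerance and the sample are assumptions, and real tests need far larger populations than the twenty amounts used here.

```python
# Added example (not from the course notes): first-digit Benford test.
import math
from collections import Counter

# Constructed expense population; many amounts sit just under 10,000 so the
# digit 9 is over-represented compared with Benford's expected ~4.6%.
SAMPLE_EXPENSES = [120.50, 1850, 9950, 9875, 9990, 230, 1400, 3200, 9800, 9700,
                   45, 1100, 7600, 9999, 1250, 860, 9600, 2900, 1800, 9450]


def first_digit(amount):
    """Leading non-zero digit of |amount|, or None for a zero entry
    (a zero amount has no leading digit and is itself worth a look)."""
    s = f"{abs(amount):.10e}"          # e.g. '4.5600000000e+01'
    d = int(s[0])
    return d if d != 0 else None


def benford_expected(d: int) -> float:
    """Benford's expected share of leading digit d: log10(1 + 1/d)."""
    return math.log10(1 + 1 / d)


def benford_profile(amounts):
    """Return {digit: (observed_share, expected_share, deviation)} for 1..9."""
    digits = [fd for fd in map(first_digit, amounts) if fd is not None]
    counts = Counter(digits)
    n = len(digits)
    profile = {}
    for d in range(1, 10):
        observed = counts[d] / n if n else 0.0
        expected = benford_expected(d)
        profile[d] = (observed, expected, observed - expected)
    return profile


def flagged_digits(amounts, tolerance=0.10):
    """Digits whose observed share differs from Benford by more than tolerance;
    these are the strata an auditor would sample and vouch first."""
    return [d for d, (_, _, dev) in benford_profile(amounts).items()
            if abs(dev) > tolerance]


if __name__ == "__main__":
    for d, (obs, exp, dev) in benford_profile(SAMPLE_EXPENSES).items():
        print(f"digit {d}: observed {obs:.3f} expected {exp:.3f} deviation {dev:+.3f}")
    print("flagged:", flagged_digits(SAMPLE_EXPENSES))   # [9]
```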
