Tools And Techniques Used In Auditing IT PDF
Prof. Omar Almomani
Summary
This presentation covers tools and techniques in IT auditing, including productivity tools, system documentation, and computer-assisted audit techniques (CAATs). It details how these methods are used in operational reviews and highlights the difference between "Auditing Around the Computer" and "Auditing Through the Computer."
Full Transcript
TOOLS AND TECHNIQUES USED IN AUDITING IT
Prof. Omar Almomani

LEARNING OBJECTIVES
◾ Define auditor productivity tools and describe how they assist the audit process.
◾ Describe techniques used to document application systems, such as flowcharting, and how these techniques are developed to assist the audit process.
◾ Explain what Computer-Assisted Audit Techniques (CAATs) are and describe the role they play in the performance of audit work.
◾ Describe how CAATs are used to define sample size and select the sample.
◾ Describe the various CAATs used for reviewing applications, particularly the audit command language (ACL) audit software.
◾ Describe CAATs used when auditing application controls.
◾ Describe CAATs used in operational reviews.
◾ Differentiate between “Auditing Around the Computer” and “Auditing Through the Computer.”
◾ Describe computer forensics and sources to evaluate computer forensic tools and techniques.

TOOLS AND TECHNIQUES USED IN AUDITING IT
Tools and techniques used in IT audits include:
◾ Audit productivity tools
◾ System documentation techniques
◾ Computer-assisted audit techniques (CAATs)

AUDIT PRODUCTIVITY TOOLS
The core of the audit process is assessing internal controls to determine if they are effective or need improvement. However, many of the tasks associated with performing an audit, such as planning, testing, and documenting results, although necessary, take time away from performing the actual control assessment work. This is where auditor productivity tools come into play. Auditor productivity tools assist auditors in automating the necessary audit functions and integrating information gathered as part of the audit process.
Examples of audit functions that may be automated through auditor productivity tools include:
◾ Audit planning and tracking
◾ Documentation and presentations
◾ Communication
◾ Data management, electronic working papers, and groupware
◾ Resource management

AUDIT PLANNING AND TRACKING
Developing an audit universe with all of the potential audit areas within the organization, a risk assessment prioritizing these audit areas, an audit schedule, and a budget to track audit progress are some of the necessary tasks in any audit planning. Solutions such as spreadsheets, database software, and/or project management software can be used to document and plan audits, as well as track their current status. However, each of these solutions is standalone, as their integration may not even be possible. Because planning tasks are interdependent, auditor productivity software that integrates these planning and tracking tasks would provide quicker updates and ensure that all phases of planning are kept in sync. For example, the budget should provide sufficient costs to accomplish the audit schedule, or the audit schedule should not exceed the resources available.

DOCUMENTATION AND PRESENTATIONS
Tools, such as the Microsoft Office suite, provide features to facilitate the creation and presentation of documents. For example, spreadsheet data containing functional testing results can be incorporated into a report document with a few clicks of a mouse. These same data can then be copied to a presentation slide and also be linked, so that changes to the source documents will be reflected in any of the related documents. Software tools like these save time and ensure consistency and accuracy. Other tools include video conferencing and/or video capture software to provide presentations to collaborators worldwide and to document audit evidence, respectively.
COMMUNICATION
Because the auditor operates as part of a team, the need to share data as well as to communicate with other members of the group is important. Providing immediate access to current data, electronic messaging, and online review capabilities allows audit staff to quickly communicate and gather research information for audits and special projects. Auditors may occasionally need to operate from a host computer terminal. Therefore, it is necessary to have the required computer hardware, media hardware, protocol handlers, desired terminal software emulators, and high-speed wired or wireless connectivity at the audit site. Electronic connectivity not only allows auditors to communicate but also provides access for organization management personnel or audit clients to exchange information. Video conferencing capabilities are also an effective way to communicate. Video conferencing allows meetings to be conducted and members to participate worldwide. Some of the best video conferencing software includes Cisco WebEx Meeting Center.

DATA MANAGEMENT, ELECTRONIC WORKING PAPERS, AND GROUPWARE
Establishing electronic connectivity provides audit personnel with the capability to access and input data into a central data repository or knowledge base. The central data repository (e.g., database, etc.) can archive historical risk, audit schedule, and budget data that can be accessed electronically by all authorized users throughout the audit group, regardless of physical location. Database applications can be developed to automatically consolidate data input electronically from all audit functions. Groupware or collaborative software is a specialized tool or assembly of compatible tools that enables business teams to work faster, share more information, communicate more effectively, and perform a better job of completing tasks.
SYSTEM DOCUMENTATION TECHNIQUES TO UNDERSTAND APPLICATION SYSTEMS
Auditors typically ask organizations or clients for entity relationship diagrams (ERDs). If available, these ERDs are a great starting point for auditors, as they graphically represent the relationship between “entities” (or people, objects, places, concepts, events, etc.) within the information system (i.e., financial application system). Documentation of application systems is commonly performed using diagrams, tables, data flow diagrams, business process diagrams, flowcharts, etc. Data flow diagrams or DFDs, for instance, are process-oriented and use graphics or symbols to describe data transformation and how data flows throughout the organization.

DFD PAYROLL PROCESSING PROCEDURES. EXAMPLE
[Figure: data flow diagram of payroll processing procedures. Legend: squares or rectangles represent d… or destinations; arrows indicate flows of data; circles represent that a transformat…]

FLOWCHARTING AS AN AUDIT ANALYSIS TOOL
Auditors prepare flowcharts using standard symbols and techniques to represent application systems, workflows, or processes. Flowcharts developed during the application analysis phase of an audit engagement are most useful if they distinguish processing according to department, function, or company area. For an IT auditor, flowcharts represent a method for identifying and evaluating control strengths and weaknesses within a financial application system under examination.
[Figure: common flowchart symbols]

UNDERSTANDING HOW APPLICATIONS PROCESS DATA
The auditor should identify potential areas for testing, using familiar audit procedures, such as:
◾ Reviewing corporate documentation, including system documentation files, input preparation instructions, and user manuals
◾ Interviewing organization personnel, including users, systems analysts, and programmers
◾ Inspecting, comparing, and analyzing corporate records

IDENTIFYING DOCUMENTS AND THEIR FLOW THROUGH THE SYSTEM
To understand document flow, certain background information must be obtained through discussions with corporate officials, from previous audits or evaluations, or from system documentation files. Because this information may not be current or complete, it should be verified with the appropriate personnel (e.g., IT member, etc.). A user or member of the IT department staff may already have a document flow diagram or flowchart that shows the origin of data and how it flows to and from the application. If not available, auditors will have to develop document flow diagrams. The document flow diagram should include:
◾ Sources and source document(s), by title and identification number, with copies of the forms attached
◾ Point of origin for each source document
◾ Each operating unit or office through which data are processed
◾ Destination of each copy of the source document(s)
◾ Actions taken by each unit
◾ Controls over the transfer of source documents between units
◾ Recipients of computer outputs

DEFINING DATA ELEMENTS
The auditor must build a clear understanding of the data being recorded on the application for definition purposes.
DEVELOPING FLOWCHART DIAGRAMS
Inputs from which flowcharts are prepared should include copies of the following:
◾ All manually prepared source documents that affect application processing as well as corresponding coding sheets and instructions for data transcription
◾ Record layouts for all major computer input and output records, computer master files, and work files (such as update or file maintenance tapes and computation tapes)
◾ All major outputs produced by the application system
◾ Lists of standard codes, constants, and tables used by the application

EVALUATING THE QUALITY OF SYSTEM DOCUMENTATION
On the basis of user and IT staff inputs, as well as on the degree of difficulty experienced in constructing a flowchart, the auditor should be able to comment on the quality of system documentation. There are two basic questions to answer:
◾ Is the documentation accurate?
◾ Is the documentation complete?

ASSESSING CONTROLS OVER DOCUMENTS
Control points on the flowcharts should be identified and evaluated. By reviewing a diagram of this type, the auditor can determine whether controls have been used and, if so, highlight gaps, strengths, and weaknesses within the system. Identified controls, including automated and IT-dependent application controls, should be adequately designed and implemented in order to mitigate risks.

DETERMINING THE EFFECTIVENESS OF DATA PROCESSING
The audit staff should determine how effective data processing is by identifying problem areas, such as the ones below, in the processing cycle:
◾ Redundant processing of data or other forms of duplication
◾ Bottleneck points that delay or congest processing
◾ Points in the operating cycle at which clerks do not have enough time to review output reports and make corrections

EVALUATING THE ACCURACY, COMPLETENESS, AND USEFULNESS OF REPORTS
The audit staff should review key or major outputs (e.g., edit listings, error listings, control of hour listings, etc.) of the financial application system and determine if the outputs are accurate, complete, and useful as intended. The auditor should confirm the accuracy, completeness, and usefulness of the generated reports by interviewing appropriate users. One suitable technique might be the completion of a questionnaire or survey, perhaps conducted by e-mail, on user satisfaction with output reports.

EXAMPLE OF FLOWCHART AS AUDIT TOOL
[Figure: assessing control risk flowchart. Labels: UNDERSTANDING INTERNAL CONTROL, F1, THE MANAGEMENT INTEGRITY, F2, INVESTIGATION OF CONTROL PROCEDURES, F5]