BA 122.2 Exam 2024-2025 PDF
2024
Summary
This document is an excerpt from a past paper for a first-semester undergraduate course on IT audit and governance controls. It details the phases of an IT audit and various internal control objectives, principles, and models.
Full Transcript
AY 2024-2025 First Semester: BA 122.2 IT Audit and Governance Controls

L1-1. IT Audit
An IT audit is part of the audit procedures that the auditors perform that focuses on the computer-based aspects of an organization's information system; modern systems employ significant levels of technology.

Phases of an IT Audit

L1-2. Internal Control Objectives, Principles, and Models
Internal Control Objectives
1. To safeguard the assets of the entity
2. To ensure the accuracy and reliability of the accounting records and information
3. To promote efficiency in the entity's operations
4. To measure compliance with management's prescribed policies and procedures

Internal Control Principles
1. Management Responsibility
2. Methods of Data Processing
3. Limitations
   a. possibility of error
   b. circumvention
   c. management override
   d. changing conditions
4. Reasonable Assurance

Internal Control Model - The PDC Model
1. Preventive Controls
2. Detective Controls
3. Corrective Controls

Internal Control Model - COSO Internal Control Framework
1. Control Environment
2. Risk Assessment
3. Information and Communication
4. Monitoring
5. Control Activities

L1-3. Categories of Internal Control Activities

L2-1. IT Governance and Function
IT Governance
IT governance is a subset of corporate governance that focuses on the management and assessment of strategic IT resources. The key objectives of IT governance are:
1. To reduce risk, and
2. To ensure that investments in IT resources add value to the corporation.
Our focus in relation to IT Governance for this course will be on the following:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

Key IT Functions
Database Administration
Responsible for the security and integrity of the database.
Data Processing
The data processing group manages the computer resources used to perform the day-to-day processing of transactions.
It consists of the following functions: data control/data entry, computer operations, and the data library.
Systems Development and Maintenance
The information systems needs of users are met by two related functions: systems development and systems maintenance. The former group is responsible for analyzing user needs and for designing new systems to satisfy those needs. Once a new system has been designed and implemented, the systems maintenance group assumes responsibility for keeping it current with user needs.

Centralized IT Structure Issues
> Separate systems development and computer operations
> Separate database administration from other functions
> Separate new systems development from maintenance
Two potential control problems:
- Inadequate documentation
- Program fraud

Distributed IT Structure Issues
> Inefficient use of resources
> Destruction of audit trails
> Inadequate segregation of duties
> Hiring qualified professionals
> Lack of standards

Advantages of Distributed Data Processing
> Cost reductions
> Improved cost control
> Improved user satisfaction
> Backup flexibility

Controlling Distributed Data Processing
> Implement a corporate IT function
> Central testing of commercial software and hardware
> User services
> Standard-setting body
> Personnel review

Audit Objective and Procedures for the IT Structure
Audit Objective: to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment

Audit procedures for a centralized IT function:
- Review relevant documentation to determine if individuals or groups are performing incompatible functions.
- Review systems documentation and maintenance records for a sample of applications.
- Verify that computer operators do not have access to the operational details of a system's internal logic.
- Observe whether segregation policies are followed in practice.

Audit procedures for a distributed IT function:
- Review relevant documentation to determine if individuals or groups are performing incompatible functions.
- Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
- Verify that there are compensating controls if there are incompatible duties.
- Review systems documentation to verify that units are following corporate standards.

L2-2. The Computer Center
- Physical location
- Construction
- Access
- Air-conditioning
- Fire suppression
- Fault tolerance
Audit Objective: to verify that:
1. Physical security controls are adequate to reasonably protect the organization from physical exposures
2. Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center
Audit Procedures:
1. Test of physical construction
2. Test of fire detection system
3. Test of access controls
4. Test of parallel backups
5. Test of uninterruptible power supply
6. Test of insurance coverage

L2-3. Disaster Recovery Planning
Disaster Recovery Plan - Common Features
- Identify critical applications
- Create disaster recovery team
- Provide site backup
  ○ Mutual aid pact
  ○ Empty shell - cold site
  ○ ROC - hot site
  ○ Internally provided
- Specify backup and off-site storage procedures

Disaster Recovery Plan
Audit Objective: to verify that management's disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources
Audit Procedures:
1. Evaluate adequacy of site backup arrangement
2. Review the list of critical applications to ensure that it is complete
3. Verify that copies of updated critical applications and operating systems are stored off-site
4. Verify that critical data files are backed up
5. Verify that the types and quantities of items specified in the DRP exist in a secure location
6. Verify that members of the team are current employees and are aware of their assigned responsibilities

L2-4. Outsourced IT Function
Theory: Core Competency
Pros:
- Improved core business performance
- Improved IT performance
- Reduced IT cost
Cons:
- Failure to perform
- Vendor exploitation
- Outsourcing costs exceed benefits
- Reduced security
- Loss of strategic advantage

Outsourcing the IT Function
Audit Objective: to verify that the controls surrounding the IT function, regardless of who is performing them, are assessed and tested as to their design and operating effectiveness
Audit Procedures: Obtain a Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report (previously SAS 70 report)

Auditing Operating Systems and Networks

L3-1. Operating Systems
Auditing Operating Systems
The Operating System (OS) is the computer's control program. It allows users and their applications to share and access common computer resources (e.g., processors, main memory, databases, and printers). Because the OS is common to all users, the potential damage is greater as the computer facility's size increases.
OS Tasks and Objectives
Tasks:
- Translates high-level languages into the machine-level language that the computer can execute
- Allocates computer resources to users, workgroups, and applications
- Manages the tasks of job scheduling and multiprogramming
Control Objectives:
- The OS must protect itself from users
- The OS must protect users from each other
- The OS must protect users from themselves
- The OS must be protected from itself
- The OS must be protected from its environment

OS Security and Threats to Integrity
OS Security:
- Log-on procedure
- Access token
- Access control list
- Discretionary access privileges
Integrity Threats:
- Accidental threats (e.g., hardware failure, errors in user application programs)
- Intentional threats

Controlling Access Privileges
Control: User access privileges are assigned to individuals and to entire workgroups authorized to use the system.
Audit Objective: To verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy.
Audit Procedures:
- Review the organization's policies for separating incompatible functions and ensure that they promote reasonable security.
- Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions. The auditor should verify that individuals are granted access to data and programs based on their need to know.
- Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy.
- Review the users' permitted log-on times. Permission should be commensurate with the tasks being performed.

Password Control
Controls: Reusable passwords; One-time passwords.
Audit Objective: To ensure that the organization has an adequate and effective password policy for controlling access to the operating system.
Audit Procedures:
- Verify that all users are required to have passwords.
- Verify that new users are instructed in the use of passwords and the importance of password control.
- Review password control procedures to ensure that passwords are changed regularly.
- Review the password file to determine that weak passwords are identified and disallowed.
- Verify that the password file is encrypted and that the encryption key is properly secured.
- Assess the adequacy of password standards such as length and expiration interval.
- Review the account lockout policy and procedures.

Controlling Against Malicious and Destructive Programs
Controls:
- Purchase from reputable vendors
- Presence of policies pertaining to use of unauthorized software
- Inspect software for viruses
- Increase awareness regarding threats from malicious programs
- Routinely back up files
- Use anti-virus software
Audit Objective: To verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses.
Audit Procedures:
- Through interviews, determine that operations personnel have been educated about computer viruses and are aware of the risky computing practices that can introduce and spread viruses and other malicious programs.
- Verify that new software is tested on standalone workstations prior to being implemented on the host or network server.
- Verify that the current version of antiviral software is installed on the server and that upgrades are regularly downloaded to workstations.

System Audit Controls
Controls: Keystroke monitoring; Event monitoring.
The security objectives of audit trails are: detecting unauthorized access, reconstructing events, and promoting personal accountability.
Audit Objective: To ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede systems failures, and planning resource allocation.
Audit Procedures:
- Verify that the audit trail has been activated according to organization policy.
- Review unusual activities from the logs, such as unauthorized or terminated users, periods of inactivity, activity by specific user/group, log-on/log-off times, failed log-on attempts, and access to specific files/applications.
- Select a sample of security violation cases and evaluate their disposition to assess the effectiveness of the security group.

L3-2. Networks
Auditing Networks
Networks exist to provide user access to shared resources, but at the same time, the most important objective of any network is to control such access. That is why, for every productivity argument in favor of remote access, there is a security argument against it. Organizations constantly seek a balance between increased access and the associated business risks.

Network Security Risks
Intranet Risks:
- Interception of network messages
- Inappropriate access to the corporate database
- Reluctance to prosecute employees
Internet Risks:
- IP spoofing
- Denial of service attack (DoS)
  ○ SYN flood attack
  ○ Smurf attack
- Distributed denial of service attack (DDoS)

Controlling Networks
Controls:
- Firewalls
- Deep Packet Inspection (DPI)
- Encryption
- Digital Signatures and Certificates
- Message Sequence Numbering
- Message Transaction Log
- Request-Response
- Call-Back Devices
Audit Objective: To verify the security and integrity of financial transactions by determining that network controls (1) can prevent and detect illegal access, (2) will render useless any data that a perpetrator successfully captures, and (3) are sufficient to preserve the integrity and physical security of data connected to the network.
Audit Procedures:
- Review the adequacy of the firewall in achieving the proper balance between control and convenience based on the organization's business objectives and potential risks.
- Verify that an IPS with DPI is in place for organizations that are vulnerable to DDoS attacks, such as financial institutions.
- Review security procedures governing the administration of data encryption keys.
- Verify the encryption process by transmitting a test message and examining the contents.
- Review the message transaction logs to verify that all messages were received in their proper sequence.
- Test the operation of the call-back feature by placing an unauthorized call from outside the installation.

Advanced Encryption Standard (AES)
AES is a 128-bit encryption technique that has become a U.S. government standard for private key encryption.
Triple-DES Encryption
Triple DES provides considerably improved security over most single encryption techniques.
Public Key Encryption (see ppt)

L3-3. Electronic Data Interchange
Auditing Electronic Data Interchange
EDI is the intercompany exchange of computer-processable business information in standard format.
EDI Overview, EDI Using a VAN, EDI with an EFT Component (see ppt)

EDI Controls
Controls:
- Validate passwords and user ID codes
- Validate users or systems accessing databases
- Set up an audit trail
Audit Objectives: To determine that:
- all EDI transactions are authorized, validated, and in compliance with the trading partner agreement;
- no unauthorized organizations gain access to database records;
- authorized trading partners have access only to approved data;
- adequate controls are in place to ensure a complete audit trail of all EDI transactions.
Audit Procedures:
Test of Authorization and Validation Controls
  ○ Review agreements with the VAN facility to validate transactions and ensure that information regarding valid trading partners is complete and correct; and,
  ○ Examine the organization's valid trading partner file for accuracy and completeness.
Test of Access Controls
  ○ Determine that access to the valid vendor or customer file is limited to authorized employees only.
  ○ Reconcile the terms of the trading agreement against the trading partner's access privileges stated in the database authority table.
  ○ Simulate access by a sample of trading partners and attempt to violate access privileges.
Test of Audit Trail Controls
  ○ Verify that the EDI system produces a transaction log that tracks transactions through all stages of processing.

L3-4. PC-based Accounting Systems
Auditing PC-based Accounting Systems
PC accounting systems are used to replace manual systems. They are normally modular in design, which provides a certain degree of flexibility in tailoring systems to the specific needs of the users.
PC Accounting System Modules
PC Systems Risks:
- Weak access control
- Inadequate segregation of duties
- Risks of theft
- Weak backup procedures
- Virus infection

PC Systems Controls
Controls:
1. Multilevel password control
2. Anti-theft security locks
3. Establishment of formal backup procedures
4. Secure an online backup service
5. Use of effective antivirus software
Audit Objectives:
1. Verify that controls are in place to protect data, programs, and computers.
2. Verify that adequate supervision and operating procedures exist to compensate for lack of segregation between the duties.
3. Verify that backup procedures are in place.
4. Verify that systems selection and acquisition procedures produce applications that are high quality and protected from unauthorized changes.
5. Verify that the system is free from viruses and adequately protected.
Audit Procedures:
1. Observe that PCs are physically anchored.
2. Verify from organizational charts, job descriptions, and observation that programmers of accounting systems do not also operate those systems. In smaller organizational units where functional segregation is impractical, we should verify that there is adequate supervision over these tasks.
3. Confirm that reports of processed transactions, listings of updated accounts, and control totals are prepared, distributed, and reconciled by appropriate management at regular and timely intervals.
4. Determine that multilevel password control is used to limit access to data and applications and that the access authority granted is consistent with the employees' job descriptions.
5. Verify that the drives are removed and stored in a secure location when not in use.
6. Verify that backup procedures are being followed by comparing data values and dates on the backup disks to production files. If an online backup service is used, verify that the contract is current and adequate to meet the organization's needs.
7. Verify that commercial software packages were purchased from reputable vendors and are legal copies. Review the selection and acquisition procedures to ensure that end-user needs were fully considered and that the purchased software satisfies those needs.
8. Review the organization's policy for using antiviral software.

Auditing Database Systems

L4-1. Data Management Systems
Data Management Approaches
A. Flat-file Approach (see ppt)
- Associated with large, older legacy systems still in use today.
- Promotes a single-user view approach where end users own rather than share data files.
- Separate data sets for each user lead to data redundancy, which causes problems with:
  ○ Data storage: Commonly used data are duplicated multiple times within the organization.
  ○ Data updating: Changes must be made separately for each user. If updating fails, there is a problem of currency of information, with users having outdated information.
  ○ Task-data dependency: Users cannot obtain additional information as needs change.
B. Database Approach
- Access to the data resource is controlled by a database management system (DBMS).
- Centralizes the organization's data into a common database shared by the user community.
- All users have access to the data they need, which may overcome the flat-file problems:
  ○ Elimination of data storage problem: No data redundancy.
  ○ Elimination of data updating problem: A single update procedure eliminates the currency of information problem.
  ○ Elimination of task-data dependency problem: Users are only constrained by the legitimacy of their access needs.

L4-2. Key Elements of the Data Management Environment
DBMS (Database Management System) Features
- Program Development – Applications may be created by programmers and end users
- Backup and Recovery – Copies made during processing
- Database Usage Reporting – Captures statistics on database usage (who, when, etc.)
- Database Access – Authorizes access to sections of the database
- Data Definition Language – Used to define the database to the DBMS on three levels (views)

Database Views
Internal View / Physical View: Physical arrangement of records in the database. Describes the structures of data records, the linkage between files, and the physical arrangement and sequence of records in a file. Only one internal view.
Conceptual View / Logical View: Describes the entire database logically and abstractly rather than physically. Only one conceptual view.
External View / User View: The portion of the database each user views. There may be many distinct user views.
*check ppt for Overview of DBMS Operation

Data Manipulation Language (DML)
DML is the proprietary programming language that a particular DBMS uses to retrieve, process, and store data to/from the database. Entire user programs may be written in the DML, or selected DML commands can be inserted into universal programs, such as COBOL and FORTRAN. The use of standard language programs provides flexibility and independence.

Query Language
A query is an ad hoc access methodology for extracting information from a database. Users can access data via direct query, which requires no formal application programs. IBM's Structured Query Language (SQL) has emerged as the standard query language. The query feature enhances the ability to deal with problems that pop up but poses an important control issue.
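As an added illustration (not part of the course notes), the following Python sketch shows how three of the DBMS access controls listed later under L4-4, a user view (subschema), a database authorization table, and an inference control, gate ad hoc query access; the employee table, the principals and the MIN_GROUP_SIZE threshold are constructed values:

```python
import sqlite3

# Inference control parameter (constructed): an aggregate is released only when
# both the selected group and the rest of the table have at least this many rows,
# so no single employee's value can be read off from the result.
MIN_GROUP_SIZE = 3

# Views the DBA has defined for ad hoc users (constructed list).
USER_VIEWS = {"v_salary_by_dept"}


def build_db():
    """Constructed sample database: base table, a user view, and an authorization table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee(id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER);
        INSERT INTO employee VALUES
          (1,'Ana','Audit',52000), (2,'Ben','Audit',61000), (3,'Cal','Audit',58000),
          (4,'Dee','Audit',64000), (5,'Eli','Treasury',90000), (6,'Fay','IT',70000),
          (7,'Gus','IT',75000),   (8,'Hal','IT',72000);

        -- External view (subschema): the analyst's data domain excludes names.
        CREATE VIEW v_salary_by_dept AS SELECT dept, salary FROM employee;

        -- Database authorization table: rules limiting what each principal may do.
        CREATE TABLE authz(principal TEXT, obj TEXT, action TEXT);
        INSERT INTO authz VALUES
          ('analyst',  'v_salary_by_dept', 'AGGREGATE'),
          ('hr_admin', 'employee',         'SELECT');
    """)
    return con


def is_authorized(con, principal, obj, action):
    """Look the request up in the authorization table; no matching row means no access."""
    row = con.execute(
        "SELECT 1 FROM authz WHERE principal=? AND obj=? AND action=?",
        (principal, obj, action)).fetchone()
    return row is not None


def subschema_columns(con, view):
    """Column names a DBA-defined user view exposes (the user's data domain)."""
    if view not in USER_VIEWS:          # only DBA-defined view names are accepted
        raise ValueError(f"unknown user view: {view}")
    cur = con.execute(f"SELECT * FROM {view} LIMIT 0")
    return [d[0] for d in cur.description]


def dept_salary_stats(con, principal, dept):
    """Ad hoc aggregate through the subschema, gated by the authorization table
    and an inference control. Returns None when the aggregate would reveal an
    individual's value."""
    if not is_authorized(con, principal, "v_salary_by_dept", "AGGREGATE"):
        raise PermissionError(f"{principal} may not aggregate v_salary_by_dept")
    total = con.execute("SELECT COUNT(*) FROM v_salary_by_dept").fetchone()[0]
    n, avg = con.execute(
        "SELECT COUNT(*), AVG(salary) FROM v_salary_by_dept WHERE dept=?",
        (dept,)).fetchone()
    # Query-set-size check on the group and on its complement: a one-row group
    # (or a group of all-but-one rows) would let the querier infer one salary.
    if n < MIN_GROUP_SIZE or total - n < MIN_GROUP_SIZE:
        return None
    return {"dept": dept, "count": n, "avg_salary": round(avg)}


if __name__ == "__main__":
    db = build_db()
    print(subschema_columns(db, "v_salary_by_dept"))
    for d in ("Audit", "IT", "Treasury"):
        print(d, dept_salary_stats(db, "analyst", d))
```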
The organization must ensure it is not used for unauthorized database access.

Functions of the Database Administrator (DBA)
Database planning:
- Develop the organization's database strategy
- Define the database environment
- Define data requirements
- Develop the data dictionary
Design:
- Logical database (schema)
- External users' views (subschemas)
- Internal view of the database
- Database controls
Implementation:
- Determine access policy
- Implement security controls
- Specify test procedures
- Establish programming standards
Operation and Maintenance:
- Evaluate database performance
- Reorganize the database as user needs demand
- Review standards and procedures
Change and growth:
- Plan for change and growth
- Evaluate new technology
Organizational Interaction of DBA

The Physical Database
- Lowest level and the only one in physical form.
- Magnetic spots on metallic coated disks that create a logical collection of files and records.
- Data structures are the bricks and mortar of the database.
  ○ Allow records to be located, stored, and retrieved.
  ○ Two components: organization and access methods.
- The organization of a file refers to the way records are physically arranged on the storage device - either sequential or random.
- Access methods are programs used to locate records and to navigate through the database.

Database Terminologies
- Entity – Anything an organization wants to capture data about.
- Record Type – Physical database representation of an entity.
- Occurrence – The number of records represented by a particular record type.
- Attributes – Define entities with values that vary (i.e., each employee has a different name).
- Database – Set of record types that an organization needs to support its business processes.
- Associations (see ppt) – Record types that constitute a database exist in relation to other record types. Three basic record associations:
  ○ One-to-one – For every occurrence of Record Type X there is one (or zero) of Record Type Y.
  ○ One-to-many – For every occurrence of Record Type X, there are zero, one or many occurrences of Record Type Y.
  ○ Many-to-many – For every occurrence of Record Types X and Y, there are zero, one or many occurrences of Record Types Y and X, respectively.

Hierarchical Model
- Basis of the earliest DBMSs and still in use today.
- Sets that describe the relationship between two linked files.
  ○ Each set contains a parent and a child.
  ○ Files at the same level with the same parent are siblings.
  ○ Tree structure with the highest level in the tree being the root segment and the lowest file in a branch the leaf.
- Also called a navigational database.
- The usefulness of the model is limited because no child record can have more than one parent, which leads to data redundancy.

Network Data Model

Relational Model
- The difference between this and navigational models is the way data associations are represented to the user.
  ○ The relational model portrays data in two-dimensional tables with attributes across the top forming columns.
  ○ Intersecting columns form rows, which are tuples: normalized arrays of data similar to records in a flat-file system.
- Relations are formed by an attribute common to both tables in the relation.
Data Integration in the Relational Model (see ppt)

L4-3. Databases in a Distributed Environment
Centralized Databases in a Distributed Environment
- Data are retained in a central location. Remote IT units send requests to the central site, which processes the requests and transmits data back to the requesting IT units.
  ○ Actual processing is performed at the remote IT unit.
- The objective of the database approach is to maintain data currency, which can be challenging.
  ○ During processing, account balances pass through a state of temporary inconsistency where values are incorrect.
  ○ Database lockout procedures prevent multiple simultaneous access to data, preventing potential corruption.
Distributed Databases: Partitioned Databases
- Splits the central database into segments distributed to their primary users.
- Advantages:
  ○ Users' control is increased by having data stored at local sites.
  ○ Improved transaction processing response time.
  ○ The volume of data transmitted between IT units is reduced.
  ○ Reduces potential data loss from a disaster.
- Works best for organizations that require minimal data sharing among units.
Distributed Databases: Replicated Databases
- Effective for situations with a high degree of data sharing, but no primary user.
- Common data are replicated at each site, reducing data traffic between sites.
- The primary justification is to support read-only queries.
- The problem is maintaining current versions of the database at each site.
  ○ Since each IT unit processes its own transactions, the common data replicated at each site are affected by different transactions and reflect different values.
Concurrency Control
- Database concurrency is the presence of complete and accurate data at all user sites.
- Designers need to employ methods to ensure that transactions processed at each site are accurately reflected in the databases of all the other sites.
- A commonly used method is to serialize transactions:
  ○ Special software groups transactions into classes to identify potential conflicts.
  ○ The second part of the control is to time-stamp each transaction.

L4-4. Controlling and Auditing DBMS
Access Controls
- User views (subschemas): a subset of the database that defines a user's data domain and access.
- Database authorization table: contains rules that limit user actions.
- User-defined procedures: allow users to create a personal security program or routine.
- Data encryption procedures: protect sensitive data.
- Biometric devices, such as fingerprints or retina prints: control access to the database.
- Inference controls: should prevent users from inferring, through query options, specific data values they are unauthorized to access.
Audit Procedures for Testing Database Access Controls
- Verify that DBA personnel retain responsibility for authority tables and for designing user views.
- Select a sample of users and verify that their access privileges are consistent with their job descriptions.
- Evaluate the costs and benefits of biometric controls.
- Verify database query controls to prevent unauthorized access via inference.
- Verify that sensitive data are properly encrypted.
Backup Controls
- Since data sharing is a fundamental objective of the database approach, the environment is vulnerable to damage from individual users.
- Four needed backup and recovery features:
  ○ Backup feature: makes a periodic backup of the entire database, which is stored in a secure, remote location.
  ○ Transaction log: provides an audit trail of all processed transactions.
  ○ Checkpoint facility: suspends all processing while the system reconciles the transaction log and database change log against the database.
  ○ Recovery module: uses the logs and backup files to restart the system after a failure.
Audit Procedures for Testing Database Backup Controls
- Verify that backups are performed routinely and frequently.
  ○ The backup policy should balance the inconvenience of frequent activity against the business disruption caused by system failure.
- Verify that automatic backup procedures are in place and functioning and that copies of the database are stored off-site.

Auditing Systems Development and Program Change Activities

L5-1. Auditing Systems Development and Program Change Activities
Participants in Systems Development
- Systems professionals: Analysts, engineers, database designers, and programmers
- End users: Managers, operations personnel from various functional areas, including accountants
- Stakeholders: Individuals with an interest in the system who are not formal end users. Includes the steering committee and both internal and external auditors.
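Returning to the four backup and recovery features listed under L4-4 above, this added Python simulation (not from the course notes) shows how a periodic backup, a transaction log, a checkpoint and a recovery module work together after a crash, and how an auditor can compare recovered values against production; the ledger accounts, transactions and the log-sequence-number (LSN) bookkeeping are constructed:

```python
import copy
import hashlib
import json


class LedgerDb:
    """In-memory 'database' of account balances with the four recovery features."""

    def __init__(self):
        self.balances = {}          # live database
        self.txn_log = []           # transaction log: audit trail of every posted txn
        self.backup_snapshot = None # periodic backup (kept off-site in practice)
        self.backup_lsn = 0         # log position the backup is consistent with

    def post(self, txn_id, account, delta):
        """Write-ahead: the log entry is recorded before the balance changes."""
        entry = {"lsn": len(self.txn_log) + 1, "txn": txn_id,
                 "account": account, "delta": delta}
        self.txn_log.append(entry)
        self.balances[account] = self.balances.get(account, 0) + delta

    def _replay(self, start_lsn, base):
        """Apply every logged transaction after start_lsn to a copy of base."""
        state = copy.deepcopy(base)
        for e in self.txn_log:
            if e["lsn"] > start_lsn:
                state[e["account"]] = state.get(e["account"], 0) + e["delta"]
        return state

    def checkpoint(self):
        """Checkpoint facility: processing is suspended (single-threaded here),
        the log is reconciled against the database, then a backup copy is taken."""
        if self._replay(0, {}) != self.balances:
            raise RuntimeError("log and database disagree; refusing to back up")
        self.backup_lsn = len(self.txn_log)
        self.backup_snapshot = copy.deepcopy(self.balances)
        return self.backup_lsn

    def crash(self):
        """Simulated failure: live data lost; log and backup survive."""
        self.balances = {}

    def restore_backup_only(self):
        """What a restore without the transaction log would give (for comparison)."""
        return copy.deepcopy(self.backup_snapshot)

    def recover(self):
        """Recovery module: restore the last backup, then roll the log forward."""
        if self.backup_snapshot is None:
            raise RuntimeError("no backup available")
        self.balances = self._replay(self.backup_lsn, self.backup_snapshot)
        return self.balances


def fingerprint(balances):
    """Digest an auditor can compare between backup media and production files."""
    return hashlib.sha256(json.dumps(balances, sort_keys=True).encode()).hexdigest()


def demo():
    """Constructed scenario: two txns, checkpoint/backup, a third txn, crash, recovery."""
    db = LedgerDb()
    db.post("T1", "1010-cash", 5000)
    db.post("T2", "2010-payables", -1200)
    db.checkpoint()                        # backup is consistent through LSN 2
    db.post("T3", "1010-cash", -300)       # after the backup: only the log has it
    production = fingerprint(db.balances)  # value the auditor compares against
    db.crash()
    recovered = db.recover()
    return {
        "recovered": recovered,
        "backup_only": db.restore_backup_only(),
        "matches_production": fingerprint(recovered) == production,
    }


if __name__ == "__main__":
    print(demo())
```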
Information Systems Acquisition
A well-designed system can increase productivity, reduce inventories, eliminate non-value-added activities, enhance customer service, improve management decisions, and coordinate organizational activities.
Two methods of acquiring information systems:
- In-house development
- Purchase commercial systems from a software vendor
Trends in Commercial Software
Four factors have contributed to the growth of the commercial software market:
- Relatively low cost for general-purpose software.
- Industry-specific vendors.
- Growing demand from businesses too small to afford in-house development.
- Downsizing units and the move to distributed data processing have increased the appeal to larger organizations.
Turnkey systems are finished, tested, and ready for implementation.
Types of Turnkey Systems
- General accounting systems are designed to serve a wide variety of user needs.
- Special-purpose systems target specific segments.
- Office automation systems improve productivity.
- Backbone systems provide a structure to build on, with primary processing modes programmed.
- Vendor-supported systems are custom systems developed and maintained for the client.
Commercial Systems
Advantages:
- Can be implemented almost immediately once the need is recognized.
- Cost is a fraction of the cost of in-house development.
- Reliability, since the software is pretested and less likely to have errors than in-house systems.
Disadvantages:
- The firm is dependent on the vendor for maintenance.
- When user needs are unique and complex, the software may be too general or inflexible.
- May be difficult or impossible to modify if user needs change.
A company may satisfy some needs with commercial software and develop other systems in-house.

The Systems Development Life Cycle
Phase 1 - Systems Planning
Objective: To link individual systems projects to the strategic objectives of the firm.
- Most firms establish a steering committee to provide guidance and review project status.
  ○ May include the CEO, CFO, CIO, senior management, internal auditors, and external parties (consultants).
  ○ Responsibilities include resolving system conflicts, reviewing projects and assigning priorities, budgeting system development, and determining whether or not to continue the project at various stages of development.
- Two levels: strategic systems planning and project planning.
Strategic Systems Planning
- Involves allocation of resources at the macro level.
- Time frame of 3 – 5 years, with a process similar to budgeting resources for other strategic activities.
- Technically not part of the SDLC, which pertains to specific applications.
- Concerned with the allocation of systems resources.
- Four justifications:
  ○ A changing plan is better than no plan.
  ○ Reduces crises in systems development.
  ○ Provides authorization control for the SDLC.
  ○ Systems planning tends to be a cost-effective means of managing systems projects and application development.
Project Planning
- The purpose is to allocate resources to individual applications within the framework of the strategic plan.
  ○ Identifying user needs, preparing proposals, evaluating proposals' feasibility, prioritizing and scheduling.
- Two formal documents:
  ○ Project proposal: provides management with a basis for deciding whether to proceed by summarizing findings and outlining the link between the system and the business objectives of the firm.
  ○ Project schedule: represents management's commitment to the project.
Phase 2 - Systems Analysis
- Process to survey the current system and analyze user needs.
- The survey step has advantages and disadvantages:
  ○ Can result in the current tar pit syndrome, where the analyst is "sucked in" and "bogged down" by the surveying task.
  ○ Surveying the system may stifle new ideas (thinking inside the box).
  ○ Identifies aspects of the old system that should be kept.
  ○ Forces analysts to fully understand the old system, which will be required to convert to the new one.
  ○ The analyst may determine the root cause of problems, which may not be the system at all.
● System facts fall into the following classes:
  ○ Data sources
  ○ Users
  ○ Data stores
  ○ Processes
  ○ Data flows
  ○ Controls
  ○ Transaction volumes
  ○ Error rates
  ○ Resource costs
  ○ Bottlenecks
  ○ Redundant operations
● Fact-gathering techniques:
  ○ Observation, task participation, personal interviews, key document review
● The analyst is analyzing while gathering facts.
● Systems analysis report:
  ○ Presented to management or the steering committee.
  ○ Provides survey findings, problems identified with the old system, user needs and new system requirements.
  ○ Constitutes a formal contract that specifies the objectives and goals of the system.

Phase 3 - Conceptual System Design
● Objective: To produce alternative systems that satisfy the identified system requirements.
● Structured design approach:
  ○ Designs the system from the top down by starting with the “big picture” and gradually decomposing the system into more detail until it is fully understood.
  ○ Designs should identify all inputs, outputs, processes and special features necessary to distinguish one alternative from another.
● Object-oriented design approach (OOD):
  ○ Builds information systems from reusable objects.
  ○ The concept of reusability is central, as standard modules can be used in other systems with similar needs.
  ○ A library of reusable modules results in less time, cost, maintenance, and testing, and in improved user support and system flexibility.

Phase 4 - System Evaluation and Selection
● Identify the optimal solution from the alternatives.
● First step is a detailed feasibility study:
  ○ Technical: Existing or new technology?
  ○ Economic: Are funds available?
  ○ Legal: Any conflicts between the new system and legal responsibilities?
  ○ Operational: Are procedures and personnel compatible with the new system?
  ○ Schedule: Is the firm able to implement the project in an acceptable amount of time?
● Second step is a cost-benefit analysis:
  ○ Identify both one-time and recurring costs, and tangible and intangible benefits (the latter cannot be easily quantified).
  ○ Compare costs and benefits.
● One-Time Costs
  ○ Hardware acquisition
  ○ Site preparation
  ○ Software acquisition
  ○ Systems design
  ○ Programming and testing
  ○ Data conversion from the old system to the new system
  ○ Personnel training
● Recurring Costs
  ○ Hardware maintenance
  ○ Software maintenance contracts
  ○ Insurance
  ○ Supplies
  ○ Personnel
● Tangible benefits
  ○ Increased revenues
    - Increased sales within existing markets
    - Expansion into other markets
  ○ Cost reduction
    - Labor reduction
    - Operating cost reduction (such as supplies and overhead)
    - Reduced inventories
    - Less expensive equipment
    - Reduced equipment maintenance
● Intangible benefits
  ○ Increased customer satisfaction
  ○ Improved employee satisfaction
  ○ More current information
  ○ Improved decision making
  ○ Faster response to competitor actions
  ○ More efficient operations
  ○ Better internal and external communications
  ○ Improved planning
  ○ Operational flexibility
  ○ Improved control environment

Phase 5 - Detailed Design
● Objective: To produce a description of the proposed system that satisfies the requirements identified during systems analysis and is in accordance with the conceptual design.
● All system components are specified.
● Components are presented formally in a detailed design report that constitutes a set of “blueprints.”
  ○ Plans proceed to the systems implementation phase.
● The development team performs a design walkthrough to ensure the design is free from conceptual error.
  ○ May be done by an independent quality assurance group.
● The detailed design report documents and describes the system to this point, including:
  ○ Designs for input screens and source documents
  ○ Designs for screen outputs, reports, and operational documents
  ○ Normalized data for database tables, specifying all data elements
  ○ Database structures and diagrams
    ■ Data flow diagrams (DFDs)
    ■ Database models (ER, Relational)
  ○ Updated data dictionary
  ○ Processing logic (flow charts)

Phase 6 - Application Programming and Testing
● Program the application software.
  ○ Procedural languages require the programmer to specify the precise order in which program logic is executed.
  ○ Event-driven language programs are designed to respond to an external action or event initiated by the user.
  ○ Object-oriented languages are required to achieve the benefits of the object-oriented approach.
● Programming the system should follow a modular approach to achieve programming efficiency, maintenance efficiency and control.
● Test the application software.
  ○ The testing methodology process has structured steps to follow.
  ○ Testing offline before deploying online is critical to avoid potential disaster.
  ○ Test data creation is time consuming but can provide future benefits.

Phase 7 - System Implementation
● Database structures are created and populated with data, equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed.
  ○ Engages the efforts of designers, programmers, database administrators, users and accountants.
● Test the entire system.
● Document the system:
  ○ Designer and programmer documentation
  ○ Operator documentation
  ○ User documentation, which often takes the form of a user handbook
  ○ Online tutorials and help features
● Database conversion is a critical step.
  ○ Validation, reconciliation, backup
● Converting to the new system:
  ○ Under the cold turkey cutover (Big Bang), the firm switches to the new system and simultaneously terminates the old.
  ○ The phased cutover begins operating the new system in modules. It reduces the risk of a devastating failure but can create incompatibilities during the process.
  ○ The parallel operation cutover involves running both systems simultaneously for a period of time. It is the most time-consuming and costly, but least risky, approach.
● The post-implementation review is an important step that takes place months later.
  ○ Conducted by an independent team to measure system success by gathering evidence regarding adequacy and risks.
● Systems design adequacy:
  ○ Physical features are reviewed to see if they meet user needs.
● Accuracy of time, cost, and benefit estimates:
  ○ Review of actual vs. budgeted amounts provides critical input for future budgeting decisions.

Phase 8 - Systems Maintenance
● Formal process by which application programs undergo changes to accommodate changes in user needs.
● Can be extensive, and the maintenance period can be 5 years or longer in some organizations.
  ○ When maintaining an old system is no longer feasible, it is scrapped and a new SDLC begins.
● Represents a significant resource outlay.
  ○ As much as 80% - 90% of total cost may be incurred in the maintenance phase.

Controlling and Auditing the SDLC

Controlling New Systems Development
● Systems authorization, user specification and technical design activities.
● Internal audit participation:
  ○ Systems planning and analysis.
  ○ Conceptual system design impacts auditability.
  ○ Economic feasibility needs to be measured accurately.
  ○ Systems implementation:
    ■ Provide technical expertise with regard to accounting rules.
    ■ Specify documentation standards.
    ■ Verify control adequacy and compliance with regulations.
● Before implementation, the individual modules must be tested as a whole.
  ○ Formal testing and user acceptance are considered by many auditors to be the most important control over the SDLC.
● Audit objectives are to verify that:
  ○ SDLC activities are applied consistently and in accordance with management’s policies.
  ○ The original system is free from material errors and fraud.
  ○ The system was judged necessary and justified.
  ○ Documentation is adequate and complete.

Audit Procedures for New Systems Development
● Audit procedures should determine that:
  ○ Proper end user and IT management authorization was obtained.
  ○ A preliminary feasibility study showed the project had merit.
  ○ A detailed analysis of user needs was conducted.
  ○ An accurate cost-benefit analysis was conducted.
  ○ System testing occurred before implementation.
  ○ The checklist of specific problems determined during conversion was corrected during maintenance.
  ○ System documentation complies with standards.

Controlling Systems Maintenance
● Upon implementation, the system enters the maintenance phase of the SDLC.
● Access to systems for maintenance increases the possibility of system errors.
  ○ To minimize exposure, all maintenance should require: formal authorization, technical specifications of the change, retesting the system and updating the documentation.
● Source program library controls:
  ○ Program source code is stored on magnetic disks called the source program library (SPL), which must be properly controlled to preserve application integrity.
● To control the SPL:
  ○ Password control and separate test libraries.
  ○ Audit trail and management reports that detail program modifications and program version numbers.
  ○ Controlled access to maintenance (SPL) commands.

Audit Objectives for Systems Maintenance
● Detect unauthorized program maintenance.
● Determine that maintenance procedures protect applications from unauthorized changes.
● Verify that applications are free from material errors.
● Verify that SPLs are protected from unauthorized access.
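As an added illustration (not from the course notes), the Python script below performs the reconciliation these objectives call for: it compares each production program's version number and source fingerprint with a maintenance authorization register, reports approvals that lack retest or documentation evidence, and checks the programmer authority table for users who can write to both the test library and the production SPL. The program names, register fields, source text and authority table are all constructed.

```python
# Added example (not from the course notes): reconciling the production SPL against
# the maintenance authorization register. All names and data below are constructed.
import hashlib


def source_hash(source):
    """Fingerprint recorded in the authorization register when a change is approved."""
    return hashlib.sha256(source.encode()).hexdigest()


def audit_spl(library, register):
    """Reconcile the production source program library with the authorization register.
    Findings are grouped by audit objective:
      version   - production version is not the latest authorized version
      code      - source no longer matches the fingerprint filed with the approval
      procedure - approval lacks retest or documentation-update evidence"""
    findings = {"version": [], "code": [], "procedure": []}
    for program, entry in sorted(library.items()):
        approvals = [r for r in register if r["program"] == program]
        latest = max(approvals, key=lambda r: r["version"], default=None)
        if latest is None or entry["version"] != latest["version"]:
            findings["version"].append(program)
            continue
        if source_hash(entry["source"]) != latest["source_hash"]:
            findings["code"].append(program)
        if not (latest["retested"] and latest["docs_updated"]):
            findings["procedure"].append(program)
    return findings


def authority_conflicts(authority_table):
    """Programmer IDs able to write to both the test library and the production SPL,
    which defeats the separate-test-library control."""
    return sorted(uid for uid, libs in authority_table.items() if {"TEST", "PROD"} <= set(libs))


# Constructed data: source text, register entries and authority table are illustrative only.
PAYROLL_V3 = "CALC GROSS = HOURS * RATE\nCALC TAX = GROSS * 0.20\n"
AR_POST_V2 = "POST INVOICE TO CUSTOMER LEDGER\n"
REGISTER = [
    {"program": "PAYROLL", "version": 3, "change_request": "CR-118",
     "source_hash": source_hash(PAYROLL_V3), "retested": True, "docs_updated": True},
    {"program": "AR_POST", "version": 2, "change_request": "CR-121",
     "source_hash": source_hash(AR_POST_V2), "retested": True, "docs_updated": False},
]
LIBRARY = {
    "PAYROLL": {"version": 3, "source": PAYROLL_V3.replace("0.20", "0.15")},  # edited, no approval
    "AR_POST": {"version": 2, "source": AR_POST_V2},                           # approved, docs missing
    "GL_CLOSE": {"version": 2, "source": "CLOSE PERIOD\n"},                    # no approval on file
}
AUTHORITY = {"alice": ["TEST"], "bob": ["TEST", "PROD"], "ops01": ["PROD"]}

if __name__ == "__main__":
    print(audit_spl(LIBRARY, REGISTER))      # {'version': ['GL_CLOSE'], 'code': ['PAYROLL'], 'procedure': ['AR_POST']}
    print(authority_conflicts(AUTHORITY))    # ['bob']
```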
● Identify unauthorized changes:
  ○ Reconcile program version numbers.
  ○ Confirm maintenance authorization.
● Identify application errors:
  ○ Reconcile source code.
  ○ Review test results.
  ○ Retest the program.
● Test access to libraries:
  ○ Review programmer authority tables.
  ○ Test the authority table.

Financial Reporting Cycle

L6-1. Transaction Cycles
Relationship Between Transaction Cycles

L6-2. Accounting Records in a Manual vs. Computerized Accounting System
Accounting Records in a Manual Accounting System: Documents
Accounting Records in a Manual Accounting System: Journals
Accounting Records in a Manual Accounting System: Ledgers
Accounting Records in a Computerized Accounting System

L6-3. Documentation Techniques
Data Flow Diagram
Entity Relationship Diagram
Systems Flowchart (see ppt)
Program Flowchart (see ppt)
Record Layout Diagram

L6-4. Transaction Processing Models
Batch vs. Real-Time Processing

| Distinguishing Feature | Batch | Real-time |
| --- | --- | --- |
| Information time frame | A lag exists between the time when the economic event occurs and when it is recorded | Processing takes place when the economic event occurs |
| Resources | Generally, fewer resources (e.g., hardware, programming, training, etc.) are required | More resources are required than for batch processing |
| Operational efficiency | Certain records are processed after the event to avoid operational delays | All records pertaining to the event are processed immediately |

(see ppt)

L6-5. Data Coding Schemes
A system without codes:
  Dr Inventory – nut, ½ inch, case-hardened steel, standard thread ........ 1000
      Cr AP – Industrial Parts Manufacturer, Cleveland, Ohio ............... 1000
A system with codes:
  Dr 896 ........ 1000
      Cr 321 ........ 1000

Different Coding Schemes

| Coding Technique | Example | Advantages | Disadvantages |
| --- | --- | --- | --- |
| Sequential Codes | Inv No. 1001, 1002, 1003... | Efficient tracking; simplified ordering | Lack descriptive info; inflexible structure |
| Block Codes | Expense accounts -- 600; Revenue accounts -- 400 | Organized structure; easy insertion of new codes | Requires reference for meaning; limited descriptive info |
| Group Codes | Store No. 04, Dept No. 09, Item No. 476214, Salesperson No. 99 | Detailed data representation; hierarchical structure | Can become complex; may increase cost |
| Alphabetic Codes | Expense accounts -- XAA; Revenue accounts -- EAA | Larger combination possibilities; can be intuitive | Sorting challenges; may lack meaning |
| Mnemonic Codes | BA 122.2 - BA Course; Eng 13 - English Course | Easy to understand; self-descriptive | Limited capacity for item representation |

Computer Assisted Auditing Tools

L7-1. Computer Assisted Auditing Tools and Techniques (CAATTs)

IT Application Controls
● Input Controls: Ensure that transaction data are free from errors before they are processed.
● Processing Controls: Ensure that an application’s logic is functioning properly.
● Output Controls: Ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated.
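As an added example (not from the course notes), the Python script below applies input controls to a constructed sales batch and then the run-to-run processing control that follows them: each record goes through field interrogation (check digit, missing data, numeric-alphabetic, sign, limit, validity) and a sequence check, failing records are written to an error file, and the batch control data (record count, control total, hash total) is reconciled against the header received and re-issued for the next run. The modulus-11 check-digit scheme, the limit, the valid transaction codes and every record are assumptions.

```python
# Added example (not from the course notes): field interrogation and run-to-run batch controls.
from itertools import cycle

VALID_CODES = {"S", "R"}   # validity check master list: sale / return (constructed)
LIMIT = 5000.00            # limit check threshold (constructed)

def is_money(text):
    """Numeric-alphabetic check for an amount field ('-50.00' passes, '12A' fails)."""
    return text.lstrip("-").replace(".", "", 1).isdigit()

def mod11_check_digit(body):
    """Modulus-11 check digit, weights 2..7 cycling from the right; None when it would be 10."""
    total = sum(int(d) * w for d, w in zip(reversed(body), cycle(range(2, 8))))
    digit = (11 - total % 11) % 11
    return None if digit == 10 else digit

def field_errors(rec):
    """Field interrogation: names of the checks this record fails (empty list = clean)."""
    cust, amount = rec["cust_no"], rec["amount"]
    value = float(amount) if is_money(amount) else 0.0
    checks = [("missing_data", any(str(v).strip() == "" for v in rec.values())),
              ("numeric_alphabetic", not cust.isdigit() or not is_money(amount)),
              ("check_digit", cust.isdigit() and mod11_check_digit(cust[:-1]) != int(cust[-1])),
              ("sign", value < 0), ("limit", value > LIMIT),
              ("validity", rec["trans_code"] not in VALID_CODES)]
    return [name for name, failed in checks if failed]

def batch_control_data(records):
    """Batch control data carried from run to run: record count, control total, hash total."""
    return {"record_count": len(records),
            "control_total": round(sum(float(r["amount"]) for r in records if is_money(r["amount"])), 2),
            "hash_total": sum(int(r["cust_no"]) for r in records if r["cust_no"].isdigit())}

def process_batch(header, records):
    """Reconcile the incoming header against the records received, interrogate each record,
    divert rejects to an error file, and build the header the next run must agree with."""
    totals = batch_control_data(records)
    input_ok = all(header[k] == v for k, v in totals.items())
    accepted, error_file, expected_seq = [], [], 1
    for rec in records:
        errs = field_errors(rec)
        if rec["seq"] != expected_seq:          # record interrogation: sequence check
            errs.append("sequence")
        expected_seq = rec["seq"] + 1
        (error_file if errs else accepted).append({**rec, "errors": errs})
    return {"input_ok": input_ok, "accepted": accepted, "error_file": error_file,
            "next_header": {"batch_no": header["batch_no"], **batch_control_data(accepted)}}

HEADER = {"batch_no": "B0417", "record_count": 4, "control_total": 6500.00, "hash_total": 181463}
RECORDS = [  # constructed; 12343, 56782 and 99996 carry valid mod-11 check digits
    {"seq": 1, "cust_no": "12343", "trans_code": "S", "amount": "1200.00"},
    {"seq": 2, "cust_no": "56782", "trans_code": "S", "amount": "5050.00"},  # exceeds limit
    {"seq": 3, "cust_no": "99996", "trans_code": "", "amount": "300.00"},    # missing code
    {"seq": 5, "cust_no": "12342", "trans_code": "X", "amount": "-50.00"},   # gap, digit, code, sign
]

if __name__ == "__main__":
    result = process_batch(HEADER, RECORDS)
    print(result["input_ok"], len(result["accepted"]), result["next_header"])
```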
Input Controls

| Field Interrogation | Record Interrogation | File Interrogation |
| --- | --- | --- |
| Check digit | Reasonableness check | Internal and external label checks |
| Missing data check | Sign check | Version checks |
| Numeric-alphabetic check | Sequence check | |
| Limit check | | |
| Range check | | |
| Validity check | | |

Input Error Correction
● Correct immediately
● Create an error file
● Reject the entire batch

Processing Controls

| Category | What it is | Components / Examples |
| --- | --- | --- |
| Run-to-Run Controls | Designed to monitor the batch as it moves from one run to another. Ensure that: all records in the batch are processed; no records are processed more than once; a transaction audit trail is created from the input, throughout the processing, and to the output stage | Batch control data: unique batch number; batch date; transaction code; record count; control total; hash total |
| Operator Intervention Controls | Reduce the probability that errors can occur when there is operator intervention (e.g., entering control totals for a batch of records, providing parameter values for logical operations, etc.) | Clear business rules; automation |
| Audit Trail Controls | Ensure that every transaction is traceable through each stage of the processing, from its economic source to its presentation in the financial statements | Transaction logs; log of automatic transactions; listing of automatic transactions; unique transaction identifiers; error listing |

Output Controls

| Control Activity | What it is |
| --- | --- |
| Output spooling | Directing output to a magnetic disk file rather than directly to the printer, to prevent other applications from accessing the processing stream. |
| Print programs | Designed to deal with: 1. production of unauthorized copies of the output; and 2. employees browsing sensitive data. |
| Supervision during bursting | Bursting is when the printed pages are separated and collated. There should be appropriate supervision to avoid the production of unauthorized copies and the reading of sensitive information. |
| Waste control | Proper disposal of printed outputs. |
| Data control | Verification of the accuracy of computer output before it is distributed to the user. |
| Report distribution controls | Minimize the risks of reports being lost, stolen, or misdirected. |
| End user control | Final examination by the user for any errors not previously observed. |
| Real-time systems output control | Directs output to the user’s computer screen, terminal, or printer. |

Testing Computer Application Controls

| Approach | “Around the Computer” | “Through the Computer” |
| --- | --- | --- |
| Testing techniques | Analysis through: inquiry/interview; review of flowcharts; comparison of actual input and actual output | Access test; validity test; accuracy test; completeness test; redundancy test; audit trail test; rounding error test |
| Use | Relatively simple systems | Complex systems |

CAATT Approaches
● Test Data Method
● Base Case System Evaluation
● Tracing
● Integrated Test Facility
● Parallel Simulation

Test Data Method: Used to test the integrity of an application by processing specially prepared sets of input data through copies of the applications under review.
Base Case System Evaluation: A test that is conducted using a set of test data that is comprehensive (i.e., contains all possible transaction types).
Tracing: An electronic walkthrough of the application’s internal logic.

Advantages
1. Employ through-the-computer testing.
2. Data runs can be employed with only minimal disruption to the organization’s operations.
3. Require minimal computer expertise on the part of the auditors.
Disadvantages
1. Reliance on computer services personnel to obtain a copy of the application for test purposes.
2. Provide only a static picture of application integrity at a single point in time.
3. Relatively high cost of implementation, which can result in audit inefficiency.

Integrated Test Facility
An automated technique that enables auditors to test an application’s logic and controls during its normal operations.
Advantages
1. Supports ongoing monitoring of controls.
2. Can be tested economically without disrupting the user’s operations and without the intervention of computer services personnel.
Disadvantages
● Potential for corrupting the data files of the organization during the testing.

Parallel Simulation
The auditor writes a program that simulates key features or processes of the application under review.
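An added example (not from the course notes) of parallel simulation in Python: the auditor's own pricing routine is run over the production input and its results are compared, to the cent, with the application's output file, which also serves as the rounding error test from the through-the-computer list above. The discount and tax rules, the invoice data and the application's output are all assumptions.

```python
# Added example (not from the course notes): parallel simulation of an invoice-pricing
# routine. The pricing rules, input transactions and application output are constructed.
from decimal import Decimal, ROUND_HALF_UP

TAX_RATE = Decimal("0.12")                          # assumed tax rule of the application under review
VOLUME_QTY, VOLUME_DISCOUNT = 50, Decimal("0.05")   # assumed: 5% off at 50 units or more

def simulate_invoice(txn):
    """Auditor's independent pricing logic: volume discount, then tax, rounded half-up to cents."""
    gross = Decimal(txn["qty"]) * Decimal(txn["unit_price"])
    if txn["qty"] >= VOLUME_QTY:
        gross -= gross * VOLUME_DISCOUNT
    total = gross * (1 + TAX_RATE)
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def parallel_simulation(transactions, app_output, tolerance="0.00"):
    """Run the simulation over the production input and compare it with the application's
    output file. Returns (exceptions, orphans): invoices whose amounts differ by more than
    the tolerance or are missing from the output, and output rows with no input transaction."""
    limit = Decimal(tolerance)
    exceptions, seen = [], set()
    for txn in transactions:
        seen.add(txn["invoice"])
        expected = simulate_invoice(txn)
        actual = app_output.get(txn["invoice"])
        if actual is None or abs(Decimal(actual) - expected) > limit:
            exceptions.append((txn["invoice"], str(expected), actual))
    return exceptions, sorted(set(app_output) - seen)

TRANSACTIONS = [  # constructed production input read by both programs
    {"invoice": "INV-1001", "qty": 10, "unit_price": "19.99"},
    {"invoice": "INV-1002", "qty": 50, "unit_price": "3.333"},
    {"invoice": "INV-1003", "qty": 1, "unit_price": "100.00"},
]
APP_OUTPUT = {  # constructed output of the application under review
    "INV-1001": "223.89",
    "INV-1002": "177.31",   # application truncates at each step instead of rounding: rounding error
    "INV-1003": "112.00",
    "INV-1004": "55.00",    # no corresponding input transaction
}

if __name__ == "__main__":
    exceptions, orphans = parallel_simulation(TRANSACTIONS, APP_OUTPUT)
    print("exceptions:", exceptions)   # [('INV-1002', '177.32', '177.31')]
    print("orphans:", orphans)         # ['INV-1004']
```

Raising the tolerance to one cent suppresses the rounding exception, which is exactly the kind of difference an auditor must decide to accept or not.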