BA 122.2 Exam.pdf

Full Transcript

1

AY 2024-2025 First Semester: BA 122.2
IT Audit and Governance Controls
L1-1. IT Audit
An IT audit is part of the audit procedures that the auditors perform that focuses on the computer-based aspects of an
organization’s information system; and modern systems employ significant levels of technology.
Phases of an IT Audit

L1-2. Internal Control Objectives, Principles, and Models
Internal Control Objectives
1. To safeguard assets of the entity
2. To ensure the accuracy and reliability of the accounting records and information
3. To promote efficiency in the entity's operations
4. To measure compliance with management's prescribed policies and procedures
Internal Control Principles
1. Management Responsibility
2. Methods of Data Processing
3. Limitations
a. possibility of error
b. circumvention
c. management override
d. changing conditions
4. Reasonable Assurance
Internal Control Model - The PDC Model
1. Preventive Controls
2. Detective Controls
3. Corrective Controls
Internal Control Model - COSO Internal Control Framework
1. Control Environment
2. Risk Assessment
3. Information and Communication
4. Monitoring
5. Control Activities
 2
L1-3. Categories of Internal Control Activities

L2-1. IT Governance and Function
IT Governance
IT governance is a subset of corporate governance that focuses on management and assessment of strategic IT
resources. The key objectives of IT governance are:
1. To reduce risk, and
2. To ensure that investments in IT resources add value to the corporation.

Our focus in relation to IT Governance for this course will be on the following:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
 3
Key IT Functions
Database Administration
Responsible for the security and integrity of the database.
Data Processing
The data processing group manages the computer resources used to perform the day-to-day processing of
transactions. It consists of the following functions: data control/data entry, computer operations, and the data library.
Systems Development and Maintenance
The information systems needs of users are met by two related functions: system development and systems
maintenance. The former group is responsible for analyzing user needs and for designing new systems to satisfy
those needs. once a new system has been designed and implemented, the systems maintenance group assumes
responsibility for keeping it current with user needs

Centralized IT Structure Issues
> Separate systems development and
computer operations
> Separating database administration
from other functions
> Separating new systems development
from maintenance
Two potential control problems:
- Inadequate documentation
- Program fraud

Distributed IT Structure Issues
> Inefficient use of resources
Destruction of audit trails
Inadequate segregation of duties
Hiring qualified professionals
Lack of standards
Advantages of a Distributed Data Processing
> Cost reductions
> Improved cost control
> Improved user satisfaction
> Backup flexibility
Controlling a Distributed Data Processing
> Implement a Corporate IT function
> Central testing of Commercial software and
hardware
> User services
> Standard-setting body
> Personnel review
 4
Audit Objective and Procedures for the IT Structure
Audit Objective: to verify that the structure of the IT function is such that individuals in incompatible areas are
segregated in accordance with the level of potential risk and in a manner that promotes a working environment

Audit procedures for a centralized IT Audit procedures for a distributed IT

Review relevant documentation to determine if Review relevant documentation to determine if
individuals or groups are performing individuals or groups are performing
incompatible functions incompatible functions
Review systems documentation and Verify that corporate policies and standards for
maintenance records for a sample of systems design, documentation, and hardware
applications and software acquisition are published and
Verify that computer operators do not have provided to distributed IT units.
access to the operational details of a system’s Verify that there is compensating controls if
internal logic there are incompatible duties
Observe whether segregation policies are done Review systems documentation to verify that
in practice units are following corporate standards

L2-2. The Computer Center
Physical location
Construction
Access
Air-conditioning
Fire suppression
Fault tolerance
Audit Objective: to verify that:
1. Physical security controls are adequate to reasonably protect the organization from physical exposures
2. Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or
damage to, its computer center
Audit Procedures:
1. Test of physical construction
2. Test of fire detection system
3. Test of access controls
4. Test of parallel backups
5. Test of uninterruptible power supply
6. Test of insurance coverage

L2-3. Disaster Recovery Planning
Disaster Recovery Plan - Common Features
Identify critical applications
Create disaster recovery team
Provide site backup
○ Mutual aid pact
○ Empty shell - cold site
○ ROC - hot site
○ Internally provided
Specify backup and off - site storage procedures
 5
Disaster Recovery Plan
Audit Objective: to verify that management’s disaster recovery plan is adequate and feasible for dealing with a
catastrophe that could deprive the organization of its computing resources
Audit Procedures:
1. Evaluate adequacy of site backup arrangement
2. Review the list of critical applications to ensure that it is complete
3. Verify that copies of updated critical applications and operating systems are stored off-site
4. Verify that critical data files are backed up
5. Verify that the types and quantities of items specified in the DRP exist in a secure location
6. Verify that members of the team are current employees and are aware of their assigned responsibilities

L2-4. Outsourced IT Function
Theory:
Core Competency
Pros:
Improved core business performance
Improved IT performance
Reduced IT cost
Cons:
Failure to perform
Vendor exploitation
Outsourcing costs exceeds benefits
Reduced security
Loss of strategic advantage
Outsourcing the IT Function
Audit Objective: to verify that controls surrounding the IT Function, regardless of who is performing them should be
assessed and tested as to its design and operating effectiveness
Audit Procedures: Obtain a Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report
(previously SAS 70 report)
 6
Auditing Operating Systems and Networks
L3-1. Operating Systems
Auditing Operating Systems
The Operating System (OS) is the computer's control program. It allows users and their applications to share and
access common computer resources (e.g., processors, main memory, databases, and printers).
Because the OS is common to all users, the potential damage is greater as the computer facility's size increases.
OS Tasks and Objectives
Tasks
Translates high-level languages into the machine-level language that the computer can execute
Allocates computer resources to users, workgroups, and applications
Manages the tasks of job scheduling and multiprogramming
Control Objectives
The OS must protect itself from users
The OS must protect users from each other
The OS must protect users from themselves
The OS must be protected from itself
The OS must be protected from its environment
OS Security and Threats to Integrity
OS Security
Log-on procedure
Access token
Access control list
Discretionary access privileges
Integrity Threats
Accidental threats (e.g., hardware failure, errors in user application programs)
Intentional threats
Controlling Access Privileges

Control Audit Objective Audit Procedures

User access privileges To verify that access Review the organization’s policies for separating
are assigned to privileges are granted in a incompatible functions and ensure that they promote
individuals and to manner that is consistent reasonable security.
entire workgroups with the need to separate Review the privileges of a selection of user groups
authorized to use the incompatible functions and is and individuals to determine if their access rights are
system in accordance with the appropriate for their job descriptions and positions.
organization’s policy The auditor should verify that individuals are granted
access to data and programs based on their need to
know.
Review personnel records to determine whether
privileged employees undergo an adequately
intensive security clearance check in compliance with
company policy.
Review the users’ permitted log-on times. Permission
should be commensurate with the tasks being
performed.
 7
Password Control

Control Audit Objective Audit Procedures

Reusable passwords To ensure that the Verify that all users are required to have passwords.
One-time password organization has an Verify that new users are instructed in the use of
adequate and effective passwords and the importance of password control.
password policy for Review password control procedures to ensure that
controlling access to the passwords are changed regularly.
operating system Review the password file to determine that weak
passwords are identified and disallowed.
Verify that the password file is encrypted and that the
encryption key is properly secured.
Assess the adequacy of password standards such as
length and expiration interval.
Review the account lockout policy and procedures

Controlling Against Malicious and Destructive Programs

Controls Audit Objective Audit Procedures

Purchase from reputable To verify that effective Through interviews, determine that operations
vendors management policies personnel have been educated about computer
Presence of policies and procedures are in viruses and are aware of the risky computing
pertaining to use of place to prevent the practices that can introduce and spread viruses and
unauthorized software introduction and other malicious programs.
Inspect software for spread of destructive Verify that new software is tested on standalone
viruses programs, including workstations prior to being implemented on the host
Increase awareness viruses, worms, back or network server.
regarding threats from doors, logic bombs, Verify that the current version of antiviral software is
malicious programs and Trojan horses installed on the server and that upgrades are
Routinely back-up files regularly downloaded to workstations.
Use anti-virus software

System Audit

Controls Audit Objective Audit Procedures

Keystroke monitoring To ensure that the Verify that the audit trail has been activated according
Event monitoring established system to organization policy.
audit trail is adequate Review unusual activities from the logs such as
The security objectives of for preventing and unauthorized or terminated user, periods of inactivity,
audit trails are: detecting abuses, activity by specific user/group, log-on/log-off times,
detecting unauthorized reconstructing key failed log-on attempts, and access to specific
access events that precede files/applications.
reconstructing events systems failures, and Select a sample of security violation cases and
promoting personal planning resource evaluate their disposition to assess the effectiveness
accountability allocation of the security group

L3-2. Networks
Auditing Networks
Networks exist to provide user access to shared resources, but at the same time, the most important objective of any
network is to control such access. That is why, for every productivity argument in favor of remote access, there is a
security argument against it. Organizations constantly seek a balance between increased access and the associated
business risks.
 8
Network Security Risks

Intranet Risks Internet Risks

Interception of network messages IP Spoofing
Inappropriate access to corporate database Denial of service attack (DoS)
Reluctance to prosecute employees ○ SYN flood attack
○ Smurf attack
Distributed denial of service attack (DDoS)

Controlling Networks

Controls Audit Objective Audit Procedures

Firewalls To verify the security and Review the adequacy of the firewall in achieving the
Deep Packet integrity of financial proper balance between control and convenience
Inspection (DPI) transactions by based on the organization’s business objectives and
Encryption determining that network potential risks.
Digital Signatures controls (1) can prevent Verify that an IPS with DPI is in place for
and Certificate and detect illegal access, organizations that are vulnerable to DDoS attacks,
Message Sequence (2) will render useless any such as financial institutions.
Numbering data that a perpetrator Review security procedures governing the
Message Transaction successfully captures, and administration of data encryption keys.
Log (3) are sufficient to Verify the encryption process by transmitting a test
RequestResponse preserve the integrity and message and examining the contents.
Call-Back Devices physical security of data Review the message transaction logs to verify that all
connected to the network messages were received in their proper sequence.
Test the operation of the call-back feature by placing
an unauthorized call from out-side the installation.

Advance Encryption Standard (AES)
AES is a 128-bit encryption technique that has
become a U.S. government standard for private key
encryption

Triple-DES
Encryption (DES)
Triple DES provides
considerably improved
security over most
single encryption
techniques.
 9
Public Key Encryption (see ppt)

L3-3. Electronic Data Interchange
Auditing Electronic Data Interchange
The intercompany exchange of computer processable business information in standard format.
EDI Overview EDI Using Van

EDI with and EFT Component (see ppt)
EDI Controls

Controls Audit Objectives Audit Procedures

Validate To determine that: Test of Authorization and Validation Controls
passwords and all EDI transactions are ○ Review agreements with the VAN facility to validate
user ID codes authorized, validated, and transactions and ensure that information regarding
Validate users in compliance with the valid trading partners is complete and correct; and,
or systems trading partner ○ Examine the organization’s valid trading partner file
accessing agreement; for accuracy and completeness.
databases no unauthorized Test of Access Controls
Set-up an audit organizations gain access ○ Determine that access to the valid vendor or
trail to database records; customer file is limited to authorized employees
authorized trading only.
partners have access only ○ Reconcile the terms of the trading agreement
to approved data; against the trading partner’s access privileges
adequate controls are in stated in the database authority table.
place to ensure a ○ Simulate access by a sample of trading partners
complete audit trail of all and attempt to violate access privileges.
EDI transactions. Test of Audit Trail Controls
○ Verify that the EDI system produces a transaction
log that tracks transactions through all stages of
processing.
 10
L3-4. PC-based Accounting Systems
Auditing PC-based Accounting Systems
PC accounting systems are used to replace manual
systems. They are normally modular in design which
provides a certain degree of flexibility in tailoring systems
to the specific needs of the users.

PC Accounting System Modules →

PC Systems Risks:
Weak access control
Inadequate segregation of duties
Risks of theft
Weak backup procedures
Virus infection
PC Systems Controls

Controls Audit Objectives

1. Multilevel password control 1. Verify that controls are in place to protect data,
2. Anti-theft security locks programs, and computers.
3. Establishment of formal backup procedures 2. Verify that adequate supervision and operating
4. Secure an online backup service procedures exist to compensate for lack of
5. Use of effective antivirus software segregation between the duties.
3. Verify that backup procedures are in place.
4. Verify that systems selection and acquisition
procedures produce applications that are high
quality, and protected from unauthorized changes.
5. Verify that the system is free from viruses and
adequately protected

Audit Procedures

1. Observe that PCs are physically anchored.
2. Verify from organizational charts, job descriptions, and observation that programmers of accounting systems do
not also operate those systems. In smaller organizational units where functional segregation is impractical, we
should verify that there is adequate supervision over these tasks.
3. Confirm that reports of processed transactions, listings of updated accounts, and control totals are prepared,
distributed, and reconciled by appropriate management at regular and timely intervals.
4. Determine that multilevel password control is used to limit access to data and applications and that the access
authority granted is consistent with the employees’ job descriptions.
5. Verify that the drives are removed and stored in a secure location when not in use.
6. Verify that backup procedures are being followed by comparing data values and dates on the backup disks to
production files. If an online backup service is used, verify that the contract is current and adequate to meet the
organization's needs.
7. Verify that their commercial software packages were purchased from reputable vendors and are legal copies.
Review the selection and acquisition procedures to ensure that end-user needs were fully considered and that
the purchased software satisfies those needs.
8. Review the organization’s policy for using antiviral software.
 11
Auditing Database Systems
L4-1. Data Management Systems
Data Management Approaches
A. Flat-file Approach (see ppt)
Associated with large, older legacy systems still in use today.
Promotes a single-user view approach where end users own rather than share data files.
Separate data sets for each user leads to data redundancy which causes problems with:
○ Data storage: Commonly used data duplicated multiple times within the organization.
○ Data updating: Changes must be made separately for each user. If updating fails problem of currency of
information with users having outdated information.
○ Task-data dependency: Users cannot obtain additional information as needs change.

B. Database Approach
Access to the data resource is controlled by a database management system (DBMS).
Centralizes organization’s data into a common database shared by the user community.
All users have access to data they need which may overcome flat-file problems.
○ Elimination of data storage
problem: No data redundancy.
○ Elimination of data updating
problem: Single update
procedure eliminates currency
of information problem.
○ Elimination of task-data
dependency problem: Users
only constrained by legitimacy
of access needs.

L4-2. Key Elements of the Data Management Environment
DBMS (Database Management System) Features
Program Development – Applications may be created by programmers and end users
Backup and Recovery – Copies made during processing
Database Usage Reporting – Captures statistics on database usage (who, when, etc.)
Database Access – Authorizes access to sections of the database
Data Definition Language – Used to define the database to the DBMS on three levels (views)
Database Views

Internal View / Physical View Conceptual View / Logical View External View / User View

Physical arrangement of records in Describes the entire database Portion of database each user
the database. Describes structures logically and abstractly rather than views. May be many distinct users
of data records, linkage between physically. Only one conceptual
files and physical arrangement and view.
sequence of records in a file. Only
one internal view.
*check ppt for Overview of DBMS Operation
 12
Data Manipulation Language (DML)
DML is the proprietary programming language that a particular DBMS uses to retrieve, process, and store
data to / from the database.
Entire user programs may be written in the DML, or selected DML commands can be inserted into universal
programs, such as COBOL and FORTRAN.
The use of standard language programs provide flexibility and independence.
Query Language
Query is an ad hoc access methodology for extracting information from a database. Users can access data
via direct query which requires no formal application programs.
IBM’s Structured Query Language (SQL) has emerged as the standard query language.
Query feature enhances ability to deal with problems that pop-up but poses an important control issue. Must
ensure it is not used for unauthorized database access.
Functions of the Database Administrator (DBA)

Database planning: Implementation: Change and growth:
Develop organization’s database strategy Determine access policy Plan for change and
Define database environment Implement security controls growth
Define data requirements Specify test procedures Evaluate new
Develop data dictionary Establish programming standards technology

Design: Operation and Maintenance:
Logical database (schema) Evaluate database performance
External users’ views (subschemas) Reorganize database as user needs demand
Internal view of database Review standards and procedures
Database controls

Organizational Interaction of DBA

The Physical Database
Lowest level and only one in physical form.
Magnetic sports on metallic coated disks that create a logical collection of files and records.
Data structures are bricks and mortar of the database.
○ Allows records to be located, stored, and retrieved.
○ Two components: organization and access methods. The organization of a file refers to the way
records are physically arranged on the storage device - either sequential or random. Access methods
are programs used to locate records and to navigate through the database.
 13
Database Terminologies
Entity – Anything an organization wants to capture data about.
Record Type – Physical database representation of an entity
Occurrence – Related to the number of records of represented by a particular record type
Attributes – Defines entities with values that vary (i.e. each employee has a different name)
Database – Set of record types that an organization needs to support its business processes
Associations (see ppt) – Record types that constitute a database exist in relation to other record types. Three basic
record association:
One-to-one – For every occurrence of Record Type X there is one (or zero) of Record Type Y.
One-to-many – For every occurrence of Record Type X, there are zero, one or many occurrences of Record
Type Y.
Many-to-many – For every occurrence of Record Types X and Y, there are zero, one or many occurrences of
Record Types Y and X, respectively.
Hierarchical Model
Basis of earliest DBAs and still in use today.
Sets that describe relationship between two linked
files.
○ Each set contains a parent and a child.
○ Files at the same level with the same parent are
siblings.
○ Tree structure with the highest level in the tree
being the root segment and the lowest file in a
branch the leaf.
Also called a navigational database.
Usefulness of model is limited because no child record
can have more than one parent which leads to data redundancy.
Network Data Model

Relational Model
Difference between this and navigational models is the way data associations are represented to the user.
○ Relational model portrays data in two-dimensional tables with attributes across the top forming columns.
○ Intersecting columns to form rows are tuples which are normalized arrays of data similar to records in a
flat-file system.
Relations are formed by an attribute common to both tables in the relation
Data Integration in the Relational Model (see ppt)
 14
L4-3. Database in a Distributed Environment
Centralized Databases in a Distributed Environment
Data retained in a central location. Remote IT units send requests to central site which processes requests
and transmits data back to the requesting IT units.
○ Actual processing of performed at remote IT unit.
Objective of database approach it to maintain data currency with can be challenging.
○ During processing, account balances pass through a state of temporary inconsistency where values are
incorrect.
○ Database lockout procedures prevent multiple simultaneous access to data preventing potential
corruption.
Distributed Databases: Partitioned Databases
Splits central database into segments distributed to their primary users.
Advantages
○ Users’ control increased by having data stored at local sites.
○ Improved transaction processing response time.
○ Volume of transmitted data between IT units is reduced.
○ Reduces potential data loss from a disaster.
Works best for organizations that require minimal data sharing among units.
Distributed Databases: Replicated Databases
Effective for situations with a high degree of data sharing, but no primary user.
Common data replicated at each site, reducing data traffic between sites.
Primary justification to support read-only queries.
Problem is maintaining current versions of database at each site.
○ Since each IT unit processes its own transactions, common data replicated at each site affected by
different transactions and reflect different values.
Concurrency Control
Database concurrency is the presence of complete and accurate data at all user sites.
Designers need to employ methods to ensure transactions processed at each site are accurately reflected in
the databases of all the other sites.
Commonly used method is to serialize transactions by:
○ Special software groups transactions into classes to identify potential conflicts.
○ Second part of control is to time-stamp each transaction.

L4-4. Controlling and Auditing DBMS
Access Controls
User views (subschema) is a subset of the database that defines user’s data domain and access.
Database authorization table contains rules that limit user actions.
User-defined procedures allow users to create a personal security program or routine.
Data encryption procedures protect sensitive data.
Biometric devices such as fingerprints or retina prints control access to the database.
Inference controls should prevent users from inferring, through query options, specific data values they are
unauthorized to access.
Audit Procedures for Testing Database Access Controls
Verify DBA personnel retain responsibility for authority tables and designing user views.
 15
Select a sample of users and verify access privileges are consistent with job description.
Evaluate cost and benefits of biometric controls.
Verify database query controls to prevent unauthorized access via inference.
Verify sensitive data are properly encrypted
Backup Controls
Since data sharing is a fundamental objective of the database approach, environment is vulnerable to damage
from individual users.
Four needed backup and recovery features:
○ Backup feature makes a periodic backup of entire database which is stored in a secure, remote
location.
○ Transaction log provides an audit trail of all processed transactions.
○ Checkpoint facility suspends all processing while system reconciles transaction log and database
change log against the database.
○ Recovery module uses logs and backup files to restart the system after a failure
Audit Procedures for Testing Database Backup Controls
Verify backups are performed routinely and frequently.
○ Backup policy should balance inconvenience of frequent activity against business disruption caused
by system failure.
Verify that automatic backup procedures are in place and functioning and that copies of the database are
stored off-site.
 16
Auditing Systems Development and Program Change Activities
L5-1. Auditing Systems Development and Program Change Activities
Participants in Systems Development
Systems professionals
Analysts, engineers, database designers, and programmers
End users
Managers, operations personnel from various functional areas, including accountants
Stakeholders
Individuals with an interest in the system who are not formal end users
Includes steering committee and both internal and external auditors.

Information Systems Acquisition
Well designed system can increase productivity, reduce inventories, eliminate non-value added activities, enhance
customer service, improve management decisions, and coordinate organizational activities
Two methods of acquiring information systems:
In-house development
Purchase commercial systems from software vendo

Trends in Commercial Software
Four factors have contributed to the growth of the commercial software market:
Relatively low cost for general purpose software.
Industry-specific vendors.
Growing demand from businesses too small to afford in-house development.
Downsizing units and the move to distributed data processing have increased appeal to larger organizations
Turnkey systems are finished, tested, and ready for implementation.

Types of Turnkey Systems
General accounting systems designed to serve a wide variety of user needs.
Special-purpose systems target specific segments.
Office automation systems improve productivity
Backbone systems provide a structure to build on, with primary processing modes programmed.
Vendor-supported systems are custom systems developed and maintained for the client.

Commercial Systems
Advantages:
Can be implemented almost immediately once need is recognized.
Cost is a fraction of cost of in-house development.
Reliability since software is pretested and less likely to have errors than in-house systems
Disadvantages:
Firm is dependent on vendor for maintenance.
When user needs are unique and complex, software may be too general or inflexible.
May be difficult or impossible to modify if user needs change.
Company may satisfy some needs with commercial software and develop other systems in-house.
 17
The Systems Development Life Cycle

Phase 1 - Systems Planning
Objective: To link individual systems
projects to the strategic objectives of the
firm
Most firms establish a steering
committee to provide guidance and
review project status.
○ May include the CEO, CFO, CIO,
senior management, internal
auditors, and external parties (consultants).
○ Responsibilities include resolving system conflicts, reviewing projects and assigning priorities, budgeting
system development, and determining whether or not to continue the project at various stages of
development.
Two levels: strategic systems planning and project planning.

Strategic Systems Planning
Involves allocation of resources at the macro level.
Time frame of 3 – 5 years with process similar to budgeting resources for other strategic activities.
Technically not part of SDLC which pertains to specific applications
Concerned with allocation of systems resources.
Four justifications:
○ A changing plan is better than no plan.
○ Reduces crises in systems development.
○ Provides authorization control for SDLC.
○ Systems planning tends to be a cost-effective means of managing systems projects and application
development.

Project Planning
Purpose is to allocate resources to individual applications within the framework of the strategic plan
○ Identifying user needs, preparing proposals, evaluating proposals’ feasibility, prioritizing and scheduling.
Two formal documents:
○ Project proposal provides management with a basis for deciding whether to proceed by summarizing
findings and outlining link between system and business objectives of the firm.
○ Project schedule represents management’s commitment to the project

Phase 2 - Systems Analysis
Process to survey current system and analyze user needs.
Survey step has advantages and disadvantages:
○ Can result in current tar pit syndrome where analyst is “sucked-in” and “bogged down” by the surveying task.
○ Surveying system may stifle new ideas (thinking inside the box).
○ Identifies aspects of the old system that should be kept.
○ Forces analysts to fully understand the old system which will be required to convert to the new one.
 18
○ Analyst may determine root cause of problems, which may not be the system at all.
System facts fall into the following classes:
○ Data sources
○ Users
○ Data stores
○ Processes
○ Data flows
○ Controls
○ Transaction volumes
○ Error rates
○ Resource costs
○ Bottlenecks
○ Redundant operations
Fact-gathering techniques:
○ Observation, task participation, personal interviews, key document review
Analyst is analyzing while gathering facts.
Systems analysis report:
○ Presented to management or the steering committee.
○ Provides survey findings, problems identified with old system, user needs and new system requirements.
○ Constitutes a formal contract that specifies the objectives and goals of the system.

Phase 3 - Conceptual System Design
Objective: To produce alternative systems that satisfy identified system requirements.
Structured design approach:
○ Designs system from the top-down by starting with the “big picture” and gradually decomposing the system
into more detail until fully understood.
○ Designs should identify all inputs, outputs, processes and special features necessary to distinguish one
alternative from another.
Object-oriented design approach (OOD):
○ Builds information systems from reusable objects.
○ Concept of reusability is central as standard modules can be used in other systems with similar needs.
○ Library of reusable modules results in less time, cost, maintenance, and testing and improved user support
and system flexibility.

Phase 4 - System Evaluation and Selection
Identify optimal solution from alternatives
First step is a detailed feasibility study:
○ Technical: Existing or new technology?
○ Economic: Are funds available?
○ Legal: Any conflicts with new system and legal responsibilities?
○ Operational: Procedures and personnel compatible with new system?
○ Schedule: Is firm able to implement project in acceptable amount of time?
Second step is a cost-benefit analysis:
 19
○ Identify both one-time and recurring costs and tangible and intangible benefits which cannot be easily
quantified.
○ Compare costs and benefits.
One-Time Costs
○ Hardware acquisition
○ Site preparation
○ Software acquisition
○ Systems design
○ Programming and testing
○ Data conversion from old system to new system
○ Personnel training
Recurring Costs
○ Hardware maintenance
○ Software maintenance contracts
○ Insurance
○ Supplies
○ Personnel

Tangible benefits Intangible benefits

Increased revenues Increased customer satisfaction
- Increased sales within existing models Improved employee satisfaction
- Expansion into other markets More current information
Improved decision making
Cost reduction Faster response to competitor actions
- Labor reduction More efficient operations
- Operating cost reduction (such as supplies and Better internal and external communications
overhead) Improved planning
- Reduced inventories Operational flexibility
- Less expensive equipment Improved control environment
- Reduced equipment maintenance

Phase 5 - Detailed Design
Objective: To produce description of proposed system that satisfies requirements identified during systems analysis
and is in accordance with conceptual design.
All system components specified
Components presented formally in a detailed design report that constitutes a set of “blueprints.
○ Plans proceed to the systems implementation phase
Development team performs a design walkthrough to ensure it is free from conceptual error
○ May be done by an independent quality assurance group
Detailed design report documents and describes system to this point including:
○ Designs for input screens and source documents
○ Designs for screen outputs, reports, and operational documents
○ Normalized data for database tables, specifying all data elements
○ Database structures and diagrams
Data flow diagrams (DFD’s)
Database models (ER, Relational)
○ Updated data dictionary
○ Processing logic (flow charts)
 20
Phase 6 - Application Programming and Testing
Program the application software
○ Procedural languages require the programmer to specify the precise order in which program logic is executed
○ Event-driven language programs designed to respond to external action or event initiated by the user
○ Object-oriented languages are required to achieve the benefits of the object-oriented approach.
Programming system should follow a modular approach to achieve: programming efficiency, maintenance
efficiency and control
Test the application software.
Testing methodology process has structured steps to follow.
Testing offline before deploying online is critical to avoid potential disaster.
Test data creation is time consuming but can provide future benefits.

Phase 7 - System Implementation
Database structures are created and populated with data, equipment is purchased and installed, employees are
trained, the system is documented, and the new system is installed
○ Engages efforts of designers, programmers, database administrators, users and accountants
Test the entire system.
Document the system
○ Designer and programmer documentation
○ Operator documentation
○ User documentation often takes the form of a user handbook
○ Online tutorials and help features
Database conversion is a critical step
○ Validation, reconciliation, backup
Converting the new system:
○ Under the cold turkey cutover (Big Bang), the firm switches to the new system and simultaneously terminates
the old.
○ Phased cutover begins operating new system in modules. Reduces the risk of a devastating failure but can
create incompatibilities during the process.
○ Parallel operation cutover involves running both systems simultaneously for a period of time. Most time
consuming and costly, but least risky approach.
Post-implementation review is an important step that takes place months later
Conducted by independent team to measure system success by gathering evidence regarding adequacy and risks
Systems design adequacy:
○ Physical features reviewed to see if they meet user needs
Accuracy of time, cost, and benefit estimates
○ Review of actual vs budgeted amounts provides critical input for future budgeting decision

Phase 8 - Systems Maintenance
Formal process by which application programs undergo changes to accommodate changes in user needs
Can be extensive and the maintenance periods can be 5 years or longer in some organizations
○ When maintaining an old system is no longer feasible, it is scrapped and a new SDLC begins
Represents a significant resource outlay
○ As much as 80% - 90% of total cost may be incurred in the maintenance phase
 21
Controlling and Auditing the SLDC
Controlling New Systems Development
Systems authorization, user specification and technical design activities.
Internal audit participation:
○ System planning and analysis.
○ Conceptual system design impacts auditability.
○ Economic feasibility needs to be measured accurately.
○ Systems implementation.
Provide technical expertise with regard to accounting rules.
Specify documentation standards.
Verify control adequacy and compliance with regulations.
Before implementation, individual modules must be tested as a whole.
○ Formal testing and user acceptance considered by many auditors to be the most important control over the
SDLC
Audit objectives are to verify:
○ SDLC activities are applied consistently and in accordance with management’s policies
○ Original system free from material errors and fraud
○ System was judged necessary and justified
○ Documentation is adequate and complete

Audit Procedures for New Systems Development
Audit procedures should determine:
○ Proper end user and IT management authorization.
○ Preliminary feasibility study showed project had merit.
○ Detailed analysis of user needs was conducted.
○ Accurate cost-benefit analysis was conducted.
○ System testing occurred before implementation.
○ Checklist of specific problems determined during conversion were corrected during maintenance.
○ System documentation complies with standards

Controlling Systems Maintenance
Upon implementation, system enters maintenance phase of the SDLC.
Access to systems for maintenance increases the possibility of system errors.
○ To minimize exposure all maintenance should require: formal authorization, technical specifications of change,
retesting the system and updating the documentation.
Source program library controls:
○ Program source code stored on magnetic disks called the source program library (SPL), which must be
properly controlled to preserve application integrity
To control the SPL:
○ Password control and separate test libraries.
○ Audit trail and management reports that detail program modifications and program version numbers.
○ Controlled access to maintenance [SPL] commands.
 22
Audit Objectives for Systems Maintenance
Detect unauthorized program maintenance.
Determine maintenance procedures protect applications from unauthorized changes.
Verify applications are free from material errors.
Verify SPL are protected from unauthorized access.
Identify unauthorized changes:
○ Reconcile program version numbers.
○ Confirm maintenance authorization.
Identify application errors:
○ Reconcile source code.
○ Review test results.
○ Retest the program.
Test access to libraries:
○ Review programmer authority tables.
○ Test authority table.
 23
Financial Reporting Cycle
L6-1. Transaction Cycles
Relationship Between Transaction Cycles

L6-2. Accounting Records in a Manual vs. Computerized Accounting System

Accounting Records in a Manual Accounting
System: Documents

Accounting Records in a Manual Accounting System: Journals
 24
Accounting Records in a Manual Accounting System:
Ledgers

Accounting Records in a Computerized
Accounting System

L6-3. Documentation Techniques
Data Flow Diagram

Entity Relationship Diagram
 25
Systems Flowchart

(see ppt)

Program Flowchart

(see ppt)

Record Layout Diagram

L6-4. Transaction Processing Models
Batch vs. Real Time Processing

Distinguishing Feature Batch Real-time

Information time frame Lag exists between time when the Processing takes place when the
economic event occurs and when it economic event occurs
is recorded

Resources Generally, fewer resources (e.g., More resources are required than for
hardware, programming, training, batch processing
etc.) are required

Operational Efficiency Certain records are processed after All records pertaining to the event
the event to avoid operational delays are processed immediately
(see ppt)

L6-5. Data Coding Schemes

A system without codes: Dr Cr A system with codes:
Inventory–nut, ½ inch, case-hardened steel, standard thread 896 1000
AP – Industrial Parts Manufacturer, Cleveland, Ohio 1000 1000 321 1000
 26
Different Coding Schemes

Coding Techniques Advantages Disadvantages

Sequential Codes (Inv No. 1001, Efficient tracking Lack descriptive info
1002, 1003... Simplified ordering Inflexible structure

Block Codes (Expense accounts -- Organized structure Requires reference for meaning
600 Revenue accounts -- 400 Easy insertion of new codes Limited descriptive info

Group Codes (Store No. 04, Dept Detailed data representation Can become complex
No. 09, Item No. 476214, Hierarchical structure May increase cost
Salesperson No. 99

Alphabetic Codes (Expense Larger combination possibilities Sorting challenges
accounts -- XAA Revenue accounts Can be intuitive May lack meaning
-- EAA

Mnemonic Codes (BA 122.2 - BA Easy to understand Limited capacity for item
Course Eng 13 - English Course Self-descriptive representation
 27
Computer Assisted Auditing Tools
L7-1. Computer Assisted Auditing Tools and Techniques (CAATTs)
IT Application Controls
Input Controls
Ensure that transaction data is free from errors before they are processed.
Processing Controls
Ensure that an application’s logic is functioning properly.
Output Controls
Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.

Input Controls

Field Interrogation Record Interrogation File Interrogation

Check Digit Reasonableness Check Internal and external label
Missing Data Check Sign Check checks
Numeric-Alphabetic Check Sequence Check Version checks
Limit Check
Range Check
Validity Check

Input Error Correction
Correct Immediately
Create an error file
Reject the entire batch

Processing Controls

Category What it is Components / Examples

Run-to-Run Designed to monitor the batch as it moves from Batch control data
Controls one run to another ○ unique batch number
Ensure that: ○ batch date
○ all records in the batch are processed ○ transaction code
○ no records are processed more than once ○ Record count
○ a transaction audit trail is created from the ○ Control total
input, throughout the processing, and to the ○ Hash total
output stage

Operator Reduce the probability that errors can occur Clear business rules
Intervention when there is operator intervention (e.g., entering Automation
Controls control totals for a batch of records, providing
parameter values for logical operations, etc.)

Audit Trail Controls Ensure that every transaction must be traceable Transaction logs
through each stage of the processing from its Log of automatic transactions
economic source to its presentation in the Listing of automatic transactions
financial state Unique transaction idenfiers
Error listing
 28
Output Controls

Control Activity What it is

Output spooling Directing output to a magnetic disk file rather than directly to the printer to
avoid other application to access the processing stream.

Print programs Designed to deal with:
1. production of unauthorized copies of the output; and,
2. employee browsing sensitive data.

Supervision during bursting Bursting is when the printed pages are separated and collated. There should
be appropriate supervision to avoid the production of unauthorized copies
and reading of sensitive information.

Waste Control Proper disposal of printed outputs

Data Control Verification of the accuracy of computer output before it is distributed to the
user.

Report Distribution Controls Minimize the risks of reports being lost, stolen, or misdirected

End User Control Final examination of the user of any errors not previously observed

Real-time Systems Output Control Directs output to the user’s computer screen, terminal, or printer

Testing Computer Application Controls

Approach What it is Components

Approach "Around the Computer” “Through the computer”

Testing Techniques Analysis through: Access Test
Inquiry/Interview Validity Test
Review of flowcharts Accuracy Test
Comparison of actual input and actual Completeness Test
output Redundancy Test
Audit Trail Test
Rounding Error Test

Use Relatively simple systems Complex systems

CAATT Approaches
Test Data Method
Base Case System Evaluation
Tracing
Integrated Test Facility
Parallel Simulation

Test Data Method
Used to test integrity of an application by processing specially prepared sets of input data that will be run using
copies of the applications under review

Base Case System Evaluation Test that is conducted using a set of test data that is comprehensive (i.e.,
contains all possible transaction types)

Tracing An electronic walkthrough of the application’s internal logic
 29

Advantages 1. Employs through-the-computer testing.
2. Data runs can be empoyed with only minimal disruption to the
organization’s operations.
3. Require minimal computer expertise on the part of the auditors.

Disadvantages 1. Reliance on computer services personnel to obtain a compy of the
application for test purposes.
2. Provides only static picture of application integrity at a single point in
time.
3. Relatively high cost of implementation, which can result in audit
inefficiency

Integrated Test Facility
Automated technique that enables auditors to test an application’s logic and controls during its normal operations.

Advantages 1. Supports ongoing monitoring of controls.
2. Can be tested economically without disrupting the user’s operations
and without intervention of computer services personnel.

Disadvantages Potential for corrupting the data files of the organization during the testing.

Parallel Simulation
The auditor writes a program that simulates key features or processes of the application under review.