CIS-AUDITING-TRANSES.pdf

Full Transcript

CHAPTER 1: AUDITING & ❖ Internal auditors are often certified as a
Certified Internal Auditor (CIA) or Certified
INTERNAL CONTROL Information Systems Auditor (CISA).
❖ Internal auditors represent the interests of
Different Types of Audit the organization
External Audit - Independent attestation performed
by an expert who expresses an opinion regarding
the presentation of financial statements.
❖ Also known as an attest service performed
by Certified Public Accountants (CPAs) who
work for professional services firms that are
independent of the client organization being
audited.
❖ Associated with assuring the fair
presentation of financial statements, hence,
often referred to as financial audit.
❖ External auditors represent the interests of
outsiders: stockholders, creditors,
government agencies, and the general
public.
❖ External auditors must follow strict rules Fraud Audit - Investigation of anomalies and
(e.g., standards, legislations, etc.) in gathering of evidence of fraud that may lead to a
conducting financial audits. criminal conviction.
❖ The objective is to investigate anomalies and
gather evidence of fraud that may lead to a
criminal conviction.
❖ Organizations victimized by fraud usually
contract with specialized fraud units of
professional services firms or with
companies that specialize in forensic
accounting.
❖ Typically, fraud auditors have earned the
Certified Fraud Examiner (CFE) certification
THE ROLE OF THE AUDIT COMMITTEE
Audit Committee - An audit committee is a
subcommittee of a company’s board of directors that
oversees financial reporting, risk management, and
compliance processes. All U.S. publicly-traded
Internal Audit - An independent appraisal function is companies must maintain a qualified audit
established within an organization to examine and committee in order to be listed on a stock exchange.
evaluate its activities as a service to the In the Philippines, the Securities and Exchange
organization. Commission (SEC) also requires publicly-listed
❖ Performs a wide range of activities on behalf organizations to establish an audit committee as
of the organization. mandated by the Code of Corporate Governance for
❖ Typically conducted by auditors who work for Publicly-Listed Companies.
the organization, but this task may be Serves as the independent “check-and-balance” for
outsourced. the internal audit function and liaison with external
auditors.
 systematic approach is particularly important in the
IT environment.
The lack of physical procedures that can be visually
verified and evaluated injects a high degree of
complexity into the IT audit. Therefore, a logical
framework for conducting an audit in the IT
environment is critical to help the auditor identify all-
important processes and data files.
3. Management Assertions & Audit
Objectives

FINANCIAL AUDIT COMPONENTS
1. Auditing Standards

4. Obtaining Evidence
Obtaining audit evidence is a crucial step in the audit
process, as it involves gathering sufficient and
appropriate information to support the auditor's
conclusions and opinions.
Evidence is collected by performing:
Test of Controls establish whether internal controls
are functioning properly
Substantive Tests determine whether accounting
databases fairly reflect the organization’s
transactions and account balances.
5. Ascertaining Materiality
Materiality, in the context of auditing, refers to the
significance or importance of an error, misstatement,
or omission in the financial statements that could
influence the decisions of users relying on those
2. Systematic Process statements.

Conducting an audit is a systematic and logical Ascertaining materiality in audits ensures that
process that applies to all forms of information auditors focus on issues that have a significant
systems. While important in all audit settings, a impact on financial statement users' decisions,
allowing for effective and efficient audit procedure.
 6. Communicating Results AR = IR x CR x DR
An independent auditor renders a report to the audit 4% = 38% x 60% x DR
committee of the board of directors.
DR = 0.04 / 0.228
The audit report contains, among other things, an
DR = 17.54%
audit opinion. This opinion is distributed along with
the financial report to interested parties both internal
and external to the organization.
IT auditors often communicate their findings to
internal and external auditors, who can then
integrate these findings with the non-IT aspects of
the audit.
AUDIT RISK
is the risk that auditors may issue an incorrect or
inappropriate audit opinion on the financial
statements, failing to detect material misstatements
or issues.
Inherent Risk - the risk of material misstatement
existing in a financial statement component before
considering the effectiveness of internal controls
THE IT AUDIT
Control Risk - the risk that the organization's
internal controls will not prevent or detect material Phases of an IT Audit
misstatements.
Detection Risk - the risk that auditors’ audit
procedures will fail to identify material misstatements
that exist in the financial statements.

Assume that the acceptable audit risk is assessed at
a value of 4%, inherent risk is assessed at 38%, and
control risk is assessed at 75%. What would be the
level of planned detection risk needed to achieve the
acceptable audit risk? Internal Control

AR = IR x CR x DR Internal Control Objectives:

4% = 38% x 75% x DR ❖ To safeguard the assets of the firm.
❖ To ensure the accuracy and reliability of
DR = 0.04 / 0.285 accounting records and information.
❖ To promote efficiency in the firm’s operations.
DR = 14.04%
❖ To measure compliance with
Assume that the acceptable audit risk is assessed management’sprescribed policies and
at a value of 4%, inherent risk is assessed at 38%, procedures.
and control risk is assessed at 60%. What would
be the level of planned detection risk needed to
achieve the acceptable audit risk? Modifying Principles
Management Responsibility - The establishment and Proactively deter errors, fraud, or risks from
maintenance of a system of internal control is a occurring in the first place. They are intended to stop
management responsibility. problems before they happen by implementing
measures that discourage unwanted events.
LIMITATIONS - every system of internal control has
limitations on its effectiveness. Detective Control
❖ Possibility of error Identify and detect errors, fraud, or irregularities after
❖ Circumvention they have occurred. They are aimed at uncovering
❖ Management override issues as they arise to minimize their impact and
❖ Changing conditions enable timely corrective actions.
Methods of Data Processing - Internal control Corrective Control
systems should achieve the four broad objectives
regardless of the data processing method used. Address and rectify errors, fraud, or issues that have
been identified. They focus on fixing problems that
Reasonable Assurance - The cost of achieving have already occurred to prevent their recurrence
improved control should not outweigh its benefits. and minimize their impact on the organization.
Control Weakness and Risk COSO INTERNAL CONTROL FRAMEWORK

The COSO (Committee of Sponsoring
THE PDC MODEL Organizations of the Treadway Commission)
Internal Control Framework is a widely recognized
and comprehensive model designed to help
organizations establish, assess, and enhance their
internal control systems.
It provides a structured approach to manage risks,
ensure reliable financial reporting, and achieve
operational effectiveness.

CONTROL ENVIRONMENT
This component sets the tone for the organization by
emphasizing ethics, integrity, and accountability.
It includes factors such as management's
commitment to controls, organizational structure,
and the overall culture.
Preventive Control
SAS 109 requires that auditors obtain sufficient IT CONTROL
knowledge to assess the attitude and awareness of
the organization’s management, board of directors,
and owners regarding internal control.

RISK ASSESSMENT
Organizations need to identify, assess, and prioritize
risks that could affect their objectives.
This involves understanding potential internal and
external risks and their potential impact on
operations.
SAS 109 requires that auditors obtain sufficient
knowledge of the organization’s risk assessment
❖ IT GENERAL CONTROLS
procedures to understand how management
identifies, prioritizes, and manages the risks related
❖ ACCESS TO PROGRAMS & DATA
to financial reporting.
Focuses on controlling access to IT systems,
CONTROL ACTIVITIES applications, and data to ensure that only authorized
users can access sensitive information and perform
These are the specific policies, procedures, and
specific functions.
practices implemented to mitigate risks and achieve
control objectives. User ID Management
They encompass both preventive, detective, and Ito ay tungkol sa pag-create, pag-manage, at pag-
corrective controls, as well as manual and maintain ng user IDs sa isang system, making sure
automated processes. na unique ang ID ng bawat user. Importante ito para
ma-track ang activities ng mga users at masiguro na
Categories of Control Activities:
authorized lang ang may access sa specific
resources.
PHYSICAL CONTROL User Access Granting & Modification
Ang process na ito involves ang pagbibigay ng
access rights sa users base sa kanilang roles at
responsibilities sa organization. Pwedeng i-modify
ang access kapag nagbago ang role ng user para
siguradong tama at naaayon ang level ng access
nila.
User Access Termination
Kapag ang isang user ay nag-resign o nagbago ng
role, kailangan agad na i-revoke ang kanilang
access sa systems at data para maiwasan ang
unauthorized access. Critical ito para mapanatili ang
security ng system at maprotektahan ang sensitive
information.
Password Management
Ang Password Management ay involves ang
paggawa ng policies para sa pag-create, pag-store,
at regular na pag-update ng passwords para
maiwasan ang unauthorized access. Kailangan din
turuan ang mga users ng best practices para ❖ PROGRAM CHANGES
makagawa ng strong passwords at maiwasan ang
Focuses on controls to manage and track changes
password-related security breaches.
effectively, including change management
Privileged ID Management procedures, documentation, testing, and approval
processes to ensure that changes are authorized,
Ang Privileged ID Management ay tungkol sa pag-
and properly implemented, and do not introduce
manage at pagkontrol ng accounts na may higher security vulnerabilities or errors.
level of access, tulad ng admin accounts. Kailangan
ng strict control at monitoring para maiwasan ang Change Management Process
misuse ng powerful accounts na ito at para
Ito ay ang proseso ng pag-manage ng changes sa
masigurong access ay ibinibigay lang sa mga taong
nangangailangan nito. IT systems, ensuring na ang bawat pagbabago ay
na-document, na-review, at na-approve para
Periodic Access Review maiwasan ang disruptions at errors.
Ang Periodic Access Review ay regular na pagsusuri Segregation of IT Environments
ng user access rights para masiguro na aligned ito
Tumutukoy ito sa paghihiwalay ng iba't ibang IT
sa current roles at responsibilities ng mga users.
environments (e.g., development, testing,
Nakakatulong ito para matukoy at ma-correct ang
production) para maiwasan ang unintended
anumang outdated o unnecessary access, reducing
changes o conflicts at masiguro ang integrity ng
the risk ng unauthorized data access.
production environment.
❖ COMPUTER OPERATIONS
❖ PROGRAM DEVELOPMENT
Encompass the management and oversight of IT
Includes controls related to software development
infrastructure, including hardware, software,
networks, and data centers. lifecycle (SDLC) processes, such as requirements
gathering, design, coding, testing, and deployment.
Problem & Incident Management It also covers controls to ensure the integrity,
reliability, and security of software applications.
Ito ay ang process ng pag-handle at pag-resolve ng
mga issues o incidents na nakakaapekto sa IT Planning
systems para ma-minimize ang disruption sa
operations. Ito ang unang step kung saan dine-develop ang
overall strategy at objectives para sa bagong IT
Batch Job Management system, kasama na ang timeline at resource
allocation.
Involves ito sa scheduling, executing, at monitoring
ng batch jobs (automated processes) para ma- System Analysis & Requirement
ensure na natatapos ang mga critical tasks ng
system on time. Sa phase na ito, kinokolekta at ine-evaluate ang
mga business needs para ma-identify kung anong
Data Backup & Recovery functionalities ang kailangan ng system.
Ito ay ang proseso ng pag-backup ng data at pag- System Design
restore nito kapag nagkaroon ng data loss o system
Dito ine-define at idino-drawing ang structure ng
failure, para masigurong hindi mawawala ang
importanteng impormasyon. system, kabilang ang technical architecture,
interfaces, at data flows, base sa mga na-gather na
Data Center Management requirements.
Tumutukoy ito sa pamamahala at maintenance ng Development
physical at virtual infrastructures ng data center para
Sa development phase, ang actual coding at
masigurong laging available, secure, at efficient ang
creation ng system ay ginagawa base sa system
IT services.
design na naaprubahan.
 Testing Duplicate Check: Tinitiyak nito na walang na-
duplicate na data entries, tulad ng checking if an
Ang testing ay involves sa pag-verify at pag-validate
invoice number has already been used.
ng system para masiguro na gumagana ito
according to the requirements, at walang major ❖ PROCESSING CONTROLS
bugs.
Implemented to monitor and regulate the execution
Implementation of business processes or workflows within a system.
These controls ensure that processes are performed
Ang huling phase, kung saan ina-deploy ang system
efficiently, accurately, and in compliance with
sa production environment at ginagamit na ito ng organizational policies and standards.
end users.
Batch Controls: Ito ay nagva-validate ng
❖ IT APPLICATION CONTROLS
completeness at accuracy ng data sa batch
processing, gamit ang totals o counts (e.g., total
INPUT PROCESS OUTPUT number of transactions) to ensure na lahat ng items
sa batch ay na-process nang tama.
Run-to-Run Controls: Tinitiyak nito na ang data ay
❖ INPUT CONTROLS tama sa bawat step ng processing, by comparing
outputs from one run (process) to the inputs of the
Designed to ensure the accuracy, completeness,
next, ensuring na walang nawala o nagbago nang
and validity of data entered into a system. These
hindi inaasahan.
controls aim to prevent erroneous or unauthorized
data from being inputted, which could lead to ❖ OUTPUT CONTROLS
incorrect processing and output.
Implemented to verify the accuracy, completeness,
Examples: and integrity of the information produced by a
system. These controls ensure that output is
Check Digits: Ito ay isang number o digit na
delivered to the appropriate users or systems in a
dinadagdag sa data (like account numbers) para
timely and secure manner.
ma-verify ang accuracy ng input by performing a
mathematical check. Print Programs: Ito ay tumutukoy sa mga controls
na ginagamit para siguraduhing tama at secure ang
Missing Data Check: Tinitiyak nito na walang
mga printed outputs, tulad ng pag-set ng
kulang na information sa data input, tulad ng
permissions para sa printing sensitive documents.
mandatory fields na dapat may laman.
Waste Minimization: Nakatuon ito sa pag-reduce
Data Type Validation: Sine-check nito kung tama
ng unnecessary output or printing, tulad ng paggamit
ang uri ng data na ini-input (e.g., letters lang sa
ng electronic reports instead of paper para
name field, numbers lang sa phone number field).
mabawasan ang waste.
Limit Check: Sine-set nito ang maximum o
Report Distribution: Tinitiyak nito na ang mga
minimum value na pwedeng i-enter sa isang field,
reports ay naipapadala lang sa authorized
para maiwasan ang out-of-bounds entries.
recipients, either through secure channels or
Range Check: Sinisigurado nito na ang input values controlled access para maiwasan ang unauthorized
ay nasa loob ng tinukoy na valid range (e.g., age na access.
dapat nasa pagitan ng 18 to 65).
End-User Controls: Ito ay ang mga mechanisms na
Reasonableness Check: Ito ay nagva-validate ibinibigay sa end-users para ma-check at ma-
kung logical at sensible ang input data, tulad ng validate ang accuracy ng mga outputs na natanggap
checking if a salary amount is within a reasonable nila, ensuring na ang data ay tama bago gamitin.
range for the position.
Key Reports Configuration: Tumutukoy ito sa
Validity Check: chine-check nito kung ang input setup at verification ng critical reports, na dapat tama
data ay valid based sa predefined criteria o sa ang format, content, at layout, para siguraduhing
existing database (e.g., valid customer ID). accurate ang mga key decision-making outputs.
 INFORMATION AND CHAPTER 2: AUDITING IT
COMMUNICATION GOVERNANCE CONTROLS
Effective communication ensures that relevant INFORMATION TECHNOLOGY GOVERNANCE
information flows throughout the organization.
What is Governance?
Accurate and timely data helps in making informed
decisions and executing control activities. Refers to the framework, processes, and
practices that guide the strategic planning,
SAS 109 requires that auditors obtain sufficient decision-making, and oversight of an organization's
knowledge of the organization’s information system. information technology (IT) activities.
MONITORING ACTIVITIES Involves aligning IT initiatives with the
organization's business objectives, managing IT
Regular monitoring of controls is crucial to identify
risks, ensuring regulatory compliance, and
changes in risks, ensure controls are operating
optimizing IT resources to deliver value and support
effectively, and address issues promptly.
business goals.
Monitoring includes ongoing assessments, separate
IT governance aims to establish structures and
evaluations, or a combination of both.
mechanisms that enhance accountability,
transparency, and the effective use of technology
within an organization.
AUDIT IMPLICATION OF SOX
Key objectives of IT governance are to:
SOX legislation dramatically expands the
role of external auditors by mandating that reduce risk, and; ensure that investments in IT
they attest to the quality of their client resources add value to the corporation.
organization’s internal control.
STRUCTURE OF THE IT CORPORATE
This constitutes the issuance of a separate FUNCTION
audit opinion on the internal controls in
addition to the opinion on the fairness of the
financial statements.
It is technically possible for auditors to find
internal controls over financial reporting to be
weak, but conclude through substantive tests
that the weaknesses did not cause the
financial statements to be materially
misrepresented.

Centralized Data Processing
 Organizational Chart of a centralized IT ADVANTAGES OF CENTRALIZED DATA
Services Function PROCESSING
Data Consistency: Ensures data consistency and
reduces the risk of data duplication or
inconsistencies.
Control and Standardization: Allows for greater
control over processes, security measures, and
standardized procedures.
Efficient Resource Allocation: Resources can be
allocated more efficiently since they are managed
from a central location.
DATABASE ADMINISTRATION Simplified Management: Managing and
maintaining a single centralized infrastructure is
Database a structured collection of organized often simpler than managing multiple distributed
and interconnected data that is stored systems.
electronically. It is designed to efficiently store,
manage, and retrieve information. RISKS & CONTROLS ASSOCIATED WITH
Database Administration involves the
CENTRALIZED DATA PROCESSING
management, maintenance, and
optimization of databases within an organization.
Database Administrator (DBA) professional
responsible for the overall management of the
organization’s databases.

DATA PROCESSING

SYSTEM DEVELOPMENT AND
MAINTENANCE
System Development - refers to the process of
creating, designing, and building a new information
system or software application.
System Maintenance - involves the ongoing
activities of managing, updating, and supporting an
existing information system or software application
after it has been developed and implemented
 the maintenance phase of the systems
development life cycle.
Although a common arrangement, this
approach is associated with inadequate
documentation and the potential for program
fraud.

SEGREGATION OF INCOMPATIBLE IT
FUNCTIONS

Systems development and maintenance
professionals should creates systems for
users, and should have no involvement in
entering data, or running applications. ORGANIZATIONAL CHART OF A DISTRIBUTED
PROCESSING FUNCTION
Operations staff should run these systems
and have no involvement in their design.
An individual could make unauthorized
changes to the application during its
execution.

DBA function is responsible for a number of
critical tasks pertaining to database security.
ADVANTAGES OF DISTRIBUTED DATA
Delegating these responsibilities to other PROCESSING
who perform incompatible tasks threatens
database integrity. Cost Reductions: Allows organizations to use cost-
effective hardware resources instead of investing in
high-end centralized systems.
Improved User Satisfaction: Provides faster
Programmers, who codes the original response times and better performance, leading to
programs, also maintains the systems during improved user experience and satisfaction.
Backup Flexibility: Facilitates flexible backup and
recovery options. Data can be backed up locally at
each node, reducing the reliance on a single backup
location and enhancing data protection.

RISKS & CONTROLS ASSOCIATED WITH
DISTRIBUTED DATA PROCESSING

STRUCTURE OF THE CORPORATE IT
FUNCTIONS
AUDIT OBJECTIVE

To verify that the structure of the IT function
is such that individuals in incompatible areas
are segregated in accordance with the level
of potential risk and in a manger that
promotes a working environment.
AUDIT PROCEDURE:
Centralized Data Processing

Review relevant documentation to determine
if individuals or groups are performing
incompatible functions.
Review systems documentation and
maintenance records.
Verify that maintenance programmers
assigned to specific projects are not also the
original design programmers.
 Verify that computer operators do not have
access to the operational details of a
system’s internal logic.

Through observation, determine that
segregation policy is being followed in
practice.

Review operations room access logs to
determine whether programmers enter the
facility for reasons other than system failures
Distributed Data Processing

Review the current organizational chart to
determine if individuals or groups are
performing incompatible duties.

Verify that corporate policies and standards
are published and provided to distributed IT
units.

Verify that compensating controls are
employed when segregation of incompatible
duties is economically infeasible.

Review system documentation to verify
applications, procedures and databases are
designed and functioning in accordance with
corporate standards.

THE COMPUTER CENTER
Also known as a data center.
Refers to a facility equipped with specialized
infrastructure, hardware, and resources
dedicated to housing and managing computing and
networking equipment.
It serves as a centralized location for hosting,
storing, processing, and managing large volumes of
digital data, applications, and services.
AUDIT OBJECTIVE
To verify that physical security controls are
adequate to reasonably protect the
organization from physical exposures.
To verify that insurance coverage on
equipment is adequate to compensate the
organization for the destruction of, or
damage to , its computer center.
 DISASTER RECOVERY PLANNING
Categories of Disaster

What is a Disaster Recovery Plan (DRP)?
Structured and documented strategy that
outlines the procedures, actions, and
resources to be used in the event of a
disruptive incident.
The goal of a disaster recovery plan is to
minimize downtime, recover data and
systems, and restore normal operations as
swiftly as possible after a significant
disruption.
Common Features of DRP

In this step, organizations assess their various
applications to determine which ones are essential
for sustaining core business functions.
The identification process involves:
i. Business Impact Analysis (BIA): Evaluate
each application's effect on revenue,
customer service, compliance, and
efficiency.
ii. Stakeholder Input: Collaborate with
department representatives To gather
insights on vital applications.
iii. Dependency Mapping: Understand how
applications interact; prioritize those with
interdependencies.
 iv. Recovery Time Objectives (RTO) & PROVIDING SECOND-SITE BACKUP
Recovery Point Objective (RPO): Define
the acceptable downtime and data loss for
each application.
v. Business Process Mapping: Consider how
applications support critical business
processes
CREATING A DISASTER RECOVERY TEAM

Mutual AID Pack
An arrangement between organizations to provide
assistance to each other during disasters.
In the context of second-site backup, organizations
agree to share their backup facilities in case of a
disaster. This allows each organization to have
access to a secondary location for recovery
A disaster recovery team is a group of individuals
purposes.
responsible for executing the disaster recovery plan
and ensuring a coordinated response to disruptive Empty Shell
events.
Also known as a cold site, is a second-site backup
✓ Roles & Responsibilities: Assign roles like option where the facility is pre-selected and
team leader, technical expert, and prepared for disaster recovery but lacks the
communication coordinator. necessary IT infrastructure.
✓ Diverse Expertise: Form a team with cross-
functional skills in IT, operations, and Organizations provide their own hardware, software,
communication. and data backups to set up operations at the cold
✓ Leadership Support: Ensure senior site.
leadership endorses the team and RECOVERY OPERATIONS CENTER (ROC)
designates oversight.
✓ Clear Communication: Establish Also known as a hot site, is a fully equipped and
communication channels within the team and operational second-site backup facility.
externally.
It is equipped with hardware, software,
✓ Training: Train members, conduct drills, and
communication systems, and data replication
simulations for readiness.
mechanisms to ensure a swift transition in case of a
✓ Documentation: Maintain up-to-date
disaster.
member information for quick contact.
✓ Activation Protocol: Define triggers, INTERNALLY PROVIDED BACKUP
communication, and escalation procedures.
✓ Regular Review: Periodically assess and Some organizations choose to establish their own
adjust roles based on changes and lessons secondary backup facility internally. ▪ This could
learned. involve setting up a separate data center at a
different location, ensuring redundancy in hardware,
software, and data
 SPECIFYING BACKUP & OFF-SITE STORAGE
PROCEDURES

Operating System Backup: This involves regularly
backing up the operating system files and
configurations necessary to restore servers and
systems to their operational state in case of a
disaster.
Application Backup: Regularly backing up
application software, settings, and configurations to
restore the applications' operational state.
Backup Data Files: Regularly backing up critical
data files, databases, and user-generated content to
prevent data loss during disruptions.
Backup Documentation: Creating copies of
disaster recovery plans, procedures, contact lists,
and technical documentation for recovery personnel.
Backup Supplies and Source Documents: Storing
copies of essential supplies, forms, templates, and
documents required for business processes at an
offsite location.
Testing DRP (Disaster Recovery Plan): Regularly
testing the disaster recovery plan through
simulations and exercises to identify gaps and areas
for improvement.

AUDIT OBJECTIVE OF DISATER RECOVERY
PLANNING

To verify that management’s disaster recovery plan
is adequate and feasible for dealing with a
catastrophe that could deprive the organization of its
computing resources.
 OUTSOURCING THE IT
FUNCTION
Software as a Service (SaaS): Sa SaaS, wala nang
IT OUTSOURCING
hassle ng manual installations o hardware upgrades,
Refers to the practice of contracting specific IT dahil ang provider ang responsable sa infrastructure,
functions, tasks, or services to external third-party software updates, at security patches. Madalas itong
providers. gamitin ng businesses para sa email, collaboration
tools, at customer relationship management (CRM)
These providers, often specialized in IT services, systems, dahil accessible ito kahit saan basta may
take on responsibilities such as managing internet.
infrastructure, software development, technical
support, cybersecurity, and more. Platform as a Service (PaaS): Sa PaaS, binibigyan
ka ng mga tools at services para mapabilis ang
WHAT IS CLOUD? development process, tulad ng pre-configured
Refers to servers that are accessed over the servers, integrated development environments
Internet, and the software and databases that run on (IDEs), at scalable infrastructure. Ito ay ginagamit ng
those servers. mga businesses o developers na gustong i-
streamline ang development cycle, iwasan ang
Virtualization hassle ng manual setup, at mag-focus sa pag-
improve ng kanilang software.
Allows multiple virtual instances of operating
systems, applications, or resources to run on a Infrastructure as a Service (IaaS): Sa IaaS, ang
single physical server or hardware platform. users ay may kontrol sa operating system,
Cloud Computing applications, at storage, pero ang cloud provider ang
nag-aalaga ng physical hardware at networking
Refers to the delivery of different services through components. Ito ay madalas gamitin ng mga
the Internet. businesses na nangangailangan ng flexible at
scalable computing power, tulad ng mga startups o
These resources include tools and applications like
mga businesses na may biglaang paglago ng IT
data storage, servers, databases, networking, and
needs.
software.
 STATEMENT ON STANDARDS FOR
ATTESTATION ENGAGEMENTS
NO. 16 (SSAE 16)

SOC 1 Reports
RISK INHERENT TO IT OUTSOURCING SOC 1TYPE1
Failure to Perform: Risk that the outsourcing Shows how well the internal controls are
provider may not meet performance expectations, designed to prevent mistakes regarding
leading to service disruptions, delays, or inadequate financial transaction/statement data.
quality of work.
Testing is done at one point in time; does not
Vendor Exploitation: Risk that the outsourcing test the operating effectiveness of the control
vendor may take advantage of the organization's set.
dependency, leading to unfair terms, high fees, or
subpar service delivery. SOC 1TYPE 2

Outsourcing Costs Exceed Benefit: Risk that the Tests the operating effectiveness of the
cost savings expected from outsourcing may not internal controls (business process and IT 1
materialize, and the organization may end up general controls); designed to mitigate the
spending more than the anticipated benefits. risk of a financial inaccuracy of the user
entity.
Reduced Security: Risk that sensitive data and
information may be at a higher risk of exposure due Testing is conducted over a period of time,
to inadequate security measures on the vendor's and a sampling methodology is used for an
side or lack of control over security protocols. accurate portrayal of operating
effectiveness.
Loss of Strategic Advantage: Risk that
outsourcing critical functions may lead to a loss of in-
house expertise and control, impacting the
organization's ability to innovate and maintain a
competitive edge.
 CHAPTER 3 :
SECURITY PART I –
AUDITING OPERATING
SYSTEMS & NETWORKS
What is an Operating System?
An operating system (OS) is software that serves as
an intermediary between computer hardware and
the computer user.
It provides a user interface and controls the
computer hardware so that software applications
can function

MAIN TASKS PERFORMED BY AN OPERATING
SYSTEM

1. Translating High-Level Languages
Refers to the process by which a program written in
a high-level programming language (like Python,
Java, C++) is converted into a form that the
computer's hardware can directly execute.
This translation is necessary because computers
can only understand and execute instructions in their
native machine language, which consists of binary
code (0s and 1s).
2. Resource Allocation
Refers to the process by which a program written in
a high-level programming language (like Python,
Java, C++) is converted into a form that the
computer's hardware can directly execute.
This translation is necessary because computers
can only understand and execute instructions in their
native machine language, which consists of binary
code (0s and 1s).
3. Job Scheduling and Multiprogramming
Job scheduling involves determining the order in
which jobs or processes are executed by the CPU.
Multiprogramming allows multiple programs to
reside in memory simultaneously, with the CPU
switching between them to keep it constantly busy.
 AUDITING NETWORKS

What Is a Network?
A network is a collection of interconnected devices,
such as computers, servers, printers, and other
hardware, that are linked together to facilitate the
sharing of resources and information.
These devices are connected via various means,
such as wired (e.g., Ethernet cables) or wireless
(e.g., Wi-Fi) connections.
 AUDITING ELECTRONIC DATA
INTERCHANGE (EDI)
Electronic Data Interchange
Refers to a digital communication technology that
allows businesses to exchange structured business
documents, such as purchase orders, invoices, and
shipping notices, electronically
BENEFITS OF EDI
Data Keying: Eliminates the need for manual data
entry, reducing the risk of human error and speeding
up transaction processing.
Error Reduction: Automation and standardized
formats in EDI reduce the likelihood of mistakes
compared to manual paper-based processes.
Reduction of Paper: Since transactions are digital,
there's no need for physical paperwork, saving on
printing, storage, and handling cost
Simplified Management: Managing and
maintaining a single centralized infrastructure is
often simpler than managing multiple distributed
systems.
Postage: As documents are transmitted
electronically, there's no need for traditional mail,
reducing postage expenses.
Automated Procedures: EDI enables automated
processing of documents, reducing the time and
effort required for manual handling.
Inventory Reduction: Faster processing times lead
to reduced inventory holding costs, as businesses
can respond more promptly to orders and deliveries.

AUDITING PC-BASED ACCOUNTING
SYSTEMS
PC-based accounting systems are accounting
software applications designed to run on personal
computers (PCs).
These systems are used by businesses to manage
their financial transactions, recordkeeping, and
reporting processes.
 CHAPTER 4 :
SECURITY PART 2 –
AUDITING DATABASE
SYSTEMS
DATA MANAGEMENT APPROACHES
❖ DEFINITION

❖ DATA STORAGE

❖ DATA UPDATING

❖ CURRENCY OF INFORMATION
 ❖ TASK DATA DEPENDENCY METHODS OF DATABASE ACCESS

Formal Application Interfaces
Think of it like a specialized tool or software.
This is when users interact with the database
through specific software or applications that are
designed for a particular purpose. These
applications have a defined set of functions and
features.

KEY ELEMENTS OF DATABASE ENVIRONMENT For example, imagine a cashier using a Point-of-
Sale (POS) system to handle transactions. The
Data Management System system is tailored for this specific task and provides
clear options for the cashier to input data.
Database Management System (DBMS) is a
software that facilitates the creation, organization, Informal Method of Queries
management, and manipulation of databases. It
provides an interface for users and applications to Picture it as asking questions.
interact with databases while ensuring data integrity, This is a more flexible way of interacting with the
security, and efficient data retrieval. database. Users can ask questions or request
specific information directly.
For instance, think of a manager asking, "How many
products did we sell last month?" This question
can be translated into an SQL query to get
the answer.
Query Language is a specialized language used to
interact with databases. It allows users to
retrieve specific information from a database by
specifying criteria.

Data Definition Language Structured Query Language (SQL): SQL is the
most commonly used query language for
Data Definition Language (DDL) is used to define relational databases. It provides a standardized
and manage the structure of the database. way to communicate with a database and perform
It includes commands like CREATE (for creating tasks like retrieving, updating, and managing data.
objects like tables), ALTER (for modifying objects),
and DROP (for deleting objects).
 PHYSICAL DATABASE

Refers to the actual storage structure where data is
stored on a physical storage medium such as disks
or memory.
It involves how data is organized, accessed, and
stored on the underlying hardware.
This includes details like file organization, indexing
methods, data compression, and disk storage
management.

DATABASE IN A DISTRIBUTED ENVIRONMENT
 REPLICATED DATABASE
The entire database or specific portions of it
are duplicated across multiple nodes.
Now, let's say you have a really important
notebook, and you make copies of it. You
keep one copy at home, give another to your
friend, and keep a third copy at your
grandma's house. This way, if you lose one
copy, you can still get the information from
the other copies.

CONTROLLING AND AUDITING DATA
MANAGEMENT SYSTEMS

DISTRIBUTED DATABASES

PARTITIONED DATABASE
Data is divided or partitioned based on
specific criteria (e.g., range of values,
hashing algorithms, geographical location).
Imagine you have a very big library with lots
of books. Instead of trying to fit all the books
on one shelf, you decide to organize them
into different sections. Each section has a
specific type of book, like fiction, non-fiction,
and so on. This way, it's easier to find the
book you want because you know where to
look.