IT Auditing PDF
Document Details
Uploaded by EffusiveTulip8010
University of the Commonwealth Caribbean (UCC)
Summary
This presentation covers IT auditing topics such as internal control, IT systems, and risks. It discusses different approaches to auditing within a computer environment, such as auditing around the computer vs. auditing through the computer. The concepts of generalized audit software and the test data approach are also included.
Full Transcript
Information Technology (IT) & Internal Control

IT has improved internal control. How?
- Access to high quality business transactions.
- Access to larger volumes of information.

Question: Do the improvements experienced as a result of IT pose any risks?

IT Systems and Risks

1. Risks to hardware and data
2. Reduced audit trail
3. Need for IT experience and separation of IT duties

Risks of Information Technology

Question: How would hardware and data be at risk?

1 - Risks to hardware and data:
- Reliance on the functioning capabilities of hardware and software: Evaluation of the risk of system crashes.
- Systematic versus random errors: Errors in computer software can result in incorrect processing for all transactions processed.
- Unauthorized access: Potential for unauthorized on-line access from remote locations is increased.
- Loss of data: Increased risk of total data loss in the event the data file is altered or destroyed.

2 - Reduced audit trail:
- Visibility of audit trail: The use of IT often converts the traditional paper trail to an electronic audit trail.
- Reduced human involvement: The replacement of traditional manual processes with computer-performed processes reduces opportunities for employees to recognize misstatements resulting from transactions that might have appeared unusual to experienced employees.
- Lack of traditional authorization: IT-based systems can be programmed to initiate certain types of transactions automatically without obtaining traditional manual approvals.

3 - Need for IT experience and separation of IT duties:
- Reduced separation of duties: As organizations convert from manual to computer processes, computers do many duties that were traditionally segregated, such as authorization and record keeping.
- Separation of duties in the IT function/department:
  - IT management (oversight)
  - Systems development (application design)
  - Operations (day-to-day operations)
  - Data control (input/output control personnel)
- Need for IT experience: Even when companies purchase simple off-the-shelf accounting software packages, it is important to have personnel with knowledge and experience to install, maintain, and use the system.

IT Governance

COBIT (Control Objectives for Information and Related Technology): An IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
http://www.isaca.org/knowledge-center/cobit/pages/overview.aspx
http://www.qualified-audit-partners.be/

COBIT 5
- COBIT 5 is a business framework for the governance and management of enterprise IT.
- Developed by ISACA (Information Systems Audit and Control Association).
- Used globally by those who have the primary responsibility for business
https://cobitonline.isaca.org/about/

Auditing Standards: IT Controls

Types of controls:
1. General Controls
2. Application Controls

Used to address many of the risks associated with reliance on IT.

IT General Controls
- Policies and procedures that relate to many applications.
- Support the effective functioning of application controls.

IT General Controls include:
- Controls over data centre and network operations.
- System software acquisition, change and maintenance.
- Access security.
- Application system acquisition, development, and maintenance.
- Physical security of assets.
- Authorization for access to computer programs and data files.

IT Application Controls
- Controls that relate to specific computer software applications and the individual transactions, for example, the general ledger.
- Controls over the input, processing, and output functions.

N.B. includes: Ensure the input data is complete, accurate and valid. Also, ensure the internal processing produces the

Auditing Around the Computer Versus Auditing Through the Computer

Information Technology (IT) Auditing: Generalized Audit Software (GAS)

Auditing Through the Computer; Testing Categories:
1. Test data approach
2. Parallel simulation
3. Embedded audit module approach

Infotech Auditing: Auditing in Complex IT Environments (Categories of Testing)

1. Test Data Approach

Auditors process their own test data using the client’s computer system and application program to determine whether the automated controls correctly process the test data.

When using the test data approach, auditors have three main considerations:
a) Test data should include all relevant conditions that the auditor wants tested.
b) Application programs tested by auditors’ test data must be the same as those the client used throughout the year.
c) Test data must be eliminated from the client’s records.

Parallel Simulation
- To determine the effectiveness of automated controls.
- To obtain evidence about electronic account balances.

N.B. Parallel simulation is a process of simulating data processing with a set of data (from the client) and comparing the results of the simulation with the results produced by the client's system.

Embedded Audit Module Approach

Auditors insert an audit module in the client’s application system to identify specific types of transactions.
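The parallel simulation described above, as an added example that is not part of the original presentation: the auditor re-computes invoice line totals from client data and compares them with the totals the client's system recorded, then checks whether the differences follow the systematic pattern noted under risks to hardware and data. The records, the 5% volume discount rule and all function names are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample: invoice lines exported from a hypothetical client system,
# each with the line total that the client's application recorded.
CLIENT_RECORDS = [
    {"id": "INV-001", "qty": 10, "unit_price": "12.50", "client_total": "125.00"},
    {"id": "INV-002", "qty": 100, "unit_price": "12.50", "client_total": "1250.00"},
    {"id": "INV-003", "qty": 3, "unit_price": "19.99", "client_total": "59.97"},
    {"id": "INV-004", "qty": 250, "unit_price": "4.00", "client_total": "1000.00"},
    {"id": "INV-005", "qty": 99, "unit_price": "1.00", "client_total": "99.00"},
]

# Assumed documented business rule: 5% discount on lines of 100 units or more.
DISCOUNT_QTY = 100
DISCOUNT_RATE = Decimal("0.05")
CENT = Decimal("0.01")

def auditor_total(qty, unit_price):
    """Auditor's independent re-computation of a line total."""
    gross = Decimal(qty) * Decimal(unit_price)
    if qty >= DISCOUNT_QTY:
        gross -= gross * DISCOUNT_RATE
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)

def parallel_simulation(records):
    """Re-process client data and return every line where the results differ."""
    exceptions = []
    for rec in records:
        expected = auditor_total(rec["qty"], rec["unit_price"])
        recorded = Decimal(rec["client_total"])
        if expected != recorded:
            exceptions.append({"id": rec["id"], "expected": expected,
                               "recorded": recorded})
    return exceptions

def looks_systematic(records, exceptions):
    """True when every line meeting the discount condition is an exception and
    no other line is, which points at program logic rather than random error."""
    discounted = {r["id"] for r in records if r["qty"] >= DISCOUNT_QTY}
    return bool(discounted) and discounted == {e["id"] for e in exceptions}

if __name__ == "__main__":
    found = parallel_simulation(CLIENT_RECORDS)
    for e in found:
        print(f'{e["id"]}: recorded {e["recorded"]}, simulated {e["expected"]}')
    print("systematic pattern:", looks_systematic(CLIENT_RECORDS, found))
```

Because the simulation runs on a copy of the client's data outside the client's system, it leaves no test records behind to be eliminated, unlike the test data approach.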