Description

Chapter 7
Control and AIS
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-1
Learning Objectives

Explain basic control concepts and explain why computer control and security
are important.

Compare and contrast the COBIT, COSO, and ERM control frameworks.

Describe the major elements in the internal environment of a company

Describe the four types of control objectives that companies need to set.

Describe the events that affect uncertainty and the techniques used to identify
them.

Explain how to assess and respond to risk using the Enterprise Risk Management
(ERM) model.

Describe control activities commonly used in companies.

Describe how to communicate information and monitor control processes in
organizations.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-2
Internal Control
 System to provide reasonable assurance that objectives
are met such as:
 Safeguard assets.
 Maintain records in sufficient detail to report company assets
accurately and fairly.
 Provide accurate and reliable information.
 Prepare financial reports in accordance with established
criteria.
 Promote and improve operational efficiency.
 Encourage adherence to prescribed managerial policies.
 Comply with applicable laws and regulations.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-3
Internal Control
Functions
Categories
 Preventive
 General
 Deter problems
 Detective
 Discover problems
 Corrective
 Overall IC system and
processes
 Application
 Transactions are
processed correctly
 Correct problems
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-4
Sarbanes Oxley (2002)
 Designed to prevent financial statement fraud, make
financial reports more transparent, protect investors,
strengthen internal controls, and punish executives who
perpetrate fraud
 Public Company Accounting Oversight Board (PCAOB)
 Oversight of auditing profession
 New Auditing Rules
 Partners must rotate periodically
 Prohibited from performing certain non-audit services
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-5
Sarbanes Oxley (2002)
 New Roles for Audit Committee
 Be part of board of directors and be independent
 One member must be a financial expert
 Oversees external auditors
 New Rules for Management
 Financial statements and disclosures are fairly presented,
were reviewed by management, and are not misleading.
 The auditors were told about all material internal control
weak- nesses and fraud.
 New Internal Control Requirements
 Management is responsible for establishing and
maintaining an adequate internal control system.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-6
SOX Management Rules
 Base evaluation of internal control on a recognized
framework.
 Disclose all material internal control weaknesses.
 Conclude a company does not have effective financial
reporting internal controls of material weaknesses.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-7
Internal Control Frameworks
 Control Objectives for Information and Related
Technology (COBIT)
 Business objectives
 IT resources
 IT processes
 Committee of Sponsoring Organizations (COSO)
 Internal control—integrated framework
 Control environment
 Control activities
 Risk assessment
 Information and communication
 Monitoring
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-8
Internal Control
 Enterprise Risk Management Model
 Risk-based vs. control-based
 COSO elements +
 Setting objectives
 Event identification
 Risk assessment
 Can be controlled but also
 Accepted
 Diversified
 Shared
 Transferred
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-9
Control Environment
 Management’s philosophy, operating style, and risk
appetite
 The board of directors
 Commitment to integrity, ethical values, and
competence
 Organizational structure
 Methods of assigning authority and responsibility
 Human resource standards
 External influences
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-10
ERM—Objective Setting
 Strategic
 High-level goals aligned with corporate mission
 Operational
 Effectiveness and efficiency of operations
 Reporting
 Complete and reliable
 Improve decision making
 Compliance
 Laws and regulations are followed
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-11
ERM—Event Identification
 “…an incident or occurrence emanating from internal or
external sources that affects implementation of strategy
or achievement of objectives.”
 Positive or negative impacts (or both)
 Events may trigger other events
 All events should be anticipated
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-12
Risk Assessment
 Identify Risk
 Identify likelihood of risk
 Identify positive or negative impact
 Types of Risk
 Inherent
 Risk that exists before any plans are made to control it
 Residual
 Remaining risk after controls are in place to reduce it
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-13
ERM—Risk Response
 Reduce
 Implement effective internal control
 Accept
 Do nothing, accept likelihood of risk
 Share
 Buy insurance, outsource, hedge
 Avoid
 Do not engage in activity that produces risk
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-14
Event/Risk/Response Model
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-15
Control Activities
 Policies and procedures to provide reasonable
assurance that control objectives are met:
 Proper authorization of transactions and activities
 Signature or code on document to signal authority
over a process
 Segregation of duties
 Project development and acquisition controls
 Change management controls
 Design and use of documents and records
 Safeguarding assets, records, and data
 Independent checks on performance
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-16
Segregation of Accounting Duties
 No one employee should be given too much responsibility
 Separate:
 Authorization
 Approving transactions and decisions
 Recording
 Preparing source documents
 Entering data into an AIS
 Maintaining accounting records
 Custody
 Handling cash, inventory, fixed assets
 Receiving incoming checks
 Writing checks
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-17
Information and Communication
 Primary purpose of an AIS
 Gather
 Record
 Process
 Summarize
 Communicate
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-18
Monitoring
 Evaluate internal control framework.
 Effective supervision.
 Responsibility accounting system.
 Monitor system activities.
 Track purchased software and mobile devices.
 Conduct periodic audits.
 Employ a security officer and compliance officer.
 Engage forensic specialists.
 Install fraud detection software.
 Implement a fraud hotline.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-19
Segregation of System Duties
 Like accounting system duties should also be separated
 These duties include:
 System administration
 Network management
 Security management
 Change management
 Users
 Systems analysts
 Programmers
 Computer operators
 Information system librarian
 Data control
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
7-20
Chapter 8
Information Systems Controls for System Reliability— Part 1: Information Security
8-1
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
Learning Objectives
 Discuss how the COBIT framework can be used to
develop sound internal control over an organization’s
information systems.
 Explain the factors that influence information systems
reliability.
 Describe how a combination of preventive, detective,
and corrective controls can be employed to provide
reasonable assurance about information security.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-2
AIS Controls
 COSO and COSO-ERM address general internal control
 COBIT addresses information technology internal control
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-3
Information for Management Should
Be:
 Effectiveness
 Information must be relevant
and timely.
 Availability
 Information must be available
whenever needed.
 Efficiency
 Information must be produced
in a cost-effective manner.
 Compliance
 Controls must ensure
compliance with internal
policies and with external
legal and regulatory
requirements.
 Confidentiality
 Sensitive information must be
protected from unauthorized
disclosure.
 Integrity
 Information must be accurate,
complete, and valid.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
 Reliability
 Management must have
access to appropriate
information needed to
conduct daily activities and to
exercise its fiduciary and
governance responsibilities.
8-4
COBIT Framework
Information
Criteria
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-5
COBIT Cycle
 Management develops plans to organize information
resources to provide the information it needs.
 Management authorizes and oversees efforts to acquire (or
build internally) the desired functionality.
 Management ensures that the resulting system actually
delivers the desired information.
 Management monitors and evaluates system performance
against the established criteria.
 Cycle constantly repeats, as management modifies existing
plans and procedures or develops new ones to respond to
changes in business objectives and new developments in
information technology.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-6
COBIT Controls
 210 controls for ensuring information integrity
 Subset is relevant for external auditors
 IT control objectives for Sarbanes-Oxley, 2nd Edition
 AICPA and CICA information systems controls
 Controls for system and financial statement reliability
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-7
Trust Services Framework
 Security
 Access to the system and its data is controlled and restricted to legitimate
users.
 Confidentiality
 Sensitive organizational information (e.g., marketing plans, trade secrets) is
protected from unauthorized disclosure.
 Privacy
 Personal information about customers is collected, used, disclosed, and
maintained only in compliance with internal policies and external regulatory
requirements and is protected from unauthorized disclosure.

Processing Integrity
 Data are processed accurately, completely, in a timely manner, and only with
proper authorization.
 Availability
 The system and its information are available to meet operational and
contractual obligations.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-8
Trust Services Framework
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-9
Security / Systems Reliability
 Foundation of the Trust Services Framework
 Management issue, not a technology issue
 SOX 302 states:
 CEO and the CFO responsible to certify that the
financial statements fairly present the results of the
company’s activities.
 The accuracy of an organization’s financial
statements depends upon the reliability of its
information systems.
 Defense-in-depth and the time-based model of information
security
 Have multiple layers of control
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-10
Management’s Role in IS Security
 Create security aware culture
 Inventory and value company information resources
 Assess risk, select risk response
 Develop and communicate security:
 Plans, policies, and procedures
 Acquire and deploy IT security resources
 Monitor and evaluate effectiveness
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-11
Time-Based Model
 Combination of detective and corrective controls
 P = the time it takes an attacker to break through the
organization’s preventive controls
 D = the time it takes to detect that an attack is in progress
 C = the time it takes to respond to the attack
 For an effective information security system:
 P>D+C
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-12
Steps in an IS System Attack
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-13
Mitigate Risk of Attack
 Preventive Control
 Detective Control
 Corrective Control
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-14
Preventive Control
 Training
 User access controls (authentication and authorization)
 Physical access controls (locks, guards, etc.)
 Network access controls (firewalls, intrusion prevention
systems, etc.)
 Device and software hardening controls (configuration
options)
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-15
Authentication vs.
Authorization
 Authentication—verifies who a person is
1. Something person knows
2. Something person has
3. Some biometric characteristic
4. Combination of all three
 Authorization—determines what a person can access
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-16
Network Access Control
(Perimeter Defense)
 Border router
 Connects an organization’s information system to the Internet
 Firewall
 Software or hardware used to filter information
 Demilitarized Zone (DMZ)
 Separate network that permits controlled access from the
Internet to selected resources
 Intrusion Prevention Systems (IPS)
 Monitors patterns in the traffic flow, rather than only inspecting
individual packets, to identify and automatically block attacks
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-17
Internet Information Protocols
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-18
Device and Software
Hardening (Internal Defense)
 End-Point Configuration
 Disable unnecessary features that may be vulnerable to
attack on:
 Servers, printers, workstations
 User Account Management
 Software Design
 Programmers must be trained to treat all input from external
users as untrustworthy and to carefully check it before
performing further actions.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-19
Detective Controls
 Log Analysis
 Process of examining logs to identify evidence of possible
attacks
 Intrusion Detection
 Sensors and a central monitoring unit that create logs of
network traffic that was permitted to pass the firewall and
then analyze those logs for signs of attempted or successful
intrusions
 Managerial Reports
 Security Testing
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-20
Corrective Controls
 Computer Incident Response Team
 Chief Information Security Officer (CISO)
 Independent responsibility for information security assigned
to someone at an appropriate senior level
 Patch Management
 Fix known vulnerabilities by installing the latest updates
 Security programs
 Operating systems
 Applications programs
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-21
Computer Incident Response
Team
 Recognize that a problem exists
 Containment of the problem
 Recovery
 Follow-up
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-22
New Considerations
 Virtualization
 Multiple systems are
run on one computer
 Cloud Computing
 Remotely accessed
resources
 Software
applications
 Data storage
 Hardware
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
 Risks
 Increased exposure if
breach occurs
 Reduced
authentication
standards
 Opportunities
 Implementing strong
access controls in the
cloud or over the server
that hosts a virtual
network provides good
security over all the
systems contained
therein
8-23
Chapter 9
Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy
9-1
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
Learning Objectives
 Identify and explain controls designed to protect the
confidentiality of sensitive corporate information.
 Identify and explain controls designed to protect the
privacy of customers’ personal information.
 Explain how the two basic types of encryption systems
work.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-2
Trust Services Framework
 Security (Chapter 8)
 Access to the system and its data is controlled and restricted to legitimate
users.
 Confidentiality (Chapter 8)
 Sensitive organizational information (e.g., marketing plans, trade secrets) is
protected from unauthorized disclosure.
 Privacy
 Personal information about customers is collected, used, disclosed, and
maintained only in compliance with internal policies and external regulatory
requirements and is protected from unauthorized disclosure.

Processing Integrity (Chapter 10)
 Data are processed accurately, completely, in a timely manner, and only with
proper authorization.
 Availability (Chapter 10)
 System and its information are available to meet operational and contractual
obligations.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-3
Intellectual Property (IP)
 Strategic plans
 Trade secrets
 Cost information
 Legal documents
 Process improvements
 All need to be secured
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-4
Steps in Securing IP
Identification
and
Classification
Encryption
Controlling
Access
Trainingj
Where is the information, who has access to it?
Classify value of information
The process of obscuring information to make it unreadable
without special knowledge, key files, or passwords.
Information rights management: control who can
read, write, copy , delete, or download information.
Most important! Employees need to know what can or
can’t be read, written, copied, deleted, or downloaded
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-5
Privacy
 Deals with protecting customer information vs. internal
company information
 Same controls
 Identification and classification
 Encryption
 Access control
 Training
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-6
Privacy Concerns
 SPAM
 Unsolicited e-mail that contains either advertising or
offensive content
 CAN-SPAM (2003)
 Criminal and civil penalties for spamming
 Identity Theft
 The unauthorized use of someone’s personal information for
the perpetrator’s benefit.
 Companies have access to and thus must control
customer’s personal information.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-7
Privacy Regulatory Acts
 Health Insurance Portability and Accountability Act
(HIPAA)
 Health Information Technology for Economic and Clinical
Health Act (HITECH)
 Financial Services Modernization Act
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-8
Generally Accepted Privacy
Principles
1.
Management
 Procedures and policies
 Assignment of responsibility
2.
Notice
 To customers of policies
3.
4.
5.
6.
Access
 Customers should be capable
of reviewing, editing, deleting
information
7.
Choice and Consent
 Allow customers consent over
information provided, stored
Disclosure to 3rd Parties
 Based on policy and only if 3rd
party has same privacy policy
standard
8.
Collection
 Only what is necessary and
stated in policy
Security
 Protection of personal
information
9.
Quality
 Allow customer review
 Information needs to be
reasonably accurate
Use and Retention
 Based on policy and only for as
long as needed for the
business
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10. Monitor and Enforce
 Ensure compliance with policy
9-9
Encryption
 Preventive control
 Process of transforming
normal content, called
plaintext, into unreadable
gibberish
 Decryption reverses this
process
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-10
Encryption Strength
 Key length
 Number of bits (characters) used to convert text into blocks
 256 is common
 Algorithm
 Manner in which key and text is combined to create
scrambled text
 Policies concerning encryption keys
 Stored securely with strong access codes
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-11
Types of Encryption
 Symmetric
 One key used to both encrypt and decrypt
 Pro: fast
 Con: vulnerable
 Asymmetric
 Different key used to encrypt than to decrypt
 Pro: very secure
 Con: very slow
 Hybrid Solution
 Use symmetric for encrypting information
 Use asymmetric for encrypting symmetric key for decryption
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-12
Hashing
 Converts information into a “hashed” code of fixed
length.
 The code can not be converted back to the text.
 If any change is made to the information the hash code
will change, thus enabling verification of information.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-13
Digital Signature
 Hash of a document
 Using document creators key
 Provides proof:
 That document has not been altered
 Of the creator of the document
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-14
Digital Certificate
 Electronic document that contains an entity’s public key
 Certifies the identity of the owner of that particular public
key
 Issued by Certificate Authority
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-15
Virtual Private Network (VPN)
 Private communication channels, often referred
to as tunnels, which are accessible only to those
parties possessing the appropriate encryption
and decryption keys.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
9-16
Chapter 10
Information Systems Controls for System Reliability—Part 3: Processing Integrity
10-1
and Availability
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
Learning Objectives
 Identify and explain controls designed to ensure
processing integrity.
 Identify and explain controls designed to ensure systems
availability.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-2
Trust Services Framework
 Security (Chapter 8)
 Access to the system and its data is controlled and restricted to legitimate
users.
 Confidentiality (Chapter 8)
 Sensitive organizational information (e.g., marketing plans, trade secrets) is
protected from unauthorized disclosure.
 Privacy (Chapter 9)
 Personal information about customers is collected, used, disclosed, and
maintained only in compliance with internal policies and external regulatory
requirements and is protected from unauthorized disclosure.

Processing Integrity
 Data are processed accurately, completely, in a timely manner, and only with
proper authorization.
 Availability
 System and its information are available to meet operational and contractual
obligations.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-3
Controls Ensuring Processing Integrity
 Input
 Process
 Output
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-4
Input Controls
 “Garbage-in Garbage-out”
 Form Design
 All forms should be sequentially numbered
 Verify missing documents
 Use of turnaround documents
 Eliminate input errors
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-5
Input Controls
 Data Entry Checks
 Field check
 Characters proper type?
Text, integer, date, and so
on
 Sign check
 Proper arithmetic sign?
 Limit check
 Input checked against
fixed value?
 Range check
 Input within low and high
range value?
 Size check
 Input fit within field?
 Completeness check
 Have all required data
been entered?
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
 Validity check
 Input compared with
master data to confirm
existence
 Reasonableness check
 Logical comparisons
 Check digit verification
 Computed from input
value to catch typo errors
 Prompting
 Input requested by system
 Close-loop verification
 Uses input data to retrieve
and display related data
10-6
Batch Input Controls
 Batch Processing
 Input multiple source documents at once in a group
 Batch Totals
 Compare input totals to output totals
 Financial
 Sums a field that contains monetary values
 Hash
 Sums a nonfinancial numeric field
 Record count
 Sums a nonfinancial numeric field
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-7
Processing Controls
 Data Matching
 Multiple data values must match before processing occurs.
 File Labels
 Ensure correct and most current file is being updated.
 Batch Total Recalculation
 Compare calculated batch total after processing to input totals.
 Cross-Footing and Zero Balance Tests
 Compute totals using multiple methods to ensure the same results.
 Write Protection
 Eliminate possibility of overwriting or erasing existing data.
 Concurrent Update
 Locking records or fields when they are being updated so multiple users are
not updating at the same time.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-8
Output Controls
 User Review
 Verify reasonableness, completeness, and routed to
intended individual
 Reconciliation
 Data Transmission Controls
 Check sums
 Hash of file transmitted, comparison made of hash before
and after transmission
 Parity checking
 Bit added to each character transmitted, the characters
can then be verified for accuracy
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-9
Controls Ensuring Availability
 Systems or information need to be available 24/7
 It is not possible to ensure this so:
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-10
Minimize Risks
 Preventive Maintenance
 Cleaning, proper storage
 Fault Tolerance
 Ability of a system to continue if a part fails
 Data Center Location
 Minimize risk of natural and human created disasters.
 Training
 Less likely to make mistakes and will know how to recover, with minimal
damage, from errors they do commit
 Patch Management
 Install, run, and keep current antivirus and anti-spyware programs
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-11
Quick Recovery
 Back-up
 Incremental
 Copy only data that changed from last partial back-up
 Differential
 Copy only data that changed from last full back-up
 Business Continuity Plan (BCP)
 How to resume not only IT operations, but all business
processes
 Relocating to new offices
 Hiring temporary replacements
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-12
Change Control
 Formal process used to ensure that modifications to
hardware, software, or processes do not reduce systems
reliability
 Changes need to be documented.
 Changes need to be approved by appropriate manager.
 Changes need to be tested before implementations.
 All documentation needs to be updated for changes.
 Back-out plans need to be adopted.
 User rights and privileges need to be monitored during
change.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-13
Disaster Recovery Plan (DRP)
 Procedures to restore an organization’s IT function in the
event that its data center is destroyed
 Cold Site
 An empty building that is prewired for necessary telephone
and Internet access, plus a contract with one or more
vendors to provide all necessary equipment within a
specified period of time
 Hot Site
 A facility that is not only prewired for telephone and Internet
access but also contains all the computing and office
equipment the organization needs to perform its essential
business activities
 Second Data-Center
 Used for back-up and site mirroring
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
10-14
Chapter 11
Auditing Computer-Based Information Systems
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
11-1
Learning Objectives
 Describe the scope and objectives of audit work, and
identify the major steps in the audit process.
 Identify the objectives of an information system audit,
and describe the four-step approach necessary for
meeting these objectives.
 Design a plan for the study and evaluation of internal
control in an AIS.
 Describe computer audit software, and explain how it is
used in the audit of an AIS
 Describe the nature and scope of an operational audit.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
11-2
Auditing
 The systematic process of obtaining and evaluating
evidence regarding assertions about economic actions
and events in order to determine how well they
correspond with established criteria
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
11-3
Types of Audits

Financial
 Examines the reliability and integrity of:


Financial transactions, accounting records, and financial statements.
Information System
 Reviews the controls of an AIS to assess compliance with:


Internal control policies and procedures and effectiveness in
safeguarding assets
Operational
 Economical and efficient use of resources and the accomplishment of
established goals and objectives

Compliance
 Determines whether entities are complying with:


Applicable laws, regulations, policies, and procedures
Investigative
 Incidents of possible fraud, misappropriation of assets, waste and abuse, or
improper governmental activities.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
11-4
The Audit Process
 Planning
 Collecting Evidence
 Evaluating Evidence
 Communicating Audit Results
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
11-5
Planning the Audit
 Why, when, how, whom
 Work targeted to area with greatest risk:
 Inherent
 Chance of risk in the absence of controls
 Control
 Risk a misstatement will not be caught by the internal
control system
 Detection
 Chance a misstatement will not be caught by auditors or
their procedures
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
11-6
Collection of Audit Evidence
 Not everything can be
examined so samples are
collected
 Confirmations
 Observation activates to
be audited
 Re-performance
 Review of documentation
 Gain understanding of
process or control
 Discussions
 Questionnaires
 Physical examination
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
 Testing balances with
external 3rd parties
 Recalculations to test
values
 Vouching
 Examination of
supporting documents
 Analytical review
 Examining relationships
and trends
11-7
Evaluation of Audit Evidence
 Does evidence support favorable or unfavorable
conclusion?
 Materiality
 How significant is the impact of the evidence?
 Reasonable Assurance
 Some risk remains that the audit conclusion is incorrect.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
11-8
Communication of Audit Conclusion
 Written report summarizing audit findings and
recommendations:
 To management
 The audit committee
 The board of directors
 Other appropriate parties
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
11-9
Risk-Based Audit
 Determine the threats (fraud and errors) facing the company.
 Accidental or intentional abuse and damage to which the system is
exposed
 Identify the control procedures that prevent, detect, or correct the
threats.
 These are all the controls that management has put into place and that
auditors should review and test, to minimize the threats
 Evaluate control procedures.
 A systems review
 Are control procedures in place
 Tests of controls
 Are existing controls working
 Evaluate control weaknesses to determine their effect on the
nature, timing, or extent of auditing procedures.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
11-10
Information Systems Audit
 Purpose:
 To review and evaluate the internal controls that protect the
system
 Objectives:
1. Overall information security
2. Program development and acquisition
3. Program modification
4. Computer processing
5. Source files
6. Data files
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
11-11
1. Information System Threats
 Accidental or intentional damage to system assets
 Unauthorized access, disclosure, or modification of data
and programs
 Theft
 Interruption of crucial business activities
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
11-12
2. Program Deve