Module H - Information Systems Auditing MODULE H Information Systems Auditing LEARNING OBJECTIVES Review Checkpoints Exercises, Problems and Simulations List and describe the general and application controls in a computerized information system 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 52, 53, 54, 55, 57, 58, 59, 60, 61, 62, 66 Explain the difference between auditing around the computer and auditing through the computer 14, 15, 16 51, 65 List several techniques auditors can use to perform tests of controls in a computerized information system 17, 18, 19, 20, 21 64 Describe the characteristics and control issues associated with end-user and other computing environments 22, 23, 24, 25 63 26, 27, 28, 29, 30 56 Define and describe computer fraud and the controls that an entity can use to prevent it MODH-1 Module H - Information Systems Auditing SOLUTIONS FOR REVIEW CHECKPOINTS H.1 Given its extensive use, auditors must consider clients’ computerized information systems technology All auditors should have sufficient familiarity with computers, computerized information systems, and computer controls to be able to complete the audit of simple systems and to work with information system auditors More importantly, auditors must assess the control risk (and the risk of material misstatement) regardless of the technology used for preparing the financial statements In a computerized processing environment, auditors must study and test information technology general and application controls H.2 COBIT (which stands for Control Objectives for Information and Related Technology) represents a set of best practices for information technology management that has achieved general acceptance as the internal control framework for information technology COBIT’s basic principle is: To provide the information the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information H.3 The four domains of COBIT (along with a brief description of each) are: Plan and Organize: Summarizes how information and technology can be used within an entity to best achieve its goals and objectives Acquire and Implement: Focuses on identifying the related IT requirements, acquiring the necessary technology, and implementing the technology within the entity’s business processes Delivery and Support: Focuses on the execution of applications within the IT system Monitor and Evaluate: Considers whether the IT system continues to meet the entity’s objectives H.4 ITGC (information technology general controls) apply to all applications of a computerized information system, while ITAC (information technology application controls) apply to specific business activities within a computerized information system Thus, ITGC operate at an overall entity level and ITAC operate at a transaction level H.5 The five major categories of ITGC are: Hardware controls: Provide reasonable assurance that data are not altered or modified as they are transmitted within the system Program development: Provide reasonable assurance that (1) acquisition or development of programs and software is properly authorized, conducted in accordance with entity policies, and supports the entity’s financial reporting requirements; (2) appropriate users participate in the software acquisition or program development process; (3) programs and software are tested and validated prior to being placed into operation; and (4) all software and programs have appropriate documentation Program changes: Provide reasonable assurance that modifications to existing programs (1) are properly authorized, conducted in accordance with entity policies, and support the entity’s financial reporting requirements; (2) involve appropriate users in the program modification process; (3) are tested and validated prior to being placed into operation; and, (4) have been appropriately documented MODH-2 Module H - Information Systems Auditing H.5 (Continued) Computer operations: Provide reasonable assurance that the processing of transactions through the computerized information system is in accordance with the entity’s objectives and actions are taken to facilitate the backup and recovery of important data when the need arises Access to programs and data: Provide reasonable assurance that access to programs and data is only granted to authorized users H.6 Auditors are not expected to be computer technicians with respect to hardware controls, but they should be familiar with the terminology and the way these controls operate This will allow auditors to identify potential issues related to these controls and converse knowledgeably with the entity’s computer personnel If hardware controls fail, auditors should be primarily concerned with operator procedures in response to this failure H.7 The Systems Development Life Cycle (SDLC) is the process through which the entity plans, develops, and implements new computerized information systems or databases The SDLC includes the following controls related to program development and changes: • Ensuring that software acquisition and program development efforts are consistent with the entity’s needs and objectives • Following established entity policies and procedures for acquiring or developing software or programs • Involving users in the design of programs, selection of prepackaged software and programs, and testing of programs • Testing and validating new programs and developing proper implementation and “back out” plans prior to placing the programs into operation • Ensuring that data are converted completely and accurately for use in the new systems • Ensuring that consistent processes are followed and the most recent version of programs are implemented • Considering application controls that should be incorporated within the system to facilitate the accurate processing of data and transactions • Periodically reviewing entity policies and procedures for acquiring and developing software or programs for continued appropriateness and modifying these policies and procedures, as necessary MODH-3 Module H - Information Systems Auditing H.8 The primary duties associated with various functions related to computerized information systems are: • Systems Analyst: Analyze requirements for information, evaluate the existing system, and design new or improved computerized information systems • Programmer: Flowcharts the logic of the computer programs required by the computerized information system designed by the systems analyst • Computer Operator: Operates the computer for each accounting application system according to written operating procedures found in the computer operation instructions • Data Conversion Operator: Prepares data for machine processing by converting manual data into machine-readable form or directly entering transactions into the system using remote terminals • Librarian: Maintains control over (1) system and program documentation and (2) data files and programs used in processing transactions • Control Group: The control group receives input from user departments, logs the input and transfers it to data conversion, reviews documentation sequence numbers, reviews and processes error messages, monitors actual processing, compares control totals to computer output, and distributes output Separation of the duties performed by systems analysts, programmers, and computer operators is important The general idea is that anyone who designs a computerized information system should not perform the technical programming work, and anyone who performs either of these tasks should not be the computer operator when “live” data are processed Persons performing each function should not have access to each other’s work, and only the computer operators should have access to the equipment H.9 ITGC are important in the auditors’ evaluation of internal control and assessment of control risk (and the risk of material misstatement) because they are pervasive and the effectiveness of application controls relies heavily on the effectiveness of ITGC H.10 The objective of input controls is to provide reasonable assurance that data received for processing by the computer department have been properly authorized and accurately entered and converted for processing H.11 Record counts are tallies of the number of transaction documents submitted for data conversion These counts allow situations in which transactions may not have been input or may have been input more than once to be identified Batch totals are mathematical totals of an important quantity or amount, such as the total of sales dollars in a batch of invoices Batch totals allow the following types of input errors to be detected: (1) input error for the wrong amount; (2) transactions have not been input; and, (3) transactions have been input more than once Hash totals are mathematical totals of a quantity or amount that is not meaningful, such as the total of all invoice numbers Like batch totals, hash totals allow the following types of input errors to be detected: (1) input error for the wrong amount; (2) transactions have not been input; and, (3) transactions have been input more than once MODH-4 Module H - Information Systems Auditing H.12 H.13 H.14 The objective of processing controls is to provide reasonable assurance that data processing has been performed accurately, without any omission or duplication of transactions Examples of processing controls include: • Run-to-run totals: Totals such as record counts, batch totals, and/or hash totals obtained at the end of one processing run are distributed to the next run and compared to corresponding totals produced at the end of the second run • Control total reports: Control totals, such as record counts, batch totals, hash totals, and run-torun totals, can be calculated during processing and reconciled to input totals or totals from earlier processing runs • File and operator controls: External and internal labels ensure that the proper files are used in applications • Limit and reasonableness tests: These tests should be programmed to ensure that illogical conditions not occur (for example, depreciating an asset below zero or calculating a negative inventory quantity) The objective of output controls is to ensure that only authorized persons receive output or have access to files produced by the system Some common output controls include: • Control total reports: Compare controls totals to input and run-to-run control totals produced during transaction processing • Master file changes: Any changes to master file information should be properly authorized by the entity and reported in detail to the user department from which the request for change originated • Output distribution: Systems output should only be distributed to persons authorized to receive the output The major steps in the auditors’ assessment of control risk in a computerized processing environment include: • Identify specific control objectives based on the types of misstatements that can occur in significant accounting applications • Identify the points in the flow of transactions where specific types of misstatements could occur • Identify specific control procedures designed to prevent or detect these misstatements • Evaluate the design of control procedures to determine whether the design suggests a low control risk and whether tests of controls might be costeffective • Perform tests of the operating effectiveness of control procedures designed to prevent or detect misstatements (assuming it is cost-effective to so) MODH-5 Module H - Information Systems Auditing H.15 The following are points in the processing of transactions at which misstatements may be introduced because of the use of computerized processing: 10 11 Preparation of source data for input Manual summary of data (preparation of batch totals and hash totals) Conversion of source data into computer-readable form Use of incorrect input files in processing Transfer of information from one computer program to another Use of incorrect computer files in processing transactions Inappropriate initiation of transactions by the computer Creation of output files are update of master files Changes to master files outside the normal flow of transactions within each cycle through file maintenance procedures Production of output reports or files Correction of errors identified by control procedures H.16 Auditing “though the computer” refers to making use of the computer itself to test the operating effectiveness of application controls in the program used to process transactions When auditing “around the computer”, auditors are only concerned with the correspondence of the input with the output and not specifically evaluate the effectiveness of the client’s computer controls H.17 Audit hooks: Client or auditors can select specific transactions of audit/control interest Tagging transactions: Auditors or client select and “tag” transactions to capture a computer trail of the transaction SCARF (systems control audit review file): Program that selects transactions according to auditors’ or client’s criteria (e.g reasonableness limit) SARF (sample audit review file): Program that randomly selects transactions for review Snapshot: Taking a “picture” of main memory of transactions and database elements before and after computerized processing Monitoring systems activity: Computerized information system capture of activity records, such as all passwords used during a period Extended records: Expanding the transaction record itself to include computer trail information, such as snapshot information before and after processing H.18 The test data technique uses simulated transactions created by auditors that are processed by the client’s actual programs at a different time from the processing of actual client transactions The integrated test facility technique is an extension of the test data technique, but simulated transactions for a “dummy” department or division are intermingled with the actual client transactions and processed along with actual client transactions H.19 It is true that fictitious (fake) transactions are not used by auditors when the information processing system is manual, but in a manual system, documentary evidence is available for visual examination to audit a client’s control activities New techniques are necessary to gather evidence and evaluate controls with computer programs The client should be advised of the nature of the test data or integrated test facility and these procedures must be carefully controlled to prevent contamination of actual client files MODH-6 Module H - Information Systems Auditing H.20 Both test data and parallel simulation are audit procedures that use the computer to test computer controls The basic difference is that the test data procedure uses the client’s program with auditor-created transactions, while parallel simulation uses an auditor-created program with actual client transactions In the test data procedure, the results from the client program are compared to auditors’ predetermined results to determine whether the controls operate as intended In the parallel simulation procedure, the results from auditors’ program are compared to the results from the client’s program to determine whether the controls operate as intended H.21 Controlled reprocessing is another method of obtaining evidence regarding the operating effectiveness of the client’s computer controls through parallel simulation In controlled reprocessing, auditors create the “simulated system” by performing a thorough technical audit of the controls in the client’s actual program, then maintain a copy of this program Actual client data can later be processed using this copy of the client’s program H.22 In an end-user environment, limited resources may result in a lack of separation of duties in the accounting function (initiate and authorize source documents, enter data, operate the computer, and distribute output) and computer functions (programming and computer operations) H.23 Major characteristics in end-user computing environments include: • • • • Terminals are used for transaction data entry, inquiry, and other interactive functions Purchased software packages are used extensively Portable storage devices (compact disks (CDs) and Universal Serial Bus (USB) drives) are used for file storage Available system, program, operation, and user documentation is often limited or does not exist Control problems in end-user computing environments include: • • • • Lack of separation of duties, both in accounting functions and computer functions Lack of physical security over computer hardware, programs, and data files Lack of documentation and testing Limited computer knowledge H.24 Control procedures an entity can use to achieve control over computer operations in an end-user computing environment include: • Restricting access to input devices • Standard screens and computer prompting • On-line editing and sight verification H.25 Control procedures an entity can use to achieve control over computerized in an end-user computing environment include: • Transaction logs • Control totals • Balancing input to output • Audit trail H.26 Five things used to facilitate computer fraud are (1) the computer, (2) data files, (3) computer programs, (4) system information (documentation), and (5) time and opportunity to convert the assets to personal use MODH-7 Module H - Information Systems Auditing H.27 Physical controls that can be used to protect computerized information systems from fraud include: • Inconspicuous location • Controlled access • Computer room guard (after hours) • Computer room entry log record • Preprinted limits on documents • Data backup storage H.28 Technical controls that can be used to protect computerized information systems from fraud include: • Data encryption • Access control software and passwords • Transaction logging reports • Control totals (both batch totals and hash totals) • Program source comparison • Range checks on permitted transaction amounts • Reasonableness check on permitted transaction amounts H.29 Administrative controls that can be used to protect computerized information systems from fraud include: • Security checks on personnel • Separation of duties • Proper review of access and execution log records • Program testing after modification • Rotation of computer duties • Transaction limit amounts H.30 Methods of limiting damages resulting from computer fraud (through damage-limiting controls) include: • • • • • • Rotation of computer duties Transaction limit amounts Range checks on permitted transaction amounts Preprinted limits on documents (e.g., checks) Data backup storage Reasonableness check on permitted transaction amounts SOLUTIONS FOR MULTIPLE-CHOICE QUESTIONS H.31 a b c d Incorrect Incorrect Incorrect Correct This is a software function This is a programmer function This is an input control function This is an automated hardware function H.32 a b c d Correct Incorrect Incorrect Incorrect A payroll processing program is an example of user software The operating system program is an example of a system program Data management system software is an example of a system program Utility programs are examples of system programs MODH-8 Module H - Information Systems Auditing H.33 H.34 H.35 H.36 H.37 H.38 a Incorrect b Correct c Incorrect d Incorrect a b Incorrect Incorrect c d Incorrect Correct a b Incorrect Incorrect c d Incorrect Correct a Incorrect b Correct c d Incorrect Incorrect a Correct b Incorrect c d Incorrect Incorrect a b Incorrect Correct c Incorrect d Incorrect The computer librarian is the appropriate person to maintain these files, since this individual has no access to the computer Computer operators should not have access to instructions and detailed program lists, since they have would have enough knowledge to alter programs and run those programs The control group is appropriate for distributing output, since they not have access to programs and computer Programmers are the appropriate individuals to write and debug programs, since they have no access to data Employee intelligence is not necessarily greater in a computerized environment Due to the limitations of computer evidence (it may only exist for a very brief time), auditors should audit the computerized information system throughout the year Large dollar amounts are not unique to a computerized environment Due to the accessibility of large number of computer terminals, employees have greater access to computerized information systems and computer resources in a computerized environment Control totals detect input and processing errors Record counts are used to ensure that all transactions are entered once, and only once Limit tests identify items larger than expected during input or processing External labels reduce the likelihood that operators will not use the incorrect file Copies of client data files for controlled reprocessing should be obtained from the client, but not extracted using CAATs CAATs can be used to create a parallel simulation to test the client’s computer controls CAATs are not designed to perform tests of a client’s hardware controls Attempting to enter false passwords is the best way to test the operating effectiveness of a client’s password access control, not the use of CAATs It may be appropriate to audit simple systems without testing computer programs; essentially, the client is using this system in a manner similar to a calculator The impact of computerized processing on master files would require the computer programs to be tested Auditors cannot audit “around the computer” when limited output is available See (b) and (c) Condensing data would not necessarily result in a more efficient audit Abnormal conditions inform auditors of potential issues and allow them to focus their efforts on these issues Reduced tests of controls would depend upon the content of the exemption reports (i.e., number of exceptions), not the existence of these reports Exception reporting is an example of an output control, not an input control MODH-9 Module H - Information Systems Auditing H.39 a b Incorrect Incorrect c Correct d Incorrect H.40 d Correct H.41 NOTE TO INSTRUCTOR: Since this question asks students to identify the statement that is not true, the response labeled “correct” is not true and those labeled “correct” are true H.42 H.43 H.44 a b Incorrect Incorrect c Correct d Incorrect a Incorrect b Incorrect c Incorrect d Correct a Incorrect b c Incorrect Correct d Incorrect a b c Incorrect Incorrect Correct d Incorrect The use of test data evaluates computer controls, not input data Machine capacity can be evaluated by reference to the manufacturer’s specifications Test data are used to examine the operating effectiveness of computer control procedures Test data provide evidence on specific application control procedures, not information technology general controls In a computerized processing environment, a sample of one transaction is sufficient because the computer handles all transactions identically The test data approach does test the client’s computer programs Test data need to include only the transactions that test control procedures auditors believe to be important Test data need to include only the transactions that test control procedures auditors believe to be important One of each deviation condition is sufficient, because the computer handles each transaction in an identical manner Auditors may submit test data at several different times to gain additional assurance on the processing of transactions Manually comparing detail transactions to the program’s actual error messages is a way of verifying the operation of computer control procedures Comparing transactions processed through a separate program to those processed through the client’s program is a form of parallel simulation and will test the operation of computer controls This is an example of auditing “around the computer” and will not test the operation of computer control procedures Writing a computer program that simulates the logic of a good password control system does not test the actual system A test of proper authorization is not a test of actual access to the system Attempting to sign onto the computer system with a false password is similar to a test data approach Several different types of false passwords might need to be used Written representations are not direct or reliable form of evidence on a detailed matter such as password controls Inquiries produce a relatively weak form of evidence Observation is not relevant to the performance of computer controls This method will test computer controls since it compares known input with computer output The run manual provides information to the computer operator and does not allow auditors to test computer controls MODH-10 • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • ... programs, selection of prepackaged software and programs, and testing of programs • Testing and validating new programs and developing proper implementation and “back out” plans prior to placing the... data and transactions • Periodically reviewing entity policies and procedures for acquiring and developing software or programs for continued appropriateness and modifying these policies and procedures,... acquisition or program development process; (3) programs and software are tested and validated prior to being placed into operation; and (4) all software and programs have appropriate documentation Program