
Chapter 1

Overview of Information Systems Auditing

Impact of IT on organizations
IT is important in all kinds of organizations, and therefore influences
organizational risks and controls.
IT creates opportunities, but these opportunities bring with them many
kinds of risks.

Impact of IT on organizations
Opportunity: transmit documents electronically to customers and vendors.
Accompanying risk: potential failure of the electronic communication
systems.

Need for control and audit of computers
Factors influencing an organization toward control and audit of computers:
Organizational costs of data loss
Costs of incorrect decision making
Costs of computer abuse
Value of computer hardware, software and personnel
High costs of computer error
Maintenance of privacy
Controlled evolution of computer use

Organizational costs of data loss
Data is a resource which provides an organization with an image of itself.
Accurate data increases an organization's ability to adapt and survive in
a changing environment.
If the data is inaccurate the organization will suffer significant losses.

Incorrect decision making
High quality decisions require high quality data; the quality of data
needed depends on the type of decision.
High quality decisions also require high quality decision rules, and
accurate decision rules depend on accurate modeling and programming.
Incorrect decisions have an impact on the organization and on other
stakeholders.
HQR = HQD + HQI



Computer Abuse
Hacking: unauthorized electronic access to a computer system to read,
modify or delete programs/data, or to disrupt services.
Viruses: programs which attach themselves to computer files to disrupt
operations or damage data or programs. They have two objectives:
replicate themselves, and deliver a payload that causes a disruption.
Illegal physical access to computer facilities: can cause physical damage
to hardware, or allow unauthorized copies of programs/data to be made.
Abuse of privileges: use of legitimately granted privileges for
unauthorized purposes.

Consequences of computer abuse

Destruction of assets
Theft of assets
Modification of assets
Privacy violations
Disruption of operations
Unauthorized use of assets
Physical harm to personnel

Computer abuse
Losses are higher than from conventional fraud
Numbers and types of threats
seem to be increasing
Organizations are not well prepared
Deterrent security and administrative
countermeasures can be effective
Laws governing abuse are evolving

Value of computer hardware, software and personnel
Hardware: loss or damage can be costly, both the value of the assets and
the cost of disruption of service.
Software: the investment in software, disruption of business, and loss of
confidential information and proprietary secrets.
Personnel: scarcity, training cost, unique knowledge, disruption in
service, loss of competitive advantage.


High costs of computer error
Computers automatically perform critical functions in society.
Organizations are held liable for the consequences of computer errors.


Maintenance of privacy
Personal data is held about taxation, credit, medical, educational,
employment and residence matters, and spending habits.
Data mining: integration, retrieval and matching of data for profiling.
Human genome banks.
Privacy regulations vary widely by country.


Controlled evolution of computer use
Use of computers in control over weapon systems.
Use of computers to control working life and the environment.


Financial Audits
Financial audits examine whether financial statements are prepared in
accordance with Generally Accepted Accounting Principles (GAAP).
The board of directors (BOD), managers and personnel analyze the internal
control system: a set of rules, policies and procedures an organization
implements to provide reasonable assurance that
its financial reports are reliable,
its operations are effective and efficient, and
its activities comply with applicable laws and regulations.
Financial processing and reporting rely increasingly on computer
technology.

Control activities
Control activities are the policies and procedures the
organization uses to ensure that necessary actions
are taken to minimize risks associated with achieving
its objectives.
Controls have various objectives and may be applied
at various organizational and functional levels.
Control Usage - Prevent, Detect, and Correct
Preventive controls focus on preventing an error or irregularity.
Detective controls focus on identifying when an error or irregularity
has occurred.
Corrective controls focus on recovering from, repairing the damage
from, or minimizing the cost of an error or irregularity.


Control Activities
Physical controls: security over the assets themselves, limiting access
to the assets to only authorized people, periodically reconciling the
list of authorized people, and periodically reconciling the quantities on
hand with the quantities recorded in the organization's records.
Information processing controls are used to check the accuracy,
completeness, and authorization of transactions.
General controls cover data center operations, systems software
acquisition and maintenance, access security, and application systems
development and maintenance.
Application controls apply to the processing of a specific application,
such as running a computer program to prepare employees' payroll checks
each month.
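The following is an added example, not code from the original slides, showing the three control types (preventive, detective, corrective) as application controls over a constructed batch of payroll transactions. The field names, the approver list, the amount limit, the control-total mechanism and the sample records are all assumptions made for this illustration.

```python
# Added example (not from the original slides): preventive, detective and
# corrective application controls applied to a constructed payroll batch.
# Field names, approver list, amount limit and sample data are assumptions.
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional

AUTHORISED_APPROVERS = {"alice", "bob"}    # assumed list of people allowed to approve
MAX_AMOUNT = Decimal("10000.00")           # assumed per-transaction payment limit


@dataclass
class Txn:
    txn_id: str
    employee: str
    amount: Decimal
    prepared_by: str
    approved_by: str


@dataclass
class Batch:
    txns: List[Txn]
    declared_count: int        # control totals keyed in when the batch was submitted
    declared_total: Decimal


@dataclass
class Result:
    posted: List[Txn] = field(default_factory=list)
    rejected: Dict[str, str] = field(default_factory=dict)   # txn_id -> reason
    exceptions: List[str] = field(default_factory=list)      # batch-level findings
    quarantined: bool = False


def preventive_check(t: Txn) -> Optional[str]:
    """Preventive controls: stop an erroneous or unauthorised transaction
    before it is posted. Returns the rejection reason, or None if it passes."""
    if t.amount <= 0 or t.amount > MAX_AMOUNT:
        return "amount outside permitted range"
    if t.approved_by not in AUTHORISED_APPROVERS:
        return "approver not authorised"
    if t.approved_by == t.prepared_by:
        return "segregation of duties: preparer may not approve own transaction"
    return None


def detective_check(batch: Batch) -> List[str]:
    """Detective controls: after processing, reconcile every record received
    against the control totals declared on input, so that a record lost,
    duplicated or altered between input and processing is noticed."""
    findings = []
    if len(batch.txns) != batch.declared_count:
        findings.append(f"record count {len(batch.txns)} != declared {batch.declared_count}")
    total = sum((t.amount for t in batch.txns), Decimal("0"))
    if total != batch.declared_total:
        findings.append(f"amount total {total} != declared {batch.declared_total}")
    ids = [t.txn_id for t in batch.txns]
    if len(ids) != len(set(ids)):
        findings.append("duplicate transaction ids in batch")
    return findings


def process_batch(batch: Batch) -> Result:
    r = Result()
    for t in batch.txns:
        reason = preventive_check(t)
        if reason is None:
            r.posted.append(t)
        else:
            r.rejected[t.txn_id] = reason
    r.exceptions = detective_check(batch)
    if r.exceptions:
        # Corrective control: a batch that fails reconciliation is not released
        # for payment; it is held for investigation and reprocessing, and the
        # exception list is what the operator (and later the auditor) reviews.
        r.quarantined = True
    return r


def sample_batch(tampered: bool = False) -> Batch:
    """Constructed sample input. With tampered=True the declared total no
    longer matches the records, as if an amount were altered after the
    control totals were computed."""
    txns = [
        Txn("T1", "emp-01", Decimal("2500.00"), "carol", "alice"),
        Txn("T2", "emp-02", Decimal("15000.00"), "carol", "bob"),    # over limit
        Txn("T3", "emp-03", Decimal("800.00"), "bob", "bob"),        # self-approved
    ]
    declared_total = Decimal("18000.00") if tampered else Decimal("18300.00")
    return Batch(txns, declared_count=3, declared_total=declared_total)


if __name__ == "__main__":
    for tampered in (False, True):
        res = process_batch(sample_batch(tampered))
        print(f"tampered={tampered}: posted={[t.txn_id for t in res.posted]} "
              f"rejected={res.rejected} exceptions={res.exceptions} "
              f"quarantined={res.quarantined}")
```

Note that the reconciliation counts rejected records as received: a batch in which two transactions were rejected by the preventive checks still reconciles, while a batch whose amounts no longer add up to the declared total is quarantined even though every individual transaction passed.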

Financial vs Information Systems Audits
IT auditors may work on financial audit engagements, and may work on
every step of the financial audit engagement.
Standards, such as SAS No. 94, guide the work of IT auditors on financial
audit engagements.
Prior to the issuance of SAS No. 94, many financial audits of IT systems
bypassed testing of controls.
IT audit work on financial audit engagements is likely to increase as
internal control evaluation becomes more important.

Financial vs Information Systems Audits
New regulations for audits, such as the Sarbanes-Oxley Act of 2002, have
also influenced the relationship between financial and IT audits.
This act, which was created to restore confidence in financial reports,
mandates that management assess and make representations about internal
controls.
Auditors then need to test those controls and provide assurance about
management's representations.

Information Systems Auditing Objectives
Information systems auditing is the process of collecting and evaluating
evidence to determine whether a computer system
safeguards assets,
maintains data integrity,
achieves system effectiveness,
uses resources efficiently, and
complies with applicable regulations, rules or conditions.
For the organization the result is improved safeguarding of assets,
improved data integrity, improved system effectiveness, efficient use of
resources, and compliance.

Examples of Situations Requiring Testing of Controls
Computer programs containing algorithms or formulas that make complex
calculations, such as automatically computing commissions, allowance for
doubtful accounts, reorder points, loan reserves and pension funding
calculations.
Systems that provide electronic services to customers. In these
situations, the IT system automatically initiates bills for the services
rendered and processes the billing transactions.
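As an added example (not from the original slides), this is the kind of test an IT auditor runs over the first situation above: the commission rule documented in policy is reimplemented independently of the production program and the result compared with what the system actually paid for a sample of records. The tiered rate table, the tolerance and the sample records are assumptions made for this illustration.

```python
# Added example (not from the original slides): an auditor's recomputation
# test of an automated commission calculation. The rate tiers, tolerance and
# sample records are assumptions made for this illustration.
from decimal import Decimal, ROUND_HALF_UP
from typing import List, Optional, Tuple

# Assumed documented policy: marginal (tiered) rates on monthly sales.
TIERS: List[Tuple[Optional[Decimal], Decimal]] = [
    (Decimal("10000"), Decimal("0.02")),   # first 10,000 at 2%
    (Decimal("50000"), Decimal("0.05")),   # 10,000 to 50,000 at 5%
    (None, Decimal("0.08")),               # everything above 50,000 at 8%
]
CENT = Decimal("0.01")
TOLERANCE = Decimal("0.01")   # a one-cent rounding difference is not an exception


def expected_commission(sales: Decimal) -> Decimal:
    """Independent recomputation of the commission from the rate table,
    applying each rate only to the part of the sales inside its tier."""
    commission = Decimal("0")
    lower = Decimal("0")
    for upper, rate in TIERS:
        if upper is None or sales <= upper:
            commission += (sales - lower) * rate
            break
        commission += (upper - lower) * rate
        lower = upper
    return commission.quantize(CENT, rounding=ROUND_HALF_UP)


def recompute_and_compare(records):
    """records: (sales_rep, monthly_sales, commission_paid_by_system).
    Returns one exception tuple per record whose system value differs from the
    recomputed value by more than TOLERANCE."""
    exceptions = []
    for rep, sales, system_value in records:
        expected = expected_commission(sales)
        if abs(expected - system_value) > TOLERANCE:
            exceptions.append((rep, sales, system_value, expected))
    return exceptions


# Constructed sample: the system output for rep "r3" applies 8% to the whole
# amount instead of only to the part above 50,000, an error that a review of
# batch totals would not reveal but recomputation does.
SAMPLE_RECORDS = [
    ("r1", Decimal("8000"), Decimal("160.00")),
    ("r2", Decimal("30000"), Decimal("1200.00")),
    ("r3", Decimal("60000"), Decimal("4800.00")),
    ("r4", Decimal("10000"), Decimal("200.00")),   # exactly on a tier boundary
]


def run_sample():
    return recompute_and_compare(SAMPLE_RECORDS)


if __name__ == "__main__":
    for rep, sales, got, want in run_sample():
        print(f"EXCEPTION {rep}: sales={sales} system={got} recomputed={want}")
```

The boundary record ("r4") is included deliberately: errors in automated calculations cluster at tier edges, so an auditor's sample should always contain values on and just past each boundary.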

What do Information Systems auditors do?
Ensure IT governance by assessing risks and monitoring controls over
those risks.
Work as either internal or external auditors.
Work on many kinds of audit engagements.

What do Information Systems auditors do?
Evaluating controls over specific applications: analyzing the risks and
controls over applications such as e-business and enterprise resource
planning (ERP) systems.
Providing assurance over specific processes, in which the client and the
IT auditor determine the scope of the assurance.
Providing third-party assurance: evaluating the risks and controls over a
third party's information systems and providing assurance to others.

What do Information Systems auditors do?
Penetration testing: attempting to gain access to information resources
in order to discover security weaknesses.
Supporting the financial audit: evaluating IT risks and controls that may
affect the reliability of the financial reporting system.
Searching for IT-based fraud: helping to investigate computer records in
fraud investigations.

IT Audit Skills
College education: information systems, computer science, accounting.
Certifications:
Certified Information Systems Auditor (CISA)
Certified Information Systems Security Professional (CISSP)
Technical IT audit skills in specialized technologies: computing
platforms (hardware and software applications), operating systems (OS),
enterprise resource planning (ERP), e-business, network security.

IT Audit Skills
General personal and business skills:
Presentations to internal or external clients
Interpersonal skills
Teamwork
Business education (business processes, financial, distribution, human
resource and manufacturing processes)
Marketing skills

The need for information technology auditors
The need for IT auditors far outstrips the supply of qualified candidates.
There is high demand for Information Technology (IT) auditors, and their
work is interesting and challenging.
IT auditors evaluate an organizational entity's information system, which
includes information technologies, data and information, and systems of
communication.

Professional IT Auditor Organizations
The groups include:
The Information Systems Audit and Control Association (ISACA)
The Institute of Internal Auditors (IIA)
The Association of Certified Fraud Examiners (ACFE)
The American Institute of Certified Public Accountants (AICPA)

Professional IT Auditor Certifications
ISACA: Certified Information Systems Auditor (CISA)
IIA: Certified Internal Auditor (CIA)
ACFE: Certified Fraud Examiner (CFE)
AICPA: Certified Public Accountant (CPA) license and Certified
Information Technology Professional (CITP) certification
