CHAPTER 8 - Internal Audit Tools and Techniques STDT
Learning Objectives
After going through this chapter, you should be able to:
• Describe the Information Technology (IT) audit.
• Identify technology risks and challenges to internal auditing.
• Discuss the evaluation of general and application controls.
• Define and discuss the audit of the System Development Life Cycle (SDLC).
• Define and discuss the audit of e-commerce and its challenges to Internal Auditors.
• Understand the idea of computer-assisted audit techniques (CAATs) in performing an audit procedure.
Introduction
Heavy reliance on computers for processing has increased the need for Information Technology (IT) auditing.
IT auditing is a branch of general auditing, but its focus is on the governance of information and communications technologies.
The areas of IT auditing are unlimited, but this chapter focuses on general and application controls, System Development Life Cycle projects, the e-commerce environment and the use of Computer-Assisted Audit Tools and Techniques (CAATs).
IT AUDIT
Use and Impact of Technology
• Business becomes more and more dependent on IT
• Set of skills required by business: technical skill and business process knowledge
• But with IT the business faces more risks, and at the same time has greater earning capacity
• An entity dependent on IT must be evaluated from the going concern aspect using an IT perspective
Technology Risks & Challenges to IA
• Issues surrounding modification of systems
• Poor IS management
• Unstable systems and confidence erosion
• Extra cost and time to correct systems
• Business loses credibility
• Authority intervention
• Compromised controls that could result in fraud
• Poor database management, data integrity
• Threat to asset security
• Systems and process confusion – results in fraud
IA Function in an IT Business Environment
Definition of IT Audit
IT audit focuses on the evaluation of an organization's computer systems and network to ensure:
• the effectiveness of control procedures in minimising related technology risks; and
• compliance with international or Malaysian standard operating practices, policies, procedures and related laws or regulations of the regulatory body.
Main Types of IT Audit
Operational computer system audits
IT application audits
Developing system audit
IT management audit
IT process audit
Information security and control audit
Disaster contingency or disaster recovery audit
IT strategy audit
Information Security Audit
Purpose – to provide assurance that there is an appropriate level of control over the confidentiality, integrity and availability of information within the e-commerce operation.
E-commerce is exposed to threats (e.g. virus attacks), system vulnerabilities (e.g. product flaws) and the associated risks.
The business needs to have an information security policy.
Network environment – where the e-commerce websites reside.
Sources of threats to the network environment: network segments, application software, system software, process integrity and physical security.
Elements of IT Audit
Physical and environmental review
System administration review
Application software review
Network security review
Business continuity review
Data integrity review
Guide to Conduct an IT Audit
1. The GAIT Methodology
A guideline to assess the scope of IT general controls using a top-down and risk-based approach.
It helps management to identify any deficiencies in key IT general controls that may result in material errors in financial statements.
It includes four principles that form the basis for this guideline.
2. GAIT for IT General Control Deficiency Assessment
A guideline to evaluate any IT general control deficiencies identified during assessment.
3. GAIT for Business and IT Risk
A guideline to help identify the IT controls that are critical to achieving business goals and objectives.
Scope & Objectives of IT Audit
No. – Scope of Audit – Objectives of Audit
1. Security controls – To ensure the establishment of an appropriately defined IT management structure with a clear framework of authorities and responsibilities.
2. Logical access controls – To ensure that the access controls are reviewed to determine that safeguards are in place to prevent unauthorised acquisition of data resources.
3. Physical security controls – To prevent unauthorised access to computer-related equipment and to ensure adequate protection of computer-related equipment against natural hazards.
4. Installation controls – To ensure consistent control of software and hardware management in its operation of application systems.
5. Local area network controls – To prevent any unauthorised access to the local area network.
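The logical access control objective above (safeguards against unauthorised acquisition of data resources) is normally tested by reviewing the user-account population against the HR roster and a segregation-of-duties matrix. The script below is an added example, not from the chapter: the HR roster, the account export, the role names, the 90-day dormancy threshold and the SoD conflict pairs are all constructed assumptions, chosen only to show the tests an internal auditor typically runs over such an extract.

```python
"""Logical access review as a CAAT-style test.

Added example (not from this chapter). All data is constructed: an HR roster
and a user-account export of the kind an auditor would obtain from the system
owner. Role names, thresholds and the SoD matrix are assumptions for the demo.
"""
from datetime import date

DORMANT_DAYS = 90                # assumed policy: accounts unused this long are dormant
AS_OF = date(2024, 6, 30)        # review date (constructed)
PRIVILEGED_ROLES = {"ADMIN"}     # assumed privileged role name

# Constructed HR roster: employee id -> (name, employment status)
HR_ROSTER = {
    "E001": ("Aisha", "active"),
    "E002": ("Ben", "terminated"),
    "E003": ("Chen", "active"),
    "E004": ("Dev", "active"),
}

# Constructed account export: one record per system account
ACCOUNTS = [
    {"user": "aisha", "owner": "E001", "enabled": True, "roles": {"AP_CLERK"}, "last_login": date(2024, 6, 28)},
    {"user": "ben", "owner": "E002", "enabled": True, "roles": {"AP_CLERK"}, "last_login": date(2024, 3, 1)},
    {"user": "chen", "owner": "E003", "enabled": True, "roles": {"VENDOR_MAINT", "AP_PAYMENT"}, "last_login": date(2024, 6, 29)},
    {"user": "dev", "owner": "E004", "enabled": True, "roles": {"READ_ONLY"}, "last_login": date(2024, 1, 15)},
    {"user": "sysadmin", "owner": None, "enabled": True, "roles": {"ADMIN"}, "last_login": date(2024, 6, 30)},
    {"user": "old_svc", "owner": None, "enabled": False, "roles": {"ADMIN"}, "last_login": date(2023, 1, 1)},
]

# Assumed segregation-of-duties matrix: role pairs one person must not hold together
SOD_CONFLICTS = [
    frozenset({"VENDOR_MAINT", "AP_PAYMENT"}),   # create a vendor and pay it
    frozenset({"AP_CLERK", "AP_PAYMENT"}),       # enter an invoice and release its payment
]


def review_access(accounts, roster, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Return (user, finding) pairs for every enabled account that fails a test."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this test
        if acct["owner"] is None:
            # Test 1: privileged accounts must have a named, accountable owner
            if acct["roles"] & PRIVILEGED_ROLES:
                findings.append((acct["user"], "shared privileged account without named owner"))
        else:
            # Test 2: the owner must still be an active employee (leavers process)
            employee = roster.get(acct["owner"])
            if employee is None or employee[1] != "active":
                findings.append((acct["user"], "enabled account, owner not an active employee"))
        # Test 3: dormant accounts are an unnecessary access path
        if (as_of - acct["last_login"]).days > dormant_days:
            findings.append((acct["user"], f"dormant: no login in {dormant_days} days"))
        # Test 4: no single account may hold a conflicting role pair
        for pair in SOD_CONFLICTS:
            if pair <= acct["roles"]:
                findings.append((acct["user"], "SoD conflict: " + " + ".join(sorted(pair))))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, HR_ROSTER):
        print(f"{user:10} {finding}")
```

Each finding is an exception for the system owner to explain, not a conclusion: a dormant account may be a legitimate seasonal user, and a shared administrator account may be an accepted break-glass arrangement, but both should be on a documented list that the auditor can reconcile to this output.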
Steps To Perform IT Audit
(Flowchart on the slide; the stages shown, following its layout from the terms of engagement to the audit report, are:)
1. Establish the terms of the engagement
2. Preliminary review
3. Establish materiality and assess risks
4. Plan the audit
5. Consider internal control
6. Perform audit procedures
7. Issue the audit report
IT Related Risks
System application error
Hardware failure
Computer crime
Issues In IT Audit
Security
Confidentiality
Privacy
Processing integrity
Availability
Evaluation of General & Application Controls
General controls
Applicable to all aspects of IT functions, for example the administration of the IT function, hardware or software acquisition and maintenance, and physical and security controls over hardware.
Application controls
Include controls over the processing of individual transactions specific to a particular software application. For example, controls over the processing of sales.
General Controls
Application Controls
Categories of Control – Purpose of Control
Input control – To check the integrity of data entered into an organization's application.
Processing control – To ensure proper control over data processing so that the process is complete, accurate and authorized.
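The two categories in the table are easiest to see side by side in code. The example below is added here and is not from the chapter: it takes a constructed batch of sales orders, applies input controls to each record (format, range and a check digit on the customer number, using the Luhn algorithm as an assumed check-digit scheme) and then applies a processing control to the batch as a whole by reconciling a record count, a financial total and a hash total against the control slip that accompanied the batch. The order layout, field names and control-slip values are constructed for the demonstration.

```python
"""Input and processing controls over a sales order batch.

Added example (not from this chapter). The orders, the control slip and the
check-digit scheme (Luhn) are constructed assumptions for the demonstration.
"""
import re


def luhn_valid(number: str) -> bool:
    """Check-digit test (Luhn algorithm) on a customer number; used here as an input edit check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_input(rec):
    """Input control: edit checks applied to one order record at the point of entry."""
    errors = []
    if not re.fullmatch(r"SO\d{6}", rec["order_no"]):
        errors.append("order_no format")
    if not (rec["customer"].isdigit() and luhn_valid(rec["customer"])):
        errors.append("customer check digit")
    if not 0 < rec["qty"] <= 1000:
        errors.append("qty out of range")
    if rec["unit_price"] <= 0:
        errors.append("unit_price not positive")
    return errors


def batch_totals(records):
    """Control totals used to prove completeness and accuracy of a processed batch."""
    return {
        "count": len(records),                                                  # record count
        "amount": round(sum(r["qty"] * r["unit_price"] for r in records), 2),   # financial total
        "hash": sum(int(r["customer"]) for r in records),                       # hash total (sum with no business meaning)
    }


def process_batch(records, control_slip):
    """Processing control: validate every record, then reconcile what was processed to the control slip."""
    accepted, rejected = [], []
    for r in records:
        errs = validate_input(r)
        if errs:
            rejected.append((r["order_no"], errs))
        else:
            accepted.append(r)
    totals = batch_totals(accepted)
    # Any difference means the batch is incomplete or inaccurate and must not be posted as-is
    exceptions = {k: (totals[k], control_slip[k]) for k in control_slip if totals[k] != control_slip[k]}
    return {"accepted": accepted, "rejected": rejected, "totals": totals, "exceptions": exceptions}


# Constructed sales order batch; customer numbers 1008, 2006, 3004 and 4002 pass Luhn, 5005 does not
ORDERS = [
    {"order_no": "SO000001", "customer": "1008", "qty": 10, "unit_price": 2.50},
    {"order_no": "SO000002", "customer": "2006", "qty": 4, "unit_price": 10.00},
    {"order_no": "SO000003", "customer": "5005", "qty": 1, "unit_price": 5.00},
    {"order_no": "SO00004", "customer": "3004", "qty": 2, "unit_price": 1.00},
    {"order_no": "SO000005", "customer": "4002", "qty": 2000, "unit_price": 1.00},
]
# Constructed control slip prepared by the originating department over all five orders as submitted
CONTROL_SLIP = {"count": 5, "amount": 2072.00, "hash": 15025}

if __name__ == "__main__":
    result = process_batch(ORDERS, CONTROL_SLIP)
    print("rejected:", result["rejected"])
    print("processed totals:", result["totals"])
    print("exceptions vs control slip:", result["exceptions"])
```

The rejected list is the output of the input control; the non-empty exceptions dictionary is the output of the processing control and is what the auditor expects to see on an exception report, since three records were held back and the batch therefore no longer agrees with its control slip until they are corrected and re-entered.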
SDLC
Auditing Of System Development
System Development Life Cycle (SDLC)
A series of steps used to identify the phases of an information system development project.
A process-centric approach to developing and implementing a system – a set of defined goals and timelines that sets out the completion date and associated deliverables within each phase of the life cycle.
Each phase (plan, analyse, design, implement) is executed sequentially, which allows proper evaluation and resolution of problems within each phase.
The SDLC Process
(Flowchart on the slide; the stages shown are Detail Systems Design, Programming and Testing, and Systems Implementation.)
SDLC – Life Cycle
IA involvement in each phase of the SDLC provides assurance to management that appropriate controls are in place.
Phases of the life cycle:
Plan – Who builds the system
Analyse – Who, what, when and where will the system be
Design – How will the system work
Implement – When, where and how will the system be delivered
Support – not within the SDLC; it is the post-implementation phase (but it needs to be reviewed by IA as well)
IA Involvement in SDLC
Proactive auditor involvement
On-the-spot advice for all phases – not waiting until the end
Auditing E-Commerce
What is E-commerce
Literally, doing business electronically (through internet technologies).
Use of electronic data transmission to implement or enhance business processes.
Concern over the increasing number of security incidents – security implications affect the trust of businesses (malicious attacks on company websites) and consumers (e.g. unauthorised use of credit cards for online transactions).
IA involvement – advisory service during system development and system/network/software/information security and system monitoring & recovery.
Issues in E-commerce Environment
Business continuity
Information security and privacy
The lack of audit trails
Record retention
Segregation of duties
Legal liability
E-commerce Environment
Electronic commerce (e-commerce) is the process by which
organisations conduct their business over electronic systems
such as the Internet and other computer networks with their
customers, suppliers and other external business partners.
Threats to e-commerce environments include virus
infections, hacking, cybercrime and failure of the system and
infrastructure.
Reasons for Auditing E-Commerce
To assess the effectiveness of the infrastructure and security measures of an e-commerce operation.
To evaluate compliance of e-commerce business operations with an organisation’s IT security policies as well as with industry good practices.
To evaluate the readiness of IT functions in the event of a major failure in e-commerce business transactions.
To identify other security issues that may affect the current infrastructure of an e-commerce model.
CAATs
Computer-Assisted Audit Tools (CAATs)
Computer-assisted audit techniques (CAATs) or computer-assisted audit tools and techniques (CAATTs) are an approach to auditing that uses computers.
They offer various tools or utilities that help the auditor to select, gather, analyse and report audit findings.
CAATs can be classified as:
• Electronic working papers
• Information retrieval and analysis
• Fraud detection
• Network security
• Electronic commerce and internet security
• Continuous monitoring
• Audit reporting
CAATs and Their Functions
Information retrieval and analysis
Fraud detection tool
Audit reporting function
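The information retrieval and fraud detection functions listed above amount to importing a data extract and running a set of analytical tests over the whole population rather than a sample. The script below is an added example, not from the chapter and not any particular CAAT product: it loads a constructed accounts-payable payment extract in CSV form and runs three common tests (duplicate payments on the same vendor, invoice and amount; gaps in the payment number sequence; and payments split into several sub-limit amounts within a short window). The approval limit, the seven-day window and every row of data are constructed assumptions.

```python
"""CAAT-style information retrieval and fraud detection tests over a payment extract.

Added example (not from this chapter). The CSV extract, the approval limit and
the window length are constructed assumptions for the demonstration.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed accounts-payable payment extract, as a CAAT would import it from the ledger
PAYMENTS_CSV = """payment_no,pay_date,vendor,invoice_ref,amount,approver
1001,2024-05-02,V100,INV-7781,4800.00,mgr1
1002,2024-05-02,V100,INV-7782,4900.00,mgr1
1003,2024-05-03,V100,INV-7783,4950.00,mgr1
1004,2024-05-06,V205,INV-0310,12500.00,mgr2
1006,2024-05-07,V205,INV-0310,12500.00,mgr1
1007,2024-05-08,V310,INV-5550,730.00,mgr2
1008,2024-05-21,V205,INV-0310,12500.00,mgr2
"""
APPROVAL_LIMIT = 5000.00   # assumed policy: payments at or above this need a second approver


def load_payments(text):
    """Information retrieval: parse the extract into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "payment_no": int(row["payment_no"]),
            "pay_date": date.fromisoformat(row["pay_date"]),
            "vendor": row["vendor"],
            "invoice_ref": row["invoice_ref"],
            "amount": float(row["amount"]),
            "approver": row["approver"],
        })
    return rows


def duplicate_payments(payments):
    """Fraud/error test: the same vendor invoice paid more than once for the same amount."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["invoice_ref"], p["amount"])].append(p["payment_no"])
    return [sorted(nos) for nos in groups.values() if len(nos) > 1]


def sequence_gaps(payments):
    """Completeness test: payment numbers missing from the sequence (possible deleted or unrecorded items)."""
    nos = {p["payment_no"] for p in payments}
    return [n for n in range(min(nos), max(nos) + 1) if n not in nos]


def split_payments(payments, limit=APPROVAL_LIMIT, window_days=7):
    """Fraud test: several sub-limit payments to one vendor within a short window that together exceed the limit."""
    flagged = {}
    by_vendor = defaultdict(list)
    for p in payments:
        if p["amount"] < limit:
            by_vendor[p["vendor"]].append(p)
    for vendor, items in by_vendor.items():
        items.sort(key=lambda p: p["pay_date"])
        involved = set()
        for i in range(len(items)):
            window = [items[i]]
            for j in range(i + 1, len(items)):
                if (items[j]["pay_date"] - items[i]["pay_date"]).days > window_days:
                    break
                window.append(items[j])
                if sum(p["amount"] for p in window) >= limit:
                    involved.update(p["payment_no"] for p in window)
        if involved:
            flagged[vendor] = sorted(involved)
    return flagged


def run_all(text=PAYMENTS_CSV):
    """Run every test and return the exception report as a dictionary."""
    payments = load_payments(text)
    return {
        "duplicates": duplicate_payments(payments),
        "sequence_gaps": sequence_gaps(payments),
        "split_payments": split_payments(payments),
    }


if __name__ == "__main__":
    for test, result in run_all().items():
        print(f"{test}: {result}")
```

On the constructed extract the duplicate test returns the three payments of INV-0310 to vendor V205, the sequence test reports payment 1005 as missing, and the split test flags the three payments to V100 that each sit just under the approval limit on consecutive days. As with any CAAT output these are exceptions to be followed up to source documents, which is why each test returns the payment numbers involved rather than a verdict.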
Advantages of CAATs
CAATs are suitable for auditing large volumes of transactions. They are valuable to organisations with complex processes, distributed operations and high transaction volumes.
The use of CAATs is important for auditors to gain access to audited data in a much more efficient way. Direct access to an organisation’s data will eventually reduce the time and effort spent in performing audit procedures, with assured accuracy.
Advantages of CAATs
Using CAATs in performing substantive testing will provide total assurance over the area being audited. It allows auditors to point out errors or fraud easily in order to provide effective recommendations.
CAATs provide a standard uniform practice and a user-friendly interface for auditors. They allow auditors to perform various tasks irrespective of the data format or the underlying operating system of an organisation.
• Data can be examined faster and more accurately
• Practical for scrutinising large volumes of data
• Improve the effectiveness and efficiency of the audit
• Continuous in usage once the software is available
• Flexible, as the parameters can be varied
Disadvantages of CAATs
• Audit software may be incompatible with other software
• May require considerable computer resources/capacity
• Gives rise to the question of cost vs. benefits
• Modifications to systems may render the vendor’s warranty void
• Security and validity of the system can be compromised – especially when using dummy data
Does the cost outweigh the benefit of purchasing CAATs? Costs include:
• Cost of purchasing and installing the software;
• Cost of training the staff in using the software;
• Cost of maintaining the software; and
• Cost of contacting the service centre.
Disadvantages of CAATTs
Compatibility issues with the existing software applications used by a company.
The installation process requires various computer resources or facilities, for example the type of processor and the size of memory and storage required.
Sensitive business data such as customers’ details, business plans and strategy could be compromised by irresponsible persons if not handled properly.
Too much software available – may need a software specialist to support the system.
Conclusion
The audit of an IT environment is very challenging as it involves reviewing and reporting on very technical matters.
To excel in the audit, the internal auditor should possess adequate IT knowledge, technical skills and experience.
END CHAPTER 8